31 #include <openssl/bio.h>
32 #include <openssl/ssl.h>
33 #include <openssl/err.h>
45 if (!(mem = BIO_new(BIO_s_mem())))
53 BIO_get_mem_ptr(mem, &bptr);
54 if (!bptr || !bptr->length)
63 memcpy(pem_str, bptr->data, bptr->length);
64 pem_str[bptr->length] =
'\0';
83 BIO *mem = BIO_new(BIO_s_mem());
90 if (!PEM_write_bio_X509(mem, cert))
93 BIO_get_mem_ptr(mem, &bptr);
94 if (!bptr || !bptr->length)
goto err;
99 memcpy(
out, bptr->data, bptr->length);
100 out[bptr->length] =
'\0';
124 unsigned char md[EVP_MAX_MD_SIZE];
126 AVBPrint fingerprint;
133 if (X509_digest(cert, EVP_sha256(),
md, &n) != 1) {
138 for (
i = 0;
i < n;
i++) {
144 if (!fingerprint.str || !strlen(fingerprint.str)) {
159 int ff_ssl_read_key_cert(
char *key_url,
char *cert_url,
char *key_buf,
size_t key_sz,
char *cert_buf,
size_t cert_sz,
char **fingerprint)
163 AVBPrint key_bp, cert_bp;
166 char *key_tem =
NULL, *cert_tem =
NULL;
179 if (!(key_b = BIO_new(BIO_s_mem()))) {
184 BIO_write(key_b, key_bp.str, key_bp.len);
185 pkey = PEM_read_bio_PrivateKey(key_b,
NULL,
NULL,
NULL);
199 if (!(cert_b = BIO_new(BIO_s_mem()))) {
204 BIO_write(cert_b, cert_bp.str, cert_bp.len);
215 snprintf(key_buf, key_sz,
"%s", key_tem);
216 snprintf(cert_buf, cert_sz,
"%s", cert_tem);
249 #if OPENSSL_VERSION_NUMBER < 0x30000000L
250 EC_GROUP *ecgroup =
NULL;
251 int curve = NID_X9_62_prime256v1;
253 const char *curve = SN_X9_62_prime256v1;
256 #if OPENSSL_VERSION_NUMBER < 0x30000000L
257 *pkey = EVP_PKEY_new();
258 *eckey = EC_KEY_new();
259 ecgroup = EC_GROUP_new_by_curve_name(curve);
265 if (EC_KEY_set_group(*eckey, ecgroup) != 1) {
266 av_log(
NULL,
AV_LOG_ERROR,
"TLS: Generate private key, EC_KEY_set_group failed, %s\n", ERR_error_string(ERR_get_error(),
NULL));
270 if (EC_KEY_generate_key(*eckey) != 1) {
271 av_log(
NULL,
AV_LOG_ERROR,
"TLS: Generate private key, EC_KEY_generate_key failed, %s\n", ERR_error_string(ERR_get_error(),
NULL));
275 if (EVP_PKEY_set1_EC_KEY(*pkey, *eckey) != 1) {
276 av_log(
NULL,
AV_LOG_ERROR,
"TLS: Generate private key, EVP_PKEY_set1_EC_KEY failed, %s\n", ERR_error_string(ERR_get_error(),
NULL));
280 *pkey = EVP_EC_gen(curve);
282 av_log(
NULL,
AV_LOG_ERROR,
"TLS: Generate private key, EVP_EC_gen curve=%s failed, %s\n", curve, ERR_error_string(ERR_get_error(),
NULL));
291 #if OPENSSL_VERSION_NUMBER < 0x30000000L
292 EC_GROUP_free(ecgroup);
299 int ret = 0, serial, expire_day;
300 const char *aor =
"lavf";
301 X509_NAME* subject =
NULL;
309 subject = X509_NAME_new();
315 if (ASN1_INTEGER_set(X509_get_serialNumber(*cert), serial) != 1) {
320 if (X509_NAME_add_entry_by_txt(subject,
"CN", MBSTRING_ASC, aor, strlen(aor), -1, 0) != 1) {
325 if (X509_set_issuer_name(*cert, subject) != 1) {
329 if (X509_set_subject_name(*cert, subject) != 1) {
335 if (!X509_gmtime_adj(X509_get_notBefore(*cert), 0)) {
339 if (!X509_gmtime_adj(X509_get_notAfter(*cert), 60*60*24*expire_day)) {
344 if (X509_set_version(*cert, 2) != 1) {
349 if (X509_set_pubkey(*cert, pkey) != 1) {
354 if (!X509_sign(*cert, pkey, EVP_sha1())) {
371 X509_NAME_free(subject);
378 EVP_PKEY *pkey =
NULL;
379 EC_KEY *ec_key =
NULL;
381 char *key_tem =
NULL, *cert_tem =
NULL;
392 snprintf(key_buf, key_sz,
"%s", key_tem);
393 snprintf(cert_buf, cert_sz,
"%s", cert_tem);
412 BIO *mem = BIO_new_mem_buf(pem_str, -1);
418 EVP_PKEY *pkey =
NULL;
427 is_priv ?
"private" :
"public");
442 BIO *mem = BIO_new_mem_buf(pem_str, -1);
479 int r2 = ERR_get_error();
481 ERR_error_string_n(r2,
ctx->error_message,
sizeof(
ctx->error_message));
483 ctx->error_message[0] =
'\0';
486 return ctx->error_message;
495 c->tls_shared.udp = sock;
497 c->tls_shared.tcp = sock;
505 const char*
dst =
"EXTRACTOR-dtls_srtp";
508 ret = SSL_export_keying_material(
c->ssl, dtls_srtp_materials, materials_sz,
520 return c->tls_shared.state;
528 int err = SSL_get_error(
c->ssl,
ret);
529 if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE)
532 while ((e = ERR_get_error()) != 0) {
551 SSL_shutdown(
c->ssl);
555 SSL_CTX_free(
c->ctx);
557 if (
c->url_bio_method)
558 BIO_meth_free(
c->url_bio_method);
565 BIO_set_data(
b,
NULL);
578 int ret =
ffurl_read(
c->tls_shared.is_dtls ?
c->tls_shared.udp :
c->tls_shared.tcp, buf,
len);
581 BIO_clear_retry_flags(
b);
585 BIO_set_retry_read(
b);
597 BIO_clear_retry_flags(
b);
601 BIO_set_retry_write(
b);
609 if (cmd == BIO_CTRL_FLUSH) {
610 BIO_clear_retry_flags(
b);
625 int bio_idx = BIO_get_new_index();
628 p->
url_bio_method = BIO_meth_new(bio_idx | BIO_TYPE_SOURCE_SINK,
"urlprotocol bio");
636 BIO_set_data(bio, p);
638 SSL_set_bio(p->
ssl, bio, bio);
643 const char *method =
"undefined";
646 if (where & SSL_ST_CONNECT) {
647 method =
"SSL_connect";
648 }
else if (where & SSL_ST_ACCEPT)
649 method =
"SSL_accept";
651 if (where & SSL_CB_LOOP) {
653 method, SSL_state_string(ssl), SSL_state_string_long(ssl), where,
ret);
654 }
else if (where & SSL_CB_ALERT) {
655 method = (where & SSL_CB_READ) ?
"read":
"write";
657 method, SSL_state_string(ssl), SSL_state_string_long(ssl), where,
ret);
675 r0 = SSL_do_handshake(p->
ssl);
676 r1 = SSL_get_error(p->
ssl, r0);
678 if (r1 != SSL_ERROR_WANT_READ && r1 != SSL_ERROR_WANT_WRITE && r1 != SSL_ERROR_ZERO_RETURN) {
688 if (SSL_is_init_finished(p->
ssl) != 1)
701 EVP_PKEY *pkey =
NULL;
705 if (!SSL_CTX_load_verify_locations(p->
ctx,
c->ca_file,
NULL))
710 ret = SSL_CTX_use_certificate_chain_file(p->
ctx,
c->cert_file);
717 }
else if (
c->cert_buf) {
719 if (SSL_CTX_use_certificate(p->
ctx, cert) != 1) {
724 }
else if (
c->is_dtls){
731 ret = SSL_CTX_use_PrivateKey_file(p->
ctx,
c->key_file, SSL_FILETYPE_PEM);
738 }
else if (
c->key_buf) {
740 if (SSL_CTX_use_PrivateKey(p->
ctx, pkey) != 1) {
745 }
else if (
c->is_dtls) {
765 const char* ciphers =
"ALL";
771 const char*
profiles =
"SRTP_AES128_CM_SHA1_80";
773 const char*
curves =
"X25519:P-256:P-384:P-521";
775 p->
ctx = SSL_CTX_new(DTLS_method());
782 if (SSL_CTX_set1_curves_list(p->
ctx,
curves) != 1) {
793 if (SSL_CTX_set_cipher_list(p->
ctx, ciphers) != 1) {
806 SSL_CTX_set_verify_depth(p->
ctx, 4);
808 SSL_CTX_set_read_ahead(p->
ctx, 1);
810 if (SSL_CTX_set_tlsext_use_srtp(p->
ctx,
profiles)) {
811 av_log(p,
AV_LOG_ERROR,
"TLS: Init SSL_CTX_set_tlsext_use_srtp failed, profiles=%s, %s\n",
825 SSL_set_ex_data(p->
ssl, 0, p);
831 SSL_set_options(p->
ssl, SSL_OP_NO_QUERY_MTU);
846 c->listen ? SSL_set_accept_state(p->
ssl) : SSL_set_connect_state(p->
ssl);
882 SSL_CTX_free(
ctx->ctx);
885 EVP_PKEY_free(
ctx->pkey);
902 p->
ctx = SSL_CTX_new(
c->listen ? TLS_server_method() : TLS_client_method());
908 if (!SSL_CTX_set_min_proto_version(p->
ctx, TLS1_VERSION)) {
918 SSL_CTX_set_verify(p->
ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
NULL);
925 SSL_set_ex_data(p->
ssl, 0, p);
930 if (!
c->listen && !
c->numerichost)
931 SSL_set_tlsext_host_name(p->
ssl,
c->host);
932 ret =
c->listen ? SSL_accept(p->
ssl) : SSL_connect(p->
ssl);
937 }
else if (
ret < 0) {
951 URLContext *uc =
c->tls_shared.is_dtls ?
c->tls_shared.udp
968 URLContext *uc =
c->tls_shared.is_dtls ?
c->tls_shared.udp