31 #include <openssl/bio.h>
32 #include <openssl/ssl.h>
33 #include <openssl/err.h>
34 #include <openssl/x509v3.h>
46 if (!(mem = BIO_new(BIO_s_mem())))
54 BIO_get_mem_ptr(mem, &bptr);
55 if (!bptr || !bptr->length)
64 memcpy(pem_str, bptr->data, bptr->length);
65 pem_str[bptr->length] =
'\0';
84 BIO *mem = BIO_new(BIO_s_mem());
91 if (!PEM_write_bio_X509(mem, cert))
94 BIO_get_mem_ptr(mem, &bptr);
95 if (!bptr || !bptr->length)
goto err;
100 memcpy(
out, bptr->data, bptr->length);
101 out[bptr->length] =
'\0';
125 unsigned char md[EVP_MAX_MD_SIZE];
127 AVBPrint fingerprint;
134 if (X509_digest(cert, EVP_sha256(),
md, &n) != 1) {
139 for (
i = 0;
i < n;
i++) {
145 if (!fingerprint.str || !strlen(fingerprint.str)) {
160 int ff_ssl_read_key_cert(
char *key_url,
char *cert_url,
char *key_buf,
size_t key_sz,
char *cert_buf,
size_t cert_sz,
char **fingerprint)
164 AVBPrint key_bp, cert_bp;
165 EVP_PKEY *pkey =
NULL;
167 char *key_tem =
NULL, *cert_tem =
NULL;
180 if (!(key_b = BIO_new(BIO_s_mem()))) {
185 BIO_write(key_b, key_bp.str, key_bp.len);
186 pkey = PEM_read_bio_PrivateKey(key_b,
NULL,
NULL,
NULL);
200 if (!(cert_b = BIO_new(BIO_s_mem()))) {
205 BIO_write(cert_b, cert_bp.str, cert_bp.len);
216 snprintf(key_buf, key_sz,
"%s", key_tem);
217 snprintf(cert_buf, cert_sz,
"%s", cert_tem);
254 #if OPENSSL_VERSION_NUMBER < 0x30000000L
255 EC_GROUP *ecgroup =
NULL;
256 EC_KEY *eckey =
NULL;
257 int curve = NID_X9_62_prime256v1;
259 const char *curve = SN_X9_62_prime256v1;
262 #if OPENSSL_VERSION_NUMBER < 0x30000000L
263 *pkey = EVP_PKEY_new();
267 eckey = EC_KEY_new();
269 EVP_PKEY_free(*pkey);
274 ecgroup = EC_GROUP_new_by_curve_name(curve);
280 if (EC_KEY_set_group(eckey, ecgroup) != 1) {
281 av_log(
NULL,
AV_LOG_ERROR,
"TLS: Generate private key, EC_KEY_set_group failed, %s\n", ERR_error_string(ERR_get_error(),
NULL));
285 if (EC_KEY_generate_key(eckey) != 1) {
286 av_log(
NULL,
AV_LOG_ERROR,
"TLS: Generate private key, EC_KEY_generate_key failed, %s\n", ERR_error_string(ERR_get_error(),
NULL));
290 if (EVP_PKEY_set1_EC_KEY(*pkey, eckey) != 1) {
291 av_log(
NULL,
AV_LOG_ERROR,
"TLS: Generate private key, EVP_PKEY_set1_EC_KEY failed, %s\n", ERR_error_string(ERR_get_error(),
NULL));
295 *pkey = EVP_EC_gen(curve);
297 av_log(
NULL,
AV_LOG_ERROR,
"TLS: Generate private key, EVP_EC_gen curve=%s failed, %s\n", curve, ERR_error_string(ERR_get_error(),
NULL));
305 EVP_PKEY_free(*pkey);
308 #if OPENSSL_VERSION_NUMBER < 0x30000000L
309 EC_GROUP_free(ecgroup);
317 int ret = 0, serial, expire_day;
318 const char *aor =
"lavf";
319 X509_NAME* subject =
NULL;
327 subject = X509_NAME_new();
333 if (ASN1_INTEGER_set(X509_get_serialNumber(*cert), serial) != 1) {
338 if (X509_NAME_add_entry_by_txt(subject,
"CN", MBSTRING_ASC, aor, strlen(aor), -1, 0) != 1) {
343 if (X509_set_issuer_name(*cert, subject) != 1) {
347 if (X509_set_subject_name(*cert, subject) != 1) {
353 if (!X509_gmtime_adj(X509_get_notBefore(*cert), 0)) {
357 if (!X509_gmtime_adj(X509_get_notAfter(*cert), 60*60*24*expire_day)) {
362 if (X509_set_version(*cert, 2) != 1) {
367 if (X509_set_pubkey(*cert, pkey) != 1) {
372 if (!X509_sign(*cert, pkey, EVP_sha1())) {
395 X509_NAME_free(subject);
402 EVP_PKEY *pkey =
NULL;
404 char *key_tem =
NULL, *cert_tem =
NULL;
415 snprintf(key_buf, key_sz,
"%s", key_tem);
416 snprintf(cert_buf, cert_sz,
"%s", cert_tem);
437 BIO *mem = BIO_new_mem_buf(pem_str, -1);
443 EVP_PKEY *pkey =
NULL;
452 is_priv ?
"private" :
"public");
467 BIO *mem = BIO_new_mem_buf(pem_str, -1);
505 int r2 = ERR_get_error();
507 ERR_error_string_n(r2,
ctx->error_message,
sizeof(
ctx->error_message));
509 ctx->error_message[0] =
'\0';
512 return ctx->error_message;
521 c->tls_shared.udp = sock;
523 c->tls_shared.tcp = sock;
531 const char*
dst =
"EXTRACTOR-dtls_srtp";
534 ret = SSL_export_keying_material(
c->ssl, dtls_srtp_materials, materials_sz,
546 return c->tls_shared.state;
554 int err = SSL_get_error(
c->ssl,
ret);
555 if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE)
558 while ((e = ERR_get_error()) != 0) {
577 SSL_shutdown(
c->ssl);
581 SSL_CTX_free(
c->ctx);
582 if (!
c->tls_shared.external_sock)
583 ffurl_closep(
c->tls_shared.is_dtls ? &
c->tls_shared.udp : &
c->tls_shared.tcp);
584 if (
c->url_bio_method)
585 BIO_meth_free(
c->url_bio_method);
592 BIO_set_data(
b,
NULL);
606 int ret =
ffurl_read(
c->tls_shared.is_dtls ?
c->tls_shared.udp :
c->tls_shared.tcp, buf,
len);
608 if (
s->is_dtls &&
s->listen && !
c->dest_addr_len) {
622 BIO_clear_retry_flags(
b);
626 BIO_set_retry_read(
b);
638 BIO_clear_retry_flags(
b);
642 BIO_set_retry_write(
b);
650 if (cmd == BIO_CTRL_FLUSH) {
651 BIO_clear_retry_flags(
b);
666 int bio_idx = BIO_get_new_index();
669 p->
url_bio_method = BIO_meth_new(bio_idx | BIO_TYPE_SOURCE_SINK,
"urlprotocol bio");
677 BIO_set_data(bio, p);
679 SSL_set_bio(p->
ssl, bio, bio);
684 const char *method =
"undefined";
687 if (where & SSL_ST_CONNECT) {
688 method =
"SSL_connect";
689 }
else if (where & SSL_ST_ACCEPT)
690 method =
"SSL_accept";
692 if (where & SSL_CB_LOOP) {
694 method, SSL_state_string(ssl), SSL_state_string_long(ssl), where,
ret);
695 }
else if (where & SSL_CB_ALERT) {
696 method = (where & SSL_CB_READ) ?
"read":
"write";
698 method, SSL_state_string(ssl), SSL_state_string_long(ssl), where,
ret);
709 r0 = SSL_do_handshake(p->
ssl);
711 r1 = SSL_get_error(p->
ssl, r0);
713 if (r1 != SSL_ERROR_WANT_READ && r1 != SSL_ERROR_WANT_WRITE && r1 != SSL_ERROR_ZERO_RETURN) {
723 if (SSL_is_init_finished(p->
ssl) != TLS_ST_OK)
737 EVP_PKEY *pkey =
NULL;
741 if (!SSL_CTX_load_verify_locations(p->
ctx,
c->ca_file,
NULL))
744 if (!SSL_CTX_set_default_verify_paths(p->
ctx)) {
752 ret = SSL_CTX_use_certificate_chain_file(p->
ctx,
c->cert_file);
759 }
else if (
c->cert_buf) {
761 if (SSL_CTX_use_certificate(p->
ctx, cert) != 1) {
769 ret = SSL_CTX_use_PrivateKey_file(p->
ctx,
c->key_file, SSL_FILETYPE_PEM);
776 }
else if (
c->key_buf) {
778 if (SSL_CTX_use_PrivateKey(p->
ctx, pkey) != 1) {
785 if (
c->listen && !
c->cert_file && !
c->cert_buf && !
c->key_file && !
c->key_buf) {
796 if (SSL_CTX_use_certificate(p->
ctx, cert) != 1) {
802 if (SSL_CTX_use_PrivateKey(p->
ctx, pkey) != 1) {
831 const char*
profiles =
"SRTP_AES128_CM_SHA1_80";
833 p->
ctx = SSL_CTX_new(
c->listen ? DTLS_server_method() : DTLS_client_method());
844 SSL_CTX_set_verify(p->
ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
NULL);
847 if (SSL_CTX_set_tlsext_use_srtp(p->
ctx,
profiles)) {
861 if (!
c->listen && !
c->numerichost)
862 SSL_set_tlsext_host_name(p->
ssl,
c->host);
865 SSL_set_ex_data(p->
ssl, 0, p);
874 SSL_set_options(p->
ssl, SSL_OP_NO_QUERY_MTU);
875 SSL_set_mtu(p->
ssl,
c->mtu);
876 DTLS_set_link_mtu(p->
ssl,
c->mtu);
891 SSL_set_accept_state(p->
ssl);
893 SSL_set_connect_state(p->
ssl);
935 p->
ctx = SSL_CTX_new(
c->listen ? TLS_server_method() : TLS_client_method());
941 if (!SSL_CTX_set_min_proto_version(p->
ctx, TLS1_VERSION)) {
950 SSL_CTX_set_verify(p->
ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
NULL);
957 SSL_set_ex_data(p->
ssl, 0, p);
962 if (!
c->listen && !
c->numerichost) {
964 SSL_set_hostflags(p->
ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
965 if (!SSL_set1_host(p->
ssl,
c->host)) {
971 if (!SSL_set_tlsext_host_name(p->
ssl,
c->host)) {
977 ret =
c->listen ? SSL_accept(p->
ssl) : SSL_connect(p->
ssl);
982 }
else if (
ret < 0) {
996 URLContext *uc =
c->tls_shared.is_dtls ?
c->tls_shared.udp
1013 URLContext *uc =
c->tls_shared.is_dtls ?
c->tls_shared.udp
1014 :
c->tls_shared.tcp;
1021 if (
c->tls_shared.is_dtls)
1024 ret = SSL_write(
c->ssl, buf,
size);