[vlc-devel] [PATCH] access: ftp: add TLS support (fix #137)
Francois Cartegnie
fcvlcdev at free.fr
Tue Jul 16 18:15:52 CEST 2013
Needs fix for 8972 first.
---
modules/access/ftp.c | 235 ++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 178 insertions(+), 57 deletions(-)
diff --git a/modules/access/ftp.c b/modules/access/ftp.c
index f1896f9..0e751c8 100644
--- a/modules/access/ftp.c
+++ b/modules/access/ftp.c
@@ -40,6 +40,7 @@
#include <vlc_network.h>
#include <vlc_url.h>
+#include <vlc_tls.h>
#include <vlc_sout.h>
#include <vlc_charset.h>
@@ -77,7 +78,7 @@ vlc_module_begin ()
PASS_LONGTEXT, false )
add_string( "ftp-account", "anonymous", ACCOUNT_TEXT,
ACCOUNT_LONGTEXT, false )
- add_shortcut( "ftp" )
+ add_shortcut( "ftp", "ftps" )
set_callbacks( InOpen, InClose )
add_submodule ()
@@ -86,7 +87,7 @@ vlc_module_begin ()
set_capability( "sout access", 0 )
set_category( CAT_SOUT )
set_subcategory( SUBCAT_SOUT_ACO )
- add_shortcut( "ftp" )
+ add_shortcut( "ftp", "ftps" )
set_callbacks( OutOpen, OutClose )
vlc_module_end ()
@@ -99,12 +100,27 @@ static int Seek( access_t *, uint64_t );
static int OutSeek( sout_access_out_t *, off_t );
static int Control( access_t *, int, va_list );
+static void FeaturesCheck( void *, const char * );
+
+typedef struct ftp_features_t
+{
+ bool b_unicode;
+ bool b_authtls;
+} ftp_features_t;
+
struct access_sys_t
{
vlc_url_t url;
- int fd_cmd;
- int fd_data;
+ ftp_features_t features;
+ vlc_tls_creds_t *p_creds;
+ bool b_tls;
+ struct
+ {
+ vlc_tls_t *p_tls;
+ v_socket_t *p_vs;
+ int fd;
+ } cmd, data;
char sz_epsv_ip[NI_MAXNUMERICHOST];
bool out;
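Review bot: The new members of `access_sys_t` are undocumented, and two of them are easy to misread: `b_tls` records only that the ftps scheme was requested, while the TLS session actually being up is signalled by `cmd.p_tls != NULL`, and `p_vs` is NULL for a plain TCP channel and points at `&p_tls->sock` once the handshake has succeeded (as Login and ftp_StartStream set it). Suggested comments: `bool b_tls; /* ftps:// requested (TLS is active only once cmd.p_tls != NULL) */`, `vlc_tls_t *p_tls; /* TLS session for this channel, NULL for cleartext */` and `v_socket_t *p_vs; /* &p_tls->sock when TLS is up, else NULL (plain fd I/O) */`. Documenting that `features` is only filled in by Login's FEAT round-trip would also help readers of Connect.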
@@ -133,7 +149,7 @@ static int ftp_SendCommand( vlc_object_t *obj, access_sys_t *sys,
return -1;
msg_Dbg( obj, "sending request: \"%.*s\" (%d bytes)", val - 2, cmd, val );
- if( net_Write( obj, sys->fd_cmd, NULL, cmd, val ) != val )
+ if( net_Write( obj, sys->cmd.fd, sys->cmd.p_vs, cmd, val ) != val )
{
msg_Err( obj, "request failure" );
val = -1;
@@ -168,7 +184,7 @@ static int ftp_RecvAnswer( vlc_object_t *obj, access_sys_t *sys,
if( strp != NULL )
*strp = NULL;
- char *resp = net_Gets( obj, sys->fd_cmd, NULL );
+ char *resp = net_Gets( obj, sys->cmd.fd, sys->cmd.p_vs );
if( resp == NULL )
{
msg_Err( obj, "response failure" );
@@ -191,7 +207,7 @@ static int ftp_RecvAnswer( vlc_object_t *obj, access_sys_t *sys,
*end = ' ';
do
{
- char *line = net_Gets( obj, sys->fd_cmd, NULL );
+ char *line = net_Gets( obj, sys->cmd.fd, sys->cmd.p_vs );
if( line == NULL )
{
msg_Err( obj, "response failure" );
@@ -238,7 +254,7 @@ static int Login( vlc_object_t *p_access, access_sys_t *p_sys )
char *psz;
/* *** Open a TCP connection with server *** */
- int fd = p_sys->fd_cmd = net_ConnectTCP( p_access, p_sys->url.psz_host,
+ int fd = p_sys->cmd.fd = net_ConnectTCP( p_access, p_sys->url.psz_host,
p_sys->url.i_port );
if( fd == -1 )
{
@@ -267,18 +283,77 @@ static int Login( vlc_object_t *p_access, access_sys_t *p_sys )
if( !psz )
return -1;
+ /* Features check first */
+ if( ftp_SendCommand( p_access, p_sys, "FEAT" ) < 0
+ || ftp_RecvAnswer( p_access, p_sys, NULL, NULL,
+ FeaturesCheck, &p_sys->features ) < 0 )
+ {
+ msg_Err( p_access, "cannot get server features" );
+ return -1;
+ }
+
+ /* Create TLS Session */
+ if( p_sys->b_tls && p_sys->features.b_authtls )
+ {
+ if( ftp_SendCommand( p_access, p_sys, "AUTH TLS" ) < 0
+ || ftp_RecvCommand( p_access, p_sys, &i_answer, NULL ) < 0
+ || i_answer != 234 )
+ {
+ msg_Err( p_access, "cannot switch to TLS: server replied with code %d",
+ i_answer );
+ return -1;
+ }
+
+ p_sys->p_creds = vlc_tls_ClientCreate( p_access );
+ if( p_sys->p_creds == NULL ) return -1;
+
+ /* TLS/SSL handshake */
+ p_sys->cmd.p_tls = vlc_tls_ClientSessionCreate( p_sys->p_creds, fd,
+ p_sys->url.psz_host, "ftps" );
+ if( p_sys->cmd.p_tls == NULL )
+ {
+ msg_Err( p_access, "cannot establish HTTP/TLS session on command channel" );
+ free( psz );
+ goto error;
+ }
+ p_sys->cmd.p_vs = &p_sys->cmd.p_tls->sock;
+
+ if( ftp_SendCommand( p_access, p_sys, "PBSZ 0" ) < 0 ||
+ ftp_RecvCommand( p_access, p_sys, &i_answer, NULL ) < 0 ||
+ i_answer != 200 )
+ {
+ msg_Err( p_access, "Can't truncate Protection buffer size for TLS" );
+ free( psz );
+ goto error;
+ }
+
+ if( ftp_SendCommand( p_access, p_sys, "PROT P" ) < 0 ||
+ ftp_RecvCommand( p_access, p_sys, &i_answer, NULL ) < 0 ||
+ i_answer != 200 )
+ {
+ msg_Err( p_access, "Can't set Data channel protection" );
+ free( psz );
+ goto error;
+ }
+ }
+
+ /* Send credentials over channel */
if( ftp_SendCommand( p_access, p_sys, "USER %s", psz ) < 0 ||
ftp_RecvCommand( p_access, p_sys, &i_answer, NULL ) < 0 )
{
free( psz );
- return -1;
+ goto error;
}
free( psz );
switch( i_answer / 100 )
{
case 2:
- msg_Dbg( p_access, "user accepted" );
+ /* X.509 auth successful after AUTH TLS / RFC 2228 sec. 4 */
+ if ( i_answer == 232 )
+ msg_Dbg( p_access, "user accepted and authenticated" );
+ else
+ msg_Dbg( p_access, "user accepted" );
break;
case 3:
msg_Dbg( p_access, "password needed" );
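Review bot: When the URL scheme is ftps but the server's FEAT reply does not advertise AUTH TLS, the guard `if( p_sys->b_tls && p_sys->features.b_authtls )` silently skips the handshake and the USER/PASS exchange that follows goes out in cleartext, so a session the user explicitly asked to protect is downgraded with no diagnostic. For `b_tls` the code should either refuse to continue or attempt AUTH TLS regardless of FEAT and fail on a reply other than 234, since FEAT advertisement is not a reliable signal. In the same stretch, the `return -1` after the FEAT failure, after the AUTH TLS failure and after `vlc_tls_ClientCreate` returns NULL all leak `psz`, which was obtained before this hunk and is freed on every other exit. Login's body starts before and continues after this hunk.
```c
    /* … unchanged: FEAT request … */
    {
        msg_Err( p_access, "cannot get server features" );
        free( psz );
        return -1;
    }

    /* ftps:// must not fall back to a cleartext login */
    if( p_sys->b_tls && !p_sys->features.b_authtls )
    {
        msg_Err( p_access, "server does not offer AUTH TLS, refusing cleartext login" );
        free( psz );
        return -1;
    }

    /* Create TLS Session */
    if( p_sys->b_tls )
    {
        if( ftp_SendCommand( p_access, p_sys, "AUTH TLS" ) < 0
         || ftp_RecvCommand( p_access, p_sys, &i_answer, NULL ) < 0
         || i_answer != 234 )
        {
            msg_Err( p_access, "cannot switch to TLS: server replied with code %d",
                     i_answer );
            free( psz );
            return -1;
        }

        p_sys->p_creds = vlc_tls_ClientCreate( p_access );
        if( p_sys->p_creds == NULL )
        {
            free( psz );
            return -1;
        }
        /* … unchanged: command-channel handshake, PBSZ 0, PROT P … */
    }
```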
@@ -287,13 +362,13 @@ static int Login( vlc_object_t *p_access, access_sys_t *p_sys )
else
psz = var_InheritString( p_access, "ftp-pwd" );
if( !psz )
- return -1;
+ goto error;
if( ftp_SendCommand( p_access, p_sys, "PASS %s", psz ) < 0 ||
ftp_RecvCommand( p_access, p_sys, &i_answer, NULL ) < 0 )
{
free( psz );
- return -1;
+ goto error;
}
free( psz );
@@ -310,7 +385,7 @@ static int Login( vlc_object_t *p_access, access_sys_t *p_sys )
ftp_RecvCommand( p_access, p_sys, &i_answer, NULL ) < 0 )
{
free( psz );
- return -1;
+ goto error;
}
free( psz );
@@ -320,7 +395,7 @@ static int Login( vlc_object_t *p_access, access_sys_t *p_sys )
dialog_Fatal( p_access,
_("Network interaction failed"),
"%s", _("Your account was rejected.") );
- return -1;
+ goto error;
}
msg_Dbg( p_access, "account accepted" );
break;
@@ -329,25 +404,35 @@ static int Login( vlc_object_t *p_access, access_sys_t *p_sys )
msg_Err( p_access, "password rejected" );
dialog_Fatal( p_access, _("Network interaction failed"),
"%s", _("Your password was rejected.") );
- return -1;
+ goto error;
}
break;
default:
msg_Err( p_access, "user rejected" );
dialog_Fatal( p_access, _("Network interaction failed"), "%s",
_("Your connection attempt to the server was rejected.") );
- return -1;
+ goto error;
}
return 0;
+
+error:
+ if ( p_sys->cmd.p_tls ) vlc_tls_SessionDelete( p_sys->cmd.p_tls );
+ if ( p_sys->p_creds ) vlc_tls_Delete( p_sys->p_creds );
+ p_sys->cmd.p_tls = NULL;
+ p_sys->p_creds = NULL;
+ return -1;
}
static void FeaturesCheck( void *opaque, const char *feature )
{
- bool *unicode = opaque;
+ ftp_features_t *features = opaque;
if( strcasestr( feature, "UTF8" ) != NULL )
- *unicode = true;
+ features->b_unicode = true;
+ else
+ if( strcasestr( feature, "AUTH TLS" ) != NULL )
+ features->b_authtls = true;
}
static const char *IsASCII( const char *str )
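Review bot: The `error:` label deletes the TLS session and NULLs `cmd.p_tls`, but `cmd.p_vs` keeps the address `&p_sys->cmd.p_tls->sock` assigned earlier in Login, so it now points into freed memory. The identical teardown in Connect's EPSV fallback (hunk `@@ -384,23 +469,17 @@`) is followed by a second call to `Login`, whose first `ftp_SendCommand` passes the stale `sys->cmd.p_vs` to `net_Write`; if the first attempt had negotiated TLS that is a use-after-free. Add `p_sys->cmd.p_vs = NULL;` next to the two existing resets, both here and in Connect. In `FeaturesCheck`, the `else` on a line of its own followed by `if` reads like a dangling branch; `else if( strcasestr( feature, "AUTH TLS" ) != NULL )` on one line is the conventional form.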
@@ -373,7 +458,7 @@ static int Connect( vlc_object_t *p_access, access_sys_t *p_sys )
if( ftp_RecvCommand( p_access, p_sys, NULL, NULL ) == 2 )
{
- if( net_GetPeerAddress( p_sys->fd_cmd, p_sys->sz_epsv_ip, NULL ) )
+ if( net_GetPeerAddress( p_sys->cmd.fd, p_sys->sz_epsv_ip, NULL ) )
goto error;
}
else
@@ -384,23 +469,17 @@ static int Connect( vlc_object_t *p_access, access_sys_t *p_sys )
* the initial connection.
*/
msg_Info( p_access, "FTP Extended passive mode disabled" );
- net_Close( p_sys->fd_cmd );
+ if ( p_sys->cmd.p_tls ) vlc_tls_SessionDelete( p_sys->cmd.p_tls );
+ if ( p_sys->p_creds ) vlc_tls_Delete( p_sys->p_creds );
+ p_sys->cmd.p_tls = NULL;
+ p_sys->p_creds = NULL;
+ net_Close( p_sys->cmd.fd );
if( Login( p_access, p_sys ) )
goto error;
}
- /* features check */
- bool unicode = false;
- if( ftp_SendCommand( p_access, p_sys, "FEAT" ) < 0
- || ftp_RecvAnswer( p_access, p_sys, NULL, NULL,
- FeaturesCheck, &unicode ) < 0 )
- {
- msg_Err( p_access, "cannot get server features" );
- goto error;
- }
-
- if( (unicode ? IsUTF8 : IsASCII)(p_sys->url.psz_path) == NULL )
+ if( (p_sys->features.b_unicode ? IsUTF8 : IsASCII)(p_sys->url.psz_path) == NULL )
{
msg_Err( p_access, "unsupported path: \"%s\"", p_sys->url.psz_path );
goto error;
@@ -416,7 +495,11 @@ static int Connect( vlc_object_t *p_access, access_sys_t *p_sys )
return 0;
error:
- net_Close( p_sys->fd_cmd );
+ if ( p_sys->cmd.p_tls )
+ vlc_tls_SessionDelete( p_sys->cmd.p_tls );
+ if ( p_sys->p_creds )
+ vlc_tls_Delete( p_sys->p_creds );
+ net_Close( p_sys->cmd.fd );
return -1;
}
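Review bot: The SessionDelete / vlc_tls_Delete / net_Close sequence at this `error:` label is copy-pasted in at least five places (Connect's EPSV fallback, here, twice in InOpen, once in OutOpen), with small differences in which pointers get reset afterwards. A single static helper keeps the order in one place and can also clear `cmd.p_vs`, which none of the copies do. Connect's body starts before this hunk.
```c
/* Tear down the command channel: TLS session, credentials, then the socket. */
static void ftp_CmdClose( access_sys_t *p_sys )
{
    if( p_sys->cmd.p_tls != NULL )
        vlc_tls_SessionDelete( p_sys->cmd.p_tls );
    if( p_sys->p_creds != NULL )
        vlc_tls_Delete( p_sys->p_creds );
    net_Close( p_sys->cmd.fd );
    p_sys->cmd.p_tls = NULL;
    p_sys->cmd.p_vs = NULL;
    p_sys->p_creds = NULL;
    p_sys->cmd.fd = -1;
}
```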
@@ -472,9 +555,10 @@ static int InOpen( vlc_object_t *p_this )
/* Init p_access */
STANDARD_READ_ACCESS_INIT
- p_sys->fd_data = -1;
+ p_sys->data.fd = -1;
p_sys->out = false;
p_sys->directory = false;
+ p_sys->b_tls = !strncmp( p_access->psz_access, "ftps", 4 );
if( parseURL( &p_sys->url, p_access->psz_location ) )
goto exit_error;
@@ -493,7 +577,7 @@ static int InOpen( vlc_object_t *p_this )
{
p_access->info.i_size = atoll( &psz_arg[4] );
free( psz_arg );
- msg_Dbg( p_access, "file size: %"PRIu64, p_access->info.i_size );
+ msg_Dbg( p_this, "file size: %"PRIu64, p_access->info.i_size );
}
else
if( ftp_SendCommand( p_this, p_sys, "CWD %s", p_sys->url.psz_path ) < 0 )
@@ -501,7 +585,7 @@ static int InOpen( vlc_object_t *p_this )
else
if( ftp_RecvCommand( p_this, p_sys, NULL, NULL ) != 2 )
{
- msg_Err( p_access, "file or directory does not exist" );
+ msg_Err( p_this, "file or directory does not exist" );
goto error;
}
else
@@ -510,15 +594,19 @@ static int InOpen( vlc_object_t *p_this )
/* Start the 'stream' */
if( ftp_StartStream( p_this, p_sys, 0 ) < 0 )
{
- msg_Err( p_access, "cannot retrieve file" );
- net_Close( p_sys->fd_cmd );
+ msg_Err( p_this, "cannot retrieve file" );
+ if ( p_sys->cmd.p_tls ) vlc_tls_SessionDelete( p_sys->cmd.p_tls );
+ if ( p_sys->p_creds ) vlc_tls_Delete( p_sys->p_creds );
+ net_Close( p_sys->cmd.fd );
goto exit_error;
}
return VLC_SUCCESS;
error:
- net_Close( p_sys->fd_cmd );
+ if ( p_sys->cmd.p_tls ) vlc_tls_SessionDelete( p_sys->cmd.p_tls );
+ if ( p_sys->p_creds ) vlc_tls_Delete( p_sys->p_creds );
+ net_Close( p_sys->cmd.fd );
exit_error:
vlc_UrlClean( &p_sys->url );
free( p_sys );
@@ -535,8 +623,9 @@ static int OutOpen( vlc_object_t *p_this )
return VLC_ENOMEM;
/* Init p_access */
- p_sys->fd_data = -1;
+ p_sys->data.fd = -1;
p_sys->out = true;
+ p_sys->b_tls = !strncmp( p_access->psz_access, "ftps", 4 );
if( parseURL( &p_sys->url, p_access->psz_path ) )
goto exit_error;
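Review bot: Every cleanup path added by this patch tests `p_sys->cmd.p_tls`, `p_sys->p_creds` and `p_sys->data.p_tls` for NULL, yet OutOpen explicitly initializes only `data.fd`, `out` and `b_tls`; whether the new pointer members start out NULL depends on the allocation just above this hunk, which is not visible here (the `return VLC_ENOMEM;` context line suggests it was just checked). If that allocation is not a `calloc`, add `p_sys->cmd.p_tls = p_sys->data.p_tls = NULL; p_sys->cmd.p_vs = p_sys->data.p_vs = NULL; p_sys->p_creds = NULL;` alongside `p_sys->data.fd = -1;`, and check the same for InOpen. `!strncmp( p_access->psz_access, "ftps", 4 )` also matches any access name that merely starts with "ftps"; since the registered shortcuts are exactly "ftp" and "ftps", `strcmp` is the tighter test.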
@@ -553,7 +642,9 @@ static int OutOpen( vlc_object_t *p_this )
if( ftp_StartStream( p_this, p_sys, 0 ) < 0 )
{
msg_Err( p_access, "cannot store file" );
- net_Close( p_sys->fd_cmd );
+ if ( p_sys->cmd.p_tls ) vlc_tls_SessionDelete( p_sys->cmd.p_tls );
+ if ( p_sys->p_creds ) vlc_tls_Delete( p_sys->p_creds );
+ net_Close( p_sys->cmd.fd );
goto exit_error;
}
@@ -585,10 +676,15 @@ static void Close( vlc_object_t *p_access, access_sys_t *p_sys )
{
ftp_RecvCommand( p_access, p_sys, NULL, NULL );
}
- net_Close( p_sys->fd_cmd );
+
+ if( p_sys->cmd.p_tls != NULL)
+ vlc_tls_SessionDelete( p_sys->cmd.p_tls );
+
+ net_Close( p_sys->cmd.fd );
/* free memory */
vlc_UrlClean( &p_sys->url );
+ vlc_tls_Delete( p_sys->p_creds );
free( p_sys );
}
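Review bot: `vlc_tls_Delete( p_sys->p_creds )` is called unconditionally here, while every other teardown in this patch guards it with `if ( p_sys->p_creds )`; `p_creds` is NULL for a plain ftp session, so either the guard is redundant everywhere or it is missing here. Make the sites agree, e.g. `if( p_sys->p_creds != NULL ) vlc_tls_Delete( p_sys->p_creds );`. Close's body starts before this hunk.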
@@ -641,7 +737,7 @@ static ssize_t Read( access_t *p_access, uint8_t *p_buffer, size_t i_len )
{
access_sys_t *p_sys = p_access->p_sys;
- assert( p_sys->fd_data != -1 );
+ assert( p_sys->data.fd != -1 );
assert( !p_sys->out );
if( p_access->info.b_eof )
@@ -649,7 +745,7 @@ static ssize_t Read( access_t *p_access, uint8_t *p_buffer, size_t i_len )
if( p_sys->directory )
{
- char *psz_line = net_Gets( p_access, p_sys->fd_data, NULL );
+ char *psz_line = net_Gets( p_access, p_sys->data.fd, p_sys->data.p_vs );
if( !psz_line )
{
p_access->info.b_eof = true;
@@ -657,7 +753,8 @@ static ssize_t Read( access_t *p_access, uint8_t *p_buffer, size_t i_len )
}
else
{
- snprintf( (char*)p_buffer, i_len, "ftp://%s:%d/%s/%s\n",
+ snprintf( (char*)p_buffer, i_len, "%s://%s:%d/%s/%s\n",
+ p_sys->b_tls ? "ftps" : "ftp",
p_sys->url.psz_host, p_sys->url.i_port,
p_sys->url.psz_path, psz_line );
free( psz_line );
@@ -666,7 +763,7 @@ static ssize_t Read( access_t *p_access, uint8_t *p_buffer, size_t i_len )
}
else
{
- int i_read = net_Read( p_access, p_sys->fd_data, NULL,
+ int i_read = net_Read( p_access, p_sys->data.fd, p_sys->data.p_vs,
p_buffer, i_len, false );
if( i_read == 0 )
p_access->info.b_eof = true;
@@ -685,13 +782,13 @@ static ssize_t Write( sout_access_out_t *p_access, block_t *p_buffer )
access_sys_t *p_sys = GET_OUT_SYS(p_access);
size_t i_write = 0;
- assert( p_sys->fd_data != -1 );
+ assert( p_sys->data.fd != -1 );
while( p_buffer != NULL )
{
block_t *p_next = p_buffer->p_next;;
- i_write += net_Write( p_access, p_sys->fd_data, NULL,
+ i_write += net_Write( p_access, p_sys->data.fd, p_sys->data.p_vs,
p_buffer->p_buffer, p_buffer->i_buffer );
block_Release( p_buffer );
@@ -767,7 +864,7 @@ static int ftp_StartStream( vlc_object_t *p_access, access_sys_t *p_sys,
char *psz_arg, *psz_parser;
int i_port;
- assert( p_sys->fd_data == -1 );
+ assert( p_sys->data.fd == -1 );
if( ( ftp_SendCommand( p_access, p_sys, *psz_ip ? "EPSV" : "PASV" ) < 0 )
|| ( ftp_RecvCommand( p_access, p_sys, &i_answer, &psz_arg ) != 2 ) )
@@ -835,8 +932,8 @@ static int ftp_StartStream( vlc_object_t *p_access, access_sys_t *p_sys,
}
msg_Dbg( p_access, "waiting for data connection..." );
- p_sys->fd_data = net_ConnectTCP( p_access, psz_ip, i_port );
- if( p_sys->fd_data < 0 )
+ p_sys->data.fd = net_ConnectTCP( p_access, psz_ip, i_port );
+ if( p_sys->data.fd < 0 )
{
msg_Err( p_access, "failed to connect with server" );
return VLC_EGENERIC;
@@ -867,7 +964,23 @@ static int ftp_StartStream( vlc_object_t *p_access, access_sys_t *p_sys,
}
}
- shutdown( p_sys->fd_data, p_sys->out ? SHUT_RD : SHUT_WR );
+ if( p_sys->b_tls && p_sys->features.b_authtls )
+ {
+ /* FIXME: Do Reuse TLS Session */
+ /* TLS/SSL handshake */
+ p_sys->data.p_tls = vlc_tls_ClientSessionCreate( p_sys->p_creds,
+ p_sys->data.fd, p_sys->url.psz_host, "ftps-data" );
+ if( p_sys->data.p_tls == NULL )
+ {
+ msg_Err( p_access, "cannot establish HTTP/TLS session for data" \
+ ": server not allowing new session ?" );
+ return VLC_EGENERIC;
+ }
+
+ p_sys->data.p_vs = &p_sys->data.p_tls->sock;
+ }
+
+ shutdown( p_sys->data.fd, p_sys->out ? SHUT_RD : SHUT_WR );
return VLC_SUCCESS;
}
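Review bot: When `vlc_tls_ClientSessionCreate` fails on the data channel the function returns `VLC_EGENERIC` with `p_sys->data.fd` still open and not reset to -1 (it was connected in the previous hunk), so the socket leaks and the `assert( p_sys->data.fd == -1 )` at the top of ftp_StartStream fires on any later attempt; close it before returning, `net_Close( p_sys->data.fd ); p_sys->data.fd = -1;`. The message text says "HTTP/TLS" for an FTP data channel (Login's command-channel message has the same wording); "TLS" or "FTP/TLS" is accurate. I cannot tell from the hunk whether `shutdown()` on the raw socket is compatible with the TLS layer now sitting on it — after SHUT_WR this side can no longer send a close_notify — so that is worth confirming against a server that enforces clean TLS closure. ftp_StartStream's body starts before this hunk.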
@@ -877,16 +990,24 @@ static int ftp_StopStream ( vlc_object_t *p_access, access_sys_t *p_sys )
if( ftp_SendCommand( p_access, p_sys, "ABOR" ) < 0 )
{
msg_Warn( p_access, "cannot abort file" );
- if( p_sys->fd_data > 0 )
- net_Close( p_sys->fd_data );
- p_sys->fd_data = -1;
+ if( p_sys->data.fd > 0 )
+ {
+ if ( p_sys->data.p_tls ) vlc_tls_SessionDelete( p_sys->data.p_tls );
+ net_Close( p_sys->data.fd );
+ }
+ p_sys->data.fd = -1;
+ p_sys->data.p_tls = NULL;
+ p_sys->data.p_vs = NULL;
return VLC_EGENERIC;
}
- if( p_sys->fd_data != -1 )
+ if( p_sys->data.fd != -1 )
{
- net_Close( p_sys->fd_data );
- p_sys->fd_data = -1;
+ if ( p_sys->data.p_tls ) vlc_tls_SessionDelete( p_sys->data.p_tls );
+ net_Close( p_sys->data.fd );
+ p_sys->data.fd = -1;
+ p_sys->data.p_tls = NULL;
+ p_sys->data.p_vs = NULL;
/* Read the final response from RETR/STOR, i.e. 426 or 226 */
ftp_RecvCommand( p_access, p_sys, NULL, NULL );
}
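Review bot: The two branches test the data descriptor differently — `if( p_sys->data.fd > 0 )` in the ABOR-failure path and `if( p_sys->data.fd != -1 )` below — and since the patch rewrites both lines it is the right moment to make them agree; -1 is the sentinel used everywhere else and descriptor 0 is a valid socket, so `!= -1` is the correct test in both places. Both branches also repeat the same SessionDelete/net_Close/reset sequence, which could be one static helper mirroring the command-channel teardown. ftp_StopStream continues past this hunk.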
--
1.8.1.4