virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-04-02 20:35:37 +02:00
Code Issues Releases Activity

lavf/tls_mbedtls: add support for mbedtls version 3

Browse Source 
- certs.h is gone. Only contains test data, and was not used at all.
- config.h is renamed. Was seemingly not used, so can be removed.
- MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE is gone, instead
  MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE will be thrown.
- mbedtls_pk_parse_keyfile now needs to be passed a properly seeded
  RNG. Hence, move the call to after RNG seeding.

Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
This commit is contained in:
Timo Rothenpieler 2022-04-24 01:02:14 +02:00
parent 1d746bd00e
commit 6ffc0e3198
1 changed files with 22 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
libavformat/tls_mbedtls.c
View File

@ -19,8 +19,7 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ */
#include <mbedtls/certs.h> #include <mbedtls/version.h>
#include <mbedtls/config.h>
#include <mbedtls/ctr_drbg.h> #include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h> #include <mbedtls/entropy.h>
#include <mbedtls/net_sockets.h> #include <mbedtls/net_sockets.h>
@ -130,9 +129,15 @@ static void handle_pk_parse_error(URLContext *h, int ret)
static void handle_handshake_error(URLContext *h, int ret) static void handle_handshake_error(URLContext *h, int ret)
{ {
switch (ret) { switch (ret) {
#if MBEDTLS_VERSION_MAJOR < 3
case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n"); av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n");
break; break;
#else
case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:
av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n");
break;
#endif
case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n");
break; break;
@ -195,16 +200,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
} }
} }
// load key file
if (shr->key_file) {
if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,
shr->key_file,
tls_ctx->priv_key_pw)) != 0) {
handle_pk_parse_error(h, ret);
goto fail;
}
}
// seed the random number generator // seed the random number generator
if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context, if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context,
mbedtls_entropy_func, mbedtls_entropy_func,
@ -214,6 +209,21 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
goto fail; goto fail;
} }
// load key file
if (shr->key_file) {
if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,
shr->key_file,
tls_ctx->priv_key_pw
#if MBEDTLS_VERSION_MAJOR >= 3
, mbedtls_ctr_drbg_random,
&tls_ctx->ctr_drbg_context
#endif
)) != 0) {
handle_pk_parse_error(h, ret);
goto fail;
}
}
if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config, if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config,
shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_TRANSPORT_STREAM,