avformat: tls: drop support for OpenSSL < 1.1.0

libavformat/network.c

@@ -36,11 +36,6 @@
 int ff_tls_init(void)
 {
 #if CONFIG_TLS_PROTOCOL
-#if CONFIG_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L
-    int ret;
-    if ((ret = ff_openssl_init()) < 0)
-        return ret;
-#endif
 #if CONFIG_GNUTLS
     ff_gnutls_init();
 #endif
@@ -51,9 +46,6 @@ int ff_tls_init(void)
 void ff_tls_deinit(void)
 {
 #if CONFIG_TLS_PROTOCOL
-#if CONFIG_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L
-    ff_openssl_deinit();
-#endif
 #if CONFIG_GNUTLS
     ff_gnutls_deinit();
 #endif

libavformat/tls_openssl.c

@@ -262,11 +262,6 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey)
         goto einval_end;
     }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L // v1.1.x
-    /* For openssl 1.0, we must set the group parameters, so that cert is ok. */
-    EC_GROUP_set_asn1_flag(ecgroup, OPENSSL_EC_NAMED_CURVE);
-#endif
-
     if (EC_KEY_set_group(*eckey, ecgroup) != 1) {
         av_log(NULL, AV_LOG_ERROR, "TLS: Generate private key, EC_KEY_set_group failed, %s\n", ERR_error_string(ERR_get_error(), NULL));
         goto einval_end;
@@ -415,11 +410,7 @@ error:
  */
 static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv)
 {
-#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL 1.0.2 */
-    BIO *mem = BIO_new_mem_buf((void *)pem_str, -1);
-#else
     BIO *mem = BIO_new_mem_buf(pem_str, -1);
-#endif
     if (!mem) {
         av_log(NULL, AV_LOG_ERROR, "BIO_new_mem_buf failed\n");
         return NULL;
@@ -449,11 +440,7 @@ static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv)
  */
 static X509 *cert_from_pem_string(const char *pem_str)
 {
-#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL 1.0.2 */
-    BIO *mem = BIO_new_mem_buf((void *)pem_str, -1);
-#else
     BIO *mem = BIO_new_mem_buf(pem_str, -1);
-#endif
     if (!mem) {
         av_log(NULL, AV_LOG_ERROR, "BIO_new_mem_buf failed\n");
         return NULL;
@@ -476,9 +463,7 @@ typedef struct TLSContext {
     SSL_CTX *ctx;
     SSL *ssl;
     EVP_PKEY *pkey;
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
     BIO_METHOD* url_bio_method;
-#endif
     int io_err;
     char error_message[256];
 } TLSContext;
@@ -530,87 +515,6 @@ int ff_dtls_state(URLContext *h)
     return c->tls_shared.state;
 }
 
-/* OpenSSL 1.0.2 or below, then you would use SSL_library_init. If you are
- * using OpenSSL 1.1.0 or above, then the library will initialize
- * itself automatically.
- * https://wiki.openssl.org/index.php/Library_Initialization
- */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#include "libavutil/thread.h"
-
-static AVMutex openssl_mutex = AV_MUTEX_INITIALIZER;
-
-static int openssl_init;
-
-#if HAVE_THREADS
-#include <openssl/crypto.h>
-#include "libavutil/mem.h"
-
-pthread_mutex_t *openssl_mutexes;
-static void openssl_lock(int mode, int type, const char *file, int line)
-{
-    if (mode & CRYPTO_LOCK)
-        pthread_mutex_lock(&openssl_mutexes[type]);
-    else
-        pthread_mutex_unlock(&openssl_mutexes[type]);
-}
-#if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
-static unsigned long openssl_thread_id(void)
-{
-    return (intptr_t) pthread_self();
-}
-#endif
-#endif
-
-int ff_openssl_init(void)
-{
-    ff_mutex_lock(&openssl_mutex);
-    if (!openssl_init) {
-        SSL_library_init();
-        SSL_load_error_strings();
-#if HAVE_THREADS
-        if (!CRYPTO_get_locking_callback()) {
-            int i;
-            openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks());
-            if (!openssl_mutexes) {
-                ff_mutex_unlock(&openssl_mutex);
-                return AVERROR(ENOMEM);
-            }
-
-            for (i = 0; i < CRYPTO_num_locks(); i++)
-                pthread_mutex_init(&openssl_mutexes[i], NULL);
-            CRYPTO_set_locking_callback(openssl_lock);
-#if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
-            CRYPTO_set_id_callback(openssl_thread_id);
-#endif
-        }
-#endif
-    }
-    openssl_init++;
-    ff_mutex_unlock(&openssl_mutex);
-
-    return 0;
-}
-
-void ff_openssl_deinit(void)
-{
-    ff_mutex_lock(&openssl_mutex);
-    openssl_init--;
-    if (!openssl_init) {
-#if HAVE_THREADS
-        if (CRYPTO_get_locking_callback() == openssl_lock) {
-            int i;
-            CRYPTO_set_locking_callback(NULL);
-            for (i = 0; i < CRYPTO_num_locks(); i++)
-                pthread_mutex_destroy(&openssl_mutexes[i]);
-            av_free(openssl_mutexes);
-        }
-#endif
-    }
-    ff_mutex_unlock(&openssl_mutex);
-}
-#endif
-
 static int print_ssl_error(URLContext *h, int ret)
 {
     TLSContext *c = h->priv_data;
@@ -645,27 +549,16 @@ static int tls_close(URLContext *h)
     if (c->ctx)
         SSL_CTX_free(c->ctx);
     ffurl_closep(&c->tls_shared.tcp);
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
     if (c->url_bio_method)
         BIO_meth_free(c->url_bio_method);
-#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    ff_openssl_deinit();
-#endif
     return 0;
 }
 
 static int url_bio_create(BIO *b)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
     BIO_set_init(b, 1);
     BIO_set_data(b, NULL);
     BIO_set_flags(b, 0);
-#else
-    b->init = 1;
-    b->ptr = NULL;
-    b->flags = 0;
-#endif
     return 1;
 }
 
@@ -674,11 +567,7 @@ static int url_bio_destroy(BIO *b)
     return 1;
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
 #define GET_BIO_DATA(x) BIO_get_data(x)
-#else
-#define GET_BIO_DATA(x) (x)->ptr
-#endif
 
 static int url_bio_bread(BIO *b, char *buf, int len)
 {
@@ -726,25 +615,10 @@ static int url_bio_bputs(BIO *b, const char *str)
     return url_bio_bwrite(b, str, strlen(str));
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL
-static BIO_METHOD url_bio_method = {
-    .type = BIO_TYPE_SOURCE_SINK,
-    .name = "urlprotocol bio",
-    .bwrite = url_bio_bwrite,
-    .bread = url_bio_bread,
-    .bputs = url_bio_bputs,
-    .bgets = NULL,
-    .ctrl = url_bio_ctrl,
-    .create = url_bio_create,
-    .destroy = url_bio_destroy,
-};
-#endif
-
 static av_cold void init_bio_method(URLContext *h)
 {
     TLSContext *p = h->priv_data;
     BIO *bio;
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
     p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
     BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
     BIO_meth_set_read(p->url_bio_method, url_bio_bread);
@@ -754,10 +628,7 @@ static av_cold void init_bio_method(URLContext *h)
     BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy);
     bio = BIO_new(p->url_bio_method);
     BIO_set_data(bio, p);
-#else
-    bio = BIO_new(&url_bio_method);
-    bio->ptr = p;
-#endif
+
     SSL_set_bio(p->ssl, bio, bio);
 }
 
@@ -885,32 +756,21 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
     int ret = 0;
     c->is_dtls = 1;
     const char* ciphers = "ALL";
-#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2
-    EC_KEY *ec_key = NULL;
-#endif
+
     /**
      * The profile for OpenSSL's SRTP is SRTP_AES128_CM_SHA1_80, see ssl/d1_srtp.c.
      * The profile for FFmpeg's SRTP is SRTP_AES128_CM_HMAC_SHA1_80, see libavformat/srtp.c.
      */
     const char* profiles = "SRTP_AES128_CM_SHA1_80";
     /* Refer to the test cases regarding these curves in the WebRTC code. */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* OpenSSL 1.1.0 */
     const char* curves = "X25519:P-256:P-384:P-521";
-#elif OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 */
-    const char* curves = "P-256:P-384:P-521";
-#endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL v1.0.2 */
-    p->ctx = SSL_CTX_new(DTLSv1_method());
-#else
     p->ctx = SSL_CTX_new(DTLS_method());
-#endif
     if (!p->ctx) {
         ret = AVERROR(ENOMEM);
         goto fail;
     }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 */
     /* For ECDSA, we could set the curves list. */
     if (SSL_CTX_set1_curves_list(p->ctx, curves) != 1) {
         av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set1_curves_list failed, curves=%s, %s\n",
@@ -918,7 +778,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
         ret = AVERROR(EINVAL);
         return ret;
     }
-#endif
 
     /**
      * We activate "ALL" cipher suites to align with the peer's capabilities,
@@ -933,17 +792,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
     ret = openssl_init_ca_key_cert(h);
     if (ret < 0) goto fail;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L // v1.1.x
-#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2
-    if (p->pkey)
-        ec_key = EVP_PKEY_get1_EC_KEY(p->pkey);
-    if (ec_key)
-        SSL_CTX_set_tmp_ecdh(p->ctx, ec_key);
-#else
-    SSL_CTX_set_ecdh_auto(p->ctx, 1);
-#endif
-#endif
-
     /* Server will send Certificate Request. */
     SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, openssl_dtls_verify_callback);
     /* The depth count is "level 0:peer certificate", "level 1: CA certificate",
@@ -975,9 +823,7 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
      */
     SSL_set_options(p->ssl, SSL_OP_NO_QUERY_MTU);
     SSL_set_mtu(p->ssl, p->tls_shared.mtu);
-#if OPENSSL_VERSION_NUMBER >= 0x100010b0L /* OpenSSL 1.0.1k */
     DTLS_set_link_mtu(p->ssl, p->tls_shared.mtu);
-#endif
     init_bio_method(h);
 
     if (p->tls_shared.use_external_udp != 1) {
@@ -1014,9 +860,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
 
     ret = 0;
 fail:
-#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2
-    EC_KEY_free(ec_key);
-#endif
     return ret;
 }
 
@@ -1040,11 +883,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
     TLSShared *c = &p->tls_shared;
     int ret;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    if ((ret = ff_openssl_init()) < 0)
-        return ret;
-#endif
-
     if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
         goto fail;