From: Marvin Scholz <epirat07-at-gmail.com@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0
Date: Wed, 25 Jun 2025 21:59:10 +0200
Message-ID: <20250625195916.20276-2-epirat07@gmail.com> (raw)
In-Reply-To: <20250625195916.20276-1-epirat07@gmail.com>
---
libavformat/network.c | 8 --
libavformat/tls_openssl.c | 166 +-------------------------------------
2 files changed, 2 insertions(+), 172 deletions(-)
diff --git a/libavformat/network.c b/libavformat/network.c
index 2eabd0c167..a7026ac09b 100644
--- a/libavformat/network.c
+++ b/libavformat/network.c
@@ -36,11 +36,6 @@
int ff_tls_init(void)
{
#if CONFIG_TLS_PROTOCOL
-#if CONFIG_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L
- int ret;
- if ((ret = ff_openssl_init()) < 0)
- return ret;
-#endif
#if CONFIG_GNUTLS
ff_gnutls_init();
#endif
@@ -51,9 +46,6 @@ int ff_tls_init(void)
void ff_tls_deinit(void)
{
#if CONFIG_TLS_PROTOCOL
-#if CONFIG_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L
- ff_openssl_deinit();
-#endif
#if CONFIG_GNUTLS
ff_gnutls_deinit();
#endif
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 2a3905891d..525b7f3701 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -262,11 +262,6 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey)
goto einval_end;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L // v1.1.x
- /* For openssl 1.0, we must set the group parameters, so that cert is ok. */
- EC_GROUP_set_asn1_flag(ecgroup, OPENSSL_EC_NAMED_CURVE);
-#endif
-
if (EC_KEY_set_group(*eckey, ecgroup) != 1) {
av_log(NULL, AV_LOG_ERROR, "TLS: Generate private key, EC_KEY_set_group failed, %s\n", ERR_error_string(ERR_get_error(), NULL));
goto einval_end;
@@ -415,11 +410,7 @@ error:
*/
static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv)
{
-#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL 1.0.2 */
- BIO *mem = BIO_new_mem_buf((void *)pem_str, -1);
-#else
BIO *mem = BIO_new_mem_buf(pem_str, -1);
-#endif
if (!mem) {
av_log(NULL, AV_LOG_ERROR, "BIO_new_mem_buf failed\n");
return NULL;
@@ -449,11 +440,7 @@ static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv)
*/
static X509 *cert_from_pem_string(const char *pem_str)
{
-#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL 1.0.2 */
- BIO *mem = BIO_new_mem_buf((void *)pem_str, -1);
-#else
BIO *mem = BIO_new_mem_buf(pem_str, -1);
-#endif
if (!mem) {
av_log(NULL, AV_LOG_ERROR, "BIO_new_mem_buf failed\n");
return NULL;
@@ -476,9 +463,7 @@ typedef struct TLSContext {
SSL_CTX *ctx;
SSL *ssl;
EVP_PKEY *pkey;
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
BIO_METHOD* url_bio_method;
-#endif
int io_err;
char error_message[256];
} TLSContext;
@@ -530,87 +515,6 @@ int ff_dtls_state(URLContext *h)
return c->tls_shared.state;
}
-/* OpenSSL 1.0.2 or below, then you would use SSL_library_init. If you are
- * using OpenSSL 1.1.0 or above, then the library will initialize
- * itself automatically.
- * https://wiki.openssl.org/index.php/Library_Initialization
- */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#include "libavutil/thread.h"
-
-static AVMutex openssl_mutex = AV_MUTEX_INITIALIZER;
-
-static int openssl_init;
-
-#if HAVE_THREADS
-#include <openssl/crypto.h>
-#include "libavutil/mem.h"
-
-pthread_mutex_t *openssl_mutexes;
-static void openssl_lock(int mode, int type, const char *file, int line)
-{
- if (mode & CRYPTO_LOCK)
- pthread_mutex_lock(&openssl_mutexes[type]);
- else
- pthread_mutex_unlock(&openssl_mutexes[type]);
-}
-#if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
-static unsigned long openssl_thread_id(void)
-{
- return (intptr_t) pthread_self();
-}
-#endif
-#endif
-
-int ff_openssl_init(void)
-{
- ff_mutex_lock(&openssl_mutex);
- if (!openssl_init) {
- SSL_library_init();
- SSL_load_error_strings();
-#if HAVE_THREADS
- if (!CRYPTO_get_locking_callback()) {
- int i;
- openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks());
- if (!openssl_mutexes) {
- ff_mutex_unlock(&openssl_mutex);
- return AVERROR(ENOMEM);
- }
-
- for (i = 0; i < CRYPTO_num_locks(); i++)
- pthread_mutex_init(&openssl_mutexes[i], NULL);
- CRYPTO_set_locking_callback(openssl_lock);
-#if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
- CRYPTO_set_id_callback(openssl_thread_id);
-#endif
- }
-#endif
- }
- openssl_init++;
- ff_mutex_unlock(&openssl_mutex);
-
- return 0;
-}
-
-void ff_openssl_deinit(void)
-{
- ff_mutex_lock(&openssl_mutex);
- openssl_init--;
- if (!openssl_init) {
-#if HAVE_THREADS
- if (CRYPTO_get_locking_callback() == openssl_lock) {
- int i;
- CRYPTO_set_locking_callback(NULL);
- for (i = 0; i < CRYPTO_num_locks(); i++)
- pthread_mutex_destroy(&openssl_mutexes[i]);
- av_free(openssl_mutexes);
- }
-#endif
- }
- ff_mutex_unlock(&openssl_mutex);
-}
-#endif
-
static int print_ssl_error(URLContext *h, int ret)
{
TLSContext *c = h->priv_data;
@@ -645,27 +549,16 @@ static int tls_close(URLContext *h)
if (c->ctx)
SSL_CTX_free(c->ctx);
ffurl_closep(&c->tls_shared.tcp);
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
if (c->url_bio_method)
BIO_meth_free(c->url_bio_method);
-#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- ff_openssl_deinit();
-#endif
return 0;
}
static int url_bio_create(BIO *b)
{
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
BIO_set_init(b, 1);
BIO_set_data(b, NULL);
BIO_set_flags(b, 0);
-#else
- b->init = 1;
- b->ptr = NULL;
- b->flags = 0;
-#endif
return 1;
}
@@ -674,11 +567,7 @@ static int url_bio_destroy(BIO *b)
return 1;
}
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
#define GET_BIO_DATA(x) BIO_get_data(x)
-#else
-#define GET_BIO_DATA(x) (x)->ptr
-#endif
static int url_bio_bread(BIO *b, char *buf, int len)
{
@@ -726,25 +615,10 @@ static int url_bio_bputs(BIO *b, const char *str)
return url_bio_bwrite(b, str, strlen(str));
}
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL
-static BIO_METHOD url_bio_method = {
- .type = BIO_TYPE_SOURCE_SINK,
- .name = "urlprotocol bio",
- .bwrite = url_bio_bwrite,
- .bread = url_bio_bread,
- .bputs = url_bio_bputs,
- .bgets = NULL,
- .ctrl = url_bio_ctrl,
- .create = url_bio_create,
- .destroy = url_bio_destroy,
-};
-#endif
-
static av_cold void init_bio_method(URLContext *h)
{
TLSContext *p = h->priv_data;
BIO *bio;
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
BIO_meth_set_read(p->url_bio_method, url_bio_bread);
@@ -754,10 +628,7 @@ static av_cold void init_bio_method(URLContext *h)
BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy);
bio = BIO_new(p->url_bio_method);
BIO_set_data(bio, p);
-#else
- bio = BIO_new(&url_bio_method);
- bio->ptr = p;
-#endif
+
SSL_set_bio(p->ssl, bio, bio);
}
@@ -885,32 +756,21 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
int ret = 0;
c->is_dtls = 1;
const char* ciphers = "ALL";
-#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2
- EC_KEY *ec_key = NULL;
-#endif
+
/**
* The profile for OpenSSL's SRTP is SRTP_AES128_CM_SHA1_80, see ssl/d1_srtp.c.
* The profile for FFmpeg's SRTP is SRTP_AES128_CM_HMAC_SHA1_80, see libavformat/srtp.c.
*/
const char* profiles = "SRTP_AES128_CM_SHA1_80";
/* Refer to the test cases regarding these curves in the WebRTC code. */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* OpenSSL 1.1.0 */
const char* curves = "X25519:P-256:P-384:P-521";
-#elif OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 */
- const char* curves = "P-256:P-384:P-521";
-#endif
-#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL v1.0.2 */
- p->ctx = SSL_CTX_new(DTLSv1_method());
-#else
p->ctx = SSL_CTX_new(DTLS_method());
-#endif
if (!p->ctx) {
ret = AVERROR(ENOMEM);
goto fail;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 */
/* For ECDSA, we could set the curves list. */
if (SSL_CTX_set1_curves_list(p->ctx, curves) != 1) {
av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set1_curves_list failed, curves=%s, %s\n",
@@ -918,7 +778,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
ret = AVERROR(EINVAL);
return ret;
}
-#endif
/**
* We activate "ALL" cipher suites to align with the peer's capabilities,
@@ -933,17 +792,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
ret = openssl_init_ca_key_cert(h);
if (ret < 0) goto fail;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L // v1.1.x
-#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2
- if (p->pkey)
- ec_key = EVP_PKEY_get1_EC_KEY(p->pkey);
- if (ec_key)
- SSL_CTX_set_tmp_ecdh(p->ctx, ec_key);
-#else
- SSL_CTX_set_ecdh_auto(p->ctx, 1);
-#endif
-#endif
-
/* Server will send Certificate Request. */
SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, openssl_dtls_verify_callback);
/* The depth count is "level 0:peer certificate", "level 1: CA certificate",
@@ -975,9 +823,7 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
*/
SSL_set_options(p->ssl, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(p->ssl, p->tls_shared.mtu);
-#if OPENSSL_VERSION_NUMBER >= 0x100010b0L /* OpenSSL 1.0.1k */
DTLS_set_link_mtu(p->ssl, p->tls_shared.mtu);
-#endif
init_bio_method(h);
if (p->tls_shared.use_external_udp != 1) {
@@ -1015,9 +861,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
ret = 0;
fail:
-#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2
- EC_KEY_free(ec_key);
-#endif
return ret;
}
@@ -1042,11 +885,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
TLSShared *c = &p->tls_shared;
int ret;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if ((ret = ff_openssl_init()) < 0)
- return ret;
-#endif
-
if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
goto fail;
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-06-25 19:59 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz
2025-06-25 19:59 ` Marvin Scholz [this message]
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 3/8] avformat/tls_openssl: remove now unnecessary define Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 4/8] avformat/tls_openssl: properly get new BIO index Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 5/8] avformat/tls_openssl: remove leftover comment Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 6/8] avformat/tls_openssl: remove unnecessary checks Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 7/8] avformat/tls_openssl: use TLS_[client|server]_method Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 8/8] avformat/tls_openssl: use SSL_CTX_set_min_proto_version Marvin Scholz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250625195916.20276-2-epirat07@gmail.com \
--to=epirat07-at-gmail.com@ffmpeg.org \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git