* [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0
@ 2025-06-25 19:59 Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0 Marvin Scholz
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw)
To: ffmpeg-devel
Given that OPENSSL_init_ssl was introduced in 1.1.0 means we can rely on
that to ensure we have at least 1.1.0.
---
configure | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/configure b/configure
index d625461983..25d736170b 100755
--- a/configure
+++ b/configure
@@ -7193,13 +7193,10 @@ enabled omx && require_headers OMX_Core.h && \
enabled openssl && { { check_pkg_config openssl "openssl >= 3.0.0" openssl/ssl.h OPENSSL_init_ssl &&
{ enabled gplv3 || ! enabled gpl || enabled nonfree || die "ERROR: OpenSSL >=3.0.0 requires --enable-version3"; }; } ||
{ enabled gpl && ! enabled nonfree && die "ERROR: OpenSSL <3.0.0 is incompatible with the gpl"; } ||
- check_pkg_config openssl openssl openssl/ssl.h OPENSSL_init_ssl ||
- check_pkg_config openssl openssl openssl/ssl.h SSL_library_init ||
+ check_pkg_config openssl "openssl >= 1.1.0" openssl/ssl.h OPENSSL_init_ssl ||
check_lib openssl openssl/ssl.h OPENSSL_init_ssl -lssl -lcrypto ||
- check_lib openssl openssl/ssl.h SSL_library_init -lssl -lcrypto ||
- check_lib openssl openssl/ssl.h SSL_library_init -lssl32 -leay32 ||
- check_lib openssl openssl/ssl.h SSL_library_init -lssl -lcrypto -lws2_32 -lgdi32 ||
- die "ERROR: openssl not found"; }
+ check_lib openssl openssl/ssl.h OPENSSL_init_ssl -lssl -lcrypto -lws2_32 -lgdi32 ||
+ die "ERROR: openssl (>= 1.1.0) not found"; }
enabled pocketsphinx && require_pkg_config pocketsphinx pocketsphinx pocketsphinx/pocketsphinx.h ps_init
enabled rkmpp && { require_pkg_config rkmpp rockchip_mpp rockchip/rk_mpi.h mpp_create &&
require_pkg_config rockchip_mpp "rockchip_mpp >= 1.3.7" rockchip/rk_mpi.h mpp_create &&
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0
2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz
@ 2025-06-25 19:59 ` Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 3/8] avformat/tls_openssl: remove now unnecessary define Marvin Scholz
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw)
To: ffmpeg-devel
---
libavformat/network.c | 8 --
libavformat/tls_openssl.c | 166 +-------------------------------------
2 files changed, 2 insertions(+), 172 deletions(-)
diff --git a/libavformat/network.c b/libavformat/network.c
index 2eabd0c167..a7026ac09b 100644
--- a/libavformat/network.c
+++ b/libavformat/network.c
@@ -36,11 +36,6 @@
int ff_tls_init(void)
{
#if CONFIG_TLS_PROTOCOL
-#if CONFIG_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L
- int ret;
- if ((ret = ff_openssl_init()) < 0)
- return ret;
-#endif
#if CONFIG_GNUTLS
ff_gnutls_init();
#endif
@@ -51,9 +46,6 @@ int ff_tls_init(void)
void ff_tls_deinit(void)
{
#if CONFIG_TLS_PROTOCOL
-#if CONFIG_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L
- ff_openssl_deinit();
-#endif
#if CONFIG_GNUTLS
ff_gnutls_deinit();
#endif
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 2a3905891d..525b7f3701 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -262,11 +262,6 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey)
goto einval_end;
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L // v1.1.x
- /* For openssl 1.0, we must set the group parameters, so that cert is ok. */
- EC_GROUP_set_asn1_flag(ecgroup, OPENSSL_EC_NAMED_CURVE);
-#endif
-
if (EC_KEY_set_group(*eckey, ecgroup) != 1) {
av_log(NULL, AV_LOG_ERROR, "TLS: Generate private key, EC_KEY_set_group failed, %s\n", ERR_error_string(ERR_get_error(), NULL));
goto einval_end;
@@ -415,11 +410,7 @@ error:
*/
static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv)
{
-#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL 1.0.2 */
- BIO *mem = BIO_new_mem_buf((void *)pem_str, -1);
-#else
BIO *mem = BIO_new_mem_buf(pem_str, -1);
-#endif
if (!mem) {
av_log(NULL, AV_LOG_ERROR, "BIO_new_mem_buf failed\n");
return NULL;
@@ -449,11 +440,7 @@ static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv)
*/
static X509 *cert_from_pem_string(const char *pem_str)
{
-#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL 1.0.2 */
- BIO *mem = BIO_new_mem_buf((void *)pem_str, -1);
-#else
BIO *mem = BIO_new_mem_buf(pem_str, -1);
-#endif
if (!mem) {
av_log(NULL, AV_LOG_ERROR, "BIO_new_mem_buf failed\n");
return NULL;
@@ -476,9 +463,7 @@ typedef struct TLSContext {
SSL_CTX *ctx;
SSL *ssl;
EVP_PKEY *pkey;
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
BIO_METHOD* url_bio_method;
-#endif
int io_err;
char error_message[256];
} TLSContext;
@@ -530,87 +515,6 @@ int ff_dtls_state(URLContext *h)
return c->tls_shared.state;
}
-/* OpenSSL 1.0.2 or below, then you would use SSL_library_init. If you are
- * using OpenSSL 1.1.0 or above, then the library will initialize
- * itself automatically.
- * https://wiki.openssl.org/index.php/Library_Initialization
- */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#include "libavutil/thread.h"
-
-static AVMutex openssl_mutex = AV_MUTEX_INITIALIZER;
-
-static int openssl_init;
-
-#if HAVE_THREADS
-#include <openssl/crypto.h>
-#include "libavutil/mem.h"
-
-pthread_mutex_t *openssl_mutexes;
-static void openssl_lock(int mode, int type, const char *file, int line)
-{
- if (mode & CRYPTO_LOCK)
- pthread_mutex_lock(&openssl_mutexes[type]);
- else
- pthread_mutex_unlock(&openssl_mutexes[type]);
-}
-#if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
-static unsigned long openssl_thread_id(void)
-{
- return (intptr_t) pthread_self();
-}
-#endif
-#endif
-
-int ff_openssl_init(void)
-{
- ff_mutex_lock(&openssl_mutex);
- if (!openssl_init) {
- SSL_library_init();
- SSL_load_error_strings();
-#if HAVE_THREADS
- if (!CRYPTO_get_locking_callback()) {
- int i;
- openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks());
- if (!openssl_mutexes) {
- ff_mutex_unlock(&openssl_mutex);
- return AVERROR(ENOMEM);
- }
-
- for (i = 0; i < CRYPTO_num_locks(); i++)
- pthread_mutex_init(&openssl_mutexes[i], NULL);
- CRYPTO_set_locking_callback(openssl_lock);
-#if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000
- CRYPTO_set_id_callback(openssl_thread_id);
-#endif
- }
-#endif
- }
- openssl_init++;
- ff_mutex_unlock(&openssl_mutex);
-
- return 0;
-}
-
-void ff_openssl_deinit(void)
-{
- ff_mutex_lock(&openssl_mutex);
- openssl_init--;
- if (!openssl_init) {
-#if HAVE_THREADS
- if (CRYPTO_get_locking_callback() == openssl_lock) {
- int i;
- CRYPTO_set_locking_callback(NULL);
- for (i = 0; i < CRYPTO_num_locks(); i++)
- pthread_mutex_destroy(&openssl_mutexes[i]);
- av_free(openssl_mutexes);
- }
-#endif
- }
- ff_mutex_unlock(&openssl_mutex);
-}
-#endif
-
static int print_ssl_error(URLContext *h, int ret)
{
TLSContext *c = h->priv_data;
@@ -645,27 +549,16 @@ static int tls_close(URLContext *h)
if (c->ctx)
SSL_CTX_free(c->ctx);
ffurl_closep(&c->tls_shared.tcp);
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
if (c->url_bio_method)
BIO_meth_free(c->url_bio_method);
-#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- ff_openssl_deinit();
-#endif
return 0;
}
static int url_bio_create(BIO *b)
{
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
BIO_set_init(b, 1);
BIO_set_data(b, NULL);
BIO_set_flags(b, 0);
-#else
- b->init = 1;
- b->ptr = NULL;
- b->flags = 0;
-#endif
return 1;
}
@@ -674,11 +567,7 @@ static int url_bio_destroy(BIO *b)
return 1;
}
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
#define GET_BIO_DATA(x) BIO_get_data(x)
-#else
-#define GET_BIO_DATA(x) (x)->ptr
-#endif
static int url_bio_bread(BIO *b, char *buf, int len)
{
@@ -726,25 +615,10 @@ static int url_bio_bputs(BIO *b, const char *str)
return url_bio_bwrite(b, str, strlen(str));
}
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL
-static BIO_METHOD url_bio_method = {
- .type = BIO_TYPE_SOURCE_SINK,
- .name = "urlprotocol bio",
- .bwrite = url_bio_bwrite,
- .bread = url_bio_bread,
- .bputs = url_bio_bputs,
- .bgets = NULL,
- .ctrl = url_bio_ctrl,
- .create = url_bio_create,
- .destroy = url_bio_destroy,
-};
-#endif
-
static av_cold void init_bio_method(URLContext *h)
{
TLSContext *p = h->priv_data;
BIO *bio;
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
BIO_meth_set_read(p->url_bio_method, url_bio_bread);
@@ -754,10 +628,7 @@ static av_cold void init_bio_method(URLContext *h)
BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy);
bio = BIO_new(p->url_bio_method);
BIO_set_data(bio, p);
-#else
- bio = BIO_new(&url_bio_method);
- bio->ptr = p;
-#endif
+
SSL_set_bio(p->ssl, bio, bio);
}
@@ -885,32 +756,21 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
int ret = 0;
c->is_dtls = 1;
const char* ciphers = "ALL";
-#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2
- EC_KEY *ec_key = NULL;
-#endif
+
/**
* The profile for OpenSSL's SRTP is SRTP_AES128_CM_SHA1_80, see ssl/d1_srtp.c.
* The profile for FFmpeg's SRTP is SRTP_AES128_CM_HMAC_SHA1_80, see libavformat/srtp.c.
*/
const char* profiles = "SRTP_AES128_CM_SHA1_80";
/* Refer to the test cases regarding these curves in the WebRTC code. */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* OpenSSL 1.1.0 */
const char* curves = "X25519:P-256:P-384:P-521";
-#elif OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 */
- const char* curves = "P-256:P-384:P-521";
-#endif
-#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL v1.0.2 */
- p->ctx = SSL_CTX_new(DTLSv1_method());
-#else
p->ctx = SSL_CTX_new(DTLS_method());
-#endif
if (!p->ctx) {
ret = AVERROR(ENOMEM);
goto fail;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 */
/* For ECDSA, we could set the curves list. */
if (SSL_CTX_set1_curves_list(p->ctx, curves) != 1) {
av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set1_curves_list failed, curves=%s, %s\n",
@@ -918,7 +778,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
ret = AVERROR(EINVAL);
return ret;
}
-#endif
/**
* We activate "ALL" cipher suites to align with the peer's capabilities,
@@ -933,17 +792,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
ret = openssl_init_ca_key_cert(h);
if (ret < 0) goto fail;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L // v1.1.x
-#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2
- if (p->pkey)
- ec_key = EVP_PKEY_get1_EC_KEY(p->pkey);
- if (ec_key)
- SSL_CTX_set_tmp_ecdh(p->ctx, ec_key);
-#else
- SSL_CTX_set_ecdh_auto(p->ctx, 1);
-#endif
-#endif
-
/* Server will send Certificate Request. */
SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, openssl_dtls_verify_callback);
/* The depth count is "level 0:peer certificate", "level 1: CA certificate",
@@ -975,9 +823,7 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
*/
SSL_set_options(p->ssl, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(p->ssl, p->tls_shared.mtu);
-#if OPENSSL_VERSION_NUMBER >= 0x100010b0L /* OpenSSL 1.0.1k */
DTLS_set_link_mtu(p->ssl, p->tls_shared.mtu);
-#endif
init_bio_method(h);
if (p->tls_shared.use_external_udp != 1) {
@@ -1015,9 +861,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
ret = 0;
fail:
-#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2
- EC_KEY_free(ec_key);
-#endif
return ret;
}
@@ -1042,11 +885,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
TLSShared *c = &p->tls_shared;
int ret;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if ((ret = ff_openssl_init()) < 0)
- return ret;
-#endif
-
if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0)
goto fail;
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 3/8] avformat/tls_openssl: remove now unnecessary define
2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0 Marvin Scholz
@ 2025-06-25 19:59 ` Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 4/8] avformat/tls_openssl: properly get new BIO index Marvin Scholz
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw)
To: ffmpeg-devel
This was used previously when multiple OpenSSL versions were supported
that required this to be handled differently.
---
libavformat/tls_openssl.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 525b7f3701..25991c8c9d 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -567,11 +567,9 @@ static int url_bio_destroy(BIO *b)
return 1;
}
-#define GET_BIO_DATA(x) BIO_get_data(x)
-
static int url_bio_bread(BIO *b, char *buf, int len)
{
- TLSContext *c = GET_BIO_DATA(b);
+ TLSContext *c = BIO_get_data(b);
int ret = ffurl_read(c->tls_shared.is_dtls ? c->tls_shared.udp : c->tls_shared.tcp, buf, len);
if (ret >= 0)
return ret;
@@ -587,7 +585,7 @@ static int url_bio_bread(BIO *b, char *buf, int len)
static int url_bio_bwrite(BIO *b, const char *buf, int len)
{
- TLSContext *c = GET_BIO_DATA(b);
+ TLSContext *c = BIO_get_data(b);
int ret = ffurl_write(c->tls_shared.is_dtls ? c->tls_shared.udp : c->tls_shared.tcp, buf, len);
if (ret >= 0)
return ret;
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 4/8] avformat/tls_openssl: properly get new BIO index
2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0 Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 3/8] avformat/tls_openssl: remove now unnecessary define Marvin Scholz
@ 2025-06-25 19:59 ` Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 5/8] avformat/tls_openssl: remove leftover comment Marvin Scholz
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw)
To: ffmpeg-devel
As noted in the OpenSSL documentation, BIO_get_new_index must be
used to get a new BIO index. This is ORd with the proper type flag
BIO_TYPE_SOURCE_SINK.
---
libavformat/tls_openssl.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 25991c8c9d..7f796c7ddb 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -613,11 +613,14 @@ static int url_bio_bputs(BIO *b, const char *str)
return url_bio_bwrite(b, str, strlen(str));
}
-static av_cold void init_bio_method(URLContext *h)
+static av_cold int init_bio_method(URLContext *h)
{
TLSContext *p = h->priv_data;
BIO *bio;
- p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
+ int bio_idx = BIO_get_new_index();
+ if (bio_idx == -1)
+ return AVERROR_EXTERNAL;
+ p->url_bio_method = BIO_meth_new(bio_idx | BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
BIO_meth_set_read(p->url_bio_method, url_bio_bread);
BIO_meth_set_puts(p->url_bio_method, url_bio_bputs);
@@ -628,6 +631,7 @@ static av_cold void init_bio_method(URLContext *h)
BIO_set_data(bio, p);
SSL_set_bio(p->ssl, bio, bio);
+ return 0;
}
static void openssl_info_callback(const SSL *ssl, int where, int ret) {
@@ -822,7 +826,9 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
SSL_set_options(p->ssl, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(p->ssl, p->tls_shared.mtu);
DTLS_set_link_mtu(p->ssl, p->tls_shared.mtu);
- init_bio_method(h);
+ ret = init_bio_method(h);
+ if (ret < 0)
+ goto fail;
if (p->tls_shared.use_external_udp != 1) {
if ((ret = ff_tls_open_underlying(&p->tls_shared, h, url, options)) < 0) {
@@ -911,7 +917,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
}
SSL_set_ex_data(p->ssl, 0, p);
SSL_CTX_set_info_callback(p->ctx, openssl_info_callback);
- init_bio_method(h);
+ ret = init_bio_method(h);
+ if (ret < 0)
+ goto fail;
if (!c->listen && !c->numerichost)
SSL_set_tlsext_host_name(p->ssl, c->host);
ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl);
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 5/8] avformat/tls_openssl: remove leftover comment
2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz
` (2 preceding siblings ...)
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 4/8] avformat/tls_openssl: properly get new BIO index Marvin Scholz
@ 2025-06-25 19:59 ` Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 6/8] avformat/tls_openssl: remove unnecessary checks Marvin Scholz
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw)
To: ffmpeg-devel
---
libavformat/tls_openssl.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 7f796c7ddb..86e57ab389 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -369,7 +369,6 @@ einval_end:
ret = AVERROR(EINVAL);
end:
X509_NAME_free(subject);
- //av_bprint_finalize(&fingerprint, NULL);
return ret;
}
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 6/8] avformat/tls_openssl: remove unnecessary checks
2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz
` (3 preceding siblings ...)
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 5/8] avformat/tls_openssl: remove leftover comment Marvin Scholz
@ 2025-06-25 19:59 ` Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 7/8] avformat/tls_openssl: use TLS_[client|server]_method Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 8/8] avformat/tls_openssl: use SSL_CTX_set_min_proto_version Marvin Scholz
6 siblings, 0 replies; 8+ messages in thread
From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw)
To: ffmpeg-devel
Calling av_free with NULL is a no-op so this check is not needed.
---
libavformat/tls_openssl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 86e57ab389..8074251d9d 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -228,8 +228,8 @@ end:
av_bprint_finalize(&key_bp, NULL);
BIO_free(cert_b);
av_bprint_finalize(&cert_bp, NULL);
- if (key_tem) av_free(key_tem);
- if (cert_tem) av_free(cert_tem);
+ av_free(key_tem);
+ av_free(cert_tem);
return ret;
}
@@ -392,8 +392,8 @@ int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cer
snprintf(key_buf, key_sz, "%s", key_tem);
snprintf(cert_buf, cert_sz, "%s", cert_tem);
- if (key_tem) av_free(key_tem);
- if (cert_tem) av_free(cert_tem);
+ av_free(key_tem);
+ av_free(cert_tem);
error:
return ret;
}
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 7/8] avformat/tls_openssl: use TLS_[client|server]_method
2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz
` (4 preceding siblings ...)
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 6/8] avformat/tls_openssl: remove unnecessary checks Marvin Scholz
@ 2025-06-25 19:59 ` Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 8/8] avformat/tls_openssl: use SSL_CTX_set_min_proto_version Marvin Scholz
6 siblings, 0 replies; 8+ messages in thread
From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw)
To: ffmpeg-devel
SSLv23_*_method was just a define for these anyway since OpenSSL 1.1.0
and the old functions are deprecated.
---
libavformat/tls_openssl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 8074251d9d..72ee36e7af 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -892,10 +892,10 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
goto fail;
// We want to support all versions of TLS >= 1.0, but not the deprecated
- // and insecure SSLv2 and SSLv3. Despite the name, SSLv23_*_method()
+ // and insecure SSLv2 and SSLv3. Despite the name, TLS_*_method()
// enables support for all versions of SSL and TLS, and we then disable
// support for the old protocols immediately after creating the context.
- p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method());
+ p->ctx = SSL_CTX_new(c->listen ? TLS_server_method() : TLS_client_method());
if (!p->ctx) {
av_log(h, AV_LOG_ERROR, "%s\n", openssl_get_error(p));
ret = AVERROR(EIO);
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 8/8] avformat/tls_openssl: use SSL_CTX_set_min_proto_version
2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz
` (5 preceding siblings ...)
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 7/8] avformat/tls_openssl: use TLS_[client|server]_method Marvin Scholz
@ 2025-06-25 19:59 ` Marvin Scholz
6 siblings, 0 replies; 8+ messages in thread
From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw)
To: ffmpeg-devel
Using SSL_CTX_set_options to disallow specific versions is
discouraged by the documentation, which recommends to use
SSL_CTX_set_min_proto_version instead.
---
libavformat/tls_openssl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 72ee36e7af..e10ccf1cb8 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -901,7 +901,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
ret = AVERROR(EIO);
goto fail;
}
- SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ if (!SSL_CTX_set_min_proto_version(p->ctx, TLS1_VERSION)) {
+ av_log(h, AV_LOG_ERROR, "Failed to set minimum TLS version to TLSv1\n");
+ ret = AVERROR_EXTERNAL;
+ goto fail;
+ }
ret = openssl_init_ca_key_cert(h);
if (ret < 0) goto fail;
// Note, this doesn't check that the peer certificate actually matches
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2025-06-25 20:00 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0 Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 3/8] avformat/tls_openssl: remove now unnecessary define Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 4/8] avformat/tls_openssl: properly get new BIO index Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 5/8] avformat/tls_openssl: remove leftover comment Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 6/8] avformat/tls_openssl: remove unnecessary checks Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 7/8] avformat/tls_openssl: use TLS_[client|server]_method Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 8/8] avformat/tls_openssl: use SSL_CTX_set_min_proto_version Marvin Scholz
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git