* [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0
@ 2025-06-25 19:59 Marvin Scholz
2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0 Marvin Scholz
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw)
To: ffmpeg-devel
Given that OPENSSL_init_ssl was introduced in 1.1.0 means we can rely on
that to ensure we have at least 1.1.0.
---
configure | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/configure b/configure
index d625461983..25d736170b 100755
--- a/configure
+++ b/configure
@@ -7193,13 +7193,10 @@ enabled omx && require_headers OMX_Core.h && \
enabled openssl && { { check_pkg_config openssl "openssl >= 3.0.0" openssl/ssl.h OPENSSL_init_ssl &&
{ enabled gplv3 || ! enabled gpl || enabled nonfree || die "ERROR: OpenSSL >=3.0.0 requires --enable-version3"; }; } ||
{ enabled gpl && ! enabled nonfree && die "ERROR: OpenSSL <3.0.0 is incompatible with the gpl"; } ||
- check_pkg_config openssl openssl openssl/ssl.h OPENSSL_init_ssl ||
- check_pkg_config openssl openssl openssl/ssl.h SSL_library_init ||
+ check_pkg_config openssl "openssl >= 1.1.0" openssl/ssl.h OPENSSL_init_ssl ||
check_lib openssl openssl/ssl.h OPENSSL_init_ssl -lssl -lcrypto ||
- check_lib openssl openssl/ssl.h SSL_library_init -lssl -lcrypto ||
- check_lib openssl openssl/ssl.h SSL_library_init -lssl32 -leay32 ||
- check_lib openssl openssl/ssl.h SSL_library_init -lssl -lcrypto -lws2_32 -lgdi32 ||
- die "ERROR: openssl not found"; }
+ check_lib openssl openssl/ssl.h OPENSSL_init_ssl -lssl -lcrypto -lws2_32 -lgdi32 ||
+ die "ERROR: openssl (>= 1.1.0) not found"; }
enabled pocketsphinx && require_pkg_config pocketsphinx pocketsphinx pocketsphinx/pocketsphinx.h ps_init
enabled rkmpp && { require_pkg_config rkmpp rockchip_mpp rockchip/rk_mpi.h mpp_create &&
require_pkg_config rockchip_mpp "rockchip_mpp >= 1.3.7" rockchip/rk_mpi.h mpp_create &&
--
2.39.5 (Apple Git-154)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread* [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0 2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz @ 2025-06-25 19:59 ` Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 3/8] avformat/tls_openssl: remove now unnecessary define Marvin Scholz ` (5 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw) To: ffmpeg-devel --- libavformat/network.c | 8 -- libavformat/tls_openssl.c | 166 +------------------------------------- 2 files changed, 2 insertions(+), 172 deletions(-) diff --git a/libavformat/network.c b/libavformat/network.c index 2eabd0c167..a7026ac09b 100644 --- a/libavformat/network.c +++ b/libavformat/network.c @@ -36,11 +36,6 @@ int ff_tls_init(void) { #if CONFIG_TLS_PROTOCOL -#if CONFIG_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L - int ret; - if ((ret = ff_openssl_init()) < 0) - return ret; -#endif #if CONFIG_GNUTLS ff_gnutls_init(); #endif @@ -51,9 +46,6 @@ int ff_tls_init(void) void ff_tls_deinit(void) { #if CONFIG_TLS_PROTOCOL -#if CONFIG_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L - ff_openssl_deinit(); -#endif #if CONFIG_GNUTLS ff_gnutls_deinit(); #endif diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 2a3905891d..525b7f3701 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -262,11 +262,6 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey) goto einval_end; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L // v1.1.x - /* For openssl 1.0, we must set the group parameters, so that cert is ok. */ - EC_GROUP_set_asn1_flag(ecgroup, OPENSSL_EC_NAMED_CURVE); -#endif - if (EC_KEY_set_group(*eckey, ecgroup) != 1) { av_log(NULL, AV_LOG_ERROR, "TLS: Generate private key, EC_KEY_set_group failed, %s\n", ERR_error_string(ERR_get_error(), NULL)); goto einval_end; @@ -415,11 +410,7 @@ error: */ static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv) { -#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL 1.0.2 */ - BIO *mem = BIO_new_mem_buf((void *)pem_str, -1); -#else BIO *mem = BIO_new_mem_buf(pem_str, -1); -#endif if (!mem) { av_log(NULL, AV_LOG_ERROR, "BIO_new_mem_buf failed\n"); return NULL; @@ -449,11 +440,7 @@ static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv) */ static X509 *cert_from_pem_string(const char *pem_str) { -#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL 1.0.2 */ - BIO *mem = BIO_new_mem_buf((void *)pem_str, -1); -#else BIO *mem = BIO_new_mem_buf(pem_str, -1); -#endif if (!mem) { av_log(NULL, AV_LOG_ERROR, "BIO_new_mem_buf failed\n"); return NULL; @@ -476,9 +463,7 @@ typedef struct TLSContext { SSL_CTX *ctx; SSL *ssl; EVP_PKEY *pkey; -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL BIO_METHOD* url_bio_method; -#endif int io_err; char error_message[256]; } TLSContext; @@ -530,87 +515,6 @@ int ff_dtls_state(URLContext *h) return c->tls_shared.state; } -/* OpenSSL 1.0.2 or below, then you would use SSL_library_init. If you are - * using OpenSSL 1.1.0 or above, then the library will initialize - * itself automatically. - * https://wiki.openssl.org/index.php/Library_Initialization - */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L -#include "libavutil/thread.h" - -static AVMutex openssl_mutex = AV_MUTEX_INITIALIZER; - -static int openssl_init; - -#if HAVE_THREADS -#include <openssl/crypto.h> -#include "libavutil/mem.h" - -pthread_mutex_t *openssl_mutexes; -static void openssl_lock(int mode, int type, const char *file, int line) -{ - if (mode & CRYPTO_LOCK) - pthread_mutex_lock(&openssl_mutexes[type]); - else - pthread_mutex_unlock(&openssl_mutexes[type]); -} -#if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000 -static unsigned long openssl_thread_id(void) -{ - return (intptr_t) pthread_self(); -} -#endif -#endif - -int ff_openssl_init(void) -{ - ff_mutex_lock(&openssl_mutex); - if (!openssl_init) { - SSL_library_init(); - SSL_load_error_strings(); -#if HAVE_THREADS - if (!CRYPTO_get_locking_callback()) { - int i; - openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks()); - if (!openssl_mutexes) { - ff_mutex_unlock(&openssl_mutex); - return AVERROR(ENOMEM); - } - - for (i = 0; i < CRYPTO_num_locks(); i++) - pthread_mutex_init(&openssl_mutexes[i], NULL); - CRYPTO_set_locking_callback(openssl_lock); -#if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000 - CRYPTO_set_id_callback(openssl_thread_id); -#endif - } -#endif - } - openssl_init++; - ff_mutex_unlock(&openssl_mutex); - - return 0; -} - -void ff_openssl_deinit(void) -{ - ff_mutex_lock(&openssl_mutex); - openssl_init--; - if (!openssl_init) { -#if HAVE_THREADS - if (CRYPTO_get_locking_callback() == openssl_lock) { - int i; - CRYPTO_set_locking_callback(NULL); - for (i = 0; i < CRYPTO_num_locks(); i++) - pthread_mutex_destroy(&openssl_mutexes[i]); - av_free(openssl_mutexes); - } -#endif - } - ff_mutex_unlock(&openssl_mutex); -} -#endif - static int print_ssl_error(URLContext *h, int ret) { TLSContext *c = h->priv_data; @@ -645,27 +549,16 @@ static int tls_close(URLContext *h) if (c->ctx) SSL_CTX_free(c->ctx); ffurl_closep(&c->tls_shared.tcp); -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL if (c->url_bio_method) BIO_meth_free(c->url_bio_method); -#endif -#if OPENSSL_VERSION_NUMBER < 0x10100000L - ff_openssl_deinit(); -#endif return 0; } static int url_bio_create(BIO *b) { -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL BIO_set_init(b, 1); BIO_set_data(b, NULL); BIO_set_flags(b, 0); -#else - b->init = 1; - b->ptr = NULL; - b->flags = 0; -#endif return 1; } @@ -674,11 +567,7 @@ static int url_bio_destroy(BIO *b) return 1; } -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL #define GET_BIO_DATA(x) BIO_get_data(x) -#else -#define GET_BIO_DATA(x) (x)->ptr -#endif static int url_bio_bread(BIO *b, char *buf, int len) { @@ -726,25 +615,10 @@ static int url_bio_bputs(BIO *b, const char *str) return url_bio_bwrite(b, str, strlen(str)); } -#if OPENSSL_VERSION_NUMBER < 0x1010000fL -static BIO_METHOD url_bio_method = { - .type = BIO_TYPE_SOURCE_SINK, - .name = "urlprotocol bio", - .bwrite = url_bio_bwrite, - .bread = url_bio_bread, - .bputs = url_bio_bputs, - .bgets = NULL, - .ctrl = url_bio_ctrl, - .create = url_bio_create, - .destroy = url_bio_destroy, -}; -#endif - static av_cold void init_bio_method(URLContext *h) { TLSContext *p = h->priv_data; BIO *bio; -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio"); BIO_meth_set_write(p->url_bio_method, url_bio_bwrite); BIO_meth_set_read(p->url_bio_method, url_bio_bread); @@ -754,10 +628,7 @@ static av_cold void init_bio_method(URLContext *h) BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy); bio = BIO_new(p->url_bio_method); BIO_set_data(bio, p); -#else - bio = BIO_new(&url_bio_method); - bio->ptr = p; -#endif + SSL_set_bio(p->ssl, bio, bio); } @@ -885,32 +756,21 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** int ret = 0; c->is_dtls = 1; const char* ciphers = "ALL"; -#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2 - EC_KEY *ec_key = NULL; -#endif + /** * The profile for OpenSSL's SRTP is SRTP_AES128_CM_SHA1_80, see ssl/d1_srtp.c. * The profile for FFmpeg's SRTP is SRTP_AES128_CM_HMAC_SHA1_80, see libavformat/srtp.c. */ const char* profiles = "SRTP_AES128_CM_SHA1_80"; /* Refer to the test cases regarding these curves in the WebRTC code. */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* OpenSSL 1.1.0 */ const char* curves = "X25519:P-256:P-384:P-521"; -#elif OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 */ - const char* curves = "P-256:P-384:P-521"; -#endif -#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL v1.0.2 */ - p->ctx = SSL_CTX_new(DTLSv1_method()); -#else p->ctx = SSL_CTX_new(DTLS_method()); -#endif if (!p->ctx) { ret = AVERROR(ENOMEM); goto fail; } -#if OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 */ /* For ECDSA, we could set the curves list. */ if (SSL_CTX_set1_curves_list(p->ctx, curves) != 1) { av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set1_curves_list failed, curves=%s, %s\n", @@ -918,7 +778,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** ret = AVERROR(EINVAL); return ret; } -#endif /** * We activate "ALL" cipher suites to align with the peer's capabilities, @@ -933,17 +792,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** ret = openssl_init_ca_key_cert(h); if (ret < 0) goto fail; -#if OPENSSL_VERSION_NUMBER < 0x10100000L // v1.1.x -#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2 - if (p->pkey) - ec_key = EVP_PKEY_get1_EC_KEY(p->pkey); - if (ec_key) - SSL_CTX_set_tmp_ecdh(p->ctx, ec_key); -#else - SSL_CTX_set_ecdh_auto(p->ctx, 1); -#endif -#endif - /* Server will send Certificate Request. */ SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, openssl_dtls_verify_callback); /* The depth count is "level 0:peer certificate", "level 1: CA certificate", @@ -975,9 +823,7 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** */ SSL_set_options(p->ssl, SSL_OP_NO_QUERY_MTU); SSL_set_mtu(p->ssl, p->tls_shared.mtu); -#if OPENSSL_VERSION_NUMBER >= 0x100010b0L /* OpenSSL 1.0.1k */ DTLS_set_link_mtu(p->ssl, p->tls_shared.mtu); -#endif init_bio_method(h); if (p->tls_shared.use_external_udp != 1) { @@ -1015,9 +861,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** ret = 0; fail: -#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2 - EC_KEY_free(ec_key); -#endif return ret; } @@ -1042,11 +885,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op TLSShared *c = &p->tls_shared; int ret; -#if OPENSSL_VERSION_NUMBER < 0x10100000L - if ((ret = ff_openssl_init()) < 0) - return ret; -#endif - if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0) goto fail; -- 2.39.5 (Apple Git-154) _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 3/8] avformat/tls_openssl: remove now unnecessary define 2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0 Marvin Scholz @ 2025-06-25 19:59 ` Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 4/8] avformat/tls_openssl: properly get new BIO index Marvin Scholz ` (4 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw) To: ffmpeg-devel This was used previously when multiple OpenSSL versions were supported that required this to be handled differently. --- libavformat/tls_openssl.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 525b7f3701..25991c8c9d 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -567,11 +567,9 @@ static int url_bio_destroy(BIO *b) return 1; } -#define GET_BIO_DATA(x) BIO_get_data(x) - static int url_bio_bread(BIO *b, char *buf, int len) { - TLSContext *c = GET_BIO_DATA(b); + TLSContext *c = BIO_get_data(b); int ret = ffurl_read(c->tls_shared.is_dtls ? c->tls_shared.udp : c->tls_shared.tcp, buf, len); if (ret >= 0) return ret; @@ -587,7 +585,7 @@ static int url_bio_bread(BIO *b, char *buf, int len) static int url_bio_bwrite(BIO *b, const char *buf, int len) { - TLSContext *c = GET_BIO_DATA(b); + TLSContext *c = BIO_get_data(b); int ret = ffurl_write(c->tls_shared.is_dtls ? c->tls_shared.udp : c->tls_shared.tcp, buf, len); if (ret >= 0) return ret; -- 2.39.5 (Apple Git-154) _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 4/8] avformat/tls_openssl: properly get new BIO index 2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0 Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 3/8] avformat/tls_openssl: remove now unnecessary define Marvin Scholz @ 2025-06-25 19:59 ` Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 5/8] avformat/tls_openssl: remove leftover comment Marvin Scholz ` (3 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw) To: ffmpeg-devel As noted in the OpenSSL documentation, BIO_get_new_index must be used to get a new BIO index. This is ORd with the proper type flag BIO_TYPE_SOURCE_SINK. --- libavformat/tls_openssl.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 25991c8c9d..7f796c7ddb 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -613,11 +613,14 @@ static int url_bio_bputs(BIO *b, const char *str) return url_bio_bwrite(b, str, strlen(str)); } -static av_cold void init_bio_method(URLContext *h) +static av_cold int init_bio_method(URLContext *h) { TLSContext *p = h->priv_data; BIO *bio; - p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio"); + int bio_idx = BIO_get_new_index(); + if (bio_idx == -1) + return AVERROR_EXTERNAL; + p->url_bio_method = BIO_meth_new(bio_idx | BIO_TYPE_SOURCE_SINK, "urlprotocol bio"); BIO_meth_set_write(p->url_bio_method, url_bio_bwrite); BIO_meth_set_read(p->url_bio_method, url_bio_bread); BIO_meth_set_puts(p->url_bio_method, url_bio_bputs); @@ -628,6 +631,7 @@ static av_cold void init_bio_method(URLContext *h) BIO_set_data(bio, p); SSL_set_bio(p->ssl, bio, bio); + return 0; } static void openssl_info_callback(const SSL *ssl, int where, int ret) { @@ -822,7 +826,9 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** SSL_set_options(p->ssl, SSL_OP_NO_QUERY_MTU); SSL_set_mtu(p->ssl, p->tls_shared.mtu); DTLS_set_link_mtu(p->ssl, p->tls_shared.mtu); - init_bio_method(h); + ret = init_bio_method(h); + if (ret < 0) + goto fail; if (p->tls_shared.use_external_udp != 1) { if ((ret = ff_tls_open_underlying(&p->tls_shared, h, url, options)) < 0) { @@ -911,7 +917,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op } SSL_set_ex_data(p->ssl, 0, p); SSL_CTX_set_info_callback(p->ctx, openssl_info_callback); - init_bio_method(h); + ret = init_bio_method(h); + if (ret < 0) + goto fail; if (!c->listen && !c->numerichost) SSL_set_tlsext_host_name(p->ssl, c->host); ret = c->listen ? SSL_accept(p->ssl) : SSL_connect(p->ssl); -- 2.39.5 (Apple Git-154) _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 5/8] avformat/tls_openssl: remove leftover comment 2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz ` (2 preceding siblings ...) 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 4/8] avformat/tls_openssl: properly get new BIO index Marvin Scholz @ 2025-06-25 19:59 ` Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 6/8] avformat/tls_openssl: remove unnecessary checks Marvin Scholz ` (2 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw) To: ffmpeg-devel --- libavformat/tls_openssl.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 7f796c7ddb..86e57ab389 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -369,7 +369,6 @@ einval_end: ret = AVERROR(EINVAL); end: X509_NAME_free(subject); - //av_bprint_finalize(&fingerprint, NULL); return ret; } -- 2.39.5 (Apple Git-154) _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 6/8] avformat/tls_openssl: remove unnecessary checks 2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz ` (3 preceding siblings ...) 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 5/8] avformat/tls_openssl: remove leftover comment Marvin Scholz @ 2025-06-25 19:59 ` Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 7/8] avformat/tls_openssl: use TLS_[client|server]_method Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 8/8] avformat/tls_openssl: use SSL_CTX_set_min_proto_version Marvin Scholz 6 siblings, 0 replies; 8+ messages in thread From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw) To: ffmpeg-devel Calling av_free with NULL is a no-op so this check is not needed. --- libavformat/tls_openssl.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 86e57ab389..8074251d9d 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -228,8 +228,8 @@ end: av_bprint_finalize(&key_bp, NULL); BIO_free(cert_b); av_bprint_finalize(&cert_bp, NULL); - if (key_tem) av_free(key_tem); - if (cert_tem) av_free(cert_tem); + av_free(key_tem); + av_free(cert_tem); return ret; } @@ -392,8 +392,8 @@ int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cer snprintf(key_buf, key_sz, "%s", key_tem); snprintf(cert_buf, cert_sz, "%s", cert_tem); - if (key_tem) av_free(key_tem); - if (cert_tem) av_free(cert_tem); + av_free(key_tem); + av_free(cert_tem); error: return ret; } -- 2.39.5 (Apple Git-154) _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 7/8] avformat/tls_openssl: use TLS_[client|server]_method 2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz ` (4 preceding siblings ...) 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 6/8] avformat/tls_openssl: remove unnecessary checks Marvin Scholz @ 2025-06-25 19:59 ` Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 8/8] avformat/tls_openssl: use SSL_CTX_set_min_proto_version Marvin Scholz 6 siblings, 0 replies; 8+ messages in thread From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw) To: ffmpeg-devel SSLv23_*_method was just a define for these anyway since OpenSSL 1.1.0 and the old functions are deprecated. --- libavformat/tls_openssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 8074251d9d..72ee36e7af 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -892,10 +892,10 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; // We want to support all versions of TLS >= 1.0, but not the deprecated - // and insecure SSLv2 and SSLv3. Despite the name, SSLv23_*_method() + // and insecure SSLv2 and SSLv3. Despite the name, TLS_*_method() // enables support for all versions of SSL and TLS, and we then disable // support for the old protocols immediately after creating the context. - p->ctx = SSL_CTX_new(c->listen ? SSLv23_server_method() : SSLv23_client_method()); + p->ctx = SSL_CTX_new(c->listen ? TLS_server_method() : TLS_client_method()); if (!p->ctx) { av_log(h, AV_LOG_ERROR, "%s\n", openssl_get_error(p)); ret = AVERROR(EIO); -- 2.39.5 (Apple Git-154) _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 8/8] avformat/tls_openssl: use SSL_CTX_set_min_proto_version 2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz ` (5 preceding siblings ...) 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 7/8] avformat/tls_openssl: use TLS_[client|server]_method Marvin Scholz @ 2025-06-25 19:59 ` Marvin Scholz 6 siblings, 0 replies; 8+ messages in thread From: Marvin Scholz @ 2025-06-25 19:59 UTC (permalink / raw) To: ffmpeg-devel Using SSL_CTX_set_options to disallow specific versions is discouraged by the documentation, which recommends to use SSL_CTX_set_min_proto_version instead. --- libavformat/tls_openssl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 72ee36e7af..e10ccf1cb8 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -901,7 +901,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op ret = AVERROR(EIO); goto fail; } - SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + if (!SSL_CTX_set_min_proto_version(p->ctx, TLS1_VERSION)) { + av_log(h, AV_LOG_ERROR, "Failed to set minimum TLS version to TLSv1\n"); + ret = AVERROR_EXTERNAL; + goto fail; + } ret = openssl_init_ca_key_cert(h); if (ret < 0) goto fail; // Note, this doesn't check that the peer certificate actually matches -- 2.39.5 (Apple Git-154) _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2025-06-25 20:00 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2025-06-25 19:59 [FFmpeg-devel] [PATCH 1/8] configure: require at least OpenSSL 1.1.0 Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 2/8] avformat: tls: drop support for OpenSSL < 1.1.0 Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 3/8] avformat/tls_openssl: remove now unnecessary define Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 4/8] avformat/tls_openssl: properly get new BIO index Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 5/8] avformat/tls_openssl: remove leftover comment Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 6/8] avformat/tls_openssl: remove unnecessary checks Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 7/8] avformat/tls_openssl: use TLS_[client|server]_method Marvin Scholz 2025-06-25 19:59 ` [FFmpeg-devel] [PATCH 8/8] avformat/tls_openssl: use SSL_CTX_set_min_proto_version Marvin Scholz
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel This inbox may be cloned and mirrored by anyone: git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \ ffmpegdev@gitmailbox.com public-inbox-index ffmpegdev Example config snippet for mirrors. AGPL code for this site: git clone https://public-inbox.org/public-inbox.git