* [FFmpeg-devel] [PATCH 01/14] avformat/tls_openssl: set dtls remote addr in listen mode
@ 2025-07-13 19:24 Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
Taken from the first received packet, which will signify the now
permanent peer of this DTLS "connection".
---
libavformat/tls_openssl.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 2a01fb387d..f6826222f9 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -465,6 +465,8 @@ typedef struct TLSContext {
BIO_METHOD* url_bio_method;
int io_err;
char error_message[256];
+ struct sockaddr_storage dest_addr;
+ socklen_t dest_addr_len;
} TLSContext;
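Review bot: The new fields carry an unstated invariant — `dest_addr_len == 0` is used elsewhere in this series as "no peer pinned yet", and `dest_addr` is only meaningful once it is non-zero — but nothing at the declaration says so. A one-line comment would save the next reader from having to find the use site: `/* Peer of a DTLS listen socket, taken from the first datagram; dest_addr_len == 0 until then. */`. This relies on the context being zero-initialized at allocation, which is presumably the case for priv_data but is not visible in this hunk.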
/**
@@ -575,9 +577,23 @@ static int url_bio_destroy(BIO *b)
static int url_bio_bread(BIO *b, char *buf, int len)
{
TLSContext *c = BIO_get_data(b);
+ TLSShared *s = &c->tls_shared;
int ret = ffurl_read(c->tls_shared.is_dtls ? c->tls_shared.udp : c->tls_shared.tcp, buf, len);
- if (ret >= 0)
+ if (ret >= 0) {
+ if (s->is_dtls && s->listen && !c->dest_addr_len) {
+ int err_ret;
+
+ ff_udp_get_last_recv_addr(s->udp, &c->dest_addr, &c->dest_addr_len);
+ err_ret = ff_udp_set_remote_addr(s->udp, (struct sockaddr *)&c->dest_addr, c->dest_addr_len, 1);
+ if (err_ret < 0) {
+ av_log(c, AV_LOG_ERROR, "Failed connecting udp context\n");
+ return err_ret;
+ }
+ av_log(c, AV_LOG_TRACE, "Set UDP remote addr on UDP socket, now 'connected'\n");
+ }
+
return ret;
+ }
BIO_clear_retry_flags(b);
if (ret == AVERROR_EXIT)
return 0;
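Review bot: The peer is pinned from whatever datagram arrives first, before any DTLS handshake has validated it: the block at L33 sets `dest_addr` on the first successful read regardless of the packet's content, and once `dest_addr_len` is non-zero it is never cleared, so a stray datagram from the wrong source that arrives before the intended client permanently connects the socket to it and the handshake with the real peer can never succeed. A failed handshake should reset `dest_addr_len` to 0 (and un-connect the socket) so the listener can accept a new peer, or the pin should be deferred until the handshake completes; OpenSSL's `DTLSv1_listen()` cookie exchange is the conventional way for a DTLS server to do this. The guard `ret >= 0` on L32 also admits a zero-length read, where the last-receive address may not have been updated — `ret > 0` is the safer condition, assuming a zero return never carries a fresh peer address. `url_bio_bread()` continues past the end of this hunk.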
--
2.49.0
* [FFmpeg-devel] [PATCH 02/14] avformat/tls_openssl: force dtls handshake to be blocking
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
There is no sensible way to handle this otherwise anyway; one just has
to loop over this function until it succeeds.
---
libavformat/tls_openssl.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index f6826222f9..54213c4090 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -685,27 +685,33 @@ static int openssl_dtls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
static int dtls_handshake(URLContext *h)
{
- int ret = 0, r0, r1;
+ int ret = 1, r0, r1;
TLSContext *p = h->priv_data;
+ int was_nonblock = h->flags & AVIO_FLAG_NONBLOCK;
+ h->flags &= ~AVIO_FLAG_NONBLOCK;
+
r0 = SSL_do_handshake(p->ssl);
- r1 = SSL_get_error(p->ssl, r0);
if (r0 <= 0) {
+ r1 = SSL_get_error(p->ssl, r0);
+
if (r1 != SSL_ERROR_WANT_READ && r1 != SSL_ERROR_WANT_WRITE && r1 != SSL_ERROR_ZERO_RETURN) {
- av_log(p, AV_LOG_ERROR, "TLS: Read failed, r0=%d, r1=%d %s\n", r0, r1, openssl_get_error(p));
- ret = AVERROR(EIO);
+ av_log(p, AV_LOG_ERROR, "Handshake failed, r0=%d, r1=%d\n", r0, r1);
+ ret = print_ssl_error(h, r0);
goto end;
}
} else {
- av_log(p, AV_LOG_TRACE, "TLS: Read %d bytes, r0=%d, r1=%d\n", r0, r0, r1);
+ av_log(p, AV_LOG_TRACE, "Handshake success, r0=%d\n", r0);
}
- /* Check whether the DTLS is completed. */
if (SSL_is_init_finished(p->ssl) != 1)
goto end;
+ ret = 0;
p->tls_shared.state = DTLS_STATE_FINISHED;
end:
+ if (was_nonblock)
+ h->flags |= AVIO_FLAG_NONBLOCK;
return ret;
}
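Review bot: Forcing the handshake to block introduces an unbounded wait: `SSL_do_handshake()` on L85 now runs with AVIO_FLAG_NONBLOCK cleared, but DTLS recovers a lost flight through its retransmission timers (`DTLSv1_get_timeout()`/`DTLSv1_handle_timeout()`), and nothing in this hunk drives them, so unless the custom BIO implements the datagram timeout controls a single lost handshake packet or an unresponsive peer leaves the blocking read waiting forever. Either document how the underlying UDP read is bounded (an rw_timeout on the udp context, or a deadline around the loop the commit message describes) or return to the caller after a timeout so it can give up. The three-way return value also deserves a comment above the function, e.g. `/* Returns 0 once the handshake is complete, 1 if it must be called again, or a negative AVERROR */`, since `ret = 1` on L80 is otherwise unexplained. Whether clearing the flag on `h` reaches the udp/tcp URLContext that `url_bio_bread()` actually reads from is not visible here; `tls_write()` copies the flag explicitly, so presumably the read path does as well.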
--
2.49.0
* [FFmpeg-devel] [PATCH 03/14] avformat/tls_openssl: don't abort if dtls has no key/cert set
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 54213c4090..81b2f066c9 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -743,10 +743,6 @@ static av_cold int openssl_init_ca_key_cert(URLContext *h)
ret = AVERROR(EINVAL);
return ret;
}
- } else if (c->is_dtls){
- av_log(p, AV_LOG_ERROR, "TLS: Init cert failed, %s\n", openssl_get_error(p));
- ret = AVERROR(EINVAL);
- goto fail;
}
if (c->key_file) {
@@ -764,10 +760,6 @@ static av_cold int openssl_init_ca_key_cert(URLContext *h)
ret = AVERROR(EINVAL);
return ret;
}
- } else if (c->is_dtls) {
- av_log(p, AV_LOG_ERROR, "TLS: Init pkey failed, %s\n", openssl_get_error(p));
- ret = AVERROR(EINVAL);
- goto fail;
}
ret = 0;
fail:
--
2.49.0
* [FFmpeg-devel] [PATCH 04/14] avformat/tls_openssl: initialize DTLS context with correct method
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 81b2f066c9..f116b5eac6 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -786,7 +786,7 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
/* Refer to the test cases regarding these curves in the WebRTC code. */
const char* curves = "X25519:P-256:P-384:P-521";
- p->ctx = SSL_CTX_new(DTLS_method());
+ p->ctx = SSL_CTX_new(c->listen ? DTLS_server_method() : DTLS_client_method());
if (!p->ctx) {
ret = AVERROR(ENOMEM);
goto fail;
@@ -810,6 +810,7 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
ret = AVERROR(EINVAL);
return ret;
}
+
ret = openssl_init_ca_key_cert(h);
if (ret < 0) goto fail;
--
2.49.0
* [FFmpeg-devel] [PATCH 05/14] avformat/tls_openssl: set default MTU if none is set
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index f116b5eac6..900ee0f5ab 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -839,13 +839,17 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
/* Setup the callback for logging. */
SSL_set_ex_data(p->ssl, 0, p);
SSL_set_info_callback(p->ssl, openssl_info_callback);
+
/**
* We have set the MTU to fragment the DTLS packet. It is important to note that the
* packet is split to ensure that each handshake packet is smaller than the MTU.
*/
+ if (c->mtu <= 0)
+ c->mtu = 1096;
SSL_set_options(p->ssl, SSL_OP_NO_QUERY_MTU);
- SSL_set_mtu(p->ssl, p->tls_shared.mtu);
- DTLS_set_link_mtu(p->ssl, p->tls_shared.mtu);
+ SSL_set_mtu(p->ssl, c->mtu);
+ DTLS_set_link_mtu(p->ssl, c->mtu);
+
ret = init_bio_method(h);
if (ret < 0)
goto fail;
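Review bot: `1096` on L234 is a magic number with no explanation of where it comes from; give it a name and a rationale, e.g. `#define DTLS_DEFAULT_MTU 1096 /* conservative default; TODO state why this value */`, since the reason for this particular size is not given anywhere in the patch. The two calls that follow also disagree with each other: `SSL_set_mtu()` sets the DTLS record MTU to `c->mtu` directly, while `DTLS_set_link_mtu()` treats `c->mtu` as the link MTU and subtracts whatever MTU overhead the write BIO reports, so with a BIO that reports overhead the second call overrides the first with a smaller value — keeping only one of them makes the intent clear. Writing the default back into `c->mtu` also changes the user-visible option value; if that is intended, a comment saying so would help.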
--
2.49.0
* [FFmpeg-devel] [PATCH 06/14] avformat/tls_openssl: properly limit written size to data mtu
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 900ee0f5ab..8326762592 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -987,9 +987,14 @@ static int tls_write(URLContext *h, const uint8_t *buf, int size)
URLContext *uc = c->tls_shared.is_dtls ? c->tls_shared.udp
: c->tls_shared.tcp;
int ret;
+
// Set or clear the AVIO_FLAG_NONBLOCK on c->tls_shared.tcp
uc->flags &= ~AVIO_FLAG_NONBLOCK;
uc->flags |= h->flags & AVIO_FLAG_NONBLOCK;
+
+ if (c->tls_shared.is_dtls)
+ size = FFMIN(size, DTLS_get_data_mtu(c->ssl));
+
ret = SSL_write(c->ssl, buf, size);
if (ret > 0)
return ret;
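Review bot: `DTLS_get_data_mtu()` returns a `size_t` and yields 0 when the MTU cannot be determined, so the `FFMIN` on L280 mixes signed and unsigned operands and can clamp `size` to 0, and OpenSSL documents calling `SSL_write()` with a zero length as undefined behaviour. Guard the clamp so a 0 result leaves `size` untouched and do the comparison in `size_t`. It is also worth a comment that in DTLS mode the caller can now get a short write and must resend the remainder, since a datagram writer may not expect that; whether the callers handle it is not visible here.
```c
    if (c->tls_shared.is_dtls) {
        /* DTLS_get_data_mtu() returns 0 when the MTU is unknown; never clamp to 0 */
        size_t data_mtu = DTLS_get_data_mtu(c->ssl);
        if (data_mtu > 0 && (size_t)size > data_mtu)
            size = (int)data_mtu;
    }
    /* … unchanged: SSL_write() and result handling … */
```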
--
2.49.0
* [FFmpeg-devel] [PATCH 07/14] avformat/tls_openssl: don't hardcode ciphers and curves for dtls
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 22 ----------------------
1 file changed, 22 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 8326762592..bb9a5b8054 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -776,15 +776,12 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
TLSShared *c = &p->tls_shared;
int ret = 0;
c->is_dtls = 1;
- const char* ciphers = "ALL";
/**
* The profile for OpenSSL's SRTP is SRTP_AES128_CM_SHA1_80, see ssl/d1_srtp.c.
* The profile for FFmpeg's SRTP is SRTP_AES128_CM_HMAC_SHA1_80, see libavformat/srtp.c.
*/
const char* profiles = "SRTP_AES128_CM_SHA1_80";
- /* Refer to the test cases regarding these curves in the WebRTC code. */
- const char* curves = "X25519:P-256:P-384:P-521";
p->ctx = SSL_CTX_new(c->listen ? DTLS_server_method() : DTLS_client_method());
if (!p->ctx) {
@@ -792,25 +789,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
goto fail;
}
- /* For ECDSA, we could set the curves list. */
- if (SSL_CTX_set1_curves_list(p->ctx, curves) != 1) {
- av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set1_curves_list failed, curves=%s, %s\n",
- curves, openssl_get_error(p));
- ret = AVERROR(EINVAL);
- return ret;
- }
-
- /**
- * We activate "ALL" cipher suites to align with the peer's capabilities,
- * ensuring maximum compatibility.
- */
- if (SSL_CTX_set_cipher_list(p->ctx, ciphers) != 1) {
- av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set_cipher_list failed, ciphers=%s, %s\n",
- ciphers, openssl_get_error(p));
- ret = AVERROR(EINVAL);
- return ret;
- }
-
ret = openssl_init_ca_key_cert(h);
if (ret < 0) goto fail;
--
2.49.0
* [FFmpeg-devel] [PATCH 08/14] avformat/tls_openssl: clean up peer verify logic in dtls mode
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 22 ++++++++--------------
1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index bb9a5b8054..a497d4dfd8 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -674,15 +674,6 @@ static void openssl_info_callback(const SSL *ssl, int where, int ret) {
}
}
-/**
- * Always return 1 to accept any certificate. This is because we allow the peer to
- * use a temporary self-signed certificate for DTLS.
- */
-static int openssl_dtls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-{
- return 1;
-}
-
static int dtls_handshake(URLContext *h)
{
int ret = 1, r0, r1;
@@ -792,13 +783,16 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
ret = openssl_init_ca_key_cert(h);
if (ret < 0) goto fail;
- /* Server will send Certificate Request. */
- SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, openssl_dtls_verify_callback);
- /* The depth count is "level 0:peer certificate", "level 1: CA certificate",
- * "level 2: higher level CA certificate", and so on. */
- SSL_CTX_set_verify_depth(p->ctx, 4);
+ /* Note, this doesn't check that the peer certificate actually matches the requested hostname. */
+ if (c->verify)
+ SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+
+ if (!c->listen && !c->numerichost)
+ SSL_set_tlsext_host_name(p->ssl, c->host);
+
/* Whether we should read as many input bytes as possible (for non-blocking reads) or not. */
SSL_CTX_set_read_ahead(p->ctx, 1);
+
/* Setup the SRTP context */
if (SSL_CTX_set_tlsext_use_srtp(p->ctx, profiles)) {
av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set_tlsext_use_srtp failed, profiles=%s, %s\n",
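Review bot: `SSL_set_tlsext_host_name(p->ssl, c->host)` on L403 appears to run before `p->ssl` exists: elsewhere in `dtls_start()` (outside this hunk) `SSL_set_ex_data(p->ssl, 0, p)` sits after the SRTP setup that follows here, which suggests `SSL_new()` is called later, in which case this is a NULL dereference for every non-numeric-host client; if so, move the call below `SSL_new()`. With `c->verify` set the chain is checked but, as the comment on L398 says, the hostname is not — `SSL_set1_host(p->ssl, c->host)` (OpenSSL 1.1.0+) at the same spot would make OpenSSL verify it for that client case. Without `c->verify` no verification happens at all, so the peer certificate has to be authenticated by other means (presumably a fingerprint compared by the caller); a comment saying where that happens would help the next reader. `dtls_start()` continues outside this hunk.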
--
2.49.0
* [FFmpeg-devel] [PATCH 09/14] avformar/tls_openssl: use correct info callback in DTLS mode
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index a497d4dfd8..63fc085e28 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -810,7 +810,7 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
/* Setup the callback for logging. */
SSL_set_ex_data(p->ssl, 0, p);
- SSL_set_info_callback(p->ssl, openssl_info_callback);
+ SSL_CTX_set_info_callback(p->ctx, openssl_info_callback);
/**
* We have set the MTU to fragment the DTLS packet. It is important to note that the
--
2.49.0
* [FFmpeg-devel] [PATCH 10/14] avformat/tls_openssl: don't enable read_ahead in dtls mode
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
OpenSSL docs say:
These functions have no impact when used with DTLS.
---
libavformat/tls_openssl.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 63fc085e28..c58044b46b 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -790,9 +790,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary **
if (!c->listen && !c->numerichost)
SSL_set_tlsext_host_name(p->ssl, c->host);
- /* Whether we should read as many input bytes as possible (for non-blocking reads) or not. */
- SSL_CTX_set_read_ahead(p->ctx, 1);
-
/* Setup the SRTP context */
if (SSL_CTX_set_tlsext_use_srtp(p->ctx, profiles)) {
av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set_tlsext_use_srtp failed, profiles=%s, %s\n",
--
2.49.0
* [FFmpeg-devel] [PATCH 11/14] avformat/tls_openssl: properly free generated/read keys and certificates
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index c58044b46b..34dd22daf7 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -161,8 +161,8 @@ int ff_ssl_read_key_cert(char *key_url, char *cert_url, char *key_buf, size_t ke
int ret = 0;
BIO *key_b = NULL, *cert_b = NULL;
AVBPrint key_bp, cert_bp;
- EVP_PKEY *pkey;
- X509 *cert;
+ EVP_PKEY *pkey = NULL;
+ X509 *cert = NULL;
char *key_tem = NULL, *cert_tem = NULL;
/* To prevent a crash during cleanup, always initialize it. */
@@ -230,6 +230,8 @@ end:
av_bprint_finalize(&cert_bp, NULL);
av_free(key_tem);
av_free(cert_tem);
+ EVP_PKEY_free(pkey);
+ X509_free(cert);
return ret;
}
@@ -255,7 +257,16 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey)
#if OPENSSL_VERSION_NUMBER < 0x30000000L /* OpenSSL 3.0 */
*pkey = EVP_PKEY_new();
+ if (!*pkey)
+ return AVERROR(ENOMEM);
+
*eckey = EC_KEY_new();
+ if (!*eckey) {
+ EVP_PKEY_free(*pkey);
+ *pkey = NULL;
+ return AVERROR(ENOMEM);
+ }
+
ecgroup = EC_GROUP_new_by_curve_name(curve);
if (!ecgroup) {
av_log(NULL, AV_LOG_ERROR, "TLS: Create EC group by curve=%d failed, %s", curve, ERR_error_string(ERR_get_error(), NULL));
@@ -287,6 +298,10 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey)
einval_end:
ret = AVERROR(EINVAL);
+ EC_KEY_free(*eckey);
+ EVP_PKEY_free(*pkey);
+ *eckey = NULL;
+ *pkey = NULL;
end:
#if OPENSSL_VERSION_NUMBER < 0x30000000L /* OpenSSL 3.0 */
EC_GROUP_free(ecgroup);
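Review bot: The ownership rules this hunk establishes are not written down: on the `einval_end` path `openssl_gen_private_key()` now frees and NULLs both out-parameters while on the `end` path the caller keeps them, and the `openssl_gen_certificate()` hunk at L555 does the same for `*cert`. Add a comment above each definition (outside this hunk), e.g. `/* On success the caller owns *pkey and *eckey; on any failure both are freed and set to NULL. */`, so callers such as `ff_ssl_gen_key_cert()` can see that the unconditional frees on L566 are safe rather than double frees. A short note that `EVP_PKEY_set1_EC_KEY()` takes its own reference, which is why `*eckey` may be freed after it, would remove the remaining doubt on the OpenSSL < 3.0 path.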
@@ -368,6 +383,10 @@ enomem_end:
einval_end:
ret = AVERROR(EINVAL);
end:
+ if (ret) {
+ X509_free(*cert);
+ *cert = NULL;
+ }
X509_NAME_free(subject);
return ret;
}
@@ -395,6 +414,9 @@ int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cer
av_free(key_tem);
av_free(cert_tem);
error:
+ X509_free(cert);
+ EC_KEY_free(ec_key);
+ EVP_PKEY_free(pkey);
return ret;
}
--
2.49.0
* [FFmpeg-devel] [PATCH 12/14] avformat/tls_openssl: don't expose deprecated EC_KEY outside of its function
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 34dd22daf7..cd11419fee 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -235,7 +235,7 @@ end:
return ret;
}
-static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey)
+static int openssl_gen_private_key(EVP_PKEY **pkey)
{
int ret = 0;
@@ -250,6 +250,7 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey)
*/
#if OPENSSL_VERSION_NUMBER < 0x30000000L /* OpenSSL 3.0 */
EC_GROUP *ecgroup = NULL;
+ EC_KEY *eckey = NULL;
int curve = NID_X9_62_prime256v1;
#else
const char *curve = SN_X9_62_prime256v1;
@@ -260,8 +261,8 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey)
if (!*pkey)
return AVERROR(ENOMEM);
- *eckey = EC_KEY_new();
- if (!*eckey) {
+ eckey = EC_KEY_new();
+ if (!eckey) {
EVP_PKEY_free(*pkey);
*pkey = NULL;
return AVERROR(ENOMEM);
@@ -273,17 +274,17 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey)
goto einval_end;
}
- if (EC_KEY_set_group(*eckey, ecgroup) != 1) {
+ if (EC_KEY_set_group(eckey, ecgroup) != 1) {
av_log(NULL, AV_LOG_ERROR, "TLS: Generate private key, EC_KEY_set_group failed, %s\n", ERR_error_string(ERR_get_error(), NULL));
goto einval_end;
}
- if (EC_KEY_generate_key(*eckey) != 1) {
+ if (EC_KEY_generate_key(eckey) != 1) {
av_log(NULL, AV_LOG_ERROR, "TLS: Generate private key, EC_KEY_generate_key failed, %s\n", ERR_error_string(ERR_get_error(), NULL));
goto einval_end;
}
- if (EVP_PKEY_set1_EC_KEY(*pkey, *eckey) != 1) {
+ if (EVP_PKEY_set1_EC_KEY(*pkey, eckey) != 1) {
av_log(NULL, AV_LOG_ERROR, "TLS: Generate private key, EVP_PKEY_set1_EC_KEY failed, %s\n", ERR_error_string(ERR_get_error(), NULL));
goto einval_end;
}
@@ -298,13 +299,12 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey)
einval_end:
ret = AVERROR(EINVAL);
- EC_KEY_free(*eckey);
EVP_PKEY_free(*pkey);
- *eckey = NULL;
*pkey = NULL;
end:
#if OPENSSL_VERSION_NUMBER < 0x30000000L /* OpenSSL 3.0 */
EC_GROUP_free(ecgroup);
+ EC_KEY_free(eckey);
#endif
return ret;
}
@@ -395,11 +395,10 @@ int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cer
{
int ret = 0;
EVP_PKEY *pkey = NULL;
- EC_KEY *ec_key = NULL;
X509 *cert = NULL;
char *key_tem = NULL, *cert_tem = NULL;
- ret = openssl_gen_private_key(&pkey, &ec_key);
+ ret = openssl_gen_private_key(&pkey);
if (ret < 0) goto error;
ret = openssl_gen_certificate(pkey, &cert, fingerprint);
@@ -415,7 +414,6 @@ int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cer
av_free(cert_tem);
error:
X509_free(cert);
- EC_KEY_free(ec_key);
EVP_PKEY_free(pkey);
return ret;
}
--
2.49.0
* [FFmpeg-devel] [PATCH 13/14] avformat/tls_openssl: make generating fingerprints optional
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index cd11419fee..48d8edb08a 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -216,11 +216,13 @@ int ff_ssl_read_key_cert(char *key_url, char *cert_url, char *key_buf, size_t ke
snprintf(cert_buf, cert_sz, "%s", cert_tem);
/* Generate fingerprint. */
- *fingerprint = generate_fingerprint(cert);
- if (!*fingerprint) {
- av_log(NULL, AV_LOG_ERROR, "TLS: Failed to generate fingerprint from %s\n", cert_url);
- ret = AVERROR(EIO);
- goto end;
+ if (fingerprint) {
+ *fingerprint = generate_fingerprint(cert);
+ if (!*fingerprint) {
+ av_log(NULL, AV_LOG_ERROR, "TLS: Failed to generate fingerprint from %s\n", cert_url);
+ ret = AVERROR(EIO);
+ goto end;
+ }
}
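Review bot: Making `fingerprint` optional is a contract change for `ff_ssl_read_key_cert()` that nothing documents; its declaration in the header (outside this hunk) should say `fingerprint may be NULL, in which case no fingerprint is generated`, and the same applies to `openssl_gen_certificate()` in the hunk at L721. Without that a reader cannot tell whether passing NULL is supported or an oversight. It is also worth stating that when a pointer is passed, `*fingerprint` is only assigned on the success path and is left untouched on earlier failures.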
end:
@@ -371,9 +373,11 @@ static int openssl_gen_certificate(EVP_PKEY *pkey, X509 **cert, char **fingerpri
goto einval_end;
}
- *fingerprint = generate_fingerprint(*cert);
- if (!*fingerprint) {
- goto enomem_end;
+ if (fingerprint) {
+ *fingerprint = generate_fingerprint(*cert);
+ if (!*fingerprint) {
+ goto enomem_end;
+ }
}
goto end;
--
2.49.0
* [FFmpeg-devel] [PATCH 14/14] avformat/tls_openssl: automatically generate self-signed certificate when none is provided in listen mode
@ 2025-07-13 19:24 ` Timo Rothenpieler
From: Timo Rothenpieler @ 2025-07-13 19:24 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Timo Rothenpieler
---
libavformat/tls_openssl.c | 35 ++++++++++++++++++++++++++++++-----
1 file changed, 30 insertions(+), 5 deletions(-)
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 48d8edb08a..07d1af40d8 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -485,7 +485,6 @@ typedef struct TLSContext {
TLSShared tls_shared;
SSL_CTX *ctx;
SSL *ssl;
- EVP_PKEY *pkey;
BIO_METHOD* url_bio_method;
int io_err;
char error_message[256];
@@ -756,7 +755,7 @@ static av_cold int openssl_init_ca_key_cert(URLContext *h)
if (SSL_CTX_use_certificate(p->ctx, cert) != 1) {
av_log(p, AV_LOG_ERROR, "SSL: Init SSL_CTX_use_certificate failed, %s\n", openssl_get_error(p));
ret = AVERROR(EINVAL);
- return ret;
+ goto fail;
}
}
@@ -769,15 +768,42 @@ static av_cold int openssl_init_ca_key_cert(URLContext *h)
goto fail;
}
} else if (c->key_buf) {
- p->pkey = pkey = pkey_from_pem_string(c->key_buf, 1);
+ pkey = pkey_from_pem_string(c->key_buf, 1);
if (SSL_CTX_use_PrivateKey(p->ctx, pkey) != 1) {
av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_use_PrivateKey failed, %s\n", openssl_get_error(p));
ret = AVERROR(EINVAL);
- return ret;
+ goto fail;
}
}
+
+ if (c->listen && !c->cert_file && !c->cert_buf && !c->key_file && !c->key_buf) {
+ av_log(h, AV_LOG_VERBOSE, "No server certificate provided, using self-signed\n");
+
+ ret = openssl_gen_private_key(&pkey);
+ if (ret < 0)
+ goto fail;
+
+ ret = openssl_gen_certificate(pkey, &cert, NULL);
+ if (ret < 0)
+ goto fail;
+
+ if (SSL_CTX_use_certificate(p->ctx, cert) != 1) {
+ av_log(p, AV_LOG_ERROR, "SSL_CTX_use_certificate failed for self-signed cert, %s\n", openssl_get_error(p));
+ ret = AVERROR(EINVAL);
+ goto fail;
+ }
+
+ if (SSL_CTX_use_PrivateKey(p->ctx, pkey) != 1) {
+ av_log(p, AV_LOG_ERROR, "SSL_CTX_use_PrivateKey failed for self-signed cert, %s\n", openssl_get_error(p));
+ ret = AVERROR(EINVAL);
+ goto fail;
+ }
+ }
+
ret = 0;
fail:
+ X509_free(cert);
+ EVP_PKEY_free(pkey);
return ret;
}
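Review bot: The fingerprint of the auto-generated certificate is discarded at `openssl_gen_certificate(pkey, &cert, NULL)`, so an operator who starts a listener without a certificate has no record of which self-signed certificate it presents, and a peer can only accept it unverified. Requesting it with `char *fingerprint = NULL;` and `ret = openssl_gen_certificate(pkey, &cert, &fingerprint);`, then logging it next to the "using self-signed" message, e.g. `av_log(h, AV_LOG_INFO, "Self-signed certificate fingerprint: %s\n", fingerprint);`, gives the remote side something to pin against; the string must then be released with whatever allocator generate_fingerprint pairs with (presumably av_free). Separately, `pkey = pkey_from_pem_string(c->key_buf, 1);` is still not checked for NULL before `SSL_CTX_use_PrivateKey`; OpenSSL rejects a NULL key, but the failure is then reported as an SSL_CTX_use_PrivateKey error rather than as an unparsable PEM key, so `if (!pkey) { ret = AVERROR(EINVAL); goto fail; }` would make the diagnostic accurate. The body of openssl_init_ca_key_cert starts above this hunk, so whether `cert` and `pkey` are initialised to NULL before the first `goto fail` reaches the new `X509_free`/`EVP_PKEY_free` cannot be confirmed from here.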
@@ -894,7 +920,6 @@ static av_cold int dtls_close(URLContext *h)
SSL_CTX_free(ctx->ctx);
av_freep(&ctx->tls_shared.cert_buf);
av_freep(&ctx->tls_shared.key_buf);
- EVP_PKEY_free(ctx->pkey);
return 0;
}
--
2.49.0