Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
 help / color / mirror / Atom feed
From: "Jan Ekström" <jeebjp@gmail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: add support for mbedtls version 3
Date: Tue, 26 Apr 2022 00:31:35 +0300
Message-ID: <CAEu79SYy3bEDi0TJaCRAja5X8JreLLNO7teq1D7vKvkpg2PnrA@mail.gmail.com> (raw)
In-Reply-To: <20220423233208.27071-1-timo@rothenpieler.org>

On Sun, Apr 24, 2022 at 2:33 AM Timo Rothenpieler <timo@rothenpieler.org> wrote:
>
> - certs.h is gone. Only contains test data, and was not used at all.
> - config.h is renamed. Was seemingly not used, so can be removed.
> - MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE is gone, instead
>   MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE will be thrown.
> - mbedtls_pk_parse_keyfile now needs to be passed a properly seeded
>   RNG. Hence, move the call to after RNG seeding.
>
> Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
> ---
>  libavformat/tls_mbedtls.c | 34 ++++++++++++++++++++++------------
>  1 file changed, 22 insertions(+), 12 deletions(-)
>
> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
> index 5754d0d018..8503523b6d 100644
> --- a/libavformat/tls_mbedtls.c
> +++ b/libavformat/tls_mbedtls.c
> @@ -19,8 +19,7 @@
>   * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>   */
>
> -#include <mbedtls/certs.h>
> -#include <mbedtls/config.h>
> +#include <mbedtls/version.h>
>  #include <mbedtls/ctr_drbg.h>
>  #include <mbedtls/entropy.h>
>  #include <mbedtls/net_sockets.h>
> @@ -130,9 +129,15 @@ static void handle_pk_parse_error(URLContext *h, int ret)
>  static void handle_handshake_error(URLContext *h, int ret)
>  {
>      switch (ret) {
> +#if MBEDTLS_VERSION_MAJOR < 3
>      case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
>          av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n");
>          break;
> +#else
> +    case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:
> +        av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n");
> +        break;
> +#endif
>      case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
>          av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n");
>          break;
> @@ -195,16 +200,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
>          }
>      }
>
> -    // load key file
> -    if (shr->key_file) {
> -        if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,
> -                                            shr->key_file,
> -                                            tls_ctx->priv_key_pw)) != 0) {
> -            handle_pk_parse_error(h, ret);
> -            goto fail;
> -        }
> -    }
> -
>      // seed the random number generator
>      if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context,
>                                       mbedtls_entropy_func,
> @@ -214,6 +209,21 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
>          goto fail;
>      }
>
> +    // load key file
> +    if (shr->key_file) {
> +        if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,
> +                                            shr->key_file,
> +                                            tls_ctx->priv_key_pw
> +#if MBEDTLS_VERSION_MAJOR >= 3
> +                                            , mbedtls_ctr_drbg_random,
> +                                            &tls_ctx->ctr_drbg_context
> +#endif
> +                                            )) != 0) {
> +            handle_pk_parse_error(h, ret);
> +            goto fail;
> +        }
> +    }
> +

Seems correct enough as the RNG is then utilized in the TLS
configuration as well.

As long as the mbedtls API documentation notes that it is OK to
utilize the same RNG for both this as well as the TLS configuration
itself, this seems fine.

Jan
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

      parent reply	other threads:[~2022-04-25 21:31 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-23 23:32 Timo Rothenpieler
2022-04-24 22:48 ` Timo Rothenpieler
2022-04-25 21:31 ` Jan Ekström [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAEu79SYy3bEDi0TJaCRAja5X8JreLLNO7teq1D7vKvkpg2PnrA@mail.gmail.com \
    --to=jeebjp@gmail.com \
    --cc=ffmpeg-devel@ffmpeg.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
		ffmpegdev@gitmailbox.com
	public-inbox-index ffmpegdev

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git