[FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures

[FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures

[Sfan5]

We manually check the verification status after the handshake has completed
using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED
mbedtls_ssl_handshake() already returns an error, so this code is never 
reached.
Fix that by using VERIFY_OPTIONAL, which performs the verification but
does not abort the handshake.

Signed-off-by: sfan5 <sfan5@live.de>
---
  libavformat/tls_mbedtls.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 9508fe3436..67d5c568b9 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, 
int flags, AVDictionary **op
          goto fail;
      }
  +    // not VERIFY_REQUIRED because we manually check after handshake
      mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
-                              shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED 
: MBEDTLS_SSL_VERIFY_NONE);
+                              shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL 
: MBEDTLS_SSL_VERIFY_NONE);
      mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, 
mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context);
      mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, 
NULL);
  -- 2.45.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1621 bytes --]

On Fri, May 17, 2024 at 10:34:41AM +0200, Sfan5 wrote:
> We manually check the verification status after the handshake has completed
> using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED
> mbedtls_ssl_handshake() already returns an error, so this code is never
> reached.
> Fix that by using VERIFY_OPTIONAL, which performs the verification but
> does not abort the handshake.
> 
> Signed-off-by: sfan5 <sfan5@live.de>
> ---
>  libavformat/tls_mbedtls.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
> index 9508fe3436..67d5c568b9 100644
> --- a/libavformat/tls_mbedtls.c
> +++ b/libavformat/tls_mbedtls.c
> @@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, int
> flags, AVDictionary **op
>          goto fail;
>      }
>  +    // not VERIFY_REQUIRED because we manually check after handshake
>      mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
> -                              shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED :
> MBEDTLS_SSL_VERIFY_NONE);
> +                              shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL :
> MBEDTLS_SSL_VERIFY_NONE);
>      mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random,
> &tls_ctx->ctr_drbg_context);
>      mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert,
> NULL);

This patch looks corrupted by extra line breaks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

There will always be a question for which you do not know the correct answer.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures

[sfan5]

Am 18.05.24 um 21:53 schrieb Michael Niedermayer:
> On Fri, May 17, 2024 at 10:34:41AM +0200, Sfan5 wrote:
>> We manually check the verification status after the handshake has completed
>> using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED
>> mbedtls_ssl_handshake() already returns an error, so this code is never
>> reached.
>> Fix that by using VERIFY_OPTIONAL, which performs the verification but
>> does not abort the handshake.
>>
>> Signed-off-by: sfan5 <sfan5@live.de>
>> ---
>>   libavformat/tls_mbedtls.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
>> index 9508fe3436..67d5c568b9 100644
>> --- a/libavformat/tls_mbedtls.c
>> +++ b/libavformat/tls_mbedtls.c
>> @@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, int
>> flags, AVDictionary **op
>>           goto fail;
>>       }
>>   +    // not VERIFY_REQUIRED because we manually check after handshake
>>       mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
>> -                              shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED :
>> MBEDTLS_SSL_VERIFY_NONE);
>> +                              shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL :
>> MBEDTLS_SSL_VERIFY_NONE);
>>       mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random,
>> &tls_ctx->ctr_drbg_context);
>>       mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert,
>> NULL);
> This patch looks corrupted by extra line breaks
>
> [...]

Thanks for pointing that out.

It looks like years later Microsoft is still incapable of leaving 
patches intact... Will send as attachments for v2.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".