From patchwork Sat Apr 23 23:32:08 2022
X-Patchwork-Submitter: Timo Rothenpieler
X-Patchwork-Id: 35391
From: Timo Rothenpieler
To: ffmpeg-devel@ffmpeg.org
Date: Sun, 24 Apr 2022 01:32:08 +0200
Message-Id: <20220423233208.27071-1-timo@rothenpieler.org>
Subject: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: add support for mbedtls version 3
Cc: Timo Rothenpieler

- certs.h is gone. Only contains test data, and was not used at all.
- config.h is renamed. Was seemingly not used, so can be removed.
- MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE is gone, instead MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE will be thrown.
- mbedtls_pk_parse_keyfile now needs to be passed a properly seeded RNG. Hence, move the call to after RNG seeding.

Signed-off-by: Timo Rothenpieler
---
 libavformat/tls_mbedtls.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 5754d0d018..8503523b6d 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -19,8 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#include -#include +#include #include #include #include 
@@ -130,9 +129,15 @@ static void handle_pk_parse_error(URLContext *h, int ret) static void handle_handshake_error(URLContext *h, int ret) { switch (ret) { +#if MBEDTLS_VERSION_MAJOR < 3 case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n"); break; +#else + case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE: + av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n"); + break; +#endif case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); break; @@ -195,16 +200,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op } } - // load key file - if (shr->key_file) { - if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, - shr->key_file, - tls_ctx->priv_key_pw)) != 0) { - handle_pk_parse_error(h, ret); - goto fail; - } - } - // seed the random number generator if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context, mbedtls_entropy_func, @@ -214,6 +209,21 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } + // load key file + if (shr->key_file) { + if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, + shr->key_file, + tls_ctx->priv_key_pw +#if MBEDTLS_VERSION_MAJOR >= 3 + , mbedtls_ctr_drbg_random, + &tls_ctx->ctr_drbg_context +#endif + )) != 0) { + handle_pk_parse_error(h, ret); + goto fail; + } + } + if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config, shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM,
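
Review bot: The `#if MBEDTLS_VERSION_MAJOR` guards used further down rely on the include added in the `@@ -19,8 +19,7 @@` hunk to define that macro, and nothing in the file checks that it does. An undefined identifier in `#if` evaluates to 0, so if the macro were ever missing, `MBEDTLS_VERSION_MAJOR < 3` would be true and the 2.x branches would be compiled against a 3.x library, failing with errors that do not point at the real cause. A short `#ifndef MBEDTLS_VERSION_MAJOR` followed by `#error` directly after the includes would make that failure obvious.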
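
Review bot: In `handle_handshake_error` (hunk `@@ -130,9 +129,15 @@`), the new `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` case logs only "TLS handshake failed." and drops the hint about the local certificate that the 2.x branch prints. According to the commit message this code now stands in for `MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE`, so on mbedtls 3 an operator with a missing or mismatched certificate gets a less actionable message than before. Suggest keeping the hint as a possible cause, for example "TLS handshake failed. One possible cause is that no common ciphersuite is usable; was the local certificate correctly set?".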
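
Review bot: In the key-loading block re-added to `tls_open` (hunk `@@ -214,6 +209,21 @@`), the `#if MBEDTLS_VERSION_MAJOR >= 3` sits inside the argument list of `mbedtls_pk_parse_keyfile`, with the extra arguments introduced by a leading comma (`, mbedtls_ctr_drbg_random,`). That is easy to break in a later edit; a small static helper, or two complete calls under `#if`/`#else`, would be clearer. The block's position after `mbedtls_ctr_drbg_seed` is now required on 3.x because the call is handed `&tls_ctx->ctr_drbg_context`, so the `// load key file` comment should state that the RNG must already be seeded, to keep the block from being moved back above the seeding.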