Re: [libav-devel] [PATCH] libavformat: Add mbedTLS based TLS support
On Tue, Apr 24, 2018 at 10:00:00AM +0200, Luca Barbato wrote: > --- a/Changelog > +++ b/Changelog > @@ -24,6 +24,7 @@ version : > - Haivision SRT protocol via libsrt > - Dropped support for building for Windows XP. The minimum supported Windows >version is Windows Vista. > +- support mbedTLS based TLS mbedTLS-based > --- a/configure > +++ b/configure > @@ -2507,7 +2509,7 @@ xcbgrab_indev_suggest="libxcb_shm libxcb_xfixes" > > # protocols > ffrtmpcrypt_protocol_conflict="librtmp_protocol" > -ffrtmpcrypt_protocol_deps_any="gmp openssl" > +ffrtmpcrypt_protocol_deps_any="gmp openssl mbedtls" order > @@ -2547,7 +2549,7 @@ sctp_protocol_deps="struct_sctp_event_subscribe" > tcp_protocol_select="network" > -tls_protocol_deps_any="gnutls openssl" > +tls_protocol_deps_any="gnutls openssl mbedtls" same > --- a/libavformat/rtmpdh.c > +++ b/libavformat/rtmpdh.c > @@ -38,6 +38,11 @@ > > +#if CONFIG_MBEDTLS > +#include > +#include > +#endif For the other external crypto libs these #includes are in rtmpdh.h. > --- /dev/null > +++ b/libavformat/tls_mbedtls.c 
> @@ -0,0 +1,351 @@ > + * This file is part of FFmpeg. Nah. > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "avformat.h" > +#include "internal.h" > +#include "url.h" > +#include "tls.h" > +#include "libavutil/parseutils.h" Move the libavutil #include into canonical order. > +static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len) > +{ > +URLContext *h = (URLContext*) ctx; pointless void* cast > +static void handle_handshake_error(URLContext *h, int ret) > +{ > +switch (ret) { > +case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: > +av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. > Was the local certificate correctly set?\n"); set correctly > +break; > +case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: > +av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the > peer, has the peer a correct certificate?\n"); does the peer have a correct certificate > +break; > +case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED: > +av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to > operate. Was the CA correctly set?\n"); set correctly > +// set I/O functions to use FFmpeg internal code for transport layer libavformat-internal > +static int handle_tls_error(URLContext *h, const char* func_name, int ret) *func_name > +static const AVOption options[] = { > +TLS_COMMON_OPTIONS(TLSContext, tls_shared), \ > +{"key_password", "Password for the private key file", > OFFSET(priv_key_pw), AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \ space after { > +const URLProtocol ff_tls_protocol = { > +.name = "tls", > +.url_open2 = tls_open, > +.url_read = tls_read, > +.url_write = tls_write, > +.url_close = tls_close, > +.url_get_file_handle = tls_get_file_handle, > +.priv_data_size = sizeof(TLSContext), > +.flags = URL_PROTOCOL_FLAG_NETWORK, > +.priv_data_class = _class, > +}; nit: align Diego ___ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
[libav-devel] [PATCH] libavformat: Add mbedTLS based TLS support
From: Thomas VolkertSigned-off-by: Luca Barbato --- The ex-polarssl library is apache-2 now making it more interesting licensing-wise. Changelog | 1 + configure | 13 +- libavformat/Makefile | 1 + libavformat/rtmpdh.c | 55 libavformat/rtmpdh.h | 5 + libavformat/tls_mbedtls.c | 351 ++ libavformat/version.h | 2 +- 7 files changed, 425 insertions(+), 3 deletions(-) create mode 100644 libavformat/tls_mbedtls.c diff --git a/Changelog b/Changelog index 35b6c066a7..89d52bb582 100644 --- a/Changelog +++ b/Changelog @@ -24,6 +24,7 @@ version : - Haivision SRT protocol via libsrt - Dropped support for building for Windows XP. The minimum supported Windows version is Windows Vista. +- support mbedTLS based TLS version 12: diff --git a/configure b/configure index 465fdcfb6d..d09c58becb 100755 --- a/configure +++ b/configure @@ -229,6 +229,7 @@ External library support: --enable-libxcb-shmX11 shm communication [auto] --enable-libxcb-xfixes X11 mouse rendering [auto] --enable-libxvid MPEG-4 ASP video encoding + --enable-mbedtls crypto --enable-openssl crypto --enable-zlib compression [autodetect] @@ -1344,6 +1345,7 @@ EXTERNAL_LIBRARY_VERSION3_LIST=" libopencore_amrwb libvo_aacenc libvo_amrwbenc +mbedtls " EXTERNAL_LIBRARY_LIST=" @@ -2507,7 +2509,7 @@ xcbgrab_indev_suggest="libxcb_shm libxcb_xfixes" # protocols ffrtmpcrypt_protocol_conflict="librtmp_protocol" -ffrtmpcrypt_protocol_deps_any="gmp openssl" +ffrtmpcrypt_protocol_deps_any="gmp openssl mbedtls" ffrtmpcrypt_protocol_select="tcp_protocol" ffrtmphttp_protocol_conflict="librtmp_protocol" ffrtmphttp_protocol_select="http_protocol" @@ -2547,7 +2549,7 @@ sctp_protocol_deps="struct_sctp_event_subscribe" sctp_protocol_select="network" srtp_protocol_select="rtp_protocol srtp" tcp_protocol_select="network" -tls_protocol_deps_any="gnutls openssl" +tls_protocol_deps_any="gnutls openssl mbedtls" tls_protocol_select="tcp_protocol" udp_protocol_select="network" unix_protocol_deps="sys_un_h" 
@@ -2958,6 +2960,12 @@ fi enabled_all gnutls openssl && die "GnuTLS and OpenSSL must not be enabled at the same time." +enabled_all gnutls mbedtls && +die "GnuTLS and mbedTLS must not be enabled at the same time." + +enabled_all openssl mbedtls && +die "OpenSSL and mbedTLS must not be enabled at the same time." + # Disable all the library-specific components if the library itself # is disabled, see AVCODEC_LIST and following _LIST variables. @@ -4709,6 +4717,7 @@ enabled libx265 && require_pkg_config libx265 x265 x265.h x265_api_get require_cpp_condition x265.h "X265_BUILD >= 57" enabled libxavs && require libxavs "stdint.h xavs.h" xavs_encoder_encode -lxavs enabled libxvid && require libxvid xvid.h xvid_global -lxvidcore +enabled mbedtls && require mbedtls mbedtls/ssl.h mbedtls_ssl_init -lmbedtls -lmbedcrypto -lmbedx509 enabled mmal && { check_lib mmal interface/mmal/mmal.h mmal_port_connect -lmmal_core -lmmal_util -lmmal_vc_client -lbcm_host || { ! enabled cross_compile && add_cflags -isystem/opt/vc/include/ -isystem/opt/vc/include/interface/vmcs_host/linux -isystem/opt/vc/include/interface/vcos/pthreads -fgnu89-inline && diff --git a/libavformat/Makefile b/libavformat/Makefile index 96085d20c6..3992000f8a 100644 --- a/libavformat/Makefile +++ b/libavformat/Makefile @@ -409,6 +409,7 @@ OBJS-$(CONFIG_SCTP_PROTOCOL) += sctp.o OBJS-$(CONFIG_SRTP_PROTOCOL) += srtpproto.o srtp.o OBJS-$(CONFIG_TCP_PROTOCOL) += tcp.o TLS-OBJS-$(CONFIG_GNUTLS)+= tls_gnutls.o +TLS-OBJS-$(CONFIG_MBEDTLS) += tls_mbedtls.o TLS-OBJS-$(CONFIG_OPENSSL) += tls_openssl.o OBJS-$(CONFIG_TLS_PROTOCOL) += tls.o $(TLS-OBJS-yes) OBJS-$(CONFIG_UDP_PROTOCOL) += udp.o diff --git a/libavformat/rtmpdh.c b/libavformat/rtmpdh.c index 0593eac943..dd399a72e3 100644 --- a/libavformat/rtmpdh.c +++ b/libavformat/rtmpdh.c @@ -38,6 +38,11 @@ #include "rtmpdh.h" +#if CONFIG_MBEDTLS +#include +#include +#endif + #define P1024 \ "C90FDAA22168C234C4C6628B80DC1CD1" \ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ 
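Review bot: In the new `enabled mbedtls && require mbedtls ...` line of the @@ -4709 hunk the libraries are listed as `-lmbedtls -lmbedcrypto -lmbedx509`, which places mbedcrypto before the mbedx509 archive that depends on it; with static archives, where the linker resolves references left to right, the symbols mbedx509 pulls from mbedcrypto can stay unresolved and the probe (or a later static build) fails. Listing them in dependency order, `enabled mbedtls && require mbedtls mbedtls/ssl.h mbedtls_ssl_init -lmbedtls -lmbedx509 -lmbedcrypto`, works for both shared and static linking. The probe also only establishes that mbedtls_ssl_init links; since the backend presumably relies on more of the API than that single symbol, a version floor in the style of the adjacent x265 check, e.g. `require_cpp_condition mbedtls/version.h "MBEDTLS_VERSION_NUMBER >= <MIN_VERSION>"` with the placeholder filled in once the minimum tested release is known, would make the supported mbedTLS range explicit.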
@@ -132,6 +137,56 @@ static int bn_modexp(FFBigNum bn, FFBigNum y, FFBigNum q, FFBigNum p) BN_CTX_free(ctx); return 0; } +#elif CONFIG_MBEDTLS +#define bn_new(bn) \ +do {\ +bn = av_malloc(sizeof(*bn));\ +if (bn) \ +mbedtls_mpi_init(bn); \ +} while (0)