Re: [libav-devel] [PATCH] libavformat: Add mbedTLS based TLS support

2018-04-24 Thread Diego Biurrun
On Tue, Apr 24, 2018 at 10:00:00AM +0200, Luca Barbato wrote:
> --- a/Changelog
> +++ b/Changelog
> @@ -24,6 +24,7 @@ version :
>  - Haivision SRT protocol via libsrt
>  - Dropped support for building for Windows XP. The minimum supported Windows
>version is Windows Vista.
> +- support mbedTLS based TLS

mbedTLS-based

> --- a/configure
> +++ b/configure
> @@ -2507,7 +2509,7 @@ xcbgrab_indev_suggest="libxcb_shm libxcb_xfixes"
> 
>  # protocols
>  ffrtmpcrypt_protocol_conflict="librtmp_protocol"
> -ffrtmpcrypt_protocol_deps_any="gmp openssl"
> +ffrtmpcrypt_protocol_deps_any="gmp openssl mbedtls"

order

> @@ -2547,7 +2549,7 @@ sctp_protocol_deps="struct_sctp_event_subscribe"
>  tcp_protocol_select="network"
> -tls_protocol_deps_any="gnutls openssl"
> +tls_protocol_deps_any="gnutls openssl mbedtls"

same

> --- a/libavformat/rtmpdh.c
> +++ b/libavformat/rtmpdh.c
> @@ -38,6 +38,11 @@
> 
> +#if CONFIG_MBEDTLS
> +#include 
> +#include 
> +#endif

For the other external crypto libs these #includes are in rtmpdh.h.

> --- /dev/null
> +++ b/libavformat/tls_mbedtls.c
> @@ -0,0 +1,351 @@
> + * This file is part of FFmpeg.

Nah.

> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +
> +#include "avformat.h"
> +#include "internal.h"
> +#include "url.h"
> +#include "tls.h"
> +#include "libavutil/parseutils.h"

Move the libavutil #include into canonical order.

> +static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
> +{
> +URLContext *h = (URLContext*) ctx;

pointless void* cast

> +static void handle_handshake_error(URLContext *h, int ret)
> +{
> +switch (ret) {
> +case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
> +av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. 
> Was the local certificate correctly set?\n");

set correctly

> +break;
> +case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
> +av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the 
> peer, has the peer a correct certificate?\n");

does the peer have a correct certificate

> +break;
> +case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED:
> +av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to 
> operate. Was the CA correctly set?\n");

set correctly

> +// set I/O functions to use FFmpeg internal code for transport layer

libavformat-internal

> +static int handle_tls_error(URLContext *h, const char* func_name, int ret)

*func_name

> +static const AVOption options[] = {
> +TLS_COMMON_OPTIONS(TLSContext, tls_shared), \
> +{"key_password", "Password for the private key file", 
> OFFSET(priv_key_pw),  AV_OPT_TYPE_STRING, .flags = TLS_OPTFL }, \

space after {

> +const URLProtocol ff_tls_protocol = {
> +.name   = "tls",
> +.url_open2  = tls_open,
> +.url_read   = tls_read,
> +.url_write  = tls_write,
> +.url_close  = tls_close,
> +.url_get_file_handle = tls_get_file_handle,
> +.priv_data_size = sizeof(TLSContext),
> +.flags  = URL_PROTOCOL_FLAG_NETWORK,
> +.priv_data_class = _class,
> +};

nit: align

Diego

[libav-devel] [PATCH] libavformat: Add mbedTLS based TLS support

2018-04-24 Thread Luca Barbato
From: Thomas Volkert 

Signed-off-by: Luca Barbato 
---

The ex-PolarSSL library is Apache-2 licensed now, making it more interesting
licensing-wise.

 Changelog |   1 +
 configure |  13 +-
 libavformat/Makefile  |   1 +
 libavformat/rtmpdh.c  |  55 
 libavformat/rtmpdh.h  |   5 +
 libavformat/tls_mbedtls.c | 351 ++
 libavformat/version.h |   2 +-
 7 files changed, 425 insertions(+), 3 deletions(-)
 create mode 100644 libavformat/tls_mbedtls.c

diff --git a/Changelog b/Changelog
index 35b6c066a7..89d52bb582 100644
--- a/Changelog
+++ b/Changelog
@@ -24,6 +24,7 @@ version :
 - Haivision SRT protocol via libsrt
 - Dropped support for building for Windows XP. The minimum supported Windows
   version is Windows Vista.
+- support mbedTLS based TLS


 version 12:
diff --git a/configure b/configure
index 465fdcfb6d..d09c58becb 100755
--- a/configure
+++ b/configure
@@ -229,6 +229,7 @@ External library support:
   --enable-libxcb-shmX11 shm communication [auto]
   --enable-libxcb-xfixes X11 mouse rendering [auto]
   --enable-libxvid   MPEG-4 ASP video encoding
+  --enable-mbedtls   crypto
   --enable-openssl   crypto
   --enable-zlib  compression [autodetect]

@@ -1344,6 +1345,7 @@ EXTERNAL_LIBRARY_VERSION3_LIST="
 libopencore_amrwb
 libvo_aacenc
 libvo_amrwbenc
+mbedtls
 "

 EXTERNAL_LIBRARY_LIST="
@@ -2507,7 +2509,7 @@ xcbgrab_indev_suggest="libxcb_shm libxcb_xfixes"

 # protocols
 ffrtmpcrypt_protocol_conflict="librtmp_protocol"
-ffrtmpcrypt_protocol_deps_any="gmp openssl"
+ffrtmpcrypt_protocol_deps_any="gmp openssl mbedtls"
 ffrtmpcrypt_protocol_select="tcp_protocol"
 ffrtmphttp_protocol_conflict="librtmp_protocol"
 ffrtmphttp_protocol_select="http_protocol"
@@ -2547,7 +2549,7 @@ sctp_protocol_deps="struct_sctp_event_subscribe"
 sctp_protocol_select="network"
 srtp_protocol_select="rtp_protocol srtp"
 tcp_protocol_select="network"
-tls_protocol_deps_any="gnutls openssl"
+tls_protocol_deps_any="gnutls openssl mbedtls"
 tls_protocol_select="tcp_protocol"
 udp_protocol_select="network"
 unix_protocol_deps="sys_un_h"
@@ -2958,6 +2960,12 @@ fi
 enabled_all gnutls openssl &&
 die "GnuTLS and OpenSSL must not be enabled at the same time."

+enabled_all gnutls mbedtls &&
+die "GnuTLS and mbedTLS must not be enabled at the same time."
+
+enabled_all openssl mbedtls &&
+die "OpenSSL and mbedTLS must not be enabled at the same time."
+
 # Disable all the library-specific components if the library itself
 # is disabled, see AVCODEC_LIST and following _LIST variables.

@@ -4709,6 +4717,7 @@ enabled libx265   && require_pkg_config libx265 
x265 x265.h x265_api_get
  require_cpp_condition x265.h "X265_BUILD >= 57"
 enabled libxavs   && require libxavs "stdint.h xavs.h" 
xavs_encoder_encode -lxavs
 enabled libxvid   && require libxvid xvid.h xvid_global -lxvidcore
+enabled mbedtls   && require mbedtls mbedtls/ssl.h mbedtls_ssl_init 
-lmbedtls -lmbedcrypto -lmbedx509
 enabled mmal  && { check_lib mmal interface/mmal/mmal.h 
mmal_port_connect -lmmal_core -lmmal_util -lmmal_vc_client -lbcm_host ||
{ ! enabled cross_compile &&
  add_cflags -isystem/opt/vc/include/ 
-isystem/opt/vc/include/interface/vmcs_host/linux 
-isystem/opt/vc/include/interface/vcos/pthreads -fgnu89-inline &&
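Review bot: The library order `-lmbedtls -lmbedcrypto -lmbedx509` on the added `require mbedtls` line is likely to break a static link, because libmbedtls depends on libmbedx509, which in turn depends on libmbedcrypto, and a single-pass linker resolves archives left to right. Listing the dependencies after their users, `enabled mbedtls && require mbedtls mbedtls/ssl.h mbedtls_ssl_init -lmbedtls -lmbedx509 -lmbedcrypto`, works for both shared and static builds. The check also only probes for mbedtls_ssl_init, so an mbedTLS release lacking other APIs that tls_mbedtls.c uses would be caught at compile time rather than by configure; if there is a known minimum version, a `require_cpp_condition` on MBEDTLS_VERSION_NUMBER, as the x265 check above does for X265_BUILD, would make it explicit.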
diff --git a/libavformat/Makefile b/libavformat/Makefile
index 96085d20c6..3992000f8a 100644
--- a/libavformat/Makefile
+++ b/libavformat/Makefile
@@ -409,6 +409,7 @@ OBJS-$(CONFIG_SCTP_PROTOCOL) += sctp.o
 OBJS-$(CONFIG_SRTP_PROTOCOL) += srtpproto.o srtp.o
 OBJS-$(CONFIG_TCP_PROTOCOL)  += tcp.o
 TLS-OBJS-$(CONFIG_GNUTLS)+= tls_gnutls.o
+TLS-OBJS-$(CONFIG_MBEDTLS)   += tls_mbedtls.o
 TLS-OBJS-$(CONFIG_OPENSSL)   += tls_openssl.o
 OBJS-$(CONFIG_TLS_PROTOCOL)  += tls.o $(TLS-OBJS-yes)
 OBJS-$(CONFIG_UDP_PROTOCOL)  += udp.o
diff --git a/libavformat/rtmpdh.c b/libavformat/rtmpdh.c
index 0593eac943..dd399a72e3 100644
--- a/libavformat/rtmpdh.c
+++ b/libavformat/rtmpdh.c
@@ -38,6 +38,11 @@

 #include "rtmpdh.h"

+#if CONFIG_MBEDTLS
+#include 
+#include 
+#endif
+
 #define P1024  \
 "C90FDAA22168C234C4C6628B80DC1CD1" \
 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
@@ -132,6 +137,56 @@ static int bn_modexp(FFBigNum bn, FFBigNum y, FFBigNum q, 
FFBigNum p)
 BN_CTX_free(ctx);
 return 0;
 }
+#elif CONFIG_MBEDTLS
+#define bn_new(bn)  \
+do {\
+bn = av_malloc(sizeof(*bn));\
+if (bn) \
+mbedtls_mpi_init(bn);   \
+} while (0)