diff options
| author | Marvin Scholz <epirat07@gmail.com> | 2025-06-25 21:07:12 +0200 |
|---|---|---|
| committer | Marvin Scholz <epirat07@gmail.com> | 2025-07-07 01:52:46 +0200 |
| commit | f0913b3f16c31f96f626fd43b85ac8762376b06f (patch) | |
| tree | 6920a6301b58190602b3b0523d3c8c8338818518 | |
| parent | f256487cd8f29f24036efa5d91a84a26b048861a (diff) | |
| download | ffmpeg-f0913b3f16c31f96f626fd43b85ac8762376b06f.tar.gz | |
avformat: tls: drop support for OpenSSL < 1.1.0
| -rw-r--r-- | libavformat/network.c | 8 | ||||
| -rw-r--r-- | libavformat/tls_openssl.c | 166 |
2 files changed, 2 insertions, 172 deletions
diff --git a/libavformat/network.c b/libavformat/network.c index 2eabd0c167..a7026ac09b 100644 --- a/libavformat/network.c +++ b/libavformat/network.c @@ -36,11 +36,6 @@ int ff_tls_init(void) { #if CONFIG_TLS_PROTOCOL -#if CONFIG_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L - int ret; - if ((ret = ff_openssl_init()) < 0) - return ret; -#endif #if CONFIG_GNUTLS ff_gnutls_init(); #endif @@ -51,9 +46,6 @@ int ff_tls_init(void) void ff_tls_deinit(void) { #if CONFIG_TLS_PROTOCOL -#if CONFIG_OPENSSL && OPENSSL_VERSION_NUMBER < 0x10100000L - ff_openssl_deinit(); -#endif #if CONFIG_GNUTLS ff_gnutls_deinit(); #endif diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 08527418b0..9ea1a9f515 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -262,11 +262,6 @@ static int openssl_gen_private_key(EVP_PKEY **pkey, EC_KEY **eckey) goto einval_end; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L // v1.1.x - /* For openssl 1.0, we must set the group parameters, so that cert is ok. */ - EC_GROUP_set_asn1_flag(ecgroup, OPENSSL_EC_NAMED_CURVE); -#endif - if (EC_KEY_set_group(*eckey, ecgroup) != 1) { av_log(NULL, AV_LOG_ERROR, "TLS: Generate private key, EC_KEY_set_group failed, %s\n", ERR_error_string(ERR_get_error(), NULL)); goto einval_end; @@ -415,11 +410,7 @@ error: */ static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv) { -#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL 1.0.2 */ - BIO *mem = BIO_new_mem_buf((void *)pem_str, -1); -#else BIO *mem = BIO_new_mem_buf(pem_str, -1); -#endif if (!mem) { av_log(NULL, AV_LOG_ERROR, "BIO_new_mem_buf failed\n"); return NULL; @@ -449,11 +440,7 @@ static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv) */ static X509 *cert_from_pem_string(const char *pem_str) { -#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL 1.0.2 */ - BIO *mem = BIO_new_mem_buf((void *)pem_str, -1); -#else BIO *mem = BIO_new_mem_buf(pem_str, -1); -#endif if (!mem) { av_log(NULL, AV_LOG_ERROR, "BIO_new_mem_buf failed\n"); return NULL; @@ -476,9 +463,7 @@ typedef struct TLSContext { SSL_CTX *ctx; SSL *ssl; EVP_PKEY *pkey; -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL BIO_METHOD* url_bio_method; -#endif int io_err; char error_message[256]; } TLSContext; @@ -530,87 +515,6 @@ int ff_dtls_state(URLContext *h) return c->tls_shared.state; } -/* OpenSSL 1.0.2 or below, then you would use SSL_library_init. If you are - * using OpenSSL 1.1.0 or above, then the library will initialize - * itself automatically. - * https://wiki.openssl.org/index.php/Library_Initialization - */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L -#include "libavutil/thread.h" - -static AVMutex openssl_mutex = AV_MUTEX_INITIALIZER; - -static int openssl_init; - -#if HAVE_THREADS -#include <openssl/crypto.h> -#include "libavutil/mem.h" - -pthread_mutex_t *openssl_mutexes; -static void openssl_lock(int mode, int type, const char *file, int line) -{ - if (mode & CRYPTO_LOCK) - pthread_mutex_lock(&openssl_mutexes[type]); - else - pthread_mutex_unlock(&openssl_mutexes[type]); -} -#if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000 -static unsigned long openssl_thread_id(void) -{ - return (intptr_t) pthread_self(); -} -#endif -#endif - -int ff_openssl_init(void) -{ - ff_mutex_lock(&openssl_mutex); - if (!openssl_init) { - SSL_library_init(); - SSL_load_error_strings(); -#if HAVE_THREADS - if (!CRYPTO_get_locking_callback()) { - int i; - openssl_mutexes = av_malloc_array(sizeof(pthread_mutex_t), CRYPTO_num_locks()); - if (!openssl_mutexes) { - ff_mutex_unlock(&openssl_mutex); - return AVERROR(ENOMEM); - } - - for (i = 0; i < CRYPTO_num_locks(); i++) - pthread_mutex_init(&openssl_mutexes[i], NULL); - CRYPTO_set_locking_callback(openssl_lock); -#if !defined(WIN32) && OPENSSL_VERSION_NUMBER < 0x10000000 - CRYPTO_set_id_callback(openssl_thread_id); -#endif - } -#endif - } - openssl_init++; - ff_mutex_unlock(&openssl_mutex); - - return 0; -} - -void ff_openssl_deinit(void) -{ - ff_mutex_lock(&openssl_mutex); - openssl_init--; - if (!openssl_init) { -#if HAVE_THREADS - if (CRYPTO_get_locking_callback() == openssl_lock) { - int i; - CRYPTO_set_locking_callback(NULL); - for (i = 0; i < CRYPTO_num_locks(); i++) - pthread_mutex_destroy(&openssl_mutexes[i]); - av_free(openssl_mutexes); - } -#endif - } - ff_mutex_unlock(&openssl_mutex); -} -#endif - static int print_ssl_error(URLContext *h, int ret) { TLSContext *c = h->priv_data; @@ -645,27 +549,16 @@ static int tls_close(URLContext *h) if (c->ctx) SSL_CTX_free(c->ctx); ffurl_closep(&c->tls_shared.tcp); -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL if (c->url_bio_method) BIO_meth_free(c->url_bio_method); -#endif -#if OPENSSL_VERSION_NUMBER < 0x10100000L - ff_openssl_deinit(); -#endif return 0; } static int url_bio_create(BIO *b) { -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL BIO_set_init(b, 1); BIO_set_data(b, NULL); BIO_set_flags(b, 0); -#else - b->init = 1; - b->ptr = NULL; - b->flags = 0; -#endif return 1; } @@ -674,11 +567,7 @@ static int url_bio_destroy(BIO *b) return 1; } -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL #define GET_BIO_DATA(x) BIO_get_data(x) -#else -#define GET_BIO_DATA(x) (x)->ptr -#endif static int url_bio_bread(BIO *b, char *buf, int len) { @@ -726,25 +615,10 @@ static int url_bio_bputs(BIO *b, const char *str) return url_bio_bwrite(b, str, strlen(str)); } -#if OPENSSL_VERSION_NUMBER < 0x1010000fL -static BIO_METHOD url_bio_method = { - .type = BIO_TYPE_SOURCE_SINK, - .name = "urlprotocol bio", - .bwrite = url_bio_bwrite, - .bread = url_bio_bread, - .bputs = url_bio_bputs, - .bgets = NULL, - .ctrl = url_bio_ctrl, - .create = url_bio_create, - .destroy = url_bio_destroy, -}; -#endif - static av_cold void init_bio_method(URLContext *h) { TLSContext *p = h->priv_data; BIO *bio; -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio"); BIO_meth_set_write(p->url_bio_method, url_bio_bwrite); BIO_meth_set_read(p->url_bio_method, url_bio_bread); @@ -754,10 +628,7 @@ static av_cold void init_bio_method(URLContext *h) BIO_meth_set_destroy(p->url_bio_method, url_bio_destroy); bio = BIO_new(p->url_bio_method); BIO_set_data(bio, p); -#else - bio = BIO_new(&url_bio_method); - bio->ptr = p; -#endif + SSL_set_bio(p->ssl, bio, bio); } @@ -885,32 +756,21 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** int ret = 0; c->is_dtls = 1; const char* ciphers = "ALL"; -#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2 - EC_KEY *ec_key = NULL; -#endif + /** * The profile for OpenSSL's SRTP is SRTP_AES128_CM_SHA1_80, see ssl/d1_srtp.c. * The profile for FFmpeg's SRTP is SRTP_AES128_CM_HMAC_SHA1_80, see libavformat/srtp.c. */ const char* profiles = "SRTP_AES128_CM_SHA1_80"; /* Refer to the test cases regarding these curves in the WebRTC code. */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* OpenSSL 1.1.0 */ const char* curves = "X25519:P-256:P-384:P-521"; -#elif OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 */ - const char* curves = "P-256:P-384:P-521"; -#endif -#if OPENSSL_VERSION_NUMBER < 0x10002000L /* OpenSSL v1.0.2 */ - p->ctx = SSL_CTX_new(DTLSv1_method()); -#else p->ctx = SSL_CTX_new(DTLS_method()); -#endif if (!p->ctx) { ret = AVERROR(ENOMEM); goto fail; } -#if OPENSSL_VERSION_NUMBER >= 0x10002000L /* OpenSSL 1.0.2 */ /* For ECDSA, we could set the curves list. */ if (SSL_CTX_set1_curves_list(p->ctx, curves) != 1) { av_log(p, AV_LOG_ERROR, "TLS: Init SSL_CTX_set1_curves_list failed, curves=%s, %s\n", @@ -918,7 +778,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** ret = AVERROR(EINVAL); return ret; } -#endif /** * We activate "ALL" cipher suites to align with the peer's capabilities, @@ -933,17 +792,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** ret = openssl_init_ca_key_cert(h); if (ret < 0) goto fail; -#if OPENSSL_VERSION_NUMBER < 0x10100000L // v1.1.x -#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2 - if (p->pkey) - ec_key = EVP_PKEY_get1_EC_KEY(p->pkey); - if (ec_key) - SSL_CTX_set_tmp_ecdh(p->ctx, ec_key); -#else - SSL_CTX_set_ecdh_auto(p->ctx, 1); -#endif -#endif - /* Server will send Certificate Request. */ SSL_CTX_set_verify(p->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, openssl_dtls_verify_callback); /* The depth count is "level 0:peer certificate", "level 1: CA certificate", @@ -975,9 +823,7 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** */ SSL_set_options(p->ssl, SSL_OP_NO_QUERY_MTU); SSL_set_mtu(p->ssl, p->tls_shared.mtu); -#if OPENSSL_VERSION_NUMBER >= 0x100010b0L /* OpenSSL 1.0.1k */ DTLS_set_link_mtu(p->ssl, p->tls_shared.mtu); -#endif init_bio_method(h); if (p->tls_shared.use_external_udp != 1) { @@ -1014,9 +860,6 @@ static int dtls_start(URLContext *h, const char *url, int flags, AVDictionary ** ret = 0; fail: -#if OPENSSL_VERSION_NUMBER < 0x10002000L // v1.0.2 - EC_KEY_free(ec_key); -#endif return ret; } @@ -1040,11 +883,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op TLSShared *c = &p->tls_shared; int ret; -#if OPENSSL_VERSION_NUMBER < 0x10100000L - if ((ret = ff_openssl_init()) < 0) - return ret; -#endif - if ((ret = ff_tls_open_underlying(c, h, uri, options)) < 0) goto fail; |