| Commit message | Author | Age | Files | Lines |
This patch aims to simplify the dtls handshake process,
since the dtls handshake uses force block mode.
We can just use the return code instead of the DTLSState enum.
Signed-off-by: Jack Lau <[email protected]>
|
Signed-off-by: Kacper Michajłow <[email protected]>
|
It was unnecessarily convoluted, remove not needed memory allocations,
snprintf.
Also fixes the possibility of calling snprintf with NULL as %s input.
Signed-off-by: Kacper Michajłow <[email protected]>
|
Too much AI is bad for you...
Fixes: 167e343bbe75515a80db8ee72ffa0c607c944a00
Signed-off-by: Kacper Michajłow <[email protected]>
|
See RFC5280 4.1.2.2
Signed-off-by: Jack Lau <[email protected]>
|
The SRTP profile string "SRTP_AES128_CM_SHA1_80" is only used when
use_srtp is enabled. Move its declaration inside the "if (s->use_srtp)"
block to limit scope
Signed-off-by: Jack Lau <[email protected]>
|
Signed-off-by: Jack Lau <[email protected]>
|
Signed-off-by: Jack Lau <[email protected]>
|
Pure cleanup, no functional changes
Unify local pointer names to `TLSContext *c` and `TLSShared *s` to
reduce confusion from inconsistent names (e.g. p, ctx, s, c)
Signed-off-by: Jack Lau <[email protected]>
|
BIO_get_new_index() is a static counter meant to get an index for a custom bio
type definition. As we can read in the documentation:
> Note that BIO_get_new_index() can only be used 127 times before it
> returns an error.
We cannot call it repeatedly, because it will fail eventually.
To my understanding the index is not needed in our use and we could
safely use BIO_TYPE_NONE. Documentation states:
> type can be set to either BIO_TYPE_NONE or via BIO_get_new_index() if
> a unique type is required for searching (See BIO_find_type(3))
We don't use any search related functions.
This reverts commit 816dad231f5b312fd98e81cc6a6cbaf47c1e26a5.
Fixes: https://github.com/mpv-player/mpv/issues/16589
Signed-off-by: Kacper Michajłow <[email protected]>
|
When no explicit CAs file is set, load the default locations,
else there is no way for verification to succeed.
This matches the behavior of other TLS backends.
|
When verification is enabled (using -tls_verify 1) now
the hostname will be verified properly too, while before
only other aspects of the certificate were checked.
Co-Authored-By: Marvin Scholz <[email protected]>
|
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Timo Rothenpieler <[email protected]>
|
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Timo Rothenpieler <[email protected]>
|
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Timo Rothenpieler <[email protected]>
|
handshake
The internal BIO functions do not in fact look at this flag, only the outer
tls_read and tls_write functions do.
|
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Timo Rothenpieler <[email protected]>
|
none is provided in listen mode
|
OpenSSL docs say:
These functions have no impact when used with DTLS.
|
There is no sensible way to handle this otherwise anyway, one just has
to loop over this function until it succeeds.
|
Taken from the first received packet, which will signify the now
permanent peer of this DTLS "connection".
|
Using SSL_CTX_set_options to disallow specific versions is
discouraged by the documentation, which recommends to use
SSL_CTX_set_min_proto_version instead.
|
SSLv23_*_method was just a define for these anyway since OpenSSL 1.1.0
and the old functions are deprecated.
|
Calling av_free with NULL is a no-op so this check is not needed.
|
As noted in the OpenSSL documentation, BIO_get_new_index must be
used to get a new BIO index. This is ORd with the proper type flag
BIO_TYPE_SOURCE_SINK.
|
This was used previously when multiple OpenSSL versions were supported
that required this to be handled differently.
|
api doc: https://docs.openssl.org/1.0.2/man3/BIO_s_mem
In higher versions (openssl 1.0.2 and higher),
the function signature is BIO *BIO_new_mem_buf(const void *buf, int len),
so passing a const string doesn't cause any warnings.
However, in lower versions of OpenSSL,
the function signature becomes BIO *BIO_new_mem_buf(void *buf, int len),
which leads to warnings.
OpenSSL guarantees that it will not modify the string,
so it's safe to cast the pem_str to (void *) to avoid this warning.
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Zhao Zhili <[email protected]>
|
add the missing data structure pkey in the tls_context
properly set this pkey and free it
Signed-off-by: Jack Lau <[email protected]>
Reviewed-by: Martin Storsjö <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
|
0. WHIP Version 3.
1. The WHIP muxer has been renamed and refined,
with improved logging context and error messages for SSL, DTLS, and RTC.
2. Magic numbers have been replaced with macros and extracted to functions,
and log levels have been altered for better clarity.
3. DTLS curve list has been updated,
and SRTP profile names have been refined for FFmpeg and OpenSSL.
4. ICE STUN magic number has been refined,
and RTP payload types have been updated based on Chrome's definition.
5. Fixed frame size has been refined to rtc->audio_par->frame_size,
and h264_mp4toannexb is now used to convert MP4/ISOM to annexb.
6. OPUS timestamp issue has been addressed,
and marker setting has been corrected after utilizing BSF.
7. DTLS handshake and ICE handling have been optimized for improved performance,
with a single handshake timeout and server role to prevent ARQ.
8. Consolidated ICE request/response handling and DTLS handshake into a single function,
and fixed OpenSSL build errors to work with Pion.
9. Merge TLS & DTLS implementation, shared BIO callbacks, read, write,
print_ssl_error, openssl_init_ca_key_cert,
init_bio_method function and shared same data structure
10. Modify configure so that whip is enabled only when dtls is
enabled (just supports openssl for now) to fix a build error
Co-authored-by: winlin <[email protected]>
Co-authored-by: yangrtc <[email protected]>
Co-authored-by: cloudwebrtc <[email protected]>
Co-authored-by: Haibo Chen <[email protected]>
Co-authored-by: Steven Liu <[email protected]>
Co-authored-by: Jun Zhao <[email protected]>
Signed-off-by: Jack Lau <[email protected]>
Signed-off-by: Steven Liu <[email protected]>
|
These functions do nothing useful when used with a non-ancient
version of openssl (namely 1.1.0 or above).
Signed-off-by: Andreas Rheinhardt <[email protected]>
|
Its existence is a remnant of (libavcodec's) lock-manager API
which has been removed in a04c2c707de2ce850f79870e84ac9d7ec7aa9143.
There is no need to use the same lock for avisynth, chromaprint
or tls, so switch to ordinary static mutexes instead.
Signed-off-by: Andreas Rheinhardt <[email protected]>