[FFmpeg-devel] [PATCH v2] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version
From 2db025b18be995afea46dea6c15a3caf1d985a82 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Wed, 4 Sep 2024 17:56:05 +0200
Subject: [PATCH v2] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround
to affected version
Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression.
ref: c28e5b597ecc34188427347ad8d773bf9a0176cd
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 567b95b129..e802c6b872 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -270,8 +270,8 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
}
#ifdef MBEDTLS_SSL_PROTO_TLS1_3
-// mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
-if (!shr->verify) {
+// this version does not allow disabling certificate verification with TLSv1.3 (yes, really).
+if (mbedtls_version_get_number() == 0x0306 && !shr->verify) {
av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
}
--
2.46.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version
Am 09.09.24 um 12:21 schrieb Anton Khirnov: Quoting sfan5 (2024-09-04 18:55:37) From 57b37df52c7d528a1ce926cd7a7d75f62f6b46c6 Mon Sep 17 00:00:00 2001 From: sfan5 Date: Wed, 4 Sep 2024 17:56:05 +0200 Subject: [PATCH] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression. ref: c28e5b597ecc34188427347ad8d773bf9a0176cd Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 567b95b129..6dd807d5b6 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -269,8 +269,8 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } -#ifdef MBEDTLS_SSL_PROTO_TLS1_3 -// mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really). +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && MBEDTLS_VERSION_NUMBER == 0x0306 Should this not be a runtime check, or is 3.6.1 ABI-incompatible with 3.6.0? Good point. Should be, so I'll move it to runtime. ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version
From 57b37df52c7d528a1ce926cd7a7d75f62f6b46c6 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Wed, 4 Sep 2024 17:56:05 +0200
Subject: [PATCH] lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to
affected version
Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression.
ref: c28e5b597ecc34188427347ad8d773bf9a0176cd
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 567b95b129..6dd807d5b6 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -269,8 +269,8 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
goto fail;
}
-#ifdef MBEDTLS_SSL_PROTO_TLS1_3
-// mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && MBEDTLS_VERSION_NUMBER == 0x0306
+// this version does not allow disabling certificate verification with TLSv1.3 (yes, really).
if (!shr->verify) {
av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
--
2.46.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v2] avcodec/mediacodecdec: call MediaCodec.stop on close
revised commit message as suggested
From 9aa111c400cc3245edf870c431a5e271432ef5f2 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Wed, 7 Aug 2024 17:48:06 +0200
Subject: [PATCH v2] avcodec/mediacodecdec: call MediaCodec.stop on close
Usually the MediaCodec context will be released immediately, or it needs to stay
alive due to existing hardware buffers.
However we can free resources early in the case of
hw_buffer_count == 0 && refcount > 1, which can be reproduced by keeping frames
referenced after flushing and closing. mpv currently behaves like this.
Signed-off-by: sfan5
---
libavcodec/mediacodecdec_common.c | 12
1 file changed, 12 insertions(+)
diff --git a/libavcodec/mediacodecdec_common.c b/libavcodec/mediacodecdec_common.c
index d6f91e6e89..c888dea8cf 100644
--- a/libavcodec/mediacodecdec_common.c
+++ b/libavcodec/mediacodecdec_common.c
@@ -841,6 +841,18 @@ int ff_mediacodec_dec_flush(AVCodecContext *avctx, MediaCodecDecContext *s)
int ff_mediacodec_dec_close(AVCodecContext *avctx, MediaCodecDecContext *s)
{
+if (!s)
+return 0;
+
+if (s->codec) {
+if (atomic_load(&s->hw_buffer_count) == 0) {
+ff_AMediaCodec_stop(s->codec);
+av_log(avctx, AV_LOG_DEBUG, "MediaCodec %p stopped\n", s->codec);
+} else {
+av_log(avctx, AV_LOG_DEBUG, "Not stopping MediaCodec (there are buffers pending)\n");
+}
+}
+
ff_mediacodec_dec_unref(s);
return 0;
--
2.46.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH] avcodec/mediacodecdec: call MediaCodec.stop on close
Am 08.08.24 um 17:29 schrieb Zhao Zhili:
On Aug 8, 2024, at 00:27, sfan5 wrote:
Hi all,
attached is a small fix for the MediaCodec code. Tested on Android 14.
This can free up vital resources in case of using multiple
decoding instances and there are buffer references left over
and not immediately cleaned up.
Signed-off-by: sfan5
---
libavcodec/mediacodecdec_common.c | 12
1 file changed, 12 insertions(+)
diff --git a/libavcodec/mediacodecdec_common.c
b/libavcodec/mediacodecdec_common.c
index d6f91e6e89..c888dea8cf 100644
--- a/libavcodec/mediacodecdec_common.c
+++ b/libavcodec/mediacodecdec_common.c
@@ -841,6 +841,18 @@ int ff_mediacodec_dec_flush(AVCodecContext *avctx,
MediaCodecDecContext *s)
int ff_mediacodec_dec_close(AVCodecContext *avctx, MediaCodecDecContext *s)
{
+if (!s)
+return 0;
+
+if (s->codec) {
+if (atomic_load(&s->hw_buffer_count) == 0) {
+ff_AMediaCodec_stop(s->codec);
+av_log(avctx, AV_LOG_DEBUG, "MediaCodec %p stopped\n", s->codec);
+} else {
+av_log(avctx, AV_LOG_DEBUG, "Not stopping MediaCodec (there are buffers
pending)\n");
+}
+}
+
Could you elaborate on how this resolved the issue?
If hw_buffer_count is zero, isn’t MediaCodecDecContext will be released
immediately?
If hw_buffer_count isn’t zero, the patch make no real change, so how does this
patch work?
Sure.
here's the original report:
https://github.com/mpv-android/mpv-android/issues/966
summary:
mpv's hwdec code uses a single surface to facilitate zero-copy video
playback. Keeping an active MediaCodec instance connected to the surface
blocks the same surface from being used with a different MediaCodec
instance.
However mpv also keeps a reference to the last rendered frame alive even
when switching between files. It also flushes the codec when it's done
with a file. This leads to a situation where hw_buffer_count == 0 &&
refcount > 1.
If you were to say that this should be fixed in mpv I would agree and I
have indeed proposed a PR for this. But I noticed we're never calling
stop() in mediacodecdec and it's a very simple remedy.
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH] avcodec/mediacodecdec: call MediaCodec.stop on close
Hi all,
attached is a small fix for the MediaCodec code. Tested on Android 14.
From 3f5d05920dc6826b4c0ea0ed7969e9259e08084e Mon Sep 17 00:00:00 2001
From: sfan5
Date: Wed, 7 Aug 2024 17:48:06 +0200
Subject: [PATCH] avcodec/mediacodecdec: call MediaCodec.stop on close
This can free up vital resources in case of using multiple
decoding instances and there are buffer references left over
and not immediately cleaned up.
Signed-off-by: sfan5
---
libavcodec/mediacodecdec_common.c | 12
1 file changed, 12 insertions(+)
diff --git a/libavcodec/mediacodecdec_common.c b/libavcodec/mediacodecdec_common.c
index d6f91e6e89..c888dea8cf 100644
--- a/libavcodec/mediacodecdec_common.c
+++ b/libavcodec/mediacodecdec_common.c
@@ -841,6 +841,18 @@ int ff_mediacodec_dec_flush(AVCodecContext *avctx, MediaCodecDecContext *s)
int ff_mediacodec_dec_close(AVCodecContext *avctx, MediaCodecDecContext *s)
{
+if (!s)
+return 0;
+
+if (s->codec) {
+if (atomic_load(&s->hw_buffer_count) == 0) {
+ff_AMediaCodec_stop(s->codec);
+av_log(avctx, AV_LOG_DEBUG, "MediaCodec %p stopped\n", s->codec);
+} else {
+av_log(avctx, AV_LOG_DEBUG, "Not stopping MediaCodec (there are buffers pending)\n");
+}
+}
+
ff_mediacodec_dec_unref(s);
return 0;
--
2.46.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0
Am 11.06.24 um 17:02 schrieb Anton Khirnov: Quoting Sfan5 (2024-05-17 10:34:50) As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification is now mandatory. Our default configuration does not do verification, so downgrade to 1.2 in these situations to avoid breaking it. ref: https://github.com/Mbed-TLS/mbedtls/issues/7075 Signed-off-by: sfan5 --- Would it not be simpler to simply set authmode to MBEDTLS_SSL_VERIFY_OPTIONAL unconditionally, then just disregard the verification result? That's the thing and it's exactly as stupid as it sounds: When using TLSv1.3 it will ignore the MBEDTLS_SSL_VERIFY mode entirely. If the verification doesn't pass the handshake fails and you don't get an usable connection. I'm hoping the mbedTLS devs realize at some point how nonviable this is and fix it but as of right now this is the only way to not have ffmpeg "randomly" (depending on if the server speaks TLSv1.3) fail with mbedTLS 3.6.0. ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH v3 1/6] lavf/tls_mbedtls: handle more error codes for
Am 04.06.24 um 12:25 schrieb sfan5: ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe". Will commit this patch series in 3 days if there are no objections. ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v3 4/6] lavf/tls_mbedtls: fix handling of certification
From 2cfdd92e8b323a41b65e3d6be2fc9c7641bb26c0 Mon Sep 17 00:00:00 2001 From: sfan5 Date: Mon, 13 May 2024 20:27:17 +0200 Subject: [PATCH v3 4/6] lavf/tls_mbedtls: fix handling of certification validation failures We manually check the verification status after the handshake has completed using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED mbedtls_ssl_handshake() already returns an error, so this code is never reached. Fix that by using VERIFY_OPTIONAL, which performs the verification but does not abort the handshake. Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index ba94ab3a70..f65f2f4020 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -269,8 +269,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } +// not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, - shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); + shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context); mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL); -- 2.45.2 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v3 3/6] lavf/tls_mbedtls: hook up debug message callback
From 9e5993cf104cdc1b7c4eabe173f9ab3e8f0cfeca Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 13 May 2024 20:26:16 +0200
Subject: [PATCH v3 3/6] lavf/tls_mbedtls: hook up debug message callback
Unfortunately this won't work out-of-the-box because mbedTLS
only provides a global (not per-context) debug toggle.
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 17 +
1 file changed, 17 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 0d14e9f814..ba94ab3a70 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -26,6 +26,7 @@
#include
#include
#include
+#include
#ifdef MBEDTLS_PSA_CRYPTO_C
#include
#endif
@@ -36,6 +37,7 @@
#include "tls.h"
#include "libavutil/mem.h"
#include "libavutil/parseutils.h"
+#include "libavutil/avstring.h"
typedef struct TLSContext {
const AVClass *class;
@@ -112,6 +114,13 @@ static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ, ret);
}
+static void mbedtls_debug(void *ctx, int lvl, const char *file, int line, const char *msg)
+{
+URLContext *h = (URLContext*) ctx;
+int av_lvl = lvl >= 4 ? AV_LOG_TRACE : AV_LOG_DEBUG;
+av_log(h, av_lvl, "%s:%d: %s", av_basename(file), line, msg);
+}
+
static void handle_pk_parse_error(URLContext *h, int ret)
{
switch (ret) {
@@ -204,6 +213,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
mbedtls_x509_crt_init(&tls_ctx->ca_cert);
mbedtls_pk_init(&tls_ctx->priv_key);
+if (av_log_get_level() >= AV_LOG_DEBUG) {
+mbedtls_ssl_conf_dbg(&tls_ctx->ssl_config, mbedtls_debug, shr->tcp);
+/*
+ * Note: we can't call mbedtls_debug_set_threshold() here because
+ * it's global state. The user is thus expected to manage this.
+ */
+}
+
// load trusted CA
if (shr->ca_file) {
if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, shr->ca_file)) != 0) {
--
2.45.2
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v3 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.
From 9df718654e45eb02c1f2b3f29b4554a6a90900ef Mon Sep 17 00:00:00 2001
From: sfan5
Date: Fri, 17 May 2024 10:06:42 +0200
Subject: [PATCH v3 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.
verify=0
As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.
ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 8
1 file changed, 8 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 91e93fb862..567b95b129 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -269,6 +269,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
goto fail;
}
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+// mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
+if (!shr->verify) {
+av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
+mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
+}
+#endif
+
// not VERIFY_REQUIRED because we manually check after handshake
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
--
2.45.2
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v3 2/6] lavf/tls_mbedtls: add missing call to psa_crypto_init
From 8b2cab9a0ad225fc2b13850ff1bafb45d3d8ebaa Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 13 May 2024 20:24:43 +0200
Subject: [PATCH v3 2/6] lavf/tls_mbedtls: add missing call to psa_crypto_init
This is mandatory depending on configuration or at least with mbedTLS 3.6.0.
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 02f08fddbb..0d14e9f814 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -26,6 +26,9 @@
#include
#include
#include
+#ifdef MBEDTLS_PSA_CRYPTO_C
+#include
+#endif
#include "avformat.h"
#include "internal.h"
@@ -187,6 +190,13 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
if ((ret = ff_tls_open_underlying(shr, h, uri, options)) < 0)
goto fail;
+#ifdef MBEDTLS_PSA_CRYPTO_C
+if ((ret = psa_crypto_init()) != PSA_SUCCESS) {
+av_log(h, AV_LOG_ERROR, "psa_crypto_init returned %d\n", ret);
+goto fail;
+}
+#endif
+
mbedtls_ssl_init(&tls_ctx->ssl_context);
mbedtls_ssl_config_init(&tls_ctx->ssl_config);
mbedtls_entropy_init(&tls_ctx->entropy_context);
--
2.45.2
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v3 5/6] lavf/tls_mbedtls: handle session ticket error code as
From c8d7f937f5d8f1cf001aec510d4f6f28c5d9fc59 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 13 May 2024 20:29:10 +0200
Subject: [PATCH v3 5/6] lavf/tls_mbedtls: handle session ticket error code as
no-op
When TLSv1.3 and session tickets are enabled mbedtls_ssl_read()
will return an error code to inform about a received session ticket.
This can simply be handled like EAGAIN instead of errornously
aborting the connection.
ref: https://github.com/Mbed-TLS/mbedtls/issues/8749
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index f65f2f4020..91e93fb862 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -328,6 +328,9 @@ static int handle_tls_error(URLContext *h, const char* func_name, int ret)
switch (ret) {
case MBEDTLS_ERR_SSL_WANT_READ:
case MBEDTLS_ERR_SSL_WANT_WRITE:
+#ifdef MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET
+case MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET:
+#endif
return AVERROR(EAGAIN);
case MBEDTLS_ERR_NET_SEND_FAILED:
case MBEDTLS_ERR_NET_RECV_FAILED:
--
2.45.2
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v3 1/6] lavf/tls_mbedtls: handle more error codes for
From 7024782ebac9471194761fba9f60834ed7769efd Mon Sep 17 00:00:00 2001 From: sfan5 Date: Mon, 13 May 2024 20:22:44 +0200 Subject: [PATCH v3 1/6] lavf/tls_mbedtls: handle more error codes for human-readable messages Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 9 + 1 file changed, 9 insertions(+) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 1a182e735e..02f08fddbb 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -138,6 +138,9 @@ static void handle_handshake_error(URLContext *h, int ret) case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE: av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n"); break; +case MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION: +av_log(h, AV_LOG_ERROR, "TLS protocol version mismatch.\n"); +break; #endif case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); @@ -145,9 +148,15 @@ static void handle_handshake_error(URLContext *h, int ret) case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED: av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to operate. Was the CA correctly set?\n"); break; +case MBEDTLS_ERR_SSL_INTERNAL_ERROR: +av_log(h, AV_LOG_ERROR, "Internal error encountered.\n"); +break; case MBEDTLS_ERR_NET_CONN_RESET: av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n"); break; +case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: +av_log(h, AV_LOG_ERROR, "Certificate verification failed.\n"); +break; default: av_log(h, AV_LOG_ERROR, "mbedtls_ssl_handshake returned -0x%x\n", -ret); break; -- 2.45.2 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH v2 1/6] lavf/tls_mbedtls: handle more error codes for
Am 03.06.24 um 22:08 schrieb Jan Ekström:
On Wed, May 29, 2024 at 2:05 PM sfan5 wrote:
Did an initial tired look at the set, and in general it looks alright
and the wrapper still builds with Fedora's mbedtls 2.28.8.
(Of course then it fails to link due to unchecked usage of
`mbedtls_x509_crt_{init,free,parse_file}` in tls_mbedtls, as well as
`mbedtls_mpi_copy` in rtmpdh. But this breakage is unrelated to this
patch, as current master does exactly the same)
I'd just probably move the MBEDTLS_ERR_X509_CERT_VERIFY_FAILED logging
diff into the first commit that adds error codes (also probably
"messages" in the commit message there?), as adding that error's
logging really doesn't have anything to do with the verify=0 + TLS 1.3
workaround.
Jan
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
I will move that change to the first commit for v3 as discussed on IRC.
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v2 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.
From 98dd9aac129fbdf07f83da16b7307cb775ff8e66 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Fri, 17 May 2024 10:06:42 +0200
Subject: [PATCH v2 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs.
verify=0
As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.
ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 12
1 file changed, 12 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 9be817af5e..fbad23ab8c 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -163,6 +163,10 @@ static void handle_handshake_error(URLContext *h, int ret)
case MBEDTLS_ERR_SSL_INTERNAL_ERROR:
av_log(h, AV_LOG_ERROR, "Internal error encountered.\n");
break;
+case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
+// This error only happens with TLSv1.3, we normally use mbedtls_ssl_get_verify_result().
+av_log(h, AV_LOG_ERROR, "Certificate verification failed.\n");
+break;
case MBEDTLS_ERR_NET_CONN_RESET:
av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n");
break;
@@ -266,6 +270,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
goto fail;
}
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+// mbedTLS does not allow disabling certificate verification with TLSv1.3 (yes, really).
+if (!shr->verify) {
+av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate verification is disabled\n");
+mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config, MBEDTLS_SSL_VERSION_TLS1_2);
+}
+#endif
+
// not VERIFY_REQUIRED because we manually check after handshake
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
--
2.45.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v2 5/6] lavf/tls_mbedtls: handle session ticket error code as
From 87bf4c7de225036b5e4458c9de2de4b941f8f9b6 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 13 May 2024 20:29:10 +0200
Subject: [PATCH v2 5/6] lavf/tls_mbedtls: handle session ticket error code as
no-op
When TLSv1.3 and session tickets are enabled mbedtls_ssl_read()
will return an error code to inform about a received session ticket.
This can simply be handled like EAGAIN instead of errornously
aborting the connection.
ref: https://github.com/Mbed-TLS/mbedtls/issues/8749
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index ef447e12a5..9be817af5e 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -325,6 +325,9 @@ static int handle_tls_error(URLContext *h, const char* func_name, int ret)
switch (ret) {
case MBEDTLS_ERR_SSL_WANT_READ:
case MBEDTLS_ERR_SSL_WANT_WRITE:
+#ifdef MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET
+case MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET:
+#endif
return AVERROR(EAGAIN);
case MBEDTLS_ERR_NET_SEND_FAILED:
case MBEDTLS_ERR_NET_RECV_FAILED:
--
2.45.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v2 4/6] lavf/tls_mbedtls: fix handling of certification
From d561732d7c05d820baeb9c8bff5e8a4b133fe624 Mon Sep 17 00:00:00 2001 From: sfan5 Date: Mon, 13 May 2024 20:27:17 +0200 Subject: [PATCH v2 4/6] lavf/tls_mbedtls: fix handling of certification validation failures We manually check the verification status after the handshake has completed using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED mbedtls_ssl_handshake() already returns an error, so this code is never reached. Fix that by using VERIFY_OPTIONAL, which performs the verification but does not abort the handshake. Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index f53e918e04..ef447e12a5 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -266,8 +266,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } +// not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, - shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); + shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context); mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL); -- 2.45.1 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v2 3/6] lavf/tls_mbedtls: hook up debug message callback
From f51387a129e93af13751237ec2c6e25ad07c8dc4 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 13 May 2024 20:26:16 +0200
Subject: [PATCH v2 3/6] lavf/tls_mbedtls: hook up debug message callback
Unfortunately this won't work out-of-the-box because mbedTLS
only provides a global (not per-context) debug toggle.
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 17 +
1 file changed, 17 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 1a61fc57d6..f53e918e04 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -26,6 +26,7 @@
#include
#include
#include
+#include
#ifdef MBEDTLS_PSA_CRYPTO_C
#include
#endif
@@ -36,6 +37,7 @@
#include "tls.h"
#include "libavutil/mem.h"
#include "libavutil/parseutils.h"
+#include "libavutil/avstring.h"
typedef struct TLSContext {
const AVClass *class;
@@ -112,6 +114,13 @@ static int mbedtls_recv(void *ctx, unsigned char *buf, size_t len)
return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ, ret);
}
+static void mbedtls_debug(void *ctx, int lvl, const char *file, int line, const char *msg)
+{
+URLContext *h = (URLContext*) ctx;
+int av_lvl = lvl >= 4 ? AV_LOG_TRACE : AV_LOG_DEBUG;
+av_log(h, av_lvl, "%s:%d: %s", av_basename(file), line, msg);
+}
+
static void handle_pk_parse_error(URLContext *h, int ret)
{
switch (ret) {
@@ -201,6 +210,14 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
mbedtls_x509_crt_init(&tls_ctx->ca_cert);
mbedtls_pk_init(&tls_ctx->priv_key);
+if (av_log_get_level() >= AV_LOG_DEBUG) {
+mbedtls_ssl_conf_dbg(&tls_ctx->ssl_config, mbedtls_debug, shr->tcp);
+/*
+ * Note: we can't call mbedtls_debug_set_threshold() here because
+ * it's global state. The user is thus expected to manage this.
+ */
+}
+
// load trusted CA
if (shr->ca_file) {
if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, shr->ca_file)) != 0) {
--
2.45.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v2 2/6] lavf/tls_mbedtls: add missing call to psa_crypto_init
From 18142d98aed9e48a78a37590341bf48f1fe2339e Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 13 May 2024 20:24:43 +0200
Subject: [PATCH v2 2/6] lavf/tls_mbedtls: add missing call to psa_crypto_init
This is mandatory depending on configuration or at least with mbedTLS 3.6.0.
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 1226e3780b..1a61fc57d6 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -26,6 +26,9 @@
#include
#include
#include
+#ifdef MBEDTLS_PSA_CRYPTO_C
+#include
+#endif
#include "avformat.h"
#include "internal.h"
@@ -184,6 +187,13 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
if ((ret = ff_tls_open_underlying(shr, h, uri, options)) < 0)
goto fail;
+#ifdef MBEDTLS_PSA_CRYPTO_C
+if ((ret = psa_crypto_init()) != PSA_SUCCESS) {
+av_log(h, AV_LOG_ERROR, "psa_crypto_init returned %d\n", ret);
+goto fail;
+}
+#endif
+
mbedtls_ssl_init(&tls_ctx->ssl_context);
mbedtls_ssl_config_init(&tls_ctx->ssl_config);
mbedtls_entropy_init(&tls_ctx->entropy_context);
--
2.45.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v2 1/6] lavf/tls_mbedtls: handle more error codes for
From e8b5b6dee2d29690d1ae18090659120399b84e7c Mon Sep 17 00:00:00 2001 From: sfan5 Date: Mon, 13 May 2024 20:22:44 +0200 Subject: [PATCH v2 1/6] lavf/tls_mbedtls: handle more error codes for human-readable message Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 1a182e735e..1226e3780b 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -138,6 +138,9 @@ static void handle_handshake_error(URLContext *h, int ret) case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE: av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n"); break; +case MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION: +av_log(h, AV_LOG_ERROR, "TLS protocol version mismatch.\n"); +break; #endif case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); @@ -145,6 +148,9 @@ static void handle_handshake_error(URLContext *h, int ret) case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED: av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to operate. Was the CA correctly set?\n"); break; +case MBEDTLS_ERR_SSL_INTERNAL_ERROR: +av_log(h, AV_LOG_ERROR, "Internal error encountered.\n"); +break; case MBEDTLS_ERR_NET_CONN_RESET: av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n"); break; -- 2.45.1 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures
Am 18.05.24 um 21:53 schrieb Michael Niedermayer: On Fri, May 17, 2024 at 10:34:41AM +0200, Sfan5 wrote: We manually check the verification status after the handshake has completed using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED mbedtls_ssl_handshake() already returns an error, so this code is never reached. Fix that by using VERIFY_OPTIONAL, which performs the verification but does not abort the handshake. Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 9508fe3436..67d5c568b9 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } +// not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, - shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); + shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context); mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL); This patch looks corrupted by extra line breaks [...] Thanks for pointing that out. It looks like years later Microsoft is still incapable of leaving patches intact... Will send as attachments for v2. ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 1/6] lavf/tls_mbedtls: handle more error codes for human-readable message
Am 17.05.24 um 11:42 schrieb Andrew Sayers: On Fri, May 17, 2024 at 10:34:26AM +0200, Sfan5 wrote: Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 1a182e735e..fd6ba0b1f5 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -138,6 +138,9 @@ static void handle_handshake_error(URLContext *h, int ret) case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE: av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n"); break; +case MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION: +av_log(h, AV_LOG_ERROR, "TLS protocol version mismatches.\n"); "... mismatch" or "... does not match" would be more readable than "mismatches". The word "matches" can mean either "does match" or "plural of match". It's technically valid to use "mismatches" to mean "does not match", but in practice the word is only ever used to mean "plural of mismatch". Alright. Will change for v2. ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 3/6] lavf/tls_mbedtls: hook up debug message callback
Am 17.05.24 um 11:51 schrieb Rémi Denis-Courmont:
Le 17 mai 2024 11:34:35 GMT+03:00, Sfan5 a écrit :
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 24c3afd94c..9508fe3436 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -26,6 +26,7 @@
#include
#include
#include
+#include
#ifdef MBEDTLS_PSA_CRYPTO_C
#include
#endif
@@ -36,6 +37,7 @@
#include "tls.h"
#include "libavutil/mem.h"
#include "libavutil/parseutils.h"
+#include "libavutil/avstring.h"
typedef struct TLSContext {
const AVClass *class;
@@ -112,6 +114,13 @@ static int mbedtls_recv(void *ctx, unsigned char *buf,
size_t len)
return handle_transport_error(h, "ffurl_read", MBEDTLS_ERR_SSL_WANT_READ,
ret);
}
+static void mbedtls_debug(void *ctx, int lvl, const char *file, int line,
const char *msg)
+{
+URLContext *h = (URLContext*) ctx;
+int av_lvl = lvl >= 4 ? AV_LOG_TRACE : AV_LOG_DEBUG;
+av_log(h, av_lvl, "%s:%d: %s", av_basename(file), line, msg);
+}
+
static void handle_pk_parse_error(URLContext *h, int ret)
{
switch (ret) {
@@ -201,6 +210,11 @@ static int tls_open(URLContext *h, const char *uri, int
flags, AVDictionary **op
mbedtls_x509_crt_init(&tls_ctx->ca_cert);
mbedtls_pk_init(&tls_ctx->priv_key);
+if (av_log_get_level() >= AV_LOG_DEBUG) {
+mbedtls_ssl_conf_dbg(&tls_ctx->ssl_config, mbedtls_debug, shr->tcp);
+mbedtls_debug_set_threshold(4); // maximum
This doesn't look thread-safe / reentrant.
Indeed. But what alternative is there?
mbedTLS provides only this mechanism to get debug messages from it.
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 6/6] lavf/tls_mbedtls: add workaround for TLSv1.3 vs. verify=0
As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate
verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.
ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 12
1 file changed, 12 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 8268e74638..5d5c7bfb25 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -163,6 +163,10 @@ static void handle_handshake_error(URLContext *h,
int ret)
case MBEDTLS_ERR_SSL_INTERNAL_ERROR:
av_log(h, AV_LOG_ERROR, "Internal error encountered.\n");
break;
+case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
+// This error only happens with TLSv1.3, we normally use
mbedtls_ssl_get_verify_result().
+av_log(h, AV_LOG_ERROR, "Certificate verification failed.\n");
+break;
case MBEDTLS_ERR_NET_CONN_RESET:
av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n");
break;
@@ -263,6 +267,14 @@ static int tls_open(URLContext *h, const char *uri,
int flags, AVDictionary **op
goto fail;
}
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+// mbedTLS does not allow disabling certificate verification with
TLSv1.3 (yes, really).
+if (!shr->verify) {
+av_log(h, AV_LOG_INFO, "Forcing TLSv1.2 because certificate
verification is disabled\n");
+mbedtls_ssl_conf_max_tls_version(&tls_ctx->ssl_config,
MBEDTLS_SSL_VERSION_TLS1_2);
+}
+#endif
+
// not VERIFY_REQUIRED because we manually check after handshake
mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
shr->verify ?
MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
--
2.45.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 5/6] lavf/tls_mbedtls: handle session ticket error code as no-op
When TLSv1.3 and session tickets are enabled mbedtls_ssl_read()
will return an error code to inform about a received session ticket.
This can simply be handled like EAGAIN instead of errornously
aborting the connection.
ref: https://github.com/Mbed-TLS/mbedtls/issues/8749
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 67d5c568b9..8268e74638 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -322,6 +322,9 @@ static int handle_tls_error(URLContext *h, const
char* func_name, int ret)
switch (ret) {
case MBEDTLS_ERR_SSL_WANT_READ:
case MBEDTLS_ERR_SSL_WANT_WRITE:
+#ifdef MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET
+case MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET:
+#endif
return AVERROR(EAGAIN);
case MBEDTLS_ERR_NET_SEND_FAILED:
case MBEDTLS_ERR_NET_RECV_FAILED:
--
2.45.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures
We manually check the verification status after the handshake has completed using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED mbedtls_ssl_handshake() already returns an error, so this code is never reached. Fix that by using VERIFY_OPTIONAL, which performs the verification but does not abort the handshake. Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 9508fe3436..67d5c568b9 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } +// not VERIFY_REQUIRED because we manually check after handshake mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, - shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); + shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context); mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL); -- 2.45.1 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 3/6] lavf/tls_mbedtls: hook up debug message callback
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 24c3afd94c..9508fe3436 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -26,6 +26,7 @@
#include
#include
#include
+#include
#ifdef MBEDTLS_PSA_CRYPTO_C
#include
#endif
@@ -36,6 +37,7 @@
#include "tls.h"
#include "libavutil/mem.h"
#include "libavutil/parseutils.h"
+#include "libavutil/avstring.h"
typedef struct TLSContext {
const AVClass *class;
@@ -112,6 +114,13 @@ static int mbedtls_recv(void *ctx, unsigned char
*buf, size_t len)
return handle_transport_error(h, "ffurl_read",
MBEDTLS_ERR_SSL_WANT_READ, ret);
}
+static void mbedtls_debug(void *ctx, int lvl, const char *file, int
line, const char *msg)
+{
+URLContext *h = (URLContext*) ctx;
+int av_lvl = lvl >= 4 ? AV_LOG_TRACE : AV_LOG_DEBUG;
+av_log(h, av_lvl, "%s:%d: %s", av_basename(file), line, msg);
+}
+
static void handle_pk_parse_error(URLContext *h, int ret)
{
switch (ret) {
@@ -201,6 +210,11 @@ static int tls_open(URLContext *h, const char *uri,
int flags, AVDictionary **op
mbedtls_x509_crt_init(&tls_ctx->ca_cert);
mbedtls_pk_init(&tls_ctx->priv_key);
+if (av_log_get_level() >= AV_LOG_DEBUG) {
+mbedtls_ssl_conf_dbg(&tls_ctx->ssl_config, mbedtls_debug,
shr->tcp);
+mbedtls_debug_set_threshold(4); // maximum
+}
+
// load trusted CA
if (shr->ca_file) {
if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert,
shr->ca_file)) != 0) {
--
2.45.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 2/6] lavf/tls_mbedtls: add missing call to psa_crypto_init
This is mandatory depending on configuration or at least with mbedTLS 3.6.0.
Signed-off-by: sfan5
---
libavformat/tls_mbedtls.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index fd6ba0b1f5..24c3afd94c 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -26,6 +26,9 @@
#include
#include
#include
+#ifdef MBEDTLS_PSA_CRYPTO_C
+#include
+#endif
#include "avformat.h"
#include "internal.h"
@@ -184,6 +187,13 @@ static int tls_open(URLContext *h, const char *uri,
int flags, AVDictionary **op
if ((ret = ff_tls_open_underlying(shr, h, uri, options)) < 0)
goto fail;
+#ifdef MBEDTLS_PSA_CRYPTO_C
+if ((ret = psa_crypto_init()) != PSA_SUCCESS) {
+av_log(h, AV_LOG_ERROR, "psa_crypto_init returned %d\n", ret);
+goto fail;
+}
+#endif
+
mbedtls_ssl_init(&tls_ctx->ssl_context);
mbedtls_ssl_config_init(&tls_ctx->ssl_config);
mbedtls_entropy_init(&tls_ctx->entropy_context);
--
2.45.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 1/6] lavf/tls_mbedtls: handle more error codes for human-readable message
Signed-off-by: sfan5 --- libavformat/tls_mbedtls.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 1a182e735e..fd6ba0b1f5 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -138,6 +138,9 @@ static void handle_handshake_error(URLContext *h, int ret) case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE: av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n"); break; +case MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION: +av_log(h, AV_LOG_ERROR, "TLS protocol version mismatches.\n"); +break; #endif case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); @@ -145,6 +148,9 @@ static void handle_handshake_error(URLContext *h, int ret) case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED: av_log(h, AV_LOG_ERROR, "No CA chain is set, but required to operate. Was the CA correctly set?\n"); break; +case MBEDTLS_ERR_SSL_INTERNAL_ERROR: +av_log(h, AV_LOG_ERROR, "Internal error encountered.\n"); +break; case MBEDTLS_ERR_NET_CONN_RESET: av_log(h, AV_LOG_ERROR, "TLS handshake was aborted by peer.\n"); break; -- 2.45.1 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH] mediacodecdec_common: enable refcounting of buffers unconditionally
This allows av_mediacodec_release_buffer to be called safely after
the decoder is closed, this was already the case with delay_flush=1.
Note that this causes holding onto frames to keep the decoding context
alive which is generally considered to be the intended behavior
(resending as my patch got mangled somehow)
From c3a5edd940c503cca706b3d92954b8cd5c715e26 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Sun, 18 Sep 2022 18:26:43 +0200
Subject: [PATCH] mediacodecdec_common: enable refcounting of buffers
unconditionally
This allows av_mediacodec_release_buffer to be called safely after
the decoder is closed, this was already the case with delay_flush=1.
Note that this causes holding onto frames to keep the decoding context
alive which is generally considered to be the intended behavior.
Signed-off-by: sfan5
---
libavcodec/mediacodecdec_common.c | 8 +++-
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/libavcodec/mediacodecdec_common.c b/libavcodec/mediacodecdec_common.c
index 9fa769656c..2a605e7f5b 100644
--- a/libavcodec/mediacodecdec_common.c
+++ b/libavcodec/mediacodecdec_common.c
@@ -265,8 +265,7 @@ static void mediacodec_buffer_release(void *opaque, uint8_t *data)
ff_AMediaCodec_releaseOutputBuffer(ctx->codec, buffer->index, 0);
}
-if (ctx->delay_flush)
-ff_mediacodec_dec_unref(ctx);
+ff_mediacodec_dec_unref(ctx);
av_freep(&buffer);
}
@@ -321,8 +320,7 @@ static int mediacodec_wrap_hw_buffer(AVCodecContext *avctx,
buffer->ctx = s;
buffer->serial = atomic_load(&s->serial);
-if (s->delay_flush)
-ff_mediacodec_dec_ref(s);
+ff_mediacodec_dec_ref(s);
buffer->index = index;
buffer->pts = info->presentationTimeUs;
@@ -872,7 +870,7 @@ int ff_mediacodec_dec_receive(AVCodecContext *avctx, MediaCodecDecContext *s,
*/
int ff_mediacodec_dec_flush(AVCodecContext *avctx, MediaCodecDecContext *s)
{
-if (!s->surface || atomic_load(&s->refcount) == 1) {
+if (!s->surface || !s->delay_flush || atomic_load(&s->refcount) == 1) {
int ret;
/* No frames (holding a reference to the codec) are retained by the
--
2.37.3
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH] mediacodecdec_common: enable refcounting of buffers unconditionally
This allows av_mediacodec_release_buffer to be called safely after
the decoder is closed, this was already the case with delay_flush=1.
Note that this causes holding onto frames to keep the decoding context
alive which is generally considered to be the intended behavior.
---
libavcodec/mediacodecdec_common.c | 8 +++-
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/libavcodec/mediacodecdec_common.c
b/libavcodec/mediacodecdec_common.c
index 9fa769656c..2a605e7f5b 100644
--- a/libavcodec/mediacodecdec_common.c
+++ b/libavcodec/mediacodecdec_common.c
@@ -265,8 +265,7 @@ static void mediacodec_buffer_release(void *opaque,
uint8_t *data)
ff_AMediaCodec_releaseOutputBuffer(ctx->codec, buffer->index, 0);
}
-if (ctx->delay_flush)
-ff_mediacodec_dec_unref(ctx);
+ff_mediacodec_dec_unref(ctx);
av_freep(&buffer);
}
@@ -321,8 +320,7 @@ static int
mediacodec_wrap_hw_buffer(AVCodecContext *avctx,
buffer->ctx = s;
buffer->serial = atomic_load(&s->serial);
-if (s->delay_flush)
-ff_mediacodec_dec_ref(s);
+ff_mediacodec_dec_ref(s);
buffer->index = index;
buffer->pts = info->presentationTimeUs;
@@ -872,7 +870,7 @@ int ff_mediacodec_dec_receive(AVCodecContext *avctx,
MediaCodecDecContext *s,
*/
int ff_mediacodec_dec_flush(AVCodecContext *avctx,
MediaCodecDecContext *s)
{
-if (!s->surface || atomic_load(&s->refcount) == 1) {
+if (!s->surface || !s->delay_flush || atomic_load(&s->refcount) == 1) {
int ret;
/* No frames (holding a reference to the codec) are retained
by the
--
2.37.3
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
On 29.12.2021 at 21:02 Anton Khirnov wrote: Quoting sfan5 (2021-12-13 21:55:41) If ca_file was set, setting tls_verify=0 would not actually disable verification. From 2677353187c4e3c20b50a3f9aab53130e3ead99b Mon Sep 17 00:00:00 2001 From: sfan5 Date: Mon, 13 Dec 2021 21:35:40 +0100 Subject: [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0 If ca_file was set, setting tls_verify=0 would not actually disable verification. --- libavformat/tls_mbedtls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index aadf17760d..5754d0d018 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -223,7 +223,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op } mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, - shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); + shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context); mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL); -- 2.34.1 What will happen if verify=1, but ca_file is not set? The verification fails as expected and mbedtls_ssl_handshake returns an error, just tested. ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
ping. I'll look at getting this pushed in a few days if there are no objections. If ca_file was set, setting tls_verify=0 would not actually disable verification. ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe". ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH] lavc/mediacodecdec: set codec profile and level from extradata for H264+HEVC
This value is later passed to MediaCodec and checked at decoder init.
Notably decoding of 10-bit streams before this commit would "work" without
returning errors but only return garbage output (on most Android devices).
From 304d1bd55e72212c1e907922547d40da240b Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 13 Dec 2021 21:01:00 +0100
Subject: [PATCH] lavc/mediacodecdec: set codec profile and level from
extradata for H264+HEVC
This value is later passed to MediaCodec and checked at decoder init.
Notably decoding of 10-bit streams before this commit would "work" without
returning errors but only return garbage output (on most Android devices).
---
libavcodec/mediacodecdec.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/libavcodec/mediacodecdec.c b/libavcodec/mediacodecdec.c
index 1cebb3d76d..04d5026e68 100644
--- a/libavcodec/mediacodecdec.c
+++ b/libavcodec/mediacodecdec.c
@@ -155,6 +155,9 @@ static int h264_set_extradata(AVCodecContext *avctx, FFAMediaFormat *format)
uint8_t *data = NULL;
int data_size = 0;
+avctx->profile = ff_h264_get_profile(sps);
+avctx->level = sps->level_idc;
+
if ((ret = h2645_ps_to_nalu(sps->data, sps->data_size, &data, &data_size)) < 0) {
goto done;
}
@@ -236,6 +239,9 @@ static int hevc_set_extradata(AVCodecContext *avctx, FFAMediaFormat *format)
uint8_t *data;
int data_size;
+avctx->profile = sps->ptl.general_ptl.profile_idc;
+avctx->level = sps->ptl.general_ptl.level_idc;
+
if ((ret = h2645_ps_to_nalu(vps->data, vps->data_size, &vps_data, &vps_data_size)) < 0 ||
(ret = h2645_ps_to_nalu(sps->data, sps->data_size, &sps_data, &sps_data_size)) < 0 ||
(ret = h2645_ps_to_nalu(pps->data, pps->data_size, &pps_data, &pps_data_size)) < 0) {
--
2.34.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0
If ca_file was set, setting tls_verify=0 would not actually disable verification. From 2677353187c4e3c20b50a3f9aab53130e3ead99b Mon Sep 17 00:00:00 2001 From: sfan5 Date: Mon, 13 Dec 2021 21:35:40 +0100 Subject: [PATCH] lavf/tls_mbedtls: fix handling of tls_verify=0 If ca_file was set, setting tls_verify=0 would not actually disable verification. --- libavformat/tls_mbedtls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index aadf17760d..5754d0d018 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -223,7 +223,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op } mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config, - shr->ca_file ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); + shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random, &tls_ctx->ctr_drbg_context); mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert, NULL); -- 2.34.1 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 2/2] avcodec/mediacodec_wrapper: use MediaCodecInfo.isSoftwareOnly() when available
>From 22ebde779f61fb030633a881ef320264ea446b6b Mon Sep 17 00:00:00 2001
From: sfan5
Date: Thu, 11 Feb 2021 20:48:54 +0100
Subject: [PATCH 2/2] avcodec/mediacodec_wrapper: use
MediaCodecInfo.isSoftwareOnly() when available
Added in Android 10 it provides a reliable way of filtering out
software decoders, unlike existing string-based checks.
---
libavcodec/mediacodec_wrapper.c | 13 +
1 file changed, 13 insertions(+)
diff --git a/libavcodec/mediacodec_wrapper.c b/libavcodec/mediacodec_wrapper.c
index f1945bcfc0..c829941d6b 100644
--- a/libavcodec/mediacodec_wrapper.c
+++ b/libavcodec/mediacodec_wrapper.c
@@ -45,6 +45,7 @@ struct JNIAMediaCodecListFields {
jmethodID get_codec_capabilities_id;
jmethodID get_supported_types_id;
jmethodID is_encoder_id;
+jmethodID is_software_only_id;
jclass codec_capabilities_class;
jfieldID color_formats_id;
@@ -81,6 +82,7 @@ static const struct FFJniField jni_amediacodeclist_mapping[] = {
{ "android/media/MediaCodecInfo", "getCapabilitiesForType", "(Ljava/lang/String;)Landroid/media/MediaCodecInfo$CodecCapabilities;", FF_JNI_METHOD, offsetof(struct JNIAMediaCodecListFields, get_codec_capabilities_id), 1 },
{ "android/media/MediaCodecInfo", "getSupportedTypes", "()[Ljava/lang/String;", FF_JNI_METHOD, offsetof(struct JNIAMediaCodecListFields, get_supported_types_id), 1 },
{ "android/media/MediaCodecInfo", "isEncoder", "()Z", FF_JNI_METHOD, offsetof(struct JNIAMediaCodecListFields, is_encoder_id), 1 },
+{ "android/media/MediaCodecInfo", "isSoftwareOnly", "()Z", FF_JNI_METHOD, offsetof(struct JNIAMediaCodecListFields, is_software_only_id), 0 },
{ "android/media/MediaCodecInfo$CodecCapabilities", NULL, NULL, FF_JNI_CLASS, offsetof(struct JNIAMediaCodecListFields, codec_capabilities_class), 1 },
{ "android/media/MediaCodecInfo$CodecCapabilities", "colorFormats", "[I", FF_JNI_FIELD, offsetof(struct JNIAMediaCodecListFields, color_formats_id), 1 },
@@ -441,6 +443,17 @@ char *ff_AMediaCodecList_getCodecNameByType(const char *mime, int profile, int e
goto done_with_info;
}
+if (jfields.is_software_only_id) {
+int is_software_only = (*env)->CallBooleanMethod(env, info, jfields.is_software_only_id);
+if (ff_jni_exception_check(env, 1, log_ctx) < 0) {
+goto done;
+}
+
+if (is_software_only) {
+goto done_with_info;
+}
+}
+
codec_name = (*env)->CallObjectMethod(env, info, jfields.get_name_id);
if (ff_jni_exception_check(env, 1, log_ctx) < 0) {
goto done;
--
2.30.1
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 1/2] avcodec/mediacodec_wrapper: clean up ff_AMediaCodecList_getCodecNameByType a bit
Hi,
while looking into mediacodec for unrelated reasons I saw some room for
improvement.
Therefore, here's a series with two small patches.
>From cadd2b2d4a5ffbb4dcc34faf2d3e139e1d4d608b Mon Sep 17 00:00:00 2001
From: sfan5
Date: Thu, 11 Feb 2021 19:23:26 +0100
Subject: [PATCH 1/2] avcodec/mediacodec_wrapper: clean up
ff_AMediaCodecList_getCodecNameByType a bit
We can skip software decoders before even looking at the mime types.
---
libavcodec/mediacodec_wrapper.c | 113
1 file changed, 57 insertions(+), 56 deletions(-)
diff --git a/libavcodec/mediacodec_wrapper.c b/libavcodec/mediacodec_wrapper.c
index 79abc8b6aa..f1945bcfc0 100644
--- a/libavcodec/mediacodec_wrapper.c
+++ b/libavcodec/mediacodec_wrapper.c
@@ -441,6 +441,30 @@ char *ff_AMediaCodecList_getCodecNameByType(const char *mime, int profile, int e
goto done_with_info;
}
+codec_name = (*env)->CallObjectMethod(env, info, jfields.get_name_id);
+if (ff_jni_exception_check(env, 1, log_ctx) < 0) {
+goto done;
+}
+
+name = ff_jni_jstring_to_utf_chars(env, codec_name, log_ctx);
+if (!name) {
+goto done;
+}
+
+if (codec_name) {
+(*env)->DeleteLocalRef(env, codec_name);
+codec_name = NULL;
+}
+
+/* Skip software decoders */
+if (
+strstr(name, "OMX.google") ||
+strstr(name, "OMX.ffmpeg") ||
+(strstr(name, "OMX.SEC") && strstr(name, ".sw.")) ||
+!strcmp(name, "OMX.qcom.video.decoder.hevcswvdec")) {
+goto done_with_info;
+}
+
type_count = (*env)->GetArrayLength(env, types);
for (j = 0; j < type_count; j++) {
int k;
@@ -456,74 +480,51 @@ char *ff_AMediaCodecList_getCodecNameByType(const char *mime, int profile, int e
goto done;
}
-if (!av_strcasecmp(supported_type, mime)) {
-codec_name = (*env)->CallObjectMethod(env, info, jfields.get_name_id);
-if (ff_jni_exception_check(env, 1, log_ctx) < 0) {
-goto done;
-}
+if (av_strcasecmp(supported_type, mime)) {
+goto done_with_type;
+}
-name = ff_jni_jstring_to_utf_chars(env, codec_name, log_ctx);
-if (!name) {
-goto done;
-}
+capabilities = (*env)->CallObjectMethod(env, info, jfields.get_codec_capabilities_id, type);
+if (ff_jni_exception_check(env, 1, log_ctx) < 0) {
+goto done;
+}
-if (codec_name) {
-(*env)->DeleteLocalRef(env, codec_name);
-codec_name = NULL;
-}
+profile_levels = (*env)->GetObjectField(env, capabilities, jfields.profile_levels_id);
+if (ff_jni_exception_check(env, 1, log_ctx) < 0) {
+goto done;
+}
-/* Skip software decoders */
-if (
-strstr(name, "OMX.google") ||
-strstr(name, "OMX.ffmpeg") ||
-(strstr(name, "OMX.SEC") && strstr(name, ".sw.")) ||
-!strcmp(name, "OMX.qcom.video.decoder.hevcswvdec")) {
-av_freep(&name);
-goto done_with_type;
+profile_count = (*env)->GetArrayLength(env, profile_levels);
+if (!profile_count) {
+found_codec = 1;
+}
+for (k = 0; k < profile_count; k++) {
+int supported_profile = 0;
+
+if (profile < 0) {
+found_codec = 1;
+break;
}
-capabilities = (*env)->CallObjectMethod(env, info, jfields.get_codec_capabilities_id, type);
+profile_level = (*env)->GetObjectArrayElement(env, profile_levels, k);
if (ff_jni_exception_check(env, 1, log_ctx) < 0) {
goto done;
}
-profile_levels = (*env)->GetObjectField(env, capabilities, jfields.profile_levels_id);
+supported_profile = (*env)->GetIntField(env, profile_level, jfields.profile_id);
if (ff_jni_exception_check(env, 1, log_ctx) < 0) {
goto done;
}
-profile_count = (*env)->GetArrayLength(env, profile_levels);
-if (!profile_count) {
-found_codec = 1;
+found_codec = profile == supported_profile;
+
+if (profile_level) {
+(*env)->DeleteLocalRef(env, profile_level);
+
[FFmpeg-devel] [PATCH v3] avcodec/mediacodecdec: Do not abort when H264/HEVC extradata extraction fails
12.02.21 - 21:43 - Andreas Rheinhardt:
sfan5:
Hi,
attached v2 patch after discussion on IRC with JEEB (as he already
mentioned).
Only change is that the log level turns to debug when missing parameter
sets are within spec (cf. 14496-15).
-av_log(avctx, AV_LOG_ERROR, "Could not extract PPS/SPS from
extradata");
-ret = AVERROR_INVALIDDATA;
+const int warn = is_avc && avctx->codec_tag != MKTAG('a','v','c','1')
&&
+avctx->codec_tag != MKTAG('a','v','c','2');
+av_log(avctx, warn ? AV_LOG_WARNING : AV_LOG_DEBUG,
+"Could not extract PPS/SPS from extradata\n");
+ret = 0;
}
warn = is_avc && (avctx->codec_tag == MKTAG('a','v','c','1') ||
avctx->codec_tag == MKTAG('a','v','c','2')
is what you (should) want.
- Andreas
Thanks for pointing that out, you're correct.
here's v3:
>From 40c8ba797b39d1e61dc1697c65e0261411bc20b8 Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 25 Jan 2021 18:12:54 +0100
Subject: [PATCH v3] avcodec/mediacodecdec: Do not abort when H264/HEVC
extradata extraction fails
Although rare, extradata can be present but empty and extraction will fail.
However Android also supports passing codec-specific data inline and
will likely play such a stream anyway. So there's no reason to abort
initialization before we know for sure.
---
libavcodec/mediacodecdec.c | 13 +
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/libavcodec/mediacodecdec.c b/libavcodec/mediacodecdec.c
index ac1725e466..f5d13b171e 100644
--- a/libavcodec/mediacodecdec.c
+++ b/libavcodec/mediacodecdec.c
@@ -167,8 +167,11 @@ static int h264_set_extradata(AVCodecContext *avctx, FFAMediaFormat *format)
ff_AMediaFormat_setBuffer(format, "csd-1", (void*)data, data_size);
av_freep(&data);
} else {
-av_log(avctx, AV_LOG_ERROR, "Could not extract PPS/SPS from extradata");
-ret = AVERROR_INVALIDDATA;
+const int warn = is_avc && (avctx->codec_tag == MKTAG('a','v','c','1') ||
+avctx->codec_tag == MKTAG('a','v','c','2'));
+av_log(avctx, warn ? AV_LOG_WARNING : AV_LOG_DEBUG,
+"Could not extract PPS/SPS from extradata\n");
+ret = 0;
}
done:
@@ -254,8 +257,10 @@ static int hevc_set_extradata(AVCodecContext *avctx, FFAMediaFormat *format)
av_freep(&data);
} else {
-av_log(avctx, AV_LOG_ERROR, "Could not extract VPS/PPS/SPS from extradata");
-ret = AVERROR_INVALIDDATA;
+const int warn = is_nalff && avctx->codec_tag == MKTAG('h','v','c','1');
+av_log(avctx, warn ? AV_LOG_WARNING : AV_LOG_DEBUG,
+"Could not extract VPS/PPS/SPS from extradata\n");
+ret = 0;
}
done:
--
2.30.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH v2] avcodec/mediacodecdec: Do not abort when H264/HEVC extradata extraction fails
Hi,
attached v2 patch after discussion on IRC with JEEB (as he already
mentioned).
Only change is that the log level turns to debug when missing parameter
sets are within spec (cf. 14496-15).
>From 2fc46b8b22361d02f8c4008c3f47b2c3d0046b3a Mon Sep 17 00:00:00 2001
From: sfan5
Date: Mon, 25 Jan 2021 18:12:54 +0100
Subject: [PATCH v2] avcodec/mediacodecdec: Do not abort when H264/HEVC
extradata extraction fails
Although rare, extradata can be present but empty and extraction will fail.
However Android also supports passing codec-specific data inline and
will likely play such a stream anyway. So there's no reason to abort
initialization before we know for sure.
---
libavcodec/mediacodecdec.c | 13 +
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/libavcodec/mediacodecdec.c b/libavcodec/mediacodecdec.c
index ac1725e466..5af1fd9198 100644
--- a/libavcodec/mediacodecdec.c
+++ b/libavcodec/mediacodecdec.c
@@ -167,8 +167,11 @@ static int h264_set_extradata(AVCodecContext *avctx, FFAMediaFormat *format)
ff_AMediaFormat_setBuffer(format, "csd-1", (void*)data, data_size);
av_freep(&data);
} else {
-av_log(avctx, AV_LOG_ERROR, "Could not extract PPS/SPS from extradata");
-ret = AVERROR_INVALIDDATA;
+const int warn = is_avc && avctx->codec_tag != MKTAG('a','v','c','1') &&
+avctx->codec_tag != MKTAG('a','v','c','2');
+av_log(avctx, warn ? AV_LOG_WARNING : AV_LOG_DEBUG,
+"Could not extract PPS/SPS from extradata\n");
+ret = 0;
}
done:
@@ -254,8 +257,10 @@ static int hevc_set_extradata(AVCodecContext *avctx, FFAMediaFormat *format)
av_freep(&data);
} else {
-av_log(avctx, AV_LOG_ERROR, "Could not extract VPS/PPS/SPS from extradata");
-ret = AVERROR_INVALIDDATA;
+const int warn = is_nalff && avctx->codec_tag == MKTAG('h','v','c','1');
+av_log(avctx, warn ? AV_LOG_WARNING : AV_LOG_DEBUG,
+"Could not extract VPS/PPS/SPS from extradata\n");
+ret = 0;
}
done:
--
2.30.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 1/2] avformat/dashdec: Fix missing NULL check
26.01.21 - 02:22 - Steven Liu:
sfan5 于2021年1月25日周一 下午11:25写道:
---
libavformat/dashdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index 693fc7372b..dc56e89f11 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -161,7 +161,7 @@ typedef struct DASHContext {
static int ishttp(char *url)
{
const char *proto_name = avio_find_protocol_name(url);
-return av_strstart(proto_name, "http", NULL);
+return proto_name && av_strstart(proto_name, "http", NULL);
}
static int aligned(int val)
--
2.30.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
LGTM
Thanks
Steven
I don't have commit rights myself. Can you push these two patches?
Thanks
sfan5
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH] avcodec/mediacodecdec: Do not abort when H264/HEVC extradata extraction fails
Although rare, extradata can be present but empty and extraction will fail.
However Android also supports passing codec-specific data inline and
will likely play such a stream anyway. So there's no reason to abort
initialization before we know for sure.
---
libavcodec/mediacodecdec.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/mediacodecdec.c b/libavcodec/mediacodecdec.c
index ac1725e466..67adefb530 100644
--- a/libavcodec/mediacodecdec.c
+++ b/libavcodec/mediacodecdec.c
@@ -167,8 +167,8 @@ static int h264_set_extradata(AVCodecContext *avctx,
FFAMediaFormat *format)
ff_AMediaFormat_setBuffer(format, "csd-1", (void*)data,
data_size);
av_freep(&data);
} else {
-av_log(avctx, AV_LOG_ERROR, "Could not extract PPS/SPS from
extradata");
-ret = AVERROR_INVALIDDATA;
+av_log(avctx, AV_LOG_WARNING, "Could not extract PPS/SPS from
extradata\n");
+ret = 0;
}
done:
@@ -254,8 +254,8 @@ static int hevc_set_extradata(AVCodecContext *avctx,
FFAMediaFormat *format)
av_freep(&data);
} else {
-av_log(avctx, AV_LOG_ERROR, "Could not extract VPS/PPS/SPS from
extradata");
-ret = AVERROR_INVALIDDATA;
+av_log(avctx, AV_LOG_WARNING, "Could not extract VPS/PPS/SPS
from extradata\n");
+ret = 0;
}
done:
--
2.30.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 2/2] avformat/dashdec: Avoid segfault when URL template is unexpectedly missing
This isn't supposed to happen, but unfinished support for non-templated
manifests and lack of e.g. presentationTimeOffset handling can provoke
such a situation even with well-formed input.
---
libavformat/dashdec.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index dc56e89f11..c4e6c3da16 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -1625,8 +1625,15 @@ static struct fragment
*get_current_fragment(struct representation *pls)
}
}
if (seg) {
-char *tmpfilename= av_mallocz(c->max_url_size);
+char *tmpfilename;
+if (!pls->url_template) {
+av_log(pls->parent, AV_LOG_ERROR, "Cannot get fragment,
missing template URL\n");
+av_free(seg);
+return NULL;
+}
+tmpfilename = av_mallocz(c->max_url_size);
if (!tmpfilename) {
+av_free(seg);
return NULL;
}
ff_dash_fill_tmpl_params(tmpfilename, c->max_url_size,
pls->url_template, 0, pls->cur_seq_no, 0,
get_segment_start_time_based_on_timeline(pls, pls->cur_seq_no));
@@ -1637,6 +1644,7 @@ static struct fragment
*get_current_fragment(struct representation *pls)
if (!seg->url) {
av_log(pls->parent, AV_LOG_ERROR, "Cannot resolve
template url '%s'\n", pls->url_template);
av_free(tmpfilename);
+av_free(seg);
return NULL;
}
}
--
2.30.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 1/2] avformat/dashdec: Fix missing NULL check
---
libavformat/dashdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index 693fc7372b..dc56e89f11 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -161,7 +161,7 @@ typedef struct DASHContext {
static int ishttp(char *url)
{
const char *proto_name = avio_find_protocol_name(url);
-return av_strstart(proto_name, "http", NULL);
+return proto_name && av_strstart(proto_name, "http", NULL);
}
static int aligned(int val)
--
2.30.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
