[FFmpeg-cvslog] [ffmpeg] branch master updated. 61d0050924 avformat/tls_openssl: simplify fingerprint generation
ffmpeg-git at ffmpeg.org
ffmpeg-git at ffmpeg.org
Sat Aug 16 03:16:17 EEST 2025
The branch, master has been updated
via 61d00509244d7503b3ad467c719da2662d11b6c7 (commit)
via 4676f97928c1c38753d4f5da4ec13a75d5f22944 (commit)
via 113c9c6cf36a703afc5ef10bbb40f248df521425 (commit)
via 3a8b3dfeca2ddbee9999262f3240bfe05b55c66a (commit)
from 1f4fed5cc3be0737305e342f753c42716d6bf432 (commit)
- Log -----------------------------------------------------------------
commit 61d00509244d7503b3ad467c719da2662d11b6c7
Author: Kacper MichajÅow <kasper93 at gmail.com>
AuthorDate: Wed Jul 30 00:23:20 2025 +0200
Commit: Leo Izen <leo.izen at gmail.com>
CommitDate: Sat Aug 16 00:15:30 2025 +0000
avformat/tls_openssl: simplify fingerprint generation
Signed-off-by: Kacper MichajÅow <kasper93 at gmail.com>
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index ba5895316a..0f2dbc8da6 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -91,48 +91,26 @@ done:
/**
* Generate a SHA-256 fingerprint of an X.509 certificate.
- *
- * @param ctx AVFormatContext for logging (can be NULL)
- * @param cert X509 certificate to fingerprint
- * @return Newly allocated fingerprint string in "AA:BB:CC:â¦" format,
- * or NULL on error (logs via av_log if ctx is not NULL).
- * Caller must free() the returned string.
*/
-static char *generate_fingerprint(X509 *cert)
+static int x509_fingerprint(X509 *cert, char **fingerprint)
{
unsigned char md[EVP_MAX_MD_SIZE];
int n = 0;
- AVBPrint fingerprint;
- char *result = NULL;
- int i;
-
- /* To prevent a crash during cleanup, always initialize it. */
- av_bprint_init(&fingerprint, 0, AV_BPRINT_SIZE_UNLIMITED);
+ AVBPrint buf;
if (X509_digest(cert, EVP_sha256(), md, &n) != 1) {
- av_log(NULL, AV_LOG_ERROR, "TLS: Failed to generate fingerprint, %s\n", ERR_error_string(ERR_get_error(), NULL));
- goto end;
- }
-
- for (i = 0; i < n; i++) {
- av_bprintf(&fingerprint, "%02X", md[i]);
- if (i + 1 < n)
- av_bprintf(&fingerprint, ":");
+ av_log(NULL, AV_LOG_ERROR, "TLS: Failed to generate fingerprint, %s\n",
+ ERR_error_string(ERR_get_error(), NULL));
+ return AVERROR(ENOMEM);
}
- if (!fingerprint.str || !strlen(fingerprint.str)) {
- av_log(NULL, AV_LOG_ERROR, "TLS: Fingerprint is empty\n");
- goto end;
- }
+ av_bprint_init(&buf, n*3, n*3);
- result = av_strdup(fingerprint.str);
- if (!result) {
- av_log(NULL, AV_LOG_ERROR, "TLS: Out of memory generating fingerprint\n");
- }
+ for (int i = 0; i < n - 1; i++)
+ av_bprintf(&buf, "%02X:", md[i]);
+ av_bprintf(&buf, "%02X", md[n - 1]);
-end:
- av_bprint_finalize(&fingerprint, NULL);
- return result;
+ return av_bprint_finalize(&buf, fingerprint);
}
int ff_ssl_read_key_cert(char *key_url, char *cert_url, char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint)
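Review bot: x509_fingerprint() returns AVERROR(ENOMEM) when X509_digest() fails, but that is a library/external error rather than an allocation failure, and both callers now propagate the code; `return AVERROR_EXTERNAL;` describes it honestly. There is also no truncation check on the bprint: if av_bprint_init() cannot allocate its n*3 buffer it falls back to the small internal buffer, av_bprintf() truncates, and av_bprint_finalize() then returns 0 with a shortened string, so the loop should be followed by `if (!av_bprint_is_complete(&buf)) { av_bprint_finalize(&buf, NULL); return AVERROR(ENOMEM); }`. The final `md[n - 1]` assumes n >= 1, which holds for SHA-256 but is not checked after the digest call. The rewrite also drops the @param/@return lines; restoring them as `@param fingerprint receives the av_malloc'ed "AA:BB:..." string, owned by the caller (presumably NULL discards it, since av_bprint_finalize() accepts a NULL destination — confirm)` and `@return 0 on success, negative AVERROR on failure` would keep the ownership contract visible.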
@@ -190,15 +168,9 @@ int ff_ssl_read_key_cert(char *key_url, char *cert_url, char *key_buf, size_t ke
pkey_to_pem_string(pkey, key_buf, key_sz);
cert_to_pem_string(cert, cert_buf, cert_sz);
- /* Generate fingerprint. */
- if (fingerprint) {
- *fingerprint = generate_fingerprint(cert);
- if (!*fingerprint) {
- av_log(NULL, AV_LOG_ERROR, "TLS: Failed to generate fingerprint from %s\n", cert_url);
- ret = AVERROR(EIO);
- goto end;
- }
- }
+ ret = x509_fingerprint(cert, fingerprint);
+ if (ret < 0)
+ av_log(NULL, AV_LOG_ERROR, "TLS: Failed to generate fingerprint from %s\n", cert_url);
end:
BIO_free(key_b);
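Review bot: The `if (fingerprint)` guard is gone, so a caller that passes NULL for fingerprint now fails ff_ssl_read_key_cert() when the digest cannot be computed, where before the step was skipped entirely; if that is intended, a comment such as `/* fingerprint may be NULL: the digest is still computed and discarded */` above the call would make it deliberate, otherwise keep the guard. The pkey_to_pem_string()/cert_to_pem_string() calls just above still discard their return values, so an empty or truncated key_buf/cert_buf is handed on without any error. ff_ssl_read_key_cert() starts and ends outside this hunk.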
@@ -347,12 +319,9 @@ static int openssl_gen_certificate(EVP_PKEY *pkey, X509 **cert, char **fingerpri
goto einval_end;
}
- if (fingerprint) {
- *fingerprint = generate_fingerprint(*cert);
- if (!*fingerprint) {
- goto enomem_end;
- }
- }
+ ret = x509_fingerprint(*cert, fingerprint);
+ if (ret < 0)
+ goto end;
goto end;
enomem_end:
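Review bot: `if (ret < 0) goto end;` is immediately followed by an unconditional `goto end;`, so the conditional is dead code; either collapse it to `ret = x509_fingerprint(*cert, fingerprint); goto end;` or, if the failure path is meant to differ from the success path, jump to a distinct label. With this site no longer jumping to enomem_end:, check whether that label is still referenced elsewhere in the function, or the compiler will warn about an unused label. The body of openssl_gen_certificate(), including the end: cleanup, lies outside the hunk, so I cannot confirm that *cert is released or nulled on the failure path; the caller's X509_free() in ff_ssl_gen_key_cert() only covers it if *cert has already been stored.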
commit 4676f97928c1c38753d4f5da4ec13a75d5f22944
Author: Kacper MichajÅow <kasper93 at gmail.com>
AuthorDate: Tue Jul 29 23:55:33 2025 +0200
Commit: Leo Izen <leo.izen at gmail.com>
CommitDate: Sat Aug 16 00:15:30 2025 +0000
avformat/tls_openssl: clean keys serialization
It was unnecessarily convoluted; remove the unneeded memory allocations and
snprintf.
Also fixes the possibility of calling snprintf with NULL as a %s input.
Signed-off-by: Kacper MichajÅow <kasper93 at gmail.com>
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index a1073da216..ba5895316a 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -35,80 +35,57 @@
#include <openssl/x509v3.h>
/**
- * Returns a heap-allocated null-terminated string containing
- * the PEM-encoded public key. Caller must free.
+ * Convert an EVP_PKEY to a PEM string.
*/
-static char *pkey_to_pem_string(EVP_PKEY *pkey) {
- BIO *mem = NULL;
- BUF_MEM *bptr = NULL;
- char *pem_str = NULL;
+static int pkey_to_pem_string(EVP_PKEY *pkey, char *out, size_t out_sz)
+{
+ BIO *mem = NULL;
+ size_t read_bytes = 0;
+
+ if (!pkey || !out || !out_sz)
+ goto done;
- // Create a memory BIO
if (!(mem = BIO_new(BIO_s_mem())))
- goto err;
+ goto done;
- // Write public key in PEM form
if (!PEM_write_bio_PrivateKey(mem, pkey, NULL, NULL, 0, NULL, NULL))
- goto err;
-
- // Extract pointer/length
- BIO_get_mem_ptr(mem, &bptr);
- if (!bptr || !bptr->length)
- goto err;
+ goto done;
- // Allocate string (+1 for NUL)
- pem_str = av_malloc(bptr->length + 1);
- if (!pem_str)
- goto err;
+ if (!BIO_read_ex(mem, out, out_sz - 1, &read_bytes))
+ goto done;
- // Copy data & NUL-terminate
- memcpy(pem_str, bptr->data, bptr->length);
- pem_str[bptr->length] = '\0';
-
-cleanup:
+done:
BIO_free(mem);
- return pem_str;
-
-err:
- // error path: free and return NULL
- free(pem_str);
- pem_str = NULL;
- goto cleanup;
+ if (out && out_sz)
+ out[read_bytes] = '\0';
+ return read_bytes;
}
/**
- * Serialize an X509 certificate to a av_mallocâd PEM string.
- * Caller must free the returned pointer.
+ * Convert an X509 certificate to a PEM string.
*/
-static char *cert_to_pem_string(X509 *cert)
+static int cert_to_pem_string(X509 *cert, char *out, size_t out_sz)
{
- BIO *mem = BIO_new(BIO_s_mem());
- BUF_MEM *bptr = NULL;
- char *out = NULL;
-
- if (!mem) goto err;
+ BIO *mem = NULL;
+ size_t read_bytes = 0;
- /* Write the PEM certificate */
- if (!PEM_write_bio_X509(mem, cert))
- goto err;
+ if (!cert || !out || !out_sz)
+ goto done;
- BIO_get_mem_ptr(mem, &bptr);
- if (!bptr || !bptr->length) goto err;
+ if (!(mem = BIO_new(BIO_s_mem())))
+ goto done;
- out = av_malloc(bptr->length + 1);
- if (!out) goto err;
+ if (!PEM_write_bio_X509(mem, cert))
+ goto done;
- memcpy(out, bptr->data, bptr->length);
- out[bptr->length] = '\0';
+ if (!BIO_read_ex(mem, out, out_sz - 1, &read_bytes))
+ goto done;
-cleanup:
+done:
BIO_free(mem);
- return out;
-
-err:
- free(out);
- out = NULL;
- goto cleanup;
+ if (out && out_sz)
+ out[read_bytes] = '\0';
+ return read_bytes;
}
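Review bot: pkey_to_pem_string() and cert_to_pem_string() cannot report truncation: BIO_read_ex() reads at most out_sz - 1 bytes, so a PEM longer than the buffer comes back as a silently shortened string with a positive count, and the size_t read_bytes is narrowed to int on return with 0 standing for both failure and empty output. Checking for leftover bytes right after the read, e.g. `if (BIO_ctrl_pending(mem)) read_bytes = 0;`, and returning a negative AVERROR on the failure paths would let the callers in the `@@ -211,11 +187,8 @@` and `@@ -411,14 +381,9 @@` hunks, which currently discard the return value, refuse a truncated private key instead of passing it on. The one-line doc comments should also state that the PEM text is written into out, truncated to out_sz - 1 bytes plus a terminating NUL, and what the return value means.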
@@ -165,7 +142,6 @@ int ff_ssl_read_key_cert(char *key_url, char *cert_url, char *key_buf, size_t ke
AVBPrint key_bp, cert_bp;
EVP_PKEY *pkey = NULL;
X509 *cert = NULL;
- char *key_tem = NULL, *cert_tem = NULL;
/* To prevent a crash during cleanup, always initialize it. */
av_bprint_init(&key_bp, 1, MAX_CERTIFICATE_SIZE);
@@ -211,11 +187,8 @@ int ff_ssl_read_key_cert(char *key_url, char *cert_url, char *key_buf, size_t ke
goto end;
}
- key_tem = pkey_to_pem_string(pkey);
- cert_tem = cert_to_pem_string(cert);
-
- snprintf(key_buf, key_sz, "%s", key_tem);
- snprintf(cert_buf, cert_sz, "%s", cert_tem);
+ pkey_to_pem_string(pkey, key_buf, key_sz);
+ cert_to_pem_string(cert, cert_buf, cert_sz);
/* Generate fingerprint. */
if (fingerprint) {
@@ -232,8 +205,6 @@ end:
av_bprint_finalize(&key_bp, NULL);
BIO_free(cert_b);
av_bprint_finalize(&cert_bp, NULL);
- av_free(key_tem);
- av_free(cert_tem);
EVP_PKEY_free(pkey);
X509_free(cert);
return ret;
@@ -403,7 +374,6 @@ int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cer
int ret = 0;
EVP_PKEY *pkey = NULL;
X509 *cert = NULL;
- char *key_tem = NULL, *cert_tem = NULL;
ret = openssl_gen_private_key(&pkey);
if (ret < 0) goto error;
@@ -411,14 +381,9 @@ int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cer
ret = openssl_gen_certificate(pkey, &cert, fingerprint);
if (ret < 0) goto error;
- key_tem = pkey_to_pem_string(pkey);
- cert_tem = cert_to_pem_string(cert);
-
- snprintf(key_buf, key_sz, "%s", key_tem);
- snprintf(cert_buf, cert_sz, "%s", cert_tem);
+ pkey_to_pem_string(pkey, key_buf, key_sz);
+ cert_to_pem_string(cert, cert_buf, cert_sz);
- av_free(key_tem);
- av_free(cert_tem);
error:
X509_free(cert);
EVP_PKEY_free(pkey);
commit 113c9c6cf36a703afc5ef10bbb40f248df521425
Author: Kacper MichajÅow <kasper93 at gmail.com>
AuthorDate: Wed Jul 30 20:08:38 2025 +0200
Commit: Leo Izen <leo.izen at gmail.com>
CommitDate: Sat Aug 16 00:15:30 2025 +0000
configure: require at least OpenSSL 1.1.1 (LTS)
Commit f256487cd8f29f24036efa5d91a84a26b048861a bumped the requirement to
1.1.0 for OPENSSL_init_ssl.
Bump this again to 1.1.1, because it was an LTS version. Although it has
no mainline support anymore, it still has paid/premium support. 1.1.0 has
no support at all.
Motivated by the use of BIO_read_ex() in the next commits.
Signed-off-by: Kacper MichajÅow <kasper93 at gmail.com>
diff --git a/Changelog b/Changelog
index 0b0e6ecbf4..98b259f17f 100644
--- a/Changelog
+++ b/Changelog
@@ -8,6 +8,7 @@ version 8.0:
- Whisper filter
- Drop support for OpenSSL < 1.1.0
- Enable TLS peer certificate verification by default (on next major version bump)
+- Drop support for OpenSSL < 1.1.1
- yasm support dropped, users need to use nasm
- VVC VAAPI decoder
- RealVideo 6.0 decoder
diff --git a/configure b/configure
index 6c1d6868ea..e1809a3e58 100755
--- a/configure
+++ b/configure
@@ -7260,10 +7260,10 @@ enabled omx && require_headers OMX_Core.h && \
enabled openssl && { { check_pkg_config openssl "openssl >= 3.0.0" openssl/ssl.h OPENSSL_init_ssl &&
{ enabled gplv3 || ! enabled gpl || enabled nonfree || die "ERROR: OpenSSL >=3.0.0 requires --enable-version3"; }; } ||
{ enabled gpl && ! enabled nonfree && die "ERROR: OpenSSL <3.0.0 is incompatible with the gpl"; } ||
- check_pkg_config openssl "openssl >= 1.1.0" openssl/ssl.h OPENSSL_init_ssl ||
+ check_pkg_config openssl "openssl >= 1.1.1" openssl/ssl.h OPENSSL_init_ssl ||
check_lib openssl openssl/ssl.h OPENSSL_init_ssl -lssl -lcrypto ||
check_lib openssl openssl/ssl.h OPENSSL_init_ssl -lssl -lcrypto -lws2_32 -lgdi32 ||
- die "ERROR: openssl (>= 1.1.0) not found"; }
+ die "ERROR: openssl (>= 1.1.1) not found"; }
enabled pocketsphinx && require_pkg_config pocketsphinx pocketsphinx pocketsphinx/pocketsphinx.h ps_init
enabled rkmpp && { require_pkg_config rkmpp rockchip_mpp rockchip/rk_mpi.h mpp_create &&
require_pkg_config rockchip_mpp "rockchip_mpp >= 1.3.7" rockchip/rk_mpi.h mpp_create &&
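Review bot: The raised floor is only enforced on the pkg-config path; the two check_lib fallbacks below still probe OPENSSL_init_ssl, which already exists in 1.1.0, so a build without pkg-config against 1.1.0 still passes configure and then breaks on BIO_read_ex() introduced by the later commits in this push. Probing a symbol that first appeared in 1.1.1 in those fallbacks, e.g. `check_lib openssl openssl/ssl.h BIO_read_ex -lssl -lcrypto ||`, would make the requirement hold on every path; the commit message implies BIO_read_ex() is such a symbol, which matches my recollection but is worth confirming against the OpenSSL changelog.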
commit 3a8b3dfeca2ddbee9999262f3240bfe05b55c66a
Author: Kacper MichajÅow <kasper93 at gmail.com>
AuthorDate: Mon Jul 28 19:07:32 2025 +0200
Commit: Leo Izen <leo.izen at gmail.com>
CommitDate: Sat Aug 16 00:15:30 2025 +0000
avformat/tls_openssl: use ascii - (0x2D) instead of 0x2010 hyphen
Too much AI is bad for you...
Fixes: 167e343bbe75515a80db8ee72ffa0c607c944a00
Signed-off-by: Kacper MichajÅow <kasper93 at gmail.com>
diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index bab2e711c6..a1073da216 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -35,8 +35,8 @@
#include <openssl/x509v3.h>
/**
- * Returns a heapâallocated nullâterminated string containing
- * the PEMâencoded public key. Caller must free.
+ * Returns a heap-allocated null-terminated string containing
+ * the PEM-encoded public key. Caller must free.
*/
static char *pkey_to_pem_string(EVP_PKEY *pkey) {
BIO *mem = NULL;
@@ -61,7 +61,7 @@ static char *pkey_to_pem_string(EVP_PKEY *pkey) {
if (!pem_str)
goto err;
- // Copy data & NULâterminate
+ // Copy data & NUL-terminate
memcpy(pem_str, bptr->data, bptr->length);
pem_str[bptr->length] = '\0';
@@ -427,7 +427,7 @@ error:
/**
- * Deserialize a PEMâencoded private or public key from a NUL-terminated C string.
+ * Deserialize a PEM-encoded private or public key from a NUL-terminated C string.
*
* @param pem_str The PEM text, e.g.
* "-----BEGIN PRIVATE KEY-----\nâ¦\n-----END PRIVATE KEY-----\n"
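Review bot: The example string two lines below the changed line still contains a non-ASCII ellipsis (rendered here as `â¦`), and the certificate example in the `@@ -458,7 +458,7 @@` hunk has the same character, so the commit's stated goal of keeping these comments ASCII-only is not fully met. Replacing it with three ASCII dots, `"-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"`, finishes the cleanup.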
@@ -458,7 +458,7 @@ static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv)
}
/**
- * Deserialize a PEMâencoded certificate from a NUL-terminated C string.
+ * Deserialize a PEM-encoded certificate from a NUL-terminated C string.
*
* @param pem_str The PEM text, e.g.
* "-----BEGIN CERTIFICATE-----\nâ¦\n-----END CERTIFICATE-----\n"
-----------------------------------------------------------------------
Summary of changes:
Changelog | 1 +
configure | 4 +-
libavformat/tls_openssl.c | 174 ++++++++++++++--------------------------------
3 files changed, 57 insertions(+), 122 deletions(-)