[FFmpeg-devel] [PATCH] libavformat/tls_mbedtls.c: Accommodating to mbedtls v3.0.0 API changes
James Almer
jamrial at gmail.com
Mon Nov 1 20:15:23 EET 2021
On 11/1/2021 2:42 PM, meryacine wrote:
>
> There were breaking API changes in mbedtls from v2.27.0 to v3.0.0.
> This patch accounts for these changes.
>
> Changes:
> - mbedtls/certs.h is no longer imported. See https://github.com/ARMmbed/mbedtls/pull/4119.
> - mbedtls/config.h is replaced with mbedtls/build_info.h. See https://github.com/ARMmbed/mbedtls/blob/v3.0.0/docs/3.0-migration-guide.md#introduce-a-level-of-indirection-and-versioning-in-the-config-files.
> - MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE is replaced with MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE. See https://github.com/ARMmbed/mbedtls/blob/v3.0.0/docs/3.0-migration-guide.md#changes-in-the-ssl-error-code-space.
> - The function mbedtls_pk_parse_keyfile should now be given 2 more arguments. See https://github.com/ARMmbed/mbedtls/blob/v3.0.0/docs/3.0-migration-guide.md#some-functions-gained-an-rng-parameter.
>
> Signed-off-by: meryacine <omar.groza at gmail.com>
> ---
> libavformat/tls_mbedtls.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
> index aadf17760d..0730c2dacb 100644
> --- a/libavformat/tls_mbedtls.c
> +++ b/libavformat/tls_mbedtls.c
> @@ -19,8 +19,7 @@
> * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> */
>
> -#include <mbedtls/certs.h>
> -#include <mbedtls/config.h>
> +#include <mbedtls/build_info.h>
> #include <mbedtls/ctr_drbg.h>
> #include <mbedtls/entropy.h>
> #include <mbedtls/net_sockets.h>
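Review bot: The include swap at the top of the file is unconditional, so the file stops building against mbedtls 2.x, which has no mbedtls/build_info.h. mbedtls/version.h exists in both series and defines MBEDTLS_VERSION_MAJOR; include it first and pick `#include <mbedtls/config.h>` or `#include <mbedtls/build_info.h>` with `#if MBEDTLS_VERSION_MAJOR >= 3`.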
> @@ -130,7 +129,7 @@ static void handle_pk_parse_error(URLContext *h, int ret)
> static void handle_handshake_error(URLContext *h, int ret)
> {
> switch (ret) {
> - case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
> + case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:
> av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n");
> break;
> case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
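Review bot: The av_log text under the renamed case in handle_handshake_error() still says "None of the common ciphersuites is usable", but MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE is a more general code than MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE, so the message can now point the user at the wrong cause. Reword the message for the 3.x case to describe a generic handshake failure, and keep the old case label with its current message under a version check for 2.x.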
> @@ -199,7 +198,9 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
> if (shr->key_file) {
> if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key,
> shr->key_file,
> - tls_ctx->priv_key_pw)) != 0) {
> + tls_ctx->priv_key_pw,
> + mbedtls_ctr_drbg_random,
> + &tls_ctx->ctr_drbg_context)) != 0) {
You need to keep supporting mbedtls <= 2.27 for a while. All distros
still ship it.
Is there a compile time define that can be used to detect this, and wrap
either version of the code in pre-processor checks?
> handle_pk_parse_error(h, ret);
> goto fail;
> }
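Review bot: The added `mbedtls_ctr_drbg_random` and `&tls_ctx->ctr_drbg_context` arguments make key parsing in tls_open() depend on the DRBG, and the hunk does not show whether mbedtls_ctr_drbg_seed() has already run at this point. Confirm the seeding happens before the `if (shr->key_file)` block, or move it up, since the RNG has to be seeded before it is handed to mbedtls_pk_parse_keyfile(). The two extra arguments also need to be compiled only for mbedtls 3.x so the three-argument call remains for 2.x.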