Using SSL_CTX_set_options to disallow specific versions is
discouraged by the documentation, which recommends using
SSL_CTX_set_min_proto_version instead.
As noted in the OpenSSL documentation, BIO_get_new_index must be
used to get a new BIO index. This is ORd with the proper type flag
BIO_TYPE_SOURCE_SINK.
api doc: https://docs.openssl.org/1.0.2/man3/BIO_s_mem
In higher versions (openssl 1.0.2 and higher),
the function signature is BIO *BIO_new_mem_buf(const void *buf, int len),
so passing a const string doesn't cause any warnings.
However, in lower versions of OpenSSL,
the function signature becomes BIO *BIO_new_mem_buf(void *buf, int len),
which leads to warnings.
OpenSSL guarantees that it will not modify the string,
so it's safe to cast the pem_str to (void *) to avoid this warning.
Signed-off-by: Jack Lau <jacklau1222@qq.com>
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
add the missing data structure pkey in the tls_context
properly set this pkey and free it
Signed-off-by: Jack Lau <jacklau1222@qq.com>
Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
0. WHIP Version 3.
1. The WHIP muxer has been renamed and refined,
with improved logging context and error messages for SSL, DTLS, and RTC.
2. Magic numbers have been replaced with macros and extracted to functions,
and log levels have been altered for better clarity.
3. DTLS curve list has been updated,
and SRTP profile names have been refined for FFmpeg and OpenSSL.
4. ICE STUN magic number has been refined,
and RTP payload types have been updated based on Chrome's definition.
5. Fixed frame size has been refined to rtc->audio_par->frame_size,
and h264_mp4toannexb is now used to convert MP4/ISOM to annexb.
6. OPUS timestamp issue has been addressed,
and marker setting has been corrected after utilizing BSF.
7. DTLS handshake and ICE handling have been optimized for improved performance,
with a single handshake timeout and server role to prevent ARQ.
8. Consolidated ICE request/response handling and DTLS handshake into a single function,
and fixed OpenSSL build errors to work with Pion.
9. Merge TLS & DTLS implementation, shared BIO callbacks, read, write,
print_ssl_error, openssl_init_ca_key_cert,
init_bio_method function and shared same data structure
10. Modify configure so that whip is enabled only if dtls is
enabled (just support openssl for now) to fix build error
Co-authored-by: winlin <winlinvip@gmail.com>
Co-authored-by: yangrtc <yangrtc@aliyun.com>
Co-authored-by: cloudwebrtc <duanweiwei1982@gmail.com>
Co-authored-by: Haibo Chen <495810242@qq.com>
Co-authored-by: Steven Liu <lq@chinaffmpeg.org>
Co-authored-by: Jun Zhao <barryjzhao@tencent.com>
Signed-off-by: Jack Lau <jacklau1222@qq.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
These functions do nothing useful when used with a non-ancient
version of openssl (namely 1.1.0 or above).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Its existence is a remnant of (libavcodec's) lock-manager API
which has been removed in a04c2c707d.
There is no need to use the same lock for avisynth, chromaprint
or tls, so switch to ordinary static mutexes instead.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
There are lots of files that don't need it: The number of object
files that actually need it went down from 2011 to 884 here.
Keep it for external users in order to not cause breakages.
Also improve the other headers a bit while just at it.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Unnecessary since acf63d5350adeae551d412db699f8ca03f7e76b9;
also avoids relocations.
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Print every error in the stack, if more than one, and don't print
bogus errors if there's none logged within OpenSSL.
Retain the underlying IO error code, print an error message out of
it, and pass the error code on to the caller.
Signed-off-by: Martin Storsjö <martin@martin.st>
It avoids leaving dangling pointers behind in memory.
Also remove redundant checks for whether the URLContext to be closed is
already NULL.
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
They have been removed altogether without a compat implementation, and are
either no-ops or return NULL.
This fixes compiler warnings about checks always evaluating to false, and leaks
of allocated mutexes.
Signed-off-by: James Almer <jamrial@gmail.com>
* commit '6a9c00c09d2bc50c0ea64ba092b2f4afc46aa978':
tls_openssl: Fix checks for SSL_ERROR_WANT_WRITE in nonblocking operation
Merged-by: James Almer <jamrial@gmail.com>
It's completely absurd that libavcodec would care about libavformat
locking, but it was there because the lock manager was in libavcodec.
This is more straightforward. Changes ABI, but we don't require ABI
compatibility currently.