[FFmpeg-devel] [PATCH v2] libavformat/tls_mbedtls: Changes the return code handling of mbedtls_x509_crt_parse_file

[Mohit Gupta]

mbedtls_x509_crt_parse_file returns an error with negative numbers, and 
positive numbers indicate the number of failed certificates to load from 
certificate specific issues, such as critical extensions.

This would fix ticket #11079.

Signed-off-by: Mohit Gupta <git at skybound.link>
---
  libavformat/tls_mbedtls.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
index 567b95b129..ccf5ee38ad 100644
--- a/libavformat/tls_mbedtls.c
+++ b/libavformat/tls_mbedtls.c
@@ -223,9 +223,11 @@ static int tls_open(URLContext *h, const char *uri, 
int flags, AVDictionary **op
       // load trusted CA
      if (shr->ca_file) {
-        if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, 
shr->ca_file)) != 0) {
+        if ((ret = mbedtls_x509_crt_parse_file(&tls_ctx->ca_cert, 
shr->ca_file)) < 0) {
              av_log(h, AV_LOG_ERROR, "mbedtls_x509_crt_parse_file for 
CA cert returned %d\n", ret);
              goto fail;
+        } else if (ret > 0) {
+            av_log(h, AV_LOG_WARNING, "Failed to process %d 
certificate(s) from the CA bundle, ignoring these certificates\n", ret);
          }
      }
  -- 2.45.2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240725/978f32a2/attachment.sig>