[FFmpeg-devel] [PATCH 4/6] lavf/tls_mbedtls: fix handling of certification validation failures
sfan5
sfan5 at live.de
Tue May 21 13:13:34 EEST 2024
Am 18.05.24 um 21:53 schrieb Michael Niedermayer:
> On Fri, May 17, 2024 at 10:34:41AM +0200, Sfan5 wrote:
>> We manually check the verification status after the handshake has completed
>> using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED
>> mbedtls_ssl_handshake() already returns an error, so this code is never
>> reached.
>> Fix that by using VERIFY_OPTIONAL, which performs the verification but
>> does not abort the handshake.
>>
>> Signed-off-by: sfan5 <sfan5 at live.de>
>> ---
>> libavformat/tls_mbedtls.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c
>> index 9508fe3436..67d5c568b9 100644
>> --- a/libavformat/tls_mbedtls.c
>> +++ b/libavformat/tls_mbedtls.c
>> @@ -263,8 +263,9 @@ static int tls_open(URLContext *h, const char *uri, int
>> flags, AVDictionary **op
>> goto fail;
>> }
>> + // not VERIFY_REQUIRED because we manually check after handshake
>> mbedtls_ssl_conf_authmode(&tls_ctx->ssl_config,
>> - shr->verify ? MBEDTLS_SSL_VERIFY_REQUIRED :
>> MBEDTLS_SSL_VERIFY_NONE);
>> + shr->verify ? MBEDTLS_SSL_VERIFY_OPTIONAL :
>> MBEDTLS_SSL_VERIFY_NONE);
>> mbedtls_ssl_conf_rng(&tls_ctx->ssl_config, mbedtls_ctr_drbg_random,
>> &tls_ctx->ctr_drbg_context);
>> mbedtls_ssl_conf_ca_chain(&tls_ctx->ssl_config, &tls_ctx->ca_cert,
>> NULL);
> This patch looks corrupted by extra line breaks
>
> [...]
Thanks for pointing that out.
It looks like years later Microsoft is still incapable of leaving
patches intact... Will send as attachments for v2.
More information about the ffmpeg-devel
mailing list