22 #include <mbedtls/version.h>
23 #include <mbedtls/ctr_drbg.h>
24 #include <mbedtls/entropy.h>
25 #include <mbedtls/net_sockets.h>
26 #include <mbedtls/platform.h>
27 #include <mbedtls/ssl.h>
28 #include <mbedtls/x509_crt.h>
50 #define OFFSET(x) offsetof(TLSContext, x)
58 mbedtls_x509_crt_free(&tls_ctx->
ca_cert);
59 mbedtls_x509_crt_free(&tls_ctx->
own_cert);
73 return react_on_eagain;
78 return MBEDTLS_ERR_NET_CONN_RESET;
82 return MBEDTLS_ERR_NET_SEND_FAILED;
93 if (
h->max_packet_size &&
len >
h->max_packet_size)
94 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
106 if (
h->max_packet_size &&
len >
h->max_packet_size)
107 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
115 case MBEDTLS_ERR_PK_FILE_IO_ERROR:
116 av_log(
h,
AV_LOG_ERROR,
"Read of key file failed. Is it actually there, are the access permissions correct?\n");
118 case MBEDTLS_ERR_PK_PASSWORD_REQUIRED:
121 case MBEDTLS_ERR_PK_PASSWORD_MISMATCH:
133 #if MBEDTLS_VERSION_MAJOR < 3
134 case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
135 av_log(
h,
AV_LOG_ERROR,
"None of the common ciphersuites is usable. Was the local certificate correctly set?\n");
138 case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:
142 case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
143 av_log(
h,
AV_LOG_ERROR,
"A fatal alert message was received from the peer, has the peer a correct certificate?\n");
145 case MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED:
146 av_log(
h,
AV_LOG_ERROR,
"No CA chain is set, but required to operate. Was the CA correctly set?\n");
148 case MBEDTLS_ERR_NET_CONN_RESET:
160 const char *p = strchr(uri,
'?');
172 uint32_t verify_res_flags;
182 mbedtls_ssl_config_init(&tls_ctx->
ssl_config);
185 mbedtls_x509_crt_init(&tls_ctx->
ca_cert);
186 mbedtls_pk_init(&tls_ctx->
priv_key);
206 mbedtls_entropy_func,
215 if ((
ret = mbedtls_pk_parse_keyfile(&tls_ctx->
priv_key,
218 #
if MBEDTLS_VERSION_MAJOR >= 3
219 , mbedtls_ctr_drbg_random,
229 shr->
listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
230 MBEDTLS_SSL_TRANSPORT_STREAM,
231 MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
236 mbedtls_ssl_conf_authmode(&tls_ctx->
ssl_config,
237 shr->
verify ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE);
263 while ((
ret = mbedtls_ssl_handshake(&tls_ctx->
ssl_context)) != 0) {
264 if (
ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
272 if ((verify_res_flags = mbedtls_ssl_get_verify_result(&tls_ctx->
ssl_context)) != 0) {
274 "with the certificate verification, returned flags: %u\n",
276 if (verify_res_flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
292 case MBEDTLS_ERR_SSL_WANT_READ:
293 case MBEDTLS_ERR_SSL_WANT_WRITE:
295 case MBEDTLS_ERR_NET_SEND_FAILED:
296 case MBEDTLS_ERR_NET_RECV_FAILED:
298 case MBEDTLS_ERR_NET_CONN_RESET:
299 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY: