[FFmpeg-devel] [PATCH 2/2] lavf/tls: accept a default CA bundle at configure-time

Rodger Combs rodger.combs at gmail.com
Wed May 20 23:59:47 CEST 2015


---
 configure         | 30 +++++++++++++++++++++++++++++-
 libavformat/tls.c |  2 +-
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index fed69ec..346e135 100755
--- a/configure
+++ b/configure
@@ -108,6 +108,7 @@ Configuration options:
   --disable-all            disable building components, libraries and programs
   --enable-incompatible-libav-abi enable incompatible Libav fork ABI [no]
   --enable-raise-major     increase major version numbers in sonames [no]
+  --default-ca-file=PATH   default CA file for TLS verification [autodetect]
 
 Program options:
   --disable-programs       do not build command line programs
@@ -1953,6 +1954,7 @@ PATHS_LIST="
     mandir
     prefix
     shlibdir
+    default_ca_file
 "
 
 CMDLINE_SET="
@@ -3138,6 +3140,7 @@ test -n "$cross_prefix" && enable cross_compile
 if enabled cross_compile; then
     test -n "$arch" && test -n "$target_os" ||
         die "Must specify target arch and OS when cross-compiling"
+    disable find_cert_bundle
 fi
 
 ar_default="${cross_prefix}${ar_default}"
@@ -5188,11 +5191,31 @@ if ! disabled sdl; then
 fi
 enabled sdl && add_cflags $sdl_cflags && add_extralibs $sdl_libs
 
-{ enabled openssl || enabled gnutls; } && disable securetransport
+{ enabled openssl || enabled gnutls; } && disable securetransport || disable find_cert_bundle
 
 disabled securetransport || { check_lib2 Security/SecureTransport.h SSLCreateContext "-Wl,-framework,CoreFoundation -Wl,-framework,Security" &&
     enable securetransport; }
 
+# CA bundle
+
+if ! disabled find_cert_bundle && [ -z "$default_ca_file" ]; then
+    for a in /etc/ssl/certs/ca-certificates.crt \
+             /etc/ssl/cert.pem \
+             /etc/pki/tls/certs/ca-bundle.crt \
+             /etc/pki/tls/certs/ca-bundle.trust.crt \
+             /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
+             /usr/share/ssl/certs/ca-bundle.crt \
+             /usr/local/share/certs/ca-root.crt \
+             /usr/local/share/curl/curl-ca-bundle.crt \
+             /System/Library/OpenSSL/cert.pem;
+             do
+        if test -f "$a"; then
+            default_ca_file="$a"
+            break
+        fi
+    done
+fi
+
 makeinfo --version > /dev/null 2>&1 && enable makeinfo  || disable makeinfo
 enabled makeinfo && (makeinfo --version | \
                      grep -q 'makeinfo (GNU texinfo) 5' > /dev/null 2>&1) \
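Review bot: On the `{ enabled openssl || enabled gnutls; } && disable securetransport || disable find_cert_bundle` line, `disable find_cert_bundle` runs whenever anything to its left returns non-zero, not only when neither TLS library is enabled, so the result depends on `disable securetransport` always succeeding. An explicit form states the intent: `if enabled openssl || enabled gnutls; then disable securetransport; else disable find_cert_bundle; fi`. The same `A && B || C` shape recurs in the hunk that writes `DEFAULT_CA_FILE` to `$TMPH`. The detection loop also records whichever bundle exists on the build machine as the runtime trust store, so it deserves a comment above `# CA bundle` such as `# NOTE: the detected path is compiled in; packagers building for another host should pass --default-ca-file explicitly`.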
@@ -5724,6 +5747,7 @@ echo "makeinfo enabled          ${makeinfo-no}"
 echo "makeinfo supports HTML    ${makeinfo_html-no}"
 test -n "$random_seed" &&
     echo "random seed               ${random_seed}"
+echo "default CA file           ${default_ca_file:-none}"
 echo
 
 echo "External libraries:"
@@ -5916,6 +5940,10 @@ cat > $TMPH <<EOF
 #define SWS_MAX_FILTER_SIZE $sws_max_filter_size
 EOF
 
+test -n "$default_ca_file" &&
+    echo "#define DEFAULT_CA_FILE \"$(eval c_escape $default_ca_file)\"" >>$TMPH ||
+    echo "#define DEFAULT_CA_FILE NULL" >> $TMPH
+
 test -n "$assert_level" &&
     echo "#define ASSERT_LEVEL $assert_level" >>$TMPH
 
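Review bot: `$default_ca_file` reaches `eval c_escape` unquoted on the `#define DEFAULT_CA_FILE` line, so a path containing spaces is word-split and one containing shell metacharacters is interpreted by the shell instead of being copied into the header. The value comes from `--default-ca-file=` or from autodetection, so any build wrapper that forwards it is passing shell input. If `eval` is there only to expand `${prefix}`-style references as for the other `PATHS_LIST` entries (not visible here), an absolute CA path does not need it. Assuming `c_escape` takes the string as its arguments (its definition is outside this hunk), `echo "#define DEFAULT_CA_FILE \"$(c_escape "$default_ca_file")\"" >>$TMPH` would keep the value literal.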
diff --git a/libavformat/tls.c b/libavformat/tls.c
index 70596f8..c941de8 100644
--- a/libavformat/tls.c
+++ b/libavformat/tls.c
@@ -102,7 +102,7 @@ typedef struct TLSContext {
 #define D AV_OPT_FLAG_DECODING_PARAM
 #define E AV_OPT_FLAG_ENCODING_PARAM
 static const AVOption options[] = {
-    {"ca_file",    "Certificate Authority database file", OFFSET(ca_file),   AV_OPT_TYPE_STRING, .flags = D|E },
+    {"ca_file",    "Certificate Authority database file", OFFSET(ca_file),   AV_OPT_TYPE_STRING, { .str = DEFAULT_CA_FILE }, .flags = D|E },
     {"cafile",     "Certificate Authority database file", OFFSET(ca_file),   AV_OPT_TYPE_STRING, .flags = D|E },
     {"tls_verify", "Verify the peer certificate",         OFFSET(verify),    AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, .flags = D|E },
     {"cert_file",  "Certificate file",                    OFFSET(cert_file), AV_OPT_TYPE_STRING, .flags = D|E },
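Review bot: Only the `ca_file` entry receives `DEFAULT_CA_FILE`, while the `cafile` alias on the next line writes the same `OFFSET(ca_file)` field and keeps an empty default. If option defaults are applied entry by entry in table order (that code is not part of this hunk), the alias would reset the field to NULL and the configured bundle would never be used. Giving the alias the same `{ .str = DEFAULT_CA_FILE }` removes the dependence on ordering. Separately, `tls_verify` still defaults to 0 in this table, so as far as these lines show, a default CA file does not by itself turn on peer verification; the option help or commit message should say so. The `options[]` array continues past the end of the hunk.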
-- 
2.3.5


