avformat/tls_gnutls: fix build error on linux #21435

Merged
Timo Rothenpieler merged 1 commit from JackLau/FFmpeg:fix_gnutls into master 2026-01-18 01:58:40 +00:00
Member

The fd_set needs <sys/select.h> on linux, but it's
not included in os_support.h, it's included in os_support.c

So this patch uses poll() to replace select() to avoid
this issue and simplify the code.

Signed-off-by: Jack Lau [email protected]

@ -175,3 +175,2 @@
fd_set rfds;
struct timeval tv;
int sockfd = ffurl_get_file_handle(s->udp);
struct pollfd pfd = { .fd = sockfd, .events = POLLIN, .revents = 0};
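
Review bot: `sockfd` from `ffurl_get_file_handle(s->udp)` goes straight into `pfd.fd` with no check in the visible lines; poll() ignores an entry whose fd is negative, so a failed handle lookup would surface as an ordinary timeout instead of an error. Consider testing `sockfd < 0` before the wait. The explicit `.revents = 0` is also redundant in a designated initializer.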

Small nit, missing space before the final }

Author
Member

Fixed

BtbN marked this conversation as resolved
Jack Lau force-pushed fix_gnutls from af9f2b5aa0
All checks were successful
Autolabel / Labeler (pull_request_target) Has been skipped
Lint / Pre-Commit (pull_request) Successful in 46s
Test / Fate (linux-aarch64, static, 64 bit) (pull_request) Successful in 11m27s
Test / Fate (linux-amd64, static, 32 bit) (pull_request) Successful in 15m40s
Test / Fate (linux-amd64, shared, 64 bit) (pull_request) Successful in 22m15s
Test / Fate (Full, wine) (pull_request) Successful in 24m49s
to d888a156cf
All checks were successful
Lint / Pre-Commit (pull_request) Successful in 27s
Test / Fate (linux-aarch64, static, 64 bit) (pull_request) Successful in 11m30s
Test / Fate (linux-amd64, shared, 64 bit) (pull_request) Successful in 15m31s
Test / Fate (linux-amd64, static, 32 bit) (pull_request) Successful in 20m49s
Test / Fate (Full, wine) (pull_request) Successful in 24m40s
Autolabel / Labeler (pull_request_target) Has been skipped
2026-01-12 13:37:27 +00:00

I'm not set up at all to test gnutls.
Code looks good by eye, but someone who actually can build and runtime test it should have a closer look.


fd_set should never be used since it can trigger buffer overflows (or then you need to check fd < FD_SETSIZE).

(Point being that it should be removed elsewhere if applicable. No objections to this patch, obviously.)
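
The `FD_SETSIZE` guard and the poll() alternative from the comment above, as an added example that is not part of the thread or of FFmpeg. The function names and the `dup_above_fdsetsize` helper are hypothetical, and `timeout_ms` is assumed non-negative in the select() variant.

```c
/* Added example (not FFmpeg code): waiting for readability with and without fd_set. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* fd_set is a fixed bitmap of FD_SETSIZE bits: FD_SET() on a larger fd writes
 * past the end of it, so the select() path has to reject such descriptors. */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv = { .tv_sec = timeout_ms / 1000, .tv_usec = (timeout_ms % 1000) * 1000 };
    int ret;
    if (fd < 0 || fd >= FD_SETSIZE)
        return -EINVAL;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    ret = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (ret < 0)
        return -errno;
    return ret > 0 && FD_ISSET(fd, &rfds);
}

/* poll() takes the descriptor as a plain int, so any open fd is safe to pass. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    if (fd < 0)
        return -EINVAL;                 /* poll() would silently ignore it */
    if (poll(&pfd, 1, timeout_ms) < 0)
        return -errno;
    if (pfd.revents & (POLLERR | POLLNVAL))
        return -EIO;
    return (pfd.revents & (POLLIN | POLLHUP)) != 0;
}

/* Hypothetical test helper: duplicate fd onto a number >= FD_SETSIZE. */
int dup_above_fdsetsize(int fd)
{
    struct rlimit rl;
    rlim_t want = FD_SETSIZE + 64;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < want) {
        rl.rlim_cur = rl.rlim_max < want ? rl.rlim_max : want;
        setrlimit(RLIMIT_NOFILE, &rl);
    }
    return fcntl(fd, F_DUPFD, FD_SETSIZE);   /* -1 if the limit is still too low */
}
```

On a descriptor at or above `FD_SETSIZE` the select() wrapper returns `-EINVAL` while the poll() wrapper reports readiness normally.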

First-time contributor

I can confirm that this patch fixes the previous build error on Linux. How could I runtime test it?

Author
Member

@Courmisch wrote in #21435 (comment):

fd_set should never be used since it can trigger buffer overflows (or then you need to check fd < FD_SETSIZE).

Thanks for the detailed guidance!

Author
Member

@luiscastro193 wrote in #21435 (comment):

I can confirm that this patch fixes the previous build error on Linux. How could I runtime test it?

You could test tls, referring to https://ffmpeg.org/ffmpeg-protocols.html#toc-tls, to make sure tls wasn't affected by these patches.

If you want to test dtls, you should add this patch (it enables gnutls dtls and avoids a build error, because some functions aren't implemented yet):

diff --git a/configure b/configure
index 998b0292b8..0be9153f92 100755
--- a/configure
+++ b/configure
@@ -3972,7 +3972,7 @@ tcp_protocol_select="network"
 tls_protocol_deps_any="gnutls openssl schannel securetransport libtls mbedtls"
 tls_protocol_select="tcp_protocol"
 # TODO: Support libtls, mbedtls, and gnutls.
-dtls_protocol_deps_any="openssl schannel"
+dtls_protocol_deps_any="openssl schannel gnutls"
 dtls_protocol_select="udp_protocol"
 udp_protocol_select="network"
 udplite_protocol_select="network"
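
Review bot: the `# TODO: Support libtls, mbedtls, and gnutls.` comment directly above `dtls_protocol_deps_any` still lists gnutls once gnutls is added to the dependency list. Either drop gnutls from the TODO or reword it to say the gnutls side is only stubbed, so a gnutls-only build is not taken to have working dtls.
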
diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c
index 36af03456f..0470a1bc3a 100644
--- a/libavformat/tls_gnutls.c
+++ b/libavformat/tls_gnutls.c
@@ -42,6 +42,26 @@
 GCRY_THREAD_OPTION_PTHREAD_IMPL;
 #endif
 
+int ff_tls_set_external_socket(URLContext *h, URLContext *sock)
+{
+    return 0;
+}
+
+int ff_dtls_export_materials(URLContext *h, char *dtls_srtp_materials, size_t materials_sz)
+{
+    return 0;
+}
+
+int ff_ssl_read_key_cert(char *key_url, char *cert_url, char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint)
+{
+    return 0;
+}
+
+int ff_ssl_gen_key_cert(char *key_buf, size_t key_sz, char *cert_buf, size_t cert_sz, char **fingerprint)
+{
+    return 0;
+}
+
 typedef struct TLSContext {
     TLSShared tls_shared;
     gnutls_session_t session;
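
Review bot: all four stubs return 0, which callers read as success, while `ff_dtls_export_materials`, `ff_ssl_read_key_cert` and `ff_ssl_gen_key_cert` leave `dtls_srtp_materials`, `key_buf`, `cert_buf` and `*fingerprint` unwritten; a caller that trusts the return value would go on to use uninitialized key or certificate data. Return `AVERROR(ENOSYS)` from each stub until the gnutls implementation exists, so the failure is explicit.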

Then you could test dtls, referring to https://ffmpeg.org/ffmpeg-protocols.html#toc-dtls

Maybe you should use the commands below (there are more patches waiting to be merged for full dtls support):

#server
ffmpeg -listen 1 -cert_file cert.pem -key_file key.pem -i dtls://0.0.0.0:1234 test.ts -v debug -y
#client
ffmpeg -re -f lavfi -i testsrc2=duration=5:size=128x72:rate=30 -f mpegts -mtu 10000 dtls://0.0.0.0:1234 -v debug
First-time contributor

Okay so, after applying both patches, for tls I did:

#server
ffmpeg -hide_banner -listen 1 -cert cert.pem -key key.pem -i tls://127.0.0.1:8443 -c copy -f mpegts prueba_salida.ts
#client
ffmpeg -re -f lavfi -i testsrc=duration=5:size=640x480:rate=30 -c:v libx264 -f mpegts -tls_verify 0 tls://127.0.0.1:8443

And it worked fine. For dtls I tried your commands and test.ts was produced fine as well.

First-time contributor

For what it's worth, this PR seems to fix #21444.

Jack Lau deleted branch fix_gnutls 2026-02-09 12:21:26 +00:00