1 /*****************************************************************************
3 *****************************************************************************
4 * Copyright (C) 2004 VideoLAN
5 * $Id: httpd.c 8263 2004-07-24 09:06:58Z courmisch $
7 * Authors: Remi Denis-Courmont <courmisch@via.ecp.fr>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
22 *****************************************************************************/
27 * - client side stuff,
28 * - server-side client cert validation,
29 * - client-side server cert validation (?).
33 /*****************************************************************************
35 *****************************************************************************/
43 #include <gnutls/gnutls.h>
48 /*****************************************************************************
50 *****************************************************************************/
51 static int Open ( vlc_object_t * );
52 static void Close( vlc_object_t * );
54 #define DH_BITS_TEXT N_("Diffie-Hellman prime bits")
55 #define DH_BITS_LONGTEXT N_( \
56 "Allows you to modify the Diffie-Hellman prime's number of bits " \
57 "(used for TLS or SSL-based server-side encryption)." )
60 set_description( _("GnuTLS TLS encryption layer") );
61 set_capability( "tls", 1 );
62 set_callbacks( Open, Close );
63 set_category( CAT_ADVANCED );
64 set_subcategory( SUBCAT_ADVANCED_MISC );
66 add_integer( "dh-bits", DH_BITS, NULL, DH_BITS_TEXT,
67 DH_BITS_LONGTEXT, VLC_TRUE );
72 typedef struct tls_server_sys_t
74 gnutls_certificate_credentials x509_cred;
75 gnutls_dh_params dh_params;
79 typedef struct tls_session_sys_t
81 gnutls_session session;
85 typedef struct tls_client_sys_t
87 struct tls_session_sys_t session;
88 gnutls_certificate_credentials x509_cred;
92 /*****************************************************************************
94 *****************************************************************************
95 * Sends data through a TLS session.
96 *****************************************************************************/
98 gnutls_Send( void *p_session, const void *buf, int i_length )
101 tls_session_sys_t *p_sys;
103 p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
105 val = gnutls_record_send( p_sys->session, buf, i_length );
106 /* TODO: handle fatal error */
107 return val < 0 ? -1 : val;
111 /*****************************************************************************
113 *****************************************************************************
114 * Receives data through a TLS session.
115 *****************************************************************************/
117 gnutls_Recv( void *p_session, void *buf, int i_length )
120 tls_session_sys_t *p_sys;
122 p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
124 val = gnutls_record_recv( p_sys->session, buf, i_length );
125 /* TODO: handle fatal error */
126 return val < 0 ? -1 : val;
130 /*****************************************************************************
131 * tls_SessionHandshake:
132 *****************************************************************************
133 * Establishes TLS session with a peer through socket <fd>.
134 * Returns NULL on error (do NOT call tls_SessionClose in case of error or
135 * re-use the session structure).
136 *****************************************************************************/
137 static tls_session_t *
138 gnutls_SessionHandshake( tls_session_t *p_session, int fd )
140 tls_session_sys_t *p_sys;
143 p_sys = (tls_session_sys_t *)(p_session->p_sys);
145 gnutls_transport_set_ptr (p_sys->session, (gnutls_transport_ptr)fd);
148 /* TODO: handle fatal error */
149 val = gnutls_handshake( p_sys->session );
150 while( ( val == GNUTLS_E_AGAIN ) || ( val == GNUTLS_E_INTERRUPTED ) );
154 gnutls_deinit( p_sys->session );
155 msg_Err( p_session->p_tls, "TLS handshake failed : %s",
156 gnutls_strerror( val ) );
166 /*****************************************************************************
168 *****************************************************************************
169 * Terminates TLS session and releases session data.
170 *****************************************************************************/
172 gnutls_SessionClose( tls_session_t *p_session )
174 tls_session_sys_t *p_sys;
176 p_sys = (tls_session_sys_t *)(p_session->p_sys);
178 /* On the client-side, credentials are re-allocated per session */
179 if( p_session->p_server == NULL )
180 gnutls_certificate_free_credentials( ((tls_client_sys_t *)p_sys)
183 gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
184 gnutls_deinit( p_sys->session );
190 /*****************************************************************************
192 *****************************************************************************
193 * Initializes client-side TLS session data.
194 *****************************************************************************/
195 static tls_session_t *
196 gnutls_ClientCreate( tls_t *p_tls, const char *psz_ca_path )
198 tls_session_t *p_session;
199 tls_client_sys_t *p_sys;
201 const int cert_type_priority[3] =
207 p_sys = (tls_client_sys_t *)malloc( sizeof(struct tls_client_sys_t) );
211 i_val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
214 msg_Err( p_tls, "Cannot allocate X509 credentials : %s",
215 gnutls_strerror( i_val ) );
220 if( psz_ca_path != NULL )
222 i_val = gnutls_certificate_set_x509_trust_file( p_sys->x509_cred,
224 GNUTLS_X509_FMT_PEM );
227 msg_Err( p_tls, "Cannot add trusted CA (%s) : %s", psz_ca_path,
228 gnutls_strerror( i_val ) );
229 gnutls_certificate_free_credentials( p_sys->x509_cred );
235 i_val = gnutls_init( &p_sys->session.session, GNUTLS_CLIENT );
238 msg_Err( p_tls, "Cannot initialize TLS session : %s",
239 gnutls_strerror( i_val ) );
240 gnutls_certificate_free_credentials( p_sys->x509_cred );
245 i_val = gnutls_set_default_priority( p_sys->session.session );
248 msg_Err( p_tls, "Cannot set ciphers priorities : %s",
249 gnutls_strerror( i_val ) );
250 gnutls_deinit( p_sys->session.session );
251 gnutls_certificate_free_credentials( p_sys->x509_cred );
256 i_val = gnutls_certificate_type_set_priority( p_sys->session.session,
257 cert_type_priority );
260 msg_Err( p_tls, "Cannot set certificate type priorities : %s",
261 gnutls_strerror( i_val ) );
262 gnutls_deinit( p_sys->session.session );
263 gnutls_certificate_free_credentials( p_sys->x509_cred );
268 i_val = gnutls_credentials_set( p_sys->session.session,
269 GNUTLS_CRD_CERTIFICATE,
273 msg_Err( p_tls, "Cannot set TLS session credentials : %s",
274 gnutls_strerror( i_val ) );
275 gnutls_deinit( p_sys->session.session );
276 gnutls_certificate_free_credentials( p_sys->x509_cred );
281 p_session = malloc( sizeof (struct tls_session_t) );
282 if( p_session == NULL )
284 gnutls_deinit( p_sys->session.session );
285 gnutls_certificate_free_credentials( p_sys->x509_cred );
290 p_session->p_tls = p_tls;
291 p_session->p_server = NULL;
292 p_session->p_sys = p_sys;
293 p_session->sock.p_sys = p_session;
294 p_session->sock.pf_send = gnutls_Send;
295 p_session->sock.pf_recv = gnutls_Recv;
296 p_session->pf_handshake = gnutls_SessionHandshake;
297 p_session->pf_close = gnutls_SessionClose;
303 /*****************************************************************************
304 * tls_ServerSessionPrepare:
305 *****************************************************************************
306 * Initializes server-side TLS session data.
307 *****************************************************************************/
308 static tls_session_t *
309 gnutls_ServerSessionPrepare( tls_server_t *p_server )
311 tls_session_t *p_session;
312 tls_session_sys_t *p_sys;
316 p_sys = (tls_session_sys_t *)malloc( sizeof(struct tls_session_sys_t) );
320 i_val = gnutls_init( &p_sys->session, GNUTLS_SERVER );
323 msg_Err( p_server->p_tls, "Cannot initialize TLS session : %s",
324 gnutls_strerror( i_val ) );
329 i_val = gnutls_set_default_priority( p_sys->session );
332 msg_Err( p_server->p_tls, "Cannot set ciphers priorities : %s",
333 gnutls_strerror( i_val ) );
334 gnutls_deinit( p_sys->session );
339 i_val = gnutls_credentials_set( p_sys->session, GNUTLS_CRD_CERTIFICATE,
340 ((tls_server_sys_t *)(p_server->p_sys))
344 msg_Err( p_server->p_tls, "Cannot set TLS session credentials : %s",
345 gnutls_strerror( i_val ) );
346 gnutls_deinit( p_sys->session );
351 /* TODO: support for client authentication */
352 /*gnutls_certificate_server_set_request( p_session->session,
353 GNUTLS_CERT_REQUEST ); */
355 if( var_Get( p_server->p_tls, "dh-bits", &bits ) != VLC_SUCCESS )
357 var_Create( p_server->p_tls, "dh-bits",
358 VLC_VAR_INTEGER | VLC_VAR_DOINHERIT );
359 var_Get( p_server->p_tls, "dh-bits", &bits );
362 gnutls_dh_set_prime_bits( p_sys->session, bits.i_int );
364 p_session = malloc( sizeof (struct tls_session_t) );
365 if( p_session == NULL )
367 gnutls_deinit( p_sys->session );
372 p_session->p_tls = p_server->p_tls;
373 p_session->p_server = p_server;
374 p_session->p_sys = p_sys;
375 p_session->sock.p_sys = p_session;
376 p_session->sock.pf_send = gnutls_Send;
377 p_session->sock.pf_recv = gnutls_Recv;
378 p_session->pf_handshake = gnutls_SessionHandshake;
379 p_session->pf_close = gnutls_SessionClose;
385 /*****************************************************************************
387 *****************************************************************************
388 * Releases data allocated with tls_ServerCreate.
389 *****************************************************************************/
391 gnutls_ServerDelete( tls_server_t *p_server )
393 gnutls_certificate_free_credentials(
394 ((tls_server_sys_t *)(p_server->p_sys))
396 free( p_server->p_sys );
401 /*****************************************************************************
403 *****************************************************************************
404 * Adds one or more certificate authorities.
405 * TODO: we are not able to check the client credentials yet, so this function
407 * Returns -1 on error, 0 on success.
408 *****************************************************************************/
410 gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path )
414 val = gnutls_certificate_set_x509_trust_file( ((tls_server_sys_t *)
418 GNUTLS_X509_FMT_PEM );
421 msg_Err( p_server->p_tls, "Cannot add trusted CA (%s) : %s",
422 psz_ca_path, gnutls_strerror( val ) );
423 gnutls_ServerDelete( p_server );
426 msg_Dbg( p_server->p_tls, " %d trusted CA added (%s)", val,
432 /*****************************************************************************
434 *****************************************************************************
435 * Adds a certificates revocation list to be sent to TLS clients.
436 * Returns -1 on error, 0 on success.
437 *****************************************************************************/
439 gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
443 val = gnutls_certificate_set_x509_crl_file( ((tls_server_sys_t *)
444 (p_server->p_sys))->x509_cred,
446 GNUTLS_X509_FMT_PEM );
449 msg_Err( p_server->p_tls, "Cannot add CRL (%s) : %s",
450 psz_crl_path, gnutls_strerror( val ) );
451 gnutls_ServerDelete( p_server );
454 msg_Dbg( p_server->p_tls, "%d CRL added (%s)", val, psz_crl_path );
459 /*****************************************************************************
461 *****************************************************************************
462 * Allocates a whole server's TLS credentials.
463 * Returns NULL on error.
464 *****************************************************************************/
465 static tls_server_t *
466 gnutls_ServerCreate( tls_t *p_this, const char *psz_cert_path,
467 const char *psz_key_path )
469 tls_server_t *p_server;
470 tls_server_sys_t *p_server_sys;
473 msg_Dbg( p_this, "Creating TLS server" );
475 p_server_sys = (tls_server_sys_t *)malloc( sizeof(struct tls_server_sys_t) );
476 if( p_server_sys == NULL )
479 /* Sets server's credentials */
480 val = gnutls_certificate_allocate_credentials( &p_server_sys->x509_cred );
483 msg_Err( p_this, "Cannot allocate X509 credentials : %s",
484 gnutls_strerror( val ) );
485 free( p_server_sys );
489 val = gnutls_certificate_set_x509_key_file( p_server_sys->x509_cred,
490 psz_cert_path, psz_key_path,
491 GNUTLS_X509_FMT_PEM );
494 msg_Err( p_this, "Cannot set certificate chain or private key : %s",
495 gnutls_strerror( val ) );
496 gnutls_certificate_free_credentials( p_server_sys->x509_cred );
497 free( p_server_sys );
501 /* FIXME: regenerate these regularly */
502 val = gnutls_dh_params_init( &p_server_sys->dh_params );
507 if( var_Get( p_this, "dh-bits", &bits ) != VLC_SUCCESS )
509 var_Create( p_this, "dh-bits",
510 VLC_VAR_INTEGER | VLC_VAR_DOINHERIT );
511 var_Get( p_this, "dh-bits", &bits );
514 msg_Dbg( p_this, "Computing Diffie Hellman ciphers parameters" );
515 val = gnutls_dh_params_generate2( p_server_sys->dh_params,
520 msg_Err( p_this, "Cannot initialize DH cipher suites : %s",
521 gnutls_strerror( val ) );
522 gnutls_certificate_free_credentials( p_server_sys->x509_cred );
523 free( p_server_sys );
526 msg_Dbg( p_this, "Ciphers parameters computed" );
528 gnutls_certificate_set_dh_params( p_server_sys->x509_cred,
529 p_server_sys->dh_params);
531 p_server = (tls_server_t *)malloc( sizeof(struct tls_server_t) );
532 if( p_server == NULL )
534 free( p_server_sys );
538 p_server->p_tls = p_this;
539 p_server->p_sys = p_server_sys;
540 p_server->pf_delete = gnutls_ServerDelete;
541 p_server->pf_add_CA = gnutls_ServerAddCA;
542 p_server->pf_add_CRL = gnutls_ServerAddCRL;
543 p_server->pf_session_prepare = gnutls_ServerSessionPrepare;
549 /*****************************************************************************
550 * gcrypt thread option VLC implementation:
551 *****************************************************************************/
552 vlc_object_t *__p_gcry_data;
554 static int gcry_vlc_mutex_init (void **p_sys)
557 vlc_mutex_t *p_lock = (vlc_mutex_t *)malloc (sizeof (vlc_mutex_t));
562 i_val = vlc_mutex_init( __p_gcry_data, p_lock);
570 static int gcry_vlc_mutex_destroy (void **p_sys)
573 vlc_mutex_t *p_lock = (vlc_mutex_t *)*p_sys;
575 i_val = vlc_mutex_destroy (p_lock);
580 static int gcry_vlc_mutex_lock (void **p_sys)
582 return vlc_mutex_lock ((vlc_mutex_t *)*p_sys);
585 static int gcry_vlc_mutex_unlock (void **lock)
587 return vlc_mutex_unlock ((vlc_mutex_t *)*lock);
590 static struct gcry_thread_cbs gcry_threads_vlc =
592 GCRY_THREAD_OPTION_USER,
595 gcry_vlc_mutex_destroy,
597 gcry_vlc_mutex_unlock
601 /*****************************************************************************
602 * Module initialization
603 *****************************************************************************/
605 Open( vlc_object_t *p_this )
607 tls_t *p_tls = (tls_t *)p_this;
609 vlc_value_t lock, count;
611 var_Create( p_this->p_libvlc, "tls_mutex", VLC_VAR_MUTEX );
612 var_Get( p_this->p_libvlc, "tls_mutex", &lock );
613 vlc_mutex_lock( lock.p_address );
615 /* Initialize GnuTLS only once */
616 var_Create( p_this->p_libvlc, "gnutls_count", VLC_VAR_INTEGER );
617 var_Get( p_this->p_libvlc, "gnutls_count", &count);
619 if( count.i_int == 0)
621 __p_gcry_data = VLC_OBJECT( p_this->p_vlc );
623 gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_vlc);
624 if( gnutls_global_init( ) )
626 msg_Warn( p_this, "cannot initialize GNUTLS" );
627 vlc_mutex_unlock( lock.p_address );
630 if( gnutls_check_version( "1.0.0" ) == NULL )
632 gnutls_global_deinit( );
633 vlc_mutex_unlock( lock.p_address );
634 msg_Err( p_this, "unsupported GNUTLS version" );
637 msg_Dbg( p_this, "GNUTLS initialized" );
641 var_Set( p_this->p_libvlc, "gnutls_count", count);
642 vlc_mutex_unlock( lock.p_address );
644 p_tls->pf_server_create = gnutls_ServerCreate;
645 p_tls->pf_client_create = gnutls_ClientCreate;
650 /*****************************************************************************
651 * Module deinitialization
652 *****************************************************************************/
654 Close( vlc_object_t *p_this )
656 /*tls_t *p_tls = (tls_t *)p_this;
657 tls_sys_t *p_sys = (tls_sys_t *)(p_this->p_sys);*/
659 vlc_value_t lock, count;
661 var_Create( p_this->p_libvlc, "gnutls_mutex", VLC_VAR_MUTEX );
662 var_Get( p_this->p_libvlc, "gnutls_mutex", &lock );
663 vlc_mutex_lock( lock.p_address );
665 var_Create( p_this->p_libvlc, "gnutls_count", VLC_VAR_INTEGER );
666 var_Get( p_this->p_libvlc, "gnutls_count", &count);
668 var_Set( p_this->p_libvlc, "gnutls_count", count);
670 if( count.i_int == 0 )
672 gnutls_global_deinit( );
673 msg_Dbg( p_this, "GNUTLS deinitialized" );
676 vlc_mutex_unlock( lock.p_address);