1 /*****************************************************************************
3 *****************************************************************************
4 * Copyright (C) 2004 VideoLAN
5 * $Id: httpd.c 8263 2004-07-24 09:06:58Z courmisch $
7 * Authors: Remi Denis-Courmont <courmisch@via.ecp.fr>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
22 *****************************************************************************/
27 * - client side stuff,
28 * - server-side client cert validation,
29 * - client-side server cert validation (?).
33 /*****************************************************************************
35 *****************************************************************************/
43 #include <gnutls/gnutls.h>
48 /*****************************************************************************
50 *****************************************************************************/
51 static int Open ( vlc_object_t * );
52 static void Close( vlc_object_t * );
54 #define DH_BITS_TEXT N_("Diffie-Hellman prime bits")
55 #define DH_BITS_LONGTEXT N_( \
56 "Allows you to modify the Diffie-Hellman prime's number of bits " \
57 "(used for TLS or SSL-based server-side encryption)." )
60 set_description( _("GnuTLS TLS encryption layer") );
61 set_capability( "tls", 1 );
62 set_callbacks( Open, Close );
63 set_category( CAT_ADVANCED );
64 set_subcategory( SUBCAT_ADVANCED_MISC );
66 add_integer( "dh-bits", DH_BITS, NULL, DH_BITS_TEXT,
67 DH_BITS_LONGTEXT, VLC_TRUE );
72 typedef struct tls_server_sys_t
74 gnutls_certificate_credentials x509_cred;
75 gnutls_dh_params dh_params;
79 typedef struct tls_session_sys_t
81 gnutls_session session;
85 typedef struct tls_client_sys_t
87 struct tls_session_sys_t session;
88 gnutls_certificate_credentials x509_cred;
92 /*****************************************************************************
94 *****************************************************************************
95 * Sends data through a TLS session.
96 *****************************************************************************/
98 gnutls_Send( void *p_session, const void *buf, int i_length )
101 tls_session_sys_t *p_sys;
103 p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
105 val = gnutls_record_send( p_sys->session, buf, i_length );
106 /* TODO: handle fatal error */
107 return val < 0 ? -1 : val;
111 /*****************************************************************************
113 *****************************************************************************
114 * Receives data through a TLS session.
115 *****************************************************************************/
117 gnutls_Recv( void *p_session, void *buf, int i_length )
120 tls_session_sys_t *p_sys;
122 p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
124 val = gnutls_record_recv( p_sys->session, buf, i_length );
125 /* TODO: handle fatal error */
126 return val < 0 ? -1 : val;
130 /*****************************************************************************
131 * tls_Session(Continue)?Handshake:
132 *****************************************************************************
133 * Establishes TLS session with a peer through socket <fd>.
134 * Returns -1 on error (you need not and must not call tls_SessionClose)
135 * 0 on succesful handshake completion, 1 if more would-be blocking recv is
136 * needed, 2 if more would-be blocking send is required.
137 *****************************************************************************/
139 gnutls_SessionContinueHandshake( tls_session_t *p_session)
141 tls_session_sys_t *p_sys;
144 p_sys = (tls_session_sys_t *)(p_session->p_sys);
146 /* TODO: handle fatal error */
147 val = gnutls_handshake( p_sys->session );
148 if( ( val == GNUTLS_E_AGAIN ) || ( val == GNUTLS_E_INTERRUPTED ) )
149 return 1 + gnutls_record_get_direction( p_sys->session );
153 gnutls_deinit( p_sys->session );
154 msg_Err( p_session->p_tls, "TLS handshake failed : %s",
155 gnutls_strerror( val ) );
165 gnutls_SessionHandshake( tls_session_t *p_session, int fd )
167 tls_session_sys_t *p_sys;
169 p_sys = (tls_session_sys_t *)(p_session->p_sys);
171 gnutls_transport_set_ptr (p_sys->session, (gnutls_transport_ptr)fd);
173 return gnutls_SessionContinueHandshake( p_session );
177 /*****************************************************************************
179 *****************************************************************************
180 * Terminates TLS session and releases session data.
181 *****************************************************************************/
183 gnutls_SessionClose( tls_session_t *p_session )
185 tls_session_sys_t *p_sys;
187 p_sys = (tls_session_sys_t *)(p_session->p_sys);
189 /* On the client-side, credentials are re-allocated per session */
190 if( p_session->p_server == NULL )
191 gnutls_certificate_free_credentials( ((tls_client_sys_t *)p_sys)
194 gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
195 gnutls_deinit( p_sys->session );
201 /*****************************************************************************
203 *****************************************************************************
204 * Initializes client-side TLS session data.
205 *****************************************************************************/
206 static tls_session_t *
207 gnutls_ClientCreate( tls_t *p_tls, const char *psz_ca_path )
209 tls_session_t *p_session;
210 tls_client_sys_t *p_sys;
212 const int cert_type_priority[3] =
218 p_sys = (tls_client_sys_t *)malloc( sizeof(struct tls_client_sys_t) );
222 i_val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
225 msg_Err( p_tls, "Cannot allocate X509 credentials : %s",
226 gnutls_strerror( i_val ) );
231 if( psz_ca_path != NULL )
233 i_val = gnutls_certificate_set_x509_trust_file( p_sys->x509_cred,
235 GNUTLS_X509_FMT_PEM );
238 msg_Err( p_tls, "Cannot add trusted CA (%s) : %s", psz_ca_path,
239 gnutls_strerror( i_val ) );
240 gnutls_certificate_free_credentials( p_sys->x509_cred );
246 i_val = gnutls_init( &p_sys->session.session, GNUTLS_CLIENT );
249 msg_Err( p_tls, "Cannot initialize TLS session : %s",
250 gnutls_strerror( i_val ) );
251 gnutls_certificate_free_credentials( p_sys->x509_cred );
256 i_val = gnutls_set_default_priority( p_sys->session.session );
259 msg_Err( p_tls, "Cannot set ciphers priorities : %s",
260 gnutls_strerror( i_val ) );
261 gnutls_deinit( p_sys->session.session );
262 gnutls_certificate_free_credentials( p_sys->x509_cred );
267 i_val = gnutls_certificate_type_set_priority( p_sys->session.session,
268 cert_type_priority );
271 msg_Err( p_tls, "Cannot set certificate type priorities : %s",
272 gnutls_strerror( i_val ) );
273 gnutls_deinit( p_sys->session.session );
274 gnutls_certificate_free_credentials( p_sys->x509_cred );
279 i_val = gnutls_credentials_set( p_sys->session.session,
280 GNUTLS_CRD_CERTIFICATE,
284 msg_Err( p_tls, "Cannot set TLS session credentials : %s",
285 gnutls_strerror( i_val ) );
286 gnutls_deinit( p_sys->session.session );
287 gnutls_certificate_free_credentials( p_sys->x509_cred );
292 p_session = malloc( sizeof (struct tls_session_t) );
293 if( p_session == NULL )
295 gnutls_deinit( p_sys->session.session );
296 gnutls_certificate_free_credentials( p_sys->x509_cred );
301 p_session->p_tls = p_tls;
302 p_session->p_server = NULL;
303 p_session->p_sys = p_sys;
304 p_session->sock.p_sys = p_session;
305 p_session->sock.pf_send = gnutls_Send;
306 p_session->sock.pf_recv = gnutls_Recv;
307 p_session->pf_handshake = gnutls_SessionHandshake;
308 p_session->pf_close = gnutls_SessionClose;
314 /*****************************************************************************
315 * tls_ServerSessionPrepare:
316 *****************************************************************************
317 * Initializes server-side TLS session data.
318 *****************************************************************************/
319 static tls_session_t *
320 gnutls_ServerSessionPrepare( tls_server_t *p_server )
322 tls_session_t *p_session;
323 tls_session_sys_t *p_sys;
327 p_sys = (tls_session_sys_t *)malloc( sizeof(struct tls_session_sys_t) );
331 i_val = gnutls_init( &p_sys->session, GNUTLS_SERVER );
334 msg_Err( p_server->p_tls, "Cannot initialize TLS session : %s",
335 gnutls_strerror( i_val ) );
340 i_val = gnutls_set_default_priority( p_sys->session );
343 msg_Err( p_server->p_tls, "Cannot set ciphers priorities : %s",
344 gnutls_strerror( i_val ) );
345 gnutls_deinit( p_sys->session );
350 i_val = gnutls_credentials_set( p_sys->session, GNUTLS_CRD_CERTIFICATE,
351 ((tls_server_sys_t *)(p_server->p_sys))
355 msg_Err( p_server->p_tls, "Cannot set TLS session credentials : %s",
356 gnutls_strerror( i_val ) );
357 gnutls_deinit( p_sys->session );
362 /* TODO: support for client authentication */
363 /*gnutls_certificate_server_set_request( p_session->session,
364 GNUTLS_CERT_REQUEST ); */
366 if( var_Get( p_server->p_tls, "dh-bits", &bits ) != VLC_SUCCESS )
368 var_Create( p_server->p_tls, "dh-bits",
369 VLC_VAR_INTEGER | VLC_VAR_DOINHERIT );
370 var_Get( p_server->p_tls, "dh-bits", &bits );
373 gnutls_dh_set_prime_bits( p_sys->session, bits.i_int );
375 p_session = malloc( sizeof (struct tls_session_t) );
376 if( p_session == NULL )
378 gnutls_deinit( p_sys->session );
383 p_session->p_tls = p_server->p_tls;
384 p_session->p_server = p_server;
385 p_session->p_sys = p_sys;
386 p_session->sock.p_sys = p_session;
387 p_session->sock.pf_send = gnutls_Send;
388 p_session->sock.pf_recv = gnutls_Recv;
389 p_session->pf_handshake = gnutls_SessionHandshake;
390 p_session->pf_handshake2 = gnutls_SessionContinueHandshake;
391 p_session->pf_close = gnutls_SessionClose;
397 /*****************************************************************************
399 *****************************************************************************
400 * Releases data allocated with tls_ServerCreate.
401 *****************************************************************************/
403 gnutls_ServerDelete( tls_server_t *p_server )
405 gnutls_certificate_free_credentials(
406 ((tls_server_sys_t *)(p_server->p_sys))
408 free( p_server->p_sys );
413 /*****************************************************************************
415 *****************************************************************************
416 * Adds one or more certificate authorities.
417 * TODO: we are not able to check the client credentials yet, so this function
419 * Returns -1 on error, 0 on success.
420 *****************************************************************************/
422 gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path )
426 val = gnutls_certificate_set_x509_trust_file( ((tls_server_sys_t *)
430 GNUTLS_X509_FMT_PEM );
433 msg_Err( p_server->p_tls, "Cannot add trusted CA (%s) : %s",
434 psz_ca_path, gnutls_strerror( val ) );
435 gnutls_ServerDelete( p_server );
438 msg_Dbg( p_server->p_tls, " %d trusted CA added (%s)", val,
444 /*****************************************************************************
446 *****************************************************************************
447 * Adds a certificates revocation list to be sent to TLS clients.
448 * Returns -1 on error, 0 on success.
449 *****************************************************************************/
451 gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
455 val = gnutls_certificate_set_x509_crl_file( ((tls_server_sys_t *)
456 (p_server->p_sys))->x509_cred,
458 GNUTLS_X509_FMT_PEM );
461 msg_Err( p_server->p_tls, "Cannot add CRL (%s) : %s",
462 psz_crl_path, gnutls_strerror( val ) );
463 gnutls_ServerDelete( p_server );
466 msg_Dbg( p_server->p_tls, "%d CRL added (%s)", val, psz_crl_path );
471 /*****************************************************************************
473 *****************************************************************************
474 * Allocates a whole server's TLS credentials.
475 * Returns NULL on error.
476 *****************************************************************************/
477 static tls_server_t *
478 gnutls_ServerCreate( tls_t *p_this, const char *psz_cert_path,
479 const char *psz_key_path )
481 tls_server_t *p_server;
482 tls_server_sys_t *p_server_sys;
485 msg_Dbg( p_this, "Creating TLS server" );
487 p_server_sys = (tls_server_sys_t *)malloc( sizeof(struct tls_server_sys_t) );
488 if( p_server_sys == NULL )
491 /* Sets server's credentials */
492 val = gnutls_certificate_allocate_credentials( &p_server_sys->x509_cred );
495 msg_Err( p_this, "Cannot allocate X509 credentials : %s",
496 gnutls_strerror( val ) );
497 free( p_server_sys );
501 val = gnutls_certificate_set_x509_key_file( p_server_sys->x509_cred,
502 psz_cert_path, psz_key_path,
503 GNUTLS_X509_FMT_PEM );
506 msg_Err( p_this, "Cannot set certificate chain or private key : %s",
507 gnutls_strerror( val ) );
508 gnutls_certificate_free_credentials( p_server_sys->x509_cred );
509 free( p_server_sys );
513 /* FIXME: regenerate these regularly */
514 val = gnutls_dh_params_init( &p_server_sys->dh_params );
519 if( var_Get( p_this, "dh-bits", &bits ) != VLC_SUCCESS )
521 var_Create( p_this, "dh-bits",
522 VLC_VAR_INTEGER | VLC_VAR_DOINHERIT );
523 var_Get( p_this, "dh-bits", &bits );
526 msg_Dbg( p_this, "Computing Diffie Hellman ciphers parameters" );
527 val = gnutls_dh_params_generate2( p_server_sys->dh_params,
532 msg_Err( p_this, "Cannot initialize DH cipher suites : %s",
533 gnutls_strerror( val ) );
534 gnutls_certificate_free_credentials( p_server_sys->x509_cred );
535 free( p_server_sys );
538 msg_Dbg( p_this, "Ciphers parameters computed" );
540 gnutls_certificate_set_dh_params( p_server_sys->x509_cred,
541 p_server_sys->dh_params);
543 p_server = (tls_server_t *)malloc( sizeof(struct tls_server_t) );
544 if( p_server == NULL )
546 free( p_server_sys );
550 p_server->p_tls = p_this;
551 p_server->p_sys = p_server_sys;
552 p_server->pf_delete = gnutls_ServerDelete;
553 p_server->pf_add_CA = gnutls_ServerAddCA;
554 p_server->pf_add_CRL = gnutls_ServerAddCRL;
555 p_server->pf_session_prepare = gnutls_ServerSessionPrepare;
561 /*****************************************************************************
562 * gcrypt thread option VLC implementation:
563 *****************************************************************************/
564 vlc_object_t *__p_gcry_data;
566 static int gcry_vlc_mutex_init (void **p_sys)
569 vlc_mutex_t *p_lock = (vlc_mutex_t *)malloc (sizeof (vlc_mutex_t));
574 i_val = vlc_mutex_init( __p_gcry_data, p_lock);
582 static int gcry_vlc_mutex_destroy (void **p_sys)
585 vlc_mutex_t *p_lock = (vlc_mutex_t *)*p_sys;
587 i_val = vlc_mutex_destroy (p_lock);
592 static int gcry_vlc_mutex_lock (void **p_sys)
594 return vlc_mutex_lock ((vlc_mutex_t *)*p_sys);
597 static int gcry_vlc_mutex_unlock (void **lock)
599 return vlc_mutex_unlock ((vlc_mutex_t *)*lock);
602 static struct gcry_thread_cbs gcry_threads_vlc =
604 GCRY_THREAD_OPTION_USER,
607 gcry_vlc_mutex_destroy,
609 gcry_vlc_mutex_unlock
613 /*****************************************************************************
614 * Module initialization
615 *****************************************************************************/
617 Open( vlc_object_t *p_this )
619 tls_t *p_tls = (tls_t *)p_this;
621 vlc_value_t lock, count;
623 var_Create( p_this->p_libvlc, "tls_mutex", VLC_VAR_MUTEX );
624 var_Get( p_this->p_libvlc, "tls_mutex", &lock );
625 vlc_mutex_lock( lock.p_address );
627 /* Initialize GnuTLS only once */
628 var_Create( p_this->p_libvlc, "gnutls_count", VLC_VAR_INTEGER );
629 var_Get( p_this->p_libvlc, "gnutls_count", &count);
631 if( count.i_int == 0)
633 __p_gcry_data = VLC_OBJECT( p_this->p_vlc );
635 gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_vlc);
636 if( gnutls_global_init( ) )
638 msg_Warn( p_this, "cannot initialize GNUTLS" );
639 vlc_mutex_unlock( lock.p_address );
642 if( gnutls_check_version( "1.0.0" ) == NULL )
644 gnutls_global_deinit( );
645 vlc_mutex_unlock( lock.p_address );
646 msg_Err( p_this, "unsupported GNUTLS version" );
649 msg_Dbg( p_this, "GNUTLS initialized" );
653 var_Set( p_this->p_libvlc, "gnutls_count", count);
654 vlc_mutex_unlock( lock.p_address );
656 p_tls->pf_server_create = gnutls_ServerCreate;
657 p_tls->pf_client_create = gnutls_ClientCreate;
662 /*****************************************************************************
663 * Module deinitialization
664 *****************************************************************************/
666 Close( vlc_object_t *p_this )
668 /*tls_t *p_tls = (tls_t *)p_this;
669 tls_sys_t *p_sys = (tls_sys_t *)(p_this->p_sys);*/
671 vlc_value_t lock, count;
673 var_Create( p_this->p_libvlc, "gnutls_mutex", VLC_VAR_MUTEX );
674 var_Get( p_this->p_libvlc, "gnutls_mutex", &lock );
675 vlc_mutex_lock( lock.p_address );
677 var_Create( p_this->p_libvlc, "gnutls_count", VLC_VAR_INTEGER );
678 var_Get( p_this->p_libvlc, "gnutls_count", &count);
680 var_Set( p_this->p_libvlc, "gnutls_count", count);
682 if( count.i_int == 0 )
684 gnutls_global_deinit( );
685 msg_Dbg( p_this, "GNUTLS deinitialized" );
688 vlc_mutex_unlock( lock.p_address);