/*****************************************************************************
* gnutls.c
*****************************************************************************
- * Copyright (C) 2004-2006 Rémi Denis-Courmont
- * $Id$
- *
- * Authors: Rémi Denis-Courmont <rem # videolan.org>
+ * Copyright (C) 2004-2012 Rémi Denis-Courmont
*
* This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * GNU Lesser General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
+ * You should have received a copy of the GNU Öesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
*****************************************************************************/
/*****************************************************************************
# include "config.h"
#endif
-#include <vlc/vlc.h>
-#include <errno.h>
#include <time.h>
-
-#include <sys/types.h>
#include <errno.h>
-#ifdef HAVE_DIRENT_H
-# include <dirent.h>
-#endif
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-# ifdef HAVE_UNISTD_H
-# include <unistd.h>
-# endif
-#endif
-
+#include <assert.h>
-#include "vlc_tls.h"
-#include <vlc_charset.h>
+#include <vlc_common.h>
+#include <vlc_plugin.h>
+#include <vlc_tls.h>
+#include <vlc_block.h>
+#include <vlc_dialog.h>
-#include <gcrypt.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
-
-#define CACHE_TIMEOUT 3600
-#define CACHE_SIZE 64
-
#include "dhparams.h"
/*****************************************************************************
* Module descriptor
*****************************************************************************/
-static int OpenClient (vlc_object_t *);
-static void CloseClient (vlc_object_t *);
-static int OpenServer (vlc_object_t *);
-static void CloseServer (vlc_object_t *);
-
-#define CACHE_TIMEOUT_TEXT N_("Expiration time for resumed TLS sessions")
-#define CACHE_TIMEOUT_LONGTEXT N_( \
- "It is possible to cache the resumed TLS sessions. This is the expiration "\
- "time of the sessions stored in this cache, in seconds." )
-
-#define CACHE_SIZE_TEXT N_("Number of resumed TLS sessions")
-#define CACHE_SIZE_LONGTEXT N_( \
- "This is the maximum number of resumed TLS sessions that " \
- "the cache will hold." )
-
-vlc_module_begin();
- set_shortname( "GnuTLS" );
- set_description( _("GnuTLS transport layer security") );
- set_capability( "tls client", 1 );
- set_callbacks( OpenClient, CloseClient );
- set_category( CAT_ADVANCED );
- set_subcategory( SUBCAT_ADVANCED_MISC );
-
- add_obsolete_bool( "tls-check-cert" );
- add_obsolete_bool( "tls-check-hostname" );
-
- add_submodule();
- set_description( _("GnuTLS server") );
- set_capability( "tls server", 1 );
- set_category( CAT_ADVANCED );
- set_subcategory( SUBCAT_ADVANCED_MISC );
- set_callbacks( OpenServer, CloseServer );
-
- add_obsolete_integer( "gnutls-dh-bits" );
- add_integer( "gnutls-cache-timeout", CACHE_TIMEOUT, NULL,
- CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, true );
- add_integer( "gnutls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT,
- CACHE_SIZE_LONGTEXT, true );
-vlc_module_end();
-
-
-
-#ifdef LIBVLC_USE_PTHREAD
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-# define gcry_threads_vlc gcry_threads_pthread
-#else
-/**
- * gcrypt thread option VLC implementation
- */
-
-static int gcry_vlc_mutex_init( void **p_sys )
-{
- int i_val;
- vlc_mutex_t *p_lock = (vlc_mutex_t *)malloc( sizeof( vlc_mutex_t ) );
+static int OpenClient (vlc_tls_creds_t *);
+static void CloseClient (vlc_tls_creds_t *);
+static int OpenServer (vlc_tls_creds_t *, const char *, const char *);
+static void CloseServer (vlc_tls_creds_t *);
+
+#define PRIORITIES_TEXT N_("TLS cipher priorities")
+#define PRIORITIES_LONGTEXT N_("Ciphers, key exchange methods, " \
+ "hash functions and compression methods can be selected. " \
+ "Refer to GNU TLS documentation for detailed syntax.")
+static const char *const priorities_values[] = {
+ "PERFORMANCE",
+ "NORMAL",
+ "SECURE128",
+ "SECURE256",
+ "EXPORT",
+};
+static const char *const priorities_text[] = {
+ N_("Performance (prioritize faster ciphers)"),
+ N_("Normal"),
+ N_("Secure 128-bits (exclude 256-bits ciphers)"),
+ N_("Secure 256-bits (prioritize 256-bits ciphers)"),
+ N_("Export (include insecure ciphers)"),
+};
- if( p_lock == NULL)
- return ENOMEM;
+vlc_module_begin ()
+ set_shortname( "GNU TLS" )
+ set_description( N_("GNU TLS transport layer security") )
+ set_capability( "tls client", 1 )
+ set_callbacks( OpenClient, CloseClient )
+ set_category( CAT_ADVANCED )
+ set_subcategory( SUBCAT_ADVANCED_NETWORK )
- i_val = vlc_mutex_init( (vlc_object_t *)NULL, p_lock );
- if( i_val )
- free( p_lock );
- else
- *p_sys = p_lock;
- return i_val;
-}
+ add_submodule ()
+ set_description( N_("GNU TLS server") )
+ set_capability( "tls server", 1 )
+ set_category( CAT_ADVANCED )
+ set_subcategory( SUBCAT_ADVANCED_NETWORK )
+ set_callbacks( OpenServer, CloseServer )
-static int gcry_vlc_mutex_destroy( void **p_sys )
-{
- vlc_mutex_t *p_lock = (vlc_mutex_t *)*p_sys;
- vlc_mutex_destroy( p_lock );
- free( p_lock );
- return VLC_SUCCESS;
-}
-
-static int gcry_vlc_mutex_lock( void **p_sys )
-{
- vlc_mutex_lock( (vlc_mutex_t *)*p_sys );
- return VLC_SUCCESS;
-}
-
-static int gcry_vlc_mutex_unlock( void **lock )
-{
- vlc_mutex_unlock( (vlc_mutex_t *)*lock );
- return VLC_SUCCESS;
-}
-
-static struct gcry_thread_cbs gcry_threads_vlc =
-{
- GCRY_THREAD_OPTION_USER,
- NULL,
- gcry_vlc_mutex_init,
- gcry_vlc_mutex_destroy,
- gcry_vlc_mutex_lock,
- gcry_vlc_mutex_unlock
-};
-#endif
+ add_string ("gnutls-priorities", "NORMAL", PRIORITIES_TEXT,
+ PRIORITIES_LONGTEXT, false)
+ change_string_list (priorities_values, priorities_text)
+vlc_module_end ()
+static vlc_mutex_t gnutls_mutex = VLC_STATIC_MUTEX;
/**
* Initializes GnuTLS with proper locking.
{
int ret = VLC_EGENERIC;
- vlc_mutex_t *lock = var_AcquireMutex ("gnutls_mutex");
-
- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_vlc);
+ vlc_mutex_lock (&gnutls_mutex);
if (gnutls_global_init ())
{
msg_Err (p_this, "cannot initialize GnuTLS");
goto error;
}
- const char *psz_version = gnutls_check_version ("1.3.3");
+ const char *psz_version = gnutls_check_version ("3.0.20");
if (psz_version == NULL)
{
msg_Err (p_this, "unsupported GnuTLS version");
ret = VLC_SUCCESS;
error:
- vlc_mutex_unlock (lock);
+ vlc_mutex_unlock (&gnutls_mutex);
return ret;
}
*/
static void gnutls_Deinit (vlc_object_t *p_this)
{
- vlc_mutex_t *lock = var_AcquireMutex( "gnutls_mutex" );
+ vlc_mutex_lock (&gnutls_mutex);
gnutls_global_deinit ();
msg_Dbg (p_this, "GnuTLS deinitialized");
- vlc_mutex_unlock (lock);
+ vlc_mutex_unlock (&gnutls_mutex);
}
switch (val)
{
case GNUTLS_E_AGAIN:
-#ifndef WIN32
+#ifdef _WIN32
+ WSASetLastError (WSAEWOULDBLOCK);
+#else
errno = EAGAIN;
- break;
#endif
- /* WinSock does not return EAGAIN, return EINTR instead */
+ break;
case GNUTLS_E_INTERRUPTED:
-#ifdef WIN32
+#ifdef _WIN32
WSASetLastError (WSAEINTR);
#else
errno = EINTR;
if (!gnutls_error_is_fatal (val))
msg_Err (obj, "Error above should be handled");
#endif
-#ifdef WIN32
+#ifdef _WIN32
WSASetLastError (WSAECONNRESET);
#else
errno = ECONNRESET;
}
return -1;
}
+#define gnutls_Error(o, val) gnutls_Error(VLC_OBJECT(o), val)
-
-struct tls_session_sys_t
+struct vlc_tls_sys
{
gnutls_session_t session;
- char *psz_hostname;
- bool b_handshaked;
+ bool handshaked;
};
/**
* Sends data through a TLS session.
*/
-static int
-gnutls_Send( void *p_session, const void *buf, int i_length )
+static int gnutls_Send (void *opaque, const void *buf, size_t length)
{
- int val;
- tls_session_sys_t *p_sys;
-
- p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
+ vlc_tls_t *session = opaque;
+ vlc_tls_sys_t *sys = session->sys;
- val = gnutls_record_send( p_sys->session, buf, i_length );
- return (val < 0) ? gnutls_Error ((vlc_object_t *)p_session, val) : val;
+ int val = gnutls_record_send (sys->session, buf, length);
+ return (val < 0) ? gnutls_Error (session, val) : val;
}
/**
* Receives data through a TLS session.
*/
-static int
-gnutls_Recv( void *p_session, void *buf, int i_length )
+static int gnutls_Recv (void *opaque, void *buf, size_t length)
{
- int val;
- tls_session_sys_t *p_sys;
-
- p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
+ vlc_tls_t *session = opaque;
+ vlc_tls_sys_t *sys = session->sys;
- val = gnutls_record_recv( p_sys->session, buf, i_length );
- return (val < 0) ? gnutls_Error ((vlc_object_t *)p_session, val) : val;
+ int val = gnutls_record_recv (sys->session, buf, length);
+ return (val < 0) ? gnutls_Error (session, val) : val;
}
/**
* Starts or continues the TLS handshake.
*
- * @return -1 on fatal error, 0 on succesful handshake completion,
+ * @return -1 on fatal error, 0 on successful handshake completion,
* 1 if more would-be blocking recv is needed,
* 2 if more would-be blocking send is required.
*/
-static int
-gnutls_ContinueHandshake (tls_session_t *p_session)
+static int gnutls_ContinueHandshake (vlc_tls_t *session, const char *host,
+ const char *service)
{
- tls_session_sys_t *p_sys = p_session->p_sys;
+ vlc_tls_sys_t *sys = session->sys;
int val;
-#ifdef WIN32
- WSASetLastError( 0 );
+#ifdef _WIN32
+ WSASetLastError (0);
#endif
- val = gnutls_handshake( p_sys->session );
- if( ( val == GNUTLS_E_AGAIN ) || ( val == GNUTLS_E_INTERRUPTED ) )
- return 1 + gnutls_record_get_direction( p_sys->session );
+ do
+ {
+ val = gnutls_handshake (sys->session);
+ msg_Dbg (session, "TLS handshake: %s", gnutls_strerror (val));
- if( val < 0 )
+ if ((val == GNUTLS_E_AGAIN) || (val == GNUTLS_E_INTERRUPTED))
+ /* I/O event: return to caller's poll() loop */
+ return 1 + gnutls_record_get_direction (sys->session);
+ }
+ while (val < 0 && !gnutls_error_is_fatal (val));
+
+ if (val < 0)
{
-#ifdef WIN32
- msg_Dbg( p_session, "Winsock error %d", WSAGetLastError( ) );
+#ifdef _WIN32
+ msg_Dbg (session, "Winsock error %d", WSAGetLastError ());
#endif
- msg_Err( p_session, "TLS handshake error: %s",
- gnutls_strerror( val ) );
+ msg_Err (session, "TLS handshake error: %s", gnutls_strerror (val));
return -1;
}
- p_sys->b_handshaked = true;
+ sys->handshaked = true;
+ (void) host; (void) service;
return 0;
}
-typedef struct
-{
- int flag;
- const char *msg;
-} error_msg_t;
-
-static const error_msg_t cert_errors[] =
-{
- { GNUTLS_CERT_INVALID,
- "Certificate could not be verified" },
- { GNUTLS_CERT_REVOKED,
- "Certificate was revoked" },
- { GNUTLS_CERT_SIGNER_NOT_FOUND,
- "Certificate's signer was not found" },
- { GNUTLS_CERT_SIGNER_NOT_CA,
- "Certificate's signer is not a CA" },
- { GNUTLS_CERT_INSECURE_ALGORITHM,
- "Insecure certificate signature algorithm" },
- { 0, NULL }
-};
-
-
-static int
-gnutls_HandshakeAndValidate( tls_session_t *session )
+/**
+ * Looks up certificate in known hosts data base.
+ * @return 0 on success, -1 on failure.
+ */
+static int gnutls_CertSearch (vlc_tls_t *obj, const char *host,
+ const char *service,
+ const gnutls_datum_t *restrict datum)
{
- int val = gnutls_ContinueHandshake( session );
- if( val )
- return val;
-
- tls_session_sys_t *p_sys = (tls_session_sys_t *)(session->p_sys);
-
- /* certificates chain verification */
- unsigned status;
- val = gnutls_certificate_verify_peers2( p_sys->session, &status );
+ assert (host != NULL);
- if( val )
- {
- msg_Err( session, "Certificate verification failed: %s",
- gnutls_strerror( val ) );
- return -1;
- }
-
- if( status )
+ /* Look up mismatching certificate in store */
+ int val = gnutls_verify_stored_pubkey (NULL, NULL, host, service,
+ GNUTLS_CRT_X509, datum, 0);
+ const char *msg;
+ switch (val)
{
- msg_Err( session, "TLS session: access denied" );
- for( const error_msg_t *e = cert_errors; e->flag; e++ )
- {
- if( status & e->flag )
- {
- msg_Err( session, "%s", e->msg );
- status &= ~e->flag;
- }
- }
-
- if( status )
- msg_Err( session,
- "unknown certificate error (you found a bug in VLC)" );
-
- return -1;
+ case 0:
+ msg_Dbg (obj, "certificate key match for %s", host);
+ return 0;
+ case GNUTLS_E_NO_CERTIFICATE_FOUND:
+ msg_Dbg (obj, "no known certificates for %s", host);
+ msg = N_("You attempted to reach %s. "
+ "However the security certificate presented by the server "
+ "is unknown and could not be authenticated by any trusted "
+ "Certification Authority. "
+ "This problem may be caused by a configuration error "
+ "or an attempt to breach your security or your privacy.\n\n"
+ "If in doubt, abort now.\n");
+ break;
+ case GNUTLS_E_CERTIFICATE_KEY_MISMATCH:
+ msg_Dbg (obj, "certificate keys mismatch for %s", host);
+ msg = N_("You attempted to reach %s. "
+ "However the security certificate presented by the server "
+ "changed since the previous visit "
+ "and was not authenticated by any trusted "
+ "Certification Authority. "
+ "This problem may be caused by a configuration error "
+ "or an attempt to breach your security or your privacy.\n\n"
+ "If in doubt, abort now.\n");
+ break;
+ default:
+ msg_Err (obj, "certificate key match error for %s: %s", host,
+ gnutls_strerror (val));
+ return -1;
}
- /* certificate (host)name verification */
- const gnutls_datum_t *data;
- data = gnutls_certificate_get_peers (p_sys->session, &(unsigned){0});
- if( data == NULL )
- {
- msg_Err( session, "Peer certificate not available" );
+ if (dialog_Question (obj, _("Insecure site"), vlc_gettext (msg),
+ _("Abort"), _("View certificate"), NULL, host) != 2)
return -1;
- }
gnutls_x509_crt_t cert;
- val = gnutls_x509_crt_init( &cert );
- if( val )
- {
- msg_Err( session, "x509 fatal error: %s", gnutls_strerror( val ) );
- return -1;
- }
+ gnutls_datum_t desc;
- val = gnutls_x509_crt_import( cert, data, GNUTLS_X509_FMT_DER );
- if( val )
- {
- msg_Err( session, "Certificate import error: %s",
- gnutls_strerror( val ) );
- goto error;
- }
-
- assert( p_sys->psz_hostname != NULL );
- if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
+ if (gnutls_x509_crt_init (&cert))
+ return -1;
+ if (gnutls_x509_crt_import (cert, datum, GNUTLS_X509_FMT_DER)
+ || gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &desc))
{
- msg_Err( session, "Certificate does not match \"%s\"",
- p_sys->psz_hostname );
- goto error;
+ gnutls_x509_crt_deinit (cert);
+ return -1;
}
+ gnutls_x509_crt_deinit (cert);
- if( gnutls_x509_crt_get_expiration_time( cert ) < time( NULL ) )
- {
- msg_Err( session, "Certificate expired" );
- goto error;
- }
+ val = dialog_Question (obj, _("Insecure site"),
+ _("This is the certificate presented by %s:\n%s\n\n"
+ "If in doubt, abort now.\n"),
+ _("Abort"), _("Accept 24 hours"),
+ _("Accept permanently"), host, desc.data);
+ gnutls_free (desc.data);
- if( gnutls_x509_crt_get_activation_time( cert ) > time ( NULL ) )
+ time_t expiry = 0;
+ switch (val)
{
- msg_Err( session, "Certificate not yet valid" );
- goto error;
+ case 2:
+ time (&expiry);
+ expiry += 24 * 60 * 60;
+ case 3:
+ val = gnutls_store_pubkey (NULL, NULL, host, service,
+ GNUTLS_CRT_X509, datum, expiry, 0);
+ if (val)
+ msg_Err (obj, "cannot store X.509 certificate: %s",
+ gnutls_strerror (val));
+ return 0;
}
-
- gnutls_x509_crt_deinit( cert );
- msg_Dbg( session, "TLS/x509 certificate verified" );
- return 0;
-
-error:
- gnutls_x509_crt_deinit( cert );
return -1;
}
-/**
- * Sets the operating system file descriptor backend for the TLS sesison.
- *
- * @param fd stream socket already connected with the peer.
- */
-static void
-gnutls_SetFD (tls_session_t *p_session, int fd)
-{
- gnutls_transport_set_ptr (p_session->p_sys->session,
- (gnutls_transport_ptr_t)(intptr_t)fd);
-}
-typedef int (*tls_prio_func) (gnutls_session_t, const int *);
-
-static int
-gnutls_SetPriority (vlc_object_t *restrict obj, const char *restrict name,
- tls_prio_func func, gnutls_session_t session,
- const int *restrict values)
+static struct
{
- int val = func (session, values);
- if (val < 0)
- {
- msg_Err (obj, "cannot set %s priorities: %s", name,
- gnutls_strerror (val));
- return VLC_EGENERIC;
- }
- return VLC_SUCCESS;
-}
-
-
-static int
-gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
+ unsigned flag;
+ const char msg[29];
+} cert_errs[] =
{
- /* Note that ordering matters (on the client side) */
- static const int protos[] =
- {
- GNUTLS_TLS1_1,
- GNUTLS_TLS1_0,
- GNUTLS_SSL3,
- 0
- };
- static const int comps[] =
- {
- GNUTLS_COMP_DEFLATE,
- GNUTLS_COMP_NULL,
- 0
- };
- static const int macs[] =
- {
- GNUTLS_MAC_SHA1,
- GNUTLS_MAC_RMD160, // RIPEMD
- GNUTLS_MAC_MD5,
- //GNUTLS_MAC_MD2,
- //GNUTLS_MAC_NULL,
- 0
- };
- static const int ciphers[] =
- {
- GNUTLS_CIPHER_AES_256_CBC,
- GNUTLS_CIPHER_AES_128_CBC,
- GNUTLS_CIPHER_3DES_CBC,
- GNUTLS_CIPHER_ARCFOUR_128,
- //GNUTLS_CIPHER_DES_CBC,
- //GNUTLS_CIPHER_ARCFOUR_40,
- //GNUTLS_CIPHER_RC2_40_CBC,
- //GNUTLS_CIPHER_NULL,
- 0
- };
- static const int kx[] =
- {
- GNUTLS_KX_DHE_RSA,
- GNUTLS_KX_DHE_DSS,
- GNUTLS_KX_RSA,
- //GNUTLS_KX_RSA_EXPORT,
- //GNUTLS_KX_DHE_PSK, TODO
- //GNUTLS_KX_PSK, TODO
- //GNUTLS_KX_SRP_RSA, TODO
- //GNUTLS_KX_SRP_DSS, TODO
- //GNUTLS_KX_SRP, TODO
- //GNUTLS_KX_ANON_DH,
- 0
- };
- static const int cert_types[] =
- {
- GNUTLS_CRT_X509,
- //GNUTLS_CRT_OPENPGP, TODO
- 0
- };
-
- int val = gnutls_set_default_priority (session);
- if (val < 0)
- {
- msg_Err (obj, "cannot set default TLS priorities: %s",
- gnutls_strerror (val));
- return VLC_EGENERIC;
- }
-
- if (gnutls_SetPriority (obj, "protocols",
- gnutls_protocol_set_priority, session, protos)
- || gnutls_SetPriority (obj, "compression algorithms",
- gnutls_compression_set_priority, session, comps)
- || gnutls_SetPriority (obj, "MAC algorithms",
- gnutls_mac_set_priority, session, macs)
- || gnutls_SetPriority (obj, "ciphers",
- gnutls_cipher_set_priority, session, ciphers)
- || gnutls_SetPriority (obj, "key exchange algorithms",
- gnutls_kx_set_priority, session, kx)
- || gnutls_SetPriority (obj, "certificate types",
- gnutls_certificate_type_set_priority, session,
- cert_types))
- return VLC_EGENERIC;
-
- return VLC_SUCCESS;
-}
-
+ { GNUTLS_CERT_INVALID, "Certificate not verified" },
+ { GNUTLS_CERT_REVOKED, "Certificate revoked" },
+ { GNUTLS_CERT_SIGNER_NOT_FOUND, "Signer not found" },
+ { GNUTLS_CERT_SIGNER_NOT_CA, "Signer not a CA" },
+ { GNUTLS_CERT_INSECURE_ALGORITHM, "Signature algorithm insecure" },
+ { GNUTLS_CERT_NOT_ACTIVATED, "Certificate not activated" },
+ { GNUTLS_CERT_EXPIRED, "Certificate expired" },
+};
-static int
-gnutls_Addx509File( vlc_object_t *p_this,
- gnutls_certificate_credentials_t cred,
- const char *psz_path, bool b_priv );
-static int
-gnutls_Addx509Directory( vlc_object_t *p_this,
- gnutls_certificate_credentials_t cred,
- const char *psz_dirname,
- bool b_priv )
+static int gnutls_HandshakeAndValidate (vlc_tls_t *session, const char *host,
+ const char *service)
{
- DIR* dir;
+ vlc_tls_sys_t *sys = session->sys;
- if( *psz_dirname == '\0' )
- psz_dirname = ".";
+ int val = gnutls_ContinueHandshake (session, host, service);
+ if (val)
+ return val;
- dir = utf8_opendir( psz_dirname );
- if( dir == NULL )
- {
- if (errno != ENOENT)
- {
- msg_Err (p_this, "cannot open directory (%s): %m", psz_dirname);
- return VLC_EGENERIC;
- }
-
- msg_Dbg (p_this, "creating empty certificate directory: %s",
- psz_dirname);
- utf8_mkdir (psz_dirname, b_priv ? 0700 : 0755);
- return VLC_SUCCESS;
- }
-#ifdef S_ISLNK
- else
- {
- struct stat st1, st2;
- int fd = dirfd( dir );
-
- /*
- * Gets stats for the directory path, checks that it is not a
- * symbolic link (to avoid possibly infinite recursion), and verifies
- * that the inode is still the same, to avoid TOCTOU race condition.
- */
- if( ( fd == -1)
- || fstat( fd, &st1 ) || utf8_lstat( psz_dirname, &st2 )
- || S_ISLNK( st2.st_mode ) || ( st1.st_ino != st2.st_ino ) )
- {
- closedir( dir );
- return VLC_EGENERIC;
- }
- }
-#endif
+ /* certificates chain verification */
+ unsigned status;
- for (;;)
+ val = gnutls_certificate_verify_peers2 (sys->session, &status);
+ if (val)
{
- char *ent = utf8_readdir (dir);
- if (ent == NULL)
- break;
-
- if ((strcmp (ent, ".") == 0) || (strcmp (ent, "..") == 0))
- continue;
-
- char path[strlen (psz_dirname) + strlen (ent) + 2];
- sprintf (path, "%s"DIR_SEP"%s", psz_dirname, ent);
- free (ent);
-
- gnutls_Addx509File( p_this, cred, path, b_priv );
+ msg_Err (session, "Certificate verification error: %s",
+ gnutls_strerror (val));
+ return -1;
}
-
- closedir( dir );
- return VLC_SUCCESS;
-}
-
-
-static int
-gnutls_Addx509File( vlc_object_t *p_this,
- gnutls_certificate_credentials cred,
- const char *psz_path, bool b_priv )
-{
- struct stat st;
-
- if( utf8_stat( psz_path, &st ) == 0 )
+ if (status)
{
- if( S_ISREG( st.st_mode ) )
- {
- char *psz_localname = ToLocale( psz_path );
- int i = b_priv
- ? gnutls_certificate_set_x509_key_file( cred,
- psz_localname, psz_localname, GNUTLS_X509_FMT_PEM )
- : gnutls_certificate_set_x509_trust_file( cred,
- psz_localname, GNUTLS_X509_FMT_PEM );
- LocaleFree( psz_localname );
-
- if( i < 0 )
- {
- msg_Warn( p_this, "cannot add x509 credentials (%s): %s",
- psz_path, gnutls_strerror( i ) );
- return VLC_EGENERIC;
- }
- else
- {
- msg_Dbg( p_this, "added x509 credentials (%s)",
- psz_path );
- return VLC_SUCCESS;
- }
- }
- else if( S_ISDIR( st.st_mode ) )
- {
- msg_Dbg( p_this,
- "looking recursively for x509 credentials in %s",
- psz_path );
- return gnutls_Addx509Directory( p_this, cred, psz_path, b_priv);
- }
+ msg_Err (session, "Certificate verification failure (0x%04X)", status);
+ for (size_t i = 0; i < sizeof (cert_errs) / sizeof (cert_errs[0]); i++)
+ if (status & cert_errs[i].flag)
+ msg_Err (session, " * %s", cert_errs[i].msg);
+ if (status & ~(GNUTLS_CERT_INVALID|GNUTLS_CERT_SIGNER_NOT_FOUND))
+ return -1;
}
- else
- msg_Warn( p_this, "cannot add x509 credentials (%s): %m", psz_path );
- return VLC_EGENERIC;
-}
-
-
-/** TLS client session data */
-typedef struct tls_client_sys_t
-{
- struct tls_session_sys_t session;
- gnutls_certificate_credentials_t x509_cred;
-} tls_client_sys_t;
-
-
-/**
- * Initializes a client-side TLS session.
- */
-static int OpenClient (vlc_object_t *obj)
-{
- tls_session_t *p_session = (tls_session_t *)obj;
- int i_val;
- if (gnutls_Init (obj))
- return VLC_EGENERIC;
-
- tls_client_sys_t *p_sys = malloc (sizeof (*p_sys));
- if (p_sys == NULL)
+ /* certificate (host)name verification */
+ const gnutls_datum_t *data;
+ unsigned count;
+ data = gnutls_certificate_get_peers (sys->session, &count);
+ if (data == NULL || count == 0)
{
- gnutls_Deinit (obj);
- return VLC_ENOMEM;
+ msg_Err (session, "Peer certificate not available");
+ return -1;
}
+ msg_Dbg (session, "%u certificate(s) in the list", count);
- p_session->p_sys = &p_sys->session;
- p_session->sock.p_sys = p_session;
- p_session->sock.pf_send = gnutls_Send;
- p_session->sock.pf_recv = gnutls_Recv;
- p_session->pf_set_fd = gnutls_SetFD;
-
- p_sys->session.b_handshaked = false;
-
- const char *homedir = obj->p_libvlc->psz_datadir,
- *datadir = config_GetDataDir ();
- size_t l1 = strlen (homedir), l2 = strlen (datadir);
- char path[((l1 > l2) ? l1 : l2) + sizeof ("/ca-certificates.crt")];
- // > sizeof ("/ssl/private")
- // > sizeof ("/ssl/certs")
+ if (val || host == NULL)
+ return val;
+ if (status && gnutls_CertSearch (session, host, service, data))
+ return -1;
- i_val = gnutls_certificate_allocate_credentials (&p_sys->x509_cred);
- if (i_val != 0)
+ gnutls_x509_crt_t cert;
+ val = gnutls_x509_crt_init (&cert);
+ if (val)
{
- msg_Err (obj, "cannot allocate X509 credentials: %s",
- gnutls_strerror (i_val));
- goto error;
+ msg_Err (session, "X.509 fatal error: %s", gnutls_strerror (val));
+ return -1;
}
- sprintf (path, "%s/ssl", homedir);
- utf8_mkdir (path, 0755);
-
- sprintf (path, "%s/ssl/certs", homedir);
- gnutls_Addx509Directory (VLC_OBJECT (p_session),
- p_sys->x509_cred, path, false);
-
- sprintf (path, "%s/ca-certificates.crt", datadir);
- gnutls_Addx509File (VLC_OBJECT (p_session),
- p_sys->x509_cred, path, false);
- p_session->pf_handshake = gnutls_HandshakeAndValidate;
- /*p_session->pf_handshake = gnutls_ContinueHandshake;*/
-
- sprintf (path, "%s/ssl/private", homedir);
- gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
- path, true);
-
- i_val = gnutls_init (&p_sys->session.session, GNUTLS_CLIENT);
- if (i_val != 0)
+ val = gnutls_x509_crt_import (cert, data, GNUTLS_X509_FMT_DER);
+ if (val)
{
- msg_Err (obj, "cannot initialize TLS session: %s",
- gnutls_strerror (i_val));
- gnutls_certificate_free_credentials (p_sys->x509_cred);
+ msg_Err (session, "Certificate import error: %s",
+ gnutls_strerror (val));
goto error;
}
- if (gnutls_SessionPrioritize (VLC_OBJECT (p_session),
- p_sys->session.session))
- goto s_error;
-
- /* minimum DH prime bits */
- gnutls_dh_set_prime_bits (p_sys->session.session, 1024);
-
- i_val = gnutls_credentials_set (p_sys->session.session,
- GNUTLS_CRD_CERTIFICATE,
- p_sys->x509_cred);
- if (i_val < 0)
+ val = !gnutls_x509_crt_check_hostname (cert, host);
+ if (val)
{
- msg_Err (obj, "cannot set TLS session credentials: %s",
- gnutls_strerror (i_val));
- goto s_error;
+ msg_Err (session, "Certificate does not match \"%s\"", host);
+ val = gnutls_CertSearch (session, host, service, data);
}
-
- char *servername = var_GetNonEmptyString (p_session, "tls-server-name");
- if (servername == NULL )
- msg_Err (p_session, "server name missing for TLS session");
-
- p_sys->session.psz_hostname = servername;
- gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
- servername, strlen (servername));
-
- return VLC_SUCCESS;
-
-s_error:
- gnutls_deinit (p_sys->session.session);
- gnutls_certificate_free_credentials (p_sys->x509_cred);
error:
- gnutls_Deinit (obj);
- free (p_sys);
- return VLC_EGENERIC;
+ gnutls_x509_crt_deinit (cert);
+ return val;
}
-
-static void CloseClient (vlc_object_t *obj)
+static int
+gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
{
- tls_session_t *client = (tls_session_t *)obj;
- tls_client_sys_t *p_sys = (tls_client_sys_t *)(client->p_sys);
-
- if (p_sys->session.b_handshaked == true)
- gnutls_bye (p_sys->session.session, GNUTLS_SHUT_WR);
- gnutls_deinit (p_sys->session.session);
- /* credentials must be free'd *after* gnutls_deinit() */
- gnutls_certificate_free_credentials (p_sys->x509_cred);
-
- gnutls_Deinit (obj);
- free (p_sys->session.psz_hostname);
- free (p_sys);
+ char *priorities = var_InheritString (obj, "gnutls-priorities");
+ if (unlikely(priorities == NULL))
+ return VLC_ENOMEM;
+
+ const char *errp;
+ int val = gnutls_priority_set_direct (session, priorities, &errp);
+ if (val < 0)
+ {
+ msg_Err (obj, "cannot set TLS priorities \"%s\": %s", errp,
+ gnutls_strerror (val));
+ val = VLC_EGENERIC;
+ }
+ else
+ val = VLC_SUCCESS;
+ free (priorities);
+ return val;
}
/**
- * Server-side TLS
+ * TLS credentials private data
*/
-struct tls_server_sys_t
+struct vlc_tls_creds_sys
{
gnutls_certificate_credentials_t x509_cred;
- gnutls_dh_params_t dh_params;
-
- struct saved_session_t *p_cache;
- struct saved_session_t *p_store;
- int i_cache_size;
- vlc_mutex_t cache_lock;
-
- int (*pf_handshake) (tls_session_t *);
+ gnutls_dh_params_t dh_params; /* XXX: used for server only */
+ int (*handshake) (vlc_tls_t *, const char *, const char *);
+ /* ^^ XXX: useful for server only */
};
-/**
- * TLS session resumption callbacks (server-side)
- */
-#define MAX_SESSION_ID 32
-#define MAX_SESSION_DATA 1024
-
-typedef struct saved_session_t
-{
- char id[MAX_SESSION_ID];
- char data[MAX_SESSION_DATA];
-
- unsigned i_idlen;
- unsigned i_datalen;
-} saved_session_t;
-
-
-static int cb_store( void *p_server, gnutls_datum key, gnutls_datum data )
-{
- tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys;
-
- if( ( p_sys->i_cache_size == 0 )
- || ( key.size > MAX_SESSION_ID )
- || ( data.size > MAX_SESSION_DATA ) )
- return -1;
-
- vlc_mutex_lock( &p_sys->cache_lock );
-
- memcpy( p_sys->p_store->id, key.data, key.size);
- memcpy( p_sys->p_store->data, data.data, data.size );
- p_sys->p_store->i_idlen = key.size;
- p_sys->p_store->i_datalen = data.size;
-
- p_sys->p_store++;
- if( ( p_sys->p_store - p_sys->p_cache ) == p_sys->i_cache_size )
- p_sys->p_store = p_sys->p_cache;
-
- vlc_mutex_unlock( &p_sys->cache_lock );
-
- return 0;
-}
-
-
-static gnutls_datum cb_fetch( void *p_server, gnutls_datum key )
-{
- static const gnutls_datum_t err_datum = { NULL, 0 };
- tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys;
- saved_session_t *p_session, *p_end;
-
- p_session = p_sys->p_cache;
- p_end = p_session + p_sys->i_cache_size;
-
- vlc_mutex_lock( &p_sys->cache_lock );
-
- while( p_session < p_end )
- {
- if( ( p_session->i_idlen == key.size )
- && !memcmp( p_session->id, key.data, key.size ) )
- {
- gnutls_datum_t data;
-
- data.size = p_session->i_datalen;
-
- data.data = gnutls_malloc( data.size );
- if( data.data == NULL )
- {
- vlc_mutex_unlock( &p_sys->cache_lock );
- return err_datum;
- }
-
- memcpy( data.data, p_session->data, data.size );
- vlc_mutex_unlock( &p_sys->cache_lock );
- return data;
- }
- p_session++;
- }
-
- vlc_mutex_unlock( &p_sys->cache_lock );
-
- return err_datum;
-}
-
-
-static int cb_delete( void *p_server, gnutls_datum key )
-{
- tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys;
- saved_session_t *p_session, *p_end;
-
- p_session = p_sys->p_cache;
- p_end = p_session + p_sys->i_cache_size;
-
- vlc_mutex_lock( &p_sys->cache_lock );
-
- while( p_session < p_end )
- {
- if( ( p_session->i_idlen == key.size )
- && !memcmp( p_session->id, key.data, key.size ) )
- {
- p_session->i_datalen = p_session->i_idlen = 0;
- vlc_mutex_unlock( &p_sys->cache_lock );
- return 0;
- }
- p_session++;
- }
-
- vlc_mutex_unlock( &p_sys->cache_lock );
-
- return -1;
-}
-
-
/**
* Terminates TLS session and releases session data.
* You still have to close the socket yourself.
*/
-static void
-gnutls_SessionClose (tls_server_t *p_server, tls_session_t *p_session)
+static void gnutls_SessionClose (vlc_tls_creds_t *crd, vlc_tls_t *session)
{
- tls_session_sys_t *p_sys = p_session->p_sys;
- (void)p_server;
+ vlc_tls_sys_t *sys = session->sys;
- if( p_sys->b_handshaked == true )
- gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
- gnutls_deinit( p_sys->session );
+ if (sys->handshaked)
+ gnutls_bye (sys->session, GNUTLS_SHUT_WR);
+ gnutls_deinit (sys->session);
- vlc_object_detach( p_session );
- vlc_object_release( p_session );
-
- free( p_sys );
+ free (sys);
+ (void) crd;
}
/**
* Initializes a server-side TLS session.
*/
-static tls_session_t *
-gnutls_ServerSessionPrepare( tls_server_t *p_server )
+static int gnutls_SessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
+ int type, int fd)
{
- tls_session_t *p_session;
- tls_server_sys_t *p_server_sys;
- gnutls_session_t session;
- int i_val;
+ vlc_tls_sys_t *sys = malloc (sizeof (*session->sys));
+ if (unlikely(sys == NULL))
+ return VLC_ENOMEM;
- p_session = vlc_object_create( p_server, sizeof (struct tls_session_t) );
- if( p_session == NULL )
- return NULL;
+ session->sys = sys;
+ session->sock.p_sys = session;
+ session->sock.pf_send = gnutls_Send;
+ session->sock.pf_recv = gnutls_Recv;
+ session->handshake = crd->sys->handshake;
+ sys->handshaked = false;
- p_session->p_sys = malloc( sizeof(struct tls_session_sys_t) );
- if( p_session->p_sys == NULL )
+ int val = gnutls_init (&sys->session, type);
+ if (val != 0)
{
- vlc_object_release( p_session );
- return NULL;
+ msg_Err (session, "cannot initialize TLS session: %s",
+ gnutls_strerror (val));
+ free (sys);
+ return VLC_EGENERIC;
}
- p_server_sys = p_server->p_sys;
- p_session->sock.p_sys = p_session;
- p_session->sock.pf_send = gnutls_Send;
- p_session->sock.pf_recv = gnutls_Recv;
- p_session->pf_set_fd = gnutls_SetFD;
- p_session->pf_handshake = p_server_sys->pf_handshake;
-
- p_session->p_sys->b_handshaked = false;
- p_session->p_sys->psz_hostname = NULL;
+ if (gnutls_SessionPrioritize (VLC_OBJECT (crd), sys->session))
+ goto error;
- i_val = gnutls_init( &session, GNUTLS_SERVER );
- if( i_val != 0 )
+ val = gnutls_credentials_set (sys->session, GNUTLS_CRD_CERTIFICATE,
+ crd->sys->x509_cred);
+ if (val < 0)
{
- msg_Err( p_server, "cannot initialize TLS session: %s",
- gnutls_strerror( i_val ) );
+ msg_Err (session, "cannot set TLS session credentials: %s",
+ gnutls_strerror (val));
goto error;
}
- p_session->p_sys->session = session;
+ gnutls_transport_set_ptr (sys->session,
+ (gnutls_transport_ptr_t)(intptr_t)fd);
+ return VLC_SUCCESS;
- if (gnutls_SessionPrioritize (VLC_OBJECT (p_session), session))
- {
- gnutls_deinit( session );
- goto error;
- }
+error:
+ gnutls_SessionClose (crd, session);
+ return VLC_EGENERIC;
+}
- i_val = gnutls_credentials_set( session, GNUTLS_CRD_CERTIFICATE,
- p_server_sys->x509_cred );
- if( i_val < 0 )
- {
- msg_Err( p_server, "cannot set TLS session credentials: %s",
- gnutls_strerror( i_val ) );
- gnutls_deinit( session );
- goto error;
- }
+static int gnutls_ServerSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
+ int fd, const char *hostname)
+{
+ int val = gnutls_SessionOpen (crd, session, GNUTLS_SERVER, fd);
+ if (val != VLC_SUCCESS)
+ return val;
- if (p_session->pf_handshake == gnutls_HandshakeAndValidate)
- gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
+ if (session->handshake == gnutls_HandshakeAndValidate)
+ gnutls_certificate_server_set_request (session->sys->session,
+ GNUTLS_CERT_REQUIRE);
+ assert (hostname == NULL);
+ return VLC_SUCCESS;
+}
- /* Session resumption support */
- i_val = config_GetInt (p_server, "gnutls-cache-timeout");
- gnutls_db_set_cache_expiration (session, i_val);
- gnutls_db_set_retrieve_function( session, cb_fetch );
- gnutls_db_set_remove_function( session, cb_delete );
- gnutls_db_set_store_function( session, cb_store );
- gnutls_db_set_ptr( session, p_server );
+static int gnutls_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
+ int fd, const char *hostname)
+{
+ int val = gnutls_SessionOpen (crd, session, GNUTLS_CLIENT, fd);
+ if (val != VLC_SUCCESS)
+ return val;
- return p_session;
+ vlc_tls_sys_t *sys = session->sys;
-error:
- free( p_session->p_sys );
- vlc_object_detach( p_session );
- vlc_object_release( p_session );
- return NULL;
+ /* minimum DH prime bits */
+ gnutls_dh_set_prime_bits (sys->session, 1024);
+
+ if (likely(hostname != NULL))
+ /* fill Server Name Indication */
+ gnutls_server_name_set (sys->session, GNUTLS_NAME_DNS,
+ hostname, strlen (hostname));
+
+ return VLC_SUCCESS;
}
/**
- * Adds one or more certificate authorities.
+ * Adds one or more Certificate Authorities to the trusted set.
*
- * @param psz_ca_path (Unicode) path to an x509 certificates list.
+ * @param path (UTF-8) path to an X.509 certificates list.
*
* @return -1 on error, 0 on success.
*/
-static int
-gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path )
+static int gnutls_AddCA (vlc_tls_creds_t *crd, const char *path)
{
- tls_server_sys_t *p_sys;
- char *psz_local_path;
- int val;
+ block_t *block = block_FilePath (path);
+ if (block == NULL)
+ {
+ msg_Err (crd, "cannot read trusted CA from %s: %m", path);
+ return VLC_EGENERIC;
+ }
- p_sys = (tls_server_sys_t *)(p_server->p_sys);
+ gnutls_datum_t d = {
+ .data = block->p_buffer,
+ .size = block->i_buffer,
+ };
- psz_local_path = ToLocale( psz_ca_path );
- val = gnutls_certificate_set_x509_trust_file( p_sys->x509_cred,
- psz_local_path,
- GNUTLS_X509_FMT_PEM );
- LocaleFree( psz_local_path );
- if( val < 0 )
+ int val = gnutls_certificate_set_x509_trust_mem (crd->sys->x509_cred, &d,
+ GNUTLS_X509_FMT_PEM);
+ block_Release (block);
+ if (val < 0)
{
- msg_Err( p_server, "cannot add trusted CA (%s): %s", psz_ca_path,
- gnutls_strerror( val ) );
+ msg_Err (crd, "cannot load trusted CA from %s: %s", path,
+ gnutls_strerror (val));
return VLC_EGENERIC;
}
- msg_Dbg( p_server, " %d trusted CA added (%s)", val, psz_ca_path );
+ msg_Dbg (crd, " %d trusted CA%s added from %s", val, (val != 1) ? "s" : "",
+ path);
/* enables peer's certificate verification */
- p_sys->pf_handshake = gnutls_HandshakeAndValidate;
-
+ crd->sys->handshake = gnutls_HandshakeAndValidate;
return VLC_SUCCESS;
}
/**
- * Adds a certificates revocation list to be sent to TLS clients.
+ * Adds a Certificates Revocation List to be sent to TLS clients.
*
- * @param psz_crl_path (Unicode) path of the CRL file.
+ * @param path (UTF-8) path of the CRL file.
*
* @return -1 on error, 0 on success.
*/
-static int
-gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
+static int gnutls_AddCRL (vlc_tls_creds_t *crd, const char *path)
{
- int val;
- char *psz_local_path = ToLocale( psz_crl_path );
-
- val = gnutls_certificate_set_x509_crl_file( ((tls_server_sys_t *)
- (p_server->p_sys))->x509_cred,
- psz_local_path,
- GNUTLS_X509_FMT_PEM );
- LocaleFree( psz_crl_path );
- if( val < 0 )
+ block_t *block = block_FilePath (path);
+ if (block == NULL)
{
- msg_Err( p_server, "cannot add CRL (%s): %s", psz_crl_path,
- gnutls_strerror( val ) );
+ msg_Err (crd, "cannot read CRL from %s: %m", path);
return VLC_EGENERIC;
}
- msg_Dbg( p_server, "%d CRL added (%s)", val, psz_crl_path );
+
+ gnutls_datum_t d = {
+ .data = block->p_buffer,
+ .size = block->i_buffer,
+ };
+
+ int val = gnutls_certificate_set_x509_crl_mem (crd->sys->x509_cred, &d,
+ GNUTLS_X509_FMT_PEM);
+ block_Release (block);
+ if (val < 0)
+ {
+ msg_Err (crd, "cannot add CRL (%s): %s", path, gnutls_strerror (val));
+ return VLC_EGENERIC;
+ }
+ msg_Dbg (crd, "%d CRL%s added from %s", val, (val != 1) ? "s" : "", path);
return VLC_SUCCESS;
}
/**
* Allocates a whole server's TLS credentials.
*/
-static int OpenServer (vlc_object_t *obj)
+static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
{
- tls_server_t *p_server = (tls_server_t *)obj;
- tls_server_sys_t *p_sys;
int val;
- if (gnutls_Init (obj))
+ if (gnutls_Init (VLC_OBJECT(crd)))
return VLC_EGENERIC;
- msg_Dbg (obj, "creating TLS server");
+ vlc_tls_creds_sys_t *sys = malloc (sizeof (*sys));
+ if (unlikely(sys == NULL))
+ goto error;
- p_sys = (tls_server_sys_t *)malloc( sizeof(struct tls_server_sys_t) );
- if( p_sys == NULL )
- return VLC_ENOMEM;
+ crd->sys = sys;
+ crd->add_CA = gnutls_AddCA;
+ crd->add_CRL = gnutls_AddCRL;
+ crd->open = gnutls_ServerSessionOpen;
+ crd->close = gnutls_SessionClose;
+ /* No certificate validation by default */
+ sys->handshake = gnutls_ContinueHandshake;
- p_sys->i_cache_size = config_GetInt (obj, "gnutls-cache-size");
- p_sys->p_cache = calloc (p_sys->i_cache_size,
- sizeof (struct saved_session_t));
- if (p_sys->p_cache == NULL)
+ /* Sets server's credentials */
+ val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
+ if (val != 0)
{
- free (p_sys);
- return VLC_ENOMEM;
+ msg_Err (crd, "cannot allocate credentials: %s",
+ gnutls_strerror (val));
+ goto error;
}
- p_sys->p_store = p_sys->p_cache;
- p_server->p_sys = p_sys;
- p_server->pf_add_CA = gnutls_ServerAddCA;
- p_server->pf_add_CRL = gnutls_ServerAddCRL;
- p_server->pf_open = gnutls_ServerSessionPrepare;
- p_server->pf_close = gnutls_SessionClose;
-
- /* No certificate validation by default */
- p_sys->pf_handshake = gnutls_ContinueHandshake;
-
- vlc_mutex_init( p_server, &p_sys->cache_lock );
+ block_t *certblock = block_FilePath (cert);
+ if (certblock == NULL)
+ {
+ msg_Err (crd, "cannot read certificate chain from %s: %m", cert);
+ return VLC_EGENERIC;
+ }
- /* Sets server's credentials */
- val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
- if( val != 0 )
+ block_t *keyblock = block_FilePath (key);
+ if (keyblock == NULL)
{
- msg_Err( p_server, "cannot allocate X509 credentials: %s",
- gnutls_strerror( val ) );
- goto error;
+ msg_Err (crd, "cannot read private key from %s: %m", key);
+ block_Release (certblock);
+ return VLC_EGENERIC;
}
- char *psz_cert_path = var_GetNonEmptyString (obj, "tls-x509-cert");
- char *psz_key_path = var_GetNonEmptyString (obj, "tls-x509-key");
- const char *psz_local_cert = ToLocale (psz_cert_path);
- const char *psz_local_key = ToLocale (psz_key_path);
- val = gnutls_certificate_set_x509_key_file (p_sys->x509_cred,
- psz_local_cert, psz_local_key,
- GNUTLS_X509_FMT_PEM );
- LocaleFree (psz_local_key);
- free (psz_key_path);
- LocaleFree (psz_local_cert);
- free (psz_cert_path);
-
- if( val < 0 )
+ gnutls_datum_t pub = {
+ .data = certblock->p_buffer,
+ .size = certblock->i_buffer,
+ }, priv = {
+ .data = keyblock->p_buffer,
+ .size = keyblock->i_buffer,
+ };
+
+ val = gnutls_certificate_set_x509_key_mem (sys->x509_cred, &pub, &priv,
+ GNUTLS_X509_FMT_PEM);
+ block_Release (keyblock);
+ block_Release (certblock);
+ if (val < 0)
{
- msg_Err( p_server, "cannot set certificate chain or private key: %s",
- gnutls_strerror( val ) );
- gnutls_certificate_free_credentials( p_sys->x509_cred );
+ msg_Err (crd, "cannot load X.509 key: %s", gnutls_strerror (val));
+ gnutls_certificate_free_credentials (sys->x509_cred);
goto error;
}
/* FIXME:
- * - support other ciper suites
+ * - support other cipher suites
*/
- val = gnutls_dh_params_init (&p_sys->dh_params);
+ val = gnutls_dh_params_init (&sys->dh_params);
if (val >= 0)
{
const gnutls_datum_t data = {
.size = sizeof (dh_params) - 1,
};
- val = gnutls_dh_params_import_pkcs3 (p_sys->dh_params, &data,
+ val = gnutls_dh_params_import_pkcs3 (sys->dh_params, &data,
GNUTLS_X509_FMT_PEM);
if (val == 0)
- gnutls_certificate_set_dh_params (p_sys->x509_cred,
- p_sys->dh_params);
+ gnutls_certificate_set_dh_params (sys->x509_cred,
+ sys->dh_params);
}
if (val < 0)
{
- msg_Err (p_server, "cannot initialize DHE cipher suites: %s",
+ msg_Err (crd, "cannot initialize DHE cipher suites: %s",
gnutls_strerror (val));
}
return VLC_SUCCESS;
error:
- vlc_mutex_destroy (&p_sys->cache_lock);
- free (p_sys->p_cache);
- free (p_sys);
+ free (sys);
+ gnutls_Deinit (VLC_OBJECT(crd));
return VLC_EGENERIC;
}
/**
* Destroys a TLS server object.
*/
-static void CloseServer (vlc_object_t *p_server)
+static void CloseServer (vlc_tls_creds_t *crd)
{
- tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys;
-
- vlc_mutex_destroy (&p_sys->cache_lock);
- free (p_sys->p_cache);
+ vlc_tls_creds_sys_t *sys = crd->sys;
/* all sessions depending on the server are now deinitialized */
- gnutls_certificate_free_credentials (p_sys->x509_cred);
- gnutls_dh_params_deinit (p_sys->dh_params);
- free (p_sys);
+ gnutls_certificate_free_credentials (sys->x509_cred);
+ gnutls_dh_params_deinit (sys->dh_params);
+ free (sys);
+
+ gnutls_Deinit (VLC_OBJECT(crd));
+}
+
+/**
+ * Initializes a client-side TLS credentials.
+ */
+static int OpenClient (vlc_tls_creds_t *crd)
+{
+ if (gnutls_Init (VLC_OBJECT(crd)))
+ return VLC_EGENERIC;
+
+ vlc_tls_creds_sys_t *sys = malloc (sizeof (*sys));
+ if (unlikely(sys == NULL))
+ goto error;
+
+ crd->sys = sys;
+ //crd->add_CA = gnutls_AddCA;
+ //crd->add_CRL = gnutls_AddCRL;
+ crd->open = gnutls_ClientSessionOpen;
+ crd->close = gnutls_SessionClose;
+ sys->handshake = gnutls_HandshakeAndValidate;
+
+ int val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
+ if (val != 0)
+ {
+ msg_Err (crd, "cannot allocate credentials: %s",
+ gnutls_strerror (val));
+ goto error;
+ }
+
+ val = gnutls_certificate_set_x509_system_trust (sys->x509_cred);
+ if (val < 0)
+ msg_Err (crd, "cannot load trusted Certificate Authorities: %s",
+ gnutls_strerror (val));
+ else
+ msg_Dbg (crd, "loaded %d trusted CAs", val);
+
+ gnutls_certificate_set_verify_flags (sys->x509_cred,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+
+ return VLC_SUCCESS;
+error:
+ free (sys);
+ gnutls_Deinit (VLC_OBJECT(crd));
+ return VLC_EGENERIC;
+}
+
+static void CloseClient (vlc_tls_creds_t *crd)
+{
+ vlc_tls_creds_sys_t *sys = crd->sys;
+
+ gnutls_certificate_free_credentials (sys->x509_cred);
+ free (sys);
- gnutls_Deinit (p_server);
+ gnutls_Deinit (VLC_OBJECT(crd));
}
projects / vlc / blobdiff