* Preamble
*****************************************************************************/
-#include <vlc/vlc.h>
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <vlc_common.h>
+#include <vlc_plugin.h>
#include <errno.h>
#include <time.h>
#include <sys/types.h>
#include <errno.h>
-#ifdef HAVE_DIRENT_H
-# include <dirent.h>
-#endif
#ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
-# ifdef HAVE_UNISTD_H
-# include <unistd.h>
-# endif
#endif
+#ifdef WIN32
+# include <io.h>
+#else
+# include <unistd.h>
+#endif
+# include <fcntl.h>
-#include "vlc_tls.h"
+#include <vlc_tls.h>
#include <vlc_charset.h>
+#include <vlc_fs.h>
+#include <vlc_block.h>
#include <gcrypt.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
+#include <vlc_gcrypt.h>
+
#define CACHE_TIMEOUT 3600
#define CACHE_SIZE 64
#include "dhparams.h"
+#include <assert.h>
+
/*****************************************************************************
* Module descriptor
*****************************************************************************/
"This is the maximum number of resumed TLS sessions that " \
"the cache will hold." )
-#define CHECK_CERT_TEXT N_("Check TLS/SSL server certificate validity")
-#define CHECK_CERT_LONGTEXT N_( \
- "This ensures that the server certificate is valid " \
- "(i.e. signed by an approved Certification Authority)." )
-
-vlc_module_begin();
- set_shortname( "GnuTLS" );
- set_description( _("GnuTLS transport layer security") );
- set_capability( "tls client", 1 );
- set_callbacks( OpenClient, CloseClient );
- set_category( CAT_ADVANCED );
- set_subcategory( SUBCAT_ADVANCED_MISC );
-
- add_bool( "tls-check-cert", VLC_TRUE, NULL, CHECK_CERT_TEXT,
- CHECK_CERT_LONGTEXT, VLC_FALSE );
- add_obsolete_bool( "tls-check-hostname" );
-
- add_submodule();
- set_description( _("GnuTLS server") );
- set_capability( "tls server", 1 );
- set_category( CAT_ADVANCED );
- set_subcategory( SUBCAT_ADVANCED_MISC );
- set_callbacks( OpenServer, CloseServer );
-
- add_obsolete_integer( "gnutls-dh-bits" );
+vlc_module_begin ()
+ set_shortname( "GnuTLS" )
+ set_description( N_("GnuTLS transport layer security") )
+ set_capability( "tls client", 1 )
+ set_callbacks( OpenClient, CloseClient )
+ set_category( CAT_ADVANCED )
+ set_subcategory( SUBCAT_ADVANCED_MISC )
+
+ add_obsolete_bool( "tls-check-cert" )
+ add_obsolete_bool( "tls-check-hostname" )
+
+ add_submodule ()
+ set_description( N_("GnuTLS server") )
+ set_capability( "tls server", 1 )
+ set_category( CAT_ADVANCED )
+ set_subcategory( SUBCAT_ADVANCED_MISC )
+ set_callbacks( OpenServer, CloseServer )
+
+ add_obsolete_integer( "gnutls-dh-bits" )
add_integer( "gnutls-cache-timeout", CACHE_TIMEOUT, NULL,
- CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, VLC_TRUE );
+ CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, true )
add_integer( "gnutls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT,
- CACHE_SIZE_LONGTEXT, VLC_TRUE );
-vlc_module_end();
-
-
-
-#ifdef LIBVLC_USE_PTHREAD
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-# define gcry_threads_vlc gcry_threads_pthread
-#else
-/**
- * gcrypt thread option VLC implementation
- */
-
-# define NEED_THREAD_CONTEXT 1
-static vlc_object_t *__p_gcry_data = NULL;
-
-static int gcry_vlc_mutex_init( void **p_sys )
-{
- int i_val;
- vlc_mutex_t *p_lock = (vlc_mutex_t *)malloc( sizeof( vlc_mutex_t ) );
-
- if( p_lock == NULL)
- return ENOMEM;
-
- i_val = vlc_mutex_init( __p_gcry_data, p_lock );
- if( i_val )
- free( p_lock );
- else
- *p_sys = p_lock;
- return i_val;
-}
-
-static int gcry_vlc_mutex_destroy( void **p_sys )
-{
- int i_val;
- vlc_mutex_t *p_lock = (vlc_mutex_t *)*p_sys;
-
- i_val = vlc_mutex_destroy( p_lock );
- free( p_lock );
- return i_val;
-}
-
-static int gcry_vlc_mutex_lock( void **p_sys )
-{
- return vlc_mutex_lock( (vlc_mutex_t *)*p_sys );
-}
-
-static int gcry_vlc_mutex_unlock( void **lock )
-{
- return vlc_mutex_unlock( (vlc_mutex_t *)*lock );
-}
-
-static struct gcry_thread_cbs gcry_threads_vlc =
-{
- GCRY_THREAD_OPTION_USER,
- NULL,
- gcry_vlc_mutex_init,
- gcry_vlc_mutex_destroy,
- gcry_vlc_mutex_lock,
- gcry_vlc_mutex_unlock
-};
-#endif
+ CACHE_SIZE_LONGTEXT, true )
+vlc_module_end ()
+static vlc_mutex_t gnutls_mutex = VLC_STATIC_MUTEX;
/**
* Initializes GnuTLS with proper locking.
{
int ret = VLC_EGENERIC;
- vlc_mutex_t *lock = var_GetGlobalMutex ("gnutls_mutex");
- vlc_mutex_lock (lock);
-
- /* This should probably be removed/fixed. It will screw up with multiple
- * LibVLC instances. */
-#ifdef NEED_THREAD_CONTEXT
- __p_gcry_data = VLC_OBJECT (p_this->p_libvlc);
-#endif
+ vlc_gcrypt_init (); /* GnuTLS depends on gcrypt */
- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_vlc);
+ vlc_mutex_lock (&gnutls_mutex);
if (gnutls_global_init ())
{
msg_Err (p_this, "cannot initialize GnuTLS");
ret = VLC_SUCCESS;
error:
- vlc_mutex_unlock (lock);
+ vlc_mutex_unlock (&gnutls_mutex);
return ret;
}
*/
static void gnutls_Deinit (vlc_object_t *p_this)
{
- vlc_mutex_t *lock = var_GetGlobalMutex( "gnutls_mutex" );
- vlc_mutex_lock (lock);
+ vlc_mutex_lock (&gnutls_mutex);
gnutls_global_deinit ();
msg_Dbg (p_this, "GnuTLS deinitialized");
- vlc_mutex_unlock (lock);
+ vlc_mutex_unlock (&gnutls_mutex);
}
switch (val)
{
case GNUTLS_E_AGAIN:
-#ifndef WIN32
+#ifdef WIN32
+ WSASetLastError (WSAEWOULDBLOCK);
+#else
errno = EAGAIN;
- break;
#endif
- /* WinSock does not return EAGAIN, return EINTR instead */
+ break;
case GNUTLS_E_INTERRUPTED:
#ifdef WIN32
{
gnutls_session_t session;
char *psz_hostname;
- vlc_bool_t b_handshaked;
+ bool b_handshaked;
};
/**
* Starts or continues the TLS handshake.
*
- * @return -1 on fatal error, 0 on succesful handshake completion,
+ * @return -1 on fatal error, 0 on successful handshake completion,
* 1 if more would-be blocking recv is needed,
* 2 if more would-be blocking send is required.
*/
return -1;
}
- p_sys->b_handshaked = VLC_TRUE;
+ p_sys->b_handshaked = true;
return 0;
}
goto error;
}
- if( p_sys->psz_hostname != NULL )
+ assert( p_sys->psz_hostname != NULL );
+ if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
{
- if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
- {
- msg_Err( session, "Certificate does not match \"%s\"",
- p_sys->psz_hostname );
- goto error;
- }
+ msg_Err( session, "Certificate does not match \"%s\"",
+ p_sys->psz_hostname );
+ goto error;
}
- else
- msg_Warn( session, "Certificate and hostname were not verified" );
if( gnutls_x509_crt_get_expiration_time( cert ) < time( NULL ) )
{
/* Note that ordering matters (on the client side) */
static const int protos[] =
{
+ /*GNUTLS_TLS1_2, as of GnuTLS 2.6.5, still not ratified */
GNUTLS_TLS1_1,
GNUTLS_TLS1_0,
GNUTLS_SSL3,
};
static const int macs[] =
{
+ GNUTLS_MAC_SHA512,
+ GNUTLS_MAC_SHA384,
+ GNUTLS_MAC_SHA256,
GNUTLS_MAC_SHA1,
GNUTLS_MAC_RMD160, // RIPEMD
GNUTLS_MAC_MD5,
GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_3DES_CBC,
GNUTLS_CIPHER_ARCFOUR_128,
+ // TODO? Camellia ciphers?
//GNUTLS_CIPHER_DES_CBC,
//GNUTLS_CIPHER_ARCFOUR_40,
//GNUTLS_CIPHER_RC2_40_CBC,
static int
gnutls_Addx509File( vlc_object_t *p_this,
gnutls_certificate_credentials_t cred,
- const char *psz_path, vlc_bool_t b_priv );
+ const char *psz_path, bool b_priv );
static int
gnutls_Addx509Directory( vlc_object_t *p_this,
gnutls_certificate_credentials_t cred,
const char *psz_dirname,
- vlc_bool_t b_priv )
+ bool b_priv )
{
DIR* dir;
if( *psz_dirname == '\0' )
psz_dirname = ".";
- dir = utf8_opendir( psz_dirname );
+ dir = vlc_opendir( psz_dirname );
if( dir == NULL )
{
if (errno != ENOENT)
msg_Dbg (p_this, "creating empty certificate directory: %s",
psz_dirname);
- utf8_mkdir (psz_dirname, b_priv ? 0700 : 0755);
+ vlc_mkdir (psz_dirname, b_priv ? 0700 : 0755);
return VLC_SUCCESS;
}
#ifdef S_ISLNK
* that the inode is still the same, to avoid TOCTOU race condition.
*/
if( ( fd == -1)
- || fstat( fd, &st1 ) || utf8_lstat( psz_dirname, &st2 )
+ || fstat( fd, &st1 ) || vlc_lstat( psz_dirname, &st2 )
|| S_ISLNK( st2.st_mode ) || ( st1.st_ino != st2.st_ino ) )
{
closedir( dir );
for (;;)
{
- char *ent = utf8_readdir (dir);
+ char *ent = vlc_readdir (dir);
if (ent == NULL)
break;
if ((strcmp (ent, ".") == 0) || (strcmp (ent, "..") == 0))
+ {
+ free( ent );
continue;
+ }
char path[strlen (psz_dirname) + strlen (ent) + 2];
sprintf (path, "%s"DIR_SEP"%s", psz_dirname, ent);
static int
gnutls_Addx509File( vlc_object_t *p_this,
gnutls_certificate_credentials cred,
- const char *psz_path, vlc_bool_t b_priv )
+ const char *psz_path, bool b_priv )
{
struct stat st;
- if( utf8_stat( psz_path, &st ) == 0 )
+ int fd = vlc_open (psz_path, O_RDONLY);
+ if (fd == -1)
+ goto error;
+
+ block_t *block = block_File (fd);
+ if (block != NULL)
{
- if( S_ISREG( st.st_mode ) )
- {
- char *psz_localname = ToLocale( psz_path );
- int i = b_priv
- ? gnutls_certificate_set_x509_key_file( cred,
- psz_localname, psz_localname, GNUTLS_X509_FMT_PEM )
- : gnutls_certificate_set_x509_trust_file( cred,
- psz_localname, GNUTLS_X509_FMT_PEM );
- LocaleFree( psz_localname );
-
- if( i < 0 )
- {
- msg_Warn( p_this, "cannot add x509 credentials (%s): %s",
- psz_path, gnutls_strerror( i ) );
- return VLC_EGENERIC;
- }
- else
- {
- msg_Dbg( p_this, "added x509 credentials (%s)",
- psz_path );
- return VLC_SUCCESS;
- }
- }
- else if( S_ISDIR( st.st_mode ) )
+ close (fd);
+
+ gnutls_datum data = {
+ .data = block->p_buffer,
+ .size = block->i_buffer,
+ };
+ int res = b_priv
+ ? gnutls_certificate_set_x509_key_mem (cred, &data, &data,
+ GNUTLS_X509_FMT_PEM)
+ : gnutls_certificate_set_x509_trust_mem (cred, &data,
+ GNUTLS_X509_FMT_PEM);
+ block_Release (block);
+
+ if (res < 0)
{
- msg_Dbg( p_this,
- "looking recursively for x509 credentials in %s",
- psz_path );
- return gnutls_Addx509Directory( p_this, cred, psz_path, b_priv);
+ msg_Warn (p_this, "cannot add x509 credentials (%s): %s",
+ psz_path, gnutls_strerror (res));
+ return VLC_EGENERIC;
}
+ msg_Dbg (p_this, "added x509 credentials (%s)", psz_path);
+ return VLC_SUCCESS;
}
- else
- msg_Warn( p_this, "cannot add x509 credentials (%s): %m", psz_path );
+
+ if (!fstat (fd, &st) && S_ISDIR (st.st_mode))
+ {
+ close (fd);
+ msg_Dbg (p_this, "looking recursively for x509 credentials in %s",
+ psz_path);
+ return gnutls_Addx509Directory (p_this, cred, psz_path, b_priv);
+ }
+
+error:
+ msg_Warn (p_this, "cannot add x509 credentials (%s): %m", psz_path);
+ if (fd != -1)
+ close (fd);
return VLC_EGENERIC;
}
p_session->sock.pf_recv = gnutls_Recv;
p_session->pf_set_fd = gnutls_SetFD;
- p_sys->session.b_handshaked = VLC_FALSE;
- p_sys->session.psz_hostname = NULL;
-
- const char *homedir = obj->p_libvlc->psz_datadir,
- *datadir = config_GetDataDir ();
- size_t l1 = strlen (homedir), l2 = strlen (datadir);
- char path[((l1 > l2) ? l1 : l2) + sizeof ("/ca-certificates.crt")];
- // > sizeof ("/ssl/private")
- // > sizeof ("/ssl/certs")
+ p_sys->session.b_handshaked = false;
i_val = gnutls_certificate_allocate_credentials (&p_sys->x509_cred);
if (i_val != 0)
goto error;
}
- sprintf (path, "%s/ssl", homedir);
- utf8_mkdir (path, 0755);
-
- if (var_CreateGetBool (obj, "tls-check-cert"))
+ char *userdir = config_GetUserDir ( VLC_DATA_DIR );
+ if (userdir != NULL)
{
- sprintf (path, "%s/ssl/certs", homedir);
+ char path[strlen (userdir) + sizeof ("/ssl/private")];
+ sprintf (path, "%s/ssl", userdir);
+ vlc_mkdir (path, 0755);
+
+ sprintf (path, "%s/ssl/certs", userdir);
gnutls_Addx509Directory (VLC_OBJECT (p_session),
- p_sys->x509_cred, path, VLC_FALSE);
+ p_sys->x509_cred, path, false);
+ sprintf (path, "%s/ssl/private", userdir);
+ gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
+ path, true);
+ free (userdir);
+ }
- sprintf (path, "%s/ca-certificates.crt", datadir);
+ const char *confdir = config_GetConfDir ();
+ {
+ char path[strlen (confdir)
+ + sizeof ("/ssl/certs/ca-certificates.crt")];
+ sprintf (path, "%s/ssl/certs/ca-certificates.crt", confdir);
gnutls_Addx509File (VLC_OBJECT (p_session),
- p_sys->x509_cred, path, VLC_FALSE);
- p_session->pf_handshake = gnutls_HandshakeAndValidate;
+ p_sys->x509_cred, path, false);
}
- else
- p_session->pf_handshake = gnutls_ContinueHandshake;
-
- sprintf (path, "%s/ssl/private", homedir);
- gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
- path, VLC_TRUE);
+ p_session->pf_handshake = gnutls_HandshakeAndValidate;
+ /*p_session->pf_handshake = gnutls_ContinueHandshake;*/
i_val = gnutls_init (&p_sys->session.session, GNUTLS_CLIENT);
if (i_val != 0)
}
char *servername = var_GetNonEmptyString (p_session, "tls-server-name");
- if (servername != NULL )
- {
- p_sys->session.psz_hostname = servername;
+ if (servername == NULL )
+ msg_Err (p_session, "server name missing for TLS session");
+ else
gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
servername, strlen (servername));
- }
+
+ p_sys->session.psz_hostname = servername;
return VLC_SUCCESS;
tls_session_t *client = (tls_session_t *)obj;
tls_client_sys_t *p_sys = (tls_client_sys_t *)(client->p_sys);
- if (p_sys->session.b_handshaked == VLC_TRUE)
+ if (p_sys->session.b_handshaked == true)
gnutls_bye (p_sys->session.session, GNUTLS_SHUT_WR);
gnutls_deinit (p_sys->session.session);
/* credentials must be free'd *after* gnutls_deinit() */
tls_session_sys_t *p_sys = p_session->p_sys;
(void)p_server;
- if( p_sys->b_handshaked == VLC_TRUE )
+ if( p_sys->b_handshaked == true )
gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
gnutls_deinit( p_sys->session );
- vlc_object_detach( p_session );
- vlc_object_destroy( p_session );
+ vlc_object_release( p_session );
free( p_sys );
}
p_session->p_sys = malloc( sizeof(struct tls_session_sys_t) );
if( p_session->p_sys == NULL )
{
- vlc_object_destroy( p_session );
+ vlc_object_release( p_session );
return NULL;
}
p_session->pf_set_fd = gnutls_SetFD;
p_session->pf_handshake = p_server_sys->pf_handshake;
- p_session->p_sys->b_handshaked = VLC_FALSE;
+ p_session->p_sys->b_handshaked = false;
p_session->p_sys->psz_hostname = NULL;
i_val = gnutls_init( &session, GNUTLS_SERVER );
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
/* Session resumption support */
- i_val = config_GetInt (p_server, "gnutls-cache-timeout");
- gnutls_db_set_cache_expiration (session, i_val);
+ i_val = var_InheritInteger (p_server, "gnutls-cache-timeout");
+ if (i_val >= 0)
+ gnutls_db_set_cache_expiration (session, i_val);
gnutls_db_set_retrieve_function( session, cb_fetch );
gnutls_db_set_remove_function( session, cb_delete );
gnutls_db_set_store_function( session, cb_store );
error:
free( p_session->p_sys );
- vlc_object_detach( p_session );
- vlc_object_destroy( p_session );
+ vlc_object_release( p_session );
return NULL;
}
if( p_sys == NULL )
return VLC_ENOMEM;
- p_sys->i_cache_size = config_GetInt (obj, "gnutls-cache-size");
+ p_sys->i_cache_size = var_InheritInteger (obj, "gnutls-cache-size");
+ if (p_sys->i_cache_size == -1) /* Duh, config subsystem exploded?! */
+ p_sys->i_cache_size = 0;
p_sys->p_cache = calloc (p_sys->i_cache_size,
sizeof (struct saved_session_t));
if (p_sys->p_cache == NULL)
/* No certificate validation by default */
p_sys->pf_handshake = gnutls_ContinueHandshake;
- vlc_mutex_init( p_server, &p_sys->cache_lock );
+ vlc_mutex_init( &p_sys->cache_lock );
/* Sets server's credentials */
val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );