Add vlclua_dir_list_free to free list created by vlclua_dir_list and use it.

[vlc] / modules / misc / gnutls.c
diff --git a/modules/misc/gnutls.c b/modules/misc/gnutls.c

index da50844e2edd05ad94079fdfd13d2e8ab5a9b538..622807bdfd7e7d640359497dff78b67a7a9a7ff6 100644 (file)
--- a/modules/misc/gnutls.c
+++ b/modules/misc/gnutls.c
@@ -25,7 +25,12 @@
   * Preamble
   *****************************************************************************/
  
-#include <vlc/vlc.h>
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <vlc_common.h>
+#include <vlc_plugin.h>
  #include <errno.h>
  #include <time.h>
  
@@ -36,23 +41,32 @@
  #endif
  #ifdef HAVE_SYS_STAT_H
  # include <sys/stat.h>
-# ifdef HAVE_UNISTD_H
-#  include <unistd.h>
-# endif
  #endif
+#ifdef WIN32
+# include <io.h>
+#else
+# include <unistd.h>
+#endif
+# include <fcntl.h>
  
  
-#include "vlc_tls.h"
+#include <vlc_tls.h>
  #include <vlc_charset.h>
+#include <vlc_block.h>
  
  #include <gcrypt.h>
  #include <gnutls/gnutls.h>
  #include <gnutls/x509.h>
  
-#define DH_BITS           1024
+#include <vlc_gcrypt.h>
+
  #define CACHE_TIMEOUT     3600
  #define CACHE_SIZE          64
  
+#include "dhparams.h"
+
+#include <assert.h>
+
  /*****************************************************************************
   * Module descriptor
   *****************************************************************************/
@@ -61,12 +75,6 @@ static void CloseClient (vlc_object_t *);
  static int  OpenServer  (vlc_object_t *);
  static void CloseServer (vlc_object_t *);
  
-#define DH_BITS_TEXT N_("Diffie-Hellman prime bits")
-#define DH_BITS_LONGTEXT N_( \
-    "This allows you to modify the Diffie-Hellman prime's number of bits, " \
-    "used for TLS or SSL-based server-side encryption. This is generally " \
-    "not needed." )
-
  #define CACHE_TIMEOUT_TEXT N_("Expiration time for resumed TLS sessions")
  #define CACHE_TIMEOUT_LONGTEXT N_( \
      "It is possible to cache the resumed TLS sessions. This is the expiration "\
@@ -77,99 +85,31 @@ static void CloseServer (vlc_object_t *);
      "This is the maximum number of resumed TLS sessions that " \
      "the cache will hold." )
  
-#define CHECK_CERT_TEXT N_("Check TLS/SSL server certificate validity")
-#define CHECK_CERT_LONGTEXT N_( \
-    "This ensures that the server certificate is valid " \
-    "(i.e. signed by an approved Certification Authority)." )
-
  vlc_module_begin();
      set_shortname( "GnuTLS" );
-    set_description( _("GnuTLS transport layer security") );
+    set_description( N_("GnuTLS transport layer security") );
      set_capability( "tls client", 1 );
      set_callbacks( OpenClient, CloseClient );
      set_category( CAT_ADVANCED );
      set_subcategory( SUBCAT_ADVANCED_MISC );
  
-    add_bool( "tls-check-cert", VLC_TRUE, NULL, CHECK_CERT_TEXT,
-              CHECK_CERT_LONGTEXT, VLC_FALSE );
+    add_obsolete_bool( "tls-check-cert" );
      add_obsolete_bool( "tls-check-hostname" );
  
      add_submodule();
-        set_description( _("GnuTLS server") );
+        set_description( N_("GnuTLS server") );
          set_capability( "tls server", 1 );
          set_category( CAT_ADVANCED );
          set_subcategory( SUBCAT_ADVANCED_MISC );
          set_callbacks( OpenServer, CloseServer );
  
-        add_integer( "gnutls-dh-bits", DH_BITS, NULL, DH_BITS_TEXT,
-                    DH_BITS_LONGTEXT, VLC_TRUE );
+        add_obsolete_integer( "gnutls-dh-bits" );
          add_integer( "gnutls-cache-timeout", CACHE_TIMEOUT, NULL,
-                    CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, VLC_TRUE );
+                    CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, true );
          add_integer( "gnutls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT,
-                    CACHE_SIZE_LONGTEXT, VLC_TRUE );
+                    CACHE_SIZE_LONGTEXT, true );
  vlc_module_end();
  
-
-
-#ifdef LIBVLC_USE_PTHREAD
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-# define gcry_threads_vlc gcry_threads_pthread
-#else
-/**
- * gcrypt thread option VLC implementation
- */
-
-# define NEED_THREAD_CONTEXT 1
-static vlc_object_t *__p_gcry_data = NULL;
-
-static int gcry_vlc_mutex_init( void **p_sys )
-{
-    int i_val;
-    vlc_mutex_t *p_lock = (vlc_mutex_t *)malloc( sizeof( vlc_mutex_t ) );
-
-    if( p_lock == NULL)
-        return ENOMEM;
-
-    i_val = vlc_mutex_init( __p_gcry_data, p_lock );
-    if( i_val )
-        free( p_lock );
-    else
-        *p_sys = p_lock;
-    return i_val;
-}
-
-static int gcry_vlc_mutex_destroy( void **p_sys )
-{
-    int i_val;
-    vlc_mutex_t *p_lock = (vlc_mutex_t *)*p_sys;
-
-    i_val = vlc_mutex_destroy( p_lock );
-    free( p_lock );
-    return i_val;
-}
-
-static int gcry_vlc_mutex_lock( void **p_sys )
-{
-    return vlc_mutex_lock( (vlc_mutex_t *)*p_sys );
-}
-
-static int gcry_vlc_mutex_unlock( void **lock )
-{
-    return vlc_mutex_unlock( (vlc_mutex_t *)*lock );
-}
-
-static struct gcry_thread_cbs gcry_threads_vlc =
-{
-    GCRY_THREAD_OPTION_USER,
-    NULL,
-    gcry_vlc_mutex_init,
-    gcry_vlc_mutex_destroy,
-    gcry_vlc_mutex_lock,
-    gcry_vlc_mutex_unlock
-};
-#endif
-
-
  /**
   * Initializes GnuTLS with proper locking.
   * @return VLC_SUCCESS on success, a VLC error code otherwise.
@@ -178,16 +118,9 @@ static int gnutls_Init (vlc_object_t *p_this)
  {
      int ret = VLC_EGENERIC;
  
-    vlc_mutex_t *lock = var_GetGlobalMutex ("gnutls_mutex");
-    vlc_mutex_lock (lock);
+    vlc_gcrypt_init (); /* GnuTLS depends on gcrypt */
  
-    /* This should probably be removed/fixed. It will screw up with multiple
-     * LibVLC instances. */
-#ifdef NEED_THREAD_CONTEXT
-    __p_gcry_data = VLC_OBJECT (p_this->p_libvlc);
-#endif
-
-    gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_vlc);
+    vlc_mutex_t *lock = var_AcquireMutex ("gnutls_mutex");
      if (gnutls_global_init ())
      {
          msg_Err (p_this, "cannot initialize GnuTLS");
@@ -216,8 +149,7 @@ error:
   */
  static void gnutls_Deinit (vlc_object_t *p_this)
  {
-    vlc_mutex_t *lock = var_GetGlobalMutex( "gnutls_mutex" );
-    vlc_mutex_lock (lock);
+    vlc_mutex_t *lock = var_AcquireMutex( "gnutls_mutex" );
  
      gnutls_global_deinit ();
      msg_Dbg (p_this, "GnuTLS deinitialized");
@@ -262,9 +194,9 @@ static int gnutls_Error (vlc_object_t *obj, int val)
  
  struct tls_session_sys_t
  {
-    gnutls_session  session;
-    char                          *psz_hostname;
-    vlc_bool_t      b_handshaked;
+    gnutls_session_t session;
+    char            *psz_hostname;
+    bool       b_handshaked;
  };
  
  
@@ -330,7 +262,7 @@ gnutls_ContinueHandshake (tls_session_t *p_session)
          return -1;
      }
  
-    p_sys->b_handshaked = VLC_TRUE;
+    p_sys->b_handshaked = true;
      return 0;
  }
  
@@ -397,15 +329,15 @@ gnutls_HandshakeAndValidate( tls_session_t *session )
      }
  
      /* certificate (host)name verification */
-    const gnutls_datum *data = gnutls_certificate_get_peers( p_sys->session,
-                                                             &(unsigned){0} );
+    const gnutls_datum_t *data;
+    data = gnutls_certificate_get_peers (p_sys->session, &(unsigned){0});
      if( data == NULL )
      {
          msg_Err( session, "Peer certificate not available" );
          return -1;
      }
  
-    gnutls_x509_crt cert;
+    gnutls_x509_crt_t cert;
      val = gnutls_x509_crt_init( &cert );
      if( val )
      {
@@ -421,17 +353,13 @@ gnutls_HandshakeAndValidate( tls_session_t *session )
          goto error;
      }
  
-    if( p_sys->psz_hostname != NULL )
+    assert( p_sys->psz_hostname != NULL );
+    if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
      {
-        if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
-        {
-            msg_Err( session, "Certificate does not match \"%s\"",
-                     p_sys->psz_hostname );
-            goto error;
-        }
+        msg_Err( session, "Certificate does not match \"%s\"",
+                 p_sys->psz_hostname );
+        goto error;
      }
-    else
-        msg_Warn( session, "Certificate and hostname were not verified" );
  
      if( gnutls_x509_crt_get_expiration_time( cert ) < time( NULL ) )
      {
@@ -463,7 +391,7 @@ static void
  gnutls_SetFD (tls_session_t *p_session, int fd)
  {
      gnutls_transport_set_ptr (p_session->p_sys->session,
-                              (gnutls_transport_ptr)(intptr_t)fd);
+                              (gnutls_transport_ptr_t)(intptr_t)fd);
  }
  
  typedef int (*tls_prio_func) (gnutls_session_t, const int *);
@@ -572,14 +500,14 @@ gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
  
  static int
  gnutls_Addx509File( vlc_object_t *p_this,
-                    gnutls_certificate_credentials cred,
-                    const char *psz_path, vlc_bool_t b_priv );
+                    gnutls_certificate_credentials_t cred,
+                    const char *psz_path, bool b_priv );
  
  static int
  gnutls_Addx509Directory( vlc_object_t *p_this,
-                         gnutls_certificate_credentials cred,
+                         gnutls_certificate_credentials_t cred,
                           const char *psz_dirname,
-                         vlc_bool_t b_priv )
+                         bool b_priv )
  {
      DIR* dir;
  
@@ -589,8 +517,16 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
      dir = utf8_opendir( psz_dirname );
      if( dir == NULL )
      {
-        msg_Warn( p_this, "cannot open directory (%s): %m", psz_dirname );
-        return VLC_EGENERIC;
+        if (errno != ENOENT)
+        {
+            msg_Err (p_this, "cannot open directory (%s): %m", psz_dirname);
+            return VLC_EGENERIC;
+        }
+
+        msg_Dbg (p_this, "creating empty certificate directory: %s",
+                 psz_dirname);
+        utf8_mkdir (psz_dirname, b_priv ? 0700 : 0755);
+        return VLC_SUCCESS;
      }
  #ifdef S_ISLNK
      else
@@ -637,45 +573,52 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
  static int
  gnutls_Addx509File( vlc_object_t *p_this,
                      gnutls_certificate_credentials cred,
-                    const char *psz_path, vlc_bool_t b_priv )
+                    const char *psz_path, bool b_priv )
  {
      struct stat st;
  
-    if( utf8_stat( psz_path, &st ) == 0 )
+    int fd = utf8_open (psz_path, O_RDONLY, 0);
+    if (fd == -1)
+        goto error;
+
+    block_t *block = block_File (fd);
+    if (block != NULL)
      {
-        if( S_ISREG( st.st_mode ) )
+        close (fd);
+
+        gnutls_datum data = {
+            .data = block->p_buffer,
+            .size = block->i_buffer,
+        };
+        int res = b_priv
+            ? gnutls_certificate_set_x509_key_mem (cred, &data, &data,
+                                                   GNUTLS_X509_FMT_PEM)
+            : gnutls_certificate_set_x509_trust_mem (cred, &data,
+                                                     GNUTLS_X509_FMT_PEM);
+        block_Release (block);
+
+        if (res < 0)
          {
-            char *psz_localname = ToLocale( psz_path );
-            int i = b_priv
-                    ? gnutls_certificate_set_x509_key_file( cred,
-                    psz_localname,  psz_localname, GNUTLS_X509_FMT_PEM )
-                : gnutls_certificate_set_x509_trust_file( cred,
-                        psz_localname, GNUTLS_X509_FMT_PEM );
-            LocaleFree( psz_localname );
-
-            if( i < 0 )
-            {
-                msg_Warn( p_this, "cannot add x509 credentials (%s): %s",
-                          psz_path, gnutls_strerror( i ) );
-                return VLC_EGENERIC;
-            }
-            else
-            {
-                msg_Dbg( p_this, "added x509 credentials (%s)",
-                         psz_path );
-                return VLC_SUCCESS;
-            }
-        }
-        else if( S_ISDIR( st.st_mode ) )
-        {
-            msg_Dbg( p_this,
-                     "looking recursively for x509 credentials in %s",
-                     psz_path );
-            return gnutls_Addx509Directory( p_this, cred, psz_path, b_priv);
+            msg_Warn (p_this, "cannot add x509 credentials (%s): %s",
+                      psz_path, gnutls_strerror (res));
+            return VLC_EGENERIC;
          }
+        msg_Dbg (p_this, "added x509 credentials (%s)", psz_path);
+        return VLC_SUCCESS;
      }
-    else
-        msg_Warn( p_this, "cannot add x509 credentials (%s): %m", psz_path );
+
+    if (!fstat (fd, &st) && S_ISDIR (st.st_mode))
+    {
+        close (fd);
+        msg_Dbg (p_this, "looking recursively for x509 credentials in %s",
+                 psz_path);
+        return gnutls_Addx509Directory (p_this, cred, psz_path, b_priv);
+    }
+
+error:
+    msg_Warn (p_this, "cannot add x509 credentials (%s): %m", psz_path);
+    if (fd != -1)
+        close (fd);
      return VLC_EGENERIC;
  }
  
@@ -683,8 +626,8 @@ gnutls_Addx509File( vlc_object_t *p_this,
  /** TLS client session data */
  typedef struct tls_client_sys_t
  {
-    struct tls_session_sys_t       session;
-    gnutls_certificate_credentials x509_cred;
+    struct tls_session_sys_t         session;
+    gnutls_certificate_credentials_t x509_cred;
  } tls_client_sys_t;
  
  
@@ -712,15 +655,7 @@ static int OpenClient (vlc_object_t *obj)
      p_session->sock.pf_recv = gnutls_Recv;
      p_session->pf_set_fd = gnutls_SetFD;
  
-    p_sys->session.b_handshaked = VLC_FALSE;
-    p_sys->session.psz_hostname = NULL;
-
-    const char *homedir = obj->p_libvlc->psz_datadir,
-               *datadir = config_GetDataDir ();
-    size_t l1 = strlen (homedir), l2 = strlen (datadir);
-    char path[((l1 > l2) ? l1 : l2) + sizeof ("/ca-certificates.crt")];
-    //                              > sizeof ("/ssl/private")
-    //                              > sizeof ("/ssl/certs")
+    p_sys->session.b_handshaked = false;
  
      i_val = gnutls_certificate_allocate_credentials (&p_sys->x509_cred);
      if (i_val != 0)
@@ -730,23 +665,32 @@ static int OpenClient (vlc_object_t *obj)
          goto error;
      }
  
-    if (var_CreateGetBool (obj, "tls-check-cert"))
+    char *userdir = config_GetUserDataDir ();
+    if (userdir != NULL)
      {
-        sprintf (path, "%s/ssl/certs", homedir);
+        char path[strlen (userdir) + sizeof ("/ssl/private")];
+        sprintf (path, "%s/ssl", userdir);
+        utf8_mkdir (path, 0755);
+
+        sprintf (path, "%s/ssl/certs", userdir);
          gnutls_Addx509Directory (VLC_OBJECT (p_session),
-                                  p_sys->x509_cred, path, VLC_FALSE);
+                                 p_sys->x509_cred, path, false);
+        sprintf (path, "%s/ssl/private", userdir);
+        gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
+                                 path, true);
+        free (userdir);
+    }
  
-        sprintf (path, "%s/ca-certificates.crt", datadir);
+    const char *confdir = config_GetConfDir ();
+    {
+        char path[strlen (confdir)
+                   + sizeof ("/ssl/certs/ca-certificates.crt")];
+        sprintf (path, "%s/ssl/certs/ca-certificates.crt", confdir);
          gnutls_Addx509File (VLC_OBJECT (p_session),
-                            p_sys->x509_cred, path, VLC_FALSE);
-        p_session->pf_handshake = gnutls_HandshakeAndValidate;
+                            p_sys->x509_cred, path, false);
      }
-    else
-        p_session->pf_handshake = gnutls_ContinueHandshake;
-
-    sprintf (path, "%s/ssl/private", homedir);
-    gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
-                             path, VLC_TRUE);
+    p_session->pf_handshake = gnutls_HandshakeAndValidate;
+    /*p_session->pf_handshake = gnutls_ContinueHandshake;*/
  
      i_val = gnutls_init (&p_sys->session.session, GNUTLS_CLIENT);
      if (i_val != 0)
@@ -761,6 +705,9 @@ static int OpenClient (vlc_object_t *obj)
                                    p_sys->session.session))
          goto s_error;
  
+    /* minimum DH prime bits */
+    gnutls_dh_set_prime_bits (p_sys->session.session, 1024);
+
      i_val = gnutls_credentials_set (p_sys->session.session,
                                      GNUTLS_CRD_CERTIFICATE,
                                      p_sys->x509_cred);
@@ -772,12 +719,12 @@ static int OpenClient (vlc_object_t *obj)
      }
  
      char *servername = var_GetNonEmptyString (p_session, "tls-server-name");
-    if (servername != NULL )
-    {
-        p_sys->session.psz_hostname = servername;
-        gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
-                                servername, strlen (servername));
-    }
+    if (servername == NULL )
+        msg_Err (p_session, "server name missing for TLS session");
+
+    p_sys->session.psz_hostname = servername;
+    gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
+                            servername, strlen (servername));
  
      return VLC_SUCCESS;
  
@@ -796,7 +743,7 @@ static void CloseClient (vlc_object_t *obj)
      tls_session_t *client = (tls_session_t *)obj;
      tls_client_sys_t *p_sys = (tls_client_sys_t *)(client->p_sys);
  
-    if (p_sys->session.b_handshaked == VLC_TRUE)
+    if (p_sys->session.b_handshaked == true)
          gnutls_bye (p_sys->session.session, GNUTLS_SHUT_WR);
      gnutls_deinit (p_sys->session.session);
      /* credentials must be free'd *after* gnutls_deinit() */
@@ -813,15 +760,15 @@ static void CloseClient (vlc_object_t *obj)
   */
  struct tls_server_sys_t
  {
-    gnutls_certificate_credentials  x509_cred;
-    gnutls_dh_params                dh_params;
+    gnutls_certificate_credentials_t x509_cred;
+    gnutls_dh_params_t               dh_params;
  
      struct saved_session_t          *p_cache;
      struct saved_session_t          *p_store;
-    int                             i_cache_size;
-    vlc_mutex_t                     cache_lock;
+    int                              i_cache_size;
+    vlc_mutex_t                      cache_lock;
  
-    int                             (*pf_handshake)( tls_session_t * );
+    int                            (*pf_handshake) (tls_session_t *);
  };
  
  
@@ -869,7 +816,7 @@ static int cb_store( void *p_server, gnutls_datum key, gnutls_datum data )
  
  static gnutls_datum cb_fetch( void *p_server, gnutls_datum key )
  {
-    static const gnutls_datum err_datum = { NULL, 0 };
+    static const gnutls_datum_t err_datum = { NULL, 0 };
      tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys;
      saved_session_t *p_session, *p_end;
  
@@ -883,7 +830,7 @@ static gnutls_datum cb_fetch( void *p_server, gnutls_datum key )
          if( ( p_session->i_idlen == key.size )
           && !memcmp( p_session->id, key.data, key.size ) )
          {
-            gnutls_datum data;
+            gnutls_datum_t data;
  
              data.size = p_session->i_datalen;
  
@@ -945,12 +892,12 @@ gnutls_SessionClose (tls_server_t *p_server, tls_session_t *p_session)
      tls_session_sys_t *p_sys = p_session->p_sys;
      (void)p_server;
  
-    if( p_sys->b_handshaked == VLC_TRUE )
+    if( p_sys->b_handshaked == true )
          gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
      gnutls_deinit( p_sys->session );
  
      vlc_object_detach( p_session );
-    vlc_object_destroy( p_session );
+    vlc_object_release( p_session );
  
      free( p_sys );
  }
@@ -964,7 +911,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
  {
      tls_session_t *p_session;
      tls_server_sys_t *p_server_sys;
-    gnutls_session session;
+    gnutls_session_t session;
      int i_val;
  
      p_session = vlc_object_create( p_server, sizeof (struct tls_session_t) );
@@ -974,7 +921,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
      p_session->p_sys = malloc( sizeof(struct tls_session_sys_t) );
      if( p_session->p_sys == NULL )
      {
-        vlc_object_destroy( p_session );
+        vlc_object_release( p_session );
          return NULL;
      }
  
@@ -985,7 +932,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
      p_session->pf_set_fd = gnutls_SetFD;
      p_session->pf_handshake = p_server_sys->pf_handshake;
  
-    p_session->p_sys->b_handshaked = VLC_FALSE;
+    p_session->p_sys->b_handshaked = false;
      p_session->p_sys->psz_hostname = NULL;
  
      i_val = gnutls_init( &session, GNUTLS_SERVER );
@@ -1017,11 +964,8 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
      if (p_session->pf_handshake == gnutls_HandshakeAndValidate)
          gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
  
-    i_val = config_GetInt (p_server, "gnutls-dh-bits");
-    gnutls_dh_set_prime_bits (session, i_val);
-
      /* Session resumption support */
-    i_val = config_GetInt (p_server, "gnutls-cache-expiration");
+    i_val = config_GetInt (p_server, "gnutls-cache-timeout");
      gnutls_db_set_cache_expiration (session, i_val);
      gnutls_db_set_retrieve_function( session, cb_fetch );
      gnutls_db_set_remove_function( session, cb_delete );
@@ -1033,7 +977,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
  error:
      free( p_session->p_sys );
      vlc_object_detach( p_session );
-    vlc_object_destroy( p_session );
+    vlc_object_release( p_session );
      return NULL;
  }
  
@@ -1140,7 +1084,7 @@ static int OpenServer (vlc_object_t *obj)
      /* No certificate validation by default */
      p_sys->pf_handshake  = gnutls_ContinueHandshake;
  
-    vlc_mutex_init( p_server, &p_sys->cache_lock );
+    vlc_mutex_init( &p_sys->cache_lock );
  
      /* Sets server's credentials */
      val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
@@ -1158,9 +1102,9 @@ static int OpenServer (vlc_object_t *obj)
      val = gnutls_certificate_set_x509_key_file (p_sys->x509_cred,
                                                  psz_local_cert, psz_local_key,
                                                  GNUTLS_X509_FMT_PEM );
-    LocaleFree (psz_key_path);
+    LocaleFree (psz_local_key);
      free (psz_key_path);
-    LocaleFree (psz_cert_path);
+    LocaleFree (psz_local_cert);
      free (psz_cert_path);
  
      if( val < 0 )
@@ -1172,26 +1116,27 @@ static int OpenServer (vlc_object_t *obj)
      }
  
      /* FIXME:
-     * - regenerate these regularly
       * - support other ciper suites
       */
-    val = gnutls_dh_params_init( &p_sys->dh_params );
-    if( val >= 0 )
+    val = gnutls_dh_params_init (&p_sys->dh_params);
+    if (val >= 0)
      {
-        msg_Dbg( p_server, "computing Diffie Hellman ciphers parameters" );
-        val = gnutls_dh_params_generate2 (p_sys->dh_params,
-                                          config_GetInt (obj, "gnutls-dh-bits"));
+        const gnutls_datum_t data = {
+            .data = (unsigned char *)dh_params,
+            .size = sizeof (dh_params) - 1,
+        };
+
+        val = gnutls_dh_params_import_pkcs3 (p_sys->dh_params, &data,
+                                             GNUTLS_X509_FMT_PEM);
+        if (val == 0)
+            gnutls_certificate_set_dh_params (p_sys->x509_cred,
+                                              p_sys->dh_params);
      }
-    if( val < 0 )
+    if (val < 0)
      {
-        msg_Err( p_server, "cannot initialize DH cipher suites: %s",
-                 gnutls_strerror( val ) );
-        gnutls_certificate_free_credentials( p_sys->x509_cred );
-        goto error;
+        msg_Err (p_server, "cannot initialize DHE cipher suites: %s",
+                 gnutls_strerror (val));
      }
-    msg_Dbg( p_server, "ciphers parameters computed" );
-
-    gnutls_certificate_set_dh_params( p_sys->x509_cred, p_sys->dh_params);
  
      return VLC_SUCCESS;