* Preamble
*****************************************************************************/
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
#include <vlc/vlc.h>
#include <errno.h>
#include <time.h>
#endif
-#include "vlc_tls.h"
+#include <vlc_tls.h>
#include <vlc_charset.h>
#include <gcrypt.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
-#define DH_BITS 1024
+#include <vlc_gcrypt.h>
+
#define CACHE_TIMEOUT 3600
#define CACHE_SIZE 64
+#include "dhparams.h"
+
/*****************************************************************************
* Module descriptor
*****************************************************************************/
static int OpenServer (vlc_object_t *);
static void CloseServer (vlc_object_t *);
-#define DH_BITS_TEXT N_("Diffie-Hellman prime bits")
-#define DH_BITS_LONGTEXT N_( \
- "This allows you to modify the Diffie-Hellman prime's number of bits, " \
- "used for TLS or SSL-based server-side encryption. This is generally " \
- "not needed." )
-
#define CACHE_TIMEOUT_TEXT N_("Expiration time for resumed TLS sessions")
#define CACHE_TIMEOUT_LONGTEXT N_( \
"It is possible to cache the resumed TLS sessions. This is the expiration "\
"This is the maximum number of resumed TLS sessions that " \
"the cache will hold." )
-#define CHECK_CERT_TEXT N_("Check TLS/SSL server certificate validity")
-#define CHECK_CERT_LONGTEXT N_( \
- "This ensures that the server certificate is valid " \
- "(i.e. signed by an approved Certification Authority)." )
-
vlc_module_begin();
set_shortname( "GnuTLS" );
set_description( _("GnuTLS transport layer security") );
set_category( CAT_ADVANCED );
set_subcategory( SUBCAT_ADVANCED_MISC );
- add_bool( "tls-check-cert", VLC_TRUE, NULL, CHECK_CERT_TEXT,
- CHECK_CERT_LONGTEXT, VLC_FALSE );
+ add_obsolete_bool( "tls-check-cert" );
add_obsolete_bool( "tls-check-hostname" );
add_submodule();
set_subcategory( SUBCAT_ADVANCED_MISC );
set_callbacks( OpenServer, CloseServer );
- add_integer( "gnutls-dh-bits", DH_BITS, NULL, DH_BITS_TEXT,
- DH_BITS_LONGTEXT, VLC_TRUE );
+ add_obsolete_integer( "gnutls-dh-bits" );
add_integer( "gnutls-cache-timeout", CACHE_TIMEOUT, NULL,
- CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, VLC_TRUE );
+ CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, true );
add_integer( "gnutls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT,
- CACHE_SIZE_LONGTEXT, VLC_TRUE );
+ CACHE_SIZE_LONGTEXT, true );
vlc_module_end();
-
-
-#ifdef LIBVLC_USE_PTHREAD
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-# define gcry_threads_vlc gcry_threads_pthread
-#else
-/**
- * gcrypt thread option VLC implementation
- */
-
-# define NEED_THREAD_CONTEXT 1
-static vlc_object_t *__p_gcry_data = NULL;
-
-static int gcry_vlc_mutex_init( void **p_sys )
-{
- int i_val;
- vlc_mutex_t *p_lock = (vlc_mutex_t *)malloc( sizeof( vlc_mutex_t ) );
-
- if( p_lock == NULL)
- return ENOMEM;
-
- i_val = vlc_mutex_init( __p_gcry_data, p_lock );
- if( i_val )
- free( p_lock );
- else
- *p_sys = p_lock;
- return i_val;
-}
-
-static int gcry_vlc_mutex_destroy( void **p_sys )
-{
- int i_val;
- vlc_mutex_t *p_lock = (vlc_mutex_t *)*p_sys;
-
- i_val = vlc_mutex_destroy( p_lock );
- free( p_lock );
- return i_val;
-}
-
-static int gcry_vlc_mutex_lock( void **p_sys )
-{
- return vlc_mutex_lock( (vlc_mutex_t *)*p_sys );
-}
-
-static int gcry_vlc_mutex_unlock( void **lock )
-{
- return vlc_mutex_unlock( (vlc_mutex_t *)*lock );
-}
-
-static struct gcry_thread_cbs gcry_threads_vlc =
-{
- GCRY_THREAD_OPTION_USER,
- NULL,
- gcry_vlc_mutex_init,
- gcry_vlc_mutex_destroy,
- gcry_vlc_mutex_lock,
- gcry_vlc_mutex_unlock
-};
-#endif
-
-
/**
* Initializes GnuTLS with proper locking.
* @return VLC_SUCCESS on success, a VLC error code otherwise.
{
int ret = VLC_EGENERIC;
- vlc_mutex_t *lock = var_GetGlobalMutex ("gnutls_mutex");
- vlc_mutex_lock (lock);
-
- /* This should probably be removed/fixed. It will screw up with multiple
- * LibVLC instances. */
-#ifdef NEED_THREAD_CONTEXT
- __p_gcry_data = VLC_OBJECT (p_this->p_libvlc);
-#endif
+ vlc_gcrypt_init (); /* GnuTLS depends on gcrypt */
- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_vlc);
+ vlc_mutex_t *lock = var_AcquireMutex ("gnutls_mutex");
if (gnutls_global_init ())
{
msg_Err (p_this, "cannot initialize GnuTLS");
*/
static void gnutls_Deinit (vlc_object_t *p_this)
{
- vlc_mutex_t *lock = var_GetGlobalMutex( "gnutls_mutex" );
- vlc_mutex_lock (lock);
+ vlc_mutex_t *lock = var_AcquireMutex( "gnutls_mutex" );
gnutls_global_deinit ();
msg_Dbg (p_this, "GnuTLS deinitialized");
{
gnutls_session_t session;
char *psz_hostname;
- vlc_bool_t b_handshaked;
+ bool b_handshaked;
};
return -1;
}
- p_sys->b_handshaked = VLC_TRUE;
+ p_sys->b_handshaked = true;
return 0;
}
goto error;
}
- if( p_sys->psz_hostname != NULL )
+ assert( p_sys->psz_hostname != NULL );
+ if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
{
- if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
- {
- msg_Err( session, "Certificate does not match \"%s\"",
- p_sys->psz_hostname );
- goto error;
- }
+ msg_Err( session, "Certificate does not match \"%s\"",
+ p_sys->psz_hostname );
+ goto error;
}
- else
- msg_Warn( session, "Certificate and hostname were not verified" );
if( gnutls_x509_crt_get_expiration_time( cert ) < time( NULL ) )
{
static int
gnutls_Addx509File( vlc_object_t *p_this,
gnutls_certificate_credentials_t cred,
- const char *psz_path, vlc_bool_t b_priv );
+ const char *psz_path, bool b_priv );
static int
gnutls_Addx509Directory( vlc_object_t *p_this,
gnutls_certificate_credentials_t cred,
const char *psz_dirname,
- vlc_bool_t b_priv )
+ bool b_priv )
{
DIR* dir;
static int
gnutls_Addx509File( vlc_object_t *p_this,
gnutls_certificate_credentials cred,
- const char *psz_path, vlc_bool_t b_priv )
+ const char *psz_path, bool b_priv )
{
struct stat st;
p_session->sock.pf_recv = gnutls_Recv;
p_session->pf_set_fd = gnutls_SetFD;
- p_sys->session.b_handshaked = VLC_FALSE;
- p_sys->session.psz_hostname = NULL;
+ p_sys->session.b_handshaked = false;
const char *homedir = obj->p_libvlc->psz_datadir,
*datadir = config_GetDataDir ();
sprintf (path, "%s/ssl", homedir);
utf8_mkdir (path, 0755);
- if (var_CreateGetBool (obj, "tls-check-cert"))
- {
- sprintf (path, "%s/ssl/certs", homedir);
- gnutls_Addx509Directory (VLC_OBJECT (p_session),
- p_sys->x509_cred, path, VLC_FALSE);
-
- sprintf (path, "%s/ca-certificates.crt", datadir);
- gnutls_Addx509File (VLC_OBJECT (p_session),
- p_sys->x509_cred, path, VLC_FALSE);
- p_session->pf_handshake = gnutls_HandshakeAndValidate;
- }
- else
- p_session->pf_handshake = gnutls_ContinueHandshake;
+ sprintf (path, "%s/ssl/certs", homedir);
+ gnutls_Addx509Directory (VLC_OBJECT (p_session),
+ p_sys->x509_cred, path, false);
+
+ sprintf (path, "%s/ca-certificates.crt", datadir);
+ gnutls_Addx509File (VLC_OBJECT (p_session),
+ p_sys->x509_cred, path, false);
+ p_session->pf_handshake = gnutls_HandshakeAndValidate;
+ /*p_session->pf_handshake = gnutls_ContinueHandshake;*/
sprintf (path, "%s/ssl/private", homedir);
gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
- path, VLC_TRUE);
+ path, true);
i_val = gnutls_init (&p_sys->session.session, GNUTLS_CLIENT);
if (i_val != 0)
p_sys->session.session))
goto s_error;
+ /* minimum DH prime bits */
+ gnutls_dh_set_prime_bits (p_sys->session.session, 1024);
+
i_val = gnutls_credentials_set (p_sys->session.session,
GNUTLS_CRD_CERTIFICATE,
p_sys->x509_cred);
}
char *servername = var_GetNonEmptyString (p_session, "tls-server-name");
- if (servername != NULL )
- {
- p_sys->session.psz_hostname = servername;
- gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
- servername, strlen (servername));
- }
+ if (servername == NULL )
+ msg_Err (p_session, "server name missing for TLS session");
+
+ p_sys->session.psz_hostname = servername;
+ gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
+ servername, strlen (servername));
return VLC_SUCCESS;
tls_session_t *client = (tls_session_t *)obj;
tls_client_sys_t *p_sys = (tls_client_sys_t *)(client->p_sys);
- if (p_sys->session.b_handshaked == VLC_TRUE)
+ if (p_sys->session.b_handshaked == true)
gnutls_bye (p_sys->session.session, GNUTLS_SHUT_WR);
gnutls_deinit (p_sys->session.session);
/* credentials must be free'd *after* gnutls_deinit() */
tls_session_sys_t *p_sys = p_session->p_sys;
(void)p_server;
- if( p_sys->b_handshaked == VLC_TRUE )
+ if( p_sys->b_handshaked == true )
gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
gnutls_deinit( p_sys->session );
vlc_object_detach( p_session );
- vlc_object_destroy( p_session );
+ vlc_object_release( p_session );
free( p_sys );
}
p_session->p_sys = malloc( sizeof(struct tls_session_sys_t) );
if( p_session->p_sys == NULL )
{
- vlc_object_destroy( p_session );
+ vlc_object_release( p_session );
return NULL;
}
p_session->pf_set_fd = gnutls_SetFD;
p_session->pf_handshake = p_server_sys->pf_handshake;
- p_session->p_sys->b_handshaked = VLC_FALSE;
+ p_session->p_sys->b_handshaked = false;
p_session->p_sys->psz_hostname = NULL;
i_val = gnutls_init( &session, GNUTLS_SERVER );
if (p_session->pf_handshake == gnutls_HandshakeAndValidate)
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
- i_val = config_GetInt (p_server, "gnutls-dh-bits");
- gnutls_dh_set_prime_bits (session, i_val);
-
/* Session resumption support */
i_val = config_GetInt (p_server, "gnutls-cache-timeout");
gnutls_db_set_cache_expiration (session, i_val);
error:
free( p_session->p_sys );
vlc_object_detach( p_session );
- vlc_object_destroy( p_session );
+ vlc_object_release( p_session );
return NULL;
}
/* No certificate validation by default */
p_sys->pf_handshake = gnutls_ContinueHandshake;
- vlc_mutex_init( p_server, &p_sys->cache_lock );
+ vlc_mutex_init( &p_sys->cache_lock );
/* Sets server's credentials */
val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
}
/* FIXME:
- * - regenerate these regularly
* - support other ciper suites
*/
- val = gnutls_dh_params_init( &p_sys->dh_params );
-
+ val = gnutls_dh_params_init (&p_sys->dh_params);
if (val >= 0)
{
- FILE *cache;
- const char *cachedir = p_server->p_libvlc->psz_cachedir;
- char cachefile[strlen (cachedir) + sizeof ("/dh_params.pem")];
- sprintf (cachefile, "%s/dh_params.pem", cachedir);
-
- /* Read DH parameters from cache */
- cache = utf8_fopen (cachefile, "rb");
- if (cache != NULL)
- {
- unsigned char buf[1024];
- gnutls_datum_t data;
-
- data.data = buf;
- data.size = fread (buf, 1, sizeof (buf), cache);
-
- msg_Dbg (p_server, "loading DHE parameters (%u bytes) from %s",
- data.size, cachefile);
- val = gnutls_dh_params_import_pkcs3 (p_sys->dh_params, &data,
- GNUTLS_X509_FMT_PEM);
- fclose (cache);
- if (val == 0)
- goto dh_done;
- }
- else
- msg_Dbg (p_server, "cannot load DHE parameters from %s: %m",
- cachefile);
-
- msg_Dbg (p_server, "computing DHE ciphers parameters");
- val = gnutls_dh_params_generate2 (p_sys->dh_params,
- config_GetInt (obj, "gnutls-dh-bits"));
-
- /* Write the DH parameter to cache */
- cache = utf8_fopen (cachefile, "wb");
- if (cache != NULL)
- {
- size_t len = 0;
- gnutls_dh_params_export_pkcs3 (p_sys->dh_params,
- GNUTLS_X509_FMT_PEM, NULL, &len);
- msg_Dbg (p_server, "saving DHE parameters (%u bytes) to %s",
- (unsigned)len, cachefile);
-
- unsigned char buf[len];
- gnutls_dh_params_export_pkcs3 (p_sys->dh_params,
- GNUTLS_X509_FMT_PEM, buf, &len);
- if (fwrite (buf, 1, len, cache) != len)
- msg_Warn (p_server, "cannot write to %s: %m", cachefile);
- fclose (cache);
- }
- else
- msg_Warn (p_server, "cannot open to %s: %m", cachefile);
+ const gnutls_datum_t data = {
+ .data = (unsigned char *)dh_params,
+ .size = sizeof (dh_params) - 1,
+ };
+
+ val = gnutls_dh_params_import_pkcs3 (p_sys->dh_params, &data,
+ GNUTLS_X509_FMT_PEM);
+ if (val == 0)
+ gnutls_certificate_set_dh_params (p_sys->x509_cred,
+ p_sys->dh_params);
}
-
if (val < 0)
{
msg_Err (p_server, "cannot initialize DHE cipher suites: %s",
gnutls_strerror (val));
- gnutls_certificate_free_credentials (p_sys->x509_cred);
- goto error;
}
-dh_done:
-
- msg_Dbg( p_server, "ciphers parameters computed" );
-
- gnutls_certificate_set_dh_params( p_sys->x509_cred, p_sys->dh_params);
return VLC_SUCCESS;