# include "config.h"
#endif
-#include <vlc_common.h>
-#include <vlc_plugin.h>
#include <errno.h>
-#include <time.h>
-
-#include <sys/types.h>
-#include <errno.h>
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#ifdef WIN32
-# include <io.h>
-# include <wincrypt.h>
-#else
-# include <unistd.h>
-#endif
-# include <fcntl.h>
-
+#include <assert.h>
+#include <vlc_common.h>
+#include <vlc_plugin.h>
#include <vlc_tls.h>
-#include <vlc_charset.h>
-#include <vlc_fs.h>
#include <vlc_block.h>
-#include <gcrypt.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
+#if (GNUTLS_VERSION_NUMBER < 0x030014)
+# define gnutls_certificate_set_x509_system_trust(c) \
+ (c, GNUTLS_E_UNIMPLEMENTED_FEATURE)
+#endif
-#include <vlc_gcrypt.h>
#include "dhparams.h"
-#include <assert.h>
-
/*****************************************************************************
* Module descriptor
*****************************************************************************/
static int OpenClient (vlc_tls_t *, int, const char *);
static void CloseClient (vlc_tls_t *);
-static int OpenServer (vlc_object_t *);
-static void CloseServer (vlc_object_t *);
+static int OpenServer (vlc_tls_creds_t *, const char *, const char *);
+static void CloseServer (vlc_tls_creds_t *);
#define PRIORITIES_TEXT N_("TLS cipher priorities")
#define PRIORITIES_LONGTEXT N_("Ciphers, key exchange methods, " \
add_string ("gnutls-priorities", "NORMAL", PRIORITIES_TEXT,
PRIORITIES_LONGTEXT, false)
- change_string_list (priorities_values, priorities_text, NULL)
+ change_string_list (priorities_values, priorities_text)
vlc_module_end ()
static vlc_mutex_t gnutls_mutex = VLC_STATIC_MUTEX;
{
int ret = VLC_EGENERIC;
- vlc_gcrypt_init (); /* GnuTLS depends on gcrypt */
-
vlc_mutex_lock (&gnutls_mutex);
if (gnutls_global_init ())
{
goto error;
}
- const char *psz_version = gnutls_check_version ("2.0.0");
+ const char *psz_version = gnutls_check_version ("2.6.6");
if (psz_version == NULL)
{
msg_Err (p_this, "unsupported GnuTLS version");
}
#define gnutls_Error(o, val) gnutls_Error(VLC_OBJECT(o), val)
-
struct vlc_tls_sys
{
gnutls_session_t session;
"Certificate's signer is not a CA" },
{ GNUTLS_CERT_INSECURE_ALGORITHM,
"Insecure certificate signature algorithm" },
+ { GNUTLS_CERT_NOT_ACTIVATED,
+ "Certificate is not yet activated" },
+ { GNUTLS_CERT_EXPIRED,
+ "Certificate has expired" },
{ 0, NULL }
};
if (status)
{
- msg_Err (session, "TLS session: access denied");
+ msg_Err (session, "TLS session: access denied (status 0x%X)", status);
for (const error_msg_t *e = cert_errors; e->flag; e++)
{
if (status & e->flag)
val = gnutls_x509_crt_init (&cert);
if (val)
{
- msg_Err (session, "x509 fatal error: %s", gnutls_strerror (val));
+ msg_Err (session, "X.509 fatal error: %s", gnutls_strerror (val));
return -1;
}
goto error;
}
- time_t now;
- time (&now);
-
- if (gnutls_x509_crt_get_expiration_time (cert) < now)
- {
- msg_Err (session, "Certificate expired");
- goto error;
- }
-
- if (gnutls_x509_crt_get_activation_time (cert) > now)
- {
- msg_Err( session, "Certificate not yet valid" );
- goto error;
- }
-
gnutls_x509_crt_deinit (cert);
- msg_Dbg (session, "TLS/x509 certificate verified");
+ msg_Dbg (session, "TLS/X.509 certificate verified");
return 0;
error:
return val;
}
-
-static int
-gnutls_Addx509File( vlc_object_t *p_this,
- gnutls_certificate_credentials_t cred,
- const char *psz_path, bool b_priv );
-
-static int
-gnutls_Addx509Directory( vlc_object_t *p_this,
- gnutls_certificate_credentials_t cred,
- const char *psz_dirname,
- bool b_priv )
-{
- DIR* dir;
-
- if( *psz_dirname == '\0' )
- psz_dirname = ".";
-
- dir = vlc_opendir( psz_dirname );
- if( dir == NULL )
- {
- if (errno != ENOENT)
- {
- msg_Err (p_this, "cannot open directory (%s): %m", psz_dirname);
- return VLC_EGENERIC;
- }
-
- msg_Dbg (p_this, "creating empty certificate directory: %s",
- psz_dirname);
- vlc_mkdir (psz_dirname, b_priv ? 0700 : 0755);
- return VLC_SUCCESS;
- }
-#ifdef S_ISLNK
- else
- {
- struct stat st1, st2;
- int fd = dirfd( dir );
-
- /*
- * Gets stats for the directory path, checks that it is not a
- * symbolic link (to avoid possibly infinite recursion), and verifies
- * that the inode is still the same, to avoid TOCTOU race condition.
- */
- if( ( fd == -1)
- || fstat( fd, &st1 ) || vlc_lstat( psz_dirname, &st2 )
- || S_ISLNK( st2.st_mode ) || ( st1.st_ino != st2.st_ino ) )
- {
- closedir( dir );
- return VLC_EGENERIC;
- }
- }
-#endif
-
- for (;;)
- {
- char *ent = vlc_readdir (dir);
- if (ent == NULL)
- break;
-
- if ((strcmp (ent, ".") == 0) || (strcmp (ent, "..") == 0))
- {
- free( ent );
- continue;
- }
-
- char path[strlen (psz_dirname) + strlen (ent) + 2];
- sprintf (path, "%s"DIR_SEP"%s", psz_dirname, ent);
- free (ent);
-
- gnutls_Addx509File( p_this, cred, path, b_priv );
- }
-
- closedir( dir );
- return VLC_SUCCESS;
-}
-
-
-static int
-gnutls_Addx509File( vlc_object_t *p_this,
- gnutls_certificate_credentials cred,
- const char *psz_path, bool b_priv )
-{
- struct stat st;
-
- int fd = vlc_open (psz_path, O_RDONLY);
- if (fd == -1)
- goto error;
-
- block_t *block = block_File (fd);
- if (block != NULL)
- {
- close (fd);
-
- gnutls_datum data = {
- .data = block->p_buffer,
- .size = block->i_buffer,
- };
- int res = b_priv
- ? gnutls_certificate_set_x509_key_mem (cred, &data, &data,
- GNUTLS_X509_FMT_PEM)
- : gnutls_certificate_set_x509_trust_mem (cred, &data,
- GNUTLS_X509_FMT_PEM);
- block_Release (block);
-
- if (res < 0)
- {
- msg_Warn (p_this, "cannot add x509 credentials (%s): %s",
- psz_path, gnutls_strerror (res));
- return VLC_EGENERIC;
- }
- msg_Dbg (p_this, "added %d %s(s) from %s", res,
- b_priv ? "key" : "certificate", psz_path);
- return VLC_SUCCESS;
- }
-
- if (!fstat (fd, &st) && S_ISDIR (st.st_mode))
- {
- close (fd);
- msg_Dbg (p_this, "looking recursively for x509 credentials in %s",
- psz_path);
- return gnutls_Addx509Directory (p_this, cred, psz_path, b_priv);
- }
-
-error:
- msg_Warn (p_this, "cannot add x509 credentials (%s): %m", psz_path);
- if (fd != -1)
- close (fd);
- return VLC_EGENERIC;
-}
-
-#ifdef WIN32
-static int
-gnutls_loadOSCAList (vlc_object_t *p_this,
- gnutls_certificate_credentials cred)
-{
- HCERTSTORE hCertStore = CertOpenSystemStoreA((HCRYPTPROV)NULL, "ROOT");
- if (!hCertStore)
- {
- msg_Warn (p_this, "could not open the Cert SystemStore");
- return VLC_EGENERIC;
- }
-
- PCCERT_CONTEXT pCertContext = CertEnumCertificatesInStore(hCertStore, NULL);
- while( pCertContext )
- {
- gnutls_datum data = {
- .data = pCertContext->pbCertEncoded,
- .size = pCertContext->cbCertEncoded,
- };
-
- if(!gnutls_certificate_set_x509_trust_mem(cred, &data, GNUTLS_X509_FMT_DER))
- {
- msg_Warn (p_this, "cannot add x509 credential");
- return VLC_EGENERIC;
- }
-
- pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext);
- }
- return VLC_SUCCESS;
-}
-#endif
-
/**
* Initializes a client-side TLS session.
*/
int val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
if (val != 0)
{
- msg_Err (session, "cannot allocate X509 credentials: %s",
+ msg_Err (session, "cannot allocate credentials: %s",
gnutls_strerror (val));
goto error;
}
- char *userdir = config_GetUserDir (VLC_DATA_DIR);
- if (userdir != NULL)
- {
- char path[strlen (userdir) + sizeof ("/ssl/private")];
- sprintf (path, "%s/ssl", userdir);
- vlc_mkdir (path, 0755);
-
- sprintf (path, "%s/ssl/certs", userdir);
- gnutls_Addx509Directory (VLC_OBJECT(session), sys->x509_cred, path, false);
- sprintf (path, "%s/ssl/private", userdir);
- gnutls_Addx509Directory (VLC_OBJECT(session), sys->x509_cred, path, true);
- free (userdir);
- }
+ val = gnutls_certificate_set_x509_system_trust (sys->x509_cred);
+ if (val < 0)
+ msg_Err (session, "cannot load trusted Certificate Authorities: %s",
+ gnutls_strerror (val));
+ else
+ msg_Dbg (session, "loaded %d trusted CAs", val);
+
+ gnutls_certificate_set_verify_flags (sys->x509_cred,
+ GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
-#ifdef WIN32
- gnutls_loadOSCAList (VLC_OBJECT(session), sys->x509_cred);
-#else
- const char *confdir = config_GetConfDir ();
- {
- char path[strlen (confdir)
- + sizeof ("/ssl/certs/ca-certificates.crt")];
- sprintf (path, "%s/ssl/certs/ca-certificates.crt", confdir);
- gnutls_Addx509File (VLC_OBJECT(session), sys->x509_cred, path, false);
- }
-#endif
session->handshake = gnutls_HandshakeAndValidate;
/*session->_handshake = gnutls_ContinueHandshake;*/
* Terminates TLS session and releases session data.
* You still have to close the socket yourself.
*/
-static void gnutls_SessionClose (vlc_tls_t *session)
+static void gnutls_SessionClose (vlc_tls_creds_t *crd, vlc_tls_t *session)
{
vlc_tls_sys_t *sys = session->sys;
gnutls_bye (sys->session, GNUTLS_SHUT_WR);
gnutls_deinit (sys->session);
- vlc_object_release (session);
free (sys);
+ (void) crd;
}
/**
* Initializes a server-side TLS session.
*/
-static vlc_tls_t *gnutls_SessionOpen (vlc_tls_creds_t *server, int fd)
+static int gnutls_SessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
+ int fd)
{
- vlc_tls_creds_sys_t *ssys = server->sys;
- int val;
-
- vlc_tls_t *session = vlc_object_create (server, sizeof (*session));
- if (unlikely(session == NULL))
- return NULL;
-
vlc_tls_sys_t *sys = malloc (sizeof (*session->sys));
if (unlikely(sys == NULL))
- {
- vlc_object_release (session);
- return NULL;
- }
+ return VLC_ENOMEM;
session->sys = sys;
session->sock.p_sys = session;
session->sock.pf_send = gnutls_Send;
session->sock.pf_recv = gnutls_Recv;
- session->handshake = ssys->handshake;
- session->u.close = gnutls_SessionClose;
+ session->handshake = crd->sys->handshake;
sys->handshaked = false;
sys->hostname = NULL;
- val = gnutls_init (&sys->session, GNUTLS_SERVER);
+ int val = gnutls_init (&sys->session, GNUTLS_SERVER);
if (val != 0)
{
- msg_Err (server, "cannot initialize TLS session: %s",
+ msg_Err (session, "cannot initialize TLS session: %s",
gnutls_strerror (val));
free (sys);
- vlc_object_release (session);
- return NULL;
+ return VLC_EGENERIC;
}
- if (gnutls_SessionPrioritize (VLC_OBJECT (server), sys->session))
+ if (gnutls_SessionPrioritize (VLC_OBJECT (crd), sys->session))
goto error;
val = gnutls_credentials_set (sys->session, GNUTLS_CRD_CERTIFICATE,
- ssys->x509_cred);
+ crd->sys->x509_cred);
if (val < 0)
{
- msg_Err (server, "cannot set TLS session credentials: %s",
+ msg_Err (session, "cannot set TLS session credentials: %s",
gnutls_strerror (val));
goto error;
}
gnutls_transport_set_ptr (sys->session,
(gnutls_transport_ptr_t)(intptr_t)fd);
- return session;
+ return VLC_SUCCESS;
error:
- gnutls_SessionClose (session);
- return NULL;
+ gnutls_SessionClose (crd, session);
+ return VLC_EGENERIC;
}
/**
- * Adds one or more certificate authorities.
+ * Adds one or more Certificate Authorities to the trusted set.
*
- * @param ca_path (Unicode) path to an x509 certificates list.
+ * @param path (UTF-8) path to an X.509 certificates list.
*
* @return -1 on error, 0 on success.
*/
-static int gnutls_ServerAddCA (vlc_tls_creds_t *server, const char *ca_path)
+static int gnutls_AddCA (vlc_tls_creds_t *crd, const char *path)
{
- vlc_tls_creds_sys_t *sys = server->sys;
- char *local_path = ToLocale (ca_path);
+ block_t *block = block_FilePath (path);
+ if (block == NULL)
+ {
+ msg_Err (crd, "cannot read trusted CA from %s: %m", path);
+ return VLC_EGENERIC;
+ }
- int val = gnutls_certificate_set_x509_trust_file (sys->x509_cred,
- local_path,
- GNUTLS_X509_FMT_PEM );
- LocaleFree (local_path);
+ gnutls_datum_t d = {
+ .data = block->p_buffer,
+ .size = block->i_buffer,
+ };
+
+ int val = gnutls_certificate_set_x509_trust_mem (crd->sys->x509_cred, &d,
+ GNUTLS_X509_FMT_PEM);
+ block_Release (block);
if (val < 0)
{
- msg_Err (server, "cannot add trusted CA (%s): %s", ca_path,
+ msg_Err (crd, "cannot load trusted CA from %s: %s", path,
gnutls_strerror (val));
return VLC_EGENERIC;
}
- msg_Dbg (server, " %d trusted CA added (%s)", val, ca_path);
+ msg_Dbg (crd, " %d trusted CA%s added from %s", val, (val != 1) ? "s" : "",
+ path);
/* enables peer's certificate verification */
- sys->handshake = gnutls_HandshakeAndValidate;
-
+ crd->sys->handshake = gnutls_HandshakeAndValidate;
return VLC_SUCCESS;
}
/**
- * Adds a certificates revocation list to be sent to TLS clients.
+ * Adds a Certificates Revocation List to be sent to TLS clients.
*
- * @param crl_path (Unicode) path of the CRL file.
+ * @param path (UTF-8) path of the CRL file.
*
* @return -1 on error, 0 on success.
*/
-static int gnutls_ServerAddCRL (vlc_tls_creds_t *server, const char *crl_path)
+static int gnutls_AddCRL (vlc_tls_creds_t *crd, const char *path)
{
- vlc_tls_creds_sys_t *sys = server->sys;
- char *local_path = ToLocale (crl_path);
+ block_t *block = block_FilePath (path);
+ if (block == NULL)
+ {
+ msg_Err (crd, "cannot read CRL from %s: %m", path);
+ return VLC_EGENERIC;
+ }
+
+ gnutls_datum_t d = {
+ .data = block->p_buffer,
+ .size = block->i_buffer,
+ };
- int val = gnutls_certificate_set_x509_crl_file (sys->x509_cred,
- local_path,
- GNUTLS_X509_FMT_PEM);
- LocaleFree (local_path);
+ int val = gnutls_certificate_set_x509_crl_mem (crd->sys->x509_cred, &d,
+ GNUTLS_X509_FMT_PEM);
+ block_Release (block);
if (val < 0)
{
- msg_Err (server, "cannot add CRL (%s): %s", crl_path,
- gnutls_strerror (val));
+ msg_Err (crd, "cannot add CRL (%s): %s", path, gnutls_strerror (val));
return VLC_EGENERIC;
}
- msg_Dbg (server, "%d CRL added (%s)", val, crl_path);
+ msg_Dbg (crd, "%d CRL%s added from %s", val, (val != 1) ? "s" : "", path);
return VLC_SUCCESS;
}
/**
* Allocates a whole server's TLS credentials.
*/
-static int OpenServer (vlc_object_t *obj)
+static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
{
- vlc_tls_creds_t *server = (vlc_tls_creds_t *)obj;
int val;
- if (gnutls_Init (obj))
+ if (gnutls_Init (VLC_OBJECT(crd)))
return VLC_EGENERIC;
- msg_Dbg (obj, "creating TLS server");
-
vlc_tls_creds_sys_t *sys = malloc (sizeof (*sys));
if (unlikely(sys == NULL))
- return VLC_ENOMEM;
+ goto error;
- server->sys = sys;
- server->add_CA = gnutls_ServerAddCA;
- server->add_CRL = gnutls_ServerAddCRL;
- server->open = gnutls_SessionOpen;
+ crd->sys = sys;
+ crd->add_CA = gnutls_AddCA;
+ crd->add_CRL = gnutls_AddCRL;
+ crd->open = gnutls_SessionOpen;
+ crd->close = gnutls_SessionClose;
/* No certificate validation by default */
sys->handshake = gnutls_ContinueHandshake;
val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
if (val != 0)
{
- msg_Err (server, "cannot allocate X509 credentials: %s",
+ msg_Err (crd, "cannot allocate credentials: %s",
gnutls_strerror (val));
goto error;
}
- char *cert_path = var_GetNonEmptyString (obj, "tls-x509-cert");
- char *key_path = var_GetNonEmptyString (obj, "tls-x509-key");
- const char *lcert = ToLocale (cert_path);
- const char *lkey = ToLocale (key_path);
- val = gnutls_certificate_set_x509_key_file (sys->x509_cred, lcert, lkey,
- GNUTLS_X509_FMT_PEM);
- LocaleFree (lkey);
- LocaleFree (lcert);
- free (key_path);
- free (cert_path);
+ block_t *certblock = block_FilePath (cert);
+ if (certblock == NULL)
+ {
+ msg_Err (crd, "cannot read certificate chain from %s: %m", cert);
+ return VLC_EGENERIC;
+ }
+ block_t *keyblock = block_FilePath (key);
+ if (keyblock == NULL)
+ {
+ msg_Err (crd, "cannot read private key from %s: %m", key);
+ block_Release (certblock);
+ return VLC_EGENERIC;
+ }
+
+ gnutls_datum_t pub = {
+ .data = certblock->p_buffer,
+ .size = certblock->i_buffer,
+ }, priv = {
+ .data = keyblock->p_buffer,
+ .size = keyblock->i_buffer,
+ };
+
+ val = gnutls_certificate_set_x509_key_mem (sys->x509_cred, &pub, &priv,
+ GNUTLS_X509_FMT_PEM);
+ block_Release (keyblock);
+ block_Release (certblock);
if (val < 0)
{
- msg_Err (server, "cannot set certificate chain or private key: %s",
- gnutls_strerror (val));
+ msg_Err (crd, "cannot load X.509 key: %s", gnutls_strerror (val));
gnutls_certificate_free_credentials (sys->x509_cred);
goto error;
}
}
if (val < 0)
{
- msg_Err (server, "cannot initialize DHE cipher suites: %s",
+ msg_Err (crd, "cannot initialize DHE cipher suites: %s",
gnutls_strerror (val));
}
error:
free (sys);
+ gnutls_Deinit (VLC_OBJECT(crd));
return VLC_EGENERIC;
}
/**
* Destroys a TLS server object.
*/
-static void CloseServer (vlc_object_t *obj)
+static void CloseServer (vlc_tls_creds_t *crd)
{
- vlc_tls_creds_t *server = (vlc_tls_creds_t *)obj;
- vlc_tls_creds_sys_t *sys = server->sys;
+ vlc_tls_creds_sys_t *sys = crd->sys;
/* all sessions depending on the server are now deinitialized */
gnutls_certificate_free_credentials (sys->x509_cred);
gnutls_dh_params_deinit (sys->dh_params);
free (sys);
- gnutls_Deinit (obj);
+ gnutls_Deinit (VLC_OBJECT(crd));
}
projects / vlc / blobdiff