/*****************************************************************************
- * tls.c
+ * gnutls.c
*****************************************************************************
- * Copyright (C) 2004 VideoLAN
- * $Id: httpd.c 8263 2004-07-24 09:06:58Z courmisch $
+ * Copyright (C) 2004-2006 Rémi Denis-Courmont
+ * $Id$
*
- * Authors: Remi Denis-Courmont <courmisch@via.ecp.fr>
+ * Authors: Rémi Denis-Courmont <rem # videolan.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
*****************************************************************************/
-/*
- * TODO:
- * - fix FIXMEs,
- * - client side stuff,
- * - server-side client cert validation,
- * - client-side server cert validation (?).
- */
-
-
/*****************************************************************************
* Preamble
*****************************************************************************/
-#include <stdlib.h>
-#include <errno.h>
+
#include <vlc/vlc.h>
+#include <errno.h>
+#include <time.h>
+
+#include <sys/types.h>
+#include <errno.h>
+#ifdef HAVE_DIRENT_H
+# include <dirent.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+# ifdef HAVE_UNISTD_H
+# include <unistd.h>
+# endif
+#endif
+
#include "vlc_tls.h"
+#include <vlc_charset.h>
#include <gcrypt.h>
#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
-#define DH_BITS 1024
-
+#define DH_BITS 1024
+#define CACHE_TIMEOUT 3600
+#define CACHE_SIZE 64
/*****************************************************************************
* Module descriptor
*****************************************************************************/
-static int Open ( vlc_object_t * );
-static void Close( vlc_object_t * );
+static int OpenClient (vlc_object_t *);
+static void CloseClient (vlc_object_t *);
+static int OpenServer (vlc_object_t *);
+static void CloseServer (vlc_object_t *);
#define DH_BITS_TEXT N_("Diffie-Hellman prime bits")
#define DH_BITS_LONGTEXT N_( \
- "Allows you to modify the Diffie-Hellman prime's number of bits" \
- "(used for TLS or SSL-based server-side encryption)." )
+ "This allows you to modify the Diffie-Hellman prime's number of bits, " \
+ "used for TLS or SSL-based server-side encryption. This is generally " \
+ "not needed." )
-vlc_module_begin();
- set_description( _("GnuTLS TLS encryption layer") );
- set_capability( "tls", 1 );
- set_callbacks( Open, Close );
+#define CACHE_TIMEOUT_TEXT N_("Expiration time for resumed TLS sessions")
+#define CACHE_TIMEOUT_LONGTEXT N_( \
+ "It is possible to cache the resumed TLS sessions. This is the expiration "\
+ "time of the sessions stored in this cache, in seconds." )
+
+#define CACHE_SIZE_TEXT N_("Number of resumed TLS sessions")
+#define CACHE_SIZE_LONGTEXT N_( \
+ "This is the maximum number of resumed TLS sessions that " \
+ "the cache will hold." )
+
+#define CHECK_CERT_TEXT N_("Check TLS/SSL server certificate validity")
+#define CHECK_CERT_LONGTEXT N_( \
+ "This ensures that the server certificate is valid " \
+ "(i.e. signed by an approved Certification Authority)." )
- add_integer( "dh-bits", DH_BITS, NULL, DH_BITS_TEXT,
- DH_BITS_LONGTEXT, VLC_TRUE );
+vlc_module_begin();
+ set_shortname( "GnuTLS" );
+ set_description( _("GnuTLS transport layer security") );
+ set_capability( "tls client", 1 );
+ set_callbacks( OpenClient, CloseClient );
+ set_category( CAT_ADVANCED );
+ set_subcategory( SUBCAT_ADVANCED_MISC );
+
+ add_bool( "tls-check-cert", VLC_TRUE, NULL, CHECK_CERT_TEXT,
+ CHECK_CERT_LONGTEXT, VLC_FALSE );
+ add_obsolete_bool( "tls-check-hostname" );
+
+ add_submodule();
+ set_description( _("GnuTLS server") );
+ set_capability( "tls server", 1 );
+ set_category( CAT_ADVANCED );
+ set_subcategory( SUBCAT_ADVANCED_MISC );
+ set_callbacks( OpenServer, CloseServer );
+
+ add_integer( "gnutls-dh-bits", DH_BITS, NULL, DH_BITS_TEXT,
+ DH_BITS_LONGTEXT, VLC_TRUE );
+ add_integer( "gnutls-cache-timeout", CACHE_TIMEOUT, NULL,
+ CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, VLC_TRUE );
+ add_integer( "gnutls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT,
+ CACHE_SIZE_LONGTEXT, VLC_TRUE );
vlc_module_end();
-typedef struct tls_server_sys_t
+#ifdef LIBVLC_USE_PTHREAD
+GCRY_THREAD_OPTION_PTHREAD_IMPL;
+# define gcry_threads_vlc gcry_threads_pthread
+#else
+/**
+ * gcrypt thread option VLC implementation
+ */
+
+# define NEED_THREAD_CONTEXT 1
+static vlc_object_t *__p_gcry_data = NULL;
+
+static int gcry_vlc_mutex_init( void **p_sys )
{
- gnutls_certificate_credentials x509_cred;
- gnutls_dh_params dh_params;
-} tls_server_sys_t;
+ int i_val;
+ vlc_mutex_t *p_lock = (vlc_mutex_t *)malloc( sizeof( vlc_mutex_t ) );
+ if( p_lock == NULL)
+ return ENOMEM;
-/* client-side session private data */
-typedef struct tls_client_sys_t
+ i_val = vlc_mutex_init( __p_gcry_data, p_lock );
+ if( i_val )
+ free( p_lock );
+ else
+ *p_sys = p_lock;
+ return i_val;
+}
+
+static int gcry_vlc_mutex_destroy( void **p_sys )
{
- gnutls_session session;
- gnutls_certificate_credentials x509_cred;
-} tls_client_sys_t;
+ int i_val;
+ vlc_mutex_t *p_lock = (vlc_mutex_t *)*p_sys;
+ i_val = vlc_mutex_destroy( p_lock );
+ free( p_lock );
+ return i_val;
+}
-/*****************************************************************************
- * tls_Send:
- *****************************************************************************
+static int gcry_vlc_mutex_lock( void **p_sys )
+{
+ return vlc_mutex_lock( (vlc_mutex_t *)*p_sys );
+}
+
+static int gcry_vlc_mutex_unlock( void **lock )
+{
+ return vlc_mutex_unlock( (vlc_mutex_t *)*lock );
+}
+
+static struct gcry_thread_cbs gcry_threads_vlc =
+{
+ GCRY_THREAD_OPTION_USER,
+ NULL,
+ gcry_vlc_mutex_init,
+ gcry_vlc_mutex_destroy,
+ gcry_vlc_mutex_lock,
+ gcry_vlc_mutex_unlock
+};
+#endif
+
+
+/**
+ * Initializes GnuTLS with proper locking.
+ * @return VLC_SUCCESS on success, a VLC error code otherwise.
+ */
+static int gnutls_Init (vlc_object_t *p_this)
+{
+ int ret = VLC_EGENERIC;
+
+ vlc_mutex_t *lock = var_GetGlobalMutex ("gnutls_mutex");
+ vlc_mutex_lock (lock);
+
+ /* This should probably be removed/fixed. It will screw up with multiple
+ * LibVLC instances. */
+#ifdef NEED_THREAD_CONTEXT
+ __p_gcry_data = VLC_OBJECT (p_this->p_libvlc);
+#endif
+
+ gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_vlc);
+ if (gnutls_global_init ())
+ {
+ msg_Err (p_this, "cannot initialize GnuTLS");
+ goto error;
+ }
+
+ const char *psz_version = gnutls_check_version ("1.3.3");
+ if (psz_version == NULL)
+ {
+ msg_Err (p_this, "unsupported GnuTLS version");
+ gnutls_global_deinit ();
+ goto error;
+ }
+
+ msg_Dbg (p_this, "GnuTLS v%s initialized", psz_version);
+ ret = VLC_SUCCESS;
+
+error:
+ vlc_mutex_unlock (lock);
+ return ret;
+}
+
+
+/**
+ * Deinitializes GnuTLS.
+ */
+static void gnutls_Deinit (vlc_object_t *p_this)
+{
+ vlc_mutex_t *lock = var_GetGlobalMutex( "gnutls_mutex" );
+ vlc_mutex_lock (lock);
+
+ gnutls_global_deinit ();
+ msg_Dbg (p_this, "GnuTLS deinitialized");
+ vlc_mutex_unlock (lock);
+}
+
+
+static int gnutls_Error (vlc_object_t *obj, int val)
+{
+ switch (val)
+ {
+ case GNUTLS_E_AGAIN:
+#ifndef WIN32
+ errno = EAGAIN;
+ break;
+#endif
+ /* WinSock does not return EAGAIN, return EINTR instead */
+
+ case GNUTLS_E_INTERRUPTED:
+#ifdef WIN32
+ WSASetLastError (WSAEINTR);
+#else
+ errno = EINTR;
+#endif
+ break;
+
+ default:
+ msg_Err (obj, "%s", gnutls_strerror (val));
+#ifndef NDEBUG
+ if (!gnutls_error_is_fatal (val))
+ msg_Err (obj, "Error above should be handled");
+#endif
+#ifdef WIN32
+ WSASetLastError (WSAECONNRESET);
+#else
+ errno = ECONNRESET;
+#endif
+ }
+ return -1;
+}
+
+
+struct tls_session_sys_t
+{
+ gnutls_session_t session;
+ char *psz_hostname;
+ vlc_bool_t b_handshaked;
+};
+
+
+/**
* Sends data through a TLS session.
- *****************************************************************************/
+ */
static int
-gnutls_Send( tls_session_t *p_session, const char *buf, int i_length )
+gnutls_Send( void *p_session, const void *buf, int i_length )
{
int val;
+ tls_session_sys_t *p_sys;
+
+ p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
- val = gnutls_record_send( *(gnutls_session *)(p_session->p_sys),
- buf, i_length );
- return val < 0 ? -1 : val;
+ val = gnutls_record_send( p_sys->session, buf, i_length );
+ return (val < 0) ? gnutls_Error ((vlc_object_t *)p_session, val) : val;
}
-/*****************************************************************************
- * tls_Recv:
- *****************************************************************************
+/**
* Receives data through a TLS session.
- *****************************************************************************/
+ */
static int
-gnutls_Recv( tls_session_t *p_session, char *buf, int i_length )
+gnutls_Recv( void *p_session, void *buf, int i_length )
{
int val;
+ tls_session_sys_t *p_sys;
- val = gnutls_record_recv( *(gnutls_session *)(p_session->p_sys),
- buf, i_length );
- return val < 0 ? -1 : val;
+ p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
+
+ val = gnutls_record_recv( p_sys->session, buf, i_length );
+ return (val < 0) ? gnutls_Error ((vlc_object_t *)p_session, val) : val;
}
-/*****************************************************************************
- * tls_SessionHandshake:
- *****************************************************************************
- * Establishes TLS session with a peer through socket <fd>
- * Returns NULL on error (do NOT call tls_SessionClose in case of error or
- * re-use the session structure).
- *****************************************************************************/
-static tls_session_t *
-gnutls_SessionHandshake( tls_session_t *p_session, int fd )
+/**
+ * Starts or continues the TLS handshake.
+ *
+ * @return -1 on fatal error, 0 on succesful handshake completion,
+ * 1 if more would-be blocking recv is needed,
+ * 2 if more would-be blocking send is required.
+ */
+static int
+gnutls_ContinueHandshake (tls_session_t *p_session)
{
+ tls_session_sys_t *p_sys = p_session->p_sys;
int val;
- gnutls_session *p_sys;
- p_sys = (gnutls_session *)(p_session->p_sys);
+#ifdef WIN32
+ WSASetLastError( 0 );
+#endif
+ val = gnutls_handshake( p_sys->session );
+ if( ( val == GNUTLS_E_AGAIN ) || ( val == GNUTLS_E_INTERRUPTED ) )
+ return 1 + gnutls_record_get_direction( p_sys->session );
- gnutls_transport_set_ptr( *p_sys, (gnutls_transport_ptr)fd);
- val = gnutls_handshake( *p_sys );
if( val < 0 )
{
- gnutls_deinit( *p_sys );
- msg_Err( p_session->p_tls, "TLS handshake failed : %s",
+#ifdef WIN32
+ msg_Dbg( p_session, "Winsock error %d", WSAGetLastError( ) );
+#endif
+ msg_Err( p_session, "TLS handshake error: %s",
gnutls_strerror( val ) );
- free( p_sys );
- free( p_session );
- return NULL;
+ return -1;
}
- return p_session;
+
+ p_sys->b_handshaked = VLC_TRUE;
+ return 0;
}
-/*****************************************************************************
- * tls_SessionClose:
- *****************************************************************************
- * Terminates TLS session and releases session data.
- *****************************************************************************/
-static void
-gnutls_SessionClose( tls_session_t *p_session )
+typedef struct
{
- gnutls_session *p_sys;
+ int flag;
+ const char *msg;
+} error_msg_t;
- p_sys = (gnutls_session *)(p_session->p_sys);
+static const error_msg_t cert_errors[] =
+{
+ { GNUTLS_CERT_INVALID,
+ "Certificate could not be verified" },
+ { GNUTLS_CERT_REVOKED,
+ "Certificate was revoked" },
+ { GNUTLS_CERT_SIGNER_NOT_FOUND,
+ "Certificate's signer was not found" },
+ { GNUTLS_CERT_SIGNER_NOT_CA,
+ "Certificate's signer is not a CA" },
+ { GNUTLS_CERT_INSECURE_ALGORITHM,
+ "Insecure certificate signature algorithm" },
+ { 0, NULL }
+};
- /* On the client-side, credentials are re-allocated per session */
- if( p_session->p_server == NULL )
- gnutls_certificate_free_credentials( ((tls_client_sys_t *)p_sys)
- ->x509_cred );
- gnutls_bye( *p_sys, GNUTLS_SHUT_WR );
- gnutls_deinit( *p_sys );
- free( p_sys );
- free( p_session );
+static int
+gnutls_HandshakeAndValidate( tls_session_t *session )
+{
+ int val = gnutls_ContinueHandshake( session );
+ if( val )
+ return val;
+
+ tls_session_sys_t *p_sys = (tls_session_sys_t *)(session->p_sys);
+
+ /* certificates chain verification */
+ unsigned status;
+ val = gnutls_certificate_verify_peers2( p_sys->session, &status );
+
+ if( val )
+ {
+ msg_Err( session, "Certificate verification failed: %s",
+ gnutls_strerror( val ) );
+ return -1;
+ }
+
+ if( status )
+ {
+ msg_Err( session, "TLS session: access denied" );
+ for( const error_msg_t *e = cert_errors; e->flag; e++ )
+ {
+ if( status & e->flag )
+ {
+ msg_Err( session, "%s", e->msg );
+ status &= ~e->flag;
+ }
+ }
+
+ if( status )
+ msg_Err( session,
+ "unknown certificate error (you found a bug in VLC)" );
+
+ return -1;
+ }
+
+ /* certificate (host)name verification */
+ const gnutls_datum_t *data;
+ data = gnutls_certificate_get_peers (p_sys->session, &(unsigned){0});
+ if( data == NULL )
+ {
+ msg_Err( session, "Peer certificate not available" );
+ return -1;
+ }
+
+ gnutls_x509_crt_t cert;
+ val = gnutls_x509_crt_init( &cert );
+ if( val )
+ {
+ msg_Err( session, "x509 fatal error: %s", gnutls_strerror( val ) );
+ return -1;
+ }
+
+ val = gnutls_x509_crt_import( cert, data, GNUTLS_X509_FMT_DER );
+ if( val )
+ {
+ msg_Err( session, "Certificate import error: %s",
+ gnutls_strerror( val ) );
+ goto error;
+ }
+
+ if( p_sys->psz_hostname != NULL )
+ {
+ if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
+ {
+ msg_Err( session, "Certificate does not match \"%s\"",
+ p_sys->psz_hostname );
+ goto error;
+ }
+ }
+ else
+ msg_Warn( session, "Certificate and hostname were not verified" );
+
+ if( gnutls_x509_crt_get_expiration_time( cert ) < time( NULL ) )
+ {
+ msg_Err( session, "Certificate expired" );
+ goto error;
+ }
+
+ if( gnutls_x509_crt_get_activation_time( cert ) > time ( NULL ) )
+ {
+ msg_Err( session, "Certificate not yet valid" );
+ goto error;
+ }
+
+ gnutls_x509_crt_deinit( cert );
+ msg_Dbg( session, "TLS/x509 certificate verified" );
+ return 0;
+
+error:
+ gnutls_x509_crt_deinit( cert );
+ return -1;
}
+/**
+ * Sets the operating system file descriptor backend for the TLS sesison.
+ *
+ * @param fd stream socket already connected with the peer.
+ */
+static void
+gnutls_SetFD (tls_session_t *p_session, int fd)
+{
+ gnutls_transport_set_ptr (p_session->p_sys->session,
+ (gnutls_transport_ptr_t)(intptr_t)fd);
+}
-/*****************************************************************************
- * tls_ClientCreate:
- *****************************************************************************
- * Initializes client-side TLS session data.
- *****************************************************************************/
-static tls_session_t *
-gnutls_ClientCreate( tls_t *p_tls, const char *psz_ca_path )
+typedef int (*tls_prio_func) (gnutls_session_t, const int *);
+
+static int
+gnutls_SetPriority (vlc_object_t *restrict obj, const char *restrict name,
+ tls_prio_func func, gnutls_session_t session,
+ const int *restrict values)
{
- tls_session_t *p_session;
- tls_client_sys_t *p_sys;
- int i_val;
- const int cert_type_priority[3] =
+ int val = func (session, values);
+ if (val < 0)
+ {
+ msg_Err (obj, "cannot set %s priorities: %s", name,
+ gnutls_strerror (val));
+ return VLC_EGENERIC;
+ }
+ return VLC_SUCCESS;
+}
+
+
+static int
+gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
+{
+ /* Note that ordering matters (on the client side) */
+ static const int protos[] =
+ {
+ GNUTLS_TLS1_1,
+ GNUTLS_TLS1_0,
+ GNUTLS_SSL3,
+ 0
+ };
+ static const int comps[] =
+ {
+ GNUTLS_COMP_DEFLATE,
+ GNUTLS_COMP_NULL,
+ 0
+ };
+ static const int macs[] =
+ {
+ GNUTLS_MAC_SHA1,
+ GNUTLS_MAC_RMD160, // RIPEMD
+ GNUTLS_MAC_MD5,
+ //GNUTLS_MAC_MD2,
+ //GNUTLS_MAC_NULL,
+ 0
+ };
+ static const int ciphers[] =
+ {
+ GNUTLS_CIPHER_AES_256_CBC,
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_3DES_CBC,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ //GNUTLS_CIPHER_DES_CBC,
+ //GNUTLS_CIPHER_ARCFOUR_40,
+ //GNUTLS_CIPHER_RC2_40_CBC,
+ //GNUTLS_CIPHER_NULL,
+ 0
+ };
+ static const int kx[] =
+ {
+ GNUTLS_KX_DHE_RSA,
+ GNUTLS_KX_DHE_DSS,
+ GNUTLS_KX_RSA,
+ //GNUTLS_KX_RSA_EXPORT,
+ //GNUTLS_KX_DHE_PSK, TODO
+ //GNUTLS_KX_PSK, TODO
+ //GNUTLS_KX_SRP_RSA, TODO
+ //GNUTLS_KX_SRP_DSS, TODO
+ //GNUTLS_KX_SRP, TODO
+ //GNUTLS_KX_ANON_DH,
+ 0
+ };
+ static const int cert_types[] =
{
GNUTLS_CRT_X509,
+ //GNUTLS_CRT_OPENPGP, TODO
0
};
- p_sys = (tls_client_sys_t *)malloc( sizeof(struct tls_client_sys_t) );
- if( p_sys == NULL )
- return NULL;
+ int val = gnutls_set_default_priority (session);
+ if (val < 0)
+ {
+ msg_Err (obj, "cannot set default TLS priorities: %s",
+ gnutls_strerror (val));
+ return VLC_EGENERIC;
+ }
- i_val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
- if( i_val != 0 )
+ if (gnutls_SetPriority (obj, "protocols",
+ gnutls_protocol_set_priority, session, protos)
+ || gnutls_SetPriority (obj, "compression algorithms",
+ gnutls_compression_set_priority, session, comps)
+ || gnutls_SetPriority (obj, "MAC algorithms",
+ gnutls_mac_set_priority, session, macs)
+ || gnutls_SetPriority (obj, "ciphers",
+ gnutls_cipher_set_priority, session, ciphers)
+ || gnutls_SetPriority (obj, "key exchange algorithms",
+ gnutls_kx_set_priority, session, kx)
+ || gnutls_SetPriority (obj, "certificate types",
+ gnutls_certificate_type_set_priority, session,
+ cert_types))
+ return VLC_EGENERIC;
+
+ return VLC_SUCCESS;
+}
+
+
+static int
+gnutls_Addx509File( vlc_object_t *p_this,
+ gnutls_certificate_credentials_t cred,
+ const char *psz_path, vlc_bool_t b_priv );
+
+static int
+gnutls_Addx509Directory( vlc_object_t *p_this,
+ gnutls_certificate_credentials_t cred,
+ const char *psz_dirname,
+ vlc_bool_t b_priv )
+{
+ DIR* dir;
+
+ if( *psz_dirname == '\0' )
+ psz_dirname = ".";
+
+ dir = utf8_opendir( psz_dirname );
+ if( dir == NULL )
{
- msg_Err( p_tls, "Cannot allocate X509 credentials : %s",
- gnutls_strerror( i_val ) );
- free( p_sys );
- return NULL;
+ if (errno != ENOENT)
+ {
+ msg_Err (p_this, "cannot open directory (%s): %m", psz_dirname);
+ return VLC_EGENERIC;
+ }
+
+ msg_Dbg (p_this, "creating empty certificate directory: %s",
+ psz_dirname);
+ utf8_mkdir (psz_dirname, b_priv ? 0700 : 0755);
+ return VLC_SUCCESS;
}
+#ifdef S_ISLNK
+ else
+ {
+ struct stat st1, st2;
+ int fd = dirfd( dir );
+
+ /*
+ * Gets stats for the directory path, checks that it is not a
+ * symbolic link (to avoid possibly infinite recursion), and verifies
+ * that the inode is still the same, to avoid TOCTOU race condition.
+ */
+ if( ( fd == -1)
+ || fstat( fd, &st1 ) || utf8_lstat( psz_dirname, &st2 )
+ || S_ISLNK( st2.st_mode ) || ( st1.st_ino != st2.st_ino ) )
+ {
+ closedir( dir );
+ return VLC_EGENERIC;
+ }
+ }
+#endif
- if( psz_ca_path != NULL )
+ for (;;)
{
- i_val = gnutls_certificate_set_x509_trust_file( p_sys->x509_cred,
- psz_ca_path,
- GNUTLS_X509_FMT_PEM );
- if( i_val != 0 )
+ char *ent = utf8_readdir (dir);
+ if (ent == NULL)
+ break;
+
+ if ((strcmp (ent, ".") == 0) || (strcmp (ent, "..") == 0))
+ continue;
+
+ char path[strlen (psz_dirname) + strlen (ent) + 2];
+ sprintf (path, "%s"DIR_SEP"%s", psz_dirname, ent);
+ free (ent);
+
+ gnutls_Addx509File( p_this, cred, path, b_priv );
+ }
+
+ closedir( dir );
+ return VLC_SUCCESS;
+}
+
+
+static int
+gnutls_Addx509File( vlc_object_t *p_this,
+ gnutls_certificate_credentials cred,
+ const char *psz_path, vlc_bool_t b_priv )
+{
+ struct stat st;
+
+ if( utf8_stat( psz_path, &st ) == 0 )
+ {
+ if( S_ISREG( st.st_mode ) )
{
- msg_Err( p_tls, "Cannot add trusted CA (%s) : %s", psz_ca_path,
- gnutls_strerror( i_val ) );
- gnutls_certificate_free_credentials( p_sys->x509_cred );
- free( p_sys );
- return NULL;
+ char *psz_localname = ToLocale( psz_path );
+ int i = b_priv
+ ? gnutls_certificate_set_x509_key_file( cred,
+ psz_localname, psz_localname, GNUTLS_X509_FMT_PEM )
+ : gnutls_certificate_set_x509_trust_file( cred,
+ psz_localname, GNUTLS_X509_FMT_PEM );
+ LocaleFree( psz_localname );
+
+ if( i < 0 )
+ {
+ msg_Warn( p_this, "cannot add x509 credentials (%s): %s",
+ psz_path, gnutls_strerror( i ) );
+ return VLC_EGENERIC;
+ }
+ else
+ {
+ msg_Dbg( p_this, "added x509 credentials (%s)",
+ psz_path );
+ return VLC_SUCCESS;
+ }
+ }
+ else if( S_ISDIR( st.st_mode ) )
+ {
+ msg_Dbg( p_this,
+ "looking recursively for x509 credentials in %s",
+ psz_path );
+ return gnutls_Addx509Directory( p_this, cred, psz_path, b_priv);
}
}
+ else
+ msg_Warn( p_this, "cannot add x509 credentials (%s): %m", psz_path );
+ return VLC_EGENERIC;
+}
- i_val = gnutls_init( &p_sys->session, GNUTLS_CLIENT );
- if( i_val != 0 )
+
+/** TLS client session data */
+typedef struct tls_client_sys_t
+{
+ struct tls_session_sys_t session;
+ gnutls_certificate_credentials_t x509_cred;
+} tls_client_sys_t;
+
+
+/**
+ * Initializes a client-side TLS session.
+ */
+static int OpenClient (vlc_object_t *obj)
+{
+ tls_session_t *p_session = (tls_session_t *)obj;
+ int i_val;
+
+ if (gnutls_Init (obj))
+ return VLC_EGENERIC;
+
+ tls_client_sys_t *p_sys = malloc (sizeof (*p_sys));
+ if (p_sys == NULL)
{
- msg_Err( p_tls, "Cannot initialize TLS session : %s",
- gnutls_strerror( i_val ) );
- gnutls_certificate_free_credentials( p_sys->x509_cred );
- free( p_sys );
- return NULL;
+ gnutls_Deinit (obj);
+ return VLC_ENOMEM;
}
- i_val = gnutls_set_default_priority( p_sys->session );
- if( i_val < 0 )
+ p_session->p_sys = &p_sys->session;
+ p_session->sock.p_sys = p_session;
+ p_session->sock.pf_send = gnutls_Send;
+ p_session->sock.pf_recv = gnutls_Recv;
+ p_session->pf_set_fd = gnutls_SetFD;
+
+ p_sys->session.b_handshaked = VLC_FALSE;
+ p_sys->session.psz_hostname = NULL;
+
+ const char *homedir = obj->p_libvlc->psz_datadir,
+ *datadir = config_GetDataDir ();
+ size_t l1 = strlen (homedir), l2 = strlen (datadir);
+ char path[((l1 > l2) ? l1 : l2) + sizeof ("/ca-certificates.crt")];
+ // > sizeof ("/ssl/private")
+ // > sizeof ("/ssl/certs")
+
+ i_val = gnutls_certificate_allocate_credentials (&p_sys->x509_cred);
+ if (i_val != 0)
{
- msg_Err( p_tls, "Cannot set ciphers priorities : %s",
- gnutls_strerror( i_val ) );
- gnutls_deinit( p_sys->session );
- gnutls_certificate_free_credentials( p_sys->x509_cred );
- free( p_sys );
- return NULL;
+ msg_Err (obj, "cannot allocate X509 credentials: %s",
+ gnutls_strerror (i_val));
+ goto error;
}
- i_val = gnutls_certificate_type_set_priority( p_sys->session, cert_type_priority );
- if( i_val < 0 )
+ sprintf (path, "%s/ssl", homedir);
+ utf8_mkdir (path);
+
+ if (var_CreateGetBool (obj, "tls-check-cert"))
{
- msg_Err( p_tls, "Cannot set certificate type priorities : %s",
- gnutls_strerror( i_val ) );
- gnutls_deinit( p_sys->session );
- gnutls_certificate_free_credentials( p_sys->x509_cred );
- free( p_sys );
- return NULL;
+ sprintf (path, "%s/ssl/certs", homedir);
+ gnutls_Addx509Directory (VLC_OBJECT (p_session),
+ p_sys->x509_cred, path, VLC_FALSE);
+
+ sprintf (path, "%s/ca-certificates.crt", datadir);
+ gnutls_Addx509File (VLC_OBJECT (p_session),
+ p_sys->x509_cred, path, VLC_FALSE);
+ p_session->pf_handshake = gnutls_HandshakeAndValidate;
}
+ else
+ p_session->pf_handshake = gnutls_ContinueHandshake;
- i_val = gnutls_credentials_set( p_sys->session, GNUTLS_CRD_CERTIFICATE,
- p_sys->x509_cred );
- if( i_val < 0 )
+ sprintf (path, "%s/ssl/private", homedir);
+ gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
+ path, VLC_TRUE);
+
+ i_val = gnutls_init (&p_sys->session.session, GNUTLS_CLIENT);
+ if (i_val != 0)
{
- msg_Err( p_tls, "Cannot set TLS session credentials : %s",
- gnutls_strerror( i_val ) );
- gnutls_deinit( p_sys->session );
- gnutls_certificate_free_credentials( p_sys->x509_cred );
- free( p_sys );
- return NULL;
+ msg_Err (obj, "cannot initialize TLS session: %s",
+ gnutls_strerror (i_val));
+ gnutls_certificate_free_credentials (p_sys->x509_cred);
+ goto error;
}
- p_session = malloc( sizeof (struct tls_session_t) );
- if( p_session == NULL )
+ if (gnutls_SessionPrioritize (VLC_OBJECT (p_session),
+ p_sys->session.session))
+ goto s_error;
+
+ i_val = gnutls_credentials_set (p_sys->session.session,
+ GNUTLS_CRD_CERTIFICATE,
+ p_sys->x509_cred);
+ if (i_val < 0)
{
- gnutls_deinit( p_sys->session );
- gnutls_certificate_free_credentials( p_sys->x509_cred );
- free( p_sys );
- return NULL;
+ msg_Err (obj, "cannot set TLS session credentials: %s",
+ gnutls_strerror (i_val));
+ goto s_error;
}
- p_session->p_tls = p_tls;
- p_session->p_server = NULL;
- p_session->p_sys = p_sys;
- p_session->pf_handshake = gnutls_SessionHandshake;
- p_session->pf_close = gnutls_SessionClose;
- p_session->pf_send = gnutls_Send;
- p_session->pf_recv = gnutls_Recv;
+ char *servername = var_GetNonEmptyString (p_session, "tls-server-name");
+ if (servername != NULL )
+ {
+ p_sys->session.psz_hostname = servername;
+ gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
+ servername, strlen (servername));
+ }
- return p_session;
+ return VLC_SUCCESS;
+
+s_error:
+ gnutls_deinit (p_sys->session.session);
+ gnutls_certificate_free_credentials (p_sys->x509_cred);
+error:
+ gnutls_Deinit (obj);
+ free (p_sys);
+ return VLC_EGENERIC;
}
-/*****************************************************************************
- * tls_ServerSessionPrepare:
- *****************************************************************************
- * Initializes server-side TLS session data.
- *****************************************************************************/
+static void CloseClient (vlc_object_t *obj)
+{
+ tls_session_t *client = (tls_session_t *)obj;
+ tls_client_sys_t *p_sys = (tls_client_sys_t *)(client->p_sys);
+
+ if (p_sys->session.b_handshaked == VLC_TRUE)
+ gnutls_bye (p_sys->session.session, GNUTLS_SHUT_WR);
+ gnutls_deinit (p_sys->session.session);
+ /* credentials must be free'd *after* gnutls_deinit() */
+ gnutls_certificate_free_credentials (p_sys->x509_cred);
+
+ gnutls_Deinit (obj);
+ free (p_sys->session.psz_hostname);
+ free (p_sys);
+}
+
+
+/**
+ * Server-side TLS
+ */
+struct tls_server_sys_t
+{
+ gnutls_certificate_credentials_t x509_cred;
+ gnutls_dh_params_t dh_params;
+
+ struct saved_session_t *p_cache;
+ struct saved_session_t *p_store;
+ int i_cache_size;
+ vlc_mutex_t cache_lock;
+
+ int (*pf_handshake) (tls_session_t *);
+};
+
+
+/**
+ * TLS session resumption callbacks (server-side)
+ */
+#define MAX_SESSION_ID 32
+#define MAX_SESSION_DATA 1024
+
+typedef struct saved_session_t
+{
+ char id[MAX_SESSION_ID];
+ char data[MAX_SESSION_DATA];
+
+ unsigned i_idlen;
+ unsigned i_datalen;
+} saved_session_t;
+
+
+static int cb_store( void *p_server, gnutls_datum key, gnutls_datum data )
+{
+ tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys;
+
+ if( ( p_sys->i_cache_size == 0 )
+ || ( key.size > MAX_SESSION_ID )
+ || ( data.size > MAX_SESSION_DATA ) )
+ return -1;
+
+ vlc_mutex_lock( &p_sys->cache_lock );
+
+ memcpy( p_sys->p_store->id, key.data, key.size);
+ memcpy( p_sys->p_store->data, data.data, data.size );
+ p_sys->p_store->i_idlen = key.size;
+ p_sys->p_store->i_datalen = data.size;
+
+ p_sys->p_store++;
+ if( ( p_sys->p_store - p_sys->p_cache ) == p_sys->i_cache_size )
+ p_sys->p_store = p_sys->p_cache;
+
+ vlc_mutex_unlock( &p_sys->cache_lock );
+
+ return 0;
+}
+
+
+static gnutls_datum cb_fetch( void *p_server, gnutls_datum key )
+{
+ static const gnutls_datum_t err_datum = { NULL, 0 };
+ tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys;
+ saved_session_t *p_session, *p_end;
+
+ p_session = p_sys->p_cache;
+ p_end = p_session + p_sys->i_cache_size;
+
+ vlc_mutex_lock( &p_sys->cache_lock );
+
+ while( p_session < p_end )
+ {
+ if( ( p_session->i_idlen == key.size )
+ && !memcmp( p_session->id, key.data, key.size ) )
+ {
+ gnutls_datum_t data;
+
+ data.size = p_session->i_datalen;
+
+ data.data = gnutls_malloc( data.size );
+ if( data.data == NULL )
+ {
+ vlc_mutex_unlock( &p_sys->cache_lock );
+ return err_datum;
+ }
+
+ memcpy( data.data, p_session->data, data.size );
+ vlc_mutex_unlock( &p_sys->cache_lock );
+ return data;
+ }
+ p_session++;
+ }
+
+ vlc_mutex_unlock( &p_sys->cache_lock );
+
+ return err_datum;
+}
+
+
+static int cb_delete( void *p_server, gnutls_datum key )
+{
+ tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys;
+ saved_session_t *p_session, *p_end;
+
+ p_session = p_sys->p_cache;
+ p_end = p_session + p_sys->i_cache_size;
+
+ vlc_mutex_lock( &p_sys->cache_lock );
+
+ while( p_session < p_end )
+ {
+ if( ( p_session->i_idlen == key.size )
+ && !memcmp( p_session->id, key.data, key.size ) )
+ {
+ p_session->i_datalen = p_session->i_idlen = 0;
+ vlc_mutex_unlock( &p_sys->cache_lock );
+ return 0;
+ }
+ p_session++;
+ }
+
+ vlc_mutex_unlock( &p_sys->cache_lock );
+
+ return -1;
+}
+
+
+/**
+ * Terminates TLS session and releases session data.
+ * You still have to close the socket yourself.
+ */
+static void
+gnutls_SessionClose (tls_server_t *p_server, tls_session_t *p_session)
+{
+ tls_session_sys_t *p_sys = p_session->p_sys;
+ (void)p_server;
+
+ if( p_sys->b_handshaked == VLC_TRUE )
+ gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
+ gnutls_deinit( p_sys->session );
+
+ vlc_object_detach( p_session );
+ vlc_object_destroy( p_session );
+
+ free( p_sys );
+}
+
+
+/**
+ * Initializes a server-side TLS session.
+ */
static tls_session_t *
gnutls_ServerSessionPrepare( tls_server_t *p_server )
{
tls_session_t *p_session;
- gnutls_session *p_sys;
- int val;
- vlc_value_t bits;
+ tls_server_sys_t *p_server_sys;
+ gnutls_session_t session;
+ int i_val;
- p_sys = (gnutls_session *)malloc( sizeof(gnutls_session) );
- if( p_sys == NULL )
+ p_session = vlc_object_create( p_server, sizeof (struct tls_session_t) );
+ if( p_session == NULL )
return NULL;
- val = gnutls_init( p_sys, GNUTLS_SERVER );
- if( val != 0 )
+ p_session->p_sys = malloc( sizeof(struct tls_session_sys_t) );
+ if( p_session->p_sys == NULL )
{
- msg_Err( p_server->p_tls, "Cannot initialize TLS session : %s",
- gnutls_strerror( val ) );
- free( p_sys );
- return NULL;
- }
-
- val = gnutls_set_default_priority( *p_sys );
- if( val < 0 )
- {
- msg_Err( p_server->p_tls, "Cannot set ciphers priorities : %s",
- gnutls_strerror( val ) );
- gnutls_deinit( *p_sys );
- free( p_sys );
+ vlc_object_destroy( p_session );
return NULL;
}
- val = gnutls_credentials_set( *p_sys, GNUTLS_CRD_CERTIFICATE,
- ((tls_server_sys_t *)(p_server->p_sys))
- ->x509_cred );
- if( val < 0 )
+ p_server_sys = p_server->p_sys;
+ p_session->sock.p_sys = p_session;
+ p_session->sock.pf_send = gnutls_Send;
+ p_session->sock.pf_recv = gnutls_Recv;
+ p_session->pf_set_fd = gnutls_SetFD;
+ p_session->pf_handshake = p_server_sys->pf_handshake;
+
+ p_session->p_sys->b_handshaked = VLC_FALSE;
+ p_session->p_sys->psz_hostname = NULL;
+
+ i_val = gnutls_init( &session, GNUTLS_SERVER );
+ if( i_val != 0 )
{
- msg_Err( p_server->p_tls, "Cannot set TLS session credentials : %s",
- gnutls_strerror( val ) );
- gnutls_deinit( *p_sys );
- free( p_sys );
- return NULL;
+ msg_Err( p_server, "cannot initialize TLS session: %s",
+ gnutls_strerror( i_val ) );
+ goto error;
}
- /* TODO: support for client authentication */
- /*gnutls_certificate_server_set_request( p_session->session,
- GNUTLS_CERT_REQUEST ); */
+ p_session->p_sys->session = session;
- if( var_Get( p_server->p_tls, "dh-bits", &bits ) != VLC_SUCCESS )
+ if (gnutls_SessionPrioritize (VLC_OBJECT (p_session), session))
{
- var_Create( p_server->p_tls, "dh-bits",
- VLC_VAR_INTEGER | VLC_VAR_DOINHERIT );
- var_Get( p_server->p_tls, "dh-bits", &bits );
+ gnutls_deinit( session );
+ goto error;
}
- gnutls_dh_set_prime_bits( *p_sys, bits.i_int );
-
- p_session = malloc( sizeof (struct tls_session_t) );
- if( p_session == NULL )
+ i_val = gnutls_credentials_set( session, GNUTLS_CRD_CERTIFICATE,
+ p_server_sys->x509_cred );
+ if( i_val < 0 )
{
- gnutls_deinit( *p_sys );
- free( p_sys );
- return NULL;
+ msg_Err( p_server, "cannot set TLS session credentials: %s",
+ gnutls_strerror( i_val ) );
+ gnutls_deinit( session );
+ goto error;
}
- p_session->p_tls = p_server->p_tls;
- p_session->p_server = p_server;
- p_session->p_sys = p_sys;
- p_session->pf_handshake = gnutls_SessionHandshake;
- p_session->pf_close = gnutls_SessionClose;
- p_session->pf_send = gnutls_Send;
- p_session->pf_recv = gnutls_Recv;
+ if (p_session->pf_handshake == gnutls_HandshakeAndValidate)
+ gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
- return p_session;
-}
+ i_val = config_GetInt (p_server, "gnutls-dh-bits");
+ gnutls_dh_set_prime_bits (session, i_val);
+ /* Session resumption support */
+ i_val = config_GetInt (p_server, "gnutls-cache-timeout");
+ gnutls_db_set_cache_expiration (session, i_val);
+ gnutls_db_set_retrieve_function( session, cb_fetch );
+ gnutls_db_set_remove_function( session, cb_delete );
+ gnutls_db_set_store_function( session, cb_store );
+ gnutls_db_set_ptr( session, p_server );
-/*****************************************************************************
- * tls_ServerDelete:
- *****************************************************************************
- * Releases data allocated with tls_ServerCreate.
- *****************************************************************************/
-static void
-gnutls_ServerDelete( tls_server_t *p_server )
-{
- gnutls_certificate_free_credentials(
- ((tls_server_sys_t *)(p_server->p_sys))
- ->x509_cred );
- free( p_server->p_sys );
- free( p_server );
+ return p_session;
+
+error:
+ free( p_session->p_sys );
+ vlc_object_detach( p_session );
+ vlc_object_destroy( p_session );
+ return NULL;
}
-/*****************************************************************************
- * tls_ServerAddCA:
- *****************************************************************************
+/**
* Adds one or more certificate authorities.
- * TODO: we are not able to check the client credentials yet, so this function
- * is pretty useless.
- * Returns -1 on error, 0 on success.
- *****************************************************************************/
+ *
+ * @param psz_ca_path (Unicode) path to an x509 certificates list.
+ *
+ * @return -1 on error, 0 on success.
+ */
static int
gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path )
{
+ tls_server_sys_t *p_sys;
+ char *psz_local_path;
int val;
- val = gnutls_certificate_set_x509_trust_file( ((tls_server_sys_t *)
- (p_server->p_sys))
- ->x509_cred,
- psz_ca_path,
+ p_sys = (tls_server_sys_t *)(p_server->p_sys);
+
+ psz_local_path = ToLocale( psz_ca_path );
+ val = gnutls_certificate_set_x509_trust_file( p_sys->x509_cred,
+ psz_local_path,
GNUTLS_X509_FMT_PEM );
+ LocaleFree( psz_local_path );
if( val < 0 )
{
- msg_Err( p_server->p_tls, "Cannot add trusted CA (%s) : %s",
- psz_ca_path, gnutls_strerror( val ) );
- gnutls_ServerDelete( p_server );
+ msg_Err( p_server, "cannot add trusted CA (%s): %s", psz_ca_path,
+ gnutls_strerror( val ) );
return VLC_EGENERIC;
}
- msg_Dbg( p_server->p_tls, " %d trusted CA added (%s)", val,
- psz_ca_path );
+ msg_Dbg( p_server, " %d trusted CA added (%s)", val, psz_ca_path );
+
+ /* enables peer's certificate verification */
+ p_sys->pf_handshake = gnutls_HandshakeAndValidate;
+
return VLC_SUCCESS;
}
-/*****************************************************************************
- * tls_ServerAddCRL:
- *****************************************************************************
+/**
* Adds a certificates revocation list to be sent to TLS clients.
- * Returns -1 on error, 0 on success.
- *****************************************************************************/
+ *
+ * @param psz_crl_path (Unicode) path of the CRL file.
+ *
+ * @return -1 on error, 0 on success.
+ */
static int
gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
{
int val;
+ char *psz_local_path = ToLocale( psz_crl_path );
val = gnutls_certificate_set_x509_crl_file( ((tls_server_sys_t *)
(p_server->p_sys))->x509_cred,
- psz_crl_path,
+ psz_local_path,
GNUTLS_X509_FMT_PEM );
+ LocaleFree( psz_crl_path );
if( val < 0 )
{
- msg_Err( p_server->p_tls, "Cannot add CRL (%s) : %s",
- psz_crl_path, gnutls_strerror( val ) );
- gnutls_ServerDelete( p_server );
+ msg_Err( p_server, "cannot add CRL (%s): %s", psz_crl_path,
+ gnutls_strerror( val ) );
return VLC_EGENERIC;
}
- msg_Dbg( p_server->p_tls, "%d CRL added (%s)", val, psz_crl_path );
+ msg_Dbg( p_server, "%d CRL added (%s)", val, psz_crl_path );
return VLC_SUCCESS;
}
-
-/*****************************************************************************
- * tls_ServerCreate:
- *****************************************************************************
+
+/**
* Allocates a whole server's TLS credentials.
- * Returns NULL on error.
- *****************************************************************************/
-static tls_server_t *
-gnutls_ServerCreate( tls_t *p_this, const char *psz_cert_path,
- const char *psz_key_path )
+ */
+static int OpenServer (vlc_object_t *obj)
{
- tls_server_t *p_server;
- tls_server_sys_t *p_server_sys;
+ tls_server_t *p_server = (tls_server_t *)obj;
+ tls_server_sys_t *p_sys;
int val;
- msg_Dbg( p_this, "Creating TLS server" );
+ if (gnutls_Init (obj))
+ return VLC_EGENERIC;
- p_server_sys = (tls_server_sys_t *)malloc( sizeof(struct tls_server_sys_t) );
- if( p_server_sys == NULL )
- return NULL;
+ msg_Dbg (obj, "creating TLS server");
+
+ p_sys = (tls_server_sys_t *)malloc( sizeof(struct tls_server_sys_t) );
+ if( p_sys == NULL )
+ return VLC_ENOMEM;
+
+ p_sys->i_cache_size = config_GetInt (obj, "gnutls-cache-size");
+ p_sys->p_cache = calloc (p_sys->i_cache_size,
+ sizeof (struct saved_session_t));
+ if (p_sys->p_cache == NULL)
+ {
+ free (p_sys);
+ return VLC_ENOMEM;
+ }
+
+ p_sys->p_store = p_sys->p_cache;
+ p_server->p_sys = p_sys;
+ p_server->pf_add_CA = gnutls_ServerAddCA;
+ p_server->pf_add_CRL = gnutls_ServerAddCRL;
+ p_server->pf_open = gnutls_ServerSessionPrepare;
+ p_server->pf_close = gnutls_SessionClose;
+
+ /* No certificate validation by default */
+ p_sys->pf_handshake = gnutls_ContinueHandshake;
+
+ vlc_mutex_init( p_server, &p_sys->cache_lock );
/* Sets server's credentials */
- val = gnutls_certificate_allocate_credentials( &p_server_sys->x509_cred );
+ val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
if( val != 0 )
{
- msg_Err( p_this, "Cannot allocate X509 credentials : %s",
+ msg_Err( p_server, "cannot allocate X509 credentials: %s",
gnutls_strerror( val ) );
- free( p_server_sys );
- return NULL;
+ goto error;
}
- val = gnutls_certificate_set_x509_key_file( p_server_sys->x509_cred,
- psz_cert_path, psz_key_path,
+ char *psz_cert_path = var_GetNonEmptyString (obj, "tls-x509-cert");
+ char *psz_key_path = var_GetNonEmptyString (obj, "tls-x509-key");
+ const char *psz_local_cert = ToLocale (psz_cert_path);
+ const char *psz_local_key = ToLocale (psz_key_path);
+ val = gnutls_certificate_set_x509_key_file (p_sys->x509_cred,
+ psz_local_cert, psz_local_key,
GNUTLS_X509_FMT_PEM );
+ LocaleFree (psz_local_key);
+ free (psz_key_path);
+ LocaleFree (psz_local_cert);
+ free (psz_cert_path);
+
if( val < 0 )
{
- msg_Err( p_this, "Cannot set certificate chain or private key : %s",
+ msg_Err( p_server, "cannot set certificate chain or private key: %s",
gnutls_strerror( val ) );
- gnutls_certificate_free_credentials( p_server_sys->x509_cred );
- free( p_server_sys );
- return NULL;
+ gnutls_certificate_free_credentials( p_sys->x509_cred );
+ goto error;
}
- /* FIXME: regenerate these regularly */
- val = gnutls_dh_params_init( &p_server_sys->dh_params );
+ /* FIXME:
+ * - regenerate these regularly
+ * - support other ciper suites
+ */
+ val = gnutls_dh_params_init( &p_sys->dh_params );
if( val >= 0 )
{
- vlc_value_t bits;
+ msg_Dbg( p_server, "computing DHE ciphers parameters" );
+ val = gnutls_dh_params_generate2 (p_sys->dh_params,
+ config_GetInt (obj, "gnutls-dh-bits"));
+
+ /* Write the DH parameter to cache */
+ const char *cachedir = p_server->p_libvlc->psz_cachedir;
+ char cachefile[strlen (cachedir) + sizeof ("/dh_params.pem")];
+ sprintf (cachefile, "%s/dh_params.pem", cachedir);
- if( var_Get( p_this, "dh-bits", &bits ) != VLC_SUCCESS )
+ FILE *cache = utf8_fopen (cachefile, "wb");
+ if (cache != NULL)
{
- var_Create( p_this, "dh-bits",
- VLC_VAR_INTEGER | VLC_VAR_DOINHERIT );
- var_Get( p_this, "dh-bits", &bits );
+ size_t len = 0;
+ gnutls_dh_params_export_pkcs3 (p_sys->dh_params,
+ GNUTLS_X509_FMT_PEM, NULL, &len);
+ msg_Dbg (p_server, "caching DHE parameters (%u bytes) to %s",
+ (unsigned)len, cachefile);
+
+ unsigned char buf[len];
+ gnutls_dh_params_export_pkcs3 (p_sys->dh_params,
+ GNUTLS_X509_FMT_PEM, buf, &len);
+ if (fwrite (buf, 1, len, cache) != len)
+ msg_Warn (p_server, "cannot write to %s: %m", cachefile);
+ fclose (cache);
}
+ else
+ msg_Warn (p_server, "cannot open to %s: %m", cachefile);
- msg_Dbg( p_this, "Computing Diffie Hellman ciphers parameters" );
- val = gnutls_dh_params_generate2( p_server_sys->dh_params,
- bits.i_int );
}
if( val < 0 )
{
- msg_Err( p_this, "Cannot initialize DH cipher suites : %s",
+ msg_Err( p_server, "cannot initialize DHE cipher suites: %s",
gnutls_strerror( val ) );
- gnutls_certificate_free_credentials( p_server_sys->x509_cred );
- free( p_server_sys );
- return NULL;
- }
- msg_Dbg( p_this, "Ciphers parameters computed" );
-
- gnutls_certificate_set_dh_params( p_server_sys->x509_cred,
- p_server_sys->dh_params);
-
- p_server = (tls_server_t *)malloc( sizeof(struct tls_server_t) );
- if( p_server == NULL )
- {
- free( p_server_sys );
- return NULL;
- }
-
- p_server->p_tls = p_this;
- p_server->p_sys = p_server_sys;
- p_server->pf_delete = gnutls_ServerDelete;
- p_server->pf_add_CA = gnutls_ServerAddCA;
- p_server->pf_add_CRL = gnutls_ServerAddCRL;
- p_server->pf_session_prepare = gnutls_ServerSessionPrepare;
-
- return p_server;
-}
-
-
-/*****************************************************************************
- * gcrypt thread option VLC implementation:
- *****************************************************************************/
-vlc_object_t *__p_gcry_data;
-
-static int gcry_vlc_mutex_init (void **p_sys)
-{
- int i_val;
- vlc_mutex_t *p_lock = (vlc_mutex_t *)malloc (sizeof (vlc_mutex_t));
-
- if( p_lock == NULL)
- return ENOMEM;
-
- i_val = vlc_mutex_init( __p_gcry_data, p_lock);
- if (i_val)
- free (p_lock);
- else
- *p_sys = p_lock;
- return i_val;
-}
-
-static int gcry_vlc_mutex_destroy (void **p_sys)
-{
- int i_val;
- vlc_mutex_t *p_lock = (vlc_mutex_t *)*p_sys;
-
- i_val = vlc_mutex_destroy (p_lock);
- free (p_lock);
- return i_val;
-}
-
-static int gcry_vlc_mutex_lock (void **p_sys)
-{
- return vlc_mutex_lock ((vlc_mutex_t *)*p_sys);
-}
-
-static int gcry_vlc_mutex_unlock (void **lock)
-{
- return vlc_mutex_unlock ((vlc_mutex_t *)*lock);
-}
-
-static struct gcry_thread_cbs gcry_threads_vlc =
-{
- GCRY_THREAD_OPTION_USER,
- NULL,
- gcry_vlc_mutex_init,
- gcry_vlc_mutex_destroy,
- gcry_vlc_mutex_lock,
- gcry_vlc_mutex_unlock
-};
-
-
-/*****************************************************************************
- * Module initialization
- *****************************************************************************/
-static int
-Open( vlc_object_t *p_this )
-{
- tls_t *p_tls = (tls_t *)p_this;
-
- vlc_value_t lock, count;
-
- var_Create( p_this->p_libvlc, "tls_mutex", VLC_VAR_MUTEX );
- var_Get( p_this->p_libvlc, "tls_mutex", &lock );
- vlc_mutex_lock( lock.p_address );
-
- /* Initialize GnuTLS only once */
- var_Create( p_this->p_libvlc, "gnutls_count", VLC_VAR_INTEGER );
- var_Get( p_this->p_libvlc, "gnutls_count", &count);
-
- if( count.i_int == 0)
- {
- __p_gcry_data = VLC_OBJECT( p_this->p_vlc );
-
- gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_vlc);
- if( gnutls_global_init( ) )
- {
- msg_Warn( p_this, "cannot initialize GNUTLS" );
- vlc_mutex_unlock( lock.p_address );
- return VLC_EGENERIC;
- }
- if( gnutls_check_version( "1.0.0" ) == NULL )
- {
- gnutls_global_deinit( );
- vlc_mutex_unlock( lock.p_address );
- msg_Err( p_this, "unsupported GNUTLS version" );
- return VLC_EGENERIC;
- }
- msg_Dbg( p_this, "GNUTLS initialized" );
+ gnutls_certificate_free_credentials( p_sys->x509_cred );
+ goto error;
}
+ msg_Dbg( p_server, "ciphers parameters computed" );
- count.i_int++;
- var_Set( p_this->p_libvlc, "gnutls_count", count);
- vlc_mutex_unlock( lock.p_address );
+ gnutls_certificate_set_dh_params( p_sys->x509_cred, p_sys->dh_params);
- p_tls->pf_server_create = gnutls_ServerCreate;
- p_tls->pf_client_create = gnutls_ClientCreate;
return VLC_SUCCESS;
-}
+error:
+ vlc_mutex_destroy (&p_sys->cache_lock);
+ free (p_sys->p_cache);
+ free (p_sys);
+ return VLC_EGENERIC;
+}
-/*****************************************************************************
- * Module deinitialization
- *****************************************************************************/
-static void
-Close( vlc_object_t *p_this )
+/**
+ * Destroys a TLS server object.
+ */
+static void CloseServer (vlc_object_t *p_server)
{
- /*tls_t *p_tls = (tls_t *)p_this;
- tls_sys_t *p_sys = (tls_sys_t *)(p_this->p_sys);*/
-
- vlc_value_t lock, count;
+ tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys;
- var_Create( p_this->p_libvlc, "gnutls_mutex", VLC_VAR_MUTEX );
- var_Get( p_this->p_libvlc, "gnutls_mutex", &lock );
- vlc_mutex_lock( lock.p_address );
+ vlc_mutex_destroy (&p_sys->cache_lock);
+ free (p_sys->p_cache);
- var_Create( p_this->p_libvlc, "gnutls_count", VLC_VAR_INTEGER );
- var_Get( p_this->p_libvlc, "gnutls_count", &count);
- count.i_int--;
- var_Set( p_this->p_libvlc, "gnutls_count", count);
-
- if( count.i_int == 0 )
- {
- gnutls_global_deinit( );
- msg_Dbg( p_this, "GNUTLS deinitialized" );
- }
+ /* all sessions depending on the server are now deinitialized */
+ gnutls_certificate_free_credentials (p_sys->x509_cred);
+ gnutls_dh_params_deinit (p_sys->dh_params);
+ free (p_sys);
- vlc_mutex_unlock( lock.p_address);
+ gnutls_Deinit (p_server);
}
projects / vlc / blobdiff