/*****************************************************************************
* tls.c
*****************************************************************************
- * Copyright (C) 2004-2005 VideoLAN
- * $Id: httpd.c 8263 2004-07-24 09:06:58Z courmisch $
+ * Copyright (C) 2004-2006 Rémi Denis-Courmont
+ * $Id$
*
- * Authors: Remi Denis-Courmont <courmisch@via.ecp.fr>
+ * Authors: Rémi Denis-Courmont <rem # videolan.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
*****************************************************************************/
/*
* TODO:
- * - fix FIXMEs,
- * - client-side server cert validation (?).
+ * - fix FIXMEs
*/
#include <errno.h>
#include <vlc/vlc.h>
+#include <sys/types.h>
+#include <errno.h>
+#ifdef HAVE_DIRENT_H
+# include <dirent.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+# ifdef HAVE_UNISTD_H
+# include <unistd.h>
+# endif
+#endif
+
+
#include "vlc_tls.h"
+#include "charset.h"
#include <gcrypt.h>
#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
#define DH_BITS 1024
#define CACHE_EXPIRATION 3600
#define CHECK_CERT_TEXT N_("Check TLS/SSL server certificate validity")
#define CHECK_CERT_LONGTEXT N_( \
"Ensures that server certificate is valid " \
- "(ie. signed by an approved Certificate Authority)." )
+ "(i.e. signed by an approved Certificate Authority)." )
#define CHECK_HOSTNAME_TEXT N_("Check TLS/SSL server hostname in certificate")
#define CHECK_HOSTNAME_LONGTEXT N_( \
"Ensures that server hostname in certificate match requested host name." )
vlc_module_begin();
+ set_shortname( "GnuTLS" );
set_description( _("GnuTLS TLS encryption layer") );
set_capability( "tls", 1 );
set_callbacks( Open, Close );
set_category( CAT_ADVANCED );
set_subcategory( SUBCAT_ADVANCED_MISC );
-#if 0
add_bool( "tls-check-cert", VLC_FALSE, NULL, CHECK_CERT_TEXT,
CHECK_CERT_LONGTEXT, VLC_FALSE );
add_bool( "tls-check-hostname", VLC_FALSE, NULL, CHECK_HOSTNAME_TEXT,
CHECK_HOSTNAME_LONGTEXT, VLC_FALSE );
-#endif
add_integer( "dh-bits", DH_BITS, NULL, DH_BITS_TEXT,
DH_BITS_LONGTEXT, VLC_TRUE );
typedef struct tls_session_sys_t
{
gnutls_session session;
+ char *psz_hostname;
vlc_bool_t b_handshaked;
} tls_session_sys_t;
static int
-_get_Int (vlc_object_t *p_this, const char *var)
+_get_Int( vlc_object_t *p_this, const char *var )
{
vlc_value_t value;
return value.i_int;
}
+static int
+_get_Bool( vlc_object_t *p_this, const char *var )
+{
+ vlc_value_t value;
+
+ if( var_Get( p_this, var, &value ) != VLC_SUCCESS )
+ {
+ var_Create( p_this, var, VLC_VAR_BOOL | VLC_VAR_DOINHERIT );
+ var_Get( p_this, var, &value );
+ }
+
+ return value.b_bool;
+}
+
#define get_Int( a, b ) _get_Int( (vlc_object_t *)(a), (b) )
+#define get_Bool( a, b ) _get_Bool( (vlc_object_t *)(a), (b) )
/*****************************************************************************
val = gnutls_ContinueHandshake( p_session );
if( val == 0 )
{
- int status;
+ unsigned status;
+ gnutls_x509_crt cert;
+ const gnutls_datum *p_data;
+ tls_session_sys_t *p_sys;
- val = gnutls_certificate_verify_peers2( ((tls_session_sys_t *)
- (p_session->p_sys))->session,
- &status );
+ p_sys = (tls_session_sys_t *)(p_session->p_sys);
+ /* certificates chain verification */
+ val = gnutls_certificate_verify_peers2( p_sys->session, &status );
if( val )
{
}
msg_Dbg( p_session, "TLS certificate verified" );
+ if( p_sys->psz_hostname == NULL )
+ return 0;
+
+ /* certificate (host)name verification */
+ p_data = gnutls_certificate_get_peers( p_sys->session, &status );
+ if( p_data == NULL )
+ {
+ msg_Err( p_session, "TLS peer certificate not available" );
+ p_session->pf_close( p_session );
+ return -1;
+ }
+
+ val = gnutls_x509_crt_init( &cert );
+ if( val )
+ {
+ msg_Err( p_session, "x509 fatal error : %s",
+ gnutls_strerror( val ) );
+ p_session->pf_close( p_session );
+ return -1;
+ }
+
+ val = gnutls_x509_crt_import( cert, p_data, GNUTLS_X509_FMT_DER );
+ if( val )
+ {
+ msg_Err( p_session, "x509 certificate import error : %s",
+ gnutls_strerror( val ) );
+ gnutls_x509_crt_deinit( cert );
+ p_session->pf_close( p_session );
+ return -1;
+ }
+
+ if( gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) == 0 )
+ {
+ msg_Err( p_session, "x509 certificate does not match \"%s\"",
+ p_sys->psz_hostname );
+ gnutls_x509_crt_deinit( cert );
+ p_session->pf_close( p_session );
+ return -1;
+ }
+
+ gnutls_x509_crt_deinit( cert );
+
+ msg_Dbg( p_session, "x509 hostname verified" );
return 0;
}
p_sys = (tls_session_sys_t *)(p_session->p_sys);
- gnutls_transport_set_ptr (p_sys->session, (gnutls_transport_ptr)fd);
+ gnutls_transport_set_ptr (p_sys->session, (gnutls_transport_ptr)(unsigned long)fd);
+
if( psz_hostname != NULL )
+ {
gnutls_server_name_set( p_sys->session, GNUTLS_NAME_DNS, psz_hostname,
strlen( psz_hostname ) );
+ if( get_Bool( p_session, "tls-check-hostname" ) )
+ {
+ p_sys->psz_hostname = strdup( psz_hostname );
+ if( p_sys->psz_hostname == NULL )
+ {
+ p_session->pf_close( p_session );
+ return -1;
+ }
+ }
+ }
return p_session->pf_handshake2( p_session );
}
gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
gnutls_deinit( p_sys->session );
+ if( p_sys->psz_hostname != NULL )
+ free( p_sys->psz_hostname );
+
vlc_object_detach( p_session );
vlc_object_destroy( p_session );
gnutls_ClientDelete( tls_session_t *p_session )
{
/* On the client-side, credentials are re-allocated per session */
- gnutls_certificate_free_credentials( ((tls_client_sys_t *)
- (p_session->p_sys))->x509_cred );
+ gnutls_certificate_credentials x509_cred =
+ ((tls_client_sys_t *)(p_session->p_sys))->x509_cred;
+
gnutls_SessionClose( p_session );
+
+ /* credentials must be free'd *after* gnutls_deinit() */
+ gnutls_certificate_free_credentials( x509_cred );
}
+inline int
+is_regular( const char *psz_filename )
+{
+#ifdef HAVE_SYS_STAT_H
+ struct stat st;
+
+ return ( utf8_stat( psz_filename, &st ) == 0 )
+ && S_ISREG( st.st_mode );
+#else
+ return 1;
+#endif
+}
+
+static int
+gnutls_Addx509Directory( vlc_object_t *p_this,
+ gnutls_certificate_credentials cred,
+ const char *psz_dirname,
+ vlc_bool_t private )
+{
+ DIR* dir;
+ const char *psz_dirent;
+
+ if( *psz_dirname == '\0' )
+ psz_dirname = ".";
+
+ dir = utf8_opendir( psz_dirname );
+ if( dir == NULL )
+ {
+ msg_Warn( p_this, "Cannot open directory (%s) : %s", psz_dirname,
+ strerror( errno ) );
+ return VLC_EGENERIC;
+ }
+
+ while( ( psz_dirent = utf8_readdir( dir ) ) != NULL )
+ {
+ char *psz_filename;
+ int check = asprintf( &psz_filename, "%s/%s", psz_dirname,
+ psz_dirent );
+ LocaleFree( psz_dirent );
+ if( check == -1 )
+ {
+ closedir( dir );
+ return VLC_ENOMEM;
+ }
+
+ /* we neglect the race condition here - not security sensitive */
+ if( is_regular( psz_filename ) )
+ {
+ int i;
+ char *psz_localname = ToLocale( psz_filename );
+
+ i = (private)
+ ? gnutls_certificate_set_x509_key_file( cred, psz_localname,
+ psz_filename,
+ GNUTLS_X509_FMT_PEM )
+ : gnutls_certificate_set_x509_trust_file( cred, psz_localname,
+ GNUTLS_X509_FMT_PEM
+ );
+ LocaleFree( psz_localname );
+ if( i < 0 )
+ {
+ msg_Warn( p_this, "Cannot add x509 certificate (%s) : %s",
+ psz_filename, gnutls_strerror( i ) );
+ }
+ }
+ free( psz_filename );
+ }
+
+ closedir( dir );
+ return VLC_SUCCESS;
+}
/*****************************************************************************
* tls_ClientCreate:
p_sys = (tls_client_sys_t *)malloc( sizeof(struct tls_client_sys_t) );
if( p_sys == NULL )
return NULL;
-
+
p_session = (struct tls_session_t *)vlc_object_create ( p_tls, sizeof(struct tls_session_t) );
if( p_session == NULL )
{
p_session->sock.pf_send = gnutls_Send;
p_session->sock.pf_recv = gnutls_Recv;
p_session->pf_handshake = gnutls_BeginHandshake;
- p_session->pf_handshake2 = gnutls_ContinueHandshake;
p_session->pf_close = gnutls_ClientDelete;
p_sys->session.b_handshaked = VLC_FALSE;
+ p_sys->session.psz_hostname = NULL;
vlc_object_attach( p_session, p_tls );
goto error;
}
-#if 0
- if( psz_ca_path != NULL )
+ if( get_Bool( p_tls, "tls-check-cert" ) )
{
- i_val = gnutls_certificate_set_x509_trust_file( p_sys->x509_cred,
- psz_ca_path,
- GNUTLS_X509_FMT_PEM );
- if( i_val != 0 )
+ /* FIXME: support for changing path/using multiple paths */
+ char *psz_path;
+
+ if( asprintf( &psz_path, "%s/"CONFIG_DIR"/ssl/certs",
+ p_tls->p_vlc->psz_homedir ) == -1 )
{
- msg_Err( p_tls, "Cannot add trusted CA (%s) : %s", psz_ca_path,
- gnutls_strerror( i_val ) );
gnutls_certificate_free_credentials( p_sys->x509_cred );
goto error;
}
+
+ gnutls_Addx509Directory( (vlc_object_t *)p_session, p_sys->x509_cred,
+ psz_path, VLC_FALSE );
+
+ free( psz_path );
+ p_session->pf_handshake2 = gnutls_HandshakeAndValidate;
}
-#endif
+ else
+ p_session->pf_handshake2 = gnutls_ContinueHandshake;
+
+ {
+ /* FIXME: support for changing path/using multiple paths */
+ char *psz_path;
+
+ if( asprintf( &psz_path, "%s/"CONFIG_DIR"/ssl/private",
+ p_tls->p_vlc->psz_homedir ) == -1 )
+ {
+ gnutls_certificate_free_credentials( p_sys->x509_cred );
+ goto error;
+ }
+
+ gnutls_Addx509Directory( (vlc_object_t *)p_session, p_sys->x509_cred,
+ psz_path, VLC_TRUE );
+
+ free( psz_path );
+ }
+
i_val = gnutls_init( &p_sys->session.session, GNUTLS_CLIENT );
if( i_val != 0 )
{
gnutls_ServerSessionPrepare( tls_server_t *p_server )
{
tls_session_t *p_session;
+ tls_server_sys_t *p_server_sys;
gnutls_session session;
int i_val;
p_session = vlc_object_create( p_server, sizeof (struct tls_session_t) );
if( p_session == NULL )
return NULL;
-
+
p_session->p_sys = malloc( sizeof(struct tls_session_sys_t) );
if( p_session->p_sys == NULL )
{
vlc_object_attach( p_session, p_server );
+ p_server_sys = (tls_server_sys_t *)p_server->p_sys;
p_session->sock.p_sys = p_session;
p_session->sock.pf_send = gnutls_Send;
p_session->sock.pf_recv = gnutls_Recv;
p_session->pf_handshake = gnutls_BeginHandshake;
- p_session->pf_handshake2 = ((tls_server_sys_t *)
- (p_server->p_sys))->pf_handshake2;
+ p_session->pf_handshake2 = p_server_sys->pf_handshake2;
p_session->pf_close = gnutls_SessionClose;
((tls_session_sys_t *)p_session->p_sys)->b_handshaked = VLC_FALSE;
+ ((tls_session_sys_t *)p_session->p_sys)->psz_hostname = NULL;
i_val = gnutls_init( &session, GNUTLS_SERVER );
if( i_val != 0 )
}
i_val = gnutls_credentials_set( session, GNUTLS_CRD_CERTIFICATE,
- ((tls_server_sys_t *)(p_server->p_sys))
- ->x509_cred );
+ p_server_sys->x509_cred );
if( i_val < 0 )
{
msg_Err( p_server, "Cannot set TLS session credentials : %s",
goto error;
}
- /* TODO: support for client authentication */
- /*gnutls_certificate_server_set_request( p_session->session,
- GNUTLS_CERT_REQUEST ); */
+ if( p_session->pf_handshake2 == gnutls_HandshakeAndValidate )
+ gnutls_certificate_server_set_request( session, GNUTLS_CERT_REQUIRE );
gnutls_dh_set_prime_bits( session, get_Int( p_server, "dh-bits" ) );
gnutls_ServerDelete( tls_server_t *p_server )
{
tls_server_sys_t *p_sys;
-
p_sys = (tls_server_sys_t *)p_server->p_sys;
- gnutls_certificate_free_credentials( p_sys->x509_cred );
- gnutls_dh_params_deinit( p_sys->dh_params );
vlc_mutex_destroy( &p_sys->cache_lock );
+ free( p_sys->p_cache );
vlc_object_detach( p_server );
vlc_object_destroy( p_server );
- free( p_sys->p_cache );
+ /* all sessions depending on the server are now deinitialized */
+ gnutls_certificate_free_credentials( p_sys->x509_cred );
+ gnutls_dh_params_deinit( p_sys->dh_params );
free( p_sys );
}
static int
gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path )
{
- int val;
tls_server_sys_t *p_sys;
+ char *psz_local_path;
+ int val;
p_sys = (tls_server_sys_t *)(p_server->p_sys);
+ psz_local_path = ToLocale( psz_ca_path );
val = gnutls_certificate_set_x509_trust_file( p_sys->x509_cred,
- psz_ca_path,
+ psz_local_path,
GNUTLS_X509_FMT_PEM );
+ LocaleFree( psz_local_path );
if( val < 0 )
{
msg_Err( p_server, "Cannot add trusted CA (%s) : %s", psz_ca_path,
gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
{
int val;
+ char *psz_local_path = ToLocale( psz_crl_path );
val = gnutls_certificate_set_x509_crl_file( ((tls_server_sys_t *)
(p_server->p_sys))->x509_cred,
- psz_crl_path,
+ psz_local_path,
GNUTLS_X509_FMT_PEM );
+ LocaleFree( psz_crl_path );
if( val < 0 )
{
msg_Err( p_server, "Cannot add CRL (%s) : %s", psz_crl_path,
msg_Dbg( p_server, "%d CRL added (%s)", val, psz_crl_path );
return VLC_SUCCESS;
}
-
+
/*****************************************************************************
* tls_ServerCreate:
{
tls_server_t *p_server;
tls_server_sys_t *p_sys;
+ char *psz_local_key, *psz_local_cert;
int val;
msg_Dbg( p_tls, "Creating TLS server" );
goto error;
}
+ psz_local_cert = ToLocale( psz_cert_path );
+ psz_local_key = ToLocale( psz_key_path );
val = gnutls_certificate_set_x509_key_file( p_sys->x509_cred,
- psz_cert_path, psz_key_path,
+ psz_local_cert, psz_local_key,
GNUTLS_X509_FMT_PEM );
+ LocaleFree( psz_cert_path );
+ LocaleFree( psz_key_path );
if( val < 0 )
{
msg_Err( p_server, "Cannot set certificate chain or private key : %s",