/*****************************************************************************
* tls.c
*****************************************************************************
- * Copyright (C) 2004-2005 the VideoLAN team
+ * Copyright © 2004-2007 Rémi Denis-Courmont
* $Id$
*
* Authors: Rémi Denis-Courmont <rem # videolan.org>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
*****************************************************************************/
/**
* libvlc interface to the Transport Layer Security (TLS) plugins.
*/
-#include <stdlib.h>
-#include <vlc/vlc.h>
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
-#include <vlc_tls.h>
+#ifdef HAVE_POLL
+# include <poll.h>
+#endif
+#include <assert.h>
-static tls_t *
-tls_Init( vlc_object_t *p_this )
-{
- tls_t *p_tls;
- vlc_value_t lockval;
+#include <vlc_common.h>
+#include "libvlc.h"
- var_Create( p_this->p_libvlc_global, "tls_mutex", VLC_VAR_MUTEX );
- var_Get( p_this->p_libvlc_global, "tls_mutex", &lockval );
- vlc_mutex_lock( lockval.p_address );
+#include <vlc_tls.h>
+#include <vlc_modules.h>
- p_tls = vlc_object_find( p_this, VLC_OBJECT_TLS, FIND_ANYWHERE );
+/*** TLS credentials ***/
- if( p_tls == NULL )
- {
- p_tls = vlc_object_create( p_this, VLC_OBJECT_TLS );
- if( p_tls == NULL )
- {
- vlc_mutex_unlock( lockval.p_address );
- return NULL;
- }
-
- p_tls->p_module = module_Need( p_tls, "tls", 0, 0 );
- if( p_tls->p_module == NULL )
- {
- msg_Err( p_tls, "TLS/SSL provider not found" );
- vlc_mutex_unlock( lockval.p_address );
- vlc_object_destroy( p_tls );
- return NULL;
- }
-
- vlc_object_attach( p_tls, p_this->p_libvlc );
- vlc_object_yield( p_tls );
- msg_Dbg( p_tls, "TLS/SSL provider initialized" );
- }
- vlc_mutex_unlock( lockval.p_address );
+static int tls_server_load(void *func, va_list ap)
+{
+ int (*activate) (vlc_tls_creds_t *, const char *, const char *) = func;
+ vlc_tls_creds_t *crd = va_arg (ap, vlc_tls_creds_t *);
+ const char *cert = va_arg (ap, const char *);
+ const char *key = va_arg (ap, const char *);
- return p_tls;
+ return activate (crd, cert, key);
}
-static void
-tls_Deinit( tls_t *p_tls )
+static int tls_client_load(void *func, va_list ap)
{
- int i;
- vlc_value_t lockval;
-
- var_Get( p_tls->p_libvlc_global, "tls_mutex", &lockval );
- vlc_mutex_lock( lockval.p_address );
+ int (*activate) (vlc_tls_creds_t *) = func;
+ vlc_tls_creds_t *crd = va_arg (ap, vlc_tls_creds_t *);
- vlc_object_release( p_tls );
-
- i = p_tls->i_refcount;
- if( i == 0 )
- vlc_object_detach( p_tls );
+ return activate (crd);
+}
- vlc_mutex_unlock( lockval.p_address );
+static void tls_unload(void *func, va_list ap)
+{
+ void (*deactivate) (vlc_tls_creds_t *) = func;
+ vlc_tls_creds_t *crd = va_arg (ap, vlc_tls_creds_t *);
- if( i == 0 )
- {
- module_Unneed( p_tls, p_tls->p_module );
- msg_Dbg( p_tls, "TLS/SSL provider deinitialized" );
- vlc_object_destroy( p_tls );
- }
+ deactivate (crd);
}
/**
* Allocates a whole server's TLS credentials.
*
- * @param psz_cert required (Unicode) path to an x509 certificate.
- * @param psz_key required (Unicode) path to the PKCS private key for
- * the certificate.
+ * @param cert_path required (Unicode) path to an x509 certificate,
+ * if NULL, anonymous key exchange will be used.
+ * @param key_path (UTF-8) path to the PKCS private key for the certificate,
+ * if NULL; cert_path will be used.
*
* @return NULL on error.
*/
-tls_server_t *
-tls_ServerCreate( vlc_object_t *p_this, const char *psz_cert,
- const char *psz_key )
+vlc_tls_creds_t *
+vlc_tls_ServerCreate (vlc_object_t *obj, const char *cert_path,
+ const char *key_path)
{
- tls_t *p_tls;
- tls_server_t *p_server;
+ vlc_tls_creds_t *srv = vlc_custom_create (obj, sizeof (*srv),
+ "tls server");
+ if (unlikely(srv == NULL))
+ return NULL;
+
+ if (key_path == NULL)
+ key_path = cert_path;
- p_tls = tls_Init( p_this );
- if( p_tls == NULL )
+ srv->module = vlc_module_load (srv, "tls server", NULL, false,
+ tls_server_load, srv, cert_path, key_path);
+ if (srv->module == NULL)
+ {
+ msg_Err (srv, "TLS server plugin not available");
+ vlc_object_release (srv);
return NULL;
+ }
- if( psz_key == NULL )
- psz_key = psz_cert;
+ return srv;
+}
- p_server = p_tls->pf_server_create( p_tls, psz_cert, psz_key );
- if( p_server != NULL )
+/**
+ * Allocates TLS credentials for a client.
+ * Credentials can be cached and reused across multiple TLS sessions.
+ *
+ * @return TLS credentials object, or NULL on error.
+ **/
+vlc_tls_creds_t *vlc_tls_ClientCreate (vlc_object_t *obj)
+{
+ vlc_tls_creds_t *crd = vlc_custom_create (obj, sizeof (*crd),
+ "tls client");
+ if (unlikely(crd == NULL))
+ return NULL;
+
+ crd->module = vlc_module_load (crd, "tls client", NULL, false,
+ tls_client_load, crd);
+ if (crd->module == NULL)
{
- msg_Dbg( p_tls, "TLS/SSL server initialized" );
- return p_server;
+ msg_Err (crd, "TLS client plugin not available");
+ vlc_object_release (crd);
+ return NULL;
}
- else
- msg_Err( p_tls, "TLS/SSL server error" );
- tls_Deinit( p_tls );
- return NULL;
+ return crd;
+}
+
+/**
+ * Releases data allocated with vlc_tls_ClientCreate() or
+ * vlc_tls_ServerCreate().
+ * @param srv TLS server object to be destroyed, or NULL
+ */
+void vlc_tls_Delete (vlc_tls_creds_t *crd)
+{
+ if (crd == NULL)
+ return;
+
+ vlc_module_unload (crd->module, tls_unload, crd);
+ vlc_object_release (crd);
}
/**
- * Releases data allocated with tls_ServerCreate.
+ * Adds one or more certificate authorities from a file.
+ * @return -1 on error, 0 on success.
*/
-void
-tls_ServerDelete( tls_server_t *p_server )
+int vlc_tls_ServerAddCA (vlc_tls_creds_t *srv, const char *path)
{
- tls_t *p_tls = (tls_t *)p_server->p_parent;
+ return srv->add_CA (srv, path);
+}
- p_server->pf_delete( p_server );
- tls_Deinit( p_tls );
+/**
+ * Adds one or more certificate revocation list from a file.
+ * @return -1 on error, 0 on success.
+ */
+int vlc_tls_ServerAddCRL (vlc_tls_creds_t *srv, const char *path)
+{
+ return srv->add_CRL (srv, path);
}
+/*** TLS session ***/
+
+vlc_tls_t *vlc_tls_SessionCreate (vlc_tls_creds_t *crd, int fd,
+ const char *host)
+{
+ vlc_tls_t *session = vlc_custom_create (crd, sizeof (*session),
+ "tls session");
+ int val = crd->open (crd, session, fd, host);
+ if (val == VLC_SUCCESS)
+ return session;
+ vlc_object_release (session);
+ return NULL;
+}
+
+void vlc_tls_SessionDelete (vlc_tls_t *session)
+{
+ vlc_tls_creds_t *crd = (vlc_tls_creds_t *)(session->p_parent);
+
+ crd->close (crd, session);
+ vlc_object_release (session);
+}
+
+int vlc_tls_SessionHandshake (vlc_tls_t *session, const char *host,
+ const char *service)
+{
+ return session->handshake (session, host, service);
+}
+
/**
- * Allocates a client's TLS credentials and shakes hands through the network.
- * This is a blocking network operation.
+ * Performs client side of TLS handshake through a connected socket, and
+ * establishes a secure channel. This is a blocking network operation.
*
- * @param fd stream socket through which to establish the secure communication
- * layer.
- * @param psz_hostname Server Name Indication to pass to the server, or NULL.
+ * @param fd socket through which to establish the secure channel
+ * @param hostname expected server name, used both as Server Name Indication
+ * and as expected Common Name of the peer certificate
*
* @return NULL on error.
**/
-tls_session_t *
-tls_ClientCreate( vlc_object_t *p_this, int fd, const char *psz_hostname )
+vlc_tls_t *vlc_tls_ClientSessionCreate (vlc_tls_creds_t *crd, int fd,
+ const char *host, const char *service)
{
- tls_t *p_tls;
- tls_session_t *p_session;
-
- p_tls = tls_Init( p_this );
- if( p_tls == NULL )
+ vlc_tls_t *session = vlc_tls_SessionCreate (crd, fd, host);
+ if (session == NULL)
return NULL;
-
- p_session = p_tls->pf_client_create( p_tls );
- if( p_session != NULL )
+
+ mtime_t deadline = mdate ();
+ deadline += var_InheritInteger (crd, "ipv4-timeout") * 1000;
+
+ struct pollfd ufd[1];
+ ufd[0].fd = fd;
+
+ int val;
+ while ((val = vlc_tls_SessionHandshake (session, host, service)) > 0)
{
- int i_val;
+ mtime_t now = mdate ();
+ if (now > deadline)
+ now = deadline;
- for( i_val = tls_ClientSessionHandshake( p_session, fd,
- psz_hostname );
- i_val > 0;
- i_val = tls_SessionContinueHandshake( p_session ) );
+ assert (val <= 2);
+ ufd[0] .events = (val == 1) ? POLLIN : POLLOUT;
- if( i_val == 0 )
+ if (poll (ufd, 1, (deadline - now) / 1000) == 0)
{
- msg_Dbg( p_this, "TLS/SSL client initialized" );
- return p_session;
+ msg_Err (session, "TLS client session handshake timeout");
+ val = -1;
+ break;
}
- msg_Err( p_this, "TLS/SSL session handshake error" );
}
- else
- msg_Err( p_this, "TLS/SSL client error" );
-
- tls_Deinit( p_tls );
- return NULL;
-}
-
-/**
- * Releases data allocated with tls_ClientCreate.
- * It is your job to close the underlying socket.
- */
-void
-tls_ClientDelete( tls_session_t *p_session )
-{
- tls_t *p_tls = (tls_t *)p_session->p_parent;
-
- p_session->pf_close( p_session );
-
- tls_Deinit( p_tls );
+ if (val != 0)
+ {
+ msg_Err (session, "TLS client session handshake error");
+ vlc_tls_SessionDelete (session);
+ session = NULL;
+ }
+ return session;
}