X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=modules%2Fmisc%2Fgnutls.c;h=5c527d2b1213045745417c5f204533ba898f747e;hb=f659703fb4033420e0607d34bc7cd880a5802ea7;hp=163172b8b3111c54eca4fa808e32e39c932099d1;hpb=770a2ac676c3f3fd8ce9aae369246ebec828d19a;p=vlc

diff --git a/modules/misc/gnutls.c b/modules/misc/gnutls.c
index 163172b8b3..5c527d2b12 100644
--- a/modules/misc/gnutls.c
+++ b/modules/misc/gnutls.c
@@ -25,34 +25,46 @@
  * Preamble
  *****************************************************************************/
 
-#include <vlc/vlc.h>
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <vlc_common.h>
+#include <vlc_plugin.h>
 #include <errno.h>
 #include <time.h>
 
 #include <sys/types.h>
 #include <errno.h>
-#ifdef HAVE_DIRENT_H
-# include <dirent.h>
-#endif
 #ifdef HAVE_SYS_STAT_H
 # include <sys/stat.h>
-# ifdef HAVE_UNISTD_H
-#  include <unistd.h>
-# endif
 #endif
+#ifdef WIN32
+# include <io.h>
+#else
+# include <unistd.h>
+#endif
+# include <fcntl.h>
 
 
-#include "vlc_tls.h"
+#include <vlc_tls.h>
 #include <vlc_charset.h>
+#include <vlc_fs.h>
+#include <vlc_block.h>
 
 #include <gcrypt.h>
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
 
-#define DH_BITS           1024
+#include <vlc_gcrypt.h>
+
 #define CACHE_TIMEOUT     3600
 #define CACHE_SIZE          64
 
+#include "dhparams.h"
+
+#include <assert.h>
+
 /*****************************************************************************
  * Module descriptor
  *****************************************************************************/
@@ -61,12 +73,6 @@ static void CloseClient (vlc_object_t *);
 static int  OpenServer  (vlc_object_t *);
 static void CloseServer (vlc_object_t *);
 
-#define DH_BITS_TEXT N_("Diffie-Hellman prime bits")
-#define DH_BITS_LONGTEXT N_( \
-    "This allows you to modify the Diffie-Hellman prime's number of bits, " \
-    "used for TLS or SSL-based server-side encryption. This is generally " \
-    "not needed." )
-
 #define CACHE_TIMEOUT_TEXT N_("Expiration time for resumed TLS sessions")
 #define CACHE_TIMEOUT_LONGTEXT N_( \
     "It is possible to cache the resumed TLS sessions. This is the expiration "\
@@ -77,98 +83,32 @@ static void CloseServer (vlc_object_t *);
     "This is the maximum number of resumed TLS sessions that " \
     "the cache will hold." )
 
-#define CHECK_CERT_TEXT N_("Check TLS/SSL server certificate validity")
-#define CHECK_CERT_LONGTEXT N_( \
-    "This ensures that the server certificate is valid " \
-    "(i.e. signed by an approved Certification Authority)." )
-
-vlc_module_begin();
-    set_shortname( "GnuTLS" );
-    set_description( _("GnuTLS transport layer security") );
-    set_capability( "tls client", 1 );
-    set_callbacks( OpenClient, CloseClient );
-    set_category( CAT_ADVANCED );
-    set_subcategory( SUBCAT_ADVANCED_MISC );
-
-    add_bool( "tls-check-cert", VLC_TRUE, NULL, CHECK_CERT_TEXT,
-              CHECK_CERT_LONGTEXT, VLC_FALSE );
-    add_obsolete_bool( "tls-check-hostname" );
-
-    add_submodule();
-        set_description( _("GnuTLS server") );
-        set_capability( "tls server", 1 );
-        set_category( CAT_ADVANCED );
-        set_subcategory( SUBCAT_ADVANCED_MISC );
-        set_callbacks( OpenServer, CloseServer );
-
-        add_integer( "gnutls-dh-bits", DH_BITS, NULL, DH_BITS_TEXT,
-                    DH_BITS_LONGTEXT, VLC_TRUE );
+vlc_module_begin ()
+    set_shortname( "GnuTLS" )
+    set_description( N_("GnuTLS transport layer security") )
+    set_capability( "tls client", 1 )
+    set_callbacks( OpenClient, CloseClient )
+    set_category( CAT_ADVANCED )
+    set_subcategory( SUBCAT_ADVANCED_MISC )
+
+    add_obsolete_bool( "tls-check-cert" )
+    add_obsolete_bool( "tls-check-hostname" )
+
+    add_submodule ()
+        set_description( N_("GnuTLS server") )
+        set_capability( "tls server", 1 )
+        set_category( CAT_ADVANCED )
+        set_subcategory( SUBCAT_ADVANCED_MISC )
+        set_callbacks( OpenServer, CloseServer )
+
+        add_obsolete_integer( "gnutls-dh-bits" )
         add_integer( "gnutls-cache-timeout", CACHE_TIMEOUT, NULL,
-                    CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, VLC_TRUE );
+                    CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, true )
         add_integer( "gnutls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT,
-                    CACHE_SIZE_LONGTEXT, VLC_TRUE );
-vlc_module_end();
-
-
-
-#ifdef LIBVLC_USE_PTHREAD
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-# define gcry_threads_vlc gcry_threads_pthread
-#else
-/**
- * gcrypt thread option VLC implementation
- */
-
-# define NEED_THREAD_CONTEXT 1
-static vlc_object_t *__p_gcry_data = NULL;
-
-static int gcry_vlc_mutex_init( void **p_sys )
-{
-    int i_val;
-    vlc_mutex_t *p_lock = (vlc_mutex_t *)malloc( sizeof( vlc_mutex_t ) );
-
-    if( p_lock == NULL)
-        return ENOMEM;
-
-    i_val = vlc_mutex_init( __p_gcry_data, p_lock );
-    if( i_val )
-        free( p_lock );
-    else
-        *p_sys = p_lock;
-    return i_val;
-}
-
-static int gcry_vlc_mutex_destroy( void **p_sys )
-{
-    int i_val;
-    vlc_mutex_t *p_lock = (vlc_mutex_t *)*p_sys;
-
-    i_val = vlc_mutex_destroy( p_lock );
-    free( p_lock );
-    return i_val;
-}
-
-static int gcry_vlc_mutex_lock( void **p_sys )
-{
-    return vlc_mutex_lock( (vlc_mutex_t *)*p_sys );
-}
-
-static int gcry_vlc_mutex_unlock( void **lock )
-{
-    return vlc_mutex_unlock( (vlc_mutex_t *)*lock );
-}
-
-static struct gcry_thread_cbs gcry_threads_vlc =
-{
-    GCRY_THREAD_OPTION_USER,
-    NULL,
-    gcry_vlc_mutex_init,
-    gcry_vlc_mutex_destroy,
-    gcry_vlc_mutex_lock,
-    gcry_vlc_mutex_unlock
-};
-#endif
+                    CACHE_SIZE_LONGTEXT, true )
+vlc_module_end ()
 
+static vlc_mutex_t gnutls_mutex = VLC_STATIC_MUTEX;
 
 /**
  * Initializes GnuTLS with proper locking.
@@ -178,16 +118,9 @@ static int gnutls_Init (vlc_object_t *p_this)
 {
     int ret = VLC_EGENERIC;
 
-    vlc_mutex_t *lock = var_GetGlobalMutex ("gnutls_mutex");
-    vlc_mutex_lock (lock);
-
-    /* This should probably be removed/fixed. It will screw up with multiple
-     * LibVLC instances. */
-#ifdef NEED_THREAD_CONTEXT
-    __p_gcry_data = VLC_OBJECT (p_this->p_libvlc);
-#endif
+    vlc_gcrypt_init (); /* GnuTLS depends on gcrypt */
 
-    gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_vlc);
+    vlc_mutex_lock (&gnutls_mutex);
     if (gnutls_global_init ())
     {
         msg_Err (p_this, "cannot initialize GnuTLS");
@@ -206,7 +139,7 @@ static int gnutls_Init (vlc_object_t *p_this)
     ret = VLC_SUCCESS;
 
 error:
-    vlc_mutex_unlock (lock);
+    vlc_mutex_unlock (&gnutls_mutex);
     return ret;
 }
 
@@ -216,12 +149,11 @@ error:
  */
 static void gnutls_Deinit (vlc_object_t *p_this)
 {
-    vlc_mutex_t *lock = var_GetGlobalMutex( "gnutls_mutex" );
-    vlc_mutex_lock (lock);
+    vlc_mutex_lock (&gnutls_mutex);
 
     gnutls_global_deinit ();
     msg_Dbg (p_this, "GnuTLS deinitialized");
-    vlc_mutex_unlock (lock);
+    vlc_mutex_unlock (&gnutls_mutex);
 }
 
 
@@ -230,11 +162,12 @@ static int gnutls_Error (vlc_object_t *obj, int val)
     switch (val)
     {
         case GNUTLS_E_AGAIN:
-#ifndef WIN32
+#ifdef WIN32
+            WSASetLastError (WSAEWOULDBLOCK);
+#else
             errno = EAGAIN;
-            break;
 #endif
-            /* WinSock does not return EAGAIN, return EINTR instead */
+            break;
 
         case GNUTLS_E_INTERRUPTED:
 #ifdef WIN32
@@ -264,7 +197,7 @@ struct tls_session_sys_t
 {
     gnutls_session_t session;
     char            *psz_hostname;
-    vlc_bool_t       b_handshaked;
+    bool       b_handshaked;
 };
 
 
@@ -303,7 +236,7 @@ gnutls_Recv( void *p_session, void *buf, int i_length )
 /**
  * Starts or continues the TLS handshake.
  *
- * @return -1 on fatal error, 0 on succesful handshake completion,
+ * @return -1 on fatal error, 0 on successful handshake completion,
  * 1 if more would-be blocking recv is needed,
  * 2 if more would-be blocking send is required.
  */
@@ -330,7 +263,7 @@ gnutls_ContinueHandshake (tls_session_t *p_session)
         return -1;
     }
 
-    p_sys->b_handshaked = VLC_TRUE;
+    p_sys->b_handshaked = true;
     return 0;
 }
 
@@ -421,17 +354,13 @@ gnutls_HandshakeAndValidate( tls_session_t *session )
         goto error;
     }
 
-    if( p_sys->psz_hostname != NULL )
+    assert( p_sys->psz_hostname != NULL );
+    if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
     {
-        if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
-        {
-            msg_Err( session, "Certificate does not match \"%s\"",
-                     p_sys->psz_hostname );
-            goto error;
-        }
+        msg_Err( session, "Certificate does not match \"%s\"",
+                 p_sys->psz_hostname );
+        goto error;
     }
-    else
-        msg_Warn( session, "Certificate and hostname were not verified" );
 
     if( gnutls_x509_crt_get_expiration_time( cert ) < time( NULL ) )
     {
@@ -490,6 +419,7 @@ gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
     /* Note that ordering matters (on the client side) */
     static const int protos[] =
     {
+        /*GNUTLS_TLS1_2, as of GnuTLS 2.6.5, still not ratified */
         GNUTLS_TLS1_1,
         GNUTLS_TLS1_0,
         GNUTLS_SSL3,
@@ -503,6 +433,9 @@ gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
     };
     static const int macs[] =
     {
+        GNUTLS_MAC_SHA512,
+        GNUTLS_MAC_SHA384,
+        GNUTLS_MAC_SHA256,
         GNUTLS_MAC_SHA1,
         GNUTLS_MAC_RMD160, // RIPEMD
         GNUTLS_MAC_MD5,
@@ -516,6 +449,7 @@ gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
         GNUTLS_CIPHER_AES_128_CBC,
         GNUTLS_CIPHER_3DES_CBC,
         GNUTLS_CIPHER_ARCFOUR_128,
+        // TODO? Camellia ciphers?
         //GNUTLS_CIPHER_DES_CBC,
         //GNUTLS_CIPHER_ARCFOUR_40,
         //GNUTLS_CIPHER_RC2_40_CBC,
@@ -573,20 +507,20 @@ gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
 static int
 gnutls_Addx509File( vlc_object_t *p_this,
                     gnutls_certificate_credentials_t cred,
-                    const char *psz_path, vlc_bool_t b_priv );
+                    const char *psz_path, bool b_priv );
 
 static int
 gnutls_Addx509Directory( vlc_object_t *p_this,
                          gnutls_certificate_credentials_t cred,
                          const char *psz_dirname,
-                         vlc_bool_t b_priv )
+                         bool b_priv )
 {
     DIR* dir;
 
     if( *psz_dirname == '\0' )
         psz_dirname = ".";
 
-    dir = utf8_opendir( psz_dirname );
+    dir = vlc_opendir( psz_dirname );
     if( dir == NULL )
     {
         if (errno != ENOENT)
@@ -597,7 +531,7 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
 
         msg_Dbg (p_this, "creating empty certificate directory: %s",
                  psz_dirname);
-        utf8_mkdir (psz_dirname);
+        vlc_mkdir (psz_dirname, b_priv ? 0700 : 0755);
         return VLC_SUCCESS;
     }
 #ifdef S_ISLNK
@@ -612,7 +546,7 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
          * that the inode is still the same, to avoid TOCTOU race condition.
          */
         if( ( fd == -1)
-         || fstat( fd, &st1 ) || utf8_lstat( psz_dirname, &st2 )
+         || fstat( fd, &st1 ) || vlc_lstat( psz_dirname, &st2 )
          || S_ISLNK( st2.st_mode ) || ( st1.st_ino != st2.st_ino ) )
         {
             closedir( dir );
@@ -623,12 +557,15 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
 
     for (;;)
     {
-        char *ent = utf8_readdir (dir);
+        char *ent = vlc_readdir (dir);
         if (ent == NULL)
             break;
 
         if ((strcmp (ent, ".") == 0) || (strcmp (ent, "..") == 0))
+        {
+            free( ent );
             continue;
+        }
 
         char path[strlen (psz_dirname) + strlen (ent) + 2];
         sprintf (path, "%s"DIR_SEP"%s", psz_dirname, ent);
@@ -645,45 +582,52 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
 static int
 gnutls_Addx509File( vlc_object_t *p_this,
                     gnutls_certificate_credentials cred,
-                    const char *psz_path, vlc_bool_t b_priv )
+                    const char *psz_path, bool b_priv )
 {
     struct stat st;
 
-    if( utf8_stat( psz_path, &st ) == 0 )
+    int fd = vlc_open (psz_path, O_RDONLY);
+    if (fd == -1)
+        goto error;
+
+    block_t *block = block_File (fd);
+    if (block != NULL)
     {
-        if( S_ISREG( st.st_mode ) )
+        close (fd);
+
+        gnutls_datum data = {
+            .data = block->p_buffer,
+            .size = block->i_buffer,
+        };
+        int res = b_priv
+            ? gnutls_certificate_set_x509_key_mem (cred, &data, &data,
+                                                   GNUTLS_X509_FMT_PEM)
+            : gnutls_certificate_set_x509_trust_mem (cred, &data,
+                                                     GNUTLS_X509_FMT_PEM);
+        block_Release (block);
+
+        if (res < 0)
         {
-            char *psz_localname = ToLocale( psz_path );
-            int i = b_priv
-                    ? gnutls_certificate_set_x509_key_file( cred,
-                    psz_localname,  psz_localname, GNUTLS_X509_FMT_PEM )
-                : gnutls_certificate_set_x509_trust_file( cred,
-                        psz_localname, GNUTLS_X509_FMT_PEM );
-            LocaleFree( psz_localname );
-
-            if( i < 0 )
-            {
-                msg_Warn( p_this, "cannot add x509 credentials (%s): %s",
-                          psz_path, gnutls_strerror( i ) );
-                return VLC_EGENERIC;
-            }
-            else
-            {
-                msg_Dbg( p_this, "added x509 credentials (%s)",
-                         psz_path );
-                return VLC_SUCCESS;
-            }
-        }
-        else if( S_ISDIR( st.st_mode ) )
-        {
-            msg_Dbg( p_this,
-                     "looking recursively for x509 credentials in %s",
-                     psz_path );
-            return gnutls_Addx509Directory( p_this, cred, psz_path, b_priv);
+            msg_Warn (p_this, "cannot add x509 credentials (%s): %s",
+                      psz_path, gnutls_strerror (res));
+            return VLC_EGENERIC;
         }
+        msg_Dbg (p_this, "added x509 credentials (%s)", psz_path);
+        return VLC_SUCCESS;
     }
-    else
-        msg_Warn( p_this, "cannot add x509 credentials (%s): %m", psz_path );
+
+    if (!fstat (fd, &st) && S_ISDIR (st.st_mode))
+    {
+        close (fd);
+        msg_Dbg (p_this, "looking recursively for x509 credentials in %s",
+                 psz_path);
+        return gnutls_Addx509Directory (p_this, cred, psz_path, b_priv);
+    }
+
+error:
+    msg_Warn (p_this, "cannot add x509 credentials (%s): %m", psz_path);
+    if (fd != -1)
+        close (fd);
     return VLC_EGENERIC;
 }
 
@@ -720,15 +664,7 @@ static int OpenClient (vlc_object_t *obj)
     p_session->sock.pf_recv = gnutls_Recv;
     p_session->pf_set_fd = gnutls_SetFD;
 
-    p_sys->session.b_handshaked = VLC_FALSE;
-    p_sys->session.psz_hostname = NULL;
-
-    const char *homedir = obj->p_libvlc->psz_datadir,
-               *datadir = config_GetDataDir ();
-    size_t l1 = strlen (homedir), l2 = strlen (datadir);
-    char path[((l1 > l2) ? l1 : l2) + sizeof ("/ca-certificates.crt")];
-    //                              > sizeof ("/ssl/private")
-    //                              > sizeof ("/ssl/certs")
+    p_sys->session.b_handshaked = false;
 
     i_val = gnutls_certificate_allocate_credentials (&p_sys->x509_cred);
     if (i_val != 0)
@@ -738,26 +674,32 @@ static int OpenClient (vlc_object_t *obj)
         goto error;
     }
 
-    sprintf (path, "%s/ssl", homedir);
-    utf8_mkdir (path);
-
-    if (var_CreateGetBool (obj, "tls-check-cert"))
+    char *userdir = config_GetUserDir ( VLC_DATA_DIR );
+    if (userdir != NULL)
     {
-        sprintf (path, "%s/ssl/certs", homedir);
+        char path[strlen (userdir) + sizeof ("/ssl/private")];
+        sprintf (path, "%s/ssl", userdir);
+        vlc_mkdir (path, 0755);
+
+        sprintf (path, "%s/ssl/certs", userdir);
         gnutls_Addx509Directory (VLC_OBJECT (p_session),
-                                  p_sys->x509_cred, path, VLC_FALSE);
+                                 p_sys->x509_cred, path, false);
+        sprintf (path, "%s/ssl/private", userdir);
+        gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
+                                 path, true);
+        free (userdir);
+    }
 
-        sprintf (path, "%s/ca-certificates.crt", datadir);
+    const char *confdir = config_GetConfDir ();
+    {
+        char path[strlen (confdir)
+                   + sizeof ("/ssl/certs/ca-certificates.crt")];
+        sprintf (path, "%s/ssl/certs/ca-certificates.crt", confdir);
         gnutls_Addx509File (VLC_OBJECT (p_session),
-                            p_sys->x509_cred, path, VLC_FALSE);
-        p_session->pf_handshake = gnutls_HandshakeAndValidate;
+                            p_sys->x509_cred, path, false);
     }
-    else
-        p_session->pf_handshake = gnutls_ContinueHandshake;
-
-    sprintf (path, "%s/ssl/private", homedir);
-    gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
-                             path, VLC_TRUE);
+    p_session->pf_handshake = gnutls_HandshakeAndValidate;
+    /*p_session->pf_handshake = gnutls_ContinueHandshake;*/
 
     i_val = gnutls_init (&p_sys->session.session, GNUTLS_CLIENT);
     if (i_val != 0)
@@ -772,6 +714,9 @@ static int OpenClient (vlc_object_t *obj)
                                   p_sys->session.session))
         goto s_error;
 
+    /* minimum DH prime bits */
+    gnutls_dh_set_prime_bits (p_sys->session.session, 1024);
+
     i_val = gnutls_credentials_set (p_sys->session.session,
                                     GNUTLS_CRD_CERTIFICATE,
                                     p_sys->x509_cred);
@@ -783,12 +728,13 @@ static int OpenClient (vlc_object_t *obj)
     }
 
     char *servername = var_GetNonEmptyString (p_session, "tls-server-name");
-    if (servername != NULL )
-    {
-        p_sys->session.psz_hostname = servername;
+    if (servername == NULL )
+        msg_Err (p_session, "server name missing for TLS session");
+    else
         gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
                                 servername, strlen (servername));
-    }
+
+    p_sys->session.psz_hostname = servername;
 
     return VLC_SUCCESS;
 
@@ -807,7 +753,7 @@ static void CloseClient (vlc_object_t *obj)
     tls_session_t *client = (tls_session_t *)obj;
     tls_client_sys_t *p_sys = (tls_client_sys_t *)(client->p_sys);
 
-    if (p_sys->session.b_handshaked == VLC_TRUE)
+    if (p_sys->session.b_handshaked == true)
         gnutls_bye (p_sys->session.session, GNUTLS_SHUT_WR);
     gnutls_deinit (p_sys->session.session);
     /* credentials must be free'd *after* gnutls_deinit() */
@@ -956,12 +902,11 @@ gnutls_SessionClose (tls_server_t *p_server, tls_session_t *p_session)
     tls_session_sys_t *p_sys = p_session->p_sys;
     (void)p_server;
 
-    if( p_sys->b_handshaked == VLC_TRUE )
+    if( p_sys->b_handshaked == true )
         gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
     gnutls_deinit( p_sys->session );
 
-    vlc_object_detach( p_session );
-    vlc_object_destroy( p_session );
+    vlc_object_release( p_session );
 
     free( p_sys );
 }
@@ -985,7 +930,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
     p_session->p_sys = malloc( sizeof(struct tls_session_sys_t) );
     if( p_session->p_sys == NULL )
     {
-        vlc_object_destroy( p_session );
+        vlc_object_release( p_session );
         return NULL;
     }
 
@@ -996,7 +941,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
     p_session->pf_set_fd = gnutls_SetFD;
     p_session->pf_handshake = p_server_sys->pf_handshake;
 
-    p_session->p_sys->b_handshaked = VLC_FALSE;
+    p_session->p_sys->b_handshaked = false;
     p_session->p_sys->psz_hostname = NULL;
 
     i_val = gnutls_init( &session, GNUTLS_SERVER );
@@ -1028,12 +973,10 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
     if (p_session->pf_handshake == gnutls_HandshakeAndValidate)
         gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
 
-    i_val = config_GetInt (p_server, "gnutls-dh-bits");
-    gnutls_dh_set_prime_bits (session, i_val);
-
     /* Session resumption support */
-    i_val = config_GetInt (p_server, "gnutls-cache-timeout");
-    gnutls_db_set_cache_expiration (session, i_val);
+    i_val = var_InheritInteger (p_server, "gnutls-cache-timeout");
+    if (i_val >= 0)
+        gnutls_db_set_cache_expiration (session, i_val);
     gnutls_db_set_retrieve_function( session, cb_fetch );
     gnutls_db_set_remove_function( session, cb_delete );
     gnutls_db_set_store_function( session, cb_store );
@@ -1043,8 +986,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
 
 error:
     free( p_session->p_sys );
-    vlc_object_detach( p_session );
-    vlc_object_destroy( p_session );
+    vlc_object_release( p_session );
     return NULL;
 }
 
@@ -1132,7 +1074,9 @@ static int OpenServer (vlc_object_t *obj)
     if( p_sys == NULL )
         return VLC_ENOMEM;
 
-    p_sys->i_cache_size = config_GetInt (obj, "gnutls-cache-size");
+    p_sys->i_cache_size = var_InheritInteger (obj, "gnutls-cache-size");
+    if (p_sys->i_cache_size == -1) /* Duh, config subsystem exploded?! */
+        p_sys->i_cache_size = 0;
     p_sys->p_cache = calloc (p_sys->i_cache_size,
                              sizeof (struct saved_session_t));
     if (p_sys->p_cache == NULL)
@@ -1151,7 +1095,7 @@ static int OpenServer (vlc_object_t *obj)
     /* No certificate validation by default */
     p_sys->pf_handshake  = gnutls_ContinueHandshake;
 
-    vlc_mutex_init( p_server, &p_sys->cache_lock );
+    vlc_mutex_init( &p_sys->cache_lock );
 
     /* Sets server's credentials */
     val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
@@ -1183,51 +1127,27 @@ static int OpenServer (vlc_object_t *obj)
     }
 
     /* FIXME:
-     * - regenerate these regularly
      * - support other ciper suites
      */
-    val = gnutls_dh_params_init( &p_sys->dh_params );
-    if( val >= 0 )
+    val = gnutls_dh_params_init (&p_sys->dh_params);
+    if (val >= 0)
     {
-        msg_Dbg( p_server, "computing DHE ciphers parameters" );
-        val = gnutls_dh_params_generate2 (p_sys->dh_params,
-                                          config_GetInt (obj, "gnutls-dh-bits"));
-
-        /* Write the DH parameter to cache */
-        const char *cachedir = p_server->p_libvlc->psz_cachedir;
-        char cachefile[strlen (cachedir) + sizeof ("/dh_params.pem")];
-        sprintf (cachefile, "%s/dh_params.pem", cachedir);
-
-        FILE *cache = utf8_fopen (cachefile, "wb");
-        if (cache != NULL)
-        {
-            size_t len = 0;
-            gnutls_dh_params_export_pkcs3 (p_sys->dh_params,
-                                           GNUTLS_X509_FMT_PEM, NULL, &len);
-            msg_Dbg (p_server, "caching DHE parameters (%u bytes) to %s",
-                     (unsigned)len, cachefile);
-
-            unsigned char buf[len];
-            gnutls_dh_params_export_pkcs3 (p_sys->dh_params,
-                                           GNUTLS_X509_FMT_PEM, buf, &len);
-            if (fwrite (buf, 1, len, cache) != len)
-                msg_Warn (p_server, "cannot write to %s: %m", cachefile);
-            fclose (cache);
-        }
-        else
-            msg_Warn (p_server, "cannot open to %s: %m", cachefile);
-
+        const gnutls_datum_t data = {
+            .data = (unsigned char *)dh_params,
+            .size = sizeof (dh_params) - 1,
+        };
+
+        val = gnutls_dh_params_import_pkcs3 (p_sys->dh_params, &data,
+                                             GNUTLS_X509_FMT_PEM);
+        if (val == 0)
+            gnutls_certificate_set_dh_params (p_sys->x509_cred,
+                                              p_sys->dh_params);
     }
-    if( val < 0 )
+    if (val < 0)
     {
-        msg_Err( p_server, "cannot initialize DHE cipher suites: %s",
-                 gnutls_strerror( val ) );
-        gnutls_certificate_free_credentials( p_sys->x509_cred );
-        goto error;
+        msg_Err (p_server, "cannot initialize DHE cipher suites: %s",
+                 gnutls_strerror (val));
     }
-    msg_Dbg( p_server, "ciphers parameters computed" );
-
-    gnutls_certificate_set_dh_params( p_sys->x509_cred, p_sys->dh_params);
 
     return VLC_SUCCESS;