X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=modules%2Fmisc%2Fgnutls.c;h=622807bdfd7e7d640359497dff78b67a7a9a7ff6;hb=d632ffe1a6f5e6cea5dd796105e1708cdb0b3631;hp=da50844e2edd05ad94079fdfd13d2e8ab5a9b538;hpb=0e960e4f3c828b7c42863c203664c8e54816ed6b;p=vlc

diff --git a/modules/misc/gnutls.c b/modules/misc/gnutls.c
index da50844e2e..622807bdfd 100644
--- a/modules/misc/gnutls.c
+++ b/modules/misc/gnutls.c
@@ -25,7 +25,12 @@
  * Preamble
  *****************************************************************************/
 
-#include <vlc/vlc.h>
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <vlc_common.h>
+#include <vlc_plugin.h>
 #include <errno.h>
 #include <time.h>
 
@@ -36,23 +41,32 @@
 #endif
 #ifdef HAVE_SYS_STAT_H
 # include <sys/stat.h>
-# ifdef HAVE_UNISTD_H
-#  include <unistd.h>
-# endif
 #endif
+#ifdef WIN32
+# include <io.h>
+#else
+# include <unistd.h>
+#endif
+# include <fcntl.h>
 
 
-#include "vlc_tls.h"
+#include <vlc_tls.h>
 #include <vlc_charset.h>
+#include <vlc_block.h>
 
 #include <gcrypt.h>
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
 
-#define DH_BITS           1024
+#include <vlc_gcrypt.h>
+
 #define CACHE_TIMEOUT     3600
 #define CACHE_SIZE          64
 
+#include "dhparams.h"
+
+#include <assert.h>
+
 /*****************************************************************************
  * Module descriptor
  *****************************************************************************/
@@ -61,12 +75,6 @@ static void CloseClient (vlc_object_t *);
 static int  OpenServer  (vlc_object_t *);
 static void CloseServer (vlc_object_t *);
 
-#define DH_BITS_TEXT N_("Diffie-Hellman prime bits")
-#define DH_BITS_LONGTEXT N_( \
-    "This allows you to modify the Diffie-Hellman prime's number of bits, " \
-    "used for TLS or SSL-based server-side encryption. This is generally " \
-    "not needed." )
-
 #define CACHE_TIMEOUT_TEXT N_("Expiration time for resumed TLS sessions")
 #define CACHE_TIMEOUT_LONGTEXT N_( \
     "It is possible to cache the resumed TLS sessions. This is the expiration "\
@@ -77,99 +85,31 @@ static void CloseServer (vlc_object_t *);
     "This is the maximum number of resumed TLS sessions that " \
     "the cache will hold." )
 
-#define CHECK_CERT_TEXT N_("Check TLS/SSL server certificate validity")
-#define CHECK_CERT_LONGTEXT N_( \
-    "This ensures that the server certificate is valid " \
-    "(i.e. signed by an approved Certification Authority)." )
-
 vlc_module_begin();
     set_shortname( "GnuTLS" );
-    set_description( _("GnuTLS transport layer security") );
+    set_description( N_("GnuTLS transport layer security") );
     set_capability( "tls client", 1 );
     set_callbacks( OpenClient, CloseClient );
     set_category( CAT_ADVANCED );
     set_subcategory( SUBCAT_ADVANCED_MISC );
 
-    add_bool( "tls-check-cert", VLC_TRUE, NULL, CHECK_CERT_TEXT,
-              CHECK_CERT_LONGTEXT, VLC_FALSE );
+    add_obsolete_bool( "tls-check-cert" );
     add_obsolete_bool( "tls-check-hostname" );
 
     add_submodule();
-        set_description( _("GnuTLS server") );
+        set_description( N_("GnuTLS server") );
         set_capability( "tls server", 1 );
         set_category( CAT_ADVANCED );
         set_subcategory( SUBCAT_ADVANCED_MISC );
         set_callbacks( OpenServer, CloseServer );
 
-        add_integer( "gnutls-dh-bits", DH_BITS, NULL, DH_BITS_TEXT,
-                    DH_BITS_LONGTEXT, VLC_TRUE );
+        add_obsolete_integer( "gnutls-dh-bits" );
         add_integer( "gnutls-cache-timeout", CACHE_TIMEOUT, NULL,
-                    CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, VLC_TRUE );
+                    CACHE_TIMEOUT_TEXT, CACHE_TIMEOUT_LONGTEXT, true );
         add_integer( "gnutls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT,
-                    CACHE_SIZE_LONGTEXT, VLC_TRUE );
+                    CACHE_SIZE_LONGTEXT, true );
 vlc_module_end();
 
-
-
-#ifdef LIBVLC_USE_PTHREAD
-GCRY_THREAD_OPTION_PTHREAD_IMPL;
-# define gcry_threads_vlc gcry_threads_pthread
-#else
-/**
- * gcrypt thread option VLC implementation
- */
-
-# define NEED_THREAD_CONTEXT 1
-static vlc_object_t *__p_gcry_data = NULL;
-
-static int gcry_vlc_mutex_init( void **p_sys )
-{
-    int i_val;
-    vlc_mutex_t *p_lock = (vlc_mutex_t *)malloc( sizeof( vlc_mutex_t ) );
-
-    if( p_lock == NULL)
-        return ENOMEM;
-
-    i_val = vlc_mutex_init( __p_gcry_data, p_lock );
-    if( i_val )
-        free( p_lock );
-    else
-        *p_sys = p_lock;
-    return i_val;
-}
-
-static int gcry_vlc_mutex_destroy( void **p_sys )
-{
-    int i_val;
-    vlc_mutex_t *p_lock = (vlc_mutex_t *)*p_sys;
-
-    i_val = vlc_mutex_destroy( p_lock );
-    free( p_lock );
-    return i_val;
-}
-
-static int gcry_vlc_mutex_lock( void **p_sys )
-{
-    return vlc_mutex_lock( (vlc_mutex_t *)*p_sys );
-}
-
-static int gcry_vlc_mutex_unlock( void **lock )
-{
-    return vlc_mutex_unlock( (vlc_mutex_t *)*lock );
-}
-
-static struct gcry_thread_cbs gcry_threads_vlc =
-{
-    GCRY_THREAD_OPTION_USER,
-    NULL,
-    gcry_vlc_mutex_init,
-    gcry_vlc_mutex_destroy,
-    gcry_vlc_mutex_lock,
-    gcry_vlc_mutex_unlock
-};
-#endif
-
-
 /**
  * Initializes GnuTLS with proper locking.
  * @return VLC_SUCCESS on success, a VLC error code otherwise.
@@ -178,16 +118,9 @@ static int gnutls_Init (vlc_object_t *p_this)
 {
     int ret = VLC_EGENERIC;
 
-    vlc_mutex_t *lock = var_GetGlobalMutex ("gnutls_mutex");
-    vlc_mutex_lock (lock);
+    vlc_gcrypt_init (); /* GnuTLS depends on gcrypt */
 
-    /* This should probably be removed/fixed. It will screw up with multiple
-     * LibVLC instances. */
-#ifdef NEED_THREAD_CONTEXT
-    __p_gcry_data = VLC_OBJECT (p_this->p_libvlc);
-#endif
-
-    gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_vlc);
+    vlc_mutex_t *lock = var_AcquireMutex ("gnutls_mutex");
     if (gnutls_global_init ())
     {
         msg_Err (p_this, "cannot initialize GnuTLS");
@@ -216,8 +149,7 @@ error:
  */
 static void gnutls_Deinit (vlc_object_t *p_this)
 {
-    vlc_mutex_t *lock = var_GetGlobalMutex( "gnutls_mutex" );
-    vlc_mutex_lock (lock);
+    vlc_mutex_t *lock = var_AcquireMutex( "gnutls_mutex" );
 
     gnutls_global_deinit ();
     msg_Dbg (p_this, "GnuTLS deinitialized");
@@ -262,9 +194,9 @@ static int gnutls_Error (vlc_object_t *obj, int val)
 
 struct tls_session_sys_t
 {
-    gnutls_session  session;
-    char                          *psz_hostname;
-    vlc_bool_t      b_handshaked;
+    gnutls_session_t session;
+    char            *psz_hostname;
+    bool       b_handshaked;
 };
 
 
@@ -330,7 +262,7 @@ gnutls_ContinueHandshake (tls_session_t *p_session)
         return -1;
     }
 
-    p_sys->b_handshaked = VLC_TRUE;
+    p_sys->b_handshaked = true;
     return 0;
 }
 
@@ -397,15 +329,15 @@ gnutls_HandshakeAndValidate( tls_session_t *session )
     }
 
     /* certificate (host)name verification */
-    const gnutls_datum *data = gnutls_certificate_get_peers( p_sys->session,
-                                                             &(unsigned){0} );
+    const gnutls_datum_t *data;
+    data = gnutls_certificate_get_peers (p_sys->session, &(unsigned){0});
     if( data == NULL )
     {
         msg_Err( session, "Peer certificate not available" );
         return -1;
     }
 
-    gnutls_x509_crt cert;
+    gnutls_x509_crt_t cert;
     val = gnutls_x509_crt_init( &cert );
     if( val )
     {
@@ -421,17 +353,13 @@ gnutls_HandshakeAndValidate( tls_session_t *session )
         goto error;
     }
 
-    if( p_sys->psz_hostname != NULL )
+    assert( p_sys->psz_hostname != NULL );
+    if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
     {
-        if ( !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
-        {
-            msg_Err( session, "Certificate does not match \"%s\"",
-                     p_sys->psz_hostname );
-            goto error;
-        }
+        msg_Err( session, "Certificate does not match \"%s\"",
+                 p_sys->psz_hostname );
+        goto error;
     }
-    else
-        msg_Warn( session, "Certificate and hostname were not verified" );
 
     if( gnutls_x509_crt_get_expiration_time( cert ) < time( NULL ) )
     {
@@ -463,7 +391,7 @@ static void
 gnutls_SetFD (tls_session_t *p_session, int fd)
 {
     gnutls_transport_set_ptr (p_session->p_sys->session,
-                              (gnutls_transport_ptr)(intptr_t)fd);
+                              (gnutls_transport_ptr_t)(intptr_t)fd);
 }
 
 typedef int (*tls_prio_func) (gnutls_session_t, const int *);
@@ -572,14 +500,14 @@ gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
 
 static int
 gnutls_Addx509File( vlc_object_t *p_this,
-                    gnutls_certificate_credentials cred,
-                    const char *psz_path, vlc_bool_t b_priv );
+                    gnutls_certificate_credentials_t cred,
+                    const char *psz_path, bool b_priv );
 
 static int
 gnutls_Addx509Directory( vlc_object_t *p_this,
-                         gnutls_certificate_credentials cred,
+                         gnutls_certificate_credentials_t cred,
                          const char *psz_dirname,
-                         vlc_bool_t b_priv )
+                         bool b_priv )
 {
     DIR* dir;
 
@@ -589,8 +517,16 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
     dir = utf8_opendir( psz_dirname );
     if( dir == NULL )
     {
-        msg_Warn( p_this, "cannot open directory (%s): %m", psz_dirname );
-        return VLC_EGENERIC;
+        if (errno != ENOENT)
+        {
+            msg_Err (p_this, "cannot open directory (%s): %m", psz_dirname);
+            return VLC_EGENERIC;
+        }
+
+        msg_Dbg (p_this, "creating empty certificate directory: %s",
+                 psz_dirname);
+        utf8_mkdir (psz_dirname, b_priv ? 0700 : 0755);
+        return VLC_SUCCESS;
     }
 #ifdef S_ISLNK
     else
@@ -637,45 +573,52 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
 static int
 gnutls_Addx509File( vlc_object_t *p_this,
                     gnutls_certificate_credentials cred,
-                    const char *psz_path, vlc_bool_t b_priv )
+                    const char *psz_path, bool b_priv )
 {
     struct stat st;
 
-    if( utf8_stat( psz_path, &st ) == 0 )
+    int fd = utf8_open (psz_path, O_RDONLY, 0);
+    if (fd == -1)
+        goto error;
+
+    block_t *block = block_File (fd);
+    if (block != NULL)
     {
-        if( S_ISREG( st.st_mode ) )
+        close (fd);
+
+        gnutls_datum data = {
+            .data = block->p_buffer,
+            .size = block->i_buffer,
+        };
+        int res = b_priv
+            ? gnutls_certificate_set_x509_key_mem (cred, &data, &data,
+                                                   GNUTLS_X509_FMT_PEM)
+            : gnutls_certificate_set_x509_trust_mem (cred, &data,
+                                                     GNUTLS_X509_FMT_PEM);
+        block_Release (block);
+
+        if (res < 0)
         {
-            char *psz_localname = ToLocale( psz_path );
-            int i = b_priv
-                    ? gnutls_certificate_set_x509_key_file( cred,
-                    psz_localname,  psz_localname, GNUTLS_X509_FMT_PEM )
-                : gnutls_certificate_set_x509_trust_file( cred,
-                        psz_localname, GNUTLS_X509_FMT_PEM );
-            LocaleFree( psz_localname );
-
-            if( i < 0 )
-            {
-                msg_Warn( p_this, "cannot add x509 credentials (%s): %s",
-                          psz_path, gnutls_strerror( i ) );
-                return VLC_EGENERIC;
-            }
-            else
-            {
-                msg_Dbg( p_this, "added x509 credentials (%s)",
-                         psz_path );
-                return VLC_SUCCESS;
-            }
-        }
-        else if( S_ISDIR( st.st_mode ) )
-        {
-            msg_Dbg( p_this,
-                     "looking recursively for x509 credentials in %s",
-                     psz_path );
-            return gnutls_Addx509Directory( p_this, cred, psz_path, b_priv);
+            msg_Warn (p_this, "cannot add x509 credentials (%s): %s",
+                      psz_path, gnutls_strerror (res));
+            return VLC_EGENERIC;
         }
+        msg_Dbg (p_this, "added x509 credentials (%s)", psz_path);
+        return VLC_SUCCESS;
     }
-    else
-        msg_Warn( p_this, "cannot add x509 credentials (%s): %m", psz_path );
+
+    if (!fstat (fd, &st) && S_ISDIR (st.st_mode))
+    {
+        close (fd);
+        msg_Dbg (p_this, "looking recursively for x509 credentials in %s",
+                 psz_path);
+        return gnutls_Addx509Directory (p_this, cred, psz_path, b_priv);
+    }
+
+error:
+    msg_Warn (p_this, "cannot add x509 credentials (%s): %m", psz_path);
+    if (fd != -1)
+        close (fd);
     return VLC_EGENERIC;
 }
 
@@ -683,8 +626,8 @@ gnutls_Addx509File( vlc_object_t *p_this,
 /** TLS client session data */
 typedef struct tls_client_sys_t
 {
-    struct tls_session_sys_t       session;
-    gnutls_certificate_credentials x509_cred;
+    struct tls_session_sys_t         session;
+    gnutls_certificate_credentials_t x509_cred;
 } tls_client_sys_t;
 
 
@@ -712,15 +655,7 @@ static int OpenClient (vlc_object_t *obj)
     p_session->sock.pf_recv = gnutls_Recv;
     p_session->pf_set_fd = gnutls_SetFD;
 
-    p_sys->session.b_handshaked = VLC_FALSE;
-    p_sys->session.psz_hostname = NULL;
-
-    const char *homedir = obj->p_libvlc->psz_datadir,
-               *datadir = config_GetDataDir ();
-    size_t l1 = strlen (homedir), l2 = strlen (datadir);
-    char path[((l1 > l2) ? l1 : l2) + sizeof ("/ca-certificates.crt")];
-    //                              > sizeof ("/ssl/private")
-    //                              > sizeof ("/ssl/certs")
+    p_sys->session.b_handshaked = false;
 
     i_val = gnutls_certificate_allocate_credentials (&p_sys->x509_cred);
     if (i_val != 0)
@@ -730,23 +665,32 @@ static int OpenClient (vlc_object_t *obj)
         goto error;
     }
 
-    if (var_CreateGetBool (obj, "tls-check-cert"))
+    char *userdir = config_GetUserDataDir ();
+    if (userdir != NULL)
     {
-        sprintf (path, "%s/ssl/certs", homedir);
+        char path[strlen (userdir) + sizeof ("/ssl/private")];
+        sprintf (path, "%s/ssl", userdir);
+        utf8_mkdir (path, 0755);
+
+        sprintf (path, "%s/ssl/certs", userdir);
         gnutls_Addx509Directory (VLC_OBJECT (p_session),
-                                  p_sys->x509_cred, path, VLC_FALSE);
+                                 p_sys->x509_cred, path, false);
+        sprintf (path, "%s/ssl/private", userdir);
+        gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
+                                 path, true);
+        free (userdir);
+    }
 
-        sprintf (path, "%s/ca-certificates.crt", datadir);
+    const char *confdir = config_GetConfDir ();
+    {
+        char path[strlen (confdir)
+                   + sizeof ("/ssl/certs/ca-certificates.crt")];
+        sprintf (path, "%s/ssl/certs/ca-certificates.crt", confdir);
         gnutls_Addx509File (VLC_OBJECT (p_session),
-                            p_sys->x509_cred, path, VLC_FALSE);
-        p_session->pf_handshake = gnutls_HandshakeAndValidate;
+                            p_sys->x509_cred, path, false);
     }
-    else
-        p_session->pf_handshake = gnutls_ContinueHandshake;
-
-    sprintf (path, "%s/ssl/private", homedir);
-    gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
-                             path, VLC_TRUE);
+    p_session->pf_handshake = gnutls_HandshakeAndValidate;
+    /*p_session->pf_handshake = gnutls_ContinueHandshake;*/
 
     i_val = gnutls_init (&p_sys->session.session, GNUTLS_CLIENT);
     if (i_val != 0)
@@ -761,6 +705,9 @@ static int OpenClient (vlc_object_t *obj)
                                   p_sys->session.session))
         goto s_error;
 
+    /* minimum DH prime bits */
+    gnutls_dh_set_prime_bits (p_sys->session.session, 1024);
+
     i_val = gnutls_credentials_set (p_sys->session.session,
                                     GNUTLS_CRD_CERTIFICATE,
                                     p_sys->x509_cred);
@@ -772,12 +719,12 @@ static int OpenClient (vlc_object_t *obj)
     }
 
     char *servername = var_GetNonEmptyString (p_session, "tls-server-name");
-    if (servername != NULL )
-    {
-        p_sys->session.psz_hostname = servername;
-        gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
-                                servername, strlen (servername));
-    }
+    if (servername == NULL )
+        msg_Err (p_session, "server name missing for TLS session");
+
+    p_sys->session.psz_hostname = servername;
+    gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
+                            servername, strlen (servername));
 
     return VLC_SUCCESS;
 
@@ -796,7 +743,7 @@ static void CloseClient (vlc_object_t *obj)
     tls_session_t *client = (tls_session_t *)obj;
     tls_client_sys_t *p_sys = (tls_client_sys_t *)(client->p_sys);
 
-    if (p_sys->session.b_handshaked == VLC_TRUE)
+    if (p_sys->session.b_handshaked == true)
         gnutls_bye (p_sys->session.session, GNUTLS_SHUT_WR);
     gnutls_deinit (p_sys->session.session);
     /* credentials must be free'd *after* gnutls_deinit() */
@@ -813,15 +760,15 @@ static void CloseClient (vlc_object_t *obj)
  */
 struct tls_server_sys_t
 {
-    gnutls_certificate_credentials  x509_cred;
-    gnutls_dh_params                dh_params;
+    gnutls_certificate_credentials_t x509_cred;
+    gnutls_dh_params_t               dh_params;
 
     struct saved_session_t          *p_cache;
     struct saved_session_t          *p_store;
-    int                             i_cache_size;
-    vlc_mutex_t                     cache_lock;
+    int                              i_cache_size;
+    vlc_mutex_t                      cache_lock;
 
-    int                             (*pf_handshake)( tls_session_t * );
+    int                            (*pf_handshake) (tls_session_t *);
 };
 
 
@@ -869,7 +816,7 @@ static int cb_store( void *p_server, gnutls_datum key, gnutls_datum data )
 
 static gnutls_datum cb_fetch( void *p_server, gnutls_datum key )
 {
-    static const gnutls_datum err_datum = { NULL, 0 };
+    static const gnutls_datum_t err_datum = { NULL, 0 };
     tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys;
     saved_session_t *p_session, *p_end;
 
@@ -883,7 +830,7 @@ static gnutls_datum cb_fetch( void *p_server, gnutls_datum key )
         if( ( p_session->i_idlen == key.size )
          && !memcmp( p_session->id, key.data, key.size ) )
         {
-            gnutls_datum data;
+            gnutls_datum_t data;
 
             data.size = p_session->i_datalen;
 
@@ -945,12 +892,12 @@ gnutls_SessionClose (tls_server_t *p_server, tls_session_t *p_session)
     tls_session_sys_t *p_sys = p_session->p_sys;
     (void)p_server;
 
-    if( p_sys->b_handshaked == VLC_TRUE )
+    if( p_sys->b_handshaked == true )
         gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
     gnutls_deinit( p_sys->session );
 
     vlc_object_detach( p_session );
-    vlc_object_destroy( p_session );
+    vlc_object_release( p_session );
 
     free( p_sys );
 }
@@ -964,7 +911,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
 {
     tls_session_t *p_session;
     tls_server_sys_t *p_server_sys;
-    gnutls_session session;
+    gnutls_session_t session;
     int i_val;
 
     p_session = vlc_object_create( p_server, sizeof (struct tls_session_t) );
@@ -974,7 +921,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
     p_session->p_sys = malloc( sizeof(struct tls_session_sys_t) );
     if( p_session->p_sys == NULL )
     {
-        vlc_object_destroy( p_session );
+        vlc_object_release( p_session );
         return NULL;
     }
 
@@ -985,7 +932,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
     p_session->pf_set_fd = gnutls_SetFD;
     p_session->pf_handshake = p_server_sys->pf_handshake;
 
-    p_session->p_sys->b_handshaked = VLC_FALSE;
+    p_session->p_sys->b_handshaked = false;
     p_session->p_sys->psz_hostname = NULL;
 
     i_val = gnutls_init( &session, GNUTLS_SERVER );
@@ -1017,11 +964,8 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
     if (p_session->pf_handshake == gnutls_HandshakeAndValidate)
         gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE);
 
-    i_val = config_GetInt (p_server, "gnutls-dh-bits");
-    gnutls_dh_set_prime_bits (session, i_val);
-
     /* Session resumption support */
-    i_val = config_GetInt (p_server, "gnutls-cache-expiration");
+    i_val = config_GetInt (p_server, "gnutls-cache-timeout");
     gnutls_db_set_cache_expiration (session, i_val);
     gnutls_db_set_retrieve_function( session, cb_fetch );
     gnutls_db_set_remove_function( session, cb_delete );
@@ -1033,7 +977,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
 error:
     free( p_session->p_sys );
     vlc_object_detach( p_session );
-    vlc_object_destroy( p_session );
+    vlc_object_release( p_session );
     return NULL;
 }
 
@@ -1140,7 +1084,7 @@ static int OpenServer (vlc_object_t *obj)
     /* No certificate validation by default */
     p_sys->pf_handshake  = gnutls_ContinueHandshake;
 
-    vlc_mutex_init( p_server, &p_sys->cache_lock );
+    vlc_mutex_init( &p_sys->cache_lock );
 
     /* Sets server's credentials */
     val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
@@ -1158,9 +1102,9 @@ static int OpenServer (vlc_object_t *obj)
     val = gnutls_certificate_set_x509_key_file (p_sys->x509_cred,
                                                 psz_local_cert, psz_local_key,
                                                 GNUTLS_X509_FMT_PEM );
-    LocaleFree (psz_key_path);
+    LocaleFree (psz_local_key);
     free (psz_key_path);
-    LocaleFree (psz_cert_path);
+    LocaleFree (psz_local_cert);
     free (psz_cert_path);
 
     if( val < 0 )
@@ -1172,26 +1116,27 @@ static int OpenServer (vlc_object_t *obj)
     }
 
     /* FIXME:
-     * - regenerate these regularly
      * - support other ciper suites
      */
-    val = gnutls_dh_params_init( &p_sys->dh_params );
-    if( val >= 0 )
+    val = gnutls_dh_params_init (&p_sys->dh_params);
+    if (val >= 0)
     {
-        msg_Dbg( p_server, "computing Diffie Hellman ciphers parameters" );
-        val = gnutls_dh_params_generate2 (p_sys->dh_params,
-                                          config_GetInt (obj, "gnutls-dh-bits"));
+        const gnutls_datum_t data = {
+            .data = (unsigned char *)dh_params,
+            .size = sizeof (dh_params) - 1,
+        };
+
+        val = gnutls_dh_params_import_pkcs3 (p_sys->dh_params, &data,
+                                             GNUTLS_X509_FMT_PEM);
+        if (val == 0)
+            gnutls_certificate_set_dh_params (p_sys->x509_cred,
+                                              p_sys->dh_params);
     }
-    if( val < 0 )
+    if (val < 0)
     {
-        msg_Err( p_server, "cannot initialize DH cipher suites: %s",
-                 gnutls_strerror( val ) );
-        gnutls_certificate_free_credentials( p_sys->x509_cred );
-        goto error;
+        msg_Err (p_server, "cannot initialize DHE cipher suites: %s",
+                 gnutls_strerror (val));
     }
-    msg_Dbg( p_server, "ciphers parameters computed" );
-
-    gnutls_certificate_set_dh_params( p_sys->x509_cred, p_sys->dh_params);
 
     return VLC_SUCCESS;