+++ /dev/null
-/*****************************************************************************
- * tls.c
- *****************************************************************************
- * Copyright (C) 2004 VideoLAN
- * $Id: httpd.c 8263 2004-07-24 09:06:58Z courmisch $
- *
- * Authors: Remi Denis-Courmont <courmisch@via.ecp.fr>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
- *****************************************************************************/
-
-#include <stdlib.h>
-#include <vlc/vlc.h>
-#include <assert.h>
-
-#include "vlc_tls.h"
-
-
-/*
- * TODO:
- * - libgcrypt thread-safety !!!
- * - fix FIXMEs,
- * - gnutls version check,
- * - client side stuff,
- * - server-side client cert validation,
- * - client-side server cert validation (?).
- */
-
-/* FIXME: proper configure check */
-//#define HAVE_GNUTLS 1
-
-#ifdef HAVE_GNUTLS
-# include <gnutls/gnutls.h>
-
-# define DH_BITS 1024
-
-
-struct tls_server_t
-{
- gnutls_certificate_credentials x509_cred;
- gnutls_dh_params dh_params;
- vlc_object_t *p_this;
-};
-
-struct tls_session_t
-{
- gnutls_session session;
- vlc_object_t *p_this;
-};
-
-/* FIXME: is this legal in the VLC? */
-unsigned i_servernum = 0;
-
-
-static int
-tls_Init( vlc_object_t *p_this )
-{
- vlc_value_t lock;
-
- var_Create( p_this->p_libvlc, "tls_mutex", VLC_VAR_MUTEX );
- var_Get( p_this->p_libvlc, "tls_mutex", &lock );
- vlc_mutex_lock( lock.p_address );
-
- /* Initialize GnuTLS only once */
- /* FIXME: should check version number */
- if( i_servernum == 0)
- {
- if( gnutls_global_init( ) )
- {
- msg_Warn( p_this, "cannot initialize GNUTLS" );
- vlc_mutex_unlock( lock.p_address);
- return -1;
- }
- msg_Dbg( p_this, "GNUTLS initialized" );
- }
-
- i_servernum++;
- vlc_mutex_unlock( lock.p_address );
-
- return 0;
-}
-
-
-static void
-tls_CleanUp( vlc_object_t *p_this )
-{
- vlc_value_t lock;
-
- var_Create( p_this->p_libvlc, "tls_mutex", VLC_VAR_MUTEX );
- var_Get( p_this->p_libvlc, "tls_mutex", &lock );
- vlc_mutex_lock( lock.p_address );
-
- i_servernum--;
- if( i_servernum == 0 )
- {
- gnutls_global_deinit( );
- msg_Dbg( p_this, "GNUTLS deinitialized" );
- }
-
- vlc_mutex_unlock( lock.p_address);
-}
-
-#endif
-
-
-/*****************************************************************************
- * tls_ServerCreate:
- *****************************************************************************
- * Allocates a whole server's TLS credentials.
- * Returns NULL on error.
- *****************************************************************************/
-tls_server_t *
-tls_ServerCreate( vlc_object_t *p_this, const char *psz_cert_path,
- const char *psz_key_path )
-{
-#if HAVE_GNUTLS
- tls_server_t *p_server;
- int val;
-
- msg_Dbg( p_this, "Creating TLS server" );
- if( tls_Init( p_this ) )
- return NULL;
-
- p_server = (tls_server_t *)malloc( sizeof(struct tls_server_t) );
-
- /* FIXME: do not hard-code PEM file paths */
- /* Sets server's credentials */
- val = gnutls_certificate_allocate_credentials( &p_server->x509_cred );
- if( val != 0 )
- {
- msg_Err( p_this, "Cannot allocate X509 credentials : %s",
- gnutls_strerror( val ) );
- free( p_server );
- return NULL;
- }
-
- val = gnutls_certificate_set_x509_key_file( p_server->x509_cred,
- psz_cert_path, psz_key_path,
- GNUTLS_X509_FMT_PEM );
- if( val < 0 )
- {
- msg_Err( p_this, "Cannot set certificate chain or private key : %s",
- gnutls_strerror( val ) );
- gnutls_certificate_free_credentials( p_server->x509_cred );
- free( p_server );
- return NULL;
- }
-
- /* FIXME: regenerate these regularly */
- val = gnutls_dh_params_init( &p_server->dh_params );
- if( val >= 0 )
- {
- msg_Dbg( p_this, "Computing Diffie Hellman ciphers parameters" );
- val = gnutls_dh_params_generate2( p_server->dh_params, DH_BITS );
- }
- if( val < 0 )
- {
- msg_Err( p_this, "Cannot initialize DH cipher suites : %s",
- gnutls_strerror( val ) );
- gnutls_certificate_free_credentials( p_server->x509_cred );
- free( p_server );
- return NULL;
- }
- msg_Dbg( p_this, "Ciphers parameters computed" );
-
- gnutls_certificate_set_dh_params( p_server->x509_cred,
- p_server->dh_params);
-
- p_server->p_this = p_this;
- return p_server;
-#else
- return NULL;
-#endif
-}
-
-
-/*****************************************************************************
- * tls_ServerAddCA:
- *****************************************************************************
- * Adds one or more certificate authorities.
- * TODO: we are not able to check the client credentials yet, so this function
- * is pretty useless.
- * Returns -1 on error, 0 on success.
- *****************************************************************************/
-int
-tls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path )
-{
-#if HAVE_GNUTLS
- int val;
-
- assert( p_server != NULL);
- val = gnutls_certificate_set_x509_trust_file( p_server->x509_cred,
- psz_ca_path,
- GNUTLS_X509_FMT_PEM );
- if( val < 0 )
- {
- msg_Err( p_server->p_this, "Cannot add trusted CA (%s) : %s",
- psz_ca_path, gnutls_strerror( val ) );
- free( p_server );
- return -1;
- }
- msg_Dbg( p_server->p_this, " %d trusted CA added (%s)", val,
- psz_ca_path );
- return 0;
-#else
- return -1;
-#endif
-}
-
-
-/*****************************************************************************
- * tls_ServerAddCRL:
- *****************************************************************************
- * Adds a certificates revocation list to be sent to TLS clients.
- * Returns -1 on error, 0 on success.
- *****************************************************************************/
-int
-tls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
-{
-#if HAVE_GNUTLS
- int val;
-
- val = gnutls_certificate_set_x509_crl_file( p_server->x509_cred,
- psz_crl_path,
- GNUTLS_X509_FMT_PEM );
- if( val < 0 )
- {
- msg_Err( p_server->p_this, "Cannot add CRL (%s) : %s",
- psz_crl_path, gnutls_strerror( val ) );
- free( p_server );
- return -1;
- }
- msg_Dbg( p_server->p_this, "%d CRL added (%s)", val, psz_crl_path );
- return 0;
-#else
- return -1;
-#endif
-}
-
-
-
-/*****************************************************************************
- * tls_ServerDelete:
- *****************************************************************************
- * Releases data allocated with tls_ServerCreate
- *****************************************************************************/
-void
-tls_ServerDelete( tls_server_t *p_server )
-{
- assert( p_server != NULL );
-
-#if HAVE_GNUTLS
- gnutls_certificate_free_credentials( p_server->x509_cred );
- tls_CleanUp( p_server->p_this );
- free( p_server );
-#endif
-}
-
-
-/*****************************************************************************
- * tls_ServerSessionPrepare:
- *****************************************************************************
- * Initializes a server-side TLS session data
- *****************************************************************************/
-tls_session_t *
-tls_ServerSessionPrepare( const tls_server_t *p_server )
-{
-#if HAVE_GNUTLS
- tls_session_t *p_session;
- gnutls_session session;
- int val;
-
- assert( p_server != NULL );
-
- val = gnutls_init( &session, GNUTLS_SERVER );
- if( val != 0 )
- {
- msg_Err( p_server->p_this, "Cannot initialize TLS session : %s",
- gnutls_strerror( val ) );
- return NULL;
- }
-
- val = gnutls_set_default_priority( session );
- if( val < 0 )
- {
- msg_Err( p_server->p_this, "Cannot set ciphers priorities : %s",
- gnutls_strerror( val ) );
- gnutls_deinit( session );
- return NULL;
- }
-
- val = gnutls_credentials_set( session, GNUTLS_CRD_CERTIFICATE,
- p_server->x509_cred );
- if( val < 0 )
- {
- msg_Err( p_server->p_this, "Cannot set TLS session credentials : %s",
- gnutls_strerror( val ) );
- gnutls_deinit( session );
- return NULL;
- }
-
- /* TODO: support for client authentication */
- /*gnutls_certificate_server_set_request( p_session->session,
- GNUTLS_CERT_REQUEST ); */
-
- gnutls_dh_set_prime_bits( session, DH_BITS );
-
- p_session = malloc( sizeof (struct tls_session_t) );
- p_session->session = session;
- p_session->p_this = p_server->p_this;
-
- return p_session;
-#else
- return NULL;
-#endif
-}
-
-
-/*****************************************************************************
- * tls_SessionHandshake:
- *****************************************************************************
- * Establishes TLS session with a peer through socket <fd>
- * Returns NULL on error (do NOT call tls_SessionClose in case of error or
- * re-use the session structure).
- *****************************************************************************/
-tls_session_t *
-tls_SessionHandshake( tls_session_t *p_session, int fd )
-{
-#if HAVE_GNUTLS
- int val;
-
- assert( p_session != NULL );
-
- gnutls_transport_set_ptr( p_session->session, (gnutls_transport_ptr)fd);
- val = gnutls_handshake( p_session->session);
- if( val < 0 )
- {
- gnutls_deinit( p_session->session );
- msg_Err( p_session->p_this, "TLS handshake failed : %s",
- gnutls_strerror( val ) );
- free( p_session );
- return NULL;
- }
- return p_session;
-#else
- return NULL;
-#endif
-}
-
-
-/*****************************************************************************
- * tls_ServerCreate:
- *****************************************************************************
- * Terminates a TLS session and releases session data.
- *****************************************************************************/
-void
-tls_SessionClose( tls_session_t *p_session )
-{
- assert( p_session != NULL );
-
-#if HAVE_GNUTLS
- gnutls_bye( p_session->session, GNUTLS_SHUT_WR );
- gnutls_deinit (p_session->session );
- free( p_session );
-#endif
-}
-
-
-/*****************************************************************************
- * tls_Send:
- *****************************************************************************
- * Sends data through a TLS session.
- *****************************************************************************/
-int
-tls_Send( tls_session_t *p_session, const char *buf, int i_length )
-{
-#if HAVE_GNUTLS
- int val;
-
- assert( p_session != NULL );
-
- val = gnutls_record_send( p_session->session, buf, i_length );
- if( val < 0 )
- {
- /*msg_Warn( p_session->p_this, "TLS problem : %s",
- gnutls_strerror( val ) );*/
- return -1;
- }
- return val;
-#else
- return -1;
-#endif
-}
-
-
-/*****************************************************************************
- * tls_Recv:
- *****************************************************************************
- * Receives data through a TLS session
- *****************************************************************************/
-int
-tls_Recv( tls_session_t *p_session, char *buf, int i_length )
-{
-#if HAVE_GNUTLS
- int val;
-
- assert( p_session != NULL );
-
- val = gnutls_record_recv( p_session->session, buf, i_length );
- if( val < 0 )
- {
- /*msg_Warn( p_session->p_this, "TLS problem : %s",
- gnutls_strerror( val ) );*/
- return -1;
- }
- return val;
-#else
- return -1;
-#endif
-}