Commit 4dcdc8c4 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

Big cleanup of TLS interface

parent 378456a6
...@@ -344,10 +344,6 @@ typedef int (*httpd_handler_callback_t)( httpd_handler_sys_t *, httpd_handler_t ...@@ -344,10 +344,6 @@ typedef int (*httpd_handler_callback_t)( httpd_handler_sys_t *, httpd_handler_t
typedef struct httpd_redirect_t httpd_redirect_t; typedef struct httpd_redirect_t httpd_redirect_t;
typedef struct httpd_stream_t httpd_stream_t; typedef struct httpd_stream_t httpd_stream_t;
/* TLS support */
typedef struct tls_server_t tls_server_t;
typedef struct tls_session_t tls_session_t;
/* Hashing */ /* Hashing */
typedef struct md5_s md5_t; typedef struct md5_s md5_t;
......
...@@ -146,8 +146,8 @@ VLC_API int net_SetCSCov( int fd, int sendcov, int recvcov ); ...@@ -146,8 +146,8 @@ VLC_API int net_SetCSCov( int fd, int sendcov, int recvcov );
struct virtual_socket_t struct virtual_socket_t
{ {
void *p_sys; void *p_sys;
int (*pf_recv) ( void *, void *, int ); int (*pf_recv) ( void *, void *, size_t );
int (*pf_send) ( void *, const void *, int ); int (*pf_send) ( void *, const void *, size_t );
}; };
VLC_API ssize_t net_Read( vlc_object_t *p_this, int fd, const v_socket_t *, void *p_data, size_t i_data, bool b_retry ); VLC_API ssize_t net_Read( vlc_object_t *p_this, int fd, const v_socket_t *, void *p_data, size_t i_data, bool b_retry );
......
/***************************************************************************** /*****************************************************************************
* tls.c: Transport Layer Security API * vlc_tls.h: Transport Layer Security API
***************************************************************************** *****************************************************************************
* Copyright (C) 2004-2007 the VideoLAN team * Copyright (C) 2004-2011 Rémi Denis-Courmont
* $Id$ * Copyright (C) 2005-2006 the VideoLAN team
*
* Authors: Rémi Denis-Courmont <rem # videolan.org>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
...@@ -31,52 +29,56 @@ ...@@ -31,52 +29,56 @@
# include <vlc_network.h> # include <vlc_network.h>
typedef struct tls_server_sys_t tls_server_sys_t; typedef struct vlc_tls_sys vlc_tls_sys_t;
struct tls_server_t typedef struct vlc_tls
{ {
VLC_COMMON_MEMBERS VLC_COMMON_MEMBERS
module_t *p_module; union {
tls_server_sys_t *p_sys; module_t *module; /**< Plugin handle (client) */
void (*close) (struct vlc_tls *); /**< Close callback (server) */
} u;
vlc_tls_sys_t *sys;
int (*pf_add_CA) ( tls_server_t *, const char * ); struct virtual_socket_t sock;
int (*pf_add_CRL) ( tls_server_t *, const char * ); int (*handshake) (struct vlc_tls *);
} vlc_tls_t;
tls_session_t * (*pf_open) ( tls_server_t * ); VLC_API vlc_tls_t *vlc_tls_ClientCreate (vlc_object_t *, int fd,
void (*pf_close) ( tls_server_t *, tls_session_t * ); const char *hostname);
}; VLC_API void vlc_tls_ClientDelete (vlc_tls_t *);
typedef struct tls_session_sys_t tls_session_sys_t; /* NOTE: It is assumed that a->sock.p_sys = a */
# define tls_Send( a, b, c ) (((vlc_tls_t *)a)->sock.pf_send (a, b, c))
struct tls_session_t # define tls_Recv( a, b, c ) (((vlc_tls_t *)a)->sock.pf_recv (a, b, c))
{
VLC_COMMON_MEMBERS
module_t *p_module;
tls_session_sys_t *p_sys;
struct virtual_socket_t sock; typedef struct vlc_tls_creds_sys vlc_tls_creds_sys_t;
void (*pf_set_fd) ( tls_session_t *, int );
int (*pf_handshake) ( tls_session_t * );
};
/** TLS (server-side) credentials */
typedef struct vlc_tls_creds
{
VLC_COMMON_MEMBERS
tls_server_t *tls_ServerCreate (vlc_object_t *, const char *, const char *); module_t *module;
void tls_ServerDelete (tls_server_t *); vlc_tls_creds_sys_t *sys;
int tls_ServerAddCA (tls_server_t *srv, const char *path);
int tls_ServerAddCRL (tls_server_t *srv, const char *path);
tls_session_t *tls_ServerSessionCreate (tls_server_t *, int fd); int (*add_CA) (struct vlc_tls_creds *, const char *path);
int tls_ServerSessionHandshake (tls_session_t *); int (*add_CRL) (struct vlc_tls_creds *, const char *path);
void tls_ServerSessionDelete (tls_session_t *);
VLC_API tls_session_t * tls_ClientCreate( vlc_object_t *, int, const char * ); vlc_tls_t *(*open) (struct vlc_tls_creds *, int fd);
VLC_API void tls_ClientDelete( tls_session_t * ); } vlc_tls_creds_t;
/* NOTE: It is assumed that a->sock.p_sys = a */ vlc_tls_creds_t *vlc_tls_ServerCreate (vlc_object_t *,
# define tls_Send( a, b, c ) (((tls_session_t *)a)->sock.pf_send (a, b, c )) const char *cert, const char *key);
void vlc_tls_ServerDelete (vlc_tls_creds_t *);
int vlc_tls_ServerAddCA (vlc_tls_creds_t *srv, const char *path);
int vlc_tls_ServerAddCRL (vlc_tls_creds_t *srv, const char *path);
# define tls_Recv( a, b, c ) (((tls_session_t *)a)->sock.pf_recv (a, b, c )) vlc_tls_t *vlc_tls_ServerSessionCreate (vlc_tls_creds_t *, int fd);
int vlc_tls_ServerSessionHandshake (vlc_tls_t *);
void vlc_tls_ServerSessionDelete (vlc_tls_t *);
#endif #endif
...@@ -142,8 +142,8 @@ struct access_sys_t ...@@ -142,8 +142,8 @@ struct access_sys_t
{ {
int fd; int fd;
bool b_error; bool b_error;
tls_session_t *p_tls; vlc_tls_t *p_tls;
v_socket_t *p_vs; v_socket_t *p_vs;
/* From uri */ /* From uri */
vlc_url_t url; vlc_url_t url;
...@@ -1195,8 +1195,8 @@ static int Connect( access_t *p_access, uint64_t i_tell ) ...@@ -1195,8 +1195,8 @@ static int Connect( access_t *p_access, uint64_t i_tell )
} }
/* TLS/SSL handshake */ /* TLS/SSL handshake */
p_sys->p_tls = tls_ClientCreate( VLC_OBJECT(p_access), p_sys->fd, p_sys->p_tls = vlc_tls_ClientCreate( VLC_OBJECT(p_access), p_sys->fd,
p_sys->url.psz_host ); p_sys->url.psz_host );
if( p_sys->p_tls == NULL ) if( p_sys->p_tls == NULL )
{ {
msg_Err( p_access, "cannot establish HTTP/TLS session" ); msg_Err( p_access, "cannot establish HTTP/TLS session" );
...@@ -1621,7 +1621,7 @@ static void Disconnect( access_t *p_access ) ...@@ -1621,7 +1621,7 @@ static void Disconnect( access_t *p_access )
if( p_sys->p_tls != NULL) if( p_sys->p_tls != NULL)
{ {
tls_ClientDelete( p_sys->p_tls ); vlc_tls_ClientDelete( p_sys->p_tls );
p_sys->p_tls = NULL; p_sys->p_tls = NULL;
p_sys->p_vs = NULL; p_sys->p_vs = NULL;
} }
......
/***************************************************************************** /*****************************************************************************
* gnutls.c * gnutls.c
***************************************************************************** *****************************************************************************
* Copyright (C) 2004-2006 Rémi Denis-Courmont * Copyright (C) 2004-2011 Rémi Denis-Courmont
* $Id$
*
* Authors: Rémi Denis-Courmont <rem # videolan.org>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
...@@ -65,8 +62,8 @@ ...@@ -65,8 +62,8 @@
/***************************************************************************** /*****************************************************************************
* Module descriptor * Module descriptor
*****************************************************************************/ *****************************************************************************/
static int OpenClient (vlc_object_t *); static int OpenClient (vlc_tls_t *, int, const char *);
static void CloseClient (vlc_object_t *); static void CloseClient (vlc_tls_t *);
static int OpenServer (vlc_object_t *); static int OpenServer (vlc_object_t *);
static void CloseServer (vlc_object_t *); static void CloseServer (vlc_object_t *);
...@@ -192,45 +189,41 @@ static int gnutls_Error (vlc_object_t *obj, int val) ...@@ -192,45 +189,41 @@ static int gnutls_Error (vlc_object_t *obj, int val)
} }
return -1; return -1;
} }
#define gnutls_Error(o, val) gnutls_Error(VLC_OBJECT(o), val)
struct tls_session_sys_t struct vlc_tls_sys
{ {
gnutls_session_t session; gnutls_session_t session;
char *psz_hostname; gnutls_certificate_credentials_t x509_cred;
bool b_handshaked; char *hostname;
bool handshaked;
}; };
/** /**
* Sends data through a TLS session. * Sends data through a TLS session.
*/ */
static int static int gnutls_Send (void *opaque, const void *buf, size_t length)
gnutls_Send( void *p_session, const void *buf, int i_length )
{ {
int val; vlc_tls_t *session = opaque;
tls_session_sys_t *p_sys; vlc_tls_sys_t *sys = session->sys;
p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
val = gnutls_record_send( p_sys->session, buf, i_length ); int val = gnutls_record_send (sys->session, buf, length);
return (val < 0) ? gnutls_Error ((vlc_object_t *)p_session, val) : val; return (val < 0) ? gnutls_Error (session, val) : val;
} }
/** /**
* Receives data through a TLS session. * Receives data through a TLS session.
*/ */
static int static int gnutls_Recv (void *opaque, void *buf, size_t length)
gnutls_Recv( void *p_session, void *buf, int i_length )
{ {
int val; vlc_tls_t *session = opaque;
tls_session_sys_t *p_sys; vlc_tls_sys_t *sys = session->sys;
p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
val = gnutls_record_recv( p_sys->session, buf, i_length ); int val = gnutls_record_recv (sys->session, buf, length);
return (val < 0) ? gnutls_Error ((vlc_object_t *)p_session, val) : val; return (val < 0) ? gnutls_Error (session, val) : val;
} }
...@@ -241,30 +234,28 @@ gnutls_Recv( void *p_session, void *buf, int i_length ) ...@@ -241,30 +234,28 @@ gnutls_Recv( void *p_session, void *buf, int i_length )
* 1 if more would-be blocking recv is needed, * 1 if more would-be blocking recv is needed,
* 2 if more would-be blocking send is required. * 2 if more would-be blocking send is required.
*/ */
static int static int gnutls_ContinueHandshake (vlc_tls_t *session)
gnutls_ContinueHandshake (tls_session_t *p_session)
{ {
tls_session_sys_t *p_sys = p_session->p_sys; vlc_tls_sys_t *sys = session->sys;
int val; int val;
#ifdef WIN32 #ifdef WIN32
WSASetLastError( 0 ); WSASetLastError (0);
#endif #endif
val = gnutls_handshake( p_sys->session ); val = gnutls_handshake (sys->session);
if( ( val == GNUTLS_E_AGAIN ) || ( val == GNUTLS_E_INTERRUPTED ) ) if ((val == GNUTLS_E_AGAIN) || (val == GNUTLS_E_INTERRUPTED))
return 1 + gnutls_record_get_direction( p_sys->session ); return 1 + gnutls_record_get_direction (sys->session);
if( val < 0 ) if (val < 0)
{ {
#ifdef WIN32 #ifdef WIN32
msg_Dbg( p_session, "Winsock error %d", WSAGetLastError( ) ); msg_Dbg (session, "Winsock error %d", WSAGetLastError ());
#endif #endif
msg_Err( p_session, "TLS handshake error: %s", msg_Err (session, "TLS handshake error: %s", gnutls_strerror (val));
gnutls_strerror( val ) );
return -1; return -1;
} }
p_sys->b_handshaked = true; sys->handshaked = true;
return 0; return 0;
} }
...@@ -291,111 +282,99 @@ static const error_msg_t cert_errors[] = ...@@ -291,111 +282,99 @@ static const error_msg_t cert_errors[] =
}; };
static int static int gnutls_HandshakeAndValidate (vlc_tls_t *session)
gnutls_HandshakeAndValidate( tls_session_t *session )
{ {
int val = gnutls_ContinueHandshake( session ); vlc_tls_sys_t *sys = session->sys;
if( val )
return val;
tls_session_sys_t *p_sys = (tls_session_sys_t *)(session->p_sys); int val = gnutls_ContinueHandshake (session);
if (val)
return val;
/* certificates chain verification */ /* certificates chain verification */
unsigned status; unsigned status;
val = gnutls_certificate_verify_peers2( p_sys->session, &status );
if( val ) val = gnutls_certificate_verify_peers2 (sys->session, &status);
if (val)
{ {
msg_Err( session, "Certificate verification failed: %s", msg_Err (session, "Certificate verification failed: %s",
gnutls_strerror( val ) ); gnutls_strerror (val));
return -1; return -1;
} }
if( status ) if (status)
{ {
msg_Err( session, "TLS session: access denied" ); msg_Err (session, "TLS session: access denied");
for( const error_msg_t *e = cert_errors; e->flag; e++ ) for (const error_msg_t *e = cert_errors; e->flag; e++)
{ {
if( status & e->flag ) if (status & e->flag)
{ {
msg_Err( session, "%s", e->msg ); msg_Err (session, "%s", e->msg);
status &= ~e->flag; status &= ~e->flag;
} }
} }
if( status ) if (status)
msg_Err( session, msg_Err (session,
"unknown certificate error (you found a bug in VLC)" ); "unknown certificate error (you found a bug in VLC)");
return -1; return -1;
} }
/* certificate (host)name verification */ /* certificate (host)name verification */
const gnutls_datum_t *data; const gnutls_datum_t *data;
data = gnutls_certificate_get_peers (p_sys->session, &(unsigned){0}); data = gnutls_certificate_get_peers (sys->session, &(unsigned){0});
if( data == NULL ) if (data == NULL)
{ {
msg_Err( session, "Peer certificate not available" ); msg_Err (session, "Peer certificate not available");
return -1; return -1;
} }
gnutls_x509_crt_t cert; gnutls_x509_crt_t cert;
val = gnutls_x509_crt_init( &cert ); val = gnutls_x509_crt_init (&cert);
if( val ) if (val)
{ {
msg_Err( session, "x509 fatal error: %s", gnutls_strerror( val ) ); msg_Err (session, "x509 fatal error: %s", gnutls_strerror (val));
return -1; return -1;
} }
val = gnutls_x509_crt_import( cert, data, GNUTLS_X509_FMT_DER ); val = gnutls_x509_crt_import (cert, data, GNUTLS_X509_FMT_DER);
if( val ) if (val)
{ {
msg_Err( session, "Certificate import error: %s", msg_Err (session, "Certificate import error: %s",
gnutls_strerror( val ) ); gnutls_strerror (val));
goto error; goto error;
} }
if( p_sys->psz_hostname != NULL if (sys->hostname != NULL
&& !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) ) && !gnutls_x509_crt_check_hostname (cert, sys->hostname))
{ {
msg_Err( session, "Certificate does not match \"%s\"", msg_Err (session, "Certificate does not match \"%s\"", sys->hostname);
p_sys->psz_hostname );
goto error; goto error;
} }
if( gnutls_x509_crt_get_expiration_time( cert ) < time( NULL ) ) time_t now;
time (&now);
if (gnutls_x509_crt_get_expiration_time (cert) < now)
{ {
msg_Err( session, "Certificate expired" ); msg_Err (session, "Certificate expired");
goto error; goto error;
} }
if( gnutls_x509_crt_get_activation_time( cert ) > time ( NULL ) ) if (gnutls_x509_crt_get_activation_time (cert) > now)
{ {
msg_Err( session, "Certificate not yet valid" ); msg_Err( session, "Certificate not yet valid" );
goto error; goto error;
} }
gnutls_x509_crt_deinit( cert ); gnutls_x509_crt_deinit (cert);
msg_Dbg( session, "TLS/x509 certificate verified" ); msg_Dbg (session, "TLS/x509 certificate verified");
return 0; return 0;
error: error:
gnutls_x509_crt_deinit( cert ); gnutls_x509_crt_deinit (cert);
return -1; return -1;
} }
/**
* Sets the operating system file descriptor backend for the TLS sesison.
*
* @param fd stream socket already connected with the peer.
*/
static void
gnutls_SetFD (tls_session_t *p_session, int fd)
{
gnutls_transport_set_ptr (p_session->p_sys->session,
(gnutls_transport_ptr_t)(intptr_t)fd);
}
static int static int
gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session) gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
{ {
...@@ -530,7 +509,8 @@ gnutls_Addx509File( vlc_object_t *p_this, ...@@ -530,7 +509,8 @@ gnutls_Addx509File( vlc_object_t *p_this,
psz_path, gnutls_strerror (res)); psz_path, gnutls_strerror (res));
return VLC_EGENERIC; return VLC_EGENERIC;
} }
msg_Dbg (p_this, "added x509 credentials (%s)", psz_path); msg_Dbg (p_this, "added %d %s(s) from %s", res,
b_priv ? "key" : "certificate", psz_path);
return VLC_SUCCESS; return VLC_SUCCESS;
} }
...@@ -551,7 +531,7 @@ error: ...@@ -551,7 +531,7 @@ error:
#ifdef WIN32 #ifdef WIN32
static int static int
gnutls_loadOSCAList( vlc_object_t *p_this, gnutls_loadOSCAList (vlc_object_t *p_this,
gnutls_certificate_credentials cred) gnutls_certificate_credentials cred)
{ {
HCERTSTORE hCertStore = CertOpenSystemStoreA((HCRYPTPROV)NULL, "ROOT"); HCERTSTORE hCertStore = CertOpenSystemStoreA((HCRYPTPROV)NULL, "ROOT");
...@@ -581,49 +561,36 @@ gnutls_loadOSCAList( vlc_object_t *p_this, ...@@ -581,49 +561,36 @@ gnutls_loadOSCAList( vlc_object_t *p_this,
} }
#endif #endif
/** TLS client session data */
typedef struct tls_client_sys_t
{
struct tls_session_sys_t session;
gnutls_certificate_credentials_t x509_cred;
} tls_client_sys_t;
/** /**
* Initializes a client-side TLS session. * Initializes a client-side TLS session.
*/ */
static int OpenClient (vlc_object_t *obj) static int OpenClient (vlc_tls_t *session, int fd, const char *hostname)
{ {
tls_session_t *p_session = (tls_session_t *)obj; if (gnutls_Init (VLC_OBJECT(session)))
int i_val;
if (gnutls_Init (obj))
return VLC_EGENERIC; return VLC_EGENERIC;
tls_client_sys_t *p_sys = malloc (sizeof (*p_sys)); vlc_tls_sys_t *sys = malloc (sizeof (*sys));
if (p_sys == NULL) if (unlikely(sys == NULL))
{ {
gnutls_Deinit (obj); gnutls_Deinit (VLC_OBJECT(session));
return VLC_ENOMEM; return VLC_ENOMEM;
} }
p_session->p_sys = &p_sys->session; session->sys = sys;
p_session->sock.p_sys = p_session; session->sock.p_sys = session;
p_session->sock.pf_send = gnutls_Send; session->sock.pf_send = gnutls_Send;
p_session->sock.pf_recv = gnutls_Recv; session->sock.pf_recv = gnutls_Recv;
p_session->pf_set_fd = gnutls_SetFD; sys->handshaked = false;
p_sys->session.b_handshaked = false;
i_val = gnutls_certificate_allocate_credentials (&p_sys->x509_cred); int val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
if (i_val != 0) if (val != 0)
{ {
msg_Err (obj, "cannot allocate X509 credentials: %s", msg_Err (session, "cannot allocate X509 credentials: %s",
gnutls_strerror (i_val)); gnutls_strerror (val));
goto error; goto error;
} }
char *userdir = config_GetUserDir ( VLC_DATA_DIR ); char *userdir = config_GetUserDir (VLC_DATA_DIR);
if (userdir != NULL) if (userdir != NULL)
{ {
char path[strlen (userdir) + sizeof ("/ssl/private")]; char path[strlen (userdir) + sizeof ("/ssl/private")];
...@@ -631,102 +598,102 @@ static int OpenClient (vlc_object_t *obj) ...@@ -631,102 +598,102 @@ static int OpenClient (vlc_object_t *obj)
vlc_mkdir (path, 0755); vlc_mkdir (path, 0755);
sprintf (path, "%s/ssl/certs", userdir); sprintf (path, "%s/ssl/certs", userdir);
gnutls_Addx509Directory (VLC_OBJECT (p_session), gnutls_Addx509Directory (VLC_OBJECT(session), sys->x509_cred, path, false);
p_sys->x509_cred, path, false);
sprintf (path, "%s/ssl/private", userdir); sprintf (path, "%s/ssl/private", userdir);
gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred, gnutls_Addx509Directory (VLC_OBJECT(session), sys->x509_cred, path, true);
path, true);
free (userdir); free (userdir);
} }
#ifdef WIN32
gnutls_loadOSCAList (VLC_OBJECT(session), sys->x509_cred);
#else
const char *confdir = config_GetConfDir (); const char *confdir = config_GetConfDir ();
{ {
char path[strlen (confdir) char path[strlen (confdir)
+ sizeof ("/ssl/certs/ca-certificates.crt")]; + sizeof ("/ssl/certs/ca-certificates.crt")];
sprintf (path, "%s/ssl/certs/ca-certificates.crt", confdir); sprintf (path, "%s/ssl/certs/ca-certificates.crt", confdir);
#ifdef WIN32 gnutls_Addx509File (VLC_OBJECT(session), sys->x509_cred, path, false);
gnutls_loadOSCAList (VLC_OBJECT (p_session),
p_sys->x509_cred);
#else
gnutls_Addx509File (VLC_OBJECT (p_session),
p_sys->x509_cred, path, false);
#endif
} }
p_session->pf_handshake = gnutls_HandshakeAndValidate; #endif
/*p_session->pf_handshake = gnutls_ContinueHandshake;*/ session->handshake = gnutls_HandshakeAndValidate;
/*session->_handshake = gnutls_ContinueHandshake;*/
i_val = gnutls_init (&p_sys->session.session, GNUTLS_CLIENT); val = gnutls_init (&sys->session, GNUTLS_CLIENT);
if (i_val != 0) if (val != 0)
{ {
msg_Err (obj, "cannot initialize TLS session: %s", msg_Err (session, "cannot initialize TLS session: %s",
gnutls_strerror (i_val)); gnutls_strerror (val));
gnutls_certificate_free_credentials (p_sys->x509_cred); gnutls_certificate_free_credentials (sys->x509_cred);
goto error; goto error;
} }
if (gnutls_SessionPrioritize (VLC_OBJECT (p_session), if (gnutls_SessionPrioritize (VLC_OBJECT(session), sys->session))
p_sys->session.session))
goto s_error; goto s_error;
/* minimum DH prime bits */ /* minimum DH prime bits */
gnutls_dh_set_prime_bits (p_sys->session.session, 1024); gnutls_dh_set_prime_bits (sys->session, 1024);
i_val = gnutls_credentials_set (p_sys->session.session, val = gnutls_credentials_set (sys->session, GNUTLS_CRD_CERTIFICATE,
GNUTLS_CRD_CERTIFICATE, sys->x509_cred);
p_sys->x509_cred); if (val < 0)
if (i_val < 0)
{ {
msg_Err (obj, "cannot set TLS session credentials: %s", msg_Err (session, "cannot set TLS session credentials: %s",
gnutls_strerror (i_val)); gnutls_strerror (val));
goto s_error; goto s_error;
} }
char *servername = var_GetNonEmptyString (p_session, "tls-server-name"); /* server name */
if (servername == NULL ) if (likely(hostname != NULL))
msg_Err (p_session, "server name missing for TLS session"); {
/* fill Server Name Indication */
gnutls_server_name_set (sys->session, GNUTLS_NAME_DNS,
hostname, strlen (hostname));
/* keep hostname to match CNAME after handshake */
sys->hostname = strdup (hostname);
if (unlikely(sys->hostname == NULL))
goto s_error;
}
else else
gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS, sys->hostname = NULL;
servername, strlen (servername));
p_sys->session.psz_hostname = servername;
gnutls_transport_set_ptr (sys->session,
(gnutls_transport_ptr_t)(intptr_t)fd);
return VLC_SUCCESS; return VLC_SUCCESS;
s_error: s_error:
gnutls_deinit (p_sys->session.session); gnutls_deinit (sys->session);
gnutls_certificate_free_credentials (p_sys->x509_cred); gnutls_certificate_free_credentials (sys->x509_cred);
error: error:
gnutls_Deinit (obj); gnutls_Deinit (VLC_OBJECT(session));
free (p_sys); free (sys);
return VLC_EGENERIC; return VLC_EGENERIC;
} }
static void CloseClient (vlc_object_t *obj) static void CloseClient (vlc_tls_t *session)
{ {
tls_session_t *client = (tls_session_t *)obj; vlc_tls_sys_t *sys = session->sys;
tls_client_sys_t *p_sys = (tls_client_sys_t *)(client->p_sys);
if (p_sys->session.b_handshaked) if (sys->handshaked)
gnutls_bye (p_sys->session.session, GNUTLS_SHUT_WR); gnutls_bye (sys->session, GNUTLS_SHUT_WR);
gnutls_deinit (p_sys->session.session); gnutls_deinit (sys->session);
/* credentials must be free'd *after* gnutls_deinit() */ /* credentials must be free'd *after* gnutls_deinit() */
gnutls_certificate_free_credentials (p_sys->x509_cred); gnutls_certificate_free_credentials (sys->x509_cred);
gnutls_Deinit (obj); gnutls_Deinit (VLC_OBJECT(session));
free (p_sys->session.psz_hostname); free (sys->hostname);
free (p_sys); free (sys);
} }
/** /**
* Server-side TLS * Server-side TLS
*/ */
struct tls_server_sys_t struct vlc_tls_creds_sys
{ {
gnutls_certificate_credentials_t x509_cred; gnutls_certificate_credentials_t x509_cred;
gnutls_dh_params_t dh_params; gnutls_dh_params_t dh_params;
int (*pf_handshake) (tls_session_t *); int (*handshake) (vlc_tls_t *);
}; };
...@@ -734,88 +701,79 @@ struct tls_server_sys_t ...@@ -734,88 +701,79 @@ struct tls_server_sys_t
* Terminates TLS session and releases session data. * Terminates TLS session and releases session data.
* You still have to close the socket yourself. * You still have to close the socket yourself.
*/ */
static void static void gnutls_SessionClose (vlc_tls_t *session)
gnutls_SessionClose (tls_server_t *p_server, tls_session_t *p_session)
{ {
tls_session_sys_t *p_sys = p_session->p_sys; vlc_tls_sys_t *sys = session->sys;
(void)p_server;
if( p_sys->b_handshaked ) if (sys->handshaked)
gnutls_bye( p_sys->session, GNUTLS_SHUT_WR ); gnutls_bye (sys->session, GNUTLS_SHUT_WR);
gnutls_deinit( p_sys->session ); gnutls_deinit (sys->session);
vlc_object_release( p_session ); vlc_object_release (session);
free (sys);
free( p_sys );
} }
/** /**
* Initializes a server-side TLS session. * Initializes a server-side TLS session.
*/ */
static tls_session_t * static vlc_tls_t *gnutls_SessionOpen (vlc_tls_creds_t *server, int fd)
gnutls_ServerSessionPrepare( tls_server_t *p_server )
{ {
tls_session_t *p_session; vlc_tls_creds_sys_t *ssys = server->sys;
tls_server_sys_t *p_server_sys; int val;
gnutls_session_t session;
int i_val;
p_session = vlc_object_create( p_server, sizeof (struct tls_session_t) ); vlc_tls_t *session = vlc_object_create (server, sizeof (*session));
if( p_session == NULL ) if (unlikely(session == NULL))
return NULL; return NULL;
p_session->p_sys = malloc( sizeof(struct tls_session_sys_t) ); vlc_tls_sys_t *sys = malloc (sizeof (*session->sys));
if( p_session->p_sys == NULL ) if (unlikely(sys == NULL))
{ {
vlc_object_release( p_session ); vlc_object_release (session);
return NULL; return NULL;
} }
p_server_sys = p_server->p_sys; session->sys = sys;
p_session->sock.p_sys = p_session; session->sock.p_sys = session;
p_session->sock.pf_send = gnutls_Send; session->sock.pf_send = gnutls_Send;
p_session->sock.pf_recv = gnutls_Recv; session->sock.pf_recv = gnutls_Recv;
p_session->pf_set_fd = gnutls_SetFD; session->handshake = ssys->handshake;
p_session->pf_handshake = p_server_sys->pf_handshake; session->u.close = gnutls_SessionClose;
sys->handshaked = false;
sys->hostname = NULL;
p_session->p_sys->b_handshaked = false; val = gnutls_init (&sys->session, GNUTLS_SERVER);
p_session->p_sys->psz_hostname = NULL; if (val != 0)
i_val = gnutls_init( &session, GNUTLS_SERVER );
if( i_val != 0 )
{ {
msg_Err( p_server, "cannot initialize TLS session: %s", msg_Err (server, "cannot initialize TLS session: %s",
gnutls_strerror( i_val ) ); gnutls_strerror (val));
goto error; free (sys);
vlc_object_release (session);
return NULL;
} }
p_session->p_sys->session = session; if (gnutls_SessionPrioritize (VLC_OBJECT (server), sys->session))
if (gnutls_SessionPrioritize (VLC_OBJECT (p_session), session))
{
gnutls_deinit( session );
goto error; goto error;
}
i_val = gnutls_credentials_set( session, GNUTLS_CRD_CERTIFICATE, val = gnutls_credentials_set (sys->session, GNUTLS_CRD_CERTIFICATE,
p_server_sys->x509_cred ); ssys->x509_cred);
if( i_val < 0 ) if (val < 0)
{ {
msg_Err( p_server, "cannot set TLS session credentials: %s", msg_Err (server, "cannot set TLS session credentials: %s",
gnutls_strerror( i_val ) ); gnutls_strerror (val));
gnutls_deinit( session );
goto error; goto error;
} }
if (p_session->pf_handshake == gnutls_HandshakeAndValidate) if (session->handshake == gnutls_HandshakeAndValidate)
gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUIRE); gnutls_certificate_server_set_request (sys->session,
GNUTLS_CERT_REQUIRE);
return p_session; gnutls_transport_set_ptr (sys->session,
(gnutls_transport_ptr_t)(intptr_t)fd);
return session;
error: error:
free( p_session->p_sys ); gnutls_SessionClose (session);
vlc_object_release( p_session );
return NULL; return NULL;
} }
...@@ -823,34 +781,29 @@ error: ...@@ -823,34 +781,29 @@ error:
/** /**
* Adds one or more certificate authorities. * Adds one or more certificate authorities.
* *
* @param psz_ca_path (Unicode) path to an x509 certificates list. * @param ca_path (Unicode) path to an x509 certificates list.
* *
* @return -1 on error, 0 on success. * @return -1 on error, 0 on success.
*/ */
static int static int gnutls_ServerAddCA (vlc_tls_creds_t *server, const char *ca_path)
gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path )
{ {
tls_server_sys_t *p_sys; vlc_tls_creds_sys_t *sys = server->sys;
char *psz_local_path; char *local_path = ToLocale (ca_path);
int val;
p_sys = (tls_server_sys_t *)(p_server->p_sys);
psz_local_path = ToLocale( psz_ca_path ); int val = gnutls_certificate_set_x509_trust_file (sys->x509_cred,
val = gnutls_certificate_set_x509_trust_file( p_sys->x509_cred, local_path,
psz_local_path, GNUTLS_X509_FMT_PEM );
GNUTLS_X509_FMT_PEM ); LocaleFree (local_path);
LocaleFree( psz_local_path ); if (val < 0)
if( val < 0 )
{ {
msg_Err( p_server, "cannot add trusted CA (%s): %s", psz_ca_path, msg_Err (server, "cannot add trusted CA (%s): %s", ca_path,
gnutls_strerror( val ) ); gnutls_strerror (val));
return VLC_EGENERIC; return VLC_EGENERIC;
} }
msg_Dbg( p_server, " %d trusted CA added (%s)", val, psz_ca_path ); msg_Dbg (server, " %d trusted CA added (%s)", val, ca_path);
/* enables peer's certificate verification */ /* enables peer's certificate verification */
p_sys->pf_handshake = gnutls_HandshakeAndValidate; sys->handshake = gnutls_HandshakeAndValidate;
return VLC_SUCCESS; return VLC_SUCCESS;
} }
...@@ -859,28 +812,26 @@ gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path ) ...@@ -859,28 +812,26 @@ gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path )
/** /**
* Adds a certificates revocation list to be sent to TLS clients. * Adds a certificates revocation list to be sent to TLS clients.
* *
* @param psz_crl_path (Unicode) path of the CRL file. * @param crl_path (Unicode) path of the CRL file.
* *
* @return -1 on error, 0 on success. * @return -1 on error, 0 on success.
*/ */
static int static int gnutls_ServerAddCRL (vlc_tls_creds_t *server, const char *crl_path)
gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
{ {
int val; vlc_tls_creds_sys_t *sys = server->sys;
char *psz_local_path = ToLocale( psz_crl_path ); char *local_path = ToLocale (crl_path);
val = gnutls_certificate_set_x509_crl_file( ((tls_server_sys_t *) int val = gnutls_certificate_set_x509_crl_file (sys->x509_cred,
(p_server->p_sys))->x509_cred, local_path,
psz_local_path, GNUTLS_X509_FMT_PEM);
GNUTLS_X509_FMT_PEM ); LocaleFree (local_path);
LocaleFree( psz_local_path ); if (val < 0)
if( val < 0 )
{ {
msg_Err( p_server, "cannot add CRL (%s): %s", psz_crl_path, msg_Err (server, "cannot add CRL (%s): %s", crl_path,
gnutls_strerror( val ) ); gnutls_strerror (val));
return VLC_EGENERIC; return VLC_EGENERIC;
} }
msg_Dbg( p_server, "%d CRL added (%s)", val, psz_crl_path ); msg_Dbg (server, "%d CRL added (%s)", val, crl_path);
return VLC_SUCCESS; return VLC_SUCCESS;
} }
...@@ -890,8 +841,7 @@ gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path ) ...@@ -890,8 +841,7 @@ gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
*/ */
static int OpenServer (vlc_object_t *obj) static int OpenServer (vlc_object_t *obj)
{ {
tls_server_t *p_server = (tls_server_t *)obj; vlc_tls_creds_t *server = (vlc_tls_creds_t *)obj;
tls_server_sys_t *p_sys;
int val; int val;
if (gnutls_Init (obj)) if (gnutls_Init (obj))
...@@ -899,52 +849,49 @@ static int OpenServer (vlc_object_t *obj) ...@@ -899,52 +849,49 @@ static int OpenServer (vlc_object_t *obj)
msg_Dbg (obj, "creating TLS server"); msg_Dbg (obj, "creating TLS server");
p_sys = (tls_server_sys_t *)malloc( sizeof(struct tls_server_sys_t) ); vlc_tls_creds_sys_t *sys = malloc (sizeof (*sys));
if( p_sys == NULL ) if (unlikely(sys == NULL))
return VLC_ENOMEM; return VLC_ENOMEM;
p_server->p_sys = p_sys; server->sys = sys;
p_server->pf_add_CA = gnutls_ServerAddCA; server->add_CA = gnutls_ServerAddCA;
p_server->pf_add_CRL = gnutls_ServerAddCRL; server->add_CRL = gnutls_ServerAddCRL;
p_server->pf_open = gnutls_ServerSessionPrepare; server->open = gnutls_SessionOpen;
p_server->pf_close = gnutls_SessionClose;
/* No certificate validation by default */ /* No certificate validation by default */
p_sys->pf_handshake = gnutls_ContinueHandshake; sys->handshake = gnutls_ContinueHandshake;
/* Sets server's credentials */ /* Sets server's credentials */
val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred ); val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
if( val != 0 ) if (val != 0)
{ {
msg_Err( p_server, "cannot allocate X509 credentials: %s", msg_Err (server, "cannot allocate X509 credentials: %s",
gnutls_strerror( val ) ); gnutls_strerror (val));
goto error; goto error;
} }
char *psz_cert_path = var_GetNonEmptyString (obj, "tls-x509-cert"); char *cert_path = var_GetNonEmptyString (obj, "tls-x509-cert");
char *psz_key_path = var_GetNonEmptyString (obj, "tls-x509-key"); char *key_path = var_GetNonEmptyString (obj, "tls-x509-key");
const char *psz_local_cert = ToLocale (psz_cert_path); const char *lcert = ToLocale (cert_path);
const char *psz_local_key = ToLocale (psz_key_path); const char *lkey = ToLocale (key_path);
val = gnutls_certificate_set_x509_key_file (p_sys->x509_cred, val = gnutls_certificate_set_x509_key_file (sys->x509_cred, lcert, lkey,
psz_local_cert, psz_local_key, GNUTLS_X509_FMT_PEM);
GNUTLS_X509_FMT_PEM ); LocaleFree (lkey);
LocaleFree (psz_local_key); LocaleFree (lcert);
free (psz_key_path); free (key_path);
LocaleFree (psz_local_cert); free (cert_path);
free (psz_cert_path);
if( val < 0 ) if (val < 0)
{ {
msg_Err( p_server, "cannot set certificate chain or private key: %s", msg_Err (server, "cannot set certificate chain or private key: %s",
gnutls_strerror( val ) ); gnutls_strerror (val));
gnutls_certificate_free_credentials( p_sys->x509_cred ); gnutls_certificate_free_credentials (sys->x509_cred);
goto error; goto error;
} }
/* FIXME: /* FIXME:
* - support other ciper suites * - support other cipher suites
*/ */
val = gnutls_dh_params_init (&p_sys->dh_params); val = gnutls_dh_params_init (&sys->dh_params);
if (val >= 0) if (val >= 0)
{ {
const gnutls_datum_t data = { const gnutls_datum_t data = {
...@@ -952,36 +899,37 @@ static int OpenServer (vlc_object_t *obj) ...@@ -952,36 +899,37 @@ static int OpenServer (vlc_object_t *obj)
.size = sizeof (dh_params) - 1, .size = sizeof (dh_params) - 1,
}; };
val = gnutls_dh_params_import_pkcs3 (p_sys->dh_params, &data, val = gnutls_dh_params_import_pkcs3 (sys->dh_params, &data,
GNUTLS_X509_FMT_PEM); GNUTLS_X509_FMT_PEM);
if (val == 0) if (val == 0)
gnutls_certificate_set_dh_params (p_sys->x509_cred, gnutls_certificate_set_dh_params (sys->x509_cred,
p_sys->dh_params); sys->dh_params);
} }
if (val < 0) if (val < 0)
{ {
msg_Err (p_server, "cannot initialize DHE cipher suites: %s", msg_Err (server, "cannot initialize DHE cipher suites: %s",
gnutls_strerror (val)); gnutls_strerror (val));
} }
return VLC_SUCCESS; return VLC_SUCCESS;
error: error:
free (p_sys); free (sys);
return VLC_EGENERIC; return VLC_EGENERIC;
} }
/** /**
* Destroys a TLS server object. * Destroys a TLS server object.
*/ */
static void CloseServer (vlc_object_t *p_server) static void CloseServer (vlc_object_t *obj)
{ {
tls_server_sys_t *p_sys = ((tls_server_t *)p_server)->p_sys; vlc_tls_creds_t *server = (vlc_tls_creds_t *)obj;
vlc_tls_creds_sys_t *sys = server->sys;
/* all sessions depending on the server are now deinitialized */ /* all sessions depending on the server are now deinitialized */
gnutls_certificate_free_credentials (p_sys->x509_cred); gnutls_certificate_free_credentials (sys->x509_cred);
gnutls_dh_params_deinit (p_sys->dh_params); gnutls_dh_params_deinit (sys->dh_params);
free (p_sys); free (sys);
gnutls_Deinit (p_server); gnutls_Deinit (obj);
} }
...@@ -436,8 +436,8 @@ subpicture_Update ...@@ -436,8 +436,8 @@ subpicture_Update
subpicture_region_ChainDelete subpicture_region_ChainDelete
subpicture_region_Delete subpicture_region_Delete
subpicture_region_New subpicture_region_New
tls_ClientCreate vlc_tls_ClientCreate
tls_ClientDelete vlc_tls_ClientDelete
ToCharset ToCharset
ToLocale ToLocale
ToLocaleDup ToLocaleDup
......
...@@ -108,7 +108,7 @@ struct httpd_host_t ...@@ -108,7 +108,7 @@ struct httpd_host_t
httpd_client_t **client; httpd_client_t **client;
/* TLS data */ /* TLS data */
tls_server_t *p_tls; vlc_tls_creds_t *p_tls;
}; };
...@@ -180,7 +180,7 @@ struct httpd_client_t ...@@ -180,7 +180,7 @@ struct httpd_client_t
httpd_message_t answer; /* httpd -> client */ httpd_message_t answer; /* httpd -> client */
/* TLS data */ /* TLS data */
tls_session_t *p_tls; vlc_tls_t *p_tls;
}; };
...@@ -982,7 +982,7 @@ httpd_host_t *httpd_TLSHostNew( vlc_object_t *p_this, const char *psz_hostname, ...@@ -982,7 +982,7 @@ httpd_host_t *httpd_TLSHostNew( vlc_object_t *p_this, const char *psz_hostname,
{ {
httpd_t *httpd; httpd_t *httpd;
httpd_host_t *host; httpd_host_t *host;
tls_server_t *p_tls; vlc_tls_creds_t *p_tls;
char *psz_host; char *psz_host;
int i; int i;
...@@ -1043,20 +1043,20 @@ httpd_host_t *httpd_TLSHostNew( vlc_object_t *p_this, const char *psz_hostname, ...@@ -1043,20 +1043,20 @@ httpd_host_t *httpd_TLSHostNew( vlc_object_t *p_this, const char *psz_hostname,
/* determine TLS configuration */ /* determine TLS configuration */
if ( psz_cert != NULL ) if ( psz_cert != NULL )
{ {
p_tls = tls_ServerCreate( p_this, psz_cert, psz_key ); p_tls = vlc_tls_ServerCreate( p_this, psz_cert, psz_key );
if ( p_tls == NULL ) if ( p_tls == NULL )
{ {
msg_Err( p_this, "TLS initialization error" ); msg_Err( p_this, "TLS initialization error" );
goto error; goto error;
} }
if ( ( psz_ca != NULL) && tls_ServerAddCA( p_tls, psz_ca ) ) if ( ( psz_ca != NULL) && vlc_tls_ServerAddCA( p_tls, psz_ca ) )
{ {
msg_Err( p_this, "TLS CA error" ); msg_Err( p_this, "TLS CA error" );
goto error; goto error;
} }
if ( ( psz_crl != NULL) && tls_ServerAddCRL( p_tls, psz_crl ) ) if ( ( psz_crl != NULL) && vlc_tls_ServerAddCRL( p_tls, psz_crl ) )
{ {
msg_Err( p_this, "TLS CRL error" ); msg_Err( p_this, "TLS CRL error" );
goto error; goto error;
...@@ -1132,7 +1132,7 @@ error: ...@@ -1132,7 +1132,7 @@ error:
} }
if( p_tls != NULL ) if( p_tls != NULL )
tls_ServerDelete( p_tls ); vlc_tls_ServerDelete( p_tls );
return NULL; return NULL;
} }
...@@ -1184,7 +1184,7 @@ void httpd_HostDelete( httpd_host_t *host ) ...@@ -1184,7 +1184,7 @@ void httpd_HostDelete( httpd_host_t *host )
} }
if( host->p_tls != NULL) if( host->p_tls != NULL)
tls_ServerDelete( host->p_tls ); vlc_tls_ServerDelete( host->p_tls );
net_ListenClose( host->fds ); net_ListenClose( host->fds );
free( host->psz_hostname ); free( host->psz_hostname );
...@@ -1429,7 +1429,7 @@ static void httpd_ClientClean( httpd_client_t *cl ) ...@@ -1429,7 +1429,7 @@ static void httpd_ClientClean( httpd_client_t *cl )
if( cl->fd >= 0 ) if( cl->fd >= 0 )
{ {
if( cl->p_tls != NULL ) if( cl->p_tls != NULL )
tls_ServerSessionDelete( cl->p_tls ); vlc_tls_ServerSessionDelete( cl->p_tls );
net_Close( cl->fd ); net_Close( cl->fd );
cl->fd = -1; cl->fd = -1;
} }
...@@ -1441,7 +1441,7 @@ static void httpd_ClientClean( httpd_client_t *cl ) ...@@ -1441,7 +1441,7 @@ static void httpd_ClientClean( httpd_client_t *cl )
cl->p_buffer = NULL; cl->p_buffer = NULL;
} }
static httpd_client_t *httpd_ClientNew( int fd, tls_session_t *p_tls, mtime_t now ) static httpd_client_t *httpd_ClientNew( int fd, vlc_tls_t *p_tls, mtime_t now )
{ {
httpd_client_t *cl = malloc( sizeof( httpd_client_t ) ); httpd_client_t *cl = malloc( sizeof( httpd_client_t ) );
...@@ -1460,7 +1460,7 @@ static httpd_client_t *httpd_ClientNew( int fd, tls_session_t *p_tls, mtime_t no ...@@ -1460,7 +1460,7 @@ static httpd_client_t *httpd_ClientNew( int fd, tls_session_t *p_tls, mtime_t no
static static
ssize_t httpd_NetRecv (httpd_client_t *cl, uint8_t *p, size_t i_len) ssize_t httpd_NetRecv (httpd_client_t *cl, uint8_t *p, size_t i_len)
{ {
tls_session_t *p_tls; vlc_tls_t *p_tls;
ssize_t val; ssize_t val;
p_tls = cl->p_tls; p_tls = cl->p_tls;
...@@ -1474,7 +1474,7 @@ ssize_t httpd_NetRecv (httpd_client_t *cl, uint8_t *p, size_t i_len) ...@@ -1474,7 +1474,7 @@ ssize_t httpd_NetRecv (httpd_client_t *cl, uint8_t *p, size_t i_len)
static static
ssize_t httpd_NetSend (httpd_client_t *cl, const uint8_t *p, size_t i_len) ssize_t httpd_NetSend (httpd_client_t *cl, const uint8_t *p, size_t i_len)
{ {
tls_session_t *p_tls; vlc_tls_t *p_tls;
ssize_t val; ssize_t val;
p_tls = cl->p_tls; p_tls = cl->p_tls;
...@@ -2015,7 +2015,7 @@ static void httpd_ClientSend( httpd_client_t *cl ) ...@@ -2015,7 +2015,7 @@ static void httpd_ClientSend( httpd_client_t *cl )
static void httpd_ClientTlsHsIn( httpd_client_t *cl ) static void httpd_ClientTlsHsIn( httpd_client_t *cl )
{ {
switch( tls_ServerSessionHandshake( cl->p_tls ) ) switch( vlc_tls_ServerSessionHandshake( cl->p_tls ) )
{ {
case 0: case 0:
cl->i_state = HTTPD_CLIENT_RECEIVING; cl->i_state = HTTPD_CLIENT_RECEIVING;
...@@ -2033,7 +2033,7 @@ static void httpd_ClientTlsHsIn( httpd_client_t *cl ) ...@@ -2033,7 +2033,7 @@ static void httpd_ClientTlsHsIn( httpd_client_t *cl )
static void httpd_ClientTlsHsOut( httpd_client_t *cl ) static void httpd_ClientTlsHsOut( httpd_client_t *cl )
{ {
switch( tls_ServerSessionHandshake( cl->p_tls ) ) switch( vlc_tls_ServerSessionHandshake( cl->p_tls ) )
{ {
case 0: case 0:
cl->i_state = HTTPD_CLIENT_RECEIVING; cl->i_state = HTTPD_CLIENT_RECEIVING;
...@@ -2533,12 +2533,12 @@ static void* httpd_HostThread( void *data ) ...@@ -2533,12 +2533,12 @@ static void* httpd_HostThread( void *data )
setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, setsockopt (fd, SOL_SOCKET, SO_REUSEADDR,
&(int){ 1 }, sizeof(int)); &(int){ 1 }, sizeof(int));
tls_session_t *p_tls; vlc_tls_t *p_tls;
if( host->p_tls != NULL ) if( host->p_tls != NULL )
{ {
p_tls = tls_ServerSessionCreate( host->p_tls, fd ); p_tls = vlc_tls_ServerSessionCreate( host->p_tls, fd );
switch( tls_ServerSessionHandshake( p_tls ) ) switch( vlc_tls_ServerSessionHandshake( p_tls ) )
{ {
case -1: case -1:
msg_Err( host, "Rejecting TLS connection" ); msg_Err( host, "Rejecting TLS connection" );
......
...@@ -46,14 +46,12 @@ ...@@ -46,14 +46,12 @@
* *
* @return NULL on error. * @return NULL on error.
*/ */
tls_server_t * vlc_tls_creds_t *
tls_ServerCreate (vlc_object_t *obj, const char *cert_path, vlc_tls_ServerCreate (vlc_object_t *obj, const char *cert_path,
const char *key_path) const char *key_path)
{ {
tls_server_t *srv; vlc_tls_creds_t *srv = vlc_custom_create (obj, sizeof (*srv), "tls creds");
if (unlikely(srv == NULL))
srv = (tls_server_t *)vlc_custom_create (obj, sizeof (*srv), "tls server");
if (srv == NULL)
return NULL; return NULL;
var_Create (srv, "tls-x509-cert", VLC_VAR_STRING); var_Create (srv, "tls-x509-cert", VLC_VAR_STRING);
...@@ -68,8 +66,8 @@ tls_ServerCreate (vlc_object_t *obj, const char *cert_path, ...@@ -68,8 +66,8 @@ tls_ServerCreate (vlc_object_t *obj, const char *cert_path,
var_SetString (srv, "tls-x509-key", key_path); var_SetString (srv, "tls-x509-key", key_path);
} }
srv->p_module = module_need (srv, "tls server", NULL, false ); srv->module = module_need (srv, "tls server", NULL, false );
if (srv->p_module == NULL) if (srv->module == NULL)
{ {
msg_Err (srv, "TLS server plugin not available"); msg_Err (srv, "TLS server plugin not available");
vlc_object_release (srv); vlc_object_release (srv);
...@@ -82,15 +80,15 @@ tls_ServerCreate (vlc_object_t *obj, const char *cert_path, ...@@ -82,15 +80,15 @@ tls_ServerCreate (vlc_object_t *obj, const char *cert_path,
/** /**
* Releases data allocated with tls_ServerCreate. * Releases data allocated with vlc_tls_ServerCreate().
* @param srv TLS server object to be destroyed, or NULL * @param srv TLS server object to be destroyed, or NULL
*/ */
void tls_ServerDelete (tls_server_t *srv) void vlc_tls_ServerDelete (vlc_tls_creds_t *srv)
{ {
if (srv == NULL) if (srv == NULL)
return; return;
module_unneed (srv, srv->p_module); module_unneed (srv, srv->module);
vlc_object_release (srv); vlc_object_release (srv);
} }
...@@ -99,9 +97,9 @@ void tls_ServerDelete (tls_server_t *srv) ...@@ -99,9 +97,9 @@ void tls_ServerDelete (tls_server_t *srv)
* Adds one or more certificate authorities from a file. * Adds one or more certificate authorities from a file.
* @return -1 on error, 0 on success. * @return -1 on error, 0 on success.
*/ */
int tls_ServerAddCA (tls_server_t *srv, const char *path) int vlc_tls_ServerAddCA (vlc_tls_creds_t *srv, const char *path)
{ {
return srv->pf_add_CA (srv, path); return srv->add_CA (srv, path);
} }
...@@ -109,37 +107,54 @@ int tls_ServerAddCA (tls_server_t *srv, const char *path) ...@@ -109,37 +107,54 @@ int tls_ServerAddCA (tls_server_t *srv, const char *path)
* Adds one or more certificate revocation list from a file. * Adds one or more certificate revocation list from a file.
* @return -1 on error, 0 on success. * @return -1 on error, 0 on success.
*/ */
int tls_ServerAddCRL (tls_server_t *srv, const char *path) int vlc_tls_ServerAddCRL (vlc_tls_creds_t *srv, const char *path)
{ {
return srv->pf_add_CRL (srv, path); return srv->add_CRL (srv, path);
} }
tls_session_t *tls_ServerSessionCreate (tls_server_t *srv, int fd) vlc_tls_t *vlc_tls_ServerSessionCreate (vlc_tls_creds_t *srv, int fd)
{ {
tls_session_t *ses = srv->pf_open (srv); return srv->open (srv, fd);
if (ses != NULL)
ses->pf_set_fd (ses, fd);
return ses;
} }
void tls_ServerSessionDelete (tls_session_t *ses) void vlc_tls_ServerSessionDelete (vlc_tls_t *ses)
{ {
tls_server_t *srv = (tls_server_t *)(ses->p_parent); ses->u.close (ses);
srv->pf_close (srv, ses);
} }
int tls_ServerSessionHandshake (tls_session_t *ses) int vlc_tls_ServerSessionHandshake (vlc_tls_t *ses)
{ {
int val = ses->pf_handshake (ses); int val = ses->handshake (ses);
if (val < 0) if (val < 0)
tls_ServerSessionDelete (ses); vlc_tls_ServerSessionDelete (ses);
return val; return val;
} }
/*** TLS client session ***/
/* TODO: cache certificates for the whole VLC instance lifetime */
static int tls_client_start(void *func, va_list ap)
{
int (*activate) (vlc_tls_t *, int fd, const char *hostname) = func;
vlc_tls_t *session = va_arg (ap, vlc_tls_t *);
int fd = va_arg (ap, int);
const char *hostname = va_arg (ap, const char *);
return activate (session, fd, hostname);
}
static void tls_client_stop(void *func, va_list ap)
{
void (*deactivate) (vlc_tls_t *) = func;
vlc_tls_t *session = va_arg (ap, vlc_tls_t *);
deactivate (session);
}
/** /**
* Allocates a client's TLS credentials and shakes hands through the network. * Allocates a client's TLS credentials and shakes hands through the network.
* This is a blocking network operation. * This is a blocking network operation.
...@@ -150,61 +165,49 @@ int tls_ServerSessionHandshake (tls_session_t *ses) ...@@ -150,61 +165,49 @@ int tls_ServerSessionHandshake (tls_session_t *ses)
* *
* @return NULL on error. * @return NULL on error.
**/ **/
tls_session_t * vlc_tls_t *
tls_ClientCreate (vlc_object_t *obj, int fd, const char *psz_hostname) vlc_tls_ClientCreate (vlc_object_t *obj, int fd, const char *hostname)
{ {
tls_session_t *cl; vlc_tls_t *cl = vlc_custom_create (obj, sizeof (*cl), "tls client");
int val; if (unlikely(cl == NULL))
cl = (tls_session_t *)vlc_custom_create (obj, sizeof (*cl), "tls client");
if (cl == NULL)
return NULL; return NULL;
var_Create (cl, "tls-server-name", VLC_VAR_STRING); cl->u.module = vlc_module_load (cl, "tls client", NULL, false,
if (psz_hostname != NULL) tls_client_start, cl, fd, hostname);
{ if (cl->u.module == NULL)
msg_Dbg (cl, "requested server name: %s", psz_hostname);
var_SetString (cl, "tls-server-name", psz_hostname);
}
else
msg_Dbg (cl, "requested anonymous server");
cl->p_module = module_need (cl, "tls client", NULL, false );
if (cl->p_module == NULL)
{ {
msg_Err (cl, "TLS client plugin not available"); msg_Err (cl, "TLS client plugin not available");
vlc_object_release (cl); vlc_object_release (cl);
return NULL; return NULL;
} }
cl->pf_set_fd (cl, fd); /* TODO: do this directly in the TLS plugin */
int val;
do do
val = cl->pf_handshake (cl); val = cl->handshake (cl);
while (val > 0); while (val > 0);
if (val == 0) if (val != 0)
{ {
msg_Dbg (cl, "TLS client session initialized"); msg_Err (cl, "TLS client session handshake error");
return cl; vlc_module_unload (cl->u.module, tls_client_stop, cl);
vlc_object_release (cl);
return NULL;
} }
msg_Err (cl, "TLS client session handshake error"); msg_Dbg (cl, "TLS client session initialized");
return cl;
module_unneed (cl, cl->p_module);
vlc_object_release (cl);
return NULL;
} }
/** /**
* Releases data allocated with tls_ClientCreate. * Releases data allocated with vlc_tls_ClientCreate().
* It is your job to close the underlying socket. * It is your job to close the underlying socket.
*/ */
void tls_ClientDelete (tls_session_t *cl) void vlc_tls_ClientDelete (vlc_tls_t *cl)
{ {
if (cl == NULL) if (cl == NULL)
return; return;
module_unneed (cl, cl->p_module); vlc_module_unload (cl->u.module, tls_client_stop, cl);
vlc_object_release (cl); vlc_object_release (cl);
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment