Skip to content

V
vlc-gpu
Commit 17202b11 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont
Browse files
Options

- Load root certificates from /etc/ssl (currently very slow :( ) 

- Cosmetic
parent 3a4d69de
Hide whitespace changes
Inline Side-by-side
Showing with 49 additions and 34 deletions
modules/misc/gnutls.c
View file @ 17202b11
...@@ -88,6 +88,12 @@ static void Close( vlc_object_t * ); ...@@ -88,6 +88,12 @@ static void Close( vlc_object_t * );
#define CHECK_HOSTNAME_LONGTEXT N_( \ #define CHECK_HOSTNAME_LONGTEXT N_( \
"Ensures that server hostname in certificate match requested host name." ) "Ensures that server hostname in certificate match requested host name." )
#if defined (WIN32) || defined (UNDER_CE)
# undef HOST_CA_PATH
#else
# define HOST_CA_PATH "/etc/ssl/certs"
#endif
vlc_module_begin(); vlc_module_begin();
set_shortname( "GnuTLS" ); set_shortname( "GnuTLS" );
set_description( _("GnuTLS TLS encryption layer") ); set_description( _("GnuTLS TLS encryption layer") );
...@@ -96,16 +102,16 @@ vlc_module_begin(); ...@@ -96,16 +102,16 @@ vlc_module_begin();
set_category( CAT_ADVANCED ); set_category( CAT_ADVANCED );
set_subcategory( SUBCAT_ADVANCED_MISC ); set_subcategory( SUBCAT_ADVANCED_MISC );
add_bool( "tls-check-cert", VLC_FALSE, NULL, CHECK_CERT_TEXT, add_bool( "tls-check-cert", VLC_TRUE, NULL, CHECK_CERT_TEXT,
CHECK_CERT_LONGTEXT, VLC_FALSE ); CHECK_CERT_LONGTEXT, VLC_FALSE );
add_bool( "tls-check-hostname", VLC_FALSE, NULL, CHECK_HOSTNAME_TEXT, add_bool( "tls-check-hostname", VLC_TRUE, NULL, CHECK_HOSTNAME_TEXT,
CHECK_HOSTNAME_LONGTEXT, VLC_FALSE ); CHECK_HOSTNAME_LONGTEXT, VLC_FALSE );
add_integer( "dh-bits", DH_BITS, NULL, DH_BITS_TEXT, add_integer( "gnutls-dh-bits", DH_BITS, NULL, DH_BITS_TEXT,
DH_BITS_LONGTEXT, VLC_TRUE ); DH_BITS_LONGTEXT, VLC_TRUE );
add_integer( "tls-cache-expiration", CACHE_EXPIRATION, NULL, add_integer( "gnutls-cache-expiration", CACHE_EXPIRATION, NULL,
CACHE_EXPIRATION_TEXT, CACHE_EXPIRATION_LONGTEXT, VLC_TRUE ); CACHE_EXPIRATION_TEXT, CACHE_EXPIRATION_LONGTEXT, VLC_TRUE );
add_integer( "tls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT, add_integer( "gnutls-cache-size", CACHE_SIZE, NULL, CACHE_SIZE_TEXT,
CACHE_SIZE_LONGTEXT, VLC_TRUE ); CACHE_SIZE_LONGTEXT, VLC_TRUE );
vlc_module_end(); vlc_module_end();
...@@ -245,7 +251,7 @@ gnutls_ContinueHandshake( tls_session_t *p_session) ...@@ -245,7 +251,7 @@ gnutls_ContinueHandshake( tls_session_t *p_session)
if( val < 0 ) if( val < 0 )
{ {
msg_Err( p_session, "TLS handshake failed : %s", msg_Err( p_session, "TLS handshake failed: %s",
gnutls_strerror( val ) ); gnutls_strerror( val ) );
p_session->pf_close( p_session ); p_session->pf_close( p_session );
return -1; return -1;
...@@ -274,7 +280,7 @@ gnutls_HandshakeAndValidate( tls_session_t *p_session ) ...@@ -274,7 +280,7 @@ gnutls_HandshakeAndValidate( tls_session_t *p_session )
if( val ) if( val )
{ {
msg_Err( p_session, "TLS certificate verification failed : %s", msg_Err( p_session, "TLS certificate verification failed: %s",
gnutls_strerror( val ) ); gnutls_strerror( val ) );
p_session->pf_close( p_session ); p_session->pf_close( p_session );
return -1; return -1;
...@@ -282,7 +288,7 @@ gnutls_HandshakeAndValidate( tls_session_t *p_session ) ...@@ -282,7 +288,7 @@ gnutls_HandshakeAndValidate( tls_session_t *p_session )
if( status ) if( status )
{ {
msg_Warn( p_session, "TLS session : access denied" ); msg_Warn( p_session, "TLS session: access denied" );
if( status & GNUTLS_CERT_INVALID ) if( status & GNUTLS_CERT_INVALID )
msg_Dbg( p_session, "certificate could not be verified" ); msg_Dbg( p_session, "certificate could not be verified" );
if( status & GNUTLS_CERT_REVOKED ) if( status & GNUTLS_CERT_REVOKED )
...@@ -311,7 +317,7 @@ gnutls_HandshakeAndValidate( tls_session_t *p_session ) ...@@ -311,7 +317,7 @@ gnutls_HandshakeAndValidate( tls_session_t *p_session )
val = gnutls_x509_crt_init( &cert ); val = gnutls_x509_crt_init( &cert );
if( val ) if( val )
{ {
msg_Err( p_session, "x509 fatal error : %s", msg_Err( p_session, "x509 fatal error: %s",
gnutls_strerror( val ) ); gnutls_strerror( val ) );
p_session->pf_close( p_session ); p_session->pf_close( p_session );
return -1; return -1;
...@@ -320,7 +326,7 @@ gnutls_HandshakeAndValidate( tls_session_t *p_session ) ...@@ -320,7 +326,7 @@ gnutls_HandshakeAndValidate( tls_session_t *p_session )
val = gnutls_x509_crt_import( cert, p_data, GNUTLS_X509_FMT_DER ); val = gnutls_x509_crt_import( cert, p_data, GNUTLS_X509_FMT_DER );
if( val ) if( val )
{ {
msg_Err( p_session, "x509 certificate import error : %s", msg_Err( p_session, "x509 certificate import error: %s",
gnutls_strerror( val ) ); gnutls_strerror( val ) );
gnutls_x509_crt_deinit( cert ); gnutls_x509_crt_deinit( cert );
p_session->pf_close( p_session ); p_session->pf_close( p_session );
...@@ -426,7 +432,7 @@ gnutls_Addx509Directory( vlc_object_t *p_this, ...@@ -426,7 +432,7 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
dir = utf8_opendir( psz_dirname ); dir = utf8_opendir( psz_dirname );
if( dir == NULL ) if( dir == NULL )
{ {
msg_Warn( p_this, "Cannot open directory (%s) : %s", psz_dirname, msg_Warn( p_this, "Cannot open directory (%s): %s", psz_dirname,
strerror( errno ) ); strerror( errno ) );
return VLC_EGENERIC; return VLC_EGENERIC;
} }
...@@ -455,7 +461,13 @@ gnutls_Addx509Directory( vlc_object_t *p_this, ...@@ -455,7 +461,13 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
{ {
struct stat st; struct stat st;
char *psz_filename; char *psz_filename;
int check = asprintf( &psz_filename, "%s/%s", psz_dirname, int check;
if( ( strcmp( ".", psz_dirent ) == 0 )
|| ( strcmp( "..", psz_dirent ) == 0 ) )
continue;
check = asprintf( &psz_filename, "%s/%s", psz_dirname,
psz_dirent ); psz_dirent );
LocaleFree( psz_dirent ); LocaleFree( psz_dirent );
if( check == -1 ) if( check == -1 )
...@@ -474,10 +486,11 @@ gnutls_Addx509Directory( vlc_object_t *p_this, ...@@ -474,10 +486,11 @@ gnutls_Addx509Directory( vlc_object_t *p_this,
LocaleFree( psz_localname ); LocaleFree( psz_localname );
if( i < 0 ) if( i < 0 )
{ msg_Warn( p_this, "Cannot add x509 certificate (%s): %s",
msg_Warn( p_this, "Cannot add x509 certificate (%s) : %s",
psz_filename, gnutls_strerror( i ) ); psz_filename, gnutls_strerror( i ) );
} else
msg_Dbg( p_this, "Added x509 credentials (%s)",
psz_filename );
} }
else if( S_ISDIR( st.st_mode ) ) else if( S_ISDIR( st.st_mode ) )
{ {
...@@ -537,14 +550,13 @@ gnutls_ClientCreate( tls_t *p_tls ) ...@@ -537,14 +550,13 @@ gnutls_ClientCreate( tls_t *p_tls )
i_val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred ); i_val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
if( i_val != 0 ) if( i_val != 0 )
{ {
msg_Err( p_tls, "Cannot allocate X509 credentials : %s", msg_Err( p_tls, "Cannot allocate X509 credentials: %s",
gnutls_strerror( i_val ) ); gnutls_strerror( i_val ) );
goto error; goto error;
} }
if( get_Bool( p_tls, "tls-check-cert" ) ) if( get_Bool( p_tls, "tls-check-cert" ) )
{ {
/* FIXME: support for changing path/using multiple paths */
char *psz_path; char *psz_path;
if( asprintf( &psz_path, "%s/"CONFIG_DIR"/ssl/certs", if( asprintf( &psz_path, "%s/"CONFIG_DIR"/ssl/certs",
...@@ -556,6 +568,10 @@ gnutls_ClientCreate( tls_t *p_tls ) ...@@ -556,6 +568,10 @@ gnutls_ClientCreate( tls_t *p_tls )
gnutls_Addx509Directory( (vlc_object_t *)p_session, p_sys->x509_cred, gnutls_Addx509Directory( (vlc_object_t *)p_session, p_sys->x509_cred,
psz_path, VLC_FALSE ); psz_path, VLC_FALSE );
#ifdef HOST_CA_PATH
gnutls_Addx509Directory( (vlc_object_t *)p_session, p_sys->x509_cred,
HOST_CA_PATH, VLC_FALSE );
#endif
free( psz_path ); free( psz_path );
p_session->pf_handshake2 = gnutls_HandshakeAndValidate; p_session->pf_handshake2 = gnutls_HandshakeAndValidate;
...@@ -564,7 +580,6 @@ gnutls_ClientCreate( tls_t *p_tls ) ...@@ -564,7 +580,6 @@ gnutls_ClientCreate( tls_t *p_tls )
p_session->pf_handshake2 = gnutls_ContinueHandshake; p_session->pf_handshake2 = gnutls_ContinueHandshake;
{ {
/* FIXME: support for changing path/using multiple paths */
char *psz_path; char *psz_path;
if( asprintf( &psz_path, "%s/"CONFIG_DIR"/ssl/private", if( asprintf( &psz_path, "%s/"CONFIG_DIR"/ssl/private",
...@@ -583,7 +598,7 @@ gnutls_ClientCreate( tls_t *p_tls ) ...@@ -583,7 +598,7 @@ gnutls_ClientCreate( tls_t *p_tls )
i_val = gnutls_init( &p_sys->session.session, GNUTLS_CLIENT ); i_val = gnutls_init( &p_sys->session.session, GNUTLS_CLIENT );
if( i_val != 0 ) if( i_val != 0 )
{ {
msg_Err( p_tls, "Cannot initialize TLS session : %s", msg_Err( p_tls, "Cannot initialize TLS session: %s",
gnutls_strerror( i_val ) ); gnutls_strerror( i_val ) );
gnutls_certificate_free_credentials( p_sys->x509_cred ); gnutls_certificate_free_credentials( p_sys->x509_cred );
goto error; goto error;
...@@ -592,7 +607,7 @@ gnutls_ClientCreate( tls_t *p_tls ) ...@@ -592,7 +607,7 @@ gnutls_ClientCreate( tls_t *p_tls )
i_val = gnutls_set_default_priority( p_sys->session.session ); i_val = gnutls_set_default_priority( p_sys->session.session );
if( i_val < 0 ) if( i_val < 0 )
{ {
msg_Err( p_tls, "Cannot set ciphers priorities : %s", msg_Err( p_tls, "Cannot set ciphers priorities: %s",
gnutls_strerror( i_val ) ); gnutls_strerror( i_val ) );
gnutls_deinit( p_sys->session.session ); gnutls_deinit( p_sys->session.session );
gnutls_certificate_free_credentials( p_sys->x509_cred ); gnutls_certificate_free_credentials( p_sys->x509_cred );
...@@ -603,7 +618,7 @@ gnutls_ClientCreate( tls_t *p_tls ) ...@@ -603,7 +618,7 @@ gnutls_ClientCreate( tls_t *p_tls )
cert_type_priority ); cert_type_priority );
if( i_val < 0 ) if( i_val < 0 )
{ {
msg_Err( p_tls, "Cannot set certificate type priorities : %s", msg_Err( p_tls, "Cannot set certificate type priorities: %s",
gnutls_strerror( i_val ) ); gnutls_strerror( i_val ) );
gnutls_deinit( p_sys->session.session ); gnutls_deinit( p_sys->session.session );
gnutls_certificate_free_credentials( p_sys->x509_cred ); gnutls_certificate_free_credentials( p_sys->x509_cred );
...@@ -615,7 +630,7 @@ gnutls_ClientCreate( tls_t *p_tls ) ...@@ -615,7 +630,7 @@ gnutls_ClientCreate( tls_t *p_tls )
p_sys->x509_cred ); p_sys->x509_cred );
if( i_val < 0 ) if( i_val < 0 )
{ {
msg_Err( p_tls, "Cannot set TLS session credentials : %s", msg_Err( p_tls, "Cannot set TLS session credentials: %s",
gnutls_strerror( i_val ) ); gnutls_strerror( i_val ) );
gnutls_deinit( p_sys->session.session ); gnutls_deinit( p_sys->session.session );
gnutls_certificate_free_credentials( p_sys->x509_cred ); gnutls_certificate_free_credentials( p_sys->x509_cred );
...@@ -771,7 +786,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server ) ...@@ -771,7 +786,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
i_val = gnutls_init( &session, GNUTLS_SERVER ); i_val = gnutls_init( &session, GNUTLS_SERVER );
if( i_val != 0 ) if( i_val != 0 )
{ {
msg_Err( p_server, "Cannot initialize TLS session : %s", msg_Err( p_server, "Cannot initialize TLS session: %s",
gnutls_strerror( i_val ) ); gnutls_strerror( i_val ) );
goto error; goto error;
} }
...@@ -781,7 +796,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server ) ...@@ -781,7 +796,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
i_val = gnutls_set_default_priority( session ); i_val = gnutls_set_default_priority( session );
if( i_val < 0 ) if( i_val < 0 )
{ {
msg_Err( p_server, "Cannot set ciphers priorities : %s", msg_Err( p_server, "Cannot set ciphers priorities: %s",
gnutls_strerror( i_val ) ); gnutls_strerror( i_val ) );
gnutls_deinit( session ); gnutls_deinit( session );
goto error; goto error;
...@@ -791,7 +806,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server ) ...@@ -791,7 +806,7 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
p_server_sys->x509_cred ); p_server_sys->x509_cred );
if( i_val < 0 ) if( i_val < 0 )
{ {
msg_Err( p_server, "Cannot set TLS session credentials : %s", msg_Err( p_server, "Cannot set TLS session credentials: %s",
gnutls_strerror( i_val ) ); gnutls_strerror( i_val ) );
gnutls_deinit( session ); gnutls_deinit( session );
goto error; goto error;
...@@ -800,11 +815,11 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server ) ...@@ -800,11 +815,11 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
if( p_session->pf_handshake2 == gnutls_HandshakeAndValidate ) if( p_session->pf_handshake2 == gnutls_HandshakeAndValidate )
gnutls_certificate_server_set_request( session, GNUTLS_CERT_REQUIRE ); gnutls_certificate_server_set_request( session, GNUTLS_CERT_REQUIRE );
gnutls_dh_set_prime_bits( session, get_Int( p_server, "dh-bits" ) ); gnutls_dh_set_prime_bits( session, get_Int( p_server, "gnutls-dh-bits" ) );
/* Session resumption support */ /* Session resumption support */
gnutls_db_set_cache_expiration( session, get_Int( p_server, gnutls_db_set_cache_expiration( session, get_Int( p_server,
"tls-cache-expiration" ) ); "gnutls-cache-expiration" ) );
gnutls_db_set_retrieve_function( session, cb_fetch ); gnutls_db_set_retrieve_function( session, cb_fetch );
gnutls_db_set_remove_function( session, cb_delete ); gnutls_db_set_remove_function( session, cb_delete );
gnutls_db_set_store_function( session, cb_store ); gnutls_db_set_store_function( session, cb_store );
...@@ -866,7 +881,7 @@ gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path ) ...@@ -866,7 +881,7 @@ gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path )
LocaleFree( psz_local_path ); LocaleFree( psz_local_path );
if( val < 0 ) if( val < 0 )
{ {
msg_Err( p_server, "Cannot add trusted CA (%s) : %s", psz_ca_path, msg_Err( p_server, "Cannot add trusted CA (%s): %s", psz_ca_path,
gnutls_strerror( val ) ); gnutls_strerror( val ) );
return VLC_EGENERIC; return VLC_EGENERIC;
} }
...@@ -898,7 +913,7 @@ gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path ) ...@@ -898,7 +913,7 @@ gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
LocaleFree( psz_crl_path ); LocaleFree( psz_crl_path );
if( val < 0 ) if( val < 0 )
{ {
msg_Err( p_server, "Cannot add CRL (%s) : %s", psz_crl_path, msg_Err( p_server, "Cannot add CRL (%s): %s", psz_crl_path,
gnutls_strerror( val ) ); gnutls_strerror( val ) );
return VLC_EGENERIC; return VLC_EGENERIC;
} }
...@@ -928,7 +943,7 @@ gnutls_ServerCreate( tls_t *p_tls, const char *psz_cert_path, ...@@ -928,7 +943,7 @@ gnutls_ServerCreate( tls_t *p_tls, const char *psz_cert_path,
if( p_sys == NULL ) if( p_sys == NULL )
return NULL; return NULL;
p_sys->i_cache_size = get_Int( p_tls, "tls-cache-size" ); p_sys->i_cache_size = get_Int( p_tls, "gnutls-cache-size" );
p_sys->p_cache = (struct saved_session_t *)calloc( p_sys->i_cache_size, p_sys->p_cache = (struct saved_session_t *)calloc( p_sys->i_cache_size,
sizeof( struct saved_session_t ) ); sizeof( struct saved_session_t ) );
if( p_sys->p_cache == NULL ) if( p_sys->p_cache == NULL )
...@@ -964,7 +979,7 @@ gnutls_ServerCreate( tls_t *p_tls, const char *psz_cert_path, ...@@ -964,7 +979,7 @@ gnutls_ServerCreate( tls_t *p_tls, const char *psz_cert_path,
val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred ); val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
if( val != 0 ) if( val != 0 )
{ {
msg_Err( p_server, "Cannot allocate X509 credentials : %s", msg_Err( p_server, "Cannot allocate X509 credentials: %s",
gnutls_strerror( val ) ); gnutls_strerror( val ) );
goto error; goto error;
} }
...@@ -978,7 +993,7 @@ gnutls_ServerCreate( tls_t *p_tls, const char *psz_cert_path, ...@@ -978,7 +993,7 @@ gnutls_ServerCreate( tls_t *p_tls, const char *psz_cert_path,
LocaleFree( psz_key_path ); LocaleFree( psz_key_path );
if( val < 0 ) if( val < 0 )
{ {
msg_Err( p_server, "Cannot set certificate chain or private key : %s", msg_Err( p_server, "Cannot set certificate chain or private key: %s",
gnutls_strerror( val ) ); gnutls_strerror( val ) );
gnutls_certificate_free_credentials( p_sys->x509_cred ); gnutls_certificate_free_credentials( p_sys->x509_cred );
goto error; goto error;
...@@ -993,11 +1008,11 @@ gnutls_ServerCreate( tls_t *p_tls, const char *psz_cert_path, ...@@ -993,11 +1008,11 @@ gnutls_ServerCreate( tls_t *p_tls, const char *psz_cert_path,
{ {
msg_Dbg( p_server, "Computing Diffie Hellman ciphers parameters" ); msg_Dbg( p_server, "Computing Diffie Hellman ciphers parameters" );
val = gnutls_dh_params_generate2( p_sys->dh_params, val = gnutls_dh_params_generate2( p_sys->dh_params,
get_Int( p_tls, "dh-bits" ) ); get_Int( p_tls, "gnutls-dh-bits" ) );
} }
if( val < 0 ) if( val < 0 )
{ {
msg_Err( p_server, "Cannot initialize DH cipher suites : %s", msg_Err( p_server, "Cannot initialize DH cipher suites: %s",
gnutls_strerror( val ) ); gnutls_strerror( val ) );
gnutls_certificate_free_credentials( p_sys->x509_cred ); gnutls_certificate_free_credentials( p_sys->x509_cred );
goto error; goto error;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment