vlc_tls.h 9.49 KB
Newer Older
1
/*****************************************************************************
2
 * vlc_tls.h: Transport Layer Security API
3
 *****************************************************************************
4
 * Copyright (C) 2004-2016 Rémi Denis-Courmont
Jean-Baptiste Kempf's avatar
LGPL  
Jean-Baptiste Kempf committed
5
 * Copyright (C) 2005-2006 VLC authors and VideoLAN
6
 *
Jean-Baptiste Kempf's avatar
LGPL  
Jean-Baptiste Kempf committed
7 8 9
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
10 11 12 13
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
Jean-Baptiste Kempf's avatar
LGPL  
Jean-Baptiste Kempf committed
14 15
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
16
 *
Jean-Baptiste Kempf's avatar
LGPL  
Jean-Baptiste Kempf committed
17 18 19
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
20 21
 *****************************************************************************/

22 23
#ifndef VLC_TLS_H
# define VLC_TLS_H
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
24

25
/**
26 27 28
 * \ingroup sockets
 * \defgroup tls Transport Layer Security
 * @{
29
 * \file
30
 * Transport Layer Security (TLS) functions
31 32
 */

Clément Stenac's avatar
Clément Stenac committed
33
# include <vlc_network.h>
34

35 36 37
typedef struct vlc_tls vlc_tls_t;
typedef struct vlc_tls_creds vlc_tls_creds_t;

38
/** TLS session */
39
struct vlc_tls
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
40
{
41
    int (*get_fd)(struct vlc_tls *);
42
    ssize_t (*readv)(struct vlc_tls *, struct iovec *, unsigned);
43
    ssize_t (*writev)(struct vlc_tls *, const struct iovec *, unsigned);
44
    int (*shutdown)(struct vlc_tls *, bool duplex);
45
    void (*close)(struct vlc_tls *);
46

47
    struct vlc_tls *p;
48
};
49

50 51 52
/**
 * Initiates a client TLS session.
 *
53 54
 * Initiates a Transport Layer Security (TLS) session as the client side, using
 * trusted root CAs previously loaded with vlc_tls_ClientCreate().
55
 *
56 57 58 59 60
 * This is a blocking network operation and may be a thread cancellation point.
 *
 * @param creds X.509 credentials, i.e. set of root certificates of trusted
 *              certificate authorities
 * @param sock socket through which to establish the secure channel
61
 * @param hostname expected server name, used both as Server Name Indication
62
 *                 and as expected Common Name of the peer certificate [IN]
63
 * @param service unique identifier for the service to connect to
64
 *                (only used locally for certificates database) [IN]
65
 * @param alpn NULL-terminated list of Application Layer Protocols
66
 *             to negotiate, or NULL to not negotiate protocols [IN]
67
 * @param alp storage space for the negotiated Application Layer
68 69 70
 *            Protocol or NULL if negotiation was not performed [OUT]
 *
 * @note The credentials must remain valid until the session is finished.
71 72 73
 *
 * @return TLS session, or NULL on error.
 **/
74 75 76 77 78 79
VLC_API vlc_tls_t *vlc_tls_ClientSessionCreate(vlc_tls_creds_t *creds,
                                               vlc_tls_t *sock,
                                               const char *host,
                                               const char *service,
                                               const char *const *alpn,
                                               char **alp);
80

81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101
/**
 * Creates a TLS server session.
 *
 * Allocates a Transport Layer Security (TLS) session as the server side, using
 * cryptographic keys pair and X.509 certificates chain already loaded with
 * vlc_tls_ServerCreate().
 *
 * Unlike vlc_tls_ClientSessionCreate(), this function does not perform any
 * actual network I/O. vlc_tls_SessionHandshake() must be used to perform the
 * TLS handshake before sending and receiving data through the TLS session.
 *
 * This function is non-blocking and is not a cancellation point.
 *
 * @param creds server credentials, i.e. keys pair and X.509 certificates chain
 * @param alpn NULL-terminated list of Application Layer Protocols
 *             to negotiate, or NULL to not negotiate protocols
 *
 * @return TLS session, or NULL on error.
 */
VLC_API vlc_tls_t *vlc_tls_ServerSessionCreate(vlc_tls_creds_t *creds, int fd,
                                               const char *const *alpn);
102 103

/**
104
 * Destroys a TLS session down.
105
 *
106 107
 * All resources associated with the TLS session are released.
 *
108
 * If the session was established successfully, then shutdown cleanly, the
109 110 111
 * underlying socket can be reused. Otherwise, it must be closed. Either way,
 * this function does not close the underlying socket: Use vlc_tls_Close()
 * instead to close it at the same.
112 113 114
 *
 * This function is non-blocking and is not a cancellation point.
 */
115
VLC_API void vlc_tls_SessionDelete (vlc_tls_t *);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
116

117 118 119 120 121
static inline int vlc_tls_GetFD(vlc_tls_t *tls)
{
    return tls->get_fd(tls);
}

122 123 124
/**
 * Receives data through a TLS session.
 */
125
VLC_API ssize_t vlc_tls_Read(vlc_tls_t *, void *buf, size_t len, bool waitall);
126
VLC_API char *vlc_tls_GetLine(vlc_tls_t *);
127 128 129 130

/**
 * Sends data through a TLS session.
 */
131
VLC_API ssize_t vlc_tls_Write(vlc_tls_t *, const void *buf, size_t len);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
132

133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151
/**
 * Terminates a TLS session.
 *
 * This sends the TLS session close notification to the other end, securely
 * indicating that no further data will be sent. Data can still be received
 * until a close notification is received from the other end.
 *
 * @param duplex whether to stop receiving data as well
 * @retval 0 the session was terminated securely and cleanly
 *           (the underlying socket can be reused for other purposes)
 * @return -1 the session was terminated locally, but either a notification
 *            could not be sent or received (the underlying socket cannot be
 *            reused and must be closed)
 */
static inline int vlc_tls_Shutdown(vlc_tls_t *tls, bool duplex)
{
    return tls->shutdown(tls, duplex);
}

152 153
# define tls_Recv(a,b,c) vlc_tls_Read(a,b,c,false)
# define tls_Send(a,b,c) vlc_tls_Write(a,b,c)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
154

155 156 157 158 159 160 161
/**
 * Closes a TLS session and underlying connection.
 *
 * This function is non-blocking and is a cancellation point.
 */
static inline void vlc_tls_Close(vlc_tls_t *session)
{
162 163 164 165 166 167 168 169
    do
    {
        vlc_tls_t *p = session->p;

        vlc_tls_SessionDelete(session);
        session = p;
    }
    while (session != NULL);
170 171
}

172
/** TLS credentials (certificate, private and trust settings) */
173
struct vlc_tls_creds
174 175
{
    VLC_COMMON_MEMBERS
176

177
    module_t  *module;
178
    void *sys;
179

180 181
    vlc_tls_t *(*open)(vlc_tls_creds_t *, vlc_tls_t *sock,
                       const char *host, const char *const *alpn);
182
    int  (*handshake)(vlc_tls_creds_t *, vlc_tls_t *session, const char *host,
183
                      const char *service, char ** /*restrict*/ alp);
184
};
185

186 187 188 189 190 191
/**
 * Allocates TLS credentials for a client.
 * Credentials can be cached and reused across multiple TLS sessions.
 *
 * @return TLS credentials object, or NULL on error.
 **/
192
VLC_API vlc_tls_creds_t *vlc_tls_ClientCreate (vlc_object_t *);
193 194 195 196

/**
 * Allocates server TLS credentials.
 *
197 198 199
 * @param cert path to an x509 certificate (required)
 * @param key path to the PKCS private key for the certificate,
 *            or NULL to use cert path
200 201 202
 *
 * @return TLS credentials object, or NULL on error.
 */
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
203 204 205
VLC_API vlc_tls_creds_t *vlc_tls_ServerCreate (vlc_object_t *,
                                               const char *cert,
                                               const char *key);
206

207 208 209
static inline int vlc_tls_SessionHandshake (vlc_tls_creds_t *crd,
                                            vlc_tls_t *tls)
{
210
    return crd->handshake(crd, tls, NULL, NULL, NULL);
211 212
}

213 214 215 216 217 218 219 220
/**
 * Releases TLS credentials.
 *
 * Releases data allocated with vlc_tls_ClientCreate() or
 * vlc_tls_ServerCreate().
 *
 * @param srv object to be destroyed (or NULL)
 */
221
VLC_API void vlc_tls_Delete (vlc_tls_creds_t *);
222

223
/**
224
 * Creates a transport-layer stream from a socket.
225
 *
226 227
 * Creates a transport-layer I/O stream from a socket file descriptor.
 * Data will be sent and received directly through the socket. This can be used
228 229
 * either to share common code between non-TLS and TLS cases, or for testing
 * purposes.
230 231
 *
 * This function is not a cancellation point.
232
 */
233
VLC_API vlc_tls_t *vlc_tls_SocketOpen(int fd);
234

235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254
struct addrinfo;

/**
 * Creates a transport-layer stream from a struct addrinfo.
 *
 * This is convenience wrapper for vlc_tls_SocketOpen().
 * \note The function currently iterates through the addrinfo linked list.
 * Future versions may implement different behaviour (e.g. RFC6555).
 */
vlc_tls_t *vlc_tls_SocketOpenAddrInfo(vlc_object_t *obj,
                                      const struct addrinfo *);

/**
 * Creates a transport-layer TCP stream from a name and port.
 *
 * This is a convenience wrapper for vlc_tls_SocketOpenAddrInfo().
 */
VLC_API vlc_tls_t *vlc_tls_SocketOpenTCP(vlc_object_t *obj,
                                         const char *hostname, unsigned port);

255 256 257 258 259 260 261 262
/**
 * Initiates a TLS session over TCP.
 */
VLC_API vlc_tls_t *vlc_tls_SocketOpenTLS(vlc_tls_creds_t *crd,
                                         const char *hostname, unsigned port,
                                         const char *service,
                                         const char *const *alpn, char **alp);

263 264 265 266 267
VLC_DEPRECATED
static inline vlc_tls_t *
vlc_tls_ClientSessionCreateFD(vlc_tls_creds_t *crd, int fd, const char *host,
                              const char *srv, const char *const *lp, char **p)
{
268
    vlc_tls_t *sock = vlc_tls_SocketOpen(fd);
269 270 271 272 273
    if (unlikely(sock == NULL))
        return NULL;

    vlc_tls_t *tls = vlc_tls_ClientSessionCreate(crd, sock, host, srv, lp, p);
    if (unlikely(tls == NULL))
274
        free(sock);
275 276 277 278 279
    else
        tls->p = sock;
    return tls;
}

280 281
/** @} */

Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
282
#endif