gnutls.c 20.6 KB
Newer Older
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
1
/*****************************************************************************
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
2
 * gnutls.c
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
3
 *****************************************************************************
4
 * Copyright (C) 2004-2015 Rémi Denis-Courmont
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
5 6
 *
 * This program is free software; you can redistribute it and/or modify
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
7 8
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
9 10 11 12 13
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
14
 * GNU Lesser General Public License for more details.
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
15
 *
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
16 17 18
 * You should have received a copy of the GNU Öesser General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
19 20
 *****************************************************************************/

21 22 23 24
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

25
#include <limits.h>
26 27
#include <stdlib.h>
#include <string.h>
28
#include <time.h>
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
29
#include <errno.h>
30
#include <assert.h>
31

32 33
#include <vlc_common.h>
#include <vlc_plugin.h>
34
#include <vlc_tls.h>
35
#include <vlc_block.h>
36
#include <vlc_dialog.h>
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
37 38

#include <gnutls/gnutls.h>
39
#include <gnutls/x509.h>
40

41 42 43 44 45 46 47 48 49
#if (GNUTLS_VERSION_NUMBER >= 0x030300)
static int gnutls_Init (vlc_object_t *obj)
{
    const char *version = gnutls_check_version ("3.3.0");
    if (version == NULL)
    {
        msg_Err (obj, "unsupported GnuTLS version");
        return -1;
    }
Benjamin Drung's avatar
Benjamin Drung committed
50
    msg_Dbg (obj, "using GnuTLS version %s", version);
51 52 53 54 55
    return 0;
}

# define gnutls_Deinit() (void)0
#else
56
#define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_NORMAL
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
57 58
static vlc_mutex_t gnutls_mutex = VLC_STATIC_MUTEX;

59 60 61 62
/**
 * Initializes GnuTLS with proper locking.
 * @return VLC_SUCCESS on success, a VLC error code otherwise.
 */
63
static int gnutls_Init (vlc_object_t *obj)
64
{
65
    const char *version = gnutls_check_version ("3.1.11");
66
    if (version == NULL)
67
    {
68 69
        msg_Err (obj, "unsupported GnuTLS version");
        return -1;
70
    }
Benjamin Drung's avatar
Benjamin Drung committed
71
    msg_Dbg (obj, "using GnuTLS version %s", version);
72

73
    if (gnutls_check_version ("3.3.0") == NULL)
74
    {
75
         int val;
76

77 78 79
         vlc_mutex_lock (&gnutls_mutex);
         val = gnutls_global_init ();
         vlc_mutex_unlock (&gnutls_mutex);
80

81 82 83 84 85 86 87
         if (val)
         {
             msg_Err (obj, "cannot initialize GnuTLS");
             return -1;
         }
    }
    return 0;
88 89 90 91 92
}

/**
 * Deinitializes GnuTLS.
 */
93
static void gnutls_Deinit (void)
94
{
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
95
    vlc_mutex_lock (&gnutls_mutex);
96
    gnutls_global_deinit ();
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
97
    vlc_mutex_unlock (&gnutls_mutex);
98
}
99
#endif
100

101
static int gnutls_Error(vlc_tls_t *tls, int val)
102 103 104 105
{
    switch (val)
    {
        case GNUTLS_E_AGAIN:
106
#ifdef _WIN32
107
            WSASetLastError (WSAEWOULDBLOCK);
108
#endif
109
            errno = EAGAIN;
110
            break;
111 112

        case GNUTLS_E_INTERRUPTED:
113
#ifdef _WIN32
114
            WSASetLastError (WSAEINTR);
115
#endif
116
            errno = EINTR;
117 118 119
            break;

        default:
120
            msg_Err(tls->obj, "%s", gnutls_strerror (val));
121
#ifndef NDEBUG
122
            if (!gnutls_error_is_fatal (val))
123
                msg_Err(tls->obj, "Error above should be handled");
124
#endif
125
#ifdef _WIN32
126
            WSASetLastError (WSAECONNRESET);
127
#endif
128
            errno = ECONNRESET;
129 130 131 132
    }
    return -1;
}

133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159
static ssize_t vlc_gnutls_writev (gnutls_transport_ptr_t ptr,
                                  const giovec_t *giov, int iovcnt)
{
    if (unlikely((unsigned)iovcnt > IOV_MAX))
    {
        errno = EINVAL;
        return -1;
    }
    if (unlikely(iovcnt == 0))
        return 0;

    struct iovec iov[iovcnt];
    struct msghdr msg = {
        .msg_iov = iov,
        .msg_iovlen = iovcnt,
    };
    int fd = (intptr_t)ptr;

    for (int i = 0; i < iovcnt; i++)
    {
        iov[i].iov_base = giov[i].iov_base;
        iov[i].iov_len = giov[i].iov_len;
    }

    return sendmsg (fd, &msg, MSG_NOSIGNAL);
}

160 161 162 163 164 165 166
static int gnutls_GetFD(vlc_tls_t *tls)
{
    gnutls_session_t session = tls->sys;

    return gnutls_transport_get_int(session);
}

167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189
static ssize_t gnutls_Recv(vlc_tls_t *tls, struct iovec *iov, unsigned count)
{
    gnutls_session_t session = tls->sys;
    size_t rcvd = 0;

    while (count > 0)
    {
        ssize_t val = gnutls_record_recv(session, iov->iov_base, iov->iov_len);
        if (val < 0)
            return rcvd ? (ssize_t)rcvd : gnutls_Error(tls, val);

        rcvd += val;

        if ((size_t)val < iov->iov_len)
            break;

        iov++;
        count--;
    }

    return rcvd;
}

190 191
static ssize_t gnutls_Send (vlc_tls_t *tls, const struct iovec *iov,
                            unsigned count)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
192
{
193
    gnutls_session_t session = tls->sys;
194
    ssize_t val;
195

196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211
    if (!gnutls_record_check_corked(session))
    {
        gnutls_record_cork(session);

        while (count > 0)
        {
            val = gnutls_record_send(session, iov->iov_base, iov->iov_len);
            if (val < (ssize_t)iov->iov_len)
                break;

            iov++;
            count--;
        }
    }

    val = gnutls_record_uncork(session, 0);
212
    return (val < 0) ? gnutls_Error (tls, val) : val;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
213 214
}

215 216 217
static int gnutls_Shutdown(vlc_tls_t *tls, bool duplex)
{
    gnutls_session_t session = tls->sys;
218 219 220 221 222 223
    ssize_t val;

    /* Flush any pending data */
    val = gnutls_record_uncork(session, 0);
    if (val < 0)
        return gnutls_Error(tls, val);
224

225 226 227 228 229
    val = gnutls_bye(session, duplex ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
    if (val < 0)
        return gnutls_Error(tls, val);

    return 0;
230 231
}

232 233 234 235 236 237 238
static void gnutls_Close (vlc_tls_t *tls)
{
    gnutls_session_t session = tls->sys;

    gnutls_deinit (session);
}

239 240 241
static int gnutls_SessionOpen(vlc_tls_creds_t *creds, vlc_tls_t *tls, int type,
                              gnutls_certificate_credentials_t x509, int fd,
                              const char *const *alpn)
242
{
243
    gnutls_session_t session;
244 245 246
    const char *errp;
    int val;

247
    val = gnutls_init (&session, type);
248 249
    if (val != 0)
    {
250 251
        msg_Err(creds, "cannot initialize TLS session: %s",
                gnutls_strerror(val));
252 253 254
        return VLC_EGENERIC;
    }

255
    char *priorities = var_InheritString(creds, "gnutls-priorities");
256 257 258
    if (unlikely(priorities == NULL))
        goto error;

259
    val = gnutls_priority_set_direct (session, priorities, &errp);
260
    if (val < 0)
261 262
        msg_Err(creds, "cannot set TLS priorities \"%s\": %s", errp,
                gnutls_strerror(val));
263 264 265 266
    free (priorities);
    if (val < 0)
        goto error;

267
    val = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509);
268 269
    if (val < 0)
    {
270 271
        msg_Err(creds, "cannot set TLS session credentials: %s",
                gnutls_strerror(val));
272 273 274
        goto error;
    }

275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297
    if (alpn != NULL)
    {
        gnutls_datum_t *protv = NULL;
        unsigned protc = 0;

        while (*alpn != NULL)
        {
            gnutls_datum_t *n = realloc(protv, sizeof (*protv) * (protc + 1));
            if (unlikely(n == NULL))
            {
                free(protv);
                goto error;
            }
            protv = n;

            protv[protc].data = (void *)*alpn;
            protv[protc].size = strlen(*alpn);
            protc++;
            alpn++;
        }

        val = gnutls_alpn_set_protocols (session, protv, protc, 0);
        free (protv);
298
    }
299

300
    gnutls_transport_set_int (session, fd);
301
    gnutls_transport_set_vec_push_function (session, vlc_gnutls_writev);
302
    tls->sys = session;
303
    tls->get_fd = gnutls_GetFD;
304
    tls->readv = gnutls_Recv;
305
    tls->writev = gnutls_Send;
306
    tls->shutdown = gnutls_Shutdown;
307
    tls->close = gnutls_Close;
308 309 310
    return VLC_SUCCESS;

error:
311
    gnutls_deinit (session);
312 313
    return VLC_EGENERIC;
}
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
314

315
/**
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
316 317
 * Starts or continues the TLS handshake.
 *
Rémi Denis-Courmont's avatar
Typos  
Rémi Denis-Courmont committed
318
 * @return -1 on fatal error, 0 on successful handshake completion,
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
319 320
 * 1 if more would-be blocking recv is needed,
 * 2 if more would-be blocking send is required.
321
 */
322 323
static int gnutls_ContinueHandshake(vlc_tls_creds_t *crd, vlc_tls_t *tls,
                                    char **restrict alp)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
324
{
325
    gnutls_session_t session = tls->sys;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
326 327
    int val;

328
#ifdef _WIN32
329
    WSASetLastError (0);
330
#endif
331 332
    do
    {
333
        val = gnutls_handshake (session);
334
        msg_Dbg(crd, "TLS handshake: %s", gnutls_strerror (val));
335 336 337 338

        switch (val)
        {
            case GNUTLS_E_SUCCESS:
339
                goto done;
340 341 342
            case GNUTLS_E_AGAIN:
            case GNUTLS_E_INTERRUPTED:
                /* I/O event: return to caller's poll() loop */
343
                return 1 + gnutls_record_get_direction (session);
344
        }
345
    }
346
    while (!gnutls_error_is_fatal (val));
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
347

348
#ifdef _WIN32
349
    msg_Dbg(crd, "Winsock error %d", WSAGetLastError ());
350
#endif
351
    msg_Err(crd, "TLS handshake error: %s", gnutls_strerror (val));
352
    return -1;
353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372

done:
    if (alp != NULL)
    {
        gnutls_datum_t datum;

        val = gnutls_alpn_get_selected_protocol (session, &datum);
        if (val == 0)
        {
            if (memchr (datum.data, 0, datum.size) != NULL)
                return -1; /* Other end is doing something fishy?! */

            *alp = strndup ((char *)datum.data, datum.size);
            if (unlikely(*alp == NULL))
                return -1;
        }
        else
            *alp = NULL;
    }
    return 0;
373 374 375
}

static int gnutls_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *tls,
376 377
                                     int fd, const char *hostname,
                                     const char *const *alpn)
378
{
379
    int val = gnutls_SessionOpen(crd, tls, GNUTLS_CLIENT, crd->sys, fd, alpn);
380 381 382
    if (val != VLC_SUCCESS)
        return val;

383
    gnutls_session_t session = tls->sys;
384 385

    /* minimum DH prime bits */
386
    gnutls_dh_set_prime_bits (session, 1024);
387 388 389

    if (likely(hostname != NULL))
        /* fill Server Name Indication */
390
        gnutls_server_name_set (session, GNUTLS_NAME_DNS,
391 392 393 394 395
                                hostname, strlen (hostname));

    return VLC_SUCCESS;
}

396 397 398
static int gnutls_ClientHandshake(vlc_tls_creds_t *creds, vlc_tls_t *tls,
                                  const char *host, const char *service,
                                  char **restrict alp)
399
{
400
    int val = gnutls_ContinueHandshake(creds, tls, alp);
401 402 403 404
    if (val)
        return val;

    /* certificates chain verification */
405
    gnutls_session_t session = tls->sys;
406 407
    unsigned status;

408
    val = gnutls_certificate_verify_peers3 (session, host, &status);
409 410
    if (val)
    {
411 412
        msg_Err(creds, "Certificate verification error: %s",
                gnutls_strerror(val));
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
413 414 415
error:
        if (alp != NULL)
            free(*alp);
416
        return -1;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
417
    }
418

419
    if (status == 0) /* Good certificate */
420
        return 0;
421

422 423
    /* Bad certificate */
    gnutls_datum_t desc;
424

425
    if (gnutls_certificate_verification_status_print(status,
426
                         gnutls_certificate_type_get (session), &desc, 0) == 0)
427
    {
428
        msg_Err(creds, "Certificate verification failure: %s", desc.data);
429 430 431 432 433 434 435 436
        gnutls_free (desc.data);
    }

    status &= ~GNUTLS_CERT_INVALID; /* always set / catch-all error */
    status &= ~GNUTLS_CERT_SIGNER_NOT_FOUND; /* unknown CA */
    status &= ~GNUTLS_CERT_UNEXPECTED_OWNER; /* mismatched hostname */

    if (status != 0 || host == NULL)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
437
        goto error; /* Really bad certificate */
438

439
    /* Look up mismatching certificate in store */
440 441 442
    const gnutls_datum_t *datum;
    unsigned count;

443
    datum = gnutls_certificate_get_peers (session, &count);
444 445
    if (datum == NULL || count == 0)
    {
446
        msg_Err(creds, "Peer certificate not available");
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
447
        goto error;
448 449
    }

450
    msg_Dbg(creds, "%u certificate(s) in the list", count);
451 452
    val = gnutls_verify_stored_pubkey (NULL, NULL, host, service,
                                       GNUTLS_CRT_X509, datum, 0);
453
    const char *msg;
454 455 456
    switch (val)
    {
        case 0:
457
            msg_Dbg(creds, "certificate key match for %s", host);
458
            return 0;
459
        case GNUTLS_E_NO_CERTIFICATE_FOUND:
460
            msg_Dbg(creds, "no known certificates for %s", host);
461 462 463
            msg = N_("However the security certificate presented by the "
                "server is unknown and could not be authenticated by any "
                "trusted Certificate Authority.");
464 465
            break;
        case GNUTLS_E_CERTIFICATE_KEY_MISMATCH:
466
            msg_Dbg(creds, "certificate keys mismatch for %s", host);
467 468 469
            msg = N_("However the security certificate presented by the "
                "server changed since the previous visit and was not "
                "authenticated by any trusted Certificate Authority. ");
470 471
            break;
        default:
472 473
            msg_Err(creds, "certificate key match error for %s: %s", host,
                    gnutls_strerror(val));
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
474
            goto error;
475
    }
476

477
    if (dialog_Question(creds, _("Insecure site"),
478 479 480 481
        _("You attempted to reach %s. %s\n"
          "This problem may be stem from an attempt to breach your security, "
          "compromise your privacy, or a configuration error.\n\n"
          "If in doubt, abort now.\n"),
482 483
                        _("Abort"), _("View certificate"), NULL,
                        vlc_gettext(msg), host) != 2)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
484
        goto error;
485 486 487 488

    gnutls_x509_crt_t cert;

    if (gnutls_x509_crt_init (&cert))
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
489
        goto error;
490 491 492 493
    if (gnutls_x509_crt_import (cert, datum, GNUTLS_X509_FMT_DER)
     || gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &desc))
    {
        gnutls_x509_crt_deinit (cert);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
494
        goto error;
495 496 497
    }
    gnutls_x509_crt_deinit (cert);

498
    val = dialog_Question(creds, _("Insecure site"),
499 500
         _("This is the certificate presented by %s:\n%s\n\n"
           "If in doubt, abort now.\n"),
501 502
                          _("Abort"), _("Accept 24 hours"),
                          _("Accept permanently"), host, desc.data);
503 504
    gnutls_free (desc.data);

505 506 507 508 509 510 511
    time_t expiry = 0;
    switch (val)
    {
        case 2:
            time (&expiry);
            expiry += 24 * 60 * 60;
        case 3:
512 513 514
            val = gnutls_store_pubkey (NULL, NULL, host, service,
                                       GNUTLS_CRT_X509, datum, expiry, 0);
            if (val)
515
                msg_Err(creds, "cannot store X.509 certificate: %s",
516
                         gnutls_strerror (val));
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
517 518 519
            break;
        default:
            goto error;
520
    }
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
521
    return 0;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
522 523
}

524
/**
525
 * Initializes a client-side TLS credentials.
526
 */
527
static int OpenClient (vlc_tls_creds_t *crd)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
528
{
529
    gnutls_certificate_credentials_t x509;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
530

531 532
    if (gnutls_Init (VLC_OBJECT(crd)))
        return VLC_EGENERIC;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
533

534
    int val = gnutls_certificate_allocate_credentials (&x509);
535
    if (val != 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
536
    {
537
        msg_Err (crd, "cannot allocate credentials: %s",
538
                 gnutls_strerror (val));
539
        gnutls_Deinit ();
540
        return VLC_EGENERIC;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
541
    }
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
542

543
    val = gnutls_certificate_set_x509_system_trust (x509);
544
    if (val < 0)
545
        msg_Err (crd, "cannot load trusted Certificate Authorities: %s",
546
                 gnutls_strerror (val));
547 548
    else
        msg_Dbg (crd, "loaded %d trusted CAs", val);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
549

550 551 552 553 554 555
    gnutls_certificate_set_verify_flags (x509,
                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);

    crd->sys = x509;
    crd->open = gnutls_ClientSessionOpen;
    crd->handshake = gnutls_ClientHandshake;
556

557
    return VLC_SUCCESS;
558
}
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
559

560 561 562 563 564
static void CloseClient (vlc_tls_creds_t *crd)
{
    gnutls_certificate_credentials_t x509 = crd->sys;

    gnutls_certificate_free_credentials (x509);
565
    gnutls_Deinit ();
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
566 567
}

568
#ifdef ENABLE_SOUT
569 570 571 572 573 574 575 576 577
/**
 * Server-side TLS credentials private data
 */
typedef struct vlc_tls_creds_sys
{
    gnutls_certificate_credentials_t x509_cred;
    gnutls_dh_params_t dh_params;
} vlc_tls_creds_sys_t;

578 579 580
/**
 * Initializes a server-side TLS session.
 */
581
static int gnutls_ServerSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *tls,
582 583
                                     int fd, const char *hostname,
                                     const char *const *alpn)
584
{
585 586
    vlc_tls_creds_sys_t *sys = crd->sys;

587
    assert (hostname == NULL);
588 589
    return gnutls_SessionOpen(crd, tls, GNUTLS_SERVER, sys->x509_cred, fd,
                              alpn);
590 591
}

592 593 594
static int gnutls_ServerHandshake(vlc_tls_creds_t *crd, vlc_tls_t *tls,
                                  const char *host, const char *service,
                                  char **restrict alp)
595
{
596
    (void) host; (void) service;
597
    return gnutls_ContinueHandshake(crd, tls, alp);
598 599
}

600
/**
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
601
 * Allocates a whole server's TLS credentials.
602
 */
603
static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
604 605 606
{
    int val;

607
    if (gnutls_Init (VLC_OBJECT(crd)))
608 609
        return VLC_EGENERIC;

610 611
    vlc_tls_creds_sys_t *sys = malloc (sizeof (*sys));
    if (unlikely(sys == NULL))
612 613 614 615
    {
        gnutls_Deinit ();
        return VLC_ENOMEM;
    }
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
616 617

    /* Sets server's credentials */
618 619
    val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
    if (val != 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
620
    {
621
        msg_Err (crd, "cannot allocate credentials: %s",
622
                 gnutls_strerror (val));
623 624 625
        free (sys);
        gnutls_Deinit ();
        return VLC_ENOMEM;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
626 627
    }

628 629 630
    block_t *certblock = block_FilePath (cert);
    if (certblock == NULL)
    {
631 632
        msg_Err (crd, "cannot read certificate chain from %s: %s", cert,
                 vlc_strerror_c(errno));
633
        goto error;
634 635 636 637 638
    }

    block_t *keyblock = block_FilePath (key);
    if (keyblock == NULL)
    {
639 640
        msg_Err (crd, "cannot read private key from %s: %s", key,
                 vlc_strerror_c(errno));
641
        block_Release (certblock);
642
        goto error;
643 644 645 646 647 648 649 650 651 652 653
    }

    gnutls_datum_t pub = {
       .data = certblock->p_buffer,
       .size = certblock->i_buffer,
    }, priv = {
       .data = keyblock->p_buffer,
       .size = keyblock->i_buffer,
    };

    val = gnutls_certificate_set_x509_key_mem (sys->x509_cred, &pub, &priv,
654
                                                GNUTLS_X509_FMT_PEM);
655 656
    block_Release (keyblock);
    block_Release (certblock);
657
    if (val < 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
658
    {
659
        msg_Err (crd, "cannot load X.509 key: %s", gnutls_strerror (val));
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
660
        goto error;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
661 662
    }

663
    /* FIXME:
664
     * - regenerate these regularly
665
     * - support other cipher suites
666
     */
667
    val = gnutls_dh_params_init (&sys->dh_params);
668 669
    if (val >= 0)
    {
670 671
        gnutls_sec_param_t sec = GNUTLS_SEC_PARAM_MEDIUM;
        unsigned bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, sec);
672

673 674
        msg_Dbg (crd, "generating Diffie-Hellman %u-bits parameters...", bits);
        val = gnutls_dh_params_generate2 (sys->dh_params, bits);
675
        if (val == 0)
676 677
            gnutls_certificate_set_dh_params (sys->x509_cred,
                                              sys->dh_params);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
678
    }
679
    if (val < 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
680
    {
681
        msg_Err (crd, "cannot initialize DHE cipher suites: %s",
682
                 gnutls_strerror (val));
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
683 684
    }

685 686
    msg_Dbg (crd, "ciphers parameters loaded");

687 688
    crd->sys = sys;
    crd->open = gnutls_ServerSessionOpen;
689
    crd->handshake = gnutls_ServerHandshake;
690

691
    return VLC_SUCCESS;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
692 693

error:
694
    gnutls_certificate_free_credentials (sys->x509_cred);
695
    free (sys);
696
    gnutls_Deinit ();
697
    return VLC_EGENERIC;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
698 699
}

700
/**
701
 * Destroys a TLS server object.
702
 */
703
static void CloseServer (vlc_tls_creds_t *crd)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
704
{
705
    vlc_tls_creds_sys_t *sys = crd->sys;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
706

707
    /* all sessions depending on the server are now deinitialized */
708 709 710
    gnutls_certificate_free_credentials (sys->x509_cred);
    gnutls_dh_params_deinit (sys->dh_params);
    free (sys);
711
    gnutls_Deinit ();
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
712
}
713
#endif
714

715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732
#define PRIORITIES_TEXT N_("TLS cipher priorities")
#define PRIORITIES_LONGTEXT N_("Ciphers, key exchange methods, " \
    "hash functions and compression methods can be selected. " \
    "Refer to GNU TLS documentation for detailed syntax.")
static const char *const priorities_values[] = {
    "PERFORMANCE",
    "NORMAL",
    "SECURE128",
    "SECURE256",
    "EXPORT",
};
static const char *const priorities_text[] = {
    N_("Performance (prioritize faster ciphers)"),
    N_("Normal"),
    N_("Secure 128-bits (exclude 256-bits ciphers)"),
    N_("Secure 256-bits (prioritize 256-bits ciphers)"),
    N_("Export (include insecure ciphers)"),
};
733

734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752
vlc_module_begin ()
    set_shortname( "GNU TLS" )
    set_description( N_("GNU TLS transport layer security") )
    set_capability( "tls client", 1 )
    set_callbacks( OpenClient, CloseClient )
    set_category( CAT_ADVANCED )
    set_subcategory( SUBCAT_ADVANCED_NETWORK )
    add_string ("gnutls-priorities", "NORMAL", PRIORITIES_TEXT,
                PRIORITIES_LONGTEXT, false)
        change_string_list (priorities_values, priorities_text)
#ifdef ENABLE_SOUT
    add_submodule ()
        set_description( N_("GNU TLS server") )
        set_capability( "tls server", 1 )
        set_category( CAT_ADVANCED )
        set_subcategory( SUBCAT_ADVANCED_NETWORK )
        set_callbacks( OpenServer, CloseServer )
#endif
vlc_module_end ()