gnutls.c 19.2 KB
Newer Older
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
1
/*****************************************************************************
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
2
 * gnutls.c
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
3
 *****************************************************************************
4
 * Copyright (C) 2004-2014 Rémi Denis-Courmont
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
5 6
 *
 * This program is free software; you can redistribute it and/or modify
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
7 8
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
9 10 11 12 13
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
14
 * GNU Lesser General Public License for more details.
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
15
 *
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
16 17 18
 * You should have received a copy of the GNU Öesser General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
19 20
 *****************************************************************************/

21 22 23 24
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

25 26
#include <stdlib.h>
#include <string.h>
27
#include <time.h>
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
28
#include <errno.h>
29
#include <assert.h>
30

31 32
#include <vlc_common.h>
#include <vlc_plugin.h>
33
#include <vlc_tls.h>
34
#include <vlc_block.h>
35
#include <vlc_dialog.h>
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
36 37

#include <gnutls/gnutls.h>
38
#include <gnutls/x509.h>
39 40
#include "dhparams.h"

41 42 43 44 45 46 47 48 49
#if (GNUTLS_VERSION_NUMBER >= 0x030300)
static int gnutls_Init (vlc_object_t *obj)
{
    const char *version = gnutls_check_version ("3.3.0");
    if (version == NULL)
    {
        msg_Err (obj, "unsupported GnuTLS version");
        return -1;
    }
50
    msg_Dbg (obj, "using GnuTLS verson %s", version);
51 52 53 54 55
    return 0;
}

# define gnutls_Deinit() (void)0
#else
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
56 57
static vlc_mutex_t gnutls_mutex = VLC_STATIC_MUTEX;

58 59 60 61
/**
 * Initializes GnuTLS with proper locking.
 * @return VLC_SUCCESS on success, a VLC error code otherwise.
 */
62
static int gnutls_Init (vlc_object_t *obj)
63
{
64
    const char *version = gnutls_check_version ("3.1.11");
65
    if (version == NULL)
66
    {
67 68
        msg_Err (obj, "unsupported GnuTLS version");
        return -1;
69
    }
70
    msg_Dbg (obj, "using GnuTLS verson %s", version);
71

72
    if (gnutls_check_version ("3.3.0") == NULL)
73
    {
74
         int val;
75

76 77 78
         vlc_mutex_lock (&gnutls_mutex);
         val = gnutls_global_init ();
         vlc_mutex_unlock (&gnutls_mutex);
79

80 81 82 83 84 85 86
         if (val)
         {
             msg_Err (obj, "cannot initialize GnuTLS");
             return -1;
         }
    }
    return 0;
87 88 89 90 91
}

/**
 * Deinitializes GnuTLS.
 */
92
static void gnutls_Deinit (void)
93
{
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
94
    vlc_mutex_lock (&gnutls_mutex);
95
    gnutls_global_deinit ();
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
96
    vlc_mutex_unlock (&gnutls_mutex);
97
}
98
#endif
99

100 101 102 103 104
static int gnutls_Error (vlc_object_t *obj, int val)
{
    switch (val)
    {
        case GNUTLS_E_AGAIN:
105
#ifdef _WIN32
106 107
            WSASetLastError (WSAEWOULDBLOCK);
#else
108
            errno = EAGAIN;
109
#endif
110
            break;
111 112

        case GNUTLS_E_INTERRUPTED:
113
#ifdef _WIN32
114
            WSASetLastError (WSAEINTR);
115
#else
116
            errno = EINTR;
117
#endif
118 119 120 121
            break;

        default:
            msg_Err (obj, "%s", gnutls_strerror (val));
122
#ifndef NDEBUG
123 124 125
            if (!gnutls_error_is_fatal (val))
                msg_Err (obj, "Error above should be handled");
#endif
126
#ifdef _WIN32
127
            WSASetLastError (WSAECONNRESET);
128
#else
129
            errno = ECONNRESET;
130
#endif
131 132 133
    }
    return -1;
}
134
#define gnutls_Error(o, val) gnutls_Error(VLC_OBJECT(o), val)
135

136
/**
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
137
 * Sends data through a TLS session.
138
 */
139
static int gnutls_Send (void *opaque, const void *buf, size_t length)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
140
{
141 142 143 144
    assert (opaque != NULL);

    vlc_tls_t *tls = opaque;
    gnutls_session_t session = tls->sys;
145

146 147
    int val = gnutls_record_send (session, buf, length);
    return (val < 0) ? gnutls_Error (tls, val) : val;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
148 149 150
}


151
/**
152
 * Receives data through a TLS session.
153
 */
154
static int gnutls_Recv (void *opaque, void *buf, size_t length)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
155
{
156
    assert (opaque != NULL);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
157

158 159
    vlc_tls_t *tls = opaque;
    gnutls_session_t session = tls->sys;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
160

161 162
    int val = gnutls_record_recv (session, buf, length);
    return (val < 0) ? gnutls_Error (tls, val) : val;
163 164 165
}

static int gnutls_SessionOpen (vlc_tls_t *tls, int type,
166 167
                               gnutls_certificate_credentials_t x509, int fd,
                               const char *const *alpn)
168
{
169
    gnutls_session_t session;
170 171 172
    const char *errp;
    int val;

173
    val = gnutls_init (&session, type);
174 175 176 177 178 179 180 181 182 183 184
    if (val != 0)
    {
        msg_Err (tls, "cannot initialize TLS session: %s",
                 gnutls_strerror (val));
        return VLC_EGENERIC;
    }

    char *priorities = var_InheritString (tls, "gnutls-priorities");
    if (unlikely(priorities == NULL))
        goto error;

185
    val = gnutls_priority_set_direct (session, priorities, &errp);
186 187 188 189 190 191 192
    if (val < 0)
        msg_Err (tls, "cannot set TLS priorities \"%s\": %s", errp,
                 gnutls_strerror (val));
    free (priorities);
    if (val < 0)
        goto error;

193
    val = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509);
194 195 196 197 198 199 200
    if (val < 0)
    {
        msg_Err (tls, "cannot set TLS session credentials: %s",
                 gnutls_strerror (val));
        goto error;
    }

201
#ifdef GNUTLS_ALPN_MAND
202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225
    if (alpn != NULL)
    {
        gnutls_datum_t *protv = NULL;
        unsigned protc = 0;

        while (*alpn != NULL)
        {
            gnutls_datum_t *n = realloc(protv, sizeof (*protv) * (protc + 1));
            if (unlikely(n == NULL))
            {
                free(protv);
                goto error;
            }
            protv = n;

            protv[protc].data = (void *)*alpn;
            protv[protc].size = strlen(*alpn);
            protc++;
            alpn++;
        }

        val = gnutls_alpn_set_protocols (session, protv, protc, 0);
        free (protv);
    }
226 227 228
#else
    VLC_UNUSED(alpn);
#endif
229

230
    gnutls_transport_set_int (session, fd);
231

232 233
    tls->sys = session;
    tls->sock.p_sys = NULL;
234 235 236 237 238
    tls->sock.pf_send = gnutls_Send;
    tls->sock.pf_recv = gnutls_Recv;
    return VLC_SUCCESS;

error:
239
    gnutls_deinit (session);
240 241
    return VLC_EGENERIC;
}
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
242

243
/**
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
244 245
 * Starts or continues the TLS handshake.
 *
Rémi Denis-Courmont's avatar
Typos  
Rémi Denis-Courmont committed
246
 * @return -1 on fatal error, 0 on successful handshake completion,
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
247 248
 * 1 if more would-be blocking recv is needed,
 * 2 if more would-be blocking send is required.
249
 */
250
static int gnutls_ContinueHandshake (vlc_tls_t *tls, char **restrict alp)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
251
{
252
    gnutls_session_t session = tls->sys;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
253 254
    int val;

255
#ifdef _WIN32
256
    WSASetLastError (0);
257
#endif
258 259
    do
    {
260
        val = gnutls_handshake (session);
261 262 263 264 265
        msg_Dbg (tls, "TLS handshake: %s", gnutls_strerror (val));

        switch (val)
        {
            case GNUTLS_E_SUCCESS:
266
                goto done;
267 268 269
            case GNUTLS_E_AGAIN:
            case GNUTLS_E_INTERRUPTED:
                /* I/O event: return to caller's poll() loop */
270
                return 1 + gnutls_record_get_direction (session);
271
        }
272
    }
273
    while (!gnutls_error_is_fatal (val));
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
274

275
#ifdef _WIN32
276
    msg_Dbg (tls, "Winsock error %d", WSAGetLastError ());
277
#endif
278 279
    msg_Err (tls, "TLS handshake error: %s", gnutls_strerror (val));
    return -1;
280 281

done:
282
#ifdef GNUTLS_ALPN_MAND
283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299
    if (alp != NULL)
    {
        gnutls_datum_t datum;

        val = gnutls_alpn_get_selected_protocol (session, &datum);
        if (val == 0)
        {
            if (memchr (datum.data, 0, datum.size) != NULL)
                return -1; /* Other end is doing something fishy?! */

            *alp = strndup ((char *)datum.data, datum.size);
            if (unlikely(*alp == NULL))
                return -1;
        }
        else
            *alp = NULL;
    }
300 301 302
#else
    VLC_UNUSED(alp);
#endif
303
    return 0;
304 305
}

306 307 308 309 310 311 312 313 314 315 316 317 318 319
/**
 * Terminates TLS session and releases session data.
 * You still have to close the socket yourself.
 */
static void gnutls_SessionClose (vlc_tls_t *tls)
{
    gnutls_session_t session = tls->sys;

    if (tls->sock.p_sys != NULL)
        gnutls_bye (session, GNUTLS_SHUT_WR);

    gnutls_deinit (session);
}

320
static int gnutls_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *tls,
321 322
                                     int fd, const char *hostname,
                                     const char *const *alpn)
323
{
324
    int val = gnutls_SessionOpen (tls, GNUTLS_CLIENT, crd->sys, fd, alpn);
325 326 327
    if (val != VLC_SUCCESS)
        return val;

328
    gnutls_session_t session = tls->sys;
329 330

    /* minimum DH prime bits */
331
    gnutls_dh_set_prime_bits (session, 1024);
332 333 334

    if (likely(hostname != NULL))
        /* fill Server Name Indication */
335
        gnutls_server_name_set (session, GNUTLS_NAME_DNS,
336 337 338 339 340 341
                                hostname, strlen (hostname));

    return VLC_SUCCESS;
}

static int gnutls_ClientHandshake (vlc_tls_t *tls, const char *host,
342
                                   const char *service, char **restrict alp)
343
{
344
    int val = gnutls_ContinueHandshake (tls, alp);
345 346 347 348
    if (val)
        return val;

    /* certificates chain verification */
349
    gnutls_session_t session = tls->sys;
350 351
    unsigned status;

352
    val = gnutls_certificate_verify_peers3 (session, host, &status);
353 354 355 356
    if (val)
    {
        msg_Err (tls, "Certificate verification error: %s",
                 gnutls_strerror (val));
357 358
failure:
        gnutls_bye (session, GNUTLS_SHUT_RDWR);
359
        return -1;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
360
    }
361

362
    if (status == 0)
363 364 365 366 367
    {   /* Good certificate */
success:
        tls->sock.p_sys = tls;
        return 0;
    }
368

369 370
    /* Bad certificate */
    gnutls_datum_t desc;
371

372
    if (gnutls_certificate_verification_status_print(status,
373
                         gnutls_certificate_type_get (session), &desc, 0) == 0)
374 375 376 377 378 379 380 381 382 383
    {
        msg_Err (tls, "Certificate verification failure: %s", desc.data);
        gnutls_free (desc.data);
    }

    status &= ~GNUTLS_CERT_INVALID; /* always set / catch-all error */
    status &= ~GNUTLS_CERT_SIGNER_NOT_FOUND; /* unknown CA */
    status &= ~GNUTLS_CERT_UNEXPECTED_OWNER; /* mismatched hostname */

    if (status != 0 || host == NULL)
384
        goto failure; /* Really bad certificate */
385

386
    /* Look up mismatching certificate in store */
387 388 389
    const gnutls_datum_t *datum;
    unsigned count;

390
    datum = gnutls_certificate_get_peers (session, &count);
391 392 393
    if (datum == NULL || count == 0)
    {
        msg_Err (tls, "Peer certificate not available");
394
        goto failure;
395 396 397 398 399
    }

    msg_Dbg (tls, "%u certificate(s) in the list", count);
    val = gnutls_verify_stored_pubkey (NULL, NULL, host, service,
                                       GNUTLS_CRT_X509, datum, 0);
400
    const char *msg;
401 402 403
    switch (val)
    {
        case 0:
404 405
            msg_Dbg (tls, "certificate key match for %s", host);
            goto success;
406
        case GNUTLS_E_NO_CERTIFICATE_FOUND:
407 408 409 410
            msg_Dbg (tls, "no known certificates for %s", host);
            msg = N_("However the security certificate presented by the "
                "server is unknown and could not be authenticated by any "
                "trusted Certificate Authority.");
411 412
            break;
        case GNUTLS_E_CERTIFICATE_KEY_MISMATCH:
413 414 415 416
            msg_Dbg (tls, "certificate keys mismatch for %s", host);
            msg = N_("However the security certificate presented by the "
                "server changed since the previous visit and was not "
                "authenticated by any trusted Certificate Authority. ");
417 418
            break;
        default:
419
            msg_Err (tls, "certificate key match error for %s: %s", host,
420
                     gnutls_strerror (val));
421
            goto failure;
422
    }
423

424 425 426 427 428 429 430
    if (dialog_Question (tls, _("Insecure site"),
        _("You attempted to reach %s. %s\n"
          "This problem may be stem from an attempt to breach your security, "
          "compromise your privacy, or a configuration error.\n\n"
          "If in doubt, abort now.\n"),
                         _("Abort"), _("View certificate"), NULL,
                         vlc_gettext (msg), host) != 2)
431
        goto failure;
432 433 434 435

    gnutls_x509_crt_t cert;

    if (gnutls_x509_crt_init (&cert))
436
        goto failure;
437 438 439 440
    if (gnutls_x509_crt_import (cert, datum, GNUTLS_X509_FMT_DER)
     || gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &desc))
    {
        gnutls_x509_crt_deinit (cert);
441
        goto failure;
442 443 444
    }
    gnutls_x509_crt_deinit (cert);

445
    val = dialog_Question (tls, _("Insecure site"),
446 447 448 449
         _("This is the certificate presented by %s:\n%s\n\n"
           "If in doubt, abort now.\n"),
                           _("Abort"), _("Accept 24 hours"),
                           _("Accept permanently"), host, desc.data);
450 451
    gnutls_free (desc.data);

452 453 454 455 456 457 458
    time_t expiry = 0;
    switch (val)
    {
        case 2:
            time (&expiry);
            expiry += 24 * 60 * 60;
        case 3:
459 460 461
            val = gnutls_store_pubkey (NULL, NULL, host, service,
                                       GNUTLS_CRT_X509, datum, expiry, 0);
            if (val)
462
                msg_Err (tls, "cannot store X.509 certificate: %s",
463
                         gnutls_strerror (val));
464
            goto success;
465
    }
466
    goto failure;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
467 468
}

469
/**
470
 * Initializes a client-side TLS credentials.
471
 */
472
static int OpenClient (vlc_tls_creds_t *crd)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
473
{
474
    gnutls_certificate_credentials_t x509;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
475

476 477
    if (gnutls_Init (VLC_OBJECT(crd)))
        return VLC_EGENERIC;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
478

479
    int val = gnutls_certificate_allocate_credentials (&x509);
480
    if (val != 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
481
    {
482
        msg_Err (crd, "cannot allocate credentials: %s",
483
                 gnutls_strerror (val));
484
        gnutls_Deinit ();
485
        return VLC_EGENERIC;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
486
    }
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
487

488
    val = gnutls_certificate_set_x509_system_trust (x509);
489
    if (val < 0)
490
        msg_Err (crd, "cannot load trusted Certificate Authorities: %s",
491
                 gnutls_strerror (val));
492 493
    else
        msg_Dbg (crd, "loaded %d trusted CAs", val);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
494

495 496 497 498 499 500 501
    gnutls_certificate_set_verify_flags (x509,
                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);

    crd->sys = x509;
    crd->open = gnutls_ClientSessionOpen;
    crd->handshake = gnutls_ClientHandshake;
    crd->close = gnutls_SessionClose;
502

503
    return VLC_SUCCESS;
504
}
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
505

506 507 508 509 510
static void CloseClient (vlc_tls_creds_t *crd)
{
    gnutls_certificate_credentials_t x509 = crd->sys;

    gnutls_certificate_free_credentials (x509);
511
    gnutls_Deinit ();
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
512 513
}

514
#ifdef ENABLE_SOUT
515 516 517 518 519 520 521 522 523
/**
 * Server-side TLS credentials private data
 */
typedef struct vlc_tls_creds_sys
{
    gnutls_certificate_credentials_t x509_cred;
    gnutls_dh_params_t dh_params;
} vlc_tls_creds_sys_t;

524 525 526
/**
 * Initializes a server-side TLS session.
 */
527
static int gnutls_ServerSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *tls,
528 529
                                     int fd, const char *hostname,
                                     const char *const *alpn)
530
{
531 532
    vlc_tls_creds_sys_t *sys = crd->sys;

533
    assert (hostname == NULL);
534
    return gnutls_SessionOpen (tls, GNUTLS_SERVER, sys->x509_cred, fd, alpn);
535 536
}

537
static int gnutls_ServerHandshake (vlc_tls_t *tls, const char *host,
538
                                   const char *service, char **restrict alp)
539
{
540
    int val = gnutls_ContinueHandshake (tls, alp);
541
    if (val == 0)
542
        tls->sock.p_sys = tls;
543

544 545
    (void) host; (void) service;
    return val;
546 547
}

548
/**
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
549
 * Allocates a whole server's TLS credentials.
550
 */
551
static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
552 553 554
{
    int val;

555
    if (gnutls_Init (VLC_OBJECT(crd)))
556 557
        return VLC_EGENERIC;

558 559
    vlc_tls_creds_sys_t *sys = malloc (sizeof (*sys));
    if (unlikely(sys == NULL))
560 561 562 563
    {
        gnutls_Deinit ();
        return VLC_ENOMEM;
    }
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
564 565

    /* Sets server's credentials */
566 567
    val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
    if (val != 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
568
    {
569
        msg_Err (crd, "cannot allocate credentials: %s",
570
                 gnutls_strerror (val));
571 572 573
        free (sys);
        gnutls_Deinit ();
        return VLC_ENOMEM;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
574 575
    }

576 577 578
    block_t *certblock = block_FilePath (cert);
    if (certblock == NULL)
    {
579 580
        msg_Err (crd, "cannot read certificate chain from %s: %s", cert,
                 vlc_strerror_c(errno));
581
        goto error;
582 583 584 585 586
    }

    block_t *keyblock = block_FilePath (key);
    if (keyblock == NULL)
    {
587 588
        msg_Err (crd, "cannot read private key from %s: %s", key,
                 vlc_strerror_c(errno));
589
        block_Release (certblock);
590
        goto error;
591 592 593 594 595 596 597 598 599 600 601
    }

    gnutls_datum_t pub = {
       .data = certblock->p_buffer,
       .size = certblock->i_buffer,
    }, priv = {
       .data = keyblock->p_buffer,
       .size = keyblock->i_buffer,
    };

    val = gnutls_certificate_set_x509_key_mem (sys->x509_cred, &pub, &priv,
602
                                                GNUTLS_X509_FMT_PEM);
603 604
    block_Release (keyblock);
    block_Release (certblock);
605
    if (val < 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
606
    {
607
        msg_Err (crd, "cannot load X.509 key: %s", gnutls_strerror (val));
608
        gnutls_certificate_free_credentials (sys->x509_cred);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
609
        goto error;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
610 611
    }

612
    /* FIXME:
613
     * - support other cipher suites
614
     */
615
    val = gnutls_dh_params_init (&sys->dh_params);
616 617
    if (val >= 0)
    {
618 619 620 621 622
        const gnutls_datum_t data = {
            .data = (unsigned char *)dh_params,
            .size = sizeof (dh_params) - 1,
        };

623
        val = gnutls_dh_params_import_pkcs3 (sys->dh_params, &data,
624 625
                                             GNUTLS_X509_FMT_PEM);
        if (val == 0)
626 627
            gnutls_certificate_set_dh_params (sys->x509_cred,
                                              sys->dh_params);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
628
    }
629
    if (val < 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
630
    {
631
        msg_Err (crd, "cannot initialize DHE cipher suites: %s",
632
                 gnutls_strerror (val));
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
633 634
    }

635 636
    crd->sys = sys;
    crd->open = gnutls_ServerSessionOpen;
637
    crd->handshake = gnutls_ServerHandshake;
638 639
    crd->close = gnutls_SessionClose;

640
    return VLC_SUCCESS;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
641 642

error:
643
    gnutls_certificate_free_credentials (sys->x509_cred);
644
    free (sys);
645
    gnutls_Deinit ();
646
    return VLC_EGENERIC;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
647 648
}

649
/**
650
 * Destroys a TLS server object.
651
 */
652
static void CloseServer (vlc_tls_creds_t *crd)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
653
{
654
    vlc_tls_creds_sys_t *sys = crd->sys;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
655

656
    /* all sessions depending on the server are now deinitialized */
657 658 659
    gnutls_certificate_free_credentials (sys->x509_cred);
    gnutls_dh_params_deinit (sys->dh_params);
    free (sys);
660
    gnutls_Deinit ();
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
661
}
662
#endif
663

664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681
#define PRIORITIES_TEXT N_("TLS cipher priorities")
#define PRIORITIES_LONGTEXT N_("Ciphers, key exchange methods, " \
    "hash functions and compression methods can be selected. " \
    "Refer to GNU TLS documentation for detailed syntax.")
static const char *const priorities_values[] = {
    "PERFORMANCE",
    "NORMAL",
    "SECURE128",
    "SECURE256",
    "EXPORT",
};
static const char *const priorities_text[] = {
    N_("Performance (prioritize faster ciphers)"),
    N_("Normal"),
    N_("Secure 128-bits (exclude 256-bits ciphers)"),
    N_("Secure 256-bits (prioritize 256-bits ciphers)"),
    N_("Export (include insecure ciphers)"),
};
682

683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701
vlc_module_begin ()
    set_shortname( "GNU TLS" )
    set_description( N_("GNU TLS transport layer security") )
    set_capability( "tls client", 1 )
    set_callbacks( OpenClient, CloseClient )
    set_category( CAT_ADVANCED )
    set_subcategory( SUBCAT_ADVANCED_NETWORK )
    add_string ("gnutls-priorities", "NORMAL", PRIORITIES_TEXT,
                PRIORITIES_LONGTEXT, false)
        change_string_list (priorities_values, priorities_text)
#ifdef ENABLE_SOUT
    add_submodule ()
        set_description( N_("GNU TLS server") )
        set_capability( "tls server", 1 )
        set_category( CAT_ADVANCED )
        set_subcategory( SUBCAT_ADVANCED_NETWORK )
        set_callbacks( OpenServer, CloseServer )
#endif
vlc_module_end ()