gnutls.c 19.1 KB
Newer Older
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
1
/*****************************************************************************
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
2
 * gnutls.c
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
3
 *****************************************************************************
4
 * Copyright (C) 2004-2014 Rémi Denis-Courmont
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
5 6
 *
 * This program is free software; you can redistribute it and/or modify
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
7 8
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
9 10 11 12 13
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
14
 * GNU Lesser General Public License for more details.
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
15
 *
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
16 17 18
 * You should have received a copy of the GNU Öesser General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
19 20
 *****************************************************************************/

21 22 23 24
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif

25 26
#include <stdlib.h>
#include <string.h>
27
#include <time.h>
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
28
#include <errno.h>
29
#include <assert.h>
30

31 32
#include <vlc_common.h>
#include <vlc_plugin.h>
33
#include <vlc_tls.h>
34
#include <vlc_block.h>
35
#include <vlc_dialog.h>
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
36 37

#include <gnutls/gnutls.h>
38
#include <gnutls/x509.h>
39 40
#include "dhparams.h"

41 42 43 44 45 46 47 48 49
#if (GNUTLS_VERSION_NUMBER >= 0x030300)
static int gnutls_Init (vlc_object_t *obj)
{
    const char *version = gnutls_check_version ("3.3.0");
    if (version == NULL)
    {
        msg_Err (obj, "unsupported GnuTLS version");
        return -1;
    }
Benjamin Drung's avatar
Benjamin Drung committed
50
    msg_Dbg (obj, "using GnuTLS version %s", version);
51 52 53 54 55
    return 0;
}

# define gnutls_Deinit() (void)0
#else
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
56 57
static vlc_mutex_t gnutls_mutex = VLC_STATIC_MUTEX;

58 59 60 61
/**
 * Initializes GnuTLS with proper locking.
 * @return VLC_SUCCESS on success, a VLC error code otherwise.
 */
62
static int gnutls_Init (vlc_object_t *obj)
63
{
64
    const char *version = gnutls_check_version ("3.1.11");
65
    if (version == NULL)
66
    {
67 68
        msg_Err (obj, "unsupported GnuTLS version");
        return -1;
69
    }
Benjamin Drung's avatar
Benjamin Drung committed
70
    msg_Dbg (obj, "using GnuTLS version %s", version);
71

72
    if (gnutls_check_version ("3.3.0") == NULL)
73
    {
74
         int val;
75

76 77 78
         vlc_mutex_lock (&gnutls_mutex);
         val = gnutls_global_init ();
         vlc_mutex_unlock (&gnutls_mutex);
79

80 81 82 83 84 85 86
         if (val)
         {
             msg_Err (obj, "cannot initialize GnuTLS");
             return -1;
         }
    }
    return 0;
87 88 89 90 91
}

/**
 * Deinitializes GnuTLS.
 */
92
static void gnutls_Deinit (void)
93
{
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
94
    vlc_mutex_lock (&gnutls_mutex);
95
    gnutls_global_deinit ();
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
96
    vlc_mutex_unlock (&gnutls_mutex);
97
}
98
#endif
99

100 101 102 103 104
static int gnutls_Error (vlc_object_t *obj, int val)
{
    switch (val)
    {
        case GNUTLS_E_AGAIN:
105
#ifdef _WIN32
106 107
            WSASetLastError (WSAEWOULDBLOCK);
#else
108
            errno = EAGAIN;
109
#endif
110
            break;
111 112

        case GNUTLS_E_INTERRUPTED:
113
#ifdef _WIN32
114
            WSASetLastError (WSAEINTR);
115
#else
116
            errno = EINTR;
117
#endif
118 119 120 121
            break;

        default:
            msg_Err (obj, "%s", gnutls_strerror (val));
122
#ifndef NDEBUG
123 124 125
            if (!gnutls_error_is_fatal (val))
                msg_Err (obj, "Error above should be handled");
#endif
126
#ifdef _WIN32
127
            WSASetLastError (WSAECONNRESET);
128
#else
129
            errno = ECONNRESET;
130
#endif
131 132 133
    }
    return -1;
}
134
#define gnutls_Error(o, val) gnutls_Error(VLC_OBJECT(o), val)
135

136
/**
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
137
 * Sends data through a TLS session.
138
 */
139
static int gnutls_Send (void *opaque, const void *buf, size_t length)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
140
{
141 142 143 144
    assert (opaque != NULL);

    vlc_tls_t *tls = opaque;
    gnutls_session_t session = tls->sys;
145

146 147
    int val = gnutls_record_send (session, buf, length);
    return (val < 0) ? gnutls_Error (tls, val) : val;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
148 149 150
}


151
/**
152
 * Receives data through a TLS session.
153
 */
154
static int gnutls_Recv (void *opaque, void *buf, size_t length)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
155
{
156
    assert (opaque != NULL);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
157

158 159
    vlc_tls_t *tls = opaque;
    gnutls_session_t session = tls->sys;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
160

161 162
    int val = gnutls_record_recv (session, buf, length);
    return (val < 0) ? gnutls_Error (tls, val) : val;
163 164 165
}

static int gnutls_SessionOpen (vlc_tls_t *tls, int type,
166 167
                               gnutls_certificate_credentials_t x509, int fd,
                               const char *const *alpn)
168
{
169
    gnutls_session_t session;
170 171 172
    const char *errp;
    int val;

173
    val = gnutls_init (&session, type);
174 175 176 177 178 179 180 181 182 183 184
    if (val != 0)
    {
        msg_Err (tls, "cannot initialize TLS session: %s",
                 gnutls_strerror (val));
        return VLC_EGENERIC;
    }

    char *priorities = var_InheritString (tls, "gnutls-priorities");
    if (unlikely(priorities == NULL))
        goto error;

185
    val = gnutls_priority_set_direct (session, priorities, &errp);
186 187 188 189 190 191 192
    if (val < 0)
        msg_Err (tls, "cannot set TLS priorities \"%s\": %s", errp,
                 gnutls_strerror (val));
    free (priorities);
    if (val < 0)
        goto error;

193
    val = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509);
194 195 196 197 198 199 200
    if (val < 0)
    {
        msg_Err (tls, "cannot set TLS session credentials: %s",
                 gnutls_strerror (val));
        goto error;
    }

201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223
    if (alpn != NULL)
    {
        gnutls_datum_t *protv = NULL;
        unsigned protc = 0;

        while (*alpn != NULL)
        {
            gnutls_datum_t *n = realloc(protv, sizeof (*protv) * (protc + 1));
            if (unlikely(n == NULL))
            {
                free(protv);
                goto error;
            }
            protv = n;

            protv[protc].data = (void *)*alpn;
            protv[protc].size = strlen(*alpn);
            protc++;
            alpn++;
        }

        val = gnutls_alpn_set_protocols (session, protv, protc, 0);
        free (protv);
224
    }
225

226
    gnutls_transport_set_int (session, fd);
227

228 229
    tls->sys = session;
    tls->sock.p_sys = NULL;
230 231 232 233 234
    tls->sock.pf_send = gnutls_Send;
    tls->sock.pf_recv = gnutls_Recv;
    return VLC_SUCCESS;

error:
235
    gnutls_deinit (session);
236 237
    return VLC_EGENERIC;
}
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
238

239
/**
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
240 241
 * Starts or continues the TLS handshake.
 *
Rémi Denis-Courmont's avatar
Typos  
Rémi Denis-Courmont committed
242
 * @return -1 on fatal error, 0 on successful handshake completion,
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
243 244
 * 1 if more would-be blocking recv is needed,
 * 2 if more would-be blocking send is required.
245
 */
246
static int gnutls_ContinueHandshake (vlc_tls_t *tls, char **restrict alp)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
247
{
248
    gnutls_session_t session = tls->sys;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
249 250
    int val;

251
#ifdef _WIN32
252
    WSASetLastError (0);
253
#endif
254 255
    do
    {
256
        val = gnutls_handshake (session);
257 258 259 260 261
        msg_Dbg (tls, "TLS handshake: %s", gnutls_strerror (val));

        switch (val)
        {
            case GNUTLS_E_SUCCESS:
262
                goto done;
263 264 265
            case GNUTLS_E_AGAIN:
            case GNUTLS_E_INTERRUPTED:
                /* I/O event: return to caller's poll() loop */
266
                return 1 + gnutls_record_get_direction (session);
267
        }
268
    }
269
    while (!gnutls_error_is_fatal (val));
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
270

271
#ifdef _WIN32
272
    msg_Dbg (tls, "Winsock error %d", WSAGetLastError ());
273
#endif
274 275
    msg_Err (tls, "TLS handshake error: %s", gnutls_strerror (val));
    return -1;
276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295

done:
    if (alp != NULL)
    {
        gnutls_datum_t datum;

        val = gnutls_alpn_get_selected_protocol (session, &datum);
        if (val == 0)
        {
            if (memchr (datum.data, 0, datum.size) != NULL)
                return -1; /* Other end is doing something fishy?! */

            *alp = strndup ((char *)datum.data, datum.size);
            if (unlikely(*alp == NULL))
                return -1;
        }
        else
            *alp = NULL;
    }
    return 0;
296 297
}

298 299 300 301 302 303 304 305 306 307 308 309 310 311
/**
 * Terminates TLS session and releases session data.
 * You still have to close the socket yourself.
 */
static void gnutls_SessionClose (vlc_tls_t *tls)
{
    gnutls_session_t session = tls->sys;

    if (tls->sock.p_sys != NULL)
        gnutls_bye (session, GNUTLS_SHUT_WR);

    gnutls_deinit (session);
}

312
static int gnutls_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *tls,
313 314
                                     int fd, const char *hostname,
                                     const char *const *alpn)
315
{
316
    int val = gnutls_SessionOpen (tls, GNUTLS_CLIENT, crd->sys, fd, alpn);
317 318 319
    if (val != VLC_SUCCESS)
        return val;

320
    gnutls_session_t session = tls->sys;
321 322

    /* minimum DH prime bits */
323
    gnutls_dh_set_prime_bits (session, 1024);
324 325 326

    if (likely(hostname != NULL))
        /* fill Server Name Indication */
327
        gnutls_server_name_set (session, GNUTLS_NAME_DNS,
328 329 330 331 332 333
                                hostname, strlen (hostname));

    return VLC_SUCCESS;
}

static int gnutls_ClientHandshake (vlc_tls_t *tls, const char *host,
334
                                   const char *service, char **restrict alp)
335
{
336
    int val = gnutls_ContinueHandshake (tls, alp);
337 338 339 340
    if (val)
        return val;

    /* certificates chain verification */
341
    gnutls_session_t session = tls->sys;
342 343
    unsigned status;

344
    val = gnutls_certificate_verify_peers3 (session, host, &status);
345 346 347 348
    if (val)
    {
        msg_Err (tls, "Certificate verification error: %s",
                 gnutls_strerror (val));
349 350
failure:
        gnutls_bye (session, GNUTLS_SHUT_RDWR);
351
        return -1;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
352
    }
353

354
    if (status == 0)
355 356 357 358 359
    {   /* Good certificate */
success:
        tls->sock.p_sys = tls;
        return 0;
    }
360

361 362
    /* Bad certificate */
    gnutls_datum_t desc;
363

364
    if (gnutls_certificate_verification_status_print(status,
365
                         gnutls_certificate_type_get (session), &desc, 0) == 0)
366 367 368 369 370 371 372 373 374 375
    {
        msg_Err (tls, "Certificate verification failure: %s", desc.data);
        gnutls_free (desc.data);
    }

    status &= ~GNUTLS_CERT_INVALID; /* always set / catch-all error */
    status &= ~GNUTLS_CERT_SIGNER_NOT_FOUND; /* unknown CA */
    status &= ~GNUTLS_CERT_UNEXPECTED_OWNER; /* mismatched hostname */

    if (status != 0 || host == NULL)
376
        goto failure; /* Really bad certificate */
377

378
    /* Look up mismatching certificate in store */
379 380 381
    const gnutls_datum_t *datum;
    unsigned count;

382
    datum = gnutls_certificate_get_peers (session, &count);
383 384 385
    if (datum == NULL || count == 0)
    {
        msg_Err (tls, "Peer certificate not available");
386
        goto failure;
387 388 389 390 391
    }

    msg_Dbg (tls, "%u certificate(s) in the list", count);
    val = gnutls_verify_stored_pubkey (NULL, NULL, host, service,
                                       GNUTLS_CRT_X509, datum, 0);
392
    const char *msg;
393 394 395
    switch (val)
    {
        case 0:
396 397
            msg_Dbg (tls, "certificate key match for %s", host);
            goto success;
398
        case GNUTLS_E_NO_CERTIFICATE_FOUND:
399 400 401 402
            msg_Dbg (tls, "no known certificates for %s", host);
            msg = N_("However the security certificate presented by the "
                "server is unknown and could not be authenticated by any "
                "trusted Certificate Authority.");
403 404
            break;
        case GNUTLS_E_CERTIFICATE_KEY_MISMATCH:
405 406 407 408
            msg_Dbg (tls, "certificate keys mismatch for %s", host);
            msg = N_("However the security certificate presented by the "
                "server changed since the previous visit and was not "
                "authenticated by any trusted Certificate Authority. ");
409 410
            break;
        default:
411
            msg_Err (tls, "certificate key match error for %s: %s", host,
412
                     gnutls_strerror (val));
413
            goto failure;
414
    }
415

416 417 418 419 420 421 422
    if (dialog_Question (tls, _("Insecure site"),
        _("You attempted to reach %s. %s\n"
          "This problem may be stem from an attempt to breach your security, "
          "compromise your privacy, or a configuration error.\n\n"
          "If in doubt, abort now.\n"),
                         _("Abort"), _("View certificate"), NULL,
                         vlc_gettext (msg), host) != 2)
423
        goto failure;
424 425 426 427

    gnutls_x509_crt_t cert;

    if (gnutls_x509_crt_init (&cert))
428
        goto failure;
429 430 431 432
    if (gnutls_x509_crt_import (cert, datum, GNUTLS_X509_FMT_DER)
     || gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &desc))
    {
        gnutls_x509_crt_deinit (cert);
433
        goto failure;
434 435 436
    }
    gnutls_x509_crt_deinit (cert);

437
    val = dialog_Question (tls, _("Insecure site"),
438 439 440 441
         _("This is the certificate presented by %s:\n%s\n\n"
           "If in doubt, abort now.\n"),
                           _("Abort"), _("Accept 24 hours"),
                           _("Accept permanently"), host, desc.data);
442 443
    gnutls_free (desc.data);

444 445 446 447 448 449 450
    time_t expiry = 0;
    switch (val)
    {
        case 2:
            time (&expiry);
            expiry += 24 * 60 * 60;
        case 3:
451 452 453
            val = gnutls_store_pubkey (NULL, NULL, host, service,
                                       GNUTLS_CRT_X509, datum, expiry, 0);
            if (val)
454
                msg_Err (tls, "cannot store X.509 certificate: %s",
455
                         gnutls_strerror (val));
456
            goto success;
457
    }
458
    goto failure;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
459 460
}

461
/**
462
 * Initializes a client-side TLS credentials.
463
 */
464
static int OpenClient (vlc_tls_creds_t *crd)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
465
{
466
    gnutls_certificate_credentials_t x509;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
467

468 469
    if (gnutls_Init (VLC_OBJECT(crd)))
        return VLC_EGENERIC;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
470

471
    int val = gnutls_certificate_allocate_credentials (&x509);
472
    if (val != 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
473
    {
474
        msg_Err (crd, "cannot allocate credentials: %s",
475
                 gnutls_strerror (val));
476
        gnutls_Deinit ();
477
        return VLC_EGENERIC;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
478
    }
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
479

480
    val = gnutls_certificate_set_x509_system_trust (x509);
481
    if (val < 0)
482
        msg_Err (crd, "cannot load trusted Certificate Authorities: %s",
483
                 gnutls_strerror (val));
484 485
    else
        msg_Dbg (crd, "loaded %d trusted CAs", val);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
486

487 488 489 490 491 492 493
    gnutls_certificate_set_verify_flags (x509,
                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);

    crd->sys = x509;
    crd->open = gnutls_ClientSessionOpen;
    crd->handshake = gnutls_ClientHandshake;
    crd->close = gnutls_SessionClose;
494

495
    return VLC_SUCCESS;
496
}
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
497

498 499 500 501 502
static void CloseClient (vlc_tls_creds_t *crd)
{
    gnutls_certificate_credentials_t x509 = crd->sys;

    gnutls_certificate_free_credentials (x509);
503
    gnutls_Deinit ();
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
504 505
}

506
#ifdef ENABLE_SOUT
507 508 509 510 511 512 513 514 515
/**
 * Server-side TLS credentials private data
 */
typedef struct vlc_tls_creds_sys
{
    gnutls_certificate_credentials_t x509_cred;
    gnutls_dh_params_t dh_params;
} vlc_tls_creds_sys_t;

516 517 518
/**
 * Initializes a server-side TLS session.
 */
519
static int gnutls_ServerSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *tls,
520 521
                                     int fd, const char *hostname,
                                     const char *const *alpn)
522
{
523 524
    vlc_tls_creds_sys_t *sys = crd->sys;

525
    assert (hostname == NULL);
526
    return gnutls_SessionOpen (tls, GNUTLS_SERVER, sys->x509_cred, fd, alpn);
527 528
}

529
static int gnutls_ServerHandshake (vlc_tls_t *tls, const char *host,
530
                                   const char *service, char **restrict alp)
531
{
532
    int val = gnutls_ContinueHandshake (tls, alp);
533
    if (val == 0)
534
        tls->sock.p_sys = tls;
535

536 537
    (void) host; (void) service;
    return val;
538 539
}

540
/**
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
541
 * Allocates a whole server's TLS credentials.
542
 */
543
static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
544 545 546
{
    int val;

547
    if (gnutls_Init (VLC_OBJECT(crd)))
548 549
        return VLC_EGENERIC;

550 551
    vlc_tls_creds_sys_t *sys = malloc (sizeof (*sys));
    if (unlikely(sys == NULL))
552 553 554 555
    {
        gnutls_Deinit ();
        return VLC_ENOMEM;
    }
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
556 557

    /* Sets server's credentials */
558 559
    val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
    if (val != 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
560
    {
561
        msg_Err (crd, "cannot allocate credentials: %s",
562
                 gnutls_strerror (val));
563 564 565
        free (sys);
        gnutls_Deinit ();
        return VLC_ENOMEM;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
566 567
    }

568 569 570
    block_t *certblock = block_FilePath (cert);
    if (certblock == NULL)
    {
571 572
        msg_Err (crd, "cannot read certificate chain from %s: %s", cert,
                 vlc_strerror_c(errno));
573
        goto error;
574 575 576 577 578
    }

    block_t *keyblock = block_FilePath (key);
    if (keyblock == NULL)
    {
579 580
        msg_Err (crd, "cannot read private key from %s: %s", key,
                 vlc_strerror_c(errno));
581
        block_Release (certblock);
582
        goto error;
583 584 585 586 587 588 589 590 591 592 593
    }

    gnutls_datum_t pub = {
       .data = certblock->p_buffer,
       .size = certblock->i_buffer,
    }, priv = {
       .data = keyblock->p_buffer,
       .size = keyblock->i_buffer,
    };

    val = gnutls_certificate_set_x509_key_mem (sys->x509_cred, &pub, &priv,
594
                                                GNUTLS_X509_FMT_PEM);
595 596
    block_Release (keyblock);
    block_Release (certblock);
597
    if (val < 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
598
    {
599
        msg_Err (crd, "cannot load X.509 key: %s", gnutls_strerror (val));
600
        gnutls_certificate_free_credentials (sys->x509_cred);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
601
        goto error;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
602 603
    }

604
    /* FIXME:
605
     * - support other cipher suites
606
     */
607
    val = gnutls_dh_params_init (&sys->dh_params);
608 609
    if (val >= 0)
    {
610 611 612 613 614
        const gnutls_datum_t data = {
            .data = (unsigned char *)dh_params,
            .size = sizeof (dh_params) - 1,
        };

615
        val = gnutls_dh_params_import_pkcs3 (sys->dh_params, &data,
616 617
                                             GNUTLS_X509_FMT_PEM);
        if (val == 0)
618 619
            gnutls_certificate_set_dh_params (sys->x509_cred,
                                              sys->dh_params);
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
620
    }
621
    if (val < 0)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
622
    {
623
        msg_Err (crd, "cannot initialize DHE cipher suites: %s",
624
                 gnutls_strerror (val));
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
625 626
    }

627 628
    crd->sys = sys;
    crd->open = gnutls_ServerSessionOpen;
629
    crd->handshake = gnutls_ServerHandshake;
630 631
    crd->close = gnutls_SessionClose;

632
    return VLC_SUCCESS;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
633 634

error:
635
    gnutls_certificate_free_credentials (sys->x509_cred);
636
    free (sys);
637
    gnutls_Deinit ();
638
    return VLC_EGENERIC;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
639 640
}

641
/**
642
 * Destroys a TLS server object.
643
 */
644
static void CloseServer (vlc_tls_creds_t *crd)
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
645
{
646
    vlc_tls_creds_sys_t *sys = crd->sys;
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
647

648
    /* all sessions depending on the server are now deinitialized */
649 650 651
    gnutls_certificate_free_credentials (sys->x509_cred);
    gnutls_dh_params_deinit (sys->dh_params);
    free (sys);
652
    gnutls_Deinit ();
Rémi Denis-Courmont's avatar
Rémi Denis-Courmont committed
653
}
654
#endif
655

656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673
#define PRIORITIES_TEXT N_("TLS cipher priorities")
#define PRIORITIES_LONGTEXT N_("Ciphers, key exchange methods, " \
    "hash functions and compression methods can be selected. " \
    "Refer to GNU TLS documentation for detailed syntax.")
static const char *const priorities_values[] = {
    "PERFORMANCE",
    "NORMAL",
    "SECURE128",
    "SECURE256",
    "EXPORT",
};
static const char *const priorities_text[] = {
    N_("Performance (prioritize faster ciphers)"),
    N_("Normal"),
    N_("Secure 128-bits (exclude 256-bits ciphers)"),
    N_("Secure 256-bits (prioritize 256-bits ciphers)"),
    N_("Export (include insecure ciphers)"),
};
674

675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693
vlc_module_begin ()
    set_shortname( "GNU TLS" )
    set_description( N_("GNU TLS transport layer security") )
    set_capability( "tls client", 1 )
    set_callbacks( OpenClient, CloseClient )
    set_category( CAT_ADVANCED )
    set_subcategory( SUBCAT_ADVANCED_NETWORK )
    add_string ("gnutls-priorities", "NORMAL", PRIORITIES_TEXT,
                PRIORITIES_LONGTEXT, false)
        change_string_list (priorities_values, priorities_text)
#ifdef ENABLE_SOUT
    add_submodule ()
        set_description( N_("GNU TLS server") )
        set_capability( "tls server", 1 )
        set_category( CAT_ADVANCED )
        set_subcategory( SUBCAT_ADVANCED_NETWORK )
        set_callbacks( OpenServer, CloseServer )
#endif
vlc_module_end ()