Commit 4dcdc8c4 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

Big cleanup of TLS interface

parent 378456a6
......@@ -344,10 +344,6 @@ typedef int (*httpd_handler_callback_t)( httpd_handler_sys_t *, httpd_handler_t
typedef struct httpd_redirect_t httpd_redirect_t;
typedef struct httpd_stream_t httpd_stream_t;
/* TLS support */
typedef struct tls_server_t tls_server_t;
typedef struct tls_session_t tls_session_t;
/* Hashing */
typedef struct md5_s md5_t;
......
......@@ -146,8 +146,8 @@ VLC_API int net_SetCSCov( int fd, int sendcov, int recvcov );
struct virtual_socket_t
{
void *p_sys;
int (*pf_recv) ( void *, void *, int );
int (*pf_send) ( void *, const void *, int );
int (*pf_recv) ( void *, void *, size_t );
int (*pf_send) ( void *, const void *, size_t );
};
VLC_API ssize_t net_Read( vlc_object_t *p_this, int fd, const v_socket_t *, void *p_data, size_t i_data, bool b_retry );
......
/*****************************************************************************
* tls.c: Transport Layer Security API
* vlc_tls.h: Transport Layer Security API
*****************************************************************************
* Copyright (C) 2004-2007 the VideoLAN team
* $Id$
*
* Authors: Rémi Denis-Courmont <rem # videolan.org>
* Copyright (C) 2004-2011 Rémi Denis-Courmont
* Copyright (C) 2005-2006 the VideoLAN team
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
......@@ -31,52 +29,56 @@
# include <vlc_network.h>
typedef struct tls_server_sys_t tls_server_sys_t;
typedef struct vlc_tls_sys vlc_tls_sys_t;
struct tls_server_t
typedef struct vlc_tls
{
VLC_COMMON_MEMBERS
module_t *p_module;
tls_server_sys_t *p_sys;
union {
module_t *module; /**< Plugin handle (client) */
void (*close) (struct vlc_tls *); /**< Close callback (server) */
} u;
vlc_tls_sys_t *sys;
int (*pf_add_CA) ( tls_server_t *, const char * );
int (*pf_add_CRL) ( tls_server_t *, const char * );
struct virtual_socket_t sock;
int (*handshake) (struct vlc_tls *);
} vlc_tls_t;
tls_session_t * (*pf_open) ( tls_server_t * );
void (*pf_close) ( tls_server_t *, tls_session_t * );
};
VLC_API vlc_tls_t *vlc_tls_ClientCreate (vlc_object_t *, int fd,
const char *hostname);
VLC_API void vlc_tls_ClientDelete (vlc_tls_t *);
typedef struct tls_session_sys_t tls_session_sys_t;
/* NOTE: It is assumed that a->sock.p_sys = a */
# define tls_Send( a, b, c ) (((vlc_tls_t *)a)->sock.pf_send (a, b, c))
struct tls_session_t
{
VLC_COMMON_MEMBERS
# define tls_Recv( a, b, c ) (((vlc_tls_t *)a)->sock.pf_recv (a, b, c))
module_t *p_module;
tls_session_sys_t *p_sys;
struct virtual_socket_t sock;
void (*pf_set_fd) ( tls_session_t *, int );
int (*pf_handshake) ( tls_session_t * );
};
typedef struct vlc_tls_creds_sys vlc_tls_creds_sys_t;
/** TLS (server-side) credentials */
typedef struct vlc_tls_creds
{
VLC_COMMON_MEMBERS
tls_server_t *tls_ServerCreate (vlc_object_t *, const char *, const char *);
void tls_ServerDelete (tls_server_t *);
int tls_ServerAddCA (tls_server_t *srv, const char *path);
int tls_ServerAddCRL (tls_server_t *srv, const char *path);
module_t *module;
vlc_tls_creds_sys_t *sys;
tls_session_t *tls_ServerSessionCreate (tls_server_t *, int fd);
int tls_ServerSessionHandshake (tls_session_t *);
void tls_ServerSessionDelete (tls_session_t *);
int (*add_CA) (struct vlc_tls_creds *, const char *path);
int (*add_CRL) (struct vlc_tls_creds *, const char *path);
VLC_API tls_session_t * tls_ClientCreate( vlc_object_t *, int, const char * );
VLC_API void tls_ClientDelete( tls_session_t * );
vlc_tls_t *(*open) (struct vlc_tls_creds *, int fd);
} vlc_tls_creds_t;
/* NOTE: It is assumed that a->sock.p_sys = a */
# define tls_Send( a, b, c ) (((tls_session_t *)a)->sock.pf_send (a, b, c ))
vlc_tls_creds_t *vlc_tls_ServerCreate (vlc_object_t *,
const char *cert, const char *key);
void vlc_tls_ServerDelete (vlc_tls_creds_t *);
int vlc_tls_ServerAddCA (vlc_tls_creds_t *srv, const char *path);
int vlc_tls_ServerAddCRL (vlc_tls_creds_t *srv, const char *path);
# define tls_Recv( a, b, c ) (((tls_session_t *)a)->sock.pf_recv (a, b, c ))
vlc_tls_t *vlc_tls_ServerSessionCreate (vlc_tls_creds_t *, int fd);
int vlc_tls_ServerSessionHandshake (vlc_tls_t *);
void vlc_tls_ServerSessionDelete (vlc_tls_t *);
#endif
......@@ -142,8 +142,8 @@ struct access_sys_t
{
int fd;
bool b_error;
tls_session_t *p_tls;
v_socket_t *p_vs;
vlc_tls_t *p_tls;
v_socket_t *p_vs;
/* From uri */
vlc_url_t url;
......@@ -1195,8 +1195,8 @@ static int Connect( access_t *p_access, uint64_t i_tell )
}
/* TLS/SSL handshake */
p_sys->p_tls = tls_ClientCreate( VLC_OBJECT(p_access), p_sys->fd,
p_sys->url.psz_host );
p_sys->p_tls = vlc_tls_ClientCreate( VLC_OBJECT(p_access), p_sys->fd,
p_sys->url.psz_host );
if( p_sys->p_tls == NULL )
{
msg_Err( p_access, "cannot establish HTTP/TLS session" );
......@@ -1621,7 +1621,7 @@ static void Disconnect( access_t *p_access )
if( p_sys->p_tls != NULL)
{
tls_ClientDelete( p_sys->p_tls );
vlc_tls_ClientDelete( p_sys->p_tls );
p_sys->p_tls = NULL;
p_sys->p_vs = NULL;
}
......
/*****************************************************************************
* gnutls.c
*****************************************************************************
* Copyright (C) 2004-2006 Rémi Denis-Courmont
* $Id$
*
* Authors: Rémi Denis-Courmont <rem # videolan.org>
* Copyright (C) 2004-2011 Rémi Denis-Courmont
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
......@@ -65,8 +62,8 @@
/*****************************************************************************
* Module descriptor
*****************************************************************************/
static int OpenClient (vlc_object_t *);
static void CloseClient (vlc_object_t *);
static int OpenClient (vlc_tls_t *, int, const char *);
static void CloseClient (vlc_tls_t *);
static int OpenServer (vlc_object_t *);
static void CloseServer (vlc_object_t *);
......@@ -192,45 +189,41 @@ static int gnutls_Error (vlc_object_t *obj, int val)
}
return -1;
}
#define gnutls_Error(o, val) gnutls_Error(VLC_OBJECT(o), val)
struct tls_session_sys_t
struct vlc_tls_sys
{
gnutls_session_t session;
char *psz_hostname;
bool b_handshaked;
gnutls_certificate_credentials_t x509_cred;
char *hostname;
bool handshaked;
};
/**
* Sends data through a TLS session.
*/
static int
gnutls_Send( void *p_session, const void *buf, int i_length )
static int gnutls_Send (void *opaque, const void *buf, size_t length)
{
int val;
tls_session_sys_t *p_sys;
p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
vlc_tls_t *session = opaque;
vlc_tls_sys_t *sys = session->sys;
val = gnutls_record_send( p_sys->session, buf, i_length );
return (val < 0) ? gnutls_Error ((vlc_object_t *)p_session, val) : val;
int val = gnutls_record_send (sys->session, buf, length);
return (val < 0) ? gnutls_Error (session, val) : val;
}
/**
* Receives data through a TLS session.
*/
static int
gnutls_Recv( void *p_session, void *buf, int i_length )
static int gnutls_Recv (void *opaque, void *buf, size_t length)
{
int val;
tls_session_sys_t *p_sys;
p_sys = (tls_session_sys_t *)(((tls_session_t *)p_session)->p_sys);
vlc_tls_t *session = opaque;
vlc_tls_sys_t *sys = session->sys;
val = gnutls_record_recv( p_sys->session, buf, i_length );
return (val < 0) ? gnutls_Error ((vlc_object_t *)p_session, val) : val;
int val = gnutls_record_recv (sys->session, buf, length);
return (val < 0) ? gnutls_Error (session, val) : val;
}
......@@ -241,30 +234,28 @@ gnutls_Recv( void *p_session, void *buf, int i_length )
* 1 if more would-be blocking recv is needed,
* 2 if more would-be blocking send is required.
*/
static int
gnutls_ContinueHandshake (tls_session_t *p_session)
static int gnutls_ContinueHandshake (vlc_tls_t *session)
{
tls_session_sys_t *p_sys = p_session->p_sys;
vlc_tls_sys_t *sys = session->sys;
int val;
#ifdef WIN32
WSASetLastError( 0 );
WSASetLastError (0);
#endif
val = gnutls_handshake( p_sys->session );
if( ( val == GNUTLS_E_AGAIN ) || ( val == GNUTLS_E_INTERRUPTED ) )
return 1 + gnutls_record_get_direction( p_sys->session );
val = gnutls_handshake (sys->session);
if ((val == GNUTLS_E_AGAIN) || (val == GNUTLS_E_INTERRUPTED))
return 1 + gnutls_record_get_direction (sys->session);
if( val < 0 )
if (val < 0)
{
#ifdef WIN32
msg_Dbg( p_session, "Winsock error %d", WSAGetLastError( ) );
msg_Dbg (session, "Winsock error %d", WSAGetLastError ());
#endif
msg_Err( p_session, "TLS handshake error: %s",
gnutls_strerror( val ) );
msg_Err (session, "TLS handshake error: %s", gnutls_strerror (val));
return -1;
}
p_sys->b_handshaked = true;
sys->handshaked = true;
return 0;
}
......@@ -291,111 +282,99 @@ static const error_msg_t cert_errors[] =
};
static int
gnutls_HandshakeAndValidate( tls_session_t *session )
static int gnutls_HandshakeAndValidate (vlc_tls_t *session)
{
int val = gnutls_ContinueHandshake( session );
if( val )
return val;
vlc_tls_sys_t *sys = session->sys;
tls_session_sys_t *p_sys = (tls_session_sys_t *)(session->p_sys);
int val = gnutls_ContinueHandshake (session);
if (val)
return val;
/* certificates chain verification */
unsigned status;
val = gnutls_certificate_verify_peers2( p_sys->session, &status );
if( val )
val = gnutls_certificate_verify_peers2 (sys->session, &status);
if (val)
{
msg_Err( session, "Certificate verification failed: %s",
gnutls_strerror( val ) );
msg_Err (session, "Certificate verification failed: %s",
gnutls_strerror (val));
return -1;
}
if( status )
if (status)
{
msg_Err( session, "TLS session: access denied" );
for( const error_msg_t *e = cert_errors; e->flag; e++ )
msg_Err (session, "TLS session: access denied");
for (const error_msg_t *e = cert_errors; e->flag; e++)
{
if( status & e->flag )
if (status & e->flag)
{
msg_Err( session, "%s", e->msg );
msg_Err (session, "%s", e->msg);
status &= ~e->flag;
}
}
if( status )
msg_Err( session,
"unknown certificate error (you found a bug in VLC)" );
if (status)
msg_Err (session,
"unknown certificate error (you found a bug in VLC)");
return -1;
}
/* certificate (host)name verification */
const gnutls_datum_t *data;
data = gnutls_certificate_get_peers (p_sys->session, &(unsigned){0});
if( data == NULL )
data = gnutls_certificate_get_peers (sys->session, &(unsigned){0});
if (data == NULL)
{
msg_Err( session, "Peer certificate not available" );
msg_Err (session, "Peer certificate not available");
return -1;
}
gnutls_x509_crt_t cert;
val = gnutls_x509_crt_init( &cert );
if( val )
val = gnutls_x509_crt_init (&cert);
if (val)
{
msg_Err( session, "x509 fatal error: %s", gnutls_strerror( val ) );
msg_Err (session, "x509 fatal error: %s", gnutls_strerror (val));
return -1;
}
val = gnutls_x509_crt_import( cert, data, GNUTLS_X509_FMT_DER );
if( val )
val = gnutls_x509_crt_import (cert, data, GNUTLS_X509_FMT_DER);
if (val)
{
msg_Err( session, "Certificate import error: %s",
gnutls_strerror( val ) );
msg_Err (session, "Certificate import error: %s",
gnutls_strerror (val));
goto error;
}
if( p_sys->psz_hostname != NULL
&& !gnutls_x509_crt_check_hostname( cert, p_sys->psz_hostname ) )
if (sys->hostname != NULL
&& !gnutls_x509_crt_check_hostname (cert, sys->hostname))
{
msg_Err( session, "Certificate does not match \"%s\"",
p_sys->psz_hostname );
msg_Err (session, "Certificate does not match \"%s\"", sys->hostname);
goto error;
}
if( gnutls_x509_crt_get_expiration_time( cert ) < time( NULL ) )
time_t now;
time (&now);
if (gnutls_x509_crt_get_expiration_time (cert) < now)
{
msg_Err( session, "Certificate expired" );
msg_Err (session, "Certificate expired");
goto error;
}
if( gnutls_x509_crt_get_activation_time( cert ) > time ( NULL ) )
if (gnutls_x509_crt_get_activation_time (cert) > now)
{
msg_Err( session, "Certificate not yet valid" );
goto error;
}
gnutls_x509_crt_deinit( cert );
msg_Dbg( session, "TLS/x509 certificate verified" );
gnutls_x509_crt_deinit (cert);
msg_Dbg (session, "TLS/x509 certificate verified");
return 0;
error:
gnutls_x509_crt_deinit( cert );
gnutls_x509_crt_deinit (cert);
return -1;
}
/**
* Sets the operating system file descriptor backend for the TLS sesison.
*
* @param fd stream socket already connected with the peer.
*/
static void
gnutls_SetFD (tls_session_t *p_session, int fd)
{
gnutls_transport_set_ptr (p_session->p_sys->session,
(gnutls_transport_ptr_t)(intptr_t)fd);
}
static int
gnutls_SessionPrioritize (vlc_object_t *obj, gnutls_session_t session)
{
......@@ -530,7 +509,8 @@ gnutls_Addx509File( vlc_object_t *p_this,
psz_path, gnutls_strerror (res));
return VLC_EGENERIC;
}
msg_Dbg (p_this, "added x509 credentials (%s)", psz_path);
msg_Dbg (p_this, "added %d %s(s) from %s", res,
b_priv ? "key" : "certificate", psz_path);
return VLC_SUCCESS;
}
......@@ -551,7 +531,7 @@ error:
#ifdef WIN32
static int
gnutls_loadOSCAList( vlc_object_t *p_this,
gnutls_loadOSCAList (vlc_object_t *p_this,
gnutls_certificate_credentials cred)
{
HCERTSTORE hCertStore = CertOpenSystemStoreA((HCRYPTPROV)NULL, "ROOT");
......@@ -581,49 +561,36 @@ gnutls_loadOSCAList( vlc_object_t *p_this,
}
#endif
/** TLS client session data */
typedef struct tls_client_sys_t
{
struct tls_session_sys_t session;
gnutls_certificate_credentials_t x509_cred;
} tls_client_sys_t;
/**
* Initializes a client-side TLS session.
*/
static int OpenClient (vlc_object_t *obj)
static int OpenClient (vlc_tls_t *session, int fd, const char *hostname)
{
tls_session_t *p_session = (tls_session_t *)obj;
int i_val;
if (gnutls_Init (obj))
if (gnutls_Init (VLC_OBJECT(session)))
return VLC_EGENERIC;
tls_client_sys_t *p_sys = malloc (sizeof (*p_sys));
if (p_sys == NULL)
vlc_tls_sys_t *sys = malloc (sizeof (*sys));
if (unlikely(sys == NULL))
{
gnutls_Deinit (obj);
gnutls_Deinit (VLC_OBJECT(session));
return VLC_ENOMEM;
}
p_session->p_sys = &p_sys->session;
p_session->sock.p_sys = p_session;
p_session->sock.pf_send = gnutls_Send;
p_session->sock.pf_recv = gnutls_Recv;
p_session->pf_set_fd = gnutls_SetFD;
p_sys->session.b_handshaked = false;
session->sys = sys;
session->sock.p_sys = session;
session->sock.pf_send = gnutls_Send;
session->sock.pf_recv = gnutls_Recv;
sys->handshaked = false;
i_val = gnutls_certificate_allocate_credentials (&p_sys->x509_cred);
if (i_val != 0)
int val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
if (val != 0)
{
msg_Err (obj, "cannot allocate X509 credentials: %s",
gnutls_strerror (i_val));
msg_Err (session, "cannot allocate X509 credentials: %s",
gnutls_strerror (val));
goto error;
}
char *userdir = config_GetUserDir ( VLC_DATA_DIR );
char *userdir = config_GetUserDir (VLC_DATA_DIR);
if (userdir != NULL)
{
char path[strlen (userdir) + sizeof ("/ssl/private")];
......@@ -631,102 +598,102 @@ static int OpenClient (vlc_object_t *obj)
vlc_mkdir (path, 0755);
sprintf (path, "%s/ssl/certs", userdir);
gnutls_Addx509Directory (VLC_OBJECT (p_session),
p_sys->x509_cred, path, false);
gnutls_Addx509Directory (VLC_OBJECT(session), sys->x509_cred, path, false);
sprintf (path, "%s/ssl/private", userdir);
gnutls_Addx509Directory (VLC_OBJECT (p_session), p_sys->x509_cred,
path, true);
gnutls_Addx509Directory (VLC_OBJECT(session), sys->x509_cred, path, true);
free (userdir);
}
#ifdef WIN32
gnutls_loadOSCAList (VLC_OBJECT(session), sys->x509_cred);
#else
const char *confdir = config_GetConfDir ();
{
char path[strlen (confdir)
+ sizeof ("/ssl/certs/ca-certificates.crt")];
sprintf (path, "%s/ssl/certs/ca-certificates.crt", confdir);
#ifdef WIN32
gnutls_loadOSCAList (VLC_OBJECT (p_session),
p_sys->x509_cred);
#else
gnutls_Addx509File (VLC_OBJECT (p_session),
p_sys->x509_cred, path, false);
#endif
gnutls_Addx509File (VLC_OBJECT(session), sys->x509_cred, path, false);
}
p_session->pf_handshake = gnutls_HandshakeAndValidate;
/*p_session->pf_handshake = gnutls_ContinueHandshake;*/
#endif
session->handshake = gnutls_HandshakeAndValidate;
/*session->_handshake = gnutls_ContinueHandshake;*/
i_val = gnutls_init (&p_sys->session.session, GNUTLS_CLIENT);
if (i_val != 0)
val = gnutls_init (&sys->session, GNUTLS_CLIENT);
if (val != 0)
{
msg_Err (obj, "cannot initialize TLS session: %s",
gnutls_strerror (i_val));
gnutls_certificate_free_credentials (p_sys->x509_cred);
msg_Err (session, "cannot initialize TLS session: %s",
gnutls_strerror (val));
gnutls_certificate_free_credentials (sys->x509_cred);
goto error;
}
if (gnutls_SessionPrioritize (VLC_OBJECT (p_session),
p_sys->session.session))
if (gnutls_SessionPrioritize (VLC_OBJECT(session), sys->session))
goto s_error;
/* minimum DH prime bits */
gnutls_dh_set_prime_bits (p_sys->session.session, 1024);
gnutls_dh_set_prime_bits (sys->session, 1024);
i_val = gnutls_credentials_set (p_sys->session.session,
GNUTLS_CRD_CERTIFICATE,
p_sys->x509_cred);
if (i_val < 0)
val = gnutls_credentials_set (sys->session, GNUTLS_CRD_CERTIFICATE,
sys->x509_cred);
if (val < 0)
{
msg_Err (obj, "cannot set TLS session credentials: %s",
gnutls_strerror (i_val));
msg_Err (session, "cannot set TLS session credentials: %s",
gnutls_strerror (val));
goto s_error;
}
char *servername = var_GetNonEmptyString (p_session, "tls-server-name");
if (servername == NULL )
msg_Err (p_session, "server name missing for TLS session");
/* server name */
if (likely(hostname != NULL))
{
/* fill Server Name Indication */
gnutls_server_name_set (sys->session, GNUTLS_NAME_DNS,
hostname, strlen (hostname));
/* keep hostname to match CNAME after handshake */
sys->hostname = strdup (hostname);
if (unlikely(sys->hostname == NULL))
goto s_error;
}
else
gnutls_server_name_set (p_sys->session.session, GNUTLS_NAME_DNS,
servername, strlen (servername));
p_sys->session.psz_hostname = servername;
sys->hostname = NULL;
gnutls_transport_set_ptr (sys->session,
(gnutls_transport_ptr_t)(intptr_t)fd);
return VLC_SUCCESS;
s_error:
gnutls_deinit (p_sys->session.session);
gnutls_certificate_free_credentials (p_sys->x509_cred);
gnutls_deinit (sys->session);
gnutls_certificate_free_credentials (sys->x509_cred);
error:
gnutls_Deinit (obj);
free (p_sys);
gnutls_Deinit (VLC_OBJECT(session));
free (sys);
return VLC_EGENERIC;
}
static void CloseClient (vlc_object_t *obj)
static void CloseClient (vlc_tls_t *session)
{
tls_session_t *client = (tls_session_t *)obj;
tls_client_sys_t *p_sys = (tls_client_sys_t *)(client->p_sys);
vlc_tls_sys_t *sys = session->sys;
if (p_sys->session.b_handshaked)