Commit 73ae5d90 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

- TLS API cleanup

- some minor fixes as well
parent 1a90a3cd
/*****************************************************************************
* tls.c
*****************************************************************************
* Copyright (C) 2004 VideoLAN
* Copyright (C) 2004-2005 VideoLAN
* $Id: httpd.c 8263 2004-07-24 09:06:58Z courmisch $
*
* Authors: Remi Denis-Courmont <courmisch@via.ecp.fr>
......@@ -34,13 +34,15 @@ struct tls_t
module_t *p_module;
void *p_sys;
tls_server_t * (*pf_server_create) ( tls_t *, const char *, const char * );
tls_session_t * (*pf_client_create) ( tls_t *, const char * );
tls_server_t * (*pf_server_create) ( tls_t *, const char *,
const char * );
tls_session_t * (*pf_client_create) ( tls_t * );
};
struct tls_server_t
{
tls_t *p_tls;
VLC_COMMON_MEMBERS
void *p_sys;
void (*pf_delete) ( tls_server_t * );
......@@ -53,13 +55,12 @@ struct tls_server_t
struct tls_session_t
{
tls_t *p_tls;
tls_server_t *p_server;
VLC_COMMON_MEMBERS
void *p_sys;
struct virtual_socket_t sock;
int (*pf_handshake) ( tls_session_t *, int );
int (*pf_handshake) ( tls_session_t *, int, const char * );
int (*pf_handshake2) ( tls_session_t * );
void (*pf_close) ( tls_session_t * );
};
......@@ -71,7 +72,6 @@ struct tls_session_t
* Allocates a whole server's TLS credentials.
* Returns NULL on error.
*****************************************************************************/
# define __tls_ServerCreate( a, b, c ) (((tls_t *)a)->pf_server_create (a, b, c))
VLC_EXPORT( tls_server_t *, tls_ServerCreate, ( vlc_object_t *, const char *, const char * ) );
/*****************************************************************************
......@@ -92,20 +92,20 @@ VLC_EXPORT( tls_server_t *, tls_ServerCreate, ( vlc_object_t *, const char *, co
# define tls_ServerAddCRL( a, b ) (((tls_server_t *)a)->pf_add_CRL (a, b))
# define __tls_ServerDelete( a ) (((tls_server_t *)a)->pf_delete ( a ))
VLC_EXPORT( void, tls_ServerDelete, ( tls_server_t * ) );
# define tls_ServerSessionPrepare( a ) (((tls_server_t *)a)->pf_session_prepare (a))
# define tls_ServerSessionHandshake( a, b ) (((tls_session_t *)a)->pf_handshake (a, b, NULL))
# define tls_ServerSessionClose( a ) (((tls_session_t *)a)->pf_close (a))
# define __tls_ClientCreate( a, b ) (((tls_t *)a)->pf_client_create (a, b ))
VLC_EXPORT( tls_session_t *, tls_ClientCreate, ( vlc_object_t *, const char *, int ) );
VLC_EXPORT( tls_session_t *, tls_ClientCreate, ( vlc_object_t *, int, const char * ) );
VLC_EXPORT( void, tls_ClientDelete, ( tls_session_t * ) );
# define tls_SessionHandshake( a, b ) (((tls_session_t *)a)->pf_handshake (a, b))
# define tls_ClientSessionHandshake( a, b, c ) (((tls_session_t *)a)->pf_handshake (a, b, c))
# define tls_SessionContinueHandshake( a ) (((tls_session_t *)a)->pf_handshake2 (a))
# define tls_SessionClose( a ) (((tls_session_t *)a)->pf_close (a))
/* NOTE: It is assumed that a->sock.p_sys = a */
# define tls_Send( a, b, c ) (((tls_session_t *)a)->sock.pf_send (a, b, c ))
......
......@@ -860,7 +860,7 @@ static int Connect( access_t *p_access, int64_t i_tell )
return VLC_EGENERIC;
}
p_sys->p_tls = tls_ClientCreate( VLC_OBJECT(p_access), NULL, p_sys->fd );
p_sys->p_tls = tls_ClientCreate( VLC_OBJECT(p_access), p_sys->fd, NULL );
if( p_sys->p_tls == NULL )
{
msg_Err( p_access, "cannot establish HTTP/SSL session" );
......
......@@ -111,6 +111,7 @@ typedef struct tls_server_sys_t
typedef struct tls_session_sys_t
{
gnutls_session session;
vlc_bool_t b_handshaked;
} tls_session_sys_t;
......@@ -199,25 +200,28 @@ gnutls_SessionContinueHandshake( tls_session_t *p_session)
if( val < 0 )
{
gnutls_deinit( p_sys->session );
msg_Err( p_session->p_tls, "TLS handshake failed : %s",
msg_Err( p_session, "TLS handshake failed : %s",
gnutls_strerror( val ) );
free( p_sys );
free( p_session );
p_session->pf_close( p_session );
return -1;
}
p_sys->b_handshaked = VLC_TRUE;
return 0;
}
static int
gnutls_SessionHandshake( tls_session_t *p_session, int fd )
gnutls_SessionHandshake( tls_session_t *p_session, int fd,
const char *psz_hostname )
{
tls_session_sys_t *p_sys;
p_sys = (tls_session_sys_t *)(p_session->p_sys);
gnutls_transport_set_ptr (p_sys->session, (gnutls_transport_ptr)fd);
if( psz_hostname != NULL )
gnutls_server_name_set( p_sys->session, GNUTLS_NAME_DNS, psz_hostname,
strlen( psz_hostname ) );
return gnutls_SessionContinueHandshake( p_session );
}
......@@ -235,15 +239,23 @@ gnutls_SessionClose( tls_session_t *p_session )
p_sys = (tls_session_sys_t *)(p_session->p_sys);
/* On the client-side, credentials are re-allocated per session */
if( p_session->p_server == NULL )
gnutls_certificate_free_credentials( ((tls_client_sys_t *)p_sys)
->x509_cred );
gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
if( p_sys->b_handshaked == VLC_TRUE )
gnutls_bye( p_sys->session, GNUTLS_SHUT_WR );
gnutls_deinit( p_sys->session );
vlc_object_detach( p_session );
vlc_object_destroy( p_session );
free( p_sys );
free( p_session );
}
static void
gnutls_ClientDelete( tls_session_t *p_session )
{
/* On the client-side, credentials are re-allocated per session */
gnutls_certificate_free_credentials( ((tls_client_sys_t *)
(p_session->p_sys))->x509_cred );
gnutls_SessionClose( p_session );
}
......@@ -253,10 +265,10 @@ gnutls_SessionClose( tls_session_t *p_session )
* Initializes client-side TLS session data.
*****************************************************************************/
static tls_session_t *
gnutls_ClientCreate( tls_t *p_tls, const char *psz_ca_path )
gnutls_ClientCreate( tls_t *p_tls )
{
tls_session_t *p_session;
tls_client_sys_t *p_sys;
tls_session_t *p_session = NULL;
tls_client_sys_t *p_sys = NULL;
int i_val;
const int cert_type_priority[3] =
{
......@@ -267,16 +279,35 @@ gnutls_ClientCreate( tls_t *p_tls, const char *psz_ca_path )
p_sys = (tls_client_sys_t *)malloc( sizeof(struct tls_client_sys_t) );
if( p_sys == NULL )
return NULL;
p_session = (struct tls_session_t *)vlc_object_create ( p_tls, sizeof(struct tls_session_t) );
if( p_session == NULL )
{
free( p_sys );
return NULL;
}
p_session->p_sys = p_sys;
p_session->sock.p_sys = p_session;
p_session->sock.pf_send = gnutls_Send;
p_session->sock.pf_recv = gnutls_Recv;
p_session->pf_handshake = gnutls_SessionHandshake;
p_session->pf_handshake2 = gnutls_SessionContinueHandshake;
p_session->pf_close = gnutls_ClientDelete;
p_sys->session.b_handshaked = VLC_FALSE;
vlc_object_attach( p_session, p_tls );
i_val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
if( i_val != 0 )
{
msg_Err( p_tls, "Cannot allocate X509 credentials : %s",
gnutls_strerror( i_val ) );
free( p_sys );
return NULL;
goto error;
}
#if 0
if( psz_ca_path != NULL )
{
i_val = gnutls_certificate_set_x509_trust_file( p_sys->x509_cred,
......@@ -287,19 +318,17 @@ gnutls_ClientCreate( tls_t *p_tls, const char *psz_ca_path )
msg_Err( p_tls, "Cannot add trusted CA (%s) : %s", psz_ca_path,
gnutls_strerror( i_val ) );
gnutls_certificate_free_credentials( p_sys->x509_cred );
free( p_sys );
return NULL;
goto error;
}
}
#endif
i_val = gnutls_init( &p_sys->session.session, GNUTLS_CLIENT );
if( i_val != 0 )
{
msg_Err( p_tls, "Cannot initialize TLS session : %s",
gnutls_strerror( i_val ) );
gnutls_certificate_free_credentials( p_sys->x509_cred );
free( p_sys );
return NULL;
goto error;
}
i_val = gnutls_set_default_priority( p_sys->session.session );
......@@ -309,8 +338,7 @@ gnutls_ClientCreate( tls_t *p_tls, const char *psz_ca_path )
gnutls_strerror( i_val ) );
gnutls_deinit( p_sys->session.session );
gnutls_certificate_free_credentials( p_sys->x509_cred );
free( p_sys );
return NULL;
goto error;
}
i_val = gnutls_certificate_type_set_priority( p_sys->session.session,
......@@ -321,8 +349,7 @@ gnutls_ClientCreate( tls_t *p_tls, const char *psz_ca_path )
gnutls_strerror( i_val ) );
gnutls_deinit( p_sys->session.session );
gnutls_certificate_free_credentials( p_sys->x509_cred );
free( p_sys );
return NULL;
goto error;
}
i_val = gnutls_credentials_set( p_sys->session.session,
......@@ -334,30 +361,17 @@ gnutls_ClientCreate( tls_t *p_tls, const char *psz_ca_path )
gnutls_strerror( i_val ) );
gnutls_deinit( p_sys->session.session );
gnutls_certificate_free_credentials( p_sys->x509_cred );
free( p_sys );
return NULL;
goto error;
}
p_session = malloc( sizeof (struct tls_session_t) );
if( p_session == NULL )
{
gnutls_deinit( p_sys->session.session );
gnutls_certificate_free_credentials( p_sys->x509_cred );
free( p_sys );
return NULL;
}
return p_session;
p_session->p_tls = p_tls;
p_session->p_server = NULL;
p_session->p_sys = p_sys;
p_session->sock.p_sys = p_session;
p_session->sock.pf_send = gnutls_Send;
p_session->sock.pf_recv = gnutls_Recv;
p_session->pf_handshake = gnutls_SessionHandshake;
p_session->pf_handshake2 = gnutls_SessionContinueHandshake;
p_session->pf_close = gnutls_SessionClose;
error:
vlc_object_detach( p_session );
vlc_object_destroy( p_session );
free( p_sys );
return p_session;
return NULL;
}
......@@ -471,21 +485,45 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
gnutls_session session;
int i_val;
p_session = vlc_object_create( p_server, sizeof (struct tls_session_t) );
if( p_session == NULL )
return NULL;
p_session->p_sys = malloc( sizeof(struct tls_session_sys_t) );
if( p_session->p_sys == NULL )
{
vlc_object_destroy( p_session );
return NULL;
}
vlc_object_attach( p_session, p_server );
p_session->sock.p_sys = p_session;
p_session->sock.pf_send = gnutls_Send;
p_session->sock.pf_recv = gnutls_Recv;
p_session->pf_handshake = gnutls_SessionHandshake;
p_session->pf_handshake2 = gnutls_SessionContinueHandshake;
p_session->pf_close = gnutls_SessionClose;
((tls_session_sys_t *)p_session->p_sys)->b_handshaked = VLC_FALSE;
i_val = gnutls_init( &session, GNUTLS_SERVER );
if( i_val != 0 )
{
msg_Err( p_server->p_tls, "Cannot initialize TLS session : %s",
msg_Err( p_server, "Cannot initialize TLS session : %s",
gnutls_strerror( i_val ) );
return NULL;
goto error;
}
((tls_session_sys_t *)p_session->p_sys)->session = session;
i_val = gnutls_set_default_priority( session );
if( i_val < 0 )
{
msg_Err( p_server->p_tls, "Cannot set ciphers priorities : %s",
msg_Err( p_server, "Cannot set ciphers priorities : %s",
gnutls_strerror( i_val ) );
gnutls_deinit( session );
return NULL;
goto error;
}
i_val = gnutls_credentials_set( session, GNUTLS_CRD_CERTIFICATE,
......@@ -493,53 +531,33 @@ gnutls_ServerSessionPrepare( tls_server_t *p_server )
->x509_cred );
if( i_val < 0 )
{
msg_Err( p_server->p_tls, "Cannot set TLS session credentials : %s",
msg_Err( p_server, "Cannot set TLS session credentials : %s",
gnutls_strerror( i_val ) );
gnutls_deinit( session );
return NULL;
goto error;
}
/* TODO: support for client authentication */
/*gnutls_certificate_server_set_request( p_session->session,
GNUTLS_CERT_REQUEST ); */
gnutls_dh_set_prime_bits( session, get_Int( p_server->p_tls, "dh-bits" ) );
gnutls_dh_set_prime_bits( session, get_Int( p_server, "dh-bits" ) );
/* Session resumption support */
gnutls_db_set_cache_expiration( session, get_Int( p_server->p_tls,
gnutls_db_set_cache_expiration( session, get_Int( p_server,
"tls-cache-expiration" ) );
gnutls_db_set_retrieve_function( session, cb_fetch );
gnutls_db_set_remove_function( session, cb_delete );
gnutls_db_set_store_function( session, cb_store );
gnutls_db_set_ptr( session, p_server );
p_session = malloc( sizeof (struct tls_session_t) );
if( p_session == NULL )
{
gnutls_deinit( session );
return NULL;
}
p_session->p_sys = (tls_session_sys_t *)malloc( sizeof(struct tls_session_sys_t) );
if( p_session->p_sys == NULL )
{
gnutls_deinit( session );
free( p_session );
return NULL;
}
((tls_session_sys_t *)p_session->p_sys)->session = session;
p_session->p_tls = p_server->p_tls;
p_session->p_server = p_server;
p_session->sock.p_sys = p_session;
p_session->sock.pf_send = gnutls_Send;
p_session->sock.pf_recv = gnutls_Recv;
p_session->pf_handshake = gnutls_SessionHandshake;
p_session->pf_handshake2 = gnutls_SessionContinueHandshake;
p_session->pf_close = gnutls_SessionClose;
return p_session;
error:
free( p_session->p_sys );
vlc_object_detach( p_session );
vlc_object_destroy( p_session );
return NULL;
}
......@@ -556,10 +574,13 @@ gnutls_ServerDelete( tls_server_t *p_server )
p_sys = (tls_server_sys_t *)p_server->p_sys;
gnutls_certificate_free_credentials( p_sys->x509_cred );
free( p_sys->p_cache );
vlc_mutex_destroy( &p_sys->cache_lock );
vlc_object_detach( p_server );
vlc_object_destroy( p_server );
free( p_sys->p_cache );
free( p_sys );
free( p_server );
}
......@@ -583,13 +604,12 @@ gnutls_ServerAddCA( tls_server_t *p_server, const char *psz_ca_path )
GNUTLS_X509_FMT_PEM );
if( val < 0 )
{
msg_Err( p_server->p_tls, "Cannot add trusted CA (%s) : %s",
psz_ca_path, gnutls_strerror( val ) );
msg_Err( p_server, "Cannot add trusted CA (%s) : %s", psz_ca_path,
gnutls_strerror( val ) );
gnutls_ServerDelete( p_server );
return VLC_EGENERIC;
}
msg_Dbg( p_server->p_tls, " %d trusted CA added (%s)", val,
psz_ca_path );
msg_Dbg( p_server, " %d trusted CA added (%s)", val, psz_ca_path );
return VLC_SUCCESS;
}
......@@ -611,12 +631,12 @@ gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
GNUTLS_X509_FMT_PEM );
if( val < 0 )
{
msg_Err( p_server->p_tls, "Cannot add CRL (%s) : %s",
psz_crl_path, gnutls_strerror( val ) );
msg_Err( p_server, "Cannot add CRL (%s) : %s", psz_crl_path,
gnutls_strerror( val ) );
gnutls_ServerDelete( p_server );
return VLC_EGENERIC;
}
msg_Dbg( p_server->p_tls, "%d CRL added (%s)", val, psz_crl_path );
msg_Dbg( p_server, "%d CRL added (%s)", val, psz_crl_path );
return VLC_SUCCESS;
}
......@@ -628,93 +648,98 @@ gnutls_ServerAddCRL( tls_server_t *p_server, const char *psz_crl_path )
* Returns NULL on error.
*****************************************************************************/
static tls_server_t *
gnutls_ServerCreate( tls_t *p_this, const char *psz_cert_path,
const char *psz_key_path )
gnutls_ServerCreate( tls_t *p_tls, const char *psz_cert_path,
const char *psz_key_path )
{
tls_server_t *p_server;
tls_server_sys_t *p_server_sys;
tls_server_sys_t *p_sys;
int val;
msg_Dbg( p_this, "Creating TLS server" );
msg_Dbg( p_tls, "Creating TLS server" );
p_server_sys = (tls_server_sys_t *)malloc( sizeof(struct tls_server_sys_t) );
if( p_server_sys == NULL )
p_sys = (tls_server_sys_t *)malloc( sizeof(struct tls_server_sys_t) );
if( p_sys == NULL )
return NULL;
p_server_sys->i_cache_size = get_Int( p_this, "tls-cache-size" );
p_server_sys->p_cache = (struct saved_session_t *)
calloc( p_server_sys->i_cache_size,
sizeof( struct saved_session_t ) );
if( p_server_sys->p_cache == NULL )
p_sys->i_cache_size = get_Int( p_tls, "tls-cache-size" );
p_sys->p_cache = (struct saved_session_t *)calloc( p_sys->i_cache_size,
sizeof( struct saved_session_t ) );
if( p_sys->p_cache == NULL )
{
free( p_sys );
return NULL;
}
p_sys->p_store = p_sys->p_cache;
p_server = vlc_object_create( p_tls, sizeof(struct tls_server_t) );
if( p_server == NULL )
{
free( p_server_sys );
free( p_sys->p_cache );
free( p_sys );
return NULL;
}
p_server_sys->p_store = p_server_sys->p_cache;
vlc_object_attach( p_server, p_tls );
p_server->p_sys = p_sys;
p_server->pf_delete = gnutls_ServerDelete;
p_server->pf_add_CA = gnutls_ServerAddCA;
p_server->pf_add_CRL = gnutls_ServerAddCRL;
p_server->pf_session_prepare = gnutls_ServerSessionPrepare;
/* FIXME: check for errors */
vlc_mutex_init( p_this, &p_server_sys->cache_lock );
vlc_mutex_init( p_server, &p_sys->cache_lock );
/* Sets server's credentials */
val = gnutls_certificate_allocate_credentials( &p_server_sys->x509_cred );
val = gnutls_certificate_allocate_credentials( &p_sys->x509_cred );
if( val != 0 )
{
msg_Err( p_this, "Cannot allocate X509 credentials : %s",
msg_Err( p_server, "Cannot allocate X509 credentials : %s",
gnutls_strerror( val ) );
free( p_server_sys );
return NULL;
goto error;
}
val = gnutls_certificate_set_x509_key_file( p_server_sys->x509_cred,
val = gnutls_certificate_set_x509_key_file( p_sys->x509_cred,
psz_cert_path, psz_key_path,
GNUTLS_X509_FMT_PEM );
if( val < 0 )
{
msg_Err( p_this, "Cannot set certificate chain or private key : %s",
msg_Err( p_server, "Cannot set certificate chain or private key : %s",
gnutls_strerror( val ) );
gnutls_certificate_free_credentials( p_server_sys->x509_cred );
free( p_server_sys );
return NULL;
gnutls_certificate_free_credentials( p_sys->x509_cred );
goto error;
}
/* FIXME:
* - regenerate these regularly
* - support other ciper suites
*/
val = gnutls_dh_params_init( &p_server_sys->dh_params );
val = gnutls_dh_params_init( &p_sys->dh_params );
if( val >= 0 )
{
msg_Dbg( p_this, "Computing Diffie Hellman ciphers parameters" );
val = gnutls_dh_params_generate2( p_server_sys->dh_params,
get_Int( p_this, "dh-bits" ) );
msg_Dbg( p_server, "Computing Diffie Hellman ciphers parameters" );
val = gnutls_dh_params_generate2( p_sys->dh_params,
get_Int( p_tls, "dh-bits" ) );
}
if( val < 0 )
{
msg_Err( p_this, "Cannot initialize DH cipher suites : %s",
msg_Err( p_server, "Cannot initialize DH cipher suites : %s",
gnutls_strerror( val ) );
gnutls_certificate_free_credentials( p_server_sys->x509_cred );
free( p_server_sys );
return NULL;
}
msg_Dbg( p_this, "Ciphers parameters computed" );
gnutls_certificate_set_dh_params( p_server_sys->x509_cred,
p_server_sys->dh_params);
p_server = (tls_server_t *)malloc( sizeof(struct tls_server_t) );
if( p_server == NULL )
{
free( p_server_sys );
return NULL;
gnutls_certificate_free_credentials( p_sys->x509_cred );
goto error;
}
msg_Dbg( p_server, "Ciphers parameters computed" );
p_server->p_tls = p_this;
p_server->p_sys = p_server_sys;
p_server->pf_delete = gnutls_ServerDelete;
p_server->pf_add_CA = gnutls_ServerAddCA;
p_server->pf_add_CRL = gnutls_ServerAddCRL;
p_server->pf_session_prepare = gnutls_ServerSessionPrepare;
gnutls_certificate_set_dh_params( p_sys->x509_cred, p_sys->dh_params);
return p_server;
error:
vlc_mutex_destroy( &p_sys->cache_lock );
vlc_object_detach( p_server );
vlc_object_destroy( p_server );
free( p_sys );
return NULL;
}
......
......@@ -1539,7 +1539,7 @@ static void httpd_ClientClean( httpd_client_t *cl )
if( cl->fd >= 0 )
{
if( cl->p_tls != NULL )
tls_SessionClose( cl->p_tls );
tls_ServerSessionClose( cl->p_tls );
net_Close( cl->fd );
cl->fd = -1;
}
......@@ -2480,7 +2480,7 @@ static void httpd_HostThread( httpd_host_t *host )
if( p_tls != NULL)
{
switch ( tls_SessionHandshake( p_tls, fd ) )
switch ( tls_ServerSessionHandshake( p_tls, fd ) )
{
case -1:
msg_Err( host, "Rejecting TLS connection" );
......@@ -2553,6 +2553,9 @@ static void httpd_HostThread( httpd_host_t *host )
}
vlc_mutex_unlock( &host->lock );
}
if( p_tls != NULL )
tls_ServerSessionClose( p_tls );
}
#ifndef HAVE_GETADDRINFO
......
/*****************************************************************************
* tls.c
*****************************************************************************
* Copyright (C) 2004 VideoLAN
* Copyright (C) 2004-2005 VideoLAN
* $Id: httpd.c 8263 2004-07-24 09:06:58Z courmisch $
*
* Authors: Remi Denis-Courmont <courmisch@via.ecp.fr>
......@@ -55,18 +55,18 @@ tls_ServerCreate( vlc_object_t *p_this, const char *psz_cert,
if( psz_key == NULL )
psz_key = psz_cert;
p_server = __tls_ServerCreate( p_tls, psz_cert, psz_key );
p_server = p_tls->pf_server_create( p_tls, psz_cert, psz_key );
if( p_server != NULL )
{
msg_Dbg( p_this, "TLS/SSL provider initialized" );
msg_Dbg( p_tls, "TLS/SSL provider initialized" );
return p_server;
}
else
msg_Err( p_this, "TLS/SSL provider error" );
msg_Err( p_tls, "TLS/SSL provider error" );
module_Unneed( p_tls, p_tls->p_module );
}
else
msg_Err( p_this, "TLS/SSL provider not found" );
msg_Err( p_tls, "TLS/SSL provider not found" );