Commit 84af793f authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

gnutls: remove client certificate support

This was never used. The web interface requires a password instead.
parent f283e253
......@@ -65,9 +65,6 @@ struct vlc_tls_creds
module_t *module;
vlc_tls_creds_sys_t *sys;
int (*add_CA) (vlc_tls_creds_t *, const char *path);
int (*add_CRL) (vlc_tls_creds_t *, const char *path);
int (*open) (vlc_tls_creds_t *, vlc_tls_t *, int fd, const char *host);
void (*close) (vlc_tls_creds_t *, vlc_tls_t *);
};
......@@ -76,7 +73,5 @@ VLC_API vlc_tls_creds_t *vlc_tls_ClientCreate (vlc_object_t *);
vlc_tls_creds_t *vlc_tls_ServerCreate (vlc_object_t *,
const char *cert, const char *key);
VLC_API void vlc_tls_Delete (vlc_tls_creds_t *);
int vlc_tls_ServerAddCA (vlc_tls_creds_t *srv, const char *path);
int vlc_tls_ServerAddCRL (vlc_tls_creds_t *srv, const char *path);
#endif
......@@ -416,8 +416,6 @@ struct vlc_tls_creds_sys
{
gnutls_certificate_credentials_t x509_cred;
gnutls_dh_params_t dh_params; /* XXX: used for server only */
int (*handshake) (vlc_tls_t *, const char *, const char *);
/* ^^ XXX: useful for server only */
};
......@@ -438,9 +436,6 @@ static void gnutls_SessionClose (vlc_tls_creds_t *crd, vlc_tls_t *session)
}
/**
* Initializes a server-side TLS session.
*/
static int gnutls_SessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
int type, int fd)
{
......@@ -452,7 +447,10 @@ static int gnutls_SessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
session->sock.p_sys = session;
session->sock.pf_send = gnutls_Send;
session->sock.pf_recv = gnutls_Recv;
session->handshake = crd->sys->handshake;
if (type == GNUTLS_SERVER)
session->handshake = gnutls_ContinueHandshake;
else
session->handshake = gnutls_HandshakeAndValidate;
sys->handshaked = false;
int val = gnutls_init (&sys->session, type);
......@@ -485,18 +483,14 @@ error:
return VLC_EGENERIC;
}
/**
* Initializes a server-side TLS session.
*/
static int gnutls_ServerSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
int fd, const char *hostname)
{
int val = gnutls_SessionOpen (crd, session, GNUTLS_SERVER, fd);
if (val != VLC_SUCCESS)
return val;
if (session->handshake == gnutls_HandshakeAndValidate)
gnutls_certificate_server_set_request (session->sys->session,
GNUTLS_CERT_REQUIRE);
assert (hostname == NULL);
return VLC_SUCCESS;
return gnutls_SessionOpen (crd, session, GNUTLS_SERVER, fd);
}
static int gnutls_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
......@@ -520,81 +514,6 @@ static int gnutls_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
}
/**
* Adds one or more Certificate Authorities to the trusted set.
*
* @param path (UTF-8) path to an X.509 certificates list.
*
* @return -1 on error, 0 on success.
*/
static int gnutls_AddCA (vlc_tls_creds_t *crd, const char *path)
{
block_t *block = block_FilePath (path);
if (block == NULL)
{
msg_Err (crd, "cannot read trusted CA from %s: %s", path,
vlc_strerror_c(errno));
return VLC_EGENERIC;
}
gnutls_datum_t d = {
.data = block->p_buffer,
.size = block->i_buffer,
};
int val = gnutls_certificate_set_x509_trust_mem (crd->sys->x509_cred, &d,
GNUTLS_X509_FMT_PEM);
block_Release (block);
if (val < 0)
{
msg_Err (crd, "cannot load trusted CA from %s: %s", path,
gnutls_strerror (val));
return VLC_EGENERIC;
}
msg_Dbg (crd, " %d trusted CA%s added from %s", val, (val != 1) ? "s" : "",
path);
/* enables peer's certificate verification */
crd->sys->handshake = gnutls_HandshakeAndValidate;
return VLC_SUCCESS;
}
/**
* Adds a Certificates Revocation List to be sent to TLS clients.
*
* @param path (UTF-8) path of the CRL file.
*
* @return -1 on error, 0 on success.
*/
static int gnutls_AddCRL (vlc_tls_creds_t *crd, const char *path)
{
block_t *block = block_FilePath (path);
if (block == NULL)
{
msg_Err (crd, "cannot read CRL from %s: %s", path,
vlc_strerror_c(errno));
return VLC_EGENERIC;
}
gnutls_datum_t d = {
.data = block->p_buffer,
.size = block->i_buffer,
};
int val = gnutls_certificate_set_x509_crl_mem (crd->sys->x509_cred, &d,
GNUTLS_X509_FMT_PEM);
block_Release (block);
if (val < 0)
{
msg_Err (crd, "cannot add CRL (%s): %s", path, gnutls_strerror (val));
return VLC_EGENERIC;
}
msg_Dbg (crd, "%d CRL%s added from %s", val, (val != 1) ? "s" : "", path);
return VLC_SUCCESS;
}
/**
* Allocates a whole server's TLS credentials.
*/
......@@ -610,12 +529,8 @@ static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
goto error;
crd->sys = sys;
crd->add_CA = gnutls_AddCA;
crd->add_CRL = gnutls_AddCRL;
crd->open = gnutls_ServerSessionOpen;
crd->close = gnutls_SessionClose;
/* No certificate validation by default */
sys->handshake = gnutls_ContinueHandshake;
/* Sets server's credentials */
val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
......@@ -721,11 +636,8 @@ static int OpenClient (vlc_tls_creds_t *crd)
goto error;
crd->sys = sys;
//crd->add_CA = gnutls_AddCA;
//crd->add_CRL = gnutls_AddCRL;
crd->open = gnutls_ClientSessionOpen;
crd->close = gnutls_SessionClose;
sys->handshake = gnutls_HandshakeAndValidate;
int val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
if (val != 0)
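Review bot: The handshake selection added in gnutls_SessionOpen tests `type == GNUTLS_SERVER`, but gnutls_init() takes a flags word, so a future caller that ORs another init flag into `type` would silently take the client branch and a server session would run gnutls_HandshakeAndValidate (presumably peer-certificate verification) against clients that present no certificate; `if (type & GNUTLS_SERVER)` expresses the intent and is robust to that. Since the server branch now never verifies the peer and the old "No certificate validation by default" comment in OpenServer is dropped with it, the choice deserves a comment at the new `if`: `/* Server: client certificates are not supported, so the peer is never verified. */`. The body of gnutls_SessionOpen starts and ends outside the hunk.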
......
......@@ -836,16 +836,6 @@ static const char *const ppsz_prefres[] = {
#define KEY_LONGTEXT N_( \
"This private key file (PEM format) is used for server-side TLS.")
#define HTTP_CA_TEXT N_("HTTP/TLS Certificate Authority")
#define CA_LONGTEXT N_( \
"This X.509 certificate file (PEM format) can optionally be used " \
"to authenticate remote clients in TLS sessions.")
#define HTTP_CRL_TEXT N_("HTTP/TLS Certificate Revocation List")
#define CRL_LONGTEXT N_( \
"This file contains an optional CRL to prevent remote clients " \
"from using revoked certificates in TLS sessions.")
#define SOCKS_SERVER_TEXT N_("SOCKS server")
#define SOCKS_SERVER_LONGTEXT N_( \
"SOCKS proxy server to use. This must be of the form " \
......@@ -1747,9 +1737,9 @@ vlc_module_begin ()
add_obsolete_string( "sout-http-cert" ) /* since 2.0.0 */
add_loadfile( "http-key", NULL, HTTP_KEY_TEXT, KEY_LONGTEXT, true )
add_obsolete_string( "sout-http-key" ) /* since 2.0.0 */
add_loadfile( "http-ca", NULL, HTTP_CA_TEXT, CA_LONGTEXT, true )
add_obsolete_string( "http-ca" ) /* since 3.0.0 */
add_obsolete_string( "sout-http-ca" ) /* since 2.0.0 */
add_loadfile( "http-crl", NULL, HTTP_CRL_TEXT, CRL_LONGTEXT, true )
add_obsolete_string( "http-crl" ) /* since 3.0.0 */
add_obsolete_string( "sout-http-crl" ) /* since 2.0.0 */
set_section( N_( "Socks proxy") , NULL )
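Review bot: Turning `http-ca` and `http-crl` into add_obsolete_string entries makes a previously security-relevant setting silently ignored: a deployment that had configured http-ca so the server demanded client certificates will, after this change, accept any client on the HTTPS port without any warning at startup. The reasoning from the commit message belongs next to the obsolete markers so the option is not reintroduced later, e.g. `add_obsolete_string( "http-ca" ) /* since 3.0.0: client certificates unsupported, interface uses a password */`, and a release note pointing affected users at the password would help.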
......
......@@ -890,26 +890,6 @@ httpd_host_t *vlc_https_HostNew(vlc_object_t *obj)
free(key);
free(cert);
char *ca = var_InheritString(obj, "http-ca");
if (ca) {
if (vlc_tls_ServerAddCA(tls, ca)) {
msg_Err(obj, "HTTP/TLS CA error (%s)", ca);
free(ca);
goto error;
}
free(ca);
}
char *crl = var_InheritString(obj, "http-crl");
if (crl) {
if (vlc_tls_ServerAddCRL(tls, crl)) {
msg_Err(obj, "TLS CRL error (%s)", crl);
free(crl);
goto error;
}
free(crl);
}
return httpd_HostCreate(obj, "http-host", "https-port", tls);
error:
......
......@@ -143,26 +143,6 @@ void vlc_tls_Delete (vlc_tls_creds_t *crd)
}
/**
* Adds one or more certificate authorities from a file.
* @return -1 on error, 0 on success.
*/
int vlc_tls_ServerAddCA (vlc_tls_creds_t *srv, const char *path)
{
return srv->add_CA (srv, path);
}
/**
* Adds one or more certificate revocation list from a file.
* @return -1 on error, 0 on success.
*/
int vlc_tls_ServerAddCRL (vlc_tls_creds_t *srv, const char *path)
{
return srv->add_CRL (srv, path);
}
/*** TLS session ***/
vlc_tls_t *vlc_tls_SessionCreate (vlc_tls_creds_t *crd, int fd,
......