vlc | branch: master | Rémi Denis-Courmont <[email protected]> | Fri Aug 22 23:38:43 2014 +0300| [84af793f257b4fe33897b0b92df6a838650d8752] | committer: Rémi Denis-Courmont
gnutls: remove client certificate support
This was never used. The web interface requires a password instead.
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=84af793f257b4fe33897b0b92df6a838650d8752
---
 include/vlc_tls.h | 5 ---
 modules/misc/gnutls.c | 104 ++++---------------------------------------
 src/libvlc-module.c | 14 +------
 src/network/httpd.c | 20 ----------
 src/network/tls.c | 20 ----------
 5 files changed, 10 insertions(+), 153 deletions(-)
diff --git a/include/vlc_tls.h b/include/vlc_tls.h
index e9db9cc..4af2efc 100644
--- a/include/vlc_tls.h
+++ b/include/vlc_tls.h
@@ -65,9 +65,6 @@ struct vlc_tls_creds
     module_t *module;
     vlc_tls_creds_sys_t *sys;
-    int (*add_CA) (vlc_tls_creds_t *, const char *path);
-    int (*add_CRL) (vlc_tls_creds_t *, const char *path);
-
     int (*open) (vlc_tls_creds_t *, vlc_tls_t *, int fd, const char *host);
     void (*close) (vlc_tls_creds_t *, vlc_tls_t *);
 };
@@ -76,7 +73,5 @@ VLC_API vlc_tls_creds_t *vlc_tls_ClientCreate (vlc_object_t *);
 vlc_tls_creds_t *vlc_tls_ServerCreate (vlc_object_t *, const char *cert, const char *key);
 VLC_API void vlc_tls_Delete (vlc_tls_creds_t *);
-int vlc_tls_ServerAddCA (vlc_tls_creds_t *srv, const char *path);
-int vlc_tls_ServerAddCRL (vlc_tls_creds_t *srv, const char *path);
 #endif
diff --git a/modules/misc/gnutls.c b/modules/misc/gnutls.c
index 5a1bf3b..c14eb83 100644
--- a/modules/misc/gnutls.c
+++ b/modules/misc/gnutls.c
@@ -416,8 +416,6 @@ struct vlc_tls_creds_sys
 {
     gnutls_certificate_credentials_t x509_cred;
     gnutls_dh_params_t dh_params; /* XXX: used for server only */
-    int (*handshake) (vlc_tls_t *, const char *, const char *);
-        /* ^^ XXX: useful for server only */
 };
@@ -438,9 +436,6 @@ static void gnutls_SessionClose (vlc_tls_creds_t *crd, vlc_tls_t *session)
 }
-/**
- * Initializes a server-side TLS session.
- */
 static int gnutls_SessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
                                int type, int fd)
 {
@@ -452,7 +447,10 @@ static int gnutls_SessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
     session->sock.p_sys = session;
     session->sock.pf_send = gnutls_Send;
     session->sock.pf_recv = gnutls_Recv;
-    session->handshake = crd->sys->handshake;
+    if (type == GNUTLS_SERVER)
+        session->handshake = gnutls_ContinueHandshake;
+    else
+        session->handshake = gnutls_HandshakeAndValidate;
     sys->handshaked = false;
     int val = gnutls_init (&sys->session, type);
@@ -485,18 +483,14 @@ error:
     return VLC_EGENERIC;
 }
+/**
+ * Initializes a server-side TLS session.
+ */
 static int gnutls_ServerSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session, int fd, const char *hostname)
 {
-    int val = gnutls_SessionOpen (crd, session, GNUTLS_SERVER, fd);
-    if (val != VLC_SUCCESS)
-        return val;
-
-    if (session->handshake == gnutls_HandshakeAndValidate)
-        gnutls_certificate_server_set_request (session->sys->session,
-                                               GNUTLS_CERT_REQUIRE);
     assert (hostname == NULL);
-    return VLC_SUCCESS;
+    return gnutls_SessionOpen (crd, session, GNUTLS_SERVER, fd);
 }
 static int gnutls_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
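Review bot: The handshake selection added in gnutls_SessionOpen keys on exact equality, `if (type == GNUTLS_SERVER)`, while gnutls_init takes a flags word in which GNUTLS_SERVER is a single bit; a caller that ever ORs another init flag into `type` would silently fall into the client branch and run gnutls_HandshakeAndValidate against a peer that presents no certificate. Both call sites visible in this commit pass the bare constant, so this is a robustness point rather than a live bug, and `if (type & GNUTLS_SERVER)` would stay correct if flags were ever combined. The branch also deserves a comment recording the policy this commit establishes, e.g. `/* Server side never verifies the peer (client certificates are not supported); client side always validates the server certificate. */`, since the removed per-credential handshake pointer was the only place that intent used to live. gnutls_SessionOpen starts before this hunk and its body continues after it.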
@@ -521,81 +515,6 @@ static int gnutls_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
 /**
- * Adds one or more Certificate Authorities to the trusted set.
- *
- * @param path (UTF-8) path to an X.509 certificates list.
- *
- * @return -1 on error, 0 on success.
- */
-static int gnutls_AddCA (vlc_tls_creds_t *crd, const char *path)
-{
-    block_t *block = block_FilePath (path);
-    if (block == NULL)
-    {
-        msg_Err (crd, "cannot read trusted CA from %s: %s", path,
-                 vlc_strerror_c(errno));
-        return VLC_EGENERIC;
-    }
-
-    gnutls_datum_t d = {
-        .data = block->p_buffer,
-        .size = block->i_buffer,
-    };
-
-    int val = gnutls_certificate_set_x509_trust_mem (crd->sys->x509_cred, &d,
-                                                     GNUTLS_X509_FMT_PEM);
-    block_Release (block);
-    if (val < 0)
-    {
-        msg_Err (crd, "cannot load trusted CA from %s: %s", path,
-                 gnutls_strerror (val));
-        return VLC_EGENERIC;
-    }
-    msg_Dbg (crd, " %d trusted CA%s added from %s", val, (val != 1) ? "s" : "",
-             path);
-
-    /* enables peer's certificate verification */
-    crd->sys->handshake = gnutls_HandshakeAndValidate;
-    return VLC_SUCCESS;
-}
-
-
-/**
- * Adds a Certificates Revocation List to be sent to TLS clients.
- *
- * @param path (UTF-8) path of the CRL file.
- *
- * @return -1 on error, 0 on success.
- */
-static int gnutls_AddCRL (vlc_tls_creds_t *crd, const char *path)
-{
-    block_t *block = block_FilePath (path);
-    if (block == NULL)
-    {
-        msg_Err (crd, "cannot read CRL from %s: %s", path,
-                 vlc_strerror_c(errno));
-        return VLC_EGENERIC;
-    }
-
-    gnutls_datum_t d = {
-        .data = block->p_buffer,
-        .size = block->i_buffer,
-    };
-
-    int val = gnutls_certificate_set_x509_crl_mem (crd->sys->x509_cred, &d,
-                                                   GNUTLS_X509_FMT_PEM);
-    block_Release (block);
-    if (val < 0)
-    {
-        msg_Err (crd, "cannot add CRL (%s): %s", path, gnutls_strerror (val));
-        return VLC_EGENERIC;
-    }
-    msg_Dbg (crd, "%d CRL%s added from %s", val, (val != 1) ? "s" : "", path);
-    return VLC_SUCCESS;
-}
-
-
-/**
  * Allocates a whole server's TLS credentials.
  */
 static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
@@ -610,12 +529,8 @@ static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
         goto error;
     crd->sys = sys;
-    crd->add_CA = gnutls_AddCA;
-    crd->add_CRL = gnutls_AddCRL;
     crd->open = gnutls_ServerSessionOpen;
     crd->close = gnutls_SessionClose;
-    /* No certificate validation by default */
-    sys->handshake = gnutls_ContinueHandshake;
     /* Sets server's credentials */
     val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
@@ -721,11 +636,8 @@ static int OpenClient (vlc_tls_creds_t *crd)
         goto error;
     crd->sys = sys;
-    //crd->add_CA = gnutls_AddCA;
-    //crd->add_CRL = gnutls_AddCRL;
     crd->open = gnutls_ClientSessionOpen;
     crd->close = gnutls_SessionClose;
-    sys->handshake = gnutls_HandshakeAndValidate;
     int val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
     if (val != 0)
diff --git a/src/libvlc-module.c b/src/libvlc-module.c
index 17c0993..539d52e 100644
--- a/src/libvlc-module.c
+++ b/src/libvlc-module.c
@@ -836,16 +836,6 @@ static const char *const ppsz_prefres[] = {
 #define KEY_LONGTEXT N_( \
     "This private key file (PEM format) is used for server-side TLS.")
-#define HTTP_CA_TEXT N_("HTTP/TLS Certificate Authority")
-#define CA_LONGTEXT N_( \
-    "This X.509 certificate file (PEM format) can optionally be used " \
-    "to authenticate remote clients in TLS sessions.")
-
-#define HTTP_CRL_TEXT N_("HTTP/TLS Certificate Revocation List")
-#define CRL_LONGTEXT N_( \
-    "This file contains an optional CRL to prevent remote clients " \
-    "from using revoked certificates in TLS sessions.")
-
 #define SOCKS_SERVER_TEXT N_("SOCKS server")
 #define SOCKS_SERVER_LONGTEXT N_( \
     "SOCKS proxy server to use. This must be of the form " \
@@ -1747,9 +1737,9 @@ vlc_module_begin ()
     add_obsolete_string( "sout-http-cert" ) /* since 2.0.0 */
     add_loadfile( "http-key", NULL, HTTP_KEY_TEXT, KEY_LONGTEXT, true )
     add_obsolete_string( "sout-http-key" ) /* since 2.0.0 */
-    add_loadfile( "http-ca", NULL, HTTP_CA_TEXT, CA_LONGTEXT, true )
+    add_obsolete_string( "http-ca" ) /* since 3.0.0 */
     add_obsolete_string( "sout-http-ca" ) /* since 2.0.0 */
-    add_loadfile( "http-crl", NULL, HTTP_CRL_TEXT, CRL_LONGTEXT, true )
+    add_obsolete_string( "http-crl" ) /* since 3.0.0 */
     add_obsolete_string( "sout-http-crl" ) /* since 2.0.0 */
     set_section( N_( "Socks proxy") , NULL )
diff --git a/src/network/httpd.c b/src/network/httpd.c
index b8fb979..aa25c74 100644
--- a/src/network/httpd.c
+++ b/src/network/httpd.c
@@ -890,26 +890,6 @@ httpd_host_t *vlc_https_HostNew(vlc_object_t *obj)
     free(key);
     free(cert);
-    char *ca = var_InheritString(obj, "http-ca");
-    if (ca) {
-        if (vlc_tls_ServerAddCA(tls, ca)) {
-            msg_Err(obj, "HTTP/TLS CA error (%s)", ca);
-            free(ca);
-            goto error;
-        }
-        free(ca);
-    }
-
-    char *crl = var_InheritString(obj, "http-crl");
-    if (crl) {
-        if (vlc_tls_ServerAddCRL(tls, crl)) {
-            msg_Err(obj, "TLS CRL error (%s)", crl);
-            free(crl);
-            goto error;
-        }
-        free(crl);
-    }
-
     return httpd_HostCreate(obj, "http-host", "https-port", tls);
 error:
diff --git a/src/network/tls.c b/src/network/tls.c
index 8874e70..fde45dc 100644
--- a/src/network/tls.c
+++ b/src/network/tls.c
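Review bot: The two `add_obsolete_string( "http-ca" )` / `add_obsolete_string( "http-crl" )` lines retire the options without recording what a deployment that had set them loses: with the gnutls_certificate_server_set_request call gone from gnutls_ServerSessionOpen, an https host created by vlc_https_HostNew (httpd.c hunk on this line) now admits any client without requesting a certificate, where a configured http-ca previously made that mandatory. Unless add_obsolete_string already warns when an obsolete option is still set in a user's configuration — not visible here — a NEWS entry stating that client-certificate authentication for the web interface has been removed would make the silent loss of that control visible to administrators. The `/* since 3.0.0 */` tags could also carry the reason, e.g. `/* since 3.0.0: client certificate authentication removed */`, matching the commit message.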
@@ -143,26 +143,6 @@ void vlc_tls_Delete (vlc_tls_creds_t *crd)
 }
-/**
- * Adds one or more certificate authorities from a file.
- * @return -1 on error, 0 on success.
- */
-int vlc_tls_ServerAddCA (vlc_tls_creds_t *srv, const char *path)
-{
-    return srv->add_CA (srv, path);
-}
-
-
-/**
- * Adds one or more certificate revocation list from a file.
- * @return -1 on error, 0 on success.
- */
-int vlc_tls_ServerAddCRL (vlc_tls_creds_t *srv, const char *path)
-{
-    return srv->add_CRL (srv, path);
-}
-
-
 /*** TLS session ***/
 vlc_tls_t *vlc_tls_SessionCreate (vlc_tls_creds_t *crd, int fd,
_______________________________________________
vlc-commits mailing list
[email protected]
https://mailman.videolan.org/listinfo/vlc-commits
