[vlc-commits] gnutls: remove client certificate support
Rémi Denis-Courmont
git at videolan.org
Fri Aug 22 22:44:40 CEST 2014
vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Fri Aug 22 23:38:43 2014 +0300| [84af793f257b4fe33897b0b92df6a838650d8752] | committer: Rémi Denis-Courmont
gnutls: remove client certificate support
This was never used. The web interface requires a password instead.
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=84af793f257b4fe33897b0b92df6a838650d8752
---
include/vlc_tls.h | 5 ---
modules/misc/gnutls.c | 104 ++++---------------------------------------------
src/libvlc-module.c | 14 +------
src/network/httpd.c | 20 ----------
src/network/tls.c | 20 ----------
5 files changed, 10 insertions(+), 153 deletions(-)
diff --git a/include/vlc_tls.h b/include/vlc_tls.h
index e9db9cc..4af2efc 100644
--- a/include/vlc_tls.h
+++ b/include/vlc_tls.h
@@ -65,9 +65,6 @@ struct vlc_tls_creds
module_t *module;
vlc_tls_creds_sys_t *sys;
- int (*add_CA) (vlc_tls_creds_t *, const char *path);
- int (*add_CRL) (vlc_tls_creds_t *, const char *path);
-
int (*open) (vlc_tls_creds_t *, vlc_tls_t *, int fd, const char *host);
void (*close) (vlc_tls_creds_t *, vlc_tls_t *);
};
@@ -76,7 +73,5 @@ VLC_API vlc_tls_creds_t *vlc_tls_ClientCreate (vlc_object_t *);
vlc_tls_creds_t *vlc_tls_ServerCreate (vlc_object_t *,
const char *cert, const char *key);
VLC_API void vlc_tls_Delete (vlc_tls_creds_t *);
-int vlc_tls_ServerAddCA (vlc_tls_creds_t *srv, const char *path);
-int vlc_tls_ServerAddCRL (vlc_tls_creds_t *srv, const char *path);
#endif
diff --git a/modules/misc/gnutls.c b/modules/misc/gnutls.c
index 5a1bf3b..c14eb83 100644
--- a/modules/misc/gnutls.c
+++ b/modules/misc/gnutls.c
@@ -416,8 +416,6 @@ struct vlc_tls_creds_sys
{
gnutls_certificate_credentials_t x509_cred;
gnutls_dh_params_t dh_params; /* XXX: used for server only */
- int (*handshake) (vlc_tls_t *, const char *, const char *);
- /* ^^ XXX: useful for server only */
};
@@ -438,9 +436,6 @@ static void gnutls_SessionClose (vlc_tls_creds_t *crd, vlc_tls_t *session)
}
-/**
- * Initializes a server-side TLS session.
- */
static int gnutls_SessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
int type, int fd)
{
@@ -452,7 +447,10 @@ static int gnutls_SessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
session->sock.p_sys = session;
session->sock.pf_send = gnutls_Send;
session->sock.pf_recv = gnutls_Recv;
- session->handshake = crd->sys->handshake;
+ if (type == GNUTLS_SERVER)
+ session->handshake = gnutls_ContinueHandshake;
+ else
+ session->handshake = gnutls_HandshakeAndValidate;
sys->handshaked = false;
int val = gnutls_init (&sys->session, type);
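Review bot: The new `if (type == GNUTLS_SERVER)` branch encodes a policy change that the code no longer explains: server sessions now never verify the peer and client sessions always do, where previously gnutls_AddCA switched validation on at runtime. A short comment would stop the next reader from "fixing" the unconditional arm, e.g. `/* Servers no longer request a client certificate; clients always verify the peer. */` above the `if`. The exact comparison also only holds while callers pass a bare GNUTLS_SERVER or GNUTLS_CLIENT as `type`; if a flag were ever ORed into the value handed to gnutls_init(), the else arm would silently install the validating handshake on a server, so `if (type & GNUTLS_SERVER)` would be the more robust test (the callers are outside this hunk, so this is a precaution rather than a reported defect). gnutls_SessionOpen's body continues past the end of the hunk.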
@@ -485,18 +483,14 @@ error:
return VLC_EGENERIC;
}
+/**
+ * Initializes a server-side TLS session.
+ */
static int gnutls_ServerSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
int fd, const char *hostname)
{
- int val = gnutls_SessionOpen (crd, session, GNUTLS_SERVER, fd);
- if (val != VLC_SUCCESS)
- return val;
-
- if (session->handshake == gnutls_HandshakeAndValidate)
- gnutls_certificate_server_set_request (session->sys->session,
- GNUTLS_CERT_REQUIRE);
assert (hostname == NULL);
- return VLC_SUCCESS;
+ return gnutls_SessionOpen (crd, session, GNUTLS_SERVER, fd);
}
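Review bot: The doxygen block moved onto gnutls_ServerSessionOpen documents neither parameter nor the return value, and the only contract the function enforces, `assert (hostname == NULL)`, disappears under NDEBUG so a non-NULL hostname is silently ignored in release builds. Add `* @param hostname must be NULL (unused on the server side; only checked by assert())` and `* @return VLC_SUCCESS, or VLC_EGENERIC from gnutls_SessionOpen() on failure` to the comment so the contract survives without the assertion. Whether callers can actually pass a non-NULL hostname is not visible here.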
static int gnutls_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
@@ -521,81 +515,6 @@ static int gnutls_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
/**
- * Adds one or more Certificate Authorities to the trusted set.
- *
- * @param path (UTF-8) path to an X.509 certificates list.
- *
- * @return -1 on error, 0 on success.
- */
-static int gnutls_AddCA (vlc_tls_creds_t *crd, const char *path)
-{
- block_t *block = block_FilePath (path);
- if (block == NULL)
- {
- msg_Err (crd, "cannot read trusted CA from %s: %s", path,
- vlc_strerror_c(errno));
- return VLC_EGENERIC;
- }
-
- gnutls_datum_t d = {
- .data = block->p_buffer,
- .size = block->i_buffer,
- };
-
- int val = gnutls_certificate_set_x509_trust_mem (crd->sys->x509_cred, &d,
- GNUTLS_X509_FMT_PEM);
- block_Release (block);
- if (val < 0)
- {
- msg_Err (crd, "cannot load trusted CA from %s: %s", path,
- gnutls_strerror (val));
- return VLC_EGENERIC;
- }
- msg_Dbg (crd, " %d trusted CA%s added from %s", val, (val != 1) ? "s" : "",
- path);
-
- /* enables peer's certificate verification */
- crd->sys->handshake = gnutls_HandshakeAndValidate;
- return VLC_SUCCESS;
-}
-
-
-/**
- * Adds a Certificates Revocation List to be sent to TLS clients.
- *
- * @param path (UTF-8) path of the CRL file.
- *
- * @return -1 on error, 0 on success.
- */
-static int gnutls_AddCRL (vlc_tls_creds_t *crd, const char *path)
-{
- block_t *block = block_FilePath (path);
- if (block == NULL)
- {
- msg_Err (crd, "cannot read CRL from %s: %s", path,
- vlc_strerror_c(errno));
- return VLC_EGENERIC;
- }
-
- gnutls_datum_t d = {
- .data = block->p_buffer,
- .size = block->i_buffer,
- };
-
- int val = gnutls_certificate_set_x509_crl_mem (crd->sys->x509_cred, &d,
- GNUTLS_X509_FMT_PEM);
- block_Release (block);
- if (val < 0)
- {
- msg_Err (crd, "cannot add CRL (%s): %s", path, gnutls_strerror (val));
- return VLC_EGENERIC;
- }
- msg_Dbg (crd, "%d CRL%s added from %s", val, (val != 1) ? "s" : "", path);
- return VLC_SUCCESS;
-}
-
-
-/**
* Allocates a whole server's TLS credentials.
*/
static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
@@ -610,12 +529,8 @@ static int OpenServer (vlc_tls_creds_t *crd, const char *cert, const char *key)
goto error;
crd->sys = sys;
- crd->add_CA = gnutls_AddCA;
- crd->add_CRL = gnutls_AddCRL;
crd->open = gnutls_ServerSessionOpen;
crd->close = gnutls_SessionClose;
- /* No certificate validation by default */
- sys->handshake = gnutls_ContinueHandshake;
/* Sets server's credentials */
val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
@@ -721,11 +636,8 @@ static int OpenClient (vlc_tls_creds_t *crd)
goto error;
crd->sys = sys;
- //crd->add_CA = gnutls_AddCA;
- //crd->add_CRL = gnutls_AddCRL;
crd->open = gnutls_ClientSessionOpen;
crd->close = gnutls_SessionClose;
- sys->handshake = gnutls_HandshakeAndValidate;
int val = gnutls_certificate_allocate_credentials (&sys->x509_cred);
if (val != 0)
diff --git a/src/libvlc-module.c b/src/libvlc-module.c
index 17c0993..539d52e 100644
--- a/src/libvlc-module.c
+++ b/src/libvlc-module.c
@@ -836,16 +836,6 @@ static const char *const ppsz_prefres[] = {
#define KEY_LONGTEXT N_( \
"This private key file (PEM format) is used for server-side TLS.")
-#define HTTP_CA_TEXT N_("HTTP/TLS Certificate Authority")
-#define CA_LONGTEXT N_( \
- "This X.509 certificate file (PEM format) can optionally be used " \
- "to authenticate remote clients in TLS sessions.")
-
-#define HTTP_CRL_TEXT N_("HTTP/TLS Certificate Revocation List")
-#define CRL_LONGTEXT N_( \
- "This file contains an optional CRL to prevent remote clients " \
- "from using revoked certificates in TLS sessions.")
-
#define SOCKS_SERVER_TEXT N_("SOCKS server")
#define SOCKS_SERVER_LONGTEXT N_( \
"SOCKS proxy server to use. This must be of the form " \
@@ -1747,9 +1737,9 @@ vlc_module_begin ()
add_obsolete_string( "sout-http-cert" ) /* since 2.0.0 */
add_loadfile( "http-key", NULL, HTTP_KEY_TEXT, KEY_LONGTEXT, true )
add_obsolete_string( "sout-http-key" ) /* since 2.0.0 */
- add_loadfile( "http-ca", NULL, HTTP_CA_TEXT, CA_LONGTEXT, true )
+ add_obsolete_string( "http-ca" ) /* since 3.0.0 */
add_obsolete_string( "sout-http-ca" ) /* since 2.0.0 */
- add_loadfile( "http-crl", NULL, HTTP_CRL_TEXT, CRL_LONGTEXT, true )
+ add_obsolete_string( "http-crl" ) /* since 3.0.0 */
add_obsolete_string( "sout-http-crl" ) /* since 2.0.0 */
set_section( N_( "Socks proxy") , NULL )
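Review bot: Demoting `http-ca` and `http-crl` to `add_obsolete_string` means a configuration that still sets them is now accepted silently, and with it the peer-certificate requirement that gnutls_AddCA used to enable (GNUTLS_CERT_REQUIRE) disappears without any error at startup. The commit message only covers the web interface, but the same credentials back every HTTPS host created through vlc_https_HostNew, so a deployment that relied on client certificates rather than a password as its access control would keep serving, now to any client; that is the kind of regression that deserves an explicit NEWS entry and, ideally, a one-time `msg_Warn` when the obsolete option is still set (whether add_obsolete_string already logs is not visible here). The `/* since 3.0.0 */` markers also pre-suppose the next release number; confirm they match the version these land in.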
diff --git a/src/network/httpd.c b/src/network/httpd.c
index b8fb979..aa25c74 100644
--- a/src/network/httpd.c
+++ b/src/network/httpd.c
@@ -890,26 +890,6 @@ httpd_host_t *vlc_https_HostNew(vlc_object_t *obj)
free(key);
free(cert);
- char *ca = var_InheritString(obj, "http-ca");
- if (ca) {
- if (vlc_tls_ServerAddCA(tls, ca)) {
- msg_Err(obj, "HTTP/TLS CA error (%s)", ca);
- free(ca);
- goto error;
- }
- free(ca);
- }
-
- char *crl = var_InheritString(obj, "http-crl");
- if (crl) {
- if (vlc_tls_ServerAddCRL(tls, crl)) {
- msg_Err(obj, "TLS CRL error (%s)", crl);
- free(crl);
- goto error;
- }
- free(crl);
- }
-
return httpd_HostCreate(obj, "http-host", "https-port", tls);
error:
diff --git a/src/network/tls.c b/src/network/tls.c
index 8874e70..fde45dc 100644
--- a/src/network/tls.c
+++ b/src/network/tls.c
@@ -143,26 +143,6 @@ void vlc_tls_Delete (vlc_tls_creds_t *crd)
}
-/**
- * Adds one or more certificate authorities from a file.
- * @return -1 on error, 0 on success.
- */
-int vlc_tls_ServerAddCA (vlc_tls_creds_t *srv, const char *path)
-{
- return srv->add_CA (srv, path);
-}
-
-
-/**
- * Adds one or more certificate revocation list from a file.
- * @return -1 on error, 0 on success.
- */
-int vlc_tls_ServerAddCRL (vlc_tls_creds_t *srv, const char *path)
-{
- return srv->add_CRL (srv, path);
-}
-
-
/*** TLS session ***/
vlc_tls_t *vlc_tls_SessionCreate (vlc_tls_creds_t *crd, int fd,