[vlc-devel] [PATCH] Add secure transport TLS module

david.fuhrmann at gmail.com david.fuhrmann at gmail.com
Sat Dec 14 00:50:01 CET 2013


From: David Fuhrmann <david.fuhrmann at googlemail.com>

Secure Transport is a TLS library part of the Security framework
(preinstalled on every iOS and MacOS device). This library does
certificate validation during handshake automatically using the
root certificates from the preinstalled certificate store.

The main reason for this module is proper certificate validation
on iOS devices. This is not possible with gnutls, because there is
no access to the root certificates for external applications.
The module is also intended for use on OSX.
---
 configure.ac                   |  14 ++
 modules/misc/Modules.am        |   7 +
 modules/misc/securetransport.c | 406 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 427 insertions(+)
 create mode 100644 modules/misc/securetransport.c

diff --git a/configure.ac b/configure.ac
index 5f7ed24..c36fee8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3989,6 +3989,20 @@ AS_IF([test "${enable_gnutls}" != "no"], [
   ])
 ])
 
+dnl
+dnl SecureTransport
+dnl
+AC_ARG_ENABLE(securetransport,
+  [  --enable-securetransport         Secure Transport TLS/SSL support (default disabled)])
+
+if test "${enable_securetransport}" = "yes"
+then
+  AC_CHECK_HEADERS(Security/Security.h, [
+    VLC_ADD_PLUGIN([securetransport])
+  ], [
+    AC_MSG_ERROR(["Cannot enable secure transport module"])
+  ])
+fi
 
 dnl
 dnl Taglib plugin
diff --git a/modules/misc/Modules.am b/modules/misc/Modules.am
index 4858c09..3ce3def 100644
--- a/modules/misc/Modules.am
+++ b/modules/misc/Modules.am
@@ -32,6 +32,13 @@ endif
 EXTRA_LTLIBRARIES += libgnutls_plugin.la
 misc_LTLIBRARIES += $(LTLIBgnutls)
 
+libsecuretransport_plugin_la_SOURCES = securetransport.c
+libsecuretransport_plugin_la_CFLAGS = $(AM_CFLAGS) $(SECURETRANSPORT_CFLAGS)
+libsecuretransport_plugin_la_LIBADD = $(SECURETRANSPORT_LIBS)
+libsecuretransport_plugin_la_LDFLAGS = $(AM_LDFLAGS) -rpath '$(miscdir)' -Wl,-framework,Security,-framework,CoreFoundation
+EXTRA_LTLIBRARIES += libsecuretransport_plugin.la
+misc_LTLIBRARIES += $(LTLIBsecuretransport)
+
 libxdg_screensaver_plugin_la_SOURCES = inhibit/xdg.c
 if HAVE_XCB
 misc_LTLIBRARIES += libxdg_screensaver_plugin.la
diff --git a/modules/misc/securetransport.c b/modules/misc/securetransport.c
new file mode 100644
index 0000000..7d3e2f7
--- /dev/null
+++ b/modules/misc/securetransport.c
@@ -0,0 +1,406 @@
+/*****************************************************************************
+ * securetransport.c
+ *****************************************************************************
+ * Copyright (C) 2013 David Fuhrmann
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Öesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
+ *****************************************************************************/
+
+/*****************************************************************************
+ * Preamble
+ *****************************************************************************/
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <vlc_common.h>
+#include <vlc_plugin.h>
+#include <vlc_tls.h>
+
+#include <Security/SecureTransport.h>
+#include <TargetConditionals.h>
+
+/* From MacTypes.h (cannot be included because it isn't present in iOS: */
+#define ioErr -36
+
+/*****************************************************************************
+ * Module descriptor
+ *****************************************************************************/
+static int  OpenClient  (vlc_tls_creds_t *);
+static void CloseClient (vlc_tls_creds_t *);
+
+vlc_module_begin ()
+    set_shortname("Secure Transport TLS")
+    set_description(N_("TLS implementation using Secure Transport"))
+    set_capability("tls client", 2)
+    set_callbacks(OpenClient, CloseClient)
+    set_category(CAT_ADVANCED)
+    set_subcategory(SUBCAT_ADVANCED_NETWORK)
+vlc_module_end ()
+
+
+struct vlc_tls_sys {
+    SSLContextRef p_context;
+    int i_fd;
+    size_t i_send_buffered_bytes;
+
+    bool b_blocking_send;
+    bool b_handshaked;
+};
+
+static int st_Error (vlc_tls_t *obj, int val)
+{
+    switch (val)
+    {
+        /* peer performed shutdown */
+        case errSSLClosedGraceful:
+        case errSSLClosedNoNotify:
+            return 0;
+
+        case errSSLWouldBlock:
+            errno = EAGAIN;
+            break;
+
+        default:
+            msg_Err (obj, "Found error %d", val);
+            errno = ECONNRESET;
+    }
+    return -1;
+}
+
+/*
+ * Read function called by secure transport for socket read.
+ *
+ * Function is based on Apples SSLSample sample code.
+ */
+static OSStatus st_SocketReadFunc (SSLConnectionRef connection,
+                                   void *data,
+                                   size_t *dataLength) {
+
+    vlc_tls_t *session = (vlc_tls_t *)connection;
+    vlc_tls_sys_t *sys = session->sys;
+
+    size_t bytesToGo = *dataLength;
+    size_t initLen = bytesToGo;
+    UInt8 *currData = (UInt8 *)data;
+    OSStatus retValue = noErr;
+    ssize_t val;
+
+    for(;;) {
+        val = read(sys->i_fd, currData, bytesToGo);
+        if (val <= 0) {
+            if(val == 0) {
+                retValue = errSSLClosedGraceful;
+            } else /* do the switch */
+                switch(errno) {
+                    case ENOENT:
+                        /* connection closed */
+                        retValue = errSSLClosedGraceful;
+                        break;
+                    case ECONNRESET:
+                        retValue = errSSLClosedAbort;
+                        break;
+                    case EAGAIN:
+                        retValue = errSSLWouldBlock;
+                        sys->b_blocking_send = false;
+                        break;
+                    default:
+                        msg_Err(session, "try to read %d bytes, got error %d",
+                                (int)bytesToGo, errno);
+                        retValue = ioErr;
+                        break;
+                }
+            break;
+        } else {
+            bytesToGo -= val;
+            currData += val;
+        }
+
+        if(bytesToGo == 0) {
+            /* filled buffer with incoming data, done */
+            break;
+        }
+    }
+    *dataLength = initLen - bytesToGo;
+
+    return retValue;
+}
+
+/*
+ * Write function called by secure transport for socket read.
+ *
+ * Function is based on Apples SSLSample sample code.
+ */
+static OSStatus st_SocketWriteFunc (SSLConnectionRef connection,
+                                    const void *data,
+                                    size_t *dataLength) {
+
+    vlc_tls_t *session = (vlc_tls_t *)connection;
+    vlc_tls_sys_t *sys = session->sys;
+
+    size_t bytesSent = 0;
+    size_t dataLen = *dataLength;
+    OSStatus retValue = noErr;
+    ssize_t val;
+
+    do {
+        val = write(sys->i_fd, (char *)data + bytesSent, dataLen - bytesSent);
+    } while (val >= 0 && (bytesSent += val) < dataLen);
+
+	if(val < 0) {
+		if(errno == EAGAIN) {
+			retValue = errSSLWouldBlock;
+            sys->b_blocking_send = true;
+		} else {
+			retValue = ioErr;
+		}
+	}
+
+	*dataLength = bytesSent;
+	return retValue;
+}
+
+/*
+ * @return -1 on fatal error, 0 on successful handshake completion,
+ * 1 if more would-be blocking recv is needed,
+ * 2 if more would-be blocking send is required.
+ */
+static int st_Handshake (vlc_tls_t *session, const char *host,
+                                        const char *service) {
+    VLC_UNUSED(host);
+    VLC_UNUSED(service);
+
+    vlc_tls_sys_t *sys = session->sys;
+
+    OSStatus retValue = SSLHandshake(sys->p_context);
+
+    if (retValue == errSSLWouldBlock) {
+        msg_Dbg(session, "handshake is blocked, try again later");
+        return 1 + (sys->b_blocking_send ? 1 : 0);
+    }
+
+    sys->b_handshaked = true;
+
+    switch (retValue) {
+        case noErr:
+            msg_Dbg(session, "handshake completed sucessfully");
+            return 0;
+
+        case errSSLUnknownRootCert:
+            msg_Err(session, "Certificate verification failed, unknown root certificate");
+            return -1;
+        case errSSLNoRootCert:
+            msg_Err(session, "Certificate verification failed, no root certificate");
+            return -1;
+        case errSSLCertExpired:
+            msg_Err(session, "Certificate verification failed because its expired");
+            return -1;
+        case errSSLCertNotYetValid:
+            msg_Err(session, "Certificate verification failed because its not valid yet");
+            return -1;
+        case errSSLXCertChainInvalid:
+            msg_Err(session, "Certificate chain verification failed");
+            return -1;
+
+        case errSSLHostNameMismatch:
+            msg_Err(session, "Certificate verification failed, hostname does not match");
+            return -1;
+
+        case errSSLConnectionRefused:
+            msg_Err(session, "connection was refused");
+            return -1;
+        case errSSLNegotiation:
+            msg_Err(session, "cipher suite negotiation failed");
+            return -1;
+        case errSSLFatalAlert:
+            msg_Err(session, "fatal error occured during handshake");
+            return -1;
+
+        default:
+            msg_Err(session, "handshake returned error %d", retValue);
+            return -1;
+    }
+}
+
+/**
+ * Sends data through a TLS session.
+ */
+static int st_Send (void *opaque, const void *buf, size_t length)
+{
+    vlc_tls_t *session = opaque;
+    vlc_tls_sys_t *sys = session->sys;
+    OSStatus ret = noErr;
+
+    /*
+     * SSLWrite does not return the number of bytes actually written to
+     * the socket, but the number of bytes written to the internal cache.
+     *
+     * If return value is errSSLWouldBlock, the underlying socket cannot
+     * send all data, but the data is already cached. In this situation,
+     * we need to call SSLWrite again. To ensure this call even for the
+     * last bytes, we return EAGAIN. On the next call, we give no new data
+     * to SSLWrite until the error is not errSSLWouldBlock anymore.
+     *
+     * This code is adapted the same way as done in curl.
+     * (https://github.com/bagder/curl/blob/master/lib/curl_darwinssl.c#L2067)
+     */
+
+    size_t actualSize;
+    if (sys->i_send_buffered_bytes > 0) {
+        ret = SSLWrite(sys->p_context, NULL, 0, &actualSize);
+
+        if (ret == noErr) {
+            /* actualSize remains zero because no new data send */
+            actualSize = sys->i_send_buffered_bytes;
+            sys->i_send_buffered_bytes = 0;
+        }
+
+    } else {
+        ret = SSLWrite(sys->p_context, buf, length, &actualSize);
+
+        if (ret == errSSLWouldBlock) {
+            sys->i_send_buffered_bytes = length;
+        }
+    }
+
+    return ret != noErr ? st_Error(session, ret) : actualSize;
+}
+
+/**
+ * Receives data through a TLS session.
+ */
+static int st_Recv (void *opaque, void *buf, size_t length)
+{
+    vlc_tls_t *session = opaque;
+    vlc_tls_sys_t *sys = session->sys;
+
+    size_t actualSize;
+    OSStatus ret = SSLRead(sys->p_context, buf, length, &actualSize);
+
+    if(ret == errSSLWouldBlock && actualSize)
+        return actualSize;
+
+    return ret != noErr ? st_Error(session, ret) : actualSize;
+}
+
+/**
+ * Closes a client-side TLS credentials.
+ */
+static void st_ClientSessionClose (vlc_tls_creds_t *crd, vlc_tls_t *session) {
+
+    VLC_UNUSED(crd);
+
+    vlc_tls_sys_t *sys = session->sys;
+    msg_Dbg(session, "close session");
+
+    if(sys->b_handshaked) {
+        OSStatus ret = SSLClose(sys->p_context);
+        if(ret != noErr) {
+            msg_Err(session, "error closing ssl context");
+        }
+    }
+
+    if (sys->p_context) {
+#if TARGET_OS_IPHONE
+        CFRelease(sys->p_context);
+#else
+        if(SSLDisposeContext(sys->p_context) != noErr) {
+            msg_Err(session, "error deleting context");
+        }
+#endif
+    }
+    free (sys);
+}
+
+/**
+ * Initializes a client-side TLS session.
+ */
+static int st_ClientSessionOpen (vlc_tls_creds_t *crd, vlc_tls_t *session,
+                                     int fd, const char *hostname) {
+    msg_Dbg(session, "open securetransport TLS session");
+
+    vlc_tls_sys_t *sys = malloc (sizeof (*session->sys));
+    if (unlikely(sys == NULL))
+        return VLC_ENOMEM;
+
+    sys->i_fd = fd;
+    sys->b_handshaked = false;
+    sys->b_blocking_send = false;
+    sys->i_send_buffered_bytes = 0;
+
+    session->sys = sys;
+    session->sock.p_sys = session;
+    session->sock.pf_send = st_Send;
+    session->sock.pf_recv = st_Recv;
+    session->handshake = st_Handshake;
+
+    SSLContextRef p_context = NULL;
+#if TARGET_OS_IPHONE
+    p_context = SSLCreateContext (NULL, kSSLClientSide, kSSLStreamType);
+    if(p_context == NULL) {
+        msg_Err(session, "cannot create ssl context");
+        goto error;
+    }
+#else
+    if (SSLNewContext (false, &p_context) != noErr) {
+        msg_Err(session, "error calling SSLNewContext");
+        goto error;
+    }
+#endif
+
+    sys->p_context = p_context;
+
+    OSStatus ret = SSLSetIOFuncs (p_context, st_SocketReadFunc, st_SocketWriteFunc);
+    if(ret != noErr) {
+        msg_Err(session, "cannot set io functions");
+        goto error;
+    }
+
+    ret = SSLSetConnection (p_context, session);
+    if(ret != noErr) {
+        msg_Err(session, "cannot set connection");
+        goto error;
+    }
+
+    ret = SSLSetPeerDomainName (p_context, hostname, strlen(hostname));
+    if(ret != noErr) {
+        msg_Err(session, "cannot set peer domain name");
+        goto error;
+    }
+    return VLC_SUCCESS;
+
+error:
+    st_ClientSessionClose(crd, session);
+    return VLC_EGENERIC;
+}
+
+/**
+ * Initializes a client-side TLS credentials.
+ */
+static int OpenClient (vlc_tls_creds_t *crd) {
+
+    msg_Dbg(crd, "open st client");
+
+    crd->open = st_ClientSessionOpen;
+    crd->close = st_ClientSessionClose;
+
+    return VLC_SUCCESS;
+
+}
+
+static void CloseClient (vlc_tls_creds_t *crd) {
+    msg_Dbg(crd, "close st client");
+}
-- 
1.8.3.4 (Apple Git-47)




More information about the vlc-devel mailing list