| blob | 4cafc30d3aa22f3386cf532ee20e035d3e0b103a |
1 /*****************************************************************************
2 * securetransport.c
3 *****************************************************************************
4 * Copyright (C) 2013 David Fuhrmann
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU Lesser General Public License as published by
8 * the Free Software Foundation; either version 2.1 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public License
17 * along with this program; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
19 *****************************************************************************/
21 /*****************************************************************************
22 * Preamble
23 *****************************************************************************/
25 #ifdef HAVE_CONFIG_H
27 #endif
29 #include <vlc_common.h>
30 #include <vlc_plugin.h>
31 #include <vlc_tls.h>
32 #include <vlc_dialog.h>
34 #include <Security/Security.h>
35 #include <Security/SecureTransport.h>
36 #include <TargetConditionals.h>
38 /* From MacErrors.h (cannot be included because it isn't present in iOS: */
39 #ifndef ioErr
40 # define ioErr -36
41 #endif
43 /*****************************************************************************
44 * ALPN helper functions
45 *****************************************************************************/
47 /* Converts the VLC ALPN C array (null-terminated) to a ALPN
48 * CFMutableArray as expected by the Secure Transport API
49 * Returns CFMutableArrayRef on success, else NULL.
50 */
52 {
53 CFMutableArrayRef alpnValues =
57 CFStringRef alpnVal =
60 // Failed to convert the ALPN value to CFString, error out.
63 }
66 }
68 }
70 /* Obtains a copy of the contents of a CFString in ASCII encoding.
71 * Returns char* (must be freed by caller) or NULL on failure.
72 */
74 {
75 // Try the quick way to obtain the buffer
80 }
82 // The quick way did not work, try the long way
84 CFIndex maxSize =
87 // If result would exceed LONG_MAX, kCFNotFound is returned
90 }
92 // Account for the null terminator
93 maxSize++;
99 }
101 // Copy CFString in requested encoding to buffer
107 }
109 /* Returns the first entry copy of the ALPN array as char*
110 * or NULL on failure.
111 */
113 {
121 }
123 /*****************************************************************************
124 * Module descriptor
125 *****************************************************************************/
129 #if !TARGET_OS_IPHONE
132 #endif
141 /*
142 * The server module currently uses an OSX only API, to be compatible with 10.6.
143 If the module is needed on iOS, then the "modern" keychain lookup API need to be
144 * implemented.
145 */
146 #if !TARGET_OS_IPHONE
162 CFMutableArrayRef whitelist;
164 /* valid in server mode */
165 CFArrayRef server_cert_chain;
169 vlc_tls_t tls;
170 SSLContextRef p_context;
180 vlc_mutex_t lock;
184 {
188 {
201 }
203 }
205 /*
206 * Read function called by secure transport for socket read.
207 *
208 * Function is based on Apples SSLSample sample code.
209 */
219 };
231 /* connection closed */
246 }
247 }
249 }
253 }
257 }
259 /*
260 * Write function called by secure transport for socket read.
261 *
262 * Function is based on Apples SSLSample sample code.
263 */
273 };
294 }
296 }
300 }
304 }
317 }
320 hostname,
321 kCFStringEncodingUTF8);
324 /* enable default root / anchor certificates */
330 }
339 }
352 }
354 /* get leaf certificate */
355 /* SSLCopyPeerCertificates is only available on OSX 10.5 or later */
356 #if !TARGET_OS_IPHONE
362 }
368 }
373 #else
374 /* SecTrustGetCertificateAtIndex is only available on 10.7 or iOS */
378 }
382 #endif
385 /* check if leaf already accepted */
399 }
400 }
402 /* We do not show more certificate details yet because there is no proper API to get
403 a summary of the certificate. SecCertificateCopySubjectSummary is the only method
404 available on iOS and 10.6. More promising API functions such as
405 SecCertificateCopyLongDescription also print out the subject only, more or less.
406 But only showing the certificate subject is of no real help for the user.
407 We could use SecCertificateCopyValues, but then we need to parse all OID values for
408 ourself. This is too mad for just printing information the user will never check
409 anyway.
410 */
413 "However the security certificate presented by the server "
414 "is unknown and could not be authenticated by any trusted "
415 "Certification Authority. "
416 "This problem may be caused by a configuration error "
427 /* save leaf certificate in whitelist */
438 }
449 }
451 out:
460 }
462 /*
463 * @return -1 on fatal error, 0 on successful handshake completion,
464 * 1 if more would-be blocking recv is needed,
465 * 2 if more would-be blocking send is required.
466 */
477 // Only try to use ALPN on recent enough SDKs
478 // macOS 10.13.2, iOS 11, tvOS 11, watchOS 4
479 #if (TARGET_OS_OSX && MAC_OS_X_VERSION_MAX_ALLOWED >= 101302) || \
480 (TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MAX_ALLOWED >= 110000) || \
481 (TARGET_OS_TV && __TV_OS_VERSION_MAX_ALLOWED >= 110000) || \
482 (TARGET_OS_WATCH && __WATCH_OS_VERSION_MAX_ALLOWED >= 40000)
483 #pragma clang diagnostic push
486 /* Handle ALPN data */
497 }
500 }
501 }
503 #pragma clang diagnostic pop
504 #else
506 /* No ALPN support */
509 }
511 #endif
516 }
522 }
544 }
545 }
548 {
553 }
555 /**
556 * Sends data through a TLS session.
557 */
560 {
569 /*
570 * SSLWrite does not return the number of bytes actually written to
571 * the socket, but the number of bytes written to the internal cache.
572 *
573 * If return value is errSSLWouldBlock, the underlying socket cannot
574 * send all data, but the data is already cached. In this situation,
575 * we need to call SSLWrite again. To ensure this call even for the
576 * last bytes, we return EAGAIN. On the next call, we give no new data
577 * to SSLWrite until the error is not errSSLWouldBlock anymore.
578 *
579 * This code is adapted the same way as done in curl.
580 * (https://github.com/bagder/curl/blob/master/lib/curl_darwinssl.c#L2067)
581 */
583 /* EAGAIN is not expected by net_Write in this situation,
584 so use EINTR here */
592 /* actualSize remains zero because no new data send */
600 }
611 }
612 }
616 }
618 /**
619 * Receives data through a TLS session.
620 */
622 {
637 }
639 /* peer performed shutdown */
644 }
648 }
650 /**
651 * Closes a TLS session.
652 */
667 }
672 }
675 }
683 #if TARGET_OS_IPHONE
685 #else
688 }
689 #endif
690 }
692 }
694 /**
695 * Initializes a client-side TLS session.
696 */
700 {
725 #if TARGET_OS_IPHONE
730 }
731 #else
735 }
736 #endif
744 }
750 }
754 error:
757 }
761 {
774 }
776 // Only try to use ALPN on recent enough SDKs
777 // macOS 10.13.2, iOS 11, tvOS 11, watchOS 4
778 #if (TARGET_OS_OSX && MAC_OS_X_VERSION_MAX_ALLOWED >= 101302) || \
779 (TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MAX_ALLOWED >= 110000) || \
780 (TARGET_OS_TV && __TV_OS_VERSION_MAX_ALLOWED >= 110000) || \
781 (TARGET_OS_WATCH && __WATCH_OS_VERSION_MAX_ALLOWED >= 40000)
782 #pragma clang diagnostic push
785 /* Handle ALPN */
793 }
798 }
801 msg_Warn(crd, "Ignoring ALPN request due to lack of support in the backend. Proxy behavior potentially undefined.");
802 }
803 }
805 #pragma clang diagnostic pop
806 #else
808 /* No ALPN support */
810 // Fallback if SDK does not has SSLSetALPNProtocols
812 #warning ALPN support in your SDK version missing (need 10.13.2), proxy behavior potentially undefined (rdar://29127318, #17721)
813 }
815 #endif
817 /* disable automatic validation. We do so manually to also handle invalid
818 certificates */
820 /* this has effect only on iOS 5 and OSX 10.8 or later ... */
825 }
826 #if !TARGET_OS_IPHONE
827 /* ... thus calling this for earlier osx versions, which is not available on iOS in turn */
832 }
833 #endif
837 error:
841 }
843 /**
844 * Initializes a client-side TLS credentials.
845 */
861 }
872 }
874 /* Begin of server-side methods */
875 #if !TARGET_OS_IPHONE
877 /**
878 * Initializes a server-side TLS session.
879 */
898 }
902 error:
906 }
908 /**
909 * Initializes server-side TLS credentials.
910 */
913 /*
914 * This function expects the label of the certificate in "cert", stored
915 * in the MacOS keychain. The appropriate private key is found automatically.
916 */
918 OSStatus ret;
922 /*
923 * Get the server certificate.
924 *
925 * This API is deprecated, but the replacement SecItemCopyMatching
926 * only works on >= 10.7
927 */
937 }
944 }
947 /* cast allowed according to documentation */
956 }
958 /*
959 * We try to validate the server certificate, but do not care about the result.
960 * The only aim is to get the certificate chain.
961 */
966 /* According to docu its fine to pass just one certificate */
972 }
974 SecTrustResultType status;
980 }
989 }
993 /* Build up the certificate chain array expected by SSLSetCertificate */
994 CFMutableArrayRef server_cert_chain = CFArrayCreateMutable(kCFAllocatorDefault, num_cert_chain, &kCFTypeArrayCallBacks);
997 msg_Dbg(crd, "Found certificate chain with %ld entries for server certificate", num_cert_chain);
1007 }
1015 out:
1027 }
1038 }