include/vlc_tls.h

   1 /*****************************************************************************
   2  * vlc_tls.h: Transport Layer Security API
   3  *****************************************************************************
   4  * Copyright (C) 2004-2016 Rémi Denis-Courmont
   5  * Copyright (C) 2005-2006 VLC authors and VideoLAN
   6  *
   7  * This program is free software; you can redistribute it and/or modify it
   8  * under the terms of the GNU Lesser General Public License as published by
   9  * the Free Software Foundation; either version 2.1 of the License, or
  10  * (at your option) any later version.
  11  *
  12  * This program is distributed in the hope that it will be useful,
  13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15  * GNU Lesser General Public License for more details.
  16  *
  17  * You should have received a copy of the GNU Lesser General Public License
  18  * along with this program; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA.
  20  *****************************************************************************/
  21
  22 #ifndef VLC_TLS_H
  23 # define VLC_TLS_H
  24
  25 /**
  26  * \ingroup sockets
  27  * \defgroup tls Transport Layer Security
  28  * @{
  29  * \file
  30  * Transport Layer Security (TLS) functions
  31  */
  32
  33 # include <vlc_network.h>
  34
  35 typedef struct vlc_tls vlc_tls_t;
  36 typedef struct vlc_tls_creds vlc_tls_creds_t;
  37
  38 /** TLS session */
  39 struct vlc_tls
  40 {
  41     vlc_object_t *obj;
  42     void *sys;
  43
  44     int (*get_fd)(struct vlc_tls *);
  45     ssize_t (*readv)(struct vlc_tls *, struct iovec *, unsigned);
  46     ssize_t (*writev)(struct vlc_tls *, const struct iovec *, unsigned);
  47     int (*shutdown)(struct vlc_tls *, bool duplex);
  48     void (*close)(struct vlc_tls *);
  49
  50     void *p;
  51 };
  52
  53 /**
  54  * Initiates a client TLS session.
  55  *
  56  * Initiates a Transport Layer Security (TLS) session as the client side, using
  57  * trusted root CAs previously loaded with vlc_tls_ClientCreate().
  58  *
  59  * This is a blocking network operation and may be a thread cancellation point.
  60  *
  61  * @param creds X.509 credentials, i.e. set of root certificates of trusted
  62  *              certificate authorities
  63  * @param sock socket through which to establish the secure channel
  64  * @param hostname expected server name, used both as Server Name Indication
  65  *                 and as expected Common Name of the peer certificate [IN]
  66  * @param service unique identifier for the service to connect to
  67  *                (only used locally for certificates database) [IN]
  68  * @param alpn NULL-terminated list of Application Layer Protocols
  69  *             to negotiate, or NULL to not negotiate protocols [IN]
  70  * @param alp storage space for the negotiated Application Layer
  71  *            Protocol or NULL if negotiation was not performed [OUT]
  72  *
  73  * @note The credentials must remain valid until the session is finished.
  74  *
  75  * @return TLS session, or NULL on error.
  76  **/
  77 VLC_API vlc_tls_t *vlc_tls_ClientSessionCreate(vlc_tls_creds_t *creds,
  78                                                vlc_tls_t *sock,
  79                                                const char *host,
  80                                                const char *service,
  81                                                const char *const *alpn,
  82                                                char **alp);
  83
  84 /**
  85  * Creates a TLS server session.
  86  *
  87  * Allocates a Transport Layer Security (TLS) session as the server side, using
  88  * cryptographic keys pair and X.509 certificates chain already loaded with
  89  * vlc_tls_ServerCreate().
  90  *
  91  * Unlike vlc_tls_ClientSessionCreate(), this function does not perform any
  92  * actual network I/O. vlc_tls_SessionHandshake() must be used to perform the
  93  * TLS handshake before sending and receiving data through the TLS session.
  94  *
  95  * This function is non-blocking and is not a cancellation point.
  96  *
  97  * @param creds server credentials, i.e. keys pair and X.509 certificates chain
  98  * @param alpn NULL-terminated list of Application Layer Protocols
  99  *             to negotiate, or NULL to not negotiate protocols
 100  *
 101  * @return TLS session, or NULL on error.
 102  */
 103 VLC_API vlc_tls_t *vlc_tls_ServerSessionCreate(vlc_tls_creds_t *creds, int fd,
 104                                                const char *const *alpn);
 105
 106 /**
 107  * Destroys a TLS session down.
 108  *
 109  * All resources associated with the TLS session are released.
 110  *
 111  * If the session was established successfully, then shutdown cleanly, the
 112  * underlying socket can be reused. Otherwise, it must be closed. Either way,
 113  * this function does not close the underlying socket: Use vlc_tls_Close()
 114  * instead to close it at the same.
 115  *
 116  * This function is non-blocking and is not a cancellation point.
 117  */
 118 VLC_API void vlc_tls_SessionDelete (vlc_tls_t *);
 119
 120 static inline int vlc_tls_GetFD(vlc_tls_t *tls)
 121 {
 122     return tls->get_fd(tls);
 123 }
 124
 125 /**
 126  * Receives data through a TLS session.
 127  */
 128 VLC_API ssize_t vlc_tls_Read(vlc_tls_t *, void *buf, size_t len, bool waitall);
 129 VLC_API char *vlc_tls_GetLine(vlc_tls_t *);
 130
 131 /**
 132  * Sends data through a TLS session.
 133  */
 134 VLC_API ssize_t vlc_tls_Write(vlc_tls_t *, const void *buf, size_t len);
 135
 136 /**
 137  * Terminates a TLS session.
 138  *
 139  * This sends the TLS session close notification to the other end, securely
 140  * indicating that no further data will be sent. Data can still be received
 141  * until a close notification is received from the other end.
 142  *
 143  * @param duplex whether to stop receiving data as well
 144  * @retval 0 the session was terminated securely and cleanly
 145  *           (the underlying socket can be reused for other purposes)
 146  * @return -1 the session was terminated locally, but either a notification
 147  *            could not be sent or received (the underlying socket cannot be
 148  *            reused and must be closed)
 149  */
 150 static inline int vlc_tls_Shutdown(vlc_tls_t *tls, bool duplex)
 151 {
 152     return tls->shutdown(tls, duplex);
 153 }
 154
 155 # define tls_Recv(a,b,c) vlc_tls_Read(a,b,c,false)
 156 # define tls_Send(a,b,c) vlc_tls_Write(a,b,c)
 157
 158 /**
 159  * Closes a TLS session and underlying connection.
 160  *
 161  * This function is non-blocking and is a cancellation point.
 162  */
 163 static inline void vlc_tls_Close(vlc_tls_t *session)
 164 {
 165     int fd = vlc_tls_GetFD(session);
 166
 167     vlc_tls_SessionDelete(session);
 168     shutdown(fd, SHUT_RDWR);
 169     net_Close(fd);
 170 }
 171
 172 /** TLS credentials (certificate, private and trust settings) */
 173 struct vlc_tls_creds
 174 {
 175     VLC_COMMON_MEMBERS
 176
 177     module_t  *module;
 178     void *sys;
 179
 180     int (*open)(vlc_tls_creds_t *, vlc_tls_t *session, vlc_tls_t *sock,
 181                 const char *host, const char *const *alpn);
 182     int  (*handshake)(vlc_tls_creds_t *, vlc_tls_t *session, const char *host,
 183                       const char *service, char ** /*restrict*/ alp);
 184 };
 185
 186 /**
 187  * Allocates TLS credentials for a client.
 188  * Credentials can be cached and reused across multiple TLS sessions.
 189  *
 190  * @return TLS credentials object, or NULL on error.
 191  **/
 192 VLC_API vlc_tls_creds_t *vlc_tls_ClientCreate (vlc_object_t *);
 193
 194 /**
 195  * Allocates server TLS credentials.
 196  *
 197  * @param cert path to an x509 certificate (required)
 198  * @param key path to the PKCS private key for the certificate,
 199  *            or NULL to use cert path
 200  *
 201  * @return TLS credentials object, or NULL on error.
 202  */
 203 VLC_API vlc_tls_creds_t *vlc_tls_ServerCreate (vlc_object_t *,
 204                                                const char *cert,
 205                                                const char *key);
 206
 207 static inline int vlc_tls_SessionHandshake (vlc_tls_creds_t *crd,
 208                                             vlc_tls_t *tls)
 209 {
 210     return crd->handshake(crd, tls, NULL, NULL, NULL);
 211 }
 212
 213 /**
 214  * Releases TLS credentials.
 215  *
 216  * Releases data allocated with vlc_tls_ClientCreate() or
 217  * vlc_tls_ServerCreate().
 218  *
 219  * @param srv object to be destroyed (or NULL)
 220  */
 221 VLC_API void vlc_tls_Delete (vlc_tls_creds_t *);
 222
 223 /**
 224  * Creates a transport-layer stream from a socket.
 225  *
 226  * Creates a transport-layer I/O stream from a socket file descriptor.
 227  * Data will be sent and received directly through the socket. This can be used
 228  * either to share common code between non-TLS and TLS cases, or for testing
 229  * purposes.
 230  *
 231  * This function is not a cancellation point.
 232  */
 233 VLC_API vlc_tls_t *vlc_tls_SocketOpen(vlc_object_t *obj, int fd);
 234
 235 VLC_DEPRECATED
 236 static inline vlc_tls_t *
 237 vlc_tls_ClientSessionCreateFD(vlc_tls_creds_t *crd, int fd, const char *host,
 238                               const char *srv, const char *const *lp, char **p)
 239 {
 240     vlc_tls_t *sock = vlc_tls_SocketOpen(VLC_OBJECT(crd), fd);
 241     if (unlikely(sock == NULL))
 242         return NULL;
 243
 244     vlc_tls_t *tls = vlc_tls_ClientSessionCreate(crd, sock, host, srv, lp, p);
 245     if (unlikely(tls == NULL))
 246         vlc_tls_SessionDelete(sock);
 247     else
 248         tls->p = sock;
 249     return tls;
 250 }
 251
 252 /** @} */
 253
 254 #endif