authorDieter Hametner <dh (plus) vdr (at) gekrumbel (dot) de>2008-04-23 00:59:34 +0200
committerDieter Hametner <dh (plus) vdr (at) gekrumbel (dot) de>2008-04-23 00:59:34 +0200
commit799ced44a3ef3e9550afab7ddee17980cda00177 (patch)
tree70d1d13413065a277b52eada30251374ca32b58b
parent207b3423de7d6cb614db4aa225e5af76b833cf24 (diff)
downloadvdr-plugin-live-799ced44a3ef3e9550afab7ddee17980cda00177.tar.gz
vdr-plugin-live-799ced44a3ef3e9550afab7ddee17980cda00177.tar.bz2
Applied SSL listener patch submitted through bug report #457.
-rw-r--r--README107
-rw-r--r--setup.cpp34
-rw-r--r--setup.h12
-rw-r--r--tntconfig.cpp18
4 files changed, 144 insertions, 27 deletions
diff --git a/README b/README
index 1bc093f..1cb7791 100644
--- a/README
+++ b/README
@@ -17,12 +17,10 @@ See the file COPYING for license information.
IMPORTANT:
==========
-This is one of the last developer snapshot versions of LIVE which will
-work with Tntnet < 1.6.0.6. In fact only versions of Tntnet up to
-1.6.0.1 have been used during development of LIVE and can be used for
-shure until today.
+This is the last version of LIVE which will work with Tntnet <
+1.6.0.6.
-Since Nov 17 version 1.6.0.6 of Tntnet has been released with new
+Since Nov 17 2007 version 1.6.0.6 of Tntnet has been released with new
features and binary incompatible changes. This version of LIVE works
with that version and still maintains backwards compatibilty to older
versions of Tntnet.
@@ -79,7 +77,7 @@ How to get Locale::PO
- Check if your distribution provides the package.
(e.g. in Debian the package name is liblocale-po-perl)
-If you added new translations in your language specific .mo file and
+If you added new translations in your language specific .po file and
still want to use an VDR older than version 1.5.7 you must regenerate
i18n-generated.h by calling make with the target generate-i18n. Only
in this case you need to have Locale::PO installed on your system.
@@ -119,6 +117,9 @@ You can also specifiy this parameter via commandline:
multiple times
(default: 0.0.0.0)
+Additional SSL options are available now. See "How to make LIVE listen
+for ssl connections" section below on hints how to setup SSL.
+
The rest of the parameters can be adjusted in VDR's OSD or in the web
interface.
@@ -131,17 +132,72 @@ during scanning (which can after a few months be well more than 3000
channels) won't be displayed.
-So how does it work?
-====================
-Basically, Live itself is a Tntnet webserver integrated into the plugin
-structure VDR needs.
-This webserver, running in VDR's environment, is provided with all public data
-structures VDR provides for plugins and thus has very fast access to
-information like the EPG, timers or recordings.
+How to make LIVE listen for ssl connections
+===========================================
+
+To make LIVE listen for incoming ssl connections you`ll have to use a
+Tntnet version > 1.6.0.6. By default it will listen on port 8443.
+
+ * Example: https://localhost:8443
+
+In order to start the SslListener LIVE requires a SSL certificate. If
+no SSL certificate is specified via commandline option, LIVE will try
+to use the default certificate location
+'$VDRDIR/plugins/live/live.pem'.
+
+If neither the default nor the custom certificate (given by the
+commandline option) could be found, LIVE will only start the default
+HTTP Listener (default: 8008)
+
+Note: Since the gnutls SslListener was broken in Tntnet versions prior
+to SVN revision 1035 you will have to recompile Tntnet with
+"./configure --with-ssl=openssl" to make it work. Alternatively
+install version 1.6.2 of tntnet on your system.
+
+
+SSL Commandline options
+=======================
+
+ -s PORT, --sslport=PORT use PORT to listen for incoming ssl connections
+ (default: 8443)
+ -c CERT, --cert=CERT path to a custom ssl certificate
+ (default: $CONFIGDIR/live.pem)
+
+
+Creating a self-signed SSL server certificate
+=============================================
+
+To create a self-signed certificate file you`ll have to run this litte
+command.
+
+ $> cd /put/your/path/here/vdr/plugins/live
+ $> openssl req -new -x509 -keyout server.pem -out live.pem -days 365 -nodes
+
+While generating the certifcate you`ll be asked to answer a couple of
+questions. When it prompts to enter the "Common Name" you`ll have to
+specify the full qualified dns server name of the machine LIVE is
+running on (eg. vdr.example.com). If your vdr doesn`t have a full
+qualified dns name, you should use the ip LIVE is listening on.
+
+Note: This is just a quick'n dirty way to create a SSL self-signed
+certicate. Recent browsers (like Firefox 3) will complain about it
+because the certificate wasn´t signed by a known Certificate Authority
+(CA).
+
+
+So how does LIVE work?
+======================
+
+Basically, Live itself is a Tntnet webserver integrated into the
+plugin structure VDR needs.
+
+This webserver, running in VDR's environment, is provided with all
+public data structures VDR provides for plugins and thus has very fast
+access to information like the EPG, timers or recordings.
-Live's "pages" are written in "ecpp", a language integrating C++ and HTML in
-one file, very much like e.g. PHP or ASP weave functionality and "static"
-content information together.
+Live's "pages" are written in "ecpp", a language integrating C++ and
+HTML in one file, very much like e.g. PHP or ASP weave functionality
+and "static" content information together.
Contribute!
@@ -179,13 +235,12 @@ module Locale::PO installed on your system.
Security consideratios
======================
-Live uses the tntnet MapUrl mechanism to map different request urls
-to tntnet components. One component 'content.ecpp' delivers files
-found in the file system. When given the wrong 'path' it could
-retrieve any file from the server where live runs on. Therefore
-content.ecpp needs to be enhanced to check the paths before returning
-files. A second measure against missuse is to limit the mappings from
-MapUrl to only valid files. In the current version this approach has
-been taken. But due to the 'dificulty' to fully understand regular
-expressions, this might get spoiled again by 'unchecked' code
-contribution.
+Live uses the tntnet MapUrl mechanism to map different request urls to
+tntnet components. One component 'content.ecpp' delivers files found
+in the file system. When given the wrong 'path' it could retrieve any
+file from the server where live runs on. Therefore content.ecpp has
+beem enhanced to check the paths before returning files. A second
+measure against missuse is to limit the mappings from MapUrl to only
+valid files. In the current version this approach has been taken. But
+due to the 'difficulty' to fully understand regular expressions, this
+might get spoiled again by 'unchecked' code contribution.
diff --git a/setup.cpp b/setup.cpp
index 543b5c3..f431842 100644
--- a/setup.cpp
+++ b/setup.cpp
@@ -23,6 +23,10 @@ using namespace std;
Setup::Setup():
m_serverPort( 8008 ),
+#ifdef TNTVERS7
+ m_serverSslPort( 8443 ),
+ m_serverSslCert(),
+#endif
m_lastChannel( 0 ),
m_screenshotInterval( 1000 ),
m_useAuth( 1 ),
@@ -49,21 +53,32 @@ bool Setup::ParseCommandLine( int argc, char* argv[] )
{ "ip", required_argument, NULL, 'i' },
{ "log", required_argument, NULL, 'l' },
{ "epgimages", required_argument, NULL, 'e' },
+#ifdef TNTVERS7
+ { "sslport", required_argument, NULL, 's' },
+ { "cert", required_argument, NULL, 'c' },
+#endif
{ 0 }
};
int optchar, optind = 0;
- while ( ( optchar = getopt_long( argc, argv, "p:i:l:e:", opts, &optind ) ) != -1 ) {
+ while ( ( optchar = getopt_long( argc, argv, "p:i:l:e:s:c:", opts, &optind ) ) != -1 ) {
switch ( optchar ) {
case 'p': m_serverPort = atoi( optarg ); break;
case 'i': m_serverIps.push_back( optarg ); break;
case 'l': m_tntnetloglevel = optarg; break;
case 'e': m_epgimagedir = optarg; break;
+#ifdef TNTVERS7
+ case 's': m_serverSslPort = atoi( optarg ); break;
+ case 'c': m_serverSslCert = optarg; break;
+#endif
default: return false;
}
}
return CheckServerPort() &&
+#ifdef TNTVERS7
+ CheckServerSslPort() &&
+#endif
CheckServerIps();
}
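Review bot: The short-option string now contains `s:c:` unconditionally, while the `case 's'`/`case 'c'` handlers and the long-option entries are guarded by `#ifdef TNTVERS7`, so a build without TNTVERS7 accepts `-s 8443` or `-c file` syntactically and then fails through `default: return false` with no diagnostic, whereas `--sslport` would at least get getopt's "unrecognized option" message. Keep the two in step by selecting the option string with the same guard, e.g. `#ifdef TNTVERS7` / `char const* optstring = "p:i:l:e:s:c:";` / `#else` / `char const* optstring = "p:i:l:e:";` / `#endif`, and pass `optstring` to getopt_long. While here, `atoi( optarg )` for `-s` silently accepts trailing junk such as `8443abc`; `strtol` with an end-pointer check would reject it before CheckServerSslPort sees a plausible-looking value. ParseCommandLine begins before this hunk, so the opts table head is not visible here.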
@@ -76,6 +91,11 @@ char const* Setup::CommandLineHelp() const
<< " -i IP, --ip=IP bind server only to specified IP, may appear\n"
" multiple times\n"
" (default: 0.0.0.0)\n"
+#ifdef TNTVERS7
+ << " -s PORT, --sslport=PORT use PORT to listen for incoming ssl connections\n"
+ " (default: " << m_serverSslPort << ")\n"
+ << " -c CERT, --cert=CERT full path to a custom ssl certificate file\n"
+#endif
<< " -l level, --log=level log level for tntnet (values: INFO, DEBUG,...)\n"
<< " -e <dir>, --epgimages=<dir> directory for epgimages\n";
m_helpString = builder.str();
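Review bot: The new `-c CERT` help line gives no default, although tntconfig.cpp falls back to `<config dir>/live.pem` and the README documents that default next to the `-s` default; a user reading `--help` cannot tell where LIVE will look for the certificate. Add a second line after it mirroring the `-s` entry, e.g. `" (default: $CONFIGDIR/live.pem)\n"`, and consider stating there that LIVE starts plain HTTP only when no certificate is found, since that is a security-relevant fallback the operator should know about from the help text alone.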
@@ -117,6 +137,18 @@ bool Setup::CheckServerPort()
return true;
}
+#ifdef TNTVERS7
+bool Setup::CheckServerSslPort()
+{
+ if ( m_serverSslPort <= 0 || m_serverSslPort > numeric_limits< uint16_t >::max() ) {
+ esyslog( "ERROR: live server ssl port %d is not a valid port number", m_serverSslPort );
+ cerr << "ERROR: live server ssl port " << m_serverSslPort << " is not a valid port number" << endl;
+ return false;
+ }
+ return true;
+}
+#endif
+
bool Setup::CheckServerIps()
{
if ( m_serverIps.empty() ) {
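Review bot: CheckServerSslPort validates only the numeric range of `m_serverSslPort` and never checks that it differs from `m_serverPort`; WriteConfig in tntconfig.cpp emits a `Listen` and an `SslListen` line for every IP in the same list, so `-p 8443 -s 8443` (or `-p 8008 -s 8008`) presumably fails at bind time inside tntnet rather than at option parsing, where the message is clearer. Add a second guard in the same function, `if ( m_serverSslPort == m_serverPort ) { esyslog( "ERROR: live server ssl port %d must differ from the http port", m_serverSslPort ); return false; }`, with the matching `cerr` line the existing check uses. Note this relies on CheckServerPort having already run, which ParseCommandLine's `&&` chain guarantees.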
diff --git a/setup.h b/setup.h
index daed09b..6af356c 100644
--- a/setup.h
+++ b/setup.h
@@ -28,6 +28,10 @@ class Setup
// commandline
int GetServerPort() const { return m_serverPort; }
+#ifdef TNTVERS7
+ int GetServerSslPort() const { return m_serverSslPort; }
+ std::string GetServerSslCert() const { return m_serverSslCert; }
+#endif
IpList const& GetServerIps() const { return m_serverIps; }
// vdr-setup
int GetLastChannel() const { return m_lastChannel == 0 ? std::numeric_limits< int >::max() : m_lastChannel; }
@@ -94,6 +98,11 @@ class Setup
mutable std::string m_helpString;
// commandline options
int m_serverPort;
+#ifdef TNTVERS7
+ int m_serverSslPort;
+ std::string m_serverSslCert;
+ static std::string m_configDirectory;
+#endif
IpList m_serverIps;
std::string m_epgimagedir;
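Review bot: `static std::string m_configDirectory;` is declared here but nothing in this patch defines it, initializes it or reads it; tntconfig.cpp resolves the default certificate with a local `configDir` instead. Unless it is defined and used in a part of setup.cpp outside this diff, either drop the declaration or give it an out-of-line definition and use it for the `live.pem` default so the path logic lives in one place. Also, `GetServerSslCert()` in the earlier hunk returns the string by value; `std::string const&` would match the style of `GetServerIps()` and avoid a copy per call.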
@@ -121,6 +130,9 @@ class Setup
bool CheckServerPort();
bool CheckServerIps();
+#ifdef TNTVERS7
+ bool CheckServerSslPort();
+#endif
};
Setup& LiveSetup();
diff --git a/tntconfig.cpp b/tntconfig.cpp
index 704ae6f..cdc476e 100644
--- a/tntconfig.cpp
+++ b/tntconfig.cpp
@@ -121,6 +121,24 @@ void TntConfig::WriteConfig()
for ( Setup::IpList::const_iterator ip = ips.begin(); ip != ips.end(); ++ip ) {
file << "Listen " << *ip << " " << port << endl;
}
+
+#ifdef TNTVERS7
+ int s_port = LiveSetup().GetServerSslPort();
+ string s_cert = LiveSetup().GetServerSslCert();
+
+ if (s_cert.empty()) {
+ s_cert = configDir + "/live.pem";
+ }
+
+ if ( ifstream( s_cert.c_str() ) ) {
+ for ( Setup::IpList::const_iterator ip = ips.begin(); ip != ips.end(); ++ip ) {
+ file << "SslListen " << *ip << " " << s_port << " " << s_cert << endl;
+ }
+ }
+ else {
+ esyslog( "ERROR: %s: %s", s_cert.c_str(), strerror( errno ) );
+ }
+#endif
}
void TntConfig::WriteProperties()
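Review bot: The certificate check `if ( ifstream( s_cert.c_str() ) )` is followed by `strerror( errno )` in the else branch, but a failed ifstream open is not required by the standard to set errno, so the logged reason may be stale or "Success"; `if ( access( s_cert.c_str(), R_OK ) == 0 )` (with `<unistd.h>`) gives a reliable errno and also distinguishes unreadable from missing. The message should also say what happens next, since silently serving plain HTTP when TLS was requested is a security-relevant downgrade: `esyslog( "ERROR: ssl certificate %s: %s - SslListen disabled, serving plain HTTP only", s_cert.c_str(), strerror( errno ) );`. Because the README's self-signed recipe uses `-nodes`, the PEM referenced here presumably carries an unencrypted private key, so a comment reminding operators to keep it mode 0600 and owned by the VDR user would fit next to the default-path assignment. WriteConfig begins before this hunk, so `configDir` and `ips` are declared outside the visible lines.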