virnettlscontext.c 44.9 KB
Newer Older
1 2 3
/*
 * virnettlscontext.c: TLS encryption/x509 handling
 *
4
 * Copyright (C) 2010-2013 Red Hat, Inc.
5 6 7 8 9 10 11 12 13 14 15 16
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
17
 * License along with this library.  If not, see
O
Osier Yang 已提交
18
 * <http://www.gnu.org/licenses/>.
19 20 21 22 23 24 25 26 27
 */

#include <config.h>

#include <unistd.h>
#include <fnmatch.h>
#include <stdlib.h>

#include <gnutls/gnutls.h>
E
Eric Blake 已提交
28
#if HAVE_GNUTLS_CRYPTO_H
E
Eric Blake 已提交
29 30
# include <gnutls/crypto.h>
#endif
31 32 33 34
#include <gnutls/x509.h>
#include "gnutls_1_0_compat.h"

#include "virnettlscontext.h"
35
#include "virstring.h"
36

37
#include "viralloc.h"
38
#include "virerror.h"
39
#include "virfile.h"
40
#include "virutil.h"
41
#include "virlog.h"
42
#include "virprobe.h"
43
#include "virthread.h"
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58
#include "configmake.h"

#define DH_BITS 1024

#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"

#define VIR_FROM_THIS VIR_FROM_RPC

struct _virNetTLSContext {
59
    virObjectLockable parent;
60 61 62 63 64 65 66 67 68 69

    gnutls_certificate_credentials_t x509cred;
    gnutls_dh_params_t dhParams;

    bool isServer;
    bool requireValidCert;
    const char *const*x509dnWhitelist;
};

struct _virNetTLSSession {
70
    virObjectLockable parent;
71 72 73

    bool handshakeComplete;

74
    bool isServer;
75 76 77 78 79
    char *hostname;
    gnutls_session_t session;
    virNetTLSSessionWriteFunc writeFunc;
    virNetTLSSessionReadFunc readFunc;
    void *opaque;
80
    char *x509dname;
81 82
};

83 84 85 86 87 88 89 90
static virClassPtr virNetTLSContextClass;
static virClassPtr virNetTLSSessionClass;
static void virNetTLSContextDispose(void *obj);
static void virNetTLSSessionDispose(void *obj);


static int virNetTLSContextOnceInit(void)
{
91
    if (!(virNetTLSContextClass = virClassNew(virClassForObjectLockable(),
92
                                              "virNetTLSContext",
93 94 95 96
                                              sizeof(virNetTLSContext),
                                              virNetTLSContextDispose)))
        return -1;

97
    if (!(virNetTLSSessionClass = virClassNew(virClassForObjectLockable(),
98
                                              "virNetTLSSession",
99 100 101 102 103 104 105 106 107
                                              sizeof(virNetTLSSession),
                                              virNetTLSSessionDispose)))
        return -1;

    return 0;
}

VIR_ONCE_GLOBAL_INIT(virNetTLSContext)

108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124

static int
virNetTLSContextCheckCertFile(const char *type, const char *file, bool allowMissing)
{
    if (!virFileExists(file)) {
        if (allowMissing)
            return 1;

        virReportSystemError(errno,
                             _("Cannot read %s '%s'"),
                             type, file);
        return -1;
    }
    return 0;
}


125 126
static void virNetTLSLog(int level ATTRIBUTE_UNUSED,
                         const char *str ATTRIBUTE_UNUSED) {
127 128 129
    VIR_DEBUG("%d %s", level, str);
}

130

131 132 133 134
static int virNetTLSContextCheckCertTimes(gnutls_x509_crt_t cert,
                                          const char *certFile,
                                          bool isServer,
                                          bool isCA)
135 136 137 138 139 140
{
    time_t now;

    if ((now = time(NULL)) == ((time_t)-1)) {
        virReportSystemError(errno, "%s",
                             _("cannot get current time"));
141
        return -1;
142 143 144
    }

    if (gnutls_x509_crt_get_expiration_time(cert) < now) {
145 146 147 148 149 150 151
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       (isCA ?
                        _("The CA certificate %s has expired") :
                        (isServer ?
                         _("The server certificate %s has expired") :
                         _("The client certificate %s has expired"))),
                       certFile);
152
        return -1;
153 154 155
    }

    if (gnutls_x509_crt_get_activation_time(cert) > now) {
156 157 158 159 160 161 162
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       (isCA ?
                        _("The CA certificate %s is not yet active") :
                        (isServer ?
                         _("The server certificate %s is not yet active") :
                         _("The client certificate %s is not yet active"))),
                       certFile);
163
        return -1;
164 165
    }

166 167 168
    return 0;
}

169 170 171 172 173 174 175 176 177

#ifndef GNUTLS_1_0_COMPAT
/*
 * The gnutls_x509_crt_get_basic_constraints function isn't
 * available in GNUTLS 1.0.x branches. This isn't critical
 * though, since gnutls_certificate_verify_peers2 will do
 * pretty much the same check at runtime, so we can just
 * disable this code
 */
178 179 180 181 182 183 184
static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert,
                                                     const char *certFile,
                                                     bool isServer,
                                                     bool isCA)
{
    int status;

185 186 187 188 189
    status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
    VIR_DEBUG("Cert %s basic constraints %d", certFile, status);

    if (status > 0) { /* It is a CA cert */
        if (!isCA) {
190 191 192 193
            virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                           _("The certificate %s basic constraints show a CA, but we need one for a server") :
                           _("The certificate %s basic constraints show a CA, but we need one for a client"),
                           certFile);
194
            return -1;
195 196 197
        }
    } else if (status == 0) { /* It is not a CA cert */
        if (isCA) {
198 199 200
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("The certificate %s basic constraints do not show a CA"),
                           certFile);
201
            return -1;
202 203 204
        }
    } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */
        if (isCA) {
205 206 207
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("The certificate %s is missing basic constraints for a CA"),
                           certFile);
208
            return -1;
209 210
        }
    } else { /* General error */
211 212 213
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to query certificate %s basic constraints %s"),
                       certFile, gnutls_strerror(status));
214
        return -1;
215 216
    }

217 218
    return 0;
}
219 220
#endif

221 222 223 224 225 226

static int virNetTLSContextCheckCertKeyUsage(gnutls_x509_crt_t cert,
                                             const char *certFile,
                                             bool isCA)
{
    int status;
227 228
    unsigned int usage = 0;
    unsigned int critical = 0;
229

230
    status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
231

232
    VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
233
    if (status < 0) {
234 235 236 237
        if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
            usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
                GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
        } else {
238 239 240
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key usage %s"),
                           certFile, gnutls_strerror(status));
241
            return -1;
242
        }
243 244
    }

245 246
    if (isCA) {
        if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
247
            if (critical) {
248 249 250
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit certificate signing"),
                               certFile);
251
                return -1;
252 253 254 255
            } else {
                VIR_WARN("Certificate %s usage does not permit certificate signing",
                         certFile);
            }
256 257
        }
    } else {
258
        if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
259
            if (critical) {
260 261 262
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit digital signature"),
                               certFile);
263
                return -1;
264 265 266 267
            } else {
                VIR_WARN("Certificate %s usage does not permit digital signature",
                         certFile);
            }
268 269
        }
        if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
270
            if (critical) {
271 272 273
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit key encipherment"),
                               certFile);
274
                return -1;
275 276 277 278
            } else {
                VIR_WARN("Certificate %s usage does not permit key encipherment",
                         certFile);
            }
279 280 281
        }
    }

282 283 284 285 286 287 288 289 290
    return 0;
}


static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert,
                                               const char *certFile,
                                               bool isServer)
{
    int status;
291
    size_t i;
292 293
    unsigned int purposeCritical;
    unsigned int critical;
E
Eric Blake 已提交
294
    char *buffer = NULL;
295 296 297
    size_t size;
    bool allowClient = false, allowServer = false;

298
    critical = 0;
299
    for (i = 0; ; i++) {
300 301 302 303
        size = 0;
        status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL);

        if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
304
            VIR_DEBUG("No key purpose data available at slot %zu", i);
305 306 307 308

            /* If there is no data at all, then we must allow client/server to pass */
            if (i == 0)
                allowServer = allowClient = true;
309 310 311
            break;
        }
        if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
312 313 314
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key purpose %s"),
                           certFile, gnutls_strerror(status));
315
            return -1;
316 317
        }

318
        if (VIR_ALLOC_N(buffer, size) < 0)
319
            return -1;
320

321
        status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical);
322
        if (status < 0) {
323
            VIR_FREE(buffer);
324 325 326
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key purpose %s"),
                           certFile, gnutls_strerror(status));
327
            return -1;
328
        }
329 330
        if (purposeCritical)
            critical = true;
331

332
        VIR_DEBUG("Key purpose %d %s critical %u", status, buffer, purposeCritical);
333
        if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
334
            allowServer = true;
335
        } else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
336
            allowClient = true;
337
        } else if (STRNEQ(buffer, GNUTLS_KP_ANY)) {
338
            allowServer = allowClient = true;
339 340 341 342 343
        }

        VIR_FREE(buffer);
    }

344 345
    if (isServer) {
        if (!allowServer) {
346
            if (critical) {
347 348 349
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s purpose does not allow use for with a TLS server"),
                               certFile);
350
                return -1;
351 352 353 354
            } else {
                VIR_WARN("Certificate %s purpose does not allow use for with a TLS server",
                         certFile);
            }
355
        }
356 357
    } else {
        if (!allowClient) {
358
            if (critical) {
359 360 361
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s purpose does not allow use for with a TLS client"),
                               certFile);
362
                return -1;
363 364 365 366
            } else {
                VIR_WARN("Certificate %s purpose does not allow use for with a TLS client",
                         certFile);
            }
367 368 369
        }
    }

370 371 372 373 374 375 376 377 378
    return 0;
}

/* Check DN is on tls_allowed_dn_list. */
static int
virNetTLSContextCheckCertDNWhitelist(const char *dname,
                                     const char *const*wildcards)
{
    while (*wildcards) {
379
        int ret = fnmatch(*wildcards, dname, 0);
J
Ján Tomko 已提交
380
        if (ret == 0) /* Successful match */
381 382
            return 1;
        if (ret != FNM_NOMATCH) {
383 384 385
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("Malformed TLS whitelist regular expression '%s'"),
                           *wildcards);
386 387 388 389 390 391 392 393 394 395
            return -1;
        }

        wildcards++;
    }

    /* Log the client's DN for debugging */
    VIR_DEBUG("Failed whitelist check for client DN '%s'", dname);

    /* This is the most common error: make it informative. */
396 397 398
    virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                   _("Client's Distinguished Name is not on the list "
                     "of allowed clients (tls_allowed_dn_list).  Use "
399 400
                     "'certtool -i --infile clientcert.pem' to view the "
                     "Distinguished Name field in the client certificate, "
401
                     "or run this daemon with --verbose option."));
402 403 404 405 406 407 408 409
    return 0;
}


static int
virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert,
                            const char *certFile,
                            const char *hostname,
410
                            const char *dname,
411 412
                            const char *const* whitelist)
{
413 414
    if (whitelist && dname &&
        virNetTLSContextCheckCertDNWhitelist(dname, whitelist) <= 0)
415 416 417 418
        return -1;

    if (hostname &&
        !gnutls_x509_crt_check_hostname(cert, hostname)) {
419 420 421
        virReportError(VIR_ERR_RPC,
                       _("Certificate %s owner does not match the hostname %s"),
                       certFile, hostname);
422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437
        return -1;
    }

    return 0;
}


static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert,
                                     const char *certFile,
                                     bool isServer,
                                     bool isCA)
{
    if (virNetTLSContextCheckCertTimes(cert, certFile,
                                       isServer, isCA) < 0)
        return -1;

438
#ifndef GNUTLS_1_0_COMPAT
439 440 441
    if (virNetTLSContextCheckCertBasicConstraints(cert, certFile,
                                                  isServer, isCA) < 0)
        return -1;
442
#endif
443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458

    if (virNetTLSContextCheckCertKeyUsage(cert, certFile,
                                          isCA) < 0)
        return -1;

    if (!isCA &&
        virNetTLSContextCheckCertKeyPurpose(cert, certFile,
                                            isServer) < 0)
        return -1;

    return 0;
}


static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
                                         const char *certFile,
459 460
                                         gnutls_x509_crt_t *cacerts,
                                         size_t ncacerts,
461 462 463 464 465 466
                                         const char *cacertFile,
                                         bool isServer)
{
    unsigned int status;

    if (gnutls_x509_crt_list_verify(&cert, 1,
467
                                    cacerts, ncacerts,
468 469
                                    NULL, 0,
                                    0, &status) < 0) {
470 471 472 473
        virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                       _("Unable to verify server certificate %s against CA certificate %s") :
                       _("Unable to verify client certificate %s against CA certificate %s"),
                       certFile, cacertFile);
474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493
        return -1;
    }

    if (status != 0) {
        const char *reason = _("Invalid certificate");

        if (status & GNUTLS_CERT_INVALID)
            reason = _("The certificate is not trusted.");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
            reason = _("The certificate hasn't got a known issuer.");

        if (status & GNUTLS_CERT_REVOKED)
            reason = _("The certificate has been revoked.");

#ifndef GNUTLS_1_0_COMPAT
        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
            reason = _("The certificate uses an insecure algorithm");
#endif

494 495 496
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Our own certificate %s failed validation against %s: %s"),
                       certFile, cacertFile, reason);
497 498 499 500 501 502 503 504
        return -1;
    }

    return 0;
}


static gnutls_x509_crt_t virNetTLSContextLoadCertFromFile(const char *certFile,
505
                                                          bool isServer)
506 507 508 509 510 511
{
    gnutls_datum_t data;
    gnutls_x509_crt_t cert = NULL;
    char *buf = NULL;
    int ret = -1;

512 513
    VIR_DEBUG("isServer %d certFile %s",
              isServer, certFile);
514 515

    if (gnutls_x509_crt_init(&cert) < 0) {
516 517
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("Unable to initialize certificate"));
518 519 520 521 522 523 524 525 526 527
        goto cleanup;
    }

    if (virFileReadAll(certFile, (1<<16), &buf) < 0)
        goto cleanup;

    data.data = (unsigned char *)buf;
    data.size = strlen(buf);

    if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
528 529 530 531
        virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                       _("Unable to import server certificate %s") :
                       _("Unable to import client certificate %s"),
                       certFile);
532 533
        goto cleanup;
    }
534

535 536 537 538 539 540 541 542 543 544 545 546
    ret = 0;

cleanup:
    if (ret != 0) {
        gnutls_x509_crt_deinit(cert);
        cert = NULL;
    }
    VIR_FREE(buf);
    return cert;
}


547 548
static int virNetTLSContextLoadCACertListFromFile(const char *certFile,
                                                  gnutls_x509_crt_t *certs,
549
                                                  unsigned int certMax,
550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581
                                                  size_t *ncerts)
{
    gnutls_datum_t data;
    char *buf = NULL;
    int ret = -1;

    *ncerts = 0;
    VIR_DEBUG("certFile %s", certFile);

    if (virFileReadAll(certFile, (1<<16), &buf) < 0)
        goto cleanup;

    data.data = (unsigned char *)buf;
    data.size = strlen(buf);

    if (gnutls_x509_crt_list_import(certs, &certMax, &data, GNUTLS_X509_FMT_PEM, 0) < 0) {
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to import CA certificate list %s"),
                       certFile);
        goto cleanup;
    }
    *ncerts = certMax;

    ret = 0;

cleanup:
    VIR_FREE(buf);
    return ret;
}


#define MAX_CERTS 16
582 583 584 585 586
static int virNetTLSContextSanityCheckCredentials(bool isServer,
                                                  const char *cacertFile,
                                                  const char *certFile)
{
    gnutls_x509_crt_t cert = NULL;
587
    gnutls_x509_crt_t cacerts[MAX_CERTS];
588
    size_t ncacerts = 0;
589
    size_t i;
590 591
    int ret = -1;

592
    memset(cacerts, 0, sizeof(cacerts));
593
    if ((access(certFile, R_OK) == 0) &&
594
        !(cert = virNetTLSContextLoadCertFromFile(certFile, isServer)))
595 596
        goto cleanup;
    if ((access(cacertFile, R_OK) == 0) &&
597 598
        virNetTLSContextLoadCACertListFromFile(cacertFile, cacerts,
                                               MAX_CERTS, &ncacerts) < 0)
599
        goto cleanup;
600

601 602 603
    if (cert &&
        virNetTLSContextCheckCert(cert, certFile, isServer, false) < 0)
        goto cleanup;
604

605 606 607 608
    for (i = 0; i < ncacerts; i++) {
        if (virNetTLSContextCheckCert(cacerts[i], cacertFile, isServer, true) < 0)
            goto cleanup;
    }
609

610 611
    if (cert && ncacerts &&
        virNetTLSContextCheckCertPair(cert, certFile, cacerts, ncacerts, cacertFile, isServer) < 0)
612
        goto cleanup;
613 614 615 616 617 618

    ret = 0;

cleanup:
    if (cert)
        gnutls_x509_crt_deinit(cert);
619 620
    for (i = 0; i < ncacerts; i++)
        gnutls_x509_crt_deinit(cacerts[i]);
621 622 623 624
    return ret;
}


625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643
static int virNetTLSContextLoadCredentials(virNetTLSContextPtr ctxt,
                                           bool isServer,
                                           const char *cacert,
                                           const char *cacrl,
                                           const char *cert,
                                           const char *key)
{
    int ret = -1;
    int err;

    if (cacert && cacert[0] != '\0') {
        if (virNetTLSContextCheckCertFile("CA certificate", cacert, false) < 0)
            goto cleanup;

        VIR_DEBUG("loading CA cert from %s", cacert);
        err = gnutls_certificate_set_x509_trust_file(ctxt->x509cred,
                                                     cacert,
                                                     GNUTLS_X509_FMT_PEM);
        if (err < 0) {
644 645
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to set x509 CA certificate: %s: %s"),
646
                           cacert, gnutls_strerror(err));
647 648 649 650 651 652 653 654 655 656 657 658 659 660 661
            goto cleanup;
        }
    }

    if (cacrl && cacrl[0] != '\0') {
        int rv;
        if ((rv = virNetTLSContextCheckCertFile("CA revocation list", cacrl, true)) < 0)
            goto cleanup;

        if (rv == 0) {
            VIR_DEBUG("loading CRL from %s", cacrl);
            err = gnutls_certificate_set_x509_crl_file(ctxt->x509cred,
                                                       cacrl,
                                                       GNUTLS_X509_FMT_PEM);
            if (err < 0) {
662 663 664
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Unable to set x509 certificate revocation list: %s: %s"),
                               cacrl, gnutls_strerror(err));
665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686
                goto cleanup;
            }
        } else {
            VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl);
        }
    }

    if (cert && cert[0] != '\0' && key && key[0] != '\0') {
        int rv;
        if ((rv = virNetTLSContextCheckCertFile("certificate", cert, !isServer)) < 0)
            goto cleanup;
        if (rv == 0 &&
            (rv = virNetTLSContextCheckCertFile("private key", key, !isServer)) < 0)
            goto cleanup;

        if (rv == 0) {
            VIR_DEBUG("loading cert and key from %s and %s", cert, key);
            err =
                gnutls_certificate_set_x509_key_file(ctxt->x509cred,
                                                     cert, key,
                                                     GNUTLS_X509_FMT_PEM);
            if (err < 0) {
687 688 689
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Unable to set x509 key and certificate: %s, %s: %s"),
                               key, cert, gnutls_strerror(err));
690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708
                goto cleanup;
            }
        } else {
            VIR_DEBUG("Skipping non-existant cert %s key %s on client", cert, key);
        }
    }

    ret = 0;

cleanup:
    return ret;
}


static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
                                               const char *cacrl,
                                               const char *cert,
                                               const char *key,
                                               const char *const*x509dnWhitelist,
709
                                               bool sanityCheckCert,
710 711 712 713
                                               bool requireValidCert,
                                               bool isServer)
{
    virNetTLSContextPtr ctxt;
714
    const char *gnutlsdebug;
715 716
    int err;

717 718 719
    if (virNetTLSContextInitialize() < 0)
        return NULL;

720
    if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
721 722
        return NULL;

723
    if ((gnutlsdebug = virGetEnvAllowSUID("LIBVIRT_GNUTLS_DEBUG")) != NULL) {
724 725 726 727 728 729 730 731 732 733 734
        int val;
        if (virStrToLong_i(gnutlsdebug, NULL, 10, &val) < 0)
            val = 10;
        gnutls_global_set_log_level(val);
        gnutls_global_set_log_function(virNetTLSLog);
        VIR_DEBUG("Enabled GNUTLS debug");
    }


    err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
    if (err) {
735 736 737
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to allocate x509 credentials: %s"),
                       gnutls_strerror(err));
738 739 740
        goto error;
    }

741
    if (sanityCheckCert &&
742 743 744
        virNetTLSContextSanityCheckCredentials(isServer, cacert, cert) < 0)
        goto error;

745 746 747 748 749 750 751 752 753 754 755
    if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
        goto error;

    /* Generate Diffie Hellman parameters - for use with DHE
     * kx algorithms. These should be discarded and regenerated
     * once a day, once a week or once a month. Depending on the
     * security requirements.
     */
    if (isServer) {
        err = gnutls_dh_params_init(&ctxt->dhParams);
        if (err < 0) {
756 757 758
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to initialize diffie-hellman parameters: %s"),
                           gnutls_strerror(err));
759 760 761 762
            goto error;
        }
        err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
        if (err < 0) {
763 764 765
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to generate diffie-hellman parameters: %s"),
                           gnutls_strerror(err));
766 767 768 769 770 771 772 773 774 775 776
            goto error;
        }

        gnutls_certificate_set_dh_params(ctxt->x509cred,
                                         ctxt->dhParams);
    }

    ctxt->requireValidCert = requireValidCert;
    ctxt->x509dnWhitelist = x509dnWhitelist;
    ctxt->isServer = isServer;

777
    PROBE(RPC_TLS_CONTEXT_NEW,
778 779
          "ctxt=%p cacert=%s cacrl=%s cert=%s key=%s sanityCheckCert=%d requireValidCert=%d isServer=%d",
          ctxt, cacert, NULLSTR(cacrl), cert, key, sanityCheckCert, requireValidCert, isServer);
780

781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817
    return ctxt;

error:
    if (isServer)
        gnutls_dh_params_deinit(ctxt->dhParams);
    gnutls_certificate_free_credentials(ctxt->x509cred);
    VIR_FREE(ctxt);
    return NULL;
}


static int virNetTLSContextLocateCredentials(const char *pkipath,
                                             bool tryUserPkiPath,
                                             bool isServer,
                                             char **cacert,
                                             char **cacrl,
                                             char **cert,
                                             char **key)
{
    char *userdir = NULL;
    char *user_pki_path = NULL;

    *cacert = NULL;
    *cacrl = NULL;
    *key = NULL;
    *cert = NULL;

    VIR_DEBUG("pkipath=%s isServer=%d tryUserPkiPath=%d",
              pkipath, isServer, tryUserPkiPath);

    /* Explicit path, then use that no matter whether the
     * files actually exist there
     */
    if (pkipath) {
        VIR_DEBUG("Told to use TLS credentials in %s", pkipath);
        if ((virAsprintf(cacert, "%s/%s", pkipath,
                         "cacert.pem")) < 0)
818
            goto error;
819 820
        if ((virAsprintf(cacrl, "%s/%s", pkipath,
                         "cacrl.pem")) < 0)
821
            goto error;
822 823
        if ((virAsprintf(key, "%s/%s", pkipath,
                         isServer ? "serverkey.pem" : "clientkey.pem")) < 0)
824
            goto error;
825 826 827

        if ((virAsprintf(cert, "%s/%s", pkipath,
                         isServer ? "servercert.pem" : "clientcert.pem")) < 0)
828
             goto error;
829 830 831 832
    } else if (tryUserPkiPath) {
        /* Check to see if $HOME/.pki contains at least one of the
         * files and if so, use that
         */
833
        userdir = virGetUserDirectory();
834 835

        if (!userdir)
836
            goto error;
837 838

        if (virAsprintf(&user_pki_path, "%s/.pki/libvirt", userdir) < 0)
839
            goto error;
840 841 842 843 844

        VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path);

        if ((virAsprintf(cacert, "%s/%s", user_pki_path,
                         "cacert.pem")) < 0)
845
            goto error;
846 847 848

        if ((virAsprintf(cacrl, "%s/%s", user_pki_path,
                         "cacrl.pem")) < 0)
849
            goto error;
850 851 852

        if ((virAsprintf(key, "%s/%s", user_pki_path,
                         isServer ? "serverkey.pem" : "clientkey.pem")) < 0)
853
            goto error;
854 855 856

        if ((virAsprintf(cert, "%s/%s", user_pki_path,
                         isServer ? "servercert.pem" : "clientcert.pem")) < 0)
857
            goto error;
858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881

        /*
         * If some of the files can't be found, fallback
         * to the global location for them
         */
        if (!virFileExists(*cacert))
            VIR_FREE(*cacert);
        if (!virFileExists(*cacrl))
            VIR_FREE(*cacrl);

        /* Check these as a pair, since it they are
         * mutually dependent
         */
        if (!virFileExists(*key) || !virFileExists(*cert)) {
            VIR_FREE(*key);
            VIR_FREE(*cert);
        }
    }

    /* No explicit path, or user path didn't exist, so
     * fallback to global defaults
     */
    if (!*cacert) {
        VIR_DEBUG("Using default TLS CA certificate path");
882 883
        if (VIR_STRDUP(*cacert, LIBVIRT_CACERT) < 0)
            goto error;
884 885 886 887
    }

    if (!*cacrl) {
        VIR_DEBUG("Using default TLS CA revocation list path");
888 889
        if (VIR_STRDUP(*cacrl, LIBVIRT_CACRL) < 0)
            goto error;
890 891 892 893
    }

    if (!*key && !*cert) {
        VIR_DEBUG("Using default TLS key/certificate path");
894 895
        if (VIR_STRDUP(*key, isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY) < 0)
            goto error;
896

897 898
        if (VIR_STRDUP(*cert, isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT) < 0)
            goto error;
899 900 901 902 903 904 905
    }

    VIR_FREE(user_pki_path);
    VIR_FREE(userdir);

    return 0;

906
error:
907 908 909 910 911 912 913 914 915 916 917 918 919
    VIR_FREE(*cacert);
    VIR_FREE(*cacrl);
    VIR_FREE(*key);
    VIR_FREE(*cert);
    VIR_FREE(user_pki_path);
    VIR_FREE(userdir);
    return -1;
}


static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
                                                   bool tryUserPkiPath,
                                                   const char *const*x509dnWhitelist,
920
                                                   bool sanityCheckCert,
921 922 923 924 925 926 927
                                                   bool requireValidCert,
                                                   bool isServer)
{
    char *cacert = NULL, *cacrl = NULL, *key = NULL, *cert = NULL;
    virNetTLSContextPtr ctxt = NULL;

    if (virNetTLSContextLocateCredentials(pkipath, tryUserPkiPath, isServer,
928
                                          &cacert, &cacrl, &cert, &key) < 0)
929 930
        return NULL;

931
    ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
932 933
                               x509dnWhitelist, sanityCheckCert,
                               requireValidCert, isServer);
934 935 936 937 938 939 940 941 942 943 944 945

    VIR_FREE(cacert);
    VIR_FREE(cacrl);
    VIR_FREE(key);
    VIR_FREE(cert);

    return ctxt;
}

virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
                                                  bool tryUserPkiPath,
                                                  const char *const*x509dnWhitelist,
946
                                                  bool sanityCheckCert,
947 948
                                                  bool requireValidCert)
{
949 950
    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist,
                                   sanityCheckCert, requireValidCert, true);
951 952 953 954
}

virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
                                                  bool tryUserPkiPath,
955
                                                  bool sanityCheckCert,
956 957
                                                  bool requireValidCert)
{
958 959
    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL,
                                   sanityCheckCert, requireValidCert, false);
960 961 962 963 964 965 966 967
}


virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
                                              const char *cacrl,
                                              const char *cert,
                                              const char *key,
                                              const char *const*x509dnWhitelist,
968
                                              bool sanityCheckCert,
969 970
                                              bool requireValidCert)
{
971 972
    return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist,
                               sanityCheckCert, requireValidCert, true);
973 974 975 976 977 978 979
}


virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
                                              const char *cacrl,
                                              const char *cert,
                                              const char *key,
980
                                              bool sanityCheckCert,
981 982
                                              bool requireValidCert)
{
983 984
    return virNetTLSContextNew(cacert, cacrl, cert, key, NULL,
                               sanityCheckCert, requireValidCert, false);
985 986 987 988 989 990 991 992 993
}


static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
                                            virNetTLSSessionPtr sess)
{
    int ret;
    unsigned int status;
    const gnutls_datum_t *certs;
994 995
    unsigned int nCerts;
    size_t i;
996
    char dname[256];
997
    char *dnameptr = dname;
998 999 1000
    size_t dnamesize = sizeof(dname);

    memset(dname, 0, dnamesize);
1001 1002

    if ((ret = gnutls_certificate_verify_peers2(sess->session, &status)) < 0){
1003 1004 1005
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to verify TLS peer: %s"),
                       gnutls_strerror(ret));
1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025
        goto authdeny;
    }

    if (status != 0) {
        const char *reason = _("Invalid certificate");

        if (status & GNUTLS_CERT_INVALID)
            reason = _("The certificate is not trusted.");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
            reason = _("The certificate hasn't got a known issuer.");

        if (status & GNUTLS_CERT_REVOKED)
            reason = _("The certificate has been revoked.");

#ifndef GNUTLS_1_0_COMPAT
        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
            reason = _("The certificate uses an insecure algorithm");
#endif

1026 1027 1028
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Certificate failed validation: %s"),
                       reason);
1029 1030 1031 1032
        goto authdeny;
    }

    if (gnutls_certificate_type_get(sess->session) != GNUTLS_CRT_X509) {
1033 1034
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("Only x509 certificates are supported"));
1035 1036 1037 1038
        goto authdeny;
    }

    if (!(certs = gnutls_certificate_get_peers(sess->session, &nCerts))) {
1039 1040
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("The certificate has no peers"));
1041 1042 1043 1044 1045 1046 1047
        goto authdeny;
    }

    for (i = 0; i < nCerts; i++) {
        gnutls_x509_crt_t cert;

        if (gnutls_x509_crt_init(&cert) < 0) {
1048 1049
            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                           _("Unable to initialize certificate"));
1050 1051 1052 1053
            goto authfail;
        }

        if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {
1054 1055
            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                           _("Unable to load certificate"));
1056 1057 1058 1059
            gnutls_x509_crt_deinit(cert);
            goto authfail;
        }

1060 1061
        if (virNetTLSContextCheckCertTimes(cert, "[session]",
                                           sess->isServer, i > 0) < 0) {
1062 1063 1064 1065 1066
            gnutls_x509_crt_deinit(cert);
            goto authdeny;
        }

        if (i == 0) {
1067 1068
            ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize);
            if (ret != 0) {
1069 1070 1071
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Failed to get certificate %s distinguished name: %s"),
                               "[session]", gnutls_strerror(ret));
1072 1073
                goto authfail;
            }
1074
            if (VIR_STRDUP(sess->x509dname, dname) < 0)
1075
                goto authfail;
1076 1077 1078
            VIR_DEBUG("Peer DN is %s", dname);

            if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
1079
                                            ctxt->x509dnWhitelist) < 0) {
1080
                gnutls_x509_crt_deinit(cert);
1081 1082 1083 1084 1085 1086
                goto authdeny;
            }

            /* !sess->isServer, since on the client, we're validating the
             * server's cert, and on the server, the client's cert
             */
1087
#ifndef GNUTLS_1_0_COMPAT
1088 1089 1090 1091
            if (virNetTLSContextCheckCertBasicConstraints(cert, "[session]",
                                                          !sess->isServer, false) < 0) {
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
1092
            }
1093
#endif
1094

1095 1096
            if (virNetTLSContextCheckCertKeyUsage(cert, "[session]",
                                                  false) < 0) {
1097 1098 1099 1100
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
            }

1101 1102 1103
            /* !sess->isServer - as above */
            if (virNetTLSContextCheckCertKeyPurpose(cert, "[session]",
                                                    !sess->isServer) < 0) {
1104 1105 1106 1107
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
            }
        }
1108
        gnutls_x509_crt_deinit(cert);
1109 1110
    }

1111 1112
    PROBE(RPC_TLS_CONTEXT_SESSION_ALLOW,
          "ctxt=%p sess=%p dname=%s",
1113
          ctxt, sess, dnameptr);
1114

1115 1116 1117
    return 0;

authdeny:
1118 1119
    PROBE(RPC_TLS_CONTEXT_SESSION_DENY,
          "ctxt=%p sess=%p dname=%s",
1120
          ctxt, sess, dnameptr);
1121

1122 1123 1124
    return -1;

authfail:
1125 1126 1127 1128
    PROBE(RPC_TLS_CONTEXT_SESSION_FAIL,
          "ctxt=%p sess=%p",
          ctxt, sess);

1129 1130 1131 1132 1133 1134
    return -1;
}

int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt,
                                     virNetTLSSessionPtr sess)
{
1135 1136
    int ret = -1;

1137 1138
    virObjectLock(ctxt);
    virObjectLock(sess);
1139
    if (virNetTLSContextValidCertificate(ctxt, sess) < 0) {
1140 1141
        virErrorPtr err = virGetLastError();
        VIR_WARN("Certificate check failed %s", err && err->message ? err->message : "<unknown>");
1142
        if (ctxt->requireValidCert) {
1143 1144
            virReportError(VIR_ERR_AUTH_FAILED, "%s",
                           _("Failed to verify peer's certificate"));
1145
            goto cleanup;
1146
        }
1147
        virResetLastError();
1148 1149
        VIR_INFO("Ignoring bad certificate at user request");
    }
1150 1151 1152 1153

    ret = 0;

cleanup:
1154 1155
    virObjectUnlock(ctxt);
    virObjectUnlock(sess);
1156 1157

    return ret;
1158 1159
}

1160
void virNetTLSContextDispose(void *obj)
1161
{
1162
    virNetTLSContextPtr ctxt = obj;
1163

1164 1165 1166
    PROBE(RPC_TLS_CONTEXT_DISPOSE,
          "ctxt=%p", ctxt);

1167 1168 1169 1170 1171 1172 1173 1174 1175 1176
    gnutls_dh_params_deinit(ctxt->dhParams);
    gnutls_certificate_free_credentials(ctxt->x509cred);
}


static ssize_t
virNetTLSSessionPush(void *opaque, const void *buf, size_t len)
{
    virNetTLSSessionPtr sess = opaque;
    if (!sess->writeFunc) {
1177
        VIR_WARN("TLS session push with missing write function");
1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205
        errno = EIO;
        return -1;
    };

    return sess->writeFunc(buf, len, sess->opaque);
}


static ssize_t
virNetTLSSessionPull(void *opaque, void *buf, size_t len)
{
    virNetTLSSessionPtr sess = opaque;
    if (!sess->readFunc) {
        VIR_WARN("TLS session pull with missing read function");
        errno = EIO;
        return -1;
    };

    return sess->readFunc(buf, len, sess->opaque);
}


virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
                                        const char *hostname)
{
    virNetTLSSessionPtr sess;
    int err;

E
Eric Blake 已提交
1206 1207
    VIR_DEBUG("ctxt=%p hostname=%s isServer=%d",
              ctxt, NULLSTR(hostname), ctxt->isServer);
1208

1209
    if (!(sess = virObjectLockableNew(virNetTLSSessionClass)))
1210 1211
        return NULL;

1212
    if (VIR_STRDUP(sess->hostname, hostname) < 0)
1213 1214 1215 1216
        goto error;

    if ((err = gnutls_init(&sess->session,
                           ctxt->isServer ? GNUTLS_SERVER : GNUTLS_CLIENT)) != 0) {
1217 1218 1219
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed to initialize TLS session: %s"),
                       gnutls_strerror(err));
1220 1221 1222 1223 1224 1225
        goto error;
    }

    /* avoid calling all the priority functions, since the defaults
     * are adequate.
     */
1226
    if ((err = gnutls_set_default_priority(sess->session)) != 0) {
1227 1228 1229
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed to set TLS session priority %s"),
                       gnutls_strerror(err));
1230 1231 1232 1233 1234 1235
        goto error;
    }

    if ((err = gnutls_credentials_set(sess->session,
                                      GNUTLS_CRD_CERTIFICATE,
                                      ctxt->x509cred)) != 0) {
1236 1237 1238
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed set TLS x509 credentials: %s"),
                       gnutls_strerror(err));
1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255
        goto error;
    }

    /* request client certificate if any.
     */
    if (ctxt->isServer) {
        gnutls_certificate_server_set_request(sess->session, GNUTLS_CERT_REQUEST);

        gnutls_dh_set_prime_bits(sess->session, DH_BITS);
    }

    gnutls_transport_set_ptr(sess->session, sess);
    gnutls_transport_set_push_function(sess->session,
                                       virNetTLSSessionPush);
    gnutls_transport_set_pull_function(sess->session,
                                       virNetTLSSessionPull);

1256 1257
    sess->isServer = ctxt->isServer;

1258
    PROBE(RPC_TLS_SESSION_NEW,
1259 1260
          "sess=%p ctxt=%p hostname=%s isServer=%d",
          sess, ctxt, hostname, sess->isServer);
1261

1262 1263 1264
    return sess;

error:
1265
    virObjectUnref(sess);
1266 1267 1268 1269 1270 1271 1272 1273 1274
    return NULL;
}


void virNetTLSSessionSetIOCallbacks(virNetTLSSessionPtr sess,
                                    virNetTLSSessionWriteFunc writeFunc,
                                    virNetTLSSessionReadFunc readFunc,
                                    void *opaque)
{
1275
    virObjectLock(sess);
1276 1277 1278
    sess->writeFunc = writeFunc;
    sess->readFunc = readFunc;
    sess->opaque = opaque;
1279
    virObjectUnlock(sess);
1280 1281 1282 1283 1284 1285 1286
}


ssize_t virNetTLSSessionWrite(virNetTLSSessionPtr sess,
                              const char *buf, size_t len)
{
    ssize_t ret;
1287

1288
    virObjectLock(sess);
1289 1290 1291
    ret = gnutls_record_send(sess->session, buf, len);

    if (ret >= 0)
1292
        goto cleanup;
1293 1294 1295 1296 1297 1298 1299 1300

    switch (ret) {
    case GNUTLS_E_AGAIN:
        errno = EAGAIN;
        break;
    case GNUTLS_E_INTERRUPTED:
        errno = EINTR;
        break;
1301 1302 1303
    case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
        errno = ENOMSG;
        break;
1304 1305 1306 1307 1308
    default:
        errno = EIO;
        break;
    }

1309 1310 1311
    ret = -1;

cleanup:
1312
    virObjectUnlock(sess);
1313
    return ret;
1314 1315 1316 1317 1318 1319 1320
}

ssize_t virNetTLSSessionRead(virNetTLSSessionPtr sess,
                             char *buf, size_t len)
{
    ssize_t ret;

1321
    virObjectLock(sess);
1322 1323 1324
    ret = gnutls_record_recv(sess->session, buf, len);

    if (ret >= 0)
1325
        goto cleanup;
1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338

    switch (ret) {
    case GNUTLS_E_AGAIN:
        errno = EAGAIN;
        break;
    case GNUTLS_E_INTERRUPTED:
        errno = EINTR;
        break;
    default:
        errno = EIO;
        break;
    }

1339 1340 1341
    ret = -1;

cleanup:
1342
    virObjectUnlock(sess);
1343
    return ret;
1344 1345 1346 1347
}

int virNetTLSSessionHandshake(virNetTLSSessionPtr sess)
{
1348
    int ret;
1349
    VIR_DEBUG("sess=%p", sess);
1350
    virObjectLock(sess);
1351
    ret = gnutls_handshake(sess->session);
1352 1353 1354 1355
    VIR_DEBUG("Ret=%d", ret);
    if (ret == 0) {
        sess->handshakeComplete = true;
        VIR_DEBUG("Handshake is complete");
1356 1357 1358 1359 1360
        goto cleanup;
    }
    if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
        ret = 1;
        goto cleanup;
1361 1362 1363 1364 1365 1366 1367
    }

#if 0
    PROBE(CLIENT_TLS_FAIL, "fd=%d",
          virNetServerClientGetFD(client));
#endif

1368 1369 1370
    virReportError(VIR_ERR_AUTH_FAILED,
                   _("TLS handshake failed %s"),
                   gnutls_strerror(ret));
1371 1372 1373
    ret = -1;

cleanup:
1374
    virObjectUnlock(sess);
1375
    return ret;
1376 1377 1378 1379 1380
}

virNetTLSSessionHandshakeStatus
virNetTLSSessionGetHandshakeStatus(virNetTLSSessionPtr sess)
{
1381
    virNetTLSSessionHandshakeStatus ret;
1382
    virObjectLock(sess);
1383
    if (sess->handshakeComplete)
1384
        ret = VIR_NET_TLS_HANDSHAKE_COMPLETE;
1385
    else if (gnutls_record_get_direction(sess->session) == 0)
1386
        ret = VIR_NET_TLS_HANDSHAKE_RECVING;
1387
    else
1388
        ret = VIR_NET_TLS_HANDSHAKE_SENDING;
1389
    virObjectUnlock(sess);
1390
    return ret;
1391 1392 1393 1394 1395 1396
}

int virNetTLSSessionGetKeySize(virNetTLSSessionPtr sess)
{
    gnutls_cipher_algorithm_t cipher;
    int ssf;
1397
    virObjectLock(sess);
1398 1399
    cipher = gnutls_cipher_get(sess->session);
    if (!(ssf = gnutls_cipher_get_key_size(cipher))) {
1400 1401
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("invalid cipher size for TLS session"));
1402 1403
        ssf = -1;
        goto cleanup;
1404 1405
    }

1406
cleanup:
1407
    virObjectUnlock(sess);
1408 1409 1410
    return ssf;
}

1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422
const char *virNetTLSSessionGetX509DName(virNetTLSSessionPtr sess)
{
    const char *ret = NULL;

    virObjectLock(sess);

    ret = sess->x509dname;

    virObjectUnlock(sess);

    return ret;
}
1423

1424
void virNetTLSSessionDispose(void *obj)
1425
{
1426
    virNetTLSSessionPtr sess = obj;
1427

1428 1429 1430
    PROBE(RPC_TLS_SESSION_DISPOSE,
          "sess=%p", sess);

1431
    VIR_FREE(sess->x509dname);
1432 1433 1434
    VIR_FREE(sess->hostname);
    gnutls_deinit(sess->session);
}
M
Michal Privoznik 已提交
1435 1436 1437 1438 1439 1440

/*
 * This function MUST be called before any
 * virNetTLS* because it initializes
 * underlying GnuTLS library. According to
 * it's documentation, it's safe to be called
1441 1442 1443 1444 1445 1446 1447
 * many times, but is not thread safe.
 *
 * There is no corresponding "Deinit" / "Cleanup"
 * function because there is no safe way to call
 * 'gnutls_global_deinit' from a multi-threaded
 * library, where other libraries linked into the
 * application may also be using gnutls.
M
Michal Privoznik 已提交
1448 1449 1450 1451 1452
 */
void virNetTLSInit(void)
{
    gnutls_global_init();
}