virnettlscontext.c 44.8 KB
Newer Older
1 2 3
/*
 * virnettlscontext.c: TLS encryption/x509 handling
 *
4
 * Copyright (C) 2010-2013 Red Hat, Inc.
5 6 7 8 9 10 11 12 13 14 15 16
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
17
 * License along with this library.  If not, see
O
Osier Yang 已提交
18
 * <http://www.gnu.org/licenses/>.
19 20 21 22 23 24 25 26 27
 */

#include <config.h>

#include <unistd.h>
#include <fnmatch.h>
#include <stdlib.h>

#include <gnutls/gnutls.h>
E
Eric Blake 已提交
28
#if HAVE_GNUTLS_CRYPTO_H
E
Eric Blake 已提交
29 30
# include <gnutls/crypto.h>
#endif
31 32 33 34
#include <gnutls/x509.h>
#include "gnutls_1_0_compat.h"

#include "virnettlscontext.h"
35
#include "virstring.h"
36

37
#include "viralloc.h"
38
#include "virerror.h"
39
#include "virfile.h"
40
#include "virutil.h"
41
#include "virlog.h"
42
#include "virthread.h"
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57
#include "configmake.h"

#define DH_BITS 1024

#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"

#define VIR_FROM_THIS VIR_FROM_RPC

struct _virNetTLSContext {
58
    virObjectLockable parent;
59 60 61 62 63 64 65 66 67 68

    gnutls_certificate_credentials_t x509cred;
    gnutls_dh_params_t dhParams;

    bool isServer;
    bool requireValidCert;
    const char *const*x509dnWhitelist;
};

struct _virNetTLSSession {
69
    virObjectLockable parent;
70 71 72

    bool handshakeComplete;

73
    bool isServer;
74 75 76 77 78
    char *hostname;
    gnutls_session_t session;
    virNetTLSSessionWriteFunc writeFunc;
    virNetTLSSessionReadFunc readFunc;
    void *opaque;
79
    char *x509dname;
80 81
};

82 83 84 85 86 87 88 89
static virClassPtr virNetTLSContextClass;
static virClassPtr virNetTLSSessionClass;
static void virNetTLSContextDispose(void *obj);
static void virNetTLSSessionDispose(void *obj);


static int virNetTLSContextOnceInit(void)
{
90
    if (!(virNetTLSContextClass = virClassNew(virClassForObjectLockable(),
91
                                              "virNetTLSContext",
92 93 94 95
                                              sizeof(virNetTLSContext),
                                              virNetTLSContextDispose)))
        return -1;

96
    if (!(virNetTLSSessionClass = virClassNew(virClassForObjectLockable(),
97
                                              "virNetTLSSession",
98 99 100 101 102 103 104 105 106
                                              sizeof(virNetTLSSession),
                                              virNetTLSSessionDispose)))
        return -1;

    return 0;
}

VIR_ONCE_GLOBAL_INIT(virNetTLSContext)

107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123

static int
virNetTLSContextCheckCertFile(const char *type, const char *file, bool allowMissing)
{
    if (!virFileExists(file)) {
        if (allowMissing)
            return 1;

        virReportSystemError(errno,
                             _("Cannot read %s '%s'"),
                             type, file);
        return -1;
    }
    return 0;
}


124 125
static void virNetTLSLog(int level ATTRIBUTE_UNUSED,
                         const char *str ATTRIBUTE_UNUSED) {
126 127 128
    VIR_DEBUG("%d %s", level, str);
}

129

130 131 132 133
static int virNetTLSContextCheckCertTimes(gnutls_x509_crt_t cert,
                                          const char *certFile,
                                          bool isServer,
                                          bool isCA)
134 135 136 137 138 139
{
    time_t now;

    if ((now = time(NULL)) == ((time_t)-1)) {
        virReportSystemError(errno, "%s",
                             _("cannot get current time"));
140
        return -1;
141 142 143
    }

    if (gnutls_x509_crt_get_expiration_time(cert) < now) {
144 145 146 147 148 149 150
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       (isCA ?
                        _("The CA certificate %s has expired") :
                        (isServer ?
                         _("The server certificate %s has expired") :
                         _("The client certificate %s has expired"))),
                       certFile);
151
        return -1;
152 153 154
    }

    if (gnutls_x509_crt_get_activation_time(cert) > now) {
155 156 157 158 159 160 161
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       (isCA ?
                        _("The CA certificate %s is not yet active") :
                        (isServer ?
                         _("The server certificate %s is not yet active") :
                         _("The client certificate %s is not yet active"))),
                       certFile);
162
        return -1;
163 164
    }

165 166 167
    return 0;
}

168 169 170 171 172 173 174 175 176

#ifndef GNUTLS_1_0_COMPAT
/*
 * The gnutls_x509_crt_get_basic_constraints function isn't
 * available in GNUTLS 1.0.x branches. This isn't critical
 * though, since gnutls_certificate_verify_peers2 will do
 * pretty much the same check at runtime, so we can just
 * disable this code
 */
177 178 179 180 181 182 183
static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert,
                                                     const char *certFile,
                                                     bool isServer,
                                                     bool isCA)
{
    int status;

184 185 186 187 188
    status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
    VIR_DEBUG("Cert %s basic constraints %d", certFile, status);

    if (status > 0) { /* It is a CA cert */
        if (!isCA) {
189 190 191 192
            virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                           _("The certificate %s basic constraints show a CA, but we need one for a server") :
                           _("The certificate %s basic constraints show a CA, but we need one for a client"),
                           certFile);
193
            return -1;
194 195 196
        }
    } else if (status == 0) { /* It is not a CA cert */
        if (isCA) {
197 198 199
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("The certificate %s basic constraints do not show a CA"),
                           certFile);
200
            return -1;
201 202 203
        }
    } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */
        if (isCA) {
204 205 206
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("The certificate %s is missing basic constraints for a CA"),
                           certFile);
207
            return -1;
208 209
        }
    } else { /* General error */
210 211 212
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to query certificate %s basic constraints %s"),
                       certFile, gnutls_strerror(status));
213
        return -1;
214 215
    }

216 217
    return 0;
}
218 219
#endif

220 221 222 223 224 225

static int virNetTLSContextCheckCertKeyUsage(gnutls_x509_crt_t cert,
                                             const char *certFile,
                                             bool isCA)
{
    int status;
226 227
    unsigned int usage = 0;
    unsigned int critical = 0;
228

229
    status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
230

231
    VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
232
    if (status < 0) {
233 234 235 236
        if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
            usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
                GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
        } else {
237 238 239
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key usage %s"),
                           certFile, gnutls_strerror(status));
240
            return -1;
241
        }
242 243
    }

244 245
    if (isCA) {
        if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
246
            if (critical) {
247 248 249
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit certificate signing"),
                               certFile);
250
                return -1;
251 252 253 254
            } else {
                VIR_WARN("Certificate %s usage does not permit certificate signing",
                         certFile);
            }
255 256
        }
    } else {
257
        if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
258
            if (critical) {
259 260 261
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit digital signature"),
                               certFile);
262
                return -1;
263 264 265 266
            } else {
                VIR_WARN("Certificate %s usage does not permit digital signature",
                         certFile);
            }
267 268
        }
        if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
269
            if (critical) {
270 271 272
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit key encipherment"),
                               certFile);
273
                return -1;
274 275 276 277
            } else {
                VIR_WARN("Certificate %s usage does not permit key encipherment",
                         certFile);
            }
278 279 280
        }
    }

281 282 283 284 285 286 287 288 289
    return 0;
}


static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert,
                                               const char *certFile,
                                               bool isServer)
{
    int status;
290
    size_t i;
291 292
    unsigned int purposeCritical;
    unsigned int critical;
E
Eric Blake 已提交
293
    char *buffer = NULL;
294 295 296
    size_t size;
    bool allowClient = false, allowServer = false;

297
    critical = 0;
298
    for (i = 0; ; i++) {
299 300 301 302
        size = 0;
        status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL);

        if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
303
            VIR_DEBUG("No key purpose data available at slot %zu", i);
304 305 306 307

            /* If there is no data at all, then we must allow client/server to pass */
            if (i == 0)
                allowServer = allowClient = true;
308 309 310
            break;
        }
        if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
311 312 313
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key purpose %s"),
                           certFile, gnutls_strerror(status));
314
            return -1;
315 316
        }

317
        if (VIR_ALLOC_N(buffer, size) < 0)
318
            return -1;
319

320
        status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical);
321
        if (status < 0) {
322
            VIR_FREE(buffer);
323 324 325
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key purpose %s"),
                           certFile, gnutls_strerror(status));
326
            return -1;
327
        }
328 329
        if (purposeCritical)
            critical = true;
330

331
        VIR_DEBUG("Key purpose %d %s critical %u", status, buffer, purposeCritical);
332
        if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
333
            allowServer = true;
334
        } else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
335
            allowClient = true;
336
        } else if (STRNEQ(buffer, GNUTLS_KP_ANY)) {
337
            allowServer = allowClient = true;
338 339 340 341 342
        }

        VIR_FREE(buffer);
    }

343 344
    if (isServer) {
        if (!allowServer) {
345
            if (critical) {
346 347 348
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s purpose does not allow use for with a TLS server"),
                               certFile);
349
                return -1;
350 351 352 353
            } else {
                VIR_WARN("Certificate %s purpose does not allow use for with a TLS server",
                         certFile);
            }
354
        }
355 356
    } else {
        if (!allowClient) {
357
            if (critical) {
358 359 360
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s purpose does not allow use for with a TLS client"),
                               certFile);
361
                return -1;
362 363 364 365
            } else {
                VIR_WARN("Certificate %s purpose does not allow use for with a TLS client",
                         certFile);
            }
366 367 368
        }
    }

369 370 371 372 373 374 375 376 377
    return 0;
}

/* Check DN is on tls_allowed_dn_list. */
static int
virNetTLSContextCheckCertDNWhitelist(const char *dname,
                                     const char *const*wildcards)
{
    while (*wildcards) {
378
        int ret = fnmatch(*wildcards, dname, 0);
J
Ján Tomko 已提交
379
        if (ret == 0) /* Successful match */
380 381
            return 1;
        if (ret != FNM_NOMATCH) {
382 383 384
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("Malformed TLS whitelist regular expression '%s'"),
                           *wildcards);
385 386 387 388 389 390 391 392 393 394
            return -1;
        }

        wildcards++;
    }

    /* Log the client's DN for debugging */
    VIR_DEBUG("Failed whitelist check for client DN '%s'", dname);

    /* This is the most common error: make it informative. */
395 396 397
    virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                   _("Client's Distinguished Name is not on the list "
                     "of allowed clients (tls_allowed_dn_list).  Use "
398 399
                     "'certtool -i --infile clientcert.pem' to view the "
                     "Distinguished Name field in the client certificate, "
400
                     "or run this daemon with --verbose option."));
401 402 403 404 405 406 407 408
    return 0;
}


static int
virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert,
                            const char *certFile,
                            const char *hostname,
409
                            const char *dname,
410 411
                            const char *const* whitelist)
{
412 413
    if (whitelist && dname &&
        virNetTLSContextCheckCertDNWhitelist(dname, whitelist) <= 0)
414 415 416 417
        return -1;

    if (hostname &&
        !gnutls_x509_crt_check_hostname(cert, hostname)) {
418 419 420
        virReportError(VIR_ERR_RPC,
                       _("Certificate %s owner does not match the hostname %s"),
                       certFile, hostname);
421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436
        return -1;
    }

    return 0;
}


static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert,
                                     const char *certFile,
                                     bool isServer,
                                     bool isCA)
{
    if (virNetTLSContextCheckCertTimes(cert, certFile,
                                       isServer, isCA) < 0)
        return -1;

437
#ifndef GNUTLS_1_0_COMPAT
438 439 440
    if (virNetTLSContextCheckCertBasicConstraints(cert, certFile,
                                                  isServer, isCA) < 0)
        return -1;
441
#endif
442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457

    if (virNetTLSContextCheckCertKeyUsage(cert, certFile,
                                          isCA) < 0)
        return -1;

    if (!isCA &&
        virNetTLSContextCheckCertKeyPurpose(cert, certFile,
                                            isServer) < 0)
        return -1;

    return 0;
}


static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
                                         const char *certFile,
458 459
                                         gnutls_x509_crt_t *cacerts,
                                         size_t ncacerts,
460 461 462 463 464 465
                                         const char *cacertFile,
                                         bool isServer)
{
    unsigned int status;

    if (gnutls_x509_crt_list_verify(&cert, 1,
466
                                    cacerts, ncacerts,
467 468
                                    NULL, 0,
                                    0, &status) < 0) {
469 470 471 472
        virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                       _("Unable to verify server certificate %s against CA certificate %s") :
                       _("Unable to verify client certificate %s against CA certificate %s"),
                       certFile, cacertFile);
473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492
        return -1;
    }

    if (status != 0) {
        const char *reason = _("Invalid certificate");

        if (status & GNUTLS_CERT_INVALID)
            reason = _("The certificate is not trusted.");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
            reason = _("The certificate hasn't got a known issuer.");

        if (status & GNUTLS_CERT_REVOKED)
            reason = _("The certificate has been revoked.");

#ifndef GNUTLS_1_0_COMPAT
        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
            reason = _("The certificate uses an insecure algorithm");
#endif

493 494 495
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Our own certificate %s failed validation against %s: %s"),
                       certFile, cacertFile, reason);
496 497 498 499 500 501 502 503
        return -1;
    }

    return 0;
}


static gnutls_x509_crt_t virNetTLSContextLoadCertFromFile(const char *certFile,
504
                                                          bool isServer)
505 506 507 508 509 510
{
    gnutls_datum_t data;
    gnutls_x509_crt_t cert = NULL;
    char *buf = NULL;
    int ret = -1;

511 512
    VIR_DEBUG("isServer %d certFile %s",
              isServer, certFile);
513 514

    if (gnutls_x509_crt_init(&cert) < 0) {
515 516
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("Unable to initialize certificate"));
517 518 519 520 521 522 523 524 525 526
        goto cleanup;
    }

    if (virFileReadAll(certFile, (1<<16), &buf) < 0)
        goto cleanup;

    data.data = (unsigned char *)buf;
    data.size = strlen(buf);

    if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
527 528 529 530
        virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                       _("Unable to import server certificate %s") :
                       _("Unable to import client certificate %s"),
                       certFile);
531 532
        goto cleanup;
    }
533

534 535 536 537 538 539 540 541 542 543 544 545
    ret = 0;

cleanup:
    if (ret != 0) {
        gnutls_x509_crt_deinit(cert);
        cert = NULL;
    }
    VIR_FREE(buf);
    return cert;
}


546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580
static int virNetTLSContextLoadCACertListFromFile(const char *certFile,
                                                  gnutls_x509_crt_t *certs,
                                                  size_t *ncerts)
{
    gnutls_datum_t data;
    char *buf = NULL;
    int ret = -1;
    unsigned int certMax = *ncerts;

    *ncerts = 0;
    VIR_DEBUG("certFile %s", certFile);

    if (virFileReadAll(certFile, (1<<16), &buf) < 0)
        goto cleanup;

    data.data = (unsigned char *)buf;
    data.size = strlen(buf);

    if (gnutls_x509_crt_list_import(certs, &certMax, &data, GNUTLS_X509_FMT_PEM, 0) < 0) {
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to import CA certificate list %s"),
                       certFile);
        goto cleanup;
    }
    *ncerts = certMax;

    ret = 0;

cleanup:
    VIR_FREE(buf);
    return ret;
}


#define MAX_CERTS 16
581 582 583 584 585
static int virNetTLSContextSanityCheckCredentials(bool isServer,
                                                  const char *cacertFile,
                                                  const char *certFile)
{
    gnutls_x509_crt_t cert = NULL;
586 587 588
    gnutls_x509_crt_t cacerts[MAX_CERTS];
    size_t ncacerts = MAX_CERTS;
    size_t i;
589 590
    int ret = -1;

591
    if ((access(certFile, R_OK) == 0) &&
592
        !(cert = virNetTLSContextLoadCertFromFile(certFile, isServer)))
593 594
        goto cleanup;
    if ((access(cacertFile, R_OK) == 0) &&
595
        virNetTLSContextLoadCACertListFromFile(cacertFile, cacerts, &ncacerts) < 0)
596
        goto cleanup;
597

598 599 600
    if (cert &&
        virNetTLSContextCheckCert(cert, certFile, isServer, false) < 0)
        goto cleanup;
601

602 603 604 605
    for (i = 0; i < ncacerts; i++) {
        if (virNetTLSContextCheckCert(cacerts[i], cacertFile, isServer, true) < 0)
            goto cleanup;
    }
606

607 608
    if (cert && ncacerts &&
        virNetTLSContextCheckCertPair(cert, certFile, cacerts, ncacerts, cacertFile, isServer) < 0)
609
        goto cleanup;
610 611 612 613 614 615

    ret = 0;

cleanup:
    if (cert)
        gnutls_x509_crt_deinit(cert);
616 617
    for (i = 0; i < ncacerts; i++)
        gnutls_x509_crt_deinit(cacerts[i]);
618 619 620 621
    return ret;
}


622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640
static int virNetTLSContextLoadCredentials(virNetTLSContextPtr ctxt,
                                           bool isServer,
                                           const char *cacert,
                                           const char *cacrl,
                                           const char *cert,
                                           const char *key)
{
    int ret = -1;
    int err;

    if (cacert && cacert[0] != '\0') {
        if (virNetTLSContextCheckCertFile("CA certificate", cacert, false) < 0)
            goto cleanup;

        VIR_DEBUG("loading CA cert from %s", cacert);
        err = gnutls_certificate_set_x509_trust_file(ctxt->x509cred,
                                                     cacert,
                                                     GNUTLS_X509_FMT_PEM);
        if (err < 0) {
641 642
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to set x509 CA certificate: %s: %s"),
643
                           cacert, gnutls_strerror(err));
644 645 646 647 648 649 650 651 652 653 654 655 656 657 658
            goto cleanup;
        }
    }

    if (cacrl && cacrl[0] != '\0') {
        int rv;
        if ((rv = virNetTLSContextCheckCertFile("CA revocation list", cacrl, true)) < 0)
            goto cleanup;

        if (rv == 0) {
            VIR_DEBUG("loading CRL from %s", cacrl);
            err = gnutls_certificate_set_x509_crl_file(ctxt->x509cred,
                                                       cacrl,
                                                       GNUTLS_X509_FMT_PEM);
            if (err < 0) {
659 660 661
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Unable to set x509 certificate revocation list: %s: %s"),
                               cacrl, gnutls_strerror(err));
662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683
                goto cleanup;
            }
        } else {
            VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl);
        }
    }

    if (cert && cert[0] != '\0' && key && key[0] != '\0') {
        int rv;
        if ((rv = virNetTLSContextCheckCertFile("certificate", cert, !isServer)) < 0)
            goto cleanup;
        if (rv == 0 &&
            (rv = virNetTLSContextCheckCertFile("private key", key, !isServer)) < 0)
            goto cleanup;

        if (rv == 0) {
            VIR_DEBUG("loading cert and key from %s and %s", cert, key);
            err =
                gnutls_certificate_set_x509_key_file(ctxt->x509cred,
                                                     cert, key,
                                                     GNUTLS_X509_FMT_PEM);
            if (err < 0) {
684 685 686
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Unable to set x509 key and certificate: %s, %s: %s"),
                               key, cert, gnutls_strerror(err));
687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705
                goto cleanup;
            }
        } else {
            VIR_DEBUG("Skipping non-existant cert %s key %s on client", cert, key);
        }
    }

    ret = 0;

cleanup:
    return ret;
}


static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
                                               const char *cacrl,
                                               const char *cert,
                                               const char *key,
                                               const char *const*x509dnWhitelist,
706
                                               bool sanityCheckCert,
707 708 709 710 711 712 713
                                               bool requireValidCert,
                                               bool isServer)
{
    virNetTLSContextPtr ctxt;
    char *gnutlsdebug;
    int err;

714 715 716
    if (virNetTLSContextInitialize() < 0)
        return NULL;

717
    if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
718 719
        return NULL;

720 721 722 723 724 725 726 727 728 729 730 731
    if ((gnutlsdebug = getenv("LIBVIRT_GNUTLS_DEBUG")) != NULL) {
        int val;
        if (virStrToLong_i(gnutlsdebug, NULL, 10, &val) < 0)
            val = 10;
        gnutls_global_set_log_level(val);
        gnutls_global_set_log_function(virNetTLSLog);
        VIR_DEBUG("Enabled GNUTLS debug");
    }


    err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
    if (err) {
732 733 734
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to allocate x509 credentials: %s"),
                       gnutls_strerror(err));
735 736 737
        goto error;
    }

738
    if (sanityCheckCert &&
739 740 741
        virNetTLSContextSanityCheckCredentials(isServer, cacert, cert) < 0)
        goto error;

742 743 744 745 746 747 748 749 750 751 752
    if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
        goto error;

    /* Generate Diffie Hellman parameters - for use with DHE
     * kx algorithms. These should be discarded and regenerated
     * once a day, once a week or once a month. Depending on the
     * security requirements.
     */
    if (isServer) {
        err = gnutls_dh_params_init(&ctxt->dhParams);
        if (err < 0) {
753 754 755
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to initialize diffie-hellman parameters: %s"),
                           gnutls_strerror(err));
756 757 758 759
            goto error;
        }
        err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
        if (err < 0) {
760 761 762
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to generate diffie-hellman parameters: %s"),
                           gnutls_strerror(err));
763 764 765 766 767 768 769 770 771 772 773
            goto error;
        }

        gnutls_certificate_set_dh_params(ctxt->x509cred,
                                         ctxt->dhParams);
    }

    ctxt->requireValidCert = requireValidCert;
    ctxt->x509dnWhitelist = x509dnWhitelist;
    ctxt->isServer = isServer;

774
    PROBE(RPC_TLS_CONTEXT_NEW,
775 776
          "ctxt=%p cacert=%s cacrl=%s cert=%s key=%s sanityCheckCert=%d requireValidCert=%d isServer=%d",
          ctxt, cacert, NULLSTR(cacrl), cert, key, sanityCheckCert, requireValidCert, isServer);
777

778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814
    return ctxt;

error:
    if (isServer)
        gnutls_dh_params_deinit(ctxt->dhParams);
    gnutls_certificate_free_credentials(ctxt->x509cred);
    VIR_FREE(ctxt);
    return NULL;
}


static int virNetTLSContextLocateCredentials(const char *pkipath,
                                             bool tryUserPkiPath,
                                             bool isServer,
                                             char **cacert,
                                             char **cacrl,
                                             char **cert,
                                             char **key)
{
    char *userdir = NULL;
    char *user_pki_path = NULL;

    *cacert = NULL;
    *cacrl = NULL;
    *key = NULL;
    *cert = NULL;

    VIR_DEBUG("pkipath=%s isServer=%d tryUserPkiPath=%d",
              pkipath, isServer, tryUserPkiPath);

    /* Explicit path, then use that no matter whether the
     * files actually exist there
     */
    if (pkipath) {
        VIR_DEBUG("Told to use TLS credentials in %s", pkipath);
        if ((virAsprintf(cacert, "%s/%s", pkipath,
                         "cacert.pem")) < 0)
815
            goto error;
816 817
        if ((virAsprintf(cacrl, "%s/%s", pkipath,
                         "cacrl.pem")) < 0)
818
            goto error;
819 820
        if ((virAsprintf(key, "%s/%s", pkipath,
                         isServer ? "serverkey.pem" : "clientkey.pem")) < 0)
821
            goto error;
822 823 824

        if ((virAsprintf(cert, "%s/%s", pkipath,
                         isServer ? "servercert.pem" : "clientcert.pem")) < 0)
825
             goto error;
826 827 828 829
    } else if (tryUserPkiPath) {
        /* Check to see if $HOME/.pki contains at least one of the
         * files and if so, use that
         */
830
        userdir = virGetUserDirectory();
831 832

        if (!userdir)
833
            goto error;
834 835

        if (virAsprintf(&user_pki_path, "%s/.pki/libvirt", userdir) < 0)
836
            goto error;
837 838 839 840 841

        VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path);

        if ((virAsprintf(cacert, "%s/%s", user_pki_path,
                         "cacert.pem")) < 0)
842
            goto error;
843 844 845

        if ((virAsprintf(cacrl, "%s/%s", user_pki_path,
                         "cacrl.pem")) < 0)
846
            goto error;
847 848 849

        if ((virAsprintf(key, "%s/%s", user_pki_path,
                         isServer ? "serverkey.pem" : "clientkey.pem")) < 0)
850
            goto error;
851 852 853

        if ((virAsprintf(cert, "%s/%s", user_pki_path,
                         isServer ? "servercert.pem" : "clientcert.pem")) < 0)
854
            goto error;
855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878

        /*
         * If some of the files can't be found, fallback
         * to the global location for them
         */
        if (!virFileExists(*cacert))
            VIR_FREE(*cacert);
        if (!virFileExists(*cacrl))
            VIR_FREE(*cacrl);

        /* Check these as a pair, since it they are
         * mutually dependent
         */
        if (!virFileExists(*key) || !virFileExists(*cert)) {
            VIR_FREE(*key);
            VIR_FREE(*cert);
        }
    }

    /* No explicit path, or user path didn't exist, so
     * fallback to global defaults
     */
    if (!*cacert) {
        VIR_DEBUG("Using default TLS CA certificate path");
879 880
        if (VIR_STRDUP(*cacert, LIBVIRT_CACERT) < 0)
            goto error;
881 882 883 884
    }

    if (!*cacrl) {
        VIR_DEBUG("Using default TLS CA revocation list path");
885 886
        if (VIR_STRDUP(*cacrl, LIBVIRT_CACRL) < 0)
            goto error;
887 888 889 890
    }

    if (!*key && !*cert) {
        VIR_DEBUG("Using default TLS key/certificate path");
891 892
        if (VIR_STRDUP(*key, isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY) < 0)
            goto error;
893

894 895
        if (VIR_STRDUP(*cert, isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT) < 0)
            goto error;
896 897 898 899 900 901 902
    }

    VIR_FREE(user_pki_path);
    VIR_FREE(userdir);

    return 0;

903
error:
904 905 906 907 908 909 910 911 912 913 914 915 916
    VIR_FREE(*cacert);
    VIR_FREE(*cacrl);
    VIR_FREE(*key);
    VIR_FREE(*cert);
    VIR_FREE(user_pki_path);
    VIR_FREE(userdir);
    return -1;
}


static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
                                                   bool tryUserPkiPath,
                                                   const char *const*x509dnWhitelist,
917
                                                   bool sanityCheckCert,
918 919 920 921 922 923 924
                                                   bool requireValidCert,
                                                   bool isServer)
{
    char *cacert = NULL, *cacrl = NULL, *key = NULL, *cert = NULL;
    virNetTLSContextPtr ctxt = NULL;

    if (virNetTLSContextLocateCredentials(pkipath, tryUserPkiPath, isServer,
925
                                          &cacert, &cacrl, &cert, &key) < 0)
926 927
        return NULL;

928
    ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
929 930
                               x509dnWhitelist, sanityCheckCert,
                               requireValidCert, isServer);
931 932 933 934 935 936 937 938 939 940 941 942

    VIR_FREE(cacert);
    VIR_FREE(cacrl);
    VIR_FREE(key);
    VIR_FREE(cert);

    return ctxt;
}

virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
                                                  bool tryUserPkiPath,
                                                  const char *const*x509dnWhitelist,
943
                                                  bool sanityCheckCert,
944 945
                                                  bool requireValidCert)
{
946 947
    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist,
                                   sanityCheckCert, requireValidCert, true);
948 949 950 951
}

virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
                                                  bool tryUserPkiPath,
952
                                                  bool sanityCheckCert,
953 954
                                                  bool requireValidCert)
{
955 956
    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL,
                                   sanityCheckCert, requireValidCert, false);
957 958 959 960 961 962 963 964
}


virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
                                              const char *cacrl,
                                              const char *cert,
                                              const char *key,
                                              const char *const*x509dnWhitelist,
965
                                              bool sanityCheckCert,
966 967
                                              bool requireValidCert)
{
968 969
    return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist,
                               sanityCheckCert, requireValidCert, true);
970 971 972 973 974 975 976
}


virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
                                              const char *cacrl,
                                              const char *cert,
                                              const char *key,
977
                                              bool sanityCheckCert,
978 979
                                              bool requireValidCert)
{
980 981
    return virNetTLSContextNew(cacert, cacrl, cert, key, NULL,
                               sanityCheckCert, requireValidCert, false);
982 983 984 985 986 987 988 989 990
}


static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
                                            virNetTLSSessionPtr sess)
{
    int ret;
    unsigned int status;
    const gnutls_datum_t *certs;
991 992
    unsigned int nCerts;
    size_t i;
993
    char dname[256];
994
    char *dnameptr = dname;
995 996 997
    size_t dnamesize = sizeof(dname);

    memset(dname, 0, dnamesize);
998 999

    if ((ret = gnutls_certificate_verify_peers2(sess->session, &status)) < 0){
1000 1001 1002
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to verify TLS peer: %s"),
                       gnutls_strerror(ret));
1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022
        goto authdeny;
    }

    if (status != 0) {
        const char *reason = _("Invalid certificate");

        if (status & GNUTLS_CERT_INVALID)
            reason = _("The certificate is not trusted.");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
            reason = _("The certificate hasn't got a known issuer.");

        if (status & GNUTLS_CERT_REVOKED)
            reason = _("The certificate has been revoked.");

#ifndef GNUTLS_1_0_COMPAT
        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
            reason = _("The certificate uses an insecure algorithm");
#endif

1023 1024 1025
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Certificate failed validation: %s"),
                       reason);
1026 1027 1028 1029
        goto authdeny;
    }

    if (gnutls_certificate_type_get(sess->session) != GNUTLS_CRT_X509) {
1030 1031
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("Only x509 certificates are supported"));
1032 1033 1034 1035
        goto authdeny;
    }

    if (!(certs = gnutls_certificate_get_peers(sess->session, &nCerts))) {
1036 1037
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("The certificate has no peers"));
1038 1039 1040 1041 1042 1043 1044
        goto authdeny;
    }

    for (i = 0; i < nCerts; i++) {
        gnutls_x509_crt_t cert;

        if (gnutls_x509_crt_init(&cert) < 0) {
1045 1046
            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                           _("Unable to initialize certificate"));
1047 1048 1049 1050
            goto authfail;
        }

        if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {
1051 1052
            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                           _("Unable to load certificate"));
1053 1054 1055 1056
            gnutls_x509_crt_deinit(cert);
            goto authfail;
        }

1057 1058
        if (virNetTLSContextCheckCertTimes(cert, "[session]",
                                           sess->isServer, i > 0) < 0) {
1059 1060 1061 1062 1063
            gnutls_x509_crt_deinit(cert);
            goto authdeny;
        }

        if (i == 0) {
1064 1065
            ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize);
            if (ret != 0) {
1066 1067 1068
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Failed to get certificate %s distinguished name: %s"),
                               "[session]", gnutls_strerror(ret));
1069 1070
                goto authfail;
            }
1071
            if (VIR_STRDUP(sess->x509dname, dname) < 0)
1072
                goto authfail;
1073 1074 1075
            VIR_DEBUG("Peer DN is %s", dname);

            if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
1076
                                            ctxt->x509dnWhitelist) < 0) {
1077
                gnutls_x509_crt_deinit(cert);
1078 1079 1080 1081 1082 1083
                goto authdeny;
            }

            /* !sess->isServer, since on the client, we're validating the
             * server's cert, and on the server, the client's cert
             */
1084
#ifndef GNUTLS_1_0_COMPAT
1085 1086 1087 1088
            if (virNetTLSContextCheckCertBasicConstraints(cert, "[session]",
                                                          !sess->isServer, false) < 0) {
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
1089
            }
1090
#endif
1091

1092 1093
            if (virNetTLSContextCheckCertKeyUsage(cert, "[session]",
                                                  false) < 0) {
1094 1095 1096 1097
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
            }

1098 1099 1100
            /* !sess->isServer - as above */
            if (virNetTLSContextCheckCertKeyPurpose(cert, "[session]",
                                                    !sess->isServer) < 0) {
1101 1102 1103 1104
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
            }
        }
1105
        gnutls_x509_crt_deinit(cert);
1106 1107
    }

1108 1109
    PROBE(RPC_TLS_CONTEXT_SESSION_ALLOW,
          "ctxt=%p sess=%p dname=%s",
1110
          ctxt, sess, dnameptr);
1111

1112 1113 1114
    return 0;

authdeny:
1115 1116
    PROBE(RPC_TLS_CONTEXT_SESSION_DENY,
          "ctxt=%p sess=%p dname=%s",
1117
          ctxt, sess, dnameptr);
1118

1119 1120 1121
    return -1;

authfail:
1122 1123 1124 1125
    PROBE(RPC_TLS_CONTEXT_SESSION_FAIL,
          "ctxt=%p sess=%p",
          ctxt, sess);

1126 1127 1128 1129 1130 1131
    return -1;
}

int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt,
                                     virNetTLSSessionPtr sess)
{
1132 1133
    int ret = -1;

1134 1135
    virObjectLock(ctxt);
    virObjectLock(sess);
1136
    if (virNetTLSContextValidCertificate(ctxt, sess) < 0) {
1137 1138
        virErrorPtr err = virGetLastError();
        VIR_WARN("Certificate check failed %s", err && err->message ? err->message : "<unknown>");
1139
        if (ctxt->requireValidCert) {
1140 1141
            virReportError(VIR_ERR_AUTH_FAILED, "%s",
                           _("Failed to verify peer's certificate"));
1142
            goto cleanup;
1143
        }
1144
        virResetLastError();
1145 1146
        VIR_INFO("Ignoring bad certificate at user request");
    }
1147 1148 1149 1150

    ret = 0;

cleanup:
1151 1152
    virObjectUnlock(ctxt);
    virObjectUnlock(sess);
1153 1154

    return ret;
1155 1156
}

1157
void virNetTLSContextDispose(void *obj)
1158
{
1159
    virNetTLSContextPtr ctxt = obj;
1160

1161 1162 1163
    PROBE(RPC_TLS_CONTEXT_DISPOSE,
          "ctxt=%p", ctxt);

1164 1165 1166 1167 1168 1169 1170 1171 1172 1173
    gnutls_dh_params_deinit(ctxt->dhParams);
    gnutls_certificate_free_credentials(ctxt->x509cred);
}


static ssize_t
virNetTLSSessionPush(void *opaque, const void *buf, size_t len)
{
    virNetTLSSessionPtr sess = opaque;
    if (!sess->writeFunc) {
1174
        VIR_WARN("TLS session push with missing write function");
1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202
        errno = EIO;
        return -1;
    };

    return sess->writeFunc(buf, len, sess->opaque);
}


static ssize_t
virNetTLSSessionPull(void *opaque, void *buf, size_t len)
{
    virNetTLSSessionPtr sess = opaque;
    if (!sess->readFunc) {
        VIR_WARN("TLS session pull with missing read function");
        errno = EIO;
        return -1;
    };

    return sess->readFunc(buf, len, sess->opaque);
}


virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
                                        const char *hostname)
{
    virNetTLSSessionPtr sess;
    int err;

E
Eric Blake 已提交
1203 1204
    VIR_DEBUG("ctxt=%p hostname=%s isServer=%d",
              ctxt, NULLSTR(hostname), ctxt->isServer);
1205

1206
    if (!(sess = virObjectLockableNew(virNetTLSSessionClass)))
1207 1208
        return NULL;

1209
    if (VIR_STRDUP(sess->hostname, hostname) < 0)
1210 1211 1212 1213
        goto error;

    if ((err = gnutls_init(&sess->session,
                           ctxt->isServer ? GNUTLS_SERVER : GNUTLS_CLIENT)) != 0) {
1214 1215 1216
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed to initialize TLS session: %s"),
                       gnutls_strerror(err));
1217 1218 1219 1220 1221 1222
        goto error;
    }

    /* avoid calling all the priority functions, since the defaults
     * are adequate.
     */
1223
    if ((err = gnutls_set_default_priority(sess->session)) != 0) {
1224 1225 1226
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed to set TLS session priority %s"),
                       gnutls_strerror(err));
1227 1228 1229 1230 1231 1232
        goto error;
    }

    if ((err = gnutls_credentials_set(sess->session,
                                      GNUTLS_CRD_CERTIFICATE,
                                      ctxt->x509cred)) != 0) {
1233 1234 1235
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed set TLS x509 credentials: %s"),
                       gnutls_strerror(err));
1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252
        goto error;
    }

    /* request client certificate if any.
     */
    if (ctxt->isServer) {
        gnutls_certificate_server_set_request(sess->session, GNUTLS_CERT_REQUEST);

        gnutls_dh_set_prime_bits(sess->session, DH_BITS);
    }

    gnutls_transport_set_ptr(sess->session, sess);
    gnutls_transport_set_push_function(sess->session,
                                       virNetTLSSessionPush);
    gnutls_transport_set_pull_function(sess->session,
                                       virNetTLSSessionPull);

1253 1254
    sess->isServer = ctxt->isServer;

1255
    PROBE(RPC_TLS_SESSION_NEW,
1256 1257
          "sess=%p ctxt=%p hostname=%s isServer=%d",
          sess, ctxt, hostname, sess->isServer);
1258

1259 1260 1261
    return sess;

error:
1262
    virObjectUnref(sess);
1263 1264 1265 1266 1267 1268 1269 1270 1271
    return NULL;
}


void virNetTLSSessionSetIOCallbacks(virNetTLSSessionPtr sess,
                                    virNetTLSSessionWriteFunc writeFunc,
                                    virNetTLSSessionReadFunc readFunc,
                                    void *opaque)
{
1272
    virObjectLock(sess);
1273 1274 1275
    sess->writeFunc = writeFunc;
    sess->readFunc = readFunc;
    sess->opaque = opaque;
1276
    virObjectUnlock(sess);
1277 1278 1279 1280 1281 1282 1283
}


ssize_t virNetTLSSessionWrite(virNetTLSSessionPtr sess,
                              const char *buf, size_t len)
{
    ssize_t ret;
1284

1285
    virObjectLock(sess);
1286 1287 1288
    ret = gnutls_record_send(sess->session, buf, len);

    if (ret >= 0)
1289
        goto cleanup;
1290 1291 1292 1293 1294 1295 1296 1297

    switch (ret) {
    case GNUTLS_E_AGAIN:
        errno = EAGAIN;
        break;
    case GNUTLS_E_INTERRUPTED:
        errno = EINTR;
        break;
1298 1299 1300
    case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
        errno = ENOMSG;
        break;
1301 1302 1303 1304 1305
    default:
        errno = EIO;
        break;
    }

1306 1307 1308
    ret = -1;

cleanup:
1309
    virObjectUnlock(sess);
1310
    return ret;
1311 1312 1313 1314 1315 1316 1317
}

ssize_t virNetTLSSessionRead(virNetTLSSessionPtr sess,
                             char *buf, size_t len)
{
    ssize_t ret;

1318
    virObjectLock(sess);
1319 1320 1321
    ret = gnutls_record_recv(sess->session, buf, len);

    if (ret >= 0)
1322
        goto cleanup;
1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335

    switch (ret) {
    case GNUTLS_E_AGAIN:
        errno = EAGAIN;
        break;
    case GNUTLS_E_INTERRUPTED:
        errno = EINTR;
        break;
    default:
        errno = EIO;
        break;
    }

1336 1337 1338
    ret = -1;

cleanup:
1339
    virObjectUnlock(sess);
1340
    return ret;
1341 1342 1343 1344
}

int virNetTLSSessionHandshake(virNetTLSSessionPtr sess)
{
1345
    int ret;
1346
    VIR_DEBUG("sess=%p", sess);
1347
    virObjectLock(sess);
1348
    ret = gnutls_handshake(sess->session);
1349 1350 1351 1352
    VIR_DEBUG("Ret=%d", ret);
    if (ret == 0) {
        sess->handshakeComplete = true;
        VIR_DEBUG("Handshake is complete");
1353 1354 1355 1356 1357
        goto cleanup;
    }
    if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
        ret = 1;
        goto cleanup;
1358 1359 1360 1361 1362 1363 1364
    }

#if 0
    PROBE(CLIENT_TLS_FAIL, "fd=%d",
          virNetServerClientGetFD(client));
#endif

1365 1366 1367
    virReportError(VIR_ERR_AUTH_FAILED,
                   _("TLS handshake failed %s"),
                   gnutls_strerror(ret));
1368 1369 1370
    ret = -1;

cleanup:
1371
    virObjectUnlock(sess);
1372
    return ret;
1373 1374 1375 1376 1377
}

virNetTLSSessionHandshakeStatus
virNetTLSSessionGetHandshakeStatus(virNetTLSSessionPtr sess)
{
1378
    virNetTLSSessionHandshakeStatus ret;
1379
    virObjectLock(sess);
1380
    if (sess->handshakeComplete)
1381
        ret = VIR_NET_TLS_HANDSHAKE_COMPLETE;
1382
    else if (gnutls_record_get_direction(sess->session) == 0)
1383
        ret = VIR_NET_TLS_HANDSHAKE_RECVING;
1384
    else
1385
        ret = VIR_NET_TLS_HANDSHAKE_SENDING;
1386
    virObjectUnlock(sess);
1387
    return ret;
1388 1389 1390 1391 1392 1393
}

int virNetTLSSessionGetKeySize(virNetTLSSessionPtr sess)
{
    gnutls_cipher_algorithm_t cipher;
    int ssf;
1394
    virObjectLock(sess);
1395 1396
    cipher = gnutls_cipher_get(sess->session);
    if (!(ssf = gnutls_cipher_get_key_size(cipher))) {
1397 1398
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("invalid cipher size for TLS session"));
1399 1400
        ssf = -1;
        goto cleanup;
1401 1402
    }

1403
cleanup:
1404
    virObjectUnlock(sess);
1405 1406 1407
    return ssf;
}

1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419
const char *virNetTLSSessionGetX509DName(virNetTLSSessionPtr sess)
{
    const char *ret = NULL;

    virObjectLock(sess);

    ret = sess->x509dname;

    virObjectUnlock(sess);

    return ret;
}
1420

1421
void virNetTLSSessionDispose(void *obj)
1422
{
1423
    virNetTLSSessionPtr sess = obj;
1424

1425 1426 1427
    PROBE(RPC_TLS_SESSION_DISPOSE,
          "sess=%p", sess);

1428
    VIR_FREE(sess->x509dname);
1429 1430 1431
    VIR_FREE(sess->hostname);
    gnutls_deinit(sess->session);
}
M
Michal Privoznik 已提交
1432 1433 1434 1435 1436 1437

/*
 * This function MUST be called before any
 * virNetTLS* because it initializes
 * underlying GnuTLS library. According to
 * it's documentation, it's safe to be called
1438 1439 1440 1441 1442 1443 1444
 * many times, but is not thread safe.
 *
 * There is no corresponding "Deinit" / "Cleanup"
 * function because there is no safe way to call
 * 'gnutls_global_deinit' from a multi-threaded
 * library, where other libraries linked into the
 * application may also be using gnutls.
M
Michal Privoznik 已提交
1445 1446 1447 1448 1449
 */
void virNetTLSInit(void)
{
    gnutls_global_init();
}