virnettlscontext.c 45.1 KB
Newer Older
1 2 3
/*
 * virnettlscontext.c: TLS encryption/x509 handling
 *
4
 * Copyright (C) 2010-2014 Red Hat, Inc.
5 6 7 8 9 10 11 12 13 14 15 16
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
17
 * License along with this library.  If not, see
18
 * <http://www.gnu.org/licenses/>.
19 20 21 22 23 24 25
 */

#include <config.h>

#include <unistd.h>

#include <gnutls/gnutls.h>
26
#include <gnutls/crypto.h>
27 28 29
#include <gnutls/x509.h>

#include "virnettlscontext.h"
30
#include "virstring.h"
31

32
#include "viralloc.h"
33
#include "virerror.h"
34
#include "virfile.h"
35
#include "virutil.h"
36
#include "virlog.h"
37
#include "virprobe.h"
38
#include "virthread.h"
39 40
#include "configmake.h"

41
#define DH_BITS 2048
42 43 44 45 46 47 48 49 50 51 52

#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"

#define VIR_FROM_THIS VIR_FROM_RPC

53 54
VIR_LOG_INIT("rpc.nettlscontext");

55
struct _virNetTLSContext {
56
    virObjectLockable parent;
57 58 59 60 61 62

    gnutls_certificate_credentials_t x509cred;
    gnutls_dh_params_t dhParams;

    bool isServer;
    bool requireValidCert;
63
    const char *const *x509dnACL;
64
    char *priority;
65 66 67
};

struct _virNetTLSSession {
68
    virObjectLockable parent;
69 70 71

    bool handshakeComplete;

72
    bool isServer;
73 74 75 76 77
    char *hostname;
    gnutls_session_t session;
    virNetTLSSessionWriteFunc writeFunc;
    virNetTLSSessionReadFunc readFunc;
    void *opaque;
78
    char *x509dname;
79 80
};

81 82 83 84 85 86 87 88
static virClassPtr virNetTLSContextClass;
static virClassPtr virNetTLSSessionClass;
static void virNetTLSContextDispose(void *obj);
static void virNetTLSSessionDispose(void *obj);


static int virNetTLSContextOnceInit(void)
{
89
    if (!VIR_CLASS_NEW(virNetTLSContext, virClassForObjectLockable()))
90 91
        return -1;

92
    if (!VIR_CLASS_NEW(virNetTLSSession, virClassForObjectLockable()))
93 94 95 96 97
        return -1;

    return 0;
}

98
VIR_ONCE_GLOBAL_INIT(virNetTLSContext);
99

100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116

static int
virNetTLSContextCheckCertFile(const char *type, const char *file, bool allowMissing)
{
    if (!virFileExists(file)) {
        if (allowMissing)
            return 1;

        virReportSystemError(errno,
                             _("Cannot read %s '%s'"),
                             type, file);
        return -1;
    }
    return 0;
}


J
Ján Tomko 已提交
117 118
static void virNetTLSLog(int level G_GNUC_UNUSED,
                         const char *str G_GNUC_UNUSED)
119
{
120 121 122
    VIR_DEBUG("%d %s", level, str);
}

123

124 125 126 127
static int virNetTLSContextCheckCertTimes(gnutls_x509_crt_t cert,
                                          const char *certFile,
                                          bool isServer,
                                          bool isCA)
128 129 130 131 132 133
{
    time_t now;

    if ((now = time(NULL)) == ((time_t)-1)) {
        virReportSystemError(errno, "%s",
                             _("cannot get current time"));
134
        return -1;
135 136 137
    }

    if (gnutls_x509_crt_get_expiration_time(cert) < now) {
138 139 140 141 142 143 144
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       (isCA ?
                        _("The CA certificate %s has expired") :
                        (isServer ?
                         _("The server certificate %s has expired") :
                         _("The client certificate %s has expired"))),
                       certFile);
145
        return -1;
146 147 148
    }

    if (gnutls_x509_crt_get_activation_time(cert) > now) {
149 150 151 152 153 154 155
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       (isCA ?
                        _("The CA certificate %s is not yet active") :
                        (isServer ?
                         _("The server certificate %s is not yet active") :
                         _("The client certificate %s is not yet active"))),
                       certFile);
156
        return -1;
157 158
    }

159 160 161
    return 0;
}

162

163 164 165 166 167 168 169
static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert,
                                                     const char *certFile,
                                                     bool isServer,
                                                     bool isCA)
{
    int status;

170 171 172 173 174
    status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
    VIR_DEBUG("Cert %s basic constraints %d", certFile, status);

    if (status > 0) { /* It is a CA cert */
        if (!isCA) {
175 176 177 178
            virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                           _("The certificate %s basic constraints show a CA, but we need one for a server") :
                           _("The certificate %s basic constraints show a CA, but we need one for a client"),
                           certFile);
179
            return -1;
180 181 182
        }
    } else if (status == 0) { /* It is not a CA cert */
        if (isCA) {
183 184 185
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("The certificate %s basic constraints do not show a CA"),
                           certFile);
186
            return -1;
187 188 189
        }
    } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */
        if (isCA) {
190 191 192
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("The certificate %s is missing basic constraints for a CA"),
                           certFile);
193
            return -1;
194 195
        }
    } else { /* General error */
196 197 198
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to query certificate %s basic constraints %s"),
                       certFile, gnutls_strerror(status));
199
        return -1;
200 201
    }

202 203
    return 0;
}
204

205 206 207 208 209 210

static int virNetTLSContextCheckCertKeyUsage(gnutls_x509_crt_t cert,
                                             const char *certFile,
                                             bool isCA)
{
    int status;
211 212
    unsigned int usage = 0;
    unsigned int critical = 0;
213

214
    status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
215

216
    VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
217
    if (status < 0) {
218 219 220 221
        if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
            usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
                GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
        } else {
222 223 224
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key usage %s"),
                           certFile, gnutls_strerror(status));
225
            return -1;
226
        }
227 228
    }

229 230
    if (isCA) {
        if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
231
            if (critical) {
232 233 234
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit certificate signing"),
                               certFile);
235
                return -1;
236 237 238 239
            } else {
                VIR_WARN("Certificate %s usage does not permit certificate signing",
                         certFile);
            }
240 241
        }
    } else {
242
        if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
243
            if (critical) {
244 245 246
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit digital signature"),
                               certFile);
247
                return -1;
248 249 250 251
            } else {
                VIR_WARN("Certificate %s usage does not permit digital signature",
                         certFile);
            }
252 253
        }
        if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
254
            if (critical) {
255 256 257
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit key encipherment"),
                               certFile);
258
                return -1;
259 260 261 262
            } else {
                VIR_WARN("Certificate %s usage does not permit key encipherment",
                         certFile);
            }
263 264 265
        }
    }

266 267 268 269 270 271 272 273 274
    return 0;
}


static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert,
                                               const char *certFile,
                                               bool isServer)
{
    int status;
275
    size_t i;
276 277
    unsigned int purposeCritical;
    unsigned int critical;
278
    char *buffer = NULL;
279 280 281
    size_t size;
    bool allowClient = false, allowServer = false;

282
    critical = 0;
283
    for (i = 0; ; i++) {
284 285 286 287
        size = 0;
        status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL);

        if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
288
            VIR_DEBUG("No key purpose data available at slot %zu", i);
289 290 291 292

            /* If there is no data at all, then we must allow client/server to pass */
            if (i == 0)
                allowServer = allowClient = true;
293 294 295
            break;
        }
        if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
296 297 298
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key purpose %s"),
                           certFile, gnutls_strerror(status));
299
            return -1;
300 301
        }

302
        if (VIR_ALLOC_N(buffer, size) < 0)
303
            return -1;
304

305
        status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical);
306
        if (status < 0) {
307
            VIR_FREE(buffer);
308 309 310
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key purpose %s"),
                           certFile, gnutls_strerror(status));
311
            return -1;
312
        }
313 314
        if (purposeCritical)
            critical = true;
315

316
        VIR_DEBUG("Key purpose %d %s critical %u", status, buffer, purposeCritical);
317
        if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
318
            allowServer = true;
319
        } else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
320
            allowClient = true;
321
        } else if (STRNEQ(buffer, GNUTLS_KP_ANY)) {
322
            allowServer = allowClient = true;
323 324 325 326 327
        }

        VIR_FREE(buffer);
    }

328 329
    if (isServer) {
        if (!allowServer) {
330
            if (critical) {
331 332 333
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s purpose does not allow use for with a TLS server"),
                               certFile);
334
                return -1;
335 336 337 338
            } else {
                VIR_WARN("Certificate %s purpose does not allow use for with a TLS server",
                         certFile);
            }
339
        }
340 341
    } else {
        if (!allowClient) {
342
            if (critical) {
343 344 345
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s purpose does not allow use for with a TLS client"),
                               certFile);
346
                return -1;
347 348 349 350
            } else {
                VIR_WARN("Certificate %s purpose does not allow use for with a TLS client",
                         certFile);
            }
351 352 353
        }
    }

354 355 356 357 358
    return 0;
}

/* Check DN is on tls_allowed_dn_list. */
static int
359 360
virNetTLSContextCheckCertDNACL(const char *dname,
                               const char *const *wildcards)
361 362
{
    while (*wildcards) {
363
        if (g_pattern_match_simple(*wildcards, dname))
364 365 366 367 368 369
            return 1;

        wildcards++;
    }

    /* Log the client's DN for debugging */
370
    VIR_DEBUG("Failed ACL check for client DN '%s'", dname);
371 372

    /* This is the most common error: make it informative. */
373 374 375
    virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                   _("Client's Distinguished Name is not on the list "
                     "of allowed clients (tls_allowed_dn_list).  Use "
376 377
                     "'certtool -i --infile clientcert.pem' to view the "
                     "Distinguished Name field in the client certificate, "
378
                     "or run this daemon with --verbose option."));
379 380 381 382 383 384 385 386
    return 0;
}


static int
virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert,
                            const char *certFile,
                            const char *hostname,
387
                            const char *dname,
388
                            const char *const *acl)
389
{
390 391
    if (acl && dname &&
        virNetTLSContextCheckCertDNACL(dname, acl) <= 0)
392 393 394 395
        return -1;

    if (hostname &&
        !gnutls_x509_crt_check_hostname(cert, hostname)) {
396 397 398
        virReportError(VIR_ERR_RPC,
                       _("Certificate %s owner does not match the hostname %s"),
                       certFile, hostname);
399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433
        return -1;
    }

    return 0;
}


static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert,
                                     const char *certFile,
                                     bool isServer,
                                     bool isCA)
{
    if (virNetTLSContextCheckCertTimes(cert, certFile,
                                       isServer, isCA) < 0)
        return -1;

    if (virNetTLSContextCheckCertBasicConstraints(cert, certFile,
                                                  isServer, isCA) < 0)
        return -1;

    if (virNetTLSContextCheckCertKeyUsage(cert, certFile,
                                          isCA) < 0)
        return -1;

    if (!isCA &&
        virNetTLSContextCheckCertKeyPurpose(cert, certFile,
                                            isServer) < 0)
        return -1;

    return 0;
}


static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
                                         const char *certFile,
434 435
                                         gnutls_x509_crt_t *cacerts,
                                         size_t ncacerts,
436 437 438 439 440 441
                                         const char *cacertFile,
                                         bool isServer)
{
    unsigned int status;

    if (gnutls_x509_crt_list_verify(&cert, 1,
442
                                    cacerts, ncacerts,
443 444
                                    NULL, 0,
                                    0, &status) < 0) {
445 446 447 448
        virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                       _("Unable to verify server certificate %s against CA certificate %s") :
                       _("Unable to verify client certificate %s against CA certificate %s"),
                       certFile, cacertFile);
449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466
        return -1;
    }

    if (status != 0) {
        const char *reason = _("Invalid certificate");

        if (status & GNUTLS_CERT_INVALID)
            reason = _("The certificate is not trusted.");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
            reason = _("The certificate hasn't got a known issuer.");

        if (status & GNUTLS_CERT_REVOKED)
            reason = _("The certificate has been revoked.");

        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
            reason = _("The certificate uses an insecure algorithm");

467 468 469
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Our own certificate %s failed validation against %s: %s"),
                       certFile, cacertFile, reason);
470 471 472 473 474 475 476 477
        return -1;
    }

    return 0;
}


static gnutls_x509_crt_t virNetTLSContextLoadCertFromFile(const char *certFile,
478
                                                          bool isServer)
479 480 481 482 483 484
{
    gnutls_datum_t data;
    gnutls_x509_crt_t cert = NULL;
    char *buf = NULL;
    int ret = -1;

485 486
    VIR_DEBUG("isServer %d certFile %s",
              isServer, certFile);
487 488

    if (gnutls_x509_crt_init(&cert) < 0) {
489 490
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("Unable to initialize certificate"));
491 492 493 494 495 496 497 498 499 500
        goto cleanup;
    }

    if (virFileReadAll(certFile, (1<<16), &buf) < 0)
        goto cleanup;

    data.data = (unsigned char *)buf;
    data.size = strlen(buf);

    if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
501 502 503 504
        virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                       _("Unable to import server certificate %s") :
                       _("Unable to import client certificate %s"),
                       certFile);
505 506
        goto cleanup;
    }
507

508 509
    ret = 0;

510
 cleanup:
511 512 513 514 515 516 517 518 519
    if (ret != 0) {
        gnutls_x509_crt_deinit(cert);
        cert = NULL;
    }
    VIR_FREE(buf);
    return cert;
}


520 521
static int virNetTLSContextLoadCACertListFromFile(const char *certFile,
                                                  gnutls_x509_crt_t *certs,
522
                                                  unsigned int certMax,
523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547
                                                  size_t *ncerts)
{
    gnutls_datum_t data;
    char *buf = NULL;
    int ret = -1;

    *ncerts = 0;
    VIR_DEBUG("certFile %s", certFile);

    if (virFileReadAll(certFile, (1<<16), &buf) < 0)
        goto cleanup;

    data.data = (unsigned char *)buf;
    data.size = strlen(buf);

    if (gnutls_x509_crt_list_import(certs, &certMax, &data, GNUTLS_X509_FMT_PEM, 0) < 0) {
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to import CA certificate list %s"),
                       certFile);
        goto cleanup;
    }
    *ncerts = certMax;

    ret = 0;

548
 cleanup:
549 550 551 552 553 554
    VIR_FREE(buf);
    return ret;
}


#define MAX_CERTS 16
555 556 557 558 559
static int virNetTLSContextSanityCheckCredentials(bool isServer,
                                                  const char *cacertFile,
                                                  const char *certFile)
{
    gnutls_x509_crt_t cert = NULL;
560
    gnutls_x509_crt_t cacerts[MAX_CERTS];
561
    size_t ncacerts = 0;
562
    size_t i;
563 564
    int ret = -1;

565
    memset(cacerts, 0, sizeof(cacerts));
566
    if ((access(certFile, R_OK) == 0) &&
567
        !(cert = virNetTLSContextLoadCertFromFile(certFile, isServer)))
568 569
        goto cleanup;
    if ((access(cacertFile, R_OK) == 0) &&
570 571
        virNetTLSContextLoadCACertListFromFile(cacertFile, cacerts,
                                               MAX_CERTS, &ncacerts) < 0)
572
        goto cleanup;
573

574 575 576
    if (cert &&
        virNetTLSContextCheckCert(cert, certFile, isServer, false) < 0)
        goto cleanup;
577

578 579 580 581
    for (i = 0; i < ncacerts; i++) {
        if (virNetTLSContextCheckCert(cacerts[i], cacertFile, isServer, true) < 0)
            goto cleanup;
    }
582

583 584
    if (cert && ncacerts &&
        virNetTLSContextCheckCertPair(cert, certFile, cacerts, ncacerts, cacertFile, isServer) < 0)
585
        goto cleanup;
586 587 588

    ret = 0;

589
 cleanup:
590 591
    if (cert)
        gnutls_x509_crt_deinit(cert);
592 593
    for (i = 0; i < ncacerts; i++)
        gnutls_x509_crt_deinit(cacerts[i]);
594 595 596 597
    return ret;
}


598 599 600 601 602 603 604 605 606 607 608
static int virNetTLSContextLoadCredentials(virNetTLSContextPtr ctxt,
                                           bool isServer,
                                           const char *cacert,
                                           const char *cacrl,
                                           const char *cert,
                                           const char *key)
{
    int err;

    if (cacert && cacert[0] != '\0') {
        if (virNetTLSContextCheckCertFile("CA certificate", cacert, false) < 0)
609
            return -1;
610 611 612 613 614 615

        VIR_DEBUG("loading CA cert from %s", cacert);
        err = gnutls_certificate_set_x509_trust_file(ctxt->x509cred,
                                                     cacert,
                                                     GNUTLS_X509_FMT_PEM);
        if (err < 0) {
616 617
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to set x509 CA certificate: %s: %s"),
618
                           cacert, gnutls_strerror(err));
619
            return -1;
620 621 622 623 624 625
        }
    }

    if (cacrl && cacrl[0] != '\0') {
        int rv;
        if ((rv = virNetTLSContextCheckCertFile("CA revocation list", cacrl, true)) < 0)
626
            return -1;
627 628 629 630 631 632 633

        if (rv == 0) {
            VIR_DEBUG("loading CRL from %s", cacrl);
            err = gnutls_certificate_set_x509_crl_file(ctxt->x509cred,
                                                       cacrl,
                                                       GNUTLS_X509_FMT_PEM);
            if (err < 0) {
634 635 636
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Unable to set x509 certificate revocation list: %s: %s"),
                               cacrl, gnutls_strerror(err));
637
                return -1;
638 639 640 641 642 643 644 645 646
            }
        } else {
            VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl);
        }
    }

    if (cert && cert[0] != '\0' && key && key[0] != '\0') {
        int rv;
        if ((rv = virNetTLSContextCheckCertFile("certificate", cert, !isServer)) < 0)
647
            return -1;
648 649
        if (rv == 0 &&
            (rv = virNetTLSContextCheckCertFile("private key", key, !isServer)) < 0)
650
            return -1;
651 652 653 654 655 656 657 658

        if (rv == 0) {
            VIR_DEBUG("loading cert and key from %s and %s", cert, key);
            err =
                gnutls_certificate_set_x509_key_file(ctxt->x509cred,
                                                     cert, key,
                                                     GNUTLS_X509_FMT_PEM);
            if (err < 0) {
659 660 661
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Unable to set x509 key and certificate: %s, %s: %s"),
                               key, cert, gnutls_strerror(err));
662
                return -1;
663 664
            }
        } else {
N
Nehal J Wani 已提交
665 666
            VIR_DEBUG("Skipping non-existent cert %s key %s on client",
                      cert, key);
667 668 669
        }
    }

670
    return 0;
671 672 673 674 675 676 677
}


static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
                                               const char *cacrl,
                                               const char *cert,
                                               const char *key,
678
                                               const char *const *x509dnACL,
679
                                               const char *priority,
680
                                               bool sanityCheckCert,
681 682 683 684 685 686
                                               bool requireValidCert,
                                               bool isServer)
{
    virNetTLSContextPtr ctxt;
    int err;

687 688 689
    if (virNetTLSContextInitialize() < 0)
        return NULL;

690
    if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
691 692
        return NULL;

693
    ctxt->priority = g_strdup(priority);
694

695 696
    err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
    if (err) {
697 698 699 700 701 702 703
        /* While gnutls_certificate_credentials_t will free any
         * partially allocated credentials struct, it does not
         * set the returned pointer back to NULL after it is
         * freed in an error path.
         */
        ctxt->x509cred = NULL;

704 705 706
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to allocate x509 credentials: %s"),
                       gnutls_strerror(err));
707 708 709
        goto error;
    }

710
    if (sanityCheckCert &&
711 712 713
        virNetTLSContextSanityCheckCredentials(isServer, cacert, cert) < 0)
        goto error;

714 715 716 717 718 719 720 721 722 723 724
    if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
        goto error;

    /* Generate Diffie Hellman parameters - for use with DHE
     * kx algorithms. These should be discarded and regenerated
     * once a day, once a week or once a month. Depending on the
     * security requirements.
     */
    if (isServer) {
        err = gnutls_dh_params_init(&ctxt->dhParams);
        if (err < 0) {
725 726 727
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to initialize diffie-hellman parameters: %s"),
                           gnutls_strerror(err));
728 729 730 731
            goto error;
        }
        err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
        if (err < 0) {
732 733 734
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to generate diffie-hellman parameters: %s"),
                           gnutls_strerror(err));
735 736 737 738 739 740 741 742
            goto error;
        }

        gnutls_certificate_set_dh_params(ctxt->x509cred,
                                         ctxt->dhParams);
    }

    ctxt->requireValidCert = requireValidCert;
743
    ctxt->x509dnACL = x509dnACL;
744 745
    ctxt->isServer = isServer;

746
    PROBE(RPC_TLS_CONTEXT_NEW,
747 748
          "ctxt=%p cacert=%s cacrl=%s cert=%s key=%s sanityCheckCert=%d requireValidCert=%d isServer=%d",
          ctxt, cacert, NULLSTR(cacrl), cert, key, sanityCheckCert, requireValidCert, isServer);
749

750 751
    return ctxt;

752
 error:
753 754
    if (isServer)
        gnutls_dh_params_deinit(ctxt->dhParams);
755
    virObjectUnref(ctxt);
756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783
    return NULL;
}


static int virNetTLSContextLocateCredentials(const char *pkipath,
                                             bool tryUserPkiPath,
                                             bool isServer,
                                             char **cacert,
                                             char **cacrl,
                                             char **cert,
                                             char **key)
{
    char *userdir = NULL;
    char *user_pki_path = NULL;

    *cacert = NULL;
    *cacrl = NULL;
    *key = NULL;
    *cert = NULL;

    VIR_DEBUG("pkipath=%s isServer=%d tryUserPkiPath=%d",
              pkipath, isServer, tryUserPkiPath);

    /* Explicit path, then use that no matter whether the
     * files actually exist there
     */
    if (pkipath) {
        VIR_DEBUG("Told to use TLS credentials in %s", pkipath);
784 785 786 787
        *cacert = g_strdup_printf("%s/%s", pkipath, "cacert.pem");
        *cacrl = g_strdup_printf("%s/%s", pkipath, "cacrl.pem");
        *key = g_strdup_printf("%s/%s", pkipath,
                               isServer ? "serverkey.pem" : "clientkey.pem");
788

789 790
        *cert = g_strdup_printf("%s/%s", pkipath,
                                isServer ? "servercert.pem" : "clientcert.pem");
791 792 793 794
    } else if (tryUserPkiPath) {
        /* Check to see if $HOME/.pki contains at least one of the
         * files and if so, use that
         */
795
        userdir = virGetUserDirectory();
796

797
        user_pki_path = g_strdup_printf("%s/.pki/libvirt", userdir);
798 799 800

        VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path);

801
        *cacert = g_strdup_printf("%s/%s", user_pki_path, "cacert.pem");
802

803
        *cacrl = g_strdup_printf("%s/%s", user_pki_path, "cacrl.pem");
804

805 806
        *key = g_strdup_printf("%s/%s", user_pki_path,
                               isServer ? "serverkey.pem" : "clientkey.pem");
807

808 809
        *cert = g_strdup_printf("%s/%s", user_pki_path,
                                isServer ? "servercert.pem" : "clientcert.pem");
810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833

        /*
         * If some of the files can't be found, fallback
         * to the global location for them
         */
        if (!virFileExists(*cacert))
            VIR_FREE(*cacert);
        if (!virFileExists(*cacrl))
            VIR_FREE(*cacrl);

        /* Check these as a pair, since it they are
         * mutually dependent
         */
        if (!virFileExists(*key) || !virFileExists(*cert)) {
            VIR_FREE(*key);
            VIR_FREE(*cert);
        }
    }

    /* No explicit path, or user path didn't exist, so
     * fallback to global defaults
     */
    if (!*cacert) {
        VIR_DEBUG("Using default TLS CA certificate path");
834
        *cacert = g_strdup(LIBVIRT_CACERT);
835 836 837 838
    }

    if (!*cacrl) {
        VIR_DEBUG("Using default TLS CA revocation list path");
839
        *cacrl = g_strdup(LIBVIRT_CACRL);
840 841 842 843
    }

    if (!*key && !*cert) {
        VIR_DEBUG("Using default TLS key/certificate path");
844
        *key = g_strdup(isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY);
845

846
        *cert = g_strdup(isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT);
847 848 849 850 851 852 853 854 855 856 857
    }

    VIR_FREE(user_pki_path);
    VIR_FREE(userdir);

    return 0;
}


static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
                                                   bool tryUserPkiPath,
858
                                                   const char *const *x509dnACL,
859
                                                   const char *priority,
860
                                                   bool sanityCheckCert,
861 862 863 864 865 866 867
                                                   bool requireValidCert,
                                                   bool isServer)
{
    char *cacert = NULL, *cacrl = NULL, *key = NULL, *cert = NULL;
    virNetTLSContextPtr ctxt = NULL;

    if (virNetTLSContextLocateCredentials(pkipath, tryUserPkiPath, isServer,
868
                                          &cacert, &cacrl, &cert, &key) < 0)
869 870
        return NULL;

871
    ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
872
                               x509dnACL, priority, sanityCheckCert,
873
                               requireValidCert, isServer);
874 875 876 877 878 879 880 881 882 883 884

    VIR_FREE(cacert);
    VIR_FREE(cacrl);
    VIR_FREE(key);
    VIR_FREE(cert);

    return ctxt;
}

virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
                                                  bool tryUserPkiPath,
885
                                                  const char *const *x509dnACL,
886
                                                  const char *priority,
887
                                                  bool sanityCheckCert,
888 889
                                                  bool requireValidCert)
{
890
    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnACL, priority,
891
                                   sanityCheckCert, requireValidCert, true);
892 893 894 895
}

virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
                                                  bool tryUserPkiPath,
896
                                                  const char *priority,
897
                                                  bool sanityCheckCert,
898 899
                                                  bool requireValidCert)
{
900
    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL, priority,
901
                                   sanityCheckCert, requireValidCert, false);
902 903 904 905 906 907 908
}


virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
                                              const char *cacrl,
                                              const char *cert,
                                              const char *key,
909
                                              const char *const *x509dnACL,
910
                                              const char *priority,
911
                                              bool sanityCheckCert,
912 913
                                              bool requireValidCert)
{
914
    return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnACL, priority,
915
                               sanityCheckCert, requireValidCert, true);
916 917 918
}


919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964
int virNetTLSContextReloadForServer(virNetTLSContextPtr ctxt,
                                    bool tryUserPkiPath)
{
    gnutls_certificate_credentials_t x509credBak;
    int err;
    char *cacert = NULL;
    char *cacrl = NULL;
    char *cert = NULL;
    char *key = NULL;

    x509credBak = ctxt->x509cred;
    ctxt->x509cred = NULL;

    if (virNetTLSContextLocateCredentials(NULL, tryUserPkiPath, true,
                                          &cacert, &cacrl, &cert, &key))
        goto error;

    err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
    if (err) {
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to allocate x509 credentials: %s"),
                       gnutls_strerror(err));
        goto error;
    }

    if (virNetTLSContextSanityCheckCredentials(true, cacert, cert))
        goto error;

    if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, key))
        goto error;

    gnutls_certificate_set_dh_params(ctxt->x509cred,
                                     ctxt->dhParams);

    gnutls_certificate_free_credentials(x509credBak);

    return 0;

 error:
    if (ctxt->x509cred)
        gnutls_certificate_free_credentials(ctxt->x509cred);
    ctxt->x509cred = x509credBak;
    return -1;
}


965 966 967 968
virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
                                              const char *cacrl,
                                              const char *cert,
                                              const char *key,
969
                                              const char *priority,
970
                                              bool sanityCheckCert,
971 972
                                              bool requireValidCert)
{
973
    return virNetTLSContextNew(cacert, cacrl, cert, key, NULL, priority,
974
                               sanityCheckCert, requireValidCert, false);
975 976 977 978 979 980 981 982 983
}


static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
                                            virNetTLSSessionPtr sess)
{
    int ret;
    unsigned int status;
    const gnutls_datum_t *certs;
984 985
    unsigned int nCerts;
    size_t i;
986
    char dname[256];
987
    char *dnameptr = dname;
988 989 990
    size_t dnamesize = sizeof(dname);

    memset(dname, 0, dnamesize);
991

992
    if ((ret = gnutls_certificate_verify_peers2(sess->session, &status)) < 0) {
993 994 995
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to verify TLS peer: %s"),
                       gnutls_strerror(ret));
996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013
        goto authdeny;
    }

    if (status != 0) {
        const char *reason = _("Invalid certificate");

        if (status & GNUTLS_CERT_INVALID)
            reason = _("The certificate is not trusted.");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
            reason = _("The certificate hasn't got a known issuer.");

        if (status & GNUTLS_CERT_REVOKED)
            reason = _("The certificate has been revoked.");

        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
            reason = _("The certificate uses an insecure algorithm");

1014 1015 1016
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Certificate failed validation: %s"),
                       reason);
1017 1018 1019 1020
        goto authdeny;
    }

    if (gnutls_certificate_type_get(sess->session) != GNUTLS_CRT_X509) {
1021 1022
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("Only x509 certificates are supported"));
1023 1024 1025 1026
        goto authdeny;
    }

    if (!(certs = gnutls_certificate_get_peers(sess->session, &nCerts))) {
1027 1028
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("The certificate has no peers"));
1029 1030 1031 1032 1033 1034 1035
        goto authdeny;
    }

    for (i = 0; i < nCerts; i++) {
        gnutls_x509_crt_t cert;

        if (gnutls_x509_crt_init(&cert) < 0) {
1036 1037
            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                           _("Unable to initialize certificate"));
1038 1039 1040 1041
            goto authfail;
        }

        if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {
1042 1043
            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                           _("Unable to load certificate"));
1044 1045 1046 1047
            gnutls_x509_crt_deinit(cert);
            goto authfail;
        }

1048 1049
        if (virNetTLSContextCheckCertTimes(cert, "[session]",
                                           sess->isServer, i > 0) < 0) {
1050 1051 1052 1053 1054
            gnutls_x509_crt_deinit(cert);
            goto authdeny;
        }

        if (i == 0) {
1055 1056
            ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize);
            if (ret != 0) {
1057 1058 1059
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Failed to get certificate %s distinguished name: %s"),
                               "[session]", gnutls_strerror(ret));
1060 1061
                goto authfail;
            }
1062
            sess->x509dname = g_strdup(dname);
1063 1064 1065
            VIR_DEBUG("Peer DN is %s", dname);

            if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
1066
                                            ctxt->x509dnACL) < 0) {
1067
                gnutls_x509_crt_deinit(cert);
1068 1069 1070 1071 1072 1073 1074 1075 1076 1077
                goto authdeny;
            }

            /* !sess->isServer, since on the client, we're validating the
             * server's cert, and on the server, the client's cert
             */
            if (virNetTLSContextCheckCertBasicConstraints(cert, "[session]",
                                                          !sess->isServer, false) < 0) {
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
1078 1079
            }

1080 1081
            if (virNetTLSContextCheckCertKeyUsage(cert, "[session]",
                                                  false) < 0) {
1082 1083 1084 1085
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
            }

1086 1087 1088
            /* !sess->isServer - as above */
            if (virNetTLSContextCheckCertKeyPurpose(cert, "[session]",
                                                    !sess->isServer) < 0) {
1089 1090 1091 1092
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
            }
        }
1093
        gnutls_x509_crt_deinit(cert);
1094 1095
    }

1096 1097
    PROBE(RPC_TLS_CONTEXT_SESSION_ALLOW,
          "ctxt=%p sess=%p dname=%s",
1098
          ctxt, sess, dnameptr);
1099

1100 1101
    return 0;

1102
 authdeny:
1103 1104
    PROBE(RPC_TLS_CONTEXT_SESSION_DENY,
          "ctxt=%p sess=%p dname=%s",
1105
          ctxt, sess, dnameptr);
1106

1107 1108
    return -1;

1109
 authfail:
1110 1111 1112 1113
    PROBE(RPC_TLS_CONTEXT_SESSION_FAIL,
          "ctxt=%p sess=%p",
          ctxt, sess);

1114 1115 1116 1117 1118 1119
    return -1;
}

int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt,
                                     virNetTLSSessionPtr sess)
{
1120 1121
    int ret = -1;

1122 1123
    virObjectLock(ctxt);
    virObjectLock(sess);
1124
    if (virNetTLSContextValidCertificate(ctxt, sess) < 0) {
1125
        VIR_WARN("Certificate check failed %s", virGetLastErrorMessage());
1126
        if (ctxt->requireValidCert) {
1127 1128
            virReportError(VIR_ERR_AUTH_FAILED, "%s",
                           _("Failed to verify peer's certificate"));
1129
            goto cleanup;
1130
        }
1131
        virResetLastError();
1132 1133
        VIR_INFO("Ignoring bad certificate at user request");
    }
1134 1135 1136

    ret = 0;

1137
 cleanup:
1138 1139
    virObjectUnlock(ctxt);
    virObjectUnlock(sess);
1140 1141

    return ret;
1142 1143
}

1144
void virNetTLSContextDispose(void *obj)
1145
{
1146
    virNetTLSContextPtr ctxt = obj;
1147

1148 1149 1150
    PROBE(RPC_TLS_CONTEXT_DISPOSE,
          "ctxt=%p", ctxt);

1151
    VIR_FREE(ctxt->priority);
1152 1153 1154 1155 1156 1157 1158 1159 1160 1161
    gnutls_dh_params_deinit(ctxt->dhParams);
    gnutls_certificate_free_credentials(ctxt->x509cred);
}


static ssize_t
virNetTLSSessionPush(void *opaque, const void *buf, size_t len)
{
    virNetTLSSessionPtr sess = opaque;
    if (!sess->writeFunc) {
1162
        VIR_WARN("TLS session push with missing write function");
1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189
        errno = EIO;
        return -1;
    };

    return sess->writeFunc(buf, len, sess->opaque);
}


static ssize_t
virNetTLSSessionPull(void *opaque, void *buf, size_t len)
{
    virNetTLSSessionPtr sess = opaque;
    if (!sess->readFunc) {
        VIR_WARN("TLS session pull with missing read function");
        errno = EIO;
        return -1;
    };

    return sess->readFunc(buf, len, sess->opaque);
}


virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
                                        const char *hostname)
{
    virNetTLSSessionPtr sess;
    int err;
1190
    const char *priority;
1191

E
Eric Blake 已提交
1192 1193
    VIR_DEBUG("ctxt=%p hostname=%s isServer=%d",
              ctxt, NULLSTR(hostname), ctxt->isServer);
1194

1195
    if (!(sess = virObjectLockableNew(virNetTLSSessionClass)))
1196 1197
        return NULL;

1198
    sess->hostname = g_strdup(hostname);
1199 1200 1201

    if ((err = gnutls_init(&sess->session,
                           ctxt->isServer ? GNUTLS_SERVER : GNUTLS_CLIENT)) != 0) {
1202 1203 1204
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed to initialize TLS session: %s"),
                       gnutls_strerror(err));
1205 1206 1207 1208 1209 1210
        goto error;
    }

    /* avoid calling all the priority functions, since the defaults
     * are adequate.
     */
1211 1212
    priority = ctxt->priority ? ctxt->priority : TLS_PRIORITY;
    VIR_DEBUG("Setting priority string '%s'", priority);
1213
    if ((err = gnutls_priority_set_direct(sess->session,
1214
                                          priority,
1215
                                          NULL)) != 0) {
1216
        virReportError(VIR_ERR_SYSTEM_ERROR,
1217
                       _("Failed to set TLS session priority to %s: %s"),
1218
                       priority, gnutls_strerror(err));
1219 1220 1221 1222 1223 1224
        goto error;
    }

    if ((err = gnutls_credentials_set(sess->session,
                                      GNUTLS_CRD_CERTIFICATE,
                                      ctxt->x509cred)) != 0) {
1225 1226 1227
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed set TLS x509 credentials: %s"),
                       gnutls_strerror(err));
1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244
        goto error;
    }

    /* request client certificate if any.
     */
    if (ctxt->isServer) {
        gnutls_certificate_server_set_request(sess->session, GNUTLS_CERT_REQUEST);

        gnutls_dh_set_prime_bits(sess->session, DH_BITS);
    }

    gnutls_transport_set_ptr(sess->session, sess);
    gnutls_transport_set_push_function(sess->session,
                                       virNetTLSSessionPush);
    gnutls_transport_set_pull_function(sess->session,
                                       virNetTLSSessionPull);

1245 1246
    sess->isServer = ctxt->isServer;

1247
    PROBE(RPC_TLS_SESSION_NEW,
1248 1249
          "sess=%p ctxt=%p hostname=%s isServer=%d",
          sess, ctxt, hostname, sess->isServer);
1250

1251 1252
    return sess;

1253
 error:
1254
    virObjectUnref(sess);
1255 1256 1257 1258 1259 1260 1261 1262 1263
    return NULL;
}


void virNetTLSSessionSetIOCallbacks(virNetTLSSessionPtr sess,
                                    virNetTLSSessionWriteFunc writeFunc,
                                    virNetTLSSessionReadFunc readFunc,
                                    void *opaque)
{
1264
    virObjectLock(sess);
1265 1266 1267
    sess->writeFunc = writeFunc;
    sess->readFunc = readFunc;
    sess->opaque = opaque;
1268
    virObjectUnlock(sess);
1269 1270 1271 1272 1273 1274 1275
}


ssize_t virNetTLSSessionWrite(virNetTLSSessionPtr sess,
                              const char *buf, size_t len)
{
    ssize_t ret;
1276

1277
    virObjectLock(sess);
1278 1279 1280
    ret = gnutls_record_send(sess->session, buf, len);

    if (ret >= 0)
1281
        goto cleanup;
1282 1283 1284 1285 1286 1287 1288 1289

    switch (ret) {
    case GNUTLS_E_AGAIN:
        errno = EAGAIN;
        break;
    case GNUTLS_E_INTERRUPTED:
        errno = EINTR;
        break;
1290 1291 1292
    case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
        errno = ENOMSG;
        break;
1293 1294 1295 1296 1297
    default:
        errno = EIO;
        break;
    }

1298 1299
    ret = -1;

1300
 cleanup:
1301
    virObjectUnlock(sess);
1302
    return ret;
1303 1304 1305 1306 1307 1308 1309
}

ssize_t virNetTLSSessionRead(virNetTLSSessionPtr sess,
                             char *buf, size_t len)
{
    ssize_t ret;

1310
    virObjectLock(sess);
1311 1312 1313
    ret = gnutls_record_recv(sess->session, buf, len);

    if (ret >= 0)
1314
        goto cleanup;
1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327

    switch (ret) {
    case GNUTLS_E_AGAIN:
        errno = EAGAIN;
        break;
    case GNUTLS_E_INTERRUPTED:
        errno = EINTR;
        break;
    default:
        errno = EIO;
        break;
    }

1328 1329
    ret = -1;

1330
 cleanup:
1331
    virObjectUnlock(sess);
1332
    return ret;
1333 1334 1335 1336
}

int virNetTLSSessionHandshake(virNetTLSSessionPtr sess)
{
1337
    int ret;
1338
    VIR_DEBUG("sess=%p", sess);
1339
    virObjectLock(sess);
1340
    ret = gnutls_handshake(sess->session);
1341 1342 1343 1344
    VIR_DEBUG("Ret=%d", ret);
    if (ret == 0) {
        sess->handshakeComplete = true;
        VIR_DEBUG("Handshake is complete");
1345 1346 1347 1348 1349
        goto cleanup;
    }
    if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
        ret = 1;
        goto cleanup;
1350 1351 1352 1353 1354 1355 1356
    }

#if 0
    PROBE(CLIENT_TLS_FAIL, "fd=%d",
          virNetServerClientGetFD(client));
#endif

1357 1358 1359
    virReportError(VIR_ERR_AUTH_FAILED,
                   _("TLS handshake failed %s"),
                   gnutls_strerror(ret));
1360 1361
    ret = -1;

1362
 cleanup:
1363
    virObjectUnlock(sess);
1364
    return ret;
1365 1366 1367 1368 1369
}

virNetTLSSessionHandshakeStatus
virNetTLSSessionGetHandshakeStatus(virNetTLSSessionPtr sess)
{
1370
    virNetTLSSessionHandshakeStatus ret;
1371
    virObjectLock(sess);
1372
    if (sess->handshakeComplete)
1373
        ret = VIR_NET_TLS_HANDSHAKE_COMPLETE;
1374
    else if (gnutls_record_get_direction(sess->session) == 0)
1375
        ret = VIR_NET_TLS_HANDSHAKE_RECVING;
1376
    else
1377
        ret = VIR_NET_TLS_HANDSHAKE_SENDING;
1378
    virObjectUnlock(sess);
1379
    return ret;
1380 1381 1382 1383 1384 1385
}

int virNetTLSSessionGetKeySize(virNetTLSSessionPtr sess)
{
    gnutls_cipher_algorithm_t cipher;
    int ssf;
1386
    virObjectLock(sess);
1387 1388
    cipher = gnutls_cipher_get(sess->session);
    if (!(ssf = gnutls_cipher_get_key_size(cipher))) {
1389 1390
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("invalid cipher size for TLS session"));
1391 1392
        ssf = -1;
        goto cleanup;
1393 1394
    }

1395
 cleanup:
1396
    virObjectUnlock(sess);
1397 1398 1399
    return ssf;
}

1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411
const char *virNetTLSSessionGetX509DName(virNetTLSSessionPtr sess)
{
    const char *ret = NULL;

    virObjectLock(sess);

    ret = sess->x509dname;

    virObjectUnlock(sess);

    return ret;
}
1412

1413
void virNetTLSSessionDispose(void *obj)
1414
{
1415
    virNetTLSSessionPtr sess = obj;
1416

1417 1418 1419
    PROBE(RPC_TLS_SESSION_DISPOSE,
          "sess=%p", sess);

1420
    VIR_FREE(sess->x509dname);
1421 1422 1423
    VIR_FREE(sess->hostname);
    gnutls_deinit(sess->session);
}
1424 1425 1426 1427 1428 1429

/*
 * This function MUST be called before any
 * virNetTLS* because it initializes
 * underlying GnuTLS library. According to
 * it's documentation, it's safe to be called
1430 1431 1432 1433 1434 1435 1436
 * many times, but is not thread safe.
 *
 * There is no corresponding "Deinit" / "Cleanup"
 * function because there is no safe way to call
 * 'gnutls_global_deinit' from a multi-threaded
 * library, where other libraries linked into the
 * application may also be using gnutls.
1437 1438 1439
 */
void virNetTLSInit(void)
{
1440
    const char *gnutlsdebug;
1441
    if ((gnutlsdebug = getenv("LIBVIRT_GNUTLS_DEBUG")) != NULL) {
1442 1443 1444 1445 1446 1447 1448 1449
        int val;
        if (virStrToLong_i(gnutlsdebug, NULL, 10, &val) < 0)
            val = 10;
        gnutls_global_set_log_level(val);
        gnutls_global_set_log_function(virNetTLSLog);
        VIR_DEBUG("Enabled GNUTLS debug");
    }

1450 1451
    gnutls_global_init();
}
反馈
建议
客服 返回
顶部