virnettlscontext.c 43.4 KB
Newer Older
1 2 3
/*
 * virnettlscontext.c: TLS encryption/x509 handling
 *
4
 * Copyright (C) 2010-2013 Red Hat, Inc.
5 6 7 8 9 10 11 12 13 14 15 16
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
17
 * License along with this library.  If not, see
O
Osier Yang 已提交
18
 * <http://www.gnu.org/licenses/>.
19 20 21 22 23 24 25 26 27 28 29 30 31 32
 */

#include <config.h>

#include <unistd.h>
#include <fnmatch.h>
#include <stdlib.h>

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include "gnutls_1_0_compat.h"

#include "virnettlscontext.h"

33
#include "viralloc.h"
34
#include "virerror.h"
35
#include "virutil.h"
36
#include "virlog.h"
37
#include "virthread.h"
38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
#include "configmake.h"

#define DH_BITS 1024

#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"

#define VIR_FROM_THIS VIR_FROM_RPC

struct _virNetTLSContext {
53
    virObjectLockable parent;
54 55 56 57 58 59 60 61 62 63

    gnutls_certificate_credentials_t x509cred;
    gnutls_dh_params_t dhParams;

    bool isServer;
    bool requireValidCert;
    const char *const*x509dnWhitelist;
};

struct _virNetTLSSession {
64
    virObjectLockable parent;
65 66 67

    bool handshakeComplete;

68
    bool isServer;
69 70 71 72 73 74 75
    char *hostname;
    gnutls_session_t session;
    virNetTLSSessionWriteFunc writeFunc;
    virNetTLSSessionReadFunc readFunc;
    void *opaque;
};

76 77 78 79 80 81 82 83
static virClassPtr virNetTLSContextClass;
static virClassPtr virNetTLSSessionClass;
static void virNetTLSContextDispose(void *obj);
static void virNetTLSSessionDispose(void *obj);


static int virNetTLSContextOnceInit(void)
{
84
    if (!(virNetTLSContextClass = virClassNew(virClassForObjectLockable(),
85
                                              "virNetTLSContext",
86 87 88 89
                                              sizeof(virNetTLSContext),
                                              virNetTLSContextDispose)))
        return -1;

90
    if (!(virNetTLSSessionClass = virClassNew(virClassForObjectLockable(),
91
                                              "virNetTLSSession",
92 93 94 95 96 97 98 99 100
                                              sizeof(virNetTLSSession),
                                              virNetTLSSessionDispose)))
        return -1;

    return 0;
}

VIR_ONCE_GLOBAL_INIT(virNetTLSContext)

101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117

static int
virNetTLSContextCheckCertFile(const char *type, const char *file, bool allowMissing)
{
    if (!virFileExists(file)) {
        if (allowMissing)
            return 1;

        virReportSystemError(errno,
                             _("Cannot read %s '%s'"),
                             type, file);
        return -1;
    }
    return 0;
}


118 119
static void virNetTLSLog(int level ATTRIBUTE_UNUSED,
                         const char *str ATTRIBUTE_UNUSED) {
120 121 122
    VIR_DEBUG("%d %s", level, str);
}

123

124 125 126 127
static int virNetTLSContextCheckCertTimes(gnutls_x509_crt_t cert,
                                          const char *certFile,
                                          bool isServer,
                                          bool isCA)
128 129 130 131 132 133
{
    time_t now;

    if ((now = time(NULL)) == ((time_t)-1)) {
        virReportSystemError(errno, "%s",
                             _("cannot get current time"));
134
        return -1;
135 136 137
    }

    if (gnutls_x509_crt_get_expiration_time(cert) < now) {
138 139 140 141 142 143 144
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       (isCA ?
                        _("The CA certificate %s has expired") :
                        (isServer ?
                         _("The server certificate %s has expired") :
                         _("The client certificate %s has expired"))),
                       certFile);
145
        return -1;
146 147 148
    }

    if (gnutls_x509_crt_get_activation_time(cert) > now) {
149 150 151 152 153 154 155
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       (isCA ?
                        _("The CA certificate %s is not yet active") :
                        (isServer ?
                         _("The server certificate %s is not yet active") :
                         _("The client certificate %s is not yet active"))),
                       certFile);
156
        return -1;
157 158
    }

159 160 161
    return 0;
}

162 163 164 165 166 167 168 169 170

#ifndef GNUTLS_1_0_COMPAT
/*
 * The gnutls_x509_crt_get_basic_constraints function isn't
 * available in GNUTLS 1.0.x branches. This isn't critical
 * though, since gnutls_certificate_verify_peers2 will do
 * pretty much the same check at runtime, so we can just
 * disable this code
 */
171 172 173 174 175 176 177
static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert,
                                                     const char *certFile,
                                                     bool isServer,
                                                     bool isCA)
{
    int status;

178 179 180 181 182
    status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
    VIR_DEBUG("Cert %s basic constraints %d", certFile, status);

    if (status > 0) { /* It is a CA cert */
        if (!isCA) {
183 184 185 186
            virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                           _("The certificate %s basic constraints show a CA, but we need one for a server") :
                           _("The certificate %s basic constraints show a CA, but we need one for a client"),
                           certFile);
187
            return -1;
188 189 190
        }
    } else if (status == 0) { /* It is not a CA cert */
        if (isCA) {
191 192 193
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("The certificate %s basic constraints do not show a CA"),
                           certFile);
194
            return -1;
195 196 197
        }
    } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */
        if (isCA) {
198 199 200
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("The certificate %s is missing basic constraints for a CA"),
                           certFile);
201
            return -1;
202 203
        }
    } else { /* General error */
204 205 206
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to query certificate %s basic constraints %s"),
                       certFile, gnutls_strerror(status));
207
        return -1;
208 209
    }

210 211
    return 0;
}
212 213
#endif

214 215 216 217 218 219 220 221 222

static int virNetTLSContextCheckCertKeyUsage(gnutls_x509_crt_t cert,
                                             const char *certFile,
                                             bool isCA)
{
    int status;
    unsigned int usage;
    unsigned int critical;

223
    status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
224

225
    VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
226
    if (status < 0) {
227 228 229 230
        if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
            usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
                GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
        } else {
231 232 233
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key usage %s"),
                           certFile, gnutls_strerror(status));
234
            return -1;
235
        }
236 237
    }

238 239
    if (isCA) {
        if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
240
            if (critical) {
241 242 243
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit certificate signing"),
                               certFile);
244
                return -1;
245 246 247 248
            } else {
                VIR_WARN("Certificate %s usage does not permit certificate signing",
                         certFile);
            }
249 250
        }
    } else {
251
        if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
252
            if (critical) {
253 254 255
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit digital signature"),
                               certFile);
256
                return -1;
257 258 259 260
            } else {
                VIR_WARN("Certificate %s usage does not permit digital signature",
                         certFile);
            }
261 262
        }
        if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
263
            if (critical) {
264 265 266
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit key encipherment"),
                               certFile);
267
                return -1;
268 269 270 271
            } else {
                VIR_WARN("Certificate %s usage does not permit key encipherment",
                         certFile);
            }
272 273 274
        }
    }

275 276 277 278 279 280 281 282 283 284 285 286
    return 0;
}


static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert,
                                               const char *certFile,
                                               bool isServer)
{
    int status;
    int i;
    unsigned int purposeCritical;
    unsigned int critical;
E
Eric Blake 已提交
287
    char *buffer = NULL;
288 289 290
    size_t size;
    bool allowClient = false, allowServer = false;

291
    critical = 0;
292 293 294 295 296
    for (i = 0 ; ; i++) {
        size = 0;
        status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL);

        if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
297 298 299 300 301
            VIR_DEBUG("No key purpose data available at slot %d", i);

            /* If there is no data at all, then we must allow client/server to pass */
            if (i == 0)
                allowServer = allowClient = true;
302 303 304
            break;
        }
        if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
305 306 307
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key purpose %s"),
                           certFile, gnutls_strerror(status));
308
            return -1;
309 310 311 312
        }

        if (VIR_ALLOC_N(buffer, size) < 0) {
            virReportOOMError();
313
            return -1;
314 315
        }

316
        status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical);
317
        if (status < 0) {
318
            VIR_FREE(buffer);
319 320 321
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key purpose %s"),
                           certFile, gnutls_strerror(status));
322
            return -1;
323
        }
324 325
        if (purposeCritical)
            critical = true;
326

327
        VIR_DEBUG("Key purpose %d %s critical %u", status, buffer, purposeCritical);
328
        if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
329
            allowServer = true;
330
        } else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
331
            allowClient = true;
332
        } else if (STRNEQ(buffer, GNUTLS_KP_ANY)) {
333
            allowServer = allowClient = true;
334 335 336 337 338
        }

        VIR_FREE(buffer);
    }

339 340
    if (isServer) {
        if (!allowServer) {
341
            if (critical) {
342 343 344
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s purpose does not allow use for with a TLS server"),
                               certFile);
345
                return -1;
346 347 348 349
            } else {
                VIR_WARN("Certificate %s purpose does not allow use for with a TLS server",
                         certFile);
            }
350
        }
351 352
    } else {
        if (!allowClient) {
353
            if (critical) {
354 355 356
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s purpose does not allow use for with a TLS client"),
                               certFile);
357
                return -1;
358 359 360 361
            } else {
                VIR_WARN("Certificate %s purpose does not allow use for with a TLS client",
                         certFile);
            }
362 363 364
        }
    }

365 366 367 368 369 370 371 372 373
    return 0;
}

/* Check DN is on tls_allowed_dn_list. */
static int
virNetTLSContextCheckCertDNWhitelist(const char *dname,
                                     const char *const*wildcards)
{
    while (*wildcards) {
374
        int ret = fnmatch(*wildcards, dname, 0);
J
Ján Tomko 已提交
375
        if (ret == 0) /* Successful match */
376 377
            return 1;
        if (ret != FNM_NOMATCH) {
378 379 380
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("Malformed TLS whitelist regular expression '%s'"),
                           *wildcards);
381 382 383 384 385 386 387 388 389 390
            return -1;
        }

        wildcards++;
    }

    /* Log the client's DN for debugging */
    VIR_DEBUG("Failed whitelist check for client DN '%s'", dname);

    /* This is the most common error: make it informative. */
391 392 393
    virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                   _("Client's Distinguished Name is not on the list "
                     "of allowed clients (tls_allowed_dn_list).  Use "
394 395
                     "'certtool -i --infile clientcert.pem' to view the "
                     "Distinguished Name field in the client certificate, "
396
                     "or run this daemon with --verbose option."));
397 398 399 400 401 402 403 404
    return 0;
}


static int
virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert,
                            const char *certFile,
                            const char *hostname,
405
                            const char *dname,
406 407
                            const char *const* whitelist)
{
408 409
    if (whitelist && dname &&
        virNetTLSContextCheckCertDNWhitelist(dname, whitelist) <= 0)
410 411 412 413
        return -1;

    if (hostname &&
        !gnutls_x509_crt_check_hostname(cert, hostname)) {
414 415 416
        virReportError(VIR_ERR_RPC,
                       _("Certificate %s owner does not match the hostname %s"),
                       certFile, hostname);
417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432
        return -1;
    }

    return 0;
}


static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert,
                                     const char *certFile,
                                     bool isServer,
                                     bool isCA)
{
    if (virNetTLSContextCheckCertTimes(cert, certFile,
                                       isServer, isCA) < 0)
        return -1;

433
#ifndef GNUTLS_1_0_COMPAT
434 435 436
    if (virNetTLSContextCheckCertBasicConstraints(cert, certFile,
                                                  isServer, isCA) < 0)
        return -1;
437
#endif
438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463

    if (virNetTLSContextCheckCertKeyUsage(cert, certFile,
                                          isCA) < 0)
        return -1;

    if (!isCA &&
        virNetTLSContextCheckCertKeyPurpose(cert, certFile,
                                            isServer) < 0)
        return -1;

    return 0;
}


static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
                                         const char *certFile,
                                         gnutls_x509_crt_t cacert,
                                         const char *cacertFile,
                                         bool isServer)
{
    unsigned int status;

    if (gnutls_x509_crt_list_verify(&cert, 1,
                                    &cacert, 1,
                                    NULL, 0,
                                    0, &status) < 0) {
464 465 466 467
        virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                       _("Unable to verify server certificate %s against CA certificate %s") :
                       _("Unable to verify client certificate %s against CA certificate %s"),
                       certFile, cacertFile);
468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487
        return -1;
    }

    if (status != 0) {
        const char *reason = _("Invalid certificate");

        if (status & GNUTLS_CERT_INVALID)
            reason = _("The certificate is not trusted.");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
            reason = _("The certificate hasn't got a known issuer.");

        if (status & GNUTLS_CERT_REVOKED)
            reason = _("The certificate has been revoked.");

#ifndef GNUTLS_1_0_COMPAT
        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
            reason = _("The certificate uses an insecure algorithm");
#endif

488 489 490
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Our own certificate %s failed validation against %s: %s"),
                       certFile, cacertFile, reason);
491 492 493 494 495 496 497 498 499
        return -1;
    }

    return 0;
}


static gnutls_x509_crt_t virNetTLSContextLoadCertFromFile(const char *certFile,
                                                          bool isServer,
500
                                                          bool isCA ATTRIBUTE_UNUSED)
501 502 503 504 505 506 507 508 509 510
{
    gnutls_datum_t data;
    gnutls_x509_crt_t cert = NULL;
    char *buf = NULL;
    int ret = -1;

    VIR_DEBUG("isServer %d isCA %d certFile %s",
              isServer, isCA, certFile);

    if (gnutls_x509_crt_init(&cert) < 0) {
511 512
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("Unable to initialize certificate"));
513 514 515 516 517 518 519 520 521 522
        goto cleanup;
    }

    if (virFileReadAll(certFile, (1<<16), &buf) < 0)
        goto cleanup;

    data.data = (unsigned char *)buf;
    data.size = strlen(buf);

    if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
523 524 525 526
        virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                       _("Unable to import server certificate %s") :
                       _("Unable to import client certificate %s"),
                       certFile);
527 528
        goto cleanup;
    }
529

530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549
    ret = 0;

cleanup:
    if (ret != 0) {
        gnutls_x509_crt_deinit(cert);
        cert = NULL;
    }
    VIR_FREE(buf);
    return cert;
}


static int virNetTLSContextSanityCheckCredentials(bool isServer,
                                                  const char *cacertFile,
                                                  const char *certFile)
{
    gnutls_x509_crt_t cert = NULL;
    gnutls_x509_crt_t cacert = NULL;
    int ret = -1;

550 551 552 553 554 555
    if ((access(certFile, R_OK) == 0) &&
        !(cert = virNetTLSContextLoadCertFromFile(certFile, isServer, false)))
        goto cleanup;
    if ((access(cacertFile, R_OK) == 0) &&
        !(cacert = virNetTLSContextLoadCertFromFile(cacertFile, isServer, false)))
        goto cleanup;
556

557 558 559
    if (cert &&
        virNetTLSContextCheckCert(cert, certFile, isServer, false) < 0)
        goto cleanup;
560

561 562 563
    if (cacert &&
        virNetTLSContextCheckCert(cacert, cacertFile, isServer, true) < 0)
        goto cleanup;
564

565 566 567
    if (cert && cacert &&
        virNetTLSContextCheckCertPair(cert, certFile, cacert, cacertFile, isServer) < 0)
        goto cleanup;
568 569 570 571 572 573 574 575 576 577 578 579

    ret = 0;

cleanup:
    if (cert)
        gnutls_x509_crt_deinit(cert);
    if (cacert)
        gnutls_x509_crt_deinit(cacert);
    return ret;
}


580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598
static int virNetTLSContextLoadCredentials(virNetTLSContextPtr ctxt,
                                           bool isServer,
                                           const char *cacert,
                                           const char *cacrl,
                                           const char *cert,
                                           const char *key)
{
    int ret = -1;
    int err;

    if (cacert && cacert[0] != '\0') {
        if (virNetTLSContextCheckCertFile("CA certificate", cacert, false) < 0)
            goto cleanup;

        VIR_DEBUG("loading CA cert from %s", cacert);
        err = gnutls_certificate_set_x509_trust_file(ctxt->x509cred,
                                                     cacert,
                                                     GNUTLS_X509_FMT_PEM);
        if (err < 0) {
599 600
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to set x509 CA certificate: %s: %s"),
601
                           cacert, gnutls_strerror(err));
602 603 604 605 606 607 608 609 610 611 612 613 614 615 616
            goto cleanup;
        }
    }

    if (cacrl && cacrl[0] != '\0') {
        int rv;
        if ((rv = virNetTLSContextCheckCertFile("CA revocation list", cacrl, true)) < 0)
            goto cleanup;

        if (rv == 0) {
            VIR_DEBUG("loading CRL from %s", cacrl);
            err = gnutls_certificate_set_x509_crl_file(ctxt->x509cred,
                                                       cacrl,
                                                       GNUTLS_X509_FMT_PEM);
            if (err < 0) {
617 618 619
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Unable to set x509 certificate revocation list: %s: %s"),
                               cacrl, gnutls_strerror(err));
620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641
                goto cleanup;
            }
        } else {
            VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl);
        }
    }

    if (cert && cert[0] != '\0' && key && key[0] != '\0') {
        int rv;
        if ((rv = virNetTLSContextCheckCertFile("certificate", cert, !isServer)) < 0)
            goto cleanup;
        if (rv == 0 &&
            (rv = virNetTLSContextCheckCertFile("private key", key, !isServer)) < 0)
            goto cleanup;

        if (rv == 0) {
            VIR_DEBUG("loading cert and key from %s and %s", cert, key);
            err =
                gnutls_certificate_set_x509_key_file(ctxt->x509cred,
                                                     cert, key,
                                                     GNUTLS_X509_FMT_PEM);
            if (err < 0) {
642 643 644
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Unable to set x509 key and certificate: %s, %s: %s"),
                               key, cert, gnutls_strerror(err));
645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663
                goto cleanup;
            }
        } else {
            VIR_DEBUG("Skipping non-existant cert %s key %s on client", cert, key);
        }
    }

    ret = 0;

cleanup:
    return ret;
}


static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
                                               const char *cacrl,
                                               const char *cert,
                                               const char *key,
                                               const char *const*x509dnWhitelist,
664
                                               bool sanityCheckCert,
665 666 667 668 669 670 671
                                               bool requireValidCert,
                                               bool isServer)
{
    virNetTLSContextPtr ctxt;
    char *gnutlsdebug;
    int err;

672 673 674
    if (virNetTLSContextInitialize() < 0)
        return NULL;

675
    if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
676 677
        return NULL;

678 679 680 681 682 683 684 685 686 687 688 689
    if ((gnutlsdebug = getenv("LIBVIRT_GNUTLS_DEBUG")) != NULL) {
        int val;
        if (virStrToLong_i(gnutlsdebug, NULL, 10, &val) < 0)
            val = 10;
        gnutls_global_set_log_level(val);
        gnutls_global_set_log_function(virNetTLSLog);
        VIR_DEBUG("Enabled GNUTLS debug");
    }


    err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
    if (err) {
690 691 692
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to allocate x509 credentials: %s"),
                       gnutls_strerror(err));
693 694 695
        goto error;
    }

696
    if (sanityCheckCert &&
697 698 699
        virNetTLSContextSanityCheckCredentials(isServer, cacert, cert) < 0)
        goto error;

700 701 702 703 704 705 706 707 708 709 710
    if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
        goto error;

    /* Generate Diffie Hellman parameters - for use with DHE
     * kx algorithms. These should be discarded and regenerated
     * once a day, once a week or once a month. Depending on the
     * security requirements.
     */
    if (isServer) {
        err = gnutls_dh_params_init(&ctxt->dhParams);
        if (err < 0) {
711 712 713
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to initialize diffie-hellman parameters: %s"),
                           gnutls_strerror(err));
714 715 716 717
            goto error;
        }
        err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
        if (err < 0) {
718 719 720
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to generate diffie-hellman parameters: %s"),
                           gnutls_strerror(err));
721 722 723 724 725 726 727 728 729 730 731
            goto error;
        }

        gnutls_certificate_set_dh_params(ctxt->x509cred,
                                         ctxt->dhParams);
    }

    ctxt->requireValidCert = requireValidCert;
    ctxt->x509dnWhitelist = x509dnWhitelist;
    ctxt->isServer = isServer;

732
    PROBE(RPC_TLS_CONTEXT_NEW,
733 734
          "ctxt=%p cacert=%s cacrl=%s cert=%s key=%s sanityCheckCert=%d requireValidCert=%d isServer=%d",
          ctxt, cacert, NULLSTR(cacrl), cert, key, sanityCheckCert, requireValidCert, isServer);
735

736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787
    return ctxt;

error:
    if (isServer)
        gnutls_dh_params_deinit(ctxt->dhParams);
    gnutls_certificate_free_credentials(ctxt->x509cred);
    VIR_FREE(ctxt);
    return NULL;
}


static int virNetTLSContextLocateCredentials(const char *pkipath,
                                             bool tryUserPkiPath,
                                             bool isServer,
                                             char **cacert,
                                             char **cacrl,
                                             char **cert,
                                             char **key)
{
    char *userdir = NULL;
    char *user_pki_path = NULL;

    *cacert = NULL;
    *cacrl = NULL;
    *key = NULL;
    *cert = NULL;

    VIR_DEBUG("pkipath=%s isServer=%d tryUserPkiPath=%d",
              pkipath, isServer, tryUserPkiPath);

    /* Explicit path, then use that no matter whether the
     * files actually exist there
     */
    if (pkipath) {
        VIR_DEBUG("Told to use TLS credentials in %s", pkipath);
        if ((virAsprintf(cacert, "%s/%s", pkipath,
                         "cacert.pem")) < 0)
            goto out_of_memory;
        if ((virAsprintf(cacrl, "%s/%s", pkipath,
                         "cacrl.pem")) < 0)
            goto out_of_memory;
        if ((virAsprintf(key, "%s/%s", pkipath,
                         isServer ? "serverkey.pem" : "clientkey.pem")) < 0)
            goto out_of_memory;

        if ((virAsprintf(cert, "%s/%s", pkipath,
                         isServer ? "servercert.pem" : "clientcert.pem")) < 0)
             goto out_of_memory;
    } else if (tryUserPkiPath) {
        /* Check to see if $HOME/.pki contains at least one of the
         * files and if so, use that
         */
788
        userdir = virGetUserDirectory();
789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875

        if (!userdir)
            goto out_of_memory;

        if (virAsprintf(&user_pki_path, "%s/.pki/libvirt", userdir) < 0)
            goto out_of_memory;

        VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path);

        if ((virAsprintf(cacert, "%s/%s", user_pki_path,
                         "cacert.pem")) < 0)
            goto out_of_memory;

        if ((virAsprintf(cacrl, "%s/%s", user_pki_path,
                         "cacrl.pem")) < 0)
            goto out_of_memory;

        if ((virAsprintf(key, "%s/%s", user_pki_path,
                         isServer ? "serverkey.pem" : "clientkey.pem")) < 0)
            goto out_of_memory;

        if ((virAsprintf(cert, "%s/%s", user_pki_path,
                         isServer ? "servercert.pem" : "clientcert.pem")) < 0)
            goto out_of_memory;

        /*
         * If some of the files can't be found, fallback
         * to the global location for them
         */
        if (!virFileExists(*cacert))
            VIR_FREE(*cacert);
        if (!virFileExists(*cacrl))
            VIR_FREE(*cacrl);

        /* Check these as a pair, since it they are
         * mutually dependent
         */
        if (!virFileExists(*key) || !virFileExists(*cert)) {
            VIR_FREE(*key);
            VIR_FREE(*cert);
        }
    }

    /* No explicit path, or user path didn't exist, so
     * fallback to global defaults
     */
    if (!*cacert) {
        VIR_DEBUG("Using default TLS CA certificate path");
        if (!(*cacert = strdup(LIBVIRT_CACERT)))
            goto out_of_memory;
    }

    if (!*cacrl) {
        VIR_DEBUG("Using default TLS CA revocation list path");
        if (!(*cacrl = strdup(LIBVIRT_CACRL)))
            goto out_of_memory;
    }

    if (!*key && !*cert) {
        VIR_DEBUG("Using default TLS key/certificate path");
        if (!(*key = strdup(isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY)))
            goto out_of_memory;

        if (!(*cert = strdup(isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT)))
            goto out_of_memory;
    }

    VIR_FREE(user_pki_path);
    VIR_FREE(userdir);

    return 0;

out_of_memory:
    virReportOOMError();
    VIR_FREE(*cacert);
    VIR_FREE(*cacrl);
    VIR_FREE(*key);
    VIR_FREE(*cert);
    VIR_FREE(user_pki_path);
    VIR_FREE(userdir);
    return -1;
}


static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
                                                   bool tryUserPkiPath,
                                                   const char *const*x509dnWhitelist,
876
                                                   bool sanityCheckCert,
877 878 879 880 881 882 883
                                                   bool requireValidCert,
                                                   bool isServer)
{
    char *cacert = NULL, *cacrl = NULL, *key = NULL, *cert = NULL;
    virNetTLSContextPtr ctxt = NULL;

    if (virNetTLSContextLocateCredentials(pkipath, tryUserPkiPath, isServer,
884
                                          &cacert, &cacrl, &cert, &key) < 0)
885 886
        return NULL;

887
    ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
888 889
                               x509dnWhitelist, sanityCheckCert,
                               requireValidCert, isServer);
890 891 892 893 894 895 896 897 898 899 900 901

    VIR_FREE(cacert);
    VIR_FREE(cacrl);
    VIR_FREE(key);
    VIR_FREE(cert);

    return ctxt;
}

virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
                                                  bool tryUserPkiPath,
                                                  const char *const*x509dnWhitelist,
902
                                                  bool sanityCheckCert,
903 904
                                                  bool requireValidCert)
{
905 906
    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist,
                                   sanityCheckCert, requireValidCert, true);
907 908 909 910
}

virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
                                                  bool tryUserPkiPath,
911
                                                  bool sanityCheckCert,
912 913
                                                  bool requireValidCert)
{
914 915
    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL,
                                   sanityCheckCert, requireValidCert, false);
916 917 918 919 920 921 922 923
}


virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
                                              const char *cacrl,
                                              const char *cert,
                                              const char *key,
                                              const char *const*x509dnWhitelist,
924
                                              bool sanityCheckCert,
925 926
                                              bool requireValidCert)
{
927 928
    return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist,
                               sanityCheckCert, requireValidCert, true);
929 930 931 932 933 934 935
}


virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
                                              const char *cacrl,
                                              const char *cert,
                                              const char *key,
936
                                              bool sanityCheckCert,
937 938
                                              bool requireValidCert)
{
939 940
    return virNetTLSContextNew(cacert, cacrl, cert, key, NULL,
                               sanityCheckCert, requireValidCert, false);
941 942 943 944 945 946 947 948 949 950
}


static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
                                            virNetTLSSessionPtr sess)
{
    int ret;
    unsigned int status;
    const gnutls_datum_t *certs;
    unsigned int nCerts, i;
951
    char dname[256];
952
    char *dnameptr = dname;
953 954 955
    size_t dnamesize = sizeof(dname);

    memset(dname, 0, dnamesize);
956 957

    if ((ret = gnutls_certificate_verify_peers2(sess->session, &status)) < 0){
958 959 960
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to verify TLS peer: %s"),
                       gnutls_strerror(ret));
961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980
        goto authdeny;
    }

    if (status != 0) {
        const char *reason = _("Invalid certificate");

        if (status & GNUTLS_CERT_INVALID)
            reason = _("The certificate is not trusted.");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
            reason = _("The certificate hasn't got a known issuer.");

        if (status & GNUTLS_CERT_REVOKED)
            reason = _("The certificate has been revoked.");

#ifndef GNUTLS_1_0_COMPAT
        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
            reason = _("The certificate uses an insecure algorithm");
#endif

981 982 983
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Certificate failed validation: %s"),
                       reason);
984 985 986 987
        goto authdeny;
    }

    if (gnutls_certificate_type_get(sess->session) != GNUTLS_CRT_X509) {
988 989
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("Only x509 certificates are supported"));
990 991 992 993
        goto authdeny;
    }

    if (!(certs = gnutls_certificate_get_peers(sess->session, &nCerts))) {
994 995
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("The certificate has no peers"));
996 997 998 999 1000 1001 1002
        goto authdeny;
    }

    for (i = 0; i < nCerts; i++) {
        gnutls_x509_crt_t cert;

        if (gnutls_x509_crt_init(&cert) < 0) {
1003 1004
            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                           _("Unable to initialize certificate"));
1005 1006 1007 1008
            goto authfail;
        }

        if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {
1009 1010
            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                           _("Unable to load certificate"));
1011 1012 1013 1014
            gnutls_x509_crt_deinit(cert);
            goto authfail;
        }

1015 1016
        if (virNetTLSContextCheckCertTimes(cert, "[session]",
                                           sess->isServer, i > 0) < 0) {
1017 1018 1019 1020 1021
            gnutls_x509_crt_deinit(cert);
            goto authdeny;
        }

        if (i == 0) {
1022 1023
            ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize);
            if (ret != 0) {
1024 1025 1026
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Failed to get certificate %s distinguished name: %s"),
                               "[session]", gnutls_strerror(ret));
1027 1028 1029 1030 1031
                goto authfail;
            }
            VIR_DEBUG("Peer DN is %s", dname);

            if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
1032
                                            ctxt->x509dnWhitelist) < 0) {
1033
                gnutls_x509_crt_deinit(cert);
1034 1035 1036 1037 1038 1039
                goto authdeny;
            }

            /* !sess->isServer, since on the client, we're validating the
             * server's cert, and on the server, the client's cert
             */
1040
#ifndef GNUTLS_1_0_COMPAT
1041 1042 1043 1044
            if (virNetTLSContextCheckCertBasicConstraints(cert, "[session]",
                                                          !sess->isServer, false) < 0) {
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
1045
            }
1046
#endif
1047

1048 1049
            if (virNetTLSContextCheckCertKeyUsage(cert, "[session]",
                                                  false) < 0) {
1050 1051 1052 1053
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
            }

1054 1055 1056
            /* !sess->isServer - as above */
            if (virNetTLSContextCheckCertKeyPurpose(cert, "[session]",
                                                    !sess->isServer) < 0) {
1057 1058 1059 1060
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
            }
        }
1061
        gnutls_x509_crt_deinit(cert);
1062 1063
    }

1064 1065
    PROBE(RPC_TLS_CONTEXT_SESSION_ALLOW,
          "ctxt=%p sess=%p dname=%s",
1066
          ctxt, sess, dnameptr);
1067

1068 1069 1070
    return 0;

authdeny:
1071 1072
    PROBE(RPC_TLS_CONTEXT_SESSION_DENY,
          "ctxt=%p sess=%p dname=%s",
1073
          ctxt, sess, dnameptr);
1074

1075 1076 1077
    return -1;

authfail:
1078 1079 1080 1081
    PROBE(RPC_TLS_CONTEXT_SESSION_FAIL,
          "ctxt=%p sess=%p",
          ctxt, sess);

1082 1083 1084 1085 1086 1087
    return -1;
}

int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt,
                                     virNetTLSSessionPtr sess)
{
1088 1089
    int ret = -1;

1090 1091
    virObjectLock(ctxt);
    virObjectLock(sess);
1092
    if (virNetTLSContextValidCertificate(ctxt, sess) < 0) {
1093 1094
        virErrorPtr err = virGetLastError();
        VIR_WARN("Certificate check failed %s", err && err->message ? err->message : "<unknown>");
1095
        if (ctxt->requireValidCert) {
1096 1097
            virReportError(VIR_ERR_AUTH_FAILED, "%s",
                           _("Failed to verify peer's certificate"));
1098
            goto cleanup;
1099
        }
1100
        virResetLastError();
1101 1102
        VIR_INFO("Ignoring bad certificate at user request");
    }
1103 1104 1105 1106

    ret = 0;

cleanup:
1107 1108
    virObjectUnlock(ctxt);
    virObjectUnlock(sess);
1109 1110

    return ret;
1111 1112
}

1113
void virNetTLSContextDispose(void *obj)
1114
{
1115
    virNetTLSContextPtr ctxt = obj;
1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126

    gnutls_dh_params_deinit(ctxt->dhParams);
    gnutls_certificate_free_credentials(ctxt->x509cred);
}


static ssize_t
virNetTLSSessionPush(void *opaque, const void *buf, size_t len)
{
    virNetTLSSessionPtr sess = opaque;
    if (!sess->writeFunc) {
1127
        VIR_WARN("TLS session push with missing write function");
1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155
        errno = EIO;
        return -1;
    };

    return sess->writeFunc(buf, len, sess->opaque);
}


static ssize_t
virNetTLSSessionPull(void *opaque, void *buf, size_t len)
{
    virNetTLSSessionPtr sess = opaque;
    if (!sess->readFunc) {
        VIR_WARN("TLS session pull with missing read function");
        errno = EIO;
        return -1;
    };

    return sess->readFunc(buf, len, sess->opaque);
}


virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
                                        const char *hostname)
{
    virNetTLSSessionPtr sess;
    int err;

E
Eric Blake 已提交
1156 1157
    VIR_DEBUG("ctxt=%p hostname=%s isServer=%d",
              ctxt, NULLSTR(hostname), ctxt->isServer);
1158

1159
    if (!(sess = virObjectLockableNew(virNetTLSSessionClass)))
1160 1161 1162 1163 1164 1165 1166 1167 1168 1169
        return NULL;

    if (hostname &&
        !(sess->hostname = strdup(hostname))) {
        virReportOOMError();
        goto error;
    }

    if ((err = gnutls_init(&sess->session,
                           ctxt->isServer ? GNUTLS_SERVER : GNUTLS_CLIENT)) != 0) {
1170 1171 1172
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed to initialize TLS session: %s"),
                       gnutls_strerror(err));
1173 1174 1175 1176 1177 1178
        goto error;
    }

    /* avoid calling all the priority functions, since the defaults
     * are adequate.
     */
1179
    if ((err = gnutls_set_default_priority(sess->session)) != 0) {
1180 1181 1182
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed to set TLS session priority %s"),
                       gnutls_strerror(err));
1183 1184 1185 1186 1187 1188
        goto error;
    }

    if ((err = gnutls_credentials_set(sess->session,
                                      GNUTLS_CRD_CERTIFICATE,
                                      ctxt->x509cred)) != 0) {
1189 1190 1191
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed set TLS x509 credentials: %s"),
                       gnutls_strerror(err));
1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208
        goto error;
    }

    /* request client certificate if any.
     */
    if (ctxt->isServer) {
        gnutls_certificate_server_set_request(sess->session, GNUTLS_CERT_REQUEST);

        gnutls_dh_set_prime_bits(sess->session, DH_BITS);
    }

    gnutls_transport_set_ptr(sess->session, sess);
    gnutls_transport_set_push_function(sess->session,
                                       virNetTLSSessionPush);
    gnutls_transport_set_pull_function(sess->session,
                                       virNetTLSSessionPull);

1209 1210
    sess->isServer = ctxt->isServer;

1211
    PROBE(RPC_TLS_SESSION_NEW,
1212 1213
          "sess=%p ctxt=%p hostname=%s isServer=%d",
          sess, ctxt, hostname, sess->isServer);
1214

1215 1216 1217
    return sess;

error:
1218
    virObjectUnref(sess);
1219 1220 1221 1222 1223 1224 1225 1226 1227
    return NULL;
}


void virNetTLSSessionSetIOCallbacks(virNetTLSSessionPtr sess,
                                    virNetTLSSessionWriteFunc writeFunc,
                                    virNetTLSSessionReadFunc readFunc,
                                    void *opaque)
{
1228
    virObjectLock(sess);
1229 1230 1231
    sess->writeFunc = writeFunc;
    sess->readFunc = readFunc;
    sess->opaque = opaque;
1232
    virObjectUnlock(sess);
1233 1234 1235 1236 1237 1238 1239
}


ssize_t virNetTLSSessionWrite(virNetTLSSessionPtr sess,
                              const char *buf, size_t len)
{
    ssize_t ret;
1240

1241
    virObjectLock(sess);
1242 1243 1244
    ret = gnutls_record_send(sess->session, buf, len);

    if (ret >= 0)
1245
        goto cleanup;
1246 1247 1248 1249 1250 1251 1252 1253

    switch (ret) {
    case GNUTLS_E_AGAIN:
        errno = EAGAIN;
        break;
    case GNUTLS_E_INTERRUPTED:
        errno = EINTR;
        break;
1254 1255 1256
    case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
        errno = ENOMSG;
        break;
1257 1258 1259 1260 1261
    default:
        errno = EIO;
        break;
    }

1262 1263 1264
    ret = -1;

cleanup:
1265
    virObjectUnlock(sess);
1266
    return ret;
1267 1268 1269 1270 1271 1272 1273
}

ssize_t virNetTLSSessionRead(virNetTLSSessionPtr sess,
                             char *buf, size_t len)
{
    ssize_t ret;

1274
    virObjectLock(sess);
1275 1276 1277
    ret = gnutls_record_recv(sess->session, buf, len);

    if (ret >= 0)
1278
        goto cleanup;
1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291

    switch (ret) {
    case GNUTLS_E_AGAIN:
        errno = EAGAIN;
        break;
    case GNUTLS_E_INTERRUPTED:
        errno = EINTR;
        break;
    default:
        errno = EIO;
        break;
    }

1292 1293 1294
    ret = -1;

cleanup:
1295
    virObjectUnlock(sess);
1296
    return ret;
1297 1298 1299 1300
}

int virNetTLSSessionHandshake(virNetTLSSessionPtr sess)
{
1301
    int ret;
1302
    VIR_DEBUG("sess=%p", sess);
1303
    virObjectLock(sess);
1304
    ret = gnutls_handshake(sess->session);
1305 1306 1307 1308
    VIR_DEBUG("Ret=%d", ret);
    if (ret == 0) {
        sess->handshakeComplete = true;
        VIR_DEBUG("Handshake is complete");
1309 1310 1311 1312 1313
        goto cleanup;
    }
    if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
        ret = 1;
        goto cleanup;
1314 1315 1316 1317 1318 1319 1320
    }

#if 0
    PROBE(CLIENT_TLS_FAIL, "fd=%d",
          virNetServerClientGetFD(client));
#endif

1321 1322 1323
    virReportError(VIR_ERR_AUTH_FAILED,
                   _("TLS handshake failed %s"),
                   gnutls_strerror(ret));
1324 1325 1326
    ret = -1;

cleanup:
1327
    virObjectUnlock(sess);
1328
    return ret;
1329 1330 1331 1332 1333
}

virNetTLSSessionHandshakeStatus
virNetTLSSessionGetHandshakeStatus(virNetTLSSessionPtr sess)
{
1334
    virNetTLSSessionHandshakeStatus ret;
1335
    virObjectLock(sess);
1336
    if (sess->handshakeComplete)
1337
        ret = VIR_NET_TLS_HANDSHAKE_COMPLETE;
1338
    else if (gnutls_record_get_direction(sess->session) == 0)
1339
        ret = VIR_NET_TLS_HANDSHAKE_RECVING;
1340
    else
1341
        ret = VIR_NET_TLS_HANDSHAKE_SENDING;
1342
    virObjectUnlock(sess);
1343
    return ret;
1344 1345 1346 1347 1348 1349
}

int virNetTLSSessionGetKeySize(virNetTLSSessionPtr sess)
{
    gnutls_cipher_algorithm_t cipher;
    int ssf;
1350
    virObjectLock(sess);
1351 1352
    cipher = gnutls_cipher_get(sess->session);
    if (!(ssf = gnutls_cipher_get_key_size(cipher))) {
1353 1354
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("invalid cipher size for TLS session"));
1355 1356
        ssf = -1;
        goto cleanup;
1357 1358
    }

1359
cleanup:
1360
    virObjectUnlock(sess);
1361 1362 1363 1364
    return ssf;
}


1365
void virNetTLSSessionDispose(void *obj)
1366
{
1367
    virNetTLSSessionPtr sess = obj;
1368 1369 1370 1371

    VIR_FREE(sess->hostname);
    gnutls_deinit(sess->session);
}
M
Michal Privoznik 已提交
1372 1373 1374 1375 1376 1377

/*
 * This function MUST be called before any
 * virNetTLS* because it initializes
 * underlying GnuTLS library. According to
 * it's documentation, it's safe to be called
1378 1379 1380 1381 1382 1383 1384
 * many times, but is not thread safe.
 *
 * There is no corresponding "Deinit" / "Cleanup"
 * function because there is no safe way to call
 * 'gnutls_global_deinit' from a multi-threaded
 * library, where other libraries linked into the
 * application may also be using gnutls.
M
Michal Privoznik 已提交
1385 1386 1387 1388 1389
 */
void virNetTLSInit(void)
{
    gnutls_global_init();
}