virnettlscontext.c 44.9 KB
Newer Older
1 2 3
/*
 * virnettlscontext.c: TLS encryption/x509 handling
 *
4
 * Copyright (C) 2010-2013 Red Hat, Inc.
5 6 7 8 9 10 11 12 13 14 15 16
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
17
 * License along with this library.  If not, see
O
Osier Yang 已提交
18
 * <http://www.gnu.org/licenses/>.
19 20 21 22 23 24 25 26 27
 */

#include <config.h>

#include <unistd.h>
#include <fnmatch.h>
#include <stdlib.h>

#include <gnutls/gnutls.h>
E
Eric Blake 已提交
28
#if HAVE_GNUTLS_CRYPTO_H
E
Eric Blake 已提交
29 30
# include <gnutls/crypto.h>
#endif
31 32 33 34
#include <gnutls/x509.h>
#include "gnutls_1_0_compat.h"

#include "virnettlscontext.h"
35
#include "virstring.h"
36

37
#include "viralloc.h"
38
#include "virerror.h"
39
#include "virfile.h"
40
#include "virutil.h"
41
#include "virlog.h"
42
#include "virthread.h"
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57
#include "configmake.h"

#define DH_BITS 1024

#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"

#define VIR_FROM_THIS VIR_FROM_RPC

struct _virNetTLSContext {
58
    virObjectLockable parent;
59 60 61 62 63 64 65 66 67 68

    gnutls_certificate_credentials_t x509cred;
    gnutls_dh_params_t dhParams;

    bool isServer;
    bool requireValidCert;
    const char *const*x509dnWhitelist;
};

struct _virNetTLSSession {
69
    virObjectLockable parent;
70 71 72

    bool handshakeComplete;

73
    bool isServer;
74 75 76 77 78
    char *hostname;
    gnutls_session_t session;
    virNetTLSSessionWriteFunc writeFunc;
    virNetTLSSessionReadFunc readFunc;
    void *opaque;
79
    char *x509dname;
80 81
};

82 83 84 85 86 87 88 89
static virClassPtr virNetTLSContextClass;
static virClassPtr virNetTLSSessionClass;
static void virNetTLSContextDispose(void *obj);
static void virNetTLSSessionDispose(void *obj);


static int virNetTLSContextOnceInit(void)
{
90
    if (!(virNetTLSContextClass = virClassNew(virClassForObjectLockable(),
91
                                              "virNetTLSContext",
92 93 94 95
                                              sizeof(virNetTLSContext),
                                              virNetTLSContextDispose)))
        return -1;

96
    if (!(virNetTLSSessionClass = virClassNew(virClassForObjectLockable(),
97
                                              "virNetTLSSession",
98 99 100 101 102 103 104 105 106
                                              sizeof(virNetTLSSession),
                                              virNetTLSSessionDispose)))
        return -1;

    return 0;
}

VIR_ONCE_GLOBAL_INIT(virNetTLSContext)

107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123

static int
virNetTLSContextCheckCertFile(const char *type, const char *file, bool allowMissing)
{
    if (!virFileExists(file)) {
        if (allowMissing)
            return 1;

        virReportSystemError(errno,
                             _("Cannot read %s '%s'"),
                             type, file);
        return -1;
    }
    return 0;
}


124 125
static void virNetTLSLog(int level ATTRIBUTE_UNUSED,
                         const char *str ATTRIBUTE_UNUSED) {
126 127 128
    VIR_DEBUG("%d %s", level, str);
}

129

130 131 132 133
static int virNetTLSContextCheckCertTimes(gnutls_x509_crt_t cert,
                                          const char *certFile,
                                          bool isServer,
                                          bool isCA)
134 135 136 137 138 139
{
    time_t now;

    if ((now = time(NULL)) == ((time_t)-1)) {
        virReportSystemError(errno, "%s",
                             _("cannot get current time"));
140
        return -1;
141 142 143
    }

    if (gnutls_x509_crt_get_expiration_time(cert) < now) {
144 145 146 147 148 149 150
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       (isCA ?
                        _("The CA certificate %s has expired") :
                        (isServer ?
                         _("The server certificate %s has expired") :
                         _("The client certificate %s has expired"))),
                       certFile);
151
        return -1;
152 153 154
    }

    if (gnutls_x509_crt_get_activation_time(cert) > now) {
155 156 157 158 159 160 161
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       (isCA ?
                        _("The CA certificate %s is not yet active") :
                        (isServer ?
                         _("The server certificate %s is not yet active") :
                         _("The client certificate %s is not yet active"))),
                       certFile);
162
        return -1;
163 164
    }

165 166 167
    return 0;
}

168 169 170 171 172 173 174 175 176

#ifndef GNUTLS_1_0_COMPAT
/*
 * The gnutls_x509_crt_get_basic_constraints function isn't
 * available in GNUTLS 1.0.x branches. This isn't critical
 * though, since gnutls_certificate_verify_peers2 will do
 * pretty much the same check at runtime, so we can just
 * disable this code
 */
177 178 179 180 181 182 183
static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert,
                                                     const char *certFile,
                                                     bool isServer,
                                                     bool isCA)
{
    int status;

184 185 186 187 188
    status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
    VIR_DEBUG("Cert %s basic constraints %d", certFile, status);

    if (status > 0) { /* It is a CA cert */
        if (!isCA) {
189 190 191 192
            virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                           _("The certificate %s basic constraints show a CA, but we need one for a server") :
                           _("The certificate %s basic constraints show a CA, but we need one for a client"),
                           certFile);
193
            return -1;
194 195 196
        }
    } else if (status == 0) { /* It is not a CA cert */
        if (isCA) {
197 198 199
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("The certificate %s basic constraints do not show a CA"),
                           certFile);
200
            return -1;
201 202 203
        }
    } else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */
        if (isCA) {
204 205 206
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("The certificate %s is missing basic constraints for a CA"),
                           certFile);
207
            return -1;
208 209
        }
    } else { /* General error */
210 211 212
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to query certificate %s basic constraints %s"),
                       certFile, gnutls_strerror(status));
213
        return -1;
214 215
    }

216 217
    return 0;
}
218 219
#endif

220 221 222 223 224 225

static int virNetTLSContextCheckCertKeyUsage(gnutls_x509_crt_t cert,
                                             const char *certFile,
                                             bool isCA)
{
    int status;
226 227
    unsigned int usage = 0;
    unsigned int critical = 0;
228

229
    status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
230

231
    VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
232
    if (status < 0) {
233 234 235 236
        if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
            usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
                GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
        } else {
237 238 239
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key usage %s"),
                           certFile, gnutls_strerror(status));
240
            return -1;
241
        }
242 243
    }

244 245
    if (isCA) {
        if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
246
            if (critical) {
247 248 249
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit certificate signing"),
                               certFile);
250
                return -1;
251 252 253 254
            } else {
                VIR_WARN("Certificate %s usage does not permit certificate signing",
                         certFile);
            }
255 256
        }
    } else {
257
        if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
258
            if (critical) {
259 260 261
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit digital signature"),
                               certFile);
262
                return -1;
263 264 265 266
            } else {
                VIR_WARN("Certificate %s usage does not permit digital signature",
                         certFile);
            }
267 268
        }
        if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
269
            if (critical) {
270 271 272
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s usage does not permit key encipherment"),
                               certFile);
273
                return -1;
274 275 276 277
            } else {
                VIR_WARN("Certificate %s usage does not permit key encipherment",
                         certFile);
            }
278 279 280
        }
    }

281 282 283 284 285 286 287 288 289
    return 0;
}


static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert,
                                               const char *certFile,
                                               bool isServer)
{
    int status;
290
    size_t i;
291 292
    unsigned int purposeCritical;
    unsigned int critical;
E
Eric Blake 已提交
293
    char *buffer = NULL;
294 295 296
    size_t size;
    bool allowClient = false, allowServer = false;

297
    critical = 0;
298
    for (i = 0; ; i++) {
299 300 301 302
        size = 0;
        status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL);

        if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
303
            VIR_DEBUG("No key purpose data available at slot %zu", i);
304 305 306 307

            /* If there is no data at all, then we must allow client/server to pass */
            if (i == 0)
                allowServer = allowClient = true;
308 309 310
            break;
        }
        if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
311 312 313
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key purpose %s"),
                           certFile, gnutls_strerror(status));
314
            return -1;
315 316
        }

317
        if (VIR_ALLOC_N(buffer, size) < 0)
318
            return -1;
319

320
        status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical);
321
        if (status < 0) {
322
            VIR_FREE(buffer);
323 324 325
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to query certificate %s key purpose %s"),
                           certFile, gnutls_strerror(status));
326
            return -1;
327
        }
328 329
        if (purposeCritical)
            critical = true;
330

331
        VIR_DEBUG("Key purpose %d %s critical %u", status, buffer, purposeCritical);
332
        if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
333
            allowServer = true;
334
        } else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
335
            allowClient = true;
336
        } else if (STRNEQ(buffer, GNUTLS_KP_ANY)) {
337
            allowServer = allowClient = true;
338 339 340 341 342
        }

        VIR_FREE(buffer);
    }

343 344
    if (isServer) {
        if (!allowServer) {
345
            if (critical) {
346 347 348
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s purpose does not allow use for with a TLS server"),
                               certFile);
349
                return -1;
350 351 352 353
            } else {
                VIR_WARN("Certificate %s purpose does not allow use for with a TLS server",
                         certFile);
            }
354
        }
355 356
    } else {
        if (!allowClient) {
357
            if (critical) {
358 359 360
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Certificate %s purpose does not allow use for with a TLS client"),
                               certFile);
361
                return -1;
362 363 364 365
            } else {
                VIR_WARN("Certificate %s purpose does not allow use for with a TLS client",
                         certFile);
            }
366 367 368
        }
    }

369 370 371 372 373 374 375 376 377
    return 0;
}

/* Check DN is on tls_allowed_dn_list. */
static int
virNetTLSContextCheckCertDNWhitelist(const char *dname,
                                     const char *const*wildcards)
{
    while (*wildcards) {
378
        int ret = fnmatch(*wildcards, dname, 0);
J
Ján Tomko 已提交
379
        if (ret == 0) /* Successful match */
380 381
            return 1;
        if (ret != FNM_NOMATCH) {
382 383 384
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           _("Malformed TLS whitelist regular expression '%s'"),
                           *wildcards);
385 386 387 388 389 390 391 392 393 394
            return -1;
        }

        wildcards++;
    }

    /* Log the client's DN for debugging */
    VIR_DEBUG("Failed whitelist check for client DN '%s'", dname);

    /* This is the most common error: make it informative. */
395 396 397
    virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                   _("Client's Distinguished Name is not on the list "
                     "of allowed clients (tls_allowed_dn_list).  Use "
398 399
                     "'certtool -i --infile clientcert.pem' to view the "
                     "Distinguished Name field in the client certificate, "
400
                     "or run this daemon with --verbose option."));
401 402 403 404 405 406 407 408
    return 0;
}


static int
virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert,
                            const char *certFile,
                            const char *hostname,
409
                            const char *dname,
410 411
                            const char *const* whitelist)
{
412 413
    if (whitelist && dname &&
        virNetTLSContextCheckCertDNWhitelist(dname, whitelist) <= 0)
414 415 416 417
        return -1;

    if (hostname &&
        !gnutls_x509_crt_check_hostname(cert, hostname)) {
418 419 420
        virReportError(VIR_ERR_RPC,
                       _("Certificate %s owner does not match the hostname %s"),
                       certFile, hostname);
421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436
        return -1;
    }

    return 0;
}


static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert,
                                     const char *certFile,
                                     bool isServer,
                                     bool isCA)
{
    if (virNetTLSContextCheckCertTimes(cert, certFile,
                                       isServer, isCA) < 0)
        return -1;

437
#ifndef GNUTLS_1_0_COMPAT
438 439 440
    if (virNetTLSContextCheckCertBasicConstraints(cert, certFile,
                                                  isServer, isCA) < 0)
        return -1;
441
#endif
442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457

    if (virNetTLSContextCheckCertKeyUsage(cert, certFile,
                                          isCA) < 0)
        return -1;

    if (!isCA &&
        virNetTLSContextCheckCertKeyPurpose(cert, certFile,
                                            isServer) < 0)
        return -1;

    return 0;
}


static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
                                         const char *certFile,
458 459
                                         gnutls_x509_crt_t *cacerts,
                                         size_t ncacerts,
460 461 462 463 464 465
                                         const char *cacertFile,
                                         bool isServer)
{
    unsigned int status;

    if (gnutls_x509_crt_list_verify(&cert, 1,
466
                                    cacerts, ncacerts,
467 468
                                    NULL, 0,
                                    0, &status) < 0) {
469 470 471 472
        virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                       _("Unable to verify server certificate %s against CA certificate %s") :
                       _("Unable to verify client certificate %s against CA certificate %s"),
                       certFile, cacertFile);
473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492
        return -1;
    }

    if (status != 0) {
        const char *reason = _("Invalid certificate");

        if (status & GNUTLS_CERT_INVALID)
            reason = _("The certificate is not trusted.");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
            reason = _("The certificate hasn't got a known issuer.");

        if (status & GNUTLS_CERT_REVOKED)
            reason = _("The certificate has been revoked.");

#ifndef GNUTLS_1_0_COMPAT
        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
            reason = _("The certificate uses an insecure algorithm");
#endif

493 494 495
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Our own certificate %s failed validation against %s: %s"),
                       certFile, cacertFile, reason);
496 497 498 499 500 501 502 503
        return -1;
    }

    return 0;
}


static gnutls_x509_crt_t virNetTLSContextLoadCertFromFile(const char *certFile,
504
                                                          bool isServer)
505 506 507 508 509 510
{
    gnutls_datum_t data;
    gnutls_x509_crt_t cert = NULL;
    char *buf = NULL;
    int ret = -1;

511 512
    VIR_DEBUG("isServer %d certFile %s",
              isServer, certFile);
513 514

    if (gnutls_x509_crt_init(&cert) < 0) {
515 516
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("Unable to initialize certificate"));
517 518 519 520 521 522 523 524 525 526
        goto cleanup;
    }

    if (virFileReadAll(certFile, (1<<16), &buf) < 0)
        goto cleanup;

    data.data = (unsigned char *)buf;
    data.size = strlen(buf);

    if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
527 528 529 530
        virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
                       _("Unable to import server certificate %s") :
                       _("Unable to import client certificate %s"),
                       certFile);
531 532
        goto cleanup;
    }
533

534 535 536 537 538 539 540 541 542 543 544 545
    ret = 0;

cleanup:
    if (ret != 0) {
        gnutls_x509_crt_deinit(cert);
        cert = NULL;
    }
    VIR_FREE(buf);
    return cert;
}


546 547
static int virNetTLSContextLoadCACertListFromFile(const char *certFile,
                                                  gnutls_x509_crt_t *certs,
548
                                                  unsigned int certMax,
549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580
                                                  size_t *ncerts)
{
    gnutls_datum_t data;
    char *buf = NULL;
    int ret = -1;

    *ncerts = 0;
    VIR_DEBUG("certFile %s", certFile);

    if (virFileReadAll(certFile, (1<<16), &buf) < 0)
        goto cleanup;

    data.data = (unsigned char *)buf;
    data.size = strlen(buf);

    if (gnutls_x509_crt_list_import(certs, &certMax, &data, GNUTLS_X509_FMT_PEM, 0) < 0) {
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to import CA certificate list %s"),
                       certFile);
        goto cleanup;
    }
    *ncerts = certMax;

    ret = 0;

cleanup:
    VIR_FREE(buf);
    return ret;
}


#define MAX_CERTS 16
581 582 583 584 585
static int virNetTLSContextSanityCheckCredentials(bool isServer,
                                                  const char *cacertFile,
                                                  const char *certFile)
{
    gnutls_x509_crt_t cert = NULL;
586
    gnutls_x509_crt_t cacerts[MAX_CERTS];
587
    size_t ncacerts = 0;
588
    size_t i;
589 590
    int ret = -1;

591
    memset(cacerts, 0, sizeof(cacerts));
592
    if ((access(certFile, R_OK) == 0) &&
593
        !(cert = virNetTLSContextLoadCertFromFile(certFile, isServer)))
594 595
        goto cleanup;
    if ((access(cacertFile, R_OK) == 0) &&
596 597
        virNetTLSContextLoadCACertListFromFile(cacertFile, cacerts,
                                               MAX_CERTS, &ncacerts) < 0)
598
        goto cleanup;
599

600 601 602
    if (cert &&
        virNetTLSContextCheckCert(cert, certFile, isServer, false) < 0)
        goto cleanup;
603

604 605 606 607
    for (i = 0; i < ncacerts; i++) {
        if (virNetTLSContextCheckCert(cacerts[i], cacertFile, isServer, true) < 0)
            goto cleanup;
    }
608

609 610
    if (cert && ncacerts &&
        virNetTLSContextCheckCertPair(cert, certFile, cacerts, ncacerts, cacertFile, isServer) < 0)
611
        goto cleanup;
612 613 614 615 616 617

    ret = 0;

cleanup:
    if (cert)
        gnutls_x509_crt_deinit(cert);
618 619
    for (i = 0; i < ncacerts; i++)
        gnutls_x509_crt_deinit(cacerts[i]);
620 621 622 623
    return ret;
}


624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642
static int virNetTLSContextLoadCredentials(virNetTLSContextPtr ctxt,
                                           bool isServer,
                                           const char *cacert,
                                           const char *cacrl,
                                           const char *cert,
                                           const char *key)
{
    int ret = -1;
    int err;

    if (cacert && cacert[0] != '\0') {
        if (virNetTLSContextCheckCertFile("CA certificate", cacert, false) < 0)
            goto cleanup;

        VIR_DEBUG("loading CA cert from %s", cacert);
        err = gnutls_certificate_set_x509_trust_file(ctxt->x509cred,
                                                     cacert,
                                                     GNUTLS_X509_FMT_PEM);
        if (err < 0) {
643 644
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to set x509 CA certificate: %s: %s"),
645
                           cacert, gnutls_strerror(err));
646 647 648 649 650 651 652 653 654 655 656 657 658 659 660
            goto cleanup;
        }
    }

    if (cacrl && cacrl[0] != '\0') {
        int rv;
        if ((rv = virNetTLSContextCheckCertFile("CA revocation list", cacrl, true)) < 0)
            goto cleanup;

        if (rv == 0) {
            VIR_DEBUG("loading CRL from %s", cacrl);
            err = gnutls_certificate_set_x509_crl_file(ctxt->x509cred,
                                                       cacrl,
                                                       GNUTLS_X509_FMT_PEM);
            if (err < 0) {
661 662 663
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Unable to set x509 certificate revocation list: %s: %s"),
                               cacrl, gnutls_strerror(err));
664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685
                goto cleanup;
            }
        } else {
            VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl);
        }
    }

    if (cert && cert[0] != '\0' && key && key[0] != '\0') {
        int rv;
        if ((rv = virNetTLSContextCheckCertFile("certificate", cert, !isServer)) < 0)
            goto cleanup;
        if (rv == 0 &&
            (rv = virNetTLSContextCheckCertFile("private key", key, !isServer)) < 0)
            goto cleanup;

        if (rv == 0) {
            VIR_DEBUG("loading cert and key from %s and %s", cert, key);
            err =
                gnutls_certificate_set_x509_key_file(ctxt->x509cred,
                                                     cert, key,
                                                     GNUTLS_X509_FMT_PEM);
            if (err < 0) {
686 687 688
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Unable to set x509 key and certificate: %s, %s: %s"),
                               key, cert, gnutls_strerror(err));
689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707
                goto cleanup;
            }
        } else {
            VIR_DEBUG("Skipping non-existant cert %s key %s on client", cert, key);
        }
    }

    ret = 0;

cleanup:
    return ret;
}


static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
                                               const char *cacrl,
                                               const char *cert,
                                               const char *key,
                                               const char *const*x509dnWhitelist,
708
                                               bool sanityCheckCert,
709 710 711 712 713 714 715
                                               bool requireValidCert,
                                               bool isServer)
{
    virNetTLSContextPtr ctxt;
    char *gnutlsdebug;
    int err;

716 717 718
    if (virNetTLSContextInitialize() < 0)
        return NULL;

719
    if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
720 721
        return NULL;

722 723 724 725 726 727 728 729 730 731 732 733
    if ((gnutlsdebug = getenv("LIBVIRT_GNUTLS_DEBUG")) != NULL) {
        int val;
        if (virStrToLong_i(gnutlsdebug, NULL, 10, &val) < 0)
            val = 10;
        gnutls_global_set_log_level(val);
        gnutls_global_set_log_function(virNetTLSLog);
        VIR_DEBUG("Enabled GNUTLS debug");
    }


    err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
    if (err) {
734 735 736
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to allocate x509 credentials: %s"),
                       gnutls_strerror(err));
737 738 739
        goto error;
    }

740
    if (sanityCheckCert &&
741 742 743
        virNetTLSContextSanityCheckCredentials(isServer, cacert, cert) < 0)
        goto error;

744 745 746 747 748 749 750 751 752 753 754
    if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
        goto error;

    /* Generate Diffie Hellman parameters - for use with DHE
     * kx algorithms. These should be discarded and regenerated
     * once a day, once a week or once a month. Depending on the
     * security requirements.
     */
    if (isServer) {
        err = gnutls_dh_params_init(&ctxt->dhParams);
        if (err < 0) {
755 756 757
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to initialize diffie-hellman parameters: %s"),
                           gnutls_strerror(err));
758 759 760 761
            goto error;
        }
        err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
        if (err < 0) {
762 763 764
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Unable to generate diffie-hellman parameters: %s"),
                           gnutls_strerror(err));
765 766 767 768 769 770 771 772 773 774 775
            goto error;
        }

        gnutls_certificate_set_dh_params(ctxt->x509cred,
                                         ctxt->dhParams);
    }

    ctxt->requireValidCert = requireValidCert;
    ctxt->x509dnWhitelist = x509dnWhitelist;
    ctxt->isServer = isServer;

776
    PROBE(RPC_TLS_CONTEXT_NEW,
777 778
          "ctxt=%p cacert=%s cacrl=%s cert=%s key=%s sanityCheckCert=%d requireValidCert=%d isServer=%d",
          ctxt, cacert, NULLSTR(cacrl), cert, key, sanityCheckCert, requireValidCert, isServer);
779

780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816
    return ctxt;

error:
    if (isServer)
        gnutls_dh_params_deinit(ctxt->dhParams);
    gnutls_certificate_free_credentials(ctxt->x509cred);
    VIR_FREE(ctxt);
    return NULL;
}


static int virNetTLSContextLocateCredentials(const char *pkipath,
                                             bool tryUserPkiPath,
                                             bool isServer,
                                             char **cacert,
                                             char **cacrl,
                                             char **cert,
                                             char **key)
{
    char *userdir = NULL;
    char *user_pki_path = NULL;

    *cacert = NULL;
    *cacrl = NULL;
    *key = NULL;
    *cert = NULL;

    VIR_DEBUG("pkipath=%s isServer=%d tryUserPkiPath=%d",
              pkipath, isServer, tryUserPkiPath);

    /* Explicit path, then use that no matter whether the
     * files actually exist there
     */
    if (pkipath) {
        VIR_DEBUG("Told to use TLS credentials in %s", pkipath);
        if ((virAsprintf(cacert, "%s/%s", pkipath,
                         "cacert.pem")) < 0)
817
            goto error;
818 819
        if ((virAsprintf(cacrl, "%s/%s", pkipath,
                         "cacrl.pem")) < 0)
820
            goto error;
821 822
        if ((virAsprintf(key, "%s/%s", pkipath,
                         isServer ? "serverkey.pem" : "clientkey.pem")) < 0)
823
            goto error;
824 825 826

        if ((virAsprintf(cert, "%s/%s", pkipath,
                         isServer ? "servercert.pem" : "clientcert.pem")) < 0)
827
             goto error;
828 829 830 831
    } else if (tryUserPkiPath) {
        /* Check to see if $HOME/.pki contains at least one of the
         * files and if so, use that
         */
832
        userdir = virGetUserDirectory();
833 834

        if (!userdir)
835
            goto error;
836 837

        if (virAsprintf(&user_pki_path, "%s/.pki/libvirt", userdir) < 0)
838
            goto error;
839 840 841 842 843

        VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path);

        if ((virAsprintf(cacert, "%s/%s", user_pki_path,
                         "cacert.pem")) < 0)
844
            goto error;
845 846 847

        if ((virAsprintf(cacrl, "%s/%s", user_pki_path,
                         "cacrl.pem")) < 0)
848
            goto error;
849 850 851

        if ((virAsprintf(key, "%s/%s", user_pki_path,
                         isServer ? "serverkey.pem" : "clientkey.pem")) < 0)
852
            goto error;
853 854 855

        if ((virAsprintf(cert, "%s/%s", user_pki_path,
                         isServer ? "servercert.pem" : "clientcert.pem")) < 0)
856
            goto error;
857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880

        /*
         * If some of the files can't be found, fallback
         * to the global location for them
         */
        if (!virFileExists(*cacert))
            VIR_FREE(*cacert);
        if (!virFileExists(*cacrl))
            VIR_FREE(*cacrl);

        /* Check these as a pair, since it they are
         * mutually dependent
         */
        if (!virFileExists(*key) || !virFileExists(*cert)) {
            VIR_FREE(*key);
            VIR_FREE(*cert);
        }
    }

    /* No explicit path, or user path didn't exist, so
     * fallback to global defaults
     */
    if (!*cacert) {
        VIR_DEBUG("Using default TLS CA certificate path");
881 882
        if (VIR_STRDUP(*cacert, LIBVIRT_CACERT) < 0)
            goto error;
883 884 885 886
    }

    if (!*cacrl) {
        VIR_DEBUG("Using default TLS CA revocation list path");
887 888
        if (VIR_STRDUP(*cacrl, LIBVIRT_CACRL) < 0)
            goto error;
889 890 891 892
    }

    if (!*key && !*cert) {
        VIR_DEBUG("Using default TLS key/certificate path");
893 894
        if (VIR_STRDUP(*key, isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY) < 0)
            goto error;
895

896 897
        if (VIR_STRDUP(*cert, isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT) < 0)
            goto error;
898 899 900 901 902 903 904
    }

    VIR_FREE(user_pki_path);
    VIR_FREE(userdir);

    return 0;

905
error:
906 907 908 909 910 911 912 913 914 915 916 917 918
    VIR_FREE(*cacert);
    VIR_FREE(*cacrl);
    VIR_FREE(*key);
    VIR_FREE(*cert);
    VIR_FREE(user_pki_path);
    VIR_FREE(userdir);
    return -1;
}


static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
                                                   bool tryUserPkiPath,
                                                   const char *const*x509dnWhitelist,
919
                                                   bool sanityCheckCert,
920 921 922 923 924 925 926
                                                   bool requireValidCert,
                                                   bool isServer)
{
    char *cacert = NULL, *cacrl = NULL, *key = NULL, *cert = NULL;
    virNetTLSContextPtr ctxt = NULL;

    if (virNetTLSContextLocateCredentials(pkipath, tryUserPkiPath, isServer,
927
                                          &cacert, &cacrl, &cert, &key) < 0)
928 929
        return NULL;

930
    ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
931 932
                               x509dnWhitelist, sanityCheckCert,
                               requireValidCert, isServer);
933 934 935 936 937 938 939 940 941 942 943 944

    VIR_FREE(cacert);
    VIR_FREE(cacrl);
    VIR_FREE(key);
    VIR_FREE(cert);

    return ctxt;
}

virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
                                                  bool tryUserPkiPath,
                                                  const char *const*x509dnWhitelist,
945
                                                  bool sanityCheckCert,
946 947
                                                  bool requireValidCert)
{
948 949
    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist,
                                   sanityCheckCert, requireValidCert, true);
950 951 952 953
}

virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
                                                  bool tryUserPkiPath,
954
                                                  bool sanityCheckCert,
955 956
                                                  bool requireValidCert)
{
957 958
    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL,
                                   sanityCheckCert, requireValidCert, false);
959 960 961 962 963 964 965 966
}


virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
                                              const char *cacrl,
                                              const char *cert,
                                              const char *key,
                                              const char *const*x509dnWhitelist,
967
                                              bool sanityCheckCert,
968 969
                                              bool requireValidCert)
{
970 971
    return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist,
                               sanityCheckCert, requireValidCert, true);
972 973 974 975 976 977 978
}


virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
                                              const char *cacrl,
                                              const char *cert,
                                              const char *key,
979
                                              bool sanityCheckCert,
980 981
                                              bool requireValidCert)
{
982 983
    return virNetTLSContextNew(cacert, cacrl, cert, key, NULL,
                               sanityCheckCert, requireValidCert, false);
984 985 986 987 988 989 990 991 992
}


static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
                                            virNetTLSSessionPtr sess)
{
    int ret;
    unsigned int status;
    const gnutls_datum_t *certs;
993 994
    unsigned int nCerts;
    size_t i;
995
    char dname[256];
996
    char *dnameptr = dname;
997 998 999
    size_t dnamesize = sizeof(dname);

    memset(dname, 0, dnamesize);
1000 1001

    if ((ret = gnutls_certificate_verify_peers2(sess->session, &status)) < 0){
1002 1003 1004
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to verify TLS peer: %s"),
                       gnutls_strerror(ret));
1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024
        goto authdeny;
    }

    if (status != 0) {
        const char *reason = _("Invalid certificate");

        if (status & GNUTLS_CERT_INVALID)
            reason = _("The certificate is not trusted.");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
            reason = _("The certificate hasn't got a known issuer.");

        if (status & GNUTLS_CERT_REVOKED)
            reason = _("The certificate has been revoked.");

#ifndef GNUTLS_1_0_COMPAT
        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
            reason = _("The certificate uses an insecure algorithm");
#endif

1025 1026 1027
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Certificate failed validation: %s"),
                       reason);
1028 1029 1030 1031
        goto authdeny;
    }

    if (gnutls_certificate_type_get(sess->session) != GNUTLS_CRT_X509) {
1032 1033
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("Only x509 certificates are supported"));
1034 1035 1036 1037
        goto authdeny;
    }

    if (!(certs = gnutls_certificate_get_peers(sess->session, &nCerts))) {
1038 1039
        virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                       _("The certificate has no peers"));
1040 1041 1042 1043 1044 1045 1046
        goto authdeny;
    }

    for (i = 0; i < nCerts; i++) {
        gnutls_x509_crt_t cert;

        if (gnutls_x509_crt_init(&cert) < 0) {
1047 1048
            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                           _("Unable to initialize certificate"));
1049 1050 1051 1052
            goto authfail;
        }

        if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {
1053 1054
            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                           _("Unable to load certificate"));
1055 1056 1057 1058
            gnutls_x509_crt_deinit(cert);
            goto authfail;
        }

1059 1060
        if (virNetTLSContextCheckCertTimes(cert, "[session]",
                                           sess->isServer, i > 0) < 0) {
1061 1062 1063 1064 1065
            gnutls_x509_crt_deinit(cert);
            goto authdeny;
        }

        if (i == 0) {
1066 1067
            ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize);
            if (ret != 0) {
1068 1069 1070
                virReportError(VIR_ERR_SYSTEM_ERROR,
                               _("Failed to get certificate %s distinguished name: %s"),
                               "[session]", gnutls_strerror(ret));
1071 1072
                goto authfail;
            }
1073
            if (VIR_STRDUP(sess->x509dname, dname) < 0)
1074
                goto authfail;
1075 1076 1077
            VIR_DEBUG("Peer DN is %s", dname);

            if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
1078
                                            ctxt->x509dnWhitelist) < 0) {
1079
                gnutls_x509_crt_deinit(cert);
1080 1081 1082 1083 1084 1085
                goto authdeny;
            }

            /* !sess->isServer, since on the client, we're validating the
             * server's cert, and on the server, the client's cert
             */
1086
#ifndef GNUTLS_1_0_COMPAT
1087 1088 1089 1090
            if (virNetTLSContextCheckCertBasicConstraints(cert, "[session]",
                                                          !sess->isServer, false) < 0) {
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
1091
            }
1092
#endif
1093

1094 1095
            if (virNetTLSContextCheckCertKeyUsage(cert, "[session]",
                                                  false) < 0) {
1096 1097 1098 1099
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
            }

1100 1101 1102
            /* !sess->isServer - as above */
            if (virNetTLSContextCheckCertKeyPurpose(cert, "[session]",
                                                    !sess->isServer) < 0) {
1103 1104 1105 1106
                gnutls_x509_crt_deinit(cert);
                goto authdeny;
            }
        }
1107
        gnutls_x509_crt_deinit(cert);
1108 1109
    }

1110 1111
    PROBE(RPC_TLS_CONTEXT_SESSION_ALLOW,
          "ctxt=%p sess=%p dname=%s",
1112
          ctxt, sess, dnameptr);
1113

1114 1115 1116
    return 0;

authdeny:
1117 1118
    PROBE(RPC_TLS_CONTEXT_SESSION_DENY,
          "ctxt=%p sess=%p dname=%s",
1119
          ctxt, sess, dnameptr);
1120

1121 1122 1123
    return -1;

authfail:
1124 1125 1126 1127
    PROBE(RPC_TLS_CONTEXT_SESSION_FAIL,
          "ctxt=%p sess=%p",
          ctxt, sess);

1128 1129 1130 1131 1132 1133
    return -1;
}

int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt,
                                     virNetTLSSessionPtr sess)
{
1134 1135
    int ret = -1;

1136 1137
    virObjectLock(ctxt);
    virObjectLock(sess);
1138
    if (virNetTLSContextValidCertificate(ctxt, sess) < 0) {
1139 1140
        virErrorPtr err = virGetLastError();
        VIR_WARN("Certificate check failed %s", err && err->message ? err->message : "<unknown>");
1141
        if (ctxt->requireValidCert) {
1142 1143
            virReportError(VIR_ERR_AUTH_FAILED, "%s",
                           _("Failed to verify peer's certificate"));
1144
            goto cleanup;
1145
        }
1146
        virResetLastError();
1147 1148
        VIR_INFO("Ignoring bad certificate at user request");
    }
1149 1150 1151 1152

    ret = 0;

cleanup:
1153 1154
    virObjectUnlock(ctxt);
    virObjectUnlock(sess);
1155 1156

    return ret;
1157 1158
}

1159
void virNetTLSContextDispose(void *obj)
1160
{
1161
    virNetTLSContextPtr ctxt = obj;
1162

1163 1164 1165
    PROBE(RPC_TLS_CONTEXT_DISPOSE,
          "ctxt=%p", ctxt);

1166 1167 1168 1169 1170 1171 1172 1173 1174 1175
    gnutls_dh_params_deinit(ctxt->dhParams);
    gnutls_certificate_free_credentials(ctxt->x509cred);
}


static ssize_t
virNetTLSSessionPush(void *opaque, const void *buf, size_t len)
{
    virNetTLSSessionPtr sess = opaque;
    if (!sess->writeFunc) {
1176
        VIR_WARN("TLS session push with missing write function");
1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204
        errno = EIO;
        return -1;
    };

    return sess->writeFunc(buf, len, sess->opaque);
}


static ssize_t
virNetTLSSessionPull(void *opaque, void *buf, size_t len)
{
    virNetTLSSessionPtr sess = opaque;
    if (!sess->readFunc) {
        VIR_WARN("TLS session pull with missing read function");
        errno = EIO;
        return -1;
    };

    return sess->readFunc(buf, len, sess->opaque);
}


virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
                                        const char *hostname)
{
    virNetTLSSessionPtr sess;
    int err;

E
Eric Blake 已提交
1205 1206
    VIR_DEBUG("ctxt=%p hostname=%s isServer=%d",
              ctxt, NULLSTR(hostname), ctxt->isServer);
1207

1208
    if (!(sess = virObjectLockableNew(virNetTLSSessionClass)))
1209 1210
        return NULL;

1211
    if (VIR_STRDUP(sess->hostname, hostname) < 0)
1212 1213 1214 1215
        goto error;

    if ((err = gnutls_init(&sess->session,
                           ctxt->isServer ? GNUTLS_SERVER : GNUTLS_CLIENT)) != 0) {
1216 1217 1218
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed to initialize TLS session: %s"),
                       gnutls_strerror(err));
1219 1220 1221 1222 1223 1224
        goto error;
    }

    /* avoid calling all the priority functions, since the defaults
     * are adequate.
     */
1225
    if ((err = gnutls_set_default_priority(sess->session)) != 0) {
1226 1227 1228
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed to set TLS session priority %s"),
                       gnutls_strerror(err));
1229 1230 1231 1232 1233 1234
        goto error;
    }

    if ((err = gnutls_credentials_set(sess->session,
                                      GNUTLS_CRD_CERTIFICATE,
                                      ctxt->x509cred)) != 0) {
1235 1236 1237
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Failed set TLS x509 credentials: %s"),
                       gnutls_strerror(err));
1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254
        goto error;
    }

    /* request client certificate if any.
     */
    if (ctxt->isServer) {
        gnutls_certificate_server_set_request(sess->session, GNUTLS_CERT_REQUEST);

        gnutls_dh_set_prime_bits(sess->session, DH_BITS);
    }

    gnutls_transport_set_ptr(sess->session, sess);
    gnutls_transport_set_push_function(sess->session,
                                       virNetTLSSessionPush);
    gnutls_transport_set_pull_function(sess->session,
                                       virNetTLSSessionPull);

1255 1256
    sess->isServer = ctxt->isServer;

1257
    PROBE(RPC_TLS_SESSION_NEW,
1258 1259
          "sess=%p ctxt=%p hostname=%s isServer=%d",
          sess, ctxt, hostname, sess->isServer);
1260

1261 1262 1263
    return sess;

error:
1264
    virObjectUnref(sess);
1265 1266 1267 1268 1269 1270 1271 1272 1273
    return NULL;
}


void virNetTLSSessionSetIOCallbacks(virNetTLSSessionPtr sess,
                                    virNetTLSSessionWriteFunc writeFunc,
                                    virNetTLSSessionReadFunc readFunc,
                                    void *opaque)
{
1274
    virObjectLock(sess);
1275 1276 1277
    sess->writeFunc = writeFunc;
    sess->readFunc = readFunc;
    sess->opaque = opaque;
1278
    virObjectUnlock(sess);
1279 1280 1281 1282 1283 1284 1285
}


ssize_t virNetTLSSessionWrite(virNetTLSSessionPtr sess,
                              const char *buf, size_t len)
{
    ssize_t ret;
1286

1287
    virObjectLock(sess);
1288 1289 1290
    ret = gnutls_record_send(sess->session, buf, len);

    if (ret >= 0)
1291
        goto cleanup;
1292 1293 1294 1295 1296 1297 1298 1299

    switch (ret) {
    case GNUTLS_E_AGAIN:
        errno = EAGAIN;
        break;
    case GNUTLS_E_INTERRUPTED:
        errno = EINTR;
        break;
1300 1301 1302
    case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
        errno = ENOMSG;
        break;
1303 1304 1305 1306 1307
    default:
        errno = EIO;
        break;
    }

1308 1309 1310
    ret = -1;

cleanup:
1311
    virObjectUnlock(sess);
1312
    return ret;
1313 1314 1315 1316 1317 1318 1319
}

ssize_t virNetTLSSessionRead(virNetTLSSessionPtr sess,
                             char *buf, size_t len)
{
    ssize_t ret;

1320
    virObjectLock(sess);
1321 1322 1323
    ret = gnutls_record_recv(sess->session, buf, len);

    if (ret >= 0)
1324
        goto cleanup;
1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337

    switch (ret) {
    case GNUTLS_E_AGAIN:
        errno = EAGAIN;
        break;
    case GNUTLS_E_INTERRUPTED:
        errno = EINTR;
        break;
    default:
        errno = EIO;
        break;
    }

1338 1339 1340
    ret = -1;

cleanup:
1341
    virObjectUnlock(sess);
1342
    return ret;
1343 1344 1345 1346
}

int virNetTLSSessionHandshake(virNetTLSSessionPtr sess)
{
1347
    int ret;
1348
    VIR_DEBUG("sess=%p", sess);
1349
    virObjectLock(sess);
1350
    ret = gnutls_handshake(sess->session);
1351 1352 1353 1354
    VIR_DEBUG("Ret=%d", ret);
    if (ret == 0) {
        sess->handshakeComplete = true;
        VIR_DEBUG("Handshake is complete");
1355 1356 1357 1358 1359
        goto cleanup;
    }
    if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
        ret = 1;
        goto cleanup;
1360 1361 1362 1363 1364 1365 1366
    }

#if 0
    PROBE(CLIENT_TLS_FAIL, "fd=%d",
          virNetServerClientGetFD(client));
#endif

1367 1368 1369
    virReportError(VIR_ERR_AUTH_FAILED,
                   _("TLS handshake failed %s"),
                   gnutls_strerror(ret));
1370 1371 1372
    ret = -1;

cleanup:
1373
    virObjectUnlock(sess);
1374
    return ret;
1375 1376 1377 1378 1379
}

virNetTLSSessionHandshakeStatus
virNetTLSSessionGetHandshakeStatus(virNetTLSSessionPtr sess)
{
1380
    virNetTLSSessionHandshakeStatus ret;
1381
    virObjectLock(sess);
1382
    if (sess->handshakeComplete)
1383
        ret = VIR_NET_TLS_HANDSHAKE_COMPLETE;
1384
    else if (gnutls_record_get_direction(sess->session) == 0)
1385
        ret = VIR_NET_TLS_HANDSHAKE_RECVING;
1386
    else
1387
        ret = VIR_NET_TLS_HANDSHAKE_SENDING;
1388
    virObjectUnlock(sess);
1389
    return ret;
1390 1391 1392 1393 1394 1395
}

int virNetTLSSessionGetKeySize(virNetTLSSessionPtr sess)
{
    gnutls_cipher_algorithm_t cipher;
    int ssf;
1396
    virObjectLock(sess);
1397 1398
    cipher = gnutls_cipher_get(sess->session);
    if (!(ssf = gnutls_cipher_get_key_size(cipher))) {
1399 1400
        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                       _("invalid cipher size for TLS session"));
1401 1402
        ssf = -1;
        goto cleanup;
1403 1404
    }

1405
cleanup:
1406
    virObjectUnlock(sess);
1407 1408 1409
    return ssf;
}

1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421
const char *virNetTLSSessionGetX509DName(virNetTLSSessionPtr sess)
{
    const char *ret = NULL;

    virObjectLock(sess);

    ret = sess->x509dname;

    virObjectUnlock(sess);

    return ret;
}
1422

1423
void virNetTLSSessionDispose(void *obj)
1424
{
1425
    virNetTLSSessionPtr sess = obj;
1426

1427 1428 1429
    PROBE(RPC_TLS_SESSION_DISPOSE,
          "sess=%p", sess);

1430
    VIR_FREE(sess->x509dname);
1431 1432 1433
    VIR_FREE(sess->hostname);
    gnutls_deinit(sess->session);
}
M
Michal Privoznik 已提交
1434 1435 1436 1437 1438 1439

/*
 * This function MUST be called before any
 * virNetTLS* because it initializes
 * underlying GnuTLS library. According to
 * it's documentation, it's safe to be called
1440 1441 1442 1443 1444 1445 1446
 * many times, but is not thread safe.
 *
 * There is no corresponding "Deinit" / "Cleanup"
 * function because there is no safe way to call
 * 'gnutls_global_deinit' from a multi-threaded
 * library, where other libraries linked into the
 * application may also be using gnutls.
M
Michal Privoznik 已提交
1447 1448 1449 1450 1451
 */
void virNetTLSInit(void)
{
    gnutls_global_init();
}