提交 · f53cc36fe8a59d1798d40c6a294a1de0af54254c · openeuler / libvirt

20 7月, 2011 2 次提交

Fix checking of key usage/purpose data · f53cc36f

由 Daniel P. Berrange 提交于 7月 20, 2011

If key usage or purpose data is not present in the cert, the
RFC recommends that access be allowed. Also fix checking of
key usage to include requirements for client/server certs,
and fix key purpose checking to treat data as a list of bits

f53cc36f

D
Fix mixed up error messages when reporting TLS certificate problems · 3ea04325
由 Daniel P. Berrange 提交于 7月 20, 2011
```
* src/rpc/virnettlscontext.c: Fix mixed up error messages
```
3ea04325

19 7月, 2011 2 次提交

Add sanity checking of basic constraints, key purpose & key usage · 79591d4f

由 Daniel P. Berrange 提交于 7月 15, 2011

Gnutls requires that certificates have basic constraints present
to be used as a CA certificate. OpenSSL doesn't add this data
by default, so add a sanity check to catch this situation. Also
validate that the key usage and key purpose constraints contain
correct data

* src/rpc/virnettlscontext.c: Add sanity checking of certificate
  constraints

79591d4f

Add some basic sanity checking of certificates before use · 543c266d

由 Daniel P. Berrange 提交于 7月 14, 2011

If the libvirt daemon or libvirt client is configured with bogus
certificates, it is very unhelpful to only find out about this
when a TLS connection is actually attempted. Not least because
the error messages you get back for failures are incredibly
obscure.

This adds some basic sanity checking of certificates at the
time the virNetTLSContext object is created. This is at libvirt
startup, or when creating a virNetClient instance.

This checks that the certificate expiry/start dates are valid
and that the certificate is actually signed by the CA that is
loaded.

* src/rpc/virnettlscontext.c: Add certificate sanity checks

543c266d

15 7月, 2011 2 次提交

D
Fix error message for missing TLS write function · c8771867
由 Daniel P. Berrange 提交于 7月 15, 2011
```
* src/rpc/virnettlscontext.c: s/read/write/
```
c8771867

Fix reporting of cert validation failures · f2845177

由 Daniel P. Berrange 提交于 7月 15, 2011

If the server succesfully validates the client cert, it will send
back a single byte, under TLS. If it fails, it will close the
connection. In this case, we were just reporting the standard
I/O error. The original RPC code had a special case hack for the
GNUTLS_E_UNEXPECTED_PACKET_LENGTH error code to make us report
a more useful error message

* src/rpc/virnetclient.c: Return ENOMSG if we get
  GNUTLS_E_UNEXPECTED_PACKET_LENGTH
* src/rpc/virnettlscontext.c: Report cert failure if we
  see ENOMSG

f2845177

08 7月, 2011 1 次提交

Fix mistaken order of server cert/key parameters in constructor · c2ddd536

由 Daniel P. Berrange 提交于 7月 08, 2011

The virNetTLSContextNew was being passed key/cert parameters in
the wrong order. This wasn't immediately visible because if
virNetTLSContextNewPath was used, a second bug reversed the order
of those parameters again.

Only if the paths were manually specified in /etc/libvirt/libvirtd.conf
did the bug appear

* src/rpc/virnettlscontext.c: Fix order of params passed to
  virNetTLSContextNew

c2ddd536

24 6月, 2011 1 次提交

Generic module for handling TLS encryption and x509 certs · 30fd0bbb

由 Daniel P. Berrange 提交于 11月 23, 2010

This provides two modules for handling TLS

 * virNetTLSContext provides the process-wide state, in particular
   all the x509 credentials, DH params and x509 whitelists
 * virNetTLSSession provides the per-connection state, ie the
   TLS session itself.

The virNetTLSContext provides APIs for validating a TLS session's
x509 credentials. The virNetTLSSession includes APIs for performing
the initial TLS handshake and sending/recving encrypted data

* src/Makefile.am: Add to libvirt-net-rpc.la
* src/rpc/virnettlscontext.c, src/rpc/virnettlscontext.h: Generic
  TLS handling code

30fd0bbb