Code Review / kvmfornfv.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
Add qemu 2.4.0
[kvmfornfv.git] / qemu / ui / vnc-tls.c
1 /*
2  * QEMU VNC display driver: TLS helpers
3  *
4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5  * Copyright (C) 2006 Fabrice Bellard
6  * Copyright (C) 2009 Red Hat, Inc
7  *
8  * Permission is hereby granted, free of charge, to any person obtaining a copy
9  * of this software and associated documentation files (the "Software"), to deal
10  * in the Software without restriction, including without limitation the rights
11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12  * copies of the Software, and to permit persons to whom the Software is
13  * furnished to do so, subject to the following conditions:
14  *
15  * The above copyright notice and this permission notice shall be included in
16  * all copies or substantial portions of the Software.
17  *
18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24  * THE SOFTWARE.
25  */
26
27 #include "qemu-x509.h"
28 #include "vnc.h"
29 #include "qemu/sockets.h"
30
31 #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2
32 /* Very verbose, so only enabled for _VNC_DEBUG >= 2 */
33 static void vnc_debug_gnutls_log(int level, const char* str) {
34     VNC_DEBUG("%d %s", level, str);
35 }
36 #endif /* defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 */
37
38
39 #define DH_BITS 1024
40 static gnutls_dh_params_t dh_params;
41
42 static int vnc_tls_initialize(void)
43 {
44     static int tlsinitialized = 0;
45
46     if (tlsinitialized)
47         return 1;
48
49     if (gnutls_global_init () < 0)
50         return 0;
51
52     /* XXX ought to re-generate diffie-hellman params periodically */
53     if (gnutls_dh_params_init (&dh_params) < 0)
54         return 0;
55     if (gnutls_dh_params_generate2 (dh_params, DH_BITS) < 0)
56         return 0;
57
58 #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2
59     gnutls_global_set_log_level(10);
60     gnutls_global_set_log_function(vnc_debug_gnutls_log);
61 #endif
62
63     tlsinitialized = 1;
64
65     return 1;
66 }
67
68 static ssize_t vnc_tls_push(gnutls_transport_ptr_t transport,
69                             const void *data,
70                             size_t len) {
71     VncState *vs = (VncState *)transport;
72     int ret;
73
74  retry:
75     ret = send(vs->csock, data, len, 0);
76     if (ret < 0) {
77         if (errno == EINTR)
78             goto retry;
79         return -1;
80     }
81     return ret;
82 }
83
84
85 static ssize_t vnc_tls_pull(gnutls_transport_ptr_t transport,
86                             void *data,
87                             size_t len) {
88     VncState *vs = (VncState *)transport;
89     int ret;
90
91  retry:
92     ret = qemu_recv(vs->csock, data, len, 0);
93     if (ret < 0) {
94         if (errno == EINTR)
95             goto retry;
96         return -1;
97     }
98     return ret;
99 }
100
101
102 static gnutls_anon_server_credentials_t vnc_tls_initialize_anon_cred(void)
103 {
104     gnutls_anon_server_credentials_t anon_cred;
105     int ret;
106
107     if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) {
108         VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
109         return NULL;
110     }
111
112     gnutls_anon_set_server_dh_params(anon_cred, dh_params);
113
114     return anon_cred;
115 }
116
117
118 static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncDisplay *vd)
119 {
120     gnutls_certificate_credentials_t x509_cred;
121     int ret;
122
123     if (!vd->tls.x509cacert) {
124         VNC_DEBUG("No CA x509 certificate specified\n");
125         return NULL;
126     }
127     if (!vd->tls.x509cert) {
128         VNC_DEBUG("No server x509 certificate specified\n");
129         return NULL;
130     }
131     if (!vd->tls.x509key) {
132         VNC_DEBUG("No server private key specified\n");
133         return NULL;
134     }
135
136     if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) {
137         VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
138         return NULL;
139     }
140     if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred,
141                                                       vd->tls.x509cacert,
142                                                       GNUTLS_X509_FMT_PEM)) < 0) {
143         VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret));
144         gnutls_certificate_free_credentials(x509_cred);
145         return NULL;
146     }
147
148     if ((ret = gnutls_certificate_set_x509_key_file (x509_cred,
149                                                      vd->tls.x509cert,
150                                                      vd->tls.x509key,
151                                                      GNUTLS_X509_FMT_PEM)) < 0) {
152         VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret));
153         gnutls_certificate_free_credentials(x509_cred);
154         return NULL;
155     }
156
157     if (vd->tls.x509cacrl) {
158         if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred,
159                                                         vd->tls.x509cacrl,
160                                                         GNUTLS_X509_FMT_PEM)) < 0) {
161             VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret));
162             gnutls_certificate_free_credentials(x509_cred);
163             return NULL;
164         }
165     }
166
167     gnutls_certificate_set_dh_params (x509_cred, dh_params);
168
169     return x509_cred;
170 }
171
172
173 int vnc_tls_validate_certificate(VncState *vs)
174 {
175     int ret;
176     unsigned int status;
177     const gnutls_datum_t *certs;
178     unsigned int nCerts, i;
179     time_t now;
180
181     VNC_DEBUG("Validating client certificate\n");
182     if ((ret = gnutls_certificate_verify_peers2 (vs->tls.session, &status)) < 0) {
183         VNC_DEBUG("Verify failed %s\n", gnutls_strerror(ret));
184         return -1;
185     }
186
187     if ((now = time(NULL)) == ((time_t)-1)) {
188         return -1;
189     }
190
191     if (status != 0) {
192         if (status & GNUTLS_CERT_INVALID)
193             VNC_DEBUG("The certificate is not trusted.\n");
194
195         if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
196             VNC_DEBUG("The certificate hasn't got a known issuer.\n");
197
198         if (status & GNUTLS_CERT_REVOKED)
199             VNC_DEBUG("The certificate has been revoked.\n");
200
201         if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
202             VNC_DEBUG("The certificate uses an insecure algorithm\n");
203
204         return -1;
205     } else {
206         VNC_DEBUG("Certificate is valid!\n");
207     }
208
209     /* Only support x509 for now */
210     if (gnutls_certificate_type_get(vs->tls.session) != GNUTLS_CRT_X509)
211         return -1;
212
213     if (!(certs = gnutls_certificate_get_peers(vs->tls.session, &nCerts)))
214         return -1;
215
216     for (i = 0 ; i < nCerts ; i++) {
217         gnutls_x509_crt_t cert;
218         VNC_DEBUG ("Checking certificate chain %d\n", i);
219         if (gnutls_x509_crt_init (&cert) < 0)
220             return -1;
221
222         if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {
223             gnutls_x509_crt_deinit (cert);
224             return -1;
225         }
226
227         if (gnutls_x509_crt_get_expiration_time (cert) < now) {
228             VNC_DEBUG("The certificate has expired\n");
229             gnutls_x509_crt_deinit (cert);
230             return -1;
231         }
232
233         if (gnutls_x509_crt_get_activation_time (cert) > now) {
234             VNC_DEBUG("The certificate is not yet activated\n");
235             gnutls_x509_crt_deinit (cert);
236             return -1;
237         }
238
239         if (gnutls_x509_crt_get_activation_time (cert) > now) {
240             VNC_DEBUG("The certificate is not yet activated\n");
241             gnutls_x509_crt_deinit (cert);
242             return -1;
243         }
244
245         if (i == 0) {
246             size_t dnameSize = 1024;
247             vs->tls.dname = g_malloc(dnameSize);
248         requery:
249             if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) {
250                 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
251                     vs->tls.dname = g_realloc(vs->tls.dname, dnameSize);
252                     goto requery;
253                 }
254                 gnutls_x509_crt_deinit (cert);
255                 VNC_DEBUG("Cannot get client distinguished name: %s",
256                           gnutls_strerror (ret));
257                 return -1;
258             }
259
260             if (vs->vd->tls.x509verify) {
261                 int allow;
262                 if (!vs->vd->tls.acl) {
263                     VNC_DEBUG("no ACL activated, allowing access");
264                     gnutls_x509_crt_deinit (cert);
265                     continue;
266                 }
267
268                 allow = qemu_acl_party_is_allowed(vs->vd->tls.acl,
269                                                   vs->tls.dname);
270
271                 VNC_DEBUG("TLS x509 ACL check for %s is %s\n",
272                           vs->tls.dname, allow ? "allowed" : "denied");
273                 if (!allow) {
274                     gnutls_x509_crt_deinit (cert);
275                     return -1;
276                 }
277             }
278         }
279
280         gnutls_x509_crt_deinit (cert);
281     }
282
283     return 0;
284 }
285
286 #if defined(GNUTLS_VERSION_NUMBER) && \
287     GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
288
289 static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
290 {
291     const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH";
292     int rc;
293
294     rc = gnutls_priority_set_direct(s, priority, NULL);
295     if (rc != GNUTLS_E_SUCCESS) {
296         return -1;
297     }
298     return 0;
299 }
300
301 #else
302
303 static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
304 {
305     static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
306     static const int protocols[] = {
307         GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
308     };
309     static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };
310     static const int kx_x509[] = {
311         GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
312         GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
313     };
314     int rc;
315
316     rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
317     if (rc != GNUTLS_E_SUCCESS) {
318         return -1;
319     }
320
321     rc = gnutls_certificate_type_set_priority(s, cert_types);
322     if (rc != GNUTLS_E_SUCCESS) {
323         return -1;
324     }
325
326     rc = gnutls_protocol_set_priority(s, protocols);
327     if (rc != GNUTLS_E_SUCCESS) {
328         return -1;
329     }
330     return 0;
331 }
332
333 #endif
334
335 int vnc_tls_client_setup(VncState *vs,
336                          int needX509Creds) {
337     VNC_DEBUG("Do TLS setup\n");
338     if (vnc_tls_initialize() < 0) {
339         VNC_DEBUG("Failed to init TLS\n");
340         vnc_client_error(vs);
341         return -1;
342     }
343     if (vs->tls.session == NULL) {
344         if (gnutls_init(&vs->tls.session, GNUTLS_SERVER) < 0) {
345             vnc_client_error(vs);
346             return -1;
347         }
348
349         if (gnutls_set_default_priority(vs->tls.session) < 0) {
350             gnutls_deinit(vs->tls.session);
351             vs->tls.session = NULL;
352             vnc_client_error(vs);
353             return -1;
354         }
355
356         if (vnc_set_gnutls_priority(vs->tls.session, needX509Creds) < 0) {
357             gnutls_deinit(vs->tls.session);
358             vs->tls.session = NULL;
359             vnc_client_error(vs);
360             return -1;
361         }
362
363         if (needX509Creds) {
364             gnutls_certificate_server_credentials x509_cred =
365                 vnc_tls_initialize_x509_cred(vs->vd);
366             if (!x509_cred) {
367                 gnutls_deinit(vs->tls.session);
368                 vs->tls.session = NULL;
369                 vnc_client_error(vs);
370                 return -1;
371             }
372             if (gnutls_credentials_set(vs->tls.session,
373                                        GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) {
374                 gnutls_deinit(vs->tls.session);
375                 vs->tls.session = NULL;
376                 gnutls_certificate_free_credentials(x509_cred);
377                 vnc_client_error(vs);
378                 return -1;
379             }
380             if (vs->vd->tls.x509verify) {
381                 VNC_DEBUG("Requesting a client certificate\n");
382                 gnutls_certificate_server_set_request(vs->tls.session,
383                                                       GNUTLS_CERT_REQUEST);
384             }
385
386         } else {
387             gnutls_anon_server_credentials_t anon_cred =
388                 vnc_tls_initialize_anon_cred();
389             if (!anon_cred) {
390                 gnutls_deinit(vs->tls.session);
391                 vs->tls.session = NULL;
392                 vnc_client_error(vs);
393                 return -1;
394             }
395             if (gnutls_credentials_set(vs->tls.session,
396                                        GNUTLS_CRD_ANON, anon_cred) < 0) {
397                 gnutls_deinit(vs->tls.session);
398                 vs->tls.session = NULL;
399                 gnutls_anon_free_server_credentials(anon_cred);
400                 vnc_client_error(vs);
401                 return -1;
402             }
403         }
404
405         gnutls_transport_set_ptr(vs->tls.session, (gnutls_transport_ptr_t)vs);
406         gnutls_transport_set_push_function(vs->tls.session, vnc_tls_push);
407         gnutls_transport_set_pull_function(vs->tls.session, vnc_tls_pull);
408     }
409     return 0;
410 }
411
412
413 void vnc_tls_client_cleanup(VncState *vs)
414 {
415     if (vs->tls.session) {
416         gnutls_deinit(vs->tls.session);
417         vs->tls.session = NULL;
418     }
419     g_free(vs->tls.dname);
420 }
421
422
423
424 static int vnc_set_x509_credential(VncDisplay *vd,
425                                    const char *certdir,
426                                    const char *filename,
427                                    char **cred,
428                                    int ignoreMissing)
429 {
430     struct stat sb;
431
432     g_free(*cred);
433     *cred = g_malloc(strlen(certdir) + strlen(filename) + 2);
434
435     strcpy(*cred, certdir);
436     strcat(*cred, "/");
437     strcat(*cred, filename);
438
439     VNC_DEBUG("Check %s\n", *cred);
440     if (stat(*cred, &sb) < 0) {
441         g_free(*cred);
442         *cred = NULL;
443         if (ignoreMissing && errno == ENOENT)
444             return 0;
445         return -1;
446     }
447
448     return 0;
449 }
450
451
452 int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
453                                const char *certdir)
454 {
455     if (vnc_set_x509_credential(vd, certdir, X509_CA_CERT_FILE, &vd->tls.x509cacert, 0) < 0)
456         goto cleanup;
457     if (vnc_set_x509_credential(vd, certdir, X509_CA_CRL_FILE, &vd->tls.x509cacrl, 1) < 0)
458         goto cleanup;
459     if (vnc_set_x509_credential(vd, certdir, X509_SERVER_CERT_FILE, &vd->tls.x509cert, 0) < 0)
460         goto cleanup;
461     if (vnc_set_x509_credential(vd, certdir, X509_SERVER_KEY_FILE, &vd->tls.x509key, 0) < 0)
462         goto cleanup;
463
464     return 0;
465
466  cleanup:
467     g_free(vd->tls.x509cacert);
468     g_free(vd->tls.x509cacrl);
469     g_free(vd->tls.x509cert);
470     g_free(vd->tls.x509key);
471     vd->tls.x509cacert = vd->tls.x509cacrl = vd->tls.x509cert = vd->tls.x509key = NULL;
472     return -1;
473 }
474