![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to vnc-tls.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Qemu by Fabrice Bellard] / qemu / ui|
Return to vnc-tls.c CVS log | Up to [Qemu by Fabrice Bellard] / qemu / ui |
1.1 ! root 1: /* ! 2: * QEMU VNC display driver: TLS helpers ! 3: * ! 4: * Copyright (C) 2006 Anthony Liguori <[email protected]> ! 5: * Copyright (C) 2006 Fabrice Bellard ! 6: * Copyright (C) 2009 Red Hat, Inc ! 7: * ! 8: * Permission is hereby granted, free of charge, to any person obtaining a copy ! 9: * of this software and associated documentation files (the "Software"), to deal ! 10: * in the Software without restriction, including without limitation the rights ! 11: * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ! 12: * copies of the Software, and to permit persons to whom the Software is ! 13: * furnished to do so, subject to the following conditions: ! 14: * ! 15: * The above copyright notice and this permission notice shall be included in ! 16: * all copies or substantial portions of the Software. ! 17: * ! 18: * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ! 19: * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ! 20: * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ! 21: * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ! 22: * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ! 23: * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ! 24: * THE SOFTWARE. ! 25: */ ! 26: ! 27: #include "qemu-x509.h" ! 28: #include "vnc.h" ! 29: #include "qemu_socket.h" ! 30: ! 31: #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 ! 32: /* Very verbose, so only enabled for _VNC_DEBUG >= 2 */ ! 33: static void vnc_debug_gnutls_log(int level, const char* str) { ! 34: VNC_DEBUG("%d %s", level, str); ! 35: } ! 36: #endif /* defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 */ ! 37: ! 38: ! 39: #define DH_BITS 1024 ! 40: static gnutls_dh_params_t dh_params; ! 41: ! 42: static int vnc_tls_initialize(void) ! 43: { ! 44: static int tlsinitialized = 0; ! 45: ! 46: if (tlsinitialized) ! 47: return 1; ! 48: ! 49: if (gnutls_global_init () < 0) ! 50: return 0; ! 51: ! 52: /* XXX ought to re-generate diffie-hellmen params periodically */ ! 53: if (gnutls_dh_params_init (&dh_params) < 0) ! 54: return 0; ! 55: if (gnutls_dh_params_generate2 (dh_params, DH_BITS) < 0) ! 56: return 0; ! 57: ! 58: #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 ! 59: gnutls_global_set_log_level(10); ! 60: gnutls_global_set_log_function(vnc_debug_gnutls_log); ! 61: #endif ! 62: ! 63: tlsinitialized = 1; ! 64: ! 65: return 1; ! 66: } ! 67: ! 68: static ssize_t vnc_tls_push(gnutls_transport_ptr_t transport, ! 69: const void *data, ! 70: size_t len) { ! 71: struct VncState *vs = (struct VncState *)transport; ! 72: int ret; ! 73: ! 74: retry: ! 75: ret = send(vs->csock, data, len, 0); ! 76: if (ret < 0) { ! 77: if (errno == EINTR) ! 78: goto retry; ! 79: return -1; ! 80: } ! 81: return ret; ! 82: } ! 83: ! 84: ! 85: static ssize_t vnc_tls_pull(gnutls_transport_ptr_t transport, ! 86: void *data, ! 87: size_t len) { ! 88: struct VncState *vs = (struct VncState *)transport; ! 89: int ret; ! 90: ! 91: retry: ! 92: ret = recv(vs->csock, data, len, 0); ! 93: if (ret < 0) { ! 94: if (errno == EINTR) ! 95: goto retry; ! 96: return -1; ! 97: } ! 98: return ret; ! 99: } ! 100: ! 101: ! 102: static gnutls_anon_server_credentials vnc_tls_initialize_anon_cred(void) ! 103: { ! 104: gnutls_anon_server_credentials anon_cred; ! 105: int ret; ! 106: ! 107: if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) { ! 108: VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret)); ! 109: return NULL; ! 110: } ! 111: ! 112: gnutls_anon_set_server_dh_params(anon_cred, dh_params); ! 113: ! 114: return anon_cred; ! 115: } ! 116: ! 117: ! 118: static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncDisplay *vd) ! 119: { ! 120: gnutls_certificate_credentials_t x509_cred; ! 121: int ret; ! 122: ! 123: if (!vd->tls.x509cacert) { ! 124: VNC_DEBUG("No CA x509 certificate specified\n"); ! 125: return NULL; ! 126: } ! 127: if (!vd->tls.x509cert) { ! 128: VNC_DEBUG("No server x509 certificate specified\n"); ! 129: return NULL; ! 130: } ! 131: if (!vd->tls.x509key) { ! 132: VNC_DEBUG("No server private key specified\n"); ! 133: return NULL; ! 134: } ! 135: ! 136: if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) { ! 137: VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret)); ! 138: return NULL; ! 139: } ! 140: if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred, ! 141: vd->tls.x509cacert, ! 142: GNUTLS_X509_FMT_PEM)) < 0) { ! 143: VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret)); ! 144: gnutls_certificate_free_credentials(x509_cred); ! 145: return NULL; ! 146: } ! 147: ! 148: if ((ret = gnutls_certificate_set_x509_key_file (x509_cred, ! 149: vd->tls.x509cert, ! 150: vd->tls.x509key, ! 151: GNUTLS_X509_FMT_PEM)) < 0) { ! 152: VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret)); ! 153: gnutls_certificate_free_credentials(x509_cred); ! 154: return NULL; ! 155: } ! 156: ! 157: if (vd->tls.x509cacrl) { ! 158: if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred, ! 159: vd->tls.x509cacrl, ! 160: GNUTLS_X509_FMT_PEM)) < 0) { ! 161: VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret)); ! 162: gnutls_certificate_free_credentials(x509_cred); ! 163: return NULL; ! 164: } ! 165: } ! 166: ! 167: gnutls_certificate_set_dh_params (x509_cred, dh_params); ! 168: ! 169: return x509_cred; ! 170: } ! 171: ! 172: ! 173: int vnc_tls_validate_certificate(struct VncState *vs) ! 174: { ! 175: int ret; ! 176: unsigned int status; ! 177: const gnutls_datum_t *certs; ! 178: unsigned int nCerts, i; ! 179: time_t now; ! 180: ! 181: VNC_DEBUG("Validating client certificate\n"); ! 182: if ((ret = gnutls_certificate_verify_peers2 (vs->tls.session, &status)) < 0) { ! 183: VNC_DEBUG("Verify failed %s\n", gnutls_strerror(ret)); ! 184: return -1; ! 185: } ! 186: ! 187: if ((now = time(NULL)) == ((time_t)-1)) { ! 188: return -1; ! 189: } ! 190: ! 191: if (status != 0) { ! 192: if (status & GNUTLS_CERT_INVALID) ! 193: VNC_DEBUG("The certificate is not trusted.\n"); ! 194: ! 195: if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) ! 196: VNC_DEBUG("The certificate hasn't got a known issuer.\n"); ! 197: ! 198: if (status & GNUTLS_CERT_REVOKED) ! 199: VNC_DEBUG("The certificate has been revoked.\n"); ! 200: ! 201: if (status & GNUTLS_CERT_INSECURE_ALGORITHM) ! 202: VNC_DEBUG("The certificate uses an insecure algorithm\n"); ! 203: ! 204: return -1; ! 205: } else { ! 206: VNC_DEBUG("Certificate is valid!\n"); ! 207: } ! 208: ! 209: /* Only support x509 for now */ ! 210: if (gnutls_certificate_type_get(vs->tls.session) != GNUTLS_CRT_X509) ! 211: return -1; ! 212: ! 213: if (!(certs = gnutls_certificate_get_peers(vs->tls.session, &nCerts))) ! 214: return -1; ! 215: ! 216: for (i = 0 ; i < nCerts ; i++) { ! 217: gnutls_x509_crt_t cert; ! 218: VNC_DEBUG ("Checking certificate chain %d\n", i); ! 219: if (gnutls_x509_crt_init (&cert) < 0) ! 220: return -1; ! 221: ! 222: if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) { ! 223: gnutls_x509_crt_deinit (cert); ! 224: return -1; ! 225: } ! 226: ! 227: if (gnutls_x509_crt_get_expiration_time (cert) < now) { ! 228: VNC_DEBUG("The certificate has expired\n"); ! 229: gnutls_x509_crt_deinit (cert); ! 230: return -1; ! 231: } ! 232: ! 233: if (gnutls_x509_crt_get_activation_time (cert) > now) { ! 234: VNC_DEBUG("The certificate is not yet activated\n"); ! 235: gnutls_x509_crt_deinit (cert); ! 236: return -1; ! 237: } ! 238: ! 239: if (gnutls_x509_crt_get_activation_time (cert) > now) { ! 240: VNC_DEBUG("The certificate is not yet activated\n"); ! 241: gnutls_x509_crt_deinit (cert); ! 242: return -1; ! 243: } ! 244: ! 245: if (i == 0) { ! 246: size_t dnameSize = 1024; ! 247: vs->tls.dname = qemu_malloc(dnameSize); ! 248: requery: ! 249: if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) { ! 250: if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { ! 251: vs->tls.dname = qemu_realloc(vs->tls.dname, dnameSize); ! 252: goto requery; ! 253: } ! 254: gnutls_x509_crt_deinit (cert); ! 255: VNC_DEBUG("Cannot get client distinguished name: %s", ! 256: gnutls_strerror (ret)); ! 257: return -1; ! 258: } ! 259: ! 260: if (vs->vd->tls.x509verify) { ! 261: int allow; ! 262: if (!vs->vd->tls.acl) { ! 263: VNC_DEBUG("no ACL activated, allowing access"); ! 264: gnutls_x509_crt_deinit (cert); ! 265: continue; ! 266: } ! 267: ! 268: allow = qemu_acl_party_is_allowed(vs->vd->tls.acl, ! 269: vs->tls.dname); ! 270: ! 271: VNC_DEBUG("TLS x509 ACL check for %s is %s\n", ! 272: vs->tls.dname, allow ? "allowed" : "denied"); ! 273: if (!allow) { ! 274: gnutls_x509_crt_deinit (cert); ! 275: return -1; ! 276: } ! 277: } ! 278: } ! 279: ! 280: gnutls_x509_crt_deinit (cert); ! 281: } ! 282: ! 283: return 0; ! 284: } ! 285: ! 286: ! 287: int vnc_tls_client_setup(struct VncState *vs, ! 288: int needX509Creds) { ! 289: static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; ! 290: static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; ! 291: static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0}; ! 292: static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0}; ! 293: ! 294: VNC_DEBUG("Do TLS setup\n"); ! 295: if (vnc_tls_initialize() < 0) { ! 296: VNC_DEBUG("Failed to init TLS\n"); ! 297: vnc_client_error(vs); ! 298: return -1; ! 299: } ! 300: if (vs->tls.session == NULL) { ! 301: if (gnutls_init(&vs->tls.session, GNUTLS_SERVER) < 0) { ! 302: vnc_client_error(vs); ! 303: return -1; ! 304: } ! 305: ! 306: if (gnutls_set_default_priority(vs->tls.session) < 0) { ! 307: gnutls_deinit(vs->tls.session); ! 308: vs->tls.session = NULL; ! 309: vnc_client_error(vs); ! 310: return -1; ! 311: } ! 312: ! 313: if (gnutls_kx_set_priority(vs->tls.session, needX509Creds ? kx_x509 : kx_anon) < 0) { ! 314: gnutls_deinit(vs->tls.session); ! 315: vs->tls.session = NULL; ! 316: vnc_client_error(vs); ! 317: return -1; ! 318: } ! 319: ! 320: if (gnutls_certificate_type_set_priority(vs->tls.session, cert_type_priority) < 0) { ! 321: gnutls_deinit(vs->tls.session); ! 322: vs->tls.session = NULL; ! 323: vnc_client_error(vs); ! 324: return -1; ! 325: } ! 326: ! 327: if (gnutls_protocol_set_priority(vs->tls.session, protocol_priority) < 0) { ! 328: gnutls_deinit(vs->tls.session); ! 329: vs->tls.session = NULL; ! 330: vnc_client_error(vs); ! 331: return -1; ! 332: } ! 333: ! 334: if (needX509Creds) { ! 335: gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs->vd); ! 336: if (!x509_cred) { ! 337: gnutls_deinit(vs->tls.session); ! 338: vs->tls.session = NULL; ! 339: vnc_client_error(vs); ! 340: return -1; ! 341: } ! 342: if (gnutls_credentials_set(vs->tls.session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) { ! 343: gnutls_deinit(vs->tls.session); ! 344: vs->tls.session = NULL; ! 345: gnutls_certificate_free_credentials(x509_cred); ! 346: vnc_client_error(vs); ! 347: return -1; ! 348: } ! 349: if (vs->vd->tls.x509verify) { ! 350: VNC_DEBUG("Requesting a client certificate\n"); ! 351: gnutls_certificate_server_set_request (vs->tls.session, GNUTLS_CERT_REQUEST); ! 352: } ! 353: ! 354: } else { ! 355: gnutls_anon_server_credentials anon_cred = vnc_tls_initialize_anon_cred(); ! 356: if (!anon_cred) { ! 357: gnutls_deinit(vs->tls.session); ! 358: vs->tls.session = NULL; ! 359: vnc_client_error(vs); ! 360: return -1; ! 361: } ! 362: if (gnutls_credentials_set(vs->tls.session, GNUTLS_CRD_ANON, anon_cred) < 0) { ! 363: gnutls_deinit(vs->tls.session); ! 364: vs->tls.session = NULL; ! 365: gnutls_anon_free_server_credentials(anon_cred); ! 366: vnc_client_error(vs); ! 367: return -1; ! 368: } ! 369: } ! 370: ! 371: gnutls_transport_set_ptr(vs->tls.session, (gnutls_transport_ptr_t)vs); ! 372: gnutls_transport_set_push_function(vs->tls.session, vnc_tls_push); ! 373: gnutls_transport_set_pull_function(vs->tls.session, vnc_tls_pull); ! 374: } ! 375: return 0; ! 376: } ! 377: ! 378: ! 379: void vnc_tls_client_cleanup(struct VncState *vs) ! 380: { ! 381: if (vs->tls.session) { ! 382: gnutls_deinit(vs->tls.session); ! 383: vs->tls.session = NULL; ! 384: } ! 385: vs->tls.wiremode = VNC_WIREMODE_CLEAR; ! 386: free(vs->tls.dname); ! 387: } ! 388: ! 389: ! 390: ! 391: static int vnc_set_x509_credential(VncDisplay *vd, ! 392: const char *certdir, ! 393: const char *filename, ! 394: char **cred, ! 395: int ignoreMissing) ! 396: { ! 397: struct stat sb; ! 398: ! 399: if (*cred) { ! 400: qemu_free(*cred); ! 401: *cred = NULL; ! 402: } ! 403: ! 404: *cred = qemu_malloc(strlen(certdir) + strlen(filename) + 2); ! 405: ! 406: strcpy(*cred, certdir); ! 407: strcat(*cred, "/"); ! 408: strcat(*cred, filename); ! 409: ! 410: VNC_DEBUG("Check %s\n", *cred); ! 411: if (stat(*cred, &sb) < 0) { ! 412: qemu_free(*cred); ! 413: *cred = NULL; ! 414: if (ignoreMissing && errno == ENOENT) ! 415: return 0; ! 416: return -1; ! 417: } ! 418: ! 419: return 0; ! 420: } ! 421: ! 422: ! 423: int vnc_tls_set_x509_creds_dir(VncDisplay *vd, ! 424: const char *certdir) ! 425: { ! 426: if (vnc_set_x509_credential(vd, certdir, X509_CA_CERT_FILE, &vd->tls.x509cacert, 0) < 0) ! 427: goto cleanup; ! 428: if (vnc_set_x509_credential(vd, certdir, X509_CA_CRL_FILE, &vd->tls.x509cacrl, 1) < 0) ! 429: goto cleanup; ! 430: if (vnc_set_x509_credential(vd, certdir, X509_SERVER_CERT_FILE, &vd->tls.x509cert, 0) < 0) ! 431: goto cleanup; ! 432: if (vnc_set_x509_credential(vd, certdir, X509_SERVER_KEY_FILE, &vd->tls.x509key, 0) < 0) ! 433: goto cleanup; ! 434: ! 435: return 0; ! 436: ! 437: cleanup: ! 438: qemu_free(vd->tls.x509cacert); ! 439: qemu_free(vd->tls.x509cacrl); ! 440: qemu_free(vd->tls.x509cert); ! 441: qemu_free(vd->tls.x509key); ! 442: vd->tls.x509cacert = vd->tls.x509cacrl = vd->tls.x509cert = vd->tls.x509key = NULL; ! 443: return -1; ! 444: } ! 445:
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.