Archipelago » qemu

/*

 * QEMU VNC display driver: TLS helpers

 *

 * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>

 * Copyright (C) 2006 Fabrice Bellard

 * Copyright (C) 2009 Red Hat, Inc

 *

 * Permission is hereby granted, free of charge, to any person obtaining a copy

 * of this software and associated documentation files (the "Software"), to deal

 * in the Software without restriction, including without limitation the rights

 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

 * copies of the Software, and to permit persons to whom the Software is

 * furnished to do so, subject to the following conditions:

 *

 * The above copyright notice and this permission notice shall be included in

 * all copies or substantial portions of the Software.

 *

 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL

 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

 * THE SOFTWARE.

 */

#include "qemu-x509.h"

#include "vnc.h"

#include "qemu/sockets.h"

#if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2

/* Very verbose, so only enabled for _VNC_DEBUG >= 2 */

static void vnc_debug_gnutls_log(int level, const char* str) {

    VNC_DEBUG("%d %s", level, str);

}

#endif /* defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 */

#define DH_BITS 1024

static gnutls_dh_params_t dh_params;

static int vnc_tls_initialize(void)

{

    static int tlsinitialized = 0;

    if (tlsinitialized)

        return 1;

    if (gnutls_global_init () < 0)

        return 0;

    /* XXX ought to re-generate diffie-hellman params periodically */

    if (gnutls_dh_params_init (&dh_params) < 0)

        return 0;

    if (gnutls_dh_params_generate2 (dh_params, DH_BITS) < 0)

        return 0;

#if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2

    gnutls_global_set_log_level(10);

    gnutls_global_set_log_function(vnc_debug_gnutls_log);

#endif

    tlsinitialized = 1;

    return 1;

}

static ssize_t vnc_tls_push(gnutls_transport_ptr_t transport,

                            const void *data,

                            size_t len) {

    struct VncState *vs = (struct VncState *)transport;

    int ret;

 retry:

    ret = send(vs->csock, data, len, 0);

    if (ret < 0) {

        if (errno == EINTR)

            goto retry;

        return -1;

    }

    return ret;

}

static ssize_t vnc_tls_pull(gnutls_transport_ptr_t transport,

                            void *data,

                            size_t len) {

    struct VncState *vs = (struct VncState *)transport;

    int ret;

 retry:

    ret = qemu_recv(vs->csock, data, len, 0);

    if (ret < 0) {

        if (errno == EINTR)

            goto retry;

        return -1;

    }

    return ret;

}

static gnutls_anon_server_credentials_t vnc_tls_initialize_anon_cred(void)

{

    gnutls_anon_server_credentials_t anon_cred;

    int ret;

    if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) {

        VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));

        return NULL;

    }

    gnutls_anon_set_server_dh_params(anon_cred, dh_params);

    return anon_cred;

}

static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncDisplay *vd)

{

    gnutls_certificate_credentials_t x509_cred;

    int ret;

    if (!vd->tls.x509cacert) {

        VNC_DEBUG("No CA x509 certificate specified\n");

        return NULL;

    }

    if (!vd->tls.x509cert) {

        VNC_DEBUG("No server x509 certificate specified\n");

        return NULL;

    }

    if (!vd->tls.x509key) {

        VNC_DEBUG("No server private key specified\n");

        return NULL;

    }

    if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) {

        VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));

        return NULL;

    }

    if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred,

                                                      vd->tls.x509cacert,

                                                      GNUTLS_X509_FMT_PEM)) < 0) {

        VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret));

        gnutls_certificate_free_credentials(x509_cred);

        return NULL;

    }

    if ((ret = gnutls_certificate_set_x509_key_file (x509_cred,

                                                     vd->tls.x509cert,

                                                     vd->tls.x509key,

                                                     GNUTLS_X509_FMT_PEM)) < 0) {

        VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret));

        gnutls_certificate_free_credentials(x509_cred);

        return NULL;

    }

    if (vd->tls.x509cacrl) {

        if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred,

                                                        vd->tls.x509cacrl,

                                                        GNUTLS_X509_FMT_PEM)) < 0) {

            VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret));

            gnutls_certificate_free_credentials(x509_cred);

            return NULL;

        }

    }

    gnutls_certificate_set_dh_params (x509_cred, dh_params);

    return x509_cred;

}

int vnc_tls_validate_certificate(struct VncState *vs)

{

    int ret;

    unsigned int status;

    const gnutls_datum_t *certs;

    unsigned int nCerts, i;

    time_t now;

    VNC_DEBUG("Validating client certificate\n");

    if ((ret = gnutls_certificate_verify_peers2 (vs->tls.session, &status)) < 0) {

        VNC_DEBUG("Verify failed %s\n", gnutls_strerror(ret));

        return -1;

    }

    if ((now = time(NULL)) == ((time_t)-1)) {

        return -1;

    }

    if (status != 0) {

        if (status & GNUTLS_CERT_INVALID)

            VNC_DEBUG("The certificate is not trusted.\n");

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)

            VNC_DEBUG("The certificate hasn't got a known issuer.\n");

        if (status & GNUTLS_CERT_REVOKED)

            VNC_DEBUG("The certificate has been revoked.\n");

        if (status & GNUTLS_CERT_INSECURE_ALGORITHM)

            VNC_DEBUG("The certificate uses an insecure algorithm\n");

        return -1;

    } else {

        VNC_DEBUG("Certificate is valid!\n");

    }

    /* Only support x509 for now */

    if (gnutls_certificate_type_get(vs->tls.session) != GNUTLS_CRT_X509)

        return -1;

    if (!(certs = gnutls_certificate_get_peers(vs->tls.session, &nCerts)))

        return -1;

    for (i = 0 ; i < nCerts ; i++) {

        gnutls_x509_crt_t cert;

        VNC_DEBUG ("Checking certificate chain %d\n", i);

        if (gnutls_x509_crt_init (&cert) < 0)

            return -1;

        if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {

            gnutls_x509_crt_deinit (cert);

            return -1;

        }

        if (gnutls_x509_crt_get_expiration_time (cert) < now) {

            VNC_DEBUG("The certificate has expired\n");

            gnutls_x509_crt_deinit (cert);

            return -1;

        }

        if (gnutls_x509_crt_get_activation_time (cert) > now) {

            VNC_DEBUG("The certificate is not yet activated\n");

            gnutls_x509_crt_deinit (cert);

            return -1;

        }

        if (gnutls_x509_crt_get_activation_time (cert) > now) {

            VNC_DEBUG("The certificate is not yet activated\n");

            gnutls_x509_crt_deinit (cert);

            return -1;

        }

        if (i == 0) {

            size_t dnameSize = 1024;

            vs->tls.dname = g_malloc(dnameSize);

        requery:

            if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) {

                if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {

                    vs->tls.dname = g_realloc(vs->tls.dname, dnameSize);

                    goto requery;

                }

                gnutls_x509_crt_deinit (cert);

                VNC_DEBUG("Cannot get client distinguished name: %s",

                          gnutls_strerror (ret));

                return -1;

            }

            if (vs->vd->tls.x509verify) {

                int allow;

                if (!vs->vd->tls.acl) {

                    VNC_DEBUG("no ACL activated, allowing access");

                    gnutls_x509_crt_deinit (cert);

                    continue;

                }

                allow = qemu_acl_party_is_allowed(vs->vd->tls.acl,

                                                  vs->tls.dname);

                VNC_DEBUG("TLS x509 ACL check for %s is %s\n",

                          vs->tls.dname, allow ? "allowed" : "denied");

                if (!allow) {

                    gnutls_x509_crt_deinit (cert);

                    return -1;

                }

            }

        }

        gnutls_x509_crt_deinit (cert);

    }

    return 0;

}

#if defined(GNUTLS_VERSION_NUMBER) && \

    GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */

static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)

{

    const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH";

    int rc;

    rc = gnutls_priority_set_direct(s, priority, NULL);

    if (rc != GNUTLS_E_SUCCESS) {

        return -1;

    }

    return 0;

}

#else

static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)

{

    static const int cert_types[] = { GNUTLS_CRT_X509, 0 };

    static const int protocols[] = {

        GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0

    };

    static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };

    static const int kx_x509[] = {

        GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,

        GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0

    };

    int rc;

    rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);

    if (rc != GNUTLS_E_SUCCESS) {

        return -1;

    }

    rc = gnutls_certificate_type_set_priority(s, cert_types);

    if (rc != GNUTLS_E_SUCCESS) {

        return -1;

    }

    rc = gnutls_protocol_set_priority(s, protocols);

    if (rc != GNUTLS_E_SUCCESS) {

        return -1;

    }

    return 0;

}

#endif

int vnc_tls_client_setup(struct VncState *vs,

                         int needX509Creds) {

    VncStateTLS *tls;

    VNC_DEBUG("Do TLS setup\n");

#ifdef CONFIG_VNC_WS

    if (vs->websocket) {

        tls = &vs->ws_tls;

    } else

#endif /* CONFIG_VNC_WS */

    {

        tls = &vs->tls;

    }

    if (vnc_tls_initialize() < 0) {

        VNC_DEBUG("Failed to init TLS\n");

        vnc_client_error(vs);

        return -1;

    }

    if (tls->session == NULL) {

        if (gnutls_init(&tls->session, GNUTLS_SERVER) < 0) {

            vnc_client_error(vs);

            return -1;

        }

        if (gnutls_set_default_priority(tls->session) < 0) {

            gnutls_deinit(tls->session);

            tls->session = NULL;

            vnc_client_error(vs);

            return -1;

        }

        if (vnc_set_gnutls_priority(tls->session, needX509Creds) < 0) {

            gnutls_deinit(tls->session);

            tls->session = NULL;

            vnc_client_error(vs);

            return -1;

        }

        if (needX509Creds) {

            gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs->vd);

            if (!x509_cred) {

                gnutls_deinit(tls->session);

                tls->session = NULL;

                vnc_client_error(vs);

                return -1;

            }

            if (gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) {

                gnutls_deinit(tls->session);

                tls->session = NULL;

                gnutls_certificate_free_credentials(x509_cred);

                vnc_client_error(vs);

                return -1;

            }

            if (vs->vd->tls.x509verify) {

                VNC_DEBUG("Requesting a client certificate\n");

                gnutls_certificate_server_set_request (tls->session, GNUTLS_CERT_REQUEST);

            }

        } else {

            gnutls_anon_server_credentials_t anon_cred = vnc_tls_initialize_anon_cred();

            if (!anon_cred) {

                gnutls_deinit(tls->session);

                tls->session = NULL;

                vnc_client_error(vs);

                return -1;

            }

            if (gnutls_credentials_set(tls->session, GNUTLS_CRD_ANON, anon_cred) < 0) {

                gnutls_deinit(tls->session);

                tls->session = NULL;

                gnutls_anon_free_server_credentials(anon_cred);

                vnc_client_error(vs);

                return -1;

            }

        }

        gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr_t)vs);

        gnutls_transport_set_push_function(tls->session, vnc_tls_push);

        gnutls_transport_set_pull_function(tls->session, vnc_tls_pull);

    }

    return 0;

}

void vnc_tls_client_cleanup(struct VncState *vs)

{

    if (vs->tls.session) {

        gnutls_deinit(vs->tls.session);

        vs->tls.session = NULL;

    }

    vs->tls.wiremode = VNC_WIREMODE_CLEAR;

    g_free(vs->tls.dname);

#ifdef CONFIG_VNC_WS

    if (vs->ws_tls.session) {

        gnutls_deinit(vs->ws_tls.session);

        vs->ws_tls.session = NULL;

    }

    vs->ws_tls.wiremode = VNC_WIREMODE_CLEAR;

    g_free(vs->ws_tls.dname);

#endif /* CONFIG_VNC_WS */

}

static int vnc_set_x509_credential(VncDisplay *vd,

                                   const char *certdir,

                                   const char *filename,

                                   char **cred,

                                   int ignoreMissing)

{

    struct stat sb;

    if (*cred) {

        g_free(*cred);

        *cred = NULL;

    }

    *cred = g_malloc(strlen(certdir) + strlen(filename) + 2);

    strcpy(*cred, certdir);

    strcat(*cred, "/");

    strcat(*cred, filename);

    VNC_DEBUG("Check %s\n", *cred);

    if (stat(*cred, &sb) < 0) {

        g_free(*cred);

        *cred = NULL;

        if (ignoreMissing && errno == ENOENT)

            return 0;

        return -1;

    }

    return 0;

}

int vnc_tls_set_x509_creds_dir(VncDisplay *vd,

                               const char *certdir)

{

    if (vnc_set_x509_credential(vd, certdir, X509_CA_CERT_FILE, &vd->tls.x509cacert, 0) < 0)

        goto cleanup;

    if (vnc_set_x509_credential(vd, certdir, X509_CA_CRL_FILE, &vd->tls.x509cacrl, 1) < 0)

        goto cleanup;

    if (vnc_set_x509_credential(vd, certdir, X509_SERVER_CERT_FILE, &vd->tls.x509cert, 0) < 0)

        goto cleanup;

    if (vnc_set_x509_credential(vd, certdir, X509_SERVER_KEY_FILE, &vd->tls.x509key, 0) < 0)

        goto cleanup;

    return 0;

 cleanup:

    g_free(vd->tls.x509cacert);

    g_free(vd->tls.x509cacrl);

    g_free(vd->tls.x509cert);

    g_free(vd->tls.x509key);

    vd->tls.x509cacert = vd->tls.x509cacrl = vd->tls.x509cert = vd->tls.x509key = NULL;

    return -1;

}