root / ui / vnc-tls.c @ bd5c51ee
History | View | Annotate | Download (14.6 kB)
1 |
/*
|
---|---|
2 |
* QEMU VNC display driver: TLS helpers
|
3 |
*
|
4 |
* Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
|
5 |
* Copyright (C) 2006 Fabrice Bellard
|
6 |
* Copyright (C) 2009 Red Hat, Inc
|
7 |
*
|
8 |
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
9 |
* of this software and associated documentation files (the "Software"), to deal
|
10 |
* in the Software without restriction, including without limitation the rights
|
11 |
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
12 |
* copies of the Software, and to permit persons to whom the Software is
|
13 |
* furnished to do so, subject to the following conditions:
|
14 |
*
|
15 |
* The above copyright notice and this permission notice shall be included in
|
16 |
* all copies or substantial portions of the Software.
|
17 |
*
|
18 |
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
19 |
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
20 |
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
21 |
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
22 |
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
23 |
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
24 |
* THE SOFTWARE.
|
25 |
*/
|
26 |
|
27 |
#include "qemu-x509.h" |
28 |
#include "vnc.h" |
29 |
#include "qemu/sockets.h" |
30 |
|
31 |
#if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 |
32 |
/* Very verbose, so only enabled for _VNC_DEBUG >= 2 */
|
33 |
static void vnc_debug_gnutls_log(int level, const char* str) { |
34 |
VNC_DEBUG("%d %s", level, str);
|
35 |
} |
36 |
#endif /* defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 */ |
37 |
|
38 |
|
39 |
#define DH_BITS 1024 |
40 |
static gnutls_dh_params_t dh_params;
|
41 |
|
42 |
static int vnc_tls_initialize(void) |
43 |
{ |
44 |
static int tlsinitialized = 0; |
45 |
|
46 |
if (tlsinitialized)
|
47 |
return 1; |
48 |
|
49 |
if (gnutls_global_init () < 0) |
50 |
return 0; |
51 |
|
52 |
/* XXX ought to re-generate diffie-hellman params periodically */
|
53 |
if (gnutls_dh_params_init (&dh_params) < 0) |
54 |
return 0; |
55 |
if (gnutls_dh_params_generate2 (dh_params, DH_BITS) < 0) |
56 |
return 0; |
57 |
|
58 |
#if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 |
59 |
gnutls_global_set_log_level(10);
|
60 |
gnutls_global_set_log_function(vnc_debug_gnutls_log); |
61 |
#endif
|
62 |
|
63 |
tlsinitialized = 1;
|
64 |
|
65 |
return 1; |
66 |
} |
67 |
|
68 |
static ssize_t vnc_tls_push(gnutls_transport_ptr_t transport,
|
69 |
const void *data, |
70 |
size_t len) { |
71 |
struct VncState *vs = (struct VncState *)transport; |
72 |
int ret;
|
73 |
|
74 |
retry:
|
75 |
ret = send(vs->csock, data, len, 0);
|
76 |
if (ret < 0) { |
77 |
if (errno == EINTR)
|
78 |
goto retry;
|
79 |
return -1; |
80 |
} |
81 |
return ret;
|
82 |
} |
83 |
|
84 |
|
85 |
static ssize_t vnc_tls_pull(gnutls_transport_ptr_t transport,
|
86 |
void *data,
|
87 |
size_t len) { |
88 |
struct VncState *vs = (struct VncState *)transport; |
89 |
int ret;
|
90 |
|
91 |
retry:
|
92 |
ret = qemu_recv(vs->csock, data, len, 0);
|
93 |
if (ret < 0) { |
94 |
if (errno == EINTR)
|
95 |
goto retry;
|
96 |
return -1; |
97 |
} |
98 |
return ret;
|
99 |
} |
100 |
|
101 |
|
102 |
static gnutls_anon_server_credentials_t vnc_tls_initialize_anon_cred(void) |
103 |
{ |
104 |
gnutls_anon_server_credentials_t anon_cred; |
105 |
int ret;
|
106 |
|
107 |
if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) { |
108 |
VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
|
109 |
return NULL; |
110 |
} |
111 |
|
112 |
gnutls_anon_set_server_dh_params(anon_cred, dh_params); |
113 |
|
114 |
return anon_cred;
|
115 |
} |
116 |
|
117 |
|
118 |
static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncDisplay *vd)
|
119 |
{ |
120 |
gnutls_certificate_credentials_t x509_cred; |
121 |
int ret;
|
122 |
|
123 |
if (!vd->tls.x509cacert) {
|
124 |
VNC_DEBUG("No CA x509 certificate specified\n");
|
125 |
return NULL; |
126 |
} |
127 |
if (!vd->tls.x509cert) {
|
128 |
VNC_DEBUG("No server x509 certificate specified\n");
|
129 |
return NULL; |
130 |
} |
131 |
if (!vd->tls.x509key) {
|
132 |
VNC_DEBUG("No server private key specified\n");
|
133 |
return NULL; |
134 |
} |
135 |
|
136 |
if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) { |
137 |
VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
|
138 |
return NULL; |
139 |
} |
140 |
if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred,
|
141 |
vd->tls.x509cacert, |
142 |
GNUTLS_X509_FMT_PEM)) < 0) {
|
143 |
VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret));
|
144 |
gnutls_certificate_free_credentials(x509_cred); |
145 |
return NULL; |
146 |
} |
147 |
|
148 |
if ((ret = gnutls_certificate_set_x509_key_file (x509_cred,
|
149 |
vd->tls.x509cert, |
150 |
vd->tls.x509key, |
151 |
GNUTLS_X509_FMT_PEM)) < 0) {
|
152 |
VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret));
|
153 |
gnutls_certificate_free_credentials(x509_cred); |
154 |
return NULL; |
155 |
} |
156 |
|
157 |
if (vd->tls.x509cacrl) {
|
158 |
if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred,
|
159 |
vd->tls.x509cacrl, |
160 |
GNUTLS_X509_FMT_PEM)) < 0) {
|
161 |
VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret));
|
162 |
gnutls_certificate_free_credentials(x509_cred); |
163 |
return NULL; |
164 |
} |
165 |
} |
166 |
|
167 |
gnutls_certificate_set_dh_params (x509_cred, dh_params); |
168 |
|
169 |
return x509_cred;
|
170 |
} |
171 |
|
172 |
|
173 |
int vnc_tls_validate_certificate(struct VncState *vs) |
174 |
{ |
175 |
int ret;
|
176 |
unsigned int status; |
177 |
const gnutls_datum_t *certs;
|
178 |
unsigned int nCerts, i; |
179 |
time_t now; |
180 |
|
181 |
VNC_DEBUG("Validating client certificate\n");
|
182 |
if ((ret = gnutls_certificate_verify_peers2 (vs->tls.session, &status)) < 0) { |
183 |
VNC_DEBUG("Verify failed %s\n", gnutls_strerror(ret));
|
184 |
return -1; |
185 |
} |
186 |
|
187 |
if ((now = time(NULL)) == ((time_t)-1)) { |
188 |
return -1; |
189 |
} |
190 |
|
191 |
if (status != 0) { |
192 |
if (status & GNUTLS_CERT_INVALID)
|
193 |
VNC_DEBUG("The certificate is not trusted.\n");
|
194 |
|
195 |
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
|
196 |
VNC_DEBUG("The certificate hasn't got a known issuer.\n");
|
197 |
|
198 |
if (status & GNUTLS_CERT_REVOKED)
|
199 |
VNC_DEBUG("The certificate has been revoked.\n");
|
200 |
|
201 |
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
|
202 |
VNC_DEBUG("The certificate uses an insecure algorithm\n");
|
203 |
|
204 |
return -1; |
205 |
} else {
|
206 |
VNC_DEBUG("Certificate is valid!\n");
|
207 |
} |
208 |
|
209 |
/* Only support x509 for now */
|
210 |
if (gnutls_certificate_type_get(vs->tls.session) != GNUTLS_CRT_X509)
|
211 |
return -1; |
212 |
|
213 |
if (!(certs = gnutls_certificate_get_peers(vs->tls.session, &nCerts)))
|
214 |
return -1; |
215 |
|
216 |
for (i = 0 ; i < nCerts ; i++) { |
217 |
gnutls_x509_crt_t cert; |
218 |
VNC_DEBUG ("Checking certificate chain %d\n", i);
|
219 |
if (gnutls_x509_crt_init (&cert) < 0) |
220 |
return -1; |
221 |
|
222 |
if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) { |
223 |
gnutls_x509_crt_deinit (cert); |
224 |
return -1; |
225 |
} |
226 |
|
227 |
if (gnutls_x509_crt_get_expiration_time (cert) < now) {
|
228 |
VNC_DEBUG("The certificate has expired\n");
|
229 |
gnutls_x509_crt_deinit (cert); |
230 |
return -1; |
231 |
} |
232 |
|
233 |
if (gnutls_x509_crt_get_activation_time (cert) > now) {
|
234 |
VNC_DEBUG("The certificate is not yet activated\n");
|
235 |
gnutls_x509_crt_deinit (cert); |
236 |
return -1; |
237 |
} |
238 |
|
239 |
if (gnutls_x509_crt_get_activation_time (cert) > now) {
|
240 |
VNC_DEBUG("The certificate is not yet activated\n");
|
241 |
gnutls_x509_crt_deinit (cert); |
242 |
return -1; |
243 |
} |
244 |
|
245 |
if (i == 0) { |
246 |
size_t dnameSize = 1024;
|
247 |
vs->tls.dname = g_malloc(dnameSize); |
248 |
requery:
|
249 |
if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) { |
250 |
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
|
251 |
vs->tls.dname = g_realloc(vs->tls.dname, dnameSize); |
252 |
goto requery;
|
253 |
} |
254 |
gnutls_x509_crt_deinit (cert); |
255 |
VNC_DEBUG("Cannot get client distinguished name: %s",
|
256 |
gnutls_strerror (ret)); |
257 |
return -1; |
258 |
} |
259 |
|
260 |
if (vs->vd->tls.x509verify) {
|
261 |
int allow;
|
262 |
if (!vs->vd->tls.acl) {
|
263 |
VNC_DEBUG("no ACL activated, allowing access");
|
264 |
gnutls_x509_crt_deinit (cert); |
265 |
continue;
|
266 |
} |
267 |
|
268 |
allow = qemu_acl_party_is_allowed(vs->vd->tls.acl, |
269 |
vs->tls.dname); |
270 |
|
271 |
VNC_DEBUG("TLS x509 ACL check for %s is %s\n",
|
272 |
vs->tls.dname, allow ? "allowed" : "denied"); |
273 |
if (!allow) {
|
274 |
gnutls_x509_crt_deinit (cert); |
275 |
return -1; |
276 |
} |
277 |
} |
278 |
} |
279 |
|
280 |
gnutls_x509_crt_deinit (cert); |
281 |
} |
282 |
|
283 |
return 0; |
284 |
} |
285 |
|
286 |
#if defined(GNUTLS_VERSION_NUMBER) && \
|
287 |
GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */ |
288 |
|
289 |
static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) |
290 |
{ |
291 |
const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH"; |
292 |
int rc;
|
293 |
|
294 |
rc = gnutls_priority_set_direct(s, priority, NULL);
|
295 |
if (rc != GNUTLS_E_SUCCESS) {
|
296 |
return -1; |
297 |
} |
298 |
return 0; |
299 |
} |
300 |
|
301 |
#else
|
302 |
|
303 |
static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) |
304 |
{ |
305 |
static const int cert_types[] = { GNUTLS_CRT_X509, 0 }; |
306 |
static const int protocols[] = { |
307 |
GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
|
308 |
}; |
309 |
static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 }; |
310 |
static const int kx_x509[] = { |
311 |
GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, |
312 |
GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
|
313 |
}; |
314 |
int rc;
|
315 |
|
316 |
rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon); |
317 |
if (rc != GNUTLS_E_SUCCESS) {
|
318 |
return -1; |
319 |
} |
320 |
|
321 |
rc = gnutls_certificate_type_set_priority(s, cert_types); |
322 |
if (rc != GNUTLS_E_SUCCESS) {
|
323 |
return -1; |
324 |
} |
325 |
|
326 |
rc = gnutls_protocol_set_priority(s, protocols); |
327 |
if (rc != GNUTLS_E_SUCCESS) {
|
328 |
return -1; |
329 |
} |
330 |
return 0; |
331 |
} |
332 |
|
333 |
#endif
|
334 |
|
335 |
int vnc_tls_client_setup(struct VncState *vs, |
336 |
int needX509Creds) {
|
337 |
VncStateTLS *tls; |
338 |
|
339 |
VNC_DEBUG("Do TLS setup\n");
|
340 |
#ifdef CONFIG_VNC_WS
|
341 |
if (vs->websocket) {
|
342 |
tls = &vs->ws_tls; |
343 |
} else
|
344 |
#endif /* CONFIG_VNC_WS */ |
345 |
{ |
346 |
tls = &vs->tls; |
347 |
} |
348 |
if (vnc_tls_initialize() < 0) { |
349 |
VNC_DEBUG("Failed to init TLS\n");
|
350 |
vnc_client_error(vs); |
351 |
return -1; |
352 |
} |
353 |
if (tls->session == NULL) { |
354 |
if (gnutls_init(&tls->session, GNUTLS_SERVER) < 0) { |
355 |
vnc_client_error(vs); |
356 |
return -1; |
357 |
} |
358 |
|
359 |
if (gnutls_set_default_priority(tls->session) < 0) { |
360 |
gnutls_deinit(tls->session); |
361 |
tls->session = NULL;
|
362 |
vnc_client_error(vs); |
363 |
return -1; |
364 |
} |
365 |
|
366 |
if (vnc_set_gnutls_priority(tls->session, needX509Creds) < 0) { |
367 |
gnutls_deinit(tls->session); |
368 |
tls->session = NULL;
|
369 |
vnc_client_error(vs); |
370 |
return -1; |
371 |
} |
372 |
|
373 |
if (needX509Creds) {
|
374 |
gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs->vd); |
375 |
if (!x509_cred) {
|
376 |
gnutls_deinit(tls->session); |
377 |
tls->session = NULL;
|
378 |
vnc_client_error(vs); |
379 |
return -1; |
380 |
} |
381 |
if (gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) { |
382 |
gnutls_deinit(tls->session); |
383 |
tls->session = NULL;
|
384 |
gnutls_certificate_free_credentials(x509_cred); |
385 |
vnc_client_error(vs); |
386 |
return -1; |
387 |
} |
388 |
if (vs->vd->tls.x509verify) {
|
389 |
VNC_DEBUG("Requesting a client certificate\n");
|
390 |
gnutls_certificate_server_set_request (tls->session, GNUTLS_CERT_REQUEST); |
391 |
} |
392 |
|
393 |
} else {
|
394 |
gnutls_anon_server_credentials_t anon_cred = vnc_tls_initialize_anon_cred(); |
395 |
if (!anon_cred) {
|
396 |
gnutls_deinit(tls->session); |
397 |
tls->session = NULL;
|
398 |
vnc_client_error(vs); |
399 |
return -1; |
400 |
} |
401 |
if (gnutls_credentials_set(tls->session, GNUTLS_CRD_ANON, anon_cred) < 0) { |
402 |
gnutls_deinit(tls->session); |
403 |
tls->session = NULL;
|
404 |
gnutls_anon_free_server_credentials(anon_cred); |
405 |
vnc_client_error(vs); |
406 |
return -1; |
407 |
} |
408 |
} |
409 |
|
410 |
gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr_t)vs); |
411 |
gnutls_transport_set_push_function(tls->session, vnc_tls_push); |
412 |
gnutls_transport_set_pull_function(tls->session, vnc_tls_pull); |
413 |
} |
414 |
return 0; |
415 |
} |
416 |
|
417 |
|
418 |
void vnc_tls_client_cleanup(struct VncState *vs) |
419 |
{ |
420 |
if (vs->tls.session) {
|
421 |
gnutls_deinit(vs->tls.session); |
422 |
vs->tls.session = NULL;
|
423 |
} |
424 |
vs->tls.wiremode = VNC_WIREMODE_CLEAR; |
425 |
g_free(vs->tls.dname); |
426 |
#ifdef CONFIG_VNC_WS
|
427 |
if (vs->ws_tls.session) {
|
428 |
gnutls_deinit(vs->ws_tls.session); |
429 |
vs->ws_tls.session = NULL;
|
430 |
} |
431 |
vs->ws_tls.wiremode = VNC_WIREMODE_CLEAR; |
432 |
g_free(vs->ws_tls.dname); |
433 |
#endif /* CONFIG_VNC_WS */ |
434 |
} |
435 |
|
436 |
|
437 |
|
438 |
static int vnc_set_x509_credential(VncDisplay *vd, |
439 |
const char *certdir, |
440 |
const char *filename, |
441 |
char **cred,
|
442 |
int ignoreMissing)
|
443 |
{ |
444 |
struct stat sb;
|
445 |
|
446 |
if (*cred) {
|
447 |
g_free(*cred); |
448 |
*cred = NULL;
|
449 |
} |
450 |
|
451 |
*cred = g_malloc(strlen(certdir) + strlen(filename) + 2);
|
452 |
|
453 |
strcpy(*cred, certdir); |
454 |
strcat(*cred, "/");
|
455 |
strcat(*cred, filename); |
456 |
|
457 |
VNC_DEBUG("Check %s\n", *cred);
|
458 |
if (stat(*cred, &sb) < 0) { |
459 |
g_free(*cred); |
460 |
*cred = NULL;
|
461 |
if (ignoreMissing && errno == ENOENT)
|
462 |
return 0; |
463 |
return -1; |
464 |
} |
465 |
|
466 |
return 0; |
467 |
} |
468 |
|
469 |
|
470 |
int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
|
471 |
const char *certdir) |
472 |
{ |
473 |
if (vnc_set_x509_credential(vd, certdir, X509_CA_CERT_FILE, &vd->tls.x509cacert, 0) < 0) |
474 |
goto cleanup;
|
475 |
if (vnc_set_x509_credential(vd, certdir, X509_CA_CRL_FILE, &vd->tls.x509cacrl, 1) < 0) |
476 |
goto cleanup;
|
477 |
if (vnc_set_x509_credential(vd, certdir, X509_SERVER_CERT_FILE, &vd->tls.x509cert, 0) < 0) |
478 |
goto cleanup;
|
479 |
if (vnc_set_x509_credential(vd, certdir, X509_SERVER_KEY_FILE, &vd->tls.x509key, 0) < 0) |
480 |
goto cleanup;
|
481 |
|
482 |
return 0; |
483 |
|
484 |
cleanup:
|
485 |
g_free(vd->tls.x509cacert); |
486 |
g_free(vd->tls.x509cacrl); |
487 |
g_free(vd->tls.x509cert); |
488 |
g_free(vd->tls.x509key); |
489 |
vd->tls.x509cacert = vd->tls.x509cacrl = vd->tls.x509cert = vd->tls.x509key = NULL;
|
490 |
return -1; |
491 |
} |
492 |
|