2010-11-23 20:17:41 +00:00
|
|
|
/*
|
|
|
|
* virnettlscontext.c: TLS encryption/x509 handling
|
|
|
|
*
|
2014-03-18 08:14:54 +00:00
|
|
|
* Copyright (C) 2010-2014 Red Hat, Inc.
|
2010-11-23 20:17:41 +00:00
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
2012-09-20 22:30:55 +00:00
|
|
|
* License along with this library. If not, see
|
2012-07-21 10:06:23 +00:00
|
|
|
* <http://www.gnu.org/licenses/>.
|
2010-11-23 20:17:41 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <fnmatch.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
|
|
|
#include <gnutls/gnutls.h>
|
2013-05-29 17:06:39 +00:00
|
|
|
#if HAVE_GNUTLS_CRYPTO_H
|
2013-05-29 03:15:08 +00:00
|
|
|
# include <gnutls/crypto.h>
|
|
|
|
#endif
|
2010-11-23 20:17:41 +00:00
|
|
|
#include <gnutls/x509.h>
|
|
|
|
|
|
|
|
#include "virnettlscontext.h"
|
2013-04-03 10:36:23 +00:00
|
|
|
#include "virstring.h"
|
2010-11-23 20:17:41 +00:00
|
|
|
|
2012-12-12 18:06:53 +00:00
|
|
|
#include "viralloc.h"
|
2012-12-13 18:21:53 +00:00
|
|
|
#include "virerror.h"
|
2013-05-09 18:59:04 +00:00
|
|
|
#include "virfile.h"
|
2012-12-13 17:44:57 +00:00
|
|
|
#include "virutil.h"
|
2012-12-12 17:59:27 +00:00
|
|
|
#include "virlog.h"
|
2014-02-27 13:41:11 +00:00
|
|
|
#include "virprobe.h"
|
2012-12-13 15:49:48 +00:00
|
|
|
#include "virthread.h"
|
2010-11-23 20:17:41 +00:00
|
|
|
#include "configmake.h"
|
|
|
|
|
2014-09-04 08:05:36 +00:00
|
|
|
#define DH_BITS 2048
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
|
|
|
|
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
|
|
|
|
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
|
|
|
|
#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem"
|
|
|
|
#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem"
|
|
|
|
#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem"
|
|
|
|
#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem"
|
|
|
|
|
|
|
|
#define VIR_FROM_THIS VIR_FROM_RPC
|
|
|
|
|
2014-02-28 12:16:17 +00:00
|
|
|
VIR_LOG_INIT("rpc.nettlscontext");
|
|
|
|
|
2010-11-23 20:17:41 +00:00
|
|
|
struct _virNetTLSContext {
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectLockable parent;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
gnutls_certificate_credentials_t x509cred;
|
|
|
|
gnutls_dh_params_t dhParams;
|
|
|
|
|
|
|
|
bool isServer;
|
|
|
|
bool requireValidCert;
|
|
|
|
const char *const*x509dnWhitelist;
|
2016-06-03 16:44:55 +00:00
|
|
|
char *priority;
|
2010-11-23 20:17:41 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
struct _virNetTLSSession {
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectLockable parent;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
bool handshakeComplete;
|
|
|
|
|
2011-07-14 16:52:03 +00:00
|
|
|
bool isServer;
|
2010-11-23 20:17:41 +00:00
|
|
|
char *hostname;
|
|
|
|
gnutls_session_t session;
|
|
|
|
virNetTLSSessionWriteFunc writeFunc;
|
|
|
|
virNetTLSSessionReadFunc readFunc;
|
|
|
|
void *opaque;
|
2012-01-20 17:18:28 +00:00
|
|
|
char *x509dname;
|
2010-11-23 20:17:41 +00:00
|
|
|
};
|
|
|
|
|
2012-07-11 13:35:48 +00:00
|
|
|
static virClassPtr virNetTLSContextClass;
|
|
|
|
static virClassPtr virNetTLSSessionClass;
|
|
|
|
static void virNetTLSContextDispose(void *obj);
|
|
|
|
static void virNetTLSSessionDispose(void *obj);
|
|
|
|
|
|
|
|
|
|
|
|
static int virNetTLSContextOnceInit(void)
|
|
|
|
{
|
2013-01-09 21:27:28 +00:00
|
|
|
if (!(virNetTLSContextClass = virClassNew(virClassForObjectLockable(),
|
2013-01-09 17:37:27 +00:00
|
|
|
"virNetTLSContext",
|
2012-07-11 13:35:48 +00:00
|
|
|
sizeof(virNetTLSContext),
|
|
|
|
virNetTLSContextDispose)))
|
|
|
|
return -1;
|
|
|
|
|
2013-01-09 21:27:28 +00:00
|
|
|
if (!(virNetTLSSessionClass = virClassNew(virClassForObjectLockable(),
|
2013-01-09 17:37:27 +00:00
|
|
|
"virNetTLSSession",
|
2012-07-11 13:35:48 +00:00
|
|
|
sizeof(virNetTLSSession),
|
|
|
|
virNetTLSSessionDispose)))
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
VIR_ONCE_GLOBAL_INIT(virNetTLSContext)
|
|
|
|
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
static int
|
|
|
|
virNetTLSContextCheckCertFile(const char *type, const char *file, bool allowMissing)
|
|
|
|
{
|
|
|
|
if (!virFileExists(file)) {
|
|
|
|
if (allowMissing)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
virReportSystemError(errno,
|
|
|
|
_("Cannot read %s '%s'"),
|
|
|
|
type, file);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-09-26 16:51:47 +00:00
|
|
|
static void virNetTLSLog(int level ATTRIBUTE_UNUSED,
|
2014-03-18 08:14:54 +00:00
|
|
|
const char *str ATTRIBUTE_UNUSED)
|
|
|
|
{
|
2010-11-23 20:17:41 +00:00
|
|
|
VIR_DEBUG("%d %s", level, str);
|
|
|
|
}
|
|
|
|
|
2011-07-14 16:52:03 +00:00
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
static int virNetTLSContextCheckCertTimes(gnutls_x509_crt_t cert,
|
|
|
|
const char *certFile,
|
|
|
|
bool isServer,
|
|
|
|
bool isCA)
|
2011-07-14 16:52:03 +00:00
|
|
|
{
|
|
|
|
time_t now;
|
|
|
|
|
|
|
|
if ((now = time(NULL)) == ((time_t)-1)) {
|
|
|
|
virReportSystemError(errno, "%s",
|
|
|
|
_("cannot get current time"));
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-14 16:52:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (gnutls_x509_crt_get_expiration_time(cert) < now) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
(isCA ?
|
|
|
|
_("The CA certificate %s has expired") :
|
|
|
|
(isServer ?
|
|
|
|
_("The server certificate %s has expired") :
|
|
|
|
_("The client certificate %s has expired"))),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-14 16:52:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (gnutls_x509_crt_get_activation_time(cert) > now) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
(isCA ?
|
|
|
|
_("The CA certificate %s is not yet active") :
|
|
|
|
(isServer ?
|
|
|
|
_("The server certificate %s is not yet active") :
|
|
|
|
_("The client certificate %s is not yet active"))),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-14 16:52:03 +00:00
|
|
|
}
|
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-07-26 10:53:39 +00:00
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert,
|
|
|
|
const char *certFile,
|
|
|
|
bool isServer,
|
|
|
|
bool isCA)
|
|
|
|
{
|
|
|
|
int status;
|
|
|
|
|
2011-07-15 11:55:23 +00:00
|
|
|
status = gnutls_x509_crt_get_basic_constraints(cert, NULL, NULL, NULL);
|
|
|
|
VIR_DEBUG("Cert %s basic constraints %d", certFile, status);
|
|
|
|
|
|
|
|
if (status > 0) { /* It is a CA cert */
|
|
|
|
if (!isCA) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
|
|
|
|
_("The certificate %s basic constraints show a CA, but we need one for a server") :
|
|
|
|
_("The certificate %s basic constraints show a CA, but we need one for a client"),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-15 11:55:23 +00:00
|
|
|
}
|
|
|
|
} else if (status == 0) { /* It is not a CA cert */
|
|
|
|
if (isCA) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("The certificate %s basic constraints do not show a CA"),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-15 11:55:23 +00:00
|
|
|
}
|
|
|
|
} else if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { /* Missing basicConstraints */
|
|
|
|
if (isCA) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("The certificate %s is missing basic constraints for a CA"),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-15 11:55:23 +00:00
|
|
|
}
|
|
|
|
} else { /* General error */
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to query certificate %s basic constraints %s"),
|
|
|
|
certFile, gnutls_strerror(status));
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-15 11:55:23 +00:00
|
|
|
}
|
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2011-07-26 10:53:39 +00:00
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
|
|
|
|
static int virNetTLSContextCheckCertKeyUsage(gnutls_x509_crt_t cert,
|
|
|
|
const char *certFile,
|
|
|
|
bool isCA)
|
|
|
|
{
|
|
|
|
int status;
|
2013-02-04 21:39:43 +00:00
|
|
|
unsigned int usage = 0;
|
|
|
|
unsigned int critical = 0;
|
2011-07-20 14:18:51 +00:00
|
|
|
|
2011-07-20 13:08:39 +00:00
|
|
|
status = gnutls_x509_crt_get_key_usage(cert, &usage, &critical);
|
2011-07-15 11:55:23 +00:00
|
|
|
|
2011-07-20 13:08:39 +00:00
|
|
|
VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
|
2011-07-15 11:55:23 +00:00
|
|
|
if (status < 0) {
|
2011-07-20 12:54:32 +00:00
|
|
|
if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
|
|
|
|
usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
|
|
|
|
GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
|
|
|
|
} else {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to query certificate %s key usage %s"),
|
|
|
|
certFile, gnutls_strerror(status));
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-20 12:54:32 +00:00
|
|
|
}
|
2011-07-15 11:55:23 +00:00
|
|
|
}
|
|
|
|
|
2011-07-20 12:54:32 +00:00
|
|
|
if (isCA) {
|
|
|
|
if (!(usage & GNUTLS_KEY_KEY_CERT_SIGN)) {
|
2011-07-20 13:08:39 +00:00
|
|
|
if (critical) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Certificate %s usage does not permit certificate signing"),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-20 13:08:39 +00:00
|
|
|
} else {
|
|
|
|
VIR_WARN("Certificate %s usage does not permit certificate signing",
|
|
|
|
certFile);
|
|
|
|
}
|
2011-07-15 11:55:23 +00:00
|
|
|
}
|
|
|
|
} else {
|
2011-07-20 12:54:32 +00:00
|
|
|
if (!(usage & GNUTLS_KEY_DIGITAL_SIGNATURE)) {
|
2011-07-20 13:08:39 +00:00
|
|
|
if (critical) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Certificate %s usage does not permit digital signature"),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-20 13:08:39 +00:00
|
|
|
} else {
|
|
|
|
VIR_WARN("Certificate %s usage does not permit digital signature",
|
|
|
|
certFile);
|
|
|
|
}
|
2011-07-20 12:54:32 +00:00
|
|
|
}
|
|
|
|
if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
|
2011-07-20 13:08:39 +00:00
|
|
|
if (critical) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Certificate %s usage does not permit key encipherment"),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-20 13:08:39 +00:00
|
|
|
} else {
|
|
|
|
VIR_WARN("Certificate %s usage does not permit key encipherment",
|
|
|
|
certFile);
|
|
|
|
}
|
2011-07-15 11:55:23 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int virNetTLSContextCheckCertKeyPurpose(gnutls_x509_crt_t cert,
|
|
|
|
const char *certFile,
|
|
|
|
bool isServer)
|
|
|
|
{
|
|
|
|
int status;
|
Convert 'int i' to 'size_t i' in src/rpc/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
size_t i;
|
2011-07-20 14:18:51 +00:00
|
|
|
unsigned int purposeCritical;
|
|
|
|
unsigned int critical;
|
2011-08-02 15:56:10 +00:00
|
|
|
char *buffer = NULL;
|
2011-07-20 14:18:51 +00:00
|
|
|
size_t size;
|
|
|
|
bool allowClient = false, allowServer = false;
|
|
|
|
|
2011-07-20 13:08:39 +00:00
|
|
|
critical = 0;
|
2013-05-21 10:01:01 +00:00
|
|
|
for (i = 0; ; i++) {
|
2011-07-15 11:55:23 +00:00
|
|
|
size = 0;
|
|
|
|
status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, NULL);
|
|
|
|
|
|
|
|
if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
|
Convert 'int i' to 'size_t i' in src/rpc/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
VIR_DEBUG("No key purpose data available at slot %zu", i);
|
2011-07-20 12:54:32 +00:00
|
|
|
|
|
|
|
/* If there is no data at all, then we must allow client/server to pass */
|
|
|
|
if (i == 0)
|
|
|
|
allowServer = allowClient = true;
|
2011-07-15 11:55:23 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (status != GNUTLS_E_SHORT_MEMORY_BUFFER) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to query certificate %s key purpose %s"),
|
|
|
|
certFile, gnutls_strerror(status));
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-15 11:55:23 +00:00
|
|
|
}
|
|
|
|
|
2013-07-04 10:15:05 +00:00
|
|
|
if (VIR_ALLOC_N(buffer, size) < 0)
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-15 11:55:23 +00:00
|
|
|
|
2011-07-20 13:08:39 +00:00
|
|
|
status = gnutls_x509_crt_get_key_purpose_oid(cert, i, buffer, &size, &purposeCritical);
|
2011-07-15 11:55:23 +00:00
|
|
|
if (status < 0) {
|
2011-07-20 14:18:51 +00:00
|
|
|
VIR_FREE(buffer);
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to query certificate %s key purpose %s"),
|
|
|
|
certFile, gnutls_strerror(status));
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-15 11:55:23 +00:00
|
|
|
}
|
2011-07-20 13:08:39 +00:00
|
|
|
if (purposeCritical)
|
|
|
|
critical = true;
|
2011-07-15 11:55:23 +00:00
|
|
|
|
2011-07-20 13:08:39 +00:00
|
|
|
VIR_DEBUG("Key purpose %d %s critical %u", status, buffer, purposeCritical);
|
2011-07-15 11:55:23 +00:00
|
|
|
if (STREQ(buffer, GNUTLS_KP_TLS_WWW_SERVER)) {
|
2011-07-20 12:54:32 +00:00
|
|
|
allowServer = true;
|
2011-07-15 11:55:23 +00:00
|
|
|
} else if (STREQ(buffer, GNUTLS_KP_TLS_WWW_CLIENT)) {
|
2011-07-20 12:54:32 +00:00
|
|
|
allowClient = true;
|
2011-07-15 11:55:23 +00:00
|
|
|
} else if (STRNEQ(buffer, GNUTLS_KP_ANY)) {
|
2011-07-20 12:54:32 +00:00
|
|
|
allowServer = allowClient = true;
|
2011-07-15 11:55:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
VIR_FREE(buffer);
|
|
|
|
}
|
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
if (isServer) {
|
|
|
|
if (!allowServer) {
|
2011-07-20 13:08:39 +00:00
|
|
|
if (critical) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Certificate %s purpose does not allow use for with a TLS server"),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-20 13:08:39 +00:00
|
|
|
} else {
|
|
|
|
VIR_WARN("Certificate %s purpose does not allow use for with a TLS server",
|
|
|
|
certFile);
|
|
|
|
}
|
2011-07-20 12:54:32 +00:00
|
|
|
}
|
2011-07-20 14:18:51 +00:00
|
|
|
} else {
|
|
|
|
if (!allowClient) {
|
2011-07-20 13:08:39 +00:00
|
|
|
if (critical) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Certificate %s purpose does not allow use for with a TLS client"),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
2011-07-20 13:08:39 +00:00
|
|
|
} else {
|
|
|
|
VIR_WARN("Certificate %s purpose does not allow use for with a TLS client",
|
|
|
|
certFile);
|
|
|
|
}
|
2011-07-20 12:54:32 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check DN is on tls_allowed_dn_list. */
|
|
|
|
static int
|
|
|
|
virNetTLSContextCheckCertDNWhitelist(const char *dname,
|
|
|
|
const char *const*wildcards)
|
|
|
|
{
|
|
|
|
while (*wildcards) {
|
2012-10-17 09:23:12 +00:00
|
|
|
int ret = fnmatch(*wildcards, dname, 0);
|
2012-10-11 16:31:20 +00:00
|
|
|
if (ret == 0) /* Successful match */
|
2011-07-20 14:18:51 +00:00
|
|
|
return 1;
|
|
|
|
if (ret != FNM_NOMATCH) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
_("Malformed TLS whitelist regular expression '%s'"),
|
|
|
|
*wildcards);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
wildcards++;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Log the client's DN for debugging */
|
|
|
|
VIR_DEBUG("Failed whitelist check for client DN '%s'", dname);
|
|
|
|
|
|
|
|
/* This is the most common error: make it informative. */
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
|
|
|
|
_("Client's Distinguished Name is not on the list "
|
|
|
|
"of allowed clients (tls_allowed_dn_list). Use "
|
2012-09-12 16:54:42 +00:00
|
|
|
"'certtool -i --infile clientcert.pem' to view the "
|
|
|
|
"Distinguished Name field in the client certificate, "
|
2012-07-18 10:41:47 +00:00
|
|
|
"or run this daemon with --verbose option."));
|
2011-07-20 14:18:51 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert,
|
|
|
|
const char *certFile,
|
|
|
|
const char *hostname,
|
2011-10-07 15:42:41 +00:00
|
|
|
const char *dname,
|
2011-07-20 14:18:51 +00:00
|
|
|
const char *const* whitelist)
|
|
|
|
{
|
2011-10-07 15:42:41 +00:00
|
|
|
if (whitelist && dname &&
|
|
|
|
virNetTLSContextCheckCertDNWhitelist(dname, whitelist) <= 0)
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (hostname &&
|
|
|
|
!gnutls_x509_crt_check_hostname(cert, hostname)) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_RPC,
|
|
|
|
_("Certificate %s owner does not match the hostname %s"),
|
|
|
|
certFile, hostname);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert,
|
|
|
|
const char *certFile,
|
|
|
|
bool isServer,
|
|
|
|
bool isCA)
|
|
|
|
{
|
|
|
|
if (virNetTLSContextCheckCertTimes(cert, certFile,
|
|
|
|
isServer, isCA) < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (virNetTLSContextCheckCertBasicConstraints(cert, certFile,
|
|
|
|
isServer, isCA) < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (virNetTLSContextCheckCertKeyUsage(cert, certFile,
|
|
|
|
isCA) < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (!isCA &&
|
|
|
|
virNetTLSContextCheckCertKeyPurpose(cert, certFile,
|
|
|
|
isServer) < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
|
|
|
|
const char *certFile,
|
2013-08-06 11:31:20 +00:00
|
|
|
gnutls_x509_crt_t *cacerts,
|
|
|
|
size_t ncacerts,
|
2011-07-20 14:18:51 +00:00
|
|
|
const char *cacertFile,
|
|
|
|
bool isServer)
|
|
|
|
{
|
|
|
|
unsigned int status;
|
|
|
|
|
|
|
|
if (gnutls_x509_crt_list_verify(&cert, 1,
|
2013-08-06 11:31:20 +00:00
|
|
|
cacerts, ncacerts,
|
2011-07-20 14:18:51 +00:00
|
|
|
NULL, 0,
|
|
|
|
0, &status) < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
|
|
|
|
_("Unable to verify server certificate %s against CA certificate %s") :
|
|
|
|
_("Unable to verify client certificate %s against CA certificate %s"),
|
|
|
|
certFile, cacertFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (status != 0) {
|
|
|
|
const char *reason = _("Invalid certificate");
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_INVALID)
|
|
|
|
reason = _("The certificate is not trusted.");
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
|
|
|
|
reason = _("The certificate hasn't got a known issuer.");
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_REVOKED)
|
|
|
|
reason = _("The certificate has been revoked.");
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
|
|
|
|
reason = _("The certificate uses an insecure algorithm");
|
|
|
|
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Our own certificate %s failed validation against %s: %s"),
|
|
|
|
certFile, cacertFile, reason);
|
2011-07-20 14:18:51 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static gnutls_x509_crt_t virNetTLSContextLoadCertFromFile(const char *certFile,
|
2013-08-06 11:31:20 +00:00
|
|
|
bool isServer)
|
2011-07-20 14:18:51 +00:00
|
|
|
{
|
|
|
|
gnutls_datum_t data;
|
|
|
|
gnutls_x509_crt_t cert = NULL;
|
|
|
|
char *buf = NULL;
|
|
|
|
int ret = -1;
|
|
|
|
|
2013-08-06 11:31:20 +00:00
|
|
|
VIR_DEBUG("isServer %d certFile %s",
|
|
|
|
isServer, certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
|
|
|
|
if (gnutls_x509_crt_init(&cert) < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
|
|
|
|
_("Unable to initialize certificate"));
|
2011-07-20 14:18:51 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (virFileReadAll(certFile, (1<<16), &buf) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
data.data = (unsigned char *)buf;
|
|
|
|
data.size = strlen(buf);
|
|
|
|
|
|
|
|
if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR, isServer ?
|
|
|
|
_("Unable to import server certificate %s") :
|
|
|
|
_("Unable to import client certificate %s"),
|
|
|
|
certFile);
|
2011-07-20 14:18:51 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
2011-07-15 11:55:23 +00:00
|
|
|
|
2011-07-14 16:52:03 +00:00
|
|
|
ret = 0;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
cleanup:
|
2011-07-14 16:52:03 +00:00
|
|
|
if (ret != 0) {
|
|
|
|
gnutls_x509_crt_deinit(cert);
|
|
|
|
cert = NULL;
|
|
|
|
}
|
|
|
|
VIR_FREE(buf);
|
|
|
|
return cert;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-08-06 11:31:20 +00:00
|
|
|
static int virNetTLSContextLoadCACertListFromFile(const char *certFile,
|
|
|
|
gnutls_x509_crt_t *certs,
|
2013-08-09 11:06:34 +00:00
|
|
|
unsigned int certMax,
|
2013-08-06 11:31:20 +00:00
|
|
|
size_t *ncerts)
|
|
|
|
{
|
|
|
|
gnutls_datum_t data;
|
|
|
|
char *buf = NULL;
|
|
|
|
int ret = -1;
|
|
|
|
|
|
|
|
*ncerts = 0;
|
|
|
|
VIR_DEBUG("certFile %s", certFile);
|
|
|
|
|
|
|
|
if (virFileReadAll(certFile, (1<<16), &buf) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
data.data = (unsigned char *)buf;
|
|
|
|
data.size = strlen(buf);
|
|
|
|
|
|
|
|
if (gnutls_x509_crt_list_import(certs, &certMax, &data, GNUTLS_X509_FMT_PEM, 0) < 0) {
|
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to import CA certificate list %s"),
|
|
|
|
certFile);
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
*ncerts = certMax;
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
cleanup:
|
2013-08-06 11:31:20 +00:00
|
|
|
VIR_FREE(buf);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#define MAX_CERTS 16
|
2011-07-14 16:52:03 +00:00
|
|
|
static int virNetTLSContextSanityCheckCredentials(bool isServer,
|
|
|
|
const char *cacertFile,
|
|
|
|
const char *certFile)
|
|
|
|
{
|
|
|
|
gnutls_x509_crt_t cert = NULL;
|
2013-08-06 11:31:20 +00:00
|
|
|
gnutls_x509_crt_t cacerts[MAX_CERTS];
|
2013-08-09 11:06:34 +00:00
|
|
|
size_t ncacerts = 0;
|
2013-08-06 11:31:20 +00:00
|
|
|
size_t i;
|
2011-07-14 16:52:03 +00:00
|
|
|
int ret = -1;
|
|
|
|
|
2013-08-09 11:06:34 +00:00
|
|
|
memset(cacerts, 0, sizeof(cacerts));
|
2011-07-20 14:18:51 +00:00
|
|
|
if ((access(certFile, R_OK) == 0) &&
|
2013-08-06 11:31:20 +00:00
|
|
|
!(cert = virNetTLSContextLoadCertFromFile(certFile, isServer)))
|
2011-07-20 14:18:51 +00:00
|
|
|
goto cleanup;
|
|
|
|
if ((access(cacertFile, R_OK) == 0) &&
|
2013-08-09 11:06:34 +00:00
|
|
|
virNetTLSContextLoadCACertListFromFile(cacertFile, cacerts,
|
|
|
|
MAX_CERTS, &ncacerts) < 0)
|
2011-07-20 14:18:51 +00:00
|
|
|
goto cleanup;
|
2011-07-14 16:52:03 +00:00
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
if (cert &&
|
|
|
|
virNetTLSContextCheckCert(cert, certFile, isServer, false) < 0)
|
|
|
|
goto cleanup;
|
2011-07-14 16:52:03 +00:00
|
|
|
|
2013-08-06 11:31:20 +00:00
|
|
|
for (i = 0; i < ncacerts; i++) {
|
|
|
|
if (virNetTLSContextCheckCert(cacerts[i], cacertFile, isServer, true) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
}
|
2011-07-14 16:52:03 +00:00
|
|
|
|
2013-08-06 11:31:20 +00:00
|
|
|
if (cert && ncacerts &&
|
|
|
|
virNetTLSContextCheckCertPair(cert, certFile, cacerts, ncacerts, cacertFile, isServer) < 0)
|
2011-07-20 14:18:51 +00:00
|
|
|
goto cleanup;
|
2011-07-14 16:52:03 +00:00
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
cleanup:
|
2011-07-14 16:52:03 +00:00
|
|
|
if (cert)
|
|
|
|
gnutls_x509_crt_deinit(cert);
|
2013-08-06 11:31:20 +00:00
|
|
|
for (i = 0; i < ncacerts; i++)
|
|
|
|
gnutls_x509_crt_deinit(cacerts[i]);
|
2011-07-14 16:52:03 +00:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2010-11-23 20:17:41 +00:00
|
|
|
static int virNetTLSContextLoadCredentials(virNetTLSContextPtr ctxt,
|
|
|
|
bool isServer,
|
|
|
|
const char *cacert,
|
|
|
|
const char *cacrl,
|
|
|
|
const char *cert,
|
|
|
|
const char *key)
|
|
|
|
{
|
|
|
|
int ret = -1;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (cacert && cacert[0] != '\0') {
|
|
|
|
if (virNetTLSContextCheckCertFile("CA certificate", cacert, false) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
VIR_DEBUG("loading CA cert from %s", cacert);
|
|
|
|
err = gnutls_certificate_set_x509_trust_file(ctxt->x509cred,
|
|
|
|
cacert,
|
|
|
|
GNUTLS_X509_FMT_PEM);
|
|
|
|
if (err < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to set x509 CA certificate: %s: %s"),
|
2012-10-17 09:23:12 +00:00
|
|
|
cacert, gnutls_strerror(err));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (cacrl && cacrl[0] != '\0') {
|
|
|
|
int rv;
|
|
|
|
if ((rv = virNetTLSContextCheckCertFile("CA revocation list", cacrl, true)) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
if (rv == 0) {
|
|
|
|
VIR_DEBUG("loading CRL from %s", cacrl);
|
|
|
|
err = gnutls_certificate_set_x509_crl_file(ctxt->x509cred,
|
|
|
|
cacrl,
|
|
|
|
GNUTLS_X509_FMT_PEM);
|
|
|
|
if (err < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to set x509 certificate revocation list: %s: %s"),
|
|
|
|
cacrl, gnutls_strerror(err));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (cert && cert[0] != '\0' && key && key[0] != '\0') {
|
|
|
|
int rv;
|
|
|
|
if ((rv = virNetTLSContextCheckCertFile("certificate", cert, !isServer)) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
if (rv == 0 &&
|
|
|
|
(rv = virNetTLSContextCheckCertFile("private key", key, !isServer)) < 0)
|
|
|
|
goto cleanup;
|
|
|
|
|
|
|
|
if (rv == 0) {
|
|
|
|
VIR_DEBUG("loading cert and key from %s and %s", cert, key);
|
|
|
|
err =
|
|
|
|
gnutls_certificate_set_x509_key_file(ctxt->x509cred,
|
|
|
|
cert, key,
|
|
|
|
GNUTLS_X509_FMT_PEM);
|
|
|
|
if (err < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to set x509 key and certificate: %s, %s: %s"),
|
|
|
|
key, cert, gnutls_strerror(err));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
} else {
|
2014-04-20 20:07:46 +00:00
|
|
|
VIR_DEBUG("Skipping non-existent cert %s key %s on client",
|
|
|
|
cert, key);
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
cleanup:
|
2010-11-23 20:17:41 +00:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
|
|
|
|
const char *cacrl,
|
|
|
|
const char *cert,
|
|
|
|
const char *key,
|
|
|
|
const char *const*x509dnWhitelist,
|
2016-06-03 16:44:55 +00:00
|
|
|
const char *priority,
|
2011-07-21 10:13:11 +00:00
|
|
|
bool sanityCheckCert,
|
2010-11-23 20:17:41 +00:00
|
|
|
bool requireValidCert,
|
|
|
|
bool isServer)
|
|
|
|
{
|
|
|
|
virNetTLSContextPtr ctxt;
|
|
|
|
int err;
|
|
|
|
|
2012-07-11 13:35:48 +00:00
|
|
|
if (virNetTLSContextInitialize() < 0)
|
|
|
|
return NULL;
|
|
|
|
|
2013-01-09 21:27:28 +00:00
|
|
|
if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
|
2011-07-26 00:21:32 +00:00
|
|
|
return NULL;
|
|
|
|
|
2016-06-03 16:44:55 +00:00
|
|
|
if (VIR_STRDUP(ctxt->priority, priority) < 0)
|
|
|
|
goto error;
|
|
|
|
|
2010-11-23 20:17:41 +00:00
|
|
|
err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
|
|
|
|
if (err) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to allocate x509 credentials: %s"),
|
|
|
|
gnutls_strerror(err));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
2011-07-21 10:13:11 +00:00
|
|
|
if (sanityCheckCert &&
|
2011-07-14 16:52:03 +00:00
|
|
|
virNetTLSContextSanityCheckCredentials(isServer, cacert, cert) < 0)
|
|
|
|
goto error;
|
|
|
|
|
2010-11-23 20:17:41 +00:00
|
|
|
if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
/* Generate Diffie Hellman parameters - for use with DHE
|
|
|
|
* kx algorithms. These should be discarded and regenerated
|
|
|
|
* once a day, once a week or once a month. Depending on the
|
|
|
|
* security requirements.
|
|
|
|
*/
|
|
|
|
if (isServer) {
|
|
|
|
err = gnutls_dh_params_init(&ctxt->dhParams);
|
|
|
|
if (err < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to initialize diffie-hellman parameters: %s"),
|
|
|
|
gnutls_strerror(err));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
|
|
|
|
if (err < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to generate diffie-hellman parameters: %s"),
|
|
|
|
gnutls_strerror(err));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
gnutls_certificate_set_dh_params(ctxt->x509cred,
|
|
|
|
ctxt->dhParams);
|
|
|
|
}
|
|
|
|
|
|
|
|
ctxt->requireValidCert = requireValidCert;
|
|
|
|
ctxt->x509dnWhitelist = x509dnWhitelist;
|
|
|
|
ctxt->isServer = isServer;
|
|
|
|
|
Rewrite all the DTrace/SystemTAP probing
The libvirtd daemon had a few crude system tap probes. Some of
these were broken during the RPC rewrite. The new modular RPC
code is structured in a way that allows much more effective
tracing. Instead of trying to hook up the original probes,
define a new set of probes for the RPC and event code.
The master probes file is now src/probes.d. This contains
probes for virNetServerClientPtr, virNetClientPtr, virSocketPtr
virNetTLSContextPtr and virNetTLSSessionPtr modules. Also add
probes for the poll event loop.
The src/dtrace2systemtap.pl script can convert the probes.d
file into a libvirt_probes.stp file to make use from systemtap
much simpler.
The src/rpc/gensystemtap.pl script can generate a set of
systemtap functions for translating RPC enum values into
printable strings. This works for all RPC header enums (program,
type, status, procedure) and also the authentication enum
The PROBE macro will automatically generate a VIR_DEBUG
statement, so any place with a PROBE can remove any existing
manual DEBUG statements.
* daemon/libvirtd.stp, daemon/probes.d: Remove obsolete probing
* daemon/libvirtd.h: Remove probe macros
* daemon/Makefile.am: Remove all probe buildings/install
* daemon/remote.c: Update authentication probes
* src/dtrace2systemtap.pl, src/rpc/gensystemtap.pl: Scripts
to generate STP files
* src/internal.h: Add probe macros
* src/probes.d: Master list of probes
* src/rpc/virnetclient.c, src/rpc/virnetserverclient.c,
src/rpc/virnetsocket.c, src/rpc/virnettlscontext.c,
src/util/event_poll.c: Insert probe points, removing any
DEBUG statements that duplicate the info
2011-09-30 13:40:23 +00:00
|
|
|
PROBE(RPC_TLS_CONTEXT_NEW,
|
2012-07-11 13:35:48 +00:00
|
|
|
"ctxt=%p cacert=%s cacrl=%s cert=%s key=%s sanityCheckCert=%d requireValidCert=%d isServer=%d",
|
|
|
|
ctxt, cacert, NULLSTR(cacrl), cert, key, sanityCheckCert, requireValidCert, isServer);
|
Rewrite all the DTrace/SystemTAP probing
The libvirtd daemon had a few crude system tap probes. Some of
these were broken during the RPC rewrite. The new modular RPC
code is structured in a way that allows much more effective
tracing. Instead of trying to hook up the original probes,
define a new set of probes for the RPC and event code.
The master probes file is now src/probes.d. This contains
probes for virNetServerClientPtr, virNetClientPtr, virSocketPtr
virNetTLSContextPtr and virNetTLSSessionPtr modules. Also add
probes for the poll event loop.
The src/dtrace2systemtap.pl script can convert the probes.d
file into a libvirt_probes.stp file to make use from systemtap
much simpler.
The src/rpc/gensystemtap.pl script can generate a set of
systemtap functions for translating RPC enum values into
printable strings. This works for all RPC header enums (program,
type, status, procedure) and also the authentication enum
The PROBE macro will automatically generate a VIR_DEBUG
statement, so any place with a PROBE can remove any existing
manual DEBUG statements.
* daemon/libvirtd.stp, daemon/probes.d: Remove obsolete probing
* daemon/libvirtd.h: Remove probe macros
* daemon/Makefile.am: Remove all probe buildings/install
* daemon/remote.c: Update authentication probes
* src/dtrace2systemtap.pl, src/rpc/gensystemtap.pl: Scripts
to generate STP files
* src/internal.h: Add probe macros
* src/probes.d: Master list of probes
* src/rpc/virnetclient.c, src/rpc/virnetserverclient.c,
src/rpc/virnetsocket.c, src/rpc/virnettlscontext.c,
src/util/event_poll.c: Insert probe points, removing any
DEBUG statements that duplicate the info
2011-09-30 13:40:23 +00:00
|
|
|
|
2010-11-23 20:17:41 +00:00
|
|
|
return ctxt;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
error:
|
2010-11-23 20:17:41 +00:00
|
|
|
if (isServer)
|
|
|
|
gnutls_dh_params_deinit(ctxt->dhParams);
|
|
|
|
gnutls_certificate_free_credentials(ctxt->x509cred);
|
|
|
|
VIR_FREE(ctxt);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int virNetTLSContextLocateCredentials(const char *pkipath,
|
|
|
|
bool tryUserPkiPath,
|
|
|
|
bool isServer,
|
|
|
|
char **cacert,
|
|
|
|
char **cacrl,
|
|
|
|
char **cert,
|
|
|
|
char **key)
|
|
|
|
{
|
|
|
|
char *userdir = NULL;
|
|
|
|
char *user_pki_path = NULL;
|
|
|
|
|
|
|
|
*cacert = NULL;
|
|
|
|
*cacrl = NULL;
|
|
|
|
*key = NULL;
|
|
|
|
*cert = NULL;
|
|
|
|
|
|
|
|
VIR_DEBUG("pkipath=%s isServer=%d tryUserPkiPath=%d",
|
|
|
|
pkipath, isServer, tryUserPkiPath);
|
|
|
|
|
|
|
|
/* Explicit path, then use that no matter whether the
|
|
|
|
* files actually exist there
|
|
|
|
*/
|
|
|
|
if (pkipath) {
|
|
|
|
VIR_DEBUG("Told to use TLS credentials in %s", pkipath);
|
|
|
|
if ((virAsprintf(cacert, "%s/%s", pkipath,
|
|
|
|
"cacert.pem")) < 0)
|
2013-07-04 10:15:05 +00:00
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
if ((virAsprintf(cacrl, "%s/%s", pkipath,
|
|
|
|
"cacrl.pem")) < 0)
|
2013-07-04 10:15:05 +00:00
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
if ((virAsprintf(key, "%s/%s", pkipath,
|
|
|
|
isServer ? "serverkey.pem" : "clientkey.pem")) < 0)
|
2013-07-04 10:15:05 +00:00
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
if ((virAsprintf(cert, "%s/%s", pkipath,
|
|
|
|
isServer ? "servercert.pem" : "clientcert.pem")) < 0)
|
2013-07-04 10:15:05 +00:00
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
} else if (tryUserPkiPath) {
|
|
|
|
/* Check to see if $HOME/.pki contains at least one of the
|
|
|
|
* files and if so, use that
|
|
|
|
*/
|
2012-05-24 12:29:42 +00:00
|
|
|
userdir = virGetUserDirectory();
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
if (!userdir)
|
2013-07-04 10:15:05 +00:00
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
if (virAsprintf(&user_pki_path, "%s/.pki/libvirt", userdir) < 0)
|
2013-07-04 10:15:05 +00:00
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_path);
|
|
|
|
|
|
|
|
if ((virAsprintf(cacert, "%s/%s", user_pki_path,
|
|
|
|
"cacert.pem")) < 0)
|
2013-07-04 10:15:05 +00:00
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
if ((virAsprintf(cacrl, "%s/%s", user_pki_path,
|
|
|
|
"cacrl.pem")) < 0)
|
2013-07-04 10:15:05 +00:00
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
if ((virAsprintf(key, "%s/%s", user_pki_path,
|
|
|
|
isServer ? "serverkey.pem" : "clientkey.pem")) < 0)
|
2013-07-04 10:15:05 +00:00
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
if ((virAsprintf(cert, "%s/%s", user_pki_path,
|
|
|
|
isServer ? "servercert.pem" : "clientcert.pem")) < 0)
|
2013-07-04 10:15:05 +00:00
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If some of the files can't be found, fallback
|
|
|
|
* to the global location for them
|
|
|
|
*/
|
|
|
|
if (!virFileExists(*cacert))
|
|
|
|
VIR_FREE(*cacert);
|
|
|
|
if (!virFileExists(*cacrl))
|
|
|
|
VIR_FREE(*cacrl);
|
|
|
|
|
|
|
|
/* Check these as a pair, since it they are
|
|
|
|
* mutually dependent
|
|
|
|
*/
|
|
|
|
if (!virFileExists(*key) || !virFileExists(*cert)) {
|
|
|
|
VIR_FREE(*key);
|
|
|
|
VIR_FREE(*cert);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* No explicit path, or user path didn't exist, so
|
|
|
|
* fallback to global defaults
|
|
|
|
*/
|
|
|
|
if (!*cacert) {
|
|
|
|
VIR_DEBUG("Using default TLS CA certificate path");
|
2013-05-03 12:47:53 +00:00
|
|
|
if (VIR_STRDUP(*cacert, LIBVIRT_CACERT) < 0)
|
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!*cacrl) {
|
|
|
|
VIR_DEBUG("Using default TLS CA revocation list path");
|
2013-05-03 12:47:53 +00:00
|
|
|
if (VIR_STRDUP(*cacrl, LIBVIRT_CACRL) < 0)
|
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!*key && !*cert) {
|
|
|
|
VIR_DEBUG("Using default TLS key/certificate path");
|
2013-05-03 12:47:53 +00:00
|
|
|
if (VIR_STRDUP(*key, isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY) < 0)
|
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
2013-05-03 12:47:53 +00:00
|
|
|
if (VIR_STRDUP(*cert, isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTCERT) < 0)
|
|
|
|
goto error;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
VIR_FREE(user_pki_path);
|
|
|
|
VIR_FREE(userdir);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
error:
|
2010-11-23 20:17:41 +00:00
|
|
|
VIR_FREE(*cacert);
|
|
|
|
VIR_FREE(*cacrl);
|
|
|
|
VIR_FREE(*key);
|
|
|
|
VIR_FREE(*cert);
|
|
|
|
VIR_FREE(user_pki_path);
|
|
|
|
VIR_FREE(userdir);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
|
|
|
|
bool tryUserPkiPath,
|
|
|
|
const char *const*x509dnWhitelist,
|
2016-06-03 16:44:55 +00:00
|
|
|
const char *priority,
|
2011-07-21 10:13:11 +00:00
|
|
|
bool sanityCheckCert,
|
2010-11-23 20:17:41 +00:00
|
|
|
bool requireValidCert,
|
|
|
|
bool isServer)
|
|
|
|
{
|
|
|
|
char *cacert = NULL, *cacrl = NULL, *key = NULL, *cert = NULL;
|
|
|
|
virNetTLSContextPtr ctxt = NULL;
|
|
|
|
|
|
|
|
if (virNetTLSContextLocateCredentials(pkipath, tryUserPkiPath, isServer,
|
2011-07-08 10:14:20 +00:00
|
|
|
&cacert, &cacrl, &cert, &key) < 0)
|
2010-11-23 20:17:41 +00:00
|
|
|
return NULL;
|
|
|
|
|
2011-07-08 10:14:20 +00:00
|
|
|
ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
|
2016-06-03 16:44:55 +00:00
|
|
|
x509dnWhitelist, priority, sanityCheckCert,
|
2011-07-21 10:13:11 +00:00
|
|
|
requireValidCert, isServer);
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
VIR_FREE(cacert);
|
|
|
|
VIR_FREE(cacrl);
|
|
|
|
VIR_FREE(key);
|
|
|
|
VIR_FREE(cert);
|
|
|
|
|
|
|
|
return ctxt;
|
|
|
|
}
|
|
|
|
|
|
|
|
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
|
|
|
|
bool tryUserPkiPath,
|
|
|
|
const char *const*x509dnWhitelist,
|
2016-06-03 16:44:55 +00:00
|
|
|
const char *priority,
|
2011-07-21 10:13:11 +00:00
|
|
|
bool sanityCheckCert,
|
2010-11-23 20:17:41 +00:00
|
|
|
bool requireValidCert)
|
|
|
|
{
|
2016-06-03 16:44:55 +00:00
|
|
|
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, priority,
|
2011-07-21 10:13:11 +00:00
|
|
|
sanityCheckCert, requireValidCert, true);
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
|
|
|
|
bool tryUserPkiPath,
|
2016-06-03 16:44:55 +00:00
|
|
|
const char *priority,
|
2011-07-21 10:13:11 +00:00
|
|
|
bool sanityCheckCert,
|
2010-11-23 20:17:41 +00:00
|
|
|
bool requireValidCert)
|
|
|
|
{
|
2016-06-03 16:44:55 +00:00
|
|
|
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL, priority,
|
2011-07-21 10:13:11 +00:00
|
|
|
sanityCheckCert, requireValidCert, false);
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
|
|
|
|
const char *cacrl,
|
|
|
|
const char *cert,
|
|
|
|
const char *key,
|
|
|
|
const char *const*x509dnWhitelist,
|
2016-06-03 16:44:55 +00:00
|
|
|
const char *priority,
|
2011-07-21 10:13:11 +00:00
|
|
|
bool sanityCheckCert,
|
2010-11-23 20:17:41 +00:00
|
|
|
bool requireValidCert)
|
|
|
|
{
|
2016-06-03 16:44:55 +00:00
|
|
|
return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, priority,
|
2011-07-21 10:13:11 +00:00
|
|
|
sanityCheckCert, requireValidCert, true);
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
|
|
|
|
const char *cacrl,
|
|
|
|
const char *cert,
|
|
|
|
const char *key,
|
2016-06-03 16:44:55 +00:00
|
|
|
const char *priority,
|
2011-07-21 10:13:11 +00:00
|
|
|
bool sanityCheckCert,
|
2010-11-23 20:17:41 +00:00
|
|
|
bool requireValidCert)
|
|
|
|
{
|
2016-06-03 16:44:55 +00:00
|
|
|
return virNetTLSContextNew(cacert, cacrl, cert, key, NULL, priority,
|
2011-07-21 10:13:11 +00:00
|
|
|
sanityCheckCert, requireValidCert, false);
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
|
|
|
|
virNetTLSSessionPtr sess)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
unsigned int status;
|
|
|
|
const gnutls_datum_t *certs;
|
Convert 'int i' to 'size_t i' in src/rpc/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 14:09:33 +00:00
|
|
|
unsigned int nCerts;
|
|
|
|
size_t i;
|
2011-10-07 15:42:41 +00:00
|
|
|
char dname[256];
|
2013-01-30 11:43:44 +00:00
|
|
|
char *dnameptr = dname;
|
2011-10-07 15:42:41 +00:00
|
|
|
size_t dnamesize = sizeof(dname);
|
|
|
|
|
|
|
|
memset(dname, 0, dnamesize);
|
2010-11-23 20:17:41 +00:00
|
|
|
|
2014-08-20 11:00:30 +00:00
|
|
|
if ((ret = gnutls_certificate_verify_peers2(sess->session, &status)) < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Unable to verify TLS peer: %s"),
|
|
|
|
gnutls_strerror(ret));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto authdeny;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (status != 0) {
|
|
|
|
const char *reason = _("Invalid certificate");
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_INVALID)
|
|
|
|
reason = _("The certificate is not trusted.");
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
|
|
|
|
reason = _("The certificate hasn't got a known issuer.");
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_REVOKED)
|
|
|
|
reason = _("The certificate has been revoked.");
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
|
|
|
|
reason = _("The certificate uses an insecure algorithm");
|
|
|
|
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Certificate failed validation: %s"),
|
|
|
|
reason);
|
2010-11-23 20:17:41 +00:00
|
|
|
goto authdeny;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (gnutls_certificate_type_get(sess->session) != GNUTLS_CRT_X509) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
|
|
|
|
_("Only x509 certificates are supported"));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto authdeny;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!(certs = gnutls_certificate_get_peers(sess->session, &nCerts))) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
|
|
|
|
_("The certificate has no peers"));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto authdeny;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < nCerts; i++) {
|
|
|
|
gnutls_x509_crt_t cert;
|
|
|
|
|
|
|
|
if (gnutls_x509_crt_init(&cert) < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
|
|
|
|
_("Unable to initialize certificate"));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto authfail;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
|
|
|
|
_("Unable to load certificate"));
|
2010-11-23 20:17:41 +00:00
|
|
|
gnutls_x509_crt_deinit(cert);
|
|
|
|
goto authfail;
|
|
|
|
}
|
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
if (virNetTLSContextCheckCertTimes(cert, "[session]",
|
|
|
|
sess->isServer, i > 0) < 0) {
|
2010-11-23 20:17:41 +00:00
|
|
|
gnutls_x509_crt_deinit(cert);
|
|
|
|
goto authdeny;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (i == 0) {
|
2011-10-07 15:42:41 +00:00
|
|
|
ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize);
|
|
|
|
if (ret != 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Failed to get certificate %s distinguished name: %s"),
|
|
|
|
"[session]", gnutls_strerror(ret));
|
2011-10-07 15:42:41 +00:00
|
|
|
goto authfail;
|
|
|
|
}
|
2013-05-03 12:47:53 +00:00
|
|
|
if (VIR_STRDUP(sess->x509dname, dname) < 0)
|
2012-01-20 17:18:28 +00:00
|
|
|
goto authfail;
|
2011-10-07 15:42:41 +00:00
|
|
|
VIR_DEBUG("Peer DN is %s", dname);
|
|
|
|
|
|
|
|
if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
|
2011-07-20 14:18:51 +00:00
|
|
|
ctxt->x509dnWhitelist) < 0) {
|
2010-11-23 20:17:41 +00:00
|
|
|
gnutls_x509_crt_deinit(cert);
|
2011-07-20 14:18:51 +00:00
|
|
|
goto authdeny;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* !sess->isServer, since on the client, we're validating the
|
|
|
|
* server's cert, and on the server, the client's cert
|
|
|
|
*/
|
|
|
|
if (virNetTLSContextCheckCertBasicConstraints(cert, "[session]",
|
|
|
|
!sess->isServer, false) < 0) {
|
|
|
|
gnutls_x509_crt_deinit(cert);
|
|
|
|
goto authdeny;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
if (virNetTLSContextCheckCertKeyUsage(cert, "[session]",
|
|
|
|
false) < 0) {
|
2010-11-23 20:17:41 +00:00
|
|
|
gnutls_x509_crt_deinit(cert);
|
|
|
|
goto authdeny;
|
|
|
|
}
|
|
|
|
|
2011-07-20 14:18:51 +00:00
|
|
|
/* !sess->isServer - as above */
|
|
|
|
if (virNetTLSContextCheckCertKeyPurpose(cert, "[session]",
|
|
|
|
!sess->isServer) < 0) {
|
2010-11-23 20:17:41 +00:00
|
|
|
gnutls_x509_crt_deinit(cert);
|
|
|
|
goto authdeny;
|
|
|
|
}
|
|
|
|
}
|
2011-09-04 15:48:42 +00:00
|
|
|
gnutls_x509_crt_deinit(cert);
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
Rewrite all the DTrace/SystemTAP probing
The libvirtd daemon had a few crude system tap probes. Some of
these were broken during the RPC rewrite. The new modular RPC
code is structured in a way that allows much more effective
tracing. Instead of trying to hook up the original probes,
define a new set of probes for the RPC and event code.
The master probes file is now src/probes.d. This contains
probes for virNetServerClientPtr, virNetClientPtr, virSocketPtr
virNetTLSContextPtr and virNetTLSSessionPtr modules. Also add
probes for the poll event loop.
The src/dtrace2systemtap.pl script can convert the probes.d
file into a libvirt_probes.stp file to make use from systemtap
much simpler.
The src/rpc/gensystemtap.pl script can generate a set of
systemtap functions for translating RPC enum values into
printable strings. This works for all RPC header enums (program,
type, status, procedure) and also the authentication enum
The PROBE macro will automatically generate a VIR_DEBUG
statement, so any place with a PROBE can remove any existing
manual DEBUG statements.
* daemon/libvirtd.stp, daemon/probes.d: Remove obsolete probing
* daemon/libvirtd.h: Remove probe macros
* daemon/Makefile.am: Remove all probe buildings/install
* daemon/remote.c: Update authentication probes
* src/dtrace2systemtap.pl, src/rpc/gensystemtap.pl: Scripts
to generate STP files
* src/internal.h: Add probe macros
* src/probes.d: Master list of probes
* src/rpc/virnetclient.c, src/rpc/virnetserverclient.c,
src/rpc/virnetsocket.c, src/rpc/virnettlscontext.c,
src/util/event_poll.c: Insert probe points, removing any
DEBUG statements that duplicate the info
2011-09-30 13:40:23 +00:00
|
|
|
PROBE(RPC_TLS_CONTEXT_SESSION_ALLOW,
|
|
|
|
"ctxt=%p sess=%p dname=%s",
|
2013-01-30 11:43:44 +00:00
|
|
|
ctxt, sess, dnameptr);
|
Rewrite all the DTrace/SystemTAP probing
The libvirtd daemon had a few crude system tap probes. Some of
these were broken during the RPC rewrite. The new modular RPC
code is structured in a way that allows much more effective
tracing. Instead of trying to hook up the original probes,
define a new set of probes for the RPC and event code.
The master probes file is now src/probes.d. This contains
probes for virNetServerClientPtr, virNetClientPtr, virSocketPtr
virNetTLSContextPtr and virNetTLSSessionPtr modules. Also add
probes for the poll event loop.
The src/dtrace2systemtap.pl script can convert the probes.d
file into a libvirt_probes.stp file to make use from systemtap
much simpler.
The src/rpc/gensystemtap.pl script can generate a set of
systemtap functions for translating RPC enum values into
printable strings. This works for all RPC header enums (program,
type, status, procedure) and also the authentication enum
The PROBE macro will automatically generate a VIR_DEBUG
statement, so any place with a PROBE can remove any existing
manual DEBUG statements.
* daemon/libvirtd.stp, daemon/probes.d: Remove obsolete probing
* daemon/libvirtd.h: Remove probe macros
* daemon/Makefile.am: Remove all probe buildings/install
* daemon/remote.c: Update authentication probes
* src/dtrace2systemtap.pl, src/rpc/gensystemtap.pl: Scripts
to generate STP files
* src/internal.h: Add probe macros
* src/probes.d: Master list of probes
* src/rpc/virnetclient.c, src/rpc/virnetserverclient.c,
src/rpc/virnetsocket.c, src/rpc/virnettlscontext.c,
src/util/event_poll.c: Insert probe points, removing any
DEBUG statements that duplicate the info
2011-09-30 13:40:23 +00:00
|
|
|
|
2010-11-23 20:17:41 +00:00
|
|
|
return 0;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
authdeny:
|
Rewrite all the DTrace/SystemTAP probing
The libvirtd daemon had a few crude system tap probes. Some of
these were broken during the RPC rewrite. The new modular RPC
code is structured in a way that allows much more effective
tracing. Instead of trying to hook up the original probes,
define a new set of probes for the RPC and event code.
The master probes file is now src/probes.d. This contains
probes for virNetServerClientPtr, virNetClientPtr, virSocketPtr
virNetTLSContextPtr and virNetTLSSessionPtr modules. Also add
probes for the poll event loop.
The src/dtrace2systemtap.pl script can convert the probes.d
file into a libvirt_probes.stp file to make use from systemtap
much simpler.
The src/rpc/gensystemtap.pl script can generate a set of
systemtap functions for translating RPC enum values into
printable strings. This works for all RPC header enums (program,
type, status, procedure) and also the authentication enum
The PROBE macro will automatically generate a VIR_DEBUG
statement, so any place with a PROBE can remove any existing
manual DEBUG statements.
* daemon/libvirtd.stp, daemon/probes.d: Remove obsolete probing
* daemon/libvirtd.h: Remove probe macros
* daemon/Makefile.am: Remove all probe buildings/install
* daemon/remote.c: Update authentication probes
* src/dtrace2systemtap.pl, src/rpc/gensystemtap.pl: Scripts
to generate STP files
* src/internal.h: Add probe macros
* src/probes.d: Master list of probes
* src/rpc/virnetclient.c, src/rpc/virnetserverclient.c,
src/rpc/virnetsocket.c, src/rpc/virnettlscontext.c,
src/util/event_poll.c: Insert probe points, removing any
DEBUG statements that duplicate the info
2011-09-30 13:40:23 +00:00
|
|
|
PROBE(RPC_TLS_CONTEXT_SESSION_DENY,
|
|
|
|
"ctxt=%p sess=%p dname=%s",
|
2013-01-30 11:43:44 +00:00
|
|
|
ctxt, sess, dnameptr);
|
Rewrite all the DTrace/SystemTAP probing
The libvirtd daemon had a few crude system tap probes. Some of
these were broken during the RPC rewrite. The new modular RPC
code is structured in a way that allows much more effective
tracing. Instead of trying to hook up the original probes,
define a new set of probes for the RPC and event code.
The master probes file is now src/probes.d. This contains
probes for virNetServerClientPtr, virNetClientPtr, virSocketPtr
virNetTLSContextPtr and virNetTLSSessionPtr modules. Also add
probes for the poll event loop.
The src/dtrace2systemtap.pl script can convert the probes.d
file into a libvirt_probes.stp file to make use from systemtap
much simpler.
The src/rpc/gensystemtap.pl script can generate a set of
systemtap functions for translating RPC enum values into
printable strings. This works for all RPC header enums (program,
type, status, procedure) and also the authentication enum
The PROBE macro will automatically generate a VIR_DEBUG
statement, so any place with a PROBE can remove any existing
manual DEBUG statements.
* daemon/libvirtd.stp, daemon/probes.d: Remove obsolete probing
* daemon/libvirtd.h: Remove probe macros
* daemon/Makefile.am: Remove all probe buildings/install
* daemon/remote.c: Update authentication probes
* src/dtrace2systemtap.pl, src/rpc/gensystemtap.pl: Scripts
to generate STP files
* src/internal.h: Add probe macros
* src/probes.d: Master list of probes
* src/rpc/virnetclient.c, src/rpc/virnetserverclient.c,
src/rpc/virnetsocket.c, src/rpc/virnettlscontext.c,
src/util/event_poll.c: Insert probe points, removing any
DEBUG statements that duplicate the info
2011-09-30 13:40:23 +00:00
|
|
|
|
2010-11-23 20:17:41 +00:00
|
|
|
return -1;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
authfail:
|
Rewrite all the DTrace/SystemTAP probing
The libvirtd daemon had a few crude system tap probes. Some of
these were broken during the RPC rewrite. The new modular RPC
code is structured in a way that allows much more effective
tracing. Instead of trying to hook up the original probes,
define a new set of probes for the RPC and event code.
The master probes file is now src/probes.d. This contains
probes for virNetServerClientPtr, virNetClientPtr, virSocketPtr
virNetTLSContextPtr and virNetTLSSessionPtr modules. Also add
probes for the poll event loop.
The src/dtrace2systemtap.pl script can convert the probes.d
file into a libvirt_probes.stp file to make use from systemtap
much simpler.
The src/rpc/gensystemtap.pl script can generate a set of
systemtap functions for translating RPC enum values into
printable strings. This works for all RPC header enums (program,
type, status, procedure) and also the authentication enum
The PROBE macro will automatically generate a VIR_DEBUG
statement, so any place with a PROBE can remove any existing
manual DEBUG statements.
* daemon/libvirtd.stp, daemon/probes.d: Remove obsolete probing
* daemon/libvirtd.h: Remove probe macros
* daemon/Makefile.am: Remove all probe buildings/install
* daemon/remote.c: Update authentication probes
* src/dtrace2systemtap.pl, src/rpc/gensystemtap.pl: Scripts
to generate STP files
* src/internal.h: Add probe macros
* src/probes.d: Master list of probes
* src/rpc/virnetclient.c, src/rpc/virnetserverclient.c,
src/rpc/virnetsocket.c, src/rpc/virnettlscontext.c,
src/util/event_poll.c: Insert probe points, removing any
DEBUG statements that duplicate the info
2011-09-30 13:40:23 +00:00
|
|
|
PROBE(RPC_TLS_CONTEXT_SESSION_FAIL,
|
|
|
|
"ctxt=%p sess=%p",
|
|
|
|
ctxt, sess);
|
|
|
|
|
2010-11-23 20:17:41 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt,
|
|
|
|
virNetTLSSessionPtr sess)
|
|
|
|
{
|
2011-07-26 00:21:32 +00:00
|
|
|
int ret = -1;
|
|
|
|
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectLock(ctxt);
|
|
|
|
virObjectLock(sess);
|
2010-11-23 20:17:41 +00:00
|
|
|
if (virNetTLSContextValidCertificate(ctxt, sess) < 0) {
|
2016-05-19 19:10:19 +00:00
|
|
|
VIR_WARN("Certificate check failed %s", virGetLastErrorMessage());
|
2010-11-23 20:17:41 +00:00
|
|
|
if (ctxt->requireValidCert) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_AUTH_FAILED, "%s",
|
|
|
|
_("Failed to verify peer's certificate"));
|
2011-07-26 00:21:32 +00:00
|
|
|
goto cleanup;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
2011-07-21 10:13:11 +00:00
|
|
|
virResetLastError();
|
2010-11-23 20:17:41 +00:00
|
|
|
VIR_INFO("Ignoring bad certificate at user request");
|
|
|
|
}
|
2011-07-26 00:21:32 +00:00
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
cleanup:
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectUnlock(ctxt);
|
|
|
|
virObjectUnlock(sess);
|
2011-07-26 00:21:32 +00:00
|
|
|
|
|
|
|
return ret;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
2012-07-11 13:35:48 +00:00
|
|
|
void virNetTLSContextDispose(void *obj)
|
2010-11-23 20:17:41 +00:00
|
|
|
{
|
2012-07-11 13:35:48 +00:00
|
|
|
virNetTLSContextPtr ctxt = obj;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
2013-03-13 19:17:32 +00:00
|
|
|
PROBE(RPC_TLS_CONTEXT_DISPOSE,
|
|
|
|
"ctxt=%p", ctxt);
|
|
|
|
|
2016-06-03 16:44:55 +00:00
|
|
|
VIR_FREE(ctxt->priority);
|
2010-11-23 20:17:41 +00:00
|
|
|
gnutls_dh_params_deinit(ctxt->dhParams);
|
|
|
|
gnutls_certificate_free_credentials(ctxt->x509cred);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static ssize_t
|
|
|
|
virNetTLSSessionPush(void *opaque, const void *buf, size_t len)
|
|
|
|
{
|
|
|
|
virNetTLSSessionPtr sess = opaque;
|
|
|
|
if (!sess->writeFunc) {
|
2011-07-15 10:42:51 +00:00
|
|
|
VIR_WARN("TLS session push with missing write function");
|
2010-11-23 20:17:41 +00:00
|
|
|
errno = EIO;
|
|
|
|
return -1;
|
|
|
|
};
|
|
|
|
|
|
|
|
return sess->writeFunc(buf, len, sess->opaque);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static ssize_t
|
|
|
|
virNetTLSSessionPull(void *opaque, void *buf, size_t len)
|
|
|
|
{
|
|
|
|
virNetTLSSessionPtr sess = opaque;
|
|
|
|
if (!sess->readFunc) {
|
|
|
|
VIR_WARN("TLS session pull with missing read function");
|
|
|
|
errno = EIO;
|
|
|
|
return -1;
|
|
|
|
};
|
|
|
|
|
|
|
|
return sess->readFunc(buf, len, sess->opaque);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
|
|
|
|
const char *hostname)
|
|
|
|
{
|
|
|
|
virNetTLSSessionPtr sess;
|
|
|
|
int err;
|
|
|
|
|
2011-08-02 19:36:14 +00:00
|
|
|
VIR_DEBUG("ctxt=%p hostname=%s isServer=%d",
|
|
|
|
ctxt, NULLSTR(hostname), ctxt->isServer);
|
2010-11-23 20:17:41 +00:00
|
|
|
|
2013-01-09 21:27:28 +00:00
|
|
|
if (!(sess = virObjectLockableNew(virNetTLSSessionClass)))
|
2010-11-23 20:17:41 +00:00
|
|
|
return NULL;
|
|
|
|
|
2013-05-03 12:47:53 +00:00
|
|
|
if (VIR_STRDUP(sess->hostname, hostname) < 0)
|
2010-11-23 20:17:41 +00:00
|
|
|
goto error;
|
|
|
|
|
|
|
|
if ((err = gnutls_init(&sess->session,
|
|
|
|
ctxt->isServer ? GNUTLS_SERVER : GNUTLS_CLIENT)) != 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Failed to initialize TLS session: %s"),
|
|
|
|
gnutls_strerror(err));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* avoid calling all the priority functions, since the defaults
|
|
|
|
* are adequate.
|
|
|
|
*/
|
2016-06-03 16:44:55 +00:00
|
|
|
if ((err = gnutls_priority_set_direct(sess->session,
|
|
|
|
ctxt->priority ? ctxt->priority : TLS_PRIORITY,
|
|
|
|
NULL)) != 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
2016-06-03 16:31:48 +00:00
|
|
|
_("Failed to set TLS session priority to %s: %s"),
|
2016-06-03 16:44:55 +00:00
|
|
|
ctxt->priority ? ctxt->priority : TLS_PRIORITY, gnutls_strerror(err));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((err = gnutls_credentials_set(sess->session,
|
|
|
|
GNUTLS_CRD_CERTIFICATE,
|
|
|
|
ctxt->x509cred)) != 0) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
|
|
_("Failed set TLS x509 credentials: %s"),
|
|
|
|
gnutls_strerror(err));
|
2010-11-23 20:17:41 +00:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* request client certificate if any.
|
|
|
|
*/
|
|
|
|
if (ctxt->isServer) {
|
|
|
|
gnutls_certificate_server_set_request(sess->session, GNUTLS_CERT_REQUEST);
|
|
|
|
|
|
|
|
gnutls_dh_set_prime_bits(sess->session, DH_BITS);
|
|
|
|
}
|
|
|
|
|
|
|
|
gnutls_transport_set_ptr(sess->session, sess);
|
|
|
|
gnutls_transport_set_push_function(sess->session,
|
|
|
|
virNetTLSSessionPush);
|
|
|
|
gnutls_transport_set_pull_function(sess->session,
|
|
|
|
virNetTLSSessionPull);
|
|
|
|
|
2011-07-14 16:52:03 +00:00
|
|
|
sess->isServer = ctxt->isServer;
|
|
|
|
|
Rewrite all the DTrace/SystemTAP probing
The libvirtd daemon had a few crude system tap probes. Some of
these were broken during the RPC rewrite. The new modular RPC
code is structured in a way that allows much more effective
tracing. Instead of trying to hook up the original probes,
define a new set of probes for the RPC and event code.
The master probes file is now src/probes.d. This contains
probes for virNetServerClientPtr, virNetClientPtr, virSocketPtr
virNetTLSContextPtr and virNetTLSSessionPtr modules. Also add
probes for the poll event loop.
The src/dtrace2systemtap.pl script can convert the probes.d
file into a libvirt_probes.stp file to make use from systemtap
much simpler.
The src/rpc/gensystemtap.pl script can generate a set of
systemtap functions for translating RPC enum values into
printable strings. This works for all RPC header enums (program,
type, status, procedure) and also the authentication enum
The PROBE macro will automatically generate a VIR_DEBUG
statement, so any place with a PROBE can remove any existing
manual DEBUG statements.
* daemon/libvirtd.stp, daemon/probes.d: Remove obsolete probing
* daemon/libvirtd.h: Remove probe macros
* daemon/Makefile.am: Remove all probe buildings/install
* daemon/remote.c: Update authentication probes
* src/dtrace2systemtap.pl, src/rpc/gensystemtap.pl: Scripts
to generate STP files
* src/internal.h: Add probe macros
* src/probes.d: Master list of probes
* src/rpc/virnetclient.c, src/rpc/virnetserverclient.c,
src/rpc/virnetsocket.c, src/rpc/virnettlscontext.c,
src/util/event_poll.c: Insert probe points, removing any
DEBUG statements that duplicate the info
2011-09-30 13:40:23 +00:00
|
|
|
PROBE(RPC_TLS_SESSION_NEW,
|
2012-07-11 13:35:48 +00:00
|
|
|
"sess=%p ctxt=%p hostname=%s isServer=%d",
|
|
|
|
sess, ctxt, hostname, sess->isServer);
|
Rewrite all the DTrace/SystemTAP probing
The libvirtd daemon had a few crude system tap probes. Some of
these were broken during the RPC rewrite. The new modular RPC
code is structured in a way that allows much more effective
tracing. Instead of trying to hook up the original probes,
define a new set of probes for the RPC and event code.
The master probes file is now src/probes.d. This contains
probes for virNetServerClientPtr, virNetClientPtr, virSocketPtr
virNetTLSContextPtr and virNetTLSSessionPtr modules. Also add
probes for the poll event loop.
The src/dtrace2systemtap.pl script can convert the probes.d
file into a libvirt_probes.stp file to make use from systemtap
much simpler.
The src/rpc/gensystemtap.pl script can generate a set of
systemtap functions for translating RPC enum values into
printable strings. This works for all RPC header enums (program,
type, status, procedure) and also the authentication enum
The PROBE macro will automatically generate a VIR_DEBUG
statement, so any place with a PROBE can remove any existing
manual DEBUG statements.
* daemon/libvirtd.stp, daemon/probes.d: Remove obsolete probing
* daemon/libvirtd.h: Remove probe macros
* daemon/Makefile.am: Remove all probe buildings/install
* daemon/remote.c: Update authentication probes
* src/dtrace2systemtap.pl, src/rpc/gensystemtap.pl: Scripts
to generate STP files
* src/internal.h: Add probe macros
* src/probes.d: Master list of probes
* src/rpc/virnetclient.c, src/rpc/virnetserverclient.c,
src/rpc/virnetsocket.c, src/rpc/virnettlscontext.c,
src/util/event_poll.c: Insert probe points, removing any
DEBUG statements that duplicate the info
2011-09-30 13:40:23 +00:00
|
|
|
|
2010-11-23 20:17:41 +00:00
|
|
|
return sess;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
error:
|
2012-07-11 13:35:48 +00:00
|
|
|
virObjectUnref(sess);
|
2010-11-23 20:17:41 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void virNetTLSSessionSetIOCallbacks(virNetTLSSessionPtr sess,
|
|
|
|
virNetTLSSessionWriteFunc writeFunc,
|
|
|
|
virNetTLSSessionReadFunc readFunc,
|
|
|
|
void *opaque)
|
|
|
|
{
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectLock(sess);
|
2010-11-23 20:17:41 +00:00
|
|
|
sess->writeFunc = writeFunc;
|
|
|
|
sess->readFunc = readFunc;
|
|
|
|
sess->opaque = opaque;
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectUnlock(sess);
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ssize_t virNetTLSSessionWrite(virNetTLSSessionPtr sess,
|
|
|
|
const char *buf, size_t len)
|
|
|
|
{
|
|
|
|
ssize_t ret;
|
2011-07-26 00:21:32 +00:00
|
|
|
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectLock(sess);
|
2010-11-23 20:17:41 +00:00
|
|
|
ret = gnutls_record_send(sess->session, buf, len);
|
|
|
|
|
|
|
|
if (ret >= 0)
|
2011-07-26 00:21:32 +00:00
|
|
|
goto cleanup;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
switch (ret) {
|
|
|
|
case GNUTLS_E_AGAIN:
|
|
|
|
errno = EAGAIN;
|
|
|
|
break;
|
|
|
|
case GNUTLS_E_INTERRUPTED:
|
|
|
|
errno = EINTR;
|
|
|
|
break;
|
2011-07-15 10:40:35 +00:00
|
|
|
case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
|
|
|
|
errno = ENOMSG;
|
|
|
|
break;
|
2010-11-23 20:17:41 +00:00
|
|
|
default:
|
|
|
|
errno = EIO;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2011-07-26 00:21:32 +00:00
|
|
|
ret = -1;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
cleanup:
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectUnlock(sess);
|
2011-07-26 00:21:32 +00:00
|
|
|
return ret;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
ssize_t virNetTLSSessionRead(virNetTLSSessionPtr sess,
|
|
|
|
char *buf, size_t len)
|
|
|
|
{
|
|
|
|
ssize_t ret;
|
|
|
|
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectLock(sess);
|
2010-11-23 20:17:41 +00:00
|
|
|
ret = gnutls_record_recv(sess->session, buf, len);
|
|
|
|
|
|
|
|
if (ret >= 0)
|
2011-07-26 00:21:32 +00:00
|
|
|
goto cleanup;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
|
|
|
switch (ret) {
|
|
|
|
case GNUTLS_E_AGAIN:
|
|
|
|
errno = EAGAIN;
|
|
|
|
break;
|
|
|
|
case GNUTLS_E_INTERRUPTED:
|
|
|
|
errno = EINTR;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
errno = EIO;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2011-07-26 00:21:32 +00:00
|
|
|
ret = -1;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
cleanup:
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectUnlock(sess);
|
2011-07-26 00:21:32 +00:00
|
|
|
return ret;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
int virNetTLSSessionHandshake(virNetTLSSessionPtr sess)
|
|
|
|
{
|
2011-07-26 00:21:32 +00:00
|
|
|
int ret;
|
2010-11-23 20:17:41 +00:00
|
|
|
VIR_DEBUG("sess=%p", sess);
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectLock(sess);
|
2011-07-26 00:21:32 +00:00
|
|
|
ret = gnutls_handshake(sess->session);
|
2010-11-23 20:17:41 +00:00
|
|
|
VIR_DEBUG("Ret=%d", ret);
|
|
|
|
if (ret == 0) {
|
|
|
|
sess->handshakeComplete = true;
|
|
|
|
VIR_DEBUG("Handshake is complete");
|
2011-07-26 00:21:32 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
|
|
|
|
ret = 1;
|
|
|
|
goto cleanup;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#if 0
|
|
|
|
PROBE(CLIENT_TLS_FAIL, "fd=%d",
|
|
|
|
virNetServerClientGetFD(client));
|
|
|
|
#endif
|
|
|
|
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_AUTH_FAILED,
|
|
|
|
_("TLS handshake failed %s"),
|
|
|
|
gnutls_strerror(ret));
|
2011-07-26 00:21:32 +00:00
|
|
|
ret = -1;
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
cleanup:
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectUnlock(sess);
|
2011-07-26 00:21:32 +00:00
|
|
|
return ret;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
virNetTLSSessionHandshakeStatus
|
|
|
|
virNetTLSSessionGetHandshakeStatus(virNetTLSSessionPtr sess)
|
|
|
|
{
|
2011-07-26 00:21:32 +00:00
|
|
|
virNetTLSSessionHandshakeStatus ret;
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectLock(sess);
|
2010-11-23 20:17:41 +00:00
|
|
|
if (sess->handshakeComplete)
|
2011-07-26 00:21:32 +00:00
|
|
|
ret = VIR_NET_TLS_HANDSHAKE_COMPLETE;
|
2010-11-23 20:17:41 +00:00
|
|
|
else if (gnutls_record_get_direction(sess->session) == 0)
|
2011-07-26 00:21:32 +00:00
|
|
|
ret = VIR_NET_TLS_HANDSHAKE_RECVING;
|
2010-11-23 20:17:41 +00:00
|
|
|
else
|
2011-07-26 00:21:32 +00:00
|
|
|
ret = VIR_NET_TLS_HANDSHAKE_SENDING;
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectUnlock(sess);
|
2011-07-26 00:21:32 +00:00
|
|
|
return ret;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
int virNetTLSSessionGetKeySize(virNetTLSSessionPtr sess)
|
|
|
|
{
|
|
|
|
gnutls_cipher_algorithm_t cipher;
|
|
|
|
int ssf;
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectLock(sess);
|
2010-11-23 20:17:41 +00:00
|
|
|
cipher = gnutls_cipher_get(sess->session);
|
|
|
|
if (!(ssf = gnutls_cipher_get_key_size(cipher))) {
|
2012-07-18 10:41:47 +00:00
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("invalid cipher size for TLS session"));
|
2011-07-26 00:21:32 +00:00
|
|
|
ssf = -1;
|
|
|
|
goto cleanup;
|
2010-11-23 20:17:41 +00:00
|
|
|
}
|
|
|
|
|
2014-03-25 06:52:31 +00:00
|
|
|
cleanup:
|
2013-01-09 21:27:28 +00:00
|
|
|
virObjectUnlock(sess);
|
2010-11-23 20:17:41 +00:00
|
|
|
return ssf;
|
|
|
|
}
|
|
|
|
|
2012-01-20 17:18:28 +00:00
|
|
|
const char *virNetTLSSessionGetX509DName(virNetTLSSessionPtr sess)
|
|
|
|
{
|
|
|
|
const char *ret = NULL;
|
|
|
|
|
|
|
|
virObjectLock(sess);
|
|
|
|
|
|
|
|
ret = sess->x509dname;
|
|
|
|
|
|
|
|
virObjectUnlock(sess);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
2010-11-23 20:17:41 +00:00
|
|
|
|
2012-07-11 13:35:48 +00:00
|
|
|
void virNetTLSSessionDispose(void *obj)
|
2010-11-23 20:17:41 +00:00
|
|
|
{
|
2012-07-11 13:35:48 +00:00
|
|
|
virNetTLSSessionPtr sess = obj;
|
2010-11-23 20:17:41 +00:00
|
|
|
|
2013-03-13 19:17:32 +00:00
|
|
|
PROBE(RPC_TLS_SESSION_DISPOSE,
|
|
|
|
"sess=%p", sess);
|
|
|
|
|
2012-01-20 17:18:28 +00:00
|
|
|
VIR_FREE(sess->x509dname);
|
2010-11-23 20:17:41 +00:00
|
|
|
VIR_FREE(sess->hostname);
|
|
|
|
gnutls_deinit(sess->session);
|
|
|
|
}
|
2011-08-18 08:44:08 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* This function MUST be called before any
|
|
|
|
* virNetTLS* because it initializes
|
|
|
|
* underlying GnuTLS library. According to
|
|
|
|
* it's documentation, it's safe to be called
|
2012-04-10 11:15:46 +00:00
|
|
|
* many times, but is not thread safe.
|
|
|
|
*
|
|
|
|
* There is no corresponding "Deinit" / "Cleanup"
|
|
|
|
* function because there is no safe way to call
|
|
|
|
* 'gnutls_global_deinit' from a multi-threaded
|
|
|
|
* library, where other libraries linked into the
|
|
|
|
* application may also be using gnutls.
|
2011-08-18 08:44:08 +00:00
|
|
|
*/
|
|
|
|
void virNetTLSInit(void)
|
|
|
|
{
|
2016-06-03 16:20:19 +00:00
|
|
|
const char *gnutlsdebug;
|
|
|
|
if ((gnutlsdebug = virGetEnvAllowSUID("LIBVIRT_GNUTLS_DEBUG")) != NULL) {
|
|
|
|
int val;
|
|
|
|
if (virStrToLong_i(gnutlsdebug, NULL, 10, &val) < 0)
|
|
|
|
val = 10;
|
|
|
|
gnutls_global_set_log_level(val);
|
|
|
|
gnutls_global_set_log_function(virNetTLSLog);
|
|
|
|
VIR_DEBUG("Enabled GNUTLS debug");
|
|
|
|
}
|
|
|
|
|
2011-08-18 08:44:08 +00:00
|
|
|
gnutls_global_init();
|
|
|
|
}
|