Commit Graph

13 Commits

Author SHA1 Message Date
Daniel P. Berrange
5622830c53 Add mutex protection to SASL and TLS modules
The virNetSASLContext, virNetSASLSession, virNetTLSContext and
virNetTLSSession classes previously relied in their owners
(virNetClient / virNetServer / virNetServerClient) to provide
locking protection for concurrent usage. When virNetSocket
gained its own locking code, this invalidated the implicit
safety the SASL/TLS modules relied on. Thus we need to give
them all explicit locking of their own via new mutexes.

* src/rpc/virnetsaslcontext.c, src/rpc/virnettlscontext.c: Add
  a mutex per object
2011-07-26 08:21:32 +08:00
Daniel P. Berrange
07f9b6f019 Allow certificate sanity checking to be disabled
When libvirtd starts it it will sanity check its own certs,
and before libvirt clients connect to a remote server they
will sanity check their own certs. This patch allows such
sanity checking to be skipped. There is no strong reason to
need to do this, other than to bypass possible libvirt bugs
in sanity checking, or for testing purposes.

libvirt.conf gains tls_no_sanity_certificate parameter to
go along with tls_no_verify_certificate. The remote driver
client URIs gain a no_sanity URI parameter

* daemon/test_libvirtd.aug, daemon/libvirtd.conf,
  daemon/libvirtd.c, daemon/libvirtd.aug: Add parameter to
  allow cert sanity checks to be skipped
* src/remote/remote_driver.c: Add no_sanity parameter to
  skip cert checks
* src/rpc/virnettlscontext.c, src/rpc/virnettlscontext.h:
  Add new parameter for skipping sanity checks independantly
  of skipping session cert validation checks
2011-07-22 15:18:32 +01:00
Daniel P. Berrange
637711cbdf Refactor the certification validation code
There is some commonality between the code for sanity checking
certs when initializing libvirt and the code for validating
certs during a live TLS session handshake. This patchset splits
up the sanity checking function into several smaller functions
each doing a specific type of check. The cert validation code
is then updated to also call into these functions

* src/rpc/virnettlscontext.c: Refactor cert validation code
2011-07-22 12:04:47 +01:00
Daniel P. Berrange
3b8061c759 Remove call to deprecated gnutls_certificate_type_set_priority (again)
The gnutls_certificate_type_set_priority method is deprecated.
Since we already set the default gnutls priority, it was not
serving any useful purpose and can be removed

* src/rpc/virnettlscontext.c: Remove gnutls_certificate_type_set_priority
  call
2011-07-22 11:39:44 +01:00
Daniel P. Berrange
14800d49cb Honour key usage/purpose criticality flag
If a key purpose or usage field is marked as non-critical in the
certificate, then a data mismatch is not (ordinarily) a cause for
rejecting the connection

* src/rpc/virnettlscontext.c: Honour key usage/purpose criticality
2011-07-20 15:23:33 +01:00
Daniel P. Berrange
f53cc36fe8 Fix checking of key usage/purpose data
If key usage or purpose data is not present in the cert, the
RFC recommends that access be allowed. Also fix checking of
key usage to include requirements for client/server certs,
and fix key purpose checking to treat data as a list of bits
2011-07-20 15:19:35 +01:00
Daniel P. Berrange
3ea043254c Fix mixed up error messages when reporting TLS certificate problems
* src/rpc/virnettlscontext.c: Fix mixed up error messages
2011-07-20 15:19:35 +01:00
Daniel P. Berrange
79591d4fbf Add sanity checking of basic constraints, key purpose & key usage
Gnutls requires that certificates have basic constraints present
to be used as a CA certificate. OpenSSL doesn't add this data
by default, so add a sanity check to catch this situation. Also
validate that the key usage and key purpose constraints contain
correct data

* src/rpc/virnettlscontext.c: Add sanity checking of certificate
  constraints
2011-07-19 16:25:01 +01:00
Daniel P. Berrange
543c266d2d Add some basic sanity checking of certificates before use
If the libvirt daemon or libvirt client is configured with bogus
certificates, it is very unhelpful to only find out about this
when a TLS connection is actually attempted. Not least because
the error messages you get back for failures are incredibly
obscure.

This adds some basic sanity checking of certificates at the
time the virNetTLSContext object is created. This is at libvirt
startup, or when creating a virNetClient instance.

This checks that the certificate expiry/start dates are valid
and that the certificate is actually signed by the CA that is
loaded.

* src/rpc/virnettlscontext.c: Add certificate sanity checks
2011-07-19 16:24:57 +01:00
Daniel P. Berrange
c8771867b8 Fix error message for missing TLS write function
* src/rpc/virnettlscontext.c: s/read/write/
2011-07-15 16:26:11 +01:00
Daniel P. Berrange
f2845177e2 Fix reporting of cert validation failures
If the server succesfully validates the client cert, it will send
back a single byte, under TLS. If it fails, it will close the
connection. In this case, we were just reporting the standard
I/O error. The original RPC code had a special case hack for the
GNUTLS_E_UNEXPECTED_PACKET_LENGTH error code to make us report
a more useful error message

* src/rpc/virnetclient.c: Return ENOMSG if we get
  GNUTLS_E_UNEXPECTED_PACKET_LENGTH
* src/rpc/virnettlscontext.c: Report cert failure if we
  see ENOMSG
2011-07-15 16:26:07 +01:00
Daniel P. Berrange
c2ddd53614 Fix mistaken order of server cert/key parameters in constructor
The virNetTLSContextNew was being passed key/cert parameters in
the wrong order. This wasn't immediately visible because if
virNetTLSContextNewPath was used, a second bug reversed the order
of those parameters again.

Only if the paths were manually specified in /etc/libvirt/libvirtd.conf
did the bug appear

* src/rpc/virnettlscontext.c: Fix order of params passed to
  virNetTLSContextNew
2011-07-08 16:19:57 +01:00
Daniel P. Berrange
30fd0bbbfc Generic module for handling TLS encryption and x509 certs
This provides two modules for handling TLS

 * virNetTLSContext provides the process-wide state, in particular
   all the x509 credentials, DH params and x509 whitelists
 * virNetTLSSession provides the per-connection state, ie the
   TLS session itself.

The virNetTLSContext provides APIs for validating a TLS session's
x509 credentials. The virNetTLSSession includes APIs for performing
the initial TLS handshake and sending/recving encrypted data

* src/Makefile.am: Add to libvirt-net-rpc.la
* src/rpc/virnettlscontext.c, src/rpc/virnettlscontext.h: Generic
  TLS handling code
2011-06-24 11:48:22 +01:00