1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |
11 | |
12 | |
13 | |
14 | |
15 | |
16 | |
17 | |
18 | |
19 | |
20 | |
21 | |
22 | |
23 | |
24 | |
25 | |
26 | |
27 | #include "qemu-x509.h" |
28 | #include "vnc.h" |
29 | #include "qemu_socket.h" |
30 | |
31 | #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 |
32 | |
33 | static void vnc_debug_gnutls_log(int level, const char* str) { |
34 | VNC_DEBUG("%d %s", level, str)do { } while (0); |
35 | } |
36 | #endif /* defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 */ |
37 | |
38 | |
39 | #define DH_BITS1024 1024 |
40 | static gnutls_dh_params_t dh_params; |
41 | |
42 | static int vnc_tls_initialize(void) |
43 | { |
44 | static int tlsinitialized = 0; |
45 | |
46 | if (tlsinitialized) |
47 | return 1; |
48 | |
49 | if (gnutls_global_init () < 0) |
50 | return 0; |
51 | |
52 | |
53 | if (gnutls_dh_params_init (&dh_params) < 0) |
54 | return 0; |
55 | if (gnutls_dh_params_generate2 (dh_params, DH_BITS1024) < 0) |
56 | return 0; |
57 | |
58 | #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 |
59 | gnutls_global_set_log_level(10); |
60 | gnutls_global_set_log_function(vnc_debug_gnutls_log); |
61 | #endif |
62 | |
63 | tlsinitialized = 1; |
64 | |
65 | return 1; |
66 | } |
67 | |
68 | static ssize_t vnc_tls_push(gnutls_transport_ptr_t transport, |
69 | const void *data, |
70 | size_t len) { |
71 | struct VncState *vs = (struct VncState *)transport; |
72 | int ret; |
73 | |
74 | retry: |
75 | ret = send(vs->csock, data, len, 0); |
76 | if (ret < 0) { |
77 | if (errno(*__errno_location ()) == EINTR4) |
78 | goto retry; |
79 | return -1; |
80 | } |
81 | return ret; |
82 | } |
83 | |
84 | |
85 | static ssize_t vnc_tls_pull(gnutls_transport_ptr_t transport, |
86 | void *data, |
87 | size_t len) { |
88 | struct VncState *vs = (struct VncState *)transport; |
89 | int ret; |
90 | |
91 | retry: |
92 | ret = qemu_recv(vs->csock, data, len, 0)recv(vs->csock, data, len, 0); |
93 | if (ret < 0) { |
94 | if (errno(*__errno_location ()) == EINTR4) |
95 | goto retry; |
96 | return -1; |
97 | } |
98 | return ret; |
99 | } |
100 | |
101 | |
102 | static gnutls_anon_server_credentialsgnutls_anon_server_credentials_t vnc_tls_initialize_anon_cred(void) |
103 | { |
104 | gnutls_anon_server_credentialsgnutls_anon_server_credentials_t anon_cred; |
105 | int ret; |
106 | |
107 | if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) { |
108 | VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret))do { } while (0); |
109 | return NULL((void*)0); |
110 | } |
111 | |
112 | gnutls_anon_set_server_dh_params(anon_cred, dh_params); |
113 | |
114 | return anon_cred; |
115 | } |
116 | |
117 | |
118 | static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncDisplay *vd) |
119 | { |
120 | gnutls_certificate_credentials_t x509_cred; |
121 | int ret; |
122 | |
123 | if (!vd->tls.x509cacert) { |
124 | VNC_DEBUG("No CA x509 certificate specified\n")do { } while (0); |
125 | return NULL((void*)0); |
126 | } |
127 | if (!vd->tls.x509cert) { |
128 | VNC_DEBUG("No server x509 certificate specified\n")do { } while (0); |
129 | return NULL((void*)0); |
130 | } |
131 | if (!vd->tls.x509key) { |
132 | VNC_DEBUG("No server private key specified\n")do { } while (0); |
133 | return NULL((void*)0); |
134 | } |
135 | |
136 | if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) { |
| Although the value stored to 'ret' is used in the enclosing expression, the value is never actually read from 'ret' |
137 | VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret))do { } while (0); |
138 | return NULL((void*)0); |
139 | } |
140 | if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred, |
141 | vd->tls.x509cacert, |
142 | GNUTLS_X509_FMT_PEM)) < 0) { |
143 | VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret))do { } while (0); |
144 | gnutls_certificate_free_credentials(x509_cred); |
145 | return NULL((void*)0); |
146 | } |
147 | |
148 | if ((ret = gnutls_certificate_set_x509_key_file (x509_cred, |
149 | vd->tls.x509cert, |
150 | vd->tls.x509key, |
151 | GNUTLS_X509_FMT_PEM)) < 0) { |
152 | VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret))do { } while (0); |
153 | gnutls_certificate_free_credentials(x509_cred); |
154 | return NULL((void*)0); |
155 | } |
156 | |
157 | if (vd->tls.x509cacrl) { |
158 | if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred, |
159 | vd->tls.x509cacrl, |
160 | GNUTLS_X509_FMT_PEM)) < 0) { |
161 | VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret))do { } while (0); |
162 | gnutls_certificate_free_credentials(x509_cred); |
163 | return NULL((void*)0); |
164 | } |
165 | } |
166 | |
167 | gnutls_certificate_set_dh_params (x509_cred, dh_params); |
168 | |
169 | return x509_cred; |
170 | } |
171 | |
172 | |
173 | int vnc_tls_validate_certificate(struct VncState *vs) |
174 | { |
175 | int ret; |
176 | unsigned int status; |
177 | const gnutls_datum_t *certs; |
178 | unsigned int nCerts, i; |
179 | time_t now; |
180 | |
181 | VNC_DEBUG("Validating client certificate\n")do { } while (0); |
182 | if ((ret = gnutls_certificate_verify_peers2 (vs->tls.session, &status)) < 0) { |
183 | VNC_DEBUG("Verify failed %s\n", gnutls_strerror(ret))do { } while (0); |
184 | return -1; |
185 | } |
186 | |
187 | if ((now = time(NULL((void*)0))) == ((time_t)-1)) { |
188 | return -1; |
189 | } |
190 | |
191 | if (status != 0) { |
192 | if (status & GNUTLS_CERT_INVALID) |
193 | VNC_DEBUG("The certificate is not trusted.\n")do { } while (0); |
194 | |
195 | if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) |
196 | VNC_DEBUG("The certificate hasn't got a known issuer.\n")do { } while (0); |
197 | |
198 | if (status & GNUTLS_CERT_REVOKED) |
199 | VNC_DEBUG("The certificate has been revoked.\n")do { } while (0); |
200 | |
201 | if (status & GNUTLS_CERT_INSECURE_ALGORITHM) |
202 | VNC_DEBUG("The certificate uses an insecure algorithm\n")do { } while (0); |
203 | |
204 | return -1; |
205 | } else { |
206 | VNC_DEBUG("Certificate is valid!\n")do { } while (0); |
207 | } |
208 | |
209 | |
210 | if (gnutls_certificate_type_get(vs->tls.session) != GNUTLS_CRT_X509) |
211 | return -1; |
212 | |
213 | if (!(certs = gnutls_certificate_get_peers(vs->tls.session, &nCerts))) |
214 | return -1; |
215 | |
216 | for (i = 0 ; i < nCerts ; i++) { |
217 | gnutls_x509_crt_t cert; |
218 | VNC_DEBUG ("Checking certificate chain %d\n", i)do { } while (0); |
219 | if (gnutls_x509_crt_init (&cert) < 0) |
220 | return -1; |
221 | |
222 | if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) { |
223 | gnutls_x509_crt_deinit (cert); |
224 | return -1; |
225 | } |
226 | |
227 | if (gnutls_x509_crt_get_expiration_time (cert) < now) { |
228 | VNC_DEBUG("The certificate has expired\n")do { } while (0); |
229 | gnutls_x509_crt_deinit (cert); |
230 | return -1; |
231 | } |
232 | |
233 | if (gnutls_x509_crt_get_activation_time (cert) > now) { |
234 | VNC_DEBUG("The certificate is not yet activated\n")do { } while (0); |
235 | gnutls_x509_crt_deinit (cert); |
236 | return -1; |
237 | } |
238 | |
239 | if (gnutls_x509_crt_get_activation_time (cert) > now) { |
240 | VNC_DEBUG("The certificate is not yet activated\n")do { } while (0); |
241 | gnutls_x509_crt_deinit (cert); |
242 | return -1; |
243 | } |
244 | |
245 | if (i == 0) { |
246 | size_t dnameSize = 1024; |
247 | vs->tls.dname = g_malloc(dnameSize); |
248 | requery: |
249 | if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) { |
250 | if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER-51) { |
251 | vs->tls.dname = g_realloc(vs->tls.dname, dnameSize); |
252 | goto requery; |
253 | } |
254 | gnutls_x509_crt_deinit (cert); |
255 | VNC_DEBUG("Cannot get client distinguished name: %s",do { } while (0) |
256 | gnutls_strerror (ret))do { } while (0); |
257 | return -1; |
258 | } |
259 | |
260 | if (vs->vd->tls.x509verify) { |
261 | int allow; |
262 | if (!vs->vd->tls.acl) { |
263 | VNC_DEBUG("no ACL activated, allowing access")do { } while (0); |
264 | gnutls_x509_crt_deinit (cert); |
265 | continue; |
266 | } |
267 | |
268 | allow = qemu_acl_party_is_allowed(vs->vd->tls.acl, |
269 | vs->tls.dname); |
270 | |
271 | VNC_DEBUG("TLS x509 ACL check for %s is %s\n",do { } while (0) |
272 | vs->tls.dname, allow ? "allowed" : "denied")do { } while (0); |
273 | if (!allow) { |
274 | gnutls_x509_crt_deinit (cert); |
275 | return -1; |
276 | } |
277 | } |
278 | } |
279 | |
280 | gnutls_x509_crt_deinit (cert); |
281 | } |
282 | |
283 | return 0; |
284 | } |
285 | |
286 | #if defined(GNUTLS_VERSION_NUMBER0x020806) && \ |
287 | GNUTLS_VERSION_NUMBER0x020806 >= 0x020200 /* 2.2.0 */ |
288 | |
289 | static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) |
290 | { |
291 | const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH"; |
292 | int rc; |
293 | |
294 | rc = gnutls_priority_set_direct(s, priority, NULL((void*)0)); |
295 | if (rc != GNUTLS_E_SUCCESS0) { |
296 | return -1; |
297 | } |
298 | return 0; |
299 | } |
300 | |
301 | #else |
302 | |
303 | static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) |
304 | { |
305 | static const int cert_types[] = { GNUTLS_CRT_X509, 0 }; |
306 | static const int protocols[] = { |
307 | GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 |
308 | }; |
309 | static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 }; |
310 | static const int kx_x509[] = { |
311 | GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, |
312 | GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 |
313 | }; |
314 | int rc; |
315 | |
316 | rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon); |
317 | if (rc != GNUTLS_E_SUCCESS0) { |
318 | return -1; |
319 | } |
320 | |
321 | rc = gnutls_certificate_type_set_priority(s, cert_types); |
322 | if (rc != GNUTLS_E_SUCCESS0) { |
323 | return -1; |
324 | } |
325 | |
326 | rc = gnutls_protocol_set_priority(s, protocols); |
327 | if (rc != GNUTLS_E_SUCCESS0) { |
328 | return -1; |
329 | } |
330 | return 0; |
331 | } |
332 | |
333 | #endif |
334 | |
335 | int vnc_tls_client_setup(struct VncState *vs, |
336 | int needX509Creds) { |
337 | |
338 | VNC_DEBUG("Do TLS setup\n")do { } while (0); |
339 | if (vnc_tls_initialize() < 0) { |
340 | VNC_DEBUG("Failed to init TLS\n")do { } while (0); |
341 | vnc_client_error(vs); |
342 | return -1; |
343 | } |
344 | if (vs->tls.session == NULL((void*)0)) { |
345 | if (gnutls_init(&vs->tls.session, GNUTLS_SERVER) < 0) { |
346 | vnc_client_error(vs); |
347 | return -1; |
348 | } |
349 | |
350 | if (gnutls_set_default_priority(vs->tls.session) < 0) { |
351 | gnutls_deinit(vs->tls.session); |
352 | vs->tls.session = NULL((void*)0); |
353 | vnc_client_error(vs); |
354 | return -1; |
355 | } |
356 | |
357 | if (vnc_set_gnutls_priority(vs->tls.session, needX509Creds) < 0) { |
358 | gnutls_deinit(vs->tls.session); |
359 | vs->tls.session = NULL((void*)0); |
360 | vnc_client_error(vs); |
361 | return -1; |
362 | } |
363 | |
364 | if (needX509Creds) { |
365 | gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs->vd); |
366 | if (!x509_cred) { |
367 | gnutls_deinit(vs->tls.session); |
368 | vs->tls.session = NULL((void*)0); |
369 | vnc_client_error(vs); |
370 | return -1; |
371 | } |
372 | if (gnutls_credentials_set(vs->tls.session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) { |
373 | gnutls_deinit(vs->tls.session); |
374 | vs->tls.session = NULL((void*)0); |
375 | gnutls_certificate_free_credentials(x509_cred); |
376 | vnc_client_error(vs); |
377 | return -1; |
378 | } |
379 | if (vs->vd->tls.x509verify) { |
380 | VNC_DEBUG("Requesting a client certificate\n")do { } while (0); |
381 | gnutls_certificate_server_set_request (vs->tls.session, GNUTLS_CERT_REQUEST); |
382 | } |
383 | |
384 | } else { |
385 | gnutls_anon_server_credentialsgnutls_anon_server_credentials_t anon_cred = vnc_tls_initialize_anon_cred(); |
386 | if (!anon_cred) { |
387 | gnutls_deinit(vs->tls.session); |
388 | vs->tls.session = NULL((void*)0); |
389 | vnc_client_error(vs); |
390 | return -1; |
391 | } |
392 | if (gnutls_credentials_set(vs->tls.session, GNUTLS_CRD_ANON, anon_cred) < 0) { |
393 | gnutls_deinit(vs->tls.session); |
394 | vs->tls.session = NULL((void*)0); |
395 | gnutls_anon_free_server_credentials(anon_cred); |
396 | vnc_client_error(vs); |
397 | return -1; |
398 | } |
399 | } |
400 | |
401 | gnutls_transport_set_ptr(vs->tls.session, (gnutls_transport_ptr_t)vs); |
402 | gnutls_transport_set_push_function(vs->tls.session, vnc_tls_push); |
403 | gnutls_transport_set_pull_function(vs->tls.session, vnc_tls_pull); |
404 | } |
405 | return 0; |
406 | } |
407 | |
408 | |
409 | void vnc_tls_client_cleanup(struct VncState *vs) |
410 | { |
411 | if (vs->tls.session) { |
412 | gnutls_deinit(vs->tls.session); |
413 | vs->tls.session = NULL((void*)0); |
414 | } |
415 | vs->tls.wiremode = VNC_WIREMODE_CLEAR; |
416 | g_free(vs->tls.dname); |
417 | } |
418 | |
419 | |
420 | |
421 | static int vnc_set_x509_credential(VncDisplay *vd, |
422 | const char *certdir, |
423 | const char *filename, |
424 | char **cred, |
425 | int ignoreMissing) |
426 | { |
427 | struct stat sb; |
428 | |
429 | if (*cred) { |
430 | g_free(*cred); |
431 | *cred = NULL((void*)0); |
432 | } |
433 | |
434 | *cred = g_malloc(strlen(certdir) + strlen(filename) + 2); |
435 | |
436 | strcpy(*cred, certdir); |
437 | strcat(*cred, "/"); |
438 | strcat(*cred, filename); |
439 | |
440 | VNC_DEBUG("Check %s\n", *cred)do { } while (0); |
441 | if (stat(*cred, &sb) < 0) { |
442 | g_free(*cred); |
443 | *cred = NULL((void*)0); |
444 | if (ignoreMissing && errno(*__errno_location ()) == ENOENT2) |
445 | return 0; |
446 | return -1; |
447 | } |
448 | |
449 | return 0; |
450 | } |
451 | |
452 | |
453 | int vnc_tls_set_x509_creds_dir(VncDisplay *vd, |
454 | const char *certdir) |
455 | { |
456 | if (vnc_set_x509_credential(vd, certdir, X509_CA_CERT_FILE"ca-cert.pem", &vd->tls.x509cacert, 0) < 0) |
457 | goto cleanup; |
458 | if (vnc_set_x509_credential(vd, certdir, X509_CA_CRL_FILE"ca-crl.pem", &vd->tls.x509cacrl, 1) < 0) |
459 | goto cleanup; |
460 | if (vnc_set_x509_credential(vd, certdir, X509_SERVER_CERT_FILE"server-cert.pem", &vd->tls.x509cert, 0) < 0) |
461 | goto cleanup; |
462 | if (vnc_set_x509_credential(vd, certdir, X509_SERVER_KEY_FILE"server-key.pem", &vd->tls.x509key, 0) < 0) |
463 | goto cleanup; |
464 | |
465 | return 0; |
466 | |
467 | cleanup: |
468 | g_free(vd->tls.x509cacert); |
469 | g_free(vd->tls.x509cacrl); |
470 | g_free(vd->tls.x509cert); |
471 | g_free(vd->tls.x509key); |
472 | vd->tls.x509cacert = vd->tls.x509cacrl = vd->tls.x509cert = vd->tls.x509key = NULL((void*)0); |
473 | return -1; |
474 | } |
475 | |