2 * QEMU VNC display driver: TLS helpers
4 * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
5 * Copyright (C) 2006 Fabrice Bellard
6 * Copyright (C) 2009 Red Hat, Inc
8 * Permission is hereby granted, free of charge, to any person obtaining a copy
9 * of this software and associated documentation files (the "Software"), to deal
10 * in the Software without restriction, including without limitation the rights
11 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
12 * copies of the Software, and to permit persons to whom the Software is
13 * furnished to do so, subject to the following conditions:
15 * The above copyright notice and this permission notice shall be included in
16 * all copies or substantial portions of the Software.
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
21 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
27 #include "qemu-x509.h"
29 #include "qemu/sockets.h"
31 #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2
32 /* Very verbose, so only enabled for _VNC_DEBUG >= 2 */
33 static void vnc_debug_gnutls_log(int level
, const char* str
) {
34 VNC_DEBUG("%d %s", level
, str
);
36 #endif /* defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 */
40 static gnutls_dh_params_t dh_params
;
42 static int vnc_tls_initialize(void)
44 static int tlsinitialized
= 0;
49 if (gnutls_global_init () < 0)
52 /* XXX ought to re-generate diffie-hellman params periodically */
53 if (gnutls_dh_params_init (&dh_params
) < 0)
55 if (gnutls_dh_params_generate2 (dh_params
, DH_BITS
) < 0)
58 #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2
59 gnutls_global_set_log_level(10);
60 gnutls_global_set_log_function(vnc_debug_gnutls_log
);
68 static ssize_t
vnc_tls_push(gnutls_transport_ptr_t transport
,
71 struct VncState
*vs
= (struct VncState
*)transport
;
75 ret
= send(vs
->csock
, data
, len
, 0);
85 static ssize_t
vnc_tls_pull(gnutls_transport_ptr_t transport
,
88 struct VncState
*vs
= (struct VncState
*)transport
;
92 ret
= qemu_recv(vs
->csock
, data
, len
, 0);
102 static gnutls_anon_server_credentials_t
vnc_tls_initialize_anon_cred(void)
104 gnutls_anon_server_credentials_t anon_cred
;
107 if ((ret
= gnutls_anon_allocate_server_credentials(&anon_cred
)) < 0) {
108 VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret
));
112 gnutls_anon_set_server_dh_params(anon_cred
, dh_params
);
118 static gnutls_certificate_credentials_t
vnc_tls_initialize_x509_cred(VncDisplay
*vd
)
120 gnutls_certificate_credentials_t x509_cred
;
123 if (!vd
->tls
.x509cacert
) {
124 VNC_DEBUG("No CA x509 certificate specified\n");
127 if (!vd
->tls
.x509cert
) {
128 VNC_DEBUG("No server x509 certificate specified\n");
131 if (!vd
->tls
.x509key
) {
132 VNC_DEBUG("No server private key specified\n");
136 if ((ret
= gnutls_certificate_allocate_credentials(&x509_cred
)) < 0) {
137 VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret
));
140 if ((ret
= gnutls_certificate_set_x509_trust_file(x509_cred
,
142 GNUTLS_X509_FMT_PEM
)) < 0) {
143 VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret
));
144 gnutls_certificate_free_credentials(x509_cred
);
148 if ((ret
= gnutls_certificate_set_x509_key_file (x509_cred
,
151 GNUTLS_X509_FMT_PEM
)) < 0) {
152 VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret
));
153 gnutls_certificate_free_credentials(x509_cred
);
157 if (vd
->tls
.x509cacrl
) {
158 if ((ret
= gnutls_certificate_set_x509_crl_file(x509_cred
,
160 GNUTLS_X509_FMT_PEM
)) < 0) {
161 VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret
));
162 gnutls_certificate_free_credentials(x509_cred
);
167 gnutls_certificate_set_dh_params (x509_cred
, dh_params
);
173 int vnc_tls_validate_certificate(struct VncState
*vs
)
177 const gnutls_datum_t
*certs
;
178 unsigned int nCerts
, i
;
181 VNC_DEBUG("Validating client certificate\n");
182 if ((ret
= gnutls_certificate_verify_peers2 (vs
->tls
.session
, &status
)) < 0) {
183 VNC_DEBUG("Verify failed %s\n", gnutls_strerror(ret
));
187 if ((now
= time(NULL
)) == ((time_t)-1)) {
192 if (status
& GNUTLS_CERT_INVALID
)
193 VNC_DEBUG("The certificate is not trusted.\n");
195 if (status
& GNUTLS_CERT_SIGNER_NOT_FOUND
)
196 VNC_DEBUG("The certificate hasn't got a known issuer.\n");
198 if (status
& GNUTLS_CERT_REVOKED
)
199 VNC_DEBUG("The certificate has been revoked.\n");
201 if (status
& GNUTLS_CERT_INSECURE_ALGORITHM
)
202 VNC_DEBUG("The certificate uses an insecure algorithm\n");
206 VNC_DEBUG("Certificate is valid!\n");
209 /* Only support x509 for now */
210 if (gnutls_certificate_type_get(vs
->tls
.session
) != GNUTLS_CRT_X509
)
213 if (!(certs
= gnutls_certificate_get_peers(vs
->tls
.session
, &nCerts
)))
216 for (i
= 0 ; i
< nCerts
; i
++) {
217 gnutls_x509_crt_t cert
;
218 VNC_DEBUG ("Checking certificate chain %d\n", i
);
219 if (gnutls_x509_crt_init (&cert
) < 0)
222 if (gnutls_x509_crt_import(cert
, &certs
[i
], GNUTLS_X509_FMT_DER
) < 0) {
223 gnutls_x509_crt_deinit (cert
);
227 if (gnutls_x509_crt_get_expiration_time (cert
) < now
) {
228 VNC_DEBUG("The certificate has expired\n");
229 gnutls_x509_crt_deinit (cert
);
233 if (gnutls_x509_crt_get_activation_time (cert
) > now
) {
234 VNC_DEBUG("The certificate is not yet activated\n");
235 gnutls_x509_crt_deinit (cert
);
239 if (gnutls_x509_crt_get_activation_time (cert
) > now
) {
240 VNC_DEBUG("The certificate is not yet activated\n");
241 gnutls_x509_crt_deinit (cert
);
246 size_t dnameSize
= 1024;
247 vs
->tls
.dname
= g_malloc(dnameSize
);
249 if ((ret
= gnutls_x509_crt_get_dn (cert
, vs
->tls
.dname
, &dnameSize
)) != 0) {
250 if (ret
== GNUTLS_E_SHORT_MEMORY_BUFFER
) {
251 vs
->tls
.dname
= g_realloc(vs
->tls
.dname
, dnameSize
);
254 gnutls_x509_crt_deinit (cert
);
255 VNC_DEBUG("Cannot get client distinguished name: %s",
256 gnutls_strerror (ret
));
260 if (vs
->vd
->tls
.x509verify
) {
262 if (!vs
->vd
->tls
.acl
) {
263 VNC_DEBUG("no ACL activated, allowing access");
264 gnutls_x509_crt_deinit (cert
);
268 allow
= qemu_acl_party_is_allowed(vs
->vd
->tls
.acl
,
271 VNC_DEBUG("TLS x509 ACL check for %s is %s\n",
272 vs
->tls
.dname
, allow
? "allowed" : "denied");
274 gnutls_x509_crt_deinit (cert
);
280 gnutls_x509_crt_deinit (cert
);
286 #if defined(GNUTLS_VERSION_NUMBER) && \
287 GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
289 static int vnc_set_gnutls_priority(gnutls_session_t s
, int x509
)
291 const char *priority
= x509
? "NORMAL" : "NORMAL:+ANON-DH";
294 rc
= gnutls_priority_set_direct(s
, priority
, NULL
);
295 if (rc
!= GNUTLS_E_SUCCESS
) {
303 static int vnc_set_gnutls_priority(gnutls_session_t s
, int x509
)
305 static const int cert_types
[] = { GNUTLS_CRT_X509
, 0 };
306 static const int protocols
[] = {
307 GNUTLS_TLS1_1
, GNUTLS_TLS1_0
, GNUTLS_SSL3
, 0
309 static const int kx_anon
[] = { GNUTLS_KX_ANON_DH
, 0 };
310 static const int kx_x509
[] = {
311 GNUTLS_KX_DHE_DSS
, GNUTLS_KX_RSA
,
312 GNUTLS_KX_DHE_RSA
, GNUTLS_KX_SRP
, 0
316 rc
= gnutls_kx_set_priority(s
, x509
? kx_x509
: kx_anon
);
317 if (rc
!= GNUTLS_E_SUCCESS
) {
321 rc
= gnutls_certificate_type_set_priority(s
, cert_types
);
322 if (rc
!= GNUTLS_E_SUCCESS
) {
326 rc
= gnutls_protocol_set_priority(s
, protocols
);
327 if (rc
!= GNUTLS_E_SUCCESS
) {
335 int vnc_tls_client_setup(struct VncState
*vs
,
338 VNC_DEBUG("Do TLS setup\n");
339 if (vnc_tls_initialize() < 0) {
340 VNC_DEBUG("Failed to init TLS\n");
341 vnc_client_error(vs
);
344 if (vs
->tls
.session
== NULL
) {
345 if (gnutls_init(&vs
->tls
.session
, GNUTLS_SERVER
) < 0) {
346 vnc_client_error(vs
);
350 if (gnutls_set_default_priority(vs
->tls
.session
) < 0) {
351 gnutls_deinit(vs
->tls
.session
);
352 vs
->tls
.session
= NULL
;
353 vnc_client_error(vs
);
357 if (vnc_set_gnutls_priority(vs
->tls
.session
, needX509Creds
) < 0) {
358 gnutls_deinit(vs
->tls
.session
);
359 vs
->tls
.session
= NULL
;
360 vnc_client_error(vs
);
365 gnutls_certificate_server_credentials x509_cred
= vnc_tls_initialize_x509_cred(vs
->vd
);
367 gnutls_deinit(vs
->tls
.session
);
368 vs
->tls
.session
= NULL
;
369 vnc_client_error(vs
);
372 if (gnutls_credentials_set(vs
->tls
.session
, GNUTLS_CRD_CERTIFICATE
, x509_cred
) < 0) {
373 gnutls_deinit(vs
->tls
.session
);
374 vs
->tls
.session
= NULL
;
375 gnutls_certificate_free_credentials(x509_cred
);
376 vnc_client_error(vs
);
379 if (vs
->vd
->tls
.x509verify
) {
380 VNC_DEBUG("Requesting a client certificate\n");
381 gnutls_certificate_server_set_request (vs
->tls
.session
, GNUTLS_CERT_REQUEST
);
385 gnutls_anon_server_credentials_t anon_cred
= vnc_tls_initialize_anon_cred();
387 gnutls_deinit(vs
->tls
.session
);
388 vs
->tls
.session
= NULL
;
389 vnc_client_error(vs
);
392 if (gnutls_credentials_set(vs
->tls
.session
, GNUTLS_CRD_ANON
, anon_cred
) < 0) {
393 gnutls_deinit(vs
->tls
.session
);
394 vs
->tls
.session
= NULL
;
395 gnutls_anon_free_server_credentials(anon_cred
);
396 vnc_client_error(vs
);
401 gnutls_transport_set_ptr(vs
->tls
.session
, (gnutls_transport_ptr_t
)vs
);
402 gnutls_transport_set_push_function(vs
->tls
.session
, vnc_tls_push
);
403 gnutls_transport_set_pull_function(vs
->tls
.session
, vnc_tls_pull
);
409 void vnc_tls_client_cleanup(struct VncState
*vs
)
411 if (vs
->tls
.session
) {
412 gnutls_deinit(vs
->tls
.session
);
413 vs
->tls
.session
= NULL
;
415 vs
->tls
.wiremode
= VNC_WIREMODE_CLEAR
;
416 g_free(vs
->tls
.dname
);
421 static int vnc_set_x509_credential(VncDisplay
*vd
,
423 const char *filename
,
434 *cred
= g_malloc(strlen(certdir
) + strlen(filename
) + 2);
436 strcpy(*cred
, certdir
);
438 strcat(*cred
, filename
);
440 VNC_DEBUG("Check %s\n", *cred
);
441 if (stat(*cred
, &sb
) < 0) {
444 if (ignoreMissing
&& errno
== ENOENT
)
453 int vnc_tls_set_x509_creds_dir(VncDisplay
*vd
,
456 if (vnc_set_x509_credential(vd
, certdir
, X509_CA_CERT_FILE
, &vd
->tls
.x509cacert
, 0) < 0)
458 if (vnc_set_x509_credential(vd
, certdir
, X509_CA_CRL_FILE
, &vd
->tls
.x509cacrl
, 1) < 0)
460 if (vnc_set_x509_credential(vd
, certdir
, X509_SERVER_CERT_FILE
, &vd
->tls
.x509cert
, 0) < 0)
462 if (vnc_set_x509_credential(vd
, certdir
, X509_SERVER_KEY_FILE
, &vd
->tls
.x509key
, 0) < 0)
468 g_free(vd
->tls
.x509cacert
);
469 g_free(vd
->tls
.x509cacrl
);
470 g_free(vd
->tls
.x509cert
);
471 g_free(vd
->tls
.x509key
);
472 vd
->tls
.x509cacert
= vd
->tls
.x509cacrl
= vd
->tls
.x509cert
= vd
->tls
.x509key
= NULL
;