ui/vnc-tls.c

   1 /*
   2  * QEMU VNC display driver: TLS helpers
   3  *
   4  * Copyright (C) 2006 Anthony Liguori <anthony@codemonkey.ws>
   5  * Copyright (C) 2006 Fabrice Bellard
   6  * Copyright (C) 2009 Red Hat, Inc
   7  *
   8  * Permission is hereby granted, free of charge, to any person obtaining a copy
   9  * of this software and associated documentation files (the "Software"), to deal
  10  * in the Software without restriction, including without limitation the rights
  11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  12  * copies of the Software, and to permit persons to whom the Software is
  13  * furnished to do so, subject to the following conditions:
  14  *
  15  * The above copyright notice and this permission notice shall be included in
  16  * all copies or substantial portions of the Software.
  17  *
  18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
  21  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  24  * THE SOFTWARE.
  25  */
  26
  27 #include "qemu-x509.h"
  28 #include "vnc.h"
  29 #include "qemu/sockets.h"
  30
  31 #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2
  32 /* Very verbose, so only enabled for _VNC_DEBUG >= 2 */
  33 static void vnc_debug_gnutls_log(int level, const char* str) {
  34     VNC_DEBUG("%d %s", level, str);
  35 }
  36 #endif /* defined(_VNC_DEBUG) && _VNC_DEBUG >= 2 */
  37
  38
  39 #define DH_BITS 1024
  40 static gnutls_dh_params_t dh_params;
  41
  42 static int vnc_tls_initialize(void)
  43 {
  44     static int tlsinitialized = 0;
  45
  46     if (tlsinitialized)
  47         return 1;
  48
  49     if (gnutls_global_init () < 0)
  50         return 0;
  51
  52     /* XXX ought to re-generate diffie-hellman params periodically */
  53     if (gnutls_dh_params_init (&dh_params) < 0)
  54         return 0;
  55     if (gnutls_dh_params_generate2 (dh_params, DH_BITS) < 0)
  56         return 0;
  57
  58 #if defined(_VNC_DEBUG) && _VNC_DEBUG >= 2
  59     gnutls_global_set_log_level(10);
  60     gnutls_global_set_log_function(vnc_debug_gnutls_log);
  61 #endif
  62
  63     tlsinitialized = 1;
  64
  65     return 1;
  66 }
  67
  68 static ssize_t vnc_tls_push(gnutls_transport_ptr_t transport,
  69                             const void *data,
  70                             size_t len) {
  71     struct VncState *vs = (struct VncState *)transport;
  72     int ret;
  73
  74  retry:
  75     ret = send(vs->csock, data, len, 0);
  76     if (ret < 0) {
  77         if (errno == EINTR)
  78             goto retry;
  79         return -1;
  80     }
  81     return ret;
  82 }
  83
  84
  85 static ssize_t vnc_tls_pull(gnutls_transport_ptr_t transport,
  86                             void *data,
  87                             size_t len) {
  88     struct VncState *vs = (struct VncState *)transport;
  89     int ret;
  90
  91  retry:
  92     ret = qemu_recv(vs->csock, data, len, 0);
  93     if (ret < 0) {
  94         if (errno == EINTR)
  95             goto retry;
  96         return -1;
  97     }
  98     return ret;
  99 }
 100
 101
 102 static gnutls_anon_server_credentials_t vnc_tls_initialize_anon_cred(void)
 103 {
 104     gnutls_anon_server_credentials_t anon_cred;
 105     int ret;
 106
 107     if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) {
 108         VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
 109         return NULL;
 110     }
 111
 112     gnutls_anon_set_server_dh_params(anon_cred, dh_params);
 113
 114     return anon_cred;
 115 }
 116
 117
 118 static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncDisplay *vd)
 119 {
 120     gnutls_certificate_credentials_t x509_cred;
 121     int ret;
 122
 123     if (!vd->tls.x509cacert) {
 124         VNC_DEBUG("No CA x509 certificate specified\n");
 125         return NULL;
 126     }
 127     if (!vd->tls.x509cert) {
 128         VNC_DEBUG("No server x509 certificate specified\n");
 129         return NULL;
 130     }
 131     if (!vd->tls.x509key) {
 132         VNC_DEBUG("No server private key specified\n");
 133         return NULL;
 134     }
 135
 136     if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) {
 137         VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
 138         return NULL;
 139     }
 140     if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred,
 141                                                       vd->tls.x509cacert,
 142                                                       GNUTLS_X509_FMT_PEM)) < 0) {
 143         VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret));
 144         gnutls_certificate_free_credentials(x509_cred);
 145         return NULL;
 146     }
 147
 148     if ((ret = gnutls_certificate_set_x509_key_file (x509_cred,
 149                                                      vd->tls.x509cert,
 150                                                      vd->tls.x509key,
 151                                                      GNUTLS_X509_FMT_PEM)) < 0) {
 152         VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret));
 153         gnutls_certificate_free_credentials(x509_cred);
 154         return NULL;
 155     }
 156
 157     if (vd->tls.x509cacrl) {
 158         if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred,
 159                                                         vd->tls.x509cacrl,
 160                                                         GNUTLS_X509_FMT_PEM)) < 0) {
 161             VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret));
 162             gnutls_certificate_free_credentials(x509_cred);
 163             return NULL;
 164         }
 165     }
 166
 167     gnutls_certificate_set_dh_params (x509_cred, dh_params);
 168
 169     return x509_cred;
 170 }
 171
 172
 173 int vnc_tls_validate_certificate(struct VncState *vs)
 174 {
 175     int ret;
 176     unsigned int status;
 177     const gnutls_datum_t *certs;
 178     unsigned int nCerts, i;
 179     time_t now;
 180
 181     VNC_DEBUG("Validating client certificate\n");
 182     if ((ret = gnutls_certificate_verify_peers2 (vs->tls.session, &status)) < 0) {
 183         VNC_DEBUG("Verify failed %s\n", gnutls_strerror(ret));
 184         return -1;
 185     }
 186
 187     if ((now = time(NULL)) == ((time_t)-1)) {
 188         return -1;
 189     }
 190
 191     if (status != 0) {
 192         if (status & GNUTLS_CERT_INVALID)
 193             VNC_DEBUG("The certificate is not trusted.\n");
 194
 195         if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
 196             VNC_DEBUG("The certificate hasn't got a known issuer.\n");
 197
 198         if (status & GNUTLS_CERT_REVOKED)
 199             VNC_DEBUG("The certificate has been revoked.\n");
 200
 201         if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
 202             VNC_DEBUG("The certificate uses an insecure algorithm\n");
 203
 204         return -1;
 205     } else {
 206         VNC_DEBUG("Certificate is valid!\n");
 207     }
 208
 209     /* Only support x509 for now */
 210     if (gnutls_certificate_type_get(vs->tls.session) != GNUTLS_CRT_X509)
 211         return -1;
 212
 213     if (!(certs = gnutls_certificate_get_peers(vs->tls.session, &nCerts)))
 214         return -1;
 215
 216     for (i = 0 ; i < nCerts ; i++) {
 217         gnutls_x509_crt_t cert;
 218         VNC_DEBUG ("Checking certificate chain %d\n", i);
 219         if (gnutls_x509_crt_init (&cert) < 0)
 220             return -1;
 221
 222         if (gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER) < 0) {
 223             gnutls_x509_crt_deinit (cert);
 224             return -1;
 225         }
 226
 227         if (gnutls_x509_crt_get_expiration_time (cert) < now) {
 228             VNC_DEBUG("The certificate has expired\n");
 229             gnutls_x509_crt_deinit (cert);
 230             return -1;
 231         }
 232
 233         if (gnutls_x509_crt_get_activation_time (cert) > now) {
 234             VNC_DEBUG("The certificate is not yet activated\n");
 235             gnutls_x509_crt_deinit (cert);
 236             return -1;
 237         }
 238
 239         if (gnutls_x509_crt_get_activation_time (cert) > now) {
 240             VNC_DEBUG("The certificate is not yet activated\n");
 241             gnutls_x509_crt_deinit (cert);
 242             return -1;
 243         }
 244
 245         if (i == 0) {
 246             size_t dnameSize = 1024;
 247             vs->tls.dname = g_malloc(dnameSize);
 248         requery:
 249             if ((ret = gnutls_x509_crt_get_dn (cert, vs->tls.dname, &dnameSize)) != 0) {
 250                 if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
 251                     vs->tls.dname = g_realloc(vs->tls.dname, dnameSize);
 252                     goto requery;
 253                 }
 254                 gnutls_x509_crt_deinit (cert);
 255                 VNC_DEBUG("Cannot get client distinguished name: %s",
 256                           gnutls_strerror (ret));
 257                 return -1;
 258             }
 259
 260             if (vs->vd->tls.x509verify) {
 261                 int allow;
 262                 if (!vs->vd->tls.acl) {
 263                     VNC_DEBUG("no ACL activated, allowing access");
 264                     gnutls_x509_crt_deinit (cert);
 265                     continue;
 266                 }
 267
 268                 allow = qemu_acl_party_is_allowed(vs->vd->tls.acl,
 269                                                   vs->tls.dname);
 270
 271                 VNC_DEBUG("TLS x509 ACL check for %s is %s\n",
 272                           vs->tls.dname, allow ? "allowed" : "denied");
 273                 if (!allow) {
 274                     gnutls_x509_crt_deinit (cert);
 275                     return -1;
 276                 }
 277             }
 278         }
 279
 280         gnutls_x509_crt_deinit (cert);
 281     }
 282
 283     return 0;
 284 }
 285
 286 #if defined(GNUTLS_VERSION_NUMBER) && \
 287     GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
 288
 289 static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
 290 {
 291     const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH";
 292     int rc;
 293
 294     rc = gnutls_priority_set_direct(s, priority, NULL);
 295     if (rc != GNUTLS_E_SUCCESS) {
 296         return -1;
 297     }
 298     return 0;
 299 }
 300
 301 #else
 302
 303 static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
 304 {
 305     static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
 306     static const int protocols[] = {
 307         GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
 308     };
 309     static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };
 310     static const int kx_x509[] = {
 311         GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
 312         GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
 313     };
 314     int rc;
 315
 316     rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
 317     if (rc != GNUTLS_E_SUCCESS) {
 318         return -1;
 319     }
 320
 321     rc = gnutls_certificate_type_set_priority(s, cert_types);
 322     if (rc != GNUTLS_E_SUCCESS) {
 323         return -1;
 324     }
 325
 326     rc = gnutls_protocol_set_priority(s, protocols);
 327     if (rc != GNUTLS_E_SUCCESS) {
 328         return -1;
 329     }
 330     return 0;
 331 }
 332
 333 #endif
 334
 335 int vnc_tls_client_setup(struct VncState *vs,
 336                          int needX509Creds) {
 337     VncStateTLS *tls;
 338
 339     VNC_DEBUG("Do TLS setup\n");
 340 #ifdef CONFIG_VNC_WS
 341     if (vs->websocket) {
 342         tls = &vs->ws_tls;
 343     } else
 344 #endif /* CONFIG_VNC_WS */
 345     {
 346         tls = &vs->tls;
 347     }
 348     if (vnc_tls_initialize() < 0) {
 349         VNC_DEBUG("Failed to init TLS\n");
 350         vnc_client_error(vs);
 351         return -1;
 352     }
 353     if (tls->session == NULL) {
 354         if (gnutls_init(&tls->session, GNUTLS_SERVER) < 0) {
 355             vnc_client_error(vs);
 356             return -1;
 357         }
 358
 359         if (gnutls_set_default_priority(tls->session) < 0) {
 360             gnutls_deinit(tls->session);
 361             tls->session = NULL;
 362             vnc_client_error(vs);
 363             return -1;
 364         }
 365
 366         if (vnc_set_gnutls_priority(tls->session, needX509Creds) < 0) {
 367             gnutls_deinit(tls->session);
 368             tls->session = NULL;
 369             vnc_client_error(vs);
 370             return -1;
 371         }
 372
 373         if (needX509Creds) {
 374             gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs->vd);
 375             if (!x509_cred) {
 376                 gnutls_deinit(tls->session);
 377                 tls->session = NULL;
 378                 vnc_client_error(vs);
 379                 return -1;
 380             }
 381             if (gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, x509_cred) < 0) {
 382                 gnutls_deinit(tls->session);
 383                 tls->session = NULL;
 384                 gnutls_certificate_free_credentials(x509_cred);
 385                 vnc_client_error(vs);
 386                 return -1;
 387             }
 388             if (vs->vd->tls.x509verify) {
 389                 VNC_DEBUG("Requesting a client certificate\n");
 390                 gnutls_certificate_server_set_request (tls->session, GNUTLS_CERT_REQUEST);
 391             }
 392
 393         } else {
 394             gnutls_anon_server_credentials_t anon_cred = vnc_tls_initialize_anon_cred();
 395             if (!anon_cred) {
 396                 gnutls_deinit(tls->session);
 397                 tls->session = NULL;
 398                 vnc_client_error(vs);
 399                 return -1;
 400             }
 401             if (gnutls_credentials_set(tls->session, GNUTLS_CRD_ANON, anon_cred) < 0) {
 402                 gnutls_deinit(tls->session);
 403                 tls->session = NULL;
 404                 gnutls_anon_free_server_credentials(anon_cred);
 405                 vnc_client_error(vs);
 406                 return -1;
 407             }
 408         }
 409
 410         gnutls_transport_set_ptr(tls->session, (gnutls_transport_ptr_t)vs);
 411         gnutls_transport_set_push_function(tls->session, vnc_tls_push);
 412         gnutls_transport_set_pull_function(tls->session, vnc_tls_pull);
 413     }
 414     return 0;
 415 }
 416
 417
 418 void vnc_tls_client_cleanup(struct VncState *vs)
 419 {
 420     if (vs->tls.session) {
 421         gnutls_deinit(vs->tls.session);
 422         vs->tls.session = NULL;
 423     }
 424     vs->tls.wiremode = VNC_WIREMODE_CLEAR;
 425     g_free(vs->tls.dname);
 426 #ifdef CONFIG_VNC_WS
 427     if (vs->ws_tls.session) {
 428         gnutls_deinit(vs->ws_tls.session);
 429         vs->ws_tls.session = NULL;
 430     }
 431     vs->ws_tls.wiremode = VNC_WIREMODE_CLEAR;
 432     g_free(vs->ws_tls.dname);
 433 #endif /* CONFIG_VNC_WS */
 434 }
 435
 436
 437
 438 static int vnc_set_x509_credential(VncDisplay *vd,
 439                                    const char *certdir,
 440                                    const char *filename,
 441                                    char **cred,
 442                                    int ignoreMissing)
 443 {
 444     struct stat sb;
 445
 446     if (*cred) {
 447         g_free(*cred);
 448         *cred = NULL;
 449     }
 450
 451     *cred = g_malloc(strlen(certdir) + strlen(filename) + 2);
 452
 453     strcpy(*cred, certdir);
 454     strcat(*cred, "/");
 455     strcat(*cred, filename);
 456
 457     VNC_DEBUG("Check %s\n", *cred);
 458     if (stat(*cred, &sb) < 0) {
 459         g_free(*cred);
 460         *cred = NULL;
 461         if (ignoreMissing && errno == ENOENT)
 462             return 0;
 463         return -1;
 464     }
 465
 466     return 0;
 467 }
 468
 469
 470 int vnc_tls_set_x509_creds_dir(VncDisplay *vd,
 471                                const char *certdir)
 472 {
 473     if (vnc_set_x509_credential(vd, certdir, X509_CA_CERT_FILE, &vd->tls.x509cacert, 0) < 0)
 474         goto cleanup;
 475     if (vnc_set_x509_credential(vd, certdir, X509_CA_CRL_FILE, &vd->tls.x509cacrl, 1) < 0)
 476         goto cleanup;
 477     if (vnc_set_x509_credential(vd, certdir, X509_SERVER_CERT_FILE, &vd->tls.x509cert, 0) < 0)
 478         goto cleanup;
 479     if (vnc_set_x509_credential(vd, certdir, X509_SERVER_KEY_FILE, &vd->tls.x509key, 0) < 0)
 480         goto cleanup;
 481
 482     return 0;
 483
 484  cleanup:
 485     g_free(vd->tls.x509cacert);
 486     g_free(vd->tls.x509cacrl);
 487     g_free(vd->tls.x509cert);
 488     g_free(vd->tls.x509key);
 489     vd->tls.x509cacert = vd->tls.x509cacrl = vd->tls.x509cert = vd->tls.x509key = NULL;
 490     return -1;
 491 }
 492