[qemu.git] / crypto / tlssession.c

/*
 * QEMU crypto TLS session support
 *
 * Copyright (c) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#include "crypto/tlssession.h"
#include "crypto/tlscredsanon.h"
#include "crypto/tlscredsx509.h"
#include "qemu/acl.h"
#include "trace.h"

#ifdef CONFIG_GNUTLS


#include <gnutls/x509.h>


struct QCryptoTLSSession {
    QCryptoTLSCreds *creds;
    gnutls_session_t handle;
    char *hostname;
    char *aclname;
    bool handshakeComplete;
    QCryptoTLSSessionWriteFunc writeFunc;
    QCryptoTLSSessionReadFunc readFunc;
    void *opaque;
    char *peername;
};


void
qcrypto_tls_session_free(QCryptoTLSSession *session)
{
    if (!session) {
        return;
    }

    gnutls_deinit(session->handle);
    g_free(session->hostname);
    g_free(session->peername);
    g_free(session->aclname);
    object_unref(OBJECT(session->creds));
    g_free(session);
}


static ssize_t
qcrypto_tls_session_push(void *opaque, const void *buf, size_t len)
{
    QCryptoTLSSession *session = opaque;

    if (!session->writeFunc) {
        errno = EIO;
        return -1;
    };

    return session->writeFunc(buf, len, session->opaque);
}


static ssize_t
qcrypto_tls_session_pull(void *opaque, void *buf, size_t len)
{
    QCryptoTLSSession *session = opaque;

    if (!session->readFunc) {
        errno = EIO;
        return -1;
    };

    return session->readFunc(buf, len, session->opaque);
}


QCryptoTLSSession *
qcrypto_tls_session_new(QCryptoTLSCreds *creds,
                        const char *hostname,
                        const char *aclname,
                        QCryptoTLSCredsEndpoint endpoint,
                        Error **errp)
{
    QCryptoTLSSession *session;
    int ret;

    session = g_new0(QCryptoTLSSession, 1);
    trace_qcrypto_tls_session_new(
        session, creds, hostname ? hostname : "<none>",
        aclname ? aclname : "<none>", endpoint);

    if (hostname) {
        session->hostname = g_strdup(hostname);
    }
    if (aclname) {
        session->aclname = g_strdup(aclname);
    }
    session->creds = creds;
    object_ref(OBJECT(creds));

    if (creds->endpoint != endpoint) {
        error_setg(errp, "Credentials endpoint doesn't match session");
        goto error;
    }

    if (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
        ret = gnutls_init(&session->handle, GNUTLS_SERVER);
    } else {
        ret = gnutls_init(&session->handle, GNUTLS_CLIENT);
    }
    if (ret < 0) {
        error_setg(errp, "Cannot initialize TLS session: %s",
                   gnutls_strerror(ret));
        goto error;
    }

    if (object_dynamic_cast(OBJECT(creds),
                            TYPE_QCRYPTO_TLS_CREDS_ANON)) {
        QCryptoTLSCredsAnon *acreds = QCRYPTO_TLS_CREDS_ANON(creds);

        ret = gnutls_priority_set_direct(session->handle,
                                         "NORMAL:+ANON-DH", NULL);
        if (ret < 0) {
            error_setg(errp, "Unable to set TLS session priority: %s",
                       gnutls_strerror(ret));
            goto error;
        }
        if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
            ret = gnutls_credentials_set(session->handle,
                                         GNUTLS_CRD_ANON,
                                         acreds->data.server);
        } else {
            ret = gnutls_credentials_set(session->handle,
                                         GNUTLS_CRD_ANON,
                                         acreds->data.client);
        }
        if (ret < 0) {
            error_setg(errp, "Cannot set session credentials: %s",
                       gnutls_strerror(ret));
            goto error;
        }
    } else if (object_dynamic_cast(OBJECT(creds),
                                   TYPE_QCRYPTO_TLS_CREDS_X509)) {
        QCryptoTLSCredsX509 *tcreds = QCRYPTO_TLS_CREDS_X509(creds);

        ret = gnutls_set_default_priority(session->handle);
        if (ret < 0) {
            error_setg(errp, "Cannot set default TLS session priority: %s",
                       gnutls_strerror(ret));
            goto error;
        }
        ret = gnutls_credentials_set(session->handle,
                                     GNUTLS_CRD_CERTIFICATE,
                                     tcreds->data);
        if (ret < 0) {
            error_setg(errp, "Cannot set session credentials: %s",
                       gnutls_strerror(ret));
            goto error;
        }

        if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
            /* This requests, but does not enforce a client cert.
             * The cert checking code later does enforcement */
            gnutls_certificate_server_set_request(session->handle,
                                                  GNUTLS_CERT_REQUEST);
        }
    } else {
        error_setg(errp, "Unsupported TLS credentials type %s",
                   object_get_typename(OBJECT(creds)));
        goto error;
    }

    gnutls_transport_set_ptr(session->handle, session);
    gnutls_transport_set_push_function(session->handle,
                                       qcrypto_tls_session_push);
    gnutls_transport_set_pull_function(session->handle,
                                       qcrypto_tls_session_pull);

    return session;

 error:
    qcrypto_tls_session_free(session);
    return NULL;
}

static int
qcrypto_tls_session_check_certificate(QCryptoTLSSession *session,
                                      Error **errp)
{
    int ret;
    unsigned int status;
    const gnutls_datum_t *certs;
    unsigned int nCerts, i;
    time_t now;
    gnutls_x509_crt_t cert = NULL;

    now = time(NULL);
    if (now == ((time_t)-1)) {
        error_setg_errno(errp, errno, "Cannot get current time");
        return -1;
    }

    ret = gnutls_certificate_verify_peers2(session->handle, &status);
    if (ret < 0) {
        error_setg(errp, "Verify failed: %s", gnutls_strerror(ret));
        return -1;
    }

    if (status != 0) {
        const char *reason = "Invalid certificate";

        if (status & GNUTLS_CERT_INVALID) {
            reason = "The certificate is not trusted";
        }

        if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
            reason = "The certificate hasn't got a known issuer";
        }

        if (status & GNUTLS_CERT_REVOKED) {
            reason = "The certificate has been revoked";
        }

        if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
            reason = "The certificate uses an insecure algorithm";
        }

        error_setg(errp, "%s", reason);
        return -1;
    }

    certs = gnutls_certificate_get_peers(session->handle, &nCerts);
    if (!certs) {
        error_setg(errp, "No certificate peers");
        return -1;
    }

    for (i = 0; i < nCerts; i++) {
        ret = gnutls_x509_crt_init(&cert);
        if (ret < 0) {
            error_setg(errp, "Cannot initialize certificate: %s",
                       gnutls_strerror(ret));
            return -1;
        }

        ret = gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER);
        if (ret < 0) {
            error_setg(errp, "Cannot import certificate: %s",
                       gnutls_strerror(ret));
            goto error;
        }

        if (gnutls_x509_crt_get_expiration_time(cert) < now) {
            error_setg(errp, "The certificate has expired");
            goto error;
        }

        if (gnutls_x509_crt_get_activation_time(cert) > now) {
            error_setg(errp, "The certificate is not yet activated");
            goto error;
        }

        if (gnutls_x509_crt_get_activation_time(cert) > now) {
            error_setg(errp, "The certificate is not yet activated");
            goto error;
        }

        if (i == 0) {
            size_t dnameSize = 1024;
            session->peername = g_malloc(dnameSize);
        requery:
            ret = gnutls_x509_crt_get_dn(cert, session->peername, &dnameSize);
            if (ret < 0) {
                if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
                    session->peername = g_realloc(session->peername,
                                                  dnameSize);
                    goto requery;
                }
                error_setg(errp, "Cannot get client distinguished name: %s",
                           gnutls_strerror(ret));
                goto error;
            }
            if (session->aclname) {
                qemu_acl *acl = qemu_acl_find(session->aclname);
                int allow;
                if (!acl) {
                    error_setg(errp, "Cannot find ACL %s",
                               session->aclname);
                    goto error;
                }

                allow = qemu_acl_party_is_allowed(acl, session->peername);

                if (!allow) {
                    error_setg(errp, "TLS x509 ACL check for %s is denied",
                               session->peername);
                    goto error;
                }
            }
            if (session->hostname) {
                if (!gnutls_x509_crt_check_hostname(cert, session->hostname)) {
                    error_setg(errp,
                               "Certificate does not match the hostname %s",
                               session->hostname);
                    goto error;
                }
            }
        }

        gnutls_x509_crt_deinit(cert);
    }

    return 0;

 error:
    gnutls_x509_crt_deinit(cert);
    return -1;
}


int
qcrypto_tls_session_check_credentials(QCryptoTLSSession *session,
                                      Error **errp)
{
    if (object_dynamic_cast(OBJECT(session->creds),
                            TYPE_QCRYPTO_TLS_CREDS_ANON)) {
        return 0;
    } else if (object_dynamic_cast(OBJECT(session->creds),
                            TYPE_QCRYPTO_TLS_CREDS_X509)) {
        if (session->creds->verifyPeer) {
            return qcrypto_tls_session_check_certificate(session,
                                                         errp);
        } else {
            return 0;
        }
    } else {
        error_setg(errp, "Unexpected credential type %s",
                   object_get_typename(OBJECT(session->creds)));
        return -1;
    }
}


void
qcrypto_tls_session_set_callbacks(QCryptoTLSSession *session,
                                  QCryptoTLSSessionWriteFunc writeFunc,
                                  QCryptoTLSSessionReadFunc readFunc,
                                  void *opaque)
{
    session->writeFunc = writeFunc;
    session->readFunc = readFunc;
    session->opaque = opaque;
}


ssize_t
qcrypto_tls_session_write(QCryptoTLSSession *session,
                          const char *buf,
                          size_t len)
{
    ssize_t ret = gnutls_record_send(session->handle, buf, len);

    if (ret < 0) {
        switch (ret) {
        case GNUTLS_E_AGAIN:
            errno = EAGAIN;
            break;
        case GNUTLS_E_INTERRUPTED:
            errno = EINTR;
            break;
        default:
            errno = EIO;
            break;
        }
        ret = -1;
    }

    return ret;
}


ssize_t
qcrypto_tls_session_read(QCryptoTLSSession *session,
                         char *buf,
                         size_t len)
{
    ssize_t ret = gnutls_record_recv(session->handle, buf, len);

    if (ret < 0) {
        switch (ret) {
        case GNUTLS_E_AGAIN:
            errno = EAGAIN;
            break;
        case GNUTLS_E_INTERRUPTED:
            errno = EINTR;
            break;
        default:
            errno = EIO;
            break;
        }
        ret = -1;
    }

    return ret;
}


int
qcrypto_tls_session_handshake(QCryptoTLSSession *session,
                              Error **errp)
{
    int ret = gnutls_handshake(session->handle);
    if (ret == 0) {
        session->handshakeComplete = true;
    } else {
        if (ret == GNUTLS_E_INTERRUPTED ||
            ret == GNUTLS_E_AGAIN) {
            ret = 1;
        } else {
            error_setg(errp, "TLS handshake failed: %s",
                       gnutls_strerror(ret));
            ret = -1;
        }
    }

    return ret;
}


QCryptoTLSSessionHandshakeStatus
qcrypto_tls_session_get_handshake_status(QCryptoTLSSession *session)
{
    if (session->handshakeComplete) {
        return QCRYPTO_TLS_HANDSHAKE_COMPLETE;
    } else if (gnutls_record_get_direction(session->handle) == 0) {
        return QCRYPTO_TLS_HANDSHAKE_RECVING;
    } else {
        return QCRYPTO_TLS_HANDSHAKE_SENDING;
    }
}


int
qcrypto_tls_session_get_key_size(QCryptoTLSSession *session,
                                 Error **errp)
{
    gnutls_cipher_algorithm_t cipher;
    int ssf;

    cipher = gnutls_cipher_get(session->handle);
    ssf = gnutls_cipher_get_key_size(cipher);
    if (!ssf) {
        error_setg(errp, "Cannot get TLS cipher key size");
        return -1;
    }
    return ssf;
}


char *
qcrypto_tls_session_get_peer_name(QCryptoTLSSession *session)
{
    if (session->peername) {
        return g_strdup(session->peername);
    }
    return NULL;
}


#else /* ! CONFIG_GNUTLS */


QCryptoTLSSession *
qcrypto_tls_session_new(QCryptoTLSCreds *creds G_GNUC_UNUSED,
                        const char *hostname G_GNUC_UNUSED,
                        const char *aclname G_GNUC_UNUSED,
                        QCryptoTLSCredsEndpoint endpoint G_GNUC_UNUSED,
                        Error **errp)
{
    error_setg(errp, "TLS requires GNUTLS support");
    return NULL;
}


void
qcrypto_tls_session_free(QCryptoTLSSession *sess G_GNUC_UNUSED)
{
}


int
qcrypto_tls_session_check_credentials(QCryptoTLSSession *sess G_GNUC_UNUSED,
                                      Error **errp)
{
    error_setg(errp, "TLS requires GNUTLS support");
    return -1;
}


void
qcrypto_tls_session_set_callbacks(
    QCryptoTLSSession *sess G_GNUC_UNUSED,
    QCryptoTLSSessionWriteFunc writeFunc G_GNUC_UNUSED,
    QCryptoTLSSessionReadFunc readFunc G_GNUC_UNUSED,
    void *opaque G_GNUC_UNUSED)
{
}


ssize_t
qcrypto_tls_session_write(QCryptoTLSSession *sess,
                          const char *buf,
                          size_t len)
{
    errno = -EIO;
    return -1;
}


ssize_t
qcrypto_tls_session_read(QCryptoTLSSession *sess,
                         char *buf,
                         size_t len)
{
    errno = -EIO;
    return -1;
}


int
qcrypto_tls_session_handshake(QCryptoTLSSession *sess,
                              Error **errp)
{
    error_setg(errp, "TLS requires GNUTLS support");
    return -1;
}


QCryptoTLSSessionHandshakeStatus
qcrypto_tls_session_get_handshake_status(QCryptoTLSSession *sess)
{
    return QCRYPTO_TLS_HANDSHAKE_COMPLETE;
}


int
qcrypto_tls_session_get_key_size(QCryptoTLSSession *sess,
                                 Error **errp)
{
    error_setg(errp, "TLS requires GNUTLS support");
    return -1;
}


char *
qcrypto_tls_session_get_peer_name(QCryptoTLSSession *sess)
{
    return NULL;
}

#endif
Commit	Line	Data
d321e1e5 DB	1	/*
	2	* QEMU crypto TLS session support
	3	*
	4	* Copyright (c) 2015 Red Hat, Inc.
	5	*
	6	* This library is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU Lesser General Public
	8	* License as published by the Free Software Foundation; either
	9	* version 2 of the License, or (at your option) any later version.
	10	*
	11	* This library is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	* Lesser General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU Lesser General Public
	17	* License along with this library; if not, see <http://www.gnu.org/licenses/>.
	18	*
	19	*/
	20
	21	#include "crypto/tlssession.h"
	22	#include "crypto/tlscredsanon.h"
	23	#include "crypto/tlscredsx509.h"
	24	#include "qemu/acl.h"
	25	#include "trace.h"
	26
	27	#ifdef CONFIG_GNUTLS
	28
	29
	30	#include <gnutls/x509.h>
	31
	32
	33	struct QCryptoTLSSession {
	34	QCryptoTLSCreds *creds;
	35	gnutls_session_t handle;
	36	char *hostname;
	37	char *aclname;
	38	bool handshakeComplete;
	39	QCryptoTLSSessionWriteFunc writeFunc;
	40	QCryptoTLSSessionReadFunc readFunc;
	41	void *opaque;
	42	char *peername;
	43	};
	44
	45
	46	void
	47	qcrypto_tls_session_free(QCryptoTLSSession *session)
	48	{
	49	if (!session) {
	50	return;
	51	}
	52
	53	gnutls_deinit(session->handle);
	54	g_free(session->hostname);
	55	g_free(session->peername);
	56	g_free(session->aclname);
	57	object_unref(OBJECT(session->creds));
	58	g_free(session);
	59	}
	60
	61
	62	static ssize_t
	63	qcrypto_tls_session_push(void opaque, const void buf, size_t len)
	64	{
65	QCryptoTLSSession *session = opaque;
66
67	if (!session->writeFunc) {
68	errno = EIO;
69	return -1;
70	};
71
72	return session->writeFunc(buf, len, session->opaque);
73	}
74
75
76	static ssize_t
77	qcrypto_tls_session_pull(void opaque, void buf, size_t len)
78	{
79	QCryptoTLSSession *session = opaque;
80
81	if (!session->readFunc) {
82	errno = EIO;
83	return -1;
84	};
85
86	return session->readFunc(buf, len, session->opaque);
87	}
88
89
90	QCryptoTLSSession *
91	qcrypto_tls_session_new(QCryptoTLSCreds *creds,
92	const char *hostname,
93	const char *aclname,
94	QCryptoTLSCredsEndpoint endpoint,
95	Error **errp)
96	{
97	QCryptoTLSSession *session;
98	int ret;
99
100	session = g_new0(QCryptoTLSSession, 1);
101	trace_qcrypto_tls_session_new(
102	session, creds, hostname ? hostname : "<none>",
103	aclname ? aclname : "<none>", endpoint);
104
105	if (hostname) {
106	session->hostname = g_strdup(hostname);
107	}
108	if (aclname) {
109	session->aclname = g_strdup(aclname);
110	}
111	session->creds = creds;
112	object_ref(OBJECT(creds));
113
114	if (creds->endpoint != endpoint) {
115	error_setg(errp, "Credentials endpoint doesn't match session");
116	goto error;
117	}
118
119	if (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
120	ret = gnutls_init(&session->handle, GNUTLS_SERVER);
121	} else {
122	ret = gnutls_init(&session->handle, GNUTLS_CLIENT);
123	}
124	if (ret < 0) {
125	error_setg(errp, "Cannot initialize TLS session: %s",
126	gnutls_strerror(ret));
127	goto error;
128	}
129
130	if (object_dynamic_cast(OBJECT(creds),
131	TYPE_QCRYPTO_TLS_CREDS_ANON)) {
132	QCryptoTLSCredsAnon *acreds = QCRYPTO_TLS_CREDS_ANON(creds);
133
134	ret = gnutls_priority_set_direct(session->handle,
135	"NORMAL:+ANON-DH", NULL);
136	if (ret < 0) {
137	error_setg(errp, "Unable to set TLS session priority: %s",
138	gnutls_strerror(ret));
139	goto error;
140	}
141	if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
142	ret = gnutls_credentials_set(session->handle,
143	GNUTLS_CRD_ANON,
144	acreds->data.server);
145	} else {
146	ret = gnutls_credentials_set(session->handle,
147	GNUTLS_CRD_ANON,
148	acreds->data.client);
149	}
150	if (ret < 0) {
151	error_setg(errp, "Cannot set session credentials: %s",
152	gnutls_strerror(ret));
153	goto error;
154	}
155	} else if (object_dynamic_cast(OBJECT(creds),
156	TYPE_QCRYPTO_TLS_CREDS_X509)) {
157	QCryptoTLSCredsX509 *tcreds = QCRYPTO_TLS_CREDS_X509(creds);
158
159	ret = gnutls_set_default_priority(session->handle);
160	if (ret < 0) {
161	error_setg(errp, "Cannot set default TLS session priority: %s",
162	gnutls_strerror(ret));
163	goto error;
164	}
165	ret = gnutls_credentials_set(session->handle,
166	GNUTLS_CRD_CERTIFICATE,
167	tcreds->data);
168	if (ret < 0) {
169	error_setg(errp, "Cannot set session credentials: %s",
170	gnutls_strerror(ret));
171	goto error;
172	}
173
174	if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
175	/* This requests, but does not enforce a client cert.
176	* The cert checking code later does enforcement */
177	gnutls_certificate_server_set_request(session->handle,
178	GNUTLS_CERT_REQUEST);
179	}
180	} else {
181	error_setg(errp, "Unsupported TLS credentials type %s",
182	object_get_typename(OBJECT(creds)));
183	goto error;
184	}
185
186	gnutls_transport_set_ptr(session->handle, session);
187	gnutls_transport_set_push_function(session->handle,
188	qcrypto_tls_session_push);
189	gnutls_transport_set_pull_function(session->handle,
190	qcrypto_tls_session_pull);
191
192	return session;
193
194	error:
195	qcrypto_tls_session_free(session);
196	return NULL;
197	}
198
199	static int
200	qcrypto_tls_session_check_certificate(QCryptoTLSSession *session,
201	Error **errp)
202	{
203	int ret;
204	unsigned int status;
205	const gnutls_datum_t *certs;
206	unsigned int nCerts, i;
207	time_t now;
208	gnutls_x509_crt_t cert = NULL;
209
210	now = time(NULL);
211	if (now == ((time_t)-1)) {
212	error_setg_errno(errp, errno, "Cannot get current time");
213	return -1;
214	}
215
216	ret = gnutls_certificate_verify_peers2(session->handle, &status);
217	if (ret < 0) {
218	error_setg(errp, "Verify failed: %s", gnutls_strerror(ret));
219	return -1;
220	}
221
222	if (status != 0) {
223	const char *reason = "Invalid certificate";
224
225	if (status & GNUTLS_CERT_INVALID) {
226	reason = "The certificate is not trusted";
227	}
228
229	if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
230	reason = "The certificate hasn't got a known issuer";
231	}
232
233	if (status & GNUTLS_CERT_REVOKED) {
234	reason = "The certificate has been revoked";
235	}
236
237	if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
238	reason = "The certificate uses an insecure algorithm";
239	}
240
241	error_setg(errp, "%s", reason);
242	return -1;
243	}
244
245	certs = gnutls_certificate_get_peers(session->handle, &nCerts);
246	if (!certs) {
247	error_setg(errp, "No certificate peers");
248	return -1;
249	}
250
251	for (i = 0; i < nCerts; i++) {
252	ret = gnutls_x509_crt_init(&cert);
253	if (ret < 0) {
254	error_setg(errp, "Cannot initialize certificate: %s",
255	gnutls_strerror(ret));
256	return -1;
257	}
258
259	ret = gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER);
260	if (ret < 0) {
261	error_setg(errp, "Cannot import certificate: %s",
262	gnutls_strerror(ret));
263	goto error;
264	}
265
266	if (gnutls_x509_crt_get_expiration_time(cert) < now) {
267	error_setg(errp, "The certificate has expired");
268	goto error;
269	}
270
271	if (gnutls_x509_crt_get_activation_time(cert) > now) {
272	error_setg(errp, "The certificate is not yet activated");
273	goto error;
274	}
275
276	if (gnutls_x509_crt_get_activation_time(cert) > now) {
277	error_setg(errp, "The certificate is not yet activated");
278	goto error;
279	}
280
281	if (i == 0) {
282	size_t dnameSize = 1024;
283	session->peername = g_malloc(dnameSize);
284	requery:
285	ret = gnutls_x509_crt_get_dn(cert, session->peername, &dnameSize);
286	if (ret < 0) {
287	if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
288	session->peername = g_realloc(session->peername,
289	dnameSize);
290	goto requery;
291	}
292	error_setg(errp, "Cannot get client distinguished name: %s",
293	gnutls_strerror(ret));
294	goto error;
295	}
296	if (session->aclname) {
297	qemu_acl *acl = qemu_acl_find(session->aclname);
298	int allow;
299	if (!acl) {
300	error_setg(errp, "Cannot find ACL %s",
301	session->aclname);
302	goto error;
303	}
304
305	allow = qemu_acl_party_is_allowed(acl, session->peername);
306
d321e1e5	307	if (!allow) {
6ef8cd7a DB	308	error_setg(errp, "TLS x509 ACL check for %s is denied",
6ef8cd7a DB	309	session->peername);
d321e1e5 DB	310	goto error;
	311	}
	312	}
	313	if (session->hostname) {
	314	if (!gnutls_x509_crt_check_hostname(cert, session->hostname)) {
	315	error_setg(errp,
	316	"Certificate does not match the hostname %s",
	317	session->hostname);
	318	goto error;
	319	}
	320	}
	321	}
	322
	323	gnutls_x509_crt_deinit(cert);
	324	}
	325
	326	return 0;
	327
	328	error:
	329	gnutls_x509_crt_deinit(cert);
	330	return -1;
	331	}
	332
	333
	334	int
	335	qcrypto_tls_session_check_credentials(QCryptoTLSSession *session,
	336	Error **errp)
	337	{
	338	if (object_dynamic_cast(OBJECT(session->creds),
	339	TYPE_QCRYPTO_TLS_CREDS_ANON)) {
	340	return 0;
	341	} else if (object_dynamic_cast(OBJECT(session->creds),
	342	TYPE_QCRYPTO_TLS_CREDS_X509)) {
	343	if (session->creds->verifyPeer) {
	344	return qcrypto_tls_session_check_certificate(session,
	345	errp);
	346	} else {
	347	return 0;
	348	}
	349	} else {
	350	error_setg(errp, "Unexpected credential type %s",
	351	object_get_typename(OBJECT(session->creds)));
	352	return -1;
	353	}
	354	}
	355
	356
	357	void
	358	qcrypto_tls_session_set_callbacks(QCryptoTLSSession *session,
	359	QCryptoTLSSessionWriteFunc writeFunc,
	360	QCryptoTLSSessionReadFunc readFunc,
	361	void *opaque)
	362	{
	363	session->writeFunc = writeFunc;
	364	session->readFunc = readFunc;
	365	session->opaque = opaque;
	366	}
	367
	368
	369	ssize_t
	370	qcrypto_tls_session_write(QCryptoTLSSession *session,
	371	const char *buf,
	372	size_t len)
	373	{
374	ssize_t ret = gnutls_record_send(session->handle, buf, len);
375
376	if (ret < 0) {
377	switch (ret) {
378	case GNUTLS_E_AGAIN:
379	errno = EAGAIN;
380	break;
381	case GNUTLS_E_INTERRUPTED:
382	errno = EINTR;
383	break;
384	default:
385	errno = EIO;
386	break;
387	}
388	ret = -1;
389	}
390
391	return ret;
392	}
393
394
395	ssize_t
396	qcrypto_tls_session_read(QCryptoTLSSession *session,
397	char *buf,
398	size_t len)
399	{
400	ssize_t ret = gnutls_record_recv(session->handle, buf, len);
401
402	if (ret < 0) {
403	switch (ret) {
404	case GNUTLS_E_AGAIN:
405	errno = EAGAIN;
406	break;
407	case GNUTLS_E_INTERRUPTED:
408	errno = EINTR;
409	break;
410	default:
411	errno = EIO;
412	break;
413	}
414	ret = -1;
415	}
416
417	return ret;
418	}
419
420
421	int
422	qcrypto_tls_session_handshake(QCryptoTLSSession *session,
423	Error **errp)
424	{
425	int ret = gnutls_handshake(session->handle);
426	if (ret == 0) {
427	session->handshakeComplete = true;
428	} else {
429	if (ret == GNUTLS_E_INTERRUPTED \|\|
430	ret == GNUTLS_E_AGAIN) {
431	ret = 1;
432	} else {
433	error_setg(errp, "TLS handshake failed: %s",
434	gnutls_strerror(ret));
435	ret = -1;
436	}
437	}
438
439	return ret;
440	}
441
442
443	QCryptoTLSSessionHandshakeStatus
444	qcrypto_tls_session_get_handshake_status(QCryptoTLSSession *session)
445	{
446	if (session->handshakeComplete) {
447	return QCRYPTO_TLS_HANDSHAKE_COMPLETE;
448	} else if (gnutls_record_get_direction(session->handle) == 0) {
449	return QCRYPTO_TLS_HANDSHAKE_RECVING;
450	} else {
451	return QCRYPTO_TLS_HANDSHAKE_SENDING;
452	}
453	}
454
455
456	int
457	qcrypto_tls_session_get_key_size(QCryptoTLSSession *session,
458	Error **errp)
459	{
460	gnutls_cipher_algorithm_t cipher;
461	int ssf;
462
463	cipher = gnutls_cipher_get(session->handle);
464	ssf = gnutls_cipher_get_key_size(cipher);
465	if (!ssf) {
466	error_setg(errp, "Cannot get TLS cipher key size");
467	return -1;
468	}
469	return ssf;
470	}
471
472
473	char *
474	qcrypto_tls_session_get_peer_name(QCryptoTLSSession *session)
475	{
476	if (session->peername) {
477	return g_strdup(session->peername);
478	}
479	return NULL;
480	}
481
482
483	#else /* ! CONFIG_GNUTLS */
484
485
486	QCryptoTLSSession *
487	qcrypto_tls_session_new(QCryptoTLSCreds *creds G_GNUC_UNUSED,
488	const char *hostname G_GNUC_UNUSED,
489	const char *aclname G_GNUC_UNUSED,
490	QCryptoTLSCredsEndpoint endpoint G_GNUC_UNUSED,
491	Error **errp)
492	{
493	error_setg(errp, "TLS requires GNUTLS support");
494	return NULL;
495	}
496
497
498	void
499	qcrypto_tls_session_free(QCryptoTLSSession *sess G_GNUC_UNUSED)
500	{
501	}
502
503
504	int
505	qcrypto_tls_session_check_credentials(QCryptoTLSSession *sess G_GNUC_UNUSED,
506	Error **errp)
507	{
508	error_setg(errp, "TLS requires GNUTLS support");
509	return -1;
510	}
511
512
513	void
514	qcrypto_tls_session_set_callbacks(
515	QCryptoTLSSession *sess G_GNUC_UNUSED,
516	QCryptoTLSSessionWriteFunc writeFunc G_GNUC_UNUSED,
517	QCryptoTLSSessionReadFunc readFunc G_GNUC_UNUSED,
518	void *opaque G_GNUC_UNUSED)
519	{
520	}
521
522
523	ssize_t
524	qcrypto_tls_session_write(QCryptoTLSSession *sess,
525	const char *buf,
526	size_t len)
527	{
528	errno = -EIO;
529	return -1;
530	}
531
532
533	ssize_t
534	qcrypto_tls_session_read(QCryptoTLSSession *sess,
535	char *buf,
536	size_t len)
537	{
538	errno = -EIO;
539	return -1;
540	}
541
542
543	int
544	qcrypto_tls_session_handshake(QCryptoTLSSession *sess,
545	Error **errp)
546	{
547	error_setg(errp, "TLS requires GNUTLS support");
548	return -1;
549	}
550
551
552	QCryptoTLSSessionHandshakeStatus
553	qcrypto_tls_session_get_handshake_status(QCryptoTLSSession *sess)
554	{
555	return QCRYPTO_TLS_HANDSHAKE_COMPLETE;
556	}
557
558
559	int
560	qcrypto_tls_session_get_key_size(QCryptoTLSSession *sess,
561	Error **errp)
562	{
563	error_setg(errp, "TLS requires GNUTLS support");
564	return -1;
565	}
566
567
568	char *
569	qcrypto_tls_session_get_peer_name(QCryptoTLSSession *sess)
570	{
571	return NULL;
572	}
573
574	#endif