/* * This tests sanity checking of our own certificates * * This code is done when libvirtd starts up, or before * a libvirt client connects. The test is ensuring that * the creation of virNetTLSContextPtr fails if we * give bogus certs, or succeeds for good certs */ static int testTLSContextInit(const void *opaque) { struct testTLSContextData *data = (struct testTLSContextData *)opaque; virNetTLSContextPtr ctxt = NULL; int ret = -1; if (data->isServer) { ctxt = virNetTLSContextNewServer(data->cacrt, NULL, data->crt, KEYFILE, NULL, "NORMAL", true, true); } else { ctxt = virNetTLSContextNewClient(data->cacrt, NULL, data->crt, KEYFILE, "NORMAL", true, true); } if (ctxt) { if (data->expectFail) { VIR_WARN("Expected failure %s against %s", data->cacrt, data->crt); goto cleanup; } } else { if (!data->expectFail) { VIR_WARN("Unexpected failure %s against %s", data->cacrt, data->crt); goto cleanup; } VIR_DEBUG("Got error %s", virGetLastErrorMessage()); } ret = 0; cleanup: virObjectUnref(ctxt); return ret; }
static int daemonSetupNetworking(virNetServerPtr srv, struct daemonConfig *config, const char *sock_path, const char *sock_path_ro, bool ipsock, bool privileged) { virNetServerServicePtr svc = NULL; virNetServerServicePtr svcRO = NULL; virNetServerServicePtr svcTCP = NULL; virNetServerServicePtr svcTLS = NULL; gid_t unix_sock_gid = 0; int unix_sock_ro_mask = 0; int unix_sock_rw_mask = 0; if (config->unix_sock_group) { if (virGetGroupID(config->unix_sock_group, &unix_sock_gid) < 0) return -1; } if (virStrToLong_i(config->unix_sock_ro_perms, NULL, 8, &unix_sock_ro_mask) != 0) { VIR_ERROR(_("Failed to parse mode '%s'"), config->unix_sock_ro_perms); goto error; } if (virStrToLong_i(config->unix_sock_rw_perms, NULL, 8, &unix_sock_rw_mask) != 0) { VIR_ERROR(_("Failed to parse mode '%s'"), config->unix_sock_rw_perms); goto error; } if (!(svc = virNetServerServiceNewUNIX(sock_path, unix_sock_rw_mask, unix_sock_gid, config->auth_unix_rw, false, config->max_client_requests, NULL))) goto error; if (sock_path_ro && !(svcRO = virNetServerServiceNewUNIX(sock_path_ro, unix_sock_ro_mask, unix_sock_gid, config->auth_unix_ro, true, config->max_client_requests, NULL))) goto error; if (virNetServerAddService(srv, svc, config->mdns_adv && !ipsock ? "_libvirt._tcp" : NULL) < 0) goto error; if (svcRO && virNetServerAddService(srv, svcRO, NULL) < 0) goto error; if (ipsock) { if (config->listen_tcp) { if (!(svcTCP = virNetServerServiceNewTCP(config->listen_addr, config->tcp_port, config->auth_tcp, false, config->max_client_requests, NULL))) goto error; if (virNetServerAddService(srv, svcTCP, config->mdns_adv ? "_libvirt._tcp" : NULL) < 0) goto error; } if (config->listen_tls) { virNetTLSContextPtr ctxt = NULL; if (config->ca_file || config->cert_file || config->key_file) { if (!(ctxt = virNetTLSContextNewServer(config->ca_file, config->crl_file, config->cert_file, config->key_file, (const char *const*)config->tls_allowed_dn_list, config->tls_no_sanity_certificate ? false : true, config->tls_no_verify_certificate ? false : true))) goto error; } else { if (!(ctxt = virNetTLSContextNewServerPath(NULL, !privileged, (const char *const*)config->tls_allowed_dn_list, config->tls_no_sanity_certificate ? false : true, config->tls_no_verify_certificate ? false : true))) goto error; } if (!(svcTLS = virNetServerServiceNewTCP(config->listen_addr, config->tls_port, config->auth_tls, false, config->max_client_requests, ctxt))) { virNetTLSContextFree(ctxt); goto error; } if (virNetServerAddService(srv, svcTLS, config->mdns_adv && !config->listen_tcp ? "_libvirt._tcp" : NULL) < 0) goto error; virNetTLSContextFree(ctxt); } } #if HAVE_SASL if (config->auth_unix_rw == REMOTE_AUTH_SASL || config->auth_unix_ro == REMOTE_AUTH_SASL || config->auth_tcp == REMOTE_AUTH_SASL || config->auth_tls == REMOTE_AUTH_SASL) { saslCtxt = virNetSASLContextNewServer( (const char *const*)config->sasl_allowed_username_list); if (!saslCtxt) goto error; } #endif return 0; error: virNetServerServiceFree(svcTLS); virNetServerServiceFree(svcTCP); virNetServerServiceFree(svc); virNetServerServiceFree(svcRO); return -1; }
static int daemonSetupNetworking(virNetServerPtr srv, struct daemonConfig *config, const char *sock_path, const char *sock_path_ro, bool ipsock, bool privileged) { virNetServerServicePtr svc = NULL; virNetServerServicePtr svcRO = NULL; virNetServerServicePtr svcTCP = NULL; #if WITH_GNUTLS virNetServerServicePtr svcTLS = NULL; #endif gid_t unix_sock_gid = 0; int unix_sock_ro_mask = 0; int unix_sock_rw_mask = 0; if (config->unix_sock_group) { if (virGetGroupID(config->unix_sock_group, &unix_sock_gid) < 0) return -1; } if (virStrToLong_i(config->unix_sock_ro_perms, NULL, 8, &unix_sock_ro_mask) != 0) { VIR_ERROR(_("Failed to parse mode '%s'"), config->unix_sock_ro_perms); goto error; } if (virStrToLong_i(config->unix_sock_rw_perms, NULL, 8, &unix_sock_rw_mask) != 0) { VIR_ERROR(_("Failed to parse mode '%s'"), config->unix_sock_rw_perms); goto error; } VIR_DEBUG("Registering unix socket %s", sock_path); if (!(svc = virNetServerServiceNewUNIX(sock_path, unix_sock_rw_mask, unix_sock_gid, config->auth_unix_rw, #if WITH_GNUTLS NULL, #endif false, config->max_queued_clients, config->max_client_requests))) goto error; if (sock_path_ro) { VIR_DEBUG("Registering unix socket %s", sock_path_ro); if (!(svcRO = virNetServerServiceNewUNIX(sock_path_ro, unix_sock_ro_mask, unix_sock_gid, config->auth_unix_ro, #if WITH_GNUTLS NULL, #endif true, config->max_queued_clients, config->max_client_requests))) goto error; } if (virNetServerAddService(srv, svc, config->mdns_adv && !ipsock ? "_libvirt._tcp" : NULL) < 0) goto error; if (svcRO && virNetServerAddService(srv, svcRO, NULL) < 0) goto error; if (ipsock) { if (config->listen_tcp) { VIR_DEBUG("Registering TCP socket %s:%s", config->listen_addr, config->tcp_port); if (!(svcTCP = virNetServerServiceNewTCP(config->listen_addr, config->tcp_port, config->auth_tcp, #if WITH_GNUTLS NULL, #endif false, config->max_queued_clients, config->max_client_requests))) goto error; if (virNetServerAddService(srv, svcTCP, config->mdns_adv ? "_libvirt._tcp" : NULL) < 0) goto error; } #if WITH_GNUTLS if (config->listen_tls) { virNetTLSContextPtr ctxt = NULL; if (config->ca_file || config->cert_file || config->key_file) { if (!(ctxt = virNetTLSContextNewServer(config->ca_file, config->crl_file, config->cert_file, config->key_file, (const char *const*)config->tls_allowed_dn_list, config->tls_no_sanity_certificate ? false : true, config->tls_no_verify_certificate ? false : true))) goto error; } else { if (!(ctxt = virNetTLSContextNewServerPath(NULL, !privileged, (const char *const*)config->tls_allowed_dn_list, config->tls_no_sanity_certificate ? false : true, config->tls_no_verify_certificate ? false : true))) goto error; } VIR_DEBUG("Registering TLS socket %s:%s", config->listen_addr, config->tls_port); if (!(svcTLS = virNetServerServiceNewTCP(config->listen_addr, config->tls_port, config->auth_tls, ctxt, false, config->max_queued_clients, config->max_client_requests))) { virObjectUnref(ctxt); goto error; } if (virNetServerAddService(srv, svcTLS, config->mdns_adv && !config->listen_tcp ? "_libvirt._tcp" : NULL) < 0) goto error; virObjectUnref(ctxt); } #else (void)privileged; if (config->listen_tls) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("This libvirtd build does not support TLS")); goto error; } #endif } #if WITH_SASL if (config->auth_unix_rw == REMOTE_AUTH_SASL || config->auth_unix_ro == REMOTE_AUTH_SASL || # if WITH_GNUTLS config->auth_tls == REMOTE_AUTH_SASL || # endif config->auth_tcp == REMOTE_AUTH_SASL) { saslCtxt = virNetSASLContextNewServer( (const char *const*)config->sasl_allowed_username_list); if (!saslCtxt) goto error; } #endif return 0; error: #if WITH_GNUTLS virObjectUnref(svcTLS); #endif virObjectUnref(svcTCP); virObjectUnref(svc); virObjectUnref(svcRO); return -1; }
/* * This tests validation checking of peer certificates * * This is replicating the checks that are done for an * active TLS session after handshake completes. To * simulate that we create our TLS contexts, skipping * sanity checks. When then get a socketpair, and * initiate a TLS session across them. Finally do * do actual cert validation tests */ static int testTLSSessionInit(const void *opaque) { struct testTLSSessionData *data = (struct testTLSSessionData *)opaque; virNetTLSContextPtr clientCtxt = NULL; virNetTLSContextPtr serverCtxt = NULL; virNetTLSSessionPtr clientSess = NULL; virNetTLSSessionPtr serverSess = NULL; int ret = -1; int channel[2]; bool clientShake = false; bool serverShake = false; /* We'll use this for our fake client-server connection */ if (socketpair(AF_UNIX, SOCK_STREAM, 0, channel) < 0) abort(); /* * We have an evil loop to do the handshake in a single * thread, so we need these non-blocking to avoid deadlock * of ourselves */ ignore_value(virSetNonBlock(channel[0])); ignore_value(virSetNonBlock(channel[1])); /* We skip initial sanity checks here because we * want to make sure that problems are being * detected at the TLS session validation stage */ serverCtxt = virNetTLSContextNewServer(data->servercacrt, NULL, data->servercrt, KEYFILE, data->wildcards, NULL, false, true); clientCtxt = virNetTLSContextNewClient(data->clientcacrt, NULL, data->clientcrt, KEYFILE, NULL, false, true); if (!serverCtxt) { VIR_WARN("Unexpected failure loading %s against %s", data->servercacrt, data->servercrt); goto cleanup; } if (!clientCtxt) { VIR_WARN("Unexpected failure loading %s against %s", data->clientcacrt, data->clientcrt); goto cleanup; } /* Now the real part of the test, setup the sessions */ serverSess = virNetTLSSessionNew(serverCtxt, NULL); clientSess = virNetTLSSessionNew(clientCtxt, data->hostname); if (!serverSess) { VIR_WARN("Unexpected failure using %s against %s", data->servercacrt, data->servercrt); goto cleanup; } if (!clientSess) { VIR_WARN("Unexpected failure using %s against %s", data->clientcacrt, data->clientcrt); goto cleanup; } /* For handshake to work, we need to set the I/O callbacks * to read/write over the socketpair */ virNetTLSSessionSetIOCallbacks(serverSess, testWrite, testRead, &channel[0]); virNetTLSSessionSetIOCallbacks(clientSess, testWrite, testRead, &channel[1]); /* * Finally we loop around & around doing handshake on each * session until we get an error, or the handshake completes. * This relies on the socketpair being nonblocking to avoid * deadlocking ourselves upon handshake */ do { int rv; if (!serverShake) { rv = virNetTLSSessionHandshake(serverSess); if (rv < 0) goto cleanup; if (rv == VIR_NET_TLS_HANDSHAKE_COMPLETE) serverShake = true; } if (!clientShake) { rv = virNetTLSSessionHandshake(clientSess); if (rv < 0) goto cleanup; if (rv == VIR_NET_TLS_HANDSHAKE_COMPLETE) clientShake = true; } } while (!clientShake && !serverShake); /* Finally make sure the server validation does what * we were expecting */ if (virNetTLSContextCheckCertificate(serverCtxt, serverSess) < 0) { if (!data->expectServerFail) { VIR_WARN("Unexpected server cert check fail"); goto cleanup; } else { VIR_DEBUG("Got expected server cert fail"); } } else { if (data->expectServerFail) { VIR_WARN("Expected server cert check fail"); goto cleanup; } else { VIR_DEBUG("No unexpected server cert fail"); } } /* * And the same for the client validation check */ if (virNetTLSContextCheckCertificate(clientCtxt, clientSess) < 0) { if (!data->expectClientFail) { VIR_WARN("Unexpected client cert check fail"); goto cleanup; } else { VIR_DEBUG("Got expected client cert fail"); } } else { if (data->expectClientFail) { VIR_WARN("Expected client cert check fail"); goto cleanup; } else { VIR_DEBUG("No unexpected client cert fail"); } } ret = 0; cleanup: virObjectUnref(serverCtxt); virObjectUnref(clientCtxt); virObjectUnref(serverSess); virObjectUnref(clientSess); VIR_FORCE_CLOSE(channel[0]); VIR_FORCE_CLOSE(channel[1]); return ret; }
daemonSetupNetworking(virNetServerPtr srv, virNetServerPtr srvAdm, struct daemonConfig *config, const char *sock_path, const char *sock_path_ro, const char *sock_path_adm, bool ipsock, bool privileged) { virNetServerServicePtr svc = NULL; virNetServerServicePtr svcAdm = NULL; virNetServerServicePtr svcRO = NULL; virNetServerServicePtr svcTCP = NULL; #if WITH_GNUTLS virNetServerServicePtr svcTLS = NULL; #endif gid_t unix_sock_gid = 0; int unix_sock_ro_mask = 0; int unix_sock_rw_mask = 0; int unix_sock_adm_mask = 0; int ret = -1; unsigned int cur_fd = STDERR_FILENO + 1; unsigned int nfds = virGetListenFDs(); if (config->unix_sock_group) { if (virGetGroupID(config->unix_sock_group, &unix_sock_gid) < 0) return ret; } if (nfds > (sock_path_ro ? 2 : 1)) { VIR_ERROR(_("Too many (%u) FDs passed from caller"), nfds); return ret; } if (virStrToLong_i(config->unix_sock_ro_perms, NULL, 8, &unix_sock_ro_mask) != 0) { VIR_ERROR(_("Failed to parse mode '%s'"), config->unix_sock_ro_perms); goto cleanup; } if (virStrToLong_i(config->unix_sock_admin_perms, NULL, 8, &unix_sock_adm_mask) != 0) { VIR_ERROR(_("Failed to parse mode '%s'"), config->unix_sock_admin_perms); goto cleanup; } if (virStrToLong_i(config->unix_sock_rw_perms, NULL, 8, &unix_sock_rw_mask) != 0) { VIR_ERROR(_("Failed to parse mode '%s'"), config->unix_sock_rw_perms); goto cleanup; } if (!(svc = virNetServerServiceNewFDOrUNIX(sock_path, unix_sock_rw_mask, unix_sock_gid, config->auth_unix_rw, #if WITH_GNUTLS NULL, #endif false, config->max_queued_clients, config->max_client_requests, nfds, &cur_fd))) goto cleanup; if (sock_path_ro) { if (!(svcRO = virNetServerServiceNewFDOrUNIX(sock_path_ro, unix_sock_ro_mask, unix_sock_gid, config->auth_unix_ro, #if WITH_GNUTLS NULL, #endif true, config->max_queued_clients, config->max_client_requests, nfds, &cur_fd))) goto cleanup; } if (virNetServerAddService(srv, svc, config->mdns_adv && !ipsock ? "_libvirt._tcp" : NULL) < 0) goto cleanup; if (svcRO && virNetServerAddService(srv, svcRO, NULL) < 0) goto cleanup; /* Temporarily disabled */ if (sock_path_adm && false) { VIR_DEBUG("Registering unix socket %s", sock_path_adm); if (!(svcAdm = virNetServerServiceNewUNIX(sock_path_adm, unix_sock_adm_mask, unix_sock_gid, REMOTE_AUTH_NONE, #if WITH_GNUTLS NULL, #endif true, config->admin_max_queued_clients, config->admin_max_client_requests))) goto cleanup; if (virNetServerAddService(srvAdm, svcAdm, NULL) < 0) goto cleanup; } if (ipsock) { if (config->listen_tcp) { VIR_DEBUG("Registering TCP socket %s:%s", config->listen_addr, config->tcp_port); if (!(svcTCP = virNetServerServiceNewTCP(config->listen_addr, config->tcp_port, AF_UNSPEC, config->auth_tcp, #if WITH_GNUTLS NULL, #endif false, config->max_queued_clients, config->max_client_requests))) goto cleanup; if (virNetServerAddService(srv, svcTCP, config->mdns_adv ? "_libvirt._tcp" : NULL) < 0) goto cleanup; } #if WITH_GNUTLS if (config->listen_tls) { virNetTLSContextPtr ctxt = NULL; if (config->ca_file || config->cert_file || config->key_file) { if (!(ctxt = virNetTLSContextNewServer(config->ca_file, config->crl_file, config->cert_file, config->key_file, (const char *const*)config->tls_allowed_dn_list, config->tls_no_sanity_certificate ? false : true, config->tls_no_verify_certificate ? false : true))) goto cleanup; } else { if (!(ctxt = virNetTLSContextNewServerPath(NULL, !privileged, (const char *const*)config->tls_allowed_dn_list, config->tls_no_sanity_certificate ? false : true, config->tls_no_verify_certificate ? false : true))) goto cleanup; } VIR_DEBUG("Registering TLS socket %s:%s", config->listen_addr, config->tls_port); if (!(svcTLS = virNetServerServiceNewTCP(config->listen_addr, config->tls_port, AF_UNSPEC, config->auth_tls, ctxt, false, config->max_queued_clients, config->max_client_requests))) { virObjectUnref(ctxt); goto cleanup; } if (virNetServerAddService(srv, svcTLS, config->mdns_adv && !config->listen_tcp ? "_libvirt._tcp" : NULL) < 0) goto cleanup; virObjectUnref(ctxt); } #else (void)privileged; if (config->listen_tls) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("This libvirtd build does not support TLS")); goto cleanup; } #endif } #if WITH_SASL if (config->auth_unix_rw == REMOTE_AUTH_SASL || config->auth_unix_ro == REMOTE_AUTH_SASL || # if WITH_GNUTLS config->auth_tls == REMOTE_AUTH_SASL || # endif config->auth_tcp == REMOTE_AUTH_SASL) { saslCtxt = virNetSASLContextNewServer( (const char *const*)config->sasl_allowed_username_list); if (!saslCtxt) goto cleanup; } #endif ret = 0; cleanup: #if WITH_GNUTLS virObjectUnref(svcTLS); #endif virObjectUnref(svcTCP); virObjectUnref(svcRO); virObjectUnref(svcAdm); virObjectUnref(svc); return ret; }