From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: [Qemu-devel] [PATCH v1 RFC 14/34] crypto: introduce new module for handling TLS credentials
Date: Fri, 17 Apr 2015 15:22:17 +0100 [thread overview]
Message-ID: <1429280557-8887-15-git-send-email-berrange@redhat.com> (raw)
In-Reply-To: <1429280557-8887-1-git-send-email-berrange@redhat.com>
Introduce a QCryptoTLSCreds class to store TLS credentials, for use
by later TLS session code. The class is setup as a user creatable object,
so instance can be created/deleted via 'object-add' and 'object-del'
QMP commands, or via the -object command line arg.
If the credentials cannot be initialized an error will be reported
as a QMP reply, or on stderr respectively.
A later patch will update the VNC server to use this eg
qemu-system-x86_64 -object qcrypto-tls-creds,id=tls0,... \
-vnc 127.0.0.1:1,tls-creds=tls0
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
crypto/Makefile.objs | 1 +
crypto/init.c | 8 +
crypto/tlscreds.c | 566 ++++++++++++++++++++++++++++++++++++++++++++++
include/crypto/tlscreds.h | 134 +++++++++++
qemu-options.hx | 30 +++
tests/Makefile | 4 +-
6 files changed, 741 insertions(+), 2 deletions(-)
create mode 100644 crypto/tlscreds.c
create mode 100644 include/crypto/tlscreds.h
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index b050138..cf62d51 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -3,3 +3,4 @@ util-obj-y += hash.o
util-obj-y += aes.o
util-obj-y += desrfb.o
util-obj-y += cipher.o
+util-obj-y += tlscreds.o
diff --git a/crypto/init.c b/crypto/init.c
index 486af37..c2d04bf 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -19,6 +19,7 @@
*/
#include "crypto/init.h"
+#include "crypto/tlscreds.h"
#include "qemu/thread.h"
#include <glib/gi18n.h>
@@ -139,6 +140,13 @@ int qcrypto_init(Error **errp)
gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
#endif
+ /* XXX hack - if we don't reference any function in tlscreds.c
+ * then the linker drops tlscred.o from libqemutil.a when it
+ * links the emulators as it thinks it is unused. It isn't
+ * clever enough to see the constructor :-(
+ */
+ qcrypto_tls_creds_dummy();
+
return 0;
}
diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
new file mode 100644
index 0000000..9baf547
--- /dev/null
+++ b/crypto/tlscreds.c
@@ -0,0 +1,566 @@
+/*
+ * QEMU crypto TLS credential support
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/tlscreds.h"
+#include "qom/object_interfaces.h"
+
+#include <glib/gi18n.h>
+
+/* #define QCRYPTO_DEBUG */
+
+#ifdef QCRYPTO_DEBUG
+#define DPRINTF(fmt, ...) do { fprintf(stderr, fmt, ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF(fmt, ...) do { } while (0)
+#endif
+
+
+#define DH_BITS 2048
+
+static const char * const endpoint_map[QCRYPTO_TLS_CREDS_ENDPOINT_LAST + 1] = {
+ [QCRYPTO_TLS_CREDS_ENDPOINT_SERVER] = "server",
+ [QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT] = "client",
+ [QCRYPTO_TLS_CREDS_ENDPOINT_LAST] = NULL,
+};
+
+static const char * const type_map[QCRYPTO_TLS_CREDS_TYPE_LAST + 1] = {
+ [QCRYPTO_TLS_CREDS_TYPE_NONE] = "none",
+ [QCRYPTO_TLS_CREDS_TYPE_ANON] = "anon",
+ [QCRYPTO_TLS_CREDS_TYPE_X509] = "x509",
+ [QCRYPTO_TLS_CREDS_TYPE_LAST] = NULL,
+};
+
+#ifdef CONFIG_GNUTLS
+static int qcrypto_tls_creds_set_dh_params_file(QCryptoTLSCreds *creds,
+ const char *filename,
+ Error **errp)
+{
+ int ret;
+
+ DPRINTF("Loading DH params %s\n", filename ? filename : "<generated>");
+ if (filename == NULL) {
+ ret = gnutls_dh_params_init(&creds->dh_params);
+ if (ret < 0) {
+ error_setg(errp, _("Unable to initialize DH parameters %s"),
+ gnutls_strerror(ret));
+ return -1;
+ }
+ ret = gnutls_dh_params_generate2(creds->dh_params, DH_BITS);
+ if (ret < 0) {
+ gnutls_dh_params_deinit(creds->dh_params);
+ creds->dh_params = NULL;
+ error_setg(errp, _("Unable to generate DH parameters %s"),
+ gnutls_strerror(ret));
+ return -1;
+ }
+ } else {
+ GError *gerr = NULL;
+ gchar *contents;
+ gsize len;
+ gnutls_datum_t data;
+ if (!g_file_get_contents(filename,
+ &contents,
+ &len,
+ &gerr)) {
+ error_setg(errp, "%s", gerr->message);
+ g_error_free(gerr);
+ return -1;
+ }
+ data.data = (unsigned char *)contents;
+ data.size = len;
+ ret = gnutls_dh_params_init(&creds->dh_params);
+ if (ret < 0) {
+ g_free(contents);
+ error_setg(errp, _("Unable to initialize DH parameters %s"),
+ gnutls_strerror(ret));
+ return -1;
+ }
+ ret = gnutls_dh_params_import_pkcs3(creds->dh_params,
+ &data,
+ GNUTLS_X509_FMT_PEM);
+ g_free(contents);
+ if (ret < 0) {
+ gnutls_dh_params_deinit(creds->dh_params);
+ creds->dh_params = NULL;
+ error_setg(errp, _("Unable to load DH parameters from %s: %s"),
+ filename, gnutls_strerror(ret));
+ return -1;
+ }
+ }
+
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ gnutls_anon_set_server_dh_params(creds->data.anonServer,
+ creds->dh_params);
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ gnutls_certificate_set_dh_params(creds->data.x509,
+ creds->dh_params);
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+
+static int qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds,
+ const char *filename,
+ bool required,
+ char **cred,
+ Error **errp)
+{
+ struct stat sb;
+ int ret = -1;
+
+ if (!creds->dir) {
+ error_setg(errp, "%s",
+ _("Missing 'dir' property value"));
+ return -1;
+ }
+
+ *cred = g_strdup_printf("%s/%s", creds->dir, filename);
+
+ if (stat(*cred, &sb) < 0) {
+ if (errno == ENOENT && !required) {
+ ret = 0;
+ } else {
+ error_setg_errno(errp, errno,
+ _("Unable to access credentials %s"),
+ *cred);
+ }
+ g_free(*cred);
+ *cred = NULL;
+ goto cleanup;
+ }
+
+ DPRINTF("Resolved file %s\n", *cred ? *cred : "<none>");
+ ret = 0;
+ cleanup:
+ return ret;
+}
+
+
+
+static int
+qcrypto_tls_creds_load_x509(QCryptoTLSCreds *creds,
+ Error **errp)
+{
+ char *cacert = NULL, *cacrl = NULL, *cert = NULL,
+ *key = NULL, *dhparams = NULL;
+ int ret;
+ int rv = -1;
+
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ if (qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CA_CERT,
+ true, &cacert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CA_CRL,
+ false, &cacrl, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
+ true, &cert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
+ true, &key, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_DH_PARAMS,
+ false, &dhparams, errp) < 0) {
+ goto cleanup;
+ }
+ } else {
+ if (qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CA_CERT,
+ true, &cacert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
+ false, &cert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
+ false, &key, errp) < 0) {
+ goto cleanup;
+ }
+ }
+
+ ret = gnutls_certificate_allocate_credentials(&creds->data.x509);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot allocate credentials '%s'"),
+ gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ ret = gnutls_certificate_set_x509_trust_file(creds->data.x509,
+ cacert,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot load CA certificate '%s': %s"),
+ cacert, gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ ret = gnutls_certificate_set_x509_key_file(creds->data.x509,
+ cert, key,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot load certificate '%s' & key '%s': %s"),
+ cert, key, gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ if (cacrl) {
+ ret = gnutls_certificate_set_x509_crl_file(creds->data.x509,
+ cacrl,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot load CRL '%s': %s"),
+ cacrl, gnutls_strerror(ret));
+ goto cleanup;
+ }
+ }
+
+ if ((creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) &&
+ qcrypto_tls_creds_set_dh_params_file(creds, dhparams, errp) < 0) {
+ goto cleanup;
+ }
+
+ rv = 0;
+ cleanup:
+ g_free(cacert);
+ g_free(cacrl);
+ g_free(cert);
+ g_free(key);
+ g_free(dhparams);
+ return rv;
+}
+
+
+static int
+qcrypto_tls_creds_load_anon(QCryptoTLSCreds *creds,
+ Error **errp)
+{
+ char *dhparams = NULL;
+ int ret;
+ int rv = -1;
+
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ if (qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_DH_PARAMS,
+ false, &dhparams, errp) < 0) {
+ goto cleanup;
+ }
+
+ ret = gnutls_anon_allocate_server_credentials(&creds->data.anonServer);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot allocate credentials: %s"),
+ gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ if (qcrypto_tls_creds_set_dh_params_file(creds, dhparams, errp) < 0) {
+ goto cleanup;
+ }
+ } else {
+ ret = gnutls_anon_allocate_client_credentials(&creds->data.anonClient);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot allocate credentials: %s"),
+ gnutls_strerror(ret));
+ goto cleanup;
+ }
+ }
+
+ rv = 0;
+ cleanup:
+ g_free(dhparams);
+ return rv;
+}
+
+static void qcrypto_tls_creds_load(QCryptoTLSCreds *creds,
+ Error **errp)
+{
+ DPRINTF("Loading creds %d from %s\n",
+ creds->type, creds->dir ? creds->dir : "<nodir>");
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ error_setg(errp, "%s", _("Missing 'credtype' property value"));
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ if (qcrypto_tls_creds_load_anon(creds,
+ errp) < 0) {
+ return;
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ if (qcrypto_tls_creds_load_x509(creds,
+ errp) < 0) {
+ return;
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ error_setg(errp, _("Unknown TLS credential type %d"), creds->type);
+ break;
+ }
+}
+
+#else
+static void qcrypto_tls_creds_load(QCryptoTLSCreds *creds G_GNUC_UNUSED,
+ Error **errp)
+{
+ error_setg(errp, "%s", _("TLS credentials support requires GNUTLS"));
+}
+#endif /* ! CONFIG_GNUTLS */
+
+#ifdef CONFIG_GNUTLS
+static void qcrypto_tls_creds_unload(QCryptoTLSCreds *creds)
+{
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
+ if (creds->data.anonClient) {
+ gnutls_anon_free_client_credentials(creds->data.anonClient);
+ creds->data.anonClient = NULL;
+ }
+ } else {
+ if (creds->data.anonServer) {
+ gnutls_anon_free_server_credentials(creds->data.anonServer);
+ creds->data.anonServer = NULL;
+ }
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ if (creds->data.x509) {
+ gnutls_certificate_free_credentials(creds->data.x509);
+ creds->data.x509 = NULL;
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ break;
+ };
+ if (creds->dh_params) {
+ gnutls_dh_params_deinit(creds->dh_params);
+ creds->dh_params = NULL;
+ }
+}
+#else /* ! CONFIG_GNUTLS */
+static void qcrypto_tls_creds_unload(QCryptoTLSCreds *creds G_GNUC_UNUSED)
+{
+ /* nada */
+}
+#endif /* ! CONFIG_GNUTLS */
+
+static void qcrypto_tls_creds_prop_set_loaded(Object *obj,
+ bool value,
+ Error **errp)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ if (value) {
+ qcrypto_tls_creds_load(creds, errp);
+ } else {
+ qcrypto_tls_creds_unload(creds);
+ }
+}
+
+
+#ifdef CONFIG_GNUTLS
+static bool qcrypto_tls_creds_prop_get_loaded(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ return false;
+
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ return creds->data.x509 != NULL;
+
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ return creds->data.anonServer != NULL;
+ } else {
+ return creds->data.anonClient != NULL;
+ }
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ return false;
+ }
+}
+
+#else /* ! CONFIG_GNUTLS */
+static bool qcrypto_tls_creds_prop_get_loaded(Object *obj G_GNUC_UNUSED,
+ Error **errp G_GNUC_UNUSED)
+{
+ return false;
+}
+#endif /* ! CONFIG_GNUTLS */
+
+static void qcrypto_tls_creds_prop_set_verify(Object *obj,
+ bool value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->verifyPeer = value;
+}
+
+
+static bool qcrypto_tls_creds_prop_get_verify(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return creds->verifyPeer;
+}
+
+static void qcrypto_tls_creds_prop_set_dir(Object *obj,
+ const char *value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->dir = g_strdup(value);
+}
+
+static char *qcrypto_tls_creds_prop_get_dir(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return g_strdup(creds->dir);
+}
+
+static void qcrypto_tls_creds_prop_set_type(Object *obj,
+ int value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->type = value;
+}
+
+static int qcrypto_tls_creds_prop_get_type(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return creds->type;
+}
+
+static void qcrypto_tls_creds_prop_set_endpoint(Object *obj,
+ int value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->endpoint = value;
+}
+
+static int qcrypto_tls_creds_prop_get_endpoint(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return creds->endpoint;
+}
+
+
+static void qcrypto_tls_creds_complete(UserCreatable *uc, Error **errp)
+{
+ object_property_set_bool(OBJECT(uc), true, "loaded", errp);
+}
+
+
+static void qcrypto_tls_creds_init(Object *obj G_GNUC_UNUSED)
+{
+ object_property_add_bool(obj, "loaded",
+ qcrypto_tls_creds_prop_get_loaded,
+ qcrypto_tls_creds_prop_set_loaded,
+ NULL);
+ object_property_add_bool(obj, "verify-peer",
+ qcrypto_tls_creds_prop_get_verify,
+ qcrypto_tls_creds_prop_set_verify,
+ NULL);
+ object_property_add_str(obj, "dir",
+ qcrypto_tls_creds_prop_get_dir,
+ qcrypto_tls_creds_prop_set_dir,
+ NULL);
+ object_property_add_enum(obj, "credtype",
+ type_map,
+ qcrypto_tls_creds_prop_get_type,
+ qcrypto_tls_creds_prop_set_type,
+ NULL);
+ object_property_add_enum(obj, "endpoint",
+ endpoint_map,
+ qcrypto_tls_creds_prop_get_endpoint,
+ qcrypto_tls_creds_prop_set_endpoint,
+ NULL);
+}
+
+
+static void qcrypto_tls_creds_finalize(Object *obj G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ qcrypto_tls_creds_unload(creds);
+}
+
+
+static void qcrypto_tls_creds_class_init(ObjectClass *oc, void *data)
+{
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+
+ ucc->complete = qcrypto_tls_creds_complete;
+}
+
+
+static const TypeInfo qcrypto_tls_creds_info = {
+ .parent = TYPE_OBJECT,
+ .name = TYPE_QCRYPTO_TLS_CREDS,
+ .instance_size = sizeof(QCryptoTLSCreds),
+ .instance_init = qcrypto_tls_creds_init,
+ .instance_finalize = qcrypto_tls_creds_finalize,
+ .class_size = sizeof(QCryptoTLSCredsClass),
+ .class_init = qcrypto_tls_creds_class_init,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+static void qcrypto_tls_creds_register_types(void)
+{
+ DPRINTF("Register tls\n");
+ type_register_static(&qcrypto_tls_creds_info);
+}
+
+void qcrypto_tls_creds_dummy(void)
+{
+}
+
+type_init(qcrypto_tls_creds_register_types);
diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h
new file mode 100644
index 0000000..c9d2009
--- /dev/null
+++ b/include/crypto/tlscreds.h
@@ -0,0 +1,134 @@
+/*
+ * QEMU crypto TLS credential support
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_TLSCRED_H__
+#define QCRYPTO_TLSCRED_H__
+
+#include "qemu-common.h"
+#include "qapi/error.h"
+#include "qom/object.h"
+
+#ifdef CONFIG_GNUTLS
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#endif
+
+#define TYPE_QCRYPTO_TLS_CREDS "qcrypto-tls-creds"
+#define QCRYPTO_TLS_CREDS(obj) \
+ OBJECT_CHECK(QCryptoTLSCreds, (obj), TYPE_QCRYPTO_TLS_CREDS)
+
+typedef struct QCryptoTLSCreds QCryptoTLSCreds;
+typedef struct QCryptoTLSCredsClass QCryptoTLSCredsClass;
+
+
+#define QCRYPTO_TLS_CREDS_DH_PARAMS "dh-params.pem"
+#define QCRYPTO_TLS_CREDS_X509_CA_CERT "ca-cert.pem"
+#define QCRYPTO_TLS_CREDS_X509_CA_CRL "ca-crl.pem"
+#define QCRYPTO_TLS_CREDS_X509_SERVER_KEY "server-key.pem"
+#define QCRYPTO_TLS_CREDS_X509_SERVER_CERT "server-cert.pem"
+#define QCRYPTO_TLS_CREDS_X509_CLIENT_KEY "client-key.pem"
+#define QCRYPTO_TLS_CREDS_X509_CLIENT_CERT "client-cert.pem"
+
+typedef enum {
+ QCRYPTO_TLS_CREDS_TYPE_NONE,
+ QCRYPTO_TLS_CREDS_TYPE_ANON,
+ QCRYPTO_TLS_CREDS_TYPE_X509,
+
+ QCRYPTO_TLS_CREDS_TYPE_LAST,
+} QCryptoTLSCredsType;
+
+typedef enum {
+ QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
+ QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
+
+ QCRYPTO_TLS_CREDS_ENDPOINT_LAST,
+} QCryptoTLSCredsEndpoint;
+
+
+/**
+ * QCryptoTLSCreds:
+ *
+ * The QCryptoTLSCreds object holds a set of credentials used to
+ * perform a TLS handshake. Commonly x509 credentials would be
+ * used, but this also supports anonymous crdentials. The latter
+ * are generally discouraged due to lacking MITM attack protection
+ * amongst other things.
+ *
+ * This is a user creatable object, which can be instantiated
+ * via object_new_propv():
+ *
+ * Object *obj;
+ * Error *err = NULL;
+ * obj = object_new_propv(TYPE_QCRYPTO_TLS_CREDS,
+ * "tlscreds0",
+ * &err,
+ * "credstype", "x509",
+ * "endpoint", "server",
+ * "dir", "/path/x509/cert/dir",
+ * "verify-peer", "yes",
+ * NULL);
+ *
+ * Or via QMP:
+ *
+ * {
+ * "execute": "object-add", "arguments": {
+ * "id": "tlscreds0",
+ * "qom-type": "qcrypto-tls-creds",
+ * "props": {
+ * "credtype": "x509",
+ * "endpoint": "server",
+ * "dir": "/path/to/x509/cert/dir",
+ * "verify-peer": false
+ * }
+ * }
+ * }
+ *
+ * Or via the CLI:
+ *
+ * qemu-system-x86_64 -object qcrypto-tls-creds,id=tlscreds0,\
+ * credtype=x509,endpoint=server,verify-peer=off,\
+ * dir=/path/to/x509/certdir/
+ *
+ */
+
+struct QCryptoTLSCreds {
+ Object parent;
+ char *dir;
+ QCryptoTLSCredsType type;
+ QCryptoTLSCredsEndpoint endpoint;
+#ifdef CONFIG_GNUTLS
+ union {
+ gnutls_certificate_credentials_t x509;
+ gnutls_anon_server_credentials_t anonServer;
+ gnutls_anon_client_credentials_t anonClient;
+ } data;
+ gnutls_dh_params_t dh_params;
+#endif
+ bool verifyPeer;
+};
+
+struct QCryptoTLSCredsClass {
+ ObjectClass parent;
+};
+
+void qcrypto_tls_creds_dummy(void);
+
+#endif /* QCRYPTO_TLSCRED_H__ */
+
diff --git a/qemu-options.hx b/qemu-options.hx
index 5ef0ae4..1c88253 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3495,6 +3495,36 @@ the @option{virtio-rng} device. The @option{chardev} parameter is
the unique ID of a character device backend that provides the connection
to the RNG daemon.
+@item -object qcrypto-tls-cred,id=@var{id},credtype=@var{type},endpoint=@var{endpoint},dir=@var{/path/to/cred/dir},verify-peer=@var{on|off}
+
+Creates a TLS credentials object, which can be used to provide TLS
+support on the VNC server and other network backends. The @option{id}
+parameter is a unique ID which network backends will use to access
+the credentials. The @option{credtype} parameter takes one of the
+values @var{anon}, for anonymous credentials or @var{x509} for
+x509 certificate credentials. The @option{endpoint} is either
+@option{server} or @option{client} depending on whether the QEMU
+network backend that uses the credentials will be acting as a client
+or as a server. If @option{verify-peer} is enabled (the default)
+then once the handshake is completed, the peer credentials will be
+verified. With x509 certificates, this implies that the clients
+must be provided with valid client certificates too.
+
+The @var{dir} parameter tells QEMU where to find the credential
+files. For server endpoints, this directory may contain a file
+@var{dh-params.pem} providing diffie-hellman parameters to use
+for the TLS server. If the file is missing, QEMU will generate
+a set of DH parameters at startup. This is a computationally
+expensive operation that consumes random pool entropy, so it is
+recommended that a persistent set of parameters be generated
+upfront and saved.
+
+For x509 certificate credentials the directory will contain further files
+providing the x509 certificates. The certificates must be stored
+in PEM format, in filenames @var{ca-cert.pem}, @var{ca-crl.pem} (optional),
+@var{server-cert.pem} (only servers), @var{server-key.pem} (only servers),
+@var{client-cert.pem} (only clients), and @var{client-key.pem} (only clients).
+
@end table
ETEXI
diff --git a/tests/Makefile b/tests/Makefile
index 252de54..e920dae 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -311,8 +311,8 @@ tests/test-opts-visitor$(EXESUF): tests/test-opts-visitor.o $(test-qapi-obj-y) l
tests/test-mul64$(EXESUF): tests/test-mul64.o libqemuutil.a
tests/test-bitops$(EXESUF): tests/test-bitops.o libqemuutil.a
-tests/test-crypto-hash$(EXESUF): tests/test-crypto-hash.o libqemuutil.a libqemustub.a
-tests/test-crypto-cipher$(EXESUF): tests/test-crypto-cipher.o libqemuutil.a libqemustub.a
+tests/test-crypto-hash$(EXESUF): tests/test-crypto-hash.o $(qom-core-obj) libqemuutil.a libqemustub.a
+tests/test-crypto-cipher$(EXESUF): tests/test-crypto-cipher.o $(qom-core-obj) libqemuutil.a libqemustub.a
libqos-obj-y = tests/libqos/pci.o tests/libqos/fw_cfg.o tests/libqos/malloc.o
libqos-obj-y += tests/libqos/i2c.o tests/libqos/libqos.o
--
2.1.0
next prev parent reply other threads:[~2015-04-17 14:24 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-17 14:22 [Qemu-devel] [PATCH v1 RFC 00/34] Generic support for TLS protocol & I/O channels Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 01/34] ui: remove check for failure of qemu_acl_init() Daniel P. Berrange
2015-04-17 15:56 ` Eric Blake
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 02/34] qom: document user creatable object types in help text Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 03/34] qom: create objects in two phases Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 04/34] qom: add object_new_propv / object_new_proplist constructors Daniel P. Berrange
2015-04-17 14:55 ` Paolo Bonzini
2015-04-17 15:16 ` Daniel P. Berrange
2015-04-17 16:11 ` Eric Blake
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 05/34] qom: make enum string tables const-correct Daniel P. Berrange
2015-04-17 14:56 ` Paolo Bonzini
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 06/34] qom: add a object_property_add_enum helper method Daniel P. Berrange
2015-04-17 14:56 ` Paolo Bonzini
2015-04-17 15:01 ` Paolo Bonzini
2015-04-17 15:11 ` Daniel P. Berrange
2015-04-17 15:19 ` Paolo Bonzini
2015-04-17 15:22 ` Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 07/34] qom: don't pass string table to object_get_enum method Daniel P. Berrange
2015-04-17 15:05 ` Paolo Bonzini
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 08/34] crypto: introduce new module for computing hash digests Daniel P. Berrange
2015-05-13 17:04 ` Daniel P. Berrange
2015-05-13 17:12 ` Paolo Bonzini
2015-05-13 17:21 ` Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 09/34] crypto: move built-in AES implementation into crypto/ Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 10/34] crypto: move built-in D3DES " Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 11/34] crypto: introduce generic cipher API & built-in implementation Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 12/34] crypto: add a gcrypt cipher implementation Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 13/34] crypto: add a nettle " Daniel P. Berrange
2015-04-17 14:22 ` Daniel P. Berrange [this message]
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 15/34] crypto: add sanity checking of TLS credentials Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 16/34] crypto: introduce new module for handling TLS sessions Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 17/34] block: convert quorum blockdrv to use crypto APIs Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 18/34] ui: convert VNC websockets " Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 19/34] block: convert qcow/qcow2 to use generic cipher API Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 20/34] ui: convert VNC " Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 21/34] io: add abstract QIOChannel classes Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 22/34] io: add helper module for creating watches on UNIX FDs Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 23/34] io: add QIOChannelSocket class Daniel P. Berrange
2015-04-17 15:28 ` Paolo Bonzini
2015-04-17 15:52 ` Daniel P. Berrange
2015-04-17 16:00 ` Paolo Bonzini
2015-04-20 7:18 ` Gerd Hoffmann
2015-04-23 12:31 ` Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 24/34] io: add QIOChannelFile class Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 25/34] io: add QIOTask class for async operations Daniel P. Berrange
2015-04-17 15:16 ` Paolo Bonzini
2015-04-17 15:49 ` Daniel P. Berrange
2015-04-17 15:57 ` Paolo Bonzini
2015-04-17 16:11 ` Daniel P. Berrange
2015-04-17 17:06 ` Paolo Bonzini
2015-04-17 17:38 ` Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 26/34] io: add QIOChannelTLS class Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 27/34] io: pull Buffer code out of VNC module Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 28/34] io: add QIOChannelWebsock class Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 29/34] ui: convert VNC server to use QEMUIOChannelSocket classes Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 30/34] ui: convert VNC server to use QIOChannelTLS Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 31/34] ui: convert VNC server to use QIOChannelWebsock Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 32/34] char: convert from GIOChannel to QIOChannel Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 33/34] char: don't assume telnet initialization will not block Daniel P. Berrange
2015-04-17 14:22 ` [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend Daniel P. Berrange
2015-04-17 18:27 ` Eric Blake
2015-04-23 12:32 ` Daniel P. Berrange
2015-05-04 20:07 ` Kashyap Chamarthy
2015-05-05 13:49 ` Daniel P. Berrange
2015-05-05 13:53 ` Paolo Bonzini
2015-05-05 13:56 ` Daniel P. Berrange
2015-05-05 14:54 ` Kashyap Chamarthy
2015-05-06 8:34 ` Kashyap Chamarthy
2015-05-06 10:18 ` Daniel P. Berrange
2015-05-06 11:38 ` Kashyap Chamarthy
2015-04-23 12:28 ` [Qemu-devel] [PATCH v1 RFC 00/34] Generic support for TLS protocol & I/O channels Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1429280557-8887-15-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.