From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>, Gerd Hoffmann <kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH v4 3/7] crypto: introduce new module for TLS x509 credentials
Date: Mon, 24 Aug 2015 15:14:51 +0100 [thread overview]
Message-ID: <1440425695-24286-4-git-send-email-berrange@redhat.com> (raw)
In-Reply-To: <1440425695-24286-1-git-send-email-berrange@redhat.com>
Introduce a QCryptoTLSCredsX509 class which is used to
manage x509 certificate TLS credentials. This will be
the preferred credential type offering strong security
characteristics
Example CLI configuration:
$QEMU -object tls-creds-x509,id=tls0,endpoint=server,\
dir=/path/to/creds/dir,verify-peer=yes
The 'id' value in the -object args will be used to associate the
credentials with the network services. For eample, when the VNC
server is later converted it would use
$QEMU -object tls-creds-x509,id=tls0,.... \
-vnc 127.0.0.1:1,tls-creds=tls0
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
crypto/Makefile.objs | 1 +
crypto/init.c | 3 +
crypto/tlscredsx509.c | 277 ++++++++++++++++++++++++++++++++++++++++++
include/crypto/tlscredsx509.h | 114 +++++++++++++++++
qemu-options.hx | 27 ++++
5 files changed, 422 insertions(+)
create mode 100644 crypto/tlscredsx509.c
create mode 100644 include/crypto/tlscredsx509.h
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index cf0199e..914bb68 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -5,3 +5,4 @@ util-obj-y += desrfb.o
util-obj-y += cipher.o
util-obj-y += tlscreds.o
util-obj-y += tlscredsanon.o
+util-obj-y += tlscredsx509.o
diff --git a/crypto/init.c b/crypto/init.c
index c08d3ce..8abe7cb 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -21,6 +21,7 @@
#include "crypto/init.h"
#include "crypto/tlscreds.h"
#include "crypto/tlscredsanon.h"
+#include "crypto/tlscredsx509.h"
#include "qemu/thread.h"
#ifdef CONFIG_GNUTLS
@@ -146,6 +147,7 @@ int qcrypto_init(Error **errp)
*/
qcrypto_tls_creds_dummy();
qcrypto_tls_creds_anon_dummy();
+ qcrypto_tls_creds_x509_dummy();
return 0;
}
@@ -157,6 +159,7 @@ int qcrypto_init(Error **errp G_GNUC_UNUSED)
/* XXX hack - see above */
qcrypto_tls_creds_dummy();
qcrypto_tls_creds_anon_dummy();
+ qcrypto_tls_creds_x509_dummy();
return 0;
}
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
new file mode 100644
index 0000000..0adb065
--- /dev/null
+++ b/crypto/tlscredsx509.c
@@ -0,0 +1,277 @@
+/*
+ * QEMU crypto TLS x509 credential support
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/tlscredsx509.h"
+#include "crypto/tlscredspriv.h"
+#include "qom/object_interfaces.h"
+
+/* #define QCRYPTO_DEBUG */
+
+#ifdef QCRYPTO_DEBUG
+#define DPRINTF(fmt, ...) do { fprintf(stderr, fmt, ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF(fmt, ...) do { } while (0)
+#endif
+
+
+#ifdef CONFIG_GNUTLS
+
+
+static int
+qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
+ Error **errp)
+{
+ char *cacert = NULL, *cacrl = NULL, *cert = NULL,
+ *key = NULL, *dhparams = NULL;
+ int ret;
+ int rv = -1;
+
+ DPRINTF("Loading x509 creds %d from %s\n",
+ creds->type, creds->dir ? creds->dir : "<nodir>");
+
+ if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ if (qcrypto_tls_creds_get_path(&creds->parent_obj,
+ QCRYPTO_TLS_CREDS_X509_CA_CERT,
+ true, &cacert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(&creds->parent_obj,
+ QCRYPTO_TLS_CREDS_X509_CA_CRL,
+ false, &cacrl, errp) < 0 ||
+ qcrypto_tls_creds_get_path(&creds->parent_obj,
+ QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
+ true, &cert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(&creds->parent_obj,
+ QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
+ true, &key, errp) < 0 ||
+ qcrypto_tls_creds_get_path(&creds->parent_obj,
+ QCRYPTO_TLS_CREDS_DH_PARAMS,
+ false, &dhparams, errp) < 0) {
+ goto cleanup;
+ }
+ } else {
+ if (qcrypto_tls_creds_get_path(&creds->parent_obj,
+ QCRYPTO_TLS_CREDS_X509_CA_CERT,
+ true, &cacert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(&creds->parent_obj,
+ QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
+ false, &cert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(&creds->parent_obj,
+ QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
+ false, &key, errp) < 0) {
+ goto cleanup;
+ }
+ }
+
+ ret = gnutls_certificate_allocate_credentials(&creds->data);
+ if (ret < 0) {
+ error_setg(errp, "Cannot allocate credentials '%s'",
+ gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ ret = gnutls_certificate_set_x509_trust_file(creds->data,
+ cacert,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, "Cannot load CA certificate '%s': %s",
+ cacert, gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ if (cert != NULL && key != NULL) {
+ ret = gnutls_certificate_set_x509_key_file(creds->data,
+ cert, key,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
+ cert, key, gnutls_strerror(ret));
+ goto cleanup;
+ }
+ }
+
+ if (cacrl != NULL) {
+ ret = gnutls_certificate_set_x509_crl_file(creds->data,
+ cacrl,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, "Cannot load CRL '%s': %s",
+ cacrl, gnutls_strerror(ret));
+ goto cleanup;
+ }
+ }
+
+ if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ if (qcrypto_tls_creds_get_dh_params_file(dhparams,
+ &creds->parent_obj.dh_params,
+ errp) < 0) {
+ goto cleanup;
+ }
+ gnutls_certificate_set_dh_params(creds->data,
+ creds->parent_obj.dh_params);
+ }
+
+ rv = 0;
+ cleanup:
+ g_free(cacert);
+ g_free(cacrl);
+ g_free(cert);
+ g_free(key);
+ g_free(dhparams);
+ return rv;
+}
+
+
+static void
+qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds)
+{
+ if (creds->data) {
+ gnutls_certificate_free_credentials(creds->data);
+ creds->data = NULL;
+ }
+}
+
+
+#else /* ! CONFIG_GNUTLS */
+
+
+static void
+qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED,
+ Error **errp)
+{
+ error_setg(errp, "TLS credentials support requires GNUTLS");
+}
+
+
+static void
+qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED)
+{
+ /* nada */
+}
+
+
+#endif /* ! CONFIG_GNUTLS */
+
+
+static void
+qcrypto_tls_creds_x509_prop_set_loaded(Object *obj,
+ bool value,
+ Error **errp)
+{
+ QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
+
+ if (value) {
+ qcrypto_tls_creds_x509_load(creds, errp);
+ } else {
+ qcrypto_tls_creds_x509_unload(creds);
+ }
+}
+
+
+#ifdef CONFIG_GNUTLS
+
+
+static bool
+qcrypto_tls_creds_x509_prop_get_loaded(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
+
+ return creds->data != NULL;
+}
+
+
+#else /* ! CONFIG_GNUTLS */
+
+
+static bool
+qcrypto_tls_creds_x509_prop_get_loaded(Object *obj G_GNUC_UNUSED,
+ Error **errp G_GNUC_UNUSED)
+{
+ return false;
+}
+
+
+#endif /* ! CONFIG_GNUTLS */
+
+
+static void
+qcrypto_tls_creds_x509_complete(UserCreatable *uc, Error **errp)
+{
+ object_property_set_bool(OBJECT(uc), true, "loaded", errp);
+}
+
+
+static void
+qcrypto_tls_creds_x509_init(Object *obj)
+{
+ object_property_add_bool(obj, "loaded",
+ qcrypto_tls_creds_x509_prop_get_loaded,
+ qcrypto_tls_creds_x509_prop_set_loaded,
+ NULL);
+}
+
+
+static void
+qcrypto_tls_creds_x509_finalize(Object *obj)
+{
+ QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
+
+ qcrypto_tls_creds_x509_unload(creds);
+}
+
+
+static void
+qcrypto_tls_creds_x509_class_init(ObjectClass *oc, void *data)
+{
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+
+ ucc->complete = qcrypto_tls_creds_x509_complete;
+}
+
+
+static const TypeInfo qcrypto_tls_creds_x509_info = {
+ .parent = TYPE_QCRYPTO_TLS_CREDS,
+ .name = TYPE_QCRYPTO_TLS_CREDS_X509,
+ .instance_size = sizeof(QCryptoTLSCredsX509),
+ .instance_init = qcrypto_tls_creds_x509_init,
+ .instance_finalize = qcrypto_tls_creds_x509_finalize,
+ .class_size = sizeof(QCryptoTLSCredsX509Class),
+ .class_init = qcrypto_tls_creds_x509_class_init,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+
+static void
+qcrypto_tls_creds_x509_register_types(void)
+{
+ DPRINTF("Register TLS x509\n");
+ type_register_static(&qcrypto_tls_creds_x509_info);
+}
+
+
+void
+qcrypto_tls_creds_x509_dummy(void)
+{
+}
+
+
+type_init(qcrypto_tls_creds_x509_register_types);
diff --git a/include/crypto/tlscredsx509.h b/include/crypto/tlscredsx509.h
new file mode 100644
index 0000000..bdb7b25
--- /dev/null
+++ b/include/crypto/tlscredsx509.h
@@ -0,0 +1,114 @@
+/*
+ * QEMU crypto TLS x509 credential support
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_TLSCRED_X509_H__
+#define QCRYPTO_TLSCRED_X509_H__
+
+#include "crypto/tlscreds.h"
+
+#define TYPE_QCRYPTO_TLS_CREDS_X509 "tls-creds-x509"
+#define QCRYPTO_TLS_CREDS_X509(obj) \
+ OBJECT_CHECK(QCryptoTLSCredsX509, (obj), TYPE_QCRYPTO_TLS_CREDS_X509)
+
+typedef struct QCryptoTLSCredsX509 QCryptoTLSCredsX509;
+typedef struct QCryptoTLSCredsX509Class QCryptoTLSCredsX509Class;
+
+#define QCRYPTO_TLS_CREDS_X509_CA_CERT "ca-cert.pem"
+#define QCRYPTO_TLS_CREDS_X509_CA_CRL "ca-crl.pem"
+#define QCRYPTO_TLS_CREDS_X509_SERVER_KEY "server-key.pem"
+#define QCRYPTO_TLS_CREDS_X509_SERVER_CERT "server-cert.pem"
+#define QCRYPTO_TLS_CREDS_X509_CLIENT_KEY "client-key.pem"
+#define QCRYPTO_TLS_CREDS_X509_CLIENT_CERT "client-cert.pem"
+
+
+/**
+ * QCryptoTLSCredsX509:
+ *
+ * The QCryptoTLSCredsX509 object provides a representation
+ * of x509 credentials used to perform a TLS handshake.
+ *
+ * This is a user creatable object, which can be instantiated
+ * via object_new_propv():
+ *
+ * <example>
+ * <title>Creating x509 TLS credential objects in code</title>
+ * <programlisting>
+ * Object *obj;
+ * Error *err = NULL;
+ * obj = object_new_propv(TYPE_QCRYPTO_TLS_CREDS_X509,
+ * "tlscreds0",
+ * &err,
+ * "endpoint", "server",
+ * "dir", "/path/x509/cert/dir",
+ * "verify-peer", "yes",
+ * NULL);
+ * </programlisting>
+ * </example>
+ *
+ * Or via QMP:
+ *
+ * <example>
+ * <title>Creating x509 TLS credential objects via QMP</title>
+ * <programlisting>
+ * {
+ * "execute": "object-add", "arguments": {
+ * "id": "tlscreds0",
+ * "qom-type": "tls-creds-x509",
+ * "props": {
+ * "endpoint": "server",
+ * "dir": "/path/to/x509/cert/dir",
+ * "verify-peer": false
+ * }
+ * }
+ * }
+ * </programlisting>
+ * </example>
+ *
+ *
+ * Or via the CLI:
+ *
+ * <example>
+ * <title>Creating x509 TLS credential objects via CLI</title>
+ * <programlisting>
+ * qemu-system-x86_64 -object tls-creds-x509,id=tlscreds0,\
+ * endpoint=server,verify-peer=off,\
+ * dir=/path/to/x509/certdir/
+ * </programlisting>
+ * </example>
+ *
+ */
+
+struct QCryptoTLSCredsX509 {
+ QCryptoTLSCreds parent_obj;
+#ifdef CONFIG_GNUTLS
+ gnutls_certificate_credentials_t data;
+#endif
+};
+
+
+struct QCryptoTLSCredsX509Class {
+ QCryptoTLSCredsClass parent_class;
+};
+
+
+void qcrypto_tls_creds_x509_dummy(void);
+
+#endif /* QCRYPTO_TLSCRED_X509_H__ */
+
diff --git a/qemu-options.hx b/qemu-options.hx
index 057801a..23c91d5 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3588,6 +3588,33 @@ expensive operation that consumes random pool entropy, so it is
recommended that a persistent set of parameters be generated
upfront and saved.
+@item -object tls-creds-x509,id=@var{id},endpoint=@var{endpoint},dir=@var{/path/to/cred/dir},verify-peer=@var{on|off}
+
+Creates a TLS anonymous credentials object, which can be used to provide
+TLS support on network backends. The @option{id} parameter is a unique
+ID which network backends will use to access the credentials. The
+@option{endpoint} is either @option{server} or @option{client} depending
+on whether the QEMU network backend that uses the credentials will be
+acting as a client or as a server. If @option{verify-peer} is enabled
+(the default) then once the handshake is completed, the peer credentials
+will be verified. With x509 certificates, this implies that the clients
+must be provided with valid client certificates too.
+
+The @var{dir} parameter tells QEMU where to find the credential
+files. For server endpoints, this directory may contain a file
+@var{dh-params.pem} providing diffie-hellman parameters to use
+for the TLS server. If the file is missing, QEMU will generate
+a set of DH parameters at startup. This is a computationally
+expensive operation that consumes random pool entropy, so it is
+recommended that a persistent set of parameters be generated
+upfront and saved.
+
+For x509 certificate credentials the directory will contain further files
+providing the x509 certificates. The certificates must be stored
+in PEM format, in filenames @var{ca-cert.pem}, @var{ca-crl.pem} (optional),
+@var{server-cert.pem} (only servers), @var{server-key.pem} (only servers),
+@var{client-cert.pem} (only clients), and @var{client-key.pem} (only clients).
+
@end table
ETEXI
--
2.4.3
next prev parent reply other threads:[~2015-08-24 14:15 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-24 14:14 [Qemu-devel] [PATCH v4 0/7] Extract TLS handling code from VNC server Daniel P. Berrange
2015-08-24 14:14 ` [Qemu-devel] [PATCH v4 1/7] crypto: introduce new base module for TLS credentials Daniel P. Berrange
2015-08-24 20:25 ` Eric Blake
2015-08-26 12:48 ` Daniel P. Berrange
2015-08-24 14:14 ` [Qemu-devel] [PATCH v4 2/7] crypto: introduce new module for TLS anonymous credentials Daniel P. Berrange
2015-08-24 20:46 ` Eric Blake
2015-08-26 14:49 ` Daniel P. Berrange
2015-08-24 14:14 ` Daniel P. Berrange [this message]
2015-08-26 15:07 ` [Qemu-devel] [PATCH v4 3/7] crypto: introduce new module for TLS x509 credentials Eric Blake
2015-08-24 14:14 ` [Qemu-devel] [PATCH v4 4/7] crypto: add sanity checking of " Daniel P. Berrange
2015-08-24 14:14 ` [Qemu-devel] [PATCH v4 5/7] crypto: introduce new module for handling TLS sessions Daniel P. Berrange
2015-08-24 14:14 ` [Qemu-devel] [PATCH v4 6/7] ui: fix return type for VNC I/O functions to be ssize_t Daniel P. Berrange
2015-08-24 14:14 ` [Qemu-devel] [PATCH v4 7/7] ui: convert VNC server to use QCryptoTLSSession Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1440425695-24286-4-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.