From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from [140.186.70.92] (port=36393 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1P3lKG-0006tv-Md for qemu-devel@nongnu.org; Thu, 07 Oct 2010 03:55:45 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1P3lKA-0003gb-US for qemu-devel@nongnu.org; Thu, 07 Oct 2010 03:55:40 -0400 Received: from mx1.redhat.com ([209.132.183.28]:61509) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1P3lKA-0003g2-JD for qemu-devel@nongnu.org; Thu, 07 Oct 2010 03:55:34 -0400 Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o977tXeo032642 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Thu, 7 Oct 2010 03:55:33 -0400 From: Gerd Hoffmann Date: Thu, 7 Oct 2010 09:55:22 +0200 Message-Id: <1286438126-11250-2-git-send-email-kraxel@redhat.com> In-Reply-To: <1286438126-11250-1-git-send-email-kraxel@redhat.com> References: <1286438126-11250-1-git-send-email-kraxel@redhat.com> Subject: [Qemu-devel] [PATCH 1/5] spice: tls support List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Gerd Hoffmann Add options to the -spice command line switch to setup tls. --- qemu-config.c | 24 +++++++++++++++++++ qemu-options.hx | 18 ++++++++++++++- ui/spice-core.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 104 insertions(+), 5 deletions(-) diff --git a/qemu-config.c b/qemu-config.c index 32917cb..26748a5 100644 --- a/qemu-config.c +++ b/qemu-config.c 
@@ -362,11 +362,35 @@ QemuOptsList qemu_spice_opts = { .name = "port", .type = QEMU_OPT_NUMBER, },{ + .name = "tls-port", + .type = QEMU_OPT_NUMBER, + },{ .name = "password", .type = QEMU_OPT_STRING, },{ .name = "disable-ticketing", .type = QEMU_OPT_BOOL, + },{ + .name = "x509-dir", + .type = QEMU_OPT_STRING, + },{ + .name = "x509-key-file", + .type = QEMU_OPT_STRING, + },{ + .name = "x509-key-password", + .type = QEMU_OPT_STRING, + },{ + .name = "x509-cert-file", + .type = QEMU_OPT_STRING, + },{ + .name = "x509-cacert-file", + .type = QEMU_OPT_STRING, + },{ + .name = "x509-dh-key-file", + .type = QEMU_OPT_STRING, + },{ + .name = "tls-ciphers", + .type = QEMU_OPT_STRING, }, { /* end if list */ } }, diff --git a/qemu-options.hx b/qemu-options.hx index 718d47a..9d3f8ef 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -680,7 +680,7 @@ Enable the spice remote desktop protocol. Valid options are @table @option @item port= -Set the TCP port spice is listening on. +Set the TCP port spice is listening on for plaintext channels. @item password= Set the password you need to authenticate. @@ -688,6 +688,22 @@ Set the password you need to authenticate. @item disable-ticketing Allow client connects without authentication. +@item tls-port= +Set the TCP port spice is listening on for encrypted channels. + +@item x509-dir= +Set the x509 file directory. Expects same filenames as -vnc $display,x509=$dir + +@item x509-key-file= +@item x509-key-password= +@item x509-cert-file= +@item x509-cacert-file= +@item x509-dh-key-file= +The x509 file names can also be configured individually. + +@item tls-ciphers= +Specify which ciphers to use. + @end table ETEXI diff --git a/ui/spice-core.c b/ui/spice-core.c index 8b5e4a8..51aa782 100644 --- a/ui/spice-core.c +++ b/ui/spice-core.c @@ -22,6 +22,7 @@ #include "qemu-spice.h" #include "qemu-timer.h" #include "qemu-queue.h" +#include "qemu-x509.h" #include "monitor.h" /* core bits */ 
@@ -141,20 +142,74 @@ static SpiceCoreInterface core_interface = { void qemu_spice_init(void) { QemuOpts *opts = QTAILQ_FIRST(&qemu_spice_opts.head); - const char *password; - int port; + const char *password, *str, *x509_dir, + *x509_key_password = NULL, + *x509_dh_file = NULL, + *tls_ciphers = NULL; + char *x509_key_file = NULL, + *x509_cert_file = NULL, + *x509_cacert_file = NULL; + int port, tls_port, len; if (!opts) { return; } port = qemu_opt_get_number(opts, "port", 0); - if (!port) { + tls_port = qemu_opt_get_number(opts, "tls-port", 0); + if (!port && !tls_port) { return; } password = qemu_opt_get(opts, "password"); + if (tls_port) { + x509_dir = qemu_opt_get(opts, "x509-dir"); + if (NULL == x509_dir) { + x509_dir = "."; + } + len = strlen(x509_dir) + 32; + + str = qemu_opt_get(opts, "x509-key-file"); + if (str) { + x509_key_file = qemu_strdup(str); + } else { + x509_key_file = qemu_malloc(len); + snprintf(x509_key_file, len, "%s/%s", x509_dir, X509_SERVER_KEY_FILE); + } + + str = qemu_opt_get(opts, "x509-cert-file"); + if (str) { + x509_cert_file = qemu_strdup(str); + } else { + x509_cert_file = qemu_malloc(len); + snprintf(x509_cert_file, len, "%s/%s", x509_dir, X509_SERVER_CERT_FILE); + } + + str = qemu_opt_get(opts, "x509-cacert-file"); + if (str) { + x509_cacert_file = qemu_strdup(str); + } else { + x509_cacert_file = qemu_malloc(len); + snprintf(x509_cacert_file, len, "%s/%s", x509_dir, X509_CA_CERT_FILE); + } + + x509_key_password = qemu_opt_get(opts, "x509-key-password"); + x509_dh_file = qemu_opt_get(opts, "x509-dh-file"); + tls_ciphers = qemu_opt_get(opts, "tls-ciphers"); + } + spice_server = spice_server_new(); - spice_server_set_port(spice_server, port); + if (port) { + spice_server_set_port(spice_server, port); + } + if (tls_port) { + spice_server_set_tls(spice_server, tls_port, + x509_cacert_file, + x509_cert_file, + x509_key_file, + x509_key_password, + x509_dh_file, + tls_ciphers); + } if (password) { spice_server_set_ticket(spice_server, 
password, 0, 0, 0); } @@ -169,6 +224,10 @@ void qemu_spice_init(void) using_spice = 1; qemu_spice_input_init(); + + qemu_free(x509_key_file); + qemu_free(x509_cert_file); + qemu_free(x509_cacert_file); } int qemu_spice_add_interface(SpiceBaseInstance *sin) -- 1.7.1
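Review bot: in the qemu-options.hx hunk at @@ -688,6 +688,22 @@ the "@item x509-dir=" text should state what the code does when the option is absent (qemu_spice_init() falls back to "." and so reads the server key and certificates from the current working directory of the qemu process), since that default decides which key material the TLS listener starts with. "@item tls-ciphers=" says only "Specify which ciphers to use." and should name the cipher-string syntax the value is passed through. Worth a sentence under "@item x509-key-password=" as well: like password=, the value is given on the command line and is therefore visible to other local users in the process list, so the text should say so.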
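Review bot: in the ui/spice-core.c hunk at @@ -141,20 +142,74 @@ the option name read for the DH file does not match the one the patch registers and documents: the code does x509_dh_file = qemu_opt_get(opts, "x509-dh-file"); while qemu-config.c adds .name = "x509-dh-key-file", and qemu-options.hx documents @item x509-dh-key-file=. No option called "x509-dh-file" exists in qemu_spice_opts, so this lookup always yields NULL and a DH file supplied by the user is silently ignored; change the string to "x509-dh-key-file". Second, len = strlen(x509_dir) + 32; assumes each X509_*_FILE constant plus the "/" separator fits in 31 bytes. snprintf() is bounded so this cannot overflow, but a longer constant would give a silently truncated path that later fails to open with a misleading error; size each buffer from the constant actually used (strlen(x509_dir) + 1 + strlen(X509_SERVER_KEY_FILE) + 1, and likewise for the cert and CA files) or add a comment justifying the 32.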
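Review bot: the three qemu_free() calls added at the end of qemu_spice_init() in the @@ -169,6 +224,10 @@ hunk release x509_key_file, x509_cert_file and x509_cacert_file immediately after they were passed to spice_server_set_tls(), which is only correct if spice_server_set_tls() copies the strings rather than keeping the pointers; please confirm that against the spice-server API and add a one-line comment saying so, because anything that retained the pointers would read freed memory on the first TLS connection. The frees are correctly unreachable from the two early returns, which happen before any allocation, and passing the NULL pointers on the plaintext-only path is fine since qemu_free() tolerates NULL.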