From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>, Gerd Hoffmann <kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH v5 0/9] Extract TLS handling code from VNC server
Date: Wed, 26 Aug 2015 16:05:15 +0100
Message-ID: <1440601524-30316-1-git-send-email-berrange@redhat.com>
This small patch series is a formal submission of another part
of my previous series

v1: https://lists.gnu.org/archive/html/qemu-devel/2015-04/msg02038.html
v2: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg01267.html
v3: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg01386.html
v4: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg02655.html

Now that we have the basic crypto module defined for hash/cipher APIs,
we extend it to also cover TLS credential and TLS session handling
APIs. These new TLS related APIs obsolete the vast majority of the
TLS handling code in the current VNC server. As a result the VNC
server no longer has to worry about conditional compilation for
GNUTLS. It also gives us code reuse for future patches which intend
to add TLS support to chardevs, migration, nbd, etc.

This series deprecates the existing way of configuring TLS for
VNC on the command line, but maintains support for back-compat
reasons.

Since the TLS code is now totally isolated from the VNC server it
is also practical to provide significant unit test coverage of what
is security critical code.

Aside from the new CLI syntax for configuring TLS with VNC, the
only other functional change is to allow Diffie-Hellman params
to be loaded from a file, instead of being generated at startup.
Changes in v5:

- Introduce use of -Wl,--whole-archive with libqemuutil.a
  to ensure QOM objects are not discarded by linker
- Remove nasty back dummy functions used to prevent QOM
  object discard by linker
- Extend QAPI enum generator to allow enum name prefix
  spec to override heuristics
- Switch to use QAPI to generate QCryptoTLSCredsEndpoint
  enum definition
- Fix misc bugs in error message strings
- Use alternate definition for DPRINTF

Changes in v4:

- Fix build when GNUTLS is disabled
- Add missed return type conversion in vnc.h

Changes in v3:

- Switched "tls-creds" object to be just an abstract base class
- Created "tls-creds-anon" object subclass in new file
- Created "tls-creds-x509" object subclass in new file
Daniel P. Berrange (9):
qapi: allow override of default enum prefix naming
make: ensure all members of libqemuutil.a are linked
crypto: introduce new base module for TLS credentials
crypto: introduce new module for TLS anonymous credentials
crypto: introduce new module for TLS x509 credentials
crypto: add sanity checking of TLS x509 credentials
crypto: introduce new module for handling TLS sessions
ui: fix return type for VNC I/O functions to be ssize_t
ui: convert VNC server to use QCryptoTLSSession
Makefile.target | 7 +-
configure | 53 +-
crypto/Makefile.objs | 4 +
crypto/tlscreds.c | 262 +++++++++
crypto/tlscredsanon.c | 236 ++++++++
crypto/tlscredspriv.h | 41 ++
crypto/tlscredsx509.c | 820 ++++++++++++++++++++++++++++
crypto/tlssession.c | 583 ++++++++++++++++++++
include/crypto/tlscreds.h | 68 +++
include/crypto/tlscredsanon.h | 112 ++++
include/crypto/tlscredsx509.h | 113 ++++
include/crypto/tlssession.h | 322 +++++++++++
qapi-schema.json | 3 +
qapi/crypto.json | 20 +
qemu-options.hx | 75 ++-
scripts/qapi-types.py | 14 +-
scripts/qapi.py | 9 +-
tests/.gitignore | 7 +
tests/Makefile | 14 +-
tests/crypto-tls-x509-helpers.c | 486 +++++++++++++++++
tests/crypto-tls-x509-helpers.h | 133 +++++
tests/pkix_asn1_tab.c | 1103 ++++++++++++++++++++++++++++++++++++++
tests/test-crypto-tlscredsx509.c | 734 +++++++++++++++++++++++++
tests/test-crypto-tlssession.c | 534 ++++++++++++++++++
ui/Makefile.objs | 2 +-
ui/vnc-auth-sasl.c | 36 +-
ui/vnc-auth-vencrypt.c | 80 +--
ui/vnc-tls.c | 474 ----------------
ui/vnc-tls.h | 69 ---
ui/vnc-ws.c | 82 +--
ui/vnc-ws.h | 2 -
ui/vnc.c | 360 ++++++++-----
ui/vnc.h | 21 +-
33 files changed, 6053 insertions(+), 826 deletions(-)
create mode 100644 crypto/tlscreds.c
create mode 100644 crypto/tlscredsanon.c
create mode 100644 crypto/tlscredspriv.h
create mode 100644 crypto/tlscredsx509.c
create mode 100644 crypto/tlssession.c
create mode 100644 include/crypto/tlscreds.h
create mode 100644 include/crypto/tlscredsanon.h
create mode 100644 include/crypto/tlscredsx509.h
create mode 100644 include/crypto/tlssession.h
create mode 100644 qapi/crypto.json
create mode 100644 tests/crypto-tls-x509-helpers.c
create mode 100644 tests/crypto-tls-x509-helpers.h
create mode 100644 tests/pkix_asn1_tab.c
create mode 100644 tests/test-crypto-tlscredsx509.c
create mode 100644 tests/test-crypto-tlssession.c
delete mode 100644 ui/vnc-tls.c
delete mode 100644 ui/vnc-tls.h
--
2.4.3