From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:36654) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YpwPP-0005Ei-42 for qemu-devel@nongnu.org; Wed, 06 May 2015 06:18:32 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YpwPL-0005mA-Uf for qemu-devel@nongnu.org; Wed, 06 May 2015 06:18:31 -0400 Received: from mx1.redhat.com ([209.132.183.28]:42472) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YpwPL-0005m3-Ly for qemu-devel@nongnu.org; Wed, 06 May 2015 06:18:27 -0400 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (Postfix) with ESMTPS id 4F0108E6FC for ; Wed, 6 May 2015 10:18:27 +0000 (UTC) Date: Wed, 6 May 2015 11:18:23 +0100 From: "Daniel P. Berrange" Message-ID: <20150506101822.GD7492@redhat.com> References: <1429280557-8887-1-git-send-email-berrange@redhat.com> <1429280557-8887-35-git-send-email-berrange@redhat.com> <20150504200715.GF11726@tesla.redhat.com> <20150505134951.GC32600@redhat.com> <20150505145444.GH30897@tesla.redhat.com> <20150506083406.GA6856@tesla.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20150506083406.GA6856@tesla.redhat.com> Subject: Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend Reply-To: "Daniel P. Berrange" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Kashyap Chamarthy Cc: Paolo Bonzini , qemu-devel@nongnu.org, Stefan Hajnoczi , Gerd Hoffmann On Wed, May 06, 2015 at 10:34:06AM +0200, Kashyap Chamarthy wrote: > On Tue, May 05, 2015 at 04:54:44PM +0200, Kashyap Chamarthy wrote: > > [. . .] > > > While running QEMU as TLS server, the TLS handshake completes > > successfully when connected via `gnutls-cli`. > > > > However, when using QEMU as client to connect to an existing GnuTLS > > server, I notice a segmentation fault: > > > > $ /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 \ > > -nodefconfig -nodefaults -device sga -display none \ > > -chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0 \ > > -device isa-serial,chardev=s0 \ > > -object qcrypto-tls-creds,id=tls0,credtype=x509,endpoint=client,dir=/export/security/gnutls > > Segmentation fault (core dumped) > > Some debugging with `gdb` below. > > QEMU was built with: > > ./configure --target-list=x86_64-softmmu --enable-debug > make -j4 > > Stack traces: > > $ gdb /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 > #2 0x00007ffff1c6b3d9 in gnutls_certificate_set_x509_key_file2 () at /lib64/libgnutls.so.28 > #3 0x00005555559aba85 in qcrypto_tls_creds_load_x509 (creds=0x55555639ac60, errp=0x7fffffffd8d8) at /home/kashyapc/tinker-space/qemu/crypto/tlscreds.c:728 > cacert = 0x55555639a8c0 "/export/security/gnutls/ca-cert.pem" > cacrl = 0x0 > cert = 0x0 > key = 0x0 > dhparams = 0x0 > ret = 1 > rv = -1 Ah, with QEMU running in client mode, the client cert + key are optional. In this case you've not provided them (cert & key are 0x0 ie NULL). We are then mistakenly calling gnutls_certificate_set_x509_key_file2 - if I simply skip that I'll avoid the crash. Thanks for testing this - I'll add a test case to validate this scenario too Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|