From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Richard W.M. Jones" <rjones@redhat.com>
Cc: qemu-devel@nongnu.org, eblake@redhat.com, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v6] crypto: Implement TLS Pre-Shared Keys (PSK).
Date: Tue, 3 Jul 2018 12:17:23 +0100 [thread overview]
Message-ID: <20180703111723.GA24516@redhat.com> (raw)
In-Reply-To: <20180703080303.17355-2-rjones@redhat.com>
On Tue, Jul 03, 2018 at 09:03:03AM +0100, Richard W.M. Jones wrote:
> Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
> connections than using certificates. It requires only a simple secret
> key:
>
> $ mkdir -m 0700 /tmp/keys
> $ psktool -u rjones -p /tmp/keys/keys.psk
> $ cat /tmp/keys/keys.psk
> rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
>
> The key can be secretly shared between clients and servers. Clients
> must specify the directory containing the "keys.psk" file and a
> username (defaults to "qemu"). Servers must specify only the
> directory.
>
> Example NBD client:
>
> $ qemu-img info \
> --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
> --image-opts \
> file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
>
> Example NBD server using qemu-nbd:
>
> $ qemu-nbd -t -x / \
> --object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
> --tls-creds tls0 \
> image.qcow2
>
> Example NBD server using nbdkit:
>
> $ nbdkit -n -e / -fv \
> --tls=on --tls-psk=/tmp/keys/keys.psk \
> file file=disk.img
>
> Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
> ---
> crypto/Makefile.objs | 1 +
> crypto/tlscredspsk.c | 308 +++++++++++++++++++++++++++++++++
> crypto/tlssession.c | 56 +++++-
> crypto/trace-events | 3 +
> include/crypto/tlscredspsk.h | 106 ++++++++++++
> qemu-doc.texi | 37 ++++
> qemu-options.hx | 24 +++
> tests/Makefile.include | 4 +-
> tests/crypto-tls-psk-helpers.c | 50 ++++++
> tests/crypto-tls-psk-helpers.h | 29 ++++
> tests/test-crypto-tlssession.c | 185 +++++++++++++++++---
> 11 files changed, 777 insertions(+), 26 deletions(-)
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
I'll send a pull request with it shortly
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
prev parent reply other threads:[~2018-07-03 11:17 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-03 8:03 [Qemu-devel] [PATCH v6] crypto: Implement TLS Pre-Shared Keys (PSK) Richard W.M. Jones
2018-07-03 8:03 ` Richard W.M. Jones
2018-07-03 11:17 ` Daniel P. Berrangé [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180703111723.GA24516@redhat.com \
--to=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).