From: Anthony Liguori <anthony@codemonkey.ws>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH 7/8: command line args for x509 cert paths
Date: Tue, 31 Jul 2007 20:54:09 -0500 [thread overview]
Message-ID: <46AFE7C1.50902@codemonkey.ws> (raw)
In-Reply-To: <20070731192958.GP18730@redhat.com>
Daniel P. Berrange wrote:
> This final code patch adds 4 new command line arguments to QEMU to allow the
> certificate files to be specified. The '-x509cacert', '-x509cert' and '-x509key'
> parameters are mandatory if the 'x509' or 'x509verify' flags are used when
> setting up the VNC server. If the certificates are not provided, all client
> authentication attempts will be rejected.
>
It concerns me a little to add 4 new command line options. Perhaps just
supply a directory and hard code the names of each file? Then it could
even be specified as -vnc
[proto]:<proto-arg>[,tls[,x509[:/path/to/x509/certs]]] with a
reasonable default provided.
What do you think?
Regards,
Anthony Liguori
> diff -r f38519b13575 vl.c
> --- a/vl.c Tue Jul 31 14:51:31 2007 -0400
> +++ b/vl.c Tue Jul 31 14:51:32 2007 -0400
> @@ -6701,6 +6701,12 @@ static void help(int exitcode)
> "-no-reboot exit instead of rebooting\n"
> "-loadvm file start right away with a saved state (loadvm in monitor)\n"
> "-vnc display start a VNC server on display\n"
> +#if CONFIG_VNC_TLS
> + "-x509cacert FILE x509 CA certificate for TLS services\n"
> + "-x509cacrl FILE x509 CA certificate revocation list for TLS services\n"
> + "-x509cert FILE x509 public certificate for TLS services\n"
> + "-x509key FILE x509 private key for TLS services\n"
> +#endif
> #ifndef _WIN32
> "-daemonize daemonize QEMU after initializing\n"
> #endif
> @@ -6796,6 +6802,12 @@ enum {
> QEMU_OPTION_usbdevice,
> QEMU_OPTION_smp,
> QEMU_OPTION_vnc,
> +#if CONFIG_VNC_TLS
> + QEMU_OPTION_x509cacert,
> + QEMU_OPTION_x509cacrl,
> + QEMU_OPTION_x509cert,
> + QEMU_OPTION_x509key,
> +#endif
> QEMU_OPTION_no_acpi,
> QEMU_OPTION_no_reboot,
> QEMU_OPTION_show_cursor,
> @@ -6889,6 +6901,12 @@ const QEMUOption qemu_options[] = {
> { "usbdevice", HAS_ARG, QEMU_OPTION_usbdevice },
> { "smp", HAS_ARG, QEMU_OPTION_smp },
> { "vnc", HAS_ARG, QEMU_OPTION_vnc },
> +#if CONFIG_VNC_TLS
> + { "x509cacert", HAS_ARG, QEMU_OPTION_x509cacert },
> + { "x509cacrl", HAS_ARG, QEMU_OPTION_x509cacrl },
> + { "x509cert", HAS_ARG, QEMU_OPTION_x509cert },
> + { "x509key", HAS_ARG, QEMU_OPTION_x509key },
> +#endif
>
> /* temporary options */
> { "usb", 0, QEMU_OPTION_usb },
> @@ -7171,6 +7189,9 @@ int main(int argc, char **argv)
> int fds[2];
> const char *pid_file = NULL;
> VLANState *vlan;
> +#if CONFIG_VNC_TLS
> + const char *x509cacert = NULL, *x509cacrl = NULL, *x509cert = NULL, *x509key = NULL;
> +#endif
>
> LIST_INIT (&vm_change_state_head);
> #ifndef _WIN32
> @@ -7648,6 +7669,20 @@ int main(int argc, char **argv)
> case QEMU_OPTION_vnc:
> vnc_display = optarg;
> break;
> +#if CONFIG_VNC_TLS
> + case QEMU_OPTION_x509cacert:
> + x509cacert = optarg;
> + break;
> + case QEMU_OPTION_x509cacrl:
> + x509cacrl = optarg;
> + break;
> + case QEMU_OPTION_x509cert:
> + x509cert = optarg;
> + break;
> + case QEMU_OPTION_x509key:
> + x509key = optarg;
> + break;
> +#endif
> case QEMU_OPTION_no_acpi:
> acpi_enabled = 0;
> break;
> @@ -7945,6 +7980,10 @@ int main(int argc, char **argv)
> dumb_display_init(ds);
> } else if (vnc_display != NULL) {
> vnc_display_init(ds);
> +#if CONFIG_VNC_TLS
> + if (vnc_set_x509_credentials(ds, x509cacert, x509cacrl, x509cert, x509key) < 0)
> + exit(1);
> +#endif
> if (vnc_display_open(ds, vnc_display, NULL) < 0)
> exit(1);
> } else {
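Review bot: The `exit(1)` after `vnc_set_x509_credentials()` in this hunk exits with no message, and the only failure the helper can report is an allocation failure; the paths themselves are not validated here, so a mistyped `-x509key` or `-x509cacert` path is not noticed at startup and only shows up when the first TLS client is rejected. Print why before exiting, e.g. `fprintf(stderr, "qemu: failed to set VNC x509 credentials\n");`, and consider checking at this point that each file named on the command line is readable so misconfiguration fails at startup instead of silently refusing every client. The description says the three certificate options are mandatory when `x509`/`x509verify` is requested, but nothing in this hunk enforces that. The enclosing `main()` starts and ends outside the hunk.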
> diff -r f38519b13575 vl.h
> --- a/vl.h Tue Jul 31 14:51:31 2007 -0400
> +++ b/vl.h Tue Jul 31 14:51:32 2007 -0400
> @@ -971,6 +971,13 @@ void vnc_display_close(DisplayState *ds)
> void vnc_display_close(DisplayState *ds);
> int vnc_display_open(DisplayState *ds, const char *display, const char *password);
> void do_info_vnc(void);
> +#if CONFIG_VNC_TLS
> +int vnc_set_x509_credentials(DisplayState *ds,
> + const char *cacert,
> + const char *cacrl,
> + const char *cert,
> + const char *key);
> +#endif
>
> /* x_keymap.c */
> extern uint8_t _translate_keycode(const int key);
> diff -r f38519b13575 vnc.c
> --- a/vnc.c Tue Jul 31 14:51:31 2007 -0400
> +++ b/vnc.c Tue Jul 31 14:51:32 2007 -0400
> @@ -142,6 +142,11 @@ struct VncState
> #if CONFIG_VNC_TLS
> int subauth;
> int x509verify;
> +
> + char *x509cacert;
> + char *x509cacrl;
> + char *x509cert;
> + char *x509key;
> #endif
> char challenge[VNC_AUTH_CHALLENGE_SIZE];
>
> @@ -1378,36 +1383,50 @@ static gnutls_anon_server_credentials vn
> }
>
>
> -static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(void)
> +static gnutls_certificate_credentials_t vnc_tls_initialize_x509_cred(VncState *vs)
> {
> gnutls_certificate_credentials_t x509_cred;
> int ret;
> - struct stat st;
> +
> + if (!vs->x509cacert) {
> + VNC_DEBUG("No CA x509 certificate specified\n");
> + return NULL;
> + }
> + if (!vs->x509cert) {
> + VNC_DEBUG("No server x509 certificate specified\n");
> + return NULL;
> + }
> + if (!vs->x509key) {
> + VNC_DEBUG("No server private key specified\n");
> + return NULL;
> + }
> +
>
> if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) {
> VNC_DEBUG("Cannot allocate credentials %s\n", gnutls_strerror(ret));
> return NULL;
> }
> - if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred, CA_FILE, GNUTLS_X509_FMT_PEM)) < 0) {
> + if ((ret = gnutls_certificate_set_x509_trust_file(x509_cred,
> + vs->x509cacert,
> + GNUTLS_X509_FMT_PEM)) < 0) {
> VNC_DEBUG("Cannot load CA certificate %s\n", gnutls_strerror(ret));
> gnutls_certificate_free_credentials(x509_cred);
> return NULL;
> }
>
> - if ((ret = gnutls_certificate_set_x509_key_file (x509_cred, CERT_FILE, KEY_FILE,
> + if ((ret = gnutls_certificate_set_x509_key_file (x509_cred,
> + vs->x509cert,
> + vs->x509key,
> GNUTLS_X509_FMT_PEM)) < 0) {
> VNC_DEBUG("Cannot load certificate & key %s\n", gnutls_strerror(ret));
> gnutls_certificate_free_credentials(x509_cred);
> return NULL;
> }
>
> - if (stat(CRL_FILE, &st) < 0) {
> - if (errno != ENOENT) {
> - gnutls_certificate_free_credentials(x509_cred);
> - return NULL;
> - }
> - } else {
> - if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred, CRL_FILE, GNUTLS_X509_FMT_PEM)) < 0) {
> + if (vs->x509cacrl) {
> + if ((ret = gnutls_certificate_set_x509_crl_file(x509_cred,
> + vs->x509cacrl,
> + GNUTLS_X509_FMT_PEM)) < 0) {
> VNC_DEBUG("Cannot load CRL %s\n", gnutls_strerror(ret));
> gnutls_certificate_free_credentials(x509_cred);
> return NULL;
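Review bot: The trust-file check `gnutls_certificate_set_x509_trust_file(x509_cred, vs->x509cacert, GNUTLS_X509_FMT_PEM)) < 0` treats a return of 0 as success; as far as I recall GnuTLS returns the number of certificates loaded, so a CA file that parses but holds no certificates leaves an empty trust store, and with `x509verify` every client certificate is then rejected with nothing to explain why. Testing `<= 0` (and likewise for the CRL) with a message such as `VNC_DEBUG("No CA certificates found in %s\n", vs->x509cacert)` would make that fail loudly. Note too that all the error reporting in this function is `VNC_DEBUG`, so a bad CA, cert or key path is invisible unless debug output is compiled in and the operator only sees clients failing the handshake; a message to stderr (or a check at option-parsing time) would help. The tail of the function (close of the CRL branch and the return) is outside the hunk.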
> @@ -1623,7 +1642,7 @@ static int vnc_start_tls(struct VncState
> }
>
> if (NEED_X509_AUTH(vs)) {
> - gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred();
> + gnutls_certificate_server_credentials x509_cred = vnc_tls_initialize_x509_cred(vs);
> if (!x509_cred) {
> gnutls_deinit(vs->tls_session);
> vs->tls_session = NULL;
> @@ -1888,6 +1907,43 @@ void vnc_display_init(DisplayState *ds)
> vnc_dpy_resize(vs->ds, 640, 400);
> }
>
> +#if CONFIG_VNC_TLS
> +int vnc_set_x509_credentials(DisplayState *ds,
> + const char *cacert,
> + const char *cacrl,
> + const char *cert,
> + const char *key)
> +{
> + VncState *vs = ds ? (VncState *)ds->opaque : vnc_state;
> +
> + if (vs->x509cacert) {
> + free(vs->x509cacert);
> + vs->x509cacert = NULL;
> + }
> + if (vs->x509cacrl) {
> + free(vs->x509cacrl);
> + vs->x509cacrl = NULL;
> + }
> + if (vs->x509cert) {
> + free(vs->x509cert);
> + vs->x509cert = NULL;
> + }
> + if (vs->x509key) {
> + free(vs->x509key);
> + vs->x509key = NULL;
> + }
> + if (cacert && !(vs->x509cacert = qemu_strdup(cacert)))
> + return -1;
> + if (cacrl && !(vs->x509cacrl = qemu_strdup(cacrl)))
> + return -1;
> + if (cert && !(vs->x509cert = qemu_strdup(cert)))
> + return -1;
> + if (key && !(vs->x509key = qemu_strdup(key)))
> + return -1;
> + return 0;
> +}
> +#endif /* CONFIG_VNC_TLS */
> +
> void vnc_display_close(DisplayState *ds)
> {
> VncState *vs = ds ? (VncState *)ds->opaque : vnc_state;
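Review bot: `vnc_set_x509_credentials()` stores whatever paths it is given without checking that they exist, are readable, or form a complete set; a `cert` without a `key`, for example, is accepted here and only rejected per connection in `vnc_tls_initialize_x509_cred`, and then only through `VNC_DEBUG`. Since the caller in vl.c exits on a non-zero return, this is the natural place to `access(path, R_OK)` each non-NULL path and return -1 with an stderr message so operator errors fail at startup; the path strings come from the command line, so this is about feedback rather than input trust. Two smaller points: on a failed `qemu_strdup` the function returns -1 with the earlier fields already replaced, which is harmless only because the caller exits and deserves a comment saying so, and freeing with `free()` what `qemu_strdup` allocated relies on the two sharing an allocator — `qemu_free` would be the matching call if the tree has one.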
>
>