[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH v2 1/5] crypto: introduce new module for handling TL
|
From: |
Daniel P. Berrange |
|
Subject: |
[Qemu-devel] [PATCH v2 1/5] crypto: introduce new module for handling TLS credentials |
|
Date: |
Tue, 11 Aug 2015 15:26:39 +0100 |
Introduce a QCryptoTLSCreds class to store TLS credentials, for use
by later TLS session code. The class is a user creatable object, so
instances can be created/deleted via 'object-add' and 'object-del'
QMP commands respectively, or via the -object command line arg.
If the credentials cannot be initialized an error will be reported
as a QMP reply, or on stderr respectively.
The idea is to make it possible to represent and manager TLS
credentials independantly of the network service that is using
them. This will enable multiple services to use the same set of
credentials and minimize code duplication. A later patch will
convert the current VNC server TLS code over to use this object.
The representation of credentials is functionally equivalent to
that currently implemented in the VNC server with one exception.
The new code has the ability to (optionally) load a pre-generated
set of diffie-hellman parameters, if the file dh-params.pem exists,
whereas the current VNC server will always generate them on startup.
This is beneficial for admins who wish to avoid the (small) time
sink of generating DH parameters at startup and/or avoid depleting
entropy.
Some example CLI configurations:
- Client credentials using anonymous-DH parameters
$QEMU -object tls-creds,id=tls0,credtype=anon,endpoint=client
- Server credentials using x509 certificate parameters
$QEMU -object tls-creds,id=tls0,credtype=x509,endpoint=server,\
dir=/path/to/x509/cert/dir,verify-peer=yes
The 'id' value in the -object args will be used to associate the
credentials with the network services. For eample, when the VNC
server is later converted it would use
$QEMU -object tls-creds,id=tls0,.... \
-vnc 127.0.0.1:1,tls-creds=tls0
Signed-off-by: Daniel P. Berrange <address@hidden>
---
crypto/Makefile.objs | 1 +
crypto/init.c | 8 +
crypto/tlscreds.c | 575 ++++++++++++++++++++++++++++++++++++++++++++++
include/crypto/tlscreds.h | 150 ++++++++++++
qemu-options.hx | 30 +++
tests/Makefile | 4 +-
6 files changed, 766 insertions(+), 2 deletions(-)
create mode 100644 crypto/tlscreds.c
create mode 100644 include/crypto/tlscreds.h
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index b050138..cf62d51 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -3,3 +3,4 @@ util-obj-y += hash.o
util-obj-y += aes.o
util-obj-y += desrfb.o
util-obj-y += cipher.o
+util-obj-y += tlscreds.o
diff --git a/crypto/init.c b/crypto/init.c
index 7447882..4dfa148 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -19,6 +19,7 @@
*/
#include "crypto/init.h"
+#include "crypto/tlscreds.h"
#include "qemu/thread.h"
#ifdef CONFIG_GNUTLS
@@ -137,6 +138,13 @@ int qcrypto_init(Error **errp)
gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
#endif
+ /* XXX hack - if we don't reference any function in tlscreds.c
+ * then the linker drops tlscred.o from libqemutil.a when it
+ * links the emulators as it thinks it is unused. It isn't
+ * clever enough to see the constructor :-(
+ */
+ qcrypto_tls_creds_dummy();
+
return 0;
}
diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
new file mode 100644
index 0000000..bc21e12
--- /dev/null
+++ b/crypto/tlscreds.c
@@ -0,0 +1,575 @@
+/*
+ * QEMU crypto TLS credential support
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/tlscreds.h"
+#include "qom/object_interfaces.h"
+
+/* #define QCRYPTO_DEBUG */
+
+#ifdef QCRYPTO_DEBUG
+#define DPRINTF(fmt, ...) do { fprintf(stderr, fmt, ## __VA_ARGS__); } while
(0)
+#else
+#define DPRINTF(fmt, ...) do { } while (0)
+#endif
+
+
+#define DH_BITS 2048
+
+static const char * const endpoint_map[QCRYPTO_TLS_CREDS_ENDPOINT_LAST + 1] = {
+ [QCRYPTO_TLS_CREDS_ENDPOINT_SERVER] = "server",
+ [QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT] = "client",
+ [QCRYPTO_TLS_CREDS_ENDPOINT_LAST] = NULL,
+};
+
+static const char * const type_map[QCRYPTO_TLS_CREDS_TYPE_LAST + 1] = {
+ [QCRYPTO_TLS_CREDS_TYPE_NONE] = "none",
+ [QCRYPTO_TLS_CREDS_TYPE_ANON] = "anon",
+ [QCRYPTO_TLS_CREDS_TYPE_X509] = "x509",
+ [QCRYPTO_TLS_CREDS_TYPE_LAST] = NULL,
+};
+
+#ifdef CONFIG_GNUTLS
+static int qcrypto_tls_creds_set_dh_params_file(QCryptoTLSCreds *creds,
+ const char *filename,
+ Error **errp)
+{
+ int ret;
+
+ DPRINTF("Loading DH params %s\n", filename ? filename : "<generated>");
+ if (filename == NULL) {
+ ret = gnutls_dh_params_init(&creds->dh_params);
+ if (ret < 0) {
+ error_setg(errp, "Unable to initialize DH parameters %s",
+ gnutls_strerror(ret));
+ return -1;
+ }
+ ret = gnutls_dh_params_generate2(creds->dh_params, DH_BITS);
+ if (ret < 0) {
+ gnutls_dh_params_deinit(creds->dh_params);
+ creds->dh_params = NULL;
+ error_setg(errp, "Unable to generate DH parameters %s",
+ gnutls_strerror(ret));
+ return -1;
+ }
+ } else {
+ GError *gerr = NULL;
+ gchar *contents;
+ gsize len;
+ gnutls_datum_t data;
+ if (!g_file_get_contents(filename,
+ &contents,
+ &len,
+ &gerr)) {
+ error_setg(errp, "%s", gerr->message);
+ g_error_free(gerr);
+ return -1;
+ }
+ data.data = (unsigned char *)contents;
+ data.size = len;
+ ret = gnutls_dh_params_init(&creds->dh_params);
+ if (ret < 0) {
+ g_free(contents);
+ error_setg(errp, "Unable to initialize DH parameters %s",
+ gnutls_strerror(ret));
+ return -1;
+ }
+ ret = gnutls_dh_params_import_pkcs3(creds->dh_params,
+ &data,
+ GNUTLS_X509_FMT_PEM);
+ g_free(contents);
+ if (ret < 0) {
+ gnutls_dh_params_deinit(creds->dh_params);
+ creds->dh_params = NULL;
+ error_setg(errp, "Unable to load DH parameters from %s: %s",
+ filename, gnutls_strerror(ret));
+ return -1;
+ }
+ }
+
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ gnutls_anon_set_server_dh_params(creds->data.anonServer,
+ creds->dh_params);
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ gnutls_certificate_set_dh_params(creds->data.x509,
+ creds->dh_params);
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+
+static int qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds,
+ const char *filename,
+ bool required,
+ char **cred,
+ Error **errp)
+{
+ struct stat sb;
+ int ret = -1;
+
+ if (!creds->dir) {
+ if (required) {
+ error_setg(errp, "Missing 'dir' property value");
+ return -1;
+ } else {
+ return 0;
+ }
+ }
+
+ *cred = g_strdup_printf("%s/%s", creds->dir, filename);
+
+ if (stat(*cred, &sb) < 0) {
+ if (errno == ENOENT && !required) {
+ ret = 0;
+ } else {
+ error_setg_errno(errp, errno,
+ "Unable to access credentials %s",
+ *cred);
+ }
+ g_free(*cred);
+ *cred = NULL;
+ goto cleanup;
+ }
+
+ DPRINTF("Resolved file %s\n", *cred ? *cred : "<none>");
+ ret = 0;
+ cleanup:
+ return ret;
+}
+
+
+
+static int
+qcrypto_tls_creds_load_x509(QCryptoTLSCreds *creds,
+ Error **errp)
+{
+ char *cacert = NULL, *cacrl = NULL, *cert = NULL,
+ *key = NULL, *dhparams = NULL;
+ int ret;
+ int rv = -1;
+
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ if (qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CA_CERT,
+ true, &cacert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CA_CRL,
+ false, &cacrl, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
+ true, &cert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
+ true, &key, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_DH_PARAMS,
+ false, &dhparams, errp) < 0) {
+ goto cleanup;
+ }
+ } else {
+ if (qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CA_CERT,
+ true, &cacert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
+ false, &cert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
+ false, &key, errp) < 0) {
+ goto cleanup;
+ }
+ }
+
+ ret = gnutls_certificate_allocate_credentials(&creds->data.x509);
+ if (ret < 0) {
+ error_setg(errp, "Cannot allocate credentials '%s'",
+ gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ ret = gnutls_certificate_set_x509_trust_file(creds->data.x509,
+ cacert,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, "Cannot load CA certificate '%s': %s",
+ cacert, gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ if (cert != NULL && key != NULL) {
+ ret = gnutls_certificate_set_x509_key_file(creds->data.x509,
+ cert, key,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
+ cert, key, gnutls_strerror(ret));
+ goto cleanup;
+ }
+ }
+
+ if (cacrl != NULL) {
+ ret = gnutls_certificate_set_x509_crl_file(creds->data.x509,
+ cacrl,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, "Cannot load CRL '%s': %s",
+ cacrl, gnutls_strerror(ret));
+ goto cleanup;
+ }
+ }
+
+ if ((creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) &&
+ qcrypto_tls_creds_set_dh_params_file(creds, dhparams, errp) < 0) {
+ goto cleanup;
+ }
+
+ rv = 0;
+ cleanup:
+ g_free(cacert);
+ g_free(cacrl);
+ g_free(cert);
+ g_free(key);
+ g_free(dhparams);
+ return rv;
+}
+
+
+static int
+qcrypto_tls_creds_load_anon(QCryptoTLSCreds *creds,
+ Error **errp)
+{
+ char *dhparams = NULL;
+ int ret;
+ int rv = -1;
+
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ if (qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_DH_PARAMS,
+ false, &dhparams, errp) < 0) {
+ goto cleanup;
+ }
+
+ ret = gnutls_anon_allocate_server_credentials(&creds->data.anonServer);
+ if (ret < 0) {
+ error_setg(errp, "Cannot allocate credentials: %s",
+ gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ if (qcrypto_tls_creds_set_dh_params_file(creds, dhparams, errp) < 0) {
+ goto cleanup;
+ }
+ } else {
+ ret = gnutls_anon_allocate_client_credentials(&creds->data.anonClient);
+ if (ret < 0) {
+ error_setg(errp, "Cannot allocate credentials: %s",
+ gnutls_strerror(ret));
+ goto cleanup;
+ }
+ }
+
+ rv = 0;
+ cleanup:
+ g_free(dhparams);
+ return rv;
+}
+
+static void qcrypto_tls_creds_load(QCryptoTLSCreds *creds,
+ Error **errp)
+{
+ DPRINTF("Loading creds %d from %s\n",
+ creds->type, creds->dir ? creds->dir : "<nodir>");
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ error_setg(errp, "Missing 'credtype' property value");
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ if (qcrypto_tls_creds_load_anon(creds,
+ errp) < 0) {
+ return;
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ if (qcrypto_tls_creds_load_x509(creds,
+ errp) < 0) {
+ return;
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ error_setg(errp, "Unknown TLS credential type %d", creds->type);
+ break;
+ }
+}
+
+#else
+static void qcrypto_tls_creds_load(QCryptoTLSCreds *creds G_GNUC_UNUSED,
+ Error **errp)
+{
+ error_setg(errp, "TLS credentials support requires GNUTLS");
+}
+#endif /* ! CONFIG_GNUTLS */
+
+#ifdef CONFIG_GNUTLS
+static void qcrypto_tls_creds_unload(QCryptoTLSCreds *creds)
+{
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
+ if (creds->data.anonClient) {
+ gnutls_anon_free_client_credentials(creds->data.anonClient);
+ creds->data.anonClient = NULL;
+ }
+ } else {
+ if (creds->data.anonServer) {
+ gnutls_anon_free_server_credentials(creds->data.anonServer);
+ creds->data.anonServer = NULL;
+ }
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ if (creds->data.x509) {
+ gnutls_certificate_free_credentials(creds->data.x509);
+ creds->data.x509 = NULL;
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ break;
+ };
+ if (creds->dh_params) {
+ gnutls_dh_params_deinit(creds->dh_params);
+ creds->dh_params = NULL;
+ }
+}
+#else /* ! CONFIG_GNUTLS */
+static void qcrypto_tls_creds_unload(QCryptoTLSCreds *creds G_GNUC_UNUSED)
+{
+ /* nada */
+}
+#endif /* ! CONFIG_GNUTLS */
+
+static void qcrypto_tls_creds_prop_set_loaded(Object *obj,
+ bool value,
+ Error **errp)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ if (value) {
+ qcrypto_tls_creds_load(creds, errp);
+ } else {
+ qcrypto_tls_creds_unload(creds);
+ }
+}
+
+
+#ifdef CONFIG_GNUTLS
+static bool qcrypto_tls_creds_prop_get_loaded(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ return false;
+
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ return creds->data.x509 != NULL;
+
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ return creds->data.anonServer != NULL;
+ } else {
+ return creds->data.anonClient != NULL;
+ }
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ return false;
+ }
+}
+
+#else /* ! CONFIG_GNUTLS */
+static bool qcrypto_tls_creds_prop_get_loaded(Object *obj G_GNUC_UNUSED,
+ Error **errp G_GNUC_UNUSED)
+{
+ return false;
+}
+#endif /* ! CONFIG_GNUTLS */
+
+static void qcrypto_tls_creds_prop_set_verify(Object *obj,
+ bool value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->verifyPeer = value;
+}
+
+
+static bool qcrypto_tls_creds_prop_get_verify(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return creds->verifyPeer;
+}
+
+static void qcrypto_tls_creds_prop_set_dir(Object *obj,
+ const char *value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->dir = g_strdup(value);
+}
+
+static char *qcrypto_tls_creds_prop_get_dir(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return g_strdup(creds->dir);
+}
+
+static void qcrypto_tls_creds_prop_set_type(Object *obj,
+ int value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->type = value;
+}
+
+static int qcrypto_tls_creds_prop_get_type(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return creds->type;
+}
+
+static void qcrypto_tls_creds_prop_set_endpoint(Object *obj,
+ int value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->endpoint = value;
+}
+
+static int qcrypto_tls_creds_prop_get_endpoint(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return creds->endpoint;
+}
+
+
+static void qcrypto_tls_creds_complete(UserCreatable *uc, Error **errp)
+{
+ object_property_set_bool(OBJECT(uc), true, "loaded", errp);
+}
+
+
+static void qcrypto_tls_creds_init(Object *obj)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->verifyPeer = true;
+
+ object_property_add_bool(obj, "loaded",
+ qcrypto_tls_creds_prop_get_loaded,
+ qcrypto_tls_creds_prop_set_loaded,
+ NULL);
+ object_property_add_bool(obj, "verify-peer",
+ qcrypto_tls_creds_prop_get_verify,
+ qcrypto_tls_creds_prop_set_verify,
+ NULL);
+ object_property_add_str(obj, "dir",
+ qcrypto_tls_creds_prop_get_dir,
+ qcrypto_tls_creds_prop_set_dir,
+ NULL);
+ object_property_add_enum(obj, "credtype",
+ "QCryptoTLSCredsType",
+ type_map,
+ qcrypto_tls_creds_prop_get_type,
+ qcrypto_tls_creds_prop_set_type,
+ NULL);
+ object_property_add_enum(obj, "endpoint",
+ "QCryptoTLSCredsEndpoint",
+ endpoint_map,
+ qcrypto_tls_creds_prop_get_endpoint,
+ qcrypto_tls_creds_prop_set_endpoint,
+ NULL);
+}
+
+
+static void qcrypto_tls_creds_finalize(Object *obj)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ qcrypto_tls_creds_unload(creds);
+}
+
+
+static void qcrypto_tls_creds_class_init(ObjectClass *oc, void *data)
+{
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+
+ ucc->complete = qcrypto_tls_creds_complete;
+}
+
+
+static const TypeInfo qcrypto_tls_creds_info = {
+ .parent = TYPE_OBJECT,
+ .name = TYPE_QCRYPTO_TLS_CREDS,
+ .instance_size = sizeof(QCryptoTLSCreds),
+ .instance_init = qcrypto_tls_creds_init,
+ .instance_finalize = qcrypto_tls_creds_finalize,
+ .class_size = sizeof(QCryptoTLSCredsClass),
+ .class_init = qcrypto_tls_creds_class_init,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+static void qcrypto_tls_creds_register_types(void)
+{
+ DPRINTF("Register tls\n");
+ type_register_static(&qcrypto_tls_creds_info);
+}
+
+void qcrypto_tls_creds_dummy(void)
+{
+}
+
+type_init(qcrypto_tls_creds_register_types);
diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h
new file mode 100644
index 0000000..8d94ac2
--- /dev/null
+++ b/include/crypto/tlscreds.h
@@ -0,0 +1,150 @@
+/*
+ * QEMU crypto TLS credential support
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_TLSCRED_H__
+#define QCRYPTO_TLSCRED_H__
+
+#include "qemu-common.h"
+#include "qapi/error.h"
+#include "qom/object.h"
+
+#ifdef CONFIG_GNUTLS
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#endif
+
+#define TYPE_QCRYPTO_TLS_CREDS "tls-creds"
+#define QCRYPTO_TLS_CREDS(obj) \
+ OBJECT_CHECK(QCryptoTLSCreds, (obj), TYPE_QCRYPTO_TLS_CREDS)
+
+typedef struct QCryptoTLSCreds QCryptoTLSCreds;
+typedef struct QCryptoTLSCredsClass QCryptoTLSCredsClass;
+
+
+#define QCRYPTO_TLS_CREDS_DH_PARAMS "dh-params.pem"
+#define QCRYPTO_TLS_CREDS_X509_CA_CERT "ca-cert.pem"
+#define QCRYPTO_TLS_CREDS_X509_CA_CRL "ca-crl.pem"
+#define QCRYPTO_TLS_CREDS_X509_SERVER_KEY "server-key.pem"
+#define QCRYPTO_TLS_CREDS_X509_SERVER_CERT "server-cert.pem"
+#define QCRYPTO_TLS_CREDS_X509_CLIENT_KEY "client-key.pem"
+#define QCRYPTO_TLS_CREDS_X509_CLIENT_CERT "client-cert.pem"
+
+typedef enum {
+ QCRYPTO_TLS_CREDS_TYPE_NONE,
+ QCRYPTO_TLS_CREDS_TYPE_ANON,
+ QCRYPTO_TLS_CREDS_TYPE_X509,
+
+ QCRYPTO_TLS_CREDS_TYPE_LAST,
+} QCryptoTLSCredsType;
+
+typedef enum {
+ QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
+ QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
+
+ QCRYPTO_TLS_CREDS_ENDPOINT_LAST,
+} QCryptoTLSCredsEndpoint;
+
+
+/**
+ * QCryptoTLSCreds:
+ *
+ * The QCryptoTLSCreds object holds a set of credentials used to
+ * perform a TLS handshake. Commonly x509 credentials would be
+ * used, but this also supports anonymous crdentials. The latter
+ * are generally discouraged due to lacking MITM attack protection
+ * amongst other things.
+ *
+ * This is a user creatable object, which can be instantiated
+ * via object_new_propv():
+ *
+ * <example>
+ * <title>Creating TLS credential objects in code</title>
+ * <programlisting>
+ * Object *obj;
+ * Error *err = NULL;
+ * obj = object_new_propv(TYPE_QCRYPTO_TLS_CREDS,
+ * "tlscreds0",
+ * &err,
+ * "credtype", "x509",
+ * "endpoint", "server",
+ * "dir", "/path/x509/cert/dir",
+ * "verify-peer", "yes",
+ * NULL);
+ * </programlisting>
+ * </example>
+ *
+ * Or via QMP:
+ *
+ * <example>
+ * <title>Creating TLS credential objects via QMP</title>
+ * <programlisting>
+ * {
+ * "execute": "object-add", "arguments": {
+ * "id": "tlscreds0",
+ * "qom-type": "tls-creds",
+ * "props": {
+ * "credtype": "x509",
+ * "endpoint": "server",
+ * "dir": "/path/to/x509/cert/dir",
+ * "verify-peer": false
+ * }
+ * }
+ * }
+ * </programlisting>
+ * </example>
+ *
+ *
+ * Or via the CLI:
+ *
+ * <example>
+ * <title>Creating TLS credential objects via CLI</title>
+ * <programlisting>
+ * qemu-system-x86_64 -object tls-creds,id=tlscreds0,\
+ * credtype=x509,endpoint=server,verify-peer=off,\
+ * dir=/path/to/x509/certdir/
+ * </programlisting>
+ * </example>
+ *
+ */
+
+struct QCryptoTLSCreds {
+ Object parent;
+ char *dir;
+ QCryptoTLSCredsType type;
+ QCryptoTLSCredsEndpoint endpoint;
+#ifdef CONFIG_GNUTLS
+ union {
+ gnutls_certificate_credentials_t x509;
+ gnutls_anon_server_credentials_t anonServer;
+ gnutls_anon_client_credentials_t anonClient;
+ } data;
+ gnutls_dh_params_t dh_params;
+#endif
+ bool verifyPeer;
+};
+
+struct QCryptoTLSCredsClass {
+ ObjectClass parent;
+};
+
+void qcrypto_tls_creds_dummy(void);
+
+#endif /* QCRYPTO_TLSCRED_H__ */
+
diff --git a/qemu-options.hx b/qemu-options.hx
index 77f5853..827498c 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3568,6 +3568,36 @@ the @option{virtio-rng} device. The @option{chardev}
parameter is
the unique ID of a character device backend that provides the connection
to the RNG daemon.
address@hidden -object
tls-creds,address@hidden,address@hidden,address@hidden,address@hidden/path/to/cred/dir},address@hidden|off}
+
+Creates a TLS credentials object, which can be used to provide TLS
+support on the VNC server and other network backends. The @option{id}
+parameter is a unique ID which network backends will use to access
+the credentials. The @option{credtype} parameter takes one of the
+values @var{anon}, for anonymous credentials or @var{x509} for
+x509 certificate credentials. The @option{endpoint} is either
address@hidden or @option{client} depending on whether the QEMU
+network backend that uses the credentials will be acting as a client
+or as a server. If @option{verify-peer} is enabled (the default)
+then once the handshake is completed, the peer credentials will be
+verified. With x509 certificates, this implies that the clients
+must be provided with valid client certificates too.
+
+The @var{dir} parameter tells QEMU where to find the credential
+files. For server endpoints, this directory may contain a file
address@hidden providing diffie-hellman parameters to use
+for the TLS server. If the file is missing, QEMU will generate
+a set of DH parameters at startup. This is a computationally
+expensive operation that consumes random pool entropy, so it is
+recommended that a persistent set of parameters be generated
+upfront and saved.
+
+For x509 certificate credentials the directory will contain further files
+providing the x509 certificates. The certificates must be stored
+in PEM format, in filenames @var{ca-cert.pem}, @var{ca-crl.pem} (optional),
address@hidden (only servers), @var{server-key.pem} (only servers),
address@hidden (only clients), and @var{client-key.pem} (only clients).
+
@end table
ETEXI
diff --git a/tests/Makefile b/tests/Makefile
index 7494582..daaaf8e 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -345,8 +345,8 @@ tests/test-opts-visitor$(EXESUF): tests/test-opts-visitor.o
$(test-qapi-obj-y) l
tests/test-mul64$(EXESUF): tests/test-mul64.o libqemuutil.a
tests/test-bitops$(EXESUF): tests/test-bitops.o libqemuutil.a
-tests/test-crypto-hash$(EXESUF): tests/test-crypto-hash.o libqemuutil.a
libqemustub.a
-tests/test-crypto-cipher$(EXESUF): tests/test-crypto-cipher.o libqemuutil.a
libqemustub.a
+tests/test-crypto-hash$(EXESUF): tests/test-crypto-hash.o $(qom-core-obj)
libqemuutil.a libqemustub.a
+tests/test-crypto-cipher$(EXESUF): tests/test-crypto-cipher.o $(qom-core-obj)
libqemuutil.a libqemustub.a
libqos-obj-y = tests/libqos/pci.o tests/libqos/fw_cfg.o tests/libqos/malloc.o
libqos-obj-y += tests/libqos/i2c.o tests/libqos/libqos.o
--
2.4.3