@@ -3,3 +3,4 @@ util-obj-y += hash.o
util-obj-y += aes.o
util-obj-y += desrfb.o
util-obj-y += cipher.o
+util-obj-y += tlscreds.o
@@ -19,6 +19,7 @@
*/
#include "crypto/init.h"
+#include "crypto/tlscreds.h"
#include "qemu/thread.h"
#include <glib/gi18n.h>
@@ -139,6 +140,13 @@ int qcrypto_init(Error **errp)
gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
#endif
+ /* XXX hack - if we don't reference any function in tlscreds.c
+ * then the linker drops tlscred.o from libqemutil.a when it
+ * links the emulators as it thinks it is unused. It isn't
+ * clever enough to see the constructor :-(
+ */
+ qcrypto_tls_creds_dummy();
+
return 0;
}
new file mode 100644
@@ -0,0 +1,566 @@
+/*
+ * QEMU crypto TLS credential support
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/tlscreds.h"
+#include "qom/object_interfaces.h"
+
+#include <glib/gi18n.h>
+
+/* #define QCRYPTO_DEBUG */
+
+#ifdef QCRYPTO_DEBUG
+#define DPRINTF(fmt, ...) do { fprintf(stderr, fmt, ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF(fmt, ...) do { } while (0)
+#endif
+
+
+#define DH_BITS 2048
+
+static const char * const endpoint_map[QCRYPTO_TLS_CREDS_ENDPOINT_LAST + 1] = {
+ [QCRYPTO_TLS_CREDS_ENDPOINT_SERVER] = "server",
+ [QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT] = "client",
+ [QCRYPTO_TLS_CREDS_ENDPOINT_LAST] = NULL,
+};
+
+static const char * const type_map[QCRYPTO_TLS_CREDS_TYPE_LAST + 1] = {
+ [QCRYPTO_TLS_CREDS_TYPE_NONE] = "none",
+ [QCRYPTO_TLS_CREDS_TYPE_ANON] = "anon",
+ [QCRYPTO_TLS_CREDS_TYPE_X509] = "x509",
+ [QCRYPTO_TLS_CREDS_TYPE_LAST] = NULL,
+};
+
+#ifdef CONFIG_GNUTLS
+static int qcrypto_tls_creds_set_dh_params_file(QCryptoTLSCreds *creds,
+ const char *filename,
+ Error **errp)
+{
+ int ret;
+
+ DPRINTF("Loading DH params %s\n", filename ? filename : "<generated>");
+ if (filename == NULL) {
+ ret = gnutls_dh_params_init(&creds->dh_params);
+ if (ret < 0) {
+ error_setg(errp, _("Unable to initialize DH parameters %s"),
+ gnutls_strerror(ret));
+ return -1;
+ }
+ ret = gnutls_dh_params_generate2(creds->dh_params, DH_BITS);
+ if (ret < 0) {
+ gnutls_dh_params_deinit(creds->dh_params);
+ creds->dh_params = NULL;
+ error_setg(errp, _("Unable to generate DH parameters %s"),
+ gnutls_strerror(ret));
+ return -1;
+ }
+ } else {
+ GError *gerr = NULL;
+ gchar *contents;
+ gsize len;
+ gnutls_datum_t data;
+ if (!g_file_get_contents(filename,
+ &contents,
+ &len,
+ &gerr)) {
+ error_setg(errp, "%s", gerr->message);
+ g_error_free(gerr);
+ return -1;
+ }
+ data.data = (unsigned char *)contents;
+ data.size = len;
+ ret = gnutls_dh_params_init(&creds->dh_params);
+ if (ret < 0) {
+ g_free(contents);
+ error_setg(errp, _("Unable to initialize DH parameters %s"),
+ gnutls_strerror(ret));
+ return -1;
+ }
+ ret = gnutls_dh_params_import_pkcs3(creds->dh_params,
+ &data,
+ GNUTLS_X509_FMT_PEM);
+ g_free(contents);
+ if (ret < 0) {
+ gnutls_dh_params_deinit(creds->dh_params);
+ creds->dh_params = NULL;
+ error_setg(errp, _("Unable to load DH parameters from %s: %s"),
+ filename, gnutls_strerror(ret));
+ return -1;
+ }
+ }
+
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ gnutls_anon_set_server_dh_params(creds->data.anonServer,
+ creds->dh_params);
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ gnutls_certificate_set_dh_params(creds->data.x509,
+ creds->dh_params);
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+
+static int qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds,
+ const char *filename,
+ bool required,
+ char **cred,
+ Error **errp)
+{
+ struct stat sb;
+ int ret = -1;
+
+ if (!creds->dir) {
+ error_setg(errp, "%s",
+ _("Missing 'dir' property value"));
+ return -1;
+ }
+
+ *cred = g_strdup_printf("%s/%s", creds->dir, filename);
+
+ if (stat(*cred, &sb) < 0) {
+ if (errno == ENOENT && !required) {
+ ret = 0;
+ } else {
+ error_setg_errno(errp, errno,
+ _("Unable to access credentials %s"),
+ *cred);
+ }
+ g_free(*cred);
+ *cred = NULL;
+ goto cleanup;
+ }
+
+ DPRINTF("Resolved file %s\n", *cred ? *cred : "<none>");
+ ret = 0;
+ cleanup:
+ return ret;
+}
+
+
+
+static int
+qcrypto_tls_creds_load_x509(QCryptoTLSCreds *creds,
+ Error **errp)
+{
+ char *cacert = NULL, *cacrl = NULL, *cert = NULL,
+ *key = NULL, *dhparams = NULL;
+ int ret;
+ int rv = -1;
+
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ if (qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CA_CERT,
+ true, &cacert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CA_CRL,
+ false, &cacrl, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_SERVER_CERT,
+ true, &cert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_SERVER_KEY,
+ true, &key, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_DH_PARAMS,
+ false, &dhparams, errp) < 0) {
+ goto cleanup;
+ }
+ } else {
+ if (qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CA_CERT,
+ true, &cacert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CLIENT_CERT,
+ false, &cert, errp) < 0 ||
+ qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_X509_CLIENT_KEY,
+ false, &key, errp) < 0) {
+ goto cleanup;
+ }
+ }
+
+ ret = gnutls_certificate_allocate_credentials(&creds->data.x509);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot allocate credentials '%s'"),
+ gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ ret = gnutls_certificate_set_x509_trust_file(creds->data.x509,
+ cacert,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot load CA certificate '%s': %s"),
+ cacert, gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ ret = gnutls_certificate_set_x509_key_file(creds->data.x509,
+ cert, key,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot load certificate '%s' & key '%s': %s"),
+ cert, key, gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ if (cacrl) {
+ ret = gnutls_certificate_set_x509_crl_file(creds->data.x509,
+ cacrl,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot load CRL '%s': %s"),
+ cacrl, gnutls_strerror(ret));
+ goto cleanup;
+ }
+ }
+
+ if ((creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) &&
+ qcrypto_tls_creds_set_dh_params_file(creds, dhparams, errp) < 0) {
+ goto cleanup;
+ }
+
+ rv = 0;
+ cleanup:
+ g_free(cacert);
+ g_free(cacrl);
+ g_free(cert);
+ g_free(key);
+ g_free(dhparams);
+ return rv;
+}
+
+
+static int
+qcrypto_tls_creds_load_anon(QCryptoTLSCreds *creds,
+ Error **errp)
+{
+ char *dhparams = NULL;
+ int ret;
+ int rv = -1;
+
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ if (qcrypto_tls_creds_get_path(creds,
+ QCRYPTO_TLS_CREDS_DH_PARAMS,
+ false, &dhparams, errp) < 0) {
+ goto cleanup;
+ }
+
+ ret = gnutls_anon_allocate_server_credentials(&creds->data.anonServer);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot allocate credentials: %s"),
+ gnutls_strerror(ret));
+ goto cleanup;
+ }
+
+ if (qcrypto_tls_creds_set_dh_params_file(creds, dhparams, errp) < 0) {
+ goto cleanup;
+ }
+ } else {
+ ret = gnutls_anon_allocate_client_credentials(&creds->data.anonClient);
+ if (ret < 0) {
+ error_setg(errp, _("Cannot allocate credentials: %s"),
+ gnutls_strerror(ret));
+ goto cleanup;
+ }
+ }
+
+ rv = 0;
+ cleanup:
+ g_free(dhparams);
+ return rv;
+}
+
+static void qcrypto_tls_creds_load(QCryptoTLSCreds *creds,
+ Error **errp)
+{
+ DPRINTF("Loading creds %d from %s\n",
+ creds->type, creds->dir ? creds->dir : "<nodir>");
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ error_setg(errp, "%s", _("Missing 'credtype' property value"));
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ if (qcrypto_tls_creds_load_anon(creds,
+ errp) < 0) {
+ return;
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ if (qcrypto_tls_creds_load_x509(creds,
+ errp) < 0) {
+ return;
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ error_setg(errp, _("Unknown TLS credential type %d"), creds->type);
+ break;
+ }
+}
+
+#else
+static void qcrypto_tls_creds_load(QCryptoTLSCreds *creds G_GNUC_UNUSED,
+ Error **errp)
+{
+ error_setg(errp, "%s", _("TLS credentials support requires GNUTLS"));
+}
+#endif /* ! CONFIG_GNUTLS */
+
+#ifdef CONFIG_GNUTLS
+static void qcrypto_tls_creds_unload(QCryptoTLSCreds *creds)
+{
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
+ if (creds->data.anonClient) {
+ gnutls_anon_free_client_credentials(creds->data.anonClient);
+ creds->data.anonClient = NULL;
+ }
+ } else {
+ if (creds->data.anonServer) {
+ gnutls_anon_free_server_credentials(creds->data.anonServer);
+ creds->data.anonServer = NULL;
+ }
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ if (creds->data.x509) {
+ gnutls_certificate_free_credentials(creds->data.x509);
+ creds->data.x509 = NULL;
+ }
+ break;
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ break;
+ };
+ if (creds->dh_params) {
+ gnutls_dh_params_deinit(creds->dh_params);
+ creds->dh_params = NULL;
+ }
+}
+#else /* ! CONFIG_GNUTLS */
+static void qcrypto_tls_creds_unload(QCryptoTLSCreds *creds G_GNUC_UNUSED)
+{
+ /* nada */
+}
+#endif /* ! CONFIG_GNUTLS */
+
+static void qcrypto_tls_creds_prop_set_loaded(Object *obj,
+ bool value,
+ Error **errp)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ if (value) {
+ qcrypto_tls_creds_load(creds, errp);
+ } else {
+ qcrypto_tls_creds_unload(creds);
+ }
+}
+
+
+#ifdef CONFIG_GNUTLS
+static bool qcrypto_tls_creds_prop_get_loaded(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ switch (creds->type) {
+ case QCRYPTO_TLS_CREDS_TYPE_NONE:
+ return false;
+
+ case QCRYPTO_TLS_CREDS_TYPE_X509:
+ return creds->data.x509 != NULL;
+
+ case QCRYPTO_TLS_CREDS_TYPE_ANON:
+ if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ return creds->data.anonServer != NULL;
+ } else {
+ return creds->data.anonClient != NULL;
+ }
+ case QCRYPTO_TLS_CREDS_TYPE_LAST:
+ default:
+ return false;
+ }
+}
+
+#else /* ! CONFIG_GNUTLS */
+static bool qcrypto_tls_creds_prop_get_loaded(Object *obj G_GNUC_UNUSED,
+ Error **errp G_GNUC_UNUSED)
+{
+ return false;
+}
+#endif /* ! CONFIG_GNUTLS */
+
+static void qcrypto_tls_creds_prop_set_verify(Object *obj,
+ bool value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->verifyPeer = value;
+}
+
+
+static bool qcrypto_tls_creds_prop_get_verify(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return creds->verifyPeer;
+}
+
+static void qcrypto_tls_creds_prop_set_dir(Object *obj,
+ const char *value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->dir = g_strdup(value);
+}
+
+static char *qcrypto_tls_creds_prop_get_dir(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return g_strdup(creds->dir);
+}
+
+static void qcrypto_tls_creds_prop_set_type(Object *obj,
+ int value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->type = value;
+}
+
+static int qcrypto_tls_creds_prop_get_type(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return creds->type;
+}
+
+static void qcrypto_tls_creds_prop_set_endpoint(Object *obj,
+ int value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ creds->endpoint = value;
+}
+
+static int qcrypto_tls_creds_prop_get_endpoint(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ return creds->endpoint;
+}
+
+
+static void qcrypto_tls_creds_complete(UserCreatable *uc, Error **errp)
+{
+ object_property_set_bool(OBJECT(uc), true, "loaded", errp);
+}
+
+
+static void qcrypto_tls_creds_init(Object *obj G_GNUC_UNUSED)
+{
+ object_property_add_bool(obj, "loaded",
+ qcrypto_tls_creds_prop_get_loaded,
+ qcrypto_tls_creds_prop_set_loaded,
+ NULL);
+ object_property_add_bool(obj, "verify-peer",
+ qcrypto_tls_creds_prop_get_verify,
+ qcrypto_tls_creds_prop_set_verify,
+ NULL);
+ object_property_add_str(obj, "dir",
+ qcrypto_tls_creds_prop_get_dir,
+ qcrypto_tls_creds_prop_set_dir,
+ NULL);
+ object_property_add_enum(obj, "credtype",
+ type_map,
+ qcrypto_tls_creds_prop_get_type,
+ qcrypto_tls_creds_prop_set_type,
+ NULL);
+ object_property_add_enum(obj, "endpoint",
+ endpoint_map,
+ qcrypto_tls_creds_prop_get_endpoint,
+ qcrypto_tls_creds_prop_set_endpoint,
+ NULL);
+}
+
+
+static void qcrypto_tls_creds_finalize(Object *obj G_GNUC_UNUSED)
+{
+ QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+ qcrypto_tls_creds_unload(creds);
+}
+
+
+static void qcrypto_tls_creds_class_init(ObjectClass *oc, void *data)
+{
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+
+ ucc->complete = qcrypto_tls_creds_complete;
+}
+
+
+static const TypeInfo qcrypto_tls_creds_info = {
+ .parent = TYPE_OBJECT,
+ .name = TYPE_QCRYPTO_TLS_CREDS,
+ .instance_size = sizeof(QCryptoTLSCreds),
+ .instance_init = qcrypto_tls_creds_init,
+ .instance_finalize = qcrypto_tls_creds_finalize,
+ .class_size = sizeof(QCryptoTLSCredsClass),
+ .class_init = qcrypto_tls_creds_class_init,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+static void qcrypto_tls_creds_register_types(void)
+{
+ DPRINTF("Register tls\n");
+ type_register_static(&qcrypto_tls_creds_info);
+}
+
+void qcrypto_tls_creds_dummy(void)
+{
+}
+
+type_init(qcrypto_tls_creds_register_types);
new file mode 100644
@@ -0,0 +1,134 @@
+/*
+ * QEMU crypto TLS credential support
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_TLSCRED_H__
+#define QCRYPTO_TLSCRED_H__
+
+#include "qemu-common.h"
+#include "qapi/error.h"
+#include "qom/object.h"
+
+#ifdef CONFIG_GNUTLS
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#endif
+
+#define TYPE_QCRYPTO_TLS_CREDS "qcrypto-tls-creds"
+#define QCRYPTO_TLS_CREDS(obj) \
+ OBJECT_CHECK(QCryptoTLSCreds, (obj), TYPE_QCRYPTO_TLS_CREDS)
+
+typedef struct QCryptoTLSCreds QCryptoTLSCreds;
+typedef struct QCryptoTLSCredsClass QCryptoTLSCredsClass;
+
+
+#define QCRYPTO_TLS_CREDS_DH_PARAMS "dh-params.pem"
+#define QCRYPTO_TLS_CREDS_X509_CA_CERT "ca-cert.pem"
+#define QCRYPTO_TLS_CREDS_X509_CA_CRL "ca-crl.pem"
+#define QCRYPTO_TLS_CREDS_X509_SERVER_KEY "server-key.pem"
+#define QCRYPTO_TLS_CREDS_X509_SERVER_CERT "server-cert.pem"
+#define QCRYPTO_TLS_CREDS_X509_CLIENT_KEY "client-key.pem"
+#define QCRYPTO_TLS_CREDS_X509_CLIENT_CERT "client-cert.pem"
+
+typedef enum {
+ QCRYPTO_TLS_CREDS_TYPE_NONE,
+ QCRYPTO_TLS_CREDS_TYPE_ANON,
+ QCRYPTO_TLS_CREDS_TYPE_X509,
+
+ QCRYPTO_TLS_CREDS_TYPE_LAST,
+} QCryptoTLSCredsType;
+
+typedef enum {
+ QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
+ QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
+
+ QCRYPTO_TLS_CREDS_ENDPOINT_LAST,
+} QCryptoTLSCredsEndpoint;
+
+
+/**
+ * QCryptoTLSCreds:
+ *
+ * The QCryptoTLSCreds object holds a set of credentials used to
+ * perform a TLS handshake. Commonly x509 credentials would be
+ * used, but this also supports anonymous crdentials. The latter
+ * are generally discouraged due to lacking MITM attack protection
+ * amongst other things.
+ *
+ * This is a user creatable object, which can be instantiated
+ * via object_new_propv():
+ *
+ * Object *obj;
+ * Error *err = NULL;
+ * obj = object_new_propv(TYPE_QCRYPTO_TLS_CREDS,
+ * "tlscreds0",
+ * &err,
+ * "credstype", "x509",
+ * "endpoint", "server",
+ * "dir", "/path/x509/cert/dir",
+ * "verify-peer", "yes",
+ * NULL);
+ *
+ * Or via QMP:
+ *
+ * {
+ * "execute": "object-add", "arguments": {
+ * "id": "tlscreds0",
+ * "qom-type": "qcrypto-tls-creds",
+ * "props": {
+ * "credtype": "x509",
+ * "endpoint": "server",
+ * "dir": "/path/to/x509/cert/dir",
+ * "verify-peer": false
+ * }
+ * }
+ * }
+ *
+ * Or via the CLI:
+ *
+ * qemu-system-x86_64 -object qcrypto-tls-creds,id=tlscreds0,\
+ * credtype=x509,endpoint=server,verify-peer=off,\
+ * dir=/path/to/x509/certdir/
+ *
+ */
+
+struct QCryptoTLSCreds {
+ Object parent;
+ char *dir;
+ QCryptoTLSCredsType type;
+ QCryptoTLSCredsEndpoint endpoint;
+#ifdef CONFIG_GNUTLS
+ union {
+ gnutls_certificate_credentials_t x509;
+ gnutls_anon_server_credentials_t anonServer;
+ gnutls_anon_client_credentials_t anonClient;
+ } data;
+ gnutls_dh_params_t dh_params;
+#endif
+ bool verifyPeer;
+};
+
+struct QCryptoTLSCredsClass {
+ ObjectClass parent;
+};
+
+void qcrypto_tls_creds_dummy(void);
+
+#endif /* QCRYPTO_TLSCRED_H__ */
+
@@ -3495,6 +3495,36 @@ the @option{virtio-rng} device. The @option{chardev} parameter is
the unique ID of a character device backend that provides the connection
to the RNG daemon.
+@item -object qcrypto-tls-cred,id=@var{id},credtype=@var{type},endpoint=@var{endpoint},dir=@var{/path/to/cred/dir},verify-peer=@var{on|off}
+
+Creates a TLS credentials object, which can be used to provide TLS
+support on the VNC server and other network backends. The @option{id}
+parameter is a unique ID which network backends will use to access
+the credentials. The @option{credtype} parameter takes one of the
+values @var{anon}, for anonymous credentials or @var{x509} for
+x509 certificate credentials. The @option{endpoint} is either
+@option{server} or @option{client} depending on whether the QEMU
+network backend that uses the credentials will be acting as a client
+or as a server. If @option{verify-peer} is enabled (the default)
+then once the handshake is completed, the peer credentials will be
+verified. With x509 certificates, this implies that the clients
+must be provided with valid client certificates too.
+
+The @var{dir} parameter tells QEMU where to find the credential
+files. For server endpoints, this directory may contain a file
+@var{dh-params.pem} providing diffie-hellman parameters to use
+for the TLS server. If the file is missing, QEMU will generate
+a set of DH parameters at startup. This is a computationally
+expensive operation that consumes random pool entropy, so it is
+recommended that a persistent set of parameters be generated
+upfront and saved.
+
+For x509 certificate credentials the directory will contain further files
+providing the x509 certificates. The certificates must be stored
+in PEM format, in filenames @var{ca-cert.pem}, @var{ca-crl.pem} (optional),
+@var{server-cert.pem} (only servers), @var{server-key.pem} (only servers),
+@var{client-cert.pem} (only clients), and @var{client-key.pem} (only clients).
+
@end table
ETEXI
@@ -311,8 +311,8 @@ tests/test-opts-visitor$(EXESUF): tests/test-opts-visitor.o $(test-qapi-obj-y) l
tests/test-mul64$(EXESUF): tests/test-mul64.o libqemuutil.a
tests/test-bitops$(EXESUF): tests/test-bitops.o libqemuutil.a
-tests/test-crypto-hash$(EXESUF): tests/test-crypto-hash.o libqemuutil.a libqemustub.a
-tests/test-crypto-cipher$(EXESUF): tests/test-crypto-cipher.o libqemuutil.a libqemustub.a
+tests/test-crypto-hash$(EXESUF): tests/test-crypto-hash.o $(qom-core-obj) libqemuutil.a libqemustub.a
+tests/test-crypto-cipher$(EXESUF): tests/test-crypto-cipher.o $(qom-core-obj) libqemuutil.a libqemustub.a
libqos-obj-y = tests/libqos/pci.o tests/libqos/fw_cfg.o tests/libqos/malloc.o
libqos-obj-y += tests/libqos/i2c.o tests/libqos/libqos.o
Introduce a QCryptoTLSCreds class to store TLS credentials, for use by later TLS session code. The class is setup as a user creatable object, so instance can be created/deleted via 'object-add' and 'object-del' QMP commands, or via the -object command line arg. If the credentials cannot be initialized an error will be reported as a QMP reply, or on stderr respectively. A later patch will update the VNC server to use this eg qemu-system-x86_64 -object qcrypto-tls-creds,id=tls0,... \ -vnc 127.0.0.1:1,tls-creds=tls0 Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- crypto/Makefile.objs | 1 + crypto/init.c | 8 + crypto/tlscreds.c | 566 ++++++++++++++++++++++++++++++++++++++++++++++ include/crypto/tlscreds.h | 134 +++++++++++ qemu-options.hx | 30 +++ tests/Makefile | 4 +- 6 files changed, 741 insertions(+), 2 deletions(-) create mode 100644 crypto/tlscreds.c create mode 100644 include/crypto/tlscreds.h