Patchwork [RfC,07/11] spice: tls support

login
register
mail settings
Submitter Gerd Hoffmann
Date April 14, 2010, 9:55 a.m.
Message ID <1271238922-10008-8-git-send-email-kraxel@redhat.com>
Download mbox | patch
Permalink /patch/50138/
State New
Headers show

Comments

Gerd Hoffmann - April 14, 2010, 9:55 a.m.
Add options to the -spice command line switch to setup tls:

tls-port
	listening port

x509-dir
	x509 file directory.  Expects same filenames as
	-vnc $display,x509=$dir

x509-key-file
x509-key-password
x509-cert-file
x509-cacert-file
x509-dh-key-file
	x509 files can also be set individually.

tls-ciphers
	which ciphers to use.
---
 spice.c |   90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 86 insertions(+), 4 deletions(-)

Patch

diff --git a/spice.c b/spice.c
index 68d8c95..0f2595b 100644
--- a/spice.c
+++ b/spice.c
@@ -8,6 +8,7 @@ 
 #include "qemu-spice.h"
 #include "qemu-timer.h"
 #include "qemu-queue.h"
+#include "qemu-x509.h"
 #include "monitor.h"
 
 /* core bits */
@@ -132,11 +133,35 @@  QemuOptsList qemu_spice_opts = {
             .name = "port",
             .type = QEMU_OPT_NUMBER,
         },{
+            .name = "tls-port",           /* old: sport */
+            .type = QEMU_OPT_NUMBER,
+        },{
             .name = "password",
             .type = QEMU_OPT_STRING,
         },{
             .name = "disable-ticketing",
             .type = QEMU_OPT_BOOL,
+        },{
+            .name = "x509-dir",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "x509-key-file",      /* old: sslkey */
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "x509-key-password",  /* old: sslpassword */
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "x509-cert-file",     /* old: sslcert */
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "x509-cacert-file",   /* old: sslcafile */
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "x509-dh-key-file",   /* old: ssldhfile */
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "tls-ciphers",        /* old: sslciphersuite */
+            .type = QEMU_OPT_STRING,
         },
         { /* end if list */ }
     },
@@ -145,18 +170,71 @@  QemuOptsList qemu_spice_opts = {
 void qemu_spice_init(void)
 {
     QemuOpts *opts = QTAILQ_FIRST(&qemu_spice_opts.head);
-    const char *password;
-    int port;
+    const char *password, *str, *x509_dir,
+        *x509_key_password = NULL,
+        *x509_dh_file = NULL,
+        *tls_ciphers = NULL;
+    char *x509_key_file = NULL,
+        *x509_cert_file = NULL,
+        *x509_cacert_file = NULL;
+    int port, tls_port, len;
 
     if (!opts)
         return;
     port = qemu_opt_get_number(opts, "port", 0);
-    if (!port)
+    tls_port = qemu_opt_get_number(opts, "tls-port", 0);
+    if (!port && !tls_port)
         return;
     password = qemu_opt_get(opts, "password");
 
+    if (tls_port) {
+        x509_dir = qemu_opt_get(opts, "x509-dir");
+        if (NULL == x509_dir)
+            x509_dir = ".";
+        len = strlen(x509_dir) + 32;
+
+        str = qemu_opt_get(opts, "x509-key-file");
+        if (str) {
+            x509_key_file = qemu_strdup(str);
+        } else {
+            x509_key_file = qemu_malloc(len);
+            snprintf(x509_key_file, len, "%s/%s", x509_dir, X509_SERVER_KEY_FILE);
+        }
+
+        str = qemu_opt_get(opts, "x509-cert-file");
+        if (str) {
+            x509_cert_file = qemu_strdup(str);
+        } else {
+            x509_cert_file = qemu_malloc(len);
+            snprintf(x509_cert_file, len, "%s/%s", x509_dir, X509_SERVER_CERT_FILE);
+        }
+
+        str = qemu_opt_get(opts, "x509-cacert-file");
+        if (str) {
+            x509_cacert_file = qemu_strdup(str);
+        } else {
+            x509_cacert_file = qemu_malloc(len);
+            snprintf(x509_cacert_file, len, "%s/%s", x509_dir, X509_CA_CERT_FILE);
+        }
+
+        x509_key_password = qemu_opt_get(opts, "x509-key-password");
+        x509_dh_file = qemu_opt_get(opts, "x509-dh-file");
+        tls_ciphers = qemu_opt_get(opts, "tls-ciphers");
+    }
+
     spice_server = spice_server_new();
-    spice_server_set_port(spice_server, port);
+    if (port) {
+        spice_server_set_port(spice_server, port);
+    }
+    if (tls_port) {
+        spice_server_set_tls(spice_server, tls_port,
+                             x509_cacert_file,
+                             x509_cert_file,
+                             x509_key_file,
+                             x509_key_password,
+                             x509_dh_file,
+                             tls_ciphers);
+    }
     if (password)
         spice_server_set_ticket(spice_server, password, 0, 0, 0);
     if (qemu_opt_get_bool(opts, "disable-ticketing", 0))
@@ -169,4 +247,8 @@  void qemu_spice_init(void)
     using_spice = 1;
 
     qemu_spice_input_init();
+
+    qemu_free(x509_key_file);
+    qemu_free(x509_cert_file);
+    qemu_free(x509_cacert_file);
 }