From patchwork Tue Jan 19 13:09:23 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= X-Patchwork-Id: 569975 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 1D67C14090A for ; Wed, 20 Jan 2016 00:16:26 +1100 (AEDT) Received: from localhost ([::1]:36937 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aLW91-00008p-Lk for incoming@patchwork.ozlabs.org; Tue, 19 Jan 2016 08:16:23 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:39899) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aLW2k-0007fG-Cg for qemu-devel@nongnu.org; Tue, 19 Jan 2016 08:09:59 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aLW2j-0005ze-6b for qemu-devel@nongnu.org; Tue, 19 Jan 2016 08:09:54 -0500 Received: from mx1.redhat.com ([209.132.183.28]:60528) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aLW2b-0005y3-Jb; Tue, 19 Jan 2016 08:09:45 -0500 Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (Postfix) with ESMTPS id 5918F471; Tue, 19 Jan 2016 13:09:45 +0000 (UTC) Received: from t530wlan.home.berrange.com.com (vpn1-6-80.ams2.redhat.com [10.36.6.80]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u0JD9Qb7012785; Tue, 19 Jan 2016 08:09:44 -0500 From: "Daniel P. Berrange" To: qemu-devel@nongnu.org Date: Tue, 19 Jan 2016 13:09:23 +0000 Message-Id: <1453208963-16834-14-git-send-email-berrange@redhat.com> In-Reply-To: <1453208963-16834-1-git-send-email-berrange@redhat.com> References: <1453208963-16834-1-git-send-email-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 209.132.183.28 Cc: Paolo Bonzini , qemu-block@nongnu.org Subject: [Qemu-devel] [PATCH v3 13/13] nbd: enable use of TLS with nbd-server-start command X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org This modifies the nbd-server-start QMP command so that it is possible to request use of TLS. This is done by adding a new optional parameter "tls-creds" which provides the ID of a previously created QCryptoTLSCreds object instance. TLS is only supported when using an IPv4/IPv6 socket listener. Signed-off-by: Daniel P. Berrange --- blockdev-nbd.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++---------- hmp.c | 2 +- qapi/block.json | 4 +- qmp-commands.hx | 2 +- 4 files changed, 105 insertions(+), 25 deletions(-) diff --git a/blockdev-nbd.c b/blockdev-nbd.c index 6af1684..e287f05 100644 --- a/blockdev-nbd.c +++ b/blockdev-nbd.c @@ -19,42 +19,126 @@ #include "block/nbd.h" #include "io/channel-socket.h" -static QIOChannelSocket *server_ioc; -static int server_watch = -1; +typedef struct NBDServerData { + QIOChannelSocket *listen_ioc; + int watch; + QCryptoTLSCreds *tlscreds; +} NBDServerData; + +static NBDServerData *nbd_server; + static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition, gpointer opaque) { QIOChannelSocket *cioc; + if (!nbd_server) { + return FALSE; + } + cioc = qio_channel_socket_accept(QIO_CHANNEL_SOCKET(ioc), NULL); if (!cioc) { return TRUE; } - nbd_client_new(NULL, cioc, NULL, NULL, nbd_client_put); + nbd_client_new(NULL, cioc, + nbd_server->tlscreds, NULL, + nbd_client_put); object_unref(OBJECT(cioc)); return TRUE; } -void qmp_nbd_server_start(SocketAddress *addr, Error **errp) + +static void nbd_server_free(NBDServerData *server) { - if (server_ioc) { - error_setg(errp, "NBD server already running"); + if (!server) { return; } - server_ioc = qio_channel_socket_new(); - if (qio_channel_socket_listen_sync(server_ioc, addr, errp) < 0) { + if (server->watch != -1) { + g_source_remove(server->watch); + } + object_unref(OBJECT(server->listen_ioc)); + if (server->tlscreds) { + object_unref(OBJECT(server->tlscreds)); + } + + g_free(server); +} + +static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp) +{ + Object *obj; + QCryptoTLSCreds *creds; + + obj = object_resolve_path_component( + object_get_objects_root(), id); + if (!obj) { + error_setg(errp, "No TLS credentials with id '%s'", + id); + return NULL; + } + creds = (QCryptoTLSCreds *) + object_dynamic_cast(obj, TYPE_QCRYPTO_TLS_CREDS); + if (!creds) { + error_setg(errp, "Object with id '%s' is not TLS credentials", + id); + return NULL; + } + + if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { + error_setg(errp, + "Expecting TLS credentials with a server endpoint"); + return NULL; + } + object_ref(obj); + return creds; +} + + +void qmp_nbd_server_start(SocketAddress *addr, + bool has_tls_creds, const char *tls_creds, + Error **errp) +{ + if (nbd_server) { + error_setg(errp, "NBD server already running"); return; } - server_watch = qio_channel_add_watch(QIO_CHANNEL(server_ioc), - G_IO_IN, - nbd_accept, - NULL, - NULL); + nbd_server = g_new0(NBDServerData, 1); + nbd_server->watch = -1; + nbd_server->listen_ioc = qio_channel_socket_new(); + if (qio_channel_socket_listen_sync( + nbd_server->listen_ioc, addr, errp) < 0) { + goto error; + } + + if (has_tls_creds) { + nbd_server->tlscreds = nbd_get_tls_creds(tls_creds, errp); + if (!nbd_server->tlscreds) { + goto error; + } + + if (addr->type != SOCKET_ADDRESS_KIND_INET) { + error_setg(errp, "TLS is only supported with IPv4/IPv6"); + goto error; + } + } + + nbd_server->watch = qio_channel_add_watch( + QIO_CHANNEL(nbd_server->listen_ioc), + G_IO_IN, + nbd_accept, + NULL, + NULL); + + return; + + error: + nbd_server_free(nbd_server); + nbd_server = NULL; } /* @@ -89,7 +173,7 @@ void qmp_nbd_server_add(const char *device, bool has_writable, bool writable, NBDExport *exp; NBDCloseNotifier *n; - if (!server_ioc) { + if (!nbd_server) { error_setg(errp, "NBD server not running"); return; } @@ -139,12 +223,6 @@ void qmp_nbd_server_stop(Error **errp) nbd_close_notifier(&cn->n, nbd_export_get_blockdev(cn->exp)); } - if (server_watch != -1) { - g_source_remove(server_watch); - server_watch = -1; - } - if (server_ioc) { - object_unref(OBJECT(server_ioc)); - server_ioc = NULL; - } + nbd_server_free(nbd_server); + nbd_server = NULL; } diff --git a/hmp.c b/hmp.c index 95930b0..d43b38f 100644 --- a/hmp.c +++ b/hmp.c @@ -1792,7 +1792,7 @@ void hmp_nbd_server_start(Monitor *mon, const QDict *qdict) goto exit; } - qmp_nbd_server_start(addr, &local_err); + qmp_nbd_server_start(addr, false, NULL, &local_err); qapi_free_SocketAddress(addr); if (local_err != NULL) { goto exit; diff --git a/qapi/block.json b/qapi/block.json index 84022f1..876bac4 100644 --- a/qapi/block.json +++ b/qapi/block.json @@ -130,13 +130,15 @@ # QEMU instance could refer to them as "nbd:HOST:PORT:exportname=NAME". # # @addr: Address on which to listen. +# @tls-creds: (optional) ID of the TLS credentials object. Since 2.6 # # Returns: error if the server is already running. # # Since: 1.3.0 ## { 'command': 'nbd-server-start', - 'data': { 'addr': 'SocketAddress' } } + 'data': { 'addr': 'SocketAddress', + '*tls-creds': 'str'} } ## # @nbd-server-add: diff --git a/qmp-commands.hx b/qmp-commands.hx index db072a6..c54893c 100644 --- a/qmp-commands.hx +++ b/qmp-commands.hx @@ -3802,7 +3802,7 @@ EQMP { .name = "nbd-server-start", - .args_type = "addr:q", + .args_type = "addr:q,tls-creds:s?", .mhandler.cmd_new = qmp_marshal_nbd_server_start, }, {