2015-03-02 20:23:31 +03:00
|
|
|
/*
|
|
|
|
* QEMU crypto TLS session support
|
|
|
|
*
|
|
|
|
* Copyright (c) 2015 Red Hat, Inc.
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
2019-02-13 18:54:59 +03:00
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
2015-03-02 20:23:31 +03:00
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
2016-01-26 21:16:55 +03:00
|
|
|
#include "qemu/osdep.h"
|
2015-03-02 20:23:31 +03:00
|
|
|
#include "crypto/tlssession.h"
|
|
|
|
#include "crypto/tlscredsanon.h"
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 11:03:03 +03:00
|
|
|
#include "crypto/tlscredspsk.h"
|
2015-03-02 20:23:31 +03:00
|
|
|
#include "crypto/tlscredsx509.h"
|
include/qemu/osdep.h: Don't include qapi/error.h
Commit 57cb38b included qapi/error.h into qemu/osdep.h to get the
Error typedef. Since then, we've moved to include qemu/osdep.h
everywhere. Its file comment explains: "To avoid getting into
possible circular include dependencies, this file should not include
any other QEMU headers, with the exceptions of config-host.h,
compiler.h, os-posix.h and os-win32.h, all of which are doing a
similar job to this file and are under similar constraints."
qapi/error.h doesn't do a similar job, and it doesn't adhere to
similar constraints: it includes qapi-types.h. That's in excess of
100KiB of crap most .c files don't actually need.
Add the typedef to qemu/typedefs.h, and include that instead of
qapi/error.h. Include qapi/error.h in .c files that need it and don't
get it now. Include qapi-types.h in qom/object.h for uint16List.
Update scripts/clean-includes accordingly. Update it further to match
reality: replace config.h by config-target.h, add sysemu/os-posix.h,
sysemu/os-win32.h. Update the list of includes in the qemu/osdep.h
comment quoted above similarly.
This reduces the number of objects depending on qapi/error.h from "all
of them" to less than a third. Unfortunately, the number depending on
qapi-types.h shrinks only a little. More work is needed for that one.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
[Fix compilation without the spice devel packages. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-03-14 11:01:28 +03:00
|
|
|
#include "qapi/error.h"
|
2016-02-18 21:40:24 +03:00
|
|
|
#include "authz/base.h"
|
2021-06-28 19:09:14 +03:00
|
|
|
#include "tlscredspriv.h"
|
2015-03-02 20:23:31 +03:00
|
|
|
#include "trace.h"
|
|
|
|
|
|
|
|
#ifdef CONFIG_GNUTLS
|
|
|
|
|
|
|
|
|
|
|
|
#include <gnutls/x509.h>
|
|
|
|
|
|
|
|
|
|
|
|
struct QCryptoTLSSession {
|
|
|
|
QCryptoTLSCreds *creds;
|
|
|
|
gnutls_session_t handle;
|
|
|
|
char *hostname;
|
2016-02-18 21:40:24 +03:00
|
|
|
char *authzid;
|
2015-03-02 20:23:31 +03:00
|
|
|
bool handshakeComplete;
|
|
|
|
QCryptoTLSSessionWriteFunc writeFunc;
|
|
|
|
QCryptoTLSSessionReadFunc readFunc;
|
|
|
|
void *opaque;
|
|
|
|
char *peername;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
qcrypto_tls_session_free(QCryptoTLSSession *session)
|
|
|
|
{
|
|
|
|
if (!session) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
gnutls_deinit(session->handle);
|
|
|
|
g_free(session->hostname);
|
|
|
|
g_free(session->peername);
|
2016-02-18 21:40:24 +03:00
|
|
|
g_free(session->authzid);
|
2015-03-02 20:23:31 +03:00
|
|
|
object_unref(OBJECT(session->creds));
|
|
|
|
g_free(session);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static ssize_t
|
|
|
|
qcrypto_tls_session_push(void *opaque, const void *buf, size_t len)
|
|
|
|
{
|
|
|
|
QCryptoTLSSession *session = opaque;
|
|
|
|
|
|
|
|
if (!session->writeFunc) {
|
|
|
|
errno = EIO;
|
|
|
|
return -1;
|
|
|
|
};
|
|
|
|
|
|
|
|
return session->writeFunc(buf, len, session->opaque);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static ssize_t
|
|
|
|
qcrypto_tls_session_pull(void *opaque, void *buf, size_t len)
|
|
|
|
{
|
|
|
|
QCryptoTLSSession *session = opaque;
|
|
|
|
|
|
|
|
if (!session->readFunc) {
|
|
|
|
errno = EIO;
|
|
|
|
return -1;
|
|
|
|
};
|
|
|
|
|
|
|
|
return session->readFunc(buf, len, session->opaque);
|
|
|
|
}
|
|
|
|
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 11:03:03 +03:00
|
|
|
#define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH"
|
2018-07-18 13:55:05 +03:00
|
|
|
#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK"
|
2015-03-02 20:23:31 +03:00
|
|
|
|
|
|
|
QCryptoTLSSession *
|
|
|
|
qcrypto_tls_session_new(QCryptoTLSCreds *creds,
|
|
|
|
const char *hostname,
|
2016-02-18 21:40:24 +03:00
|
|
|
const char *authzid,
|
2015-03-02 20:23:31 +03:00
|
|
|
QCryptoTLSCredsEndpoint endpoint,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
QCryptoTLSSession *session;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
session = g_new0(QCryptoTLSSession, 1);
|
|
|
|
trace_qcrypto_tls_session_new(
|
|
|
|
session, creds, hostname ? hostname : "<none>",
|
2016-02-18 21:40:24 +03:00
|
|
|
authzid ? authzid : "<none>", endpoint);
|
2015-03-02 20:23:31 +03:00
|
|
|
|
|
|
|
if (hostname) {
|
|
|
|
session->hostname = g_strdup(hostname);
|
|
|
|
}
|
2016-02-18 21:40:24 +03:00
|
|
|
if (authzid) {
|
|
|
|
session->authzid = g_strdup(authzid);
|
2015-03-02 20:23:31 +03:00
|
|
|
}
|
|
|
|
session->creds = creds;
|
|
|
|
object_ref(OBJECT(creds));
|
|
|
|
|
|
|
|
if (creds->endpoint != endpoint) {
|
|
|
|
error_setg(errp, "Credentials endpoint doesn't match session");
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
|
|
|
|
ret = gnutls_init(&session->handle, GNUTLS_SERVER);
|
|
|
|
} else {
|
|
|
|
ret = gnutls_init(&session->handle, GNUTLS_CLIENT);
|
|
|
|
}
|
|
|
|
if (ret < 0) {
|
|
|
|
error_setg(errp, "Cannot initialize TLS session: %s",
|
|
|
|
gnutls_strerror(ret));
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (object_dynamic_cast(OBJECT(creds),
|
|
|
|
TYPE_QCRYPTO_TLS_CREDS_ANON)) {
|
|
|
|
QCryptoTLSCredsAnon *acreds = QCRYPTO_TLS_CREDS_ANON(creds);
|
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-06 11:52:07 +03:00
|
|
|
char *prio;
|
2015-03-02 20:23:31 +03:00
|
|
|
|
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-06 11:52:07 +03:00
|
|
|
if (creds->priority != NULL) {
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 11:03:03 +03:00
|
|
|
prio = g_strdup_printf("%s:%s",
|
|
|
|
creds->priority,
|
|
|
|
TLS_PRIORITY_ADDITIONAL_ANON);
|
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-06 11:52:07 +03:00
|
|
|
} else {
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 11:03:03 +03:00
|
|
|
prio = g_strdup(CONFIG_TLS_PRIORITY ":"
|
|
|
|
TLS_PRIORITY_ADDITIONAL_ANON);
|
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-06 11:52:07 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
ret = gnutls_priority_set_direct(session->handle, prio, NULL);
|
2015-03-02 20:23:31 +03:00
|
|
|
if (ret < 0) {
|
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-06 11:52:07 +03:00
|
|
|
error_setg(errp, "Unable to set TLS session priority %s: %s",
|
|
|
|
prio, gnutls_strerror(ret));
|
|
|
|
g_free(prio);
|
2015-03-02 20:23:31 +03:00
|
|
|
goto error;
|
|
|
|
}
|
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-06 11:52:07 +03:00
|
|
|
g_free(prio);
|
2015-03-02 20:23:31 +03:00
|
|
|
if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
|
|
|
|
ret = gnutls_credentials_set(session->handle,
|
|
|
|
GNUTLS_CRD_ANON,
|
|
|
|
acreds->data.server);
|
|
|
|
} else {
|
|
|
|
ret = gnutls_credentials_set(session->handle,
|
|
|
|
GNUTLS_CRD_ANON,
|
|
|
|
acreds->data.client);
|
|
|
|
}
|
|
|
|
if (ret < 0) {
|
|
|
|
error_setg(errp, "Cannot set session credentials: %s",
|
|
|
|
gnutls_strerror(ret));
|
|
|
|
goto error;
|
|
|
|
}
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 11:03:03 +03:00
|
|
|
} else if (object_dynamic_cast(OBJECT(creds),
|
|
|
|
TYPE_QCRYPTO_TLS_CREDS_PSK)) {
|
|
|
|
QCryptoTLSCredsPSK *pcreds = QCRYPTO_TLS_CREDS_PSK(creds);
|
|
|
|
char *prio;
|
|
|
|
|
|
|
|
if (creds->priority != NULL) {
|
|
|
|
prio = g_strdup_printf("%s:%s",
|
|
|
|
creds->priority,
|
|
|
|
TLS_PRIORITY_ADDITIONAL_PSK);
|
|
|
|
} else {
|
|
|
|
prio = g_strdup(CONFIG_TLS_PRIORITY ":"
|
|
|
|
TLS_PRIORITY_ADDITIONAL_PSK);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = gnutls_priority_set_direct(session->handle, prio, NULL);
|
|
|
|
if (ret < 0) {
|
|
|
|
error_setg(errp, "Unable to set TLS session priority %s: %s",
|
|
|
|
prio, gnutls_strerror(ret));
|
|
|
|
g_free(prio);
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
g_free(prio);
|
|
|
|
if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
|
|
|
|
ret = gnutls_credentials_set(session->handle,
|
|
|
|
GNUTLS_CRD_PSK,
|
|
|
|
pcreds->data.server);
|
|
|
|
} else {
|
|
|
|
ret = gnutls_credentials_set(session->handle,
|
|
|
|
GNUTLS_CRD_PSK,
|
|
|
|
pcreds->data.client);
|
|
|
|
}
|
|
|
|
if (ret < 0) {
|
|
|
|
error_setg(errp, "Cannot set session credentials: %s",
|
|
|
|
gnutls_strerror(ret));
|
|
|
|
goto error;
|
|
|
|
}
|
2015-03-02 20:23:31 +03:00
|
|
|
} else if (object_dynamic_cast(OBJECT(creds),
|
|
|
|
TYPE_QCRYPTO_TLS_CREDS_X509)) {
|
|
|
|
QCryptoTLSCredsX509 *tcreds = QCRYPTO_TLS_CREDS_X509(creds);
|
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-06 11:52:07 +03:00
|
|
|
const char *prio = creds->priority;
|
|
|
|
if (!prio) {
|
2016-06-06 12:05:06 +03:00
|
|
|
prio = CONFIG_TLS_PRIORITY;
|
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-06 11:52:07 +03:00
|
|
|
}
|
2015-03-02 20:23:31 +03:00
|
|
|
|
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-06 11:52:07 +03:00
|
|
|
ret = gnutls_priority_set_direct(session->handle, prio, NULL);
|
2015-03-02 20:23:31 +03:00
|
|
|
if (ret < 0) {
|
crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-06 11:52:07 +03:00
|
|
|
error_setg(errp, "Cannot set default TLS session priority %s: %s",
|
|
|
|
prio, gnutls_strerror(ret));
|
2015-03-02 20:23:31 +03:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
ret = gnutls_credentials_set(session->handle,
|
|
|
|
GNUTLS_CRD_CERTIFICATE,
|
|
|
|
tcreds->data);
|
|
|
|
if (ret < 0) {
|
|
|
|
error_setg(errp, "Cannot set session credentials: %s",
|
|
|
|
gnutls_strerror(ret));
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
|
|
|
|
/* This requests, but does not enforce a client cert.
|
|
|
|
* The cert checking code later does enforcement */
|
|
|
|
gnutls_certificate_server_set_request(session->handle,
|
|
|
|
GNUTLS_CERT_REQUEST);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
error_setg(errp, "Unsupported TLS credentials type %s",
|
|
|
|
object_get_typename(OBJECT(creds)));
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
gnutls_transport_set_ptr(session->handle, session);
|
|
|
|
gnutls_transport_set_push_function(session->handle,
|
|
|
|
qcrypto_tls_session_push);
|
|
|
|
gnutls_transport_set_pull_function(session->handle,
|
|
|
|
qcrypto_tls_session_pull);
|
|
|
|
|
|
|
|
return session;
|
|
|
|
|
|
|
|
error:
|
|
|
|
qcrypto_tls_session_free(session);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
qcrypto_tls_session_check_certificate(QCryptoTLSSession *session,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
unsigned int status;
|
|
|
|
const gnutls_datum_t *certs;
|
|
|
|
unsigned int nCerts, i;
|
|
|
|
time_t now;
|
|
|
|
gnutls_x509_crt_t cert = NULL;
|
2016-02-18 21:40:24 +03:00
|
|
|
Error *err = NULL;
|
2015-03-02 20:23:31 +03:00
|
|
|
|
|
|
|
now = time(NULL);
|
|
|
|
if (now == ((time_t)-1)) {
|
|
|
|
error_setg_errno(errp, errno, "Cannot get current time");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = gnutls_certificate_verify_peers2(session->handle, &status);
|
|
|
|
if (ret < 0) {
|
|
|
|
error_setg(errp, "Verify failed: %s", gnutls_strerror(ret));
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (status != 0) {
|
|
|
|
const char *reason = "Invalid certificate";
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_INVALID) {
|
|
|
|
reason = "The certificate is not trusted";
|
|
|
|
}
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
|
|
|
|
reason = "The certificate hasn't got a known issuer";
|
|
|
|
}
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_REVOKED) {
|
|
|
|
reason = "The certificate has been revoked";
|
|
|
|
}
|
|
|
|
|
|
|
|
if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
|
|
|
|
reason = "The certificate uses an insecure algorithm";
|
|
|
|
}
|
|
|
|
|
|
|
|
error_setg(errp, "%s", reason);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
certs = gnutls_certificate_get_peers(session->handle, &nCerts);
|
|
|
|
if (!certs) {
|
|
|
|
error_setg(errp, "No certificate peers");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < nCerts; i++) {
|
|
|
|
ret = gnutls_x509_crt_init(&cert);
|
|
|
|
if (ret < 0) {
|
|
|
|
error_setg(errp, "Cannot initialize certificate: %s",
|
|
|
|
gnutls_strerror(ret));
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = gnutls_x509_crt_import(cert, &certs[i], GNUTLS_X509_FMT_DER);
|
|
|
|
if (ret < 0) {
|
|
|
|
error_setg(errp, "Cannot import certificate: %s",
|
|
|
|
gnutls_strerror(ret));
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (gnutls_x509_crt_get_expiration_time(cert) < now) {
|
|
|
|
error_setg(errp, "The certificate has expired");
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (gnutls_x509_crt_get_activation_time(cert) > now) {
|
|
|
|
error_setg(errp, "The certificate is not yet activated");
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (gnutls_x509_crt_get_activation_time(cert) > now) {
|
|
|
|
error_setg(errp, "The certificate is not yet activated");
|
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (i == 0) {
|
|
|
|
size_t dnameSize = 1024;
|
|
|
|
session->peername = g_malloc(dnameSize);
|
|
|
|
requery:
|
|
|
|
ret = gnutls_x509_crt_get_dn(cert, session->peername, &dnameSize);
|
|
|
|
if (ret < 0) {
|
|
|
|
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
|
|
|
|
session->peername = g_realloc(session->peername,
|
|
|
|
dnameSize);
|
|
|
|
goto requery;
|
|
|
|
}
|
|
|
|
error_setg(errp, "Cannot get client distinguished name: %s",
|
|
|
|
gnutls_strerror(ret));
|
|
|
|
goto error;
|
|
|
|
}
|
2016-02-18 21:40:24 +03:00
|
|
|
if (session->authzid) {
|
|
|
|
bool allow;
|
|
|
|
|
|
|
|
allow = qauthz_is_allowed_by_id(session->authzid,
|
|
|
|
session->peername, &err);
|
|
|
|
if (err) {
|
|
|
|
error_propagate(errp, err);
|
2015-03-02 20:23:31 +03:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
if (!allow) {
|
2016-02-18 21:40:24 +03:00
|
|
|
error_setg(errp, "TLS x509 authz check for %s is denied",
|
2015-11-18 17:42:40 +03:00
|
|
|
session->peername);
|
2015-03-02 20:23:31 +03:00
|
|
|
goto error;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (session->hostname) {
|
|
|
|
if (!gnutls_x509_crt_check_hostname(cert, session->hostname)) {
|
|
|
|
error_setg(errp,
|
|
|
|
"Certificate does not match the hostname %s",
|
|
|
|
session->hostname);
|
|
|
|
goto error;
|
|
|
|
}
|
2022-03-04 22:35:59 +03:00
|
|
|
} else {
|
|
|
|
if (session->creds->endpoint ==
|
|
|
|
QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
|
|
|
|
error_setg(errp, "No hostname for certificate validation");
|
|
|
|
goto error;
|
|
|
|
}
|
2015-03-02 20:23:31 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
gnutls_x509_crt_deinit(cert);
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error:
|
|
|
|
gnutls_x509_crt_deinit(cert);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
qcrypto_tls_session_check_credentials(QCryptoTLSSession *session,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
if (object_dynamic_cast(OBJECT(session->creds),
|
|
|
|
TYPE_QCRYPTO_TLS_CREDS_ANON)) {
|
2016-09-14 12:18:09 +03:00
|
|
|
trace_qcrypto_tls_session_check_creds(session, "nop");
|
2015-03-02 20:23:31 +03:00
|
|
|
return 0;
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 11:03:03 +03:00
|
|
|
} else if (object_dynamic_cast(OBJECT(session->creds),
|
|
|
|
TYPE_QCRYPTO_TLS_CREDS_PSK)) {
|
|
|
|
trace_qcrypto_tls_session_check_creds(session, "nop");
|
|
|
|
return 0;
|
2015-03-02 20:23:31 +03:00
|
|
|
} else if (object_dynamic_cast(OBJECT(session->creds),
|
|
|
|
TYPE_QCRYPTO_TLS_CREDS_X509)) {
|
|
|
|
if (session->creds->verifyPeer) {
|
2016-09-14 12:18:09 +03:00
|
|
|
int ret = qcrypto_tls_session_check_certificate(session,
|
|
|
|
errp);
|
|
|
|
trace_qcrypto_tls_session_check_creds(session,
|
|
|
|
ret == 0 ? "pass" : "fail");
|
|
|
|
return ret;
|
2015-03-02 20:23:31 +03:00
|
|
|
} else {
|
2016-09-14 12:18:09 +03:00
|
|
|
trace_qcrypto_tls_session_check_creds(session, "skip");
|
2015-03-02 20:23:31 +03:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
} else {
|
2016-09-14 12:18:09 +03:00
|
|
|
trace_qcrypto_tls_session_check_creds(session, "error");
|
2015-03-02 20:23:31 +03:00
|
|
|
error_setg(errp, "Unexpected credential type %s",
|
|
|
|
object_get_typename(OBJECT(session->creds)));
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
qcrypto_tls_session_set_callbacks(QCryptoTLSSession *session,
|
|
|
|
QCryptoTLSSessionWriteFunc writeFunc,
|
|
|
|
QCryptoTLSSessionReadFunc readFunc,
|
|
|
|
void *opaque)
|
|
|
|
{
|
|
|
|
session->writeFunc = writeFunc;
|
|
|
|
session->readFunc = readFunc;
|
|
|
|
session->opaque = opaque;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ssize_t
|
|
|
|
qcrypto_tls_session_write(QCryptoTLSSession *session,
|
|
|
|
const char *buf,
|
|
|
|
size_t len)
|
|
|
|
{
|
|
|
|
ssize_t ret = gnutls_record_send(session->handle, buf, len);
|
|
|
|
|
|
|
|
if (ret < 0) {
|
|
|
|
switch (ret) {
|
|
|
|
case GNUTLS_E_AGAIN:
|
|
|
|
errno = EAGAIN;
|
|
|
|
break;
|
|
|
|
case GNUTLS_E_INTERRUPTED:
|
|
|
|
errno = EINTR;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
errno = EIO;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
ret = -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ssize_t
|
|
|
|
qcrypto_tls_session_read(QCryptoTLSSession *session,
|
|
|
|
char *buf,
|
|
|
|
size_t len)
|
|
|
|
{
|
|
|
|
ssize_t ret = gnutls_record_recv(session->handle, buf, len);
|
|
|
|
|
|
|
|
if (ret < 0) {
|
|
|
|
switch (ret) {
|
|
|
|
case GNUTLS_E_AGAIN:
|
|
|
|
errno = EAGAIN;
|
|
|
|
break;
|
|
|
|
case GNUTLS_E_INTERRUPTED:
|
|
|
|
errno = EINTR;
|
|
|
|
break;
|
2018-11-19 16:42:28 +03:00
|
|
|
case GNUTLS_E_PREMATURE_TERMINATION:
|
|
|
|
errno = ECONNABORTED;
|
|
|
|
break;
|
2015-03-02 20:23:31 +03:00
|
|
|
default:
|
|
|
|
errno = EIO;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
ret = -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2022-11-15 17:23:28 +03:00
|
|
|
size_t
|
|
|
|
qcrypto_tls_session_check_pending(QCryptoTLSSession *session)
|
|
|
|
{
|
|
|
|
return gnutls_record_check_pending(session->handle);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-03-02 20:23:31 +03:00
|
|
|
int
|
|
|
|
qcrypto_tls_session_handshake(QCryptoTLSSession *session,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
int ret = gnutls_handshake(session->handle);
|
|
|
|
if (ret == 0) {
|
|
|
|
session->handshakeComplete = true;
|
|
|
|
} else {
|
|
|
|
if (ret == GNUTLS_E_INTERRUPTED ||
|
|
|
|
ret == GNUTLS_E_AGAIN) {
|
|
|
|
ret = 1;
|
|
|
|
} else {
|
|
|
|
error_setg(errp, "TLS handshake failed: %s",
|
|
|
|
gnutls_strerror(ret));
|
|
|
|
ret = -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
QCryptoTLSSessionHandshakeStatus
|
|
|
|
qcrypto_tls_session_get_handshake_status(QCryptoTLSSession *session)
|
|
|
|
{
|
|
|
|
if (session->handshakeComplete) {
|
|
|
|
return QCRYPTO_TLS_HANDSHAKE_COMPLETE;
|
|
|
|
} else if (gnutls_record_get_direction(session->handle) == 0) {
|
|
|
|
return QCRYPTO_TLS_HANDSHAKE_RECVING;
|
|
|
|
} else {
|
|
|
|
return QCRYPTO_TLS_HANDSHAKE_SENDING;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
qcrypto_tls_session_get_key_size(QCryptoTLSSession *session,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
gnutls_cipher_algorithm_t cipher;
|
|
|
|
int ssf;
|
|
|
|
|
|
|
|
cipher = gnutls_cipher_get(session->handle);
|
|
|
|
ssf = gnutls_cipher_get_key_size(cipher);
|
|
|
|
if (!ssf) {
|
|
|
|
error_setg(errp, "Cannot get TLS cipher key size");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
return ssf;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
char *
|
|
|
|
qcrypto_tls_session_get_peer_name(QCryptoTLSSession *session)
|
|
|
|
{
|
|
|
|
if (session->peername) {
|
|
|
|
return g_strdup(session->peername);
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#else /* ! CONFIG_GNUTLS */
|
|
|
|
|
|
|
|
|
|
|
|
QCryptoTLSSession *
|
|
|
|
qcrypto_tls_session_new(QCryptoTLSCreds *creds G_GNUC_UNUSED,
|
|
|
|
const char *hostname G_GNUC_UNUSED,
|
2016-02-18 21:40:24 +03:00
|
|
|
const char *authzid G_GNUC_UNUSED,
|
2015-03-02 20:23:31 +03:00
|
|
|
QCryptoTLSCredsEndpoint endpoint G_GNUC_UNUSED,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
error_setg(errp, "TLS requires GNUTLS support");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
qcrypto_tls_session_free(QCryptoTLSSession *sess G_GNUC_UNUSED)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
qcrypto_tls_session_check_credentials(QCryptoTLSSession *sess G_GNUC_UNUSED,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
error_setg(errp, "TLS requires GNUTLS support");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
qcrypto_tls_session_set_callbacks(
|
|
|
|
QCryptoTLSSession *sess G_GNUC_UNUSED,
|
|
|
|
QCryptoTLSSessionWriteFunc writeFunc G_GNUC_UNUSED,
|
|
|
|
QCryptoTLSSessionReadFunc readFunc G_GNUC_UNUSED,
|
|
|
|
void *opaque G_GNUC_UNUSED)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ssize_t
|
|
|
|
qcrypto_tls_session_write(QCryptoTLSSession *sess,
|
|
|
|
const char *buf,
|
|
|
|
size_t len)
|
|
|
|
{
|
|
|
|
errno = -EIO;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ssize_t
|
|
|
|
qcrypto_tls_session_read(QCryptoTLSSession *sess,
|
|
|
|
char *buf,
|
|
|
|
size_t len)
|
|
|
|
{
|
|
|
|
errno = -EIO;
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2022-11-15 17:23:28 +03:00
|
|
|
size_t
|
|
|
|
qcrypto_tls_session_check_pending(QCryptoTLSSession *session)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-03-02 20:23:31 +03:00
|
|
|
int
|
|
|
|
qcrypto_tls_session_handshake(QCryptoTLSSession *sess,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
error_setg(errp, "TLS requires GNUTLS support");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
QCryptoTLSSessionHandshakeStatus
|
|
|
|
qcrypto_tls_session_get_handshake_status(QCryptoTLSSession *sess)
|
|
|
|
{
|
|
|
|
return QCRYPTO_TLS_HANDSHAKE_COMPLETE;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
qcrypto_tls_session_get_key_size(QCryptoTLSSession *sess,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
error_setg(errp, "TLS requires GNUTLS support");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
char *
|
|
|
|
qcrypto_tls_session_get_peer_name(QCryptoTLSSession *sess)
|
|
|
|
{
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|