crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 11:03:03 +03:00
|
|
|
/*
|
|
|
|
* QEMU crypto TLS Pre-Shared Key (PSK) support
|
|
|
|
*
|
|
|
|
* Copyright (c) 2018 Red Hat, Inc.
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
2019-02-13 18:54:59 +03:00
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
crypto: Implement TLS Pre-Shared Keys (PSK).
Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates. It requires only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-07-03 11:03:03 +03:00
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef QCRYPTO_TLSCREDSPSK_H
|
|
|
|
#define QCRYPTO_TLSCREDSPSK_H
|
|
|
|
|
|
|
|
#include "crypto/tlscreds.h"
|
|
|
|
|
|
|
|
#define TYPE_QCRYPTO_TLS_CREDS_PSK "tls-creds-psk"
|
|
|
|
#define QCRYPTO_TLS_CREDS_PSK(obj) \
|
|
|
|
OBJECT_CHECK(QCryptoTLSCredsPSK, (obj), TYPE_QCRYPTO_TLS_CREDS_PSK)
|
|
|
|
|
|
|
|
typedef struct QCryptoTLSCredsPSK QCryptoTLSCredsPSK;
|
|
|
|
typedef struct QCryptoTLSCredsPSKClass QCryptoTLSCredsPSKClass;
|
|
|
|
|
|
|
|
#define QCRYPTO_TLS_CREDS_PSKFILE "keys.psk"
|
|
|
|
|
|
|
|
/**
|
|
|
|
* QCryptoTLSCredsPSK:
|
|
|
|
*
|
|
|
|
* The QCryptoTLSCredsPSK object provides a representation
|
|
|
|
* of the Pre-Shared Key credential used to perform a TLS handshake.
|
|
|
|
*
|
|
|
|
* This is a user creatable object, which can be instantiated
|
|
|
|
* via object_new_propv():
|
|
|
|
*
|
|
|
|
* <example>
|
|
|
|
* <title>Creating TLS-PSK credential objects in code</title>
|
|
|
|
* <programlisting>
|
|
|
|
* Object *obj;
|
|
|
|
* Error *err = NULL;
|
|
|
|
* obj = object_new_propv(TYPE_QCRYPTO_TLS_CREDS_PSK,
|
|
|
|
* "tlscreds0",
|
|
|
|
* &err,
|
|
|
|
* "dir", "/path/to/dir",
|
|
|
|
* "endpoint", "client",
|
|
|
|
* NULL);
|
|
|
|
* </programlisting>
|
|
|
|
* </example>
|
|
|
|
*
|
|
|
|
* Or via QMP:
|
|
|
|
*
|
|
|
|
* <example>
|
|
|
|
* <title>Creating TLS-PSK credential objects via QMP</title>
|
|
|
|
* <programlisting>
|
|
|
|
* {
|
|
|
|
* "execute": "object-add", "arguments": {
|
|
|
|
* "id": "tlscreds0",
|
|
|
|
* "qom-type": "tls-creds-psk",
|
|
|
|
* "props": {
|
|
|
|
* "dir": "/path/to/dir",
|
|
|
|
* "endpoint": "client"
|
|
|
|
* }
|
|
|
|
* }
|
|
|
|
* }
|
|
|
|
* </programlisting>
|
|
|
|
* </example>
|
|
|
|
*
|
|
|
|
* Or via the CLI:
|
|
|
|
*
|
|
|
|
* <example>
|
|
|
|
* <title>Creating TLS-PSK credential objects via CLI</title>
|
|
|
|
* <programlisting>
|
|
|
|
* qemu-system-x86_64 --object tls-creds-psk,id=tlscreds0,\
|
|
|
|
* endpoint=client,dir=/path/to/dir[,username=qemu]
|
|
|
|
* </programlisting>
|
|
|
|
* </example>
|
|
|
|
*
|
|
|
|
* The PSK file can be created and managed using psktool.
|
|
|
|
*/
|
|
|
|
|
|
|
|
struct QCryptoTLSCredsPSK {
|
|
|
|
QCryptoTLSCreds parent_obj;
|
|
|
|
char *username;
|
|
|
|
#ifdef CONFIG_GNUTLS
|
|
|
|
union {
|
|
|
|
gnutls_psk_server_credentials_t server;
|
|
|
|
gnutls_psk_client_credentials_t client;
|
|
|
|
} data;
|
|
|
|
#endif
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
struct QCryptoTLSCredsPSKClass {
|
|
|
|
QCryptoTLSCredsClass parent_class;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
#endif /* QCRYPTO_TLSCREDSPSK_H */
|