qemu/include/crypto/tlscreds.h
Daniel P. Berrange 13f12430d4 crypto: add support for TLS priority string override
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.

Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.

This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.

For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:

  $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
                priority="NORMAL:-VERS-SSL3.0" \
        ..other args...

If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-04 15:52:43 +01:00

68 lines
1.7 KiB
C

/*
* QEMU crypto TLS credential support
*
* Copyright (c) 2015 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
*
*/
#ifndef QCRYPTO_TLSCRED_H__
#define QCRYPTO_TLSCRED_H__
#include "qom/object.h"
#ifdef CONFIG_GNUTLS
#include <gnutls/gnutls.h>
#endif
#define TYPE_QCRYPTO_TLS_CREDS "tls-creds"
#define QCRYPTO_TLS_CREDS(obj) \
OBJECT_CHECK(QCryptoTLSCreds, (obj), TYPE_QCRYPTO_TLS_CREDS)
typedef struct QCryptoTLSCreds QCryptoTLSCreds;
typedef struct QCryptoTLSCredsClass QCryptoTLSCredsClass;
#define QCRYPTO_TLS_CREDS_DH_PARAMS "dh-params.pem"
/**
* QCryptoTLSCreds:
*
* The QCryptoTLSCreds object is an abstract base for different
* types of TLS handshake credentials. Most commonly the
* QCryptoTLSCredsX509 subclass will be used to provide x509
* certificate credentials.
*/
struct QCryptoTLSCreds {
Object parent_obj;
char *dir;
QCryptoTLSCredsEndpoint endpoint;
#ifdef CONFIG_GNUTLS
gnutls_dh_params_t dh_params;
#endif
bool verifyPeer;
char *priority;
};
struct QCryptoTLSCredsClass {
ObjectClass parent_class;
};
#endif /* QCRYPTO_TLSCRED_H__ */