[Qemu-devel] [PATCH v6 00/11] Extract TLS handling code from VNC server
From: Daniel P. Berrange
Subject: [Qemu-devel] [PATCH v6 00/11] Extract TLS handling code from VNC server
Date: Wed, 2 Sep 2015 12:17:59 +0100
This small patch series is a formal submission of another part of my previous series

v1: https://lists.gnu.org/archive/html/qemu-devel/2015-04/msg02038.html
v2: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg01267.html
v3: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg01386.html
v4: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg02655.html
v5: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg03159.html

Now we have the basic crypto module defined for hash/cipher APIs, we extend it to also cover TLS credential and TLS session handling APIs. These new TLS related APIs obsolete the vast majority of the TLS handling code in the current VNC server. As a result the VNC server no longer has to worry about conditional compilation for GNUTLS. It also gives us code reuse for future patches which intend to add TLS support to chardevs, migration, nbd, etc.

This series deprecates the existing way of configuring TLS for VNC on the command line, but maintains support for back-compat reasons.

Since the TLS code is now totally isolated from the VNC server it is also practical to provide significant unit test coverage of what is security critical code.

Aside from the new CLI syntax for configuring TLS with VNC, the only other functional change is to allow Diffie-Hellman params to be loaded from a file, instead of being generated at startup.
Changes in v6:
- Remove use of -Wl,--whole-archive added in v5 since it bloated the binary sizes too much
- Move crypto code out of libqemuutil.a to allow linking with QOM without problem of linker dropping objects only referenced via constructors
- Allow tools to link to QOM objects
- Remove repetition in unit test object deps
- Remove trailing '.' from error messages in TLS code
- Remove leading '_' from struct name in TLS session
- Fix leak of TLS credentials in cert checking error path
- Added docs for enhancement to enum code generator
- Misc docs typos & indentation fixes
- Add more sanity checking to enum code generator
- Add tests to cover enum code generator enhancement
- Fix dereference of Error **errp variables
- Fix overwriting of already set Error * variable in tests
- Use CHAR_BIT constant in sasl code
- Fix incorrect return status in VNC TLS code error path

Changes in v5:
- Introduce use of -Wl,--whole-archive with libqemuutil.a to ensure QOM objects are not discarded by linker
- Remove nasty back dummy functions used to prevent QOM object discard by linker
- Extend QAPI enum generator to allow enum name prefix spec to override heuristics
- Switch to use QAPI to generate QCryptoTLSCredsEndpoint enum definition
- Fix misc bugs in error message strings
- Use alternate definition for DPRINTF

Changes in v4:
- Fix build when GNUTLS is disabled
- Add missed return type conversion in vnc.h

Changes in v3:
- Switched "tls-creds" object to be just an abstract base class
- Created "tls-creds-anon" object subclass in new file
- Created "tls-creds-x509" object subclass in new file

Daniel P. Berrange (11):
qapi: allow override of default enum prefix naming
tests: remove repetition in unit test object deps
crypto: move crypto objects out of libqemuutil.la
qom: allow QOM to be linked into tools binaries
crypto: introduce new base module for TLS credentials
crypto: introduce new module for TLS anonymous credentials
crypto: introduce new module for TLS x509 credentials
crypto: add sanity checking of TLS x509 credentials
crypto: introduce new module for handling TLS sessions
ui: fix return type for VNC I/O functions to be ssize_t
ui: convert VNC server to use QCryptoTLSSession
Makefile | 10 +-
Makefile.objs | 10 +-
Makefile.target | 4 +
configure | 53 +-
crypto/Makefile.objs | 14 +-
crypto/tlscreds.c | 262 ++++++++
crypto/tlscredsanon.c | 236 +++++++
crypto/tlscredspriv.h | 41 ++
crypto/tlscredsx509.c | 820 +++++++++++++++++++++++
crypto/tlssession.c | 586 ++++++++++++++++
docs/qapi-code-gen.txt | 8 +
include/crypto/tlscreds.h | 68 ++
include/crypto/tlscredsanon.h | 112 ++++
include/crypto/tlscredsx509.h | 113 ++++
include/crypto/tlssession.h | 322 +++++++++
qapi-schema.json | 3 +
qapi/crypto.json | 21 +
qemu-options.hx | 75 ++-
qom/Makefile.objs | 7 +-
scripts/qapi-types.py | 16 +-
scripts/qapi.py | 10 +-
tests/.gitignore | 7 +
tests/Makefile | 106 +--
tests/crypto-tls-x509-helpers.c | 486 ++++++++++++++
tests/crypto-tls-x509-helpers.h | 133 ++++
tests/pkix_asn1_tab.c | 1104 +++++++++++++++++++++++++++++++
tests/qapi-schema/enum-bad-prefix.err | 1 +
tests/qapi-schema/enum-bad-prefix.exit | 1 +
tests/qapi-schema/enum-bad-prefix.json | 2 +
tests/qapi-schema/enum-bad-prefix.out | 0
tests/qapi-schema/qapi-schema-test.json | 5 +
tests/qapi-schema/qapi-schema-test.out | 2 +
tests/test-crypto-tlscredsx509.c | 733 ++++++++++++++++++++
tests/test-crypto-tlssession.c | 537 +++++++++++++++
ui/Makefile.objs | 2 +-
ui/vnc-auth-sasl.c | 36 +-
ui/vnc-auth-vencrypt.c | 80 ++-
ui/vnc-tls.c | 474 -------------
ui/vnc-tls.h | 69 --
ui/vnc-ws.c | 84 +--
ui/vnc-ws.h | 2 -
ui/vnc.c | 362 ++++++----
ui/vnc.h | 21 +-
43 files changed, 6157 insertions(+), 881 deletions(-)
create mode 100644 crypto/tlscreds.c
create mode 100644 crypto/tlscredsanon.c
create mode 100644 crypto/tlscredspriv.h
create mode 100644 crypto/tlscredsx509.c
create mode 100644 crypto/tlssession.c
create mode 100644 include/crypto/tlscreds.h
create mode 100644 include/crypto/tlscredsanon.h
create mode 100644 include/crypto/tlscredsx509.h
create mode 100644 include/crypto/tlssession.h
create mode 100644 qapi/crypto.json
create mode 100644 tests/crypto-tls-x509-helpers.c
create mode 100644 tests/crypto-tls-x509-helpers.h
create mode 100644 tests/pkix_asn1_tab.c
create mode 100644 tests/qapi-schema/enum-bad-prefix.err
create mode 100644 tests/qapi-schema/enum-bad-prefix.exit
create mode 100644 tests/qapi-schema/enum-bad-prefix.json
create mode 100644 tests/qapi-schema/enum-bad-prefix.out
create mode 100644 tests/test-crypto-tlscredsx509.c
create mode 100644 tests/test-crypto-tlssession.c
delete mode 100644 ui/vnc-tls.c
delete mode 100644 ui/vnc-tls.h
--
2.4.3