/*
 * QEMU crypto TLS credential support
 *
 * Copyright (c) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */
					
						
#ifndef QCRYPTO_TLSCREDS_H
#define QCRYPTO_TLSCREDS_H

#include "qom/object.h"

/*
 * gnutls_dh_params_t (a field of QCryptoTLSCreds below) only exists when
 * the build has GnuTLS; the object type itself is declared either way.
 */
#ifdef CONFIG_GNUTLS
#include <gnutls/gnutls.h>
#endif

/*
 * QOM type name of the abstract credential object. Concrete subclasses
 * extend this prefix (e.g. "tls-creds-x509", "tls-creds-anon"), which is
 * the name given to -object on the command line.
 */
#define TYPE_QCRYPTO_TLS_CREDS "tls-creds"
/* Checked downcast from a QOM Object to QCryptoTLSCreds. */
#define QCRYPTO_TLS_CREDS(obj)                  \
    OBJECT_CHECK(QCryptoTLSCreds, (obj), TYPE_QCRYPTO_TLS_CREDS)

typedef struct QCryptoTLSCreds QCryptoTLSCreds;
typedef struct QCryptoTLSCredsClass QCryptoTLSCredsClass;

/*
 * File name of the PEM-encoded Diffie-Hellman parameters. Presumably
 * resolved relative to QCryptoTLSCreds::dir by the implementation —
 * confirm against the .c file before relying on that.
 */
#define QCRYPTO_TLS_CREDS_DH_PARAMS "dh-params.pem"
/**
 * QCryptoTLSCreds:
 *
 * The QCryptoTLSCreds object is an abstract base for different
 * types of TLS handshake credentials. Most commonly the
 * QCryptoTLSCredsX509 subclass will be used to provide x509
 * certificate credentials.
 *
 * The fields below are the state shared by every subclass; they are
 * populated from the object's properties (e.g. "dir=", "priority=")
 * when the credential object is created with -object.
 */

struct QCryptoTLSCreds {
    Object parent_obj;
    /*
     * Directory from which the credential files are loaded ("dir="
     * property, e.g. dir=/path/to/qemutls). Ownership/lifetime of the
     * string is handled in the .c file — not visible here.
     */
    char *dir;
    /*
     * Which side of the handshake these credentials are for. The enum is
     * declared elsewhere; presumably client vs. server — confirm there.
     */
    QCryptoTLSCredsEndpoint endpoint;
#ifdef CONFIG_GNUTLS
    /*
     * GnuTLS Diffie-Hellman parameters; presumably loaded from
     * QCRYPTO_TLS_CREDS_DH_PARAMS under 'dir' — confirm in the loader.
     */
    gnutls_dh_params_t dh_params;
#endif
    /*
     * NOTE(review): from the name this looks like the switch for peer
     * (certificate) verification. If so, a credential object with it
     * cleared authenticates nobody on the other end, so any code path
     * that sets it to false should be an explicit, documented choice.
     * Confirm the exact semantics in the subclass implementations.
     */
    bool verifyPeer;
    /*
     * GnuTLS priority string supplied by the user ("priority=" property),
     * overriding the library default ("NORMAL" in older GnuTLS, "@SYSTEM"
     * where the distro config file applies). Presumably NULL when not
     * given. For anonymous credentials "+ANON-DH" is appended to whatever
     * the user specifies, as that is mandatory for anon credentials to
     * work. Note that this string can loosen as well as tighten what is
     * negotiated (e.g. "NORMAL:-VERS-SSL3.0" disables SSL 3.0).
     */
    char *priority;
};
					
						
/*
 * Class structure for the abstract "tls-creds" type. It adds nothing
 * beyond the QOM parent class here; subclasses declare their own.
 */
struct QCryptoTLSCredsClass {
    ObjectClass parent_class;
};
					
						
#endif /* QCRYPTO_TLSCREDS_H */