2015-03-02 19:13:13 +01:00
|
|
|
/*
|
|
|
|
* QEMU I/O channels TLS driver
|
|
|
|
*
|
|
|
|
* Copyright (c) 2015 Red Hat, Inc.
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
2016-06-29 13:47:03 +02:00
|
|
|
#ifndef QIO_CHANNEL_TLS_H
|
|
|
|
#define QIO_CHANNEL_TLS_H
|
2015-03-02 19:13:13 +01:00
|
|
|
|
|
|
|
#include "io/channel.h"
|
|
|
|
#include "io/task.h"
|
|
|
|
#include "crypto/tlssession.h"
|
|
|
|
|
|
|
|
#define TYPE_QIO_CHANNEL_TLS "qio-channel-tls"
|
|
|
|
#define QIO_CHANNEL_TLS(obj) \
|
|
|
|
OBJECT_CHECK(QIOChannelTLS, (obj), TYPE_QIO_CHANNEL_TLS)
|
|
|
|
|
|
|
|
typedef struct QIOChannelTLS QIOChannelTLS;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* QIOChannelTLS
|
|
|
|
*
|
|
|
|
* The QIOChannelTLS class provides a channel wrapper which
|
|
|
|
* can transparently run the TLS encryption protocol. It is
|
|
|
|
* usually used over a TCP socket, but there is actually no
|
|
|
|
* technical restriction on which type of master channel is
|
|
|
|
* used as the transport.
|
|
|
|
*
|
|
|
|
* This channel object is capable of running as either a
|
|
|
|
* TLS server or TLS client.
|
|
|
|
*/
|
|
|
|
|
|
|
|
struct QIOChannelTLS {
|
|
|
|
QIOChannel parent;
|
|
|
|
QIOChannel *master;
|
|
|
|
QCryptoTLSSession *session;
|
2018-11-19 14:42:28 +01:00
|
|
|
QIOChannelShutdown shutdown;
|
2015-03-02 19:13:13 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* qio_channel_tls_new_server:
|
|
|
|
* @master: the underlying channel object
|
|
|
|
* @creds: the credentials to use for TLS handshake
|
|
|
|
* @aclname: the access control list for validating clients
|
2016-01-13 13:22:33 +01:00
|
|
|
* @errp: pointer to a NULL-initialized error object
|
2015-03-02 19:13:13 +01:00
|
|
|
*
|
|
|
|
* Create a new TLS channel that runs the server side of
|
|
|
|
* a TLS session. The TLS session handshake will use the
|
|
|
|
* credentials provided in @creds. If the @aclname parameter
|
|
|
|
* is non-NULL, then the client will have to provide
|
|
|
|
* credentials (ie a x509 client certificate) which will
|
|
|
|
* then be validated against the ACL.
|
|
|
|
*
|
|
|
|
* After creating the channel, it is mandatory to call
|
|
|
|
* the qio_channel_tls_handshake() method before attempting
|
|
|
|
* todo any I/O on the channel.
|
|
|
|
*
|
|
|
|
* Once the handshake has completed, all I/O should be done
|
|
|
|
* via the new TLS channel object and not the original
|
|
|
|
* master channel
|
|
|
|
*
|
|
|
|
* Returns: the new TLS channel object, or NULL
|
|
|
|
*/
|
|
|
|
QIOChannelTLS *
|
|
|
|
qio_channel_tls_new_server(QIOChannel *master,
|
|
|
|
QCryptoTLSCreds *creds,
|
|
|
|
const char *aclname,
|
|
|
|
Error **errp);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* qio_channel_tls_new_client:
|
|
|
|
* @master: the underlying channel object
|
|
|
|
* @creds: the credentials to use for TLS handshake
|
|
|
|
* @hostname: the user specified server hostname
|
2016-01-13 13:22:33 +01:00
|
|
|
* @errp: pointer to a NULL-initialized error object
|
2015-03-02 19:13:13 +01:00
|
|
|
*
|
|
|
|
* Create a new TLS channel that runs the client side of
|
|
|
|
* a TLS session. The TLS session handshake will use the
|
|
|
|
* credentials provided in @creds. The @hostname parameter
|
|
|
|
* should provide the user specified hostname of the server
|
|
|
|
* and will be validated against the server's credentials
|
|
|
|
* (ie CommonName of the x509 certificate)
|
|
|
|
*
|
|
|
|
* After creating the channel, it is mandatory to call
|
|
|
|
* the qio_channel_tls_handshake() method before attempting
|
|
|
|
* todo any I/O on the channel.
|
|
|
|
*
|
|
|
|
* Once the handshake has completed, all I/O should be done
|
|
|
|
* via the new TLS channel object and not the original
|
|
|
|
* master channel
|
|
|
|
*
|
|
|
|
* Returns: the new TLS channel object, or NULL
|
|
|
|
*/
|
|
|
|
QIOChannelTLS *
|
|
|
|
qio_channel_tls_new_client(QIOChannel *master,
|
|
|
|
QCryptoTLSCreds *creds,
|
|
|
|
const char *hostname,
|
|
|
|
Error **errp);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* qio_channel_tls_handshake:
|
|
|
|
* @ioc: the TLS channel object
|
|
|
|
* @func: the callback to invoke when completed
|
|
|
|
* @opaque: opaque data to pass to @func
|
|
|
|
* @destroy: optional callback to free @opaque
|
2018-03-05 07:43:24 +01:00
|
|
|
* @context: the context that TLS handshake will run with. If %NULL,
|
|
|
|
* the default context will be used
|
2015-03-02 19:13:13 +01:00
|
|
|
*
|
|
|
|
* Perform the TLS session handshake. This method
|
|
|
|
* will return immediately and the handshake will
|
|
|
|
* continue in the background, provided the main
|
|
|
|
* loop is running. When the handshake is complete,
|
|
|
|
* or fails, the @func callback will be invoked.
|
|
|
|
*/
|
|
|
|
void qio_channel_tls_handshake(QIOChannelTLS *ioc,
|
|
|
|
QIOTaskFunc func,
|
|
|
|
gpointer opaque,
|
2018-03-05 07:43:24 +01:00
|
|
|
GDestroyNotify destroy,
|
|
|
|
GMainContext *context);
|
2015-03-02 19:13:13 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* qio_channel_tls_get_session:
|
|
|
|
* @ioc: the TLS channel object
|
|
|
|
*
|
|
|
|
* Get the TLS session used by the channel.
|
|
|
|
*
|
|
|
|
* Returns: the TLS session
|
|
|
|
*/
|
|
|
|
QCryptoTLSSession *
|
|
|
|
qio_channel_tls_get_session(QIOChannelTLS *ioc);
|
|
|
|
|
2016-06-29 13:47:03 +02:00
|
|
|
#endif /* QIO_CHANNEL_TLS_H */
|