* Document 'password-secret' option for -iscsi

* Deprecate iSCSI 'password' in favour of 'password-secret'
  * Remove deprecated 'password' option for SPICE
  * Fix handling of cached read buffers with TLS
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmPtGoUACgkQvobrtBUQ
 T99RsA/7BQqQCyZcpTxYXYnGace4qnVx/VQLX7gESjnbsXlA0qUAtxepg2YdsU3W
 GxyZHflP48TesSAsxsA9sBwoFaJZvsq+fZnq62clNNiZTIRynSi65KVUdbqQ/a3F
 3A9XZlqLzXJMPpwyowzcjMCx+/4+cIr9DA0hKUzQJtNder1I17ySXFGGsO98iM24
 KR/Pulk2NogWLez1Tr7qF01+OK8/cBPpD/QEHzKXsyVcbgnFLFnBIpbpLtlK4BEb
 g6csk665kbWZXud25YXdyG9pUPOrNM4l+7fQcDhjy3IoS2P6/bCTp1jsn3txTbEj
 yTKFJEEM18UWNQCvn4wyHiRCK6+KrFigocdj0jdsyG5DtNUTxqNkdscJa8V/d0hR
 4y56Z33yK5JQIPaHE28f5vy/w2014hUoqpoYHt4JOeUuUJq9tvMqY6TCThc3ZvvP
 08DF/0MwIj0NzP5hiEtNxUwFNjwmVRZCSzmNX+22SXOlICwZeQpejwtpEz8YMgDo
 S4vEUjhcNYXoTkL6qZFfBuwn1Gkqqg1DRx8amh3WTB7JDiFA9YwefmBiblAqEK0D
 AG1vPo53uHFytoYqMtsEI/JVE7wfZCBHGBXz2euOOKzUqWS0OGL0h71s5D0yDY+U
 /8YBy86qj7Vm7QuUz+Z2OaWH+miXYy8/kMjdfEcGgqbORReZWrI=
 =sAEk
 -----END PGP SIGNATURE-----

Merge tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu into staging

 * Document 'password-secret' option for -iscsi
 * Deprecate iSCSI 'password' in favour of 'password-secret'
 * Remove deprecated 'password' option for SPICE
 * Fix handling of cached read buffers with TLS

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmPtGoUACgkQvobrtBUQ
# T99RsA/7BQqQCyZcpTxYXYnGace4qnVx/VQLX7gESjnbsXlA0qUAtxepg2YdsU3W
# GxyZHflP48TesSAsxsA9sBwoFaJZvsq+fZnq62clNNiZTIRynSi65KVUdbqQ/a3F
# 3A9XZlqLzXJMPpwyowzcjMCx+/4+cIr9DA0hKUzQJtNder1I17ySXFGGsO98iM24
# KR/Pulk2NogWLez1Tr7qF01+OK8/cBPpD/QEHzKXsyVcbgnFLFnBIpbpLtlK4BEb
# g6csk665kbWZXud25YXdyG9pUPOrNM4l+7fQcDhjy3IoS2P6/bCTp1jsn3txTbEj
# yTKFJEEM18UWNQCvn4wyHiRCK6+KrFigocdj0jdsyG5DtNUTxqNkdscJa8V/d0hR
# 4y56Z33yK5JQIPaHE28f5vy/w2014hUoqpoYHt4JOeUuUJq9tvMqY6TCThc3ZvvP
# 08DF/0MwIj0NzP5hiEtNxUwFNjwmVRZCSzmNX+22SXOlICwZeQpejwtpEz8YMgDo
# S4vEUjhcNYXoTkL6qZFfBuwn1Gkqqg1DRx8amh3WTB7JDiFA9YwefmBiblAqEK0D
# AG1vPo53uHFytoYqMtsEI/JVE7wfZCBHGBXz2euOOKzUqWS0OGL0h71s5D0yDY+U
# /8YBy86qj7Vm7QuUz+Z2OaWH+miXYy8/kMjdfEcGgqbORReZWrI=
# =sAEk
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 15 Feb 2023 17:46:45 GMT
# gpg:                using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>" [full]
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E  8E3F BE86 EBB4 1510 4FDF

* tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu:
  ui: remove deprecated 'password' option for SPICE
  block: deprecate iSCSI 'password' in favour of 'password-secret'
  block: mention 'password-secret' option for -iscsi
  io/channel-tls: fix handling of bigger read buffers
  crypto: TLS: introduce `check_pending`

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

block/iscsi.c

@@ -1353,6 +1353,9 @@ static void apply_chap(struct iscsi_context *iscsi, QemuOpts *opts,
     } else if (!password) {
         error_setg(errp, "CHAP username specified but no password was given");
         return;
+    } else {
+        warn_report("iSCSI block driver 'password' option is deprecated, "
+                    "use 'password-secret' instead");
     }
 
     if (iscsi_set_initiator_username_pwd(iscsi, user, password)) {

crypto/tlssession.c

@@ -493,6 +493,13 @@ qcrypto_tls_session_read(QCryptoTLSSession *session,
 }
 
 
+size_t
+qcrypto_tls_session_check_pending(QCryptoTLSSession *session)
+{
+    return gnutls_record_check_pending(session->handle);
+}
+
+
 int
 qcrypto_tls_session_handshake(QCryptoTLSSession *session,
                               Error **errp)
@@ -615,6 +622,13 @@ qcrypto_tls_session_read(QCryptoTLSSession *sess,
 }
 
 
+size_t
+qcrypto_tls_session_check_pending(QCryptoTLSSession *session)
+{
+    return 0;
+}
+
+
 int
 qcrypto_tls_session_handshake(QCryptoTLSSession *sess,
                               Error **errp)

docs/about/deprecated.rst

@@ -66,14 +66,6 @@ and will cause a warning.
 The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
 rather than ``delay=off``.
 
-``-spice password=string`` (since 6.0)
-''''''''''''''''''''''''''''''''''''''
-
-This option is insecure because the SPICE password remains visible in
-the process listing. This is replaced by the new ``password-secret``
-option which lets the password be securely provided on the command
-line using a ``secret`` object instance.
-
 ``-smp`` ("parameter=0" SMP configurations) (since 6.2)
 '''''''''''''''''''''''''''''''''''''''''''''''''''''''
 
@@ -301,6 +293,14 @@ The above, converted to the current supported format::
 
   json:{"file.driver":"rbd", "file.pool":"rbd", "file.image":"name"}
 
+``iscsi,password=xxx`` (since 8.0)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Specifying the iSCSI password in plain text on the command line using the
+``password`` option is insecure. The ``password-secret`` option should be
+used instead, to refer to a ``--object secret...`` instance that provides
+a password via a file, or encrypted.
+
 Backwards compatibility
 -----------------------
 

docs/about/removed-features.rst

@@ -428,6 +428,13 @@ respectively. The actual backend names should be used instead.
 Use ``-drive if=pflash`` to configure the OTP device of the sifive_u
 RISC-V machine instead.
 
+``-spice password=string`` (removed in 8.0)
+'''''''''''''''''''''''''''''''''''''''''''
+
+This option was insecure because the SPICE password remained visible in
+the process listing. This was replaced by the new ``password-secret``
+option which lets the password be securely provided on the command
+line using a ``secret`` object instance.
 
 QEMU Machine Protocol (QMP) commands
 ------------------------------------

include/crypto/tlssession.h

@@ -248,6 +248,17 @@ ssize_t qcrypto_tls_session_read(QCryptoTLSSession *sess,
                                  char *buf,
                                  size_t len);
 
+/**
+ * qcrypto_tls_session_check_pending:
+ * @sess: the TLS session object
+ *
+ * Check if there are unread data in the TLS buffers that have
+ * already been read from the underlying data source.
+ *
+ * Returns: the number of bytes available or zero
+ */
+size_t qcrypto_tls_session_check_pending(QCryptoTLSSession *sess);
+
 /**
  * qcrypto_tls_session_handshake:
  * @sess: the TLS session object

io/channel-tls.c

@@ -389,12 +389,76 @@ static void qio_channel_tls_set_aio_fd_handler(QIOChannel *ioc,
     qio_channel_set_aio_fd_handler(tioc->master, ctx, io_read, io_write, opaque);
 }
 
+typedef struct QIOChannelTLSSource QIOChannelTLSSource;
+struct QIOChannelTLSSource {
+    GSource parent;
+    QIOChannelTLS *tioc;
+};
+
+static gboolean
+qio_channel_tls_source_check(GSource *source)
+{
+    QIOChannelTLSSource *tsource = (QIOChannelTLSSource *)source;
+
+    return qcrypto_tls_session_check_pending(tsource->tioc->session) > 0;
+}
+
+static gboolean
+qio_channel_tls_source_prepare(GSource *source, gint *timeout)
+{
+    *timeout = -1;
+    return qio_channel_tls_source_check(source);
+}
+
+static gboolean
+qio_channel_tls_source_dispatch(GSource *source, GSourceFunc callback,
+                                gpointer user_data)
+{
+    return G_SOURCE_CONTINUE;
+}
+
+static void
+qio_channel_tls_source_finalize(GSource *source)
+{
+    QIOChannelTLSSource *tsource = (QIOChannelTLSSource *)source;
+
+    object_unref(OBJECT(tsource->tioc));
+}
+
+static GSourceFuncs qio_channel_tls_source_funcs = {
+    qio_channel_tls_source_prepare,
+    qio_channel_tls_source_check,
+    qio_channel_tls_source_dispatch,
+    qio_channel_tls_source_finalize
+};
+
+static void
+qio_channel_tls_read_watch(QIOChannelTLS *tioc, GSource *source)
+{
+    GSource *child;
+    QIOChannelTLSSource *tlssource;
+
+    child = g_source_new(&qio_channel_tls_source_funcs,
+                          sizeof(QIOChannelTLSSource));
+    tlssource = (QIOChannelTLSSource *)child;
+
+    tlssource->tioc = tioc;
+    object_ref(OBJECT(tioc));
+
+    g_source_add_child_source(source, child);
+}
+
 static GSource *qio_channel_tls_create_watch(QIOChannel *ioc,
                                              GIOCondition condition)
 {
     QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+    GSource *source = qio_channel_create_watch(tioc->master, condition);
 
-    return qio_channel_create_watch(tioc->master, condition);
+    if (condition & G_IO_IN) {
+        qio_channel_tls_read_watch(tioc, source);
+    }
+
+    return source;
 }
 
 QCryptoTLSSession *

qemu-options.hx

@@ -1892,8 +1892,8 @@ SRST
 ERST
 
 DEF("iscsi", HAS_ARG, QEMU_OPTION_iscsi,
-    "-iscsi [user=user][,password=password]\n"
-    "       [,header-digest=CRC32C|CR32C-NONE|NONE-CRC32C|NONE\n"
+    "-iscsi [user=user][,password=password][,password-secret=secret-id]\n"
+    "       [,header-digest=CRC32C|CR32C-NONE|NONE-CRC32C|NONE]\n"
     "       [,initiator-name=initiator-iqn][,id=target-iqn]\n"
     "       [,timeout=timeout]\n"
     "                iSCSI session parameters\n", QEMU_ARCH_ALL)
@@ -2135,7 +2135,7 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice,
     "       [,tls-channel=[main|display|cursor|inputs|record|playback]]\n"
     "       [,plaintext-channel=[main|display|cursor|inputs|record|playback]]\n"
     "       [,sasl=on|off][,disable-ticketing=on|off]\n"
-    "       [,password=<string>][,password-secret=<secret-id>]\n"
+    "       [,password-secret=<secret-id>]\n"
     "       [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]\n"
     "       [,jpeg-wan-compression=[auto|never|always]]\n"
     "       [,zlib-glz-wan-compression=[auto|never|always]]\n"
@@ -2161,13 +2161,6 @@ SRST
     ``ipv4=on|off``; \ ``ipv6=on|off``; \ ``unix=on|off``
         Force using the specified IP version.
 
-    ``password=<string>``
-        Set the password you need to authenticate.
-
-        This option is deprecated and insecure because it leaves the
-        password visible in the process listing. Use ``password-secret``
-        instead.
-
     ``password-secret=<secret-id>``
         Set the ID of the ``secret`` object containing the password
         you need to authenticate.

ui/spice-core.c

@@ -412,9 +412,6 @@ static QemuOptsList qemu_spice_opts = {
             .name = "unix",
             .type = QEMU_OPT_BOOL,
 #endif
-        },{
-            .name = "password",
-            .type = QEMU_OPT_STRING,
         },{
             .name = "password-secret",
             .type = QEMU_OPT_STRING,
@@ -666,20 +663,8 @@ static void qemu_spice_init(void)
     }
     passwordSecret = qemu_opt_get(opts, "password-secret");
     if (passwordSecret) {
-        if (qemu_opt_get(opts, "password")) {
-            error_report("'password' option is mutually exclusive with "
-                         "'password-secret'");
-            exit(1);
-        }
         password = qcrypto_secret_lookup_as_utf8(passwordSecret,
                                                  &error_fatal);
-    } else {
-        str = qemu_opt_get(opts, "password");
-        if (str) {
-            warn_report("'password' option is deprecated and insecure, "
-                        "use 'password-secret' instead");
-            password = g_strdup(str);
-        }
     }
 
     if (tls_port) {