13f12430d4
The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.
Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.
This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.
For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:
$QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
priority="NORMAL:-VERS-SSL3.0" \
..other args...
If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
68 lines
1.7 KiB
C
68 lines
1.7 KiB
C
/*
|
|
* QEMU crypto TLS credential support
|
|
*
|
|
* Copyright (c) 2015 Red Hat, Inc.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
*
|
|
*/
|
|
|
|
#ifndef QCRYPTO_TLSCRED_H__
|
|
#define QCRYPTO_TLSCRED_H__
|
|
|
|
#include "qom/object.h"
|
|
|
|
#ifdef CONFIG_GNUTLS
|
|
#include <gnutls/gnutls.h>
|
|
#endif
|
|
|
|
#define TYPE_QCRYPTO_TLS_CREDS "tls-creds"
|
|
#define QCRYPTO_TLS_CREDS(obj) \
|
|
OBJECT_CHECK(QCryptoTLSCreds, (obj), TYPE_QCRYPTO_TLS_CREDS)
|
|
|
|
typedef struct QCryptoTLSCreds QCryptoTLSCreds;
|
|
typedef struct QCryptoTLSCredsClass QCryptoTLSCredsClass;
|
|
|
|
#define QCRYPTO_TLS_CREDS_DH_PARAMS "dh-params.pem"
|
|
|
|
|
|
/**
|
|
* QCryptoTLSCreds:
|
|
*
|
|
* The QCryptoTLSCreds object is an abstract base for different
|
|
* types of TLS handshake credentials. Most commonly the
|
|
* QCryptoTLSCredsX509 subclass will be used to provide x509
|
|
* certificate credentials.
|
|
*/
|
|
|
|
struct QCryptoTLSCreds {
|
|
Object parent_obj;
|
|
char *dir;
|
|
QCryptoTLSCredsEndpoint endpoint;
|
|
#ifdef CONFIG_GNUTLS
|
|
gnutls_dh_params_t dh_params;
|
|
#endif
|
|
bool verifyPeer;
|
|
char *priority;
|
|
};
|
|
|
|
|
|
struct QCryptoTLSCredsClass {
|
|
ObjectClass parent_class;
|
|
};
|
|
|
|
|
|
#endif /* QCRYPTO_TLSCRED_H__ */
|
|
|