1. 23 9月, 2015 7 次提交
  2. 21 9月, 2015 2 次提交
  3. 19 9月, 2015 3 次提交
  4. 18 9月, 2015 2 次提交
  5. 16 9月, 2015 7 次提交
  6. 15 9月, 2015 7 次提交
    • R
      652a4b7e
    • C
      linux-user: Support tilegx architecture in linux-user · b16189b2
      Chen Gang 提交于
      Add main working flow feature, system call processing feature, and elf64
      tilegx binary loading feature, based on Linux kernel tilegx 64-bit
      implementation.
      
      [rth: Moved all of the implementation of atomic instructions to a later patch.]
      Signed-off-by: NChen Gang <gang.chen.5i5j@gmail.com>
      Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
      Message-Id: <BLU436-SMTP938552D42808AA60634582B9660@phx.gbl>
      Signed-off-by: NRichard Henderson <rth@twiddle.net>
      b16189b2
    • D
      crypto: introduce new module for handling TLS sessions · d321e1e5
      Daniel P. Berrange 提交于
      Introduce a QCryptoTLSSession object that will encapsulate
      all the code for setting up and using a client/sever TLS
      session. This isolates the code which depends on the gnutls
      library, avoiding #ifdefs in the rest of the codebase, as
      well as facilitating any possible future port to other TLS
      libraries, if desired. It makes use of the previously
      defined QCryptoTLSCreds object to access credentials to
      use with the session. It also includes further unit tests
      to validate the correctness of the TLS session handshake
      and certificate validation. This is functionally equivalent
      to the current TLS session handling code embedded in the
      VNC server, and will obsolete it.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      d321e1e5
    • D
      crypto: add sanity checking of TLS x509 credentials · 9a2fd434
      Daniel P. Berrange 提交于
      If the administrator incorrectly sets up their x509 certificates,
      the errors seen at runtime during connection attempts are very
      obscure and difficult to diagnose. This has been a particular
      problem for people using openssl to generate their certificates
      instead of the gnutls certtool, because the openssl tools don't
      turn on the various x509 extensions that gnutls expects to be
      present by default.
      
      This change thus adds support in the TLS credentials object to
      sanity check the certificates when QEMU first loads them. This
      gives the administrator immediate feedback for the majority of
      common configuration mistakes, reducing the pain involved in
      setting up TLS. The code is derived from equivalent code that
      has been part of libvirt's TLS support and has been seen to be
      valuable in assisting admins.
      
      It is possible to disable the sanity checking, however, via
      the new 'sanity-check' property on the tls-creds object type,
      with a value of 'no'.
      
      Unit tests are included in this change to verify the correctness
      of the sanity checking code in all the key scenarios it is
      intended to cope with. As part of the test suite, the pkix_asn1_tab.c
      from gnutls is imported. This file is intentionally copied from the
      (long since obsolete) gnutls 1.6.3 source tree, since that version
      was still under GPLv2+, rather than the GPLv3+ of gnutls >= 2.0.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      9a2fd434
    • D
      crypto: introduce new module for TLS x509 credentials · 85bcbc78
      Daniel P. Berrange 提交于
      Introduce a QCryptoTLSCredsX509 class which is used to
      manage x509 certificate TLS credentials. This will be
      the preferred credential type offering strong security
      characteristics
      
      Example CLI configuration:
      
       $QEMU -object tls-creds-x509,id=tls0,endpoint=server,\
                     dir=/path/to/creds/dir,verify-peer=yes
      
      The 'id' value in the -object args will be used to associate the
      credentials with the network services. For example, when the VNC
      server is later converted it would use
      
       $QEMU -object tls-creds-x509,id=tls0,.... \
             -vnc 127.0.0.1:1,tls-creds=tls0
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      Reviewed-by: NEric Blake <eblake@redhat.com>
      85bcbc78
    • D
      crypto: introduce new module for TLS anonymous credentials · e00adf6c
      Daniel P. Berrange 提交于
      Introduce a QCryptoTLSCredsAnon class which is used to
      manage anonymous TLS credentials. Use of this class is
      generally discouraged since it does not offer strong
      security, but it is required for backwards compatibility
      with the current VNC server implementation.
      
      Simple example CLI configuration:
      
       $QEMU -object tls-creds-anon,id=tls0,endpoint=server
      
      Example using pre-created diffie-hellman parameters
      
       $QEMU -object tls-creds-anon,id=tls0,endpoint=server,\
                     dir=/path/to/creds/dir
      
      The 'id' value in the -object args will be used to associate the
      credentials with the network services. For example, when the VNC
      server is later converted it would use
      
       $QEMU -object tls-creds-anon,id=tls0,.... \
             -vnc 127.0.0.1:1,tls-creds=tls0
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      Reviewed-by: NEric Blake <eblake@redhat.com>
      e00adf6c
    • D
      crypto: introduce new base module for TLS credentials · a090187d
      Daniel P. Berrange 提交于
      Introduce a QCryptoTLSCreds class to act as the base class for
      storing TLS credentials. This will be later subclassed to provide
      handling of anonymous and x509 credential types. The subclasses
      will be user creatable objects, so instances can be created &
      deleted via 'object-add' and 'object-del' QMP commands respectively,
      or via the -object command line arg.
      
      If the credentials cannot be initialized an error will be reported
      as a QMP reply, or on stderr respectively.
      
      The idea is to make it possible to represent and manage TLS
      credentials independently of the network service that is using
      them. This will enable multiple services to use the same set of
      credentials and minimize code duplication. A later patch will
      convert the current VNC server TLS code over to use this object.
      
      The representation of credentials will be functionally equivalent
      to that currently implemented in the VNC server with one exception.
      The new code has the ability to (optionally) load a pre-generated
      set of diffie-hellman parameters, if the file dh-params.pem exists,
      whereas the current VNC server will always generate them on startup.
      This is beneficial for admins who wish to avoid the (small) time
      sink of generating DH parameters at startup and/or avoid depleting
      entropy.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      a090187d
  7. 14 9月, 2015 7 次提交
  8. 11 9月, 2015 5 次提交