1. 17 March 2016, 1 commit
    • crypto: add support for PBKDF2 algorithm · 37788f25
      Daniel P. Berrange authored
      The LUKS data format includes use of PBKDF2 (Password-Based
      Key Derivation Function). The Nettle library can provide
      an implementation of this, but we don't want code directly
      depending on a specific crypto library backend. Introduce
      a new include/crypto/pbkdf.h header which defines a QEMU
      API for invoking PBKDF2. The initial implementations are
      backed by nettle & gcrypt, which are commonly available
      with distros shipping GNUTLS.
      
      The test suite data is taken from the cryptsetup codebase
      under the LGPLv2.1+ license. This merely aims to verify
      that whatever backend we provide for this function in QEMU
      will comply with the spec.
      Reviewed-by: Fam Zheng <famz@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
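      The derivation this commit wraps, written out from the PKCS #5 / RFC 2898 definition and checked against the RFC 6070 test vectors, as an added illustration that is not QEMU's code (QEMU delegates the work to nettle or gcrypt; the function and vector names below are this example's own):

```python
import hashlib
import hmac
import struct

# Added example: PBKDF2 (RFC 2898 / PKCS #5 v2.0) spelled out from the spec,
# so the computation a backend such as nettle or gcrypt must perform is visible.
# This is not QEMU code; QEMU's crypto/pbkdf.h API calls the backend instead.

def pbkdf2(hash_name, password, salt, iterations, dklen):
    """Derive dklen bytes from password/salt with PBKDF2-HMAC-<hash_name>."""
    if iterations < 1:
        raise ValueError("iteration count must be >= 1")
    hlen = hashlib.new(hash_name).digest_size
    blocks = (dklen + hlen - 1) // hlen        # number of T_i blocks needed
    out = bytearray()
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); INT(i) is a 4-byte big-endian counter
        u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            # U_j = PRF(P, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_c
            u = hmac.new(password, u, hash_name).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dklen])

# RFC 6070 PBKDF2-HMAC-SHA1 test vectors (password, salt, count, dkLen, hex DK).
RFC6070_VECTORS = [
    ("password", "salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    ("password", "salt", 2, 20, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"),
    ("password", "salt", 4096, 20, "4b007901b765489abead49d926f721d065a429c1"),
]

def check_vectors():
    """True if the hand-written PBKDF2 reproduces every RFC 6070 vector."""
    for p, s, c, dklen, expect in RFC6070_VECTORS:
        if pbkdf2("sha1", p.encode(), s.encode(), c, dklen).hex() != expect:
            return False
    return True

def matches_hashlib(hash_name, password, salt, iterations, dklen):
    """Cross-check against the stdlib implementation for arbitrary parameters."""
    ours = pbkdf2(hash_name, password, salt, iterations, dklen)
    ref = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)
    return ours == ref

if __name__ == "__main__":
    print("RFC 6070 vectors:", "ok" if check_vectors() else "MISMATCH")
```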
  2. 19 December 2015, 2 commits
    • crypto: add QCryptoSecret object class for password/key handling · ac1d8878
      Daniel P. Berrange authored
      Introduce a new QCryptoSecret object class which will be used
      for providing passwords and keys to other objects which need
      sensitive credentials.
      
      The new object can provide secret values directly as properties,
      or indirectly via a file. The latter includes support for file
      descriptor passing syntax on UNIX platforms. Ordinarily passing
      secret values directly as properties is insecure, since they
      are visible in process listings, or in log files showing the
      CLI args / QMP commands. It is possible to use AES-256-CBC to
      encrypt the secret values though, in which case all that is
      visible is the ciphertext.  For ad hoc developer testing though,
      it is fine to provide the secrets directly without encryption
      so this is not explicitly forbidden.
      
      The anticipated scenario is that libvirtd will create a random
      master key per QEMU instance (eg /var/run/libvirt/qemu/$VMNAME.key)
      and will use that key to encrypt all passwords it provides to
      QEMU via '-object secret,....'.  This avoids the need for libvirt
      (or other mgmt apps) to worry about file descriptor passing.
      
      It also makes life easier for people who are scripting the
      management of QEMU, for whom FD passing is significantly more
      complex.
      
      Providing data inline (insecure, only for ad hoc dev testing)
      
        $QEMU -object secret,id=sec0,data=letmein
      
      Providing data indirectly in raw format
      
        printf "letmein" > mypasswd.txt
        $QEMU -object secret,id=sec0,file=mypasswd.txt
      
      Providing data indirectly in base64 format
      
        $QEMU -object secret,id=sec0,file=mykey.b64,format=base64
      
      Providing data with encryption
      
        $QEMU -object secret,id=master0,file=mykey.b64,format=base64 \
              -object secret,id=sec0,data=[base64 ciphertext],\
                  keyid=master0,iv=[base64 IV],format=base64
      
      Note that 'format' here refers to the format of the ciphertext
      data. The decrypted data must always be in raw byte format.
      
      More examples are shown in the updated docs.
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • util: add base64 decoding function · 89bc0b6c
      Daniel P. Berrange authored
      The standard glib provided g_base64_decode doesn't provide any
      kind of sensible error checking on its input. Add a QEMU custom
      wrapper qbase64_decode which can be used with untrustworthy
      input that can contain invalid base64 characters, embedded
      NUL characters, or not be NUL terminated at all.
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
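      An added example, not QEMU's qbase64_decode, showing what strict handling of the three input problems named above looks like next to a lenient decoder of the kind the message criticises (function names and the sample inputs are this example's own):

```python
import base64
import binascii

# Added example, not QEMU code: a strict base64 decoder for untrusted input.
# It takes an explicit length (so a buffer with no NUL terminator is fine),
# rejects embedded NUL bytes, and rejects any byte outside the base64
# alphabet rather than silently skipping it.

_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def strict_b64decode(buf, length=None):
    """Decode buf[:length] (whole buffer when length is None) or raise ValueError."""
    data = buf if length is None else buf[:length]
    if b"\x00" in data:
        raise ValueError("embedded NUL byte in base64 input")
    data = data.rstrip(b"\n")          # tolerate only a trailing newline from a file
    if not data:
        return b""
    bad = set(data) - _ALPHABET
    if bad:
        raise ValueError("invalid base64 character(s): %r" % bytes(sorted(bad)))
    if len(data) % 4 != 0:
        raise ValueError("base64 input length is not a multiple of 4")
    body = data.rstrip(b"=")           # '=' is only legal as the last one or two bytes
    if len(data) - len(body) > 2 or b"=" in body:
        raise ValueError("misplaced base64 padding")
    try:
        return base64.b64decode(data, validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64: %s" % exc) from exc

def lenient_b64decode(buf):
    """Contrast case: a non-validating decoder quietly drops bytes it does not
    recognise and decodes whatever remains, hiding corrupted input."""
    return base64.b64decode(buf, validate=False)

def rejects(buf, length=None):
    """True if the strict decoder refuses this input."""
    try:
        strict_b64decode(buf, length)
    except ValueError:
        return True
    return False
```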
  3. 18 December 2015, 6 commits
    • io: add QIOChannelBuffer class · d98e4eb7
      Daniel P. Berrange authored
      Add a QIOChannel subclass that is capable of performing I/O
      to/from a memory buffer. This implementation does not attempt
      to support concurrent readers & writers. It is designed for
      serialized access whereby a single thread at a time may write
      data, seek and then read data back out.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • io: add QIOChannelCommand class · 195e14d0
      Daniel P. Berrange authored
      Add a QIOChannel subclass that is capable of performing I/O
      to/from a separate process, via a pair of pipes. The command
      can be used for unidirectional or bi-directional I/O.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • io: add QIOChannelTLS class · ed8ee42c
      Daniel P. Berrange authored
      Add a QIOChannel subclass that can run the TLS protocol over
      the top of another QIOChannel instance. The object provides a
      simplified API to perform the handshake when starting the TLS
      session. The layering of TLS over the underlying channel does
      not have to be set up immediately. It is possible to take an
      existing QIOChannel that has done some handshake and then swap
      in the QIOChannelTLS layer. This allows for use with protocols
      which start TLS right away, and those which start plain text
      and then negotiate TLS.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • io: add QIOChannelFile class · d6e48869
      Daniel P. Berrange authored
      Add a QIOChannel subclass that is capable of operating on things
      that are files, such as plain files, pipes, character/block
      devices, but notably not sockets.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • io: add QIOChannelSocket class · 559607ea
      Daniel P. Berrange authored
      Implement a QIOChannel subclass that supports sockets I/O.
      The implementation is able to manage a single socket file
      descriptor, whether a TCP/UNIX listener, TCP/UNIX connection,
      or a UDP datagram. It provides APIs which can listen and
      connect either asynchronously or synchronously. Since there
      is no asynchronous DNS lookup API available, it uses the
      QIOTask helper for spawning a background thread to ensure
      non-blocking operation.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • io: add QIOTask class for async operations · b02db2d9
      Daniel P. Berrange authored
      A number of I/O operations need to be performed asynchronously
      to avoid blocking the main loop. The callers of such APIs need
      to provide a callback to be invoked on completion/error and
      need access to the error, if any. The small QIOTask provides
      a simple framework for dealing with such probes. The API
      docs inline provide an outline of how this is to be used.
      
      Some functions don't have the ability to run asynchronously
      (eg getaddrinfo always blocks), so to facilitate their use,
      the task class provides a mechanism to run a blocking
      function in a thread, while triggering the completion
      callback in the main event loop thread. This easily allows
      any synchronous function to be made asynchronous, albeit
      at the cost of spawning a thread.
      
      In this series, the QIOTask class will be used for things like
      the TLS handshake, the websockets handshake and TCP connect()
      progress.
      
      The concept of QIOTask is inspired by the GAsyncResult
      interface / GTask class in the GIO libraries. The min
      version requirements on glib don't allow those to be
      used from QEMU, so QIOTask provides a facsimile which
      can be easily switched to GTask in the future if the
      min version is increased.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
  4. 17 November 2015, 1 commit
  5. 06 November 2015, 1 commit
  6. 12 October 2015, 1 commit
  7. 21 September 2015, 1 commit
    • qapi: New QMP command query-qmp-schema for QMP introspection · 39a18158
      Markus Armbruster authored
      qapi/introspect.json defines the introspection schema.  It's designed
      for QMP introspection, but should do for similar uses, such as QGA.
      
      The introspection schema does not reflect all the rules and
      restrictions that apply to QAPI schemata.  A valid QAPI schema has an
      introspection value conforming to the introspection schema, but the
      converse is not true.
      
      Introspection lowers away a number of schema details, and makes
      implicit things explicit:
      
      * The built-in types are declared with their JSON type.
      
        All integer types are mapped to 'int', because how many bits we use
        internally is an implementation detail.  It could be pressed into
        external interface service as very approximate range information,
        but that's a bad idea.  If we need range information, we better do
        it properly.
      
      * Implicit type definitions are made explicit, and given
        auto-generated names:
      
        - Array types, named by appending "List" to the name of their
          element type, like in generated C.
      
        - The enumeration types implicitly defined by simple union types,
          named by appending "Kind" to the name of their simple union type,
          like in generated C.
      
        - Types that don't occur in generated C.  Their names start with ':'
          so they don't clash with the user's names.
      
      * All type references are by name.
      
      * The struct and union types are generalized into an object type.
      
      * Base types are flattened.
      
      * Commands take a single argument and return a single result.
      
        Dictionary argument or list result is an implicit type definition.
      
        The empty object type is used when a command takes no arguments or
        produces no results.
      
        The argument is always of object type, but the introspection schema
        doesn't reflect that.
      
        The 'gen': false directive is omitted as implementation detail.
      
        The 'success-response' directive is omitted as well for now, even
        though it's not an implementation detail, because it's not used by
        QMP.
      
      * Events carry a single data value.
      
        Implicit type definition and empty object type use, just like for
        commands.
      
        The value is of object type, but the introspection schema doesn't
        reflect that.
      
      * Types not used by commands or events are omitted.
      
        Indirect use counts as use.
      
      * Optional members have a default, which can only be null right now
      
        Instead of a mandatory "optional" flag, we have an optional default.
        No default means mandatory, default null means optional without
        default value.  Non-null is available for optional with default
        (possible future extension).
      
      * Clients should *not* look up types by name, because type names are
        not ABI.  Look up the command or event you're interested in, then
        follow the references.
      
        TODO Should we hide the type names to eliminate the temptation?
      
      New generator scripts/qapi-introspect.py computes an introspection
      value for its input, and generates a C variable holding it.
      
      It can generate awfully long lines.  Marked TODO.
      
      A new test-qmp-input-visitor test case feeds its result for both
      tests/qapi-schema/qapi-schema-test.json and qapi-schema.json to a
      QmpInputVisitor to verify it actually conforms to the schema.
      
      New QMP command query-qmp-schema takes its return value from that
      variable.  Its reply is some 85KiBytes for me right now.
      
      If this turns out to be too much, we have a couple of options:
      
      * We can use shorter names in the JSON.  Not the QMP style.
      
      * Optionally return the sub-schema for commands and events given as
        arguments.
      
        Right now qmp_query_schema() sends the string literal computed by
        qmp-introspect.py.  To compute sub-schema at run time, we'd have to
        duplicate parts of qapi-introspect.py in C.  Unattractive.
      
      * Let clients cache the output of query-qmp-schema.
      
        It changes only on QEMU upgrades, i.e. rarely.  Provide a command
        query-qmp-schema-hash.  Clients can have a cache indexed by hash,
        and re-query the schema only when they don't have it cached.  Even
        simpler: put the hash in the QMP greeting.
      Signed-off-by: Markus Armbruster <armbru@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
  8. 15 September 2015, 2 commits
    • crypto: introduce new module for handling TLS sessions · d321e1e5
      Daniel P. Berrange authored
      Introduce a QCryptoTLSSession object that will encapsulate
      all the code for setting up and using a client/server TLS
      session. This isolates the code which depends on the gnutls
      library, avoiding #ifdefs in the rest of the codebase, as
      well as facilitating any possible future port to other TLS
      libraries, if desired. It makes use of the previously
      defined QCryptoTLSCreds object to access credentials to
      use with the session. It also includes further unit tests
      to validate the correctness of the TLS session handshake
      and certificate validation. This is functionally equivalent
      to the current TLS session handling code embedded in the
      VNC server, and will obsolete it.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • crypto: add sanity checking of TLS x509 credentials · 9a2fd434
      Daniel P. Berrange authored
      If the administrator incorrectly sets up their x509 certificates,
      the errors seen at runtime during connection attempts are very
      obscure and difficult to diagnose. This has been a particular
      problem for people using openssl to generate their certificates
      instead of the gnutls certtool, because the openssl tools don't
      turn on the various x509 extensions that gnutls expects to be
      present by default.
      
      This change thus adds support in the TLS credentials object to
      sanity check the certificates when QEMU first loads them. This
      gives the administrator immediate feedback for the majority of
      common configuration mistakes, reducing the pain involved in
      setting up TLS. The code is derived from equivalent code that
      has been part of libvirt's TLS support and has been seen to be
      valuable in assisting admins.
      
      It is possible to disable the sanity checking, however, via
      the new 'sanity-check' property on the tls-creds object type,
      with a value of 'no'.
      
      Unit tests are included in this change to verify the correctness
      of the sanity checking code in all the key scenarios it is
      intended to cope with. As part of the test suite, the pkix_asn1_tab.c
      from gnutls is imported. This file is intentionally copied from the
      (long since obsolete) gnutls 1.6.3 source tree, since that version
      was still under GPLv2+, rather than the GPLv3+ of gnutls >= 2.0.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
  9. 08 July 2015, 1 commit
  10. 07 July 2015, 1 commit
    • crypto: introduce new module for computing hash digests · ddbb0d09
      Daniel P. Berrange authored
      Introduce a new crypto/ directory that will (eventually) contain
      all the cryptographic related code. This initially defines a
      wrapper for initializing gnutls and for computing hashes with
      gnutls. The former ensures that gnutls is guaranteed to be
      initialized exactly once in QEMU regardless of CLI args. The
      block quorum code currently fails to initialize gnutls so it
      only works by luck, if VNC server TLS is not requested. The
      hash APIs avoid the need to litter the rest of the code with
      preprocessor checks and simplifies callers by allocating the
      correct amount of memory for the requested hash.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      Message-Id: <1435770638-25715-2-git-send-email-berrange@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  11. 20 June 2015, 1 commit
    • qom: Add object_new_with_props() / object_new_withpropv() helpers · a31bdae5
      Daniel P. Berrange authored
      It is reasonably common to want to create an object, set a
      number of properties, register it in the hierarchy and then
      mark it as complete (if a user creatable type). This requires
      quite a lot of error prone, verbose, boilerplate code to achieve.
      
      First a pair of functions object_set_props() / object_set_propv()
      are added which allow for a list of objects to be set in
      one single API call.
      
      Then object_new_with_props() / object_new_with_propv() constructors
      are added which simplify the sequence of calls to create an
      object, populate properties, register in the object composition
      tree and mark the object complete, into a single method call.
      
      Usage would be:
      
         Error *err = NULL;
         Object *obj;
         obj = object_new_with_propv(TYPE_MEMORY_BACKEND_FILE,
                                     object_get_objects_root(),
                                     "hostmem0",
                                     &err,
                                     "share", "yes",
                                     "mem-path", "/dev/shm/somefile",
                                     "prealloc", "yes",
                                     "size", "1048576",
                                     NULL);
      
      Note all property values are passed in string form and will
      be parsed into their required data types, using normal QOM
      semantics for parsing from string format.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      Reviewed-by: Eric Blake <eblake@redhat.com>
      Signed-off-by: Andreas Färber <afaerber@suse.de>
  12. 10 March 2015, 1 commit
  13. 27 September 2014, 1 commit
  14. 27 April 2014, 2 commits
  15. 01 February 2014, 1 commit
  16. 13 January 2014, 1 commit
  17. 03 October 2013, 1 commit
  18. 01 October 2013, 1 commit
  19. 21 September 2013, 1 commit
  20. 17 August 2013, 1 commit
  21. 21 February 2013, 1 commit
  22. 27 January 2013, 1 commit
  23. 20 April 2012, 1 commit