1ed8ee42cSDaniel P. Berrange /* 2ed8ee42cSDaniel P. Berrange * QEMU I/O channels TLS driver 3ed8ee42cSDaniel P. Berrange * 4ed8ee42cSDaniel P. Berrange * Copyright (c) 2015 Red Hat, Inc. 5ed8ee42cSDaniel P. Berrange * 6ed8ee42cSDaniel P. Berrange * This library is free software; you can redistribute it and/or 7ed8ee42cSDaniel P. Berrange * modify it under the terms of the GNU Lesser General Public 8ed8ee42cSDaniel P. Berrange * License as published by the Free Software Foundation; either 9c8198bd5SChetan Pant * version 2.1 of the License, or (at your option) any later version. 10ed8ee42cSDaniel P. Berrange * 11ed8ee42cSDaniel P. Berrange * This library is distributed in the hope that it will be useful, 12ed8ee42cSDaniel P. Berrange * but WITHOUT ANY WARRANTY; without even the implied warranty of 13ed8ee42cSDaniel P. Berrange * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14ed8ee42cSDaniel P. Berrange * Lesser General Public License for more details. 15ed8ee42cSDaniel P. Berrange * 16ed8ee42cSDaniel P. Berrange * You should have received a copy of the GNU Lesser General Public 17ed8ee42cSDaniel P. Berrange * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18ed8ee42cSDaniel P. Berrange * 19ed8ee42cSDaniel P. Berrange */ 20ed8ee42cSDaniel P. Berrange 212a6a4076SMarkus Armbruster #ifndef QIO_CHANNEL_TLS_H 222a6a4076SMarkus Armbruster #define QIO_CHANNEL_TLS_H 23ed8ee42cSDaniel P. Berrange 24ed8ee42cSDaniel P. Berrange #include "io/channel.h" 25ed8ee42cSDaniel P. Berrange #include "io/task.h" 26ed8ee42cSDaniel P. Berrange #include "crypto/tlssession.h" 27db1015e9SEduardo Habkost #include "qom/object.h" 28ed8ee42cSDaniel P. Berrange 29ed8ee42cSDaniel P. Berrange #define TYPE_QIO_CHANNEL_TLS "qio-channel-tls" 308063396bSEduardo Habkost OBJECT_DECLARE_SIMPLE_TYPE(QIOChannelTLS, QIO_CHANNEL_TLS) 31ed8ee42cSDaniel P. Berrange 32ed8ee42cSDaniel P. Berrange 33ed8ee42cSDaniel P. Berrange /** 34ed8ee42cSDaniel P. Berrange * QIOChannelTLS 35ed8ee42cSDaniel P. Berrange * 36ed8ee42cSDaniel P. Berrange * The QIOChannelTLS class provides a channel wrapper which 37ed8ee42cSDaniel P. Berrange * can transparently run the TLS encryption protocol. It is 38ed8ee42cSDaniel P. Berrange * usually used over a TCP socket, but there is actually no 39ed8ee42cSDaniel P. Berrange * technical restriction on which type of master channel is 40ed8ee42cSDaniel P. Berrange * used as the transport. 41ed8ee42cSDaniel P. Berrange * 42ed8ee42cSDaniel P. Berrange * This channel object is capable of running as either a 43ed8ee42cSDaniel P. Berrange * TLS server or TLS client. 44ed8ee42cSDaniel P. Berrange */ 45ed8ee42cSDaniel P. Berrange 46ed8ee42cSDaniel P. Berrange struct QIOChannelTLS { 47ed8ee42cSDaniel P. Berrange QIOChannel parent; 48ed8ee42cSDaniel P. Berrange QIOChannel *master; 49ed8ee42cSDaniel P. Berrange QCryptoTLSSession *session; 50a2458b6fSDaniel P. Berrangé QIOChannelShutdown shutdown; 5110be627dSDaniel P. Berrangé guint hs_ioc_tag; 52*30ee8862SFabiano Rosas guint bye_ioc_tag; 53ed8ee42cSDaniel P. Berrange }; 54ed8ee42cSDaniel P. Berrange 55ed8ee42cSDaniel P. Berrange /** 56*30ee8862SFabiano Rosas * qio_channel_tls_bye: 57*30ee8862SFabiano Rosas * @ioc: the TLS channel object 58*30ee8862SFabiano Rosas * @errp: pointer to a NULL-initialized error object 59*30ee8862SFabiano Rosas * 60*30ee8862SFabiano Rosas * Perform the TLS session termination. This method will return 61*30ee8862SFabiano Rosas * immediately and the termination will continue in the background, 62*30ee8862SFabiano Rosas * provided the main loop is running. 63*30ee8862SFabiano Rosas */ 64*30ee8862SFabiano Rosas void qio_channel_tls_bye(QIOChannelTLS *ioc, Error **errp); 65*30ee8862SFabiano Rosas 66*30ee8862SFabiano Rosas /** 67ed8ee42cSDaniel P. Berrange * qio_channel_tls_new_server: 68ed8ee42cSDaniel P. Berrange * @master: the underlying channel object 69ed8ee42cSDaniel P. Berrange * @creds: the credentials to use for TLS handshake 70ed8ee42cSDaniel P. Berrange * @aclname: the access control list for validating clients 71821791b5SDaniel P. Berrange * @errp: pointer to a NULL-initialized error object 72ed8ee42cSDaniel P. Berrange * 73ed8ee42cSDaniel P. Berrange * Create a new TLS channel that runs the server side of 74ed8ee42cSDaniel P. Berrange * a TLS session. The TLS session handshake will use the 75ed8ee42cSDaniel P. Berrange * credentials provided in @creds. If the @aclname parameter 76ed8ee42cSDaniel P. Berrange * is non-NULL, then the client will have to provide 77ed8ee42cSDaniel P. Berrange * credentials (ie a x509 client certificate) which will 78ed8ee42cSDaniel P. Berrange * then be validated against the ACL. 79ed8ee42cSDaniel P. Berrange * 80ed8ee42cSDaniel P. Berrange * After creating the channel, it is mandatory to call 81ed8ee42cSDaniel P. Berrange * the qio_channel_tls_handshake() method before attempting 82ed8ee42cSDaniel P. Berrange * todo any I/O on the channel. 83ed8ee42cSDaniel P. Berrange * 84ed8ee42cSDaniel P. Berrange * Once the handshake has completed, all I/O should be done 85ed8ee42cSDaniel P. Berrange * via the new TLS channel object and not the original 86ed8ee42cSDaniel P. Berrange * master channel 87ed8ee42cSDaniel P. Berrange * 88ed8ee42cSDaniel P. Berrange * Returns: the new TLS channel object, or NULL 89ed8ee42cSDaniel P. Berrange */ 90ed8ee42cSDaniel P. Berrange QIOChannelTLS * 91ed8ee42cSDaniel P. Berrange qio_channel_tls_new_server(QIOChannel *master, 92ed8ee42cSDaniel P. Berrange QCryptoTLSCreds *creds, 93ed8ee42cSDaniel P. Berrange const char *aclname, 94ed8ee42cSDaniel P. Berrange Error **errp); 95ed8ee42cSDaniel P. Berrange 96ed8ee42cSDaniel P. Berrange /** 97ed8ee42cSDaniel P. Berrange * qio_channel_tls_new_client: 98ed8ee42cSDaniel P. Berrange * @master: the underlying channel object 99ed8ee42cSDaniel P. Berrange * @creds: the credentials to use for TLS handshake 100ed8ee42cSDaniel P. Berrange * @hostname: the user specified server hostname 101821791b5SDaniel P. Berrange * @errp: pointer to a NULL-initialized error object 102ed8ee42cSDaniel P. Berrange * 103ed8ee42cSDaniel P. Berrange * Create a new TLS channel that runs the client side of 104ed8ee42cSDaniel P. Berrange * a TLS session. The TLS session handshake will use the 105ed8ee42cSDaniel P. Berrange * credentials provided in @creds. The @hostname parameter 106ed8ee42cSDaniel P. Berrange * should provide the user specified hostname of the server 107ed8ee42cSDaniel P. Berrange * and will be validated against the server's credentials 108ed8ee42cSDaniel P. Berrange * (ie CommonName of the x509 certificate) 109ed8ee42cSDaniel P. Berrange * 110ed8ee42cSDaniel P. Berrange * After creating the channel, it is mandatory to call 111ed8ee42cSDaniel P. Berrange * the qio_channel_tls_handshake() method before attempting 112ed8ee42cSDaniel P. Berrange * todo any I/O on the channel. 113ed8ee42cSDaniel P. Berrange * 114ed8ee42cSDaniel P. Berrange * Once the handshake has completed, all I/O should be done 115ed8ee42cSDaniel P. Berrange * via the new TLS channel object and not the original 116ed8ee42cSDaniel P. Berrange * master channel 117ed8ee42cSDaniel P. Berrange * 118ed8ee42cSDaniel P. Berrange * Returns: the new TLS channel object, or NULL 119ed8ee42cSDaniel P. Berrange */ 120ed8ee42cSDaniel P. Berrange QIOChannelTLS * 121ed8ee42cSDaniel P. Berrange qio_channel_tls_new_client(QIOChannel *master, 122ed8ee42cSDaniel P. Berrange QCryptoTLSCreds *creds, 123ed8ee42cSDaniel P. Berrange const char *hostname, 124ed8ee42cSDaniel P. Berrange Error **errp); 125ed8ee42cSDaniel P. Berrange 126ed8ee42cSDaniel P. Berrange /** 127ed8ee42cSDaniel P. Berrange * qio_channel_tls_handshake: 128ed8ee42cSDaniel P. Berrange * @ioc: the TLS channel object 129ed8ee42cSDaniel P. Berrange * @func: the callback to invoke when completed 130ed8ee42cSDaniel P. Berrange * @opaque: opaque data to pass to @func 131ed8ee42cSDaniel P. Berrange * @destroy: optional callback to free @opaque 1321939ccdaSPeter Xu * @context: the context that TLS handshake will run with. If %NULL, 1331939ccdaSPeter Xu * the default context will be used 134ed8ee42cSDaniel P. Berrange * 135ed8ee42cSDaniel P. Berrange * Perform the TLS session handshake. This method 136ed8ee42cSDaniel P. Berrange * will return immediately and the handshake will 137ed8ee42cSDaniel P. Berrange * continue in the background, provided the main 138ed8ee42cSDaniel P. Berrange * loop is running. When the handshake is complete, 139ed8ee42cSDaniel P. Berrange * or fails, the @func callback will be invoked. 140ed8ee42cSDaniel P. Berrange */ 141ed8ee42cSDaniel P. Berrange void qio_channel_tls_handshake(QIOChannelTLS *ioc, 142ed8ee42cSDaniel P. Berrange QIOTaskFunc func, 143ed8ee42cSDaniel P. Berrange gpointer opaque, 1441939ccdaSPeter Xu GDestroyNotify destroy, 1451939ccdaSPeter Xu GMainContext *context); 146ed8ee42cSDaniel P. Berrange 147ed8ee42cSDaniel P. Berrange /** 148ed8ee42cSDaniel P. Berrange * qio_channel_tls_get_session: 149ed8ee42cSDaniel P. Berrange * @ioc: the TLS channel object 150ed8ee42cSDaniel P. Berrange * 151ed8ee42cSDaniel P. Berrange * Get the TLS session used by the channel. 152ed8ee42cSDaniel P. Berrange * 153ed8ee42cSDaniel P. Berrange * Returns: the TLS session 154ed8ee42cSDaniel P. Berrange */ 155ed8ee42cSDaniel P. Berrange QCryptoTLSSession * 156ed8ee42cSDaniel P. Berrange qio_channel_tls_get_session(QIOChannelTLS *ioc); 157ed8ee42cSDaniel P. Berrange 1582a6a4076SMarkus Armbruster #endif /* QIO_CHANNEL_TLS_H */ 159