xref: /qemu/include/io/channel-tls.h (revision db1015e92e04835c9eb50c29625fe566d1202dbd) 
1ed8ee42cSDaniel P. Berrange /*
2ed8ee42cSDaniel P. Berrange  * QEMU I/O channels TLS driver
3ed8ee42cSDaniel P. Berrange  *
4ed8ee42cSDaniel P. Berrange  * Copyright (c) 2015 Red Hat, Inc.
5ed8ee42cSDaniel P. Berrange  *
6ed8ee42cSDaniel P. Berrange  * This library is free software; you can redistribute it and/or
7ed8ee42cSDaniel P. Berrange  * modify it under the terms of the GNU Lesser General Public
8ed8ee42cSDaniel P. Berrange  * License as published by the Free Software Foundation; either
9ed8ee42cSDaniel P. Berrange  * version 2 of the License, or (at your option) any later version.
10ed8ee42cSDaniel P. Berrange  *
11ed8ee42cSDaniel P. Berrange  * This library is distributed in the hope that it will be useful,
12ed8ee42cSDaniel P. Berrange  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13ed8ee42cSDaniel P. Berrange  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14ed8ee42cSDaniel P. Berrange  * Lesser General Public License for more details.
15ed8ee42cSDaniel P. Berrange  *
16ed8ee42cSDaniel P. Berrange  * You should have received a copy of the GNU Lesser General Public
17ed8ee42cSDaniel P. Berrange  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18ed8ee42cSDaniel P. Berrange  *
19ed8ee42cSDaniel P. Berrange  */
20ed8ee42cSDaniel P. Berrange 
212a6a4076SMarkus Armbruster #ifndef QIO_CHANNEL_TLS_H
222a6a4076SMarkus Armbruster #define QIO_CHANNEL_TLS_H
23ed8ee42cSDaniel P. Berrange 
24ed8ee42cSDaniel P. Berrange #include "io/channel.h"
25ed8ee42cSDaniel P. Berrange #include "io/task.h"
26ed8ee42cSDaniel P. Berrange #include "crypto/tlssession.h"
27*db1015e9SEduardo Habkost #include "qom/object.h"
28ed8ee42cSDaniel P. Berrange 
29ed8ee42cSDaniel P. Berrange #define TYPE_QIO_CHANNEL_TLS "qio-channel-tls"
30*db1015e9SEduardo Habkost typedef struct QIOChannelTLS QIOChannelTLS;
31ed8ee42cSDaniel P. Berrange #define QIO_CHANNEL_TLS(obj)                                     \
32ed8ee42cSDaniel P. Berrange     OBJECT_CHECK(QIOChannelTLS, (obj), TYPE_QIO_CHANNEL_TLS)
33ed8ee42cSDaniel P. Berrange 
34ed8ee42cSDaniel P. Berrange 
35ed8ee42cSDaniel P. Berrange /**
36ed8ee42cSDaniel P. Berrange  * QIOChannelTLS
37ed8ee42cSDaniel P. Berrange  *
38ed8ee42cSDaniel P. Berrange  * The QIOChannelTLS class provides a channel wrapper which
39ed8ee42cSDaniel P. Berrange  * can transparently run the TLS encryption protocol. It is
40ed8ee42cSDaniel P. Berrange  * usually used over a TCP socket, but there is actually no
41ed8ee42cSDaniel P. Berrange  * technical restriction on which type of master channel is
42ed8ee42cSDaniel P. Berrange  * used as the transport.
43ed8ee42cSDaniel P. Berrange  *
44ed8ee42cSDaniel P. Berrange  * This channel object is capable of running as either a
45ed8ee42cSDaniel P. Berrange  * TLS server or TLS client.
46ed8ee42cSDaniel P. Berrange  */
47ed8ee42cSDaniel P. Berrange 
48ed8ee42cSDaniel P. Berrange struct QIOChannelTLS {
49ed8ee42cSDaniel P. Berrange     QIOChannel parent;
50ed8ee42cSDaniel P. Berrange     QIOChannel *master;
51ed8ee42cSDaniel P. Berrange     QCryptoTLSSession *session;
52a2458b6fSDaniel P. Berrangé     QIOChannelShutdown shutdown;
53ed8ee42cSDaniel P. Berrange };
54ed8ee42cSDaniel P. Berrange 
55ed8ee42cSDaniel P. Berrange /**
56ed8ee42cSDaniel P. Berrange  * qio_channel_tls_new_server:
57ed8ee42cSDaniel P. Berrange  * @master: the underlying channel object
58ed8ee42cSDaniel P. Berrange  * @creds: the credentials to use for TLS handshake
59ed8ee42cSDaniel P. Berrange  * @aclname: the access control list for validating clients
60821791b5SDaniel P. Berrange  * @errp: pointer to a NULL-initialized error object
61ed8ee42cSDaniel P. Berrange  *
62ed8ee42cSDaniel P. Berrange  * Create a new TLS channel that runs the server side of
63ed8ee42cSDaniel P. Berrange  * a TLS session. The TLS session handshake will use the
64ed8ee42cSDaniel P. Berrange  * credentials provided in @creds. If the @aclname parameter
65ed8ee42cSDaniel P. Berrange  * is non-NULL, then the client will have to provide
66ed8ee42cSDaniel P. Berrange  * credentials (ie a x509 client certificate) which will
67ed8ee42cSDaniel P. Berrange  * then be validated against the ACL.
68ed8ee42cSDaniel P. Berrange  *
69ed8ee42cSDaniel P. Berrange  * After creating the channel, it is mandatory to call
70ed8ee42cSDaniel P. Berrange  * the qio_channel_tls_handshake() method before attempting
71ed8ee42cSDaniel P. Berrange  * todo any I/O on the channel.
72ed8ee42cSDaniel P. Berrange  *
73ed8ee42cSDaniel P. Berrange  * Once the handshake has completed, all I/O should be done
74ed8ee42cSDaniel P. Berrange  * via the new TLS channel object and not the original
75ed8ee42cSDaniel P. Berrange  * master channel
76ed8ee42cSDaniel P. Berrange  *
77ed8ee42cSDaniel P. Berrange  * Returns: the new TLS channel object, or NULL
78ed8ee42cSDaniel P. Berrange  */
79ed8ee42cSDaniel P. Berrange QIOChannelTLS *
80ed8ee42cSDaniel P. Berrange qio_channel_tls_new_server(QIOChannel *master,
81ed8ee42cSDaniel P. Berrange                            QCryptoTLSCreds *creds,
82ed8ee42cSDaniel P. Berrange                            const char *aclname,
83ed8ee42cSDaniel P. Berrange                            Error **errp);
84ed8ee42cSDaniel P. Berrange 
85ed8ee42cSDaniel P. Berrange /**
86ed8ee42cSDaniel P. Berrange  * qio_channel_tls_new_client:
87ed8ee42cSDaniel P. Berrange  * @master: the underlying channel object
88ed8ee42cSDaniel P. Berrange  * @creds: the credentials to use for TLS handshake
89ed8ee42cSDaniel P. Berrange  * @hostname: the user specified server hostname
90821791b5SDaniel P. Berrange  * @errp: pointer to a NULL-initialized error object
91ed8ee42cSDaniel P. Berrange  *
92ed8ee42cSDaniel P. Berrange  * Create a new TLS channel that runs the client side of
93ed8ee42cSDaniel P. Berrange  * a TLS session. The TLS session handshake will use the
94ed8ee42cSDaniel P. Berrange  * credentials provided in @creds. The @hostname parameter
95ed8ee42cSDaniel P. Berrange  * should provide the user specified hostname of the server
96ed8ee42cSDaniel P. Berrange  * and will be validated against the server's credentials
97ed8ee42cSDaniel P. Berrange  * (ie CommonName of the x509 certificate)
98ed8ee42cSDaniel P. Berrange  *
99ed8ee42cSDaniel P. Berrange  * After creating the channel, it is mandatory to call
100ed8ee42cSDaniel P. Berrange  * the qio_channel_tls_handshake() method before attempting
101ed8ee42cSDaniel P. Berrange  * todo any I/O on the channel.
102ed8ee42cSDaniel P. Berrange  *
103ed8ee42cSDaniel P. Berrange  * Once the handshake has completed, all I/O should be done
104ed8ee42cSDaniel P. Berrange  * via the new TLS channel object and not the original
105ed8ee42cSDaniel P. Berrange  * master channel
106ed8ee42cSDaniel P. Berrange  *
107ed8ee42cSDaniel P. Berrange  * Returns: the new TLS channel object, or NULL
108ed8ee42cSDaniel P. Berrange  */
109ed8ee42cSDaniel P. Berrange QIOChannelTLS *
110ed8ee42cSDaniel P. Berrange qio_channel_tls_new_client(QIOChannel *master,
111ed8ee42cSDaniel P. Berrange                            QCryptoTLSCreds *creds,
112ed8ee42cSDaniel P. Berrange                            const char *hostname,
113ed8ee42cSDaniel P. Berrange                            Error **errp);
114ed8ee42cSDaniel P. Berrange 
115ed8ee42cSDaniel P. Berrange /**
116ed8ee42cSDaniel P. Berrange  * qio_channel_tls_handshake:
117ed8ee42cSDaniel P. Berrange  * @ioc: the TLS channel object
118ed8ee42cSDaniel P. Berrange  * @func: the callback to invoke when completed
119ed8ee42cSDaniel P. Berrange  * @opaque: opaque data to pass to @func
120ed8ee42cSDaniel P. Berrange  * @destroy: optional callback to free @opaque
1211939ccdaSPeter Xu  * @context: the context that TLS handshake will run with. If %NULL,
1221939ccdaSPeter Xu  *           the default context will be used
123ed8ee42cSDaniel P. Berrange  *
124ed8ee42cSDaniel P. Berrange  * Perform the TLS session handshake. This method
125ed8ee42cSDaniel P. Berrange  * will return immediately and the handshake will
126ed8ee42cSDaniel P. Berrange  * continue in the background, provided the main
127ed8ee42cSDaniel P. Berrange  * loop is running. When the handshake is complete,
128ed8ee42cSDaniel P. Berrange  * or fails, the @func callback will be invoked.
129ed8ee42cSDaniel P. Berrange  */
130ed8ee42cSDaniel P. Berrange void qio_channel_tls_handshake(QIOChannelTLS *ioc,
131ed8ee42cSDaniel P. Berrange                                QIOTaskFunc func,
132ed8ee42cSDaniel P. Berrange                                gpointer opaque,
1331939ccdaSPeter Xu                                GDestroyNotify destroy,
1341939ccdaSPeter Xu                                GMainContext *context);
135ed8ee42cSDaniel P. Berrange 
136ed8ee42cSDaniel P. Berrange /**
137ed8ee42cSDaniel P. Berrange  * qio_channel_tls_get_session:
138ed8ee42cSDaniel P. Berrange  * @ioc: the TLS channel object
139ed8ee42cSDaniel P. Berrange  *
140ed8ee42cSDaniel P. Berrange  * Get the TLS session used by the channel.
141ed8ee42cSDaniel P. Berrange  *
142ed8ee42cSDaniel P. Berrange  * Returns: the TLS session
143ed8ee42cSDaniel P. Berrange  */
144ed8ee42cSDaniel P. Berrange QCryptoTLSSession *
145ed8ee42cSDaniel P. Berrange qio_channel_tls_get_session(QIOChannelTLS *ioc);
146ed8ee42cSDaniel P. Berrange 
1472a6a4076SMarkus Armbruster #endif /* QIO_CHANNEL_TLS_H */
148