1ed8ee42cSDaniel P. Berrange /* 2ed8ee42cSDaniel P. Berrange * QEMU I/O channels TLS driver 3ed8ee42cSDaniel P. Berrange * 4ed8ee42cSDaniel P. Berrange * Copyright (c) 2015 Red Hat, Inc. 5ed8ee42cSDaniel P. Berrange * 6ed8ee42cSDaniel P. Berrange * This library is free software; you can redistribute it and/or 7ed8ee42cSDaniel P. Berrange * modify it under the terms of the GNU Lesser General Public 8ed8ee42cSDaniel P. Berrange * License as published by the Free Software Foundation; either 9c8198bd5SChetan Pant * version 2.1 of the License, or (at your option) any later version. 10ed8ee42cSDaniel P. Berrange * 11ed8ee42cSDaniel P. Berrange * This library is distributed in the hope that it will be useful, 12ed8ee42cSDaniel P. Berrange * but WITHOUT ANY WARRANTY; without even the implied warranty of 13ed8ee42cSDaniel P. Berrange * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14ed8ee42cSDaniel P. Berrange * Lesser General Public License for more details. 15ed8ee42cSDaniel P. Berrange * 16ed8ee42cSDaniel P. Berrange * You should have received a copy of the GNU Lesser General Public 17ed8ee42cSDaniel P. Berrange * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18ed8ee42cSDaniel P. Berrange * 19ed8ee42cSDaniel P. Berrange */ 20ed8ee42cSDaniel P. Berrange 212a6a4076SMarkus Armbruster #ifndef QIO_CHANNEL_TLS_H 222a6a4076SMarkus Armbruster #define QIO_CHANNEL_TLS_H 23ed8ee42cSDaniel P. Berrange 24ed8ee42cSDaniel P. Berrange #include "io/channel.h" 25ed8ee42cSDaniel P. Berrange #include "io/task.h" 26ed8ee42cSDaniel P. Berrange #include "crypto/tlssession.h" 27db1015e9SEduardo Habkost #include "qom/object.h" 28ed8ee42cSDaniel P. Berrange 29ed8ee42cSDaniel P. Berrange #define TYPE_QIO_CHANNEL_TLS "qio-channel-tls" 308063396bSEduardo Habkost OBJECT_DECLARE_SIMPLE_TYPE(QIOChannelTLS, QIO_CHANNEL_TLS) 31ed8ee42cSDaniel P. Berrange 32ed8ee42cSDaniel P. Berrange 33ed8ee42cSDaniel P. Berrange /** 34ed8ee42cSDaniel P. Berrange * QIOChannelTLS 35ed8ee42cSDaniel P. Berrange * 36ed8ee42cSDaniel P. Berrange * The QIOChannelTLS class provides a channel wrapper which 37ed8ee42cSDaniel P. Berrange * can transparently run the TLS encryption protocol. It is 38ed8ee42cSDaniel P. Berrange * usually used over a TCP socket, but there is actually no 39ed8ee42cSDaniel P. Berrange * technical restriction on which type of master channel is 40ed8ee42cSDaniel P. Berrange * used as the transport. 41ed8ee42cSDaniel P. Berrange * 42ed8ee42cSDaniel P. Berrange * This channel object is capable of running as either a 43ed8ee42cSDaniel P. Berrange * TLS server or TLS client. 44ed8ee42cSDaniel P. Berrange */ 45ed8ee42cSDaniel P. Berrange 46ed8ee42cSDaniel P. Berrange struct QIOChannelTLS { 47ed8ee42cSDaniel P. Berrange QIOChannel parent; 48ed8ee42cSDaniel P. Berrange QIOChannel *master; 49ed8ee42cSDaniel P. Berrange QCryptoTLSSession *session; 50a2458b6fSDaniel P. Berrangé QIOChannelShutdown shutdown; 51*10be627dSDaniel P. Berrangé guint hs_ioc_tag; 52ed8ee42cSDaniel P. Berrange }; 53ed8ee42cSDaniel P. Berrange 54ed8ee42cSDaniel P. Berrange /** 55ed8ee42cSDaniel P. Berrange * qio_channel_tls_new_server: 56ed8ee42cSDaniel P. Berrange * @master: the underlying channel object 57ed8ee42cSDaniel P. Berrange * @creds: the credentials to use for TLS handshake 58ed8ee42cSDaniel P. Berrange * @aclname: the access control list for validating clients 59821791b5SDaniel P. Berrange * @errp: pointer to a NULL-initialized error object 60ed8ee42cSDaniel P. Berrange * 61ed8ee42cSDaniel P. Berrange * Create a new TLS channel that runs the server side of 62ed8ee42cSDaniel P. Berrange * a TLS session. The TLS session handshake will use the 63ed8ee42cSDaniel P. Berrange * credentials provided in @creds. If the @aclname parameter 64ed8ee42cSDaniel P. Berrange * is non-NULL, then the client will have to provide 65ed8ee42cSDaniel P. Berrange * credentials (ie a x509 client certificate) which will 66ed8ee42cSDaniel P. Berrange * then be validated against the ACL. 67ed8ee42cSDaniel P. Berrange * 68ed8ee42cSDaniel P. Berrange * After creating the channel, it is mandatory to call 69ed8ee42cSDaniel P. Berrange * the qio_channel_tls_handshake() method before attempting 70ed8ee42cSDaniel P. Berrange * todo any I/O on the channel. 71ed8ee42cSDaniel P. Berrange * 72ed8ee42cSDaniel P. Berrange * Once the handshake has completed, all I/O should be done 73ed8ee42cSDaniel P. Berrange * via the new TLS channel object and not the original 74ed8ee42cSDaniel P. Berrange * master channel 75ed8ee42cSDaniel P. Berrange * 76ed8ee42cSDaniel P. Berrange * Returns: the new TLS channel object, or NULL 77ed8ee42cSDaniel P. Berrange */ 78ed8ee42cSDaniel P. Berrange QIOChannelTLS * 79ed8ee42cSDaniel P. Berrange qio_channel_tls_new_server(QIOChannel *master, 80ed8ee42cSDaniel P. Berrange QCryptoTLSCreds *creds, 81ed8ee42cSDaniel P. Berrange const char *aclname, 82ed8ee42cSDaniel P. Berrange Error **errp); 83ed8ee42cSDaniel P. Berrange 84ed8ee42cSDaniel P. Berrange /** 85ed8ee42cSDaniel P. Berrange * qio_channel_tls_new_client: 86ed8ee42cSDaniel P. Berrange * @master: the underlying channel object 87ed8ee42cSDaniel P. Berrange * @creds: the credentials to use for TLS handshake 88ed8ee42cSDaniel P. Berrange * @hostname: the user specified server hostname 89821791b5SDaniel P. Berrange * @errp: pointer to a NULL-initialized error object 90ed8ee42cSDaniel P. Berrange * 91ed8ee42cSDaniel P. Berrange * Create a new TLS channel that runs the client side of 92ed8ee42cSDaniel P. Berrange * a TLS session. The TLS session handshake will use the 93ed8ee42cSDaniel P. Berrange * credentials provided in @creds. The @hostname parameter 94ed8ee42cSDaniel P. Berrange * should provide the user specified hostname of the server 95ed8ee42cSDaniel P. Berrange * and will be validated against the server's credentials 96ed8ee42cSDaniel P. Berrange * (ie CommonName of the x509 certificate) 97ed8ee42cSDaniel P. Berrange * 98ed8ee42cSDaniel P. Berrange * After creating the channel, it is mandatory to call 99ed8ee42cSDaniel P. Berrange * the qio_channel_tls_handshake() method before attempting 100ed8ee42cSDaniel P. Berrange * todo any I/O on the channel. 101ed8ee42cSDaniel P. Berrange * 102ed8ee42cSDaniel P. Berrange * Once the handshake has completed, all I/O should be done 103ed8ee42cSDaniel P. Berrange * via the new TLS channel object and not the original 104ed8ee42cSDaniel P. Berrange * master channel 105ed8ee42cSDaniel P. Berrange * 106ed8ee42cSDaniel P. Berrange * Returns: the new TLS channel object, or NULL 107ed8ee42cSDaniel P. Berrange */ 108ed8ee42cSDaniel P. Berrange QIOChannelTLS * 109ed8ee42cSDaniel P. Berrange qio_channel_tls_new_client(QIOChannel *master, 110ed8ee42cSDaniel P. Berrange QCryptoTLSCreds *creds, 111ed8ee42cSDaniel P. Berrange const char *hostname, 112ed8ee42cSDaniel P. Berrange Error **errp); 113ed8ee42cSDaniel P. Berrange 114ed8ee42cSDaniel P. Berrange /** 115ed8ee42cSDaniel P. Berrange * qio_channel_tls_handshake: 116ed8ee42cSDaniel P. Berrange * @ioc: the TLS channel object 117ed8ee42cSDaniel P. Berrange * @func: the callback to invoke when completed 118ed8ee42cSDaniel P. Berrange * @opaque: opaque data to pass to @func 119ed8ee42cSDaniel P. Berrange * @destroy: optional callback to free @opaque 1201939ccdaSPeter Xu * @context: the context that TLS handshake will run with. If %NULL, 1211939ccdaSPeter Xu * the default context will be used 122ed8ee42cSDaniel P. Berrange * 123ed8ee42cSDaniel P. Berrange * Perform the TLS session handshake. This method 124ed8ee42cSDaniel P. Berrange * will return immediately and the handshake will 125ed8ee42cSDaniel P. Berrange * continue in the background, provided the main 126ed8ee42cSDaniel P. Berrange * loop is running. When the handshake is complete, 127ed8ee42cSDaniel P. Berrange * or fails, the @func callback will be invoked. 128ed8ee42cSDaniel P. Berrange */ 129ed8ee42cSDaniel P. Berrange void qio_channel_tls_handshake(QIOChannelTLS *ioc, 130ed8ee42cSDaniel P. Berrange QIOTaskFunc func, 131ed8ee42cSDaniel P. Berrange gpointer opaque, 1321939ccdaSPeter Xu GDestroyNotify destroy, 1331939ccdaSPeter Xu GMainContext *context); 134ed8ee42cSDaniel P. Berrange 135ed8ee42cSDaniel P. Berrange /** 136ed8ee42cSDaniel P. Berrange * qio_channel_tls_get_session: 137ed8ee42cSDaniel P. Berrange * @ioc: the TLS channel object 138ed8ee42cSDaniel P. Berrange * 139ed8ee42cSDaniel P. Berrange * Get the TLS session used by the channel. 140ed8ee42cSDaniel P. Berrange * 141ed8ee42cSDaniel P. Berrange * Returns: the TLS session 142ed8ee42cSDaniel P. Berrange */ 143ed8ee42cSDaniel P. Berrange QCryptoTLSSession * 144ed8ee42cSDaniel P. Berrange qio_channel_tls_get_session(QIOChannelTLS *ioc); 145ed8ee42cSDaniel P. Berrange 1462a6a4076SMarkus Armbruster #endif /* QIO_CHANNEL_TLS_H */ 147