1 /* 2 * QEMU I/O channels TLS driver 3 * 4 * Copyright (c) 2015 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #ifndef QIO_CHANNEL_TLS_H__ 22 #define QIO_CHANNEL_TLS_H__ 23 24 #include "io/channel.h" 25 #include "io/task.h" 26 #include "crypto/tlssession.h" 27 28 #define TYPE_QIO_CHANNEL_TLS "qio-channel-tls" 29 #define QIO_CHANNEL_TLS(obj) \ 30 OBJECT_CHECK(QIOChannelTLS, (obj), TYPE_QIO_CHANNEL_TLS) 31 32 typedef struct QIOChannelTLS QIOChannelTLS; 33 34 /** 35 * QIOChannelTLS 36 * 37 * The QIOChannelTLS class provides a channel wrapper which 38 * can transparently run the TLS encryption protocol. It is 39 * usually used over a TCP socket, but there is actually no 40 * technical restriction on which type of master channel is 41 * used as the transport. 42 * 43 * This channel object is capable of running as either a 44 * TLS server or TLS client. 45 */ 46 47 struct QIOChannelTLS { 48 QIOChannel parent; 49 QIOChannel *master; 50 QCryptoTLSSession *session; 51 }; 52 53 /** 54 * qio_channel_tls_new_server: 55 * @master: the underlying channel object 56 * @creds: the credentials to use for TLS handshake 57 * @aclname: the access control list for validating clients 58 * @errp: pointer to an uninitialized error object 59 * 60 * Create a new TLS channel that runs the server side of 61 * a TLS session. The TLS session handshake will use the 62 * credentials provided in @creds. If the @aclname parameter 63 * is non-NULL, then the client will have to provide 64 * credentials (ie a x509 client certificate) which will 65 * then be validated against the ACL. 66 * 67 * After creating the channel, it is mandatory to call 68 * the qio_channel_tls_handshake() method before attempting 69 * todo any I/O on the channel. 70 * 71 * Once the handshake has completed, all I/O should be done 72 * via the new TLS channel object and not the original 73 * master channel 74 * 75 * Returns: the new TLS channel object, or NULL 76 */ 77 QIOChannelTLS * 78 qio_channel_tls_new_server(QIOChannel *master, 79 QCryptoTLSCreds *creds, 80 const char *aclname, 81 Error **errp); 82 83 /** 84 * qio_channel_tls_new_client: 85 * @master: the underlying channel object 86 * @creds: the credentials to use for TLS handshake 87 * @hostname: the user specified server hostname 88 * @errp: pointer to an uninitialized error object 89 * 90 * Create a new TLS channel that runs the client side of 91 * a TLS session. The TLS session handshake will use the 92 * credentials provided in @creds. The @hostname parameter 93 * should provide the user specified hostname of the server 94 * and will be validated against the server's credentials 95 * (ie CommonName of the x509 certificate) 96 * 97 * After creating the channel, it is mandatory to call 98 * the qio_channel_tls_handshake() method before attempting 99 * todo any I/O on the channel. 100 * 101 * Once the handshake has completed, all I/O should be done 102 * via the new TLS channel object and not the original 103 * master channel 104 * 105 * Returns: the new TLS channel object, or NULL 106 */ 107 QIOChannelTLS * 108 qio_channel_tls_new_client(QIOChannel *master, 109 QCryptoTLSCreds *creds, 110 const char *hostname, 111 Error **errp); 112 113 /** 114 * qio_channel_tls_handshake: 115 * @ioc: the TLS channel object 116 * @func: the callback to invoke when completed 117 * @opaque: opaque data to pass to @func 118 * @destroy: optional callback to free @opaque 119 * 120 * Perform the TLS session handshake. This method 121 * will return immediately and the handshake will 122 * continue in the background, provided the main 123 * loop is running. When the handshake is complete, 124 * or fails, the @func callback will be invoked. 125 */ 126 void qio_channel_tls_handshake(QIOChannelTLS *ioc, 127 QIOTaskFunc func, 128 gpointer opaque, 129 GDestroyNotify destroy); 130 131 /** 132 * qio_channel_tls_get_session: 133 * @ioc: the TLS channel object 134 * 135 * Get the TLS session used by the channel. 136 * 137 * Returns: the TLS session 138 */ 139 QCryptoTLSSession * 140 qio_channel_tls_get_session(QIOChannelTLS *ioc); 141 142 #endif /* QIO_CHANNEL_TLS_H__ */ 143