migration/tls.c - qemu - Git at Google

 /*
  * QEMU migration TLS support
  *
  * Copyright (c) 2015 Red Hat, Inc.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
  * License as published by the Free Software Foundation; either
  * version 2.1 of the License, or (at your option) any later version.
  *
  * This library is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public
  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  *
  */

 #include "qemu/osdep.h"
 #include "channel.h"
 #include "migration.h"
 #include "tls.h"
 #include "options.h"
 #include "crypto/tlscreds.h"
 #include "qemu/error-report.h"
 #include "qapi/error.h"
 #include "trace.h"

 static QCryptoTLSCreds *
 migration_tls_get_creds(QCryptoTLSCredsEndpoint endpoint, Error **errp)
 {
     Object *creds;
     const char *tls_creds = migrate_tls_creds();
     QCryptoTLSCreds *ret;

     creds = object_resolve_path_component(object_get_objects_root(), tls_creds);
     if (!creds) {
         error_setg(errp, "No TLS credentials with id '%s'", tls_creds);
         return NULL;
     }
     ret = (QCryptoTLSCreds *)object_dynamic_cast(
         creds, TYPE_QCRYPTO_TLS_CREDS);
     if (!ret) {
         error_setg(errp, "Object with id '%s' is not TLS credentials",
                    tls_creds);
         return NULL;
     }
     if (!qcrypto_tls_creds_check_endpoint(ret, endpoint, errp)) {
         return NULL;
     }

     return ret;
 }


 static void migration_tls_incoming_handshake(QIOTask *task,
                                              gpointer opaque)
 {
     QIOChannel *ioc = QIO_CHANNEL(qio_task_get_source(task));
     Error *err = NULL;

     if (qio_task_propagate_error(task, &err)) {
         trace_migration_tls_incoming_handshake_error(error_get_pretty(err));
         error_report_err(err);
     } else {
         trace_migration_tls_incoming_handshake_complete();
         migration_channel_process_incoming(ioc);
     }
     object_unref(OBJECT(ioc));
 }

 void migration_tls_channel_process_incoming(MigrationState *s,
                                             QIOChannel *ioc,
                                             Error **errp)
 {
     QCryptoTLSCreds *creds;
     QIOChannelTLS *tioc;

     creds = migration_tls_get_creds(QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, errp);
     if (!creds) {
         return;
     }

     tioc = qio_channel_tls_new_server(ioc, creds, migrate_tls_authz(), errp);
     if (!tioc) {
         return;
     }

     trace_migration_tls_incoming_handshake_start();
     qio_channel_set_name(QIO_CHANNEL(tioc), "migration-tls-incoming");
     qio_channel_tls_handshake(tioc,
                               migration_tls_incoming_handshake,
                               NULL,
                               NULL,
                               NULL);
 }


 static void migration_tls_outgoing_handshake(QIOTask *task,
                                              gpointer opaque)
 {
     MigrationState *s = opaque;
     QIOChannel *ioc = QIO_CHANNEL(qio_task_get_source(task));
     Error *err = NULL;

     if (qio_task_propagate_error(task, &err)) {
         trace_migration_tls_outgoing_handshake_error(error_get_pretty(err));
     } else {
         trace_migration_tls_outgoing_handshake_complete();
     }
     migration_channel_connect(s, ioc, NULL, err);
     object_unref(OBJECT(ioc));
 }

 QIOChannelTLS *migration_tls_client_create(QIOChannel *ioc,
                                            const char *hostname,
                                            Error **errp)
 {
     QCryptoTLSCreds *creds;

     creds = migration_tls_get_creds(QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, errp);
     if (!creds) {
         return NULL;
     }

     const char *tls_hostname = migrate_tls_hostname();
     if (tls_hostname && *tls_hostname) {
         hostname = tls_hostname;
     }

     return qio_channel_tls_new_client(ioc, creds, hostname, errp);
 }

 void migration_tls_channel_connect(MigrationState *s,
                                    QIOChannel *ioc,
                                    const char *hostname,
                                    Error **errp)
 {
     QIOChannelTLS *tioc;

     tioc = migration_tls_client_create(ioc, hostname, errp);
     if (!tioc) {
         return;
     }

     /* Save hostname into MigrationState for handshake */
     s->hostname = g_strdup(hostname);
     trace_migration_tls_outgoing_handshake_start(hostname);
     qio_channel_set_name(QIO_CHANNEL(tioc), "migration-tls-outgoing");
     qio_channel_tls_handshake(tioc,
                               migration_tls_outgoing_handshake,
                               s,
                               NULL,
                               NULL);
 }

 bool migrate_channel_requires_tls_upgrade(QIOChannel *ioc)
 {
     if (!migrate_tls()) {
         return false;
     }

     return !object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_TLS);
 }
	/*
	* QEMU migration TLS support
	*
	* Copyright (c) 2015 Red Hat, Inc.
	*
	* This library is free software; you can redistribute it and/or
	* modify it under the terms of the GNU Lesser General Public
	* License as published by the Free Software Foundation; either
	* version 2.1 of the License, or (at your option) any later version.
	*
	* This library is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	* Lesser General Public License for more details.
	*
	* You should have received a copy of the GNU Lesser General Public
	* License along with this library; if not, see <http://www.gnu.org/licenses/>.
	*
	*/

	#include "qemu/osdep.h"
	#include "channel.h"
	#include "migration.h"
	#include "tls.h"
	#include "options.h"
	#include "crypto/tlscreds.h"
	#include "qemu/error-report.h"
	#include "qapi/error.h"
	#include "trace.h"

	static QCryptoTLSCreds *
	migration_tls_get_creds(QCryptoTLSCredsEndpoint endpoint, Error **errp)
	{
	Object *creds;
	const char *tls_creds = migrate_tls_creds();
	QCryptoTLSCreds *ret;

	creds = object_resolve_path_component(object_get_objects_root(), tls_creds);
	if (!creds) {
	error_setg(errp, "No TLS credentials with id '%s'", tls_creds);
	return NULL;
	}
	ret = (QCryptoTLSCreds *)object_dynamic_cast(
	creds, TYPE_QCRYPTO_TLS_CREDS);
	if (!ret) {
	error_setg(errp, "Object with id '%s' is not TLS credentials",
	tls_creds);
	return NULL;
	}
	if (!qcrypto_tls_creds_check_endpoint(ret, endpoint, errp)) {
	return NULL;
	}

	return ret;
	}


	static void migration_tls_incoming_handshake(QIOTask *task,
	gpointer opaque)
	{
	QIOChannel *ioc = QIO_CHANNEL(qio_task_get_source(task));
	Error *err = NULL;

	if (qio_task_propagate_error(task, &err)) {
	trace_migration_tls_incoming_handshake_error(error_get_pretty(err));
	error_report_err(err);
	} else {
	trace_migration_tls_incoming_handshake_complete();
	migration_channel_process_incoming(ioc);
	}
	object_unref(OBJECT(ioc));
	}

	void migration_tls_channel_process_incoming(MigrationState *s,
	QIOChannel *ioc,
	Error **errp)
	{
	QCryptoTLSCreds *creds;
	QIOChannelTLS *tioc;

	creds = migration_tls_get_creds(QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, errp);
	if (!creds) {
	return;
	}

	tioc = qio_channel_tls_new_server(ioc, creds, migrate_tls_authz(), errp);
	if (!tioc) {
	return;
	}

	trace_migration_tls_incoming_handshake_start();
	qio_channel_set_name(QIO_CHANNEL(tioc), "migration-tls-incoming");
	qio_channel_tls_handshake(tioc,
	migration_tls_incoming_handshake,
	NULL,
	NULL,
	NULL);
	}


	static void migration_tls_outgoing_handshake(QIOTask *task,
	gpointer opaque)
	{
	MigrationState *s = opaque;
	QIOChannel *ioc = QIO_CHANNEL(qio_task_get_source(task));
	Error *err = NULL;

	if (qio_task_propagate_error(task, &err)) {
	trace_migration_tls_outgoing_handshake_error(error_get_pretty(err));
	} else {
	trace_migration_tls_outgoing_handshake_complete();
	}
	migration_channel_connect(s, ioc, NULL, err);
	object_unref(OBJECT(ioc));
	}

	QIOChannelTLS migration_tls_client_create(QIOChannel ioc,
	const char *hostname,
	Error **errp)
	{
	QCryptoTLSCreds *creds;

	creds = migration_tls_get_creds(QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, errp);
	if (!creds) {
	return NULL;
	}

	const char *tls_hostname = migrate_tls_hostname();
	if (tls_hostname && *tls_hostname) {
	hostname = tls_hostname;
	}

	return qio_channel_tls_new_client(ioc, creds, hostname, errp);
	}

	void migration_tls_channel_connect(MigrationState *s,
	QIOChannel *ioc,
	const char *hostname,
	Error **errp)
	{
	QIOChannelTLS *tioc;

	tioc = migration_tls_client_create(ioc, hostname, errp);
	if (!tioc) {
	return;
	}

	/* Save hostname into MigrationState for handshake */
	s->hostname = g_strdup(hostname);
	trace_migration_tls_outgoing_handshake_start(hostname);
	qio_channel_set_name(QIO_CHANNEL(tioc), "migration-tls-outgoing");
	qio_channel_tls_handshake(tioc,
	migration_tls_outgoing_handshake,
	s,
	NULL,
	NULL);
	}

	bool migrate_channel_requires_tls_upgrade(QIOChannel *ioc)
	{
	if (!migrate_tls()) {
	return false;
	}

	return !object_dynamic_cast(OBJECT(ioc), TYPE_QIO_CHANNEL_TLS);
	}