1/* 2 * QEMU I/O channels TLS driver 3 * 4 * Copyright (c) 2015 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21#ifndef QIO_CHANNEL_TLS_H 22#define QIO_CHANNEL_TLS_H 23 24#include "io/channel.h" 25#include "io/task.h" 26#include "crypto/tlssession.h" 27#include "qom/object.h" 28 29#define TYPE_QIO_CHANNEL_TLS "qio-channel-tls" 30OBJECT_DECLARE_SIMPLE_TYPE(QIOChannelTLS, QIO_CHANNEL_TLS) 31 32 33/** 34 * QIOChannelTLS 35 * 36 * The QIOChannelTLS class provides a channel wrapper which 37 * can transparently run the TLS encryption protocol. It is 38 * usually used over a TCP socket, but there is actually no 39 * technical restriction on which type of master channel is 40 * used as the transport. 41 * 42 * This channel object is capable of running as either a 43 * TLS server or TLS client. 44 */ 45 46struct QIOChannelTLS { 47 QIOChannel parent; 48 QIOChannel *master; 49 QCryptoTLSSession *session; 50 QIOChannelShutdown shutdown; 51 guint hs_ioc_tag; 52}; 53 54/** 55 * qio_channel_tls_new_server: 56 * @master: the underlying channel object 57 * @creds: the credentials to use for TLS handshake 58 * @aclname: the access control list for validating clients 59 * @errp: pointer to a NULL-initialized error object 60 * 61 * Create a new TLS channel that runs the server side of 62 * a TLS session. The TLS session handshake will use the 63 * credentials provided in @creds. If the @aclname parameter 64 * is non-NULL, then the client will have to provide 65 * credentials (ie a x509 client certificate) which will 66 * then be validated against the ACL. 67 * 68 * After creating the channel, it is mandatory to call 69 * the qio_channel_tls_handshake() method before attempting 70 * todo any I/O on the channel. 71 * 72 * Once the handshake has completed, all I/O should be done 73 * via the new TLS channel object and not the original 74 * master channel 75 * 76 * Returns: the new TLS channel object, or NULL 77 */ 78QIOChannelTLS * 79qio_channel_tls_new_server(QIOChannel *master, 80 QCryptoTLSCreds *creds, 81 const char *aclname, 82 Error **errp); 83 84/** 85 * qio_channel_tls_new_client: 86 * @master: the underlying channel object 87 * @creds: the credentials to use for TLS handshake 88 * @hostname: the user specified server hostname 89 * @errp: pointer to a NULL-initialized error object 90 * 91 * Create a new TLS channel that runs the client side of 92 * a TLS session. The TLS session handshake will use the 93 * credentials provided in @creds. The @hostname parameter 94 * should provide the user specified hostname of the server 95 * and will be validated against the server's credentials 96 * (ie CommonName of the x509 certificate) 97 * 98 * After creating the channel, it is mandatory to call 99 * the qio_channel_tls_handshake() method before attempting 100 * todo any I/O on the channel. 101 * 102 * Once the handshake has completed, all I/O should be done 103 * via the new TLS channel object and not the original 104 * master channel 105 * 106 * Returns: the new TLS channel object, or NULL 107 */ 108QIOChannelTLS * 109qio_channel_tls_new_client(QIOChannel *master, 110 QCryptoTLSCreds *creds, 111 const char *hostname, 112 Error **errp); 113 114/** 115 * qio_channel_tls_handshake: 116 * @ioc: the TLS channel object 117 * @func: the callback to invoke when completed 118 * @opaque: opaque data to pass to @func 119 * @destroy: optional callback to free @opaque 120 * @context: the context that TLS handshake will run with. If %NULL, 121 * the default context will be used 122 * 123 * Perform the TLS session handshake. This method 124 * will return immediately and the handshake will 125 * continue in the background, provided the main 126 * loop is running. When the handshake is complete, 127 * or fails, the @func callback will be invoked. 128 */ 129void qio_channel_tls_handshake(QIOChannelTLS *ioc, 130 QIOTaskFunc func, 131 gpointer opaque, 132 GDestroyNotify destroy, 133 GMainContext *context); 134 135/** 136 * qio_channel_tls_get_session: 137 * @ioc: the TLS channel object 138 * 139 * Get the TLS session used by the channel. 140 * 141 * Returns: the TLS session 142 */ 143QCryptoTLSSession * 144qio_channel_tls_get_session(QIOChannelTLS *ioc); 145 146#endif /* QIO_CHANNEL_TLS_H */ 147