Hide build time dependancy on gnutls fom non-crypto code

-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmDcUxcACgkQvobrtBUQ T9/ADQ/9HyQrNxamHekMTZgGVuKbAPkw+eRXFV3CJMZ+CgOjm1DksQeSkBd9xhN6 YcmPOCHTc+ok5AptjmjXxthtHvaW7YxpFSZI9Bb0OlSap5FdltOm2CVDb+iLZany FOnq/+fog2snnCV386xchAHMEZ7VKc6wJozFKuc0mZ2kZMH3wniGQj8XXinT8Ko4 VHg1AWzoAxARHbMhFWGMolGL2JoJlk3qTdjwNO9eQgPMdT93ikF2GZ9QUcNdNa41 fqkpjNVD8hvzRAoxmCPzz5lAX1NCUtGlDHbyUeDrkvI/KXaUgjAhcTO6dYaR82Gt maUt7nL++hvGkU1vqnogSCaFpcC4pFvAfje8StEJFqBOUqc90NB/rhv0+RsuxYJu nW1aL1bGYe6AALu8Un4r1GE1t761v/D/11UB2gHZVP67av3c+3SoFiTRthlfy6CU 1X2N1NbF8eM1xcTFOy1frB0zKf9u1BOvaOX9WnFWhExQwjf7r/CZx1I2gBqFE/6I 2SdzYjgjhD00z8L9wNndB29KidyfcLZs+tvuRL4KVp2f4S8BNxQE1rTLLdEK1W3A /LYZc5icFyBcuQPvcaf6d9iGyQlfVL01KN881VRrB7Yb7Xcu9tRk1e3JguC/GFwU WSrNGInArqcnisRO+PqxMCJrpmA2hYgYa2cDQjuYMo3NioP6CDw= =NX10 -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/berrange-gitlab/tags/tls-deps-pull-request' into staging Hide build time dependancy on gnutls fom non-crypto code # gpg: Signature made Wed 30 Jun 2021 12:18:47 BST # gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF # gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full] # gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full] # Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF * remotes/berrange-gitlab/tags/tls-deps-pull-request: crypto: Make QCryptoTLSCreds* structures private ui/vnc: Use qcrypto_tls_creds_check_endpoint() migration/tls: Use qcrypto_tls_creds_check_endpoint() chardev/socket: Use qcrypto_tls_creds_check_endpoint() qemu-nbd: Use qcrypto_tls_creds_check_endpoint() block/nbd: Use qcrypto_tls_creds_check_endpoint() crypto/tlscreds: Introduce qcrypto_tls_creds_check_endpoint() helper Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2021-07-02 08:22:38 +01:00 · 2021-07-02 08:22:38 +01:00 · 5a67d7735d
parent 67e25eed97 678bcc3c2c
commit 5a67d7735d
18 changed files with 108 additions and 94 deletions
--- a/block/nbd.c
+++ b/block/nbd.c
@ -1839,9 +1839,9 @@ static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp)
        return NULL;
    }

-    if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
-        error_setg(errp,
-                   "Expecting TLS credentials with a client endpoint");
+    if (!qcrypto_tls_creds_check_endpoint(creds,
+                                          QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
+                                          errp)) {
        return NULL;
    }
    object_ref(obj);
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@ -108,9 +108,9 @@ static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, Error **errp)
        return NULL;
    }

-    if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
-        error_setg(errp,
-                   "Expecting TLS credentials with a server endpoint");
+    if (!qcrypto_tls_creds_check_endpoint(creds,
+                                          QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
+                                          errp)) {
        return NULL;
    }
    object_ref(obj);
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@ -1402,18 +1402,12 @@ static void qmp_chardev_open_socket(Chardev *chr,
            return;
        }
        object_ref(OBJECT(s->tls_creds));
-        if (is_listen) {
-            if (s->tls_creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
-                error_setg(errp, "%s",
-                           "Expected TLS credentials for server endpoint");
-                return;
-            }
-        } else {
-            if (s->tls_creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
-                error_setg(errp, "%s",
-                           "Expected TLS credentials for client endpoint");
-                return;
-            }
+        if (!qcrypto_tls_creds_check_endpoint(s->tls_creds,
+                                          is_listen
+                                          ? QCRYPTO_TLS_CREDS_ENDPOINT_SERVER
+                                          : QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT,
+                                          errp)) {
+            return;
        }
    }
    s->tls_authz = g_strdup(sock->tls_authz);
--- a/crypto/tls-cipher-suites.c
+++ b/crypto/tls-cipher-suites.c
@ -14,8 +14,15 @@
 #include "crypto/tlscreds.h"
 #include "crypto/tls-cipher-suites.h"
 #include "hw/nvram/fw_cfg.h"
+#include "tlscredspriv.h"
 #include "trace.h"

+struct QCryptoTLSCipherSuites {
+    /* <private> */
+    QCryptoTLSCreds parent_obj;
+    /* <public> */
+};
+
 /*
 * IANA registered TLS ciphers:
 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
--- a/crypto/tlscreds.c
+++ b/crypto/tlscreds.c
@ -20,6 +20,7 @@

 #include "qemu/osdep.h"
 #include "qapi/error.h"
+#include "qapi-types-crypto.h"
 #include "qemu/module.h"
 #include "tlscredspriv.h"
 #include "trace.h"
@ -259,6 +260,17 @@ qcrypto_tls_creds_finalize(Object *obj)
    g_free(creds->priority);
 }

+bool qcrypto_tls_creds_check_endpoint(QCryptoTLSCreds *creds,
+                                      QCryptoTLSCredsEndpoint endpoint,
+                                      Error **errp)
+{
+    if (creds->endpoint != endpoint) {
+        error_setg(errp, "Expected TLS credentials for a %s endpoint",
+                   QCryptoTLSCredsEndpoint_str(endpoint));
+        return false;
+    }
+    return true;
+}

 static const TypeInfo qcrypto_tls_creds_info = {
    .parent = TYPE_OBJECT,
--- a/crypto/tlscredsanon.c
+++ b/crypto/tlscredsanon.c
@ -29,6 +29,8 @@

 #ifdef CONFIG_GNUTLS

+#include <gnutls/gnutls.h>
+

 static int
 qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds,
--- a/crypto/tlscredspriv.h
+++ b/crypto/tlscredspriv.h
@ -23,6 +23,51 @@

 #include "crypto/tlscreds.h"

+#ifdef CONFIG_GNUTLS
+#include <gnutls/gnutls.h>
+#endif
+
+struct QCryptoTLSCreds {
+    Object parent_obj;
+    char *dir;
+    QCryptoTLSCredsEndpoint endpoint;
+#ifdef CONFIG_GNUTLS
+    gnutls_dh_params_t dh_params;
+#endif
+    bool verifyPeer;
+    char *priority;
+};
+
+struct QCryptoTLSCredsAnon {
+    QCryptoTLSCreds parent_obj;
+#ifdef CONFIG_GNUTLS
+    union {
+        gnutls_anon_server_credentials_t server;
+        gnutls_anon_client_credentials_t client;
+    } data;
+#endif
+};
+
+struct QCryptoTLSCredsPSK {
+    QCryptoTLSCreds parent_obj;
+    char *username;
+#ifdef CONFIG_GNUTLS
+    union {
+        gnutls_psk_server_credentials_t server;
+        gnutls_psk_client_credentials_t client;
+    } data;
+#endif
+};
+
+struct QCryptoTLSCredsX509 {
+    QCryptoTLSCreds parent_obj;
+#ifdef CONFIG_GNUTLS
+    gnutls_certificate_credentials_t data;
+#endif
+    bool sanityCheck;
+    char *passwordid;
+};
+
 #ifdef CONFIG_GNUTLS

 int qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds,
--- a/crypto/tlscredspsk.c
+++ b/crypto/tlscredspsk.c
@ -29,6 +29,8 @@

 #ifdef CONFIG_GNUTLS

+#include <gnutls/gnutls.h>
+
 static int
 lookup_key(const char *pskfile, const char *username, gnutls_datum_t *key,
           Error **errp)
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@ -30,6 +30,7 @@

 #ifdef CONFIG_GNUTLS

+#include <gnutls/gnutls.h>
 #include <gnutls/x509.h>


--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@ -25,6 +25,7 @@
 #include "crypto/tlscredsx509.h"
 #include "qapi/error.h"
 #include "authz/base.h"
+#include "tlscredspriv.h"
 #include "trace.h"

 #ifdef CONFIG_GNUTLS
--- a/include/crypto/tls-cipher-suites.h
+++ b/include/crypto/tls-cipher-suites.h
@ -19,12 +19,6 @@ typedef struct QCryptoTLSCipherSuites QCryptoTLSCipherSuites;
 DECLARE_INSTANCE_CHECKER(QCryptoTLSCipherSuites, QCRYPTO_TLS_CIPHER_SUITES,
                         TYPE_QCRYPTO_TLS_CIPHER_SUITES)

-struct QCryptoTLSCipherSuites {
-    /* <private> */
-    QCryptoTLSCreds parent_obj;
-    /* <public> */
-};
-
 /**
  * qcrypto_tls_cipher_suites_get_data:
  * @obj: pointer to a TLS cipher suites object
--- a/include/crypto/tlscreds.h
+++ b/include/crypto/tlscreds.h
@ -24,10 +24,6 @@
 #include "qapi/qapi-types-crypto.h"
 #include "qom/object.h"

-#ifdef CONFIG_GNUTLS
-#include <gnutls/gnutls.h>
-#endif
-
 #define TYPE_QCRYPTO_TLS_CREDS "tls-creds"
 typedef struct QCryptoTLSCreds QCryptoTLSCreds;
 typedef struct QCryptoTLSCredsClass QCryptoTLSCredsClass;
@ -48,22 +44,24 @@ typedef bool (*CryptoTLSCredsReload)(QCryptoTLSCreds *, Error **);
 * certificate credentials.
 */

-struct QCryptoTLSCreds {
-    Object parent_obj;
-    char *dir;
-    QCryptoTLSCredsEndpoint endpoint;
-#ifdef CONFIG_GNUTLS
-    gnutls_dh_params_t dh_params;
-#endif
-    bool verifyPeer;
-    char *priority;
-};
-
-
 struct QCryptoTLSCredsClass {
    ObjectClass parent_class;
    CryptoTLSCredsReload reload;
 };

+/**
+ * qcrypto_tls_creds_check_endpoint:
+ * @creds: pointer to a TLS credentials object
+ * @endpoint: type of network endpoint that will be using the credentials
+ * @errp: pointer to a NULL-initialized error object
+ *
+ * Check whether the credentials is setup according to
+ * the type of @endpoint argument.
+ *
+ * Returns true if the credentials is setup for the endpoint, false otherwise
+ */
+bool qcrypto_tls_creds_check_endpoint(QCryptoTLSCreds *creds,
+                                      QCryptoTLSCredsEndpoint endpoint,
+                                      Error **errp);

 #endif /* QCRYPTO_TLSCREDS_H */
--- a/include/crypto/tlscredsanon.h
+++ b/include/crypto/tlscredsanon.h
@ -92,18 +92,6 @@ typedef struct QCryptoTLSCredsAnonClass QCryptoTLSCredsAnonClass;
 *
 */

-
-struct QCryptoTLSCredsAnon {
-    QCryptoTLSCreds parent_obj;
-#ifdef CONFIG_GNUTLS
-    union {
-        gnutls_anon_server_credentials_t server;
-        gnutls_anon_client_credentials_t client;
-    } data;
-#endif
-};
-
-
 struct QCryptoTLSCredsAnonClass {
    QCryptoTLSCredsClass parent_class;
 };
--- a/include/crypto/tlscredspsk.h
+++ b/include/crypto/tlscredspsk.h
@ -87,18 +87,6 @@ typedef struct QCryptoTLSCredsPSKClass QCryptoTLSCredsPSKClass;
 * The PSK file can be created and managed using psktool.
 */

-struct QCryptoTLSCredsPSK {
-    QCryptoTLSCreds parent_obj;
-    char *username;
-#ifdef CONFIG_GNUTLS
-    union {
-        gnutls_psk_server_credentials_t server;
-        gnutls_psk_client_credentials_t client;
-    } data;
-#endif
-};
-
-
 struct QCryptoTLSCredsPSKClass {
    QCryptoTLSCredsClass parent_class;
 };
--- a/include/crypto/tlscredsx509.h
+++ b/include/crypto/tlscredsx509.h
@ -96,16 +96,6 @@ typedef struct QCryptoTLSCredsX509Class QCryptoTLSCredsX509Class;
 *
 */

-struct QCryptoTLSCredsX509 {
-    QCryptoTLSCreds parent_obj;
-#ifdef CONFIG_GNUTLS
-    gnutls_certificate_credentials_t data;
-#endif
-    bool sanityCheck;
-    char *passwordid;
-};
-
-
 struct QCryptoTLSCredsX509Class {
    QCryptoTLSCredsClass parent_class;
 };
--- a/migration/tls.c
+++ b/migration/tls.c
@ -49,11 +49,7 @@ migration_tls_get_creds(MigrationState *s,
                   s->parameters.tls_creds);
        return NULL;
    }
-    if (ret->endpoint != endpoint) {
-        error_setg(errp,
-                   "Expected TLS credentials for a %s endpoint",
-                   endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT ?
-                   "client" : "server");
+    if (!qcrypto_tls_creds_check_endpoint(ret, endpoint, errp)) {
        return NULL;
    }

--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@ -43,6 +43,7 @@
 #include "io/channel-socket.h"
 #include "io/net-listener.h"
 #include "crypto/init.h"
+#include "crypto/tlscreds.h"
 #include "trace/control.h"
 #include "qemu-version.h"

@ -422,18 +423,12 @@ static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, bool list,
        return NULL;
    }

-    if (list) {
-        if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
-            error_setg(errp,
-                       "Expecting TLS credentials with a client endpoint");
-            return NULL;
-        }
-    } else {
-        if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
-            error_setg(errp,
-                       "Expecting TLS credentials with a server endpoint");
-            return NULL;
-        }
+    if (!qcrypto_tls_creds_check_endpoint(creds,
+                                          list
+                                          ? QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT
+                                          : QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
+                                          errp)) {
+        return NULL;
    }
    object_ref(obj);
    return creds;
--- a/ui/vnc.c
+++ b/ui/vnc.c
@ -46,6 +46,7 @@
 #include "qapi/qapi-commands-ui.h"
 #include "ui/input.h"
 #include "crypto/hash.h"
+#include "crypto/tlscreds.h"
 #include "crypto/tlscredsanon.h"
 #include "crypto/tlscredsx509.h"
 #include "crypto/random.h"
@ -4080,9 +4081,9 @@ void vnc_display_open(const char *id, Error **errp)
        }
        object_ref(OBJECT(vd->tlscreds));

-        if (vd->tlscreds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
-            error_setg(errp,
-                       "Expecting TLS credentials with a server endpoint");
+        if (!qcrypto_tls_creds_check_endpoint(vd->tlscreds,
+                                              QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
+                                              errp)) {
            goto fail;
        }
    }