[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] 351d36: qapi: allow override of default enum
From: |
GitHub |
Subject: |
[Qemu-commits] [qemu/qemu] 351d36: qapi: allow override of default enum prefix naming |
Date: |
Tue, 15 Sep 2015 09:30:05 -0700 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 351d36e454cddc67a1675740916636a7ccbf1c4b
https://github.com/qemu/qemu/commit/351d36e454cddc67a1675740916636a7ccbf1c4b
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M docs/qapi-code-gen.txt
M scripts/qapi-types.py
M scripts/qapi.py
M tests/Makefile
A tests/qapi-schema/enum-bad-prefix.err
A tests/qapi-schema/enum-bad-prefix.exit
A tests/qapi-schema/enum-bad-prefix.json
A tests/qapi-schema/enum-bad-prefix.out
M tests/qapi-schema/qapi-schema-test.json
M tests/qapi-schema/qapi-schema-test.out
Log Message:
-----------
qapi: allow override of default enum prefix naming
The camel_to_upper() method applies some heuristics to turn
a mixed case type name into an all-uppercase name. This is
used for example, to generate enum constant name prefixes.
The heuristics don't also generate a satisfactory name
though. eg
{ 'enum': 'QCryptoTLSCredsEndpoint',
'data': ['client', 'server']}
Results in Q_CRYPTOTLS_CREDS_ENDPOINT_CLIENT. This has
an undesirable _ after the initial Q and is missing an
_ between the CRYPTO & TLS strings.
Rather than try to add more and more heuristics to try
to cope with this, simply allow the QAPI schema to
specify the desired enum constant prefix explicitly.
eg
{ 'enum': 'QCryptoTLSCredsEndpoint',
'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
'data': ['client', 'server']}
Now gives the QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT name.
Signed-off-by: Daniel P. Berrange <address@hidden>
Commit: b124533e069a6624316da2096d170b0bd9197d86
https://github.com/qemu/qemu/commit/b124533e069a6624316da2096d170b0bd9197d86
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M tests/Makefile
Log Message:
-----------
tests: remove repetition in unit test object deps
Most of the unit tests have identical sets of object deps.
For example all block unit tests need to depend on
$(block-obj-y) libqemuutil.a libqemustub.a
Currently each unit test repeats this list of test deps.
This list of deps will grow as future patches add more
modules to the build, so define some common variables
that can be used by all unit tests to remove the
repetition.
Signed-off-by: Daniel P. Berrange <address@hidden>
Commit: fb37726db77b21f3731b90693d2c93ade1777528
https://github.com/qemu/qemu/commit/fb37726db77b21f3731b90693d2c93ade1777528
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M Makefile
M Makefile.objs
M Makefile.target
M crypto/Makefile.objs
M tests/Makefile
Log Message:
-----------
crypto: move crypto objects out of libqemuutil.la
Future patches will be adding more crypto related APIs which
rely on QOM infrastructure. This creates a problem, because
QOM relies on library constructors to register objects. When
you have a file in a static .a library though which is only
referenced by a constructor the linker is dumb and will drop
that file when linking to the final executable :-( The only
workaround for this is to link the .a library to the executable
using the -Wl,--whole-archive flag, but this creates its own
set of problems because QEMU is relying on lazy linking for
libqemuutil.a. Using --whole-archive majorly increases the
size of final executables as they now contain a bunch of
object code they don't actually use.
The least bad option is to thus not include the crypto objects
in libqemuutil.la, and instead define a crypto-obj-y variable
that is referenced directly by all the executables that need
this code (tools + softmmu, but not qemu-ga). We avoid pulling
entire of crypto-obj-y into the userspace emulators as that
would force them to link to gnutls too, which is not required.
Signed-off-by: Daniel P. Berrange <address@hidden>
Commit: 0c7012e0558e4312e575fd4c70652d8ef2265ff7
https://github.com/qemu/qemu/commit/0c7012e0558e4312e575fd4c70652d8ef2265ff7
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M Makefile
M Makefile.objs
M Makefile.target
M qom/Makefile.objs
M tests/Makefile
Log Message:
-----------
qom: allow QOM to be linked into tools binaries
The qom objects are currently added to common-obj-y
which is only linked into the system emulators. The
later crypto patches will depend on QOM infrastructure
and will also be used from tools binaries. Thus the QOM
objects are moved into a new qom-obj-y variable which
can be referenced when linking tools, system emulators
and tests.
Signed-off-by: Daniel P. Berrange <address@hidden>
Commit: a090187de116a3d0b8146ca481249c8fc83ad3ee
https://github.com/qemu/qemu/commit/a090187de116a3d0b8146ca481249c8fc83ad3ee
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M crypto/Makefile.objs
A crypto/tlscreds.c
A crypto/tlscredspriv.h
A include/crypto/tlscreds.h
M qapi-schema.json
A qapi/crypto.json
M tests/Makefile
M trace-events
Log Message:
-----------
crypto: introduce new base module for TLS credentials
Introduce a QCryptoTLSCreds class to act as the base class for
storing TLS credentials. This will be later subclassed to provide
handling of anonymous and x509 credential types. The subclasses
will be user creatable objects, so instances can be created &
deleted via 'object-add' and 'object-del' QMP commands respectively,
or via the -object command line arg.
If the credentials cannot be initialized an error will be reported
as a QMP reply, or on stderr respectively.
The idea is to make it possible to represent and manage TLS
credentials independently of the network service that is using
them. This will enable multiple services to use the same set of
credentials and minimize code duplication. A later patch will
convert the current VNC server TLS code over to use this object.
The representation of credentials will be functionally equivalent
to that currently implemented in the VNC server with one exception.
The new code has the ability to (optionally) load a pre-generated
set of diffie-hellman parameters, if the file dh-params.pem exists,
whereas the current VNC server will always generate them on startup.
This is beneficial for admins who wish to avoid the (small) time
sink of generating DH parameters at startup and/or avoid depleting
entropy.
Signed-off-by: Daniel P. Berrange <address@hidden>
Commit: e00adf6c3edf8dbbe7eb60c94e24fe2158e8342f
https://github.com/qemu/qemu/commit/e00adf6c3edf8dbbe7eb60c94e24fe2158e8342f
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M crypto/Makefile.objs
A crypto/tlscredsanon.c
A include/crypto/tlscredsanon.h
M qemu-options.hx
M trace-events
Log Message:
-----------
crypto: introduce new module for TLS anonymous credentials
Introduce a QCryptoTLSCredsAnon class which is used to
manage anonymous TLS credentials. Use of this class is
generally discouraged since it does not offer strong
security, but it is required for backwards compatibility
with the current VNC server implementation.
Simple example CLI configuration:
$QEMU -object tls-creds-anon,id=tls0,endpoint=server
Example using pre-created diffie-hellman parameters
$QEMU -object tls-creds-anon,id=tls0,endpoint=server,\
dir=/path/to/creds/dir
The 'id' value in the -object args will be used to associate the
credentials with the network services. For example, when the VNC
server is later converted it would use
$QEMU -object tls-creds-anon,id=tls0,.... \
-vnc 127.0.0.1:1,tls-creds=tls0
Signed-off-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Commit: 85bcbc789eb65b54548a507b747ffffe6175b404
https://github.com/qemu/qemu/commit/85bcbc789eb65b54548a507b747ffffe6175b404
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M crypto/Makefile.objs
A crypto/tlscredsx509.c
A include/crypto/tlscredsx509.h
M qemu-options.hx
M trace-events
Log Message:
-----------
crypto: introduce new module for TLS x509 credentials
Introduce a QCryptoTLSCredsX509 class which is used to
manage x509 certificate TLS credentials. This will be
the preferred credential type offering strong security
characteristics
Example CLI configuration:
$QEMU -object tls-creds-x509,id=tls0,endpoint=server,\
dir=/path/to/creds/dir,verify-peer=yes
The 'id' value in the -object args will be used to associate the
credentials with the network services. For example, when the VNC
server is later converted it would use
$QEMU -object tls-creds-x509,id=tls0,.... \
-vnc 127.0.0.1:1,tls-creds=tls0
Signed-off-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Commit: 9a2fd4347c40321f5cbb4ab4220e759fcbf87d03
https://github.com/qemu/qemu/commit/9a2fd4347c40321f5cbb4ab4220e759fcbf87d03
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M configure
M crypto/tlscredsx509.c
M include/crypto/tlscredsx509.h
M tests/.gitignore
M tests/Makefile
A tests/crypto-tls-x509-helpers.c
A tests/crypto-tls-x509-helpers.h
A tests/pkix_asn1_tab.c
A tests/test-crypto-tlscredsx509.c
M trace-events
Log Message:
-----------
crypto: add sanity checking of TLS x509 credentials
If the administrator incorrectly sets up their x509 certificates,
the errors seen at runtime during connection attempts are very
obscure and difficult to diagnose. This has been a particular
problem for people using openssl to generate their certificates
instead of the gnutls certtool, because the openssl tools don't
turn on the various x509 extensions that gnutls expects to be
present by default.
This change thus adds support in the TLS credentials object to
sanity check the certificates when QEMU first loads them. This
gives the administrator immediate feedback for the majority of
common configuration mistakes, reducing the pain involved in
setting up TLS. The code is derived from equivalent code that
has been part of libvirt's TLS support and has been seen to be
valuable in assisting admins.
It is possible to disable the sanity checking, however, via
the new 'sanity-check' property on the tls-creds object type,
with a value of 'no'.
Unit tests are included in this change to verify the correctness
of the sanity checking code in all the key scenarios it is
intended to cope with. As part of the test suite, the pkix_asn1_tab.c
from gnutls is imported. This file is intentionally copied from the
(long since obsolete) gnutls 1.6.3 source tree, since that version
was still under GPLv2+, rather than the GPLv3+ of gnutls >= 2.0.
Signed-off-by: Daniel P. Berrange <address@hidden>
Commit: d321e1e5268103af616ec4c623c6326c3f7c7bc7
https://github.com/qemu/qemu/commit/d321e1e5268103af616ec4c623c6326c3f7c7bc7
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M crypto/Makefile.objs
A crypto/tlssession.c
A include/crypto/tlssession.h
M tests/.gitignore
M tests/Makefile
A tests/test-crypto-tlssession.c
M trace-events
Log Message:
-----------
crypto: introduce new module for handling TLS sessions
Introduce a QCryptoTLSSession object that will encapsulate
all the code for setting up and using a client/sever TLS
session. This isolates the code which depends on the gnutls
library, avoiding #ifdefs in the rest of the codebase, as
well as facilitating any possible future port to other TLS
libraries, if desired. It makes use of the previously
defined QCryptoTLSCreds object to access credentials to
use with the session. It also includes further unit tests
to validate the correctness of the TLS session handshake
and certificate validation. This is functionally equivalent
to the current TLS session handling code embedded in the
VNC server, and will obsolete it.
Signed-off-by: Daniel P. Berrange <address@hidden>
Commit: fdd1ab6ad5c27a1564a1c73045908736b228458b
https://github.com/qemu/qemu/commit/fdd1ab6ad5c27a1564a1c73045908736b228458b
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M ui/vnc.c
M ui/vnc.h
Log Message:
-----------
ui: fix return type for VNC I/O functions to be ssize_t
Various VNC server I/O functions return 'long' and then
also pass this to a method accepting 'int'. All these
should be ssize_t to match the signature of read/write
APIs and thus avoid potential for integer truncation /
wraparound.
Signed-off-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Commit: 3e305e4a4752f70c0b5c3cf5b43ec957881714f7
https://github.com/qemu/qemu/commit/3e305e4a4752f70c0b5c3cf5b43ec957881714f7
Author: Daniel P. Berrange <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M configure
M qemu-options.hx
M ui/Makefile.objs
M ui/vnc-auth-sasl.c
M ui/vnc-auth-vencrypt.c
R ui/vnc-tls.c
R ui/vnc-tls.h
M ui/vnc-ws.c
M ui/vnc-ws.h
M ui/vnc.c
M ui/vnc.h
Log Message:
-----------
ui: convert VNC server to use QCryptoTLSSession
Switch VNC server over to using the QCryptoTLSSession object
for the TLS session. This removes the direct use of gnutls
from the VNC server code. It also removes most knowledge
about TLS certificate handling from the VNC server code.
This has the nice effect that all the CONFIG_VNC_TLS
conditionals go away and the user gets an actual error
message when requesting TLS instead of it being silently
ignored.
With this change, the existing configuration options for
enabling TLS with -vnc are deprecated.
Old syntax for anon-DH credentials:
-vnc hostname:0,tls
New syntax:
-object tls-creds-anon,id=tls0,endpoint=server \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, no client certs:
-vnc hostname:0,tls,x509=/path/to/certs
New syntax:
-object
tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
-vnc hostname:0,tls-creds=tls0
Old syntax for x509 credentials, requiring client certs:
-vnc hostname:0,tls,x509verify=/path/to/certs
New syntax:
-object
tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
-vnc hostname:0,tls-creds=tls0
This aligns VNC with the way TLS credentials are to be
configured in the future for chardev, nbd and migration
backends. It also has the benefit that the same TLS
credentials can be shared across multiple VNC server
instances, if desired.
If someone uses the deprecated syntax, it will internally
result in the creation of a 'tls-creds' object with an ID
based on the VNC server ID. This allows backwards compat
with the CLI syntax, while still deleting all the original
TLS code from the VNC server.
Signed-off-by: Daniel P. Berrange <address@hidden>
Commit: 619622424dba749feef752d76d79ef2569f7f250
https://github.com/qemu/qemu/commit/619622424dba749feef752d76d79ef2569f7f250
Author: Peter Maydell <address@hidden>
Date: 2015-09-15 (Tue, 15 Sep 2015)
Changed paths:
M Makefile
M Makefile.objs
M Makefile.target
M configure
M crypto/Makefile.objs
A crypto/tlscreds.c
A crypto/tlscredsanon.c
A crypto/tlscredspriv.h
A crypto/tlscredsx509.c
A crypto/tlssession.c
M docs/qapi-code-gen.txt
A include/crypto/tlscreds.h
A include/crypto/tlscredsanon.h
A include/crypto/tlscredsx509.h
A include/crypto/tlssession.h
M qapi-schema.json
A qapi/crypto.json
M qemu-options.hx
M qom/Makefile.objs
M scripts/qapi-types.py
M scripts/qapi.py
M tests/.gitignore
M tests/Makefile
A tests/crypto-tls-x509-helpers.c
A tests/crypto-tls-x509-helpers.h
A tests/pkix_asn1_tab.c
A tests/qapi-schema/enum-bad-prefix.err
A tests/qapi-schema/enum-bad-prefix.exit
A tests/qapi-schema/enum-bad-prefix.json
A tests/qapi-schema/enum-bad-prefix.out
M tests/qapi-schema/qapi-schema-test.json
M tests/qapi-schema/qapi-schema-test.out
A tests/test-crypto-tlscredsx509.c
A tests/test-crypto-tlssession.c
M trace-events
M ui/Makefile.objs
M ui/vnc-auth-sasl.c
M ui/vnc-auth-vencrypt.c
R ui/vnc-tls.c
R ui/vnc-tls.h
M ui/vnc-ws.c
M ui/vnc-ws.h
M ui/vnc.c
M ui/vnc.h
Log Message:
-----------
Merge remote-tracking branch
'remotes/berrange/tags/vnc-crypto-v9-for-upstream' into staging
Merge vnc-crypto-v9
# gpg: Signature made Tue 15 Sep 2015 15:32:38 BST using RSA key ID 15104FDF
# gpg: Good signature from "Daniel P. Berrange <address@hidden>"
# gpg: aka "Daniel P. Berrange <address@hidden>"
* remotes/berrange/tags/vnc-crypto-v9-for-upstream:
ui: convert VNC server to use QCryptoTLSSession
ui: fix return type for VNC I/O functions to be ssize_t
crypto: introduce new module for handling TLS sessions
crypto: add sanity checking of TLS x509 credentials
crypto: introduce new module for TLS x509 credentials
crypto: introduce new module for TLS anonymous credentials
crypto: introduce new base module for TLS credentials
qom: allow QOM to be linked into tools binaries
crypto: move crypto objects out of libqemuutil.la
tests: remove repetition in unit test object deps
qapi: allow override of default enum prefix naming
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/1078f5db8ada...619622424dba
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-commits] [qemu/qemu] 351d36: qapi: allow override of default enum prefix naming,
GitHub <=