* [PATCH v8 0/3] vnc: support reload x509 certificates
@ 2021-03-16  7:58 Zihao Chang
From: Zihao Chang @ 2021-03-16  7:58 UTC (permalink / raw)
  To: qemu-devel
  Cc: berrange, oscar.zhangbo, changzihao1, armbru, xiexiangyou,
	yebiaoxiang, kraxel

This series adds support for reloading x509 certificates for VNC
1. Support reloading x509 certificates.
2. Support reloading VNC certificates.
3. Add a new QMP command display-reload and implement reloading x509 certificates for VNC.

Example:
{"execute": "display-reload", "arguments":{"type": "vnc", "tls-certs": true}}

Zihao Chang (3):
  crypto: add reload for QCryptoTLSCredsClass
  vnc: support reload x509 certificates for vnc
  qmp: add new qmp display-reload

 crypto/tlscredsx509.c     | 48 ++++++++++++++++++++++++++++++
 include/crypto/tlscreds.h |  8 +++--
 include/ui/console.h      |  1 +
 monitor/qmp-cmds.c        | 17 +++++++++++
 qapi/ui.json              | 61 +++++++++++++++++++++++++++++++++++++++
 ui/vnc.c                  | 28 ++++++++++++++++++
 6 files changed, 160 insertions(+), 3 deletions(-)

-- 
2.28.0




* [PATCH v8 1/3] crypto: add reload for QCryptoTLSCredsClass
@ 2021-03-16  7:58 ` Zihao Chang
From: Zihao Chang @ 2021-03-16  7:58 UTC (permalink / raw)
  To: qemu-devel
  Cc: berrange, oscar.zhangbo, changzihao1, armbru, xiexiangyou,
	yebiaoxiang, kraxel


This patch adds a reload interface to QCryptoTLSCredsClass and implements
it for QCryptoTLSCredsX509.

Signed-off-by: Zihao Chang <changzihao1@huawei.com>
Acked-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/tlscredsx509.c     | 48 +++++++++++++++++++++++++++++++++++++++
 include/crypto/tlscreds.h |  8 ++++---
 2 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index dbadad4df28e..bc503bab5585 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -770,6 +770,51 @@ qcrypto_tls_creds_x509_prop_get_sanity(Object *obj,
 }
 
 
+#ifdef CONFIG_GNUTLS
+
+
+static bool
+qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp)
+{
+    QCryptoTLSCredsX509 *x509_creds = QCRYPTO_TLS_CREDS_X509(creds);
+    Error *local_err = NULL;
+    gnutls_certificate_credentials_t creds_data = x509_creds->data;
+    gnutls_dh_params_t creds_dh_params = x509_creds->parent_obj.dh_params;
+
+    x509_creds->data = NULL;
+    x509_creds->parent_obj.dh_params = NULL;
+    qcrypto_tls_creds_x509_load(x509_creds, &local_err);
+    if (local_err) {
+        qcrypto_tls_creds_x509_unload(x509_creds);
+        x509_creds->data = creds_data;
+        x509_creds->parent_obj.dh_params = creds_dh_params;
+        error_propagate(errp, local_err);
+        return false;
+    }
+
+    if (creds_data) {
+        gnutls_certificate_free_credentials(creds_data);
+    }
+    if (creds_dh_params) {
+        gnutls_dh_params_deinit(creds_dh_params);
+    }
+    return true;
+}
+
+
+#else /* ! CONFIG_GNUTLS */
+
+
+static bool
+qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp)
+{
+    return false;
+}
+
+
+#endif /* ! CONFIG_GNUTLS */
+
+
 static void
 qcrypto_tls_creds_x509_complete(UserCreatable *uc, Error **errp)
 {
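Review bot: The `#else` stub of qcrypto_tls_creds_x509_reload returns false without setting errp, so a caller that relies on QEMU's convention of an error being reported whenever false is returned (vnc_display_reload_certs in patch 2 passes errp straight through, and qmp_display_reload in patch 3 ignores the return value) would see a successful command with nothing reloaded; it should fail explicitly, for example `error_setg(errp, "TLS credentials support requires GNUTLS"); return false;`. In the GNUTLS branch the swap itself looks sound: the new material is loaded into the cleared fields and the old pointers are put back on failure, so a bad certificate file never leaves the object without credentials. One thing to confirm is the lifetime of the old `creds_data` freed at the end: if any TLS session created from these credentials still references them rather than holding a copy (an in-progress handshake, for instance), freeing them immediately on reload would leave that session with a dangling pointer. A comment stating what established sessions see after a reload would help, since this is the point where operators will expect a rotated or revoked certificate to take effect.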
@@ -800,6 +845,9 @@ static void
 qcrypto_tls_creds_x509_class_init(ObjectClass *oc, void *data)
 {
     UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+    QCryptoTLSCredsClass *ctcc = QCRYPTO_TLS_CREDS_CLASS(oc);
+
+    ctcc->reload = qcrypto_tls_creds_x509_reload;
 
     ucc->complete = qcrypto_tls_creds_x509_complete;
 
diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h
index 079e37604784..d0808e391e91 100644
--- a/include/crypto/tlscreds.h
+++ b/include/crypto/tlscreds.h
@@ -30,14 +30,15 @@
 
 #define TYPE_QCRYPTO_TLS_CREDS "tls-creds"
 typedef struct QCryptoTLSCreds QCryptoTLSCreds;
-DECLARE_INSTANCE_CHECKER(QCryptoTLSCreds, QCRYPTO_TLS_CREDS,
-                         TYPE_QCRYPTO_TLS_CREDS)
-
 typedef struct QCryptoTLSCredsClass QCryptoTLSCredsClass;
+DECLARE_OBJ_CHECKERS(QCryptoTLSCreds, QCryptoTLSCredsClass, QCRYPTO_TLS_CREDS,
+                     TYPE_QCRYPTO_TLS_CREDS)
+
 
 #define QCRYPTO_TLS_CREDS_DH_PARAMS "dh-params.pem"
 
 
+typedef bool (*CryptoTLSCredsReload)(QCryptoTLSCreds *, Error **);
 /**
  * QCryptoTLSCreds:
  *
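Review bot: The new `CryptoTLSCredsReload` typedef breaks the `QCrypto` prefix that every other name in this header carries (`QCryptoTLSCreds`, `QCryptoTLSCredsClass`) and has no comment describing the contract a subclass must meet; renaming it `QCryptoTLSCredsReload` and documenting it would make the class hook self-explanatory. A comment such as `/* Re-read the credentials from their source; returns true on success, false with @errp set and the previous credentials left in place. */` captures what the x509 implementation in this patch does. The typedef also sits directly above the `QCryptoTLSCreds` doc block with no blank line in between, which makes that doc comment look as if it belonged to the typedef.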
@@ -61,6 +62,7 @@ struct QCryptoTLSCreds {
 
 struct QCryptoTLSCredsClass {
     ObjectClass parent_class;
+    CryptoTLSCredsReload reload;
 };
 
 
-- 
2.28.0




* [PATCH v8 2/3] vnc: support reload x509 certificates for vnc
@ 2021-03-16  7:58 ` Zihao Chang
From: Zihao Chang @ 2021-03-16  7:58 UTC (permalink / raw)
  To: qemu-devel
  Cc: berrange, oscar.zhangbo, changzihao1, armbru, xiexiangyou,
	yebiaoxiang, kraxel


This patch adds vnc_display_reload_certs() to support updating
x509 certificates.

Signed-off-by: Zihao Chang <changzihao1@huawei.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
---
 include/ui/console.h |  1 +
 ui/vnc.c             | 28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/include/ui/console.h b/include/ui/console.h
index c960b7066ccd..2714038a0fae 100644
--- a/include/ui/console.h
+++ b/include/ui/console.h
@@ -476,6 +476,7 @@ int vnc_display_password(const char *id, const char *password);
 int vnc_display_pw_expire(const char *id, time_t expires);
 void vnc_parse(const char *str);
 int vnc_init_func(void *opaque, QemuOpts *opts, Error **errp);
+bool vnc_display_reload_certs(const char *id,  Error **errp);
 
 /* input.c */
 int index_from_key(const char *key, size_t key_length);
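Review bot: The prototype of vnc_display_reload_certs has a stray double space before `Error **errp`, and as the only public entry point for the reload it carries no comment about what `id` means or what the return value signals; `bool vnc_display_reload_certs(const char *id, Error **errp);` with a short comment stating that a NULL id selects the default display (if that is what vnc_display_find does) and that false is returned with @errp set would help callers. The neighbouring declarations are equally undocumented, so this follows the file's style, but this is the call a management tool will drive after rotating certificates, and its selection semantics matter for knowing which server was actually updated.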
diff --git a/ui/vnc.c b/ui/vnc.c
index 310abc937812..381e21a87563 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -584,6 +584,34 @@ VncInfo2List *qmp_query_vnc_servers(Error **errp)
     return prev;
 }
 
+bool vnc_display_reload_certs(const char *id, Error **errp)
+{
+    VncDisplay *vd = vnc_display_find(id);
+    QCryptoTLSCredsClass *creds = NULL;
+
+    if (!vd) {
+        error_setg(errp, "Can not find vnc display");
+        return false;
+    }
+
+    if (!vd->tlscreds) {
+        error_setg(errp, "vnc tls is not enable");
+        return false;
+    }
+
+    creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
+    if (creds->reload == NULL) {
+        error_setg(errp, "%s doesn't support to reload TLS credential",
+                   object_get_typename(OBJECT(vd->tlscreds)));
+        return false;
+    }
+    if (!creds->reload(vd->tlscreds, errp)) {
+        return false;
+    }
+
+    return true;
+}
+
 /* TODO
    1) Get the queue working for IO.
    2) there is some weirdness when using the -S option (the screen is grey
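Review bot: The local `creds` in vnc_display_reload_certs holds a QCryptoTLSCredsClass pointer, not the credentials object, which makes `creds->reload(vd->tlscreds, errp)` read as though it were a call on the instance; naming it `creds_class` (or `ctcc`, as the crypto patch does) avoids the confusion. The final `if (!creds->reload(vd->tlscreds, errp)) { return false; } return true;` collapses to `return creds->reload(vd->tlscreds, errp);` with identical behaviour, since the hook is expected to fill errp on failure. The error strings would also read better as `"Cannot find VNC display"` and `"VNC TLS is not enabled"`.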
-- 
2.28.0




* [PATCH v8 3/3] qmp: add new qmp display-reload
@ 2021-03-16  7:58 ` Zihao Chang
From: Zihao Chang @ 2021-03-16  7:58 UTC (permalink / raw)
  To: qemu-devel
  Cc: berrange, oscar.zhangbo, changzihao1, armbru, xiexiangyou,
	yebiaoxiang, kraxel

This patch provides a new QMP command to reload the display configuration
without restarting the VM; so far only reloading the VNC TLS certificates
is implemented.
Example:
{"execute": "display-reload", "arguments":{"type": "vnc", "tls-certs": true}}

Signed-off-by: Zihao Chang <changzihao1@huawei.com>
---
 monitor/qmp-cmds.c | 17 +++++++++++++
 qapi/ui.json       | 61 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)

diff --git a/monitor/qmp-cmds.c b/monitor/qmp-cmds.c
index c7df8c0ee268..f7d64a64577a 100644
--- a/monitor/qmp-cmds.c
+++ b/monitor/qmp-cmds.c
@@ -334,3 +334,20 @@ MemoryInfo *qmp_query_memory_size_summary(Error **errp)
 
     return mem_info;
 }
+
+void qmp_display_reload(DisplayReloadOptions *arg, Error **errp)
+{
+    switch (arg->type) {
+    case DISPLAY_RELOAD_TYPE_VNC:
+#ifdef CONFIG_VNC
+        if (arg->u.vnc.has_tls_certs && arg->u.vnc.tls_certs) {
+            vnc_display_reload_certs(NULL, errp);
+        }
+#else
+        error_setg(errp, "vnc is invalid, missing 'CONFIG_VNC'");
+#endif
+        break;
+    default:
+        abort();
+    }
+}
diff --git a/qapi/ui.json b/qapi/ui.json
index d08d72b43923..e39159eae022 100644
--- a/qapi/ui.json
+++ b/qapi/ui.json
@@ -1179,3 +1179,64 @@
 ##
 { 'command': 'query-display-options',
   'returns': 'DisplayOptions' }
+
+##
+# @DisplayReloadType:
+#
+# Available DisplayReload types.
+#
+# @vnc: VNC display
+#
+# Since: 6.0
+#
+##
+{ 'enum': 'DisplayReloadType',
+  'data': ['vnc'] }
+
+##
+# @DisplayReloadOptionsVNC:
+#
+# Specify the VNC reload options.
+#
+# @tls-certs: reload tls certs or not.
+#
+# Since: 6.0
+#
+##
+{ 'struct': 'DisplayReloadOptionsVNC',
+  'data': { '*tls-certs': 'bool' } }
+
+##
+# @DisplayReloadOptions:
+#
+# Options of the display configuration reload.
+#
+# @type: Specify the display type.
+#
+# Since: 6.0
+#
+##
+{ 'union': 'DisplayReloadOptions',
+  'base': {'type': 'DisplayReloadType'},
+  'discriminator': 'type',
+  'data': { 'vnc': 'DisplayReloadOptionsVNC' } }
+
+##
+# @display-reload:
+#
+# Reload display configuration.
+#
+# Returns: Nothing on success.
+#
+# Since: 6.0
+#
+# Example:
+#
+# -> { "execute": "display-reload",
+#      "arguments": { "type": "vnc", "tls-certs": true  } }
+# <- { "return": {} }
+#
+##
+{ 'command': 'display-reload',
+  'data': 'DisplayReloadOptions',
+  'boxed' : true }
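Review bot: The `@tls-certs` description, `reload tls certs or not.`, does not say what happens when the member is omitted; the command handler in monitor/qmp-cmds.c treats an absent or false value as a successful no-op, and the schema is where a management tool will look for that. Something like `# @tls-certs: reload the TLS certificates of the VNC server (default: false, i.e. no reload)` would be clearer. The `display-reload` block could likewise state that only the VNC TLS certificates are currently reloadable and whether already established sessions keep using the old certificates, if that is indeed the behaviour, since an operator rotating a revoked certificate needs to know whether live clients are cut off.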
-- 
2.28.0




* Re: [PATCH v8 0/3] vnc: support reload x509 certificates
@ 2021-03-17  9:59 ` Gerd Hoffmann
From: Gerd Hoffmann @ 2021-03-17  9:59 UTC (permalink / raw)
  To: Zihao Chang
  Cc: berrange, oscar.zhangbo, qemu-devel, xiexiangyou, armbru, yebiaoxiang

On Tue, Mar 16, 2021 at 03:58:42PM +0800, Zihao Chang wrote:
> This series supports reload x509 certificates for vnc
> 1. Support reload x509 certificates.
> 2. Support reload vnc certificates.
> 3. Add new qmp display-reload and implement reload x509 certificates for vnc.

Added to ui queue.

thanks,
  Gerd



