[mirror_qemu.git] / include / io / channel-tls.h

/*
 * QEMU I/O channels TLS driver
 *
 * Copyright (c) 2015 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QIO_CHANNEL_TLS_H
#define QIO_CHANNEL_TLS_H

#include "io/channel.h"
#include "io/task.h"
#include "crypto/tlssession.h"

#define TYPE_QIO_CHANNEL_TLS "qio-channel-tls"
#define QIO_CHANNEL_TLS(obj)                                     \
    OBJECT_CHECK(QIOChannelTLS, (obj), TYPE_QIO_CHANNEL_TLS)

typedef struct QIOChannelTLS QIOChannelTLS;

/**
 * QIOChannelTLS
 *
 * The QIOChannelTLS class provides a channel wrapper which
 * can transparently run the TLS encryption protocol. It is
 * usually used over a TCP socket, but there is actually no
 * technical restriction on which type of master channel is
 * used as the transport.
 *
 * This channel object is capable of running as either a
 * TLS server or TLS client.
 */

struct QIOChannelTLS {
    QIOChannel parent;
    QIOChannel *master;
    QCryptoTLSSession *session;
};

/**
 * qio_channel_tls_new_server:
 * @master: the underlying channel object
 * @creds: the credentials to use for TLS handshake
 * @aclname: the access control list for validating clients
 * @errp: pointer to a NULL-initialized error object
 *
 * Create a new TLS channel that runs the server side of
 * a TLS session. The TLS session handshake will use the
 * credentials provided in @creds. If the @aclname parameter
 * is non-NULL, then the client will have to provide
 * credentials (ie a x509 client certificate) which will
 * then be validated against the ACL.
 *
 * After creating the channel, it is mandatory to call
 * the qio_channel_tls_handshake() method before attempting
 * todo any I/O on the channel.
 *
 * Once the handshake has completed, all I/O should be done
 * via the new TLS channel object and not the original
 * master channel
 *
 * Returns: the new TLS channel object, or NULL
 */
QIOChannelTLS *
qio_channel_tls_new_server(QIOChannel *master,
                           QCryptoTLSCreds *creds,
                           const char *aclname,
                           Error **errp);

/**
 * qio_channel_tls_new_client:
 * @master: the underlying channel object
 * @creds: the credentials to use for TLS handshake
 * @hostname: the user specified server hostname
 * @errp: pointer to a NULL-initialized error object
 *
 * Create a new TLS channel that runs the client side of
 * a TLS session. The TLS session handshake will use the
 * credentials provided in @creds. The @hostname parameter
 * should provide the user specified hostname of the server
 * and will be validated against the server's credentials
 * (ie CommonName of the x509 certificate)
 *
 * After creating the channel, it is mandatory to call
 * the qio_channel_tls_handshake() method before attempting
 * todo any I/O on the channel.
 *
 * Once the handshake has completed, all I/O should be done
 * via the new TLS channel object and not the original
 * master channel
 *
 * Returns: the new TLS channel object, or NULL
 */
QIOChannelTLS *
qio_channel_tls_new_client(QIOChannel *master,
                           QCryptoTLSCreds *creds,
                           const char *hostname,
                           Error **errp);

/**
 * qio_channel_tls_handshake:
 * @ioc: the TLS channel object
 * @func: the callback to invoke when completed
 * @opaque: opaque data to pass to @func
 * @destroy: optional callback to free @opaque
 * @context: the context that TLS handshake will run with. If %NULL,
 *           the default context will be used
 *
 * Perform the TLS session handshake. This method
 * will return immediately and the handshake will
 * continue in the background, provided the main
 * loop is running. When the handshake is complete,
 * or fails, the @func callback will be invoked.
 */
void qio_channel_tls_handshake(QIOChannelTLS *ioc,
                               QIOTaskFunc func,
                               gpointer opaque,
                               GDestroyNotify destroy,
                               GMainContext *context);

/**
 * qio_channel_tls_get_session:
 * @ioc: the TLS channel object
 *
 * Get the TLS session used by the channel.
 *
 * Returns: the TLS session
 */
QCryptoTLSSession *
qio_channel_tls_get_session(QIOChannelTLS *ioc);

#endif /* QIO_CHANNEL_TLS_H */
Commit	Line	Data
ed8ee42c DB	1	/*
	2	* QEMU I/O channels TLS driver
	3	*
	4	* Copyright (c) 2015 Red Hat, Inc.
	5	*
	6	* This library is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU Lesser General Public
	8	* License as published by the Free Software Foundation; either
	9	* version 2 of the License, or (at your option) any later version.
	10	*
	11	* This library is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	* Lesser General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU Lesser General Public
	17	* License along with this library; if not, see <http://www.gnu.org/licenses/>.
	18	*
	19	*/
	20
2a6a4076 MA	21	#ifndef QIO_CHANNEL_TLS_H
2a6a4076 MA	22	#define QIO_CHANNEL_TLS_H
ed8ee42c DB	23
	24	#include "io/channel.h"
	25	#include "io/task.h"
	26	#include "crypto/tlssession.h"
	27
	28	#define TYPE_QIO_CHANNEL_TLS "qio-channel-tls"
	29	#define QIO_CHANNEL_TLS(obj) \
	30	OBJECT_CHECK(QIOChannelTLS, (obj), TYPE_QIO_CHANNEL_TLS)
	31
	32	typedef struct QIOChannelTLS QIOChannelTLS;
	33
	34	/**
	35	* QIOChannelTLS
	36	*
	37	* The QIOChannelTLS class provides a channel wrapper which
	38	* can transparently run the TLS encryption protocol. It is
	39	* usually used over a TCP socket, but there is actually no
	40	* technical restriction on which type of master channel is
	41	* used as the transport.
	42	*
	43	* This channel object is capable of running as either a
	44	* TLS server or TLS client.
	45	*/
	46
	47	struct QIOChannelTLS {
	48	QIOChannel parent;
	49	QIOChannel *master;
	50	QCryptoTLSSession *session;
	51	};
	52
	53	/**
	54	* qio_channel_tls_new_server:
	55	* @master: the underlying channel object
	56	* @creds: the credentials to use for TLS handshake
	57	* @aclname: the access control list for validating clients
821791b5	58	* @errp: pointer to a NULL-initialized error object
ed8ee42c DB	59	*
	60	* Create a new TLS channel that runs the server side of
	61	* a TLS session. The TLS session handshake will use the
	62	* credentials provided in @creds. If the @aclname parameter
	63	* is non-NULL, then the client will have to provide
	64	* credentials (ie a x509 client certificate) which will
	65	* then be validated against the ACL.
	66	*
	67	* After creating the channel, it is mandatory to call
	68	* the qio_channel_tls_handshake() method before attempting
	69	* todo any I/O on the channel.
	70	*
	71	* Once the handshake has completed, all I/O should be done
	72	* via the new TLS channel object and not the original
	73	* master channel
	74	*
	75	* Returns: the new TLS channel object, or NULL
	76	*/
	77	QIOChannelTLS *
	78	qio_channel_tls_new_server(QIOChannel *master,
	79	QCryptoTLSCreds *creds,
	80	const char *aclname,
	81	Error **errp);
	82
	83	/**
	84	* qio_channel_tls_new_client:
	85	* @master: the underlying channel object
	86	* @creds: the credentials to use for TLS handshake
	87	* @hostname: the user specified server hostname
821791b5	88	* @errp: pointer to a NULL-initialized error object
ed8ee42c DB	89	*
	90	* Create a new TLS channel that runs the client side of
	91	* a TLS session. The TLS session handshake will use the
	92	* credentials provided in @creds. The @hostname parameter
	93	* should provide the user specified hostname of the server
	94	* and will be validated against the server's credentials
	95	* (ie CommonName of the x509 certificate)
	96	*
	97	* After creating the channel, it is mandatory to call
	98	* the qio_channel_tls_handshake() method before attempting
	99	* todo any I/O on the channel.
	100	*
	101	* Once the handshake has completed, all I/O should be done
	102	* via the new TLS channel object and not the original
	103	* master channel
	104	*
	105	* Returns: the new TLS channel object, or NULL
	106	*/
	107	QIOChannelTLS *
	108	qio_channel_tls_new_client(QIOChannel *master,
	109	QCryptoTLSCreds *creds,
	110	const char *hostname,
	111	Error **errp);
	112
	113	/**
	114	* qio_channel_tls_handshake:
	115	* @ioc: the TLS channel object
	116	* @func: the callback to invoke when completed
	117	* @opaque: opaque data to pass to @func
	118	* @destroy: optional callback to free @opaque
1939ccda PX	119	* @context: the context that TLS handshake will run with. If %NULL,
1939ccda PX	120	* the default context will be used
ed8ee42c DB	121	*
	122	* Perform the TLS session handshake. This method
	123	* will return immediately and the handshake will
	124	* continue in the background, provided the main
	125	* loop is running. When the handshake is complete,
	126	* or fails, the @func callback will be invoked.
	127	*/
	128	void qio_channel_tls_handshake(QIOChannelTLS *ioc,
	129	QIOTaskFunc func,
	130	gpointer opaque,
1939ccda PX	131	GDestroyNotify destroy,
1939ccda PX	132	GMainContext *context);
ed8ee42c DB	133
	134	/**
	135	* qio_channel_tls_get_session:
	136	* @ioc: the TLS channel object
	137	*
	138	* Get the TLS session used by the channel.
	139	*
	140	* Returns: the TLS session
	141	*/
	142	QCryptoTLSSession *
	143	qio_channel_tls_get_session(QIOChannelTLS *ioc);
	144
2a6a4076	145	#endif /* QIO_CHANNEL_TLS_H */