riscv
/
qemu
mirror of https://gitea.goldendeliverer.com/riscv/qemu.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

vnc: remove support for deprecated tls, x509, x509verify options 

The 'tls-creds' option accepts the name of a TLS credentials
object. This replaced the usage of 'tls', 'x509' and 'x509verify'
options in 2.5.0. These deprecated options were grandfathered in
when the deprecation policy was introduded in 2.10.0, so can now
finally be removed.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20180725092751.21767-3-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
pull/71/merge
Daniel P. Berrangé 8 years ago
committed by Gerd Hoffmann
parent
756b9da719
commit
ec86faa934
3 changed files with 0 additions and 154 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 20
      qemu-deprecated.texi
  2. 43
      qemu-options.hx
  3. 91
      ui/vnc.c

20
qemu-deprecated.texi
View File

@ -40,26 +40,6 @@ which is the default.
The ``-no-kvm'' argument is now a synonym for setting The ``-no-kvm'' argument is now a synonym for setting
``-machine accel=tcg''. ``-machine accel=tcg''.
@subsection -vnc tls (since 2.5.0)
The ``-vnc tls'' argument is now a synonym for setting
``-object tls-creds-anon,id=tls0'' combined with
``-vnc tls-creds=tls0'
@subsection -vnc x509 (since 2.5.0)
The ``-vnc x509=/path/to/certs'' argument is now a
synonym for setting
``-object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=no''
combined with ``-vnc tls-creds=tls0'
@subsection -vnc x509verify (since 2.5.0)
The ``-vnc x509verify=/path/to/certs'' argument is now a
synonym for setting
``-object tls-creds-x509,dir=/path/to/certs,id=tls0,verify-peer=yes''
combined with ``-vnc tls-creds=tls0'
@subsection -tftp (since 2.6.0) @subsection -tftp (since 2.6.0)
The ``-tftp /some/dir'' argument is replaced by either The ``-tftp /some/dir'' argument is replaced by either

43
qemu-options.hx
View File

@ -1632,49 +1632,6 @@ will cause the VNC server socket to enable the VeNCrypt auth
mechanism. The credentials should have been previously created mechanism. The credentials should have been previously created
using the @option{-object tls-creds} argument. using the @option{-object tls-creds} argument.
The @option{tls-creds} parameter obsoletes the @option{tls},
@option{x509}, and @option{x509verify} options, and as such
it is not permitted to set both new and old type options at
the same time.
@item tls
Require that client use TLS when communicating with the VNC server. This
uses anonymous TLS credentials so is susceptible to a man-in-the-middle
attack. It is recommended that this option be combined with either the
@option{x509} or @option{x509verify} options.
This option is now deprecated in favor of using the @option{tls-creds}
argument.
@item x509=@var{/path/to/certificate/dir}
Valid if @option{tls} is specified. Require that x509 credentials are used
for negotiating the TLS session. The server will send its x509 certificate
to the client. It is recommended that a password be set on the VNC server
to provide authentication of the client when this is used. The path following
this option specifies where the x509 certificates are to be loaded from.
See the @ref{vnc_security} section for details on generating certificates.
This option is now deprecated in favour of using the @option{tls-creds}
argument.
@item x509verify=@var{/path/to/certificate/dir}
Valid if @option{tls} is specified. Require that x509 credentials are used
for negotiating the TLS session. The server will send its x509 certificate
to the client, and request that the client send its own x509 certificate.
The server will validate the client's certificate against the CA certificate,
and reject clients when validation fails. If the certificate authority is
trusted, this is a sufficient authentication mechanism. You may still wish
to set a password on the VNC server as a second authentication layer. The
path following this option specifies where the x509 certificates are to
be loaded from. See the @ref{vnc_security} section for details on generating
certificates.
This option is now deprecated in favour of using the @option{tls-creds}
argument.
@item sasl @item sasl
Require that the client use SASL to authenticate with the VNC server. Require that the client use SASL to authenticate with the VNC server.

91
ui/vnc.c
View File

@ -3344,10 +3344,6 @@ static QemuOptsList qemu_vnc_opts = {
},{ },{
.name = "tls-creds", .name = "tls-creds",
.type = QEMU_OPT_STRING, .type = QEMU_OPT_STRING,
},{
/* Deprecated in favour of tls-creds */
.name = "x509",
.type = QEMU_OPT_STRING,
},{ },{
.name = "share", .name = "share",
.type = QEMU_OPT_STRING, .type = QEMU_OPT_STRING,
@ -3384,14 +3380,6 @@ static QemuOptsList qemu_vnc_opts = {
},{ },{
.name = "sasl", .name = "sasl",
.type = QEMU_OPT_BOOL, .type = QEMU_OPT_BOOL,
},{
/* Deprecated in favour of tls-creds */
.name = "tls",
.type = QEMU_OPT_BOOL,
},{
/* Deprecated in favour of tls-creds */
.name = "x509verify",
.type = QEMU_OPT_STRING,
},{ },{
.name = "acl", .name = "acl",
.type = QEMU_OPT_BOOL, .type = QEMU_OPT_BOOL,
@ -3519,51 +3507,6 @@ vnc_display_setup_auth(int *auth,
} }
/*
* Handle back compat with old CLI syntax by creating some
* suitable QCryptoTLSCreds objects
*/
static QCryptoTLSCreds *
vnc_display_create_creds(bool x509,
bool x509verify,
const char *dir,
const char *id,
Error **errp)
{
gchar *credsid = g_strdup_printf("tlsvnc%s", id);
Object *parent = object_get_objects_root();
Object *creds;
Error *err = NULL;
if (x509) {
creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_X509,
parent,
credsid,
&err,
"endpoint", "server",
"dir", dir,
"verify-peer", x509verify ? "yes" : "no",
NULL);
} else {
creds = object_new_with_props(TYPE_QCRYPTO_TLS_CREDS_ANON,
parent,
credsid,
&err,
"endpoint", "server",
NULL);
}
g_free(credsid);
if (err) {
error_propagate(errp, err);
return NULL;
}
return QCRYPTO_TLS_CREDS(creds);
}
static int vnc_display_get_address(const char *addrstr, static int vnc_display_get_address(const char *addrstr,
bool websocket, bool websocket,
bool reverse, bool reverse,
@ -3930,15 +3873,6 @@ void vnc_display_open(const char *id, Error **errp)
credid = qemu_opt_get(opts, "tls-creds"); credid = qemu_opt_get(opts, "tls-creds");
if (credid) { if (credid) {
Object *creds; Object *creds;
if (qemu_opt_get(opts, "tls") ||
qemu_opt_get(opts, "x509") ||
qemu_opt_get(opts, "x509verify")) {
error_setg(errp,
"'tls-creds' parameter is mutually exclusive with "
"'tls', 'x509' and 'x509verify' parameters");
goto fail;
}
creds = object_resolve_path_component( creds = object_resolve_path_component(
object_get_objects_root(), credid); object_get_objects_root(), credid);
if (!creds) { if (!creds) {
@ -3961,31 +3895,6 @@ void vnc_display_open(const char *id, Error **errp)
"Expecting TLS credentials with a server endpoint"); "Expecting TLS credentials with a server endpoint");
goto fail; goto fail;
} }
} else {
const char *path;
bool tls = false, x509 = false, x509verify = false;
tls = qemu_opt_get_bool(opts, "tls", false);
if (tls) {
path = qemu_opt_get(opts, "x509");
if (path) {
x509 = true;
} else {
path = qemu_opt_get(opts, "x509verify");
if (path) {
x509 = true;
x509verify = true;
}
}
vd->tlscreds = vnc_display_create_creds(x509,
x509verify,
path,
vd->id,
errp);
if (!vd->tlscreds) {
goto fail;
}
}
} }
acl = qemu_opt_get_bool(opts, "acl", false); acl = qemu_opt_get_bool(opts, "acl", false);

Write Preview
Loading…
Cancel
Save