qemu-devel
Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS en


From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend
Date: Wed, 6 May 2015 11:18:23 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

On Wed, May 06, 2015 at 10:34:06AM +0200, Kashyap Chamarthy wrote:
> On Tue, May 05, 2015 at 04:54:44PM +0200, Kashyap Chamarthy wrote:
> 
> [. . .]
> 
> > While running QEMU as TLS server, the TLS handshake completes
> > successfully when connected via `gnutls-cli`.
> > 
> > However, when using QEMU as client to connect to an existing GnuTLS
> > server, I notice a segmentation fault:
> > 
> >   $ /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64 \
> >       -nodefconfig -nodefaults -device sga -display none \
> >       -chardev socket,id=s0,host=localhost,port=9000,tls-cred=tls0 \
> >       -device isa-serial,chardev=s0 \
> > >       -object qcrypto-tls-creds,id=tls0,credtype=x509,endpoint=client,dir=/export/security/gnutls
> >   Segmentation fault (core dumped)
> 
> Some debugging with `gdb` below.
> 
> QEMU was built with:
> 
>     ./configure --target-list=x86_64-softmmu --enable-debug
>     make -j4
> 
> Stack traces:
> 
> $ gdb /home/kashyapc/build/tls-qemu/x86_64-softmmu/qemu-system-x86_64

> #2  0x00007ffff1c6b3d9 in gnutls_certificate_set_x509_key_file2 () at /lib64/libgnutls.so.28
> #3  0x00005555559aba85 in qcrypto_tls_creds_load_x509 (creds=0x55555639ac60, errp=0x7fffffffd8d8) at /home/kashyapc/tinker-space/qemu/crypto/tlscreds.c:728
>         cacert = 0x55555639a8c0 "/export/security/gnutls/ca-cert.pem"
>         cacrl = 0x0
>         cert = 0x0
>         key = 0x0
>         dhparams = 0x0
>         ret = 1
>         rv = -1

Ah, with QEMU running in client mode, the client cert + key are optional. In
this case you've not provided them (cert & key are 0x0 ie NULL). We are then
mistakenly calling gnutls_certificate_set_x509_key_file2 - if I simply skip
that I'll avoid the crash. Thanks for testing this - I'll add a test case to
validate this scenario too

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
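
The guard described in the message above, as an added example that is not part of the original mail and is not QEMU's code: the key-pair loader is reached only when both paths are non-NULL. All names are hypothetical, `fake_loader` stands in for the TLS library call, and the server-side and half-pair policies are assumptions beyond what the thread states.

```c
#include <stddef.h>
#include <stdio.h>

/* All names are hypothetical; this is not QEMU's tlscreds.c. */
enum endpoint { ENDPOINT_CLIENT, ENDPOINT_SERVER };

enum load_result {
    LOAD_OK_WITH_IDENTITY,  /* key pair handed to the loader and accepted */
    LOAD_OK_ANONYMOUS,      /* client without cert/key: loader skipped */
    LOAD_ERR_MISSING,       /* server without a key pair (assumed policy) */
    LOAD_ERR_HALF_PAIR,     /* only one of cert/key given (assumed policy) */
    LOAD_ERR_LIBRARY        /* loader reported failure */
};

/* Stand-in for the TLS library's key-pair loader, which must never be
 * handed NULL paths. Returns 0 on success, negative on error. */
typedef int (*keypair_loader)(const char *cert, const char *key);

static int loader_calls;    /* instrumentation for this example only */

static int fake_loader(const char *cert, const char *key)
{
    loader_calls++;
    /* Dereferences both paths, as a real loader would. */
    return (cert[0] != '\0' && key[0] != '\0') ? 0 : -1;
}

enum load_result load_identity(enum endpoint ep, const char *cert,
                               const char *key, keypair_loader load)
{
    if (cert == NULL && key == NULL) {
        /* Optional for a client: skip the loader instead of crashing. */
        return ep == ENDPOINT_CLIENT ? LOAD_OK_ANONYMOUS : LOAD_ERR_MISSING;
    }
    if (cert == NULL || key == NULL) {
        /* A lone cert or key is a configuration error, not a crash. */
        return LOAD_ERR_HALF_PAIR;
    }
    return load(cert, key) < 0 ? LOAD_ERR_LIBRARY : LOAD_OK_WITH_IDENTITY;
}

int main(void)
{
    /* Constructed inputs: the reported run had neither cert nor key. */
    printf("client, no pair -> %d\n",
           load_identity(ENDPOINT_CLIENT, NULL, NULL, fake_loader));
    printf("loader calls    -> %d\n", loader_calls);
    return 0;
}
```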
