diff options
author | Peter Maydell <peter.maydell@linaro.org> | 2021-01-29 19:51:25 +0000 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2021-01-29 19:51:25 +0000 |
commit | 74208cd252c5da9d867270a178799abd802b9338 (patch) | |
tree | a2cfcd1a4b5e1d970286c759da2faef0f891539f | |
parent | 9df52f58e76e904fb141b10318362d718f470db2 (diff) | |
parent | ecb98f5c7589ba8ecd15c8b1baa2ec7192e47c75 (diff) | |
download | qemu-74208cd252c5da9d867270a178799abd802b9338.zip qemu-74208cd252c5da9d867270a178799abd802b9338.tar.gz qemu-74208cd252c5da9d867270a178799abd802b9338.tar.bz2 |
Merge remote-tracking branch 'remotes/berrange-gitlab/tags/misc-fixes-pull-request' into staging
* Replace --enable/disable-git-update with --with-git-submodules
to allow improved control over use of git submodules
* Deprecate the -enable-fips option
* Ensure docs use prefer format for bool options
* Clarify platform support rules
* Misc fixes to keymap conversions
* Fix misc problems on macOS
# gpg: Signature made Fri 29 Jan 2021 17:10:13 GMT
# gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full]
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
* remotes/berrange-gitlab/tags/misc-fixes-pull-request:
tests: Replace deprecated ASN1 code
tests: Fix runtime error in test-authz-pam
ui: update keycodemapdb submodule commit
crypto: Add spaces around operator
configure: replace --enable/disable-git-update with --with-git-submodules
docs: fix missing backslash in certtool shell example
docs: simplify and clarify the platform support rules
Prefer 'on' | 'off' over 'yes' | 'no' for bool options
os: deprecate the -enable-fips option and QEMU's FIPS enforcement
crypto: Fix memory leaks in set_loaded for tls-*
crypto: Forbid broken unloading of secrets
crypto: Move USER_CREATABLE to secret_common base class
crypto: Fix some code style problems, add spaces around operator
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r-- | Makefile | 24 | ||||
-rwxr-xr-x | configure | 51 | ||||
-rw-r--r-- | crypto/aes.c | 6 | ||||
-rw-r--r-- | crypto/desrfb.c | 4 | ||||
-rw-r--r-- | crypto/secret.c | 14 | ||||
-rw-r--r-- | crypto/secret_common.c | 21 | ||||
-rw-r--r-- | crypto/secret_keyring.c | 14 | ||||
-rw-r--r-- | crypto/tlscredsanon.c | 3 | ||||
-rw-r--r-- | crypto/tlscredspsk.c | 3 | ||||
-rw-r--r-- | crypto/tlscredsx509.c | 5 | ||||
-rw-r--r-- | docs/system/build-platforms.rst | 63 | ||||
-rw-r--r-- | docs/system/deprecated.rst | 12 | ||||
-rw-r--r-- | docs/system/tls.rst | 2 | ||||
-rw-r--r-- | docs/system/vnc-security.rst | 10 | ||||
-rw-r--r-- | include/authz/listfile.h | 2 | ||||
-rw-r--r-- | os-posix.c | 3 | ||||
-rw-r--r-- | qemu-options.hx | 4 | ||||
-rwxr-xr-x | scripts/git-submodule.sh | 34 | ||||
-rw-r--r-- | tests/crypto-tls-x509-helpers.c | 10 | ||||
-rw-r--r-- | tests/crypto-tls-x509-helpers.h | 2 | ||||
-rw-r--r-- | tests/pkix_asn1_tab.c | 2 | ||||
-rwxr-xr-x | tests/qemu-iotests/233 | 4 | ||||
-rw-r--r-- | tests/test-authz-pam.c | 10 | ||||
m--------- | ui/keycodemapdb | 0 | ||||
-rw-r--r-- | ui/meson.build | 3 |
25 files changed, 160 insertions, 146 deletions
@@ -47,30 +47,10 @@ git-submodule-update: Makefile: .git-submodule-status .PHONY: git-submodule-update - -git_module_status := $(shell \ - cd '$(SRC_PATH)' && \ - GIT="$(GIT)" ./scripts/git-submodule.sh status $(GIT_SUBMODULES); \ - echo $$?; \ -) - -ifeq (1,$(git_module_status)) -ifeq (no,$(GIT_UPDATE)) git-submodule-update: $(call quiet-command, \ - echo && \ - echo "GIT submodule checkout is out of date. Please run" && \ - echo " scripts/git-submodule.sh update $(GIT_SUBMODULES)" && \ - echo "from the source directory checkout $(SRC_PATH)" && \ - echo && \ - exit 1) -else -git-submodule-update: - $(call quiet-command, \ - (cd $(SRC_PATH) && GIT="$(GIT)" ./scripts/git-submodule.sh update $(GIT_SUBMODULES)), \ - "GIT","$(GIT_SUBMODULES)") -endif -endif + (GIT="$(GIT)" "$(SRC_PATH)/scripts/git-submodule.sh" $(GIT_SUBMODULES_ACTION) $(GIT_SUBMODULES)), \ + "GIT","$(GIT_SUBMODULES)") # 0. ensure the build tree is okay @@ -255,12 +255,12 @@ gdb_bin=$(command -v "gdb-multiarch" || command -v "gdb") if test -e "$source_path/.git" then - git_update=yes + git_submodules_action="update" git_submodules="ui/keycodemapdb" git_submodules="$git_submodules tests/fp/berkeley-testfloat-3" git_submodules="$git_submodules tests/fp/berkeley-softfloat-3" else - git_update=no + git_submodules_action="ignore" git_submodules="" if ! test -f "$source_path/ui/keycodemapdb/README" @@ -1499,9 +1499,16 @@ for opt do ;; --with-git=*) git="$optarg" ;; - --enable-git-update) git_update=yes + --enable-git-update) + git_submodules_action="update" + echo "--enable-git-update deprecated, use --with-git-submodules=update" ;; - --disable-git-update) git_update=no + --disable-git-update) + git_submodules_action="validate" + echo "--disable-git-update deprecated, use --with-git-submodules=validate" + ;; + --with-git-submodules=*) + git_submodules_action="$optarg" ;; --enable-debug-mutex) debug_mutex=yes ;; @@ -1557,6 +1564,21 @@ for opt do esac done +case $git_submodules_action in + update|validate) + if test ! -e "$source_path/.git"; then + echo "ERROR: cannot $git_submodules_action git submodules without .git" + exit 1 + fi + ;; + ignore) + ;; + *) + echo "ERROR: invalid --with-git-submodules= value '$git_submodules_action'" + exit 1 + ;; +esac + libdir="${libdir:-$prefix/lib}" libexecdir="${libexecdir:-$prefix/libexec}" includedir="${includedir:-$prefix/include}" @@ -1701,6 +1723,9 @@ Advanced options (experts only): --ninja=NINJA use specified ninja [$ninja] --smbd=SMBD use specified smbd [$smbd] --with-git=GIT use specified git [$git] + --with-git-submodules=update update git submodules (default if .git dir exists) + --with-git-submodules=validate fail if git submodules are not up to date + --with-git-submodules=ignore do not update or check git submodules (default if no .git dir) --static enable static build [$static] --mandir=PATH install man pages in PATH --datadir=PATH install firmware in PATH/$qemu_suffix @@ -1917,7 +1942,7 @@ python="$python -B" if test -z "$meson"; then if test "$explicit_python" = no && has meson && version_ge "$(meson --version)" 0.55.3; then meson=meson - elif test -e "${source_path}/.git" && test $git_update = 'yes' ; then + elif test $git_submodules_action != 'ignore' ; then meson=git elif test -e "${source_path}/meson/meson.py" ; then meson=internal @@ -1985,7 +2010,7 @@ fi # Consult white-list to determine whether to enable werror # by default. Only enable by default for git builds if test -z "$werror" ; then - if test -e "$source_path/.git" && \ + if test "$git_submodules_action" != "ignore" && \ { test "$linux" = "yes" || test "$mingw32" = "yes"; }; then werror="yes" else @@ -3558,7 +3583,7 @@ fi case "$fdt" in auto | enabled | internal) # Simpler to always update submodule, even if not needed. - if test -e "${source_path}/.git" && test $git_update = 'yes' ; then + if test "$git_submodules_action" != "ignore"; then git_submodules="${git_submodules} dtc" fi ;; @@ -4272,7 +4297,7 @@ fi case "$capstone" in auto | enabled | internal) # Simpler to always update submodule, even if not needed. - if test -e "${source_path}/.git" && test $git_update = 'yes' ; then + if test "$git_submodules_action" != "ignore"; then git_submodules="${git_submodules} capstone" fi ;; @@ -5219,7 +5244,7 @@ fi case "$slirp" in auto | enabled | internal) # Simpler to always update submodule, even if not needed. - if test -e "${source_path}/.git" && test $git_update = 'yes' ; then + if test "$git_submodules_action" != "ignore"; then git_submodules="${git_submodules} slirp" fi ;; @@ -5393,7 +5418,7 @@ if test "$cpu" = "s390x" ; then roms="$roms s390-ccw" # SLOF is required for building the s390-ccw firmware on s390x, # since it is using the libnet code from SLOF for network booting. - if test -e "${source_path}/.git" ; then + if test "$git_submodules_action" != "ignore"; then git_submodules="${git_submodules} roms/SLOF" fi fi @@ -5431,8 +5456,8 @@ else cxx= fi -if test $git_update = 'yes' ; then - (cd "${source_path}" && GIT="$git" "./scripts/git-submodule.sh" update "$git_submodules") +if !(GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then + exit 1 fi config_host_mak="config-host.mak" @@ -5443,7 +5468,7 @@ echo >> $config_host_mak echo all: >> $config_host_mak echo "GIT=$git" >> $config_host_mak echo "GIT_SUBMODULES=$git_submodules" >> $config_host_mak -echo "GIT_UPDATE=$git_update" >> $config_host_mak +echo "GIT_SUBMODULES_ACTION=$git_submodules_action" >> $config_host_mak echo "ARCH=$ARCH" >> $config_host_mak diff --git a/crypto/aes.c b/crypto/aes.c index 159800d..af72ff7 100644 --- a/crypto/aes.c +++ b/crypto/aes.c @@ -1080,9 +1080,9 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits, rk = key->rd_key; - if (bits==128) + if (bits == 128) key->rounds = 10; - else if (bits==192) + else if (bits == 192) key->rounds = 12; else key->rounds = 14; @@ -1182,7 +1182,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits, rk = key->rd_key; /* invert the order of the round keys: */ - for (i = 0, j = 4*(key->rounds); i < j; i += 4, j -= 4) { + for (i = 0, j = 4 * (key->rounds); i < j; i += 4, j -= 4) { temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp; temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp; temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp; diff --git a/crypto/desrfb.c b/crypto/desrfb.c index 3274c36..b2a105e 100644 --- a/crypto/desrfb.c +++ b/crypto/desrfb.c @@ -56,7 +56,7 @@ static const unsigned char pc1[56] = { 13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3 }; static const unsigned char totrot[16] = { - 1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28 }; + 1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28 }; static const unsigned char pc2[48] = { 13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9, @@ -93,7 +93,7 @@ void deskey(unsigned char *key, int edf) } for( j = 0; j < 24; j++ ) { if( pcr[pc2[j]] ) kn[m] |= bigbyte[j]; - if( pcr[pc2[j+24]] ) kn[n] |= bigbyte[j]; + if( pcr[pc2[j + 24]] ) kn[n] |= bigbyte[j]; } } cookey(kn); diff --git a/crypto/secret.c b/crypto/secret.c index 281cb81..44eaff1 100644 --- a/crypto/secret.c +++ b/crypto/secret.c @@ -108,13 +108,6 @@ qcrypto_secret_prop_get_file(Object *obj, static void -qcrypto_secret_complete(UserCreatable *uc, Error **errp) -{ - object_property_set_bool(OBJECT(uc), "loaded", true, errp); -} - - -static void qcrypto_secret_finalize(Object *obj) { QCryptoSecret *secret = QCRYPTO_SECRET(obj); @@ -129,9 +122,6 @@ qcrypto_secret_class_init(ObjectClass *oc, void *data) QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc); sic->load_data = qcrypto_secret_load_data; - UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); - ucc->complete = qcrypto_secret_complete; - object_class_property_add_str(oc, "data", qcrypto_secret_prop_get_data, qcrypto_secret_prop_set_data); @@ -148,10 +138,6 @@ static const TypeInfo qcrypto_secret_info = { .instance_finalize = qcrypto_secret_finalize, .class_size = sizeof(QCryptoSecretClass), .class_init = qcrypto_secret_class_init, - .interfaces = (InterfaceInfo[]) { - { TYPE_USER_CREATABLE }, - { } - } }; diff --git a/crypto/secret_common.c b/crypto/secret_common.c index b03d530..714a15d 100644 --- a/crypto/secret_common.c +++ b/crypto/secret_common.c @@ -191,9 +191,9 @@ qcrypto_secret_prop_set_loaded(Object *obj, secret->rawdata = input; secret->rawlen = inputlen; - } else { - g_free(secret->rawdata); - secret->rawlen = 0; + } else if (secret->rawdata) { + error_setg(errp, "Cannot unload secret"); + return; } } @@ -269,6 +269,13 @@ qcrypto_secret_prop_get_keyid(Object *obj, static void +qcrypto_secret_complete(UserCreatable *uc, Error **errp) +{ + object_property_set_bool(OBJECT(uc), "loaded", true, errp); +} + + +static void qcrypto_secret_finalize(Object *obj) { QCryptoSecretCommon *secret = QCRYPTO_SECRET_COMMON(obj); @@ -281,6 +288,10 @@ qcrypto_secret_finalize(Object *obj) static void qcrypto_secret_class_init(ObjectClass *oc, void *data) { + UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); + + ucc->complete = qcrypto_secret_complete; + object_class_property_add_bool(oc, "loaded", qcrypto_secret_prop_get_loaded, qcrypto_secret_prop_set_loaded); @@ -390,6 +401,10 @@ static const TypeInfo qcrypto_secret_info = { .class_size = sizeof(QCryptoSecretCommonClass), .class_init = qcrypto_secret_class_init, .abstract = true, + .interfaces = (InterfaceInfo[]) { + { TYPE_USER_CREATABLE }, + { } + } }; diff --git a/crypto/secret_keyring.c b/crypto/secret_keyring.c index 10d8bc4..1b7edec 100644 --- a/crypto/secret_keyring.c +++ b/crypto/secret_keyring.c @@ -103,21 +103,11 @@ qcrypto_secret_prop_get_key(Object *obj, Visitor *v, static void -qcrypto_secret_keyring_complete(UserCreatable *uc, Error **errp) -{ - object_property_set_bool(OBJECT(uc), "loaded", true, errp); -} - - -static void qcrypto_secret_keyring_class_init(ObjectClass *oc, void *data) { QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc); sic->load_data = qcrypto_secret_keyring_load_data; - UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); - ucc->complete = qcrypto_secret_keyring_complete; - object_class_property_add(oc, "serial", "int32_t", qcrypto_secret_prop_get_key, qcrypto_secret_prop_set_key, @@ -130,10 +120,6 @@ static const TypeInfo qcrypto_secret_info = { .name = TYPE_QCRYPTO_SECRET_KEYRING, .instance_size = sizeof(QCryptoSecretKeyring), .class_init = qcrypto_secret_keyring_class_init, - .interfaces = (InterfaceInfo[]) { - { TYPE_USER_CREATABLE }, - { } - } }; diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c index 30275b6..bea5f76 100644 --- a/crypto/tlscredsanon.c +++ b/crypto/tlscredsanon.c @@ -123,10 +123,9 @@ qcrypto_tls_creds_anon_prop_set_loaded(Object *obj, { QCryptoTLSCredsAnon *creds = QCRYPTO_TLS_CREDS_ANON(obj); + qcrypto_tls_creds_anon_unload(creds); if (value) { qcrypto_tls_creds_anon_load(creds, errp); - } else { - qcrypto_tls_creds_anon_unload(creds); } } diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c index e26807b..f5a3110 100644 --- a/crypto/tlscredspsk.c +++ b/crypto/tlscredspsk.c @@ -192,10 +192,9 @@ qcrypto_tls_creds_psk_prop_set_loaded(Object *obj, { QCryptoTLSCredsPSK *creds = QCRYPTO_TLS_CREDS_PSK(obj); + qcrypto_tls_creds_psk_unload(creds); if (value) { qcrypto_tls_creds_psk_load(creds, errp); - } else { - qcrypto_tls_creds_psk_unload(creds); } } diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index dd7267c..dbadad4 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -143,7 +143,7 @@ qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds, if (status < 0) { if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN : - GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT; + GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT; } else { error_setg(errp, "Unable to query certificate %s key usage: %s", @@ -694,10 +694,9 @@ qcrypto_tls_creds_x509_prop_set_loaded(Object *obj, { QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj); + qcrypto_tls_creds_x509_unload(creds); if (value) { qcrypto_tls_creds_x509_load(creds, errp); - } else { - qcrypto_tls_creds_x509_unload(creds); } } diff --git a/docs/system/build-platforms.rst b/docs/system/build-platforms.rst index 9734eba..6923236 100644 --- a/docs/system/build-platforms.rst +++ b/docs/system/build-platforms.rst @@ -25,55 +25,38 @@ software in their distro, QEMU upstream code will not add explicit support for those backports, unless the feature is auto-detectable in a manner that works for the upstream releases too. -The Repology site https://repology.org is a useful resource to identify +The `Repology`_ site is a useful resource to identify currently shipped versions of software in various operating systems, though it does not cover all distros listed below. -Linux OS --------- +Linux OS, macOS, FreeBSD, NetBSD, OpenBSD +----------------------------------------- -For distributions with frequent, short-lifetime releases, the project -will aim to support all versions that are not end of life by their -respective vendors. For the purposes of identifying supported software -versions, the project will look at Fedora, Ubuntu, and openSUSE distros. -Other short- lifetime distros will be assumed to ship similar software -versions. +The project aims to support the most recent major version at all times. Support +for the previous major version will be dropped 2 years after the new major +version is released or when the vendor itself drops support, whichever comes +first. In this context, third-party efforts to extend the lifetime of a distro +are not considered, even when they are endorsed by the vendor (eg. Debian LTS). -For distributions with long-lifetime releases, the project will aim to -support the most recent major version at all times. Support for the -previous major version will be dropped 2 years after the new major -version is released, or when it reaches "end of life". For the purposes -of identifying supported software versions, the project will look at -RHEL, Debian, Ubuntu LTS, and SLES distros. Other long-lifetime distros -will be assumed to ship similar software versions. +For the purposes of identifying supported software versions available on Linux, +the project will look at CentOS, Debian, Fedora, openSUSE, RHEL, SLES and +Ubuntu LTS. Other distros will be assumed to ship similar software versions. -Windows -------- - -The project supports building with current versions of the MinGW -toolchain, hosted on Linux. - -macOS ------ +For FreeBSD and OpenBSD, decisions will be made based on the contents of the +respective ports repository, while NetBSD will use the pkgsrc repository. -The project supports building with the two most recent versions of -macOS, with the current Homebrew package set available. +For macOS, `HomeBrew`_ will be used, although `MacPorts`_ is expected to carry +similar versions. -FreeBSD +Windows ------- -The project aims to support all versions which are not end of -life. - -NetBSD ------- +The project supports building with current versions of the MinGW toolchain, +hosted on Linux (Debian/Fedora). -The project aims to support the most recent major version at all times. -Support for the previous major version will be dropped 2 years after the -new major version is released. - -OpenBSD -------- +The version of the Windows API that's currently targeted is Vista / Server +2008. -The project aims to support all versions which are not end of -life. +.. _HomeBrew: https://brew.sh/ +.. _MacPorts: https://www.macports.org/ +.. _Repology: https://repology.org/ diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst index 9de6635..6ac757e 100644 --- a/docs/system/deprecated.rst +++ b/docs/system/deprecated.rst @@ -134,6 +134,18 @@ Boolean options such as ``share=on``/``share=off`` could be written in short form as ``share`` and ``noshare``. This is now deprecated and will cause a warning. +``--enable-fips`` (since 6.0) +''''''''''''''''''''''''''''' + +This option restricts usage of certain cryptographic algorithms when +the host is operating in FIPS mode. + +If FIPS compliance is required, QEMU should be built with the ``libgcrypt`` +library enabled as a cryptography provider. + +Neither the ``nettle`` library, or the built-in cryptography provider are +supported on FIPS enabled hosts. + QEMU Machine Protocol (QMP) commands ------------------------------------ diff --git a/docs/system/tls.rst b/docs/system/tls.rst index dc2b942..b0973af 100644 --- a/docs/system/tls.rst +++ b/docs/system/tls.rst @@ -64,7 +64,7 @@ interactive prompts from certtool:: cert_signing_key EOF # certtool --generate-self-signed \ - --load-privkey ca-key.pem + --load-privkey ca-key.pem \ --template ca.info \ --outfile ca-cert.pem diff --git a/docs/system/vnc-security.rst b/docs/system/vnc-security.rst index 558e4fa..ebca656 100644 --- a/docs/system/vnc-security.rst +++ b/docs/system/vnc-security.rst @@ -65,7 +65,7 @@ encrypted session. .. parsed-literal:: |qemu_system| [...OPTIONS...] \ - -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \ + -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=off \ -vnc :1,tls-creds=tls0 -monitor stdio In the above example ``/etc/pki/qemu`` should contain at least three @@ -84,12 +84,12 @@ connecting. The server will request that the client provide a certificate, which it will then validate against the CA certificate. This is a good choice if deploying in an environment with a private internal certificate authority. It uses the same syntax as previously, -but with ``verify-peer`` set to ``yes`` instead. +but with ``verify-peer`` set to ``on`` instead. .. parsed-literal:: |qemu_system| [...OPTIONS...] \ - -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \ + -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \ -vnc :1,tls-creds=tls0 -monitor stdio .. _vnc_005fsec_005fcertificate_005fpw: @@ -103,7 +103,7 @@ authentication to provide two layers of authentication for clients. .. parsed-literal:: |qemu_system| [...OPTIONS...] \ - -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \ + -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \ -vnc :1,tls-creds=tls0,password -monitor stdio (qemu) change vnc password Password: ******** @@ -145,7 +145,7 @@ x509 options: .. parsed-literal:: |qemu_system| [...OPTIONS...] \ - -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \ + -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \ -vnc :1,tls-creds=tls0,sasl -monitor stdio .. _vnc_005fsetup_005fsasl: diff --git a/include/authz/listfile.h b/include/authz/listfile.h index 0a1e5bd..0b7fe72 100644 --- a/include/authz/listfile.h +++ b/include/authz/listfile.h @@ -73,7 +73,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(QAuthZListFile, * The object can be created on the command line using * * -object authz-list-file,id=authz0,\ - * filename=/etc/qemu/myvm-vnc.acl,refresh=yes + * filename=/etc/qemu/myvm-vnc.acl,refresh=on * */ struct QAuthZListFile { @@ -153,6 +153,9 @@ int os_parse_cmd_args(int index, const char *optarg) break; #if defined(CONFIG_LINUX) case QEMU_OPTION_enablefips: + warn_report("-enable-fips is deprecated, please build QEMU with " + "the `libgcrypt` library as the cryptography provider " + "to enable FIPS compliance"); fips_set_state(true); break; #endif diff --git a/qemu-options.hx b/qemu-options.hx index 9172d51..d0410f0 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -5027,7 +5027,7 @@ SRST Note the use of quotes due to the x509 distinguished name containing whitespace, and escaping of ','. - ``-object authz-listfile,id=id,filename=path,refresh=yes|no`` + ``-object authz-listfile,id=id,filename=path,refresh=on|off`` Create an authorization object that will control access to network services. @@ -5072,7 +5072,7 @@ SRST # |qemu_system| \\ ... \\ - -object authz-simple,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=yes \\ + -object authz-simple,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=on \\ ... ``-object authz-pam,id=id,service=string`` diff --git a/scripts/git-submodule.sh b/scripts/git-submodule.sh index 65ed877..e225d3a 100755 --- a/scripts/git-submodule.sh +++ b/scripts/git-submodule.sh @@ -9,9 +9,14 @@ command=$1 shift maybe_modules="$@" +# if --with-git-submodules=ignore, do nothing +test "$command" = "ignore" && exit 0 + test -z "$GIT" && GIT=git -error() { +cd "$(dirname "$0")/.." + +update_error() { echo "$0: $*" echo echo "Unable to automatically checkout GIT submodules '$modules'." @@ -24,7 +29,7 @@ error() { echo "Alternatively you may disable automatic GIT submodule checkout" echo "with:" echo - echo " $ ./configure --disable-git-update" + echo " $ ./configure --with-git-submodules=validate" echo echo "and then manually update submodules prior to running make, with:" echo @@ -33,6 +38,19 @@ error() { exit 1 } +validate_error() { + if test "$1" = "validate"; then + echo "GIT submodules checkout is out of date, and submodules" + echo "configured for validate only. Please run" + echo " scripts/git-submodule.sh update $maybe_modules" + echo "from the source directory or call configure with" + echo " --with-git-submodules=update" + echo "To disable GIT submodules validation, use" + echo " --with-git-submodules=ignore" + fi + exit 1 +} + modules="" for m in $maybe_modules do @@ -52,18 +70,18 @@ then fi case "$command" in -status) +status|validate) if test -z "$maybe_modules" then - test -s ${substat} && exit 1 || exit 0 + test -s ${substat} && validate_error "$command" || exit 0 fi - test -f "$substat" || exit 1 + test -f "$substat" || validate_error "$command" for module in $modules; do CURSTATUS=$($GIT submodule status $module) OLDSTATUS=$(cat $substat | grep $module) if test "$CURSTATUS" != "$OLDSTATUS"; then - exit 1 + validate_error "$command" fi done exit 0 @@ -76,10 +94,10 @@ update) fi $GIT submodule update --init $modules 1>/dev/null - test $? -ne 0 && error "failed to update modules" + test $? -ne 0 && update_error "failed to update modules" $GIT submodule status $modules > "${substat}" - test $? -ne 0 && error "failed to save git submodule status" >&2 + test $? -ne 0 && update_error "failed to save git submodule status" >&2 ;; esac diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c index 01b3daf..9765859 100644 --- a/tests/crypto-tls-x509-helpers.c +++ b/tests/crypto-tls-x509-helpers.c @@ -30,7 +30,7 @@ * This stores some static data that is needed when * encoding extensions in the x509 certs */ -ASN1_TYPE pkix_asn1; +asn1_node pkix_asn1; /* * To avoid consuming random entropy to generate keys, @@ -139,7 +139,7 @@ void test_tls_cleanup(const char *keyfile) /* * Turns an ASN1 object into a DER encoded byte array */ -static void test_tls_der_encode(ASN1_TYPE src, +static void test_tls_der_encode(asn1_node src, const char *src_name, gnutls_datum_t *res) { @@ -317,7 +317,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req, * the 'critical' field which we want control over */ if (req->basicConstraintsEnable) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; + asn1_node ext = NULL; asn1_create_element(pkix_asn1, "PKIX1.BasicConstraints", &ext); asn1_write_value(ext, "cA", @@ -344,7 +344,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req, * to be 'critical' */ if (req->keyUsageEnable) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; + asn1_node ext = NULL; char str[2]; str[0] = req->keyUsageValue & 0xff; @@ -374,7 +374,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req, * set this the hard way building up ASN1 data ourselves */ if (req->keyPurposeEnable) { - ASN1_TYPE ext = ASN1_TYPE_EMPTY; + asn1_node ext = NULL; asn1_create_element(pkix_asn1, "PKIX1.ExtKeyUsageSyntax", &ext); if (req->keyPurposeOID1) { diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h index 08efba4..8fcd778 100644 --- a/tests/crypto-tls-x509-helpers.h +++ b/tests/crypto-tls-x509-helpers.h @@ -125,7 +125,7 @@ void test_tls_cleanup(const char *keyfile); }; \ test_tls_generate_cert(&varname, NULL) -extern const ASN1_ARRAY_TYPE pkix_asn1_tab[]; +extern const asn1_static_node pkix_asn1_tab[]; #endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */ diff --git a/tests/pkix_asn1_tab.c b/tests/pkix_asn1_tab.c index f15fc51..4aaf736 100644 --- a/tests/pkix_asn1_tab.c +++ b/tests/pkix_asn1_tab.c @@ -8,7 +8,7 @@ #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT -const ASN1_ARRAY_TYPE pkix_asn1_tab[] = { +const asn1_static_node pkix_asn1_tab[] = { {"PKIX1", 536875024, 0}, {0, 1073741836, 0}, {"id-ce", 1879048204, 0}, diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233 index 7ce5764..da150cd 100755 --- a/tests/qemu-iotests/233 +++ b/tests/qemu-iotests/233 @@ -84,7 +84,7 @@ echo echo "== check plain client to TLS server fails ==" nbd_server_start_tcp_socket \ - --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \ + --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \ --tls-creds tls0 \ -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log" @@ -129,7 +129,7 @@ echo "== check TLS with authorization ==" nbd_server_stop nbd_server_start_tcp_socket \ - --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \ + --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \ --object "authz-simple,id=authz0,identity=CN=localhost,, \ O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \ --tls-authz authz0 \ diff --git a/tests/test-authz-pam.c b/tests/test-authz-pam.c index 1baeade..4fe1ef2 100644 --- a/tests/test-authz-pam.c +++ b/tests/test-authz-pam.c @@ -28,7 +28,7 @@ static bool failauth; /* - * These two functions are exported by libpam.so. + * These three functions are exported by libpam.so. * * By defining them again here, our impls are resolved * by the linker instead of those in libpam.so @@ -50,6 +50,7 @@ pam_start(const char *service_name, const char *user, failauth = false; } + *pamh = (pam_handle_t *)0xbadeaffe; return PAM_SUCCESS; } @@ -65,6 +66,13 @@ pam_acct_mgmt(pam_handle_t *pamh, int flags) } +int +pam_end(pam_handle_t *pamh, int status) +{ + return PAM_SUCCESS; +} + + static void test_authz_unknown_service(void) { Error *local_err = NULL; diff --git a/ui/keycodemapdb b/ui/keycodemapdb -Subproject 6b3d716e2b6472eb7189d3220552280ef3d832c +Subproject 6119e6e19a050df847418de7babe5166779955e diff --git a/ui/meson.build b/ui/meson.build index 634faba..156b600 100644 --- a/ui/meson.build +++ b/ui/meson.build @@ -127,9 +127,10 @@ if have_system or xkbcommon.found() capture: true, input: files('keycodemapdb/data/keymaps.csv'), command: [python.full_path(), files('keycodemapdb/tools/keymap-gen'), + 'code-map', '--lang', 'glib2', '--varname', 'qemu_input_map_@0@_to_@1@'.format(e[0], e[1]), - 'code-map', '@INPUT0@', e[0], e[1]]) + '@INPUT0@', e[0], e[1]]) endforeach endif |