authorPeter Maydell <peter.maydell@linaro.org>2021-01-29 19:51:25 +0000
committerPeter Maydell <peter.maydell@linaro.org>2021-01-29 19:51:25 +0000
commit74208cd252c5da9d867270a178799abd802b9338 (patch)
treea2cfcd1a4b5e1d970286c759da2faef0f891539f
parent9df52f58e76e904fb141b10318362d718f470db2 (diff)
parentecb98f5c7589ba8ecd15c8b1baa2ec7192e47c75 (diff)
Merge remote-tracking branch 'remotes/berrange-gitlab/tags/misc-fixes-pull-request' into staging
* Replace --enable/disable-git-update with --with-git-submodules to allow improved control over use of git submodules * Deprecate the -enable-fips option * Ensure docs use prefer format for bool options * Clarify platform support rules * Misc fixes to keymap conversions * Fix misc problems on macOS # gpg: Signature made Fri 29 Jan 2021 17:10:13 GMT # gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF # gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full] # gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full] # Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF * remotes/berrange-gitlab/tags/misc-fixes-pull-request: tests: Replace deprecated ASN1 code tests: Fix runtime error in test-authz-pam ui: update keycodemapdb submodule commit crypto: Add spaces around operator configure: replace --enable/disable-git-update with --with-git-submodules docs: fix missing backslash in certtool shell example docs: simplify and clarify the platform support rules Prefer 'on' | 'off' over 'yes' | 'no' for bool options os: deprecate the -enable-fips option and QEMU's FIPS enforcement crypto: Fix memory leaks in set_loaded for tls-* crypto: Forbid broken unloading of secrets crypto: Move USER_CREATABLE to secret_common base class crypto: Fix some code style problems, add spaces around operator Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r--Makefile24
-rwxr-xr-xconfigure51
-rw-r--r--crypto/aes.c6
-rw-r--r--crypto/desrfb.c4
-rw-r--r--crypto/secret.c14
-rw-r--r--crypto/secret_common.c21
-rw-r--r--crypto/secret_keyring.c14
-rw-r--r--crypto/tlscredsanon.c3
-rw-r--r--crypto/tlscredspsk.c3
-rw-r--r--crypto/tlscredsx509.c5
-rw-r--r--docs/system/build-platforms.rst63
-rw-r--r--docs/system/deprecated.rst12
-rw-r--r--docs/system/tls.rst2
-rw-r--r--docs/system/vnc-security.rst10
-rw-r--r--include/authz/listfile.h2
-rw-r--r--os-posix.c3
-rw-r--r--qemu-options.hx4
-rwxr-xr-xscripts/git-submodule.sh34
-rw-r--r--tests/crypto-tls-x509-helpers.c10
-rw-r--r--tests/crypto-tls-x509-helpers.h2
-rw-r--r--tests/pkix_asn1_tab.c2
-rwxr-xr-xtests/qemu-iotests/2334
-rw-r--r--tests/test-authz-pam.c10
m---------ui/keycodemapdb0
-rw-r--r--ui/meson.build3
25 files changed, 160 insertions, 146 deletions
diff --git a/Makefile b/Makefile
index 291ea19f2e..b0dff73904 100644
--- a/Makefile
+++ b/Makefile
@@ -47,30 +47,10 @@ git-submodule-update:
Makefile: .git-submodule-status
.PHONY: git-submodule-update
-
-git_module_status := $(shell \
- cd '$(SRC_PATH)' && \
- GIT="$(GIT)" ./scripts/git-submodule.sh status $(GIT_SUBMODULES); \
- echo $$?; \
-)
-
-ifeq (1,$(git_module_status))
-ifeq (no,$(GIT_UPDATE))
git-submodule-update:
$(call quiet-command, \
- echo && \
- echo "GIT submodule checkout is out of date. Please run" && \
- echo " scripts/git-submodule.sh update $(GIT_SUBMODULES)" && \
- echo "from the source directory checkout $(SRC_PATH)" && \
- echo && \
- exit 1)
-else
-git-submodule-update:
- $(call quiet-command, \
- (cd $(SRC_PATH) && GIT="$(GIT)" ./scripts/git-submodule.sh update $(GIT_SUBMODULES)), \
- "GIT","$(GIT_SUBMODULES)")
-endif
-endif
+ (GIT="$(GIT)" "$(SRC_PATH)/scripts/git-submodule.sh" $(GIT_SUBMODULES_ACTION) $(GIT_SUBMODULES)), \
+ "GIT","$(GIT_SUBMODULES)")
# 0. ensure the build tree is okay
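Review bot: `$(GIT_SUBMODULES_ACTION)` is passed to the script unquoted in the new git-submodule-update recipe, so if the variable is empty (for example a config-host.mak written before this change, which only defined GIT_UPDATE) the first entry of `$(GIT_SUBMODULES)` is shifted into the script's `command` slot and the requested action is silently lost. Quoting it, `"$(GIT_SUBMODULES_ACTION)"`, keeps an empty action as an explicit empty argument that the script can reject. Whether the script rejects an unknown command depends on its case statement, whose default branch is not visible in this diff.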
diff --git a/configure b/configure
index dd2225010b..e85d6baf8f 100755
--- a/configure
+++ b/configure
@@ -255,12 +255,12 @@ gdb_bin=$(command -v "gdb-multiarch" || command -v "gdb")
if test -e "$source_path/.git"
then
- git_update=yes
+ git_submodules_action="update"
git_submodules="ui/keycodemapdb"
git_submodules="$git_submodules tests/fp/berkeley-testfloat-3"
git_submodules="$git_submodules tests/fp/berkeley-softfloat-3"
else
- git_update=no
+ git_submodules_action="ignore"
git_submodules=""
if ! test -f "$source_path/ui/keycodemapdb/README"
@@ -1499,9 +1499,16 @@ for opt do
;;
--with-git=*) git="$optarg"
;;
- --enable-git-update) git_update=yes
+ --enable-git-update)
+ git_submodules_action="update"
+ echo "--enable-git-update deprecated, use --with-git-submodules=update"
;;
- --disable-git-update) git_update=no
+ --disable-git-update)
+ git_submodules_action="validate"
+ echo "--disable-git-update deprecated, use --with-git-submodules=validate"
+ ;;
+ --with-git-submodules=*)
+ git_submodules_action="$optarg"
;;
--enable-debug-mutex) debug_mutex=yes
;;
@@ -1557,6 +1564,21 @@ for opt do
esac
done
+case $git_submodules_action in
+ update|validate)
+ if test ! -e "$source_path/.git"; then
+ echo "ERROR: cannot $git_submodules_action git submodules without .git"
+ exit 1
+ fi
+ ;;
+ ignore)
+ ;;
+ *)
+ echo "ERROR: invalid --with-git-submodules= value '$git_submodules_action'"
+ exit 1
+ ;;
+esac
+
libdir="${libdir:-$prefix/lib}"
libexecdir="${libexecdir:-$prefix/libexec}"
includedir="${includedir:-$prefix/include}"
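Review bot: The two new error paths in the `case $git_submodules_action` block report with `echo` to stdout followed by `exit 1`, whereas configure's other fatal option checks go through the `error_exit` helper, which writes to stderr; if that helper is in scope here, `error_exit "cannot $git_submodules_action git submodules without .git"` and `error_exit "invalid --with-git-submodules= value '$git_submodules_action'"` keep the message visible when stdout is redirected to a log. The validation itself is placed correctly: it runs after option parsing, so both the default derived from the presence of `.git` and an explicit `--with-git-submodules=` value are covered.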
@@ -1701,6 +1723,9 @@ Advanced options (experts only):
--ninja=NINJA use specified ninja [$ninja]
--smbd=SMBD use specified smbd [$smbd]
--with-git=GIT use specified git [$git]
+ --with-git-submodules=update update git submodules (default if .git dir exists)
+ --with-git-submodules=validate fail if git submodules are not up to date
+ --with-git-submodules=ignore do not update or check git submodules (default if no .git dir)
--static enable static build [$static]
--mandir=PATH install man pages in PATH
--datadir=PATH install firmware in PATH/$qemu_suffix
@@ -1917,7 +1942,7 @@ python="$python -B"
if test -z "$meson"; then
if test "$explicit_python" = no && has meson && version_ge "$(meson --version)" 0.55.3; then
meson=meson
- elif test -e "${source_path}/.git" && test $git_update = 'yes' ; then
+ elif test $git_submodules_action != 'ignore' ; then
meson=git
elif test -e "${source_path}/meson/meson.py" ; then
meson=internal
@@ -1985,7 +2010,7 @@ fi
# Consult white-list to determine whether to enable werror
# by default. Only enable by default for git builds
if test -z "$werror" ; then
- if test -e "$source_path/.git" && \
+ if test "$git_submodules_action" != "ignore" && \
{ test "$linux" = "yes" || test "$mingw32" = "yes"; }; then
werror="yes"
else
@@ -3558,7 +3583,7 @@ fi
case "$fdt" in
auto | enabled | internal)
# Simpler to always update submodule, even if not needed.
- if test -e "${source_path}/.git" && test $git_update = 'yes' ; then
+ if test "$git_submodules_action" != "ignore"; then
git_submodules="${git_submodules} dtc"
fi
;;
@@ -4272,7 +4297,7 @@ fi
case "$capstone" in
auto | enabled | internal)
# Simpler to always update submodule, even if not needed.
- if test -e "${source_path}/.git" && test $git_update = 'yes' ; then
+ if test "$git_submodules_action" != "ignore"; then
git_submodules="${git_submodules} capstone"
fi
;;
@@ -5219,7 +5244,7 @@ fi
case "$slirp" in
auto | enabled | internal)
# Simpler to always update submodule, even if not needed.
- if test -e "${source_path}/.git" && test $git_update = 'yes' ; then
+ if test "$git_submodules_action" != "ignore"; then
git_submodules="${git_submodules} slirp"
fi
;;
@@ -5393,7 +5418,7 @@ if test "$cpu" = "s390x" ; then
roms="$roms s390-ccw"
# SLOF is required for building the s390-ccw firmware on s390x,
# since it is using the libnet code from SLOF for network booting.
- if test -e "${source_path}/.git" ; then
+ if test "$git_submodules_action" != "ignore"; then
git_submodules="${git_submodules} roms/SLOF"
fi
fi
@@ -5431,8 +5456,8 @@ else
cxx=
fi
-if test $git_update = 'yes' ; then
- (cd "${source_path}" && GIT="$git" "./scripts/git-submodule.sh" update "$git_submodules")
+if !(GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then
+ exit 1
fi
config_host_mak="config-host.mak"
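Review bot: `if !(...)` on the new line relies on the shell tokenising `!` and `(` separately; that is POSIX-correct, but bash reads `!(` as an extglob pattern when that option is enabled, and the form is unusual enough to trip readers. Writing it as `if ! (GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then` avoids both. The subshell also no longer `cd`s into `$source_path`; that is only correct because the script now changes directory itself, which deserves a one-line comment here so the coupling survives future edits.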
@@ -5443,7 +5468,7 @@ echo >> $config_host_mak
echo all: >> $config_host_mak
echo "GIT=$git" >> $config_host_mak
echo "GIT_SUBMODULES=$git_submodules" >> $config_host_mak
-echo "GIT_UPDATE=$git_update" >> $config_host_mak
+echo "GIT_SUBMODULES_ACTION=$git_submodules_action" >> $config_host_mak
echo "ARCH=$ARCH" >> $config_host_mak
diff --git a/crypto/aes.c b/crypto/aes.c
index 159800df65..af72ff7779 100644
--- a/crypto/aes.c
+++ b/crypto/aes.c
@@ -1080,9 +1080,9 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
rk = key->rd_key;
- if (bits==128)
+ if (bits == 128)
key->rounds = 10;
- else if (bits==192)
+ else if (bits == 192)
key->rounds = 12;
else
key->rounds = 14;
@@ -1182,7 +1182,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
rk = key->rd_key;
/* invert the order of the round keys: */
- for (i = 0, j = 4*(key->rounds); i < j; i += 4, j -= 4) {
+ for (i = 0, j = 4 * (key->rounds); i < j; i += 4, j -= 4) {
temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp;
temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
diff --git a/crypto/desrfb.c b/crypto/desrfb.c
index 3274c36510..b2a105ebbc 100644
--- a/crypto/desrfb.c
+++ b/crypto/desrfb.c
@@ -56,7 +56,7 @@ static const unsigned char pc1[56] = {
13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3 };
static const unsigned char totrot[16] = {
- 1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28 };
+ 1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28 };
static const unsigned char pc2[48] = {
13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9,
@@ -93,7 +93,7 @@ void deskey(unsigned char *key, int edf)
}
for( j = 0; j < 24; j++ ) {
if( pcr[pc2[j]] ) kn[m] |= bigbyte[j];
- if( pcr[pc2[j+24]] ) kn[n] |= bigbyte[j];
+ if( pcr[pc2[j + 24]] ) kn[n] |= bigbyte[j];
}
}
cookey(kn);
diff --git a/crypto/secret.c b/crypto/secret.c
index 281cb81f0f..44eaff16f6 100644
--- a/crypto/secret.c
+++ b/crypto/secret.c
@@ -108,13 +108,6 @@ qcrypto_secret_prop_get_file(Object *obj,
static void
-qcrypto_secret_complete(UserCreatable *uc, Error **errp)
-{
- object_property_set_bool(OBJECT(uc), "loaded", true, errp);
-}
-
-
-static void
qcrypto_secret_finalize(Object *obj)
{
QCryptoSecret *secret = QCRYPTO_SECRET(obj);
@@ -129,9 +122,6 @@ qcrypto_secret_class_init(ObjectClass *oc, void *data)
QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc);
sic->load_data = qcrypto_secret_load_data;
- UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
- ucc->complete = qcrypto_secret_complete;
-
object_class_property_add_str(oc, "data",
qcrypto_secret_prop_get_data,
qcrypto_secret_prop_set_data);
@@ -148,10 +138,6 @@ static const TypeInfo qcrypto_secret_info = {
.instance_finalize = qcrypto_secret_finalize,
.class_size = sizeof(QCryptoSecretClass),
.class_init = qcrypto_secret_class_init,
- .interfaces = (InterfaceInfo[]) {
- { TYPE_USER_CREATABLE },
- { }
- }
};
diff --git a/crypto/secret_common.c b/crypto/secret_common.c
index b03d530867..714a15d5e5 100644
--- a/crypto/secret_common.c
+++ b/crypto/secret_common.c
@@ -191,9 +191,9 @@ qcrypto_secret_prop_set_loaded(Object *obj,
secret->rawdata = input;
secret->rawlen = inputlen;
- } else {
- g_free(secret->rawdata);
- secret->rawlen = 0;
+ } else if (secret->rawdata) {
+ error_setg(errp, "Cannot unload secret");
+ return;
}
}
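Review bot: The new `else if (secret->rawdata)` branch refuses to unload a loaded secret but gives no hint why, and its `return` skips whatever the setter does after this block (the function starts and ends outside the hunk). A comment such as `/* Once loaded, the raw secret is kept until finalize; unloading is refused rather than freeing rawdata here. */` would record the contract, assuming the data is released in qcrypto_secret_finalize, whose body is not visible here. The removed code freed rawdata without clearing the pointer or wiping the bytes, so the refusal also closes a dangling-pointer path, not only the leak named in the commit.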
@@ -269,6 +269,13 @@ qcrypto_secret_prop_get_keyid(Object *obj,
static void
+qcrypto_secret_complete(UserCreatable *uc, Error **errp)
+{
+ object_property_set_bool(OBJECT(uc), "loaded", true, errp);
+}
+
+
+static void
qcrypto_secret_finalize(Object *obj)
{
QCryptoSecretCommon *secret = QCRYPTO_SECRET_COMMON(obj);
@@ -281,6 +288,10 @@ qcrypto_secret_finalize(Object *obj)
static void
qcrypto_secret_class_init(ObjectClass *oc, void *data)
{
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+
+ ucc->complete = qcrypto_secret_complete;
+
object_class_property_add_bool(oc, "loaded",
qcrypto_secret_prop_get_loaded,
qcrypto_secret_prop_set_loaded);
@@ -390,6 +401,10 @@ static const TypeInfo qcrypto_secret_info = {
.class_size = sizeof(QCryptoSecretCommonClass),
.class_init = qcrypto_secret_class_init,
.abstract = true,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
};
diff --git a/crypto/secret_keyring.c b/crypto/secret_keyring.c
index 10d8bc48a0..1b7edec84a 100644
--- a/crypto/secret_keyring.c
+++ b/crypto/secret_keyring.c
@@ -103,21 +103,11 @@ qcrypto_secret_prop_get_key(Object *obj, Visitor *v,
static void
-qcrypto_secret_keyring_complete(UserCreatable *uc, Error **errp)
-{
- object_property_set_bool(OBJECT(uc), "loaded", true, errp);
-}
-
-
-static void
qcrypto_secret_keyring_class_init(ObjectClass *oc, void *data)
{
QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc);
sic->load_data = qcrypto_secret_keyring_load_data;
- UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
- ucc->complete = qcrypto_secret_keyring_complete;
-
object_class_property_add(oc, "serial", "int32_t",
qcrypto_secret_prop_get_key,
qcrypto_secret_prop_set_key,
@@ -130,10 +120,6 @@ static const TypeInfo qcrypto_secret_info = {
.name = TYPE_QCRYPTO_SECRET_KEYRING,
.instance_size = sizeof(QCryptoSecretKeyring),
.class_init = qcrypto_secret_keyring_class_init,
- .interfaces = (InterfaceInfo[]) {
- { TYPE_USER_CREATABLE },
- { }
- }
};
diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c
index 30275b6847..bea5f76c55 100644
--- a/crypto/tlscredsanon.c
+++ b/crypto/tlscredsanon.c
@@ -123,10 +123,9 @@ qcrypto_tls_creds_anon_prop_set_loaded(Object *obj,
{
QCryptoTLSCredsAnon *creds = QCRYPTO_TLS_CREDS_ANON(obj);
+ qcrypto_tls_creds_anon_unload(creds);
if (value) {
qcrypto_tls_creds_anon_load(creds, errp);
- } else {
- qcrypto_tls_creds_anon_unload(creds);
}
}
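Review bot: Calling `qcrypto_tls_creds_anon_unload(creds)` unconditionally before the `if (value)` test is what fixes the leak on repeated `loaded=on`, but nothing in the function says so; `/* Always release existing credentials first so that re-setting loaded=on cannot leak the previous ones. */` above the call would keep the ordering from being "simplified" back. One consequence worth stating: when `value` is true and the load fails, the object is now left with no credentials rather than the previous set, which looks intended but is undocumented. The same pattern is applied in qcrypto_tls_creds_psk_prop_set_loaded and qcrypto_tls_creds_x509_prop_set_loaded below and would take the same comment. Each of these setters starts outside its hunk.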
diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c
index e26807b899..f5a31108d1 100644
--- a/crypto/tlscredspsk.c
+++ b/crypto/tlscredspsk.c
@@ -192,10 +192,9 @@ qcrypto_tls_creds_psk_prop_set_loaded(Object *obj,
{
QCryptoTLSCredsPSK *creds = QCRYPTO_TLS_CREDS_PSK(obj);
+ qcrypto_tls_creds_psk_unload(creds);
if (value) {
qcrypto_tls_creds_psk_load(creds, errp);
- } else {
- qcrypto_tls_creds_psk_unload(creds);
}
}
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index dd7267ccdb..dbadad4df2 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -143,7 +143,7 @@ qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds,
if (status < 0) {
if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
- GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
+ GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT;
} else {
error_setg(errp,
"Unable to query certificate %s key usage: %s",
@@ -694,10 +694,9 @@ qcrypto_tls_creds_x509_prop_set_loaded(Object *obj,
{
QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
+ qcrypto_tls_creds_x509_unload(creds);
if (value) {
qcrypto_tls_creds_x509_load(creds, errp);
- } else {
- qcrypto_tls_creds_x509_unload(creds);
}
}
diff --git a/docs/system/build-platforms.rst b/docs/system/build-platforms.rst
index 9734eba2f1..692323609e 100644
--- a/docs/system/build-platforms.rst
+++ b/docs/system/build-platforms.rst
@@ -25,55 +25,38 @@ software in their distro, QEMU upstream code will not add explicit
support for those backports, unless the feature is auto-detectable in a
manner that works for the upstream releases too.
-The Repology site https://repology.org is a useful resource to identify
+The `Repology`_ site is a useful resource to identify
currently shipped versions of software in various operating systems,
though it does not cover all distros listed below.
-Linux OS
---------
+Linux OS, macOS, FreeBSD, NetBSD, OpenBSD
+-----------------------------------------
-For distributions with frequent, short-lifetime releases, the project
-will aim to support all versions that are not end of life by their
-respective vendors. For the purposes of identifying supported software
-versions, the project will look at Fedora, Ubuntu, and openSUSE distros.
-Other short- lifetime distros will be assumed to ship similar software
-versions.
+The project aims to support the most recent major version at all times. Support
+for the previous major version will be dropped 2 years after the new major
+version is released or when the vendor itself drops support, whichever comes
+first. In this context, third-party efforts to extend the lifetime of a distro
+are not considered, even when they are endorsed by the vendor (eg. Debian LTS).
-For distributions with long-lifetime releases, the project will aim to
-support the most recent major version at all times. Support for the
-previous major version will be dropped 2 years after the new major
-version is released, or when it reaches "end of life". For the purposes
-of identifying supported software versions, the project will look at
-RHEL, Debian, Ubuntu LTS, and SLES distros. Other long-lifetime distros
-will be assumed to ship similar software versions.
+For the purposes of identifying supported software versions available on Linux,
+the project will look at CentOS, Debian, Fedora, openSUSE, RHEL, SLES and
+Ubuntu LTS. Other distros will be assumed to ship similar software versions.
-Windows
--------
-
-The project supports building with current versions of the MinGW
-toolchain, hosted on Linux.
-
-macOS
------
+For FreeBSD and OpenBSD, decisions will be made based on the contents of the
+respective ports repository, while NetBSD will use the pkgsrc repository.
-The project supports building with the two most recent versions of
-macOS, with the current Homebrew package set available.
+For macOS, `HomeBrew`_ will be used, although `MacPorts`_ is expected to carry
+similar versions.
-FreeBSD
+Windows
-------
-The project aims to support all versions which are not end of
-life.
-
-NetBSD
-------
+The project supports building with current versions of the MinGW toolchain,
+hosted on Linux (Debian/Fedora).
-The project aims to support the most recent major version at all times.
-Support for the previous major version will be dropped 2 years after the
-new major version is released.
-
-OpenBSD
--------
+The version of the Windows API that's currently targeted is Vista / Server
+2008.
-The project aims to support all versions which are not end of
-life.
+.. _HomeBrew: https://brew.sh/
+.. _MacPorts: https://www.macports.org/
+.. _Repology: https://repology.org/
diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index 9de663526a..6ac757ed9f 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -134,6 +134,18 @@ Boolean options such as ``share=on``/``share=off`` could be written
in short form as ``share`` and ``noshare``. This is now deprecated
and will cause a warning.
+``--enable-fips`` (since 6.0)
+'''''''''''''''''''''''''''''
+
+This option restricts usage of certain cryptographic algorithms when
+the host is operating in FIPS mode.
+
+If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
+library enabled as a cryptography provider.
+
+Neither the ``nettle`` library, or the built-in cryptography provider are
+supported on FIPS enabled hosts.
+
QEMU Machine Protocol (QMP) commands
------------------------------------
diff --git a/docs/system/tls.rst b/docs/system/tls.rst
index dc2b94257f..b0973afe1b 100644
--- a/docs/system/tls.rst
+++ b/docs/system/tls.rst
@@ -64,7 +64,7 @@ interactive prompts from certtool::
cert_signing_key
EOF
# certtool --generate-self-signed \
- --load-privkey ca-key.pem
+ --load-privkey ca-key.pem \
--template ca.info \
--outfile ca-cert.pem
diff --git a/docs/system/vnc-security.rst b/docs/system/vnc-security.rst
index 558e4faffc..ebca656d87 100644
--- a/docs/system/vnc-security.rst
+++ b/docs/system/vnc-security.rst
@@ -65,7 +65,7 @@ encrypted session.
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=off \
-vnc :1,tls-creds=tls0 -monitor stdio
In the above example ``/etc/pki/qemu`` should contain at least three
@@ -84,12 +84,12 @@ connecting. The server will request that the client provide a
certificate, which it will then validate against the CA certificate.
This is a good choice if deploying in an environment with a private
internal certificate authority. It uses the same syntax as previously,
-but with ``verify-peer`` set to ``yes`` instead.
+but with ``verify-peer`` set to ``on`` instead.
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
-vnc :1,tls-creds=tls0 -monitor stdio
.. _vnc_005fsec_005fcertificate_005fpw:
@@ -103,7 +103,7 @@ authentication to provide two layers of authentication for clients.
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
-vnc :1,tls-creds=tls0,password -monitor stdio
(qemu) change vnc password
Password: ********
@@ -145,7 +145,7 @@ x509 options:
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
-vnc :1,tls-creds=tls0,sasl -monitor stdio
.. _vnc_005fsetup_005fsasl:
diff --git a/include/authz/listfile.h b/include/authz/listfile.h
index 0a1e5bddd3..0b7fe72198 100644
--- a/include/authz/listfile.h
+++ b/include/authz/listfile.h
@@ -73,7 +73,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(QAuthZListFile,
* The object can be created on the command line using
*
* -object authz-list-file,id=authz0,\
- * filename=/etc/qemu/myvm-vnc.acl,refresh=yes
+ * filename=/etc/qemu/myvm-vnc.acl,refresh=on
*
*/
struct QAuthZListFile {
diff --git a/os-posix.c b/os-posix.c
index 1de2839554..a6846f51c1 100644
--- a/os-posix.c
+++ b/os-posix.c
@@ -153,6 +153,9 @@ int os_parse_cmd_args(int index, const char *optarg)
break;
#if defined(CONFIG_LINUX)
case QEMU_OPTION_enablefips:
+ warn_report("-enable-fips is deprecated, please build QEMU with "
+ "the `libgcrypt` library as the cryptography provider "
+ "to enable FIPS compliance");
fips_set_state(true);
break;
#endif
diff --git a/qemu-options.hx b/qemu-options.hx
index 9172d51659..d0410f0512 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -5027,7 +5027,7 @@ SRST
Note the use of quotes due to the x509 distinguished name
containing whitespace, and escaping of ','.
- ``-object authz-listfile,id=id,filename=path,refresh=yes|no``
+ ``-object authz-listfile,id=id,filename=path,refresh=on|off``
Create an authorization object that will control access to
network services.
@@ -5072,7 +5072,7 @@ SRST
# |qemu_system| \\
... \\
- -object authz-simple,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=yes \\
+ -object authz-simple,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=on \\
...
``-object authz-pam,id=id,service=string``
diff --git a/scripts/git-submodule.sh b/scripts/git-submodule.sh
index 65ed877aef..e225d3a963 100755
--- a/scripts/git-submodule.sh
+++ b/scripts/git-submodule.sh
@@ -9,9 +9,14 @@ command=$1
shift
maybe_modules="$@"
+# if --with-git-submodules=ignore, do nothing
+test "$command" = "ignore" && exit 0
+
test -z "$GIT" && GIT=git
-error() {
+cd "$(dirname "$0")/.."
+
+update_error() {
echo "$0: $*"
echo
echo "Unable to automatically checkout GIT submodules '$modules'."
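Review bot: The new `cd "$(dirname "$0")/.."` is not checked, so if it fails every later `$GIT submodule ...` call runs in the caller's current directory; unless the script preamble outside this hunk enables `set -e`, `cd "$(dirname "$0")/.." || exit 1` is the minimal guard. The early `test "$command" = "ignore" && exit 0` correctly precedes the cd, so the ignore path has no directory dependency.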
@@ -24,7 +29,7 @@ error() {
echo "Alternatively you may disable automatic GIT submodule checkout"
echo "with:"
echo
- echo " $ ./configure --disable-git-update"
+ echo " $ ./configure --with-git-submodules=validate"
echo
echo "and then manually update submodules prior to running make, with:"
echo
@@ -33,6 +38,19 @@ error() {
exit 1
}
+validate_error() {
+ if test "$1" = "validate"; then
+ echo "GIT submodules checkout is out of date, and submodules"
+ echo "configured for validate only. Please run"
+ echo " scripts/git-submodule.sh update $maybe_modules"
+ echo "from the source directory or call configure with"
+ echo " --with-git-submodules=update"
+ echo "To disable GIT submodules validation, use"
+ echo " --with-git-submodules=ignore"
+ fi
+ exit 1
+}
+
modules=""
for m in $maybe_modules
do
@@ -52,18 +70,18 @@ then
fi
case "$command" in
-status)
+status|validate)
if test -z "$maybe_modules"
then
- test -s ${substat} && exit 1 || exit 0
+ test -s ${substat} && validate_error "$command" || exit 0
fi
- test -f "$substat" || exit 1
+ test -f "$substat" || validate_error "$command"
for module in $modules; do
CURSTATUS=$($GIT submodule status $module)
OLDSTATUS=$(cat $substat | grep $module)
if test "$CURSTATUS" != "$OLDSTATUS"; then
- exit 1
+ validate_error "$command"
fi
done
exit 0
@@ -76,10 +94,10 @@ update)
fi
$GIT submodule update --init $modules 1>/dev/null
- test $? -ne 0 && error "failed to update modules"
+ test $? -ne 0 && update_error "failed to update modules"
$GIT submodule status $modules > "${substat}"
- test $? -ne 0 && error "failed to save git submodule status" >&2
+ test $? -ne 0 && update_error "failed to save git submodule status" >&2
;;
esac
diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c
index 01b3daf358..97658592a2 100644
--- a/tests/crypto-tls-x509-helpers.c
+++ b/tests/crypto-tls-x509-helpers.c
@@ -30,7 +30,7 @@
* This stores some static data that is needed when
* encoding extensions in the x509 certs
*/
-ASN1_TYPE pkix_asn1;
+asn1_node pkix_asn1;
/*
* To avoid consuming random entropy to generate keys,
@@ -139,7 +139,7 @@ void test_tls_cleanup(const char *keyfile)
/*
* Turns an ASN1 object into a DER encoded byte array
*/
-static void test_tls_der_encode(ASN1_TYPE src,
+static void test_tls_der_encode(asn1_node src,
const char *src_name,
gnutls_datum_t *res)
{
@@ -317,7 +317,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
* the 'critical' field which we want control over
*/
if (req->basicConstraintsEnable) {
- ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+ asn1_node ext = NULL;
asn1_create_element(pkix_asn1, "PKIX1.BasicConstraints", &ext);
asn1_write_value(ext, "cA",
@@ -344,7 +344,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
* to be 'critical'
*/
if (req->keyUsageEnable) {
- ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+ asn1_node ext = NULL;
char str[2];
str[0] = req->keyUsageValue & 0xff;
@@ -374,7 +374,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
* set this the hard way building up ASN1 data ourselves
*/
if (req->keyPurposeEnable) {
- ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+ asn1_node ext = NULL;
asn1_create_element(pkix_asn1, "PKIX1.ExtKeyUsageSyntax", &ext);
if (req->keyPurposeOID1) {
diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h
index 08efba4e19..8fcd7785ab 100644
--- a/tests/crypto-tls-x509-helpers.h
+++ b/tests/crypto-tls-x509-helpers.h
@@ -125,7 +125,7 @@ void test_tls_cleanup(const char *keyfile);
}; \
test_tls_generate_cert(&varname, NULL)
-extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
+extern const asn1_static_node pkix_asn1_tab[];
#endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */
diff --git a/tests/pkix_asn1_tab.c b/tests/pkix_asn1_tab.c
index f15fc515cb..4aaf736d3f 100644
--- a/tests/pkix_asn1_tab.c
+++ b/tests/pkix_asn1_tab.c
@@ -8,7 +8,7 @@
#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
-const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
+const asn1_static_node pkix_asn1_tab[] = {
{"PKIX1", 536875024, 0},
{0, 1073741836, 0},
{"id-ce", 1879048204, 0},
diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233
index 7ce5764903..da150cd27b 100755
--- a/tests/qemu-iotests/233
+++ b/tests/qemu-iotests/233
@@ -84,7 +84,7 @@ echo
echo "== check plain client to TLS server fails =="
nbd_server_start_tcp_socket \
- --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
+ --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
--tls-creds tls0 \
-f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
@@ -129,7 +129,7 @@ echo "== check TLS with authorization =="
nbd_server_stop
nbd_server_start_tcp_socket \
- --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
+ --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
--object "authz-simple,id=authz0,identity=CN=localhost,, \
O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
--tls-authz authz0 \
diff --git a/tests/test-authz-pam.c b/tests/test-authz-pam.c
index 1baeadee03..4fe1ef2603 100644
--- a/tests/test-authz-pam.c
+++ b/tests/test-authz-pam.c
@@ -28,7 +28,7 @@
static bool failauth;
/*
- * These two functions are exported by libpam.so.
+ * These three functions are exported by libpam.so.
*
* By defining them again here, our impls are resolved
* by the linker instead of those in libpam.so
@@ -50,6 +50,7 @@ pam_start(const char *service_name, const char *user,
failauth = false;
}
+ *pamh = (pam_handle_t *)0xbadeaffe;
return PAM_SUCCESS;
}
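Review bot: `*pamh = (pam_handle_t *)0xbadeaffe;` hands the caller a fabricated handle with no explanation; from the stubs visible here it is only passed back to the pam_* replacements and never dereferenced, so a comment such as `/* Non-NULL dummy handle; the stubs in this file never dereference it */` would stop a reader from treating it as a real allocation. Converting an arbitrary integer to a pointer is implementation-defined, so taking the address of a static object instead would be more portable, though for a link-time stub in a test this is minor. The pam_end stub added in the next hunk is what this handle is eventually passed to; pam_start itself begins outside the hunk.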
@@ -65,6 +66,13 @@ pam_acct_mgmt(pam_handle_t *pamh, int flags)
}
+int
+pam_end(pam_handle_t *pamh, int status)
+{
+ return PAM_SUCCESS;
+}
+
+
static void test_authz_unknown_service(void)
{
Error *local_err = NULL;
diff --git a/ui/keycodemapdb b/ui/keycodemapdb
-Subproject 6b3d716e2b6472eb7189d3220552280ef3d832c
+Subproject 6119e6e19a050df847418de7babe5166779955e
diff --git a/ui/meson.build b/ui/meson.build
index 634fabab0d..156b600a99 100644
--- a/ui/meson.build
+++ b/ui/meson.build
@@ -127,9 +127,10 @@ if have_system or xkbcommon.found()
capture: true,
input: files('keycodemapdb/data/keymaps.csv'),
command: [python.full_path(), files('keycodemapdb/tools/keymap-gen'),
+ 'code-map',
'--lang', 'glib2',
'--varname', 'qemu_input_map_@0@_to_@1@'.format(e[0], e[1]),
- 'code-map', '@INPUT0@', e[0], e[1]])
+ '@INPUT0@', e[0], e[1]])
endforeach
endif