On 06/28/2018 09:42 AM, Eric Blake wrote:
On 06/28/2018 08:22 AM, Richard W.M. Jones wrote:

In the subject line: most commit summaries don't have a trailing '.'.

Pre-Shared Keys (PSK) is a simpler mechanism for enabling TLS
connections than using certificates.  It requires only a simple secret
key:

   $ mkdir -m 0700 /tmp/keys
   $ psktool -u rjones -p /tmp/keys/keys.psk
   $ cat /tmp/keys/keys.psk
   rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc

The key can be secretly shared between clients and servers.  Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu").  Servers must specify only the
directory.

Example NBD client:

   $ qemu-img info \
     --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
     --image-opts \
     file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/



Otherwise, I'm not spotting problems, but as it touches crypto, I'd also get Dan's review.


Because of the immediate use for NBD, I'm willing to take this through the NBD tree if Dan gives a review or ack. Or, if Dan wants it through the crypto tree (and my minor nits are addressed),

Acked-by: Eric Blake <ebl...@redhat.com>

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
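
As an added illustration of the setup the quoted commit message describes (not part of the patch or of either author's mail), this shell function checks a PSK directory before it is handed to tls-creds-psk. The name check_psk_dir, its return codes, and the assumption that every line has the username:hexkey shape shown above are choices made for this example.

```shell
#!/bin/sh
# Added example. check_psk_dir and its return codes are hypothetical names
# chosen here; they are not part of QEMU or GnuTLS.
#
# usage: check_psk_dir DIR [USERNAME]
check_psk_dir() {
    dir=$1
    user=${2:-qemu}      # the commit message gives "qemu" as the default username
    file=$dir/keys.psk   # file name the commit message says clients and servers read

    [ -d "$dir" ]  || { echo "not a directory: $dir" >&2; return 2; }
    [ -f "$file" ] || { echo "missing key file: $file" >&2; return 2; }

    # The example above creates the directory with mode 0700, so group and
    # other must have no permission bits (columns 5-10 of the ls mode string).
    bits=$(ls -ld "$dir" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "$dir is accessible to group/other" >&2; return 3; }

    # Assumption: one "username:hexkey" entry per line, as in the psktool
    # output shown above. Key material is never echoed in the diagnostics.
    awk -F: -v want="$user" '
        /^[ \t]*$/ { next }
        NF != 2 || $1 == "" {
            printf "line %d: expected username:hexkey\n", NR; bad = 1; next }
        $2 !~ /^[0-9A-Fa-f]+$/ || length($2) % 2 {
            printf "line %d: key is not a whole number of hex bytes\n", NR; bad = 1; next }
        seen[$1]++ { printf "line %d: duplicate username %s\n", NR, $1; bad = 1 }
        $1 == want { found = 1 }
        END {
            if (!found) { printf "no entry for username %s\n", want; bad = 1 }
            exit bad + 0
        }
    ' "$file" >&2 || return 4
    return 0
}
```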
