Extend the virNetTLSContextNew* constructors to allow the TLS priority string to be passed in, overriding the compile time default.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 daemon/libvirtd.c | 2 ++
 src/remote/remote_driver.c | 1 +
 src/rpc/virnettlscontext.c | 27 ++++++++++++++++++++-------
 src/rpc/virnettlscontext.h | 4 ++++
 tests/virnettlscontexttest.c | 2 ++
 tests/virnettlssessiontest.c | 2 ++
 6 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 5617e42..b844af4 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -585,6 +585,7 @@ daemonSetupNetworking(virNetServerPtr srv,
 config->cert_file,
 config->key_file,
 (const char *const*)config->tls_allowed_dn_list,
+ NULL,
 config->tls_no_sanity_certificate ? false : true,
 config->tls_no_verify_certificate ? false : true)))
 goto cleanup;
@@ -592,6 +593,7 @@ daemonSetupNetworking(virNetServerPtr srv,
 if (!(ctxt = virNetTLSContextNewServerPath(NULL,
 !privileged,
 (const char *const*)config->tls_allowed_dn_list,
+ NULL,
 config->tls_no_sanity_certificate ? false : true,
 config->tls_no_verify_certificate ? false : true)))
 goto cleanup;
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index e3cf5fb..219cf47 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -845,6 +845,7 @@ doRemoteOpen(virConnectPtr conn,
 #ifdef WITH_GNUTLS
 priv->tls = virNetTLSContextNewClientPath(pkipath,
 geteuid() != 0 ? true : false,
+ NULL,
 sanity, verify);
 if (!priv->tls)
 goto failed;
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 975b5b8..bc15890 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -65,6 +65,7 @@ struct _virNetTLSContext {
 bool isServer;
 bool requireValidCert;
 const char *const*x509dnWhitelist;
+ char *priority;
 };
 
 struct _virNetTLSSession {
@@ -703,6 +704,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
 const char *cert,
 const char *key,
 const char *const*x509dnWhitelist,
+ const char *priority,
 bool sanityCheckCert,
 bool requireValidCert,
 bool isServer)
@@ -716,6 +718,9 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
 if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
 return NULL;
 
+ if (VIR_STRDUP(ctxt->priority, priority) < 0)
+ goto error;
+
 err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
 if (err) {
 virReportError(VIR_ERR_SYSTEM_ERROR,
@@ -903,6 +908,7 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
 static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
 bool tryUserPkiPath,
 const char *const*x509dnWhitelist,
+ const char *priority,
 bool sanityCheckCert,
 bool requireValidCert,
 bool isServer)
@@ -915,7 +921,7 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
 return NULL;
 
 ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
- x509dnWhitelist, sanityCheckCert,
+ x509dnWhitelist, priority, sanityCheckCert,
 requireValidCert, isServer);
 
 VIR_FREE(cacert);
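Review bot: The priority string copied by the new VIR_STRDUP in virNetTLSContextNew is never parsed, so a malformed value only surfaces later when virNetTLSSessionNew hands it to gnutls_priority_set_direct: the context is built without complaint and every TLS connection then fails at handshake time. Now that the string comes from callers rather than a compile-time constant, checking it at context creation gives a clear failure at startup together with the offending position. gnutls_priority_init() parses the same string and reports an err_pos; the resulting gnutls_priority_t can simply be released again, or kept on the context and applied with gnutls_priority_set() in the session code. `err` and the `error:` label this uses are already in scope in the function, whose body continues outside the hunk.
```c
    if (VIR_STRDUP(ctxt->priority, priority) < 0)
        goto error;

    /* Parse the caller-supplied priority string now, so that a bad
     * value is reported when the context is built rather than on the
     * first handshake. */
    if (ctxt->priority) {
        gnutls_priority_t pcache = NULL;
        const char *errpos = NULL;

        err = gnutls_priority_init(&pcache, ctxt->priority, &errpos);
        if (err) {
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Invalid TLS priority string '%s' near '%s': %s"),
                           ctxt->priority, errpos ? errpos : "",
                           gnutls_strerror(err));
            goto error;
        }
        gnutls_priority_deinit(pcache);
    }

    /* … unchanged: gnutls_certificate_allocate_credentials and the rest … */
```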
@@ -929,19 +935,21 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
 virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
 bool tryUserPkiPath,
 const char *const*x509dnWhitelist,
+ const char *priority,
 bool sanityCheckCert,
 bool requireValidCert)
 {
- return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist,
+ return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, priority,
 sanityCheckCert, requireValidCert, true);
 }
 
 virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
 bool tryUserPkiPath,
+ const char *priority,
 bool sanityCheckCert,
 bool requireValidCert)
 {
- return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL,
+ return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL, priority,
 sanityCheckCert, requireValidCert, false);
 }
 
@@ -951,10 +959,11 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
 const char *cert,
 const char *key,
 const char *const*x509dnWhitelist,
+ const char *priority,
 bool sanityCheckCert,
 bool requireValidCert)
 {
- return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist,
+ return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, priority,
 sanityCheckCert, requireValidCert, true);
 }
 
@@ -963,10 +972,11 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
 const char *cacrl,
 const char *cert,
 const char *key,
+ const char *priority,
 bool sanityCheckCert,
 bool requireValidCert)
 {
- return virNetTLSContextNew(cacert, cacrl, cert, key, NULL,
+ return virNetTLSContextNew(cacert, cacrl, cert, key, NULL, priority,
 sanityCheckCert, requireValidCert, false);
 }
 
@@ -1145,6 +1155,7 @@ void virNetTLSContextDispose(void *obj)
 PROBE(RPC_TLS_CONTEXT_DISPOSE,
 "ctxt=%p", ctxt);
 
+ VIR_FREE(ctxt->priority);
 gnutls_dh_params_deinit(ctxt->dhParams);
 gnutls_certificate_free_credentials(ctxt->x509cred);
 }
@@ -1204,10 +1215,12 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
 /* avoid calling all the priority functions, since the defaults
 * are adequate.
 */
- if ((err = gnutls_priority_set_direct(sess->session, TLS_PRIORITY, NULL)) != 0) {
+ if ((err = gnutls_priority_set_direct(sess->session,
+ ctxt->priority ? : TLS_PRIORITY,
+ NULL)) != 0) {
 virReportError(VIR_ERR_SYSTEM_ERROR,
 _("Failed to set TLS session priority to %s: %s"),
- TLS_PRIORITY, gnutls_strerror(err));
+ ctxt->priority ? : TLS_PRIORITY, gnutls_strerror(err));
 goto error;
 }
 
diff --git a/src/rpc/virnettlscontext.h b/src/rpc/virnettlscontext.h
index 21539ad..6100b45 100644
--- a/src/rpc/virnettlscontext.h
+++ b/src/rpc/virnettlscontext.h
@@ -36,11 +36,13 @@ void virNetTLSInit(void);
 virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
 bool tryUserPkiPath,
 const char *const*x509dnWhitelist,
+ const char *priority,
 bool sanityCheckCert,
 bool requireValidCert);
 
 virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
 bool tryUserPkiPath,
+ const char *priority,
 bool sanityCheckCert,
 bool requireValidCert);
 
@@ -49,6 +51,7 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
 const char *cert,
 const char *key,
 const char *const*x509dnWhitelist,
+ const char *priority,
 bool sanityCheckCert,
 bool requireValidCert);
 
@@ -56,6 +59,7 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
 const char *cacrl,
 const char *cert,
 const char *key,
+ const char *priority,
 bool sanityCheckCert,
 bool requireValidCert);
 
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index d33b896..42c8b0c 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -72,6 +72,7 @@ static int testTLSContextInit(const void *opaque)
 data->crt,
 KEYFILE,
 NULL,
+ NULL,
 true,
 true);
 } else {
@@ -79,6 +80,7 @@ static int testTLSContextInit(const void *opaque)
 NULL,
 data->crt,
 KEYFILE,
+ NULL,
 true,
 true);
 }
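Review bot: The third argument to gnutls_priority_set_direct is still NULL in the rewritten call, so when a caller-supplied priority string is rejected the error names the whole string but not where parsing stopped; with the string no longer a compile-time constant that position is the useful half of the diagnostic. Declare `const char *errpos = NULL;`, pass `&errpos` in place of `NULL`, and extend the message to `_("Failed to set TLS session priority to %s (near '%s'): %s")` with `errpos ? errpos : ""` as the extra argument. The `ctxt->priority ? : TLS_PRIORITY` expression is also written out twice, once for the call and once for the message; hoisting it into a local `const char *prio` keeps the two in step if either is edited later. virNetTLSSessionNew begins and ends outside the hunk.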
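Review bot: The new `priority` parameter of virNetTLSContextNewServerPath and virNetTLSContextNewClientPath is undocumented in the public header, and the same applies to the virNetTLSContextNewServer and virNetTLSContextNewClient declarations in the two hunks that follow. The virnettlscontext.c hunk above shows that only a NULL pointer falls back to the compile-time TLS_PRIORITY, so an empty string is handed to GnuTLS as-is and presumably rejected there; that contract belongs next to the declaration, for example `/* priority: GnuTLS priority string, or NULL to use the compiled-in default; an empty string is not treated as NULL */`. If callers are expected to read the value from configuration, normalising "" to NULL in virNetTLSContextNew may be the friendlier choice.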
diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
index 3af948a..8b79a1e 100644
--- a/tests/virnettlssessiontest.c
+++ b/tests/virnettlssessiontest.c
@@ -113,6 +113,7 @@ static int testTLSSessionInit(const void *opaque)
 data->servercrt,
 KEYFILE,
 data->wildcards,
+ NULL,
 false,
 true);
 
@@ -120,6 +121,7 @@ static int testTLSSessionInit(const void *opaque)
 NULL,
 data->clientcrt,
 KEYFILE,
+ NULL,
 false,
 true);
 
--
2.5.5

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list