[PATCH 4/9] rpc: allow priority string to be passed to TLS context

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Extend the virNetTLSContextNew* constructors to allow
the TLS priority string to be passed in, overriding the
compile time default.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 daemon/libvirtd.c            |  2 ++
 src/remote/remote_driver.c   |  1 +
 src/rpc/virnettlscontext.c   | 27 ++++++++++++++++++++-------
 src/rpc/virnettlscontext.h   |  4 ++++
 tests/virnettlscontexttest.c |  2 ++
 tests/virnettlssessiontest.c |  2 ++
 6 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 5617e42..b844af4 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -585,6 +585,7 @@ daemonSetupNetworking(virNetServerPtr srv,
                                                        config->cert_file,
                                                        config->key_file,
                                                        (const char *const*)config->tls_allowed_dn_list,
+                                                       NULL,
                                                        config->tls_no_sanity_certificate ? false : true,
                                                        config->tls_no_verify_certificate ? false : true)))
                     goto cleanup;
@@ -592,6 +593,7 @@ daemonSetupNetworking(virNetServerPtr srv,
                 if (!(ctxt = virNetTLSContextNewServerPath(NULL,
                                                            !privileged,
                                                            (const char *const*)config->tls_allowed_dn_list,
+                                                           NULL,
                                                            config->tls_no_sanity_certificate ? false : true,
                                                            config->tls_no_verify_certificate ? false : true)))
                     goto cleanup;
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index e3cf5fb..219cf47 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -845,6 +845,7 @@ doRemoteOpen(virConnectPtr conn,
 #ifdef WITH_GNUTLS
         priv->tls = virNetTLSContextNewClientPath(pkipath,
                                                   geteuid() != 0 ? true : false,
+                                                  NULL,
                                                   sanity, verify);
         if (!priv->tls)
             goto failed;
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 975b5b8..bc15890 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -65,6 +65,7 @@ struct _virNetTLSContext {
     bool isServer;
     bool requireValidCert;
     const char *const*x509dnWhitelist;
+    char *priority;
 };
 
 struct _virNetTLSSession {
@@ -703,6 +704,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
                                                const char *cert,
                                                const char *key,
                                                const char *const*x509dnWhitelist,
+                                               const char *priority,
                                                bool sanityCheckCert,
                                                bool requireValidCert,
                                                bool isServer)
@@ -716,6 +718,9 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
     if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
         return NULL;
 
+    if (VIR_STRDUP(ctxt->priority, priority) < 0)
+        goto error;
+
     err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
     if (err) {
         virReportError(VIR_ERR_SYSTEM_ERROR,
@@ -903,6 +908,7 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
 static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
                                                    bool tryUserPkiPath,
                                                    const char *const*x509dnWhitelist,
+                                                   const char *priority,
                                                    bool sanityCheckCert,
                                                    bool requireValidCert,
                                                    bool isServer)
@@ -915,7 +921,7 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
         return NULL;
 
     ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
-                               x509dnWhitelist, sanityCheckCert,
+                               x509dnWhitelist, priority, sanityCheckCert,
                                requireValidCert, isServer);
 
     VIR_FREE(cacert);
@@ -929,19 +935,21 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
 virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
                                                   bool tryUserPkiPath,
                                                   const char *const*x509dnWhitelist,
+                                                  const char *priority,
                                                   bool sanityCheckCert,
                                                   bool requireValidCert)
 {
-    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist,
+    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, priority,
                                    sanityCheckCert, requireValidCert, true);
 }
 
 virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
                                                   bool tryUserPkiPath,
+                                                  const char *priority,
                                                   bool sanityCheckCert,
                                                   bool requireValidCert)
 {
-    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL,
+    return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL, priority,
                                    sanityCheckCert, requireValidCert, false);
 }
 
@@ -951,10 +959,11 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
                                               const char *cert,
                                               const char *key,
                                               const char *const*x509dnWhitelist,
+                                              const char *priority,
                                               bool sanityCheckCert,
                                               bool requireValidCert)
 {
-    return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist,
+    return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, priority,
                                sanityCheckCert, requireValidCert, true);
 }
 
@@ -963,10 +972,11 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
                                               const char *cacrl,
                                               const char *cert,
                                               const char *key,
+                                              const char *priority,
                                               bool sanityCheckCert,
                                               bool requireValidCert)
 {
-    return virNetTLSContextNew(cacert, cacrl, cert, key, NULL,
+    return virNetTLSContextNew(cacert, cacrl, cert, key, NULL, priority,
                                sanityCheckCert, requireValidCert, false);
 }
 
@@ -1145,6 +1155,7 @@ void virNetTLSContextDispose(void *obj)
     PROBE(RPC_TLS_CONTEXT_DISPOSE,
           "ctxt=%p", ctxt);
 
+    VIR_FREE(ctxt->priority);
     gnutls_dh_params_deinit(ctxt->dhParams);
     gnutls_certificate_free_credentials(ctxt->x509cred);
 }
@@ -1204,10 +1215,12 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
     /* avoid calling all the priority functions, since the defaults
      * are adequate.
      */
-    if ((err = gnutls_priority_set_direct(sess->session, TLS_PRIORITY, NULL)) != 0) {
+    if ((err = gnutls_priority_set_direct(sess->session,
+                                          ctxt->priority ? : TLS_PRIORITY,
+                                          NULL)) != 0) {
         virReportError(VIR_ERR_SYSTEM_ERROR,
                        _("Failed to set TLS session priority to %s: %s"),
-                       TLS_PRIORITY, gnutls_strerror(err));
+                       ctxt->priority ? : TLS_PRIORITY, gnutls_strerror(err));
         goto error;
     }
 
diff --git a/src/rpc/virnettlscontext.h b/src/rpc/virnettlscontext.h
index 21539ad..6100b45 100644
--- a/src/rpc/virnettlscontext.h
+++ b/src/rpc/virnettlscontext.h
@@ -36,11 +36,13 @@ void virNetTLSInit(void);
 virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
                                                   bool tryUserPkiPath,
                                                   const char *const*x509dnWhitelist,
+                                                  const char *priority,
                                                   bool sanityCheckCert,
                                                   bool requireValidCert);
 
 virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
                                                   bool tryUserPkiPath,
+                                                  const char *priority,
                                                   bool sanityCheckCert,
                                                   bool requireValidCert);
 
@@ -49,6 +51,7 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
                                               const char *cert,
                                               const char *key,
                                               const char *const*x509dnWhitelist,
+                                              const char *priority,
                                               bool sanityCheckCert,
                                               bool requireValidCert);
 
@@ -56,6 +59,7 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
                                               const char *cacrl,
                                               const char *cert,
                                               const char *key,
+                                              const char *priority,
                                               bool sanityCheckCert,
                                               bool requireValidCert);
 
diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c
index d33b896..42c8b0c 100644
--- a/tests/virnettlscontexttest.c
+++ b/tests/virnettlscontexttest.c
@@ -72,6 +72,7 @@ static int testTLSContextInit(const void *opaque)
                                          data->crt,
                                          KEYFILE,
                                          NULL,
+                                         NULL,
                                          true,
                                          true);
     } else {
@@ -79,6 +80,7 @@ static int testTLSContextInit(const void *opaque)
                                          NULL,
                                          data->crt,
                                          KEYFILE,
+                                         NULL,
                                          true,
                                          true);
     }
diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c
index 3af948a..8b79a1e 100644
--- a/tests/virnettlssessiontest.c
+++ b/tests/virnettlssessiontest.c
@@ -113,6 +113,7 @@ static int testTLSSessionInit(const void *opaque)
                                            data->servercrt,
                                            KEYFILE,
                                            data->wildcards,
+                                           NULL,
                                            false,
                                            true);
 
@@ -120,6 +121,7 @@ static int testTLSSessionInit(const void *opaque)
                                            NULL,
                                            data->clientcrt,
                                            KEYFILE,
+                                           NULL,
                                            false,
                                            true);
 
-- 
2.5.5

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]