Store whether "default_tls_x509_verify" was provided and enhance the SET_TLS_VERIFY_DEFAULT macro so that indiviual users can provide their own default if "default_tls_x509_verify" config option was not provided. For now we keep setting it to 'false'.
Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
---
src/qemu/qemu.conf | 6 ++++++
src/qemu/qemu_conf.c | 22 ++++++++++++++--------
src/qemu/qemu_conf.h | 1 +
3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 6f7d2b14f7..6f9d940477 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -40,6 +40,12 @@
 # client-cert.pem - the client certificate signed with the ca-cert.pem
 # client-key.pem - the client private key
 #
+# If this option is supplied it provides the default for the "_verify" option
+# of specific TLS users such as vnc, backups, migration, etc. The specific
+# users of TLS may override this by setting the specific "_verify" option.
+#
+# When not supplied the specific TLS users provide their own defaults.
+#
 #default_tls_x509_verify = 1
 #
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 2fb2f021c2..c3a61816a4 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -406,8 +406,10 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfigPtr cfg,
 if ((rv = virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir)) < 0)
 return -1;
 cfg->defaultTLSx509certdirPresent = (rv == 1);
- if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0)
+ if ((rv = virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify)) < 0)
 return -1;
+ if (rv == 1)
+ cfg->defaultTLSx509verifyPresent = true;
 if (virConfGetValueString(conf, "default_tls_x509_secret_uuid", &cfg->defaultTLSx509secretUUID) < 0)
 return -1;
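Review bot: The new `defaultTLSx509verifyPresent` flag is only written on the `rv == 1` branch and is never assigned otherwise, whereas the line just above writes `cfg->defaultTLSx509certdirPresent = (rv == 1);` unconditionally. Using the same form, `cfg->defaultTLSx509verifyPresent = (rv == 1);`, keeps the two "Present" flags consistent and does not rely on the struct having been zero-initialized before this loader runs (that allocation is outside the hunk). It would also avoid a stale true if this loader were ever re-run on a cfg whose config no longer contains the option. virQEMUDriverConfigLoadDefaultTLSEntry starts before the hunk and continues past it.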
@@ -1240,16 +1242,20 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
 #undef SET_TLS_X509_CERT_DEFAULT
-#define SET_TLS_VERIFY_DEFAULT(val) \
+#define SET_TLS_VERIFY_DEFAULT(val, defaultverify) \
 do { \
- if (!cfg->val## TLSx509verifyPresent) \
- cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \
+ if (!cfg->val## TLSx509verifyPresent) {\
+ if (cfg->defaultTLSx509verifyPresent) \
+ cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \
+ else \
+ cfg->val## TLSx509verify = defaultverify;\
+ }\
 } while (0)
- SET_TLS_VERIFY_DEFAULT(vnc);
- SET_TLS_VERIFY_DEFAULT(chardev);
- SET_TLS_VERIFY_DEFAULT(migrate);
- SET_TLS_VERIFY_DEFAULT(backup);
+ SET_TLS_VERIFY_DEFAULT(vnc, false);
+ SET_TLS_VERIFY_DEFAULT(chardev, false);
+ SET_TLS_VERIFY_DEFAULT(migrate, false);
+ SET_TLS_VERIFY_DEFAULT(backup, false);
 #undef SET_TLS_VERIFY_DEFAULT
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index da03a184c1..8748212a82 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -108,6 +108,7 @@ struct _virQEMUDriverConfig {
 char *defaultTLSx509certdir;
 bool defaultTLSx509certdirPresent;
 bool defaultTLSx509verify;
+ bool defaultTLSx509verifyPresent;
 char *defaultTLSx509secretUUID;
 bool vncAutoUnixSocket;
-- 
2.28.0
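Review bot: The `defaultverify` macro argument is expanded unparenthesized in `cfg->val## TLSx509verify = defaultverify;\`; every call in this hunk passes the literal `false`, but a caller passing an expression would be bitten, so `cfg->val## TLSx509verify = (defaultverify); \` is the safer spelling. The added lines also drop the space before the line-continuation backslash (`{\`, `;\`, `}\`) that the surrounding macro lines use, which is worth aligning. Since all four users still receive `false`, x509 verification for vnc, chardev, migrate and backup stays off unless the per-user `_verify` option or the global `default_tls_x509_verify` is set, and a short comment above the four invocations, e.g. `/* Verification is opt-in: it stays off unless a per-user or global _verify option is set */`, would record that the hard-coded `false` is a deliberate default rather than a placeholder. virQEMUDriverConfigSetDefaults starts and ends outside the hunk.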