From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Add checks for existance of GNUTLS and automatically disable
it if not found.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
configure.ac | 70 ++++++++++++++++++++++++++++++++-----------
daemon/libvirtd.c | 41 ++++++++++++++++++-------
daemon/remote.c | 2 ++
src/Makefile.am | 8 ++++-
src/libvirt.c | 17 ++++++++---
src/locking/lock_daemon.c | 12 ++++++--
src/lxc/lxc_controller.c | 6 ++--
src/qemu/qemu_migration.c | 15 ++++++++--
src/remote/remote_driver.c | 15 ++++++++++
src/rpc/virnetclient.c | 20 ++++++++++---
src/rpc/virnetclient.h | 8 ++++-
src/rpc/virnetserver.c | 6 ++++
src/rpc/virnetserver.h | 6 +++-
src/rpc/virnetserverclient.c | 63 ++++++++++++++++++++++++++++++++++----
src/rpc/virnetserverclient.h | 4 +++
src/rpc/virnetserverservice.c | 31 ++++++++++++++-----
src/rpc/virnetserverservice.h | 20 +++++++++----
src/rpc/virnetsocket.c | 17 ++++++++++-
src/rpc/virnetsocket.h | 6 +++-
tests/Makefile.am | 11 ++++++-
20 files changed, 311 insertions(+), 67 deletions(-)
diff --git a/configure.ac b/configure.ac
index ab08f17..bb64bf6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1025,30 +1025,62 @@ CFLAGS="$old_cflags"
LIBS="$old_libs"
dnl GnuTLS library
-GNUTLS_CFLAGS=
-GNUTLS_LIBS=
-GNUTLS_FOUND=no
-if test -x "$PKG_CONFIG" ; then
- PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED,
- [GNUTLS_FOUND=yes], [GNUTLS_FOUND=no])
-fi
-if test "$GNUTLS_FOUND" = "no"; then
+AC_ARG_WITH([gnutls],
+ AC_HELP_STRING([--with-gnutls], [use GNUTLS for encryption @<:@default=check@:>@]),
+ [],
+ [with_gnutls=check])
+
+
+if test "x$with_gnutls" != "xno"; then
+ if test "x$with_gnutls" != "xyes" && test "x$with_gnutls" != "xcheck"; then
+ GNUTLS_CFLAGS="-I$with_gnutls/include"
+ GNUTLS_LIBS="-L$with_gnutls/lib"
+ fi
fail=0
+ old_cflags="$CFLAGS"
old_libs="$LIBS"
- AC_CHECK_HEADER([gnutls/gnutls.h], [], [fail=1])
- AC_CHECK_LIB([gnutls], [gnutls_handshake],[], [fail=1], [-lgcrypt])
+ CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
+ LIBS="$LIBS $GNUTLS_LIBS"
- test $fail = 1 &&
- AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run libvirt])
+ GNUTLS_FOUND=no
+ if test -x "$PKG_CONFIG" ; then
+ PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED,
+ [GNUTLS_FOUND=yes], [GNUTLS_FOUND=no])
+ fi
+ if test "$GNUTLS_FOUND" = "no"; then
+ fail=0
+ AC_CHECK_HEADER([gnutls/gnutls.h], [], [fail=1])
+ AC_CHECK_LIB([gnutls], [gnutls_handshake],[], [fail=1], [-lgcrypt])
+
+ test $fail = 0 && GNUTLS_FOUND=yes
+
+ GNUTLS_LIBS="$GNUTLS_LIBS -lgnutls"
+ fi
+ if test "$GNUTLS_FOUND" = "no"; then
+ if test "$with_gnutls" = "check"; then
+ with_gnutls=no
+ GNUTLS_LIBS=
+ GNUTLS_CFLAGS=
+ else
+ AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run libvirt])
+ fi
+ else
+ dnl Not all versions of gnutls include -lgcrypt, and so we add
+ dnl it explicitly for the calls to gcry_control/check_version
+ GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
+
+ with_gnutls=yes
+ fi
- dnl Not all versions of gnutls include -lgcrypt, and so we add
- dnl it explicitly for the calls to gcry_control/check_version
- GNUTLS_LIBS="$LIBS -lgcrypt"
LIBS="$old_libs"
-else
- GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
+ CFLAGS="$old_CFLAGS"
fi
+if test "x$with_gnutls" = "xyes" ; then
+ AC_DEFINE_UNQUOTED([HAVE_GNUTLS], 1,
+ [whether GNUTLS is available for encryption])
+fi
+AM_CONDITIONAL([HAVE_GNUTLS], [test "x$with_gnutls" = "xyes"])
AC_SUBST([GNUTLS_CFLAGS])
AC_SUBST([GNUTLS_LIBS])
@@ -3168,7 +3200,11 @@ AC_MSG_NOTICE([ libssh2: $LIBSSH2_CFLAGS $LIBSSH2_LIBS])
else
AC_MSG_NOTICE([ libssh2: no])
fi
+if test "$with_gnutls" != "no" ; then
AC_MSG_NOTICE([ gnutls: $GNUTLS_CFLAGS $GNUTLS_LIBS])
+else
+AC_MSG_NOTICE([ gnutls: no])
+fi
if test "$with_sasl" != "no" ; then
AC_MSG_NOTICE([ sasl: $SASL_CFLAGS $SASL_LIBS])
else
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index fa4d129..ff54af3 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -449,7 +449,9 @@ static int daemonSetupNetworking(virNetServerPtr srv,
virNetServerServicePtr svc = NULL;
virNetServerServicePtr svcRO = NULL;
virNetServerServicePtr svcTCP = NULL;
+#if HAVE_GNUTLS
virNetServerServicePtr svcTLS = NULL;
+#endif
gid_t unix_sock_gid = 0;
int unix_sock_ro_mask = 0;
int unix_sock_rw_mask = 0;
@@ -474,9 +476,11 @@ static int daemonSetupNetworking(virNetServerPtr srv,
unix_sock_rw_mask,
unix_sock_gid,
config->auth_unix_rw,
+#if HAVE_GNUTLS
+ NULL,
+#endif
false,
- config->max_client_requests,
- NULL)))
+ config->max_client_requests)))
goto error;
if (sock_path_ro) {
VIR_DEBUG("Registering unix socket %s", sock_path_ro);
@@ -484,9 +488,11 @@ static int daemonSetupNetworking(virNetServerPtr srv,
unix_sock_ro_mask,
unix_sock_gid,
config->auth_unix_ro,
+#if HAVE_GNUTLS
+ NULL,
+#endif
true,
- config->max_client_requests,
- NULL)))
+ config->max_client_requests)))
goto error;
}
@@ -507,9 +513,11 @@ static int daemonSetupNetworking(virNetServerPtr srv,
if (!(svcTCP = virNetServerServiceNewTCP(config->listen_addr,
config->tcp_port,
config->auth_tcp,
+#if HAVE_GNUTLS
+ NULL,
+#endif
false,
- config->max_client_requests,
- NULL)))
+ config->max_client_requests)))
goto error;
if (virNetServerAddService(srv, svcTCP,
@@ -517,6 +525,7 @@ static int daemonSetupNetworking(virNetServerPtr srv,
goto error;
}
+#if HAVE_GNUTLS
if (config->listen_tls) {
virNetTLSContextPtr ctxt = NULL;
@@ -546,9 +555,9 @@ static int daemonSetupNetworking(virNetServerPtr srv,
virNetServerServiceNewTCP(config->listen_addr,
config->tls_port,
config->auth_tls,
+ ctxt,
false,
- config->max_client_requests,
- ctxt))) {
+ config->max_client_requests))) {
virObjectUnref(ctxt);
goto error;
}
@@ -559,13 +568,23 @@ static int daemonSetupNetworking(virNetServerPtr srv,
virObjectUnref(ctxt);
}
+#else
+ (void)privileged;
+ if (config->listen_tls) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("This libvirtd build does not support TLS"));
+ goto error;
+ }
+#endif
}
#if HAVE_SASL
if (config->auth_unix_rw == REMOTE_AUTH_SASL ||
config->auth_unix_ro == REMOTE_AUTH_SASL ||
- config->auth_tcp == REMOTE_AUTH_SASL ||
- config->auth_tls == REMOTE_AUTH_SASL) {
+# if HAVE_GNUTLS
+ config->auth_tls == REMOTE_AUTH_SASL ||
+# endif
+ config->auth_tcp == REMOTE_AUTH_SASL) {
saslCtxt = virNetSASLContextNewServer(
(const char *const*)config->sasl_allowed_username_list);
if (!saslCtxt)
@@ -576,7 +595,9 @@ static int daemonSetupNetworking(virNetServerPtr srv,
return 0;
error:
+#if HAVE_GNUTLS
virObjectUnref(svcTLS);
+#endif
virObjectUnref(svcTCP);
virObjectUnref(svc);
virObjectUnref(svcRO);
diff --git a/daemon/remote.c b/daemon/remote.c
index 8767c18..67fe335 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -2464,6 +2464,7 @@ remoteDispatchAuthSaslInit(virNetServerPtr server ATTRIBUTE_UNUSED,
if (!sasl)
goto authfail;
+# if HAVE_GNUTLS
/* Inform SASL that we've got an external SSF layer from TLS */
if (virNetServerClientHasTLSSession(client)) {
int ssf;
@@ -2477,6 +2478,7 @@ remoteDispatchAuthSaslInit(virNetServerPtr server ATTRIBUTE_UNUSED,
if (virNetSASLSessionExtKeySize(sasl, ssf) < 0)
goto authfail;
}
+# endif
if (virNetServerClientIsSecure(client))
/* If we've got TLS or UNIX domain sock, we don't care about SSF */
diff --git a/src/Makefile.am b/src/Makefile.am
index 955973e..061d544 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1777,7 +1777,6 @@ libvirt_net_rpc_la_SOURCES = \
rpc/virnetmessage.h rpc/virnetmessage.c \
rpc/virnetprotocol.h rpc/virnetprotocol.c \
rpc/virnetsocket.h rpc/virnetsocket.c \
- rpc/virnettlscontext.h rpc/virnettlscontext.c \
rpc/virkeepaliveprotocol.h rpc/virkeepaliveprotocol.c \
rpc/virkeepalive.h rpc/virkeepalive.c
if HAVE_LIBSSH2
@@ -1787,6 +1786,13 @@ else
EXTRA_DIST += \
rpc/virnetsshsession.h rpc/virnetsshsession.c
endif
+if HAVE_GNUTLS
+libvirt_net_rpc_la_SOURCES += \
+ rpc/virnettlscontext.h rpc/virnettlscontext.c
+else
+EXTRA_DIST += \
+ rpc/virnettlscontext.h rpc/virnettlscontext.c
+endif
if HAVE_SASL
libvirt_net_rpc_la_SOURCES += \
rpc/virnetsaslcontext.h rpc/virnetsaslcontext.c
diff --git a/src/libvirt.c b/src/libvirt.c
index 6d1da12..e0f6185 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -55,7 +55,9 @@
#include "configmake.h"
#include "intprops.h"
#include "virconf.h"
-#include "rpc/virnettlscontext.h"
+#if HAVE_GNUTLS
+# include "rpc/virnettlscontext.h"
+#endif
#include "vircommand.h"
#include "virrandom.h"
#include "viruri.h"
@@ -268,6 +270,8 @@ winsock_init(void)
}
#endif
+
+#ifdef HAVE_GNUTLS
static int virTLSMutexInit(void **priv)
{
virMutexPtr lock = NULL;
@@ -308,11 +312,11 @@ static int virTLSMutexUnlock(void **priv)
static struct gcry_thread_cbs virTLSThreadImpl = {
/* GCRY_THREAD_OPTION_VERSION was added in gcrypt 1.4.2 */
-#ifdef GCRY_THREAD_OPTION_VERSION
+# ifdef GCRY_THREAD_OPTION_VERSION
(GCRY_THREAD_OPTION_PTHREAD | (GCRY_THREAD_OPTION_VERSION << 8)),
-#else
+# else
GCRY_THREAD_OPTION_PTHREAD,
-#endif
+# endif
NULL,
virTLSMutexInit,
virTLSMutexDestroy,
@@ -320,6 +324,7 @@ static struct gcry_thread_cbs virTLSThreadImpl = {
virTLSMutexUnlock,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
};
+#endif
/* Helper macros to implement VIR_DOMAIN_DEBUG using just C99. This
* assumes you pass fewer than 15 arguments to VIR_DOMAIN_DEBUG, but
@@ -403,12 +408,16 @@ virGlobalInit(void)
virErrorInitialize() < 0)
goto error;
+#ifdef HAVE_GNUTLS
gcry_control(GCRYCTL_SET_THREAD_CBS, &virTLSThreadImpl);
gcry_check_version(NULL);
+#endif
virLogSetFromEnv();
+#ifdef HAVE_GNUTLS
virNetTLSInit();
+#endif
#if HAVE_LIBCURL
curl_global_init(CURL_GLOBAL_DEFAULT);
diff --git a/src/locking/lock_daemon.c b/src/locking/lock_daemon.c
index 7288f7a..ba42c00 100644
--- a/src/locking/lock_daemon.c
+++ b/src/locking/lock_daemon.c
@@ -654,7 +654,11 @@ virLockDaemonSetupNetworkingSystemD(virNetServerPtr srv)
/* Systemd passes FDs, starting immediately after stderr,
* so the first FD we'll get is '3'. */
- if (!(svc = virNetServerServiceNewFD(3, 0, false, 1, NULL)))
+ if (!(svc = virNetServerServiceNewFD(3, 0,
+#if HAVE_GNUTLS
+ NULL,
+#endif
+ false, 1)))
return -1;
if (virNetServerAddService(srv, svc, NULL) < 0) {
@@ -672,7 +676,11 @@ virLockDaemonSetupNetworkingNative(virNetServerPtr srv, const char *sock_path)
VIR_DEBUG("Setting up networking natively");
- if (!(svc = virNetServerServiceNewUNIX(sock_path, 0700, 0, 0, false, 1, NULL)))
+ if (!(svc = virNetServerServiceNewUNIX(sock_path, 0700, 0, 0,
+#if HAVE_GNUTLS
+ NULL,
+#endif
+ false, 1)))
return -1;
if (virNetServerAddService(srv, svc, NULL) < 0) {
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index c9d96b3..ddc921e 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -631,9 +631,11 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl)
0700,
0,
0,
+#if HAVE_GNUTLS
+ NULL,
+#endif
false,
- 5,
- NULL)))
+ 5)))
goto error;
if (virNetServerAddService(ctrl->server, svc, NULL) < 0)
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 9c7247b..e235677 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -23,8 +23,10 @@
#include <config.h>
#include <sys/time.h>
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
+#ifdef HAVE_GNUTLS
+# include <gnutls/gnutls.h>
+# include <gnutls/x509.h>
+#endif
#include <fcntl.h>
#include <poll.h>
@@ -196,6 +198,7 @@ static void qemuMigrationCookieFree(qemuMigrationCookiePtr mig)
}
+#ifdef HAVE_GNUTLS
static char *
qemuDomainExtractTLSSubject(const char *certdir)
{
@@ -254,7 +257,7 @@ error:
VIR_FREE(pemdata);
return NULL;
}
-
+#endif
static qemuMigrationCookieGraphicsPtr
qemuMigrationCookieGraphicsAlloc(virQEMUDriverPtr driver,
@@ -273,9 +276,11 @@ qemuMigrationCookieGraphicsAlloc(virQEMUDriverPtr driver,
if (!listenAddr)
listenAddr = driver->vncListen;
+#ifdef HAVE_GNUTLS
if (driver->vncTLS &&
!(mig->tlsSubject = qemuDomainExtractTLSSubject(driver->vncTLSx509certdir)))
goto error;
+#endif
} else {
mig->port = def->data.spice.port;
if (driver->spiceTLS)
@@ -286,9 +291,11 @@ qemuMigrationCookieGraphicsAlloc(virQEMUDriverPtr driver,
if (!listenAddr)
listenAddr = driver->spiceListen;
+#ifdef HAVE_GNUTLS
if (driver->spiceTLS &&
!(mig->tlsSubject = qemuDomainExtractTLSSubject(driver->spiceTLSx509certdir)))
goto error;
+#endif
}
if (!(mig->listen = strdup(listenAddr)))
goto no_memory;
@@ -297,7 +304,9 @@ qemuMigrationCookieGraphicsAlloc(virQEMUDriverPtr driver,
no_memory:
virReportOOMError();
+#ifdef HAVE_GNUTLS
error:
+#endif
qemuMigrationCookieGraphicsFree(mig);
return NULL;
}
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index c078cb5..f10c68a 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -80,7 +80,9 @@ struct private_data {
int counter; /* Serial number for RPC */
+#ifdef HAVE_GNUTLS
virNetTLSContextPtr tls;
+#endif
int is_secure; /* Secure if TLS or SASL or UNIX sockets */
char *type; /* Cached return from remoteType. */
@@ -596,12 +598,19 @@ doRemoteOpen(virConnectPtr conn,
/* Connect to the remote service. */
switch (transport) {
case trans_tls:
+#ifdef HAVE_GNUTLS
priv->tls = virNetTLSContextNewClientPath(pkipath,
geteuid() != 0 ? true : false,
sanity, verify);
if (!priv->tls)
goto failed;
priv->is_secure = 1;
+#else
+ (void)sanity;
+ virReportError(VIR_ERR_INVALID_ARG, "%s",
+ _("GNUTLS support not available in this build"));
+ goto failed;
+#endif
/*FALLTHROUGH*/
case trans_tcp:
@@ -609,11 +618,13 @@ doRemoteOpen(virConnectPtr conn,
if (!priv->client)
goto failed;
+#ifdef HAVE_GNUTLS
if (priv->tls) {
VIR_DEBUG("Starting TLS session");
if (virNetClientSetTLSSession(priv->client, priv->tls) < 0)
goto failed;
}
+#endif
break;
@@ -1001,8 +1012,10 @@ doRemoteClose(virConnectPtr conn, struct private_data *priv)
(xdrproc_t) xdr_void, (char *) NULL) == -1)
ret = -1;
+#ifdef HAVE_GNUTLS
virObjectUnref(priv->tls);
priv->tls = NULL;
+#endif
virNetClientSetCloseCallback(priv->client,
NULL,
NULL,
@@ -3879,6 +3892,7 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
saslcb)))
goto cleanup;
+# ifdef HAVE_GNUTLS
/* Initialize some connection props we care about */
if (priv->tls) {
if ((ssf = virNetClientGetTLSKeySize(priv->client)) < 0)
@@ -3890,6 +3904,7 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
if (virNetSASLSessionExtKeySize(sasl, ssf) < 0)
goto cleanup;
}
+# endif
/* If we've got a secure channel (TLS or UNIX sock), we don't care about SSF */
/* If we're not secure, then forbid any anonymous or trivially crackable auth */
diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
index 208e2e9..e933529 100644
--- a/src/rpc/virnetclient.c
+++ b/src/rpc/virnetclient.c
@@ -70,7 +70,9 @@ struct _virNetClient {
virNetSocketPtr sock;
bool asyncIO;
+#if HAVE_GNUTLS
virNetTLSSessionPtr tls;
+#endif
char *hostname;
virNetClientProgramPtr *programs;
@@ -627,7 +629,9 @@ void virNetClientDispose(void *obj)
if (client->sock)
virNetSocketRemoveIOCallback(client->sock);
virObjectUnref(client->sock);
+#if HAVE_GNUTLS
virObjectUnref(client->tls);
+#endif
#if HAVE_SASL
virObjectUnref(client->sasl);
#endif
@@ -663,8 +667,10 @@ virNetClientCloseLocked(virNetClientPtr client)
virObjectUnref(client->sock);
client->sock = NULL;
+#if HAVE_GNUTLS
virObjectUnref(client->tls);
client->tls = NULL;
+#endif
#if HAVE_SASL
virObjectUnref(client->sasl);
client->sasl = NULL;
@@ -745,6 +751,7 @@ void virNetClientSetSASLSession(virNetClientPtr client,
#endif
+#if HAVE_GNUTLS
int virNetClientSetTLSSession(virNetClientPtr client,
virNetTLSContextPtr tls)
{
@@ -755,12 +762,12 @@ int virNetClientSetTLSSession(virNetClientPtr client,
sigset_t oldmask, blockedsigs;
sigemptyset(&blockedsigs);
-#ifdef SIGWINCH
+# ifdef SIGWINCH
sigaddset(&blockedsigs, SIGWINCH);
-#endif
-#ifdef SIGCHLD
+# endif
+# ifdef SIGCHLD
sigaddset(&blockedsigs, SIGCHLD);
-#endif
+# endif
sigaddset(&blockedsigs, SIGPIPE);
virNetClientLock(client);
@@ -847,13 +854,16 @@ error:
virNetClientUnlock(client);
return -1;
}
+#endif
bool virNetClientIsEncrypted(virNetClientPtr client)
{
bool ret = false;
virNetClientLock(client);
+#if HAVE_GNUTLS
if (client->tls)
ret = true;
+#endif
#if HAVE_SASL
if (client->sasl)
ret = true;
@@ -956,6 +966,7 @@ const char *virNetClientRemoteAddrString(virNetClientPtr client)
return virNetSocketRemoteAddrString(client->sock);
}
+#if HAVE_GNUTLS
int virNetClientGetTLSKeySize(virNetClientPtr client)
{
int ret = 0;
@@ -965,6 +976,7 @@ int virNetClientGetTLSKeySize(virNetClientPtr client)
virNetClientUnlock(client);
return ret;
}
+#endif
static int
virNetClientCallDispatchReply(virNetClientPtr client)
diff --git a/src/rpc/virnetclient.h b/src/rpc/virnetclient.h
index 139cf32..d594add 100644
--- a/src/rpc/virnetclient.h
+++ b/src/rpc/virnetclient.h
@@ -23,7 +23,9 @@
#ifndef __VIR_NET_CLIENT_H__
# define __VIR_NET_CLIENT_H__
-# include "virnettlscontext.h"
+# ifdef HAVE_GNUTLS
+# include "virnettlscontext.h"
+# endif
# include "virnetmessage.h"
# ifdef HAVE_SASL
# include "virnetsaslcontext.h"
@@ -107,8 +109,10 @@ void virNetClientSetSASLSession(virNetClientPtr client,
virNetSASLSessionPtr sasl);
# endif
+# ifdef HAVE_GNUTLS
int virNetClientSetTLSSession(virNetClientPtr client,
virNetTLSContextPtr tls);
+# endif
bool virNetClientIsEncrypted(virNetClientPtr client);
bool virNetClientIsOpen(virNetClientPtr client);
@@ -116,7 +120,9 @@ bool virNetClientIsOpen(virNetClientPtr client);
const char *virNetClientLocalAddrString(virNetClientPtr client);
const char *virNetClientRemoteAddrString(virNetClientPtr client);
+# ifdef HAVE_GNUTLS
int virNetClientGetTLSKeySize(virNetClientPtr client);
+# endif
void virNetClientClose(virNetClientPtr client);
diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c
index 5674309..b9df71b 100644
--- a/src/rpc/virnetserver.c
+++ b/src/rpc/virnetserver.c
@@ -98,7 +98,9 @@ struct _virNetServer {
unsigned int quit :1;
+#ifdef HAVE_GNUTLS
virNetTLSContextPtr tls;
+#endif
unsigned int autoShutdownTimeout;
size_t autoShutdownInhibitions;
@@ -309,7 +311,9 @@ static int virNetServerDispatchNewClient(virNetServerServicePtr svc,
virNetServerServiceGetAuth(svc),
virNetServerServiceIsReadonly(svc),
virNetServerServiceGetMaxRequests(svc),
+#if HAVE_GNUTLS
virNetServerServiceGetTLSContext(svc),
+#endif
srv->clientPrivNew,
srv->clientPrivPreExecRestart,
srv->clientPrivFree,
@@ -1034,12 +1038,14 @@ no_memory:
return -1;
}
+#if HAVE_GNUTLS
int virNetServerSetTLSContext(virNetServerPtr srv,
virNetTLSContextPtr tls)
{
srv->tls = virObjectRef(tls);
return 0;
}
+#endif
static void virNetServerAutoShutdownTimer(int timerid ATTRIBUTE_UNUSED,
diff --git a/src/rpc/virnetserver.h b/src/rpc/virnetserver.h
index da7dc9e..d906dd1 100644
--- a/src/rpc/virnetserver.h
+++ b/src/rpc/virnetserver.h
@@ -26,7 +26,9 @@
# include <signal.h>
-# include "virnettlscontext.h"
+# ifdef HAVE_GNUTLS
+# include "virnettlscontext.h"
+# endif
# include "virnetserverprogram.h"
# include "virnetserverclient.h"
# include "virnetserverservice.h"
@@ -79,8 +81,10 @@ int virNetServerAddService(virNetServerPtr srv,
int virNetServerAddProgram(virNetServerPtr srv,
virNetServerProgramPtr prog);
+# if HAVE_GNUTLS
int virNetServerSetTLSContext(virNetServerPtr srv,
virNetTLSContextPtr tls);
+# endif
void virNetServerUpdateServices(virNetServerPtr srv,
bool enabled);
diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
index aefc511..bf23d24 100644
--- a/src/rpc/virnetserverclient.c
+++ b/src/rpc/virnetserverclient.c
@@ -66,8 +66,10 @@ struct _virNetServerClient
int auth;
bool readonly;
char *identity;
+#if HAVE_GNUTLS
virNetTLSContextPtr tlsCtxt;
virNetTLSSessionPtr tls;
+#endif
#if HAVE_SASL
virNetSASLSessionPtr sasl;
#endif
@@ -147,13 +149,18 @@ virNetServerClientCalculateHandleMode(virNetServerClientPtr client) {
VIR_DEBUG("tls=%p hs=%d, rx=%p tx=%p",
+#ifdef HAVE_GNUTLS
client->tls,
client->tls ? virNetTLSSessionGetHandshakeStatus(client->tls) : -1,
+#else
+ NULL, -1,
+#endif
client->rx,
client->tx);
if (!client->sock || client->wantClose)
return 0;
+#if HAVE_GNUTLS
if (client->tls) {
switch (virNetTLSSessionGetHandshakeStatus(client->tls)) {
case VIR_NET_TLS_HANDSHAKE_RECVING:
@@ -170,6 +177,7 @@ virNetServerClientCalculateHandleMode(virNetServerClientPtr client) {
mode |= VIR_EVENT_HANDLE_WRITABLE;
}
} else {
+#endif
/* If there is a message on the rx queue, and
* we're not in middle of a delayedClose, then
* we're wanting more input */
@@ -180,7 +188,9 @@ virNetServerClientCalculateHandleMode(virNetServerClientPtr client) {
then monitor for writability on socket */
if (client->tx)
mode |= VIR_EVENT_HANDLE_WRITABLE;
+#if HAVE_GNUTLS
}
+#endif
VIR_DEBUG("mode=%o", mode);
return mode;
}
@@ -287,6 +297,7 @@ void virNetServerClientRemoveFilter(virNetServerClientPtr client,
}
+#ifdef HAVE_GNUTLS
/* Check the client's access. */
static int
virNetServerClientCheckAccess(virNetServerClientPtr client)
@@ -322,6 +333,8 @@ virNetServerClientCheckAccess(virNetServerClientPtr client)
return 0;
}
+#endif
+
static void virNetServerClientSockTimerFunc(int timer,
void *opaque)
@@ -340,9 +353,11 @@ static void virNetServerClientSockTimerFunc(int timer,
static virNetServerClientPtr
virNetServerClientNewInternal(virNetSocketPtr sock,
int auth,
+#ifdef HAVE_GNUTLS
+ virNetTLSContextPtr tls,
+#endif
bool readonly,
- size_t nrequests_max,
- virNetTLSContextPtr tls)
+ size_t nrequests_max)
{
virNetServerClientPtr client;
@@ -360,7 +375,9 @@ virNetServerClientNewInternal(virNetSocketPtr sock,
client->sock = virObjectRef(sock);
client->auth = auth;
client->readonly = readonly;
+#ifdef HAVE_GNUTLS
client->tlsCtxt = virObjectRef(tls);
+#endif
client->nrequests_max = nrequests_max;
client->sockTimer = virEventAddTimeout(-1, virNetServerClientSockTimerFunc,
@@ -394,7 +411,9 @@ virNetServerClientPtr virNetServerClientNew(virNetSocketPtr sock,
int auth,
bool readonly,
size_t nrequests_max,
+#ifdef HAVE_GNUTLS
virNetTLSContextPtr tls,
+#endif
virNetServerClientPrivNew privNew,
virNetServerClientPrivPreExecRestart privPreExecRestart,
virFreeCallback privFree,
@@ -402,9 +421,19 @@ virNetServerClientPtr virNetServerClientNew(virNetSocketPtr sock,
{
virNetServerClientPtr client;
- VIR_DEBUG("sock=%p auth=%d tls=%p", sock, auth, tls);
+ VIR_DEBUG("sock=%p auth=%d tls=%p", sock, auth,
+#ifdef HAVE_GNUTLS
+ tls
+#else
+ NULL
+#endif
+ );
- if (!(client = virNetServerClientNewInternal(sock, auth, readonly, nrequests_max, tls)))
+ if (!(client = virNetServerClientNewInternal(sock, auth,
+#ifdef HAVE_GNUTLS
+ tls,
+#endif
+ readonly, nrequests_max)))
return NULL;
if (privNew) {
@@ -470,9 +499,11 @@ virNetServerClientPtr virNetServerClientNewPostExecRestart(virJSONValuePtr objec
if (!(client = virNetServerClientNewInternal(sock,
auth,
+#ifdef HAVE_GNUTLS
+ NULL,
+#endif
readonly,
- nrequests_max,
- NULL))) {
+ nrequests_max))) {
virObjectUnref(sock);
return NULL;
}
@@ -571,6 +602,7 @@ bool virNetServerClientGetReadonly(virNetServerClientPtr client)
}
+#ifdef HAVE_GNUTLS
bool virNetServerClientHasTLSSession(virNetServerClientPtr client)
{
bool has;
@@ -589,6 +621,7 @@ int virNetServerClientGetTLSKeySize(virNetServerClientPtr client)
virNetServerClientUnlock(client);
return size;
}
+#endif
int virNetServerClientGetFD(virNetServerClientPtr client)
{
@@ -615,8 +648,10 @@ bool virNetServerClientIsSecure(virNetServerClientPtr client)
{
bool secure = false;
virNetServerClientLock(client);
+#if HAVE_GNUTLS
if (client->tls)
secure = true;
+#endif
#if HAVE_SASL
if (client->sasl)
secure = true;
@@ -628,6 +663,7 @@ bool virNetServerClientIsSecure(virNetServerClientPtr client)
}
+
#if HAVE_SASL
void virNetServerClientSetSASLSession(virNetServerClientPtr client,
virNetSASLSessionPtr sasl)
@@ -730,8 +766,10 @@ void virNetServerClientDispose(void *obj)
#endif
if (client->sockTimer > 0)
virEventRemoveTimeout(client->sockTimer);
+#if HAVE_GNUTLS
virObjectUnref(client->tls);
virObjectUnref(client->tlsCtxt);
+#endif
virObjectUnref(client->sock);
virNetServerClientUnlock(client);
virMutexDestroy(&client->lock);
@@ -784,10 +822,12 @@ void virNetServerClientClose(virNetServerClientPtr client)
if (client->sock)
virNetSocketRemoveIOCallback(client->sock);
+#if HAVE_GNUTLS
if (client->tls) {
virObjectUnref(client->tls);
client->tls = NULL;
}
+#endif
client->wantClose = true;
while (client->rx) {
@@ -847,10 +887,13 @@ int virNetServerClientInit(virNetServerClientPtr client)
{
virNetServerClientLock(client);
+#if HAVE_GNUTLS
if (!client->tlsCtxt) {
+#endif
/* Plain socket, so prepare to read first message */
if (virNetServerClientRegisterEvent(client) < 0)
goto error;
+#if HAVE_GNUTLS
} else {
int ret;
@@ -879,6 +922,7 @@ int virNetServerClientInit(virNetServerClientPtr client)
goto error;
}
}
+#endif
virNetServerClientUnlock(client);
return 0;
@@ -1180,6 +1224,8 @@ virNetServerClientDispatchWrite(virNetServerClientPtr client)
}
}
+
+#if HAVE_GNUTLS
static void
virNetServerClientDispatchHandshake(virNetServerClientPtr client)
{
@@ -1202,6 +1248,7 @@ virNetServerClientDispatchHandshake(virNetServerClientPtr client)
client->wantClose = true;
}
}
+#endif
static void
virNetServerClientDispatchEvent(virNetSocketPtr sock, int events, void *opaque)
@@ -1218,17 +1265,21 @@ virNetServerClientDispatchEvent(virNetSocketPtr sock, int events, void *opaque)
if (events & (VIR_EVENT_HANDLE_WRITABLE |
VIR_EVENT_HANDLE_READABLE)) {
+#if HAVE_GNUTLS
if (client->tls &&
virNetTLSSessionGetHandshakeStatus(client->tls) !=
VIR_NET_TLS_HANDSHAKE_COMPLETE) {
virNetServerClientDispatchHandshake(client);
} else {
+#endif
if (events & VIR_EVENT_HANDLE_WRITABLE)
virNetServerClientDispatchWrite(client);
if (events & VIR_EVENT_HANDLE_READABLE &&
client->rx)
virNetServerClientDispatchRead(client);
+#if HAVE_GNUTLS
}
+#endif
}
/* NB, will get HANGUP + READABLE at same time upon
diff --git a/src/rpc/virnetserverclient.h b/src/rpc/virnetserverclient.h
index 65084e2..b11b9a9 100644
--- a/src/rpc/virnetserverclient.h
+++ b/src/rpc/virnetserverclient.h
@@ -52,7 +52,9 @@ virNetServerClientPtr virNetServerClientNew(virNetSocketPtr sock,
int auth,
bool readonly,
size_t nrequests_max,
+# ifdef HAVE_GNUTLS
virNetTLSContextPtr tls,
+# endif
virNetServerClientPrivNew privNew,
virNetServerClientPrivPreExecRestart privPreExecRestart,
virFreeCallback privFree,
@@ -76,8 +78,10 @@ void virNetServerClientRemoveFilter(virNetServerClientPtr client,
int virNetServerClientGetAuth(virNetServerClientPtr client);
bool virNetServerClientGetReadonly(virNetServerClientPtr client);
+# ifdef HAVE_GNUTLS
bool virNetServerClientHasTLSSession(virNetServerClientPtr client);
int virNetServerClientGetTLSKeySize(virNetServerClientPtr client);
+# endif
# ifdef HAVE_SASL
void virNetServerClientSetSASLSession(virNetServerClientPtr client,
diff --git a/src/rpc/virnetserverservice.c b/src/rpc/virnetserverservice.c
index 7d671f0..61dd682 100644
--- a/src/rpc/virnetserverservice.c
+++ b/src/rpc/virnetserverservice.c
@@ -41,7 +41,9 @@ struct _virNetServerService {
bool readonly;
size_t nrequests_client_max;
+#if HAVE_GNUTLS
virNetTLSContextPtr tls;
+#endif
virNetServerServiceDispatchFunc dispatchFunc;
void *dispatchOpaque;
@@ -90,9 +92,11 @@ cleanup:
virNetServerServicePtr virNetServerServiceNewTCP(const char *nodename,
const char *service,
int auth,
+#if HAVE_GNUTLS
+ virNetTLSContextPtr tls,
+#endif
bool readonly,
- size_t nrequests_client_max,
- virNetTLSContextPtr tls)
+ size_t nrequests_client_max)
{
virNetServerServicePtr svc;
size_t i;
@@ -106,7 +110,9 @@ virNetServerServicePtr virNetServerServiceNewTCP(const char *nodename,
svc->auth = auth;
svc->readonly = readonly;
svc->nrequests_client_max = nrequests_client_max;
+#if HAVE_GNUTLS
svc->tls = virObjectRef(tls);
+#endif
if (virNetSocketNewListenTCP(nodename,
service,
@@ -144,9 +150,11 @@ virNetServerServicePtr virNetServerServiceNewUNIX(const char *path,
mode_t mask,
gid_t grp,
int auth,
+#if HAVE_GNUTLS
+ virNetTLSContextPtr tls,
+#endif
bool readonly,
- size_t nrequests_client_max,
- virNetTLSContextPtr tls)
+ size_t nrequests_client_max)
{
virNetServerServicePtr svc;
int i;
@@ -160,7 +168,9 @@ virNetServerServicePtr virNetServerServiceNewUNIX(const char *path,
svc->auth = auth;
svc->readonly = readonly;
svc->nrequests_client_max = nrequests_client_max;
+#if HAVE_GNUTLS
svc->tls = virObjectRef(tls);
+#endif
svc->nsocks = 1;
if (VIR_ALLOC_N(svc->socks, svc->nsocks) < 0)
@@ -202,9 +212,11 @@ error:
virNetServerServicePtr virNetServerServiceNewFD(int fd,
int auth,
+#if HAVE_GNUTLS
+ virNetTLSContextPtr tls,
+#endif
bool readonly,
- size_t nrequests_client_max,
- virNetTLSContextPtr tls)
+ size_t nrequests_client_max)
{
virNetServerServicePtr svc;
int i;
@@ -218,7 +230,9 @@ virNetServerServicePtr virNetServerServiceNewFD(int fd,
svc->auth = auth;
svc->readonly = readonly;
svc->nrequests_client_max = nrequests_client_max;
+#if HAVE_GNUTLS
svc->tls = virObjectRef(tls);
+#endif
svc->nsocks = 1;
if (VIR_ALLOC_N(svc->socks, svc->nsocks) < 0)
@@ -401,11 +415,12 @@ size_t virNetServerServiceGetMaxRequests(virNetServerServicePtr svc)
return svc->nrequests_client_max;
}
+#if HAVE_GNUTLS
virNetTLSContextPtr virNetServerServiceGetTLSContext(virNetServerServicePtr svc)
{
return svc->tls;
}
-
+#endif
void virNetServerServiceSetDispatcher(virNetServerServicePtr svc,
virNetServerServiceDispatchFunc func,
@@ -425,7 +440,9 @@ void virNetServerServiceDispose(void *obj)
virObjectUnref(svc->socks[i]);
VIR_FREE(svc->socks);
+#if HAVE_GNUTLS
virObjectUnref(svc->tls);
+#endif
}
void virNetServerServiceToggle(virNetServerServicePtr svc,
diff --git a/src/rpc/virnetserverservice.h b/src/rpc/virnetserverservice.h
index 615b572..934b8d3 100644
--- a/src/rpc/virnetserverservice.h
+++ b/src/rpc/virnetserverservice.h
@@ -40,21 +40,27 @@ typedef int (*virNetServerServiceDispatchFunc)(virNetServerServicePtr svc,
virNetServerServicePtr virNetServerServiceNewTCP(const char *nodename,
const char *service,
int auth,
+# if HAVE_GNUTLS
+ virNetTLSContextPtr tls,
+# endif
bool readonly,
- size_t nrequests_client_max,
- virNetTLSContextPtr tls);
+ size_t nrequests_client_max);
virNetServerServicePtr virNetServerServiceNewUNIX(const char *path,
mode_t mask,
gid_t grp,
int auth,
+# if HAVE_GNUTLS
+ virNetTLSContextPtr tls,
+# endif
bool readonly,
- size_t nrequests_client_max,
- virNetTLSContextPtr tls);
+ size_t nrequests_client_max);
virNetServerServicePtr virNetServerServiceNewFD(int fd,
int auth,
+# if HAVE_GNUTLS
+ virNetTLSContextPtr tls,
+# endif
bool readonly,
- size_t nrequests_client_max,
- virNetTLSContextPtr tls);
+ size_t nrequests_client_max);
virNetServerServicePtr virNetServerServiceNewPostExecRestart(virJSONValuePtr object);
@@ -65,7 +71,9 @@ int virNetServerServiceGetPort(virNetServerServicePtr svc);
int virNetServerServiceGetAuth(virNetServerServicePtr svc);
bool virNetServerServiceIsReadonly(virNetServerServicePtr svc);
size_t virNetServerServiceGetMaxRequests(virNetServerServicePtr svc);
+# ifdef HAVE_GNUTLS
virNetTLSContextPtr virNetServerServiceGetTLSContext(virNetServerServicePtr svc);
+# endif
void virNetServerServiceSetDispatcher(virNetServerServicePtr svc,
virNetServerServiceDispatchFunc func,
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index ef93892..a817999 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -79,7 +79,9 @@ struct _virNetSocket {
char *localAddrStr;
char *remoteAddrStr;
+#if HAVE_GNUTLS
virNetTLSSessionPtr tlsSession;
+#endif
#if HAVE_SASL
virNetSASLSessionPtr saslSession;
@@ -948,11 +950,13 @@ virJSONValuePtr virNetSocketPreExecRestart(virNetSocketPtr sock)
goto error;
}
#endif
+#if HAVE_GNUTLS
if (sock->tlsSession) {
virReportError(VIR_ERR_OPERATION_INVALID, "%s",
_("Unable to save socket state when TLS session is active"));
goto error;
}
+#endif
if (!(object = virJSONValueNewObject()))
goto error;
@@ -1011,10 +1015,12 @@ void virNetSocketDispose(void *obj)
unlink(sock->localAddr.data.un.sun_path);
#endif
+#if HAVE_GNUTLS
/* Make sure it can't send any more I/O during shutdown */
if (sock->tlsSession)
virNetTLSSessionSetIOCallbacks(sock->tlsSession, NULL, NULL, NULL);
virObjectUnref(sock->tlsSession);
+#endif
#if HAVE_SASL
virObjectUnref(sock->saslSession);
#endif
@@ -1178,6 +1184,7 @@ const char *virNetSocketRemoteAddrString(virNetSocketPtr sock)
}
+#if HAVE_GNUTLS
static ssize_t virNetSocketTLSSessionWrite(const char *buf,
size_t len,
void *opaque)
@@ -1208,7 +1215,7 @@ void virNetSocketSetTLSSession(virNetSocketPtr sock,
sock);
virMutexUnlock(&sock->lock);
}
-
+#endif
#if HAVE_SASL
void virNetSocketSetSASLSession(virNetSocketPtr sock,
@@ -1280,13 +1287,17 @@ static ssize_t virNetSocketReadWire(virNetSocketPtr sock, char *buf, size_t len)
#endif
reread:
+#if HAVE_GNUTLS
if (sock->tlsSession &&
virNetTLSSessionGetHandshakeStatus(sock->tlsSession) ==
VIR_NET_TLS_HANDSHAKE_COMPLETE) {
ret = virNetTLSSessionRead(sock->tlsSession, buf, len);
} else {
+#endif
ret = read(sock->fd, buf, len);
+#if HAVE_GNUTLS
}
+#endif
if ((ret < 0) && (errno == EINTR))
goto reread;
@@ -1335,13 +1346,17 @@ static ssize_t virNetSocketWriteWire(virNetSocketPtr sock, const char *buf, size
#endif
rewrite:
+#if HAVE_GNUTLS
if (sock->tlsSession &&
virNetTLSSessionGetHandshakeStatus(sock->tlsSession) ==
VIR_NET_TLS_HANDSHAKE_COMPLETE) {
ret = virNetTLSSessionWrite(sock->tlsSession, buf, len);
} else {
+#endif
ret = write(sock->fd, buf, len);
+#if HAVE_GNUTLS
}
+#endif
if (ret < 0) {
if (errno == EINTR)
diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h
index 7016c09..ce15bb8 100644
--- a/src/rpc/virnetsocket.h
+++ b/src/rpc/virnetsocket.h
@@ -26,7 +26,9 @@
# include "virsocketaddr.h"
# include "vircommand.h"
-# include "virnettlscontext.h"
+# ifdef HAVE_GNUTLS
+# include "virnettlscontext.h"
+# endif
# include "virobject.h"
# ifdef HAVE_SASL
# include "virnetsaslcontext.h"
@@ -122,8 +124,10 @@ ssize_t virNetSocketWrite(virNetSocketPtr sock, const char *buf, size_t len);
int virNetSocketSendFD(virNetSocketPtr sock, int fd);
int virNetSocketRecvFD(virNetSocketPtr sock, int *fd);
+# ifdef HAVE_GNUTLS
void virNetSocketSetTLSSession(virNetSocketPtr sock,
virNetTLSSessionPtr sess);
+# endif
# ifdef HAVE_SASL
void virNetSocketSetSASLSession(virNetSocketPtr sock,
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b603ea3..9c7c6fb 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -91,7 +91,7 @@ test_programs = virshtest sockettest \
commandtest seclabeltest \
virhashtest virnetmessagetest virnetsockettest \
viratomictest \
- utiltest virnettlscontexttest shunloadtest \
+ utiltest shunloadtest \
virtimetest viruritest virkeyfiletest \
virauthconfigtest \
virbitmaptest \
@@ -100,6 +100,10 @@ test_programs = virshtest sockettest \
sysinfotest \
$(NULL)
+if HAVE_GNUTLS
+test_programs += virnettlscontexttest
+endif
+
if WITH_SECDRIVER_SELINUX
test_programs += securityselinuxtest
endif
@@ -526,6 +530,7 @@ virnetsockettest_SOURCES = \
virnetsockettest_CFLAGS = -Dabs_builddir="\"$(abs_builddir)\"" $(AM_CFLAGS)
virnetsockettest_LDADD = $(LDADDS)
+if HAVE_GNUTLS
virnettlscontexttest_SOURCES = \
virnettlscontexttest.c testutils.h testutils.c
virnettlscontexttest_CFLAGS = -Dabs_builddir="\"$(abs_builddir)\"" $(AM_CFLAGS)
@@ -536,6 +541,10 @@ virnettlscontexttest_LDADD += -ltasn1
else
EXTRA_DIST += pkix_asn1_tab.c
endif
+else
+EXTRA_DIST += \
+ virnettlscontexttest.c testutils.h testutils.c pkix_asn1_tab.c
+endif
virtimetest_SOURCES = \
virtimetest.c testutils.h testutils.c
--
1.8.0.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list