libvirt/src/util/virstorageencryption.h

94 lines
3.0 KiB
C
Raw Normal View History

/*
* virstorageencryption.h: volume encryption information
*
* Copyright (C) 2009-2011, 2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#pragma once
#include "internal.h"
#include "virbuffer.h"
#include "virsecret.h"
#include "virenum.h"
#include <libxml/tree.h>
typedef enum {
VIR_STORAGE_ENCRYPTION_SECRET_TYPE_PASSPHRASE = 0,
VIR_STORAGE_ENCRYPTION_SECRET_TYPE_LAST
} virStorageEncryptionSecretType;
VIR_ENUM_DECL(virStorageEncryptionSecret);
typedef struct _virStorageEncryptionSecret virStorageEncryptionSecret;
typedef virStorageEncryptionSecret *virStorageEncryptionSecretPtr;
struct _virStorageEncryptionSecret {
Revert "maint: prefer enum over int for virstoragefile structs" This partially reverts commits b279e52f7 and ea18f8b2. It turns out our code base is full of: if ((struct.member = virBlahFromString(str)) < 0) goto error; Meanwhile, the C standard says it is up to the compiler whether an enum is signed or unsigned when all of its declared values happen to be positive. In my testing (Fedora 20, gcc 4.8.2), the compiler picked signed, and nothing changed. But others testing with gcc 4.7 got compiler warnings, because it picked the enum to be unsigned, but no unsigned value is less than 0. Even worse: if ((struct.member = virBlahFromString(str)) <= 0) goto error; is silently compiled without warning, but incorrectly treats -1 from a bad parse as a large positive number with no warning; and without the compiler's help to find these instances, it is a nightmare to maintain correctly. We could force signed enums with a dummy negative declaration in each enum, or cast the result of virBlahFromString back to int after assigning to an enum value, or use a temporary int for collecting results from virBlahFromString, but those actions are all uglier than what we were trying to cure by directly using enum types for struct values in the first place. It's better off to just live with int members, and use 'switch ((virFoo) struct.member)' where we want the compiler to help, than to track down all the conversions from string to enum and ensure they don't suffer from type problems. * src/util/virstorageencryption.h: Revert back to int declarations with comment about enum usage. * src/util/virstoragefile.h: Likewise. * src/conf/domain_conf.c: Restore back to casts in switches. * src/qemu/qemu_driver.c: Likewise. * src/qemu/qemu_command.c: Add cast rather than revert. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-05-16 18:50:03 -06:00
int type; /* virStorageEncryptionSecretType */
virSecretLookupTypeDef seclookupdef;
};
/* It's possible to dictate the cipher and if necessary iv */
typedef struct _virStorageEncryptionInfoDef virStorageEncryptionInfoDef;
typedef virStorageEncryptionInfoDef *virStorageEncryptionInfoDefPtr;
struct _virStorageEncryptionInfoDef {
unsigned int cipher_size;
char *cipher_name;
char *cipher_mode;
char *cipher_hash;
char *ivgen_name;
char *ivgen_hash;
};
typedef enum {
/* "default" is only valid for volume creation */
VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0,
VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
} virStorageEncryptionFormatType;
VIR_ENUM_DECL(virStorageEncryptionFormat);
typedef struct _virStorageEncryption virStorageEncryption;
typedef virStorageEncryption *virStorageEncryptionPtr;
struct _virStorageEncryption {
Revert "maint: prefer enum over int for virstoragefile structs" This partially reverts commits b279e52f7 and ea18f8b2. It turns out our code base is full of: if ((struct.member = virBlahFromString(str)) < 0) goto error; Meanwhile, the C standard says it is up to the compiler whether an enum is signed or unsigned when all of its declared values happen to be positive. In my testing (Fedora 20, gcc 4.8.2), the compiler picked signed, and nothing changed. But others testing with gcc 4.7 got compiler warnings, because it picked the enum to be unsigned, but no unsigned value is less than 0. Even worse: if ((struct.member = virBlahFromString(str)) <= 0) goto error; is silently compiled without warning, but incorrectly treats -1 from a bad parse as a large positive number with no warning; and without the compiler's help to find these instances, it is a nightmare to maintain correctly. We could force signed enums with a dummy negative declaration in each enum, or cast the result of virBlahFromString back to int after assigning to an enum value, or use a temporary int for collecting results from virBlahFromString, but those actions are all uglier than what we were trying to cure by directly using enum types for struct values in the first place. It's better off to just live with int members, and use 'switch ((virFoo) struct.member)' where we want the compiler to help, than to track down all the conversions from string to enum and ensure they don't suffer from type problems. * src/util/virstorageencryption.h: Revert back to int declarations with comment about enum usage. * src/util/virstoragefile.h: Likewise. * src/conf/domain_conf.c: Restore back to casts in switches. * src/qemu/qemu_driver.c: Likewise. * src/qemu/qemu_command.c: Add cast rather than revert. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-05-16 18:50:03 -06:00
int format; /* virStorageEncryptionFormatType */
int payload_offset;
size_t nsecrets;
virStorageEncryptionSecretPtr *secrets;
virStorageEncryptionInfoDef encinfo;
};
virStorageEncryptionPtr virStorageEncryptionCopy(const virStorageEncryption *src)
ATTRIBUTE_NONNULL(1);
void virStorageEncryptionFree(virStorageEncryptionPtr enc);
Fix UUID handling in secrets/storage encryption APIs Convert all the secret/storage encryption APIs / wire format to handle UUIDs in raw format instead of non-canonical printable format. Guarentees data format correctness. * docs/schemas/storageencryption.rng: Make UUID mandatory for a secret and validate fully * docs/schemas/secret.rng: Fully validate UUID * include/libvirt/libvirt.h, include/libvirt/libvirt.h.in, Add virSecretLookupByUUID and virSecretGetUUID. Make virSecretGetUUIDString follow normal API design pattern * python/generator.py: Skip generation of virSecretGetUUID, virSecretGetUUIDString and virSecretLookupByUUID * python/libvir.c, python/libvirt-python-api.xml: Manual impl of virSecretGetUUID,virSecretGetUUIDString and virSecretLookupByUUID * qemud/remote.c: s/virSecretLookupByUUIDString/virSecretLookupByUUID/ Fix get_nonnull_secret/make_nonnull_secret to use unsigned char * qemud/remote_protocol.x: Fix remote_nonnull_secret to use a remote_uuid instead of remote_nonnull_string for UUID field. Rename REMOTE_PROC_SECRET_LOOKUP_BY_UUID_STRING to REMOTE_PROC_SECRET_LOOKUP_BY_UUID_STRING and make it take an remote_uuid value * qemud/remote_dispatch_args.h, qemud/remote_dispatch_prototypes.h, qemud/remote_dispatch_ret.h, qemud/remote_dispatch_table.h, qemud/remote_protocol.c, qemud/remote_protocol.h: Re-generate * src/datatypes.h, src/datatypes.c: Store UUID in raw format instead of printable. Change virGetSecret to use raw format UUID * src/driver.h: Rename virDrvSecretLookupByUUIDString to virDrvSecretLookupByUUID and use raw format UUID * src/libvirt.c: Add virSecretLookupByUUID and virSecretGetUUID and re-implement virSecretLookupByUUIDString and virSecretGetUUIDString in terms of those * src/libvirt_public.syms: Add virSecretLookupByUUID and virSecretGetUUID * src/remote_internal.c: Rename remoteSecretLookupByUUIDString to remoteSecretLookupByUUID. Fix typo in args for remoteSecretDefineXML impl. Use raw UUID format for get_nonnull_secret and make_nonnull_secret * src/storage_encryption_conf.c, src/storage_encryption_conf.h: Storage UUID in raw format, and require it to be present in XML. Use UUID parser to validate. * secret_conf.h, secret_conf.c: Generate a UUID if none is provided. Storage UUID in raw format. * src/secret_driver.c: Adjust to deal with raw UUIDs. Save secrets in a filed with printable UUID, instead of base64 UUID. * src/virsh.c: Adjust for changed public API contract of virSecretGetUUIDString. * src/storage_Backend.c: DOn't undefine secret we just generated upon successful volume creation. Fix to handle raw UUIDs. Generate a non-clashing UUID * src/qemu_driver.c: Change to use lookupByUUID instead of lookupByUUIDString
2009-09-10 17:44:12 +01:00
virStorageEncryptionPtr virStorageEncryptionParseNode(xmlNodePtr node,
xmlXPathContextPtr ctxt);
int virStorageEncryptionFormat(virBufferPtr buf,
virStorageEncryptionPtr enc);
/* A helper for VIR_STORAGE_ENCRYPTION_FORMAT_QCOW */
enum {
VIR_STORAGE_QCOW_PASSPHRASE_SIZE = 16
};
int virStorageGenerateQcowPassphrase(unsigned char *dest);