virnetserver: Introduce virNetServerUpdateTlsFiles

Add an API to update server's tls context.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhang Bo <oscar.zhangbo@huawei.com>
Signed-off-by: Wu Qingliang <wuqingliang4@huawei.com>
This commit is contained in:
Zhang Bo 2020-03-07 19:31:00 +08:00 committed by Daniel P. Berrangé
parent e81fce5fd0
commit 15d280fa97
5 changed files with 102 additions and 0 deletions

View File

@ -137,6 +137,7 @@ virNetServerSetClientLimits;
virNetServerSetThreadPoolParameters; virNetServerSetThreadPoolParameters;
virNetServerSetTLSContext; virNetServerSetTLSContext;
virNetServerUpdateServices; virNetServerUpdateServices;
virNetServerUpdateTlsFiles;
# rpc/virnetserverclient.h # rpc/virnetserverclient.h

View File

@ -28,6 +28,7 @@
#include "virthread.h" #include "virthread.h"
#include "virthreadpool.h" #include "virthreadpool.h"
#include "virstring.h" #include "virstring.h"
#include "virutil.h"
#define VIR_FROM_THIS VIR_FROM_RPC #define VIR_FROM_THIS VIR_FROM_RPC
@ -1205,3 +1206,52 @@ virNetServerSetClientLimits(virNetServerPtr srv,
virObjectUnlock(srv); virObjectUnlock(srv);
return ret; return ret;
} }
static virNetTLSContextPtr
virNetServerGetTLSContext(virNetServerPtr srv)
{
size_t i;
virNetTLSContextPtr ctxt = NULL;
virNetServerServicePtr svc = NULL;
/* find svcTLS from srv, get svcTLS->tls */
for (i = 0; i < srv->nservices; i++) {
svc = srv->services[i];
ctxt = virNetServerServiceGetTLSContext(svc);
if (ctxt != NULL)
break;
}
return ctxt;
}
int
virNetServerUpdateTlsFiles(virNetServerPtr srv)
{
int ret = -1;
virNetTLSContextPtr ctxt = NULL;
bool privileged = geteuid() == 0 ? true : false;
ctxt = virNetServerGetTLSContext(srv);
if (!ctxt) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("no tls service found, unable to update tls files"));
return -1;
}
virObjectLock(srv);
virObjectLock(ctxt);
if (virNetTLSContextReloadForServer(ctxt, !privileged)) {
VIR_DEBUG("failed to reload server's tls context");
goto cleanup;
}
VIR_DEBUG("update tls files success");
ret = 0;
cleanup:
virObjectUnlock(ctxt);
virObjectUnlock(srv);
return ret;
}

View File

@ -133,3 +133,5 @@ size_t virNetServerGetCurrentUnauthClients(virNetServerPtr srv);
int virNetServerSetClientLimits(virNetServerPtr srv, int virNetServerSetClientLimits(virNetServerPtr srv,
long long int maxClients, long long int maxClients,
long long int maxClientsUnauth); long long int maxClientsUnauth);
int virNetServerUpdateTlsFiles(virNetServerPtr srv);

View File

@ -919,6 +919,52 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
} }
int virNetTLSContextReloadForServer(virNetTLSContextPtr ctxt,
bool tryUserPkiPath)
{
gnutls_certificate_credentials_t x509credBak;
int err;
char *cacert = NULL;
char *cacrl = NULL;
char *cert = NULL;
char *key = NULL;
x509credBak = ctxt->x509cred;
ctxt->x509cred = NULL;
if (virNetTLSContextLocateCredentials(NULL, tryUserPkiPath, true,
&cacert, &cacrl, &cert, &key))
goto error;
err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
if (err) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Unable to allocate x509 credentials: %s"),
gnutls_strerror(err));
goto error;
}
if (virNetTLSContextSanityCheckCredentials(true, cacert, cert))
goto error;
if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, key))
goto error;
gnutls_certificate_set_dh_params(ctxt->x509cred,
ctxt->dhParams);
gnutls_certificate_free_credentials(x509credBak);
return 0;
error:
if (ctxt->x509cred)
gnutls_certificate_free_credentials(ctxt->x509cred);
ctxt->x509cred = x509credBak;
return -1;
}
virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert, virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
const char *cacrl, const char *cacrl,
const char *cert, const char *cert,

View File

@ -62,6 +62,9 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
bool sanityCheckCert, bool sanityCheckCert,
bool requireValidCert); bool requireValidCert);
int virNetTLSContextReloadForServer(virNetTLSContextPtr ctxt,
bool tryUserPkiPath);
int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt, int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt,
virNetTLSSessionPtr sess); virNetTLSSessionPtr sess);