From 214489f550b95e4accf55896afb39a45be1175df Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Fri, 3 Jun 2016 17:44:55 +0100 Subject: [PATCH] rpc: allow priority string to be passed to TLS context Extend the virNetTLSContextNew* constructors to allow the TLS priority string to be passed in, overriding the compile time default. Signed-off-by: Daniel P. Berrange --- daemon/libvirtd.c | 2 ++ src/remote/remote_driver.c | 1 + src/rpc/virnettlscontext.c | 27 ++++++++++++++++++++------- src/rpc/virnettlscontext.h | 4 ++++ tests/virnettlscontexttest.c | 2 ++ tests/virnettlssessiontest.c | 2 ++ 6 files changed, 31 insertions(+), 7 deletions(-) diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c index 5617e42afa..b844af46d8 100644 --- a/daemon/libvirtd.c +++ b/daemon/libvirtd.c @@ -585,6 +585,7 @@ daemonSetupNetworking(virNetServerPtr srv, config->cert_file, config->key_file, (const char *const*)config->tls_allowed_dn_list, + NULL, config->tls_no_sanity_certificate ? false : true, config->tls_no_verify_certificate ? false : true))) goto cleanup; @@ -592,6 +593,7 @@ daemonSetupNetworking(virNetServerPtr srv, if (!(ctxt = virNetTLSContextNewServerPath(NULL, !privileged, (const char *const*)config->tls_allowed_dn_list, + NULL, config->tls_no_sanity_certificate ? false : true, config->tls_no_verify_certificate ? false : true))) goto cleanup; diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index e3cf5fbead..219cf478ca 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -845,6 +845,7 @@ doRemoteOpen(virConnectPtr conn, #ifdef WITH_GNUTLS priv->tls = virNetTLSContextNewClientPath(pkipath, geteuid() != 0 ? true : false, + NULL, sanity, verify); if (!priv->tls) goto failed; diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index dd22630de6..847d457611 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c 
@@ -65,6 +65,7 @@ struct _virNetTLSContext { bool isServer; bool requireValidCert; const char *const*x509dnWhitelist; + char *priority; }; struct _virNetTLSSession { @@ -696,6 +697,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert, const char *cert, const char *key, const char *const*x509dnWhitelist, + const char *priority, bool sanityCheckCert, bool requireValidCert, bool isServer) @@ -709,6 +711,9 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert, if (!(ctxt = virObjectLockableNew(virNetTLSContextClass))) return NULL; + if (VIR_STRDUP(ctxt->priority, priority) < 0) + goto error; + err = gnutls_certificate_allocate_credentials(&ctxt->x509cred); if (err) { virReportError(VIR_ERR_SYSTEM_ERROR, @@ -896,6 +901,7 @@ static int virNetTLSContextLocateCredentials(const char *pkipath, static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath, bool tryUserPkiPath, const char *const*x509dnWhitelist, + const char *priority, bool sanityCheckCert, bool requireValidCert, bool isServer) @@ -908,7 +914,7 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath, return NULL; ctxt = virNetTLSContextNew(cacert, cacrl, cert, key, - x509dnWhitelist, sanityCheckCert, + x509dnWhitelist, priority, sanityCheckCert, requireValidCert, isServer); VIR_FREE(cacert); 
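Review bot: In the @@ -709 hunk the priority string is copied with VIR_STRDUP but never parsed, so a malformed value is only discovered by the gnutls_priority_set_direct() call in virNetTLSSessionNew, per session and after the connection has been accepted, rather than when the context is built. Running the string through gnutls_priority_init()/gnutls_priority_deinit() once, right after the strdup, would reject a bad configuration at startup and make the err_pos offset available for the error message. virNetTLSContextNew's body continues past the hunk and the `error` label it jumps to is outside it; I am assuming that label unrefs ctxt and so reaches the VIR_FREE(ctxt->priority) added in virNetTLSContextDispose.
```c
    if (VIR_STRDUP(ctxt->priority, priority) < 0)
        goto error;

    /* Reject a malformed priority string now rather than on every session */
    if (ctxt->priority) {
        gnutls_priority_t pcache = NULL;
        const char *errpos = NULL;
        err = gnutls_priority_init(&pcache, ctxt->priority, &errpos);
        if (err) {
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Invalid TLS priority string '%s' near '%s': %s"),
                           ctxt->priority, errpos ? errpos : "",
                           gnutls_strerror(err));
            goto error;
        }
        gnutls_priority_deinit(pcache);
    }

    /* … unchanged: gnutls_certificate_allocate_credentials and the rest of the constructor … */
```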
@@ -922,19 +928,21 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath, virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath, bool tryUserPkiPath, const char *const*x509dnWhitelist, + const char *priority, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, + return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, priority, sanityCheckCert, requireValidCert, true); } virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath, bool tryUserPkiPath, + const char *priority, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL, + return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL, priority, sanityCheckCert, requireValidCert, false); } @@ -944,10 +952,11 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert, const char *cert, const char *key, const char *const*x509dnWhitelist, + const char *priority, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, + return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, priority, sanityCheckCert, requireValidCert, true); } @@ -956,10 +965,11 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert, const char *cacrl, const char *cert, const char *key, + const char *priority, bool sanityCheckCert, bool requireValidCert) { - return virNetTLSContextNew(cacert, cacrl, cert, key, NULL, + return virNetTLSContextNew(cacert, cacrl, cert, key, NULL, priority, sanityCheckCert, requireValidCert, false); } @@ -1138,6 +1148,7 @@ void virNetTLSContextDispose(void *obj) PROBE(RPC_TLS_CONTEXT_DISPOSE, "ctxt=%p", ctxt); + VIR_FREE(ctxt->priority); gnutls_dh_params_deinit(ctxt->dhParams); gnutls_certificate_free_credentials(ctxt->x509cred); } 
@@ -1197,10 +1208,12 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt, /* avoid calling all the priority functions, since the defaults * are adequate. */ - if ((err = gnutls_priority_set_direct(sess->session, TLS_PRIORITY, NULL)) != 0) { + if ((err = gnutls_priority_set_direct(sess->session, + ctxt->priority ? ctxt->priority : TLS_PRIORITY, + NULL)) != 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("Failed to set TLS session priority to %s: %s"), - TLS_PRIORITY, gnutls_strerror(err)); + ctxt->priority ? ctxt->priority : TLS_PRIORITY, gnutls_strerror(err)); goto error; } diff --git a/src/rpc/virnettlscontext.h b/src/rpc/virnettlscontext.h index 21539adb99..6100b45c39 100644 --- a/src/rpc/virnettlscontext.h +++ b/src/rpc/virnettlscontext.h @@ -36,11 +36,13 @@ void virNetTLSInit(void); virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath, bool tryUserPkiPath, const char *const*x509dnWhitelist, + const char *priority, bool sanityCheckCert, bool requireValidCert); virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath, bool tryUserPkiPath, + const char *priority, bool sanityCheckCert, bool requireValidCert); @@ -49,6 +51,7 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert, const char *cert, const char *key, const char *const*x509dnWhitelist, + const char *priority, bool sanityCheckCert, bool requireValidCert); @@ -56,6 +59,7 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert, const char *cacrl, const char *cert, const char *key, + const char *priority, bool sanityCheckCert, bool requireValidCert); diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c index d33b896327..42c8b0cc12 100644 --- a/tests/virnettlscontexttest.c +++ b/tests/virnettlscontexttest.c @@ -72,6 +72,7 @@ static int testTLSContextInit(const void *opaque) data->crt, KEYFILE, NULL, + NULL, true, true); } else { 
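Review bot: The comment kept above the call, `/* avoid calling all the priority functions, since the defaults are adequate. */`, is now misleading because this hunk makes the priority configurable; reword it to `/* Apply the caller-supplied priority string, falling back to the compile-time TLS_PRIORITY default. */`. The expression `ctxt->priority ? ctxt->priority : TLS_PRIORITY` is also written twice, once for the call and once for the error message; hoisting it into `const char *priority = ctxt->priority ? ctxt->priority : TLS_PRIORITY;` before the call keeps the two in step. Since the string can now come from outside the build, passing an `err_pos` pointer instead of the NULL third argument and printing it in the message would tell the operator where parsing stopped. virNetTLSSessionNew begins and ends outside the hunk.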
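Review bot: The new `priority` parameter on virNetTLSContextNewServerPath and virNetTLSContextNewClientPath in this hunk, and on virNetTLSContextNewServer and virNetTLSContextNewClient in the next two, is undocumented, and its contract is not obvious from the header: in virnettlscontext.c a non-NULL value is substituted for the compile-time TLS_PRIORITY default as a whole, not appended to it, so a caller must supply a complete GnuTLS priority policy and can weaken the default by passing a looser one. A one-line comment on each declaration, `/* priority: GnuTLS priority string that replaces the built-in default, or NULL to keep the default */`, would record that where callers look.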
@@ -79,6 +80,7 @@ static int testTLSContextInit(const void *opaque) NULL, data->crt, KEYFILE, + NULL, true, true); } diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c index 3af948a9cd..8b79a1e834 100644 --- a/tests/virnettlssessiontest.c +++ b/tests/virnettlssessiontest.c @@ -113,6 +113,7 @@ static int testTLSSessionInit(const void *opaque) data->servercrt, KEYFILE, data->wildcards, + NULL, false, true); @@ -120,6 +121,7 @@ static int testTLSSessionInit(const void *opaque) NULL, data->clientcrt, KEYFILE, + NULL, false, true);