rpc: allow priority string to be passed to TLS context
Extend the virNetTLSContextNew* constructors to allow the TLS priority string to be passed in, overriding the compile time default. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
parent
cbb2e91ecc
commit
214489f550
@ -585,6 +585,7 @@ daemonSetupNetworking(virNetServerPtr srv,
|
|||||||
config->cert_file,
|
config->cert_file,
|
||||||
config->key_file,
|
config->key_file,
|
||||||
(const char *const*)config->tls_allowed_dn_list,
|
(const char *const*)config->tls_allowed_dn_list,
|
||||||
|
NULL,
|
||||||
config->tls_no_sanity_certificate ? false : true,
|
config->tls_no_sanity_certificate ? false : true,
|
||||||
config->tls_no_verify_certificate ? false : true)))
|
config->tls_no_verify_certificate ? false : true)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
@ -592,6 +593,7 @@ daemonSetupNetworking(virNetServerPtr srv,
|
|||||||
if (!(ctxt = virNetTLSContextNewServerPath(NULL,
|
if (!(ctxt = virNetTLSContextNewServerPath(NULL,
|
||||||
!privileged,
|
!privileged,
|
||||||
(const char *const*)config->tls_allowed_dn_list,
|
(const char *const*)config->tls_allowed_dn_list,
|
||||||
|
NULL,
|
||||||
config->tls_no_sanity_certificate ? false : true,
|
config->tls_no_sanity_certificate ? false : true,
|
||||||
config->tls_no_verify_certificate ? false : true)))
|
config->tls_no_verify_certificate ? false : true)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
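Review bot: Both daemonSetupNetworking call sites in this section pass a literal `NULL` as the new priority argument (the line added before `config->tls_no_sanity_certificate ? false : true,` in each hunk), and the doRemoteOpen hunk does the same, so nothing in this commit lets a deployment actually override TLS_PRIORITY. That is presumably left for a follow-up that adds a configuration setting; a sentence in the commit message saying so would make the intent clear to anyone bisecting later. daemonSetupNetworking's body starts and ends outside these hunks.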
|
@ -845,6 +845,7 @@ doRemoteOpen(virConnectPtr conn,
|
|||||||
#ifdef WITH_GNUTLS
|
#ifdef WITH_GNUTLS
|
||||||
priv->tls = virNetTLSContextNewClientPath(pkipath,
|
priv->tls = virNetTLSContextNewClientPath(pkipath,
|
||||||
geteuid() != 0 ? true : false,
|
geteuid() != 0 ? true : false,
|
||||||
|
NULL,
|
||||||
sanity, verify);
|
sanity, verify);
|
||||||
if (!priv->tls)
|
if (!priv->tls)
|
||||||
goto failed;
|
goto failed;
|
||||||
|
@ -65,6 +65,7 @@ struct _virNetTLSContext {
|
|||||||
bool isServer;
|
bool isServer;
|
||||||
bool requireValidCert;
|
bool requireValidCert;
|
||||||
const char *const*x509dnWhitelist;
|
const char *const*x509dnWhitelist;
|
||||||
|
char *priority;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct _virNetTLSSession {
|
struct _virNetTLSSession {
|
||||||
@ -696,6 +697,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
|
|||||||
const char *cert,
|
const char *cert,
|
||||||
const char *key,
|
const char *key,
|
||||||
const char *const*x509dnWhitelist,
|
const char *const*x509dnWhitelist,
|
||||||
|
const char *priority,
|
||||||
bool sanityCheckCert,
|
bool sanityCheckCert,
|
||||||
bool requireValidCert,
|
bool requireValidCert,
|
||||||
bool isServer)
|
bool isServer)
|
||||||
@ -709,6 +711,9 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
|
|||||||
if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
|
if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
|
if (VIR_STRDUP(ctxt->priority, priority) < 0)
|
||||||
|
goto error;
|
||||||
|
|
||||||
err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
|
err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
|
||||||
if (err) {
|
if (err) {
|
||||||
virReportError(VIR_ERR_SYSTEM_ERROR,
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
||||||
@ -896,6 +901,7 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
|
|||||||
static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
|
static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
|
||||||
bool tryUserPkiPath,
|
bool tryUserPkiPath,
|
||||||
const char *const*x509dnWhitelist,
|
const char *const*x509dnWhitelist,
|
||||||
|
const char *priority,
|
||||||
bool sanityCheckCert,
|
bool sanityCheckCert,
|
||||||
bool requireValidCert,
|
bool requireValidCert,
|
||||||
bool isServer)
|
bool isServer)
|
||||||
@ -908,7 +914,7 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
|
|||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
|
ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
|
||||||
x509dnWhitelist, sanityCheckCert,
|
x509dnWhitelist, priority, sanityCheckCert,
|
||||||
requireValidCert, isServer);
|
requireValidCert, isServer);
|
||||||
|
|
||||||
VIR_FREE(cacert);
|
VIR_FREE(cacert);
|
||||||
@ -922,19 +928,21 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
|
|||||||
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
|
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
|
||||||
bool tryUserPkiPath,
|
bool tryUserPkiPath,
|
||||||
const char *const*x509dnWhitelist,
|
const char *const*x509dnWhitelist,
|
||||||
|
const char *priority,
|
||||||
bool sanityCheckCert,
|
bool sanityCheckCert,
|
||||||
bool requireValidCert)
|
bool requireValidCert)
|
||||||
{
|
{
|
||||||
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist,
|
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, priority,
|
||||||
sanityCheckCert, requireValidCert, true);
|
sanityCheckCert, requireValidCert, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
|
virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
|
||||||
bool tryUserPkiPath,
|
bool tryUserPkiPath,
|
||||||
|
const char *priority,
|
||||||
bool sanityCheckCert,
|
bool sanityCheckCert,
|
||||||
bool requireValidCert)
|
bool requireValidCert)
|
||||||
{
|
{
|
||||||
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL,
|
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL, priority,
|
||||||
sanityCheckCert, requireValidCert, false);
|
sanityCheckCert, requireValidCert, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -944,10 +952,11 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
|
|||||||
const char *cert,
|
const char *cert,
|
||||||
const char *key,
|
const char *key,
|
||||||
const char *const*x509dnWhitelist,
|
const char *const*x509dnWhitelist,
|
||||||
|
const char *priority,
|
||||||
bool sanityCheckCert,
|
bool sanityCheckCert,
|
||||||
bool requireValidCert)
|
bool requireValidCert)
|
||||||
{
|
{
|
||||||
return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist,
|
return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, priority,
|
||||||
sanityCheckCert, requireValidCert, true);
|
sanityCheckCert, requireValidCert, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -956,10 +965,11 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
|
|||||||
const char *cacrl,
|
const char *cacrl,
|
||||||
const char *cert,
|
const char *cert,
|
||||||
const char *key,
|
const char *key,
|
||||||
|
const char *priority,
|
||||||
bool sanityCheckCert,
|
bool sanityCheckCert,
|
||||||
bool requireValidCert)
|
bool requireValidCert)
|
||||||
{
|
{
|
||||||
return virNetTLSContextNew(cacert, cacrl, cert, key, NULL,
|
return virNetTLSContextNew(cacert, cacrl, cert, key, NULL, priority,
|
||||||
sanityCheckCert, requireValidCert, false);
|
sanityCheckCert, requireValidCert, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1138,6 +1148,7 @@ void virNetTLSContextDispose(void *obj)
|
|||||||
PROBE(RPC_TLS_CONTEXT_DISPOSE,
|
PROBE(RPC_TLS_CONTEXT_DISPOSE,
|
||||||
"ctxt=%p", ctxt);
|
"ctxt=%p", ctxt);
|
||||||
|
|
||||||
|
VIR_FREE(ctxt->priority);
|
||||||
gnutls_dh_params_deinit(ctxt->dhParams);
|
gnutls_dh_params_deinit(ctxt->dhParams);
|
||||||
gnutls_certificate_free_credentials(ctxt->x509cred);
|
gnutls_certificate_free_credentials(ctxt->x509cred);
|
||||||
}
|
}
|
||||||
@ -1197,10 +1208,12 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
|
|||||||
/* avoid calling all the priority functions, since the defaults
|
/* avoid calling all the priority functions, since the defaults
|
||||||
* are adequate.
|
* are adequate.
|
||||||
*/
|
*/
|
||||||
if ((err = gnutls_priority_set_direct(sess->session, TLS_PRIORITY, NULL)) != 0) {
|
if ((err = gnutls_priority_set_direct(sess->session,
|
||||||
|
ctxt->priority ? ctxt->priority : TLS_PRIORITY,
|
||||||
|
NULL)) != 0) {
|
||||||
virReportError(VIR_ERR_SYSTEM_ERROR,
|
virReportError(VIR_ERR_SYSTEM_ERROR,
|
||||||
_("Failed to set TLS session priority to %s: %s"),
|
_("Failed to set TLS session priority to %s: %s"),
|
||||||
TLS_PRIORITY, gnutls_strerror(err));
|
ctxt->priority ? ctxt->priority : TLS_PRIORITY, gnutls_strerror(err));
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
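Review bot: The priority string copied by `VIR_STRDUP(ctxt->priority, priority)` in the virNetTLSContextNew hunk is never checked until `gnutls_priority_set_direct` runs in virNetTLSSessionNew, so a mistyped operator-supplied string only surfaces when the first client connects, and because `NULL` is passed as the err_pos argument the report cannot say where parsing failed. Parsing it once in the constructor with gnutls_priority_init()/gnutls_priority_deinit() makes a bad value fail at context creation and names the offending position; the rewrite below goes immediately after the VIR_STRDUP and reuses the hunk's existing `err` variable and `error:` label. The comment in the virNetTLSSessionNew hunk, `/* avoid calling all the priority functions, since the defaults are adequate. */`, is now stale since the priority is configurable, and the twice-repeated `ctxt->priority ? ctxt->priority : TLS_PRIORITY` could be hoisted into one local. Both functions start and end outside their hunks.
```c
    if (VIR_STRDUP(ctxt->priority, priority) < 0)
        goto error;

    /* Parse a caller-supplied priority string up front so a bad value is
     * reported when the context is built, not on the first connection. */
    if (ctxt->priority) {
        gnutls_priority_t pcache;
        const char *errpos = NULL;

        if ((err = gnutls_priority_init(&pcache, ctxt->priority, &errpos)) != 0) {
            virReportError(VIR_ERR_SYSTEM_ERROR,
                           _("Invalid TLS priority string %s at '%s': %s"),
                           ctxt->priority, errpos ? errpos : "",
                           gnutls_strerror(err));
            goto error;
        }
        gnutls_priority_deinit(pcache);
    }

    /* … unchanged: x509 credential allocation … */
```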
|
@ -36,11 +36,13 @@ void virNetTLSInit(void);
|
|||||||
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
|
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
|
||||||
bool tryUserPkiPath,
|
bool tryUserPkiPath,
|
||||||
const char *const*x509dnWhitelist,
|
const char *const*x509dnWhitelist,
|
||||||
|
const char *priority,
|
||||||
bool sanityCheckCert,
|
bool sanityCheckCert,
|
||||||
bool requireValidCert);
|
bool requireValidCert);
|
||||||
|
|
||||||
virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
|
virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
|
||||||
bool tryUserPkiPath,
|
bool tryUserPkiPath,
|
||||||
|
const char *priority,
|
||||||
bool sanityCheckCert,
|
bool sanityCheckCert,
|
||||||
bool requireValidCert);
|
bool requireValidCert);
|
||||||
|
|
||||||
@ -49,6 +51,7 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
|
|||||||
const char *cert,
|
const char *cert,
|
||||||
const char *key,
|
const char *key,
|
||||||
const char *const*x509dnWhitelist,
|
const char *const*x509dnWhitelist,
|
||||||
|
const char *priority,
|
||||||
bool sanityCheckCert,
|
bool sanityCheckCert,
|
||||||
bool requireValidCert);
|
bool requireValidCert);
|
||||||
|
|
||||||
@ -56,6 +59,7 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
|
|||||||
const char *cacrl,
|
const char *cacrl,
|
||||||
const char *cert,
|
const char *cert,
|
||||||
const char *key,
|
const char *key,
|
||||||
|
const char *priority,
|
||||||
bool sanityCheckCert,
|
bool sanityCheckCert,
|
||||||
bool requireValidCert);
|
bool requireValidCert);
|
||||||
|
|
||||||
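Review bot: The four new `const char *priority` parameters declared in this header carry no documentation of their contract: judging from the .c side, the string is copied with VIR_STRDUP, `NULL` falls back to the compile-time TLS_PRIORITY, and an invalid string is only rejected later when a session is created. A comment on each declaration along the lines of `/* priority: GnuTLS priority string, or NULL for the built-in default */` would spare callers reading the implementation to learn this. The surrounding declarations in the header are unchanged by these hunks.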
|
@ -72,6 +72,7 @@ static int testTLSContextInit(const void *opaque)
|
|||||||
data->crt,
|
data->crt,
|
||||||
KEYFILE,
|
KEYFILE,
|
||||||
NULL,
|
NULL,
|
||||||
|
NULL,
|
||||||
true,
|
true,
|
||||||
true);
|
true);
|
||||||
} else {
|
} else {
|
||||||
@ -79,6 +80,7 @@ static int testTLSContextInit(const void *opaque)
|
|||||||
NULL,
|
NULL,
|
||||||
data->crt,
|
data->crt,
|
||||||
KEYFILE,
|
KEYFILE,
|
||||||
|
NULL,
|
||||||
true,
|
true,
|
||||||
true);
|
true);
|
||||||
}
|
}
|
||||||
|
@ -113,6 +113,7 @@ static int testTLSSessionInit(const void *opaque)
|
|||||||
data->servercrt,
|
data->servercrt,
|
||||||
KEYFILE,
|
KEYFILE,
|
||||||
data->wildcards,
|
data->wildcards,
|
||||||
|
NULL,
|
||||||
false,
|
false,
|
||||||
true);
|
true);
|
||||||
|
|
||||||
@ -120,6 +121,7 @@ static int testTLSSessionInit(const void *opaque)
|
|||||||
NULL,
|
NULL,
|
||||||
data->clientcrt,
|
data->clientcrt,
|
||||||
KEYFILE,
|
KEYFILE,
|
||||||
|
NULL,
|
||||||
false,
|
false,
|
||||||
true);
|
true);
|
||||||
|
|
||||||
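Review bot: Every updated call in testTLSContextInit and testTLSSessionInit passes `NULL` for the new priority argument, so the only new code path these tests appear to exercise is the VIR_STRDUP of a NULL pointer; nothing checks that a non-NULL string actually reaches gnutls_priority_set_direct or that a malformed one is rejected. Adding one context-init case with an explicit priority string, and one with an invalid string expected to fail, would cover the behaviour this commit introduces. Both test functions start and end outside these hunks.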
|