qemuDomainSecretAESSetup: Split out lookup of secret data
Split out the lookup of the secret from the secret driver into qemuDomainSecretAESSetupFromSecret so that we can also instantiate secret objects in qemu with data from other sources. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
parent
bad8637892
commit
88663e59ef
@ -1514,37 +1514,28 @@ qemuDomainSecretPlainSetup(qemuDomainSecretInfoPtr secinfo,
|
|||||||
|
|
||||||
/* qemuDomainSecretAESSetup:
|
/* qemuDomainSecretAESSetup:
|
||||||
* @priv: pointer to domain private object
|
* @priv: pointer to domain private object
|
||||||
* @secinfo: Pointer to secret info
|
* @alias: alias of the secret
|
||||||
* @srcalias: Alias of the disk/hostdev used to generate the secret alias
|
* @username: username to use (may be NULL)
|
||||||
* @usageType: The virSecretUsageType
|
* @secret: secret data
|
||||||
* @username: username to use for authentication (may be NULL)
|
* @secretlen: length of @secret
|
||||||
* @seclookupdef: Pointer to seclookupdef data
|
|
||||||
* @isLuks: True/False for is for luks (alias generation)
|
|
||||||
*
|
*
|
||||||
* Encrypts a secret looked up via @seclookupdef for use with qemu.
|
* Encrypts @secret for use with qemu.
|
||||||
*
|
*
|
||||||
* Returns qemuDomainSecretInfoPtr filled with the necessary information.
|
* Returns qemuDomainSecretInfoPtr filled with the necessary information.
|
||||||
*/
|
*/
|
||||||
static qemuDomainSecretInfoPtr
|
static qemuDomainSecretInfoPtr
|
||||||
qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
|
qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
|
||||||
const char *srcalias,
|
const char *alias,
|
||||||
virSecretUsageType usageType,
|
|
||||||
const char *username,
|
const char *username,
|
||||||
virSecretLookupTypeDefPtr seclookupdef,
|
uint8_t *secret,
|
||||||
bool isLuks)
|
size_t secretlen)
|
||||||
{
|
{
|
||||||
g_autoptr(qemuDomainSecretInfo) secinfo = NULL;
|
g_autoptr(qemuDomainSecretInfo) secinfo = NULL;
|
||||||
g_autoptr(virConnect) conn = virGetConnectSecret();
|
|
||||||
g_autofree uint8_t *raw_iv = NULL;
|
g_autofree uint8_t *raw_iv = NULL;
|
||||||
size_t ivlen = QEMU_DOMAIN_AES_IV_LEN;
|
size_t ivlen = QEMU_DOMAIN_AES_IV_LEN;
|
||||||
uint8_t *secret = NULL;
|
|
||||||
size_t secretlen = 0;
|
|
||||||
g_autofree uint8_t *ciphertext = NULL;
|
g_autofree uint8_t *ciphertext = NULL;
|
||||||
size_t ciphertextlen = 0;
|
size_t ciphertextlen = 0;
|
||||||
|
|
||||||
if (!conn)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
if (!qemuDomainSupportsEncryptedSecret(priv)) {
|
if (!qemuDomainSupportsEncryptedSecret(priv)) {
|
||||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||||
_("encrypted secrets are not supported"));
|
_("encrypted secrets are not supported"));
|
||||||
@ -1554,11 +1545,9 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
|
|||||||
secinfo = g_new0(qemuDomainSecretInfo, 1);
|
secinfo = g_new0(qemuDomainSecretInfo, 1);
|
||||||
|
|
||||||
secinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES;
|
secinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES;
|
||||||
|
secinfo->s.aes.alias = g_strdup(alias);
|
||||||
secinfo->s.aes.username = g_strdup(username);
|
secinfo->s.aes.username = g_strdup(username);
|
||||||
|
|
||||||
if (!(secinfo->s.aes.alias = qemuDomainGetSecretAESAlias(srcalias, isLuks)))
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
raw_iv = g_new0(uint8_t, ivlen);
|
raw_iv = g_new0(uint8_t, ivlen);
|
||||||
|
|
||||||
/* Create a random initialization vector */
|
/* Create a random initialization vector */
|
||||||
@ -1568,29 +1557,61 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
|
|||||||
/* Encode the IV and save that since qemu will need it */
|
/* Encode the IV and save that since qemu will need it */
|
||||||
secinfo->s.aes.iv = g_base64_encode(raw_iv, ivlen);
|
secinfo->s.aes.iv = g_base64_encode(raw_iv, ivlen);
|
||||||
|
|
||||||
/* Grab the unencoded secret */
|
|
||||||
if (virSecretGetSecretString(conn, seclookupdef, usageType,
|
|
||||||
&secret, &secretlen) < 0)
|
|
||||||
goto error;
|
|
||||||
|
|
||||||
if (virCryptoEncryptData(VIR_CRYPTO_CIPHER_AES256CBC,
|
if (virCryptoEncryptData(VIR_CRYPTO_CIPHER_AES256CBC,
|
||||||
priv->masterKey, QEMU_DOMAIN_MASTER_KEY_LEN,
|
priv->masterKey, QEMU_DOMAIN_MASTER_KEY_LEN,
|
||||||
raw_iv, ivlen, secret, secretlen,
|
raw_iv, ivlen, secret, secretlen,
|
||||||
&ciphertext, &ciphertextlen) < 0)
|
&ciphertext, &ciphertextlen) < 0)
|
||||||
goto error;
|
return NULL;
|
||||||
|
|
||||||
/* Clear out the secret */
|
|
||||||
memset(secret, 0, secretlen);
|
|
||||||
|
|
||||||
/* Now encode the ciphertext and store to be passed to qemu */
|
/* Now encode the ciphertext and store to be passed to qemu */
|
||||||
secinfo->s.aes.ciphertext = g_base64_encode(ciphertext,
|
secinfo->s.aes.ciphertext = g_base64_encode(ciphertext,
|
||||||
ciphertextlen);
|
ciphertextlen);
|
||||||
|
|
||||||
return g_steal_pointer(&secinfo);
|
return g_steal_pointer(&secinfo);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* qemuDomainSecretAESSetupFromSecret:
|
||||||
|
* @priv: pointer to domain private object
|
||||||
|
* @srcalias: Alias of the disk/hostdev used to generate the secret alias
|
||||||
|
* @usageType: The virSecretUsageType
|
||||||
|
* @username: username to use for authentication (may be NULL)
|
||||||
|
* @seclookupdef: Pointer to seclookupdef data
|
||||||
|
* @isLuks: True/False for is for luks (alias generation)
|
||||||
|
*
|
||||||
|
* Looks up a secret in the secret driver based on @usageType and @seclookupdef
|
||||||
|
* and builds qemuDomainSecretInfoPtr from it.
|
||||||
|
*/
|
||||||
|
static qemuDomainSecretInfoPtr
|
||||||
|
qemuDomainSecretAESSetupFromSecret(qemuDomainObjPrivatePtr priv,
|
||||||
|
const char *srcalias,
|
||||||
|
virSecretUsageType usageType,
|
||||||
|
const char *username,
|
||||||
|
virSecretLookupTypeDefPtr seclookupdef,
|
||||||
|
bool isLuks)
|
||||||
|
{
|
||||||
|
g_autoptr(virConnect) conn = virGetConnectSecret();
|
||||||
|
qemuDomainSecretInfoPtr secinfo;
|
||||||
|
g_autofree char *alias = NULL;
|
||||||
|
uint8_t *secret = NULL;
|
||||||
|
size_t secretlen = 0;
|
||||||
|
|
||||||
|
if (!conn)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
if (!(alias = qemuDomainGetSecretAESAlias(srcalias, isLuks)))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
if (virSecretGetSecretString(conn, seclookupdef, usageType,
|
||||||
|
&secret, &secretlen) < 0)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
secinfo = qemuDomainSecretAESSetup(priv, alias, username, secret, secretlen);
|
||||||
|
|
||||||
error:
|
|
||||||
VIR_DISPOSE_N(secret, secretlen);
|
VIR_DISPOSE_N(secret, secretlen);
|
||||||
return NULL;
|
|
||||||
|
return secinfo;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -1662,8 +1683,8 @@ qemuDomainSecretInfoNew(qemuDomainObjPrivatePtr priv,
|
|||||||
virSecretLookupTypeDefPtr lookupDef,
|
virSecretLookupTypeDefPtr lookupDef,
|
||||||
bool isLuks)
|
bool isLuks)
|
||||||
{
|
{
|
||||||
return qemuDomainSecretAESSetup(priv, srcAlias, usageType, username,
|
return qemuDomainSecretAESSetupFromSecret(priv, srcAlias, usageType, username,
|
||||||
lookupDef, isLuks);
|
lookupDef, isLuks);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
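Review bot: The refactored qemuDomainSecretAESSetup no longer wipes the plaintext it is handed — the `memset(secret, 0, secretlen)` and the `error:` path's `VIR_DISPOSE_N(secret, secretlen)` are dropped in this section's third hunk, and clearing now happens only in qemuDomainSecretAESSetupFromSecret via the `VIR_DISPOSE_N` that survives after the call. Since the stated purpose of the split is to feed this function secret bytes from other sources, that ownership rule should be stated on the function itself rather than left implicit: in the header comment in the first hunk, change `* @secret: secret data` to `* @secret: secret data (read only; caller keeps ownership and must securely dispose of it after the call)`, and, if virCryptoEncryptData's prototype permits, declare the parameter `const uint8_t *secret,` so the compiler records that the callee neither modifies nor clears it. The new qemuDomainSecretAESSetupFromSecret comment also has no return description; adding ` * Returns qemuDomainSecretInfoPtr filled with the necessary information, or NULL on error.` would match the sibling comment directly above it. qemuDomainSecretAESSetup's definition is spread across the first three hunks of this section.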