diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c index 4f1e3b7bad..d7583e7399 100644 --- a/src/qemu/qemu_backup.c +++ b/src/qemu/qemu_backup.c @@ -723,7 +723,7 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm, if (qemuBuildSecretInfoProps(secinfo, tlsSecretProps) < 0) return -1; - tlsKeySecretAlias = secinfo->s.aes.alias; + tlsKeySecretAlias = secinfo->alias; } if (qemuBuildTLSx509BackendProps(cfg->backupTLSx509certdir, true, diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index 0bc92f6a23..393d3f44d7 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -746,12 +746,12 @@ qemuBlockStorageSourceGetCURLProps(virStorageSource *src, if (!onlytarget) { if (src->auth) { username = src->auth->username; - passwordalias = srcPriv->secinfo->s.aes.alias; + passwordalias = srcPriv->secinfo->alias; } if (srcPriv && srcPriv->httpcookie) - cookiealias = srcPriv->httpcookie->s.aes.alias; + cookiealias = srcPriv->httpcookie->alias; } else { /* format target string along with cookies */ cookiestr = qemuBlockStorageSourceGetCookieString(src); @@ -819,7 +819,7 @@ qemuBlockStorageSourceGetISCSIProps(virStorageSource *src, if (!onlytarget && src->auth) { username = src->auth->username; - objalias = srcPriv->secinfo->s.aes.alias; + objalias = srcPriv->secinfo->alias; } ignore_value(virJSONValueObjectCreate(&ret, @@ -885,8 +885,8 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src, return NULL; if (!onlytarget && src->auth) { - username = srcPriv->secinfo->s.aes.username; - keysecret = srcPriv->secinfo->s.aes.alias; + username = srcPriv->secinfo->username; + keysecret = srcPriv->secinfo->alias; /* the auth modes are modelled after our old command line generator */ authmodes = virJSONValueNewArray(); 
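Review bot: In qemuBlockStorageSourceGetCURLProps the `if (src->auth)` branch dereferences `srcPriv->secinfo->alias` with no check on `srcPriv` or `secinfo`, while the statement immediately after it guards the cookie lookup with `srcPriv && srcPriv->httpcookie`. The commit only renames the field, but the inconsistency is in the resulting code: either `srcPriv` and its `secinfo` are guaranteed whenever `src->auth` is set (then the cookie guard is redundant) or the auth branch needs the same protection, e.g. `if (src->auth && srcPriv && srcPriv->secinfo) {`. The same unguarded `srcPriv->secinfo->alias` read recurs in the iSCSI and RBD props builders later in this file. The function starts outside the hunk, so an earlier guarantee about `srcPriv` may exist there that I cannot see.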
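Review bot: qemuBlockStorageSourceGetRBDProps reads `srcPriv->secinfo->username` and `srcPriv->secinfo->alias` whenever `src->auth` is set, with no NULL check on `srcPriv` or `secinfo`, whereas the legacy path in qemuBuildRBDSecinfoURI (qemu_command.c in this same patch) treats a NULL secinfo as the valid `auth_supported=none` case. If an auth block without a prepared secinfo can reach this function — I cannot tell from the hunk whether callers rule that out — the result is a NULL dereference rather than a clean error. Either a guard such as `if (!onlytarget && src->auth && srcPriv && srcPriv->secinfo) {` or an explicit `virReportError` for the missing-secret case would make the contract visible. The function body begins and continues outside the hunk.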
@@ -1267,7 +1267,7 @@ qemuBlockStorageSourceGetFormatLUKSProps(virStorageSource *src, { qemuDomainStorageSourcePrivate *srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src); - if (!srcPriv || !srcPriv->encinfo || !srcPriv->encinfo->s.aes.alias) { + if (!srcPriv || !srcPriv->encinfo || !srcPriv->encinfo->alias) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("missing secret info for 'luks' driver")); return -1; @@ -1275,7 +1275,7 @@ qemuBlockStorageSourceGetFormatLUKSProps(virStorageSource *src, if (virJSONValueObjectAdd(props, "s:driver", "luks", - "s:key-secret", srcPriv->encinfo->s.aes.alias, + "s:key-secret", srcPriv->encinfo->alias, NULL) < 0) return -1; @@ -1313,14 +1313,9 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src, *encprops = NULL; - /* qemu requires encrypted secrets regardless of encryption method used when - * passed using the blockdev infrastructure, thus only - * VIR_DOMAIN_SECRET_INFO_TYPE_AES works here. The correct type needs to be - * instantiated elsewhere. */ if (!src->encryption || !srcpriv || - !srcpriv->encinfo || - srcpriv->encinfo->type != VIR_DOMAIN_SECRET_INFO_TYPE_AES) + !srcpriv->encinfo) return 0; switch ((virStorageEncryptionFormatType) src->encryption->format) { @@ -1342,7 +1337,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src, return virJSONValueObjectCreate(encprops, "s:format", encformat, - "s:key-secret", srcpriv->encinfo->s.aes.alias, + "s:key-secret", srcpriv->encinfo->alias, NULL); } 
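Review bot: qemuBlockStorageSourceGetCryptoProps now returns 0 with `*encprops = NULL` whenever `srcpriv->encinfo` is absent even though `src->encryption` is set, and it later hands `srcpriv->encinfo->alias` to `s:key-secret` without checking the alias itself. The LUKS format helper two hunks earlier in this file handles the same situation with `virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("missing secret info for 'luks' driver"))` and also rejects a NULL alias, so the two paths disagree on whether a missing secret for an encrypted source is an error or silently yields unencrypted props. Unless the silent path is relied on by a caller that instantiates the secret later (the removed comment's "needs to be instantiated elsewhere" hints at that), aligning on the reporting variant, `if (!srcpriv || !srcpriv->encinfo || !srcpriv->encinfo->alias) { virReportError(...); return -1; }`, gives a qemu-side open failure a clearer cause. The function's opening lines are outside the hunk.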
@@ -1906,17 +1901,17 @@ qemuBlockStorageSourceDetachPrepare(virStorageSource *src, data->tlsAlias = g_strdup(src->tlsAlias); if (srcpriv) { - if (srcpriv->secinfo && srcpriv->secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) - data->authsecretAlias = g_strdup(srcpriv->secinfo->s.aes.alias); + if (srcpriv->secinfo) + data->authsecretAlias = g_strdup(srcpriv->secinfo->alias); - if (srcpriv->encinfo && srcpriv->encinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) - data->encryptsecretAlias = g_strdup(srcpriv->encinfo->s.aes.alias); + if (srcpriv->encinfo) + data->encryptsecretAlias = g_strdup(srcpriv->encinfo->alias); if (srcpriv->httpcookie) - data->httpcookiesecretAlias = g_strdup(srcpriv->httpcookie->s.aes.alias); + data->httpcookiesecretAlias = g_strdup(srcpriv->httpcookie->alias); if (srcpriv->tlsKeySecret) - data->tlsKeySecretAlias = g_strdup(srcpriv->tlsKeySecret->s.aes.alias); + data->tlsKeySecretAlias = g_strdup(srcpriv->tlsKeySecret->alias); } return g_steal_pointer(&data); @@ -2319,9 +2314,8 @@ qemuBlockStorageSourceCreateGetEncryptionLUKS(virStorageSource *src, const char *keysecret = NULL; if (srcpriv && - srcpriv->encinfo && - srcpriv->encinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) - keysecret = srcpriv->encinfo->s.aes.alias; + srcpriv->encinfo) + keysecret = srcpriv->encinfo->alias; if (virJSONValueObjectCreate(&props, "s:key-secret", keysecret, diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 0b87719f75..5b738b230e 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -707,9 +707,9 @@ qemuBuildSecretInfoProps(qemuDomainSecretInfo *secinfo, return -1; return qemuMonitorCreateObjectProps(propsret, "secret", - secinfo->s.aes.alias, "s:data", - secinfo->s.aes.ciphertext, "s:keyid", - keyid, "s:iv", secinfo->s.aes.iv, + secinfo->alias, "s:data", + secinfo->ciphertext, "s:keyid", + keyid, "s:iv", secinfo->iv, "s:format", "base64", NULL); } 
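Review bot: qemuBuildSecretInfoProps passes `secinfo->ciphertext` and `secinfo->iv` as `s:` arguments, so it relies on the secinfo having been produced by qemuDomainSecretAESSetup; a secinfo created by qemuStorageSourcePrivateDataAssignSecinfo (alias only, elsewhere in this patch) or the alias-only fakes in qemublocktest would presumably fail inside the JSON builder with a generic null-argument error if `s:` rejects NULL as it does elsewhere in libvirt. With the type tag gone there is no longer anything in the struct advertising that distinction, so the precondition deserves a comment on the function, e.g. `/* secinfo must carry iv/ciphertext from qemuDomainSecretAESSetup; alias-only secinfos restored from private XML cannot be turned into a qemu object */`. The function's signature and start are outside the hunk.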
@@ -763,20 +763,11 @@ static int qemuBuildRBDSecinfoURI(virBuffer *buf, qemuDomainSecretInfo *secinfo) { - if (!secinfo) { + if (!secinfo) virBufferAddLit(buf, ":auth_supported=none"); - return 0; - } - - switch ((qemuDomainSecretInfoType) secinfo->type) { - case VIR_DOMAIN_SECRET_INFO_TYPE_AES: + else virBufferEscape(buf, '\\', ":", ":id=%s:auth_supported=cephx\\;none", - secinfo->s.aes.username); - break; - - case VIR_DOMAIN_SECRET_INFO_TYPE_LAST: - return -1; - } + secinfo->username); return 0; } @@ -1264,8 +1255,8 @@ qemuBuildDriveSourceStr(virDomainDiskDef *disk, virQEMUBuildBufferEscapeComma(buf, source); - if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) - virBufferAsprintf(buf, ",file.password-secret=%s", secinfo->s.aes.alias); + if (secinfo) + virBufferAsprintf(buf, ",file.password-secret=%s", secinfo->alias); if (disk->src->debug) virBufferAsprintf(buf, ",file.debug=%d", disk->src->debugLevel); @@ -1282,12 +1273,12 @@ qemuBuildDriveSourceStr(virDomainDiskDef *disk, if (encinfo) { if (disk->src->format == VIR_STORAGE_FILE_RAW) { - virBufferAsprintf(buf, "key-secret=%s,", encinfo->s.aes.alias); + virBufferAsprintf(buf, "key-secret=%s,", encinfo->alias); rawluks = true; } else if (disk->src->format == VIR_STORAGE_FILE_QCOW2 && disk->src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) { virBufferAddLit(buf, "encrypt.format=luks,"); - virBufferAsprintf(buf, "encrypt.key-secret=%s,", encinfo->s.aes.alias); + virBufferAsprintf(buf, "encrypt.key-secret=%s,", encinfo->alias); } } @@ -4886,7 +4877,7 @@ qemuBuildChrChardevStr(virLogManager *logManager, qemuCaps) < 0) return NULL; - tlsCertEncSecAlias = chrSourcePriv->secinfo->s.aes.alias; + tlsCertEncSecAlias = chrSourcePriv->secinfo->alias; } if (!(objalias = qemuAliasTLSObjFromSrcAlias(charAlias))) 
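Review bot: After dropping the `VIR_DOMAIN_SECRET_INFO_TYPE_LAST` arm, qemuBuildRBDSecinfoURI has no remaining failure path — both branches fall through to `return 0;` — so its `int` return and any `< 0` checks at its call sites are vestigial. Either make it `void` and drop the checks in the callers (which are outside this hunk), or keep the `int` for future error reporting and say so in a one-line comment above the function: `/* cannot currently fail; returns int for call-site symmetry */`. Leaving a constant-returning `int` with no note invites the next reader to hunt for an error case that does not exist.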
@@ -5046,9 +5037,8 @@ qemuBuildHostdevSCSIDetachPrepare(virDomainHostdevDef *hostdev, ret->storageNodeName = src->nodestorage; ret->storageAttached = true; - if (srcpriv && srcpriv->secinfo && - srcpriv->secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) - ret->authsecretAlias = g_strdup(srcpriv->secinfo->s.aes.alias); + if (srcpriv && srcpriv->secinfo) + ret->authsecretAlias = g_strdup(srcpriv->secinfo->alias); } else { ret->driveAlias = qemuAliasFromHostdev(hostdev); @@ -8012,7 +8002,7 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfig *cfg, gfxPriv->secinfo, qemuCaps) < 0) return -1; - secretAlias = gfxPriv->secinfo->s.aes.alias; + secretAlias = gfxPriv->secinfo->alias; } if (qemuBuildTLSx509CommandLine(cmd, @@ -10898,7 +10888,6 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSource *src, if (srcpriv) { if (srcpriv->secinfo && - srcpriv->secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES && qemuBuildSecretInfoProps(srcpriv->secinfo, &data->authsecretProps) < 0) return -1; @@ -10914,7 +10903,7 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSource *src, if (qemuBuildSecretInfoProps(srcpriv->tlsKeySecret, &data->tlsKeySecretProps) < 0) return -1; - tlsKeySecretAlias = srcpriv->tlsKeySecret->s.aes.alias; + tlsKeySecretAlias = srcpriv->tlsKeySecret->alias; } } diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index e9c1f3eacb..befe6bd476 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -657,19 +657,6 @@ qemuDomainMasterKeyCreate(virDomainObj *vm) } -static void -qemuDomainSecretAESClear(struct _qemuDomainSecretAES *secret, - bool keepAlias) -{ - if (!keepAlias) - VIR_FREE(secret->alias); - - VIR_FREE(secret->username); - VIR_FREE(secret->iv); - VIR_FREE(secret->ciphertext); -} - - static void qemuDomainSecretInfoClear(qemuDomainSecretInfo *secinfo, bool keepAlias) 
@@ -677,14 +664,12 @@ qemuDomainSecretInfoClear(qemuDomainSecretInfo *secinfo, if (!secinfo) return; - switch ((qemuDomainSecretInfoType) secinfo->type) { - case VIR_DOMAIN_SECRET_INFO_TYPE_AES: - qemuDomainSecretAESClear(&secinfo->s.aes, keepAlias); - break; + if (!keepAlias) + VIR_FREE(secinfo->alias); - case VIR_DOMAIN_SECRET_INFO_TYPE_LAST: - break; - } + VIR_FREE(secinfo->username); + VIR_FREE(secinfo->iv); + VIR_FREE(secinfo->ciphertext); } @@ -1106,9 +1091,8 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivate *priv, secinfo = g_new0(qemuDomainSecretInfo, 1); - secinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES; - secinfo->s.aes.alias = g_strdup(alias); - secinfo->s.aes.username = g_strdup(username); + secinfo->alias = g_strdup(alias); + secinfo->username = g_strdup(username); raw_iv = g_new0(uint8_t, ivlen); @@ -1117,7 +1101,7 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivate *priv, return NULL; /* Encode the IV and save that since qemu will need it */ - secinfo->s.aes.iv = g_base64_encode(raw_iv, ivlen); + secinfo->iv = g_base64_encode(raw_iv, ivlen); if (virCryptoEncryptData(VIR_CRYPTO_CIPHER_AES256CBC, priv->masterKey, QEMU_DOMAIN_MASTER_KEY_LEN, @@ -1126,8 +1110,7 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivate *priv, return NULL; /* Now encode the ciphertext and store to be passed to qemu */ - secinfo->s.aes.ciphertext = g_base64_encode(ciphertext, - ciphertextlen); + secinfo->ciphertext = g_base64_encode(ciphertext, ciphertextlen); return g_steal_pointer(&secinfo); } @@ -1809,11 +1792,9 @@ qemuStorageSourcePrivateDataAssignSecinfo(qemuDomainSecretInfo **secinfo, if (!*secinfo) { *secinfo = g_new0(qemuDomainSecretInfo, 1); - (*secinfo)->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES; } - if ((*secinfo)->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) - (*secinfo)->s.aes.alias = g_steal_pointer(&*alias); + (*secinfo)->alias = g_steal_pointer(&*alias); return 0; } 
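Review bot: qemuStorageSourcePrivateDataAssignSecinfo now unconditionally stores the stolen alias into `(*secinfo)->alias` but only allocates when `*secinfo` is NULL; if the secinfo already exists and carries an alias (the `if (!*secinfo)` guard suggests that can happen), the previous string is overwritten and leaked. The old code had the same gap behind its type check, so the leak is not new, but with the check gone the assignment is the whole function. A `g_free((*secinfo)->alias);` immediately before the `g_steal_pointer` assignment closes it. The function's parameters and start are outside the hunk, so I cannot see whether callers pre-clear the alias.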
@@ -1881,13 +1862,11 @@ qemuStorageSourcePrivateDataFormatSecinfo(virBuffer *buf, qemuDomainSecretInfo *secinfo, const char *type) { - if (!secinfo || - secinfo->type != VIR_DOMAIN_SECRET_INFO_TYPE_AES || - !secinfo->s.aes.alias) + if (!secinfo || !secinfo->alias) return; virBufferAsprintf(buf, "\n", - type, secinfo->s.aes.alias); + type, secinfo->alias); } diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index cb5c665766..f8004efbb1 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -90,31 +90,17 @@ struct _qemuDomainUnpluggingDevice { #define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control" -/* Type of domain secret */ -typedef enum { - VIR_DOMAIN_SECRET_INFO_TYPE_AES, /* utilize GNUTLS_CIPHER_AES_256_CBC */ - - VIR_DOMAIN_SECRET_INFO_TYPE_LAST -} qemuDomainSecretInfoType; - #define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */ /* initialization vector */ -typedef struct _qemuDomainSecretAES qemuDomainSecretAES; -struct _qemuDomainSecretAES { + +typedef struct _qemuDomainSecretInfo qemuDomainSecretInfo; +struct _qemuDomainSecretInfo { char *username; char *alias; /* generated alias for secret */ char *iv; /* base64 encoded initialization vector */ char *ciphertext; /* encoded/encrypted secret */ }; -typedef struct _qemuDomainSecretInfo qemuDomainSecretInfo; -struct _qemuDomainSecretInfo { - qemuDomainSecretInfoType type; - union { - qemuDomainSecretAES aes; - } s; -}; - typedef struct _qemuDomainObjPrivate qemuDomainObjPrivate; struct _qemuDomainObjPrivate { virQEMUDriver *driver; diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 9c16ab4567..9b0dcf2629 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1846,7 +1846,7 @@ qemuDomainGetTLSObjects(virQEMUCaps *qemuCaps, if (qemuBuildSecretInfoProps(secinfo, secProps) < 0) return -1; - secAlias = secinfo->s.aes.alias; + secAlias = secinfo->alias; } if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, 
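Review bot: As rendered here, the `virBufferAsprintf` call in qemuStorageSourcePrivateDataFormatSecinfo shows a format string of just `"\n"` followed by two arguments (`type`, `secinfo->alias`), which would be a format/argument mismatch. Most likely the XML element text (presumably something like `<secret type='%s' alias='%s'/>`) was stripped by the page's HTML rendering rather than being absent from the source, but it should be confirmed against the tree since the function exists only to emit that element. The function's signature is outside the hunk.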
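Review bot: With the `qemuDomainSecretInfoType` enum and the `s.aes` union removed, nothing in qemu_domain.h states that a `qemuDomainSecretInfo` always holds a master-key-encrypted secret; the deleted enum comment (`utilize GNUTLS_CIPHER_AES_256_CBC`) was the only statement of that invariant, and `QEMU_DOMAIN_AES_IV_LEN` now sits above a struct with no "AES" in its name. A struct-level comment would keep it discoverable: it should say that `ciphertext` and `iv` are base64 encodings of the secret encrypted under the domain master key with AES-256-CBC (as done in qemuDomainSecretAESSetup), that the plaintext is never stored in the struct, that qemu decrypts via the master-key object named by the `keyid` passed in qemuBuildSecretInfoProps, and that `alias` may be the only populated field for secinfos restored from private XML data. The field comment `encoded/encrypted secret` could then become the more precise `base64 of the AES-256-CBC ciphertext`.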
@@ -1890,7 +1890,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver, secinfo = chrSourcePriv->secinfo; if (secinfo) - *secAlias = secinfo->s.aes.alias; + *secAlias = secinfo->alias; if (!(*tlsAlias = qemuAliasTLSObjFromSrcAlias(charAlias))) goto cleanup; diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c index 018e62cf6e..88dba3b999 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -955,7 +955,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver, qemuDomainSecretInfoTLSNew(priv, QEMU_MIGRATION_TLS_ALIAS_BASE, cfg->migrateTLSx509secretUUID))) return -1; - secAlias = priv->migSecinfo->s.aes.alias; + secAlias = priv->migSecinfo->alias; } if (!(*tlsAlias = qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE))) diff --git a/tests/qemublocktest.c b/tests/qemublocktest.c index 4af8862c5b..3e61e923a9 100644 --- a/tests/qemublocktest.c +++ b/tests/qemublocktest.c @@ -235,19 +235,16 @@ testQemuDiskXMLToJSONFakeSecrets(virStorageSource *src) if (src->auth) { srcpriv->secinfo = g_new0(qemuDomainSecretInfo, 1); - srcpriv->secinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES; - srcpriv->secinfo->s.aes.username = g_strdup(src->auth->username); - - srcpriv->secinfo->s.aes.alias = g_strdup_printf("%s-secalias", - NULLSTR(src->nodestorage)); + srcpriv->secinfo->username = g_strdup(src->auth->username); + srcpriv->secinfo->alias = g_strdup_printf("%s-secalias", + NULLSTR(src->nodestorage)); } if (src->encryption) { srcpriv->encinfo = g_new0(qemuDomainSecretInfo, 1); - srcpriv->encinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES; - srcpriv->encinfo->s.aes.alias = g_strdup_printf("%s-encalias", - NULLSTR(src->nodeformat)); + srcpriv->encinfo->alias = g_strdup_printf("%s-encalias", + NULLSTR(src->nodeformat)); } return 0;