提交 214489f5 编写于 作者: D Daniel P. Berrange

rpc: allow priority string to be passed to TLS context

Extend the virNetTLSContextNew* constructors to allow
the TLS priority string to be passed in, overriding the
compile time default.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
上级 cbb2e91e
......@@ -585,6 +585,7 @@ daemonSetupNetworking(virNetServerPtr srv,
config->cert_file,
config->key_file,
(const char *const*)config->tls_allowed_dn_list,
NULL,
config->tls_no_sanity_certificate ? false : true,
config->tls_no_verify_certificate ? false : true)))
goto cleanup;
......@@ -592,6 +593,7 @@ daemonSetupNetworking(virNetServerPtr srv,
if (!(ctxt = virNetTLSContextNewServerPath(NULL,
!privileged,
(const char *const*)config->tls_allowed_dn_list,
NULL,
config->tls_no_sanity_certificate ? false : true,
config->tls_no_verify_certificate ? false : true)))
goto cleanup;
......
......@@ -845,6 +845,7 @@ doRemoteOpen(virConnectPtr conn,
#ifdef WITH_GNUTLS
priv->tls = virNetTLSContextNewClientPath(pkipath,
geteuid() != 0 ? true : false,
NULL,
sanity, verify);
if (!priv->tls)
goto failed;
......
......@@ -65,6 +65,7 @@ struct _virNetTLSContext {
bool isServer;
bool requireValidCert;
const char *const*x509dnWhitelist;
char *priority;
};
struct _virNetTLSSession {
......@@ -696,6 +697,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
const char *cert,
const char *key,
const char *const*x509dnWhitelist,
const char *priority,
bool sanityCheckCert,
bool requireValidCert,
bool isServer)
......@@ -709,6 +711,9 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
if (!(ctxt = virObjectLockableNew(virNetTLSContextClass)))
return NULL;
if (VIR_STRDUP(ctxt->priority, priority) < 0)
goto error;
err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
if (err) {
virReportError(VIR_ERR_SYSTEM_ERROR,
......@@ -896,6 +901,7 @@ static int virNetTLSContextLocateCredentials(const char *pkipath,
static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
bool tryUserPkiPath,
const char *const*x509dnWhitelist,
const char *priority,
bool sanityCheckCert,
bool requireValidCert,
bool isServer)
......@@ -908,7 +914,7 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
return NULL;
ctxt = virNetTLSContextNew(cacert, cacrl, cert, key,
x509dnWhitelist, sanityCheckCert,
x509dnWhitelist, priority, sanityCheckCert,
requireValidCert, isServer);
VIR_FREE(cacert);
......@@ -922,19 +928,21 @@ static virNetTLSContextPtr virNetTLSContextNewPath(const char *pkipath,
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
bool tryUserPkiPath,
const char *const*x509dnWhitelist,
const char *priority,
bool sanityCheckCert,
bool requireValidCert)
{
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist,
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, x509dnWhitelist, priority,
sanityCheckCert, requireValidCert, true);
}
virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
bool tryUserPkiPath,
const char *priority,
bool sanityCheckCert,
bool requireValidCert)
{
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL,
return virNetTLSContextNewPath(pkipath, tryUserPkiPath, NULL, priority,
sanityCheckCert, requireValidCert, false);
}
......@@ -944,10 +952,11 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
const char *cert,
const char *key,
const char *const*x509dnWhitelist,
const char *priority,
bool sanityCheckCert,
bool requireValidCert)
{
return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist,
return virNetTLSContextNew(cacert, cacrl, cert, key, x509dnWhitelist, priority,
sanityCheckCert, requireValidCert, true);
}
......@@ -956,10 +965,11 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
const char *cacrl,
const char *cert,
const char *key,
const char *priority,
bool sanityCheckCert,
bool requireValidCert)
{
return virNetTLSContextNew(cacert, cacrl, cert, key, NULL,
return virNetTLSContextNew(cacert, cacrl, cert, key, NULL, priority,
sanityCheckCert, requireValidCert, false);
}
......@@ -1138,6 +1148,7 @@ void virNetTLSContextDispose(void *obj)
PROBE(RPC_TLS_CONTEXT_DISPOSE,
"ctxt=%p", ctxt);
VIR_FREE(ctxt->priority);
gnutls_dh_params_deinit(ctxt->dhParams);
gnutls_certificate_free_credentials(ctxt->x509cred);
}
......@@ -1197,10 +1208,12 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
/* avoid calling all the priority functions, since the defaults
* are adequate.
*/
if ((err = gnutls_priority_set_direct(sess->session, TLS_PRIORITY, NULL)) != 0) {
if ((err = gnutls_priority_set_direct(sess->session,
ctxt->priority ? ctxt->priority : TLS_PRIORITY,
NULL)) != 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Failed to set TLS session priority to %s: %s"),
TLS_PRIORITY, gnutls_strerror(err));
ctxt->priority ? ctxt->priority : TLS_PRIORITY, gnutls_strerror(err));
goto error;
}
......
......@@ -36,11 +36,13 @@ void virNetTLSInit(void);
virNetTLSContextPtr virNetTLSContextNewServerPath(const char *pkipath,
bool tryUserPkiPath,
const char *const*x509dnWhitelist,
const char *priority,
bool sanityCheckCert,
bool requireValidCert);
virNetTLSContextPtr virNetTLSContextNewClientPath(const char *pkipath,
bool tryUserPkiPath,
const char *priority,
bool sanityCheckCert,
bool requireValidCert);
......@@ -49,6 +51,7 @@ virNetTLSContextPtr virNetTLSContextNewServer(const char *cacert,
const char *cert,
const char *key,
const char *const*x509dnWhitelist,
const char *priority,
bool sanityCheckCert,
bool requireValidCert);
......@@ -56,6 +59,7 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
const char *cacrl,
const char *cert,
const char *key,
const char *priority,
bool sanityCheckCert,
bool requireValidCert);
......
......@@ -72,6 +72,7 @@ static int testTLSContextInit(const void *opaque)
data->crt,
KEYFILE,
NULL,
NULL,
true,
true);
} else {
......@@ -79,6 +80,7 @@ static int testTLSContextInit(const void *opaque)
NULL,
data->crt,
KEYFILE,
NULL,
true,
true);
}
......
......@@ -113,6 +113,7 @@ static int testTLSSessionInit(const void *opaque)
data->servercrt,
KEYFILE,
data->wildcards,
NULL,
false,
true);
......@@ -120,6 +121,7 @@ static int testTLSSessionInit(const void *opaque)
NULL,
data->clientcrt,
KEYFILE,
NULL,
false,
true);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册