From b0a46b609e8bf06a76ba40a9715710b73fd0afad Mon Sep 17 00:00:00 2001
From: Peter Krempa <pkrempa@redhat.com>
Date: Fri, 20 Oct 2017 15:33:35 +0200
Subject: [PATCH] qemu: domain: Prepare TLS data for the whole backing chain

Iterate through the backing chain when setting up TLS for disks.
---
 src/qemu/qemu_domain.c | 41 ++++++++++++++++++++++-------------------
 1 file changed, 22 insertions(+), 19 deletions(-)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index d355999e94..19e2af8070 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -7880,28 +7880,31 @@ int
 qemuDomainPrepareDiskSourceTLS(virStorageSourcePtr src,
                                virQEMUDriverConfigPtr cfg)
 {
+    virStorageSourcePtr next;
 
-    /* VxHS uses only client certificates and thus has no need for
-     * the server-key.pem nor a secret that could be used to decrypt
-     * the it, so no need to add a secinfo for a secret UUID. */
-    if (src->type == VIR_STORAGE_TYPE_NETWORK &&
-        src->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS) {
-
-        if (src->haveTLS == VIR_TRISTATE_BOOL_ABSENT) {
-            if (cfg->vxhsTLS)
-                src->haveTLS = VIR_TRISTATE_BOOL_YES;
-            else
-                src->haveTLS = VIR_TRISTATE_BOOL_NO;
-            src->tlsFromConfig = true;
-        }
+    for (next = src; virStorageSourceIsBacking(next); next = next->backingStore) {
+        /* VxHS uses only client certificates and thus has no need for
+         * the server-key.pem nor a secret that could be used to decrypt
+         * the it, so no need to add a secinfo for a secret UUID. */
+        if (next->type == VIR_STORAGE_TYPE_NETWORK &&
+            next->protocol == VIR_STORAGE_NET_PROTOCOL_VXHS) {
+
+            if (next->haveTLS == VIR_TRISTATE_BOOL_ABSENT) {
+                if (cfg->vxhsTLS)
+                    next->haveTLS = VIR_TRISTATE_BOOL_YES;
+                else
+                    next->haveTLS = VIR_TRISTATE_BOOL_NO;
+                next->tlsFromConfig = true;
+            }
 
-        if (src->haveTLS == VIR_TRISTATE_BOOL_YES) {
-            /* Grab the vxhsTLSx509certdir and set the verify/listen values.
-             * NB: tlsAlias filled in during qemuDomainGetTLSObjects. */
-            if (VIR_STRDUP(src->tlsCertdir, cfg->vxhsTLSx509certdir) < 0)
-                return -1;
+            if (next->haveTLS == VIR_TRISTATE_BOOL_YES) {
+                /* Grab the vxhsTLSx509certdir and set the verify/listen values.
+                 * NB: tlsAlias filled in during qemuDomainGetTLSObjects. */
+                if (VIR_STRDUP(next->tlsCertdir, cfg->vxhsTLSx509certdir) < 0)
+                    return -1;
 
-            src->tlsVerify = true;
+                next->tlsVerify = true;
+            }
         }
     }
 
-- 
GitLab