[libvirt] [PATCH] Introduce gnutls_priority config option

Ján Tomko jtomko at redhat.com
Wed May 18 11:54:47 UTC 2016


The defaults provided by gnutls_set_default_priority are not configurable
at runtime. Introduce a new config option to libvirt.conf that will
be passed to gnutls_priority_set.

One of the possible options is "@SYSTEM", where gnutls will get the settings
from /etc/gnutls/default-priorities.

Note that the /etc/libvirt/libvirt.conf file is only used by libvirt
processes running as root, for regular users the file in
$XDG_CONFIG_HOME or ~/.config is used.

https://bugzilla.redhat.com/show_bug.cgi?id=1333404
---
 src/libvirt.conf           |  6 +++++
 src/rpc/virnettlscontext.c | 59 +++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 56 insertions(+), 9 deletions(-)

diff --git a/src/libvirt.conf b/src/libvirt.conf
index da4dfbe..688c572 100644
--- a/src/libvirt.conf
+++ b/src/libvirt.conf
@@ -16,3 +16,9 @@
 # (@uri_default also prevents probing of the hypervisor driver).
 #
 #uri_default = "qemu:///system"
+
+#
+# Override the priority of exchange methods, ciphers etc. used by gnutls.
+# See gnutls_priority_set_direct(3).
+#
+#gnutls_priority = "@SYSTEM"
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 947038d..e93887c 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -35,6 +35,7 @@
 #include "virstring.h"
 
 #include "viralloc.h"
+#include "virconf.h"
 #include "virerror.h"
 #include "virfile.h"
 #include "virutil.h"
@@ -86,10 +87,17 @@ static virClassPtr virNetTLSContextClass;
 static virClassPtr virNetTLSSessionClass;
 static void virNetTLSContextDispose(void *obj);
 static void virNetTLSSessionDispose(void *obj);
+static gnutls_priority_t *virNetTLSPriorityCache;
 
 
 static int virNetTLSContextOnceInit(void)
 {
+    virConfPtr conf = NULL;
+    virConfValuePtr value = NULL;
+    const char *err_pos;
+    int ret = -1;
+    int rc;
+
     if (!(virNetTLSContextClass = virClassNew(virClassForObjectLockable(),
                                               "virNetTLSContext",
                                               sizeof(virNetTLSContext),
@@ -102,7 +110,32 @@ static int virNetTLSContextOnceInit(void)
                                               virNetTLSSessionDispose)))
         return -1;
 
-    return 0;
+    if (virConfLoadConfig(&conf, NULL) < 0)
+        return -1;
+
+    if ((value = virConfGetValue(conf, "gnutls_priority"))) {
+        if (value->type != VIR_CONF_STRING) {
+            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                           _("Expected a string for 'gnutls_priority' config parameter"));
+            goto cleanup;
+        }
+        VIR_DEBUG("Using gnutls priority '%s'", value->str);
+        if (VIR_ALLOC(virNetTLSPriorityCache) < 0)
+            goto cleanup;
+        if ((rc = gnutls_priority_init(virNetTLSPriorityCache, value->str,
+                                       &err_pos)) != 0) {
+            VIR_FREE(virNetTLSPriorityCache);
+            virReportError(VIR_ERR_SYSTEM_ERROR,
+                           _("Failed to initialize TLS session priority \"%s\": %s"),
+                           err_pos, gnutls_strerror(rc));
+            goto cleanup;
+        }
+    }
+
+    ret = 0;
+ cleanup:
+    virConfFree(conf);
+    return ret;
 }
 
 VIR_ONCE_GLOBAL_INIT(virNetTLSContext)
@@ -1224,14 +1257,22 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
         goto error;
     }
 
-    /* avoid calling all the priority functions, since the defaults
-     * are adequate.
-     */
-    if ((err = gnutls_set_default_priority(sess->session)) != 0) {
-        virReportError(VIR_ERR_SYSTEM_ERROR,
-                       _("Failed to set TLS session priority %s"),
-                       gnutls_strerror(err));
-        goto error;
+    /* Use the defaults unless a priority string was specified in the
+     * config file */
+    if (virNetTLSPriorityCache) {
+        if ((err = gnutls_priority_set(sess->session, *virNetTLSPriorityCache)) != 0) {
+            virReportError(VIR_ERR_SYSTEM_ERROR,
+                           _("Failed to set TLS session priority %s"),
+                           gnutls_strerror(err));
+            goto error;
+        }
+    } else {
+        if ((err = gnutls_set_default_priority(sess->session)) != 0) {
+            virReportError(VIR_ERR_SYSTEM_ERROR,
+                           _("Failed to set TLS session priority %s"),
+                           gnutls_strerror(err));
+            goto error;
+        }
     }
 
     if ((err = gnutls_credentials_set(sess->session,
-- 
2.7.3




More information about the libvir-list mailing list