[libvirt] [PATCH] Sanity check explicit TLS file paths

Peter Krempa pkrempa at redhat.com
Thu Mar 16 06:43:38 UTC 2017


On Wed, Mar 15, 2017 at 18:05:00 +0000, Daniel Berrange wrote:
> When providing explicit x509 cert/key paths in libvirtd.conf,
> the user must provide all three. If one or more is missed,
> this leads to obscure errors at runtime when negotiating
> the TLS session
> 
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
>  daemon/libvirtd.c | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
> index 9b98f33..40aa2b6 100644
> --- a/daemon/libvirtd.c
> +++ b/daemon/libvirtd.c
> @@ -544,6 +544,22 @@ daemonSetupNetworking(virNetServerPtr srv,
>              if (config->ca_file ||
>                  config->cert_file ||
>                  config->key_file) {
> +                if (!config->ca_file) {
> +                    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                                   "No CA certificate path set to match server key/cert");
> +                    goto cleanup;
> +                }
> +                if (!config->cert_file) {
> +                    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                                   "No server certificate path set to match server key");
> +                    goto cleanup;
> +                }
> +                if (!config->key_file) {
> +                    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                                   "No server key path set to match server cert");
> +                    goto cleanup;

Fails syntax-check due to missing gettext macros on the messages:

daemon/libvirtd.c-549-                                   "No CA certificate path set to match server key/cert");
daemon/libvirtd.c-554-                                   "No server certificate path set to match server key");
daemon/libvirtd.c-559-                                   "No server key path set to match server cert");
maint.mk: found unmarked diagnostic(s)
> +                }
> +                VIR_DEBUG("Using CA='%s' cert='%s' key='%s'", config->ca_file, config->cert_file, config->key_file);

This line is super long and easy to shorten. Please do so.

>                  if (!(ctxt = virNetTLSContextNewServer(config->ca_file,
>                                                         config->crl_file,
>                                                         config->cert_file,
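Review bot: the three error messages in this hunk assume the other two paths are present, which does not hold for every branch of the enclosing `if (config->ca_file || config->cert_file || config->key_file)`: with only ca_file set, the cert_file check fires and reports "No server certificate path set to match server key" even though no key path was configured either, and with only cert_file set the first message claims a "server key/cert" that is only half there. Either word each message in terms of the full set (for example "ca_file, cert_file and key_file must all be set if any of them is set") or collect all missing entries and report them together, so the admin fixes libvirtd.conf in one pass instead of hitting the next check after each edit. The `goto cleanup` on a missing path also relies on the failure return value already being initialised before this block, which the visible context does not show; worth confirming.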

ACK with the above fixed.