[libvirt] [PATCH 7/8] qemu: add support for encrypted VNC TLS keys
John Ferlan
jferlan at redhat.com
Thu Jan 17 16:11:15 UTC 2019
On 1/16/19 2:41 AM, Ján Tomko wrote:
> Use the password stored in the secret driver under
> the uuid specified by the vnc_tls_x509_secret_uuid
> option in qemu.conf.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1602418
>
> Signed-off-by: Ján Tomko <jtomko at redhat.com>
> ---
> src/qemu/qemu_command.c | 11 +++++-
> src/qemu/qemu_domain.c | 9 +++++
> src/qemu/qemu_domain.h | 1 +
> ...graphics-vnc-tls-secret.x86_64-latest.args | 36 +++++++++++++++++++
> .../graphics-vnc-tls-secret.xml | 30 ++++++++++++++++
> tests/qemuxml2argvtest.c | 5 +++
> 6 files changed, 91 insertions(+), 1 deletion(-)
> create mode 100644 tests/qemuxml2argvdata/graphics-vnc-tls-secret.x86_64-latest.args
> create mode 100644 tests/qemuxml2argvdata/graphics-vnc-tls-secret.xml
>
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index d130d0463c..e17d7ddec7 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -8037,11 +8037,20 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfigPtr cfg,
> if (cfg->vncTLS) {
> qemuDomainGraphicsPrivatePtr gfxPriv = QEMU_DOMAIN_GRAPHICS_PRIVATE(graphics);
> if (gfxPriv->tlsAlias) {
> + const char *secretAlias = NULL;
> +
> + if (gfxPriv && gfxPriv->secinfo) {
The "gfxPriv" check is unnecessary; we would have already died dereferencing
gfxPriv->tlsAlias.
> + if (qemuBuildObjectSecretCommandLine(cmd,
> + gfxPriv->secinfo) < 0)
> + goto error;
> + secretAlias = gfxPriv->secinfo->s.aes.alias;
> + }
> +
> if (qemuBuildTLSx509CommandLine(cmd,
> cfg->vncTLSx509certdir,
> true,
> cfg->vncTLSx509verify,
> - NULL,
> + secretAlias,
> gfxPriv->tlsAlias,
> qemuCaps) < 0)
> goto error;
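Review bot: `secretAlias = gfxPriv->secinfo->s.aes.alias;` reads the `s.aes` member without anything in the hunk establishing which kind of secret info `secinfo` holds. If qemuDomainSecretInfoTLSNew (called in the qemuDomainSecretGraphicsPrepare hunk of this patch) can only return an AES-type object this is safe, but that guarantee is not visible here. A one-line comment such as `/* TLS secinfo is always AES-encrypted, see qemuDomainSecretInfoTLSNew */`, or an explicit type check before the assignment, would stop a later plain-secret path from handing a wrong alias to qemuBuildTLSx509CommandLine. The body of qemuBuildGraphicsVNCCommandLine starts and ends outside the hunk.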
> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index 6960f0569b..da9c4e566d 100644
> --- a/src/qemu/qemu_domain.c
> +++ b/src/qemu/qemu_domain.c
> @@ -1269,6 +1269,7 @@ qemuDomainGraphicsPrivateDispose(void *obj)
> qemuDomainGraphicsPrivatePtr priv = obj;
>
> VIR_FREE(priv->tlsAlias);
> + qemuDomainSecretInfoFree(&priv->secinfo);
> }
>
>
> @@ -1750,6 +1751,7 @@ qemuDomainSecretGraphicsDestroy(virDomainGraphicsDefPtr graphics)
> return;
>
> VIR_FREE(gfxPriv->tlsAlias);
> + qemuDomainSecretInfoFree(&gfxPriv->secinfo);
If you use virObjectUnref as noted in patch4, then the change in the
hunk above gives you this for free.
> }
>
>
> @@ -1773,6 +1775,13 @@ qemuDomainSecretGraphicsPrepare(virQEMUDriverConfigPtr cfg,
> if (VIR_STRDUP(gfxPriv->tlsAlias, "vnc-tls-creds0") < 0)
> return -1;
>
> + if (cfg->vncTLSx509secretUUID) {
> + gfxPriv->secinfo = qemuDomainSecretInfoTLSNew(priv, gfxPriv->tlsAlias,
> + cfg->vncTLSx509secretUUID);
> + if (!gfxPriv->secinfo)
> + return -1;
> + }
> +
> return 0;
> }
>
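Review bot: The error path of the new `if (cfg->vncTLSx509secretUUID)` block is undocumented: when qemuDomainSecretInfoTLSNew returns NULL the function returns -1 with gfxPriv->tlsAlias already set, so releasing it depends on the caller running qemuDomainSecretGraphicsDestroy or on the dispose callback. I would add a comment above the block, `/* Failing to set up the configured key secret is fatal; tlsAlias is freed by qemuDomainSecretGraphicsDestroy. */`. It is also worth confirming that the caller treats -1 as a hard failure and does not go on to start VNC TLS without the key password, since that caller is not visible here. qemuDomainSecretGraphicsPrepare starts outside the hunk.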
Reviewed-by: John Ferlan <jferlan at redhat.com>
John