From nobody Mon Feb 9 07:47:15 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) client-ip=205.139.110.61; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-1.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) by mx.zohomail.com with SMTPS id 1581257366597931.8598219960516; Sun, 9 Feb 2020 06:09:26 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-264-ZiDFM7LBPVmoqlEBCpE1-A-1; Sun, 09 Feb 2020 09:06:26 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 675AA10054E3; Sun, 9 Feb 2020 14:06:20 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4318C8ED04; Sun, 9 Feb 2020 14:06:20 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 03AC818089D6; Sun, 9 Feb 2020 14:06:20 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 019E45t5018744 for ; Sun, 9 Feb 2020 09:04:05 -0500 Received: by smtp.corp.redhat.com (Postfix) id 496157D547; Sun, 9 Feb 2020 14:04:05 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast05.extmail.prod.ext.rdu2.redhat.com [10.11.55.21]) by 
smtp.corp.redhat.com (Postfix) with ESMTPS id 45DB67D4FF for ; Sun, 9 Feb 2020 14:04:05 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id DDD3090084B for ; Sun, 9 Feb 2020 14:04:04 +0000 (UTC) Received: from huawei.com (szxga07-in.huawei.com [45.249.212.35]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-295-wKRD0-s5M6qymXTMH_531w-1; Sun, 09 Feb 2020 09:04:02 -0500 Received: from DGGEMS412-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 7BFE5D5FC4DAC3CF65EE for ; Sun, 9 Feb 2020 22:03:56 +0800 (CST) Received: from huawei.com (10.133.210.227) by DGGEMS412-HUB.china.huawei.com (10.3.19.212) with Microsoft SMTP Server id 14.3.439.0; Sun, 9 Feb 2020 22:03:47 +0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1581257188; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=VwWsXkwfnZ6OLUQZ21uIYYLwUgiObSQz2X23FRWm6vc=; b=GjUrepKy+jgjFnFlEtAT5C97NBGTOVj4Y9it1XzIJmdDJ/l2Rg8EEOw38eA+SFV3ECJBlU p64Eot97Ov0MDbEoa7YCPTqZoZ6Hva1y3vBQ7Sfgn2fm2+NWtPe1topldnffigtu9JLIUs Frw5TZaWrn90kc8cV1rB4EEPLsgt0Vs= 
From: Zhang Bo To: Subject: [PATCH 1/6] virnettlscontext: refactoring virNetTLSContextLoadCredentials Date: Sun, 9 Feb 2020 22:03:11 +0800 Message-ID: <20200209140316.3107-2-oscar.zhangbo@huawei.com> In-Reply-To: <20200209140316.3107-1-oscar.zhangbo@huawei.com> References: <20200209140316.3107-1-oscar.zhangbo@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.133.210.227] X-CFilter-Loop: Reflected X-MC-Unique: wKRD0-s5M6qymXTMH_531w-1 X-MC-Unique: ZiDFM7LBPVmoqlEBCpE1-A-1 X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-MIME-Autoconverted: from quoted-printable to 8bit by lists01.pubmisc.prod.ext.phx2.redhat.com id 019E45t5018744 X-loop: libvir-list@redhat.com Cc: Zhang Bo , dengkai1@huawei.com, wuqingliang4@huawei.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" Encapsulate the code for setting TLS-related files into functions, which is convenient for other modules to call. --- src/rpc/virnettlscontext.c | 135 ++++++++++++++++++++++--------------- 1 file changed, 82 insertions(+), 53 deletions(-) diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 44f0dfce77..12811bed78 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c 
@@ -594,6 +594,85 @@ static int virNetTLSContextSanityCheckCredentials(bool= isServer, return ret; } =20 +static int virNetTLSContextSetCACert(virNetTLSContextPtr ctxt, + const char *cacert, + bool allowMissing) +{ + int err; + if (virNetTLSContextCheckCertFile("CA certificate", cacert, allowMissi= ng) < 0) + return -1; + + VIR_DEBUG("loading CA cert from %s", cacert); + err =3D gnutls_certificate_set_x509_trust_file(ctxt->x509cred, + cacert, + GNUTLS_X509_FMT_PEM); + if (err < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to set x509 CA certificate: %s: %s"), + cacert, gnutls_strerror(err)); + return -1; + } + + return 0; +} + +static int virNetTLSContextSetCACRL(virNetTLSContextPtr ctxt, + const char *cacrl, + bool allowMissing) +{ + int rv, err; + if ((rv =3D virNetTLSContextCheckCertFile("CA revocation list", cacrl,= allowMissing)) < 0) + return -1; + + if (rv =3D=3D 0) { + VIR_DEBUG("loading CRL from %s", cacrl); + err =3D gnutls_certificate_set_x509_crl_file(ctxt->x509cred, + cacrl, + GNUTLS_X509_FMT_PEM); + if (err < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to set x509 certificate revocation li= st: %s: %s"), + cacrl, gnutls_strerror(err)); + return -1; + } + } else { + VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl); + } + + return 0; +} + +static int virNetTLSContextSetCertAndKey(virNetTLSContextPtr ctxt, + const char *cert, + const char *key, + bool allowMissing) +{ + int rv, err; + if ((rv =3D virNetTLSContextCheckCertFile("certificate", cert, allowMi= ssing)) < 0) + return -1; + if (rv =3D=3D 0 && + (rv =3D virNetTLSContextCheckCertFile("private key", key, allowMis= sing)) < 0) + return -1; + + if (rv =3D=3D 0) { + VIR_DEBUG("loading cert and key from %s and %s", cert, key); + err =3D + gnutls_certificate_set_x509_key_file(ctxt->x509cred, + cert, key, + GNUTLS_X509_FMT_PEM); + if (err < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to set x509 key and certificate: %s, = %s: %s"), + key, cert, gnutls_strerror(err)); 
+ return -1; + } + } else { + VIR_DEBUG("Skipping non-existent cert %s key %s on client", + cert, key); + } + + return 0; +} =20 static int virNetTLSContextLoadCredentials(virNetTLSContextPtr ctxt, bool isServer, 
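Review bot: in virNetTLSContextSetCACert the allowMissing argument is accepted but never acted on. The result of virNetTLSContextCheckCertFile is only tested for < 0, so when allowMissing is true and the file is absent the code still calls gnutls_certificate_set_x509_trust_file on a path that does not exist and fails there with a less useful error. Either mirror the rv == 0 guard that virNetTLSContextSetCACRL and virNetTLSContextSetCertAndKey use, or drop the parameter, since both callers in this series pass false. Minor: the message "Skipping non-existent cert %s key %s on client" now lives in a helper that is no longer client-specific, so "on client" should go.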
@@ -602,69 +681,19 @@ static int virNetTLSContextLoadCredentials(virNetTLSC= ontextPtr ctxt, const char *cert, const char *key) { - int err; - if (cacert && cacert[0] !=3D '\0') { - if (virNetTLSContextCheckCertFile("CA certificate", cacert, false)= < 0) - return -1; - - VIR_DEBUG("loading CA cert from %s", cacert); - err =3D gnutls_certificate_set_x509_trust_file(ctxt->x509cred, - cacert, - GNUTLS_X509_FMT_PEM); - if (err < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to set x509 CA certificate: %s: %s"), - cacert, gnutls_strerror(err)); + if (virNetTLSContextSetCACert(ctxt, cacert, false)) return -1; - } } =20 if (cacrl && cacrl[0] !=3D '\0') { - int rv; - if ((rv =3D virNetTLSContextCheckCertFile("CA revocation list", ca= crl, true)) < 0) + if (virNetTLSContextSetCACRL(ctxt, cacrl, true)) return -1; - - if (rv =3D=3D 0) { - VIR_DEBUG("loading CRL from %s", cacrl); - err =3D gnutls_certificate_set_x509_crl_file(ctxt->x509cred, - cacrl, - GNUTLS_X509_FMT_PEM= ); - if (err < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to set x509 certificate revocatio= n list: %s: %s"), - cacrl, gnutls_strerror(err)); - return -1; - } - } else { - VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl); - } } =20 if (cert && cert[0] !=3D '\0' && key && key[0] !=3D '\0') { - int rv; - if ((rv =3D virNetTLSContextCheckCertFile("certificate", cert, !is= Server)) < 0) + if (virNetTLSContextSetCertAndKey(ctxt, cert, key, !isServer)) return -1; - if (rv =3D=3D 0 && - (rv =3D virNetTLSContextCheckCertFile("private key", key, !isS= erver)) < 0) - return -1; - - if (rv =3D=3D 0) { - VIR_DEBUG("loading cert and key from %s and %s", cert, key); - err =3D - gnutls_certificate_set_x509_key_file(ctxt->x509cred, - cert, key, - GNUTLS_X509_FMT_PEM); - if (err < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to set x509 key and certificate: = %s, %s: %s"), - key, cert, gnutls_strerror(err)); - return -1; - } - } else { - VIR_DEBUG("Skipping non-existent cert %s key %s on 
client", - cert, key); - } } =20 return 0; --=20 2.23.0.windows.1
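Review bot: the three new call sites test the helpers' result with if (virNetTLSContextSetCACert(ctxt, cacert, false)) rather than comparing against zero. The removed lines around them, and libvirt code generally, check integer returns explicitly, as in if (virNetTLSContextSetCACert(ctxt, cacert, false) < 0) return -1; please use that form here and for the virNetTLSContextSetCACRL and virNetTLSContextSetCertAndKey calls that follow. Apart from that the hunk is a pure move of the old bodies into the helpers and the behaviour of each branch (CA cert required, CRL optional, cert/key optional on the client side) is unchanged.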
From: Zhang Bo
Subject: [PATCH 2/6] virnetserver: Introduce virNetServerUpdateTlsFiles
Date: Sun, 9 Feb 2020 22:03:12 +0800
Message-ID: <20200209140316.3107-3-oscar.zhangbo@huawei.com>
In-Reply-To: <20200209140316.3107-1-oscar.zhangbo@huawei.com>
References: <20200209140316.3107-1-oscar.zhangbo@huawei.com>
Cc: Zhang Bo, dengkai1@huawei.com, wuqingliang4@huawei.com

Add an API to update the server's TLS context before the admin method can be introduced.

---
 include/libvirt/libvirt-admin.h | 8 ++++
 src/libvirt_remote.syms | 1 +
 src/rpc/virnetserver.c | 72 +++++++++++++++++++++++++++++++++
 src/rpc/virnetserver.h | 3 ++
 src/rpc/virnetserverclient.c | 4 ++
 src/rpc/virnettlscontext.c | 41 +++++++++++++++++++
 src/rpc/virnettlscontext.h | 2 +
 7 files changed, 131 insertions(+)

diff --git a/include/libvirt/libvirt-admin.h b/include/libvirt/libvirt-admi= n.h index abf2792926..3edc044490 100644 --- a/include/libvirt/libvirt-admin.h +++ b/include/libvirt/libvirt-admin.h
@@ -392,6 +392,14 @@ int virAdmClientClose(virAdmClientPtr client, unsigned= int flags); =20 # define VIR_SERVER_CLIENTS_UNAUTH_CURRENT "nclients_unauth" =20 +/* tls related filetype flags. */ +typedef enum { + VIR_TLS_FILE_TYPE_CA_CERT =3D (1U << 0), + VIR_TLS_FILE_TYPE_CA_CRL =3D (1U << 1), + VIR_TLS_FILE_TYPE_SERVER_CERT =3D (1U << 2), + VIR_TLS_FILE_TYPE_SERVER_KEY =3D (1U << 3), +} virServerTlsFiletype; + int virAdmServerGetClientLimits(virAdmServerPtr srv, virTypedParameterPtr *params, int *nparams, diff --git a/src/libvirt_remote.syms b/src/libvirt_remote.syms index 0493467f46..0018a0c41d 100644 --- a/src/libvirt_remote.syms +++ b/src/libvirt_remote.syms @@ -137,6 +137,7 @@ virNetServerSetClientLimits; virNetServerSetThreadPoolParameters; virNetServerSetTLSContext; virNetServerUpdateServices; +virNetServerUpdateTlsFiles; =20 =20 # rpc/virnetserverclient.h diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c index c87dade1a8..65ec677d0a 100644 --- a/src/rpc/virnetserver.c +++ b/src/rpc/virnetserver.c 
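Review bot: the new public enum does not follow the naming of the header it is added to. The surrounding admin constants use the VIR_SERVER_ prefix (VIR_SERVER_CLIENTS_UNAUTH_CURRENT is two lines above the hunk), while the new values are VIR_TLS_FILE_TYPE_* and the type is virServerTlsFiletype; VIR_SERVER_TLS_FILE_CA_CERT and friends would stay inside the existing namespace. A public header also needs a documentation comment per value saying which file each bit reloads, and that the SERVER_CERT and SERVER_KEY bits must be passed together, which virNetServerUpdateTlsFiles in this same patch enforces but nothing here tells an API user.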
@@ -1207,3 +1207,75 @@ virNetServerSetClientLimits(virNetServerPtr srv, virObjectUnlock(srv); return ret; } + +static virNetTLSContextPtr +virNetServerGetTLSContext(virNetServerPtr srv) +{ + size_t i; + virNetTLSContextPtr ctxt =3D NULL; + virNetServerServicePtr svc =3D NULL; + + /* find svcTLS from srv, get svcTLS->tls */ + for (i =3D 0; i < srv->nservices; i++) { + svc =3D srv->services[i]; + ctxt =3D virNetServerServiceGetTLSContext(svc); + if (ctxt !=3D NULL) + break; + } + + return ctxt; +} + +static int virNetServerUpdateTlsFilesCheckParams(unsigned int filetypes) +{ + bool haveSrvCert =3D filetypes & VIR_TLS_FILE_TYPE_SERVER_CERT; + bool haveSrvKey =3D filetypes & VIR_TLS_FILE_TYPE_SERVER_KEY; + + if ((haveSrvCert && !haveSrvKey) || + (!haveSrvCert && haveSrvKey)) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("server cert/key must be updated together. " + "filetypes: %d"), filetypes); + return -1; + } + + return 0; +} + +int +virNetServerUpdateTlsFiles(virNetServerPtr srv, + unsigned int filetypes) +{ + int ret =3D -1; +#ifndef WITH_GNUTLS + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Don't support GNUTLS, can't to update filetypes: %d"= ), + filetypes); +#else + virNetTLSContextPtr ctxt =3D NULL; + + if (virNetServerUpdateTlsFilesCheckParams(filetypes)) + return -1; + + virObjectLock(srv); + + ctxt =3D virNetServerGetTLSContext(srv); + if (!ctxt) { + VIR_ERROR(_("no tls svc found, can't to update filetypes: %d"), + filetypes); + goto cleanup; + } + + if (virNetTLSContextReload(ctxt, filetypes)) { + VIR_ERROR(_("reload server's tls context fail")); + goto cleanup; + } + + VIR_INFO("update all tls files complete, filetypes: %d", filetypes); + ret =3D 0; + + cleanup: + virObjectUnlock(srv); +#endif + return ret; +} diff --git a/src/rpc/virnetserver.h b/src/rpc/virnetserver.h index 260c99b22d..99466dd041 100644 --- a/src/rpc/virnetserver.h +++ b/src/rpc/virnetserver.h 
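Review bot: virNetServerUpdateTlsFiles can fail without reporting a libvirt error. The "no tls svc found" branch and the virNetTLSContextReload failure branch use VIR_ERROR, which only writes to the log, so an admin client would get -1 back with no error object set in the first case (the reload helpers do report their own failures); use virReportError in both. In virNetServerUpdateTlsFilesCheckParams, a cert bit without the key bit is a caller error, so VIR_ERR_INVALID_ARG fits better than VIR_ERR_SYSTEM_ERROR, filetypes is unsigned and should be printed with %u rather than %d, and the check should also reject bits outside the four VIR_TLS_FILE_TYPE_* values and a zero mask, which currently passes the check, reloads nothing and returns success with "update all tls files complete" logged. The two messages reading "can't to update" should be "can't update".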
@@ -133,3 +133,6 @@ size_t virNetServerGetCurrentUnauthClients(virNetServer= Ptr srv); int virNetServerSetClientLimits(virNetServerPtr srv, long long int maxClients, long long int maxClientsUnauth); + +int virNetServerUpdateTlsFiles(virNetServerPtr srv, + unsigned int filetypes); diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c index 67b3bf9531..f0952cadde 100644 --- a/src/rpc/virnetserverclient.c +++ b/src/rpc/virnetserverclient.c @@ -1117,7 +1117,9 @@ int virNetServerClientInit(virNetServerClientPtr clie= nt) client->tls); =20 /* Begin the TLS handshake. */ + virObjectLock(client->tlsCtxt); ret =3D virNetTLSSessionHandshake(client->tls); + virObjectUnlock(client->tlsCtxt); if (ret =3D=3D 0) { /* Unlikely, but ... Next step is to check the certificate. */ if (virNetServerClientCheckAccess(client) < 0) @@ -1438,7 +1440,9 @@ virNetServerClientDispatchHandshake(virNetServerClien= tPtr client) { int ret; /* Continue the handshake. */ + virObjectLock(client->tlsCtxt); ret =3D virNetTLSSessionHandshake(client->tls); + virObjectUnlock(client->tlsCtxt); if (ret =3D=3D 0) { /* Finished. Next step is to check the certificate. */ if (virNetServerClientCheckAccess(client) < 0) diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 12811bed78..8baa6a15b2 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c 
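Review bot: the two new virObjectLock(client->tlsCtxt) / virObjectUnlock(client->tlsCtxt) pairs need a comment saying why they are there; nothing in the hunk records that the lock serialises the handshake against virNetTLSContextReload, which replaces the credentials the session reads while the handshake runs. It would also be cleaner to keep the locking inside virnettlscontext.c, for example a variant of virNetTLSSessionHandshake that locks the context around the handshake step, instead of having the client code reach into the context's lock at two call sites, where a later caller can forget it.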
@@ -1139,6 +1139,47 @@ void virNetTLSContextDispose(void *obj) gnutls_certificate_free_credentials(ctxt->x509cred); } =20 +int virNetTLSContextReload(virNetTLSContextPtr ctxt, + unsigned int filetypes) +{ + int ret =3D -1; + char *cacert =3D NULL; + char *cacrl =3D NULL; + char *cert =3D NULL; + char *key =3D NULL; + + virObjectLock(ctxt); + + if (virNetTLSContextLocateCredentials(NULL, false, true, + &cacert, &cacrl, &cert, &key) < = 0) + goto cleanup; + + if (filetypes & VIR_TLS_FILE_TYPE_CA_CERT) { + if (virNetTLSContextSetCACert(ctxt, cacert, false)) + goto cleanup; + } + + if (filetypes & VIR_TLS_FILE_TYPE_CA_CRL) { + if (virNetTLSContextSetCACRL(ctxt, cacrl, false)) + goto cleanup; + } + + if (filetypes & VIR_TLS_FILE_TYPE_SERVER_CERT) { + gnutls_certificate_free_keys(ctxt->x509cred); + if (virNetTLSContextSetCertAndKey(ctxt, cert, key, false)) + goto cleanup; + } + + ret =3D 0; + + cleanup: + virObjectUnlock(ctxt); + VIR_FREE(cacert); + VIR_FREE(cacrl); + VIR_FREE(key); + VIR_FREE(cert); + return ret; +} =20 static ssize_t virNetTLSSessionPush(void *opaque, const void *buf, size_t len) diff --git a/src/rpc/virnettlscontext.h b/src/rpc/virnettlscontext.h index f3273bc26a..9e83caf255 100644 --- a/src/rpc/virnettlscontext.h +++ b/src/rpc/virnettlscontext.h 
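Review bot: the VIR_TLS_FILE_TYPE_SERVER_CERT branch calls gnutls_certificate_free_keys before virNetTLSContextSetCertAndKey, so if the new cert or key file is missing, unreadable or mismatched the context is left with no server key at all and every later handshake fails until another reload succeeds. Load the new pair first, or into a fresh credentials object, and discard the old one only on success. Two further points. gnutls_certificate_set_x509_trust_file and gnutls_certificate_set_x509_crl_file append to the existing CA and CRL lists rather than replacing them, so the CA_CERT and CA_CRL branches leave a rotated-out CA trusted unless gnutls_certificate_free_cas / gnutls_certificate_free_crls is called first. And virNetTLSContextLocateCredentials is called with a NULL pkipath, so the reload always reads the default PKI locations even when the context was created from other paths; the paths the context was built with should be stored in it and reused here. Smaller items: the CRL is loaded with allowMissing false here but true in virNetTLSContextLoadCredentials, the reloaded files skip virNetTLSContextSanityCheckCredentials (visible in patch 1's context) that the initial files go through, and the helper results are tested without < 0.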
@@ -65,6 +65,8 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char = *cacert, int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt, virNetTLSSessionPtr sess); =20 +int virNetTLSContextReload(virNetTLSContextPtr ctxt, + unsigned int filetypes); =20 typedef ssize_t (*virNetTLSSessionWriteFunc)(const char *buf, size_t len, void *opaque); --=20 2.23.0.windows.1
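The reload that virNetServerUpdateTlsFiles and virNetTLSContextReload implement above is one instance of a general pattern: a server swapping its TLS credentials at runtime without restarting and without disturbing handshakes already in flight. The following is an added example and not libvirt code. It uses Go's crypto/tls rather than GnuTLS, so CredentialStore, Reload, CurrentSubject, TLSConfig and SelfSignedPEM, and the certificate subjects old-server and new-server, are this example's own names, and the self-signed certificates it handles are generated in-process as constructed test data. It shows the ordering a reviewer would ask for from the patch: the new key is checked against the new certificate, the certificate against its expiry and the CA bundle for parsability before anything is replaced, the swap happens under a lock in one step, and the CA pool is rebuilt rather than appended to, so a failed reload keeps the previous credentials active and a rotated-out CA stops being trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// CredentialStore is the TLS material handed to new handshakes; readers hold
// the shared lock and Reload takes the exclusive lock only for the swap.
type CredentialStore struct {
	mu   sync.RWMutex
	cert *tls.Certificate
	cas  *x509.CertPool
}

// Reload validates cert, key and CA bundle before swapping them in, so a bad
// file leaves the old credentials active instead of a keyless server.
func (s *CredentialStore) Reload(certPEM, keyPEM, caPEM []byte) error {
	// X509KeyPair fails if the private key does not match the certificate.
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("cert/key rejected, keeping old credentials: %w", err)
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return err
	}
	if time.Now().After(leaf.NotAfter) { // X509KeyPair does not check validity dates
		return fmt.Errorf("cert %q is expired, keeping old credentials", leaf.Subject.CommonName)
	}
	cert.Leaf = leaf
	// A fresh pool, not an append: a rotated-out CA must stop being trusted.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("CA bundle has no parsable certificate, keeping old credentials")
	}
	s.mu.Lock()
	s.cert, s.cas = &cert, pool
	s.mu.Unlock()
	return nil
}

// CurrentSubject reports which certificate new handshakes will be given.
func (s *CredentialStore) CurrentSubject() string {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.cert.Leaf.Subject.CommonName
}

// TLSConfig resolves the credentials per handshake: a reload applies to the
// next connection, while a handshake in progress keeps what it was given.
func (s *CredentialStore) TLSConfig() *tls.Config {
	return &tls.Config{
		GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
			s.mu.RLock()
			defer s.mu.RUnlock()
			return &tls.Config{
				Certificates: []tls.Certificate{*s.cert},
				ClientAuth:   tls.RequireAndVerifyClientCert,
				ClientCAs:    s.cas,
			}, nil
		},
	}
}

// SelfSignedPEM generates throwaway self-signed material, constructed test
// data for this example; a deployment loads PEM files issued by its PKI.
func SelfSignedPEM(cn string, notAfter time.Time) (certPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a fresh P-256 key
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	store := &CredentialStore{}
	oldCert, oldKey := SelfSignedPEM("old-server", time.Now().Add(24*time.Hour))
	newCert, newKey := SelfSignedPEM("new-server", time.Now().Add(24*time.Hour))
	fmt.Println(store.Reload(oldCert, oldKey, oldCert), store.CurrentSubject())
	fmt.Println(store.Reload(newCert, newKey, newCert), store.CurrentSubject())
	fmt.Println(store.Reload(newCert, oldKey, newCert), store.CurrentSubject()) // error; still new-server
}
```

Running it prints the mismatched-key rejection while new-server stays the active certificate. The same sequence maps onto GnuTLS: read the new files into a second gnutls_certificate_credentials_t (or validate them) and only then free the old keys and CA/CRL lists, instead of calling gnutls_certificate_free_keys before the replacement file has been read.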
From: Zhang Bo
Subject: [PATCH 3/6] admin: Introduce virAdmServerUpdateTlsFiles
Date: Sun, 9 Feb 2020 22:03:13 +0800
Message-ID: <20200209140316.3107-4-oscar.zhangbo@huawei.com>
In-Reply-To: <20200209140316.3107-1-oscar.zhangbo@huawei.com>
References: <20200209140316.3107-1-oscar.zhangbo@huawei.com>
Cc: Zhang Bo, dengkai1@huawei.com, wuqingliang4@huawei.com

The server needs the CA certificate, CRL and server certificate/key to complete the TLS handshake. If these files change, we need to restart libvirtd for them to take effect. This API can update the TLS context without restarting libvirtd.

---
 include/libvirt/libvirt-admin.h | 4 ++++
 src/admin/admin_protocol.x | 13 ++++++++++-
 src/admin/admin_server.c | 13 +++++++++++
 src/admin/admin_server.h | 4 ++++
 src/admin/libvirt-admin.c | 34 ++++++++++++++++++++++++++++
 src/admin/libvirt_admin_private.syms | 1 +
 src/admin/libvirt_admin_public.syms | 1 +
 7 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/include/libvirt/libvirt-admin.h b/include/libvirt/libvirt-admi= n.h index 3edc044490..6e38261129 100644 --- a/include/libvirt/libvirt-admin.h
+++ b/include/libvirt/libvirt-admin.h @@ -410,6 +410,10 @@ int virAdmServerSetClientLimits(virAdmServerPtr srv, int nparams, unsigned int flags); =20 +int virAdmServerUpdateTlsFiles(virAdmServerPtr srv, + unsigned int filetypes, + unsigned int flags); + int virAdmConnectGetLoggingOutputs(virAdmConnectPtr conn, char **outputs, unsigned int flags); diff --git a/src/admin/admin_protocol.x b/src/admin/admin_protocol.x index 42e215d23a..0fc8c54c80 100644 --- a/src/admin/admin_protocol.x +++ b/src/admin/admin_protocol.x @@ -181,6 +181,12 @@ struct admin_server_set_client_limits_args { unsigned int flags; }; =20 +struct admin_server_update_tls_files_args { + admin_nonnull_server srv; + unsigned int filetypes; + unsigned int flags; +}; + struct admin_connect_get_logging_outputs_args { unsigned int flags; }; @@ -314,5 +320,10 @@ enum admin_procedure { /** * @generate: both */ - ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS =3D 17 + ADMIN_PROC_CONNECT_SET_LOGGING_FILTERS =3D 17, + + /** + * @generate: both + */ + ADMIN_PROC_SERVER_UPDATE_TLS_FILES =3D 18 }; diff --git a/src/admin/admin_server.c b/src/admin/admin_server.c index ba87f701c3..558913367b 100644 --- a/src/admin/admin_server.c +++ b/src/admin/admin_server.c @@ -367,3 +367,16 @@ adminServerSetClientLimits(virNetServerPtr srv, =20 return 0; } + +int +adminServerUpdateTlsFiles(virNetServerPtr srv, + unsigned int filetypes, + unsigned int flags) +{ + virCheckFlags(0, -1); + + if (virNetServerUpdateTlsFiles(srv, filetypes) < 0) + return -1; + + return 0; +} diff --git a/src/admin/admin_server.h b/src/admin/admin_server.h index 1d5cbec55f..bd355017f2 100644 --- a/src/admin/admin_server.h +++ b/src/admin/admin_server.h @@ -67,3 +67,7 @@ int adminServerSetClientLimits(virNetServerPtr srv, virTypedParameterPtr params, int nparams, unsigned int flags); + +int adminServerUpdateTlsFiles(virNetServerPtr srv, + unsigned int filetypes, + unsigned int flags); 
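Review bot: adminServerUpdateTlsFiles validates @flags with virCheckFlags(0, -1) but passes @filetypes straight through to virNetServerUpdateTlsFiles. The admin entry point is the place to reject an unknown bit or a zero mask with VIR_ERR_INVALID_ARG, before the request reaches the RPC server layer; as written only the cert-without-key case is caught, and that one deeper down. The new ADMIN_PROC_SERVER_UPDATE_TLS_FILES = 18 with @generate: both and the admin_server_update_tls_files_args struct look right, but the struct's filetypes member should carry a comment saying it is a bitwise-OR of the enum added to libvirt-admin.h in the previous patch.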
diff --git a/src/admin/libvirt-admin.c b/src/admin/libvirt-admin.c index 4099a54854..f3f92ed91c 100644 --- a/src/admin/libvirt-admin.c +++ b/src/admin/libvirt-admin.c @@ -1082,6 +1082,40 @@ virAdmServerSetClientLimits(virAdmServerPtr srv, return ret; } =20 +/** + * virAdmServerUpdateTlsFiles: + * @srv: a valid server object reference + * @filetypes: bitwise-OR of virServerTlsFiletype + * @flags: extra flags; not used yet, so callers should always pass 0 + * + * Notify server to update tls file, such as cacert, cacrl, server cert / = key. + * Mark the files that need to be updated by the @filetypes parameter. + * See virServerTlsFiletype for detailed description of accepted filetypes. + * + * Returns 0 if the TLS files have been updated successfully or -1 in case= of an + * error. + */ +int +virAdmServerUpdateTlsFiles(virAdmServerPtr srv, + unsigned int filetypes, + unsigned int flags) +{ + int ret =3D -1; + + VIR_DEBUG("srv=3D%p, filetypes=3D%u, flags=3D0x%x", srv, filetypes, fl= ags); + virResetLastError(); + + virCheckAdmServerGoto(srv, error); + + if ((ret =3D remoteAdminServerUpdateTlsFiles(srv, filetypes, flags)) <= 0) + goto error; + + return ret; + error: + virDispatchError(NULL); + return ret; +} + /** * virAdmConnectGetLoggingOutputs: * @conn: pointer to an active admin connection diff --git a/src/admin/libvirt_admin_private.syms b/src/admin/libvirt_admin= _private.syms index 9526412de8..157a45341e 100644 --- a/src/admin/libvirt_admin_private.syms +++ b/src/admin/libvirt_admin_private.syms @@ -31,6 +31,7 @@ xdr_admin_server_lookup_client_args; xdr_admin_server_lookup_client_ret; xdr_admin_server_set_client_limits_args; xdr_admin_server_set_threadpool_parameters_args; +xdr_admin_server_update_tls_files_args; =20 # datatypes.h virAdmClientClass; diff --git a/src/admin/libvirt_admin_public.syms b/src/admin/libvirt_admin_= public.syms index 9a3f843780..8126973e5b 100644 --- a/src/admin/libvirt_admin_public.syms +++ b/src/admin/libvirt_admin_public.syms 
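Review bot: the doc comment for virAdmServerUpdateTlsFiles should tell callers what the server actually does: which files are re-read for each bit, that VIR_TLS_FILE_TYPE_SERVER_CERT and VIR_TLS_FILE_TYPE_SERVER_KEY must be passed together (virNetServerUpdateTlsFilesCheckParams in the previous patch rejects one without the other), and that connections already established are not affected. "Notify server to update tls file, such as cacert, cacrl, server cert / key" also reads better as "Ask the server to reload its TLS files (CA certificate, CRL, server certificate and key)". The ret handling itself is fine: the remote call's result is returned as-is and virDispatchError runs only on the error path.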
@@ -38,6 +38,7 @@ LIBVIRT_ADMIN_2.0.0 { virAdmClientClose; virAdmServerGetClientLimits; virAdmServerSetClientLimits; + virAdmServerUpdateTlsFiles; }; =20 LIBVIRT_ADMIN_3.0.0 { --=20 2.23.0.windows.1 From nobody Mon Feb 9 07:47:15 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 207.211.31.81 as permitted sender) client-ip=207.211.31.81; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-1.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.81 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com [207.211.31.81]) by mx.zohomail.com with SMTPS id 1581257319616157.3302510123217; Sun, 9 Feb 2020 06:08:39 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-207-Zm47jT4QO7iLP2gNOU3uJw-1; Sun, 09 Feb 2020 09:06:17 -0500 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 24FD7184AEA3; Sun, 9 Feb 2020 14:06:12 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id F3EB460BEC; Sun, 9 Feb 2020 14:06:11 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id A5C6718089CF; Sun, 9 Feb 2020 14:06:11 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 019E45u9018742 for ; Sun, 9 Feb 2020 09:04:05 -0500 Received: 
From: Zhang Bo To: Subject: [PATCH 4/6] admin: support server cert update mode Date: Sun, 9 Feb 2020 22:03:14 +0800 Message-ID: <20200209140316.3107-5-oscar.zhangbo@huawei.com> In-Reply-To: <20200209140316.3107-1-oscar.zhangbo@huawei.com> References: <20200209140316.3107-1-oscar.zhangbo@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.133.210.227] X-CFilter-Loop: Reflected X-MC-Unique: VKuGt1-rOHqTHekkCDXAJA-1 X-MC-Unique: Zm47jT4QO7iLP2gNOU3uJw-1 X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-MIME-Autoconverted: from quoted-printable to 8bit by lists01.pubmisc.prod.ext.phx2.redhat.com id 019E45u9018742 X-loop: libvir-list@redhat.com Cc: Zhang Bo , dengkai1@huawei.com, wuqingliang4@huawei.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" virAdmServerUpdateTlsFiles: @flags specifies how to update server cert/key in tls service. Two modes are currently supported: append mode and clear mode, means whether to clear the original cert then add the new one, or just append to the original one. --- include/libvirt/libvirt-admin.h | 14 ++++++++++++++ src/admin/admin_server.c | 7 +------ src/admin/libvirt-admin.c | 7 ++++++- src/rpc/virnetserver.c | 17 +++++++++++++---- src/rpc/virnetserver.h | 3 ++- src/rpc/virnettlscontext.c | 7 +++++-- src/rpc/virnettlscontext.h | 3 ++- 7 files changed, 43 insertions(+), 15 deletions(-) diff --git a/include/libvirt/libvirt-admin.h b/include/libvirt/libvirt-admi= n.h index 6e38261129..dfdd81ae83 100644 --- a/include/libvirt/libvirt-admin.h 
+++ b/include/libvirt/libvirt-admin.h @@ -392,6 +392,20 @@ int virAdmClientClose(virAdmClientPtr client, unsigned= int flags); =20 # define VIR_SERVER_CLIENTS_UNAUTH_CURRENT "nclients_unauth" =20 +typedef enum { + /* free old credentials and then set new tls context. + */ + VIR_TLS_UPDATE_CLEAR =3D 0, + + /* do not clear original certificates and keys. + */ + VIR_TLS_UPDATE_APPEND =3D 1, + + /* boundary value for flag check (unreachable). + */ + VIR_TLS_UPDATE_FLAG_MAX =3D 2, +} virServerTlsUpdateFlag; + /* tls related filetype flags. */ typedef enum { VIR_TLS_FILE_TYPE_CA_CERT =3D (1U << 0), diff --git a/src/admin/admin_server.c b/src/admin/admin_server.c index 558913367b..43c7e00d90 100644 --- a/src/admin/admin_server.c +++ b/src/admin/admin_server.c @@ -373,10 +373,5 @@ adminServerUpdateTlsFiles(virNetServerPtr srv, unsigned int filetypes, unsigned int flags) { - virCheckFlags(0, -1); - - if (virNetServerUpdateTlsFiles(srv, filetypes) < 0) - return -1; - - return 0; + return virNetServerUpdateTlsFiles(srv, filetypes, flags); } diff --git a/src/admin/libvirt-admin.c b/src/admin/libvirt-admin.c index f3f92ed91c..b6ba72b577 100644 --- a/src/admin/libvirt-admin.c +++ b/src/admin/libvirt-admin.c 
@@ -1086,12 +1086,17 @@ virAdmServerSetClientLimits(virAdmServerPtr srv, * virAdmServerUpdateTlsFiles: * @srv: a valid server object reference * @filetypes: bitwise-OR of virServerTlsFiletype - * @flags: extra flags; not used yet, so callers should always pass 0 + * @flags: mode that specifies the update method * * Notify server to update tls file, such as cacert, cacrl, server cert / = key. * Mark the files that need to be updated by the @filetypes parameter. * See virServerTlsFiletype for detailed description of accepted filetypes. * + * @flags specifies how to update server cert/key in tls service, + * and is either the value VIR_TLS_UPDATE_APPEND, or VIR_TLS_UPDATE_CLEAR. + * The default value is VIR_TLS_UPDATE_CLEAR. See virServerTlsUpdateFlag f= or + * detailed description. + * * Returns 0 if the TLS files have been updated successfully or -1 in case= of an * error. */ diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c index 65ec677d0a..72c4d37bc6 100644 --- a/src/rpc/virnetserver.c +++ b/src/rpc/virnetserver.c @@ -1226,7 +1226,8 @@ virNetServerGetTLSContext(virNetServerPtr srv) return ctxt; } =20 -static int virNetServerUpdateTlsFilesCheckParams(unsigned int filetypes) +static int virNetServerUpdateTlsFilesCheckParams(unsigned int filetypes, + unsigned int flags) { bool haveSrvCert =3D filetypes & VIR_TLS_FILE_TYPE_SERVER_CERT; bool haveSrvKey =3D filetypes & VIR_TLS_FILE_TYPE_SERVER_KEY; @@ -1239,12 +1240,20 @@ static int virNetServerUpdateTlsFilesCheckParams(un= signed int filetypes) return -1; } =20 + if (flags >=3D VIR_TLS_UPDATE_FLAG_MAX) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("don not support flags: %d"), + flags); + return -1; + } + return 0; } =20 int virNetServerUpdateTlsFiles(virNetServerPtr srv, - unsigned int filetypes) + unsigned int filetypes, + unsigned int flags) { int ret =3D -1; #ifndef WITH_GNUTLS 
@@ -1254,7 +1263,7 @@ virNetServerUpdateTlsFiles(virNetServerPtr srv, #else virNetTLSContextPtr ctxt =3D NULL; =20 - if (virNetServerUpdateTlsFilesCheckParams(filetypes)) + if (virNetServerUpdateTlsFilesCheckParams(filetypes, flags)) return -1; =20 virObjectLock(srv); @@ -1266,7 +1275,7 @@ virNetServerUpdateTlsFiles(virNetServerPtr srv, goto cleanup; } =20 - if (virNetTLSContextReload(ctxt, filetypes)) { + if (virNetTLSContextReload(ctxt, filetypes, flags)) { VIR_ERROR(_("reload server's tls context fail")); goto cleanup; } diff --git a/src/rpc/virnetserver.h b/src/rpc/virnetserver.h index 99466dd041..1a905aa483 100644 --- a/src/rpc/virnetserver.h +++ b/src/rpc/virnetserver.h @@ -135,4 +135,5 @@ int virNetServerSetClientLimits(virNetServerPtr srv, long long int maxClientsUnauth); =20 int virNetServerUpdateTlsFiles(virNetServerPtr srv, - unsigned int filetypes); + unsigned int filetypes, + unsigned int flags); diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 8baa6a15b2..a66aaece69 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -1140,7 +1140,8 @@ void virNetTLSContextDispose(void *obj) } =20 int virNetTLSContextReload(virNetTLSContextPtr ctxt, - unsigned int filetypes) + unsigned int filetypes, + unsigned int flags) { int ret =3D -1; char *cacert =3D NULL; @@ -1165,7 +1166,9 @@ int virNetTLSContextReload(virNetTLSContextPtr ctxt, } =20 if (filetypes & VIR_TLS_FILE_TYPE_SERVER_CERT) { - gnutls_certificate_free_keys(ctxt->x509cred); + if (flags =3D=3D VIR_TLS_UPDATE_CLEAR) + gnutls_certificate_free_keys(ctxt->x509cred); + if (virNetTLSContextSetCertAndKey(ctxt, cert, key, false)) goto cleanup; } diff --git a/src/rpc/virnettlscontext.h b/src/rpc/virnettlscontext.h index 9e83caf255..929487af99 100644 --- a/src/rpc/virnettlscontext.h +++ b/src/rpc/virnettlscontext.h 
@@ -66,7 +66,8 @@ int virNetTLSContextCheckCertificate(virNetTLSContextPtr = ctxt, virNetTLSSessionPtr sess); =20 int virNetTLSContextReload(virNetTLSContextPtr ctxt, - unsigned int filetypes); + unsigned int filetypes, + unsigned int flags); =20 typedef ssize_t (*virNetTLSSessionWriteFunc)(const char *buf, size_t len, void *opaque); --=20 2.23.0.windows.1 From nobody Mon Feb 9 07:47:15 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) client-ip=205.139.110.61; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-1.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com [205.139.110.61]) by mx.zohomail.com with SMTPS id 158125732231581.88445627254384; Sun, 9 Feb 2020 06:08:42 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-344-oW1nFUU7PUyIqifsprKTLw-1; Sun, 09 Feb 2020 09:06:13 -0500 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 5F8AF107ACC9; Sun, 9 Feb 2020 14:06:08 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3A7DD5C21B; Sun, 9 Feb 2020 14:06:08 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id E912318089C8; Sun, 9 Feb 2020 14:06:07 +0000 (UTC) Received: from smtp.corp.redhat.com 
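Review bot: the new enum in include/libvirt/libvirt-admin.h turns @flags into a mode value (VIR_TLS_UPDATE_CLEAR = 0, VIR_TLS_UPDATE_APPEND = 1, checked with `flags >= VIR_TLS_UPDATE_FLAG_MAX`) while the admin_server.c hunk drops `virCheckFlags(0, -1);`, so unknown bits are no longer rejected in the admin layer and VIR_TLS_UPDATE_FLAG_MAX becomes a public API constant. Keep @flags a bitmask like every other public API: define only `VIR_TLS_UPDATE_APPEND = (1 << 0)` (clear is the absence of the bit, which the libvirt-admin.c doc hunk already describes as the default), keep `virCheckFlags(VIR_TLS_UPDATE_APPEND, -1);` in adminServerUpdateTlsFiles so rejection does not depend on the WITH_GNUTLS branch of virNetServerUpdateTlsFiles, and if a sentinel is needed put it under `# ifdef VIR_ENUM_SENTINELS` with the `_LAST` suffix used elsewhere in the public headers.

Review bot: the flags check added to virNetServerUpdateTlsFilesCheckParams reports a caller error as VIR_ERR_SYSTEM_ERROR, has a typo in the message and formats an `unsigned int` with `%d`; use `virReportError(VIR_ERR_INVALID_ARG, _("unsupported flags: %u"), flags);`.

Review bot: in the virnettlscontext.c hunk, `gnutls_certificate_free_keys(ctxt->x509cred)` is now skipped for VIR_TLS_UPDATE_APPEND, so the previously loaded server certificate and private key stay in the credentials alongside the new pair. That is fine for adding a second certificate, but it means append mode cannot retire a compromised or expired key; the comment on VIR_TLS_UPDATE_APPEND in libvirt-admin.h and the libvirt-admin.c doc block should say so explicitly, so an operator rotating after a key compromise knows to use VIR_TLS_UPDATE_CLEAR.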
From: Zhang Bo To: Subject: [PATCH 5/6] virt-admin: Introduce command srv-update-tls Date: Sun, 9 Feb 2020 22:03:15 +0800 Message-ID: <20200209140316.3107-6-oscar.zhangbo@huawei.com> In-Reply-To: <20200209140316.3107-1-oscar.zhangbo@huawei.com> References: <20200209140316.3107-1-oscar.zhangbo@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.133.210.227] X-CFilter-Loop: Reflected X-MC-Unique: emfHLQG7PHyXEQKNAK1FYw-1 X-MC-Unique: oW1nFUU7PUyIqifsprKTLw-1 X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-MIME-Autoconverted: from quoted-printable to 8bit by lists01.pubmisc.prod.ext.phx2.redhat.com id 019E45sf018743 X-loop: libvir-list@redhat.com Cc: Zhang Bo , dengkai1@huawei.com, wuqingliang4@huawei.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" wire-up virAdmServerUpdateTlsFiles API into virt-admin client. --- tools/virt-admin.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/tools/virt-admin.c b/tools/virt-admin.c index 32edfe5757..85235ae03d 100644 --- a/tools/virt-admin.c +++ b/tools/virt-admin.c 
@@ -957,6 +957,84 @@ cmdSrvClientsSet(vshControl *ctl, const vshCmd *cmd) goto cleanup; } =20 +/* ------------------------ + * Command srv-update-tls + * ------------------------ + */ +static const vshCmdInfo info_srv_update_tls_file[] =3D { + {.name =3D "help", + .data =3D N_("notify server to update TLS related files online.") + }, + {.name =3D "desc", + .data =3D N_("notify server to update the CA cert, " + "CA CRL, server cert / key without restarts. " + "See OPTIONS for currently supported attributes.") + }, + {.name =3D NULL} +}; + +static const vshCmdOptDef opts_srv_update_tls_file[] =3D { + {.name =3D "server", + .type =3D VSH_OT_DATA, + .flags =3D VSH_OFLAG_REQ, + .help =3D N_("Available servers on a daemon. " + "Currently only supports 'libvirtd'.") + }, + {.name =3D "filetypes", + .type =3D VSH_OT_INT, + .flags =3D VSH_OFLAG_REQ, + .help =3D N_("filetypes that need to be updated. " + "bitwise-OR of tls filetypes flags.\n" + " parameter Description:\n" + " --filetypes 1 =3D=3D=3D> cacert\n" + " --filetypes 2 =3D=3D=3D> cacrl\n" + " --filetypes 4 =3D=3D=3D> server-cert\n" + " --filetypes 8 =3D=3D=3D> server-key\n" + " or a combination of several values. 
eg:\n" + " --filetypes 3 =3D=3D=3D> cacert | cacrl\n" + " notice:\n" + " server cert and key must be updated together.\n") + }, + {.name =3D NULL} +}; + +static bool +cmdSrvUpdateTlsFiles(vshControl *ctl, const vshCmd *cmd) +{ + bool ret =3D false; + const char *srvname =3D NULL; + unsigned int filetypes; + + virAdmServerPtr srv =3D NULL; + vshAdmControlPtr priv =3D ctl->privData; + + if (vshCommandOptStringReq(ctl, cmd, "server", &srvname) < 0) + return false; + + if (vshCommandOptUInt(ctl, cmd, "filetypes", &filetypes) < 0) + return false; + + if (filetypes =3D=3D 0) { + vshError(ctl, "%s", _("filetypes can not be 0.")); + goto cleanup; + } + + if (!(srv =3D virAdmConnectLookupServer(priv->conn, srvname, 0))) + goto cleanup; + + if (virAdmServerUpdateTlsFiles(srv, filetypes, VIR_TLS_UPDATE_CLEAR) <= 0) { + vshError(ctl, "%s", _("Unable to update server's tls related files= .")); + goto cleanup; + } + + ret =3D true; + vshPrint(ctl, "update tls related files succeed\n"); + + cleanup: + virAdmServerFree(srv); + return ret; +} + /* -------------------------- * Command daemon-log-filters * -------------------------- 
@@ -1436,6 +1514,16 @@ static const vshCmdDef managementCmds[] =3D { .info =3D info_srv_clients_set, .flags =3D 0 }, + {.name =3D "srv-update-tls", + .flags =3D VSH_CMD_FLAG_ALIAS, + .alias =3D "server-update-tls" + }, + {.name =3D "server-update-tls", + .handler =3D cmdSrvUpdateTlsFiles, + .opts =3D opts_srv_update_tls_file, + .info =3D info_srv_update_tls_file, + .flags =3D 0 + }, {.name =3D "daemon-log-filters", .handler =3D cmdDaemonLogFilters, .opts =3D opts_daemon_log_filters, --=20 2.23.0.windows.1 From nobody Mon Feb 9 07:47:15 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) client-ip=205.139.110.61; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-1.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com [205.139.110.61]) by mx.zohomail.com with SMTPS id 1581257319339227.10919961079787; Sun, 9 Feb 2020 06:08:39 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-378-zh8tLE9WMjWyAASs_jX7pw-1; Sun, 09 Feb 2020 09:05:41 -0500 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 764CE1800D42; Sun, 9 Feb 2020 14:05:36 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 141A45C21B; Sun, 9 Feb 2020 14:05:35 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by 
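Review bot: `--filetypes` in opts_srv_update_tls_file takes a raw integer whose meaning is only explained by magic numbers in the help text, and the constraint stated there ("server cert and key must be updated together") is not enforced by the client, which only rejects `filetypes == 0`. Prefer boolean options (`--cacert`, `--cacrl`, `--server-cert`, `--server-key`) that cmdSrvUpdateTlsFiles ORs into the VIR_TLS_FILE_TYPE_* mask; that removes the bit arithmetic from the operator and lets the client report the cert/key pairing error before the call reaches the daemon.

Review bot: cmdSrvUpdateTlsFiles always passes VIR_TLS_UPDATE_CLEAR, so the append mode introduced in patch 4/6 is unreachable from virt-admin; either add an option (for example `--append`) that selects VIR_TLS_UPDATE_APPEND or drop the mode from this series until it has a caller. Also the success message `vshPrint(ctl, "update tls related files succeed\n");` is not marked for translation and is ungrammatical; use `vshPrintExtra(ctl, "%s", _("TLS related files updated successfully\n"));` like the other commands in this file.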
colo-mx.corp.redhat.com (Postfix) with ESMTP id 0D7DA866BC; Sun, 9 Feb 2020 14:05:34 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 019E4AIR018804 for ; Sun, 9 Feb 2020 09:04:10 -0500 Received: by smtp.corp.redhat.com (Postfix) id A997011422DB; Sun, 9 Feb 2020 14:04:10 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A534E11422D9 for ; Sun, 9 Feb 2020 14:04:08 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B4335800185 for ; Sun, 9 Feb 2020 14:04:08 +0000 (UTC) Received: from huawei.com (szxga06-in.huawei.com [45.249.212.32]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-128-lXTAi6SWNJmq9q4c-JJDUA-1; Sun, 09 Feb 2020 09:04:06 -0500 Received: from DGGEMS412-HUB.china.huawei.com (unknown [172.30.72.60]) by Forcepoint Email with ESMTP id 85B7EC0DF97C9AB535C1 for ; Sun, 9 Feb 2020 22:04:01 +0800 (CST) Received: from huawei.com (10.133.210.227) by DGGEMS412-HUB.china.huawei.com (10.3.19.212) with Microsoft SMTP Server id 14.3.439.0; Sun, 9 Feb 2020 22:03:50 +0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1581257143; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=zFNG3rwRbY7Zplow1uQZTKAKtL2B1zcKNKMBEANO0j0=; b=CoTvDVLGX7KObU92qQ7lmj8jxVFmN0CT8b5P1DgvlBH2uRewjpAbVtnQWd/Egd4Lau/d6+ 
8eWsKc7xstsqXxxbCgsihz64jUJAM3Irc+pNWWIC4hxh4XypKrX82c902VY21bdmhRHgUf rxXaqRJkO3z6Y3b1kC2zielR7vyS/n8= From: Zhang Bo To: Subject: [PATCH 6/6] docs: update virt-admin.rst for server-update-tls Date: Sun, 9 Feb 2020 22:03:16 +0800 Message-ID: <20200209140316.3107-7-oscar.zhangbo@huawei.com> In-Reply-To: <20200209140316.3107-1-oscar.zhangbo@huawei.com> References: <20200209140316.3107-1-oscar.zhangbo@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.133.210.227] X-CFilter-Loop: Reflected X-MC-Unique: lXTAi6SWNJmq9q4c-JJDUA-1 X-MC-Unique: zh8tLE9WMjWyAASs_jX7pw-1 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-MIME-Autoconverted: from quoted-printable to 8bit by lists01.pubmisc.prod.ext.phx2.redhat.com id 019E4AIR018804 X-loop: libvir-list@redhat.com Cc: Zhang Bo , dengkai1@huawei.com, wuqingliang4@huawei.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" Update the manpage for the 'server-update-tls' command --- docs/manpages/virt-admin.rst | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/manpages/virt-admin.rst b/docs/manpages/virt-admin.rst index 51c3d3917e..e19d1f1577 100644 --- a/docs/manpages/virt-admin.rst +++ b/docs/manpages/virt-admin.rst 
@@ -442,6 +442,27 @@ Set new client-related limits on *server*. *--max-clients*. =20 =20 +server-update-tls +----------------- + +**Syntax:** + +.. code-block:: + + server-update-tls server [--filetypes types] + +Update tls context on *server*. + +- *server* + + Available servers on a daemon. Currently only supports 'libvirtd'. + +- *--filetypes* + + Indicate which TLS related files need to be updated, such as CA cert, CA= CRL, + server cert/key. ``types`` is bitwise-OR of tls related files. + + CLIENT COMMANDS =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 --=20 2.23.0.windows.1
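Review bot: the syntax line `server-update-tls server [--filetypes types]` presents `--filetypes` as optional, but opts_srv_update_tls_file in patch 5/6 marks it VSH_OFLAG_REQ; make the manpage match (`server-update-tls server --filetypes types`). The description of *--filetypes* should also list the bit values accepted by the command (1 cacert, 2 cacrl, 4 server-cert, 8 server-key), state that server cert and key must be updated together, and say that the loaded server certificate and key are replaced, so an administrator rotating credentials knows what the command does without reading the command's help text; "tls" should be written "TLS" as in the rest of the document.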