From: Zhang Bo
Subject: [PATCH 1/6] virnettlscontext: refactoring virNetTLSContextLoadCredentials
Date: Sun, 9 Feb 2020 22:03:11 +0800
Message-ID: <20200209140316.3107-2-oscar.zhangbo@huawei.com>
In-Reply-To: <20200209140316.3107-1-oscar.zhangbo@huawei.com>
References: <20200209140316.3107-1-oscar.zhangbo@huawei.com>
Cc: Zhang Bo , dengkai1@huawei.com, wuqingliang4@huawei.com
List-Id: Development discussions about the libvirt library & tools

Encapsulate the code for setting TLS-related files into functions, which is convenient for other modules to call.
---
 src/rpc/virnettlscontext.c | 135 ++++++++++++++++++++++---------------
 1 file changed, 82 insertions(+), 53 deletions(-)

diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 44f0dfce77..12811bed78 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -594,6 +594,85 @@ static int virNetTLSContextSanityCheckCredentials(bool= isServer, return ret; } =20 +static int virNetTLSContextSetCACert(virNetTLSContextPtr ctxt, + const char *cacert, + bool allowMissing) +{ + int err; + if (virNetTLSContextCheckCertFile("CA certificate", cacert, allowMissi= ng) < 0) + return -1; + + VIR_DEBUG("loading CA cert from %s", cacert); + err =3D gnutls_certificate_set_x509_trust_file(ctxt->x509cred, + cacert, + GNUTLS_X509_FMT_PEM); + if (err < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to set x509 CA certificate: %s: %s"), + cacert, gnutls_strerror(err)); + return -1; + } + + return 0; +} + +static int virNetTLSContextSetCACRL(virNetTLSContextPtr ctxt, + const char *cacrl, + bool allowMissing) +{ + int rv, err; + if ((rv =3D virNetTLSContextCheckCertFile("CA revocation list", cacrl,= allowMissing)) < 0) + return -1; + + if (rv =3D=3D 0) { + VIR_DEBUG("loading CRL from %s", cacrl); + err =3D gnutls_certificate_set_x509_crl_file(ctxt->x509cred, + cacrl, + GNUTLS_X509_FMT_PEM); + if (err < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to set x509 certificate revocation li= st: %s: %s"), + cacrl, gnutls_strerror(err)); + return -1; + } + } else { + VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl); + } + + return 0; +} + +static int virNetTLSContextSetCertAndKey(virNetTLSContextPtr ctxt, + const char *cert, + const char *key, + bool allowMissing) +{ + int rv, err; + if ((rv =3D virNetTLSContextCheckCertFile("certificate", cert, allowMi= ssing)) < 0) + return -1; + if (rv =3D=3D 0 && + (rv =3D virNetTLSContextCheckCertFile("private key", key, allowMis= sing)) < 0) + return -1; + + if (rv =3D=3D 0) { + VIR_DEBUG("loading cert and key from %s and %s", cert, key); + err =3D + gnutls_certificate_set_x509_key_file(ctxt->x509cred, + cert, key, + GNUTLS_X509_FMT_PEM); + if (err < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to set x509 key and certificate: %s, = %s: %s"), + key, cert, gnutls_strerror(err)); 
+ return -1; + } + } else { + VIR_DEBUG("Skipping non-existent cert %s key %s on client", + cert, key); + } + + return 0; +} =20 static int virNetTLSContextLoadCredentials(virNetTLSContextPtr ctxt, bool isServer, 
@@ -602,69 +681,19 @@ static int virNetTLSContextLoadCredentials(virNetTLSC= ontextPtr ctxt, const char *cert, const char *key) { - int err; - if (cacert && cacert[0] !=3D '\0') { - if (virNetTLSContextCheckCertFile("CA certificate", cacert, false)= < 0) - return -1; - - VIR_DEBUG("loading CA cert from %s", cacert); - err =3D gnutls_certificate_set_x509_trust_file(ctxt->x509cred, - cacert, - GNUTLS_X509_FMT_PEM); - if (err < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to set x509 CA certificate: %s: %s"), - cacert, gnutls_strerror(err)); + if (virNetTLSContextSetCACert(ctxt, cacert, false)) return -1; - } } =20 if (cacrl && cacrl[0] !=3D '\0') { - int rv; - if ((rv =3D virNetTLSContextCheckCertFile("CA revocation list", ca= crl, true)) < 0) + if (virNetTLSContextSetCACRL(ctxt, cacrl, true)) return -1; - - if (rv =3D=3D 0) { - VIR_DEBUG("loading CRL from %s", cacrl); - err =3D gnutls_certificate_set_x509_crl_file(ctxt->x509cred, - cacrl, - GNUTLS_X509_FMT_PEM= ); - if (err < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to set x509 certificate revocatio= n list: %s: %s"), - cacrl, gnutls_strerror(err)); - return -1; - } - } else { - VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl); - } } =20 if (cert && cert[0] !=3D '\0' && key && key[0] !=3D '\0') { - int rv; - if ((rv =3D virNetTLSContextCheckCertFile("certificate", cert, !is= Server)) < 0) + if (virNetTLSContextSetCertAndKey(ctxt, cert, key, !isServer)) return -1; - if (rv =3D=3D 0 && - (rv =3D virNetTLSContextCheckCertFile("private key", key, !isS= erver)) < 0) - return -1; - - if (rv =3D=3D 0) { - VIR_DEBUG("loading cert and key from %s and %s", cert, key); - err =3D - gnutls_certificate_set_x509_key_file(ctxt->x509cred, - cert, key, - GNUTLS_X509_FMT_PEM); - if (err < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to set x509 key and certificate: = %s, %s: %s"), - key, cert, gnutls_strerror(err)); - return -1; - } - } else { - VIR_DEBUG("Skipping non-existent cert %s key %s on 
client", - cert, key); - } } =20 return 0; --=20 2.23.0.windows.1
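Review bot: In virNetTLSContextSetCACert (first hunk, @@ -594), the allowMissing parameter is forwarded to virNetTLSContextCheckCertFile but its positive return value is never handled: the code only tests `< 0` and then unconditionally calls gnutls_certificate_set_x509_trust_file, so a caller passing allowMissing = true with an absent file would get a gnutls error rather than the skip that virNetTLSContextSetCACRL implements with its `if (rv == 0) ... else VIR_DEBUG("Skipping non-existent CA CRL ...")` branch. Either mirror that `rv == 0` check here or drop the parameter, since the only caller in this patch passes false. Separately, all three new helpers are declared `static`, so the commit message's claim that they are "convenient for other modules to call" does not hold for this patch on its own; if a later patch in the series exports them, say so in the message and add the prototypes to the header there, otherwise describe this as an internal refactor.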
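Review bot: In the second hunk (@@ -602), the three new call sites test the helper's result with `if (virNetTLSContextSetCACert(ctxt, cacert, false))` rather than `< 0`; the helpers only return 0 or -1 today, but libvirt's convention for int-returning functions is an explicit `< 0` comparison, and the inline code this hunk removes used `< 0` throughout. Suggest `if (virNetTLSContextSetCACert(ctxt, cacert, false) < 0)` and the same for the virNetTLSContextSetCACRL and virNetTLSContextSetCertAndKey calls. Behaviour is otherwise preserved: the CA cert is still loaded with allowMissing = false, the CRL with true, and the cert/key pair with !isServer, matching the removed code.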