From nobody Mon Feb 9 20:11:33 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 207.211.31.81 as permitted sender) client-ip=207.211.31.81; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-1.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.81 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1583580773; cv=none; d=zohomail.com; s=zohoarc; b=h+HDMmNoDEUzdhaoN2jQPlWztk88j7QJTAU0UU3BZauFZEE70bf5xnkoigrXtgDn6ZZJgvtj4KwduOUQKx4vhVRy2t9vK2etCiPfaABWQ7D9ewgDHZ1qDmi6TRsyrcWJfjdwIBSfpbg2KY6gCdsgmLJFyXzjUmz9yyS3Q3xW19Q= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1583580773; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=m84n9Q3+TpdER0HLAj6H5PhUwtT8UPRUHHMoICI8R8A=; b=eXTTZQrbSWUIXcOG7QGvRHaNC4j4E7K2q4HmdNUkOueXYhoPlvJAReAfmuQu0vY9tCa8ELoboO3WbBHQ65z8GDn8N1YRjHIRsXXrIKfxHfrt/RSdivGjIgtHsSgK+TNQOSYqESNj7A22EPfWK+3dhmS8GGxOJ9+RXg/pH/4ho38= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.81 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.81]) by mx.zohomail.com with SMTPS id 1583580773913185.49635519603726; Sat, 7 Mar 2020 03:32:53 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-113-shQQadswP5qghEHZt4qMmg-1; Sat, 07 Mar 2020 06:32:50 -0500 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EC5151085933; Sat, 7 Mar 2020 11:32:44 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9BA2C10016EB; Sat, 7 Mar 2020 11:32:44 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 46A2186A0F; Sat, 7 Mar 2020 11:32:44 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 027BWdnJ001111 for ; Sat, 7 Mar 2020 06:32:39 -0500 Received: by smtp.corp.redhat.com (Postfix) id 5720410F1CA5; Sat, 7 Mar 2020 11:32:39 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast04.extmail.prod.ext.rdu2.redhat.com [10.11.55.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 51C7010F8E10 for ; Sat, 7 Mar 2020 11:32:35 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com [207.211.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 32999101A55D for ; Sat, 7 Mar 2020 11:32:35 +0000 (UTC) Received: from huawei.com (szxga07-in.huawei.com [45.249.212.35]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-29-hqn2_Pt0Pp2_Z--hCEF05A-1; Sat, 07 Mar 2020 06:32:31 -0500 Received: from DGGEMS405-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 19D9534DAA750E1C561C for ; Sat, 7 Mar 2020 19:32:00 +0800 (CST) Received: from huawei.com (10.133.210.227) by DGGEMS405-HUB.china.huawei.com (10.3.19.205) with Microsoft SMTP Server id 14.3.487.0; Sat, 7 Mar 2020 19:31:51 +0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1583580773; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=m84n9Q3+TpdER0HLAj6H5PhUwtT8UPRUHHMoICI8R8A=; b=iXnqozjFBimry49uiQpIkOvvfqC4Fif8ePudd0FT1VFyplMUqBKShcQRiPnZpIb0C12LUB BFHO6So9GeYl9NXItU5E8HbooSIfq5HXhAC9hB4a+m4/Qo2F/QvwyBcdtABPJBONqBgmEt ucTuWHnQClV/EG5pa3B1tCRNoID2rwo= X-MC-Unique: shQQadswP5qghEHZt4qMmg-1 X-MC-Unique: hqn2_Pt0Pp2_Z--hCEF05A-1 From: Zhang Bo To: Subject: [PATCHv2 1/5] virnetserver: Introduce virNetServerUpdateTlsFiles Date: Sat, 7 Mar 2020 19:31:00 +0800 Message-ID: <20200307113104.722-2-oscar.zhangbo@huawei.com> In-Reply-To: <20200307113104.722-1-oscar.zhangbo@huawei.com> References: <20200307113104.722-1-oscar.zhangbo@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.133.210.227] X-CFilter-Loop: Reflected X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-MIME-Autoconverted: from quoted-printable to 8bit by lists01.pubmisc.prod.ext.phx2.redhat.com id 027BWdnJ001111 X-loop: libvir-list@redhat.com Cc: Zhang Bo , dengkai1@huawei.com, wujing42@huawei.com, wuqingliang4@huawei.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" Add an API to update server's tls context. Reviewed-by: Daniel P. Berrang=C3=A9 --- src/libvirt_remote.syms | 1 + src/rpc/virnetserver.c | 51 ++++++++++++++++++++++++++++++++++++++ src/rpc/virnetserver.h | 2 ++ src/rpc/virnettlscontext.c | 46 ++++++++++++++++++++++++++++++++++ src/rpc/virnettlscontext.h | 3 +++ 5 files changed, 103 insertions(+) diff --git a/src/libvirt_remote.syms b/src/libvirt_remote.syms index 0493467f46..0018a0c41d 100644 --- a/src/libvirt_remote.syms +++ b/src/libvirt_remote.syms @@ -137,6 +137,7 @@ virNetServerSetClientLimits; virNetServerSetThreadPoolParameters; virNetServerSetTLSContext; virNetServerUpdateServices; +virNetServerUpdateTlsFiles; =20 =20 # rpc/virnetserverclient.h diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c index 072ffdf5a3..0bfe94d3f8 100644 --- a/src/rpc/virnetserver.c +++ b/src/rpc/virnetserver.c @@ -21,6 +21,9 @@ =20 #include =20 +#include +#include + #include "virnetserver.h" #include "virlog.h" #include "viralloc.h" @@ -1205,3 +1208,51 @@ virNetServerSetClientLimits(virNetServerPtr srv, virObjectUnlock(srv); return ret; } + +static virNetTLSContextPtr +virNetServerGetTLSContext(virNetServerPtr srv) +{ + size_t i; + virNetTLSContextPtr ctxt =3D NULL; + virNetServerServicePtr svc =3D NULL; + + /* find svcTLS from srv, get svcTLS->tls */ + for (i =3D 0; i < srv->nservices; i++) { + svc =3D srv->services[i]; + ctxt =3D virNetServerServiceGetTLSContext(svc); + if (ctxt !=3D NULL) + break; + } + + return ctxt; +} + +int +virNetServerUpdateTlsFiles(virNetServerPtr srv) +{ + int ret =3D -1; + virNetTLSContextPtr ctxt =3D NULL; + bool privileged =3D geteuid() =3D=3D 0 ? true : false; + + ctxt =3D virNetServerGetTLSContext(srv); + if (!ctxt) { + VIR_ERROR(_("no tls svc found, unable to update tls files")); + return -1; + } + + virObjectLock(srv); + virObjectLock(ctxt); + + if (virNetTLSContextReloadForServer(ctxt, !privileged)) { + VIR_ERROR(_("failed to reload server's tls context")); + goto cleanup; + } + + VIR_INFO("update tls files success"); + ret =3D 0; + + cleanup: + virObjectUnlock(ctxt); + virObjectUnlock(srv); + return ret; +} diff --git a/src/rpc/virnetserver.h b/src/rpc/virnetserver.h index 260c99b22d..1c6a2efb6c 100644 --- a/src/rpc/virnetserver.h +++ b/src/rpc/virnetserver.h @@ -133,3 +133,5 @@ size_t virNetServerGetCurrentUnauthClients(virNetServer= Ptr srv); int virNetServerSetClientLimits(virNetServerPtr srv, long long int maxClients, long long int maxClientsUnauth); + +int virNetServerUpdateTlsFiles(virNetServerPtr srv); diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 44f0dfce77..02c17124a1 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -919,6 +919,52 @@ virNetTLSContextPtr virNetTLSContextNewServer(const ch= ar *cacert, } =20 =20 +int virNetTLSContextReloadForServer(virNetTLSContextPtr ctxt, + bool tryUserPkiPath) +{ + gnutls_certificate_credentials_t x509credBak; + int err; + char *cacert =3D NULL; + char *cacrl =3D NULL; + char *cert =3D NULL; + char *key =3D NULL; + + x509credBak =3D ctxt->x509cred; + ctxt->x509cred =3D NULL; + + if (virNetTLSContextLocateCredentials(NULL, tryUserPkiPath, true, + &cacert, &cacrl, &cert, &key)) + goto error; + + err =3D gnutls_certificate_allocate_credentials(&ctxt->x509cred); + if (err) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to allocate x509 credentials: %s"), + gnutls_strerror(err)); + goto error; + } + + if (virNetTLSContextSanityCheckCredentials(true, cacert, cert)) + goto error; + + if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, k= ey)) + goto error; + + gnutls_certificate_set_dh_params(ctxt->x509cred, + ctxt->dhParams); + + gnutls_certificate_free_credentials(x509credBak); + + return 0; + + error: + if (ctxt->x509cred) + gnutls_certificate_free_credentials(ctxt->x509cred); + ctxt->x509cred =3D x509credBak; + return -1; +} + + virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert, const char *cacrl, const char *cert, diff --git a/src/rpc/virnettlscontext.h b/src/rpc/virnettlscontext.h index f3273bc26a..fe885aed9a 100644 --- a/src/rpc/virnettlscontext.h +++ b/src/rpc/virnettlscontext.h @@ -62,6 +62,9 @@ virNetTLSContextPtr virNetTLSContextNewClient(const char = *cacert, bool sanityCheckCert, bool requireValidCert); =20 +int virNetTLSContextReloadForServer(virNetTLSContextPtr ctxt, + bool tryUserPkiPath); + int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt, virNetTLSSessionPtr sess); =20 --=20 2.23.0.windows.1