From nobody Thu Sep 19 00:16:00 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1717771931857794.4392657461005; Fri, 7 Jun 2024 07:52:11 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 24FF5263F; Fri, 7 Jun 2024 10:52:10 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id C59C0262F; Fri, 7 Jun 2024 10:47:22 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 32E352595; Fri, 7 Jun 2024 10:47:16 -0400 (EDT) Received: from mx1.osci.io (polly.osci.io [8.43.85.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 69C3B25FA for ; Fri, 7 Jun 2024 10:44:56 -0400 (EDT) Received: by mx1.osci.io (Postfix, from userid 994) id 564282254F; Fri, 7 Jun 2024 10:44:56 -0400 (EDT) Received: from mx3.osci.io (carla.osci.io [IPv6:2607:f0d0:1e02:35::3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits)) (No client certificate requested) by mx1.osci.io (Postfix) with ESMTPS id 0CAF22236E for ; Fri, 7 Jun 2024 10:44:46 -0400 (EDT) Received: by mx3.osci.io (Postfix, from userid 990) id 0DF8430721D8; Fri, 7 Jun 2024 09:33:00 -0500 (CDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by mx3.osci.io (Postfix) with ESMTPS id 4A14830721D2 for ; Fri, 7 Jun 2024 09:32:58 -0500 (CDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-101-C_9FUbipPrS_yULVF59T6g-1; Fri, 07 Jun 2024 10:26:18 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 8988B185A783 for ; Fri, 7 Jun 2024 14:26:18 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.193.232]) by smtp.corp.redhat.com (Postfix) with ESMTP id D53BE492BC6; Fri, 7 Jun 2024 14:26:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717770383; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EeoGMepXA+1EGeAFXpb0X3JgXBWfWLs4onN1h4UFqGs=; b=fmWASeXdaHKF0t2SflxnYBwgf9ho6Pl88IVSzd330jT/LJM2h6fUyMfO0rsoJOlCsbjz1S ZHO9bCdZqv5cXc20WT03pA5X27Bq+CxZtrbnfuHuVO2ts63Tjta+w3JQZnzYNtXQrXJY5i EjM5z1YzA6m7rZdFlpjxh2vFQnd2AmQ= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717770512; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EeoGMepXA+1EGeAFXpb0X3JgXBWfWLs4onN1h4UFqGs=; b=WYklAA+t8+EXUJE7xLE9c7wq32da3JqM7c2iC15VdspTIEKR1jt5HCSQY0TPt/G/wXR/1U IlIZgftnmNe0S/Ufr4tUeAj+YPxmj8B6D2TvOuL1BDxQaxrqiajKzqBX4Ra2ajNBf3Q/fw V+QqcjmRxBZ6urQQhA3DYAzIQTxxDtc= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717770643; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EeoGMepXA+1EGeAFXpb0X3JgXBWfWLs4onN1h4UFqGs=; b=ETVeR2m+ZxykNO/JEqEwvc5vYKgqoYc08PWwxcZf2psBu1dRbuvbWG50p4khJtJ1ANY0ZC BaFvIkjb2ED4ok3QNh/bEhd4owQKcyDBuY+tW6y/CweJUxQ/F5I2HCsUZJP0rtv5emRyx8 IFvHLioGONDninrq7APsBJKt6oyGzgU= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717770776; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EeoGMepXA+1EGeAFXpb0X3JgXBWfWLs4onN1h4UFqGs=; b=MdiXaks2FNMlBFZYVT2NTIZDMkD0omuTLKc2loA5mn6ea+PRBME3qXGcQi2a1s7Q0jm1EQ Wy6cpMjmWq5LPR8ObaAr2Yagost2tUSPsU12KysCMmHvZlBCnWn5ZaVHXKjMSv6rwtyomR n7evyARWoodNk34yTZNOoqb0Lh618xg= X-MC-Unique: C_9FUbipPrS_yULVF59T6g-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: devel@lists.libvirt.org Cc: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 1/9] rpc: split out helpers for TLS cert path location Date: Fri, 7 Jun 2024 15:26:08 +0100 Message-ID: <20240607142616.749339-2-berrange@redhat.com> In-Reply-To: <20240607142616.749339-1-berrange@redhat.com> References: <20240607142616.749339-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: V3ZGYIICNAWFCT4BCN3FZKAYRGDH5PBT X-Message-ID-Hash: V3ZGYIICNAWFCT4BCN3FZKAYRGDH5PBT X-MailFrom: SRS0=RZ0v=NJ=redhat.com=berrange@osci.io X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (found 4 invalid signatures) X-ZM-MESSAGEID: 1717771932902100001 Content-Type: text/plain; charset="utf-8" We'll want to access these paths from outside the TLS context code, so split them into a standalone file. Signed-off-by: Daniel P. Berrang=C3=A9 --- src/rpc/meson.build | 6 +- src/rpc/virnettlsconfig.c | 202 +++++++++++++++++++++++++++++++++++++ src/rpc/virnettlsconfig.h | 68 +++++++++++++ src/rpc/virnettlscontext.c | 70 ++----------- 4 files changed, 285 insertions(+), 61 deletions(-) create mode 100644 src/rpc/virnettlsconfig.c create mode 100644 src/rpc/virnettlsconfig.h diff --git a/src/rpc/meson.build b/src/rpc/meson.build index 9d98bc6259..d11d532d0f 100644 --- a/src/rpc/meson.build +++ b/src/rpc/meson.build @@ -1,6 +1,10 @@ gendispatch_prog =3D find_program('gendispatch.pl') =20 -socket_sources =3D [ +tlsconfig_sources =3D [ + files('virnettlsconfig.c'), +] + +socket_sources =3D tlsconfig_sources + [ 'virnettlscontext.c', 'virnetsocket.c', ] diff --git a/src/rpc/virnettlsconfig.c b/src/rpc/virnettlsconfig.c new file mode 100644 index 0000000000..d020083d6a --- /dev/null +++ b/src/rpc/virnettlsconfig.c @@ -0,0 +1,202 @@ +/* + * virnettlsconfig.c: TLS x509 configuration helpers + * + * Copyright (C) 2010-2024 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include + +#include "virnettlsconfig.h" +#include "virlog.h" +#include "virutil.h" + +#define VIR_FROM_THIS VIR_FROM_RPC + +VIR_LOG_INIT("rpc.nettlscontext"); + +char *virNetTLSConfigUserPKIBaseDir(void) +{ + g_autofree char *userdir =3D virGetUserDirectory(); + + return g_strdup_printf("%s/.pki/libvirt", userdir); +} + +static void virNetTLSConfigTrust(const char *cacertdir, + const char *cacrldir, + char **cacert, + char **cacrl) +{ + if (!*cacert) + *cacert =3D g_strdup_printf("%s/%s", cacertdir, "cacert.pem"); + if (!*cacrl) + *cacrl =3D g_strdup_printf("%s/%s", cacrldir, "cacrl.pem"); + + VIR_DEBUG("TLS CA cert %s", *cacert); + VIR_DEBUG("TLS CA CRL %s", *cacrl); +} + +static void virNetTLSConfigIdentity(int isServer, + const char *certdir, + const char *keydir, + char **cert, + char **key) +{ + if (!*key) + *key =3D g_strdup_printf("%s/%s", keydir, + isServer ? "serverkey.pem" : "clientkey.pem= "); + if (!*cert) + *cert =3D g_strdup_printf("%s/%s", certdir, + isServer ? "servercert.pem" : "clientcert.= pem"); + + VIR_DEBUG("TLS key %s", *key); + VIR_DEBUG("TLS cert %s", *cert); +} + +void virNetTLSConfigCustomTrust(const char *pkipath, + char **cacert, + char **cacrl) +{ + VIR_DEBUG("Locating trust chain in custom dir %s", pkipath); + virNetTLSConfigTrust(pkipath, + pkipath, + cacert, + cacrl); +} + +void virNetTLSConfigUserTrust(char **cacert, + char **cacrl) +{ + g_autofree char *pkipath =3D virNetTLSConfigUserPKIBaseDir(); + + VIR_DEBUG("Locating trust chain in user dir %s", pkipath); + + virNetTLSConfigTrust(pkipath, + pkipath, + cacert, + cacrl); +} + +void virNetTLSConfigSystemTrust(char **cacert, + char **cacrl) +{ + VIR_DEBUG("Locating trust chain in system dir %s", LIBVIRT_PKI_DIR); + + virNetTLSConfigTrust(LIBVIRT_CACERT_DIR, + LIBVIRT_CACRL_DIR, + cacert, + cacrl); +} + +void virNetTLSConfigCustomIdentity(const char *pkipath, + int isServer, + char **cert, + char **key) +{ + VIR_DEBUG("Locating creds in custom dir %s", pkipath); + virNetTLSConfigIdentity(isServer, + pkipath, + pkipath, + cert, + key); +} + +void virNetTLSConfigUserIdentity(int isServer, + char **cert, + char **key) +{ + g_autofree char *pkipath =3D virNetTLSConfigUserPKIBaseDir(); + + VIR_DEBUG("Locating creds in user dir %s", pkipath); + + virNetTLSConfigIdentity(isServer, + pkipath, + pkipath, + cert, + key); +} + +void virNetTLSConfigSystemIdentity(int isServer, + char **cert, + char **key) +{ + VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR); + + virNetTLSConfigIdentity(isServer, + LIBVIRT_CERT_DIR, + LIBVIRT_KEY_DIR, + cert, + key); +} + +void virNetTLSConfigCustomCreds(const char *pkipath, + int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key) +{ + VIR_DEBUG("Locating creds in custom dir %s", pkipath); + virNetTLSConfigTrust(pkipath, + pkipath, + cacert, + cacrl); + virNetTLSConfigIdentity(isServer, + pkipath, + pkipath, + cert, + key); +} + +void virNetTLSConfigUserCreds(int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key) +{ + g_autofree char *pkipath =3D virNetTLSConfigUserPKIBaseDir(); + + VIR_DEBUG("Locating creds in user dir %s", pkipath); + + virNetTLSConfigTrust(pkipath, + pkipath, + cacert, + cacrl); + virNetTLSConfigIdentity(isServer, + pkipath, + pkipath, + cert, + key); +} + +void virNetTLSConfigSystemCreds(int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key) +{ + VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR); + + virNetTLSConfigTrust(LIBVIRT_CACERT_DIR, + LIBVIRT_CACRL_DIR, + cacert, + cacrl); + virNetTLSConfigIdentity(isServer, + LIBVIRT_CERT_DIR, + LIBVIRT_KEY_DIR, + cert, + key); +} diff --git a/src/rpc/virnettlsconfig.h b/src/rpc/virnettlsconfig.h new file mode 100644 index 0000000000..797b3e3ac5 --- /dev/null +++ b/src/rpc/virnettlsconfig.h @@ -0,0 +1,68 @@ +/* + * virnettlsconfig.h: TLS x509 configuration helpers + * + * Copyright (C) 2010-2024 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#pragma once + +#include "configmake.h" + +#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki" +#define LIBVIRT_CACERT_DIR LIBVIRT_PKI_DIR "/CA" +#define LIBVIRT_CACRL_DIR LIBVIRT_PKI_DIR "/CA" +#define LIBVIRT_KEY_DIR LIBVIRT_PKI_DIR "/libvirt/private" +#define LIBVIRT_CERT_DIR LIBVIRT_PKI_DIR "/libvirt" + +char *virNetTLSConfigUserPKIBaseDir(void); + +void virNetTLSConfigCustomTrust(const char *pkipath, + char **cacert, + char **cacrl); +void virNetTLSConfigUserTrust(char **cacert, + char **cacrl); +void virNetTLSConfigSystemTrust(char **cacert, + char **cacrl); + +void virNetTLSConfigCustomIdentity(const char *pkipath, + int isServer, + char **cert, + char **key); +void virNetTLSConfigUserIdentity(int isServer, + char **cert, + char **key); +void virNetTLSConfigSystemIdentity(int isServer, + char **cert, + char **key); + + +void virNetTLSConfigCustomCreds(const char *pkipath, + int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key); +void virNetTLSConfigUserCreds(int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key); +void virNetTLSConfigSystemCreds(int isServer, + char **cacert, + char **cacrl, + char **cert, + char **key); diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index dc60244927..4223043bc9 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -27,6 +27,7 @@ #include =20 #include "virnettlscontext.h" +#include "virnettlsconfig.h" #include "virstring.h" =20 #include "viralloc.h" @@ -36,15 +37,6 @@ #include "virlog.h" #include "virprobe.h" #include "virthread.h" -#include "configmake.h" - -#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki" -#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem" -#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem" -#define LIBVIRT_CLIENTKEY LIBVIRT_PKI_DIR "/libvirt/private/clientkey.pem" -#define LIBVIRT_CLIENTCERT LIBVIRT_PKI_DIR "/libvirt/clientcert.pem" -#define LIBVIRT_SERVERKEY LIBVIRT_PKI_DIR "/libvirt/private/serverkey.pem" -#define LIBVIRT_SERVERCERT LIBVIRT_PKI_DIR "/libvirt/servercert.pem" =20 #define VIR_FROM_THIS VIR_FROM_RPC =20 @@ -721,9 +713,6 @@ static int virNetTLSContextLocateCredentials(const char= *pkipath, char **cert, char **key) { - char *userdir =3D NULL; - char *user_pki_path =3D NULL; - *cacert =3D NULL; *cacrl =3D NULL; *key =3D NULL; @@ -736,33 +725,13 @@ static int virNetTLSContextLocateCredentials(const ch= ar *pkipath, * files actually exist there */ if (pkipath) { - VIR_DEBUG("Told to use TLS credentials in %s", pkipath); - *cacert =3D g_strdup_printf("%s/%s", pkipath, "cacert.pem"); - *cacrl =3D g_strdup_printf("%s/%s", pkipath, "cacrl.pem"); - *key =3D g_strdup_printf("%s/%s", pkipath, - isServer ? "serverkey.pem" : "clientkey.pem= "); - - *cert =3D g_strdup_printf("%s/%s", pkipath, - isServer ? "servercert.pem" : "clientcert.= pem"); + virNetTLSConfigCustomCreds(pkipath, isServer, + cacert, cacrl, + cert, key); } else if (tryUserPkiPath) { - /* Check to see if $HOME/.pki contains at least one of the - * files and if so, use that - */ - userdir =3D virGetUserDirectory(); - - user_pki_path =3D g_strdup_printf("%s/.pki/libvirt", userdir); - - VIR_DEBUG("Trying to find TLS user credentials in %s", user_pki_pa= th); - - *cacert =3D g_strdup_printf("%s/%s", user_pki_path, "cacert.pem"); - - *cacrl =3D g_strdup_printf("%s/%s", user_pki_path, "cacrl.pem"); - - *key =3D g_strdup_printf("%s/%s", user_pki_path, - isServer ? "serverkey.pem" : "clientkey.pem= "); - - *cert =3D g_strdup_printf("%s/%s", user_pki_path, - isServer ? "servercert.pem" : "clientcert.= pem"); + virNetTLSConfigUserCreds(isServer, + cacert, cacrl, + cert, key); =20 /* * If some of the files can't be found, fallback @@ -782,28 +751,9 @@ static int virNetTLSContextLocateCredentials(const cha= r *pkipath, } } =20 - /* No explicit path, or user path didn't exist, so - * fallback to global defaults - */ - if (!*cacert) { - VIR_DEBUG("Using default TLS CA certificate path"); - *cacert =3D g_strdup(LIBVIRT_CACERT); - } - - if (!*cacrl) { - VIR_DEBUG("Using default TLS CA revocation list path"); - *cacrl =3D g_strdup(LIBVIRT_CACRL); - } - - if (!*key && !*cert) { - VIR_DEBUG("Using default TLS key/certificate path"); - *key =3D g_strdup(isServer ? LIBVIRT_SERVERKEY : LIBVIRT_CLIENTKEY= ); - - *cert =3D g_strdup(isServer ? LIBVIRT_SERVERCERT : LIBVIRT_CLIENTC= ERT); - } - - VIR_FREE(user_pki_path); - VIR_FREE(userdir); + virNetTLSConfigSystemCreds(isServer, + cacert, cacrl, + cert, key); =20 return 0; } --=20 2.43.0