From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: libvir-list@redhat.com Date: Wed, 16 Jan 2019 08:41:49 +0100 Message-Id: <39a864599a3ddfaea1f0fa25d1665ad165bba1a8.1547624106.git.jtomko@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 7/8] qemu: add support for encrypted VNC TLS keys X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Wed, 16 Jan 2019 07:42:27 +0000 (UTC) Use the password stored in the secret driver under the uuid specified by the vnc_tls_x509_secret_uuid option in qemu.conf. https://bugzilla.redhat.com/show_bug.cgi?id=3D1602418 Signed-off-by: J=C3=A1n Tomko Reviewed-by: John Ferlan --- src/qemu/qemu_command.c | 11 +++++- src/qemu/qemu_domain.c | 9 +++++ src/qemu/qemu_domain.h | 1 + ...graphics-vnc-tls-secret.x86_64-latest.args | 36 +++++++++++++++++++ .../graphics-vnc-tls-secret.xml | 30 ++++++++++++++++ tests/qemuxml2argvtest.c | 5 +++ 6 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 tests/qemuxml2argvdata/graphics-vnc-tls-secret.x86_64-l= atest.args create mode 100644 tests/qemuxml2argvdata/graphics-vnc-tls-secret.xml diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index d130d0463c..e17d7ddec7 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c 
@@ -8037,11 +8037,20 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfig= Ptr cfg, if (cfg->vncTLS) { qemuDomainGraphicsPrivatePtr gfxPriv =3D QEMU_DOMAIN_GRAPHICS_PRIV= ATE(graphics); if (gfxPriv->tlsAlias) { + const char *secretAlias =3D NULL; + + if (gfxPriv && gfxPriv->secinfo) { + if (qemuBuildObjectSecretCommandLine(cmd, + gfxPriv->secinfo) < 0) + goto error; + secretAlias =3D gfxPriv->secinfo->s.aes.alias; + } + if (qemuBuildTLSx509CommandLine(cmd, cfg->vncTLSx509certdir, true, cfg->vncTLSx509verify, - NULL, + secretAlias, gfxPriv->tlsAlias, qemuCaps) < 0) goto error; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 6960f0569b..da9c4e566d 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -1269,6 +1269,7 @@ qemuDomainGraphicsPrivateDispose(void *obj) qemuDomainGraphicsPrivatePtr priv =3D obj; =20 VIR_FREE(priv->tlsAlias); + qemuDomainSecretInfoFree(&priv->secinfo); } =20 =20 @@ -1750,6 +1751,7 @@ qemuDomainSecretGraphicsDestroy(virDomainGraphicsDefP= tr graphics) return; =20 VIR_FREE(gfxPriv->tlsAlias); + qemuDomainSecretInfoFree(&gfxPriv->secinfo); } =20 =20 @@ -1773,6 +1775,13 @@ qemuDomainSecretGraphicsPrepare(virQEMUDriverConfigP= tr cfg, if (VIR_STRDUP(gfxPriv->tlsAlias, "vnc-tls-creds0") < 0) return -1; =20 + if (cfg->vncTLSx509secretUUID) { + gfxPriv->secinfo =3D qemuDomainSecretInfoTLSNew(priv, gfxPriv->tls= Alias, + cfg->vncTLSx509secre= tUUID); + if (!gfxPriv->secinfo) + return -1; + } + return 0; } =20 diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index 01e47996f5..e706ddca31 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -490,6 +490,7 @@ struct _qemuDomainGraphicsPrivate { virObject parent; =20 char *tlsAlias; + qemuDomainSecretInfoPtr secinfo; }; =20 =20 diff --git a/tests/qemuxml2argvdata/graphics-vnc-tls-secret.x86_64-latest.a= rgs b/tests/qemuxml2argvdata/graphics-vnc-tls-secret.x86_64-latest.args new file mode 100644 index 0000000000..737c4fe8fb --- /dev/null 
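Review bot: The guard `if (gfxPriv && gfxPriv->secinfo)` re-checks a pointer that the enclosing `if (gfxPriv->tlsAlias)` two lines earlier has already dereferenced, so the `gfxPriv &&` half can never be false here and it reads as though a NULL private object were a handled case. Drop it and keep only `if (gfxPriv->secinfo) {`. The rest of the new code is sound: the secret object is emitted and its alias passed to qemuBuildTLSx509CommandLine only when a secret exists, which preserves the former `NULL` argument when vncTLSx509secretUUID is unset. qemuBuildGraphicsVNCCommandLine begins and ends outside the hunk.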
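Review bot: In qemuDomainSecretGraphicsPrepare the new `return -1;` after a failed qemuDomainSecretInfoTLSNew leaves `gfxPriv->tlsAlias`, strdup'd just above, allocated on that path; presumably the caller's error handling ends in qemuDomainSecretGraphicsDestroy, which this patch extends to free both fields, but that lies outside the hunk and is worth confirming. If it does not, add `VIR_FREE(gfxPriv->tlsAlias);` before the `return -1;` so a failed lookup leaves the private object in the same state as before the call. A one-line comment above the new block, e.g. `/* optional passphrase for the TLS key, resolved from the secret driver when the domain's secrets are prepared */`, would also record why the lookup happens here rather than while building the command line. The function starts outside the hunk.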
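Review bot: The new `secinfo` member of struct _qemuDomainGraphicsPrivate is added without a comment, while its meaning and lifetime are spread across the other files in this patch: it is set by qemuDomainSecretGraphicsPrepare only when `cfg->vncTLSx509secretUUID` is configured and freed in both qemuDomainGraphicsPrivateDispose and qemuDomainSecretGraphicsDestroy. A comment next to the field such as `/* passphrase secret for the TLS x509 key; NULL unless vnc_tls_x509_secret_uuid is set */` would make that explicit for readers of the header alone.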
+++ b/tests/qemuxml2argvdata/graphics-vnc-tls-secret.x86_64-latest.args @@ -0,0 +1,36 @@ +LC_ALL=3DC \ +PATH=3D/bin \ +HOME=3D/home/test \ +USER=3Dtest \ +LOGNAME=3Dtest \ +SASL_CONF_PATH=3D/root/.sasl2 \ +QEMU_AUDIO_DRV=3Dnone \ +/usr/bin/qemu-system-i686 \ +-name guest=3DQEMUGuest1,debug-threads=3Don \ +-S \ +-object secret,id=3DmasterKey0,format=3Draw,\ +file=3D/tmp/lib/domain--1-QEMUGuest1/master-key.aes \ +-machine pc,accel=3Dtcg,usb=3Doff,dump-guest-core=3Doff \ +-m 214 \ +-realtime mlock=3Doff \ +-smp 1,sockets=3D1,cores=3D1,threads=3D1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=3Dcharmonitor,fd=3D1729,server,nowait \ +-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \ +-rtc base=3Dutc \ +-no-shutdown \ +-no-acpi \ +-boot strict=3Don \ +-device piix3-usb-uhci,id=3Dusb,bus=3Dpci.0,addr=3D0x1.0x2 \ +-object secret,id=3Dvnc-tls-creds0-secret0,\ +data=3D9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ +keyid=3DmasterKey0,iv=3DAAECAwQFBgcICQoLDA0ODw=3D=3D,format=3Dbase64 \ +-object tls-creds-x509,id=3Dvnc-tls-creds0,dir=3D/etc/pki/libvirt-vnc,\ +endpoint=3Dserver,verify-peer=3Dyes,passwordid=3Dvnc-tls-creds0-secret0 \ +-vnc 127.0.0.1:3,tls-creds=3Dvnc-tls-creds0,sasl \ +-device cirrus-vga,id=3Dvideo0,bus=3Dpci.0,addr=3D0x2 \ +-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,\ +resourcecontrol=3Ddeny \ +-msg timestamp=3Don diff --git a/tests/qemuxml2argvdata/graphics-vnc-tls-secret.xml b/tests/qem= uxml2argvdata/graphics-vnc-tls-secret.xml new file mode 100644 index 0000000000..079f6241c4 --- /dev/null +++ b/tests/qemuxml2argvdata/graphics-vnc-tls-secret.xml @@ -0,0 +1,30 @@ + + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219100 + 219100 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu-system-i686 + + + + + + + + + + + + diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 2cb8860d26..ba6fd4db35 100644 
--- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -1290,6 +1290,11 @@ mymain(void) DO_TEST("graphics-vnc-tls", QEMU_CAPS_VNC, QEMU_CAPS_DEVICE_CIRRUS_VGA= ); DO_TEST_CAPS_VER("graphics-vnc-tls", "2.4.0"); DO_TEST_CAPS_LATEST("graphics-vnc-tls"); + if (VIR_STRDUP_QUIET(driver.config->vncTLSx509secretUUID, + "6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea") < 0) + return EXIT_FAILURE; + DO_TEST_CAPS_LATEST("graphics-vnc-tls-secret"); + VIR_FREE(driver.config->vncTLSx509secretUUID); driver.config->vncSASL =3D driver.config->vncTLSx509verify =3D driver.= config->vncTLS =3D 0; VIR_FREE(driver.config->vncSASLdir); VIR_FREE(driver.config->vncTLSx509certdir); --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
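Review bot: The new graphics-vnc-tls-secret case depends on its position in mymain: the `verify-peer=yes` and `sasl` options in the expected .args appear only because the reset `driver.config->vncSASL = driver.config->vncTLSx509verify = driver.config->vncTLS = 0;` follows the new block, while the assignments that enable them lie above the hunk. A comment on the new lines, e.g. `/* runs with the vncTLS/vncTLSx509verify/vncSASL settings enabled for graphics-vnc-tls above */`, would keep a later reorder from silently changing the expected output. Presumably the UUID literal also has to be one the test's secret lookup recognises; naming that source in the same comment would help the next person who copies this pattern. mymain continues outside the hunk.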