[PATCH 1/6] qemu: conf: Allow individual control of default value for *_tls_x509_verify

Peter Krempa posted 6 patches 5 years, 2 months ago
[PATCH 1/6] qemu: conf: Allow individual control of default value for *_tls_x509_verify
Posted by Peter Krempa 5 years, 2 months ago
Store whether "default_tls_x509_verify" was provided and enhance the
SET_TLS_VERIFY_DEFAULT macro so that individual users can provide their
own default if the "default_tls_x509_verify" config option was not provided.

For now we keep setting it to 'false'.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu.conf   |  6 ++++++
 src/qemu/qemu_conf.c | 22 ++++++++++++++--------
 src/qemu/qemu_conf.h |  1 +
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 6f7d2b14f7..6f9d940477 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -40,6 +40,12 @@
 #  client-cert.pem - the client certificate signed with the ca-cert.pem
 #  client-key.pem - the client private key
 #
+# If this option is supplied it provides the default for the "_verify" option
+# of specific TLS users such as vnc, backups, migration, etc. The specific
+# users of TLS may override this by setting the specific "_verify" option.
+#
+# When not supplied the specific TLS users provide their own defaults.
+#
 #default_tls_x509_verify = 1

 #
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 2fb2f021c2..c3a61816a4 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -406,8 +406,10 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfigPtr cfg,
     if ((rv = virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir)) < 0)
         return -1;
     cfg->defaultTLSx509certdirPresent = (rv == 1);
-    if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0)
+    if ((rv = virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify)) < 0)
         return -1;
+    if (rv == 1)
+        cfg->defaultTLSx509verifyPresent = true;
     if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
                               &cfg->defaultTLSx509secretUUID) < 0)
         return -1;
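Review bot: The presence flag should be assigned unconditionally, `cfg->defaultTLSx509verifyPresent = (rv == 1);`, as the cert-dir line just above does, instead of the added `if (rv == 1)` that can only ever set it to true. The conditional form depends on the field already being false when this function runs, which cannot be confirmed from this hunk. Since the flag now decides whether the per-user verification defaults apply, the unconditional assignment is the safer and more consistent form. virQEMUDriverConfigLoadDefaultTLSEntry starts and ends outside the hunk.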
@@ -1240,16 +1242,20 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)

 #undef SET_TLS_X509_CERT_DEFAULT

-#define SET_TLS_VERIFY_DEFAULT(val) \
+#define SET_TLS_VERIFY_DEFAULT(val, defaultverify) \
     do { \
-        if (!cfg->val## TLSx509verifyPresent) \
-            cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \
+        if (!cfg->val## TLSx509verifyPresent) {\
+            if (cfg->defaultTLSx509verifyPresent) \
+              cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \
+            else \
+            cfg->val## TLSx509verify = defaultverify;\
+        }\
     } while (0)

-    SET_TLS_VERIFY_DEFAULT(vnc);
-    SET_TLS_VERIFY_DEFAULT(chardev);
-    SET_TLS_VERIFY_DEFAULT(migrate);
-    SET_TLS_VERIFY_DEFAULT(backup);
+    SET_TLS_VERIFY_DEFAULT(vnc, false);
+    SET_TLS_VERIFY_DEFAULT(chardev, false);
+    SET_TLS_VERIFY_DEFAULT(migrate, false);
+    SET_TLS_VERIFY_DEFAULT(backup, false);

 #undef SET_TLS_VERIFY_DEFAULT

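Review bot: The `false` passed at the four `SET_TLS_VERIFY_DEFAULT` call sites is now the effective setting whenever neither `default_tls_x509_verify` nor the per-user `_verify` option is configured, and neither the code nor the qemu.conf text added by this patch states that value. An administrator reading "the specific TLS users provide their own defaults" next to the commented-out `#default_tls_x509_verify = 1` cannot tell that verification ends up off for vnc, chardev, migrate and backup. I would add a comment above the calls, e.g. `/* per-user fallback when default_tls_x509_verify is absent; currently off for all users */`, and name the per-user defaults in qemu.conf. The macro should also parenthesize its argument, `cfg->val## TLSx509verify = (defaultverify);`. virQEMUDriverConfigSetDefaults starts and ends outside the hunk.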
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index da03a184c1..8748212a82 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -108,6 +108,7 @@ struct _virQEMUDriverConfig {
     char *defaultTLSx509certdir;
     bool defaultTLSx509certdirPresent;
     bool defaultTLSx509verify;
+    bool defaultTLSx509verifyPresent;
     char *defaultTLSx509secretUUID;

     bool vncAutoUnixSocket;
-- 
2.28.0

Re: [PATCH 1/6] qemu: conf: Allow individual control of default value for *_tls_x509_verify
Posted by Michal Privoznik 5 years, 2 months ago
On 11/13/20 4:01 PM, Peter Krempa wrote:
> Store whether "default_tls_x509_verify" was provided and enhance the
> SET_TLS_VERIFY_DEFAULT macro so that indiviual users can provide their
> own default if "default_tls_x509_verify" config option was not provided.
> 
> For now we keep setting it to 'false'.
> 
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>   src/qemu/qemu.conf   |  6 ++++++
>   src/qemu/qemu_conf.c | 22 ++++++++++++++--------
>   src/qemu/qemu_conf.h |  1 +
>   3 files changed, 21 insertions(+), 8 deletions(-)
> 

> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index 2fb2f021c2..c3a61816a4 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -406,8 +406,10 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfigPtr cfg,
>       if ((rv = virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir)) < 0)
>           return -1;
>       cfg->defaultTLSx509certdirPresent = (rv == 1);
> -    if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0)
> +    if ((rv = virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify)) < 0)
>           return -1;
> +    if (rv == 1)
> +        cfg->defaultTLSx509verifyPresent = true;
>       if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
>                                 &cfg->defaultTLSx509secretUUID) < 0)
>           return -1;
> @@ -1240,16 +1242,20 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
> 
>   #undef SET_TLS_X509_CERT_DEFAULT
> 
> -#define SET_TLS_VERIFY_DEFAULT(val) \
> +#define SET_TLS_VERIFY_DEFAULT(val, defaultverify) \
>       do { \
> -        if (!cfg->val## TLSx509verifyPresent) \
> -            cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \
> +        if (!cfg->val## TLSx509verifyPresent) {\
> +            if (cfg->defaultTLSx509verifyPresent) \
> +              cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \
> +            else \
> +            cfg->val## TLSx509verify = defaultverify;\

Alignment.

> +        }\
>       } while (0)
> 

Michal