Add an API to update server's tls context.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Zhang Bo <oscar.zhangbo@huawei.com>
Signed-off-by: Wu Qingliang <wuqingliang4@huawei.com>
virNetServerSetThreadPoolParameters;
virNetServerSetTLSContext;
virNetServerUpdateServices;
+virNetServerUpdateTlsFiles;
# rpc/virnetserverclient.h
#include "virthread.h"
#include "virthreadpool.h"
#include "virstring.h"
+#include "virutil.h"
#define VIR_FROM_THIS VIR_FROM_RPC
virObjectUnlock(srv);
return ret;
}
+
+static virNetTLSContextPtr
+virNetServerGetTLSContext(virNetServerPtr srv)
+{
+ size_t i;
+ virNetTLSContextPtr ctxt = NULL;
+ virNetServerServicePtr svc = NULL;
+
+ /* find svcTLS from srv, get svcTLS->tls */
+ for (i = 0; i < srv->nservices; i++) {
+ svc = srv->services[i];
+ ctxt = virNetServerServiceGetTLSContext(svc);
+ if (ctxt != NULL)
+ break;
+ }
+
+ return ctxt;
+}
+
+int
+virNetServerUpdateTlsFiles(virNetServerPtr srv)
+{
+ int ret = -1;
+ virNetTLSContextPtr ctxt = NULL;
+ bool privileged = geteuid() == 0 ? true : false;
+
+ ctxt = virNetServerGetTLSContext(srv);
+ if (!ctxt) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("no tls service found, unable to update tls files"));
+ return -1;
+ }
+
+ virObjectLock(srv);
+ virObjectLock(ctxt);
+
+ if (virNetTLSContextReloadForServer(ctxt, !privileged)) {
+ VIR_DEBUG("failed to reload server's tls context");
+ goto cleanup;
+ }
+
+ VIR_DEBUG("update tls files success");
+ ret = 0;
+
+ cleanup:
+ virObjectUnlock(ctxt);
+ virObjectUnlock(srv);
+ return ret;
+}
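Review bot: virNetServerGetTLSContext walks srv->nservices and srv->services (L27-L28) before virObjectLock(srv) is taken at L51, so the service-list lookup is done unlocked while the matching reload runs under the lock; move `virObjectLock(srv);` above the `ctxt = virNetServerGetTLSContext(srv);` call at L44 and add `virObjectUnlock(srv);` before the early `return -1;` at L48 so the list is read and the context used under the same lock. Only the first service that reports a context is reloaded (the loop breaks at L31); if services can be created with distinct contexts the others would keep the old certificates, which at least deserves a comment on the function if it is the intended scope. `geteuid() == 0` is already a bool, so `bool privileged = geteuid() == 0;` reads the same without the ternary.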
int virNetServerSetClientLimits(virNetServerPtr srv,
long long int maxClients,
long long int maxClientsUnauth);
+
+int virNetServerUpdateTlsFiles(virNetServerPtr srv);
}
+int virNetTLSContextReloadForServer(virNetTLSContextPtr ctxt,
+ bool tryUserPkiPath)
+{
+ gnutls_certificate_credentials_t x509credBak;
+ int err;
+ char *cacert = NULL;
+ char *cacrl = NULL;
+ char *cert = NULL;
+ char *key = NULL;
+
+ x509credBak = ctxt->x509cred;
+ ctxt->x509cred = NULL;
+
+ if (virNetTLSContextLocateCredentials(NULL, tryUserPkiPath, true,
+ &cacert, &cacrl, &cert, &key))
+ goto error;
+
+ err = gnutls_certificate_allocate_credentials(&ctxt->x509cred);
+ if (err) {
+ virReportError(VIR_ERR_SYSTEM_ERROR,
+ _("Unable to allocate x509 credentials: %s"),
+ gnutls_strerror(err));
+ goto error;
+ }
+
+ if (virNetTLSContextSanityCheckCredentials(true, cacert, cert))
+ goto error;
+
+ if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, key))
+ goto error;
+
+ gnutls_certificate_set_dh_params(ctxt->x509cred,
+ ctxt->dhParams);
+
+ gnutls_certificate_free_credentials(x509credBak);
+
+ return 0;
+
+ error:
+ if (ctxt->x509cred)
+ gnutls_certificate_free_credentials(ctxt->x509cred);
+ ctxt->x509cred = x509credBak;
+ return -1;
+}
+
+
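Review bot: The four path strings that virNetTLSContextLocateCredentials fills in (cacert, cacrl, cert, key, L78-L81) are never released: neither the success return at L109 nor the error label at L111 frees them, so if the helper hands back allocated strings — it is given their addresses at L87 — every reload leaks four allocations. Fold both exits into a single cleanup path that frees the paths and then either discards the backup credentials or reinstalls them depending on the result (VIR_FREE below; g_free if this tree has already moved those helpers to GLib allocation). The function also relies on the caller holding the ctxt lock (its only caller locks it at L52) and deliberately leaves the previous credentials in place on failure; a header comment should state both so the next caller does not reload unlocked.
```c
int virNetTLSContextReloadForServer(virNetTLSContextPtr ctxt,
                                    bool tryUserPkiPath)
{
    int ret = -1;
    gnutls_certificate_credentials_t x509credBak;
    /* … unchanged: err and the four path declarations … */

    x509credBak = ctxt->x509cred;
    ctxt->x509cred = NULL;

    if (virNetTLSContextLocateCredentials(NULL, tryUserPkiPath, true,
                                          &cacert, &cacrl, &cert, &key))
        goto cleanup;

    /* … unchanged: allocate, sanity-check and load the new credentials,
     *   each failure jumping to cleanup instead of error … */

    gnutls_certificate_set_dh_params(ctxt->x509cred, ctxt->dhParams);
    ret = 0;

 cleanup:
    if (ret == 0) {
        gnutls_certificate_free_credentials(x509credBak);
    } else {
        /* keep serving with the previously loaded credentials */
        if (ctxt->x509cred)
            gnutls_certificate_free_credentials(ctxt->x509cred);
        ctxt->x509cred = x509credBak;
    }
    VIR_FREE(cacert);
    VIR_FREE(cacrl);
    VIR_FREE(cert);
    VIR_FREE(key);
    return ret;
}
```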
virNetTLSContextPtr virNetTLSContextNewClient(const char *cacert,
const char *cacrl,
const char *cert,
bool sanityCheckCert,
bool requireValidCert);
+int virNetTLSContextReloadForServer(virNetTLSContextPtr ctxt,
+ bool tryUserPkiPath);
+
int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt,
virNetTLSSessionPtr sess);
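Review bot: The new prototype at L124-L125 carries none of the contract the implementation depends on: the caller must hold the lock on ctxt (the only caller locks it before the call), tryUserPkiPath presumably selects the per-user PKI location since it is passed as the negation of "running as root", and on failure the previously loaded credentials are reinstalled so the server keeps serving with the old certificates. Add a comment above the prototype, e.g. `/* Reload the server's x509 credentials from their current on-disk locations. Caller must hold the ctxt lock. Returns 0 on success; on failure an error is reported and the previous credentials remain in effect. */`.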