From: Daniel P. Berrange Date: Wed, 15 Mar 2017 18:02:40 +0000 (+0000) Subject: Sanity check explicit TLS file paths X-Git-Tag: v3.2.0-rc1~236 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=887450cbdfc25e99d07c06245108064de2c41b1b;p=thirdparty%2Flibvirt.git Sanity check explicit TLS file paths When providing explicit x509 cert/key paths in libvirtd.conf, the user must provide all three. If one or more is missed, this leads to obscure errors at runtime when negotiating the TLS session Signed-off-by: Daniel P. Berrange
---
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index 9b98f33735..891238bcbe 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -544,6 +544,23 @@ daemonSetupNetworking(virNetServerPtr srv,
 if (config->ca_file ||
 config->cert_file ||
 config->key_file) {
+ if (!config->ca_file) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("No CA certificate path set to match server key/cert"));
+ goto cleanup;
+ }
+ if (!config->cert_file) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("No server certificate path set to match server key"));
+ goto cleanup;
+ }
+ if (!config->key_file) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("No server key path set to match server cert"));
+ goto cleanup;
+ }
+ VIR_DEBUG("Using CA='%s' cert='%s' key='%s'",
+ config->ca_file, config->cert_file, config->key_file);
 if (!(ctxt = virNetTLSContextNewServer(config->ca_file,
 config->crl_file,
 config->cert_file,
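Review bot: The added completeness checks cover `ca_file`, `cert_file` and `key_file`, but `config->crl_file` is handed to virNetTLSContextNewServer() right after them and appears neither in the enclosing `if (config->ca_file || config->cert_file || config->key_file)` condition nor in the new VIR_DEBUG line. If the branch taken when that condition is false (outside this hunk) falls back to built-in default paths, a libvirtd.conf that sets only a CRL path would have it ignored without any error, so the revocation list the administrator configured would not be the one applied. That is worth confirming and, if it holds, rejecting as well, for instance by extending the condition with `|| config->crl_file` and logging the CRL path alongside the others. Separately, the second check fires whenever `cert_file` is unset, including when only `ca_file` was given, so "to match server key" can be wrong; `_("No server certificate path set to match CA certificate/server key")` would be accurate in both cases. daemonSetupNetworking starts and ends outside the hunk.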