Store whether "default_tls_x509_verify" was provided and enhance the
SET_TLS_VERIFY_DEFAULT macro so that individual users can provide their
own default if "default_tls_x509_verify" config option was not provided.
For now we keep setting it to 'false'.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu.conf | 6 ++++++
src/qemu/qemu_conf.c | 22 ++++++++++++++--------
src/qemu/qemu_conf.h | 1 +
3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 6f7d2b14f7..6f9d940477 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -40,6 +40,12 @@
# client-cert.pem - the client certificate signed with the ca-cert.pem
# client-key.pem - the client private key
#
+# If this option is supplied it provides the default for the "_verify" option
+# of specific TLS users such as vnc, backups, migration, etc. The specific
+# users of TLS may override this by setting the specific "_verify" option.
+#
+# When not supplied the specific TLS users provide their own defaults.
+#
#default_tls_x509_verify = 1
#
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 2fb2f021c2..c3a61816a4 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -406,8 +406,10 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfigPtr cfg,
if ((rv = virConfGetValueString(conf, "default_tls_x509_cert_dir",
&cfg->defaultTLSx509certdir)) < 0)
return -1;
cfg->defaultTLSx509certdirPresent = (rv == 1);
- if (virConfGetValueBool(conf, "default_tls_x509_verify",
&cfg->defaultTLSx509verify) < 0)
+ if ((rv = virConfGetValueBool(conf, "default_tls_x509_verify",
&cfg->defaultTLSx509verify)) < 0)
return -1;
+ if (rv == 1)
+ cfg->defaultTLSx509verifyPresent = true;
if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
&cfg->defaultTLSx509secretUUID) < 0)
return -1;
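Review bot: The new `if (rv == 1) cfg->defaultTLSx509verifyPresent = true;` is written differently from the `defaultTLSx509certdirPresent = (rv == 1);` assignment three lines above it, although both record the same "option was present" fact from the same kind of return value. Mirroring the existing form, `cfg->defaultTLSx509verifyPresent = (rv == 1);`, keeps the two presence flags visibly parallel and also makes the assignment unconditional, so the flag does not depend on the struct having been zero-initialised elsewhere. The enclosing virQEMUDriverConfigLoadDefaultTLSEntry begins before this hunk and continues after it.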
@@ -1240,16 +1242,20 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
#undef SET_TLS_X509_CERT_DEFAULT
-#define SET_TLS_VERIFY_DEFAULT(val) \
+#define SET_TLS_VERIFY_DEFAULT(val, defaultverify) \
do { \
- if (!cfg->val## TLSx509verifyPresent) \
- cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \
+ if (!cfg->val## TLSx509verifyPresent) {\
+ if (cfg->defaultTLSx509verifyPresent) \
+ cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \
+ else \
+ cfg->val## TLSx509verify = defaultverify;\
+ }\
} while (0)
- SET_TLS_VERIFY_DEFAULT(vnc);
- SET_TLS_VERIFY_DEFAULT(chardev);
- SET_TLS_VERIFY_DEFAULT(migrate);
- SET_TLS_VERIFY_DEFAULT(backup);
+ SET_TLS_VERIFY_DEFAULT(vnc, false);
+ SET_TLS_VERIFY_DEFAULT(chardev, false);
+ SET_TLS_VERIFY_DEFAULT(migrate, false);
+ SET_TLS_VERIFY_DEFAULT(backup, false);
#undef SET_TLS_VERIFY_DEFAULT
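Review bot: The new macro parameter is substituted without parentheses in `cfg->val## TLSx509verify = defaultverify;`; the four call sites pass the literal `false`, so it is harmless today, but a future caller passing an expression would be bitten, and `cfg->val## TLSx509verify = (defaultverify);` costs nothing. The same lines also drop the space before the line-continuation backslash (`{\` and `defaultverify;\`), which is inconsistent with the rest of the macro. Since every user here ends up with verification disabled when neither its own `_verify` option nor `default_tls_x509_verify` is set, a one-line comment above the four invocations, such as `/* Fallback when neither the per-user nor the global _verify option is set: verification off */`, would make that security-relevant default visible at the point where it is chosen. The enclosing virQEMUDriverConfigSetDefaults starts before this hunk.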
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index da03a184c1..8748212a82 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -108,6 +108,7 @@ struct _virQEMUDriverConfig {
char *defaultTLSx509certdir;
bool defaultTLSx509certdirPresent;
bool defaultTLSx509verify;
+ bool defaultTLSx509verifyPresent;
char *defaultTLSx509secretUUID;
bool vncAutoUnixSocket;
--
2.28.0