On 1/16/19 2:41 AM, Ján Tomko wrote:
Use the password stored in the secret driver under
the uuid specified by the vnc_tls_x509_secret_uuid
option in qemu.conf.
https://bugzilla.redhat.com/show_bug.cgi?id=1602418
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
---
src/qemu/qemu_command.c | 11 +++++-
src/qemu/qemu_domain.c | 9 +++++
src/qemu/qemu_domain.h | 1 +
...graphics-vnc-tls-secret.x86_64-latest.args | 36 +++++++++++++++++++
.../graphics-vnc-tls-secret.xml | 30 ++++++++++++++++
tests/qemuxml2argvtest.c | 5 +++
6 files changed, 91 insertions(+), 1 deletion(-)
create mode 100644 tests/qemuxml2argvdata/graphics-vnc-tls-secret.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/graphics-vnc-tls-secret.xml
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index d130d0463c..e17d7ddec7 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -8037,11 +8037,20 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfigPtr cfg,
if (cfg->vncTLS) {
qemuDomainGraphicsPrivatePtr gfxPriv = QEMU_DOMAIN_GRAPHICS_PRIVATE(graphics);
if (gfxPriv->tlsAlias) {
+ const char *secretAlias = NULL;
+
+ if (gfxPriv && gfxPriv->secinfo) {
The "gfxPriv" check is unnecessary; we would already have crashed
dereferencing gfxPriv to read tlsAlias.
+ if (qemuBuildObjectSecretCommandLine(cmd,
+ gfxPriv->secinfo) < 0)
+ goto error;
+ secretAlias = gfxPriv->secinfo->s.aes.alias;
+ }
+
if (qemuBuildTLSx509CommandLine(cmd,
cfg->vncTLSx509certdir,
true,
cfg->vncTLSx509verify,
- NULL,
+ secretAlias,
gfxPriv->tlsAlias,
qemuCaps) < 0)
goto error;
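Review bot: `secretAlias = gfxPriv->secinfo->s.aes.alias;` reads the AES member of the secinfo union without looking at the type tag, so it is only correct if qemuDomainSecretInfoTLSNew can never return a plain-type secinfo; its body is not visible here, so that is an assumption. Either guard the assignment, e.g. `if (gfxPriv->secinfo->type != VIR_DOMAIN_SECRET_INFO_TYPE_AES) goto error;` together with an error report, or state the invariant in a comment such as `/* TLS secinfo is always AES; the password reaches QEMU only as an encrypted secret object */`. A second comment noting that the secret object must be emitted before the tls-creds-x509 object that refers to it by alias would also protect the ordering from a later refactor. The enclosing function starts and ends outside the hunk.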
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 6960f0569b..da9c4e566d 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1269,6 +1269,7 @@ qemuDomainGraphicsPrivateDispose(void *obj)
qemuDomainGraphicsPrivatePtr priv = obj;
VIR_FREE(priv->tlsAlias);
+ qemuDomainSecretInfoFree(&priv->secinfo);> }
@@ -1750,6 +1751,7 @@ qemuDomainSecretGraphicsDestroy(virDomainGraphicsDefPtr graphics)
return;
VIR_FREE(gfxPriv->tlsAlias);
+ qemuDomainSecretInfoFree(&gfxPriv->secinfo);
If you use virObjectUnref as noted in patch 4, then the change in the
hunk above gives you this for free.
}
@@ -1773,6 +1775,13 @@ qemuDomainSecretGraphicsPrepare(virQEMUDriverConfigPtr cfg,
if (VIR_STRDUP(gfxPriv->tlsAlias, "vnc-tls-creds0") < 0)
return -1;
+ if (cfg->vncTLSx509secretUUID) {
+ gfxPriv->secinfo = qemuDomainSecretInfoTLSNew(priv, gfxPriv->tlsAlias,
+ cfg->vncTLSx509secretUUID);
+ if (!gfxPriv->secinfo)
+ return -1;
+ }
+
return 0;
}
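Review bot: The new block in qemuDomainSecretGraphicsPrepare has no comment saying what the secret is for or that a failed lookup is fatal by design. A line such as `/* password for the VNC TLS x509 credentials; refuse to start rather than continue without it */` above `if (cfg->vncTLSx509secretUUID)` would make the fail-closed `return -1` obvious to the next reader. On that failure path `gfxPriv->tlsAlias` stays allocated. Presumably the caller runs qemuDomainSecretGraphicsDestroy to release it, but that is not visible here, since the function begins above the hunk.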
Reviewed-by: John Ferlan <jferlan(a)redhat.com>
John
[...]