[libvirt] [PATCH] Sanity check explicit TLS file paths
When providing explicit x509 cert/key paths in libvirtd.conf, the user must provide all three. If one or more is missed, this leads to obscure errors at runtime when negotiating the TLS session Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- daemon/libvirtd.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c index 9b98f33..40aa2b6 100644 --- a/daemon/libvirtd.c +++ b/daemon/libvirtd.c @@ -544,6 +544,22 @@ daemonSetupNetworking(virNetServerPtr srv, if (config->ca_file || config->cert_file || config->key_file) { + if (!config->ca_file) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + "No CA certificate path set to match server key/cert"); + goto cleanup; + } + if (!config->cert_file) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + "No server certificate path set to match server key"); + goto cleanup; + } + if (!config->key_file) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + "No server key path set to match server cert"); + goto cleanup; + } + VIR_DEBUG("Using CA='%s' cert='%s' key='%s'", config->ca_file, config->cert_file, config->key_file); if (!(ctxt = virNetTLSContextNewServer(config->ca_file, config->crl_file, config->cert_file, -- 2.9.3
On Wed, Mar 15, 2017 at 18:05:00 +0000, Daniel Berrange wrote:
When providing explicit x509 cert/key paths in libvirtd.conf, the user must provide all three. If one or more is missed, this leads to obscure errors at runtime when negotiating the TLS session
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- daemon/libvirtd.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c index 9b98f33..40aa2b6 100644 --- a/daemon/libvirtd.c +++ b/daemon/libvirtd.c @@ -544,6 +544,22 @@ daemonSetupNetworking(virNetServerPtr srv, if (config->ca_file || config->cert_file || config->key_file) { + if (!config->ca_file) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + "No CA certificate path set to match server key/cert"); + goto cleanup; + } + if (!config->cert_file) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + "No server certificate path set to match server key"); + goto cleanup; + } + if (!config->key_file) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + "No server key path set to match server cert"); + goto cleanup;
Fails syntax-check due to missing gettext macros on the messages: daemon/libvirtd.c-549- "No CA certificate path set to match server key/cert"); daemon/libvirtd.c-554- "No server certificate path set to match server key"); daemon/libvirtd.c-559- "No server key path set to match server cert"); maint.mk: found unmarked diagnostic(s)
+ } + VIR_DEBUG("Using CA='%s' cert='%s' key='%s'", config->ca_file, config->cert_file, config->key_file);
This line is super long and easy to shorten. Please do so.
if (!(ctxt = virNetTLSContextNewServer(config->ca_file, config->crl_file, config->cert_file,
ACK with the above fixed.
participants (2)
-
Daniel P. Berrange -
Peter Krempa