qemu: conf: Allow individual control of default value for *_tls_x509_verify

Store whether "default_tls_x509_verify" was provided and enhance the SET_TLS_VERIFY_DEFAULT macro so that indiviual users can provide their own default if "default_tls_x509_verify" config option was not provided. For now we keep setting it to 'false'. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2024-12-23 21:34:54 +03:00 · 2020-11-13 15:13:29 +01:00 · 2020-11-13 15:13:29 +01:00 · 9ba2a06e47
commit 9ba2a06e47
parent 6a1bb797a7
3 changed files with 21 additions and 8 deletions
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@ -40,6 +40,12 @@
 #  client-cert.pem - the client certificate signed with the ca-cert.pem
 #  client-key.pem - the client private key
 #
+# If this option is supplied it provides the default for the "_verify" option
+# of specific TLS users such as vnc, backups, migration, etc. The specific
+# users of TLS may override this by setting the specific "_verify" option.
+#
+# When not supplied the specific TLS users provide their own defaults.
+#
 #default_tls_x509_verify = 1

 #
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@ -406,8 +406,10 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfigPtr cfg,
    if ((rv = virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir)) < 0)
        return -1;
    cfg->defaultTLSx509certdirPresent = (rv == 1);
-    if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0)
+    if ((rv = virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify)) < 0)
        return -1;
+    if (rv == 1)
+        cfg->defaultTLSx509verifyPresent = true;
    if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
                              &cfg->defaultTLSx509secretUUID) < 0)
        return -1;
@ -1240,16 +1242,20 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)

 #undef SET_TLS_X509_CERT_DEFAULT

-#define SET_TLS_VERIFY_DEFAULT(val) \
+#define SET_TLS_VERIFY_DEFAULT(val, defaultverify) \
    do { \
-        if (!cfg->val## TLSx509verifyPresent) \
-            cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \
+        if (!cfg->val## TLSx509verifyPresent) {\
+            if (cfg->defaultTLSx509verifyPresent) \
+                cfg->val## TLSx509verify = cfg->defaultTLSx509verify; \
+            else \
+                cfg->val## TLSx509verify = defaultverify;\
+        }\
    } while (0)

-    SET_TLS_VERIFY_DEFAULT(vnc);
-    SET_TLS_VERIFY_DEFAULT(chardev);
-    SET_TLS_VERIFY_DEFAULT(migrate);
-    SET_TLS_VERIFY_DEFAULT(backup);
+    SET_TLS_VERIFY_DEFAULT(vnc, false);
+    SET_TLS_VERIFY_DEFAULT(chardev, false);
+    SET_TLS_VERIFY_DEFAULT(migrate, false);
+    SET_TLS_VERIFY_DEFAULT(backup, false);

 #undef SET_TLS_VERIFY_DEFAULT

--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@ -108,6 +108,7 @@ struct _virQEMUDriverConfig {
    char *defaultTLSx509certdir;
    bool defaultTLSx509certdirPresent;
    bool defaultTLSx509verify;
+    bool defaultTLSx509verifyPresent;
    char *defaultTLSx509secretUUID;

    bool vncAutoUnixSocket;