shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-11 09:17:52 +03:00
Code Releases Activity

qemu: Simplify qemuDomainSecretInfo

Browse Source 
Now that we've removed support for plaintext secrets qemuDomainSecretInfo
can be simplified by removing the 'type' field and merging in all the
fields from 'qemuDomainSecretAES'.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Peter Krempa 2021-09-22 09:34:31 +02:00
parent c4d4b10826
commit db66d0247a
8 changed files with 56 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/qemu/qemu_backup.c
View File

@ -723,7 +723,7 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm,
if (qemuBuildSecretInfoProps(secinfo, tlsSecretProps) < 0) if (qemuBuildSecretInfoProps(secinfo, tlsSecretProps) < 0)
return -1; return -1;
tlsKeySecretAlias = secinfo->s.aes.alias; tlsKeySecretAlias = secinfo->alias;
} }
if (qemuBuildTLSx509BackendProps(cfg->backupTLSx509certdir, true, if (qemuBuildTLSx509BackendProps(cfg->backupTLSx509certdir, true,

40
src/qemu/qemu_block.c
View File

@ -746,12 +746,12 @@ qemuBlockStorageSourceGetCURLProps(virStorageSource *src,
if (!onlytarget) { if (!onlytarget) {
if (src->auth) { if (src->auth) {
username = src->auth->username; username = src->auth->username;
passwordalias = srcPriv->secinfo->s.aes.alias; passwordalias = srcPriv->secinfo->alias;
} }
if (srcPriv && if (srcPriv &&
srcPriv->httpcookie) srcPriv->httpcookie)
cookiealias = srcPriv->httpcookie->s.aes.alias; cookiealias = srcPriv->httpcookie->alias;
} else { } else {
/* format target string along with cookies */ /* format target string along with cookies */
cookiestr = qemuBlockStorageSourceGetCookieString(src); cookiestr = qemuBlockStorageSourceGetCookieString(src);
@ -819,7 +819,7 @@ qemuBlockStorageSourceGetISCSIProps(virStorageSource *src,
if (!onlytarget && src->auth) { if (!onlytarget && src->auth) {
username = src->auth->username; username = src->auth->username;
objalias = srcPriv->secinfo->s.aes.alias; objalias = srcPriv->secinfo->alias;
} }
ignore_value(virJSONValueObjectCreate(&ret, ignore_value(virJSONValueObjectCreate(&ret,
@ -885,8 +885,8 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
return NULL; return NULL;
if (!onlytarget && src->auth) { if (!onlytarget && src->auth) {
username = srcPriv->secinfo->s.aes.username; username = srcPriv->secinfo->username;
keysecret = srcPriv->secinfo->s.aes.alias; keysecret = srcPriv->secinfo->alias;
/* the auth modes are modelled after our old command line generator */ /* the auth modes are modelled after our old command line generator */
authmodes = virJSONValueNewArray(); authmodes = virJSONValueNewArray();
@ -1267,7 +1267,7 @@ qemuBlockStorageSourceGetFormatLUKSProps(virStorageSource *src,
{ {
qemuDomainStorageSourcePrivate *srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src); qemuDomainStorageSourcePrivate *srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src);
if (!srcPriv || !srcPriv->encinfo || !srcPriv->encinfo->s.aes.alias) { if (!srcPriv || !srcPriv->encinfo || !srcPriv->encinfo->alias) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("missing secret info for 'luks' driver")); _("missing secret info for 'luks' driver"));
return -1; return -1;
@ -1275,7 +1275,7 @@ qemuBlockStorageSourceGetFormatLUKSProps(virStorageSource *src,
if (virJSONValueObjectAdd(props, if (virJSONValueObjectAdd(props,
"s:driver", "luks", "s:driver", "luks",
"s:key-secret", srcPriv->encinfo->s.aes.alias, "s:key-secret", srcPriv->encinfo->alias,
NULL) < 0) NULL) < 0)
return -1; return -1;
@ -1313,14 +1313,9 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
*encprops = NULL; *encprops = NULL;
/* qemu requires encrypted secrets regardless of encryption method used when
* passed using the blockdev infrastructure, thus only
* VIR_DOMAIN_SECRET_INFO_TYPE_AES works here. The correct type needs to be
* instantiated elsewhere. */
if (!src->encryption || if (!src->encryption ||
!srcpriv || !srcpriv ||
!srcpriv->encinfo || !srcpriv->encinfo)
srcpriv->encinfo->type != VIR_DOMAIN_SECRET_INFO_TYPE_AES)
return 0; return 0;
switch ((virStorageEncryptionFormatType) src->encryption->format) { switch ((virStorageEncryptionFormatType) src->encryption->format) {
@ -1342,7 +1337,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
return virJSONValueObjectCreate(encprops, return virJSONValueObjectCreate(encprops,
"s:format", encformat, "s:format", encformat,
"s:key-secret", srcpriv->encinfo->s.aes.alias, "s:key-secret", srcpriv->encinfo->alias,
NULL); NULL);
} }
@ -1906,17 +1901,17 @@ qemuBlockStorageSourceDetachPrepare(virStorageSource *src,
data->tlsAlias = g_strdup(src->tlsAlias); data->tlsAlias = g_strdup(src->tlsAlias);
if (srcpriv) { if (srcpriv) {
if (srcpriv->secinfo && srcpriv->secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) if (srcpriv->secinfo)
data->authsecretAlias = g_strdup(srcpriv->secinfo->s.aes.alias); data->authsecretAlias = g_strdup(srcpriv->secinfo->alias);
if (srcpriv->encinfo && srcpriv->encinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) if (srcpriv->encinfo)
data->encryptsecretAlias = g_strdup(srcpriv->encinfo->s.aes.alias); data->encryptsecretAlias = g_strdup(srcpriv->encinfo->alias);
if (srcpriv->httpcookie) if (srcpriv->httpcookie)
data->httpcookiesecretAlias = g_strdup(srcpriv->httpcookie->s.aes.alias); data->httpcookiesecretAlias = g_strdup(srcpriv->httpcookie->alias);
if (srcpriv->tlsKeySecret) if (srcpriv->tlsKeySecret)
data->tlsKeySecretAlias = g_strdup(srcpriv->tlsKeySecret->s.aes.alias); data->tlsKeySecretAlias = g_strdup(srcpriv->tlsKeySecret->alias);
} }
return g_steal_pointer(&data); return g_steal_pointer(&data);
@ -2319,9 +2314,8 @@ qemuBlockStorageSourceCreateGetEncryptionLUKS(virStorageSource *src,
const char *keysecret = NULL; const char *keysecret = NULL;
if (srcpriv && if (srcpriv &&
srcpriv->encinfo && srcpriv->encinfo)
srcpriv->encinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) keysecret = srcpriv->encinfo->alias;
keysecret = srcpriv->encinfo->s.aes.alias;
if (virJSONValueObjectCreate(&props, if (virJSONValueObjectCreate(&props,
"s:key-secret", keysecret, "s:key-secret", keysecret,

41
src/qemu/qemu_command.c
View File

@ -707,9 +707,9 @@ qemuBuildSecretInfoProps(qemuDomainSecretInfo *secinfo,
return -1; return -1;
return qemuMonitorCreateObjectProps(propsret, "secret", return qemuMonitorCreateObjectProps(propsret, "secret",
secinfo->s.aes.alias, "s:data", secinfo->alias, "s:data",
secinfo->s.aes.ciphertext, "s:keyid", secinfo->ciphertext, "s:keyid",
keyid, "s:iv", secinfo->s.aes.iv, keyid, "s:iv", secinfo->iv,
"s:format", "base64", NULL); "s:format", "base64", NULL);
} }
@ -763,20 +763,11 @@ static int
qemuBuildRBDSecinfoURI(virBuffer *buf, qemuBuildRBDSecinfoURI(virBuffer *buf,
qemuDomainSecretInfo *secinfo) qemuDomainSecretInfo *secinfo)
{ {
if (!secinfo) { if (!secinfo)
virBufferAddLit(buf, ":auth_supported=none"); virBufferAddLit(buf, ":auth_supported=none");
return 0; else
}
switch ((qemuDomainSecretInfoType) secinfo->type) {
case VIR_DOMAIN_SECRET_INFO_TYPE_AES:
virBufferEscape(buf, '\\', ":", ":id=%s:auth_supported=cephx\\;none", virBufferEscape(buf, '\\', ":", ":id=%s:auth_supported=cephx\\;none",
secinfo->s.aes.username); secinfo->username);
break;
case VIR_DOMAIN_SECRET_INFO_TYPE_LAST:
return -1;
}
return 0; return 0;
} }
@ -1264,8 +1255,8 @@ qemuBuildDriveSourceStr(virDomainDiskDef *disk,
virQEMUBuildBufferEscapeComma(buf, source); virQEMUBuildBufferEscapeComma(buf, source);
if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) if (secinfo)
virBufferAsprintf(buf, ",file.password-secret=%s", secinfo->s.aes.alias); virBufferAsprintf(buf, ",file.password-secret=%s", secinfo->alias);
if (disk->src->debug) if (disk->src->debug)
virBufferAsprintf(buf, ",file.debug=%d", disk->src->debugLevel); virBufferAsprintf(buf, ",file.debug=%d", disk->src->debugLevel);
@ -1282,12 +1273,12 @@ qemuBuildDriveSourceStr(virDomainDiskDef *disk,
if (encinfo) { if (encinfo) {
if (disk->src->format == VIR_STORAGE_FILE_RAW) { if (disk->src->format == VIR_STORAGE_FILE_RAW) {
virBufferAsprintf(buf, "key-secret=%s,", encinfo->s.aes.alias); virBufferAsprintf(buf, "key-secret=%s,", encinfo->alias);
rawluks = true; rawluks = true;
} else if (disk->src->format == VIR_STORAGE_FILE_QCOW2 && } else if (disk->src->format == VIR_STORAGE_FILE_QCOW2 &&
disk->src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) { disk->src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
virBufferAddLit(buf, "encrypt.format=luks,"); virBufferAddLit(buf, "encrypt.format=luks,");
virBufferAsprintf(buf, "encrypt.key-secret=%s,", encinfo->s.aes.alias); virBufferAsprintf(buf, "encrypt.key-secret=%s,", encinfo->alias);
} }
} }
@ -4886,7 +4877,7 @@ qemuBuildChrChardevStr(virLogManager *logManager,
qemuCaps) < 0) qemuCaps) < 0)
return NULL; return NULL;
tlsCertEncSecAlias = chrSourcePriv->secinfo->s.aes.alias; tlsCertEncSecAlias = chrSourcePriv->secinfo->alias;
} }
if (!(objalias = qemuAliasTLSObjFromSrcAlias(charAlias))) if (!(objalias = qemuAliasTLSObjFromSrcAlias(charAlias)))
@ -5046,9 +5037,8 @@ qemuBuildHostdevSCSIDetachPrepare(virDomainHostdevDef *hostdev,
ret->storageNodeName = src->nodestorage; ret->storageNodeName = src->nodestorage;
ret->storageAttached = true; ret->storageAttached = true;
if (srcpriv && srcpriv->secinfo && if (srcpriv && srcpriv->secinfo)
srcpriv->secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) ret->authsecretAlias = g_strdup(srcpriv->secinfo->alias);
ret->authsecretAlias = g_strdup(srcpriv->secinfo->s.aes.alias);
} else { } else {
ret->driveAlias = qemuAliasFromHostdev(hostdev); ret->driveAlias = qemuAliasFromHostdev(hostdev);
@ -8012,7 +8002,7 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfig *cfg,
gfxPriv->secinfo, gfxPriv->secinfo,
qemuCaps) < 0) qemuCaps) < 0)
return -1; return -1;
secretAlias = gfxPriv->secinfo->s.aes.alias; secretAlias = gfxPriv->secinfo->alias;
} }
if (qemuBuildTLSx509CommandLine(cmd, if (qemuBuildTLSx509CommandLine(cmd,
@ -10898,7 +10888,6 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSource *src,
if (srcpriv) { if (srcpriv) {
if (srcpriv->secinfo && if (srcpriv->secinfo &&
srcpriv->secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES &&
qemuBuildSecretInfoProps(srcpriv->secinfo, &data->authsecretProps) < 0) qemuBuildSecretInfoProps(srcpriv->secinfo, &data->authsecretProps) < 0)
return -1; return -1;
@ -10914,7 +10903,7 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSource *src,
if (qemuBuildSecretInfoProps(srcpriv->tlsKeySecret, &data->tlsKeySecretProps) < 0) if (qemuBuildSecretInfoProps(srcpriv->tlsKeySecret, &data->tlsKeySecretProps) < 0)
return -1; return -1;
tlsKeySecretAlias = srcpriv->tlsKeySecret->s.aes.alias; tlsKeySecretAlias = srcpriv->tlsKeySecret->alias;
} }
} }

45
src/qemu/qemu_domain.c
View File

@ -657,19 +657,6 @@ qemuDomainMasterKeyCreate(virDomainObj *vm)
} }
static void
qemuDomainSecretAESClear(struct _qemuDomainSecretAES *secret,
bool keepAlias)
{
if (!keepAlias)
VIR_FREE(secret->alias);
VIR_FREE(secret->username);
VIR_FREE(secret->iv);
VIR_FREE(secret->ciphertext);
}
static void static void
qemuDomainSecretInfoClear(qemuDomainSecretInfo *secinfo, qemuDomainSecretInfoClear(qemuDomainSecretInfo *secinfo,
bool keepAlias) bool keepAlias)
@ -677,14 +664,12 @@ qemuDomainSecretInfoClear(qemuDomainSecretInfo *secinfo,
if (!secinfo) if (!secinfo)
return; return;
switch ((qemuDomainSecretInfoType) secinfo->type) { if (!keepAlias)
case VIR_DOMAIN_SECRET_INFO_TYPE_AES: VIR_FREE(secinfo->alias);
qemuDomainSecretAESClear(&secinfo->s.aes, keepAlias);
break;
case VIR_DOMAIN_SECRET_INFO_TYPE_LAST: VIR_FREE(secinfo->username);
break; VIR_FREE(secinfo->iv);
} VIR_FREE(secinfo->ciphertext);
} }
@ -1106,9 +1091,8 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivate *priv,
secinfo = g_new0(qemuDomainSecretInfo, 1); secinfo = g_new0(qemuDomainSecretInfo, 1);
secinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES; secinfo->alias = g_strdup(alias);
secinfo->s.aes.alias = g_strdup(alias); secinfo->username = g_strdup(username);
secinfo->s.aes.username = g_strdup(username);
raw_iv = g_new0(uint8_t, ivlen); raw_iv = g_new0(uint8_t, ivlen);
@ -1117,7 +1101,7 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivate *priv,
return NULL; return NULL;
/* Encode the IV and save that since qemu will need it */ /* Encode the IV and save that since qemu will need it */
secinfo->s.aes.iv = g_base64_encode(raw_iv, ivlen); secinfo->iv = g_base64_encode(raw_iv, ivlen);
if (virCryptoEncryptData(VIR_CRYPTO_CIPHER_AES256CBC, if (virCryptoEncryptData(VIR_CRYPTO_CIPHER_AES256CBC,
priv->masterKey, QEMU_DOMAIN_MASTER_KEY_LEN, priv->masterKey, QEMU_DOMAIN_MASTER_KEY_LEN,
@ -1126,8 +1110,7 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivate *priv,
return NULL; return NULL;
/* Now encode the ciphertext and store to be passed to qemu */ /* Now encode the ciphertext and store to be passed to qemu */
secinfo->s.aes.ciphertext = g_base64_encode(ciphertext, secinfo->ciphertext = g_base64_encode(ciphertext, ciphertextlen);
ciphertextlen);
return g_steal_pointer(&secinfo); return g_steal_pointer(&secinfo);
} }
@ -1809,11 +1792,9 @@ qemuStorageSourcePrivateDataAssignSecinfo(qemuDomainSecretInfo **secinfo,
if (!*secinfo) { if (!*secinfo) {
*secinfo = g_new0(qemuDomainSecretInfo, 1); *secinfo = g_new0(qemuDomainSecretInfo, 1);
(*secinfo)->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES;
} }
if ((*secinfo)->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) (*secinfo)->alias = g_steal_pointer(&*alias);
(*secinfo)->s.aes.alias = g_steal_pointer(&*alias);
return 0; return 0;
} }
@ -1881,13 +1862,11 @@ qemuStorageSourcePrivateDataFormatSecinfo(virBuffer *buf,
qemuDomainSecretInfo *secinfo, qemuDomainSecretInfo *secinfo,
const char *type) const char *type)
{ {
if (!secinfo || if (!secinfo || !secinfo->alias)
secinfo->type != VIR_DOMAIN_SECRET_INFO_TYPE_AES ||
!secinfo->s.aes.alias)
return; return;
virBufferAsprintf(buf, "<secret type='%s' alias='%s'/>\n", virBufferAsprintf(buf, "<secret type='%s' alias='%s'/>\n",
type, secinfo->s.aes.alias); type, secinfo->alias);
} }

20
src/qemu/qemu_domain.h
View File

@ -90,31 +90,17 @@ struct _qemuDomainUnpluggingDevice {
#define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control" #define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
/* Type of domain secret */
typedef enum {
VIR_DOMAIN_SECRET_INFO_TYPE_AES, /* utilize GNUTLS_CIPHER_AES_256_CBC */
VIR_DOMAIN_SECRET_INFO_TYPE_LAST
} qemuDomainSecretInfoType;
#define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */ #define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */
/* initialization vector */ /* initialization vector */
typedef struct _qemuDomainSecretAES qemuDomainSecretAES;
struct _qemuDomainSecretAES { typedef struct _qemuDomainSecretInfo qemuDomainSecretInfo;
struct _qemuDomainSecretInfo {
char *username; char *username;
char *alias; /* generated alias for secret */ char *alias; /* generated alias for secret */
char *iv; /* base64 encoded initialization vector */ char *iv; /* base64 encoded initialization vector */
char *ciphertext; /* encoded/encrypted secret */ char *ciphertext; /* encoded/encrypted secret */
}; };
typedef struct _qemuDomainSecretInfo qemuDomainSecretInfo;
struct _qemuDomainSecretInfo {
qemuDomainSecretInfoType type;
union {
qemuDomainSecretAES aes;
} s;
};
typedef struct _qemuDomainObjPrivate qemuDomainObjPrivate; typedef struct _qemuDomainObjPrivate qemuDomainObjPrivate;
struct _qemuDomainObjPrivate { struct _qemuDomainObjPrivate {
virQEMUDriver *driver; virQEMUDriver *driver;

4
src/qemu/qemu_hotplug.c
View File

@ -1846,7 +1846,7 @@ qemuDomainGetTLSObjects(virQEMUCaps *qemuCaps,
if (qemuBuildSecretInfoProps(secinfo, secProps) < 0) if (qemuBuildSecretInfoProps(secinfo, secProps) < 0)
return -1; return -1;
secAlias = secinfo->s.aes.alias; secAlias = secinfo->alias;
} }
if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify,
@ -1890,7 +1890,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver,
secinfo = chrSourcePriv->secinfo; secinfo = chrSourcePriv->secinfo;
if (secinfo) if (secinfo)
*secAlias = secinfo->s.aes.alias; *secAlias = secinfo->alias;
if (!(*tlsAlias = qemuAliasTLSObjFromSrcAlias(charAlias))) if (!(*tlsAlias = qemuAliasTLSObjFromSrcAlias(charAlias)))
goto cleanup; goto cleanup;

2
src/qemu/qemu_migration_params.c
View File

@ -955,7 +955,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver,
qemuDomainSecretInfoTLSNew(priv, QEMU_MIGRATION_TLS_ALIAS_BASE, qemuDomainSecretInfoTLSNew(priv, QEMU_MIGRATION_TLS_ALIAS_BASE,
cfg->migrateTLSx509secretUUID))) cfg->migrateTLSx509secretUUID)))
return -1; return -1;
secAlias = priv->migSecinfo->s.aes.alias; secAlias = priv->migSecinfo->alias;
} }
if (!(*tlsAlias = qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE))) if (!(*tlsAlias = qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE)))

13
tests/qemublocktest.c
View File

@ -235,19 +235,16 @@ testQemuDiskXMLToJSONFakeSecrets(virStorageSource *src)
if (src->auth) { if (src->auth) {
srcpriv->secinfo = g_new0(qemuDomainSecretInfo, 1); srcpriv->secinfo = g_new0(qemuDomainSecretInfo, 1);
srcpriv->secinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES; srcpriv->secinfo->username = g_strdup(src->auth->username);
srcpriv->secinfo->s.aes.username = g_strdup(src->auth->username); srcpriv->secinfo->alias = g_strdup_printf("%s-secalias",
NULLSTR(src->nodestorage));
srcpriv->secinfo->s.aes.alias = g_strdup_printf("%s-secalias",
NULLSTR(src->nodestorage));
} }
if (src->encryption) { if (src->encryption) {
srcpriv->encinfo = g_new0(qemuDomainSecretInfo, 1); srcpriv->encinfo = g_new0(qemuDomainSecretInfo, 1);
srcpriv->encinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES; srcpriv->encinfo->alias = g_strdup_printf("%s-encalias",
srcpriv->encinfo->s.aes.alias = g_strdup_printf("%s-encalias", NULLSTR(src->nodeformat));
NULLSTR(src->nodeformat));
} }
return 0; return 0;