|
|
a41c76 |
From fe42b8bb2e4a456a5b2297313f3859221013fdfc Mon Sep 17 00:00:00 2001
|
|
|
a41c76 |
Message-Id: <fe42b8bb2e4a456a5b2297313f3859221013fdfc@dist-git>
|
|
|
a41c76 |
From: Peter Krempa <pkrempa@redhat.com>
|
|
|
a41c76 |
Date: Mon, 16 Mar 2020 22:11:46 +0100
|
|
|
a41c76 |
Subject: [PATCH] qemuDomainSecretAESSetup: Allocate and return 'secinfo' here
|
|
|
a41c76 |
MIME-Version: 1.0
|
|
|
a41c76 |
Content-Type: text/plain; charset=UTF-8
|
|
|
a41c76 |
Content-Transfer-Encoding: 8bit
|
|
|
a41c76 |
|
|
|
a41c76 |
Rather than passing in an empty qemuDomainSecretInfoPtr allocate it
|
|
|
a41c76 |
in this function and return it. This is done by absorbing the check from
|
|
|
a41c76 |
qemuDomainSecretInfoNew and removing the internals of
|
|
|
a41c76 |
qemuDomainSecretInfoNew.
|
|
|
a41c76 |
|
|
|
a41c76 |
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
|
|
|
a41c76 |
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
|
|
a41c76 |
(cherry picked from commit bad8637892ae8fc310b252651876738ca4fdee0d)
|
|
|
a41c76 |
https://bugzilla.redhat.com/show_bug.cgi?id=1804750
|
|
|
a41c76 |
Message-Id: <94071336dbc97ed64a1a5dcbb82da32e5199f117.1584391726.git.pkrempa@redhat.com>
|
|
|
a41c76 |
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
|
|
a41c76 |
---
|
|
|
a41c76 |
src/qemu/qemu_domain.c | 53 ++++++++++++++++++------------------------
|
|
|
a41c76 |
1 file changed, 22 insertions(+), 31 deletions(-)
|
|
|
a41c76 |
|
|
|
a41c76 |
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
|
|
|
a41c76 |
index b26187659e..37e361b1f4 100644
|
|
|
a41c76 |
--- a/src/qemu/qemu_domain.c
|
|
|
a41c76 |
+++ b/src/qemu/qemu_domain.c
|
|
|
a41c76 |
@@ -1529,21 +1529,20 @@ qemuDomainSecretPlainSetup(qemuDomainSecretInfoPtr secinfo,
|
|
|
a41c76 |
* @seclookupdef: Pointer to seclookupdef data
|
|
|
a41c76 |
* @isLuks: True/False for is for luks (alias generation)
|
|
|
a41c76 |
*
|
|
|
a41c76 |
- * Taking a secinfo, fill in the AES specific information using the
|
|
|
a41c76 |
+ * Encrypts a secret looked up via @seclookupdef for use with qemu.
|
|
|
a41c76 |
*
|
|
|
a41c76 |
- * Returns 0 on success, -1 on failure with error message
|
|
|
a41c76 |
+ * Returns qemuDomainSecretInfoPtr filled with the necessary information.
|
|
|
a41c76 |
*/
|
|
|
a41c76 |
-static int
|
|
|
a41c76 |
+static qemuDomainSecretInfoPtr
|
|
|
a41c76 |
qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
|
|
|
a41c76 |
- qemuDomainSecretInfoPtr secinfo,
|
|
|
a41c76 |
const char *srcalias,
|
|
|
a41c76 |
virSecretUsageType usageType,
|
|
|
a41c76 |
const char *username,
|
|
|
a41c76 |
virSecretLookupTypeDefPtr seclookupdef,
|
|
|
a41c76 |
bool isLuks)
|
|
|
a41c76 |
{
|
|
|
a41c76 |
+ g_autoptr(qemuDomainSecretInfo) secinfo = NULL;
|
|
|
a41c76 |
g_autoptr(virConnect) conn = virGetConnectSecret();
|
|
|
a41c76 |
- int ret = -1;
|
|
|
a41c76 |
g_autofree uint8_t *raw_iv = NULL;
|
|
|
a41c76 |
size_t ivlen = QEMU_DOMAIN_AES_IV_LEN;
|
|
|
a41c76 |
uint8_t *secret = NULL;
|
|
|
a41c76 |
@@ -1552,19 +1551,27 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
|
|
|
a41c76 |
size_t ciphertextlen = 0;
|
|
|
a41c76 |
|
|
|
a41c76 |
if (!conn)
|
|
|
a41c76 |
- return -1;
|
|
|
a41c76 |
+ return NULL;
|
|
|
a41c76 |
+
|
|
|
a41c76 |
+ if (!qemuDomainSupportsEncryptedSecret(priv)) {
|
|
|
a41c76 |
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
|
|
a41c76 |
+ _("encrypted secrets are not supported"));
|
|
|
a41c76 |
+ return NULL;
|
|
|
a41c76 |
+ }
|
|
|
a41c76 |
+
|
|
|
a41c76 |
+ secinfo = g_new0(qemuDomainSecretInfo, 1);
|
|
|
a41c76 |
|
|
|
a41c76 |
secinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES;
|
|
|
a41c76 |
secinfo->s.aes.username = g_strdup(username);
|
|
|
a41c76 |
|
|
|
a41c76 |
if (!(secinfo->s.aes.alias = qemuDomainGetSecretAESAlias(srcalias, isLuks)))
|
|
|
a41c76 |
- return -1;
|
|
|
a41c76 |
+ return NULL;
|
|
|
a41c76 |
|
|
|
a41c76 |
raw_iv = g_new0(uint8_t, ivlen);
|
|
|
a41c76 |
|
|
|
a41c76 |
/* Create a random initialization vector */
|
|
|
a41c76 |
if (virRandomBytes(raw_iv, ivlen) < 0)
|
|
|
a41c76 |
- return -1;
|
|
|
a41c76 |
+ return NULL;
|
|
|
a41c76 |
|
|
|
a41c76 |
/* Encode the IV and save that since qemu will need it */
|
|
|
a41c76 |
secinfo->s.aes.iv = g_base64_encode(raw_iv, ivlen);
|
|
|
a41c76 |
@@ -1572,13 +1579,13 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
|
|
|
a41c76 |
/* Grab the unencoded secret */
|
|
|
a41c76 |
if (virSecretGetSecretString(conn, seclookupdef, usageType,
|
|
|
a41c76 |
&secret, &secretlen) < 0)
|
|
|
a41c76 |
- goto cleanup;
|
|
|
a41c76 |
+ goto error;
|
|
|
a41c76 |
|
|
|
a41c76 |
if (virCryptoEncryptData(VIR_CRYPTO_CIPHER_AES256CBC,
|
|
|
a41c76 |
priv->masterKey, QEMU_DOMAIN_MASTER_KEY_LEN,
|
|
|
a41c76 |
raw_iv, ivlen, secret, secretlen,
|
|
|
a41c76 |
&ciphertext, &ciphertextlen) < 0)
|
|
|
a41c76 |
- goto cleanup;
|
|
|
a41c76 |
+ goto error;
|
|
|
a41c76 |
|
|
|
a41c76 |
/* Clear out the secret */
|
|
|
a41c76 |
memset(secret, 0, secretlen);
|
|
|
a41c76 |
@@ -1587,11 +1594,11 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
|
|
|
a41c76 |
secinfo->s.aes.ciphertext = g_base64_encode(ciphertext,
|
|
|
a41c76 |
ciphertextlen);
|
|
|
a41c76 |
|
|
|
a41c76 |
- ret = 0;
|
|
|
a41c76 |
+ return g_steal_pointer(&secinfo);
|
|
|
a41c76 |
|
|
|
a41c76 |
- cleanup:
|
|
|
a41c76 |
+ error:
|
|
|
a41c76 |
VIR_DISPOSE_N(secret, secretlen);
|
|
|
a41c76 |
- return ret;
|
|
|
a41c76 |
+ return NULL;
|
|
|
a41c76 |
}
|
|
|
a41c76 |
|
|
|
a41c76 |
|
|
|
a41c76 |
@@ -1663,24 +1670,8 @@ qemuDomainSecretInfoNew(qemuDomainObjPrivatePtr priv,
|
|
|
a41c76 |
virSecretLookupTypeDefPtr lookupDef,
|
|
|
a41c76 |
bool isLuks)
|
|
|
a41c76 |
{
|
|
|
a41c76 |
- qemuDomainSecretInfoPtr secinfo = NULL;
|
|
|
a41c76 |
-
|
|
|
a41c76 |
- if (!qemuDomainSupportsEncryptedSecret(priv)) {
|
|
|
a41c76 |
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
|
|
a41c76 |
- _("encrypted secrets are not supported"));
|
|
|
a41c76 |
- return NULL;
|
|
|
a41c76 |
- }
|
|
|
a41c76 |
-
|
|
|
a41c76 |
- if (VIR_ALLOC(secinfo) < 0)
|
|
|
a41c76 |
- return NULL;
|
|
|
a41c76 |
-
|
|
|
a41c76 |
- if (qemuDomainSecretAESSetup(priv, secinfo, srcAlias, usageType, username,
|
|
|
a41c76 |
- lookupDef, isLuks) < 0) {
|
|
|
a41c76 |
- g_clear_pointer(&secinfo, qemuDomainSecretInfoFree);
|
|
|
a41c76 |
- return NULL;
|
|
|
a41c76 |
- }
|
|
|
a41c76 |
-
|
|
|
a41c76 |
- return secinfo;
|
|
|
a41c76 |
+ return qemuDomainSecretAESSetup(priv, srcAlias, usageType, username,
|
|
|
a41c76 |
+ lookupDef, isLuks);
|
|
|
a41c76 |
}
|
|
|
a41c76 |
|
|
|
a41c76 |
|
|
|
a41c76 |
--
|
|
|
a41c76 |
2.25.1
|
|
|
a41c76 |
|