render / rpms / libvirt

Forked from rpms/libvirt 10 months ago
Clone
fbe740
From 881121d506d6482d4bdbf557994f31d6eb55af3f Mon Sep 17 00:00:00 2001
fbe740
Message-Id: <881121d506d6482d4bdbf557994f31d6eb55af3f@dist-git>
fbe740
From: Peter Krempa <pkrempa@redhat.com>
fbe740
Date: Mon, 16 Mar 2020 22:11:47 +0100
fbe740
Subject: [PATCH] qemuDomainSecretAESSetup: Split out lookup of secret data
fbe740
MIME-Version: 1.0
fbe740
Content-Type: text/plain; charset=UTF-8
fbe740
Content-Transfer-Encoding: 8bit
fbe740
fbe740
Split out the lookup of the secret from the secret driver into
fbe740
qemuDomainSecretAESSetupFromSecret so that we can also instantiate
fbe740
secret objects in qemu with data from other sources.
fbe740
fbe740
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
fbe740
Reviewed-by: Ján Tomko <jtomko@redhat.com>
fbe740
(cherry picked from commit 88663e59ef62346cdea7e260c5d598c2e738c674)
fbe740
fbe740
https://bugzilla.redhat.com/show_bug.cgi?id=1804750
fbe740
Message-Id: <159609ccfe0ca42a20409e83f3f0d521113d8938.1584391726.git.pkrempa@redhat.com>
fbe740
Reviewed-by: Ján Tomko <jtomko@redhat.com>
fbe740
---
fbe740
 src/qemu/qemu_domain.c | 87 ++++++++++++++++++++++++++----------------
fbe740
 1 file changed, 54 insertions(+), 33 deletions(-)
fbe740
fbe740
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
fbe740
index 37e361b1f4..c286f50650 100644
fbe740
--- a/src/qemu/qemu_domain.c
fbe740
+++ b/src/qemu/qemu_domain.c
fbe740
@@ -1522,37 +1522,28 @@ qemuDomainSecretPlainSetup(qemuDomainSecretInfoPtr secinfo,
fbe740
 
fbe740
 /* qemuDomainSecretAESSetup:
fbe740
  * @priv: pointer to domain private object
fbe740
- * @secinfo: Pointer to secret info
fbe740
- * @srcalias: Alias of the disk/hostdev used to generate the secret alias
fbe740
- * @usageType: The virSecretUsageType
fbe740
- * @username: username to use for authentication (may be NULL)
fbe740
- * @seclookupdef: Pointer to seclookupdef data
fbe740
- * @isLuks: True/False for is for luks (alias generation)
fbe740
+ * @alias: alias of the secret
fbe740
+ * @username: username to use (may be NULL)
fbe740
+ * @secret: secret data
fbe740
+ * @secretlen: length of @secret
fbe740
  *
fbe740
- * Encrypts a secret looked up via @seclookupdef for use with qemu.
fbe740
+ * Encrypts @secret for use with qemu.
fbe740
  *
fbe740
  * Returns qemuDomainSecretInfoPtr filled with the necessary information.
fbe740
  */
fbe740
 static qemuDomainSecretInfoPtr
fbe740
 qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
fbe740
-                         const char *srcalias,
fbe740
-                         virSecretUsageType usageType,
fbe740
+                         const char *alias,
fbe740
                          const char *username,
fbe740
-                         virSecretLookupTypeDefPtr seclookupdef,
fbe740
-                         bool isLuks)
fbe740
+                         uint8_t *secret,
fbe740
+                         size_t secretlen)
fbe740
 {
fbe740
     g_autoptr(qemuDomainSecretInfo) secinfo = NULL;
fbe740
-    g_autoptr(virConnect) conn = virGetConnectSecret();
fbe740
     g_autofree uint8_t *raw_iv = NULL;
fbe740
     size_t ivlen = QEMU_DOMAIN_AES_IV_LEN;
fbe740
-    uint8_t *secret = NULL;
fbe740
-    size_t secretlen = 0;
fbe740
     g_autofree uint8_t *ciphertext = NULL;
fbe740
     size_t ciphertextlen = 0;
fbe740
 
fbe740
-    if (!conn)
fbe740
-        return NULL;
fbe740
-
fbe740
     if (!qemuDomainSupportsEncryptedSecret(priv)) {
fbe740
         virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
fbe740
                        _("encrypted secrets are not supported"));
fbe740
@@ -1562,11 +1553,9 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
fbe740
     secinfo = g_new0(qemuDomainSecretInfo, 1);
fbe740
 
fbe740
     secinfo->type = VIR_DOMAIN_SECRET_INFO_TYPE_AES;
fbe740
+    secinfo->s.aes.alias = g_strdup(alias);
fbe740
     secinfo->s.aes.username = g_strdup(username);
fbe740
 
fbe740
-    if (!(secinfo->s.aes.alias = qemuDomainGetSecretAESAlias(srcalias, isLuks)))
fbe740
-        return NULL;
fbe740
-
fbe740
     raw_iv = g_new0(uint8_t, ivlen);
fbe740
 
fbe740
     /* Create a random initialization vector */
fbe740
@@ -1576,29 +1565,61 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
fbe740
     /* Encode the IV and save that since qemu will need it */
fbe740
     secinfo->s.aes.iv = g_base64_encode(raw_iv, ivlen);
fbe740
 
fbe740
-    /* Grab the unencoded secret */
fbe740
-    if (virSecretGetSecretString(conn, seclookupdef, usageType,
fbe740
-                                 &secret, &secretlen) < 0)
fbe740
-        goto error;
fbe740
-
fbe740
     if (virCryptoEncryptData(VIR_CRYPTO_CIPHER_AES256CBC,
fbe740
                              priv->masterKey, QEMU_DOMAIN_MASTER_KEY_LEN,
fbe740
                              raw_iv, ivlen, secret, secretlen,
fbe740
                              &ciphertext, &ciphertextlen) < 0)
fbe740
-        goto error;
fbe740
-
fbe740
-    /* Clear out the secret */
fbe740
-    memset(secret, 0, secretlen);
fbe740
+        return NULL;
fbe740
 
fbe740
     /* Now encode the ciphertext and store to be passed to qemu */
fbe740
     secinfo->s.aes.ciphertext = g_base64_encode(ciphertext,
fbe740
                                                 ciphertextlen);
fbe740
 
fbe740
     return g_steal_pointer(&secinfo);
fbe740
+}
fbe740
+
fbe740
+
fbe740
+/**
fbe740
+ * qemuDomainSecretAESSetupFromSecret:
fbe740
+ * @priv: pointer to domain private object
fbe740
+ * @srcalias: Alias of the disk/hostdev used to generate the secret alias
fbe740
+ * @usageType: The virSecretUsageType
fbe740
+ * @username: username to use for authentication (may be NULL)
fbe740
+ * @seclookupdef: Pointer to seclookupdef data
fbe740
+ * @isLuks: True/False for is for luks (alias generation)
fbe740
+ *
fbe740
+ * Looks up a secret in the secret driver based on @usageType and @seclookupdef
fbe740
+ * and builds qemuDomainSecretInfoPtr from it.
fbe740
+ */
fbe740
+static qemuDomainSecretInfoPtr
fbe740
+qemuDomainSecretAESSetupFromSecret(qemuDomainObjPrivatePtr priv,
fbe740
+                                   const char *srcalias,
fbe740
+                                   virSecretUsageType usageType,
fbe740
+                                   const char *username,
fbe740
+                                   virSecretLookupTypeDefPtr seclookupdef,
fbe740
+                                   bool isLuks)
fbe740
+{
fbe740
+    g_autoptr(virConnect) conn = virGetConnectSecret();
fbe740
+    qemuDomainSecretInfoPtr secinfo;
fbe740
+    g_autofree char *alias = NULL;
fbe740
+    uint8_t *secret = NULL;
fbe740
+    size_t secretlen = 0;
fbe740
+
fbe740
+    if (!conn)
fbe740
+        return NULL;
fbe740
+
fbe740
+    if (!(alias = qemuDomainGetSecretAESAlias(srcalias, isLuks)))
fbe740
+        return NULL;
fbe740
+
fbe740
+    if (virSecretGetSecretString(conn, seclookupdef, usageType,
fbe740
+                                 &secret, &secretlen) < 0)
fbe740
+        return NULL;
fbe740
+
fbe740
+    secinfo = qemuDomainSecretAESSetup(priv, alias, username, secret, secretlen);
fbe740
 
fbe740
- error:
fbe740
     VIR_DISPOSE_N(secret, secretlen);
fbe740
-    return NULL;
fbe740
+
fbe740
+    return secinfo;
fbe740
 }
fbe740
 
fbe740
 
fbe740
@@ -1670,8 +1691,8 @@ qemuDomainSecretInfoNew(qemuDomainObjPrivatePtr priv,
fbe740
                         virSecretLookupTypeDefPtr lookupDef,
fbe740
                         bool isLuks)
fbe740
 {
fbe740
-    return qemuDomainSecretAESSetup(priv, srcAlias, usageType, username,
fbe740
-                                    lookupDef, isLuks);
fbe740
+    return qemuDomainSecretAESSetupFromSecret(priv, srcAlias, usageType, username,
fbe740
+                                              lookupDef, isLuks);
fbe740
 }
fbe740
 
fbe740
 
fbe740
-- 
fbe740
2.25.1
fbe740