mirror of
https://github.com/qemu/qemu.git
synced 2026-07-08 17:46:10 +00:00
crypto: reduce duplication in handling TLS priority strings
The logic for setting the TLS priority string on a session object has a significant amount of logic duplication across the different credential types. By recording the extra priority string suffix against the credential class, we can introduce a common method for building the priority string. The TLS session can now set the priority string without caring about the credential type. Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
@@ -268,6 +268,21 @@ bool qcrypto_tls_creds_check_endpoint(QCryptoTLSCreds *creds,
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds *creds)
|
||||
{
|
||||
QCryptoTLSCredsClass *tcc = QCRYPTO_TLS_CREDS_GET_CLASS(creds);
|
||||
const char *priorityBase =
|
||||
creds->priority ? creds->priority : CONFIG_TLS_PRIORITY;
|
||||
|
||||
if (tcc->prioritySuffix) {
|
||||
return g_strdup_printf("%s:%s", priorityBase, tcc->prioritySuffix);
|
||||
} else {
|
||||
return g_strdup(priorityBase);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static const TypeInfo qcrypto_tls_creds_info = {
|
||||
.parent = TYPE_OBJECT,
|
||||
.name = TYPE_QCRYPTO_TLS_CREDS,
|
||||
|
||||
@@ -137,8 +137,10 @@ static void
|
||||
qcrypto_tls_creds_anon_class_init(ObjectClass *oc, const void *data)
|
||||
{
|
||||
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
|
||||
QCryptoTLSCredsClass *tcc = QCRYPTO_TLS_CREDS_CLASS(oc);
|
||||
|
||||
ucc->complete = qcrypto_tls_creds_anon_complete;
|
||||
tcc->prioritySuffix = "+ANON-DH";
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -240,8 +240,10 @@ static void
|
||||
qcrypto_tls_creds_psk_class_init(ObjectClass *oc, const void *data)
|
||||
{
|
||||
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
|
||||
QCryptoTLSCredsClass *tcc = QCRYPTO_TLS_CREDS_CLASS(oc);
|
||||
|
||||
ucc->complete = qcrypto_tls_creds_psk_complete;
|
||||
tcc->prioritySuffix = "+ECDHE-PSK:+DHE-PSK:+PSK";
|
||||
|
||||
object_class_property_add_str(oc, "username",
|
||||
qcrypto_tls_creds_psk_prop_get_username,
|
||||
|
||||
@@ -155,9 +155,6 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t len)
|
||||
}
|
||||
}
|
||||
|
||||
#define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH"
|
||||
#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK"
|
||||
|
||||
QCryptoTLSSession *
|
||||
qcrypto_tls_session_new(QCryptoTLSCreds *creds,
|
||||
const char *hostname,
|
||||
@@ -167,6 +164,7 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
|
||||
{
|
||||
QCryptoTLSSession *session;
|
||||
int ret;
|
||||
g_autofree char *prio = NULL;
|
||||
|
||||
session = g_new0(QCryptoTLSSession, 1);
|
||||
trace_qcrypto_tls_session_new(
|
||||
@@ -200,28 +198,17 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
|
||||
goto error;
|
||||
}
|
||||
|
||||
prio = qcrypto_tls_creds_get_priority(creds);
|
||||
ret = gnutls_priority_set_direct(session->handle, prio, NULL);
|
||||
if (ret < 0) {
|
||||
error_setg(errp, "Unable to set TLS session priority %s: %s",
|
||||
prio, gnutls_strerror(ret));
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (object_dynamic_cast(OBJECT(creds),
|
||||
TYPE_QCRYPTO_TLS_CREDS_ANON)) {
|
||||
QCryptoTLSCredsAnon *acreds = QCRYPTO_TLS_CREDS_ANON(creds);
|
||||
char *prio;
|
||||
|
||||
if (creds->priority != NULL) {
|
||||
prio = g_strdup_printf("%s:%s",
|
||||
creds->priority,
|
||||
TLS_PRIORITY_ADDITIONAL_ANON);
|
||||
} else {
|
||||
prio = g_strdup(CONFIG_TLS_PRIORITY ":"
|
||||
TLS_PRIORITY_ADDITIONAL_ANON);
|
||||
}
|
||||
|
||||
ret = gnutls_priority_set_direct(session->handle, prio, NULL);
|
||||
if (ret < 0) {
|
||||
error_setg(errp, "Unable to set TLS session priority %s: %s",
|
||||
prio, gnutls_strerror(ret));
|
||||
g_free(prio);
|
||||
goto error;
|
||||
}
|
||||
g_free(prio);
|
||||
if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
|
||||
ret = gnutls_credentials_set(session->handle,
|
||||
GNUTLS_CRD_ANON,
|
||||
@@ -239,25 +226,6 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
|
||||
} else if (object_dynamic_cast(OBJECT(creds),
|
||||
TYPE_QCRYPTO_TLS_CREDS_PSK)) {
|
||||
QCryptoTLSCredsPSK *pcreds = QCRYPTO_TLS_CREDS_PSK(creds);
|
||||
char *prio;
|
||||
|
||||
if (creds->priority != NULL) {
|
||||
prio = g_strdup_printf("%s:%s",
|
||||
creds->priority,
|
||||
TLS_PRIORITY_ADDITIONAL_PSK);
|
||||
} else {
|
||||
prio = g_strdup(CONFIG_TLS_PRIORITY ":"
|
||||
TLS_PRIORITY_ADDITIONAL_PSK);
|
||||
}
|
||||
|
||||
ret = gnutls_priority_set_direct(session->handle, prio, NULL);
|
||||
if (ret < 0) {
|
||||
error_setg(errp, "Unable to set TLS session priority %s: %s",
|
||||
prio, gnutls_strerror(ret));
|
||||
g_free(prio);
|
||||
goto error;
|
||||
}
|
||||
g_free(prio);
|
||||
if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
|
||||
ret = gnutls_credentials_set(session->handle,
|
||||
GNUTLS_CRD_PSK,
|
||||
@@ -275,17 +243,7 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
|
||||
} else if (object_dynamic_cast(OBJECT(creds),
|
||||
TYPE_QCRYPTO_TLS_CREDS_X509)) {
|
||||
QCryptoTLSCredsX509 *tcreds = QCRYPTO_TLS_CREDS_X509(creds);
|
||||
const char *prio = creds->priority;
|
||||
if (!prio) {
|
||||
prio = CONFIG_TLS_PRIORITY;
|
||||
}
|
||||
|
||||
ret = gnutls_priority_set_direct(session->handle, prio, NULL);
|
||||
if (ret < 0) {
|
||||
error_setg(errp, "Cannot set default TLS session priority %s: %s",
|
||||
prio, gnutls_strerror(ret));
|
||||
goto error;
|
||||
}
|
||||
ret = gnutls_credentials_set(session->handle,
|
||||
GNUTLS_CRD_CERTIFICATE,
|
||||
tcreds->data);
|
||||
|
||||
Reference in New Issue
Block a user