libvirtd: add config option for TLS priority

Add a "tls_priority" config option to /etc/libvirt/libvirtd.conf
to allow the administrator to override the built-in default
setting. This only affects the server side configuration.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

daemon/libvirtd-config.c

@@ -367,6 +367,7 @@ daemonConfigFree(struct daemonConfig *data)
         tmp++;
     }
     VIR_FREE(data->sasl_allowed_username_list);
+    VIR_FREE(data->tls_priority);
 
     VIR_FREE(data->key_file);
     VIR_FREE(data->ca_file);
@@ -442,6 +443,7 @@ daemonConfigLoadOptions(struct daemonConfig *data,
                                   &data->sasl_allowed_username_list, filename) < 0)
         goto error;
 
+    GET_CONF_STR(conf, filename, tls_priority);
 
     GET_CONF_UINT(conf, filename, min_workers);
     GET_CONF_UINT(conf, filename, max_workers);

daemon/libvirtd-config.h

@@ -56,6 +56,7 @@ struct daemonConfig {
     int tls_no_sanity_certificate;
     char **tls_allowed_dn_list;
     char **sasl_allowed_username_list;
+    char *tls_priority;
 
     char *key_file;
     char *cert_file;

daemon/libvirtd.aug

@@ -53,6 +53,7 @@ module Libvirtd =
                            | str_array_entry "tls_allowed_dn_list"
                            | str_array_entry "sasl_allowed_username_list"
                            | str_array_entry "access_drivers"
+                           | str_entry "tls_priority"
 
    let processing_entry = int_entry "min_workers"
                         | int_entry "max_workers"

daemon/libvirtd.c

@@ -585,7 +585,7 @@ daemonSetupNetworking(virNetServerPtr srv,
                                                        config->cert_file,
                                                        config->key_file,
                                                        (const char *const*)config->tls_allowed_dn_list,
-                                                       NULL,
+                                                       config->tls_priority,
                                                        config->tls_no_sanity_certificate ? false : true,
                                                        config->tls_no_verify_certificate ? false : true)))
                     goto cleanup;
@@ -593,7 +593,7 @@ daemonSetupNetworking(virNetServerPtr srv,
                 if (!(ctxt = virNetTLSContextNewServerPath(NULL,
                                                            !privileged,
                                                            (const char *const*)config->tls_allowed_dn_list,
-                                                           NULL,
+                                                           config->tls_priority,
                                                            config->tls_no_sanity_certificate ? false : true,
                                                            config->tls_no_verify_certificate ? false : true)))
                     goto cleanup;

daemon/libvirtd.conf

@@ -242,7 +242,7 @@
 #tls_allowed_dn_list = ["DN1", "DN2"]
 
 
-# A whitelist of allowed SASL usernames. The format for usernames
+# A whitelist of allowed SASL usernames. The format for username
 # depends on the SASL authentication mechanism. Kerberos usernames
 # look like username@REALM
 #
@@ -259,6 +259,13 @@
 #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
 
 
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
 
 #################################################################
 #

daemon/test_libvirtd.aug.in

@@ -35,6 +35,7 @@ module Test_libvirtd =
              { "1" = "joe@EXAMPLE.COM" }
              { "2" = "fred@EXAMPLE.COM" }
         }
+        { "tls_priority" = "NORMAL" }
         { "max_clients" = "5000" }
         { "max_queued_clients" = "1000" }
         { "max_anonymous_clients" = "20" }