On Fri, Nov 07, 2025 at 10:03:30AM +0100, Michal Prívozník wrote:
> On 11/6/25 15:50, Daniel P. Berrangé via Devel wrote:
> > From: Daniel P. Berrangé <[email protected]>
> >
> > Future patches will make it possible to load multiple certificate
> > files. This prepares the sanity checking code to support that by
> > taking a NUL terminated array of cert filenames.
> >
> > Signed-off-by: Daniel P. Berrangé <[email protected]>
> > ---
> > src/rpc/virnettlscert.c | 35 ++++++++++++++++++++++-------------
> > src/rpc/virnettlscert.h | 2 +-
> > src/rpc/virnettlscontext.c | 6 ++++--
> > tools/virt-pki-validate.c | 3 ++-
> > 4 files changed, 29 insertions(+), 17 deletions(-)
> >
> > diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
> > index 3efc4f0716..6f20b2601b 100644
> > --- a/src/rpc/virnettlscert.c
> > +++ b/src/rpc/virnettlscert.c
> > @@ -440,40 +440,49 @@ int virNetTLSCertLoadListFromFile(const char
> > *certFile,
> > #define MAX_CERTS 16
> > int virNetTLSCertSanityCheck(bool isServer,
> > const char *cacertFile,
> > - const char *certFile)
> > + const char *const *certFiles)
> > {
> > - gnutls_x509_crt_t cert = NULL;
> > + gnutls_x509_crt_t *certs = NULL;
>
> This ^^ needs to be g_autofree so that it doesn't leak.
I'll do a manual free for this one - since we have to manually
free the elements, IMHO it would be confusing to have a mix
of manual free and auto-free.
>
> > gnutls_x509_crt_t cacerts[MAX_CERTS] = { 0 };
> > size_t ncacerts = 0;
> > size_t i;
> > int ret = -1;
> >
> > - if ((access(certFile, R_OK) == 0) &&
> > - !(cert = virNetTLSCertLoadFromFile(certFile, isServer)))
> > - goto cleanup;
> > + certs = g_new0(gnutls_x509_crt_t, g_strv_length((gchar **)certFiles));
> > + for (i = 0; certFiles[i] != NULL; i++) {
> > + if ((access(certFiles[i], R_OK) == 0) &&
> > + !(certs[i] = virNetTLSCertLoadFromFile(certFiles[i],
> > isServer)))
> > + goto cleanup;
> > + }
> > if ((access(cacertFile, R_OK) == 0) &&
> > virNetTLSCertLoadListFromFile(cacertFile, cacerts,
> > MAX_CERTS, &ncacerts) < 0)
> > goto cleanup;
> >
> > - if (cert &&
> > - virNetTLSCertCheck(cert, certFile, isServer, false) < 0)
> > - goto cleanup;
> > + for (i = 0; certFiles[i] != NULL; i++) {
> > + if (certs[i] &&
> > + virNetTLSCertCheck(certs[i], certFiles[i], isServer, false) <
> > 0)
> > + goto cleanup;
> > + }
> >
> > for (i = 0; i < ncacerts; i++) {
> > if (virNetTLSCertCheck(cacerts[i], cacertFile, isServer, true) < 0)
> > goto cleanup;
> > }
> >
> > - if (cert && ncacerts &&
> > - virNetTLSCertCheckPair(cert, certFile, cacerts, ncacerts,
> > cacertFile, isServer) < 0)
> > - goto cleanup;
> > + for (i = 0; certFiles[i] != NULL && ncacerts; i++) {
> > + if (certs[i] && ncacerts &&
> > + virNetTLSCertCheckPair(certs[i], certFiles[i], cacerts,
> > ncacerts, cacertFile, isServer) < 0)
> > + goto cleanup;
> > + }
> >
> > ret = 0;
> >
> > cleanup:
> > - if (cert)
> > - gnutls_x509_crt_deinit(cert);
> > + for (i = 0; certFiles[i] != NULL; i++) {
> > + if (certs[i])
> > + gnutls_x509_crt_deinit(certs[i]);
> > + }
> > for (i = 0; i < ncacerts; i++)
> > gnutls_x509_crt_deinit(cacerts[i]);
> > return ret;
>
> Michal
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
