[libvirt] [PATCH 4/7] Refactor TLS to facilitate dynamic probing

Friday, 7 October 2011

From: "Daniel P. Berrange" <berrange(a)redhat.com&gt;

Pull the call to gnutls_x509_crt_get_dn up into a higher function
so that the 'dname' variable will be available for probe points

* src/rpc/virnettlscontext.c: Pull gnutls_x509_crt_get_dn up
  one level
---
 src/rpc/virnettlscontext.c |   34 +++++++++++++++++-----------------
 1 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 971fb80..58accaf 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -383,24 +383,11 @@ static int
 virNetTLSContextCheckCertDN(gnutls_x509_crt_t cert,
                             const char *certFile,
                             const char *hostname,
+                            const char *dname,
                             const char *const* whitelist)
 {
-    int ret;
-    char name[256];
-    size_t namesize = sizeof name;
-
-    memset(name, 0, namesize);
-
-    ret = gnutls_x509_crt_get_dn(cert, name, &namesize);
-    if (ret != 0) {
-        virNetError(VIR_ERR_SYSTEM_ERROR,
-                    _("Failed to get certificate %s distinguished name: %s"),
-                    certFile, gnutls_strerror(ret));
-        return -1;
-    }
-    VIR_DEBUG("Peer DN is %s", name);
-    if (whitelist &&
-        virNetTLSContextCheckCertDNWhitelist(name, whitelist) <= 0)
+    if (whitelist && dname &&
+        virNetTLSContextCheckCertDNWhitelist(dname, whitelist) <= 0)
         return -1;
 
     if (hostname &&
@@ -955,6 +942,10 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr
ctxt,
     unsigned int status;
     const gnutls_datum_t *certs;
     unsigned int nCerts, i;
+    char dname[256];
+    size_t dnamesize = sizeof(dname);
+
+    memset(dname, 0, dnamesize);
 
     if ((ret = gnutls_certificate_verify_peers2(sess->session, &status)) < 0){
         virNetError(VIR_ERR_SYSTEM_ERROR,
@@ -1021,7 +1012,16 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr
ctxt,
         }
 
         if (i == 0) {
-            if (virNetTLSContextCheckCertDN(cert, "[session]",
sess->hostname,
+            ret = gnutls_x509_crt_get_dn(cert, dname, &dnamesize);
+            if (ret != 0) {
+                virNetError(VIR_ERR_SYSTEM_ERROR,
+                            _("Failed to get certificate %s distinguished name:
%s"),
+                            "[session]", gnutls_strerror(ret));
+                goto authfail;
+            }
+            VIR_DEBUG("Peer DN is %s", dname);
+
+            if (virNetTLSContextCheckCertDN(cert, "[session]",
sess->hostname, dname,
                                             ctxt->x509dnWhitelist) < 0) {
                 gnutls_x509_crt_deinit(cert);
                 goto authdeny;
-- 
1.7.6.4


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCH 4/7] Refactor TLS to facilitate dynamic probing