On 11/6/25 15:50, Daniel P. Berrangé via Devel wrote:
> From: Daniel P. Berrangé <[email protected]>
>
> Future patches will make it possible to load multiple certificate
> files. This prepares the sanity checking code to support that by
> taking a NULL-terminated array of cert filenames.
>
> Signed-off-by: Daniel P. Berrangé <[email protected]>
> ---
> src/rpc/virnettlscert.c | 35 ++++++++++++++++++++++-------------
> src/rpc/virnettlscert.h | 2 +-
> src/rpc/virnettlscontext.c | 6 ++++--
> tools/virt-pki-validate.c | 3 ++-
> 4 files changed, 29 insertions(+), 17 deletions(-)
>
> diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
> index 3efc4f0716..6f20b2601b 100644
> --- a/src/rpc/virnettlscert.c
> +++ b/src/rpc/virnettlscert.c
> @@ -440,40 +440,49 @@ int virNetTLSCertLoadListFromFile(const char *certFile,
> #define MAX_CERTS 16
> int virNetTLSCertSanityCheck(bool isServer,
> const char *cacertFile,
> - const char *certFile)
> + const char *const *certFiles)
> {
> - gnutls_x509_crt_t cert = NULL;
> + gnutls_x509_crt_t *certs = NULL;
This ^^ needs to be g_autofree so that it doesn't leak.
> gnutls_x509_crt_t cacerts[MAX_CERTS] = { 0 };
> size_t ncacerts = 0;
> size_t i;
> int ret = -1;
>
> - if ((access(certFile, R_OK) == 0) &&
> - !(cert = virNetTLSCertLoadFromFile(certFile, isServer)))
> - goto cleanup;
> + certs = g_new0(gnutls_x509_crt_t, g_strv_length((gchar **)certFiles));
> + for (i = 0; certFiles[i] != NULL; i++) {
> + if ((access(certFiles[i], R_OK) == 0) &&
> + !(certs[i] = virNetTLSCertLoadFromFile(certFiles[i], isServer)))
> + goto cleanup;
> + }
> if ((access(cacertFile, R_OK) == 0) &&
> virNetTLSCertLoadListFromFile(cacertFile, cacerts,
> MAX_CERTS, &ncacerts) < 0)
> goto cleanup;
>
> - if (cert &&
> - virNetTLSCertCheck(cert, certFile, isServer, false) < 0)
> - goto cleanup;
> + for (i = 0; certFiles[i] != NULL; i++) {
> + if (certs[i] &&
> + virNetTLSCertCheck(certs[i], certFiles[i], isServer, false) < 0)
> + goto cleanup;
> + }
>
> for (i = 0; i < ncacerts; i++) {
> if (virNetTLSCertCheck(cacerts[i], cacertFile, isServer, true) < 0)
> goto cleanup;
> }
>
> - if (cert && ncacerts &&
> - virNetTLSCertCheckPair(cert, certFile, cacerts, ncacerts,
> cacertFile, isServer) < 0)
> - goto cleanup;
> + for (i = 0; certFiles[i] != NULL && ncacerts; i++) {
> + if (certs[i] && ncacerts &&
> + virNetTLSCertCheckPair(certs[i], certFiles[i], cacerts,
> ncacerts, cacertFile, isServer) < 0)
> + goto cleanup;
> + }
>
> ret = 0;
>
> cleanup:
> - if (cert)
> - gnutls_x509_crt_deinit(cert);
> + for (i = 0; certFiles[i] != NULL; i++) {
> + if (certs[i])
> + gnutls_x509_crt_deinit(certs[i]);
> + }
> for (i = 0; i < ncacerts; i++)
> gnutls_x509_crt_deinit(cacerts[i]);
> return ret;
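Review bot: The pairing loop `for (i = 0; certFiles[i] != NULL && ncacerts; i++)` tests `ncacerts` in the loop condition and then again in the body's `if (certs[i] && ncacerts && ...)`, so one of the two checks is dead; since `ncacerts` does not change inside the loop, guard once with `if (ncacerts)` around a plain `for (i = 0; certFiles[i] != NULL; i++)` loop, or drop `&& ncacerts` from the body. Separately, `g_new0(..., g_strv_length((gchar **)certFiles))` followed by `certFiles[i]` means a NULL `certFiles` now dereferences NULL, whereas the old `access(certFile, R_OK)` merely failed with EFAULT and skipped the check; if any of the updated callers (in hunks not shown here) can still pass NULL, an early `if (!certFiles) goto cacert_check;` style guard or a documented non-NULL precondition in virnettlscert.h would pin that down. The cast that strips `const` for `g_strv_length()` is also worth a one-line comment, e.g. `/* g_strv_length() only reads; cast drops const for the prototype */`. The function's closing brace lies outside the quoted hunk.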
Michal