From: Henry Kleynhans <hkleynh...@fb.com>
Some CA files may contain multiple intermediaries and roots of trust.
These may not fit into the hard-coded limit of 16.
Extend the validation code to allocate enough space to load all of the
certificates present in the CA file and ensure they are cleaned up.
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>
Signed-off-by: Henry Kleynhans <hkleynh...@fb.com>
[DB: drop MAX_CERTS constant & whitespace tweaks]
Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
---
crypto/tlscredsx509.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index 63a72fe47c..cd1f504471 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -426,9 +426,8 @@ qcrypto_tls_creds_load_cert(QCryptoTLSCredsX509 *creds,
static int
qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 *creds,
const char *certFile,
- gnutls_x509_crt_t *certs,
- unsigned int certMax,
- size_t *ncerts,
+ gnutls_x509_crt_t **certs,
+ unsigned int *ncerts,
Error **errp)
{
gnutls_datum_t data;
@@ -449,20 +448,18 @@ qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509
*creds,
data.data = (unsigned char *)buf;
data.size = strlen(buf);
- if (gnutls_x509_crt_list_import(certs, &certMax, &data,
- GNUTLS_X509_FMT_PEM, 0) < 0) {
+ if (gnutls_x509_crt_list_import2(certs, ncerts, &data,
+ GNUTLS_X509_FMT_PEM, 0) < 0) {
error_setg(errp,
"Unable to import CA certificate list %s",
certFile);
return -1;
}
- *ncerts = certMax;
return 0;
}
-#define MAX_CERTS 16
static int
qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds,
bool isServer,
@@ -471,12 +468,11 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509
*creds,
Error **errp)
{
gnutls_x509_crt_t cert = NULL;
- gnutls_x509_crt_t cacerts[MAX_CERTS];
- size_t ncacerts = 0;
+ gnutls_x509_crt_t *cacerts = NULL;
+ unsigned int ncacerts = 0;
size_t i;
int ret = -1;
- memset(cacerts, 0, sizeof(cacerts));
if (certFile &&
access(certFile, R_OK) == 0) {
cert = qcrypto_tls_creds_load_cert(creds,
@@ -488,8 +484,9 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509
*creds,
}
if (access(cacertFile, R_OK) == 0) {
if (qcrypto_tls_creds_load_ca_cert_list(creds,
- cacertFile, cacerts,
- MAX_CERTS, &ncacerts,
+ cacertFile,
+ &cacerts,
+ &ncacerts,
errp) < 0) {
goto cleanup;
}
@@ -526,6 +523,8 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509
*creds,
for (i = 0; i < ncacerts; i++) {
gnutls_x509_crt_deinit(cacerts[i]);
}
+ g_free(cacerts);
+
return ret;
}
--
2.50.1
