Improved error checking for cert/key files

a219c3ab · Daniel P. Berrange · bb6476e7 · a219c3ab · a219c3ab
显示空白变更内容
内联并排

Showing with 28 addition and 0 deletion

ChangeLog ChangeLog +6 -0

qemud/qemud.c qemud/qemud.c +22 -0

未找到文件。
--- a/ChangeLog
+++ b/ChangeLog
+Thu Jul 12 10:57:17 CEST 2007 Daniel Veillard <veillard@redhat.com>
+
+	* qemud/qemud.c: Add explicit checks for existance of x509
+	certificate & key files to get better error reporting than
+	GNU TLS offers when it can't load a file
+
 Thu Jul 12 10:57:17 CEST 2007 Daniel Veillard <veillard@redhat.com>

 	* src/xen_internal.c: applied patch from Christian Ehrhardt to

--- a/qemud/qemud.c
+++ b/qemud/qemud.c
@@ -112,6 +112,18 @@ static int qemudRegisterClientEvent(struct qemud_server *server,
                                    struct qemud_client *client,
                                    int remove);

+static int
+remoteCheckCertFile(const char *type, const char *file)
+{
+    struct stat sb;
+    if (stat(file, &sb) < 0) {
+        qemudLog (QEMUD_ERR, "Cannot access %s '%s': %s (%d)",
+                  type, file, strerror(errno), errno);
+        return -1;
+    }
+    return 0;
+}
+
 static int
 remoteInitializeGnuTLS (void)
 {
@@ -128,6 +140,9 @@ remoteInitializeGnuTLS (void)
    }

    if (ca_file && ca_file[0] != '\0') {
+        if (remoteCheckCertFile("CA certificate", ca_file) < 0)
+            return -1;
+
        qemudDebug ("loading CA cert from %s", ca_file);
        err = gnutls_certificate_set_x509_trust_file (x509_cred, ca_file,
                                                      GNUTLS_X509_FMT_PEM);
@@ -139,6 +154,9 @@ remoteInitializeGnuTLS (void)
    }

    if (crl_file && crl_file[0] != '\0') {
+        if (remoteCheckCertFile("CA revocation list", ca_file) < 0)
+            return -1;
+
        qemudDebug ("loading CRL from %s", crl_file);
        err = gnutls_certificate_set_x509_crl_file (x509_cred, crl_file,
                                                    GNUTLS_X509_FMT_PEM);
@@ -150,6 +168,10 @@ remoteInitializeGnuTLS (void)
    }

    if (cert_file && cert_file[0] != '\0' && key_file && key_file[0] != '\0') {
+        if (remoteCheckCertFile("server certificate", cert_file) < 0)
+            return -1;
+        if (remoteCheckCertFile("server key", key_file) < 0)
+            return -1;
        qemudDebug ("loading cert and key from %s and %s",
                    cert_file, key_file);
        err =