提交 a219c3ab 编写于 作者: D Daniel P. Berrange

Improved error checking for cert/key files

上级 bb6476e7
Thu Jul 12 10:57:17 CEST 2007 Daniel Veillard <veillard@redhat.com>
* qemud/qemud.c: Add explicit checks for existance of x509
certificate & key files to get better error reporting than
GNU TLS offers when it can't load a file
Thu Jul 12 10:57:17 CEST 2007 Daniel Veillard <veillard@redhat.com> Thu Jul 12 10:57:17 CEST 2007 Daniel Veillard <veillard@redhat.com>
* src/xen_internal.c: applied patch from Christian Ehrhardt to * src/xen_internal.c: applied patch from Christian Ehrhardt to
...@@ -112,6 +112,18 @@ static int qemudRegisterClientEvent(struct qemud_server *server, ...@@ -112,6 +112,18 @@ static int qemudRegisterClientEvent(struct qemud_server *server,
struct qemud_client *client, struct qemud_client *client,
int remove); int remove);
static int
remoteCheckCertFile(const char *type, const char *file)
{
struct stat sb;
if (stat(file, &sb) < 0) {
qemudLog (QEMUD_ERR, "Cannot access %s '%s': %s (%d)",
type, file, strerror(errno), errno);
return -1;
}
return 0;
}
static int static int
remoteInitializeGnuTLS (void) remoteInitializeGnuTLS (void)
{ {
...@@ -128,6 +140,9 @@ remoteInitializeGnuTLS (void) ...@@ -128,6 +140,9 @@ remoteInitializeGnuTLS (void)
} }
if (ca_file && ca_file[0] != '\0') { if (ca_file && ca_file[0] != '\0') {
if (remoteCheckCertFile("CA certificate", ca_file) < 0)
return -1;
qemudDebug ("loading CA cert from %s", ca_file); qemudDebug ("loading CA cert from %s", ca_file);
err = gnutls_certificate_set_x509_trust_file (x509_cred, ca_file, err = gnutls_certificate_set_x509_trust_file (x509_cred, ca_file,
GNUTLS_X509_FMT_PEM); GNUTLS_X509_FMT_PEM);
...@@ -139,6 +154,9 @@ remoteInitializeGnuTLS (void) ...@@ -139,6 +154,9 @@ remoteInitializeGnuTLS (void)
} }
if (crl_file && crl_file[0] != '\0') { if (crl_file && crl_file[0] != '\0') {
if (remoteCheckCertFile("CA revocation list", ca_file) < 0)
return -1;
qemudDebug ("loading CRL from %s", crl_file); qemudDebug ("loading CRL from %s", crl_file);
err = gnutls_certificate_set_x509_crl_file (x509_cred, crl_file, err = gnutls_certificate_set_x509_crl_file (x509_cred, crl_file,
GNUTLS_X509_FMT_PEM); GNUTLS_X509_FMT_PEM);
...@@ -150,6 +168,10 @@ remoteInitializeGnuTLS (void) ...@@ -150,6 +168,10 @@ remoteInitializeGnuTLS (void)
} }
if (cert_file && cert_file[0] != '\0' && key_file && key_file[0] != '\0') { if (cert_file && cert_file[0] != '\0' && key_file && key_file[0] != '\0') {
if (remoteCheckCertFile("server certificate", cert_file) < 0)
return -1;
if (remoteCheckCertFile("server key", key_file) < 0)
return -1;
qemudDebug ("loading cert and key from %s and %s", qemudDebug ("loading cert and key from %s and %s",
cert_file, key_file); cert_file, key_file);
err = err =
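Review bot: The CRL check in the second qemud.c hunk passes `ca_file` to remoteCheckCertFile instead of `crl_file`, so a missing or inaccessible CRL is not caught and the error message names the wrong path; the line should read `if (remoteCheckCertFile("CA revocation list", crl_file) < 0)`. The stat() in remoteCheckCertFile only establishes that the path exists, not that the daemon can read it, so an unreadable key or certificate file still falls through to the generic GnuTLS load error this change was meant to improve; either an `access(file, R_OK)` check alongside stat(), or a comment on the helper such as `/* Existence check only; read permission failures are still reported by GnuTLS */`, would make that limit explicit. remoteInitializeGnuTLS starts and ends outside the hunks shown, and the final hunk is cut off after `err =`.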