Do more complete initialization of libgcrypt

If libvirt makes any gcry_control() calls, then this prevents gnutls for doing any initialization. As such we must take care to do full initialization of libcrypt on a par with what gnutls would have done. In particular we must disable "sec mem" for cases where the user does not have mlock() permission. We also skip our init of libgcrypt if something else (ie the app using libvirt) has beaten us to it. https://bugzilla.redhat.com/show_bug.cgi?id=951630Signed-off-by: N Daniel P. Berrange <berrange@redhat.com>

Do more complete initialization of libgcrypt
If libvirt makes any gcry_control() calls, then this prevents gnutls for doing any initialization. As such we must take care to do full initialization of libcrypt on a par with what gnutls would have done. In particular we must disable "sec mem" for cases where the user does not have mlock() permission. We also skip our init of libgcrypt if something else (ie the app using libvirt) has beaten us to it. https://bugzilla.redhat.com/show_bug.cgi?id=951630Signed-off-by: N Daniel P. Berrange <berrange@redhat.com>
e16e2a8b · Daniel P. Berrange · 63b68f3c · e16e2a8b
隐藏空白更改
内联并排

Showing with 13 addition and 2 deletion

src/libvirt.c src/libvirt.c +13 -2

未找到文件。
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -409,8 +409,19 @@ virGlobalInit(void)
        goto error;
 #ifdef WITH_GNUTLS
-    gcry_control(GCRYCTL_SET_THREAD_CBS, &virTLSThreadImpl);
+    /*
-    gcry_check_version(NULL);
+     * This sequence of API calls it copied exactly from
+     * gnutls 2.12.23 source lib/gcrypt/init.c, with
+     * exception that GCRYCTL_ENABLE_QUICK_RANDOM, is
+     * dropped
+     */
+    if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0) {
+        gcry_control(GCRYCTL_SET_THREAD_CBS, &virTLSThreadImpl);
+        gcry_check_version(NULL);
+        gcry_control(GCRYCTL_DISABLE_SECMEM, NULL, 0);
+        gcry_control(GCRYCTL_INITIALIZATION_FINISHED, NULL, 0);
+    }
 #endif
    virLogSetFromEnv();