From: Daniel P. Berrangé via Devel
Reply-To: Daniel P. Berrangé
To: devel@lists.libvirt.org
Subject: [PATCH 07/10] rpc: move file access checks into TLS config API
Date: Thu, 6 Nov 2025 14:50:47 +0000
Message-ID: <20251106145050.1851526-8-berrange@redhat.com>
In-Reply-To: <20251106145050.1851526-1-berrange@redhat.com>
References: <20251106145050.1851526-1-berrange@redhat.com>
List-Id: Development discussions about the libvirt library & tools
From: Daniel P. Berrangé

A future patch will require file access checks to be done as part of locating the certificate files, as we will have the ability to load many more files, most of which will be optional.

Signed-off-by: Daniel P. Berrangé
---
 po/POTFILES                |   1 +
 src/rpc/virnettlsconfig.c  | 168 +++++++++++++++++++++++++++++++++----
 src/rpc/virnettlsconfig.h  |  37 ++++----
 src/rpc/virnettlscontext.c | 161 ++++++++++++++--------------------
 4 files changed, 236 insertions(+), 131 deletions(-)

diff --git a/po/POTFILES b/po/POTFILES index 23da794f84..f0aad35c8c 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -230,6 +230,7 @@ src/rpc/virnetserverservice.c src/rpc/virnetsocket.c src/rpc/virnetsshsession.c src/rpc/virnettlscert.c +src/rpc/virnettlsconfig.c src/rpc/virnettlscontext.c src/secret/secret_driver.c src/security/security_apparmor.c diff --git a/src/rpc/virnettlsconfig.c b/src/rpc/virnettlsconfig.c index ffab3b4fc8..1479eb01ae 100644 --- a/src/rpc/virnettlsconfig.c +++ b/src/rpc/virnettlsconfig.c @@ -21,12 +21,15 @@ #include =20 #include "virnettlsconfig.h" +#include "viralloc.h" #include "virlog.h" #include "virutil.h" +#include "virfile.h" +#include "virerror.h" =20 #define VIR_FROM_THIS VIR_FROM_RPC =20 -VIR_LOG_INIT("rpc.nettlscontext"); +VIR_LOG_INIT("rpc.nettlsconfig"); =20 char *virNetTLSConfigUserPKIBaseDir(void) { 
@@ -142,30 +145,143 @@ void virNetTLSConfigSystemIdentity(bool isServer, key); } =20 -void virNetTLSConfigCustomCreds(const char *pkipath, - bool isServer, - char **cacert, - char **cacrl, - char **cert, - char **key) + +int virNetTLSConfigCheckTrust(const char *cacert, const char *cacrl, + bool *cacertExists, bool *cacrlExists, + bool allowMissingCA) +{ + if (cacertExists) + *cacertExists =3D true; + if (cacrlExists) + *cacrlExists =3D true; + VIR_DEBUG("Checking CA certificate '%s' and CRL '%s'", cacert, NULLSTR= (cacrl)); + if (!virFileExists(cacert)) { + if (allowMissingCA) { + VIR_DEBUG("CA certificate '%s' does not exist", cacert); + if (cacertExists) + *cacertExists =3D false; + } else { + virReportSystemError(errno, _("CA certificate '%1$s' does not = exist"), + cacert); + return -1; + } + } + if (cacrl !=3D NULL && !virFileExists(cacrl)) { + VIR_DEBUG("CA CRL '%s' does not exist", cacrl); + if (cacrlExists) + *cacrlExists =3D false; + } + return 0; +} + +static int virNetTLSConfigEnsureTrust(char **cacert, char **cacrl, + bool allowMissingCA) +{ + bool cacertExists, cacrlExists; + + if (virNetTLSConfigCheckTrust(*cacert, *cacrl, + &cacertExists, &cacrlExists, + allowMissingCA) < 0) + return -1; + + if (!cacertExists) + VIR_FREE(*cacert); + if (!cacrlExists) + VIR_FREE(*cacrl); + + return 0; +} + +int virNetTLSConfigCheckIdentity(const char *cert, const char *key, + bool *identityExists, bool allowMissing) +{ + if (identityExists) + *identityExists =3D true; + VIR_DEBUG("Checking certificate '%s' and key '%s'", cert, key); + if (!virFileExists(cert)) { + int saved_errno =3D errno; + if (allowMissing) { + if (virFileExists(key)) { + virReportSystemError( + saved_errno, + _("Certificate '%1$s' does not exist, but key '%2$s' d= oes"), + cert, key); + return -1; + } + if (identityExists) + *identityExists =3D false; + VIR_DEBUG("Missing cert '%s' / key '%s'", cert, key); + return 0; + } else { + virReportSystemError(saved_errno, _("Certificate '%1$s' does n= ot 
exist"), + cert); + return -1; + } + } else { + if (!virFileExists(key)) { + virReportSystemError(errno, + _("Key '%1$s' does not exist, but certifi= cate '%2$s' does"), + key, cert); + return -1; + } + } + + return 0; +} + + +static int virNetTLSConfigEnsureIdentity(char **cert, char **key, + bool allowMissing) +{ + bool identityExists; + + if (virNetTLSConfigCheckIdentity(*cert, *key, &identityExists, + allowMissing) < 0) + return -1; + + if (!identityExists) { + VIR_FREE(*cert); + VIR_FREE(*key); + } + + return 0; +} + + +int virNetTLSConfigCustomCreds(const char *pkipath, + bool isServer, + char **cacert, + char **cacrl, + char **cert, + char **key) { VIR_DEBUG("Locating creds in custom dir %s", pkipath); virNetTLSConfigTrust(pkipath, pkipath, cacert, cacrl); + + if (virNetTLSConfigEnsureTrust(cacert, cacrl, false) < 0) + return -1; + virNetTLSConfigIdentity(isServer, pkipath, pkipath, cert, key); + + + if (virNetTLSConfigEnsureIdentity(cert, key, !isServer) < 0) + return -1; + + return 0; } =20 -void virNetTLSConfigUserCreds(bool isServer, - char **cacert, - char **cacrl, - char **cert, - char **key) +int virNetTLSConfigUserCreds(bool isServer, + char **cacert, + char **cacrl, + char **cert, + char **key) { g_autofree char *pkipath =3D virNetTLSConfigUserPKIBaseDir(); =20 @@ -175,18 +291,27 @@ void virNetTLSConfigUserCreds(bool isServer, pkipath, cacert, cacrl); + + if (virNetTLSConfigEnsureTrust(cacert, cacrl, true) < 0) + return -1; + virNetTLSConfigIdentity(isServer, pkipath, pkipath, cert, key); + + if (virNetTLSConfigEnsureIdentity(cert, key, true) < 0) + return -1; + + return 0; } =20 -void virNetTLSConfigSystemCreds(bool isServer, - char **cacert, - char **cacrl, - char **cert, - char **key) +int virNetTLSConfigSystemCreds(bool isServer, + char **cacert, + char **cacrl, + char **cert, + char **key) { VIR_DEBUG("Locating creds in system dir %s", LIBVIRT_PKI_DIR); =20 
@@ -194,9 +319,18 @@ void virNetTLSConfigSystemCreds(bool isServer, LIBVIRT_CACRL_DIR, cacert, cacrl); + + if (virNetTLSConfigEnsureTrust(cacert, cacrl, false) < 0) + return -1; + virNetTLSConfigIdentity(isServer, LIBVIRT_CERT_DIR, LIBVIRT_KEY_DIR, cert, key); + + if (virNetTLSConfigEnsureIdentity(cert, key, !isServer) < 0) + return -1; + + return 0; } diff --git a/src/rpc/virnettlsconfig.h b/src/rpc/virnettlsconfig.h index a9378c18b7..9ad213fe06 100644 --- a/src/rpc/virnettlsconfig.h +++ b/src/rpc/virnettlsconfig.h @@ -50,20 +50,25 @@ void virNetTLSConfigSystemIdentity(bool isServer, char **cert, char **key); =20 +int virNetTLSConfigCheckIdentity(const char *cert, const char *key, + bool *identityExists, bool allowMissing); +int virNetTLSConfigCheckTrust(const char *cacert, const char *cacrl, + bool *cacertExists, bool *cacrlExists, + bool allowMissingCA); =20 -void virNetTLSConfigCustomCreds(const char *pkipath, - bool isServer, - char **cacert, - char **cacrl, - char **cert, - char **key); -void virNetTLSConfigUserCreds(bool isServer, - char **cacert, - char **cacrl, - char **cert, - char **key); -void virNetTLSConfigSystemCreds(bool isServer, - char **cacert, - char **cacrl, - char **cert, - char **key); +int virNetTLSConfigCustomCreds(const char *pkipath, + bool isServer, + char **cacert, + char **cacrl, + char **cert, + char **key); +int virNetTLSConfigUserCreds(bool isServer, + char **cacert, + char **cacrl, + char **cert, + char **key); +int virNetTLSConfigSystemCreds(bool isServer, + char **cacert, + char **cacrl, + char **cert, + char **key); diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 37f635f47f..7061eb5953 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -31,7 +31,6 @@ #include "virnettlscert.h" #include "virstring.h" =20 -#include "viralloc.h" #include "virerror.h" #include "virfile.h" #include "virutil.h" 
@@ -88,22 +87,6 @@ static int virNetTLSContextOnceInit(void) VIR_ONCE_GLOBAL_INIT(virNetTLSContext); =20 =20 -static int -virNetTLSContextCheckCertFile(const char *type, const char *file, bool all= owMissing) -{ - if (!virFileExists(file)) { - if (allowMissing) - return 1; - - virReportSystemError(errno, - _("Cannot read %1$s '%2$s'"), - type, file); - return -1; - } - return 0; -} - - static void virNetTLSLog(int level G_GNUC_UNUSED, const char *str G_GNUC_UNUSED) { @@ -112,7 +95,6 @@ static void virNetTLSLog(int level G_GNUC_UNUSED, =20 =20 static int virNetTLSContextLoadCredentials(virNetTLSContext *ctxt, - bool isServer, const char *cacert, const char *cacrl, const char *const *certs, 
@@ -121,66 +103,42 @@ static int virNetTLSContextLoadCredentials(virNetTLSC= ontext *ctxt, int err; size_t i; =20 - if (cacert && cacert[0] !=3D '\0') { - if (virNetTLSContextCheckCertFile("CA certificate", cacert, false)= < 0) - return -1; + VIR_DEBUG("loading CA cert from %s", cacert); + err =3D gnutls_certificate_set_x509_trust_file(ctxt->x509cred, + cacert, + GNUTLS_X509_FMT_PEM); + if (err < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to set x509 CA certificate: %1$s: %2$s"), + cacert, gnutls_strerror(err)); + return -1; + } =20 - VIR_DEBUG("loading CA cert from %s", cacert); - err =3D gnutls_certificate_set_x509_trust_file(ctxt->x509cred, - cacert, - GNUTLS_X509_FMT_PEM); + if (cacrl) { + VIR_DEBUG("loading CRL from %s", cacrl); + err =3D gnutls_certificate_set_x509_crl_file(ctxt->x509cred, + cacrl, + GNUTLS_X509_FMT_PEM); if (err < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to set x509 CA certificate: %1$s: %2$= s"), - cacert, gnutls_strerror(err)); - return -1; - } - } - - if (cacrl && cacrl[0] !=3D '\0') { - int rv; - if ((rv =3D virNetTLSContextCheckCertFile("CA revocation list", ca= crl, true)) < 0) + _("Unable to set x509 certificate revocation li= st: %1$s: %2$s"), + cacrl, gnutls_strerror(err)); return -1; - - if (rv =3D=3D 0) { - VIR_DEBUG("loading CRL from %s", cacrl); - err =3D gnutls_certificate_set_x509_crl_file(ctxt->x509cred, - cacrl, - GNUTLS_X509_FMT_PEM= ); - if (err < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to set x509 certificate revocatio= n list: %1$s: %2$s"), - cacrl, gnutls_strerror(err)); - return -1; - } - } else { - VIR_DEBUG("Skipping non-existent CA CRL %s", cacrl); } + } else { + VIR_DEBUG("no CRL file to load"); } =20 for (i =3D 0; certs[i] !=3D NULL && keys[i] !=3D NULL; i++) { - int rv; - if ((rv =3D virNetTLSContextCheckCertFile("certificate", certs[i],= !isServer)) < 0) - return -1; - if (rv =3D=3D 0 && - (rv =3D virNetTLSContextCheckCertFile("private key", keys[i], = !isServer)) < 0) + 
VIR_DEBUG("loading cert and key from %s and %s", certs[i], keys[i]= ); + err =3D gnutls_certificate_set_x509_key_file(ctxt->x509cred, + certs[i], keys[i], + GNUTLS_X509_FMT_PEM); + if (err < 0) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Unable to set x509 key and certificate: %1$s= , %2$s: %3$s"), + keys[i], certs[i], gnutls_strerror(err)); return -1; - - if (rv =3D=3D 0) { - VIR_DEBUG("loading cert and key from %s and %s", certs[i], key= s[i]); - err =3D - gnutls_certificate_set_x509_key_file(ctxt->x509cred, - certs[i], keys[i], - GNUTLS_X509_FMT_PEM); - if (err < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to set x509 key and certificate: = %1$s, %2$s: %3$s"), - keys[i], certs[i], gnutls_strerror(err)); - return -1; - } - } else { - VIR_DEBUG("Skipping non-existent cert %s key %s on client", - certs[i], keys[i]); } } =20 @@ -200,6 +158,15 @@ static virNetTLSContext *virNetTLSContextNew(const cha= r *cacert, { virNetTLSContext *ctxt; int err; + g_autofree char *certlist =3D certs ? g_strjoinv(", ", (char **)certs)= : NULL; + g_autofree char *keylist =3D keys ? g_strjoinv(", ", (char **)keys) : = NULL; + g_autofree char *acllist =3D x509dnACL ? g_strjoinv(", ", (char **)x50= 9dnACL) : NULL; + + VIR_DEBUG("CA cert=3D%s CRL=3D%s certs=3D'%s' keys=3D'%s' ACL=3D'%s' " + "priority=3D%s sanity-check=3D%d require-valid=3D%d is-serve= r=3D%d", + cacert, NULLSTR(cacrl), NULLSTR(certlist), NULLSTR(keylist), + NULLSTR(acllist), priority, sanityCheckCert, requireValidCer= t, + isServer); =20 if (virNetTLSContextInitialize() < 0) return NULL; @@ -228,7 +195,7 @@ static virNetTLSContext *virNetTLSContextNew(const char= *cacert, virNetTLSCertSanityCheck(isServer, cacert, certs) < 0) goto error; =20 - if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, + if (virNetTLSContextLoadCredentials(ctxt, cacert, cacrl, certs, keys) < 0) goto error; =20 
@@ -268,38 +235,22 @@ static int virNetTLSContextLocateCredentials(const ch= ar *pkipath, * files actually exist there */ if (pkipath) { - virNetTLSConfigCustomCreds(pkipath, isServer, - cacert, cacrl, - cert, key); + if (virNetTLSConfigCustomCreds(pkipath, isServer, + cacert, cacrl, + cert, key) < 0) + return -1; } else { - if (tryUserPkiPath) { + if (tryUserPkiPath && virNetTLSConfigUserCreds(isServer, cacert, cacrl, - cert, key); - - /* - * If some of the files can't be found, fallback - * to the global location for them - */ - if (!virFileExists(*cacert)) - VIR_FREE(*cacert); - if (!virFileExists(*cacrl)) - VIR_FREE(*cacrl); - - /* Check these as a pair, since it they are - * mutually dependent - */ - if (!virFileExists(*key) || !virFileExists(*cert)) { - VIR_FREE(*key); - VIR_FREE(*cert); - } - } + cert, key) < 0) + return -1; =20 - virNetTLSConfigSystemCreds(isServer, - cacert, cacrl, - cert, key); + if (virNetTLSConfigSystemCreds(isServer, + cacert, cacrl, + cert, key) < 0) + return -1; } - return 0; } =20 @@ -359,6 +310,13 @@ virNetTLSContext *virNetTLSContextNewServer(const char= *cacert, bool sanityCheckCert, bool requireValidCert) { + size_t i; + if (virNetTLSConfigCheckTrust(cacert, cacrl, NULL, NULL, false) < 0) + return NULL; + for (i =3D 0; certs[i] !=3D NULL && keys[i] !=3D NULL; i++) { + if (virNetTLSConfigCheckIdentity(certs[i], keys[i], NULL, false) <= 0) + return NULL; + } return virNetTLSContextNew(cacert, cacrl, certs, keys, x509dnACL, prio= rity, sanityCheckCert, requireValidCert, true); } @@ -393,7 +351,7 @@ int virNetTLSContextReloadForServer(virNetTLSContext *c= txt, if (virNetTLSCertSanityCheck(true, cacert, certs)) goto error; =20 - if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, + if (virNetTLSContextLoadCredentials(ctxt, cacert, cacrl, certs, keys)) goto error; =20 
@@ -417,6 +375,13 @@ virNetTLSContext *virNetTLSContextNewClient(const char= *cacert, bool sanityCheckCert, bool requireValidCert) { + size_t i; + if (virNetTLSConfigCheckTrust(cacert, cacrl, NULL, NULL, false) < 0) + return NULL; + for (i =3D 0; certs[i] !=3D NULL && keys[i] !=3D NULL; i++) { + if (virNetTLSConfigCheckIdentity(certs[i], keys[i], NULL, false) <= 0) + return NULL; + } return virNetTLSContextNew(cacert, cacrl, certs, keys, NULL, priority, sanityCheckCert, requireValidCert, false); } --=20 2.51.1
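Review bot: in the @@ -142,30 +145,143 @@ hunk of src/rpc/virnettlsconfig.c, virNetTLSConfigCheckTrust() hands cacert straight to virFileExists() while cacrl gets an explicit `cacrl != NULL` guard; since the old `cacert && cacert[0] != '\0'` guard is dropped from virNetTLSContextLoadCredentials() in this same patch, either add a matching NULL/empty check here and report it as a configuration error, or document in a comment that callers must always supply a CA path. Minor style point in the same hunk: virNetTLSConfigCustomCreds() gains two consecutive blank lines between the virNetTLSConfigIdentity() call and the virNetTLSConfigEnsureIdentity() check.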
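Review bot: the new prototypes virNetTLSConfigCheckIdentity() and virNetTLSConfigCheckTrust() in the @@ -50,20 +50,25 @@ hunk of src/rpc/virnettlsconfig.h are undocumented, and their contract is not obvious from the signatures: the *Exists out-parameters are optional (NULL is accepted), a missing CRL is tolerated regardless of allowMissingCA, and allowMissing on the identity check still errors when exactly one of cert/key is present. A short doc comment on each prototype, plus a note that the *Creds functions now return -1 on a missing mandatory file, would save callers reading the .c file.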
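Review bot: in the @@ -121,66 +103,42 @@ hunk of src/rpc/virnettlscontext.c, the `cacert && cacert[0] != '\0'` and `cacrl[0] != '\0'` guards are removed, so an empty-string CA path, previously a silent no-op, now reaches gnutls_certificate_set_x509_trust_file() and fails with a gnutls error rather than a libvirt one. If no caller can pass "" any more, a sentence in the commit message saying so would help; otherwise keep the empty-string check next to the new `if (cacrl)` check. The old 'Skipping non-existent CA CRL' branch is also gone, so this function now treats every non-NULL cacrl as mandatory and relies on callers having already dropped absent CRLs.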
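Review bot: in the @@ -200,6 +158,15 @@ hunk of src/rpc/virnettlscontext.c, the new VIR_DEBUG wraps cacrl, certlist, keylist and acllist in NULLSTR() but prints `priority` with a bare %s; unless priority is guaranteed non-NULL at this point, wrap it in NULLSTR() too so a NULL never reaches the format string.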
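Review bot: the @@ -393,7 +351,7 @@ hunk of src/rpc/virnettlscontext.c drops the isServer argument from the virNetTLSContextLoadCredentials() call in virNetTLSContextReloadForServer() but does not add the virNetTLSConfigCheckTrust()/virNetTLSConfigCheckIdentity() calls that virNetTLSContextNewServer() gains, so a file that disappears between startup and a reload is now reported via gnutls_strerror() instead of the 'Cannot read ...' system error the deleted virNetTLSContextCheckCertFile() produced. Running the same two checks before the reload keeps the error text consistent and keeps the existence checks in one place, which is the stated goal of the series.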
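Review bot: the @@ -268,38 +235,22 @@ hunk of src/rpc/virnettlscontext.c changes behaviour for the user PKI directory: the deleted code freed *key and *cert together whenever either was missing and silently fell back to the system location, whereas virNetTLSConfigUserCreds() now goes through virNetTLSConfigCheckIdentity(), which reports 'Certificate ... does not exist, but key ... does' (or the reverse) when exactly one of the pair is present. That is a reasonable tightening, since a stray key or cert is more likely a misconfiguration than an intentional fallback, but it is a user-visible change and the commit message only talks about preparing for future file loading; it should say so explicitly.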
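Review bot: in the @@ -359,6 +310,13 @@ hunk of src/rpc/virnettlscontext.c, virNetTLSContextNewServer() calls virNetTLSConfigCheckTrust(cacert, cacrl, NULL, NULL, false), discarding the cacrlExists result, and then passes cacrl unchanged to virNetTLSContextNew(); because virNetTLSContextLoadCredentials() no longer skips a missing CRL, a configured CRL path that does not exist now fails in gnutls_certificate_set_x509_crl_file() where the old code logged 'Skipping non-existent CA CRL' and carried on. Failing closed on an absent revocation list is the safer behaviour (silently skipping a configured CRL means revoked certificates keep being accepted), so I would keep it, but the commit message should call it out. The same applies to the identical block in virNetTLSContextNewClient(); the two copies could share a small static helper.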
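Review bot: the @@ -417,6 +375,13 @@ hunk of src/rpc/virnettlscontext.c (and the matching server hunk) iterates `certs[i] != NULL && keys[i] != NULL` without checking that certs and keys themselves are non-NULL, while the @@ -200,6 +158,15 @@ hunk in the same file defensively writes `certs ? g_strjoinv(", ", (char **)certs) : NULL`, so the patch is inconsistent about whether NULL arrays are a valid input. Pick one: if NULL is allowed, guard the new loops with `if (certs && keys)`; otherwise drop the ternaries in the debug line.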