From: Peter Krempa via Devel
Reply-To: Peter Krempa
To: devel@lists.libvirt.org
Subject: [PATCH 6/7] virNetTLSCertSanityCheck: Validate all concatenated certs
Date: Thu, 17 Jul 2025 17:28:09 +0200
Message-ID: <3ead3dc0d38d7bb1f954dacdb004f8a9041e8835.1752766013.git.pkrempa@redhat.com>
From: Peter Krempa

Similarly to how we iterate the list of CAs in the concatenated bundle,
there's a possibility of the server/client certificates being concatenated
as well. If in some case the first certificate is okay but the further ones
have e.g. invalid signatures, the validation code would not reject them but
we'd encounter failures later when gnutls tries to use them.

Iterate also the client/server certs rather than just the CAs.

Signed-off-by: Peter Krempa
---
 src/rpc/virnettlscert.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
index 3efc4f0716..2724f55bbe 100644
--- a/src/rpc/virnettlscert.c
+++ b/src/rpc/virnettlscert.c
@@ -442,38 +442,43 @@ int virNetTLSCertSanityCheck(bool isServer, const char *cacertFile, const char *certFile) { - gnutls_x509_crt_t cert =3D NULL; + gnutls_x509_crt_t certs[MAX_CERTS] =3D { 0 }; + size_t ncerts =3D 0; gnutls_x509_crt_t cacerts[MAX_CERTS] =3D { 0 }; size_t ncacerts =3D 0; size_t i; int ret =3D -1; if ((access(certFile, R_OK) =3D=3D 0) && - !(cert =3D virNetTLSCertLoadFromFile(certFile, isServer))) + virNetTLSCertLoadListFromFile(certFile, certs, MAX_CERTS, &ncerts)= < 0) goto cleanup; + if ((access(cacertFile, R_OK) =3D=3D 0) && virNetTLSCertLoadListFromFile(cacertFile, cacerts, MAX_CERTS, &ncacerts) < 0) goto cleanup; - if (cert && - virNetTLSCertCheck(cert, certFile, isServer, false) < 0) - goto cleanup; - for (i =3D 0; i < ncacerts; i++) { - if (virNetTLSCertCheck(cacerts[i], cacertFile, isServer, true) < 0) + g_autofree char *cacertid =3D g_strdup_printf("%s[%zu]", cacertFil= e, i); + if (virNetTLSCertCheck(cacerts[i], cacertid, isServer, true) < 0) goto cleanup; } - if (cert && ncacerts && - virNetTLSCertCheckPair(cert, certFile, cacerts, ncacerts, cacertFi= le, isServer) < 0) - goto cleanup; + for (i =3D 0; i < ncerts; i++) { + g_autofree char *certid =3D g_strdup_printf("%s[%zu]", certFile, i= ); + if (virNetTLSCertCheck(certs[i], certid, isServer, false) < 0) + goto cleanup; + + if (ncacerts && + virNetTLSCertCheckPair(certs[i], certid, cacerts, ncacerts, ca= certFile, isServer) < 0) + goto cleanup; + } ret =3D 0; cleanup: - if (cert) - gnutls_x509_crt_deinit(cert); + for (i =3D 0; i < ncerts; i++) + gnutls_x509_crt_deinit(certs[i]); for (i =3D 0; i < ncacerts; i++) gnutls_x509_crt_deinit(cacerts[i]); return ret; --=20 2.50.0
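Review bot: the new loop over certFile passes isCA=false to virNetTLSCertCheck for every entry in the file, so a certificate file that carries the leaf followed by its intermediate CA certificates (a common layout for chain files) will now have those intermediates checked as end-entity certificates and, if the non-CA checks reject CA-flagged certificates, fail the sanity check where the pre-patch code only looked at the first certificate. If rejecting such chain files is intended, the commit message should say so; otherwise entries after the first may need to be skipped or checked with the CA rules. Two smaller points: the CA-side label handed to virNetTLSCertCheckPair is still the bare cacertFile while the cert side is now certid with its index, so pair-check errors will name the CA bundle without an index; and the reordering moves the CA loop ahead of the server/client certificate checks, which only changes which error is reported first when both files are bad.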
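The failure mode the commit message describes (a bundle whose first certificate is fine but a later one is broken) is shown below in an added Python example that is not part of this patch or of libvirt. It splits a concatenated PEM file into its entries, labels each one as file[index] the way the hunk does, and runs a per-entry check over all entries versus only the first. The DER length check stands in for the real per-certificate validation (gnutls in libvirt's case); the file name server-cert.pem and the two DER blobs are constructed sample values, not real certificates.

```python
"""Validate every certificate in a concatenated PEM bundle, not only the first.

Added example (not libvirt code): a minimal PEM bundle splitter plus a DER
structural check, used to show why validating only certs[0] misses a corrupt
second entry. A real deployment hands each decoded blob to an X.509 library;
the DER check here is only a stand-in for that per-certificate validation.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the base64 body (whitespace removed) of every CERTIFICATE block."""
    return ["".join(m.group(1).split()) for m in PEM_BLOCK.finditer(text)]


def der_sequence_ok(der):
    """Structural check: a DER SEQUENCE whose encoded length matches the blob.

    An X.509 Certificate is an outermost SEQUENCE (tag 0x30). This does not
    verify signatures; it catches truncation and garbage, which is enough to
    demonstrate the bundle-iteration point.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:            # short-form length
        length, hdr = first, 2
    else:                       # long form: low bits give the octet count
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(der)


def check_cert(b64, label):
    """Decode one PEM body and run the structural check; return (ok, message)."""
    try:
        der = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as e:
        return False, f"{label}: bad base64 ({e})"
    if not der_sequence_ok(der):
        return False, f"{label}: not a well-formed DER certificate"
    return True, f"{label}: ok"


def sanity_check_bundle(path_label, text, first_only=False):
    """Label each entry as file[index] and check all of them.

    first_only=True reproduces the pre-patch behaviour of validating just the
    first certificate in the file.
    """
    bodies = split_pem_bundle(text)
    if first_only:
        bodies = bodies[:1]
    return [check_cert(body, f"{path_label}[{i}]") for i, body in enumerate(bodies)]


def _pem(der):
    """Wrap DER bytes in PEM armour (constructed helper for the sample)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample bundle: a well-formed SEQUENCE followed by a truncated one.
GOOD_DER = b"\x30\x03\x02\x01\x05"   # SEQUENCE { INTEGER 5 }
BAD_DER = b"\x30\x10\x02\x01\x05"    # header claims 16 content bytes, only 3 present
SAMPLE_BUNDLE = _pem(GOOD_DER) + _pem(BAD_DER)

if __name__ == "__main__":
    for ok, msg in sanity_check_bundle("server-cert.pem", SAMPLE_BUNDLE, first_only=True):
        print("first-only:", msg)
    for ok, msg in sanity_check_bundle("server-cert.pem", SAMPLE_BUNDLE):
        print("all entries:", msg)
```

Running it shows the pre-patch behaviour reporting the bundle as clean (only server-cert.pem[0] is examined) while the full iteration flags server-cert.pem[1], which is the case the patch makes virNetTLSCertSanityCheck catch up front instead of at TLS handshake time.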