The new API automatically allocates the right amount of memory
to hold the distinguished name, avoiding the need to loop and
realloc.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
crypto/tlssession.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index 86d407a142..0f86d1393f 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -409,20 +409,14 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSession *session,
}
if (i == 0) {
- size_t dnameSize = 1024;
- session->peername = g_malloc(dnameSize);
- requery:
- ret = gnutls_x509_crt_get_dn(cert, session->peername, &dnameSize);
+ gnutls_datum_t dname = {};
+ ret = gnutls_x509_crt_get_dn2(cert, &dname);
if (ret < 0) {
- if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
- session->peername = g_realloc(session->peername,
- dnameSize);
- goto requery;
- }
error_setg(errp, "Cannot get client distinguished name: %s",
gnutls_strerror(ret));
goto error;
}
+ session->peername = (char *)g_steal_pointer(&dname.data);
if (session->authzid) {
bool allow;
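Review bot: The buffer stolen into `session->peername` by the added `g_steal_pointer(&dname.data)` line is allocated by GnuTLS, and the gnutls_x509_crt_get_dn2() documentation says it must be released with gnutls_free(). If peername is still released with g_free() elsewhere in the file (not visible in this hunk), the two allocators are mixed, which only works while both resolve to the system malloc. Copying the name keeps ownership on the GLib side and stops relying on the datum being NUL-terminated, since `dname.size` is otherwise discarded: `session->peername = g_strndup((const char *)dname.data, dname.size);` followed by `gnutls_free(dname.data);`. The string appears to feed the `session->authzid` check that follows, so a one-line comment stating who owns it and how it is freed would help the next reader. The enclosing function starts and ends outside the hunk.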
--
2.50.1