* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
+ * version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
#include "qemu/osdep.h"
#include "crypto/tlscredsx509.h"
-#include "crypto/tlscredspriv.h"
+#include "tlscredspriv.h"
#include "crypto/secret.h"
#include "qapi/error.h"
+#include "qemu/module.h"
#include "qom/object_interfaces.h"
#include "trace.h"
}
-#if LIBGNUTLS_VERSION_NUMBER >= 2
-/*
- * The gnutls_x509_crt_get_basic_constraints function isn't
- * available in GNUTLS 1.0.x branches. This isn't critical
- * though, since gnutls_certificate_verify_peers2 will do
- * pretty much the same check at runtime, so we can just
- * disable this code
- */
static int
qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
gnutls_x509_crt_t cert,
return 0;
}
-#endif
static int
return -1;
}
-#if LIBGNUTLS_VERSION_NUMBER >= 2
if (qcrypto_tls_creds_check_cert_basic_constraints(creds,
cert, certFile,
isServer, isCA,
errp) < 0) {
return -1;
}
-#endif
if (qcrypto_tls_creds_check_cert_key_usage(creds,
cert, certFile,
{
gnutls_datum_t data;
gnutls_x509_crt_t cert = NULL;
- char *buf = NULL;
+ g_autofree char *buf = NULL;
gsize buflen;
GError *gerr;
int ret = -1;
+ int err;
trace_qcrypto_tls_creds_x509_load_cert(creds, isServer, certFile);
- if (gnutls_x509_crt_init(&cert) < 0) {
- error_setg(errp, "Unable to initialize certificate");
+ err = gnutls_x509_crt_init(&cert);
+ if (err < 0) {
+ error_setg(errp, "Unable to initialize certificate: %s",
+ gnutls_strerror(err));
goto cleanup;
}
data.data = (unsigned char *)buf;
data.size = strlen(buf);
- if (gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM) < 0) {
+ err = gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM);
+ if (err < 0) {
error_setg(errp, isServer ?
- "Unable to import server certificate %s" :
- "Unable to import client certificate %s",
- certFile);
+ "Unable to import server certificate %s: %s" :
+ "Unable to import client certificate %s: %s",
+ certFile,
+ gnutls_strerror(err));
goto cleanup;
}
gnutls_x509_crt_deinit(cert);
cert = NULL;
}
- g_free(buf);
return cert;
}
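Review bot: `GError *gerr;` in this function's declaration block is left uninitialized while the CA-list loader later in the same diff declares `GError *gerr = NULL;`; since the commit already reworks this block for `g_autofree`, it should also write `GError *gerr = NULL;` so the two loaders agree and a later edit that reads `gerr` before the file-loading call cannot hit an indeterminate pointer. The new `int err;` now carries every gnutls return code, yet `int ret = -1;` survives; if `ret` only marks success for the `cleanup:` label (which is not among the visible lines), a one-line comment such as `/* ret stays -1 on any failure so cleanup: releases the half-built cert */` would explain why two status variables coexist. The function's signature and its cleanup label lie outside the hunk.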
Error **errp)
{
gnutls_datum_t data;
- char *buf = NULL;
+ g_autofree char *buf = NULL;
gsize buflen;
- int ret = -1;
GError *gerr = NULL;
*ncerts = 0;
error_setg(errp, "Cannot load CA cert list %s: %s",
certFile, gerr->message);
g_error_free(gerr);
- goto cleanup;
+ return -1;
}
data.data = (unsigned char *)buf;
error_setg(errp,
"Unable to import CA certificate list %s",
certFile);
- goto cleanup;
+ return -1;
}
*ncerts = certMax;
- ret = 0;
-
- cleanup:
- g_free(buf);
- return ret;
+ return 0;
}
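Review bot: The failure report `error_setg(errp, "Unable to import CA certificate list %s", certFile);` still omits the gnutls error string, although this same commit adds `gnutls_strerror(err)` to the matching import failure in the single-cert loader; a malformed CA bundle is therefore harder to diagnose than a malformed leaf certificate. Capture the return of `gnutls_x509_crt_list_import` (the call sits just above the visible lines) in an `int err`, test `if (err < 0)`, and report `error_setg(errp, "Unable to import CA certificate list %s: %s", certFile, gnutls_strerror(err));`. The function's signature begins outside the hunk.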
}
if (cert != NULL && key != NULL) {
-#if GNUTLS_VERSION_NUMBER >= 0x030111
char *password = NULL;
if (creds->passwordid) {
password = qcrypto_secret_lookup_as_utf8(creds->passwordid,
password,
0);
g_free(password);
-#else /* GNUTLS_VERSION_NUMBER < 0x030111 */
- if (creds->passwordid) {
- error_setg(errp, "PKCS8 decryption requires GNUTLS >= 3.1.11");
- goto cleanup;
- }
- ret = gnutls_certificate_set_x509_key_file(creds->data,
- cert, key,
- GNUTLS_X509_FMT_PEM);
-#endif /* GNUTLS_VERSION_NUMBER < 0x030111 */
if (ret < 0) {
error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
cert, key, gnutls_strerror(ret));