[PATCH 4/4] Add mutex protection to SASL and TLS modules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

The virNetSASLContext, virNetSASLSession, virNetTLSContext and
virNetTLSSession classes previously relied in their owners
(virNetClient / virNetServer / virNetServerClient) to provide
locking protection for concurrent usage. When virNetSocket
gained its own locking code, this invalidated the implicit
safety the SASL/TLS modules relied on. Thus we need to give
them all explicit locking of their own via new mutexes.

* src/rpc/virnetsaslcontext.c, src/rpc/virnettlscontext.c: Add
  a mutex per object
---
 src/rpc/virnetsaslcontext.c |  284 ++++++++++++++++++++++++++++++++-----------
 src/rpc/virnettlscontext.c  |  105 +++++++++++++---
 2 files changed, 297 insertions(+), 92 deletions(-)

diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c
index 6b2a883..71796b9 100644
--- a/src/rpc/virnetsaslcontext.c
+++ b/src/rpc/virnetsaslcontext.c
@@ -27,6 +27,7 @@
 
 #include "virterror_internal.h"
 #include "memory.h"
+#include "threads.h"
 #include "logging.h"
 
 #define VIR_FROM_THIS VIR_FROM_RPC
@@ -36,11 +37,13 @@
 
 
 struct _virNetSASLContext {
+    virMutex lock;
     const char *const*usernameWhitelist;
     int refs;
 };
 
 struct _virNetSASLSession {
+    virMutex lock;
     sasl_conn_t *conn;
     int refs;
     size_t maxbufsize;
@@ -65,6 +68,13 @@ virNetSASLContextPtr virNetSASLContextNewClient(void)
         return NULL;
     }
 
+    if (virMutexInit(&ctxt->lock) < 0) {
+        virNetError(VIR_ERR_INTERNAL_ERROR, "%s",
+                    _("Failed to initialized mutex"));
+        VIR_FREE(ctxt);
+        return NULL;
+    }
+
     ctxt->refs = 1;
 
     return ctxt;
@@ -88,6 +98,13 @@ virNetSASLContextPtr virNetSASLContextNewServer(const char *const*usernameWhitel
         return NULL;
     }
 
+    if (virMutexInit(&ctxt->lock) < 0) {
+        virNetError(VIR_ERR_INTERNAL_ERROR, "%s",
+                    _("Failed to initialized mutex"));
+        VIR_FREE(ctxt);
+        return NULL;
+    }
+
     ctxt->usernameWhitelist = usernameWhitelist;
     ctxt->refs = 1;
 
@@ -98,21 +115,28 @@ int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,
                                    const char *identity)
 {
     const char *const*wildcards;
+    int ret = -1;
+
+    virMutexLock(&ctxt->lock);
 
     /* If the list is not set, allow any DN. */
     wildcards = ctxt->usernameWhitelist;
-    if (!wildcards)
-        return 1; /* No ACL, allow all */
+    if (!wildcards) {
+        ret = 1; /* No ACL, allow all */
+        goto cleanup;
+    }
 
     while (*wildcards) {
-        int ret = fnmatch (*wildcards, identity, 0);
-        if (ret == 0) /* Succesful match */
-            return 1;
+        int rv = fnmatch (*wildcards, identity, 0);
+        if (rv == 0) {
+            ret = 1;
+            goto cleanup; /* Succesful match */
+        }
         if (ret != FNM_NOMATCH) {
             virNetError(VIR_ERR_INTERNAL_ERROR,
                         _("Malformed TLS whitelist regular expression '%s'"),
                         *wildcards);
-            return -1;
+            goto cleanup;
         }
 
         wildcards++;
@@ -124,13 +148,19 @@ int virNetSASLContextCheckIdentity(virNetSASLContextPtr ctxt,
     /* This is the most common error: make it informative. */
     virNetError(VIR_ERR_SYSTEM_ERROR, "%s",
                 _("Client's username is not on the list of allowed clients"));
-    return 0;
+    ret = 0;
+
+cleanup:
+    virMutexUnlock(&ctxt->lock);
+    return ret;
 }
 
 
 void virNetSASLContextRef(virNetSASLContextPtr ctxt)
 {
+    virMutexLock(&ctxt->lock);
     ctxt->refs++;
+    virMutexUnlock(&ctxt->lock);
 }
 
 void virNetSASLContextFree(virNetSASLContextPtr ctxt)
@@ -138,10 +168,15 @@ void virNetSASLContextFree(virNetSASLContextPtr ctxt)
     if (!ctxt)
         return;
 
+    virMutexLock(&ctxt->lock);
     ctxt->refs--;
-    if (ctxt->refs > 0)
+    if (ctxt->refs > 0) {
+        virMutexUnlock(&ctxt->lock);
         return;
+    }
 
+    virMutexUnlock(&ctxt->lock);
+    virMutexDestroy(&ctxt->lock);
     VIR_FREE(ctxt);
 }
 
@@ -160,6 +195,13 @@ virNetSASLSessionPtr virNetSASLSessionNewClient(virNetSASLContextPtr ctxt ATTRIB
         goto cleanup;
     }
 
+    if (virMutexInit(&sasl->lock) < 0) {
+        virNetError(VIR_ERR_INTERNAL_ERROR, "%s",
+                    _("Failed to initialized mutex"));
+        VIR_FREE(sasl);
+        return NULL;
+    }
+
     sasl->refs = 1;
     /* Arbitrary size for amount of data we can encode in a single block */
     sasl->maxbufsize = 1 << 16;
@@ -198,6 +240,13 @@ virNetSASLSessionPtr virNetSASLSessionNewServer(virNetSASLContextPtr ctxt ATTRIB
         goto cleanup;
     }
 
+    if (virMutexInit(&sasl->lock) < 0) {
+        virNetError(VIR_ERR_INTERNAL_ERROR, "%s",
+                    _("Failed to initialized mutex"));
+        VIR_FREE(sasl);
+        return NULL;
+    }
+
     sasl->refs = 1;
     /* Arbitrary size for amount of data we can encode in a single block */
     sasl->maxbufsize = 1 << 16;
@@ -226,43 +275,56 @@ cleanup:
 
 void virNetSASLSessionRef(virNetSASLSessionPtr sasl)
 {
+    virMutexLock(&sasl->lock);
     sasl->refs++;
+    virMutexUnlock(&sasl->lock);
 }
 
 int virNetSASLSessionExtKeySize(virNetSASLSessionPtr sasl,
                                 int ssf)
 {
     int err;
+    int ret = -1;
+    virMutexLock(&sasl->lock);
 
     err = sasl_setprop(sasl->conn, SASL_SSF_EXTERNAL, &ssf);
     if (err != SASL_OK) {
         virNetError(VIR_ERR_INTERNAL_ERROR,
                     _("cannot set external SSF %d (%s)"),
                     err, sasl_errstring(err, NULL, NULL));
-        return -1;
+        goto cleanup;
     }
-    return 0;
+
+    ret = 0;
+
+cleanup:
+    virMutexLock(&sasl->lock);
+    return ret;
 }
 
 const char *virNetSASLSessionGetIdentity(virNetSASLSessionPtr sasl)
 {
-    const void *val;
+    const void *val = NULL;
     int err;
+    virMutexLock(&sasl->lock);
 
     err = sasl_getprop(sasl->conn, SASL_USERNAME, &val);
     if (err != SASL_OK) {
         virNetError(VIR_ERR_AUTH_FAILED,
                     _("cannot query SASL username on connection %d (%s)"),
                     err, sasl_errstring(err, NULL, NULL));
-        return NULL;
+        val = NULL;
+        goto cleanup;
     }
     if (val == NULL) {
         virNetError(VIR_ERR_AUTH_FAILED,
                     _("no client username was found"));
-        return NULL;
+        goto cleanup;
     }
     VIR_DEBUG("SASL client username %s", (const char *)val);
 
+cleanup:
+    virMutexUnlock(&sasl->lock);
     return (const char*)val;
 }
 
@@ -272,14 +334,20 @@ int virNetSASLSessionGetKeySize(virNetSASLSessionPtr sasl)
     int err;
     int ssf;
     const void *val;
+
+    virMutexLock(&sasl->lock);
     err = sasl_getprop(sasl->conn, SASL_SSF, &val);
     if (err != SASL_OK) {
         virNetError(VIR_ERR_AUTH_FAILED,
                     _("cannot query SASL ssf on connection %d (%s)"),
                     err, sasl_errstring(err, NULL, NULL));
-        return -1;
+        ssf = -1;
+        goto cleanup;
     }
     ssf = *(const int *)val;
+
+cleanup:
+    virMutexUnlock(&sasl->lock);
     return ssf;
 }
 
@@ -290,10 +358,12 @@ int virNetSASLSessionSecProps(virNetSASLSessionPtr sasl,
 {
     sasl_security_properties_t secprops;
     int err;
+    int ret = -1;
 
     VIR_DEBUG("minSSF=%d maxSSF=%d allowAnonymous=%d maxbufsize=%zu",
               minSSF, maxSSF, allowAnonymous, sasl->maxbufsize);
 
+    virMutexLock(&sasl->lock);
     memset(&secprops, 0, sizeof secprops);
 
     secprops.min_ssf = minSSF;
@@ -307,10 +377,14 @@ int virNetSASLSessionSecProps(virNetSASLSessionPtr sasl,
         virNetError(VIR_ERR_INTERNAL_ERROR,
                     _("cannot set security props %d (%s)"),
                     err, sasl_errstring(err, NULL, NULL));
-        return -1;
+        goto cleanup;
     }
 
-    return 0;
+    ret = 0;
+
+cleanup:
+    virMutexUnlock(&sasl->lock);
+    return ret;
 }
 
 
@@ -336,9 +410,10 @@ static int virNetSASLSessionUpdateBufSize(virNetSASLSessionPtr sasl)
 char *virNetSASLSessionListMechanisms(virNetSASLSessionPtr sasl)
 {
     const char *mechlist;
-    char *ret;
+    char *ret = NULL;
     int err;
 
+    virMutexLock(&sasl->lock);
     err = sasl_listmech(sasl->conn,
                         NULL, /* Don't need to set user */
                         "", /* Prefix */
@@ -351,12 +426,15 @@ char *virNetSASLSessionListMechanisms(virNetSASLSessionPtr sasl)
         virNetError(VIR_ERR_INTERNAL_ERROR,
                     _("cannot list SASL mechanisms %d (%s)"),
                     err, sasl_errdetail(sasl->conn));
-        return NULL;
+        goto cleanup;
     }
     if (!(ret = strdup(mechlist))) {
         virReportOOMError();
-        return NULL;
+        goto cleanup;
     }
+
+cleanup:
+    virMutexUnlock(&sasl->lock);
     return ret;
 }
 
@@ -369,35 +447,44 @@ int virNetSASLSessionClientStart(virNetSASLSessionPtr sasl,
                                  const char **mech)
 {
     unsigned outlen = 0;
+    int err;
+    int ret = -1;
 
     VIR_DEBUG("sasl=%p mechlist=%s prompt_need=%p clientout=%p clientoutlen=%p mech=%p",
               sasl, mechlist, prompt_need, clientout, clientoutlen, mech);
 
-    int err = sasl_client_start(sasl->conn,
-                                mechlist,
-                                prompt_need,
-                                clientout,
-                                &outlen,
-                                mech);
+    virMutexLock(&sasl->lock);
+    err = sasl_client_start(sasl->conn,
+                            mechlist,
+                            prompt_need,
+                            clientout,
+                            &outlen,
+                            mech);
 
     *clientoutlen = outlen;
 
     switch (err) {
     case SASL_OK:
         if (virNetSASLSessionUpdateBufSize(sasl) < 0)
-            return -1;
-        return VIR_NET_SASL_COMPLETE;
+            goto cleanup;
+        ret = VIR_NET_SASL_COMPLETE;
+        break;
     case SASL_CONTINUE:
-        return VIR_NET_SASL_CONTINUE;
+        ret = VIR_NET_SASL_CONTINUE;
+        break;
     case SASL_INTERACT:
-        return VIR_NET_SASL_INTERACT;
-
+        ret = VIR_NET_SASL_INTERACT;
+        break;
     default:
         virNetError(VIR_ERR_AUTH_FAILED,
                     _("Failed to start SASL negotiation: %d (%s)"),
                     err, sasl_errdetail(sasl->conn));
-        return -1;
+        break;
     }
+
+cleanup:
+    virMutexUnlock(&sasl->lock);
+    return ret;
 }
 
 
@@ -410,34 +497,43 @@ int virNetSASLSessionClientStep(virNetSASLSessionPtr sasl,
 {
     unsigned inlen = serverinlen;
     unsigned outlen = 0;
+    int err;
+    int ret = -1;
 
     VIR_DEBUG("sasl=%p serverin=%s serverinlen=%zu prompt_need=%p clientout=%p clientoutlen=%p",
               sasl, serverin, serverinlen, prompt_need, clientout, clientoutlen);
 
-    int err = sasl_client_step(sasl->conn,
-                               serverin,
-                               inlen,
-                               prompt_need,
-                               clientout,
-                               &outlen);
+    virMutexLock(&sasl->lock);
+    err = sasl_client_step(sasl->conn,
+                           serverin,
+                           inlen,
+                           prompt_need,
+                           clientout,
+                           &outlen);
     *clientoutlen = outlen;
 
     switch (err) {
     case SASL_OK:
         if (virNetSASLSessionUpdateBufSize(sasl) < 0)
-            return -1;
-        return VIR_NET_SASL_COMPLETE;
+            goto cleanup;
+        ret = VIR_NET_SASL_COMPLETE;
+        break;
     case SASL_CONTINUE:
-        return VIR_NET_SASL_CONTINUE;
+        ret = VIR_NET_SASL_CONTINUE;
+        break;
     case SASL_INTERACT:
-        return VIR_NET_SASL_INTERACT;
-
+        ret = VIR_NET_SASL_INTERACT;
+        break;
     default:
         virNetError(VIR_ERR_AUTH_FAILED,
                     _("Failed to step SASL negotiation: %d (%s)"),
                     err, sasl_errdetail(sasl->conn));
-        return -1;
+        break;
     }
+
+cleanup:
+    virMutexUnlock(&sasl->lock);
+    return ret;
 }
 
 int virNetSASLSessionServerStart(virNetSASLSessionPtr sasl,
@@ -449,31 +545,41 @@ int virNetSASLSessionServerStart(virNetSASLSessionPtr sasl,
 {
     unsigned inlen = clientinlen;
     unsigned outlen = 0;
-    int err = sasl_server_start(sasl->conn,
-                                mechname,
-                                clientin,
-                                inlen,
-                                serverout,
-                                &outlen);
+    int err;
+    int ret = -1;
+
+    virMutexLock(&sasl->lock);
+    err = sasl_server_start(sasl->conn,
+                            mechname,
+                            clientin,
+                            inlen,
+                            serverout,
+                            &outlen);
 
     *serveroutlen = outlen;
 
     switch (err) {
     case SASL_OK:
         if (virNetSASLSessionUpdateBufSize(sasl) < 0)
-            return -1;
-        return VIR_NET_SASL_COMPLETE;
+            goto cleanup;
+        ret = VIR_NET_SASL_COMPLETE;
+        break;
     case SASL_CONTINUE:
-        return VIR_NET_SASL_CONTINUE;
+        ret = VIR_NET_SASL_CONTINUE;
+        break;
     case SASL_INTERACT:
-        return VIR_NET_SASL_INTERACT;
-
+        ret = VIR_NET_SASL_INTERACT;
+        break;
     default:
         virNetError(VIR_ERR_AUTH_FAILED,
                     _("Failed to start SASL negotiation: %d (%s)"),
                     err, sasl_errdetail(sasl->conn));
-        return -1;
+        break;
     }
+
+cleanup:
+    virMutexUnlock(&sasl->lock);
+    return ret;
 }
 
 
@@ -485,36 +591,49 @@ int virNetSASLSessionServerStep(virNetSASLSessionPtr sasl,
 {
     unsigned inlen = clientinlen;
     unsigned outlen = 0;
+    int err;
+    int ret = -1;
 
-    int err = sasl_server_step(sasl->conn,
-                               clientin,
-                               inlen,
-                               serverout,
-                               &outlen);
+    virMutexLock(&sasl->lock);
+    err = sasl_server_step(sasl->conn,
+                           clientin,
+                           inlen,
+                           serverout,
+                           &outlen);
 
     *serveroutlen = outlen;
 
     switch (err) {
     case SASL_OK:
         if (virNetSASLSessionUpdateBufSize(sasl) < 0)
-            return -1;
-        return VIR_NET_SASL_COMPLETE;
+            goto cleanup;
+        ret = VIR_NET_SASL_COMPLETE;
+        break;
     case SASL_CONTINUE:
-        return VIR_NET_SASL_CONTINUE;
+        ret = VIR_NET_SASL_CONTINUE;
+        break;
     case SASL_INTERACT:
-        return VIR_NET_SASL_INTERACT;
-
+        ret = VIR_NET_SASL_INTERACT;
+        break;
     default:
         virNetError(VIR_ERR_AUTH_FAILED,
                     _("Failed to start SASL negotiation: %d (%s)"),
                     err, sasl_errdetail(sasl->conn));
-        return -1;
+        break;
     }
+
+cleanup:
+    virMutexUnlock(&sasl->lock);
+    return ret;
 }
 
 size_t virNetSASLSessionGetMaxBufSize(virNetSASLSessionPtr sasl)
 {
-    return sasl->maxbufsize;
+    size_t ret;
+    virMutexLock(&sasl->lock);
+    ret = sasl->maxbufsize;
+    virMutexUnlock(&sasl->lock);
+    return ret;
 }
 
 ssize_t virNetSASLSessionEncode(virNetSASLSessionPtr sasl,
@@ -526,12 +645,14 @@ ssize_t virNetSASLSessionEncode(virNetSASLSessionPtr sasl,
     unsigned inlen = inputLen;
     unsigned outlen = 0;
     int err;
+    ssize_t ret = -1;
 
+    virMutexLock(&sasl->lock);
     if (inputLen > sasl->maxbufsize) {
         virReportSystemError(EINVAL,
                              _("SASL data length %zu too long, max %zu"),
                              inputLen, sasl->maxbufsize);
-        return -1;
+        goto cleanup;
     }
 
     err = sasl_encode(sasl->conn,
@@ -545,9 +666,13 @@ ssize_t virNetSASLSessionEncode(virNetSASLSessionPtr sasl,
         virNetError(VIR_ERR_INTERNAL_ERROR,
                     _("failed to encode SASL data: %d (%s)"),
                     err, sasl_errstring(err, NULL, NULL));
-        return -1;
+        goto cleanup;
     }
-    return 0;
+    ret = 0;
+
+cleanup:
+    virMutexUnlock(&sasl->lock);
+    return ret;
 }
 
 ssize_t virNetSASLSessionDecode(virNetSASLSessionPtr sasl,
@@ -559,12 +684,14 @@ ssize_t virNetSASLSessionDecode(virNetSASLSessionPtr sasl,
     unsigned inlen = inputLen;
     unsigned outlen = 0;
     int err;
+    ssize_t ret = -1;
 
+    virMutexLock(&sasl->lock);
     if (inputLen > sasl->maxbufsize) {
         virReportSystemError(EINVAL,
                              _("SASL data length %zu too long, max %zu"),
                              inputLen, sasl->maxbufsize);
-        return -1;
+        goto cleanup;
     }
 
     err = sasl_decode(sasl->conn,
@@ -577,9 +704,13 @@ ssize_t virNetSASLSessionDecode(virNetSASLSessionPtr sasl,
         virNetError(VIR_ERR_INTERNAL_ERROR,
                     _("failed to decode SASL data: %d (%s)"),
                     err, sasl_errstring(err, NULL, NULL));
-        return -1;
+        goto cleanup;
     }
-    return 0;
+    ret = 0;
+
+cleanup:
+    virMutexUnlock(&sasl->lock);
+    return ret;
 }
 
 void virNetSASLSessionFree(virNetSASLSessionPtr sasl)
@@ -587,12 +718,17 @@ void virNetSASLSessionFree(virNetSASLSessionPtr sasl)
     if (!sasl)
         return;
 
+    virMutexLock(&sasl->lock);
     sasl->refs--;
-    if (sasl->refs > 0)
+    if (sasl->refs > 0) {
+        virMutexUnlock(&sasl->lock);
         return;
+    }
 
     if (sasl->conn)
         sasl_dispose(&sasl->conn);
 
+    virMutexUnlock(&sasl->lock);
+    virMutexDestroy(&sasl->lock);
     VIR_FREE(sasl);
 }
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index bde4e7a..db03669 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -34,6 +34,7 @@
 #include "virterror_internal.h"
 #include "util.h"
 #include "logging.h"
+#include "threads.h"
 #include "configmake.h"
 
 #define DH_BITS 1024
@@ -52,6 +53,7 @@
                          __FUNCTION__, __LINE__, __VA_ARGS__)
 
 struct _virNetTLSContext {
+    virMutex lock;
     int refs;
 
     gnutls_certificate_credentials_t x509cred;
@@ -63,6 +65,8 @@ struct _virNetTLSContext {
 };
 
 struct _virNetTLSSession {
+    virMutex lock;
+
     int refs;
 
     bool handshakeComplete;
@@ -653,6 +657,13 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
         return NULL;
     }
 
+    if (virMutexInit(&ctxt->lock) < 0) {
+        virNetError(VIR_ERR_INTERNAL_ERROR, "%s",
+                    _("Failed to initialized mutex"));
+        VIR_FREE(ctxt);
+        return NULL;
+    }
+
     ctxt->refs = 1;
 
     /* Initialise GnuTLS. */
@@ -1053,18 +1064,29 @@ authfail:
 int virNetTLSContextCheckCertificate(virNetTLSContextPtr ctxt,
                                      virNetTLSSessionPtr sess)
 {
+    int ret = -1;
+
+    virMutexLock(&ctxt->lock);
+    virMutexLock(&sess->lock);
     if (virNetTLSContextValidCertificate(ctxt, sess) < 0) {
         virErrorPtr err = virGetLastError();
         VIR_WARN("Certificate check failed %s", err && err->message ? err->message : "<unknown>");
         if (ctxt->requireValidCert) {
             virNetError(VIR_ERR_AUTH_FAILED, "%s",
                         _("Failed to verify peer's certificate"));
-            return -1;
+            goto cleanup;
         }
         virResetLastError();
         VIR_INFO("Ignoring bad certificate at user request");
     }
-    return 0;
+
+    ret = 0;
+
+cleanup:
+    virMutexUnlock(&ctxt->lock);
+    virMutexUnlock(&sess->lock);
+
+    return ret;
 }
 
 void virNetTLSContextFree(virNetTLSContextPtr ctxt)
@@ -1072,12 +1094,17 @@ void virNetTLSContextFree(virNetTLSContextPtr ctxt)
     if (!ctxt)
         return;
 
+    virMutexLock(&ctxt->lock);
     ctxt->refs--;
-    if (ctxt->refs > 0)
+    if (ctxt->refs > 0) {
+        virMutexUnlock(&ctxt->lock);
         return;
+    }
 
     gnutls_dh_params_deinit(ctxt->dhParams);
     gnutls_certificate_free_credentials(ctxt->x509cred);
+    virMutexUnlock(&ctxt->lock);
+    virMutexDestroy(&ctxt->lock);
     VIR_FREE(ctxt);
 }
 
@@ -1124,6 +1151,13 @@ virNetTLSSessionPtr virNetTLSSessionNew(virNetTLSContextPtr ctxt,
         return NULL;
     }
 
+    if (virMutexInit(&sess->lock) < 0) {
+        virNetError(VIR_ERR_INTERNAL_ERROR, "%s",
+                    _("Failed to initialized mutex"));
+        VIR_FREE(ctxt);
+        return NULL;
+    }
+
     sess->refs = 1;
     if (hostname &&
         !(sess->hostname = strdup(hostname))) {
@@ -1184,7 +1218,9 @@ error:
 
 void virNetTLSSessionRef(virNetTLSSessionPtr sess)
 {
+    virMutexLock(&sess->lock);
     sess->refs++;
+    virMutexUnlock(&sess->lock);
 }
 
 void virNetTLSSessionSetIOCallbacks(virNetTLSSessionPtr sess,
@@ -1192,9 +1228,11 @@ void virNetTLSSessionSetIOCallbacks(virNetTLSSessionPtr sess,
                                     virNetTLSSessionReadFunc readFunc,
                                     void *opaque)
 {
+    virMutexLock(&sess->lock);
     sess->writeFunc = writeFunc;
     sess->readFunc = readFunc;
     sess->opaque = opaque;
+    virMutexUnlock(&sess->lock);
 }
 
 
@@ -1202,10 +1240,12 @@ ssize_t virNetTLSSessionWrite(virNetTLSSessionPtr sess,
                               const char *buf, size_t len)
 {
     ssize_t ret;
+
+    virMutexLock(&sess->lock);
     ret = gnutls_record_send(sess->session, buf, len);
 
     if (ret >= 0)
-        return ret;
+        goto cleanup;
 
     switch (ret) {
     case GNUTLS_E_AGAIN:
@@ -1222,7 +1262,11 @@ ssize_t virNetTLSSessionWrite(virNetTLSSessionPtr sess,
         break;
     }
 
-    return -1;
+    ret = -1;
+
+cleanup:
+    virMutexUnlock(&sess->lock);
+    return ret;
 }
 
 ssize_t virNetTLSSessionRead(virNetTLSSessionPtr sess,
@@ -1230,10 +1274,11 @@ ssize_t virNetTLSSessionRead(virNetTLSSessionPtr sess,
 {
     ssize_t ret;
 
+    virMutexLock(&sess->lock);
     ret = gnutls_record_recv(sess->session, buf, len);
 
     if (ret >= 0)
-        return ret;
+        goto cleanup;
 
     switch (ret) {
     case GNUTLS_E_AGAIN:
@@ -1247,21 +1292,29 @@ ssize_t virNetTLSSessionRead(virNetTLSSessionPtr sess,
         break;
     }
 
-    return -1;
+    ret = -1;
+
+cleanup:
+    virMutexUnlock(&sess->lock);
+    return ret;
 }
 
 int virNetTLSSessionHandshake(virNetTLSSessionPtr sess)
 {
+    int ret;
     VIR_DEBUG("sess=%p", sess);
-    int ret = gnutls_handshake(sess->session);
+    virMutexLock(&sess->lock);
+    ret = gnutls_handshake(sess->session);
     VIR_DEBUG("Ret=%d", ret);
     if (ret == 0) {
         sess->handshakeComplete = true;
         VIR_DEBUG("Handshake is complete");
-        return 0;
+        goto cleanup;
+    }
+    if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN) {
+        ret = 1;
+        goto cleanup;
     }
-    if (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN)
-        return 1;
 
 #if 0
     PROBE(CLIENT_TLS_FAIL, "fd=%d",
@@ -1271,32 +1324,43 @@ int virNetTLSSessionHandshake(virNetTLSSessionPtr sess)
     virNetError(VIR_ERR_AUTH_FAILED,
                 _("TLS handshake failed %s"),
                 gnutls_strerror(ret));
-    return -1;
+    ret = -1;
+
+cleanup:
+    virMutexUnlock(&sess->lock);
+    return ret;
 }
 
 virNetTLSSessionHandshakeStatus
 virNetTLSSessionGetHandshakeStatus(virNetTLSSessionPtr sess)
 {
+    virNetTLSSessionHandshakeStatus ret;
+    virMutexLock(&sess->lock);
     if (sess->handshakeComplete)
-        return VIR_NET_TLS_HANDSHAKE_COMPLETE;
+        ret = VIR_NET_TLS_HANDSHAKE_COMPLETE;
     else if (gnutls_record_get_direction(sess->session) == 0)
-        return VIR_NET_TLS_HANDSHAKE_RECVING;
+        ret = VIR_NET_TLS_HANDSHAKE_RECVING;
     else
-        return VIR_NET_TLS_HANDSHAKE_SENDING;
+        ret = VIR_NET_TLS_HANDSHAKE_SENDING;
+    virMutexUnlock(&sess->lock);
+    return ret;
 }
 
 int virNetTLSSessionGetKeySize(virNetTLSSessionPtr sess)
 {
     gnutls_cipher_algorithm_t cipher;
     int ssf;
-
+    virMutexLock(&sess->lock);
     cipher = gnutls_cipher_get(sess->session);
     if (!(ssf = gnutls_cipher_get_key_size(cipher))) {
         virNetError(VIR_ERR_INTERNAL_ERROR, "%s",
                     _("invalid cipher size for TLS session"));
-        return -1;
+        ssf = -1;
+        goto cleanup;
     }
 
+cleanup:
+    virMutexUnlock(&sess->lock);
     return ssf;
 }
 
@@ -1306,11 +1370,16 @@ void virNetTLSSessionFree(virNetTLSSessionPtr sess)
     if (!sess)
         return;
 
+    virMutexLock(&sess->lock);
     sess->refs--;
-    if (sess->refs > 0)
+    if (sess->refs > 0) {
+        virMutexUnlock(&sess->lock);
         return;
+    }
 
     VIR_FREE(sess->hostname);
     gnutls_deinit(sess->session);
+    virMutexUnlock(&sess->lock);
+    virMutexDestroy(&sess->lock);
     VIR_FREE(sess);
 }
-- 
1.7.6

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]