From: "Daniel P. Berrange" <berrange@xxxxxxxxxx> If libvirt makes any gcry_control() calls, then this prevents gnutls from doing any initialization. As such we must take care to do full initialization of libgcrypt on a par with what gnutls would have done. In particular we must disable "sec mem" for cases where the user does not have mlock() permission. We also skip our init of libgcrypt if something else (i.e. the app using libvirt) has beaten us to it. Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx> --- src/libvirt.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/libvirt.c b/src/libvirt.c index c5221f5..7c0a873 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -409,8 +409,14 @@ virGlobalInit(void) goto error; #ifdef WITH_GNUTLS - gcry_control(GCRYCTL_SET_THREAD_CBS, &virTLSThreadImpl); - gcry_check_version(NULL); + if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0) { + gcry_control(GCRYCTL_SET_THREAD_CBS, &virTLSThreadImpl); + gcry_check_version(NULL); + + gcry_control(GCRYCTL_DISABLE_SECMEM, NULL, 0); + gcry_control(GCRYCTL_INITIALIZATION_FINISHED, NULL, 0); + gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0); + } #endif virLogSetFromEnv(); -- 1.8.1.4
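
Review bot: in the new block under #ifdef WITH_GNUTLS in virGlobalInit(), gcry_control(GCRYCTL_DISABLE_SECMEM, NULL, 0) runs unconditionally, while the commit message motivates it only for users without mlock() permission. With secure memory off, libgcrypt keeps key material in ordinary pageable memory for every caller, including privileged ones that could have locked it. Please add a comment above the call saying this is deliberate and done to match gnutls's own init sequence, or make the call conditional. The same comment should cover gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0), which the commit message does not mention at all: it lowers the quality level libgcrypt applies to random requests, so a reader of src/libvirt.c needs to see that it is there to mirror gnutls and is not an accident. It is also worth stating in the comment that when GCRYCTL_ANY_INITIALIZATION_P is already nonzero, virTLSThreadImpl is never registered and thread safety then depends on whatever initialised libgcrypt first.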