Do more complete initialization of libgcrypt

If libvirt makes any gcry_control() calls, then this
prevents gnutls for doing any initialization. As such
we must take care to do full initialization of libcrypt
on a par with what gnutls would have done. In particular
we must disable "sec mem" for cases where the user does
not have mlock() permission. We also skip our init of
libgcrypt if something else (ie the app using libvirt)
has beaten us to it.

https://bugzilla.redhat.com/show_bug.cgi?id=951630

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/libvirt.c b/src/libvirt.c
index c5221f5370e281ac4f618b3560db1180cc8c13e5..d7b441653bf4d1eada5eca2a9fa47af4b70b14eb 100644 (file)
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -409,8 +409,19 @@ virGlobalInit(void)
         goto error;
 
 #ifdef WITH_GNUTLS
-    gcry_control(GCRYCTL_SET_THREAD_CBS, &virTLSThreadImpl);
-    gcry_check_version(NULL);
+    /*
+     * This sequence of API calls it copied exactly from
+     * gnutls 2.12.23 source lib/gcrypt/init.c, with
+     * exception that GCRYCTL_ENABLE_QUICK_RANDOM, is
+     * dropped
+     */
+    if (gcry_control(GCRYCTL_ANY_INITIALIZATION_P) == 0) {
+        gcry_control(GCRYCTL_SET_THREAD_CBS, &virTLSThreadImpl);
+        gcry_check_version(NULL);
+
+        gcry_control(GCRYCTL_DISABLE_SECMEM, NULL, 0);
+        gcry_control(GCRYCTL_INITIALIZATION_FINISHED, NULL, 0);
+    }
 #endif
 
     virLogSetFromEnv();