Sorry, this series aborted during mail sending so is incomplete.
See the immediately following re-post for the full set of 21 patches
On Thu, Oct 30, 2025 at 02:47:44PM +0000, Daniel P. Berrangé wrote:
> This series aims to improve the support for post-quantum cryptography
> in TLS connections by allowing multiple sets of certificates to be
> loaded. The idea is that during a transition period servers will have
> a traditional RSA based certificate in parallel with an MLDSA based
> certificate for PQC, and the right one will be dynamically determined
> during the TLS handshake.
>
> The first 12 patches are trivial cleanups.
>
> The next 3 patches fix a potential use-after-free problem
>
> The last patches introduce support for multiple certificates.
>
> NB, in terms of testing this will require either CentOS Stream 10,
> or Fedora 43. Most other distros will not support PQC out of the
> box at this time even if they have new enough gnutls, since they
> don't make use of the crypto-policies package which is needed to
> enable PQC by default.
>
> Daniel P. Berrangé (21):
> crypto: remove redundant parameter checking CA certs
> crypto: add missing free of certs array
> crypto: replace stat() with access() for credential checks
> crypto: remove redundant access() checks before loading certs
> crypto: move check for TLS creds 'dir' property
> crypto: use g_autofree when loading x509 credentials
> crypto: remove needless indirection via parent_obj field
> crypto: move release of DH parameters into TLS creds parent
> crypto: shorten the endpoint == server check in TLS creds
> crypto: remove duplication loading x509 CA cert
> crypto: reduce duplication in handling TLS priority strings
> crypto: introduce method for reloading TLS creds
> crypto: introduce a wrapper around gnutls credentials
> crypto: fix lifecycle handling of gnutls credentials objects
> crypto: make TLS credentials structs private
> crypto: deprecate use of external dh-params.pem file
> crypto: avoid loading the CA certs twice
> crypto: avoid loading the identity certs twice
> crypto: expand logic to cope with multiple certificate identities
> crypto: support upto 5 parallel certificate identities
> docs: creation of x509 certs compliant with post-quantum crypto
>
> crypto/meson.build | 5 +-
> crypto/tlscreds.c | 77 ++--
> crypto/tlscredsanon.c | 62 +--
> crypto/tlscredsbox.c | 101 +++++
> crypto/tlscredsbox.h | 46 ++
> crypto/tlscredspriv.h | 36 +-
> crypto/tlscredspsk.c | 64 ++-
> crypto/tlscredsx509.c | 592 +++++++++++++++++---------
> crypto/tlssession.c | 139 ++----
> crypto/trace-events | 1 +
> docs/about/deprecated.rst | 9 +
> docs/system/tls.rst | 134 +++++-
> include/crypto/tlscreds.h | 26 ++
> include/crypto/tlscredsx509.h | 6 +
> tests/unit/test-crypto-tlscredsx509.c | 8 +-
> ui/vnc.c | 9 +-
> 16 files changed, 849 insertions(+), 466 deletions(-)
> create mode 100644 crypto/tlscredsbox.c
> create mode 100644 crypto/tlscredsbox.h
>
> --
> 2.51.1
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|