[PATCH 12/21] crypto: introduce method for reloading TLS creds

Daniel P. Berrangé posted 21 patches 2 weeks, 1 day ago
Maintainers: "Daniel P. Berrangé" <berrange@redhat.com>, "Marc-André Lureau" <marcandre.lureau@redhat.com>
[PATCH 12/21] crypto: introduce method for reloading TLS creds
Posted by Daniel P. Berrangé 2 weeks, 1 day ago
This prevents direct access of the class members by the VNC
display code.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/tlscreds.c         | 15 +++++++++++++++
 include/crypto/tlscreds.h | 13 +++++++++++++
 ui/vnc.c                  |  9 +--------
 3 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
index 49c7eb46a5..9433b4c363 100644
--- a/crypto/tlscreds.c
+++ b/crypto/tlscreds.c
@@ -281,6 +281,21 @@ char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds *creds)
 }
 
 
+bool qcrypto_tls_creds_reload(QCryptoTLSCreds *creds,
+                              Error **errp)
+{
+    QCryptoTLSCredsClass *credscls = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(creds));
+
+    if (credscls->reload) {
+        return credscls->reload(creds, errp);
+    }
+
+    error_setg(errp, "%s does not support reloading credentials",
+               object_get_typename(OBJECT(creds)));
+    return false;
+}
+
+
 static const TypeInfo qcrypto_tls_creds_info = {
     .parent = TYPE_OBJECT,
     .name = TYPE_QCRYPTO_TLS_CREDS,
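Review bot: `qcrypto_tls_creds_reload()` resolves the class from `creds` on its first line without checking or documenting that `creds` is non-NULL, and as a public helper it can now be called from code other than the VNC display. The removed code in ui/vnc.c ran after an early `return false;` whose condition is outside that hunk, so the old call site may have been guarded; the new entry point carries no such guarantee. Either state the precondition in the header comment (`@creds: pointer to a TLS credentials object, must not be NULL`) or make it explicit with `assert(creds);` before the class lookup.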
diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h
index afd1016088..bb9280ed1a 100644
--- a/include/crypto/tlscreds.h
+++ b/include/crypto/tlscreds.h
@@ -77,4 +77,17 @@ bool qcrypto_tls_creds_check_endpoint(QCryptoTLSCreds *creds,
  */
 char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds *creds);
 
+
+/**
+ * qcrypto_tls_creds_reload:
+ * @creds: pointer to a TLS credentials object
+ * @errp: pointer to a NULL-initialized error object
+ *
+ * Request a reload of the TLS credentials, if supported
+ *
+ * Returns: true on success, false on error or if not supported
+ */
+bool qcrypto_tls_creds_reload(QCryptoTLSCreds *creds,
+                              Error **errp);
+
 #endif /* QCRYPTO_TLSCREDS_H */
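Review bot: The doc comment for `qcrypto_tls_creds_reload()` does not say what state `@creds` is in when the call returns false. A caller serving TLS needs to know whether the previously loaded credentials stay in effect or the object is left without usable credentials. That depends on each subclass's `reload` implementation, which is not visible in this patch, so the contract should be written down once confirmed, e.g. `On failure the previously loaded credentials remain in use.` Because false covers both "reload failed" and "not supported", callers can only tell the two apart through the error message; if that distinction matters, the comment should say so.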
diff --git a/ui/vnc.c b/ui/vnc.c
index 77c823bf2e..6b32dd0fe9 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -578,7 +578,6 @@ VncInfo2List *qmp_query_vnc_servers(Error **errp)
 bool vnc_display_reload_certs(const char *id, Error **errp)
 {
     VncDisplay *vd = vnc_display_find(id);
-    QCryptoTLSCredsClass *creds = NULL;
 
     if (!vd) {
         error_setg(errp, "Can not find vnc display");
@@ -590,13 +589,7 @@ bool vnc_display_reload_certs(const char *id, Error **errp)
         return false;
     }
 
-    creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
-    if (creds->reload == NULL) {
-        error_setg(errp, "%s doesn't support to reload TLS credential",
-                   object_get_typename(OBJECT(vd->tlscreds)));
-        return false;
-    }
-    if (!creds->reload(vd->tlscreds, errp)) {
+    if (!qcrypto_tls_creds_reload(vd->tlscreds, errp)) {
         return false;
     }
 
-- 
2.51.1


Re: [PATCH 12/21] crypto: introduce method for reloading TLS creds
Posted by Marc-André Lureau 2 weeks ago
On Thu, Oct 30, 2025 at 6:49 PM Daniel P. Berrangé <berrange@redhat.com>
wrote:

> This prevents direct access of the class members by the VNC
> display code.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>


> ---
>  crypto/tlscreds.c         | 15 +++++++++++++++
>  include/crypto/tlscreds.h | 13 +++++++++++++
>  ui/vnc.c                  |  9 +--------
>  3 files changed, 29 insertions(+), 8 deletions(-)
>
> diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
> index 49c7eb46a5..9433b4c363 100644
> --- a/crypto/tlscreds.c
> +++ b/crypto/tlscreds.c
> @@ -281,6 +281,21 @@ char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds
> *creds)
>  }
>
>
> +bool qcrypto_tls_creds_reload(QCryptoTLSCreds *creds,
> +                              Error **errp)
> +{
> +    QCryptoTLSCredsClass *credscls =
> QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(creds));
> +
>

OBJECT() unnecessary here


> +    if (credscls->reload) {
> +        return credscls->reload(creds, errp);
> +    }
> +
> +    error_setg(errp, "%s does not support reloading credentials",
> +               object_get_typename(OBJECT(creds)));
> +    return false;
> +}
> +
> +
>  static const TypeInfo qcrypto_tls_creds_info = {
>      .parent = TYPE_OBJECT,
>      .name = TYPE_QCRYPTO_TLS_CREDS,
> diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h
> index afd1016088..bb9280ed1a 100644
> --- a/include/crypto/tlscreds.h
> +++ b/include/crypto/tlscreds.h
> @@ -77,4 +77,17 @@ bool qcrypto_tls_creds_check_endpoint(QCryptoTLSCreds
> *creds,
>   */
>  char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds *creds);
>
> +
> +/**
> + * qcrypto_tls_creds_reload:
> + * @creds: pointer to a TLS credentials object
> + * @errp: pointer to a NULL-initialized error object
> + *
> + * Request a reload of the TLS credentials, if supported
> + *
> + * Returns: true on success, false on error or if not supported
> + */
> +bool qcrypto_tls_creds_reload(QCryptoTLSCreds *creds,
> +                              Error **errp);
> +
>  #endif /* QCRYPTO_TLSCREDS_H */
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 77c823bf2e..6b32dd0fe9 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -578,7 +578,6 @@ VncInfo2List *qmp_query_vnc_servers(Error **errp)
>  bool vnc_display_reload_certs(const char *id, Error **errp)
>  {
>      VncDisplay *vd = vnc_display_find(id);
> -    QCryptoTLSCredsClass *creds = NULL;
>
>      if (!vd) {
>          error_setg(errp, "Can not find vnc display");
> @@ -590,13 +589,7 @@ bool vnc_display_reload_certs(const char *id, Error
> **errp)
>          return false;
>      }
>
> -    creds = QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds));
> -    if (creds->reload == NULL) {
> -        error_setg(errp, "%s doesn't support to reload TLS credential",
> -                   object_get_typename(OBJECT(vd->tlscreds)));
> -        return false;
> -    }
> -    if (!creds->reload(vd->tlscreds, errp)) {
> +    if (!qcrypto_tls_creds_reload(vd->tlscreds, errp)) {
>          return false;
>      }
>
> --
> 2.51.1
>
>
Re: [PATCH 12/21] crypto: introduce method for reloading TLS creds
Posted by Daniel P. Berrangé 2 weeks ago
On Thu, Oct 30, 2025 at 11:43:29PM +0400, Marc-André Lureau wrote:
> On Thu, Oct 30, 2025 at 6:49 PM Daniel P. Berrangé <berrange@redhat.com>
> wrote:
> 
> > This prevents direct access of the class members by the VNC
> > display code.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> >
> 
> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> 
> 
> > ---
> >  crypto/tlscreds.c         | 15 +++++++++++++++
> >  include/crypto/tlscreds.h | 13 +++++++++++++
> >  ui/vnc.c                  |  9 +--------
> >  3 files changed, 29 insertions(+), 8 deletions(-)
> >
> > diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
> > index 49c7eb46a5..9433b4c363 100644
> > --- a/crypto/tlscreds.c
> > +++ b/crypto/tlscreds.c
> > @@ -281,6 +281,21 @@ char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds
> > *creds)
> >  }
> >
> >
> > +bool qcrypto_tls_creds_reload(QCryptoTLSCreds *creds,
> > +                              Error **errp)
> > +{
> > +    QCryptoTLSCredsClass *credscls =
> > QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(creds));
> > +
> >
> 
> OBJECT() unnecessary here

Ah yes, will remove it.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|