[PATCH 08/21] crypto: move release of DH parameters into TLS creds parent

Daniel P. Berrangé posted 21 patches 2 weeks, 1 day ago
Maintainers: "Daniel P. Berrangé" <berrange@redhat.com>, "Marc-André Lureau" <marcandre.lureau@redhat.com>
[PATCH 08/21] crypto: move release of DH parameters into TLS creds parent
Posted by Daniel P. Berrangé 2 weeks, 1 day ago
The code for releasing DH parameters is common to all credential
subclasses, so can be moved into the parent.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/tlscreds.c     | 4 ++++
 crypto/tlscredsanon.c | 4 ----
 crypto/tlscredspsk.c  | 4 ----
 crypto/tlscredsx509.c | 7 +++----
 4 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
index 65e97ddd11..1e39ee1141 100644
--- a/crypto/tlscreds.c
+++ b/crypto/tlscreds.c
@@ -246,6 +246,10 @@ qcrypto_tls_creds_finalize(Object *obj)
 {
     QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
 
+    if (creds->dh_params) {
+        gnutls_dh_params_deinit(creds->dh_params);
+    }
+
     g_free(creds->dir);
     g_free(creds->priority);
 }
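Review bot: The added `creds->dh_params` release in qcrypto_tls_creds_finalize() carries no `CONFIG_GNUTLS` guard within this hunk, while each of the three blocks it replaces is followed by an `#else /* ! CONFIG_GNUTLS */` context line, so the old code was compiled only with gnutls enabled. If the function is not already inside such a guard outside the visible lines, the added lines should be wrapped in `#ifdef CONFIG_GNUTLS` / `#endif`. The release now also depends on teardown order, since the subclass credentials objects are presumably what reference these parameters. A comment such as `/* Subclass finalizers have already freed the gnutls credentials that use dh_params */` would record that assumption, which should be confirmed against the QOM finalize order.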
diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c
index bc3351b5d6..1ddfe4eb31 100644
--- a/crypto/tlscredsanon.c
+++ b/crypto/tlscredsanon.c
@@ -92,10 +92,6 @@ qcrypto_tls_creds_anon_unload(QCryptoTLSCredsAnon *creds)
             creds->data.server = NULL;
         }
     }
-    if (creds->parent_obj.dh_params) {
-        gnutls_dh_params_deinit(creds->parent_obj.dh_params);
-        creds->parent_obj.dh_params = NULL;
-    }
 }
 
 #else /* ! CONFIG_GNUTLS */
diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c
index 545d3e45db..bf4efe2114 100644
--- a/crypto/tlscredspsk.c
+++ b/crypto/tlscredspsk.c
@@ -175,10 +175,6 @@ qcrypto_tls_creds_psk_unload(QCryptoTLSCredsPSK *creds)
             creds->data.server = NULL;
         }
     }
-    if (creds->parent_obj.dh_params) {
-        gnutls_dh_params_deinit(creds->parent_obj.dh_params);
-        creds->parent_obj.dh_params = NULL;
-    }
 }
 
 #else /* ! CONFIG_GNUTLS */
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index 39f80b33ad..1555285910 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -685,10 +685,6 @@ qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds)
         gnutls_certificate_free_credentials(creds->data);
         creds->data = NULL;
     }
-    if (creds->parent_obj.dh_params) {
-        gnutls_dh_params_deinit(creds->parent_obj.dh_params);
-        creds->parent_obj.dh_params = NULL;
-    }
 }
 
 
@@ -780,6 +776,9 @@ qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, Error **errp)
     qcrypto_tls_creds_x509_load(x509_creds, &local_err);
     if (local_err) {
         qcrypto_tls_creds_x509_unload(x509_creds);
+        if (creds->dh_params) {
+            gnutls_dh_params_deinit(creds->dh_params);
+        }
         x509_creds->data = creds_data;
         creds->dh_params = creds_dh_params;
         error_propagate(errp, local_err);
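Review bot: The error path in qcrypto_tls_creds_x509_reload() now open-codes the same `dh_params` release that was added to the parent finalizer, and nothing at this spot says why it is needed. Since qcrypto_tls_creds_x509_unload() no longer touches `dh_params`, a comment like `/* unload() leaves dh_params alone; free any set created by the failed load before restoring the old one */` would keep a later reader from dropping it as redundant, or from moving it below the restore and freeing the parameters that are still in use. A small shared helper for the release would also keep the two copies from drifting apart. The function begins and ends outside this hunk, so the handling of `creds_dh_params` on the success path is not visible here.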
-- 
2.51.1


Re: [PATCH 08/21] crypto: move release of DH parameters into TLS creds parent
Posted by Marc-André Lureau 2 weeks ago
Hi

On Thu, Oct 30, 2025 at 6:49 PM Daniel P. Berrangé <berrange@redhat.com>
wrote:

> The code for releasing DH parameters is common to all credential
> subclasses, so can be moved into the parent.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>

and unload() was only called from finalize
(and qcrypto_tls_creds_x509_reload())

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>


> ---
>  crypto/tlscreds.c     | 4 ++++
>  crypto/tlscredsanon.c | 4 ----
>  crypto/tlscredspsk.c  | 4 ----
>  crypto/tlscredsx509.c | 7 +++----
>  4 files changed, 7 insertions(+), 12 deletions(-)
>
> diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
> index 65e97ddd11..1e39ee1141 100644
> --- a/crypto/tlscreds.c
> +++ b/crypto/tlscreds.c
> @@ -246,6 +246,10 @@ qcrypto_tls_creds_finalize(Object *obj)
>  {
>      QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
>
> +    if (creds->dh_params) {
> +        gnutls_dh_params_deinit(creds->dh_params);
> +    }
> +
>      g_free(creds->dir);
>      g_free(creds->priority);
>  }
> diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c
> index bc3351b5d6..1ddfe4eb31 100644
> --- a/crypto/tlscredsanon.c
> +++ b/crypto/tlscredsanon.c
> @@ -92,10 +92,6 @@ qcrypto_tls_creds_anon_unload(QCryptoTLSCredsAnon
> *creds)
>              creds->data.server = NULL;
>          }
>      }
> -    if (creds->parent_obj.dh_params) {
> -        gnutls_dh_params_deinit(creds->parent_obj.dh_params);
> -        creds->parent_obj.dh_params = NULL;
> -    }
>  }
>
>  #else /* ! CONFIG_GNUTLS */
> diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c
> index 545d3e45db..bf4efe2114 100644
> --- a/crypto/tlscredspsk.c
> +++ b/crypto/tlscredspsk.c
> @@ -175,10 +175,6 @@ qcrypto_tls_creds_psk_unload(QCryptoTLSCredsPSK
> *creds)
>              creds->data.server = NULL;
>          }
>      }
> -    if (creds->parent_obj.dh_params) {
> -        gnutls_dh_params_deinit(creds->parent_obj.dh_params);
> -        creds->parent_obj.dh_params = NULL;
> -    }
>  }
>
>  #else /* ! CONFIG_GNUTLS */
> diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
> index 39f80b33ad..1555285910 100644
> --- a/crypto/tlscredsx509.c
> +++ b/crypto/tlscredsx509.c
> @@ -685,10 +685,6 @@ qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509
> *creds)
>          gnutls_certificate_free_credentials(creds->data);
>          creds->data = NULL;
>      }
> -    if (creds->parent_obj.dh_params) {
> -        gnutls_dh_params_deinit(creds->parent_obj.dh_params);
> -        creds->parent_obj.dh_params = NULL;
> -    }
>  }
>
>
> @@ -780,6 +776,9 @@ qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds,
> Error **errp)
>      qcrypto_tls_creds_x509_load(x509_creds, &local_err);
>      if (local_err) {
>          qcrypto_tls_creds_x509_unload(x509_creds);
> +        if (creds->dh_params) {
> +            gnutls_dh_params_deinit(creds->dh_params);
> +        }
>          x509_creds->data = creds_data;
>          creds->dh_params = creds_dh_params;
>          error_propagate(errp, local_err);
> --
> 2.51.1
>
>