From nobody Fri Nov 14 16:53:57 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1761836054; cv=none; d=zohomail.com; s=zohoarc; b=V35/OvfG7W51h/8mLrKy/MTMqnJeNC/3p3wShZKazNHqqtH7na6kp+e9R31OWJ3Ur0Ci2K/hj25Ubve4kvtxE/0lOM1DrRv1kq0UNaVrJU+HIXWP3YoT5wHCN+k0pM+NdRmG9n81PqtWeftd3Iv468O5mLb36iN42FOkcdaA6KE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761836054; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=PlevrSvzWBhggmPHA7hhe6GL7fX65li+MyacTeAvpos=; b=XLMg7E/6UdLsGGMYuyqStWWvzzc2YQzb06j/Ie/niTm1eMV2DE0EOXxeKs7cu2hOTneHnfJphxoPoLWTCZz8J76vzobZ2xxiVTkNebIWSeYLD99rgB7rpjgCQV65r5a3NzH4MWWw9gRf+yd67DHTIDtzeHRBRvlm10F6EEjk7Hg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1761836054402603.4255296811784; Thu, 30 Oct 2025 07:54:14 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vETyL-0000Ye-Fc; Thu, 30 Oct 2025 10:49:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vETyF-0000WC-BP for qemu-devel@nongnu.org; Thu, 30 Oct 2025 10:49:47 -0400 Received: 
from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vETy7-0001Ox-Fr for qemu-devel@nongnu.org; Thu, 30 Oct 2025 10:49:47 -0400 Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-47-cE0AdseLMoKZnX5gMmStdw-1; Thu, 30 Oct 2025 10:49:33 -0400 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 6C3281954231; Thu, 30 Oct 2025 14:49:32 +0000 (UTC) Received: from toolbx.redhat.com (unknown [10.42.28.122]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 24E8130001A1; Thu, 30 Oct 2025 14:49:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1761835774; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PlevrSvzWBhggmPHA7hhe6GL7fX65li+MyacTeAvpos=; b=Y36Bz35ccav5PpoJRZTw/8kTdCCHoGei5XsI5L1fRYgBCVvqIpFO8gq0JQHdBMTj+XX9eo E2GFff0jPnxj3sxKn3GZd88bvs00wgnbfrV0lSApsyrZ6Q8A14yp8Xd9yjZvysRNEzUg82 DYQEGwaBueES1Szidn40yn52bFQn//I= X-MC-Unique: cE0AdseLMoKZnX5gMmStdw-1 X-Mimecast-MFC-AGG-ID: cE0AdseLMoKZnX5gMmStdw_1761835772 
From: Daniel P. Berrangé <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 01/21] crypto: remove redundant parameter checking CA certs
Date: Thu, 30 Oct 2025 14:49:07 +0000
Message-ID: <20251030144927.2241109-2-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The only caller of qcrypto_tls_creds_check_authority_chain always passes 'true' for the 'isCA' parameter. The point of this method is to check the CA chain, so no other value would ever make sense.
Signed-off-by: Daniel P. Berrangé
Reviewed-by: Philippe Mathieu-Daudé
---
crypto/tlscredsx509.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index db2b74bafa..847fd4d9fa 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -315,7 +315,6 @@ qcrypto_tls_creds_check_authority_chain(QCryptoTLSCreds= X509 *creds, unsigned int ncacerts, const char *cacertFile, bool isServer, - bool isCA, Error **errp) { gnutls_x509_crt_t cert_to_check =3D certs[ncerts - 1]; @@ -356,7 +355,7 @@ qcrypto_tls_creds_check_authority_chain(QCryptoTLSCreds= X509 *creds, */ return qcrypto_tls_creds_check_cert( creds, cert_to_check, cacertFile, - isServer, isCA, errp); + isServer, true, errp); } for (int i =3D 0; i < ncacerts; i++) { if (gnutls_x509_crt_check_issuer(cert_to_check, @@ -370,7 +369,7 @@ qcrypto_tls_creds_check_authority_chain(QCryptoTLSCreds= X509 *creds, } =20 if (qcrypto_tls_creds_check_cert(creds, cert_issuer, cacertFile, - isServer, isCA, errp) < 0) { + isServer, true, errp) < 0) { return -1; } =20
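Review bot: in the second and third hunks both call sites now hand a bare `true` to qcrypto_tls_creds_check_cert, so the reader loses the meaning that the `isCA` name carried; a `/* isCA */ true` annotation at each `isServer, true, errp` line would keep the intent visible, and if qcrypto_tls_creds_check_authority_chain carries a doc comment listing its parameters (not in the shown context) the `isCA` entry should go with the parameter.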
@@ -534,7 +533,7 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509= *creds, certs, ncerts, cacerts, ncacerts, cacertFile, isServer, - true, errp) < 0) { + errp) < 0) { goto cleanup; } =20
-- 
2.51.1
From: Daniel P. Berrangé <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 02/21] crypto: add missing free of certs array
Date: Thu, 30 Oct 2025 14:49:08 +0000
Message-ID: <20251030144927.2241109-3-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

Signed-off-by: Daniel P. Berrangé
---
crypto/tlscredsx509.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 847fd4d9fa..75c70af522 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c
@@ -550,6 +550,7 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509= *creds, for (i =3D 0; i < ncerts; i++) { gnutls_x509_crt_deinit(certs[i]); } + g_free(certs); for (i =3D 0; i < ncacerts; i++) { gnutls_x509_crt_deinit(cacerts[i]); }
-- 
2.51.1
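Review bot: the array freed here is `certs`, but the trailing context shows the matching `cacerts` deinit loop with no visible `g_free(cacerts)`; either the cacerts array is released further down outside the hunk or it leaks in exactly the same way, and the commit message should say which. The message also has no body: one sentence on whether the leak hit every sanity check or only the error path would help, and since g_free(NULL) is a no-op, confirming that `certs` is initialised to NULL before the first `goto cleanup` is what makes the unconditional free safe.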
From: Daniel P. Berrangé <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 03/21] crypto: replace stat() with access() for credential checks
Date: Thu, 30 Oct 2025 14:49:09 +0000
Message-ID: <20251030144927.2241109-4-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

Readability of the credential files is what matters for our usage, so access() is more appropriate than stat().
Signed-off-by: Daniel P. Berrangé
Reviewed-by: Philippe Mathieu-Daudé
---
crypto/tlscreds.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index 9e59594d67..208a7e6d8f 100644 --- a/crypto/tlscreds.c +++ b/crypto/tlscreds.c @@ -100,7 +100,6 @@ qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds, char **cred, Error **errp) { - struct stat sb; int ret =3D -1; =20 if (!creds->dir) {
@@ -114,7 +113,7 @@ qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds, =20 *cred =3D g_strdup_printf("%s/%s", creds->dir, filename); =20 - if (stat(*cred, &sb) < 0) { + if (access(*cred, R_OK) < 0) { if (errno =3D=3D ENOENT && !required) { ret =3D 0; } else {
-- 
2.51.1
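Review bot: `access(*cred, R_OK)` answers for the real UID/GID rather than the effective one, so in a process that runs setuid or has dropped privileges it can disagree with the open() that later reads the file in either direction, and it is in any case a check made before the open rather than at it; the result is a friendlier early error, not the authoritative permission check, and the loader still has to treat open failure as fatal. A one-line comment at the `if (access(*cred, R_OK) < 0)` site saying so would stop a later reader from relying on it. The ENOENT branch below it keeps its meaning with access(), which is the part that matters for the optional-file case.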
From: Daniel P. Berrangé <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 04/21] crypto: remove redundant access() checks before loading certs
Date: Thu, 30 Oct 2025 14:49:10 +0000
Message-ID: <20251030144927.2241109-5-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The qcrypto_tls_creds_get_path method will perform an access() check on the file and return a NULL path if it fails. By the time we get to loading the cert files we know they must exist on disk and thus the second access() check is redundant.
Signed-off-by: Daniel P. Berrangé
---
crypto/tlscredsx509.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 75c70af522..0acb17b6ec 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -496,8 +496,7 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509= *creds, size_t i; int ret =3D -1; =20 - if (certFile && - access(certFile, R_OK) =3D=3D 0) { + if (certFile) { if (qcrypto_tls_creds_load_cert_list(creds, certFile, &certs,
@@ -508,16 +507,15 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX5= 09 *creds, goto cleanup; } } - if (access(cacertFile, R_OK) =3D=3D 0) { - if (qcrypto_tls_creds_load_cert_list(creds, - cacertFile, - &cacerts, - &ncacerts, - isServer, - true, - errp) < 0) { - goto cleanup; - } + + if (qcrypto_tls_creds_load_cert_list(creds, + cacertFile, + &cacerts, + &ncacerts, + isServer, + true, + errp) < 0) { + goto cleanup; } =20 for (i =3D 0; i < ncerts; i++) {
-- 
2.51.1
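Review bot: this hunk calls qcrypto_tls_creds_load_cert_list with `cacertFile` unconditionally while the first hunk keeps an `if (certFile)` guard. The commit message says qcrypto_tls_creds_get_path returns a NULL path when access() fails, but the get_path context visible in patch 03 assigns `*cred` with g_strdup_printf before the access() call and the shown lines do not clear it on the `errno == ENOENT && !required` branch, so either cacertFile is always required (say so in the message) or it needs the same NULL guard. The message should also state that this is a behaviour change and not a pure cleanup: before, an unreadable CA file made the `access() == 0` test fail and the CA chain sanity check was silently skipped, whereas now the failure is reported through errp, which is the safer outcome.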
From: Daniel P. Berrangé <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 05/21] crypto: move check for TLS creds 'dir' property
Date: Thu, 30 Oct 2025 14:49:11 +0000
Message-ID: <20251030144927.2241109-6-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The check for the 'dir' property is being repeated for every credential file to be loaded, but this results in incorrect logic for optional credentials.
The 'dir' property is mandatory for PSK and x509 creds, even if some individual files are optional. Address this by separating the check for the 'dir' property. Signed-off-by: Daniel P. Berrang=C3=A9 --- crypto/tlscreds.c | 9 --------- crypto/tlscredsanon.c | 3 ++- crypto/tlscredspsk.c | 5 +++++ crypto/tlscredsx509.c | 8 ++++++-- 4 files changed, 13 insertions(+), 12 deletions(-) diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index 208a7e6d8f..65e97ddd11 100644 --- a/crypto/tlscreds.c +++ b/crypto/tlscreds.c @@ -102,15 +102,6 @@ qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds, { int ret =3D -1; =20 - if (!creds->dir) { - if (required) { - error_setg(errp, "Missing 'dir' property value"); - return -1; - } else { - return 0; - } - } - *cred =3D g_strdup_printf("%s/%s", creds->dir, filename); =20 if (access(*cred, R_OK) < 0) { diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c index 44af9e6c9a..bc3351b5d6 100644 --- a/crypto/tlscredsanon.c +++ b/crypto/tlscredsanon.c @@ -43,7 +43,8 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, creds->parent_obj.dir ? creds->parent_obj.dir : ""); =20 if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { - if (qcrypto_tls_creds_get_path(&creds->parent_obj, + if (creds->parent_obj.dir && + qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_DH_PARAMS, false, &dhparams, errp) < 0) { return -1; diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c index 5b68a6b7ba..545d3e45db 100644 --- a/crypto/tlscredspsk.c +++ b/crypto/tlscredspsk.c 
@@ -81,6 +81,11 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, trace_qcrypto_tls_creds_psk_load(creds, creds->parent_obj.dir ? creds->parent_obj.dir : ""); =20 + if (!creds->parent_obj.dir) { + error_setg(errp, "Missing 'dir' property value"); + goto cleanup; + } + if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { if (creds->username) { error_setg(errp, "username should not be set when endpoint=3Ds= erver"); diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 0acb17b6ec..8fe6cc8e93 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c 
@@ -567,8 +567,12 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, int ret; int rv =3D -1; =20 - trace_qcrypto_tls_creds_x509_load(creds, - creds->parent_obj.dir ? creds->parent_obj.dir : ""); + if (!creds->parent_obj.dir) { + error_setg(errp, "Missing 'dir' property value"); + return -1; + } + + trace_qcrypto_tls_creds_x509_load(creds, creds->parent_obj.dir); =20 if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { if (qcrypto_tls_creds_get_path(&creds->parent_obj, --=20 2.51.1 From nobody Fri Nov 14 16:53:57 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1761835949; cv=none; d=zohomail.com; s=zohoarc; b=ZWP1UuX5CeCHvTXbxUFpDr4lEWfv0trdveMec0gQx2h+Kpn+ODbSkJfvl5bZ/9rJ5R2kRJT0BNbMNLdYPOUdcQ1WpEqvlLYAsH3Bu5EzUdzZ2PvYpKzoVwdtTVYYI66DddHWhRbzZd5uOJKGf75DAlnc5kW05VxsHwXC1BBQlQY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761835949; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=KSnnNfVNIJzHqlsNlJyg3a8mhruvQnJerkqtoff8Uj8=; b=I1J/ipeuljiLgO6xiOZyb+k+VFX6iskh4ZRe1MNLcXW++5ueO9S4Jakl53tDmRwjWGubPgeO0/h8axoTcP6nCpmwMIZiCcjaRCX0EZBqs/0NPFgl7ruX4W8Mmn/icefc/EM9jkX3xCSKPos75DouMWELyxvbDNPJgtVy2xGprw0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org 
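Review bot: with the `if (!creds->dir)` guard removed from qcrypto_tls_creds_get_path() in the crypto/tlscreds.c hunk, the function now passes creds->dir straight into g_strdup_printf("%s/%s", creds->dir, filename), so every caller must guarantee dir is non-NULL. The anon, PSK and x509 callers in this patch do so, but the contract has become implicit; a g_assert(creds->dir) or a one-line comment on the function would stop a future caller from reintroducing the NULL dir path.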
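Review bot: the crypto/tlscredsanon.c hunk makes the DH params lookup conditional on `creds->parent_obj.dir &&`, which silently skips DH params for an anon server when no dir is given. That matches the commit message (dir is only mandatory for PSK and x509), but since this is the one subclass where dir stays optional, a short comment at that `if` saying so would save the next reader from wondering whether the skip is deliberate.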
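Review bot: the crypto/tlscredsx509.c hunk moves trace_qcrypto_tls_creds_x509_load() after the new dir check, so a load that fails on a missing dir no longer emits a trace event, whereas the crypto/tlscredspsk.c hunk keeps its trace before the check. Either order is defensible, but the two should agree; keeping the trace first in x509 as in PSK (trace_qcrypto_tls_creds_x509_load(creds, creds->parent_obj.dir ? creds->parent_obj.dir : "")) would keep the missing-dir failure visible in trace output.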
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 06/21] crypto: use g_autofree when loading x509 credentials
Date: Thu, 30 Oct 2025 14:49:12 +0000
Message-ID: <20251030144927.2241109-7-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

This allows removal of goto jumps during loading of the credentials and will simplify the diff in following commits.
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Philippe Mathieu-Daud=C3=A9 --- crypto/tlscredsx509.c | 35 +++++++++++++++-------------------- 1 file changed, 15 insertions(+), 20 deletions(-) diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 8fe6cc8e93..e5b869a35f 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -562,10 +562,12 @@ static int qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, Error **errp) { - char *cacert =3D NULL, *cacrl =3D NULL, *cert =3D NULL, - *key =3D NULL, *dhparams =3D NULL; + g_autofree char *cacert =3D NULL; + g_autofree char *cacrl =3D NULL; + g_autofree char *cert =3D NULL; + g_autofree char *key =3D NULL; + g_autofree char *dhparams =3D NULL; int ret; - int rv =3D -1; =20 if (!creds->parent_obj.dir) { error_setg(errp, "Missing 'dir' property value"); @@ -590,7 +592,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_DH_PARAMS, false, &dhparams, errp) < 0) { - goto cleanup; + return -1; } } else { if (qcrypto_tls_creds_get_path(&creds->parent_obj, @@ -602,7 +604,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_X509_CLIENT_KEY, false, &key, errp) < 0) { - goto cleanup; + return -1; } } =20 @@ -610,14 +612,14 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *cred= s, qcrypto_tls_creds_x509_sanity_check(creds, creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_S= ERVER, cacert, cert, errp) < 0) { - goto cleanup; + return -1; } =20 ret =3D gnutls_certificate_allocate_credentials(&creds->data); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: '%s'", gnutls_strerror(ret)); - goto cleanup; + return -1; } =20 ret =3D gnutls_certificate_set_x509_trust_file(creds->data, 
@@ -626,7 +628,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, if (ret < 0) { error_setg(errp, "Cannot load CA certificate '%s': %s", cacert, gnutls_strerror(ret)); - goto cleanup; + return -1; } =20 if (cert !=3D NULL && key !=3D NULL) { @@ -635,7 +637,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, password =3D qcrypto_secret_lookup_as_utf8(creds->passwordid, errp); if (!password) { - goto cleanup; + return -1; } } ret =3D gnutls_certificate_set_x509_key_file2(creds->data, @@ -647,7 +649,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, if (ret < 0) { error_setg(errp, "Cannot load certificate '%s' & key '%s': %s", cert, key, gnutls_strerror(ret)); - goto cleanup; + return -1; } } =20 @@ -658,7 +660,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, if (ret < 0) { error_setg(errp, "Cannot load CRL '%s': %s", cacrl, gnutls_strerror(ret)); - goto cleanup; + return -1; } } =20 
@@ -666,20 +668,13 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *cred= s, if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhpar= ams, &creds->parent_obj.dh_par= ams, errp) < 0) { - goto cleanup; + return -1; } gnutls_certificate_set_dh_params(creds->data, creds->parent_obj.dh_params); } =20 - rv =3D 0; - cleanup: - g_free(cacert); - g_free(cacrl); - g_free(cert); - g_free(key); - g_free(dhparams); - return rv; + return 0; } =20 =20 --=20 2.51.1 From nobody Fri Nov 14 16:53:57 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1761836059; cv=none; d=zohomail.com; s=zohoarc; b=g0eVugGbzl6D/BIiY/pMsxAZfHSpOHQ9s2OkUDlg3mltZ+o9TEhKkcuKdX+TKHyT94IKYE54MdnunnImHjekb5dLb6TYhNAWFQBS+RSTathHvhWYptpvI95v21mwYPy90mhjcVvqckHpWGLaKCLPkUM0P5l33QZ9D14iftpDvUw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761836059; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=9VCUq/HIHBYwxvVt40JsI8yTa5W9mzMEdms0e8ecB5c=; b=hj44gcsuwJgji9/fbLMeSKa2m+kQ21LnNmywKuc5LfOhEbLjQkBtXhXeUb31Mjav7fWeD8icO/4W3qHOtg7Az4IMfol45+/FXiD5camu7vqRLSLp+sw/XV4uor63VfwzgLMcTi7mlu1fIAWiVLj9U7EkcrVFEpN4oEF8c+CYe/0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 
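Review bot: the five g_autofree declarations in the @@ -562 hunk only change behaviour if one of those strings were stored beyond the function; from the visible hunks each of cacert, cacrl, cert, key and dhparams is only passed to the gnutls_certificate_set_* calls, qcrypto_tls_creds_x509_sanity_check() and qcrypto_tls_creds_get_dh_params_file(), and the old cleanup label freed all five unconditionally, so ownership is unchanged. A sentence in the commit message stating that no ownership transfer exists would let a reviewer confirm the goto-to-return conversion without re-reading the whole function.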
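Review bot: in the @@ -610 hunk, once gnutls_certificate_allocate_credentials(&creds->data) has succeeded, the subsequent `return -1` paths leave creds->data allocated, exactly as the former `goto cleanup` did (the label never freed it). Callers rely on qcrypto_tls_creds_x509_unload() to release it, so this is pre-existing rather than a regression, but a brief comment at the first post-allocation return would save the next reader from checking.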
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 07/21] crypto: remove needless indirection via parent_obj field
Date: Thu, 30 Oct 2025 14:49:13 +0000
Message-ID: <20251030144927.2241109-8-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The reload method already has a pointer to the parent object in the 'creds' parameter that is passed in, so indirect access via the subclass 'parent_obj' field is redundant.
Signed-off-by: Daniel P. Berrangé
Reviewed-by: Marc-André Lureau
Reviewed-by: Philippe Mathieu-Daudé
---
 crypto/tlscredsx509.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index e5b869a35f..39f80b33ad 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -773,15 +773,15 @@ qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds,= Error **errp) QCryptoTLSCredsX509 *x509_creds =3D QCRYPTO_TLS_CREDS_X509(creds); Error *local_err =3D NULL; gnutls_certificate_credentials_t creds_data =3D x509_creds->data; - gnutls_dh_params_t creds_dh_params =3D x509_creds->parent_obj.dh_param= s; + gnutls_dh_params_t creds_dh_params =3D creds->dh_params; =20 x509_creds->data =3D NULL; - x509_creds->parent_obj.dh_params =3D NULL; + creds->dh_params =3D NULL; qcrypto_tls_creds_x509_load(x509_creds, &local_err); if (local_err) { qcrypto_tls_creds_x509_unload(x509_creds); x509_creds->data =3D creds_data; - x509_creds->parent_obj.dh_params =3D creds_dh_params; + creds->dh_params =3D creds_dh_params; error_propagate(errp, local_err); return false; } --=20 2.51.1 From nobody Fri Nov 14 16:53:57 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1761835860; cv=none; d=zohomail.com; s=zohoarc; b=BLldKzdnvo+5iVK4x90XrGGiTPMiaBhzeYqb2Ev/kC1GIlGMZPvuQh5duIx7lw8RsAr7qDmzoMvedSyxgLMMsD1xAB8obh05PNCf2Hg3Jxqd1rIGRTC2rrje4hJSW5t40yuuXP+BMQyhv7eZLQsRR2lwkpjlN5UzJwmwLvK8gt0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761835860; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=/3X5XCrMZXOxui7n99jnxvbDl8uJabdHOyLgglkaZOw=; b=G9kE8Qs7/qYvjynfFAE5GR+xMv7srBVUKLyhYVEcQPkNfLxI8JUYeY7AKPuLQLPZzDkAbqP0W8/4hdx0ghvDkEFUBXy2mViglhQcqBKvEtN/gMaGAXe6omLkbqIwEikH+E2ycHZSy/F9SOvXz7mY0qJ7Xy8FnEmepmKtAvqPRVQ= ARC-Authentication-Results: i=1; mx.zohomail.com; 
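Review bot: `creds` and `&x509_creds->parent_obj` are the same object in this hunk (x509_creds is obtained by casting creds), so the substitution is purely cosmetic and safe. One readability point: the restore-on-failure block now touches the same object through two handles, `x509_creds->data` and `creds->dh_params`; that is fine given the later patch moves dh_params handling into the parent, but a comment noting that creds is the parent view of x509_creds would make the split obvious.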
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 08/21] crypto: move release of DH parameters into TLS creds parent
Date: Thu, 30 Oct 2025 14:49:14 +0000
Message-ID: <20251030144927.2241109-9-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The code for releasing DH parameters is common to all credential subclasses, so can be moved into the parent.
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- crypto/tlscreds.c | 4 ++++ crypto/tlscredsanon.c | 4 ---- crypto/tlscredspsk.c | 4 ---- crypto/tlscredsx509.c | 7 +++---- 4 files changed, 7 insertions(+), 12 deletions(-) diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index 65e97ddd11..1e39ee1141 100644 --- a/crypto/tlscreds.c +++ b/crypto/tlscreds.c @@ -246,6 +246,10 @@ qcrypto_tls_creds_finalize(Object *obj) { QCryptoTLSCreds *creds =3D QCRYPTO_TLS_CREDS(obj); =20 + if (creds->dh_params) { + gnutls_dh_params_deinit(creds->dh_params); + } + g_free(creds->dir); g_free(creds->priority); } diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c index bc3351b5d6..1ddfe4eb31 100644 --- a/crypto/tlscredsanon.c +++ b/crypto/tlscredsanon.c @@ -92,10 +92,6 @@ qcrypto_tls_creds_anon_unload(QCryptoTLSCredsAnon *creds) creds->data.server =3D NULL; } } - if (creds->parent_obj.dh_params) { - gnutls_dh_params_deinit(creds->parent_obj.dh_params); - creds->parent_obj.dh_params =3D NULL; - } } =20 #else /* ! CONFIG_GNUTLS */ diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c index 545d3e45db..bf4efe2114 100644 --- a/crypto/tlscredspsk.c +++ b/crypto/tlscredspsk.c @@ -175,10 +175,6 @@ qcrypto_tls_creds_psk_unload(QCryptoTLSCredsPSK *creds) creds->data.server =3D NULL; } } - if (creds->parent_obj.dh_params) { - gnutls_dh_params_deinit(creds->parent_obj.dh_params); - creds->parent_obj.dh_params =3D NULL; - } } =20 #else /* ! CONFIG_GNUTLS */ diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 39f80b33ad..1555285910 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -685,10 +685,6 @@ qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *cre= ds) gnutls_certificate_free_credentials(creds->data); creds->data =3D NULL; } - if (creds->parent_obj.dh_params) { - gnutls_dh_params_deinit(creds->parent_obj.dh_params); - creds->parent_obj.dh_params =3D NULL; - } } =20 =20 
@@ -780,6 +776,9 @@ qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds, E= rror **errp) qcrypto_tls_creds_x509_load(x509_creds, &local_err); if (local_err) { qcrypto_tls_creds_x509_unload(x509_creds); + if (creds->dh_params) { + gnutls_dh_params_deinit(creds->dh_params); + } x509_creds->data =3D creds_data; creds->dh_params =3D creds_dh_params; error_propagate(errp, local_err); --=20 2.51.1 From nobody Fri Nov 14 16:53:57 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1761835854; cv=none; d=zohomail.com; s=zohoarc; b=LqxUtB+VrUHtsHXBaUfzgrE4XpAzpSxly4uvLwgwftf6mSL6NcJVUZ+McwUh3WTtSVylzGPxamnAGxdOCokY27OjtDzIp3h9igizUCGGK2YPP82xa87tKcdJZUQ9jUtCobTCMMfjqc/NcYvSSakl7V2Duw90ctYuSgJxG0+pu+w= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761835854; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=ijiDla8PCG3Gdp62DJdl6trpnwJuNRk9+TxJP6qIEkY=; b=kSnk/0PuhroC2N3nbg5S7A4femK8hPe+5evmjl33ub9Sos96BsWXponUlnV7aXKwUH6c+ZCRnMVsMNd8nFmLSGomUrqn/LpKLVdfCnAFL4H1Uot9n5GBx+QoVmKOEOlEp7OrdF3WWB18kS+zea5bw42QuKTn4ObiLX0vnxG8zG0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1761835854338593.5939912681852; Thu, 30 Oct 2025 07:50:54 -0700 (PDT) Received: 
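Review bot: after the three unload hunks, qcrypto_tls_creds_{anon,psk,x509}_unload() no longer deinit or NULL dh_params, so any unload-then-load sequence on a live object (as opposed to finalize) would overwrite a gnutls_dh_params_t and leak it. The only such sequence in this series is x509 reload, which the last hunk covers on the failure branch; the success branch of reload lies outside the hunk and should be checked to confirm it still releases the saved creds_dh_params now that unload does not.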
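Review bot: in the reload hunk, the added gnutls_dh_params_deinit(creds->dh_params) only fires if the fresh load populated dh_params before failing; in the x509 load function as shown in patch 06, qcrypto_tls_creds_get_dh_params_file() is the last step and the function returns 0 immediately after gnutls_certificate_set_dh_params(), so the branch is effectively unreachable today but correctly defends against a future reordering. A one-line comment saying so would stop it being removed as dead code.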
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 09/21] crypto: shorten the endpoint == server check in TLS creds
Date: Thu, 30 Oct 2025 14:49:15 +0000
Message-ID: <20251030144927.2241109-10-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

This eliminates a number of long lines, aiding readability.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Marc-André Lureau
---
 crypto/tlscredsx509.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 1555285910..08223781d7 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -567,6 +567,8 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, g_autofree char *cert =3D NULL; g_autofree char *key =3D NULL; g_autofree char *dhparams =3D NULL; + bool isServer =3D (creds->parent_obj.endpoint =3D=3D + QCRYPTO_TLS_CREDS_ENDPOINT_SERVER); int ret; =20 if (!creds->parent_obj.dir) { @@ -576,7 +578,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, =20 trace_qcrypto_tls_creds_x509_load(creds, creds->parent_obj.dir); =20 - if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { + if (isServer) { if (qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_X509_CA_CERT, true, &cacert, errp) < 0 || @@ -609,9 +611,8 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, } =20 if (creds->sanityCheck && - qcrypto_tls_creds_x509_sanity_check(creds, - creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_S= ERVER, - cacert, cert, errp) < 0) { + qcrypto_tls_creds_x509_sanity_check(creds, isServer, + cacert, cert, errp) < 0) { return -1; } =20 
@@ -664,7 +665,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, } } =20 - if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { + if (isServer) { if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhpar= ams, &creds->parent_obj.dh_par= ams, errp) < 0) { --=20 2.51.1
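Review bot: in the first hunk, the new local `isServer` is camelCase, while QEMU's CODING_STYLE asks for lower_case_with_underscores for variables, so `is_server` would be the conforming name; if the crypto subsystem deliberately keeps the camelCase convention of nearby fields such as `sanityCheck`, a sentence in the commit message saying so would pre-empt that question. The three sites that now test `isServer` are otherwise one-for-one replacements of the removed `creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER` comparisons, and nothing in the visible context writes to `endpoint` between the assignment and the last use, so caching the result at the top of `qcrypto_tls_creds_x509_load()` does not change which branch is taken.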
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 10/21] crypto: remove duplication loading x509 CA cert
Date: Thu, 30 Oct 2025 14:49:16 +0000
Message-ID: <20251030144927.2241109-11-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The CA cert is mandatory in both client and server scenarios.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Marc-André Lureau
---
 crypto/tlscredsx509.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 08223781d7..f2f1aa2815 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -578,11 +578,14 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *cred= s, =20 trace_qcrypto_tls_creds_x509_load(creds, creds->parent_obj.dir); =20 + if (qcrypto_tls_creds_get_path(&creds->parent_obj, + QCRYPTO_TLS_CREDS_X509_CA_CERT, + true, &cacert, errp) < 0) { + return -1; + } + if (isServer) { if (qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_CA_CERT, - true, &cacert, errp) < 0 || - qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_X509_CA_CRL, false, &cacrl, errp) < 0 || qcrypto_tls_creds_get_path(&creds->parent_obj, 
@@ -598,9 +601,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, } } else { if (qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_CA_CERT, - true, &cacert, errp) < 0 || - qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_X509_CLIENT_CERT, false, &cert, errp) < 0 || qcrypto_tls_creds_get_path(&creds->parent_obj, --=20 2.51.1
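Review bot: in the first hunk the hoisted `qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_X509_CA_CERT, true, &cacert, errp)` keeps the `true` (required) flag that both removed call sites passed, so the CA certificate stays mandatory for client and server alike and a missing or unreadable file still fails with `-1`, now before the CRL, server cert or client cert paths are looked at. Because the early `return -1` sits in front of the `if (isServer)` branch instead of inside the `||` chains, a line in the commit message stating that this is a no-functional-change refactor would make that easier to confirm at review time.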
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 11/21] crypto: reduce duplication in handling TLS priority strings
Date: Thu, 30 Oct 2025 14:49:17 +0000
Message-ID: <20251030144927.2241109-12-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The logic for setting the TLS priority string on a session object has a significant amount of logic duplication across the different credential types.
By recording the extra priority string suffix against the credential class, we can introduce a common method for building the priority string. The TLS session can now set the priority string without caring about the credential type. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- crypto/tlscreds.c | 15 ++++++++++ crypto/tlscredsanon.c | 2 ++ crypto/tlscredspsk.c | 2 ++ crypto/tlssession.c | 60 ++++++--------------------------------- include/crypto/tlscreds.h | 13 +++++++++ 5 files changed, 41 insertions(+), 51 deletions(-) diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index 1e39ee1141..49c7eb46a5 100644 --- a/crypto/tlscreds.c +++ b/crypto/tlscreds.c @@ -266,6 +266,21 @@ bool qcrypto_tls_creds_check_endpoint(QCryptoTLSCreds = *creds, return true; } =20 + +char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds *creds) +{ + QCryptoTLSCredsClass *tcc =3D QCRYPTO_TLS_CREDS_GET_CLASS(creds); + const char *priorityBase =3D + creds->priority ? creds->priority : CONFIG_TLS_PRIORITY; + + if (tcc->prioritySuffix) { + return g_strdup_printf("%s:%s", priorityBase, tcc->prioritySuffix); + } else { + return g_strdup(priorityBase); + } +} + + static const TypeInfo qcrypto_tls_creds_info =3D { .parent =3D TYPE_OBJECT, .name =3D TYPE_QCRYPTO_TLS_CREDS, diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c index 1ddfe4eb31..5c55b07b2f 100644 --- a/crypto/tlscredsanon.c +++ b/crypto/tlscredsanon.c @@ -137,8 +137,10 @@ static void qcrypto_tls_creds_anon_class_init(ObjectClass *oc, const void *data) { UserCreatableClass *ucc =3D USER_CREATABLE_CLASS(oc); + QCryptoTLSCredsClass *tcc =3D QCRYPTO_TLS_CREDS_CLASS(oc); =20 ucc->complete =3D qcrypto_tls_creds_anon_complete; + tcc->prioritySuffix =3D "+ANON-DH"; } =20 =20 diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c index bf4efe2114..6c2feae077 100644 --- a/crypto/tlscredspsk.c +++ b/crypto/tlscredspsk.c 
@@ -240,8 +240,10 @@ static void qcrypto_tls_creds_psk_class_init(ObjectClass *oc, const void *data) { UserCreatableClass *ucc =3D USER_CREATABLE_CLASS(oc); + QCryptoTLSCredsClass *tcc =3D QCRYPTO_TLS_CREDS_CLASS(oc); =20 ucc->complete =3D qcrypto_tls_creds_psk_complete; + tcc->prioritySuffix =3D "+ECDHE-PSK:+DHE-PSK:+PSK"; =20 object_class_property_add_str(oc, "username", qcrypto_tls_creds_psk_prop_get_username, diff --git a/crypto/tlssession.c b/crypto/tlssession.c index 92fe4f0380..77f334add3 100644 --- a/crypto/tlssession.c +++ b/crypto/tlssession.c @@ -155,9 +155,6 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_= t len) } } =20 -#define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH" -#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK" - QCryptoTLSSession * qcrypto_tls_session_new(QCryptoTLSCreds *creds, const char *hostname, @@ -167,6 +164,7 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds, { QCryptoTLSSession *session; int ret; + g_autofree char *prio =3D NULL; =20 session =3D g_new0(QCryptoTLSSession, 1); trace_qcrypto_tls_session_new( 
@@ -200,28 +198,17 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds, goto error; } =20 + prio =3D qcrypto_tls_creds_get_priority(creds); + ret =3D gnutls_priority_set_direct(session->handle, prio, NULL); + if (ret < 0) { + error_setg(errp, "Unable to set TLS session priority %s: %s", + prio, gnutls_strerror(ret)); + goto error; + } + if (object_dynamic_cast(OBJECT(creds), TYPE_QCRYPTO_TLS_CREDS_ANON)) { QCryptoTLSCredsAnon *acreds =3D QCRYPTO_TLS_CREDS_ANON(creds); - char *prio; - - if (creds->priority !=3D NULL) { - prio =3D g_strdup_printf("%s:%s", - creds->priority, - TLS_PRIORITY_ADDITIONAL_ANON); - } else { - prio =3D g_strdup(CONFIG_TLS_PRIORITY ":" - TLS_PRIORITY_ADDITIONAL_ANON); - } - - ret =3D gnutls_priority_set_direct(session->handle, prio, NULL); - if (ret < 0) { - error_setg(errp, "Unable to set TLS session priority %s: %s", - prio, gnutls_strerror(ret)); - g_free(prio); - goto error; - } - g_free(prio); if (creds->endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { ret =3D gnutls_credentials_set(session->handle, GNUTLS_CRD_ANON, @@ -239,25 +226,6 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds, } else if (object_dynamic_cast(OBJECT(creds), TYPE_QCRYPTO_TLS_CREDS_PSK)) { QCryptoTLSCredsPSK *pcreds =3D QCRYPTO_TLS_CREDS_PSK(creds); - char *prio; - - if (creds->priority !=3D NULL) { - prio =3D g_strdup_printf("%s:%s", - creds->priority, - TLS_PRIORITY_ADDITIONAL_PSK); - } else { - prio =3D g_strdup(CONFIG_TLS_PRIORITY ":" - TLS_PRIORITY_ADDITIONAL_PSK); - } - - ret =3D gnutls_priority_set_direct(session->handle, prio, NULL); - if (ret < 0) { - error_setg(errp, "Unable to set TLS session priority %s: %s", - prio, gnutls_strerror(ret)); - g_free(prio); - goto error; - } - g_free(prio); if (creds->endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { ret =3D gnutls_credentials_set(session->handle, GNUTLS_CRD_PSK, 
@@ -275,17 +243,7 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds, } else if (object_dynamic_cast(OBJECT(creds), TYPE_QCRYPTO_TLS_CREDS_X509)) { QCryptoTLSCredsX509 *tcreds =3D QCRYPTO_TLS_CREDS_X509(creds); - const char *prio =3D creds->priority; - if (!prio) { - prio =3D CONFIG_TLS_PRIORITY; - } =20 - ret =3D gnutls_priority_set_direct(session->handle, prio, NULL); - if (ret < 0) { - error_setg(errp, "Cannot set default TLS session priority %s: = %s", - prio, gnutls_strerror(ret)); - goto error; - } ret =3D gnutls_credentials_set(session->handle, GNUTLS_CRD_CERTIFICATE, tcreds->data); diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h index 2a8a857010..afd1016088 100644 --- a/include/crypto/tlscreds.h +++ b/include/crypto/tlscreds.h @@ -47,6 +47,7 @@ typedef bool (*CryptoTLSCredsReload)(QCryptoTLSCreds *, E= rror **); struct QCryptoTLSCredsClass { ObjectClass parent_class; CryptoTLSCredsReload reload; + const char *prioritySuffix; }; =20 /** 
@@ -64,4 +65,16 @@ bool qcrypto_tls_creds_check_endpoint(QCryptoTLSCreds *c= reds, QCryptoTLSCredsEndpoint endpoint, Error **errp); =20 + +/** + * qcrypto_tls_creds_get_priority: + * @creds: pointer to a TLS credentials object + * + * Get the TLS credentials priority string. The caller + * must free the returned string when no longer required. + * + * Returns: a non-NULL priority string + */ +char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds *creds); + #endif /* QCRYPTO_TLSCREDS_H */ --=20 2.51.1
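Review bot: the new `const char *prioritySuffix;` member added to `struct QCryptoTLSCredsClass` in the first include/crypto/tlscreds.h hunk has no doc comment, unlike the `qcrypto_tls_creds_get_priority()` declaration in the following hunk. Please document that it is an optional GnuTLS priority fragment which `qcrypto_tls_creds_get_priority()` appends to the base priority after a `:` separator, and that NULL means no suffix: the x509 class is not touched by this patch and so relies on the zero-initialised class struct to fall into the `g_strdup(priorityBase)` branch, which deserves to be stated rather than implied.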
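Review bot: the x509 hunk in crypto/tlssession.c drops the `"Cannot set default TLS session priority %s: %s"` message in favour of the shared `"Unable to set TLS session priority %s: %s"` text emitted before the `object_dynamic_cast()` chain; that is a user-visible error string change, reasonable as a unification but worth a mention in the commit message. On the positive side, `g_autofree char *prio = NULL` replaces the paired `g_free(prio)` calls on both the success and `goto error` paths of the anon and PSK branches, so the priority string cleanup is now automatic on every exit from `qcrypto_tls_session_new()`.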
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 12/21] crypto: introduce method for reloading TLS creds
Date: Thu, 30 Oct 2025 14:49:18 +0000
Message-ID: <20251030144927.2241109-13-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

This prevents direct access of the class members by the VNC display code.
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- crypto/tlscreds.c | 15 +++++++++++++++ include/crypto/tlscreds.h | 13 +++++++++++++ ui/vnc.c | 9 +-------- 3 files changed, 29 insertions(+), 8 deletions(-) diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index 49c7eb46a5..9433b4c363 100644 --- a/crypto/tlscreds.c +++ b/crypto/tlscreds.c @@ -281,6 +281,21 @@ char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds *= creds) } =20 =20 +bool qcrypto_tls_creds_reload(QCryptoTLSCreds *creds, + Error **errp) +{ + QCryptoTLSCredsClass *credscls =3D QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(= creds)); + + if (credscls->reload) { + return credscls->reload(creds, errp); + } + + error_setg(errp, "%s does not support reloading credentials", + object_get_typename(OBJECT(creds))); + return false; +} + + static const TypeInfo qcrypto_tls_creds_info =3D { .parent =3D TYPE_OBJECT, .name =3D TYPE_QCRYPTO_TLS_CREDS, diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h index afd1016088..bb9280ed1a 100644 --- a/include/crypto/tlscreds.h +++ b/include/crypto/tlscreds.h @@ -77,4 +77,17 @@ bool qcrypto_tls_creds_check_endpoint(QCryptoTLSCreds *c= reds, */ char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds *creds); =20 + +/** + * qcrypto_tls_creds_reload: + * @creds: pointer to a TLS credentials object + * @errp: pointer to a NULL-initialized error object + * + * Request a reload of the TLS credentials, if supported + * + * Returns: true on success, false on error or if not supported + */ +bool qcrypto_tls_creds_reload(QCryptoTLSCreds *creds, + Error **errp); + #endif /* QCRYPTO_TLSCREDS_H */ diff --git a/ui/vnc.c b/ui/vnc.c index 77c823bf2e..6b32dd0fe9 100644 --- a/ui/vnc.c +++ b/ui/vnc.c 
@@ -578,7 +578,6 @@ VncInfo2List *qmp_query_vnc_servers(Error **errp) bool vnc_display_reload_certs(const char *id, Error **errp) { VncDisplay *vd =3D vnc_display_find(id); - QCryptoTLSCredsClass *creds =3D NULL; =20 if (!vd) { error_setg(errp, "Can not find vnc display"); 
@@ -590,13 +589,7 @@ bool vnc_display_reload_certs(const char *id, Error **= errp) return false; } =20 - creds =3D QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(vd->tlscreds)); - if (creds->reload =3D=3D NULL) { - error_setg(errp, "%s doesn't support to reload TLS credential", - object_get_typename(OBJECT(vd->tlscreds))); - return false; - } - if (!creds->reload(vd->tlscreds, errp)) { + if (!qcrypto_tls_creds_reload(vd->tlscreds, errp)) { return false; } =20 --=20 2.51.1
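Review bot: in the crypto/tlscreds.c hunk, `QCRYPTO_TLS_CREDS_GET_CLASS(OBJECT(creds))` wraps the argument in `OBJECT()`, while `qcrypto_tls_creds_get_priority()` directly above it calls `QCRYPTO_TLS_CREDS_GET_CLASS(creds)`; the QOM `*_GET_CLASS` macros take the object pointer directly, so the extra cast can go for consistency. The fallback `error_setg(errp, "%s does not support reloading credentials", ...)` followed by `return false` matches the header's "false on error or if not supported" contract, so the single `if (!qcrypto_tls_creds_reload(vd->tlscreds, errp))` check in the ui/vnc.c hunk can rely on `errp` being populated in both failure cases.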
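Review bot: the second ui/vnc.c hunk changes the error text returned to QMP callers from `"%s doesn't support to reload TLS credential"` to the common `"%s does not support reloading credentials"`; the new wording is better English, but since this surfaces through the management API it should be called out in the commit message so that anyone matching on the old string knows to update.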
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 13/21] crypto: introduce a wrapper around gnutls credentials
Date: Thu, 30 Oct 2025 14:49:19 +0000
Message-ID: <20251030144927.2241109-14-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The gnutls_credentials_set() method has a very surprising API contract that requires the caller to preserve the passed in credentials pointer for as long as the gnutls_session_t object is alive.
QEMU is failing to ensure this happens. In QEMU the GNUTLS credentials object is owned by the QCryptoTLSCreds object instance while the GNUTLS session object is owned by the QCryptoTLSSession object instance. Their lifetimes are not guaranteed to be the same, though in most common usage the credentials will outlive the session.

This is notably not the case, however, after the VNC server gained the ability to reload credentials on the fly with:

  commit 1f08e3415120637cad7f540d9ceb4dba3136dbdd
  Author: Zihao Chang
  Date:   Tue Mar 16 15:58:44 2021 +0800

      vnc: support reload x509 certificates for vnc

If that is triggered while a VNC client is in the middle of performing a TLS handshake, we might hit a use-after-free.

It is difficult to correct this problem because there's no way to deep-clone a GNUTLS credentials object, nor is it reference counted. Thus we introduce a QCryptoTLSCredsBox object whose only purpose is to add reference counting around the GNUTLS credentials object.

The DH parameters set against a credentials object also have to be kept alive for as long as the credentials exist. So the box must also hold the DH parameters pointer.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Marc-André Lureau
---
 crypto/meson.build   |   5 ++-
 crypto/tlscredsbox.c | 101 +++++++++++++++++++++++++++++++++++++++++++
 crypto/tlscredsbox.h |  46 ++++++++++++++++++++
 3 files changed, 151 insertions(+), 1 deletion(-)
 create mode 100644 crypto/tlscredsbox.c
 create mode 100644 crypto/tlscredsbox.h
diff --git a/crypto/meson.build b/crypto/meson.build index 735635de1f..1fc14b2a04 100644 --- a/crypto/meson.build +++ b/crypto/meson.build @@ -25,7 +25,10 @@ crypto_ss.add(files( )) =20 if gnutls.found() - crypto_ss.add(files('x509-utils.c')) + crypto_ss.add(files( + 'tlscredsbox.c', + 'x509-utils.c', + )) endif =20 if nettle.found() diff --git a/crypto/tlscredsbox.c b/crypto/tlscredsbox.c new file mode 100644 index 0000000000..b8d9846af8 --- /dev/null +++ b/crypto/tlscredsbox.c
@@ -0,0 +1,101 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * QEMU crypto TLS credential support + * + * Copyright (c) 2025 Red Hat, Inc. + */ + +#include "qemu/osdep.h" +#include "crypto/tlscredsbox.h" +#include "qemu/atomic.h" + + +static QCryptoTLSCredsBox * +qcrypto_tls_creds_box_new_impl(int type, bool server) +{ + QCryptoTLSCredsBox *credsbox =3D g_new0(QCryptoTLSCredsBox, 1); + credsbox->ref =3D 1; + credsbox->server =3D server; + credsbox->type =3D type; + return credsbox; +} + + +QCryptoTLSCredsBox * +qcrypto_tls_creds_box_new_server(int type) +{ + return qcrypto_tls_creds_box_new_impl(type, true); +} + + +QCryptoTLSCredsBox * +qcrypto_tls_creds_box_new_client(int type) +{ + return qcrypto_tls_creds_box_new_impl(type, false); +} + +static void qcrypto_tls_creds_box_free(QCryptoTLSCredsBox *credsbox) +{ + switch (credsbox->type) { + case GNUTLS_CRD_CERTIFICATE: + if (credsbox->data.cert) { + gnutls_certificate_free_credentials(credsbox->data.cert); + } + break; + case GNUTLS_CRD_PSK: + if (credsbox->server) { + if (credsbox->data.pskserver) { + gnutls_psk_free_server_credentials(credsbox->data.pskserve= r); + } + } else { + if (credsbox->data.pskclient) { + gnutls_psk_free_client_credentials(credsbox->data.pskclien= t); + } + } + break; + case GNUTLS_CRD_ANON: + if (credsbox->server) { + if (credsbox->data.anonserver) { + gnutls_anon_free_server_credentials(credsbox->data.anonser= ver); + } + } else { + if (credsbox->data.anonclient) { + gnutls_anon_free_client_credentials(credsbox->data.anoncli= ent); + } + } + break; + default: + g_assert_not_reached(); + } + + if (credsbox->dh_params) { + gnutls_dh_params_deinit(credsbox->dh_params); + } + + g_free(credsbox); +} + + +void qcrypto_tls_creds_box_ref(QCryptoTLSCredsBox *credsbox) +{ + uint32_t ref =3D qatomic_fetch_inc(&credsbox->ref); + /* Assert waaay before the integer overflows */ + g_assert(ref < INT_MAX); +} + + +void qcrypto_tls_creds_box_unref(QCryptoTLSCredsBox *credsbox) +{ + if 
(!credsbox) { + return; + } + + g_assert(credsbox->ref > 0); + + if (qatomic_fetch_dec(&credsbox->ref) =3D=3D 1) { + qcrypto_tls_creds_box_free(credsbox); + } + +} + diff --git a/crypto/tlscredsbox.h b/crypto/tlscredsbox.h new file mode 100644 index 0000000000..5d89335f46 --- /dev/null +++ b/crypto/tlscredsbox.h 
@@ -0,0 +1,46 @@ +/* + * SPDX-License-Identifier: GPL-2.0-or-later + * + * QEMU crypto TLS credential support + * + * Copyright (c) 2025 Red Hat, Inc. + */ + +#ifndef QCRYPTO_TLSCREDS_BOX_H +#define QCRYPTO_TLSCREDS_BOX_H + +#include "qom/object.h" + +#ifdef CONFIG_GNUTLS +#include +#endif + +typedef struct QCryptoTLSCredsBox QCryptoTLSCredsBox; + +struct QCryptoTLSCredsBox { + uint32_t ref; + bool server; + int type; + union { + void *any; +#ifdef CONFIG_GNUTLS + gnutls_anon_server_credentials_t anonserver; + gnutls_anon_client_credentials_t anonclient; + gnutls_psk_server_credentials_t pskserver; + gnutls_psk_client_credentials_t pskclient; + gnutls_certificate_credentials_t cert; +#endif + } data; +#ifdef CONFIG_GNUTLS + gnutls_dh_params_t dh_params; +#endif +}; + +QCryptoTLSCredsBox *qcrypto_tls_creds_box_new_server(int type); +QCryptoTLSCredsBox *qcrypto_tls_creds_box_new_client(int type); +void qcrypto_tls_creds_box_ref(QCryptoTLSCredsBox *credsbox); +void qcrypto_tls_creds_box_unref(QCryptoTLSCredsBox *credsbox); + +G_DEFINE_AUTOPTR_CLEANUP_FUNC(QCryptoTLSCredsBox, qcrypto_tls_creds_box_un= ref); + +#endif /* QCRYPTO_TLSCREDS_BOX_H */
-- 
2.51.1
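Review bot: in qcrypto_tls_creds_box_unref() the `g_assert(credsbox->ref > 0)` is a plain load taken before the `qatomic_fetch_dec()`, so on an over-unref from two threads both can pass the assert and the second decrement then wraps the counter from 0 to UINT32_MAX on an already freed box without anything firing; asserting on the value the atomic returns closes that window at no cost: `uint32_t ref = qatomic_fetch_dec(&credsbox->ref); g_assert(ref > 0); if (ref == 1) { qcrypto_tls_creds_box_free(credsbox); }`. Separately, qcrypto_tls_creds_box_free() chooses which `data.*` member to release from `type` and `server`, which only works because g_new0() zeroes the union and every caller fills in exactly the member matching `type`; a comment on the struct stating that the caller allocates into the matching member and the box then owns it, together with `dh_params`, would make that contract visible to the next backend author.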
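Review bot: tlscredsbox.h introduces four public functions and a struct with no doc comments, and the ownership rules are only implied by the .c file: qcrypto_tls_creds_box_new_server()/_new_client() do not allocate the gnutls object, the caller allocates directly into the `data.*` member that matches `type` (and, on the server side, into `dh_params`), and from then on the box owns both and frees them on the last unref, so the caller must never free them itself. Please state that on the struct and on the two constructors, and note that `type` is a gnutls_credentials_type_t value carried as `int` so the header stays usable without CONFIG_GNUTLS.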
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 14/21] crypto: fix lifecycle handling of gnutls credentials objects
Date: Thu, 30 Oct 2025 14:49:20 +0000
Message-ID: <20251030144927.2241109-15-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

As described in the previous commit, the gnutls credentials need to be kept alive for as long as the gnutls session object exists.
Convert the QCryptoTLSCreds objects to use QCryptoTLSCredsBox for holding the gnutls credential objects. When loading the credentials into a gnutls session, store a reference to the box into the QCryptoTLSSession object.

This has the useful side effect that the QCryptoTLSSession code no longer needs to know about all the different credential types; it can use the generic pointer stored in the box.

Signed-off-by: Daniel P. Berrangé
Reviewed-by: Marc-André Lureau
---
 crypto/tlscreds.c     |  5 +--
 crypto/tlscredsanon.c | 48 +++++---------------------
 crypto/tlscredspriv.h | 20 ++---------
 crypto/tlscredspsk.c  | 46 ++++++++-----------------
 crypto/tlscredsx509.c | 71 +++++++++++++-------------------------
 crypto/tlssession.c   | 80 ++++++++++++++-----------------------------
 6 files changed, 75 insertions(+), 195 deletions(-)
diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index 9433b4c363..798c9712fb 100644 --- a/crypto/tlscreds.c +++ b/crypto/tlscreds.c @@ -246,10 +246,7 @@ qcrypto_tls_creds_finalize(Object *obj) { QCryptoTLSCreds *creds =3D QCRYPTO_TLS_CREDS(obj); =20 - if (creds->dh_params) { - gnutls_dh_params_deinit(creds->dh_params); - } - + qcrypto_tls_creds_box_unref(creds->box); g_free(creds->dir); g_free(creds->priority); } diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c index 5c55b07b2f..0a728ccbf6 100644 --- a/crypto/tlscredsanon.c +++ b/crypto/tlscredsanon.c @@ -36,6 +36,7 @@ static int qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, Error **errp) { + g_autoptr(QCryptoTLSCredsBox) box =3D NULL; g_autofree char *dhparams =3D NULL; int ret; =20 @@ -43,6 +44,8 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, creds->parent_obj.dir ? creds->parent_obj.dir : ""); =20 if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { + box =3D qcrypto_tls_creds_box_new_server(GNUTLS_CRD_ANON); + if (creds->parent_obj.dir && qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_DH_PARAMS,
@@ -50,7 +53,7 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, return -1; } =20 - ret =3D gnutls_anon_allocate_server_credentials(&creds->data.serve= r); + ret =3D gnutls_anon_allocate_server_credentials(&box->data.anonser= ver); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: %s", gnutls_strerror(ret)); @@ -58,42 +61,26 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, } =20 if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhpar= ams, - &creds->parent_obj.dh_par= ams, - errp) < 0) { + &box->dh_params, errp) < = 0) { return -1; } =20 - gnutls_anon_set_server_dh_params(creds->data.server, - creds->parent_obj.dh_params); + gnutls_anon_set_server_dh_params(box->data.anonserver, + box->dh_params); } else { - ret =3D gnutls_anon_allocate_client_credentials(&creds->data.clien= t); + ret =3D gnutls_anon_allocate_client_credentials(&box->data.anoncli= ent); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: %s", gnutls_strerror(ret)); return -1; } } + creds->parent_obj.box =3D g_steal_pointer(&box); =20 return 0; } =20 =20 -static void -qcrypto_tls_creds_anon_unload(QCryptoTLSCredsAnon *creds) -{ - if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_CLIEN= T) { - if (creds->data.client) { - gnutls_anon_free_client_credentials(creds->data.client); - creds->data.client =3D NULL; - } - } else { - if (creds->data.server) { - gnutls_anon_free_server_credentials(creds->data.server); - creds->data.server =3D NULL; - } - } -} - #else /* ! CONFIG_GNUTLS */ =20 =20 @@ -105,13 +92,6 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds = G_GNUC_UNUSED, } =20 =20 -static void -qcrypto_tls_creds_anon_unload(QCryptoTLSCredsAnon *creds G_GNUC_UNUSED) -{ - /* nada */ -} - - #endif /* ! CONFIG_GNUTLS */ =20 =20 
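Review bot: the client branch of qcrypto_tls_creds_anon_load() never creates a box: `box` is only assigned under the `endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER` test, yet the `else` branch now does `gnutls_anon_allocate_client_credentials(&box->data.anonclient)` with `box` still NULL, and the trailing `creds->parent_obj.box = g_steal_pointer(&box);` then stores NULL into the creds object. Every anonymous-credential client will crash on that dereference (or, if it somehow survived, in qcrypto_tls_session_new() later). The PSK loader in this same patch gets it right; add the matching line at the top of the `else` branch: `box = qcrypto_tls_creds_box_new_client(GNUTLS_CRD_ANON);`.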
@@ -124,15 +104,6 @@ qcrypto_tls_creds_anon_complete(UserCreatable *uc, Err= or **errp) } =20 =20 -static void -qcrypto_tls_creds_anon_finalize(Object *obj) -{ - QCryptoTLSCredsAnon *creds =3D QCRYPTO_TLS_CREDS_ANON(obj); - - qcrypto_tls_creds_anon_unload(creds); -} - - static void qcrypto_tls_creds_anon_class_init(ObjectClass *oc, const void *data) { @@ -148,7 +119,6 @@ static const TypeInfo qcrypto_tls_creds_anon_info =3D { .parent =3D TYPE_QCRYPTO_TLS_CREDS, .name =3D TYPE_QCRYPTO_TLS_CREDS_ANON, .instance_size =3D sizeof(QCryptoTLSCredsAnon), - .instance_finalize =3D qcrypto_tls_creds_anon_finalize, .class_size =3D sizeof(QCryptoTLSCredsAnonClass), .class_init =3D qcrypto_tls_creds_anon_class_init, .interfaces =3D (const InterfaceInfo[]) { diff --git a/crypto/tlscredspriv.h b/crypto/tlscredspriv.h index df9815a286..4e6dffa22f 100644 --- a/crypto/tlscredspriv.h +++ b/crypto/tlscredspriv.h @@ -22,6 +22,7 @@ #define QCRYPTO_TLSCREDSPRIV_H =20 #include "crypto/tlscreds.h" +#include "crypto/tlscredsbox.h" =20 #ifdef CONFIG_GNUTLS #include @@ -31,39 +32,22 @@ struct QCryptoTLSCreds { Object parent_obj; char *dir; QCryptoTLSCredsEndpoint endpoint; -#ifdef CONFIG_GNUTLS - gnutls_dh_params_t dh_params; -#endif bool verifyPeer; char *priority; + QCryptoTLSCredsBox *box; }; =20 struct QCryptoTLSCredsAnon { QCryptoTLSCreds parent_obj; -#ifdef CONFIG_GNUTLS - union { - gnutls_anon_server_credentials_t server; - gnutls_anon_client_credentials_t client; - } data; -#endif }; =20 struct QCryptoTLSCredsPSK { QCryptoTLSCreds parent_obj; char *username; -#ifdef CONFIG_GNUTLS - union { - gnutls_psk_server_credentials_t server; - gnutls_psk_client_credentials_t client; - } data; -#endif }; =20 struct QCryptoTLSCredsX509 { QCryptoTLSCreds parent_obj; -#ifdef CONFIG_GNUTLS - gnutls_certificate_credentials_t data; -#endif bool sanityCheck; char *passwordid; }; diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c index 6c2feae077..5568f1ad0c 100644 --- a/crypto/tlscredspsk.c 
+++ b/crypto/tlscredspsk.c @@ -71,6 +71,7 @@ static int qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, Error **errp) { + g_autoptr(QCryptoTLSCredsBox) box =3D NULL; g_autofree char *pskfile =3D NULL; g_autofree char *dhparams =3D NULL; const char *username; @@ -87,6 +88,8 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, } =20 if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { + box =3D qcrypto_tls_creds_box_new_server(GNUTLS_CRD_PSK); + if (creds->username) { error_setg(errp, "username should not be set when endpoint=3Ds= erver"); goto cleanup; @@ -101,7 +104,7 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, goto cleanup; } =20 - ret =3D gnutls_psk_allocate_server_credentials(&creds->data.server= ); + ret =3D gnutls_psk_allocate_server_credentials(&box->data.pskserve= r); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: %s", gnutls_strerror(ret)); @@ -109,20 +112,23 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, } =20 if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhpar= ams, - &creds->parent_obj.dh_par= ams, + &box->dh_params, errp) < 0) { goto cleanup; } =20 - ret =3D gnutls_psk_set_server_credentials_file(creds->data.server,= pskfile); + ret =3D gnutls_psk_set_server_credentials_file(box->data.pskserver, + pskfile); if (ret < 0) { error_setg(errp, "Cannot set PSK server credentials: %s", gnutls_strerror(ret)); goto cleanup; } - gnutls_psk_set_server_dh_params(creds->data.server, - creds->parent_obj.dh_params); + gnutls_psk_set_server_dh_params(box->data.pskserver, + box->dh_params); } else { + box =3D qcrypto_tls_creds_box_new_client(GNUTLS_CRD_PSK); + if (qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_PSKFILE, true, &pskfile, errp) < 0) { 
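Review bot: `creds->parent_obj.box = g_steal_pointer(&box);` at the end of qcrypto_tls_creds_psk_load() (the anon and x509 loaders carry the same line) overwrites whatever box is already in the slot without unrefing it. Nothing calls the PSK loader twice today, and the x509 reload path clears `creds->box` before reloading, but now that the QOM finalizer is the only place a box is released, a `g_assert(!creds->parent_obj.box);` just before the steal would document that each load expects an empty slot and turn a future double load into an assert rather than a silent leak of the gnutls object.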
@@ -138,14 +144,14 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, goto cleanup; } =20 - ret =3D gnutls_psk_allocate_client_credentials(&creds->data.client= ); + ret =3D gnutls_psk_allocate_client_credentials(&box->data.pskclien= t); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: %s", gnutls_strerror(ret)); goto cleanup; } =20 - ret =3D gnutls_psk_set_client_credentials(creds->data.client, + ret =3D gnutls_psk_set_client_credentials(box->data.pskclient, username, &key, GNUTLS_PSK= _KEY_HEX); if (ret < 0) { error_setg(errp, "Cannot set PSK client credentials: %s", @@ -153,6 +159,7 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, goto cleanup; } } + creds->parent_obj.box =3D g_steal_pointer(&box); =20 rv =3D 0; cleanup: @@ -160,23 +167,6 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, return rv; } =20 - -static void -qcrypto_tls_creds_psk_unload(QCryptoTLSCredsPSK *creds) -{ - if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_CLIEN= T) { - if (creds->data.client) { - gnutls_psk_free_client_credentials(creds->data.client); - creds->data.client =3D NULL; - } - } else { - if (creds->data.server) { - gnutls_psk_free_server_credentials(creds->data.server); - creds->data.server =3D NULL; - } - } -} - #else /* ! CONFIG_GNUTLS */ =20 =20 @@ -188,13 +178,6 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds G= _GNUC_UNUSED, } =20 =20 -static void -qcrypto_tls_creds_psk_unload(QCryptoTLSCredsPSK *creds G_GNUC_UNUSED) -{ - /* nada */ -} - - #endif /* ! CONFIG_GNUTLS */ =20 =20 @@ -212,7 +195,6 @@ qcrypto_tls_creds_psk_finalize(Object *obj) { QCryptoTLSCredsPSK *creds =3D QCRYPTO_TLS_CREDS_PSK(obj); =20 - qcrypto_tls_creds_psk_unload(creds); g_free(creds->username); } =20 diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index f2f1aa2815..ef31ea664c 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c 
@@ -562,6 +562,7 @@ static int qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, Error **errp) { + g_autoptr(QCryptoTLSCredsBox) box =3D NULL; g_autofree char *cacert =3D NULL; g_autofree char *cacrl =3D NULL; g_autofree char *cert =3D NULL; @@ -578,6 +579,19 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, =20 trace_qcrypto_tls_creds_x509_load(creds, creds->parent_obj.dir); =20 + if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { + box =3D qcrypto_tls_creds_box_new_server(GNUTLS_CRD_CERTIFICATE); + } else { + box =3D qcrypto_tls_creds_box_new_client(GNUTLS_CRD_CERTIFICATE); + } + + ret =3D gnutls_certificate_allocate_credentials(&box->data.cert); + if (ret < 0) { + error_setg(errp, "Cannot allocate credentials: '%s'", + gnutls_strerror(ret)); + return -1; + } + if (qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_X509_CA_CERT, true, &cacert, errp) < 0) { @@ -616,14 +630,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, return -1; } =20 - ret =3D gnutls_certificate_allocate_credentials(&creds->data); - if (ret < 0) { - error_setg(errp, "Cannot allocate credentials: '%s'", - gnutls_strerror(ret)); - return -1; - } - - ret =3D gnutls_certificate_set_x509_trust_file(creds->data, + ret =3D gnutls_certificate_set_x509_trust_file(box->data.cert, cacert, GNUTLS_X509_FMT_PEM); if (ret < 0) { @@ -641,7 +648,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, return -1; } } - ret =3D gnutls_certificate_set_x509_key_file2(creds->data, + ret =3D gnutls_certificate_set_x509_key_file2(box->data.cert, cert, key, GNUTLS_X509_FMT_PEM, password, @@ -655,7 +662,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, } =20 if (cacrl !=3D NULL) { - ret =3D gnutls_certificate_set_x509_crl_file(creds->data, + ret =3D gnutls_certificate_set_x509_crl_file(box->data.cert, cacrl, GNUTLS_X509_FMT_PEM); if (ret < 0) { 
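Review bot: the new box selection at the top of qcrypto_tls_creds_x509_load() re-derives the role from `creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER`, while the rest of the function, including the unchanged `if (isServer) {` around the dh_params block further down, tests `isServer`; if `isServer` is already computed at that point, `box = isServer ? qcrypto_tls_creds_box_new_server(GNUTLS_CRD_CERTIFICATE) : qcrypto_tls_creds_box_new_client(GNUTLS_CRD_CERTIFICATE);` avoids two spellings of the same condition. Hoisting gnutls_certificate_allocate_credentials() above the path lookups is fine, since the g_autoptr box releases the half-built credentials on every early `return -1`.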
@@ -667,28 +674,18 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *cred= s, =20 if (isServer) { if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhpar= ams, - &creds->parent_obj.dh_par= ams, + &box->dh_params, errp) < 0) { return -1; } - gnutls_certificate_set_dh_params(creds->data, - creds->parent_obj.dh_params); + gnutls_certificate_set_dh_params(box->data.cert, box->dh_params); } + creds->parent_obj.box =3D g_steal_pointer(&box); =20 return 0; } =20 =20 -static void -qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds) -{ - if (creds->data) { - gnutls_certificate_free_credentials(creds->data); - creds->data =3D NULL; - } -} - - #else /* ! CONFIG_GNUTLS */ =20 =20 @@ -700,13 +697,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds= G_GNUC_UNUSED, } =20 =20 -static void -qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED) -{ - /* nada */ -} - - #endif /* ! CONFIG_GNUTLS */ =20 =20 @@ -769,29 +759,17 @@ qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds,= Error **errp) { QCryptoTLSCredsX509 *x509_creds =3D QCRYPTO_TLS_CREDS_X509(creds); Error *local_err =3D NULL; - gnutls_certificate_credentials_t creds_data =3D x509_creds->data; - gnutls_dh_params_t creds_dh_params =3D creds->dh_params; + QCryptoTLSCredsBox *creds_box =3D creds->box; =20 - x509_creds->data =3D NULL; - creds->dh_params =3D NULL; + creds->box =3D NULL; qcrypto_tls_creds_x509_load(x509_creds, &local_err); if (local_err) { - qcrypto_tls_creds_x509_unload(x509_creds); - if (creds->dh_params) { - gnutls_dh_params_deinit(creds->dh_params); - } - x509_creds->data =3D creds_data; - creds->dh_params =3D creds_dh_params; + creds->box =3D creds_box; error_propagate(errp, local_err); return false; } =20 - if (creds_data) { - gnutls_certificate_free_credentials(creds_data); - } - if (creds_dh_params) { - gnutls_dh_params_deinit(creds_dh_params); - } + qcrypto_tls_creds_box_unref(creds_box); return true; } =20 
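Review bot: the swap in qcrypto_tls_creds_x509_reload() (`creds->box = NULL;`, then load, then `qcrypto_tls_creds_box_unref(creds_box);`) and the read-then-ref in qcrypto_tls_session_new() (`creds->box->data.any` followed by `qcrypto_tls_creds_box_ref(creds->box)`) are not synchronised against each other, so the atomic refcount only protects the in-flight sessions if both always run on the same thread; and for the whole duration of the reload `creds->box` is NULL, so a session created in that window would dereference NULL rather than pick up either the old or the new box. If the model is that both paths hold the BQL, a comment here saying so would make the assumption explicit; otherwise have the loader hand back the new box and publish it with a single store, leaving the old box in place until the new one is ready.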
@@ -824,7 +802,6 @@ qcrypto_tls_creds_x509_finalize(Object *obj) QCryptoTLSCredsX509 *creds =3D QCRYPTO_TLS_CREDS_X509(obj); =20 g_free(creds->passwordid); - qcrypto_tls_creds_x509_unload(creds); } =20 =20 diff --git a/crypto/tlssession.c b/crypto/tlssession.c index 77f334add3..a1dc3b3ce0 100644 --- a/crypto/tlssession.c +++ b/crypto/tlssession.c @@ -38,6 +38,7 @@ =20 struct QCryptoTLSSession { QCryptoTLSCreds *creds; + QCryptoTLSCredsBox *credsbox; gnutls_session_t handle; char *hostname; char *authzid; @@ -78,6 +79,7 @@ qcrypto_tls_session_free(QCryptoTLSSession *session) g_free(session->hostname); g_free(session->peername); g_free(session->authzid); + qcrypto_tls_creds_box_unref(session->credsbox); object_unref(OBJECT(session->creds)); qemu_mutex_destroy(&session->lock); g_free(session); 
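Review bot: the new `qcrypto_tls_creds_box_unref(session->credsbox);` in qcrypto_tls_session_free() sits after the g_free() calls, which is only correct if `gnutls_deinit(session->handle)` happens earlier in the function, outside this hunk, since the gnutls credentials must still be alive while the session handle is torn down. Please confirm that order, and consider placing the unref directly after the deinit with a one-line comment, so that a later reordering of the cleanup cannot drop the box before the handle that still points at it.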
@@ -206,63 +208,31 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds, goto error; } =20 - if (object_dynamic_cast(OBJECT(creds), - TYPE_QCRYPTO_TLS_CREDS_ANON)) { - QCryptoTLSCredsAnon *acreds =3D QCRYPTO_TLS_CREDS_ANON(creds); - if (creds->endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { - ret =3D gnutls_credentials_set(session->handle, - GNUTLS_CRD_ANON, - acreds->data.server); - } else { - ret =3D gnutls_credentials_set(session->handle, - GNUTLS_CRD_ANON, - acreds->data.client); - } - if (ret < 0) { - error_setg(errp, "Cannot set session credentials: %s", - gnutls_strerror(ret)); - goto error; - } - } else if (object_dynamic_cast(OBJECT(creds), - TYPE_QCRYPTO_TLS_CREDS_PSK)) { - QCryptoTLSCredsPSK *pcreds =3D QCRYPTO_TLS_CREDS_PSK(creds); - if (creds->endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { - ret =3D gnutls_credentials_set(session->handle, - GNUTLS_CRD_PSK, - pcreds->data.server); - } else { - ret =3D gnutls_credentials_set(session->handle, - GNUTLS_CRD_PSK, - pcreds->data.client); - } - if (ret < 0) { - error_setg(errp, "Cannot set session credentials: %s", - gnutls_strerror(ret)); - goto error; - } - } else if (object_dynamic_cast(OBJECT(creds), - TYPE_QCRYPTO_TLS_CREDS_X509)) { - QCryptoTLSCredsX509 *tcreds =3D QCRYPTO_TLS_CREDS_X509(creds); + ret =3D gnutls_credentials_set(session->handle, + creds->box->type, + creds->box->data.any); + if (ret < 0) { + error_setg(errp, "Cannot set session credentials: %s", + gnutls_strerror(ret)); + goto error; + } =20 - ret =3D gnutls_credentials_set(session->handle, - GNUTLS_CRD_CERTIFICATE, - tcreds->data); - if (ret < 0) { - error_setg(errp, "Cannot set session credentials: %s", - gnutls_strerror(ret)); - goto error; - } + /* + * creds->box->data.any must be kept alive for as long + * as the gnutls_session_t is alive, so acquire a ref + */ + qcrypto_tls_creds_box_ref(creds->box); + session->credsbox =3D creds->box; =20 - if (creds->endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { - /* This requests, 
but does not enforce a client cert. - * The cert checking code later does enforcement */ - gnutls_certificate_server_set_request(session->handle, - GNUTLS_CERT_REQUEST); - } - } else { - error_setg(errp, "Unsupported TLS credentials type %s", - object_get_typename(OBJECT(creds))); - goto error; + if (object_dynamic_cast(OBJECT(creds), + TYPE_QCRYPTO_TLS_CREDS_X509) && + creds->endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { + /* + * This requests, but does not enforce a client cert. + * The cert checking code later does enforcement + */ + gnutls_certificate_server_set_request(session->handle, + GNUTLS_CERT_REQUEST); } =20 gnutls_transport_set_ptr(session->handle, session);
-- 
2.51.1
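Review bot: the removed `else` branch (`Unsupported TLS credentials type %s`) was the only guard in qcrypto_tls_session_new() against a credentials object with nothing loaded; the replacement dereferences `creds->box->type` and `creds->box->data.any` unconditionally. `creds->box` is NULL for a credentials object whose load never ran or failed, and the reload hunk above leaves it NULL for the duration of a reload, so add `if (!creds->box) { error_setg(errp, "TLS credentials are not loaded"); goto error; }` ahead of gnutls_credentials_set(). Taking the ref only after gnutls_credentials_set() succeeded is right, and on the `goto error` path `session->credsbox` is still NULL so the unref in free() is a no-op; a short comment saying that is deliberate would help the next reader.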
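The two commit messages above describe the contract (patch 13: gnutls_credentials_set() keeps a raw pointer, so the credentials must outlive every session that was given them) and the fix (patch 14: the session takes a reference on the box when it loads the credentials). The following is an added example, not code from QEMU, GnuTLS or this series: it models the same ownership scheme with a fake credentials type and a free counter instead of GnuTLS, so it runs offline. The names FakeCreds, CredsBox, CredsOwner, Session and ScenarioResult are invented for the illustration; run_reload_scenario() plays out the reload-during-handshake case from the patch 13 message and reports what was freed at each step.

```c
/* Added example, not QEMU or GnuTLS code: a self-contained model of the
 * refcounted credentials box from this series. FakeCreds stands in for the
 * gnutls credentials object; Session for a QCryptoTLSSession that, through
 * gnutls_credentials_set(), keeps a raw pointer to those credentials. */
#include <limits.h>
#include <stdatomic.h>
#include <stdlib.h>

typedef struct { int generation; } FakeCreds;  /* which load produced it */
static int creds_freed;                        /* FakeCreds freed so far */

static FakeCreds *fake_creds_alloc(int generation)
{
    FakeCreds *c = calloc(1, sizeof(*c));
    c->generation = generation;
    return c;
}
static void fake_creds_free(FakeCreds *c) { creds_freed++; free(c); }

/* The box: one ref for the owning creds object, one per session using it. */
typedef struct {
    atomic_uint ref;
    FakeCreds *data;   /* owned by the box; freed when ref reaches zero */
} CredsBox;

static CredsBox *creds_box_new(FakeCreds *data)
{
    CredsBox *box = calloc(1, sizeof(*box));
    atomic_init(&box->ref, 1);
    box->data = data;
    return box;
}
static void creds_box_ref(CredsBox *box)
{
    if (atomic_fetch_add(&box->ref, 1) >= INT_MAX) abort(); /* overflow guard */
}
static void creds_box_unref(CredsBox *box)
{
    if (box && atomic_fetch_sub(&box->ref, 1) == 1) {  /* last ref dropped */
        fake_creds_free(box->data);
        free(box);
    }
}

/* Like QCryptoTLSCreds (owns the current box) and QCryptoTLSSession (keeps
 * the raw pointer gnutls retains, plus the ref that keeps it valid). */
typedef struct { CredsBox *box; int next_generation; } CredsOwner;
typedef struct { FakeCreds *raw; CredsBox *credsbox; } Session;

static Session *session_new(CredsOwner *owner)
{
    Session *s = calloc(1, sizeof(*s));
    s->raw = owner->box->data;   /* what gnutls_credentials_set() stores */
    creds_box_ref(owner->box);   /* pin the box while the session lives */
    s->credsbox = owner->box;
    return s;
}
static void session_free(Session *s)
{
    creds_box_unref(s->credsbox);  /* in real code: after gnutls_deinit() */
    free(s);
}
/* Like qcrypto_tls_creds_x509_reload(): publish a new box, drop the old ref. */
static void owner_reload(CredsOwner *owner)
{
    CredsBox *old = owner->box;
    owner->box = creds_box_new(fake_creds_alloc(owner->next_generation++));
    creds_box_unref(old);   /* frees nothing while a session still holds it */
}

typedef struct {
    int freed_after_reload;   /* creds freed by the reload itself */
    int gen_seen_by_session;  /* generation the in-flight session still reads */
    int freed_after_session;  /* creds freed once the session is gone */
    int freed_after_owner;    /* creds freed once the owner is gone too */
} ScenarioResult;

/* The commit message's case: a reload lands while a session is mid-handshake.
 * With the box, the old credentials outlive the reload. */
static ScenarioResult run_reload_scenario(void)
{
    ScenarioResult r = {0};
    creds_freed = 0;
    CredsOwner owner = { creds_box_new(fake_creds_alloc(1)), 2 };
    Session *s = session_new(&owner);
    owner_reload(&owner);
    r.freed_after_reload = creds_freed;          /* 0 */
    r.gen_seen_by_session = s->raw->generation;  /* 1, still valid memory */
    session_free(s);
    r.freed_after_session = creds_freed;         /* 1 */
    creds_box_unref(owner.box);
    r.freed_after_owner = creds_freed;           /* 2 */
    return r;
}
```

In the pre-fix shape the session would keep only `raw`: the reload would free the credentials at once and the later read of `s->raw->generation` would be the use-after-free the series is closing. With the session holding a ref, `freed_after_reload` stays 0 and the old credentials go away only when their last holder, the session or the owner, whichever is later, drops them.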
sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1761836185643237.09766973990224; Thu, 30 Oct 2025 07:56:25 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vETyu-0001dZ-3n; Thu, 30 Oct 2025 10:50:28 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vETyq-0001ZF-Pz for qemu-devel@nongnu.org; Thu, 30 Oct 2025 10:50:24 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vETyc-0001gY-0h for qemu-devel@nongnu.org; Thu, 30 Oct 2025 10:50:24 -0400 Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-435-ac8s4WDCM7-8KQzk3tc-mg-1; Thu, 30 Oct 2025 10:50:00 -0400 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 7F8671956078; Thu, 30 Oct 2025 14:49:59 +0000 (UTC) Received: from toolbx.redhat.com (unknown [10.42.28.122]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 0668E30001A1; Thu, 30 Oct 2025 14:49:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1761835806; 
From nobody Fri Nov 14 16:53:57 2025
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 15/21] crypto: make TLS credentials structs private
Date: Thu, 30 Oct 2025 14:49:21 +0000
Message-ID: <20251030144927.2241109-16-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

Now that the TLS session code no longer needs to look at the TLS credential structs, they can be made private.
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- crypto/tlscredsanon.c | 3 +++ crypto/tlscredspriv.h | 15 --------------- crypto/tlscredspsk.c | 5 +++++ crypto/tlscredsx509.c | 6 ++++++ 4 files changed, 14 insertions(+), 15 deletions(-) diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c index 0a728ccbf6..69ed1d792a 100644 --- a/crypto/tlscredsanon.c +++ b/crypto/tlscredsanon.c @@ -31,6 +31,9 @@ =20 #include =20 +struct QCryptoTLSCredsAnon { + QCryptoTLSCreds parent_obj; +}; =20 static int qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, diff --git a/crypto/tlscredspriv.h b/crypto/tlscredspriv.h index 4e6dffa22f..69dac02437 100644 --- a/crypto/tlscredspriv.h +++ b/crypto/tlscredspriv.h @@ -37,21 +37,6 @@ struct QCryptoTLSCreds { QCryptoTLSCredsBox *box; }; =20 -struct QCryptoTLSCredsAnon { - QCryptoTLSCreds parent_obj; -}; - -struct QCryptoTLSCredsPSK { - QCryptoTLSCreds parent_obj; - char *username; -}; - -struct QCryptoTLSCredsX509 { - QCryptoTLSCreds parent_obj; - bool sanityCheck; - char *passwordid; -}; - #ifdef CONFIG_GNUTLS =20 int qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds, diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c index 5568f1ad0c..e437985260 100644 --- a/crypto/tlscredspsk.c +++ b/crypto/tlscredspsk.c @@ -31,6 +31,11 @@ =20 #include =20 +struct QCryptoTLSCredsPSK { + QCryptoTLSCreds parent_obj; + char *username; +}; + static int lookup_key(const char *pskfile, const char *username, gnutls_datum_t *key, Error **errp) diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index ef31ea664c..2fc0872627 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c 
@@ -33,6 +33,12 @@ #include #include =20 +struct QCryptoTLSCredsX509 { + QCryptoTLSCreds parent_obj; + bool sanityCheck; + char *passwordid; +}; + =20 static int qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
--
2.51.1
From nobody Fri Nov 14 16:53:57 2025
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 16/21] crypto: deprecate use of external dh-params.pem file
Date: Thu, 30 Oct 2025 14:49:22 +0000
Message-ID: <20251030144927.2241109-17-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

GNUTLS has deprecated use of externally provided Diffie-Hellman parameters, since it will automatically negotiate DH params in accordance with RFC7919.
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- crypto/tlscreds.c | 24 ++++++++---------------- crypto/tlscredsanon.c | 6 ++++-- crypto/tlscredspsk.c | 6 ++++-- crypto/tlscredsx509.c | 4 +++- docs/about/deprecated.rst | 9 +++++++++ docs/system/tls.rst | 12 +++++++----- 6 files changed, 35 insertions(+), 26 deletions(-) diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index 798c9712fb..85268f3b57 100644 --- a/crypto/tlscreds.c +++ b/crypto/tlscreds.c @@ -22,6 +22,7 @@ #include "qapi/error.h" #include "qapi-types-crypto.h" #include "qemu/module.h" +#include "qemu/error-report.h" #include "tlscredspriv.h" #include "trace.h" =20 @@ -38,22 +39,7 @@ qcrypto_tls_creds_get_dh_params_file(QCryptoTLSCreds *cr= eds, =20 trace_qcrypto_tls_creds_load_dh(creds, filename ? filename : ""); =20 - if (filename =3D=3D NULL) { - ret =3D gnutls_dh_params_init(dh_params); - if (ret < 0) { - error_setg(errp, "Unable to initialize DH parameters: %s", - gnutls_strerror(ret)); - return -1; - } - ret =3D gnutls_dh_params_generate2(*dh_params, DH_BITS); - if (ret < 0) { - gnutls_dh_params_deinit(*dh_params); - *dh_params =3D NULL; - error_setg(errp, "Unable to generate DH parameters: %s", - gnutls_strerror(ret)); - return -1; - } - } else { + if (filename !=3D NULL) { GError *gerr =3D NULL; gchar *contents; gsize len; @@ -67,6 +53,10 @@ qcrypto_tls_creds_get_dh_params_file(QCryptoTLSCreds *cr= eds, g_error_free(gerr); return -1; } + warn_report_once("Use of an external DH parameters file '%s' is " + "deprecated and will be removed in a future relea= se", + filename); + data.data =3D (unsigned char *)contents; data.size =3D len; ret =3D gnutls_dh_params_init(dh_params); @@ -87,6 +77,8 @@ qcrypto_tls_creds_get_dh_params_file(QCryptoTLSCreds *cre= ds, filename, gnutls_strerror(ret)); return -1; } + } else { + *dh_params =3D NULL; } =20 return 0; diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c index 69ed1d792a..777cc4f5bb 100644 
--- a/crypto/tlscredsanon.c +++ b/crypto/tlscredsanon.c @@ -68,8 +68,10 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, return -1; } =20 - gnutls_anon_set_server_dh_params(box->data.anonserver, - box->dh_params); + if (box->dh_params) { + gnutls_anon_set_server_dh_params(box->data.anonserver, + box->dh_params); + } } else { ret =3D gnutls_anon_allocate_client_credentials(&box->data.anoncli= ent); if (ret < 0) { diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c index e437985260..801da50625 100644 --- a/crypto/tlscredspsk.c +++ b/crypto/tlscredspsk.c @@ -129,8 +129,10 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, gnutls_strerror(ret)); goto cleanup; } - gnutls_psk_set_server_dh_params(box->data.pskserver, - box->dh_params); + if (box->dh_params) { + gnutls_psk_set_server_dh_params(box->data.pskserver, + box->dh_params); + } } else { box =3D qcrypto_tls_creds_box_new_client(GNUTLS_CRD_PSK); =20 diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 2fc0872627..7e79af4266 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -684,7 +684,9 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, errp) < 0) { return -1; } - gnutls_certificate_set_dh_params(box->data.cert, box->dh_params); + if (box->dh_params) { + gnutls_certificate_set_dh_params(box->data.cert, box->dh_param= s); + } } creds->parent_obj.box =3D g_steal_pointer(&box); =20 diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index ca6b3769b5..694a69da64 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst 
@@ -365,6 +365,15 @@ Options are: - move backing file to NVDIMM storage and keep ``pmem=3Don`` (to have NVDIMM with persistence guaranties). =20 +Using an external DH (Diffie-Hellman) parameters file (since 10.2) +'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' + +Loading of external Diffie-Hellman parameters from a 'dh-params.pem' +file is deprecated and will be removed with no replacement in a +future release. Where no 'dh-params.pem' file is provided, the DH +parameters will be automatically negotiated in accordance with +RFC7919. + Device options -------------- =20 diff --git a/docs/system/tls.rst b/docs/system/tls.rst index a4f6781d62..44c4bf04e9 100644 --- a/docs/system/tls.rst +++ b/docs/system/tls.rst 
@@ -251,11 +251,13 @@ When specifying the object, the ``dir`` parameters sp= ecifies which directory contains the credential files. This directory is expected to contain files with the names mentioned previously, ``ca-cert.pem``, ``server-key.pem``, ``server-cert.pem``, ``client-key.pem`` and -``client-cert.pem`` as appropriate. It is also possible to include a set -of pre-generated Diffie-Hellman (DH) parameters in a file -``dh-params.pem``, which can be created using the -``certtool --generate-dh-params`` command. If omitted, QEMU will -dynamically generate DH parameters when loading the credentials. +``client-cert.pem`` as appropriate. + +While it is possible to include a set of pre-generated Diffie-Hellman +(DH) parameters in a file ``dh-params.pem``, this facility is now +deprecated and will be removed in a future release. When omitted the +DH parameters will be automatically negotiated in accordance with +RFC7919. =20 The ``endpoint`` parameter indicates whether the credentials will be used for a network client or server, and determines which PEM files are
--
2.51.1
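Review bot: in the second crypto/tlscreds.c hunk `warn_report_once` fires as soon as `g_file_get_contents` succeeds, before the parameters have been imported, so a malformed `dh-params.pem` prints the deprecation warning and then the `gnutls_strerror(ret)` error from the following hunk. Moving the warning below the successful import (just before the `return 0`) keeps the failure case to a single message.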
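Review bot: style point on the docs/about/deprecated.rst hunk: `'dh-params.pem'` is written with plain single quotes, whereas the docs/system/tls.rst hunk in the same patch uses the RST literal ``dh-params.pem``; use the literal form in deprecated.rst too so the file name renders the same way in both documents.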
From nobody Fri Nov 14 16:53:57 2025
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 17/21] crypto: avoid loading the CA certs twice
Date: Thu, 30 Oct 2025 14:49:23 +0000
Message-ID: <20251030144927.2241109-18-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The x509 TLS credentials code will load the CA certs once to perform sanity checking on the certs, then discard the certificate objects and let gnutls load them a second time.
This introduces a new QCryptoTLSCredsX509Files struct which will hold the CA certificates loaded for sanity checking and pass them on to gnutls, avoiding the duplicated loading. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- crypto/tlscredsx509.c | 141 ++++++++++++++++++++++++++---------------- 1 file changed, 87 insertions(+), 54 deletions(-) diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 7e79af4266..6a830af50d 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -40,6 +40,35 @@ struct QCryptoTLSCredsX509 { }; =20 =20 +typedef struct QCryptoTLSCredsX509Files QCryptoTLSCredsX509Files; +struct QCryptoTLSCredsX509Files { + char *cacertpath; + gnutls_x509_crt_t *cacerts; + unsigned int ncacerts; +}; + +static QCryptoTLSCredsX509Files * +qcrypto_tls_creds_x509_files_new(void) +{ + return g_new0(QCryptoTLSCredsX509Files, 1); +} + + +static void +qcrypto_tls_creds_x509_files_free(QCryptoTLSCredsX509Files *files) +{ + size_t i; + for (i =3D 0; i < files->ncacerts; i++) { + gnutls_x509_crt_deinit(files->cacerts[i]); + } + g_free(files->cacerts); + g_free(files->cacertpath); + g_free(files); +} + +G_DEFINE_AUTOPTR_CLEANUP_FUNC(QCryptoTLSCredsX509Files, + qcrypto_tls_creds_x509_files_free); + static int qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert, const char *certFile, @@ -315,11 +344,9 @@ qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *cred= s, =20 static int qcrypto_tls_creds_check_authority_chain(QCryptoTLSCredsX509 *creds, + QCryptoTLSCredsX509Files *files, gnutls_x509_crt_t *certs, unsigned int ncerts, - gnutls_x509_crt_t *cacerts, - unsigned int ncacerts, - const char *cacertFile, bool isServer, Error **errp) { 
@@ -360,13 +387,13 @@ qcrypto_tls_creds_check_authority_chain(QCryptoTLSCre= dsX509 *creds, * reached the root of trust. */ return qcrypto_tls_creds_check_cert( - creds, cert_to_check, cacertFile, + creds, cert_to_check, files->cacertpath, isServer, true, errp); } - for (int i =3D 0; i < ncacerts; i++) { + for (int i =3D 0; i < files->ncacerts; i++) { if (gnutls_x509_crt_check_issuer(cert_to_check, - cacerts[i])) { - cert_issuer =3D cacerts[i]; + files->cacerts[i])) { + cert_issuer =3D files->cacerts[i]; break; } } @@ -374,7 +401,7 @@ qcrypto_tls_creds_check_authority_chain(QCryptoTLSCreds= X509 *creds, break; } =20 - if (qcrypto_tls_creds_check_cert(creds, cert_issuer, cacertFile, + if (qcrypto_tls_creds_check_cert(creds, cert_issuer, files->cacert= path, isServer, true, errp) < 0) { return -1; } @@ -394,19 +421,17 @@ qcrypto_tls_creds_check_authority_chain(QCryptoTLSCre= dsX509 *creds, } =20 static int -qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t *certs, +qcrypto_tls_creds_check_cert_pair(QCryptoTLSCredsX509Files *files, + gnutls_x509_crt_t *certs, size_t ncerts, const char *certFile, - gnutls_x509_crt_t *cacerts, - size_t ncacerts, - const char *cacertFile, bool isServer, Error **errp) { unsigned int status; =20 if (gnutls_x509_crt_list_verify(certs, ncerts, - cacerts, ncacerts, + files->cacerts, files->ncacerts, NULL, 0, 0, &status) < 0) { error_setg(errp, isServer ? @@ -414,7 +439,7 @@ qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t *ce= rts, "CA certificate %s" : "Unable to verify client certificate %s against " "CA certificate %s", - certFile, cacertFile); + certFile, files->cacertpath); return -1; } =20 @@ -439,7 +464,7 @@ qcrypto_tls_creds_check_cert_pair(gnutls_x509_crt_t *ce= rts, =20 error_setg(errp, "Our own certificate %s failed validation against %s: %= s", - certFile, cacertFile, reason); + certFile, files->cacertpath, reason); return -1; } =20 
@@ -490,15 +515,13 @@ qcrypto_tls_creds_load_cert_list(QCryptoTLSCredsX509 = *creds, =20 static int qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds, + QCryptoTLSCredsX509Files *files, bool isServer, - const char *cacertFile, const char *certFile, Error **errp) { gnutls_x509_crt_t *certs =3D NULL; unsigned int ncerts =3D 0; - gnutls_x509_crt_t *cacerts =3D NULL; - unsigned int ncacerts =3D 0; size_t i; int ret =3D -1; =20 @@ -514,16 +537,6 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX50= 9 *creds, } } =20 - if (qcrypto_tls_creds_load_cert_list(creds, - cacertFile, - &cacerts, - &ncacerts, - isServer, - true, - errp) < 0) { - goto cleanup; - } - for (i =3D 0; i < ncerts; i++) { if (qcrypto_tls_creds_check_cert(creds, certs[i], certFile, @@ -533,17 +546,14 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX5= 09 *creds, } =20 if (ncerts && - qcrypto_tls_creds_check_authority_chain(creds, + qcrypto_tls_creds_check_authority_chain(creds, files, certs, ncerts, - cacerts, ncacerts, - cacertFile, isServer, - errp) < 0) { + isServer, errp) < 0) { goto cleanup; } =20 - if (ncerts && ncacerts && - qcrypto_tls_creds_check_cert_pair(certs, ncerts, certFile, - cacerts, ncacerts, cacertFile, + if (ncerts && + qcrypto_tls_creds_check_cert_pair(files, certs, ncerts, certFile, isServer, errp) < 0) { goto cleanup; } 
@@ -555,21 +565,53 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX5= 09 *creds, gnutls_x509_crt_deinit(certs[i]); } g_free(certs); - for (i =3D 0; i < ncacerts; i++) { - gnutls_x509_crt_deinit(cacerts[i]); - } - g_free(cacerts); =20 return ret; } =20 =20 +static int +qcrypto_tls_creds_x509_load_ca(QCryptoTLSCredsX509 *creds, + QCryptoTLSCredsBox *box, + QCryptoTLSCredsX509Files *files, + bool isServer, + Error **errp) +{ + int ret; + + if (qcrypto_tls_creds_get_path(&creds->parent_obj, + QCRYPTO_TLS_CREDS_X509_CA_CERT, + true, &files->cacertpath, errp) < 0) { + return -1; + } + + if (qcrypto_tls_creds_load_cert_list(creds, + files->cacertpath, + &files->cacerts, + &files->ncacerts, + isServer, + true, + errp) < 0) { + return -1; + } + + ret =3D gnutls_certificate_set_x509_trust(box->data.cert, + files->cacerts, files->ncacert= s); + if (ret < 0) { + error_setg(errp, "Cannot set CA certificate '%s': %s", + files->cacertpath, gnutls_strerror(ret)); + return -1; + } + + return 0; +} + static int qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, Error **errp) { g_autoptr(QCryptoTLSCredsBox) box =3D NULL; - g_autofree char *cacert =3D NULL; + g_autoptr(QCryptoTLSCredsX509Files) files =3D NULL; g_autofree char *cacrl =3D NULL; g_autofree char *cert =3D NULL; g_autofree char *key =3D NULL; @@ -598,9 +640,9 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, return -1; } =20 - if (qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_CA_CERT, - true, &cacert, errp) < 0) { + files =3D qcrypto_tls_creds_x509_files_new(); + + if (qcrypto_tls_creds_x509_load_ca(creds, box, files, isServer, errp) = < 0) { return -1; } =20 
@@ -631,17 +673,8 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, } =20 if (creds->sanityCheck && - qcrypto_tls_creds_x509_sanity_check(creds, isServer, - cacert, cert, errp) < 0) { - return -1; - } - - ret =3D gnutls_certificate_set_x509_trust_file(box->data.cert, - cacert, - GNUTLS_X509_FMT_PEM); - if (ret < 0) { - error_setg(errp, "Cannot load CA certificate '%s': %s", - cacert, gnutls_strerror(ret)); + qcrypto_tls_creds_x509_sanity_check(creds, files, isServer, + cert, errp) < 0) { return -1; } =20
--
2.51.1
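Review bot: logic question on the qcrypto_tls_creds_x509_sanity_check hunk: the old condition `if (ncerts && ncacerts && qcrypto_tls_creds_check_cert_pair(...))` becomes `if (ncerts && qcrypto_tls_creds_check_cert_pair(files, ...))`, dropping the guard on the CA count. If `qcrypto_tls_creds_load_cert_list` can return with `files->ncacerts == 0` (a CA PEM file that contains no certificates), `gnutls_x509_crt_list_verify` is now invoked with an empty trust list and the identity cert fails validation where the check was previously skipped. Either keep `files->ncacerts &&` in the condition or make the empty-CA case an explicit error in qcrypto_tls_creds_x509_load_ca.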
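Review bot: ownership in the qcrypto_tls_creds_x509_load_ca hunk: `files->cacerts` is handed to `gnutls_certificate_set_x509_trust` and then deinitialised by `qcrypto_tls_creds_x509_files_free` when the `g_autoptr(QCryptoTLSCredsX509Files) files` goes out of scope at the end of qcrypto_tls_creds_x509_load, while `box->data.cert` lives on in `creds->parent_obj.box`. That is only safe if gnutls takes its own copy of the trust list; a comment in files_free stating that contract would save the next reader a trip into the gnutls source.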
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 18/21] crypto: avoid loading the identity certs twice
Date: Thu, 30 Oct 2025 14:49:24 +0000
Message-ID: <20251030144927.2241109-19-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The x509 TLS credentials code will load the identity certs once to perform sanity checking on the certs, then discard the certificate objects and let gnutls load them a second time.
This extends the previous QCryptoTLSCredsX509Files struct to also hold the identity certificates & key loaded for sanity checking and pass them on to gnutls, avoiding the duplicated loading. The unit tests need updating because we now correctly diagnose the error scenario where the cert PEM file exists, without its matching key PEM file. Previously that error was mistakenly ignored. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- crypto/tlscredsx509.c | 247 +++++++++++++++++--------- tests/unit/test-crypto-tlscredsx509.c | 8 +- 2 files changed, 164 insertions(+), 91 deletions(-) diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 6a830af50d..3cb0a6c31f 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -45,6 +45,12 @@ struct QCryptoTLSCredsX509Files { char *cacertpath; gnutls_x509_crt_t *cacerts; unsigned int ncacerts; + + char *certpath; + char *keypath; + gnutls_x509_crt_t *certs; + unsigned int ncerts; + gnutls_x509_privkey_t key; }; =20 static QCryptoTLSCredsX509Files * @@ -63,6 +69,13 @@ qcrypto_tls_creds_x509_files_free(QCryptoTLSCredsX509Fil= es *files) } g_free(files->cacerts); g_free(files->cacertpath); + for (i =3D 0; i < files->ncerts; i++) { + gnutls_x509_crt_deinit(files->certs[i]); + } + gnutls_x509_privkey_deinit(files->key); + g_free(files->certs); + g_free(files->certpath); + g_free(files->keypath); g_free(files); } =20 @@ -477,14 +490,13 @@ qcrypto_tls_creds_load_cert_list(QCryptoTLSCredsX509 = *creds, const char *certFile, gnutls_x509_crt_t **certs, unsigned int *ncerts, - bool isServer, - bool isCA, Error **errp) { gnutls_datum_t data; g_autofree char *buf =3D NULL; gsize buflen; GError *gerr =3D NULL; + int ret; =20 *ncerts =3D 0; trace_qcrypto_tls_creds_x509_load_cert_list(creds, certFile); 
@@ -499,13 +511,60 @@ qcrypto_tls_creds_load_cert_list(QCryptoTLSCredsX509 = *creds, data.data =3D (unsigned char *)buf; data.size =3D strlen(buf); =20 - if (gnutls_x509_crt_list_import2(certs, ncerts, &data, - GNUTLS_X509_FMT_PEM, 0) < 0) { - error_setg(errp, - isCA ? "Unable to import CA certificate list %s" : - (isServer ? "Unable to import server certificate %s" : - "Unable to import client certificate %s"), - certFile); + ret =3D gnutls_x509_crt_list_import2(certs, ncerts, &data, + GNUTLS_X509_FMT_PEM, 0); + if (ret < 0) { + error_setg(errp, "Unable to import certificate %s: %s", + certFile, gnutls_strerror(ret)); + return -1; + } + + return 0; +} + + +static int +qcrypto_tls_creds_load_privkey(QCryptoTLSCredsX509 *creds, + const char *keyFile, + gnutls_x509_privkey_t *key, + Error **errp) +{ + gnutls_datum_t data; + g_autofree char *buf =3D NULL; + g_autofree char *password =3D NULL; + gsize buflen; + GError *gerr =3D NULL; + int ret; + + ret =3D gnutls_x509_privkey_init(key); + if (ret < 0) { + error_setg(errp, "Unable to initialize private key: %s", + gnutls_strerror(ret)); + return -1; + } + + if (!g_file_get_contents(keyFile, &buf, &buflen, &gerr)) { + error_setg(errp, "Cannot load private key %s: %s", + keyFile, gerr->message); + g_error_free(gerr); + return -1; + } + + data.data =3D (unsigned char *)buf; + data.size =3D strlen(buf); + + if (creds->passwordid) { + password =3D qcrypto_secret_lookup_as_utf8(creds->passwordid, + errp); + if (!password) { + return -1; + } + } + + if (gnutls_x509_privkey_import2(*key, &data, + GNUTLS_X509_FMT_PEM, + password, 0) < 0) { + error_setg(errp, "Unable to import private key %s", keyFile); return -1; } =20 
@@ -517,56 +576,34 @@ static int qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds, QCryptoTLSCredsX509Files *files, bool isServer, - const char *certFile, Error **errp) { - gnutls_x509_crt_t *certs =3D NULL; - unsigned int ncerts =3D 0; size_t i; - int ret =3D -1; - - if (certFile) { - if (qcrypto_tls_creds_load_cert_list(creds, - certFile, - &certs, - &ncerts, - isServer, - false, - errp) < 0) { - goto cleanup; - } - } =20 - for (i =3D 0; i < ncerts; i++) { + for (i =3D 0; i < files->ncerts; i++) { if (qcrypto_tls_creds_check_cert(creds, - certs[i], certFile, + files->certs[i], files->certpath, isServer, i !=3D 0, errp) < 0) { - goto cleanup; + return -1; } } =20 - if (ncerts && + if (files->ncerts && qcrypto_tls_creds_check_authority_chain(creds, files, - certs, ncerts, + files->certs, files->ncert= s, isServer, errp) < 0) { - goto cleanup; - } - - if (ncerts && - qcrypto_tls_creds_check_cert_pair(files, certs, ncerts, certFile, - isServer, errp) < 0) { - goto cleanup; + return -1; } =20 - ret =3D 0; - - cleanup: - for (i =3D 0; i < ncerts; i++) { - gnutls_x509_crt_deinit(certs[i]); + if (files->ncerts && + qcrypto_tls_creds_check_cert_pair(files, + files->certs, files->ncerts, + files->certpath, isServer, + errp) < 0) { + return -1; } - g_free(certs); =20 - return ret; + return 0; } =20 =20 @@ -589,8 +626,6 @@ qcrypto_tls_creds_x509_load_ca(QCryptoTLSCredsX509 *cre= ds, files->cacertpath, &files->cacerts, &files->ncacerts, - isServer, - true, errp) < 0) { return -1; } 
@@ -606,6 +641,79 @@ qcrypto_tls_creds_x509_load_ca(QCryptoTLSCredsX509 *cr= eds, return 0; } =20 + +static int +qcrypto_tls_creds_x509_load_identity(QCryptoTLSCredsX509 *creds, + QCryptoTLSCredsBox *box, + QCryptoTLSCredsX509Files *files, + bool isServer, + Error **errp) +{ + int ret; + + if (isServer) { + if (qcrypto_tls_creds_get_path(&creds->parent_obj, + QCRYPTO_TLS_CREDS_X509_SERVER_CERT, + true, &files->certpath, errp) < 0 || + qcrypto_tls_creds_get_path(&creds->parent_obj, + QCRYPTO_TLS_CREDS_X509_SERVER_KEY, + true, &files->keypath, errp) < 0) { + return -1; + } + } else { + if (qcrypto_tls_creds_get_path(&creds->parent_obj, + QCRYPTO_TLS_CREDS_X509_CLIENT_CERT, + false, &files->certpath, errp) < 0 = || + qcrypto_tls_creds_get_path(&creds->parent_obj, + QCRYPTO_TLS_CREDS_X509_CLIENT_KEY, + false, &files->keypath, errp) < 0) { + return -1; + } + } + + if (!files->certpath && + !files->keypath) { + return 0; + } + if (files->certpath && !files->keypath) { + error_setg(errp, "Cert '%s' without corresponding key", + files->certpath); + return -1; + } + if (!files->certpath && files->keypath) { + error_setg(errp, "Key '%s' without corresponding cert", + files->keypath); + return -1; + } + + if (qcrypto_tls_creds_load_cert_list(creds, + files->certpath, + &files->certs, + &files->ncerts, + errp) < 0) { + return -1; + } + + if (qcrypto_tls_creds_load_privkey(creds, + files->keypath, + &files->key, + errp) < 0) { + return -1; + } + + ret =3D gnutls_certificate_set_x509_key(box->data.cert, + files->certs, + files->ncerts, + files->key); + if (ret < 0) { + error_setg(errp, "Cannot set certificate '%s' & key '%s': %s", + files->certpath, files->keypath, gnutls_strerror(ret)); + return -1; + } + return 0; +} + + static int qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, Error **errp) 
@@ -613,8 +721,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, g_autoptr(QCryptoTLSCredsBox) box =3D NULL; g_autoptr(QCryptoTLSCredsX509Files) files =3D NULL; g_autofree char *cacrl =3D NULL; - g_autofree char *cert =3D NULL; - g_autofree char *key =3D NULL; g_autofree char *dhparams =3D NULL; bool isServer =3D (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER); 
@@ -646,60 +752,27 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *cred= s, return -1; } =20 + if (qcrypto_tls_creds_x509_load_identity(creds, box, files, + isServer, errp) < 0) { + return -1; + } + if (isServer) { if (qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_X509_CA_CRL, false, &cacrl, errp) < 0 || - qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_SERVER_CERT, - true, &cert, errp) < 0 || - qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_SERVER_KEY, - true, &key, errp) < 0 || qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_DH_PARAMS, false, &dhparams, errp) < 0) { return -1; } - } else { - if (qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_CLIENT_CERT, - false, &cert, errp) < 0 || - qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_CLIENT_KEY, - false, &key, errp) < 0) { - return -1; - } } =20 if (creds->sanityCheck && - qcrypto_tls_creds_x509_sanity_check(creds, files, isServer, - cert, errp) < 0) { + qcrypto_tls_creds_x509_sanity_check(creds, files, isServer, errp) = < 0) { return -1; } =20 - if (cert !=3D NULL && key !=3D NULL) { - char *password =3D NULL; - if (creds->passwordid) { - password =3D qcrypto_secret_lookup_as_utf8(creds->passwordid, - errp); - if (!password) { - return -1; - } - } - ret =3D gnutls_certificate_set_x509_key_file2(box->data.cert, - cert, key, - GNUTLS_X509_FMT_PEM, - password, - 0); - g_free(password); - if (ret < 0) { - error_setg(errp, "Cannot load certificate '%s' & key '%s': %s", - cert, key, gnutls_strerror(ret)); - return -1; - } - } - if (cacrl !=3D NULL) { ret =3D gnutls_certificate_set_x509_crl_file(box->data.cert, cacrl, diff --git a/tests/unit/test-crypto-tlscredsx509.c b/tests/unit/test-crypto= -tlscredsx509.c index a5f21728d4..b1ad7d5c0d 100644 --- a/tests/unit/test-crypto-tlscredsx509.c +++ b/tests/unit/test-crypto-tlscredsx509.c 
@@ -95,16 +95,16 @@ static void test_tls_creds(const void *opaque) if (access(data->crt, R_OK) =3D=3D 0) { g_assert(link(data->crt, CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_CERT) =3D= =3D 0); + g_assert(link(KEYFILE, + CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) =3D= =3D 0); } - g_assert(link(KEYFILE, - CERT_DIR QCRYPTO_TLS_CREDS_X509_SERVER_KEY) =3D=3D 0= ); } else { if (access(data->crt, R_OK) =3D=3D 0) { g_assert(link(data->crt, CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_CERT) =3D= =3D 0); + g_assert(link(KEYFILE, + CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) =3D= =3D 0); } - g_assert(link(KEYFILE, - CERT_DIR QCRYPTO_TLS_CREDS_X509_CLIENT_KEY) =3D=3D 0= ); } =20 creds =3D test_tls_creds_create( --=20 2.51.1
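Review bot: in the qcrypto_tls_creds_x509_files_free hunk, gnutls_x509_privkey_deinit(files->key) runs unconditionally, but files->key is never initialised when qcrypto_tls_creds_x509_load_identity takes the early `if (!files->certpath && !files->keypath) { return 0; }` path (the client with no identity configured). That makes teardown depend on gnutls_x509_privkey_deinit tolerating a NULL handle. Guarding it with `if (files->key) { gnutls_x509_privkey_deinit(files->key); }`, in the same spirit as the ncerts-bounded loop just above, states the invariant instead of relying on library behaviour.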
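Review bot: in the new qcrypto_tls_creds_load_privkey, the return value of gnutls_x509_privkey_import2 is thrown away, so the only diagnostic is "Unable to import private key %s", whereas the certificate path in the same hunk was just changed to append gnutls_strerror(ret). A wrong secret for an encrypted key and a malformed PEM currently yield the identical message. `ret` is already declared in this function, so the fix is small: `ret = gnutls_x509_privkey_import2(*key, &data, GNUTLS_X509_FMT_PEM, password, 0);` followed by `error_setg(errp, "Unable to import private key %s: %s", keyFile, gnutls_strerror(ret));`.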
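Review bot: the ordering of checks changes in the qcrypto_tls_creds_x509_load hunk and the commit message does not say so. Previously qcrypto_tls_creds_x509_sanity_check ran first and gnutls_certificate_set_x509_key_file2 only afterwards; now qcrypto_tls_creds_x509_load_identity calls gnutls_certificate_set_x509_key inside the credentials box before the sanity check has looked at the certs. Nothing leaks, because the g_autoptr box is dropped on the -1 return, but either note the reordering in the message or move the gnutls_certificate_set_x509_key call into the caller after the sanity check, so that a cert that fails checking is never installed into the GnuTLS credentials at all.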
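Review bot: the tests/unit/test-crypto-tlscredsx509.c hunk only moves the link() of KEYFILE inside the `access(data->crt, R_OK) == 0` branch so the existing cases stop tripping the new "Cert '%s' without corresponding key" diagnosis; no case exercises the diagnosis itself. Since the commit message states this error was previously ignored, a test entry with the cert file present and the key file absent, expecting load failure, would pin the new behaviour down and catch a regression if the check were later dropped again.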
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 19/21] crypto: expand logic to cope with multiple certificate identities
Date: Thu, 30 Oct 2025 14:49:25 +0000
Message-ID: <20251030144927.2241109-20-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

Currently only a single set of certificates can be loaded for a server / client.
Certificates are created using a particular key algorithm and in some scenarios it can be useful to support multiple algorithms in parallel. This requires the ability to load multiple sets of certificates. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- crypto/tlscredsx509.c | 164 ++++++++++++++++++++++++++++-------------- 1 file changed, 112 insertions(+), 52 deletions(-) diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 3cb0a6c31f..d7d1f594c0 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -39,6 +39,14 @@ struct QCryptoTLSCredsX509 { char *passwordid; }; =20 +typedef struct QCryptoTLSCredsX509IdentFiles QCryptoTLSCredsX509IdentFiles; +struct QCryptoTLSCredsX509IdentFiles { + char *certpath; + char *keypath; + gnutls_x509_crt_t *certs; + unsigned int ncerts; + gnutls_x509_privkey_t key; +}; =20 typedef struct QCryptoTLSCredsX509Files QCryptoTLSCredsX509Files; struct QCryptoTLSCredsX509Files { @@ -46,11 +54,8 @@ struct QCryptoTLSCredsX509Files { gnutls_x509_crt_t *cacerts; unsigned int ncacerts; =20 - char *certpath; - char *keypath; - gnutls_x509_crt_t *certs; - unsigned int ncerts; - gnutls_x509_privkey_t key; + QCryptoTLSCredsX509IdentFiles **identities; + size_t nidentities; }; =20 static QCryptoTLSCredsX509Files * @@ -61,14 +66,9 @@ qcrypto_tls_creds_x509_files_new(void) =20 =20 static void -qcrypto_tls_creds_x509_files_free(QCryptoTLSCredsX509Files *files) +qcrypto_tls_creds_x509_ident_files_free(QCryptoTLSCredsX509IdentFiles *fil= es) { size_t i; - for (i =3D 0; i < files->ncacerts; i++) { - gnutls_x509_crt_deinit(files->cacerts[i]); - } - g_free(files->cacerts); - g_free(files->cacertpath); for (i =3D 0; i < files->ncerts; i++) { gnutls_x509_crt_deinit(files->certs[i]); } 
@@ -79,6 +79,26 @@ qcrypto_tls_creds_x509_files_free(QCryptoTLSCredsX509Fil= es *files) g_free(files); } =20 +G_DEFINE_AUTOPTR_CLEANUP_FUNC(QCryptoTLSCredsX509IdentFiles, + qcrypto_tls_creds_x509_ident_files_free); + + +static void +qcrypto_tls_creds_x509_files_free(QCryptoTLSCredsX509Files *files) +{ + size_t i; + for (i =3D 0; i < files->ncacerts; i++) { + gnutls_x509_crt_deinit(files->cacerts[i]); + } + g_free(files->cacerts); + g_free(files->cacertpath); + for (i =3D 0; i < files->nidentities; i++) { + qcrypto_tls_creds_x509_ident_files_free(files->identities[i]); + } + g_free(files->identities); + g_free(files); +} + G_DEFINE_AUTOPTR_CLEANUP_FUNC(QCryptoTLSCredsX509Files, qcrypto_tls_creds_x509_files_free); =20 @@ -573,33 +593,32 @@ qcrypto_tls_creds_load_privkey(QCryptoTLSCredsX509 *c= reds, =20 =20 static int -qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds, - QCryptoTLSCredsX509Files *files, - bool isServer, - Error **errp) +qcrypto_tls_creds_x509_sanity_check_identity(QCryptoTLSCredsX509 *creds, + QCryptoTLSCredsX509Files *fil= es, + QCryptoTLSCredsX509IdentFiles= *ifiles, + bool isServer, + Error **errp) { size_t i; =20 - for (i =3D 0; i < files->ncerts; i++) { + for (i =3D 0; i < ifiles->ncerts; i++) { if (qcrypto_tls_creds_check_cert(creds, - files->certs[i], files->certpath, + ifiles->certs[i], ifiles->certpat= h, isServer, i !=3D 0, errp) < 0) { return -1; } } =20 - if (files->ncerts && + if (ifiles->ncerts && qcrypto_tls_creds_check_authority_chain(creds, files, - files->certs, files->ncert= s, + ifiles->certs, ifiles->nce= rts, isServer, errp) < 0) { return -1; } =20 - if (files->ncerts && - qcrypto_tls_creds_check_cert_pair(files, - files->certs, files->ncerts, - files->certpath, isServer, - errp) < 0) { + if (ifiles->ncerts && + qcrypto_tls_creds_check_cert_pair(files, ifiles->certs, ifiles->nc= erts, + ifiles->certpath, isServer, errp= ) < 0) { return -1; } =20 
@@ -607,6 +626,26 @@ qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX50= 9 *creds, } =20 =20 +static int +qcrypto_tls_creds_x509_sanity_check(QCryptoTLSCredsX509 *creds, + QCryptoTLSCredsX509Files *files, + bool isServer, + Error **errp) +{ + size_t i; + for (i =3D 0; i < files->nidentities; i++) { + if (qcrypto_tls_creds_x509_sanity_check_identity(creds, + files, + files->identities= [i], + isServer, + errp) < 0) { + return -1; + } + } + return 0; +} + + static int qcrypto_tls_creds_x509_load_ca(QCryptoTLSCredsX509 *creds, QCryptoTLSCredsBox *box, 
@@ -642,48 +681,38 @@ qcrypto_tls_creds_x509_load_ca(QCryptoTLSCredsX509 *c= reds, } =20 =20 -static int +static QCryptoTLSCredsX509IdentFiles * qcrypto_tls_creds_x509_load_identity(QCryptoTLSCredsX509 *creds, QCryptoTLSCredsBox *box, - QCryptoTLSCredsX509Files *files, - bool isServer, + const char *certbase, + const char *keybase, + bool isOptional, Error **errp) { + g_autoptr(QCryptoTLSCredsX509IdentFiles) files =3D + g_new0(QCryptoTLSCredsX509IdentFiles, 1); int ret; =20 - if (isServer) { - if (qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_SERVER_CERT, - true, &files->certpath, errp) < 0 || - qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_SERVER_KEY, - true, &files->keypath, errp) < 0) { - return -1; - } - } else { - if (qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_CLIENT_CERT, - false, &files->certpath, errp) < 0 = || - qcrypto_tls_creds_get_path(&creds->parent_obj, - QCRYPTO_TLS_CREDS_X509_CLIENT_KEY, - false, &files->keypath, errp) < 0) { - return -1; - } + if (qcrypto_tls_creds_get_path(&creds->parent_obj, certbase, + !isOptional, &files->certpath, errp) < = 0 || + qcrypto_tls_creds_get_path(&creds->parent_obj, keybase, + !isOptional, &files->keypath, errp) < 0= ) { + return NULL; } =20 if (!files->certpath && !files->keypath) { - return 0; + return NULL; } if (files->certpath && !files->keypath) { error_setg(errp, "Cert '%s' without corresponding key", files->certpath); - return -1; + return NULL; } if (!files->certpath && files->keypath) { error_setg(errp, "Key '%s' without corresponding cert", files->keypath); - return -1; + return NULL; } =20 if (qcrypto_tls_creds_load_cert_list(creds, 
@@ -691,14 +720,14 @@ qcrypto_tls_creds_x509_load_identity(QCryptoTLSCredsX= 509 *creds, &files->certs, &files->ncerts, errp) < 0) { - return -1; + return NULL; } =20 if (qcrypto_tls_creds_load_privkey(creds, files->keypath, &files->key, errp) < 0) { - return -1; + return NULL; } =20 ret =3D gnutls_certificate_set_x509_key(box->data.cert, @@ -708,8 +737,39 @@ qcrypto_tls_creds_x509_load_identity(QCryptoTLSCredsX5= 09 *creds, if (ret < 0) { error_setg(errp, "Cannot set certificate '%s' & key '%s': %s", files->certpath, files->keypath, gnutls_strerror(ret)); + return NULL; + } + return g_steal_pointer(&files); +} + + +static int +qcrypto_tls_creds_x509_load_identities(QCryptoTLSCredsX509 *creds, + QCryptoTLSCredsBox *box, + QCryptoTLSCredsX509Files *files, + bool isServer, + Error **errp) +{ + QCryptoTLSCredsX509IdentFiles *ifiles; + + ifiles =3D qcrypto_tls_creds_x509_load_identity( + creds, box, + isServer ? + QCRYPTO_TLS_CREDS_X509_SERVER_CERT : + QCRYPTO_TLS_CREDS_X509_CLIENT_CERT, + isServer ? + QCRYPTO_TLS_CREDS_X509_SERVER_KEY : + QCRYPTO_TLS_CREDS_X509_CLIENT_KEY, + !isServer, errp); + if (!ifiles) { return -1; } + + files->identities =3D g_renew(QCryptoTLSCredsX509IdentFiles *, + files->identities, + files->nidentities + 1); + files->identities[files->nidentities++] =3D ifiles; + return 0; } =20 
@@ -752,8 +812,8 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, return -1; } =20 - if (qcrypto_tls_creds_x509_load_identity(creds, box, files, - isServer, errp) < 0) { + if (qcrypto_tls_creds_x509_load_identities(creds, box, files, + isServer, errp) < 0) { return -1; } =20 --=20 2.51.1
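Review bot: qcrypto_tls_creds_x509_load_identity now returns NULL for two different outcomes: a real failure with errp set, and the "nothing configured" case `if (!files->certpath && !files->keypath) { return NULL; }`, which leaves errp untouched. qcrypto_tls_creds_x509_load_identities treats every NULL as a failure (`if (!ifiles) { return -1; }`), so at this point in the series a client with no optional cert/key, which loaded fine before, fails with no Error set, breaking the error API contract that a failing call always fills *errp. The `if (!ifiles && *errp)` handling with ERRP_GUARD that appears in the next patch belongs in this commit so the series stays bisectable; alternatively keep an int return with the IdentFiles as an out parameter, which makes the three-way result explicit.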
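Review bot: in the qcrypto_tls_creds_x509_sanity_check_identity hunk, qcrypto_tls_creds_check_cert_pair is passed the outer `files` and `ifiles->certpath` but not `ifiles->key`, and the outer struct no longer carries a keypath. With several identities in play it is worth confirming in that function (not in this diff) that the pairing check uses the key belonging to this identity rather than a fixed key path, otherwise only the default identity's cert/key pair is actually verified against each other; passing `ifiles` (or `ifiles->key`) directly would make that unambiguous.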
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 20/21] crypto: support up to 5 parallel certificate identities
Date: Thu, 30 Oct 2025 14:49:26 +0000
Message-ID: <20251030144927.2241109-21-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>
References: <20251030144927.2241109-1-berrange@redhat.com>

The default (required) identity is stored in server-cert.pem / client-cert.pem and server-key.pem / client-key.pem.
The 4 extra (optional) identities are stored in server-cert-$N.pem / client-cert-$N.pem and server-key-$N.pem / client-key-$N.pem. The numbering starts at 0 and the first missing cert/key pair will terminate the loading process. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- crypto/tlscreds.c | 10 +++++- crypto/tlscredspriv.h | 3 ++ crypto/tlscredsx509.c | 68 ++++++++++++++++++++++++++++------- crypto/tlssession.c | 1 + crypto/trace-events | 1 + docs/system/tls.rst | 54 ++++++++++++++++++++++++++-- include/crypto/tlscredsx509.h | 6 ++++ 7 files changed, 127 insertions(+), 16 deletions(-) diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index 85268f3b57..b7e77f6285 100644 --- a/crypto/tlscreds.c +++ b/crypto/tlscreds.c @@ -85,6 +85,14 @@ qcrypto_tls_creds_get_dh_params_file(QCryptoTLSCreds *cr= eds, } =20 =20 +char * +qcrypto_tls_creds_build_path(QCryptoTLSCreds *creds, + const char *filename) +{ + return g_strdup_printf("%s/%s", creds->dir, filename); +} + + int qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds, const char *filename, @@ -94,7 +102,7 @@ qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds, { int ret =3D -1; =20 - *cred =3D g_strdup_printf("%s/%s", creds->dir, filename); + *cred =3D qcrypto_tls_creds_build_path(creds, filename); =20 if (access(*cred, R_OK) < 0) { if (errno =3D=3D ENOENT && !required) { diff --git a/crypto/tlscredspriv.h b/crypto/tlscredspriv.h index 69dac02437..8f2d096c7f 100644 --- a/crypto/tlscredspriv.h +++ b/crypto/tlscredspriv.h @@ -39,6 +39,9 @@ struct QCryptoTLSCreds { =20 #ifdef CONFIG_GNUTLS =20 +char *qcrypto_tls_creds_build_path(QCryptoTLSCreds *creds, + const char *filename); + int qcrypto_tls_creds_get_path(QCryptoTLSCreds *creds, const char *filename, bool required, diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index d7d1f594c0..fa92431906 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c 
@@ -686,7 +686,6 @@ qcrypto_tls_creds_x509_load_identity(QCryptoTLSCredsX50= 9 *creds, QCryptoTLSCredsBox *box, const char *certbase, const char *keybase, - bool isOptional, Error **errp) { g_autoptr(QCryptoTLSCredsX509IdentFiles) files =3D @@ -694,9 +693,9 @@ qcrypto_tls_creds_x509_load_identity(QCryptoTLSCredsX50= 9 *creds, int ret; =20 if (qcrypto_tls_creds_get_path(&creds->parent_obj, certbase, - !isOptional, &files->certpath, errp) < = 0 || + false, &files->certpath, errp) < 0 || qcrypto_tls_creds_get_path(&creds->parent_obj, keybase, - !isOptional, &files->keypath, errp) < 0= ) { + false, &files->keypath, errp) < 0) { return NULL; } =20 @@ -705,13 +704,17 @@ qcrypto_tls_creds_x509_load_identity(QCryptoTLSCredsX= 509 *creds, return NULL; } if (files->certpath && !files->keypath) { - error_setg(errp, "Cert '%s' without corresponding key", - files->certpath); + g_autofree char *keypath =3D + qcrypto_tls_creds_build_path(&creds->parent_obj, keybase); + error_setg(errp, "Cert '%s' without corresponding key '%s'", + files->certpath, keypath); return NULL; } if (!files->certpath && files->keypath) { - error_setg(errp, "Key '%s' without corresponding cert", - files->keypath); + g_autofree char *certpath =3D + qcrypto_tls_creds_build_path(&creds->parent_obj, certbase); + error_setg(errp, "Key '%s' without corresponding cert '%s'", + files->keypath, certpath); return NULL; } =20 @@ -750,7 +753,9 @@ qcrypto_tls_creds_x509_load_identities(QCryptoTLSCredsX= 509 *creds, bool isServer, Error **errp) { + ERRP_GUARD(); QCryptoTLSCredsX509IdentFiles *ifiles; + size_t i; =20 ifiles =3D qcrypto_tls_creds_x509_load_identity( creds, box, 
@@ -760,15 +765,52 @@ qcrypto_tls_creds_x509_load_identities(QCryptoTLSCred= sX509 *creds, isServer ? QCRYPTO_TLS_CREDS_X509_SERVER_KEY : QCRYPTO_TLS_CREDS_X509_CLIENT_KEY, - !isServer, errp); - if (!ifiles) { + errp); + if (!ifiles && *errp) { return -1; } =20 - files->identities =3D g_renew(QCryptoTLSCredsX509IdentFiles *, - files->identities, - files->nidentities + 1); - files->identities[files->nidentities++] =3D ifiles; + if (ifiles) { + files->identities =3D g_renew(QCryptoTLSCredsX509IdentFiles *, + files->identities, + files->nidentities + 1); + files->identities[files->nidentities++] =3D ifiles; + } + + for (i =3D 0; i < QCRYPTO_TLS_CREDS_X509_IDENTITY_MAX; i++) { + g_autofree char *cert =3D g_strdup_printf( + isServer ? + QCRYPTO_TLS_CREDS_X509_SERVER_CERT_N : + QCRYPTO_TLS_CREDS_X509_CLIENT_CERT_N, i); + g_autofree char *key =3D g_strdup_printf( + isServer ? + QCRYPTO_TLS_CREDS_X509_SERVER_KEY_N : + QCRYPTO_TLS_CREDS_X509_CLIENT_KEY_N, i); + + ifiles =3D qcrypto_tls_creds_x509_load_identity(creds, box, + cert, key, errp); + if (!ifiles && *errp) { + return -1; + } + if (!ifiles) { + break; + } + + files->identities =3D g_renew(QCryptoTLSCredsX509IdentFiles *, + files->identities, + files->nidentities + 1); + files->identities[files->nidentities++] =3D ifiles; + } + + if (files->nidentities =3D=3D 0 && isServer) { + g_autofree char *certpath =3D qcrypto_tls_creds_build_path( + &creds->parent_obj, QCRYPTO_TLS_CREDS_X509_SERVER_CERT); + g_autofree char *keypath =3D qcrypto_tls_creds_build_path( + &creds->parent_obj, QCRYPTO_TLS_CREDS_X509_SERVER_KEY); + error_setg(errp, "Missing server cert '%s' & key '%s'", + certpath, keypath); + return -1; + } =20 return 0; } diff --git a/crypto/tlssession.c b/crypto/tlssession.c index a1dc3b3ce0..314e3e96ba 100644 --- a/crypto/tlssession.c +++ b/crypto/tlssession.c 
@@ -345,6 +345,7 @@ qcrypto_tls_session_check_certificate(QCryptoTLSSession= *session, goto error; } session->peername =3D (char *)g_steal_pointer(&dname.data); + trace_qcrypto_tls_session_check_x509_dn(session, session->peer= name); if (session->authzid) { bool allow; =20 diff --git a/crypto/trace-events b/crypto/trace-events index d0e33427fa..771f9b8a6e 100644 --- a/crypto/trace-events +++ b/crypto/trace-events @@ -21,6 +21,7 @@ qcrypto_tls_creds_x509_load_cert_list(void *creds, const = char *file) "TLS creds # tlssession.c qcrypto_tls_session_new(void *session, void *creds, const char *hostname, = const char *authzid, int endpoint) "TLS session new session=3D%p creds=3D%p= hostname=3D%s authzid=3D%s endpoint=3D%d" qcrypto_tls_session_check_creds(void *session, const char *status) "TLS se= ssion check creds session=3D%p status=3D%s" +qcrypto_tls_session_check_x509_dn(void *session, const char *dname) "TLS s= ession check x509 distinguished name session=3D%p dname=3D%s" qcrypto_tls_session_parameters(void *session, int threadSafety, int protoc= ol, int cipher) "TLS session parameters session=3D%p threadSafety=3D%d prot= ocol=3D%d cipher=3D%d" qcrypto_tls_session_bug1717_workaround(void *session) "TLS session bug1717= workaround session=3D%p" =20 diff --git a/docs/system/tls.rst b/docs/system/tls.rst index 44c4bf04e9..7cec4ac3df 100644 --- a/docs/system/tls.rst +++ b/docs/system/tls.rst 
@@ -36,8 +36,58 @@ server and exposing it directly to remote browser client= s. In such a case it might be useful to use a commercial CA to avoid needing to install custom CA certs in the web browsers. =20 -The recommendation is for the server to keep its certificates in either -``/etc/pki/qemu`` or for unprivileged users in ``$HOME/.pki/qemu``. +.. _tls_cert_file_naming: + +Certificate file naming +~~~~~~~~~~~~~~~~~~~~~~~ + +In a simple setup, where all QEMU instances on a machine share the +same TLS configuration, it is suggested that QEMU certificates be +kept in either ``/etc/pki/qemu`` or, for unprivileged users, in +``$HOME/.pki/qemu``. Where different QEMU subsystems require +different certificate configurations, sub-dirs of these locations +may be chosen. + +The default file names that QEMU will traditionally load are: + +* ``ca-cert.pem`` - mandatory; for both client and server configurations +* ``ca-crl.pem`` - optional; for server configurations only +* ``server-cert.pem`` - mandatory; for server configurations only +* ``server-key.pem`` - mandatory; for server configurations only +* ``client-cert.pem`` - optional; for client configurations only +* ``client-key.pem`` - optional; for client configurations only +* ``dh-params.pem`` - optional; for server configurations only + +Since QEMU 10.2.0, there is support for loading upto four additional +identities: + +* ``server-cert-[IDX].pem`` - optional; for server configurations only +* ``server-key-[IDX].pem`` - optional; for server configurations only +* ``client-cert-[IDX].pem`` - optional; for client configurations only +* ``client-key-[IDX].pem`` - optional; for client configurations only + +where ``-[IDX]`` is one of the digits 0-3. Loading will terminate at +the first absent index. The index based certificate files may be used +as a replacement for, or in addition to, the traditional non-index +based certificate files. 
The traditional certificate files will be +loaded first, if present, then the index based certificates. Where +multiple certificates are compatible with a TLS session, the first +loaded certificate will preferred. IOW file naming can influence +which certificates are used for a session. + +The use of multiple sets of certificates is intended to allow an +incremental transition to certificates using different crytographic +algorithms. This allows a newly deployed QEMU to introduce use of +stronger cryptographic algorithms that will be preferred when talking +to other newly deployed QEMU instances, while retaining compatbility +with certificates issued to a historically deployed QEMU. This is +notably useful to support live migration from an old QEMU deployed +on older operating system releases, which may support fewer crypto +algorithm choices than the current OS. + +The certificate creation commands below will be illustrated using +the traditional naming scheme, but their args can be substituted +to use the indexed naming in the obvious manner. =20 .. _tls_005fgenerate_005fca: =20 diff --git a/include/crypto/tlscredsx509.h b/include/crypto/tlscredsx509.h index c4daba21a6..61b7f73573 100644 --- a/include/crypto/tlscredsx509.h +++ b/include/crypto/tlscredsx509.h 
@@ -37,7 +37,13 @@ typedef struct QCryptoTLSCredsX509Class QCryptoTLSCredsX= 509Class; #define QCRYPTO_TLS_CREDS_X509_SERVER_CERT "server-cert.pem" #define QCRYPTO_TLS_CREDS_X509_CLIENT_KEY "client-key.pem" #define QCRYPTO_TLS_CREDS_X509_CLIENT_CERT "client-cert.pem" +#define QCRYPTO_TLS_CREDS_X509_SERVER_KEY_N "server-key-%zu.pem" +#define QCRYPTO_TLS_CREDS_X509_SERVER_CERT_N "server-cert-%zu.pem" +#define QCRYPTO_TLS_CREDS_X509_CLIENT_KEY_N "client-key-%zu.pem" +#define QCRYPTO_TLS_CREDS_X509_CLIENT_CERT_N "client-cert-%zu.pem" =20 +/* Max number of additional cert/key pairs (ie _N constants) */ +#define QCRYPTO_TLS_CREDS_X509_IDENTITY_MAX 4 =20 /** * QCryptoTLSCredsX509: -- 2.51.1
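Review bot: the new helper qcrypto_tls_creds_build_path in the crypto/tlscreds.c hunk (@@ -85,6 +85,14 @@) has no doc comment stating that the returned string is freshly allocated and owned by the caller; every caller added in crypto/tlscredsx509.c relies on g_autofree for it, so a one-line comment above the definition along the lines of "Returns a newly allocated path; the caller must g_free() it" would keep a future caller from leaking or double-freeing it.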
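Review bot: in the crypto/tlscredsx509.c hunk @@ -694,9 +693,9 @@, dropping isOptional means both qcrypto_tls_creds_get_path calls now pass required=false, so an absent server-cert.pem no longer fails inside qcrypto_tls_creds_x509_load_identity; the mandatory check for servers is enforced only by the nidentities == 0 test at the end of load_identities. That is consistent with the docs in this patch, but the user-visible error for a missing server cert changes from the get_path message to "Missing server cert '%s' & key '%s'", which is worth a line in the commit message.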
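Review bot: in the crypto/tlscredsx509.c hunk @@ -760,15 +765,52 @@, the loop over QCRYPTO_TLS_CREDS_X509_IDENTITY_MAX does `if (!ifiles) { break; }` with no diagnostic, so a gap in the numbering (server-cert-0.pem absent but server-cert-1.pem present) silently leaves the later identity unloaded. The docs in this same patch document the stop-at-first-gap rule, but an operator who misnames a file gets no signal that a certificate was ignored; consider a trace point or warn_report when a file for a higher index exists past the first gap, so the misconfiguration is visible in logs rather than only as an unexpected handshake outcome.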
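Review bot: in the docs/system/tls.rst hunk @@ -36,8 +36,58 @@, the file list still marks ``server-cert.pem`` and ``server-key.pem`` as "mandatory", while the paragraph a few lines below (and the nidentities check in the code) allows them to be absent when an indexed pair such as ``server-cert-0.pem`` exists; rewording them as "mandatory unless an indexed server cert/key pair is present" would match the behaviour. Typos in the added text: "upto" should be "up to", "crytographic" should be "cryptographic", "compatbility" should be "compatibility", "the first loaded certificate will preferred" is missing "be", and "IOW" should be spelled out in user-facing documentation.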
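Review bot: in the include/crypto/tlscredsx509.h hunk @@ -37,7 +37,13 @@, the four new ``_N`` macros are printf format strings expecting a size_t argument (``%zu``), unlike the plain filename macros they sit beside; a comment saying so, and that they are paired with QCRYPTO_TLS_CREDS_X509_IDENTITY_MAX, would stop a future caller from passing an int or using them as literal paths. Minor: "ie" in the IDENTITY_MAX comment should be "i.e.".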
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, Daniel P. Berrangé, devel@lists.libvirt.org
Subject: [PATCH 21/21] docs: creation of x509 certs compliant with post-quantum crypto
Date: Thu, 30 Oct 2025 14:49:27 +0000
Message-ID: <20251030144927.2241109-22-berrange@redhat.com>
In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com>

Explain how to alter the certtool commands for creating certificates, so that they can use algorithms that are compliant with post-quantum cryptography standards.
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- docs/system/tls.rst | 68 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/docs/system/tls.rst b/docs/system/tls.rst index 7cec4ac3df..03fa1d8166 100644 --- a/docs/system/tls.rst +++ b/docs/system/tls.rst 
@@ -345,6 +345,74 @@ example with VNC: =20 .. _tls_005fpsk: =20 +TLS certificates for Post-Quantum Cryptography +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Given a new enough gnutls release, suitably integrated & configured with t= he +operating system crypto policies, QEMU is able to support post-quantum +crytography on TLS enabled services, either exclusively or in a hybrid mod= e. + +In exclusive mode, only a single set of certificates need to be configured +for QEMU, with PQC compliant algorithms. Such a QEMU configuration will on= ly +be able to interoperate with other services (including other QEMU's) that +also have PQC enabled. This can result in compatibility concerns during the +period of transition over to PQC compliant algorithms. + +In hybrid mode, multiple sets of certificates need to be configured for QE= MU, +at least one set with traditional (non-PQC compliant) algorithms, and at l= east +one other set with modern (PQC compliant) algorithms. At time of the TLS +handshake, the GNUTLS algorithm priorities should ensure that PQC compliant +algorithms are negotiated if both sides of the connection support PQC. If = one +side lacks PQC, the TLS handshake should fallback to the non-PQC algorithm= s. +This can assist with interoperability during the transition to PQC, but ha= s a +potential weakness wrt downgrade attacks forcing use of non-PQC algorithms. +Exclusive PQC mode should be preferred where both peers in the TLS connect= ions +are known to support PQC. + +Key generation parameters +^^^^^^^^^^^^^^^^^^^^^^^^^ + +To create certificates with PQC compliant algorithms, the ``--key-type`` +argument must be passed to ``certtool`` when creating private keys. No +extra arguments are required for the other ``certtool`` commands, as +their behaviour will be determined by the private key type. 
+ +The typical PQC compliant algorithms to use are ``ML-DSA-44``, ``ML-DSA-65= `` +and ``ML-DSA-87``, with ``ML-DSA-65`` being a suitable default choice in +the absence of explicit requirements. + +Taking the example earlier, for creating a key for a client certificate, +to use ``ML-DSA-65`` the command line would be modified to look like:: + + # certtool --generate-privkey --key-type=3Dmldsa65 > client-hostNNN-key= .pem + +The equivalent modification applies to the creation of the private keys +used for server certs, or root/intermediate CA certs. + +For hybrid mode, the additional indexed certificate naming must be used. +If multiple configured certificates are compatible with the mutually +supported crypto algorithms between the client and server, then the +first matching certificate will be used. + +IOW, to ensure that PQC certificates are preferred, they must use a +non-index based filename, or use an index that is smaller than any +non-PQC certificates. ie, ``server-cert.pem`` for PQC and ``server-cert-0.= pem`` +for non-PQC, or ``server-cert-0.pem`` for PQC and ``server-cert-1.pem`` for +non-PQC. + +Force disabling PQC via crypto priority +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +In the OS configuration for system crypto algorithm priorities has +enabled PQC, this can (optionally) be overriden in QEMU configuration +disable use of PQC using the ``priority`` parameter to the ``tls-creds-x50= 9`` +object:: + + NO_MLDSA=3D"-SIGN-ML-DSA-65:-SIGN-ML-DSA-44:-SIGN-ML-DSA-87" + NO_MLKEM=3D"-GROUP-X25519-MLKEM768:-GROUP-SECP256R1-MLKEM768:-GROUP-SECP= 384R1-MLKEM1024" + # qemu-nbd --object tls-creds-x509,id=3Dtls0,endpoint=3Dserver,dir=3D...= .,priority=3D@SYSTEM:$NO_MLDSA:$NO_MLKEM + + TLS Pre-Shared Keys (PSK) ~~~~~~~~~~~~~~~~~~~~~~~~~ =20 --=20 2.51.1
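Review bot: the opening sentence of the "Force disabling PQC via crypto priority" subsection in the docs/system/tls.rst hunk @@ -345,6 +345,74 @@ does not parse ("In the OS configuration for system crypto algorithm priorities has enabled PQC, this can (optionally) be overriden in QEMU configuration disable use of PQC"); suggested wording: "If the OS crypto policy has enabled PQC, this can optionally be overridden in the QEMU configuration to disable PQC, using the ``priority`` parameter of the ``tls-creds-x509`` object". Further typos: "crytography" should be "cryptography", "other QEMU's" should be "other QEMU instances", "fallback" used as a verb should be "fall back", "wrt" should be "with respect to", "overriden" should be "overridden". On substance, the downgrade caveat in the hybrid-mode paragraph is the key security point and deserves one concrete sentence: in hybrid mode a peer that offers only classical signature algorithms is still accepted, so the protection against being forced onto the classical certificate is exclusive mode, as the paragraph already recommends. Finally, the priority example disables both ML-DSA signature algorithms and ML-KEM key-exchange groups, while the section text only discusses certificates; a sentence noting that key exchange (the MLKEM groups) is negotiated independently of the certificate's signature algorithm, and is controlled by the same priority string, would avoid readers assuming the certificate choice alone decides whether the handshake is post-quantum.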