From nobody Fri Nov 14 18:17:31 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1761835964; cv=none; d=zohomail.com; s=zohoarc; b=IHA5ggOWQ+iHjTtw06t7B1VEmpkSf0t1DuePXZ4GVuSHHLHpIsSp5y74fg8R7q9zOP99QJ7Clf9+W84Jt2gMwJwZSQABHTwE3Ofttyl9DMz6jYziVGz3YnZrESlDAHCrSiRPPyhRHdAHv2Fec6JvUkc8XXQxMiNwZSojWIGu1uE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761835964; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=f/D70kzgtrLBwWgSU65b5pxR7c12Wlbw6pWyofFb2I4=; b=b0f7tXZCqXe3sdG9tyhVU45Uaq1dZavpvuSK1Sq93YevCQRIGDWeZ4epVvyjrQYsGguGeco/neOFLkDW+LkrCf7j/EMBgLHTzdBej+IedGrwcOhrIN7TtAYRxSyw/pFiMhHROHWiY05POy/kllwPGEPSnQqCW8c+ITBwuuvnI7U= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1761835964105859.0182166725002; Thu, 30 Oct 2025 07:52:44 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vETzg-0002MD-JQ; Thu, 30 Oct 2025 10:51:20 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vETyq-0001Wf-LK for qemu-devel@nongnu.org; Thu, 30 Oct 2025 10:50:24 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vETyX-0001Ul-6w for qemu-devel@nongnu.org; Thu, 30 Oct 2025 10:50:23 -0400 Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-553-c3kzRg5zOjyZMHzvv7eSEA-1; Thu, 30 Oct 2025 10:49:58 -0400 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 938861801A13; Thu, 30 Oct 2025 14:49:57 +0000 (UTC) Received: from toolbx.redhat.com (unknown [10.42.28.122]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 1890B30001A1; Thu, 30 Oct 2025 14:49:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1761835802; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=f/D70kzgtrLBwWgSU65b5pxR7c12Wlbw6pWyofFb2I4=; b=cXsDslGvnsBOcKibO8UJQXr5f2k/4tpzBwviyn6LOacvZ91NJL0V40MbniCp4M8spEGoFw eYiZ010vKJUt9fl40IGbC47aug8HxQXvET4nTQ9JnBPzCPNWy/fm6KXD2YzCmbXlib83Iw At3Rq8bzgxnPGHpXUuqX6llEGgOCfQc= X-MC-Unique: c3kzRg5zOjyZMHzvv7eSEA-1 X-Mimecast-MFC-AGG-ID: c3kzRg5zOjyZMHzvv7eSEA_1761835797 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , devel@lists.libvirt.org Subject: [PATCH 14/21] crypto: fix lifecycle handling of gnutls credentials objects Date: Thu, 30 Oct 2025 14:49:20 +0000 Message-ID: <20251030144927.2241109-15-berrange@redhat.com> In-Reply-To: <20251030144927.2241109-1-berrange@redhat.com> References: <20251030144927.2241109-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1761835964777158500 As described in the previous commit, the gnutls credentials need to be kept alive for as long as the gnutls session object exists. Convert the QCryptoTLSCreds objects to use QCryptoTLSCredsBox and holding the gnutls credential objects. When loading the credentials into a gnutls session, store a reference to the box into the QCryptoTLSSession object. This has the useful side effect that the QCryptoTLSSession code no longer needs to know about all the different credential types, it can use the generic pointer stored in the box. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Marc-Andr=C3=A9 Lureau --- crypto/tlscreds.c | 5 +-- crypto/tlscredsanon.c | 48 +++++--------------------- crypto/tlscredspriv.h | 20 ++--------- crypto/tlscredspsk.c | 46 ++++++++----------------- crypto/tlscredsx509.c | 71 +++++++++++++------------------------- crypto/tlssession.c | 80 ++++++++++++++----------------------------- 6 files changed, 75 insertions(+), 195 deletions(-) diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c index 9433b4c363..798c9712fb 100644 --- a/crypto/tlscreds.c +++ b/crypto/tlscreds.c @@ -246,10 +246,7 @@ qcrypto_tls_creds_finalize(Object *obj) { QCryptoTLSCreds *creds =3D QCRYPTO_TLS_CREDS(obj); =20 - if (creds->dh_params) { - gnutls_dh_params_deinit(creds->dh_params); - } - + qcrypto_tls_creds_box_unref(creds->box); g_free(creds->dir); g_free(creds->priority); } diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c index 5c55b07b2f..0a728ccbf6 100644 --- a/crypto/tlscredsanon.c +++ b/crypto/tlscredsanon.c @@ -36,6 +36,7 @@ static int qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, Error **errp) { + g_autoptr(QCryptoTLSCredsBox) box =3D NULL; g_autofree char *dhparams =3D NULL; int ret; =20 @@ -43,6 +44,8 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, creds->parent_obj.dir ? creds->parent_obj.dir : ""); =20 if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { + box =3D qcrypto_tls_creds_box_new_server(GNUTLS_CRD_ANON); + if (creds->parent_obj.dir && qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_DH_PARAMS, @@ -50,7 +53,7 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, return -1; } =20 - ret =3D gnutls_anon_allocate_server_credentials(&creds->data.serve= r); + ret =3D gnutls_anon_allocate_server_credentials(&box->data.anonser= ver); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: %s", gnutls_strerror(ret)); @@ -58,42 +61,26 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds, } =20 if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhpar= ams, - &creds->parent_obj.dh_par= ams, - errp) < 0) { + &box->dh_params, errp) < = 0) { return -1; } =20 - gnutls_anon_set_server_dh_params(creds->data.server, - creds->parent_obj.dh_params); + gnutls_anon_set_server_dh_params(box->data.anonserver, + box->dh_params); } else { - ret =3D gnutls_anon_allocate_client_credentials(&creds->data.clien= t); + ret =3D gnutls_anon_allocate_client_credentials(&box->data.anoncli= ent); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: %s", gnutls_strerror(ret)); return -1; } } + creds->parent_obj.box =3D g_steal_pointer(&box); =20 return 0; } =20 =20 -static void -qcrypto_tls_creds_anon_unload(QCryptoTLSCredsAnon *creds) -{ - if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_CLIEN= T) { - if (creds->data.client) { - gnutls_anon_free_client_credentials(creds->data.client); - creds->data.client =3D NULL; - } - } else { - if (creds->data.server) { - gnutls_anon_free_server_credentials(creds->data.server); - creds->data.server =3D NULL; - } - } -} - #else /* ! CONFIG_GNUTLS */ =20 =20 @@ -105,13 +92,6 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds = G_GNUC_UNUSED, } =20 =20 -static void -qcrypto_tls_creds_anon_unload(QCryptoTLSCredsAnon *creds G_GNUC_UNUSED) -{ - /* nada */ -} - - #endif /* ! CONFIG_GNUTLS */ =20 =20 @@ -124,15 +104,6 @@ qcrypto_tls_creds_anon_complete(UserCreatable *uc, Err= or **errp) } =20 =20 -static void -qcrypto_tls_creds_anon_finalize(Object *obj) -{ - QCryptoTLSCredsAnon *creds =3D QCRYPTO_TLS_CREDS_ANON(obj); - - qcrypto_tls_creds_anon_unload(creds); -} - - static void qcrypto_tls_creds_anon_class_init(ObjectClass *oc, const void *data) { @@ -148,7 +119,6 @@ static const TypeInfo qcrypto_tls_creds_anon_info =3D { .parent =3D TYPE_QCRYPTO_TLS_CREDS, .name =3D TYPE_QCRYPTO_TLS_CREDS_ANON, .instance_size =3D sizeof(QCryptoTLSCredsAnon), - .instance_finalize =3D qcrypto_tls_creds_anon_finalize, .class_size =3D sizeof(QCryptoTLSCredsAnonClass), .class_init =3D qcrypto_tls_creds_anon_class_init, .interfaces =3D (const InterfaceInfo[]) { diff --git a/crypto/tlscredspriv.h b/crypto/tlscredspriv.h index df9815a286..4e6dffa22f 100644 --- a/crypto/tlscredspriv.h +++ b/crypto/tlscredspriv.h @@ -22,6 +22,7 @@ #define QCRYPTO_TLSCREDSPRIV_H =20 #include "crypto/tlscreds.h" +#include "crypto/tlscredsbox.h" =20 #ifdef CONFIG_GNUTLS #include @@ -31,39 +32,22 @@ struct QCryptoTLSCreds { Object parent_obj; char *dir; QCryptoTLSCredsEndpoint endpoint; -#ifdef CONFIG_GNUTLS - gnutls_dh_params_t dh_params; -#endif bool verifyPeer; char *priority; + QCryptoTLSCredsBox *box; }; =20 struct QCryptoTLSCredsAnon { QCryptoTLSCreds parent_obj; -#ifdef CONFIG_GNUTLS - union { - gnutls_anon_server_credentials_t server; - gnutls_anon_client_credentials_t client; - } data; -#endif }; =20 struct QCryptoTLSCredsPSK { QCryptoTLSCreds parent_obj; char *username; -#ifdef CONFIG_GNUTLS - union { - gnutls_psk_server_credentials_t server; - gnutls_psk_client_credentials_t client; - } data; -#endif }; =20 struct QCryptoTLSCredsX509 { QCryptoTLSCreds parent_obj; -#ifdef CONFIG_GNUTLS - gnutls_certificate_credentials_t data; -#endif bool sanityCheck; char *passwordid; }; diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c index 6c2feae077..5568f1ad0c 100644 --- a/crypto/tlscredspsk.c +++ b/crypto/tlscredspsk.c @@ -71,6 +71,7 @@ static int qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, Error **errp) { + g_autoptr(QCryptoTLSCredsBox) box =3D NULL; g_autofree char *pskfile =3D NULL; g_autofree char *dhparams =3D NULL; const char *username; @@ -87,6 +88,8 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, } =20 if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { + box =3D qcrypto_tls_creds_box_new_server(GNUTLS_CRD_PSK); + if (creds->username) { error_setg(errp, "username should not be set when endpoint=3Ds= erver"); goto cleanup; @@ -101,7 +104,7 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, goto cleanup; } =20 - ret =3D gnutls_psk_allocate_server_credentials(&creds->data.server= ); + ret =3D gnutls_psk_allocate_server_credentials(&box->data.pskserve= r); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: %s", gnutls_strerror(ret)); @@ -109,20 +112,23 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, } =20 if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhpar= ams, - &creds->parent_obj.dh_par= ams, + &box->dh_params, errp) < 0) { goto cleanup; } =20 - ret =3D gnutls_psk_set_server_credentials_file(creds->data.server,= pskfile); + ret =3D gnutls_psk_set_server_credentials_file(box->data.pskserver, + pskfile); if (ret < 0) { error_setg(errp, "Cannot set PSK server credentials: %s", gnutls_strerror(ret)); goto cleanup; } - gnutls_psk_set_server_dh_params(creds->data.server, - creds->parent_obj.dh_params); + gnutls_psk_set_server_dh_params(box->data.pskserver, + box->dh_params); } else { + box =3D qcrypto_tls_creds_box_new_client(GNUTLS_CRD_PSK); + if (qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_PSKFILE, true, &pskfile, errp) < 0) { @@ -138,14 +144,14 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, goto cleanup; } =20 - ret =3D gnutls_psk_allocate_client_credentials(&creds->data.client= ); + ret =3D gnutls_psk_allocate_client_credentials(&box->data.pskclien= t); if (ret < 0) { error_setg(errp, "Cannot allocate credentials: %s", gnutls_strerror(ret)); goto cleanup; } =20 - ret =3D gnutls_psk_set_client_credentials(creds->data.client, + ret =3D gnutls_psk_set_client_credentials(box->data.pskclient, username, &key, GNUTLS_PSK= _KEY_HEX); if (ret < 0) { error_setg(errp, "Cannot set PSK client credentials: %s", @@ -153,6 +159,7 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, goto cleanup; } } + creds->parent_obj.box =3D g_steal_pointer(&box); =20 rv =3D 0; cleanup: @@ -160,23 +167,6 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds, return rv; } =20 - -static void -qcrypto_tls_creds_psk_unload(QCryptoTLSCredsPSK *creds) -{ - if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_CLIEN= T) { - if (creds->data.client) { - gnutls_psk_free_client_credentials(creds->data.client); - creds->data.client =3D NULL; - } - } else { - if (creds->data.server) { - gnutls_psk_free_server_credentials(creds->data.server); - creds->data.server =3D NULL; - } - } -} - #else /* ! CONFIG_GNUTLS */ =20 =20 @@ -188,13 +178,6 @@ qcrypto_tls_creds_psk_load(QCryptoTLSCredsPSK *creds G= _GNUC_UNUSED, } =20 =20 -static void -qcrypto_tls_creds_psk_unload(QCryptoTLSCredsPSK *creds G_GNUC_UNUSED) -{ - /* nada */ -} - - #endif /* ! CONFIG_GNUTLS */ =20 =20 @@ -212,7 +195,6 @@ qcrypto_tls_creds_psk_finalize(Object *obj) { QCryptoTLSCredsPSK *creds =3D QCRYPTO_TLS_CREDS_PSK(obj); =20 - qcrypto_tls_creds_psk_unload(creds); g_free(creds->username); } =20 diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index f2f1aa2815..ef31ea664c 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -562,6 +562,7 @@ static int qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, Error **errp) { + g_autoptr(QCryptoTLSCredsBox) box =3D NULL; g_autofree char *cacert =3D NULL; g_autofree char *cacrl =3D NULL; g_autofree char *cert =3D NULL; @@ -578,6 +579,19 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, =20 trace_qcrypto_tls_creds_x509_load(creds, creds->parent_obj.dir); =20 + if (creds->parent_obj.endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVE= R) { + box =3D qcrypto_tls_creds_box_new_server(GNUTLS_CRD_CERTIFICATE); + } else { + box =3D qcrypto_tls_creds_box_new_client(GNUTLS_CRD_CERTIFICATE); + } + + ret =3D gnutls_certificate_allocate_credentials(&box->data.cert); + if (ret < 0) { + error_setg(errp, "Cannot allocate credentials: '%s'", + gnutls_strerror(ret)); + return -1; + } + if (qcrypto_tls_creds_get_path(&creds->parent_obj, QCRYPTO_TLS_CREDS_X509_CA_CERT, true, &cacert, errp) < 0) { @@ -616,14 +630,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, return -1; } =20 - ret =3D gnutls_certificate_allocate_credentials(&creds->data); - if (ret < 0) { - error_setg(errp, "Cannot allocate credentials: '%s'", - gnutls_strerror(ret)); - return -1; - } - - ret =3D gnutls_certificate_set_x509_trust_file(creds->data, + ret =3D gnutls_certificate_set_x509_trust_file(box->data.cert, cacert, GNUTLS_X509_FMT_PEM); if (ret < 0) { @@ -641,7 +648,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, return -1; } } - ret =3D gnutls_certificate_set_x509_key_file2(creds->data, + ret =3D gnutls_certificate_set_x509_key_file2(box->data.cert, cert, key, GNUTLS_X509_FMT_PEM, password, @@ -655,7 +662,7 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, } =20 if (cacrl !=3D NULL) { - ret =3D gnutls_certificate_set_x509_crl_file(creds->data, + ret =3D gnutls_certificate_set_x509_crl_file(box->data.cert, cacrl, GNUTLS_X509_FMT_PEM); if (ret < 0) { @@ -667,28 +674,18 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *cred= s, =20 if (isServer) { if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj, dhpar= ams, - &creds->parent_obj.dh_par= ams, + &box->dh_params, errp) < 0) { return -1; } - gnutls_certificate_set_dh_params(creds->data, - creds->parent_obj.dh_params); + gnutls_certificate_set_dh_params(box->data.cert, box->dh_params); } + creds->parent_obj.box =3D g_steal_pointer(&box); =20 return 0; } =20 =20 -static void -qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds) -{ - if (creds->data) { - gnutls_certificate_free_credentials(creds->data); - creds->data =3D NULL; - } -} - - #else /* ! CONFIG_GNUTLS */ =20 =20 @@ -700,13 +697,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds= G_GNUC_UNUSED, } =20 =20 -static void -qcrypto_tls_creds_x509_unload(QCryptoTLSCredsX509 *creds G_GNUC_UNUSED) -{ - /* nada */ -} - - #endif /* ! CONFIG_GNUTLS */ =20 =20 @@ -769,29 +759,17 @@ qcrypto_tls_creds_x509_reload(QCryptoTLSCreds *creds,= Error **errp) { QCryptoTLSCredsX509 *x509_creds =3D QCRYPTO_TLS_CREDS_X509(creds); Error *local_err =3D NULL; - gnutls_certificate_credentials_t creds_data =3D x509_creds->data; - gnutls_dh_params_t creds_dh_params =3D creds->dh_params; + QCryptoTLSCredsBox *creds_box =3D creds->box; =20 - x509_creds->data =3D NULL; - creds->dh_params =3D NULL; + creds->box =3D NULL; qcrypto_tls_creds_x509_load(x509_creds, &local_err); if (local_err) { - qcrypto_tls_creds_x509_unload(x509_creds); - if (creds->dh_params) { - gnutls_dh_params_deinit(creds->dh_params); - } - x509_creds->data =3D creds_data; - creds->dh_params =3D creds_dh_params; + creds->box =3D creds_box; error_propagate(errp, local_err); return false; } =20 - if (creds_data) { - gnutls_certificate_free_credentials(creds_data); - } - if (creds_dh_params) { - gnutls_dh_params_deinit(creds_dh_params); - } + qcrypto_tls_creds_box_unref(creds_box); return true; } =20 @@ -824,7 +802,6 @@ qcrypto_tls_creds_x509_finalize(Object *obj) QCryptoTLSCredsX509 *creds =3D QCRYPTO_TLS_CREDS_X509(obj); =20 g_free(creds->passwordid); - qcrypto_tls_creds_x509_unload(creds); } =20 =20 diff --git a/crypto/tlssession.c b/crypto/tlssession.c index 77f334add3..a1dc3b3ce0 100644 --- a/crypto/tlssession.c +++ b/crypto/tlssession.c @@ -38,6 +38,7 @@ =20 struct QCryptoTLSSession { QCryptoTLSCreds *creds; + QCryptoTLSCredsBox *credsbox; gnutls_session_t handle; char *hostname; char *authzid; @@ -78,6 +79,7 @@ qcrypto_tls_session_free(QCryptoTLSSession *session) g_free(session->hostname); g_free(session->peername); g_free(session->authzid); + qcrypto_tls_creds_box_unref(session->credsbox); object_unref(OBJECT(session->creds)); qemu_mutex_destroy(&session->lock); g_free(session); @@ -206,63 +208,31 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds, goto error; } =20 - if (object_dynamic_cast(OBJECT(creds), - TYPE_QCRYPTO_TLS_CREDS_ANON)) { - QCryptoTLSCredsAnon *acreds =3D QCRYPTO_TLS_CREDS_ANON(creds); - if (creds->endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { - ret =3D gnutls_credentials_set(session->handle, - GNUTLS_CRD_ANON, - acreds->data.server); - } else { - ret =3D gnutls_credentials_set(session->handle, - GNUTLS_CRD_ANON, - acreds->data.client); - } - if (ret < 0) { - error_setg(errp, "Cannot set session credentials: %s", - gnutls_strerror(ret)); - goto error; - } - } else if (object_dynamic_cast(OBJECT(creds), - TYPE_QCRYPTO_TLS_CREDS_PSK)) { - QCryptoTLSCredsPSK *pcreds =3D QCRYPTO_TLS_CREDS_PSK(creds); - if (creds->endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { - ret =3D gnutls_credentials_set(session->handle, - GNUTLS_CRD_PSK, - pcreds->data.server); - } else { - ret =3D gnutls_credentials_set(session->handle, - GNUTLS_CRD_PSK, - pcreds->data.client); - } - if (ret < 0) { - error_setg(errp, "Cannot set session credentials: %s", - gnutls_strerror(ret)); - goto error; - } - } else if (object_dynamic_cast(OBJECT(creds), - TYPE_QCRYPTO_TLS_CREDS_X509)) { - QCryptoTLSCredsX509 *tcreds =3D QCRYPTO_TLS_CREDS_X509(creds); + ret =3D gnutls_credentials_set(session->handle, + creds->box->type, + creds->box->data.any); + if (ret < 0) { + error_setg(errp, "Cannot set session credentials: %s", + gnutls_strerror(ret)); + goto error; + } =20 - ret =3D gnutls_credentials_set(session->handle, - GNUTLS_CRD_CERTIFICATE, - tcreds->data); - if (ret < 0) { - error_setg(errp, "Cannot set session credentials: %s", - gnutls_strerror(ret)); - goto error; - } + /* + * creds->box->data.any must be kept alive for as long + * as the gnutls_session_t is alive, so acquire a ref + */ + qcrypto_tls_creds_box_ref(creds->box); + session->credsbox =3D creds->box; =20 - if (creds->endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { - /* This requests, but does not enforce a client cert. - * The cert checking code later does enforcement */ - gnutls_certificate_server_set_request(session->handle, - GNUTLS_CERT_REQUEST); - } - } else { - error_setg(errp, "Unsupported TLS credentials type %s", - object_get_typename(OBJECT(creds))); - goto error; + if (object_dynamic_cast(OBJECT(creds), + TYPE_QCRYPTO_TLS_CREDS_X509) && + creds->endpoint =3D=3D QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) { + /* + * This requests, but does not enforce a client cert. + * The cert checking code later does enforcement + */ + gnutls_certificate_server_set_request(session->handle, + GNUTLS_CERT_REQUEST); } =20 gnutls_transport_set_ptr(session->handle, session); --=20 2.51.1