{ "id": 2227381, "url": "http://patchwork.ozlabs.org/api/patches/2227381/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260423134422.688862-1-dan@berrange.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260423134422.688862-1-dan@berrange.com>", "list_archive_url": null, "date": "2026-04-23T13:44:22", "name": "crypto: fix client side anonymous TLS credentials", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "4d47541a8696228706232fd947b2ee7ae348e74e", "submitter": { "id": 5728, "url": "http://patchwork.ozlabs.org/api/people/5728/?format=api", "name": "Daniel P. Berrangé", "email": "dan@berrange.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260423134422.688862-1-dan@berrange.com/mbox/", "series": [ { "id": 501205, "url": "http://patchwork.ozlabs.org/api/series/501205/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=501205", "date": "2026-04-23T13:44:22", "name": "crypto: fix client side anonymous TLS credentials", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501205/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2227381/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2227381/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; 
helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)", "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g1f9Q58hJz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 24 Apr 2026 00:48:41 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wFvLO-0003Iz-Vx; Thu, 23 Apr 2026 10:47:55 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <dan@berrange.com>) id 1wFuMH-0007c2-4w\n for qemu-devel@nongnu.org; Thu, 23 Apr 2026 09:44:46 -0400", "from us-smtp-delivery-44.mimecast.com ([207.211.30.44])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <dan@berrange.com>) id 1wFuMA-0001Xc-Ic\n for qemu-devel@nongnu.org; Thu, 23 Apr 2026 09:44:41 -0400", "from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-191-4Uoe15FXOMGiXf6VkzzCbw-1; Thu,\n 23 Apr 2026 09:44:28 -0400", "from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 7B1AD19560BD; Thu, 23 Apr 2026 13:44:27 +0000 (UTC)", "from thinkbook.redhat.com (unknown [10.44.33.238])\n by 
mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id D41811943295; Thu, 23 Apr 2026 13:44:24 +0000 (UTC)" ], "X-MC-Unique": "4Uoe15FXOMGiXf6VkzzCbw-1", "X-Mimecast-MFC-AGG-ID": "4Uoe15FXOMGiXf6VkzzCbw_1776951868", "From": "=?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <dan@berrange.com>", "To": "qemu-devel@nongnu.org", "Cc": "=?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <berrange@redhat.com>, =?utf-8?q?D?=\n\t=?utf-8?q?aniel_P=2E_Berrang=C3=A9?= <dan@berrange.com>,\n \"Maciej S. Szmigiero\" <mail@maciej.szmigiero.name>", "Subject": "[PATCH] crypto: fix client side anonymous TLS credentials", "Date": "Thu, 23 Apr 2026 14:44:22 +0100", "Message-ID": "<20260423134422.688862-1-dan@berrange.com>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=UTF-8", "Content-Transfer-Encoding": "8bit", "X-Scanned-By": "MIMEDefang 3.0 on 10.30.177.17", "Received-SPF": "softfail client-ip=207.211.30.44;\n envelope-from=dan@berrange.com;\n helo=us-smtp-delivery-44.mimecast.com", "X-Spam_score_int": "14", "X-Spam_score": "1.4", "X-Spam_bar": "+", "X-Spam_report": "(1.4 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_SBL_CSS=3.335, SPF_HELO_PASS=-0.001,\n SPF_SOFTFAIL=0.665 autolearn=no autolearn_force=no", "X-Spam_action": "no action", "X-Mailman-Approved-At": "Thu, 23 Apr 2026 10:47:50 -0400", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": 
"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "The previous refactoring of credential creation failed to allocate\nstorage fo the anonymous TLS credentials on the client endpoint.\n\nFixes: 70f9fd8dbf7233bee497055a9b7825e3729ce853\nReported-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>\nSigned-off-by: Daniel P. Berrangé <dan@berrange.com>\n---\n crypto/tlscredsanon.c | 2 +\n tests/unit/test-crypto-tlssession.c | 120 +++++++++++++++++++++++++++-\n 2 files changed, 121 insertions(+), 1 deletion(-)", "diff": "diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c\nindex 1551382e1f..190c9833a7 100644\n--- a/crypto/tlscredsanon.c\n+++ b/crypto/tlscredsanon.c\n@@ -73,6 +73,8 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds,\n box->dh_params);\n }\n } else {\n+ box = qcrypto_tls_creds_box_new_client(GNUTLS_CRD_ANON);\n+\n ret = gnutls_anon_allocate_client_credentials(&box->data.anonclient);\n if (ret < 0) {\n error_setg(errp, \"Cannot allocate credentials: %s\",\ndiff --git a/tests/unit/test-crypto-tlssession.c b/tests/unit/test-crypto-tlssession.c\nindex 0d06a6892e..dc7a01bb06 100644\n--- a/tests/unit/test-crypto-tlssession.c\n+++ b/tests/unit/test-crypto-tlssession.c\n@@ -24,6 +24,7 @@\n #include \"crypto-tls-psk-helpers.h\"\n #include \"crypto/tlscredsx509.h\"\n #include \"crypto/tlscredspsk.h\"\n+#include \"crypto/tlscredsanon.h\"\n #include \"crypto/tlssession.h\"\n #include \"qom/object_interfaces.h\"\n #include \"qapi/error.h\"\n@@ -190,6 +191,121 @@ static void test_crypto_tls_session_psk(void)\n }\n \n \n+static QCryptoTLSCreds *test_tls_creds_anon_create(\n+ QCryptoTLSCredsEndpoint endpoint)\n+{\n+ Object *parent = object_get_objects_root();\n+ Object *creds = object_new_with_props(\n+ TYPE_QCRYPTO_TLS_CREDS_ANON,\n+ parent,\n+ (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?\n+ \"testtlscredsserver\" : \"testtlscredsclient\"),\n+ 
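Review bot: The client branch now allocates `box` via `qcrypto_tls_creds_box_new_client(GNUTLS_CRD_ANON)` right before `gnutls_anon_allocate_client_credentials()`, but the hunk does not show what the `ret < 0` path does with that freshly created box; if it only sets errp and returns, the box (and anything its constructor set up) is leaked on this error path. Whatever release the server branch above uses after a failed `gnutls_anon_allocate_server_credentials()` presumably has to be mirrored here, or the box should be handed to the caller before the gnutls call so the existing cleanup covers it. A one-line comment on the new line would also help the next reader, e.g. `/* The box must exist before gnutls fills box->data.anonclient */`. qcrypto_tls_creds_anon_load's body continues outside the hunk in both directions.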
&error_abort,\n+ \"endpoint\", (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?\n+ \"server\" : \"client\"),\n+ \"priority\", \"NORMAL\",\n+ NULL\n+ );\n+ return QCRYPTO_TLS_CREDS(creds);\n+}\n+\n+\n+static void test_crypto_tls_session_anon(void)\n+{\n+ QCryptoTLSCreds *clientCreds;\n+ QCryptoTLSCreds *serverCreds;\n+ QCryptoTLSSession *clientSess = NULL;\n+ QCryptoTLSSession *serverSess = NULL;\n+ int channel[2];\n+ bool clientShake = false;\n+ bool serverShake = false;\n+ int ret;\n+\n+ /* We'll use this for our fake client-server connection */\n+ ret = qemu_socketpair(AF_UNIX, SOCK_STREAM, 0, channel);\n+ g_assert(ret == 0);\n+\n+ /*\n+ * We have an evil loop to do the handshake in a single\n+ * thread, so we need these non-blocking to avoid deadlock\n+ * of ourselves\n+ */\n+ qemu_set_blocking(channel[0], false, &error_abort);\n+ qemu_set_blocking(channel[1], false, &error_abort);\n+\n+ clientCreds = test_tls_creds_anon_create(\n+ QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT);\n+ g_assert(clientCreds != NULL);\n+\n+ serverCreds = test_tls_creds_anon_create(\n+ QCRYPTO_TLS_CREDS_ENDPOINT_SERVER);\n+ g_assert(serverCreds != NULL);\n+\n+ /* Now the real part of the test, setup the sessions */\n+ clientSess = qcrypto_tls_session_new(\n+ clientCreds, NULL, NULL,\n+ QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &error_abort);\n+ g_assert(clientSess != NULL);\n+\n+ serverSess = qcrypto_tls_session_new(\n+ serverCreds, NULL, NULL,\n+ QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &error_abort);\n+ g_assert(serverSess != NULL);\n+\n+ /* For handshake to work, we need to set the I/O callbacks\n+ * to read/write over the socketpair\n+ */\n+ qcrypto_tls_session_set_callbacks(serverSess,\n+ testWrite, testRead,\n+ &channel[0]);\n+ qcrypto_tls_session_set_callbacks(clientSess,\n+ testWrite, testRead,\n+ &channel[1]);\n+\n+ /*\n+ * Finally we loop around & around doing handshake on each\n+ * session until we get an error, or the handshake completes.\n+ * This relies on the socketpair being nonblocking to 
avoid\n+ * deadlocking ourselves upon handshake\n+ */\n+ do {\n+ int rv;\n+ if (!serverShake) {\n+ rv = qcrypto_tls_session_handshake(serverSess,\n+ &error_abort);\n+ g_assert(rv >= 0);\n+ if (rv == QCRYPTO_TLS_HANDSHAKE_COMPLETE) {\n+ serverShake = true;\n+ }\n+ }\n+ if (!clientShake) {\n+ rv = qcrypto_tls_session_handshake(clientSess,\n+ &error_abort);\n+ g_assert(rv >= 0);\n+ if (rv == QCRYPTO_TLS_HANDSHAKE_COMPLETE) {\n+ clientShake = true;\n+ }\n+ }\n+ } while (!clientShake || !serverShake);\n+\n+\n+ /* Finally make sure the server & client validation is successful. */\n+ g_assert(qcrypto_tls_session_check_credentials(serverSess,\n+ &error_abort) == 0);\n+ g_assert(qcrypto_tls_session_check_credentials(clientSess,\n+ &error_abort) == 0);\n+\n+ object_unparent(OBJECT(serverCreds));\n+ object_unparent(OBJECT(clientCreds));\n+\n+ qcrypto_tls_session_free(serverSess);\n+ qcrypto_tls_session_free(clientSess);\n+\n+ close(channel[0]);\n+ close(channel[1]);\n+}\n+\n+\n struct QCryptoTLSSessionTestData {\n const char *servercacrt;\n const char *clientcacrt;\n@@ -421,9 +537,11 @@ int main(int argc, char **argv)\n test_tls_init(KEYFILE);\n test_tls_psk_init(PSKFILE);\n \n- /* Simple initial test using Pre-Shared Keys. */\n+ /* Simple initial tests using Pre-Shared Keys & anon creds */\n g_test_add_func(\"/qcrypto/tlssession/psk\",\n test_crypto_tls_session_psk);\n+ g_test_add_func(\"/qcrypto/tlssession/anon\",\n+ test_crypto_tls_session_anon);\n \n /* More complex tests using X.509 certificates. */\n # define TEST_SESS_REG(name, caCrt, \\\n", "prefixes": [] }
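Review bot: In test_crypto_tls_session_anon the block comment starting `/* For handshake to work, we need to set the I/O callbacks` puts text on the opening `/*` line, which is the multi-line comment shape QEMU's checkpatch flags, while the other multi-line comments in the same function (`/*\n * We have an evil loop ...`, `/*\n * Finally we loop ...`) already use the leading `/*` on its own line. Rewriting it as `/*\n * For handshake to work, we need to set the I/O callbacks\n * to read/write over the socketpair\n */` keeps the function self-consistent. The `= NULL` initializers on `clientSess` and `serverSess` are also dead, since both are unconditionally assigned before first use, so they can be dropped or left as defensive style; this is cosmetic only.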