{"id":2227381,"url":"http://patchwork.ozlabs.org/api/patches/2227381/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260423134422.688862-1-dan@berrange.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260423134422.688862-1-dan@berrange.com>","list_archive_url":null,"date":"2026-04-23T13:44:22","name":"crypto: fix client side anonymous TLS credentials","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"4d47541a8696228706232fd947b2ee7ae348e74e","submitter":{"id":5728,"url":"http://patchwork.ozlabs.org/api/people/5728/?format=json","name":"Daniel P. Berrangé","email":"dan@berrange.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260423134422.688862-1-dan@berrange.com/mbox/","series":[{"id":501205,"url":"http://patchwork.ozlabs.org/api/series/501205/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=501205","date":"2026-04-23T13:44:22","name":"crypto: fix client side anonymous TLS credentials","version":1,"mbox":"http://patchwork.ozlabs.org/series/501205/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2227381/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2227381/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":"legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n 
receiver=patchwork.ozlabs.org)","Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g1f9Q58hJz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 24 Apr 2026 00:48:41 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wFvLO-0003Iz-Vx; Thu, 23 Apr 2026 10:47:55 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <dan@berrange.com>) id 1wFuMH-0007c2-4w\n for qemu-devel@nongnu.org; Thu, 23 Apr 2026 09:44:46 -0400","from us-smtp-delivery-44.mimecast.com ([207.211.30.44])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <dan@berrange.com>) id 1wFuMA-0001Xc-Ic\n for qemu-devel@nongnu.org; Thu, 23 Apr 2026 09:44:41 -0400","from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-191-4Uoe15FXOMGiXf6VkzzCbw-1; Thu,\n 23 Apr 2026 09:44:28 -0400","from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 7B1AD19560BD; Thu, 23 Apr 2026 13:44:27 +0000 (UTC)","from thinkbook.redhat.com (unknown [10.44.33.238])\n by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id D41811943295; Thu, 23 Apr 2026 
13:44:24 +0000 (UTC)"],"X-MC-Unique":"4Uoe15FXOMGiXf6VkzzCbw-1","X-Mimecast-MFC-AGG-ID":"4Uoe15FXOMGiXf6VkzzCbw_1776951868","From":"=?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <dan@berrange.com>","To":"qemu-devel@nongnu.org","Cc":"=?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= <berrange@redhat.com>, =?utf-8?q?D?=\n\t=?utf-8?q?aniel_P=2E_Berrang=C3=A9?= <dan@berrange.com>,\n \"Maciej S. Szmigiero\" <mail@maciej.szmigiero.name>","Subject":"[PATCH] crypto: fix client side anonymous TLS credentials","Date":"Thu, 23 Apr 2026 14:44:22 +0100","Message-ID":"<20260423134422.688862-1-dan@berrange.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"8bit","X-Scanned-By":"MIMEDefang 3.0 on 10.30.177.17","Received-SPF":"softfail client-ip=207.211.30.44;\n envelope-from=dan@berrange.com;\n helo=us-smtp-delivery-44.mimecast.com","X-Spam_score_int":"14","X-Spam_score":"1.4","X-Spam_bar":"+","X-Spam_report":"(1.4 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_SBL_CSS=3.335, SPF_HELO_PASS=-0.001,\n SPF_SOFTFAIL=0.665 autolearn=no autolearn_force=no","X-Spam_action":"no action","X-Mailman-Approved-At":"Thu, 23 Apr 2026 10:47:50 -0400","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"The previous refactoring of credential creation failed to 
allocate\nstorage for the anonymous TLS credentials on the client endpoint.\n\nFixes: 70f9fd8dbf7233bee497055a9b7825e3729ce853\nReported-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>\nSigned-off-by: Daniel P. Berrangé <dan@berrange.com>\n---\n crypto/tlscredsanon.c               |   2 +\n tests/unit/test-crypto-tlssession.c | 120 +++++++++++++++++++++++++++-\n 2 files changed, 121 insertions(+), 1 deletion(-)","diff":"diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c\nindex 1551382e1f..190c9833a7 100644\n--- a/crypto/tlscredsanon.c\n+++ b/crypto/tlscredsanon.c\n@@ -73,6 +73,8 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds,\n                                              box->dh_params);\n         }\n     } else {\n+        box = qcrypto_tls_creds_box_new_client(GNUTLS_CRD_ANON);\n+\n         ret = gnutls_anon_allocate_client_credentials(&box->data.anonclient);\n         if (ret < 0) {\n             error_setg(errp, \"Cannot allocate credentials: %s\",\ndiff --git a/tests/unit/test-crypto-tlssession.c b/tests/unit/test-crypto-tlssession.c\nindex 0d06a6892e..dc7a01bb06 100644\n--- a/tests/unit/test-crypto-tlssession.c\n+++ b/tests/unit/test-crypto-tlssession.c\n@@ -24,6 +24,7 @@\n #include \"crypto-tls-psk-helpers.h\"\n #include \"crypto/tlscredsx509.h\"\n #include \"crypto/tlscredspsk.h\"\n+#include \"crypto/tlscredsanon.h\"\n #include \"crypto/tlssession.h\"\n #include \"qom/object_interfaces.h\"\n #include \"qapi/error.h\"\n@@ -190,6 +191,121 @@ static void test_crypto_tls_session_psk(void)\n }\n \n \n+static QCryptoTLSCreds *test_tls_creds_anon_create(\n+    QCryptoTLSCredsEndpoint endpoint)\n+{\n+    Object *parent = object_get_objects_root();\n+    Object *creds = object_new_with_props(\n+        TYPE_QCRYPTO_TLS_CREDS_ANON,\n+        parent,\n+        (endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?\n+         \"testtlscredsserver\" : \"testtlscredsclient\"),\n+        &error_abort,\n+        \"endpoint\", (endpoint == 
QCRYPTO_TLS_CREDS_ENDPOINT_SERVER ?\n+                     \"server\" : \"client\"),\n+        \"priority\", \"NORMAL\",\n+        NULL\n+        );\n+    return QCRYPTO_TLS_CREDS(creds);\n+}\n+\n+\n+static void test_crypto_tls_session_anon(void)\n+{\n+    QCryptoTLSCreds *clientCreds;\n+    QCryptoTLSCreds *serverCreds;\n+    QCryptoTLSSession *clientSess = NULL;\n+    QCryptoTLSSession *serverSess = NULL;\n+    int channel[2];\n+    bool clientShake = false;\n+    bool serverShake = false;\n+    int ret;\n+\n+    /* We'll use this for our fake client-server connection */\n+    ret = qemu_socketpair(AF_UNIX, SOCK_STREAM, 0, channel);\n+    g_assert(ret == 0);\n+\n+    /*\n+     * We have an evil loop to do the handshake in a single\n+     * thread, so we need these non-blocking to avoid deadlock\n+     * of ourselves\n+     */\n+    qemu_set_blocking(channel[0], false, &error_abort);\n+    qemu_set_blocking(channel[1], false, &error_abort);\n+\n+    clientCreds = test_tls_creds_anon_create(\n+        QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT);\n+    g_assert(clientCreds != NULL);\n+\n+    serverCreds = test_tls_creds_anon_create(\n+        QCRYPTO_TLS_CREDS_ENDPOINT_SERVER);\n+    g_assert(serverCreds != NULL);\n+\n+    /* Now the real part of the test, setup the sessions */\n+    clientSess = qcrypto_tls_session_new(\n+        clientCreds, NULL, NULL,\n+        QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT, &error_abort);\n+    g_assert(clientSess != NULL);\n+\n+    serverSess = qcrypto_tls_session_new(\n+        serverCreds, NULL, NULL,\n+        QCRYPTO_TLS_CREDS_ENDPOINT_SERVER, &error_abort);\n+    g_assert(serverSess != NULL);\n+\n+    /* For handshake to work, we need to set the I/O callbacks\n+     * to read/write over the socketpair\n+     */\n+    qcrypto_tls_session_set_callbacks(serverSess,\n+                                      testWrite, testRead,\n+                                      &channel[0]);\n+    qcrypto_tls_session_set_callbacks(clientSess,\n+                
                      testWrite, testRead,\n+                                      &channel[1]);\n+\n+    /*\n+     * Finally we loop around & around doing handshake on each\n+     * session until we get an error, or the handshake completes.\n+     * This relies on the socketpair being nonblocking to avoid\n+     * deadlocking ourselves upon handshake\n+     */\n+    do {\n+        int rv;\n+        if (!serverShake) {\n+            rv = qcrypto_tls_session_handshake(serverSess,\n+                                               &error_abort);\n+            g_assert(rv >= 0);\n+            if (rv == QCRYPTO_TLS_HANDSHAKE_COMPLETE) {\n+                serverShake = true;\n+            }\n+        }\n+        if (!clientShake) {\n+            rv = qcrypto_tls_session_handshake(clientSess,\n+                                               &error_abort);\n+            g_assert(rv >= 0);\n+            if (rv == QCRYPTO_TLS_HANDSHAKE_COMPLETE) {\n+                clientShake = true;\n+            }\n+        }\n+    } while (!clientShake || !serverShake);\n+\n+\n+    /* Finally make sure the server & client validation is successful. */\n+    g_assert(qcrypto_tls_session_check_credentials(serverSess,\n+                                                   &error_abort) == 0);\n+    g_assert(qcrypto_tls_session_check_credentials(clientSess,\n+                                                   &error_abort) == 0);\n+\n+    object_unparent(OBJECT(serverCreds));\n+    object_unparent(OBJECT(clientCreds));\n+\n+    qcrypto_tls_session_free(serverSess);\n+    qcrypto_tls_session_free(clientSess);\n+\n+    close(channel[0]);\n+    close(channel[1]);\n+}\n+\n+\n struct QCryptoTLSSessionTestData {\n     const char *servercacrt;\n     const char *clientcacrt;\n@@ -421,9 +537,11 @@ int main(int argc, char **argv)\n     test_tls_init(KEYFILE);\n     test_tls_psk_init(PSKFILE);\n \n-    /* Simple initial test using Pre-Shared Keys. 
*/\n+    /* Simple initial tests using Pre-Shared Keys & anon creds */\n     g_test_add_func(\"/qcrypto/tlssession/psk\",\n                     test_crypto_tls_session_psk);\n+    g_test_add_func(\"/qcrypto/tlssession/anon\",\n+                    test_crypto_tls_session_anon);\n \n     /* More complex tests using X.509 certificates. */\n # define TEST_SESS_REG(name, caCrt,                                     \\\n","prefixes":[]}
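Review bot: in the client branch of qcrypto_tls_creds_anon_load() (the crypto/tlscredsanon.c hunk), the `if (ret < 0)` / `error_setg(errp, "Cannot allocate credentials: %s",` path now runs with a box freshly returned by qcrypto_tls_creds_box_new_client(GNUTLS_CRD_ANON), and the hunk shows neither that box being released nor it being attached to `creds` on that path; confirm the failure path frees it so a failed gnutls_anon_allocate_client_credentials() does not leak the box, ideally through the same cleanup the server branch (the `box->dh_params` code just above) already uses. A one-line comment on the new allocation saying the client side needs no DH parameters would also make the asymmetry with the server branch obvious to the next reader.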
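Review bot: in the test_crypto_tls_session_anon() hunk of tests/unit/test-crypto-tlssession.c, the `/* For handshake to work, we need to set the I/O callbacks` comment is a multi-line block comment whose opening `/*` is not on its own line, which QEMU's checkpatch warns about; the other multi-line comments in the same function already use the separate-line form (`/*` then ` * We have an evil loop ...`), so this one should match. It is also worth a short comment above the final g_assert() pair: with anonymous credentials qcrypto_tls_session_check_credentials() can only confirm the call succeeds, not that any peer identity was verified, so the regression this test guards against is the client handshake completing at all, not the credential check.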