On 23.04.2026 15:45, Daniel P. Berrange wrote:
On Fri, Apr 17, 2026 at 03:31:02PM +0200, Maciej S. Szmigiero wrote:
On 3.04.2026 20:25, Maciej S. Szmigiero wrote:
On 3.11.2025 14:37, Daniel P. Berrangé wrote:
As described in the previous commit, the gnutls credentials need to
be kept alive for as long as the gnutls session object exists. Convert
the QCryptoTLSCreds objects to use QCryptoTLSCredsBox and holding the
gnutls credential objects. When loading the credentials into a gnutls
session, store a reference to the box into the QCryptoTLSSession object.
This has the useful side effect that the QCryptoTLSSession code no
longer needs to know about all the different credential types, it can
use the generic pointer stored in the box.
Reviewed-by: Marc-André Lureau <[email protected]>
Signed-off-by: Daniel P. Berrangé <[email protected]>
---
(..)
diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c
index 5c55b07b2f..0a728ccbf6 100644
--- a/crypto/tlscredsanon.c
+++ b/crypto/tlscredsanon.c
@@ -36,6 +36,7 @@ static int
qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds,
Error **errp)
{
+ g_autoptr(QCryptoTLSCredsBox) box = NULL;
g_autofree char *dhparams = NULL;
int ret;
@@ -43,6 +44,8 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds,
creds->parent_obj.dir ? creds->parent_obj.dir : "<nodir>");
if (creds->parent_obj.endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
+ box = qcrypto_tls_creds_box_new_server(GNUTLS_CRD_ANON);
+
if (creds->parent_obj.dir &&
qcrypto_tls_creds_get_path(&creds->parent_obj,
QCRYPTO_TLS_CREDS_DH_PARAMS,
@@ -50,7 +53,7 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds,
return -1;
}
- ret = gnutls_anon_allocate_server_credentials(&creds->data.server);
+ ret = gnutls_anon_allocate_server_credentials(&box->data.anonserver);
if (ret < 0) {
error_setg(errp, "Cannot allocate credentials: %s",
gnutls_strerror(ret));
@@ -58,42 +61,26 @@ qcrypto_tls_creds_anon_load(QCryptoTLSCredsAnon *creds,
}
if (qcrypto_tls_creds_get_dh_params_file(&creds->parent_obj,
dhparams,
- &creds->parent_obj.dh_params,
- errp) < 0) {
+ &box->dh_params, errp) < 0) {
return -1;
}
- gnutls_anon_set_server_dh_params(creds->data.server,
- creds->parent_obj.dh_params);
+ gnutls_anon_set_server_dh_params(box->data.anonserver,
+ box->dh_params);
} else {
- ret = gnutls_anon_allocate_client_credentials(&creds->data.client);
+ ret = gnutls_anon_allocate_client_credentials(&box->data.anonclient);
Pointed question - where's the object pointed to by "box" allocated in this case
of an anonymous TLS client being loaded? :)
To be clear, that was supposed to be a humorous report of a regression
introduced
by the above commit - sorry if it wasn't communicated well.
No problem. I understood your message, I simply forget to
reply to it :-(
No problem, just wanted to be sure that this won't fall through the cracks.
Reproducer:
$ qemu-system-x86_64 -object tls-creds-anon,endpoint=client,id=test
Segmentation fault
The above code branch really needs something like
"box = qcrypto_tls_creds_box_new_client(GNUTLS_CRD_ANON)".
Yep, and even more importantly we needed a test case in test-crypto-tlssession
to validate this works !
I've CC'd you on the proposal fix
I tested the proposed patch and it seems to fix the regression - thanks!
The updated QEMU test also passes for me.
Thanks,
Maciej
