Self-NACK I've discovered this fails on CFI enabled builds, because gnutls_malloc/gnutls_free are incompatible with CFI due to requiring bad function pointer casts. Fortunately gnutls 3.3.0 dropped support for replacing the system allocators, so we can assume C library malloc/free are acceptable, just as with glib.
I'll post a v2 PULL shortly. On Fri, Oct 24, 2025 at 02:19:24PM +0100, Daniel P. Berrangé wrote: > The following changes since commit e8779f3d1509cd07620c6166a9a280376e01ff2f: > > Merge tag 'pull-riscv-to-apply-20251024' of > https://github.com/alistair23/qemu into staging (2025-10-24 10:53:02 +0200) > > are available in the Git repository at: > > https://gitlab.com/berrange/qemu tags/next-pr-pull-request > > for you to fetch changes up to 608be310a9c0a8501480a8ba76de3df8feaaf0d8: > > crypto: switch to newer gnutls API for distinguished name (2025-10-24 > 13:06:05 +0100) > > ---------------------------------------------------------------- > Merge misc, crypto and I/O subsystems changes > > * Fix use after free in websocket handshake (CVE-2025-11234) > * Improved stack traces fatal errors/aborts raised for > user creatable objects > * Stop requiring 'key encipherment' usage in x509 certs > * Only sanity check CA certs needed in the chain of trust > * Allow intermediate CA certs to be present in client/server > cert file > * Fix regression propagating errors in premature shutdown > of TLS connections > > ---------------------------------------------------------------- > > Daniel P. Berrangé (11): > crypto: propagate Error object on premature termination > qom: use ERRP_GUARD in user_creatable_complete > tests: use macros for registering char tests for sockets > io: release active GSource in TLS channel finalizer > io: move websock resource release to close method > io: fix use after free in websocket handshake code > crypto: remove extraneous pointer usage in gnutls certs > crypto: validate an error is reported in test expected fails > crypto: fix error reporting in cert chain checks > crypto: stop requiring "key encipherment" usage in x509 certs > crypto: switch to newer gnutls API for distinguished name > > Henry Kleynhans (1): > crypto: only verify CA certs in chain of trust > > matoro (1): > crypto: allow client/server cert chains > > crypto/tlscredsx509.c | 223 +++++++++++++++----------- > crypto/tlssession.c | 20 +-- > docs/system/tls.rst | 13 +- > include/io/channel-websock.h | 3 +- > io/channel-tls.c | 23 ++- > io/channel-websock.c | 33 +++- > qom/object_interfaces.c | 7 +- > tests/unit/crypto-tls-x509-helpers.h | 6 +- > tests/unit/test-char.c | 8 +- > tests/unit/test-crypto-tlscredsx509.c | 155 +++++++++++++++--- > tests/unit/test-crypto-tlssession.c | 14 +- > tests/unit/test-io-channel-tls.c | 4 +- > 12 files changed, 336 insertions(+), 173 deletions(-) > > -- > 2.50.1 > With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
