Sorry, this series aborted during mail sending so is incomplete. See the immediately following re-post for the full set of 21 patches
On Thu, Oct 30, 2025 at 02:47:44PM +0000, Daniel P. Berrangé wrote: > This series aims to improve the support for post-quantum cryptography > in TLS connections by allowing multiple sets of certificates to be > loaded. The idea is that during a transition period servers will have > a traditional RSA based certificate in parallel with an MLDSA based > certificate for PQC, and the right one will be dynamically determined > during the TLS handshake. > > The first 12 patches are trivial cleanups. > > The next 3 patches fix a potential use-after-free problem > > The last patches introduce support for multiple certificates. > > NB, in terms of testing this will require either CentOS Stream 10, > or Fedora 43. Most other distros will not support PQC out of the > box at this time even if they have new enough gnutls, since they > don't make use of the crypto-policies package which is needed to > enable PQC by default. > > Daniel P. Berrangé (21): > crypto: remove redundant parameter checking CA certs > crypto: add missing free of certs array > crypto: replace stat() with access() for credential checks > crypto: remove redundant access() checks before loading certs > crypto: move check for TLS creds 'dir' property > crypto: use g_autofree when loading x509 credentials > crypto: remove needless indirection via parent_obj field > crypto: move release of DH parameters into TLS creds parent > crypto: shorten the endpoint == server check in TLS creds > crypto: remove duplication loading x509 CA cert > crypto: reduce duplication in handling TLS priority strings > crypto: introduce method for reloading TLS creds > crypto: introduce a wrapper around gnutls credentials > crypto: fix lifecycle handling of gnutls credentials objects > crypto: make TLS credentials structs private > crypto: deprecate use of external dh-params.pem file > crypto: avoid loading the CA certs twice > crypto: avoid loading the identity certs twice > crypto: expand logic to cope with multiple certificate identities > crypto: support upto 5 parallel certificate identities > docs: creation of x509 certs compliant with post-quantum crypto > > crypto/meson.build | 5 +- > crypto/tlscreds.c | 77 ++-- > crypto/tlscredsanon.c | 62 +-- > crypto/tlscredsbox.c | 101 +++++ > crypto/tlscredsbox.h | 46 ++ > crypto/tlscredspriv.h | 36 +- > crypto/tlscredspsk.c | 64 ++- > crypto/tlscredsx509.c | 592 +++++++++++++++++--------- > crypto/tlssession.c | 139 ++---- > crypto/trace-events | 1 + > docs/about/deprecated.rst | 9 + > docs/system/tls.rst | 134 +++++- > include/crypto/tlscreds.h | 26 ++ > include/crypto/tlscredsx509.h | 6 + > tests/unit/test-crypto-tlscredsx509.c | 8 +- > ui/vnc.c | 9 +- > 16 files changed, 849 insertions(+), 466 deletions(-) > create mode 100644 crypto/tlscredsbox.c > create mode 100644 crypto/tlscredsbox.h > > -- > 2.51.1 > With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
