From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
"Eric Blake" <eblake@redhat.com>
Subject: [PATCH v3 0/7] crypto: misc fixes and improvements to cert handling
Date: Mon, 20 Oct 2025 15:12:30 +0100 [thread overview]
Message-ID: <20251020141237.2621796-1-berrange@redhat.com> (raw)
This series includes three patches that were posted a fairly
long time ago. They are borderline between a feature request
and a bug fix, but I'm classing them more bug fix, since they
addressing issues with cert acceptance that we really should
not have had.
The patches by Henry had outstanding comments from myself,
and I've chosen to simply fix them in two followup commits
of my own now to get this over the line.
The patch from "matoro" was not accepted because they were
contributed under a github alias. With our change to have
a more relaxed interpretation of the DCO allowing any
"known identity", we can now accept this patch. It had
some conflicts with Henry's patch which I've fixed up.
Then there is one other small bug fix and one improvement
to use a newer gnutls API.
Changed in v3:
- Re-ordered patch for fixing error reporting to be
near start of series, instead of end
- Add unit test for validating error reporting with
incomplete CA chains
- Unit test to validate that an Error is filled on
expected failures
Changed in v2:
- Update to latest upstream
Daniel P. Berrangé (5):
crypto: remove extraneous pointer usage in gnutls certs
crypto: validate an error is reported in test expected fails
crypto: fix error reporting in cert chain checks
crypto: stop requiring "key encipherment" usage in x509 certs
crypto: switch to newer gnutls API for distinguished name
Henry Kleynhans (1):
crypto: only verify CA certs in chain of trust
matoro (1):
crypto: allow client/server cert chains
crypto/tlscredsx509.c | 223 +++++++++++++++-----------
crypto/tlssession.c | 12 +-
docs/system/tls.rst | 13 +-
tests/unit/crypto-tls-x509-helpers.h | 6 +-
tests/unit/test-crypto-tlscredsx509.c | 155 +++++++++++++++---
tests/unit/test-crypto-tlssession.c | 14 +-
tests/unit/test-io-channel-tls.c | 4 +-
7 files changed, 280 insertions(+), 147 deletions(-)
--
2.50.1
next reply other threads:[~2025-10-20 14:13 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-20 14:12 Daniel P. Berrangé [this message]
2025-10-20 14:12 ` [PATCH v3 1/7] crypto: only verify CA certs in chain of trust Daniel P. Berrangé
2025-10-20 14:12 ` [PATCH v3 2/7] crypto: remove extraneous pointer usage in gnutls certs Daniel P. Berrangé
2025-10-20 14:12 ` [PATCH v3 3/7] crypto: validate an error is reported in test expected fails Daniel P. Berrangé
2025-10-20 19:40 ` Eric Blake
2025-10-20 20:14 ` Philippe Mathieu-Daudé
2025-10-20 14:12 ` [PATCH v3 4/7] crypto: fix error reporting in cert chain checks Daniel P. Berrangé
2025-10-20 19:50 ` Eric Blake
2025-10-20 14:12 ` [PATCH v3 5/7] crypto: allow client/server cert chains Daniel P. Berrangé
2025-10-20 14:12 ` [PATCH v3 6/7] crypto: stop requiring "key encipherment" usage in x509 certs Daniel P. Berrangé
2025-10-20 14:12 ` [PATCH v3 7/7] crypto: switch to newer gnutls API for distinguished name Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251020141237.2621796-1-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.