From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
"Fabiano Rosas" <farosas@suse.de>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
devel@lists.libvirt.org, "Laurent Vivier" <lvivier@redhat.com>
Subject: [PULL 22/32] crypto: reduce duplication in handling TLS priority strings
Date: Mon, 3 Nov 2025 13:37:16 +0000 [thread overview]
Message-ID: <20251103133727.423041-23-berrange@redhat.com> (raw)
In-Reply-To: <20251103133727.423041-1-berrange@redhat.com>
The logic for setting the TLS priority string on a session object has a
significant amount of logic duplication across the different credential
types. By recording the extra priority string suffix against the
credential class, we can introduce a common method for building the
priority string. The TLS session can now set the priority string without
caring about the credential type.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
crypto/tlscreds.c | 15 ++++++++++
crypto/tlscredsanon.c | 2 ++
crypto/tlscredspsk.c | 2 ++
crypto/tlssession.c | 60 ++++++---------------------------------
include/crypto/tlscreds.h | 13 +++++++++
5 files changed, 41 insertions(+), 51 deletions(-)
diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
index a9e0caf864..c302b3cd72 100644
--- a/crypto/tlscreds.c
+++ b/crypto/tlscreds.c
@@ -268,6 +268,21 @@ bool qcrypto_tls_creds_check_endpoint(QCryptoTLSCreds *creds,
return true;
}
+
+char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds *creds)
+{
+ QCryptoTLSCredsClass *tcc = QCRYPTO_TLS_CREDS_GET_CLASS(creds);
+ const char *priorityBase =
+ creds->priority ? creds->priority : CONFIG_TLS_PRIORITY;
+
+ if (tcc->prioritySuffix) {
+ return g_strdup_printf("%s:%s", priorityBase, tcc->prioritySuffix);
+ } else {
+ return g_strdup(priorityBase);
+ }
+}
+
+
static const TypeInfo qcrypto_tls_creds_info = {
.parent = TYPE_OBJECT,
.name = TYPE_QCRYPTO_TLS_CREDS,
diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c
index 1ddfe4eb31..5c55b07b2f 100644
--- a/crypto/tlscredsanon.c
+++ b/crypto/tlscredsanon.c
@@ -137,8 +137,10 @@ static void
qcrypto_tls_creds_anon_class_init(ObjectClass *oc, const void *data)
{
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+ QCryptoTLSCredsClass *tcc = QCRYPTO_TLS_CREDS_CLASS(oc);
ucc->complete = qcrypto_tls_creds_anon_complete;
+ tcc->prioritySuffix = "+ANON-DH";
}
diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c
index bf4efe2114..6c2feae077 100644
--- a/crypto/tlscredspsk.c
+++ b/crypto/tlscredspsk.c
@@ -240,8 +240,10 @@ static void
qcrypto_tls_creds_psk_class_init(ObjectClass *oc, const void *data)
{
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+ QCryptoTLSCredsClass *tcc = QCRYPTO_TLS_CREDS_CLASS(oc);
ucc->complete = qcrypto_tls_creds_psk_complete;
+ tcc->prioritySuffix = "+ECDHE-PSK:+DHE-PSK:+PSK";
object_class_property_add_str(oc, "username",
qcrypto_tls_creds_psk_prop_get_username,
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index 92fe4f0380..77f334add3 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -155,9 +155,6 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t len)
}
}
-#define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH"
-#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK"
-
QCryptoTLSSession *
qcrypto_tls_session_new(QCryptoTLSCreds *creds,
const char *hostname,
@@ -167,6 +164,7 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
{
QCryptoTLSSession *session;
int ret;
+ g_autofree char *prio = NULL;
session = g_new0(QCryptoTLSSession, 1);
trace_qcrypto_tls_session_new(
@@ -200,28 +198,17 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
goto error;
}
+ prio = qcrypto_tls_creds_get_priority(creds);
+ ret = gnutls_priority_set_direct(session->handle, prio, NULL);
+ if (ret < 0) {
+ error_setg(errp, "Unable to set TLS session priority %s: %s",
+ prio, gnutls_strerror(ret));
+ goto error;
+ }
+
if (object_dynamic_cast(OBJECT(creds),
TYPE_QCRYPTO_TLS_CREDS_ANON)) {
QCryptoTLSCredsAnon *acreds = QCRYPTO_TLS_CREDS_ANON(creds);
- char *prio;
-
- if (creds->priority != NULL) {
- prio = g_strdup_printf("%s:%s",
- creds->priority,
- TLS_PRIORITY_ADDITIONAL_ANON);
- } else {
- prio = g_strdup(CONFIG_TLS_PRIORITY ":"
- TLS_PRIORITY_ADDITIONAL_ANON);
- }
-
- ret = gnutls_priority_set_direct(session->handle, prio, NULL);
- if (ret < 0) {
- error_setg(errp, "Unable to set TLS session priority %s: %s",
- prio, gnutls_strerror(ret));
- g_free(prio);
- goto error;
- }
- g_free(prio);
if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
ret = gnutls_credentials_set(session->handle,
GNUTLS_CRD_ANON,
@@ -239,25 +226,6 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
} else if (object_dynamic_cast(OBJECT(creds),
TYPE_QCRYPTO_TLS_CREDS_PSK)) {
QCryptoTLSCredsPSK *pcreds = QCRYPTO_TLS_CREDS_PSK(creds);
- char *prio;
-
- if (creds->priority != NULL) {
- prio = g_strdup_printf("%s:%s",
- creds->priority,
- TLS_PRIORITY_ADDITIONAL_PSK);
- } else {
- prio = g_strdup(CONFIG_TLS_PRIORITY ":"
- TLS_PRIORITY_ADDITIONAL_PSK);
- }
-
- ret = gnutls_priority_set_direct(session->handle, prio, NULL);
- if (ret < 0) {
- error_setg(errp, "Unable to set TLS session priority %s: %s",
- prio, gnutls_strerror(ret));
- g_free(prio);
- goto error;
- }
- g_free(prio);
if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
ret = gnutls_credentials_set(session->handle,
GNUTLS_CRD_PSK,
@@ -275,17 +243,7 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
} else if (object_dynamic_cast(OBJECT(creds),
TYPE_QCRYPTO_TLS_CREDS_X509)) {
QCryptoTLSCredsX509 *tcreds = QCRYPTO_TLS_CREDS_X509(creds);
- const char *prio = creds->priority;
- if (!prio) {
- prio = CONFIG_TLS_PRIORITY;
- }
- ret = gnutls_priority_set_direct(session->handle, prio, NULL);
- if (ret < 0) {
- error_setg(errp, "Cannot set default TLS session priority %s: %s",
- prio, gnutls_strerror(ret));
- goto error;
- }
ret = gnutls_credentials_set(session->handle,
GNUTLS_CRD_CERTIFICATE,
tcreds->data);
diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h
index 2a8a857010..afd1016088 100644
--- a/include/crypto/tlscreds.h
+++ b/include/crypto/tlscreds.h
@@ -47,6 +47,7 @@ typedef bool (*CryptoTLSCredsReload)(QCryptoTLSCreds *, Error **);
struct QCryptoTLSCredsClass {
ObjectClass parent_class;
CryptoTLSCredsReload reload;
+ const char *prioritySuffix;
};
/**
@@ -64,4 +65,16 @@ bool qcrypto_tls_creds_check_endpoint(QCryptoTLSCreds *creds,
QCryptoTLSCredsEndpoint endpoint,
Error **errp);
+
+/**
+ * qcrypto_tls_creds_get_priority:
+ * @creds: pointer to a TLS credentials object
+ *
+ * Get the TLS credentials priority string. The caller
+ * must free the returned string when no longer required.
+ *
+ * Returns: a non-NULL priority string
+ */
+char *qcrypto_tls_creds_get_priority(QCryptoTLSCreds *creds);
+
#endif /* QCRYPTO_TLSCREDS_H */
--
2.51.1
next prev parent reply other threads:[~2025-11-03 13:45 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-03 13:36 [PULL 00/32] Next pr patches Daniel P. Berrangé
2025-11-03 13:36 ` [PULL 01/32] Implement -run-with exit-with-parent=on Daniel P. Berrangé
2025-11-03 13:36 ` [PULL 02/32] tests/qtest: Use exit-with-parent=on in qtest invocations Daniel P. Berrangé
2025-11-03 13:36 ` [PULL 03/32] crypto/hash: Have hashing functions take void * buffer argument Daniel P. Berrangé
2025-11-03 13:36 ` [PULL 04/32] io/channel: Have read/write " Daniel P. Berrangé
2025-11-03 13:36 ` [PULL 05/32] io: add a "blocking" field to QIOChannelSocket Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 06/32] io: flush zerocopy socket error queue on sendmsg failure due to ENOBUF Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 07/32] crypto: bump min gnutls to 3.7.5 Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 08/32] crypto: unconditionally enable gnutls XTS support Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 09/32] crypto: bump min libgcrypt to 1.9.4 Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 10/32] crypto: bump min nettle to 3.7.3 Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 11/32] crypto: drop in-tree XTS cipher mode impl Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 12/32] crypto: remove redundant parameter checking CA certs Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 13/32] crypto: add missing free of certs array Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 14/32] crypto: replace stat() with access() for credential checks Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 15/32] crypto: remove redundant access() checks before loading certs Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 16/32] crypto: move check for TLS creds 'dir' property Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 17/32] crypto: use g_autofree when loading x509 credentials Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 18/32] crypto: remove needless indirection via parent_obj field Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 19/32] crypto: move release of DH parameters into TLS creds parent Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 20/32] crypto: shorten the endpoint == server check in TLS creds Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 21/32] crypto: remove duplication loading x509 CA cert Daniel P. Berrangé
2025-11-03 13:37 ` Daniel P. Berrangé [this message]
2025-11-03 13:37 ` [PULL 23/32] crypto: introduce method for reloading TLS creds Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 24/32] crypto: introduce a wrapper around gnutls credentials Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 25/32] crypto: fix lifecycle handling of gnutls credentials objects Daniel P. Berrangé
2026-04-03 18:25 ` Maciej S. Szmigiero
2026-04-17 13:31 ` Maciej S. Szmigiero
2026-04-23 13:45 ` Daniel P. Berrange
2026-04-23 19:07 ` Maciej S. Szmigiero
2025-11-03 13:37 ` [PULL 26/32] crypto: make TLS credentials structs private Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 27/32] crypto: deprecate use of external dh-params.pem file Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 28/32] crypto: avoid loading the CA certs twice Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 29/32] crypto: avoid loading the identity " Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 30/32] crypto: expand logic to cope with multiple certificate identities Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 31/32] crypto: support upto 5 parallel " Daniel P. Berrangé
2025-11-03 13:37 ` [PULL 32/32] docs: creation of x509 certs compliant with post-quantum crypto Daniel P. Berrangé
2025-11-04 15:19 ` [PULL 00/32] Next pr patches Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251103133727.423041-23-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=devel@lists.libvirt.org \
--cc=farosas@suse.de \
--cc=lvivier@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.