From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Marc-André Lureau" <marcandre.lureau@redhat.com>,
devel@lists.libvirt.org
Subject: Re: [PATCH 00/21] crypto: support multiple parallel certificate identities
Date: Thu, 30 Oct 2025 15:30:56 +0000 [thread overview]
Message-ID: <aQOEsB71Sc2WQX0d@redhat.com> (raw)
In-Reply-To: <20251030144805.2239954-1-berrange@redhat.com>
Sorry, this series aborted during mail sending so is incomplete.
See the immediately following re-post for the full set of 21 patches
On Thu, Oct 30, 2025 at 02:47:44PM +0000, Daniel P. Berrangé wrote:
> This series aims to improve the support for post-quantum cryptography
> in TLS connections by allowing multiple sets of certificates to be
> loaded. The idea is that during a transition period servers will have
> a traditional RSA based certificate in parallel with an MLDSA based
> certificate for PQC, and the right one will be dynamically determined
> during the TLS handshake.
>
> The first 12 patches are trivial cleanups.
>
> The next 3 patches fix a potential use-after-free problem
>
> The last patches introduce support for multiple certificates.
>
> NB, in terms of testing this will require either CentOS Stream 10,
> or Fedora 43. Most other distros will not support PQC out of the
> box at this time even if they have new enough gnutls, since they
> don't make use of the crypto-policies package which is needed to
> enable PQC by default.
>
> Daniel P. Berrangé (21):
> crypto: remove redundant parameter checking CA certs
> crypto: add missing free of certs array
> crypto: replace stat() with access() for credential checks
> crypto: remove redundant access() checks before loading certs
> crypto: move check for TLS creds 'dir' property
> crypto: use g_autofree when loading x509 credentials
> crypto: remove needless indirection via parent_obj field
> crypto: move release of DH parameters into TLS creds parent
> crypto: shorten the endpoint == server check in TLS creds
> crypto: remove duplication loading x509 CA cert
> crypto: reduce duplication in handling TLS priority strings
> crypto: introduce method for reloading TLS creds
> crypto: introduce a wrapper around gnutls credentials
> crypto: fix lifecycle handling of gnutls credentials objects
> crypto: make TLS credentials structs private
> crypto: deprecate use of external dh-params.pem file
> crypto: avoid loading the CA certs twice
> crypto: avoid loading the identity certs twice
> crypto: expand logic to cope with multiple certificate identities
> crypto: support upto 5 parallel certificate identities
> docs: creation of x509 certs compliant with post-quantum crypto
>
> crypto/meson.build | 5 +-
> crypto/tlscreds.c | 77 ++--
> crypto/tlscredsanon.c | 62 +--
> crypto/tlscredsbox.c | 101 +++++
> crypto/tlscredsbox.h | 46 ++
> crypto/tlscredspriv.h | 36 +-
> crypto/tlscredspsk.c | 64 ++-
> crypto/tlscredsx509.c | 592 +++++++++++++++++---------
> crypto/tlssession.c | 139 ++----
> crypto/trace-events | 1 +
> docs/about/deprecated.rst | 9 +
> docs/system/tls.rst | 134 +++++-
> include/crypto/tlscreds.h | 26 ++
> include/crypto/tlscredsx509.h | 6 +
> tests/unit/test-crypto-tlscredsx509.c | 8 +-
> ui/vnc.c | 9 +-
> 16 files changed, 849 insertions(+), 466 deletions(-)
> create mode 100644 crypto/tlscredsbox.c
> create mode 100644 crypto/tlscredsbox.h
>
> --
> 2.51.1
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2025-10-30 15:33 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-30 14:47 [PATCH 00/21] crypto: support multiple parallel certificate identities Daniel P. Berrangé
2025-10-30 14:47 ` [PATCH 01/21] crypto: remove redundant parameter checking CA certs Daniel P. Berrangé
2025-10-30 19:30 ` Marc-André Lureau
2025-10-30 14:47 ` [PATCH 02/21] crypto: add missing free of certs array Daniel P. Berrangé
2025-10-30 19:31 ` Marc-André Lureau
2025-10-30 14:47 ` [PATCH 03/21] crypto: replace stat() with access() for credential checks Daniel P. Berrangé
2025-10-30 19:31 ` Marc-André Lureau
2025-10-30 14:47 ` [PATCH 04/21] crypto: remove redundant access() checks before loading certs Daniel P. Berrangé
2025-10-30 19:31 ` Marc-André Lureau
2025-10-30 14:47 ` [PATCH 05/21] crypto: move check for TLS creds 'dir' property Daniel P. Berrangé
2025-10-30 19:31 ` Marc-André Lureau
2025-10-30 14:47 ` [PATCH 06/21] crypto: use g_autofree when loading x509 credentials Daniel P. Berrangé
2025-10-30 19:23 ` Marc-André Lureau
2025-10-31 15:06 ` Daniel P. Berrangé
2025-10-30 15:30 ` Daniel P. Berrangé [this message]
-- strict thread matches above, loose matches on Subject: below --
2025-10-30 14:49 [PATCH 00/21] crypto: support multiple parallel certificate identities Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aQOEsB71Sc2WQX0d@redhat.com \
--to=berrange@redhat.com \
--cc=devel@lists.libvirt.org \
--cc=marcandre.lureau@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).