* [PULL 00/13] Misc patches
@ 2021-01-29 17:10 Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 01/13] crypto: Fix some code style problems, add spaces around operator Daniel P. Berrangé
                   ` (14 more replies)
  0 siblings, 15 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Daniel P. Berrangé,
	qemu-block, libvir-list, Max Reitz, Gerd Hoffmann, Paolo Bonzini

The following changes since commit 5101d00d2f1138a73344dc4833587f76d7a5fa5c:

  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.0-pull-request' into staging (2021-01-29 10:10:43 +0000)

are available in the Git repository at:

  https://gitlab.com/berrange/qemu tags/misc-fixes-pull-request

for you to fetch changes up to ecb98f5c7589ba8ecd15c8b1baa2ec7192e47c75:

  tests: Replace deprecated ASN1 code (2021-01-29 17:07:53 +0000)

----------------------------------------------------------------
* Replace --enable/disable-git-update with --with-git-submodules
  to allow improved control over use of git submodules
* Deprecate the -enable-fips option
* Ensure docs use preferred format for bool options
* Clarify platform support rules
* Misc fixes to keymap conversions
* Fix misc problems on macOS

----------------------------------------------------------------

Dan Streetman (1):
  configure: replace --enable/disable-git-update with
    --with-git-submodules

Daniel P. Berrangé (5):
  os: deprecate the -enable-fips option and QEMU's FIPS enforcement
  Prefer 'on' | 'off' over 'yes' | 'no' for bool options
  docs: simplify and clarify the platform support rules
  docs: fix missing backslash in certtool shell example
  ui: update keycodemapdb submodule commit

Kevin Wolf (3):
  crypto: Move USER_CREATABLE to secret_common base class
  crypto: Forbid broken unloading of secrets
  crypto: Fix memory leaks in set_loaded for tls-*

Stefan Weil (2):
  tests: Fix runtime error in test-authz-pam
  tests: Replace deprecated ASN1 code

shiliyang (2):
  crypto: Fix some code style problems, add spaces around operator
  crypto: Add spaces around operator

 Makefile                        | 24 ++-----------
 configure                       | 51 +++++++++++++++++++-------
 crypto/aes.c                    |  6 ++--
 crypto/desrfb.c                 |  4 +--
 crypto/secret.c                 | 14 --------
 crypto/secret_common.c          | 21 +++++++++--
 crypto/secret_keyring.c         | 14 --------
 crypto/tlscredsanon.c           |  3 +-
 crypto/tlscredspsk.c            |  3 +-
 crypto/tlscredsx509.c           |  5 ++-
 docs/system/build-platforms.rst | 63 ++++++++++++---------------------
 docs/system/deprecated.rst      | 12 +++++++
 docs/system/tls.rst             |  2 +-
 docs/system/vnc-security.rst    | 10 +++---
 include/authz/listfile.h        |  2 +-
 os-posix.c                      |  3 ++
 qemu-options.hx                 |  4 +--
 scripts/git-submodule.sh        | 34 +++++++++++++-----
 tests/crypto-tls-x509-helpers.c | 10 +++---
 tests/crypto-tls-x509-helpers.h |  2 +-
 tests/pkix_asn1_tab.c           |  2 +-
 tests/qemu-iotests/233          |  4 +--
 tests/test-authz-pam.c          | 10 +++++-
 ui/keycodemapdb                 |  2 +-
 ui/meson.build                  |  3 +-
 25 files changed, 161 insertions(+), 147 deletions(-)

-- 
2.29.2




^ permalink raw reply	[flat|nested] 16+ messages in thread

* [PULL 01/13] crypto: Fix some code style problems, add spaces around operator
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
@ 2021-01-29 17:10 ` Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 02/13] crypto: Move USER_CREATABLE to secret_common base class Daniel P. Berrangé
                   ` (13 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Daniel P. Berrangé,
	qemu-block, libvir-list, shiliyang, Max Reitz, Gerd Hoffmann,
	Paolo Bonzini, Philippe Mathieu-Daudé

From: shiliyang <shiliyang@huawei.com>

This patch fixes error style problems found by checkpatch.pl:
ERROR: spaces required around that '*'
ERROR: space required after that ','
ERROR: spaces required around that '|'

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Liyang Shi <shiliyang@huawei.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/aes.c          | 2 +-
 crypto/desrfb.c       | 2 +-
 crypto/tlscredsx509.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/aes.c b/crypto/aes.c
index 159800df65..56efc95196 100644
--- a/crypto/aes.c
+++ b/crypto/aes.c
@@ -1182,7 +1182,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
         rk = key->rd_key;
 
         /* invert the order of the round keys: */
-        for (i = 0, j = 4*(key->rounds); i < j; i += 4, j -= 4) {
+        for (i = 0, j = 4 * (key->rounds); i < j; i += 4, j -= 4) {
                 temp = rk[i    ]; rk[i    ] = rk[j    ]; rk[j    ] = temp;
                 temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
                 temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
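Review bot: in the `for` initialiser on the changed line, the parentheses around `key->rounds` are now redundant; `j = 4 * key->rounds` is equivalent because `->` binds tighter than `*`, and it reads better once the operator is spaced. The context lines below keep column-aligning spaces inside the brackets (`rk[i    ]`), so say in the commit message that only operator spacing is in scope here.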
diff --git a/crypto/desrfb.c b/crypto/desrfb.c
index 3274c36510..675847c93b 100644
--- a/crypto/desrfb.c
+++ b/crypto/desrfb.c
@@ -56,7 +56,7 @@ static const unsigned char pc1[56] = {
         13,  5, 60, 52, 44, 36, 28,	20, 12,  4, 27, 19, 11,  3 };
 
 static const unsigned char totrot[16] = {
-        1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28 };
+        1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28 };
 
 static const unsigned char pc2[48] = {
         13, 16, 10, 23,  0,  4,  2, 27, 14,  5, 20,  9,
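Review bot: the `pc1` context line directly above `totrot` appears to contain a literal tab between `28,` and `20`, which is the same class of style problem this patch is cleaning up. Since the file is being touched for whitespace only, convert that tab to spaces in the same change, or note in the commit message that tabs are left for a follow-up.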
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index dd7267ccdb..c89dd62435 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -143,7 +143,7 @@ qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds,
     if (status < 0) {
         if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
             usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
-                GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
+                GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT;
         } else {
             error_setg(errp,
                        "Unable to query certificate %s key usage: %s",
-- 
2.29.2



^ permalink raw reply related	[flat|nested] 16+ messages in thread

* [PULL 02/13] crypto: Move USER_CREATABLE to secret_common base class
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 01/13] crypto: Fix some code style problems, add spaces around operator Daniel P. Berrangé
@ 2021-01-29 17:10 ` Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 03/13] crypto: Forbid broken unloading of secrets Daniel P. Berrangé
                   ` (12 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Daniel P. Berrangé,
	qemu-block, libvir-list, Max Reitz, Gerd Hoffmann, Paolo Bonzini

From: Kevin Wolf <kwolf@redhat.com>

Instead of duplicating the code for user creatable objects in secret and
secret_keyring, move it to the common base class secret_common. As the
base class is abstract, it won't become user creatable itself.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/secret.c         | 14 --------------
 crypto/secret_common.c  | 15 +++++++++++++++
 crypto/secret_keyring.c | 14 --------------
 3 files changed, 15 insertions(+), 28 deletions(-)

diff --git a/crypto/secret.c b/crypto/secret.c
index 281cb81f0f..44eaff16f6 100644
--- a/crypto/secret.c
+++ b/crypto/secret.c
@@ -107,13 +107,6 @@ qcrypto_secret_prop_get_file(Object *obj,
 }
 
 
-static void
-qcrypto_secret_complete(UserCreatable *uc, Error **errp)
-{
-    object_property_set_bool(OBJECT(uc), "loaded", true, errp);
-}
-
-
 static void
 qcrypto_secret_finalize(Object *obj)
 {
@@ -129,9 +122,6 @@ qcrypto_secret_class_init(ObjectClass *oc, void *data)
     QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc);
     sic->load_data = qcrypto_secret_load_data;
 
-    UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
-    ucc->complete = qcrypto_secret_complete;
-
     object_class_property_add_str(oc, "data",
                                   qcrypto_secret_prop_get_data,
                                   qcrypto_secret_prop_set_data);
@@ -148,10 +138,6 @@ static const TypeInfo qcrypto_secret_info = {
     .instance_finalize = qcrypto_secret_finalize,
     .class_size = sizeof(QCryptoSecretClass),
     .class_init = qcrypto_secret_class_init,
-    .interfaces = (InterfaceInfo[]) {
-        { TYPE_USER_CREATABLE },
-        { }
-    }
 };
 
 
diff --git a/crypto/secret_common.c b/crypto/secret_common.c
index b03d530867..35b82cb531 100644
--- a/crypto/secret_common.c
+++ b/crypto/secret_common.c
@@ -268,6 +268,13 @@ qcrypto_secret_prop_get_keyid(Object *obj,
 }
 
 
+static void
+qcrypto_secret_complete(UserCreatable *uc, Error **errp)
+{
+    object_property_set_bool(OBJECT(uc), "loaded", true, errp);
+}
+
+
 static void
 qcrypto_secret_finalize(Object *obj)
 {
@@ -281,6 +288,10 @@ qcrypto_secret_finalize(Object *obj)
 static void
 qcrypto_secret_class_init(ObjectClass *oc, void *data)
 {
+    UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+
+    ucc->complete = qcrypto_secret_complete;
+
     object_class_property_add_bool(oc, "loaded",
                                    qcrypto_secret_prop_get_loaded,
                                    qcrypto_secret_prop_set_loaded);
@@ -390,6 +401,10 @@ static const TypeInfo qcrypto_secret_info = {
     .class_size = sizeof(QCryptoSecretCommonClass),
     .class_init = qcrypto_secret_class_init,
     .abstract = true,
+    .interfaces = (InterfaceInfo[]) {
+        { TYPE_USER_CREATABLE },
+        { }
+    }
 };
 
 
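Review bot: missing documentation on the `.interfaces` entry added to the abstract `qcrypto_secret_info`. Every concrete subclass of secret_common now becomes user creatable and inherits the `complete` hook that sets "loaded" to true, without opting in. A short comment next to `.abstract = true` saying that the interface is declared on the base class on purpose would stop a future subclass from being exposed through -object by accident.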
diff --git a/crypto/secret_keyring.c b/crypto/secret_keyring.c
index 10d8bc48a0..1b7edec84a 100644
--- a/crypto/secret_keyring.c
+++ b/crypto/secret_keyring.c
@@ -102,22 +102,12 @@ qcrypto_secret_prop_get_key(Object *obj, Visitor *v,
 }
 
 
-static void
-qcrypto_secret_keyring_complete(UserCreatable *uc, Error **errp)
-{
-    object_property_set_bool(OBJECT(uc), "loaded", true, errp);
-}
-
-
 static void
 qcrypto_secret_keyring_class_init(ObjectClass *oc, void *data)
 {
     QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc);
     sic->load_data = qcrypto_secret_keyring_load_data;
 
-    UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
-    ucc->complete = qcrypto_secret_keyring_complete;
-
     object_class_property_add(oc, "serial", "int32_t",
                                   qcrypto_secret_prop_get_key,
                                   qcrypto_secret_prop_set_key,
@@ -130,10 +120,6 @@ static const TypeInfo qcrypto_secret_info = {
     .name = TYPE_QCRYPTO_SECRET_KEYRING,
     .instance_size = sizeof(QCryptoSecretKeyring),
     .class_init = qcrypto_secret_keyring_class_init,
-    .interfaces = (InterfaceInfo[]) {
-        { TYPE_USER_CREATABLE },
-        { }
-    }
 };
 
 
-- 
2.29.2



^ permalink raw reply related	[flat|nested] 16+ messages in thread

* [PULL 03/13] crypto: Forbid broken unloading of secrets
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 01/13] crypto: Fix some code style problems, add spaces around operator Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 02/13] crypto: Move USER_CREATABLE to secret_common base class Daniel P. Berrangé
@ 2021-01-29 17:10 ` Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 04/13] crypto: Fix memory leaks in set_loaded for tls-* Daniel P. Berrangé
                   ` (11 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Daniel P. Berrangé,
	qemu-block, libvir-list, Max Reitz, Gerd Hoffmann, Paolo Bonzini

From: Kevin Wolf <kwolf@redhat.com>

qcrypto_secret_prop_set_loaded() forgets to reset secret->rawdata after
unloading a secret, which will lead to a double free at some point.

Because there is no use case for unloading an already loaded secret
(apart from deleting the whole secret object) and we know that nobody
could use this because it would lead to crashes, let's just forbid the
operation instead of fixing the unloading.

Eventually, we'll want to get rid of 'loaded' in the external interface,
but for the meantime this is more consistent with rng, which has a
similar property 'opened' that also can't be reset to false after it
became true.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/secret_common.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/secret_common.c b/crypto/secret_common.c
index 35b82cb531..714a15d5e5 100644
--- a/crypto/secret_common.c
+++ b/crypto/secret_common.c
@@ -191,9 +191,9 @@ qcrypto_secret_prop_set_loaded(Object *obj,
 
         secret->rawdata = input;
         secret->rawlen = inputlen;
-    } else {
-        g_free(secret->rawdata);
-        secret->rawlen = 0;
+    } else if (secret->rawdata) {
+        error_setg(errp, "Cannot unload secret");
+        return;
     }
 }
 
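Review bot: the load branch visible in the context still ends with a plain `secret->rawdata = input;`, and nothing in this hunk frees a previous buffer first, so writing "loaded"=true a second time looks like it would overwrite and leak the earlier secret material. Now that unloading is refused, consider refusing a repeated load as well (or freeing before the assignment), for example with an early check on `secret->rawdata` at the top of the setter. Separately, the `return;` after `error_setg()` is the last statement in the function and can be dropped.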
-- 
2.29.2



^ permalink raw reply related	[flat|nested] 16+ messages in thread

* [PULL 04/13] crypto: Fix memory leaks in set_loaded for tls-*
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (2 preceding siblings ...)
  2021-01-29 17:10 ` [PULL 03/13] crypto: Forbid broken unloading of secrets Daniel P. Berrangé
@ 2021-01-29 17:10 ` Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 05/13] os: deprecate the -enable-fips option and QEMU's FIPS enforcement Daniel P. Berrangé
                   ` (10 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Daniel P. Berrangé,
	qemu-block, libvir-list, Max Reitz, Gerd Hoffmann, Paolo Bonzini

From: Kevin Wolf <kwolf@redhat.com>

If you set the loaded property to true when it was already true, the
state is overwritten without freeing the old state first. Change the
set_loaded callback so that it always frees the old state (which is a
no-op if nothing was loaded) and only then load if requested.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/tlscredsanon.c | 3 +--
 crypto/tlscredspsk.c  | 3 +--
 crypto/tlscredsx509.c | 3 +--
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/crypto/tlscredsanon.c b/crypto/tlscredsanon.c
index 30275b6847..bea5f76c55 100644
--- a/crypto/tlscredsanon.c
+++ b/crypto/tlscredsanon.c
@@ -123,10 +123,9 @@ qcrypto_tls_creds_anon_prop_set_loaded(Object *obj,
 {
     QCryptoTLSCredsAnon *creds = QCRYPTO_TLS_CREDS_ANON(obj);
 
+    qcrypto_tls_creds_anon_unload(creds);
     if (value) {
         qcrypto_tls_creds_anon_load(creds, errp);
-    } else {
-        qcrypto_tls_creds_anon_unload(creds);
     }
 }
 
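Review bot: with `qcrypto_tls_creds_anon_unload(creds)` now called before the `if (value)` check, a failing `qcrypto_tls_creds_anon_load()` leaves an object that was loaded a moment ago with no credentials at all, and the only signal is `errp`. If re-setting "loaded" on a live object is meant to be supported, load into a temporary and swap on success; if it is not, refuse the second load the way patch 03 refuses unload. Either way, say which behaviour is intended in the commit message.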
diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c
index e26807b899..f5a31108d1 100644
--- a/crypto/tlscredspsk.c
+++ b/crypto/tlscredspsk.c
@@ -192,10 +192,9 @@ qcrypto_tls_creds_psk_prop_set_loaded(Object *obj,
 {
     QCryptoTLSCredsPSK *creds = QCRYPTO_TLS_CREDS_PSK(obj);
 
+    qcrypto_tls_creds_psk_unload(creds);
     if (value) {
         qcrypto_tls_creds_psk_load(creds, errp);
-    } else {
-        qcrypto_tls_creds_psk_unload(creds);
     }
 }
 
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index c89dd62435..dbadad4df2 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -694,10 +694,9 @@ qcrypto_tls_creds_x509_prop_set_loaded(Object *obj,
 {
     QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
 
+    qcrypto_tls_creds_x509_unload(creds);
     if (value) {
         qcrypto_tls_creds_x509_load(creds, errp);
-    } else {
-        qcrypto_tls_creds_x509_unload(creds);
     }
 }
 
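Review bot: this is the third copy of the same unload-then-load sequence in this patch (anon, psk, x509), differing only in the type prefix. A one-line comment in each setter explaining why the unload is unconditional, or a shared helper in the common tlscreds code, would keep the three from drifting apart.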
-- 
2.29.2



^ permalink raw reply related	[flat|nested] 16+ messages in thread
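An added model, not QEMU code, of the two "loaded" setter defects described in patches 03 and 04 above: unloading without resetting the pointer (double free at finalize) and loading over existing state (leak). The pool, `struct obj`, `set_loaded()` and the policy names are all constructed for illustration; stale frees are counted rather than performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed tracking pool: slots are never reused within a run, so a
 * free of a stale pointer can be detected instead of executed. */
struct buf { bool live; };
static struct buf pool[16];
static int next_slot, double_frees;

static struct buf *buf_new(void) {
    struct buf *b = &pool[next_slot++];
    b->live = true;
    return b;
}

static void buf_free(struct buf *b) {
    if (!b) return;                       /* like g_free(NULL): no-op */
    if (!b->live) { double_frees++; return; }
    b->live = false;
}

static int live_bufs(void) {
    int n = 0;
    for (int i = 0; i < next_slot; i++) n += pool[i].live;
    return n;
}

static void pool_reset(void) {
    for (int i = 0; i < 16; i++) pool[i].live = false;
    next_slot = 0;
    double_frees = 0;
}

/* Stands in for secret->rawdata or the loaded TLS credential state. */
struct obj { struct buf *state; };

enum policy {
    SECRET_OLD,            /* patch 03, before: free on unload, no reset */
    SECRET_FORBID_UNLOAD,  /* patch 03, after: unload is an error       */
    CREDS_OLD,             /* patch 04, before: load overwrites state   */
    CREDS_UNLOAD_FIRST     /* patch 04, after: always unload, then load */
};

/* Returns 0 on success, -1 when the write is refused. */
static int set_loaded(struct obj *o, enum policy p, bool value) {
    switch (p) {
    case SECRET_OLD:
        if (value) o->state = buf_new();
        else buf_free(o->state);          /* pointer left dangling */
        return 0;
    case SECRET_FORBID_UNLOAD:
        if (value) o->state = buf_new();
        else if (o->state) return -1;     /* "Cannot unload secret" */
        return 0;
    case CREDS_OLD:
        if (value) o->state = buf_new();  /* previous state is lost */
        else { buf_free(o->state); o->state = NULL; }
        return 0;
    case CREDS_UNLOAD_FIRST:
        buf_free(o->state);               /* no-op if nothing loaded */
        o->state = NULL;
        if (value) o->state = buf_new();
        return 0;
    }
    return -1;
}

/* Object destruction frees whatever the object still points at. */
static void finalize(struct obj *o) { buf_free(o->state); o->state = NULL; }

struct result { int rc_last; int leaked; int double_frees; };

/* Apply a sequence of property writes, finalize, and report the damage. */
static struct result run(enum policy p, const bool *writes, int n) {
    struct obj o = { NULL };
    struct result r = { 0, 0, 0 };
    pool_reset();
    for (int i = 0; i < n; i++) r.rc_last = set_loaded(&o, p, writes[i]);
    finalize(&o);
    r.leaked = live_bufs();
    r.double_frees = double_frees;
    return r;
}

static const bool LOAD_UNLOAD[] = { true, false };
static const bool LOAD_LOAD[]   = { true, true };

int main(void) {
    const char *names[] = { "secret old", "secret forbid-unload",
                            "creds old", "creds unload-first" };
    for (int p = SECRET_OLD; p <= CREDS_UNLOAD_FIRST; p++) {
        const bool *seq = p <= SECRET_FORBID_UNLOAD ? LOAD_UNLOAD : LOAD_LOAD;
        struct result r = run((enum policy)p, seq, 2);
        printf("%-22s rc=%d leaked=%d double_frees=%d\n",
               names[p], r.rc_last, r.leaked, r.double_frees);
    }
    return 0;
}
```
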

* [PULL 05/13] os: deprecate the -enable-fips option and QEMU's FIPS enforcement
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (3 preceding siblings ...)
  2021-01-29 17:10 ` [PULL 04/13] crypto: Fix memory leaks in set_loaded for tls-* Daniel P. Berrangé
@ 2021-01-29 17:10 ` Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 06/13] Prefer 'on' | 'off' over 'yes' | 'no' for bool options Daniel P. Berrangé
                   ` (9 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Thomas Huth, Daniel P. Berrangé,
	qemu-block, libvir-list, Max Reitz, Gerd Hoffmann, Paolo Bonzini,
	John Snow

The -enable-fips option was added a long time ago to prevent the use of
single DES with VNC when FIPS mode is enabled. It should never have been
added, because apps are supposed to unconditionally honour FIPS mode
based on the '/proc/sys/crypto/fips_enabled' file contents.

In addition there is more to achieving FIPS compliance than merely
blocking use of certain algorithms. Those algorithms which are used
need to perform self-tests at runtime.

QEMU's built-in cryptography provider has no support for self-tests,
and neither does the nettle library.

If QEMU is required to be used in a FIPS enabled host, then it must be
built with the libgcrypt library enabled, which will unconditionally
enforce FIPS compliance in any algorithm usage.

Thus there is no need to keep either the -enable-fips option in QEMU, or
QEMU's internal FIPS checking methods.

Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 docs/system/deprecated.rst | 12 ++++++++++++
 os-posix.c                 |  3 +++
 2 files changed, 15 insertions(+)

diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index 9de663526a..6ac757ed9f 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -134,6 +134,18 @@ Boolean options such as ``share=on``/``share=off`` could be written
 in short form as ``share`` and ``noshare``.  This is now deprecated
 and will cause a warning.
 
+``--enable-fips`` (since 6.0)
+'''''''''''''''''''''''''''''
+
+This option restricts usage of certain cryptographic algorithms when
+the host is operating in FIPS mode.
+
+If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
+library enabled as a cryptography provider.
+
+Neither the ``nettle`` library, or the built-in cryptography provider are
+supported on FIPS enabled hosts.
+
 QEMU Machine Protocol (QMP) commands
 ------------------------------------
 
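Review bot: the new heading documents ``--enable-fips`` with two dashes, while the commit subject and the warning added in os-posix.c call the option `-enable-fips`; use one spelling so a user can search from the warning text to this entry. In the last added paragraph "Neither ... or" should be "Neither ... nor", and the entry would be more useful if it carried the reason given in the commit message (no runtime self-tests in nettle or the built-in provider).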
diff --git a/os-posix.c b/os-posix.c
index 1de2839554..a6846f51c1 100644
--- a/os-posix.c
+++ b/os-posix.c
@@ -153,6 +153,9 @@ int os_parse_cmd_args(int index, const char *optarg)
         break;
 #if defined(CONFIG_LINUX)
     case QEMU_OPTION_enablefips:
+        warn_report("-enable-fips is deprecated, please build QEMU with "
+                    "the `libgcrypt` library as the cryptography provider "
+                    "to enable FIPS compliance");
         fips_set_state(true);
         break;
 #endif
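Review bot: the `warn_report()` added to the `QEMU_OPTION_enablefips` case is unconditional, so a binary that was already built with libgcrypt still tells the user to "please build QEMU with the `libgcrypt` library". Either word the message so it is true for every build (the option is deprecated, FIPS enforcement comes from the crypto provider) or make the rebuild advice depend on the configured provider. `fips_set_state(true)` still runs after the warning, which fits a deprecation period and deserves a one-line comment saying so.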
-- 
2.29.2



^ permalink raw reply related	[flat|nested] 16+ messages in thread

* [PULL 06/13] Prefer 'on' | 'off' over 'yes' | 'no' for bool options
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (4 preceding siblings ...)
  2021-01-29 17:10 ` [PULL 05/13] os: deprecate the -enable-fips option and QEMU's FIPS enforcement Daniel P. Berrangé
@ 2021-01-29 17:10 ` Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 07/13] docs: simplify and clarify the platform support rules Daniel P. Berrangé
                   ` (8 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Thomas Huth, Daniel P. Berrangé,
	qemu-block, libvir-list, Max Reitz, Gerd Hoffmann, Paolo Bonzini,
	Philippe Mathieu-Daudé

Update some docs and test cases to use 'on' | 'off' as the preferred
value for bool options.

Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 docs/system/vnc-security.rst | 10 +++++-----
 include/authz/listfile.h     |  2 +-
 qemu-options.hx              |  4 ++--
 tests/qemu-iotests/233       |  4 ++--
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/docs/system/vnc-security.rst b/docs/system/vnc-security.rst
index 558e4faffc..ebca656d87 100644
--- a/docs/system/vnc-security.rst
+++ b/docs/system/vnc-security.rst
@@ -65,7 +65,7 @@ encrypted session.
 .. parsed-literal::
 
    |qemu_system| [...OPTIONS...] \
-     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \
+     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=off \
      -vnc :1,tls-creds=tls0 -monitor stdio
 
 In the above example ``/etc/pki/qemu`` should contain at least three
@@ -84,12 +84,12 @@ connecting. The server will request that the client provide a
 certificate, which it will then validate against the CA certificate.
 This is a good choice if deploying in an environment with a private
 internal certificate authority. It uses the same syntax as previously,
-but with ``verify-peer`` set to ``yes`` instead.
+but with ``verify-peer`` set to ``on`` instead.
 
 .. parsed-literal::
 
    |qemu_system| [...OPTIONS...] \
-     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
      -vnc :1,tls-creds=tls0 -monitor stdio
 
 .. _vnc_005fsec_005fcertificate_005fpw:
@@ -103,7 +103,7 @@ authentication to provide two layers of authentication for clients.
 .. parsed-literal::
 
    |qemu_system| [...OPTIONS...] \
-     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
      -vnc :1,tls-creds=tls0,password -monitor stdio
    (qemu) change vnc password
    Password: ********
@@ -145,7 +145,7 @@ x509 options:
 .. parsed-literal::
 
    |qemu_system| [...OPTIONS...] \
-     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
      -vnc :1,tls-creds=tls0,sasl -monitor stdio
 
 .. _vnc_005fsetup_005fsasl:
diff --git a/include/authz/listfile.h b/include/authz/listfile.h
index 0a1e5bddd3..0b7fe72198 100644
--- a/include/authz/listfile.h
+++ b/include/authz/listfile.h
@@ -73,7 +73,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(QAuthZListFile,
  * The object can be created on the command line using
  *
  *   -object authz-list-file,id=authz0,\
- *           filename=/etc/qemu/myvm-vnc.acl,refresh=yes
+ *           filename=/etc/qemu/myvm-vnc.acl,refresh=on
  *
  */
 struct QAuthZListFile {
diff --git a/qemu-options.hx b/qemu-options.hx
index 9172d51659..d0410f0512 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -5027,7 +5027,7 @@ SRST
         Note the use of quotes due to the x509 distinguished name
         containing whitespace, and escaping of ','.
 
-    ``-object authz-listfile,id=id,filename=path,refresh=yes|no``
+    ``-object authz-listfile,id=id,filename=path,refresh=on|off``
         Create an authorization object that will control access to
         network services.
 
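Review bot: the object is spelled `authz-listfile` on the changed line here, but the listfile.h hunk in this same patch documents it as `authz-list-file`. Since both lines are being edited anyway, check the spelling against the registered type name and make the two agree, so readers copying an access-control example get one that matches the object they need.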
@@ -5072,7 +5072,7 @@ SRST
 
              # |qemu_system| \\
                  ... \\
-                 -object authz-simple,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=yes \\
+                 -object authz-simple,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=on \\
                  ...
 
     ``-object authz-pam,id=id,service=string``
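Review bot: the changed example passes `filename=` and `refresh=` to `authz-simple`, while the iotests 233 hunk in this patch configures `authz-simple` with `identity=` only. If this example belongs to the list-file documentation, the object type on this line is probably wrong and should be corrected in the same edit as the `refresh=on` change, otherwise the ACL example may not work as written.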
diff --git a/tests/qemu-iotests/233 b/tests/qemu-iotests/233
index 7ce5764903..da150cd27b 100755
--- a/tests/qemu-iotests/233
+++ b/tests/qemu-iotests/233
@@ -84,7 +84,7 @@ echo
 echo "== check plain client to TLS server fails =="
 
 nbd_server_start_tcp_socket \
-    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
+    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
     --tls-creds tls0 \
     -f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
 
@@ -129,7 +129,7 @@ echo "== check TLS with authorization =="
 nbd_server_stop
 
 nbd_server_start_tcp_socket \
-    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
+    --object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
     --object "authz-simple,id=authz0,identity=CN=localhost,, \
       O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
     --tls-authz authz0 \
-- 
2.29.2



^ permalink raw reply related	[flat|nested] 16+ messages in thread

* [PULL 07/13] docs: simplify and clarify the platform support rules
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (5 preceding siblings ...)
  2021-01-29 17:10 ` [PULL 06/13] Prefer 'on' | 'off' over 'yes' | 'no' for bool options Daniel P. Berrangé
@ 2021-01-29 17:10 ` Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 08/13] docs: fix missing backslash in certtool shell example Daniel P. Berrangé
                   ` (7 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Thomas Huth, Daniel P. Berrangé,
	Eduardo Habkost, qemu-block, libvir-list, Max Reitz,
	Gerd Hoffmann, Paolo Bonzini

The distinction between short life and long life Linux distributions
turned out to be redundant. They can both be covered in a simple way
by noting support will target the current release, and the previous
release for a period of two years or until its EOL. This rule can also
apply to the other UNIX based distros, leaving only Windows needing a
different set of rules.

This also clarifies that Debian LTS is out of scope, because the LTS
support is provided by a separate group from the main Debian maintainer
team.

Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 docs/system/build-platforms.rst | 63 ++++++++++++---------------------
 1 file changed, 23 insertions(+), 40 deletions(-)

diff --git a/docs/system/build-platforms.rst b/docs/system/build-platforms.rst
index 9734eba2f1..692323609e 100644
--- a/docs/system/build-platforms.rst
+++ b/docs/system/build-platforms.rst
@@ -25,55 +25,38 @@ software in their distro, QEMU upstream code will not add explicit
 support for those backports, unless the feature is auto-detectable in a
 manner that works for the upstream releases too.
 
-The Repology site https://repology.org is a useful resource to identify
+The `Repology`_ site is a useful resource to identify
 currently shipped versions of software in various operating systems,
 though it does not cover all distros listed below.
 
-Linux OS
---------
+Linux OS, macOS, FreeBSD, NetBSD, OpenBSD
+-----------------------------------------
 
-For distributions with frequent, short-lifetime releases, the project
-will aim to support all versions that are not end of life by their
-respective vendors. For the purposes of identifying supported software
-versions, the project will look at Fedora, Ubuntu, and openSUSE distros.
-Other short- lifetime distros will be assumed to ship similar software
-versions.
+The project aims to support the most recent major version at all times. Support
+for the previous major version will be dropped 2 years after the new major
+version is released or when the vendor itself drops support, whichever comes
+first. In this context, third-party efforts to extend the lifetime of a distro
+are not considered, even when they are endorsed by the vendor (eg. Debian LTS).
 
-For distributions with long-lifetime releases, the project will aim to
-support the most recent major version at all times. Support for the
-previous major version will be dropped 2 years after the new major
-version is released, or when it reaches "end of life". For the purposes
-of identifying supported software versions, the project will look at
-RHEL, Debian, Ubuntu LTS, and SLES distros. Other long-lifetime distros
-will be assumed to ship similar software versions.
+For the purposes of identifying supported software versions available on Linux,
+the project will look at CentOS, Debian, Fedora, openSUSE, RHEL, SLES and
+Ubuntu LTS. Other distros will be assumed to ship similar software versions.
 
-Windows
--------
-
-The project supports building with current versions of the MinGW
-toolchain, hosted on Linux.
-
-macOS
------
+For FreeBSD and OpenBSD, decisions will be made based on the contents of the
+respective ports repository, while NetBSD will use the pkgsrc repository.
 
-The project supports building with the two most recent versions of
-macOS, with the current Homebrew package set available.
+For macOS, `HomeBrew`_ will be used, although `MacPorts`_ is expected to carry
+similar versions.
 
-FreeBSD
+Windows
 -------
 
-The project aims to support all versions which are not end of
-life.
-
-NetBSD
-------
+The project supports building with current versions of the MinGW toolchain,
+hosted on Linux (Debian/Fedora).
 
-The project aims to support the most recent major version at all times.
-Support for the previous major version will be dropped 2 years after the
-new major version is released.
-
-OpenBSD
--------
+The version of the Windows API that's currently targeted is Vista / Server
+2008.
 
-The project aims to support all versions which are not end of
-life.
+.. _HomeBrew: https://brew.sh/
+.. _MacPorts: https://www.macports.org/
+.. _Repology: https://repology.org/
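Review bot: the Windows section gains a new statement, "The version of the Windows API that's currently targeted is Vista / Server 2008", and the macOS rule changes from "the two most recent versions" to the shared major-version rule, but the commit message mentions neither; add a sentence for each so the policy change is visible in the log. Minor: "eg." should be "e.g.", and "HomeBrew" was spelled "Homebrew" in the text being removed.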
-- 
2.29.2



^ permalink raw reply related	[flat|nested] 16+ messages in thread

* [PULL 08/13] docs: fix missing backslash in certtool shell example
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (6 preceding siblings ...)
  2021-01-29 17:10 ` [PULL 07/13] docs: simplify and clarify the platform support rules Daniel P. Berrangé
@ 2021-01-29 17:10 ` Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 09/13] configure: replace --enable/disable-git-update with --with-git-submodules Daniel P. Berrangé
                   ` (6 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Peter Maydell, Daniel P. Berrangé,
	qemu-block, libvir-list, Max Reitz, Gerd Hoffmann, Paolo Bonzini

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 docs/system/tls.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/system/tls.rst b/docs/system/tls.rst
index dc2b94257f..b0973afe1b 100644
--- a/docs/system/tls.rst
+++ b/docs/system/tls.rst
@@ -64,7 +64,7 @@ interactive prompts from certtool::
    cert_signing_key
    EOF
    # certtool --generate-self-signed \
-              --load-privkey ca-key.pem
+              --load-privkey ca-key.pem \
               --template ca.info \
               --outfile ca-cert.pem
 
-- 
2.29.2



^ permalink raw reply related	[flat|nested] 16+ messages in thread

* [PULL 09/13] configure: replace --enable/disable-git-update with --with-git-submodules
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (7 preceding siblings ...)
  2021-01-29 17:10 ` [PULL 08/13] docs: fix missing backslash in certtool shell example Daniel P. Berrangé
@ 2021-01-29 17:10 ` Daniel P. Berrangé
  2021-01-29 17:10 ` [PULL 10/13] crypto: Add spaces around operator Daniel P. Berrangé
                   ` (5 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Daniel P. Berrangé,
	qemu-block, libvir-list, Max Reitz, Dan Streetman, Gerd Hoffmann,
	Paolo Bonzini

From: Dan Streetman <ddstreet@canonical.com>

Replace the --enable-git-update and --disable-git-update configure params
with the param --with-git-submodules=(update|validate|ignore) to
allow 3 options for building from a git repo.

This is needed because downstream packagers, e.g. Debian, Ubuntu, etc,
also keep the source code in git, but do not want to enable the
'git_update' mode; with the current code, that's not possible even
if the downstream package specifies --disable-git-update.

The previous parameters are deprecated but still available; the
--enable-git-update parameter maps to --with-git-submodules=update and
--disable-git-update parameter maps to --with-git-submodules=validate.

The configure script behavior is slightly modified, where previously
the dtc, capstone, and slirp submodules were not validated when
--disable-git-update was specified (but were updated with git-update
enabled), now they are validated when using --with-git-submodules=validate
and are only ignored when using --with-git-submodules=ignore.

Signed-off-by: Dan Streetman <ddstreet@canonical.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 Makefile                 | 24 ++-----------------
 configure                | 51 ++++++++++++++++++++++++++++++----------
 scripts/git-submodule.sh | 34 ++++++++++++++++++++-------
 3 files changed, 66 insertions(+), 43 deletions(-)

diff --git a/Makefile b/Makefile
index 291ea19f2e..b0dff73904 100644
--- a/Makefile
+++ b/Makefile
@@ -47,30 +47,10 @@ git-submodule-update:
 Makefile: .git-submodule-status
 
 .PHONY: git-submodule-update
-
-git_module_status := $(shell \
-  cd '$(SRC_PATH)' && \
-  GIT="$(GIT)" ./scripts/git-submodule.sh status $(GIT_SUBMODULES); \
-  echo $$?; \
-)
-
-ifeq (1,$(git_module_status))
-ifeq (no,$(GIT_UPDATE))
 git-submodule-update:
 	$(call quiet-command, \
-            echo && \
-            echo "GIT submodule checkout is out of date. Please run" && \
-            echo "  scripts/git-submodule.sh update $(GIT_SUBMODULES)" && \
-            echo "from the source directory checkout $(SRC_PATH)" && \
-            echo && \
-            exit 1)
-else
-git-submodule-update:
-	$(call quiet-command, \
-          (cd $(SRC_PATH) && GIT="$(GIT)" ./scripts/git-submodule.sh update $(GIT_SUBMODULES)), \
-          "GIT","$(GIT_SUBMODULES)")
-endif
-endif
+		(GIT="$(GIT)" "$(SRC_PATH)/scripts/git-submodule.sh" $(GIT_SUBMODULES_ACTION) $(GIT_SUBMODULES)), \
+		"GIT","$(GIT_SUBMODULES)")
 
 # 0. ensure the build tree is okay
 
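Review bot: The new `git-submodule-update` recipe depends on `$(GIT_SUBMODULES_ACTION)` being non-empty, and nothing here guards against it being unset. A build tree whose config-host.mak was written before this patch carries `GIT_UPDATE` and no `GIT_SUBMODULES_ACTION`, so the variable expands to nothing and the first entry of `$(GIT_SUBMODULES)` ends up as the script's command argument. Either fail early with a "please re-run configure" message when the variable is empty, or confirm that the change to configure forces a re-configure before this rule can run.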
diff --git a/configure b/configure
index 87de49e2c2..8fc59848b2 100755
--- a/configure
+++ b/configure
@@ -254,12 +254,12 @@ gdb_bin=$(command -v "gdb-multiarch" || command -v "gdb")
 
 if test -e "$source_path/.git"
 then
-    git_update=yes
+    git_submodules_action="update"
     git_submodules="ui/keycodemapdb"
     git_submodules="$git_submodules tests/fp/berkeley-testfloat-3"
     git_submodules="$git_submodules tests/fp/berkeley-softfloat-3"
 else
-    git_update=no
+    git_submodules_action="ignore"
     git_submodules=""
 
     if ! test -f "$source_path/ui/keycodemapdb/README"
@@ -1508,9 +1508,16 @@ for opt do
   ;;
   --with-git=*) git="$optarg"
   ;;
-  --enable-git-update) git_update=yes
+  --enable-git-update)
+      git_submodules_action="update"
+      echo "--enable-git-update deprecated, use --with-git-submodules=update"
   ;;
-  --disable-git-update) git_update=no
+  --disable-git-update)
+      git_submodules_action="validate"
+      echo "--disable-git-update deprecated, use --with-git-submodules=validate"
+  ;;
+  --with-git-submodules=*)
+      git_submodules_action="$optarg"
   ;;
   --enable-debug-mutex) debug_mutex=yes
   ;;
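Review bot: The two deprecation messages are plain `echo` to stdout with no "warning" prefix, so they are easy to lose in configure output that is captured or piped. Send them to stderr (`>&2`) and prefix them consistently. Also note that `--with-git-submodules=*` stores `$optarg` unchecked here; that is fine only because of the `case` validation added after the option loop, which is worth a short comment.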
@@ -1566,6 +1573,21 @@ for opt do
   esac
 done
 
+case $git_submodules_action in
+    update|validate)
+        if test ! -e "$source_path/.git"; then
+            echo "ERROR: cannot $git_submodules_action git submodules without .git"
+            exit 1
+        fi
+    ;;
+    ignore)
+    ;;
+    *)
+        echo "ERROR: invalid --with-git-submodules= value '$git_submodules_action'"
+        exit 1
+    ;;
+esac
+
 libdir="${libdir:-$prefix/lib}"
 libexecdir="${libexecdir:-$prefix/libexec}"
 includedir="${includedir:-$prefix/include}"
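Review bot: The `update|validate)` arm turns a previously harmless invocation into a hard error. `--disable-git-update` now maps to `validate`, and `validate` without `$source_path/.git` exits with "cannot validate git submodules without .git", so anyone passing `--disable-git-update` for a release tarball build will now fail. Consider mapping the deprecated option to `ignore` when `.git` is absent, or downgrading this case to a warning for the deprecated spelling. The two ERROR messages should also go to stderr.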
@@ -1710,6 +1732,9 @@ Advanced options (experts only):
   --ninja=NINJA            use specified ninja [$ninja]
   --smbd=SMBD              use specified smbd [$smbd]
   --with-git=GIT           use specified git [$git]
+  --with-git-submodules=update   update git submodules (default if .git dir exists)
+  --with-git-submodules=validate fail if git submodules are not up to date
+  --with-git-submodules=ignore   do not update or check git submodules (default if no .git dir)
   --static                 enable static build [$static]
   --mandir=PATH            install man pages in PATH
   --datadir=PATH           install firmware in PATH/$qemu_suffix
@@ -1926,7 +1951,7 @@ python="$python -B"
 if test -z "$meson"; then
     if test "$explicit_python" = no && has meson && version_ge "$(meson --version)" 0.55.3; then
         meson=meson
-    elif test -e "${source_path}/.git" && test $git_update = 'yes' ; then
+    elif test $git_submodules_action != 'ignore' ; then
         meson=git
     elif test -e "${source_path}/meson/meson.py" ; then
         meson=internal
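Review bot: `test $git_submodules_action != 'ignore'` leaves the variable unquoted while every other converted test in this patch quotes it; please quote it here too. Separately, this branch now selects `meson=git` in `validate` mode as well, so it is worth confirming that the meson submodule is in the list that gets validated, otherwise a stale meson checkout is used without any check.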
@@ -1994,7 +2019,7 @@ fi
 # Consult white-list to determine whether to enable werror
 # by default.  Only enable by default for git builds
 if test -z "$werror" ; then
-    if test -e "$source_path/.git" && \
+    if test "$git_submodules_action" != "ignore" && \
         { test "$linux" = "yes" || test "$mingw32" = "yes"; }; then
         werror="yes"
     else
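Review bot: The condition no longer matches the comment above it. "Only enable by default for git builds" used to be tested with `test -e "$source_path/.git"`; with `"$git_submodules_action" != "ignore"`, a developer building from a git checkout with `--with-git-submodules=ignore` silently loses the `werror` default. If that is intended for downstream packagers, update the comment and mention it in the commit message; if not, keep the `.git` test for this block.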
@@ -3550,7 +3575,7 @@ fi
 case "$fdt" in
   auto | enabled | internal)
     # Simpler to always update submodule, even if not needed.
-    if test -e "${source_path}/.git" && test $git_update = 'yes' ; then
+    if test "$git_submodules_action" != "ignore"; then
       git_submodules="${git_submodules} dtc"
     fi
     ;;
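Review bot: The comment "Simpler to always update submodule, even if not needed" is now wrong for `validate` mode, here and in the matching capstone and slirp hunks. In that mode adding `dtc` to `git_submodules` means configure fails when the submodule is out of date even if the build would have used a system copy. Either reword the comment to cover validation or only append the submodule in `validate` mode when the internal copy is actually selected.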
@@ -4264,7 +4289,7 @@ fi
 case "$capstone" in
   auto | enabled | internal)
     # Simpler to always update submodule, even if not needed.
-    if test -e "${source_path}/.git" && test $git_update = 'yes' ; then
+    if test "$git_submodules_action" != "ignore"; then
       git_submodules="${git_submodules} capstone"
     fi
     ;;
@@ -5211,7 +5236,7 @@ fi
 case "$slirp" in
   auto | enabled | internal)
     # Simpler to always update submodule, even if not needed.
-    if test -e "${source_path}/.git" && test $git_update = 'yes' ; then
+    if test "$git_submodules_action" != "ignore"; then
       git_submodules="${git_submodules} slirp"
     fi
     ;;
@@ -5385,7 +5410,7 @@ if test "$cpu" = "s390x" ; then
     roms="$roms s390-ccw"
     # SLOF is required for building the s390-ccw firmware on s390x,
     # since it is using the libnet code from SLOF for network booting.
-    if test -e "${source_path}/.git" ; then
+    if test "$git_submodules_action" != "ignore"; then
       git_submodules="${git_submodules} roms/SLOF"
     fi
   fi
@@ -5423,8 +5448,8 @@ else
     cxx=
 fi
 
-if test $git_update = 'yes' ; then
-    (cd "${source_path}" && GIT="$git" "./scripts/git-submodule.sh" update "$git_submodules")
+if !(GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then
+    exit 1
 fi
 
 config_host_mak="config-host.mak"
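Review bot: `if !(GIT="$git" ...)` has no space after `!` and wraps a single command in a subshell that is not needed now that the `cd` has moved into the script. `if ! GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"; then` says the same thing without the `!(` sequence, which some shells read as the start of an extended glob pattern. The script is also now run in `ignore` mode purely to exit 0; skipping the call in that case would be clearer.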
@@ -5435,7 +5460,7 @@ echo >> $config_host_mak
 echo all: >> $config_host_mak
 echo "GIT=$git" >> $config_host_mak
 echo "GIT_SUBMODULES=$git_submodules" >> $config_host_mak
-echo "GIT_UPDATE=$git_update" >> $config_host_mak
+echo "GIT_SUBMODULES_ACTION=$git_submodules_action" >> $config_host_mak
 
 echo "ARCH=$ARCH" >> $config_host_mak
 
diff --git a/scripts/git-submodule.sh b/scripts/git-submodule.sh
index 65ed877aef..e225d3a963 100755
--- a/scripts/git-submodule.sh
+++ b/scripts/git-submodule.sh
@@ -9,9 +9,14 @@ command=$1
 shift
 maybe_modules="$@"
 
+# if --with-git-submodules=ignore, do nothing
+test "$command" = "ignore" && exit 0
+
 test -z "$GIT" && GIT=git
 
-error() {
+cd "$(dirname "$0")/.."
+
+update_error() {
     echo "$0: $*"
     echo
     echo "Unable to automatically checkout GIT submodules '$modules'."
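Review bot: `cd "$(dirname "$0")/.."` is unchecked. If it fails, every later `$GIT submodule` call runs in whatever directory the caller happened to be in, which is exactly the situation the Makefile and configure changes rely on this line to prevent. Use `cd "$(dirname "$0")/.." || exit 1`, and consider printing the directory in the error.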
@@ -24,7 +29,7 @@ error() {
     echo "Alternatively you may disable automatic GIT submodule checkout"
     echo "with:"
     echo
-    echo " $ ./configure --disable-git-update"
+    echo " $ ./configure --with-git-submodules=validate"
     echo
     echo "and then manually update submodules prior to running make, with:"
     echo
@@ -33,6 +38,19 @@ error() {
     exit 1
 }
 
+validate_error() {
+    if test "$1" = "validate"; then
+        echo "GIT submodules checkout is out of date, and submodules"
+        echo "configured for validate only. Please run"
+        echo "  scripts/git-submodule.sh update $maybe_modules"
+        echo "from the source directory or call configure with"
+        echo "  --with-git-submodules=update"
+        echo "To disable GIT submodules validation, use"
+        echo "  --with-git-submodules=ignore"
+    fi
+    exit 1
+}
+
 modules=""
 for m in $maybe_modules
 do
@@ -52,18 +70,18 @@ then
 fi
 
 case "$command" in
-status)
+status|validate)
     if test -z "$maybe_modules"
     then
-         test -s ${substat} && exit 1 || exit 0
+         test -s ${substat} && validate_error "$command" || exit 0
     fi
 
-    test -f "$substat" || exit 1
+    test -f "$substat" || validate_error "$command"
     for module in $modules; do
         CURSTATUS=$($GIT submodule status $module)
         OLDSTATUS=$(cat $substat | grep $module)
         if test "$CURSTATUS" != "$OLDSTATUS"; then
-            exit 1
+            validate_error "$command"
         fi
     done
     exit 0
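Review bot: In `validate` mode, `test -f "$substat" || validate_error "$command"` fails a tree whose submodules are at the right commits but were checked out by hand, because the status file is only ever written by the `update` command. That is the downstream packager case the commit message describes. Validation should compare against what the superproject records rather than against a file from a previous `update`, or the error text should say that the status file is missing. The `status` command also now goes through `validate_error`, which prints nothing for it; a separate silent exit path would be easier to follow.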
@@ -76,10 +94,10 @@ update)
     fi
 
     $GIT submodule update --init $modules 1>/dev/null
-    test $? -ne 0 && error "failed to update modules"
+    test $? -ne 0 && update_error "failed to update modules"
 
     $GIT submodule status $modules > "${substat}"
-    test $? -ne 0 && error "failed to save git submodule status" >&2
+    test $? -ne 0 && update_error "failed to save git submodule status" >&2
     ;;
 esac
 
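Review bot: Only the second `update_error` call carries `>&2`; the first prints the same multi-line help to stdout. Since both calls are being touched for the rename, move the redirection inside `update_error` so every line of the message reliably goes to stderr, and drop it from the call site.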
-- 
2.29.2




* [PULL 10/13] crypto: Add spaces around operator
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (8 preceding siblings ...)
  2021-01-29 17:10 ` [PULL 09/13] configure: replace --enable/disable-git-update with --with-git-submodules Daniel P. Berrangé
@ 2021-01-29 17:10 ` Daniel P. Berrangé
  2021-01-29 17:11 ` [PULL 11/13] ui: update keycodemapdb submodule commit Daniel P. Berrangé
                   ` (4 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Daniel P. Berrangé,
	qemu-block, libvir-list, shiliyang, Max Reitz, Gerd Hoffmann,
	Paolo Bonzini

From: shiliyang <shiliyang@huawei.com>

I am reading crypto-related code and found some code style problems while
using checkpatch.pl to check the crypto folder. Fix the error style
problems.

Signed-off-by: Liyang Shi <shiliyang@huawei.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 crypto/aes.c    | 4 ++--
 crypto/desrfb.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/aes.c b/crypto/aes.c
index 56efc95196..af72ff7779 100644
--- a/crypto/aes.c
+++ b/crypto/aes.c
@@ -1080,9 +1080,9 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 
         rk = key->rd_key;
 
-        if (bits==128)
+        if (bits == 128)
                 key->rounds = 10;
-        else if (bits==192)
+        else if (bits == 192)
                 key->rounds = 12;
         else
                 key->rounds = 14;
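Review bot: The `if (bits == 128)` / `else if (bits == 192)` / `else` chain is still unbraced, which checkpatch reports as an ERROR on exactly these touched lines. Since the stated goal is to clear checkpatch errors in crypto/, add braces to all three arms in the same patch. In the visible lines any `bits` value other than 128 or 192 falls through to 14 rounds, so a short comment pointing at where `bits` is validated would also help a reader of this hunk.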
diff --git a/crypto/desrfb.c b/crypto/desrfb.c
index 675847c93b..b2a105ebbc 100644
--- a/crypto/desrfb.c
+++ b/crypto/desrfb.c
@@ -93,7 +93,7 @@ void deskey(unsigned char *key, int edf)
                     }
                 for( j = 0; j < 24; j++ ) {
                         if( pcr[pc2[j]] ) kn[m] |= bigbyte[j];
-                        if( pcr[pc2[j+24]] ) kn[n] |= bigbyte[j];
+                        if( pcr[pc2[j + 24]] ) kn[n] |= bigbyte[j];
                         }
                 }
         cookey(kn);
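Review bot: Only the index expression `j + 24` is fixed; the line still has `if( ... )` spacing, a trailing statement on the same line and no braces, and the untouched line above has the same form. Either bring both lines fully into QEMU style or leave this imported code alone and note in the commit message that the file is exempt, because as submitted the patch adds new checkpatch errors on the line it modifies.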
-- 
2.29.2




* [PULL 11/13] ui: update keycodemapdb submodule commit
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (9 preceding siblings ...)
  2021-01-29 17:10 ` [PULL 10/13] crypto: Add spaces around operator Daniel P. Berrangé
@ 2021-01-29 17:11 ` Daniel P. Berrangé
  2021-01-29 17:11 ` [PULL 12/13] tests: Fix runtime error in test-authz-pam Daniel P. Berrangé
                   ` (3 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:11 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Daniel P. Berrangé,
	qemu-block, libvir-list, Max Reitz, Gerd Hoffmann, Paolo Bonzini,
	Philippe Mathieu-Daudé

Primarily this is to pull in a fix for Win32 keycodes. The other useful
change is the removal of build timestamp from generated files which is
desirable for reproducible builds.

The make rules need updating due to slightly changed CLI syntax - more
args must now come after the command name.

6119e6e19a050df847418de7babe5166779955e4 Fix scan codes for Korean keys
685684a8404301780714e8a89a871981e7cae988 Fix argument order in output headers
b3774853042c951b200d767697285781cc59a83c Add HTML entries for Korean layout keys
8e54850d800e4697a2798fb82ac740e760f8530b Add macOS entries for Japanese keyboards
27acf0ef828bf719b2053ba398b195829413dbdd Fix win32 keycode for VK_OEM_102
317d3eeb963a515e15a63fa356d8ebcda7041a51 Add support for generating RST formatted docs pages
7381b9bfadd31c4c9e9a10b5bb5032f9189d4352 Introduce separate args for title & subtitle with docs generator
6280c94f306df6a20bbc100ba15a5a81af0366e6 keymap-gen: Name sections in pod output
df4e56f8fab65ba714ec18f4e7338a966a1620ad Add an empty meson project
16e5b0787687d8904dad2c026107409eb9bfcb95 remove buildtime from generated files
044f21dd0d4f62519aae9f1d53a026407a0b664f add header file generators
7779876a6b06755e3bb2c94ee3ded50635bcb0fa c++: add extern declaration to the generated file
0e0a317889464397d6f1ae03aad0d2ca593aab04 move CLanguageGenerator closer to CLanguageGenerator itself

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 ui/keycodemapdb | 2 +-
 ui/meson.build  | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ui/keycodemapdb b/ui/keycodemapdb
index 6b3d716e2b..6119e6e19a 160000
--- a/ui/keycodemapdb
+++ b/ui/keycodemapdb
@@ -1 +1 @@
-Subproject commit 6b3d716e2b6472eb7189d3220552280ef3d832ce
+Subproject commit 6119e6e19a050df847418de7babe5166779955e4
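Review bot: The commit message lists thirteen commits but does not give the range they came from, so a reviewer cannot tell from the message alone that moving the gitlink from 6b3d716e2b to 6119e6e19a pulls in exactly those commits and nothing else. Please state the range in the message (for example as the output of `git log --oneline 6b3d716e2b..6119e6e19a` run in the submodule), so the bump can be checked against the upstream history.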
diff --git a/ui/meson.build b/ui/meson.build
index 634fabab0d..156b600a99 100644
--- a/ui/meson.build
+++ b/ui/meson.build
@@ -127,9 +127,10 @@ if have_system or xkbcommon.found()
                   capture: true,
                   input: files('keycodemapdb/data/keymaps.csv'),
                   command: [python.full_path(), files('keycodemapdb/tools/keymap-gen'),
+                            'code-map',
                             '--lang', 'glib2',
                             '--varname', 'qemu_input_map_@0@_to_@1@'.format(e[0], e[1]),
-                            'code-map', '@INPUT0@', e[0], e[1]])
+                            '@INPUT0@', e[0], e[1]])
   endforeach
 endif
 
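Review bot: Moving `'code-map'` ahead of `--lang` and `--varname` makes this rule work only with the new keymap-gen, and nothing here checks which keycodemapdb is present. A build that uses `--with-git-submodules=ignore` (or a tarball) with the older checkout will fail inside keymap-gen with an argument error rather than a clear message. Consider documenting the required submodule commit next to this `command:` or detecting the old CLI at configure time.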
-- 
2.29.2




* [PULL 12/13] tests: Fix runtime error in test-authz-pam
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (10 preceding siblings ...)
  2021-01-29 17:11 ` [PULL 11/13] ui: update keycodemapdb submodule commit Daniel P. Berrangé
@ 2021-01-29 17:11 ` Daniel P. Berrangé
  2021-01-29 17:11 ` [PULL 13/13] tests: Replace deprecated ASN1 code Daniel P. Berrangé
                   ` (2 subsequent siblings)
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:11 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Daniel P. Berrangé,
	qemu-block, libvir-list, Stefan Weil, Max Reitz, Gerd Hoffmann,
	Paolo Bonzini

From: Stefan Weil <sw@weilnetz.de>

A test with sanitizers on macOS shows this error:

    authz/pamacct.c:50:25: runtime error: null pointer passed as argument 1, which is declared to never be null
    /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/security/pam_appl.h:56:2: note: nonnull attribute specified here

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 tests/test-authz-pam.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tests/test-authz-pam.c b/tests/test-authz-pam.c
index 1baeadee03..4fe1ef2603 100644
--- a/tests/test-authz-pam.c
+++ b/tests/test-authz-pam.c
@@ -28,7 +28,7 @@
 static bool failauth;
 
 /*
- * These two functions are exported by libpam.so.
+ * These three functions are exported by libpam.so.
  *
  * By defining them again here, our impls are resolved
  * by the linker instead of those in libpam.so
@@ -50,6 +50,7 @@ pam_start(const char *service_name, const char *user,
         failauth = false;
     }
 
+    *pamh = (pam_handle_t *)0xbadeaffe;
     return PAM_SUCCESS;
 }
 
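Review bot: `*pamh = (pam_handle_t *)0xbadeaffe;` is an unexplained magic value. Add a comment saying it is a non-NULL dummy handle that is never dereferenced because every libpam function the code under test calls is stubbed in this file, and give the value a name so the other stubs can refer to it. The commit message should also say that the sanitizer report came from the handle being left NULL by this stub.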
@@ -65,6 +66,13 @@ pam_acct_mgmt(pam_handle_t *pamh, int flags)
 }
 
 
+int
+pam_end(pam_handle_t *pamh, int status)
+{
+    return PAM_SUCCESS;
+}
+
+
 static void test_authz_unknown_service(void)
 {
     Error *local_err = NULL;
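Review bot: The new `pam_end()` stub ignores both arguments, so the test would still pass if the code under test handed back a different or NULL handle. Asserting that `pamh` equals the dummy value set in `pam_start()` would make the stub check the handle round trip, which is the behaviour the sanitizer complaint was about.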
-- 
2.29.2




* [PULL 13/13] tests: Replace deprecated ASN1 code
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (11 preceding siblings ...)
  2021-01-29 17:11 ` [PULL 12/13] tests: Fix runtime error in test-authz-pam Daniel P. Berrangé
@ 2021-01-29 17:11 ` Daniel P. Berrangé
  2021-01-29 17:21 ` [PULL 00/13] Misc patches no-reply
  2021-01-29 23:04 ` Peter Maydell
  14 siblings, 0 replies; 16+ messages in thread
From: Daniel P. Berrangé @ 2021-01-29 17:11 UTC (permalink / raw)
  To: qemu-devel
  Cc: Kevin Wolf, Daniel P. Berrangé,
	qemu-block, libvir-list, Stefan Weil, Max Reitz, Gerd Hoffmann,
	Paolo Bonzini

From: Stefan Weil <sw@weilnetz.de>

This fixes several compiler warnings on MacOS with Homebrew. The
git development branch for forthcoming libtasn1 4.17.0 has introduced
deprecation warnings for several macros/types that we use.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 tests/crypto-tls-x509-helpers.c | 10 +++++-----
 tests/crypto-tls-x509-helpers.h |  2 +-
 tests/pkix_asn1_tab.c           |  2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/tests/crypto-tls-x509-helpers.c b/tests/crypto-tls-x509-helpers.c
index 01b3daf358..97658592a2 100644
--- a/tests/crypto-tls-x509-helpers.c
+++ b/tests/crypto-tls-x509-helpers.c
@@ -30,7 +30,7 @@
  * This stores some static data that is needed when
  * encoding extensions in the x509 certs
  */
-ASN1_TYPE pkix_asn1;
+asn1_node pkix_asn1;
 
 /*
  * To avoid consuming random entropy to generate keys,
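Review bot: The switch from `ASN1_TYPE` to `asn1_node` here, and to `asn1_static_node` in the header and table, may raise the minimum libtasn1 version the tests build against, and neither the commit message nor the code says which release first provides the new names. Please state that version in the commit message and confirm it is not newer than the oldest libtasn1 on the supported platforms.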
@@ -139,7 +139,7 @@ void test_tls_cleanup(const char *keyfile)
 /*
  * Turns an ASN1 object into a DER encoded byte array
  */
-static void test_tls_der_encode(ASN1_TYPE src,
+static void test_tls_der_encode(asn1_node src,
                                 const char *src_name,
                                 gnutls_datum_t *res)
 {
@@ -317,7 +317,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
      * the 'critical' field which we want control over
      */
     if (req->basicConstraintsEnable) {
-        ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+        asn1_node ext = NULL;
 
         asn1_create_element(pkix_asn1, "PKIX1.BasicConstraints", &ext);
         asn1_write_value(ext, "cA",
@@ -344,7 +344,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
      * to be 'critical'
      */
     if (req->keyUsageEnable) {
-        ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+        asn1_node ext = NULL;
         char str[2];
 
         str[0] = req->keyUsageValue & 0xff;
@@ -374,7 +374,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
      * set this the hard way building up ASN1 data ourselves
      */
     if (req->keyPurposeEnable) {
-        ASN1_TYPE ext = ASN1_TYPE_EMPTY;
+        asn1_node ext = NULL;
 
         asn1_create_element(pkix_asn1, "PKIX1.ExtKeyUsageSyntax", &ext);
         if (req->keyPurposeOID1) {
diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h
index 08efba4e19..8fcd7785ab 100644
--- a/tests/crypto-tls-x509-helpers.h
+++ b/tests/crypto-tls-x509-helpers.h
@@ -125,7 +125,7 @@ void test_tls_cleanup(const char *keyfile);
     };                                                                  \
     test_tls_generate_cert(&varname, NULL)
 
-extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
+extern const asn1_static_node pkix_asn1_tab[];
 
 #endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */
 
diff --git a/tests/pkix_asn1_tab.c b/tests/pkix_asn1_tab.c
index f15fc515cb..4aaf736d3f 100644
--- a/tests/pkix_asn1_tab.c
+++ b/tests/pkix_asn1_tab.c
@@ -8,7 +8,7 @@
 
 #ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
 
-const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
+const asn1_static_node pkix_asn1_tab[] = {
   {"PKIX1", 536875024, 0},
   {0, 1073741836, 0},
   {"id-ce", 1879048204, 0},
-- 
2.29.2




* Re: [PULL 00/13] Misc patches
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (12 preceding siblings ...)
  2021-01-29 17:11 ` [PULL 13/13] tests: Replace deprecated ASN1 code Daniel P. Berrangé
@ 2021-01-29 17:21 ` no-reply
  2021-01-29 23:04 ` Peter Maydell
  14 siblings, 0 replies; 16+ messages in thread
From: no-reply @ 2021-01-29 17:21 UTC (permalink / raw)
  To: berrange
  Cc: kwolf, qemu-block, libvir-list, qemu-devel, mreitz, kraxel, pbonzini

Patchew URL: https://patchew.org/QEMU/20210129171102.4109641-1-berrange@redhat.com/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Message-id: 20210129171102.4109641-1-berrange@redhat.com
Subject: [PULL 00/13] Misc patches

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 * [new tag]         patchew/20210129171102.4109641-1-berrange@redhat.com -> patchew/20210129171102.4109641-1-berrange@redhat.com
Switched to a new branch 'test'
d1a54cc tests: Replace deprecated ASN1 code
fa7ea70 tests: Fix runtime error in test-authz-pam
085f233 ui: update keycodemapdb submodule commit
60edf69 crypto: Add spaces around operator
b9680cd configure: replace --enable/disable-git-update with --with-git-submodules
6db8348 docs: fix missing backslash in certtool shell example
4a5ba18 docs: simplify and clarify the platform support rules
89433ae Prefer 'on' | 'off' over 'yes' | 'no' for bool options
de66ba1 os: deprecate the -enable-fips option and QEMU's FIPS enforcement
aadd818 crypto: Fix memory leaks in set_loaded for tls-*
e5056b8 crypto: Forbid broken unloading of secrets
96f48a1 crypto: Move USER_CREATABLE to secret_common base class
0a666a6 crypto: Fix some code style problems, add spaces around operator

=== OUTPUT BEGIN ===
1/13 Checking commit 0a666a653a56 (crypto: Fix some code style problems, add spaces around operator)
2/13 Checking commit 96f48a1f4123 (crypto: Move USER_CREATABLE to secret_common base class)
3/13 Checking commit e5056b897b03 (crypto: Forbid broken unloading of secrets)
4/13 Checking commit aadd818a731a (crypto: Fix memory leaks in set_loaded for tls-*)
5/13 Checking commit de66ba1527d2 (os: deprecate the -enable-fips option and QEMU's FIPS enforcement)
6/13 Checking commit 89433ae1e17b (Prefer 'on' | 'off' over 'yes' | 'no' for bool options)
7/13 Checking commit 4a5ba182d293 (docs: simplify and clarify the platform support rules)
8/13 Checking commit 6db83486e869 (docs: fix missing backslash in certtool shell example)
9/13 Checking commit b9680cded03f (configure: replace --enable/disable-git-update with --with-git-submodules)
10/13 Checking commit 60edf69c0fbf (crypto: Add spaces around operator)
ERROR: braces {} are necessary for all arms of this statement
#28: FILE: crypto/aes.c:1083:
+        if (bits == 128)
[...]
-        else if (bits==192)
[...]
                 key->rounds = 12;
[...]

ERROR: braces {} are necessary for all arms of this statement
#31: FILE: crypto/aes.c:1085:
+        else if (bits == 192)
[...]
         else
[...]

ERROR: space prohibited after that open parenthesis '('
#44: FILE: crypto/desrfb.c:96:
+                        if( pcr[pc2[j + 24]] ) kn[n] |= bigbyte[j];

ERROR: space prohibited before that close parenthesis ')'
#44: FILE: crypto/desrfb.c:96:
+                        if( pcr[pc2[j + 24]] ) kn[n] |= bigbyte[j];

ERROR: space required before the open parenthesis '('
#44: FILE: crypto/desrfb.c:96:
+                        if( pcr[pc2[j + 24]] ) kn[n] |= bigbyte[j];

ERROR: trailing statements should be on next line
#44: FILE: crypto/desrfb.c:96:
+                        if( pcr[pc2[j + 24]] ) kn[n] |= bigbyte[j];

ERROR: braces {} are necessary for all arms of this statement
#44: FILE: crypto/desrfb.c:96:
+                        if( pcr[pc2[j + 24]] ) kn[n] |= bigbyte[j];
[...]

total: 7 errors, 0 warnings, 19 lines checked

Patch 10/13 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

11/13 Checking commit 085f2338c909 (ui: update keycodemapdb submodule commit)
12/13 Checking commit fa7ea706d673 (tests: Fix runtime error in test-authz-pam)
13/13 Checking commit d1a54cc3e1b1 (tests: Replace deprecated ASN1 code)
=== OUTPUT END ===

Test command exited with code: 1


The full log is available at
http://patchew.org/logs/20210129171102.4109641-1-berrange@redhat.com/testing.checkpatch/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-devel@redhat.com


* Re: [PULL 00/13] Misc patches
  2021-01-29 17:10 [PULL 00/13] Misc patches Daniel P. Berrangé
                   ` (13 preceding siblings ...)
  2021-01-29 17:21 ` [PULL 00/13] Misc patches no-reply
@ 2021-01-29 23:04 ` Peter Maydell
  14 siblings, 0 replies; 16+ messages in thread
From: Peter Maydell @ 2021-01-29 23:04 UTC (permalink / raw)
  To: Daniel P. Berrangé
  Cc: Kevin Wolf, Qemu-block, Libvirt, QEMU Developers, Max Reitz,
	Gerd Hoffmann, Paolo Bonzini

On Fri, 29 Jan 2021 at 17:27, Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> The following changes since commit 5101d00d2f1138a73344dc4833587f76d7a5fa5c:
>
>   Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.0-pull-request' into staging (2021-01-29 10:10:43 +0000)
>
> are available in the Git repository at:
>
>   https://gitlab.com/berrange/qemu tags/misc-fixes-pull-request
>
> for you to fetch changes up to ecb98f5c7589ba8ecd15c8b1baa2ec7192e47c75:
>
>   tests: Replace deprecated ASN1 code (2021-01-29 17:07:53 +0000)
>
> ----------------------------------------------------------------
> * Replace --enable/disable-git-update with --with-git-submodules
>   to allow improved control over use of git submodules
> * Deprecate the -enable-fips option
> * Ensure docs use prefer format for bool options
> * Clarify platform support rules
> * Misc fixes to keymap conversions
> * Fix misc problems on macOS
>
> ----------------------------------------------------------------



Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.0
for any user-visible changes.

-- PMM


