Re: [Qemu-block] [PATCH v5] crypto: Implement TLS Pre-Shared Keys (PSK).


From: Richard W.M. Jones
Subject: Re: [Qemu-block] [PATCH v5] crypto: Implement TLS Pre-Shared Keys (PSK).
Date: Fri, 29 Jun 2018 18:40:29 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Fri, Jun 29, 2018 at 06:03:43PM +0100, Daniel P. Berrangé wrote:
> On Thu, Jun 28, 2018 at 07:46:24PM +0100, Richard W.M. Jones wrote:
> > diff --git a/crypto/tlssession.c b/crypto/tlssession.c
> > index 96a02deb69..50df64e0a9 100644
> > --- a/crypto/tlssession.c
> > +++ b/crypto/tlssession.c
> > @@ -21,6 +21,7 @@
> >  #include "qemu/osdep.h"
> >  #include "crypto/tlssession.h"
> >  #include "crypto/tlscredsanon.h"
> > +#include "crypto/tlscredspsk.h"
> >  #include "crypto/tlscredsx509.h"
> >  #include "qapi/error.h"
> >  #include "qemu/acl.h"
> > @@ -88,6 +89,8 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t 
> > len)
> >      return session->readFunc(buf, len, session->opaque);
> >  }
> >  
> > +#define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH"
> > +#define TLS_PRIORITY_ADDITIONAL_PSK  "+ECDHE-PSK:+DHE-PSK:+PSK"
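
Review bot: the TLS_PRIORITY_ADDITIONAL_PSK string ends with plain "+PSK", which enables PSK key exchange with no (EC)DH component and therefore no forward secrecy, while "+ECDHE-PSK" and "+DHE-PSK" do provide it; if plain PSK is intended only as a fallback behind the two DH variants, a comment beside the macro stating that (and the GnuTLS version needed for the ECDHE-PSK keyword) would make the trade-off explicit to the next reader.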
> 
> Unfortunately in testing this I learn ECDHE-PSK is only supported when
> using GNUTLS >= 3.0, so can you make this conditional based on
> GNUTLS_VERSION_MAJOR >= 3

GnuTLS 3.0 was released in 2011, and the last 2.x version seems to be
from 2009.  Do we need to support such old versions?

I looked at the configure script.  It seems as if we will try to use
any version of GnuTLS, even ancient ones (although other sub-features
require later versions of GnuTLS).  But if I'm understanding it
correctly, by forcing both GnuTLS >= 3.0.0 and Nettle we could
eliminate all the conditionals there, except for one Nettle test.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
