[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
From: |
Philippe Mathieu-Daudé |
Subject: |
Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object |
Date: |
Thu, 28 May 2020 12:17:08 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 |
On 5/27/20 1:36 PM, Daniel P. Berrangé wrote:
> On Tue, May 19, 2020 at 08:20:23PM +0200, Philippe Mathieu-Daudé wrote:
>> Example of use to dump:
>>
>> $ qemu-system-x86_64 -S \
>> -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
>> Cipher suites for @SYSTEM:
>> - TLS_AES_256_GCM_SHA384 0x13, 0x02
>> TLS1.3
>> - TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03
>> TLS1.3
>> - TLS_AES_128_GCM_SHA256 0x13, 0x01
>> TLS1.3
>> - TLS_AES_128_CCM_SHA256 0x13, 0x04
>> TLS1.3
>> - TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30
>> TLS1.2
>> - TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8
>> TLS1.2
>> - TLS_ECDHE_RSA_AES_256_CBC_SHA1 0xc0, 0x14
>> TLS1.0
>> - TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f
>> TLS1.2
>> - TLS_ECDHE_RSA_AES_128_CBC_SHA1 0xc0, 0x13
>> TLS1.0
>> - TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c
>> TLS1.2
>> - TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9
>> TLS1.2
>> - TLS_ECDHE_ECDSA_AES_256_CCM 0xc0, 0xad
>> TLS1.2
>> - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a
>> TLS1.0
>> - TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b
>> TLS1.2
>> - TLS_ECDHE_ECDSA_AES_128_CCM 0xc0, 0xac
>> TLS1.2
>> - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09
>> TLS1.0
>> - TLS_RSA_AES_256_GCM_SHA384 0x00, 0x9d
>> TLS1.2
>> - TLS_RSA_AES_256_CCM 0xc0, 0x9d
>> TLS1.2
>> - TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35
>> TLS1.0
>> - TLS_RSA_AES_128_GCM_SHA256 0x00, 0x9c
>> TLS1.2
>> - TLS_RSA_AES_128_CCM 0xc0, 0x9c
>> TLS1.2
>> - TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f
>> TLS1.0
>> - TLS_DHE_RSA_AES_256_GCM_SHA384 0x00, 0x9f
>> TLS1.2
>> - TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa
>> TLS1.2
>> - TLS_DHE_RSA_AES_256_CCM 0xc0, 0x9f
>> TLS1.2
>> - TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39
>> TLS1.0
>> - TLS_DHE_RSA_AES_128_GCM_SHA256 0x00, 0x9e
>> TLS1.2
>> - TLS_DHE_RSA_AES_128_CCM 0xc0, 0x9e
>> TLS1.2
>> - TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33
>> TLS1.0
>> total: 29 ciphers
>
> IMHO this "verbose" option shouldn't exist. Instead we should be
> using the QEMU trace infrastructure to log this information. This
> will make it possible to trace the info at runtime in production
> deployments too
OK, clever.
>
>> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
>> + const char *priority_name, Error **errp)
>> +{
>> +#ifdef CONFIG_GNUTLS
>
> Instead of doing this......
>
>
>> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
>> index c2a371b0b4..ce706d322a 100644
>> --- a/crypto/Makefile.objs
>> +++ b/crypto/Makefile.objs
>> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
>> crypto-obj-$(CONFIG_AF_ALG) += afalg.o
>> crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
>> crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
>> +crypto-obj-y += tls-cipher-suites.o
>
> ....Use crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o
>
> This lets the mgmt appliction introspect QEMU to discover whether the
> TLS cipher suits object is present & usable.
OK, thanks!
>
>> crypto-obj-y += tlscreds.o
>> crypto-obj-y += tlscredsanon.o
>> crypto-obj-y += tlscredspsk.o
>> --
>> 2.21.3
>>
>
> Regards,
> Daniel
>
- Re: [PATCH v6 1/5] hw/nvram/fw_cfg: Add the FW_CFG_DATA_GENERATOR interface, (continued)