From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
"Laszlo Ersek" <lersek@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
Date: Tue, 19 May 2020 20:20:23 +0200 [thread overview]
Message-ID: <20200519182024.14638-5-philmd@redhat.com> (raw)
In-Reply-To: <20200519182024.14638-1-philmd@redhat.com>
Example of use to dump:
$ qemu-system-x86_64 -S \
-object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
Cipher suites for @SYSTEM:
- TLS_AES_256_GCM_SHA384 0x13, 0x02 TLS1.3
- TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03 TLS1.3
- TLS_AES_128_GCM_SHA256 0x13, 0x01 TLS1.3
- TLS_AES_128_CCM_SHA256 0x13, 0x04 TLS1.3
- TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
- TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
- TLS_ECDHE_RSA_AES_256_CBC_SHA1 0xc0, 0x14 TLS1.0
- TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
- TLS_ECDHE_RSA_AES_128_CBC_SHA1 0xc0, 0x13 TLS1.0
- TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c TLS1.2
- TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
- TLS_ECDHE_ECDSA_AES_256_CCM 0xc0, 0xad TLS1.2
- TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a TLS1.0
- TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
- TLS_ECDHE_ECDSA_AES_128_CCM 0xc0, 0xac TLS1.2
- TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09 TLS1.0
- TLS_RSA_AES_256_GCM_SHA384 0x00, 0x9d TLS1.2
- TLS_RSA_AES_256_CCM 0xc0, 0x9d TLS1.2
- TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 TLS1.0
- TLS_RSA_AES_128_GCM_SHA256 0x00, 0x9c TLS1.2
- TLS_RSA_AES_128_CCM 0xc0, 0x9c TLS1.2
- TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f TLS1.0
- TLS_DHE_RSA_AES_256_GCM_SHA384 0x00, 0x9f TLS1.2
- TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa TLS1.2
- TLS_DHE_RSA_AES_256_CCM 0xc0, 0x9f TLS1.2
- TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 TLS1.0
- TLS_DHE_RSA_AES_128_GCM_SHA256 0x00, 0x9e TLS1.2
- TLS_DHE_RSA_AES_128_CCM 0xc0, 0x9e TLS1.2
- TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 TLS1.0
total: 29 ciphers
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
include/crypto/tls-cipher-suites.h | 39 +++++++++
crypto/tls-cipher-suites.c | 133 +++++++++++++++++++++++++++++
crypto/Makefile.objs | 1 +
3 files changed, 173 insertions(+)
create mode 100644 include/crypto/tls-cipher-suites.h
create mode 100644 crypto/tls-cipher-suites.c
diff --git a/include/crypto/tls-cipher-suites.h b/include/crypto/tls-cipher-suites.h
new file mode 100644
index 0000000000..31e92916e1
--- /dev/null
+++ b/include/crypto/tls-cipher-suites.h
@@ -0,0 +1,39 @@
+/*
+ * QEMU TLS Cipher Suites
+ *
+ * Copyright (c) 2019 Red Hat, Inc.
+ *
+ * Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef QCRYPTO_TLSCIPHERSUITES_H
+#define QCRYPTO_TLSCIPHERSUITES_H
+
+#include "qom/object.h"
+#include "crypto/tlscreds.h"
+
+#define TYPE_QCRYPTO_TLS_CIPHER_SUITES "tls-cipher-suites"
+#define QCRYPTO_TLS_CIPHER_SUITES(obj) \
+ OBJECT_CHECK(QCryptoTLSCipherSuites, (obj), TYPE_QCRYPTO_TLS_CIPHER_SUITES)
+
+/*
+ * IANA registered TLS ciphers:
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
+ */
+typedef struct {
+ uint8_t data[2];
+} IANA_TLS_CIPHER;
+
+typedef struct QCryptoTLSCipherSuites {
+ /* <private> */
+ QCryptoTLSCreds parent_obj;
+
+ /* <public> */
+ bool verbose;
+ IANA_TLS_CIPHER *cipher_list;
+ unsigned cipher_count;
+} QCryptoTLSCipherSuites;
+
+#endif /* QCRYPTO_TLSCIPHERSUITES_H */
diff --git a/crypto/tls-cipher-suites.c b/crypto/tls-cipher-suites.c
new file mode 100644
index 0000000000..c6c51359bd
--- /dev/null
+++ b/crypto/tls-cipher-suites.c
@@ -0,0 +1,133 @@
+/*
+ * QEMU TLS Cipher Suites
+ *
+ * Copyright (c) 2019 Red Hat, Inc.
+ *
+ * Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qom/object_interfaces.h"
+#include "qemu/error-report.h"
+#include "crypto/tlscreds.h"
+#include "crypto/tls-cipher-suites.h"
+
+static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
+ const char *priority_name, Error **errp)
+{
+#ifdef CONFIG_GNUTLS
+ int ret;
+ unsigned int idx;
+ const char *name;
+ const char *err;
+ gnutls_protocol_t version;
+ gnutls_priority_t pcache;
+
+ assert(priority_name);
+ ret = gnutls_priority_init(&pcache, priority_name, &err);
+ if (ret < 0) {
+ error_setg(errp, "Syntax error using priority '%s': %s",
+ priority_name, gnutls_strerror(ret));
+ return;
+ }
+
+ if (s->verbose) {
+ fprintf(stderr, "Cipher suites for %s:\n", priority_name);
+ }
+ for (size_t i = 0;; i++) {
+ ret = gnutls_priority_get_cipher_suite_index(pcache, i, &idx);
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ break;
+ }
+ if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE) {
+ continue;
+ }
+ s->cipher_list = g_renew(IANA_TLS_CIPHER,
+ s->cipher_list, s->cipher_count + 1);
+
+ name = gnutls_cipher_suite_info(idx,
+ s->cipher_list[s->cipher_count].data,
+ NULL, NULL, NULL, &version);
+ if (name != NULL) {
+ if (s->verbose) {
+ fprintf(stderr, "- %-50s\t0x%02x, 0x%02x\t%s\n", name,
+ s->cipher_list[s->cipher_count].data[0],
+ s->cipher_list[s->cipher_count].data[1],
+ gnutls_protocol_get_name(version));
+ }
+ s->cipher_count++;
+ }
+ }
+ if (s->verbose) {
+ fprintf(stderr, "total: %u ciphers\n", s->cipher_count);
+ }
+ gnutls_priority_deinit(pcache);
+#else
+ error_setg(errp, "GNU TLS not available");
+#endif /* CONFIG_GNUTLS */
+}
+
+static void qcrypto_tls_cipher_suites_complete(UserCreatable *uc, Error **errp)
+{
+ QCryptoTLSCreds *s = QCRYPTO_TLS_CREDS(uc);
+
+ if (!s->priority) {
+ error_setg(errp, "'priority' property is not set");
+ return;
+ }
+ parse_cipher_suites(QCRYPTO_TLS_CIPHER_SUITES(s), s->priority, errp);
+}
+
+static void qcrypto_tls_cipher_suites_set_verbose(Object *obj, bool value,
+ Error **errp G_GNUC_UNUSED)
+{
+ QCRYPTO_TLS_CIPHER_SUITES(obj)->verbose = value;
+}
+
+
+static bool qcrypto_tls_cipher_suites_get_verbose(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ return QCRYPTO_TLS_CIPHER_SUITES(obj)->verbose;
+}
+
+static void qcrypto_tls_cipher_suites_finalize(Object *obj)
+{
+ QCryptoTLSCipherSuites *s = QCRYPTO_TLS_CIPHER_SUITES(obj);
+
+ g_free(s->cipher_list);
+}
+
+static void qcrypto_tls_cipher_suites_class_init(ObjectClass *oc, void *data)
+{
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+
+ ucc->complete = qcrypto_tls_cipher_suites_complete;
+
+ object_class_property_add_bool(oc, "verbose",
+ qcrypto_tls_cipher_suites_get_verbose,
+ qcrypto_tls_cipher_suites_set_verbose);
+}
+
+static const TypeInfo qcrypto_tls_cipher_suites_info = {
+ .parent = TYPE_QCRYPTO_TLS_CREDS,
+ .name = TYPE_QCRYPTO_TLS_CIPHER_SUITES,
+ .instance_size = sizeof(QCryptoTLSCipherSuites),
+ .instance_finalize = qcrypto_tls_cipher_suites_finalize,
+ .class_size = sizeof(QCryptoTLSCredsClass),
+ .class_init = qcrypto_tls_cipher_suites_class_init,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+static void qcrypto_tls_cipher_suites_register_types(void)
+{
+ type_register_static(&qcrypto_tls_cipher_suites_info);
+}
+
+type_init(qcrypto_tls_cipher_suites_register_types);
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index c2a371b0b4..ce706d322a 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
crypto-obj-$(CONFIG_AF_ALG) += afalg.o
crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
+crypto-obj-y += tls-cipher-suites.o
crypto-obj-y += tlscreds.o
crypto-obj-y += tlscredsanon.o
crypto-obj-y += tlscredspsk.o
--
2.21.3
next prev parent reply other threads:[~2020-05-19 18:25 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-19 18:20 [PATCH v6 0/5] fw_cfg: Add FW_CFG_DATA_GENERATOR; crypto: Add tls-cipher-suites Philippe Mathieu-Daudé
2020-05-19 18:20 ` [PATCH v6 1/5] hw/nvram/fw_cfg: Add the FW_CFG_DATA_GENERATOR interface Philippe Mathieu-Daudé
2020-05-19 22:01 ` Laszlo Ersek
2020-05-28 14:54 ` Philippe Mathieu-Daudé
2020-05-19 18:20 ` [PATCH v6 2/5] softmmu/vl: Let -fw_cfg option take a 'blob_id' argument Philippe Mathieu-Daudé
2020-05-19 22:34 ` Laszlo Ersek
2020-05-28 12:07 ` Philippe Mathieu-Daudé
2020-05-27 11:38 ` Daniel P. Berrangé
2020-05-19 18:20 ` [RFC PATCH v6 3/5] softmmu/vl: Allow -fw_cfg 'blob_id' option to set any file pathname Philippe Mathieu-Daudé
2020-05-19 18:22 ` Philippe Mathieu-Daudé
2020-05-19 22:45 ` Laszlo Ersek
2020-05-28 17:03 ` Philippe Mathieu-Daudé
2020-05-19 18:20 ` Philippe Mathieu-Daudé [this message]
2020-05-19 23:24 ` [PATCH v6 4/5] crypto: Add tls-cipher-suites object Laszlo Ersek
2020-05-27 11:36 ` Daniel P. Berrangé
2020-05-28 10:17 ` Philippe Mathieu-Daudé
2020-05-19 18:20 ` [PATCH v6 5/5] crypto/tls-cipher-suites: Product fw_cfg consumable blob Philippe Mathieu-Daudé
2020-05-19 22:49 ` Laszlo Ersek
2020-05-27 11:29 ` [PATCH v6 0/5] fw_cfg: Add FW_CFG_DATA_GENERATOR; crypto: Add tls-cipher-suites Philippe Mathieu-Daudé
2020-05-27 11:33 ` Daniel P. Berrangé
2020-05-27 11:34 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200519182024.14638-5-philmd@redhat.com \
--to=philmd@redhat.com \
--cc=berrange@redhat.com \
--cc=ehabkost@redhat.com \
--cc=kraxel@redhat.com \
--cc=lersek@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.