From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:45269) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YvlT5-0008FG-3G for qemu-devel@nongnu.org; Fri, 22 May 2015 07:50:24 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YvlT1-0008VA-Lb for qemu-devel@nongnu.org; Fri, 22 May 2015 07:50:22 -0400 Received: from szxga02-in.huawei.com ([119.145.14.65]:64852) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YvlT0-0008Qn-Sm for qemu-devel@nongnu.org; Fri, 22 May 2015 07:50:19 -0400 Message-ID: <555F17EB.1010401@huawei.com> Date: Fri, 22 May 2015 19:50:03 +0800 From: Gonglei MIME-Version: 1.0 References: <1432205817-16414-1-git-send-email-berrange@redhat.com> <555F1301.8070900@huawei.com> <20150522113721.GI14428@redhat.com> In-Reply-To: <20150522113721.GI14428@redhat.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Daniel P. Berrange" Cc: Kevin Wolf , Paolo Bonzini , qemu-devel@nongnu.org, Gerd Hoffmann On 2015/5/22 19:37, Daniel P. Berrange wrote: > On Fri, May 22, 2015 at 07:29:05PM +0800, Gonglei wrote: >> On 2015/5/21 18:56, Daniel P. Berrange wrote: >>> This small series covers the crypto consolidation patches >>> I previously posted as part of a larger RFC for the TLS work >>> >>> https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg02038.html >>> >>> Currently there are a 5 main places in QEMU which use some >>> form of cryptographic hash or cipher algorithm. These are >>> the quorum block driver (hash), qcow[2] block driver (cipher), >>> VNC password auth (cipher), VNC websockets (hash) and some >>> of the CPU instruction emulation (cipher). >>> >>> For ciphers the code is using the in-tree implementations >>> of AES and/or the RFB cripple-DES. While there is nothing >>> broken about these implementations, it is none the less >>> desirable to be able to use the GNUTLS provided impls in >>> cases whre we are already linking to GNUTLS. This will >>> allow QEMU to use FIPS certified implementations, which >>> have been well audited, have some protection against >>> side-channel leakage and are generally actively maintained >>> by people knowledgable about encryption. >>> >> Can we use OpenSSL library in Qemu? If not, that's because of the license? > > There are differing opinions on OpenSSL licensing. Personally I consider > it to be GPL incompatible because I don't accept the suggestion that openssl > is exempt under the system libraries clause. In any case QEMU is already > using GNUTLS and IME it has a more friendly API with better documentation > than openssl or nss. > > That all said, one benefit of the crypto consolidation is that it makes it > more feasible to plug in alternative crypto libraries, because all the > gnutls specific code is isolated in one place, instead of spread across > the entire codebase. I don't intend to do any work to support other > crypto libraries though as I don't think there's any compelling benefit > to them. > OK, I see, thanks. BTW do you have a github branch which can be easier to test? Regards, -Gonglei