qemu-devel.nongnu.org archive mirror
From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Laszlo Ersek <lersek@redhat.com>,
	qemu-devel@nongnu.org, Eduardo Habkost <ehabkost@redhat.com>
Subject: Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
Date: Wed, 27 May 2020 12:36:43 +0100
Message-ID: <20200527113643.GL2665520@redhat.com>
In-Reply-To: <20200519182024.14638-5-philmd@redhat.com>

On Tue, May 19, 2020 at 08:20:23PM +0200, Philippe Mathieu-Daudé wrote:
> Example of use to dump:
> 
>   $ qemu-system-x86_64 -S \
>     -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
>   Cipher suites for @SYSTEM:
>   - TLS_AES_256_GCM_SHA384                                0x13, 0x02      TLS1.3
>   - TLS_CHACHA20_POLY1305_SHA256                          0x13, 0x03      TLS1.3
>   - TLS_AES_128_GCM_SHA256                                0x13, 0x01      TLS1.3
>   - TLS_AES_128_CCM_SHA256                                0x13, 0x04      TLS1.3
>   - TLS_ECDHE_RSA_AES_256_GCM_SHA384                      0xc0, 0x30      TLS1.2
>   - TLS_ECDHE_RSA_CHACHA20_POLY1305                       0xcc, 0xa8      TLS1.2
>   - TLS_ECDHE_RSA_AES_256_CBC_SHA1                        0xc0, 0x14      TLS1.0
>   - TLS_ECDHE_RSA_AES_128_GCM_SHA256                      0xc0, 0x2f      TLS1.2
>   - TLS_ECDHE_RSA_AES_128_CBC_SHA1                        0xc0, 0x13      TLS1.0
>   - TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                    0xc0, 0x2c      TLS1.2
>   - TLS_ECDHE_ECDSA_CHACHA20_POLY1305                     0xcc, 0xa9      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_256_CCM                           0xc0, 0xad      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                      0xc0, 0x0a      TLS1.0
>   - TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                    0xc0, 0x2b      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_128_CCM                           0xc0, 0xac      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                      0xc0, 0x09      TLS1.0
>   - TLS_RSA_AES_256_GCM_SHA384                            0x00, 0x9d      TLS1.2
>   - TLS_RSA_AES_256_CCM                                   0xc0, 0x9d      TLS1.2
>   - TLS_RSA_AES_256_CBC_SHA1                              0x00, 0x35      TLS1.0
>   - TLS_RSA_AES_128_GCM_SHA256                            0x00, 0x9c      TLS1.2
>   - TLS_RSA_AES_128_CCM                                   0xc0, 0x9c      TLS1.2
>   - TLS_RSA_AES_128_CBC_SHA1                              0x00, 0x2f      TLS1.0
>   - TLS_DHE_RSA_AES_256_GCM_SHA384                        0x00, 0x9f      TLS1.2
>   - TLS_DHE_RSA_CHACHA20_POLY1305                         0xcc, 0xaa      TLS1.2
>   - TLS_DHE_RSA_AES_256_CCM                               0xc0, 0x9f      TLS1.2
>   - TLS_DHE_RSA_AES_256_CBC_SHA1                          0x00, 0x39      TLS1.0
>   - TLS_DHE_RSA_AES_128_GCM_SHA256                        0x00, 0x9e      TLS1.2
>   - TLS_DHE_RSA_AES_128_CCM                               0xc0, 0x9e      TLS1.2
>   - TLS_DHE_RSA_AES_128_CBC_SHA1                          0x00, 0x33      TLS1.0
>   total: 29 ciphers

IMHO this "verbose" option shouldn't exist. Instead we should be
using the QEMU trace infrastructure to log this information. This
will make it possible to trace the info at runtime in production
deployments too.



> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
> +                                const char *priority_name, Error **errp)
> +{
> +#ifdef CONFIG_GNUTLS

Instead of doing this......


> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
> index c2a371b0b4..ce706d322a 100644
> --- a/crypto/Makefile.objs
> +++ b/crypto/Makefile.objs
> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
>  crypto-obj-$(CONFIG_AF_ALG) += afalg.o
>  crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
>  crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
> +crypto-obj-y += tls-cipher-suites.o

....Use crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o

This lets the mgmt application introspect QEMU to discover whether the
TLS cipher suites object is present & usable.

>  crypto-obj-y += tlscreds.o
>  crypto-obj-y += tlscredsanon.o
>  crypto-obj-y += tlscredspsk.o
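
Review bot: the added line "crypto-obj-y += tls-cipher-suites.o" builds the object unconditionally, while the quoted parse_cipher_suites() wraps its body in "#ifdef CONFIG_GNUTLS", so a build without GnuTLS still links a tls-cipher-suites.o whose parsing code is compiled out. Gating the Makefile line as "crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o" keeps the object out of such builds and makes the in-function #ifdef unnecessary; the guard should be dropped in the same change so no empty fallback path is left behind.
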
> -- 
> 2.21.3
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
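
An added example, not part of the original message or of the QEMU patch: a parser for the dump format quoted above that recovers each suite's two-byte identifier, cross-checks the "total:" line, and groups the suites a policy review would look at first. The suite lines are copied from the quoted dump, the "total: 5" line is constructed to match the subset, and the function names are hypothetical.

```python
import re

# Suite lines copied from the quoted dump; the total line is constructed.
SAMPLE_DUMP = """\
Cipher suites for @SYSTEM:
- TLS_AES_256_GCM_SHA384                                0x13, 0x02      TLS1.3
- TLS_ECDHE_RSA_AES_256_GCM_SHA384                      0xc0, 0x30      TLS1.2
- TLS_ECDHE_RSA_AES_256_CBC_SHA1                        0xc0, 0x14      TLS1.0
- TLS_RSA_AES_256_GCM_SHA384                            0x00, 0x9d      TLS1.2
- TLS_RSA_AES_128_CBC_SHA1                              0x00, 0x2f      TLS1.0
total: 5 ciphers
"""

LINE_RE = re.compile(r"^\s*-\s+(?P<name>TLS_\w+)\s+0x(?P<hi>[0-9a-f]{2}),\s*"
                     r"0x(?P<lo>[0-9a-f]{2})\s+(?P<proto>\S+)\s*$", re.I)
TOTAL_RE = re.compile(r"^\s*total:\s+(\d+)\s+ciphers\s*$")


def parse_dump(text):
    """Return [(name, 16-bit id, protocol column)]; raise if 'total:' disagrees."""
    suites, total = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            suite_id = (int(m["hi"], 16) << 8) | int(m["lo"], 16)
            suites.append((m["name"], suite_id, m["proto"]))
        elif (t := TOTAL_RE.match(line)):
            total = int(t.group(1))
    if total is not None and total != len(suites):
        raise ValueError(f"dump says {total} suites, parsed {len(suites)}")
    return suites


def review(suites):
    """Group suites by properties worth a second look in a policy review."""
    findings = {"no_forward_secrecy": [], "cbc_sha1": []}
    for name, _suite_id, _proto in suites:
        # Names starting TLS_RSA_ use static RSA key exchange (no ECDHE/DHE).
        if name.startswith("TLS_RSA_"):
            findings["no_forward_secrecy"].append(name)
        # CBC with HMAC-SHA1 is the non-AEAD construction in this list.
        if name.endswith("_CBC_SHA1"):
            findings["cbc_sha1"].append(name)
    return findings


if __name__ == "__main__":
    for name, suite_id, proto in parse_dump(SAMPLE_DUMP):
        print(f"0x{suite_id:04x} {proto} {name}")
    print(review(parse_dump(SAMPLE_DUMP)))
```
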


