From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Thomas Huth" <thuth@redhat.com>
Subject: [PULL 6/8] crypto: query gcrypt for cipher availability
Date: Tue, 19 Mar 2024 20:21:19 +0000 [thread overview]
Message-ID: <20240319202121.233130-7-berrange@redhat.com> (raw)
In-Reply-To: <20240319202121.233130-1-berrange@redhat.com>
Just because a cipher is defined in the gcrypt header file, does not
imply that it can be used. Distros can filter the list of ciphers when
building gcrypt. For example, RHEL-9 disables the SM4 cipher. It is
also possible that running in FIPS mode might dynamically change what
ciphers are available at runtime.
qcrypto_cipher_supports must therefore query gcrypt directly to check
for cipher availability.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
crypto/cipher-gcrypt.c.inc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/crypto/cipher-gcrypt.c.inc b/crypto/cipher-gcrypt.c.inc
index 6b82280f90..4a8314746d 100644
--- a/crypto/cipher-gcrypt.c.inc
+++ b/crypto/cipher-gcrypt.c.inc
@@ -93,6 +93,11 @@ bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
return false;
}
+ if (gcry_cipher_algo_info(qcrypto_cipher_alg_to_gcry_alg(alg),
+ GCRYCTL_TEST_ALGO, NULL, NULL) != 0) {
+ return false;
+ }
+
switch (mode) {
case QCRYPTO_CIPHER_MODE_ECB:
case QCRYPTO_CIPHER_MODE_CBC:
--
2.43.0
next prev parent reply other threads:[~2024-03-19 20:22 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-19 20:21 [PULL 0/8] Misc fixes patches Daniel P. Berrangé
2024-03-19 20:21 ` [PULL 1/8] seccomp: report EPERM instead of killing process for spawn set Daniel P. Berrangé
2024-03-19 20:21 ` [PULL 2/8] chardev: lower priority of the HUP GSource in socket chardev Daniel P. Berrangé
2024-03-19 20:21 ` [PULL 3/8] Revert "chardev/char-socket: Fix TLS io channels sending too much data to the backend" Daniel P. Berrangé
2024-03-19 20:21 ` [PULL 4/8] Revert "chardev: use a child source for qio input source" Daniel P. Berrangé
2024-03-19 20:21 ` [PULL 5/8] crypto: factor out conversion of QAPI to gcrypt constants Daniel P. Berrangé
2024-03-19 20:21 ` Daniel P. Berrangé [this message]
2024-03-19 20:21 ` [PULL 7/8] crypto: use error_abort for unexpected failures Daniel P. Berrangé
2024-03-19 20:21 ` [PULL 8/8] crypto: report which ciphers are being skipped during tests Daniel P. Berrangé
2024-03-20 15:04 ` [PULL 0/8] Misc fixes patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240319202121.233130-7-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.