Re: [PATCH 1/3] crypto: Add qcrypto_tls_shutdown()

From: Eric Blake
Subject: Re: [PATCH 1/3] crypto: Add qcrypto_tls_shutdown()
Date: Tue, 31 Mar 2020 10:17:49 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0

On 3/31/20 3:30 AM, Markus Armbruster wrote:
Eric Blake <address@hidden> writes:

Gnutls documents that applications that want to distinguish between a
clean end-of-communication and a malicious client abruptly tearing the
underlying transport out from under our feet need to use gnutls_bye().
Our channel code is already set up to allow shutdown requests, but we
weren't forwarding those to gnutls.  To make that work, we first need
a new entry point that can isolate the rest of our code from the
gnutls interface.

+int qcrypto_tls_session_shutdown(QCryptoTLSSession *session,
+                                 QCryptoShutdownMode how)
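Review bot: the declaration shown here needs a doc comment, since a wrapper around gnutls_bye() has two behaviours callers must know about: which gnutls_bye() mode each QCryptoShutdownMode value selects (send our close_notify only, or also wait for the peer's), and what the return value means when the underlying channel is non-blocking, because gnutls_bye() can return GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED and must then be called again. Without that, the channel code forwarding shutdown requests cannot tell a "retry later" result from a failed shutdown.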

This is a thin wrapper around gnutls_bye().  I understand this is an
abstraction layer backed by GnuTLS.  Not sure abstracting from just one
concrete thing is a good idea, but that's way out of scope here.

If we ever add an alternative TLS implementation to gnutls, then the abstraction is useful. But I'm not sure how likely that is, so maybe Dan has more insight why he chose this design originally.

In scope: why do you need QCryptoShutdownMode be a QAPI type?

I don't, other than the fact that other TLS parameters were also QAPI types (such as QCryptoTLSCredsEndpoint).

But that may be moot, as Dan argued that this series adds more complexity than it is worth (I originally wrote it while trying to debug an nbdkit bug; but in the meantime, I have fixed the nbdkit bug without any change to qemu behavior). So at this point, I will probably not be posting a v2 of this series.

Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
