qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object


From: Philippe Mathieu-Daudé
Subject: Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
Date: Thu, 28 May 2020 12:17:08 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0

On 5/27/20 1:36 PM, Daniel P. Berrangé wrote:
> On Tue, May 19, 2020 at 08:20:23PM +0200, Philippe Mathieu-Daudé wrote:
>> Example of use to dump:
>>
>>   $ qemu-system-x86_64 -S \
>>     -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
>>   Cipher suites for @SYSTEM:
>>   - TLS_AES_256_GCM_SHA384                                0x13, 0x02      
>> TLS1.3
>>   - TLS_CHACHA20_POLY1305_SHA256                          0x13, 0x03      
>> TLS1.3
>>   - TLS_AES_128_GCM_SHA256                                0x13, 0x01      
>> TLS1.3
>>   - TLS_AES_128_CCM_SHA256                                0x13, 0x04      
>> TLS1.3
>>   - TLS_ECDHE_RSA_AES_256_GCM_SHA384                      0xc0, 0x30      
>> TLS1.2
>>   - TLS_ECDHE_RSA_CHACHA20_POLY1305                       0xcc, 0xa8      
>> TLS1.2
>>   - TLS_ECDHE_RSA_AES_256_CBC_SHA1                        0xc0, 0x14      
>> TLS1.0
>>   - TLS_ECDHE_RSA_AES_128_GCM_SHA256                      0xc0, 0x2f      
>> TLS1.2
>>   - TLS_ECDHE_RSA_AES_128_CBC_SHA1                        0xc0, 0x13      
>> TLS1.0
>>   - TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                    0xc0, 0x2c      
>> TLS1.2
>>   - TLS_ECDHE_ECDSA_CHACHA20_POLY1305                     0xcc, 0xa9      
>> TLS1.2
>>   - TLS_ECDHE_ECDSA_AES_256_CCM                           0xc0, 0xad      
>> TLS1.2
>>   - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                      0xc0, 0x0a      
>> TLS1.0
>>   - TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                    0xc0, 0x2b      
>> TLS1.2
>>   - TLS_ECDHE_ECDSA_AES_128_CCM                           0xc0, 0xac      
>> TLS1.2
>>   - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                      0xc0, 0x09      
>> TLS1.0
>>   - TLS_RSA_AES_256_GCM_SHA384                            0x00, 0x9d      
>> TLS1.2
>>   - TLS_RSA_AES_256_CCM                                   0xc0, 0x9d      
>> TLS1.2
>>   - TLS_RSA_AES_256_CBC_SHA1                              0x00, 0x35      
>> TLS1.0
>>   - TLS_RSA_AES_128_GCM_SHA256                            0x00, 0x9c      
>> TLS1.2
>>   - TLS_RSA_AES_128_CCM                                   0xc0, 0x9c      
>> TLS1.2
>>   - TLS_RSA_AES_128_CBC_SHA1                              0x00, 0x2f      
>> TLS1.0
>>   - TLS_DHE_RSA_AES_256_GCM_SHA384                        0x00, 0x9f      
>> TLS1.2
>>   - TLS_DHE_RSA_CHACHA20_POLY1305                         0xcc, 0xaa      
>> TLS1.2
>>   - TLS_DHE_RSA_AES_256_CCM                               0xc0, 0x9f      
>> TLS1.2
>>   - TLS_DHE_RSA_AES_256_CBC_SHA1                          0x00, 0x39      
>> TLS1.0
>>   - TLS_DHE_RSA_AES_128_GCM_SHA256                        0x00, 0x9e      
>> TLS1.2
>>   - TLS_DHE_RSA_AES_128_CCM                               0xc0, 0x9e      
>> TLS1.2
>>   - TLS_DHE_RSA_AES_128_CBC_SHA1                          0x00, 0x33      
>> TLS1.0
>>   total: 29 ciphers
> 
> IMHO this "verbose" option shouldn't exist. Instead we should be
> using the QEMU trace infrastructure to log this information. This
> will make it possible to trace the info at runtime in production
> deployments too

OK, clever.

> 
>> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
>> +                                const char *priority_name, Error **errp)
>> +{
>> +#ifdef CONFIG_GNUTLS
> 
> Instead of doing this......
> 
> 
>> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
>> index c2a371b0b4..ce706d322a 100644
>> --- a/crypto/Makefile.objs
>> +++ b/crypto/Makefile.objs
>> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
>>  crypto-obj-$(CONFIG_AF_ALG) += afalg.o
>>  crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
>>  crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
>> +crypto-obj-y += tls-cipher-suites.o
> 
> ....Use crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o
> 
> This lets the mgmt appliction introspect QEMU to discover whether the
> TLS cipher suits object is present & usable.

OK, thanks!

> 
>>  crypto-obj-y += tlscreds.o
>>  crypto-obj-y += tlscredsanon.o
>>  crypto-obj-y += tlscredspsk.o
>> -- 
>> 2.21.3
>>
> 
> Regards,
> Daniel
> 




reply via email to

[Prev in Thread] Current Thread [Next in Thread]