[Qemu-devel] [PATCH 1/2] crypto: add support for TLS priority string override

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH 1/2] crypto: add support for TLS priority string override
Date: Mon, 13 Jun 2016 13:13:52 +0100	[thread overview]
Message-ID: <1465820033-5078-2-git-send-email-berrange@redhat.com> (raw)
In-Reply-To: <1465820033-5078-1-git-send-email-berrange@redhat.com>

The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.

Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
strong default than all others, it can't do this via the global
config file.

This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.

For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:

  $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
                priority="NORMAL:-VERS-SSL3.0" \
        ..other args...

If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
 crypto/tlscreds.c         | 26 ++++++++++++++++++++++++++
 crypto/tlssession.c       | 26 +++++++++++++++++++-------
 include/crypto/tlscreds.h |  1 +
 3 files changed, 46 insertions(+), 7 deletions(-)

diff --git a/crypto/tlscreds.c b/crypto/tlscreds.c
index 1620e12..a896553 100644
--- a/crypto/tlscreds.c
+++ b/crypto/tlscreds.c
@@ -179,6 +179,27 @@ qcrypto_tls_creds_prop_get_dir(Object *obj,
 
 
 static void
+qcrypto_tls_creds_prop_set_priority(Object *obj,
+                                    const char *value,
+                                    Error **errp G_GNUC_UNUSED)
+{
+    QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+    creds->priority = g_strdup(value);
+}
+
+
+static char *
+qcrypto_tls_creds_prop_get_priority(Object *obj,
+                                    Error **errp G_GNUC_UNUSED)
+{
+    QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
+
+    return g_strdup(creds->priority);
+}
+
+
+static void
 qcrypto_tls_creds_prop_set_endpoint(Object *obj,
                                     int value,
                                     Error **errp G_GNUC_UNUSED)
@@ -216,6 +237,10 @@ qcrypto_tls_creds_class_init(ObjectClass *oc, void *data)
                                    qcrypto_tls_creds_prop_get_endpoint,
                                    qcrypto_tls_creds_prop_set_endpoint,
                                    NULL);
+    object_class_property_add_str(oc, "priority",
+                                  qcrypto_tls_creds_prop_get_priority,
+                                  qcrypto_tls_creds_prop_set_priority,
+                                  NULL);
 }
 
 
@@ -234,6 +259,7 @@ qcrypto_tls_creds_finalize(Object *obj)
     QCryptoTLSCreds *creds = QCRYPTO_TLS_CREDS(obj);
 
     g_free(creds->dir);
+    g_free(creds->priority);
 }
 
 
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index a543e5a..2112d29 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -132,14 +132,22 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
     if (object_dynamic_cast(OBJECT(creds),
                             TYPE_QCRYPTO_TLS_CREDS_ANON)) {
         QCryptoTLSCredsAnon *acreds = QCRYPTO_TLS_CREDS_ANON(creds);
+        char *prio;
 
-        ret = gnutls_priority_set_direct(session->handle,
-                                         "NORMAL:+ANON-DH", NULL);
+        if (creds->priority != NULL) {
+            prio = g_strdup_printf("%s:+ANON-DH", creds->priority);
+        } else {
+            prio = g_strdup("NORMAL:+ANON-DH");
+        }
+
+        ret = gnutls_priority_set_direct(session->handle, prio, NULL);
         if (ret < 0) {
-            error_setg(errp, "Unable to set TLS session priority: %s",
-                       gnutls_strerror(ret));
+            error_setg(errp, "Unable to set TLS session priority %s: %s",
+                       prio, gnutls_strerror(ret));
+            g_free(prio);
             goto error;
         }
+        g_free(prio);
         if (creds->endpoint == QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
             ret = gnutls_credentials_set(session->handle,
                                          GNUTLS_CRD_ANON,
@@ -157,11 +165,15 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
     } else if (object_dynamic_cast(OBJECT(creds),
                                    TYPE_QCRYPTO_TLS_CREDS_X509)) {
         QCryptoTLSCredsX509 *tcreds = QCRYPTO_TLS_CREDS_X509(creds);
+        const char *prio = creds->priority;
+        if (!prio) {
+            prio = "NORMAL";
+        }
 
-        ret = gnutls_set_default_priority(session->handle);
+        ret = gnutls_priority_set_direct(session->handle, prio, NULL);
         if (ret < 0) {
-            error_setg(errp, "Cannot set default TLS session priority: %s",
-                       gnutls_strerror(ret));
+            error_setg(errp, "Cannot set default TLS session priority %s: %s",
+                       prio, gnutls_strerror(ret));
             goto error;
         }
         ret = gnutls_credentials_set(session->handle,
diff --git a/include/crypto/tlscreds.h b/include/crypto/tlscreds.h
index 8e2babd..59e9187 100644
--- a/include/crypto/tlscreds.h
+++ b/include/crypto/tlscreds.h
@@ -54,6 +54,7 @@ struct QCryptoTLSCreds {
     gnutls_dh_params_t dh_params;
 #endif
     bool verifyPeer;
+    char *priority;
 };
 
 
-- 
2.5.5

next prev parent reply	other threads:[~2016-06-13 12:14 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-06-13 12:13 [Qemu-devel] [PATCH 0/2] crypto: add flexibility in TLS priority setup Daniel P. Berrange
2016-06-13 12:13 ` Daniel P. Berrange [this message]
2016-06-13 12:13 ` [Qemu-devel] [PATCH 2/2] crypto: allow default TLS priority to be chosen at build time Daniel P. Berrange
2016-06-27  9:36 ` [Qemu-devel] [PATCH 0/2] crypto: add flexibility in TLS priority setup Daniel P. Berrange

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:1620e12 dfblob:a896553 dfblob:a543e5a dfblob:2112d29
dfblob:8e2babd dfblob:59e9187 )
 OR (
bs:"[Qemu-devel] [PATCH 1/2] crypto: add support for TLS priority string override" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1465820033-5078-2-git-send-email-berrange@redhat.com \
    --to=berrange@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.