From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Laszlo Ersek <lersek@redhat.com>,
qemu-devel@nongnu.org, Eduardo Habkost <ehabkost@redhat.com>
Subject: Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
Date: Thu, 28 May 2020 12:17:08 +0200 [thread overview]
Message-ID: <0207f87c-4dc0-431c-935b-a1f6d437be15@redhat.com> (raw)
In-Reply-To: <20200527113643.GL2665520@redhat.com>
On 5/27/20 1:36 PM, Daniel P. Berrangé wrote:
> On Tue, May 19, 2020 at 08:20:23PM +0200, Philippe Mathieu-Daudé wrote:
>> Example of use to dump:
>>
>> $ qemu-system-x86_64 -S \
>> -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
>> Cipher suites for @SYSTEM:
>> - TLS_AES_256_GCM_SHA384 0x13, 0x02 TLS1.3
>> - TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03 TLS1.3
>> - TLS_AES_128_GCM_SHA256 0x13, 0x01 TLS1.3
>> - TLS_AES_128_CCM_SHA256 0x13, 0x04 TLS1.3
>> - TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
>> - TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
>> - TLS_ECDHE_RSA_AES_256_CBC_SHA1 0xc0, 0x14 TLS1.0
>> - TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
>> - TLS_ECDHE_RSA_AES_128_CBC_SHA1 0xc0, 0x13 TLS1.0
>> - TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2c TLS1.2
>> - TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
>> - TLS_ECDHE_ECDSA_AES_256_CCM 0xc0, 0xad TLS1.2
>> - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a TLS1.0
>> - TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
>> - TLS_ECDHE_ECDSA_AES_128_CCM 0xc0, 0xac TLS1.2
>> - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09 TLS1.0
>> - TLS_RSA_AES_256_GCM_SHA384 0x00, 0x9d TLS1.2
>> - TLS_RSA_AES_256_CCM 0xc0, 0x9d TLS1.2
>> - TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 TLS1.0
>> - TLS_RSA_AES_128_GCM_SHA256 0x00, 0x9c TLS1.2
>> - TLS_RSA_AES_128_CCM 0xc0, 0x9c TLS1.2
>> - TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f TLS1.0
>> - TLS_DHE_RSA_AES_256_GCM_SHA384 0x00, 0x9f TLS1.2
>> - TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa TLS1.2
>> - TLS_DHE_RSA_AES_256_CCM 0xc0, 0x9f TLS1.2
>> - TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 TLS1.0
>> - TLS_DHE_RSA_AES_128_GCM_SHA256 0x00, 0x9e TLS1.2
>> - TLS_DHE_RSA_AES_128_CCM 0xc0, 0x9e TLS1.2
>> - TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 TLS1.0
>> total: 29 ciphers
>
> IMHO this "verbose" option shouldn't exist. Instead we should be
> using the QEMU trace infrastructure to log this information. This
> will make it possible to trace the info at runtime in production
> deployments too
OK, clever.
>
>> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
>> + const char *priority_name, Error **errp)
>> +{
>> +#ifdef CONFIG_GNUTLS
>
> Instead of doing this......
>
>
>> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
>> index c2a371b0b4..ce706d322a 100644
>> --- a/crypto/Makefile.objs
>> +++ b/crypto/Makefile.objs
>> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
>> crypto-obj-$(CONFIG_AF_ALG) += afalg.o
>> crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
>> crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
>> +crypto-obj-y += tls-cipher-suites.o
>
> ....Use crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o
>
> This lets the mgmt appliction introspect QEMU to discover whether the
> TLS cipher suits object is present & usable.
OK, thanks!
>
>> crypto-obj-y += tlscreds.o
>> crypto-obj-y += tlscredsanon.o
>> crypto-obj-y += tlscredspsk.o
>> --
>> 2.21.3
>>
>
> Regards,
> Daniel
>
next prev parent reply other threads:[~2020-05-28 10:18 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-19 18:20 [PATCH v6 0/5] fw_cfg: Add FW_CFG_DATA_GENERATOR; crypto: Add tls-cipher-suites Philippe Mathieu-Daudé
2020-05-19 18:20 ` [PATCH v6 1/5] hw/nvram/fw_cfg: Add the FW_CFG_DATA_GENERATOR interface Philippe Mathieu-Daudé
2020-05-19 22:01 ` Laszlo Ersek
2020-05-28 14:54 ` Philippe Mathieu-Daudé
2020-05-19 18:20 ` [PATCH v6 2/5] softmmu/vl: Let -fw_cfg option take a 'blob_id' argument Philippe Mathieu-Daudé
2020-05-19 22:34 ` Laszlo Ersek
2020-05-28 12:07 ` Philippe Mathieu-Daudé
2020-05-27 11:38 ` Daniel P. Berrangé
2020-05-19 18:20 ` [RFC PATCH v6 3/5] softmmu/vl: Allow -fw_cfg 'blob_id' option to set any file pathname Philippe Mathieu-Daudé
2020-05-19 18:22 ` Philippe Mathieu-Daudé
2020-05-19 22:45 ` Laszlo Ersek
2020-05-28 17:03 ` Philippe Mathieu-Daudé
2020-05-19 18:20 ` [PATCH v6 4/5] crypto: Add tls-cipher-suites object Philippe Mathieu-Daudé
2020-05-19 23:24 ` Laszlo Ersek
2020-05-27 11:36 ` Daniel P. Berrangé
2020-05-28 10:17 ` Philippe Mathieu-Daudé [this message]
2020-05-19 18:20 ` [PATCH v6 5/5] crypto/tls-cipher-suites: Product fw_cfg consumable blob Philippe Mathieu-Daudé
2020-05-19 22:49 ` Laszlo Ersek
2020-05-27 11:29 ` [PATCH v6 0/5] fw_cfg: Add FW_CFG_DATA_GENERATOR; crypto: Add tls-cipher-suites Philippe Mathieu-Daudé
2020-05-27 11:33 ` Daniel P. Berrangé
2020-05-27 11:34 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0207f87c-4dc0-431c-935b-a1f6d437be15@redhat.com \
--to=philmd@redhat.com \
--cc=berrange@redhat.com \
--cc=ehabkost@redhat.com \
--cc=kraxel@redhat.com \
--cc=lersek@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).