Re: [Qemu-devel] [PATCH v1 1/2] crypto: use glib as fallback for hash algorithm

["Daniel P. Berrange" <berrange@redhat.com>]

On Wed, Jul 06, 2016 at 08:53:56AM -0600, Eric Blake wrote:
> On 07/06/2016 05:58 AM, Alberto Garcia wrote:
> > On Tue 05 Jul 2016 12:49:59 PM CEST, "Daniel P. Berrange" <berrange@redhat.com> wrote:
> > 
> >> GLib >= 2.16 provides GChecksum API which is good enough
> >> for md5, sha1, sha256 and sha512. Use this as a final
> >> fallback if neither nettle or gcrypt are available. This
> >> lets us remove the stub hash impl, and so callers can
> >> be sure those 4 algs are always available at compile
> >> time. They may still be disabled at runtime, so a check
> >> for qcrypto_hash_supports() is still best practice to
> >> report good error messages.
> > 
> > Sorry if I missed the explanation, but how do you disable them at
> > runtime ?
> 
> FIPS is a common case where portions of a crypto lib are disabled at
> runtime based on whether the system is running in FIPS mode or not.  I
> don't think any of the hashes in the glib fallback are necessarily
> covered by FIPS disabling, so much as the qcrypto interface being
> interested in generically catering to this behavior across the various
> implementations.

Yep, currently none of the hashes are disabled by FIPS, but the QEMU
crypto API is designed to allow for that in the future, without us
needing to change the rest of QEMU code using those APIs

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|