From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Richard W.M. Jones" <rjones@redhat.com>
Cc: qemu-devel@nongnu.org, eblake@redhat.com, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v5] crypto: Implement TLS Pre-Shared Keys (PSK).
Date: Mon, 2 Jul 2018 08:52:01 +0100 [thread overview]
Message-ID: <20180702075201.GA4257@redhat.com> (raw)
In-Reply-To: <20180629174029.GR1455@redhat.com>
On Fri, Jun 29, 2018 at 06:40:29PM +0100, Richard W.M. Jones wrote:
> On Fri, Jun 29, 2018 at 06:03:43PM +0100, Daniel P. Berrangé wrote:
> > On Thu, Jun 28, 2018 at 07:46:24PM +0100, Richard W.M. Jones wrote:
> > > diff --git a/crypto/tlssession.c b/crypto/tlssession.c
> > > index 96a02deb69..50df64e0a9 100644
> > > --- a/crypto/tlssession.c
> > > +++ b/crypto/tlssession.c
> > > @@ -21,6 +21,7 @@
> > > #include "qemu/osdep.h"
> > > #include "crypto/tlssession.h"
> > > #include "crypto/tlscredsanon.h"
> > > +#include "crypto/tlscredspsk.h"
> > > #include "crypto/tlscredsx509.h"
> > > #include "qapi/error.h"
> > > #include "qemu/acl.h"
> > > @@ -88,6 +89,8 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t len)
> > > return session->readFunc(buf, len, session->opaque);
> > > }
> > >
> > > +#define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH"
> > > +#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK"
> >
> > Unfortunately in testing this I learn ECDHE-PSK is only supported when
> > using GNUTLS >= 3.0, so can you make this conditional based on
> > GNUTLS_VERSION_MAJOR >= 3
>
> GnuTLS 3.0 was released in 2011, and the last 2.x version seems to be
> from 2009. Do we need to support such old versions?
With our recently introduced platform support guidelines, I think we can
likely drop 2.x. The issue is timing though - feature freeze deadline is
tomorrow, and I really want to get your PSK patch included without more
delay. So just making it conditional is the simplest way to achieve it.
> I looked at the configure script. It seems as if we will try to use
> any version of GnuTLS, even ancient ones (although other sub-features
> require later versions of GnuTLS). But if I'm understanding it
> correctly, by forcing both GnuTLS >= 3.0.0 and Nettle we could
> eliminate all the conditionals there, except for one Nettle test.
We still need support for gcrypt unfortunately, since nettle is not covered
by FIPS certs. So while we will be able to delete a bunch of compat code,
we'll need to refactor much of the configure test logic. I don't want to
risk doing that the day before feature freeze.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2018-07-02 7:52 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-28 18:46 [Qemu-devel] [PATCH v5] crypto: Implement TLS Pre-Shared Keys (PSK) Richard W.M. Jones
2018-06-28 18:46 ` Richard W.M. Jones
2018-06-29 17:03 ` Daniel P. Berrangé
2018-06-29 17:40 ` Richard W.M. Jones
2018-07-02 7:52 ` Daniel P. Berrangé [this message]
2018-07-02 11:54 ` Eric Blake
2018-07-02 12:18 ` Daniel P. Berrangé
2018-07-03 7:56 ` Richard W.M. Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180702075201.GA4257@redhat.com \
--to=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=rjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).