From: Paolo Bonzini
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Cc: Gerd Hoffmann
Subject: Re: [Qemu-devel] [PATCH v6 00/11] Extract TLS handling code from VNC server
Date: Tue, 8 Sep 2015 12:04:11 +0200
Message-ID: <55EEB29B.6090108@redhat.com>
In-Reply-To: <1441192690-15413-1-git-send-email-berrange@redhat.com>
References: <1441192690-15413-1-git-send-email-berrange@redhat.com>

On 02/09/2015 13:17, Daniel P. Berrange wrote:
> This small patch series is a formal submission of another part
> of my previous series
>
> v1: https://lists.gnu.org/archive/html/qemu-devel/2015-04/msg02038.html
> v2: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg01267.html
> v3: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg01386.html
> v4: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg02655.html
> v5: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg03159.html
>
> Now we have the basic crypto module defined for hash/cipher APIs,
> we extend it to also cover TLS credential and TLS session handling
> APIs. These new TLS related APIs obsolete the vast majority of the
> TLS handling code in the current VNC server. As a result the VNC
> server no longer has to worry about conditional compilation for
> GNUTLS. It also gives us code reuse for future patches which intend
> to add TLS support to chardevs, migration, nbd, etc.
>
> This series deprecates the existing way of configuring TLS for
> VNC on the command line, but maintains support for back-compat
> reasons.
>
> Since the TLS code is now totally isolated from the VNC server it
> is also practical to provide significant unit test coverage of what
> is security critical code.
>
> Aside from the new CLI syntax for configuring TLS with VNC, the
> only other functional change is to allow Diffie-Hellman params
> to be loaded from a file, instead of being generated at startup.
>
> Changes in v6:
>
>  - Remove use of -Wl,--whole-archive added in v5 since it
>    bloated the binary sizes too much
>  - Move crypto code out of libqemuutil.a to allow linking
>    with QOM without problem of linker dropping objects only
>    referenced via constructors
>  - Allow tools to link to QOM objects
>  - Remove repetition in unit test object deps
>  - Remove trailing '.' from error messages in TLS code
>  - Remove leading '_' from struct name in TLS session
>  - Fix leak of TLS credentials in cert checking error path
>  - Added docs for enhancement to enum code generator
>  - Misc docs typos & indentation fixes
>  - Add more sanity checking to enum code generator
>  - Add tests to cover enum code generator enhancement
>  - Fix dereference of Error **errp variables
>  - Fix overwriting of already set Error * variable in tests
>  - Use CHAR_BIT constant in sasl code
>  - Fix incorrect return status in VNC TLS code error path

I think the patches are great, and I'm not sure if anyone is in a
better position than you to decide if they're ready. I don't even
know if anyone really understands the VNC TLS code and thus can
review patch 11. :)

So I would just ask you to send a pull request.

Paolo