[PATCH v6 4/5] crypto: Add tls-cipher-suites object

Philippe Mathieu-Daudé posted 5 patches 5 years, 5 months ago
There is a newer version of this series
[PATCH v6 4/5] crypto: Add tls-cipher-suites object
Posted by Philippe Mathieu-Daudé 5 years, 5 months ago
Example of use to dump the cipher suites:

  $ qemu-system-x86_64 -S \
    -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
  Cipher suites for @SYSTEM:
  - TLS_AES_256_GCM_SHA384                                0x13, 0x02      TLS1.3
  - TLS_CHACHA20_POLY1305_SHA256                          0x13, 0x03      TLS1.3
  - TLS_AES_128_GCM_SHA256                                0x13, 0x01      TLS1.3
  - TLS_AES_128_CCM_SHA256                                0x13, 0x04      TLS1.3
  - TLS_ECDHE_RSA_AES_256_GCM_SHA384                      0xc0, 0x30      TLS1.2
  - TLS_ECDHE_RSA_CHACHA20_POLY1305                       0xcc, 0xa8      TLS1.2
  - TLS_ECDHE_RSA_AES_256_CBC_SHA1                        0xc0, 0x14      TLS1.0
  - TLS_ECDHE_RSA_AES_128_GCM_SHA256                      0xc0, 0x2f      TLS1.2
  - TLS_ECDHE_RSA_AES_128_CBC_SHA1                        0xc0, 0x13      TLS1.0
  - TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                    0xc0, 0x2c      TLS1.2
  - TLS_ECDHE_ECDSA_CHACHA20_POLY1305                     0xcc, 0xa9      TLS1.2
  - TLS_ECDHE_ECDSA_AES_256_CCM                           0xc0, 0xad      TLS1.2
  - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                      0xc0, 0x0a      TLS1.0
  - TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                    0xc0, 0x2b      TLS1.2
  - TLS_ECDHE_ECDSA_AES_128_CCM                           0xc0, 0xac      TLS1.2
  - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                      0xc0, 0x09      TLS1.0
  - TLS_RSA_AES_256_GCM_SHA384                            0x00, 0x9d      TLS1.2
  - TLS_RSA_AES_256_CCM                                   0xc0, 0x9d      TLS1.2
  - TLS_RSA_AES_256_CBC_SHA1                              0x00, 0x35      TLS1.0
  - TLS_RSA_AES_128_GCM_SHA256                            0x00, 0x9c      TLS1.2
  - TLS_RSA_AES_128_CCM                                   0xc0, 0x9c      TLS1.2
  - TLS_RSA_AES_128_CBC_SHA1                              0x00, 0x2f      TLS1.0
  - TLS_DHE_RSA_AES_256_GCM_SHA384                        0x00, 0x9f      TLS1.2
  - TLS_DHE_RSA_CHACHA20_POLY1305                         0xcc, 0xaa      TLS1.2
  - TLS_DHE_RSA_AES_256_CCM                               0xc0, 0x9f      TLS1.2
  - TLS_DHE_RSA_AES_256_CBC_SHA1                          0x00, 0x39      TLS1.0
  - TLS_DHE_RSA_AES_128_GCM_SHA256                        0x00, 0x9e      TLS1.2
  - TLS_DHE_RSA_AES_128_CCM                               0xc0, 0x9e      TLS1.2
  - TLS_DHE_RSA_AES_128_CBC_SHA1                          0x00, 0x33      TLS1.0
  total: 29 ciphers

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 include/crypto/tls-cipher-suites.h |  39 +++++++++
 crypto/tls-cipher-suites.c         | 133 +++++++++++++++++++++++++++++
 crypto/Makefile.objs               |   1 +
 3 files changed, 173 insertions(+)
 create mode 100644 include/crypto/tls-cipher-suites.h
 create mode 100644 crypto/tls-cipher-suites.c

diff --git a/include/crypto/tls-cipher-suites.h b/include/crypto/tls-cipher-suites.h
new file mode 100644
index 0000000000..31e92916e1
--- /dev/null
+++ b/include/crypto/tls-cipher-suites.h
@@ -0,0 +1,39 @@
+/*
+ * QEMU TLS Cipher Suites
+ *
+ * Copyright (c) 2019 Red Hat, Inc.
+ *
+ * Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef QCRYPTO_TLSCIPHERSUITES_H
+#define QCRYPTO_TLSCIPHERSUITES_H
+
+#include "qom/object.h"
+#include "crypto/tlscreds.h"
+
+#define TYPE_QCRYPTO_TLS_CIPHER_SUITES "tls-cipher-suites"
+#define QCRYPTO_TLS_CIPHER_SUITES(obj) \
+    OBJECT_CHECK(QCryptoTLSCipherSuites, (obj), TYPE_QCRYPTO_TLS_CIPHER_SUITES)
+
+/*
+ * IANA registered TLS ciphers:
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
+ */
+typedef struct {
+    uint8_t data[2];
+} IANA_TLS_CIPHER;
+
+typedef struct QCryptoTLSCipherSuites {
+    /* <private> */
+    QCryptoTLSCreds parent_obj;
+
+    /* <public> */
+    bool verbose;
+    IANA_TLS_CIPHER *cipher_list;
+    unsigned cipher_count;
+} QCryptoTLSCipherSuites;
+
+#endif /* QCRYPTO_TLSCIPHERSUITES_H */
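Review bot: The public fields of QCryptoTLSCipherSuites are undocumented, so a consumer reading only this header cannot tell who owns `cipher_list` or what it is allowed to contain. Going by crypto/tls-cipher-suites.c in this same patch, the array is grown with g_renew() and released in the instance finalizer, and it records every suite the priority string resolves to with no filtering; the example output in the commit message includes TLS1.0 CBC-SHA1 and plain-RSA key-exchange suites. I would add a comment above the fields along the lines of `/* cipher_list: cipher_count two-byte IANA code points, owned by this object and freed on finalize; contents are exactly what 'priority' enables, not filtered for strength */`. That makes it explicit that choosing a restrictive priority string is the caller's job and that code consuming the list must not assume a minimum protocol version.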
diff --git a/crypto/tls-cipher-suites.c b/crypto/tls-cipher-suites.c
new file mode 100644
index 0000000000..c6c51359bd
--- /dev/null
+++ b/crypto/tls-cipher-suites.c
@@ -0,0 +1,133 @@
+/*
+ * QEMU TLS Cipher Suites
+ *
+ * Copyright (c) 2019 Red Hat, Inc.
+ *
+ * Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qom/object_interfaces.h"
+#include "qemu/error-report.h"
+#include "crypto/tlscreds.h"
+#include "crypto/tls-cipher-suites.h"
+
+static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
+                                const char *priority_name, Error **errp)
+{
+#ifdef CONFIG_GNUTLS
+    int ret;
+    unsigned int idx;
+    const char *name;
+    const char *err;
+    gnutls_protocol_t version;
+    gnutls_priority_t pcache;
+
+    assert(priority_name);
+    ret = gnutls_priority_init(&pcache, priority_name, &err);
+    if (ret < 0) {
+        error_setg(errp, "Syntax error using priority '%s': %s",
+                   priority_name, gnutls_strerror(ret));
+        return;
+    }
+
+    if (s->verbose) {
+        fprintf(stderr, "Cipher suites for %s:\n", priority_name);
+    }
+    for (size_t i = 0;; i++) {
+        ret = gnutls_priority_get_cipher_suite_index(pcache, i, &idx);
+        if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+            break;
+        }
+        if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE) {
+            continue;
+        }
+        s->cipher_list = g_renew(IANA_TLS_CIPHER,
+                                 s->cipher_list, s->cipher_count + 1);
+
+        name = gnutls_cipher_suite_info(idx,
+                                        s->cipher_list[s->cipher_count].data,
+                                        NULL, NULL, NULL, &version);
+        if (name != NULL) {
+            if (s->verbose) {
+                fprintf(stderr, "- %-50s\t0x%02x, 0x%02x\t%s\n", name,
+                        s->cipher_list[s->cipher_count].data[0],
+                        s->cipher_list[s->cipher_count].data[1],
+                        gnutls_protocol_get_name(version));
+            }
+            s->cipher_count++;
+       }
+    }
+    if (s->verbose) {
+        fprintf(stderr, "total: %u ciphers\n", s->cipher_count);
+    }
+    gnutls_priority_deinit(pcache);
+#else
+    error_setg(errp, "GNU TLS not available");
+#endif /* CONFIG_GNUTLS */
+}
+
+static void qcrypto_tls_cipher_suites_complete(UserCreatable *uc, Error **errp)
+{
+    QCryptoTLSCreds *s = QCRYPTO_TLS_CREDS(uc);
+
+    if (!s->priority) {
+        error_setg(errp, "'priority' property is not set");
+        return;
+    }
+    parse_cipher_suites(QCRYPTO_TLS_CIPHER_SUITES(s), s->priority, errp);
+}
+
+static void qcrypto_tls_cipher_suites_set_verbose(Object *obj, bool value,
+                                                 Error **errp G_GNUC_UNUSED)
+{
+    QCRYPTO_TLS_CIPHER_SUITES(obj)->verbose = value;
+}
+
+
+static bool qcrypto_tls_cipher_suites_get_verbose(Object *obj,
+                                                 Error **errp G_GNUC_UNUSED)
+{
+    return QCRYPTO_TLS_CIPHER_SUITES(obj)->verbose;
+}
+
+static void qcrypto_tls_cipher_suites_finalize(Object *obj)
+{
+    QCryptoTLSCipherSuites *s = QCRYPTO_TLS_CIPHER_SUITES(obj);
+
+    g_free(s->cipher_list);
+}
+
+static void qcrypto_tls_cipher_suites_class_init(ObjectClass *oc, void *data)
+{
+    UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+
+    ucc->complete = qcrypto_tls_cipher_suites_complete;
+
+    object_class_property_add_bool(oc, "verbose",
+                                   qcrypto_tls_cipher_suites_get_verbose,
+                                   qcrypto_tls_cipher_suites_set_verbose);
+}
+
+static const TypeInfo qcrypto_tls_cipher_suites_info = {
+    .parent = TYPE_QCRYPTO_TLS_CREDS,
+    .name = TYPE_QCRYPTO_TLS_CIPHER_SUITES,
+    .instance_size = sizeof(QCryptoTLSCipherSuites),
+    .instance_finalize = qcrypto_tls_cipher_suites_finalize,
+    .class_size = sizeof(QCryptoTLSCredsClass),
+    .class_init = qcrypto_tls_cipher_suites_class_init,
+    .interfaces = (InterfaceInfo[]) {
+        { TYPE_USER_CREATABLE },
+        { }
+    }
+};
+
+static void qcrypto_tls_cipher_suites_register_types(void)
+{
+    type_register_static(&qcrypto_tls_cipher_suites_info);
+}
+
+type_init(qcrypto_tls_cipher_suites_register_types);
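Review bot: In parse_cipher_suites() the loop only tests for GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE and GNUTLS_E_UNKNOWN_CIPHER_SUITE, so any other negative return from gnutls_priority_get_cipher_suite_index() would fall through and hand an unset `idx` to gnutls_cipher_suite_info(). A catch-all after the two checks closes that and still reaches gnutls_priority_deinit(): `if (ret < 0) { error_setg(errp, "Unable to list cipher suites for '%s': %s", priority_name, gnutls_strerror(ret)); break; }`. Separately, the `err` pointer filled in by gnutls_priority_init() is never read, and every failure is reported as a syntax error whatever `ret` is. Either pass NULL there or include the `err` position in the message so the user can see where in the priority string parsing stopped.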
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index c2a371b0b4..ce706d322a 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
 crypto-obj-$(CONFIG_AF_ALG) += afalg.o
 crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
 crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
+crypto-obj-y += tls-cipher-suites.o
 crypto-obj-y += tlscreds.o
 crypto-obj-y += tlscredsanon.o
 crypto-obj-y += tlscredspsk.o
-- 
2.21.3


Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
Posted by Laszlo Ersek 5 years, 5 months ago
On 05/19/20 20:20, Philippe Mathieu-Daudé wrote:
> Example of use to dump:
>
>   $ qemu-system-x86_64 -S \
>     -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
>   Cipher suites for @SYSTEM:
>   - TLS_AES_256_GCM_SHA384                                0x13, 0x02      TLS1.3
>   - TLS_CHACHA20_POLY1305_SHA256                          0x13, 0x03      TLS1.3
>   - TLS_AES_128_GCM_SHA256                                0x13, 0x01      TLS1.3
>   - TLS_AES_128_CCM_SHA256                                0x13, 0x04      TLS1.3
>   - TLS_ECDHE_RSA_AES_256_GCM_SHA384                      0xc0, 0x30      TLS1.2
>   - TLS_ECDHE_RSA_CHACHA20_POLY1305                       0xcc, 0xa8      TLS1.2
>   - TLS_ECDHE_RSA_AES_256_CBC_SHA1                        0xc0, 0x14      TLS1.0
>   - TLS_ECDHE_RSA_AES_128_GCM_SHA256                      0xc0, 0x2f      TLS1.2
>   - TLS_ECDHE_RSA_AES_128_CBC_SHA1                        0xc0, 0x13      TLS1.0
>   - TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                    0xc0, 0x2c      TLS1.2
>   - TLS_ECDHE_ECDSA_CHACHA20_POLY1305                     0xcc, 0xa9      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_256_CCM                           0xc0, 0xad      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                      0xc0, 0x0a      TLS1.0
>   - TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                    0xc0, 0x2b      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_128_CCM                           0xc0, 0xac      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                      0xc0, 0x09      TLS1.0
>   - TLS_RSA_AES_256_GCM_SHA384                            0x00, 0x9d      TLS1.2
>   - TLS_RSA_AES_256_CCM                                   0xc0, 0x9d      TLS1.2
>   - TLS_RSA_AES_256_CBC_SHA1                              0x00, 0x35      TLS1.0
>   - TLS_RSA_AES_128_GCM_SHA256                            0x00, 0x9c      TLS1.2
>   - TLS_RSA_AES_128_CCM                                   0xc0, 0x9c      TLS1.2
>   - TLS_RSA_AES_128_CBC_SHA1                              0x00, 0x2f      TLS1.0
>   - TLS_DHE_RSA_AES_256_GCM_SHA384                        0x00, 0x9f      TLS1.2
>   - TLS_DHE_RSA_CHACHA20_POLY1305                         0xcc, 0xaa      TLS1.2
>   - TLS_DHE_RSA_AES_256_CCM                               0xc0, 0x9f      TLS1.2
>   - TLS_DHE_RSA_AES_256_CBC_SHA1                          0x00, 0x39      TLS1.0
>   - TLS_DHE_RSA_AES_128_GCM_SHA256                        0x00, 0x9e      TLS1.2
>   - TLS_DHE_RSA_AES_128_CCM                               0xc0, 0x9e      TLS1.2
>   - TLS_DHE_RSA_AES_128_CBC_SHA1                          0x00, 0x33      TLS1.0
>   total: 29 ciphers
>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
>  include/crypto/tls-cipher-suites.h |  39 +++++++++
>  crypto/tls-cipher-suites.c         | 133 +++++++++++++++++++++++++++++
>  crypto/Makefile.objs               |   1 +
>  3 files changed, 173 insertions(+)
>  create mode 100644 include/crypto/tls-cipher-suites.h
>  create mode 100644 crypto/tls-cipher-suites.c
>
> diff --git a/include/crypto/tls-cipher-suites.h b/include/crypto/tls-cipher-suites.h
> new file mode 100644
> index 0000000000..31e92916e1
> --- /dev/null
> +++ b/include/crypto/tls-cipher-suites.h
> @@ -0,0 +1,39 @@
> +/*
> + * QEMU TLS Cipher Suites
> + *
> + * Copyright (c) 2019 Red Hat, Inc.
> + *
> + * Author: Philippe Mathieu-Daudé <philmd@redhat.com>
> + *
> + * SPDX-License-Identifier: GPL-2.0-or-later
> + */
> +
> +#ifndef QCRYPTO_TLSCIPHERSUITES_H
> +#define QCRYPTO_TLSCIPHERSUITES_H
> +
> +#include "qom/object.h"
> +#include "crypto/tlscreds.h"
> +
> +#define TYPE_QCRYPTO_TLS_CIPHER_SUITES "tls-cipher-suites"
> +#define QCRYPTO_TLS_CIPHER_SUITES(obj) \
> +    OBJECT_CHECK(QCryptoTLSCipherSuites, (obj), TYPE_QCRYPTO_TLS_CIPHER_SUITES)
> +
> +/*
> + * IANA registered TLS ciphers:
> + * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
> + */
> +typedef struct {
> +    uint8_t data[2];
> +} IANA_TLS_CIPHER;

(1) I propose marking this as QEMU_PACKED, even if only for
documentation purposes.

> +
> +typedef struct QCryptoTLSCipherSuites {
> +    /* <private> */
> +    QCryptoTLSCreds parent_obj;
> +
> +    /* <public> */
> +    bool verbose;
> +    IANA_TLS_CIPHER *cipher_list;
> +    unsigned cipher_count;
> +} QCryptoTLSCipherSuites;
> +
> +#endif /* QCRYPTO_TLSCIPHERSUITES_H */
> diff --git a/crypto/tls-cipher-suites.c b/crypto/tls-cipher-suites.c
> new file mode 100644
> index 0000000000..c6c51359bd
> --- /dev/null
> +++ b/crypto/tls-cipher-suites.c
> @@ -0,0 +1,133 @@
> +/*
> + * QEMU TLS Cipher Suites
> + *
> + * Copyright (c) 2019 Red Hat, Inc.
> + *
> + * Author: Philippe Mathieu-Daudé <philmd@redhat.com>
> + *
> + * SPDX-License-Identifier: GPL-2.0-or-later
> + */
> +
> +#include "qemu/osdep.h"
> +#include "qapi/error.h"
> +#include "qom/object_interfaces.h"
> +#include "qemu/error-report.h"
> +#include "crypto/tlscreds.h"
> +#include "crypto/tls-cipher-suites.h"
> +
> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
> +                                const char *priority_name, Error **errp)
> +{
> +#ifdef CONFIG_GNUTLS
> +    int ret;
> +    unsigned int idx;
> +    const char *name;
> +    const char *err;
> +    gnutls_protocol_t version;
> +    gnutls_priority_t pcache;
> +
> +    assert(priority_name);
> +    ret = gnutls_priority_init(&pcache, priority_name, &err);
> +    if (ret < 0) {
> +        error_setg(errp, "Syntax error using priority '%s': %s",
> +                   priority_name, gnutls_strerror(ret));
> +        return;
> +    }
> +
> +    if (s->verbose) {
> +        fprintf(stderr, "Cipher suites for %s:\n", priority_name);
> +    }
> +    for (size_t i = 0;; i++) {
> +        ret = gnutls_priority_get_cipher_suite_index(pcache, i, &idx);
> +        if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
> +            break;
> +        }
> +        if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE) {
> +            continue;
> +        }
> +        s->cipher_list = g_renew(IANA_TLS_CIPHER,
> +                                 s->cipher_list, s->cipher_count + 1);
> +
> +        name = gnutls_cipher_suite_info(idx,
> +                                        s->cipher_list[s->cipher_count].data,
> +                                        NULL, NULL, NULL, &version);
> +        if (name != NULL) {
> +            if (s->verbose) {
> +                fprintf(stderr, "- %-50s\t0x%02x, 0x%02x\t%s\n", name,
> +                        s->cipher_list[s->cipher_count].data[0],
> +                        s->cipher_list[s->cipher_count].data[1],
> +                        gnutls_protocol_get_name(version));
> +            }
> +            s->cipher_count++;
> +       }
> +    }

(2) I propose turning this into two loops (in sequence), so that we
don't have to call g_renew() in any loop body. The first loop would just
filter & count, then we'd allocate once, and the second loop would
filter and populate.

Alternatively, I sometimes use the following pattern:

    unsigned mode;

    for (mode = 0; mode < 2; mode++) {
        size_t i;

        for (i = 0;; i++) {
            int ret;
            unsigned idx;
            const char *name;
            IANA_TLS_CIPHER cipher;
            gnutls_protocol_t version;

            ret = gnutls_priority_get_cipher_suite_index(pcache, i, &idx);
            if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
                break;
            }
            if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE) {
               continue;
            }

            name = gnutls_cipher_suite_info(idx, &cipher, NULL, NULL, NULL,
                                            &version);
            if (name == NULL) {
              continue;
            }

            if (mode == 1) {
                if (s->verbose) {
                    /* ... log "name" and "cipher" ... */
                }
                s->cipher_list[s->cipher_count] = cipher;
            }
            s->cipher_count++;
        }

        if (mode == 0) {
            if (s->cipher_count == 0) {
                break;
            }
            s->cipher_list = g_new(IANA_TLS_CIPHER, s->cipher_count);
            s->cipher_count = 0;
        }
    }

Feel free to ignore either point I've brought up.

No other comments from me for this patch.

Thanks,
Laszlo


> +    if (s->verbose) {
> +        fprintf(stderr, "total: %u ciphers\n", s->cipher_count);
> +    }
> +    gnutls_priority_deinit(pcache);
> +#else
> +    error_setg(errp, "GNU TLS not available");
> +#endif /* CONFIG_GNUTLS */
> +}
> +
> +static void qcrypto_tls_cipher_suites_complete(UserCreatable *uc, Error **errp)
> +{
> +    QCryptoTLSCreds *s = QCRYPTO_TLS_CREDS(uc);
> +
> +    if (!s->priority) {
> +        error_setg(errp, "'priority' property is not set");
> +        return;
> +    }
> +    parse_cipher_suites(QCRYPTO_TLS_CIPHER_SUITES(s), s->priority, errp);
> +}
> +
> +static void qcrypto_tls_cipher_suites_set_verbose(Object *obj, bool value,
> +                                                 Error **errp G_GNUC_UNUSED)
> +{
> +    QCRYPTO_TLS_CIPHER_SUITES(obj)->verbose = value;
> +}
> +
> +
> +static bool qcrypto_tls_cipher_suites_get_verbose(Object *obj,
> +                                                 Error **errp G_GNUC_UNUSED)
> +{
> +    return QCRYPTO_TLS_CIPHER_SUITES(obj)->verbose;
> +}
> +
> +static void qcrypto_tls_cipher_suites_finalize(Object *obj)
> +{
> +    QCryptoTLSCipherSuites *s = QCRYPTO_TLS_CIPHER_SUITES(obj);
> +
> +    g_free(s->cipher_list);
> +}
> +
> +static void qcrypto_tls_cipher_suites_class_init(ObjectClass *oc, void *data)
> +{
> +    UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
> +
> +    ucc->complete = qcrypto_tls_cipher_suites_complete;
> +
> +    object_class_property_add_bool(oc, "verbose",
> +                                   qcrypto_tls_cipher_suites_get_verbose,
> +                                   qcrypto_tls_cipher_suites_set_verbose);
> +}
> +
> +static const TypeInfo qcrypto_tls_cipher_suites_info = {
> +    .parent = TYPE_QCRYPTO_TLS_CREDS,
> +    .name = TYPE_QCRYPTO_TLS_CIPHER_SUITES,
> +    .instance_size = sizeof(QCryptoTLSCipherSuites),
> +    .instance_finalize = qcrypto_tls_cipher_suites_finalize,
> +    .class_size = sizeof(QCryptoTLSCredsClass),
> +    .class_init = qcrypto_tls_cipher_suites_class_init,
> +    .interfaces = (InterfaceInfo[]) {
> +        { TYPE_USER_CREATABLE },
> +        { }
> +    }
> +};
> +
> +static void qcrypto_tls_cipher_suites_register_types(void)
> +{
> +    type_register_static(&qcrypto_tls_cipher_suites_info);
> +}
> +
> +type_init(qcrypto_tls_cipher_suites_register_types);
> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
> index c2a371b0b4..ce706d322a 100644
> --- a/crypto/Makefile.objs
> +++ b/crypto/Makefile.objs
> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
>  crypto-obj-$(CONFIG_AF_ALG) += afalg.o
>  crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
>  crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
> +crypto-obj-y += tls-cipher-suites.o
>  crypto-obj-y += tlscreds.o
>  crypto-obj-y += tlscredsanon.o
>  crypto-obj-y += tlscredspsk.o
>


Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
Posted by Daniel P. Berrangé 5 years, 5 months ago
On Tue, May 19, 2020 at 08:20:23PM +0200, Philippe Mathieu-Daudé wrote:
> Example of use to dump:
> 
>   $ qemu-system-x86_64 -S \
>     -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
>   Cipher suites for @SYSTEM:
>   - TLS_AES_256_GCM_SHA384                                0x13, 0x02      TLS1.3
>   - TLS_CHACHA20_POLY1305_SHA256                          0x13, 0x03      TLS1.3
>   - TLS_AES_128_GCM_SHA256                                0x13, 0x01      TLS1.3
>   - TLS_AES_128_CCM_SHA256                                0x13, 0x04      TLS1.3
>   - TLS_ECDHE_RSA_AES_256_GCM_SHA384                      0xc0, 0x30      TLS1.2
>   - TLS_ECDHE_RSA_CHACHA20_POLY1305                       0xcc, 0xa8      TLS1.2
>   - TLS_ECDHE_RSA_AES_256_CBC_SHA1                        0xc0, 0x14      TLS1.0
>   - TLS_ECDHE_RSA_AES_128_GCM_SHA256                      0xc0, 0x2f      TLS1.2
>   - TLS_ECDHE_RSA_AES_128_CBC_SHA1                        0xc0, 0x13      TLS1.0
>   - TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                    0xc0, 0x2c      TLS1.2
>   - TLS_ECDHE_ECDSA_CHACHA20_POLY1305                     0xcc, 0xa9      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_256_CCM                           0xc0, 0xad      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                      0xc0, 0x0a      TLS1.0
>   - TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                    0xc0, 0x2b      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_128_CCM                           0xc0, 0xac      TLS1.2
>   - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                      0xc0, 0x09      TLS1.0
>   - TLS_RSA_AES_256_GCM_SHA384                            0x00, 0x9d      TLS1.2
>   - TLS_RSA_AES_256_CCM                                   0xc0, 0x9d      TLS1.2
>   - TLS_RSA_AES_256_CBC_SHA1                              0x00, 0x35      TLS1.0
>   - TLS_RSA_AES_128_GCM_SHA256                            0x00, 0x9c      TLS1.2
>   - TLS_RSA_AES_128_CCM                                   0xc0, 0x9c      TLS1.2
>   - TLS_RSA_AES_128_CBC_SHA1                              0x00, 0x2f      TLS1.0
>   - TLS_DHE_RSA_AES_256_GCM_SHA384                        0x00, 0x9f      TLS1.2
>   - TLS_DHE_RSA_CHACHA20_POLY1305                         0xcc, 0xaa      TLS1.2
>   - TLS_DHE_RSA_AES_256_CCM                               0xc0, 0x9f      TLS1.2
>   - TLS_DHE_RSA_AES_256_CBC_SHA1                          0x00, 0x39      TLS1.0
>   - TLS_DHE_RSA_AES_128_GCM_SHA256                        0x00, 0x9e      TLS1.2
>   - TLS_DHE_RSA_AES_128_CCM                               0xc0, 0x9e      TLS1.2
>   - TLS_DHE_RSA_AES_128_CBC_SHA1                          0x00, 0x33      TLS1.0
>   total: 29 ciphers

IMHO this "verbose" option shouldn't exist. Instead we should be
using the QEMU trace infrastructure to log this information. This
will make it possible to trace the info at runtime in production
deployments too



> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
> +                                const char *priority_name, Error **errp)
> +{
> +#ifdef CONFIG_GNUTLS

Instead of doing this......


> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
> index c2a371b0b4..ce706d322a 100644
> --- a/crypto/Makefile.objs
> +++ b/crypto/Makefile.objs
> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
>  crypto-obj-$(CONFIG_AF_ALG) += afalg.o
>  crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
>  crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
> +crypto-obj-y += tls-cipher-suites.o

....Use crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o

This lets the management application introspect QEMU to discover whether the
TLS cipher suites object is present & usable.

>  crypto-obj-y += tlscreds.o
>  crypto-obj-y += tlscredsanon.o
>  crypto-obj-y += tlscredspsk.o
> -- 
> 2.21.3
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|


Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
Posted by Philippe Mathieu-Daudé 5 years, 5 months ago
On 5/27/20 1:36 PM, Daniel P. Berrangé wrote:
> On Tue, May 19, 2020 at 08:20:23PM +0200, Philippe Mathieu-Daudé wrote:
>> Example of use to dump:
>>
>>   $ qemu-system-x86_64 -S \
>>     -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
>>   Cipher suites for @SYSTEM:
>>   - TLS_AES_256_GCM_SHA384                                0x13, 0x02      TLS1.3
>>   - TLS_CHACHA20_POLY1305_SHA256                          0x13, 0x03      TLS1.3
>>   - TLS_AES_128_GCM_SHA256                                0x13, 0x01      TLS1.3
>>   - TLS_AES_128_CCM_SHA256                                0x13, 0x04      TLS1.3
>>   - TLS_ECDHE_RSA_AES_256_GCM_SHA384                      0xc0, 0x30      TLS1.2
>>   - TLS_ECDHE_RSA_CHACHA20_POLY1305                       0xcc, 0xa8      TLS1.2
>>   - TLS_ECDHE_RSA_AES_256_CBC_SHA1                        0xc0, 0x14      TLS1.0
>>   - TLS_ECDHE_RSA_AES_128_GCM_SHA256                      0xc0, 0x2f      TLS1.2
>>   - TLS_ECDHE_RSA_AES_128_CBC_SHA1                        0xc0, 0x13      TLS1.0
>>   - TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                    0xc0, 0x2c      TLS1.2
>>   - TLS_ECDHE_ECDSA_CHACHA20_POLY1305                     0xcc, 0xa9      TLS1.2
>>   - TLS_ECDHE_ECDSA_AES_256_CCM                           0xc0, 0xad      TLS1.2
>>   - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1                      0xc0, 0x0a      TLS1.0
>>   - TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                    0xc0, 0x2b      TLS1.2
>>   - TLS_ECDHE_ECDSA_AES_128_CCM                           0xc0, 0xac      TLS1.2
>>   - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1                      0xc0, 0x09      TLS1.0
>>   - TLS_RSA_AES_256_GCM_SHA384                            0x00, 0x9d      TLS1.2
>>   - TLS_RSA_AES_256_CCM                                   0xc0, 0x9d      TLS1.2
>>   - TLS_RSA_AES_256_CBC_SHA1                              0x00, 0x35      TLS1.0
>>   - TLS_RSA_AES_128_GCM_SHA256                            0x00, 0x9c      TLS1.2
>>   - TLS_RSA_AES_128_CCM                                   0xc0, 0x9c      TLS1.2
>>   - TLS_RSA_AES_128_CBC_SHA1                              0x00, 0x2f      TLS1.0
>>   - TLS_DHE_RSA_AES_256_GCM_SHA384                        0x00, 0x9f      TLS1.2
>>   - TLS_DHE_RSA_CHACHA20_POLY1305                         0xcc, 0xaa      TLS1.2
>>   - TLS_DHE_RSA_AES_256_CCM                               0xc0, 0x9f      TLS1.2
>>   - TLS_DHE_RSA_AES_256_CBC_SHA1                          0x00, 0x39      TLS1.0
>>   - TLS_DHE_RSA_AES_128_GCM_SHA256                        0x00, 0x9e      TLS1.2
>>   - TLS_DHE_RSA_AES_128_CCM                               0xc0, 0x9e      TLS1.2
>>   - TLS_DHE_RSA_AES_128_CBC_SHA1                          0x00, 0x33      TLS1.0
>>   total: 29 ciphers
> 
> IMHO this "verbose" option shouldn't exist. Instead we should be
> using the QEMU trace infrastructure to log this information. This
> will make it possible to trace the info at runtime in production
> deployments too

OK, clever.

> 
>> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
>> +                                const char *priority_name, Error **errp)
>> +{
>> +#ifdef CONFIG_GNUTLS
> 
> Instead of doing this......
> 
> 
>> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
>> index c2a371b0b4..ce706d322a 100644
>> --- a/crypto/Makefile.objs
>> +++ b/crypto/Makefile.objs
>> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
>>  crypto-obj-$(CONFIG_AF_ALG) += afalg.o
>>  crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
>>  crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
>> +crypto-obj-y += tls-cipher-suites.o
> 
> ....Use crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o
> 
> This lets the management application introspect QEMU to discover whether the
> TLS cipher suites object is present & usable.

OK, thanks!

> 
>>  crypto-obj-y += tlscreds.o
>>  crypto-obj-y += tlscredsanon.o
>>  crypto-obj-y += tlscredspsk.o
>> -- 
>> 2.21.3
>>
> 
> Regards,
> Daniel
>