On Tue, May 19, 2020 at 08:20:23PM +0200, Philippe Mathieu-Daudé wrote:
> Example of use to dump:
>
>   $ qemu-system-x86_64 -S \
>     -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
>   Cipher suites for @SYSTEM:
>   - TLS_AES_256_GCM_SHA384  0x13, 0x02  TLS1.3
>   - TLS_CHACHA20_POLY1305_SHA256  0x13, 0x03  TLS1.3
>   - TLS_AES_128_GCM_SHA256  0x13, 0x01  TLS1.3
>   - TLS_AES_128_CCM_SHA256  0x13, 0x04  TLS1.3
>   - TLS_ECDHE_RSA_AES_256_GCM_SHA384  0xc0, 0x30  TLS1.2
>   - TLS_ECDHE_RSA_CHACHA20_POLY1305  0xcc, 0xa8  TLS1.2
>   - TLS_ECDHE_RSA_AES_256_CBC_SHA1  0xc0, 0x14  TLS1.0
>   - TLS_ECDHE_RSA_AES_128_GCM_SHA256  0xc0, 0x2f  TLS1.2
>   - TLS_ECDHE_RSA_AES_128_CBC_SHA1  0xc0, 0x13  TLS1.0
>   - TLS_ECDHE_ECDSA_AES_256_GCM_SHA384  0xc0, 0x2c  TLS1.2
>   - TLS_ECDHE_ECDSA_CHACHA20_POLY1305  0xcc, 0xa9  TLS1.2
>   - TLS_ECDHE_ECDSA_AES_256_CCM  0xc0, 0xad  TLS1.2
>   - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1  0xc0, 0x0a  TLS1.0
>   - TLS_ECDHE_ECDSA_AES_128_GCM_SHA256  0xc0, 0x2b  TLS1.2
>   - TLS_ECDHE_ECDSA_AES_128_CCM  0xc0, 0xac  TLS1.2
>   - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1  0xc0, 0x09  TLS1.0
>   - TLS_RSA_AES_256_GCM_SHA384  0x00, 0x9d  TLS1.2
>   - TLS_RSA_AES_256_CCM  0xc0, 0x9d  TLS1.2
>   - TLS_RSA_AES_256_CBC_SHA1  0x00, 0x35  TLS1.0
>   - TLS_RSA_AES_128_GCM_SHA256  0x00, 0x9c  TLS1.2
>   - TLS_RSA_AES_128_CCM  0xc0, 0x9c  TLS1.2
>   - TLS_RSA_AES_128_CBC_SHA1  0x00, 0x2f  TLS1.0
>   - TLS_DHE_RSA_AES_256_GCM_SHA384  0x00, 0x9f  TLS1.2
>   - TLS_DHE_RSA_CHACHA20_POLY1305  0xcc, 0xaa  TLS1.2
>   - TLS_DHE_RSA_AES_256_CCM  0xc0, 0x9f  TLS1.2
>   - TLS_DHE_RSA_AES_256_CBC_SHA1  0x00, 0x39  TLS1.0
>   - TLS_DHE_RSA_AES_128_GCM_SHA256  0x00, 0x9e  TLS1.2
>   - TLS_DHE_RSA_AES_128_CCM  0xc0, 0x9e  TLS1.2
>   - TLS_DHE_RSA_AES_128_CBC_SHA1  0x00, 0x33  TLS1.0
>   total: 29 ciphers

IMHO this "verbose" option shouldn't exist. Instead we should be using
the QEMU trace infrastructure to log this information. This will make
it possible to trace the info at runtime in production deployments too.

> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
> + const char *priority_name, Error **errp)
> +{
> +#ifdef CONFIG_GNUTLS

Instead of doing this......

> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
> index c2a371b0b4..ce706d322a 100644
> --- a/crypto/Makefile.objs
> +++ b/crypto/Makefile.objs
> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
> crypto-obj-$(CONFIG_AF_ALG) += afalg.o
> crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
> crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
> +crypto-obj-y += tls-cipher-suites.o

....Use

  crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o

This lets the mgmt application introspect QEMU to discover whether the
TLS cipher suites object is present & usable.

> crypto-obj-y += tlscreds.o
> crypto-obj-y += tlscredsanon.o
> crypto-obj-y += tlscredspsk.o
> --
> 2.21.3
>

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
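
Review bot: in parse_cipher_suites(), the #ifdef CONFIG_GNUTLS opens directly after the function's opening brace, so the entire body is conditional and the quoted lines do not show what the non-GnuTLS path does with errp. If this file remains compiled in every configuration, that path should report the failure through errp rather than return silently, so a caller cannot confuse "built without GnuTLS" with a priority string that was parsed successfully.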
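
Review bot: in the crypto/Makefile.objs hunk, "crypto-obj-y += tls-cipher-suites.o" compiles the new file unconditionally, while the only logic visible in parse_cipher_suites() sits behind #ifdef CONFIG_GNUTLS. A build without GnuTLS would still compile the file even though it cannot resolve a priority string, so the presence of the object says nothing about whether it works. Keying the line on CONFIG_GNUTLS, next to the existing crypto-obj-$(CONFIG_AF_ALG) entries, ties the object's existence to its usability and makes the in-function #ifdef unnecessary.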