On 5/27/20 1:36 PM, Daniel P. Berrangé wrote:
> On Tue, May 19, 2020 at 08:20:23PM +0200, Philippe Mathieu-Daudé wrote:
>> Example of use to dump:
>>
>> $ qemu-system-x86_64 -S \
>>     -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
>> Cipher suites for @SYSTEM:
>> - TLS_AES_256_GCM_SHA384                 0x13, 0x02   TLS1.3
>> - TLS_CHACHA20_POLY1305_SHA256           0x13, 0x03   TLS1.3
>> - TLS_AES_128_GCM_SHA256                 0x13, 0x01   TLS1.3
>> - TLS_AES_128_CCM_SHA256                 0x13, 0x04   TLS1.3
>> - TLS_ECDHE_RSA_AES_256_GCM_SHA384       0xc0, 0x30   TLS1.2
>> - TLS_ECDHE_RSA_CHACHA20_POLY1305        0xcc, 0xa8   TLS1.2
>> - TLS_ECDHE_RSA_AES_256_CBC_SHA1         0xc0, 0x14   TLS1.0
>> - TLS_ECDHE_RSA_AES_128_GCM_SHA256       0xc0, 0x2f   TLS1.2
>> - TLS_ECDHE_RSA_AES_128_CBC_SHA1         0xc0, 0x13   TLS1.0
>> - TLS_ECDHE_ECDSA_AES_256_GCM_SHA384     0xc0, 0x2c   TLS1.2
>> - TLS_ECDHE_ECDSA_CHACHA20_POLY1305      0xcc, 0xa9   TLS1.2
>> - TLS_ECDHE_ECDSA_AES_256_CCM            0xc0, 0xad   TLS1.2
>> - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1       0xc0, 0x0a   TLS1.0
>> - TLS_ECDHE_ECDSA_AES_128_GCM_SHA256     0xc0, 0x2b   TLS1.2
>> - TLS_ECDHE_ECDSA_AES_128_CCM            0xc0, 0xac   TLS1.2
>> - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1       0xc0, 0x09   TLS1.0
>> - TLS_RSA_AES_256_GCM_SHA384             0x00, 0x9d   TLS1.2
>> - TLS_RSA_AES_256_CCM                    0xc0, 0x9d   TLS1.2
>> - TLS_RSA_AES_256_CBC_SHA1               0x00, 0x35   TLS1.0
>> - TLS_RSA_AES_128_GCM_SHA256             0x00, 0x9c   TLS1.2
>> - TLS_RSA_AES_128_CCM                    0xc0, 0x9c   TLS1.2
>> - TLS_RSA_AES_128_CBC_SHA1               0x00, 0x2f   TLS1.0
>> - TLS_DHE_RSA_AES_256_GCM_SHA384         0x00, 0x9f   TLS1.2
>> - TLS_DHE_RSA_CHACHA20_POLY1305          0xcc, 0xaa   TLS1.2
>> - TLS_DHE_RSA_AES_256_CCM                0xc0, 0x9f   TLS1.2
>> - TLS_DHE_RSA_AES_256_CBC_SHA1           0x00, 0x39   TLS1.0
>> - TLS_DHE_RSA_AES_128_GCM_SHA256         0x00, 0x9e   TLS1.2
>> - TLS_DHE_RSA_AES_128_CCM                0xc0, 0x9e   TLS1.2
>> - TLS_DHE_RSA_AES_128_CBC_SHA1           0x00, 0x33   TLS1.0
>> total: 29 ciphers
>
> IMHO this "verbose" option shouldn't exist. Instead we should be
> using the QEMU trace infrastructure to log this information. This
> will make it possible to trace the info at runtime in production
> deployments too.

OK, clever.

>
>> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
>> +                                const char *priority_name, Error **errp)
>> +{
>> +#ifdef CONFIG_GNUTLS
>
> Instead of doing this......
>
>
>> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
>> index c2a371b0b4..ce706d322a 100644
>> --- a/crypto/Makefile.objs
>> +++ b/crypto/Makefile.objs
>> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
>>  crypto-obj-$(CONFIG_AF_ALG) += afalg.o
>>  crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
>>  crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
>> +crypto-obj-y += tls-cipher-suites.o
>
> ....Use crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o
>
> This lets the mgmt application introspect QEMU to discover whether the
> TLS cipher suites object is present & usable.

OK, thanks!

>
>>  crypto-obj-y += tlscreds.o
>>  crypto-obj-y += tlscredsanon.o
>>  crypto-obj-y += tlscredspsk.o
>> --
>> 2.21.3
>>
>
> Regards,
> Daniel
>
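Review bot: the Makefile.objs hunk registers the new object unconditionally (`+crypto-obj-y += tls-cipher-suites.o`) while the implementation quoted just above it is wrapped in `#ifdef CONFIG_GNUTLS`, so a build without GnuTLS still links an object whose `parse_cipher_suites()` body is compiled out and the QOM type is advertised even though it cannot work. Make the build rule match the code's own guard, `crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o`, so management software probing QEMU's object types can tell whether the cipher-suites object is actually usable.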
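As an added example (not QEMU code and not part of the patch under review), a small Python audit of the verbose dump quoted above: it parses each `- NAME 0xHH, 0xHH TLS1.x` entry, checks the `total:` line against what was actually listed, and reports the CBC/SHA1 and TLS1.0-negotiable suites a hardening review of a priority string would question. It assumes each entry sits on one line as QEMU prints it (the mail wrapped them) and uses a constructed four-suite excerpt as input.

```python
"""Audit a `tls-cipher-suites ... verbose=yes` dump (added example, not QEMU code).
Checks the trailing "total: N ciphers" line against the entries actually listed
and reports the suites a hardening review usually questions. SAMPLE is a
constructed excerpt of the dump quoted in the thread."""
from __future__ import annotations
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^-\s+(?P<name>[A-Z0-9_]+)\s+0x(?P<b1>[0-9a-fA-F]{2}),\s*"
                      r"0x(?P<b2>[0-9a-fA-F]{2})\s+(?P<proto>TLS1\.[0-3])\s*$")
TOTAL_RE = re.compile(r"^total:\s+(?P<n>\d+)\s+ciphers?$")

@dataclass(frozen=True)
class Suite:
    name: str
    suite_id: tuple[int, int]  # two-byte IANA cipher-suite identifier
    proto: str                 # lowest TLS version GnuTLS reports for it

def parse_dump(text: str) -> tuple[list[Suite], int | None]:
    """Return (suites in listed order, declared total or None if absent)."""
    suites, declared_total = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := ENTRY_RE.match(line):
            suites.append(Suite(m["name"], (int(m["b1"], 16), int(m["b2"], 16)), m["proto"]))
        elif m := TOTAL_RE.match(line):
            declared_total = int(m["n"])
    return suites, declared_total

def audit(text: str) -> dict:
    """Summarise what the dump says about the priority string's effective policy."""
    suites, declared_total = parse_dump(text)
    return {
        "count_matches": declared_total == len(suites),               # dump self-consistent?
        "non_aead": [s.name for s in suites if "_CBC_" in s.name],   # CBC suites are not AEAD
        "tls10": [s.name for s in suites if s.proto == "TLS1.0"],    # negotiable down to TLS 1.0
        "by_proto": {p: sum(s.proto == p for s in suites) for p in sorted({s.proto for s in suites})},
    }

SAMPLE = """\
Cipher suites for @SYSTEM:
- TLS_AES_256_GCM_SHA384              0x13, 0x02   TLS1.3
- TLS_ECDHE_RSA_AES_256_GCM_SHA384    0xc0, 0x30   TLS1.2
- TLS_ECDHE_RSA_AES_256_CBC_SHA1      0xc0, 0x14   TLS1.0
- TLS_RSA_AES_128_CBC_SHA1            0x00, 0x2f   TLS1.0
total: 4 ciphers
"""
```

Run it over the real 29-suite dump by piping QEMU's output into `audit()`; a mismatch in `count_matches` means the listing was truncated or mail-wrapped.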