On 2015/5/22 19:37, Daniel P. Berrange wrote: > On Fri, May 22, 2015 at 07:29:05PM +0800, Gonglei wrote: >> On 2015/5/21 18:56, Daniel P. Berrange wrote: >>> This small series covers the crypto consolidation patches >>> I previously posted as part of a larger RFC for the TLS work >>> >>> https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg02038.html >>> >>> Currently there are a 5 main places in QEMU which use some >>> form of cryptographic hash or cipher algorithm. These are >>> the quorum block driver (hash), qcow[2] block driver (cipher), >>> VNC password auth (cipher), VNC websockets (hash) and some >>> of the CPU instruction emulation (cipher). >>> >>> For ciphers the code is using the in-tree implementations >>> of AES and/or the RFB cripple-DES. While there is nothing >>> broken about these implementations, it is none the less >>> desirable to be able to use the GNUTLS provided impls in >>> cases whre we are already linking to GNUTLS. This will >>> allow QEMU to use FIPS certified implementations, which >>> have been well audited, have some protection against >>> side-channel leakage and are generally actively maintained >>> by people knowledgable about encryption. >>> >> Can we use OpenSSL library in Qemu? If not, that's because of the license? > > There are differing opinions on OpenSSL licensing. Personally I consider > it to be GPL incompatible because I don't accept the suggestion that openssl > is exempt under the system libraries clause. In any case QEMU is already > using GNUTLS and IME it has a more friendly API with better documentation > than openssl or nss. > > That all said, one benefit of the crypto consolidation is that it makes it > more feasible to plug in alternative crypto libraries, because all the > gnutls specific code is isolated in one place, instead of spread across > the entire codebase. I don't intend to do any work to support other > crypto libraries though as I don't think there's any compelling benefit > to them. > OK, I see, thanks. BTW do you have a github branch which can be easier to test?
Regards, -Gonglei
