Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
On 5/27/20 1:36 PM, Daniel P. Berrangé wrote:
> On Tue, May 19, 2020 at 08:20:23PM +0200, Philippe Mathieu-Daudé wrote:
>> Example of use to dump:
>>
>> $ qemu-system-x86_64 -S \
>> -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
>> Cipher suites for @SYSTEM:
>> - TLS_AES_256_GCM_SHA3840x13, 0x02
>> TLS1.3
>> - TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03
>> TLS1.3
>> - TLS_AES_128_GCM_SHA2560x13, 0x01
>> TLS1.3
>> - TLS_AES_128_CCM_SHA2560x13, 0x04
>> TLS1.3
>> - TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30
>> TLS1.2
>> - TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8
>> TLS1.2
>> - TLS_ECDHE_RSA_AES_256_CBC_SHA10xc0, 0x14
>> TLS1.0
>> - TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f
>> TLS1.2
>> - TLS_ECDHE_RSA_AES_128_CBC_SHA10xc0, 0x13
>> TLS1.0
>> - TLS_ECDHE_ECDSA_AES_256_GCM_SHA3840xc0, 0x2c
>> TLS1.2
>> - TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9
>> TLS1.2
>> - TLS_ECDHE_ECDSA_AES_256_CCM 0xc0, 0xad
>> TLS1.2
>> - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a
>> TLS1.0
>> - TLS_ECDHE_ECDSA_AES_128_GCM_SHA2560xc0, 0x2b
>> TLS1.2
>> - TLS_ECDHE_ECDSA_AES_128_CCM 0xc0, 0xac
>> TLS1.2
>> - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09
>> TLS1.0
>> - TLS_RSA_AES_256_GCM_SHA3840x00, 0x9d
>> TLS1.2
>> - TLS_RSA_AES_256_CCM 0xc0, 0x9d
>> TLS1.2
>> - TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35
>> TLS1.0
>> - TLS_RSA_AES_128_GCM_SHA2560x00, 0x9c
>> TLS1.2
>> - TLS_RSA_AES_128_CCM 0xc0, 0x9c
>> TLS1.2
>> - TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f
>> TLS1.0
>> - TLS_DHE_RSA_AES_256_GCM_SHA3840x00, 0x9f
>> TLS1.2
>> - TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa
>> TLS1.2
>> - TLS_DHE_RSA_AES_256_CCM 0xc0, 0x9f
>> TLS1.2
>> - TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39
>> TLS1.0
>> - TLS_DHE_RSA_AES_128_GCM_SHA2560x00, 0x9e
>> TLS1.2
>> - TLS_DHE_RSA_AES_128_CCM 0xc0, 0x9e
>> TLS1.2
>> - TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33
>> TLS1.0
>> total: 29 ciphers
>
> IMHO this "verbose" option shouldn't exist. Instead we should be
> using the QEMU trace infrastructure to log this information. This
> will make it possible to trace the info at runtime in production
> deployments too
OK, clever.
>
>> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
>> +const char *priority_name, Error **errp)
>> +{
>> +#ifdef CONFIG_GNUTLS
>
> Instead of doing this..
>
>
>> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
>> index c2a371b0b4..ce706d322a 100644
>> --- a/crypto/Makefile.objs
>> +++ b/crypto/Makefile.objs
>> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
>> crypto-obj-$(CONFIG_AF_ALG) += afalg.o
>> crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
>> crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
>> +crypto-obj-y += tls-cipher-suites.o
>
> Use crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o
>
> This lets the mgmt appliction introspect QEMU to discover whether the
> TLS cipher suits object is present & usable.
OK, thanks!
>
>> crypto-obj-y += tlscreds.o
>> crypto-obj-y += tlscredsanon.o
>> crypto-obj-y += tlscredspsk.o
>> --
>> 2.21.3
>>
>
> Regards,
> Daniel
>
Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
On Tue, May 19, 2020 at 08:20:23PM +0200, Philippe Mathieu-Daudé wrote:
> Example of use to dump:
>
> $ qemu-system-x86_64 -S \
> -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
> Cipher suites for @SYSTEM:
> - TLS_AES_256_GCM_SHA3840x13, 0x02
> TLS1.3
> - TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03
> TLS1.3
> - TLS_AES_128_GCM_SHA2560x13, 0x01
> TLS1.3
> - TLS_AES_128_CCM_SHA2560x13, 0x04
> TLS1.3
> - TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30
> TLS1.2
> - TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8
> TLS1.2
> - TLS_ECDHE_RSA_AES_256_CBC_SHA10xc0, 0x14
> TLS1.0
> - TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f
> TLS1.2
> - TLS_ECDHE_RSA_AES_128_CBC_SHA10xc0, 0x13
> TLS1.0
> - TLS_ECDHE_ECDSA_AES_256_GCM_SHA3840xc0, 0x2c
> TLS1.2
> - TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9
> TLS1.2
> - TLS_ECDHE_ECDSA_AES_256_CCM 0xc0, 0xad
> TLS1.2
> - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a
> TLS1.0
> - TLS_ECDHE_ECDSA_AES_128_GCM_SHA2560xc0, 0x2b
> TLS1.2
> - TLS_ECDHE_ECDSA_AES_128_CCM 0xc0, 0xac
> TLS1.2
> - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09
> TLS1.0
> - TLS_RSA_AES_256_GCM_SHA3840x00, 0x9d
> TLS1.2
> - TLS_RSA_AES_256_CCM 0xc0, 0x9d
> TLS1.2
> - TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35
> TLS1.0
> - TLS_RSA_AES_128_GCM_SHA2560x00, 0x9c
> TLS1.2
> - TLS_RSA_AES_128_CCM 0xc0, 0x9c
> TLS1.2
> - TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f
> TLS1.0
> - TLS_DHE_RSA_AES_256_GCM_SHA3840x00, 0x9f
> TLS1.2
> - TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa
> TLS1.2
> - TLS_DHE_RSA_AES_256_CCM 0xc0, 0x9f
> TLS1.2
> - TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39
> TLS1.0
> - TLS_DHE_RSA_AES_128_GCM_SHA2560x00, 0x9e
> TLS1.2
> - TLS_DHE_RSA_AES_128_CCM 0xc0, 0x9e
> TLS1.2
> - TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33
> TLS1.0
> total: 29 ciphers
IMHO this "verbose" option shouldn't exist. Instead we should be
using the QEMU trace infrastructure to log this information. This
will make it possible to trace the info at runtime in production
deployments too
> +static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
> +const char *priority_name, Error **errp)
> +{
> +#ifdef CONFIG_GNUTLS
Instead of doing this..
> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
> index c2a371b0b4..ce706d322a 100644
> --- a/crypto/Makefile.objs
> +++ b/crypto/Makefile.objs
> @@ -13,6 +13,7 @@ crypto-obj-y += cipher.o
> crypto-obj-$(CONFIG_AF_ALG) += afalg.o
> crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
> crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
> +crypto-obj-y += tls-cipher-suites.o
Use crypto-obj-$(CONFIG_GNUTLS) += tls-cipher-suites.o
This lets the mgmt appliction introspect QEMU to discover whether the
TLS cipher suits object is present & usable.
> crypto-obj-y += tlscreds.o
> crypto-obj-y += tlscredsanon.o
> crypto-obj-y += tlscredspsk.o
> --
> 2.21.3
>
Regards,
Daniel
--
|: https://berrange.com -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|
Re: [PATCH v6 4/5] crypto: Add tls-cipher-suites object
On 05/19/20 20:20, Philippe Mathieu-Daudé wrote:
> Example of use to dump:
>
> $ qemu-system-x86_64 -S \
> -object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
> Cipher suites for @SYSTEM:
> - TLS_AES_256_GCM_SHA3840x13, 0x02
> TLS1.3
> - TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03
> TLS1.3
> - TLS_AES_128_GCM_SHA2560x13, 0x01
> TLS1.3
> - TLS_AES_128_CCM_SHA2560x13, 0x04
> TLS1.3
> - TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30
> TLS1.2
> - TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8
> TLS1.2
> - TLS_ECDHE_RSA_AES_256_CBC_SHA10xc0, 0x14
> TLS1.0
> - TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f
> TLS1.2
> - TLS_ECDHE_RSA_AES_128_CBC_SHA10xc0, 0x13
> TLS1.0
> - TLS_ECDHE_ECDSA_AES_256_GCM_SHA3840xc0, 0x2c
> TLS1.2
> - TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9
> TLS1.2
> - TLS_ECDHE_ECDSA_AES_256_CCM 0xc0, 0xad
> TLS1.2
> - TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a
> TLS1.0
> - TLS_ECDHE_ECDSA_AES_128_GCM_SHA2560xc0, 0x2b
> TLS1.2
> - TLS_ECDHE_ECDSA_AES_128_CCM 0xc0, 0xac
> TLS1.2
> - TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09
> TLS1.0
> - TLS_RSA_AES_256_GCM_SHA3840x00, 0x9d
> TLS1.2
> - TLS_RSA_AES_256_CCM 0xc0, 0x9d
> TLS1.2
> - TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35
> TLS1.0
> - TLS_RSA_AES_128_GCM_SHA2560x00, 0x9c
> TLS1.2
> - TLS_RSA_AES_128_CCM 0xc0, 0x9c
> TLS1.2
> - TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f
> TLS1.0
> - TLS_DHE_RSA_AES_256_GCM_SHA3840x00, 0x9f
> TLS1.2
> - TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa
> TLS1.2
> - TLS_DHE_RSA_AES_256_CCM 0xc0, 0x9f
> TLS1.2
> - TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39
> TLS1.0
> - TLS_DHE_RSA_AES_128_GCM_SHA2560x00, 0x9e
> TLS1.2
> - TLS_DHE_RSA_AES_128_CCM 0xc0, 0x9e
> TLS1.2
> - TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33
> TLS1.0
> total: 29 ciphers
>
> Signed-off-by: Philippe Mathieu-Daudé
> ---
> include/crypto/tls-cipher-suites.h | 39 +
> crypto/tls-cipher-suites.c | 133 +
> crypto/Makefile.objs | 1 +
> 3 files changed, 173 insertions(+)
> create mode 100644 include/crypto/tls-cipher-suites.h
> create mode 100644 crypto/tls-cipher-suites.c
>
> diff --git a/include/crypto/tls-cipher-suites.h
> b/include/crypto/tls-cipher-suites.h
> new file mode 100644
> index 00..31e92916e1
> --- /dev/null
> +++ b/include/crypto/tls-cipher-suites.h
> @@ -0,0 +1,39 @@
> +/*
> + * QEMU TLS Cipher Suites
> + *
> + * Copyright (c) 2019 Red Hat, Inc.
> + *
> + * Author: Philippe Mathieu-Daudé
> + *
> + * SPDX-License-Identifier: GPL-2.0-or-later
> + */
> +
> +#ifndef QCRYPTO_TLSCIPHERSUITES_H
> +#define QCRYPTO_TLSCIPHERSUITES_H
> +
> +#include "qom/object.h"
> +#include "crypto/tlscreds.h"
> +
> +#define TYPE_QCRYPTO_TLS_CIPHER_SUITES "tls-cipher-suites"
> +#define QCRYPTO_TLS_CIPHER_SUITES(obj) \
> +OBJECT_CHECK(QCryptoTLSCipherSuites, (obj),
> TYPE_QCRYPTO_TLS_CIPHER_SUITES)
> +
> +/*
> + * IANA registered TLS ciphers:
> + *
> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
> + */
> +typedef struct {
> +uint8_t data[2];
> +} IANA_TLS_CIPHER;
(1) I propose marking this as QEMU_PACKED, even if only for
documentation purposes.
> +
> +typedef struct QCryptoTLSCipherSuites {
> +/* */
> +QCryptoTLSCreds parent_obj;
> +
> +/* */
> +bool verbose;
> +IANA_TLS_CIPHER *cipher_list;
> +unsigned cipher_count;
> +} QCryptoTLSCipherSuites;
> +
> +#endif /* QCRYPTO_TLSCIPHERSUITES_H */
> diff --git a/crypto/tls-cipher-suites.c b/crypto/tls-cipher-suites.c
> new file mode 100644
> index 00..c6c51359bd
> --- /dev/null
> +++ b/crypto/tls-cipher-suites.c
> @@ -0,0 +1,133 @@
> +/*
> + * QEMU TLS Cipher Suites
> + *
> + * Copyright (c) 2019 Red Hat, Inc.
> + *
> + * Author: Philippe Mathieu-Daudé
> + *
> + * SPDX-License-Identifier: GPL-2.0-or-later
> + */
> +
> +#include "qemu/osdep.h"
> +#include "qapi/error.h"
> +#include "qom/object_interfaces.h"
> +#include "qemu/error-report.h"
> +#include "crypto/tlscreds.h"
> +#include "crypto/tls-cipher-suites.h"
[PATCH v6 4/5] crypto: Add tls-cipher-suites object
Example of use to dump:
$ qemu-system-x86_64 -S \
-object tls-cipher-suites,id=mysuite,priority=@SYSTEM,verbose=yes
Cipher suites for @SYSTEM:
- TLS_AES_256_GCM_SHA3840x13, 0x02 TLS1.3
- TLS_CHACHA20_POLY1305_SHA256 0x13, 0x03 TLS1.3
- TLS_AES_128_GCM_SHA2560x13, 0x01 TLS1.3
- TLS_AES_128_CCM_SHA2560x13, 0x04 TLS1.3
- TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
- TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
- TLS_ECDHE_RSA_AES_256_CBC_SHA10xc0, 0x14 TLS1.0
- TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
- TLS_ECDHE_RSA_AES_128_CBC_SHA10xc0, 0x13 TLS1.0
- TLS_ECDHE_ECDSA_AES_256_GCM_SHA3840xc0, 0x2c TLS1.2
- TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
- TLS_ECDHE_ECDSA_AES_256_CCM 0xc0, 0xad TLS1.2
- TLS_ECDHE_ECDSA_AES_256_CBC_SHA1 0xc0, 0x0a TLS1.0
- TLS_ECDHE_ECDSA_AES_128_GCM_SHA2560xc0, 0x2b TLS1.2
- TLS_ECDHE_ECDSA_AES_128_CCM 0xc0, 0xac TLS1.2
- TLS_ECDHE_ECDSA_AES_128_CBC_SHA1 0xc0, 0x09 TLS1.0
- TLS_RSA_AES_256_GCM_SHA3840x00, 0x9d TLS1.2
- TLS_RSA_AES_256_CCM 0xc0, 0x9d TLS1.2
- TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 TLS1.0
- TLS_RSA_AES_128_GCM_SHA2560x00, 0x9c TLS1.2
- TLS_RSA_AES_128_CCM 0xc0, 0x9c TLS1.2
- TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f TLS1.0
- TLS_DHE_RSA_AES_256_GCM_SHA3840x00, 0x9f TLS1.2
- TLS_DHE_RSA_CHACHA20_POLY1305 0xcc, 0xaa TLS1.2
- TLS_DHE_RSA_AES_256_CCM 0xc0, 0x9f TLS1.2
- TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 TLS1.0
- TLS_DHE_RSA_AES_128_GCM_SHA2560x00, 0x9e TLS1.2
- TLS_DHE_RSA_AES_128_CCM 0xc0, 0x9e TLS1.2
- TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 TLS1.0
total: 29 ciphers
Signed-off-by: Philippe Mathieu-Daudé
---
include/crypto/tls-cipher-suites.h | 39 +
crypto/tls-cipher-suites.c | 133 +
crypto/Makefile.objs | 1 +
3 files changed, 173 insertions(+)
create mode 100644 include/crypto/tls-cipher-suites.h
create mode 100644 crypto/tls-cipher-suites.c
diff --git a/include/crypto/tls-cipher-suites.h
b/include/crypto/tls-cipher-suites.h
new file mode 100644
index 00..31e92916e1
--- /dev/null
+++ b/include/crypto/tls-cipher-suites.h
@@ -0,0 +1,39 @@
+/*
+ * QEMU TLS Cipher Suites
+ *
+ * Copyright (c) 2019 Red Hat, Inc.
+ *
+ * Author: Philippe Mathieu-Daudé
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef QCRYPTO_TLSCIPHERSUITES_H
+#define QCRYPTO_TLSCIPHERSUITES_H
+
+#include "qom/object.h"
+#include "crypto/tlscreds.h"
+
+#define TYPE_QCRYPTO_TLS_CIPHER_SUITES "tls-cipher-suites"
+#define QCRYPTO_TLS_CIPHER_SUITES(obj) \
+OBJECT_CHECK(QCryptoTLSCipherSuites, (obj), TYPE_QCRYPTO_TLS_CIPHER_SUITES)
+
+/*
+ * IANA registered TLS ciphers:
+ *
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
+ */
+typedef struct {
+uint8_t data[2];
+} IANA_TLS_CIPHER;
+
+typedef struct QCryptoTLSCipherSuites {
+/* */
+QCryptoTLSCreds parent_obj;
+
+/* */
+bool verbose;
+IANA_TLS_CIPHER *cipher_list;
+unsigned cipher_count;
+} QCryptoTLSCipherSuites;
+
+#endif /* QCRYPTO_TLSCIPHERSUITES_H */
diff --git a/crypto/tls-cipher-suites.c b/crypto/tls-cipher-suites.c
new file mode 100644
index 00..c6c51359bd
--- /dev/null
+++ b/crypto/tls-cipher-suites.c
@@ -0,0 +1,133 @@
+/*
+ * QEMU TLS Cipher Suites
+ *
+ * Copyright (c) 2019 Red Hat, Inc.
+ *
+ * Author: Philippe Mathieu-Daudé
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qom/object_interfaces.h"
+#include "qemu/error-report.h"
+#include "crypto/tlscreds.h"
+#include "crypto/tls-cipher-suites.h"
+
+static void parse_cipher_suites(QCryptoTLSCipherSuites *s,
+const char *priority_name, Error **errp)
+{
+#ifdef CONFIG_GNUTLS
+int ret;
+unsigned int idx;
+const char *name;
+const char *err;
+gnutls_protocol_t version;
+gnutls_priority_t pcache;
+
+assert(priority_name);
+ret = gnutls_priority_init(, priority_name, );
+if (ret < 0) {
+error_setg(errp, "Syntax error
