[Qemu-commits] [qemu/qemu] 8b7cdb: crypto: fix handling of iv generator


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 8b7cdb: crypto: fix handling of iv generator hash defaults
Date: Mon, 04 Jul 2016 09:30:03 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 8b7cdba386d55ecee2caa26973c1d6c31822e801
      
https://github.com/qemu/qemu/commit/8b7cdba386d55ecee2caa26973c1d6c31822e801
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-07-04 (Mon, 04 Jul 2016)

  Changed paths:
    M crypto/block-luks.c
    M tests/qemu-iotests/149
    M tests/qemu-iotests/149.out

  Log Message:
  -----------
  crypto: fix handling of iv generator hash defaults

When opening an existing LUKS volume, if the iv generator is
essiv, then the iv hash algorithm is mandatory to provide. We
must report an error if it is omitted in the cipher mode spec,
not silently default to hash 0 (md5).  If the iv generator is
not essiv, then we explicitly ignore any iv hash algorithm,
rather than report an error, for compatibility with dm-crypt.

When creating a new LUKS volume, if the iv generator is essiv
and no iv hash algorithm is provided, we should default to
using the sha256 hash.

Reported-by: Paolo Bonzini <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 8cbfc94269e37a001d501cca3f4e4cb4ba6dbe0a
      
https://github.com/qemu/qemu/commit/8cbfc94269e37a001d501cca3f4e4cb4ba6dbe0a
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-07-04 (Mon, 04 Jul 2016)

  Changed paths:
    M tests/test-crypto-xts.c

  Log Message:
  -----------
  crypto: rename OUT to out in xts test to avoid clash on MinGW

On MinGW one of the system headers already has "OUT" defined
which causes a compile failure of the test suite. Rename the
test suite var to 'out' to avoid this clash.

Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 0c16c056a4f9dec18fdd56feec82a5db9ff3c15e
      
https://github.com/qemu/qemu/commit/0c16c056a4f9dec18fdd56feec82a5db9ff3c15e
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-07-04 (Mon, 04 Jul 2016)

  Changed paths:
    M configure
    M crypto/Makefile.objs
    A crypto/hash-gcrypt.c
    A crypto/hash-nettle.c
    A crypto/hash-stub.c
    M crypto/hash.c
    M tests/Makefile.include
    M tests/test-crypto-hash.c

  Log Message:
  -----------
  crypto: switch hash code to use nettle/gcrypt directly

Currently the internal hash code is using the gnutls hash APIs.
GNUTLS in turn is wrapping either nettle or gcrypt. Not only
were the GNUTLS hash APIs not added until GNUTLS 2.9.10, but
they don't expose support for all the algorithms QEMU needs
to use with LUKS.

Address this by directly wrapping nettle/gcrypt in QEMU and
avoiding GNUTLS's extra layer of indirection. This gives us
support for hash functions on a much wider range of platforms
and opens up ability to support more hash functions. It also
avoids a GNUTLS bug which would not correctly handle hashing
of large data blocks if int != size_t.

Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 9164b89762224db414676973172c26994aa9e2e5
      
https://github.com/qemu/qemu/commit/9164b89762224db414676973172c26994aa9e2e5
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-07-04 (Mon, 04 Jul 2016)

  Changed paths:
    M crypto/hash-gcrypt.c
    M crypto/hash-nettle.c
    M crypto/hash.c
    M qapi/crypto.json
    M tests/test-crypto-hash.c

  Log Message:
  -----------
  crypto: implement sha224, sha384, sha512 and ripemd160 hashes

Wire up the nettle and gcrypt hash backends so that they can
support the sha224, sha384, sha512 and ripemd160 hash algorithms.

Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 13f12430d48b62e2304e0e5a7c607279af68b98a
      
https://github.com/qemu/qemu/commit/13f12430d48b62e2304e0e5a7c607279af68b98a
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-07-04 (Mon, 04 Jul 2016)

  Changed paths:
    M crypto/tlscreds.c
    M crypto/tlssession.c
    M include/crypto/tlscreds.h

  Log Message:
  -----------
  crypto: add support for TLS priority string override

The gnutls default priority is either "NORMAL" (most historical
versions of gnutls) which is a built-in label in gnutls code,
or "@SYSTEM" (latest gnutls on Fedora at least) which refers
to an admin customizable entry in a gnutls config file.

Regardless of which default is used by a distro, they are both
global defaults applying to all applications using gnutls. If
a single application on the system needs to use a weaker set
of crypto priorities, this potentially forces the weakness onto
all applications. Or conversely if a single application wants a
stronger default than all others, it can't do this via the global
config file.

This adds an extra parameter to the tls credential object which
allows the mgmt app / user to explicitly provide a priority
string to QEMU when configuring TLS.

For example, to use the "NORMAL" priority, but disable SSL 3.0
one can now configure QEMU thus:

  $QEMU -object tls-creds-x509,id=tls0,dir=/home/berrange/qemutls,\
          priority="NORMAL:-VERS-SSL3.0" \
  ..other args...

If creating tls-creds-anon, whatever priority the user specifies
will always have "+ANON-DH" appended to it, since that's mandatory
to make the anonymous credentials work.

Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: a1c5e949ddc3234dcb85a44b9cb9312cd9f3522f
      
https://github.com/qemu/qemu/commit/a1c5e949ddc3234dcb85a44b9cb9312cd9f3522f
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-07-04 (Mon, 04 Jul 2016)

  Changed paths:
    M configure
    M crypto/tlssession.c

  Log Message:
  -----------
  crypto: allow default TLS priority to be chosen at build time

Modern gnutls can use a global config file to control the
crypto priority settings for TLS connections. For example
the priority string "@SYSTEM" instructs gnutls to find the
priority setting named "SYSTEM" in the global config file.

Latest gnutls GIT codebase gained the ability to reference
multiple priority strings in the config file, with the first
one that is found to exist winning. This means it is now
possible to configure QEMU out of the box with a default
priority of "@QEMU,SYSTEM", which says to look for the
settings "QEMU" first, and if not found, use the "SYSTEM"
settings.

To make use of this facility, we introduce the ability to
set the QEMU default priority at build time via a new
configure argument.  It is anticipated that distro vendors
will set this when building QEMU to a suitable value for
use with distro crypto policy setup. E.g. current Fedora
would run

 ./configure address@hidden

while future Fedora would run

 ./configure address@hidden,SYSTEM

Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 0d7e96c9b505b2afb1db08732c3a87288ccbbdd3
      
https://github.com/qemu/qemu/commit/0d7e96c9b505b2afb1db08732c3a87288ccbbdd3
  Author: Peter Maydell <address@hidden>
  Date:   2016-07-04 (Mon, 04 Jul 2016)

  Changed paths:
    M configure
    M crypto/Makefile.objs
    M crypto/block-luks.c
    A crypto/hash-gcrypt.c
    A crypto/hash-nettle.c
    A crypto/hash-stub.c
    M crypto/hash.c
    M crypto/tlscreds.c
    M crypto/tlssession.c
    M include/crypto/tlscreds.h
    M qapi/crypto.json
    M tests/Makefile.include
    M tests/qemu-iotests/149
    M tests/qemu-iotests/149.out
    M tests/test-crypto-hash.c
    M tests/test-crypto-xts.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/berrange/tags/pull-qcrypto-2016-07-04-1' into staging

Merge qcrypto 2016/07/04 v1

# gpg: Signature made Mon 04 Jul 2016 15:54:26 BST
# gpg:                using RSA key 0xBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <address@hidden>"
# gpg:                 aka "Daniel P. Berrange <address@hidden>"
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E  8E3F BE86 EBB4 1510 4FDF

* remotes/berrange/tags/pull-qcrypto-2016-07-04-1:
  crypto: allow default TLS priority to be chosen at build time
  crypto: add support for TLS priority string override
  crypto: implement sha224, sha384, sha512 and ripemd160 hashes
  crypto: switch hash code to use nettle/gcrypt directly
  crypto: rename OUT to out in xts test to avoid clash on MinGW
  crypto: fix handling of iv generator hash defaults

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/3173a1fd549b...0d7e96c9b505
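
The iv generator rules from the first commit message, shown as an added example (not QEMU's code and not part of the original mail). It assumes the cipher mode spec has the form "mode-ivgen[:hash]"; the struct, the function name and the sample specs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this sketch; not a QEMU structure. */
struct iv_spec {
    char mode[16];   /* e.g. "cbc", "xts" */
    char ivgen[16];  /* e.g. "essiv", "plain64" */
    char hash[16];   /* empty when no IV hash applies */
};

/* Parse "mode-ivgen[:hash]". creating != 0 models formatting a new volume,
 * 0 models opening an existing one. Returns 0 on success, -1 on error. */
int parse_cipher_mode(const char *spec, int creating, struct iv_spec *out)
{
    const char *dash = strchr(spec, '-');
    const char *colon = dash ? strchr(dash + 1, ':') : NULL;
    size_t mlen, glen;
    memset(out, 0, sizeof(*out));
    if (!dash) return -1;
    mlen = (size_t)(dash - spec);
    glen = colon ? (size_t)(colon - dash - 1) : strlen(dash + 1);
    if (!mlen || !glen || mlen >= sizeof(out->mode) || glen >= sizeof(out->ivgen))
        return -1;
    memcpy(out->mode, spec, mlen);
    memcpy(out->ivgen, dash + 1, glen);
    if (strcmp(out->ivgen, "essiv") != 0)
        return 0;                     /* non-essiv: ":hash" suffix is ignored */
    if (colon && colon[1] != '\0') {
        if (strlen(colon + 1) >= sizeof(out->hash))
            return -1;
        strcpy(out->hash, colon + 1);
    } else if (creating) {
        strcpy(out->hash, "sha256");  /* new volume: default essiv hash */
    } else {
        return -1;                    /* existing volume: never guess the hash */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample specs, not taken from a real volume header. */
    const char *specs[] = { "cbc-essiv:sha256", "cbc-essiv", "xts-plain64:sha1" };
    struct iv_spec s;
    for (size_t i = 0; i < 3; i++)
        printf("%-18s open=%d create=%d\n", specs[i],
               parse_cipher_mode(specs[i], 0, &s), parse_cipher_mode(specs[i], 1, &s));
    return 0;
}
```

The open path fails closed on "cbc-essiv" instead of falling back to whatever algorithm sits at enum value 0, which is the silent md5 default the commit removes.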
