[Qemu-commits] [qemu/qemu] 83599f: crypto: remove conditional around 3DE
From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 83599f: crypto: remove conditional around 3DES crypto test...
Date: Tue, 13 Jul 2021 01:02:29 -0700
Branch: refs/heads/staging
Home: https://github.com/qemu/qemu
Commit: 83599fd70d8b7f5925cbb4b58971fd2ef918ffbd
https://github.com/qemu/qemu/commit/83599fd70d8b7f5925cbb4b58971fd2ef918ffbd
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M tests/unit/test-crypto-cipher.c
Log Message:
-----------
crypto: remove conditional around 3DES crypto test cases
The main method checks whether the cipher choice is supported
at runtime, so there is no need for compile time conditions.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: ca6bfc63c116725e9cb26024d6b7e7f1c7b559e0
https://github.com/qemu/qemu/commit/ca6bfc63c116725e9cb26024d6b7e7f1c7b559e0
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M tests/unit/test-crypto-pbkdf.c
Log Message:
-----------
crypto: remove obsolete crypto test condition
Since we now require gcrypt >= 1.8.0, there is no need
to exclude the pbkdf test case.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 4b0ca47f45a4cf2bcb3c69f759dde67da455e56f
https://github.com/qemu/qemu/commit/4b0ca47f45a4cf2bcb3c69f759dde67da455e56f
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M tests/unit/test-crypto-ivgen.c
Log Message:
-----------
crypto: skip essiv ivgen tests if AES+ECB isn't available
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 24925c48c2afb12960f7f21f1b87a4b665a37eef
https://github.com/qemu/qemu/commit/24925c48c2afb12960f7f21f1b87a4b665a37eef
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M tests/unit/test-crypto-hash.c
M tests/unit/test-crypto-hmac.c
Log Message:
-----------
crypto: use &error_fatal in crypto tests
Using error_fatal provides better diagnostics when tests
fail than using asserts, because we see the text of
the error message.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 66b3cdb120e51d1968b3828d93929bf371da0784
https://github.com/qemu/qemu/commit/66b3cdb120e51d1968b3828d93929bf371da0784
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M meson.build
Log Message:
-----------
crypto: fix gcrypt min version 1.8 regression
The min gcrypt was bumped:

  commit b33a84632a3759c00320fd80923aa963c11207fc
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date: Fri May 14 13:04:08 2021 +0100

    crypto: bump min gcrypt to 1.8.0, dropping RHEL-7 support

but this was accidentally lost in conflict resolution for

  commit 5761251138cb69c310e9df7dfc82c4c6fd2444e4
  Author: Paolo Bonzini <pbonzini@redhat.com>
  Date: Thu Jun 3 11:15:26 2021 +0200

    configure, meson: convert crypto detection to meson

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 46f7ae84aacde506f75b0eb739b4d0a806927a67
https://github.com/qemu/qemu/commit/46f7ae84aacde506f75b0eb739b4d0a806927a67
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M crypto/init.c
Log Message:
-----------
crypto: drop gcrypt thread initialization code
This is only required on gcrypt < 1.6.0, and is thus obsolete
since

  commit b33a84632a3759c00320fd80923aa963c11207fc
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date: Fri May 14 13:04:08 2021 +0100

    crypto: bump min gcrypt to 1.8.0, dropping RHEL-7 support

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 492bcfe8b8af3cf41e85502e31fcb2e66ccedb9e
https://github.com/qemu/qemu/commit/492bcfe8b8af3cf41e85502e31fcb2e66ccedb9e
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M crypto/cipher-gcrypt.c.inc
M meson.build
Log Message:
-----------
crypto: drop custom XTS support in gcrypt driver
The XTS cipher mode was introduced in gcrypt 1.8.0, which
matches QEMU's current minimum version.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 1f29519797e9e83c3e73ed4cd49e6cbb57a3a258
https://github.com/qemu/qemu/commit/1f29519797e9e83c3e73ed4cd49e6cbb57a3a258
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M tests/unit/test-crypto-cipher.c
Log Message:
-----------
crypto: add crypto tests for single block DES-ECB and DES-CBC
The GNUTLS crypto provider doesn't support DES-ECB, only DES-CBC.
We can use the latter to simulate the former, if we encrypt only
1 block (8 bytes) of data at a time, using an all-zeros IV. This
is a very inefficient way to use the QCryptoCipher APIs, but
since the VNC authentication challenge is only 16 bytes, this
is acceptable. No other part of QEMU should be using DES. This
test case demonstrates the equivalence of ECB and CBC for the
single-block case.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: bb89b83d8bcc88e37dab04b21aff4dbedbe01dbf
https://github.com/qemu/qemu/commit/bb89b83d8bcc88e37dab04b21aff4dbedbe01dbf
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M crypto/cipher-builtin.c.inc
R crypto/desrfb.c
M crypto/meson.build
Log Message:
-----------
crypto: delete built-in DES implementation
The built-in DES implementation is used for the VNC server password
authentication scheme. When building system emulators it is reasonable
to expect that an external crypto library is being used. It is thus
not worth keeping a home grown DES implementation in tree.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 6ac506b932b31e56689d69c674c1a002bee752a7
https://github.com/qemu/qemu/commit/6ac506b932b31e56689d69c674c1a002bee752a7
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M crypto/cipher-builtin.c.inc
M crypto/meson.build
M meson.build
Log Message:
-----------
crypto: delete built-in XTS cipher mode support
The built-in AES+XTS implementation is used for the LUKS encryption.
When building system emulators it is reasonable to expect that an
external crypto library is being used instead. The performance of the
builtin XTS implementation is terrible as it has no CPU acceleration
support. It is thus not worth keeping a home grown XTS implementation
for the built-in cipher backend.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: ff0564a5c472abe3d4ef81f760d10be05b5c5ec7
https://github.com/qemu/qemu/commit/ff0564a5c472abe3d4ef81f760d10be05b5c5ec7
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M crypto/cipher-gcrypt.c.inc
M crypto/cipher-nettle.c.inc
M crypto/cipher.c
M qapi/crypto.json
M tests/unit/test-crypto-cipher.c
M ui/vnc.c
Log Message:
-----------
crypto: replace 'des-rfb' cipher with 'des'
Currently the crypto layer exposes support for a 'des-rfb'
algorithm which is just normal single-DES, with the bits
in each key byte reversed. This special key munging is
required by the RFB protocol password authentication
mechanism.
Since the crypto layer is generic shared code, it makes
more sense to do the key byte munging in the VNC server
code, and expose normal single-DES support.
Replacing cipher 'des-rfb' by 'des' looks like an incompatible
interface change, but it doesn't matter. While the QMP schema
allows any QCryptoCipherAlgorithm for the 'cipher-alg' field
in QCryptoBlockCreateOptionsLUKS, the code restricts what can
be used at runtime. Thus the only effect is a change in error
message.
Original behaviour:

  $ qemu-img create -f luks --object secret,id=sec0,data=123 -o cipher-alg=des-rfb,key-secret=sec0 demo.luks 1G
  Formatting 'demo.luks', fmt=luks size=1073741824 key-secret=sec0 cipher-alg=des-rfb
  qemu-img: demo.luks: Algorithm 'des-rfb' not supported

New behaviour:

  $ qemu-img create -f luks --object secret,id=sec0,data=123 -o cipher-alg=des-rfb,key-secret=sec0 demo.luks 1G
  Formatting 'demo.luks', fmt=luks size=1073741824 key-secret=sec0 cipher-alg=des-fish
  qemu-img: demo.luks: Invalid parameter 'des-rfb'

Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: e1295f32023f01e4fc2fb6c601f3359c718363a2
https://github.com/qemu/qemu/commit/e1295f32023f01e4fc2fb6c601f3359c718363a2
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M meson.build
Log Message:
-----------
crypto: flip priority of backends to prefer gcrypt
Originally we preferred to use nettle over gcrypt because
gnutls already links to nettle and thus it minimizes the
dependencies. In retrospect this was the wrong criterion to
optimize for.
Currently shipping versions of gcrypt have cipher impls that
are massively faster than those in nettle and this is way
more important. The nettle library is also not capable of
enforcing FIPS compliance, since it considers that out of
scope. It merely aims to provide general purpose impls of
algorithms, and usage policy is left up to the layer above,
such as GNUTLS.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 8959343d0700ea67b245765fd12d9adbc70109e8
https://github.com/qemu/qemu/commit/8959343d0700ea67b245765fd12d9adbc70109e8
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M meson.build
Log Message:
-----------
crypto: introduce build system for gnutls crypto backend
This introduces the build logic needed to decide whether we can
use gnutls as a crypto driver backend. The actual implementations
will be introduced in following patches. We only wish to use
gnutls if it has version 3.6.14 or newer, because that is what
finally brings HW accelerated AES-XTS mode for x86_64.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 54e5e84a7dd10250ebc4151d3ff5cfc44c5620c0
https://github.com/qemu/qemu/commit/54e5e84a7dd10250ebc4151d3ff5cfc44c5620c0
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
A crypto/cipher-gnutls.c.inc
M crypto/cipher.c
Log Message:
-----------
crypto: add gnutls cipher provider
Add an implementation of the QEMU cipher APIs to the gnutls
crypto backend. XTS support is only available for gnutls
version >= 3.6.8. Since ECB mode is not exposed by gnutls
APIs, we can't use the private XTS code for compatibility.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: e6a919b06621790880c5956715f3494461aedfc9
https://github.com/qemu/qemu/commit/e6a919b06621790880c5956715f3494461aedfc9
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
A crypto/hash-gnutls.c
M crypto/meson.build
Log Message:
-----------
crypto: add gnutls hash provider
This adds support for using gnutls as a provider of the crypto
hash APIs.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 3eb289875c2c877be8ec7a7a84fd97ea48053f39
https://github.com/qemu/qemu/commit/3eb289875c2c877be8ec7a7a84fd97ea48053f39
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
A crypto/hmac-gnutls.c
Log Message:
-----------
crypto: add gnutls hmac provider
This adds support for using gnutls as a provider of the crypto
hmac APIs.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 4cb87ac75a08b791c2ec2ffc48d2724cacb70690
https://github.com/qemu/qemu/commit/4cb87ac75a08b791c2ec2ffc48d2724cacb70690
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M crypto/meson.build
A crypto/pbkdf-gnutls.c
Log Message:
-----------
crypto: add gnutls pbkdf provider
This adds support for using gnutls as a provider of the crypto
pbkdf APIs.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 8b2174f35aadc51877517cc2bdf74bb2027505e3
https://github.com/qemu/qemu/commit/8b2174f35aadc51877517cc2bdf74bb2027505e3
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M meson.build
Log Message:
-----------
crypto: prefer gnutls as the crypto backend if new enough
If we have gnutls >= 3.6.13, then it has enough functionality
and performance that we can use it as the preferred crypto
backend.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 6f5e626e1a4938d2321486f0fb2079c1a86a9b04
https://github.com/qemu/qemu/commit/6f5e626e1a4938d2321486f0fb2079c1a86a9b04
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M hw/net/rocker/rocker.h
Log Message:
-----------
net/rocker: use GDateTime for formatting timestamp in debug messages
The GDateTime APIs provided by GLib avoid portability pitfalls, such
as some platforms where 'struct timeval.tv_sec' field is still 'long'
instead of 'time_t'. When combined with automatic cleanup, GDateTime
often results in simpler code too.
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 053c7a45d59f40e02e16683c75e3cc50e7b02cc0
https://github.com/qemu/qemu/commit/053c7a45d59f40e02e16683c75e3cc50e7b02cc0
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M io/channel-websock.c
Log Message:
-----------
io: use GDateTime for formatting timestamp for websock headers
The GDateTime APIs provided by GLib avoid portability pitfalls, such
as some platforms where 'struct timeval.tv_sec' field is still 'long'
instead of 'time_t'. When combined with automatic cleanup, GDateTime
often results in simpler code too.
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: daff06ecc5d5f05242d53c17d97076a0e0f78ea0
https://github.com/qemu/qemu/commit/daff06ecc5d5f05242d53c17d97076a0e0f78ea0
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M softmmu/qemu-seccomp.c
Log Message:
-----------
seccomp: don't block getters for resource control syscalls
Recent GLibC calls sched_getaffinity in code paths related to malloc and
when QEMU blocks access, it sends it off into a bad codepath resulting
in stack exhaustion[1]. The GLibC bug is being fixed[2], but
nonetheless, GLibC has valid reasons to want to use sched_getaffinity.
It is not unreasonable for code to want to run many resource syscalls
for information gathering, so it is a bit too harsh for QEMU to block
them.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1975693
[2] https://sourceware.org/pipermail/libc-alpha/2021-June/128271.html
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Acked-by: Eduardo Otubo <otubo@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 1fc9958410c8683950ea22084b133a755561398b
https://github.com/qemu/qemu/commit/1fc9958410c8683950ea22084b133a755561398b
Author: Hyman <huangy81@chinatelecom.cn>
Date: 2021-07-12 (Mon, 12 Jul 2021)
Changed paths:
M tests/migration/guestperf/engine.py
Log Message:
-----------
tests/migration: fix unix socket migration
The test aborts and an error message like the following is thrown:
"No such file or directory: '/var/tmp/qemu-migrate-{pid}.migrate",
when the unix socket migration test is nearly done. The reason is
that qemu removes the unix socket file after migration, before the
guestperf.py script does it. So pre-check if the socket file exists
when removing it to prevent the guestperf program from aborting.
See also commit f9cc00346d3 ("tests/migration: fix unix socket batch
migration").
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Signed-off-by: Hyman <huangy81@chinatelecom.cn>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit: 9a0e86aeeabe1da3bca1f355284aaa7b64101e0e
https://github.com/qemu/qemu/commit/9a0e86aeeabe1da3bca1f355284aaa7b64101e0e
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2021-07-13 (Tue, 13 Jul 2021)
Changed paths:
M crypto/cipher-builtin.c.inc
M crypto/cipher-gcrypt.c.inc
A crypto/cipher-gnutls.c.inc
M crypto/cipher-nettle.c.inc
M crypto/cipher.c
R crypto/desrfb.c
A crypto/hash-gnutls.c
A crypto/hmac-gnutls.c
M crypto/init.c
M crypto/meson.build
A crypto/pbkdf-gnutls.c
M hw/net/rocker/rocker.h
M io/channel-websock.c
M meson.build
M qapi/crypto.json
M softmmu/qemu-seccomp.c
M tests/migration/guestperf/engine.py
M tests/unit/test-crypto-cipher.c
M tests/unit/test-crypto-hash.c
M tests/unit/test-crypto-hmac.c
M tests/unit/test-crypto-ivgen.c
M tests/unit/test-crypto-pbkdf.c
M ui/vnc.c
Log Message:
-----------
Merge remote-tracking branch
'remotes/berrange-gitlab/tags/crypto-and-more-pull-request' into staging
Merge crypto updates and misc fixes
* Introduce a GNUTLS backend for crypto algorithms
* Change crypto library preference gnutls > gcrypt > nettle > built-in
* Remove built-in DES impl
* Remove XTS mode from built-in AES impl
* Fix seccomp rules to allow resource info getters
* Fix migration performance test
* Use GDateTime in io/ and net/rocker/ code
# gpg: Signature made Mon 12 Jul 2021 14:01:58 BST
# gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full]
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
* remotes/berrange-gitlab/tags/crypto-and-more-pull-request: (22 commits)
tests/migration: fix unix socket migration
seccomp: don't block getters for resource control syscalls
io: use GDateTime for formatting timestamp for websock headers
net/rocker: use GDateTime for formatting timestamp in debug messages
crypto: prefer gnutls as the crypto backend if new enough
crypto: add gnutls pbkdf provider
crypto: add gnutls hmac provider
crypto: add gnutls hash provider
crypto: add gnutls cipher provider
crypto: introduce build system for gnutls crypto backend
crypto: flip priority of backends to prefer gcrypt
crypto: replace 'des-rfb' cipher with 'des'
crypto: delete built-in XTS cipher mode support
crypto: delete built-in DES implementation
crypto: add crypto tests for single block DES-ECB and DES-CBC
crypto: drop custom XTS support in gcrypt driver
crypto: drop gcrypt thread initialization code
crypto: fix gcrypt min version 1.8 regression
crypto: use &error_fatal in crypto tests
crypto: skip essiv ivgen tests if AES+ECB isn't available
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Compare: https://github.com/qemu/qemu/compare/eca73713358f...9a0e86aeeabe
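
The single-block ECB/CBC equivalence from "crypto: add crypto tests for single block DES-ECB and DES-CBC" and the key-byte bit reversal from "crypto: replace 'des-rfb' cipher with 'des'", as an added example that is not QEMU's code. All function names are hypothetical, the password bytes are constructed, and a toy Feistel permutation stands in for DES so the block runs without a crypto library; only the mode and key-munging logic is the point.

```c
#include <stdint.h>
#include <string.h>

#define BLK 8 /* DES block and key size in bytes */

/* Reverse the bit order of one byte (0x01 -> 0x80), the RFB key munging. */
static uint8_t rev8(uint8_t b) {
    b = (uint8_t)(((b & 0xF0) >> 4) | ((b & 0x0F) << 4));
    b = (uint8_t)(((b & 0xCC) >> 2) | ((b & 0x33) << 2));
    return (uint8_t)(((b & 0xAA) >> 1) | ((b & 0x55) << 1));
}

/* Hypothetical helper: derive the plain-DES key from the password bytes. */
void rfb_munge_key(const uint8_t *pw, uint8_t *key) {
    for (int i = 0; i < BLK; i++) key[i] = rev8(pw[i]);
}

/* Toy 4-round Feistel permutation, NOT DES: a constructed stand-in cipher. */
static void toy_block(const uint8_t *key, const uint8_t *in, uint8_t *out) {
    uint32_t l, r, k[2];
    memcpy(&l, in, 4); memcpy(&r, in + 4, 4); memcpy(k, key, 8);
    for (int i = 0; i < 4; i++) {
        uint32_t f = (r ^ k[i & 1]) * 2654435761u;
        uint32_t t = l ^ f ^ (f >> 15);
        l = r; r = t;
    }
    memcpy(out, &l, 4); memcpy(out + 4, &r, 4);
}

void ecb_encrypt(const uint8_t *key, const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t o = 0; o + BLK <= len; o += BLK) toy_block(key, in + o, out + o);
}

/* CBC: XOR each block with the previous ciphertext block (IV for the first). */
void cbc_encrypt(const uint8_t *key, const uint8_t *iv, const uint8_t *in,
                 uint8_t *out, size_t len) {
    uint8_t chain[BLK], x[BLK];
    memcpy(chain, iv, BLK);
    for (size_t o = 0; o + BLK <= len; o += BLK) {
        for (int i = 0; i < BLK; i++) x[i] = (uint8_t)(in[o + i] ^ chain[i]);
        toy_block(key, x, out + o);
        memcpy(chain, out + o, BLK);
    }
}

/* ECB as the commit describes: one CBC call per 8-byte block, each
 * restarted from an all-zeros IV so nothing chains between blocks. */
void ecb_via_cbc(const uint8_t *key, const uint8_t *in, uint8_t *out, size_t len) {
    static const uint8_t zero_iv[BLK] = {0};
    for (size_t o = 0; o + BLK <= len; o += BLK)
        cbc_encrypt(key, zero_iv, in + o, out + o, BLK);
}

int main(void) {
    uint8_t pw[BLK] = "passwd", key[BLK], chal[16] = {0}, a[16], b[16];
    rfb_munge_key(pw, key); /* constructed password, 16-byte challenge */
    ecb_encrypt(key, chal, a, 16); ecb_via_cbc(key, chal, b, 16);
    return memcmp(a, b, 16) != 0; /* exit status 0 when the two agree */
}
```

Passing the whole 16-byte challenge to a single CBC call matches ECB only for the first block, which is why the emulation has to restart from the zero IV for every block.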