authorDaniel P. Berrange <berrange@redhat.com>2016-06-06 10:05:06 +0100
committerDaniel P. Berrange <berrange@redhat.com>2016-07-04 15:53:19 +0100
commita1c5e949ddc3234dcb85a44b9cb9312cd9f3522f (patch)
tree64d6aca0612b3ab851f97fa028a4445876901290
parent13f12430d48b62e2304e0e5a7c607279af68b98a (diff)
crypto: allow default TLS priority to be chosen at build time
Modern gnutls can use a global config file to control the crypto priority settings for TLS connections. For example the priority string "@SYSTEM" instructs gnutls to find the priority setting named "SYSTEM" in the global config file. Latest gnutls GIT codebase gained the ability to reference multiple priority strings in the config file, with the first one found to exist winning. This means it is now possible to configure QEMU out of the box with a default priority of "@QEMU,SYSTEM", which says to look for the settings "QEMU" first, and if not found, use the "SYSTEM" settings. To make use of this facility, we introduce the ability to set the QEMU default priority at build time via a new configure argument. It is anticipated that distro vendors will set this when building QEMU to a suitable value for use with distro crypto policy setup. eg current Fedora would run ./configure --tls-priority=@SYSTEM while future Fedora would run ./configure --tls-priority=@QEMU,SYSTEM Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-rwxr-xr-xconfigure6
-rw-r--r--crypto/tlssession.c4
2 files changed, 8 insertions, 2 deletions
diff --git a/configure b/configure
index 65bd1ff86c..67beb47aca 100755
--- a/configure
+++ b/configure
@@ -305,6 +305,7 @@ archipelago="no"
gtk=""
gtkabi=""
gtk_gl="no"
+tls_priority="NORMAL"
gnutls=""
gnutls_rnd=""
nettle=""
@@ -1096,6 +1097,8 @@ for opt do
;;
--enable-gtk) gtk="yes"
;;
+ --tls-priority=*) tls_priority="$optarg"
+ ;;
--disable-gnutls) gnutls="no"
;;
--enable-gnutls) gnutls="yes"
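Review bot: The value taken at the `--tls-priority=*)` case is stored without any validation, yet later in this patch it is written verbatim between double quotes into config-host.mak and from there becomes a C string literal in tlssession.c; an empty value, or one containing `"` or `\`, is therefore only noticed as a compile error or as a gnutls priority parse failure on the first TLS session. Rejecting those cases at configure time gives the packager a clear diagnostic where the mistake was made. The enclosing option loop starts and ends outside this hunk; `error_exit` is configure's usual helper for this, assuming it is defined before the loop in this version of the script.
```shell
  --tls-priority=*)
      case "$optarg" in
          ''|*'"'*|*'\'*)
              error_exit "--tls-priority requires a non-empty gnutls priority string without quotes or backslashes"
          ;;
      esac
      tls_priority="$optarg"
  ;;
```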
@@ -1307,6 +1310,7 @@ Advanced options (experts only):
--disable-blobs disable installing provided firmware blobs
--with-vss-sdk=SDK-path enable Windows VSS support in QEMU Guest Agent
--with-win-sdk=SDK-path path to Windows Platform SDK (to build VSS .tlb)
+ --tls-priority default TLS protocol/cipher priority string
Optional features, enabled with --enable-FEATURE and
disabled with --disable-FEATURE, default is enabled if available:
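Review bot: The help line `--tls-priority` omits the argument the option actually requires, while its neighbours (`--with-vss-sdk=SDK-path`, `--with-win-sdk=SDK-path`) show theirs; since the parser only matches `--tls-priority=*`, a user following the help text as written gets an unknown-option error. I would change it to `--tls-priority=STRING   default TLS protocol/cipher priority string (gnutls syntax, e.g. NORMAL or @SYSTEM)` so the expected format and the fact that gnutls interprets it are both visible. The help heredoc starts and ends outside this hunk.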
@@ -4802,6 +4806,7 @@ echo "SDL support $sdl $(echo_version $sdl $sdlversion)"
echo "GTK support $gtk $(echo_version $gtk $gtk_version)"
echo "GTK GL support $gtk_gl"
echo "VTE support $vte $(echo_version $vte $vteversion)"
+echo "TLS priority $tls_priority"
echo "GNUTLS support $gnutls"
echo "GNUTLS rnd $gnutls_rnd"
echo "libgcrypt $gcrypt"
@@ -5165,6 +5170,7 @@ if test "$gtk" = "yes" ; then
echo "CONFIG_GTK_GL=y" >> $config_host_mak
fi
fi
+echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak
if test "$gnutls" = "yes" ; then
echo "CONFIG_GNUTLS=y" >> $config_host_mak
fi
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index 2112d2934a..2de42c61cb 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -137,7 +137,7 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
if (creds->priority != NULL) {
prio = g_strdup_printf("%s:+ANON-DH", creds->priority);
} else {
- prio = g_strdup("NORMAL:+ANON-DH");
+ prio = g_strdup(CONFIG_TLS_PRIORITY ":+ANON-DH");
}
ret = gnutls_priority_set_direct(session->handle, prio, NULL);
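Review bot: The anonymous-credentials path now appends `":+ANON-DH"` to whatever the distro configured at build time, which with this series may be an `@`-style config-file reference such as `@SYSTEM`; whether gnutls accepts modifiers after such a reference depends on the gnutls version, and if it does not, anon sessions fail at `gnutls_priority_set_direct` while x509 sessions using the same default work, which is a confusing failure to debug. The concatenation also relies on `CONFIG_TLS_PRIORITY` being a non-empty string literal, since an empty build-time value yields the literal `":+ANON-DH"`. A comment above the `g_strdup` line would at least record the assumption: `/* CONFIG_TLS_PRIORITY may be an @-reference (e.g. "@SYSTEM"); appending modifiers to it requires a gnutls that resolves the reference first */`. qcrypto_tls_session_new starts and ends outside this hunk.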
@@ -167,7 +167,7 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds,
QCryptoTLSCredsX509 *tcreds = QCRYPTO_TLS_CREDS_X509(creds);
const char *prio = creds->priority;
if (!prio) {
- prio = "NORMAL";
+ prio = CONFIG_TLS_PRIORITY;
}
ret = gnutls_priority_set_direct(session->handle, prio, NULL);
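Review bot: With the default priority now coming from the build configuration or a distro policy file rather than the fixed "NORMAL", a rejected priority string becomes much more likely, but `gnutls_priority_set_direct` is still called with a NULL third argument, so the error reported to the user cannot say which part of the string gnutls objected to. I would capture the position, `const char *errpos = NULL;` and `ret = gnutls_priority_set_direct(session->handle, prio, &errpos);`, and include `errpos` in the error message built in the failure branch that follows, which lies outside this hunk. The same applies to the anon-credentials call earlier in the function.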