diff options
author | Daniel P. Berrange <berrange@redhat.com> | 2016-06-06 10:05:06 +0100 |
---|---|---|
committer | Daniel P. Berrange <berrange@redhat.com> | 2016-07-04 15:53:19 +0100 |
commit | a1c5e949ddc3234dcb85a44b9cb9312cd9f3522f (patch) | |
tree | 64d6aca0612b3ab851f97fa028a4445876901290 | |
parent | 13f12430d48b62e2304e0e5a7c607279af68b98a (diff) | |
download | qemu-a1c5e949ddc3234dcb85a44b9cb9312cd9f3522f.zip |
crypto: allow default TLS priority to be chosen at build time
Modern gnutls can use a global config file to control the
crypto priority settings for TLS connections. For example
the priority string "@SYSTEM" instructs gnutls to find the
priority setting named "SYSTEM" in the global config file.
Latest gnutls GIT codebase gained the ability to reference
multiple priority strings in the config file, with the first
one that is found to existing winning. This means it is now
possible to configure QEMU out of the box with a default
priority of "@QEMU,SYSTEM", which says to look for the
settings "QEMU" first, and if not found, use the "SYSTEM"
settings.
To make use of this facility, we introduce the ability to
set the QEMU default priority at build time via a new
configure argument. It is anticipated that distro vendors
will set this when building QEMU to a suitable value for
use with distro crypto policy setup. eg current Fedora
would run
./configure --tls-priority=@SYSTEM
while future Fedora would run
./configure --tls-priority=@QEMU,SYSTEM
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-rwxr-xr-x | configure | 6 | ||||
-rw-r--r-- | crypto/tlssession.c | 4 |
2 files changed, 8 insertions, 2 deletions
@@ -305,6 +305,7 @@ archipelago="no" gtk="" gtkabi="" gtk_gl="no" +tls_priority="NORMAL" gnutls="" gnutls_rnd="" nettle="" @@ -1096,6 +1097,8 @@ for opt do ;; --enable-gtk) gtk="yes" ;; + --tls-priority=*) tls_priority="$optarg" + ;; --disable-gnutls) gnutls="no" ;; --enable-gnutls) gnutls="yes" @@ -1307,6 +1310,7 @@ Advanced options (experts only): --disable-blobs disable installing provided firmware blobs --with-vss-sdk=SDK-path enable Windows VSS support in QEMU Guest Agent --with-win-sdk=SDK-path path to Windows Platform SDK (to build VSS .tlb) + --tls-priority default TLS protocol/cipher priority string Optional features, enabled with --enable-FEATURE and disabled with --disable-FEATURE, default is enabled if available: @@ -4802,6 +4806,7 @@ echo "SDL support $sdl $(echo_version $sdl $sdlversion)" echo "GTK support $gtk $(echo_version $gtk $gtk_version)" echo "GTK GL support $gtk_gl" echo "VTE support $vte $(echo_version $vte $vteversion)" +echo "TLS priority $tls_priority" echo "GNUTLS support $gnutls" echo "GNUTLS rnd $gnutls_rnd" echo "libgcrypt $gcrypt" @@ -5165,6 +5170,7 @@ if test "$gtk" = "yes" ; then echo "CONFIG_GTK_GL=y" >> $config_host_mak fi fi +echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak if test "$gnutls" = "yes" ; then echo "CONFIG_GNUTLS=y" >> $config_host_mak fi diff --git a/crypto/tlssession.c b/crypto/tlssession.c index 2112d2934a..2de42c61cb 100644 --- a/crypto/tlssession.c +++ b/crypto/tlssession.c @@ -137,7 +137,7 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds, if (creds->priority != NULL) { prio = g_strdup_printf("%s:+ANON-DH", creds->priority); } else { - prio = g_strdup("NORMAL:+ANON-DH"); + prio = g_strdup(CONFIG_TLS_PRIORITY ":+ANON-DH"); } ret = gnutls_priority_set_direct(session->handle, prio, NULL); @@ -167,7 +167,7 @@ qcrypto_tls_session_new(QCryptoTLSCreds *creds, QCryptoTLSCredsX509 *tcreds = QCRYPTO_TLS_CREDS_X509(creds); const char *prio = creds->priority; if (!prio) { - prio = "NORMAL"; + prio = CONFIG_TLS_PRIORITY; } ret = gnutls_priority_set_direct(session->handle, prio, NULL); |