Our use of gnutls_rnd(), introduced with commit ad7520e8, is conditional to the availability of the <gnutls/crypto.h> header file. Such check, however, turns out not to be strict enough, as there are some versions of GnuTLS (eg. 2.8.5 from CentOS 6) that provide the header file, but not the function itself, which was introduced only in GnuTLS 2.12.0. Introduce an explicit check for the function. --- configure.ac | 7 +++++++ src/qemu/qemu_domain.c | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 6442674..c8c2895 100644 --- a/configure.ac +++ b/configure.ac @@ -1289,6 +1289,13 @@ if test "x$with_gnutls" != "xno"; then with_gnutls=yes fi + dnl GNUTLS_CFLAGS and GNUTLS_LIBS have probably been updated above, + dnl and we need the final values for function probing to work + CFLAGS="$old_CFLAGS $GNUTLS_CFLAGS" + LIBS="$old_LIBS $GNUTLS_LIBS" + + AC_CHECK_FUNCS([gnutls_rnd]) + CFLAGS="$old_CFLAGS" LIBS="$old_LIBS" fi diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index fa7cfc9..55dcba8 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -635,8 +635,8 @@ qemuDomainGenerateRandomKey(size_t nbytes) if (VIR_ALLOC_N(key, nbytes) < 0) return NULL; -#if HAVE_GNUTLS_CRYPTO_H - /* Generate a master key using gnutls if possible */ +#if HAVE_GNUTLS_RND + /* Generate a master key using gnutls_rnd() if possible */ if ((ret = gnutls_rnd(GNUTLS_RND_RANDOM, key, nbytes)) < 0) { virReportError(VIR_ERR_INTERNAL_ERROR, _("failed to generate master key, ret=%d"), ret); @@ -644,7 +644,7 @@ qemuDomainGenerateRandomKey(size_t nbytes) return NULL; } #else - /* If we don't have gnutls, we will generate a less cryptographically + /* If we don't have gnutls_rnd(), we will generate a less cryptographically * strong master key from /dev/urandom. */ if ((ret = virRandomBytes(key, nbytes)) < 0) { -- 2.5.5 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list