On 10/24/2016 04:40 AM, Pavel Hrdina wrote: 
> Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx> > --- > configure.ac | 109 +----------------------------------------------------- > m4/virt-gnutls.m4 | 64 ++++++++++++++++++++++++++++++++ > 2 files changed, 66 insertions(+), 107 deletions(-) > create mode 100644 m4/virt-gnutls.m4 > I'm not quite sure what, but something in this change has broken encrypted secret capabilities as the following API is not always returning false... bool virCryptoHaveCipher(virCryptoCipher algorithm) { switch (algorithm) { case VIR_CRYPTO_CIPHER_AES256CBC: #ifdef HAVE_GNUTLS_CIPHER_ENCRYPT return true; #else return false; #endif ... Of course the virCryptoEncryptDataAESgntuls is also undefined. In order to work around short term, if I use HAVE_GNUTLS_CRYPTO_H I can at least get the API needed. Just so you know I have a customer case which I'm trying to resolve/debug that's impacted by this (naturally)! I "hand bisected" back to $ git co c290f216c47afbd4f3d1e082cdb98181675cd31e $ ./autogen.sh --system <lots of gnarly warnings about this omitted> $ grep HAVE_GNUTLS config.log | #define HAVE_GNUTLS_CRYPTO_H 1 | #define HAVE_GNUTLS_RND 1 | #define HAVE_GNUTLS_CIPHER_ENCRYPT 1 | #define HAVE_GNUTLS_CRYPTO_H 1 ... #define HAVE_GNUTLS_CRYPTO_H 1 #define HAVE_GNUTLS_RND 1 #define HAVE_GNUTLS_CIPHER_ENCRYPT 1 ... $ git co 680d2f49dad425395de627a31006cb84848cfa65 $ ./autogen.sh --system <lots of stuff omitted> $ grep HAVE_GNUTLS config.log | #define HAVE_GNUTLS_CRYPTO_H 1 ... #define HAVE_GNUTLS_CRYPTO_H 1 ... $ Note there's no HAVE_GNUTLS_CIPHER_ENCRYPT or HAVE_GNUTLS_RND. Doing the similar process for some followup patches that seemed to be related produced the same results $ git co 0c62ccf927c60c9c248db52a23670ec2f9bce2b2 $ git co a55fdc3f251ab1800050505ac1e6158ee7535402 $ git co 943ddcb71205524fe2a34ca7a9b6cb3744a07555 Ironically the test for whether this functionality exists uses SKIP so as to not cause failures for environments without the gnutls_cipher_encrypt John 
> diff --git a/configure.ac b/configure.ac
> index dfc536f..72bf7dd 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -117,7 +117,6 @@ fi
>
> dnl Required minimum versions of all libs we depend on
> LIBXML_REQUIRED="2.6.0"
> -GNUTLS_REQUIRED="2.2.0"
> POLKIT_REQUIRED="0.6"
> PARTED_REQUIRED="1.8.0"
> DEVMAPPER_REQUIRED=1.0.0
> @@ -260,6 +259,7 @@ LIBVIRT_CHECK_UDEV
> LIBVIRT_CHECK_WIRESHARK
> LIBVIRT_CHECK_NSS
> LIBVIRT_CHECK_YAJL
> +LIBVIRT_CHECK_GNUTLS
>
> AC_MSG_CHECKING([for CPUID instruction])
> AC_COMPILE_IFELSE([AC_LANG_PROGRAM(
> @@ -1170,107 +1170,6 @@ AC_CHECK_MEMBER([struct _xmlURI.query_raw],
> CFLAGS="$old_CFLAGS"
> LIBS="$old_LIBS"
>
> -dnl GnuTLS library
> -AC_ARG_WITH([gnutls],
> - [AS_HELP_STRING([--with-gnutls],
> - [use GNUTLS for encryption @<:@default=check@:>@])],
> - [],
> - [with_gnutls=check])
> -
> -
> -if test "x$with_gnutls" != "xno"; then
> - if test "x$with_gnutls" != "xyes" && test "x$with_gnutls" != "xcheck"; then
> - GNUTLS_CFLAGS="-I$with_gnutls/include"
> - GNUTLS_LIBS="-L$with_gnutls/lib"
> - fi
> - fail=0
> - old_CFLAGS="$CFLAGS"
> - old_LIBS="$LIBS"
> - CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
> - LIBS="$LIBS $GNUTLS_LIBS"
> -
> - GNUTLS_FOUND=no
> - GNUTLS_GCRYPT=unknown
> - if test -x "$PKG_CONFIG" ; then
> - dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses
> - dnl only nettle, and versions in between had a configure option.
> - dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle,
> - dnl but it is a safe fallback to use gcrypt if we can't prove anything.
> - if $PKG_CONFIG --exists 'gnutls >= 3.0'; then
> - GNUTLS_GCRYPT=no
> - elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then
> - GNUTLS_GCRYPT=probe
> - else
> - GNUTLS_GCRYPT=yes
> - fi
> - PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED,
> - [GNUTLS_FOUND=yes], [GNUTLS_FOUND=no])
> - fi
> - if test "$GNUTLS_FOUND" = "no"; then
> - dnl pkg-config couldn't help us, assume gcrypt is necessary
> - fail=0
> - GNUTLS_GCRYPT=yes
> - AC_CHECK_HEADER([gnutls/gnutls.h], [], [fail=1])
> - AC_CHECK_LIB([gnutls], [gnutls_handshake],[], [fail=1], [-lgcrypt])
> -
> - test $fail = 0 && GNUTLS_FOUND=yes
> -
> - GNUTLS_LIBS="$GNUTLS_LIBS -lgnutls"
> - fi
> - if test "$GNUTLS_FOUND" = "no"; then
> - if test "$with_gnutls" = "check"; then
> - with_gnutls=no
> - GNUTLS_LIBS=
> - GNUTLS_CFLAGS=
> - else
> - AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run libvirt])
> - fi
> - else
> - dnl See comments above about when to use gcrypt.
> - if test "$GNUTLS_GCRYPT" = probe; then
> - case `$PKG_CONFIG --libs --static gnutls` in
> - *gcrypt*) GNUTLS_GCRYPT=yes ;;
> - *nettle*) GNUTLS_GCRYPT=no ;;
> - *) GNUTLS_GCRYPT=unknown ;;
> - esac
> - fi
> - if test "$GNUTLS_GCRYPT" = yes || test "$GNUTLS_GCRYPT" = unknown; then
> - GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
> - dnl We're not using gcrypt deprecated features so define
> - dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
> - GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
> - AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1,
> - [set to 1 if it is known or assumed that GNUTLS uses gcrypt])
> - fi
> -
> - with_gnutls=yes
> - fi
> -
> - dnl GNUTLS_CFLAGS and GNUTLS_LIBS have probably been updated above,
> - dnl and we need the final values for function probing to work
> - CFLAGS="$old_CFLAGS $GNUTLS_CFLAGS"
> - LIBS="$old_LIBS $GNUTLS_LIBS"
> -
> - dnl gnutls 3.x moved some declarations to a new header
> - AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[
> - #include <gnutls/gnutls.h>
> - ]])
> -
> - AC_CHECK_FUNCS([gnutls_rnd])
> - AC_CHECK_FUNCS([gnutls_cipher_encrypt])
> -
> - CFLAGS="$old_CFLAGS"
> - LIBS="$old_LIBS"
> -fi
> -
> -if test "x$with_gnutls" = "xyes" ; then
> - AC_DEFINE_UNQUOTED([WITH_GNUTLS], 1,
> - [whether GNUTLS is available for encryption])
> -fi
> -AM_CONDITIONAL([WITH_GNUTLS], [test "x$with_gnutls" = "xyes"])
> -AC_SUBST([GNUTLS_CFLAGS])
> -AC_SUBST([GNUTLS_LIBS])
> -
>
> AC_ARG_WITH([tls-priority],
> [AS_HELP_STRING([--with-tls-priority],
> @@ -2799,6 +2698,7 @@ LIBVIRT_RESULT_UDEV
> LIBVIRT_RESULT_WIRESHARK
> LIBVIRT_RESULT_NSS
> LIBVIRT_RESULT_YAJL
> +LIBVIRT_RESULT_GNUTLS
> AC_MSG_NOTICE([ libxml: $LIBXML_CFLAGS $LIBXML_LIBS])
> AC_MSG_NOTICE([ dlopen: $DLOPEN_LIBS])
> if test "$with_hyperv" = "yes" ; then
> @@ -2806,11 +2706,6 @@ AC_MSG_NOTICE([openwsman: $OPENWSMAN_CFLAGS $OPENWSMAN_LIBS])
> else
> AC_MSG_NOTICE([openwsman: no])
> fi
> -if test "$with_gnutls" != "no" ; then
> -AC_MSG_NOTICE([ gnutls: $GNUTLS_CFLAGS $GNUTLS_LIBS])
> -else
> -AC_MSG_NOTICE([ gnutls: no])
> -fi
> AC_MSG_NOTICE([firewalld: $with_firewalld])
> if test "$with_polkit" = "yes" ; then
> if test "$with_polkit0" = "yes" ; then
> diff --git a/m4/virt-gnutls.m4 b/m4/virt-gnutls.m4
> new file mode 100644
> index 0000000..29490de
> --- /dev/null
> +++ b/m4/virt-gnutls.m4
> @@ -0,0 +1,64 @@
> +dnl The gnutls libgnutls.so library
> +dnl
> +dnl Copyright (C) 2016 Red Hat, Inc.
> +dnl
> +dnl This library is free software; you can redistribute it and/or
> +dnl modify it under the terms of the GNU Lesser General Public
> +dnl License as published by the Free Software Foundation; either
> +dnl version 2.1 of the License, or (at your option) any later version.
> +dnl
> +dnl This library is distributed in the hope that it will be useful,
> +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
> +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +dnl Lesser General Public License for more details.
> +dnl
> +dnl You should have received a copy of the GNU Lesser General Public
> +dnl License along with this library. If not, see
> +dnl <http://www.gnu.org/licenses/>.
> +dnl
> +
> +AC_DEFUN([LIBVIRT_CHECK_GNUTLS],[
> + LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [2.2.0])
> +
> + dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses
> + dnl only nettle, and versions in between had a configure option.
> + dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle,
> + dnl but it is a safe fallback to use gcrypt if we can't prove anything.A
> +
> + GNUTLS_GCRYPT=
> + if $PKG_CONFIG --exists 'gnutls >= 3.0'; then
> + GNUTLS_GCRYPT="no"
> + elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then
> + GNUTLS_GCRYPT="probe"
> + else
> + GNUTLS_GCRYPT="yes"
> + fi
> +
> + if test "$GNUTLS_GCRYPT" = "probe"; then
> + case $($PKG_CONFIG --libs --static gnutls) in
> + *gcrypt*) GNUTLS_GCRYPT=yes ;;
> + *nettle*) GNUTLS_GCRYPT=no ;;
> + *) GNUTLS_GCRYPT=unknown ;;
> + esac
> + fi
> +
> + if test "$GNUTLS_GCRYPT" = "yes" || test "$GNUTLS_GCRYPT" = "unknown"; then
> + GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
> + dnl We're not using gcrypt deprecated features so define
> + dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
> + GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
> + AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1,
> + [set to 1 if it is known or assumed that GNUTLS uses gcrypt])
> + fi
> +
> + AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[
> + #include <gnutls/gnutls.h>
> + ]])
> +
> + AC_CHECK_FUNC([gnutls_rnd])
> + AC_CHECK_FUNC([gnutls_cipher_encrypt])
> +])
> +
> +AC_DEFUN([LIBVIRT_RESULT_GNUTLS],[
> + LIBVIRT_RESULT_LIB([GNUTLS])
> +])
> -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list