Re: [PATCH 1/2] configure: move gnutls check into virt-gnutls.m4

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 10/24/2016 04:40 AM, Pavel Hrdina wrote:
> Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx>
> ---
>  configure.ac      | 109 +-----------------------------------------------------
>  m4/virt-gnutls.m4 |  64 ++++++++++++++++++++++++++++++++
>  2 files changed, 66 insertions(+), 107 deletions(-)
>  create mode 100644 m4/virt-gnutls.m4
> 

I'm not quite sure what, but something in this change has broken
encrypted secret capabilities as the following API is not always
returning false...

bool
virCryptoHaveCipher(virCryptoCipher algorithm)
{
    switch (algorithm) {

    case VIR_CRYPTO_CIPHER_AES256CBC:

#ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
    return true;
#else
    return false;
#endif

...

Of course the virCryptoEncryptDataAESgntuls is also undefined.

In order to work around short term, if I use HAVE_GNUTLS_CRYPTO_H I can
at least get the API needed.

Just so you know I have a customer case which I'm trying to
resolve/debug that's impacted by this (naturally)!


I "hand bisected" back to

$ git co c290f216c47afbd4f3d1e082cdb98181675cd31e
$ ./autogen.sh --system
<lots of gnarly warnings about this omitted>

$ grep HAVE_GNUTLS config.log
| #define HAVE_GNUTLS_CRYPTO_H 1
| #define HAVE_GNUTLS_RND 1
| #define HAVE_GNUTLS_CIPHER_ENCRYPT 1
| #define HAVE_GNUTLS_CRYPTO_H 1
...
#define HAVE_GNUTLS_CRYPTO_H 1
#define HAVE_GNUTLS_RND 1
#define HAVE_GNUTLS_CIPHER_ENCRYPT 1
...

$ git co 680d2f49dad425395de627a31006cb84848cfa65
$ ./autogen.sh --system
<lots of stuff ommitted>

$ grep HAVE_GNUTLS config.log
| #define HAVE_GNUTLS_CRYPTO_H 1
...
#define HAVE_GNUTLS_CRYPTO_H 1
...
$

Note there's no HAVE_GNUTLS_CIPHER_ENCRYPT or HAVE_GNUTLS_RND


doing the similar process for some followup patches that seemed to be
related produced the same results

$ git co 0c62ccf927c60c9c248db52a23670ec2f9bce2b2
$ git co a55fdc3f251ab1800050505ac1e6158ee7535402
$ git co 943ddcb71205524fe2a34ca7a9b6cb3744a07555


Ironically the test for whether this functionality exists uses SKIP so
as to not cause failures for environments without the gnutls_cipher_encrypt

John

> diff --git a/configure.ac b/configure.ac
> index dfc536f..72bf7dd 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -117,7 +117,6 @@ fi
>  
>  dnl Required minimum versions of all libs we depend on
>  LIBXML_REQUIRED="2.6.0"
> -GNUTLS_REQUIRED="2.2.0"
>  POLKIT_REQUIRED="0.6"
>  PARTED_REQUIRED="1.8.0"
>  DEVMAPPER_REQUIRED=1.0.0
> @@ -260,6 +259,7 @@ LIBVIRT_CHECK_UDEV
>  LIBVIRT_CHECK_WIRESHARK
>  LIBVIRT_CHECK_NSS
>  LIBVIRT_CHECK_YAJL
> +LIBVIRT_CHECK_GNUTLS
>  
>  AC_MSG_CHECKING([for CPUID instruction])
>  AC_COMPILE_IFELSE([AC_LANG_PROGRAM(
> @@ -1170,107 +1170,6 @@ AC_CHECK_MEMBER([struct _xmlURI.query_raw],
>  CFLAGS="$old_CFLAGS"
>  LIBS="$old_LIBS"
>  
> -dnl GnuTLS library
> -AC_ARG_WITH([gnutls],
> -  [AS_HELP_STRING([--with-gnutls],
> -    [use GNUTLS for encryption @<:@default=check@:>@])],
> -  [],
> -  [with_gnutls=check])
> -
> -
> -if test "x$with_gnutls" != "xno"; then
> -  if test "x$with_gnutls" != "xyes" && test "x$with_gnutls" != "xcheck"; then
> -    GNUTLS_CFLAGS="-I$with_gnutls/include"
> -    GNUTLS_LIBS="-L$with_gnutls/lib"
> -  fi
> -  fail=0
> -  old_CFLAGS="$CFLAGS"
> -  old_LIBS="$LIBS"
> -  CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
> -  LIBS="$LIBS $GNUTLS_LIBS"
> -
> -  GNUTLS_FOUND=no
> -  GNUTLS_GCRYPT=unknown
> -  if test -x "$PKG_CONFIG" ; then
> -    dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses
> -    dnl only nettle, and versions in between had a configure option.
> -    dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle,
> -    dnl but it is a safe fallback to use gcrypt if we can't prove anything.
> -    if $PKG_CONFIG --exists 'gnutls >= 3.0'; then
> -      GNUTLS_GCRYPT=no
> -    elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then
> -      GNUTLS_GCRYPT=probe
> -    else
> -      GNUTLS_GCRYPT=yes
> -    fi
> -    PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED,
> -      [GNUTLS_FOUND=yes], [GNUTLS_FOUND=no])
> -  fi
> -  if test "$GNUTLS_FOUND" = "no"; then
> -    dnl pkg-config couldn't help us, assume gcrypt is necessary
> -    fail=0
> -    GNUTLS_GCRYPT=yes
> -    AC_CHECK_HEADER([gnutls/gnutls.h], [], [fail=1])
> -    AC_CHECK_LIB([gnutls], [gnutls_handshake],[], [fail=1], [-lgcrypt])
> -
> -    test $fail = 0 && GNUTLS_FOUND=yes
> -
> -    GNUTLS_LIBS="$GNUTLS_LIBS -lgnutls"
> -  fi
> -  if test "$GNUTLS_FOUND" = "no"; then
> -    if test "$with_gnutls" = "check"; then
> -      with_gnutls=no
> -      GNUTLS_LIBS=
> -      GNUTLS_CFLAGS=
> -    else
> -      AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run libvirt])
> -    fi
> -  else
> -    dnl See comments above about when to use gcrypt.
> -    if test "$GNUTLS_GCRYPT" = probe; then
> -      case `$PKG_CONFIG --libs --static gnutls` in
> -        *gcrypt*) GNUTLS_GCRYPT=yes     ;;
> -        *nettle*) GNUTLS_GCRYPT=no      ;;
> -        *)        GNUTLS_GCRYPT=unknown ;;
> -      esac
> -    fi
> -    if test "$GNUTLS_GCRYPT" = yes || test "$GNUTLS_GCRYPT" = unknown; then
> -      GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
> -      dnl We're not using gcrypt deprecated features so define
> -      dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
> -      GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
> -      AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1,
> -        [set to 1 if it is known or assumed that GNUTLS uses gcrypt])
> -    fi
> -
> -    with_gnutls=yes
> -  fi
> -
> -  dnl GNUTLS_CFLAGS and GNUTLS_LIBS have probably been updated above,
> -  dnl and we need the final values for function probing to work
> -  CFLAGS="$old_CFLAGS $GNUTLS_CFLAGS"
> -  LIBS="$old_LIBS $GNUTLS_LIBS"
> -
> -  dnl gnutls 3.x moved some declarations to a new header
> -  AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[
> -    #include <gnutls/gnutls.h>
> -  ]])
> -
> -  AC_CHECK_FUNCS([gnutls_rnd])
> -  AC_CHECK_FUNCS([gnutls_cipher_encrypt])
> -
> -  CFLAGS="$old_CFLAGS"
> -  LIBS="$old_LIBS"
> -fi
> -
> -if test "x$with_gnutls" = "xyes" ; then
> -  AC_DEFINE_UNQUOTED([WITH_GNUTLS], 1,
> -      [whether GNUTLS is available for encryption])
> -fi
> -AM_CONDITIONAL([WITH_GNUTLS], [test "x$with_gnutls" = "xyes"])
> -AC_SUBST([GNUTLS_CFLAGS])
> -AC_SUBST([GNUTLS_LIBS])
> -
>  
>  AC_ARG_WITH([tls-priority],
>    [AS_HELP_STRING([--with-tls-priority],
> @@ -2799,6 +2698,7 @@ LIBVIRT_RESULT_UDEV
>  LIBVIRT_RESULT_WIRESHARK
>  LIBVIRT_RESULT_NSS
>  LIBVIRT_RESULT_YAJL
> +LIBVIRT_RESULT_GNUTLS
>  AC_MSG_NOTICE([  libxml: $LIBXML_CFLAGS $LIBXML_LIBS])
>  AC_MSG_NOTICE([  dlopen: $DLOPEN_LIBS])
>  if test "$with_hyperv" = "yes" ; then
> @@ -2806,11 +2706,6 @@ AC_MSG_NOTICE([openwsman: $OPENWSMAN_CFLAGS $OPENWSMAN_LIBS])
>  else
>  AC_MSG_NOTICE([openwsman: no])
>  fi
> -if test "$with_gnutls" != "no" ; then
> -AC_MSG_NOTICE([  gnutls: $GNUTLS_CFLAGS $GNUTLS_LIBS])
> -else
> -AC_MSG_NOTICE([  gnutls: no])
> -fi
>  AC_MSG_NOTICE([firewalld: $with_firewalld])
>  if test "$with_polkit" = "yes" ; then
>  if test "$with_polkit0" = "yes" ; then
> diff --git a/m4/virt-gnutls.m4 b/m4/virt-gnutls.m4
> new file mode 100644
> index 0000000..29490de
> --- /dev/null
> +++ b/m4/virt-gnutls.m4
> @@ -0,0 +1,64 @@
> +dnl The gnutls libgnutls.so library
> +dnl
> +dnl Copyright (C) 2016 Red Hat, Inc.
> +dnl
> +dnl This library is free software; you can redistribute it and/or
> +dnl modify it under the terms of the GNU Lesser General Public
> +dnl License as published by the Free Software Foundation; either
> +dnl version 2.1 of the License, or (at your option) any later version.
> +dnl
> +dnl This library is distributed in the hope that it will be useful,
> +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
> +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +dnl Lesser General Public License for more details.
> +dnl
> +dnl You should have received a copy of the GNU Lesser General Public
> +dnl License along with this library.  If not, see
> +dnl <http://www.gnu.org/licenses/>.
> +dnl
> +
> +AC_DEFUN([LIBVIRT_CHECK_GNUTLS],[
> +  LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [2.2.0])
> +
> +  dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses
> +  dnl only nettle, and versions in between had a configure option.
> +  dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle,
> +  dnl but it is a safe fallback to use gcrypt if we can't prove anything.A
> +
> +  GNUTLS_GCRYPT=
> +  if $PKG_CONFIG --exists 'gnutls >= 3.0'; then
> +    GNUTLS_GCRYPT="no"
> +  elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then
> +    GNUTLS_GCRYPT="probe"
> +  else
> +    GNUTLS_GCRYPT="yes"
> +  fi
> +
> +  if test "$GNUTLS_GCRYPT" = "probe"; then
> +    case $($PKG_CONFIG --libs --static gnutls) in
> +      *gcrypt*) GNUTLS_GCRYPT=yes       ;;
> +      *nettle*) GNUTLS_GCRYPT=no        ;;
> +      *)        GNUTLS_GCRYPT=unknown   ;;
> +    esac
> +  fi
> +
> +  if test "$GNUTLS_GCRYPT" = "yes" || test "$GNUTLS_GCRYPT" = "unknown"; then
> +    GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
> +    dnl We're not using gcrypt deprecated features so define
> +    dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
> +    GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
> +    AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1,
> +                       [set to 1 if it is known or assumed that GNUTLS uses gcrypt])
> +  fi
> +
> +  AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[
> +    #include <gnutls/gnutls.h>
> +  ]])
> +
> +  AC_CHECK_FUNC([gnutls_rnd])
> +  AC_CHECK_FUNC([gnutls_cipher_encrypt])
> +])
> +
> +AC_DEFUN([LIBVIRT_RESULT_GNUTLS],[
> +  LIBVIRT_RESULT_LIB([GNUTLS])
> +])
> 

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux