5:13 p.m.
https://bugzilla.redhat.com/show_bug.cgi?id=951637
Newer gnutls uses nettle, rather than gcrypt, which is a lot nicer
regarding initialization. Yet we were unconditionally initializing
gcrypt even when gnutls wouldn't be using it, and having two crypto
libraries linked into libvirt.so is pointless.
The ldd probe in configure borrows from our libnl-1 vs. libnl-3 code.
* configure.ac (WITH_GNUTLS): Probe whether to add -lgcrypt, and
define a witness WITH_GNUTLS_GCRYPT.
* src/libvirt.c (virTLSMutexInit, virTLSMutexDestroy)
(virTLSMutexLock, virTLSMutexUnlock, virTLSThreadImpl)
(virGlobalInit): Honor the witness.
* libvirt.spec.in (BuildRequires): Make gcrypt usage conditional,
no longer needed in Fedora 19.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
Tested with 'ldd src/.libs/libvirt.so | grep -E "(gcry|net|tls)"':
- on RHEL 6.4 and Fedora 18, pre- and post-patch remain unchanged
(use of just libgnutls/libgcrypt)
- on Fedora 19, pre-patch linked against libgnutls, libgcrypt, and
libnettle, post-patch linked against just libgnutls and libnettle
This should probably go in for 1.1.1, but it's not a build-breaker
so it needs review.
configure.ac | 27 +++++++++++++++++++++------
libvirt.spec.in | 2 ++
src/libvirt.c | 10 ++++++----
3 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/configure.ac b/configure.ac
index cc9942a..de209e2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1098,13 +1098,28 @@ if test "x$with_gnutls" != "xno"; then
AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run
libvirt])
fi
else
- dnl Not all versions of gnutls include -lgcrypt, and so we add
- dnl it explicitly for the calls to gcry_control/check_version
- GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
- dnl We're not using gcrypt deprecated features so define
- dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
- GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
+ dnl If gnutls linked against -lgcrypt, then we must initialize gcrypt
+ dnl prior to using gnutls. Newer versions of gnutls use -lnettle, in
+ dnl which case we don't want to drag in gcrypt ourselves.
+ gnutls_ldd=
+ for dir in /usr/lib64 /usr/lib /usr/lib/*-linux-gnu*; do
+ if test -f $dir/libgnutls.so; then
+ gnutls_ldd=`(ldd $dir/libgnutls.so) 2>&1`
+ break
+ fi
+ done
+ case $gnutls_ldd in
+ '' | *libgcrypt.so*)
+ GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
+ dnl We're not using gcrypt deprecated features so define
+ dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
+ GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
+ AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1,
+ [whether GNUTLS uses gcrypt])
+ ;;
+ *) ;; # Assume no gcrypt usage
+ esac
dnl gnutls 3.x moved some declarations to a new header
AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[
diff --git a/libvirt.spec.in b/libvirt.spec.in
index e0e0004..4320281 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -422,7 +422,9 @@ BuildRequires: readline-devel
BuildRequires: ncurses-devel
BuildRequires: gettext
BuildRequires: libtasn1-devel
+%if (0%{?rhel} && 0%{?rhel} < 7) || (0%{?fedora} && 0%{?fedora} <
19)
BuildRequires: libgcrypt-devel
+%endif
BuildRequires: gnutls-devel
BuildRequires: libattr-devel
%if %{with_libvirtd}
diff --git a/src/libvirt.c b/src/libvirt.c
index 444c1c3..9775b97 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -55,7 +55,9 @@
#include "intprops.h"
#include "virconf.h"
#if WITH_GNUTLS
-# include <gcrypt.h>
+# if WITH_GNUTLS_GCRYPT
+# include <gcrypt.h>
+# endif
# include "rpc/virnettlscontext.h"
#endif
#include "vircommand.h"
@@ -270,7 +272,7 @@ winsock_init(void)
#endif
-#ifdef WITH_GNUTLS
+#ifdef WITH_GNUTLS_GCRYPT
static int virTLSMutexInit(void **priv)
{
virMutexPtr lock = NULL;
@@ -323,7 +325,7 @@ static struct gcry_thread_cbs virTLSThreadImpl = {
virTLSMutexUnlock,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
};
-#endif
+#endif /* WITH_GNUTLS_GCRYPT */
/* Helper macros to implement VIR_DOMAIN_DEBUG using just C99. This
* assumes you pass fewer than 15 arguments to VIR_DOMAIN_DEBUG, but
@@ -407,7 +409,7 @@ virGlobalInit(void)
virErrorInitialize() < 0)
goto error;
-#ifdef WITH_GNUTLS
+#ifdef WITH_GNUTLS_GCRYPT
/*
* This sequence of API calls it copied exactly from
* gnutls 2.12.23 source lib/gcrypt/init.c, with
--
1.8.3.1
7:26 a.m.
On Thu, Jul 25, 2013 at 04:13:28PM -0600, Eric Blake wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=951637
Newer gnutls uses nettle, rather than gcrypt, which is a lot nicer
regarding initialization. Yet we were unconditionally initializing
gcrypt even when gnutls wouldn't be using it, and having two crypto
libraries linked into libvirt.so is pointless.
The ldd probe in configure borrows from our libnl-1 vs. libnl-3 code.
* configure.ac (WITH_GNUTLS): Probe whether to add -lgcrypt, and
define a witness WITH_GNUTLS_GCRYPT.
* src/libvirt.c (virTLSMutexInit, virTLSMutexDestroy)
(virTLSMutexLock, virTLSMutexUnlock, virTLSThreadImpl)
(virGlobalInit): Honor the witness.
* libvirt.spec.in (BuildRequires): Make gcrypt usage conditional,
no longer needed in Fedora 19.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
Tested with 'ldd src/.libs/libvirt.so | grep -E "(gcry|net|tls)"':
- on RHEL 6.4 and Fedora 18, pre- and post-patch remain unchanged
(use of just libgnutls/libgcrypt)
- on Fedora 19, pre-patch linked against libgnutls, libgcrypt, and
libnettle, post-patch linked against just libgnutls and libnettle
This should probably go in for 1.1.1, but it's not a build-breaker
so it needs review.
configure.ac | 27 +++++++++++++++++++++------
libvirt.spec.in | 2 ++
src/libvirt.c | 10 ++++++----
3 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/configure.ac b/configure.ac
index cc9942a..de209e2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1098,13 +1098,28 @@ if test "x$with_gnutls" != "xno"; then
AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run
libvirt])
fi
else
- dnl Not all versions of gnutls include -lgcrypt, and so we add
- dnl it explicitly for the calls to gcry_control/check_version
- GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
- dnl We're not using gcrypt deprecated features so define
- dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
- GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
+ dnl If gnutls linked against -lgcrypt, then we must initialize gcrypt
+ dnl prior to using gnutls. Newer versions of gnutls use -lnettle, in
+ dnl which case we don't want to drag in gcrypt ourselves.
+ gnutls_ldd=
+ for dir in /usr/lib64 /usr/lib /usr/lib/*-linux-gnu*; do
+ if test -f $dir/libgnutls.so; then
+ gnutls_ldd=`(ldd $dir/libgnutls.so) 2>&1`
+ break
+ fi
+ done
Not sure this approach to finding libgnutls.so is going to work
reliably. eg, we allow --with-gnutls=/some/dir to point to
say /usr/local, or /opt/gnutls.
Also with pkg-config, the library can be located basically
anywhere in the filesystem
Gnutls had a hard cutover point from gcrypt to nettle
in the 3.0.0 release. So could we just check the
GNUTLS_VERSION_MAJOR value >= 3 in the header ?
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
7:29 a.m.
On Fri, Jul 26, 2013 at 01:26:56PM +0100, Daniel P. Berrange wrote:
On Thu, Jul 25, 2013 at 04:13:28PM -0600, Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=951637
>
> Newer gnutls uses nettle, rather than gcrypt, which is a lot nicer
> regarding initialization. Yet we were unconditionally initializing
> gcrypt even when gnutls wouldn't be using it, and having two crypto
> libraries linked into libvirt.so is pointless.
>
> The ldd probe in configure borrows from our libnl-1 vs. libnl-3 code.
>
> * configure.ac (WITH_GNUTLS): Probe whether to add -lgcrypt, and
> define a witness WITH_GNUTLS_GCRYPT.
> * src/libvirt.c (virTLSMutexInit, virTLSMutexDestroy)
> (virTLSMutexLock, virTLSMutexUnlock, virTLSThreadImpl)
> (virGlobalInit): Honor the witness.
> * libvirt.spec.in (BuildRequires): Make gcrypt usage conditional,
> no longer needed in Fedora 19.
>
> Signed-off-by: Eric Blake <eblake(a)redhat.com>
> ---
>
> Tested with 'ldd src/.libs/libvirt.so | grep -E
"(gcry|net|tls)"':
> - on RHEL 6.4 and Fedora 18, pre- and post-patch remain unchanged
> (use of just libgnutls/libgcrypt)
> - on Fedora 19, pre-patch linked against libgnutls, libgcrypt, and
> libnettle, post-patch linked against just libgnutls and libnettle
>
> This should probably go in for 1.1.1, but it's not a build-breaker
> so it needs review.
>
> configure.ac | 27 +++++++++++++++++++++------
> libvirt.spec.in | 2 ++
> src/libvirt.c | 10 ++++++----
> 3 files changed, 29 insertions(+), 10 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index cc9942a..de209e2 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -1098,13 +1098,28 @@ if test "x$with_gnutls" != "xno"; then
> AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run
libvirt])
> fi
> else
> - dnl Not all versions of gnutls include -lgcrypt, and so we add
> - dnl it explicitly for the calls to gcry_control/check_version
> - GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
>
> - dnl We're not using gcrypt deprecated features so define
> - dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
> - GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
> + dnl If gnutls linked against -lgcrypt, then we must initialize gcrypt
> + dnl prior to using gnutls. Newer versions of gnutls use -lnettle, in
> + dnl which case we don't want to drag in gcrypt ourselves.
> + gnutls_ldd=
> + for dir in /usr/lib64 /usr/lib /usr/lib/*-linux-gnu*; do
> + if test -f $dir/libgnutls.so; then
> + gnutls_ldd=`(ldd $dir/libgnutls.so) 2>&1`
> + break
> + fi
> + done
Not sure this approach to finding libgnutls.so is going to work
reliably. eg, we allow --with-gnutls=/some/dir to point to
say /usr/local, or /opt/gnutls.
Also with pkg-config, the library can be located basically
anywhere in the filesystem
Gnutls had a hard cutover point from gcrypt to nettle
in the 3.0.0 release. So could we just check the
GNUTLS_VERSION_MAJOR value >= 3 in the header ?
Oh, actually we don't even need todo that. We can rely on pkgconfig
PKG_CHECK_MODULES(GNUTLS, gnutls >= 3.0.0,
[GNUTLS_FOUND=yes GNUTLS_NETTLE=0], [
GNUTLS_GCRYPT=1
PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED,
[GNUTLS_FOUND=yes], [GNUTLS_FOUND=no])])
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
7:34 a.m.
On 07/26/2013 06:29 AM, Daniel P. Berrange wrote:
>> This should probably go in for 1.1.1, but it's not a
build-breaker
>> so it needs review.
Glad I waited for a review.
>
> Not sure this approach to finding libgnutls.so is going to work
> reliably. eg, we allow --with-gnutls=/some/dir to point to
> say /usr/local, or /opt/gnutls.
>
> Also with pkg-config, the library can be located basically
> anywhere in the filesystem
>
> Gnutls had a hard cutover point from gcrypt to nettle
> in the 3.0.0 release. So could we just check the
> GNUTLS_VERSION_MAJOR value >= 3 in the header ?
Oh, actually we don't even need todo that. We can rely on pkgconfig
Good idea; I'll post a v2.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
4137
days inactive
4138
days old
3 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Eric Blake