On Fri, Jul 26, 2013 at 01:26:56PM +0100, Daniel P. Berrange wrote:
On Thu, Jul 25, 2013 at 04:13:28PM -0600, Eric Blake wrote:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=951637
>
> Newer gnutls uses nettle, rather than gcrypt, which is a lot nicer
> regarding initialization. Yet we were unconditionally initializing
> gcrypt even when gnutls wouldn't be using it, and having two crypto
> libraries linked into libvirt.so is pointless.
>
> The ldd probe in configure borrows from our libnl-1 vs. libnl-3 code.
>
> * configure.ac (WITH_GNUTLS): Probe whether to add -lgcrypt, and
> define a witness WITH_GNUTLS_GCRYPT.
> * src/libvirt.c (virTLSMutexInit, virTLSMutexDestroy)
> (virTLSMutexLock, virTLSMutexUnlock, virTLSThreadImpl)
> (virGlobalInit): Honor the witness.
> * libvirt.spec.in (BuildRequires): Make gcrypt usage conditional,
> no longer needed in Fedora 19.
>
> Signed-off-by: Eric Blake <eblake(a)redhat.com>
> ---
>
> Tested with 'ldd src/.libs/libvirt.so | grep -E "(gcry|net|tls)"':
> - on RHEL 6.4 and Fedora 18, pre- and post-patch remain unchanged
> (use of just libgnutls/libgcrypt)
> - on Fedora 19, pre-patch linked against libgnutls, libgcrypt, and
> libnettle, post-patch linked against just libgnutls and libnettle
>
> This should probably go in for 1.1.1, but it's not a build-breaker
> so it needs review.
>
> configure.ac | 27 +++++++++++++++++++++------
> libvirt.spec.in | 2 ++
> src/libvirt.c | 10 ++++++----
> 3 files changed, 29 insertions(+), 10 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index cc9942a..de209e2 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -1098,13 +1098,28 @@ if test "x$with_gnutls" != "xno"; then
> AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run
libvirt])
> fi
> else
> - dnl Not all versions of gnutls include -lgcrypt, and so we add
> - dnl it explicitly for the calls to gcry_control/check_version
> - GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
>
> - dnl We're not using gcrypt deprecated features so define
> - dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
> - GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
> + dnl If gnutls linked against -lgcrypt, then we must initialize gcrypt
> + dnl prior to using gnutls. Newer versions of gnutls use -lnettle, in
> + dnl which case we don't want to drag in gcrypt ourselves.
> + gnutls_ldd=
> + for dir in /usr/lib64 /usr/lib /usr/lib/*-linux-gnu*; do
> + if test -f $dir/libgnutls.so; then
> + gnutls_ldd=`(ldd $dir/libgnutls.so) 2>&1`
> + break
> + fi
> + done
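Review bot: the libgnutls.so probe in this hunk only walks /usr/lib64, /usr/lib and /usr/lib/*-linux-gnu*, so a gnutls installed under a --with-gnutls prefix or located only via pkg-config is never found, and it keys on the unversioned libgnutls.so, which is normally present only when the development package is installed; when nothing matches, gnutls_ldd is left empty and whatever later inspects it has no ldd output to work with. The `2>&1` also folds ldd's own error text into the string being inspected. Consider dropping the filesystem walk in favour of a pkg-config version test (gnutls >= 3.0.0 is the nettle era) or deriving the library directory from $GNUTLS_LIBS rather than hardcoding paths.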
Not sure this approach to finding libgnutls.so is going to work
reliably. E.g., we allow --with-gnutls=/some/dir to point to
say /usr/local, or /opt/gnutls.
Also with pkg-config, the library can be located basically
anywhere in the filesystem.
Gnutls had a hard cutover point from gcrypt to nettle
in the 3.0.0 release. So could we just check the
GNUTLS_VERSION_MAJOR value >= 3 in the header?
Oh, actually we don't even need to do that. We can rely on pkg-config:
    dnl gnutls >= 3.0.0 is built on nettle, so no gcrypt initialization is needed;
    dnl anything older still sits on gcrypt, so set the witness and retry with the
    dnl general minimum version.
    PKG_CHECK_MODULES(GNUTLS, gnutls >= 3.0.0,
                      [GNUTLS_FOUND=yes GNUTLS_GCRYPT=0], [
        GNUTLS_GCRYPT=1
        PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED,
                          [GNUTLS_FOUND=yes], [GNUTLS_FOUND=no])])
Daniel
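The version-based cutover check Daniel suggests, worked through as an added shell example (not code from the patch or from his reply): it compares the gnutls version reported by pkg-config against the 3.0.0 gcrypt-to-nettle boundary instead of probing the filesystem for libgnutls.so, and prints the witness and extra flags the gnutls block of configure.ac would append. The version argument and the variable names are assumptions for the example; pass a constructed version to run it where pkg-config cannot see gnutls.

```shell
#!/bin/sh
# Added example, not part of the libvirt patch: choose gcrypt vs nettle
# handling from the gnutls version rather than from an ldd probe.

# Return 0 if dotted version $1 is >= dotted version $2 (e.g. 2.12.23 vs 3.0.0).
# Missing trailing components count as 0, so "3" >= "3.0.0" holds.
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 0
        elif [ "${a:-0}" -lt "${b:-0}" ]; then return 1
        fi
    done
    return 0
}

# Print the witness and flags for the given gnutls version ($1); when no
# version is passed, ask pkg-config, the same source configure.ac relies on.
# gnutls >= 3.0.0 is built on nettle, so gcrypt must not be dragged in;
# older releases still need -lgcrypt and GCRYPT_NO_DEPRECATED (the flags the
# original configure.ac block set unconditionally).
gnutls_extra_flags() {
    ver=${1:-$(pkg-config --modversion gnutls 2>/dev/null)}
    [ -n "$ver" ] || return 1            # gnutls not visible at all
    if version_ge "$ver" 3.0.0; then
        echo "WITH_GNUTLS_GCRYPT=0 GNUTLS_LIBS= GNUTLS_CFLAGS="
    else
        echo "WITH_GNUTLS_GCRYPT=1 GNUTLS_LIBS=-lgcrypt GNUTLS_CFLAGS=-DGCRYPT_NO_DEPRECATED"
    fi
}

# Stand-alone demo on constructed versions: a RHEL 6-era gnutls and a 3.x one.
gnutls_extra_flags 2.12.23
gnutls_extra_flags 3.2.4
```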