[libvirt] [PATCH 0/3] Require GnuTLS

As mentioned in discussion to my PRNG patches [1] we use GnuTLS functions widely. Therefore, make GnuTLS required at build time. This enables us to drop most of #ifdef WITH_GNUTLS we have. Not all of them though because we still want libvirt-setuid-rpc-client.la to build without GnuTLS.

I should also mention that surprisingly this breaks travis. This time, it's Ubuntu that lacks new enough GnuTLS and not OSX. But after Peter's patches travis is broken anyway (on GnuTLS).

Michal Privoznik (3):
  configure: Require GnuTLS
  build: Build gnutls related sources unconditionally
  src: Drop most of #ifdef WITH_GNUTLS

 configure.ac | 2 --
 m4/virt-gnutls.m4 | 4 ---
 src/Makefile.am | 7 +----
 src/locking/lock_daemon.c | 4 ---
 src/logging/log_daemon.c | 4 ---
 src/lxc/lxc_controller.c | 2 --
 src/qemu/qemu_migration_cookie.c | 12 +++-----
 src/remote/remote_daemon.c | 23 ---------------
 src/remote/remote_daemon_dispatch.c | 2 --
 src/rpc/Makefile.inc.am | 14 ++-------
 src/rpc/virnetdaemon.h | 4 +--
 src/rpc/virnetserver.c | 6 ----
 src/rpc/virnetserver.h | 6 +---
 src/rpc/virnetserverclient.c | 57 +++----------------------------------
 src/rpc/virnetserverclient.h | 8 ------
 src/rpc/virnetserverservice.c | 24 ----------------
 src/rpc/virnetserverservice.h | 10 -------
 src/util/vircrypto.c | 43 ++--------------------------
 tests/Makefile.am | 12 ++------
 tests/qemuxml2argvtest.c | 15 ----------
 tests/vircryptotest.c | 24 +++++----------
 tests/virfilecachetest.c | 18 +++--------
 tests/virnetdaemontest.c | 8 ------
 tests/virnetserverclienttest.c | 2 --
 tests/virrandommock.c | 8 ++----
 25 files changed, 32 insertions(+), 287 deletions(-)

-- 
2.16.4

We are building with GnuTLS everywhere because GnuTLS is widely available. In addition after recent patches Libvirt relies on GnuTLS' PRNG. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- configure.ac | 2 -- m4/virt-gnutls.m4 | 4 ---- 2 files changed, 6 deletions(-) diff --git a/configure.ac b/configure.ac index 5378e49c0b..e25bf0a6ec 100644 --- a/configure.ac +++ b/configure.ac @@ -216,7 +216,6 @@ fi # RPC, we don't need several libraries. if test "$with_remote" = "no" ; then with_libvirtd=no - with_gnutls=no with_ssh2=no with_sasl=no with_libssh=no @@ -250,7 +249,6 @@ LIBVIRT_ARG_DBUS LIBVIRT_ARG_FIREWALLD LIBVIRT_ARG_FUSE LIBVIRT_ARG_GLUSTER -LIBVIRT_ARG_GNUTLS LIBVIRT_ARG_HAL LIBVIRT_ARG_LIBPCAP LIBVIRT_ARG_LIBSSH diff --git a/m4/virt-gnutls.m4 b/m4/virt-gnutls.m4 index 426a1a0348..6829ca55cf 100644 --- a/m4/virt-gnutls.m4 +++ b/m4/virt-gnutls.m4 @@ -17,10 +17,6 @@ dnl License along with this library. If not, see dnl <http://www.gnu.org/licenses/>. dnl -AC_DEFUN([LIBVIRT_ARG_GNUTLS],[ - LIBVIRT_ARG_WITH_FEATURE([GNUTLS], [gnutls], [check], [3.2.0]) -]) - AC_DEFUN([LIBVIRT_CHECK_GNUTLS],[ LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [3.2.0]) -- 2.16.4
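Review bot: removing `with_gnutls=no` from the `if test "$with_remote" = "no"` block in configure.ac means a `--without-remote` build now also fails at configure time when the gnutls pkg-config module is missing or older than the floor kept in `LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [3.2.0])`; state that, and the 3.2.0 minimum, in the commit message, since the cover letter already records that the Travis Ubuntu image does not satisfy it. With `LIBVIRT_ARG_GNUTLS` and its `LIBVIRT_ARG_WITH_FEATURE` call deleted there is also no `--with-gnutls`/`--without-gnutls` option any more, so any CI script or packaging spec still passing it will get an "unrecognized option" warning from configure; worth a mention so downstream builders know to drop it.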

On Tue, Jun 05, 2018 at 10:45:55AM +0200, Michal Privoznik wrote:
We are building with GnuTLS everywhere because GnuTLS is widely available. In addition after recent patches Libvirt relies on GnuTLS' PRNG.
This second sentence isn't true AFAIK - we still have fallback to /dev/urandom - GNUTLS is merely the first choice. Nonetheless I think it's desirable to make GNUTLS mandatory since it is on all the platforms we care about and I prefer that we can assume a good crypto impl all the time. This mostly frees us from worrying about fallback impls which have higher risk of security problems.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- configure.ac | 2 -- m4/virt-gnutls.m4 | 4 ---- 2 files changed, 6 deletions(-)
diff --git a/configure.ac b/configure.ac index 5378e49c0b..e25bf0a6ec 100644 --- a/configure.ac +++ b/configure.ac @@ -216,7 +216,6 @@ fi # RPC, we don't need several libraries. if test "$with_remote" = "no" ; then with_libvirtd=no - with_gnutls=no with_ssh2=no with_sasl=no with_libssh=no @@ -250,7 +249,6 @@ LIBVIRT_ARG_DBUS LIBVIRT_ARG_FIREWALLD LIBVIRT_ARG_FUSE LIBVIRT_ARG_GLUSTER -LIBVIRT_ARG_GNUTLS LIBVIRT_ARG_HAL LIBVIRT_ARG_LIBPCAP LIBVIRT_ARG_LIBSSH diff --git a/m4/virt-gnutls.m4 b/m4/virt-gnutls.m4 index 426a1a0348..6829ca55cf 100644 --- a/m4/virt-gnutls.m4 +++ b/m4/virt-gnutls.m4 @@ -17,10 +17,6 @@ dnl License along with this library. If not, see dnl <http://www.gnu.org/licenses/>. dnl
-AC_DEFUN([LIBVIRT_ARG_GNUTLS],[ - LIBVIRT_ARG_WITH_FEATURE([GNUTLS], [gnutls], [check], [3.2.0]) -]) - AC_DEFUN([LIBVIRT_CHECK_GNUTLS],[ LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [3.2.0])
-- 2.16.4
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 06/05/2018 11:43 AM, Daniel P. Berrangé wrote:
On Tue, Jun 05, 2018 at 10:45:55AM +0200, Michal Privoznik wrote:
We are building with GnuTLS everywhere because GnuTLS is widely available. In addition after recent patches Libvirt relies on GnuTLS' PRNG.
This second sentence isn't true AFAIK - we still have fallback to /dev/urandom - GNUTLS is merely the first choice.
Okay. But after Peter's patches we do rely on GnuTLS more than ever ;-) I'll reword and resend though. Michal
Nonetheless I think it's desirable to make GNUTLS mandatory since it is on all the platforms we care about and I prefer that we can assume a good crypto impl all the time. This mostly frees us from worrying about fallback impls which have higher risk of security problems.
Unfortunately not. Both suid and nss libs build with virhash.c which requires virRandom*(). But this is a bogus dependency and hash tables are not really used (at least in NSS module, did not bother to check for suid lib). So we need a stub for virRandom*(). Michal

On Tue, Jun 05, 2018 at 13:17:46 +0200, Michal Privoznik wrote:
On 06/05/2018 11:43 AM, Daniel P. Berrangé wrote:
On Tue, Jun 05, 2018 at 10:45:55AM +0200, Michal Privoznik wrote:
We are building with GnuTLS everywhere because GnuTLS is widely available. In addition after recent patches Libvirt relies on GnuTLS' PRNG.
This second sentence isn't true AFAIK - we still have fallback to /dev/urandom - GNUTLS is merely the first choice.
Okay. But after Peter's patches we do rely on GnuTLS more than ever ;-) I'll reword and resend though.
Not really. I just consolidated some code paths so now we actually check that gnutls is present for disks with secret. It would hit the error in a different place otherwise, this just broke the testsuite. A naive fix would be to disable those tests when gnutls is not present, but if we are going to make it always present it seems a waste of effort.

Now that GnuTLS is required these source files must be compiled in. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/Makefile.am | 7 +------ src/rpc/Makefile.inc.am | 14 ++------------ tests/Makefile.am | 12 ++---------- 3 files changed, 5 insertions(+), 28 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index b2db1e9db9..b0e2171eea 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -440,6 +440,7 @@ EXTRA_DIST += $(top_srcdir)/build-aux/augeas-gentest.pl # USED_SYM_FILES += $(srcdir)/libvirt_driver_modules.syms +USED_SYM_FILES += $(srcdir)/libvirt_gnutls.syms if WITH_LINUX USED_SYM_FILES += $(srcdir)/libvirt_linux.syms @@ -453,12 +454,6 @@ else ! WITH_SASL SYM_FILES += $(srcdir)/libvirt_sasl.syms endif ! WITH_SASL -if WITH_GNUTLS -USED_SYM_FILES += $(srcdir)/libvirt_gnutls.syms -else ! WITH_GNUTLS -SYM_FILES += $(srcdir)/libvirt_gnutls.syms -endif ! WITH_GNUTLS - if WITH_SSH2 USED_SYM_FILES += $(srcdir)/libvirt_libssh2.syms else ! WITH_SSH2 diff --git a/src/rpc/Makefile.inc.am b/src/rpc/Makefile.inc.am index 14c798d05d..b8c80528d2 100644 --- a/src/rpc/Makefile.inc.am +++ b/src/rpc/Makefile.inc.am @@ -31,6 +31,8 @@ libvirt_la_BUILT_LIBADD += \ libvirt_net_rpc_la_SOURCES = \ rpc/virnetmessage.h \ rpc/virnetmessage.c \ + rpc/virnettlscontext.h \ + rpc/virnettlscontext.c \ rpc/virnetsocket.h \ rpc/virnetsocket.c \ rpc/virkeepalive.h \ @@ -50,18 +52,6 @@ EXTRA_DIST += \ $(NULL) endif ! WITH_SSH2 -if WITH_GNUTLS -libvirt_net_rpc_la_SOURCES += \ - rpc/virnettlscontext.h \ - rpc/virnettlscontext.c \ - $(NULL) -else ! WITH_GNUTLS -EXTRA_DIST += \ - rpc/virnettlscontext.h \ - rpc/virnettlscontext.c \ - $(NULL) -endif ! WITH_GNUTLS - if WITH_SASL libvirt_net_rpc_la_SOURCES += \ rpc/virnetsaslcontext.h \ diff --git a/tests/Makefile.am b/tests/Makefile.am index 1ce3dbb50f..99c79e3208 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am 
@@ -227,10 +227,9 @@ test_programs += \ virnetsockettest \ virnetdaemontest \ virnetserverclienttest \ + virnettlscontexttest \ + virnettlssessiontest \ $(NULL) -if WITH_GNUTLS -test_programs += virnettlscontexttest virnettlssessiontest -endif WITH_GNUTLS endif WITH_REMOTE if WITH_LINUX @@ -1027,7 +1026,6 @@ virnetserverclientmock_la_SOURCES = \ virnetserverclientmock_la_LDFLAGS = $(MOCKLIBS_LDFLAGS) virnetserverclientmock_la_LIBADD = $(MOCKLIBS_LIBS) -if WITH_GNUTLS virnettlscontexttest_SOURCES = \ virnettlscontexttest.c \ virnettlshelpers.h virnettlshelpers.c \ @@ -1046,12 +1044,6 @@ virnettlssessiontest_LDADD += -ltasn1 else ! HAVE_LIBTASN1 EXTRA_DIST += pkix_asn1_tab.c endif ! HAVE_LIBTASN1 -else ! WITH_GNUTLS -EXTRA_DIST += \ - virnettlscontexttest.c virnettlssessiontest.c \ - virnettlshelpers.h virnettlshelpers.c \ - testutils.h testutils.c pkix_asn1_tab.c -endif ! WITH_GNUTLS virtimetest_SOURCES = \ virtimetest.c testutils.h testutils.c -- 2.16.4
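Review bot: the commit message says only that "these source files must be compiled in", but the hunks do two distinct things that deserve separate sentences: rpc/virnettlscontext.h and rpc/virnettlscontext.c move into `libvirt_net_rpc_la_SOURCES` unconditionally (so every libvirt build now links the TLS context code), whereas `virnettlscontexttest` and `virnettlssessiontest` are appended to `test_programs` inside the block that closes with `endif WITH_REMOTE`, so those two tests still do not build for `--without-remote`. The `! HAVE_LIBTASN1` branch that keeps `pkix_asn1_tab.c` in EXTRA_DIST is correctly retained, since the deleted `! WITH_GNUTLS` EXTRA_DIST list was the only other place that carried it.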

On Tue, Jun 05, 2018 at 10:45:56AM +0200, Michal Privoznik wrote:
Now that GnuTLS is required these source files must be compiled in.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/Makefile.am | 7 +------ src/rpc/Makefile.inc.am | 14 ++------------ tests/Makefile.am | 12 ++---------- 3 files changed, 5 insertions(+), 28 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am index b2db1e9db9..b0e2171eea 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -440,6 +440,7 @@ EXTRA_DIST += $(top_srcdir)/build-aux/augeas-gentest.pl #
USED_SYM_FILES += $(srcdir)/libvirt_driver_modules.syms +USED_SYM_FILES += $(srcdir)/libvirt_gnutls.syms
if WITH_LINUX USED_SYM_FILES += $(srcdir)/libvirt_linux.syms @@ -453,12 +454,6 @@ else ! WITH_SASL SYM_FILES += $(srcdir)/libvirt_sasl.syms endif ! WITH_SASL
-if WITH_GNUTLS -USED_SYM_FILES += $(srcdir)/libvirt_gnutls.syms -else ! WITH_GNUTLS -SYM_FILES += $(srcdir)/libvirt_gnutls.syms -endif ! WITH_GNUTLS
The libvirt_gnutls.syms file only exists because gnutls was optional, so shouldn't this just get merged into libvirt_private.syms or libvirt_rpc.syms as appropriate ?

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 06/05/2018 11:44 AM, Daniel P. Berrangé wrote:
On Tue, Jun 05, 2018 at 10:45:56AM +0200, Michal Privoznik wrote:
Now that GnuTLS is required these source files must be compiled in.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/Makefile.am | 7 +------ src/rpc/Makefile.inc.am | 14 ++------------ tests/Makefile.am | 12 ++---------- 3 files changed, 5 insertions(+), 28 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am index b2db1e9db9..b0e2171eea 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -440,6 +440,7 @@ EXTRA_DIST += $(top_srcdir)/build-aux/augeas-gentest.pl #
USED_SYM_FILES += $(srcdir)/libvirt_driver_modules.syms +USED_SYM_FILES += $(srcdir)/libvirt_gnutls.syms
if WITH_LINUX USED_SYM_FILES += $(srcdir)/libvirt_linux.syms @@ -453,12 +454,6 @@ else ! WITH_SASL SYM_FILES += $(srcdir)/libvirt_sasl.syms endif ! WITH_SASL
-if WITH_GNUTLS -USED_SYM_FILES += $(srcdir)/libvirt_gnutls.syms -else ! WITH_GNUTLS -SYM_FILES += $(srcdir)/libvirt_gnutls.syms -endif ! WITH_GNUTLS
The libvirt_gnutls.syms file only exists because gnutls was optional, so shouldn't this just get merged into libvirt_private.syms or libvirt_rpc.syms as appropriate ?
s/libvirt_rpc/libvirt_remote/ Yes, I'll send v2. Michal

Now that GnuTLS is a requirement, we can drop a lot of conditionally built code. However, not all ifdef-s can go because we still want libvirt_setuid to build without gnutls. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/locking/lock_daemon.c | 4 --- src/logging/log_daemon.c | 4 --- src/lxc/lxc_controller.c | 2 -- src/qemu/qemu_migration_cookie.c | 12 +++----- src/remote/remote_daemon.c | 23 --------------- src/remote/remote_daemon_dispatch.c | 2 -- src/rpc/virnetdaemon.h | 4 +-- src/rpc/virnetserver.c | 6 ---- src/rpc/virnetserver.h | 6 +--- src/rpc/virnetserverclient.c | 57 +++---------------------------------- src/rpc/virnetserverclient.h | 8 ------ src/rpc/virnetserverservice.c | 24 ---------------- src/rpc/virnetserverservice.h | 10 ------- src/util/vircrypto.c | 43 ++-------------------------- tests/qemuxml2argvtest.c | 15 ---------- tests/vircryptotest.c | 24 +++++----------- tests/virfilecachetest.c | 18 +++--------- tests/virnetdaemontest.c | 8 ------ tests/virnetserverclienttest.c | 2 -- tests/virrandommock.c | 8 ++---- 20 files changed, 27 insertions(+), 253 deletions(-) diff --git a/src/locking/lock_daemon.c b/src/locking/lock_daemon.c index 78c33bd29c..272d2e3ae9 100644 --- a/src/locking/lock_daemon.c +++ b/src/locking/lock_daemon.c @@ -619,9 +619,7 @@ virLockDaemonSetupNetworkingSystemD(virNetServerPtr lockSrv, virNetServerPtr adm /* Systemd passes FDs, starting immediately after stderr, * so the first FD we'll get is '3'. */ if (!(svc = virNetServerServiceNewFD(3 + i, 0, -#if WITH_GNUTLS NULL, -#endif false, 0, 1))) return -1; @@ -642,9 +640,7 @@ virLockDaemonSetupNetworkingNative(virNetServerPtr srv, const char *sock_path) VIR_DEBUG("Setting up networking natively"); if (!(svc = virNetServerServiceNewUNIX(sock_path, 0700, 0, 0, -#if WITH_GNUTLS NULL, -#endif false, 0, 1))) return -1; diff --git a/src/logging/log_daemon.c b/src/logging/log_daemon.c index 91bd9d0b90..4415a61d03 100644 --- a/src/logging/log_daemon.c 
+++ b/src/logging/log_daemon.c @@ -554,9 +554,7 @@ virLogDaemonSetupNetworkingSystemD(virNetServerPtr logSrv, virNetServerPtr admin /* Systemd passes FDs, starting immediately after stderr, * so the first FD we'll get is '3'. */ if (!(svc = virNetServerServiceNewFD(3 + i, 0, -#if WITH_GNUTLS NULL, -#endif false, 0, 1))) return -1; @@ -577,9 +575,7 @@ virLogDaemonSetupNetworkingNative(virNetServerPtr srv, const char *sock_path) VIR_DEBUG("Setting up networking natively"); if (!(svc = virNetServerServiceNewUNIX(sock_path, 0700, 0, 0, -#if WITH_GNUTLS NULL, -#endif false, 0, 1))) return -1; diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index d5636b808c..03077af1ec 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -957,9 +957,7 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl) 0700, 0, 0, -#if WITH_GNUTLS NULL, -#endif false, 0, 5))) diff --git a/src/qemu/qemu_migration_cookie.c b/src/qemu/qemu_migration_cookie.c index eca1b74d63..60df449d53 100644 --- a/src/qemu/qemu_migration_cookie.c +++ b/src/qemu/qemu_migration_cookie.c @@ -18,10 +18,8 @@ #include <config.h> -#ifdef WITH_GNUTLS -# include <gnutls/gnutls.h> -# include <gnutls/x509.h> -#endif +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> #include "locking/domain_lock.h" #include "viralloc.h" @@ -131,7 +129,6 @@ qemuMigrationCookieFree(qemuMigrationCookiePtr mig) } -#ifdef WITH_GNUTLS static char * qemuDomainExtractTLSSubject(const char *certdir) { @@ -188,7 +185,7 @@ qemuDomainExtractTLSSubject(const char *certdir) VIR_FREE(pemdata); return NULL; } -#endif + static qemuMigrationCookieGraphicsPtr qemuMigrationCookieGraphicsSpiceAlloc(virQEMUDriverPtr driver, 
@@ -212,11 +209,10 @@ qemuMigrationCookieGraphicsSpiceAlloc(virQEMUDriverPtr driver, if (!glisten || !(listenAddr = glisten->address)) listenAddr = cfg->spiceListen; -#ifdef WITH_GNUTLS if (cfg->spiceTLS && !(mig->tlsSubject = qemuDomainExtractTLSSubject(cfg->spiceTLSx509certdir))) goto error; -#endif + if (VIR_STRDUP(mig->listen, listenAddr) < 0) goto error; diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index 27377fe3bc..21ab22499d 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c @@ -375,9 +375,7 @@ daemonSetupNetworking(virNetServerPtr srv, virNetServerServicePtr svcAdm = NULL; virNetServerServicePtr svcRO = NULL; virNetServerServicePtr svcTCP = NULL; -#if WITH_GNUTLS virNetServerServicePtr svcTLS = NULL; -#endif gid_t unix_sock_gid = 0; int unix_sock_ro_mask = 0; int unix_sock_rw_mask = 0; @@ -416,9 +414,7 @@ daemonSetupNetworking(virNetServerPtr srv, unix_sock_rw_mask, unix_sock_gid, config->auth_unix_rw, -#if WITH_GNUTLS NULL, -#endif false, config->max_queued_clients, config->max_client_requests, @@ -429,9 +425,7 @@ daemonSetupNetworking(virNetServerPtr srv, unix_sock_ro_mask, unix_sock_gid, config->auth_unix_ro, -#if WITH_GNUTLS NULL, -#endif true, config->max_queued_clients, config->max_client_requests, @@ -455,9 +449,7 @@ daemonSetupNetworking(virNetServerPtr srv, unix_sock_adm_mask, unix_sock_gid, REMOTE_AUTH_NONE, -#if WITH_GNUTLS NULL, -#endif false, config->admin_max_queued_clients, config->admin_max_client_requests))) @@ -475,9 +467,7 @@ daemonSetupNetworking(virNetServerPtr srv, config->tcp_port, AF_UNSPEC, config->auth_tcp, -#if WITH_GNUTLS NULL, -#endif false, config->max_queued_clients, config->max_client_requests))) @@ -488,7 +478,6 @@ daemonSetupNetworking(virNetServerPtr srv, goto cleanup; } -#if WITH_GNUTLS if (config->listen_tls) { virNetTLSContextPtr ctxt = NULL; 
@@ -552,22 +541,12 @@ daemonSetupNetworking(virNetServerPtr srv, virObjectUnref(ctxt); } -#else - (void)privileged; - if (config->listen_tls) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("This libvirtd build does not support TLS")); - goto cleanup; - } -#endif } #if WITH_SASL if (config->auth_unix_rw == REMOTE_AUTH_SASL || (sock_path_ro && config->auth_unix_ro == REMOTE_AUTH_SASL) || -# if WITH_GNUTLS (ipsock && config->listen_tls && config->auth_tls == REMOTE_AUTH_SASL) || -# endif (ipsock && config->listen_tcp && config->auth_tcp == REMOTE_AUTH_SASL)) { saslCtxt = virNetSASLContextNewServer( (const char *const*)config->sasl_allowed_username_list); @@ -579,9 +558,7 @@ daemonSetupNetworking(virNetServerPtr srv, ret = 0; cleanup: -#if WITH_GNUTLS virObjectUnref(svcTLS); -#endif virObjectUnref(svcTCP); virObjectUnref(svcRO); virObjectUnref(svcAdm); diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c index a8a5932d71..81d0445e43 100644 --- a/src/remote/remote_daemon_dispatch.c +++ b/src/remote/remote_daemon_dispatch.c @@ -3353,7 +3353,6 @@ remoteDispatchAuthSaslInit(virNetServerPtr server ATTRIBUTE_UNUSED, if (!sasl) goto authfail; -# if WITH_GNUTLS /* Inform SASL that we've got an external SSF layer from TLS */ if (virNetServerClientHasTLSSession(client)) { int ssf; @@ -3367,7 +3366,6 @@ remoteDispatchAuthSaslInit(virNetServerPtr server ATTRIBUTE_UNUSED, if (virNetSASLSessionExtKeySize(sasl, ssf) < 0) goto authfail; } -# endif if (virNetServerClientIsSecure(client)) /* If we've got TLS or UNIX domain sock, we don't care about SSF */ diff --git a/src/rpc/virnetdaemon.h b/src/rpc/virnetdaemon.h index 6576c463b5..09ed5adf36 100644 --- a/src/rpc/virnetdaemon.h +++ b/src/rpc/virnetdaemon.h @@ -25,9 +25,7 @@ # include <signal.h> -# ifdef WITH_GNUTLS -# include "virnettlscontext.h" -# endif +# include "virnettlscontext.h" # include "virobject.h" # include "virjson.h" # include "virnetserverprogram.h" 
diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c index 5aeb188900..5c7f7dd08f 100644 --- a/src/rpc/virnetserver.c +++ b/src/rpc/virnetserver.c @@ -73,9 +73,7 @@ struct _virNetServer { int keepaliveInterval; unsigned int keepaliveCount; -#ifdef WITH_GNUTLS virNetTLSContextPtr tls; -#endif virNetServerClientPrivNew clientPrivNew; virNetServerClientPrivPreExecRestart clientPrivPreExecRestart; @@ -320,9 +318,7 @@ static int virNetServerDispatchNewClient(virNetServerServicePtr svc, virNetServerServiceGetAuth(svc), virNetServerServiceIsReadonly(svc), virNetServerServiceGetMaxRequests(svc), -#if WITH_GNUTLS virNetServerServiceGetTLSContext(svc), -#endif srv->clientPrivNew, srv->clientPrivPreExecRestart, srv->clientPrivFree, @@ -728,14 +724,12 @@ int virNetServerAddProgram(virNetServerPtr srv, return -1; } -#if WITH_GNUTLS int virNetServerSetTLSContext(virNetServerPtr srv, virNetTLSContextPtr tls) { srv->tls = virObjectRef(tls); return 0; } -#endif /** diff --git a/src/rpc/virnetserver.h b/src/rpc/virnetserver.h index a79c39fdb2..26cec43c22 100644 --- a/src/rpc/virnetserver.h +++ b/src/rpc/virnetserver.h @@ -24,9 +24,7 @@ #ifndef __VIR_NET_SERVER_H__ # define __VIR_NET_SERVER_H__ -# ifdef WITH_GNUTLS -# include "virnettlscontext.h" -# endif +# include "virnettlscontext.h" # include "virnetserverprogram.h" # include "virnetserverclient.h" # include "virnetserverservice.h" @@ -71,10 +69,8 @@ int virNetServerAddService(virNetServerPtr srv, int virNetServerAddProgram(virNetServerPtr srv, virNetServerProgramPtr prog); -# if WITH_GNUTLS int virNetServerSetTLSContext(virNetServerPtr srv, virNetTLSContextPtr tls); -# endif int virNetServerAddClient(virNetServerPtr srv, diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c index ffd4fbc5e6..97cf126f56 100644 --- a/src/rpc/virnetserverclient.c +++ b/src/rpc/virnetserverclient.c 
@@ -73,10 +73,8 @@ struct _virNetServerClient int auth; bool auth_pending; bool readonly; -#if WITH_GNUTLS virNetTLSContextPtr tlsCtxt; virNetTLSSessionPtr tls; -#endif #if WITH_SASL virNetSASLSessionPtr sasl; #endif @@ -154,18 +152,13 @@ virNetServerClientCalculateHandleMode(virNetServerClientPtr client) VIR_DEBUG("tls=%p hs=%d, rx=%p tx=%p", -#ifdef WITH_GNUTLS client->tls, client->tls ? virNetTLSSessionGetHandshakeStatus(client->tls) : -1, -#else - NULL, -1, -#endif client->rx, client->tx); if (!client->sock || client->wantClose) return 0; -#if WITH_GNUTLS if (client->tls) { switch (virNetTLSSessionGetHandshakeStatus(client->tls)) { case VIR_NET_TLS_HANDSHAKE_RECVING: @@ -182,7 +175,6 @@ virNetServerClientCalculateHandleMode(virNetServerClientPtr client) mode |= VIR_EVENT_HANDLE_WRITABLE; } } else { -#endif /* If there is a message on the rx queue, and * we're not in middle of a delayedClose, then * we're wanting more input */ @@ -193,9 +185,7 @@ virNetServerClientCalculateHandleMode(virNetServerClientPtr client) then monitor for writability on socket */ if (client->tx) mode |= VIR_EVENT_HANDLE_WRITABLE; -#if WITH_GNUTLS } -#endif VIR_DEBUG("mode=0%o", mode); return mode; } @@ -300,7 +290,6 @@ void virNetServerClientRemoveFilter(virNetServerClientPtr client, } -#ifdef WITH_GNUTLS /* Check the client's access. */ static int virNetServerClientCheckAccess(virNetServerClientPtr client) @@ -335,7 +324,7 @@ virNetServerClientCheckAccess(virNetServerClientPtr client) return 0; } -#endif + static void virNetServerClientDispatchMessage(virNetServerClientPtr client, virNetMessagePtr msg) @@ -396,9 +385,7 @@ virNetServerClientNewInternal(unsigned long long id, virNetSocketPtr sock, int auth, bool auth_pending, -#ifdef WITH_GNUTLS virNetTLSContextPtr tls, -#endif bool readonly, size_t nrequests_max, long long timestamp) 
@@ -416,9 +403,7 @@ virNetServerClientNewInternal(unsigned long long id, client->auth = auth; client->auth_pending = auth_pending; client->readonly = readonly; -#ifdef WITH_GNUTLS client->tlsCtxt = virObjectRef(tls); -#endif client->nrequests_max = nrequests_max; client->conn_time = timestamp; @@ -452,9 +437,7 @@ virNetServerClientPtr virNetServerClientNew(unsigned long long id, int auth, bool readonly, size_t nrequests_max, -#ifdef WITH_GNUTLS virNetTLSContextPtr tls, -#endif virNetServerClientPrivNew privNew, virNetServerClientPrivPreExecRestart privPreExecRestart, virFreeCallback privFree, @@ -464,13 +447,7 @@ virNetServerClientPtr virNetServerClientNew(unsigned long long id, time_t now; bool auth_pending = !virNetServerClientAuthMethodImpliesAuthenticated(auth); - VIR_DEBUG("sock=%p auth=%d tls=%p", sock, auth, -#ifdef WITH_GNUTLS - tls -#else - NULL -#endif - ); + VIR_DEBUG("sock=%p auth=%d tls=%p", sock, auth, tls); if ((now = time(NULL)) == (time_t)-1) { virReportSystemError(errno, "%s", _("failed to get current time")); @@ -478,10 +455,7 @@ virNetServerClientPtr virNetServerClientNew(unsigned long long id, } if (!(client = virNetServerClientNewInternal(id, sock, auth, auth_pending, -#ifdef WITH_GNUTLS - tls, -#endif - readonly, nrequests_max, + tls, readonly, nrequests_max, now))) return NULL; @@ -586,9 +560,7 @@ virNetServerClientPtr virNetServerClientNewPostExecRestart(virNetServerPtr srv, sock, auth, auth_pending, -#ifdef WITH_GNUTLS NULL, -#endif readonly, nrequests_max, timestamp))) { @@ -720,7 +692,6 @@ long long virNetServerClientGetTimestamp(virNetServerClientPtr client) return client->conn_time; } -#ifdef WITH_GNUTLS bool virNetServerClientHasTLSSession(virNetServerClientPtr client) { bool has; @@ -749,7 +720,6 @@ int virNetServerClientGetTLSKeySize(virNetServerClientPtr client) virObjectUnlock(client); return size; } -#endif int virNetServerClientGetFD(virNetServerClientPtr client) { 
@@ -837,13 +807,11 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client) } #endif -#if WITH_GNUTLS if (client->tls) { const char *identity = virNetTLSSessionGetX509DName(client->tls); if (virIdentitySetX509DName(ret, identity) < 0) goto error; } -#endif if (client->sock && virNetSocketGetSELinuxContext(client->sock, &seccontext) < 0) @@ -895,10 +863,8 @@ bool virNetServerClientIsSecure(virNetServerClientPtr client) { bool secure = false; virObjectLock(client); -#if WITH_GNUTLS if (client->tls) secure = true; -#endif #if WITH_SASL if (client->sasl) secure = true; @@ -1019,10 +985,8 @@ void virNetServerClientDispose(void *obj) #endif if (client->sockTimer > 0) virEventRemoveTimeout(client->sockTimer); -#if WITH_GNUTLS virObjectUnref(client->tls); virObjectUnref(client->tlsCtxt); -#endif virObjectUnref(client->sock); } @@ -1071,12 +1035,10 @@ virNetServerClientCloseLocked(virNetServerClientPtr client) if (client->sock) virNetSocketRemoveIOCallback(client->sock); -#if WITH_GNUTLS if (client->tls) { virObjectUnref(client->tls); client->tls = NULL; } -#endif client->wantClose = true; while (client->rx) { @@ -1139,13 +1101,10 @@ int virNetServerClientInit(virNetServerClientPtr client) { virObjectLock(client); -#if WITH_GNUTLS if (!client->tlsCtxt) { -#endif /* Plain socket, so prepare to read first message */ if (virNetServerClientRegisterEvent(client) < 0) goto error; -#if WITH_GNUTLS } else { int ret; @@ -1174,7 +1133,6 @@ int virNetServerClientInit(virNetServerClientPtr client) goto error; } } -#endif virObjectUnlock(client); return 0; @@ -1475,7 +1433,6 @@ virNetServerClientDispatchWrite(virNetServerClientPtr client) } -#if WITH_GNUTLS static void virNetServerClientDispatchHandshake(virNetServerClientPtr client) { @@ -1498,7 +1455,7 @@ virNetServerClientDispatchHandshake(virNetServerClientPtr client) client->wantClose = true; } } -#endif + static void virNetServerClientDispatchEvent(virNetSocketPtr sock, int events, void *opaque) 
@@ -1516,21 +1473,17 @@ virNetServerClientDispatchEvent(virNetSocketPtr sock, int events, void *opaque) if (events & (VIR_EVENT_HANDLE_WRITABLE | VIR_EVENT_HANDLE_READABLE)) { -#if WITH_GNUTLS if (client->tls && virNetTLSSessionGetHandshakeStatus(client->tls) != VIR_NET_TLS_HANDSHAKE_COMPLETE) { virNetServerClientDispatchHandshake(client); } else { -#endif if (events & VIR_EVENT_HANDLE_WRITABLE) virNetServerClientDispatchWrite(client); if (events & VIR_EVENT_HANDLE_READABLE && client->rx) msg = virNetServerClientDispatchRead(client); -#if WITH_GNUTLS } -#endif } /* NB, will get HANGUP + READABLE at same time upon @@ -1687,10 +1640,8 @@ virNetServerClientGetTransport(virNetServerClientPtr client) else ret = VIR_CLIENT_TRANS_TCP; -#ifdef WITH_GNUTLS if (client->tls) ret = VIR_CLIENT_TRANS_TLS; -#endif virObjectUnlock(client); diff --git a/src/rpc/virnetserverclient.h b/src/rpc/virnetserverclient.h index b21446eeb7..b7ff660eef 100644 --- a/src/rpc/virnetserverclient.h +++ b/src/rpc/virnetserverclient.h @@ -69,18 +69,12 @@ virNetServerClientPtr virNetServerClientNew(unsigned long long id, int auth, bool readonly, size_t nrequests_max, -# ifdef WITH_GNUTLS virNetTLSContextPtr tls, -# endif virNetServerClientPrivNew privNew, virNetServerClientPrivPreExecRestart privPreExecRestart, virFreeCallback privFree, void *privOpaque) -# ifdef WITH_GNUTLS ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(7) ATTRIBUTE_NONNULL(9); -# else - ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(6) ATTRIBUTE_NONNULL(8); -# endif virNetServerClientPtr virNetServerClientNewPostExecRestart(virNetServerPtr srv, virJSONValuePtr object, 
@@ -107,11 +101,9 @@ void virNetServerClientSetReadonly(virNetServerClientPtr client, bool readonly); unsigned long long virNetServerClientGetID(virNetServerClientPtr client); long long virNetServerClientGetTimestamp(virNetServerClientPtr client); -# ifdef WITH_GNUTLS bool virNetServerClientHasTLSSession(virNetServerClientPtr client); virNetTLSSessionPtr virNetServerClientGetTLSSession(virNetServerClientPtr client); int virNetServerClientGetTLSKeySize(virNetServerClientPtr client); -# endif # ifdef WITH_SASL bool virNetServerClientHasSASLSession(virNetServerClientPtr client); diff --git a/src/rpc/virnetserverservice.c b/src/rpc/virnetserverservice.c index 23fc23cab4..e6762366ab 100644 --- a/src/rpc/virnetserverservice.c +++ b/src/rpc/virnetserverservice.c @@ -43,9 +43,7 @@ struct _virNetServerService { bool readonly; size_t nrequests_client_max; -#if WITH_GNUTLS virNetTLSContextPtr tls; -#endif virNetServerServiceDispatchFunc dispatchFunc; void *dispatchOpaque; @@ -94,9 +92,7 @@ virNetServerServiceNewFDOrUNIX(const char *path, mode_t mask, gid_t grp, int auth, -#if WITH_GNUTLS virNetTLSContextPtr tls, -#endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max, @@ -112,9 +108,7 @@ virNetServerServiceNewFDOrUNIX(const char *path, mask, grp, auth, -#if WITH_GNUTLS tls, -#endif readonly, max_queued_clients, nrequests_client_max); @@ -128,9 +122,7 @@ virNetServerServiceNewFDOrUNIX(const char *path, */ return virNetServerServiceNewFD((*cur_fd)++, auth, -#if WITH_GNUTLS tls, -#endif readonly, max_queued_clients, nrequests_client_max); @@ -142,9 +134,7 @@ virNetServerServicePtr virNetServerServiceNewTCP(const char *nodename, const char *service, int family, int auth, -#if WITH_GNUTLS virNetTLSContextPtr tls, -#endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max) 
@@ -161,9 +151,7 @@ virNetServerServicePtr virNetServerServiceNewTCP(const char *nodename, svc->auth = auth; svc->readonly = readonly; svc->nrequests_client_max = nrequests_client_max; -#if WITH_GNUTLS svc->tls = virObjectRef(tls); -#endif if (virNetSocketNewListenTCP(nodename, service, @@ -202,9 +190,7 @@ virNetServerServicePtr virNetServerServiceNewUNIX(const char *path, mode_t mask, gid_t grp, int auth, -#if WITH_GNUTLS virNetTLSContextPtr tls, -#endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max) @@ -221,9 +207,7 @@ virNetServerServicePtr virNetServerServiceNewUNIX(const char *path, svc->auth = auth; svc->readonly = readonly; svc->nrequests_client_max = nrequests_client_max; -#if WITH_GNUTLS svc->tls = virObjectRef(tls); -#endif if (VIR_ALLOC_N(svc->socks, 1) < 0) goto error; @@ -263,9 +247,7 @@ virNetServerServicePtr virNetServerServiceNewUNIX(const char *path, virNetServerServicePtr virNetServerServiceNewFD(int fd, int auth, -#if WITH_GNUTLS virNetTLSContextPtr tls, -#endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max) @@ -282,9 +264,7 @@ virNetServerServicePtr virNetServerServiceNewFD(int fd, svc->auth = auth; svc->readonly = readonly; svc->nrequests_client_max = nrequests_client_max; -#if WITH_GNUTLS svc->tls = virObjectRef(tls); -#endif if (VIR_ALLOC_N(svc->socks, 1) < 0) goto error; @@ -469,12 +449,10 @@ size_t virNetServerServiceGetMaxRequests(virNetServerServicePtr svc) return svc->nrequests_client_max; } -#if WITH_GNUTLS virNetTLSContextPtr virNetServerServiceGetTLSContext(virNetServerServicePtr svc) { return svc->tls; } -#endif void virNetServerServiceSetDispatcher(virNetServerServicePtr svc, virNetServerServiceDispatchFunc func, @@ -494,9 +472,7 @@ void virNetServerServiceDispose(void *obj) virObjectUnref(svc->socks[i]); VIR_FREE(svc->socks); -#if WITH_GNUTLS virObjectUnref(svc->tls); -#endif } void virNetServerServiceToggle(virNetServerServicePtr svc, 
diff --git a/src/rpc/virnetserverservice.h b/src/rpc/virnetserverservice.h index 5d8c583db2..a50cb19b6d 100644 --- a/src/rpc/virnetserverservice.h +++ b/src/rpc/virnetserverservice.h @@ -41,9 +41,7 @@ virNetServerServicePtr virNetServerServiceNewFDOrUNIX(const char *path, mode_t mask, gid_t grp, int auth, -# if WITH_GNUTLS virNetTLSContextPtr tls, -# endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max, @@ -53,9 +51,7 @@ virNetServerServicePtr virNetServerServiceNewTCP(const char *nodename, const char *service, int family, int auth, -# if WITH_GNUTLS virNetTLSContextPtr tls, -# endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max); @@ -63,17 +59,13 @@ virNetServerServicePtr virNetServerServiceNewUNIX(const char *path, mode_t mask, gid_t grp, int auth, -# if WITH_GNUTLS virNetTLSContextPtr tls, -# endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max); virNetServerServicePtr virNetServerServiceNewFD(int fd, int auth, -# if WITH_GNUTLS virNetTLSContextPtr tls, -# endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max); @@ -87,9 +79,7 @@ int virNetServerServiceGetPort(virNetServerServicePtr svc); int virNetServerServiceGetAuth(virNetServerServicePtr svc); bool virNetServerServiceIsReadonly(virNetServerServicePtr svc); size_t virNetServerServiceGetMaxRequests(virNetServerServicePtr svc); -# ifdef WITH_GNUTLS virNetTLSContextPtr virNetServerServiceGetTLSContext(virNetServerServicePtr svc); -# endif void virNetServerServiceSetDispatcher(virNetServerServicePtr svc, virNetServerServiceDispatchFunc func, diff --git a/src/util/vircrypto.c b/src/util/vircrypto.c index d734ce6ad7..bdb83c5fd3 100644 --- a/src/util/vircrypto.c +++ b/src/util/vircrypto.c @@ -26,10 +26,8 @@ #include "viralloc.h" #include "virrandom.h" -#ifdef WITH_GNUTLS -# include <gnutls/gnutls.h> -# include <gnutls/crypto.h> -#endif +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> VIR_LOG_INIT("util.crypto"); 
@@ -39,7 +37,6 @@ static const char hex[] = "0123456789abcdef"; #define VIR_CRYPTO_LARGEST_DIGEST_SIZE VIR_CRYPTO_HASH_SIZE_SHA256 -#if WITH_GNUTLS struct virHashInfo { gnutls_digest_algorithm_t algorithm; @@ -74,17 +71,7 @@ virCryptoHashBuf(virCryptoHash hash, return hashinfo[hash].hashlen; } -#else -ssize_t -virCryptoHashBuf(virCryptoHash hash, - const char *input ATTRIBUTE_UNUSED, - unsigned char *output ATTRIBUTE_UNUSED) -{ - virReportError(VIR_ERR_INVALID_ARG, - _("algorithm=%d is not supported"), hash); - return -1; -} -#endif + int virCryptoHashString(virCryptoHash hash, @@ -129,11 +116,7 @@ virCryptoHaveCipher(virCryptoCipher algorithm) switch (algorithm) { case VIR_CRYPTO_CIPHER_AES256CBC: -#ifdef WITH_GNUTLS return true; -#else - return false; -#endif case VIR_CRYPTO_CIPHER_NONE: case VIR_CRYPTO_CIPHER_LAST: @@ -144,7 +127,6 @@ virCryptoHaveCipher(virCryptoCipher algorithm) } -#ifdef WITH_GNUTLS /* virCryptoEncryptDataAESgntuls: * * Performs the AES gnutls encryption @@ -295,22 +277,3 @@ virCryptoEncryptData(virCryptoCipher algorithm, _("algorithm=%d is not supported"), algorithm); return -1; } - -#else - -int -virCryptoEncryptData(virCryptoCipher algorithm, - uint8_t *enckey ATTRIBUTE_UNUSED, - size_t enckeylen ATTRIBUTE_UNUSED, - uint8_t *iv ATTRIBUTE_UNUSED, - size_t ivlen ATTRIBUTE_UNUSED, - uint8_t *data ATTRIBUTE_UNUSED, - size_t datalen ATTRIBUTE_UNUSED, - uint8_t **ciphertext ATTRIBUTE_UNUSED, - size_t *ciphertextlen ATTRIBUTE_UNUSED) -{ - virReportError(VIR_ERR_INVALID_ARG, - _("algorithm=%d is not supported"), algorithm); - return -1; -} -#endif diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 14a994523f..36bff26d33 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c 
@@ -1043,10 +1043,8 @@ mymain(void) DO_TEST("disk-drive-network-sheepdog", NONE); DO_TEST("disk-drive-network-rbd-auth", NONE); DO_TEST("disk-drive-network-source-auth", NONE); -# ifdef WITH_GNUTLS DO_TEST("disk-drive-network-rbd-auth-AES", QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_VIRTIO_SCSI); -# endif DO_TEST("disk-drive-network-rbd-ipv6", NONE); DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE); DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS); @@ -1339,17 +1337,10 @@ mymain(void) if (VIR_STRDUP_QUIET(driver.config->chardevTLSx509secretUUID, "6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea") < 0) return EXIT_FAILURE; -# ifdef WITH_GNUTLS DO_TEST("serial-tcp-tlsx509-secret-chardev", QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_DEVICE_ISA_SERIAL, QEMU_CAPS_OBJECT_TLS_CREDS_X509); -# else - DO_TEST_FAILURE("serial-tcp-tlsx509-secret-chardev", - QEMU_CAPS_OBJECT_SECRET, - QEMU_CAPS_DEVICE_ISA_SERIAL, - QEMU_CAPS_OBJECT_TLS_CREDS_X509); -# endif driver.config->chardevTLS = 0; VIR_FREE(driver.config->chardevTLSx509certdir); DO_TEST("serial-many-chardev", @@ -1653,14 +1644,10 @@ mymain(void) DO_TEST("encrypted-disk", QEMU_CAPS_QCOW2_LUKS, QEMU_CAPS_OBJECT_SECRET); DO_TEST("encrypted-disk-usage", QEMU_CAPS_QCOW2_LUKS, QEMU_CAPS_OBJECT_SECRET); -# ifdef WITH_GNUTLS DO_TEST("luks-disks", QEMU_CAPS_OBJECT_SECRET); DO_TEST("luks-disks-source", QEMU_CAPS_OBJECT_SECRET); DO_TEST_PARSE_ERROR("luks-disks-source-qcow2", QEMU_CAPS_OBJECT_SECRET); DO_TEST("luks-disks-source-qcow2", QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_QCOW2_LUKS); -# else - DO_TEST_FAILURE("luks-disks", QEMU_CAPS_OBJECT_SECRET); -# endif DO_TEST_PARSE_ERROR("luks-disk-invalid", NONE); DO_TEST_PARSE_ERROR("luks-disks-source-both", QEMU_CAPS_OBJECT_SECRET); 
@@ -2351,12 +2338,10 @@ mymain(void) DO_TEST("hostdev-scsi-virtio-iscsi-auth", QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE_SCSI_GENERIC); -# ifdef WITH_GNUTLS DO_TEST("disk-hostdev-scsi-virtio-iscsi-auth-AES", QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE_SCSI_GENERIC, QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_ISCSI_PASSWORD_SECRET); -# endif DO_TEST("hostdev-scsi-vhost-scsi-ccw", QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE_VHOST_SCSI, QEMU_CAPS_DEVICE_SCSI_GENERIC, QEMU_CAPS_CCW); diff --git a/tests/vircryptotest.c b/tests/vircryptotest.c index b6313e73ad..6841d74901 100644 --- a/tests/vircryptotest.c +++ b/tests/vircryptotest.c @@ -22,11 +22,10 @@ #include "testutils.h" -#if WITH_GNUTLS -# include "vircrypto.h" -# include "virrandom.h" +#include "vircrypto.h" +#include "virrandom.h" -# define VIR_FROM_THIS VIR_FROM_NONE +#define VIR_FROM_THIS VIR_FROM_NONE struct testCryptoHashData { virCryptoHash hash; @@ -130,7 +129,7 @@ mymain(void) 0x1b, 0x8c, 0x3f, 0x48, 0x27, 0xae, 0xb6, 0x7a}; -# define VIR_CRYPTO_HASH(h, i, o) \ +#define VIR_CRYPTO_HASH(h, i, o) \ do { \ struct testCryptoHashData data = { \ .hash = h, \ @@ -153,9 +152,9 @@ mymain(void) VIR_CRYPTO_HASH(VIR_CRYPTO_HASH_MD5, "The quick brown fox", "a2004f37730b9445670a738fa0fc9ee5"); VIR_CRYPTO_HASH(VIR_CRYPTO_HASH_SHA256, "The quick brown fox", "5cac4f980fedc3d3f1f99b4be3472c9b30d56523e632d151237ec9309048bda9"); -# undef VIR_CRYPTO_HASH +#undef VIR_CRYPTO_HASH -# define VIR_CRYPTO_ENCRYPT(a, n, i, il, c, cl) \ +#define VIR_CRYPTO_ENCRYPT(a, n, i, il, c, cl) \ do { \ struct testCryptoEncryptData data = { \ .algorithm = a, \ 
@@ -174,19 +173,10 @@ mymain(void) VIR_CRYPTO_ENCRYPT(VIR_CRYPTO_CIPHER_AES256CBC, "aes265cbc", secretdata, 7, expected_ciphertext, 16); -# undef VIR_CRYPTO_ENCRYPT +#undef VIR_CRYPTO_ENCRYPT return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; } /* Forces usage of not so random virRandomBytes */ VIR_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virrandommock.so") -#else -static int -mymain(void) -{ - return EXIT_AM_SKIP; -} - -VIR_TEST_MAIN(mymain); -#endif /* WITH_GNUTLS */ diff --git a/tests/virfilecachetest.c b/tests/virfilecachetest.c index 44386742e1..82c2286752 100644 --- a/tests/virfilecachetest.c +++ b/tests/virfilecachetest.c @@ -21,12 +21,11 @@ #include "testutils.h" -#if WITH_GNUTLS -# include "virfile.h" -# include "virfilecache.h" +#include "virfile.h" +#include "virfilecache.h" -# define VIR_FROM_THIS VIR_FROM_NONE +#define VIR_FROM_THIS VIR_FROM_NONE struct _testFileCacheObj { @@ -214,7 +213,7 @@ mymain(void) virFileCacheSetPriv(cache, &testPriv); -# define TEST_RUN(name, newData, expectData, expectSave) \ +#define TEST_RUN(name, newData, expectData, expectSave) \ do { \ testFileCacheData data = { \ cache, name, newData, expectData, expectSave \ @@ -235,12 +234,3 @@ mymain(void) } VIR_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virfilecachemock.so") -#else -static int -mymain(void) -{ - return EXIT_AM_SKIP; -} - -VIR_TEST_MAIN(mymain); -#endif /* WITH_GNUTLS */ diff --git a/tests/virnetdaemontest.c b/tests/virnetdaemontest.c index ef869b16e3..6f4957fc4c 100644 --- a/tests/virnetdaemontest.c +++ b/tests/virnetdaemontest.c @@ -117,9 +117,7 @@ testCreateServer(const char *server_name, const char *host, int family) NULL, family, VIR_NET_SERVER_SERVICE_AUTH_NONE, -# ifdef WITH_GNUTLS NULL, -# endif true, 5, 2))) @@ -129,9 +127,7 @@ testCreateServer(const char *server_name, const char *host, int family) NULL, family, VIR_NET_SERVER_SERVICE_AUTH_POLKIT, -# ifdef WITH_GNUTLS NULL, -# endif false, 25, 5))) 
@@ -152,9 +148,7 @@ testCreateServer(const char *server_name, const char *host, int family) VIR_NET_SERVER_SERVICE_AUTH_SASL, true, 15, -# ifdef WITH_GNUTLS NULL, -# endif testClientNew, testClientPreExec, testClientFree, @@ -166,9 +160,7 @@ testCreateServer(const char *server_name, const char *host, int family) VIR_NET_SERVER_SERVICE_AUTH_POLKIT, true, 66, -# ifdef WITH_GNUTLS NULL, -# endif testClientNew, testClientPreExec, testClientFree, diff --git a/tests/virnetserverclienttest.c b/tests/virnetserverclienttest.c index 1759d76630..3f801902ca 100644 --- a/tests/virnetserverclienttest.c +++ b/tests/virnetserverclienttest.c @@ -73,9 +73,7 @@ static int testIdentity(const void *opaque ATTRIBUTE_UNUSED) sv[0] = -1; if (!(client = virNetServerClientNew(1, sock, 0, false, 1, -# ifdef WITH_GNUTLS NULL, -# endif testClientNew, NULL, testClientFree, diff --git a/tests/virrandommock.c b/tests/virrandommock.c index fd1a61f673..99a55a576a 100644 --- a/tests/virrandommock.c +++ b/tests/virrandommock.c @@ -22,6 +22,9 @@ #ifndef WIN32 +# include <stdio.h> +# include <gnutls/gnutls.h> + # include "internal.h" # include "virstring.h" # include "virrandom.h" @@ -50,10 +53,6 @@ int virRandomGenerateWWN(char **wwn, } -# ifdef WITH_GNUTLS -# include <stdio.h> -# include <gnutls/gnutls.h> - static int (*real_gnutls_dh_params_generate2)(gnutls_dh_params_t dparams, unsigned int bits); @@ -87,7 +86,6 @@ gnutls_dh_params_generate2(gnutls_dh_params_t dparams, return gnutls_dh_params_cpy(dparams, params_cache); } -# endif #else /* WIN32 */ /* Can't mock on WIN32 */ #endif -- 2.16.4
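Review bot: the context line kept directly below the removed `#ifdef WITH_GNUTLS` in src/util/vircrypto.c (hunk @@ -144,7 +127,6 @@) reads `/* virCryptoEncryptDataAESgntuls:`, which misspells gnutls; since the hunk already touches this spot, correcting the comment here would be cheap, unless the function itself carries the same spelling, in which case a separate rename is the cleaner fix.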
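Review bot: in tests/virrandommock.c the `gnutls_dh_params_generate2` override and its `# include <gnutls/gnutls.h>` are now compiled unconditionally (hunks @@ -22,6 +22,9 @@ and @@ -50,10 +53,6 @@), so the preloaded virrandommock.so needs libgnutls at load time to resolve `gnutls_dh_params_cpy`. This patch's diffstat does not touch tests/Makefile.am, so please confirm the mock already links against GnuTLS earlier in the series; otherwise vircryptotest, which loads the mock through `VIR_TEST_MAIN_PRELOAD`, fails to start instead of running. With the inner `# ifdef WITH_GNUTLS` gone, the remaining `#else /* WIN32 */` now pairs only with `#ifndef WIN32`, which looks like the intended structure.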

On Tue, Jun 05, 2018 at 10:45:57AM +0200, Michal Privoznik wrote:
Now that GnuTLS is a requirement, we can drop a lot of conditionally built code. However, not all ifdef-s can go because we still want libvirt_setuid to build without gnutls.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/locking/lock_daemon.c           |  4 ---
 src/logging/log_daemon.c            |  4 ---
 src/lxc/lxc_controller.c            |  2 --
 src/qemu/qemu_migration_cookie.c    | 12 +++-----
 src/remote/remote_daemon.c          | 23 ---------------
 src/remote/remote_daemon_dispatch.c |  2 --
 src/rpc/virnetdaemon.h              |  4 +--
 src/rpc/virnetserver.c              |  6 ----
 src/rpc/virnetserver.h              |  6 +---
 src/rpc/virnetserverclient.c        | 57 +++----------------------------------
 src/rpc/virnetserverclient.h        |  8 ------
 src/rpc/virnetserverservice.c       | 24 ----------------
 src/rpc/virnetserverservice.h       | 10 -------
 src/util/vircrypto.c                | 43 ++--------------------------
 tests/qemuxml2argvtest.c            | 15 ----------
 tests/vircryptotest.c               | 24 +++++-----------
 tests/virfilecachetest.c            | 18 +++---------
 tests/virnetdaemontest.c            |  8 ------
 tests/virnetserverclienttest.c      |  2 --
 tests/virrandommock.c               |  8 ++----
 20 files changed, 27 insertions(+), 253 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Tue, 2018-06-05 at 10:45 +0200, Michal Privoznik wrote:
I should also mention that surprisingly this breaks travis. This time, it's Ubuntu that lacks new enough GnuTLS and not OSX. But after Peter's patches travis is broken anyway (on GnuTLS).
As mentioned elsewhere, I believe the way to go here is to just drop Linux builds from Travis CI. They only offer Ubuntu 14.04, which is not supported as per our support policy[1], but having it on Travis makes it de facto supported and holds us back. We can have Ubuntu 16.04 and 18.04 (actual supported platforms) builders up and running in no time in the CentOS CI environment, once we have been assigned more hardware, or at the expense of overall slower builds due to overcommitment. Either way, even taking the performance hit would IMHO be preferable to keeping 14.04 compatibility around, especially now that we finally managed to leave RHEL 6 behind.

[1] https://libvirt.org/platforms.html

--
Andrea Bolognani / Red Hat / Virtualization