[libvirt] [PATCH v2 0/5] Require GnuTLS

v2 of:

diff to v1:
- Reworded commit message of 1/3
- Broken 2/3 into three separate patches:
  1) removing WITH_GNUTLS conditional from src/
  2) removing libvirt_gnutls.syms
  3) removing WITH_GNUTLS conditional from tests/

Michal Privoznik (5):
  configure: Require GnuTLS
  src: Always build virnettlscontext into libvirt-net-rpc.la
  src: Dissolve libvirt_gnutls.syms in libvirt_remote.syms
  tests: Always build TLS related tests
  src: Drop most of #ifdef WITH_GNUTLS

 configure.ac | 2 --
 m4/virt-gnutls.m4 | 4 ---
 src/Makefile.am | 6 ----
 src/libvirt_gnutls.syms | 48 -------------------------------
 src/libvirt_remote.syms | 25 ++++++++++++++++
 src/locking/lock_daemon.c | 4 ---
 src/logging/log_daemon.c | 4 ---
 src/lxc/lxc_controller.c | 2 --
 src/qemu/qemu_migration_cookie.c | 12 +++-----
 src/remote/remote_daemon.c | 23 ---------------
 src/remote/remote_daemon_dispatch.c | 2 --
 src/rpc/Makefile.inc.am | 14 ++-------
 src/rpc/virnetdaemon.h | 4 +--
 src/rpc/virnetserver.c | 6 ----
 src/rpc/virnetserver.h | 6 +---
 src/rpc/virnetserverclient.c | 57 +++----------------------------------
 src/rpc/virnetserverclient.h | 8 ------
 src/rpc/virnetserverservice.c | 24 ----------------
 src/rpc/virnetserverservice.h | 10 -------
 src/util/vircrypto.c | 43 ++--------------------------
 tests/Makefile.am | 12 ++------
 tests/qemuxml2argvtest.c | 15 ----------
 tests/vircryptotest.c | 24 +++++----------
 tests/virfilecachetest.c | 18 +++--------
 tests/virnetdaemontest.c | 8 ------
 tests/virnetserverclienttest.c | 2 --
 tests/virrandommock.c | 8 ++----
 27 files changed, 56 insertions(+), 335 deletions(-)
 delete mode 100644 src/libvirt_gnutls.syms

-- 
2.16.4

We are building with GnuTLS everywhere because GnuTLS is widely available. Also, it is desirable to prefer cryptographically strong PRNG over "/dev/urandom" which is just a fallback. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- configure.ac | 2 -- m4/virt-gnutls.m4 | 4 ---- 2 files changed, 6 deletions(-) diff --git a/configure.ac b/configure.ac index 5378e49c0b..e25bf0a6ec 100644 --- a/configure.ac +++ b/configure.ac @@ -216,7 +216,6 @@ fi # RPC, we don't need several libraries. if test "$with_remote" = "no" ; then with_libvirtd=no - with_gnutls=no with_ssh2=no with_sasl=no with_libssh=no @@ -250,7 +249,6 @@ LIBVIRT_ARG_DBUS LIBVIRT_ARG_FIREWALLD LIBVIRT_ARG_FUSE LIBVIRT_ARG_GLUSTER -LIBVIRT_ARG_GNUTLS LIBVIRT_ARG_HAL LIBVIRT_ARG_LIBPCAP LIBVIRT_ARG_LIBSSH diff --git a/m4/virt-gnutls.m4 b/m4/virt-gnutls.m4 index 426a1a0348..6829ca55cf 100644 --- a/m4/virt-gnutls.m4 +++ b/m4/virt-gnutls.m4 @@ -17,10 +17,6 @@ dnl License along with this library. If not, see dnl <http://www.gnu.org/licenses/>. dnl -AC_DEFUN([LIBVIRT_ARG_GNUTLS],[ - LIBVIRT_ARG_WITH_FEATURE([GNUTLS], [gnutls], [check], [3.2.0]) -]) - AC_DEFUN([LIBVIRT_CHECK_GNUTLS],[ LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [3.2.0]) -- 2.16.4
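Review bot: with `- with_gnutls=no` gone from the `if test "$with_remote" = "no"` block in configure.ac, and `LIBVIRT_ARG_GNUTLS` removed, a `--without-remote` build now also hard-requires gnutls >= 3.2.0, since `LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [3.2.0])` in virt-gnutls.m4 stays in place unconditionally; the commit message only motivates this by the PRNG, so it should say explicitly that the 3.2.0 floor is intended even for builds that never set up TLS. Also, deleting the `AC_DEFUN([LIBVIRT_ARG_GNUTLS], ...)` / `LIBVIRT_ARG_WITH_FEATURE([GNUTLS], ...)` block removes the `--with-gnutls`/`--without-gnutls` configure option; packaging and CI scripts still passing it need updating, and the dropped option deserves a line in the release notes.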

On Tue, Jun 05, 2018 at 01:55:54PM +0200, Michal Privoznik wrote:
We are building with GnuTLS everywhere because GnuTLS is widely available. Also, it is desirable to prefer cryptographically strong PRNG over "/dev/urandom" which is just a fallback.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- configure.ac | 2 -- m4/virt-gnutls.m4 | 4 ---- 2 files changed, 6 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 06/05/2018 02:04 PM, Daniel P. Berrangé wrote:
On Tue, Jun 05, 2018 at 01:55:54PM +0200, Michal Privoznik wrote:
We are building with GnuTLS everywhere because GnuTLS is widely available. Also, it is desirable to prefer cryptographically strong PRNG over "/dev/urandom" which is just a fallback.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- configure.ac | 2 -- m4/virt-gnutls.m4 | 4 ---- 2 files changed, 6 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Thanks, I've pushed these. Michal

On Tue, 2018-06-05 at 14:38 +0200, Michal Privoznik wrote:
On 06/05/2018 02:04 PM, Daniel P. Berrangé wrote:
On Tue, Jun 05, 2018 at 01:55:54PM +0200, Michal Privoznik wrote:
We are building with GnuTLS everywhere because GnuTLS is widely available. Also, it is desirable to prefer cryptographically strong PRNG over "/dev/urandom" which is just a fallback.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- configure.ac | 2 -- m4/virt-gnutls.m4 | 4 ---- 2 files changed, 6 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Thanks, I've pushed these.
Well, this is awkward:

  https://ci.centos.org/view/libvirt/job/libvirt-master-build-website/124/syst...

We don't actually build libvirt on CentOS 6 anymore, just the documentation and release archives, ie. what's necessary to keep libvirt.org (which is still on that OS) running; still, after this patch the configure step will very understandably fail, and I can't imagine things going over much better on the actual live instance of the website: no nightlies[1] today, I'm afraid!

I'm likewise afraid I don't have any bright ideas on how to solve this, so any input on the matter will be very much appreciated.

[1] Assuming anyone actually uses those.

-- 
Andrea Bolognani / Red Hat / Virtualization

On Tue, Jun 05, 2018 at 06:50:53PM +0200, Andrea Bolognani wrote:
On Tue, 2018-06-05 at 14:38 +0200, Michal Privoznik wrote:
On 06/05/2018 02:04 PM, Daniel P. Berrangé wrote:
On Tue, Jun 05, 2018 at 01:55:54PM +0200, Michal Privoznik wrote:
We are building with GnuTLS everywhere because GnuTLS is widely available. Also, it is desirable to prefer cryptographically strong PRNG over "/dev/urandom" which is just a fallback.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- configure.ac | 2 -- m4/virt-gnutls.m4 | 4 ---- 2 files changed, 6 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Thanks, I've pushed these.
Well, this is awkward:
https://ci.centos.org/view/libvirt/job/libvirt-master-build-website/124/syst...
We don't actually build libvirt on CentOS 6 anymore, just the documentation and release archives, ie. what's necessary to keep libvirt.org (which is still on that OS) running; still, after this patch the configure step will very understandably fail, and I can't imagine things going over much better on the actual live instance of the website: no nightlies[1] today, I'm afraid!
I'm likewise afraid I don't have any bright ideas on how to solve this, so any input on the matter will be very much appreciated.
We can't use docker on centos6 either and believe it or not the host doesn't have hardware virt either.

I could possibly setup libvirt lxc to run the jobs though.

Regards,
Daniel

On Tue, 2018-06-05 at 18:03 +0100, Daniel P. Berrangé wrote:
We can't use docker on centos6 either and believe it or not the host doesn't have hardware virt either.
I could possibly setup libvirt lxc to run the jobs though.
I believe running build jobs on libvirt.org in a CentOS 7 container was one of the approaches I mentioned when we initially discussed dropping CentOS 6 support, so if you could make that happen it would certainly be okay with me :) -- Andrea Bolognani / Red Hat / Virtualization

On Wed, Jun 06, 2018 at 08:24:59AM +0200, Andrea Bolognani wrote:
On Tue, 2018-06-05 at 18:03 +0100, Daniel P. Berrangé wrote:
We can't use docker on centos6 either and believe it or not the host doesn't have hardware virt either.
I could possibly setup libvirt lxc to run the jobs though.
I believe running build jobs on libvirt.org in a CentOS 7 container was one of the approaches I mentioned when we initially discussed dropping CentOS 6 support, so if you could make that happen it would certainly be okay with me :)
A more radical option would be to move libvirt.org off onto openshift, but that comes with the complexity that I'd need to transparently proxy back to real libvirt.org to make /git and /sources URLs continue to work

Regards,
Daniel

On Wed, 2018-06-06 at 09:45 +0100, Daniel P. Berrangé wrote:
On Wed, Jun 06, 2018 at 08:24:59AM +0200, Andrea Bolognani wrote:
On Tue, 2018-06-05 at 18:03 +0100, Daniel P. Berrangé wrote:
We can't use docker on centos6 either and believe it or not the host doesn't have hardware virt either.
I could possibly setup libvirt lxc to run the jobs though.
I believe running build jobs on libvirt.org in a CentOS 7 container was one of the approaches I mentioned when we initially discussed dropping CentOS 6 support, so if you could make that happen it would certainly be okay with me :)
A more radical option would be to move libvirt.org off onto openshift, but that comes with the complexity that I'd need to transparently proxy back to real libvirt.org to make /git and /sources URLs continue to work
As long as we need to keep the current box running any part of libvirt.org, that looks like it would only increase complexity.

The lxc route sounds like a decent stop-gap measure until either the current box is upgraded or everything is moved off to a new box running CentOS 7, whenever that might be.

Either way it seems pretty clear that we're not going to take back making GnuTLS mandatory (nor do I think we should), so the CI job running on CentOS 6 is entirely useless now. I'll post patches to get rid of it.

-- 
Andrea Bolognani / Red Hat / Virtualization

On Wed, Jun 06, 2018 at 11:44:37 +0200, Andrea Bolognani wrote:
On Wed, 2018-06-06 at 09:45 +0100, Daniel P. Berrangé wrote:
On Wed, Jun 06, 2018 at 08:24:59AM +0200, Andrea Bolognani wrote:
On Tue, 2018-06-05 at 18:03 +0100, Daniel P. Berrangé wrote:
We can't use docker on centos6 either and believe it or not the host doesn't have hardware virt either.
I could possibly setup libvirt lxc to run the jobs though.
I believe running build jobs on libvirt.org in a CentOS 7 container was one of the approaches I mentioned when we initially discussed dropping CentOS 6 support, so if you could make that happen it would certainly be okay with me :)
A more radical option would be to move libvirt.org off onto openshift, but that comes with the complexity that I'd need to transparently proxy back to real libvirt.org to make /git and /sources URLs continue to work
As long as we need to keep the current box running any part of libvirt.org, that looks like it would only increase complexity.
The lxc route sounds like a decent stop-gap measure until either the current box is upgraded or everything is moved off to a new box running CentOS 7, whenever that might be.
Well, so we need to be able to run configure so that we can create makefiles which build the docs.

If we extract the steps to build the docs from makefile into a standalone script called by the makefile we still can build the web without the need to configure everything.

Doing containers and stuff seems to be quite a waste just to process some html files.

On Wed, 2018-06-06 at 11:54 +0200, Peter Krempa wrote:
Well, so we need to be able to run configure so that we can create makefiles which build the docs.
If we extract the steps to build the docs from makefile into a standalone script called by the makefile we still can build the web without the need to configure everything.
Doing containers and stuff seems to be quite a waste just to process some html files.
We also need to be able to run 'make dist' in order to produce nightly snapshots. Whether those are actually useful to anyone in $currentyear is of course up for debate, but as long as we need to produce them then we can't really get away with a standalone script. -- Andrea Bolognani / Red Hat / Virtualization

On Wed, Jun 06, 2018 at 12:05:28PM +0200, Andrea Bolognani wrote:
On Wed, 2018-06-06 at 11:54 +0200, Peter Krempa wrote:
Well, so we need to be able to run configure so that we can create makefiles which build the docs.
If we extract the steps to build the docs from makefile into a standalone script called by the makefile we still can build the web without the need to configure everything.
Doing containers and stuff seems to be quite a waste just to process some html files.
We also need to be able to run 'make dist' in order to produce nightly snapshots.
Whether those are actually useful to anyone in $currentyear is of course up for debate, but as long as we need to produce them then we can't really get away with a standalone script.
We could perhaps just utilize jenkins for creating the nightly snapshots ? IIUC, you can publish artifacts from builds, so we could have a job building a dist and publish that.

Even without the GnuTLS/CentOS6 problem I think using jenkins would be a better approach than a cronjob shell script, as we know exactly what environment we'd be creating the dist in.

Regards,
Daniel

On Wed, 2018-06-06 at 11:20 +0100, Daniel P. Berrangé wrote:
On Wed, Jun 06, 2018 at 12:05:28PM +0200, Andrea Bolognani wrote:
We also need to be able to run 'make dist' in order to produce nightly snapshots.
Whether those are actually useful to anyone in $currentyear is of course up for debate, but as long as we need to produce them then we can't really get away with a standalone script.
We could perhaps just utilize jenkins for creating the nightly snapshots ? IIUC, you can publish artifacts from builds, so we could have a job building a dist and publish that. Even without the GnuTLS/CentOS6 problem I think using jenkins would be a better approach than a cronjob shell script, as we know exactly what environment we'd be creating the dist in.
So we'd have a cron task on libvirt.org fetching the latest archive from Jenkins every hour? Or would we just point people to Jenkins directly? Either looks feasible, but the latter would cause the URL to change.

Note that we're currently only publishing hourly snapshots for libvirt itself, not for any of the dozen plus projects that are hosted on libvirt.org alongside it. Doesn't that kinda show that they're not that useful after all? Do we have download statistics proving people actually care about them?

-- 
Andrea Bolognani / Red Hat / Virtualization

On Wed, Jun 06, 2018 at 11:54:41AM +0200, Peter Krempa wrote:
On Wed, Jun 06, 2018 at 11:44:37 +0200, Andrea Bolognani wrote:
On Wed, 2018-06-06 at 09:45 +0100, Daniel P. Berrangé wrote:
On Wed, Jun 06, 2018 at 08:24:59AM +0200, Andrea Bolognani wrote:
On Tue, 2018-06-05 at 18:03 +0100, Daniel P. Berrangé wrote:
We can't use docker on centos6 either and believe it or not the host doesn't have hardware virt either.
I could possibly setup libvirt lxc to run the jobs though.
I believe running build jobs on libvirt.org in a CentOS 7 container was one of the approaches I mentioned when we initially discussed dropping CentOS 6 support, so if you could make that happen it would certainly be okay with me :)
A more radical option would be to move libvirt.org off onto openshift, but that comes with the complexity that I'd need to transparently proxy back to real libvirt.org to make /git and /sources URLs continue to work
As long as we need to keep the current box running any part of libvirt.org, that looks like it would only increase complexity.
The lxc route sounds like a decent stop-gap measure until either the current box is upgraded or everything is moved off to a new box running CentOS 7, whenever that might be.
Well, so we need to be able to run configure so that we can create makefiles which build the docs.
If we extract the steps to build the docs from makefile into a standalone script called by the makefile we still can build the web without the need to configure everything.
Yeah, we could try to create a separate Makefile.inc that holds the website build pieces, and include that from the main automake generated Makefile.

Regards,
Daniel

On Wed, 2018-06-06 at 11:21 +0100, Daniel P. Berrangé wrote:
On Wed, Jun 06, 2018 at 11:54:41AM +0200, Peter Krempa wrote:
If we extract the steps to build the docs from makefile into a standalone script called by the makefile we still can build the web without the need to configure everything.
Yeah, we could try to create a separate Makefile.inc that holds the website build pieces, and include that from the main automake generated Makefile.
We'd lose the ability to use autotools features, though.

Another thing to keep in mind is that moving the website build to a CentOS 7 container would allow us to remove the last remnants of CentOS 6 support from libvirt-jenkins-ci.git and delete the corresponding virtual machine from the CentOS CI environment, freeing up resources for other tasks.

-- 
Andrea Bolognani / Red Hat / Virtualization

On Wed, 2018-06-06 at 12:45 +0200, Andrea Bolognani wrote:
Another thing to keep in mind is that moving the website build to a CentOS 7 container would allow us to remove the last remnants of CentOS 6 support from libvirt-jenkins-ci.git and delete the corresponding virtual machine from the CentOS CI environment, freeing up resources for other tasks.
I've started building Docker containers with all libvirt build dependencies already installed[1], mainly for use in Travis CI; the CentOS 7 container could easily be used to also solve the issue at hand.

I've already tried building libvirt inside said container on a CentOS 6 host running Docker from EPEL without encountering any issue; all that's left to do is install Docker on libvirt.org and script the integration, which shouldn't be too difficult.

Does that sound like a sensible way forward?

[1] https://www.redhat.com/archives/libvir-list/2018-June/msg00920.html

-- 
Andrea Bolognani / Red Hat / Virtualization

On Tue, Jun 12, 2018 at 12:24:14PM +0200, Andrea Bolognani wrote:
On Wed, 2018-06-06 at 12:45 +0200, Andrea Bolognani wrote:
Another thing to keep in mind is that moving the website build to a CentOS 7 container would allow us to remove the last remnants of CentOS 6 support from libvirt-jenkins-ci.git and delete the corresponding virtual machine from the CentOS CI environment, freeing up resources for other tasks.
I've started building Docker containers with all libvirt build dependencies already installed[1], mainly for use in Travis CI; the CentOS 7 container could easily be used to also solve the issue at hand.
I've already tried building libvirt inside said container on a CentOS 6 host running Docker from EPEL without encountering any issue; all that's left to do is install Docker on libvirt.org and script the integration, which shouldn't be too difficult.
Does that sound like a sensible way forward?
AFAIK, Docker is explicitly unsupported on CentOS 6 now.

  https://github.com/moby/moby/issues/14365

I was actually intending to take a simpler approach - just compile a newer gnutls into /opt and let the website build use that.

Regards,
Daniel

On Tue, 2018-06-12 at 11:41 +0100, Daniel P. Berrangé wrote:
On Tue, Jun 12, 2018 at 12:24:14PM +0200, Andrea Bolognani wrote:
I've started building Docker containers with all libvirt build dependencies already installed[1], mainly for use in Travis CI; the CentOS 7 container could easily be used to also solve the issue at hand.
I've already tried building libvirt inside said container on a CentOS 6 host running Docker from EPEL without encountering any issue; all that's left to do is install Docker on libvirt.org and script the integration, which shouldn't be too difficult.
Does that sound like a sensible way forward?
AFAIK, Docker is explicitly unsupported on CentOS 6 now.
Yeah, the Docker version available in CentOS 6 EPEL is fairly old and I doubt it's getting a lot of updates these days.

That said, we would be using it exclusively with images we've crafted ourselves starting from official (and thus arguably trustworthy) base images, and only to run build jobs locally, so I'm not sure there's much to be concerned about security-wise.
I was actually intending to take a simpler approach - just compile a newer gnutls into /opt and let the website build use that.
Sure, that would probably do the trick as far as libvirt.org itself is concerned; however, we would not only have to keep CentOS 6 around in the CentOS CI environment, but also figure out a way to reproduce the same hack there if we want to make sure changes in libvirt don't accidentally break building the website.

That doesn't sound too attractive overall, and more specifically I'm not sure it would be much better than running an unsupported Docker version.

-- 
Andrea Bolognani / Red Hat / Virtualization

On Tue, Jun 12, 2018 at 01:26:05PM +0200, Andrea Bolognani wrote:
On Tue, 2018-06-12 at 11:41 +0100, Daniel P. Berrangé wrote:
On Tue, Jun 12, 2018 at 12:24:14PM +0200, Andrea Bolognani wrote:
I've started building Docker containers with all libvirt build dependencies already installed[1], mainly for use in Travis CI; the CentOS 7 container could easily be used to also solve the issue at hand.
I've already tried building libvirt inside said container on a CentOS 6 host running Docker from EPEL without encountering any issue; all that's left to do is install Docker on libvirt.org and script the integration, which shouldn't be too difficult.
Does that sound like a sensible way forward?
AFAIK, Docker is explicitly unsupported on CentOS 6 now.
Yeah, the Docker version available in CentOS 6 EPEL is fairly old and I doubt it's getting a lot of updates these days.
That said, we would be using it exclusively with images we've crafted ourselves starting from official (and thus arguably trustworthy) base images, and only to run build jobs locally, so I'm not sure there's much to be concerned about security-wise.
I was actually intending to take a simpler approach - just compile a newer gnutls into /opt and let the website build use that.
Sure, that would probably do the trick as far as libvirt.org itself is concerned; however, we would not only have to keep CentOS 6 around in the CentOS CI environment, but also figure out a way to reproduce the same hack there if we want to make sure changes in libvirt don't accidentally break building the website.
I'd just drop the CI job and we'll deal with problems with the website build if and when we find them

Regards,
Daniel

On Tue, 2018-06-12 at 13:22 +0100, Daniel P. Berrangé wrote:
On Tue, Jun 12, 2018 at 01:26:05PM +0200, Andrea Bolognani wrote:
I was actually intending to take a simpler approach - just compile a newer gnutls into /opt and let the website build use that.
Sure, that would probably do the trick as far as libvirt.org itself is concerned; however, we would not only have to keep CentOS 6 around in the CentOS CI environment, but also figure out a way to reproduce the same hack there if we want to make sure changes in libvirt don't accidentally break building the website.
I'd just drop the CI job and we'll deal with problems with the website build if and when we find them
In that case, going for the local GnuTLS build on libvirt.org is perfectly fine with me. -- Andrea Bolognani / Red Hat / Virtualization
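The "newer GnuTLS in /opt" approach agreed on above, as an added example; this is not libvirt's own build script and was not posted in the thread. It assumes a hypothetical prefix /opt/gnutls and an unpacked GnuTLS source tree in $GNUTLS_SRC. The version check mirrors what configure asks pkg-config for once PKG_CONFIG_PATH points at the prefix (gnutls >= 3.2.0 after this series), but it is done in plain shell by reading gnutls.pc, so an unsuitable install can be caught before configure is run. The comparison is generic for any dotted version, not just 3.2.0.

```shell
#!/bin/sh
# Added example, not libvirt's own build scripts. Satisfies libvirt's
# unconditional gnutls >= 3.2.0 configure check with a privately built
# GnuTLS. The prefix /opt/gnutls and the source tree location are
# assumptions (hypothetical paths); adjust them for the real host.
set -eu

GNUTLS_PREFIX="${GNUTLS_PREFIX:-/opt/gnutls}"
GNUTLS_SRC="${GNUTLS_SRC:-$HOME/src/gnutls}"
GNUTLS_MIN="3.2.0"

# version_ge HAVE WANT: returns 0 if HAVE >= WANT, 1 otherwise.
# Compares dotted versions numerically, component by component, so that
# 3.10.0 >= 3.2.0 holds where a string compare would not. ".0.0" is
# appended so missing components count as 0, and non-digit suffixes
# such as "3.6.5a" are ignored.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$1.0.0" | cut -d. -f"$i" | tr -cd '0-9')
        b=$(printf '%s\n' "$2.0.0" | cut -d. -f"$i" | tr -cd '0-9')
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# gnutls_prefix_ok PREFIX: returns 0 if PREFIX/lib/pkgconfig/gnutls.pc
# exists and its "Version:" line meets GNUTLS_MIN. This is the question
# configure's pkg-config check asks once PKG_CONFIG_PATH names the prefix.
gnutls_prefix_ok() {
    pc="$1/lib/pkgconfig/gnutls.pc"
    [ -r "$pc" ] || return 1
    ver=$(sed -n 's/^Version:[[:space:]]*//p' "$pc")
    [ -n "$ver" ] || return 1
    version_ge "$ver" "$GNUTLS_MIN"
}

if [ "${1-}" = build ]; then
    # Build the private GnuTLS. Its own dependencies (nettle, libtasn1, ...)
    # may need the same treatment on an old host; that is not shown here.
    (cd "$GNUTLS_SRC" && ./configure --prefix="$GNUTLS_PREFIX" && make && make install)
    gnutls_prefix_ok "$GNUTLS_PREFIX" || {
        echo "GnuTLS in $GNUTLS_PREFIX is missing or older than $GNUTLS_MIN" >&2
        exit 1
    }

    # Point libvirt's configure (through pkg-config) and the linker at the
    # private copy; run this from a libvirt source tree. The rpath keeps
    # helpers built during "make dist" runnable without LD_LIBRARY_PATH.
    PKG_CONFIG_PATH="$GNUTLS_PREFIX/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" \
    LDFLAGS="-Wl,-rpath,$GNUTLS_PREFIX/lib ${LDFLAGS-}" \
        ./configure
    make -C docs && make dist
fi
```

Invoked with `build` it performs the GnuTLS build, the check and the libvirt configure; without arguments it only defines the two helpers, so they can be sourced and used by a website build job on their own.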

On 06/06/2018 11:44 AM, Andrea Bolognani wrote:
On Wed, 2018-06-06 at 09:45 +0100, Daniel P. Berrangé wrote:
On Wed, Jun 06, 2018 at 08:24:59AM +0200, Andrea Bolognani wrote:
On Tue, 2018-06-05 at 18:03 +0100, Daniel P. Berrangé wrote:
We can't use docker on centos6 either and believe it or not the host doesn't have hardware virt either.
I could possibly setup libvirt lxc to run the jobs though.
I believe running build jobs on libvirt.org in a CentOS 7 container was one of the approaches I mentioned when we initially discussed dropping CentOS 6 support, so if you could make that happen it would certainly be okay with me :)
A more radical option would be to move libvirt.org off onto openshift, but that comes with the complexity that I'd need to transparently proxy back to real libvirt.org to make /git and /sources URLs continue to work
As long as we need to keep the current box running any part of libvirt.org, that looks like it would only increase complexity.
The lxc route sounds like a decent stop-gap measure until either the current box is upgraded or everything is moved off to a new box running CentOS 7, whenever that might be.
I think this is actually the right solution. To either upgrade old box to CentOS 7 or to move to new box running it.

Another idea that I had was to not require GnuTLS-3.2.0 every time. I mean, what are the reasons we want GnuTLS? For better TLS in general (where it makes sense to require 3.2.0 or newer) and for PRNG (where 1.2.0 or what is it that CentOS 6 has is sufficient). So what I am suggesting is loosen the minimal requirement to whatever version CentOS 6 has unless remote/qemu drivers are built in which case 3.2.0 or newer is required.

Michal

On Wed, 2018-06-06 at 12:51 +0200, Michal Privoznik wrote:
On 06/06/2018 11:44 AM, Andrea Bolognani wrote:
The lxc route sounds like a decent stop-gap measure until either the current box is upgraded or everything is moved off to a new box running CentOS 7, whenever that might be.
I think this is actually the right solution. To either upgrade old box to CentOS 7 or to move to new box running it.
Of course it is. We're talking stop-gap measures here :)
Another idea that I had was to not require GnuTLS-3.2.0 every time. I mean, what are the reasons we want GnuTLS? For better TLS in general (where it makes sense to require 3.2.0 or newer) and for PRNG (where 1.2.0 or what is it that CentOS 6 has is sufficient). So what I am suggesting is loosen the minimal requirement to whatever version CentOS 6 has unless remote/qemu drivers are built in which case 3.2.0 or newer is required.
If that doesn't end up looking *too* disgusting it's certainly a possibility. I still like the container route better because, as mentioned elsewhere in the thread, it would allow us to drop CentOS 6 entirely from the CI environment.

-- 
Andrea Bolognani / Red Hat / Virtualization

Since GnuTLS is required there is no way to go with !WITH_GNUTLS branch and just distribute these files. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/libvirt_gnutls.syms | 17 ----------------- src/libvirt_remote.syms | 17 +++++++++++++++++ src/rpc/Makefile.inc.am | 14 ++------------ 3 files changed, 19 insertions(+), 29 deletions(-) diff --git a/src/libvirt_gnutls.syms b/src/libvirt_gnutls.syms index 6eb674101f..1adf3af164 100644 --- a/src/libvirt_gnutls.syms +++ b/src/libvirt_gnutls.syms @@ -25,23 +25,6 @@ virNetServerServiceGetTLSContext; virNetSocketSetTLSSession; -# rpc/virnettlscontext.h -virNetTLSContextCheckCertificate; -virNetTLSContextNewClient; -virNetTLSContextNewClientPath; -virNetTLSContextNewServer; -virNetTLSContextNewServerPath; -virNetTLSInit; -virNetTLSSessionGetHandshakeStatus; -virNetTLSSessionGetKeySize; -virNetTLSSessionGetX509DName; -virNetTLSSessionHandshake; -virNetTLSSessionNew; -virNetTLSSessionRead; -virNetTLSSessionSetIOCallbacks; -virNetTLSSessionWrite; - - # Let emacs know we want case-insensitive sorting # Local Variables: # sort-fold-case: t diff --git a/src/libvirt_remote.syms b/src/libvirt_remote.syms index 97e22275b9..cab93ab27f 100644 --- a/src/libvirt_remote.syms +++ b/src/libvirt_remote.syms @@ -257,6 +257,23 @@ virNetSocketUpdateIOCallback; virNetSocketWrite; +# rpc/virnettlscontext.h +virNetTLSContextCheckCertificate; +virNetTLSContextNewClient; +virNetTLSContextNewClientPath; +virNetTLSContextNewServer; +virNetTLSContextNewServerPath; +virNetTLSInit; +virNetTLSSessionGetHandshakeStatus; +virNetTLSSessionGetKeySize; +virNetTLSSessionGetX509DName; +virNetTLSSessionHandshake; +virNetTLSSessionNew; +virNetTLSSessionRead; +virNetTLSSessionSetIOCallbacks; +virNetTLSSessionWrite; + + # Let emacs know we want case-insensitive sorting # Local Variables: # sort-fold-case: t diff --git a/src/rpc/Makefile.inc.am b/src/rpc/Makefile.inc.am index 14c798d05d..b8c80528d2 100644 --- a/src/rpc/Makefile.inc.am 
+++ b/src/rpc/Makefile.inc.am @@ -31,6 +31,8 @@ libvirt_la_BUILT_LIBADD += \ libvirt_net_rpc_la_SOURCES = \ rpc/virnetmessage.h \ rpc/virnetmessage.c \ + rpc/virnettlscontext.h \ + rpc/virnettlscontext.c \ rpc/virnetsocket.h \ rpc/virnetsocket.c \ rpc/virkeepalive.h \ @@ -50,18 +52,6 @@ EXTRA_DIST += \ $(NULL) endif ! WITH_SSH2 -if WITH_GNUTLS -libvirt_net_rpc_la_SOURCES += \ - rpc/virnettlscontext.h \ - rpc/virnettlscontext.c \ - $(NULL) -else ! WITH_GNUTLS -EXTRA_DIST += \ - rpc/virnettlscontext.h \ - rpc/virnettlscontext.c \ - $(NULL) -endif ! WITH_GNUTLS - if WITH_SASL libvirt_net_rpc_la_SOURCES += \ rpc/virnetsaslcontext.h \ -- 2.16.4
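Review bot: the Makefile.inc.am hunk makes rpc/virnettlscontext.c an unconditional member of libvirt_net_rpc_la_SOURCES, but the libvirt_net_rpc_la CFLAGS/LIBADD lines that pull in GNUTLS_CFLAGS/GNUTLS_LIBS are outside the hunk; if those are still wrapped in `if WITH_GNUTLS`, they should be unwrapped here (or in 5/5) so the rpc library is not left half converted. The syms move looks right: the `# rpc/virnettlscontext.h` section lands after `virNetSocketWrite;` in libvirt_remote.syms, which keeps the header-name ordering. Minor wording in the commit message: "there is no way to go with !WITH_GNUTLS branch and just distribute these files" reads more clearly as "the !WITH_GNUTLS branch, which only distributed these files via EXTRA_DIST, can no longer be taken".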

On Tue, Jun 05, 2018 at 01:55:55PM +0200, Michal Privoznik wrote:
Since GnuTLS is required there is no way to go with !WITH_GNUTLS branch and just distribute these files.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/libvirt_gnutls.syms | 17 ----------------- src/libvirt_remote.syms | 17 +++++++++++++++++ src/rpc/Makefile.inc.am | 14 ++------------ 3 files changed, 19 insertions(+), 29 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel

Now that GnuTLS is required these symbols are going to be present all the time. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/Makefile.am | 6 ------ src/libvirt_gnutls.syms | 31 ------------------------------- src/libvirt_remote.syms | 8 ++++++++ 3 files changed, 8 insertions(+), 37 deletions(-) delete mode 100644 src/libvirt_gnutls.syms diff --git a/src/Makefile.am b/src/Makefile.am index b2db1e9db9..db8c8ebd1a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -453,12 +453,6 @@ else ! WITH_SASL SYM_FILES += $(srcdir)/libvirt_sasl.syms endif ! WITH_SASL -if WITH_GNUTLS -USED_SYM_FILES += $(srcdir)/libvirt_gnutls.syms -else ! WITH_GNUTLS -SYM_FILES += $(srcdir)/libvirt_gnutls.syms -endif ! WITH_GNUTLS - if WITH_SSH2 USED_SYM_FILES += $(srcdir)/libvirt_libssh2.syms else ! WITH_SSH2 diff --git a/src/libvirt_gnutls.syms b/src/libvirt_gnutls.syms deleted file mode 100644 index 1adf3af164..0000000000 --- a/src/libvirt_gnutls.syms +++ /dev/null @@ -1,31 +0,0 @@ -# -# GNUTLS-specific symbols -# - -# rpc/virnetclient.h -virNetClientGetTLSKeySize; -virNetClientSetTLSSession; - - -# rpc/virnetserver.h -virNetServerSetTLSContext; - - -# rpc/virnetserverclient.h -virNetServerClientGetTLSKeySize; -virNetServerClientGetTLSSession; -virNetServerClientHasTLSSession; - - -# rpc/virnetserverservice.h -virNetServerServiceGetTLSContext; - - -# rpc/virnetsocket.h -virNetSocketSetTLSSession; - - -# Let emacs know we want case-insensitive sorting -# Local Variables: -# sort-fold-case: t -# End: diff --git a/src/libvirt_remote.syms b/src/libvirt_remote.syms index cab93ab27f..9a33626ec6 100644 --- a/src/libvirt_remote.syms +++ b/src/libvirt_remote.syms @@ -20,6 +20,7 @@ virNetClientAddStream; virNetClientClose; virNetClientDupFD; virNetClientGetFD; +virNetClientGetTLSKeySize; virNetClientHasPassFD; virNetClientIsEncrypted; virNetClientIsOpen; 
@@ -41,6 +42,7 @@ virNetClientSendNoReply; virNetClientSendWithReply; virNetClientSendWithReplyStream; virNetClientSetCloseCallback; +virNetClientSetTLSSession; # rpc/virnetclientprogram.h @@ -130,6 +132,7 @@ virNetServerProcessClients; virNetServerSetClientAuthenticated; virNetServerSetClientLimits; virNetServerSetThreadPoolParameters; +virNetServerSetTLSContext; virNetServerStart; virNetServerUpdateServices; @@ -148,8 +151,11 @@ virNetServerClientGetPrivateData; virNetServerClientGetReadonly; virNetServerClientGetSELinuxContext; virNetServerClientGetTimestamp; +virNetServerClientGetTLSKeySize; +virNetServerClientGetTLSSession; virNetServerClientGetTransport; virNetServerClientGetUNIXIdentity; +virNetServerClientHasTLSSession; virNetServerClientImmediateClose; virNetServerClientInit; virNetServerClientInitKeepAlive; @@ -207,6 +213,7 @@ virNetServerServiceClose; virNetServerServiceGetAuth; virNetServerServiceGetMaxRequests; virNetServerServiceGetPort; +virNetServerServiceGetTLSContext; virNetServerServiceIsReadonly; virNetServerServiceNewFD; virNetServerServiceNewFDOrUNIX; @@ -253,6 +260,7 @@ virNetSocketRemoteAddrStringURI; virNetSocketRemoveIOCallback; virNetSocketSendFD; virNetSocketSetBlocking; +virNetSocketSetTLSSession; virNetSocketUpdateIOCallback; virNetSocketWrite; -- 2.16.4
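Review bot: the src/Makefile.am hunk removes both the USED_SYM_FILES and the SYM_FILES reference to libvirt_gnutls.syms, which is right since the file is deleted in the same patch, but any other mention of that filename left under src/ would now break `make dist`; a `git grep libvirt_gnutls.syms` before pushing confirms the deletion is complete. The neighbouring SASL and SSH2 blocks keep the `if WITH_X / else ! WITH_X / endif` pattern, so the remaining structure of the file is unchanged.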
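Review bot: all eight symbols moved out of the deleted libvirt_gnutls.syms land in their existing `# rpc/...` sections of libvirt_remote.syms in case-insensitive sorted order (for example virNetServerClientGetTimestamp, then the new virNetServerClientGetTLSKeySize and virNetServerClientGetTLSSession, then virNetServerClientGetTransport), which matches the `sort-fold-case: t` convention the deleted file declared in its trailer, so the symbol-file sort check should keep passing. It would be worth one sentence in the commit message that these TLS entry points are now exported in every build that uses libvirt_remote.syms rather than only in a GnuTLS-enabled one, since that is the visible ABI consequence of the move.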

On Tue, Jun 05, 2018 at 01:55:56PM +0200, Michal Privoznik wrote:
> Now that GnuTLS is required these symbols are going to be present all the time.
>
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  src/Makefile.am         |  6 ------
>  src/libvirt_gnutls.syms | 31 -------------------------------
>  src/libvirt_remote.syms |  8 ++++++++
>  3 files changed, 8 insertions(+), 37 deletions(-)
>  delete mode 100644 src/libvirt_gnutls.syms
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Since GnuTLS is required there is no way to go with the !WITH_GNUTLS branch and just distribute these files.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 tests/Makefile.am | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/tests/Makefile.am b/tests/Makefile.am index 1ce3dbb50f..99c79e3208 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -227,10 +227,9 @@ test_programs += \ virnetsockettest \ virnetdaemontest \ virnetserverclienttest \ + virnettlscontexttest \ + virnettlssessiontest \ $(NULL) -if WITH_GNUTLS -test_programs += virnettlscontexttest virnettlssessiontest -endif WITH_GNUTLS endif WITH_REMOTE if WITH_LINUX @@ -1027,7 +1026,6 @@ virnetserverclientmock_la_SOURCES = \ virnetserverclientmock_la_LDFLAGS = $(MOCKLIBS_LDFLAGS) virnetserverclientmock_la_LIBADD = $(MOCKLIBS_LIBS) -if WITH_GNUTLS virnettlscontexttest_SOURCES = \ virnettlscontexttest.c \ virnettlshelpers.h virnettlshelpers.c \ @@ -1046,12 +1044,6 @@ virnettlssessiontest_LDADD += -ltasn1 else ! HAVE_LIBTASN1 EXTRA_DIST += pkix_asn1_tab.c endif ! HAVE_LIBTASN1 -else ! WITH_GNUTLS -EXTRA_DIST += \ - virnettlscontexttest.c virnettlssessiontest.c \ - virnettlshelpers.h virnettlshelpers.c \ - testutils.h testutils.c pkix_asn1_tab.c -endif ! WITH_GNUTLS virtimetest_SOURCES = \ virtimetest.c testutils.h testutils.c -- 2.16.4
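Review bot: in the first hunk, once the explicit `if WITH_GNUTLS` lines are gone the only thing gating virnettlscontexttest and virnettlssessiontest is the enclosing `endif WITH_REMOTE`, so both test binaries are now built and run on every remote-enabled configuration instead of being skipped on a GnuTLS-less host; that is the intended effect of the series, but the commit message only mentions the fallback EXTRA_DIST list, so a sentence stating that the tests themselves become unconditional would make the behaviour change explicit. The new entries keep the `$(NULL)` terminator and sit ahead of it, consistent with the rest of the list.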
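Review bot: the removed `else ! WITH_GNUTLS` branch in the third hunk was the one place that put pkix_asn1_tab.c into EXTRA_DIST unconditionally; after the change its distribution relies on the surviving `else ! HAVE_LIBTASN1` branch (when libtasn1 is absent) or on the file being listed in the two tests' _SOURCES when libtasn1 is present, which is not visible in this hunk. A `make distcheck` on a host that has libtasn1 would confirm the tarball still carries pkix_asn1_tab.c together with virnettlshelpers.[ch].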

On Tue, Jun 05, 2018 at 01:55:57PM +0200, Michal Privoznik wrote:
> Since GnuTLS is required there is no way to go with the !WITH_GNUTLS branch and just distribute these files.
>
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  tests/Makefile.am | 12 ++----------
>  1 file changed, 2 insertions(+), 10 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Now that GnuTLS is a requirement, we can drop a lot of conditionally built code. However, not all ifdef-s can go because we still want libvirt_setuid to build without gnutls. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/locking/lock_daemon.c | 4 --- src/logging/log_daemon.c | 4 --- src/lxc/lxc_controller.c | 2 -- src/qemu/qemu_migration_cookie.c | 12 +++----- src/remote/remote_daemon.c | 23 --------------- src/remote/remote_daemon_dispatch.c | 2 -- src/rpc/virnetdaemon.h | 4 +-- src/rpc/virnetserver.c | 6 ---- src/rpc/virnetserver.h | 6 +--- src/rpc/virnetserverclient.c | 57 +++---------------------------------- src/rpc/virnetserverclient.h | 8 ------ src/rpc/virnetserverservice.c | 24 ---------------- src/rpc/virnetserverservice.h | 10 ------- src/util/vircrypto.c | 43 ++-------------------------- tests/qemuxml2argvtest.c | 15 ---------- tests/vircryptotest.c | 24 +++++----------- tests/virfilecachetest.c | 18 +++--------- tests/virnetdaemontest.c | 8 ------ tests/virnetserverclienttest.c | 2 -- tests/virrandommock.c | 8 ++---- 20 files changed, 27 insertions(+), 253 deletions(-) diff --git a/src/locking/lock_daemon.c b/src/locking/lock_daemon.c index 78c33bd29c..272d2e3ae9 100644 --- a/src/locking/lock_daemon.c +++ b/src/locking/lock_daemon.c @@ -619,9 +619,7 @@ virLockDaemonSetupNetworkingSystemD(virNetServerPtr lockSrv, virNetServerPtr adm /* Systemd passes FDs, starting immediately after stderr, * so the first FD we'll get is '3'. */ if (!(svc = virNetServerServiceNewFD(3 + i, 0, -#if WITH_GNUTLS NULL, -#endif false, 0, 1))) return -1; @@ -642,9 +640,7 @@ virLockDaemonSetupNetworkingNative(virNetServerPtr srv, const char *sock_path) VIR_DEBUG("Setting up networking natively"); if (!(svc = virNetServerServiceNewUNIX(sock_path, 0700, 0, 0, -#if WITH_GNUTLS NULL, -#endif false, 0, 1))) return -1; 
diff --git a/src/logging/log_daemon.c b/src/logging/log_daemon.c index 91bd9d0b90..4415a61d03 100644 --- a/src/logging/log_daemon.c +++ b/src/logging/log_daemon.c @@ -554,9 +554,7 @@ virLogDaemonSetupNetworkingSystemD(virNetServerPtr logSrv, virNetServerPtr admin /* Systemd passes FDs, starting immediately after stderr, * so the first FD we'll get is '3'. */ if (!(svc = virNetServerServiceNewFD(3 + i, 0, -#if WITH_GNUTLS NULL, -#endif false, 0, 1))) return -1; @@ -577,9 +575,7 @@ virLogDaemonSetupNetworkingNative(virNetServerPtr srv, const char *sock_path) VIR_DEBUG("Setting up networking natively"); if (!(svc = virNetServerServiceNewUNIX(sock_path, 0700, 0, 0, -#if WITH_GNUTLS NULL, -#endif false, 0, 1))) return -1; diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index d5636b808c..03077af1ec 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -957,9 +957,7 @@ static int virLXCControllerSetupServer(virLXCControllerPtr ctrl) 0700, 0, 0, -#if WITH_GNUTLS NULL, -#endif false, 0, 5))) diff --git a/src/qemu/qemu_migration_cookie.c b/src/qemu/qemu_migration_cookie.c index eca1b74d63..60df449d53 100644 --- a/src/qemu/qemu_migration_cookie.c +++ b/src/qemu/qemu_migration_cookie.c @@ -18,10 +18,8 @@ #include <config.h> -#ifdef WITH_GNUTLS -# include <gnutls/gnutls.h> -# include <gnutls/x509.h> -#endif +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> #include "locking/domain_lock.h" #include "viralloc.h" @@ -131,7 +129,6 @@ qemuMigrationCookieFree(qemuMigrationCookiePtr mig) } -#ifdef WITH_GNUTLS static char * qemuDomainExtractTLSSubject(const char *certdir) { @@ -188,7 +185,7 @@ qemuDomainExtractTLSSubject(const char *certdir) VIR_FREE(pemdata); return NULL; } -#endif + static qemuMigrationCookieGraphicsPtr qemuMigrationCookieGraphicsSpiceAlloc(virQEMUDriverPtr driver, 
@@ -212,11 +209,10 @@ qemuMigrationCookieGraphicsSpiceAlloc(virQEMUDriverPtr driver, if (!glisten || !(listenAddr = glisten->address)) listenAddr = cfg->spiceListen; -#ifdef WITH_GNUTLS if (cfg->spiceTLS && !(mig->tlsSubject = qemuDomainExtractTLSSubject(cfg->spiceTLSx509certdir))) goto error; -#endif + if (VIR_STRDUP(mig->listen, listenAddr) < 0) goto error; diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c index 27377fe3bc..21ab22499d 100644 --- a/src/remote/remote_daemon.c +++ b/src/remote/remote_daemon.c @@ -375,9 +375,7 @@ daemonSetupNetworking(virNetServerPtr srv, virNetServerServicePtr svcAdm = NULL; virNetServerServicePtr svcRO = NULL; virNetServerServicePtr svcTCP = NULL; -#if WITH_GNUTLS virNetServerServicePtr svcTLS = NULL; -#endif gid_t unix_sock_gid = 0; int unix_sock_ro_mask = 0; int unix_sock_rw_mask = 0; @@ -416,9 +414,7 @@ daemonSetupNetworking(virNetServerPtr srv, unix_sock_rw_mask, unix_sock_gid, config->auth_unix_rw, -#if WITH_GNUTLS NULL, -#endif false, config->max_queued_clients, config->max_client_requests, @@ -429,9 +425,7 @@ daemonSetupNetworking(virNetServerPtr srv, unix_sock_ro_mask, unix_sock_gid, config->auth_unix_ro, -#if WITH_GNUTLS NULL, -#endif true, config->max_queued_clients, config->max_client_requests, @@ -455,9 +449,7 @@ daemonSetupNetworking(virNetServerPtr srv, unix_sock_adm_mask, unix_sock_gid, REMOTE_AUTH_NONE, -#if WITH_GNUTLS NULL, -#endif false, config->admin_max_queued_clients, config->admin_max_client_requests))) @@ -475,9 +467,7 @@ daemonSetupNetworking(virNetServerPtr srv, config->tcp_port, AF_UNSPEC, config->auth_tcp, -#if WITH_GNUTLS NULL, -#endif false, config->max_queued_clients, config->max_client_requests))) @@ -488,7 +478,6 @@ daemonSetupNetworking(virNetServerPtr srv, goto cleanup; } -#if WITH_GNUTLS if (config->listen_tls) { virNetTLSContextPtr ctxt = NULL; 
@@ -552,22 +541,12 @@ daemonSetupNetworking(virNetServerPtr srv, virObjectUnref(ctxt); } -#else - (void)privileged; - if (config->listen_tls) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("This libvirtd build does not support TLS")); - goto cleanup; - } -#endif } #if WITH_SASL if (config->auth_unix_rw == REMOTE_AUTH_SASL || (sock_path_ro && config->auth_unix_ro == REMOTE_AUTH_SASL) || -# if WITH_GNUTLS (ipsock && config->listen_tls && config->auth_tls == REMOTE_AUTH_SASL) || -# endif (ipsock && config->listen_tcp && config->auth_tcp == REMOTE_AUTH_SASL)) { saslCtxt = virNetSASLContextNewServer( (const char *const*)config->sasl_allowed_username_list); @@ -579,9 +558,7 @@ daemonSetupNetworking(virNetServerPtr srv, ret = 0; cleanup: -#if WITH_GNUTLS virObjectUnref(svcTLS); -#endif virObjectUnref(svcTCP); virObjectUnref(svcRO); virObjectUnref(svcAdm); diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c index a8a5932d71..81d0445e43 100644 --- a/src/remote/remote_daemon_dispatch.c +++ b/src/remote/remote_daemon_dispatch.c @@ -3353,7 +3353,6 @@ remoteDispatchAuthSaslInit(virNetServerPtr server ATTRIBUTE_UNUSED, if (!sasl) goto authfail; -# if WITH_GNUTLS /* Inform SASL that we've got an external SSF layer from TLS */ if (virNetServerClientHasTLSSession(client)) { int ssf; @@ -3367,7 +3366,6 @@ remoteDispatchAuthSaslInit(virNetServerPtr server ATTRIBUTE_UNUSED, if (virNetSASLSessionExtKeySize(sasl, ssf) < 0) goto authfail; } -# endif if (virNetServerClientIsSecure(client)) /* If we've got TLS or UNIX domain sock, we don't care about SSF */ diff --git a/src/rpc/virnetdaemon.h b/src/rpc/virnetdaemon.h index 6576c463b5..09ed5adf36 100644 --- a/src/rpc/virnetdaemon.h +++ b/src/rpc/virnetdaemon.h @@ -25,9 +25,7 @@ # include <signal.h> -# ifdef WITH_GNUTLS -# include "virnettlscontext.h" -# endif +# include "virnettlscontext.h" # include "virobject.h" # include "virjson.h" # include "virnetserverprogram.h" 
diff --git a/src/rpc/virnetserver.c b/src/rpc/virnetserver.c index 5aeb188900..5c7f7dd08f 100644 --- a/src/rpc/virnetserver.c +++ b/src/rpc/virnetserver.c @@ -73,9 +73,7 @@ struct _virNetServer { int keepaliveInterval; unsigned int keepaliveCount; -#ifdef WITH_GNUTLS virNetTLSContextPtr tls; -#endif virNetServerClientPrivNew clientPrivNew; virNetServerClientPrivPreExecRestart clientPrivPreExecRestart; @@ -320,9 +318,7 @@ static int virNetServerDispatchNewClient(virNetServerServicePtr svc, virNetServerServiceGetAuth(svc), virNetServerServiceIsReadonly(svc), virNetServerServiceGetMaxRequests(svc), -#if WITH_GNUTLS virNetServerServiceGetTLSContext(svc), -#endif srv->clientPrivNew, srv->clientPrivPreExecRestart, srv->clientPrivFree, @@ -728,14 +724,12 @@ int virNetServerAddProgram(virNetServerPtr srv, return -1; } -#if WITH_GNUTLS int virNetServerSetTLSContext(virNetServerPtr srv, virNetTLSContextPtr tls) { srv->tls = virObjectRef(tls); return 0; } -#endif /** diff --git a/src/rpc/virnetserver.h b/src/rpc/virnetserver.h index a79c39fdb2..26cec43c22 100644 --- a/src/rpc/virnetserver.h +++ b/src/rpc/virnetserver.h @@ -24,9 +24,7 @@ #ifndef __VIR_NET_SERVER_H__ # define __VIR_NET_SERVER_H__ -# ifdef WITH_GNUTLS -# include "virnettlscontext.h" -# endif +# include "virnettlscontext.h" # include "virnetserverprogram.h" # include "virnetserverclient.h" # include "virnetserverservice.h" @@ -71,10 +69,8 @@ int virNetServerAddService(virNetServerPtr srv, int virNetServerAddProgram(virNetServerPtr srv, virNetServerProgramPtr prog); -# if WITH_GNUTLS int virNetServerSetTLSContext(virNetServerPtr srv, virNetTLSContextPtr tls); -# endif int virNetServerAddClient(virNetServerPtr srv, diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c index ffd4fbc5e6..97cf126f56 100644 --- a/src/rpc/virnetserverclient.c +++ b/src/rpc/virnetserverclient.c 
@@ -73,10 +73,8 @@ struct _virNetServerClient int auth; bool auth_pending; bool readonly; -#if WITH_GNUTLS virNetTLSContextPtr tlsCtxt; virNetTLSSessionPtr tls; -#endif #if WITH_SASL virNetSASLSessionPtr sasl; #endif @@ -154,18 +152,13 @@ virNetServerClientCalculateHandleMode(virNetServerClientPtr client) VIR_DEBUG("tls=%p hs=%d, rx=%p tx=%p", -#ifdef WITH_GNUTLS client->tls, client->tls ? virNetTLSSessionGetHandshakeStatus(client->tls) : -1, -#else - NULL, -1, -#endif client->rx, client->tx); if (!client->sock || client->wantClose) return 0; -#if WITH_GNUTLS if (client->tls) { switch (virNetTLSSessionGetHandshakeStatus(client->tls)) { case VIR_NET_TLS_HANDSHAKE_RECVING: @@ -182,7 +175,6 @@ virNetServerClientCalculateHandleMode(virNetServerClientPtr client) mode |= VIR_EVENT_HANDLE_WRITABLE; } } else { -#endif /* If there is a message on the rx queue, and * we're not in middle of a delayedClose, then * we're wanting more input */ @@ -193,9 +185,7 @@ virNetServerClientCalculateHandleMode(virNetServerClientPtr client) then monitor for writability on socket */ if (client->tx) mode |= VIR_EVENT_HANDLE_WRITABLE; -#if WITH_GNUTLS } -#endif VIR_DEBUG("mode=0%o", mode); return mode; } @@ -300,7 +290,6 @@ void virNetServerClientRemoveFilter(virNetServerClientPtr client, } -#ifdef WITH_GNUTLS /* Check the client's access. */ static int virNetServerClientCheckAccess(virNetServerClientPtr client) @@ -335,7 +324,7 @@ virNetServerClientCheckAccess(virNetServerClientPtr client) return 0; } -#endif + static void virNetServerClientDispatchMessage(virNetServerClientPtr client, virNetMessagePtr msg) @@ -396,9 +385,7 @@ virNetServerClientNewInternal(unsigned long long id, virNetSocketPtr sock, int auth, bool auth_pending, -#ifdef WITH_GNUTLS virNetTLSContextPtr tls, -#endif bool readonly, size_t nrequests_max, long long timestamp) 
@@ -416,9 +403,7 @@ virNetServerClientNewInternal(unsigned long long id, client->auth = auth; client->auth_pending = auth_pending; client->readonly = readonly; -#ifdef WITH_GNUTLS client->tlsCtxt = virObjectRef(tls); -#endif client->nrequests_max = nrequests_max; client->conn_time = timestamp; @@ -452,9 +437,7 @@ virNetServerClientPtr virNetServerClientNew(unsigned long long id, int auth, bool readonly, size_t nrequests_max, -#ifdef WITH_GNUTLS virNetTLSContextPtr tls, -#endif virNetServerClientPrivNew privNew, virNetServerClientPrivPreExecRestart privPreExecRestart, virFreeCallback privFree, @@ -464,13 +447,7 @@ virNetServerClientPtr virNetServerClientNew(unsigned long long id, time_t now; bool auth_pending = !virNetServerClientAuthMethodImpliesAuthenticated(auth); - VIR_DEBUG("sock=%p auth=%d tls=%p", sock, auth, -#ifdef WITH_GNUTLS - tls -#else - NULL -#endif - ); + VIR_DEBUG("sock=%p auth=%d tls=%p", sock, auth, tls); if ((now = time(NULL)) == (time_t)-1) { virReportSystemError(errno, "%s", _("failed to get current time")); @@ -478,10 +455,7 @@ virNetServerClientPtr virNetServerClientNew(unsigned long long id, } if (!(client = virNetServerClientNewInternal(id, sock, auth, auth_pending, -#ifdef WITH_GNUTLS - tls, -#endif - readonly, nrequests_max, + tls, readonly, nrequests_max, now))) return NULL; @@ -586,9 +560,7 @@ virNetServerClientPtr virNetServerClientNewPostExecRestart(virNetServerPtr srv, sock, auth, auth_pending, -#ifdef WITH_GNUTLS NULL, -#endif readonly, nrequests_max, timestamp))) { @@ -720,7 +692,6 @@ long long virNetServerClientGetTimestamp(virNetServerClientPtr client) return client->conn_time; } -#ifdef WITH_GNUTLS bool virNetServerClientHasTLSSession(virNetServerClientPtr client) { bool has; @@ -749,7 +720,6 @@ int virNetServerClientGetTLSKeySize(virNetServerClientPtr client) virObjectUnlock(client); return size; } -#endif int virNetServerClientGetFD(virNetServerClientPtr client) { 
@@ -837,13 +807,11 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client) } #endif -#if WITH_GNUTLS if (client->tls) { const char *identity = virNetTLSSessionGetX509DName(client->tls); if (virIdentitySetX509DName(ret, identity) < 0) goto error; } -#endif if (client->sock && virNetSocketGetSELinuxContext(client->sock, &seccontext) < 0) @@ -895,10 +863,8 @@ bool virNetServerClientIsSecure(virNetServerClientPtr client) { bool secure = false; virObjectLock(client); -#if WITH_GNUTLS if (client->tls) secure = true; -#endif #if WITH_SASL if (client->sasl) secure = true; @@ -1019,10 +985,8 @@ void virNetServerClientDispose(void *obj) #endif if (client->sockTimer > 0) virEventRemoveTimeout(client->sockTimer); -#if WITH_GNUTLS virObjectUnref(client->tls); virObjectUnref(client->tlsCtxt); -#endif virObjectUnref(client->sock); } @@ -1071,12 +1035,10 @@ virNetServerClientCloseLocked(virNetServerClientPtr client) if (client->sock) virNetSocketRemoveIOCallback(client->sock); -#if WITH_GNUTLS if (client->tls) { virObjectUnref(client->tls); client->tls = NULL; } -#endif client->wantClose = true; while (client->rx) { @@ -1139,13 +1101,10 @@ int virNetServerClientInit(virNetServerClientPtr client) { virObjectLock(client); -#if WITH_GNUTLS if (!client->tlsCtxt) { -#endif /* Plain socket, so prepare to read first message */ if (virNetServerClientRegisterEvent(client) < 0) goto error; -#if WITH_GNUTLS } else { int ret; @@ -1174,7 +1133,6 @@ int virNetServerClientInit(virNetServerClientPtr client) goto error; } } -#endif virObjectUnlock(client); return 0; @@ -1475,7 +1433,6 @@ virNetServerClientDispatchWrite(virNetServerClientPtr client) } -#if WITH_GNUTLS static void virNetServerClientDispatchHandshake(virNetServerClientPtr client) { @@ -1498,7 +1455,7 @@ virNetServerClientDispatchHandshake(virNetServerClientPtr client) client->wantClose = true; } } -#endif + static void virNetServerClientDispatchEvent(virNetSocketPtr sock, int events, void *opaque) 
@@ -1516,21 +1473,17 @@ virNetServerClientDispatchEvent(virNetSocketPtr sock, int events, void *opaque) if (events & (VIR_EVENT_HANDLE_WRITABLE | VIR_EVENT_HANDLE_READABLE)) { -#if WITH_GNUTLS if (client->tls && virNetTLSSessionGetHandshakeStatus(client->tls) != VIR_NET_TLS_HANDSHAKE_COMPLETE) { virNetServerClientDispatchHandshake(client); } else { -#endif if (events & VIR_EVENT_HANDLE_WRITABLE) virNetServerClientDispatchWrite(client); if (events & VIR_EVENT_HANDLE_READABLE && client->rx) msg = virNetServerClientDispatchRead(client); -#if WITH_GNUTLS } -#endif } /* NB, will get HANGUP + READABLE at same time upon @@ -1687,10 +1640,8 @@ virNetServerClientGetTransport(virNetServerClientPtr client) else ret = VIR_CLIENT_TRANS_TCP; -#ifdef WITH_GNUTLS if (client->tls) ret = VIR_CLIENT_TRANS_TLS; -#endif virObjectUnlock(client); diff --git a/src/rpc/virnetserverclient.h b/src/rpc/virnetserverclient.h index b21446eeb7..b7ff660eef 100644 --- a/src/rpc/virnetserverclient.h +++ b/src/rpc/virnetserverclient.h @@ -69,18 +69,12 @@ virNetServerClientPtr virNetServerClientNew(unsigned long long id, int auth, bool readonly, size_t nrequests_max, -# ifdef WITH_GNUTLS virNetTLSContextPtr tls, -# endif virNetServerClientPrivNew privNew, virNetServerClientPrivPreExecRestart privPreExecRestart, virFreeCallback privFree, void *privOpaque) -# ifdef WITH_GNUTLS ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(7) ATTRIBUTE_NONNULL(9); -# else - ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(6) ATTRIBUTE_NONNULL(8); -# endif virNetServerClientPtr virNetServerClientNewPostExecRestart(virNetServerPtr srv, virJSONValuePtr object, 
@@ -107,11 +101,9 @@ void virNetServerClientSetReadonly(virNetServerClientPtr client, bool readonly); unsigned long long virNetServerClientGetID(virNetServerClientPtr client); long long virNetServerClientGetTimestamp(virNetServerClientPtr client); -# ifdef WITH_GNUTLS bool virNetServerClientHasTLSSession(virNetServerClientPtr client); virNetTLSSessionPtr virNetServerClientGetTLSSession(virNetServerClientPtr client); int virNetServerClientGetTLSKeySize(virNetServerClientPtr client); -# endif # ifdef WITH_SASL bool virNetServerClientHasSASLSession(virNetServerClientPtr client); diff --git a/src/rpc/virnetserverservice.c b/src/rpc/virnetserverservice.c index 23fc23cab4..e6762366ab 100644 --- a/src/rpc/virnetserverservice.c +++ b/src/rpc/virnetserverservice.c @@ -43,9 +43,7 @@ struct _virNetServerService { bool readonly; size_t nrequests_client_max; -#if WITH_GNUTLS virNetTLSContextPtr tls; -#endif virNetServerServiceDispatchFunc dispatchFunc; void *dispatchOpaque; @@ -94,9 +92,7 @@ virNetServerServiceNewFDOrUNIX(const char *path, mode_t mask, gid_t grp, int auth, -#if WITH_GNUTLS virNetTLSContextPtr tls, -#endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max, @@ -112,9 +108,7 @@ virNetServerServiceNewFDOrUNIX(const char *path, mask, grp, auth, -#if WITH_GNUTLS tls, -#endif readonly, max_queued_clients, nrequests_client_max); @@ -128,9 +122,7 @@ virNetServerServiceNewFDOrUNIX(const char *path, */ return virNetServerServiceNewFD((*cur_fd)++, auth, -#if WITH_GNUTLS tls, -#endif readonly, max_queued_clients, nrequests_client_max); @@ -142,9 +134,7 @@ virNetServerServicePtr virNetServerServiceNewTCP(const char *nodename, const char *service, int family, int auth, -#if WITH_GNUTLS virNetTLSContextPtr tls, -#endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max) 
@@ -161,9 +151,7 @@ virNetServerServicePtr virNetServerServiceNewTCP(const char *nodename, svc->auth = auth; svc->readonly = readonly; svc->nrequests_client_max = nrequests_client_max; -#if WITH_GNUTLS svc->tls = virObjectRef(tls); -#endif if (virNetSocketNewListenTCP(nodename, service, @@ -202,9 +190,7 @@ virNetServerServicePtr virNetServerServiceNewUNIX(const char *path, mode_t mask, gid_t grp, int auth, -#if WITH_GNUTLS virNetTLSContextPtr tls, -#endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max) @@ -221,9 +207,7 @@ virNetServerServicePtr virNetServerServiceNewUNIX(const char *path, svc->auth = auth; svc->readonly = readonly; svc->nrequests_client_max = nrequests_client_max; -#if WITH_GNUTLS svc->tls = virObjectRef(tls); -#endif if (VIR_ALLOC_N(svc->socks, 1) < 0) goto error; @@ -263,9 +247,7 @@ virNetServerServicePtr virNetServerServiceNewUNIX(const char *path, virNetServerServicePtr virNetServerServiceNewFD(int fd, int auth, -#if WITH_GNUTLS virNetTLSContextPtr tls, -#endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max) @@ -282,9 +264,7 @@ virNetServerServicePtr virNetServerServiceNewFD(int fd, svc->auth = auth; svc->readonly = readonly; svc->nrequests_client_max = nrequests_client_max; -#if WITH_GNUTLS svc->tls = virObjectRef(tls); -#endif if (VIR_ALLOC_N(svc->socks, 1) < 0) goto error; @@ -469,12 +449,10 @@ size_t virNetServerServiceGetMaxRequests(virNetServerServicePtr svc) return svc->nrequests_client_max; } -#if WITH_GNUTLS virNetTLSContextPtr virNetServerServiceGetTLSContext(virNetServerServicePtr svc) { return svc->tls; } -#endif void virNetServerServiceSetDispatcher(virNetServerServicePtr svc, virNetServerServiceDispatchFunc func, @@ -494,9 +472,7 @@ void virNetServerServiceDispose(void *obj) virObjectUnref(svc->socks[i]); VIR_FREE(svc->socks); -#if WITH_GNUTLS virObjectUnref(svc->tls); -#endif } void virNetServerServiceToggle(virNetServerServicePtr svc, 
diff --git a/src/rpc/virnetserverservice.h b/src/rpc/virnetserverservice.h index 5d8c583db2..a50cb19b6d 100644 --- a/src/rpc/virnetserverservice.h +++ b/src/rpc/virnetserverservice.h @@ -41,9 +41,7 @@ virNetServerServicePtr virNetServerServiceNewFDOrUNIX(const char *path, mode_t mask, gid_t grp, int auth, -# if WITH_GNUTLS virNetTLSContextPtr tls, -# endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max, @@ -53,9 +51,7 @@ virNetServerServicePtr virNetServerServiceNewTCP(const char *nodename, const char *service, int family, int auth, -# if WITH_GNUTLS virNetTLSContextPtr tls, -# endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max); @@ -63,17 +59,13 @@ virNetServerServicePtr virNetServerServiceNewUNIX(const char *path, mode_t mask, gid_t grp, int auth, -# if WITH_GNUTLS virNetTLSContextPtr tls, -# endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max); virNetServerServicePtr virNetServerServiceNewFD(int fd, int auth, -# if WITH_GNUTLS virNetTLSContextPtr tls, -# endif bool readonly, size_t max_queued_clients, size_t nrequests_client_max); @@ -87,9 +79,7 @@ int virNetServerServiceGetPort(virNetServerServicePtr svc); int virNetServerServiceGetAuth(virNetServerServicePtr svc); bool virNetServerServiceIsReadonly(virNetServerServicePtr svc); size_t virNetServerServiceGetMaxRequests(virNetServerServicePtr svc); -# ifdef WITH_GNUTLS virNetTLSContextPtr virNetServerServiceGetTLSContext(virNetServerServicePtr svc); -# endif void virNetServerServiceSetDispatcher(virNetServerServicePtr svc, virNetServerServiceDispatchFunc func, diff --git a/src/util/vircrypto.c b/src/util/vircrypto.c index d734ce6ad7..bdb83c5fd3 100644 --- a/src/util/vircrypto.c +++ b/src/util/vircrypto.c @@ -26,10 +26,8 @@ #include "viralloc.h" #include "virrandom.h" -#ifdef WITH_GNUTLS -# include <gnutls/gnutls.h> -# include <gnutls/crypto.h> -#endif +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> VIR_LOG_INIT("util.crypto"); 
@@ -39,7 +37,6 @@ static const char hex[] = "0123456789abcdef"; #define VIR_CRYPTO_LARGEST_DIGEST_SIZE VIR_CRYPTO_HASH_SIZE_SHA256 -#if WITH_GNUTLS struct virHashInfo { gnutls_digest_algorithm_t algorithm; @@ -74,17 +71,7 @@ virCryptoHashBuf(virCryptoHash hash, return hashinfo[hash].hashlen; } -#else -ssize_t -virCryptoHashBuf(virCryptoHash hash, - const char *input ATTRIBUTE_UNUSED, - unsigned char *output ATTRIBUTE_UNUSED) -{ - virReportError(VIR_ERR_INVALID_ARG, - _("algorithm=%d is not supported"), hash); - return -1; -} -#endif + int virCryptoHashString(virCryptoHash hash, @@ -129,11 +116,7 @@ virCryptoHaveCipher(virCryptoCipher algorithm) switch (algorithm) { case VIR_CRYPTO_CIPHER_AES256CBC: -#ifdef WITH_GNUTLS return true; -#else - return false; -#endif case VIR_CRYPTO_CIPHER_NONE: case VIR_CRYPTO_CIPHER_LAST: @@ -144,7 +127,6 @@ virCryptoHaveCipher(virCryptoCipher algorithm) } -#ifdef WITH_GNUTLS /* virCryptoEncryptDataAESgntuls: * * Performs the AES gnutls encryption @@ -295,22 +277,3 @@ virCryptoEncryptData(virCryptoCipher algorithm, _("algorithm=%d is not supported"), algorithm); return -1; } - -#else - -int -virCryptoEncryptData(virCryptoCipher algorithm, - uint8_t *enckey ATTRIBUTE_UNUSED, - size_t enckeylen ATTRIBUTE_UNUSED, - uint8_t *iv ATTRIBUTE_UNUSED, - size_t ivlen ATTRIBUTE_UNUSED, - uint8_t *data ATTRIBUTE_UNUSED, - size_t datalen ATTRIBUTE_UNUSED, - uint8_t **ciphertext ATTRIBUTE_UNUSED, - size_t *ciphertextlen ATTRIBUTE_UNUSED) -{ - virReportError(VIR_ERR_INVALID_ARG, - _("algorithm=%d is not supported"), algorithm); - return -1; -} -#endif diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 14a994523f..36bff26d33 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c 
@@ -1043,10 +1043,8 @@ mymain(void) DO_TEST("disk-drive-network-sheepdog", NONE); DO_TEST("disk-drive-network-rbd-auth", NONE); DO_TEST("disk-drive-network-source-auth", NONE); -# ifdef WITH_GNUTLS DO_TEST("disk-drive-network-rbd-auth-AES", QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_VIRTIO_SCSI); -# endif DO_TEST("disk-drive-network-rbd-ipv6", NONE); DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE); DO_TEST("disk-drive-network-vxhs", QEMU_CAPS_VXHS); @@ -1339,17 +1337,10 @@ mymain(void) if (VIR_STRDUP_QUIET(driver.config->chardevTLSx509secretUUID, "6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea") < 0) return EXIT_FAILURE; -# ifdef WITH_GNUTLS DO_TEST("serial-tcp-tlsx509-secret-chardev", QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_DEVICE_ISA_SERIAL, QEMU_CAPS_OBJECT_TLS_CREDS_X509); -# else - DO_TEST_FAILURE("serial-tcp-tlsx509-secret-chardev", - QEMU_CAPS_OBJECT_SECRET, - QEMU_CAPS_DEVICE_ISA_SERIAL, - QEMU_CAPS_OBJECT_TLS_CREDS_X509); -# endif driver.config->chardevTLS = 0; VIR_FREE(driver.config->chardevTLSx509certdir); DO_TEST("serial-many-chardev", @@ -1653,14 +1644,10 @@ mymain(void) DO_TEST("encrypted-disk", QEMU_CAPS_QCOW2_LUKS, QEMU_CAPS_OBJECT_SECRET); DO_TEST("encrypted-disk-usage", QEMU_CAPS_QCOW2_LUKS, QEMU_CAPS_OBJECT_SECRET); -# ifdef WITH_GNUTLS DO_TEST("luks-disks", QEMU_CAPS_OBJECT_SECRET); DO_TEST("luks-disks-source", QEMU_CAPS_OBJECT_SECRET); DO_TEST_PARSE_ERROR("luks-disks-source-qcow2", QEMU_CAPS_OBJECT_SECRET); DO_TEST("luks-disks-source-qcow2", QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_QCOW2_LUKS); -# else - DO_TEST_FAILURE("luks-disks", QEMU_CAPS_OBJECT_SECRET); -# endif DO_TEST_PARSE_ERROR("luks-disk-invalid", NONE); DO_TEST_PARSE_ERROR("luks-disks-source-both", QEMU_CAPS_OBJECT_SECRET); 
@@ -2351,12 +2338,10 @@ mymain(void) DO_TEST("hostdev-scsi-virtio-iscsi-auth", QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE_SCSI_GENERIC); -# ifdef WITH_GNUTLS DO_TEST("disk-hostdev-scsi-virtio-iscsi-auth-AES", QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE_SCSI_GENERIC, QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_ISCSI_PASSWORD_SECRET); -# endif DO_TEST("hostdev-scsi-vhost-scsi-ccw", QEMU_CAPS_VIRTIO_SCSI, QEMU_CAPS_DEVICE_VHOST_SCSI, QEMU_CAPS_DEVICE_SCSI_GENERIC, QEMU_CAPS_CCW); diff --git a/tests/vircryptotest.c b/tests/vircryptotest.c index b6313e73ad..6841d74901 100644 --- a/tests/vircryptotest.c +++ b/tests/vircryptotest.c @@ -22,11 +22,10 @@ #include "testutils.h" -#if WITH_GNUTLS -# include "vircrypto.h" -# include "virrandom.h" +#include "vircrypto.h" +#include "virrandom.h" -# define VIR_FROM_THIS VIR_FROM_NONE +#define VIR_FROM_THIS VIR_FROM_NONE struct testCryptoHashData { virCryptoHash hash; @@ -130,7 +129,7 @@ mymain(void) 0x1b, 0x8c, 0x3f, 0x48, 0x27, 0xae, 0xb6, 0x7a}; -# define VIR_CRYPTO_HASH(h, i, o) \ +#define VIR_CRYPTO_HASH(h, i, o) \ do { \ struct testCryptoHashData data = { \ .hash = h, \ @@ -153,9 +152,9 @@ mymain(void) VIR_CRYPTO_HASH(VIR_CRYPTO_HASH_MD5, "The quick brown fox", "a2004f37730b9445670a738fa0fc9ee5"); VIR_CRYPTO_HASH(VIR_CRYPTO_HASH_SHA256, "The quick brown fox", "5cac4f980fedc3d3f1f99b4be3472c9b30d56523e632d151237ec9309048bda9"); -# undef VIR_CRYPTO_HASH +#undef VIR_CRYPTO_HASH -# define VIR_CRYPTO_ENCRYPT(a, n, i, il, c, cl) \ +#define VIR_CRYPTO_ENCRYPT(a, n, i, il, c, cl) \ do { \ struct testCryptoEncryptData data = { \ .algorithm = a, \ 
@@ -174,19 +173,10 @@ mymain(void) VIR_CRYPTO_ENCRYPT(VIR_CRYPTO_CIPHER_AES256CBC, "aes265cbc", secretdata, 7, expected_ciphertext, 16); -# undef VIR_CRYPTO_ENCRYPT +#undef VIR_CRYPTO_ENCRYPT return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; } /* Forces usage of not so random virRandomBytes */ VIR_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virrandommock.so") -#else -static int -mymain(void) -{ - return EXIT_AM_SKIP; -} - -VIR_TEST_MAIN(mymain); -#endif /* WITH_GNUTLS */ diff --git a/tests/virfilecachetest.c b/tests/virfilecachetest.c index 44386742e1..82c2286752 100644 --- a/tests/virfilecachetest.c +++ b/tests/virfilecachetest.c @@ -21,12 +21,11 @@ #include "testutils.h" -#if WITH_GNUTLS -# include "virfile.h" -# include "virfilecache.h" +#include "virfile.h" +#include "virfilecache.h" -# define VIR_FROM_THIS VIR_FROM_NONE +#define VIR_FROM_THIS VIR_FROM_NONE struct _testFileCacheObj { @@ -214,7 +213,7 @@ mymain(void) virFileCacheSetPriv(cache, &testPriv); -# define TEST_RUN(name, newData, expectData, expectSave) \ +#define TEST_RUN(name, newData, expectData, expectSave) \ do { \ testFileCacheData data = { \ cache, name, newData, expectData, expectSave \ @@ -235,12 +234,3 @@ mymain(void) } VIR_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virfilecachemock.so") -#else -static int -mymain(void) -{ - return EXIT_AM_SKIP; -} - -VIR_TEST_MAIN(mymain); -#endif /* WITH_GNUTLS */ diff --git a/tests/virnetdaemontest.c b/tests/virnetdaemontest.c index ef869b16e3..6f4957fc4c 100644 --- a/tests/virnetdaemontest.c +++ b/tests/virnetdaemontest.c @@ -117,9 +117,7 @@ testCreateServer(const char *server_name, const char *host, int family) NULL, family, VIR_NET_SERVER_SERVICE_AUTH_NONE, -# ifdef WITH_GNUTLS NULL, -# endif true, 5, 2))) @@ -129,9 +127,7 @@ testCreateServer(const char *server_name, const char *host, int family) NULL, family, VIR_NET_SERVER_SERVICE_AUTH_POLKIT, -# ifdef WITH_GNUTLS NULL, -# endif false, 25, 5))) 
@@ -152,9 +148,7 @@ testCreateServer(const char *server_name, const char *host, int family) VIR_NET_SERVER_SERVICE_AUTH_SASL, true, 15, -# ifdef WITH_GNUTLS NULL, -# endif testClientNew, testClientPreExec, testClientFree, @@ -166,9 +160,7 @@ testCreateServer(const char *server_name, const char *host, int family) VIR_NET_SERVER_SERVICE_AUTH_POLKIT, true, 66, -# ifdef WITH_GNUTLS NULL, -# endif testClientNew, testClientPreExec, testClientFree, diff --git a/tests/virnetserverclienttest.c b/tests/virnetserverclienttest.c index 1759d76630..3f801902ca 100644 --- a/tests/virnetserverclienttest.c +++ b/tests/virnetserverclienttest.c @@ -73,9 +73,7 @@ static int testIdentity(const void *opaque ATTRIBUTE_UNUSED) sv[0] = -1; if (!(client = virNetServerClientNew(1, sock, 0, false, 1, -# ifdef WITH_GNUTLS NULL, -# endif testClientNew, NULL, testClientFree, diff --git a/tests/virrandommock.c b/tests/virrandommock.c index fd1a61f673..99a55a576a 100644 --- a/tests/virrandommock.c +++ b/tests/virrandommock.c @@ -22,6 +22,9 @@ #ifndef WIN32 +# include <stdio.h> +# include <gnutls/gnutls.h> + # include "internal.h" # include "virstring.h" # include "virrandom.h" @@ -50,10 +53,6 @@ int virRandomGenerateWWN(char **wwn, } -# ifdef WITH_GNUTLS -# include <stdio.h> -# include <gnutls/gnutls.h> - static int (*real_gnutls_dh_params_generate2)(gnutls_dh_params_t dparams, unsigned int bits); @@ -87,7 +86,6 @@ gnutls_dh_params_generate2(gnutls_dh_params_t dparams, return gnutls_dh_params_cpy(dparams, params_cache); } -# endif #else /* WIN32 */ /* Can't mock on WIN32 */ #endif -- 2.16.4
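Review bot: the remote_daemon.c hunk at `@@ -552,22 +541,12 @@` drops the `#else` branch that held the only `(void)privileged;` cast together with the `VIR_ERR_CONFIG_UNSUPPORTED` "This libvirtd build does not support TLS" error. Removing the cast is safe only because the surviving `if (config->listen_tls)` block in daemonSetupNetworking already uses `privileged` in a GnuTLS build (it compiled warning-free that way before), so no unused-parameter warning should surface. The user-visible change is that `listen_tls` can no longer be rejected at startup as unsupported; that deserves a line in the commit message, since it is the one behaviour change in an otherwise mechanical cleanup.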
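Review bot: in the virnetserverclient.h hunk the retained `ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(7) ATTRIBUTE_NONNULL(9)` still indexes the right parameters once the `# ifdef WITH_GNUTLS` around `tls` is gone: counting id, sock, auth, readonly, nrequests_max, tls, privNew, privPreExecRestart, privFree, privOpaque gives sock=2, privNew=7 and privFree=9, so dropping the `(6)`/`(8)` variant that belonged to the nine-parameter !WITH_GNUTLS prototype is correct. The matching call sites in virnetdaemontest.c and virnetserverclienttest.c pass `NULL` in the sixth position, which agrees with this order.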
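Review bot: the vircrypto.c hunk at `@@ -26,10 +26,8 @@` makes `<gnutls/gnutls.h>` and `<gnutls/crypto.h>` unconditional and the later hunks drop the !WITH_GNUTLS stubs for virCryptoHashBuf and virCryptoEncryptData; since the commit message says some ifdef-s must stay so libvirt_setuid still builds without gnutls, it would help to state there which files keep WITH_GNUTLS and that vircrypto.c is not part of that library, otherwise this is the hunk a reader would suspect of breaking the setuid build. With the `return false` gone from virCryptoHaveCipher, callers now always proceed to the real AES256CBC path, which is the intent of the series.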
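Review bot: not introduced by this change, but visible in the context of the vircrypto.c hunk at `@@ -144,7 +127,6 @@`: the comment header reads `virCryptoEncryptDataAESgntuls` ("gntuls" for "gnutls"); since the file is being touched anyway, a separate spelling fix of that function name and comment would be a cheap follow-up.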
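Review bot: the vircryptotest.c hunk at `@@ -174,19 +173,10 @@` removes the `EXIT_AM_SKIP` fallback, so the crypto test can no longer be silently skipped, which improves CI coverage of the hash and AES paths; the `# define` to `#define` reindentation in the earlier hunks is the expected consequence of the outer `#if` going away. Pre-existing and unrelated, the context line `VIR_CRYPTO_ENCRYPT(VIR_CRYPTO_CIPHER_AES256CBC, "aes265cbc", ...)` carries a typo in the test label ("aes265cbc" versus AES256CBC) that a follow-up could correct.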
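Review bot: in the virrandommock.c hunks, moving `<stdio.h>` and `<gnutls/gnutls.h>` to the top of the `#ifndef WIN32` block and dropping the inner `# ifdef WITH_GNUTLS` means the gnutls_dh_params_generate2 override is now compiled into the mock on every non-Windows build; that is required for vircryptotest, which preloads virrandommock.so via VIR_TEST_MAIN_PRELOAD and is itself now unconditional, to stay deterministic. Placing the system headers ahead of "internal.h" also matches the usual include ordering in the tree.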