3:39 a.m.
Pavel Hrdina (2):
configure: move gnutls check into virt-gnutls.m4
m4/virt-gnutls: remove code for gnutls < 2.2.0
configure.ac | 109 +-----------------------------------------------------
m4/virt-gnutls.m4 | 62 +++++++++++++++++++++++++++++++
2 files changed, 64 insertions(+), 107 deletions(-)
create mode 100644 m4/virt-gnutls.m4
--
2.10.1
3:40 a.m.
New subject: [libvirt] [PATCH 1/2] configure: move gnutls check into virt-gnutls.m4
Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
---
configure.ac | 109 +-----------------------------------------------------
m4/virt-gnutls.m4 | 64 ++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 107 deletions(-)
create mode 100644 m4/virt-gnutls.m4
diff --git a/configure.ac b/configure.ac
index dfc536f..72bf7dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -117,7 +117,6 @@ fi
dnl Required minimum versions of all libs we depend on
LIBXML_REQUIRED="2.6.0"
-GNUTLS_REQUIRED="2.2.0"
POLKIT_REQUIRED="0.6"
PARTED_REQUIRED="1.8.0"
DEVMAPPER_REQUIRED=1.0.0
@@ -260,6 +259,7 @@ LIBVIRT_CHECK_UDEV
LIBVIRT_CHECK_WIRESHARK
LIBVIRT_CHECK_NSS
LIBVIRT_CHECK_YAJL
+LIBVIRT_CHECK_GNUTLS
AC_MSG_CHECKING([for CPUID instruction])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM(
@@ -1170,107 +1170,6 @@ AC_CHECK_MEMBER([struct _xmlURI.query_raw],
CFLAGS="$old_CFLAGS"
LIBS="$old_LIBS"
-dnl GnuTLS library
-AC_ARG_WITH([gnutls],
- [AS_HELP_STRING([--with-gnutls],
- [use GNUTLS for encryption @<:@default=check@:>@])],
- [],
- [with_gnutls=check])
-
-
-if test "x$with_gnutls" != "xno"; then
- if test "x$with_gnutls" != "xyes" && test
"x$with_gnutls" != "xcheck"; then
- GNUTLS_CFLAGS="-I$with_gnutls/include"
- GNUTLS_LIBS="-L$with_gnutls/lib"
- fi
- fail=0
- old_CFLAGS="$CFLAGS"
- old_LIBS="$LIBS"
- CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
- LIBS="$LIBS $GNUTLS_LIBS"
-
- GNUTLS_FOUND=no
- GNUTLS_GCRYPT=unknown
- if test -x "$PKG_CONFIG" ; then
- dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses
- dnl only nettle, and versions in between had a configure option.
- dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle,
- dnl but it is a safe fallback to use gcrypt if we can't prove anything.
- if $PKG_CONFIG --exists 'gnutls >= 3.0'; then
- GNUTLS_GCRYPT=no
- elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then
- GNUTLS_GCRYPT=probe
- else
- GNUTLS_GCRYPT=yes
- fi
- PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED,
- [GNUTLS_FOUND=yes], [GNUTLS_FOUND=no])
- fi
- if test "$GNUTLS_FOUND" = "no"; then
- dnl pkg-config couldn't help us, assume gcrypt is necessary
- fail=0
- GNUTLS_GCRYPT=yes
- AC_CHECK_HEADER([gnutls/gnutls.h], [], [fail=1])
- AC_CHECK_LIB([gnutls], [gnutls_handshake],[], [fail=1], [-lgcrypt])
-
- test $fail = 0 && GNUTLS_FOUND=yes
-
- GNUTLS_LIBS="$GNUTLS_LIBS -lgnutls"
- fi
- if test "$GNUTLS_FOUND" = "no"; then
- if test "$with_gnutls" = "check"; then
- with_gnutls=no
- GNUTLS_LIBS=
- GNUTLS_CFLAGS=
- else
- AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run
libvirt])
- fi
- else
- dnl See comments above about when to use gcrypt.
- if test "$GNUTLS_GCRYPT" = probe; then
- case `$PKG_CONFIG --libs --static gnutls` in
- *gcrypt*) GNUTLS_GCRYPT=yes ;;
- *nettle*) GNUTLS_GCRYPT=no ;;
- *) GNUTLS_GCRYPT=unknown ;;
- esac
- fi
- if test "$GNUTLS_GCRYPT" = yes || test "$GNUTLS_GCRYPT" =
unknown; then
- GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
- dnl We're not using gcrypt deprecated features so define
- dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
- GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
- AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1,
- [set to 1 if it is known or assumed that GNUTLS uses gcrypt])
- fi
-
- with_gnutls=yes
- fi
-
- dnl GNUTLS_CFLAGS and GNUTLS_LIBS have probably been updated above,
- dnl and we need the final values for function probing to work
- CFLAGS="$old_CFLAGS $GNUTLS_CFLAGS"
- LIBS="$old_LIBS $GNUTLS_LIBS"
-
- dnl gnutls 3.x moved some declarations to a new header
- AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[
- #include <gnutls/gnutls.h>
- ]])
-
- AC_CHECK_FUNCS([gnutls_rnd])
- AC_CHECK_FUNCS([gnutls_cipher_encrypt])
-
- CFLAGS="$old_CFLAGS"
- LIBS="$old_LIBS"
-fi
-
-if test "x$with_gnutls" = "xyes" ; then
- AC_DEFINE_UNQUOTED([WITH_GNUTLS], 1,
- [whether GNUTLS is available for encryption])
-fi
-AM_CONDITIONAL([WITH_GNUTLS], [test "x$with_gnutls" = "xyes"])
-AC_SUBST([GNUTLS_CFLAGS])
-AC_SUBST([GNUTLS_LIBS])
-
AC_ARG_WITH([tls-priority],
[AS_HELP_STRING([--with-tls-priority],
@@ -2799,6 +2698,7 @@ LIBVIRT_RESULT_UDEV
LIBVIRT_RESULT_WIRESHARK
LIBVIRT_RESULT_NSS
LIBVIRT_RESULT_YAJL
+LIBVIRT_RESULT_GNUTLS
AC_MSG_NOTICE([ libxml: $LIBXML_CFLAGS $LIBXML_LIBS])
AC_MSG_NOTICE([ dlopen: $DLOPEN_LIBS])
if test "$with_hyperv" = "yes" ; then
@@ -2806,11 +2706,6 @@ AC_MSG_NOTICE([openwsman: $OPENWSMAN_CFLAGS $OPENWSMAN_LIBS])
else
AC_MSG_NOTICE([openwsman: no])
fi
-if test "$with_gnutls" != "no" ; then
-AC_MSG_NOTICE([ gnutls: $GNUTLS_CFLAGS $GNUTLS_LIBS])
-else
-AC_MSG_NOTICE([ gnutls: no])
-fi
AC_MSG_NOTICE([firewalld: $with_firewalld])
if test "$with_polkit" = "yes" ; then
if test "$with_polkit0" = "yes" ; then
diff --git a/m4/virt-gnutls.m4 b/m4/virt-gnutls.m4
new file mode 100644
index 0000000..29490de
--- /dev/null
+++ b/m4/virt-gnutls.m4
@@ -0,0 +1,64 @@
+dnl The gnutls libgnutls.so library
+dnl
+dnl Copyright (C) 2016 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library. If not, see
+dnl <http://www.gnu.org/licenses/>;.
+dnl
+
+AC_DEFUN([LIBVIRT_CHECK_GNUTLS],[
+ LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [2.2.0])
+
+ dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses
+ dnl only nettle, and versions in between had a configure option.
+ dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle,
+ dnl but it is a safe fallback to use gcrypt if we can't prove anything.A
+
+ GNUTLS_GCRYPT=
+ if $PKG_CONFIG --exists 'gnutls >= 3.0'; then
+ GNUTLS_GCRYPT="no"
+ elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then
+ GNUTLS_GCRYPT="probe"
+ else
+ GNUTLS_GCRYPT="yes"
+ fi
+
+ if test "$GNUTLS_GCRYPT" = "probe"; then
+ case $($PKG_CONFIG --libs --static gnutls) in
+ *gcrypt*) GNUTLS_GCRYPT=yes ;;
+ *nettle*) GNUTLS_GCRYPT=no ;;
+ *) GNUTLS_GCRYPT=unknown ;;
+ esac
+ fi
+
+ if test "$GNUTLS_GCRYPT" = "yes" || test "$GNUTLS_GCRYPT"
= "unknown"; then
+ GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
+ dnl We're not using gcrypt deprecated features so define
+ dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
+ GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
+ AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1,
+ [set to 1 if it is known or assumed that GNUTLS uses gcrypt])
+ fi
+
+ AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[
+ #include <gnutls/gnutls.h>
+ ]])
+
+ AC_CHECK_FUNC([gnutls_rnd])
+ AC_CHECK_FUNC([gnutls_cipher_encrypt])
+])
+
+AC_DEFUN([LIBVIRT_RESULT_GNUTLS],[
+ LIBVIRT_RESULT_LIB([GNUTLS])
+])
--
2.10.1
5:34 p.m.
New subject: [libvirt] [PATCH 1/2] configure: move gnutls check into virt-gnutls.m4
On 10/24/2016 04:40 AM, Pavel Hrdina wrote:
Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
---
configure.ac | 109 +-----------------------------------------------------
m4/virt-gnutls.m4 | 64 ++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 107 deletions(-)
create mode 100644 m4/virt-gnutls.m4
I'm not quite sure what, but something in this change has broken
encrypted secret capabilities as the following API is not always
returning false...
bool
virCryptoHaveCipher(virCryptoCipher algorithm)
{
switch (algorithm) {
case VIR_CRYPTO_CIPHER_AES256CBC:
#ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
return true;
#else
return false;
#endif
...
Of course the virCryptoEncryptDataAESgntuls is also undefined.
In order to work around short term, if I use HAVE_GNUTLS_CRYPTO_H I can
at least get the API needed.
Just so you know I have a customer case which I'm trying to
resolve/debug that's impacted by this (naturally)!
I "hand bisected" back to
$ git co c290f216c47afbd4f3d1e082cdb98181675cd31e
$ ./autogen.sh --system
<lots of gnarly warnings about this omitted>
$ grep HAVE_GNUTLS config.log
| #define HAVE_GNUTLS_CRYPTO_H 1
| #define HAVE_GNUTLS_RND 1
| #define HAVE_GNUTLS_CIPHER_ENCRYPT 1
| #define HAVE_GNUTLS_CRYPTO_H 1
...
#define HAVE_GNUTLS_CRYPTO_H 1
#define HAVE_GNUTLS_RND 1
#define HAVE_GNUTLS_CIPHER_ENCRYPT 1
...
$ git co 680d2f49dad425395de627a31006cb84848cfa65
$ ./autogen.sh --system
<lots of stuff ommitted>
$ grep HAVE_GNUTLS config.log
| #define HAVE_GNUTLS_CRYPTO_H 1
...
#define HAVE_GNUTLS_CRYPTO_H 1
...
$
Note there's no HAVE_GNUTLS_CIPHER_ENCRYPT or HAVE_GNUTLS_RND
doing the similar process for some followup patches that seemed to be
related produced the same results
$ git co 0c62ccf927c60c9c248db52a23670ec2f9bce2b2
$ git co a55fdc3f251ab1800050505ac1e6158ee7535402
$ git co 943ddcb71205524fe2a34ca7a9b6cb3744a07555
Ironically the test for whether this functionality exists uses SKIP so
as to not cause failures for environments without the gnutls_cipher_encrypt
John
diff --git a/configure.ac b/configure.ac
index dfc536f..72bf7dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -117,7 +117,6 @@ fi
dnl Required minimum versions of all libs we depend on
LIBXML_REQUIRED="2.6.0"
-GNUTLS_REQUIRED="2.2.0"
POLKIT_REQUIRED="0.6"
PARTED_REQUIRED="1.8.0"
DEVMAPPER_REQUIRED=1.0.0
@@ -260,6 +259,7 @@ LIBVIRT_CHECK_UDEV
LIBVIRT_CHECK_WIRESHARK
LIBVIRT_CHECK_NSS
LIBVIRT_CHECK_YAJL
+LIBVIRT_CHECK_GNUTLS
AC_MSG_CHECKING([for CPUID instruction])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM(
@@ -1170,107 +1170,6 @@ AC_CHECK_MEMBER([struct _xmlURI.query_raw],
CFLAGS="$old_CFLAGS"
LIBS="$old_LIBS"
-dnl GnuTLS library
-AC_ARG_WITH([gnutls],
- [AS_HELP_STRING([--with-gnutls],
- [use GNUTLS for encryption @<:@default=check@:>@])],
- [],
- [with_gnutls=check])
-
-
-if test "x$with_gnutls" != "xno"; then
- if test "x$with_gnutls" != "xyes" && test
"x$with_gnutls" != "xcheck"; then
- GNUTLS_CFLAGS="-I$with_gnutls/include"
- GNUTLS_LIBS="-L$with_gnutls/lib"
- fi
- fail=0
- old_CFLAGS="$CFLAGS"
- old_LIBS="$LIBS"
- CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
- LIBS="$LIBS $GNUTLS_LIBS"
-
- GNUTLS_FOUND=no
- GNUTLS_GCRYPT=unknown
- if test -x "$PKG_CONFIG" ; then
- dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses
- dnl only nettle, and versions in between had a configure option.
- dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle,
- dnl but it is a safe fallback to use gcrypt if we can't prove anything.
- if $PKG_CONFIG --exists 'gnutls >= 3.0'; then
- GNUTLS_GCRYPT=no
- elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then
- GNUTLS_GCRYPT=probe
- else
- GNUTLS_GCRYPT=yes
- fi
- PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED,
- [GNUTLS_FOUND=yes], [GNUTLS_FOUND=no])
- fi
- if test "$GNUTLS_FOUND" = "no"; then
- dnl pkg-config couldn't help us, assume gcrypt is necessary
- fail=0
- GNUTLS_GCRYPT=yes
- AC_CHECK_HEADER([gnutls/gnutls.h], [], [fail=1])
- AC_CHECK_LIB([gnutls], [gnutls_handshake],[], [fail=1], [-lgcrypt])
-
- test $fail = 0 && GNUTLS_FOUND=yes
-
- GNUTLS_LIBS="$GNUTLS_LIBS -lgnutls"
- fi
- if test "$GNUTLS_FOUND" = "no"; then
- if test "$with_gnutls" = "check"; then
- with_gnutls=no
- GNUTLS_LIBS=
- GNUTLS_CFLAGS=
- else
- AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run
libvirt])
- fi
- else
- dnl See comments above about when to use gcrypt.
- if test "$GNUTLS_GCRYPT" = probe; then
- case `$PKG_CONFIG --libs --static gnutls` in
- *gcrypt*) GNUTLS_GCRYPT=yes ;;
- *nettle*) GNUTLS_GCRYPT=no ;;
- *) GNUTLS_GCRYPT=unknown ;;
- esac
- fi
- if test "$GNUTLS_GCRYPT" = yes || test "$GNUTLS_GCRYPT" =
unknown; then
- GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
- dnl We're not using gcrypt deprecated features so define
- dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
- GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
- AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1,
- [set to 1 if it is known or assumed that GNUTLS uses gcrypt])
- fi
-
- with_gnutls=yes
- fi
-
- dnl GNUTLS_CFLAGS and GNUTLS_LIBS have probably been updated above,
- dnl and we need the final values for function probing to work
- CFLAGS="$old_CFLAGS $GNUTLS_CFLAGS"
- LIBS="$old_LIBS $GNUTLS_LIBS"
-
- dnl gnutls 3.x moved some declarations to a new header
- AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[
- #include <gnutls/gnutls.h>
- ]])
-
- AC_CHECK_FUNCS([gnutls_rnd])
- AC_CHECK_FUNCS([gnutls_cipher_encrypt])
-
- CFLAGS="$old_CFLAGS"
- LIBS="$old_LIBS"
-fi
-
-if test "x$with_gnutls" = "xyes" ; then
- AC_DEFINE_UNQUOTED([WITH_GNUTLS], 1,
- [whether GNUTLS is available for encryption])
-fi
-AM_CONDITIONAL([WITH_GNUTLS], [test "x$with_gnutls" = "xyes"])
-AC_SUBST([GNUTLS_CFLAGS])
-AC_SUBST([GNUTLS_LIBS])
-
AC_ARG_WITH([tls-priority],
[AS_HELP_STRING([--with-tls-priority],
@@ -2799,6 +2698,7 @@ LIBVIRT_RESULT_UDEV
LIBVIRT_RESULT_WIRESHARK
LIBVIRT_RESULT_NSS
LIBVIRT_RESULT_YAJL
+LIBVIRT_RESULT_GNUTLS
AC_MSG_NOTICE([ libxml: $LIBXML_CFLAGS $LIBXML_LIBS])
AC_MSG_NOTICE([ dlopen: $DLOPEN_LIBS])
if test "$with_hyperv" = "yes" ; then
@@ -2806,11 +2706,6 @@ AC_MSG_NOTICE([openwsman: $OPENWSMAN_CFLAGS $OPENWSMAN_LIBS])
else
AC_MSG_NOTICE([openwsman: no])
fi
-if test "$with_gnutls" != "no" ; then
-AC_MSG_NOTICE([ gnutls: $GNUTLS_CFLAGS $GNUTLS_LIBS])
-else
-AC_MSG_NOTICE([ gnutls: no])
-fi
AC_MSG_NOTICE([firewalld: $with_firewalld])
if test "$with_polkit" = "yes" ; then
if test "$with_polkit0" = "yes" ; then
diff --git a/m4/virt-gnutls.m4 b/m4/virt-gnutls.m4
new file mode 100644
index 0000000..29490de
--- /dev/null
+++ b/m4/virt-gnutls.m4
@@ -0,0 +1,64 @@
+dnl The gnutls libgnutls.so library
+dnl
+dnl Copyright (C) 2016 Red Hat, Inc.
+dnl
+dnl This library is free software; you can redistribute it and/or
+dnl modify it under the terms of the GNU Lesser General Public
+dnl License as published by the Free Software Foundation; either
+dnl version 2.1 of the License, or (at your option) any later version.
+dnl
+dnl This library is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+dnl Lesser General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU Lesser General Public
+dnl License along with this library. If not, see
+dnl <http://www.gnu.org/licenses/>;.
+dnl
+
+AC_DEFUN([LIBVIRT_CHECK_GNUTLS],[
+ LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [2.2.0])
+
+ dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses
+ dnl only nettle, and versions in between had a configure option.
+ dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle,
+ dnl but it is a safe fallback to use gcrypt if we can't prove anything.A
+
+ GNUTLS_GCRYPT=
+ if $PKG_CONFIG --exists 'gnutls >= 3.0'; then
+ GNUTLS_GCRYPT="no"
+ elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then
+ GNUTLS_GCRYPT="probe"
+ else
+ GNUTLS_GCRYPT="yes"
+ fi
+
+ if test "$GNUTLS_GCRYPT" = "probe"; then
+ case $($PKG_CONFIG --libs --static gnutls) in
+ *gcrypt*) GNUTLS_GCRYPT=yes ;;
+ *nettle*) GNUTLS_GCRYPT=no ;;
+ *) GNUTLS_GCRYPT=unknown ;;
+ esac
+ fi
+
+ if test "$GNUTLS_GCRYPT" = "yes" || test
"$GNUTLS_GCRYPT" = "unknown"; then
+ GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
+ dnl We're not using gcrypt deprecated features so define
+ dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
+ GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
+ AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1,
+ [set to 1 if it is known or assumed that GNUTLS uses gcrypt])
+ fi
+
+ AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[
+ #include <gnutls/gnutls.h>
+ ]])
+
+ AC_CHECK_FUNC([gnutls_rnd])
+ AC_CHECK_FUNC([gnutls_cipher_encrypt])
+])
+
+AC_DEFUN([LIBVIRT_RESULT_GNUTLS],[
+ LIBVIRT_RESULT_LIB([GNUTLS])
+])
3:20 a.m.
New subject: [libvirt] [PATCH 1/2] configure: move gnutls check into virt-gnutls.m4
On Wed, Dec 21, 2016 at 06:34:05PM -0500, John Ferlan wrote:
On 10/24/2016 04:40 AM, Pavel Hrdina wrote:
> Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
> ---
> configure.ac | 109 +-----------------------------------------------------
> m4/virt-gnutls.m4 | 64 ++++++++++++++++++++++++++++++++
> 2 files changed, 66 insertions(+), 107 deletions(-)
> create mode 100644 m4/virt-gnutls.m4
>
I'm not quite sure what, but something in this change has broken
encrypted secret capabilities as the following API is not always
returning false...
bool
virCryptoHaveCipher(virCryptoCipher algorithm)
{
switch (algorithm) {
case VIR_CRYPTO_CIPHER_AES256CBC:
#ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
return true;
#else
return false;
#endif
...
Of course the virCryptoEncryptDataAESgntuls is also undefined.
In order to work around short term, if I use HAVE_GNUTLS_CRYPTO_H I can
at least get the API needed.
Just so you know I have a customer case which I'm trying to
resolve/debug that's impacted by this (naturally)!
I "hand bisected" back to
$ git co c290f216c47afbd4f3d1e082cdb98181675cd31e
$ ./autogen.sh --system
<lots of gnarly warnings about this omitted>
$ grep HAVE_GNUTLS config.log
| #define HAVE_GNUTLS_CRYPTO_H 1
| #define HAVE_GNUTLS_RND 1
| #define HAVE_GNUTLS_CIPHER_ENCRYPT 1
| #define HAVE_GNUTLS_CRYPTO_H 1
...
#define HAVE_GNUTLS_CRYPTO_H 1
#define HAVE_GNUTLS_RND 1
#define HAVE_GNUTLS_CIPHER_ENCRYPT 1
...
$ git co 680d2f49dad425395de627a31006cb84848cfa65
$ ./autogen.sh --system
<lots of stuff ommitted>
$ grep HAVE_GNUTLS config.log
| #define HAVE_GNUTLS_CRYPTO_H 1
...
#define HAVE_GNUTLS_CRYPTO_H 1
...
$
Note there's no HAVE_GNUTLS_CIPHER_ENCRYPT or HAVE_GNUTLS_RND
You'll be wanting this fix:
ommit 943ddcb71205524fe2a34ca7a9b6cb3744a07555
Author: Nikos Mavrogiannopoulos <nmav(a)redhat.com>
Date: Fri Nov 25 16:51:13 2016 +0100
virt-gnutls.m4: fixed check for gnutls_rnd and gnutls_cipher_encrypt
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
3:30 a.m.
New subject: [libvirt] [PATCH 1/2] configure: move gnutls check into virt-gnutls.m4
On Wed, Dec 21, 2016 at 06:34:05PM -0500, John Ferlan wrote:
On 10/24/2016 04:40 AM, Pavel Hrdina wrote:
> Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
> ---
> configure.ac | 109 +-----------------------------------------------------
> m4/virt-gnutls.m4 | 64 ++++++++++++++++++++++++++++++++
> 2 files changed, 66 insertions(+), 107 deletions(-)
> create mode 100644 m4/virt-gnutls.m4
>
I'm not quite sure what, but something in this change has broken
encrypted secret capabilities as the following API is not always
returning false...
bool
virCryptoHaveCipher(virCryptoCipher algorithm)
{
switch (algorithm) {
case VIR_CRYPTO_CIPHER_AES256CBC:
#ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
return true;
#else
return false;
#endif
...
Of course the virCryptoEncryptDataAESgntuls is also undefined.
In order to work around short term, if I use HAVE_GNUTLS_CRYPTO_H I can
at least get the API needed.
Just so you know I have a customer case which I'm trying to
resolve/debug that's impacted by this (naturally)!
I "hand bisected" back to
$ git co c290f216c47afbd4f3d1e082cdb98181675cd31e
$ ./autogen.sh --system
<lots of gnarly warnings about this omitted>
$ grep HAVE_GNUTLS config.log
| #define HAVE_GNUTLS_CRYPTO_H 1
| #define HAVE_GNUTLS_RND 1
| #define HAVE_GNUTLS_CIPHER_ENCRYPT 1
| #define HAVE_GNUTLS_CRYPTO_H 1
...
#define HAVE_GNUTLS_CRYPTO_H 1
#define HAVE_GNUTLS_RND 1
#define HAVE_GNUTLS_CIPHER_ENCRYPT 1
...
$ git co 680d2f49dad425395de627a31006cb84848cfa65
$ ./autogen.sh --system
<lots of stuff ommitted>
$ grep HAVE_GNUTLS config.log
| #define HAVE_GNUTLS_CRYPTO_H 1
...
#define HAVE_GNUTLS_CRYPTO_H 1
...
$
Note there's no HAVE_GNUTLS_CIPHER_ENCRYPT or HAVE_GNUTLS_RND
doing the similar process for some followup patches that seemed to be
related produced the same results
$ git co 0c62ccf927c60c9c248db52a23670ec2f9bce2b2
$ git co a55fdc3f251ab1800050505ac1e6158ee7535402
$ git co 943ddcb71205524fe2a34ca7a9b6cb3744a07555
Ironically the test for whether this functionality exists uses SKIP so
as to not cause failures for environments without the gnutls_cipher_encrypt
Hi John,
nice job with the analysis. The issue is with usage of AC_CHECK_FUNC and
AC_CHECK_FUNCS. I'll send a patch shortly.
Pavel
3:40 a.m.
New subject: [libvirt] [PATCH 2/2] m4/virt-gnutls: remove code for gnutls < 2.2.0
Commit d8a8af3492 changed the minimal required version of gnutls
so it's safe to remove the code for older versions.
Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
---
m4/virt-gnutls.m4 | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/m4/virt-gnutls.m4 b/m4/virt-gnutls.m4
index 29490de..9e8bfb1 100644
--- a/m4/virt-gnutls.m4
+++ b/m4/virt-gnutls.m4
@@ -20,18 +20,16 @@ dnl
AC_DEFUN([LIBVIRT_CHECK_GNUTLS],[
LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [2.2.0])
- dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses
- dnl only nettle, and versions in between had a configure option.
- dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle,
- dnl but it is a safe fallback to use gcrypt if we can't prove anything.A
+ dnl Double probe: gnutls >= 2.12 had a configure option for gcrypt and
+ dnl gnutls >= 3.0 uses only nettle. Our goal is to avoid gcrypt if we
+ dnl can prove gnutls uses nettle, but it is a safe fallback to use gcrypt
+ dnl if we can't prove anything.
GNUTLS_GCRYPT=
if $PKG_CONFIG --exists 'gnutls >= 3.0'; then
GNUTLS_GCRYPT="no"
- elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then
- GNUTLS_GCRYPT="probe"
else
- GNUTLS_GCRYPT="yes"
+ GNUTLS_GCRYPT="probe"
fi
if test "$GNUTLS_GCRYPT" = "probe"; then
--
2.10.1
4:51 p.m.
On 24.10.2016 16:39, Pavel Hrdina wrote:
Pavel Hrdina (2):
configure: move gnutls check into virt-gnutls.m4
m4/virt-gnutls: remove code for gnutls < 2.2.0
configure.ac | 109 +-----------------------------------------------------
m4/virt-gnutls.m4 | 62 +++++++++++++++++++++++++++++++
2 files changed, 64 insertions(+), 107 deletions(-)
create mode 100644 m4/virt-gnutls.m4
ACK, but I'm not sure this is a release material. Please push after it.
Michal
2891
days inactive
2950
days old
6 comments
4 participants
participants (4)
-
Daniel P. Berrange -
John Ferlan -
Michal Privoznik -
Pavel Hrdina