On 10/24/2016 04:40 AM, Pavel Hrdina wrote:

Signed-off-by: Pavel Hrdina <phrdina@redhat.com> --- configure.ac | 109 +----------------------------------------------------- m4/virt-gnutls.m4 | 64 ++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 107 deletions(-) create mode 100644 m4/virt-gnutls.m4

I'm not quite sure what, but something in this change has broken encrypted secret capabilities as the following API is not always returning false... bool virCryptoHaveCipher(virCryptoCipher algorithm) { switch (algorithm) { case VIR_CRYPTO_CIPHER_AES256CBC: #ifdef HAVE_GNUTLS_CIPHER_ENCRYPT return true; #else return false; #endif ... Of course the virCryptoEncryptDataAESgntuls is also undefined. In order to work around short term, if I use HAVE_GNUTLS_CRYPTO_H I can at least get the API needed. Just so you know I have a customer case which I'm trying to resolve/debug that's impacted by this (naturally)! I "hand bisected" back to $ git co c290f216c47afbd4f3d1e082cdb98181675cd31e $ ./autogen.sh --system <lots of gnarly warnings about this omitted> $ grep HAVE_GNUTLS config.log | #define HAVE_GNUTLS_CRYPTO_H 1 | #define HAVE_GNUTLS_RND 1 | #define HAVE_GNUTLS_CIPHER_ENCRYPT 1 | #define HAVE_GNUTLS_CRYPTO_H 1 ... #define HAVE_GNUTLS_CRYPTO_H 1 #define HAVE_GNUTLS_RND 1 #define HAVE_GNUTLS_CIPHER_ENCRYPT 1 ... $ git co 680d2f49dad425395de627a31006cb84848cfa65 $ ./autogen.sh --system <lots of stuff ommitted> $ grep HAVE_GNUTLS config.log | #define HAVE_GNUTLS_CRYPTO_H 1 ... #define HAVE_GNUTLS_CRYPTO_H 1 ... $ Note there's no HAVE_GNUTLS_CIPHER_ENCRYPT or HAVE_GNUTLS_RND doing the similar process for some followup patches that seemed to be related produced the same results $ git co 0c62ccf927c60c9c248db52a23670ec2f9bce2b2 $ git co a55fdc3f251ab1800050505ac1e6158ee7535402 $ git co 943ddcb71205524fe2a34ca7a9b6cb3744a07555 Ironically the test for whether this functionality exists uses SKIP so as to not cause failures for environments without the gnutls_cipher_encrypt John

diff --git a/configure.ac b/configure.ac index dfc536f..72bf7dd 100644 --- a/configure.ac +++ b/configure.ac @@ -117,7 +117,6 @@ fi

dnl Required minimum versions of all libs we depend on LIBXML_REQUIRED="2.6.0" -GNUTLS_REQUIRED="2.2.0" POLKIT_REQUIRED="0.6" PARTED_REQUIRED="1.8.0" DEVMAPPER_REQUIRED=1.0.0 @@ -260,6 +259,7 @@ LIBVIRT_CHECK_UDEV LIBVIRT_CHECK_WIRESHARK LIBVIRT_CHECK_NSS LIBVIRT_CHECK_YAJL +LIBVIRT_CHECK_GNUTLS

AC_MSG_CHECKING([for CPUID instruction]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM( @@ -1170,107 +1170,6 @@ AC_CHECK_MEMBER([struct _xmlURI.query_raw], CFLAGS="$old_CFLAGS" LIBS="$old_LIBS"

-dnl GnuTLS library -AC_ARG_WITH([gnutls], - [AS_HELP_STRING([--with-gnutls], - [use GNUTLS for encryption @<:@default=check@:>@])], - [], - [with_gnutls=check]) - - -if test "x$with_gnutls" != "xno"; then - if test "x$with_gnutls" != "xyes" && test "x$with_gnutls" != "xcheck"; then - GNUTLS_CFLAGS="-I$with_gnutls/include" - GNUTLS_LIBS="-L$with_gnutls/lib" - fi - fail=0 - old_CFLAGS="$CFLAGS" - old_LIBS="$LIBS" - CFLAGS="$CFLAGS $GNUTLS_CFLAGS" - LIBS="$LIBS $GNUTLS_LIBS" - - GNUTLS_FOUND=no - GNUTLS_GCRYPT=unknown - if test -x "$PKG_CONFIG" ; then - dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses - dnl only nettle, and versions in between had a configure option. - dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle, - dnl but it is a safe fallback to use gcrypt if we can't prove anything. - if $PKG_CONFIG --exists 'gnutls >= 3.0'; then - GNUTLS_GCRYPT=no - elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then - GNUTLS_GCRYPT=probe - else - GNUTLS_GCRYPT=yes - fi - PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED, - [GNUTLS_FOUND=yes], [GNUTLS_FOUND=no]) - fi - if test "$GNUTLS_FOUND" = "no"; then - dnl pkg-config couldn't help us, assume gcrypt is necessary - fail=0 - GNUTLS_GCRYPT=yes - AC_CHECK_HEADER([gnutls/gnutls.h], [], [fail=1]) - AC_CHECK_LIB([gnutls], [gnutls_handshake],[], [fail=1], [-lgcrypt]) - - test $fail = 0 && GNUTLS_FOUND=yes - - GNUTLS_LIBS="$GNUTLS_LIBS -lgnutls" - fi - if test "$GNUTLS_FOUND" = "no"; then - if test "$with_gnutls" = "check"; then - with_gnutls=no - GNUTLS_LIBS= - GNUTLS_CFLAGS= - else - AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run libvirt]) - fi - else - dnl See comments above about when to use gcrypt. - if test "$GNUTLS_GCRYPT" = probe; then - case `$PKG_CONFIG --libs --static gnutls` in - *gcrypt*) GNUTLS_GCRYPT=yes ;; - *nettle*) GNUTLS_GCRYPT=no ;; - *) GNUTLS_GCRYPT=unknown ;; - esac - fi - if test "$GNUTLS_GCRYPT" = yes || test "$GNUTLS_GCRYPT" = unknown; then - GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt" - dnl We're not using gcrypt deprecated features so define - dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings - GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED" - AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1, - [set to 1 if it is known or assumed that GNUTLS uses gcrypt]) - fi - - with_gnutls=yes - fi - - dnl GNUTLS_CFLAGS and GNUTLS_LIBS have probably been updated above, - dnl and we need the final values for function probing to work - CFLAGS="$old_CFLAGS $GNUTLS_CFLAGS" - LIBS="$old_LIBS $GNUTLS_LIBS" - - dnl gnutls 3.x moved some declarations to a new header - AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[ - #include <gnutls/gnutls.h> - ]]) - - AC_CHECK_FUNCS([gnutls_rnd]) - AC_CHECK_FUNCS([gnutls_cipher_encrypt]) - - CFLAGS="$old_CFLAGS" - LIBS="$old_LIBS" -fi - -if test "x$with_gnutls" = "xyes" ; then - AC_DEFINE_UNQUOTED([WITH_GNUTLS], 1, - [whether GNUTLS is available for encryption]) -fi -AM_CONDITIONAL([WITH_GNUTLS], [test "x$with_gnutls" = "xyes"]) -AC_SUBST([GNUTLS_CFLAGS]) -AC_SUBST([GNUTLS_LIBS]) -

AC_ARG_WITH([tls-priority], [AS_HELP_STRING([--with-tls-priority], @@ -2799,6 +2698,7 @@ LIBVIRT_RESULT_UDEV LIBVIRT_RESULT_WIRESHARK LIBVIRT_RESULT_NSS LIBVIRT_RESULT_YAJL +LIBVIRT_RESULT_GNUTLS AC_MSG_NOTICE([ libxml: $LIBXML_CFLAGS $LIBXML_LIBS]) AC_MSG_NOTICE([ dlopen: $DLOPEN_LIBS]) if test "$with_hyperv" = "yes" ; then @@ -2806,11 +2706,6 @@ AC_MSG_NOTICE([openwsman: $OPENWSMAN_CFLAGS $OPENWSMAN_LIBS]) else AC_MSG_NOTICE([openwsman: no]) fi -if test "$with_gnutls" != "no" ; then -AC_MSG_NOTICE([ gnutls: $GNUTLS_CFLAGS $GNUTLS_LIBS]) -else -AC_MSG_NOTICE([ gnutls: no]) -fi AC_MSG_NOTICE([firewalld: $with_firewalld]) if test "$with_polkit" = "yes" ; then if test "$with_polkit0" = "yes" ; then diff --git a/m4/virt-gnutls.m4 b/m4/virt-gnutls.m4 new file mode 100644 index 0000000..29490de --- /dev/null +++ b/m4/virt-gnutls.m4 @@ -0,0 +1,64 @@ +dnl The gnutls libgnutls.so library +dnl +dnl Copyright (C) 2016 Red Hat, Inc. +dnl +dnl This library is free software; you can redistribute it and/or +dnl modify it under the terms of the GNU Lesser General Public +dnl License as published by the Free Software Foundation; either +dnl version 2.1 of the License, or (at your option) any later version. +dnl +dnl This library is distributed in the hope that it will be useful, +dnl but WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +dnl Lesser General Public License for more details. +dnl +dnl You should have received a copy of the GNU Lesser General Public +dnl License along with this library. If not, see +dnl <http://www.gnu.org/licenses/>. +dnl + +AC_DEFUN([LIBVIRT_CHECK_GNUTLS],[ + LIBVIRT_CHECK_PKG([GNUTLS], [gnutls], [2.2.0]) + + dnl Triple probe: gnutls < 2.12 only used gcrypt, gnutls >= 3.0 uses + dnl only nettle, and versions in between had a configure option. + dnl Our goal is to avoid gcrypt if we can prove gnutls uses nettle, + dnl but it is a safe fallback to use gcrypt if we can't prove anything.A + + GNUTLS_GCRYPT= + if $PKG_CONFIG --exists 'gnutls >= 3.0'; then + GNUTLS_GCRYPT="no" + elif $PKG_CONFIG --exists 'gnutls >= 2.12'; then + GNUTLS_GCRYPT="probe" + else + GNUTLS_GCRYPT="yes" + fi + + if test "$GNUTLS_GCRYPT" = "probe"; then + case $($PKG_CONFIG --libs --static gnutls) in + *gcrypt*) GNUTLS_GCRYPT=yes ;; + *nettle*) GNUTLS_GCRYPT=no ;; + *) GNUTLS_GCRYPT=unknown ;; + esac + fi + + if test "$GNUTLS_GCRYPT" = "yes" || test "$GNUTLS_GCRYPT" = "unknown"; then + GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt" + dnl We're not using gcrypt deprecated features so define + dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings + GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED" + AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1, + [set to 1 if it is known or assumed that GNUTLS uses gcrypt]) + fi + + AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[ + #include <gnutls/gnutls.h> + ]]) + + AC_CHECK_FUNC([gnutls_rnd]) + AC_CHECK_FUNC([gnutls_cipher_encrypt]) +]) + +AC_DEFUN([LIBVIRT_RESULT_GNUTLS],[ + LIBVIRT_RESULT_LIB([GNUTLS]) +])