* [Qemu-devel] [PATCH 0/3] crypto: increase min required gnutls, gcrypt and nettle
@ 2018-07-18 12:03 Daniel P. Berrangé
  2018-07-18 12:03 ` [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU Daniel P. Berrangé
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Daniel P. Berrangé @ 2018-07-18 12:03 UTC (permalink / raw)
  To: qemu-devel

Since adopting a formal policy around supported build hosts, and
increasing the minimum required glib version, it is now possible to also
increase the min required versions for gnutls, gcrypt and nettle
libraries. This allows simplification of a bunch of conditional logic.

Daniel P. Berrangé (3):
  crypto: require gnutls >= 3.1.18 for building QEMU
  crypto: require libgcrypt >= 1.5.0 for building QEMU
  crypto: require nettle >= 1.5.0 for building QEMU

 configure                        | 161 ++++++++-----------------------
 crypto/Makefile.objs             |   8 +-
 crypto/init.c                    |  23 +----
 crypto/tlscredsx509.c            |  21 ----
 crypto/tlssession.c              |   8 +-
 tests/Makefile.include           |   2 +-
 tests/crypto-tls-x509-helpers.h  |   3 +-
 tests/test-crypto-block.c        |   2 +-
 tests/test-crypto-tlscredsx509.c |   8 +-
 9 files changed, 51 insertions(+), 185 deletions(-)

-- 
2.17.1


* [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU
  2018-07-18 12:03 [Qemu-devel] [PATCH 0/3] crypto: increase min required gnutls, gcrypt and nettle Daniel P. Berrangé
@ 2018-07-18 12:03 ` Daniel P. Berrangé
  2018-08-06 16:58   ` Eric Blake
  2018-07-18 12:03 ` [Qemu-devel] [PATCH 2/3] crypto: require libgcrypt >= 1.5.0 " Daniel P. Berrangé
  2018-07-18 12:03 ` [Qemu-devel] [PATCH 3/3] crypto: require nettle " Daniel P. Berrangé
  2 siblings, 1 reply; 8+ messages in thread
From: Daniel P. Berrangé @ 2018-07-18 12:03 UTC (permalink / raw)
  To: qemu-devel

gnutls 3.0.0 was released in 2011 and all the distros that are build
target platforms for QEMU [1] include it:

  RHEL-7: 3.1.18
  Debian (Stretch): 3.5.8
  Debian (Jessie): 3.3.8
  OpenBSD (ports): 3.5.18
  FreeBSD (ports): 3.5.18
  OpenSUSE Leap 15: 3.6.2
  Ubuntu (Xenial): 3.4.10
  macOS (Homebrew): 3.5.19

Based on this, it is reasonable to require gnutls >= 3.1.18 in QEMU
which allows for all conditional version checks in the code to be
removed.

[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 configure                        | 135 +++++++++----------------------
 crypto/Makefile.objs             |   4 +-
 crypto/init.c                    |  20 +----
 crypto/tlscredsx509.c            |  21 -----
 crypto/tlssession.c              |   8 +-
 tests/crypto-tls-x509-helpers.h  |   3 +-
 tests/test-crypto-tlscredsx509.c |   8 +-
 7 files changed, 46 insertions(+), 153 deletions(-)

diff --git a/configure b/configure
index 2a7796ea80..856cb07be5 100755
--- a/configure
+++ b/configure
@@ -456,7 +456,6 @@ gtkabi=""
 gtk_gl="no"
 tls_priority="NORMAL"
 gnutls=""
-gnutls_rnd=""
 nettle=""
 nettle_kdf="no"
 gcrypt=""
@@ -2675,79 +2674,28 @@ fi
 ##########################################
 # GNUTLS probe
 
-gnutls_works() {
-    # Unfortunately some distros have bad pkg-config information for gnutls
-    # such that it claims to exist but you get a compiler error if you try
-    # to use the options returned by --libs. Specifically, Ubuntu for --static
-    # builds doesn't work:
-    # https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1478035
-    #
-    # So sanity check the cflags/libs before assuming gnutls can be used.
-    if ! $pkg_config --exists "gnutls"; then
-        return 1
-    fi
-
-    write_c_skeleton
-    compile_prog "$($pkg_config --cflags gnutls)" "$($pkg_config --libs gnutls)"
-}
-
-gnutls_gcrypt=no
-gnutls_nettle=no
 if test "$gnutls" != "no"; then
-    if gnutls_works; then
+    if $pkg_config --exists "gnutls >= 3.1.18"; then
         gnutls_cflags=$($pkg_config --cflags gnutls)
         gnutls_libs=$($pkg_config --libs gnutls)
         libs_softmmu="$gnutls_libs $libs_softmmu"
         libs_tools="$gnutls_libs $libs_tools"
 	QEMU_CFLAGS="$QEMU_CFLAGS $gnutls_cflags"
         gnutls="yes"
-
-	# gnutls_rnd requires >= 2.11.0
-	if $pkg_config --exists "gnutls >= 2.11.0"; then
-	    gnutls_rnd="yes"
-	else
-	    gnutls_rnd="no"
-	fi
-
-	if $pkg_config --exists 'gnutls >= 3.0'; then
-	    gnutls_gcrypt=no
-	    gnutls_nettle=yes
-	elif $pkg_config --exists 'gnutls >= 2.12'; then
-	    case $($pkg_config --libs --static gnutls) in
-		*gcrypt*)
-		    gnutls_gcrypt=yes
-		    gnutls_nettle=no
-		    ;;
-		*nettle*)
-		    gnutls_gcrypt=no
-		    gnutls_nettle=yes
-		    ;;
-		*)
-		    gnutls_gcrypt=yes
-		    gnutls_nettle=no
-		    ;;
-	    esac
-	else
-	    gnutls_gcrypt=yes
-	    gnutls_nettle=no
-	fi
     elif test "$gnutls" = "yes"; then
-	feature_not_found "gnutls" "Install gnutls devel"
+	feature_not_found "gnutls" "Install gnutls devel >= 3.1.18"
     else
         gnutls="no"
-        gnutls_rnd="no"
     fi
-else
-    gnutls_rnd="no"
 fi
 
 
 # If user didn't give a --disable/enable-gcrypt flag,
 # then mark as disabled if user requested nettle
-# explicitly, or if gnutls links to nettle
+# explicitly
 if test -z "$gcrypt"
 then
-    if test "$nettle" = "yes" || test "$gnutls_nettle" = "yes"
+    if test "$nettle" = "yes"
     then
         gcrypt="no"
     fi
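Review bot: dropping gnutls_works() removes the only link-time sanity check in the GNUTLS probe; the replacement `$pkg_config --exists "gnutls >= 3.1.18"` only asks pkg-config and never runs compile_prog against `--cflags`/`--libs`, which the deleted comment says was added because some distros ship .pc files that claim gnutls exists but fail to link (the Ubuntu --static case). If that bug is believed fixed for gnutls 3, the commit message should say so; otherwise keep a `write_c_skeleton` plus `compile_prog "$gnutls_cflags" "$gnutls_libs"` after the version test and fall through to feature_not_found when it fails. Minor: the retained `feature_not_found "gnutls" "Install gnutls devel >= 3.1.18"` line is tab-indented while its neighbours use spaces.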
@@ -2755,10 +2703,10 @@ fi
 
 # If user didn't give a --disable/enable-nettle flag,
 # then mark as disabled if user requested gcrypt
-# explicitly, or if gnutls links to gcrypt
+# explicitly
 if test -z "$nettle"
 then
-    if test "$gcrypt" = "yes" || test "$gnutls_gcrypt" = "yes"
+    if test "$gcrypt" = "yes"
     then
         nettle="no"
     fi
@@ -2782,6 +2730,40 @@ has_libgcrypt_config() {
     return 0
 }
 
+
+if test "$nettle" != "no"; then
+    if $pkg_config --exists "nettle"; then
+        nettle_cflags=$($pkg_config --cflags nettle)
+        nettle_libs=$($pkg_config --libs nettle)
+        nettle_version=$($pkg_config --modversion nettle)
+        libs_softmmu="$nettle_libs $libs_softmmu"
+        libs_tools="$nettle_libs $libs_tools"
+        QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
+        nettle="yes"
+
+        cat > $TMPC << EOF
+#include <stddef.h>
+#include <nettle/pbkdf2.h>
+int main(void) {
+     pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
+     return 0;
+}
+EOF
+        if test -z "$gcrypt"; then
+           gcrypt="no"
+        fi
+        if compile_prog "$nettle_cflags" "$nettle_libs" ; then
+            nettle_kdf=yes
+        fi
+    else
+        if test "$nettle" = "yes"; then
+            feature_not_found "nettle" "Install nettle devel"
+        else
+            nettle="no"
+        fi
+    fi
+fi
+
 if test "$gcrypt" != "no"; then
     if has_libgcrypt_config; then
         gcrypt_cflags=$(libgcrypt-config --cflags)
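Review bot: the nettle probe is moved ahead of the gcrypt probe and gains `if test -z "$gcrypt"; then gcrypt="no"; fi`, and that ordering is what now keeps nettle preferred over gcrypt when neither --enable flag is given (the old preference came from gnutls_nettle=yes for gnutls >= 3.0, deleted in the earlier hunk); the commit message should mention this, since the diff reads as a plain block move. Also note the defaulting sits inside the pkg-config success branch, unlike the old gnutls_nettle rule which disabled gcrypt whenever gnutls >= 3.0 was found: a host with gnutls but no nettle now probes and can enable gcrypt where it previously ended up with neither backend. That looks like an improvement, but it is a behaviour change worth one sentence in the commit message.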
@@ -2797,9 +2779,6 @@ if test "$gcrypt" != "no"; then
         libs_tools="$gcrypt_libs $libs_tools"
         QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags"
         gcrypt="yes"
-        if test -z "$nettle"; then
-           nettle="no"
-        fi
 
         cat > $TMPC << EOF
 #include <gcrypt.h>
@@ -2836,36 +2815,6 @@ EOF
 fi
 
 
-if test "$nettle" != "no"; then
-    if $pkg_config --exists "nettle"; then
-        nettle_cflags=$($pkg_config --cflags nettle)
-        nettle_libs=$($pkg_config --libs nettle)
-        nettle_version=$($pkg_config --modversion nettle)
-        libs_softmmu="$nettle_libs $libs_softmmu"
-        libs_tools="$nettle_libs $libs_tools"
-        QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
-        nettle="yes"
-
-        cat > $TMPC << EOF
-#include <stddef.h>
-#include <nettle/pbkdf2.h>
-int main(void) {
-     pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
-     return 0;
-}
-EOF
-        if compile_prog "$nettle_cflags" "$nettle_libs" ; then
-            nettle_kdf=yes
-        fi
-    else
-        if test "$nettle" = "yes"; then
-            feature_not_found "nettle" "Install nettle devel"
-        else
-            nettle="no"
-        fi
-    fi
-fi
-
 if test "$gcrypt" = "yes" && test "$nettle" = "yes"
 then
     error_exit "Only one of gcrypt & nettle can be enabled"
@@ -5903,7 +5852,6 @@ echo "GTK GL support    $gtk_gl"
 echo "VTE support       $vte $(echo_version $vte $vteversion)"
 echo "TLS priority      $tls_priority"
 echo "GNUTLS support    $gnutls"
-echo "GNUTLS rnd        $gnutls_rnd"
 echo "libgcrypt         $gcrypt"
 echo "libgcrypt kdf     $gcrypt_kdf"
 echo "nettle            $nettle $(echo_version $nettle $nettle_version)"
@@ -6351,9 +6299,6 @@ echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak
 if test "$gnutls" = "yes" ; then
   echo "CONFIG_GNUTLS=y" >> $config_host_mak
 fi
-if test "$gnutls_rnd" = "yes" ; then
-  echo "CONFIG_GNUTLS_RND=y" >> $config_host_mak
-fi
 if test "$gcrypt" = "yes" ; then
   echo "CONFIG_GCRYPT=y" >> $config_host_mak
   if test "$gcrypt_hmac" = "yes" ; then
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index 756bab111b..a62cedaf36 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -20,8 +20,8 @@ crypto-obj-y += tlscredsx509.o
 crypto-obj-y += tlssession.o
 crypto-obj-y += secret.o
 crypto-obj-$(CONFIG_GCRYPT) += random-gcrypt.o
-crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS_RND)) += random-gnutls.o
-crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS_RND),n,y)) += random-platform.o
+crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
+crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o
 crypto-obj-y += pbkdf.o
 crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o
 crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) += pbkdf-gcrypt.o
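Review bot: random-gnutls.o and random-platform.o now key off CONFIG_GNUTLS instead of CONFIG_GNUTLS_RND and the configure hunk above stops emitting CONFIG_GNUTLS_RND, but no C source in this patch drops a `CONFIG_GNUTLS_RND` reference; please confirm with a grep that nothing else in the tree tests that symbol, since a leftover `#ifdef CONFIG_GNUTLS_RND` would now silently compile out rather than fail.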
diff --git a/crypto/init.c b/crypto/init.c
index f131c42306..10bf72463c 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -37,31 +37,13 @@
 /* #define DEBUG_GNUTLS */
 
 /*
- * If GNUTLS is built against GCrypt then
- *
- *  - When GNUTLS >= 2.12, we must not initialize gcrypt threading
- *    because GNUTLS will do that itself
- *  - When GNUTLS < 2.12 we must always initialize gcrypt threading
- *  - When GNUTLS is disabled we must always initialize gcrypt threading
- *
- * But....
- *
- *    When gcrypt >= 1.6.0 we must not initialize gcrypt threading
- *    because gcrypt will do that itself.
- *
- * So we need to init gcrypt threading if
+ * We need to init gcrypt threading if
  *
  *   - gcrypt < 1.6.0
- * AND
- *      - gnutls < 2.12
- *   OR
- *      - gnutls is disabled
  *
  */
 
 #if (defined(CONFIG_GCRYPT) &&                  \
-     (!defined(CONFIG_GNUTLS) ||                \
-     (LIBGNUTLS_VERSION_NUMBER < 0x020c00)) &&    \
      (!defined(GCRYPT_VERSION_NUMBER) ||        \
       (GCRYPT_VERSION_NUMBER < 0x010600)))
 #define QCRYPTO_INIT_GCRYPT_THREADS
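Review bot: the trimmed comment loses the explanation of why gcrypt >= 1.6.0 must not have its threading initialised by us (the deleted "because gcrypt will do that itself" line), leaving "We need to init gcrypt threading if - gcrypt < 1.6.0" with no rationale and a single-item bullet list; suggest collapsing it to one sentence that keeps the reason, e.g. "gcrypt >= 1.6.0 initialises its own threading, so we only do it for gcrypt < 1.6.0".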
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index 98ee0424e5..d6ab4a9862 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -72,14 +72,6 @@ qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
 }
 
 
-#if LIBGNUTLS_VERSION_NUMBER >= 2
-/*
- * The gnutls_x509_crt_get_basic_constraints function isn't
- * available in GNUTLS 1.0.x branches. This isn't critical
- * though, since gnutls_certificate_verify_peers2 will do
- * pretty much the same check at runtime, so we can just
- * disable this code
- */
 static int
 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
                                                gnutls_x509_crt_t cert,
@@ -130,7 +122,6 @@ qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
 
     return 0;
 }
-#endif
 
 
 static int
@@ -299,14 +290,12 @@ qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
         return -1;
     }
 
-#if LIBGNUTLS_VERSION_NUMBER >= 2
     if (qcrypto_tls_creds_check_cert_basic_constraints(creds,
                                                        cert, certFile,
                                                        isServer, isCA,
                                                        errp) < 0) {
         return -1;
     }
-#endif
 
     if (qcrypto_tls_creds_check_cert_key_usage(creds,
                                                cert, certFile,
@@ -615,7 +604,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
     }
 
     if (cert != NULL && key != NULL) {
-#if LIBGNUTLS_VERSION_NUMBER >= 0x030111
         char *password = NULL;
         if (creds->passwordid) {
             password = qcrypto_secret_lookup_as_utf8(creds->passwordid,
@@ -630,15 +618,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
                                                     password,
                                                     0);
         g_free(password);
-#else /* LIBGNUTLS_VERSION_NUMBER < 0x030111 */
-        if (creds->passwordid) {
-            error_setg(errp, "PKCS8 decryption requires GNUTLS >= 3.1.11");
-            goto cleanup;
-        }
-        ret = gnutls_certificate_set_x509_key_file(creds->data,
-                                                   cert, key,
-                                                   GNUTLS_X509_FMT_PEM);
-#endif
         if (ret < 0) {
             error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
                        cert, key, gnutls_strerror(ret));
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index 66a6fbe19c..2f28fa7f71 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -90,13 +90,7 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t len)
 }
 
 #define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH"
-
-#if GNUTLS_VERSION_MAJOR >= 3
-#define TLS_ECDHE_PSK "+ECDHE-PSK:"
-#else
-#define TLS_ECDHE_PSK ""
-#endif
-#define TLS_PRIORITY_ADDITIONAL_PSK TLS_ECDHE_PSK "+DHE-PSK:+PSK"
+#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK"
 
 QCryptoTLSSession *
 qcrypto_tls_session_new(QCryptoTLSCreds *creds,
diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h
index 921341c649..88c30d7c94 100644
--- a/tests/crypto-tls-x509-helpers.h
+++ b/tests/crypto-tls-x509-helpers.h
@@ -22,8 +22,7 @@
 #include <gnutls/x509.h>
 
 #if !(defined WIN32) && \
-    defined(CONFIG_TASN1) && \
-    (LIBGNUTLS_VERSION_NUMBER >= 0x020600)
+    defined(CONFIG_TASN1)
 # define QCRYPTO_HAVE_TLS_TEST_SUPPORT
 #endif
 
diff --git a/tests/test-crypto-tlscredsx509.c b/tests/test-crypto-tlscredsx509.c
index af2f80e89c..9bc45d4619 100644
--- a/tests/test-crypto-tlscredsx509.c
+++ b/tests/test-crypto-tlscredsx509.c
@@ -290,14 +290,8 @@ int main(int argc, char **argv)
                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                  0, 0);
 
-    /* Technically a CA cert with basic constraints
-     * key purpose == key signing + non-critical should
-     * be rejected. GNUTLS < 3.1 does not reject it and
-     * we don't anticipate them changing this behaviour
-     */
     TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename,
-                (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) ||
-                GNUTLS_VERSION_MAJOR > 3);
+                 true);
     TLS_TEST_REG(badca2, true,
                  cacert5req.filename, servercert5req.filename, true);
     TLS_TEST_REG(badca3, true,
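Review bot: the deleted comment was the only record of why badca1 is expected to be rejected (basic constraints with a non-critical key-signing purpose) and that the outcome depended on the gnutls version; with the expectation now hard-coded to `true` a one-line comment such as "GNUTLS >= 3.1 rejects a CA cert whose basic constraints are non-critical" would keep that rationale for the next reader without the version conditional.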
-- 
2.17.1


* [Qemu-devel] [PATCH 2/3] crypto: require libgcrypt >= 1.5.0 for building QEMU
  2018-07-18 12:03 [Qemu-devel] [PATCH 0/3] crypto: increase min required gnutls, gcrypt and nettle Daniel P. Berrangé
  2018-07-18 12:03 ` [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU Daniel P. Berrangé
@ 2018-07-18 12:03 ` Daniel P. Berrangé
  2018-08-06 18:01   ` Eric Blake
  2018-07-18 12:03 ` [Qemu-devel] [PATCH 3/3] crypto: require nettle " Daniel P. Berrangé
  2 siblings, 1 reply; 8+ messages in thread
From: Daniel P. Berrangé @ 2018-07-18 12:03 UTC (permalink / raw)
  To: qemu-devel

libgcrypt 1.5.0 was released in 2011 and all the distros that are build
target platforms for QEMU [1] include it:

  RHEL-7: 1.5.3
  Debian (Stretch): 1.7.6
  Debian (Jessie): 1.6.3
  OpenBSD (ports): 1.8.2
  FreeBSD (ports): 1.8.3
  OpenSUSE Leap 15: 1.8.2
  Ubuntu (Xenial): 1.6.5
  macOS (Homebrew): 1.8.3

Based on this, it is reasonable to require libgcrypt >= 1.5.0 in QEMU
which allows for some conditional version checks in the code to be
removed.

[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 configure                 | 32 +++++++++++---------------------
 crypto/Makefile.objs      |  2 +-
 crypto/init.c             |  3 +--
 tests/Makefile.include    |  2 +-
 tests/test-crypto-block.c |  2 +-
 5 files changed, 15 insertions(+), 26 deletions(-)

diff --git a/configure b/configure
index 856cb07be5..84c2f91a1f 100755
--- a/configure
+++ b/configure
@@ -460,7 +460,6 @@ nettle=""
 nettle_kdf="no"
 gcrypt=""
 gcrypt_hmac="no"
-gcrypt_kdf="no"
 vte=""
 virglrenderer=""
 tpm="yes"
@@ -2712,7 +2711,7 @@ then
     fi
 fi
 
-has_libgcrypt_config() {
+has_libgcrypt() {
     if ! has "libgcrypt-config"
     then
 	return 1
@@ -2727,6 +2726,14 @@ has_libgcrypt_config() {
 	fi
     fi
 
+    maj=`libgcrypt-config --version | awk -F . '{print $1}'`
+    min=`libgcrypt-config --version | awk -F . '{print $2}'`
+
+    if test $maj != 1 || test $min -lt 5
+    then
+       return 1
+    fi
+
     return 0
 }
 
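Review bot: the new major/minor test in has_libgcrypt() rejects any future libgcrypt 2.x (`test $maj != 1` returns 1 for maj=2), and because `$maj`/`$min` are unquoted, a blank or unexpected `libgcrypt-config --version` output becomes a `test` syntax error instead of a clean `return 1`. Suggest quoting and comparing numerically, e.g. `test "$maj" -gt 1 || { test "$maj" -eq 1 && test "$min" -ge 5; }`, returning 1 up front if either variable is empty, and using `$(...)` rather than backticks to match the neighbouring `gcrypt_cflags=$(libgcrypt-config --cflags)`. Also `maj` and `min` leak as global shell variables; a prefix such as `gcrypt_maj`/`gcrypt_min` avoids clobbering other probes.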
@@ -2765,7 +2772,7 @@ EOF
 fi
 
 if test "$gcrypt" != "no"; then
-    if has_libgcrypt_config; then
+    if has_libgcrypt; then
         gcrypt_cflags=$(libgcrypt-config --cflags)
         gcrypt_libs=$(libgcrypt-config --libs)
         # Debian has remove -lgpg-error from libgcrypt-config
@@ -2782,19 +2789,6 @@ if test "$gcrypt" != "no"; then
 
         cat > $TMPC << EOF
 #include <gcrypt.h>
-int main(void) {
-  gcry_kdf_derive(NULL, 0, GCRY_KDF_PBKDF2,
-                  GCRY_MD_SHA256,
-                  NULL, 0, 0, 0, NULL);
- return 0;
-}
-EOF
-        if compile_prog "$gcrypt_cflags" "$gcrypt_libs" ; then
-            gcrypt_kdf=yes
-        fi
-
-        cat > $TMPC << EOF
-#include <gcrypt.h>
 int main(void) {
   gcry_mac_hd_t handle;
   gcry_mac_open(&handle, GCRY_MAC_HMAC_MD5,
@@ -2807,7 +2801,7 @@ EOF
         fi
     else
         if test "$gcrypt" = "yes"; then
-            feature_not_found "gcrypt" "Install gcrypt devel"
+            feature_not_found "gcrypt" "Install gcrypt devel >= 1.5.0"
         else
             gcrypt="no"
         fi
@@ -5853,7 +5847,6 @@ echo "VTE support       $vte $(echo_version $vte $vteversion)"
 echo "TLS priority      $tls_priority"
 echo "GNUTLS support    $gnutls"
 echo "libgcrypt         $gcrypt"
-echo "libgcrypt kdf     $gcrypt_kdf"
 echo "nettle            $nettle $(echo_version $nettle $nettle_version)"
 echo "nettle kdf        $nettle_kdf"
 echo "libtasn1          $tasn1"
@@ -6304,9 +6297,6 @@ if test "$gcrypt" = "yes" ; then
   if test "$gcrypt_hmac" = "yes" ; then
     echo "CONFIG_GCRYPT_HMAC=y" >> $config_host_mak
   fi
-  if test "$gcrypt_kdf" = "yes" ; then
-    echo "CONFIG_GCRYPT_KDF=y" >> $config_host_mak
-  fi
 fi
 if test "$nettle" = "yes" ; then
   echo "CONFIG_NETTLE=y" >> $config_host_mak
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index a62cedaf36..6a908f51f5 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -24,7 +24,7 @@ crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
 crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o
 crypto-obj-y += pbkdf.o
 crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o
-crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) += pbkdf-gcrypt.o
+crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
 crypto-obj-y += ivgen.o
 crypto-obj-y += ivgen-essiv.o
 crypto-obj-y += ivgen-plain.o
diff --git a/crypto/init.c b/crypto/init.c
index 10bf72463c..c30156405a 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -44,8 +44,7 @@
  */
 
 #if (defined(CONFIG_GCRYPT) &&                  \
-     (!defined(GCRYPT_VERSION_NUMBER) ||        \
-      (GCRYPT_VERSION_NUMBER < 0x010600)))
+     (GCRYPT_VERSION_NUMBER < 0x010600))
 #define QCRYPTO_INIT_GCRYPT_THREADS
 #else
 #undef QCRYPTO_INIT_GCRYPT_THREADS
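Review bot: dropping the `!defined(GCRYPT_VERSION_NUMBER)` guard means this `#if` now relies on every supported gcrypt.h defining that macro; if a header did not, the preprocessor would evaluate the undefined name as 0, `0 < 0x010600` would hold and QCRYPTO_INIT_GCRYPT_THREADS would be defined, which is the conservative direction, so nothing breaks, but the commit message should state that the macro is present in all libgcrypt >= 1.5.0 headers so the simplification is visibly justified.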
diff --git a/tests/Makefile.include b/tests/Makefile.include
index a49282704e..3712de22cf 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -156,7 +156,7 @@ check-unit-$(CONFIG_GNUTLS) += tests/test-io-channel-tls$(EXESUF)
 check-unit-y += tests/test-io-channel-command$(EXESUF)
 check-unit-y += tests/test-io-channel-buffer$(EXESUF)
 check-unit-y += tests/test-base64$(EXESUF)
-check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT_KDF)) += tests/test-crypto-pbkdf$(EXESUF)
+check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT)) += tests/test-crypto-pbkdf$(EXESUF)
 check-unit-y += tests/test-crypto-ivgen$(EXESUF)
 check-unit-y += tests/test-crypto-afsplit$(EXESUF)
 check-unit-y += tests/test-crypto-xts$(EXESUF)
diff --git a/tests/test-crypto-block.c b/tests/test-crypto-block.c
index fd29a045d2..bd512cc79a 100644
--- a/tests/test-crypto-block.c
+++ b/tests/test-crypto-block.c
@@ -29,7 +29,7 @@
 #endif
 
 #if (defined(_WIN32) || defined RUSAGE_THREAD) && \
-    (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT_KDF))
+    (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT))
 #define TEST_LUKS
 #else
 #undef TEST_LUKS
-- 
2.17.1


* [Qemu-devel] [PATCH 3/3] crypto: require nettle >= 1.5.0 for building QEMU
  2018-07-18 12:03 [Qemu-devel] [PATCH 0/3] crypto: increase min required gnutls, gcrypt and nettle Daniel P. Berrangé
  2018-07-18 12:03 ` [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU Daniel P. Berrangé
  2018-07-18 12:03 ` [Qemu-devel] [PATCH 2/3] crypto: require libgcrypt >= 1.5.0 " Daniel P. Berrangé
@ 2018-07-18 12:03 ` Daniel P. Berrangé
  2018-08-06 18:02   ` Eric Blake
  2 siblings, 1 reply; 8+ messages in thread
From: Daniel P. Berrangé @ 2018-07-18 12:03 UTC (permalink / raw)
  To: qemu-devel

nettle 2.7.1 was released in 2013 and all the distros that are build
target platforms for QEMU [1] include it:

  RHEL-7: 2.7.1
  Debian (Stretch): 3.3
  Debian (Jessie): 2.7.1
  OpenBSD (ports): 3.4
  FreeBSD (ports): 3.4
  OpenSUSE Leap 15: 3.4
  Ubuntu (Xenial): 3.2
  macOS (Homebrew): 3.4

Based on this, it is reasonable to require nettle >= 2.7.1 in QEMU
which allows for some conditional version checks in the code to be
removed.

[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 configure                 | 20 ++------------------
 crypto/Makefile.objs      |  4 ++--
 tests/Makefile.include    |  2 +-
 tests/test-crypto-block.c |  2 +-
 4 files changed, 6 insertions(+), 22 deletions(-)

diff --git a/configure b/configure
index 84c2f91a1f..2e319a51c5 100755
--- a/configure
+++ b/configure
@@ -457,7 +457,6 @@ gtk_gl="no"
 tls_priority="NORMAL"
 gnutls=""
 nettle=""
-nettle_kdf="no"
 gcrypt=""
 gcrypt_hmac="no"
 vte=""
@@ -2739,7 +2738,7 @@ has_libgcrypt() {
 
 
 if test "$nettle" != "no"; then
-    if $pkg_config --exists "nettle"; then
+    if $pkg_config --exists "nettle >= 2.7.1"; then
         nettle_cflags=$($pkg_config --cflags nettle)
         nettle_libs=$($pkg_config --libs nettle)
         nettle_version=$($pkg_config --modversion nettle)
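Review bot: the minimum probed here, `nettle >= 2.7.1`, and the `feature_not_found ... >= 2.7.1` message in the next hunk match the commit body, but the patch subject and the cover-letter shortlog say "require nettle >= 1.5.0", which looks copied from the libgcrypt patch; please fix the subject to 2.7.1 before merging so the git log does not misstate the requirement.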
@@ -2748,23 +2747,12 @@ if test "$nettle" != "no"; then
         QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
         nettle="yes"
 
-        cat > $TMPC << EOF
-#include <stddef.h>
-#include <nettle/pbkdf2.h>
-int main(void) {
-     pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
-     return 0;
-}
-EOF
         if test -z "$gcrypt"; then
            gcrypt="no"
         fi
-        if compile_prog "$nettle_cflags" "$nettle_libs" ; then
-            nettle_kdf=yes
-        fi
     else
         if test "$nettle" = "yes"; then
-            feature_not_found "nettle" "Install nettle devel"
+            feature_not_found "nettle" "Install nettle devel >= 2.7.1"
         else
             nettle="no"
         fi
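Review bot: removing the pbkdf2_hmac_sha256 compile probe makes every CONFIG_NETTLE build also a KDF-capable build (the Makefile and test hunks below switch from CONFIG_NETTLE_KDF to CONFIG_NETTLE), so the series now depends on that symbol being present in every nettle >= 2.7.1; the commit message should name the nettle release that introduced pbkdf2_hmac_sha256 so the chosen minimum is visibly sufficient, since there is no longer any configure-time fallback if it is missing.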
@@ -5848,7 +5836,6 @@ echo "TLS priority      $tls_priority"
 echo "GNUTLS support    $gnutls"
 echo "libgcrypt         $gcrypt"
 echo "nettle            $nettle $(echo_version $nettle $nettle_version)"
-echo "nettle kdf        $nettle_kdf"
 echo "libtasn1          $tasn1"
 echo "curses support    $curses"
 echo "virgl support     $virglrenderer $(echo_version $virglrenderer $virgl_version)"
@@ -6301,9 +6288,6 @@ fi
 if test "$nettle" = "yes" ; then
   echo "CONFIG_NETTLE=y" >> $config_host_mak
   echo "CONFIG_NETTLE_VERSION_MAJOR=${nettle_version%%.*}" >> $config_host_mak
-  if test "$nettle_kdf" = "yes" ; then
-    echo "CONFIG_NETTLE_KDF=y" >> $config_host_mak
-  fi
 fi
 if test "$tasn1" = "yes" ; then
   echo "CONFIG_TASN1=y" >> $config_host_mak
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index 6a908f51f5..256c9aca1f 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -23,8 +23,8 @@ crypto-obj-$(CONFIG_GCRYPT) += random-gcrypt.o
 crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
 crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o
 crypto-obj-y += pbkdf.o
-crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o
-crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
+crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
+crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
 crypto-obj-y += ivgen.o
 crypto-obj-y += ivgen-essiv.o
 crypto-obj-y += ivgen-plain.o
diff --git a/tests/Makefile.include b/tests/Makefile.include
index 3712de22cf..9d7976ff62 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -156,7 +156,7 @@ check-unit-$(CONFIG_GNUTLS) += tests/test-io-channel-tls$(EXESUF)
 check-unit-y += tests/test-io-channel-command$(EXESUF)
 check-unit-y += tests/test-io-channel-buffer$(EXESUF)
 check-unit-y += tests/test-base64$(EXESUF)
-check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT)) += tests/test-crypto-pbkdf$(EXESUF)
+check-unit-$(if $(CONFIG_NETTLE),y,$(CONFIG_GCRYPT)) += tests/test-crypto-pbkdf$(EXESUF)
 check-unit-y += tests/test-crypto-ivgen$(EXESUF)
 check-unit-y += tests/test-crypto-afsplit$(EXESUF)
 check-unit-y += tests/test-crypto-xts$(EXESUF)
diff --git a/tests/test-crypto-block.c b/tests/test-crypto-block.c
index bd512cc79a..fae4ffc453 100644
--- a/tests/test-crypto-block.c
+++ b/tests/test-crypto-block.c
@@ -29,7 +29,7 @@
 #endif
 
 #if (defined(_WIN32) || defined RUSAGE_THREAD) && \
-    (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT))
+    (defined(CONFIG_NETTLE) || defined(CONFIG_GCRYPT))
 #define TEST_LUKS
 #else
 #undef TEST_LUKS
-- 
2.17.1


* Re: [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU
  2018-07-18 12:03 ` [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU Daniel P. Berrangé
@ 2018-08-06 16:58   ` Eric Blake
  2018-08-06 17:08     ` Daniel P. Berrangé
  0 siblings, 1 reply; 8+ messages in thread
From: Eric Blake @ 2018-08-06 16:58 UTC (permalink / raw)
  To: Daniel P. Berrangé, qemu-devel, Stefan Hajnoczi, Paolo Bonzini

On 07/18/2018 07:03 AM, Daniel P. Berrangé wrote:
> gnutls 3.0.0 was released in 2011 and all the distros that are build
> target platforms for QEMU [1] include it:
> 
>    RHEL-7: 3.1.18
>    Debian (Stretch): 3.5.8
>    Debian (Jessie): 3.3.8
>    OpenBSD (ports): 3.5.18
>    FreeBSD (ports): 3.5.18
>    OpenSUSE Leap 15: 3.6.2
>    Ubuntu (Xenial): 3.4.10
>    macOS (Homebrew): 3.5.19
> 
> Based on this, it is reasonable to require gnutls >= 3.1.18 in QEMU
> which allows for all conditional version checks in the code to be
> removed.

Looks reasonable.

> 
> [1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
> 

Any chance we can get http builds of the docs hosted directly on 
qemu.org someday?  But unrelated to your patch.

> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> @@ -2675,79 +2674,28 @@ fi
>   ##########################################
>   # GNUTLS probe
>   
> -gnutls_works() {
> -    # Unfortunately some distros have bad pkg-config information for gnutls
> -    # such that it claims to exist but you get a compiler error if you try
> -    # to use the options returned by --libs. Specifically, Ubuntu for --static
> -    # builds doesn't work:
> -    # https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1478035

This bug is still in state NEW, but targets Ubuntu 14.04 and "Package: 
libgnutls-dev 2.12.23-12ubuntu2.2", so is probably indeed old enough 
that it is hopefully a non-issue for gnutls > 3 in the versions of 
Ubuntu we specifically support. However, I'm not enough of an Ubuntu 
user myself to confirm whether things still work, so you'll probably 
want to collect additional R-b or Tested-by before accepting this for 
qemu 3.1.

Everything else looks clean to me, so

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org


* Re: [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU
  2018-08-06 16:58   ` Eric Blake
@ 2018-08-06 17:08     ` Daniel P. Berrangé
  0 siblings, 0 replies; 8+ messages in thread
From: Daniel P. Berrangé @ 2018-08-06 17:08 UTC (permalink / raw)
  To: Eric Blake; +Cc: qemu-devel, Stefan Hajnoczi, Paolo Bonzini

On Mon, Aug 06, 2018 at 11:58:41AM -0500, Eric Blake wrote:
> On 07/18/2018 07:03 AM, Daniel P. Berrangé wrote:
> > gnutls 3.0.0 was released in 2011 and all the distros that are build
> > target platforms for QEMU [1] include it:
> > 
> >    RHEL-7: 3.1.18
> >    Debian (Stretch): 3.5.8
> >    Debian (Jessie): 3.3.8
> >    OpenBSD (ports): 3.5.18
> >    FreeBSD (ports): 3.5.18
> >    OpenSUSE Leap 15: 3.6.2
> >    Ubuntu (Xenial): 3.4.10
> >    macOS (Homebrew): 3.5.19
> > 
> > Based on this, it is reasonable to require gnutls >= 3.1.18 in QEMU
> > which allows for all conditional version checks in the code to be
> > removed.
> 
> Looks reasonable.
> 
> > 
> > [1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
> > 
> 
> Any chance we can get http builds of the docs hosted directly on qemu.org
> someday?  But unrelated to your patch.
> 
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > @@ -2675,79 +2674,28 @@ fi
> >   ##########################################
> >   # GNUTLS probe
> > -gnutls_works() {
> > -    # Unfortunately some distros have bad pkg-config information for gnutls
> > -    # such that it claims to exist but you get a compiler error if you try
> > -    # to use the options returned by --libs. Specifically, Ubuntu for --static
> > -    # builds doesn't work:
> > -    # https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1478035
> 
> This bug is still in state NEW, but targets Ubuntu 14.04 and "Package:
> libgnutls-dev 2.12.23-12ubuntu2.2", so is probably indeed old enough that it
> is hopefully a non-issue for gnutls > 3 in the versions of Ubuntu we
> specifically support. However, I'm not enough of an Ubuntu user myself to
> confirm whether things still work, so you'll probably want to collect
> additional R-b or Tested-by before accepting this for qemu 3.1.

FYI, I checked the pkg-config file with gnutls 3 on ubuntu and it did not
appear to have the bug that existed in gnutls 2, so I believe removing
this cruft is safe.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|


* Re: [Qemu-devel] [PATCH 2/3] crypto: require libgcrypt >= 1.5.0 for building QEMU
  2018-07-18 12:03 ` [Qemu-devel] [PATCH 2/3] crypto: require libgcrypt >= 1.5.0 " Daniel P. Berrangé
@ 2018-08-06 18:01   ` Eric Blake
  0 siblings, 0 replies; 8+ messages in thread
From: Eric Blake @ 2018-08-06 18:01 UTC (permalink / raw)
  To: Daniel P. Berrangé, qemu-devel

On 07/18/2018 07:03 AM, Daniel P. Berrangé wrote:
> libgcrypt 1.5.0 was released in 2011 and all the distros that are build
> target platforms for QEMU [1] include it:
> 
>    RHEL-7: 1.5.3
>    Debian (Stretch): 1.7.6
>    Debian (Jessie): 1.6.3
>    OpenBSD (ports): 1.8.2
>    FreeBSD (ports): 1.8.3
>    OpenSUSE Leap 15: 1.8.2
>    Ubuntu (Xenial): 1.6.5
>    macOS (Homebrew): 1.8.3
> 
> Based on this, it is reasonable to require libgcrypt >= 1.5.0 in QEMU
> which allows for some conditional version checks in the code to be
> removed.
> 
> [1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org


* Re: [Qemu-devel] [PATCH 3/3] crypto: require nettle >= 1.5.0 for building QEMU
  2018-07-18 12:03 ` [Qemu-devel] [PATCH 3/3] crypto: require nettle " Daniel P. Berrangé
@ 2018-08-06 18:02   ` Eric Blake
  0 siblings, 0 replies; 8+ messages in thread
From: Eric Blake @ 2018-08-06 18:02 UTC (permalink / raw)
  To: Daniel P. Berrangé, qemu-devel

On 07/18/2018 07:03 AM, Daniel P. Berrangé wrote:
> nettle 2.7.1 was released in 2013 and all the distros that are build
> target platforms for QEMU [1] include it:
> 
>    RHEL-7: 2.7.1
>    Debian (Stretch): 3.3
>    Debian (Jessie): 2.7.1
>    OpenBSD (ports): 3.4
>    FreeBSD (ports): 3.4
>    OpenSUSE Leap 15: 3.4
>    Ubuntu (Xenial): 3.2
>    macOS (Homebrew): 3.4
> 
> Based on this, it is reasonable to require nettle >= 2.7.1 in QEMU
> which allows for some conditional version checks in the code to be
> removed.
> 
> [1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
