* [Qemu-devel] [PATCH 0/3] crypto: increase min required gnutls, gcrypt and nettle
From: Daniel P. Berrangé @ 2018-07-18 12:03 UTC
To: qemu-devel
Since adopting a formal policy around supported build hosts, and
increasing the minimum required glib version, it is now possible to also
increase the min required versions for gnutls, gcrypt and nettle
libraries. This allows simplification of a bunch of conditional logic.
Daniel P. Berrangé (3):
crypto: require gnutls >= 3.1.18 for building QEMU
crypto: require libgcrypt >= 1.5.0 for building QEMU
crypto: require nettle >= 1.5.0 for building QEMU
configure | 161 ++++++++-----------------------
crypto/Makefile.objs | 8 +-
crypto/init.c | 23 +----
crypto/tlscredsx509.c | 21 ----
crypto/tlssession.c | 8 +-
tests/Makefile.include | 2 +-
tests/crypto-tls-x509-helpers.h | 3 +-
tests/test-crypto-block.c | 2 +-
tests/test-crypto-tlscredsx509.c | 8 +-
9 files changed, 51 insertions(+), 185 deletions(-)
--
2.17.1
* [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU
From: Daniel P. Berrangé @ 2018-07-18 12:03 UTC
To: qemu-devel
gnutls 3.0.0 was released in 2011 and all the distros that are build
target platforms for QEMU [1] include it:
RHEL-7: 3.1.18
Debian (Stretch): 3.5.8
Debian (Jessie): 3.3.8
OpenBSD (ports): 3.5.18
FreeBSD (ports): 3.5.18
OpenSUSE Leap 15: 3.6.2
Ubuntu (Xenial): 3.4.10
macOS (Homebrew): 3.5.19
Based on this, it is reasonable to require gnutls >= 3.1.18 in QEMU
which allows for all conditional version checks in the code to be
removed.
[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
configure | 135 +++++++++----------------------
crypto/Makefile.objs | 4 +-
crypto/init.c | 20 +----
crypto/tlscredsx509.c | 21 -----
crypto/tlssession.c | 8 +-
tests/crypto-tls-x509-helpers.h | 3 +-
tests/test-crypto-tlscredsx509.c | 8 +-
7 files changed, 46 insertions(+), 153 deletions(-)
diff --git a/configure b/configure
index 2a7796ea80..856cb07be5 100755
--- a/configure
+++ b/configure
@@ -456,7 +456,6 @@ gtkabi=""
gtk_gl="no"
tls_priority="NORMAL"
gnutls=""
-gnutls_rnd=""
nettle=""
nettle_kdf="no"
gcrypt=""
@@ -2675,79 +2674,28 @@ fi
##########################################
# GNUTLS probe
-gnutls_works() {
- # Unfortunately some distros have bad pkg-config information for gnutls
- # such that it claims to exist but you get a compiler error if you try
- # to use the options returned by --libs. Specifically, Ubuntu for --static
- # builds doesn't work:
- # https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1478035
- #
- # So sanity check the cflags/libs before assuming gnutls can be used.
- if ! $pkg_config --exists "gnutls"; then
- return 1
- fi
-
- write_c_skeleton
- compile_prog "$($pkg_config --cflags gnutls)" "$($pkg_config --libs gnutls)"
-}
-
-gnutls_gcrypt=no
-gnutls_nettle=no
if test "$gnutls" != "no"; then
- if gnutls_works; then
+ if $pkg_config --exists "gnutls >= 3.1.18"; then
gnutls_cflags=$($pkg_config --cflags gnutls)
gnutls_libs=$($pkg_config --libs gnutls)
libs_softmmu="$gnutls_libs $libs_softmmu"
libs_tools="$gnutls_libs $libs_tools"
QEMU_CFLAGS="$QEMU_CFLAGS $gnutls_cflags"
gnutls="yes"
-
- # gnutls_rnd requires >= 2.11.0
- if $pkg_config --exists "gnutls >= 2.11.0"; then
- gnutls_rnd="yes"
- else
- gnutls_rnd="no"
- fi
-
- if $pkg_config --exists 'gnutls >= 3.0'; then
- gnutls_gcrypt=no
- gnutls_nettle=yes
- elif $pkg_config --exists 'gnutls >= 2.12'; then
- case $($pkg_config --libs --static gnutls) in
- *gcrypt*)
- gnutls_gcrypt=yes
- gnutls_nettle=no
- ;;
- *nettle*)
- gnutls_gcrypt=no
- gnutls_nettle=yes
- ;;
- *)
- gnutls_gcrypt=yes
- gnutls_nettle=no
- ;;
- esac
- else
- gnutls_gcrypt=yes
- gnutls_nettle=no
- fi
elif test "$gnutls" = "yes"; then
- feature_not_found "gnutls" "Install gnutls devel"
+ feature_not_found "gnutls" "Install gnutls devel >= 3.1.18"
else
gnutls="no"
- gnutls_rnd="no"
fi
-else
- gnutls_rnd="no"
fi
# If user didn't give a --disable/enable-gcrypt flag,
# then mark as disabled if user requested nettle
-# explicitly, or if gnutls links to nettle
+# explicitly
if test -z "$gcrypt"
then
- if test "$nettle" = "yes" || test "$gnutls_nettle" = "yes"
+ if test "$nettle" = "yes"
then
gcrypt="no"
fi
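Review bot: replacing gnutls_works() with a bare `$pkg_config --exists "gnutls >= 3.1.18"` drops the compile_prog sanity run over the --cflags/--libs output, which existed precisely because some distros ship pkg-config metadata that claims gnutls is usable when linking then fails; unless the version bump is known to make that obsolete on the supported hosts, keeping a `write_c_skeleton` + `compile_prog "$gnutls_cflags" "$gnutls_libs"` after the version check costs one compile and preserves the early, clear failure. While here, capturing `gnutls_version=$($pkg_config --modversion gnutls)` would let the configure summary print the detected version the way the nettle probe already does with `echo_version`.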
@@ -2755,10 +2703,10 @@ fi
# If user didn't give a --disable/enable-nettle flag,
# then mark as disabled if user requested gcrypt
-# explicitly, or if gnutls links to gcrypt
+# explicitly
if test -z "$nettle"
then
- if test "$gcrypt" = "yes" || test "$gnutls_gcrypt" = "yes"
+ if test "$gcrypt" = "yes"
then
nettle="no"
fi
@@ -2782,6 +2730,40 @@ has_libgcrypt_config() {
return 0
}
+
+if test "$nettle" != "no"; then
+ if $pkg_config --exists "nettle"; then
+ nettle_cflags=$($pkg_config --cflags nettle)
+ nettle_libs=$($pkg_config --libs nettle)
+ nettle_version=$($pkg_config --modversion nettle)
+ libs_softmmu="$nettle_libs $libs_softmmu"
+ libs_tools="$nettle_libs $libs_tools"
+ QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
+ nettle="yes"
+
+ cat > $TMPC << EOF
+#include <stddef.h>
+#include <nettle/pbkdf2.h>
+int main(void) {
+ pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
+ return 0;
+}
+EOF
+ if test -z "$gcrypt"; then
+ gcrypt="no"
+ fi
+ if compile_prog "$nettle_cflags" "$nettle_libs" ; then
+ nettle_kdf=yes
+ fi
+ else
+ if test "$nettle" = "yes"; then
+ feature_not_found "nettle" "Install nettle devel"
+ else
+ nettle="no"
+ fi
+ fi
+fi
+
if test "$gcrypt" != "no"; then
if has_libgcrypt_config; then
gcrypt_cflags=$(libgcrypt-config --cflags)
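Review bot: moving the nettle probe ahead of gcrypt and adding the `if test -z "$gcrypt"; then gcrypt="no"; fi` block when nettle is auto-detected flips the default preference on hosts that have both libraries: the gcrypt block used to set `nettle="no"` when it ran first (the lines removed in the next hunk), so such a host now silently builds against nettle instead of gcrypt. That is consistent with gnutls >= 3 linking against nettle (the case the removed `gnutls_nettle=yes` logic handled), but it is a user-visible change in the chosen backend and the commit message should state it.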
@@ -2797,9 +2779,6 @@ if test "$gcrypt" != "no"; then
libs_tools="$gcrypt_libs $libs_tools"
QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags"
gcrypt="yes"
- if test -z "$nettle"; then
- nettle="no"
- fi
cat > $TMPC << EOF
#include <gcrypt.h>
@@ -2836,36 +2815,6 @@ EOF
fi
-if test "$nettle" != "no"; then
- if $pkg_config --exists "nettle"; then
- nettle_cflags=$($pkg_config --cflags nettle)
- nettle_libs=$($pkg_config --libs nettle)
- nettle_version=$($pkg_config --modversion nettle)
- libs_softmmu="$nettle_libs $libs_softmmu"
- libs_tools="$nettle_libs $libs_tools"
- QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
- nettle="yes"
-
- cat > $TMPC << EOF
-#include <stddef.h>
-#include <nettle/pbkdf2.h>
-int main(void) {
- pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
- return 0;
-}
-EOF
- if compile_prog "$nettle_cflags" "$nettle_libs" ; then
- nettle_kdf=yes
- fi
- else
- if test "$nettle" = "yes"; then
- feature_not_found "nettle" "Install nettle devel"
- else
- nettle="no"
- fi
- fi
-fi
-
if test "$gcrypt" = "yes" && test "$nettle" = "yes"
then
error_exit "Only one of gcrypt & nettle can be enabled"
@@ -5903,7 +5852,6 @@ echo "GTK GL support $gtk_gl"
echo "VTE support $vte $(echo_version $vte $vteversion)"
echo "TLS priority $tls_priority"
echo "GNUTLS support $gnutls"
-echo "GNUTLS rnd $gnutls_rnd"
echo "libgcrypt $gcrypt"
echo "libgcrypt kdf $gcrypt_kdf"
echo "nettle $nettle $(echo_version $nettle $nettle_version)"
@@ -6351,9 +6299,6 @@ echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak
if test "$gnutls" = "yes" ; then
echo "CONFIG_GNUTLS=y" >> $config_host_mak
fi
-if test "$gnutls_rnd" = "yes" ; then
- echo "CONFIG_GNUTLS_RND=y" >> $config_host_mak
-fi
if test "$gcrypt" = "yes" ; then
echo "CONFIG_GCRYPT=y" >> $config_host_mak
if test "$gcrypt_hmac" = "yes" ; then
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index 756bab111b..a62cedaf36 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -20,8 +20,8 @@ crypto-obj-y += tlscredsx509.o
crypto-obj-y += tlssession.o
crypto-obj-y += secret.o
crypto-obj-$(CONFIG_GCRYPT) += random-gcrypt.o
-crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS_RND)) += random-gnutls.o
-crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS_RND),n,y)) += random-platform.o
+crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
+crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o
crypto-obj-y += pbkdf.o
crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o
crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) += pbkdf-gcrypt.o
diff --git a/crypto/init.c b/crypto/init.c
index f131c42306..10bf72463c 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -37,31 +37,13 @@
/* #define DEBUG_GNUTLS */
/*
- * If GNUTLS is built against GCrypt then
- *
- * - When GNUTLS >= 2.12, we must not initialize gcrypt threading
- * because GNUTLS will do that itself
- * - When GNUTLS < 2.12 we must always initialize gcrypt threading
- * - When GNUTLS is disabled we must always initialize gcrypt threading
- *
- * But....
- *
- * When gcrypt >= 1.6.0 we must not initialize gcrypt threading
- * because gcrypt will do that itself.
- *
- * So we need to init gcrypt threading if
+ * We need to init gcrypt threading if
*
* - gcrypt < 1.6.0
- * AND
- * - gnutls < 2.12
- * OR
- * - gnutls is disabled
*
*/
#if (defined(CONFIG_GCRYPT) && \
- (!defined(CONFIG_GNUTLS) || \
- (LIBGNUTLS_VERSION_NUMBER < 0x020c00)) && \
(!defined(GCRYPT_VERSION_NUMBER) || \
(GCRYPT_VERSION_NUMBER < 0x010600)))
#define QCRYPTO_INIT_GCRYPT_THREADS
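Review bot: the trimmed comment now reads "We need to init gcrypt threading if / * / * - gcrypt < 1.6.0 / *", with an empty bullet line on either side of a single condition, and it no longer records why the gnutls clause could go. One sentence saying that gnutls >= 3.0 links against nettle rather than gcrypt, so gnutls never initialises gcrypt threading on QEMU's behalf, keeps the rationale that the removed configure logic used to encode. The `!defined(GCRYPT_VERSION_NUMBER)` fallback left in the `#if` is fine here since patch 2/3 deals with it.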
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index 98ee0424e5..d6ab4a9862 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -72,14 +72,6 @@ qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
}
-#if LIBGNUTLS_VERSION_NUMBER >= 2
-/*
- * The gnutls_x509_crt_get_basic_constraints function isn't
- * available in GNUTLS 1.0.x branches. This isn't critical
- * though, since gnutls_certificate_verify_peers2 will do
- * pretty much the same check at runtime, so we can just
- * disable this code
- */
static int
qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
gnutls_x509_crt_t cert,
@@ -130,7 +122,6 @@ qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
return 0;
}
-#endif
static int
@@ -299,14 +290,12 @@ qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
return -1;
}
-#if LIBGNUTLS_VERSION_NUMBER >= 2
if (qcrypto_tls_creds_check_cert_basic_constraints(creds,
cert, certFile,
isServer, isCA,
errp) < 0) {
return -1;
}
-#endif
if (qcrypto_tls_creds_check_cert_key_usage(creds,
cert, certFile,
@@ -615,7 +604,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
}
if (cert != NULL && key != NULL) {
-#if LIBGNUTLS_VERSION_NUMBER >= 0x030111
char *password = NULL;
if (creds->passwordid) {
password = qcrypto_secret_lookup_as_utf8(creds->passwordid,
@@ -630,15 +618,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
password,
0);
g_free(password);
-#else /* LIBGNUTLS_VERSION_NUMBER < 0x030111 */
- if (creds->passwordid) {
- error_setg(errp, "PKCS8 decryption requires GNUTLS >= 3.1.11");
- goto cleanup;
- }
- ret = gnutls_certificate_set_x509_key_file(creds->data,
- cert, key,
- GNUTLS_X509_FMT_PEM);
-#endif
if (ret < 0) {
error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
cert, key, gnutls_strerror(ret));
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index 66a6fbe19c..2f28fa7f71 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -90,13 +90,7 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t len)
}
#define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH"
-
-#if GNUTLS_VERSION_MAJOR >= 3
-#define TLS_ECDHE_PSK "+ECDHE-PSK:"
-#else
-#define TLS_ECDHE_PSK ""
-#endif
-#define TLS_PRIORITY_ADDITIONAL_PSK TLS_ECDHE_PSK "+DHE-PSK:+PSK"
+#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK"
QCryptoTLSSession *
qcrypto_tls_session_new(QCryptoTLSCreds *creds,
diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h
index 921341c649..88c30d7c94 100644
--- a/tests/crypto-tls-x509-helpers.h
+++ b/tests/crypto-tls-x509-helpers.h
@@ -22,8 +22,7 @@
#include <gnutls/x509.h>
#if !(defined WIN32) && \
- defined(CONFIG_TASN1) && \
- (LIBGNUTLS_VERSION_NUMBER >= 0x020600)
+ defined(CONFIG_TASN1)
# define QCRYPTO_HAVE_TLS_TEST_SUPPORT
#endif
diff --git a/tests/test-crypto-tlscredsx509.c b/tests/test-crypto-tlscredsx509.c
index af2f80e89c..9bc45d4619 100644
--- a/tests/test-crypto-tlscredsx509.c
+++ b/tests/test-crypto-tlscredsx509.c
@@ -290,14 +290,8 @@ int main(int argc, char **argv)
true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
0, 0);
- /* Technically a CA cert with basic constraints
- * key purpose == key signing + non-critical should
- * be rejected. GNUTLS < 3.1 does not reject it and
- * we don't anticipate them changing this behaviour
- */
TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename,
- (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) ||
- GNUTLS_VERSION_MAJOR > 3);
+ true);
TLS_TEST_REG(badca2, true,
cacert5req.filename, servercert5req.filename, true);
TLS_TEST_REG(badca3, true,
--
2.17.1
* [Qemu-devel] [PATCH 2/3] crypto: require libgcrypt >= 1.5.0 for building QEMU
From: Daniel P. Berrangé @ 2018-07-18 12:03 UTC
To: qemu-devel
libgcrypt 1.5.0 was released in 2011 and all the distros that are build
target platforms for QEMU [1] include it:
RHEL-7: 1.5.3
Debian (Stretch): 1.7.6
Debian (Jessie): 1.6.3
OpenBSD (ports): 1.8.2
FreeBSD (ports): 1.8.3
OpenSUSE Leap 15: 1.8.2
Ubuntu (Xenial): 1.6.5
macOS (Homebrew): 1.8.3
Based on this, it is reasonable to require libgcrypt >= 1.5.0 in QEMU
which allows for some conditional version checks in the code to be
removed.
[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
configure | 32 +++++++++++---------------------
crypto/Makefile.objs | 2 +-
crypto/init.c | 3 +--
tests/Makefile.include | 2 +-
tests/test-crypto-block.c | 2 +-
5 files changed, 15 insertions(+), 26 deletions(-)
diff --git a/configure b/configure
index 856cb07be5..84c2f91a1f 100755
--- a/configure
+++ b/configure
@@ -460,7 +460,6 @@ nettle=""
nettle_kdf="no"
gcrypt=""
gcrypt_hmac="no"
-gcrypt_kdf="no"
vte=""
virglrenderer=""
tpm="yes"
@@ -2712,7 +2711,7 @@ then
fi
fi
-has_libgcrypt_config() {
+has_libgcrypt() {
if ! has "libgcrypt-config"
then
return 1
@@ -2727,6 +2726,14 @@ has_libgcrypt_config() {
fi
fi
+ maj=`libgcrypt-config --version | awk -F . '{print $1}'`
+ min=`libgcrypt-config --version | awk -F . '{print $2}'`
+
+ if test $maj != 1 || test $min -lt 5
+ then
+ return 1
+ fi
+
return 0
}
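Review bot: the new version check leaves `$maj` and `$min` unquoted in `test $maj != 1 || test $min -lt 5`; if `libgcrypt-config --version` prints nothing or a non-numeric string, `test` aborts with a syntax or "integer expression expected" error instead of the clean `return 1` the function is meant to give. Quote the expansions (`test "$maj" != 1 || test "$min" -lt 5`), run `libgcrypt-config --version` once into a variable rather than twice, and use `$(...)` as the neighbouring `gcrypt_cflags=$(libgcrypt-config --cflags)` line does instead of backticks; the captured string could also feed `echo_version` in the summary.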
@@ -2765,7 +2772,7 @@ EOF
fi
if test "$gcrypt" != "no"; then
- if has_libgcrypt_config; then
+ if has_libgcrypt; then
gcrypt_cflags=$(libgcrypt-config --cflags)
gcrypt_libs=$(libgcrypt-config --libs)
# Debian has remove -lgpg-error from libgcrypt-config
@@ -2782,19 +2789,6 @@ if test "$gcrypt" != "no"; then
cat > $TMPC << EOF
#include <gcrypt.h>
-int main(void) {
- gcry_kdf_derive(NULL, 0, GCRY_KDF_PBKDF2,
- GCRY_MD_SHA256,
- NULL, 0, 0, 0, NULL);
- return 0;
-}
-EOF
- if compile_prog "$gcrypt_cflags" "$gcrypt_libs" ; then
- gcrypt_kdf=yes
- fi
-
- cat > $TMPC << EOF
-#include <gcrypt.h>
int main(void) {
gcry_mac_hd_t handle;
gcry_mac_open(&handle, GCRY_MAC_HMAC_MD5,
@@ -2807,7 +2801,7 @@ EOF
fi
else
if test "$gcrypt" = "yes"; then
- feature_not_found "gcrypt" "Install gcrypt devel"
+ feature_not_found "gcrypt" "Install gcrypt devel >= 1.5.0"
else
gcrypt="no"
fi
@@ -5853,7 +5847,6 @@ echo "VTE support $vte $(echo_version $vte $vteversion)"
echo "TLS priority $tls_priority"
echo "GNUTLS support $gnutls"
echo "libgcrypt $gcrypt"
-echo "libgcrypt kdf $gcrypt_kdf"
echo "nettle $nettle $(echo_version $nettle $nettle_version)"
echo "nettle kdf $nettle_kdf"
echo "libtasn1 $tasn1"
@@ -6304,9 +6297,6 @@ if test "$gcrypt" = "yes" ; then
if test "$gcrypt_hmac" = "yes" ; then
echo "CONFIG_GCRYPT_HMAC=y" >> $config_host_mak
fi
- if test "$gcrypt_kdf" = "yes" ; then
- echo "CONFIG_GCRYPT_KDF=y" >> $config_host_mak
- fi
fi
if test "$nettle" = "yes" ; then
echo "CONFIG_NETTLE=y" >> $config_host_mak
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index a62cedaf36..6a908f51f5 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -24,7 +24,7 @@ crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o
crypto-obj-y += pbkdf.o
crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o
-crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) += pbkdf-gcrypt.o
+crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
crypto-obj-y += ivgen.o
crypto-obj-y += ivgen-essiv.o
crypto-obj-y += ivgen-plain.o
diff --git a/crypto/init.c b/crypto/init.c
index 10bf72463c..c30156405a 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -44,8 +44,7 @@
*/
#if (defined(CONFIG_GCRYPT) && \
- (!defined(GCRYPT_VERSION_NUMBER) || \
- (GCRYPT_VERSION_NUMBER < 0x010600)))
+ (GCRYPT_VERSION_NUMBER < 0x010600))
#define QCRYPTO_INIT_GCRYPT_THREADS
#else
#undef QCRYPTO_INIT_GCRYPT_THREADS
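Review bot: dropping `!defined(GCRYPT_VERSION_NUMBER)` only matches the stated intent if every libgcrypt that passes the new >= 1.5.0 configure check actually defines that macro, and the commit message does not say so; that guarantee is the real justification for this hunk and deserves a sentence. Behaviour is unchanged for a header that lacked it (an undefined identifier evaluates to 0 in `#if`, so `0 < 0x010600` still enables the threading init), but the preprocessor would then be comparing an undefined macro, which `-Wundef` reports.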
diff --git a/tests/Makefile.include b/tests/Makefile.include
index a49282704e..3712de22cf 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -156,7 +156,7 @@ check-unit-$(CONFIG_GNUTLS) += tests/test-io-channel-tls$(EXESUF)
check-unit-y += tests/test-io-channel-command$(EXESUF)
check-unit-y += tests/test-io-channel-buffer$(EXESUF)
check-unit-y += tests/test-base64$(EXESUF)
-check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT_KDF)) += tests/test-crypto-pbkdf$(EXESUF)
+check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT)) += tests/test-crypto-pbkdf$(EXESUF)
check-unit-y += tests/test-crypto-ivgen$(EXESUF)
check-unit-y += tests/test-crypto-afsplit$(EXESUF)
check-unit-y += tests/test-crypto-xts$(EXESUF)
diff --git a/tests/test-crypto-block.c b/tests/test-crypto-block.c
index fd29a045d2..bd512cc79a 100644
--- a/tests/test-crypto-block.c
+++ b/tests/test-crypto-block.c
@@ -29,7 +29,7 @@
#endif
#if (defined(_WIN32) || defined RUSAGE_THREAD) && \
- (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT_KDF))
+ (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT))
#define TEST_LUKS
#else
#undef TEST_LUKS
--
2.17.1
* [Qemu-devel] [PATCH 3/3] crypto: require nettle >= 1.5.0 for building QEMU
From: Daniel P. Berrangé @ 2018-07-18 12:03 UTC
To: qemu-devel
nettle 2.7.1 was released in 2013 and all the distros that are build
target platforms for QEMU [1] include it:
RHEL-7: 2.7.1
Debian (Stretch): 3.3
Debian (Jessie): 2.7.1
OpenBSD (ports): 3.4
FreeBSD (ports): 3.4
OpenSUSE Leap 15: 3.4
Ubuntu (Xenial): 3.2
macOS (Homebrew): 3.4
Based on this, it is reasonable to require nettle >= 2.7.1 in QEMU
which allows for some conditional version checks in the code to be
removed.
[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
configure | 20 ++------------------
crypto/Makefile.objs | 4 ++--
tests/Makefile.include | 2 +-
tests/test-crypto-block.c | 2 +-
4 files changed, 6 insertions(+), 22 deletions(-)
diff --git a/configure b/configure
index 84c2f91a1f..2e319a51c5 100755
--- a/configure
+++ b/configure
@@ -457,7 +457,6 @@ gtk_gl="no"
tls_priority="NORMAL"
gnutls=""
nettle=""
-nettle_kdf="no"
gcrypt=""
gcrypt_hmac="no"
vte=""
@@ -2739,7 +2738,7 @@ has_libgcrypt() {
if test "$nettle" != "no"; then
- if $pkg_config --exists "nettle"; then
+ if $pkg_config --exists "nettle >= 2.7.1"; then
nettle_cflags=$($pkg_config --cflags nettle)
nettle_libs=$($pkg_config --libs nettle)
nettle_version=$($pkg_config --modversion nettle)
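Review bot: the subject line of this patch says "nettle >= 1.5.0", but the check added here (`$pkg_config --exists "nettle >= 2.7.1"`), the `feature_not_found` message in the next hunk and the commit body all say 2.7.1; the subject looks copied from the libgcrypt patch and should be corrected before this is merged, since it is what ends up in the git log.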
@@ -2748,23 +2747,12 @@ if test "$nettle" != "no"; then
QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
nettle="yes"
- cat > $TMPC << EOF
-#include <stddef.h>
-#include <nettle/pbkdf2.h>
-int main(void) {
- pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
- return 0;
-}
-EOF
if test -z "$gcrypt"; then
gcrypt="no"
fi
- if compile_prog "$nettle_cflags" "$nettle_libs" ; then
- nettle_kdf=yes
- fi
else
if test "$nettle" = "yes"; then
- feature_not_found "nettle" "Install nettle devel"
+ feature_not_found "nettle" "Install nettle devel >= 2.7.1"
else
nettle="no"
fi
@@ -5848,7 +5836,6 @@ echo "TLS priority $tls_priority"
echo "GNUTLS support $gnutls"
echo "libgcrypt $gcrypt"
echo "nettle $nettle $(echo_version $nettle $nettle_version)"
-echo "nettle kdf $nettle_kdf"
echo "libtasn1 $tasn1"
echo "curses support $curses"
echo "virgl support $virglrenderer $(echo_version $virglrenderer $virgl_version)"
@@ -6301,9 +6288,6 @@ fi
if test "$nettle" = "yes" ; then
echo "CONFIG_NETTLE=y" >> $config_host_mak
echo "CONFIG_NETTLE_VERSION_MAJOR=${nettle_version%%.*}" >> $config_host_mak
- if test "$nettle_kdf" = "yes" ; then
- echo "CONFIG_NETTLE_KDF=y" >> $config_host_mak
- fi
fi
if test "$tasn1" = "yes" ; then
echo "CONFIG_TASN1=y" >> $config_host_mak
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index 6a908f51f5..256c9aca1f 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -23,8 +23,8 @@ crypto-obj-$(CONFIG_GCRYPT) += random-gcrypt.o
crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o
crypto-obj-y += pbkdf.o
-crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o
-crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
+crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
+crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
crypto-obj-y += ivgen.o
crypto-obj-y += ivgen-essiv.o
crypto-obj-y += ivgen-plain.o
diff --git a/tests/Makefile.include b/tests/Makefile.include
index 3712de22cf..9d7976ff62 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -156,7 +156,7 @@ check-unit-$(CONFIG_GNUTLS) += tests/test-io-channel-tls$(EXESUF)
check-unit-y += tests/test-io-channel-command$(EXESUF)
check-unit-y += tests/test-io-channel-buffer$(EXESUF)
check-unit-y += tests/test-base64$(EXESUF)
-check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT)) += tests/test-crypto-pbkdf$(EXESUF)
+check-unit-$(if $(CONFIG_NETTLE),y,$(CONFIG_GCRYPT)) += tests/test-crypto-pbkdf$(EXESUF)
check-unit-y += tests/test-crypto-ivgen$(EXESUF)
check-unit-y += tests/test-crypto-afsplit$(EXESUF)
check-unit-y += tests/test-crypto-xts$(EXESUF)
diff --git a/tests/test-crypto-block.c b/tests/test-crypto-block.c
index bd512cc79a..fae4ffc453 100644
--- a/tests/test-crypto-block.c
+++ b/tests/test-crypto-block.c
@@ -29,7 +29,7 @@
#endif
#if (defined(_WIN32) || defined RUSAGE_THREAD) && \
- (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT))
+ (defined(CONFIG_NETTLE) || defined(CONFIG_GCRYPT))
#define TEST_LUKS
#else
#undef TEST_LUKS
--
2.17.1
* Re: [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU
From: Eric Blake @ 2018-08-06 16:58 UTC
To: Daniel P. Berrangé, qemu-devel, Stefan Hajnoczi, Paolo Bonzini
On 07/18/2018 07:03 AM, Daniel P. Berrangé wrote:
> gnutls 3.0.0 was released in 2011 and all the distros that are build
> target platforms for QEMU [1] include it:
>
> RHEL-7: 3.1.18
> Debian (Stretch): 3.5.8
> Debian (Jessie): 3.3.8
> OpenBSD (ports): 3.5.18
> FreeBSD (ports): 3.5.18
> OpenSUSE Leap 15: 3.6.2
> Ubuntu (Xenial): 3.4.10
> macOS (Homebrew): 3.5.19
>
> Based on this, it is reasonable to require gnutls >= 3.1.18 in QEMU
> which allows for all conditional version checks in the code to be
> removed.
Looks reasonable.
>
> [1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
>
Any chance we can get http builds of the docs hosted directly on
qemu.org someday? But unrelated to your patch.
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> @@ -2675,79 +2674,28 @@ fi
> ##########################################
> # GNUTLS probe
>
> -gnutls_works() {
> - # Unfortunately some distros have bad pkg-config information for gnutls
> - # such that it claims to exist but you get a compiler error if you try
> - # to use the options returned by --libs. Specifically, Ubuntu for --static
> - # builds doesn't work:
> - # https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1478035
This bug is still in state NEW, but targets Ubuntu 14.04 and "Package:
libgnutls-dev 2.12.23-12ubuntu2.2", so is probably indeed old enough
that it is hopefully a non-issue for gnutls > 3 in the versions of
Ubuntu we specifically support. However, I'm not enough of an Ubuntu
user myself to confirm whether things still work, so you'll probably
want to collect additional R-b or Tested-by before accepting this for
qemu 3.1.
Everything else looks clean to me, so
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
* Re: [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU
From: Daniel P. Berrangé @ 2018-08-06 17:08 UTC
To: Eric Blake; +Cc: qemu-devel, Stefan Hajnoczi, Paolo Bonzini
On Mon, Aug 06, 2018 at 11:58:41AM -0500, Eric Blake wrote:
> On 07/18/2018 07:03 AM, Daniel P. Berrangé wrote:
> > gnutls 3.0.0 was released in 2011 and all the distros that are build
> > target platforms for QEMU [1] include it:
> >
> > RHEL-7: 3.1.18
> > Debian (Stretch): 3.5.8
> > Debian (Jessie): 3.3.8
> > OpenBSD (ports): 3.5.18
> > FreeBSD (ports): 3.5.18
> > OpenSUSE Leap 15: 3.6.2
> > Ubuntu (Xenial): 3.4.10
> > macOS (Homebrew): 3.5.19
> >
> > Based on this, it is reasonable to require gnutls >= 3.1.18 in QEMU
> > which allows for all conditional version checks in the code to be
> > removed.
>
> Looks reasonable.
>
> >
> > [1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
> >
>
> Any chance we can get http builds of the docs hosted directly on qemu.org
> someday? But unrelated to your patch.
>
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > @@ -2675,79 +2674,28 @@ fi
> > ##########################################
> > # GNUTLS probe
> > -gnutls_works() {
> > - # Unfortunately some distros have bad pkg-config information for gnutls
> > - # such that it claims to exist but you get a compiler error if you try
> > - # to use the options returned by --libs. Specifically, Ubuntu for --static
> > - # builds doesn't work:
> > - # https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1478035
>
> This bug is still in state NEW, but targets Ubuntu 14.04 and "Package:
> libgnutls-dev 2.12.23-12ubuntu2.2", so is probably indeed old enough that it
> is hopefully a non-issue for gnutls > 3 in the versions of Ubuntu we
> specifically support. However, I'm not enough of an Ubuntu user myself to
> confirm whether things still work, so you'll probably want to collect
> additional R-b or Tested-by before accepting this for qemu 3.1.
FYI, I checked the pkg-config file with gnutls 3 on ubuntu and it did not
appear to have the bug that existed in gnutls 2, so I believe removing
this cruft is safe.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
* Re: [Qemu-devel] [PATCH 2/3] crypto: require libgcrypt >= 1.5.0 for building QEMU
From: Eric Blake @ 2018-08-06 18:01 UTC
To: Daniel P. Berrangé, qemu-devel
On 07/18/2018 07:03 AM, Daniel P. Berrangé wrote:
> libgcrypt 1.5.0 was released in 2011 and all the distros that are build
> target platforms for QEMU [1] include it:
>
> RHEL-7: 1.5.3
> Debian (Stretch): 1.7.6
> Debian (Jessie): 1.6.3
> OpenBSD (ports): 1.8.2
> FreeBSD (ports): 1.8.3
> OpenSUSE Leap 15: 1.8.2
> Ubuntu (Xenial): 1.6.5
> macOS (Homebrew): 1.8.3
>
> Based on this, it is reasonable to require libgcrypt >= 1.5.0 in QEMU
> which allows for some conditional version checks in the code to be
> removed.
>
> [1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
* Re: [Qemu-devel] [PATCH 3/3] crypto: require nettle >= 1.5.0 for building QEMU
From: Eric Blake @ 2018-08-06 18:02 UTC
To: Daniel P. Berrangé, qemu-devel
On 07/18/2018 07:03 AM, Daniel P. Berrangé wrote:
> nettle 2.7.1 was released in 2013 and all the distros that are build
> target platforms for QEMU [1] include it:
>
> RHEL-7: 2.7.1
> Debian (Stretch): 3.3
> Debian (Jessie): 2.7.1
> OpenBSD (ports): 3.4
> FreeBSD (ports): 3.4
> OpenSUSE Leap 15: 3.4
> Ubuntu (Xenial): 3.2
> macOS (Homebrew): 3.4
>
> Based on this, it is reasonable to require nettle >= 2.7.1 in QEMU
> which allows for some conditional version checks in the code to be
> removed.
>
> [1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org