From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Date: Wed, 18 Jul 2018 13:03:32 +0100
Message-Id: <20180718120334.27138-2-berrange@redhat.com>
In-Reply-To: <20180718120334.27138-1-berrange@redhat.com>
References: <20180718120334.27138-1-berrange@redhat.com>
Subject: [Qemu-devel] [PATCH 1/3] crypto: require gnutls >= 3.1.18 for building QEMU

gnutls 3.0.0 was released in 2011 and all the distros that are
build target platforms for QEMU [1] include it:

  RHEL-7: 3.1.18
  Debian (Stretch): 3.5.8
  Debian (Jessie): 3.3.8
  OpenBSD (ports): 3.5.18
  FreeBSD (ports): 3.5.18
  OpenSUSE Leap 15: 3.6.2
  Ubuntu (Xenial): 3.4.10
  macOS (Homebrew): 3.5.19

Based on this, it is reasonable to require gnutls >= 3.1.18 in QEMU
which allows for all conditional version checks in the code to be
removed.

[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Eric Blake --- configure | 135 +++++++++---------------------- crypto/Makefile.objs | 4 +- crypto/init.c | 20 +---- crypto/tlscredsx509.c | 21 ----- crypto/tlssession.c | 8 +- tests/crypto-tls-x509-helpers.h | 3 +- tests/test-crypto-tlscredsx509.c | 8 +- 7 files changed, 46 insertions(+), 153 deletions(-) diff --git a/configure b/configure index 2a7796ea80..856cb07be5 100755 --- a/configure +++ b/configure @@ -456,7 +456,6 @@ gtkabi=3D"" gtk_gl=3D"no" tls_priority=3D"NORMAL" gnutls=3D"" -gnutls_rnd=3D"" nettle=3D"" nettle_kdf=3D"no" gcrypt=3D"" 
@@ -2675,79 +2674,28 @@ fi ########################################## # GNUTLS probe =20 -gnutls_works() { - # Unfortunately some distros have bad pkg-config information for gnutls - # such that it claims to exist but you get a compiler error if you try - # to use the options returned by --libs. Specifically, Ubuntu for --st= atic - # builds doesn't work: - # https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1478035 - # - # So sanity check the cflags/libs before assuming gnutls can be used. - if ! $pkg_config --exists "gnutls"; then - return 1 - fi - - write_c_skeleton - compile_prog "$($pkg_config --cflags gnutls)" "$($pkg_config --libs gn= utls)" -} - -gnutls_gcrypt=3Dno -gnutls_nettle=3Dno if test "$gnutls" !=3D "no"; then - if gnutls_works; then + if $pkg_config --exists "gnutls >=3D 3.1.18"; then gnutls_cflags=3D$($pkg_config --cflags gnutls) gnutls_libs=3D$($pkg_config --libs gnutls) libs_softmmu=3D"$gnutls_libs $libs_softmmu" libs_tools=3D"$gnutls_libs $libs_tools" QEMU_CFLAGS=3D"$QEMU_CFLAGS $gnutls_cflags" gnutls=3D"yes" - - # gnutls_rnd requires >=3D 2.11.0 - if $pkg_config --exists "gnutls >=3D 2.11.0"; then - gnutls_rnd=3D"yes" - else - gnutls_rnd=3D"no" - fi - - if $pkg_config --exists 'gnutls >=3D 3.0'; then - gnutls_gcrypt=3Dno - gnutls_nettle=3Dyes - elif $pkg_config --exists 'gnutls >=3D 2.12'; then - case $($pkg_config --libs --static gnutls) in - *gcrypt*) - gnutls_gcrypt=3Dyes - gnutls_nettle=3Dno - ;; - *nettle*) - gnutls_gcrypt=3Dno - gnutls_nettle=3Dyes - ;; - *) - gnutls_gcrypt=3Dyes - gnutls_nettle=3Dno - ;; - esac - else - gnutls_gcrypt=3Dyes - gnutls_nettle=3Dno - fi elif test "$gnutls" =3D "yes"; then - feature_not_found "gnutls" "Install gnutls devel" + feature_not_found "gnutls" "Install gnutls devel >=3D 3.1.18" else gnutls=3D"no" - gnutls_rnd=3D"no" fi -else - gnutls_rnd=3D"no" fi =20 =20 # If user didn't give a --disable/enable-gcrypt flag, # then mark as disabled if user requested nettle -# explicitly, or if gnutls links to 
nettle +# explicitly if test -z "$gcrypt" then - if test "$nettle" =3D "yes" || test "$gnutls_nettle" =3D "yes" + if test "$nettle" =3D "yes" then gcrypt=3D"no" fi @@ -2755,10 +2703,10 @@ fi =20 # If user didn't give a --disable/enable-nettle flag, # then mark as disabled if user requested gcrypt -# explicitly, or if gnutls links to gcrypt +# explicitly if test -z "$nettle" then - if test "$gcrypt" =3D "yes" || test "$gnutls_gcrypt" =3D "yes" + if test "$gcrypt" =3D "yes" then nettle=3D"no" fi @@ -2782,6 +2730,40 @@ has_libgcrypt_config() { return 0 } =20 + +if test "$nettle" !=3D "no"; then + if $pkg_config --exists "nettle"; then + nettle_cflags=3D$($pkg_config --cflags nettle) + nettle_libs=3D$($pkg_config --libs nettle) + nettle_version=3D$($pkg_config --modversion nettle) + libs_softmmu=3D"$nettle_libs $libs_softmmu" + libs_tools=3D"$nettle_libs $libs_tools" + QEMU_CFLAGS=3D"$QEMU_CFLAGS $nettle_cflags" + nettle=3D"yes" + + cat > $TMPC << EOF +#include +#include +int main(void) { + pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL); + return 0; +} +EOF + if test -z "$gcrypt"; then + gcrypt=3D"no" + fi + if compile_prog "$nettle_cflags" "$nettle_libs" ; then + nettle_kdf=3Dyes + fi + else + if test "$nettle" =3D "yes"; then + feature_not_found "nettle" "Install nettle devel" + else + nettle=3D"no" + fi + fi +fi + if test "$gcrypt" !=3D "no"; then if has_libgcrypt_config; then gcrypt_cflags=3D$(libgcrypt-config --cflags) @@ -2797,9 +2779,6 @@ if test "$gcrypt" !=3D "no"; then libs_tools=3D"$gcrypt_libs $libs_tools" QEMU_CFLAGS=3D"$QEMU_CFLAGS $gcrypt_cflags" gcrypt=3D"yes" - if test -z "$nettle"; then - nettle=3D"no" - fi =20 cat > $TMPC << EOF #include 
@@ -2836,36 +2815,6 @@ EOF fi =20 =20 -if test "$nettle" !=3D "no"; then - if $pkg_config --exists "nettle"; then - nettle_cflags=3D$($pkg_config --cflags nettle) - nettle_libs=3D$($pkg_config --libs nettle) - nettle_version=3D$($pkg_config --modversion nettle) - libs_softmmu=3D"$nettle_libs $libs_softmmu" - libs_tools=3D"$nettle_libs $libs_tools" - QEMU_CFLAGS=3D"$QEMU_CFLAGS $nettle_cflags" - nettle=3D"yes" - - cat > $TMPC << EOF -#include -#include -int main(void) { - pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL); - return 0; -} -EOF - if compile_prog "$nettle_cflags" "$nettle_libs" ; then - nettle_kdf=3Dyes - fi - else - if test "$nettle" =3D "yes"; then - feature_not_found "nettle" "Install nettle devel" - else - nettle=3D"no" - fi - fi -fi - if test "$gcrypt" =3D "yes" && test "$nettle" =3D "yes" then error_exit "Only one of gcrypt & nettle can be enabled" @@ -5903,7 +5852,6 @@ echo "GTK GL support $gtk_gl" echo "VTE support $vte $(echo_version $vte $vteversion)" echo "TLS priority $tls_priority" echo "GNUTLS support $gnutls" -echo "GNUTLS rnd $gnutls_rnd" echo "libgcrypt $gcrypt" echo "libgcrypt kdf $gcrypt_kdf" echo "nettle $nettle $(echo_version $nettle $nettle_version)" @@ -6351,9 +6299,6 @@ echo "CONFIG_TLS_PRIORITY=3D\"$tls_priority\"" >> $co= nfig_host_mak if test "$gnutls" =3D "yes" ; then echo "CONFIG_GNUTLS=3Dy" >> $config_host_mak fi -if test "$gnutls_rnd" =3D "yes" ; then - echo "CONFIG_GNUTLS_RND=3Dy" >> $config_host_mak -fi if test "$gcrypt" =3D "yes" ; then echo "CONFIG_GCRYPT=3Dy" >> $config_host_mak if test "$gcrypt_hmac" =3D "yes" ; then diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs index 756bab111b..a62cedaf36 100644 --- a/crypto/Makefile.objs +++ b/crypto/Makefile.objs 
@@ -20,8 +20,8 @@ crypto-obj-y +=3D tlscredsx509.o crypto-obj-y +=3D tlssession.o crypto-obj-y +=3D secret.o crypto-obj-$(CONFIG_GCRYPT) +=3D random-gcrypt.o -crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS_RND)) +=3D random-gnutl= s.o -crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS_RND),n,y)) +=3D ra= ndom-platform.o +crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) +=3D random-gnutls.o +crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) +=3D random= -platform.o crypto-obj-y +=3D pbkdf.o crypto-obj-$(CONFIG_NETTLE_KDF) +=3D pbkdf-nettle.o crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) +=3D pbkdf-gc= rypt.o diff --git a/crypto/init.c b/crypto/init.c index f131c42306..10bf72463c 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -37,31 +37,13 @@ /* #define DEBUG_GNUTLS */ =20 /* - * If GNUTLS is built against GCrypt then - * - * - When GNUTLS >=3D 2.12, we must not initialize gcrypt threading - * because GNUTLS will do that itself - * - When GNUTLS < 2.12 we must always initialize gcrypt threading - * - When GNUTLS is disabled we must always initialize gcrypt threading - * - * But.... - * - * When gcrypt >=3D 1.6.0 we must not initialize gcrypt threading - * because gcrypt will do that itself. - * - * So we need to init gcrypt threading if + * We need to init gcrypt threading if * * - gcrypt < 1.6.0 - * AND - * - gnutls < 2.12 - * OR - * - gnutls is disabled * */ =20 #if (defined(CONFIG_GCRYPT) && \ - (!defined(CONFIG_GNUTLS) || \ - (LIBGNUTLS_VERSION_NUMBER < 0x020c00)) && \ (!defined(GCRYPT_VERSION_NUMBER) || \ (GCRYPT_VERSION_NUMBER < 0x010600))) #define QCRYPTO_INIT_GCRYPT_THREADS diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 98ee0424e5..d6ab4a9862 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c 
@@ -72,14 +72,6 @@ qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cer= t, } =20 =20 -#if LIBGNUTLS_VERSION_NUMBER >=3D 2 -/* - * The gnutls_x509_crt_get_basic_constraints function isn't - * available in GNUTLS 1.0.x branches. This isn't critical - * though, since gnutls_certificate_verify_peers2 will do - * pretty much the same check at runtime, so we can just - * disable this code - */ static int qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds, gnutls_x509_crt_t cert, @@ -130,7 +122,6 @@ qcrypto_tls_creds_check_cert_basic_constraints(QCryptoT= LSCredsX509 *creds, =20 return 0; } -#endif =20 =20 static int @@ -299,14 +290,12 @@ qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *cre= ds, return -1; } =20 -#if LIBGNUTLS_VERSION_NUMBER >=3D 2 if (qcrypto_tls_creds_check_cert_basic_constraints(creds, cert, certFile, isServer, isCA, errp) < 0) { return -1; } -#endif =20 if (qcrypto_tls_creds_check_cert_key_usage(creds, cert, certFile, @@ -615,7 +604,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, } =20 if (cert !=3D NULL && key !=3D NULL) { -#if LIBGNUTLS_VERSION_NUMBER >=3D 0x030111 char *password =3D NULL; if (creds->passwordid) { password =3D qcrypto_secret_lookup_as_utf8(creds->passwordid, @@ -630,15 +618,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, password, 0); g_free(password); -#else /* LIBGNUTLS_VERSION_NUMBER < 0x030111 */ - if (creds->passwordid) { - error_setg(errp, "PKCS8 decryption requires GNUTLS >=3D 3.1.11= "); - goto cleanup; - } - ret =3D gnutls_certificate_set_x509_key_file(creds->data, - cert, key, - GNUTLS_X509_FMT_PEM); -#endif if (ret < 0) { error_setg(errp, "Cannot load certificate '%s' & key '%s': %s", cert, key, gnutls_strerror(ret)); diff --git a/crypto/tlssession.c b/crypto/tlssession.c index 66a6fbe19c..2f28fa7f71 100644 --- a/crypto/tlssession.c +++ b/crypto/tlssession.c 
@@ -90,13 +90,7 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t= len) } =20 #define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH" - -#if GNUTLS_VERSION_MAJOR >=3D 3 -#define TLS_ECDHE_PSK "+ECDHE-PSK:" -#else -#define TLS_ECDHE_PSK "" -#endif -#define TLS_PRIORITY_ADDITIONAL_PSK TLS_ECDHE_PSK "+DHE-PSK:+PSK" +#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK" =20 QCryptoTLSSession * qcrypto_tls_session_new(QCryptoTLSCreds *creds, diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helper= s.h index 921341c649..88c30d7c94 100644 --- a/tests/crypto-tls-x509-helpers.h +++ b/tests/crypto-tls-x509-helpers.h @@ -22,8 +22,7 @@ #include =20 #if !(defined WIN32) && \ - defined(CONFIG_TASN1) && \ - (LIBGNUTLS_VERSION_NUMBER >=3D 0x020600) + defined(CONFIG_TASN1) # define QCRYPTO_HAVE_TLS_TEST_SUPPORT #endif =20 diff --git a/tests/test-crypto-tlscredsx509.c b/tests/test-crypto-tlscredsx= 509.c index af2f80e89c..9bc45d4619 100644 --- a/tests/test-crypto-tlscredsx509.c +++ b/tests/test-crypto-tlscredsx509.c 
@@ -290,14 +290,8 @@ int main(int argc, char **argv) true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 - /* Technically a CA cert with basic constraints - * key purpose =3D=3D key signing + non-critical should - * be rejected. GNUTLS < 3.1 does not reject it and - * we don't anticipate them changing this behaviour - */ TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filenam= e, - (GNUTLS_VERSION_MAJOR =3D=3D 3 && GNUTLS_VERSION_MINOR >= =3D 1) || - GNUTLS_VERSION_MAJOR > 3); + true); TLS_TEST_REG(badca2, true, cacert5req.filename, servercert5req.filename, true); TLS_TEST_REG(badca3, true, --=20 2.17.1
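Review bot: the configure hunk that replaces gnutls_works() with `if $pkg_config --exists "gnutls >= 3.1.18"; then` drops the compile_prog sanity check together with the old version checks, so the case the removed comment documents (Ubuntu --static builds whose gnutls pkg-config data claims to work but fails to link, launchpad bug 1478035) would now pass configure and only surface as a link error later in the build. If that workaround is still wanted, keep `write_c_skeleton` and `compile_prog "$($pkg_config --cflags gnutls)" "$($pkg_config --libs gnutls)"` after the version test; if it is being retired on purpose, the commit message should say so, since it currently only talks about removing version checks.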
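Review bot: the tests/test-crypto-tlscredsx509.c hunk deletes the only comment explaining what the badca1 case exercises (a CA cert whose basic constraints and key-signing key purpose are non-critical must be rejected) along with the GNUTLS_VERSION_MAJOR/MINOR condition. Since the expectation is now simply `true`, keep a one-line version of that explanation above `TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename,` rather than losing it with the version condition.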
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Date: Wed, 18 Jul 2018 13:03:33 +0100
Message-Id: <20180718120334.27138-3-berrange@redhat.com>
In-Reply-To: <20180718120334.27138-1-berrange@redhat.com>
References: <20180718120334.27138-1-berrange@redhat.com>
Subject: [Qemu-devel] [PATCH 2/3] crypto: require libgcrypt >= 1.5.0 for building QEMU

libgcrypt 1.5.0 was released in 2011 and all the distros that are
build target platforms for QEMU [1] include it:

  RHEL-7: 1.5.3
  Debian (Stretch): 1.7.6
  Debian (Jessie): 1.6.3
  OpenBSD (ports): 1.8.2
  FreeBSD (ports): 1.8.3
  OpenSUSE Leap 15: 1.8.2
  Ubuntu (Xenial): 1.6.5
  macOS (Homebrew): 1.8.3

Based on this, it is reasonable to require libgcrypt >= 1.5.0 in QEMU
which allows for some conditional version checks in the code to be
removed.

[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Eric Blake --- configure | 32 +++++++++++--------------------- crypto/Makefile.objs | 2 +- crypto/init.c | 3 +-- tests/Makefile.include | 2 +- tests/test-crypto-block.c | 2 +- 5 files changed, 15 insertions(+), 26 deletions(-) diff --git a/configure b/configure index 856cb07be5..84c2f91a1f 100755 --- a/configure +++ b/configure @@ -460,7 +460,6 @@ nettle=3D"" nettle_kdf=3D"no" gcrypt=3D"" gcrypt_hmac=3D"no" -gcrypt_kdf=3D"no" vte=3D"" virglrenderer=3D"" tpm=3D"yes" @@ -2712,7 +2711,7 @@ then fi fi =20 -has_libgcrypt_config() { +has_libgcrypt() { if ! has "libgcrypt-config" then return 1 @@ -2727,6 +2726,14 @@ has_libgcrypt_config() { fi fi =20 + maj=3D`libgcrypt-config --version | awk -F . '{print $1}'` + min=3D`libgcrypt-config --version | awk -F . '{print $2}'` + + if test $maj !=3D 1 || test $min -lt 5 + then + return 1 + fi + return 0 } =20 @@ -2765,7 +2772,7 @@ EOF fi =20 if test "$gcrypt" !=3D "no"; then - if has_libgcrypt_config; then + if has_libgcrypt; then gcrypt_cflags=3D$(libgcrypt-config --cflags) gcrypt_libs=3D$(libgcrypt-config --libs) # Debian has remove -lgpg-error from libgcrypt-config @@ -2782,19 +2789,6 @@ if test "$gcrypt" !=3D "no"; then =20 cat > $TMPC << EOF #include -int main(void) { - gcry_kdf_derive(NULL, 0, GCRY_KDF_PBKDF2, - GCRY_MD_SHA256, - NULL, 0, 0, 0, NULL); - return 0; -} -EOF - if compile_prog "$gcrypt_cflags" "$gcrypt_libs" ; then - gcrypt_kdf=3Dyes - fi - - cat > $TMPC << EOF -#include int main(void) { gcry_mac_hd_t handle; gcry_mac_open(&handle, GCRY_MAC_HMAC_MD5, @@ -2807,7 +2801,7 @@ EOF fi else if test "$gcrypt" =3D "yes"; then - feature_not_found "gcrypt" "Install gcrypt devel" + feature_not_found "gcrypt" "Install gcrypt devel >=3D 1.5.0" else gcrypt=3D"no" fi 
@@ -5853,7 +5847,6 @@ echo "VTE support $vte $(echo_version $vte $vte= version)" echo "TLS priority $tls_priority" echo "GNUTLS support $gnutls" echo "libgcrypt $gcrypt" -echo "libgcrypt kdf $gcrypt_kdf" echo "nettle $nettle $(echo_version $nettle $nettle_version)" echo "nettle kdf $nettle_kdf" echo "libtasn1 $tasn1" @@ -6304,9 +6297,6 @@ if test "$gcrypt" =3D "yes" ; then if test "$gcrypt_hmac" =3D "yes" ; then echo "CONFIG_GCRYPT_HMAC=3Dy" >> $config_host_mak fi - if test "$gcrypt_kdf" =3D "yes" ; then - echo "CONFIG_GCRYPT_KDF=3Dy" >> $config_host_mak - fi fi if test "$nettle" =3D "yes" ; then echo "CONFIG_NETTLE=3Dy" >> $config_host_mak diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs index a62cedaf36..6a908f51f5 100644 --- a/crypto/Makefile.objs +++ b/crypto/Makefile.objs @@ -24,7 +24,7 @@ crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) +=3D= random-gnutls.o crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) +=3D random= -platform.o crypto-obj-y +=3D pbkdf.o crypto-obj-$(CONFIG_NETTLE_KDF) +=3D pbkdf-nettle.o -crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) +=3D pbkdf-gc= rypt.o +crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT)) +=3D pbkdf-gcrypt= .o crypto-obj-y +=3D ivgen.o crypto-obj-y +=3D ivgen-essiv.o crypto-obj-y +=3D ivgen-plain.o diff --git a/crypto/init.c b/crypto/init.c index 10bf72463c..c30156405a 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -44,8 +44,7 @@ */ =20 #if (defined(CONFIG_GCRYPT) && \ - (!defined(GCRYPT_VERSION_NUMBER) || \ - (GCRYPT_VERSION_NUMBER < 0x010600))) + (GCRYPT_VERSION_NUMBER < 0x010600)) #define QCRYPTO_INIT_GCRYPT_THREADS #else #undef QCRYPTO_INIT_GCRYPT_THREADS diff --git a/tests/Makefile.include b/tests/Makefile.include index a49282704e..3712de22cf 100644 --- a/tests/Makefile.include +++ b/tests/Makefile.include 
@@ -156,7 +156,7 @@ check-unit-$(CONFIG_GNUTLS) +=3D tests/test-io-channel-= tls$(EXESUF) check-unit-y +=3D tests/test-io-channel-command$(EXESUF) check-unit-y +=3D tests/test-io-channel-buffer$(EXESUF) check-unit-y +=3D tests/test-base64$(EXESUF) -check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT_KDF)) +=3D tests/te= st-crypto-pbkdf$(EXESUF) +check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT)) +=3D tests/test-c= rypto-pbkdf$(EXESUF) check-unit-y +=3D tests/test-crypto-ivgen$(EXESUF) check-unit-y +=3D tests/test-crypto-afsplit$(EXESUF) check-unit-y +=3D tests/test-crypto-xts$(EXESUF) diff --git a/tests/test-crypto-block.c b/tests/test-crypto-block.c index fd29a045d2..bd512cc79a 100644 --- a/tests/test-crypto-block.c +++ b/tests/test-crypto-block.c 
@@ -29,7 +29,7 @@ #endif =20 #if (defined(_WIN32) || defined RUSAGE_THREAD) && \ - (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT_KDF)) + (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT)) #define TEST_LUKS #else #undef TEST_LUKS --=20 2.17.1
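Review bot: in the configure hunk that turns has_libgcrypt_config() into has_libgcrypt(), the new version gate `if test $maj != 1 || test $min -lt 5` has two problems. It rejects any future libgcrypt whose major version is above 1, and because `$maj` and `$min` are unquoted, an empty or non-numeric `libgcrypt-config --version` output makes both tests exit non-zero with an error message, so the `return 1` branch is skipped and the function falls through to `return 0`, reporting libgcrypt as usable. Suggest running `libgcrypt-config --version` once, checking that both fields are numeric (a `case` pattern is enough) and returning 1 otherwise, then accepting with `test "$maj" -gt 1 || { test "$maj" -eq 1 && test "$min" -ge 5; }`.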
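Review bot: the configure hunk that removes the gcry_kdf_derive compile probe makes CONFIG_GCRYPT imply PBKDF2 support, and the crypto/Makefile.objs, tests/Makefile.include and tests/test-crypto-block.c hunks all switch from CONFIG_GCRYPT_KDF to CONFIG_GCRYPT accordingly. The commit message only says "some conditional version checks" are removed; it should state that gcry_kdf_derive with GCRY_KDF_PBKDF2 is available in every libgcrypt >= 1.5.0, since that assumption is what makes dropping the probe safe.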
From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Date: Wed, 18 Jul 2018 13:03:34 +0100
Message-Id: <20180718120334.27138-4-berrange@redhat.com>
In-Reply-To: <20180718120334.27138-1-berrange@redhat.com>
References: <20180718120334.27138-1-berrange@redhat.com>
Subject: [Qemu-devel] [PATCH 3/3] crypto: require nettle >= 1.5.0 for building QEMU

nettle 2.7.1 was released in 2013 and all the distros that are
build target platforms for QEMU [1] include it:

  RHEL-7: 2.7.1
  Debian (Stretch): 3.3
  Debian (Jessie): 2.7.1
  OpenBSD (ports): 3.4
  FreeBSD (ports): 3.4
  OpenSUSE Leap 15: 3.4
  Ubuntu (Xenial): 3.2
  macOS (Homebrew): 3.4

Based on this, it is reasonable to require nettle >= 2.7.1 in QEMU
which allows for some conditional version checks in the code to be
removed.

[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Eric Blake --- configure | 20 ++------------------ crypto/Makefile.objs | 4 ++-- tests/Makefile.include | 2 +- tests/test-crypto-block.c | 2 +- 4 files changed, 6 insertions(+), 22 deletions(-) diff --git a/configure b/configure index 84c2f91a1f..2e319a51c5 100755 --- a/configure +++ b/configure @@ -457,7 +457,6 @@ gtk_gl=3D"no" tls_priority=3D"NORMAL" gnutls=3D"" nettle=3D"" -nettle_kdf=3D"no" gcrypt=3D"" gcrypt_hmac=3D"no" vte=3D"" @@ -2739,7 +2738,7 @@ has_libgcrypt() { =20 =20 if test "$nettle" !=3D "no"; then - if $pkg_config --exists "nettle"; then + if $pkg_config --exists "nettle >=3D 2.7.1"; then nettle_cflags=3D$($pkg_config --cflags nettle) nettle_libs=3D$($pkg_config --libs nettle) nettle_version=3D$($pkg_config --modversion nettle) @@ -2748,23 +2747,12 @@ if test "$nettle" !=3D "no"; then QEMU_CFLAGS=3D"$QEMU_CFLAGS $nettle_cflags" nettle=3D"yes" =20 - cat > $TMPC << EOF -#include -#include -int main(void) { - pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL); - return 0; -} -EOF if test -z "$gcrypt"; then gcrypt=3D"no" fi - if compile_prog "$nettle_cflags" "$nettle_libs" ; then - nettle_kdf=3Dyes - fi else if test "$nettle" =3D "yes"; then - feature_not_found "nettle" "Install nettle devel" + feature_not_found "nettle" "Install nettle devel >=3D 2.7.1" else nettle=3D"no" fi @@ -5848,7 +5836,6 @@ echo "TLS priority $tls_priority" echo "GNUTLS support $gnutls" echo "libgcrypt $gcrypt" echo "nettle $nettle $(echo_version $nettle $nettle_version)" -echo "nettle kdf $nettle_kdf" echo "libtasn1 $tasn1" echo "curses support $curses" echo "virgl support $virglrenderer $(echo_version $virglrenderer $virg= l_version)" 
@@ -6301,9 +6288,6 @@ fi if test "$nettle" =3D "yes" ; then echo "CONFIG_NETTLE=3Dy" >> $config_host_mak echo "CONFIG_NETTLE_VERSION_MAJOR=3D${nettle_version%%.*}" >> $config_ho= st_mak - if test "$nettle_kdf" =3D "yes" ; then - echo "CONFIG_NETTLE_KDF=3Dy" >> $config_host_mak - fi fi if test "$tasn1" =3D "yes" ; then echo "CONFIG_TASN1=3Dy" >> $config_host_mak diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs index 6a908f51f5..256c9aca1f 100644 --- a/crypto/Makefile.objs +++ b/crypto/Makefile.objs @@ -23,8 +23,8 @@ crypto-obj-$(CONFIG_GCRYPT) +=3D random-gcrypt.o crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) +=3D random-gnutls.o crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) +=3D random= -platform.o crypto-obj-y +=3D pbkdf.o -crypto-obj-$(CONFIG_NETTLE_KDF) +=3D pbkdf-nettle.o -crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT)) +=3D pbkdf-gcrypt= .o +crypto-obj-$(CONFIG_NETTLE) +=3D pbkdf-nettle.o +crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) +=3D pbkdf-gcrypt.o crypto-obj-y +=3D ivgen.o crypto-obj-y +=3D ivgen-essiv.o crypto-obj-y +=3D ivgen-plain.o diff --git a/tests/Makefile.include b/tests/Makefile.include index 3712de22cf..9d7976ff62 100644 --- a/tests/Makefile.include +++ b/tests/Makefile.include @@ -156,7 +156,7 @@ check-unit-$(CONFIG_GNUTLS) +=3D tests/test-io-channel-= tls$(EXESUF) check-unit-y +=3D tests/test-io-channel-command$(EXESUF) check-unit-y +=3D tests/test-io-channel-buffer$(EXESUF) check-unit-y +=3D tests/test-base64$(EXESUF) -check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT)) +=3D tests/test-c= rypto-pbkdf$(EXESUF) +check-unit-$(if $(CONFIG_NETTLE),y,$(CONFIG_GCRYPT)) +=3D tests/test-crypt= o-pbkdf$(EXESUF) check-unit-y +=3D tests/test-crypto-ivgen$(EXESUF) check-unit-y +=3D tests/test-crypto-afsplit$(EXESUF) check-unit-y +=3D tests/test-crypto-xts$(EXESUF) diff --git a/tests/test-crypto-block.c b/tests/test-crypto-block.c index bd512cc79a..fae4ffc453 100644 --- a/tests/test-crypto-block.c 
+++ b/tests/test-crypto-block.c @@ -29,7 +29,7 @@ #endif =20 #if (defined(_WIN32) || defined RUSAGE_THREAD) && \ - (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT)) + (defined(CONFIG_NETTLE) || defined(CONFIG_GCRYPT)) #define TEST_LUKS #else #undef TEST_LUKS --=20 2.17.1
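Review bot: the configure hunk gates on `$pkg_config --exists "nettle >= 2.7.1"` and its feature_not_found message says `Install nettle devel >= 2.7.1`, matching the commit body, but the patch subject says `require nettle >= 1.5.0`. Correct the subject to 2.7.1 before merge so the minimum version recorded in git log matches the check.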
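Review bot: the configure hunk deletes the pbkdf2_hmac_sha256 compile probe and the CONFIG_NETTLE_KDF symbol, so the crypto/Makefile.objs hunk now builds pbkdf-nettle.o from CONFIG_NETTLE alone and the tests/test-crypto-block.c hunk enables TEST_LUKS from it. The commit message should spell out that the function the removed probe called, pbkdf2_hmac_sha256, is present in every nettle >= 2.7.1, since that assumption is what makes dropping the probe safe; as written it only mentions removing version checks.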