From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>
Subject: [Qemu-devel] [PULL v3 1/4] crypto: allow use of nettle/gcrypt to be selected explicitly
Date: Thu, 22 Oct 2015 19:05:19 +0100 [thread overview]
Message-ID: <1445537122-10982-2-git-send-email-berrange@redhat.com> (raw)
In-Reply-To: <1445537122-10982-1-git-send-email-berrange@redhat.com>
Currently the choice of whether to use nettle or gcrypt is
made based on what gnutls is linked to. There are times
when it is desirable to be able to force build against a
specific library. For example, if testing changes to QEMU's
crypto code all 3 possible backends need to be checked
regardless of what the local gnutls uses.
It is also desirable to be able to enable nettle/gcrypt
for cipher/hash algorithms, without enabling gnutls
for TLS support.
This gives two new configure flags, which allow the
following possibilities
Automatically determine nettle vs gcrypt from what
gnutls links to (recommended to minimize number of
crypto libraries linked to)
./configure
Automatically determine nettle vs gcrypt based on
which is installed
./configure --disable-gnutls
Force use of nettle
./configure --enable-nettle
Force use of gcrypt
./configure --enable-gcrypt
Force use of built-in AES & crippled-DES
./configure --disable-nettle --disable-gcrypt
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
configure | 100 +++++++++++++++++++++++++++++++++++++++++++++++++-------
crypto/cipher.c | 8 ++---
crypto/init.c | 26 +++++++--------
3 files changed, 105 insertions(+), 29 deletions(-)
diff --git a/configure b/configure
index 211bc6e..94f38a3 100755
--- a/configure
+++ b/configure
@@ -331,6 +331,8 @@ gtkabi=""
gtk_gl="no"
gnutls=""
gnutls_hash=""
+nettle=""
+gcrypt=""
vte=""
virglrenderer=""
tpm="yes"
@@ -1114,6 +1116,14 @@ for opt do
;;
--enable-gnutls) gnutls="yes"
;;
+ --disable-nettle) nettle="no"
+ ;;
+ --enable-nettle) nettle="yes"
+ ;;
+ --disable-gcrypt) gcrypt="no"
+ ;;
+ --enable-gcrypt) gcrypt="yes"
+ ;;
--enable-rdma) rdma="yes"
;;
--disable-rdma) rdma="no"
@@ -1324,6 +1334,8 @@ disabled with --disable-FEATURE, default is enabled if available:
sparse sparse checker
gnutls GNUTLS cryptography support
+ nettle nettle cryptography support
+ gcrypt libgcrypt cryptography support
sdl SDL UI
--with-sdlabi select preferred SDL ABI 1.2 or 2.0
gtk gtk UI
@@ -2254,20 +2266,76 @@ else
gnutls_hash="no"
fi
-if test "$gnutls_gcrypt" != "no"; then
- if has "libgcrypt-config"; then
+
+# If user didn't give a --disable/enable-gcrypt flag,
+# then mark as disabled if user requested nettle
+# explicitly, or if gnutls links to nettle
+if test -z "$gcrypt"
+then
+ if test "$nettle" = "yes" || test "$gnutls_nettle" = "yes"
+ then
+ gcrypt="no"
+ fi
+fi
+
+# If user didn't give a --disable/enable-nettle flag,
+# then mark as disabled if user requested gcrypt
+# explicitly, or if gnutls links to gcrypt
+if test -z "$nettle"
+then
+ if test "$gcrypt" = "yes" || test "$gnutls_gcrypt" = "yes"
+ then
+ nettle="no"
+ fi
+fi
+
+has_libgcrypt_config() {
+ if ! has "libgcrypt-config"
+ then
+ return 1
+ fi
+
+ if test -n "$cross_prefix"
+ then
+ host=`libgcrypt-config --host`
+ if test "$host-" != $cross_prefix
+ then
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
+if test "$gcrypt" != "no"; then
+ if has_libgcrypt_config; then
gcrypt_cflags=`libgcrypt-config --cflags`
gcrypt_libs=`libgcrypt-config --libs`
+ # Debian has remove -lgpg-error from libgcrypt-config
+ # as it "spreads unnecessary dependencies" which in
+ # turn breaks static builds...
+ if test "$static" = "yes"
+ then
+ gcrypt_libs="$gcrypt_libs -lgpg-error"
+ fi
libs_softmmu="$gcrypt_libs $libs_softmmu"
libs_tools="$gcrypt_libs $libs_tools"
QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags"
+ gcrypt="yes"
+ if test -z "$nettle"; then
+ nettle="no"
+ fi
else
- feature_not_found "gcrypt" "Install gcrypt devel"
+ if test "$gcrypt" = "yes"; then
+ feature_not_found "gcrypt" "Install gcrypt devel"
+ else
+ gcrypt="no"
+ fi
fi
fi
-if test "$gnutls_nettle" != "no"; then
+if test "$nettle" != "no"; then
if $pkg_config --exists "nettle"; then
nettle_cflags=`$pkg_config --cflags nettle`
nettle_libs=`$pkg_config --libs nettle`
@@ -2275,11 +2343,21 @@ if test "$gnutls_nettle" != "no"; then
libs_softmmu="$nettle_libs $libs_softmmu"
libs_tools="$nettle_libs $libs_tools"
QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
+ nettle="yes"
else
- feature_not_found "nettle" "Install nettle devel"
+ if test "$nettle" = "yes"; then
+ feature_not_found "nettle" "Install nettle devel"
+ else
+ nettle="no"
+ fi
fi
fi
+if test "$gcrypt" = "yes" && test "$nettle" = "yes"
+then
+ error_exit "Only one of gcrypt & nettle can be enabled"
+fi
+
##########################################
# libtasn1 - only for the TLS creds/session test suite
@@ -4621,8 +4699,8 @@ echo "GTK support $gtk"
echo "GTK GL support $gtk_gl"
echo "GNUTLS support $gnutls"
echo "GNUTLS hash $gnutls_hash"
-echo "GNUTLS gcrypt $gnutls_gcrypt"
-echo "GNUTLS nettle $gnutls_nettle ${gnutls_nettle+($nettle_version)}"
+echo "libgcrypt $gcrypt"
+echo "nettle $nettle ${nettle+($nettle_version)}"
echo "libtasn1 $tasn1"
echo "VTE support $vte"
echo "curses support $curses"
@@ -4991,11 +5069,11 @@ fi
if test "$gnutls_hash" = "yes" ; then
echo "CONFIG_GNUTLS_HASH=y" >> $config_host_mak
fi
-if test "$gnutls_gcrypt" = "yes" ; then
- echo "CONFIG_GNUTLS_GCRYPT=y" >> $config_host_mak
+if test "$gcrypt" = "yes" ; then
+ echo "CONFIG_GCRYPT=y" >> $config_host_mak
fi
-if test "$gnutls_nettle" = "yes" ; then
- echo "CONFIG_GNUTLS_NETTLE=y" >> $config_host_mak
+if test "$nettle" = "yes" ; then
+ echo "CONFIG_NETTLE=y" >> $config_host_mak
echo "CONFIG_NETTLE_VERSION_MAJOR=${nettle_version%%.*}" >> $config_host_mak
fi
if test "$tasn1" = "yes" ; then
diff --git a/crypto/cipher.c b/crypto/cipher.c
index 024a00c..c8bd180 100644
--- a/crypto/cipher.c
+++ b/crypto/cipher.c
@@ -47,7 +47,7 @@ qcrypto_cipher_validate_key_length(QCryptoCipherAlgorithm alg,
return true;
}
-#if defined(CONFIG_GNUTLS_GCRYPT) || defined(CONFIG_GNUTLS_NETTLE)
+#if defined(CONFIG_GCRYPT) || defined(CONFIG_NETTLE)
static uint8_t *
qcrypto_cipher_munge_des_rfb_key(const uint8_t *key,
size_t nkey)
@@ -63,11 +63,11 @@ qcrypto_cipher_munge_des_rfb_key(const uint8_t *key,
}
return ret;
}
-#endif /* CONFIG_GNUTLS_GCRYPT || CONFIG_GNUTLS_NETTLE */
+#endif /* CONFIG_GCRYPT || CONFIG_NETTLE */
-#ifdef CONFIG_GNUTLS_GCRYPT
+#ifdef CONFIG_GCRYPT
#include "crypto/cipher-gcrypt.c"
-#elif defined CONFIG_GNUTLS_NETTLE
+#elif defined CONFIG_NETTLE
#include "crypto/cipher-nettle.c"
#else
#include "crypto/cipher-builtin.c"
diff --git a/crypto/init.c b/crypto/init.c
index 7447882..d94faac 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -24,8 +24,9 @@
#ifdef CONFIG_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
+#endif
-#ifdef CONFIG_GNUTLS_GCRYPT
+#ifdef CONFIG_GCRYPT
#include <gcrypt.h>
#endif
@@ -37,6 +38,7 @@
* - When GNUTLS >= 2.12, we must not initialize gcrypt threading
* because GNUTLS will do that itself
* - When GNUTLS < 2.12 we must always initialize gcrypt threading
+ * - When GNUTLS is disabled we must always initialize gcrypt threading
*
* But....
*
@@ -47,12 +49,15 @@
*
* - gcrypt < 1.6.0
* AND
- * - gnutls < 2.12
+ * - gnutls < 2.12
+ * OR
+ * - gnutls is disabled
*
*/
-#if (defined(CONFIG_GNUTLS_GCRYPT) && \
- (!defined(GNUTLS_VERSION_NUMBER) || \
+#if (defined(CONFIG_GCRYPT) && \
+ (!defined(CONFIG_GNUTLS) || \
+ !defined(GNUTLS_VERSION_NUMBER) || \
(GNUTLS_VERSION_NUMBER < 0x020c00)) && \
(!defined(GCRYPT_VERSION_NUMBER) || \
(GCRYPT_VERSION_NUMBER < 0x010600)))
@@ -113,6 +118,7 @@ static struct gcry_thread_cbs qcrypto_gcrypt_thread_impl = {
int qcrypto_init(Error **errp)
{
+#ifdef CONFIG_GNUTLS
int ret;
ret = gnutls_global_init();
if (ret < 0) {
@@ -125,8 +131,9 @@ int qcrypto_init(Error **errp)
gnutls_global_set_log_level(10);
gnutls_global_set_log_function(qcrypto_gnutls_log);
#endif
+#endif
-#ifdef CONFIG_GNUTLS_GCRYPT
+#ifdef CONFIG_GCRYPT
if (!gcry_check_version(GCRYPT_VERSION)) {
error_setg(errp, "Unable to initialize gcrypt");
return -1;
@@ -139,12 +146,3 @@ int qcrypto_init(Error **errp)
return 0;
}
-
-#else /* ! CONFIG_GNUTLS */
-
-int qcrypto_init(Error **errp G_GNUC_UNUSED)
-{
- return 0;
-}
-
-#endif /* ! CONFIG_GNUTLS */
--
2.4.3
next prev parent reply other threads:[~2015-10-22 18:05 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-22 18:05 [Qemu-devel] [PULL v3 0/4] Misc fixes for crypto code module Daniel P. Berrange
2015-10-22 18:05 ` Daniel P. Berrange [this message]
2015-10-22 18:05 ` [Qemu-devel] [PULL v3 2/4] crypto: don't let builtin aes crash if no IV is provided Daniel P. Berrange
2015-10-22 18:05 ` [Qemu-devel] [PULL v3 3/4] crypto: add sanity checking of plaintext/ciphertext length Daniel P. Berrange
2015-10-22 18:05 ` [Qemu-devel] [PULL v3 4/4] configure: avoid polluting global CFLAGS with tasn1 flags Daniel P. Berrange
2015-10-23 12:06 ` [Qemu-devel] [PULL v3 0/4] Misc fixes for crypto code module Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1445537122-10982-2-git-send-email-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).