qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PULL 0/3] Qcrypto next patches
@ 2018-10-19 13:43 Daniel P. Berrangé
From: Daniel P. Berrangé @ 2018-10-19 13:43 UTC
  To: qemu-devel; +Cc: Peter Maydell, Daniel P. Berrangé

The following changes since commit 2ec24af2379e331d062a6fc1cda65bc262c7c17b:

  Merge remote-tracking branch 'remotes/amarkovic/tags/mips-queue-october-2018-part1-v2' into staging (2018-10-19 10:08:31 +0100)

are available in the Git repository at:

  https://github.com/berrange/qemu tags/qcrypto-next-pull-request

for you to fetch changes up to 64dd2f3b5b090c21c3e82142de3fe7b4793ce6c8:

  crypto: require nettle >= 2.7.1 for building QEMU (2018-10-19 14:41:47 +0100)

----------------------------------------------------------------
Update min required crypto library versions

The min required versions for crypto libraries are now

 - gnutls >= 3.1.18
 - nettle >= 2.7.1
 - libgcrypt >= 1.5.0

----------------------------------------------------------------

Daniel P. Berrangé (3):
  crypto: require gnutls >= 3.1.18 for building QEMU
  crypto: require libgcrypt >= 1.5.0 for building QEMU
  crypto: require nettle >= 2.7.1 for building QEMU

 configure                        | 161 ++++++++-----------------------
 tests/crypto-tls-x509-helpers.h  |   3 +-
 crypto/init.c                    |  23 +----
 crypto/tlscredsx509.c            |  21 ----
 crypto/tlssession.c              |   8 +-
 tests/test-crypto-block.c        |   2 +-
 tests/test-crypto-tlscredsx509.c |   8 +-
 crypto/Makefile.objs             |   8 +-
 tests/Makefile.include           |   2 +-
 9 files changed, 51 insertions(+), 185 deletions(-)

-- 
2.17.2


* [Qemu-devel] [PULL 1/3] crypto: require gnutls >= 3.1.18 for building QEMU
From: Daniel P. Berrangé @ 2018-10-19 13:43 UTC
  To: qemu-devel; +Cc: Peter Maydell, Daniel P. Berrangé

gnutls 3.0.0 was released in 2011 and all the distros that are build
target platforms for QEMU [1] include it:

  RHEL-7: 3.1.18
  Debian (Stretch): 3.5.8
  Debian (Jessie): 3.3.8
  OpenBSD (ports): 3.5.18
  FreeBSD (ports): 3.5.18
  OpenSUSE Leap 15: 3.6.2
  Ubuntu (Xenial): 3.4.10
  macOS (Homebrew): 3.5.19

Based on this, it is reasonable to require gnutls >= 3.1.18 in QEMU
which allows for all conditional version checks in the code to be
removed.

[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 configure                        | 135 +++++++++----------------------
 tests/crypto-tls-x509-helpers.h  |   3 +-
 crypto/init.c                    |  20 +----
 crypto/tlscredsx509.c            |  21 -----
 crypto/tlssession.c              |   8 +-
 tests/test-crypto-tlscredsx509.c |   8 +-
 crypto/Makefile.objs             |   4 +-
 7 files changed, 46 insertions(+), 153 deletions(-)

diff --git a/configure b/configure
index 9138af37f8..008f666c83 100755
--- a/configure
+++ b/configure
@@ -457,7 +457,6 @@ gtk=""
 gtk_gl="no"
 tls_priority="NORMAL"
 gnutls=""
-gnutls_rnd=""
 nettle=""
 nettle_kdf="no"
 gcrypt=""
@@ -2666,79 +2665,28 @@ fi
 ##########################################
 # GNUTLS probe
 
-gnutls_works() {
-    # Unfortunately some distros have bad pkg-config information for gnutls
-    # such that it claims to exist but you get a compiler error if you try
-    # to use the options returned by --libs. Specifically, Ubuntu for --static
-    # builds doesn't work:
-    # https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1478035
-    #
-    # So sanity check the cflags/libs before assuming gnutls can be used.
-    if ! $pkg_config --exists "gnutls"; then
-        return 1
-    fi
-
-    write_c_skeleton
-    compile_prog "$($pkg_config --cflags gnutls)" "$($pkg_config --libs gnutls)"
-}
-
-gnutls_gcrypt=no
-gnutls_nettle=no
 if test "$gnutls" != "no"; then
-    if gnutls_works; then
+    if $pkg_config --exists "gnutls >= 3.1.18"; then
         gnutls_cflags=$($pkg_config --cflags gnutls)
         gnutls_libs=$($pkg_config --libs gnutls)
         libs_softmmu="$gnutls_libs $libs_softmmu"
         libs_tools="$gnutls_libs $libs_tools"
 	QEMU_CFLAGS="$QEMU_CFLAGS $gnutls_cflags"
         gnutls="yes"
-
-	# gnutls_rnd requires >= 2.11.0
-	if $pkg_config --exists "gnutls >= 2.11.0"; then
-	    gnutls_rnd="yes"
-	else
-	    gnutls_rnd="no"
-	fi
-
-	if $pkg_config --exists 'gnutls >= 3.0'; then
-	    gnutls_gcrypt=no
-	    gnutls_nettle=yes
-	elif $pkg_config --exists 'gnutls >= 2.12'; then
-	    case $($pkg_config --libs --static gnutls) in
-		*gcrypt*)
-		    gnutls_gcrypt=yes
-		    gnutls_nettle=no
-		    ;;
-		*nettle*)
-		    gnutls_gcrypt=no
-		    gnutls_nettle=yes
-		    ;;
-		*)
-		    gnutls_gcrypt=yes
-		    gnutls_nettle=no
-		    ;;
-	    esac
-	else
-	    gnutls_gcrypt=yes
-	    gnutls_nettle=no
-	fi
     elif test "$gnutls" = "yes"; then
-	feature_not_found "gnutls" "Install gnutls devel"
+	feature_not_found "gnutls" "Install gnutls devel >= 3.1.18"
     else
         gnutls="no"
-        gnutls_rnd="no"
     fi
-else
-    gnutls_rnd="no"
 fi
 
 
 # If user didn't give a --disable/enable-gcrypt flag,
 # then mark as disabled if user requested nettle
-# explicitly, or if gnutls links to nettle
+# explicitly
 if test -z "$gcrypt"
 then
-    if test "$nettle" = "yes" || test "$gnutls_nettle" = "yes"
+    if test "$nettle" = "yes"
     then
         gcrypt="no"
     fi
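Review bot: replacing gnutls_works() with a bare `$pkg_config --exists "gnutls >= 3.1.18"` drops the write_c_skeleton/compile_prog sanity check along with the old version logic, and the removed comment explains that this check exists because some distros ship gnutls .pc metadata that passes `--exists` but fails to link for --static builds (the Ubuntu bug linked in the removed comment). After this hunk such a system passes configure and fails at link time. Suggest keeping the compile_prog probe of `$($pkg_config --cflags gnutls)` / `$($pkg_config --libs gnutls)` after the version check, or stating in the commit message why the broken-pkg-config case no longer applies on any supported build platform.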
@@ -2746,10 +2694,10 @@ fi
 
 # If user didn't give a --disable/enable-nettle flag,
 # then mark as disabled if user requested gcrypt
-# explicitly, or if gnutls links to gcrypt
+# explicitly
 if test -z "$nettle"
 then
-    if test "$gcrypt" = "yes" || test "$gnutls_gcrypt" = "yes"
+    if test "$gcrypt" = "yes"
     then
         nettle="no"
     fi
@@ -2773,6 +2721,40 @@ has_libgcrypt_config() {
     return 0
 }
 
+
+if test "$nettle" != "no"; then
+    if $pkg_config --exists "nettle"; then
+        nettle_cflags=$($pkg_config --cflags nettle)
+        nettle_libs=$($pkg_config --libs nettle)
+        nettle_version=$($pkg_config --modversion nettle)
+        libs_softmmu="$nettle_libs $libs_softmmu"
+        libs_tools="$nettle_libs $libs_tools"
+        QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
+        nettle="yes"
+
+        cat > $TMPC << EOF
+#include <stddef.h>
+#include <nettle/pbkdf2.h>
+int main(void) {
+     pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
+     return 0;
+}
+EOF
+        if test -z "$gcrypt"; then
+           gcrypt="no"
+        fi
+        if compile_prog "$nettle_cflags" "$nettle_libs" ; then
+            nettle_kdf=yes
+        fi
+    else
+        if test "$nettle" = "yes"; then
+            feature_not_found "nettle" "Install nettle devel"
+        else
+            nettle="no"
+        fi
+    fi
+fi
+
 if test "$gcrypt" != "no"; then
     if has_libgcrypt_config; then
         gcrypt_cflags=$(libgcrypt-config --cflags)
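Review bot: this hunk is not a pure relocation of the nettle probe: the added `if test -z "$gcrypt"; then gcrypt="no"; fi` inside the nettle block, combined with the removal of the matching `nettle="no"` from the gcrypt block in the next hunk, changes which backend wins when neither --enable-gcrypt nor --enable-nettle is given and both libraries are installed. With gnutls disabled (where the removed gnutls_nettle logic did not already set gcrypt="no") the old order probed gcrypt first and disabled nettle; now nettle is probed first and disables gcrypt. That default flip is reasonable but is not mentioned in the commit message, which only talks about removing version checks; suggest documenting it there.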
@@ -2788,9 +2770,6 @@ if test "$gcrypt" != "no"; then
         libs_tools="$gcrypt_libs $libs_tools"
         QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags"
         gcrypt="yes"
-        if test -z "$nettle"; then
-           nettle="no"
-        fi
 
         cat > $TMPC << EOF
 #include <gcrypt.h>
@@ -2827,36 +2806,6 @@ EOF
 fi
 
 
-if test "$nettle" != "no"; then
-    if $pkg_config --exists "nettle"; then
-        nettle_cflags=$($pkg_config --cflags nettle)
-        nettle_libs=$($pkg_config --libs nettle)
-        nettle_version=$($pkg_config --modversion nettle)
-        libs_softmmu="$nettle_libs $libs_softmmu"
-        libs_tools="$nettle_libs $libs_tools"
-        QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
-        nettle="yes"
-
-        cat > $TMPC << EOF
-#include <stddef.h>
-#include <nettle/pbkdf2.h>
-int main(void) {
-     pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
-     return 0;
-}
-EOF
-        if compile_prog "$nettle_cflags" "$nettle_libs" ; then
-            nettle_kdf=yes
-        fi
-    else
-        if test "$nettle" = "yes"; then
-            feature_not_found "nettle" "Install nettle devel"
-        else
-            nettle="no"
-        fi
-    fi
-fi
-
 if test "$gcrypt" = "yes" && test "$nettle" = "yes"
 then
     error_exit "Only one of gcrypt & nettle can be enabled"
@@ -5961,7 +5910,6 @@ echo "GTK GL support    $gtk_gl"
 echo "VTE support       $vte $(echo_version $vte $vteversion)"
 echo "TLS priority      $tls_priority"
 echo "GNUTLS support    $gnutls"
-echo "GNUTLS rnd        $gnutls_rnd"
 echo "libgcrypt         $gcrypt"
 echo "libgcrypt kdf     $gcrypt_kdf"
 echo "nettle            $nettle $(echo_version $nettle $nettle_version)"
@@ -6401,9 +6349,6 @@ echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak
 if test "$gnutls" = "yes" ; then
   echo "CONFIG_GNUTLS=y" >> $config_host_mak
 fi
-if test "$gnutls_rnd" = "yes" ; then
-  echo "CONFIG_GNUTLS_RND=y" >> $config_host_mak
-fi
 if test "$gcrypt" = "yes" ; then
   echo "CONFIG_GCRYPT=y" >> $config_host_mak
   if test "$gcrypt_hmac" = "yes" ; then
diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h
index 921341c649..88c30d7c94 100644
--- a/tests/crypto-tls-x509-helpers.h
+++ b/tests/crypto-tls-x509-helpers.h
@@ -22,8 +22,7 @@
 #include <gnutls/x509.h>
 
 #if !(defined WIN32) && \
-    defined(CONFIG_TASN1) && \
-    (LIBGNUTLS_VERSION_NUMBER >= 0x020600)
+    defined(CONFIG_TASN1)
 # define QCRYPTO_HAVE_TLS_TEST_SUPPORT
 #endif
 
diff --git a/crypto/init.c b/crypto/init.c
index f131c42306..10bf72463c 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -37,31 +37,13 @@
 /* #define DEBUG_GNUTLS */
 
 /*
- * If GNUTLS is built against GCrypt then
- *
- *  - When GNUTLS >= 2.12, we must not initialize gcrypt threading
- *    because GNUTLS will do that itself
- *  - When GNUTLS < 2.12 we must always initialize gcrypt threading
- *  - When GNUTLS is disabled we must always initialize gcrypt threading
- *
- * But....
- *
- *    When gcrypt >= 1.6.0 we must not initialize gcrypt threading
- *    because gcrypt will do that itself.
- *
- * So we need to init gcrypt threading if
+ * We need to init gcrypt threading if
  *
  *   - gcrypt < 1.6.0
- * AND
- *      - gnutls < 2.12
- *   OR
- *      - gnutls is disabled
  *
  */
 
 #if (defined(CONFIG_GCRYPT) &&                  \
-     (!defined(CONFIG_GNUTLS) ||                \
-     (LIBGNUTLS_VERSION_NUMBER < 0x020c00)) &&    \
      (!defined(GCRYPT_VERSION_NUMBER) ||        \
       (GCRYPT_VERSION_NUMBER < 0x010600)))
 #define QCRYPTO_INIT_GCRYPT_THREADS
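Review bot: the rewritten comment keeps only the resulting condition (`gcrypt < 1.6.0`) and drops the one line of rationale that still applies, namely that libgcrypt >= 1.6.0 initializes its own threading so QEMU must not do it. Without that sentence a reader has no explanation for the 0x010600 threshold in the #if below; suggest keeping "When gcrypt >= 1.6.0 we must not initialize gcrypt threading because gcrypt will do that itself" in the remaining comment.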
diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c
index 98ee0424e5..d6ab4a9862 100644
--- a/crypto/tlscredsx509.c
+++ b/crypto/tlscredsx509.c
@@ -72,14 +72,6 @@ qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert,
 }
 
 
-#if LIBGNUTLS_VERSION_NUMBER >= 2
-/*
- * The gnutls_x509_crt_get_basic_constraints function isn't
- * available in GNUTLS 1.0.x branches. This isn't critical
- * though, since gnutls_certificate_verify_peers2 will do
- * pretty much the same check at runtime, so we can just
- * disable this code
- */
 static int
 qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
                                                gnutls_x509_crt_t cert,
@@ -130,7 +122,6 @@ qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,
 
     return 0;
 }
-#endif
 
 
 static int
@@ -299,14 +290,12 @@ qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds,
         return -1;
     }
 
-#if LIBGNUTLS_VERSION_NUMBER >= 2
     if (qcrypto_tls_creds_check_cert_basic_constraints(creds,
                                                        cert, certFile,
                                                        isServer, isCA,
                                                        errp) < 0) {
         return -1;
     }
-#endif
 
     if (qcrypto_tls_creds_check_cert_key_usage(creds,
                                                cert, certFile,
@@ -615,7 +604,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
     }
 
     if (cert != NULL && key != NULL) {
-#if LIBGNUTLS_VERSION_NUMBER >= 0x030111
         char *password = NULL;
         if (creds->passwordid) {
             password = qcrypto_secret_lookup_as_utf8(creds->passwordid,
@@ -630,15 +618,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds,
                                                     password,
                                                     0);
         g_free(password);
-#else /* LIBGNUTLS_VERSION_NUMBER < 0x030111 */
-        if (creds->passwordid) {
-            error_setg(errp, "PKCS8 decryption requires GNUTLS >= 3.1.11");
-            goto cleanup;
-        }
-        ret = gnutls_certificate_set_x509_key_file(creds->data,
-                                                   cert, key,
-                                                   GNUTLS_X509_FMT_PEM);
-#endif
         if (ret < 0) {
             error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",
                        cert, key, gnutls_strerror(ret));
diff --git a/crypto/tlssession.c b/crypto/tlssession.c
index 66a6fbe19c..2f28fa7f71 100644
--- a/crypto/tlssession.c
+++ b/crypto/tlssession.c
@@ -90,13 +90,7 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t len)
 }
 
 #define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH"
-
-#if GNUTLS_VERSION_MAJOR >= 3
-#define TLS_ECDHE_PSK "+ECDHE-PSK:"
-#else
-#define TLS_ECDHE_PSK ""
-#endif
-#define TLS_PRIORITY_ADDITIONAL_PSK TLS_ECDHE_PSK "+DHE-PSK:+PSK"
+#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK"
 
 QCryptoTLSSession *
 qcrypto_tls_session_new(QCryptoTLSCreds *creds,
diff --git a/tests/test-crypto-tlscredsx509.c b/tests/test-crypto-tlscredsx509.c
index 30f9ac4bbf..940a026c6e 100644
--- a/tests/test-crypto-tlscredsx509.c
+++ b/tests/test-crypto-tlscredsx509.c
@@ -283,14 +283,8 @@ int main(int argc, char **argv)
                  true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL,
                  0, 0);
 
-    /* Technically a CA cert with basic constraints
-     * key purpose == key signing + non-critical should
-     * be rejected. GNUTLS < 3.1 does not reject it and
-     * we don't anticipate them changing this behaviour
-     */
     TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename,
-                (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) ||
-                GNUTLS_VERSION_MAJOR > 3);
+                 true);
     TLS_TEST_REG(badca2, true,
                  cacert5req.filename, servercert5req.filename, true);
     TLS_TEST_REG(badca3, true,
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index 756bab111b..a62cedaf36 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -20,8 +20,8 @@ crypto-obj-y += tlscredsx509.o
 crypto-obj-y += tlssession.o
 crypto-obj-y += secret.o
 crypto-obj-$(CONFIG_GCRYPT) += random-gcrypt.o
-crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS_RND)) += random-gnutls.o
-crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS_RND),n,y)) += random-platform.o
+crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
+crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o
 crypto-obj-y += pbkdf.o
 crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o
 crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) += pbkdf-gcrypt.o
-- 
2.17.2


* [Qemu-devel] [PULL 2/3] crypto: require libgcrypt >= 1.5.0 for building QEMU
From: Daniel P. Berrangé @ 2018-10-19 13:43 UTC
  To: qemu-devel; +Cc: Peter Maydell, Daniel P. Berrangé

libgcrypt 1.5.0 was released in 2011 and all the distros that are build
target platforms for QEMU [1] include it:

  RHEL-7: 1.5.3
  Debian (Stretch): 1.7.6
  Debian (Jessie): 1.6.3
  OpenBSD (ports): 1.8.2
  FreeBSD (ports): 1.8.3
  OpenSUSE Leap 15: 1.8.2
  Ubuntu (Xenial): 1.6.5
  macOS (Homebrew): 1.8.3

Based on this, it is reasonable to require libgcrypt >= 1.5.0 in QEMU
which allows for some conditional version checks in the code to be
removed.

[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 configure                 | 32 +++++++++++---------------------
 crypto/init.c             |  3 +--
 tests/test-crypto-block.c |  2 +-
 crypto/Makefile.objs      |  2 +-
 tests/Makefile.include    |  2 +-
 5 files changed, 15 insertions(+), 26 deletions(-)

diff --git a/configure b/configure
index 008f666c83..f943d6618a 100755
--- a/configure
+++ b/configure
@@ -461,7 +461,6 @@ nettle=""
 nettle_kdf="no"
 gcrypt=""
 gcrypt_hmac="no"
-gcrypt_kdf="no"
 vte=""
 virglrenderer=""
 tpm="yes"
@@ -2703,7 +2702,7 @@ then
     fi
 fi
 
-has_libgcrypt_config() {
+has_libgcrypt() {
     if ! has "libgcrypt-config"
     then
 	return 1
@@ -2718,6 +2717,14 @@ has_libgcrypt_config() {
 	fi
     fi
 
+    maj=`libgcrypt-config --version | awk -F . '{print $1}'`
+    min=`libgcrypt-config --version | awk -F . '{print $2}'`
+
+    if test $maj != 1 || test $min -lt 5
+    then
+       return 1
+    fi
+
     return 0
 }
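Review bot: the new version check in has_libgcrypt() is fragile in two ways. `test $maj != 1 || test $min -lt 5` uses unquoted variables, so if `libgcrypt-config --version` prints nothing or something non-numeric the test aborts with a shell error instead of cleanly returning 1; and `$maj != 1` rejects every future major version, which is stricter than the ">= 1.5.0" the commit title promises. Suggest quoting and defaulting the values (e.g. `maj=${maj:-0}`), comparing numerically as `test "$maj" -gt 1 || { test "$maj" -eq 1 && test "$min" -ge 5; }`, and using `$(...)` instead of backticks to match the surrounding script (`gcrypt_cflags=$(libgcrypt-config --cflags)` in the next hunk).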
 
@@ -2756,7 +2763,7 @@ EOF
 fi
 
 if test "$gcrypt" != "no"; then
-    if has_libgcrypt_config; then
+    if has_libgcrypt; then
         gcrypt_cflags=$(libgcrypt-config --cflags)
         gcrypt_libs=$(libgcrypt-config --libs)
         # Debian has remove -lgpg-error from libgcrypt-config
@@ -2773,19 +2780,6 @@ if test "$gcrypt" != "no"; then
 
         cat > $TMPC << EOF
 #include <gcrypt.h>
-int main(void) {
-  gcry_kdf_derive(NULL, 0, GCRY_KDF_PBKDF2,
-                  GCRY_MD_SHA256,
-                  NULL, 0, 0, 0, NULL);
- return 0;
-}
-EOF
-        if compile_prog "$gcrypt_cflags" "$gcrypt_libs" ; then
-            gcrypt_kdf=yes
-        fi
-
-        cat > $TMPC << EOF
-#include <gcrypt.h>
 int main(void) {
   gcry_mac_hd_t handle;
   gcry_mac_open(&handle, GCRY_MAC_HMAC_MD5,
@@ -2798,7 +2792,7 @@ EOF
         fi
     else
         if test "$gcrypt" = "yes"; then
-            feature_not_found "gcrypt" "Install gcrypt devel"
+            feature_not_found "gcrypt" "Install gcrypt devel >= 1.5.0"
         else
             gcrypt="no"
         fi
@@ -5911,7 +5905,6 @@ echo "VTE support       $vte $(echo_version $vte $vteversion)"
 echo "TLS priority      $tls_priority"
 echo "GNUTLS support    $gnutls"
 echo "libgcrypt         $gcrypt"
-echo "libgcrypt kdf     $gcrypt_kdf"
 echo "nettle            $nettle $(echo_version $nettle $nettle_version)"
 echo "nettle kdf        $nettle_kdf"
 echo "libtasn1          $tasn1"
@@ -6354,9 +6347,6 @@ if test "$gcrypt" = "yes" ; then
   if test "$gcrypt_hmac" = "yes" ; then
     echo "CONFIG_GCRYPT_HMAC=y" >> $config_host_mak
   fi
-  if test "$gcrypt_kdf" = "yes" ; then
-    echo "CONFIG_GCRYPT_KDF=y" >> $config_host_mak
-  fi
 fi
 if test "$nettle" = "yes" ; then
   echo "CONFIG_NETTLE=y" >> $config_host_mak
diff --git a/crypto/init.c b/crypto/init.c
index 10bf72463c..c30156405a 100644
--- a/crypto/init.c
+++ b/crypto/init.c
@@ -44,8 +44,7 @@
  */
 
 #if (defined(CONFIG_GCRYPT) &&                  \
-     (!defined(GCRYPT_VERSION_NUMBER) ||        \
-      (GCRYPT_VERSION_NUMBER < 0x010600)))
+     (GCRYPT_VERSION_NUMBER < 0x010600))
 #define QCRYPTO_INIT_GCRYPT_THREADS
 #else
 #undef QCRYPTO_INIT_GCRYPT_THREADS
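Review bot: dropping `!defined(GCRYPT_VERSION_NUMBER)` is only justified if every gcrypt.h shipped by libgcrypt >= 1.5.0 defines that macro; the commit message does not say so, and it should, since that is the actual reason this hunk is safe. Note that the preprocessor would not catch a wrong assumption here: an undefined identifier in `#if` evaluates to 0, so a bare `GCRYPT_VERSION_NUMBER < 0x010600` would silently become `0 < 0x010600` (true) and enable QCRYPTO_INIT_GCRYPT_THREADS rather than fail the build.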
diff --git a/tests/test-crypto-block.c b/tests/test-crypto-block.c
index fd29a045d2..bd512cc79a 100644
--- a/tests/test-crypto-block.c
+++ b/tests/test-crypto-block.c
@@ -29,7 +29,7 @@
 #endif
 
 #if (defined(_WIN32) || defined RUSAGE_THREAD) && \
-    (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT_KDF))
+    (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT))
 #define TEST_LUKS
 #else
 #undef TEST_LUKS
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index a62cedaf36..6a908f51f5 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -24,7 +24,7 @@ crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
 crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o
 crypto-obj-y += pbkdf.o
 crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o
-crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) += pbkdf-gcrypt.o
+crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
 crypto-obj-y += ivgen.o
 crypto-obj-y += ivgen-essiv.o
 crypto-obj-y += ivgen-plain.o
diff --git a/tests/Makefile.include b/tests/Makefile.include
index 7fe8578972..0c8113ffa6 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -115,7 +115,7 @@ check-unit-$(CONFIG_GNUTLS) += tests/test-io-channel-tls$(EXESUF)
 check-unit-y += tests/test-io-channel-command$(EXESUF)
 check-unit-y += tests/test-io-channel-buffer$(EXESUF)
 check-unit-y += tests/test-base64$(EXESUF)
-check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT_KDF)) += tests/test-crypto-pbkdf$(EXESUF)
+check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT)) += tests/test-crypto-pbkdf$(EXESUF)
 check-unit-y += tests/test-crypto-ivgen$(EXESUF)
 check-unit-y += tests/test-crypto-afsplit$(EXESUF)
 check-unit-y += tests/test-crypto-xts$(EXESUF)
-- 
2.17.2


* [Qemu-devel] [PULL 3/3] crypto: require nettle >= 2.7.1 for building QEMU
From: Daniel P. Berrangé @ 2018-10-19 13:43 UTC
  To: qemu-devel; +Cc: Peter Maydell, Daniel P. Berrangé

nettle 2.7.1 was released in 2013 and all the distros that are build
target platforms for QEMU [1] include it:

  RHEL-7: 2.7.1
  Debian (Stretch): 3.3
  Debian (Jessie): 2.7.1
  OpenBSD (ports): 3.4
  FreeBSD (ports): 3.4
  OpenSUSE Leap 15: 3.4
  Ubuntu (Xenial): 3.2
  macOS (Homebrew): 3.4

Based on this, it is reasonable to require nettle >= 2.7.1 in QEMU
which allows for some conditional version checks in the code to be
removed.

[1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 configure                 | 20 ++------------------
 tests/test-crypto-block.c |  2 +-
 crypto/Makefile.objs      |  4 ++--
 tests/Makefile.include    |  2 +-
 4 files changed, 6 insertions(+), 22 deletions(-)

diff --git a/configure b/configure
index f943d6618a..5a508206e1 100755
--- a/configure
+++ b/configure
@@ -458,7 +458,6 @@ gtk_gl="no"
 tls_priority="NORMAL"
 gnutls=""
 nettle=""
-nettle_kdf="no"
 gcrypt=""
 gcrypt_hmac="no"
 vte=""
@@ -2730,7 +2729,7 @@ has_libgcrypt() {
 
 
 if test "$nettle" != "no"; then
-    if $pkg_config --exists "nettle"; then
+    if $pkg_config --exists "nettle >= 2.7.1"; then
         nettle_cflags=$($pkg_config --cflags nettle)
         nettle_libs=$($pkg_config --libs nettle)
         nettle_version=$($pkg_config --modversion nettle)
@@ -2739,23 +2738,12 @@ if test "$nettle" != "no"; then
         QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"
         nettle="yes"
 
-        cat > $TMPC << EOF
-#include <stddef.h>
-#include <nettle/pbkdf2.h>
-int main(void) {
-     pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);
-     return 0;
-}
-EOF
         if test -z "$gcrypt"; then
            gcrypt="no"
         fi
-        if compile_prog "$nettle_cflags" "$nettle_libs" ; then
-            nettle_kdf=yes
-        fi
     else
         if test "$nettle" = "yes"; then
-            feature_not_found "nettle" "Install nettle devel"
+            feature_not_found "nettle" "Install nettle devel >= 2.7.1"
         else
             nettle="no"
         fi
@@ -5906,7 +5894,6 @@ echo "TLS priority      $tls_priority"
 echo "GNUTLS support    $gnutls"
 echo "libgcrypt         $gcrypt"
 echo "nettle            $nettle $(echo_version $nettle $nettle_version)"
-echo "nettle kdf        $nettle_kdf"
 echo "libtasn1          $tasn1"
 echo "curses support    $curses"
 echo "virgl support     $virglrenderer $(echo_version $virglrenderer $virgl_version)"
@@ -6351,9 +6338,6 @@ fi
 if test "$nettle" = "yes" ; then
   echo "CONFIG_NETTLE=y" >> $config_host_mak
   echo "CONFIG_NETTLE_VERSION_MAJOR=${nettle_version%%.*}" >> $config_host_mak
-  if test "$nettle_kdf" = "yes" ; then
-    echo "CONFIG_NETTLE_KDF=y" >> $config_host_mak
-  fi
 fi
 if test "$tasn1" = "yes" ; then
   echo "CONFIG_TASN1=y" >> $config_host_mak
diff --git a/tests/test-crypto-block.c b/tests/test-crypto-block.c
index bd512cc79a..fae4ffc453 100644
--- a/tests/test-crypto-block.c
+++ b/tests/test-crypto-block.c
@@ -29,7 +29,7 @@
 #endif
 
 #if (defined(_WIN32) || defined RUSAGE_THREAD) && \
-    (defined(CONFIG_NETTLE_KDF) || defined(CONFIG_GCRYPT))
+    (defined(CONFIG_NETTLE) || defined(CONFIG_GCRYPT))
 #define TEST_LUKS
 #else
 #undef TEST_LUKS
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index 6a908f51f5..256c9aca1f 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -23,8 +23,8 @@ crypto-obj-$(CONFIG_GCRYPT) += random-gcrypt.o
 crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
 crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o
 crypto-obj-y += pbkdf.o
-crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o
-crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
+crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
+crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
 crypto-obj-y += ivgen.o
 crypto-obj-y += ivgen-essiv.o
 crypto-obj-y += ivgen-plain.o
diff --git a/tests/Makefile.include b/tests/Makefile.include
index 0c8113ffa6..f77a495109 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -115,7 +115,7 @@ check-unit-$(CONFIG_GNUTLS) += tests/test-io-channel-tls$(EXESUF)
 check-unit-y += tests/test-io-channel-command$(EXESUF)
 check-unit-y += tests/test-io-channel-buffer$(EXESUF)
 check-unit-y += tests/test-base64$(EXESUF)
-check-unit-$(if $(CONFIG_NETTLE_KDF),y,$(CONFIG_GCRYPT)) += tests/test-crypto-pbkdf$(EXESUF)
+check-unit-$(if $(CONFIG_NETTLE),y,$(CONFIG_GCRYPT)) += tests/test-crypto-pbkdf$(EXESUF)
 check-unit-y += tests/test-crypto-ivgen$(EXESUF)
 check-unit-y += tests/test-crypto-afsplit$(EXESUF)
 check-unit-y += tests/test-crypto-xts$(EXESUF)
-- 
2.17.2


* Re: [Qemu-devel] [PULL 0/3] Qcrypto next patches
From: Peter Maydell @ 2018-10-23 13:06 UTC
  To: Daniel P. Berrangé; +Cc: QEMU Developers

On 19 October 2018 at 14:43, Daniel P. Berrangé <berrange@redhat.com> wrote:
> The following changes since commit 2ec24af2379e331d062a6fc1cda65bc262c7c17b:
>
>   Merge remote-tracking branch 'remotes/amarkovic/tags/mips-queue-october-2018-part1-v2' into staging (2018-10-19 10:08:31 +0100)
>
> are available in the Git repository at:
>
>   https://github.com/berrange/qemu tags/qcrypto-next-pull-request
>
> for you to fetch changes up to 64dd2f3b5b090c21c3e82142de3fe7b4793ce6c8:
>
>   crypto: require nettle >= 2.7.1 for building QEMU (2018-10-19 14:41:47 +0100)
>
> ----------------------------------------------------------------
> Update min required crypto library versions
>
> The min required versions for crypto libraries are now
>
>  - gnutls >= 3.1.18
>  - nettle >= 2.7.1
>  - libgcrypt >= 1.5.0
>

Applied, thanks.

-- PMM
