From: Daniel P. Berrangé
To: qemu-devel@nongnu.org
Cc: Eduardo Otubo, Daniel P. Berrangé, Juan Quintela, Jason Wang, "Dr. David Alan Gilbert", Markus Armbruster, Gerd Hoffmann, Jiri Pirko, Eric Blake
Subject: [PULL 12/22] crypto: flip priority of backends to prefer gcrypt
Date: Mon, 12 Jul 2021 14:02:13 +0100
Message-Id: <20210712130223.1825930-13-berrange@redhat.com>

Originally we preferred to use nettle over gcrypt because gnutls already links to nettle and thus it minimizes the dependencies. In retrospect this was the wrong criteria to optimize for. Currently shipping versions of gcrypt have cipher impls that are massively faster than those in nettle and this is way more important.

The nettle library is also not capable of enforcing FIPS compliance, since it considers that out of scope. It merely aims to provide general purpose impls of algorithms, and usage policy is left upto the layer above, such as GNUTLS. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrangé --- meson.build | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/meson.build b/meson.build index 2cf2e8b0b8..cc08561fbd 100644 --- a/meson.build +++ b/meson.build @@ -827,22 +827,13 @@ if not get_option('gnutls').auto() or have_system kwargs: static_kwargs) endif -# Nettle has priority over gcrypt +# Gcrypt has priority over nettle gcrypt = not_found nettle = not_found xts = 'none' if get_option('nettle').enabled() and get_option('gcrypt').enabled() error('Only one of gcrypt & nettle can be enabled') -elif (not get_option('nettle').auto() or have_system) and not get_option('gcrypt').enabled() - nettle = dependency('nettle', version: '>=3.4', - method: 'pkg-config', - required: get_option('nettle'), - kwargs: static_kwargs) - if nettle.found() and not cc.has_header('nettle/xts.h', dependencies: nettle) - xts = 'private' - endif -endif -if (not get_option('gcrypt').auto() or have_system) and not nettle.found() +elif (not get_option('gcrypt').auto() or have_system) and not get_option('nettle').enabled() gcrypt = dependency('libgcrypt', version: '>=1.8', method: 'config-tool', required: get_option('gcrypt'), @@ -856,6 +847,15 @@ if (not get_option('gcrypt').auto() or have_system) and not nettle.found() cc.find_library('gpg-error', required: true, kwargs: static_kwargs)]) endif endif +if (not get_option('nettle').auto() or have_system) and not gcrypt.found() + nettle = dependency('nettle', version: '>=3.4', + method: 'pkg-config', + required: get_option('nettle'), + kwargs: static_kwargs) + if nettle.found() and not cc.has_header('nettle/xts.h', dependencies: nettle) + xts = 'private' + endif +endif gtk = not_found gtkx11 = not_found -- 2.31.1
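Review bot: In the first hunk (@@ -827,22 +827,13 @@), the new comment "# Gcrypt has priority over nettle" records the ordering but not the reasons given in the commit message (faster cipher implementations, and nettle not enforcing FIPS compliance). Putting those reasons in the comment would stop a later cleanup from flipping the order back to minimize dependencies. Also note that with both options left on auto and libgcrypt >=1.8 installed, the `elif (not get_option('gcrypt').auto() or have_system) and not get_option('nettle').enabled()` branch now selects gcrypt where the same build previously selected nettle, so the change of crypto backend is silent for existing default builds and deserves a line in the release notes or the configure summary.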
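Review bot: In the second hunk (@@ -856,6 +847,15 @@), the relocated nettle block is guarded by `not gcrypt.found()`, so a build with both options on auto falls back to nettle without any message whenever libgcrypt >=1.8 is not detected. Since the commit message says nettle cannot enforce FIPS compliance, that fallback changes the security properties of the binary and should be documented: add a comment above the `if` saying it is the fallback path, and point out that builds which depend on gcrypt should pass -Dgcrypt=enabled so that `required: get_option('gcrypt')` makes a missing libgcrypt a configure error instead of a quiet downgrade.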