From patchwork Fri Oct 19 13:43:16 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= X-Patchwork-Id: 10649549 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0404C109C for ; Fri, 19 Oct 2018 13:55:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E508128BB3 for ; Fri, 19 Oct 2018 13:55:27 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D992328BBC; Fri, 19 Oct 2018 13:55:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id ED53328BB3 for ; Fri, 19 Oct 2018 13:55:26 +0000 (UTC) Received: from localhost ([::1]:50711 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gDVFO-0001zl-2N for patchwork-qemu-devel@patchwork.kernel.org; Fri, 19 Oct 2018 09:55:26 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:39554) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gDV4M-0000St-Cx for qemu-devel@nongnu.org; Fri, 19 Oct 2018 09:44:05 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gDV4H-00083Y-RR for qemu-devel@nongnu.org; Fri, 19 Oct 2018 09:44:02 -0400 Received: from mx1.redhat.com ([209.132.183.28]:41770) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gDV3t-0006sB-76 for qemu-devel@nongnu.org; Fri, 19 Oct 2018 09:43:57 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 9D3DB88307; Fri, 19 Oct 2018 13:43:21 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.42.22.189]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2FA9965327; Fri, 19 Oct 2018 13:43:20 +0000 (UTC) From: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Fri, 19 Oct 2018 14:43:16 +0100 Message-Id: <20181019134318.17155-2-berrange@redhat.com> In-Reply-To: <20181019134318.17155-1-berrange@redhat.com> References: <20181019134318.17155-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Fri, 19 Oct 2018 13:43:21 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 1/3] crypto: require gnutls >= 3.1.18 for building QEMU X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP gnutls 3.0.0 was released in 2011 and all the distros that are build target platforms for QEMU [1] include it: RHEL-7: 3.1.18 Debian (Stretch): 3.5.8 Debian (Jessie): 3.3.8 OpenBSD (ports): 3.5.18 FreeBSD (ports): 3.5.18 OpenSUSE Leap 15: 3.6.2 Ubuntu (Xenial): 3.4.10 macOS (Homebrew): 3.5.19 Based on this, it is reasonable to require gnutls >= 3.1.18 in QEMU which allows for all conditional version checks in the code to be removed. [1] https://qemu.weilnetz.de/doc/qemu-doc.html#Supported-build-platforms Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrangé --- configure | 135 +++++++++---------------------- tests/crypto-tls-x509-helpers.h | 3 +- crypto/init.c | 20 +---- crypto/tlscredsx509.c | 21 ----- crypto/tlssession.c | 8 +- tests/test-crypto-tlscredsx509.c | 8 +- crypto/Makefile.objs | 4 +- 7 files changed, 46 insertions(+), 153 deletions(-) diff --git a/configure b/configure index 9138af37f8..008f666c83 100755 --- a/configure +++ b/configure @@ -457,7 +457,6 @@ gtk="" gtk_gl="no" tls_priority="NORMAL" gnutls="" -gnutls_rnd="" nettle="" nettle_kdf="no" gcrypt="" @@ -2666,79 +2665,28 @@ fi ########################################## # GNUTLS probe -gnutls_works() { - # Unfortunately some distros have bad pkg-config information for gnutls - # such that it claims to exist but you get a compiler error if you try - # to use the options returned by --libs. Specifically, Ubuntu for --static - # builds doesn't work: - # https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1478035 - # - # So sanity check the cflags/libs before assuming gnutls can be used. - if ! $pkg_config --exists "gnutls"; then - return 1 - fi - - write_c_skeleton - compile_prog "$($pkg_config --cflags gnutls)" "$($pkg_config --libs gnutls)" -} - -gnutls_gcrypt=no -gnutls_nettle=no if test "$gnutls" != "no"; then - if gnutls_works; then + if $pkg_config --exists "gnutls >= 3.1.18"; then gnutls_cflags=$($pkg_config --cflags gnutls) gnutls_libs=$($pkg_config --libs gnutls) libs_softmmu="$gnutls_libs $libs_softmmu" libs_tools="$gnutls_libs $libs_tools" QEMU_CFLAGS="$QEMU_CFLAGS $gnutls_cflags" gnutls="yes" - - # gnutls_rnd requires >= 2.11.0 - if $pkg_config --exists "gnutls >= 2.11.0"; then - gnutls_rnd="yes" - else - gnutls_rnd="no" - fi - - if $pkg_config --exists 'gnutls >= 3.0'; then - gnutls_gcrypt=no - gnutls_nettle=yes - elif $pkg_config --exists 'gnutls >= 2.12'; then - case $($pkg_config --libs --static gnutls) in - *gcrypt*) - gnutls_gcrypt=yes - gnutls_nettle=no - ;; - *nettle*) - gnutls_gcrypt=no - gnutls_nettle=yes - ;; - *) - gnutls_gcrypt=yes - gnutls_nettle=no - ;; - esac - else - gnutls_gcrypt=yes - gnutls_nettle=no - fi elif test "$gnutls" = "yes"; then - feature_not_found "gnutls" "Install gnutls devel" + feature_not_found "gnutls" "Install gnutls devel >= 3.1.18" else gnutls="no" - gnutls_rnd="no" fi -else - gnutls_rnd="no" fi # If user didn't give a --disable/enable-gcrypt flag, # then mark as disabled if user requested nettle -# explicitly, or if gnutls links to nettle +# explicitly if test -z "$gcrypt" then - if test "$nettle" = "yes" || test "$gnutls_nettle" = "yes" + if test "$nettle" = "yes" then gcrypt="no" fi @@ -2746,10 +2694,10 @@ fi # If user didn't give a --disable/enable-nettle flag, # then mark as disabled if user requested gcrypt -# explicitly, or if gnutls links to gcrypt +# explicitly if test -z "$nettle" then - if test "$gcrypt" = "yes" || test "$gnutls_gcrypt" = "yes" + if test "$gcrypt" = "yes" then nettle="no" fi @@ -2773,6 +2721,40 @@ has_libgcrypt_config() { return 0 } + +if test "$nettle" != "no"; then + if $pkg_config --exists "nettle"; then + nettle_cflags=$($pkg_config --cflags nettle) + nettle_libs=$($pkg_config --libs nettle) + nettle_version=$($pkg_config --modversion nettle) + libs_softmmu="$nettle_libs $libs_softmmu" + libs_tools="$nettle_libs $libs_tools" + QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags" + nettle="yes" + + cat > $TMPC << EOF +#include +#include +int main(void) { + pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL); + return 0; +} +EOF + if test -z "$gcrypt"; then + gcrypt="no" + fi + if compile_prog "$nettle_cflags" "$nettle_libs" ; then + nettle_kdf=yes + fi + else + if test "$nettle" = "yes"; then + feature_not_found "nettle" "Install nettle devel" + else + nettle="no" + fi + fi +fi + if test "$gcrypt" != "no"; then if has_libgcrypt_config; then gcrypt_cflags=$(libgcrypt-config --cflags) @@ -2788,9 +2770,6 @@ if test "$gcrypt" != "no"; then libs_tools="$gcrypt_libs $libs_tools" QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags" gcrypt="yes" - if test -z "$nettle"; then - nettle="no" - fi cat > $TMPC << EOF #include @@ -2827,36 +2806,6 @@ EOF fi -if test "$nettle" != "no"; then - if $pkg_config --exists "nettle"; then - nettle_cflags=$($pkg_config --cflags nettle) - nettle_libs=$($pkg_config --libs nettle) - nettle_version=$($pkg_config --modversion nettle) - libs_softmmu="$nettle_libs $libs_softmmu" - libs_tools="$nettle_libs $libs_tools" - QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags" - nettle="yes" - - cat > $TMPC << EOF -#include -#include -int main(void) { - pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL); - return 0; -} -EOF - if compile_prog "$nettle_cflags" "$nettle_libs" ; then - nettle_kdf=yes - fi - else - if test "$nettle" = "yes"; then - feature_not_found "nettle" "Install nettle devel" - else - nettle="no" - fi - fi -fi - if test "$gcrypt" = "yes" && test "$nettle" = "yes" then error_exit "Only one of gcrypt & nettle can be enabled" @@ -5961,7 +5910,6 @@ echo "GTK GL support $gtk_gl" echo "VTE support $vte $(echo_version $vte $vteversion)" echo "TLS priority $tls_priority" echo "GNUTLS support $gnutls" -echo "GNUTLS rnd $gnutls_rnd" echo "libgcrypt $gcrypt" echo "libgcrypt kdf $gcrypt_kdf" echo "nettle $nettle $(echo_version $nettle $nettle_version)" @@ -6401,9 +6349,6 @@ echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak if test "$gnutls" = "yes" ; then echo "CONFIG_GNUTLS=y" >> $config_host_mak fi -if test "$gnutls_rnd" = "yes" ; then - echo "CONFIG_GNUTLS_RND=y" >> $config_host_mak -fi if test "$gcrypt" = "yes" ; then echo "CONFIG_GCRYPT=y" >> $config_host_mak if test "$gcrypt_hmac" = "yes" ; then diff --git a/tests/crypto-tls-x509-helpers.h b/tests/crypto-tls-x509-helpers.h index 921341c649..88c30d7c94 100644 --- a/tests/crypto-tls-x509-helpers.h +++ b/tests/crypto-tls-x509-helpers.h @@ -22,8 +22,7 @@ #include #if !(defined WIN32) && \ - defined(CONFIG_TASN1) && \ - (LIBGNUTLS_VERSION_NUMBER >= 0x020600) + defined(CONFIG_TASN1) # define QCRYPTO_HAVE_TLS_TEST_SUPPORT #endif diff --git a/crypto/init.c b/crypto/init.c index f131c42306..10bf72463c 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -37,31 +37,13 @@ /* #define DEBUG_GNUTLS */ /* - * If GNUTLS is built against GCrypt then - * - * - When GNUTLS >= 2.12, we must not initialize gcrypt threading - * because GNUTLS will do that itself - * - When GNUTLS < 2.12 we must always initialize gcrypt threading - * - When GNUTLS is disabled we must always initialize gcrypt threading - * - * But.... - * - * When gcrypt >= 1.6.0 we must not initialize gcrypt threading - * because gcrypt will do that itself. - * - * So we need to init gcrypt threading if + * We need to init gcrypt threading if * * - gcrypt < 1.6.0 - * AND - * - gnutls < 2.12 - * OR - * - gnutls is disabled * */ #if (defined(CONFIG_GCRYPT) && \ - (!defined(CONFIG_GNUTLS) || \ - (LIBGNUTLS_VERSION_NUMBER < 0x020c00)) && \ (!defined(GCRYPT_VERSION_NUMBER) || \ (GCRYPT_VERSION_NUMBER < 0x010600))) #define QCRYPTO_INIT_GCRYPT_THREADS diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index 98ee0424e5..d6ab4a9862 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -72,14 +72,6 @@ qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert, } -#if LIBGNUTLS_VERSION_NUMBER >= 2 -/* - * The gnutls_x509_crt_get_basic_constraints function isn't - * available in GNUTLS 1.0.x branches. This isn't critical - * though, since gnutls_certificate_verify_peers2 will do - * pretty much the same check at runtime, so we can just - * disable this code - */ static int qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds, gnutls_x509_crt_t cert, @@ -130,7 +122,6 @@ qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds, return 0; } -#endif static int @@ -299,14 +290,12 @@ qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds, return -1; } -#if LIBGNUTLS_VERSION_NUMBER >= 2 if (qcrypto_tls_creds_check_cert_basic_constraints(creds, cert, certFile, isServer, isCA, errp) < 0) { return -1; } -#endif if (qcrypto_tls_creds_check_cert_key_usage(creds, cert, certFile, @@ -615,7 +604,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, } if (cert != NULL && key != NULL) { -#if LIBGNUTLS_VERSION_NUMBER >= 0x030111 char *password = NULL; if (creds->passwordid) { password = qcrypto_secret_lookup_as_utf8(creds->passwordid, @@ -630,15 +618,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, password, 0); g_free(password); -#else /* LIBGNUTLS_VERSION_NUMBER < 0x030111 */ - if (creds->passwordid) { - error_setg(errp, "PKCS8 decryption requires GNUTLS >= 3.1.11"); - goto cleanup; - } - ret = gnutls_certificate_set_x509_key_file(creds->data, - cert, key, - GNUTLS_X509_FMT_PEM); -#endif if (ret < 0) { error_setg(errp, "Cannot load certificate '%s' & key '%s': %s", cert, key, gnutls_strerror(ret)); diff --git a/crypto/tlssession.c b/crypto/tlssession.c index 66a6fbe19c..2f28fa7f71 100644 --- a/crypto/tlssession.c +++ b/crypto/tlssession.c @@ -90,13 +90,7 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t len) } #define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH" - -#if GNUTLS_VERSION_MAJOR >= 3 -#define TLS_ECDHE_PSK "+ECDHE-PSK:" -#else -#define TLS_ECDHE_PSK "" -#endif -#define TLS_PRIORITY_ADDITIONAL_PSK TLS_ECDHE_PSK "+DHE-PSK:+PSK" +#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK" QCryptoTLSSession * qcrypto_tls_session_new(QCryptoTLSCreds *creds, diff --git a/tests/test-crypto-tlscredsx509.c b/tests/test-crypto-tlscredsx509.c index 30f9ac4bbf..940a026c6e 100644 --- a/tests/test-crypto-tlscredsx509.c +++ b/tests/test-crypto-tlscredsx509.c @@ -283,14 +283,8 @@ int main(int argc, char **argv) true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); - /* Technically a CA cert with basic constraints - * key purpose == key signing + non-critical should - * be rejected. GNUTLS < 3.1 does not reject it and - * we don't anticipate them changing this behaviour - */ TLS_TEST_REG(badca1, true, cacert4req.filename, servercert4req.filename, - (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 1) || - GNUTLS_VERSION_MAJOR > 3); + true); TLS_TEST_REG(badca2, true, cacert5req.filename, servercert5req.filename, true); TLS_TEST_REG(badca3, true, diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs index 756bab111b..a62cedaf36 100644 --- a/crypto/Makefile.objs +++ b/crypto/Makefile.objs @@ -20,8 +20,8 @@ crypto-obj-y += tlscredsx509.o crypto-obj-y += tlssession.o crypto-obj-y += secret.o crypto-obj-$(CONFIG_GCRYPT) += random-gcrypt.o -crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS_RND)) += random-gnutls.o -crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS_RND),n,y)) += random-platform.o +crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o +crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o crypto-obj-y += pbkdf.o crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) += pbkdf-gcrypt.o