[for-qemu-trad] Fix build with newer version of GNUTLS

Message ID	1462443284-20588-1-git-send-email-wei.liu2@citrix.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <xen-devel-bounces@lists.xen.org> From: Wei Liu <wei.liu2@citrix.com> To: Xen-devel <xen-devel@lists.xenproject.org> Date: Thu, 5 May 2016 11:14:44 +0100 Message-ID: <1462443284-20588-1-git-send-email-wei.liu2@citrix.com> MIME-Version: 1.0 Cc: Sjoer van der Ploeg <sfjuocekr@gmail.com>, Wei Liu <wei.liu2@citrix.com>, Ian Jackson <Ian.Jackson@eu.citrix.com> Subject: [Xen-devel] [PATCH for-qemu-trad] Fix build with newer version of GNUTLS Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>

Message ID

1462443284-20588-1-git-send-email-wei.liu2@citrix.com (mailing list archive)

State

New, archived

Headers

From: Wei Liu <wei.liu2@citrix.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Date: Thu, 5 May 2016 11:14:44 +0100
Message-ID: <1462443284-20588-1-git-send-email-wei.liu2@citrix.com>
MIME-Version: 1.0
Cc: Sjoer van der Ploeg <sfjuocekr@gmail.com>, Wei Liu <wei.liu2@citrix.com>,
	Ian Jackson <Ian.Jackson@eu.citrix.com>
Subject: [Xen-devel] [PATCH for-qemu-trad] Fix build with newer version of
	GNUTLS
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>

Commit Message

Wei Liu May 5, 2016, 10:14 a.m. UTC

gnutls_kx_set_priority, gnutls_certificate_type_set_priority and
gnutls_protocol_set_priority were deprecated and eventually removed in
GNUTLS 3.4. Application should use gnutls_priority_set_direct instead
per [0].

gnutls_anon_server_credentials was deprecated at some point. Application
should use gnutls_anon_server_credentials_t instead.

Provide compatibility layer for QEMU traditional. This commit is in fact
backport of two upstream QEMU commits:
1. f40d55081667a716312b9a8b6e13835c4074f56b
2. 7d2a929feba319c18603e324b1750830d6c8b7a1

[0] https://www.gnutls.org/manual/html_node/Upgrading-from-previous-versions.html

Signed-off-by: Sjoer van der Ploeg <sfjuocekr@gmail.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
 vnc.c | 71 +++++++++++++++++++++++++++++++++++++++++++++----------------------
 1 file changed, 48 insertions(+), 23 deletions(-)

Comments

Konrad Rzeszutek Wilk May 9, 2016, 6:51 p.m. UTC | #1

On Thu, May 05, 2016 at 11:14:44AM +0100, Wei Liu wrote:
> gnutls_kx_set_priority, gnutls_certificate_type_set_priority and
> gnutls_protocol_set_priority were deprecated and eventually removed in
> GNUTLS 3.4. Application should use gnutls_priority_set_direct instead
> per [0].
> 
> gnutls_anon_server_credentials was deprecated at some point. Application
> should use gnutls_anon_server_credentials_t instead.
> 
> Provide compatibility layer for QEMU traditional. This commit is in fact
> backport of two upstream QEMU commits:
> 1. f40d55081667a716312b9a8b6e13835c4074f56b
> 2. 7d2a929feba319c18603e324b1750830d6c8b7a1
> 
> [0] https://www.gnutls.org/manual/html_node/Upgrading-from-previous-versions.html
> 
> Signed-off-by: Sjoer van der Ploeg <sfjuocekr@gmail.com>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>

Tested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

on
gnutls-3.4.9-1.fc23.x86_64

And it fixes the build problems.
> ---
>  vnc.c | 71 +++++++++++++++++++++++++++++++++++++++++++++----------------------
>  1 file changed, 48 insertions(+), 23 deletions(-)
> 
> diff --git a/vnc.c b/vnc.c
> index 573af3b..61d1555 100644
> --- a/vnc.c
> +++ b/vnc.c
> @@ -1925,9 +1925,9 @@ static int vnc_tls_initialize(void)
>      return 1;
>  }
>  
> -static gnutls_anon_server_credentials vnc_tls_initialize_anon_cred(void)
> +static gnutls_anon_server_credentials_t vnc_tls_initialize_anon_cred(void)
>  {
> -    gnutls_anon_server_credentials anon_cred;
> +    gnutls_anon_server_credentials_t anon_cred;
>      int ret;
>  
>      if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) {
> @@ -2151,13 +2151,52 @@ static void vnc_handshake_io(void *opaque) {
>       (vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC ||    \
>       (vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN)
>  
> +#if defined(GNUTLS_VERSION_NUMBER) && \
> +    GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
> +static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
> +{
> +    const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH";
> +    int rc;
>  
> -static int vnc_start_tls(struct VncState *vs) {
> -    static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
> -    static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
> -    static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
> -    static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
> +    rc = gnutls_priority_set_direct(s, priority, NULL);
> +    if (rc != GNUTLS_E_SUCCESS) {
> +        return -1;
> +    }
> +    return 0;
> +}
> +#else
> +static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
> +{
> +    static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
> +    static const int protocols[] = {
> +        GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
> +    };
> +    static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };
> +    static const int kx_x509[] = {
> +        GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
> +        GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
> +    };
> +    int rc;
> +
> +    rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
> +    if (rc != GNUTLS_E_SUCCESS) {
> +        return -1;
> +    }
> +
> +    rc = gnutls_certificate_type_set_priority(s, cert_types);
> +    if (rc != GNUTLS_E_SUCCESS) {
> +        return -1;
> +    }
>  
> +    rc = gnutls_protocol_set_priority(s, protocols);
> +    if (rc != GNUTLS_E_SUCCESS) {
> +        return -1;
> +    }
> +    return 0;
> +}
> +#endif
> +
> +static int vnc_start_tls(struct VncState *vs) {
>      VNC_DEBUG("Do TLS setup\n");
>      if (vnc_tls_initialize() < 0) {
>  	VNC_DEBUG("Failed to init TLS\n");
> @@ -2177,21 +2216,7 @@ static int vnc_start_tls(struct VncState *vs) {
>  	    return -1;
>  	}
>  
> -	if (gnutls_kx_set_priority(vs->tls_session, NEED_X509_AUTH(vs) ? kx_x509 : kx_anon) < 0) {
> -	    gnutls_deinit(vs->tls_session);
> -	    vs->tls_session = NULL;
> -	    vnc_client_error(vs);
> -	    return -1;
> -	}
> -
> -	if (gnutls_certificate_type_set_priority(vs->tls_session, cert_type_priority) < 0) {
> -	    gnutls_deinit(vs->tls_session);
> -	    vs->tls_session = NULL;
> -	    vnc_client_error(vs);
> -	    return -1;
> -	}
> -
> -	if (gnutls_protocol_set_priority(vs->tls_session, protocol_priority) < 0) {
> +	if (vnc_set_gnutls_priority(vs->tls_session, !!NEED_X509_AUTH(vs)) < 0) {
>  	    gnutls_deinit(vs->tls_session);
>  	    vs->tls_session = NULL;
>  	    vnc_client_error(vs);
> @@ -2219,7 +2244,7 @@ static int vnc_start_tls(struct VncState *vs) {
>  	    }
>  
>  	} else {
> -	    gnutls_anon_server_credentials anon_cred = vnc_tls_initialize_anon_cred();
> +	    gnutls_anon_server_credentials_t anon_cred = vnc_tls_initialize_anon_cred();
>  	    if (!anon_cred) {
>  		gnutls_deinit(vs->tls_session);
>  		vs->tls_session = NULL;
> -- 
> 2.1.4
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel

Ian Jackson May 18, 2016, 2:37 p.m. UTC | #2

Konrad Rzeszutek Wilk writes ("Re: [Xen-devel] [PATCH for-qemu-trad] Fix build with newer version of GNUTLS"):
> On Thu, May 05, 2016 at 11:14:44AM +0100, Wei Liu wrote:
> > Provide compatibility layer for QEMU traditional. This commit is in fact
> > backport of two upstream QEMU commits:
> > 1. f40d55081667a716312b9a8b6e13835c4074f56b
> > 2. 7d2a929feba319c18603e324b1750830d6c8b7a1
...
> > Signed-off-by: Sjoer van der Ploeg <sfjuocekr@gmail.com>
> > Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> 
> Tested-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> 
> on
> gnutls-3.4.9-1.fc23.x86_64
> 
> And it fixes the build problems.

Thanks to everyone.  I have applied this to my local tree and queued
it for push.  I have also queued it for backport.

Ian.

diff --git a/vnc.c b/vnc.c
index 573af3b..61d1555 100644
--- a/vnc.c
+++ b/vnc.c
@@ -1925,9 +1925,9 @@  static int vnc_tls_initialize(void)
     return 1;
 }
 
-static gnutls_anon_server_credentials vnc_tls_initialize_anon_cred(void)
+static gnutls_anon_server_credentials_t vnc_tls_initialize_anon_cred(void)
 {
-    gnutls_anon_server_credentials anon_cred;
+    gnutls_anon_server_credentials_t anon_cred;
     int ret;
 
     if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) {
@@ -2151,13 +2151,52 @@  static void vnc_handshake_io(void *opaque) {
      (vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC ||    \
      (vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN)
 
+#if defined(GNUTLS_VERSION_NUMBER) && \
+    GNUTLS_VERSION_NUMBER >= 0x020200 /* 2.2.0 */
+static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
+{
+    const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH";
+    int rc;
 
-static int vnc_start_tls(struct VncState *vs) {
-    static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
-    static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
-    static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0};
-    static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0};
+    rc = gnutls_priority_set_direct(s, priority, NULL);
+    if (rc != GNUTLS_E_SUCCESS) {
+        return -1;
+    }
+    return 0;
+}
+#else
+static int vnc_set_gnutls_priority(gnutls_session_t s, int x509)
+{
+    static const int cert_types[] = { GNUTLS_CRT_X509, 0 };
+    static const int protocols[] = {
+        GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0
+    };
+    static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 };
+    static const int kx_x509[] = {
+        GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
+        GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0
+    };
+    int rc;
+
+    rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon);
+    if (rc != GNUTLS_E_SUCCESS) {
+        return -1;
+    }
+
+    rc = gnutls_certificate_type_set_priority(s, cert_types);
+    if (rc != GNUTLS_E_SUCCESS) {
+        return -1;
+    }
 
+    rc = gnutls_protocol_set_priority(s, protocols);
+    if (rc != GNUTLS_E_SUCCESS) {
+        return -1;
+    }
+    return 0;
+}
+#endif
+
+static int vnc_start_tls(struct VncState *vs) {
     VNC_DEBUG("Do TLS setup\n");
     if (vnc_tls_initialize() < 0) {
 	VNC_DEBUG("Failed to init TLS\n");
@@ -2177,21 +2216,7 @@  static int vnc_start_tls(struct VncState *vs) {
 	    return -1;
 	}
 
-	if (gnutls_kx_set_priority(vs->tls_session, NEED_X509_AUTH(vs) ? kx_x509 : kx_anon) < 0) {
-	    gnutls_deinit(vs->tls_session);
-	    vs->tls_session = NULL;
-	    vnc_client_error(vs);
-	    return -1;
-	}
-
-	if (gnutls_certificate_type_set_priority(vs->tls_session, cert_type_priority) < 0) {
-	    gnutls_deinit(vs->tls_session);
-	    vs->tls_session = NULL;
-	    vnc_client_error(vs);
-	    return -1;
-	}
-
-	if (gnutls_protocol_set_priority(vs->tls_session, protocol_priority) < 0) {
+	if (vnc_set_gnutls_priority(vs->tls_session, !!NEED_X509_AUTH(vs)) < 0) {
 	    gnutls_deinit(vs->tls_session);
 	    vs->tls_session = NULL;
 	    vnc_client_error(vs);
@@ -2219,7 +2244,7 @@  static int vnc_start_tls(struct VncState *vs) {
 	    }
 
 	} else {
-	    gnutls_anon_server_credentials anon_cred = vnc_tls_initialize_anon_cred();
+	    gnutls_anon_server_credentials_t anon_cred = vnc_tls_initialize_anon_cred();
 	    if (!anon_cred) {
 		gnutls_deinit(vs->tls_session);
 		vs->tls_session = NULL;

[for-qemu-trad] Fix build with newer version of GNUTLS

Commit Message

Comments

Patch