Commit 7acd80e8 authored by Peter Maydell's avatar Peter Maydell
Browse files

Merge remote-tracking branch 'remotes/berrange/tags/qcrypto-next-pull-request' into staging 



Update min required crypto library versions

The min required versions for crypto libraries are now

 - gnutls >= 3.1.18
 - nettle >= 2.7.1
 - gcrypt >= 1.5.0

# gpg: Signature made Fri 19 Oct 2018 14:42:35 BST
# gpg:                using RSA key BE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>"
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>"
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E  8E3F BE86 EBB4 1510 4FDF

* remotes/berrange/tags/qcrypto-next-pull-request:
  crypto: require nettle >= 2.7.1 for building QEMU
  crypto: require libgcrypt >= 1.5.0 for building QEMU
  crypto: require gnutls >= 3.1.18 for building QEMU

Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
parents 3ebee3b1 64dd2f3b

configure

+40 −121
Original line number Diff line number Diff line
@@ -457,12 +457,9 @@ gtk="" 
gtk_gl="no"

tls_priority="NORMAL"

gnutls=""

gnutls_rnd=""

nettle=""

nettle_kdf="no"

gcrypt=""

gcrypt_hmac="no"

gcrypt_kdf="no"

vte=""

virglrenderer=""

tpm="yes"
@@ -2666,79 +2663,28 @@ fi 
##########################################

# GNUTLS probe



gnutls_works() {

    # Unfortunately some distros have bad pkg-config information for gnutls

    # such that it claims to exist but you get a compiler error if you try

    # to use the options returned by --libs. Specifically, Ubuntu for --static

    # builds doesn't work:

    # https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1478035

    #

    # So sanity check the cflags/libs before assuming gnutls can be used.

    if ! $pkg_config --exists "gnutls"; then

        return 1

    fi



    write_c_skeleton

    compile_prog "$($pkg_config --cflags gnutls)" "$($pkg_config --libs gnutls)"

}



gnutls_gcrypt=no

gnutls_nettle=no

if test "$gnutls" != "no"; then

    if gnutls_works; then

    if $pkg_config --exists "gnutls >= 3.1.18"; then

        gnutls_cflags=$($pkg_config --cflags gnutls)

        gnutls_libs=$($pkg_config --libs gnutls)

        libs_softmmu="$gnutls_libs $libs_softmmu"

        libs_tools="$gnutls_libs $libs_tools"

	QEMU_CFLAGS="$QEMU_CFLAGS $gnutls_cflags"

        gnutls="yes"



	# gnutls_rnd requires >= 2.11.0

	if $pkg_config --exists "gnutls >= 2.11.0"; then

	    gnutls_rnd="yes"

	else

	    gnutls_rnd="no"

	fi



	if $pkg_config --exists 'gnutls >= 3.0'; then

	    gnutls_gcrypt=no

	    gnutls_nettle=yes

	elif $pkg_config --exists 'gnutls >= 2.12'; then

	    case $($pkg_config --libs --static gnutls) in

		*gcrypt*)

		    gnutls_gcrypt=yes

		    gnutls_nettle=no

		    ;;

		*nettle*)

		    gnutls_gcrypt=no

		    gnutls_nettle=yes

		    ;;

		*)

		    gnutls_gcrypt=yes

		    gnutls_nettle=no

		    ;;

	    esac

	else

	    gnutls_gcrypt=yes

	    gnutls_nettle=no

	fi

    elif test "$gnutls" = "yes"; then

	feature_not_found "gnutls" "Install gnutls devel"

	feature_not_found "gnutls" "Install gnutls devel >= 3.1.18"

    else

        gnutls="no"

        gnutls_rnd="no"

    fi

else

    gnutls_rnd="no"

fi





# If user didn't give a --disable/enable-gcrypt flag,

# then mark as disabled if user requested nettle

# explicitly, or if gnutls links to nettle

# explicitly

if test -z "$gcrypt"

then

    if test "$nettle" = "yes" || test "$gnutls_nettle" = "yes"

    if test "$nettle" = "yes"

    then

        gcrypt="no"

    fi
@@ -2746,16 +2692,16 @@ fi 


# If user didn't give a --disable/enable-nettle flag,

# then mark as disabled if user requested gcrypt

# explicitly, or if gnutls links to gcrypt

# explicitly

if test -z "$nettle"

then

    if test "$gcrypt" = "yes" || test "$gnutls_gcrypt" = "yes"

    if test "$gcrypt" = "yes"

    then

        nettle="no"

    fi

fi



has_libgcrypt_config() {

has_libgcrypt() {

    if ! has "libgcrypt-config"

    then

	return 1
@@ -2770,11 +2716,42 @@ has_libgcrypt_config() { 
	fi

    fi



    maj=`libgcrypt-config --version | awk -F . '{print $1}'`

    min=`libgcrypt-config --version | awk -F . '{print $2}'`



    if test $maj != 1 || test $min -lt 5

    then

       return 1

    fi



    return 0

}





if test "$nettle" != "no"; then

    if $pkg_config --exists "nettle >= 2.7.1"; then

        nettle_cflags=$($pkg_config --cflags nettle)

        nettle_libs=$($pkg_config --libs nettle)

        nettle_version=$($pkg_config --modversion nettle)

        libs_softmmu="$nettle_libs $libs_softmmu"

        libs_tools="$nettle_libs $libs_tools"

        QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"

        nettle="yes"



        if test -z "$gcrypt"; then

           gcrypt="no"

        fi

    else

        if test "$nettle" = "yes"; then

            feature_not_found "nettle" "Install nettle devel >= 2.7.1"

        else

            nettle="no"

        fi

    fi

fi



if test "$gcrypt" != "no"; then

    if has_libgcrypt_config; then

    if has_libgcrypt; then

        gcrypt_cflags=$(libgcrypt-config --cflags)

        gcrypt_libs=$(libgcrypt-config --libs)

        # Debian has remove -lgpg-error from libgcrypt-config
@@ -2788,22 +2765,6 @@ if test "$gcrypt" != "no"; then 
        libs_tools="$gcrypt_libs $libs_tools"

        QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags"

        gcrypt="yes"

        if test -z "$nettle"; then

           nettle="no"

        fi



        cat > $TMPC << EOF

#include <gcrypt.h>

int main(void) {

  gcry_kdf_derive(NULL, 0, GCRY_KDF_PBKDF2,

                  GCRY_MD_SHA256,

                  NULL, 0, 0, 0, NULL);

 return 0;

}

EOF

        if compile_prog "$gcrypt_cflags" "$gcrypt_libs" ; then

            gcrypt_kdf=yes

        fi



        cat > $TMPC << EOF

#include <gcrypt.h>
@@ -2819,7 +2780,7 @@ EOF 
        fi

    else

        if test "$gcrypt" = "yes"; then

            feature_not_found "gcrypt" "Install gcrypt devel"

            feature_not_found "gcrypt" "Install gcrypt devel >= 1.5.0"

        else

            gcrypt="no"

        fi
@@ -2827,36 +2788,6 @@ EOF 
fi





if test "$nettle" != "no"; then

    if $pkg_config --exists "nettle"; then

        nettle_cflags=$($pkg_config --cflags nettle)

        nettle_libs=$($pkg_config --libs nettle)

        nettle_version=$($pkg_config --modversion nettle)

        libs_softmmu="$nettle_libs $libs_softmmu"

        libs_tools="$nettle_libs $libs_tools"

        QEMU_CFLAGS="$QEMU_CFLAGS $nettle_cflags"

        nettle="yes"



        cat > $TMPC << EOF

#include <stddef.h>

#include <nettle/pbkdf2.h>

int main(void) {

     pbkdf2_hmac_sha256(8, NULL, 1000, 8, NULL, 8, NULL);

     return 0;

}

EOF

        if compile_prog "$nettle_cflags" "$nettle_libs" ; then

            nettle_kdf=yes

        fi

    else

        if test "$nettle" = "yes"; then

            feature_not_found "nettle" "Install nettle devel"

        else

            nettle="no"

        fi

    fi

fi



if test "$gcrypt" = "yes" && test "$nettle" = "yes"

then

    error_exit "Only one of gcrypt & nettle can be enabled"
@@ -5983,11 +5914,8 @@ echo "GTK GL support $gtk_gl" 
echo "VTE support       $vte $(echo_version $vte $vteversion)"

echo "TLS priority      $tls_priority"

echo "GNUTLS support    $gnutls"

echo "GNUTLS rnd        $gnutls_rnd"

echo "libgcrypt         $gcrypt"

echo "libgcrypt kdf     $gcrypt_kdf"

echo "nettle            $nettle $(echo_version $nettle $nettle_version)"

echo "nettle kdf        $nettle_kdf"

echo "libtasn1          $tasn1"

echo "curses support    $curses"

echo "virgl support     $virglrenderer $(echo_version $virglrenderer $virgl_version)"
@@ -6426,24 +6354,15 @@ echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak 
if test "$gnutls" = "yes" ; then

  echo "CONFIG_GNUTLS=y" >> $config_host_mak

fi

if test "$gnutls_rnd" = "yes" ; then

  echo "CONFIG_GNUTLS_RND=y" >> $config_host_mak

fi

if test "$gcrypt" = "yes" ; then

  echo "CONFIG_GCRYPT=y" >> $config_host_mak

  if test "$gcrypt_hmac" = "yes" ; then

    echo "CONFIG_GCRYPT_HMAC=y" >> $config_host_mak

  fi

  if test "$gcrypt_kdf" = "yes" ; then

    echo "CONFIG_GCRYPT_KDF=y" >> $config_host_mak

  fi

fi

if test "$nettle" = "yes" ; then

  echo "CONFIG_NETTLE=y" >> $config_host_mak

  echo "CONFIG_NETTLE_VERSION_MAJOR=${nettle_version%%.*}" >> $config_host_mak

  if test "$nettle_kdf" = "yes" ; then

    echo "CONFIG_NETTLE_KDF=y" >> $config_host_mak

  fi

fi

if test "$tasn1" = "yes" ; then

  echo "CONFIG_TASN1=y" >> $config_host_mak

crypto/Makefile.objs

+4 −4
Original line number Diff line number Diff line
@@ -20,11 +20,11 @@ crypto-obj-y += tlscredsx509.o 
crypto-obj-y += tlssession.o

crypto-obj-y += secret.o

crypto-obj-$(CONFIG_GCRYPT) += random-gcrypt.o

crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS_RND)) += random-gnutls.o

crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS_RND),n,y)) += random-platform.o

crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o

crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o

crypto-obj-y += pbkdf.o

crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o

crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) += pbkdf-gcrypt.o

crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o

crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o

crypto-obj-y += ivgen.o

crypto-obj-y += ivgen-essiv.o

crypto-obj-y += ivgen-plain.o

crypto/init.c

+2 −21
Original line number Diff line number Diff line
@@ -37,33 +37,14 @@ 
/* #define DEBUG_GNUTLS */



/*

 * If GNUTLS is built against GCrypt then

 *

 *  - When GNUTLS >= 2.12, we must not initialize gcrypt threading

 *    because GNUTLS will do that itself

 *  - When GNUTLS < 2.12 we must always initialize gcrypt threading

 *  - When GNUTLS is disabled we must always initialize gcrypt threading

 *

 * But....

 *

 *    When gcrypt >= 1.6.0 we must not initialize gcrypt threading

 *    because gcrypt will do that itself.

 *

 * So we need to init gcrypt threading if

 * We need to init gcrypt threading if

 *

 *   - gcrypt < 1.6.0

 * AND

 *      - gnutls < 2.12

 *   OR

 *      - gnutls is disabled

 *

 */



#if (defined(CONFIG_GCRYPT) &&                  \

     (!defined(CONFIG_GNUTLS) ||                \

     (LIBGNUTLS_VERSION_NUMBER < 0x020c00)) &&    \

     (!defined(GCRYPT_VERSION_NUMBER) ||        \

      (GCRYPT_VERSION_NUMBER < 0x010600)))

     (GCRYPT_VERSION_NUMBER < 0x010600))

#define QCRYPTO_INIT_GCRYPT_THREADS

#else

#undef QCRYPTO_INIT_GCRYPT_THREADS

crypto/tlscredsx509.c

+0 −21
Original line number Diff line number Diff line
@@ -72,14 +72,6 @@ qcrypto_tls_creds_check_cert_times(gnutls_x509_crt_t cert, 
}





#if LIBGNUTLS_VERSION_NUMBER >= 2

/*

 * The gnutls_x509_crt_get_basic_constraints function isn't

 * available in GNUTLS 1.0.x branches. This isn't critical

 * though, since gnutls_certificate_verify_peers2 will do

 * pretty much the same check at runtime, so we can just

 * disable this code

 */

static int

qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds,

                                               gnutls_x509_crt_t cert,
@@ -130,7 +122,6 @@ qcrypto_tls_creds_check_cert_basic_constraints(QCryptoTLSCredsX509 *creds, 


    return 0;

}

#endif





static int
@@ -299,14 +290,12 @@ qcrypto_tls_creds_check_cert(QCryptoTLSCredsX509 *creds, 
        return -1;

    }



#if LIBGNUTLS_VERSION_NUMBER >= 2

    if (qcrypto_tls_creds_check_cert_basic_constraints(creds,

                                                       cert, certFile,

                                                       isServer, isCA,

                                                       errp) < 0) {

        return -1;

    }

#endif



    if (qcrypto_tls_creds_check_cert_key_usage(creds,

                                               cert, certFile,
@@ -615,7 +604,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, 
    }



    if (cert != NULL && key != NULL) {

#if LIBGNUTLS_VERSION_NUMBER >= 0x030111

        char *password = NULL;

        if (creds->passwordid) {

            password = qcrypto_secret_lookup_as_utf8(creds->passwordid,
@@ -630,15 +618,6 @@ qcrypto_tls_creds_x509_load(QCryptoTLSCredsX509 *creds, 
                                                    password,

                                                    0);

        g_free(password);

#else /* LIBGNUTLS_VERSION_NUMBER < 0x030111 */

        if (creds->passwordid) {

            error_setg(errp, "PKCS8 decryption requires GNUTLS >= 3.1.11");

            goto cleanup;

        }

        ret = gnutls_certificate_set_x509_key_file(creds->data,

                                                   cert, key,

                                                   GNUTLS_X509_FMT_PEM);

#endif

        if (ret < 0) {

            error_setg(errp, "Cannot load certificate '%s' & key '%s': %s",

                       cert, key, gnutls_strerror(ret));

crypto/tlssession.c

+1 −7
Original line number Diff line number Diff line
@@ -90,13 +90,7 @@ qcrypto_tls_session_pull(void *opaque, void *buf, size_t len) 
}



#define TLS_PRIORITY_ADDITIONAL_ANON "+ANON-DH"



#if GNUTLS_VERSION_MAJOR >= 3

#define TLS_ECDHE_PSK "+ECDHE-PSK:"

#else

#define TLS_ECDHE_PSK ""

#endif

#define TLS_PRIORITY_ADDITIONAL_PSK TLS_ECDHE_PSK "+DHE-PSK:+PSK"

#define TLS_PRIORITY_ADDITIONAL_PSK "+ECDHE-PSK:+DHE-PSK:+PSK"



QCryptoTLSSession *

qcrypto_tls_session_new(QCryptoTLSCreds *creds,