[libvirt] [PATCHv2] build: avoid -lgcrypt with newer gnutls

Doug Goldstein cardoe at gentoo.org
Sat Jul 27 01:22:29 UTC 2013 

On Fri, Jul 26, 2013 at 5:04 PM, Eric Blake <eblake at redhat.com> wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=951637
>
> Newer gnutls uses nettle, rather than gcrypt, which is a lot nicer
> regarding initialization.  Yet we were unconditionally initializing
> gcrypt even when gnutls wouldn't be using it, and having two crypto
> libraries linked into libvirt.so is pointless.
>
> Assume that the switch to gnutls 3.0 is a reliable witness, when
> pkg-config is present; otherwise be pessimistic and use gcrypt.
>
> * configure.ac (WITH_GNUTLS): Probe whether to add -lgcrypt, and
> define a witness WITH_GNUTLS_GCRYPT.
> * src/libvirt.c (virTLSMutexInit, virTLSMutexDestroy)
> (virTLSMutexLock, virTLSMutexUnlock, virTLSThreadImpl)
> (virGlobalInit): Honor the witness.
> * libvirt.spec.in (BuildRequires): Make gcrypt usage conditional,
> no longer needed in Fedora 19.
>
> Signed-off-by: Eric Blake <eblake at redhat.com>
> ---
>
> v2: use second pkg-config invocation rather than ldd to determine
> whether gnutls uses gcrypt
>
>  configure.ac    | 27 +++++++++++++++++++--------
>  libvirt.spec.in |  2 ++
>  src/libvirt.c   | 10 ++++++----
>  3 files changed, 27 insertions(+), 12 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index cc9942a..eb56b63 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -1076,12 +1076,19 @@ if test "x$with_gnutls" != "xno"; then
>    LIBS="$LIBS $GNUTLS_LIBS"
>
>    GNUTLS_FOUND=no
> +  GNUTLS_GCRYPT=no
>    if test -x "$PKG_CONFIG" ; then
> +    dnl double probe, since we know that gnutls 3.0 switched to nettle instead of
> +    dnl gcrypt
>      PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED,
> -      [GNUTLS_FOUND=yes], [GNUTLS_FOUND=no])
> +      [GNUTLS_FOUND=yes
> +       PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.0], [], [GNUTLS_GCRYPT=yes])],
> +      [GNUTLS_FOUND=no])
>    fi
>    if test "$GNUTLS_FOUND" = "no"; then
> +    dnl pkg-config couldn't help us, assume gcrypt is necessary
>      fail=0
> +    GNUTLS_GCRYPT=yes
>      AC_CHECK_HEADER([gnutls/gnutls.h], [], [fail=1])
>      AC_CHECK_LIB([gnutls], [gnutls_handshake],[], [fail=1], [-lgcrypt])
>
> @@ -1098,13 +1105,17 @@ if test "x$with_gnutls" != "xno"; then
>        AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run libvirt])
>      fi
>    else
> -    dnl Not all versions of gnutls include -lgcrypt, and so we add
> -    dnl it explicitly for the calls to gcry_control/check_version
> -    GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
> -
> -    dnl We're not using gcrypt deprecated features so define
> -    dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
> -    GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
> +    dnl If gnutls linked against -lgcrypt, then we must initialize gcrypt
> +    dnl prior to using gnutls.  Newer versions of gnutls use -lnettle, in
> +    dnl which case we don't want to drag in gcrypt ourselves.
> +    if test "$GNUTLS_GCRYPT" = yes; then
> +      GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
> +      dnl We're not using gcrypt deprecated features so define
> +      dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
> +      GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
> +      AC_DEFINE_UNQUOTED([WITH_GNUTLS_GCRYPT], 1,
> +        [set to 1 if it is known or assumed that GNUTLS uses gcrypt])
> +    fi
>
>      dnl gnutls 3.x moved some declarations to a new header
>      AC_CHECK_HEADERS([gnutls/crypto.h], [], [], [[
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index e0e0004..4320281 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -422,7 +422,9 @@ BuildRequires: readline-devel
>  BuildRequires: ncurses-devel
>  BuildRequires: gettext
>  BuildRequires: libtasn1-devel
> +%if (0%{?rhel} && 0%{?rhel} < 7) || (0%{?fedora} && 0%{?fedora} < 19)
>  BuildRequires: libgcrypt-devel
> +%endif
>  BuildRequires: gnutls-devel
>  BuildRequires: libattr-devel
>  %if %{with_libvirtd}
> diff --git a/src/libvirt.c b/src/libvirt.c
> index 8157488..66e8248 100644
> --- a/src/libvirt.c
> +++ b/src/libvirt.c
> @@ -55,7 +55,9 @@
>  #include "intprops.h"
>  #include "virconf.h"
>  #if WITH_GNUTLS
> -# include <gcrypt.h>
> +# if WITH_GNUTLS_GCRYPT
> +#  include <gcrypt.h>
> +# endif
>  # include "rpc/virnettlscontext.h"
>  #endif
>  #include "vircommand.h"
> @@ -270,7 +272,7 @@ winsock_init(void)
>  #endif
>
>
> -#ifdef WITH_GNUTLS
> +#ifdef WITH_GNUTLS_GCRYPT
>  static int virTLSMutexInit(void **priv)
>  {
>      virMutexPtr lock = NULL;
> @@ -323,7 +325,7 @@ static struct gcry_thread_cbs virTLSThreadImpl = {
>      virTLSMutexUnlock,
>      NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
>  };
> -#endif
> +#endif /* WITH_GNUTLS_GCRYPT */
>
>  /* Helper macros to implement VIR_DOMAIN_DEBUG using just C99.  This
>   * assumes you pass fewer than 15 arguments to VIR_DOMAIN_DEBUG, but
> @@ -407,7 +409,7 @@ virGlobalInit(void)
>          virErrorInitialize() < 0)
>          goto error;
>
> -#ifdef WITH_GNUTLS
> +#ifdef WITH_GNUTLS_GCRYPT
>      /*
>       * This sequence of API calls it copied exactly from
>       * gnutls 2.12.23 source lib/gcrypt/init.c, with
> --
> 1.8.3.1
>
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list

Hate to throw a monkey wrench in the plan, but GnuTLS 3.0 isn't the
nettle cut over. On my stable Gentoo box with GnuTLS 2.12.23, its
using nettle as seen by ldd.

 ldd /usr/lib64/libgnutls.so.26
	linux-vdso.so.1 (0x00007fffad3ff000)
	libnettle.so.4 => /usr/lib64/libnettle.so.4 (0x00007f60fa4f4000)
	libgmp.so.10 => /usr/lib64/libgmp.so.10 (0x00007f60fa284000)
	libhogweed.so.2 => /usr/lib64/libhogweed.so.2 (0x00007f60fa054000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f60f9e3e000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f60f9c21000)
	libtasn1.so.3 => /usr/lib64/libtasn1.so.3 (0x00007f60f9a0f000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f60f9661000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f60fa9ec000)

It appears it was an optional cutover and I guess Gentoo made the
plunge. Another idea, that you might hate would be to use pkg-config
directly and pass --static so we can get the private libraries. I'm
not running Fedora 19 yet so the best I can do is give you Fedora 18
as a comp, but that works out great since its using 2.12.23 as well.

stable Gentoo:

Name: GnuTLS
Description: Transport Security Layer implementation for the GNU system
URL: http://www.gnu.org/software/gnutls/
Version: 2.12.23
Libs: -L${libdir} -lgnutls
Libs.private:  -L/usr/lib64 -lnettle -lgmp -lhogweed
Requires.private: libtasn1 , zlib
Cflags: -I${includedir}

$ pkg-config --libs --static gnutls
-lgnutls -ltasn1 -lz -lnettle -lgmp -lhogweed

Fedora 18:

Name: GnuTLS
Description: Transport Security Layer implementation for the GNU system
URL: http://www.gnu.org/software/gnutls/
Version: 2.12.23
Libs: -L${libdir} -lgnutls
Libs.private: -L/usr/lib64 -lgcrypt -L/usr/lib64 -lgpg-error
Requires.private: libtasn1 , zlib, p11-kit-1
Cflags: -I${includedir}

$ pkg-config --libs --static gnutls
-lgnutls -lgcrypt -lgpg-error -ltasn1 -lz -lp11-kit

With GnuTLS 3.2 I get the following:

 pkg-config --libs --static gnutls
-lgnutls -lhogweed -lnettle -lz  -lgmp


Maybe that helps?
-- 
Doug Goldstein

More information about the libvir-list mailing list