[libvirt] [PATCH] build: avoid -lgcrypt with newer gnutls

Daniel P. Berrange berrange at redhat.com
Fri Jul 26 12:29:12 UTC 2013


On Fri, Jul 26, 2013 at 01:26:56PM +0100, Daniel P. Berrange wrote:
> On Thu, Jul 25, 2013 at 04:13:28PM -0600, Eric Blake wrote:
> > https://bugzilla.redhat.com/show_bug.cgi?id=951637
> > 
> > Newer gnutls uses nettle, rather than gcrypt, which is a lot nicer
> > regarding initialization.  Yet we were unconditionally initializing
> > gcrypt even when gnutls wouldn't be using it, and having two crypto
> > libraries linked into libvirt.so is pointless.
> > 
> > The ldd probe in configure borrows from our libnl-1 vs. libnl-3 code.
> > 
> > * configure.ac (WITH_GNUTLS): Probe whether to add -lgcrypt, and
> > define a witness WITH_GNUTLS_GCRYPT.
> > * src/libvirt.c (virTLSMutexInit, virTLSMutexDestroy)
> > (virTLSMutexLock, virTLSMutexUnlock, virTLSThreadImpl)
> > (virGlobalInit): Honor the witness.
> > * libvirt.spec.in (BuildRequires): Make gcrypt usage conditional,
> > no longer needed in Fedora 19.
> > 
> > Signed-off-by: Eric Blake <eblake at redhat.com>
> > ---
> > 
> > Tested with 'ldd src/.libs/libvirt.so | grep -E "(gcry|net|tls)"':
> > - on RHEL 6.4 and Fedora 18, pre- and post-patch remain unchanged
> > (use of just libgnutls/libgcrypt)
> > - on Fedora 19, pre-patch linked against libgnutls, libgcrypt, and
> > libnettle, post-patch linked against just libgnutls and libnettle
> > 
> > This should probably go in for 1.1.1, but it's not a build-breaker
> > so it needs review.
> > 
> >  configure.ac    | 27 +++++++++++++++++++++------
> >  libvirt.spec.in |  2 ++
> >  src/libvirt.c   | 10 ++++++----
> >  3 files changed, 29 insertions(+), 10 deletions(-)
> > 
> > diff --git a/configure.ac b/configure.ac
> > index cc9942a..de209e2 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -1098,13 +1098,28 @@ if test "x$with_gnutls" != "xno"; then
> >        AC_MSG_ERROR([You must install the GnuTLS library in order to compile and run libvirt])
> >      fi
> >    else
> > -    dnl Not all versions of gnutls include -lgcrypt, and so we add
> > -    dnl it explicitly for the calls to gcry_control/check_version
> > -    GNUTLS_LIBS="$GNUTLS_LIBS -lgcrypt"
> > 
> > -    dnl We're not using gcrypt deprecated features so define
> > -    dnl GCRYPT_NO_DEPRECATED to avoid deprecated warnings
> > -    GNUTLS_CFLAGS="$GNUTLS_CFLAGS -DGCRYPT_NO_DEPRECATED"
> > +    dnl If gnutls linked against -lgcrypt, then we must initialize gcrypt
> > +    dnl prior to using gnutls.  Newer versions of gnutls use -lnettle, in
> > +    dnl which case we don't want to drag in gcrypt ourselves.
> > +    gnutls_ldd=
> > +    for dir in /usr/lib64 /usr/lib /usr/lib/*-linux-gnu*; do
> > +        if test -f $dir/libgnutls.so; then
> > +            gnutls_ldd=`(ldd $dir/libgnutls.so) 2>&1`
> > +            break
> > +        fi
> > +    done
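Review bot: the `gnutls_ldd=` assignment inside the added loop captures stderr together with stdout (`2>&1`), so if `ldd` fails or is not installed, its error text becomes the probed value. `ldd` also inspects the build host's copy of the library, which is the wrong answer for a cross build. Nothing in the visible lines handles the case where none of the three directories contains libgnutls.so and `gnutls_ldd` stays empty. Consider deciding from information the build already has (the gnutls version or its pkg-config data) rather than running `ldd`, and quote `"$dir"` in the `test -f` and `ldd` calls.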
> 
> Not sure this approach to finding libgnutls.so is going to work
> reliably. E.g., we allow --with-gnutls=/some/dir to point to,
> say, /usr/local or /opt/gnutls.
> 
> Also, with pkg-config, the library can be located basically
> anywhere in the filesystem.
> 
> Gnutls had a hard cutover point from gcrypt to nettle
> in the 3.0.0 release. So could we just check the
> GNUTLS_VERSION_MAJOR value >= 3 in the header ?

Oh, actually we don't even need to do that. We can rely on pkgconfig:

   PKG_CHECK_MODULES(GNUTLS, gnutls >= 3.0.0,
                    [GNUTLS_FOUND=yes GNUTLS_NETTLE=0], [
                     GNUTLS_GCRYPT=1
                     PKG_CHECK_MODULES(GNUTLS, gnutls >= $GNUTLS_REQUIRED,
                        [GNUTLS_FOUND=yes], [GNUTLS_FOUND=no])])


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



