fridtjof/qemu-cr16
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

crypto: bump min gnutls to 3.7.5

Browse source 
Per repology, current shipping versions are:

                 RHEL-9: 3.8.3
              Debian 13: 3.8.9
       openSUSE Leap 15: 3.8.3
       Ubuntu LTS 22.04: 3.7.5
                FreeBSD: 3.8.10
              Fedora 42: 3.8.10
                OpenBSD: 3.8.10
         macOS HomeBrew: 3.8.10

Ubuntu 22.04 is our oldest constraint at this time.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2025-10-31 14:10:50 +00:00
parent 84005f4a2b
commit c4b3d0074e
4 changed files with 7 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

2
crypto/cipher.c
View file

@ -142,7 +142,7 @@ qcrypto_cipher_validate_key_length(QCryptoCipherAlgo alg,
#include "cipher-gcrypt.c.inc" #include "cipher-gcrypt.c.inc"
#elif defined CONFIG_NETTLE #elif defined CONFIG_NETTLE
#include "cipher-nettle.c.inc" #include "cipher-nettle.c.inc"
#elif defined CONFIG_GNUTLS_CRYPTO #elif defined CONFIG_GNUTLS
#include "cipher-gnutls.c.inc" #include "cipher-gnutls.c.inc"
#else #else
#include "cipher-stub.c.inc" #include "cipher-stub.c.inc"

2
crypto/meson.build
View file

@ -38,7 +38,7 @@ if nettle.found()
endif endif
elif gcrypt.found() elif gcrypt.found()
crypto_ss.add(gcrypt, files('hash-gcrypt.c', 'hmac-gcrypt.c', 'pbkdf-gcrypt.c')) crypto_ss.add(gcrypt, files('hash-gcrypt.c', 'hmac-gcrypt.c', 'pbkdf-gcrypt.c'))
elif gnutls_crypto.found() elif gnutls.found()
crypto_ss.add(gnutls, files('hash-gnutls.c', 'hmac-gnutls.c', 'pbkdf-gnutls.c')) crypto_ss.add(gnutls, files('hash-gnutls.c', 'hmac-gnutls.c', 'pbkdf-gnutls.c'))
else else
crypto_ss.add(files('hash-glib.c', 'hmac-glib.c', 'pbkdf-stub.c')) crypto_ss.add(files('hash-glib.c', 'hmac-glib.c', 'pbkdf-stub.c'))

37
meson.build
View file

@ -1823,33 +1823,11 @@ if not get_option('libcbor').auto() or have_system
endif endif
gnutls = not_found gnutls = not_found
gnutls_crypto = not_found
gnutls_bug1717_workaround = false gnutls_bug1717_workaround = false
if get_option('gnutls').enabled() or (get_option('gnutls').auto() and have_system) if get_option('gnutls').enabled() or (get_option('gnutls').auto() and have_system)
# For general TLS support our min gnutls matches gnutls = dependency('gnutls', version: '>=3.7.5',
# that implied by our platform support matrix method: 'pkg-config',
# required: get_option('gnutls'))
# For the crypto backends, we look for a newer
# gnutls:
#
# Version 3.6.8 is needed to get XTS
# Version 3.6.13 is needed to get PBKDF
# Version 3.6.14 is needed to get HW accelerated XTS
#
# If newer enough gnutls isn't available, we can
# still use a different crypto backend to satisfy
# the platform support requirements
gnutls_crypto = dependency('gnutls', version: '>=3.6.14',
method: 'pkg-config',
required: false)
if gnutls_crypto.found()
gnutls = gnutls_crypto
else
# Our min version if all we need is TLS
gnutls = dependency('gnutls', version: '>=3.5.18',
method: 'pkg-config',
required: get_option('gnutls'))
endif
#if gnutls.found() and not get_option('gnutls-bug1717-workaround').disabled() #if gnutls.found() and not get_option('gnutls-bug1717-workaround').disabled()
# XXX: when bug 1717 is resolved, add logic to probe for # XXX: when bug 1717 is resolved, add logic to probe for
@ -1874,12 +1852,7 @@ if get_option('nettle').enabled() and get_option('gcrypt').enabled()
error('Only one of gcrypt & nettle can be enabled') error('Only one of gcrypt & nettle can be enabled')
endif endif
# Explicit nettle/gcrypt request, so ignore gnutls for crypto if not gnutls.found()
if get_option('nettle').enabled() or get_option('gcrypt').enabled()
gnutls_crypto = not_found
endif
if not gnutls_crypto.found()
if (not get_option('gcrypt').auto() or have_system) and not get_option('nettle').enabled() if (not get_option('gcrypt').auto() or have_system) and not get_option('nettle').enabled()
gcrypt = dependency('libgcrypt', version: '>=1.8', gcrypt = dependency('libgcrypt', version: '>=1.8',
required: get_option('gcrypt')) required: get_option('gcrypt'))
@ -2606,7 +2579,6 @@ config_host_data.set('CONFIG_XKBCOMMON', xkbcommon.found())
config_host_data.set('CONFIG_KEYUTILS', keyutils.found()) config_host_data.set('CONFIG_KEYUTILS', keyutils.found())
config_host_data.set('CONFIG_GETTID', has_gettid) config_host_data.set('CONFIG_GETTID', has_gettid)
config_host_data.set('CONFIG_GNUTLS', gnutls.found()) config_host_data.set('CONFIG_GNUTLS', gnutls.found())
config_host_data.set('CONFIG_GNUTLS_CRYPTO', gnutls_crypto.found())
config_host_data.set('CONFIG_GNUTLS_BUG1717_WORKAROUND', gnutls_bug1717_workaround) config_host_data.set('CONFIG_GNUTLS_BUG1717_WORKAROUND', gnutls_bug1717_workaround)
config_host_data.set('CONFIG_TASN1', tasn1.found()) config_host_data.set('CONFIG_TASN1', tasn1.found())
config_host_data.set('CONFIG_GCRYPT', gcrypt.found()) config_host_data.set('CONFIG_GCRYPT', gcrypt.found())
@ -4906,7 +4878,6 @@ summary_info = {}
summary_info += {'TLS priority': get_option('tls_priority')} summary_info += {'TLS priority': get_option('tls_priority')}
summary_info += {'GNUTLS support': gnutls} summary_info += {'GNUTLS support': gnutls}
if gnutls.found() if gnutls.found()
summary_info += {' GNUTLS crypto': gnutls_crypto.found()}
summary_info += {' GNUTLS bug 1717 workaround': gnutls_bug1717_workaround } summary_info += {' GNUTLS bug 1717 workaround': gnutls_bug1717_workaround }
endif endif
summary_info += {'libgcrypt': gcrypt} summary_info += {'libgcrypt': gcrypt}

3
tests/unit/test-crypto-block.c
View file

@ -31,8 +31,7 @@
#endif #endif
#if (defined(_WIN32) || defined RUSAGE_THREAD) && \ #if (defined(_WIN32) || defined RUSAGE_THREAD) && \
(defined(CONFIG_NETTLE) || defined(CONFIG_GCRYPT) || \ (defined(CONFIG_NETTLE) || defined(CONFIG_GCRYPT))
defined(CONFIG_GNUTLS_CRYPTO))
#define TEST_LUKS #define TEST_LUKS
#else #else
#undef TEST_LUKS #undef TEST_LUKS