Message ID | 20160504102840.GJ2111@citrix.com (mailing list archive)
---|---
State | New, archived
On Wed, May 04, Wei Liu wrote:

> gnutls_kx_set_priority, gnutls_certificate_type_set_priority and
> gnutls_protocol_set_priority are removed in 3.4. Application should use
> gnutls_priority_set_direct instead.

> +#if defined(GNUTLS_VERSION_NUMBER) && \
> + GNUTLS_VERSION_NUMBER >= 0x030400 /* 3.4.0 */

Quoting their NEWS file:

...
* Version 2.1.7 (released 2007-11-29)
...
** The gnutls_*_convert_priority() functions were deprecated by
the gnutls_priority_set() and gnutls_priority_set_direct().
...

The initial variant of that patch looks more correct. It would cover
each and every distribution Xen runs on.

Olaf
On Wed, May 04, 2016 at 03:06:04PM +0200, Olaf Hering wrote:
> On Wed, May 04, Wei Liu wrote:
>
> > gnutls_kx_set_priority, gnutls_certificate_type_set_priority and
> > gnutls_protocol_set_priority are removed in 3.4. Application should use
> > gnutls_priority_set_direct instead.
>
> > +#if defined(GNUTLS_VERSION_NUMBER) && \
> > + GNUTLS_VERSION_NUMBER >= 0x030400 /* 3.4.0 */
>
> Quoting their NEWS file:
>
> ...
> * Version 2.1.7 (released 2007-11-29)
> ...
> ** The gnutls_*_convert_priority() functions were deprecated by
> the gnutls_priority_set() and gnutls_priority_set_direct().

These seem to be a different set of functions.

Do you have a link to the NEWS file so that I can read and put it into
the commit message? https://www.gnutls.org/news.html doesn't seem to
cover releases that old.

Wei.

> ...
>
> The initial variant of that patch looks more correct. It would cover
> each and every distribution Xen runs on.
>
> Olaf
On Wed, May 04, Wei Liu wrote:

> Do you have a link to the NEWS file so that I can read and put it into
> the commit message? https://www.gnutls.org/news.html doesn't seem to
> cover releases that old.

I cloned their git tree.

git clone https://gitlab.com/gnutls/gnutls.git

Thanks anyway for making progress on this error.

Olaf
On Wed, May 04, 2016 at 03:38:01PM +0200, Olaf Hering wrote:
> On Wed, May 04, Wei Liu wrote:
>
> > Do you have a link to the NEWS file so that I can read and put it into
> > the commit message? https://www.gnutls.org/news.html doesn't seem to
> > cover releases that old.
>
> I cloned their git tree.
>
> git clone https://gitlab.com/gnutls/gnutls.git
>

OK. That works for me.

I will go check the gnutls repo and update this patch accordingly. In
the meantime I will wait for comment on the priority list. If you know
any documents please let me know.

> Thanks anyway for making progress on this error.
>

Yeah, trying to tie up some loose ends for the release.

Wei.

> Olaf
On Wed, May 04, Wei Liu wrote:

> I will go check the gnutls repo and update this patch accordingly. In
> the meantime I will wait for comment on the priority list. If you know
> any documents please let me know.

I can't help with that.

My xen.rpm carries upstream commits
f40d55081667a716312b9a8b6e13835c4074f56b and
7d2a929feba319c18603e324b1750830d6c8b7a1 for some time now.

Olaf
On Wed, May 04, 2016 at 04:03:57PM +0200, Olaf Hering wrote:
> On Wed, May 04, Wei Liu wrote:
>
> > I will go check the gnutls repo and update this patch accordingly. In
> > the meantime I will wait for comment on the priority list. If you know
> > any documents please let me know.
>
> I can't help with that.
>
> My xen.rpm carries upstream commits
> f40d55081667a716312b9a8b6e13835c4074f56b and
> 7d2a929feba319c18603e324b1750830d6c8b7a1 for some time now.
>

Are these gnutls.git commits?

$ cd gnutls
$ git show f40d55081667a716312b9a8b6e13835c4074f56b
fatal: bad object f40d55081667a716312b9a8b6e13835c4074f56b

Same for the other commit.

Wei.

> Olaf
On Wed, May 04, Wei Liu wrote:
> Are these gnutls.git commits?
It's from qemu.git; after all, it's a bug in qemu.
Olaf
On Wed, May 04, 2016 at 04:13:48PM +0200, Olaf Hering wrote:
> On Wed, May 04, Wei Liu wrote:
>
> > Are these gnutls.git commits?
>
> It's from qemu.git; after all, it's a bug in qemu.
>

Oh, right. That makes sense!

In that case I can just use those commits. This is very useful
information. Thank you very much!

Wei.

> Olaf
diff --git a/vnc.c b/vnc.c index 573af3b..c5505fb 100644 --- a/vnc.c +++ b/vnc.c @@ -1925,9 +1925,9 @@ static int vnc_tls_initialize(void) return 1; } -static gnutls_anon_server_credentials vnc_tls_initialize_anon_cred(void) +static gnutls_anon_server_credentials_t vnc_tls_initialize_anon_cred(void) { - gnutls_anon_server_credentials anon_cred; + gnutls_anon_server_credentials_t anon_cred; int ret; if ((ret = gnutls_anon_allocate_server_credentials(&anon_cred)) < 0) { 
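Review bot: the rename from `gnutls_anon_server_credentials` to `gnutls_anon_server_credentials_t` in `vnc_tls_initialize_anon_cred` is applied unconditionally, unlike the version-gated priority change in the next hunk, so the commit message should state which gnutls release introduced the `_t` typedef and confirm it is at or below the oldest gnutls this tree is expected to build against; otherwise this hunk, not the removed priority functions, silently becomes the effective minimum-version requirement.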
@@ -2151,13 +2151,52 @@ static void vnc_handshake_io(void *opaque) { (vs)->subauth == VNC_AUTH_VENCRYPT_X509VNC || \ (vs)->subauth == VNC_AUTH_VENCRYPT_X509PLAIN) +#if defined(GNUTLS_VERSION_NUMBER) && \ + GNUTLS_VERSION_NUMBER >= 0x030400 /* 3.4.0 */ +static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) +{ + const char *priority = x509 ? "NORMAL" : "NORMAL:+ANON-DH"; + int rc; -static int vnc_start_tls(struct VncState *vs) { - static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; - static const int protocol_priority[]= { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 }; - static const int kx_anon[] = {GNUTLS_KX_ANON_DH, 0}; - static const int kx_x509[] = {GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0}; + rc = gnutls_priority_set_direct(s, priority, NULL); + if (rc != GNUTLS_E_SUCCESS) { + return -1; + } + return 0; +} +#else +static int vnc_set_gnutls_priority(gnutls_session_t s, int x509) +{ + static const int cert_types[] = { GNUTLS_CRT_X509, 0 }; + static const int protocols[] = { + GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 + }; + static const int kx_anon[] = { GNUTLS_KX_ANON_DH, 0 }; + static const int kx_x509[] = { + GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, + GNUTLS_KX_DHE_RSA, GNUTLS_KX_SRP, 0 + }; + int rc; + + rc = gnutls_kx_set_priority(s, x509 ? kx_x509 : kx_anon); + if (rc != GNUTLS_E_SUCCESS) { + return -1; + } + + rc = gnutls_certificate_type_set_priority(s, cert_types); + if (rc != GNUTLS_E_SUCCESS) { + return -1; + } + rc = gnutls_protocol_set_priority(s, protocols); + if (rc != GNUTLS_E_SUCCESS) { + return -1; + } + return 0; +} +#endif + +static int vnc_start_tls(struct VncState *vs) { VNC_DEBUG("Do TLS setup\n"); if (vnc_tls_initialize() < 0) { VNC_DEBUG("Failed to init TLS\n"); 
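Review bot: the two branches of `vnc_set_gnutls_priority` do not produce equivalent sessions: the `#else` branch pins protocols to `GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3` and key exchange to `kx_x509` / `kx_anon`, while the `>= 0x030400` branch passes `"NORMAL"` or `"NORMAL:+ANON-DH"` to `gnutls_priority_set_direct` and inherits the library's default protocol and cipher set, which is not guaranteed to match that explicit list. Given the thread's observation that `gnutls_priority_set_direct` has been the recommended API since 2.1.7, consider dropping the legacy branch (or lowering the gate to the oldest gnutls the tree supports) so there is a single documented priority policy, and at minimum remove `GNUTLS_SSL3` from the legacy list so old and new builds do not differ in whether SSL 3.0 is offered. Either way, the chosen priority strings and the reason for them belong in the commit message, since the thread is still waiting for review of exactly that list.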
@@ -2177,21 +2216,7 @@ static int vnc_start_tls(struct VncState *vs) { return -1; } - if (gnutls_kx_set_priority(vs->tls_session, NEED_X509_AUTH(vs) ? kx_x509 : kx_anon) < 0) { - gnutls_deinit(vs->tls_session); - vs->tls_session = NULL; - vnc_client_error(vs); - return -1; - } - - if (gnutls_certificate_type_set_priority(vs->tls_session, cert_type_priority) < 0) { - gnutls_deinit(vs->tls_session); - vs->tls_session = NULL; - vnc_client_error(vs); - return -1; - } - - if (gnutls_protocol_set_priority(vs->tls_session, protocol_priority) < 0) { + if (vnc_set_gnutls_priority(vs->tls_session, !!NEED_X509_AUTH(vs)) < 0) { gnutls_deinit(vs->tls_session); vs->tls_session = NULL; vnc_client_error(vs); @@ -2219,7 +2244,7 @@ static int vnc_start_tls(struct VncState *vs) { } } else { - gnutls_anon_server_credentials anon_cred = vnc_tls_initialize_anon_cred(); + gnutls_anon_server_credentials_t anon_cred = vnc_tls_initialize_anon_cred(); if (!anon_cred) { gnutls_deinit(vs->tls_session); vs->tls_session = NULL;
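Review bot: in the `-2177` hunk the call site now folds up to three gnutls calls into a single `vnc_set_gnutls_priority(...) < 0` check, and the helper discards `rc` and returns a bare -1, so a rejected priority string on a 3.4 build fails through the same `vnc_client_error(vs)` path with no indication of what went wrong; suggest returning `rc` from the helper and adding a `VNC_DEBUG("...: %s\n", gnutls_strerror(rc))` here before `gnutls_deinit(vs->tls_session)`, matching the existing `VNC_DEBUG("Failed to init TLS\n")` style. The `!!` on `NEED_X509_AUTH(vs)` is redundant, as the macro is an `||` expression that already yields 0 or 1.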