authorDaniel P. Berrange <berrange@redhat.com>2015-04-13 14:01:39 +0100
committerDaniel P. Berrange <berrange@redhat.com>2015-09-15 15:05:09 +0100
commit9a2fd4347c40321f5cbb4ab4220e759fcbf87d03 (patch)
tree25449f7fa2cd329313c25e69b5ec5fb740d91c45 /configure
parent85bcbc789eb65b54548a507b747ffffe6175b404 (diff)
crypto: add sanity checking of TLS x509 credentials
If the administrator incorrectly sets up their x509 certificates, the errors seen at runtime during connection attempts are very obscure and difficult to diagnose. This has been a particular problem for people using openssl to generate their certificates instead of the gnutls certtool, because the openssl tools don't turn on the various x509 extensions that gnutls expects to be present by default. This change thus adds support in the TLS credentials object to sanity check the certificates when QEMU first loads them. This gives the administrator immediate feedback for the majority of common configuration mistakes, reducing the pain involved in setting up TLS. The code is derived from equivalent code that has been part of libvirt's TLS support and has been seen to be valuable in assisting admins. It is possible to disable the sanity checking, however, via the new 'sanity-check' property on the tls-creds object type, with a value of 'no'. Unit tests are included in this change to verify the correctness of the sanity checking code in all the key scenarios it is intended to cope with. As part of the test suite, the pkix_asn1_tab.c from gnutls is imported. This file is intentionally copied from the (long since obsolete) gnutls 1.6.3 source tree, since that version was still under GPLv2+, rather than the GPLv3+ of gnutls >= 2.0. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Diffstat (limited to 'configure')
-rwxr-xr-xconfigure22
1 files changed, 22 insertions, 0 deletions
diff --git a/configure b/configure
index d7c24cdaa0..bdd302c3bf 100755
--- a/configure
+++ b/configure
@@ -416,6 +416,9 @@ if test "$debug_info" = "yes"; then
LDFLAGS="-g $LDFLAGS"
fi
+test_cflags=""
+test_libs=""
+
# make source path absolute
source_path=`cd "$source_path"; pwd`
@@ -2249,6 +2252,19 @@ if test "$gnutls_nettle" != "no"; then
fi
fi
+##########################################
+# libtasn1 - only for the TLS creds/session test suite
+
+tasn1=yes
+if $pkg_config --exists "libtasn1"; then
+ tasn1_cflags=`$pkg_config --cflags libtasn1`
+ tasn1_libs=`$pkg_config --libs libtasn1`
+ test_cflags="$test_cflags $tasn1_cflags"
+ test_libs="$test_libs $tasn1_libs"
+else
+ tasn1=no
+fi
+
##########################################
# VTE probe
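Review bot: The probe at `if $pkg_config --exists "libtasn1"` checks only that libtasn1 is installed, not which API level it provides; since the commit message says the test suite imports a pkix_asn1_tab.c taken from a 2007-era gnutls tree, a floor such as `$pkg_config --exists "libtasn1 >= <MIN_VERSION>"` (placeholder, to be filled with the lowest version the test code is known to build against) would make an unsuitable host fail at configure time rather than when the tests are compiled. There is also no `--enable-tasn1` / `--disable-tasn1` option in this change, so a builder who specifically wants the TLS credential sanity-check tests cannot make configure fail hard when libtasn1 is absent; the `else` branch silently drops them. At minimum the skip should be visible to a reader of the probe, e.g. `tasn1=no  # TLS creds/session unit tests will not be built`. Whether libtasn1 is ever needed outside the test suite cannot be told from this hunk, so the comment on the probe header looks accurate as written.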
@@ -4574,6 +4590,7 @@ echo "GNUTLS support $gnutls"
echo "GNUTLS hash $gnutls_hash"
echo "GNUTLS gcrypt $gnutls_gcrypt"
echo "GNUTLS nettle $gnutls_nettle ${gnutls_nettle+($nettle_version)}"
+echo "libtasn1 $tasn1"
echo "VTE support $vte"
echo "curses support $curses"
echo "curl support $curl"
@@ -4945,6 +4962,9 @@ if test "$gnutls_nettle" = "yes" ; then
echo "CONFIG_GNUTLS_NETTLE=y" >> $config_host_mak
echo "CONFIG_NETTLE_VERSION_MAJOR=${nettle_version%%.*}" >> $config_host_mak
fi
+if test "$tasn1" = "yes" ; then
+ echo "CONFIG_TASN1=y" >> $config_host_mak
+fi
if test "$vte" = "yes" ; then
echo "CONFIG_VTE=y" >> $config_host_mak
echo "VTE_CFLAGS=$vte_cflags" >> $config_host_mak
@@ -5268,6 +5288,8 @@ echo "EXESUF=$EXESUF" >> $config_host_mak
echo "DSOSUF=$DSOSUF" >> $config_host_mak
echo "LDFLAGS_SHARED=$LDFLAGS_SHARED" >> $config_host_mak
echo "LIBS_QGA+=$libs_qga" >> $config_host_mak
+echo "TEST_LIBS=$test_libs" >> $config_host_mak
+echo "TEST_CFLAGS=$test_cflags" >> $config_host_mak
echo "POD2MAN=$POD2MAN" >> $config_host_mak
echo "TRANSLATE_OPT_CFLAGS=$TRANSLATE_OPT_CFLAGS" >> $config_host_mak
if test "$gcov" = "yes" ; then