Switch from gnutls to openssl for sha1

configure.ac

@@ -257,6 +257,8 @@ fi
 
 AM_CONDITIONAL([ENABLE_API_DOCS], [test "x$HAVE_DOXYGEN" != "x"])
 
+AC_CONFIG_MACRO_DIRS([config])
+
 # Apparmor
 AC_ARG_ENABLE([apparmor],
 	[AC_HELP_STRING([--enable-apparmor], [enable apparmor support [default=auto]])],
@@ -267,20 +269,21 @@ if test "$enable_apparmor" = "auto" ; then
 fi
 AM_CONDITIONAL([ENABLE_APPARMOR], [test "x$enable_apparmor" = "xyes"])
 
-# GnuTLS
-AC_ARG_ENABLE([gnutls],
-	[AC_HELP_STRING([--enable-gnutls], [enable GnuTLS support [default=auto]])],
-	[], [enable_gnutls=auto])
+# OpenSSL
+# libssl-dev
+AC_ARG_ENABLE([openssl],
+	[AC_HELP_STRING([--enable-openssl], [enable OpenSSL support [default=auto]])],
+	[], [enable_openssl=auto])
+
+if test "$enable_openssl" = "auto" ; then
+	AC_CHECK_LIB([ssl], [OPENSSL_init_ssl], [enable_openssl=yes], [enable_openssl=no])
 
-if test "$enable_gnutls" = "auto" ; then
-	AC_CHECK_LIB([gnutls], [gnutls_hash_fast], [enable_gnutls=yes], [enable_gnutls=no])
 fi
-AM_CONDITIONAL([ENABLE_GNUTLS], [test "x$enable_gnutls" = "xyes"])
+AM_CONDITIONAL([ENABLE_OPENSSL], [test "x$enable_openssl" = "xyes"])
 
-AM_COND_IF([ENABLE_GNUTLS],
-	[AC_CHECK_HEADER([gnutls/gnutls.h],[],[AC_MSG_ERROR([You must install the GnuTLS development package in order to compile lxc])])
-	AC_CHECK_LIB([gnutls], [gnutls_hash_fast],[true],[AC_MSG_ERROR([You must install the GnuTLS development package in order to compile lxc])])
-	AC_SUBST([GNUTLS_LIBS], [-lgnutls])])
+AM_COND_IF([ENABLE_OPENSSL],
+	[AC_CHECK_HEADER([openssl/engine.h],[],[AC_MSG_ERROR([You must install the OpenSSL development package in order to compile lxc])])
+	AC_SUBST([OPENSSL_LIBS], '-lssl -lcrypto')])
 
 # SELinux
 AC_ARG_ENABLE([selinux],
@@ -992,7 +995,7 @@ Environment:
  - distribution: $with_distro
  - init script type(s): $init_script
  - rpath: $enable_rpath
- - GnuTLS: $enable_gnutls
+ - OpenSSL: $enable_openssl
  - Bash integration: $enable_bash
 
 Security features:

src/lxc/Makefile.am

@@ -207,8 +207,8 @@ if ENABLE_APPARMOR
 AM_CFLAGS += -DHAVE_APPARMOR
 endif
 
-if ENABLE_GNUTLS
-AM_CFLAGS += -DHAVE_LIBGNUTLS
+if ENABLE_OPENSSL
+AM_CFLAGS += -DHAVE_OPENSSL
 endif
 
 if ENABLE_SECCOMP
@@ -240,7 +240,7 @@ liblxc_la_LDFLAGS = -pthread \
 		    -version-info @LXC_ABI_MAJOR@
 
 liblxc_la_LIBADD = $(CAP_LIBS) \
-		   $(GNUTLS_LIBS) \
+		   $(OPENSSL_LIBS) \
 		   $(SELINUX_LIBS) \
 		   $(SECCOMP_LIBS)
 
@@ -298,7 +298,7 @@ endif
 
 LDADD = liblxc.la \
 	@CAP_LIBS@ \
-	@GNUTLS_LIBS@ \
+	@OPENSSL_LIBS@ \
 	@SECCOMP_LIBS@ \
 	@SELINUX_LIBS@
 

src/lxc/lxccontainer.c

@@ -76,6 +76,10 @@
 #include "utils.h"
 #include "version.h"
 
+#if HAVE_OPENSSL
+#include <openssl/evp.h>
+#endif
+
 /* major()/minor() */
 #ifdef MAJOR_IN_MKDEV
 #include <sys/mkdev.h>
@@ -1632,9 +1636,9 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[])
 	char *contents;
 	FILE *f;
 	int ret = -1;
-#if HAVE_LIBGNUTLS
-	int i;
-	unsigned char md_value[SHA_DIGEST_LENGTH];
+#if HAVE_OPENSSL
+	int i, md_len = 0;
+	unsigned char md_value[EVP_MAX_MD_SIZE];
 	char *tpath;
 #endif
 
@@ -1675,14 +1679,14 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[])
 	if (ret < 0)
 		goto out_free_contents;
 
-#if HAVE_LIBGNUTLS
+#if HAVE_OPENSSL
 	tpath = get_template_path(t);
 	if (!tpath) {
 		ERROR("Invalid template \"%s\" specified", t);
 		goto out_free_contents;
 	}
 
-	ret = sha1sum_file(tpath, md_value);
+	ret = sha1sum_file(tpath, md_value, &md_len);
 	if (ret < 0) {
 		ERROR("Failed to get sha1sum of %s", tpath);
 		free(tpath);
@@ -1708,9 +1712,9 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[])
 		fprintf(f, "\n");
 	}
 
-#if HAVE_LIBGNUTLS
+#if HAVE_OPENSSL
 	fprintf(f, "# Template script checksum (SHA-1): ");
-	for (i=0; i<SHA_DIGEST_LENGTH; i++)
+	for (i=0; i<md_len; i++)
 		fprintf(f, "%02x", md_value[i]);
 	fprintf(f, "\n");
 #endif

src/lxc/utils.c

@@ -330,17 +330,30 @@ again:
 	return status;
 }
 
-#if HAVE_LIBGNUTLS
-#include <gnutls/gnutls.h>
-#include <gnutls/crypto.h>
+#ifdef HAVE_OPENSSL
+#include <openssl/evp.h>
 
-__attribute__((constructor))
-static void gnutls_lxc_init(void)
+static int do_sha1_hash(const char *buf, int buflen, unsigned char *md_value, int *md_len)
 {
-	gnutls_global_init();
+	EVP_MD_CTX *mdctx;
+	const EVP_MD *md;
+
+	md = EVP_get_digestbyname("sha1");
+	if(!md) {
+		printf("Unknown message digest: sha1\n");
+		return -1;
+	}
+
+	mdctx = EVP_MD_CTX_new();
+	EVP_DigestInit_ex(mdctx, md, NULL);
+	EVP_DigestUpdate(mdctx, buf, buflen);
+	EVP_DigestFinal_ex(mdctx, md_value, md_len);
+	EVP_MD_CTX_free(mdctx);
+
+	return 0;
 }
 
-int sha1sum_file(char *fnam, unsigned char *digest)
+int sha1sum_file(char *fnam, unsigned char *digest, int *md_len)
 {
 	char *buf;
 	int ret;
@@ -394,7 +407,7 @@ int sha1sum_file(char *fnam, unsigned char *digest)
 	}
 
 	buf[flen] = '\0';
-	ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, buf, flen, (void *)digest);
+	ret = do_sha1_hash(buf, flen, (void *)digest, md_len);
 	free(buf);
 	return ret;
 }

src/lxc/utils.h

@@ -98,9 +98,8 @@ extern int lxc_pclose(struct lxc_popen_FILE *fp);
 extern int wait_for_pid(pid_t pid);
 extern int lxc_wait_for_pid_status(pid_t pid);
 
-#if HAVE_LIBGNUTLS
-#define SHA_DIGEST_LENGTH 20
-extern int sha1sum_file(char *fnam, unsigned char *md_value);
+#if HAVE_OPENSSL
+extern int sha1sum_file(char *fnam, unsigned char *md_value, int *md_len);
 #endif
 
 /* initialize rand with urandom */