curl-library

Re: [PATCH] Support for GnuTLS/nettle

From: Martin Storsjö <martin_at_martin.st>
Date: Fri, 18 Nov 2011 14:23:49 +0200 (EET)

On Tue, 15 Nov 2011, Martin Storsjö wrote:

> On Tue, 15 Nov 2011, Daniel Stenberg wrote:
>
>> On Tue, 15 Nov 2011, Martin Storsjö wrote:
>>
>>> The big question that remains, however, is how to detect this setup - the
>>> current gnutls+gcrypt check in configure simply checks that we can link to
>>> gcrypt.
>>
>> The check for gcrypt explicitly is actually there for a reason. We rely on
>> gcrypt for the NTLM code when GnuTLS is used. So unless you modified that
>> part of the code, you actually need both nettle and gcrypt for the moment.
>
> This is exactly what the patch I attached does - it adds code for using
> nettle instead of gcrypt in the NTLM (and md5), which I've tested to pass all
> tests.
>
>> Once we add support to the NTLM code to use nettle instead, we could probably
>> use the GnuTLS version as a way to tell which crypto layer to check for
>> first (nettle, gcrypt) and if the primary fails we can check for the other.
>
> That might also be a good indicator, yeah.

Actually, I figured out a new, even better approach. First, it tries
linking to libnettle functions by only using -lgnutls, and similarly for a
gcrypt function. If either of these succeeds, we're sure of which backend
gnutls uses. If not (e.g. building for Windows, or using a linker which
doesn't allow implicit transitive linking like this, e.g. gold afaik), we
try to link to a nettle function using -lnettle (since nettle is the
default now in newer gnutls versions), and if not found, we try gcrypt
(just as we did before).

For cases where both gcrypt and nettle libraries exist, and the linker
doesn't allow implicit transitive linking, we can't (easily, without
trying to parse info about that library) know which one gnutls uses, so in
the attached patch, it will favor nettle at the moment, but if you prefer
gcrypt, you can change it to use that instead.

Except for this, the rest of the patch (for actually using the nettle
crypt functions) is the same as in the previous submission.

// Martin

Received on 2011-11-18
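
The probe order described in this mail, written out as an added shell example (it is not the attached patch and not curl's configure code). The probe symbols `nettle_md5_init` and `gcry_control` and the function names `try_link` and `detect_gnutls_backend` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: the four-step backend probe from the mail.
# Assumed probe symbols (not taken from the patch): nettle_md5_init, gcry_control.

# try_link SYMBOL LIBS...: succeed if a program calling SYMBOL links with LIBS.
try_link() {
  sym=$1; shift
  dir=$(mktemp -d) || return 1
  printf 'char %s(void);\nint main(void) { return %s(); }\n' "$sym" "$sym" \
    > "$dir/probe.c"
  ${CC:-cc} -o "$dir/probe" "$dir/probe.c" "$@" >/dev/null 2>&1
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Prints "<backend> <how>": backend is nettle, gcrypt or unknown;
# how is "transitive" (proved via -lgnutls alone) or "explicit" (a guess).
detect_gnutls_backend() {
  # Steps 1-2: link against -lgnutls only. A hit means gnutls itself pulls
  # the crypto library in, so the backend is known for certain.
  if try_link nettle_md5_init -lgnutls; then echo "nettle transitive"; return 0; fi
  if try_link gcry_control -lgnutls; then echo "gcrypt transitive"; return 0; fi
  # Steps 3-4: no transitive linking (Windows, strict linkers). Probe the
  # libraries directly; nettle goes first, so it wins when both are installed.
  if try_link nettle_md5_init -lnettle; then echo "nettle explicit"; return 0; fi
  if try_link gcry_control -lgcrypt; then echo "gcrypt explicit"; return 0; fi
  echo "unknown none"
  return 1
}
```

An "explicit" result is the ambiguous case from the mail: the library exists, but nothing proves that the installed gnutls was built against it.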