From f2361e6d582d4343d71d294ed1da654afe7750ee Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 2 Oct 2014 17:33:57 +0200 Subject: [PATCH] First changes for future use of NTBTLS. * configure.ac (NEED_NTBTLS_ABI, NEED_NTBTLS_VERSION): New. (HTTP_USE_NTBTLS): New. Prefer over GNUTLS. * m4/ntbtls.m4: New. * m4/Makefile.am (EXTRA_DIST): Add new file. * common/http.c: Add conditionals to eventually use NTBTLS. -- This is only the configure stuff. If you have NTBTLS installed GNUTLS will not be used but there won't be any https support either :-(. This patch is used to have a real world test bench for the forthcoming library. --- common/Makefile.am | 5 +- common/http.c | 122 ++++++++++++++++++++++++++++++--------- common/t-http.c | 19 ++++-- configure.ac | 44 +++++++++----- dirmngr/Makefile.am | 2 +- dirmngr/dirmngr.c | 25 ++++++-- m4/Makefile.am | 2 +- m4/ntbtls.m4 | 137 ++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 302 insertions(+), 54 deletions(-) create mode 100644 m4/ntbtls.m4 diff --git a/common/Makefile.am b/common/Makefile.am index 03bc5eb06..87d68208e 100644 --- a/common/Makefile.am +++ b/common/Makefile.am @@ -226,8 +226,9 @@ t_zb32_LDADD = $(t_common_ldadd) # http tests t_http_SOURCES = t-http.c -t_http_CFLAGS = $(t_common_cflags) $(LIBGNUTLS_CFLAGS) -t_http_LDADD = libcommontls.a $(t_common_ldadd) $(LIBGNUTLS_LIBS) $(DNSLIBS) +t_http_CFLAGS = $(t_common_cflags) $(NTBTLS_CFLAGS) $(LIBGNUTLS_CFLAGS) +t_http_LDADD = libcommontls.a $(t_common_ldadd) \ + $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(DNSLIBS) # All programs should depend on the created libs. $(PROGRAMS) : libcommon.a libcommonpth.a libcommontls.a libcommontlsnpth.a diff --git a/common/http.c b/common/http.c index 7e3bb5717..413efd840 100644 --- a/common/http.c +++ b/common/http.c 
@@ -39,7 +39,7 @@ - fixme: list other requirements. - - With HTTP_USE_GNUTLS or HTTP_USE_POLARSSL support for https is + - With HTTP_USE_NTBTLS or HTTP_USE_GNUTLS support for https is provided (this also requires estream). - With HTTP_NO_WSASTARTUP the socket initialization is not done @@ -82,17 +82,16 @@ # include #endif -#if defined (HTTP_USE_GNUTLS) && defined (HTTP_USE_POLARSSL) -# error Both, HTTP_USE_GNUTLS and HTTP_USE_POLARSSL, are defined. +#if defined (HTTP_USE_GNUTLS) && defined (HTTP_USE_NTBTLS) +# error Both, HTTP_USE_GNUTLS and HTTP_USE_NTBTLS, are defined. #endif -#ifdef HTTP_USE_GNUTLS +#ifdef HTTP_USE_NTBTLS +# include +#elif HTTP_USE_GNUTLS # include # include #endif /*HTTP_USE_GNUTLS*/ -#ifdef HTTP_USE_POLARSSL -# error Support for PolarSSL has not yet been added -#endif #include "util.h" @@ -156,8 +155,15 @@ typedef unsigned long longcounter_t; # define counter_strtoul(a) strtoul ((a), NULL, 10) #endif -#ifndef HTTP_USE_GNUTLS -typedef void * gnutls_session_t; +#if HTTP_USE_NTBTLS +typedef ntbtls_t tls_session_t; +# define USE_TLS 1 +#elif HTTP_USE_GNUTLS +typedef gnutls_session_t tls_session_t; +# define USE_TLS 1 +#else +typedef void *tls_session_t; +# undef USE_TLS #endif static gpg_err_code_t do_parse_uri (parsed_uri_t uri, int only_local_part, 
@@ -226,14 +232,16 @@ struct http_session_s int refcount; /* Number of references to this object. */ #ifdef HTTP_USE_GNUTLS gnutls_certificate_credentials_t certcred; - gnutls_session_t tls_session; +#endif /*HTTP_USE_GNUTLS*/ +#ifdef USE_TLS + tls_session_t tls_session; struct { int done; /* Verifciation has been done. */ - int rc; /* GnuTLS verification return code. */ + int rc; /* TLS verification return code. */ unsigned int status; /* Verification status. */ } verify; char *servername; /* Malloced server name. */ -#endif /*HTTP_USE_GNUTLS*/ +#endif /*USE_TLS*/ /* A callback function to log details of TLS certifciates. */ void (*cert_log_cb) (http_session_t, gpg_error_t, const char *, const void **, size_t *); @@ -522,7 +530,8 @@ session_unref (int lnr, http_session_t sess) if (sess->refcount) return; -#ifdef HTTP_USE_GNUTLS +#ifdef USE_TLS +# ifdef HTTP_USE_GNUTLS if (sess->tls_session) { my_socket_t sock = gnutls_transport_get_ptr (sess->tls_session); @@ -531,8 +540,9 @@ session_unref (int lnr, http_session_t sess) } if (sess->certcred) gnutls_certificate_free_credentials (sess->certcred); +# endif /*HTTP_USE_GNUTLS*/ xfree (sess->servername); -#endif /*HTTP_USE_GNUTLS*/ +#endif /*USE_TLS*/ xfree (sess); } @@ -560,7 +570,18 @@ http_session_new (http_session_t *r_session, const char *tls_priority) return gpg_error_from_syserror (); sess->refcount = 1; -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS + { + (void)tls_priority; + + err = ntbtls_new (&sess->tls_session, NTBTLS_CLIENT); + if (err) + { + log_error ("ntbtls_new failed: %s\n", gpg_strerror (err)); + goto leave; + } + } +#elif HTTP_USE_GNUTLS { const char *errpos; int rc; 
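Review bot: The session created by `ntbtls_new (&sess->tls_session, NTBTLS_CLIENT)` in http_session_new has no matching teardown in session_unref, where the only code that touches `sess->tls_session` sits inside the nested `# ifdef HTTP_USE_GNUTLS` block (hunks at -522 and -531). In an NTBTLS build every http_session_t therefore appears to leak its TLS context when the refcount reaches zero. Add an `# elif HTTP_USE_NTBTLS` arm next to the GnuTLS one that hands `sess->tls_session` to the library's release call (`ntbtls_release`, assuming the targeted NTBTLS version exports it) before `xfree (sess->servername)`. Both functions begin and end outside these hunks.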
@@ -616,17 +637,18 @@ http_session_new (http_session_t *r_session, const char *tls_priority) goto leave; } } - #else /*!HTTP_USE_GNUTLS*/ - (void)tls_priority; + { + (void)tls_priority; + } #endif /*!HTTP_USE_GNUTLS*/ /* log_debug ("http.c:session_new: sess %p created\n", sess); */ err = 0; -#ifdef HTTP_USE_GNUTLS +#if USE_TLS leave: -#endif /*HTTP_USE_GNUTLS*/ +#endif /*USE_TLS*/ if (err) http_session_unref (sess); else @@ -1067,7 +1089,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part, uri->port = 11371; uri->is_http = 1; } -#ifdef HTTP_USE_GNUTLS +#ifdef USE_TLS else if (!strcmp (uri->scheme, "https") || !strcmp (uri->scheme,"hkps") || (force_tls && (!strcmp (uri->scheme, "http") || !strcmp (uri->scheme,"hkp")))) @@ -1076,7 +1098,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part, uri->is_http = 1; uri->use_tls = 1; } -#endif +#endif /*USE_TLS*/ else if (!no_scheme_check) return GPG_ERR_INV_URI; /* Unsupported scheme */ @@ -1393,22 +1415,24 @@ send_request (http_t hd, const char *httphost, const char *auth, log_error ("TLS requested but no session object provided\n"); return gpg_err_make (default_errsource, GPG_ERR_INTERNAL); } -#ifdef HTTP_USE_GNUTLS +#ifdef USE_TLS if (hd->uri->use_tls && !hd->session->tls_session) { log_error ("TLS requested but no GNUTLS context available\n"); return gpg_err_make (default_errsource, GPG_ERR_INTERNAL); } -#endif /*HTTP_USE_GNUTLS*/ +#endif /*USE_TLS*/ server = *hd->uri->host ? hd->uri->host : "localhost"; port = hd->uri->port ? hd->uri->port : 80; /* Try to use SNI. */ -#ifdef HTTP_USE_GNUTLS +#ifdef USE_TLS if (hd->uri->use_tls) { +# if HTTP_USE_GNUTLS int rc; +# endif xfree (hd->session->servername); hd->session->servername = xtrystrdup (httphost? httphost : server); 
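Review bot: The guard in send_request is now compiled for both backends under `#ifdef USE_TLS`, but its message still reads "TLS requested but no GNUTLS context available", which will mislead anyone triaging a log from an NTBTLS build; `log_error ("TLS requested but no TLS context available\n");` names neither library. The same hunk mixes `#ifdef USE_TLS` with `# if HTTP_USE_GNUTLS`, and http_session_new guards `leave:` with `#if USE_TLS`; using `#ifdef` or `defined()` throughout avoids evaluating an undefined macro, which -Wundef reports. send_request continues outside the hunk.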
@@ -1418,13 +1442,22 @@ send_request (http_t hd, const char *httphost, const char *auth, return err; } +# if HTTP_USE_NTBTLS + err = ntbtls_set_hostname (hd->session->tls_session, server); + if (err) + { + log_info ("ntbtls_set_hostname failed: %s\n", gpg_strerror (err)); + return err; + } +# elif HTTP_USE_GNUTLS rc = gnutls_server_name_set (hd->session->tls_session, GNUTLS_NAME_DNS, server, strlen (server)); if (rc < 0) log_info ("gnutls_server_name_set failed: %s\n", gnutls_strerror (rc)); +# endif /*HTTP_USE_GNUTLS*/ } -#endif /*HTTP_USE_GNUTLS*/ +#endif /*USE_TLS*/ if ( (proxy && *proxy) || ( (hd->flags & HTTP_FLAG_TRY_PROXY) @@ -1490,7 +1523,37 @@ send_request (http_t hd, const char *httphost, const char *auth, -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS + if (hd->uri->use_tls) + { + my_socket_ref (hd->sock); + + while ((err = ntbtls_handshake (hd->session->tls_session))) + { + switch (err) + { + default: + log_info ("TLS handshake failed: %s <%s>\n", + gpg_strerror (err), gpg_strsource (err)); + xfree (proxy_authstr); + return err; + } + } + + hd->session->verify.done = 0; + if (tls_callback) + err = tls_callback (hd, hd->session, 0); + else + err = http_verify_server_credentials (hd->session); + if (err) + { + log_info ("TLS connection authentication failed: %s <%s>\n", + gpg_strerror (err), gpg_strsource (err)); + xfree (proxy_authstr); + return err; + } + } +#elif HTTP_USE_GNUTLS if (hd->uri->use_tls) { int rc; @@ -2423,7 +2486,7 @@ cookie_write (void *cookie, const void *buffer_arg, size_t size) static void send_gnutls_bye (void *opaque) { - gnutls_session_t tls_session = opaque; + tls_session_t tls_session = opaque; int ret; again: @@ -2473,7 +2536,10 @@ cookie_close (void *cookie) gpg_error_t http_verify_server_credentials (http_session_t sess) { -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS + (void)sess; + return 0; /* FIXME!! */ +#elif HTTP_USE_GNUTLS static const char const errprefix[] = "TLS verification of peer failed"; int rc; unsigned int status; 
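Review bot: `ntbtls_set_hostname` is given `server`, while the name stored just above in `hd->session->servername` is `httphost? httphost : server`, so when a caller passes `httphost` the name sent to the peer and the name kept in the session differ. If `servername` is what the later certificate check compares against (not visible here), the two should agree: `err = ntbtls_set_hostname (hd->session->tls_session, hd->session->servername);`. The NTBTLS arm also returns on failure while the GnuTLS arm only logs, so a comment stating which policy is intended would help. send_request starts and ends outside the hunk.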
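Review bot: In the NTBTLS branch (hunk at -1490) `my_socket_ref (hd->sock)` takes a reference that nothing visible gives back: both failure returns free only `proxy_authstr`, and no call in the hunk hands the socket to the TLS session before `ntbtls_handshake`. Unless ownership is transferred outside this hunk, each failed handshake or failed verification leaves the socket's reference count one too high and the descriptor open. Either drop the reference on the two error paths or take it only where the session actually adopts the socket. The `while`/`switch` pair has a single `default:` arm that returns, so it behaves as `if (err)`; a short comment naming the retryable codes expected later would explain the shape.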
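Review bot: Under HTTP_USE_NTBTLS, http_verify_server_credentials (hunk at -2473) returns 0 unconditionally, so peer verification fails open. send_request treats that 0 as an authenticated server whenever no `tls_callback` is set, and do_parse_uri now accepts https and hkps in this build because its scheme check moved to `#ifdef USE_TLS`. Any handshake that completes would then be used without the certificate or host name having been checked. Until verification exists the stub should refuse instead, for example `return gpg_err_make (default_errsource, GPG_ERR_NOT_IMPLEMENTED);`. The function body continues outside the hunk.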
diff --git a/common/t-http.c b/common/t-http.c index 9872f9a74..e031ef943 100644 --- a/common/t-http.c +++ b/common/t-http.c @@ -42,7 +42,9 @@ #include "http.h" -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS +# include +#elif HTTP_USE_GNUTLS # include /* For init, logging, and deinit. */ #endif /*HTTP_USE_GNUTLS*/ @@ -97,6 +99,7 @@ static int no_verify; +#if HTTP_USE_GNUTLS static gpg_error_t verify_callback (http_t hd, http_session_t session, int reserved) { @@ -104,14 +107,15 @@ verify_callback (http_t hd, http_session_t session, int reserved) (void)reserved; return no_verify? 0 : http_verify_server_credentials (session); } +#endif - +#if HTTP_USE_GNUTLS static void my_gnutls_log (int level, const char *text) { fprintf (stderr, "gnutls:L%d: %s", level, text); } - +#endif /* Prepend FNAME with the srcdir environment variable's value and return an allocated filename. */ @@ -233,7 +237,14 @@ main (int argc, char **argv) if (!cafile) cafile = prepend_srcdir ("tls-ca.pem"); -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS + + (void)err; + + ntbtls_set_debug (tls_dbg, NULL, NULL); + +#elif HTTP_USE_GNUTLS + rc = gnutls_global_init (); if (rc) log_error ("gnutls_global_init failed: %s\n", gnutls_strerror (rc)); diff --git a/configure.ac b/configure.ac index daca838af..46a0aade5 100644 --- a/configure.ac +++ b/configure.ac @@ -61,9 +61,13 @@ NEED_LIBASSUAN_VERSION=2.1.0 NEED_KSBA_API=1 NEED_KSBA_VERSION=1.2.0 +NEED_NTBTLS_API=1 +NEED_NTBTLS_VERSION=0.1.0 + NEED_NPTH_API=1 NEED_NPTH_VERSION=0.91 + NEED_GNUTLS_VERSION=3.0 @@ -88,6 +92,7 @@ have_gpg_error=no have_libgcrypt=no have_libassuan=no have_ksba=no +have_ntbtls=no have_npth=no have_libusb=no have_adns=no @@ -101,6 +106,7 @@ card_support=yes use_ccid_driver=yes use_standard_socket=yes dirmngr_auto_start=yes +use_tls_library=no GNUPG_BUILD_PROGRAM(gpg, yes) GNUPG_BUILD_PROGRAM(gpgsm, yes) 
@@ -126,6 +132,8 @@ AC_DEFINE_UNQUOTED(NEED_LIBGCRYPT_VERSION, "$NEED_LIBGCRYPT_VERSION", [Required version of Libgcrypt]) AC_DEFINE_UNQUOTED(NEED_KSBA_VERSION, "$NEED_KSBA_VERSION", [Required version of Libksba]) +AC_DEFINE_UNQUOTED(NEED_NTBTLS_VERSION, "$NEED_NTBTLS_VERSION", + [Required version of NTBTLS]) @@ -841,27 +849,37 @@ else ***]]) fi + # -# Check whether GNUTLS is available +# NTBTLS is our TLS library. If it is not available fallback to +# GNUTLS. # -PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $NEED_GNUTLS_VERSION], - [have_gnutls=yes], - [have_gnutls=no]) -if test "$have_gnutls" = "yes"; then - AC_SUBST([LIBGNUTLS_CFLAGS]) - AC_SUBST([LIBGNUTLS_LIBS]) - AC_DEFINE(HTTP_USE_GNUTLS, 1, [Enable GNUTLS support in http.c]) +AM_PATH_NTBTLS("$NEED_NTBTLS_API:$NEED_NTBTLS_VERSION", + [have_ntbtls=yes],[have_ntbtls=no]) + +if test "$have_ntbtls" = yes ; then + use_tls_library=ntbtls + AC_DEFINE(HTTP_USE_NTBTLS, 1, [Enable NTBTLS support in http.c]) else - tmp=$(echo "$LIBGNUTLS_PKG_ERRORS" | tr '\n' '\v' | sed 's/\v/\n*** /g') - AC_MSG_WARN([[ + PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $NEED_GNUTLS_VERSION], + [have_gnutls=yes], + [have_gnutls=no]) + if test "$have_gnutls" = "yes"; then + AC_SUBST([LIBGNUTLS_CFLAGS]) + AC_SUBST([LIBGNUTLS_LIBS]) + use_tls_library=gnutls + AC_DEFINE(HTTP_USE_GNUTLS, 1, [Enable GNUTLS support in http.c]) + else + tmp=$(echo "$LIBGNUTLS_PKG_ERRORS" | tr '\n' '\v' | sed 's/\v/\n*** /g') + AC_MSG_WARN([[ *** -*** Building without GNUTLS - no TLS access to keyservers. +*** Building without NTBTLS and GNUTLS - no TLS access to keyservers. *** *** $tmp]]) + fi fi - AC_MSG_NOTICE([checking for networking options]) # @@ -1788,7 +1806,7 @@ echo " Dirmngr auto start: $dirmngr_auto_start Readline support: $gnupg_cv_have_readline DNS SRV support: $use_dns_srv - TLS support: $have_gnutls + TLS support: $use_tls_library " if test x"$use_regex" != xyes ; then echo " 
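Review bot: The new TLS block (hunk at -841) selects NTBTLS whenever AM_PATH_NTBTLS finds it and skips the GnuTLS check entirely in that case, so merely having the experimental library installed silently changes the TLS backend of the build; the commit message itself says such a build has no working https. Because the NTBTLS path in common/http.c still has its certificate verification stubbed, consider making the preference opt-in through an explicit configure switch and emitting an AC_MSG_WARN when `use_tls_library=ntbtls`. The final warning also prints only `$LIBGNUTLS_PKG_ERRORS`, which tells the builder nothing about why NTBTLS was not used.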
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am index 7e2449fc3..d0226a3e8 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am @@ -63,7 +63,7 @@ endif dirmngr_LDADD = $(libcommontlsnpth) $(libcommonpth) \ ../gl/libgnu.a $(DNSLIBS) $(LIBASSUAN_LIBS) \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \ - $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) + $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) if !USE_LDAPWRAPPER dirmngr_LDADD += $(LDAPLIBS) endif diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index 48fa80be7..8110df235 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -40,7 +40,12 @@ # include #endif #include -#ifdef HTTP_USE_GNUTLS + +#include "dirmngr-err.h" + +#if HTTP_USE_NTBTLS +# include +#elif HTTP_USE_GNUTLS # include #endif /*HTTP_USE_GNUTLS*/ @@ -210,6 +215,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_p_u (oDebug, "debug", "@"), ARGPARSE_s_n (oDebugAll, "debug-all", "@"), ARGPARSE_s_i (oGnutlsDebug, "gnutls-debug", "@"), + ARGPARSE_s_i (oGnutlsDebug, "tls-debug", "@"), ARGPARSE_s_i (oDebugWait, "debug-wait", "@"), ARGPARSE_s_n (oNoGreeting, "no-greeting", "@"), ARGPARSE_s_s (oHomedir, "homedir", "@"), @@ -244,7 +250,7 @@ static char *current_logfile; /* Helper to implement --debug-level. */ static const char *debug_level; -/* Helper to set the GNUTLS log level. */ +/* Helper to set the NTBTLS or GNUTLS log level. */ static int opt_gnutls_debug = -1; /* Flag indicating that a shutdown has been requested. */ @@ -410,7 +416,12 @@ set_debug (void) if (opt.debug & DBG_CRYPTO_VALUE ) gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1); -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS + if (opt_gnutls_debug >= 0) + { + ntbtls_set_debug (opt_gnutls_debug, NULL, NULL); + } +#elif HTTP_USE_GNUTLS if (opt_gnutls_debug >= 0) { gnutls_global_set_log_function (my_gnutls_log); 
@@ -669,8 +680,12 @@ main (int argc, char **argv) ksba_set_malloc_hooks (gcry_malloc, gcry_realloc, gcry_free ); ksba_set_hash_buffer_function (my_ksba_hash_buffer, NULL); - /* Init GNUTLS. */ -#ifdef HTTP_USE_GNUTLS + /* Init TLS library. */ +#if HTTP_USE_NTBTLS + if (!ntbtls_check_version (NEED_NTBTLS_VERSION) ) + log_fatal( _("%s is too old (need %s, have %s)\n"), "ntbtls", + NEED_NTBTLS_VERSION, ntbtls_check_version (NULL) ); +#elif HTTP_USE_GNUTLS rc = gnutls_global_init (); if (rc) log_fatal ("gnutls_global_init failed: %s\n", gnutls_strerror (rc)); diff --git a/m4/Makefile.am b/m4/Makefile.am index 05a2be366..f1b8df9bd 100644 --- a/m4/Makefile.am +++ b/m4/Makefile.am @@ -4,7 +4,7 @@ EXTRA_DIST += ldap.m4 libcurl.m4 libusb.m4 tar-ustar.m4 readline.m4 EXTRA_DIST += gnupg-pth.m4 -EXTRA_DIST += gpg-error.m4 libgcrypt.m4 libassuan.m4 ksba.m4 +EXTRA_DIST += gpg-error.m4 libgcrypt.m4 libassuan.m4 ksba.m4 ntbtls.m4 EXTRA_DIST += autobuild.m4 diff --git a/m4/ntbtls.m4 b/m4/ntbtls.m4 new file mode 100644 index 000000000..85c8ee9a0 --- /dev/null +++ b/m4/ntbtls.m4 
@@ -0,0 +1,137 @@ +dnl Autoconf macros for NTBTLS +dnl Copyright (C) 2002, 2004, 2011 Free Software Foundation, Inc. +dnl +dnl This file is free software; as a special exception the author gives +dnl unlimited permission to copy and/or distribute it, with or without +dnl modifications, as long as this notice is preserved. +dnl +dnl This file is distributed in the hope that it will be useful, but +dnl WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +dnl implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + + +dnl AM_PATH_NTBTLS([MINIMUM-VERSION, +dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]]) +dnl +dnl Test for NTBTLS and define NTBTLS_CFLAGS and NTBTLS_LIBS. +dnl MINIMUN-VERSION is a string with the version number optionalliy prefixed +dnl with the API version to also check the API compatibility. Example: +dnl a MINIMUN-VERSION of 1:1.2.5 won't pass the test unless the installed +dnl version of libgcrypt is at least 1.2.5 *and* the API number is 1. Using +dnl this features allows to prevent build against newer versions of libgcrypt +dnl with a changed API. 
+dnl +AC_DEFUN([AM_PATH_NTBTLS], +[ AC_REQUIRE([AC_CANONICAL_HOST]) + AC_ARG_WITH(ntbtls-prefix, + AC_HELP_STRING([--with-ntbtls-prefix=PFX], + [prefix where NTBTLS is installed (optional)]), + ntbtls_config_prefix="$withval", ntbtls_config_prefix="") + if test x"${NTBTLS_CONFIG}" = x ; then + if test x"${ntbtls_config_prefix}" != x ; then + NTBTLS_CONFIG="${ntbtls_config_prefix}/bin/ntbtls-config" + else + case "${SYSROOT}" in + /*) + if test -x "${SYSROOT}/bin/ntbtls-config" ; then + NTBTLS_CONFIG="${SYSROOT}/bin/ntbtls-config" + fi + ;; + '') + ;; + *) + AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.]) + ;; + esac + fi + fi + + AC_PATH_PROG(NTBTLS_CONFIG, ntbtls-config, no) + tmp=ifelse([$1], ,1:1.0.0,$1) + if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then + req_ntbtls_api=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\1/'` + min_ntbtls_version=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\2/'` + else + req_ntbtls_api=0 + min_ntbtls_version="$tmp" + fi + + AC_MSG_CHECKING(for NTBTLS - version >= $min_ntbtls_version) + ok=no + if test "$NTBTLS_CONFIG" != "no" ; then + req_major=`echo $min_ntbtls_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\1/'` + req_minor=`echo $min_ntbtls_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\2/'` + req_micro=`echo $min_ntbtls_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'` + ntbtls_config_version=`$NTBTLS_CONFIG --version` + major=`echo $ntbtls_config_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'` + minor=`echo $ntbtls_config_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\2/'` + micro=`echo $ntbtls_config_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'` + if test "$major" -gt "$req_major"; then + ok=yes + else + if test "$major" -eq "$req_major"; then + if test "$minor" -gt "$req_minor"; then + ok=yes + else + if test "$minor" -eq "$req_minor"; then + if test "$micro" -ge "$req_micro"; then + ok=yes + fi + fi + fi + 
fi + fi + fi + if test $ok = yes; then + AC_MSG_RESULT([yes ($ntbtls_config_version)]) + else + AC_MSG_RESULT(no) + fi + if test $ok = yes; then + # If we have a recent ntbtls, we should also check that the + # API is compatible + if test "$req_ntbtls_api" -gt 0 ; then + tmp=`$NTBTLS_CONFIG --api-version 2>/dev/null || echo 0` + if test "$tmp" -gt 0 ; then + AC_MSG_CHECKING([NTBTLS API version]) + if test "$req_ntbtls_api" -eq "$tmp" ; then + AC_MSG_RESULT([okay]) + else + ok=no + AC_MSG_RESULT([does not match. want=$req_ntbtls_api got=$tmp]) + fi + fi + fi + fi + if test $ok = yes; then + NTBTLS_CFLAGS=`$NTBTLS_CONFIG --cflags` + NTBTLS_LIBS=`$NTBTLS_CONFIG --libs` + ifelse([$2], , :, [$2]) + ntbtls_config_host=`$NTBTLS_CONFIG --host 2>/dev/null || echo none` + if test x"$ntbtls_config_host" != xnone ; then + if test x"$ntbtls_config_host" != x"$host" ; then + AC_MSG_WARN([[ +*** +*** The config script $NTBTLS_CONFIG was +*** built for $ntbtls_config_host and thus may not match the +*** used host $host. +*** You may want to use the configure option --with-ntbtls-prefix +*** to specify a matching config script or use \$SYSROOT. +***]]) + gpg_config_script_warn="$gpg_config_script_warn ntbtls" + fi + fi + else + NTBTLS_CFLAGS="" + NTBTLS_LIBS="" + ifelse([$3], , :, [$3]) + fi + AC_SUBST(NTBTLS_CFLAGS) + AC_SUBST(NTBTLS_LIBS) +])
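Review bot: The header comment of AM_PATH_NTBTLS was carried over from the libgcrypt macro and still speaks of "the installed version of libgcrypt" and "newer versions of libgcrypt"; it should name NTBTLS, and "MINIMUN-VERSION" and "optionalliy" should read "MINIMUM-VERSION" and "optionally". A `dnl` line is also worth adding to say that the API comparison is skipped when `$NTBTLS_CONFIG --api-version` fails or reports 0, so a config script without that option passes on the version number alone. The default of `1:1.0.0` used when no argument is given belongs in the same comment.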