tls: remove support for gnutls 1.x.x, require 2.2.0

We need to use the gnutls_priority_set_direct method which
was not introduced until 2.1.7, so bump version to 2.2.0
which is the first stable release with it included. This
release dates from Dec 2007 so it is reasonable to ditch
support for the 1.x.x series for gnutls releases entirely.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

configure.ac

@@ -117,7 +117,7 @@ fi
 
 dnl Required minimum versions of all libs we depend on
 LIBXML_REQUIRED="2.6.0"
-GNUTLS_REQUIRED="1.0.25"
+GNUTLS_REQUIRED="2.2.0"
 POLKIT_REQUIRED="0.6"
 PARTED_REQUIRED="1.8.0"
 DEVMAPPER_REQUIRED=1.0.0

src/Makefile.am

@@ -437,7 +437,6 @@ remote/qemu_client_bodies.h: $(srcdir)/rpc/gendispatch.pl \
 	  > $(srcdir)/remote/qemu_client_bodies.h
 
 REMOTE_DRIVER_SOURCES =						\
-		gnutls_1_0_compat.h				\
 		remote/remote_driver.c remote/remote_driver.h	\
 		$(REMOTE_DRIVER_GENERATED)
 

src/gnutls_1_0_compat.h

@@ -1,43 +0,0 @@
-/*
- * gnutls_1_0_compat.h: GnuTLS 1.0 compatibility
- *
- * Copyright (C) 2007, 2013 Red Hat, Inc.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library.  If not, see
- * <http://www.gnu.org/licenses/>.
- *
- * Author: Richard W.M. Jones <rjones@redhat.com>
- */
-
-#ifndef LIBVIRT_GNUTLS_1_0_COMPAT_H__
-# define LIBVIRT_GNUTLS_1_0_COMPAT_H__
-
-# include <gnutls/gnutls.h>
-
-/* enable backward compatibility macros for gnutls 1.x.y */
-# if LIBGNUTLS_VERSION_MAJOR < 2
-#  define GNUTLS_1_0_COMPAT
-# endif
-
-# ifdef GNUTLS_1_0_COMPAT
-#  define gnutls_session_t                 gnutls_session
-#  define gnutls_x509_crt_t                gnutls_x509_crt
-#  define gnutls_dh_params_t               gnutls_dh_params
-#  define gnutls_transport_ptr_t           gnutls_transport_ptr
-#  define gnutls_datum_t                   gnutls_datum
-#  define gnutls_certificate_credentials_t gnutls_certificate_credentials
-#  define gnutls_cipher_algorithm_t        gnutls_cipher_algorithm
-# endif
-
-#endif /* LIBVIRT_GNUTLS_1_0_COMPAT_H__ */

src/rpc/virnettlscontext.c

@@ -29,7 +29,6 @@
 # include <gnutls/crypto.h>
 #endif
 #include <gnutls/x509.h>
-#include "gnutls_1_0_compat.h"
 
 #include "virnettlscontext.h"
 #include "virstring.h"
@@ -170,14 +169,6 @@ static int virNetTLSContextCheckCertTimes(gnutls_x509_crt_t cert,
 }
 
 
-#ifndef GNUTLS_1_0_COMPAT
-/*
- * The gnutls_x509_crt_get_basic_constraints function isn't
- * available in GNUTLS 1.0.x branches. This isn't critical
- * though, since gnutls_certificate_verify_peers2 will do
- * pretty much the same check at runtime, so we can just
- * disable this code
- */
 static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert,
                                                      const char *certFile,
                                                      bool isServer,
@@ -219,7 +210,6 @@ static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert,
 
     return 0;
 }
-#endif
 
 
 static int virNetTLSContextCheckCertKeyUsage(gnutls_x509_crt_t cert,
@@ -438,11 +428,9 @@ static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert,
                                        isServer, isCA) < 0)
         return -1;
 
-#ifndef GNUTLS_1_0_COMPAT
     if (virNetTLSContextCheckCertBasicConstraints(cert, certFile,
                                                   isServer, isCA) < 0)
         return -1;
-#endif
 
     if (virNetTLSContextCheckCertKeyUsage(cert, certFile,
                                           isCA) < 0)
@@ -489,10 +477,8 @@ static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert,
         if (status & GNUTLS_CERT_REVOKED)
             reason = _("The certificate has been revoked.");
 
-#ifndef GNUTLS_1_0_COMPAT
         if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
             reason = _("The certificate uses an insecure algorithm");
-#endif
 
         virReportError(VIR_ERR_SYSTEM_ERROR,
                        _("Our own certificate %s failed validation against %s: %s"),
@@ -1022,10 +1008,8 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
         if (status & GNUTLS_CERT_REVOKED)
             reason = _("The certificate has been revoked.");
 
-#ifndef GNUTLS_1_0_COMPAT
         if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
             reason = _("The certificate uses an insecure algorithm");
-#endif
 
         virReportError(VIR_ERR_SYSTEM_ERROR,
                        _("Certificate failed validation: %s"),
@@ -1088,13 +1072,11 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
             /* !sess->isServer, since on the client, we're validating the
              * server's cert, and on the server, the client's cert
              */
-#ifndef GNUTLS_1_0_COMPAT
             if (virNetTLSContextCheckCertBasicConstraints(cert, "[session]",
                                                           !sess->isServer, false) < 0) {
                 gnutls_x509_crt_deinit(cert);
                 goto authdeny;
             }
-#endif
 
             if (virNetTLSContextCheckCertKeyUsage(cert, "[session]",
                                                   false) < 0) {

tests/virnettlshelpers.h

@@ -22,7 +22,6 @@
 #include <gnutls/x509.h>
 
 #if !defined WIN32 && HAVE_LIBTASN1_H && LIBGNUTLS_VERSION_NUMBER >= 0x020600
-# include "gnutls_1_0_compat.h"
 
 # include <libtasn1.h>