From d8a8af3492194089d1f101e10305421fba2d1760 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Mon, 6 Jun 2016 10:17:25 +0100 Subject: [PATCH] tls: remove support for gnutls 1.x.x, require 2.2.0 We need to use the gnutls_priority_set_direct method which was not introduced until 2.1.7, so bump version to 2.2.0 which is the first stable release with it included. This release dates from Dec 2007 so it is reasonable to ditch support for the 1.x.x series for gnutls releases entirely. Signed-off-by: Daniel P. Berrange --- configure.ac | 2 +- src/Makefile.am | 1 - src/gnutls_1_0_compat.h | 43 -------------------------------------- src/rpc/virnettlscontext.c | 18 ---------------- tests/virnettlshelpers.h | 1 - 5 files changed, 1 insertion(+), 64 deletions(-) delete mode 100644 src/gnutls_1_0_compat.h diff --git a/configure.ac b/configure.ac index 12eb3b3fb6..73ce586fed 100644 --- a/configure.ac +++ b/configure.ac @@ -117,7 +117,7 @@ fi dnl Required minimum versions of all libs we depend on LIBXML_REQUIRED="2.6.0" -GNUTLS_REQUIRED="1.0.25" +GNUTLS_REQUIRED="2.2.0" POLKIT_REQUIRED="0.6" PARTED_REQUIRED="1.8.0" DEVMAPPER_REQUIRED=1.0.0 diff --git a/src/Makefile.am b/src/Makefile.am index f020b9227f..8c83b0cd0f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -437,7 +437,6 @@ remote/qemu_client_bodies.h: $(srcdir)/rpc/gendispatch.pl \ > $(srcdir)/remote/qemu_client_bodies.h REMOTE_DRIVER_SOURCES = \ - gnutls_1_0_compat.h \ remote/remote_driver.c remote/remote_driver.h \ $(REMOTE_DRIVER_GENERATED) diff --git a/src/gnutls_1_0_compat.h b/src/gnutls_1_0_compat.h deleted file mode 100644 index b006e2b541..0000000000 --- a/src/gnutls_1_0_compat.h +++ /dev/null @@ -1,43 +0,0 @@ -/* - * gnutls_1_0_compat.h: GnuTLS 1.0 compatibility - * - * Copyright (C) 2007, 2013 Red Hat, Inc. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library. If not, see - * . - * - * Author: Richard W.M. Jones - */ - -#ifndef LIBVIRT_GNUTLS_1_0_COMPAT_H__ -# define LIBVIRT_GNUTLS_1_0_COMPAT_H__ - -# include - -/* enable backward compatibility macros for gnutls 1.x.y */ -# if LIBGNUTLS_VERSION_MAJOR < 2 -# define GNUTLS_1_0_COMPAT -# endif - -# ifdef GNUTLS_1_0_COMPAT -# define gnutls_session_t gnutls_session -# define gnutls_x509_crt_t gnutls_x509_crt -# define gnutls_dh_params_t gnutls_dh_params -# define gnutls_transport_ptr_t gnutls_transport_ptr -# define gnutls_datum_t gnutls_datum -# define gnutls_certificate_credentials_t gnutls_certificate_credentials -# define gnutls_cipher_algorithm_t gnutls_cipher_algorithm -# endif - -#endif /* LIBVIRT_GNUTLS_1_0_COMPAT_H__ */ diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 6e78623f3f..9919556bc7 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -29,7 +29,6 @@ # include #endif #include -#include "gnutls_1_0_compat.h" #include "virnettlscontext.h" #include "virstring.h" @@ -170,14 +169,6 @@ static int virNetTLSContextCheckCertTimes(gnutls_x509_crt_t cert, } -#ifndef GNUTLS_1_0_COMPAT -/* - * The gnutls_x509_crt_get_basic_constraints function isn't - * available in GNUTLS 1.0.x branches. This isn't critical - * though, since gnutls_certificate_verify_peers2 will do - * pretty much the same check at runtime, so we can just - * disable this code - */ static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert, const char *certFile, bool isServer, @@ -219,7 +210,6 @@ static int virNetTLSContextCheckCertBasicConstraints(gnutls_x509_crt_t cert, return 0; } -#endif static int virNetTLSContextCheckCertKeyUsage(gnutls_x509_crt_t cert, @@ -438,11 +428,9 @@ static int virNetTLSContextCheckCert(gnutls_x509_crt_t cert, isServer, isCA) < 0) return -1; -#ifndef GNUTLS_1_0_COMPAT if (virNetTLSContextCheckCertBasicConstraints(cert, certFile, isServer, isCA) < 0) return -1; -#endif if (virNetTLSContextCheckCertKeyUsage(cert, certFile, isCA) < 0) @@ -489,10 +477,8 @@ static int virNetTLSContextCheckCertPair(gnutls_x509_crt_t cert, if (status & GNUTLS_CERT_REVOKED) reason = _("The certificate has been revoked."); -#ifndef GNUTLS_1_0_COMPAT if (status & GNUTLS_CERT_INSECURE_ALGORITHM) reason = _("The certificate uses an insecure algorithm"); -#endif virReportError(VIR_ERR_SYSTEM_ERROR, _("Our own certificate %s failed validation against %s: %s"), @@ -1022,10 +1008,8 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt, if (status & GNUTLS_CERT_REVOKED) reason = _("The certificate has been revoked."); -#ifndef GNUTLS_1_0_COMPAT if (status & GNUTLS_CERT_INSECURE_ALGORITHM) reason = _("The certificate uses an insecure algorithm"); -#endif virReportError(VIR_ERR_SYSTEM_ERROR, _("Certificate failed validation: %s"), @@ -1088,13 +1072,11 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt, /* !sess->isServer, since on the client, we're validating the * server's cert, and on the server, the client's cert */ -#ifndef GNUTLS_1_0_COMPAT if (virNetTLSContextCheckCertBasicConstraints(cert, "[session]", !sess->isServer, false) < 0) { gnutls_x509_crt_deinit(cert); goto authdeny; } -#endif if (virNetTLSContextCheckCertKeyUsage(cert, "[session]", false) < 0) { diff --git a/tests/virnettlshelpers.h b/tests/virnettlshelpers.h index 3f6afb997a..48e743134e 100644 --- a/tests/virnettlshelpers.h +++ b/tests/virnettlshelpers.h @@ -22,7 +22,6 @@ #include #if !defined WIN32 && HAVE_LIBTASN1_H && LIBGNUTLS_VERSION_NUMBER >= 0x020600 -# include "gnutls_1_0_compat.h" # include