From: Daniel Stenberg
Date: Wed, 19 Nov 2025 14:05:17 +0000 (+0100)
Subject: gtls: drop support for GnuTLS < 3.6.5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=49ab46c9c50511dcc304a92f3a2e458d4a9fa131;p=thirdparty%2Fcurl.git
gtls: drop support for GnuTLS < 3.6.5
Release date 2018-12-01. Has TLS 1.3 support.
Closes #19609
---
diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md
index d957c69ab7..e9bb82a33d 100644
--- a/docs/INTERNALS.md
+++ b/docs/INTERNALS.md
@@ -26,7 +26,7 @@ versions of libs and build tools.
 - OpenSSL 3.0.0 (2021-09-07)
 - LibreSSL 2.9.1 (2019-04-22)
- - GnuTLS 3.1.10 (2013-03-22)
+ - GnuTLS 3.6.5 (2018-12-01)
 - mbedTLS 3.2.0 (2022-07-11)
 - zlib 1.2.5.2 (2011-12-11)
 - libssh2 1.9.0 (2019-06-20)
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index c0e248642b..dbb442f363 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -73,7 +73,7 @@ static void tls_log_func(int level, const char *str)
 }
 #endif
-#if !defined(GNUTLS_VERSION_NUMBER) || (GNUTLS_VERSION_NUMBER < 0x03010a)
+#if !defined(GNUTLS_VERSION_NUMBER) || (GNUTLS_VERSION_NUMBER < 0x030605)
 #error "too old GnuTLS version"
 #endif
@@ -767,10 +767,8 @@ int Curl_glts_get_ietf_proto(gnutls_session_t session)
 return CURL_IETF_PROTO_TLS1_1;
 case GNUTLS_TLS1_2:
 return CURL_IETF_PROTO_TLS1_2;
-#if GNUTLS_VERSION_NUMBER >= 0x030603
 case GNUTLS_TLS1_3:
 return CURL_IETF_PROTO_TLS1_3;
-#endif
 default:
 return CURL_IETF_PROTO_UNKNOWN;
 }
@@ -1841,51 +1839,8 @@ Curl_gtls_verifyserver(struct Curl_cfilter *cf,
 rc = (int)gnutls_x509_crt_check_hostname(x509_cert, peer->sni ? peer->sni : peer->hostname);
-#if GNUTLS_VERSION_NUMBER < 0x030306
- /* Before 3.3.6, gnutls_x509_crt_check_hostname() did not check IP
- addresses. */
- if(!rc) {
-#ifdef USE_IPV6
- #define use_addr in6_addr
-#else
- #define use_addr in_addr
-#endif
- unsigned char addrbuf[sizeof(struct use_addr)];
- size_t addrlen = 0;
-
- if(curlx_inet_pton(AF_INET, peer->hostname, addrbuf) > 0)
- addrlen = 4;
-#ifdef USE_IPV6
- else if(curlx_inet_pton(AF_INET6, peer->hostname, addrbuf) > 0)
- addrlen = 16;
-#endif
-
- if(addrlen) {
- unsigned char certaddr[sizeof(struct use_addr)];
- int i;
-
- for(i = 0; ; i++) {
- size_t certaddrlen = sizeof(certaddr);
- int ret = gnutls_x509_crt_get_subject_alt_name(x509_cert, i, certaddr,
- &certaddrlen, NULL);
- /* If this happens, it was not an IP address. */
- if(ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
- continue;
- if(ret < 0)
- break;
- if(ret != GNUTLS_SAN_IPADDRESS)
- continue;
- if(certaddrlen == addrlen && !memcmp(addrbuf, certaddr, addrlen)) {
- rc = 1;
- break;
- }
- }
- }
- }
-#endif
-
 result = (!rc && config->verifyhost) ?
- CURLE_PEER_FAILED_VERIFICATION : CURLE_OK;
+ CURLE_PEER_FAILED_VERIFICATION : CURLE_OK;
 gtls_msg_verify_result(data, peer, x509_cert, rc, config->verifyhost);
 if(result)
 goto out;
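Review bot: With the pre-3.3.6 fallback removed, the file no longer says anywhere that an IP-literal peer is still matched against IP-address SANs, since that rationale lived only in the deleted comment; a one-line comment above the `rc = (int)gnutls_x509_crt_check_hostname(...)` call, e.g. `/* GnuTLS >= 3.3.6 matches IP-address SANs itself, so no manual SAN walk is needed */`, would keep that knowledge next to the call that now carries the whole host check. The single `+` line only re-indents the continuation of the `result = ...` conditional, so a whitespace-only edit is mixed into the functional removal; keeping it out of this hunk would make the history easier to bisect. Curl_gtls_verifyserver starts before and ends after this hunk.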