From 279f2a2da1d878f259efd635ba34fb2a7f415951 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Wed, 28 Aug 2024 13:28:05 +0200
Subject: [PATCH] daemon/tls: bump gnutls version requirement

It simplifies a bit. No need to support ancient versions.
---
 NEWS | 4 ++++
 daemon/tls.c | 14 --------------
 daemon/tls.h | 6 ------
 daemon/tls_session_ticket-srv.c | 6 ------
 meson.build | 2 +-
 5 files changed, 5 insertions(+), 27 deletions(-)

diff --git a/NEWS b/NEWS
index a533561b3..53d39a194 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,10 @@ Bugfixes
 - daemon/proxyv2: fix informing the engine about TCP/TLS from the actual client (!1578)
 - forward: fix wrong pin-sha256 length; also log pins on mismatch (!1601, #813)
+Incompatible changes
+--------------------
+- gnutls < 3.4 support is dropped, released over 9 years ago (!1601)
+
 Knot Resolver 6.0.8 (2024-07-23)
 ================================
diff --git a/daemon/tls.c b/daemon/tls.c
index 1aa24b299..231bff2d5 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -340,7 +340,6 @@ static void tls_close(struct pl_tls_sess_data *tls, struct session2 *session, bo
 }
 }
-#if TLS_CAN_USE_PINS
 /*
 DNS-over-TLS Out of band key-pinned authentication profile uses the same form of pins
 as HPKP:
@@ -428,12 +427,6 @@ void tls_credentials_log_pins(struct tls_credentials *tls_credentials)
 gnutls_free(certs);
 }
 }
-#else
-void tls_credentials_log_pins(struct tls_credentials *tls_credentials)
-{
- kr_log_debug(TLS, "could not calculate RFC 7858 OOB key-pin; GnuTLS 3.4.0+ required\n");
-}
-#endif
 static int str_replace(char **where_ptr, const char *with)
 {
@@ -761,7 +754,6 @@ static int client_verify_pin(const unsigned int cert_list_size,
 {
 if (kr_fails_assert(params->pins.len > 0))
 return GNUTLS_E_CERTIFICATE_ERROR;
-#if TLS_CAN_USE_PINS
 for (int i = 0; i < cert_list_size; i++) {
 gnutls_x509_crt_t cert;
 int ret = gnutls_x509_crt_init(&cert);
@@ -798,12 +790,6 @@ static int client_verify_pin(const unsigned int cert_list_size,
 log_all_pins(params);
 log_all_certificates(cert_list_size, cert_list);
 return GNUTLS_E_CERTIFICATE_ERROR;
-
-#else /* TLS_CAN_USE_PINS */
- kr_log_error(TLSCLIENT, "internal inconsistency: TLS_CAN_USE_PINS\n");
- kr_assert(false);
- return GNUTLS_E_CERTIFICATE_ERROR;
-#endif
 }
 /**
diff --git a/daemon/tls.h b/daemon/tls.h
index ff1bbea2c..b24b61658 100644
--- a/daemon/tls.h
+++ b/daemon/tls.h
@@ -51,12 +51,6 @@ struct tls_credentials {
 /** Required buffer length for pin_sha256, including the zero terminator. */
 #define TLS_SHA256_BASE64_BUFLEN (((TLS_SHA256_RAW_LEN * 8 + 4) / 6) + 3 + 1)
-#if GNUTLS_VERSION_NUMBER >= 0x030400
- #define TLS_CAN_USE_PINS 1
-#else
- #define TLS_CAN_USE_PINS 0
-#endif
-
 /** TLS authentication parameters for a single address-port pair. */
 typedef struct {
diff --git a/daemon/tls_session_ticket-srv.c b/daemon/tls_session_ticket-srv.c
index 26d41862f..ed8a5005b 100644
--- a/daemon/tls_session_ticket-srv.c
+++ b/daemon/tls_session_ticket-srv.c
@@ -33,12 +33,6 @@
 #define TST_HASH abort()
 #endif
-#if GNUTLS_VERSION_NUMBER < 0x030400
- /* It's of little use anyway. We may get the secret through lua,
- * which creates a copy outside of our control. */
- #define gnutls_memset memset
-#endif
-
 /** Fields are internal to tst_key_* functions. */
 typedef struct tls_session_ticket_ctx {
 uv_timer_t timer; /**< timer for rotation of the key */
diff --git a/meson.build b/meson.build
index d2e85b0be..b8c5bc866 100644
--- a/meson.build
+++ b/meson.build
@@ -27,7 +27,7 @@ lmdb = dependency('lmdb', required: false)
 if not lmdb.found()
 # darwin workaround: missing pkgconfig
 lmdb = meson.get_compiler('c').find_library('lmdb')
 endif
-gnutls = dependency('gnutls')
+gnutls = dependency('gnutls', version: '>=3.4')
 luajit = dependency('luajit')
 message('------------------------------')
-- 
2.47.2
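Review bot: After this commit the `>=3.4` constraint on the `gnutls` dependency line is the only check of the gnutls version, because the `GNUTLS_VERSION_NUMBER` guards removed from daemon/tls.h and daemon/tls_session_ticket-srv.c were the compile-time fallback. That is sufficient for a normal meson build, but if the headers actually included are older than what pkg-config reports (a mismatched sysroot, for instance), the failure would presumably surface as unrelated-looking errors in the now-unconditional pin code or around `gnutls_memset` rather than as a clear message. A short guard where the removed block in tls.h stood, `#if GNUTLS_VERSION_NUMBER < 0x030400` / `#error "gnutls >= 3.4 is required"` / `#endif`, would keep the requirement self-documenting in the source as well as in the build definition.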