daemon/tls: bump gnutls version requirement

It simplifies a bit.  No need to support ancient versions.

diff --git a/NEWS b/NEWS
index a533561b3cf3d63a34f8890af279dd6cc16677a3..53d39a194bd0415b0fc1af99b0c5e5757f88c6c1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,10 @@ Bugfixes
 - daemon/proxyv2: fix informing the engine about TCP/TLS from the actual client (!1578)
 - forward: fix wrong pin-sha256 length; also log pins on mismatch (!1601, #813)
 
+Incompatible changes
+--------------------
+- gnutls < 3.4 support is dropped, released over 9 years ago (!1601)
+
 
 Knot Resolver 6.0.8 (2024-07-23)
 ================================

diff --git a/daemon/tls.c b/daemon/tls.c
index 1aa24b299047e6f54dca2227ff386f26c3af4058..231bff2d5a608c058dfbc324dabaeceda4573e9f 100644 (file)
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -340,7 +340,6 @@ static void tls_close(struct pl_tls_sess_data *tls, struct session2 *session, bo
        }
 }
 
-#if TLS_CAN_USE_PINS
 /*
   DNS-over-TLS Out of band key-pinned authentication profile uses the
   same form of pins as HPKP:
@@ -428,12 +427,6 @@ void tls_credentials_log_pins(struct tls_credentials *tls_credentials)
                gnutls_free(certs);
        }
 }
-#else
-void tls_credentials_log_pins(struct tls_credentials *tls_credentials)
-{
-       kr_log_debug(TLS, "could not calculate RFC 7858 OOB key-pin; GnuTLS 3.4.0+ required\n");
-}
-#endif
 
 static int str_replace(char **where_ptr, const char *with)
 {
@@ -761,7 +754,6 @@ static int client_verify_pin(const unsigned int cert_list_size,
 {
        if (kr_fails_assert(params->pins.len > 0))
                return GNUTLS_E_CERTIFICATE_ERROR;
-#if TLS_CAN_USE_PINS
        for (int i = 0; i < cert_list_size; i++) {
                gnutls_x509_crt_t cert;
                int ret = gnutls_x509_crt_init(&cert);
@@ -798,12 +790,6 @@ static int client_verify_pin(const unsigned int cert_list_size,
        log_all_pins(params);
        log_all_certificates(cert_list_size, cert_list);
        return GNUTLS_E_CERTIFICATE_ERROR;
-
-#else /* TLS_CAN_USE_PINS */
-       kr_log_error(TLSCLIENT, "internal inconsistency: TLS_CAN_USE_PINS\n");
-       kr_assert(false);
-       return GNUTLS_E_CERTIFICATE_ERROR;
-#endif
 }
 
 /**

diff --git a/daemon/tls.h b/daemon/tls.h
index ff1bbea2cfc02e8cf99d4cabbb9b117eb59719cb..b24b6165881cad1a40ca434cf118eb4697be717b 100644 (file)
--- a/daemon/tls.h
+++ b/daemon/tls.h
@@ -51,12 +51,6 @@ struct tls_credentials {
 /** Required buffer length for pin_sha256, including the zero terminator. */
 #define TLS_SHA256_BASE64_BUFLEN (((TLS_SHA256_RAW_LEN * 8 + 4) / 6) + 3 + 1)
 
-#if GNUTLS_VERSION_NUMBER >= 0x030400
-       #define TLS_CAN_USE_PINS 1
-#else
-       #define TLS_CAN_USE_PINS 0
-#endif
-
 
 /** TLS authentication parameters for a single address-port pair. */
 typedef struct {

diff --git a/daemon/tls_session_ticket-srv.c b/daemon/tls_session_ticket-srv.c
index 26d41862f6179f27d1c481834a7b69042d2c326a..ed8a5005b548f917a6dbd727b10fc8e8680bcb7a 100644 (file)
--- a/daemon/tls_session_ticket-srv.c
+++ b/daemon/tls_session_ticket-srv.c
@@ -33,12 +33,6 @@
        #define TST_HASH abort()
 #endif
 
-#if GNUTLS_VERSION_NUMBER < 0x030400
-       /* It's of little use anyway.  We may get the secret through lua,
-        * which creates a copy outside of our control. */
-       #define gnutls_memset memset
-#endif
-
 /** Fields are internal to tst_key_* functions. */
 typedef struct tls_session_ticket_ctx {
        uv_timer_t timer;       /**< timer for rotation of the key */

diff --git a/meson.build b/meson.build
index d2e85b0be4ea9def36e23ee3766f9517a1d02dbc..b8c5bc86638db38553a145f4a836683f1ccccf46 100644 (file)
--- a/meson.build
+++ b/meson.build
@@ -27,7 +27,7 @@ lmdb = dependency('lmdb', required: false)
 if not lmdb.found()  # darwin workaround: missing pkgconfig
   lmdb = meson.get_compiler('c').find_library('lmdb')
 endif
-gnutls = dependency('gnutls')
+gnutls = dependency('gnutls', version: '>=3.4')
 luajit = dependency('luajit')
 message('------------------------------')