diff --git a/CMakeLists.txt b/CMakeLists.txt index fdd0d3ff1..ae7e5f4a6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -211,7 +211,7 @@ include_directories(${LIBGCRYPT_INCLUDE_DIRS}) list(APPEND EXTRA_LIBS ${LIBGCRYPT_LDFLAGS}) # Check for GnuTLS -pkg_check_modules(GNUTLS REQUIRED gnutls) +pkg_check_modules(GNUTLS REQUIRED gnutls>=3.3.0) include_directories(${GNUTLS_INCLUDE_DIRS}) list(APPEND EXTRA_LIBS ${GNUTLS_LDFLAGS}) diff --git a/src/core/core-network.c b/src/core/core-network.c index 3d437bf8c..f40ca9b8c 100644 --- a/src/core/core-network.c +++ b/src/core/core-network.c @@ -99,17 +99,10 @@ void network_allocate_credentials () { gnutls_certificate_allocate_credentials (&gnutls_xcred); -#if LIBGNUTLS_VERSION_NUMBER >= 0x02090a /* 2.9.10 */ gnutls_certificate_set_verify_function (gnutls_xcred, &hook_connect_gnutls_verify_certificates); -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x02090a */ -#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */ gnutls_certificate_set_retrieve_function (gnutls_xcred, &hook_connect_gnutls_set_certificates); -#else - gnutls_certificate_client_set_retrieve_function (gnutls_xcred, - &hook_connect_gnutls_set_certificates); -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */ } /* 
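Review bot: The new `gnutls>=3.3.0` floor in `pkg_check_modules` is enforced only at configure time, while the same commit removes every `LIBGNUTLS_VERSION_NUMBER` guard that used to degrade gracefully on older libraries, so a build that points at GnuTLS headers by hand (or a packager who edits this line) would now fail with compile or link errors about `gnutls_retr2_st` or `gnutls_x509_privkey_export_ecc_raw` instead of a clear message. Consider pairing the pkg-config floor with a compile-time check where gnutls.h is first included, e.g. `#if LIBGNUTLS_VERSION_NUMBER < 0x030300` / `#error "GnuTLS >= 3.3.0 is required"` / `#endif`, so the minimum is stated once in the code as well. Dropping the guards themselves is the right direction; this is only about making the new floor fail early and visibly.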
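Review bot: With the fallbacks gone, `gnutls_certificate_set_verify_function` and `gnutls_certificate_set_retrieve_function` are now the only way certificate verification and client-certificate selection get wired up, but the preceding `gnutls_certificate_allocate_credentials (&gnutls_xcred)` in this hunk still has its return value ignored, so on failure both calls operate on a handle that was never allocated and the caller cannot notice because the function returns void. A guard such as `if (gnutls_certificate_allocate_credentials (&gnutls_xcred) != GNUTLS_E_SUCCESS) { gnutls_xcred = NULL; return; }` at least makes the condition explicit and leaves a NULL that later code can test; whether such a test exists elsewhere I cannot tell from this hunk. The whole of `network_allocate_credentials` is visible in the hunk.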
@@ -1535,26 +1528,6 @@ network_connect_gnutls_handshake_fd_cb (const void *pointer, void *data, { fcntl (HOOK_CONNECT(hook_connect, sock), F_SETFL, HOOK_CONNECT(hook_connect, handshake_fd_flags)); -#if LIBGNUTLS_VERSION_NUMBER < 0x02090a /* 2.9.10 */ - /* - * gnutls only has the gnutls_certificate_set_verify_function() - * function since version 2.9.10. We need to call our verify - * function manually after the handshake for old gnutls versions - */ - if (hook_connect_gnutls_verify_certificates (*HOOK_CONNECT(hook_connect, gnutls_sess)) != 0) - { - unhook (HOOK_CONNECT(hook_connect, handshake_hook_fd)); - (void) (HOOK_CONNECT(hook_connect, callback)) - (hook_connect->callback_pointer, - hook_connect->callback_data, - WEECHAT_HOOK_CONNECT_GNUTLS_HANDSHAKE_ERROR, rc, - HOOK_CONNECT(hook_connect, sock), - "Error in the certificate.", - HOOK_CONNECT(hook_connect, handshake_ip_address)); - unhook (hook_connect); - return WEECHAT_RC_OK; - } -#endif /* LIBGNUTLS_VERSION_NUMBER < 0x02090a */ unhook (HOOK_CONNECT(hook_connect, handshake_hook_fd)); (void) (HOOK_CONNECT(hook_connect, callback)) (hook_connect->callback_pointer, 
@@ -1769,26 +1742,6 @@ network_connect_child_read_cb (const void *pointer, void *data, int fd) } fcntl (HOOK_CONNECT(hook_connect, sock), F_SETFL, HOOK_CONNECT(hook_connect, handshake_fd_flags)); -#if LIBGNUTLS_VERSION_NUMBER < 0x02090a /* 2.9.10 */ - /* - * gnutls only has the gnutls_certificate_set_verify_function() - * function since version 2.9.10. We need to call our verify - * function manually after the handshake for old gnutls versions - */ - if (hook_connect_gnutls_verify_certificates (*HOOK_CONNECT(hook_connect, gnutls_sess)) != 0) - { - (void) (HOOK_CONNECT(hook_connect, callback)) - (hook_connect->callback_pointer, - hook_connect->callback_data, - WEECHAT_HOOK_CONNECT_GNUTLS_HANDSHAKE_ERROR, - rc, sock, - "Error in the certificate.", - cb_ip_address); - unhook (hook_connect); - free (cb_ip_address); - return WEECHAT_RC_OK; - } -#endif /* LIBGNUTLS_VERSION_NUMBER < 0x02090a */ } } else diff --git a/src/core/hook/hook-connect.c b/src/core/hook/hook-connect.c index f93b902e2..586b2cf14 100644 --- a/src/core/hook/hook-connect.c +++ b/src/core/hook/hook-connect.c @@ -178,11 +178,7 @@ hook_connect_gnutls_set_certificates (gnutls_session_t tls_session, const gnutls_datum_t *req_ca, int nreq, const gnutls_pk_algorithm_t *pk_algos, int pk_algos_len, -#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */ gnutls_retr2_st *answer) -#else - gnutls_retr_st *answer) -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */ { struct t_hook *ptr_hook; int rc; diff --git a/src/core/hook/hook-connect.h b/src/core/hook/hook-connect.h index 7bc7d42f6..14459e36d 100644 --- a/src/core/hook/hook-connect.h +++ b/src/core/hook/hook-connect.h 
@@ -41,11 +41,7 @@ typedef int (gnutls_callback_t)(const void *pointer, void *data, const gnutls_datum_t *req_ca, int nreq, const gnutls_pk_algorithm_t *pk_algos, int pk_algos_len, -#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */ gnutls_retr2_st *answer, -#else - gnutls_retr_st *answer, -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */ int action); struct t_hook_connect @@ -94,11 +90,7 @@ extern int hook_connect_gnutls_set_certificates (gnutls_session_t tls_session, const gnutls_datum_t *req_ca, int nreq, const gnutls_pk_algorithm_t *pk_algos, int pk_algos_len, -#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */ gnutls_retr2_st *answer); -#else - gnutls_retr_st *answer); -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */ extern void hook_connect_free_data (struct t_hook *hook); extern int hook_connect_add_to_infolist (struct t_infolist_item *item, struct t_hook *hook); diff --git a/src/plugins/irc/irc-sasl.c b/src/plugins/irc/irc-sasl.c index 5028794fa..5832299ca 100644 --- a/src/plugins/irc/irc-sasl.c +++ b/src/plugins/irc/irc-sasl.c @@ -27,9 +27,7 @@ #include #include -#if LIBGNUTLS_VERSION_NUMBER >= 0x020a01 /* 2.10.1 */ #include -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020a01 */ #include "../weechat-plugin.h" #include "irc.h" @@ -507,18 +505,15 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server, const char *sasl_key, char **sasl_error) { -#if LIBGNUTLS_VERSION_NUMBER >= 0x030015 /* 3.0.21 */ char *answer_base64, *string, *data, str_error[4096]; int length_data, length_username, length, ret; char *str_privkey; gnutls_x509_privkey_t x509_privkey; gnutls_privkey_t privkey; gnutls_datum_t filedatum, decoded_data, signature; -#if LIBGNUTLS_VERSION_NUMBER >= 0x030300 /* 3.3.0 */ gnutls_ecc_curve_t curve; gnutls_datum_t x, y, k; char *pubkey, *pubkey_base64; -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x030300 */ answer_base64 = NULL; string = NULL; 
@@ -577,7 +572,6 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server, return NULL; } -#if LIBGNUTLS_VERSION_NUMBER >= 0x030300 /* 3.3.0 */ /* read raw values in key, to display public key */ ret = gnutls_x509_privkey_export_ecc_raw (x509_privkey, &curve, &x, &y, &k); @@ -610,10 +604,9 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server, gnutls_free (y.data); gnutls_free (k.data); } -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x030300 */ /* import private key in an abstract key structure */ - ret = gnutls_privkey_import_x509 (privkey, x509_privkey, 0); /* gnutls >= 2.11.0 */ + ret = gnutls_privkey_import_x509 (privkey, x509_privkey, 0); if (ret != GNUTLS_E_SUCCESS) { if (sasl_error) @@ -632,7 +625,7 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server, decoded_data.data = (unsigned char *)data; decoded_data.size = length_data; - ret = gnutls_privkey_sign_hash (privkey, GNUTLS_DIG_SHA256, 0, /* gnutls >= 2.11.0 */ + ret = gnutls_privkey_sign_hash (privkey, GNUTLS_DIG_SHA256, 0, &decoded_data, &signature); if (ret != GNUTLS_E_SUCCESS) { @@ -680,21 +673,4 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server, free (string); return answer_base64; - -#else /* GnuTLS < 3.0.21 */ - - /* make C compiler happy */ - (void) data_base64; - (void) sasl_username; - (void) sasl_key; - - if (sasl_error) - { - *sasl_error = strdup ( - _("%sgnutls: version >= 3.0.21 is required for SASL " - "\"ecdsa-nist256p-challenge\"")); - } - - return NULL; -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x030015 */ } diff --git a/src/plugins/irc/irc-server.c b/src/plugins/irc/irc-server.c index 798919b1a..90a67e88d 100644 --- a/src/plugins/irc/irc-server.c +++ b/src/plugins/irc/irc-server.c 
@@ -5052,19 +5052,11 @@ irc_server_gnutls_callback (const void *pointer, void *data, const gnutls_datum_t *req_ca, int nreq, const gnutls_pk_algorithm_t *pk_algos, int pk_algos_len, -#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */ gnutls_retr2_st *answer, -#else - gnutls_retr_st *answer, -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */ int action) { struct t_irc_server *server; -#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */ gnutls_retr2_st tls_struct; -#else - gnutls_retr_st tls_struct; -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */ gnutls_x509_crt_t cert_temp; const gnutls_datum_t *cert_list; gnutls_datum_t filedatum; @@ -5075,10 +5067,8 @@ irc_server_gnutls_callback (const void *pointer, void *data, const char *ptr_cert_path, *ptr_fingerprint; int rc, ret, fingerprint_match, hostname_match, cert_temp_init; struct t_hashtable *options; -#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */ gnutls_datum_t cinfo; int rinfo; -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */ /* make C compiler happy */ (void) data; @@ -5170,15 +5160,9 @@ irc_server_gnutls_callback (const void *pointer, void *data, hostname_match = 1; } } -#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */ /* display infos about certificate */ -#if LIBGNUTLS_VERSION_NUMBER < 0x020400 /* 2.4.0 */ - rinfo = gnutls_x509_crt_print (cert_temp, - GNUTLS_X509_CRT_ONELINE, &cinfo); -#else rinfo = gnutls_x509_crt_print (cert_temp, GNUTLS_CRT_PRINT_ONELINE, &cinfo); -#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020400 */ if (rinfo == 0) { weechat_printf ( @@ -5191,7 +5175,6 @@ irc_server_gnutls_callback (const void *pointer, void *data, weechat_prefix ("network"), cinfo.data); gnutls_free (cinfo.data); } -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */ /* check dates, only if fingerprint is not set */ if (!ptr_fingerprint || !ptr_fingerprint[0]) { 
@@ -5347,23 +5330,11 @@ irc_server_gnutls_callback (const void *pointer, void *data, /* key */ gnutls_x509_privkey_init (&server->tls_cert_key); -/* - * gnutls_x509_privkey_import2 has no "Since: ..." in GnuTLS manual but - * GnuTLS NEWS file lists it being added in 3.1.0: - * https://gitlab.com/gnutls/gnutls/blob/2b715b9564681acb3008a5574dcf25464de8b038/NEWS#L2552 - */ -#if LIBGNUTLS_VERSION_NUMBER >= 0x030100 /* 3.1.0 */ ret = gnutls_x509_privkey_import2 (server->tls_cert_key, &filedatum, GNUTLS_X509_FMT_PEM, tls_password, 0); -#else - ret = gnutls_x509_privkey_import (server->tls_cert_key, - &filedatum, - GNUTLS_X509_FMT_PEM); -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x0301000 */ - if (ret < 0) { ret = gnutls_x509_privkey_import_pkcs8 ( @@ -5385,28 +5356,16 @@ irc_server_gnutls_callback (const void *pointer, void *data, } else { - -#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */ tls_struct.cert_type = GNUTLS_CRT_X509; tls_struct.key_type = GNUTLS_PRIVKEY_X509; -#else - tls_struct.type = GNUTLS_CRT_X509; -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */ tls_struct.ncerts = 1; tls_struct.deinit_all = 0; tls_struct.cert.x509 = &server->tls_cert; tls_struct.key.x509 = server->tls_cert_key; -#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */ /* client certificate info */ -#if LIBGNUTLS_VERSION_NUMBER < 0x020400 /* 2.4.0 */ - rinfo = gnutls_x509_crt_print (server->tls_cert, - GNUTLS_X509_CRT_ONELINE, - &cinfo); -#else rinfo = gnutls_x509_crt_print (server->tls_cert, GNUTLS_CRT_PRINT_ONELINE, &cinfo); -#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020400 */ if (rinfo == 0) { weechat_printf ( @@ -5418,7 +5377,6 @@ irc_server_gnutls_callback (const void *pointer, void *data, weechat_prefix ("network"), cinfo.data); gnutls_free (cinfo.data); } -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */ memcpy (answer, &tls_struct, sizeof (tls_struct)); free (cert_str); } 
diff --git a/src/plugins/relay/api/remote/relay-remote-network.c b/src/plugins/relay/api/remote/relay-remote-network.c index 108fe637d..245092e1a 100644 --- a/src/plugins/relay/api/remote/relay-remote-network.c +++ b/src/plugins/relay/api/remote/relay-remote-network.c @@ -970,11 +970,7 @@ relay_remote_network_gnutls_callback (const void *pointer, void *data, const gnutls_datum_t *req_ca, int nreq, const gnutls_pk_algorithm_t *pk_algos, int pk_algos_len, -#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */ gnutls_retr2_st *answer, -#else - gnutls_retr_st *answer, -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */ int action) { struct t_relay_remote *remote; @@ -983,10 +979,8 @@ relay_remote_network_gnutls_callback (const void *pointer, void *data, unsigned int i, cert_list_len, status; time_t cert_time; int rc, hostname_match, cert_temp_init; -#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */ gnutls_datum_t cinfo; int rinfo; -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */ /* make C compiler happy */ (void) data; @@ -1061,15 +1055,9 @@ relay_remote_network_gnutls_callback (const void *pointer, void *data, hostname_match = 1; } } -#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */ /* display infos about certificate */ -#if LIBGNUTLS_VERSION_NUMBER < 0x020400 /* 2.4.0 */ - rinfo = gnutls_x509_crt_print (cert_temp, - GNUTLS_X509_CRT_ONELINE, &cinfo); -#else rinfo = gnutls_x509_crt_print (cert_temp, GNUTLS_CRT_PRINT_ONELINE, &cinfo); -#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020400 */ if (rinfo == 0) { weechat_printf ( @@ -1082,7 +1070,6 @@ relay_remote_network_gnutls_callback (const void *pointer, void *data, remote->name, cinfo.data); gnutls_free (cinfo.data); } -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */ /* check expiration date */ cert_time = gnutls_x509_crt_get_expiration_time (cert_temp); if (cert_time < time (NULL)) diff --git a/src/plugins/relay/relay-client.c b/src/plugins/relay/relay-client.c index 327d31cd3..e4975a2f6 100644 
--- a/src/plugins/relay/relay-client.c +++ b/src/plugins/relay/relay-client.c @@ -1447,13 +1447,8 @@ relay_client_new (int sock, const char *address, struct t_relay_server *server) if (relay_gnutls_dh_params) { gnutls_dh_params_init (relay_gnutls_dh_params); -#if LIBGNUTLS_VERSION_NUMBER >= 0x020c00 /* 2.12.0 */ bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LOW); -#else - /* default for old gnutls */ - bits = 1024; -#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020c00 */ gnutls_dh_params_generate2 (*relay_gnutls_dh_params, bits); gnutls_certificate_set_dh_params (relay_gnutls_x509_cred, *relay_gnutls_dh_params);
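Review bot: Now that `gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LOW)` is the only path, the relay server always generates its DH parameters at the "low" security level, which on the GnuTLS versions now required maps to a modulus size taken from the library's table that I would expect to be below the 2048 bits generally expected for DH today; since the removed branch existed only to serve pre-2.12 libraries, this is a good moment to raise it to `GNUTLS_SEC_PARAM_MEDIUM`. The result of `gnutls_dh_params_generate2 (*relay_gnutls_dh_params, bits)` on the next line is also not checked, so a failed generation would still be handed to `gnutls_certificate_set_dh_params`; `if (gnutls_dh_params_generate2 (*relay_gnutls_dh_params, bits) < 0)` followed by a log message and skipping the `gnutls_certificate_set_dh_params` call would cover that. `relay_client_new` starts and ends outside the hunk.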