From de4231c842b25d31d39e3710335b28227acd4440 Mon Sep 17 00:00:00 2001
From: Emil Velikov
Date: Sun, 29 Sep 2024 14:01:14 +0100
Subject: [PATCH] Bump required gnutls to v3.3.0
Bump the requirement to v3.3.0 as available in Ubuntu 16.04 (3.4.10) and Debian 10 (3.6.7). It was released around 10 years ago and any remotely supported distribution has newer version. As result, we can remove hundred+ lines of #ifdef spaghetti code.
Signed-off-by: Emil Velikov
---
 CMakeLists.txt | 2 +-
 src/core/core-network.c | 47 -------------------
 src/core/hook/hook-connect.c | 4 --
 src/core/hook/hook-connect.h | 8 ----
 src/plugins/irc/irc-sasl.c | 28 +----------
 src/plugins/irc/irc-server.c | 42 -----------------
 .../relay/api/remote/relay-remote-network.c | 13 -----
 src/plugins/relay/relay-client.c | 5 --
 8 files changed, 3 insertions(+), 146 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index fdd0d3ff1..ae7e5f4a6 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -211,7 +211,7 @@ include_directories(${LIBGCRYPT_INCLUDE_DIRS})
 list(APPEND EXTRA_LIBS ${LIBGCRYPT_LDFLAGS})
 # Check for GnuTLS
-pkg_check_modules(GNUTLS REQUIRED gnutls)
+pkg_check_modules(GNUTLS REQUIRED gnutls>=3.3.0)
 include_directories(${GNUTLS_INCLUDE_DIRS})
 list(APPEND EXTRA_LIBS ${GNUTLS_LDFLAGS})
diff --git a/src/core/core-network.c b/src/core/core-network.c
index 3d437bf8c..f40ca9b8c 100644
--- a/src/core/core-network.c
+++ b/src/core/core-network.c
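Review bot: The new `gnutls>=3.3.0` floor is enforced only by this pkg_check_modules call, while the C sources that lose their `LIBGNUTLS_VERSION_NUMBER` guards in the rest of the patch have nothing that fails loudly when built against an older library through a hand-written toolchain file or stale pkg-config data. A compile-time check next to the first gnutls include would make the requirement self-enforcing, e.g. `#if LIBGNUTLS_VERSION_NUMBER < 0x030300 /* 3.3.0 */`, `#error "GnuTLS >= 3.3.0 is required"`, `#endif`. It would also keep the minimum version documented in the code, where the removed per-API version comments used to state it.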
@@ -99,17 +99,10 @@ void
 network_allocate_credentials ()
 {
 gnutls_certificate_allocate_credentials (&gnutls_xcred);
-#if LIBGNUTLS_VERSION_NUMBER >= 0x02090a /* 2.9.10 */
 gnutls_certificate_set_verify_function (gnutls_xcred,
 &hook_connect_gnutls_verify_certificates);
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x02090a */
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
 gnutls_certificate_set_retrieve_function (gnutls_xcred,
 &hook_connect_gnutls_set_certificates);
-#else
- gnutls_certificate_client_set_retrieve_function (gnutls_xcred,
- &hook_connect_gnutls_set_certificates);
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
 }
 /*
@@ -1535,26 +1528,6 @@ network_connect_gnutls_handshake_fd_cb (const void *pointer, void *data,
 {
 fcntl (HOOK_CONNECT(hook_connect, sock), F_SETFL,
 HOOK_CONNECT(hook_connect, handshake_fd_flags));
-#if LIBGNUTLS_VERSION_NUMBER < 0x02090a /* 2.9.10 */
- /*
- * gnutls only has the gnutls_certificate_set_verify_function()
- * function since version 2.9.10. We need to call our verify
- * function manually after the handshake for old gnutls versions
- */
- if (hook_connect_gnutls_verify_certificates (*HOOK_CONNECT(hook_connect, gnutls_sess)) != 0)
- {
- unhook (HOOK_CONNECT(hook_connect, handshake_hook_fd));
- (void) (HOOK_CONNECT(hook_connect, callback))
- (hook_connect->callback_pointer,
- hook_connect->callback_data,
- WEECHAT_HOOK_CONNECT_GNUTLS_HANDSHAKE_ERROR, rc,
- HOOK_CONNECT(hook_connect, sock),
- "Error in the certificate.",
- HOOK_CONNECT(hook_connect, handshake_ip_address));
- unhook (hook_connect);
- return WEECHAT_RC_OK;
- }
-#endif /* LIBGNUTLS_VERSION_NUMBER < 0x02090a */
 unhook (HOOK_CONNECT(hook_connect, handshake_hook_fd));
 (void) (HOOK_CONNECT(hook_connect, callback))
 (hook_connect->callback_pointer,
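Review bot: `gnutls_certificate_allocate_credentials (&gnutls_xcred);` in network_allocate_credentials discards its return value, and the two callback registrations that follow now run unconditionally on `gnutls_xcred`, so an allocation failure presumably leaves them operating on an unset credentials handle. Check the result before registering anything, e.g. `if (gnutls_certificate_allocate_credentials (&gnutls_xcred) != GNUTLS_E_SUCCESS) return;`, and make sure callers treat a missing `gnutls_xcred` as "TLS unavailable"; whether they already do is not visible in the hunk. This matters more after the second hunk (network_connect_gnutls_handshake_fd_cb), which removes the manual post-handshake call to hook_connect_gnutls_verify_certificates and so relies entirely on the verify function installed here to reject bad server certificates.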
@@ -1769,26 +1742,6 @@ network_connect_child_read_cb (const void *pointer, void *data, int fd)
 }
 fcntl (HOOK_CONNECT(hook_connect, sock), F_SETFL,
 HOOK_CONNECT(hook_connect, handshake_fd_flags));
-#if LIBGNUTLS_VERSION_NUMBER < 0x02090a /* 2.9.10 */
- /*
- * gnutls only has the gnutls_certificate_set_verify_function()
- * function since version 2.9.10. We need to call our verify
- * function manually after the handshake for old gnutls versions
- */
- if (hook_connect_gnutls_verify_certificates (*HOOK_CONNECT(hook_connect, gnutls_sess)) != 0)
- {
- (void) (HOOK_CONNECT(hook_connect, callback))
- (hook_connect->callback_pointer,
- hook_connect->callback_data,
- WEECHAT_HOOK_CONNECT_GNUTLS_HANDSHAKE_ERROR,
- rc, sock,
- "Error in the certificate.",
- cb_ip_address);
- unhook (hook_connect);
- free (cb_ip_address);
- return WEECHAT_RC_OK;
- }
-#endif /* LIBGNUTLS_VERSION_NUMBER < 0x02090a */
 }
 }
 else
diff --git a/src/core/hook/hook-connect.c b/src/core/hook/hook-connect.c
index f93b902e2..586b2cf14 100644
--- a/src/core/hook/hook-connect.c
+++ b/src/core/hook/hook-connect.c
@@ -178,11 +178,7 @@ hook_connect_gnutls_set_certificates (gnutls_session_t tls_session,
 const gnutls_datum_t *req_ca, int nreq,
 const gnutls_pk_algorithm_t *pk_algos,
 int pk_algos_len,
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
 gnutls_retr2_st *answer)
-#else
- gnutls_retr_st *answer)
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
 {
 struct t_hook *ptr_hook;
 int rc;
diff --git a/src/core/hook/hook-connect.h b/src/core/hook/hook-connect.h
index 7bc7d42f6..14459e36d 100644
--- a/src/core/hook/hook-connect.h
+++ b/src/core/hook/hook-connect.h
@@ -41,11 +41,7 @@ typedef int (gnutls_callback_t)(const void *pointer, void *data,
 const gnutls_datum_t *req_ca, int nreq,
 const gnutls_pk_algorithm_t *pk_algos,
 int pk_algos_len,
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
 gnutls_retr2_st *answer,
-#else
- gnutls_retr_st *answer,
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
 int action);
 struct t_hook_connect
@@ -94,11 +90,7 @@ extern int hook_connect_gnutls_set_certificates (gnutls_session_t tls_session,
 const gnutls_datum_t *req_ca, int nreq,
 const gnutls_pk_algorithm_t *pk_algos,
 int pk_algos_len,
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
 gnutls_retr2_st *answer);
-#else
- gnutls_retr_st *answer);
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
 extern void hook_connect_free_data (struct t_hook *hook);
 extern int hook_connect_add_to_infolist (struct t_infolist_item *item, struct t_hook *hook);
diff --git a/src/plugins/irc/irc-sasl.c b/src/plugins/irc/irc-sasl.c
index 5028794fa..5832299ca 100644
--- a/src/plugins/irc/irc-sasl.c
+++ b/src/plugins/irc/irc-sasl.c
@@ -27,9 +27,7 @@
 #include
 #include
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020a01 /* 2.10.1 */
 #include
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020a01 */
 #include "../weechat-plugin.h"
 #include "irc.h"
@@ -507,18 +505,15 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server,
 const char *sasl_key,
 char **sasl_error)
 {
-#if LIBGNUTLS_VERSION_NUMBER >= 0x030015 /* 3.0.21 */
 char *answer_base64, *string, *data, str_error[4096];
 int length_data, length_username, length, ret;
 char *str_privkey;
 gnutls_x509_privkey_t x509_privkey;
 gnutls_privkey_t privkey;
 gnutls_datum_t filedatum, decoded_data, signature;
-#if LIBGNUTLS_VERSION_NUMBER >= 0x030300 /* 3.3.0 */
 gnutls_ecc_curve_t curve;
 gnutls_datum_t x, y, k;
 char *pubkey, *pubkey_base64;
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x030300 */
 answer_base64 = NULL;
 string = NULL;
@@ -577,7 +572,6 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server,
 return NULL;
 }
-#if LIBGNUTLS_VERSION_NUMBER >= 0x030300 /* 3.3.0 */
 /* read raw values in key, to display public key */
 ret = gnutls_x509_privkey_export_ecc_raw (x509_privkey, &curve, &x, &y, &k);
@@ -610,10 +604,9 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server,
 gnutls_free (y.data);
 gnutls_free (k.data);
 }
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x030300 */
 /* import private key in an abstract key structure */
- ret = gnutls_privkey_import_x509 (privkey, x509_privkey, 0); /* gnutls >= 2.11.0 */
+ ret = gnutls_privkey_import_x509 (privkey, x509_privkey, 0);
 if (ret != GNUTLS_E_SUCCESS)
 {
 if (sasl_error)
@@ -632,7 +625,7 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server,
 decoded_data.data = (unsigned char *)data;
 decoded_data.size = length_data;
- ret = gnutls_privkey_sign_hash (privkey, GNUTLS_DIG_SHA256, 0, /* gnutls >= 2.11.0 */
+ ret = gnutls_privkey_sign_hash (privkey, GNUTLS_DIG_SHA256, 0,
 &decoded_data, &signature);
 if (ret != GNUTLS_E_SUCCESS)
 {
@@ -680,21 +673,4 @@ irc_sasl_mechanism_ecdsa_nist256p_challenge (struct t_irc_server *server,
 free (string);
 return answer_base64;
-
-#else /* GnuTLS < 3.0.21 */
-
- /* make C compiler happy */
- (void) data_base64;
- (void) sasl_username;
- (void) sasl_key;
-
- if (sasl_error)
- {
- *sasl_error = strdup (
- _("%sgnutls: version >= 3.0.21 is required for SASL "
- "\"ecdsa-nist256p-challenge\""));
- }
-
- return NULL;
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x030015 */
 }
diff --git a/src/plugins/irc/irc-server.c b/src/plugins/irc/irc-server.c
index 798919b1a..90a67e88d 100644
--- a/src/plugins/irc/irc-server.c
+++ b/src/plugins/irc/irc-server.c
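Review bot: In the `@@ -610` hunk the private scalar `k`, filled by `gnutls_x509_privkey_export_ecc_raw` only so that the public key can be displayed, is released with a plain `gnutls_free (k.data)` and is never wiped first, so a copy of the user's SASL signing key can linger in freed heap memory. Zeroize it before freeing; `gnutls_memset` is the natural choice but was added in GnuTLS 3.4.0, so with the 3.3.0 floor chosen here it needs a local explicit-wipe helper or a version guard, or the floor could be raised to 3.4.0. The `x` and `y` coordinates are public and need no such treatment. The rest of irc_sasl_mechanism_ecdsa_nist256p_challenge, including where `x.data` is released, lies outside the hunk.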
@@ -5052,19 +5052,11 @@ irc_server_gnutls_callback (const void *pointer, void *data,
 const gnutls_datum_t *req_ca, int nreq,
 const gnutls_pk_algorithm_t *pk_algos,
 int pk_algos_len,
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
 gnutls_retr2_st *answer,
-#else
- gnutls_retr_st *answer,
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
 int action)
 {
 struct t_irc_server *server;
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
 gnutls_retr2_st tls_struct;
-#else
- gnutls_retr_st tls_struct;
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
 gnutls_x509_crt_t cert_temp;
 const gnutls_datum_t *cert_list;
 gnutls_datum_t filedatum;
@@ -5075,10 +5067,8 @@ irc_server_gnutls_callback (const void *pointer, void *data,
 const char *ptr_cert_path, *ptr_fingerprint;
 int rc, ret, fingerprint_match, hostname_match, cert_temp_init;
 struct t_hashtable *options;
-#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */
 gnutls_datum_t cinfo;
 int rinfo;
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */
 /* make C compiler happy */
 (void) data;
@@ -5170,15 +5160,9 @@ irc_server_gnutls_callback (const void *pointer, void *data,
 hostname_match = 1;
 }
 }
-#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */
 /* display infos about certificate */
-#if LIBGNUTLS_VERSION_NUMBER < 0x020400 /* 2.4.0 */
- rinfo = gnutls_x509_crt_print (cert_temp,
- GNUTLS_X509_CRT_ONELINE, &cinfo);
-#else
 rinfo = gnutls_x509_crt_print (cert_temp,
 GNUTLS_CRT_PRINT_ONELINE, &cinfo);
-#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020400 */
 if (rinfo == 0)
 {
 weechat_printf (
@@ -5191,7 +5175,6 @@ irc_server_gnutls_callback (const void *pointer, void *data,
 weechat_prefix ("network"), cinfo.data);
 gnutls_free (cinfo.data);
 }
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */
 /* check dates, only if fingerprint is not set */
 if (!ptr_fingerprint || !ptr_fingerprint[0])
 {
@@ -5347,23 +5330,11 @@ irc_server_gnutls_callback (const void *pointer, void *data,
 /* key */
 gnutls_x509_privkey_init (&server->tls_cert_key);
-/*
- * gnutls_x509_privkey_import2 has no "Since: ..." in GnuTLS manual but
- * GnuTLS NEWS file lists it being added in 3.1.0:
- * https://gitlab.com/gnutls/gnutls/blob/2b715b9564681acb3008a5574dcf25464de8b038/NEWS#L2552
- */
-#if LIBGNUTLS_VERSION_NUMBER >= 0x030100 /* 3.1.0 */
 ret = gnutls_x509_privkey_import2 (server->tls_cert_key, &filedatum, GNUTLS_X509_FMT_PEM, tls_password, 0);
-#else
- ret = gnutls_x509_privkey_import (server->tls_cert_key,
- &filedatum,
- GNUTLS_X509_FMT_PEM);
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x0301000 */
-
 if (ret < 0)
 {
 ret = gnutls_x509_privkey_import_pkcs8 (
@@ -5385,28 +5356,16 @@ irc_server_gnutls_callback (const void *pointer, void *data,
 }
 else
 {
-
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
 tls_struct.cert_type = GNUTLS_CRT_X509;
 tls_struct.key_type = GNUTLS_PRIVKEY_X509;
-#else
- tls_struct.type = GNUTLS_CRT_X509;
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
 tls_struct.ncerts = 1;
 tls_struct.deinit_all = 0;
 tls_struct.cert.x509 = &server->tls_cert;
 tls_struct.key.x509 = server->tls_cert_key;
-#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */
 /* client certificate info */
-#if LIBGNUTLS_VERSION_NUMBER < 0x020400 /* 2.4.0 */
- rinfo = gnutls_x509_crt_print (server->tls_cert,
- GNUTLS_X509_CRT_ONELINE,
- &cinfo);
-#else
 rinfo = gnutls_x509_crt_print (server->tls_cert, GNUTLS_CRT_PRINT_ONELINE, &cinfo);
-#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020400 */
 if (rinfo == 0)
 {
 weechat_printf (
@@ -5418,7 +5377,6 @@ irc_server_gnutls_callback (const void *pointer, void *data,
 weechat_prefix ("network"), cinfo.data);
 gnutls_free (cinfo.data);
 }
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */
 memcpy (answer, &tls_struct, sizeof (tls_struct));
 free (cert_str);
 }
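Review bot: `gnutls_x509_privkey_init (&server->tls_cert_key);` at the top of the `@@ -5347` hunk ignores its return value, so if the init fails the following `gnutls_x509_privkey_import2` and the `gnutls_x509_privkey_import_pkcs8` fallback both operate on a key object that was never initialized, and the later `tls_struct.key.x509 = server->tls_cert_key;` hands that object to GnuTLS. Capture the result and skip both imports when it is not `GNUTLS_E_SUCCESS`, reporting it the same way the import failures below are reported, e.g. `ret = gnutls_x509_privkey_init (&server->tls_cert_key);` followed by `if (ret < 0) { /* report, leave tls_cert_key unused */ }` ahead of the import chain. irc_server_gnutls_callback starts and ends outside the hunk, so how the surrounding error paths clean up `tls_cert_key` is not visible here.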
diff --git a/src/plugins/relay/api/remote/relay-remote-network.c b/src/plugins/relay/api/remote/relay-remote-network.c
index 108fe637d..245092e1a 100644
--- a/src/plugins/relay/api/remote/relay-remote-network.c
+++ b/src/plugins/relay/api/remote/relay-remote-network.c
@@ -970,11 +970,7 @@ relay_remote_network_gnutls_callback (const void *pointer, void *data,
 const gnutls_datum_t *req_ca, int nreq,
 const gnutls_pk_algorithm_t *pk_algos,
 int pk_algos_len,
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
 gnutls_retr2_st *answer,
-#else
- gnutls_retr_st *answer,
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
 int action)
 {
 struct t_relay_remote *remote;
@@ -983,10 +979,8 @@ relay_remote_network_gnutls_callback (const void *pointer, void *data,
 unsigned int i, cert_list_len, status;
 time_t cert_time;
 int rc, hostname_match, cert_temp_init;
-#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */
 gnutls_datum_t cinfo;
 int rinfo;
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */
 /* make C compiler happy */
 (void) data;
@@ -1061,15 +1055,9 @@ relay_remote_network_gnutls_callback (const void *pointer, void *data,
 hostname_match = 1;
 }
 }
-#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */
 /* display infos about certificate */
-#if LIBGNUTLS_VERSION_NUMBER < 0x020400 /* 2.4.0 */
- rinfo = gnutls_x509_crt_print (cert_temp,
- GNUTLS_X509_CRT_ONELINE, &cinfo);
-#else
 rinfo = gnutls_x509_crt_print (cert_temp,
 GNUTLS_CRT_PRINT_ONELINE, &cinfo);
-#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020400 */
 if (rinfo == 0)
 {
 weechat_printf (
@@ -1082,7 +1070,6 @@ relay_remote_network_gnutls_callback (const void *pointer, void *data,
 remote->name, cinfo.data);
 gnutls_free (cinfo.data);
 }
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */
 /* check expiration date */
 cert_time = gnutls_x509_crt_get_expiration_time (cert_temp);
 if (cert_time < time (NULL))
diff --git a/src/plugins/relay/relay-client.c b/src/plugins/relay/relay-client.c
index 327d31cd3..e4975a2f6 100644
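Review bot: In the `@@ -1082` hunk, `cert_time = gnutls_x509_crt_get_expiration_time (cert_temp);` is compared against `time (NULL)` without handling the error value; GnuTLS reports a certificate whose expiry cannot be read as `(time_t) -1`, and the `<` comparison rejects it only because -1 happens to sort before the current time. Make the fail-closed behaviour explicit so it does not depend on that coincidence or on `time_t` being signed: `if (cert_time == (time_t) -1 || cert_time < time (NULL))`. The same expiry check is presumably present in the irc-server.c callback too, but that part of it is not in this patch. relay_remote_network_gnutls_callback continues outside the hunk.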
--- a/src/plugins/relay/relay-client.c
+++ b/src/plugins/relay/relay-client.c
@@ -1447,13 +1447,8 @@ relay_client_new (int sock, const char *address, struct t_relay_server *server)
 if (relay_gnutls_dh_params)
 {
 gnutls_dh_params_init (relay_gnutls_dh_params);
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020c00 /* 2.12.0 */
 bits = gnutls_sec_param_to_pk_bits (GNUTLS_PK_DH,
 GNUTLS_SEC_PARAM_LOW);
-#else
- /* default for old gnutls */
- bits = 1024;
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020c00 */
 gnutls_dh_params_generate2 (*relay_gnutls_dh_params, bits);
 gnutls_certificate_set_dh_params (relay_gnutls_x509_cred,
 *relay_gnutls_dh_params);
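Review bot: With the fallback gone, `GNUTLS_SEC_PARAM_LOW` is the sole source of the DH size passed to `gnutls_dh_params_generate2`, and in GnuTLS's security-parameter table LOW corresponds to 1024-bit DH (80-bit security), the same strength as the removed `bits = 1024;` default and below what current TLS guidance considers adequate for a server-side DH group. Since the floor is now 3.3.0, `GNUTLS_SEC_PARAM_MEDIUM` (2048-bit) is available everywhere, and on builds with GnuTLS 3.5.6 or later `gnutls_certificate_set_known_dh_params` would supply a predefined group without generating parameters at runtime. Neither `gnutls_dh_params_init` nor `gnutls_dh_params_generate2` has its return value checked in this hunk, so a failure in either still hands `*relay_gnutls_dh_params` to `gnutls_certificate_set_dh_params`; guard the generate call, e.g. `if (gnutls_dh_params_generate2 (*relay_gnutls_dh_params, bits) == GNUTLS_E_SUCCESS)` around the set call. relay_client_new starts and ends outside the hunk, so whether this block runs once or per client is not visible here.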