gtls: drop support for GnuTLS < 3.6.5

Release date 2018-12-01. Has TLS 1.3 support.

Closes #19609
This commit is contained in:
Daniel Stenberg 2025-11-19 15:05:17 +01:00
parent 529f61388f
commit 49ab46c9c5
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
2 changed files with 3 additions and 48 deletions

View file

@ -26,7 +26,7 @@ versions of libs and build tools.
- OpenSSL 3.0.0 (2021-09-07)
- LibreSSL 2.9.1 (2019-04-22)
- GnuTLS 3.1.10 (2013-03-22)
- GnuTLS 3.6.5 (2018-12-01)
- mbedTLS 3.2.0 (2022-07-11)
- zlib 1.2.5.2 (2011-12-11)
- libssh2 1.9.0 (2019-06-20)

View file

@ -73,7 +73,7 @@ static void tls_log_func(int level, const char *str)
}
#endif
#if !defined(GNUTLS_VERSION_NUMBER) || (GNUTLS_VERSION_NUMBER < 0x03010a)
#if !defined(GNUTLS_VERSION_NUMBER) || (GNUTLS_VERSION_NUMBER < 0x030605)
#error "too old GnuTLS version"
#endif
@ -767,10 +767,8 @@ int Curl_glts_get_ietf_proto(gnutls_session_t session)
return CURL_IETF_PROTO_TLS1_1;
case GNUTLS_TLS1_2:
return CURL_IETF_PROTO_TLS1_2;
#if GNUTLS_VERSION_NUMBER >= 0x030603
case GNUTLS_TLS1_3:
return CURL_IETF_PROTO_TLS1_3;
#endif
default:
return CURL_IETF_PROTO_UNKNOWN;
}
@ -1841,51 +1839,8 @@ Curl_gtls_verifyserver(struct Curl_cfilter *cf,
rc = (int)gnutls_x509_crt_check_hostname(x509_cert,
peer->sni ? peer->sni :
peer->hostname);
#if GNUTLS_VERSION_NUMBER < 0x030306
/* Before 3.3.6, gnutls_x509_crt_check_hostname() did not check IP
addresses. */
if(!rc) {
#ifdef USE_IPV6
#define use_addr in6_addr
#else
#define use_addr in_addr
#endif
unsigned char addrbuf[sizeof(struct use_addr)];
size_t addrlen = 0;
if(curlx_inet_pton(AF_INET, peer->hostname, addrbuf) > 0)
addrlen = 4;
#ifdef USE_IPV6
else if(curlx_inet_pton(AF_INET6, peer->hostname, addrbuf) > 0)
addrlen = 16;
#endif
if(addrlen) {
unsigned char certaddr[sizeof(struct use_addr)];
int i;
for(i = 0; ; i++) {
size_t certaddrlen = sizeof(certaddr);
int ret = gnutls_x509_crt_get_subject_alt_name(x509_cert, i, certaddr,
&certaddrlen, NULL);
/* If this happens, it was not an IP address. */
if(ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
continue;
if(ret < 0)
break;
if(ret != GNUTLS_SAN_IPADDRESS)
continue;
if(certaddrlen == addrlen && !memcmp(addrbuf, certaddr, addrlen)) {
rc = 1;
break;
}
}
}
}
#endif
result = (!rc && config->verifyhost) ?
CURLE_PEER_FAILED_VERIFICATION : CURLE_OK;
CURLE_PEER_FAILED_VERIFICATION : CURLE_OK;
gtls_msg_verify_result(data, peer, x509_cert, rc, config->verifyhost);
if(result)
goto out;