95 lines
3.1 KiB
Diff
95 lines
3.1 KiB
Diff
|
From cd4f3bed33d5ffdba6846d270c0e11713bc1caf6 Mon Sep 17 00:00:00 2001
|
||
|
|
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||
|
|
Date: Tue, 25 Jun 2024 10:55:54 +0100
|
||
|
|
Subject: [PATCH] build: Move to minimum gnutls >= 3.5.18
|
||
|
|
MIME-Version: 1.0
|
||
|
|
Content-Type: text/plain; charset=UTF-8
|
||
|
|
Content-Transfer-Encoding: 8bit
|
||
|
|
|
||
|
|
This version matches current qemu.
|
||
|
|
|
||
|
|
RHEL 7 gnutls is too old (lacks gnutls_session_set_verify_cert), which
|
||
|
|
means TLS will be disabled on this platform. RHEL 8 has gnutls 3.6.14.
|
||
|
|
|
||
|
|
I also unconditionally enabled the gnutls/socket.h header. This
|
||
|
|
header was added in 2016 (gnutls 3.5.3), so it's not present in RHEL 7.
|
||
|
|
|
||
|
|
On RHEL 7 the configure-time test now prints:
|
||
|
|
|
||
|
|
checking for GNUTLS... no
|
||
|
|
configure: WARNING: gnutls not found or < 3.5.18, TLS support will be disabled.
|
||
|
|
...
|
||
|
|
Optional library features:
|
||
|
|
TLS support ............................ no
|
||
|
|
|
||
|
|
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
||
|
|
(cherry picked from commit 5ff09cdbbd19226dd2d5015d76134f88dee9321e)
|
||
|
|
(cherry picked from commit cb6df4f81a97d5d58385d89b0135039f1eddee15)
|
||
|
|
---
|
||
|
|
configure.ac | 12 +++---------
|
||
|
|
lib/crypto.c | 5 +----
|
||
|
|
2 files changed, 4 insertions(+), 13 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/configure.ac b/configure.ac
|
||
|
|
index da3dc38a..29e3b47a 100644
|
||
|
|
--- a/configure.ac
|
||
|
|
+++ b/configure.ac
|
||
|
|
@@ -94,12 +94,13 @@ AC_ARG_WITH([gnutls],
|
||
|
|
[],
|
||
|
|
[with_gnutls=check])
|
||
|
|
AS_IF([test "$with_gnutls" != "no"],[
|
||
|
|
- PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [
|
||
|
|
+ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [
|
||
|
|
+ printf "gnutls version is "; $PKG_CONFIG --modversion gnutls
|
||
|
|
AC_SUBST([GNUTLS_CFLAGS])
|
||
|
|
AC_SUBST([GNUTLS_LIBS])
|
||
|
|
AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.])
|
||
|
|
], [
|
||
|
|
- AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])
|
||
|
|
+ AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])
|
||
|
|
])
|
||
|
|
])
|
||
|
|
AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])
|
||
|
|
@@ -114,13 +115,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
|
||
|
|
AC_MSG_RESULT([$tls_priority])
|
||
|
|
AC_DEFINE_UNQUOTED([TLS_PRIORITY],["$tls_priority"],
|
||
|
|
[Default TLS session priority string])
|
||
|
|
-
|
||
|
|
- # Check for APIs which may not be present.
|
||
|
|
- old_LIBS="$LIBS"
|
||
|
|
- LIBS="$GNUTLS_LIBS $LIBS"
|
||
|
|
- AC_CHECK_FUNCS([\
|
||
|
|
- gnutls_session_set_verify_cert])
|
||
|
|
- LIBS="$old_LIBS"
|
||
|
|
])
|
||
|
|
|
||
|
|
dnl certtool (part of GnuTLS) for testing TLS with certificates.
|
||
|
|
diff --git a/lib/crypto.c b/lib/crypto.c
|
||
|
|
index a9b3789c..705e114a 100644
|
||
|
|
--- a/lib/crypto.c
|
||
|
|
+++ b/lib/crypto.c
|
||
|
|
@@ -28,6 +28,7 @@
|
||
|
|
|
||
|
|
#ifdef HAVE_GNUTLS
|
||
|
|
#include <gnutls/gnutls.h>
|
||
|
|
+#include <gnutls/socket.h>
|
||
|
|
#endif
|
||
|
|
|
||
|
|
#include "internal.h"
|
||
|
|
@@ -512,12 +513,8 @@ set_up_certificate_credentials (struct nbd_handle *h,
|
||
|
|
return NULL;
|
||
|
|
|
||
|
|
found_certificates:
|
||
|
|
-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
|
||
|
|
if (h->hostname && h->tls_verify_peer)
|
||
|
|
gnutls_session_set_verify_cert (session, h->hostname, 0);
|
||
|
|
-#else
|
||
|
|
- debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6");
|
||
|
|
-#endif
|
||
|
|
|
||
|
|
err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
|
||
|
|
if (err < 0) {
|
||
|
|
--
|
||
|
|
2.43.0
|
||
|
|
|