From 596626369b90016f6852610c217da22668158521 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 25 Jun 2024 10:55:54 +0100
Subject: [PATCH] build: Move to minimum gnutls >= 3.5.18
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This version matches current qemu.

RHEL 7 gnutls is too old (lacks gnutls_session_set_verify_cert), which
means TLS will be disabled on this platform.  RHEL 8 has gnutls 3.6.14.

I also unconditionally enabled the gnutls/socket.h header.  This
header was added in 2016 (gnutls 3.5.3), so it's not present in RHEL 7.

On RHEL 7 the configure-time test now prints:

  checking for GNUTLS... no
  configure: WARNING: gnutls not found or < 3.5.18, TLS support will be disabled.
  ...
  Optional library features:
      TLS support ............................ no

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 5ff09cdbbd19226dd2d5015d76134f88dee9321e)
(cherry picked from commit 177fd0847723640829eff8d1ab102f8d28a7328e)
---
 configure.ac | 5 ++---
 lib/crypto.c | 6 ------
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/configure.ac b/configure.ac
index 91fe004b..c0d6a472 100644
--- a/configure.ac
+++ b/configure.ac
@@ -178,13 +178,13 @@ AC_ARG_WITH([gnutls],
     [],
     [with_gnutls=check])
 AS_IF([test "$with_gnutls" != "no"],[
-    PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [
+    PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [
         printf "gnutls version is "; $PKG_CONFIG --modversion gnutls
         AC_SUBST([GNUTLS_CFLAGS])
         AC_SUBST([GNUTLS_LIBS])
         AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.])
     ], [
-        AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])
+        AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])
     ])
 ])
 AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])
@@ -210,7 +210,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
     old_LIBS="$LIBS"
     LIBS="$GNUTLS_LIBS $LIBS"
     AC_CHECK_FUNCS([\
-        gnutls_session_set_verify_cert \
         gnutls_transport_is_ktls_enabled \
     ])
     LIBS="$old_LIBS"
diff --git a/lib/crypto.c b/lib/crypto.c
index 22a1cfa5..d131f1d0 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -28,10 +28,8 @@
 
 #ifdef HAVE_GNUTLS
 #include <gnutls/gnutls.h>
-#ifdef HAVE_GNUTLS_SOCKET_H
 #include <gnutls/socket.h>
 #endif
-#endif
 
 #include "internal.h"
 #include "nbdkit-string.h"
@@ -532,12 +530,8 @@ set_up_certificate_credentials (struct nbd_handle *h,
   return NULL;
 
  found_certificates:
-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
   if (h->hostname && h->tls_verify_peer)
     gnutls_session_set_verify_cert (session, h->hostname, 0);
-#else
-  debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6");
-#endif
 
   err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
   if (err < 0) {
-- 
2.43.0