virnettlscontext: Don't set DH parameters ourselves

According to [1]:

  Prior to GnuTLS 3.6.0 for the ephemeral or anonymous
  Diffie-Hellman (DH) TLS ciphersuites the application was
  required to generate or provide DH parameters. That is no
  longer necessary as GnuTLS utilizes DH parameters and
  negotiation from [RFC7919].

This allows us to:

  a) drop the code that's setting DH params,
  b) drop @dhParams member from _virNetTLSContext struct, and
  c) drop gnutls_dh_params_generate2() mock.

1: https://www.gnutls.org/manual/html_node/Parameter-generation.html

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik 2022-06-29 11:16:06 +02:00
parent 4d7e848418
commit 09010f7e76
2 changed files with 0 additions and 77 deletions


@ -54,7 +54,6 @@ struct _virNetTLSContext {
virObjectLockable parent;
gnutls_certificate_credentials_t x509cred;
gnutls_dh_params_t dhParams;
bool isServer;
bool requireValidCert;
@ -709,40 +708,6 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
goto error;
/* Generate Diffie Hellman parameters - for use with DHE
* kx algorithms. These should be discarded and regenerated
* once a day, once a week or once a month. Depending on the
* security requirements.
*/
if (isServer) {
unsigned int bits = 0;
bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
if (bits == 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
_("Unable to get key length for diffie-hellman parameters"));
goto error;
}
err = gnutls_dh_params_init(&ctxt->dhParams);
if (err < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Unable to initialize diffie-hellman parameters: %s"),
gnutls_strerror(err));
goto error;
}
err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
if (err < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Unable to generate diffie-hellman parameters: %s"),
gnutls_strerror(err));
goto error;
}
gnutls_certificate_set_dh_params(ctxt->x509cred,
ctxt->dhParams);
}
ctxt->requireValidCert = requireValidCert;
ctxt->x509dnACL = x509dnACL;
ctxt->isServer = isServer;
@ -754,8 +719,6 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
return ctxt;
error:
if (isServer)
gnutls_dh_params_deinit(ctxt->dhParams);
virObjectUnref(ctxt);
return NULL;
}
@ -950,9 +913,6 @@ int virNetTLSContextReloadForServer(virNetTLSContext *ctxt,
if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, key))
goto error;
gnutls_certificate_set_dh_params(ctxt->x509cred,
ctxt->dhParams);
gnutls_certificate_free_credentials(x509credBak);
return 0;
@ -1156,7 +1116,6 @@ void virNetTLSContextDispose(void *obj)
"ctxt=%p", ctxt);
g_free(ctxt->priority);
gnutls_dh_params_deinit(ctxt->dhParams);
gnutls_certificate_free_credentials(ctxt->x509cred);
}
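Review bot: Removing the gnutls_certificate_set_dh_params() calls in virNetTLSContextNew (the -709 hunk) and virNetTLSContextReloadForServer (the -950 hunk) makes DHE availability depend on GnuTLS being at least 3.6.0, the version the commit message cites for built-in RFC 7919 negotiation, yet no hunk here raises the build-time minimum, so if the project's GnuTLS requirement (not visible in this diff) is still below that, a server built against an older library would likely end up with no DH parameters for the DHE ciphersuites it still offers. It is worth confirming that the minimum version is already ≥ 3.6.0, or bumping it in the same change so the assumption is enforced at build time rather than at first handshake. Because the behaviour is now implicit, a short comment where the generation block was removed would help the next reader, e.g. `/* No explicit DH parameters: GnuTLS >= 3.6.0 negotiates RFC 7919 groups itself. */`. Note also that this replaces locally generated GNUTLS_SEC_PARAM_MEDIUM parameters with the standardized named groups, which a client must advertise for DHE to be selected; that is a reasonable trade, but worth stating in the commit message. virNetTLSContextNew begins and ends outside the hunk.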


@ -20,8 +20,6 @@
#ifndef WIN32
# include <gnutls/gnutls.h>
# include "internal.h"
# include "virrandom.h"
# include "virmock.h"
@ -57,40 +55,6 @@ int virRandomGenerateWWN(char **wwn,
return 0;
}
static int (*real_gnutls_dh_params_generate2)(gnutls_dh_params_t dparams,
unsigned int bits);
static gnutls_dh_params_t params_cache;
static unsigned int cachebits;
int
gnutls_dh_params_generate2(gnutls_dh_params_t dparams,
unsigned int bits)
{
int rc = 0;
VIR_MOCK_REAL_INIT(gnutls_dh_params_generate2);
if (!params_cache) {
if (gnutls_dh_params_init(&params_cache) < 0) {
fprintf(stderr, "Error initializing params cache");
abort();
}
rc = real_gnutls_dh_params_generate2(params_cache, bits);
if (rc < 0)
return rc;
cachebits = bits;
}
if (cachebits != bits) {
fprintf(stderr, "Requested bits do not match the cached value");
abort();
}
return gnutls_dh_params_cpy(dparams, params_cache);
}
#else /* WIN32 */
/* Can't mock on WIN32 */
#endif