virnettlscontext: Don't set DH parameters ourselves

According to [1]: Prior to GnuTLS 3.6.0 for the ephemeral or anonymous Diffie-Hellman (DH) TLS ciphersuites the application was required to generate or provide DH parameters. That is no longer necessary as GnuTLS utilizes DH parameters and negotiation from [RFC7919]. This allows us to: a) drop the code that's setting DH params, b) drop @dhParams member from _virNetTLSContext struct. and c) drop gnutls_dh_params_generate2() mock. 1: https://www.gnutls.org/manual/html_node/Parameter-generation.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2022-06-29 11:16:06 +02:00 · 2022-06-29 11:16:06 +02:00 · 09010f7e76
parent 4d7e848418
commit 09010f7e76
2 changed files with 0 additions and 77 deletions
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@ -54,7 +54,6 @@ struct _virNetTLSContext {
    virObjectLockable parent;

    gnutls_certificate_credentials_t x509cred;
-    gnutls_dh_params_t dhParams;

    bool isServer;
    bool requireValidCert;
@ -709,40 +708,6 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
    if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
        goto error;

-    /* Generate Diffie Hellman parameters - for use with DHE
-     * kx algorithms. These should be discarded and regenerated
-     * once a day, once a week or once a month. Depending on the
-     * security requirements.
-     */
-    if (isServer) {
-        unsigned int bits = 0;
-
-        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
-        if (bits == 0) {
-            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
-                           _("Unable to get key length for diffie-hellman parameters"));
-            goto error;
-        }
-
-        err = gnutls_dh_params_init(&ctxt->dhParams);
-        if (err < 0) {
-            virReportError(VIR_ERR_SYSTEM_ERROR,
-                           _("Unable to initialize diffie-hellman parameters: %s"),
-                           gnutls_strerror(err));
-            goto error;
-        }
-        err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
-        if (err < 0) {
-            virReportError(VIR_ERR_SYSTEM_ERROR,
-                           _("Unable to generate diffie-hellman parameters: %s"),
-                           gnutls_strerror(err));
-            goto error;
-        }
-
-        gnutls_certificate_set_dh_params(ctxt->x509cred,
-                                         ctxt->dhParams);
-    }
-
    ctxt->requireValidCert = requireValidCert;
    ctxt->x509dnACL = x509dnACL;
    ctxt->isServer = isServer;
@ -754,8 +719,6 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
    return ctxt;

 error:
-    if (isServer)
-        gnutls_dh_params_deinit(ctxt->dhParams);
    virObjectUnref(ctxt);
    return NULL;
 }
@ -950,9 +913,6 @@ int virNetTLSContextReloadForServer(virNetTLSContext *ctxt,
    if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, key))
        goto error;

-    gnutls_certificate_set_dh_params(ctxt->x509cred,
-                                     ctxt->dhParams);
-
    gnutls_certificate_free_credentials(x509credBak);

    return 0;
@ -1156,7 +1116,6 @@ void virNetTLSContextDispose(void *obj)
          "ctxt=%p", ctxt);

    g_free(ctxt->priority);
-    gnutls_dh_params_deinit(ctxt->dhParams);
    gnutls_certificate_free_credentials(ctxt->x509cred);
 }

--- a/tests/virrandommock.c
+++ b/tests/virrandommock.c
@ -20,8 +20,6 @@

 #ifndef WIN32

-# include <gnutls/gnutls.h>
-
 # include "internal.h"
 # include "virrandom.h"
 # include "virmock.h"
@ -57,40 +55,6 @@ int virRandomGenerateWWN(char **wwn,
    return 0;
 }

-
-static int (*real_gnutls_dh_params_generate2)(gnutls_dh_params_t dparams,
-                                              unsigned int bits);
-
-static gnutls_dh_params_t params_cache;
-static unsigned int cachebits;
-
-int
-gnutls_dh_params_generate2(gnutls_dh_params_t dparams,
-                           unsigned int bits)
-{
-    int rc = 0;
-
-    VIR_MOCK_REAL_INIT(gnutls_dh_params_generate2);
-
-    if (!params_cache) {
-        if (gnutls_dh_params_init(&params_cache) < 0) {
-            fprintf(stderr, "Error initializing params cache");
-            abort();
-        }
-        rc = real_gnutls_dh_params_generate2(params_cache, bits);
-
-        if (rc < 0)
-            return rc;
-        cachebits = bits;
-    }
-
-    if (cachebits != bits) {
-        fprintf(stderr, "Requested bits do not match the cached value");
-        abort();
-    }
-
-    return gnutls_dh_params_cpy(dparams, params_cache);
-}
 #else /* WIN32 */
 /* Can't mock on WIN32 */
 #endif