[PATCH 2/2] virnettlscontext: Don't set DH parameters ourselves

Michal Privoznik mprivozn at redhat.com
Thu Jun 30 08:56:50 UTC 2022


According to [1]:

  Prior to GnuTLS 3.6.0 for the ephemeral or anonymous
  Diffie-Hellman (DH) TLS ciphersuites the application was
  required to generate or provide DH parameters. That is no
  longer necessary as GnuTLS utilizes DH parameters and
  negotiation from [RFC7919].

This allows us to:

  a) drop the code that's setting DH params,
  b) drop @dhParams member from _virNetTLSContext struct, and
  c) drop gnutls_dh_params_generate2() mock.

1: https://www.gnutls.org/manual/html_node/Parameter-generation.html

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
---
 src/rpc/virnettlscontext.c | 41 --------------------------------------
 tests/virrandommock.c      | 36 ---------------------------------
 2 files changed, 77 deletions(-)

diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index bdbf01855d..acfc4f9323 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -54,7 +54,6 @@ struct _virNetTLSContext {
     virObjectLockable parent;
 
     gnutls_certificate_credentials_t x509cred;
-    gnutls_dh_params_t dhParams;
 
     bool isServer;
     bool requireValidCert;
@@ -709,40 +708,6 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
     if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
         goto error;
 
-    /* Generate Diffie Hellman parameters - for use with DHE
-     * kx algorithms. These should be discarded and regenerated
-     * once a day, once a week or once a month. Depending on the
-     * security requirements.
-     */
-    if (isServer) {
-        unsigned int bits = 0;
-
-        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
-        if (bits == 0) {
-            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
-                           _("Unable to get key length for diffie-hellman parameters"));
-            goto error;
-        }
-
-        err = gnutls_dh_params_init(&ctxt->dhParams);
-        if (err < 0) {
-            virReportError(VIR_ERR_SYSTEM_ERROR,
-                           _("Unable to initialize diffie-hellman parameters: %s"),
-                           gnutls_strerror(err));
-            goto error;
-        }
-        err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
-        if (err < 0) {
-            virReportError(VIR_ERR_SYSTEM_ERROR,
-                           _("Unable to generate diffie-hellman parameters: %s"),
-                           gnutls_strerror(err));
-            goto error;
-        }
-
-        gnutls_certificate_set_dh_params(ctxt->x509cred,
-                                         ctxt->dhParams);
-    }
-
     ctxt->requireValidCert = requireValidCert;
     ctxt->x509dnACL = x509dnACL;
     ctxt->isServer = isServer;
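Review bot: Removing the server-side DH parameter setup makes DHE key exchange depend entirely on GnuTLS's RFC 7919 group negotiation, which only exists from GnuTLS 3.6.0; unless the build system already enforces that minimum (not visible in this patch), a build against an older GnuTLS would end up with no DH parameters configured at all, so DHE ciphersuites would fail or be skipped rather than negotiated. If the minimum is not already pinned, a one-line comment after the virNetTLSContextLoadCredentials() call, `/* DH parameters are negotiated per RFC 7919 by GnuTLS >= 3.6.0; nothing to set here */`, would record the assumption where the old code used to live. virNetTLSContextNew starts and ends outside this hunk, so it cannot be seen whether `err` has any remaining use after this deletion; if it does not, the now-unused variable will warn under -Wunused-variable.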
@@ -754,8 +719,6 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
     return ctxt;
 
  error:
-    if (isServer)
-        gnutls_dh_params_deinit(ctxt->dhParams);
     virObjectUnref(ctxt);
     return NULL;
 }
@@ -950,9 +913,6 @@ int virNetTLSContextReloadForServer(virNetTLSContext *ctxt,
     if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, key))
         goto error;
 
-    gnutls_certificate_set_dh_params(ctxt->x509cred,
-                                     ctxt->dhParams);
-
     gnutls_certificate_free_credentials(x509credBak);
 
     return 0;
@@ -1156,7 +1116,6 @@ void virNetTLSContextDispose(void *obj)
           "ctxt=%p", ctxt);
 
     g_free(ctxt->priority);
-    gnutls_dh_params_deinit(ctxt->dhParams);
     gnutls_certificate_free_credentials(ctxt->x509cred);
 }
 
diff --git a/tests/virrandommock.c b/tests/virrandommock.c
index e295f74446..2673230cf7 100644
--- a/tests/virrandommock.c
+++ b/tests/virrandommock.c
@@ -20,8 +20,6 @@
 
 #ifndef WIN32
 
-# include <gnutls/gnutls.h>
-
 # include "internal.h"
 # include "virrandom.h"
 # include "virmock.h"
@@ -57,40 +55,6 @@ int virRandomGenerateWWN(char **wwn,
     return 0;
 }
 
-
-static int (*real_gnutls_dh_params_generate2)(gnutls_dh_params_t dparams,
-                                              unsigned int bits);
-
-static gnutls_dh_params_t params_cache;
-static unsigned int cachebits;
-
-int
-gnutls_dh_params_generate2(gnutls_dh_params_t dparams,
-                           unsigned int bits)
-{
-    int rc = 0;
-
-    VIR_MOCK_REAL_INIT(gnutls_dh_params_generate2);
-
-    if (!params_cache) {
-        if (gnutls_dh_params_init(&params_cache) < 0) {
-            fprintf(stderr, "Error initializing params cache");
-            abort();
-        }
-        rc = real_gnutls_dh_params_generate2(params_cache, bits);
-
-        if (rc < 0)
-            return rc;
-        cachebits = bits;
-    }
-
-    if (cachebits != bits) {
-        fprintf(stderr, "Requested bits do not match the cached value");
-        abort();
-    }
-
-    return gnutls_dh_params_cpy(dparams, params_cache);
-}
 #else /* WIN32 */
 /* Can't mock on WIN32 */
 #endif
-- 
2.35.1


