virnettlscontext: Don't set DH parameters ourselves
According to [1]: Prior to GnuTLS 3.6.0 for the ephemeral or anonymous Diffie-Hellman (DH) TLS ciphersuites the application was required to generate or provide DH parameters. That is no longer necessary as GnuTLS utilizes DH parameters and negotiation from [RFC7919]. This allows us to: a) drop the code that's setting DH params, b) drop @dhParams member from _virNetTLSContext struct. and c) drop gnutls_dh_params_generate2() mock. 1: https://www.gnutls.org/manual/html_node/Parameter-generation.html Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
parent
4d7e848418
commit
09010f7e76
@ -54,7 +54,6 @@ struct _virNetTLSContext {
|
|||||||
virObjectLockable parent;
|
virObjectLockable parent;
|
||||||
|
|
||||||
gnutls_certificate_credentials_t x509cred;
|
gnutls_certificate_credentials_t x509cred;
|
||||||
gnutls_dh_params_t dhParams;
|
|
||||||
|
|
||||||
bool isServer;
|
bool isServer;
|
||||||
bool requireValidCert;
|
bool requireValidCert;
|
||||||
@ -709,40 +708,6 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
|
|||||||
if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
|
if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cert, key) < 0)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
/* Generate Diffie Hellman parameters - for use with DHE
|
|
||||||
* kx algorithms. These should be discarded and regenerated
|
|
||||||
* once a day, once a week or once a month. Depending on the
|
|
||||||
* security requirements.
|
|
||||||
*/
|
|
||||||
if (isServer) {
|
|
||||||
unsigned int bits = 0;
|
|
||||||
|
|
||||||
bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
|
|
||||||
if (bits == 0) {
|
|
||||||
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
|
|
||||||
_("Unable to get key length for diffie-hellman parameters"));
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
err = gnutls_dh_params_init(&ctxt->dhParams);
|
|
||||||
if (err < 0) {
|
|
||||||
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
||||||
_("Unable to initialize diffie-hellman parameters: %s"),
|
|
||||||
gnutls_strerror(err));
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
|
|
||||||
if (err < 0) {
|
|
||||||
virReportError(VIR_ERR_SYSTEM_ERROR,
|
|
||||||
_("Unable to generate diffie-hellman parameters: %s"),
|
|
||||||
gnutls_strerror(err));
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
gnutls_certificate_set_dh_params(ctxt->x509cred,
|
|
||||||
ctxt->dhParams);
|
|
||||||
}
|
|
||||||
|
|
||||||
ctxt->requireValidCert = requireValidCert;
|
ctxt->requireValidCert = requireValidCert;
|
||||||
ctxt->x509dnACL = x509dnACL;
|
ctxt->x509dnACL = x509dnACL;
|
||||||
ctxt->isServer = isServer;
|
ctxt->isServer = isServer;
|
||||||
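Review bot: Dropping the DH block at the top of this hunk leaves the server with no explicitly set DH parameters, so DHE ciphersuites now rely entirely on GnuTLS being at least 3.6.0 and negotiating RFC 7919 FFDHE groups itself; nothing in this diff pins that minimum version, so if the build system does not already require it this is a functional regression on older GnuTLS, and if it does, it is a documentation gap. A short comment after `goto error;` would record the reliance: `/* No DH parameters are set on x509cred: GnuTLS >= 3.6.0 negotiates RFC 7919 FFDHE groups itself. */`. The group strength is also no longer derived from GNUTLS_SEC_PARAM_MEDIUM but follows whatever the configured priority string and the peer allow, which is worth confirming against the default priority used here. The same reliance applies to the `virNetTLSContextReloadForServer` hunk below, where the `gnutls_certificate_set_dh_params` call is removed. virNetTLSContextNew begins and ends outside this hunk.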
@ -754,8 +719,6 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
|
|||||||
return ctxt;
|
return ctxt;
|
||||||
|
|
||||||
error:
|
error:
|
||||||
if (isServer)
|
|
||||||
gnutls_dh_params_deinit(ctxt->dhParams);
|
|
||||||
virObjectUnref(ctxt);
|
virObjectUnref(ctxt);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -950,9 +913,6 @@ int virNetTLSContextReloadForServer(virNetTLSContext *ctxt,
|
|||||||
if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, key))
|
if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, key))
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
gnutls_certificate_set_dh_params(ctxt->x509cred,
|
|
||||||
ctxt->dhParams);
|
|
||||||
|
|
||||||
gnutls_certificate_free_credentials(x509credBak);
|
gnutls_certificate_free_credentials(x509credBak);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
@ -1156,7 +1116,6 @@ void virNetTLSContextDispose(void *obj)
|
|||||||
"ctxt=%p", ctxt);
|
"ctxt=%p", ctxt);
|
||||||
|
|
||||||
g_free(ctxt->priority);
|
g_free(ctxt->priority);
|
||||||
gnutls_dh_params_deinit(ctxt->dhParams);
|
|
||||||
gnutls_certificate_free_credentials(ctxt->x509cred);
|
gnutls_certificate_free_credentials(ctxt->x509cred);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -20,8 +20,6 @@
|
|||||||
|
|
||||||
#ifndef WIN32
|
#ifndef WIN32
|
||||||
|
|
||||||
# include <gnutls/gnutls.h>
|
|
||||||
|
|
||||||
# include "internal.h"
|
# include "internal.h"
|
||||||
# include "virrandom.h"
|
# include "virrandom.h"
|
||||||
# include "virmock.h"
|
# include "virmock.h"
|
||||||
@ -57,40 +55,6 @@ int virRandomGenerateWWN(char **wwn,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static int (*real_gnutls_dh_params_generate2)(gnutls_dh_params_t dparams,
|
|
||||||
unsigned int bits);
|
|
||||||
|
|
||||||
static gnutls_dh_params_t params_cache;
|
|
||||||
static unsigned int cachebits;
|
|
||||||
|
|
||||||
int
|
|
||||||
gnutls_dh_params_generate2(gnutls_dh_params_t dparams,
|
|
||||||
unsigned int bits)
|
|
||||||
{
|
|
||||||
int rc = 0;
|
|
||||||
|
|
||||||
VIR_MOCK_REAL_INIT(gnutls_dh_params_generate2);
|
|
||||||
|
|
||||||
if (!params_cache) {
|
|
||||||
if (gnutls_dh_params_init(¶ms_cache) < 0) {
|
|
||||||
fprintf(stderr, "Error initializing params cache");
|
|
||||||
abort();
|
|
||||||
}
|
|
||||||
rc = real_gnutls_dh_params_generate2(params_cache, bits);
|
|
||||||
|
|
||||||
if (rc < 0)
|
|
||||||
return rc;
|
|
||||||
cachebits = bits;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (cachebits != bits) {
|
|
||||||
fprintf(stderr, "Requested bits do not match the cached value");
|
|
||||||
abort();
|
|
||||||
}
|
|
||||||
|
|
||||||
return gnutls_dh_params_cpy(dparams, params_cache);
|
|
||||||
}
|
|
||||||
#else /* WIN32 */
|
#else /* WIN32 */
|
||||||
/* Can't mock on WIN32 */
|
/* Can't mock on WIN32 */
|
||||||
#endif
|
#endif
|
||||||