From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 1/2] meson: Require gnutls-3.6.0 or newer
Date: Thu, 30 Jun 2022 10:56:49 +0200
Message-Id: <41cdff9278d202365c7e22227b49c11b5c1dac9a.1656579323.git.mprivozn@redhat.com>

Released almost 5 years ago, gnutls-3.6.0 brings some important features
(which are utilized in the next commit). Hence, require that version at least.

Per repology, currently shipped versions are:

RHEL-8: 3.6.16
RHEL-9: 3.7.3
Debian 11: 3.7.1
Debian 12: 3.7.6
openSUSE Leap 15.3: 3.6.7
Ubuntu LTS 20.04: 3.6.13
Ubuntu LTS 22.04: 3.7.3
FreeBSD 12: 3.7.6
Fedora 34: 3.7.4
Fedora 35: 3.7.6

Signed-off-by: Michal Privoznik
Reviewed-by: Ján Tomko
---
 meson.build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meson.build b/meson.build
index e03f330f3d..864462c6dc 100644
--- a/meson.build
+++ b/meson.build
@@ -982,7 +982,7 @@ conf.set('GLIB_VERSION_MAX_ALLOWED', glib_version_str) glusterfs_version =3D '3.4.1' glusterfs_dep =3D dependency('glusterfs-api', version: '>=3D' + glusterfs_= version, required: get_option('glusterfs')) =20 -gnutls_version =3D '3.2.0' +gnutls_version =3D '3.6.0' gnutls_dep =3D dependency('gnutls', version: '>=3D' + gnutls_version) =20 # Check for BSD kvm (kernel memory interface) --=20 2.35.1
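Review bot: the one-line bump in the meson.build hunk (gnutls_version from '3.2.0' to '3.6.0') is consistent with every platform version quoted in the commit message (the lowest listed is openSUSE Leap 15.3 at 3.6.7), so no listed platform is dropped by the new minimum; the message would serve someone bisecting later much better if it named the feature being relied on, i.e. the RFC 7919 DH parameter handling that 2/2 depends on, rather than "some important features".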
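The minimum is enforced by meson's `dependency('gnutls', version: '>=' + gnutls_version)`, which asks pkg-config for the installed version and compares it. The following is an added example, not part of the libvirt patch or the project's code: a POSIX sh reproduction of that comparison so a packager can confirm a build host (or a distro's shipped version) satisfies the new floor before running meson. It assumes pkg-config exposes the library under the module name `gnutls` (the name meson queries), and the distro list from the commit message is embedded as a constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the libvirt patch: reproduce the ">= gnutls_version"
# check that meson's dependency() performs, in portable shell.

GNUTLS_MIN_VERSION='3.6.0'   # the value the patch sets in meson.build

# Sample input, constructed from the versions quoted in the commit message.
SHIPPED_VERSIONS='RHEL-8 3.6.16
RHEL-9 3.7.3
Debian-11 3.7.1
Debian-12 3.7.6
openSUSE-Leap-15.3 3.6.7
Ubuntu-20.04 3.6.13
Ubuntu-22.04 3.7.3
FreeBSD-12 3.7.6
Fedora-34 3.7.4
Fedora-35 3.7.6'

# version_ge A B: return 0 when dotted version A is >= B, 1 otherwise.
# Components are compared numerically; a missing component counts as 0 and
# any non-numeric suffix on a component (e.g. "16-1" or "0rc1") is ignored.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"
        bx="${b%%.*}"
        if [ "$ax" = "$a" ]; then a=''; else a="${a#*.}"; fi
        if [ "$bx" = "$b" ]; then b=''; else b="${b#*.}"; fi
        ax="${ax%%[!0-9]*}"
        bx="${bx%%[!0-9]*}"
        ax="${ax:-0}"
        bx="${bx:-0}"
        if [ "$ax" -gt "$bx" ]; then
            return 0
        elif [ "$ax" -lt "$bx" ]; then
            return 1
        fi
    done
    return 0
}

# report_versions LIST MIN: print one "name version ok|TOO OLD" line per
# entry of LIST (one "name version" pair per line). Returns 0 when every
# entry satisfies MIN, 1 if any entry is too old.
report_versions() {
    status=0
    while read -r name ver; do
        [ -n "$name" ] || continue
        if version_ge "$ver" "$2"; then
            printf '%-20s %-8s ok\n' "$name" "$ver"
        else
            printf '%-20s %-8s TOO OLD (< %s)\n' "$name" "$ver" "$2"
            status=1
        fi
    done <<EOF
$1
EOF
    return $status
}

# check_host_gnutls: query pkg-config for the installed gnutls, as meson does.
# Returns 0 if new enough, 1 if too old, 2 if pkg-config or gnutls is absent.
check_host_gnutls() {
    command -v pkg-config >/dev/null 2>&1 || return 2
    ver=$(pkg-config --modversion gnutls 2>/dev/null) || return 2
    if version_ge "$ver" "$GNUTLS_MIN_VERSION"; then
        printf 'installed gnutls %s satisfies >= %s\n' "$ver" "$GNUTLS_MIN_VERSION"
        return 0
    fi
    printf 'installed gnutls %s is older than %s\n' "$ver" "$GNUTLS_MIN_VERSION" >&2
    return 1
}

# Demo run: the constructed distro list first, then the build host itself.
main() {
    report_versions "$SHIPPED_VERSIONS" "$GNUTLS_MIN_VERSION"
    check_host_gnutls
}
main || :
```

The comparison deliberately ignores suffixes such as Debian's `-1` package revision, which pkg-config never reports but which show up when the version is copied from a package manager rather than from `gnutls.pc`.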
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 2/2] virnettlscontext: Don't set DH parameters ourselves
Date: Thu, 30 Jun 2022 10:56:50 +0200

According to [1]:

  Prior to GnuTLS 3.6.0 for the ephemeral or anonymous Diffie-Hellman (DH)
  TLS ciphersuites the application was required to generate or provide DH
  parameters. That is no longer necessary as GnuTLS utilizes DH parameters
  and negotiation from [RFC7919].

This allows us to:

a) drop the code that's setting DH params,
b) drop @dhParams member from _virNetTLSContext struct, and
c) drop gnutls_dh_params_generate2() mock.

1: https://www.gnutls.org/manual/html_node/Parameter-generation.html
Signed-off-by: Michal Privoznik Reviewed-by: J=C3=A1n Tomko --- src/rpc/virnettlscontext.c | 41 -------------------------------------- tests/virrandommock.c | 36 --------------------------------- 2 files changed, 77 deletions(-) diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index bdbf01855d..acfc4f9323 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -54,7 +54,6 @@ struct _virNetTLSContext { virObjectLockable parent; =20 gnutls_certificate_credentials_t x509cred; - gnutls_dh_params_t dhParams; =20 bool isServer; bool requireValidCert; @@ -709,40 +708,6 @@ static virNetTLSContext *virNetTLSContextNew(const cha= r *cacert, if (virNetTLSContextLoadCredentials(ctxt, isServer, cacert, cacrl, cer= t, key) < 0) goto error; =20 - /* Generate Diffie Hellman parameters - for use with DHE - * kx algorithms. These should be discarded and regenerated - * once a day, once a week or once a month. Depending on the - * security requirements. - */ - if (isServer) { - unsigned int bits =3D 0; - - bits =3D gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARA= M_MEDIUM); - if (bits =3D=3D 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, "%s", - _("Unable to get key length for diffie-hellman = parameters")); - goto error; - } - - err =3D gnutls_dh_params_init(&ctxt->dhParams); - if (err < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to initialize diffie-hellman paramete= rs: %s"), - gnutls_strerror(err)); - goto error; - } - err =3D gnutls_dh_params_generate2(ctxt->dhParams, bits); - if (err < 0) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Unable to generate diffie-hellman parameters= : %s"), - gnutls_strerror(err)); - goto error; - } - - gnutls_certificate_set_dh_params(ctxt->x509cred, - ctxt->dhParams); - } - ctxt->requireValidCert =3D requireValidCert; ctxt->x509dnACL =3D x509dnACL; ctxt->isServer =3D isServer; 
@@ -754,8 +719,6 @@ static virNetTLSContext *virNetTLSContextNew(const char= *cacert, return ctxt; =20 error: - if (isServer) - gnutls_dh_params_deinit(ctxt->dhParams); virObjectUnref(ctxt); return NULL; } @@ -950,9 +913,6 @@ int virNetTLSContextReloadForServer(virNetTLSContext *c= txt, if (virNetTLSContextLoadCredentials(ctxt, true, cacert, cacrl, cert, k= ey)) goto error; =20 - gnutls_certificate_set_dh_params(ctxt->x509cred, - ctxt->dhParams); - gnutls_certificate_free_credentials(x509credBak); =20 return 0; @@ -1156,7 +1116,6 @@ void virNetTLSContextDispose(void *obj) "ctxt=3D%p", ctxt); =20 g_free(ctxt->priority); - gnutls_dh_params_deinit(ctxt->dhParams); gnutls_certificate_free_credentials(ctxt->x509cred); } =20 diff --git a/tests/virrandommock.c b/tests/virrandommock.c index e295f74446..2673230cf7 100644 --- a/tests/virrandommock.c +++ b/tests/virrandommock.c @@ -20,8 +20,6 @@ =20 #ifndef WIN32 =20 -# include - # include "internal.h" # include "virrandom.h" # include "virmock.h" @@ -57,40 +55,6 @@ int virRandomGenerateWWN(char **wwn, return 0; } =20 - -static int (*real_gnutls_dh_params_generate2)(gnutls_dh_params_t dparams, - unsigned int bits); - -static gnutls_dh_params_t params_cache; -static unsigned int cachebits; - -int -gnutls_dh_params_generate2(gnutls_dh_params_t dparams, - unsigned int bits) -{ - int rc =3D 0; - - VIR_MOCK_REAL_INIT(gnutls_dh_params_generate2); - - if (!params_cache) { - if (gnutls_dh_params_init(¶ms_cache) < 0) { - fprintf(stderr, "Error initializing params cache"); - abort(); - } - rc =3D real_gnutls_dh_params_generate2(params_cache, bits); - - if (rc < 0) - return rc; - cachebits =3D bits; - } - - if (cachebits !=3D bits) { - fprintf(stderr, "Requested bits do not match the cached value"); - abort(); - } - - return gnutls_dh_params_cpy(dparams, params_cache); -} #else /* WIN32 */ /* Can't mock on WIN32 */ #endif --=20 2.35.1
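Review bot: the comment deleted in the virNetTLSContextNew hunk said the generated DH parameters "should be discarded and regenerated once a day, once a week or once a month", but nothing in the removed code or in the virNetTLSContextReloadForServer hunk ever regenerated them, so a server reused one locally generated group for its whole lifetime; switching to the RFC 7919 groups GnuTLS negotiates removes that stale-parameter issue along with the start-up cost, and the commit message could state that benefit explicitly. With no parameters set on x509cred any more, the DH group a server offers is now governed by the GnuTLS priority string (ctxt->priority, freed in the virNetTLSContextDispose hunk) and the library defaults, so the documented priority configuration should be checked to keep the FFDHE groups enabled, since they are now the only source of DH parameters for DHE ciphersuites.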
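Review bot: in the tests/virrandommock.c hunks the removed line shows as "-# include" with no header name, and the call reads gnutls_dh_params_init(¶ms_cache); both look like the angle-bracketed header and the "&" having been mangled by the archive rather than defects in the patch, but anyone applying from this copy should take the patch from the original mail. On the substance: the mock existed only to cache one gnutls_dh_params_generate2() result across tests, and its abort() on a mismatched bit count would have crashed any test that asked for two sizes; with the only caller deleted in the virNetTLSContextNew hunk it is dead code, though it is worth grepping tests/ for any remaining gnutls_dh_params_* references before merging.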