Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Drop workarounds for GnuTLS <3.4.6 #3790

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Drop workarounds for GnuTLS <3.4.6 #3790

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4bae382
Refactor: libcrmcommon: Use gnutls_transport_set_int()
nrwahl2 Jan 8, 2025
73526d8
Refactor: libcrmcommon: Drop calls to gnutls_global_init()/deinit()
nrwahl2 Jan 8, 2025
939fd11
Refactor: libcrmcommon: Use gnutls_session_set_verify_cert()
nrwahl2 Jan 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions include/crm/common/tls_internal.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,8 +84,8 @@ int pcmk__init_tls_dh(gnutls_dh_params_t *dh_params);
* \internal
* \brief Initialize a new TLS session
*
* \param[in] tls A TLS environment object
* \param[in] csock Connected socket for TLS session
* \param[in] tls TLS environment object
* \param[in] csock Connected TCP socket for TLS session
*
* \return Pointer to newly created session object, or NULL on error
*/
Expand Down
66 changes: 4 additions & 62 deletions lib/common/tls.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,6 @@
#include <gnutls/x509.h>
#include <stdlib.h>

#include <glib.h> // gpointer, GPOINTER_TO_INT(), GINT_TO_POINTER()

#include <crm/common/tls_internal.h>

static char *
Expand Down Expand Up @@ -101,44 +99,6 @@ tls_load_x509_data(pcmk__tls_t *tls)
return pcmk_rc_ok;
}

/*!
* \internal
* \brief Verify a peer's certificate
*
* \return 0 if the certificate is trusted and the gnutls handshake should
* continue, -1 otherwise
*/
static int
verify_peer_cert(gnutls_session_t session)
{
int rc;
int type;
unsigned int status;
gnutls_datum_t out;

/* NULL = no hostname comparison will be performed */
rc = gnutls_certificate_verify_peers3(session, NULL, &status);

/* Success means it was able to perform the verification. We still have
* to check status to see whether the cert is valid or not.
*/
if (rc != GNUTLS_E_SUCCESS) {
crm_err("Failed to verify peer certificate: %s", gnutls_strerror(rc));
return -1;
}

if (status == 0) {
/* The certificate is trusted. */
return 0;
}

type = gnutls_certificate_type_get(session);
gnutls_certificate_verification_status_print(status, type, &out, 0);
crm_err("Peer certificate invalid: %s", out.data);
gnutls_free(out.data);
return GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR;
}

static void
_gnutls_log_func(int level, const char *msg)
{
Expand Down Expand Up @@ -175,8 +135,6 @@ pcmk__free_tls(pcmk__tls_t *tls)

free(tls);
tls = NULL;

gnutls_global_deinit();
}

int
Expand All @@ -192,14 +150,6 @@ pcmk__init_tls(pcmk__tls_t **tls, bool server, gnutls_credentials_type_t cred_ty

signal(SIGPIPE, SIG_IGN);

/* gnutls_global_init is safe to call multiple times, but we have to call
* gnutls_global_deinit the same number of times for that function to do
* anything.
*
* FIXME: When we can use gnutls >= 3.3.0, we don't have to call
* gnutls_global_init anymore.
*/
gnutls_global_init();
gnutls_global_set_log_level(8);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While you're here, can you also add a comment to remind us to not bump the log level beyond 8, since higher levels can log sensitive information? I should have done this when I added the code.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure

gnutls_global_set_log_function(_gnutls_log_func);

Expand Down Expand Up @@ -349,8 +299,7 @@ pcmk__new_tls_session(pcmk__tls_t *tls, int csock)
goto error;
}

gnutls_transport_set_ptr(session,
(gnutls_transport_ptr_t) GINT_TO_POINTER(csock));
gnutls_transport_set_int(session, csock);

/* gnutls does not make this easy */
if (tls->cred_type == GNUTLS_CRD_ANON && tls->server) {
Expand Down Expand Up @@ -381,12 +330,8 @@ pcmk__new_tls_session(pcmk__tls_t *tls, int csock)
gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE);
}

/* Register a function to verify the peer's certificate.
*
* FIXME: When we can require gnutls >= 3.4.6, remove verify_peer_cert
* and use gnutls_session_set_verify_cert instead.
*/
gnutls_certificate_set_verify_function(tls->credentials.cert, verify_peer_cert);
// Register a function to verify the peer's certificate
gnutls_session_set_verify_cert(session, NULL, 0);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you get a chance to test this out, or should I do that?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Honestly no, though I traced the gnutls source code and documentation, which made this seem like a drop-in replacement.

Feel free to test if you want. I can, but I need to figure out how to test good and bad (and possibly absent on one end, if relevant) certificates. That will happen after business hours today, as I'm running out of time.

}

return session;
Expand Down Expand Up @@ -417,12 +362,9 @@ pcmk__new_tls_session(pcmk__tls_t *tls, int csock)
int
pcmk__tls_get_client_sock(const pcmk__remote_t *remote)
{
gpointer sock_ptr = NULL;

pcmk__assert((remote != NULL) && (remote->tls_session != NULL));

sock_ptr = (gpointer) gnutls_transport_get_ptr(remote->tls_session);
return GPOINTER_TO_INT(sock_ptr);
return gnutls_transport_get_int(remote->tls_session);
}

int
Expand Down
4 changes: 3 additions & 1 deletion lib/common/utils.c
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2004-2024 the Pacemaker project contributors
* Copyright 2004-2025 the Pacemaker project contributors
*
* The version control history for this file may have further details.
*
Expand Down Expand Up @@ -445,6 +445,8 @@ pcmk__timeout_ms2s(guint timeout_ms)
// Deprecated functions kept only for backward API compatibility
// LCOV_EXCL_START

#include <gnutls/gnutls.h> // gnutls_global_init(), etc.

#include <crm/common/util_compat.h>

static void
Expand Down