From e7d7bd20b8fafaaabdd093393f4fa22167af8d3c Mon Sep 17 00:00:00 2001
From: Daniil Baturin <daniil@baturin.org>
Date: Thu, 10 Aug 2023 14:53:14 +0100
Subject: openvpn: T5270: do not require classic DH params in any more Generate
 'dh none' instead and let OpenVPN use ECDH

---
 src/conf_mode/interfaces-openvpn.py | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 2a9b43f9b..26b217d98 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -189,16 +189,7 @@ def verify_pki(openvpn):
             if dict_search_args(pki, 'certificate', tls['certificate'], 'private', 'password_protected') is not None:
                 raise ConfigError(f'Cannot use encrypted private key on openvpn interface {interface}')
 
-            if mode == 'server' and 'dh_params' not in tls and not is_ec_private_key(pki, tls['certificate']):
-                raise ConfigError('Must specify "tls dh-params" when not using EC keys in server mode')
-
         if 'dh_params' in tls:
-            if 'dh' not in pki:
-                raise ConfigError('There are no DH parameters in PKI configuration')
-
-            if tls['dh_params'] not in pki['dh']:
-                raise ConfigError(f'Invalid dh-params on openvpn interface {interface}')
-
             pki_dh = pki['dh'][tls['dh_params']]
             dh_params = load_dh_parameters(pki_dh['parameters'])
             dh_numbers = dh_params.parameter_numbers()
@@ -207,6 +198,7 @@ def verify_pki(openvpn):
             if dh_bits < 2048:
                 raise ConfigError(f'Minimum DH key-size is 2048 bits')
 
+
         if 'auth_key' in tls or 'crypt_key' in tls:
             if not dict_search_args(pki, 'openvpn', 'shared_secret'):
                 raise ConfigError('There are no openvpn shared-secrets in PKI configuration')
@@ -495,9 +487,6 @@ def verify(openvpn):
                 if openvpn['protocol'] == 'tcp-active':
                     raise ConfigError('Cannot specify "tcp-active" when "tls role" is "passive"')
 
-                if not dict_search('tls.dh_params', openvpn):
-                    raise ConfigError('Must specify "tls dh-params" when "tls role" is "passive"')
-
         if 'certificate' in openvpn['tls'] and is_ec_private_key(openvpn['pki'], openvpn['tls']['certificate']):
             if 'dh_params' in openvpn['tls']:
                 print('Warning: using dh-params and EC keys simultaneously will ' \
-- 
cgit v1.2.3