Change-Id: I2d302dda68298877c65c99147f5bf22186a59aac
From 096e7bf2a9472f29b43c53fdf50ad349584677fe Mon Sep 17 00:00:00 2001
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 21 Dec 2021 10:04:21 +0100
Subject: [PATCH 107/108] virnettlscontext: Don't pass static key length to
gnutls_dh_params_generate2()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As encryption norms get more strict it's easy to fall on the
insecure side. For instance, so far we are generating 2048 bits
long prime for Diffie-Hellman keys. Some systems consider this
not long enough. While we may just keep increasing the value
passed to the corresponding gnutls_* function, that is not well
maintainable. Instead, we may do what's recommended in the
gnutls_* manpage. From gnutls_dh_params_generate2(3):
It is recommended not to set the number of bits directly, but
use gnutls_sec_param_to_pk_bits() instead.
Looking at gnutls_sec_param_to_pk_bits() [1], 2048
bits corresponds to parameter MEDIUM.
1: https://www.gnutls.org/manual/gnutls.html#tab_003akey_002dsizes
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ani Sinha <ani@anisinha.ca>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 4b77b194069f048e6efdaf5d363098ae039dc4f5)
---
src/rpc/virnettlscontext.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index d648a3815c..06365e15fb 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -38,8 +38,6 @@
#include "virthread.h"
#include "configmake.h"
-#define DH_BITS 2048
-
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
@@ -720,6 +718,15 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
* security requirements.
*/
if (isServer) {
+ unsigned int bits = 0;
+
+ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
+ if (bits == 0) {
+ virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
+ _("Unable to get key length for diffie-hellman parameters"));
+ goto error;
+ }
+
err = gnutls_dh_params_init(&ctxt->dhParams);
if (err < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
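Review bot: The DH prime size is now whatever the linked gnutls maps GNUTLS_PK_DH/GNUTLS_SEC_PARAM_MEDIUM to at run time, so the block comment ending at ` * security requirements.` just above `if (isServer)` should record that choice; e.g. `/* Let gnutls choose the DH prime size for its MEDIUM security level (2048 bits per the gnutls key-size table cited in the commit message) instead of hard-coding a bit count. */`. A gnutls upgrade may presumably raise that size and with it the cost of gnutls_dh_params_generate2() at startup, which is worth a sentence in the same comment. As a point of style, `unsigned int bits = 0;` followed two lines later by the unconditional assignment can be collapsed into `unsigned int bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);` directly before the `bits == 0` check. virNetTLSContextNew begins before this hunk and continues past it, so the `error` label targeted by the new `goto error` is not visible here.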
@@ -727,7 +734,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
gnutls_strerror(err));
goto error;
}
- err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
+ err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
if (err < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Unable to generate diffie-hellman parameters: %s"),
--
2.33.0