External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-07-06 09:55:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

virnettlscontext: Don't pass static key length to gnutls_dh_params_generate2()

Browse Source 
As encryption norms get more strict it's easy to fall on the
insecure side. For instance, so far we are generating 2048 bits
long prime for Diffie-Hellman keys. Some systems consider this
not long enough. While we may just keep increasing the value
passed to the corresponding gnutls_* function, that is not well
maintainable. Instead, we may do what's recommended in the
gnutls_* manpage. From gnutls_dh_params_generate2(3):

  It is recommended not to set the number of bits directly, but
  use gnutls_sec_param_to_pk_bits() instead.

Looking into the gnutls_sec_param_to_pk_bits() then [1], 2048
bits corresponds to parameter MEDIUM.

1: https://www.gnutls.org/manual/gnutls.html#tab_003akey_002dsizes

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ani Sinha <ani@anisinha.ca>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Michal Privoznik 2021-12-21 10:04:21 +01:00
parent fb474c33cc
commit 4b77b19406
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/rpc/virnettlscontext.c
View File

@ -38,8 +38,6 @@
#include "virthread.h"
#include "configmake.h"
#define DH_BITS 2048
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
@ -718,6 +716,15 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
* security requirements.
*/
if (isServer) {
unsigned int bits = 0;
bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
if (bits == 0) {
virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
_("Unable to get key length for diffie-hellman parameters"));
goto error;
}
err = gnutls_dh_params_init(&ctxt->dhParams);
if (err < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
@ -725,7 +732,7 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
gnutls_strerror(err));
goto error;
}
err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
if (err < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Unable to generate diffie-hellman parameters: %s"),