[PATCH 2/2] virnettlscontext: Don't pass static key length to gnutls_dh_params_generate2()

Ani Sinha ani at anisinha.ca
Tue Dec 21 16:33:14 UTC 2021



On Tue, 21 Dec 2021, Michal Privoznik wrote:

> As encryption norms get more strict it's easy to fall on the
> insecure side. For instance, so far we are generating 2048 bits
> long prime for Diffie-Hellman keys. Some systems consider this
> not long enough. While we may just keep increasing the value
> passed to the corresponding gnutls_* function, that is not well
> maintainable. Instead, we may do what's recommended in the
> gnutls_* manpage. From gnutls_dh_params_generate2(3):
>
>   It is recommended not to set the number of bits directly, but
>   use gnutls_sec_param_to_pk_bits() instead.
>
> Looking into the gnutls_sec_param_to_pk_bits() then [1], 2048
> bits corresponds to parameter MEDIUM. Therefore, we want to chose
> the next size (HIGH) to be future proof.
>
> 1: https://www.gnutls.org/manual/gnutls.html#tab_003akey_002dsizes
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>

Reviewed-by: Ani Sinha <ani at anisinha.ca>

> ---
>  src/rpc/virnettlscontext.c | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
> index 3b6687e7f4..f0b1e8f9c1 100644
> --- a/src/rpc/virnettlscontext.c
> +++ b/src/rpc/virnettlscontext.c
> @@ -38,8 +38,6 @@
>  #include "virthread.h"
>  #include "configmake.h"
>
> -#define DH_BITS 2048
> -
>  #define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
>  #define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
>  #define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
> @@ -718,6 +716,15 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
>       * security requirements.
>       */
>      if (isServer) {
> +        unsigned int bits = 0;
> +
> +        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
> +        if (bits == 0) {
> +            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
> +                           _("Unable to get key length for diffie-hellman parameters"));
> +            goto error;
> +        }
> +
>          err = gnutls_dh_params_init(&ctxt->dhParams);
>          if (err < 0) {
>              virReportError(VIR_ERR_SYSTEM_ERROR,
> @@ -725,7 +732,7 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
>                             gnutls_strerror(err));
>              goto error;
>          }
> -        err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
> +        err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
>          if (err < 0) {
>              virReportError(VIR_ERR_SYSTEM_ERROR,
>                             _("Unable to generate diffie-hellman parameters: %s"),
> --
> 2.32.0
>
>




More information about the libvir-list mailing list