[PATCH] virnettlscontext: Generate longer DH keys
Martin Kletzander
mkletzan at redhat.com
Mon Jan 3 12:21:59 UTC 2022
On Mon, Jan 03, 2022 at 01:01:23PM +0100, Michal Privoznik wrote:
>Currently, we generate 2048 bits long DH keys. This may look like
>enough, but it's not very future-proof. When the system crypto policy
>is tightened, only 3072-bit or longer keys are valid. From
>CRYPTO-POLICIES(7):
>
> FUTURE
> A conservative security policy that is believed to withstand
> any near-term future attacks. ...
>
> • DH params size: >= 3072
> • RSA keys size: >= 3072
>
>This policy corresponds to GNUTLS_SEC_PARAM_HIGH parameters.
>Therefore, pass that to gnutls_sec_param_to_pk_bits() to get a
>longer key.
>
>Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
Reviewed-by: Martin Kletzander <mkletzan at redhat.com>
>---
>
>Technically, this is a v2 of:
>
>https://listman.redhat.com/archives/libvir-list/2021-December/msg00827.html
>
>and was already reviewed. I'm sending it here because I've split the
>original patch into two. The first one, which switches to
>gnutls_sec_param_to_pk_bits() usage, is merged. The second one (this one),
>which lengthens the key, is not.
>
> src/rpc/virnettlscontext.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
>index 55da485f96..f0b1e8f9c1 100644
>--- a/src/rpc/virnettlscontext.c
>+++ b/src/rpc/virnettlscontext.c
>@@ -718,7 +718,7 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
> if (isServer) {
> unsigned int bits = 0;
>
>- bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
>+ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
> if (bits == 0) {
> virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
> _("Unable to get key length for diffie-hellman parameters"));
>--
>2.34.1
>
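A practitioner applying this patch usually also wants to verify that the DH parameters a TLS server actually ends up with meet the policy the commit message cites. The following is an added example, not libvirt's code and not gnutls's API: it encodes and decodes PKCS#3 DHParameter DER (SEQUENCE of prime p and base g), reads the bit length of p, and checks it against the per-policy minimums. The DEFAULT (2048) and FUTURE (3072) thresholds are the values quoted from CRYPTO-POLICIES(7) above; the LEGACY threshold of 1024 and the sample values of p (odd numbers of the right size, not real safe primes) are assumptions constructed for the example.

```python
"""Check DH parameters against crypto-policy minimum sizes.

Added example for the libvirt DH key-length discussion; not project code.
Parses PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
and compares the prime's bit length with a policy threshold.
"""
import base64

# Minimum DH prime size per crypto-policy level.
DH_MIN_BITS = {
    "LEGACY": 1024,   # assumption for illustration, not quoted on the page
    "DEFAULT": 2048,  # what GNUTLS_SEC_PARAM_MEDIUM gave libvirt before the patch
    "FUTURE": 3072,   # CRYPTO-POLICIES(7): "DH params size: >= 3072"
}


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value; extra byte keeps the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p: int, g: int) -> bytes:
    """Build a PKCS#3 DHParameter DER blob from prime p and generator g."""
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def decode_dh_params(der: bytes) -> tuple[int, int]:
    """Parse DHParameter DER and return (p, g). Rejects trailing data."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DHParameter SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("prime is not an INTEGER")
    tag, g_bytes, pos = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("base is not an INTEGER")
    p = int.from_bytes(p_bytes, "big", signed=True)
    g = int.from_bytes(g_bytes, "big", signed=True)
    if p <= 0 or g <= 0:
        raise ValueError("prime and base must be positive")
    return p, g


def pem_to_der(pem: str) -> bytes:
    """Strip '-----BEGIN DH PARAMETERS-----' armour and base64-decode the body."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return base64.b64decode(body)


def dh_policy_ok(der: bytes, policy: str) -> bool:
    """True when the prime in the DER blob is at least DH_MIN_BITS[policy] long."""
    p, _g = decode_dh_params(der)
    return p.bit_length() >= DH_MIN_BITS[policy]


def dh_policy_report(der: bytes) -> dict:
    """Map every policy level to whether the given parameters satisfy it."""
    return {name: dh_policy_ok(der, name) for name in DH_MIN_BITS}


# Constructed sample values: odd numbers of exactly 2048 and 3072 bits.
# They are NOT real safe primes; only the size matters for the policy check.
SAMPLE_P_2048 = (1 << 2047) | 1
SAMPLE_P_3072 = (1 << 3071) | 1

if __name__ == "__main__":
    for bits, p in ((2048, SAMPLE_P_2048), (3072, SAMPLE_P_3072)):
        print(bits, dh_policy_report(encode_dh_params(p, 2)))
```

The point the check makes visible is the one in the commit message: a 2048-bit parameter set passes DEFAULT but fails FUTURE, while 3072 bits passes both. Feeding `pem_to_der()` a real `certtool --generate-dh-params` or `openssl dhparam` PEM file gives the same verdict for parameters loaded from disk.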