[PATCH] virnettlscontext: Generate longer DH keys

Martin Kletzander mkletzan at redhat.com
Mon Jan 3 12:21:59 UTC 2022


On Mon, Jan 03, 2022 at 01:01:23PM +0100, Michal Privoznik wrote:
>Currently, we generate 2048-bit long DH keys. This may look
>enough, but it's not very future proof. When system crypto policy
>is tightened, only 3072-bit or longer keys are valid. From
>CRYPTO-POLICIES(7):
>
>  FUTURE
>    A conservative security policy that is believed to withstand
>    any near-term future attacks. ...
>
>      •   DH params size: >= 3072
>      •   RSA keys size: >= 3072
>
>This policy corresponds to GNUTLS_SEC_PARAM_HIGH parameters.
>Therefore, pass that to gnutls_sec_param_to_pk_bits() to get a
>longer key.
>
>Signed-off-by: Michal Privoznik <mprivozn at redhat.com>

Reviewed-by: Martin Kletzander <mkletzan at redhat.com>

>---
>
>Technically, this is a v2 of:
>
>https://listman.redhat.com/archives/libvir-list/2021-December/msg00827.html
>
>and was already reviewed. I'm sending it here because I've split the
>original patch into two. The first one, which switches to
>gnutls_sec_param_to_pk_bits() usage is merged. The second one (this one)
>which lengthens the key is not.
>
> src/rpc/virnettlscontext.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
>index 55da485f96..f0b1e8f9c1 100644
>--- a/src/rpc/virnettlscontext.c
>+++ b/src/rpc/virnettlscontext.c
>@@ -718,7 +718,7 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
>     if (isServer) {
>         unsigned int bits = 0;
>
>-        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
>+        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);
>         if (bits == 0) {
>             virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
>                            _("Unable to get key length for diffie-hellman parameters"));
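Review bot: the new GNUTLS_SEC_PARAM_HIGH on the `bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, ...)` line is still a hard-coded level with no comment saying why MEDIUM was no longer enough; the reasoning from the commit message (the crypto-policies FUTURE profile requires DH params >= 3072 and HIGH maps to that) belongs in a comment above the call, otherwise the next tightening of the policy will repeat this cycle. The `bits == 0` fallback below is unchanged and still correct for an unknown level. Since this runs in the `isServer` branch of virNetTLSContextNew, it is also worth noting in the commit message that generating DH parameters of the larger size at server start takes noticeably longer than with the previous value.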
>-- 
>2.34.1
>
