From 096e7bf2a9472f29b43c53fdf50ad349584677fe Mon Sep 17 00:00:00 2001
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 21 Dec 2021 10:04:21 +0100
Subject: [PATCH 107/108] virnettlscontext: Don't pass static key length to
gnutls_dh_params_generate2()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As encryption norms get more strict it's easy to fall on the
insecure side. For instance, so far we are generating 2048 bits
long prime for Diffie-Hellman keys. Some systems consider this
not long enough. While we may just keep increasing the value
passed to the corresponding gnutls_* function, that is not well
maintainable. Instead, we may do what's recommended in the
gnutls_* manpage. From gnutls_dh_params_generate2(3):
It is recommended not to set the number of bits directly, but
use gnutls_sec_param_to_pk_bits() instead.
Looking into the gnutls_sec_param_to_pk_bits() then [1], 2048
bits corresponds to parameter MEDIUM.
1: https://www.gnutls.org/manual/gnutls.html#tab_003akey_002dsizes
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ani Sinha <ani@anisinha.ca>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 4b77b194069f048e6efdaf5d363098ae039dc4f5)
---
src/rpc/virnettlscontext.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index d648a3815c..06365e15fb 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -38,8 +38,6 @@
#include "virthread.h"
#include "configmake.h"
-#define DH_BITS 2048
-
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
@@ -720,6 +718,15 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
* security requirements.
*/
if (isServer) {
+ unsigned int bits = 0;
+
+ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
+ if (bits == 0) {
+ virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
+ _("Unable to get key length for diffie-hellman parameters"));
+ goto error;
+ }
+
err = gnutls_dh_params_init(&ctxt->dhParams);
if (err < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
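Review bot: `unsigned int bits = 0;` followed immediately by `bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);` is a redundant initialization; initialize at the declaration instead, e.g. `unsigned int bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);`. The `bits == 0` check matches the documented failure return of gnutls_sec_param_to_pk_bits(), so the error path is correct. Since the DH size is now chosen by the installed gnutls release's definition of GNUTLS_SEC_PARAM_MEDIUM rather than by this file, the comment ending in "security requirements." just above `if (isServer)` should state that the size tracks gnutls' MEDIUM level, so readers know it can grow with a library upgrade.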
@@ -727,7 +734,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
gnutls_strerror(err));
goto error;
}
- err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
+ err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
if (err < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Unable to generate diffie-hellman parameters: %s"),
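Review bot: startup cost is worth a measurement after this change: gnutls_dh_params_generate2() generates a fresh prime every time a server TLS context is created, and the MEDIUM-derived size will only grow over time, so the time spent here on libvirtd startup rises with it. The substitution of `bits` for `DH_BITS` itself is correct and leaves the existing error reporting path unchanged.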
--
2.33.0