1 Star 0 Fork 71

梓瑶/libvirt

forked from src-openEuler/libvirt 
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
virnettlscontext-Don-t-pass-static-key-length-to-gnu.patch 2.80 KB
一键复制 编辑 原始数据 按行查看 历史
From 096e7bf2a9472f29b43c53fdf50ad349584677fe Mon Sep 17 00:00:00 2001
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 21 Dec 2021 10:04:21 +0100
Subject: [PATCH 107/108] virnettlscontext: Don't pass static key length to
gnutls_dh_params_generate2()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As encryption norms get more strict it's easy to fall on the
insecure side. For instance, so far we are generating 2048 bits
long prime for Diffie-Hellman keys. Some systems consider this
not long enough. While we may just keep increasing the value
passed to the corresponding gnutls_* function, that is not well
maintainable. Instead, we may do what's recommended in the
gnutls_* manpage. From gnutls_dh_params_generate2(3):
It is recommended not to set the number of bits directly, but
use gnutls_sec_param_to_pk_bits() instead.
Looking into the gnutls_sec_param_to_pk_bits() then [1], 2048
bits corresponds to parameter MEDIUM.
1: https://www.gnutls.org/manual/gnutls.html#tab_003akey_002dsizes
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ani Sinha <ani@anisinha.ca>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
(cherry picked from commit 4b77b194069f048e6efdaf5d363098ae039dc4f5)
---
src/rpc/virnettlscontext.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index d648a3815c..06365e15fb 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -38,8 +38,6 @@
#include "virthread.h"
#include "configmake.h"
-#define DH_BITS 2048
-
#define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
#define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
#define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
@@ -720,6 +718,15 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
* security requirements.
*/
if (isServer) {
+ unsigned int bits = 0;
+
+ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
+ if (bits == 0) {
+ virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
+ _("Unable to get key length for diffie-hellman parameters"));
+ goto error;
+ }
+
err = gnutls_dh_params_init(&ctxt->dhParams);
if (err < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
@@ -727,7 +734,7 @@ static virNetTLSContextPtr virNetTLSContextNew(const char *cacert,
gnutls_strerror(err));
goto error;
}
- err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
+ err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
if (err < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Unable to generate diffie-hellman parameters: %s"),
--
2.33.0
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/ziyao233/libvirt.git
git@gitee.com:ziyao233/libvirt.git
ziyao233
libvirt
libvirt
master

搜索帮助

0d507c66 1850385 C8b1a773 1850385