From nobody Thu May 2 01:57:04 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1641211304; cv=none; d=zohomail.com; s=zohoarc; b=NsVkPq0LbLMZEp4JgSLcC9SrX9SI5Ucki0bb4HzuIa4M51NKkWtV6DsAotV//DLO8j7rnbbHuPMR+MFg7CpJmsJaqUcf7JpPpiFxyAyISYPyE/ZJUQwrs8fTM10tBIr3Km5+Vns74jo+MPEK+h1xofVvhfixvqT3jHH8uIOQUcw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1641211304; h=Content-Type:Content-Transfer-Encoding:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To; bh=x0qQvF9OHmLWa9F+vR9DrHGGSdp3Bn+wg1Ezv92G+nI=; b=oEKzRTu/C032mgfIS4VKmxlEE9gU/qIbyx8ks+hi4ClNySJEY/bTiCaDh+9JCZuhIB/scqVzazrEj3VsHrNd+RecAY3ORmbWu1+zULgKkiwDhF5mZrPtQGci35MT/6SfI/isC8Pqu6Ny2ALG/Tjc9czRdPQKrlzgZt0Wl5nhL1Y= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 164121130433857.26410069043277; Mon, 3 Jan 2022 04:01:44 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-673-Ze2RsOolMqGbn8oJOZTNXQ-1; Mon, 03 Jan 2022 07:01:41 -0500 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CC32018397C5; Mon, 3 Jan 2022 12:01:35 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 19E8C72414; Mon, 3 Jan 2022 12:01:35 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 85CC54BB7C; Mon, 3 Jan 2022 12:01:32 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 203C1Vi8008020 for ; Mon, 3 Jan 2022 07:01:31 -0500 Received: by smtp.corp.redhat.com (Postfix) id D890374E98; Mon, 3 Jan 2022 12:01:31 +0000 (UTC) Received: from maggie.redhat.com (unknown [10.43.2.64]) by smtp.corp.redhat.com (Postfix) with ESMTP id 630C572414 for ; Mon, 3 Jan 2022 12:01:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1641211303; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=x0qQvF9OHmLWa9F+vR9DrHGGSdp3Bn+wg1Ezv92G+nI=; b=GZkuew2BrPZ+RDflPEUUncGcovN2t/Jzf9nEdVYlxXs6Psil5OcPul3zs2kNS9M83DTFhX Gq3RxBzeXmTkwlWrFv4j4s/ljbbWlVbtE3C88tofYL8meXQjelL3ziEw3chtrqPhOvT5s+ LY/WTFdMefwSZgXa92NZJIJpKzuRBZI= X-MC-Unique: Ze2RsOolMqGbn8oJOZTNXQ-1 From: Michal Privoznik To: libvir-list@redhat.com Subject: [PATCH] virnettlscontext: Generate longer DH keys Date: Mon, 3 Jan 2022 13:01:23 +0100 Message-Id: <3d5fb4a341802e3ad59b1e360026db45f79852a0.1641211092.git.mprivozn@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1641211305765100001 Currently, we generate 2048 bits long DH keys. This may look enough, but it's not very future proof. When system crypto policy is tightened only 3072 or longer keys are valid. From CRYPTO-POLICIES(7): FUTURE A conservative security policy that is believed to withstand any near-term future attacks. ... =E2=80=A2 DH params size: >=3D 3072 =E2=80=A2 RSA keys size: >=3D 3072 This policy corresponds to GNUTLS_SEC_PARAM_HIGH parameters. Therefore, pass that to gnutls_sec_param_to_pk_bits() to get longer key. Signed-off-by: Michal Privoznik Reviewed-by: Martin Kletzander --- Technically, this is a v2 of: https://listman.redhat.com/archives/libvir-list/2021-December/msg00827.html and was already reviewed. I'm sending it here because I've split the original patch into two. The first one, which switches to gnutls_sec_param_to_pk_bits() usage is merged. The second one (this one) which lengthens the key is not. src/rpc/virnettlscontext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c index 55da485f96..f0b1e8f9c1 100644 --- a/src/rpc/virnettlscontext.c +++ b/src/rpc/virnettlscontext.c @@ -718,7 +718,7 @@ static virNetTLSContext *virNetTLSContextNew(const char= *cacert, if (isServer) { unsigned int bits =3D 0; =20 - bits =3D gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARA= M_MEDIUM); + bits =3D gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARA= M_HIGH); if (bits =3D=3D 0) { virReportError(VIR_ERR_SYSTEM_ERROR, "%s", _("Unable to get key length for diffie-hellman = parameters")); --=20 2.34.1