[PATCH 0/2] gnutls: Be more clever about DH key size

Michal Privoznik posted 2 patches 2 years, 3 months ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/cover.1640096347.git.mprivozn@redhat.com
Posted by Michal Privoznik 2 years, 3 months ago
See 2/2 for explanation.

Ideally, we wouldn't use gnutls_dh_params_generate2() at all, per [1].
But that would require bumping minimal required version to gnutls-3.6.0
and I'm not sure how available it is in OSes we support. Therefore, for
now let's stick with patch 2/2.

1: https://www.gnutls.org/manual/html_node/Parameter-generation.html

Michal Prívozník (2):
  virnettlscontext: Drop gnutls_dh_set_prime_bits()
  virnettlscontext: Don't pass static key length to
    gnutls_dh_params_generate2()

 src/rpc/virnettlscontext.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

-- 
2.32.0

Re: [PATCH 0/2] gnutls: Be more clever about DH key size
Posted by Martin Kletzander 2 years, 3 months ago
On Tue, Dec 21, 2021 at 03:22:57PM +0100, Michal Privoznik wrote:
>See 2/2 for explanation.
>
>Ideally, we wouldn't use gnutls_dh_params_generate2() at all, per [1].
>But that would require bumping minimal required version to gnutls-3.6.0
>and I'm not sure how available it is in OSes we support. Therefore, for

As far as I can tell from repology.org all the major distros have 3.6.x
in more than one version and definitely all those that we have in the
CI, so I'd say bump that.

>now let's stick with patch 2/2.
>
>1: https://www.gnutls.org/manual/html_node/Parameter-generation.html
>
>Michal Prívozník (2):
>  virnettlscontext: Drop gnutls_dh_set_prime_bits()
>  virnettlscontext: Don't pass static key length to
>    gnutls_dh_params_generate2()
>
> src/rpc/virnettlscontext.c | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
>-- 
>2.32.0
>
Re: [PATCH 0/2] gnutls: Be more clever about DH key size
Posted by Ján Tomko 2 years, 3 months ago
On a Wednesday in 2021, Martin Kletzander wrote:
>On Tue, Dec 21, 2021 at 03:22:57PM +0100, Michal Privoznik wrote:
>>See 2/2 for explanation.
>>
>>Ideally, we wouldn't use gnutls_dh_params_generate2() at all, per [1].
>>But that would require bumping minimal required version to gnutls-3.6.0
>>and I'm not sure how available it is in OSes we support. Therefore, for
>
>As far as I can tell from repology.org all the major distros have 3.6.x
>in more than one version and definitely all those that we have in the
>CI, so I'd say bump that.
>

There's Ubuntu 18.04 with 3.5.18.

But we could #ifndef the old code out and use the pre-generated
parameters on every other distro, as recommended.

Jano
Re: [PATCH 0/2] gnutls: Be more clever about DH key size
Posted by Martin Kletzander 2 years, 3 months ago
On Wed, Dec 22, 2021 at 02:14:59PM +0100, Ján Tomko wrote:
>On a Wednesday in 2021, Martin Kletzander wrote:
>>On Tue, Dec 21, 2021 at 03:22:57PM +0100, Michal Privoznik wrote:
>>>See 2/2 for explanation.
>>>
>>>Ideally, we wouldn't use gnutls_dh_params_generate2() at all, per [1].
>>>But that would require bumping minimal required version to gnutls-3.6.0
>>>and I'm not sure how available it is in OSes we support. Therefore, for
>>
>>As far as I can tell from repology.org all the major distros have 3.6.x
>>in more than one version and definitely all those that we have in the
>>CI, so I'd say bump that.
>>
>
>There's Ubuntu 18.04 with 3.5.18.
>

And we consider only LTS, so we can drop that in April when 20.04 is out
for 2 years.  I finally found the exact spelling in docs/platform.rst
(available online at https://libvirt.org/platforms.html as well) which I
always struggle to find.

>But we could #ifndef the old code out and use the pre-generated
>parameters on every other distro, as recommended.
>

Since counting the bits is so discouraged I would also prefer this
option with the hopes for us remembering to remove that.

Actually, can we have like a commit hook that would check current date
against some file in the repository and just let us know that there
might be something to remove? O:-)

>Jano