From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 21 Dec 2021 09:04:21 +0000 (+0100)
Subject: virnettlscontext: Don't pass static key length to gnutls_dh_params_generate2()
X-Git-Tag: v8.0.0-rc1~86
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b77b194069f048e6efdaf5d363098ae039dc4f5;p=thirdparty%2Flibvirt.git

virnettlscontext: Don't pass static key length to gnutls_dh_params_generate2()

As encryption norms get more strict it's easy to fall on the
insecure side. For instance, so far we are generating 2048 bits
long prime for Diffie-Hellman keys. Some systems consider this
not long enough. While we may just keep increasing the value
passed to the corresponding gnutls_* function, that is not well
maintainable. Instead, we may do what's recommended in the
gnutls_* manpage. From gnutls_dh_params_generate2(3):

  It is recommended not to set the number of bits directly, but
  use gnutls_sec_param_to_pk_bits() instead.

Looking into the gnutls_sec_param_to_pk_bits() then [1], 2048
bits corresponds to parameter MEDIUM.

1: https://www.gnutls.org/manual/gnutls.html#tab_003akey_002dsizes

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ani Sinha <ani@anisinha.ca>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---

diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 3b6687e7f4..55da485f96 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -38,8 +38,6 @@
 #include "virthread.h"
 #include "configmake.h"
 
-#define DH_BITS 2048
-
 #define LIBVIRT_PKI_DIR SYSCONFDIR "/pki"
 #define LIBVIRT_CACERT LIBVIRT_PKI_DIR "/CA/cacert.pem"
 #define LIBVIRT_CACRL LIBVIRT_PKI_DIR "/CA/cacrl.pem"
@@ -718,6 +716,15 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
      * security requirements.
      */
     if (isServer) {
+        unsigned int bits = 0;
+
+        bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
+        if (bits == 0) {
+            virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
+                           _("Unable to get key length for diffie-hellman parameters"));
+            goto error;
+        }
+
         err = gnutls_dh_params_init(&ctxt->dhParams);
         if (err < 0) {
             virReportError(VIR_ERR_SYSTEM_ERROR,
@@ -725,7 +732,7 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert,
                            gnutls_strerror(err));
             goto error;
         }
-        err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
+        err = gnutls_dh_params_generate2(ctxt->dhParams, bits);
         if (err < 0) {
             virReportError(VIR_ERR_SYSTEM_ERROR,
                            _("Unable to generate diffie-hellman parameters: %s"),