From 30810a1795f1098bd130f24c8f62ef873a237077 Mon Sep 17 00:00:00 2001
From: Ilya Maximets <i.maximets@ovn.org>
Date: Mon, 9 Dec 2024 17:38:51 +0100
Subject: [PATCH] ovs-pki: Use 3072-bit keys by default and drop 1024-bit ones.

NIST Special Publication 800-57 Part 1 Revision 5 "Recommendation for
Key Management" [1] estimates 2024-bit RSA keys as having 112 bits of
security strength.  At the same time keys with 112 bits of security
strength are deemed acceptable only through 2030 and disallowed after
that year.

Let's be safe and generate 3072-bit keys by default.  These should
have 128 bits of security strength and are allowed after 2030.

Also, 1024-bit keys are estimated to have only 80 bits of security
strength and are generally disallowed today.  Let's not allow creation
of such keys by default.

[1] https://doi.org/10.6028/NIST.SP.800-57pt1r5

Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Signed-off-by: 0-day Robot <robot@bytheb.org>
---
 NEWS                 | 1 +
 utilities/ovs-pki.in | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 115b18b8bc6..e422b876afe 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,7 @@ Post-v3.4.0
          - "TLSv1-TLSv1.2" to enable all protocols between TLSv1 and TLSv1.2.
          - "TLSv1.2+" to enable protocol TLSv1.2 and later.
        The value must be a list of protocols or exactly one protocol range.
+     * ovs-pki now generates 3072-bit keys by default.
    - Userspace datapath:
      * The default zone limit, if set, is now inherited by any zone
        that does not have a specific value defined, rather than being
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 69060b4ace4..f1b101b0f37 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -24,7 +24,7 @@ batch=no
 unique_name=no
 log='@LOGDIR@/ovs-pki.log'
 keytype=rsa
-bits=2048
+bits=3072
 
 # OS-specific compatibility routines
 case $(uname -s) in
@@ -171,7 +171,7 @@ Each TYPE above is a certificate type: 'switch' (default) or 'controller'.
 
 Options for 'init', 'req', and 'req+sign' only:
   -k, --key=rsa|dsa    Type of keys to use (default: rsa)
-  -B, --bits=NBITS     Number of bits in keys (default: 2048).  For DSA keys,
+  -B, --bits=NBITS     Number of bits in keys (default: $bits).  For DSA keys,
                          this has an effect only on 'init'.
   -D, --dsaparam=FILE  File with DSA parameters (DSA only)
                          (default: dsaparam.pem within PKI directory)
@@ -263,8 +263,8 @@ if test "$keytype" != rsa && test "$keytype" != dsa; then
     echo "$0: argument to -k or --key must be rsa or dsa" >&2
     exit 1
 fi
-if test "$bits" -lt 1024; then
-    echo "$0: argument to -B or --bits must be at least 1024" >&2
+if test "$bits" -lt 2048; then
+    echo "$0: argument to -B or --bits must be at least 2048" >&2
     exit 1
 fi
 if test -z "$dsaparam"; then