Increase the size of the Diffie-Hellman groups requested for a each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by RFC4419. Pointed out by Peter Backes, ok djm@. (#1010607)
This commit is contained in:
Petr Lautrbach
parent
c7eccad288
commit
05765c1225
59
openssh-6.1p1-increase-size-of-DF-groups.patch
Normal file
59
openssh-6.1p1-increase-size-of-DF-groups.patch
Normal file
@ -0,0 +1,59 @@
|
||||
diff -U0 openssh-6.2p2/ChangeLog.dh openssh-6.2p2/ChangeLog
|
||||
--- openssh-6.2p2/ChangeLog.dh 2013-11-18 12:14:09.662240103 +0100
|
||||
+++ openssh-6.2p2/ChangeLog 2013-11-18 12:14:09.665240089 +0100
|
||||
@@ -0,0 +1,8 @@
|
||||
+20131010
|
||||
+ - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
|
||||
+ [dh.c dh.h]
|
||||
+ Increase the size of the Diffie-Hellman groups requested for a each
|
||||
+ symmetric key size. New values from NIST Special Publication 800-57 with
|
||||
+ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
|
||||
+ djm@.
|
||||
+
|
||||
diff -up openssh-6.2p2/dh.c.dh openssh-6.2p2/dh.c
|
||||
--- openssh-6.2p2/dh.c.dh 2011-12-19 00:52:52.000000000 +0100
|
||||
+++ openssh-6.2p2/dh.c 2013-11-18 12:14:09.665240089 +0100
|
||||
@@ -332,17 +332,20 @@ dh_new_group14(void)
|
||||
|
||||
/*
|
||||
* Estimates the group order for a Diffie-Hellman group that has an
|
||||
- * attack complexity approximately the same as O(2**bits). Estimate
|
||||
- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
|
||||
+ * attack complexity approximately the same as O(2**bits).
|
||||
+ * Values from NIST Special Publication 800-57: Recommendation for Key
|
||||
+ * Management Part 1 (rev 3) limited by the recommended maximum value
|
||||
+ * from RFC4419 section 3.
|
||||
*/
|
||||
|
||||
int
|
||||
dh_estimate(int bits)
|
||||
{
|
||||
-
|
||||
+ if (bits <= 112)
|
||||
+ return 2048;
|
||||
if (bits <= 128)
|
||||
- return (1024); /* O(2**86) */
|
||||
+ return 3072;
|
||||
if (bits <= 192)
|
||||
- return (2048); /* O(2**116) */
|
||||
- return (4096); /* O(2**156) */
|
||||
+ return 7680;
|
||||
+ return 8192;
|
||||
}
|
||||
diff -up openssh-6.2p2/dh.h.dh openssh-6.2p2/dh.h
|
||||
--- openssh-6.2p2/dh.h.dh 2008-06-29 14:47:04.000000000 +0200
|
||||
+++ openssh-6.2p2/dh.h 2013-11-18 12:14:09.665240089 +0100
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
|
||||
+/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
|
||||
|
||||
int dh_estimate(int);
|
||||
|
||||
+/* Min and max values from RFC4419. */
|
||||
#define DH_GRP_MIN 1024
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
@ -216,6 +216,8 @@ Patch904: openssh-6.1p1-change-max-startups.patch
|
||||
Patch908: openssh-6.1p1-sftp-multibyte.patch
|
||||
# don't show Success for EAI_SYSTEM (#985964)
|
||||
Patch909: openssh-6.1p1-ssh_gai_strerror.patch
|
||||
# increase the size of the Diffie-Hellman groups (#1010607)
|
||||
Patch910: openssh-6.1p1-increase-size-of-DF-groups.patch
|
||||
|
||||
|
||||
License: BSD
|
||||
@ -460,6 +462,7 @@ popd
|
||||
%patch904 -p1 -b .max-startups
|
||||
%patch908 -p1 -b .sftp-multibyte
|
||||
%patch909 -p1 -b .ssh_gai_strerror
|
||||
%patch910 -p1 -b .dh
|
||||
|
||||
%if 0
|
||||
# Nothing here yet
|
||||
|
||||
Loading…
Reference in New Issue
Block a user