Salvatore Benedetto <salvatore.benedetto@xxxxxxxxx> wrote:

>> > > > +static int dh_check_params_length(unsigned int p_len)
>> > > > +{
>> > > > + switch (p_len) {
>> > > > + case 768:
>> > > > + case 1024:
>> > > > + case 1536:
>> > > > + case 2048:
>> > > > + case 3072:
>> > > > + case 4096:
>> > > > + return 0;
>> > > > + }
>> > > > + return -EINVAL;
>> > > > +}

As far back as 1999, the FreeS/WAN project refused to implement the
768-bit IPsec group 1 (even though it was the only one required by the
RFCs) because it was not thought secure enough. I think the most-used
group was 1536-bit group 5; it wasn't in the original RFCs but nearly
everyone implemented it.

>> And besides, I would like to disallow all < 2048 right from the start.

I'm not up-to-date on the performance of attacks. You may be right, or
perhaps the minimum should be even higher. Certainly there is no reason
to support 768 or 1024-bit groups. On the other hand, we should consider
keeping the 1536-bit group since it is very widely used, likely
including by people we'll want to interoperate with.

> Hmm.. What range would you suggest?

There are at least two RFCs which define additional groups. Why not
just add some or all of those?

https://tools.ietf.org/html/rfc3526
https://tools.ietf.org/html/rfc5114

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
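Review bot: the `case 768:` and `case 1024:` arms in `dh_check_params_length()` accept sizes that both sides of this thread regard as not secure enough; the reply's suggestion amounts to deleting those two arms, keeping `case 1536:` for interoperability with existing peers, and taking the remaining sizes from the RFC 3526 / RFC 5114 groups it links. A second point on the same hunk: the function receives only `p_len`, so it whitelists a bit length, not a group; any odd or even value of an accepted length returns 0. If the intent is to accept only the standard groups, the caller still needs a comparison of `p` against the group primes (or at minimum a primality check on `p`) in addition to this length check, and a comment saying which of the two policies is intended would help.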
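As an added example (not code from this thread or from the kernel patch), the following contrasts a length-only whitelist like `dh_check_params_length()` with a check that also validates the prime. The size set `ALLOWED_P_BITS` is an assumption following the reply above (768 and 1024 dropped, 1536 kept, 2048 and up accepted); the 2048-bit prime is RFC 3526 group 14 with generator 2, and the rejected inputs are constructed values whose only property is having an accepted bit length.

```python
# Added example: length-only DH parameter check versus validating the prime.
# Not part of the linux-crypto thread or the kernel patch under discussion.
import secrets

# Assumed policy taken from the reply: drop 768/1024, keep 1536, accept 2048+.
ALLOWED_P_BITS = frozenset({1536, 2048, 3072, 4096})

# RFC 3526 group 14 (2048-bit MODP) prime; its generator is 2.
GROUP14_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
GROUP14_P = int("".join(GROUP14_HEX.split()), 16)
GROUP14_G = 2


def length_only_check(p: int) -> bool:
    """Equivalent of the patch's switch on p_len: only the bit length is tested."""
    return p.bit_length() in ALLOWED_P_BITS


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; a composite n passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random witness in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def check_dh_params(p: int, g: int) -> str:
    """Return "ok" or the first reason the (p, g) pair is rejected."""
    if p.bit_length() not in ALLOWED_P_BITS:
        return "p length not allowed"
    if p % 2 == 0:
        return "p is even"
    if not is_probable_prime(p):
        return "p is not prime"
    q = (p - 1) // 2           # for a safe prime, q is prime and g should have order q
    if not is_probable_prime(q):
        return "p is not a safe prime"
    if not 1 < g < p - 1:
        return "g out of range"
    if pow(g, q, p) != 1:
        return "g does not generate the order-q subgroup"
    return "ok"


if __name__ == "__main__":
    # Constructed inputs, all 2048 bits long so the length-only check accepts them.
    samples = (
        ("2^2047 (even)", 1 << 2047),
        ("2^2047 + 1 (divisible by 3)", (1 << 2047) + 1),
        ("RFC 3526 group 14", GROUP14_P),
    )
    for label, p in samples:
        print(f"{label}: length_only={length_only_check(p)} "
              f"full={check_dh_params(p, GROUP14_G)}")
```

The two constructed 2048-bit values pass `length_only_check` and are rejected by `check_dh_params`; only the RFC 3526 prime with its generator returns "ok", which is the difference between whitelisting a length and whitelisting a group.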