Re: [PATCH] crypto: implement DH primitives under akcipher API

Salvatore Benedetto <salvatore.benedetto@xxxxxxxxx> wrote:

>> > > > +static int dh_check_params_length(unsigned int p_len)
>> > > > +{
>> > > > +       switch (p_len) {
>> > > > +       case 768:
>> > > > +       case 1024:
>> > > > +       case 1536:
>> > > > +       case 2048:
>> > > > +       case 3072:
>> > > > +       case 4096:
>> > > > +               return 0;
>> > > > +       }
>> > > > +       return -EINVAL;
>> > > > +}
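Review bot: the `case 768:` and `case 1024:` arms of this switch accept moduli that the rest of this thread (and the FreeS/WAN project, as far back as 1999) treats as too weak for new code; consider dropping them so the smallest accepted length is 1536 or 2048, depending on the interoperability decision below. Note also that `dh_check_params_length()` sees only `p_len`, so it can only reject odd sizes, not a weak or non-standard modulus of an accepted size; if the intent is to allow only well-known groups (RFC 3526 / RFC 5114), that should be stated in a comment above the function or enforced elsewhere.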
As far back as 1999, the FreeS/WAN project refused to
implement the 768-bit IPsec group 1 (even though it was
the only one required by the RFCs) because it was not thought
secure enough. I think the most-used group was 1536-bit
group 5; it wasn't in the original RFCs but nearly everyone
implemented it.

>> And besides, I would like to disallow all < 2048 right from the start.

I'm not up-to-date on the performance of attacks. You may be right,
or perhaps the minimum should be even higher. Certainly there is
no reason to support 768 or 1024-bit groups.

On the other hand, we should consider keeping the 1536-bit
group since it is very widely used, likely including by people
we'll want to interoperate with.

> Hmm.. What range would you suggest?

There are at least two RFCs which define additional groups.
Why not just add some or all of those?
https://tools.ietf.org/html/rfc3526
https://tools.ietf.org/html/rfc5114