[openssh] Increase the size of the Diffie-Hellman groups requested for a each symmetric key size. New values
plautrba
plautrba at fedoraproject.org
Wed Oct 23 21:14:54 UTC 2013
commit 1f364068334012bb2cdf59ac1c28644941bf234c
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Wed Oct 23 22:41:53 2013 +0200
Increase the size of the Diffie-Hellman groups requested for a each
symmetric key size. New values from NIST Special Publication 800-57 with
the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
djm at . (#1010607)
openssh-6.3p1-increase-size-of-DF-groups.patch | 65 ++++++++++++++++++++++++
openssh.spec | 3 +
2 files changed, 68 insertions(+), 0 deletions(-)
---
diff --git a/openssh-6.3p1-increase-size-of-DF-groups.patch b/openssh-6.3p1-increase-size-of-DF-groups.patch
new file mode 100644
index 0000000..941aa72
--- /dev/null
+++ b/openssh-6.3p1-increase-size-of-DF-groups.patch
@@ -0,0 +1,65 @@
+diff -U0 openssh-6.3p1/ChangeLog.df openssh-6.3p1/ChangeLog
+--- openssh-6.3p1/ChangeLog.df 2013-10-23 22:38:03.476272461 +0200
++++ openssh-6.3p1/ChangeLog 2013-10-23 22:39:46.051788366 +0200
+@@ -0,0 +1,8 @@
++20131010
++ - dtucker at cvs.openbsd.org 2013/10/08 11:42:13
++ [dh.c dh.h]
++ Increase the size of the Diffie-Hellman groups requested for a each
++ symmetric key size. New values from NIST Special Publication 800-57 with
++ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
++ djm at .
++
+diff -up openssh-6.3p1/dh.c.df openssh-6.3p1/dh.c
+--- openssh-6.3p1/dh.c.df 2013-07-18 08:12:07.000000000 +0200
++++ openssh-6.3p1/dh.c 2013-10-23 22:38:03.476272461 +0200
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
++/* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */
+ /*
+ * Copyright (c) 2000 Niels Provos. All rights reserved.
+ *
+@@ -352,17 +352,20 @@ dh_new_group14(void)
+
+ /*
+ * Estimates the group order for a Diffie-Hellman group that has an
+- * attack complexity approximately the same as O(2**bits). Estimate
+- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
++ * attack complexity approximately the same as O(2**bits).
++ * Values from NIST Special Publication 800-57: Recommendation for Key
++ * Management Part 1 (rev 3) limited by the recommended maximum value
++ * from RFC4419 section 3.
+ */
+
+ int
+ dh_estimate(int bits)
+ {
+-
++ if (bits <= 112)
++ return 2048;
+ if (bits <= 128)
+- return (1024); /* O(2**86) */
++ return 3072;
+ if (bits <= 192)
+- return (2048); /* O(2**116) */
+- return (4096); /* O(2**156) */
++ return 7680;
++ return 8192;
+ }
+diff -up openssh-6.3p1/dh.h.df openssh-6.3p1/dh.h
+--- openssh-6.3p1/dh.h.df 2008-06-29 14:47:04.000000000 +0200
++++ openssh-6.3p1/dh.h 2013-10-23 22:38:03.476272461 +0200
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
++/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
+
+ /*
+ * Copyright (c) 2000 Niels Provos. All rights reserved.
+@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
+
+ int dh_estimate(int);
+
++/* Min and max values from RFC4419. */
+ #define DH_GRP_MIN 1024
+ #define DH_GRP_MAX 8192
+
diff --git a/openssh.spec b/openssh.spec
index d829fba..acf7d0e 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -178,6 +178,8 @@ Patch900: openssh-6.1p1-gssapi-canohost.patch
Patch901: openssh-6.3p1-kuserok.patch
# use default_ccache_name from /etc/krb5.conf (#991186)
Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
+# increase the size of the Diffie-Hellman groups (#1010607)
+Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch
License: BSD
@@ -398,6 +400,7 @@ popd
%patch900 -p1 -b .canohost
%patch901 -p1 -b .kuserok
%patch902 -p1 -b .ccache_name
+%patch903 -p1 -b .dh
%if 0
# Nothing here yet
More information about the scm-commits
mailing list