Change priority of new Diffie-Hellman groups.

In the initial commit 031d86ed5b that introduced them, I accidentally put them below the 'warn about insecurity' line, which I didn't mean to. Moved them up to just above the existing group14. Also, I've arranged them in a slightly weird order, so that the most preferred group of this collection is the medium-sized group16, followed by the larger ones (17 and 18) and then the smaller 15. Rationale: larger is better _until_ it starts costing way too much CPU time, and group18 can grind quite painfully on a slow machine. (And of course users are free to reconfigure if they have different preferences.) This isn't really ideal, of course. The idea that you might not want to use group18 *because it's slow* contradicts the basic concept of PuTTY's current crypto-preferences UI, which assumes that you rank things by security, which is why there's a dividing line below which things are assumed insecure. I hope that in a future release we'll rework the UI so that you can express more subtle ideas of what crypto you do and don't like. But this will do for the moment. The GSS versions of the same DH methods are reordered similarly.
2025-01-09 01:18:00 +00:00 · 2022-09-12 09:11:37 +01:00 · 2022-09-12 09:11:37 +01:00 · 258a36be31
commit 258a36be31
parent bbd46afd91
2 changed files with 11 additions and 6 deletions
--- a/crypto/diffie-hellman.c
+++ b/crypto/diffie-hellman.c
@ -272,9 +272,9 @@ static const ssh_kex ssh_gssk5_diffiehellman_group14_sha256 = {
 };

 static const ssh_kex *const gssk5_sha2_kex_list[] = {
-    &ssh_gssk5_diffiehellman_group18_sha512,
-    &ssh_gssk5_diffiehellman_group17_sha512,
    &ssh_gssk5_diffiehellman_group16_sha512,
+    &ssh_gssk5_diffiehellman_group17_sha512,
+    &ssh_gssk5_diffiehellman_group18_sha512,
    &ssh_gssk5_diffiehellman_group15_sha512,
    &ssh_gssk5_diffiehellman_group14_sha256,
 };
--- a/settings.c
+++ b/settings.c
@ -33,15 +33,20 @@ static const struct keyvalwhere kexnames[] = {
    { "ecdh",               KEX_ECDH,       -1, +1 },
    /* This name is misleading: it covers both SHA-256 and SHA-1 variants */
    { "dh-gex-sha1",        KEX_DHGEX,      -1, -1 },
-    { "dh-group18-sha512",  KEX_DHGROUP18,  -1, -1 },
-    { "dh-group17-sha512",  KEX_DHGROUP17,  -1, -1 },
-    { "dh-group16-sha512",  KEX_DHGROUP16,  -1, -1 },
-    { "dh-group15-sha512",  KEX_DHGROUP15,  -1, -1 },
    /* Again, this covers both SHA-256 and SHA-1, despite the name: */
    { "dh-group14-sha1",    KEX_DHGROUP14,  -1, -1 },
    /* This one really is only SHA-1, though: */
    { "dh-group1-sha1",     KEX_DHGROUP1,   KEX_WARN, +1 },
    { "rsa",                KEX_RSA,        KEX_WARN, -1 },
+    /* Larger fixed DH groups: prefer the larger 15 and 16 over 14,
+     * but by default the even larger 17 and 18 go below 16.
+     * Rationale: diminishing returns of improving the DH strength are
+     * outweighed by increased CPU cost. Group 18 is painful on a slow
+     * machine. Users can override if they need to. */
+    { "dh-group15-sha512",  KEX_DHGROUP15,  KEX_DHGROUP14, -1 },
+    { "dh-group16-sha512",  KEX_DHGROUP16,  KEX_DHGROUP15, -1 },
+    { "dh-group17-sha512",  KEX_DHGROUP17,  KEX_DHGROUP16, +1 },
+    { "dh-group18-sha512",  KEX_DHGROUP18,  KEX_DHGROUP17, +1 },
    { "WARN",               KEX_WARN,       -1, -1 }
 };