From 258a36be315436d050d1096d97ed4b668ece4593 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Mon, 12 Sep 2022 09:11:37 +0100 Subject: [PATCH] Change priority of new Diffie-Hellman groups. In the initial commit 031d86ed5ba4dd4 that introduced them, I accidentally put them below the 'warn about insecurity' line, which I didn't mean to. Moved them up to just above the existing group14. Also, I've arranged them in a slightly weird order, so that the most preferred group of this collection is the medium-sized group16, followed by the larger ones (17 and 18) and then the smaller 15. Rationale: larger is better _until_ it starts costing way too much CPU time, and group18 can grind quite painfully on a slow machine. (And of course users are free to reconfigure if they have different preferences.) This isn't really ideal, of course. The idea that you might not want to use group18 *because it's slow* contradicts the basic concept of PuTTY's current crypto-preferences UI, which assumes that you rank things by security, which is why there's a dividing line below which things are assumed insecure. I hope that in a future release we'll rework the UI so that you can express more subtle ideas of what crypto you do and don't like. But this will do for the moment. The GSS versions of the same DH methods are reordered similarly. --- crypto/diffie-hellman.c | 4 ++-- settings.c | 13 +++++++++---- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/crypto/diffie-hellman.c b/crypto/diffie-hellman.c index bf262f2d..4da2d471 100644 --- a/crypto/diffie-hellman.c +++ b/crypto/diffie-hellman.c @@ -272,9 +272,9 @@ static const ssh_kex ssh_gssk5_diffiehellman_group14_sha256 = { }; static const ssh_kex *const gssk5_sha2_kex_list[] = { - &ssh_gssk5_diffiehellman_group18_sha512, - &ssh_gssk5_diffiehellman_group17_sha512, &ssh_gssk5_diffiehellman_group16_sha512, + &ssh_gssk5_diffiehellman_group17_sha512, + &ssh_gssk5_diffiehellman_group18_sha512, &ssh_gssk5_diffiehellman_group15_sha512, &ssh_gssk5_diffiehellman_group14_sha256, }; diff --git a/settings.c b/settings.c index 44ec1978..cd286eb4 100644 --- a/settings.c +++ b/settings.c @@ -33,15 +33,20 @@ static const struct keyvalwhere kexnames[] = { { "ecdh", KEX_ECDH, -1, +1 }, /* This name is misleading: it covers both SHA-256 and SHA-1 variants */ { "dh-gex-sha1", KEX_DHGEX, -1, -1 }, - { "dh-group18-sha512", KEX_DHGROUP18, -1, -1 }, - { "dh-group17-sha512", KEX_DHGROUP17, -1, -1 }, - { "dh-group16-sha512", KEX_DHGROUP16, -1, -1 }, - { "dh-group15-sha512", KEX_DHGROUP15, -1, -1 }, /* Again, this covers both SHA-256 and SHA-1, despite the name: */ { "dh-group14-sha1", KEX_DHGROUP14, -1, -1 }, /* This one really is only SHA-1, though: */ { "dh-group1-sha1", KEX_DHGROUP1, KEX_WARN, +1 }, { "rsa", KEX_RSA, KEX_WARN, -1 }, + /* Larger fixed DH groups: prefer the larger 15 and 16 over 14, + * but by default the even larger 17 and 18 go below 16. + * Rationale: diminishing returns of improving the DH strength are + * outweighed by increased CPU cost. Group 18 is painful on a slow + * machine. Users can override if they need to. */ + { "dh-group15-sha512", KEX_DHGROUP15, KEX_DHGROUP14, -1 }, + { "dh-group16-sha512", KEX_DHGROUP16, KEX_DHGROUP15, -1 }, + { "dh-group17-sha512", KEX_DHGROUP17, KEX_DHGROUP16, +1 }, + { "dh-group18-sha512", KEX_DHGROUP18, KEX_DHGROUP17, +1 }, { "WARN", KEX_WARN, -1, -1 } };