1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 09:27:59 +00:00

Change priority of new Diffie-Hellman groups.

In the initial commit 031d86ed5b that introduced them, I
accidentally put them below the 'warn about insecurity' line, which I
didn't mean to. Moved them up to just above the existing group14.

Also, I've arranged them in a slightly weird order, so that the most
preferred group of this collection is the medium-sized group16,
followed by the larger ones (17 and 18) and then the smaller 15.
Rationale: larger is better _until_ it starts costing way too much CPU
time, and group18 can grind quite painfully on a slow machine. (And of
course users are free to reconfigure if they have different
preferences.)

This isn't really ideal, of course. The idea that you might not want
to use group18 *because it's slow* contradicts the basic concept of
PuTTY's current crypto-preferences UI, which assumes that you rank
things by security, which is why there's a dividing line below which
things are assumed insecure. I hope that in a future release we'll
rework the UI so that you can express more subtle ideas of what crypto
you do and don't like. But this will do for the moment.

The GSS versions of the same DH methods are reordered similarly.
This commit is contained in:
Simon Tatham 2022-09-12 09:11:37 +01:00
parent bbd46afd91
commit 258a36be31
2 changed files with 11 additions and 6 deletions

View File

@ -272,9 +272,9 @@ static const ssh_kex ssh_gssk5_diffiehellman_group14_sha256 = {
}; };
static const ssh_kex *const gssk5_sha2_kex_list[] = { static const ssh_kex *const gssk5_sha2_kex_list[] = {
&ssh_gssk5_diffiehellman_group18_sha512,
&ssh_gssk5_diffiehellman_group17_sha512,
&ssh_gssk5_diffiehellman_group16_sha512, &ssh_gssk5_diffiehellman_group16_sha512,
&ssh_gssk5_diffiehellman_group17_sha512,
&ssh_gssk5_diffiehellman_group18_sha512,
&ssh_gssk5_diffiehellman_group15_sha512, &ssh_gssk5_diffiehellman_group15_sha512,
&ssh_gssk5_diffiehellman_group14_sha256, &ssh_gssk5_diffiehellman_group14_sha256,
}; };

View File

@ -33,15 +33,20 @@ static const struct keyvalwhere kexnames[] = {
{ "ecdh", KEX_ECDH, -1, +1 }, { "ecdh", KEX_ECDH, -1, +1 },
/* This name is misleading: it covers both SHA-256 and SHA-1 variants */ /* This name is misleading: it covers both SHA-256 and SHA-1 variants */
{ "dh-gex-sha1", KEX_DHGEX, -1, -1 }, { "dh-gex-sha1", KEX_DHGEX, -1, -1 },
{ "dh-group18-sha512", KEX_DHGROUP18, -1, -1 },
{ "dh-group17-sha512", KEX_DHGROUP17, -1, -1 },
{ "dh-group16-sha512", KEX_DHGROUP16, -1, -1 },
{ "dh-group15-sha512", KEX_DHGROUP15, -1, -1 },
/* Again, this covers both SHA-256 and SHA-1, despite the name: */ /* Again, this covers both SHA-256 and SHA-1, despite the name: */
{ "dh-group14-sha1", KEX_DHGROUP14, -1, -1 }, { "dh-group14-sha1", KEX_DHGROUP14, -1, -1 },
/* This one really is only SHA-1, though: */ /* This one really is only SHA-1, though: */
{ "dh-group1-sha1", KEX_DHGROUP1, KEX_WARN, +1 }, { "dh-group1-sha1", KEX_DHGROUP1, KEX_WARN, +1 },
{ "rsa", KEX_RSA, KEX_WARN, -1 }, { "rsa", KEX_RSA, KEX_WARN, -1 },
/* Larger fixed DH groups: prefer the larger 15 and 16 over 14,
* but by default the even larger 17 and 18 go below 16.
* Rationale: diminishing returns of improving the DH strength are
* outweighed by increased CPU cost. Group 18 is painful on a slow
* machine. Users can override if they need to. */
{ "dh-group15-sha512", KEX_DHGROUP15, KEX_DHGROUP14, -1 },
{ "dh-group16-sha512", KEX_DHGROUP16, KEX_DHGROUP15, -1 },
{ "dh-group17-sha512", KEX_DHGROUP17, KEX_DHGROUP16, +1 },
{ "dh-group18-sha512", KEX_DHGROUP18, KEX_DHGROUP17, +1 },
{ "WARN", KEX_WARN, -1, -1 } { "WARN", KEX_WARN, -1, -1 }
}; };