From: Ben Pfaff <blp@nicira.com>
Date: Wed, 19 Mar 2008 16:37:11 +0000 (-0700)
Subject: Remove support for 512- and 1024-bit Diffie-Hellman.
X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc1ff3f88a7e7fcc0881e8355d50cabee0037c37;p=openvswitch

Remove support for 512- and 1024-bit Diffie-Hellman.

As Justin points out, these key lengths are too low-security to be acceptable
any longer.
---

diff --git a/lib/Makefile.am b/lib/Makefile.am
index 1ef8bd03..58b9b9e5 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -30,10 +30,8 @@ if HAVE_OPENSSL
 libopenflow_la_SOURCES += \
 	vconn-ssl.c \
 	dhparams.c
-dhparams.c: dh512.pem dh1024.pem dh2048.pem dh4096.pem
+dhparams.c: dh2048.pem dh4096.pem
 	(echo '#include "dhparams.h"' &&			\
-	 openssl dhparam -C -in $(srcdir)/dh512.pem -noout &&	\
-	 openssl dhparam -C -in $(srcdir)/dh1024.pem -noout &&	\
 	 openssl dhparam -C -in $(srcdir)/dh2048.pem -noout &&	\
 	 openssl dhparam -C -in $(srcdir)/dh4096.pem -noout)	\
 	| sed 's/\(get_dh[0-9]*\)()/\1(void)/' > dhparams.c.tmp
diff --git a/lib/dh1024.pem b/lib/dh1024.pem
deleted file mode 100644
index 6eaeca9b..00000000
--- a/lib/dh1024.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
-jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
-ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC
------END DH PARAMETERS-----
-
-These are the 1024 bit DH parameters from "Assigned Number for SKIP Protocols"
-(http://www.skip-vpn.org/spec/numbers.html).
-See there for how they were generated.
-Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/lib/dh512.pem b/lib/dh512.pem
deleted file mode 100644
index 200d16cd..00000000
--- a/lib/dh512.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN DH PARAMETERS-----
-MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
-XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
------END DH PARAMETERS-----
-
-These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
-(http://www.skip-vpn.org/spec/numbers.html).
-See there for how they were generated.
-Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/lib/dhparams.h b/lib/dhparams.h
index 75e0ebee..0daeb55f 100644
--- a/lib/dhparams.h
+++ b/lib/dhparams.h
@@ -3,8 +3,6 @@
 
 #include <openssl/dh.h>
 
-DH *get_dh512(void);
-DH *get_dh1024(void);
 DH *get_dh2048(void);
 DH *get_dh4096(void);
 
diff --git a/lib/vconn-ssl.c b/lib/vconn-ssl.c
index 32c61f12..e243b3c9 100644
--- a/lib/vconn-ssl.c
+++ b/lib/vconn-ssl.c
@@ -673,8 +673,6 @@ tmp_dh_callback(SSL *ssl, int is_export UNUSED, int keylength)
     };
 
     static struct dh dh_table[] = {
-        {512, NULL, get_dh512},
-        {1024, NULL, get_dh1024},
         {2048, NULL, get_dh2048},
         {4096, NULL, get_dh4096},
     };