From: Ben Pfaff
Date: Wed, 19 Mar 2008 16:37:11 +0000 (-0700)
Subject: Remove support for 512- and 1024-bit Diffie-Hellman.
X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc1ff3f88a7e7fcc0881e8355d50cabee0037c37;p=openvswitch
Remove support for 512- and 1024-bit Diffie-Hellman.
As Justin points out, these key lengths are too low-security to be acceptable any longer.
---
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 1ef8bd03..58b9b9e5 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -30,10 +30,8 @@ if HAVE_OPENSSL
 libopenflow_la_SOURCES += \
 vconn-ssl.c \
 dhparams.c
-dhparams.c: dh512.pem dh1024.pem dh2048.pem dh4096.pem
+dhparams.c: dh2048.pem dh4096.pem
 (echo '#include "dhparams.h"' && \
- openssl dhparam -C -in $(srcdir)/dh512.pem -noout && \
- openssl dhparam -C -in $(srcdir)/dh1024.pem -noout && \
 openssl dhparam -C -in $(srcdir)/dh2048.pem -noout && \
 openssl dhparam -C -in $(srcdir)/dh4096.pem -noout) \
 | sed 's/\(get_dh[0-9]*\)()/\1(void)/' > dhparams.c.tmp
diff --git a/lib/dh1024.pem b/lib/dh1024.pem
deleted file mode 100644
index 6eaeca9b..00000000
--- a/lib/dh1024.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6 ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC
------END DH PARAMETERS-----
-
-These are the 1024 bit DH parameters from "Assigned Number for SKIP Protocols"
-(http://www.skip-vpn.org/spec/numbers.html).
-See there for how they were generated.
-Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/lib/dh512.pem b/lib/dh512.pem
deleted file mode 100644
index 200d16cd..00000000
--- a/lib/dh512.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN DH PARAMETERS-----
-MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
------END DH PARAMETERS-----
-
-These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
-(http://www.skip-vpn.org/spec/numbers.html).
-See there for how they were generated.
-Note that g is not a generator, but this is not a problem since p is a safe prime.
diff --git a/lib/dhparams.h b/lib/dhparams.h
index 75e0ebee..0daeb55f 100644
--- a/lib/dhparams.h
+++ b/lib/dhparams.h
@@ -3,8 +3,6 @@
 #include
-DH *get_dh512(void);
-DH *get_dh1024(void);
 DH *get_dh2048(void);
 DH *get_dh4096(void);
diff --git a/lib/vconn-ssl.c b/lib/vconn-ssl.c
index 32c61f12..e243b3c9 100644
--- a/lib/vconn-ssl.c
+++ b/lib/vconn-ssl.c
@@ -673,8 +673,6 @@ tmp_dh_callback(SSL *ssl, int is_export UNUSED, int keylength)
 };
 static struct dh dh_table[] = {
- {512, NULL, get_dh512},
- {1024, NULL, get_dh1024},
 {2048, NULL, get_dh2048},
 {4096, NULL, get_dh4096},
 };
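Review bot: The dh_table initializer in the vconn-ssl.c hunk now offers nothing below 2048 bits, but no comment records that this floor is intentional, and the lookup that consumes keylength (the rest of tmp_dh_callback, which continues past the end of the hunk) is not visible here, so a reader cannot tell whether a keylength request of 512 or 1024, which OpenSSL may still pass for export-grade suites, now falls back to the 2048-bit entry or fails the handshake. A comment above the table such as `/* 512- and 1024-bit groups were removed on purpose: too weak to offer; */` followed by `/* the lookup below must cope with keylength < 2048. */` would keep the floor from being silently re-lowered and point maintainers at the fallback case. Since is_export is already marked UNUSED, the outcome depends entirely on how the loop below handles a request smaller than the first row; confirming that it returns a defined result (the 2048-bit group, or NULL so the handshake fails) is worth a line in the commit message or a test.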