3des cipher and DH group size

Darren Tucker dtucker at zip.com.au
Sat Jan 25 08:00:28 EST 2014


On Sat, Jan 25, 2014 at 3:28 AM, Petr Lautrbach <plautrba at redhat.com> wrote:
> It was confirmed that openssh can't connect to the server with a server string
> 'SSH-2.0-cryptlib' using diffie-hellman-group-exchange-sha1 and 3des-cbc with
> SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192).
>
> It's due to an issue in its code [1] which takes only the requested value

Well, that's a bug in cryptlib, but I'll let you follow that one up.

> and is limited only to 4096 bits.

RFC4419 says supporting groups up to 8k is a SHOULD, so that seems ok.

> So I've made a patch [2] as a POF which adds a security length column and
> uses this value for dh_estimation. For 3des-cbc it's 14, which makes the preferred
> DH group size 2048:
> SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192)
>
> and I've got confirmed that it solves the issue with this particular server.
[...]
> [2] http://fedorapeople.org/~plautrba/openssh/cipher-security-size.patch

BTW I think there's a bug in your patch:

+ u_int mode, ctos, need, dh_need, authlen;
[...]
+ if (dh_need < newkeys->enc.sec_len)
+ dh_need = newkeys->enc.sec_len;
[...]
+ kex->dh_need = ( dh_need ? dh_need : need );
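Review bot: `dh_need` is declared without an initializer on the first line and is only ever assigned inside the `if (dh_need < newkeys->enc.sec_len)` branch, so both that comparison and the final `kex->dh_need = ( dh_need ? dh_need : need );` read an indeterminate value whenever the branch is not taken. Initialize it at the point of declaration, e.g. `u_int mode, ctos, need, dh_need = 0, authlen;`, so that the fallback to `need` actually applies when no cipher supplies a `sec_len`.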

dh_need is used uninitialized.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
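The thread describes the idea behind the patch (estimate the DH group-exchange size from a cipher's effective security strength rather than its raw key length, falling back to the key length when no security length is known) and points out the uninitialized accumulator. The C below is an added example written for this post, not code from the thread or from OpenSSH; it shows the estimation with both accumulators initialized so the fallback is well defined. The 3des-cbc numbers (24-byte key, 14-byte security length, 7680 versus 2048 bit groups) come from the thread; the threshold table in `estimate_dh_bits`, the other cipher entries and all function and struct names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not OpenSSH code. One cipher entry carrying both the raw
 * key length and the "security length" the patch under discussion adds.
 * A sec_len of 0 means "unknown, fall back to the key length". */
struct cipher_desc {
    const char *name;
    unsigned int key_len;  /* bytes of key material */
    unsigned int sec_len;  /* bytes of effective security strength, 0 = unknown */
};

/* Constructed sample entries. 3des-cbc values are taken from the thread;
 * the aes128-cbc entry is illustrative only. */
static const struct cipher_desc TDES_KEYLEN_ONLY = { "3des-cbc", 24, 0 };
static const struct cipher_desc TDES_WITH_SECLEN = { "3des-cbc", 24, 14 };
static const struct cipher_desc AES128_SAMPLE    = { "aes128-cbc", 16, 16 };

/* Assumption: symmetric-strength-to-modp-size thresholds modelled on the
 * comparable-strength table that DH group estimation in SSH commonly uses.
 * 192 bits -> 7680 and 112 bits -> 2048 match the two requests in the thread. */
unsigned int estimate_dh_bits(unsigned int sym_bits)
{
    if (sym_bits <= 112) return 2048;
    if (sym_bits <= 128) return 3072;
    if (sym_bits <= 192) return 7680;
    return 8192;
}

/* Preferred DH group size for a set of negotiated ciphers. Both accumulators
 * start at zero, so the key-length fallback in the final expression is only
 * taken when no cipher supplied a security length. */
unsigned int preferred_dh_group_bits(const struct cipher_desc *ciphers, size_t n)
{
    unsigned int need = 0, dh_need = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        if (need < ciphers[i].key_len)
            need = ciphers[i].key_len;
        if (dh_need < ciphers[i].sec_len)
            dh_need = ciphers[i].sec_len;
    }
    /* Bytes -> bits, then map to a group size. */
    return estimate_dh_bits(8 * (dh_need ? dh_need : need));
}

/* Prints the GEX request line each policy would produce for 3des-cbc. */
int main(void)
{
    unsigned int by_key = preferred_dh_group_bits(&TDES_KEYLEN_ONLY, 1);
    unsigned int by_sec = preferred_dh_group_bits(&TDES_WITH_SECLEN, 1);

    printf("%s by key length:      SSH2_MSG_KEX_DH_GEX_REQUEST(1024<%u<8192)\n",
           TDES_KEYLEN_ONLY.name, by_key);
    printf("%s by security length: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<%u<8192)\n",
           TDES_WITH_SECLEN.name, by_sec);
    return 0;
}
```

The key-length policy asks for a 7680-bit group for 3des-cbc (192 bits of key material), while the security-length policy asks for 2048 bits (112 bits of effective strength); a server capped at 4096-bit groups only satisfies the second request.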

