author | Andreas Steffen <andreas.steffen@strongswan.org> | 2015-12-14 10:39:40 +0100 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2015-12-14 10:39:40 +0100 |
commit | 5e2b740a009a29cd560f00199ecbeb25fa7a4b29 (patch) | |
tree | a85ed7494aeb0a60b56e603eac3c38a06253f1d2 /src | |
parent | 47e56403780e417da67edc5f3e9753c60c9f2d21 (diff) | |
download | strongswan-5e2b740a009a29cd560f00199ecbeb25fa7a4b29.tar.bz2 strongswan-5e2b740a009a29cd560f00199ecbeb25fa7a4b29.tar.xz |
128 bit default security strength requires 3072 bit prime DH group
Diffstat (limited to 'src')
-rw-r--r-- | src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c | 8 | ||||
-rw-r--r-- | src/libstrongswan/plugins/gmp/gmp_plugin.c | 16 | ||||
-rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_plugin.c | 8 | ||||
-rw-r--r-- | src/starter/confread.c | 4 |
4 files changed, 18 insertions, 18 deletions
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 04f1f43ef..7ecba8fa9 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -98,14 +98,14 @@ METHOD(plugin_t, get_features, int,
 PLUGIN_PROVIDE(HASHER, HASH_SHA512),
 /* MODP DH groups */
 PLUGIN_REGISTER(DH, gcrypt_dh_create),
- PLUGIN_PROVIDE(DH, MODP_2048_BIT),
- PLUGIN_PROVIDE(DH, MODP_2048_224),
- PLUGIN_PROVIDE(DH, MODP_2048_256),
- PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 PLUGIN_PROVIDE(DH, MODP_3072_BIT),
 PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 PLUGIN_PROVIDE(DH, MODP_6144_BIT),
 PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+ PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+ PLUGIN_PROVIDE(DH, MODP_2048_224),
+ PLUGIN_PROVIDE(DH, MODP_2048_256),
+ PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 PLUGIN_PROVIDE(DH, MODP_1024_BIT),
 PLUGIN_PROVIDE(DH, MODP_1024_160),
 PLUGIN_PROVIDE(DH, MODP_768_BIT),
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index d93aa14a1..ea75896a1 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -45,14 +45,6 @@ METHOD(plugin_t, get_features, int,
 static plugin_feature_t f[] = {
 /* DH groups */
 PLUGIN_REGISTER(DH, gmp_diffie_hellman_create),
- PLUGIN_PROVIDE(DH, MODP_2048_BIT),
- PLUGIN_DEPENDS(RNG, RNG_STRONG),
- PLUGIN_PROVIDE(DH, MODP_2048_224),
- PLUGIN_DEPENDS(RNG, RNG_STRONG),
- PLUGIN_PROVIDE(DH, MODP_2048_256),
- PLUGIN_DEPENDS(RNG, RNG_STRONG),
- PLUGIN_PROVIDE(DH, MODP_1536_BIT),
- PLUGIN_DEPENDS(RNG, RNG_STRONG),
 PLUGIN_PROVIDE(DH, MODP_3072_BIT),
 PLUGIN_DEPENDS(RNG, RNG_STRONG),
 PLUGIN_PROVIDE(DH, MODP_4096_BIT),
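Review bot: Nothing in the gcrypt feature array says that the order of the `PLUGIN_PROVIDE(DH, ...)` entries now carries meaning, so a later cleanup could sort them back into numeric order and silently undo this change. Judging by the commit title the order feeds the default DH group preference, though the code that consumes it is not visible here. I would extend the existing comment to `/* MODP DH groups, 3072 bit and larger first to match the 128 bit default security strength */`. The same applies to the reordered lists in gmp_plugin.c and openssl_plugin.c. The get_features body starts and ends outside the hunk.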
@@ -61,6 +53,14 @@ METHOD(plugin_t, get_features, int,
 PLUGIN_DEPENDS(RNG, RNG_STRONG),
 PLUGIN_PROVIDE(DH, MODP_8192_BIT),
 PLUGIN_DEPENDS(RNG, RNG_STRONG),
+ PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+ PLUGIN_PROVIDE(DH, MODP_2048_224),
+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+ PLUGIN_PROVIDE(DH, MODP_2048_256),
+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
+ PLUGIN_PROVIDE(DH, MODP_1536_BIT),
+ PLUGIN_DEPENDS(RNG, RNG_STRONG),
 PLUGIN_PROVIDE(DH, MODP_1024_BIT),
 PLUGIN_DEPENDS(RNG, RNG_STRONG),
 PLUGIN_PROVIDE(DH, MODP_1024_160),
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index e48efe3e9..2b05adbdf 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -379,14 +379,14 @@ METHOD(plugin_t, get_features, int,
 #ifndef OPENSSL_NO_DH
 /* MODP DH groups */
 PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
- PLUGIN_PROVIDE(DH, MODP_2048_BIT),
- PLUGIN_PROVIDE(DH, MODP_2048_224),
- PLUGIN_PROVIDE(DH, MODP_2048_256),
- PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 PLUGIN_PROVIDE(DH, MODP_3072_BIT),
 PLUGIN_PROVIDE(DH, MODP_4096_BIT),
 PLUGIN_PROVIDE(DH, MODP_6144_BIT),
 PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+ PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+ PLUGIN_PROVIDE(DH, MODP_2048_224),
+ PLUGIN_PROVIDE(DH, MODP_2048_256),
+ PLUGIN_PROVIDE(DH, MODP_1536_BIT),
 PLUGIN_PROVIDE(DH, MODP_1024_BIT),
 PLUGIN_PROVIDE(DH, MODP_1024_160),
 PLUGIN_PROVIDE(DH, MODP_768_BIT),
diff --git a/src/starter/confread.c b/src/starter/confread.c
index c3a0ac07f..897aa423e 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -40,8 +40,8 @@ #define SA_REPLACEMENT_RETRIES_DEFAULT 3 #define SA_REPLAY_WINDOW_DEFAULT -1 /* use charon.replay_window */ -static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536"; -static const char esp_defaults[] = "aes128-sha1,3des-sha1"; +static const char ike_defaults[] = "aes128-sha256-modp3072"; +static const char esp_defaults[] = "aes128-sha256"; static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables"; |
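Review bot: The new `ike_defaults` and `esp_defaults` each contain a single proposal, so the implicit fallback that the old strings provided is gone. A connection that relies on the defaults will no longer negotiate with a peer limited to modp2048 or SHA-1. That is consistent with the stated 128 bit target, but the file gives no hint of it. A comment above the two strings such as `/* defaults target 128 bit security strength; weaker suites must be configured explicitly via ike= / esp= */` would record the intent. The change also deserves a line in the upgrade notes, since existing tunnels without explicit proposals may stop coming up.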