fix: raise wolfSSH crypto minimums#1101
Open
MarkAtwood wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Raises wolfSSH’s baseline cryptographic acceptance thresholds to improve security posture, rejecting peers that negotiate below the new minimums (with build-time overrides intended for deployments that must relax them).
Changes:
- Increase DH group-exchange minimum modulus size from 1024 to 2048 bits (
WOLFSSH_DEFAULT_GEXDH_MIN). - Enforce a minimum RSA public-key size for user authentication (new
WOLFSSH_RSA_MIN_KEY_BITS, default 2048) and reject smaller keys withWS_CERT_KEY_SIZE_E.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| wolfssh/internal.h | Raises default DH GEX minimum and introduces WOLFSSH_RSA_MIN_KEY_BITS build-time minimum. |
| src/internal.c | Adds RSA user-auth raw public-key size enforcement using WOLFSSH_RSA_MIN_KEY_BITS. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+517
to
+521
| #ifndef WOLFSSH_RSA_MIN_KEY_BITS | ||
| /* Minimum accepted RSA public-key size (bits) for user authentication. | ||
| * Per NIST SP 800-131A; override at build time if a smaller key must be | ||
| * accepted. */ | ||
| #define WOLFSSH_RSA_MIN_KEY_BITS 2048 |
Comment on lines
+8217
to
+8222
| if (ret == WS_SUCCESS) { | ||
| int keySz = wc_RsaEncryptSize(key) * 8; | ||
| if (keySz < WOLFSSH_RSA_MIN_KEY_BITS) { | ||
| WLOG(WS_LOG_DEBUG, "RSA auth key too small (%d bits)", keySz); | ||
| ret = WS_CERT_KEY_SIZE_E; | ||
| } |
Raise two cryptographic minimums to current guidance. Both reject peers below the new floor by design. - DH group-exchange minimum 1024 -> 2048 bits (Fenrir 2869), implementing RFC 8270 which updates RFC 4419. Override via WOLFSSH_DEFAULT_GEXDH_MIN. - Reject RSA user-authentication keys smaller than 2048 bits (Fenrir 6517) with WS_CERT_KEY_SIZE_E, per NIST SP 800-131A. The floor is configurable via a new WOLFSSH_RSA_MIN_KEY_BITS define (default 2048).
2470ad3 to
ac14a5c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security minimums (behavior change — please read)
Two changes raise cryptographic minimums and reject peers below them by design — good hardening, but calling it out explicitly since it affects interop.
DH group-exchange minimum 1024 → 2048 bits (Fenrir #2869)
Implements RFC 8270 — "Increase the Secure Shell Minimum Recommended Diffie-Hellman Modulus Size to 2048 Bits" — which updates RFC 4419. Overridable at build time via
WOLFSSH_DEFAULT_GEXDH_MIN.RSA user-authentication keys must be ≥ 2048 bits (Fenrir #6517)
Per NIST SP 800-131A; matches OpenSSH's floor. The
DoUserAuthRequestRsapath previously enforced no minimum (the cert pathDoUserAuthRequestRsaCertalready did). Added the missing check, and introduced aWOLFSSH_RSA_MIN_KEY_BITSdefine (default 2048) that both RSA auth paths now use, so the minimum is uniform and configurable. Smaller keys fail withWS_CERT_KEY_SIZE_E.Compatibility: deployments still using 1024-bit DH groups or sub-2048-bit RSA keys will be rejected and must regenerate.
Split out from #1097 so the uncontroversial protocol fixes there can merge independently of this policy decision. Build-verified (
--enable-all) against wolfSSL. Reported by static analysis (Fenrir #2869, #6517).