proposal: Remove RFC 5114 MODP DH groups from default proposal
[strongswan.git] / src / libcharon / config / proposal.c
index 698ff40..e1305ce 100644 (file)
@@ -958,9 +958,12 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
                        case MODP_768_BIT:
                                /* weak */
                                break;
+                       case MODP_1024_160:
                        case MODP_2048_224:
+                       case MODP_2048_256:
+                               /* RFC 5114 primes are of questionable source */
+                               break;
                        case MODP_1536_BIT:
-                       case MODP_1024_160:
                        case ECP_224_BIT:
                        case ECP_224_BP:
                        case ECP_192_BIT:
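Review bot: The new comment on the `MODP_1024_160` / `MODP_2048_224` / `MODP_2048_256` arm gives the reason for skipping these groups but not the scope, so a reader could take it to mean they are rejected outright. As far as this hunk shows, the arm only keeps them out of the proposal this function builds; whether a group named explicitly in configuration is still accepted is decided outside the visible lines. I would spell that out, e.g. `/* RFC 5114 groups: generation seeds for the primes were never published; not proposed by default */`. Separately, the context of the next hunk still passes `MODP_1024_BIT` to `add_algorithm()` while the 1024-bit RFC 5114 group is dropped here, so a comment there on why that group stays (presumably interoperability) would help. The switch and `proposal_add_supported_ike` both start and end outside the hunk.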
@@ -968,7 +971,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
                                /* rarely used */
                                break;
                        case MODP_2048_BIT:
-                       case MODP_2048_256:
                        case MODP_1024_BIT:
                                add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
                                break;