From 80e0d46062acdad669f45514af5393bd39f7e370 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 13 Oct 2017 16:51:54 +0100
Subject: [PATCH 1/3] Use 2048-bit DHE parameters from RFC 3526 instead of 5114 by default

The parameters from RFC 5114 are not considered trustworthy, while those from RFC 3526 have been generated in a nothing-up-my-sleeve manner.

---
 library/ssl_tls.c | 4 ++--
 tests/ssl-opt.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ba586a05e..9986ddcc9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7268,8 +7268,8 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 if( endpoint == MBEDTLS_SSL_IS_SERVER )
 {
 if( ( ret = mbedtls_ssl_conf_dh_param( conf,
- MBEDTLS_DHM_RFC5114_MODP_2048_P,
- MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
+ MBEDTLS_DHM_RFC3526_MODP_2048_P,
+ MBEDTLS_DHM_RFC3526_MODP_2048_G ) ) != 0 )
 {
 return( ret );
 }
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 9c9cf4651..a8c975036 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2702,7 +2702,7 @@ run_test "DHM parameters: reference" \
 debug_level=3" \
 0 \
 -c "value of 'DHM: P ' (2048 bits)" \
- -c "value of 'DHM: G ' (2048 bits)"
+ -c "value of 'DHM: G ' (2 bits)"
 
 run_test "DHM parameters: other parameters" \
 "$P_SRV dhm_file=data_files/dhparams.pem" \

From e27543dee11a9f38a41568fa663a384896568e15 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 13 Oct 2017 16:54:58 +0100
Subject: [PATCH 2/3] Adapt ChangeLog

---
 ChangeLog | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 8f7843dc6..4ef3f1bf3 100644
--- a/ChangeLog
+++ b/ChangeLog
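Review bot: The new default group is selected without a comment giving the reason, so the next person editing this part of mbedtls_ssl_config_defaults sees two equally plausible macro pairs and nothing in the code discouraging a switch back to the RFC 5114 ones; a one-line comment above the mbedtls_ssl_conf_dh_param call, `/* RFC 3526 group: generated nothing-up-my-sleeve, unlike the RFC 5114 parameters whose generation is undocumented. */`, would carry the commit message's rationale into the source. This hunk only changes what a server offers; whether a client accepts the group a server sends is decided elsewhere (presumably the mbedtls_ssl_conf_dhm_min_bitlen threshold), so clients talking to servers that still use RFC 5114 parameters are not affected by this change. The body of mbedtls_ssl_config_defaults begins and ends outside the hunk.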
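Review bot: The reference test still checks only bit lengths, and after this change the generator pattern `(2 bits)` is satisfied by any group with g = 2, not specifically RFC 3526's, so the test does not pin the group the server is expected to default to. If the level-3 debug output also prints the MPI value after the `value of 'DHM: P ' (2048 bits)` line, adding a `-c` pattern on the leading bytes of MBEDTLS_DHM_RFC3526_MODP_2048_P (its hex begins `FFFFFFFFFFFFFFFFC90FDAA2`, to be written in whatever byte format the debug printer emits) would make a silent switch back to some other 2048-bit group fail this test rather than pass it. The `run_test "DHM parameters: reference"` invocation begins before this hunk.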
@@ -6,6 +6,11 @@ Bugfix
 * Fix ssl_parse_record_header() to silently discard invalid DTLS records
 as recommended in RFC 6347 Section 4.1.2.7.
+Security
+ * Change default choice of DHE parameters from untrustworthy RFC 5114
+ to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
+ manner.
+
 
 = mbed TLS 2.1.9 branch released 2017-08-10
 
 Security

From 469e93c0f621321636b565489292baa0cf4c2738 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 16 Oct 2017 09:21:33 +0100
Subject: [PATCH 3/3] Add warning on the use of RFC 5114 primes

---
 include/mbedtls/dhm.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index cd056d1b4..433d6128d 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@@ -51,6 +51,12 @@
 * RFC 3526 4. 3072-bit MODP Group
 * RFC 3526 5. 4096-bit MODP Group
 * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
+ *
+ * \warning The primes from RFC 5114 do not come together with information
+ * on how they were generated and are therefore not considered
+ * trustworthy. It is recommended to avoid them and to use the
+ * nothing-up-my-sleeve primes from RFC 3526 instead.
+ *
 */
 #define MBEDTLS_DHM_RFC3526_MODP_2048_P \
 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
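Review bot: The new \warning sits in the block comment that lists all the groups rather than on the RFC 5114 macros themselves, so a reader who reaches MBEDTLS_DHM_RFC5114_MODP_2048_P through its definition or an IDE lookup will never see it. Repeating a short note directly above each RFC 5114 definition, `/* Generation of these parameters is undocumented; prefer the RFC 3526 groups above. */`, or tagging them with whatever deprecation mechanism the project uses for string constants, would place the caution where the choice is actually made. The RFC 5114 definitions are presumably further down the file, outside this hunk, and the MBEDTLS_DHM_RFC3526_MODP_2048_P definition that starts on the last context line continues past it.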