From 11f740aae4221f000da5363c33805be60dc70721 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 13 Oct 2017 16:56:15 +0100
Subject: [PATCH 1/4] Use 2048-bit DHE parameters from RFC 3526 instead of 5114 by default

The parameters from RFC 5114 are not considered trustworthy, while those from RFC 3526 have been generated in a nothing-up-my-sleeve manner.
---
 library/ssl_tls.c | 4 ++--
 tests/ssl-opt.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index bae8433fe..228e3839b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3702,9 +3702,9 @@ int ssl_init( ssl_context *ssl )
 
 #if defined(POLARSSL_DHM_C)
 if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
- POLARSSL_DHM_RFC5114_MODP_2048_P) ) != 0 ||
+ POLARSSL_DHM_RFC3526_MODP_2048_P) ) != 0 ||
 ( ret = mpi_read_string( &ssl->dhm_G, 16,
- POLARSSL_DHM_RFC5114_MODP_2048_G) ) != 0 )
+ POLARSSL_DHM_RFC3526_MODP_2048_G) ) != 0 )
 {
 SSL_DEBUG_RET( 1, "mpi_read_string", ret );
 return( ret );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index ed695cb6d..d7597528b 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2269,7 +2269,7 @@ run_test "DHM parameters: reference" \
 debug_level=3" \
 0 \
 -c "value of 'DHM: P ' (2048 bits)" \
- -c "value of 'DHM: G ' (2048 bits)"
+ -c "value of 'DHM: G ' (2 bits)"
 
 run_test "DHM parameters: other parameters" \
 "$P_SRV dhm_file=data_files/dhparams.pem" \
From fffe3bddb09f358629405030cd705b6ca1fe27c9 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 13 Oct 2017 17:00:12 +0100
Subject: [PATCH 2/4] Change choice of DHM parameters in ssl_server2 example application

---
 programs/ssl/ssl_server2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 2c5d9eb86..65080470e 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
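Review bot: The new default deserves a why-comment at the first `mpi_read_string` call, because a reader of `ssl_init` cannot tell from the code why group 14 was chosen over the RFC 5114 group it replaces: `/* Default DHE group: RFC 3526 group 14 (2048-bit safe prime, g = 2). The RFC 5114 groups have no published derivation and are avoided; see dhm.h. */`. The practical consequence worth recording there is that with a safe prime p = 2q+1 every element in [2, p-2] has order q or 2q, so a simple range check on the peer's public value already rules out the small subgroups, whereas the RFC 5114 2048-bit group has a 224-bit prime-order subgroup and an unchecked public value can leak bits of a reused exponent; whether this code path performs that range check is not visible in the hunk. `ssl_init` begins before the hunk and continues after it.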
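Review bot: The added `-c "value of 'DHM: G ' (2 bits)"` line pins only the bit length of the generator, so the test cannot distinguish RFC 3526 group 14 from any other 2048-bit group with g = 2 (RFC 7919's ffdhe2048, for example) should the default change again. If the client's `debug_level=3` output dumps the value of P rather than just its size, matching the actual modulus bytes would turn this into an exact check; the dump format is not visible in the hunk, so confirm it first. A short comment above the expectation, `# default is RFC 3526 group 14: 2048-bit P, g = 2`, would also explain the otherwise surprising "2 bits". The `run_test` invocation starts before the hunk.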
@@ -1598,8 +1598,8 @@ int main( int argc, char *argv[] )
 ret = ssl_set_dh_param_ctx( &ssl, &dhm );
 else
 #endif
- ret = ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC5114_MODP_2048_P,
- POLARSSL_DHM_RFC5114_MODP_2048_G );
+ ret = ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC3526_MODP_2048_P,
+ POLARSSL_DHM_RFC3526_MODP_2048_G );
 
 if( ret != 0 )
 {
From 2bfb234f6ab09a1dcee1216528dbc3e694931d99 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 13 Oct 2017 16:57:30 +0100
Subject: [PATCH 3/4] Adapt ChangeLog

---
 ChangeLog | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index a3171d7eb..36ffbee99 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS x.x.xx branch released xxxx-xx-xx
+
+Security
+ * Change default choice of DHE parameters from untrustworthy RFC 5114
+ to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
+ manner.
+
 = mbed TLS 1.3.21 branch released 2017-08-10
 
 Security
From 1e520e0882d4a8d029fd3f1f39e7a3eee647e1e2 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 16 Oct 2017 09:21:33 +0100
Subject: [PATCH 4/4] Add warning on the use of RFC 5114 primes

---
 include/polarssl/dhm.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/polarssl/dhm.h b/include/polarssl/dhm.h
index 8d64a5f91..e8ea1725c 100644
--- a/include/polarssl/dhm.h
+++ b/include/polarssl/dhm.h
@@ -55,6 +55,12 @@
 * RFC 3526 4. 3072-bit MODP Group
 * RFC 5114 2.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup
 * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
+ *
+ * \warning The primes from RFC 5114 do not come together with information
+ * on how they were generated and are therefore not considered
+ * trustworthy. It is recommended to avoid them and to use the
+ * nothing-up-my-sleeve primes from RFC 3526 instead.
+ *
 */
 #define POLARSSL_DHM_RFC2409_MODP_1024_P \
 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
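Review bot: The fallback `ssl_set_dh_param` call now hard-codes a different group than before with no comment, and since `ssl_server2` is the program people copy from, the choice should be explained in place: `/* No DH parameter file: fall back to RFC 3526 group 14 (2048-bit safe prime, g = 2) rather than the RFC 5114 group, whose derivation is undocumented. */`. This fallback is only reached when the `#if` branch above it is not taken, presumably when no parameter file was given (the condition sits above the hunk), so a server started with a file still uses whatever group that file holds, and nothing in this hunk validates it. `main` starts before the hunk and continues after it.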
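Review bot: The new `\warning` explains why the RFC 5114 primes are distrusted but not what can go wrong when a caller uses them anyway, which is the information someone choosing between these constants needs; the header's own listing shows these groups have 160- and 224-bit prime-order subgroups, so I would extend the warning: `The RFC 5114 groups are not safe-prime groups: the generator's order is only 160 or 224 bits and p-1 has a large cofactor, so a peer's in-range public value need not lie in the intended subgroup. Do not reuse a private exponent with them unless subgroup membership is checked.` The phrase "do not come together with information on how they were generated" is also awkward; "are not accompanied by any description of how they were generated" reads better. Whether this library checks subgroup membership of a peer's public value is not visible in the excerpt, hence the conditional wording.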