Merge remote-tracking branch 'upstream-restricted/pr/413' into mbedtls-1.3-restricted
diff --git a/ChangeLog b/ChangeLog
index ea41611..ee2fc46 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,9 @@
Reported by Marco Macchetti, Kudelski Group.
* Wipe stack buffer temporarily holding EC private exponent
after keypair generation.
+ * Change default choice of DHE parameters from untrustworthy RFC 5114
+ to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
+ manner.
Features
* Allow comments in test data files.
diff --git a/include/polarssl/dhm.h b/include/polarssl/dhm.h
index 8d64a5f..e8ea172 100644
--- a/include/polarssl/dhm.h
+++ b/include/polarssl/dhm.h
@@ -55,6 +55,12 @@
* RFC 3526 4. 3072-bit MODP Group
* RFC 5114 2.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup
* RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
+ *
+ * \warning The primes from RFC 5114 do not come together with information
+ * on how they were generated and are therefore not considered
+ * trustworthy. It is recommended to avoid them and to use the
+ * nothing-up-my-sleeve primes from RFC 3526 instead.
+ *
*/
#define POLARSSL_DHM_RFC2409_MODP_1024_P \
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
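Review bot: The warning added at L24-L27 gives provenance as the only reason to avoid the RFC 5114 groups, but the more operational hazard is that they are not safe-prime groups: the generator spans a prime-order subgroup (160 or 224 bits, per the existing list at L21-L22) far smaller than p-1, so p-1 has many other small factors and a peer's public value must be confirmed to lie in the intended subgroup, which a plain 2 <= Y <= P-2 range check does not do. The RFC 3526 groups are safe primes (p = 2q+1), so that range check already excludes every element of small order. Whether the library performs a subgroup-order check on received public values is not visible in this hunk, so the warning should say what the caller is responsible for. Suggest extending the comment with `Moreover, the RFC 5114 groups are not safe primes: using them securely requires checking that the peer's public value lies in the prime-order subgroup, which a range check on the value alone does not guarantee.`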
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 855872b..aa478e2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3711,9 +3711,9 @@
#if defined(POLARSSL_DHM_C)
if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
- POLARSSL_DHM_RFC5114_MODP_2048_P) ) != 0 ||
+ POLARSSL_DHM_RFC3526_MODP_2048_P) ) != 0 ||
( ret = mpi_read_string( &ssl->dhm_G, 16,
- POLARSSL_DHM_RFC5114_MODP_2048_G) ) != 0 )
+ POLARSSL_DHM_RFC3526_MODP_2048_G) ) != 0 )
{
SSL_DEBUG_RET( 1, "mpi_read_string", ret );
return( ret );
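Review bot: The new default at L40 and L43 carries no comment explaining why RFC 3526 replaces the RFC 5114 group, and a reader of ssl_tls.c never sees the warning added to dhm.h in this same change. A why-comment above the mpi_read_string call would stop a future maintainer from "restoring" the old constants: `/* Default to the RFC 3526 2048-bit MODP group: a safe prime with nothing-up-my-sleeve provenance, unlike the RFC 5114 groups */`. The enclosing function begins before this hunk.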
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index b99aeb6..2e76efe 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1598,8 +1598,8 @@
ret = ssl_set_dh_param_ctx( &ssl, &dhm );
else
#endif
- ret = ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC5114_MODP_2048_P,
- POLARSSL_DHM_RFC5114_MODP_2048_G );
+ ret = ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC3526_MODP_2048_P,
+ POLARSSL_DHM_RFC3526_MODP_2048_G );
if( ret != 0 )
{
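Review bot: The fallback at L57-L58 restates the library's built-in default group (the same constants ssl_tls.c now loads) rather than relying on it, so the sample stops exercising the real default the next time the two drift apart, exactly as they had before this change. If the explicit call is kept for illustration, a comment such as `/* Same group as the library default in ssl_tls.c; keep in sync */` makes the coupling visible; otherwise the sample could skip ssl_set_dh_param when no dhm_file is given. The enclosing function runs outside the hunk.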
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index c027bc0..567e73f 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2331,7 +2331,7 @@
debug_level=3" \
0 \
-c "value of 'DHM: P ' (2048 bits)" \
- -c "value of 'DHM: G ' (2048 bits)"
+ -c "value of 'DHM: G ' (2 bits)"
run_test "DHM parameters: other parameters" \
"$P_SRV dhm_file=data_files/dhparams.pem" \
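Review bot: The updated expectation at L70 only checks that G is 2 bits, which together with the 2048-bit check on P at L68 does not distinguish the RFC 3526 group from any other 2048-bit group with generator 2, so a regression to a different prime would still pass. If the server's debug output at this level also prints the value of P (not visible here), matching a distinctive prefix of the expected RFC 3526 prime with a further `-c` pattern would pin the default to the intended group. The run_test block that starts at L71 continues past the hunk.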