Merge remote-tracking branch 'upstream-restricted/pr/414' into mbedtls-2.1-restricted
diff --git a/ChangeLog b/ChangeLog
index b40b77e..2802fe9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,9 @@
    * Fix a potential heap buffer overread in ALPN extension parsing
      (server-side). Could result in application crash, but only if an ALPN
      name larger than 16 bytes had been configured on the server.
+   * Change default choice of DHE parameters from untrustworthy RFC 5114
+     to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
+     manner.
 
 Features
    * Allow comments in test data files.
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index cd056d1..433d612 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@@ -51,6 +51,12 @@
  *  RFC 3526 4.    3072-bit MODP Group
  *  RFC 3526 5.    4096-bit MODP Group
  *  RFC 5114 2.2.  2048-bit MODP Group with 224-bit Prime Order Subgroup
+ *
+ * \warning The primes from RFC 5114 do not come together with information
+ *          on how they were generated and are therefore not considered
+ *          trustworthy. It is recommended to avoid them and to use the
+ *          nothing-up-my-sleeve primes from RFC 3526 instead.
+ *
  */
 #define MBEDTLS_DHM_RFC3526_MODP_2048_P               \
     "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
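Review bot: The new \warning at lines 25-28 is advisory text in the group-list comment only; the MBEDTLS_DHM_RFC5114_MODP_2048_P/_G macros themselves (defined further down in this header, outside the hunk) are presumably still undocumented as discouraged, so a user who finds them by name gets no hint. It would be worth adding a one-line `\deprecated` or `\warning` note directly above those two definitions, repeating that RFC 5114 groups carry no generation provenance and that the RFC 3526 MODP groups are the recommended replacement. The extra empty ` *` line before the closing `*/` at line 29-30 also looks like an unintended blank in the Doxygen block.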
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9d45532..7193809 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7325,8 +7325,8 @@
             if( endpoint == MBEDTLS_SSL_IS_SERVER )
             {
                 if( ( ret = mbedtls_ssl_conf_dh_param( conf,
-                                MBEDTLS_DHM_RFC5114_MODP_2048_P,
-                                MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
+                                MBEDTLS_DHM_RFC3526_MODP_2048_P,
+                                MBEDTLS_DHM_RFC3526_MODP_2048_G ) ) != 0 )
                 {
                     return( ret );
                 }
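Review bot: The rationale for switching the server default from the RFC 5114 group to the RFC 3526 group is recorded only in the ChangeLog and the dhm.h comment; at this call site nothing explains why the 2048-bit MODP group was picked, so a future edit could silently flip it back. A short comment above the call, `/* Default to RFC 3526 group 14: nothing-up-my-sleeve prime. RFC 5114 groups have no published generation method and are not trusted; see dhm.h. */`, keeps the reason with the code. The enclosing function (the defaults setup for the server endpoint) starts and ends outside this hunk.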
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 0cae9ac..36797e3 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2828,7 +2828,7 @@
                     debug_level=3" \
             0 \
             -c "value of 'DHM: P ' (2048 bits)" \
-            -c "value of 'DHM: G ' (2048 bits)"
+            -c "value of 'DHM: G ' (2 bits)"
 
 run_test    "DHM parameters: other parameters" \
             "$P_SRV dhm_file=data_files/dhparams.pem" \
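Review bot: After this change only the `-c "value of 'DHM: G ' (2 bits)"` expectation distinguishes the new RFC 3526 default from the old RFC 5114 group, since both primes are 2048 bits and the P check at line 55 would pass for either. That is sufficient as long as G stays 2, but a brief comment on the test, `# RFC 3526 group 14 uses G = 2; RFC 5114 used a 2048-bit generator`, would make clear why the G bit length is the meaningful assertion. The run_test invocation this hunk belongs to starts before line 53.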