proposal: Remove RFC 5114 MODP DH groups from default proposal
author: Martin Willi <martin@strongswan.org>
Thu, 20 Oct 2016 05:12:32 +0000 (07:12 +0200)
committer: Tobias Brunner <tobias@strongswan.org>
Tue, 15 Nov 2016 16:20:40 +0000 (17:20 +0100)
Recent research demonstrates that at least for 1024-bit DH groups, it is
possible to create specially crafted primes having a backdoor. From the
prime itself this is not detectable, creating a perfect NOBUS attack.

http://eprint.iacr.org/2016/961

For the primes defined in RFC 5114 no information is provided on how these
have been selected. In the default proposal we included one of the 2048-bit
primes only, where it is questionable if constructing a backdoored prime is
feasible. Nevertheless, this patch removes the group from the set of default
proposals as well.

src/libcharon/config/proposal.c

index 698ff40..e1305ce 100644
@@ -958,9 +958,12 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
                        case MODP_768_BIT:
                                /* weak */
                                break;
+                       case MODP_1024_160:
                        case MODP_2048_224:
+                       case MODP_2048_256:
+                               /* RFC 5114 primes are of questionable source */
+                               break;
                        case MODP_1536_BIT:
-                       case MODP_1024_160:
                        case ECP_224_BIT:
                        case ECP_224_BP:
                        case ECP_192_BIT:
@@ -968,7 +971,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
                                /* rarely used */
                                break;
                        case MODP_2048_BIT:
-                       case MODP_2048_256:
                        case MODP_1024_BIT:
                                add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
                                break;
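Review bot: after this hunk `MODP_1024_BIT` still falls through to `add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0)`, so the default IKE proposal keeps offering a 1024-bit MODP group, which is exactly the size the research cited in the commit message targets, while the 2048-bit `MODP_2048_256` is the one being dropped. If the 1024-bit group is retained deliberately (for interoperability, and because its prime is not one of the undocumented RFC 5114 values), a short comment on that case label saying so would stop the next reader from assuming it was overlooked in this change.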