From: Martin Willi Date: Thu, 20 Oct 2016 05:12:32 +0000 (+0200) Subject: proposal: Remove RFC 5114 MODP DH groups from default proposal X-Git-Tag: 5.5.2dr3~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=649537ee8dc75952c37df227a24e05d95dbc7594;p=thirdparty%2Fstrongswan.git proposal: Remove RFC 5114 MODP DH groups from default proposal Recent research demonstrates that at least for 1024-bit DH groups, it is possible to create specially crafted primes having a backdoor. From the prime itself this is not detectable, creating a perfect NOBUS attack. http://eprint.iacr.org/2016/961 For the primes defined in RFC 5114 no information is provided on how these have been selected. In the default proposal we included one of the 2048-bit primes only, where it is questionable if constructing a backdoored prime is feasible. Nevertheless, this patch removes the group from the set of default proposals as well. --- diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index 698ff40d36..e1305ce910 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -958,9 +958,12 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) case MODP_768_BIT: /* weak */ break; + case MODP_1024_160: case MODP_2048_224: + case MODP_2048_256: + /* RFC 5114 primes are of questionable source */ + break; case MODP_1536_BIT: - case MODP_1024_160: case ECP_224_BIT: case ECP_224_BP: case ECP_192_BIT: @@ -968,7 +971,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) /* rarely used */ break; case MODP_2048_BIT: - case MODP_2048_256: case MODP_1024_BIT: add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); break;
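Review bot: In the first hunk the new comment `/* RFC 5114 primes are of questionable source */` gives less context than the commit message does; since this case now silently drops three groups from the default proposal, consider quoting the reason inline, e.g. `/* RFC 5114 groups: prime generation undocumented, see eprint 2016/961 */`, so a reader of proposal.c does not have to find this commit to understand why MODP_1024_160, MODP_2048_224 and MODP_2048_256 are skipped. Grouping all three RFC 5114 groups under one `break` (and moving MODP_1024_160 out of the "rarely used" list) is the right structure; as the message states, this only affects the default built by proposal_add_supported_ike, not groups a user configures explicitly.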
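Review bot: In the second hunk, after removing MODP_2048_256 the `add_algorithm` case still adds MODP_1024_BIT, a 1024-bit group, while the commit message opens by citing research on backdoored 1024-bit primes. That is defensible because MODP_1024_BIT is not one of the RFC 5114 groups the message targets, but a short comment on this case (e.g. `/* not RFC 5114; generation documented */`) would stop a future reader from conflating the two reasons and from either removing it by mistake or assuming the 1024-bit concern was overlooked.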