From 0e6dc84f3ec1e67a93dc3221ccd605da79589da4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 27 Sep 2017 11:48:02 +0100 Subject: [PATCH 01/29] Deprecate Diffie-Hellman groups from RFC 5114 Also, change the way the standardized Diffie-Hellman groups are provided from macro-based string-literals to global variables. --- include/mbedtls/dhm.h | 127 +++++++++++++++--------------------------- library/dhm.c | 97 ++++++++++++++++++++++++++++++++ 2 files changed, 142 insertions(+), 82 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index d7ab1522e..f3ee14f65 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -38,6 +38,14 @@ #define MBEDTLS_ERR_DHM_ALLOC_FAILED -0x3400 /**< Allocation of memory failed. */ #define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480 /**< Read/write of file failed. */ +#if ! defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +#endif + /** * RFC 3526 defines a number of standardized Diffie-Hellman groups * for IKE. @@ -51,93 +59,48 @@ * RFC 3526 4. 3072-bit MODP Group * RFC 3526 5. 4096-bit MODP Group * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup + * The constants with suffix "_p" denote the chosen prime moduli, while + * the constants with suffix "_g" denote the chosen generator + * of the associated prime field. + * + * All constants are represented as null-terminated strings containing the + * hexadecimal presentation of the respective numbers. + * + * \warning The origin of the primes in RFC 5114 is not documented and + * their use therefore constitutes a security risk! + * + * \deprecated The primes from RFC 5114 are superseded by the primes + * from RFC 3526 and RFC 7919 and should no longer be used. + * They will be removed in the next major revision. */ -#define MBEDTLS_DHM_RFC3526_MODP_2048_P \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ - "15728E5A8AACAA68FFFFFFFFFFFFFFFF" -#define MBEDTLS_DHM_RFC3526_MODP_2048_G "02" +const char *mbedtls_dhm_rfc3526_modp_2048_p; +const char *mbedtls_dhm_rfc3526_modp_2048_g; +const char *mbedtls_dhm_rfc3526_modp_3072_p; +const char *mbedtls_dhm_rfc3526_modp_3072_g; +const char *mbedtls_dhm_rfc3526_modp_4096_p; +const char *mbedtls_dhm_rfc3526_modp_4096_g; -#define MBEDTLS_DHM_RFC3526_MODP_3072_P \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \ - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \ - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \ - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \ - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ - "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" -#define MBEDTLS_DHM_RFC3526_MODP_3072_G "02" +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +MBEDTLS_DEPRECATED const char *mbedtls_dhm_rfc5114_modp_2048_p; +MBEDTLS_DEPRECATED const char *mbedtls_dhm_rfc5114_modp_2048_g; +#endif -#define MBEDTLS_DHM_RFC3526_MODP_4096_P \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \ - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \ - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \ - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \ - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ - "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" \ - "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" \ - "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" \ - "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" \ - "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" \ - "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" \ - "FFFFFFFFFFFFFFFF" - -#define MBEDTLS_DHM_RFC3526_MODP_4096_G "02" - -#define MBEDTLS_DHM_RFC5114_MODP_2048_P \ - "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" \ - "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" \ - "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" \ - "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" \ - "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" \ - "B3BF8A317091883681286130BC8985DB1602E714415D9330" \ - "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" \ - "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" \ - "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" \ - "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" \ - "CF9DE5384E71B81C0AC4DFFE0C10E64F" - -#define MBEDTLS_DHM_RFC5114_MODP_2048_G \ - "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"\ - "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"\ - "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"\ - "C17669101999024AF4D027275AC1348BB8A762D0521BC98A"\ - "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE"\ - "F180EB34118E98D119529A45D6F834566E3025E316A330EF"\ - "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB"\ - "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381"\ - "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269"\ - "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179"\ - "81BC087F2A7065B384B890D3191F2BFA" +/** + * \deprecated These macros are superseded by direct access to the corresponding + * global variables and will be removed in the next major revision. + */ +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#define MBEDTLS_DHM_RFC5114_MODP_2048_P mbedtls_dhm_rfc5114_modp_2048_p +#define MBEDTLS_DHM_RFC5114_MODP_2048_G mbedtls_dhm_rfc5114_modp_2048_g +#define MBEDTLS_DHM_RFC3526_MODP_2048_P mbedtls_dhm_rfc3526_modp_2048_p +#define MBEDTLS_DHM_RFC3526_MODP_2048_G mbedtls_dhm_rfc3526_modp_2048_g +#define MBEDTLS_DHM_RFC3526_MODP_3072_P mbedtls_dhm_rfc3526_modp_3072_p +#define MBEDTLS_DHM_RFC3526_MODP_3072_G mbedtls_dhm_rfc3526_modp_3072_g +#define MBEDTLS_DHM_RFC3526_MODP_4096_P mbedtls_dhm_rfc3526_modp_4096_p +#define MBEDTLS_DHM_RFC3526_MODP_4096_G mbedtls_dhm_rfc3526_modp_4096_g +#endif #ifdef __cplusplus extern "C" { diff --git a/library/dhm.c b/library/dhm.c index bec52a11d..9da33c901 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -57,6 +57,103 @@ #define mbedtls_free free #endif +/* + * Diffie-Hellman groups from RFC 5114 + * + * \warning The origin of the primes in RFC 5114 is not documented and + * their use therefore constitutes a security risk! + * + * \deprecated The primes from RFC 5114 are superseded by the primes + * from RFC 3526 and RFC 7919 and should no longer be used. + * They will be removed in the next major version. + */ + +const char * mbedtls_dhm_rfc5114_modp_2048_p = + "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" + "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" + "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" + "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" + "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" + "B3BF8A317091883681286130BC8985DB1602E714415D9330" + "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" + "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" + "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" + "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" + "CF9DE5384E71B81C0AC4DFFE0C10E64F"; +const char * mbedtls_dhm_rfc5114_modp_2048_g = + "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF" + "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA" + "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7" + "C17669101999024AF4D027275AC1348BB8A762D0521BC98A" + "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE" + "F180EB34118E98D119529A45D6F834566E3025E316A330EF" + "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB" + "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381" + "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269" + "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179" + "81BC087F2A7065B384B890D3191F2BFA"; + +/* + * Diffie-Hellman groups from RFC 3526 + */ + +const char * mbedtls_dhm_rfc3526_modp_2048_p = + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" + "15728E5A8AACAA68FFFFFFFFFFFFFFFF"; +const char * mbedtls_dhm_rfc3526_modp_2048_g = "02"; + +const char * mbedtls_dhm_rfc3526_modp_3072_p = + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" + "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"; +const char * mbedtls_dhm_rfc3526_modp_3072_g = "02"; + +const char * mbedtls_dhm_rfc3526_modp_4096_p = + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" + "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" + "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" + "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" + "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" + "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" + "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" + "FFFFFFFFFFFFFFFF"; +const char * mbedtls_dhm_rfc3526_modp_4096_g = "02"; /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; From b2bad800e4df444eacd8230d56cc6fb0f32eea82 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 27 Sep 2017 11:49:31 +0100 Subject: [PATCH 02/29] Introduce Diffie-Hellman parameters from RFC 7919 --- include/mbedtls/dhm.h | 29 +++++++-- library/dhm.c | 146 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 168 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index f3ee14f65..c26b5a2d6 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -47,18 +47,23 @@ #endif /** - * RFC 3526 defines a number of standardized Diffie-Hellman groups - * for IKE. - * RFC 5114 defines a number of standardized Diffie-Hellman groups - * that can be used. - * - * Some are included here for convenience. + * RFC 3526, RFC 5114 and RFC 7919 standardize a number of + * Diffie-Hellman groups, some of which are included here + * for use within the SSL/TLS module and the user's convenience + * when configuring the Diffie-Hellman parameters by hand + * through \c mbedtls_ssl_conf_dh_param. * * Included are: + * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup * RFC 3526 3. 2048-bit MODP Group * RFC 3526 4. 3072-bit MODP Group * RFC 3526 5. 4096-bit MODP Group - * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup + * RFC 7919 A.1 ffdhe2048 + * RFC 7919 A.2 ffdhe3072 + * RFC 7919 A.3 ffdhe4096 + * RFC 7919 A.4 ffdhe6144 + * RFC 7919 A.5 ffdhe8192 + * * The constants with suffix "_p" denote the chosen prime moduli, while * the constants with suffix "_g" denote the chosen generator * of the associated prime field. @@ -81,6 +86,16 @@ const char *mbedtls_dhm_rfc3526_modp_3072_g; const char *mbedtls_dhm_rfc3526_modp_4096_p; const char *mbedtls_dhm_rfc3526_modp_4096_g; +const char *mbedtls_dhm_rfc7919_ffdhe2048_p; +const char *mbedtls_dhm_rfc7919_ffdhe2048_g; +const char *mbedtls_dhm_rfc7919_ffdhe3072_p; +const char *mbedtls_dhm_rfc7919_ffdhe3072_g; +const char *mbedtls_dhm_rfc7919_ffdhe4096_p; +const char *mbedtls_dhm_rfc7919_ffdhe4096_g; +const char *mbedtls_dhm_rfc7919_ffdhe6144_p; +const char *mbedtls_dhm_rfc7919_ffdhe6144_g; +const char *mbedtls_dhm_rfc7919_ffdhe8192_p; +const char *mbedtls_dhm_rfc7919_ffdhe8192_g; #if !defined(MBEDTLS_DEPRECATED_REMOVED) MBEDTLS_DEPRECATED const char *mbedtls_dhm_rfc5114_modp_2048_p; diff --git a/library/dhm.c b/library/dhm.c index 9da33c901..e98148dcd 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -154,6 +154,152 @@ const char * mbedtls_dhm_rfc3526_modp_4096_p = "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" "FFFFFFFFFFFFFFFF"; const char * mbedtls_dhm_rfc3526_modp_4096_g = "02"; + +/* + * Diffie-Hellman groups from RFC 7919 + */ + +const char * mbedtls_dhm_rfc7919_ffdhe2048_p = + "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + "886B423861285C97FFFFFFFFFFFFFFFF"; +const char * mbedtls_dhm_rfc7919_ffdhe2048_g = "02"; + +const char * mbedtls_dhm_rfc7919_ffdhe3072_p = + "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + "3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF"; +const char * mbedtls_dhm_rfc7919_ffdhe3072_g = "02"; + +const char * mbedtls_dhm_rfc7919_ffdhe4096_p = + "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" + "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" + "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" + "A907600A918130C46DC778F971AD0038092999A333CB8B7A" + "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" + "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6A" + "FFFFFFFFFFFFFFFF"; +const char * mbedtls_dhm_rfc7919_ffdhe4096_g = "02"; + +const char * mbedtls_dhm_rfc7919_ffdhe6144_p = + "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" + "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" + "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" + "A907600A918130C46DC778F971AD0038092999A333CB8B7A" + "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" + "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" + "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" + "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" + "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" + "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" + "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" + "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" + "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" + "D72B03746AE77F5E62292C311562A846505DC82DB854338A" + "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" + "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" + "A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF"; +const char * mbedtls_dhm_rfc7919_ffdhe6144_g = "02"; + +const char * mbedtls_dhm_rfc7919_ffdhe8192_p = + "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" + "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" + "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" + "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" + "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" + "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" + "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" + "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" + "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" + "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" + "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" + "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" + "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" + "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" + "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" + "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" + "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" + "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" + "A907600A918130C46DC778F971AD0038092999A333CB8B7A" + "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" + "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" + "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" + "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" + "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" + "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" + "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" + "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" + "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" + "D72B03746AE77F5E62292C311562A846505DC82DB854338A" + "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" + "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" + "A41D570D7938DAD4A40E329CCFF46AAA36AD004CF600C838" + "1E425A31D951AE64FDB23FCEC9509D43687FEB69EDD1CC5E" + "0B8CC3BDF64B10EF86B63142A3AB8829555B2F747C932665" + "CB2C0F1CC01BD70229388839D2AF05E454504AC78B758282" + "2846C0BA35C35F5C59160CC046FD8251541FC68C9C86B022" + "BB7099876A460E7451A8A93109703FEE1C217E6C3826E52C" + "51AA691E0E423CFC99E9E31650C1217B624816CDAD9A95F9" + "D5B8019488D9C0A0A1FE3075A577E23183F81D4A3F2FA457" + "1EFC8CE0BA8A4FE8B6855DFE72B0A66EDED2FBABFBE58A30" + "FAFABE1C5D71A87E2F741EF8C1FE86FEA6BBFDE530677F0D" + "97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88C" + "D68C8BB7C5C6424CFFFFFFFF" + "FFFFFFFF"; +const char * mbedtls_dhm_rfc7919_ffdhe8192_g = "02"; + + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; From 8c8b0ab8779255ee98e22d885f286b1b890830f0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 27 Sep 2017 11:49:49 +0100 Subject: [PATCH 03/29] Change default Diffie-Hellman parameters from RFC 5114 to RFC 7919 The origin of the primes in RFC 5114 is undocumented and their use therefore constitutes a security risk. --- library/ssl_tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b388156df..1ef50c244 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7538,8 +7538,8 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, if( endpoint == MBEDTLS_SSL_IS_SERVER ) { if( ( ret = mbedtls_ssl_conf_dh_param( conf, - MBEDTLS_DHM_RFC5114_MODP_2048_P, - MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 ) + mbedtls_dhm_rfc7919_ffdhe2048_p, + mbedtls_dhm_rfc7919_ffdhe2048_g ) ) != 0 ) { return( ret ); } From b1d4d1fa6e59fa8207466cd26203012b5f5b6ff7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 27 Sep 2017 12:42:59 +0100 Subject: [PATCH 04/29] Add description of how the primes from RFC 3526/7919 were generated --- include/mbedtls/dhm.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index c26b5a2d6..57c8acb6c 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -77,6 +77,22 @@ * \deprecated The primes from RFC 5114 are superseded by the primes * from RFC 3526 and RFC 7919 and should no longer be used. * They will be removed in the next major revision. + * + * The primes from RFC 3526 and RFC 7919 have been generating by the following + * trust-worthy procedure: + * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number + * the first and last 64 bits are all 1, and the remaining N - 128 bits of + * which are 0x7ff...ff. + * - Add the smallest multiple of the first N - 129 bits of the binary expansion + * of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string + * such that the resulting integer is a safe-prime. + * - The result is the respective RFC 3526 / 7919 prime, and the corresponding + * generator is always chosen to be 2 (which is a square for these prime, + * hence the corresponding subgroup has order (p-1)/2 and avoids leaking a + * bit in the private exponent). + * + * The above description can be validated using the + * the program programs/util/rfc_3526_7919_verify. */ const char *mbedtls_dhm_rfc3526_modp_2048_p; From 4c72b000cb19e037622576b7f4de8957d70eced7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 27 Sep 2017 16:06:22 +0100 Subject: [PATCH 05/29] Add const-qualifiers to prime constants --- include/mbedtls/dhm.h | 36 ++++++++++++++++++------------------ library/dhm.c | 36 ++++++++++++++++++------------------ 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 57c8acb6c..a9185ec08 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -95,27 +95,27 @@ * the program programs/util/rfc_3526_7919_verify. */ -const char *mbedtls_dhm_rfc3526_modp_2048_p; -const char *mbedtls_dhm_rfc3526_modp_2048_g; -const char *mbedtls_dhm_rfc3526_modp_3072_p; -const char *mbedtls_dhm_rfc3526_modp_3072_g; -const char *mbedtls_dhm_rfc3526_modp_4096_p; -const char *mbedtls_dhm_rfc3526_modp_4096_g; +const char * const mbedtls_dhm_rfc3526_modp_2048_p; +const char * const mbedtls_dhm_rfc3526_modp_2048_g; +const char * const mbedtls_dhm_rfc3526_modp_3072_p; +const char * const mbedtls_dhm_rfc3526_modp_3072_g; +const char * const mbedtls_dhm_rfc3526_modp_4096_p; +const char * const mbedtls_dhm_rfc3526_modp_4096_g; -const char *mbedtls_dhm_rfc7919_ffdhe2048_p; -const char *mbedtls_dhm_rfc7919_ffdhe2048_g; -const char *mbedtls_dhm_rfc7919_ffdhe3072_p; -const char *mbedtls_dhm_rfc7919_ffdhe3072_g; -const char *mbedtls_dhm_rfc7919_ffdhe4096_p; -const char *mbedtls_dhm_rfc7919_ffdhe4096_g; -const char *mbedtls_dhm_rfc7919_ffdhe6144_p; -const char *mbedtls_dhm_rfc7919_ffdhe6144_g; -const char *mbedtls_dhm_rfc7919_ffdhe8192_p; -const char *mbedtls_dhm_rfc7919_ffdhe8192_g; +const char * const mbedtls_dhm_rfc7919_ffdhe2048_p; +const char * const mbedtls_dhm_rfc7919_ffdhe2048_g; +const char * const mbedtls_dhm_rfc7919_ffdhe3072_p; +const char * const mbedtls_dhm_rfc7919_ffdhe3072_g; +const char * const mbedtls_dhm_rfc7919_ffdhe4096_p; +const char * const mbedtls_dhm_rfc7919_ffdhe4096_g; +const char * const mbedtls_dhm_rfc7919_ffdhe6144_p; +const char * const mbedtls_dhm_rfc7919_ffdhe6144_g; +const char * const mbedtls_dhm_rfc7919_ffdhe8192_p; +const char * const mbedtls_dhm_rfc7919_ffdhe8192_g; #if !defined(MBEDTLS_DEPRECATED_REMOVED) -MBEDTLS_DEPRECATED const char *mbedtls_dhm_rfc5114_modp_2048_p; -MBEDTLS_DEPRECATED const char *mbedtls_dhm_rfc5114_modp_2048_g; +MBEDTLS_DEPRECATED const char * const mbedtls_dhm_rfc5114_modp_2048_p; +MBEDTLS_DEPRECATED const char * const mbedtls_dhm_rfc5114_modp_2048_g; #endif /** diff --git a/library/dhm.c b/library/dhm.c index e98148dcd..dbfb6538e 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -68,7 +68,7 @@ * They will be removed in the next major version. */ -const char * mbedtls_dhm_rfc5114_modp_2048_p = +const char * const mbedtls_dhm_rfc5114_modp_2048_p = "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" @@ -80,7 +80,7 @@ const char * mbedtls_dhm_rfc5114_modp_2048_p = "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" "CF9DE5384E71B81C0AC4DFFE0C10E64F"; -const char * mbedtls_dhm_rfc5114_modp_2048_g = +const char * const mbedtls_dhm_rfc5114_modp_2048_g = "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF" "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA" "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7" @@ -97,7 +97,7 @@ const char * mbedtls_dhm_rfc5114_modp_2048_g = * Diffie-Hellman groups from RFC 3526 */ -const char * mbedtls_dhm_rfc3526_modp_2048_p = +const char * const mbedtls_dhm_rfc3526_modp_2048_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" @@ -109,9 +109,9 @@ const char * mbedtls_dhm_rfc3526_modp_2048_p = "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" "15728E5A8AACAA68FFFFFFFFFFFFFFFF"; -const char * mbedtls_dhm_rfc3526_modp_2048_g = "02"; +const char * const mbedtls_dhm_rfc3526_modp_2048_g = "02"; -const char * mbedtls_dhm_rfc3526_modp_3072_p = +const char * const mbedtls_dhm_rfc3526_modp_3072_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" @@ -128,9 +128,9 @@ const char * mbedtls_dhm_rfc3526_modp_3072_p = "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"; -const char * mbedtls_dhm_rfc3526_modp_3072_g = "02"; +const char * const mbedtls_dhm_rfc3526_modp_3072_g = "02"; -const char * mbedtls_dhm_rfc3526_modp_4096_p = +const char * const mbedtls_dhm_rfc3526_modp_4096_p = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" @@ -153,13 +153,13 @@ const char * mbedtls_dhm_rfc3526_modp_4096_p = "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" "FFFFFFFFFFFFFFFF"; -const char * mbedtls_dhm_rfc3526_modp_4096_g = "02"; +const char * const mbedtls_dhm_rfc3526_modp_4096_g = "02"; /* * Diffie-Hellman groups from RFC 7919 */ -const char * mbedtls_dhm_rfc7919_ffdhe2048_p = +const char * const mbedtls_dhm_rfc7919_ffdhe2048_p = "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" @@ -171,9 +171,9 @@ const char * mbedtls_dhm_rfc7919_ffdhe2048_p = "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" "886B423861285C97FFFFFFFFFFFFFFFF"; -const char * mbedtls_dhm_rfc7919_ffdhe2048_g = "02"; +const char * const mbedtls_dhm_rfc7919_ffdhe2048_g = "02"; -const char * mbedtls_dhm_rfc7919_ffdhe3072_p = +const char * const mbedtls_dhm_rfc7919_ffdhe3072_p = "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" @@ -190,9 +190,9 @@ const char * mbedtls_dhm_rfc7919_ffdhe3072_p = "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" "3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF"; -const char * mbedtls_dhm_rfc7919_ffdhe3072_g = "02"; +const char * const mbedtls_dhm_rfc7919_ffdhe3072_g = "02"; -const char * mbedtls_dhm_rfc7919_ffdhe4096_p = +const char * const mbedtls_dhm_rfc7919_ffdhe4096_p = "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" @@ -215,9 +215,9 @@ const char * mbedtls_dhm_rfc7919_ffdhe4096_p = "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6A" "FFFFFFFFFFFFFFFF"; -const char * mbedtls_dhm_rfc7919_ffdhe4096_g = "02"; +const char * const mbedtls_dhm_rfc7919_ffdhe4096_g = "02"; -const char * mbedtls_dhm_rfc7919_ffdhe6144_p = +const char * const mbedtls_dhm_rfc7919_ffdhe6144_p = "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" @@ -250,9 +250,9 @@ const char * mbedtls_dhm_rfc7919_ffdhe6144_p = "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" "A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF"; -const char * mbedtls_dhm_rfc7919_ffdhe6144_g = "02"; +const char * const mbedtls_dhm_rfc7919_ffdhe6144_g = "02"; -const char * mbedtls_dhm_rfc7919_ffdhe8192_p = +const char * const mbedtls_dhm_rfc7919_ffdhe8192_p = "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" @@ -297,7 +297,7 @@ const char * mbedtls_dhm_rfc7919_ffdhe8192_p = "97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88C" "D68C8BB7C5C6424CFFFFFFFF" "FFFFFFFF"; -const char * mbedtls_dhm_rfc7919_ffdhe8192_g = "02"; +const char * const mbedtls_dhm_rfc7919_ffdhe8192_g = "02"; /* Implementation that should never be optimized out by the compiler */ From 13be9901147efcb4c8cf6e52e2caecdb8957f601 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 27 Sep 2017 17:17:30 +0100 Subject: [PATCH 06/29] Correct expectation in DHM test in ssl-opt.sh The previous test expected a DHM group generator of size 2048 bits, while with the change to RFC 7919, the base is 2, so has bit-size 2. --- tests/ssl-opt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 280fc6348..de2058885 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2903,7 +2903,7 @@ run_test "DHM parameters: reference" \ debug_level=3" \ 0 \ -c "value of 'DHM: P ' (2048 bits)" \ - -c "value of 'DHM: G ' (2048 bits)" + -c "value of 'DHM: G ' (2 bits)" run_test "DHM parameters: other parameters" \ "$P_SRV dhm_file=data_files/dhparams.pem" \ From e71ad12cd5d87d15d6862d603ffb34961992c99d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 28 Sep 2017 10:32:25 +0100 Subject: [PATCH 07/29] Minor code-improvements in dhm.c --- library/dhm.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/library/dhm.c b/library/dhm.c index dbfb6538e..a29b02992 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -430,10 +430,13 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size, /* * export P, G, GX */ -#define DHM_MPI_EXPORT(X,n) \ - MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( X, p + 2, n ) ); \ - *p++ = (unsigned char)( n >> 8 ); \ - *p++ = (unsigned char)( n ); p += n; +#define DHM_MPI_EXPORT(X,n) \ + do { \ + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( X, p + 2, n ) ); \ + *p++ = (unsigned char)( n >> 8 ); \ + *p++ = (unsigned char)( n ); \ + p += n; \ + } while( 0 ) n1 = mbedtls_mpi_size( &ctx->P ); n2 = mbedtls_mpi_size( &ctx->G ); @@ -444,7 +447,7 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size, DHM_MPI_EXPORT( &ctx->G , n2 ); DHM_MPI_EXPORT( &ctx->GX, n3 ); - *olen = p - output; + *olen = p - output; ctx->len = n1; @@ -643,10 +646,11 @@ cleanup: */ void mbedtls_dhm_free( mbedtls_dhm_context *ctx ) { - mbedtls_mpi_free( &ctx->pX); mbedtls_mpi_free( &ctx->Vf ); mbedtls_mpi_free( &ctx->Vi ); - mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->K ); mbedtls_mpi_free( &ctx->GY ); - mbedtls_mpi_free( &ctx->GX ); mbedtls_mpi_free( &ctx->X ); mbedtls_mpi_free( &ctx->G ); - mbedtls_mpi_free( &ctx->P ); + mbedtls_mpi_free( &ctx->pX ); mbedtls_mpi_free( &ctx->Vf ); + mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->RP ); + mbedtls_mpi_free( &ctx->K ); mbedtls_mpi_free( &ctx->GY ); + mbedtls_mpi_free( &ctx->GX ); mbedtls_mpi_free( &ctx->X ); + mbedtls_mpi_free( &ctx->G ); mbedtls_mpi_free( &ctx->P ); mbedtls_zeroize( ctx, sizeof( mbedtls_dhm_context ) ); } From e764324d96645efe68d6ac76bb46e17dfcd1d533 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 28 Sep 2017 10:33:11 +0100 Subject: [PATCH 08/29] Improve documentation in dhm.h --- include/mbedtls/dhm.h | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index a9185ec08..43c49402f 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -167,7 +167,8 @@ void mbedtls_dhm_init( mbedtls_dhm_context *ctx ); * \brief Parse the ServerKeyExchange parameters * * \param ctx DHM context - * \param p &(start of input buffer) + * \param p &(start of input buffer), will be increased + * by the amount of data read. * \param end end of buffer * * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code @@ -186,6 +187,11 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx, * \param f_rng RNG function * \param p_rng RNG parameter * + * \note The destination buffer must be large enough to hold + * the modulus, the generator, and the public key, each + * wrapped with a 2-byte length field. It is the responsibility + * of the caller to ensure that enough space is available. + * * \note This function assumes that ctx->P and ctx->G * have already been properly set (for example * using mbedtls_mpi_read_string or mbedtls_mpi_read_binary). @@ -215,10 +221,16 @@ int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx, * \param ctx DHM context * \param x_size private value size in bytes * \param output destination buffer - * \param olen must be at least equal to the size of P, ctx->len + * \param olen size of the destination buffer; + * must be at least equal to the size of P, ctx->len * \param f_rng RNG function * \param p_rng RNG parameter * + * \note The destination buffer will always be fully written + * so as to contain a big-endian presentation of G^X mod P. + * If it is larger than ctx->len, it will accordingly be + * padded with zero-bytes in the beginning. + * * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code */ int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size, @@ -231,7 +243,8 @@ int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size, * * \param ctx DHM context * \param output destination buffer - * \param output_size size of the destination buffer + * \param output_size size of the destination buffer, must be at + * at least the size of ctx->len * \param olen on exit, holds the actual number of bytes written * \param f_rng RNG function, for blinding purposes * \param p_rng RNG parameter From a2f6b72cbb83302cdec09da68a492f0702f76b70 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 28 Sep 2017 10:33:29 +0100 Subject: [PATCH 09/29] Add warnings regarding the use of DHM in general --- include/mbedtls/config.h | 21 +++++++++++++++++++++ include/mbedtls/dhm.h | 23 +++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 47c719640..b490e33d7 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -618,6 +618,13 @@ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA + * + * \warning The possibility for the use of custom groups + * in the use of DHM in TLS constitutes a security + * risk. If possible, it is recommended to use + * EC-based key exchanges instead. See the documentation + * at the top of dhm.h for more information. + * */ #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED @@ -717,6 +724,13 @@ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + * + * \warning The possibility for the use of custom groups + * in the use of DHM in TLS constitutes a security + * risk. If possible, it is recommended to use + * EC-based key exchanges instead. See the documentation + * at the top of dhm.h for more information. + * */ #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED @@ -1835,6 +1849,13 @@ * * This module is used by the following key exchanges: * DHE-RSA, DHE-PSK + * + * \warning The possibility for the use of custom groups + * in the use of DHM in TLS constitutes a security + * risk. If possible, it is recommended to use + * EC-based key exchanges instead. See the documentation + * at the top of dhm.h for more information. + * */ #define MBEDTLS_DHM_C diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 43c49402f..542592d85 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -19,6 +19,29 @@ * limitations under the License. * * This file is part of mbed TLS (https://tls.mbed.org) + * + * \warning The security of the DHM key exchange relies on the proper choice + * of prime modulus - optimally, it should be a safe prime. The usage + * of non-safe primes both decreases the difficulty of the underlying + * discrete logarithm problem and can lead to small subgroup attacks + * leaking private exponent bits when invalid public keys are used + * and not detected. This is especially relevant if the same DHM parameters + * are reused for multiple key exchanges as in static DHM, while the + * criticality of small-subgroup attacks is lower for ephemeral DHM. + * + * For performance reasons, the code does neither perform primality + * nor safe primality tests, nor the expensive checks for invalid + * subgroups. + * + * The possibility for the use of custom, non-safe primes in DHM + * is a deficiency in the TLS protocol that has been adressed only + * recently through the addition of the named group extension from + * RFC 7919, which however is not yet implemented in Mbed TLS. + * + * If possible, we recommend to use elliptic curve based key + * exchanges instead of DHM-based ones, because the former only + * accepts standardized groups. + * */ #ifndef MBEDTLS_DHM_H #define MBEDTLS_DHM_H From 70da2c545b239c710a5f30893402a4f4c051af13 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 2 Oct 2017 15:02:59 +0100 Subject: [PATCH 10/29] Improve documentation of `mbedtls_dhm_make_params` --- include/mbedtls/dhm.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 542592d85..9254d953a 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -211,9 +211,11 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx, * \param p_rng RNG parameter * * \note The destination buffer must be large enough to hold - * the modulus, the generator, and the public key, each - * wrapped with a 2-byte length field. It is the responsibility - * of the caller to ensure that enough space is available. + * the reduced binary presentation of the modulus, the generator + * and the public key, each wrapped with a 2-byte length field. + * It is the responsibility of the caller to ensure that enough + * space is available. Refer to \c mbedtls_mpi_size to computing + * the byte-size of an MPI. * * \note This function assumes that ctx->P and ctx->G * have already been properly set (for example From de6c1644cc68e34bf0ccf1161f0cf0e74853434d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 2 Oct 2017 15:03:15 +0100 Subject: [PATCH 11/29] Add brackets around arguments of internal macro DHM_MPI_EXPORT --- library/dhm.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/library/dhm.c b/library/dhm.c index a29b02992..344b92cb5 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -430,12 +430,14 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size, /* * export P, G, GX */ -#define DHM_MPI_EXPORT(X,n) \ +#define DHM_MPI_EXPORT( X, n ) \ do { \ - MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( X, p + 2, n ) ); \ - *p++ = (unsigned char)( n >> 8 ); \ - *p++ = (unsigned char)( n ); \ - p += n; \ + MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( ( X ), \ + p + 2, \ + ( n ) ) ); \ + *p++ = (unsigned char)( ( n ) >> 8 ); \ + *p++ = (unsigned char)( ( n ) ); \ + p += ( n ); \ } while( 0 ) n1 = mbedtls_mpi_size( &ctx->P ); From f8258e7d5a50b61e2d525b4a62d056e665dbe320 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 2 Oct 2017 15:04:40 +0100 Subject: [PATCH 12/29] Adapt documentation of `mbedtls_ssl_conf_dh_param` to new moduli --- include/mbedtls/ssl.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index cc0007006..fb2f02f0e 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1702,7 +1702,7 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, /** * \brief Set the Diffie-Hellman public P and G values, * read as hexadecimal strings (server-side only) - * (Default: MBEDTLS_DHM_RFC5114_MODP_2048_[PG]) + * (Default: mbedtls_dhm_rfc7919_ffdhe2048_[pg]) * * \param conf SSL configuration * \param dhm_P Diffie-Hellman-Merkle modulus @@ -1710,7 +1710,9 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, * * \return 0 if successful */ -int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ); +int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, + const char *dhm_P, + const char *dhm_G ); /** * \brief Set the Diffie-Hellman public P and G values, From d4d856265ec2c486a3dc83238934c11a77d239b9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 2 Oct 2017 15:06:27 +0100 Subject: [PATCH 13/29] Don't use deprecated macro form of DHM moduli in benchmark program --- programs/test/benchmark.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index eb578e730..9c6d46271 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -668,12 +668,12 @@ int main( int argc, char *argv[] ) { int dhm_sizes[] = { 2048, 3072 }; const char *dhm_P[] = { - MBEDTLS_DHM_RFC3526_MODP_2048_P, - MBEDTLS_DHM_RFC3526_MODP_3072_P, + mbedtls_dhm_rfc3526_modp_2048_p, + mbedtls_dhm_rfc3526_modp_3072_p, }; const char *dhm_G[] = { - MBEDTLS_DHM_RFC3526_MODP_2048_G, - MBEDTLS_DHM_RFC3526_MODP_3072_G, + mbedtls_dhm_rfc3526_modp_2048_g, + mbedtls_dhm_rfc3526_modp_3072_g, }; mbedtls_dhm_context dhm; From f240ea0b50c16dcae781c23294eba2468fdd59c2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 2 Oct 2017 15:09:14 +0100 Subject: [PATCH 14/29] Expand documentation of `mbedtls_dhm_read_params` --- include/mbedtls/dhm.h | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 9254d953a..ed39f8db4 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -190,8 +190,13 @@ void mbedtls_dhm_init( mbedtls_dhm_context *ctx ); * \brief Parse the ServerKeyExchange parameters * * \param ctx DHM context - * \param p &(start of input buffer), will be increased - * by the amount of data read. + * \param p On input, *p must be the start of the input buffer. + * On output, *p is updated to point to the end of the data + * that has been read. On success, this is the first byte + * past the end of the ServerKeyExchange parameters. + * On error, this is the point at which an error has been + * detected, which is usually not useful except to debug + * failures. * \param end end of buffer * * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code From f9734b35b53fd9707ed3c44925f06068a2c442b6 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 3 Oct 2017 12:09:22 +0100 Subject: [PATCH 15/29] Change wording of warnings --- include/mbedtls/config.h | 30 +++++++++++++++--------------- include/mbedtls/dhm.h | 22 ++++++++++------------ 2 files changed, 25 insertions(+), 27 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index b490e33d7..cff9391ea 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -619,11 +619,11 @@ * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA * - * \warning The possibility for the use of custom groups - * in the use of DHM in TLS constitutes a security - * risk. If possible, it is recommended to use - * EC-based key exchanges instead. See the documentation - * at the top of dhm.h for more information. + * \warning Using DHE constitutes a security risk as it + * is not possible to validate custom DH parameters. + * If possible, it is recommended users should consider + * preferring other methods of key exchange. + * See dhm.h for more details. * */ #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED @@ -725,11 +725,11 @@ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA * - * \warning The possibility for the use of custom groups - * in the use of DHM in TLS constitutes a security - * risk. If possible, it is recommended to use - * EC-based key exchanges instead. See the documentation - * at the top of dhm.h for more information. + * \warning Using DHE constitutes a security risk as it + * is not possible to validate custom DH parameters. + * If possible, it is recommended users should consider + * preferring other methods of key exchange. + * See dhm.h for more details. * */ #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED @@ -1850,11 +1850,11 @@ * This module is used by the following key exchanges: * DHE-RSA, DHE-PSK * - * \warning The possibility for the use of custom groups - * in the use of DHM in TLS constitutes a security - * risk. If possible, it is recommended to use - * EC-based key exchanges instead. See the documentation - * at the top of dhm.h for more information. + * \warning Using DHE constitutes a security risk as it + * is not possible to validate custom DH parameters. + * If possible, it is recommended users should consider + * preferring other methods of key exchange. + * See dhm.h for more details. * */ #define MBEDTLS_DHM_C diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index ed39f8db4..9ef814650 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -25,22 +25,20 @@ * of non-safe primes both decreases the difficulty of the underlying * discrete logarithm problem and can lead to small subgroup attacks * leaking private exponent bits when invalid public keys are used - * and not detected. This is especially relevant if the same DHM parameters - * are reused for multiple key exchanges as in static DHM, while the - * criticality of small-subgroup attacks is lower for ephemeral DHM. + * and not detected. This is especially relevant if the same DHM + * parameters are reused for multiple key exchanges as in static DHM, + * while the criticality of small-subgroup attacks is lower for + * ephemeral DHM. * * For performance reasons, the code does neither perform primality * nor safe primality tests, nor the expensive checks for invalid - * subgroups. + * subgroups. Moreover, even if these were performed, non-standardized + * primes cannot be trusted because of the possibility of backdoors + * that can't be effectively checked for. * - * The possibility for the use of custom, non-safe primes in DHM - * is a deficiency in the TLS protocol that has been adressed only - * recently through the addition of the named group extension from - * RFC 7919, which however is not yet implemented in Mbed TLS. - * - * If possible, we recommend to use elliptic curve based key - * exchanges instead of DHM-based ones, because the former only - * accepts standardized groups. + * We therefore consider DHE a security risk. If possible, it is + * recommended users should consider preferring other methods of + * key exchange. * */ #ifndef MBEDTLS_DHM_H From e2fcfa84ea2fe8453adb26cbf32261dc4683d0f7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:12:15 +0100 Subject: [PATCH 16/29] Stick to the use of constant-macros This commit returns to using constant macros instead of global variables for the DHM group constants. Further, macros providing the binary encoding of the primes from RFC 3526 and RFC 7919 are added. The hex-string macros are deprecated. --- include/mbedtls/dhm.h | 812 +++++++++++++++++++++++++++++++++++++----- library/dhm.c | 243 ------------- 2 files changed, 717 insertions(+), 338 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 9ef814650..c105d7a78 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -58,101 +58,7 @@ #define MBEDTLS_ERR_DHM_INVALID_FORMAT -0x3380 /**< The ASN.1 data is not formatted correctly. */ #define MBEDTLS_ERR_DHM_ALLOC_FAILED -0x3400 /**< Allocation of memory failed. */ #define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480 /**< Read/write of file failed. */ - -#if ! defined(MBEDTLS_DEPRECATED_REMOVED) -#if defined(MBEDTLS_DEPRECATED_WARNING) -#define MBEDTLS_DEPRECATED __attribute__((deprecated)) -#else -#define MBEDTLS_DEPRECATED -#endif -#endif - -/** - * RFC 3526, RFC 5114 and RFC 7919 standardize a number of - * Diffie-Hellman groups, some of which are included here - * for use within the SSL/TLS module and the user's convenience - * when configuring the Diffie-Hellman parameters by hand - * through \c mbedtls_ssl_conf_dh_param. - * - * Included are: - * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup - * RFC 3526 3. 2048-bit MODP Group - * RFC 3526 4. 3072-bit MODP Group - * RFC 3526 5. 4096-bit MODP Group - * RFC 7919 A.1 ffdhe2048 - * RFC 7919 A.2 ffdhe3072 - * RFC 7919 A.3 ffdhe4096 - * RFC 7919 A.4 ffdhe6144 - * RFC 7919 A.5 ffdhe8192 - * - * The constants with suffix "_p" denote the chosen prime moduli, while - * the constants with suffix "_g" denote the chosen generator - * of the associated prime field. - * - * All constants are represented as null-terminated strings containing the - * hexadecimal presentation of the respective numbers. - * - * \warning The origin of the primes in RFC 5114 is not documented and - * their use therefore constitutes a security risk! - * - * \deprecated The primes from RFC 5114 are superseded by the primes - * from RFC 3526 and RFC 7919 and should no longer be used. - * They will be removed in the next major revision. - * - * The primes from RFC 3526 and RFC 7919 have been generating by the following - * trust-worthy procedure: - * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number - * the first and last 64 bits are all 1, and the remaining N - 128 bits of - * which are 0x7ff...ff. - * - Add the smallest multiple of the first N - 129 bits of the binary expansion - * of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string - * such that the resulting integer is a safe-prime. - * - The result is the respective RFC 3526 / 7919 prime, and the corresponding - * generator is always chosen to be 2 (which is a square for these prime, - * hence the corresponding subgroup has order (p-1)/2 and avoids leaking a - * bit in the private exponent). - * - * The above description can be validated using the - * the program programs/util/rfc_3526_7919_verify. - */ - -const char * const mbedtls_dhm_rfc3526_modp_2048_p; -const char * const mbedtls_dhm_rfc3526_modp_2048_g; -const char * const mbedtls_dhm_rfc3526_modp_3072_p; -const char * const mbedtls_dhm_rfc3526_modp_3072_g; -const char * const mbedtls_dhm_rfc3526_modp_4096_p; -const char * const mbedtls_dhm_rfc3526_modp_4096_g; - -const char * const mbedtls_dhm_rfc7919_ffdhe2048_p; -const char * const mbedtls_dhm_rfc7919_ffdhe2048_g; -const char * const mbedtls_dhm_rfc7919_ffdhe3072_p; -const char * const mbedtls_dhm_rfc7919_ffdhe3072_g; -const char * const mbedtls_dhm_rfc7919_ffdhe4096_p; -const char * const mbedtls_dhm_rfc7919_ffdhe4096_g; -const char * const mbedtls_dhm_rfc7919_ffdhe6144_p; -const char * const mbedtls_dhm_rfc7919_ffdhe6144_g; -const char * const mbedtls_dhm_rfc7919_ffdhe8192_p; -const char * const mbedtls_dhm_rfc7919_ffdhe8192_g; - -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -MBEDTLS_DEPRECATED const char * const mbedtls_dhm_rfc5114_modp_2048_p; -MBEDTLS_DEPRECATED const char * const mbedtls_dhm_rfc5114_modp_2048_g; -#endif - -/** - * \deprecated These macros are superseded by direct access to the corresponding - * global variables and will be removed in the next major revision. - */ -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -#define MBEDTLS_DHM_RFC5114_MODP_2048_P mbedtls_dhm_rfc5114_modp_2048_p -#define MBEDTLS_DHM_RFC5114_MODP_2048_G mbedtls_dhm_rfc5114_modp_2048_g -#define MBEDTLS_DHM_RFC3526_MODP_2048_P mbedtls_dhm_rfc3526_modp_2048_p -#define MBEDTLS_DHM_RFC3526_MODP_2048_G mbedtls_dhm_rfc3526_modp_2048_g -#define MBEDTLS_DHM_RFC3526_MODP_3072_P mbedtls_dhm_rfc3526_modp_3072_p -#define MBEDTLS_DHM_RFC3526_MODP_3072_G mbedtls_dhm_rfc3526_modp_3072_g -#define MBEDTLS_DHM_RFC3526_MODP_4096_P mbedtls_dhm_rfc3526_modp_4096_p -#define MBEDTLS_DHM_RFC3526_MODP_4096_G mbedtls_dhm_rfc3526_modp_4096_g -#endif +#define MBEDTLS_ERR_DHM_SET_GROUP_FAILED -0x3500 /**< Setting the modulus and generator failed. */ #ifdef __cplusplus extern "C" { @@ -337,4 +243,720 @@ int mbedtls_dhm_self_test( int verbose ); } #endif +/** + * RFC 3526, RFC 5114 and RFC 7919 standardize a number of + * Diffie-Hellman groups, some of which are included here + * for use within the SSL/TLS module and the user's convenience + * when configuring the Diffie-Hellman parameters by hand + * through \c mbedtls_ssl_conf_dh_param. + * + * Included are: + * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup + * RFC 3526 3. 2048-bit MODP Group + * RFC 3526 4. 3072-bit MODP Group + * RFC 3526 5. 4096-bit MODP Group + * RFC 7919 A.1 ffdhe2048 + * RFC 7919 A.2 ffdhe3072 + * RFC 7919 A.3 ffdhe4096 + * RFC 7919 A.4 ffdhe6144 + * RFC 7919 A.5 ffdhe8192 + * + * The constants with suffix "_p" denote the chosen prime moduli, while + * the constants with suffix "_g" denote the chosen generator + * of the associated prime field. + * + * The constants further suffixed with "_bin" are provided in binary format, + * while all other constants represent null-terminated strings holding the + * hexadecimal presentation of the respective numbers. + * + * The primes from RFC 3526 and RFC 7919 have been generating by the following + * trust-worthy procedure: + * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number + * the first and last 64 bits are all 1, and the remaining N - 128 bits of + * which are 0x7ff...ff. + * - Add the smallest multiple of the first N - 129 bits of the binary expansion + * of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string + * such that the resulting integer is a safe-prime. + * - The result is the respective RFC 3526 / 7919 prime, and the corresponding + * generator is always chosen to be 2 (which is a square for these prime, + * hence the corresponding subgroup has order (p-1)/2 and avoids leaking a + * bit in the private exponent). + * + * The above description can be validated using the + * the program programs/util/rfc_3526_7919_verify. + */ + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) + +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +MBEDTLS_DEPRECATED typedef char const * deprecated_constant_t; +#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) \ + ( (deprecated_constant_t) ( VAL ) ) +#else +#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL +#endif /* ! MBEDTLS_DEPRECATED_WARNING */ + +/** + * \warning The origin of the primes in RFC 5114 is not documented and + * their use therefore constitutes a security risk! + * + * \deprecated The hex-encoded primes from RFC 5114 are deprecated and are + * likely to be removed in a future version of the library without + * replacement. + */ + +#define MBEDTLS_DHM_RFC5114_MODP_P \ + MBEDTLS_DEPRECATED_STRING_CONSTANT( \ + "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" \ + "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" \ + "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" \ + "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" \ + "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" \ + "B3BF8A317091883681286130BC8985DB1602E714415D9330" \ + "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" \ + "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" \ + "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" \ + "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" \ + "CF9DE5384E71B81C0AC4DFFE0C10E64F" ) + +#define MBEDTLS_DHM_RFC5114_MODP_2048_G \ + MBEDTLS_DEPRECATED_STRING_CONSTANT( \ + "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF" \ + "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA" \ + "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7" \ + "C17669101999024AF4D027275AC1348BB8A762D0521BC98A" \ + "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE" \ + "F180EB34118E98D119529A45D6F834566E3025E316A330EF" \ + "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB" \ + "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381" \ + "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269" \ + "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179" \ + "81BC087F2A7065B384B890D3191F2BFA" ) + +/** + * \deprecated The hex-encoded primes from RFC 3625 are deprecated and + * superseded by the corresponding macros providing them as + * binary constants. Their hex-encoded constants are likely + * to be removed in a future version of the library. + * + */ + +#define MBEDTLS_DHM_RFC3526_MODP_2048_P \ + MBEDTLS_DEPRECATED_STRING_CONSTANT( \ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ + "15728E5A8AACAA68FFFFFFFFFFFFFFFF" ) + +#define MBEDTLS_DHM_RFC3526_MODP_2048_G \ + MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + +#define MBEDTLS_DHM_RFC3526_MODP_3072_P \ + MBEDTLS_DEPRECATED_STRING_CONSTANT( \ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \ + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \ + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \ + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \ + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ + "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" ) + +#define MBEDTLS_DHM_RFC3526_MODP_3072_G \ + MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + +#define MBEDTLS_DHM_RFC3526_MODP_4096_P \ + MBEDTLS_DEPRECATED_STRING_CONSTANT( \ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \ + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \ + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \ + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \ + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ + "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" \ + "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" \ + "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" \ + "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" \ + "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" \ + "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" \ + "FFFFFFFFFFFFFFFF" ) + +#define MBEDTLS_DHM_RFC3526_MODP_4096_G \ + MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + +#endif /* MBEDTLS_DEPRECATED_REMOVED */ + +/* + * Trustworthy DHM parameters in binary form + */ + +#define MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \ + 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \ + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \ + 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \ + 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \ + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \ + 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \ + 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \ + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \ + 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \ + 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \ + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \ + 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \ + 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \ + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \ + 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \ + 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \ + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \ + 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \ + 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \ + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \ + 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \ + 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \ + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \ + 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \ + 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \ + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \ + 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \ + 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \ + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \ + 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \ + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \ + 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \ + 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \ + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \ + 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \ + 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \ + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \ + 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \ + 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \ + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \ + 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \ + 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \ + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \ + 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \ + 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \ + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \ + 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \ + 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \ + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \ + 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \ + 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \ + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \ + 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \ + 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \ + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \ + 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \ + 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \ + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \ + 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \ + 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \ + 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \ + 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \ + 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \ + 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \ + 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \ + 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \ + 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \ + 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \ + 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \ + 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \ + 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \ + 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \ + 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \ + 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC3526_MODP_4096_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \ + 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \ + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \ + 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \ + 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \ + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \ + 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \ + 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \ + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \ + 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \ + 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \ + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \ + 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \ + 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \ + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \ + 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \ + 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \ + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \ + 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \ + 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \ + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \ + 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \ + 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \ + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \ + 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \ + 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \ + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \ + 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \ + 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \ + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \ + 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \ + 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \ + 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \ + 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \ + 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \ + 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \ + 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \ + 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \ + 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \ + 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \ + 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \ + 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \ + 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \ + 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \ + 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \ + 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, \ + 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, \ + 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, \ + 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, \ + 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, \ + 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, \ + 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, \ + 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, \ + 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, \ + 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, \ + 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, \ + 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, \ + 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, \ + 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, \ + 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, \ + 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, \ + 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC3526_MODP_4096_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \ + 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \ + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \ + 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \ + 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \ + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \ + 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \ + 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \ + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \ + 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \ + 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \ + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \ + 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \ + 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \ + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \ + 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \ + 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \ + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \ + 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \ + 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \ + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \ + 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \ + 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \ + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \ + 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \ + 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \ + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \ + 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \ + 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \ + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, } + +#define MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \ + 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \ + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \ + 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \ + 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \ + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \ + 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \ + 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \ + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \ + 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \ + 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \ + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \ + 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \ + 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \ + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \ + 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \ + 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \ + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \ + 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \ + 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \ + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \ + 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \ + 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \ + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \ + 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \ + 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \ + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \ + 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \ + 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \ + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \ + 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \ + 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \ + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \ + 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \ + 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \ + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \ + 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \ + 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \ + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \ + 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \ + 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \ + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \ + 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \ + 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \ + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \ + 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \ + 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \ + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \ + 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \ + 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \ + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \ + 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \ + 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \ + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \ + 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \ + 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \ + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \ + 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \ + 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \ + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \ + 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \ + 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \ + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \ + 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \ + 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \ + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \ + 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \ + 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \ + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \ + 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \ + 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \ + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \ + 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \ + 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \ + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \ + 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \ + 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \ + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \ + 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \ + 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \ + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \ + 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \ + 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \ + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \ + 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \ + 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \ + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \ + 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \ + 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \ + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \ + 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \ + 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \ + 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \ + 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \ + 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \ + 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \ + 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \ + 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \ + 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \ + 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \ + 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \ + 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \ + 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \ + 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \ + 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \ + 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \ + 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \ + 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \ + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \ + 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \ + 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \ + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \ + 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \ + 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \ + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \ + 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \ + 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \ + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \ + 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \ + 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \ + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \ + 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \ + 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \ + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \ + 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \ + 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \ + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \ + 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \ + 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \ + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \ + 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \ + 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \ + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \ + 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \ + 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \ + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \ + 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \ + 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \ + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \ + 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \ + 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \ + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \ + 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \ + 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \ + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \ + 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \ + 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \ + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \ + 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \ + 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \ + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \ + 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \ + 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \ + 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \ + 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \ + 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \ + 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \ + 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \ + 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \ + 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \ + 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \ + 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \ + 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \ + 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \ + 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \ + 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \ + 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \ + 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \ + 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \ + 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \ + 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \ + 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \ + 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \ + 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \ + 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \ + 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \ + 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \ + 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \ + 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \ + 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \ + 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \ + 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \ + 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \ + 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \ + 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \ + 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \ + 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \ + 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \ + 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \ + 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \ + 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \ + 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \ + 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \ + 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \ + 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \ + 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \ + 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \ + 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \ + 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \ + 0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \ + 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \ + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \ + 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \ + 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \ + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \ + 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \ + 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \ + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \ + 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \ + 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \ + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \ + 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \ + 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \ + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \ + 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \ + 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \ + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \ + 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \ + 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \ + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \ + 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \ + 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \ + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \ + 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \ + 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \ + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \ + 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \ + 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \ + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \ + 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \ + 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \ + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \ + 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \ + 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \ + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \ + 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \ + 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \ + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \ + 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \ + 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \ + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \ + 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \ + 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \ + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \ + 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \ + 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \ + 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \ + 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \ + 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \ + 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \ + 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \ + 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \ + 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \ + 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \ + 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \ + 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \ + 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \ + 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \ + 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \ + 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \ + 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \ + 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \ + 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \ + 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \ + 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \ + 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \ + 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \ + 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \ + 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \ + 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \ + 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \ + 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \ + 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \ + 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \ + 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \ + 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \ + 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \ + 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \ + 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \ + 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \ + 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \ + 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \ + 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \ + 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \ + 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \ + 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \ + 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \ + 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \ + 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \ + 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \ + 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \ + 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \ + 0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA, \ + 0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38, \ + 0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64, \ + 0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43, \ + 0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E, \ + 0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, \ + 0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29, \ + 0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65, \ + 0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, \ + 0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4, \ + 0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82, \ + 0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, \ + 0x59, 0x16, 0x0C, 0xC0, 0x46, 0xFD, 0x82, 0x51, \ + 0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22, \ + 0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, \ + 0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE, \ + 0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C, \ + 0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, \ + 0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B, \ + 0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9, \ + 0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, \ + 0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31, \ + 0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57, \ + 0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, \ + 0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E, \ + 0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30, \ + 0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, \ + 0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE, \ + 0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D, \ + 0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, \ + 0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E, \ + 0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C, \ + 0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN { 0x02 } + #endif /* dhm.h */ diff --git a/library/dhm.c b/library/dhm.c index 344b92cb5..8d9f66386 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -57,249 +57,6 @@ #define mbedtls_free free #endif -/* - * Diffie-Hellman groups from RFC 5114 - * - * \warning The origin of the primes in RFC 5114 is not documented and - * their use therefore constitutes a security risk! - * - * \deprecated The primes from RFC 5114 are superseded by the primes - * from RFC 3526 and RFC 7919 and should no longer be used. - * They will be removed in the next major version. - */ - -const char * const mbedtls_dhm_rfc5114_modp_2048_p = - "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" - "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" - "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" - "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" - "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" - "B3BF8A317091883681286130BC8985DB1602E714415D9330" - "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" - "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" - "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" - "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" - "CF9DE5384E71B81C0AC4DFFE0C10E64F"; -const char * const mbedtls_dhm_rfc5114_modp_2048_g = - "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF" - "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA" - "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7" - "C17669101999024AF4D027275AC1348BB8A762D0521BC98A" - "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE" - "F180EB34118E98D119529A45D6F834566E3025E316A330EF" - "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB" - "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381" - "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269" - "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179" - "81BC087F2A7065B384B890D3191F2BFA"; - -/* - * Diffie-Hellman groups from RFC 3526 - */ - -const char * const mbedtls_dhm_rfc3526_modp_2048_p = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AACAA68FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc3526_modp_2048_g = "02"; - -const char * const mbedtls_dhm_rfc3526_modp_3072_p = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc3526_modp_3072_g = "02"; - -const char * const mbedtls_dhm_rfc3526_modp_4096_p = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" - "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" - "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" - "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" - "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" - "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" - "FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc3526_modp_4096_g = "02"; - -/* - * Diffie-Hellman groups from RFC 7919 - */ - -const char * const mbedtls_dhm_rfc7919_ffdhe2048_p = - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" - "886B423861285C97FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc7919_ffdhe2048_g = "02"; - -const char * const mbedtls_dhm_rfc7919_ffdhe3072_p = - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" - "3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc7919_ffdhe3072_g = "02"; - -const char * const mbedtls_dhm_rfc7919_ffdhe4096_p = - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" - "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" - "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" - "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" - "A907600A918130C46DC778F971AD0038092999A333CB8B7A" - "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" - "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6A" - "FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc7919_ffdhe4096_g = "02"; - -const char * const mbedtls_dhm_rfc7919_ffdhe6144_p = - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" - "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" - "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" - "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" - "A907600A918130C46DC778F971AD0038092999A333CB8B7A" - "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" - "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" - "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" - "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" - "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" - "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" - "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" - "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" - "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" - "D72B03746AE77F5E62292C311562A846505DC82DB854338A" - "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" - "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" - "A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc7919_ffdhe6144_g = "02"; - -const char * const mbedtls_dhm_rfc7919_ffdhe8192_p = - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" - "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" - "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" - "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" - "A907600A918130C46DC778F971AD0038092999A333CB8B7A" - "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" - "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" - "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" - "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" - "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" - "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" - "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" - "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" - "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" - "D72B03746AE77F5E62292C311562A846505DC82DB854338A" - "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" - "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" - "A41D570D7938DAD4A40E329CCFF46AAA36AD004CF600C838" - "1E425A31D951AE64FDB23FCEC9509D43687FEB69EDD1CC5E" - "0B8CC3BDF64B10EF86B63142A3AB8829555B2F747C932665" - "CB2C0F1CC01BD70229388839D2AF05E454504AC78B758282" - "2846C0BA35C35F5C59160CC046FD8251541FC68C9C86B022" - "BB7099876A460E7451A8A93109703FEE1C217E6C3826E52C" - "51AA691E0E423CFC99E9E31650C1217B624816CDAD9A95F9" - "D5B8019488D9C0A0A1FE3075A577E23183F81D4A3F2FA457" - "1EFC8CE0BA8A4FE8B6855DFE72B0A66EDED2FBABFBE58A30" - "FAFABE1C5D71A87E2F741EF8C1FE86FEA6BBFDE530677F0D" - "97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88C" - "D68C8BB7C5C6424CFFFFFFFF" - "FFFFFFFF"; -const char * const mbedtls_dhm_rfc7919_ffdhe8192_g = "02"; - - /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; From b953921a4e1af098aabbf748a13f7f2f731280ca Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:13:34 +0100 Subject: [PATCH 17/29] Adapt benchmark application to naming and binary format --- programs/test/benchmark.c | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 9c6d46271..5361a5c8a 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -667,14 +667,22 @@ int main( int argc, char *argv[] ) if( todo.dhm ) { int dhm_sizes[] = { 2048, 3072 }; - const char *dhm_P[] = { - mbedtls_dhm_rfc3526_modp_2048_p, - mbedtls_dhm_rfc3526_modp_3072_p, - }; - const char *dhm_G[] = { - mbedtls_dhm_rfc3526_modp_2048_g, - mbedtls_dhm_rfc3526_modp_3072_g, - }; + const unsigned char dhm_P_2048[] = + MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; + const unsigned char dhm_P_3072[] = + MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN; + const unsigned char dhm_G_2048[] = + MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; + const unsigned char dhm_G_3072[] = + MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN; + + const unsigned char *dhm_P[] = { dhm_P_2048, dhm_P_3072 }; + const size_t dhm_P_size[] = { sizeof( dhm_P_2048 ), + sizeof( dhm_P_3072 ) }; + + const unsigned char *dhm_G[] = { dhm_G_2048, dhm_G_3072 }; + const size_t dhm_G_size[] = { sizeof( dhm_G_2048 ), + sizeof( dhm_G_3072 ) }; mbedtls_dhm_context dhm; size_t olen; @@ -682,8 +690,10 @@ int main( int argc, char *argv[] ) { mbedtls_dhm_init( &dhm ); - if( mbedtls_mpi_read_string( &dhm.P, 16, dhm_P[i] ) != 0 || - mbedtls_mpi_read_string( &dhm.G, 16, dhm_G[i] ) != 0 ) + if( mbedtls_mpi_read_binary( &dhm.P, dhm_P[i], + dhm_P_size[i] ) != 0 || + mbedtls_mpi_read_binary( &dhm.G, dhm_G[i], + dhm_G_size[i] ) != 0 ) { mbedtls_exit( 1 ); } From 00d0a6834ae81c5eea7989a56e8611225884f5c3 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:14:29 +0100 Subject: [PATCH 18/29] Adapt code setting default DHM parameters --- library/ssl_tls.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1ef50c244..f233e0a87 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7537,9 +7537,15 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) if( endpoint == MBEDTLS_SSL_IS_SERVER ) { - if( ( ret = mbedtls_ssl_conf_dh_param( conf, - mbedtls_dhm_rfc7919_ffdhe2048_p, - mbedtls_dhm_rfc7919_ffdhe2048_g ) ) != 0 ) + const unsigned char dhm_p[] = + MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; + const unsigned char dhm_g[] = + MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; + + if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_p, + sizeof( dhm_p ) ) ) != 0 || + ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_g, + sizeof( dhm_g ) ) ) != 0 ) { return( ret ); } From 8880e75dcbe06e74ca205e473fa66bbd9a4e4f2c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:15:08 +0100 Subject: [PATCH 19/29] Add new function mbedtls_dhm_set_group to DHM Group --- include/mbedtls/dhm.h | 21 +++++++++++++++++++-- library/dhm.c | 22 ++++++++++++++++++++++ 2 files changed, 41 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index c105d7a78..de818697d 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -127,8 +127,9 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx, * the byte-size of an MPI. * * \note This function assumes that ctx->P and ctx->G - * have already been properly set (for example - * using mbedtls_mpi_read_string or mbedtls_mpi_read_binary). + * have already been properly set. For that, use + * \c mbedtls_dhm_set_group below in conjunction with + * \c mbedtls_mpi_read_binary and \c mbedtls_mpi_read_string. * * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code */ @@ -137,6 +138,22 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); +/** + * \brief Set prime modulus and generator + * + * \param ctx DHM context + * \param P MPI holding DHM prime modulus + * \param G MPI holding DHM generator + * + * \note This function can be used to set P, G + * in preparation for \c mbedtls_dhm_make_params. + * + * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code + */ +int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx, + const mbedtls_mpi *P, + const mbedtls_mpi *G ); + /** * \brief Import the peer's public value G^Y * diff --git a/library/dhm.c b/library/dhm.c index 8d9f66386..f824f7b9b 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -218,6 +218,28 @@ cleanup: return( 0 ); } +/* + * Set prime modulus and generator + */ +int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx, + const mbedtls_mpi *P, + const mbedtls_mpi *G ) +{ + int ret; + + if( ctx == NULL || P == NULL || G == NULL ) + return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); + + if( ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 || + ( ret = mbedtls_mpi_copy( &ctx->G, G ) ) != 0 ) + { + return( MBEDTLS_ERR_DHM_SET_GROUP_FAILED + ret ); + } + + ctx->len = mbedtls_mpi_size( &ctx->P ); + return( 0 ); +} + /* * Import the peer's public value G^Y */ From ab74056037535de9639c9878a20092ec43c7284c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:15:37 +0100 Subject: [PATCH 20/29] Make use of `mbedtls_dhm_set_group` when generating DHM params --- library/ssl_srv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index f137c3dce..fbfc9222a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2940,10 +2940,11 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) * opaque dh_Ys<1..2^16-1>; * } ServerDHParams; */ - if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 || - ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 ) + if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx, + &ssl->conf->dhm_P, + &ssl->conf->dhm_G ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret ); return( ret ); } From a6dd90de30bc40b8a7703eb79af5420eac8480b5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:15:54 +0100 Subject: [PATCH 21/29] Add error string for failure code in `mbedtls_dhm_set_group` --- library/error.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/error.c b/library/error.c index db42381c4..6fa0c21d0 100644 --- a/library/error.c +++ b/library/error.c @@ -206,6 +206,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "DHM - Allocation of memory failed" ); if( use_ret == -(MBEDTLS_ERR_DHM_FILE_IO_ERROR) ) mbedtls_snprintf( buf, buflen, "DHM - Read/write of file failed" ); + if( use_ret == -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED) ) + mbedtls_snprintf( buf, buflen, "DHM - Setting modulus and generator failed" ); #endif /* MBEDTLS_DHM_C */ #if defined(MBEDTLS_ECP_C) From 5a7c35d1a8d13824efc6c93ba0be2d617844641e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:32:12 +0100 Subject: [PATCH 22/29] Correct documentation of `mbedtls_ssl_conf_dh_param` --- include/mbedtls/ssl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index fb2f02f0e..62f368fc0 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1702,7 +1702,7 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, /** * \brief Set the Diffie-Hellman public P and G values, * read as hexadecimal strings (server-side only) - * (Default: mbedtls_dhm_rfc7919_ffdhe2048_[pg]) + * (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]) * * \param conf SSL configuration * \param dhm_P Diffie-Hellman-Merkle modulus From 0482fd597aae2314e3c97fd5cc37faa4bcd2a101 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:39:08 +0100 Subject: [PATCH 23/29] Remove reference to utility program for RFC 3526/7919 verification --- include/mbedtls/dhm.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index de818697d..460ee7f0f 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -299,8 +299,6 @@ int mbedtls_dhm_self_test( int verbose ); * hence the corresponding subgroup has order (p-1)/2 and avoids leaking a * bit in the private exponent). * - * The above description can be validated using the - * the program programs/util/rfc_3526_7919_verify. */ #if !defined(MBEDTLS_DEPRECATED_REMOVED) From 5e6b8d7d29b47954090a09a00f30a0454e1d808c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:41:36 +0100 Subject: [PATCH 24/29] Add missing whitespace --- include/mbedtls/dhm.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 460ee7f0f..73b69e076 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -372,7 +372,7 @@ MBEDTLS_DEPRECATED typedef char const * deprecated_constant_t; "15728E5A8AACAA68FFFFFFFFFFFFFFFF" ) #define MBEDTLS_DHM_RFC3526_MODP_2048_G \ - MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" ) #define MBEDTLS_DHM_RFC3526_MODP_3072_P \ MBEDTLS_DEPRECATED_STRING_CONSTANT( \ @@ -394,7 +394,7 @@ MBEDTLS_DEPRECATED typedef char const * deprecated_constant_t; "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" ) #define MBEDTLS_DHM_RFC3526_MODP_3072_G \ - MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" ) #define MBEDTLS_DHM_RFC3526_MODP_4096_P \ MBEDTLS_DEPRECATED_STRING_CONSTANT( \ @@ -422,7 +422,7 @@ MBEDTLS_DEPRECATED typedef char const * deprecated_constant_t; "FFFFFFFFFFFFFFFF" ) #define MBEDTLS_DHM_RFC3526_MODP_4096_G \ - MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" ) #endif /* MBEDTLS_DEPRECATED_REMOVED */ From 470a8c4d8767565baa0f1c55f1b1487e2152cdbb Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 15:28:46 +0100 Subject: [PATCH 25/29] Deprecate mbedtls_ssl_conf_dh_param --- include/mbedtls/ssl.h | 18 +++++++++++++++--- library/ssl_tls.c | 3 +++ 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 62f368fc0..13ee5bd87 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1699,6 +1699,15 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) + +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif + /** * \brief Set the Diffie-Hellman public P and G values, * read as hexadecimal strings (server-side only) @@ -1708,12 +1717,15 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, * \param dhm_P Diffie-Hellman-Merkle modulus * \param dhm_G Diffie-Hellman-Merkle generator * + * \deprecated Superseded by \c mbedtls_ssl_conf_dh_param_bin. + * * \return 0 if successful */ -int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, - const char *dhm_P, - const char *dhm_G ); +MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, + const char *dhm_P, + const char *dhm_G ); +#endif /* MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Set the Diffie-Hellman public P and G values, * read from existing context (server-side only) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f233e0a87..fe945c3c9 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6115,6 +6115,8 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) { int ret; @@ -6129,6 +6131,7 @@ int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, cons return( 0 ); } +#endif /* MBEDTLS_DEPRECATED_REMOVED */ int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) { From a90658f248cc7842d1b644f62c12deb9d2b32408 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 15:29:08 +0100 Subject: [PATCH 26/29] Add ssl_conf_dh_param_bin superseding ssl_conf_dh_param --- include/mbedtls/ssl.h | 18 ++++++++++++++++++ library/ssl_tls.c | 24 ++++++++++++++++++++---- 2 files changed, 38 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 13ee5bd87..32cec54b1 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1726,6 +1726,24 @@ MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_G ); #endif /* MBEDTLS_DEPRECATED_REMOVED */ + +/** + * \brief Set the Diffie-Hellman public P and G values + * from big-endian binary presentations. + * (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]_BIN) + * + * \param conf SSL configuration + * \param dhm_P Diffie-Hellman-Merkle modulus in big-endian binary form + * \param P_len Length of DHM modulus + * \param dhm_G Diffie-Hellman-Merkle generator in big-endian binary form + * \param G_len Length of DHM generator + * + * \return 0 if successful + */ +int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf, + const unsigned char *dhm_P, size_t P_len, + const unsigned char *dhm_G, size_t G_len ); + /** * \brief Set the Diffie-Hellman public P and G values, * read from existing context (server-side only) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fe945c3c9..89d223d6a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6133,6 +6133,23 @@ int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, cons } #endif /* MBEDTLS_DEPRECATED_REMOVED */ +int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf, + const unsigned char *dhm_P, size_t P_len, + const unsigned char *dhm_G, size_t G_len ) +{ + int ret; + + if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 || + ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 ) + { + mbedtls_mpi_free( &conf->dhm_P ); + mbedtls_mpi_free( &conf->dhm_G ); + return( ret ); + } + + return( 0 ); +} + int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) { int ret; @@ -7545,10 +7562,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, const unsigned char dhm_g[] = MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; - if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_p, - sizeof( dhm_p ) ) ) != 0 || - ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_g, - sizeof( dhm_g ) ) ) != 0 ) + if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf, + dhm_p, sizeof( dhm_p ), + dhm_g, sizeof( dhm_g ) ) ) != 0 ) { return( ret ); } From e3481ab533b6416ec3609e2873424a72ce5cdd37 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 16:05:10 +0100 Subject: [PATCH 27/29] Improve top warning in dhm.h --- include/mbedtls/dhm.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 73b69e076..479aef841 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -36,6 +36,14 @@ * primes cannot be trusted because of the possibility of backdoors * that can't be effectively checked for. * + * Diffie-Hellman-Merkle is therefore a security risk when not using + * standardized primes generated using a trustworthy ("nothing up + * my sleeve") method, such as the RFC 3526 / 7919 primes. In the TLS + * protocol, DH parameters need to be negotiated, so using the default + * primes systematically is not always an option. If possible, use + * Elliptic Curve Diffie-Hellman (ECDH), which has better performance, + * and for which the TLS protocol mandates the use of standard + * parameters that were generated in a nothing-up-my-sleeve manner. * We therefore consider DHE a security risk. If possible, it is * recommended users should consider preferring other methods of * key exchange. From f5dce36a2440aaf1d2ecbac7323b5cc93f0311d4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 12 Oct 2017 13:45:10 +0100 Subject: [PATCH 28/29] Don't claim ECDH parameters are nothing-up-my-sleeve numbers --- include/mbedtls/dhm.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 479aef841..05a710903 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -43,10 +43,7 @@ * primes systematically is not always an option. If possible, use * Elliptic Curve Diffie-Hellman (ECDH), which has better performance, * and for which the TLS protocol mandates the use of standard - * parameters that were generated in a nothing-up-my-sleeve manner. - * We therefore consider DHE a security risk. If possible, it is - * recommended users should consider preferring other methods of - * key exchange. + * parameters. * */ #ifndef MBEDTLS_DHM_H From 0cd5b94dba7548c3b40efc0681f377744b424f59 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 13 Oct 2017 17:17:28 +0100 Subject: [PATCH 29/29] Adapt ChangeLog --- ChangeLog | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/ChangeLog b/ChangeLog index e199682ea..62a705d4f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,21 @@ Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section 4.1.2.7. +Security + * Change default choice of DHE parameters from untrustworthy RFC 5114 + to RFC 3526 containing parameters generated in a nothing-up-my-sleeve + manner. + +New deprecations + * Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by + parameters from RFC 3526 or the newly added parameters from RFC 7919. + * Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc. + Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN + etc. + * Deprecate mbedtls_ssl_conf_dh_param for setting default DHE parameters + from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin + accepting DHM parameters in binary form, matching the new constants. + = mbed TLS 2.6.0 branch released 2017-08-10 Security