[gnutls-devel] GnuTLS | DH and ECDH keys tests (!990)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri May 17 21:35:45 CEST 2019

Nikos Mavrogiannopoulos commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171675775

>  			goto dh_cleanup;
>  		}
> +		/* if we have Q check that y ^ q mod p == 1 */
> +		if (q != NULL) {
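Review bot: the comment `/* if we have Q check that y ^ q mod p == 1 */` together with the `if (q != NULL)` guard means that when no Q is available the validation silently falls back to whatever range check precedes it, i.e. the partial validation; say so explicitly in the comment, and note how that interacts with FIPS mode as discussed in this thread, so a reader can tell the `q == NULL` path is intentional rather than a missed case.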

> The structure I was mentioning is struct gnutls_dh_params_int, which is populated by gnutls_dh_params_init(). It is marked as deprecated but still exported as opaque in gnutls/gnutls.h. If it is ok to change it, I can change it to hold 3 params and add Q during init.

This structure is only useful for tls1.2 or earlier, thus it may not make much sense to enhance it (see below).

So, the options we have now are:
 1. Implement tests with Q, and if not available bail out in FIPS mode; the tests will only be possible/efficient when the primes are known, i.e., TLS1.2 with RFC7919 or TLS1.3 (will most likely break some TLS1.2 connections)
 2. Disable DHE completely and unconditionally when in FIPS mode (seems to be the easiest to implement, with probably minor incompatibility issues)
 3. Disable DHE when used with TLS1.2 and FIPS mode, and implement tests with Q when used with TLS1.3 (where the Q is always known because only the known set of parameters is negotiated)

However, reading [SP800-56A](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf), `FFC Partial Public-Key Validation Routine`, if we restrict to safe primes (i.e., the approved list in appendix D) we don't need any additional check to what is already there. Given that the supported primes for TLS1.3 are the approved ones, we may simplify (3) as follows.

 3. Disable DHE when used with TLS1.2 and FIPS mode.

It seems a good compromise. What do you think? @smullerDD would that be acceptable in terms of FIPS?

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171675775
You're receiving this email because of your account on gitlab.com.
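The reasoning behind the safe-prime shortcut in the thread above, as an added illustration that is not code from GnuTLS or from this merge request: the SP 800-56A partial (range-only) and full (range plus y^q mod p == 1) FFC public-key validation routines, run on constructed toy parameters. The helper names and the toy moduli are assumptions made here; they show that for a general prime the y^q check rejects small-subgroup values the range check lets through, while for a safe prime p = 2q + 1 no element passing the range check has order below q.

```python
# Added example (not GnuTLS code): SP 800-56A FFC public-key validation
# routines, exercised on constructed toy parameters. Helper names are mine.

def partial_validation(y: int, p: int) -> bool:
    """Partial validation: only the range check 2 <= y <= p-2."""
    return 2 <= y <= p - 2

def full_validation(y: int, p: int, q: int) -> bool:
    """Full validation: range check plus membership in the order-q
    subgroup, i.e. y^q mod p == 1."""
    return partial_validation(y, p) and pow(y, q, p) == 1

def is_prime(n: int) -> bool:
    """Trial division; sufficient for the toy moduli used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))

def is_safe_prime(p: int, q: int) -> bool:
    """p is a safe prime with subgroup order q when p = 2q + 1 and
    both p and q are prime."""
    return p == 2 * q + 1 and is_prime(p) and is_prime(q)

def element_order(y: int, p: int) -> int:
    """Multiplicative order of y in Z_p^* (brute force, toy sizes only)."""
    k, acc = 1, y % p
    while acc != 1:
        acc = (acc * y) % p
        k += 1
    return k

def small_subgroup_elements(p: int, q: int) -> list:
    """Values that pass the range check but have order smaller than q.
    A peer value like this confines the shared secret to a small subgroup;
    for a safe prime the list is always empty, which is why the range
    check alone is enough there."""
    return [y for y in range(2, p - 1) if element_order(y, p) < q]

# Constructed toy parameters, far too small for real use:
SAFE_P, SAFE_Q = 23, 11        # 23 = 2*11 + 1, a safe prime
GENERAL_P, GENERAL_Q = 31, 5   # 31 - 1 = 2*3*5; q = 5 is not (p-1)/2

if __name__ == "__main__":
    print("safe prime:", is_safe_prime(SAFE_P, SAFE_Q),
          "small-subgroup values passing range check:",
          small_subgroup_elements(SAFE_P, SAFE_Q))
    print("general prime small-subgroup values passing range check:",
          small_subgroup_elements(GENERAL_P, GENERAL_Q))
```

Note that full validation still rejects quadratic non-residues for the safe prime (e.g. y = 5 mod 23), but those have full order 2q and give no subgroup confinement.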
