<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p style="color: #777777;">
<a href="https://gitlab.com/nmav">Nikos Mavrogiannopoulos</a>
commented on a discussion
on <a href="https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171675775">lib/nettle/pk.c</a>:
</p>
<table>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="268" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
268
</td>
<td class="diff-line-num new_line" data-linenumber="269" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
269
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC269" class="line" lang="c">                    <span class="k" style="font-weight: 600;">goto</span> <span class="n" style="color: #333;">dh_cleanup</span><span class="p">;</span></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="269" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
269
</td>
<td class="diff-line-num new_line" data-linenumber="270" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
270
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC270" class="line" lang="c">            <span class="p">}</span></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="">
<td class="diff-line-num old_line" data-linenumber="270" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
270
</td>
<td class="diff-line-num new_line" data-linenumber="271" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
271
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC271" class="line" lang="c"></span>
</pre>
</td>
</tr>
<tr class="line_holder new" id="">
<td class="diff-line-num new old_line" data-linenumber="271" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
 
</td>
<td class="diff-line-num new new_line" data-linenumber="272" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
272
</td>
<td class="line_content new" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#ecfdf0">
<pre style="margin: 0;">+<span id="LC272" class="line" lang="c">            <span class="cm" style="color: #998; font-style: italic;">/* if we have Q check that y ^ q mod p == 1 */</span></span>
</pre>
</td>
</tr>
<tr class="line_holder new" id="">
<td class="diff-line-num new old_line" data-linenumber="271" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
 
</td>
<td class="diff-line-num new new_line" data-linenumber="273" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
273
</td>
<td class="line_content new" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#ecfdf0">
<pre style="margin: 0;">+<span id="LC273" class="line" lang="c">            <span class="k" style="font-weight: 600;">if</span> <span class="p">(</span><span class="n" style="color: #333;">q</span> <span class="o" style="font-weight: 600;">!=</span> <span class="nb" style="color: #0086b3;">NULL</span><span class="p">)</span> <span class="p">{</span></span>
</pre>
</td>
</tr>

</table>
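<p dir="auto">
Review bot: the added <code>if (q != NULL)</code> at new line 273 makes the subgroup check conditional, and the visible lines do not show what the <code>q == NULL</code> path does. Unless that path fails validation in FIPS mode (or is restricted to the approved safe-prime groups, where the partial validation discussed below is all SP800-56A requires), a peer can still send a public value that is never checked against the order-q subgroup, which is the case the new comment says it guards. Please make the fallback explicit in the else branch rather than leaving the check silently skipped. Minor: in a C source the comment <code>y ^ q mod p == 1</code> reads as an XOR; writing it as <code>y^q (mod p) == 1</code> or <code>pow(y, q) mod p == 1</code> avoids the ambiguity.
</p>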
<div style="">
<blockquote dir="auto" style="color: #7f8fa4; border-left-width: 3px; border-left-color: #eaeaea; border-left-style: solid; margin: 0; padding: 0 0 0 15px;">
<p>The structure I was mentioning is struct gnutls_dh_params_int, which is populated by gnutls_dh_params_init(). It is marked as deprecated but still exported as opaque in gnutls/gnutls.h. If it is ok to change it, I can change it to hold 3 params and add Q during init.</p>
</blockquote>
<p dir="auto">This structure is only useful for tls1.2 or earlier, thus it may not make much sense to enhance it (see below).</p>
<p dir="auto">So, the options we have now are:</p>
<ol dir="auto">
<li>Implement tests with Q, and if not available bail out in FIPS mode; the tests will only be possible/efficient when the primes are known, i.e., TLS1.2 with RFC7919 or TLS1.3 (will most likely break some TLS1.2 connections)</li>
<li>Disable DHE completely and unconditionally when in FIPS mode (seems to be the easiest to implement, with probably minor incompatibility issues)</li>
<li>Disable DHE when used with TLS1.2 and FIPS mode, and implement tests with Q when used with TLS1.3 (where the Q is always known because only the known set of parameters is negotiated)</li>
</ol>
<p dir="auto">However reading <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf" rel="nofollow noreferrer noopener" target="_blank">SP800-56A</a>, <code>5.6.2.3.2 FFC Partial Public-Key Validation Routine</code>, if we restrict to safe primes (i.e., the approved list in the appendix D) we don't need any additional check to what is already there. Given that the supported primes for TLS1.3 are the approved ones, we may simplify (3) as follows.</p>
<ol start="3" dir="auto">
<li>Disable DHE when used with TLS1.2 and FIPS mode.</li>
</ol>
<p dir="auto">It seems a good compromise. What do you think? @smullerDD would that be acceptable in terms of FIPS?</p>
</div>
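<p dir="auto">The two SP800-56A routines the comment above contrasts, written out as an added example that is not from this thread or from GnuTLS itself: 5.6.2.3.2 partial public-key validation (only the range check 2 &lt;= y &lt;= p-2) and 5.6.2.3.1 full validation (the range check plus y^q mod p == 1, which needs Q). It runs on 64-bit toy parameters so it needs no GMP; the groups p = 23 (a safe prime, q = 11) and p = 31 (not a safe prime, subgroup order q = 5), the sample public values, and the <code>dh_pubkey_check</code> policy wrapper are all constructed here for illustration and are assumptions of this example, not GnuTLS code, which works on nettle/GMP <code>mpz_t</code> values.</p>

```c
#include <stdint.h>
#include <stdio.h>

/* Modular multiplication and exponentiation on 64-bit operands, using a
 * 128-bit intermediate so a*b cannot overflow before the reduction.
 * GnuTLS does this on nettle/GMP mpz_t; this is a toy stand-in. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
	return (uint64_t)(((__uint128_t)a * b) % m);
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
	uint64_t r = 1 % m;
	base %= m;
	while (exp) {
		if (exp & 1)
			r = mulmod(r, base, m);
		base = mulmod(base, base, m);
		exp >>= 1;
	}
	return r;
}

/* SP800-56A rev3 5.6.2.3.2, FFC partial public-key validation:
 * accept y only if 2 <= y <= p-2. This rejects 0, 1 and p-1 (the
 * element of order 2) but says nothing about other small subgroups. */
int ffc_partial_pubkey_validate(uint64_t p, uint64_t y)
{
	if (p < 5)
		return 0;
	return y >= 2 && y <= p - 2;
}

/* SP800-56A rev3 5.6.2.3.1, FFC full public-key validation: the range
 * check above plus y^q mod p == 1, i.e. y lies in the order-q subgroup.
 * Needs q, which is why the MR wants Q stored alongside p and g. */
int ffc_full_pubkey_validate(uint64_t p, uint64_t q, uint64_t y)
{
	if (!ffc_partial_pubkey_validate(p, y))
		return 0;
	return powmod(y, q, p) == 1;
}

/* Constructed policy wrapper (an assumption of this example, not GnuTLS
 * code): run the full check when q is known; without q, fail in FIPS mode
 * as in option (1) of the thread, otherwise fall back to the partial check. */
int dh_pubkey_check(uint64_t p, int have_q, uint64_t q, uint64_t y, int fips_mode)
{
	if (!have_q)
		return fips_mode ? 0 : ffc_partial_pubkey_validate(p, y);
	return ffc_full_pubkey_validate(p, q, y);
}

int main(void)
{
	/* Constructed toy groups: p = 23 is a safe prime (q = 11);
	 * p = 31 is not (p-1 = 2*3*5), with q = 5 as the subgroup order. */
	const uint64_t safe_p = 23, safe_q = 11;
	const uint64_t weak_p = 31, weak_q = 5;

	printf("p=23 y=22 partial: %d (p-1 rejected by the range check)\n",
	       ffc_partial_pubkey_validate(safe_p, 22));
	printf("p=23 y=2  full:    %d (2^11 mod 23 == 1)\n",
	       ffc_full_pubkey_validate(safe_p, safe_q, 2));
	printf("p=23 y=5  full:    %d (5^11 mod 23 == 22, not in the q-subgroup)\n",
	       ffc_full_pubkey_validate(safe_p, safe_q, 5));
	printf("p=31 y=5  partial: %d, full: %d (5 has order 3 mod 31)\n",
	       ffc_partial_pubkey_validate(weak_p, 5),
	       ffc_full_pubkey_validate(weak_p, weak_q, 5));
	printf("p=31 y=5  no q, FIPS: %d, non-FIPS: %d\n",
	       dh_pubkey_check(weak_p, 0, 0, 5, 1),
	       dh_pubkey_check(weak_p, 0, 0, 5, 0));
	return 0;
}
```

<p dir="auto">The p = 31 case is the one the missing Q matters for: y = 5 has order 3, passes the partial range check, and is only caught by y^q mod p == 1. With the safe prime p = 23 the only small-order element is p-1 = 22, which the range check alone rejects; that is the reason the comment concludes no extra check is needed for the approved safe-prime groups. Full validation is still stricter there (it rejects y = 5, whose order is 2q), so the two routines are not equivalent, only equally sufficient against small-subgroup confinement on safe primes.</p>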


</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171675775">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/sent_notifications/9b4f79142d4779731d04aa36bb859d97/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Merge request","url":"https://gitlab.com/gnutls/gnutls/merge_requests/990#note_171675775"}}</script>

</p>
</div>
</body>
</html>