Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provenance of ffdhe2048.txt #116

Closed
philpennock opened this issue Sep 17, 2020 · 3 comments
Closed

Provenance of ffdhe2048.txt #116

philpennock opened this issue Sep 17, 2020 · 3 comments

Comments

@philpennock
Copy link

Folks, could someone please explain the provenance of https://ssl-config.mozilla.org/ffdhe2048.txt and how that value was derived from the RFC?

In Exim, we've received a PR from a mystery source, asking to update our copy of ffdhe2048 to a new value. It appears to match the value which Mozilla provides at the above URL. The value in our code is in "std-crypto.c", almost entirely RFC comments and auto-converted constants: https://git.exim.org/exim.git/blob/HEAD:/src/src/std-crypto.c (currently lines 510-518)
with the tooling I wrote to handle the conversion from RFC form being at https://git.exim.org/exim.git/blob/HEAD:/src/util/gen_pkcs3.c

I've re-run the code against the RFC and things so far look like there's no error on our side, but I don't pretend to be a cryptographer and I might have missed something. Something thunderously stupid which means that I've misconverted all the constants?

It would really help to know exactly how the Mozilla-provided DH params were converted, so that I can compare and contrast to see if and how I've done something wrong.

Thanks.
@tomato42
Copy link
Member

The value in the ffdhe2048.txt file comes from RFC7919: https://tools.ietf.org/html/rfc7919#appendix-A.1
the value you have in here: https://git.exim.org/exim.git/blob/HEAD:/src/src/std-crypto.c#l512 is missing the first line of the prime (i.e. it starts with D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE not with FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620)

Side note: I don't know what you use those primes for but group 22, 23 and 24 are known weak parameters, you should basically never use them.

@philpennock
Copy link
Author

We provide them as options, they're not default; we recommend people generate their own and always have, but several years back added defaults so that DH would always be available. Originally to IKE23 and then a few years back to parameters which I generated but I added the RFC7919 primes so that if people didn't trust me they could choose something with some public record.

The value I have was generated from the RFC text with a tool and I re-ran it yesterday and thought I got the same result as before, but running it now I get the same value you do. I might be going crazy. It's not that the C form was missing the first line of the prime, since that yields a different PEM result and doesn't pass integrity checks.

Okay, thanks, we'll continue looking into it. Since I can now generate a form which matches yours, there's no issue here.

@tomato42
Copy link
Member

It's not that the C form was missing the first line of the prime, since that yields a different PEM result and doesn't pass integrity checks.

huh? I took the embedded PEM and used openssl asn1parse to get the value of the prime, it started with D8B9C583...
but even without that, it's clear it's missing the FFFFFFFF FFFFFFFF part as there was no ////////// in the beginning lines of the PEM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@philpennock @tomato42