New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change the default key generation type for DH and DSA #13228
Conversation
… module The documentation claimed this was already the default but it wasn't. This was causing the dhparam application to change behaviour when compared to 1.1.1
Inside the FIPS module we continue to use FIPS186-4. We prefer FIPS186-2 in the default provider for backwards compatibility reasons.
$EC_GOAL=../../libimplementations.a | ||
$ECX_GOAL=../../libimplementations.a | ||
$KDF_GOAL=../../libimplementations.a | ||
|
||
IF[{- !$disabled{dh} -}] | ||
SOURCE[$DH_GOAL]=dh_kmgmt.c | ||
SOURCE[../../libfips.a]=dh_kmgmt.c | ||
SOURCE[../../libnonfips.a]=dh_kmgmt.c |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea of libimplementations.a is going more and more to waste...
Fixup pushed. Please take another look. |
This PR changes things so that by default in the default provider, DH keys swap to DH_PARAMGEN_TYPE_GENERATOR (i.e. PKCS3) and DHX keys swap to DH_PARAMGEN_TYPE_FIPS_186_2.
For DSA we swap to DSA_PARAMGEN_TYPE_FIPS_186_2 in the default provider.
Why would we use the obsolete FIPS 186-2? Is there a reason not to
just use 186-4?
|
Because its a breaking change...its way more restrictive about key lengths etc that you are allowed, e.g. see: openssl/crypto/ffc/ffc_params_generate.c Lines 67 to 91 in d1fb6b4
We could choose to relax those restrictions in the default provider. Or we could choose to have the breaking change - but that requires an OMC vote. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This pull request is ready to merge |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whilst I understand why you are doing this for backwards compatability- I think it is setting a really bad example if it generates params using a dead legacy algorithm (especially for key sizes larger than 2048).
Personally I think it should be using a named group (it if can) based on the size, and only use fips_1862 if that does not work..
I somehow suspected you might feel this way. I think this PR is worthy of an OTC discussion. |
For input into the OTC discussion, these are the things that I know of that break or change behaviour compared to 1.1.1 by having the default generation type be FIPS 186-4: EVP impacts:
dhparam app impacts:
|
IMO there is nothing wrong with DH_PARAMGEN_TYPE_GENERATOR (except of course that it is not FIPS compliant). However one useful thing would be to have a parameter generator that would simply select one of the known safe primes that has the nearest size to the requested one. That could IMO be even the default for the FIPS module for the DH key type. |
Whilst I understand why you are doing this for backwards compatability- I think it is setting a really bad example if it generates params using a dead legacy algorithm (especially for key sizes larger than 2048).
Personally I think it should be using a named group (it if can) based on the size, and only use fips_1862 if that does not work..
Are you suggesting that the "generate" function should return
existing known curves by default? It would at least be unexpected
to me that it didn't generate new parameters for me.
I think we all agree that using a named group is what people
should use. But weakdh.org / logjam encouraged people to use there own
parameters. There are probably other guides that suggest that too.
So I think we should do what we can to encourage people to use
the named groups, and the changes in #13233 at least try encourage to
use them.
I wonder if we should publish some document on what we recommend
people to do.
There might be people who really wish to generate their own safe
prime, and I think we should have support for that. I currently
don't see what is wrong with using safe primes, which is what the
named groups all use. And I think that should be the default.
I have not looked at what fips 186-2 does different to 186-4, but
it's been replaced for some reason. So I would like to get rid of
186-2, but maybe 3.0 is not realistic. We have actually marked using
dsa parameters as deprecated in the dhparam manpage. Did we mark parts
of the API that can be used to generate it also as deprecated? If
we did, we can just remove the 186-2 code in 4.0.
|
Another thing to keep in mind..
FIPS 186-2 was still present in FIPS 186-4 for backwards compatability for quite a long time(only the validation bit , not the generation part). |
I added a couple of fixups to bring this into line with the proposal currently being voted on by OTC. |
The travis failure does not seem relevant. @t8m - can you reconfirm your approval of this? I'm also still waiting on the conclusion of the OTC vote before I can merge this. |
Yes, still approved. |
The vote for this passed, so I'm lifting the OTC hold. |
The travis failure is not relevant. |
Pushed. Thanks. |
… module The documentation claimed this was already the default but it wasn't. This was causing the dhparam application to change behaviour when compared to 1.1.1 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #13228)
Inside the FIPS module we continue to use FIPS186-4. We prefer FIPS186-2 in the default provider for backwards compatibility reasons. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from #13228)
Previously both DH and DSA were using FIPS186-4 for all key generation for DH and DSA in both the default and FIPS providers.
This is a little too restrictive for general purpose use and is a significant breaking change (for example it introduces restrictions on the sizes keys can be). AFAIK there was no OTC/OMC decision to make this breaking change.
This PR changes things so that by default in the default provider, DH keys swap to DH_PARAMGEN_TYPE_GENERATOR (i.e. PKCS3) and DHX keys swap to DH_PARAMGEN_TYPE_FIPS_186_2.
For DSA we swap to DSA_PARAMGEN_TYPE_FIPS_186_2 in the default provider.
The defaults are unchanged for the FIPS provider.
This was discovered by the tests being introduced in #13138 and is required for those tests to pass.