On Tue, Apr 28, 2020 at 11:22:02AM +0100, Stuart Henderson wrote:
> On 2020/04/28 01:09, Tobias Heider wrote:
> > Hi,
> > 
> > the EC2N family of curves have been marked as insecure for at least 10 
> > years.
> > In fact, IANA has stopped listing them altogether [1].
> > Their former IDs are now 'reserved'.
> > 
> > I think it's time for us to drop them as well.
> > 
> > ok?
> 
> I agree with dropping them. Timing-wise perhaps it's better to do it
> after release (possible text for upgrade notes below); OTOH probably
> nobody really uses ec2n so it's not all that likely to hurt users (we
> can use similar text but say "prior to upgrade, add alternative groups
> [...]" instead).
> 
>   "The insecure ec2n D-H groups will be removed from iked in the next
>   release; if you are using these, add alternative groups to ikesa/childsa
>   in iked.conf, then you can move clients across one by one and remove
>   the ec2n groups in advance of 6.8.
> 
>   While removal of other groups is not imminent, some are considered
>   insecure (768-bit MODP, group 1) or weak (1024- and 1536-bit MODP,
>   groups 2 and 5). Prefer curve25519, an ECP group of 256 bits or
>   more, or a MODP group of 2048 bits or more."

I would really rather do it now.  It has been marked as insecure for long
enough and really no one should be using it.
IMHO shipping them for another six months would be rather irresponsible
from our side.

The upgrade note sounds good.

> 
> > Index: iked.conf.5
> > ===================================================================
> > RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> > retrieving revision 1.66
> > diff -u -p -r1.66 iked.conf.5
> > --- iked.conf.5     27 Apr 2020 22:40:09 -0000      1.66
> > +++ iked.conf.5     27 Apr 2020 22:58:24 -0000
> > @@ -909,8 +909,6 @@ keyword:
> >  .It Em Name Ta Em Group Ta Em Size Ta Em Type
> >  .It Li modp768 Ta grp1 Ta 768 Ta "MODP"
> >  .It Li modp1024 Ta grp2 Ta 1024 Ta "MODP"
> 
>    .It Li modp768 Ta grp1 Ta 768 Ta "MODP" [insecure]
>    .It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" [weak]
> 
> > -.It Li ec2n155 Ta grp3 Ta 155 Ta "EC2N [insecure]"
> > -.It Li ec2n185 Ta grp4 Ta 185 Ta "EC2N [insecure]"
> >  .It Li modp1536 Ta grp5 Ta 1536 Ta "MODP"
> 
>    .It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" [weak]
> 
> I guess we should sprinkle some other weak/insecure in the manual
> too but this is a start.

Good idea, your classification makes sense.  We should do the same for
all algorithms.

> 
> >  .It Li modp2048 Ta grp14 Ta 2048 Ta "MODP"
> >  .It Li modp3072 Ta grp15 Ta 3072 Ta "MODP"
> > @@ -931,11 +929,8 @@ keyword:
> >  .Pp
> >  The currently supported group types are either
> >  MODP (exponentiation groups modulo a prime),
> > -EC2N (elliptic curve groups over GF[2^N]),
> >  ECP (elliptic curve groups modulo a prime),
> >  or Curve25519.
> > -Please note that the EC2N groups are considered as insecure and only
> > -provided for backwards compatibility.
> 
>    Please note that MODP groups of less than 2048 bits are considered
>    as weak or insecure (see RFC 8247 section 2.4) and only provided for
>    backwards compatibility.
> 
> > --- dh.h    27 Oct 2017 14:26:35 -0000      1.11
> > +++ dh.h    27 Apr 2020 22:58:24 -0000
> > @@ -21,7 +21,6 @@
> >  
> >  enum group_type {
> >     GROUP_MODP              = 0,
> > -   GROUP_EC2N              = 1,
> >     GROUP_ECP               = 2,
> >     GROUP_CURVE25519        = 3
> >  };
> 
> Should the others be renumbered so that somebody looking later doesn't
> have to figure out why there's a gap?
> 

Fixed.

Here's an updated diff:

Index: dh.c
===================================================================
RCS file: /cvs/src/sbin/iked/dh.c,v
retrieving revision 1.22
diff -u -p -r1.22 dh.c
--- dh.c        2 Apr 2019 09:42:55 -0000       1.22
+++ dh.c        28 Apr 2020 14:50:58 -0000
@@ -35,7 +35,7 @@ int   modp_getlen(struct group *);
 int    modp_create_exchange(struct group *, uint8_t *);
 int    modp_create_shared(struct group *, uint8_t *, uint8_t *);
 
-/* EC2N/ECP */
+/* ECP */
 int    ec_init(struct group *);
 int    ec_getlen(struct group *);
 int    ec_secretlen(struct group *);
@@ -83,8 +83,6 @@ const struct group_id ike_groups[] = {
            "FFFFFFFFFFFFFFFF",
            "02"
        },
-       { GROUP_EC2N, 3, 155, NULL, NULL, NID_ipsec3 },
-       { GROUP_EC2N, 4, 185, NULL, NULL, NID_ipsec4 },
        { GROUP_MODP, 5, 1536,
            "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
            "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
@@ -290,7 +288,6 @@ group_get(uint32_t id)
                group->exchange = modp_create_exchange;
                group->shared = modp_create_shared;
                break;
-       case GROUP_EC2N:
        case GROUP_ECP:
                group->init = ec_init;
                group->getlen = ec_getlen;
Index: dh.h
===================================================================
RCS file: /cvs/src/sbin/iked/dh.h,v
retrieving revision 1.11
diff -u -p -r1.11 dh.h
--- dh.h        27 Oct 2017 14:26:35 -0000      1.11
+++ dh.h        28 Apr 2020 14:50:58 -0000
@@ -21,9 +21,8 @@
 
 enum group_type {
        GROUP_MODP              = 0,
-       GROUP_EC2N              = 1,
-       GROUP_ECP               = 2,
-       GROUP_CURVE25519        = 3
+       GROUP_ECP               = 1,
+       GROUP_CURVE25519        = 2
 };
 
 struct group_id {
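Review bot: in enum group_type, GROUP_ECP now takes the value 1 that GROUP_EC2N used to hold and GROUP_CURVE25519 moves from 3 to 2, so please confirm that nothing stores or compares these as raw integers. Since the values are contiguous from 0 again, the explicit initializers could also be dropped, so that a later removal cannot leave another gap.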
Index: iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
retrieving revision 1.66
diff -u -p -r1.66 iked.conf.5
--- iked.conf.5 27 Apr 2020 22:40:09 -0000      1.66
+++ iked.conf.5 28 Apr 2020 14:50:58 -0000
@@ -907,11 +907,9 @@ The following group types are permitted 
 keyword:
 .Bl -column "modp1024-160" "Group" "Size" "Type" -offset indent
 .It Em Name Ta Em Group Ta Em Size Ta Em Type
-.It Li modp768 Ta grp1 Ta 768 Ta "MODP"
-.It Li modp1024 Ta grp2 Ta 1024 Ta "MODP"
-.It Li ec2n155 Ta grp3 Ta 155 Ta "EC2N [insecure]"
-.It Li ec2n185 Ta grp4 Ta 185 Ta "EC2N [insecure]"
-.It Li modp1536 Ta grp5 Ta 1536 Ta "MODP"
+.It Li modp768 Ta grp1 Ta 768 Ta "MODP" [insecure]
+.It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" [weak]
+.It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" [weak]
 .It Li modp2048 Ta grp14 Ta 2048 Ta "MODP"
 .It Li modp3072 Ta grp15 Ta 3072 Ta "MODP"
 .It Li modp4096 Ta grp16 Ta 4096 Ta "MODP"
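Review bot: the added modp768, modp1024 and modp1536 rows put the tag outside the quoted Type cell ("MODP" [insecure]), whereas the removed EC2N rows had it inside the quotes ("EC2N [insecure]"). Writing "MODP [insecure]" and "MODP [weak]" keeps each cell a single argument and matches the style the table already used.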
@@ -931,11 +929,11 @@ keyword:
 .Pp
 The currently supported group types are either
 MODP (exponentiation groups modulo a prime),
-EC2N (elliptic curve groups over GF[2^N]),
 ECP (elliptic curve groups modulo a prime),
 or Curve25519.
-Please note that the EC2N groups are considered as insecure and only
-provided for backwards compatibility.
+Please note that MODP groups of less than 2048 bits are considered
+as weak or insecure (see RFC 8247 section 2.4) and only provided for
+backwards compatibility.
 .Sh FILES
 .Bl -tag -width /etc/examples/iked.conf -compact
 .It Pa /etc/iked.conf
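Review bot: the added sentence covers every MODP group of less than 2048 bits, but the table hunk above tags only grp1, grp2 and grp5. The .Bl -column width string names modp1024-160, so if that entry is listed in the rows below it should carry a tag as well. Minor wording: "considered weak or insecure" reads better than "considered as weak or insecure".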
Index: ikev2.h
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2.h,v
retrieving revision 1.31
diff -u -p -r1.31 ikev2.h
--- ikev2.h     3 Dec 2019 12:38:34 -0000       1.31
+++ ikev2.h     28 Apr 2020 14:50:59 -0000
@@ -230,8 +230,6 @@ extern struct iked_constmap ikev2_xforma
 #define IKEV2_XFORMDH_NONE             0       /* No DH */
 #define IKEV2_XFORMDH_MODP_768         1       /* DH Group 1 */
 #define IKEV2_XFORMDH_MODP_1024                2       /* DH Group 2 */
-#define IKEV2_XFORMDH_EC2N_155         3       /* DH Group 3 */
-#define IKEV2_XFORMDH_EC2N_185         4       /* DH Group 3 */
 #define IKEV2_XFORMDH_MODP_1536                5       /* DH Group 5 */
 #define IKEV2_XFORMDH_MODP_2048                14      /* DH Group 14 */
 #define IKEV2_XFORMDH_MODP_3072                15      /* DH Group 15 */
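Review bot: removing IKEV2_XFORMDH_EC2N_155 and IKEV2_XFORMDH_EC2N_185 leaves the defines jumping from 2 to 5 with no explanation, the same kind of gap that was raised for enum group_type, except that these are wire values and cannot be renumbered. A one-line comment between MODP_1024 and MODP_1536 saying that 3 and 4 were the EC2N groups and are now reserved would save a later reader the lookup.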
Index: parse.y
===================================================================
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.95
diff -u -p -r1.95 parse.y
--- parse.y     26 Apr 2020 16:55:47 -0000      1.95
+++ parse.y     28 Apr 2020 14:50:59 -0000
@@ -223,10 +223,6 @@ const struct ipsec_xf groupxfs[] = {
        { "grp1",               IKEV2_XFORMDH_MODP_768 },
        { "modp1024",           IKEV2_XFORMDH_MODP_1024 },
        { "grp2",               IKEV2_XFORMDH_MODP_1024 },
-       { "ec2n155",            IKEV2_XFORMDH_EC2N_155 },
-       { "grp3",               IKEV2_XFORMDH_EC2N_155 },
-       { "ec2n185",            IKEV2_XFORMDH_EC2N_185 },
-       { "grp4",               IKEV2_XFORMDH_EC2N_185 },
        { "modp1536",           IKEV2_XFORMDH_MODP_1536 },
        { "grp5",               IKEV2_XFORMDH_MODP_1536 },
        { "modp2048",           IKEV2_XFORMDH_MODP_2048 },
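Review bot: with "ec2n155", "grp3", "ec2n185" and "grp4" gone from groupxfs, an existing iked.conf that names any of them will no longer find the group. If this goes in before release, the upgrade note should be committed alongside it in its "prior to upgrade, add alternative groups" form.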

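A pre-upgrade check in the spirit of the upgrade note quoted above, as an added example that is not part of the original mail or of iked: it scans an iked.conf-style file for arguments of the group keyword that this diff removes or tags. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag DH groups in an iked.conf-style file that the diff
# above removes (EC2N) or tags as insecure/weak (MODP below 2048 bits).

# Reads the files given as arguments, or stdin when there are none.
# Prints "LINE: NAME STATUS" for every flagged argument of "group".
audit_iked_groups() {
	awk '
	function mark(names, label,    a, n, i) {
		n = split(names, a, " ")
		for (i = 1; i <= n; i++) status[a[i]] = label
	}
	BEGIN {
		mark("ec2n155 grp3 ec2n185 grp4", "removed")
		mark("modp768 grp1", "insecure")
		mark("modp1024 grp2 modp1536 grp5", "weak")
	}
	{
		line = $0
		sub(/#.*/, "", line)            # ignore comments
		n = split(line, tok, /[ \t]+/)
		for (i = 1; i < n; i++) {
			if (tok[i] != "group") continue
			name = tok[i + 1]
			gsub(/"/, "", name)     # names may be quoted
			if (name in status)
				printf "%d: %s %s\n", FNR, name, status[name]
		}
	}' "$@"
}

# Constructed sample configuration (not from the thread).
sample_conf() {
	cat <<'EOF'
ikev2 "legacy" passive esp \
	from 10.0.0.0/24 to 10.0.1.0/24 peer 192.0.2.1 \
	ikesa enc aes-256 auth hmac-sha2-256 group ec2n185 \
	childsa enc aes-256 group modp1024 \
	psk "constructed-example"
ikev2 "modern" esp from 10.0.2.0/24 to 10.0.3.0/24 \
	ikesa enc aes-256 group curve25519   # was: group grp3
EOF
}

sample_conf | audit_iked_groups
```

Run it as `audit_iked_groups /etc/iked.conf`; any line reported as removed has to be changed before the upgrade.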