diff --git a/ChangeLog b/ChangeLog
index 28093ae01..2e5a54f89 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -84,6 +84,7 @@ Default behavior changes
 * Support for RSA_ALT contexts in the PK layer is now optional. Since is is enabled in the default configuration, this is only noticeable if using a custom config.h
+ * Default DHM parameters server-side upgraded from 1024 to 2048 bits.
 Reauirement changes
 * The minimum MSVC version required is now 2010 (better C99 support).
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 92420b533..4782cd539 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1621,11 +1621,11 @@ void mbedtls_ssl_set_psk_cb( mbedtls_ssl_config *conf,
 void *p_psk );
 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
-#if defined(MBEDTLS_DHM_C)
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
 /**
 * \brief Set the Diffie-Hellman public P and G values,
 * read as hexadecimal strings (server-side only)
- * (Default: MBEDTLS_DHM_RFC5114_MODP_1024_[PG])
+ * (Default: MBEDTLS_DHM_RFC5114_MODP_2048_[PG])
 *
 * \param conf SSL configuration
 * \param dhm_P Diffie-Hellman-Merkle modulus
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 59fce958b..c537fe4b2 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2871,6 +2871,12 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
 {
+ if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+
 /*
 * Ephemeral DH parameters:
 *
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 229536dd3..114f5ae30 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
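Review bot: The prototype is now compiled only when `MBEDTLS_SSL_SRV_C` is defined, but the `ssl_tls.c` hunks of this commit show no matching guard change around the definition of `mbedtls_ssl_set_dh_param`; its enclosing `#if` is outside the visible hunks, so this needs checking. If the definition is still built under `MBEDTLS_DHM_C` alone, a client-only build compiles it without a prototype, and existing client-only callers lose the declaration without the ChangeLog saying so. The doc comment could also say where the default comes from, e.g. `(Default: MBEDTLS_DHM_RFC5114_MODP_2048_[PG], set by mbedtls_ssl_config_defaults() for server endpoints only)`. The comment block continues past the end of the hunk.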
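Review bot: The new guard rejects a missing group only while the ServerKeyExchange is being written, that is, after a DHE suite has already been chosen, so a server whose configuration has no P/G (possible now that a failed `mbedtls_ssl_set_dh_param` clears both) fails the handshake instead of negotiating a non-DHE suite. Ciphersuite selection is outside this hunk; if it does not already skip DHE-RSA and DHE-PSK when `ssl->conf->dhm_P.p == NULL`, that is the better place for the test, with this check kept as a backstop. The check also covers presence only, not the size of the modulus, and a comment such as `/* Presence check only; parameter strength is not validated here */` would make that explicit. `ssl_write_server_key_exchange` starts and ends outside the hunk.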
@@ -5400,11 +5400,13 @@ int mbedtls_ssl_set_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const
 {
 int ret;
- if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 )
- return( ret );
-
- if( ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
+ if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||
+ ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
+ {
+ mbedtls_mpi_free( &conf->dhm_P );
+ mbedtls_mpi_free( &conf->dhm_G );
 return( ret );
+ }
 return( 0 );
 }
@@ -5413,11 +5415,13 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context
 {
 int ret;
- if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 )
- return( ret );
-
- if( ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
+ if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ||
+ ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
+ {
+ mbedtls_mpi_free( &conf->dhm_P );
+ mbedtls_mpi_free( &conf->dhm_G );
 return( ret );
+ }
 return( 0 );
 }
@@ -6667,15 +6671,15 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 conf->renego_period[7] = 0x00;
 #endif
-#if defined(MBEDTLS_DHM_C)
- if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16,
- MBEDTLS_DHM_RFC5114_MODP_1024_P) ) != 0 ||
- ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16,
- MBEDTLS_DHM_RFC5114_MODP_1024_G) ) != 0 )
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+ if( endpoint == MBEDTLS_SSL_IS_SERVER )
 {
- mbedtls_mpi_free( &conf->dhm_P );
- mbedtls_mpi_free( &conf->dhm_G );
- return( ret );
+ if( ( ret = mbedtls_ssl_set_dh_param( conf,
+ MBEDTLS_DHM_RFC5114_MODP_2048_P,
+ MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
+ {
+ return( ret );
+ }
 }
 #endif
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 6f6836d9c..17aa9ff9f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
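Review bot: On failure `mbedtls_ssl_set_dh_param` now clears both `conf->dhm_P` and `conf->dhm_G`, so a failed call also discards parameters installed earlier (including the defaults from `mbedtls_ssl_config_defaults`), and the visible part of the doc comment in `ssl.h` does not tell callers this. The same applies to `mbedtls_ssl_set_dh_param_ctx` in the next hunk. Combined with the new check in `ssl_write_server_key_exchange` this fails closed, which is the safer outcome, but it should be documented, for example `\note On error, any previously set P and G are cleared and DHE key exchanges are refused until valid parameters are set.` Neither setter appears to check the size of the modulus it accepts, so a caller can still install a group weaker than the new default; a minimum-size check, or at least a documented expectation, would close that gap.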
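Review bot: The new server default in `mbedtls_ssl_config_defaults` is larger but is still an RFC 5114 group. Those groups are not safe primes: the generator lies in a prime-order subgroup much smaller than p, which makes validation of the peer's public value matter more, and the RFC does not give a procedure for verifying how the primes were generated. If the library ships a 2048-bit safe-prime group (RFC 3526 is the usual source), it is the better default; otherwise record the trade-off at the call with something like `/* TODO: RFC 5114 group is not a safe prime; consider a safe-prime 2048-bit group */`. The function body starts and ends outside the hunk.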
@@ -1727,11 +1727,7 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_FS_IO)
 if( opt.dhm_file != NULL )
 ret = mbedtls_ssl_set_dh_param_ctx( &conf, &dhm );
- else
 #endif
- ret = mbedtls_ssl_set_dh_param( &conf, MBEDTLS_DHM_RFC5114_MODP_2048_P,
- MBEDTLS_DHM_RFC5114_MODP_2048_G );
-
 if( ret != 0 )
 {
 mbedtls_printf( " failed\n mbedtls_ssl_set_dh_param returned -0x%04X\n\n", - ret );
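Review bot: With the `else` branch removed, the `if( ret != 0 )` test after `#endif` is no longer tied to a call: when `opt.dhm_file` is NULL, or `MBEDTLS_FS_IO` is not defined, it tests whatever value earlier code in `main` (outside the hunk) left in `ret` and would report that as an `mbedtls_ssl_set_dh_param` failure. Brace the `if( opt.dhm_file != NULL )` body and move the error check inside it, under the same `#if`, so the check runs only when the setter was actually called. The message should then name the function that is called, `mbedtls_ssl_set_dh_param_ctx`. The error block and `main` continue past the end of the hunk.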