Up min size of DHM params to 1024 bits

2024-11-23 03:15:43 +01:00 · 2015-06-26 18:20:34 +02:00 · 2015-06-26 18:20:34 +02:00 · 5324d411da
commit 5324d411da
parent 7b209579c6
5 changed files with 15 additions and 2 deletions
--- a/10
+++ b/10
@ -1,5 +1,15 @@
 PolarSSL ChangeLog

+= Version 1.2.15 released 2015-mm-dd
+
+Security
+   * Increase the minimum size of Diffie-Hellman parameters accepted by the
+     lient to 1024 bits, to protect against Logjam attack.
+
+Changes
+   * Add SSL_MIN_DHM_BYTES configuration parameter in config.h to choose the
+     minimum size of Diffie-Hellman parameters accepted by the client.
+
 = Version 1.2.14 released 2015-06-26

 Security
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -1017,6 +1017,7 @@
 // SSL options
 //
 #define SSL_MAX_CONTENT_LEN             16384 /**< Size of the input / output buffer */
+#define SSL_MIN_DHM_BYTES                 128 /**< Min size of the Diffie-Hellman prime */

 // X509 options
 //
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@ -130,6 +130,7 @@
 */
 #if !defined(POLARSSL_CONFIG_OPTIONS)
 #define SSL_MAX_CONTENT_LEN         16384   /**< Size of the input / output buffer */
+#define SSL_MIN_DHM_BYTES             128   /**< Min size of the Diffie-Hellman prime */
 #endif /* !POLARSSL_CONFIG_OPTIONS */

 /*
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -778,7 +778,8 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    }

-    if( ssl->handshake->dhm_ctx.len < 64 || ssl->handshake->dhm_ctx.len > 512 )
+    if( ssl->handshake->dhm_ctx.len < SSL_MIN_DHM_BYTES ||
+        ssl->handshake->dhm_ctx.len > 512 )
    {
        SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
--- a/tests/compat.sh
+++ b/tests/compat.sh
@ -12,7 +12,7 @@ if [ "X$VERIFY" = "XYES" ];
 then
    P_SERVER_ARGS="auth_mode=required crt_file=data_files/server1.crt key_file=data_files/server1.key ca_file=data_files/test-ca.crt"
    P_CLIENT_ARGS="crt_file=data_files/server2.crt key_file=data_files/server2.key ca_file=data_files/test-ca.crt"
-    O_SERVER_ARGS="-verify 10 -CAfile data_files/test-ca.crt -cert data_files/server1.crt -key data_files/server1.key"
+    O_SERVER_ARGS="-verify 10 -CAfile data_files/test-ca.crt -cert data_files/server1.crt -key data_files/server1.key -dhparam data_files/dhparams.pem"
    O_CLIENT_ARGS="-cert data_files/server2.crt -key data_files/server2.key -CAfile data_files/test-ca.crt"
 fi