yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-23 06:45:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

Up min size of DHM params to 1024 bits

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2015-06-26 18:20:34 +02:00
parent 7b209579c6
commit 5324d411da
5 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ChangeLog
View File

@ -1,5 +1,15 @@
PolarSSL ChangeLog PolarSSL ChangeLog
= Version 1.2.15 released 2015-mm-dd
Security
* Increase the minimum size of Diffie-Hellman parameters accepted by the
lient to 1024 bits, to protect against Logjam attack.
Changes
* Add SSL_MIN_DHM_BYTES configuration parameter in config.h to choose the
minimum size of Diffie-Hellman parameters accepted by the client.
= Version 1.2.14 released 2015-06-26 = Version 1.2.14 released 2015-06-26
Security Security

1
include/polarssl/config.h
View File

@ -1017,6 +1017,7 @@
// SSL options // SSL options
// //
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */ #define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
#define SSL_MIN_DHM_BYTES 128 /**< Min size of the Diffie-Hellman prime */
// X509 options // X509 options
// //

1
include/polarssl/ssl.h
View File

@ -130,6 +130,7 @@
*/ */
#if !defined(POLARSSL_CONFIG_OPTIONS) #if !defined(POLARSSL_CONFIG_OPTIONS)
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */ #define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
#define SSL_MIN_DHM_BYTES 128 /**< Min size of the Diffie-Hellman prime */
#endif /* !POLARSSL_CONFIG_OPTIONS */ #endif /* !POLARSSL_CONFIG_OPTIONS */
/* /*

3
library/ssl_cli.c
View File

@ -778,7 +778,8 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
} }
if( ssl->handshake->dhm_ctx.len < 64 || ssl->handshake->dhm_ctx.len > 512 ) if( ssl->handshake->dhm_ctx.len < SSL_MIN_DHM_BYTES ||
ssl->handshake->dhm_ctx.len > 512 )
{ {
SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) ); SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );

2
tests/compat.sh
View File

@ -12,7 +12,7 @@ if [ "X$VERIFY" = "XYES" ];
then then
P_SERVER_ARGS="auth_mode=required crt_file=data_files/server1.crt key_file=data_files/server1.key ca_file=data_files/test-ca.crt" P_SERVER_ARGS="auth_mode=required crt_file=data_files/server1.crt key_file=data_files/server1.key ca_file=data_files/test-ca.crt"
P_CLIENT_ARGS="crt_file=data_files/server2.crt key_file=data_files/server2.key ca_file=data_files/test-ca.crt" P_CLIENT_ARGS="crt_file=data_files/server2.crt key_file=data_files/server2.key ca_file=data_files/test-ca.crt"
O_SERVER_ARGS="-verify 10 -CAfile data_files/test-ca.crt -cert data_files/server1.crt -key data_files/server1.key" O_SERVER_ARGS="-verify 10 -CAfile data_files/test-ca.crt -cert data_files/server1.crt -key data_files/server1.key -dhparam data_files/dhparams.pem"
O_CLIENT_ARGS="-cert data_files/server2.crt -key data_files/server2.key -CAfile data_files/test-ca.crt" O_CLIENT_ARGS="-cert data_files/server2.crt -key data_files/server2.key -CAfile data_files/test-ca.crt"
fi fi