From 6527cd382b9b1f2ab4e4e414a1f6060f0aaab8ba Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 8 Dec 2020 22:46:11 +0100
Subject: [PATCH] Enforce dhm_min_bitlen exactly, not just the byte size

In a TLS client, enforce the Diffie-Hellman minimum parameter size set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the minimum size was rounded down to the nearest multiple of 8.

Signed-off-by: Gilles Peskine
---
 ChangeLog.d/dhm_min_bitlen.txt | 4 ++++
 library/ssl_cli.c | 8 +++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 ChangeLog.d/dhm_min_bitlen.txt

diff --git a/ChangeLog.d/dhm_min_bitlen.txt b/ChangeLog.d/dhm_min_bitlen.txt
new file mode 100644
index 000000000..e7ea82730
--- /dev/null
+++ b/ChangeLog.d/dhm_min_bitlen.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * In a TLS client, enforce the Diffie-Hellman minimum parameter size
+ set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
+ minimum size was rounded down to the nearest multiple of 8.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index bd7f28134..073311b07 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2209,6 +2209,7 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
 unsigned char *end )
 {
 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ size_t dhm_actual_bitlen;
 
 /*
 * Ephemeral DH parameters:
@@ -2226,10 +2227,11 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
 return( ret );
 }
 
- if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
+ dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P );
+ if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
 {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
- ssl->handshake->dhm_ctx.len * 8,
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %u < %u",
+ (unsigned) dhm_actual_bitlen,
 ssl->conf->dhm_min_bitlen ) );
 return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
 }
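Review bot: The strict comparison on the new `if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )` line has no test pinning the boundary the changelog promises: a client configured with `dhm_min_bitlen` one bit above the server prime's bit length must now be rejected, where the old byte-rounded check would have accepted it, and the opposite case (prime exactly at the minimum) must still succeed; this patch touches no test file, so a pair of ssl-opt.sh style cases at that boundary would make the fix verifiable. The `%u` specifiers assume `ssl->conf->dhm_min_bitlen` is `unsigned int`, which is not visible in this hunk; if it is not, cast it as well, `(unsigned) ssl->conf->dhm_min_bitlen`, so the format and argument types match (UB otherwise). Note the check bounds only the bit length of P; whatever range validation exists for G and the server's public value is outside this hunk and is unaffected by the change. ssl_parse_server_dh_params begins before the first hunk and ends after the second.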