Merge pull request #4325 from gilles-peskine-arm/dhm_min_bitlen-bits-2.16

Backport 2.16: Enforce dhm_min_bitlen exactly
This commit is contained in:
Gilles Peskine 2021-04-29 14:55:41 +02:00 committed by GitHub
commit 23e5f715f1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 88 additions and 3 deletions

View file

@ -0,0 +1,4 @@
Bugfix
* In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8.

View file

@ -2209,6 +2209,7 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
unsigned char *end )
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
size_t dhm_actual_bitlen;
/*
* Ephemeral DH parameters:
@ -2226,10 +2227,11 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
return( ret );
}
if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P );
if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
ssl->handshake->dhm_ctx.len * 8,
MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %u < %u",
(unsigned) dhm_actual_bitlen,
ssl->conf->dhm_min_bitlen ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}

View file

@ -1052,6 +1052,16 @@ cert_md5.crt: cert_md5.csr
$(MBEDTLS_CERT_WRITE) request_file=$< serial=6 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=MD5 version=3 output_file=$@
all_final += cert_md5.crt
################################################################
#### Diffie-Hellman parameters
################################################################
dh.998.pem:
$(OPENSSL) dhparam -out $@ -text 998
dh.999.pem:
$(OPENSSL) dhparam -out $@ -text 999
################################################################
#### Meta targets
################################################################

View file

@ -0,0 +1,17 @@
DH Parameters: (998 bit)
prime:
39:5f:30:c0:7b:06:b7:6a:49:c6:c0:81:1f:39:77:
b3:35:e2:8d:66:fc:6a:6e:94:f3:df:97:f2:89:31:
6c:75:39:08:16:d1:a4:b8:0c:68:c5:63:21:61:eb:
48:2d:77:99:08:1d:67:38:37:0a:cd:cf:39:b6:3c:
9d:8a:e5:85:3c:71:e3:4b:3e:1e:b9:80:e3:cc:7a:
fd:84:05:b0:df:36:15:29:4e:3e:23:3b:c3:ae:6b:
c7:11:b9:64:43:40:75:c7:4a:ef:a7:2d:00:e2:62:
8f:93:78:96:8f:2c:25:8d:7d:1f:eb:5c:3c:bf:51:
de:f8:08:25:db
generator: 2 (0x2)
-----BEGIN DH PARAMETERS-----
MIGCAn05XzDAewa3aknGwIEfOXezNeKNZvxqbpTz35fyiTFsdTkIFtGkuAxoxWMh
YetILXeZCB1nODcKzc85tjydiuWFPHHjSz4euYDjzHr9hAWw3zYVKU4+IzvDrmvH
EblkQ0B1x0rvpy0A4mKPk3iWjywljX0f61w8v1He+Agl2wIBAg==
-----END DH PARAMETERS-----

View file

@ -0,0 +1,17 @@
DH Parameters: (999 bit)
prime:
4f:b8:d2:d8:3c:b3:02:c9:64:f5:99:fe:61:cc:b3:
69:1c:ba:bb:a2:33:db:38:2f:85:87:b7:12:fb:69:
6e:a5:32:3e:ff:24:df:c4:61:07:0c:e1:88:72:fa:
14:d4:22:65:18:66:09:7e:43:35:c4:5a:62:f7:0a:
69:be:45:71:6e:ac:c5:56:d8:22:9e:c4:9c:23:2b:
bd:6d:3b:b6:02:4f:5d:12:a7:ac:90:b8:9e:be:93:
82:bc:09:7c:cd:e1:09:21:1e:3d:69:2a:76:41:00:
68:6d:b7:e8:e8:df:d6:1b:82:93:d9:21:4a:ea:71:
f2:e6:c4:94:03
generator: 2 (0x2)
-----BEGIN DH PARAMETERS-----
MIGCAn1PuNLYPLMCyWT1mf5hzLNpHLq7ojPbOC+Fh7cS+2lupTI+/yTfxGEHDOGI
cvoU1CJlGGYJfkM1xFpi9wppvkVxbqzFVtginsScIyu9bTu2Ak9dEqeskLievpOC
vAl8zeEJIR49aSp2QQBobbfo6N/WG4KT2SFK6nHy5sSUAwIBAg==
-----END DH PARAMETERS-----

View file

@ -3960,6 +3960,20 @@ run_test "DHM size: server 1024, client default, OK" \
0 \
-C "DHM prime too short:"
run_test "DHM size: server 999, client 999, OK" \
"$P_SRV dhm_file=data_files/dh.999.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1 dhmlen=999" \
0 \
-C "DHM prime too short:"
run_test "DHM size: server 1000, client 1000, OK" \
"$P_SRV dhm_file=data_files/dh.1000.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1 dhmlen=1000" \
0 \
-C "DHM prime too short:"
run_test "DHM size: server 1000, client default, rejected" \
"$P_SRV dhm_file=data_files/dh.1000.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
@ -3967,6 +3981,27 @@ run_test "DHM size: server 1000, client default, rejected" \
1 \
-c "DHM prime too short:"
run_test "DHM size: server 1000, client 1001, rejected" \
"$P_SRV dhm_file=data_files/dh.1000.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1 dhmlen=1001" \
1 \
-c "DHM prime too short:"
run_test "DHM size: server 999, client 1000, rejected" \
"$P_SRV dhm_file=data_files/dh.999.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1 dhmlen=1000" \
1 \
-c "DHM prime too short:"
run_test "DHM size: server 998, client 999, rejected" \
"$P_SRV dhm_file=data_files/dh.998.pem" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
debug_level=1 dhmlen=999" \
1 \
-c "DHM prime too short:"
run_test "DHM size: server default, client 2049, rejected" \
"$P_SRV" \
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \