diff --git a/ChangeLog.d/dhm_min_bitlen.txt b/ChangeLog.d/dhm_min_bitlen.txt new file mode 100644 index 000000000..e7ea82730 --- /dev/null +++ b/ChangeLog.d/dhm_min_bitlen.txt @@ -0,0 +1,4 @@ +Bugfix + * In a TLS client, enforce the Diffie-Hellman minimum parameter size + set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the + minimum size was rounded down to the nearest multiple of 8. diff --git a/library/ssl_cli.c b/library/ssl_cli.c index bd7f28134..073311b07 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2209,6 +2209,7 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char *end ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + size_t dhm_actual_bitlen; /* * Ephemeral DH parameters: @@ -2226,10 +2227,11 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, return( ret ); } - if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen ) + dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P ); + if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d", - ssl->handshake->dhm_ctx.len * 8, + MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %u < %u", + (unsigned) dhm_actual_bitlen, ssl->conf->dhm_min_bitlen ) ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); } diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index db4ee3b3d..3ac237a6a 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -1052,6 +1052,16 @@ cert_md5.crt: cert_md5.csr $(MBEDTLS_CERT_WRITE) request_file=$< serial=6 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=MD5 version=3 output_file=$@ all_final += cert_md5.crt +################################################################ +#### Diffie-Hellman parameters +################################################################ + +dh.998.pem: + $(OPENSSL) dhparam -out $@ -text 998 + +dh.999.pem: + $(OPENSSL) dhparam -out $@ -text 999 + ################################################################ #### Meta targets ################################################################ diff --git a/tests/data_files/dh.998.pem b/tests/data_files/dh.998.pem new file mode 100644 index 000000000..96d6cf2b8 --- /dev/null +++ b/tests/data_files/dh.998.pem @@ -0,0 +1,17 @@ + DH Parameters: (998 bit) + prime: + 39:5f:30:c0:7b:06:b7:6a:49:c6:c0:81:1f:39:77: + b3:35:e2:8d:66:fc:6a:6e:94:f3:df:97:f2:89:31: + 6c:75:39:08:16:d1:a4:b8:0c:68:c5:63:21:61:eb: + 48:2d:77:99:08:1d:67:38:37:0a:cd:cf:39:b6:3c: + 9d:8a:e5:85:3c:71:e3:4b:3e:1e:b9:80:e3:cc:7a: + fd:84:05:b0:df:36:15:29:4e:3e:23:3b:c3:ae:6b: + c7:11:b9:64:43:40:75:c7:4a:ef:a7:2d:00:e2:62: + 8f:93:78:96:8f:2c:25:8d:7d:1f:eb:5c:3c:bf:51: + de:f8:08:25:db + generator: 2 (0x2) +-----BEGIN DH PARAMETERS----- +MIGCAn05XzDAewa3aknGwIEfOXezNeKNZvxqbpTz35fyiTFsdTkIFtGkuAxoxWMh +YetILXeZCB1nODcKzc85tjydiuWFPHHjSz4euYDjzHr9hAWw3zYVKU4+IzvDrmvH +EblkQ0B1x0rvpy0A4mKPk3iWjywljX0f61w8v1He+Agl2wIBAg== +-----END DH PARAMETERS----- diff --git a/tests/data_files/dh.999.pem b/tests/data_files/dh.999.pem new file mode 100644 index 000000000..6e3ceb3ba --- /dev/null +++ b/tests/data_files/dh.999.pem @@ -0,0 +1,17 @@ + DH Parameters: (999 bit) + prime: + 4f:b8:d2:d8:3c:b3:02:c9:64:f5:99:fe:61:cc:b3: + 69:1c:ba:bb:a2:33:db:38:2f:85:87:b7:12:fb:69: + 6e:a5:32:3e:ff:24:df:c4:61:07:0c:e1:88:72:fa: + 14:d4:22:65:18:66:09:7e:43:35:c4:5a:62:f7:0a: + 69:be:45:71:6e:ac:c5:56:d8:22:9e:c4:9c:23:2b: + bd:6d:3b:b6:02:4f:5d:12:a7:ac:90:b8:9e:be:93: + 82:bc:09:7c:cd:e1:09:21:1e:3d:69:2a:76:41:00: + 68:6d:b7:e8:e8:df:d6:1b:82:93:d9:21:4a:ea:71: + f2:e6:c4:94:03 + generator: 2 (0x2) +-----BEGIN DH PARAMETERS----- +MIGCAn1PuNLYPLMCyWT1mf5hzLNpHLq7ojPbOC+Fh7cS+2lupTI+/yTfxGEHDOGI +cvoU1CJlGGYJfkM1xFpi9wppvkVxbqzFVtginsScIyu9bTu2Ak9dEqeskLievpOC +vAl8zeEJIR49aSp2QQBobbfo6N/WG4KT2SFK6nHy5sSUAwIBAg== +-----END DH PARAMETERS----- diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7ec83d236..01235218a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3960,6 +3960,20 @@ run_test "DHM size: server 1024, client default, OK" \ 0 \ -C "DHM prime too short:" +run_test "DHM size: server 999, client 999, OK" \ + "$P_SRV dhm_file=data_files/dh.999.pem" \ + "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ + debug_level=1 dhmlen=999" \ + 0 \ + -C "DHM prime too short:" + +run_test "DHM size: server 1000, client 1000, OK" \ + "$P_SRV dhm_file=data_files/dh.1000.pem" \ + "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ + debug_level=1 dhmlen=1000" \ + 0 \ + -C "DHM prime too short:" + run_test "DHM size: server 1000, client default, rejected" \ "$P_SRV dhm_file=data_files/dh.1000.pem" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ @@ -3967,6 +3981,27 @@ run_test "DHM size: server 1000, client default, rejected" \ 1 \ -c "DHM prime too short:" +run_test "DHM size: server 1000, client 1001, rejected" \ + "$P_SRV dhm_file=data_files/dh.1000.pem" \ + "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ + debug_level=1 dhmlen=1001" \ + 1 \ + -c "DHM prime too short:" + +run_test "DHM size: server 999, client 1000, rejected" \ + "$P_SRV dhm_file=data_files/dh.999.pem" \ + "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ + debug_level=1 dhmlen=1000" \ + 1 \ + -c "DHM prime too short:" + +run_test "DHM size: server 998, client 999, rejected" \ + "$P_SRV dhm_file=data_files/dh.998.pem" \ + "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ + debug_level=1 dhmlen=999" \ + 1 \ + -c "DHM prime too short:" + run_test "DHM size: server default, client 2049, rejected" \ "$P_SRV" \ "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \