From 3e7b61c42b6dc45f3f2ca3bb41dc113166df03ba Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 8 Dec 2020 22:31:52 +0100
Subject: [PATCH 1/2] More precise testing of dhm_min_len

An SSL client can be configured to insist on a minimum size for the
Diffie-Hellman (DHM) parameters sent by the server. Add several test
cases where the server sends parameters with exactly the minimum
size (must be accepted) or parameters that are one bit too short (must
be rejected). Make sure that there are test cases both where the
boundary is byte-aligned and where it isn't.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/data_files/Makefile   | 10 ++++++++++
 tests/data_files/dh.998.pem | 17 +++++++++++++++++
 tests/data_files/dh.999.pem | 17 +++++++++++++++++
 tests/ssl-opt.sh            | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 tests/data_files/dh.998.pem
 create mode 100644 tests/data_files/dh.999.pem

diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index db4ee3b3d..3ac237a6a 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -1052,6 +1052,16 @@ cert_md5.crt: cert_md5.csr
 	$(MBEDTLS_CERT_WRITE) request_file=$< serial=6 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=MD5 version=3 output_file=$@
 all_final += cert_md5.crt
 
+################################################################
+#### Diffie-Hellman parameters
+################################################################
+
+dh.998.pem:
+	$(OPENSSL) dhparam -out $@ -text 998
+
+dh.999.pem:
+	$(OPENSSL) dhparam -out $@ -text 999
+
 ################################################################
 #### Meta targets
 ################################################################
diff --git a/tests/data_files/dh.998.pem b/tests/data_files/dh.998.pem
new file mode 100644
index 000000000..96d6cf2b8
--- /dev/null
+++ b/tests/data_files/dh.998.pem
@@ -0,0 +1,17 @@
+    DH Parameters: (998 bit)
+        prime:
+            39:5f:30:c0:7b:06:b7:6a:49:c6:c0:81:1f:39:77:
+            b3:35:e2:8d:66:fc:6a:6e:94:f3:df:97:f2:89:31:
+            6c:75:39:08:16:d1:a4:b8:0c:68:c5:63:21:61:eb:
+            48:2d:77:99:08:1d:67:38:37:0a:cd:cf:39:b6:3c:
+            9d:8a:e5:85:3c:71:e3:4b:3e:1e:b9:80:e3:cc:7a:
+            fd:84:05:b0:df:36:15:29:4e:3e:23:3b:c3:ae:6b:
+            c7:11:b9:64:43:40:75:c7:4a:ef:a7:2d:00:e2:62:
+            8f:93:78:96:8f:2c:25:8d:7d:1f:eb:5c:3c:bf:51:
+            de:f8:08:25:db
+        generator: 2 (0x2)
+-----BEGIN DH PARAMETERS-----
+MIGCAn05XzDAewa3aknGwIEfOXezNeKNZvxqbpTz35fyiTFsdTkIFtGkuAxoxWMh
+YetILXeZCB1nODcKzc85tjydiuWFPHHjSz4euYDjzHr9hAWw3zYVKU4+IzvDrmvH
+EblkQ0B1x0rvpy0A4mKPk3iWjywljX0f61w8v1He+Agl2wIBAg==
+-----END DH PARAMETERS-----
diff --git a/tests/data_files/dh.999.pem b/tests/data_files/dh.999.pem
new file mode 100644
index 000000000..6e3ceb3ba
--- /dev/null
+++ b/tests/data_files/dh.999.pem
@@ -0,0 +1,17 @@
+    DH Parameters: (999 bit)
+        prime:
+            4f:b8:d2:d8:3c:b3:02:c9:64:f5:99:fe:61:cc:b3:
+            69:1c:ba:bb:a2:33:db:38:2f:85:87:b7:12:fb:69:
+            6e:a5:32:3e:ff:24:df:c4:61:07:0c:e1:88:72:fa:
+            14:d4:22:65:18:66:09:7e:43:35:c4:5a:62:f7:0a:
+            69:be:45:71:6e:ac:c5:56:d8:22:9e:c4:9c:23:2b:
+            bd:6d:3b:b6:02:4f:5d:12:a7:ac:90:b8:9e:be:93:
+            82:bc:09:7c:cd:e1:09:21:1e:3d:69:2a:76:41:00:
+            68:6d:b7:e8:e8:df:d6:1b:82:93:d9:21:4a:ea:71:
+            f2:e6:c4:94:03
+        generator: 2 (0x2)
+-----BEGIN DH PARAMETERS-----
+MIGCAn1PuNLYPLMCyWT1mf5hzLNpHLq7ojPbOC+Fh7cS+2lupTI+/yTfxGEHDOGI
+cvoU1CJlGGYJfkM1xFpi9wppvkVxbqzFVtginsScIyu9bTu2Ak9dEqeskLievpOC
+vAl8zeEJIR49aSp2QQBobbfo6N/WG4KT2SFK6nHy5sSUAwIBAg==
+-----END DH PARAMETERS-----
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 7ec83d236..01235218a 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -3960,6 +3960,20 @@ run_test    "DHM size: server 1024, client default, OK" \
             0 \
             -C "DHM prime too short:"
 
+run_test    "DHM size: server 999, client 999, OK" \
+            "$P_SRV dhm_file=data_files/dh.999.pem" \
+            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+                    debug_level=1 dhmlen=999" \
+            0 \
+            -C "DHM prime too short:"
+
+run_test    "DHM size: server 1000, client 1000, OK" \
+            "$P_SRV dhm_file=data_files/dh.1000.pem" \
+            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+                    debug_level=1 dhmlen=1000" \
+            0 \
+            -C "DHM prime too short:"
+
 run_test    "DHM size: server 1000, client default, rejected" \
             "$P_SRV dhm_file=data_files/dh.1000.pem" \
             "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
@@ -3967,6 +3981,27 @@ run_test    "DHM size: server 1000, client default, rejected" \
             1 \
             -c "DHM prime too short:"
 
+run_test    "DHM size: server 1000, client 1001, rejected" \
+            "$P_SRV dhm_file=data_files/dh.1000.pem" \
+            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+                    debug_level=1 dhmlen=1001" \
+            1 \
+            -c "DHM prime too short:"
+
+run_test    "DHM size: server 999, client 1000, rejected" \
+            "$P_SRV dhm_file=data_files/dh.999.pem" \
+            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+                    debug_level=1 dhmlen=1000" \
+            1 \
+            -c "DHM prime too short:"
+
+run_test    "DHM size: server 998, client 999, rejected" \
+            "$P_SRV dhm_file=data_files/dh.998.pem" \
+            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+                    debug_level=1 dhmlen=999" \
+            1 \
+            -c "DHM prime too short:"
+
 run_test    "DHM size: server default, client 2049, rejected" \
             "$P_SRV" \
             "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \

From 6527cd382b9b1f2ab4e4e414a1f6060f0aaab8ba Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 8 Dec 2020 22:46:11 +0100
Subject: [PATCH 2/2] Enforce dhm_min_bitlen exactly, not just the byte size

In a TLS client, enforce the Diffie-Hellman minimum parameter size
set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
minimum size was rounded down to the nearest multiple of 8.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 ChangeLog.d/dhm_min_bitlen.txt | 4 ++++
 library/ssl_cli.c              | 8 +++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 ChangeLog.d/dhm_min_bitlen.txt

diff --git a/ChangeLog.d/dhm_min_bitlen.txt b/ChangeLog.d/dhm_min_bitlen.txt
new file mode 100644
index 000000000..e7ea82730
--- /dev/null
+++ b/ChangeLog.d/dhm_min_bitlen.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * In a TLS client, enforce the Diffie-Hellman minimum parameter size
+     set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
+     minimum size was rounded down to the nearest multiple of 8.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index bd7f28134..073311b07 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2209,6 +2209,7 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
                                        unsigned char *end )
 {
     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t dhm_actual_bitlen;
 
     /*
      * Ephemeral DH parameters:
@@ -2226,10 +2227,11 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
         return( ret );
     }
 
-    if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
+    dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P );
+    if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
-                                    ssl->handshake->dhm_ctx.len * 8,
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %u < %u",
+                                    (unsigned) dhm_actual_bitlen,
                                     ssl->conf->dhm_min_bitlen ) );
         return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
     }