From 9ea1b23cc47d6be317f951909ec87f9ac9f9bacc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 29 Jun 2015 15:27:52 +0200 Subject: [PATCH] Up min size of DHM params to 1024 bits on client --- ChangeLog | 8 ++++++++ include/polarssl/config.h | 1 + include/polarssl/ssl.h | 6 ++++++ library/ssl_cli.c | 2 +- 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a20669021..69bd93656 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,9 +2,17 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 1.3.12 released 2015-07-?? +Security + * Increase the minimum size of Diffie-Hellman parameters accepted by the + client to 1024 bits, to protect against Logjam attack. + Bugfix * Fix thread-safety issue in SSL debug module (found by Edwin van Vliet). +Changes + * Add SSL_MIN_DHM_BYTES configuration parameter in config.h to choose the + minimum size of Diffie-Hellman parameters accepted by the client. + = mbed TLS 1.3.11 released 2015-06-04 Security diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 6bfa705ba..422c8be95 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -2328,6 +2328,7 @@ /* SSL options */ //#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */ +//#define SSL_MIN_DHM_BYTES 128 /**< Min size of the Diffie-Hellman prime */ //#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ //#define POLARSSL_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 730594af4..f82d4fcce 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h 
@@ -282,6 +282,12 @@ #define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */ #endif +/* + * Minimum size of the Diffie-Hellman parameters to accept from a server. + * The default is 1024 bits (128 bytes) for compatibility reasons. + * From a purely security perspective, 2048 bits would be better. + */ +#define SSL_MIN_DHM_BYTES 128 /**< Min size of the Diffie-Hellman prime */ /* \} name SECTION: Module settings */ /* diff --git a/library/ssl_cli.c b/library/ssl_cli.c index caeb6f3f3..0c62c3448 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1445,7 +1445,7 @@ static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p, return( ret ); } - if( ssl->handshake->dhm_ctx.len < 64 || + if( ssl->handshake->dhm_ctx.len < SSL_MIN_DHM_BYTES || ssl->handshake->dhm_ctx.len > 512 ) { SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
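Review bot: The added `#define SSL_MIN_DHM_BYTES 128` in ssl.h is unconditional, so the commented-out `//#define SSL_MIN_DHM_BYTES 128` option this commit adds to config.h cannot be used to raise the minimum. The `SSL_MAX_CONTENT_LEN` define just above appears to be guarded (its `#endif` is in the context; the opening `#if` is outside the hunk), and the new define should follow the same pattern. As written, a build that sets a larger value in config.h (a constructed example: 256 for the 2048-bit floor the new comment recommends) hits a macro redefinition here. Where the compiler only warns, the header's 128 replaces the configured value and the client keeps accepting 1024-bit parameters. Wrap it as `#if !defined(SSL_MIN_DHM_BYTES)` / `#define SSL_MIN_DHM_BYTES 128` / `#endif`.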
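Review bot: The new lower bound in ssl_cli.c is checked at byte granularity, so if `dhm_ctx.len` holds the byte size of the prime (its assignment is not in this hunk), a modulus of 1017 to 1023 bits still passes as 128 bytes. Comparing the bit length instead makes the floor exact, for example `if( mpi_msb( &ssl->handshake->dhm_ctx.P ) < 8 * SSL_MIN_DHM_BYTES ||`. The upper bound on the next line is still the bare literal `512`; a named constant beside `SSL_MIN_DHM_BYTES` would keep both limits documented in one place. `ssl_parse_server_dh_params` starts and ends outside the hunk, so the error path after the `SSL_DEBUG_MSG` call could not be checked.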