Merge remote-tracking branch 'upstream-restricted/pr/414' into mbedtls-2.1-restricted

Jaeden Amero 2018-01-26 18:09:14 +00:00
commit bfafd12789
4 changed files with 12 additions and 3 deletions


@ -41,6 +41,9 @@ Security
* Fix a potential heap buffer overread in ALPN extension parsing * Fix a potential heap buffer overread in ALPN extension parsing
(server-side). Could result in application crash, but only if an ALPN (server-side). Could result in application crash, but only if an ALPN
name larger than 16 bytes had been configured on the server. name larger than 16 bytes had been configured on the server.
* Change default choice of DHE parameters from untrustworthy RFC 5114
to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
manner.
Features Features
* Allow comments in test data files. * Allow comments in test data files.


@ -51,6 +51,12 @@
* RFC 3526 4. 3072-bit MODP Group * RFC 3526 4. 3072-bit MODP Group
* RFC 3526 5. 4096-bit MODP Group * RFC 3526 5. 4096-bit MODP Group
* RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
*
* \warning The primes from RFC 5114 do not come together with information
* on how they were generated and are therefore not considered
* trustworthy. It is recommended to avoid them and to use the
* nothing-up-my-sleeve primes from RFC 3526 instead.
*
*/ */
#define MBEDTLS_DHM_RFC3526_MODP_2048_P \ #define MBEDTLS_DHM_RFC3526_MODP_2048_P \
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \


@ -7325,8 +7325,8 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
if( endpoint == MBEDTLS_SSL_IS_SERVER ) if( endpoint == MBEDTLS_SSL_IS_SERVER )
{ {
if( ( ret = mbedtls_ssl_conf_dh_param( conf, if( ( ret = mbedtls_ssl_conf_dh_param( conf,
MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC3526_MODP_2048_P,
MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 ) MBEDTLS_DHM_RFC3526_MODP_2048_G ) ) != 0 )
{ {
return( ret ); return( ret );
} }
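Review bot: The switched constants on the mbedtls_ssl_conf_dh_param lines carry no comment saying why RFC 3526 group 14 replaces the RFC 5114 group, so a maintainer reading only this call sees two 2048-bit groups and no reason to prefer one. Suggest placing above the call: `/* Default to RFC 3526 group 14 (2048-bit MODP, G = 2): a safe-prime group with documented nothing-up-my-sleeve provenance; the RFC 5114 constants stay defined but are no longer used by default, see the warning in dhm.h. */`. Since this only changes the built-in default, a server that calls mbedtls_ssl_conf_dh_param itself with the RFC 5114 values keeps using them, which the comment could also state. mbedtls_ssl_config_defaults begins and ends outside the hunk.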


@ -2828,7 +2828,7 @@ run_test "DHM parameters: reference" \
debug_level=3" \ debug_level=3" \
0 \ 0 \
-c "value of 'DHM: P ' (2048 bits)" \ -c "value of 'DHM: P ' (2048 bits)" \
-c "value of 'DHM: G ' (2048 bits)" -c "value of 'DHM: G ' (2 bits)"
run_test "DHM parameters: other parameters" \ run_test "DHM parameters: other parameters" \
"$P_SRV dhm_file=data_files/dhparams.pem" \ "$P_SRV dhm_file=data_files/dhparams.pem" \