Enforce dhm_min_bitlen exactly, not just the byte size

In a TLS client, enforce the Diffie-Hellman minimum parameter size set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the minimum size was rounded down to the nearest multiple of 8. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-10-18 22:21:22 +00:00 · 2020-12-08 22:46:11 +01:00 · 2020-12-08 22:46:11 +01:00 · e8a2fc8461
parent c6b0d96c31
commit e8a2fc8461
2 changed files with 8 additions and 2 deletions
--- a/ChangeLog.d/dhm_min_bitlen.txt
+++ b/ChangeLog.d/dhm_min_bitlen.txt
@ -0,0 +1,4 @@
+Bugfix
+   * In a TLS client, enforce the Diffie-Hellman minimum parameter size
+     set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
+     minimum size was rounded down to the nearest multiple of 8.
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -2610,6 +2610,7 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
                                       unsigned char *end )
 {
    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t dhm_actual_bitlen;

    /*
     * Ephemeral DH parameters:
@ -2627,10 +2628,11 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
        return( ret );
    }

-    if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
+    dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P );
+    if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
-                                    ssl->handshake->dhm_ctx.len * 8,
+                                    dhm_actual_bitlen,
                                    ssl->conf->dhm_min_bitlen ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
    }