Enforce dhm_min_bitlen exactly, not just the byte size In a TLS client, enforce the Diffie-Hellman minimum parameter size set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the minimum size was rounded down to the nearest multiple of 8. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

commit: 6527cd382b9b1f2ab4e4e414a1f6060f0aaab8ba [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Tue Dec 08 22:46:11 2020 +0100
committer: Gilles Peskine <Gilles.Peskine@arm.com> Fri Apr 09 17:35:33 2021 +0200
tree: 0fd93f1812f60c867d6676d6eb5fa23081829c7e
parent: 3e7b61c42b6dc45f3f2ca3bb41dc113166df03ba [diff] [blame]
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index bd7f281..073311b 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c

@@ -2209,6 +2209,7 @@
                                        unsigned char *end )
 {
     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t dhm_actual_bitlen;
 
     /*
      * Ephemeral DH parameters:
@@ -2226,10 +2227,11 @@
         return( ret );
     }
 
-    if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
+    dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P );
+    if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
-                                    ssl->handshake->dhm_ctx.len * 8,
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %u < %u",
+                                    (unsigned) dhm_actual_bitlen,
                                     ssl->conf->dhm_min_bitlen ) );
         return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
     }
commit	6527cd382b9b1f2ab4e4e414a1f6060f0aaab8ba	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Tue Dec 08 22:46:11 2020 +0100
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Fri Apr 09 17:35:33 2021 +0200
tree	0fd93f1812f60c867d6676d6eb5fa23081829c7e
parent	3e7b61c42b6dc45f3f2ca3bb41dc113166df03ba [diff] [blame]