authorManuel Pégourié-Gonnard <mpg@elzevir.fr>2015-06-26 18:20:34 +0200
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>2015-06-29 18:54:28 +0200
commit5324d411da32d754a9658ff3eb5c1e59960d2bd9 (patch)
tree30ac9742fda10936a4b87e064d82bedc3084b3a2
parent7b209579c693eb12f3338fe03e29b7d889baeedb (diff)
downloadmbedtls-5324d411da32d754a9658ff3eb5c1e59960d2bd9.zip
mbedtls-5324d411da32d754a9658ff3eb5c1e59960d2bd9.tar.gz
mbedtls-5324d411da32d754a9658ff3eb5c1e59960d2bd9.tar.bz2
Up min size of DHM params to 1024 bits
-rw-r--r--ChangeLog10
-rw-r--r--include/polarssl/config.h1
-rw-r--r--include/polarssl/ssl.h1
-rw-r--r--library/ssl_cli.c3
-rw-r--r--tests/compat.sh2
5 files changed, 15 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 1ff0658..d2328b6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,15 @@
PolarSSL ChangeLog
+= Version 1.2.15 released 2015-mm-dd
+
+Security
+ * Increase the minimum size of Diffie-Hellman parameters accepted by the
+ lient to 1024 bits, to protect against Logjam attack.
+
+Changes
+ * Add SSL_MIN_DHM_BYTES configuration parameter in config.h to choose the
+ minimum size of Diffie-Hellman parameters accepted by the client.
+
= Version 1.2.14 released 2015-06-26
Security
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 10b4fb1..3a18f8a 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -1017,6 +1017,7 @@
// SSL options
//
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
+#define SSL_MIN_DHM_BYTES 128 /**< Min size of the Diffie-Hellman prime */
// X509 options
//
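Review bot: The Doxygen comment on the new `#define SSL_MIN_DHM_BYTES 128` line says only `Min size of the Diffie-Hellman prime`, leaving both the unit and the enforcement point to the reader, and the include/polarssl/ssl.h hunk repeats the same wording for the default. Since this option exists so deployments can tune the Logjam mitigation, the comment should state what 128 means and where it is applied: `#define SSL_MIN_DHM_BYTES 128 /**< Min size in bytes of the Diffie-Hellman prime accepted by the client (128 = 1024 bits) */`. A sentence in the same comment that setting it below 128 makes the client accept groups below 1024 bits again would tell anyone editing config.h what they are trading away.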
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 14ec0fd..e6cc2ad 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -130,6 +130,7 @@
*/
#if !defined(POLARSSL_CONFIG_OPTIONS)
#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
+#define SSL_MIN_DHM_BYTES 128 /**< Min size of the Diffie-Hellman prime */
#endif /* !POLARSSL_CONFIG_OPTIONS */
/*
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 0817ea7..db9e179 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -778,7 +778,8 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
- if( ssl->handshake->dhm_ctx.len < 64 || ssl->handshake->dhm_ctx.len > 512 )
+ if( ssl->handshake->dhm_ctx.len < SSL_MIN_DHM_BYTES ||
+ ssl->handshake->dhm_ctx.len > 512 )
{
SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
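Review bot: When the new lower bound rejects a server, the debug line `SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) )` is the same generic text used for the other failures in this function, so an operator cannot tell a too-short group from a malformed message; logging the length, e.g. `SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM prime length %d bytes)", (int) ssl->handshake->dhm_ctx.len ) );`, makes the rejection diagnosable. The guard compares byte lengths: if `dhm_ctx.len` is the byte size of P, as I expect, a prime of 1017–1023 bits also has a 128-byte encoding and passes, so the check is a byte-granular approximation of the "1024 bits" in the commit title; a bit-level test via `mpi_msb( &ssl->handshake->dhm_ctx.P )` would be exact. The upper bound `512` stays a bare literal next to the new named constant, and nothing stops a build that sets `SSL_MIN_DHM_BYTES` above it, which would reject every server — a `#if SSL_MIN_DHM_BYTES > 512` / `#error` next to the default in ssl.h would catch that at compile time. `ssl_parse_server_key_exchange` starts and ends outside this hunk.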
diff --git a/tests/compat.sh b/tests/compat.sh
index be1d720..b7170ff 100644
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -12,7 +12,7 @@ if [ "X$VERIFY" = "XYES" ];
then
P_SERVER_ARGS="auth_mode=required crt_file=data_files/server1.crt key_file=data_files/server1.key ca_file=data_files/test-ca.crt"
P_CLIENT_ARGS="crt_file=data_files/server2.crt key_file=data_files/server2.key ca_file=data_files/test-ca.crt"
- O_SERVER_ARGS="-verify 10 -CAfile data_files/test-ca.crt -cert data_files/server1.crt -key data_files/server1.key"
+ O_SERVER_ARGS="-verify 10 -CAfile data_files/test-ca.crt -cert data_files/server1.crt -key data_files/server1.key -dhparam data_files/dhparams.pem"
O_CLIENT_ARGS="-cert data_files/server2.crt -key data_files/server2.key -CAfile data_files/test-ca.crt"
fi
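Review bot: The `-dhparam data_files/dhparams.pem` argument is added only to the `O_SERVER_ARGS` assignment inside the `VERIFY=YES` branch; if the other branch (outside this hunk) defines its own `O_SERVER_ARGS`, an OpenSSL server started there keeps its default group, and the DHE cases in that mode would pass or fail on that default rather than on the new client minimum, so the same argument belongs there too. The diffstat lists five files and none of them is `data_files/dhparams.pem`, so the file must already exist in the tree with a group of at least 1024 bits; worth confirming, since otherwise the server side of the test fails to start instead of reporting a clear handshake failure.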