commit bd990d6629f48020e30c32926be7acedb6b4683b
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Jun 11 14:49:42 2015 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Jun 17 11:37:04 2015 +0200
tree e5fa47021da32ac1c29e40aee1316e55bd06ed2f
parent bf27eaac79f8af9470f568d7d8cce06c364d1c3b

Add ssl_conf_dhm_min_bitlen()

library/ssl_cli.c

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 6eb190c..72ce76f 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1648,10 +1648,11 @@
         return( ret );
     }
 
-    if( ssl->handshake->dhm_ctx.len < 64  ||
-        ssl->handshake->dhm_ctx.len > 512 )
+    if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
     {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (DHM length)" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
+                                    ssl->handshake->dhm_ctx.len * 8,
+                                    ssl->conf->dhm_min_bitlen ) );
         return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
     }
 

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ee32502..a0cd3d2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5458,6 +5458,17 @@
 }
 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
 
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+/*
+ * Set the minimum length for Diffie-Hellman parameters
+ */
+void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
+                                      unsigned int bitlen )
+{
+    conf->dhm_min_bitlen = bitlen;
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+
 #if defined(MBEDTLS_SSL_SET_CURVES)
 /*
  * Set the allowed elliptic curves
@@ -6665,6 +6676,10 @@
     conf->renego_period[7] = 0x00;
 #endif
 
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+    conf->dhm_min_bitlen = 1024;
+#endif
+
 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
     if( endpoint == MBEDTLS_SSL_IS_SERVER )
     {