DHM: Fix dhm_check_range() always returning 0
Although the variable ret was initialised to an error, the
MBEDTLS_MPI_CHK macro was overwriting it. Therefore it ended up being
0 whenewer the bignum computation was successfull and stayed 0
independently of the actual check.
diff --git a/ChangeLog b/ChangeLog
index e199682..ce0e831 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,10 @@
mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS x.x.x released xxxx-xx-xx
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+Security
+ * Fix dhm_check_range() failing to detect trivial subgroups and essentially
+ always returning 0. Reported by prashantkspatil.
Bugfix
* Fix ssl_parse_record_header() to silently discard invalid DTLS records
diff --git a/library/dhm.c b/library/dhm.c
index bec52a1..620610d 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -93,6 +93,9 @@
*
* Parameter should be: 2 <= public_param <= P - 2
*
+ * This means that we need to return an error if
+ * public_param < 2 or public param > P-2
+ *
* For more information on the attack, see:
* http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
@@ -100,17 +103,17 @@
static int dhm_check_range( const mbedtls_mpi *param, const mbedtls_mpi *P )
{
mbedtls_mpi L, U;
- int ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+ int ret = 0;
mbedtls_mpi_init( &L ); mbedtls_mpi_init( &U );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &L, 2 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &U, P, 2 ) );
- if( mbedtls_mpi_cmp_mpi( param, &L ) >= 0 &&
- mbedtls_mpi_cmp_mpi( param, &U ) <= 0 )
+ if( mbedtls_mpi_cmp_mpi( param, &L ) < 0 ||
+ mbedtls_mpi_cmp_mpi( param, &U ) > 0 )
{
- ret = 0;
+ ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
}
cleanup: