author | Theo Buehler <tb@cvs.openbsd.org> | 2022-06-29 08:30:05 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2022-06-29 08:30:05 +0000 |
commit | f2026376d9eec4473352e668b00b60fb058c57f9 (patch) | |
tree | 77ff3fc106fc8bd2ce61037e7f978fbf3d800485 | |
parent | 23e7160eec5a4398f4b1317464f2cbea06c5294e (diff) |
Also check the security level of the 'tmp dh'
ok beck jsing
-rw-r--r-- | lib/libssl/s3_lib.c | 12 | ||||
-rw-r--r-- | lib/libssl/ssl_locl.h | 3 | ||||
-rw-r--r-- | lib/libssl/ssl_seclevel.c | 12 |
3 files changed, 24 insertions, 3 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 624841a7a42..b4ad11dc6ea 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.228 2022/03/17 17:24:37 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.229 2022/06/29 08:30:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1706,6 +1706,11 @@ _SSL_set_tmp_dh(SSL *s, DH *dh)
 		return 0;
 	}
 
+	if (!ssl_security_dh(s, dh)) {
+		SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
+		return 0;
+	}
+
 	if ((dhe_params = DHparams_dup(dh)) == NULL) {
 		SSLerror(s, ERR_R_DH_LIB);
 		return 0;
@@ -2138,6 +2143,11 @@ _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
 		return 0;
 	}
 
+	if (!ssl_ctx_security_dh(ctx, dh)) {
+		SSLerrorx(SSL_R_DH_KEY_TOO_SMALL);
+		return 0;
+	}
+
 	if ((dhe_params = DHparams_dup(dh)) == NULL) {
 		SSLerrorx(ERR_R_DH_LIB);
 		return 0;
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index f198c4b0353..5410600cf11 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.399 2022/06/29 08:27:51 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.400 2022/06/29 08:30:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1290,6 +1290,7 @@ int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
 int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other);
 int ssl_security(const SSL *ssl, int op, int bits, int nid, void * other);
+int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh);
 int ssl_security_dh(const SSL *ssl, DH *dh);
 
 int ssl_get_new_session(SSL *s, int session);
diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c
index 34cea637e0c..e0d7a631cb5 100644
--- a/lib/libssl/ssl_seclevel.c
+++ b/lib/libssl/ssl_seclevel.c
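Review bot: The new rejection in _SSL_set_tmp_dh carries no comment explaining why caller-supplied DH parameters can now fail with SSL_R_DH_KEY_TOO_SMALL; a one-liner above the check, `/* Reject DH parameters weaker than the configured security level. */`, would spare readers a trip to ssl_seclevel.c. The check ends up in DH_security_bits(dh) (ssl_ctx_security_dh() in ssl_seclevel.c calls it, and ssl_security_dh() presumably does the same), so it depends on the guard whose condition lies above the hunk — presumably a NULL check on dh — being in place before it; worth confirming, as DHparams_dup() a few lines down has the same requirement. The second hunk, in _SSL_CTX_set_tmp_dh, is the same change with ssl_ctx_security_dh() and SSLerrorx() and would take the same comment. Both enclosing functions start and end outside their hunks.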
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_seclevel.c,v 1.6 2022/06/29 08:27:51 tb Exp $ */
+/* $OpenBSD: ssl_seclevel.c,v 1.7 2022/06/29 08:30:04 tb Exp $ */
 /*
  * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
  *
@@ -228,6 +228,16 @@ ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 }
 
 int
+ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
+{
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+	return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0,
+	    dh);
+#else
+	return 1;
+#endif
+}
+int
 ssl_security_dh(const SSL *ssl, DH *dh)
 {
 #if defined(LIBRESSL_HAS_SECURITY_LEVEL)
|
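Review bot: The closing brace of ssl_ctx_security_dh is directly followed by the `int` of ssl_security_dh with no separating blank line, unlike the blank line after ssl_security's brace just above; the hunk's new-side count of 16 lines matches the ten added lines shown, so this is an omission in the source rather than a rendering artefact — insert an empty line after `+}`. The function also deserves a short header comment making the `#else` branch explicit: it returns 1, so in a build without LIBRESSL_HAS_SECURITY_LEVEL the new check in _SSL_CTX_set_tmp_dh accepts any DH parameters and SSL_R_DH_KEY_TOO_SMALL is never raised, e.g. `/* Check dh against ctx's security level; accepted unconditionally when security levels are compiled out. */`. ssl_security_dh's body continues past the end of the hunk.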