summaryrefslogtreecommitdiff
path: root/lib/libssl/ssl_srvr.c
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2022-06-29 08:27:53 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-06-29 08:27:53 +0000
commit23e7160eec5a4398f4b1317464f2cbea06c5294e (patch)
tree4853b92fed8af0bdba82a63e8fa05659b8fc9f3b /lib/libssl/ssl_srvr.c
parent9d25fdcb1965383fb753b8272b55ab3f2a7fe534 (diff)
Check the security of DH key shares
ok beck, looks good to jsing
Diffstat (limited to 'lib/libssl/ssl_srvr.c')
-rw-r--r--lib/libssl/ssl_srvr.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 97077a3380f..e37f9cfdb7a 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.144 2022/06/29 07:53:58 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.145 2022/06/29 08:27:51 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1355,6 +1355,12 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
if (!tls_key_share_public(s->s3->hs.key_share, cbb))
goto err;
+ if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
+ SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ return 0;
+ }
+
return 1;
err:
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-25 19:30:29 +0000