Also check the security level of the 'tmp dh'

ok beck jsing
author: tb <> 2022-06-29 08:30:04 +0000
committer: tb <> 2022-06-29 08:30:04 +0000
commit: eba7e5662aacc7be4c98c01cb78204ee337e99ef (patch)
tree: 9bc7960741c35d37a08c36dd66b06fc316e04c94 /src
parent: d514ed3f0a5ed2d924983d4533a179823bf09ca0 (diff)
download: openbsd-eba7e5662aacc7be4c98c01cb78204ee337e99ef.tar.gz
openbsd-eba7e5662aacc7be4c98c01cb78204ee337e99ef.tar.bz2
openbsd-eba7e5662aacc7be4c98c01cb78204ee337e99ef.zip
3 files changed, 24 insertions, 3 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 624841a7a4..b4ad11dc6e 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.228 2022/03/17 17:24:37 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.229 2022/06/29 08:30:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1706,6 +1706,11 @@ _SSL_set_tmp_dh(SSL *s, DH *dh)
                return 0;
        }
+        if (!ssl_security_dh(s, dh)) {
+                SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
+                return 0;
+        }
        if ((dhe_params = DHparams_dup(dh)) == NULL) {
                SSLerror(s, ERR_R_DH_LIB);
                return 0;
@@ -2138,6 +2143,11 @@ _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
                return 0;
        }
+        if (!ssl_ctx_security_dh(ctx, dh)) {
+                SSLerrorx(SSL_R_DH_KEY_TOO_SMALL);
+                return 0;
+        }
        if ((dhe_params = DHparams_dup(dh)) == NULL) {
                SSLerrorx(ERR_R_DH_LIB);
                return 0;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index f198c4b035..5410600cf1 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.399 2022/06/29 08:27:51 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.400 2022/06/29 08:30:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1290,6 +1290,7 @@ int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
 int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
    void *other);
 int ssl_security(const SSL *ssl, int op, int bits, int nid, void * other);
+int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh);
 int ssl_security_dh(const SSL *ssl, DH *dh);
 int ssl_get_new_session(SSL *s, int session);
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index 34cea637e0..e0d7a631cb 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_seclevel.c,v 1.6 2022/06/29 08:27:51 tb Exp $ */
+/*      $OpenBSD: ssl_seclevel.c,v 1.7 2022/06/29 08:30:04 tb Exp $ */
 /*
 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 *
@@ -228,6 +228,16 @@ ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 }
 int
+ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
+{
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+        return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0,
+            dh);
+#else
+        return 1;
+#endif
+}
+int
 ssl_security_dh(const SSL *ssl, DH *dh)
 {
 #if defined(LIBRESSL_HAS_SECURITY_LEVEL)
author	tb <>	2022-06-29 08:30:04 +0000
committer	tb <>	2022-06-29 08:30:04 +0000
commit	eba7e5662aacc7be4c98c01cb78204ee337e99ef (patch)
tree	9bc7960741c35d37a08c36dd66b06fc316e04c94 /src
parent	d514ed3f0a5ed2d924983d4533a179823bf09ca0 (diff)
download	openbsd-eba7e5662aacc7be4c98c01cb78204ee337e99ef.tar.gz openbsd-eba7e5662aacc7be4c98c01cb78204ee337e99ef.tar.bz2 openbsd-eba7e5662aacc7be4c98c01cb78204ee337e99ef.zip