1 files changed, 19 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index d86d38ebc8..c3d23b2547 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_seclevel.c,v 1.2 2022/06/28 20:44:49 tb Exp $ */
+/*      $OpenBSD: ssl_seclevel.c,v 1.3 2022/06/28 20:49:16 tb Exp $ */
 /*
 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 *
@@ -156,6 +156,22 @@ ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl)
 }
 static int
+ssl_security_secop_tmp_dh(const SSL_CTX *ctx, const SSL *ssl, int bits)
+{
+        int security_level, minimum_bits;
+        if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
+            &minimum_bits))
+                return 0;
+        /* Disallow DHE keys weaker than 1024 bits even at security level 0. */
+        if (security_level <= 0 && bits < 80)
+                return 0;
+        return bits >= minimum_bits;
+}
+static int
 ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits)
 {
        int minimum_bits;
@@ -181,6 +197,8 @@ ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits,
                return ssl_security_secop_compression(ctx, ssl);
        case SSL_SECOP_TICKET:
                return ssl_security_secop_tickets(ctx, ssl);
+        case SSL_SECOP_TMP_DH:
+                return ssl_security_secop_tmp_dh(ctx, ssl, bits);
        default:
                return ssl_security_secop_default(ctx, ssl, bits);
        }

diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c index d86d38ebc8..c3d23b2547 100644 --- a/src/lib/libssl/ssl_seclevel.c +++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_seclevel.c,v 1.2 2022/06/28 20:44:49 tb Exp $ */	1	/* $OpenBSD: ssl_seclevel.c,v 1.3 2022/06/28 20:49:16 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
4	*	4	*
@@ -156,6 +156,22 @@ ssl_security_secop_tickets(const SSL_CTX ctx, const SSL ssl)
156	}	156	}
157		157
158	static int	158	static int
		159	ssl_security_secop_tmp_dh(const SSL_CTX ctx, const SSL ssl, int bits)
		160	{
		161	int security_level, minimum_bits;
		162
		163	if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
		164	&minimum_bits))
		165	return 0;
		166
		167	/* Disallow DHE keys weaker than 1024 bits even at security level 0. */
		168	if (security_level <= 0 && bits < 80)
		169	return 0;
		170
		171	return bits >= minimum_bits;
		172	}
		173
		174	static int
159	ssl_security_secop_default(const SSL_CTX ctx, const SSL ssl, int bits)	175	ssl_security_secop_default(const SSL_CTX ctx, const SSL ssl, int bits)
160	{	176	{
161	int minimum_bits;	177	int minimum_bits;
@@ -181,6 +197,8 @@ ssl_security_default_cb(const SSL ssl, const SSL_CTX ctx, int op, int bits,
181	return ssl_security_secop_compression(ctx, ssl);	197	return ssl_security_secop_compression(ctx, ssl);
182	case SSL_SECOP_TICKET:	198	case SSL_SECOP_TICKET:
183	return ssl_security_secop_tickets(ctx, ssl);	199	return ssl_security_secop_tickets(ctx, ssl);
		200	case SSL_SECOP_TMP_DH:
		201	return ssl_security_secop_tmp_dh(ctx, ssl, bits);
184	default:	202	default:
185	return ssl_security_secop_default(ctx, ssl, bits);	203	return ssl_security_secop_default(ctx, ssl, bits);
186	}	204	}