summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/s3_lib.c12
-rw-r--r--src/lib/libssl/ssl_locl.h3
-rw-r--r--src/lib/libssl/ssl_seclevel.c12
3 files changed, 24 insertions, 3 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 624841a7a4..b4ad11dc6e 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_lib.c,v 1.228 2022/03/17 17:24:37 jsing Exp $ */ 1/* $OpenBSD: s3_lib.c,v 1.229 2022/06/29 08:30:04 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1706,6 +1706,11 @@ _SSL_set_tmp_dh(SSL *s, DH *dh)
1706 return 0; 1706 return 0;
1707 } 1707 }
1708 1708
1709 if (!ssl_security_dh(s, dh)) {
1710 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1711 return 0;
1712 }
1713
1709 if ((dhe_params = DHparams_dup(dh)) == NULL) { 1714 if ((dhe_params = DHparams_dup(dh)) == NULL) {
1710 SSLerror(s, ERR_R_DH_LIB); 1715 SSLerror(s, ERR_R_DH_LIB);
1711 return 0; 1716 return 0;
@@ -2138,6 +2143,11 @@ _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
2138 return 0; 2143 return 0;
2139 } 2144 }
2140 2145
2146 if (!ssl_ctx_security_dh(ctx, dh)) {
2147 SSLerrorx(SSL_R_DH_KEY_TOO_SMALL);
2148 return 0;
2149 }
2150
2141 if ((dhe_params = DHparams_dup(dh)) == NULL) { 2151 if ((dhe_params = DHparams_dup(dh)) == NULL) {
2142 SSLerrorx(ERR_R_DH_LIB); 2152 SSLerrorx(ERR_R_DH_LIB);
2143 return 0; 2153 return 0;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index f198c4b035..5410600cf1 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.399 2022/06/29 08:27:51 tb Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.400 2022/06/29 08:30:04 tb Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1290,6 +1290,7 @@ int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
1290int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, 1290int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
1291 void *other); 1291 void *other);
1292int ssl_security(const SSL *ssl, int op, int bits, int nid, void * other); 1292int ssl_security(const SSL *ssl, int op, int bits, int nid, void * other);
1293int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh);
1293int ssl_security_dh(const SSL *ssl, DH *dh); 1294int ssl_security_dh(const SSL *ssl, DH *dh);
1294 1295
1295int ssl_get_new_session(SSL *s, int session); 1296int ssl_get_new_session(SSL *s, int session);
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index 34cea637e0..e0d7a631cb 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_seclevel.c,v 1.6 2022/06/29 08:27:51 tb Exp $ */ 1/* $OpenBSD: ssl_seclevel.c,v 1.7 2022/06/29 08:30:04 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org> 3 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
4 * 4 *
@@ -228,6 +228,16 @@ ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
228} 228}
229 229
230int 230int
231ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
232{
233#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
234 return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0,
235 dh);
236#else
237 return 1;
238#endif
239}
240int
231ssl_security_dh(const SSL *ssl, DH *dh) 241ssl_security_dh(const SSL *ssl, DH *dh)
232{ 242{
233#if defined(LIBRESSL_HAS_SECURITY_LEVEL) 243#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-10 13:38:58 +0000