From eba7e5662aacc7be4c98c01cb78204ee337e99ef Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 29 Jun 2022 08:30:04 +0000
Subject: Also check the security level of the 'tmp dh'

ok beck jsing
---
 src/lib/libssl/s3_lib.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'src/lib/libssl/s3_lib.c')

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 624841a7a4..b4ad11dc6e 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.228 2022/03/17 17:24:37 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.229 2022/06/29 08:30:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1706,6 +1706,11 @@ _SSL_set_tmp_dh(SSL *s, DH *dh)
 		return 0;
 	}
 
+	if (!ssl_security_dh(s, dh)) {
+		SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
+		return 0;
+	}
+
 	if ((dhe_params = DHparams_dup(dh)) == NULL) {
 		SSLerror(s, ERR_R_DH_LIB);
 		return 0;
@@ -2138,6 +2143,11 @@ _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh)
 		return 0;
 	}
 
+	if (!ssl_ctx_security_dh(ctx, dh)) {
+		SSLerrorx(SSL_R_DH_KEY_TOO_SMALL);
+		return 0;
+	}
+
 	if ((dhe_params = DHparams_dup(dh)) == NULL) {
 		SSLerrorx(ERR_R_DH_LIB);
 		return 0;
-- 
cgit v1.2.3-55-g6feb
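Review bot: The new security-level check in _SSL_set_tmp_dh (and the matching ssl_ctx_security_dh check in _SSL_CTX_set_tmp_dh in the following hunk) carries no comment explaining why it is placed at set time rather than left to the handshake; a one-line comment above the `if`, such as `/* Reject parameters below the configured security level now, so a misconfiguration fails at setup rather than mid-handshake. */`, would tell the next reader that this is deliberate. The check is evaluated against the security level in effect when the parameters are installed, so if the level can be raised afterwards, parameters accepted here would presumably need to be re-checked when they are used, which is worth confirming outside this diff. Parameters supplied through a tmp_dh callback do not pass through these two functions, so whether they receive equivalent enforcement is also outside what this diff shows. Both enclosing functions start and end outside their hunks.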