return 1;
}
+int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)
+{
+ int level;
+ static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 };
+
+ if (ctx != NULL)
+ level = SSL_CTX_get_security_level(ctx);
+ else
+ level = SSL_get_security_level(s);
+
+ if (level > 5)
+ level = 5;
+ else if (level < 0)
+ level = 0;
+
+ if (levelp != NULL)
+ *levelp = level;
+
+ return minbits_table[level];
+}
+
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid, void *other,
void *ex)
{
int level, minbits;
- static const int minbits_table[5] = { 80, 112, 128, 192, 256 };
- if (ctx)
- level = SSL_CTX_get_security_level(ctx);
- else
- level = SSL_get_security_level(s);
- if (level <= 0) {
+ minbits = ssl_get_security_level_bits(s, ctx, &level);
+
+ if (level == 0) {
/*
* No EDH keys weaker than 1024-bits even at level 0, otherwise,
* anything goes.
return 0;
return 1;
}
- if (level > 5)
- level = 5;
- minbits = minbits_table[level - 1];
switch (op) {
case SSL_SECOP_CIPHER_SUPPORTED:
case SSL_SECOP_CIPHER_SHARED:
__owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other);
__owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
void *other);
+int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp);
__owur int ssl_cert_lookup_by_nid(int nid, size_t *pidx);
__owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk,
{
EVP_PKEY *dhp = NULL;
BIGNUM *p;
- int dh_secbits = 80;
+ int dh_secbits = 80, sec_level_bits;
EVP_PKEY_CTX *pctx = NULL;
OSSL_PARAM_BLD *tmpl = NULL;
OSSL_PARAM *params = NULL;
}
}
+ /* Do not pick a prime that is too weak for the current security level */
+ sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL);
+ if (dh_secbits < sec_level_bits)
+ dh_secbits = sec_level_bits;
+
if (dh_secbits >= 192)
p = BN_get_rfc3526_prime_8192(NULL);
else if (dh_secbits >= 152)
projects / openssl.git / commitdiff