diff options
author | Hubert Kario <hkario@redhat.com> | 2021-06-21 16:52:14 +0200 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2021-06-23 09:26:15 +1000 |
commit | 657489e8128431979f47898a302f791eb082535d (patch) | |
tree | 59c48d176d67e360f721a46ae50f0c11b300d2e2 | |
parent | 1b1c9b0d7527f946755f6fc9784b45e34cb16a17 (diff) |
cross-reference the DH and RSA SECLEVEL to level of security mappings
Since the DH check is used only in DHE-PSK ciphersuites, it's
easy to miss it when updating the RSA mapping. Add cross-references
so that they remain consistent.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15853)
-rw-r--r-- | crypto/x509/x509_vfy.c | 4 | ||||
-rw-r--r-- | ssl/ssl_cert.c | 5 |
2 files changed, 9 insertions, 0 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index f020d4864d..18c6172c98 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -3364,6 +3364,10 @@ STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs, return result; } +/* + * note that there's a corresponding minbits_table in ssl/ssl_cert.c + * in ssl_get_security_level_bits that's used for selection of DH parameters + */ static const int minbits_table[] = { 80, 112, 128, 192, 256 }; static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table); diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 4f3c2f8ee7..547e9b9ccd 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -963,6 +963,11 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp) { int level; + /* + * note that there's a corresponding minbits_table + * in crypto/x509/x509_vfy.c that's used for checking the security level + * of RSA and DSA keys + */ static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 }; if (ctx != NULL) |