authorPauli <pauli@openssl.org>2021-06-18 12:54:24 +1000
committerPauli <pauli@openssl.org>2021-06-19 15:49:46 +1000
commitd7b5c648d682b499b71320a03747602a6ba4dec3 (patch)
treee862a77bf88186198192164adc3ed5bf1f61c5ae /ssl/t1_lib.c
parentb9d022d78faee0648c3ace7f15ccec08f14feddb (diff)
ssl: do not choose auto DH groups that are weaker than the security level
Fixes #15808 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15818)
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r--ssl/t1_lib.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3bc424acef..2ee97c2ae6 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2884,7 +2884,7 @@ EVP_PKEY *ssl_get_auto_dh(SSL *s)
{
EVP_PKEY *dhp = NULL;
BIGNUM *p;
- int dh_secbits = 80;
+ int dh_secbits = 80, sec_level_bits;
EVP_PKEY_CTX *pctx = NULL;
OSSL_PARAM_BLD *tmpl = NULL;
OSSL_PARAM *params = NULL;
@@ -2902,6 +2902,11 @@ EVP_PKEY *ssl_get_auto_dh(SSL *s)
}
}
+ /* Do not pick a prime that is too weak for the current security level */
+ sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL);
+ if (dh_secbits < sec_level_bits)
+ dh_secbits = sec_level_bits;
+
if (dh_secbits >= 192)
p = BN_get_rfc3526_prime_8192(NULL);
else if (dh_secbits >= 152)
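Review bot: The clamp `dh_secbits = sec_level_bits` can lift the target above the top rung of the ladder that follows, `if (dh_secbits >= 192)`, which is the highest threshold visible and selects the RFC 3526 8192-bit prime. If ssl_get_security_level_bits() can return more than 192 for the strictest level (its definition is not part of this hunk), the function still returns the 8192-bit group, so the "not weaker than the security level" guarantee would depend on whatever check is applied to the resulting key afterwards. I would note this next to the clamp, for example `/* Values above 192 still select the 8192-bit prime, the largest one offered here. */`, and confirm that the strictest level fails closed rather than negotiating with that group. The ladder and the rest of ssl_get_auto_dh continue past the end of the hunk.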