authorHubert Kario <hkario@redhat.com>2021-06-21 16:52:14 +0200
committerPauli <pauli@openssl.org>2021-06-23 09:26:15 +1000
commit657489e8128431979f47898a302f791eb082535d (patch)
tree59c48d176d67e360f721a46ae50f0c11b300d2e2 /ssl
parent1b1c9b0d7527f946755f6fc9784b45e34cb16a17 (diff)
cross-reference the DH and RSA SECLEVEL to level of security mappings
Since the DH check is used only in DHE-PSK ciphersuites, it's easy to miss it when updating the RSA mapping. Add cross-references so that they remain consistent. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15853)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/ssl_cert.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 4f3c2f8ee7..547e9b9ccd 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -963,6 +963,11 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)
{
int level;
+ /*
+ * note that there's a corresponding minbits_table
+ * in crypto/x509/x509_vfy.c that's used for checking the security level
+ * of RSA and DSA keys
+ */
static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 };
if (ctx != NULL)
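Review bot: The comment added above `minbits_table` says a counterpart table exists in crypto/x509/x509_vfy.c, but it does not tell a maintainer what to do about it or what this table maps. Per the commit description this table backs the DH check, so if the two drift apart the same SECLEVEL would accept different minimum strengths for DH parameters than for RSA/DSA keys. I would state the obligation directly, for example `/* Security level -> minimum bits of security for the DH check. Keep in sync with minbits_table in crypto/x509/x509_vfy.c (RSA and DSA keys). */`. A comment can still go stale unnoticed, so a test that compares the two mappings would be the stronger guard; the other table is not visible in this diff, so its layout would need confirming first. The body of ssl_get_security_level_bits continues past the end of the hunk.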