summaryrefslogtreecommitdiffstats
path: root/ssl/t1_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r--ssl/t1_lib.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3bc424acef..2ee97c2ae6 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2884,7 +2884,7 @@ EVP_PKEY *ssl_get_auto_dh(SSL *s)
{
EVP_PKEY *dhp = NULL;
BIGNUM *p;
- int dh_secbits = 80;
+ int dh_secbits = 80, sec_level_bits;
EVP_PKEY_CTX *pctx = NULL;
OSSL_PARAM_BLD *tmpl = NULL;
OSSL_PARAM *params = NULL;
@@ -2902,6 +2902,11 @@ EVP_PKEY *ssl_get_auto_dh(SSL *s)
}
}
+ /* Do not pick a prime that is too weak for the current security level */
+ sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL);
+ if (dh_secbits < sec_level_bits)
+ dh_secbits = sec_level_bits;
+
if (dh_secbits >= 192)
p = BN_get_rfc3526_prime_8192(NULL);
else if (dh_secbits >= 152)
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-09 10:33:12 +0000