Browse Source

cross-reference the DH and RSA SECLEVEL to level of security mappings

Since the DH check is used only in DHE-PSK ciphersuites, it's
easy to miss it when updating the RSA mapping. Add cross-references
so that they remain consistent.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15853)
master
Hubert Kario 4 months ago
committed by Pauli
parent
commit
657489e812
2 changed files with 9 additions and 0 deletions
  1. +4
    -0
      crypto/x509/x509_vfy.c
  2. +5
    -0
      ssl/ssl_cert.c

+ 4
- 0
crypto/x509/x509_vfy.c View File

@ -3364,6 +3364,10 @@ STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs,
return result;
}
/*
* note that there's a corresponding minbits_table in ssl/ssl_cert.c
* in ssl_get_security_level_bits that's used for selection of DH parameters
*/
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);


+ 5
- 0
ssl/ssl_cert.c View File

@ -963,6 +963,11 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)
{
int level;
/*
* note that there's a corresponding minbits_table
* in crypto/x509/x509_vfy.c that's used for checking the security level
* of RSA and DSA keys
*/
static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 };
if (ctx != NULL)


Loading…
Cancel
Save