EDH >= 1024 bits even at security level 0

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Viktor Dukhovni 2016-01-14 01:16:16 -05:00
parent c60ebfdc08
commit a7cf07b496


@ -1062,9 +1062,16 @@ static int ssl_security_default_callback(SSL *s, SSL_CTX *ctx, int op,
level = SSL_CTX_get_security_level(ctx);
else
level = SSL_get_security_level(s);
/* Level 0: anything goes */
if (level <= 0)
if (level <= 0) {
/*
* No EDH keys weaker than 1024-bits even at level 0, otherwise,
* anything goes.
*/
if (op == SSL_SECOP_TMP_DH && bits < 80)
return 0;
return 1;
}
if (level > 5)
level = 5;
minbits = minbits_table[level - 1];
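Review bot: The new floor is written as `bits < 80` while the comment beside it speaks of 1024-bit keys, so a reader has to already know that a 1024-bit DH modulus maps to 80 security bits to see that the code and the comment agree; `bits` is presumably converted from the modulus size by whoever invokes the callback, which is not visible here. Making the link explicit in the comment, e.g. `No EDH keys weaker than 1024-bits (80 security bits) even at level 0, otherwise, anything goes.`, or giving 80 a named constant, would stop the two from drifting apart if the threshold is ever changed. It is also worth stating in the comment that the floor applies only to `SSL_SECOP_TMP_DH`, so every other operation is still accepted unconditionally at level 0, which is what the commit title intends. ssl_security_default_callback starts before this hunk and continues after it.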