[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Tue Jun 22 23:26:45 UTC 2021
The branch master has been updated
via 657489e8128431979f47898a302f791eb082535d (commit)
from 1b1c9b0d7527f946755f6fc9784b45e34cb16a17 (commit)
- Log -----------------------------------------------------------------
commit 657489e8128431979f47898a302f791eb082535d
Author: Hubert Kario <hkario at redhat.com>
Date: Mon Jun 21 16:52:14 2021 +0200
cross-reference the DH and RSA SECLEVEL to level of security mappings
Since the DH check is used only in DHE-PSK ciphersuites, it's
easy to miss it when updating the RSA mapping. Add cross-references
so that they remain consistent.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15853)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_vfy.c | 4 ++++
ssl/ssl_cert.c | 5 +++++
2 files changed, 9 insertions(+)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f020d4864d..18c6172c98 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -3364,6 +3364,10 @@ STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs,
return result;
}
+/*
+ * note that there's a corresponding minbits_table in ssl/ssl_cert.c
+ * in ssl_get_security_level_bits that's used for selection of DH parameters
+ */
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
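Review bot: The new comment should also state that the two tables are indexed differently, because that is the detail most likely to trip up whoever edits them next: this table has five entries ({ 80, 112, 128, 192, 256 }) and is indexed by level minus one, whereas the ssl/ssl_cert.c table it points to carries a leading 0 entry for level 0 and is indexed by the level directly. Suggest extending the comment to "... minbits_table in ssl/ssl_cert.c (which has an extra leading 0 entry for level 0, so its index is offset by one from this table)". A cross-reference alone does not prevent drift; if the two tables are meant to stay identical apart from that offset, consider sharing a single definition from a common internal header rather than two copies.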
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 4f3c2f8ee7..547e9b9ccd 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -963,6 +963,11 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)
{
int level;
+ /*
+ * note that there's a corresponding minbits_table
+ * in crypto/x509/x509_vfy.c that's used for checking the security level
+ * of RSA and DSA keys
+ */
static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 };
if (ctx != NULL)
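Review bot: Beyond the comment, the array size here is still the hardcoded literal `[5 + 1]`, so adding a security level now requires touching three places (this literal, this initializer, and the x509_vfy.c table) while the comment mentions only two. Suggest either dropping the explicit size and letting the initializer determine it, as crypto/x509/x509_vfy.c does with `OSSL_NELEM(minbits_table)`, or having the comment say explicitly that the size must be updated alongside the other table. The comment text also describes the x509_vfy.c table as used for "RSA and DSA keys"; since the commit message talks about the RSA mapping, it would help to spell out that the x509_vfy.c table is the auth-level table (it defines NUM_AUTH_LEVELS) so readers know which check it feeds.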