fix(OpenSSL) Openssl DH key size (#4753)

* Fixed incorrect SSL_CTX_set0_tmp_dh_pkey() usage * fix(OpenSSL): use DH group enum * fix(IPAddress): windows scoped test, part II #4644 * fix(OpenSSL): fuzz errors #4663 * chore: remove misplaced comment --------- Co-authored-by: Peter Klotz <peter.klotz99@gmail.com>
2025-10-23 00:07:59 +02:00 · 2024-11-11 12:01:00 -06:00
parent 9530a77347
commit c4f66d5188
2 changed files with 100 additions and 45 deletions
--- a/NetSSL_OpenSSL/include/Poco/Net/Context.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/Context.h
@@ -136,9 +136,24 @@ public:
 		SECURITY_LEVEL_256_BITS = 5
 	};

+	enum KeyDHGroup
+	{
+		// MODP
+		//KEY_DH_GROUP_768  = 1,  // (768-bit)
+		KEY_DH_GROUP_1024 = 2,  // (1024-bit)
+		//KEY_DH_GROUP_1536 = 5,  // (1536-bit)
+		KEY_DH_GROUP_2048 = 14, // (2048-bit)
+		//KEY_DH_GROUP_3072 = 15, // (3072-bit)
+
+		// ECP
+		//KEY_DH_GROUP_256 = 19, // (256-bit random)
+		//KEY_DH_GROUP_384 = 20, // (384-bit random)
+		//KEY_DH_GROUP_521 = 21  // (521-bit random)
+	};
+
 	struct NetSSL_API Params
 	{
-		Params();
+		Params(KeyDHGroup dhBits = KEY_DH_GROUP_2048);
 			/// Initializes the struct with default values.

 		std::string privateKeyFile;
@@ -181,7 +196,7 @@ public:
 			/// Specifies a file containing Diffie-Hellman parameters.
 			/// If empty, the default parameters are used.

-		bool dhUse2048Bits;
+		KeyDHGroup dhGroup;
 			/// If set to true, will use 2048-bit MODP Group with 256-bit
 			/// prime order subgroup (RFC5114) instead of 1024-bit for DH.

@@ -441,7 +456,7 @@ public:

 	void ignoreUnexpectedEof(bool flag = true);
 		/// Enable or disable SSL/TLS SSL_OP_IGNORE_UNEXPECTED_EOF
-		/// 
+		///
 		/// Some TLS implementations do not send the mandatory close_notify alert on shutdown.
 		/// If the application tries to wait for the close_notify alert
 		/// but the peer closes the connection without sending it, an error is generated.
@@ -458,7 +473,7 @@ private:
 	void init(const Params& params);
 		/// Initializes the Context with the given parameters.

-	void initDH(bool use2048Bits, const std::string& dhFile);
+	void initDH(KeyDHGroup keyDHGroup, const std::string& dhFile);
 		/// Initializes the Context with Diffie-Hellman parameters.

 	void initECDH(const std::string& curve);