summaryrefslogtreecommitdiffstats
path: root/ssl
diff options
context:
space:
mode:
authorNicola Tuveri <nic.tuv@gmail.com>2022-02-22 16:26:26 +0200
committerNicola Tuveri <nic.tuv@gmail.com>2022-03-02 00:02:10 +0200
commita108f66bf4f6edbe436179e62301d8c08bd53aa2 (patch)
tree7ae383b4f1929ff91d47e118b1dd13894698ff8e /ssl
parent1925edb2586e00cc502a325271f5528200dc1914 (diff)
[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3
Fixes #17743 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17763) (cherry picked from commit b139a95665eb023b38695d62d9dfc28f3fb89972)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/ssl_cert.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 70d2468b2b..e8ffe6b631 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1001,7 +1001,7 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid, void *other,
void *ex)
{
- int level, minbits;
+ int level, minbits, pfs_mask;
minbits = ssl_get_security_level_bits(s, ctx, &level);
@@ -1036,8 +1036,9 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
if (level >= 2 && c->algorithm_enc == SSL_RC4)
return 0;
/* Level 3: forward secure ciphersuites only */
+ pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK;
if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
- !(c->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)))
+ !(c->algorithm_mkey & pfs_mask))
return 0;
break;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-03 22:21:02 +0000