author | Nicola Tuveri <nic.tuv@gmail.com> | 2022-02-22 16:26:26 +0200 |
committer | Nicola Tuveri <nic.tuv@gmail.com> | 2022-03-02 00:02:10 +0200 |
commit | a108f66bf4f6edbe436179e62301d8c08bd53aa2 (patch) | |
tree | 7ae383b4f1929ff91d47e118b1dd13894698ff8e /ssl | |
parent | 1925edb2586e00cc502a325271f5528200dc1914 (diff) |
[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3
Fixes #17743
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17763)
(cherry picked from commit b139a95665eb023b38695d62d9dfc28f3fb89972)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_cert.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 70d2468b2b..e8ffe6b631 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1001,7 +1001,7 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
 int op, int bits, int nid, void *other, void *ex)
 {
- int level, minbits;
+ int level, minbits, pfs_mask;
 minbits = ssl_get_security_level_bits(s, ctx, &level);
@@ -1036,8 +1036,9 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
 if (level >= 2 && c->algorithm_enc == SSL_RC4)
 return 0;
 /* Level 3: forward secure ciphersuites only */
+ pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK;
 if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
- !(c->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)))
+ !(c->algorithm_mkey & pfs_mask))
 return 0;
 break;
 }
|
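Review bot: The value assigned to `pfs_mask` in the second hunk is a compile-time constant built from four `SSL_k*` flags, yet it is declared as a mutable function-scope `int` in the first hunk and assigned inside one `switch` case; a `static const` or file-scope macro next to the other key-exchange masks would make the policy constant visible at a glance and keep the declaration out of the function's local state. Independently of where it lives, the existing comment should say why the two PSK variants now qualify, since plain `SSL_kPSK` and RSA-PSK stay excluded on purpose: `/* Level 3: forward secure ciphersuites only. DHE-PSK and ECDHE-PSK qualify because the ephemeral (EC)DH exchange provides forward secrecy; PSK-only and RSA-PSK do not. */`. The check is still gated on `c->min_tls != TLS1_3_VERSION`, so TLS 1.3 suites are unaffected, which appears intended. The enclosing `ssl_security_default_callback` and its `switch` both start and end outside these hunks, and the diffstat is limited to `ssl/`, so whether a SECLEVEL 3 regression test for the PSK suites accompanies this change cannot be seen here.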