Skip to content

Commit

Permalink
[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLE…
Browse files Browse the repository at this point in the history
…VEL >= 3

Fixes #17743

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #17763)
  • Loading branch information
romen committed Mar 1, 2022
1 parent 66914fc commit b139a95
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 2 deletions.
6 changes: 6 additions & 0 deletions CHANGES.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,12 @@ OpenSSL 3.1

### Changes between 3.0 and 3.1 [xx XXX xxxx]

* Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
to the list of ciphersuites providing Perfect Forward Secrecy as
required by SECLEVEL >= 3.

*Dmitry Belyavskiy, Nicola Tuveri*

* Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting. The
SSL_CTRL_GET_IANA_GROUPS control code, exposed as the SSL_get0_iana_groups()
function-like macro, retrieves the list of supported groups sent by the peer,
Expand Down
5 changes: 3 additions & 2 deletions ssl/ssl_cert.c
Original file line number Diff line number Diff line change
Expand Up @@ -1001,7 +1001,7 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid, void *other,
void *ex)
{
int level, minbits;
int level, minbits, pfs_mask;

minbits = ssl_get_security_level_bits(s, ctx, &level);

Expand Down Expand Up @@ -1033,8 +1033,9 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
if (minbits > 160 && c->algorithm_mac & SSL_SHA1)
return 0;
/* Level 3: forward secure ciphersuites only */
pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK;
if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
!(c->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)))
!(c->algorithm_mkey & pfs_mask))
return 0;
break;
}
Expand Down

0 comments on commit b139a95

Please sign in to comment.