[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3
authorNicola Tuveri <nic.tuv@gmail.com>
Tue, 22 Feb 2022 14:26:26 +0000 (16:26 +0200)
committerNicola Tuveri <nic.tuv@gmail.com>
Tue, 1 Mar 2022 08:51:03 +0000 (10:51 +0200)
Fixes #17743

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17763)

CHANGES.md
ssl/ssl_cert.c

index c8336dd66450960909cc3042931cd7effca8f3fe..185340d8c1b2742d10ff81345690d7c40aca781f 100644 (file)
@@ -24,6 +24,12 @@ OpenSSL 3.1
 
 ### Changes between 3.0 and 3.1 [xx XXX xxxx]
 
+ * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
+   to the list of ciphersuites providing Perfect Forward Secrecy as
+   required by SECLEVEL >= 3.
+
+   *Dmitry Belyavskiy, Nicola Tuveri*
+
  * Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting.  The
    SSL_CTRL_GET_IANA_GROUPS control code, exposed as the SSL_get0_iana_groups()
    function-like macro, retrieves the list of supported groups sent by the peer,
index e13bbe8981d55f2084752882bfa446cb22c2299b..d9883b30925399ccfa35330b7c6980674caeeede 100644 (file)
@@ -1001,7 +1001,7 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
                                          int op, int bits, int nid, void *other,
                                          void *ex)
 {
-    int level, minbits;
+    int level, minbits, pfs_mask;
 
     minbits = ssl_get_security_level_bits(s, ctx, &level);
 
@@ -1033,8 +1033,9 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
             if (minbits > 160 && c->algorithm_mac & SSL_SHA1)
                 return 0;
             /* Level 3: forward secure ciphersuites only */
+            pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK;
             if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
-                               !(c->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)))
+                               !(c->algorithm_mkey & pfs_mask))
                 return 0;
             break;
         }
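Review bot: The comment above the level-3 check still reads only "forward secure ciphersuites only" and does not say why the PSK variants now pass or why TLS 1.3 suites skip the test; I would expand it to something like `/* Level 3: forward secure only; (EC)DHE-PSK qualify because an ephemeral exchange is mixed with the PSK, plain PSK and RSA-PSK do not */`. The `c->min_tls != TLS1_3_VERSION` exemption is presumably there because TLS 1.3 suites do not encode a key exchange, so this callback alone cannot reject a TLS 1.3 PSK-only handshake; that is worth stating so operators do not read SECLEVEL 3 as a complete forward-secrecy guarantee. Separately, `pfs_mask` is declared `int` in the earlier hunk although it holds `SSL_k*` bit flags tested against `c->algorithm_mkey`; declaring it with that field's type (defined outside this diff, likely `uint32_t`) and scoping it to this case would avoid the signed/unsigned mix. The changed-file list shows only CHANGES.md and ssl/ssl_cert.c, so no test exercising a DHE_PSK or ECDHE_PSK suite at SECLEVEL 3 accompanies the change. The body of ssl_security_default_callback starts and ends outside this hunk.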