Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing
author: tb <> 2022-06-29 20:04:28 +0000
committer: tb <> 2022-06-29 20:04:28 +0000
commit: 3fea5b8f156b0f6938854f06889198450a477b37 (patch)
tree: 18f3d12e5373f95fffa5674634fc8a75e8f914ab
parent: fc8a9f3799769566fe4b424c43a81a1a71f91328 (diff)
download: openbsd-3fea5b8f156b0f6938854f06889198450a477b37.tar.gz
openbsd-3fea5b8f156b0f6938854f06889198450a477b37.tar.bz2
openbsd-3fea5b8f156b0f6938854f06889198450a477b37.zip
3 files changed, 28 insertions, 15 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 2bc9f8ea42..228c202c44 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.127 2022/03/05 07:13:48 bket Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.128 2022/06/29 20:04:28 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -945,7 +945,8 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 static int
 ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
-    CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, int *tls13_seen)
+    CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, SSL_CERT *cert,
+    int *tls13_seen)
 {
        unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
        unsigned long algo_strength;
@@ -1000,7 +1001,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
                            ((ch >= '0') && (ch <= '9')) ||
                            ((ch >= 'a') && (ch <= 'z')) ||
                            (ch == '-') || (ch == '.') ||
-                            (ch == '_')) {
+                            (ch == '_') || (ch == '=')) {
                                ch = *(++l);
                                buflen++;
                        }
@@ -1156,10 +1157,21 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
                if (rule == CIPHER_SPECIAL) {
                        /* special command */
                        ok = 0;
-                        if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
+                        if (buflen == 8 && strncmp(buf, "STRENGTH", 8) == 0) {
                                ok = ssl_cipher_strength_sort(head_p, tail_p);
-                        else
+                        } else if (buflen == 10 &&
+                            strncmp(buf, "SECLEVEL=", 9) == 0) {
+                                int level = buf[9] - '0';
+                                if (level >= 0 && level <= 5) {
+                                        cert->security_level = level;
+                                        ok = 1;
+                                } else {
+                                        SSLerrorx(SSL_R_INVALID_COMMAND);
+                                }
+                        } else {
                                SSLerrorx(SSL_R_INVALID_COMMAND);
+                        }
                        if (ok == 0)
                                retval = 0;
                        /*
@@ -1201,7 +1213,7 @@ STACK_OF(SSL_CIPHER) *
 ssl_create_cipher_list(const SSL_METHOD *ssl_method,
    STACK_OF(SSL_CIPHER) **cipher_list,
    STACK_OF(SSL_CIPHER) *cipher_list_tls13,
-    const char *rule_str)
+    const char *rule_str, SSL_CERT *cert)
 {
        int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
        unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
@@ -1327,7 +1339,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
        rule_p = rule_str;
        if (strncmp(rule_str, "DEFAULT", 7) == 0) {
                ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
-                    &head, &tail, ca_list, &tls13_seen);
+                    &head, &tail, ca_list, cert, &tls13_seen);
                rule_p += 7;
                if (*rule_p == ':')
                        rule_p++;
@@ -1335,7 +1347,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
        if (ok && (strlen(rule_p) > 0))
                ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list,
-                    &tls13_seen);
+                    cert, &tls13_seen);
        free((void *)ca_list);  /* Not needed anymore */
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index b959d3428f..609bfb7e65 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.293 2022/06/29 17:39:20 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.294 2022/06/29 20:04:28 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -226,7 +226,8 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
        ctx->method = meth;
        ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
-            ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST);
+            ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST,
+            ctx->internal->cert);
        if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) {
                SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
                return (0);
@@ -1547,7 +1548,7 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
         * ctx->cipher_list has been updated.
         */
        ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
-            ctx->internal->cipher_list_tls13, str);
+            ctx->internal->cipher_list_tls13, str, ctx->internal->cert);
        if (ciphers == NULL) {
                return (0);
        } else if (sk_SSL_CIPHER_num(ciphers) == 0) {
@@ -1582,7 +1583,7 @@ SSL_set_cipher_list(SSL *s, const char *str)
        /* See comment in SSL_CTX_set_cipher_list. */
        ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list,
-            ciphers_tls13, str);
+            ciphers_tls13, str, s->cert);
        if (ciphers == NULL) {
                return (0);
        } else if (sk_SSL_CIPHER_num(ciphers) == 0) {
@@ -2011,7 +2012,7 @@ SSL_CTX_new(const SSL_METHOD *meth)
                goto err;
        ssl_create_cipher_list(ret->method, &ret->cipher_list,
-            NULL, SSL_DEFAULT_CIPHER_LIST);
+            NULL, SSL_DEFAULT_CIPHER_LIST, ret->internal->cert);
        if (ret->cipher_list == NULL ||
            sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
                SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 102f7deaf5..d979baf301 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.402 2022/06/29 17:39:20 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.403 2022/06/29 20:04:28 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1311,7 +1311,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb);
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs);
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
    STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) *tls13,
-    const char *rule_str);
+    const char *rule_str, SSL_CERT *cert);
 int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str);
 int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
    STACK_OF(SSL_CIPHER) *cipherlist_tls13,
author	tb <>	2022-06-29 20:04:28 +0000
committer	tb <>	2022-06-29 20:04:28 +0000
commit	3fea5b8f156b0f6938854f06889198450a477b37 (patch)
tree	18f3d12e5373f95fffa5674634fc8a75e8f914ab
parent	fc8a9f3799769566fe4b424c43a81a1a71f91328 (diff)
download	openbsd-3fea5b8f156b0f6938854f06889198450a477b37.tar.gz openbsd-3fea5b8f156b0f6938854f06889198450a477b37.tar.bz2 openbsd-3fea5b8f156b0f6938854f06889198450a477b37.zip