author | tb <> | 2022-06-29 20:04:28 +0000 |
---|---|---|
committer | tb <> | 2022-06-29 20:04:28 +0000 |
commit | 3fea5b8f156b0f6938854f06889198450a477b37 (patch) | |
tree | 18f3d12e5373f95fffa5674634fc8a75e8f914ab /src/lib/libssl/ssl_ciph.c | |
parent | fc8a9f3799769566fe4b424c43a81a1a71f91328 (diff) | |
Parse the @SECLEVEL=n annotation in cipher strings
To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.
ok beck jsing
Diffstat (limited to 'src/lib/libssl/ssl_ciph.c')
-rw-r--r-- | src/lib/libssl/ssl_ciph.c | 28 |
1 files changed, 20 insertions, 8 deletions
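diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 2bc9f8ea42..228c202c44 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.127 2022/03/05 07:13:48 bket Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.128 2022/06/29 20:04:28 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -945,7 +945,8 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 
 static int
 ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
-    CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, int *tls13_seen)
+    CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, SSL_CERT *cert,
+    int *tls13_seen)
 {
 	unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
 	unsigned long algo_strength;
@@ -1000,7 +1001,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
 		    ((ch >= '0') && (ch <= '9')) ||
 		    ((ch >= 'a') && (ch <= 'z')) ||
 		    (ch == '-') || (ch == '.') ||
-		    (ch == '_')) {
+		    (ch == '_') || (ch == '=')) {
 			ch = *(++l);
 			buflen++;
 		}
@@ -1156,10 +1157,21 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
 		if (rule == CIPHER_SPECIAL) {
 			/* special command */
 			ok = 0;
-			if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
+			if (buflen == 8 && strncmp(buf, "STRENGTH", 8) == 0) {
 				ok = ssl_cipher_strength_sort(head_p, tail_p);
-			else
+			} else if (buflen == 10 &&
+			    strncmp(buf, "SECLEVEL=", 9) == 0) {
+				int level = buf[9] - '0';
+
+				if (level >= 0 && level <= 5) {
+					cert->security_level = level;
+					ok = 1;
+				} else {
+					SSLerrorx(SSL_R_INVALID_COMMAND);
+				}
+			} else {
 				SSLerrorx(SSL_R_INVALID_COMMAND);
+			}
 			if (ok == 0)
 				retval = 0;
 			/*
@@ -1201,7 +1213,7 @@ STACK_OF(SSL_CIPHER) *
 ssl_create_cipher_list(const SSL_METHOD *ssl_method,
     STACK_OF(SSL_CIPHER) **cipher_list,
     STACK_OF(SSL_CIPHER) *cipher_list_tls13,
-    const char *rule_str)
+    const char *rule_str, SSL_CERT *cert)
 {
 	int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
 	unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
@@ -1327,7 +1339,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	rule_p = rule_str;
 	if (strncmp(rule_str, "DEFAULT", 7) == 0) {
 		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
-		    &head, &tail, ca_list, &tls13_seen);
+		    &head, &tail, ca_list, cert, &tls13_seen);
 		rule_p += 7;
 		if (*rule_p == ':')
 			rule_p++;
@@ -1335,7 +1347,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 
 	if (ok && (strlen(rule_p) > 0))
 		ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list,
-		    &tls13_seen);
+		    cert, &tls13_seen);
 
 	free((void *)ca_list); /* Not needed anymore */
 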
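Review bot: In the new SECLEVEL branch the digit check is only implicit: `int level = buf[9] - '0'` followed by the 0..5 range test rejects non-digits solely because every other character the scanner loop around line 1001 accepts (letters, '-', '.', '_', '=') happens to land outside that range, which silently breaks if that character set is widened later. Making it explicit costs one line: `if (buf[9] >= '0' && buf[9] <= '5') { cert->security_level = buf[9] - '0'; ok = 1; }`. Note also that `cert->security_level` is written the moment the rule is parsed, so a later invalid rule in the same string leaves the level changed even though ssl_cipher_process_rulestr returns 0; if callers expect a failed parse to leave the SSL_CERT untouched, the level should be staged in a local and applied only on success. `cert` is dereferenced without a NULL check, which is fine if every caller of ssl_create_cipher_list passes a non-NULL SSL_CERT, but that guarantee is not visible from these hunks. ssl_cipher_process_rulestr's body begins and ends outside the hunk.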