authortb <>2022-06-29 20:04:28 +0000
committertb <>2022-06-29 20:04:28 +0000
commit3fea5b8f156b0f6938854f06889198450a477b37 (patch)
tree18f3d12e5373f95fffa5674634fc8a75e8f914ab /src/lib/libssl/ssl_ciph.c
parentfc8a9f3799769566fe4b424c43a81a1a71f91328 (diff)
Parse the @SECLEVEL=n annotation in cipher strings
To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing
Diffstat (limited to 'src/lib/libssl/ssl_ciph.c')
-rw-r--r--src/lib/libssl/ssl_ciph.c28
1 files changed, 20 insertions, 8 deletions
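--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.127 2022/03/05 07:13:48 bket Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.128 2022/06/29 20:04:28 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -945,7 +945,8 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 
 static int
 ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
-    CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, int *tls13_seen)
+    CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, SSL_CERT *cert,
+    int *tls13_seen)
 {
 	unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
 	unsigned long algo_strength;
@@ -1000,7 +1001,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
 		    ((ch >= '0') && (ch <= '9')) ||
 		    ((ch >= 'a') && (ch <= 'z')) ||
 		    (ch == '-') || (ch == '.') ||
-		    (ch == '_')) {
+		    (ch == '_') || (ch == '=')) {
 			ch = *(++l);
 			buflen++;
 		}
@@ -1156,10 +1157,21 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
 		if (rule == CIPHER_SPECIAL) {
 			/* special command */
 			ok = 0;
-			if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
+			if (buflen == 8 && strncmp(buf, "STRENGTH", 8) == 0) {
 				ok = ssl_cipher_strength_sort(head_p, tail_p);
-			else
+			} else if (buflen == 10 &&
+			    strncmp(buf, "SECLEVEL=", 9) == 0) {
+				int level = buf[9] - '0';
+
+				if (level >= 0 && level <= 5) {
+					cert->security_level = level;
+					ok = 1;
+				} else {
+					SSLerrorx(SSL_R_INVALID_COMMAND);
+				}
+			} else {
 				SSLerrorx(SSL_R_INVALID_COMMAND);
+			}
 			if (ok == 0)
 				retval = 0;
 			/*
@@ -1201,7 +1213,7 @@ STACK_OF(SSL_CIPHER) *
 ssl_create_cipher_list(const SSL_METHOD *ssl_method,
     STACK_OF(SSL_CIPHER) **cipher_list,
     STACK_OF(SSL_CIPHER) *cipher_list_tls13,
-    const char *rule_str)
+    const char *rule_str, SSL_CERT *cert)
 {
 	int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
 	unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
@@ -1327,7 +1339,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	rule_p = rule_str;
 	if (strncmp(rule_str, "DEFAULT", 7) == 0) {
 		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
-		    &head, &tail, ca_list, &tls13_seen);
+		    &head, &tail, ca_list, cert, &tls13_seen);
 		rule_p += 7;
 		if (*rule_p == ':')
 			rule_p++;
@@ -1335,7 +1347,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 
 	if (ok && (strlen(rule_p) > 0))
 		ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list,
-		    &tls13_seen);
+		    cert, &tls13_seen);
 
 	free((void *)ca_list); /* Not needed anymore */
 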
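Review bot: The SECLEVEL= branch in the third hunk of ssl_cipher_process_rulestr writes cert->security_level as a side effect of parsing, before the caller knows whether the resulting cipher list will be accepted; if ssl_create_cipher_list later rejects the list (its tail is outside these hunks), the security level has already been changed. Either carry the parsed level in a local and apply it only once the list is known to be good, or make the behaviour explicit with a comment above the assignment: `/* Applied immediately; persists even if the rest of the rule string is rejected. */`. The single-digit parse (`buf[9] - '0'` with buflen == 10) is in bounds and the 0..5 range check covers non-digit characters, but it silently rejects anything longer, so a short note `/* Only a single digit 0-5 is accepted. */` would save the next reader a lookup. cert is dereferenced without a NULL check; presumably every caller (all outside the hunks) passes a non-NULL SSL_CERT, which is worth confirming.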