diff options
| author | tb <> | 2022-06-29 20:04:28 +0000 |
|---|---|---|
| committer | tb <> | 2022-06-29 20:04:28 +0000 |
| commit | 3fea5b8f156b0f6938854f06889198450a477b37 (patch) | |
| tree | 18f3d12e5373f95fffa5674634fc8a75e8f914ab /src/lib/libssl/ssl_ciph.c | |
| parent | fc8a9f3799769566fe4b424c43a81a1a71f91328 (diff) | |
| download | openbsd-3fea5b8f156b0f6938854f06889198450a477b37.tar.gz openbsd-3fea5b8f156b0f6938854f06889198450a477b37.tar.bz2 openbsd-3fea5b8f156b0f6938854f06889198450a477b37.zip | |
Parse the @SECLEVEL=n annotation in cipher strings
To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.
ok beck jsing
Diffstat (limited to 'src/lib/libssl/ssl_ciph.c')
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 28 |
1 files changed, 20 insertions, 8 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 2bc9f8ea42..228c202c44 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.127 2022/03/05 07:13:48 bket Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.128 2022/06/29 20:04:28 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -945,7 +945,8 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | |||
| 945 | 945 | ||
| 946 | static int | 946 | static int |
| 947 | ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, | 947 | ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, |
| 948 | CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, int *tls13_seen) | 948 | CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, SSL_CERT *cert, |
| 949 | int *tls13_seen) | ||
| 949 | { | 950 | { |
| 950 | unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl; | 951 | unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl; |
| 951 | unsigned long algo_strength; | 952 | unsigned long algo_strength; |
| @@ -1000,7 +1001,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, | |||
| 1000 | ((ch >= '0') && (ch <= '9')) || | 1001 | ((ch >= '0') && (ch <= '9')) || |
| 1001 | ((ch >= 'a') && (ch <= 'z')) || | 1002 | ((ch >= 'a') && (ch <= 'z')) || |
| 1002 | (ch == '-') || (ch == '.') || | 1003 | (ch == '-') || (ch == '.') || |
| 1003 | (ch == '_')) { | 1004 | (ch == '_') || (ch == '=')) { |
| 1004 | ch = *(++l); | 1005 | ch = *(++l); |
| 1005 | buflen++; | 1006 | buflen++; |
| 1006 | } | 1007 | } |
| @@ -1156,10 +1157,21 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, | |||
| 1156 | if (rule == CIPHER_SPECIAL) { | 1157 | if (rule == CIPHER_SPECIAL) { |
| 1157 | /* special command */ | 1158 | /* special command */ |
| 1158 | ok = 0; | 1159 | ok = 0; |
| 1159 | if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8)) | 1160 | if (buflen == 8 && strncmp(buf, "STRENGTH", 8) == 0) { |
| 1160 | ok = ssl_cipher_strength_sort(head_p, tail_p); | 1161 | ok = ssl_cipher_strength_sort(head_p, tail_p); |
| 1161 | else | 1162 | } else if (buflen == 10 && |
| 1163 | strncmp(buf, "SECLEVEL=", 9) == 0) { | ||
| 1164 | int level = buf[9] - '0'; | ||
| 1165 | |||
| 1166 | if (level >= 0 && level <= 5) { | ||
| 1167 | cert->security_level = level; | ||
| 1168 | ok = 1; | ||
| 1169 | } else { | ||
| 1170 | SSLerrorx(SSL_R_INVALID_COMMAND); | ||
| 1171 | } | ||
| 1172 | } else { | ||
| 1162 | SSLerrorx(SSL_R_INVALID_COMMAND); | 1173 | SSLerrorx(SSL_R_INVALID_COMMAND); |
| 1174 | } | ||
| 1163 | if (ok == 0) | 1175 | if (ok == 0) |
| 1164 | retval = 0; | 1176 | retval = 0; |
| 1165 | /* | 1177 | /* |
| @@ -1201,7 +1213,7 @@ STACK_OF(SSL_CIPHER) * | |||
| 1201 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, | 1213 | ssl_create_cipher_list(const SSL_METHOD *ssl_method, |
| 1202 | STACK_OF(SSL_CIPHER) **cipher_list, | 1214 | STACK_OF(SSL_CIPHER) **cipher_list, |
| 1203 | STACK_OF(SSL_CIPHER) *cipher_list_tls13, | 1215 | STACK_OF(SSL_CIPHER) *cipher_list_tls13, |
| 1204 | const char *rule_str) | 1216 | const char *rule_str, SSL_CERT *cert) |
| 1205 | { | 1217 | { |
| 1206 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | 1218 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; |
| 1207 | unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; | 1219 | unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; |
| @@ -1327,7 +1339,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1327 | rule_p = rule_str; | 1339 | rule_p = rule_str; |
| 1328 | if (strncmp(rule_str, "DEFAULT", 7) == 0) { | 1340 | if (strncmp(rule_str, "DEFAULT", 7) == 0) { |
| 1329 | ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, | 1341 | ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, |
| 1330 | &head, &tail, ca_list, &tls13_seen); | 1342 | &head, &tail, ca_list, cert, &tls13_seen); |
| 1331 | rule_p += 7; | 1343 | rule_p += 7; |
| 1332 | if (*rule_p == ':') | 1344 | if (*rule_p == ':') |
| 1333 | rule_p++; | 1345 | rule_p++; |
| @@ -1335,7 +1347,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1335 | 1347 | ||
| 1336 | if (ok && (strlen(rule_p) > 0)) | 1348 | if (ok && (strlen(rule_p) > 0)) |
| 1337 | ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, | 1349 | ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, |
| 1338 | &tls13_seen); | 1350 | cert, &tls13_seen); |
| 1339 | 1351 | ||
| 1340 | free((void *)ca_list); /* Not needed anymore */ | 1352 | free((void *)ca_list); /* Not needed anymore */ |
| 1341 | 1353 | ||