-/* $OpenBSD: ssl_ciph.c,v 1.127 2022/03/05 07:13:48 bket Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.128 2022/06/29 20:04:28 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
static int
ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
- CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, int *tls13_seen)
+ CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, SSL_CERT *cert,
+ int *tls13_seen)
{
unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
unsigned long algo_strength;
((ch >= '0') && (ch <= '9')) ||
((ch >= 'a') && (ch <= 'z')) ||
(ch == '-') || (ch == '.') ||
- (ch == '_')) {
+ (ch == '_') || (ch == '=')) {
ch = *(++l);
buflen++;
}
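Review bot: Adding `=` to the accepted token characters widens the grammar for every rule, not only the `@SECLEVEL=n` command; a cipher string that omits the `@`, such as `SECLEVEL=2`, now becomes the single ordinary token `SECLEVEL=2` that is looked up as a cipher alias instead of stopping on the `=`. If unknown alias names are skipped rather than rejected later in this function (that code is outside the hunk), the caller silently keeps the old security level with no error. Consider rejecting `=` in a token that is not a `CIPHER_SPECIAL` rule, or at least documenting the intent above the loop, e.g. `/* '=' is accepted only so that the @SECLEVEL=n command can be tokenised. */`.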
if (rule == CIPHER_SPECIAL) {
/* special command */
ok = 0;
- if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
+ if (buflen == 8 && strncmp(buf, "STRENGTH", 8) == 0) {
ok = ssl_cipher_strength_sort(head_p, tail_p);
- else
+ } else if (buflen == 10 &&
+ strncmp(buf, "SECLEVEL=", 9) == 0) {
+ int level = buf[9] - '0';
+
+ if (level >= 0 && level <= 5) {
+ cert->security_level = level;
+ ok = 1;
+ } else {
+ SSLerrorx(SSL_R_INVALID_COMMAND);
+ }
+ } else {
SSLerrorx(SSL_R_INVALID_COMMAND);
+ }
if (ok == 0)
retval = 0;
/*
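Review bot: `cert->security_level` is assigned as a side effect in the middle of parsing, so a rule string in which a later rule is rejected leaves the new level in place even though the caller's cipher list is not updated; parsing into a local and applying it only after the whole string is accepted would avoid that, or the behaviour should be stated in a comment, e.g. `/* Applied immediately; survives a later parse failure of the same string. */`. `cert` is dereferenced here without a NULL check, so every caller of ssl_cipher_process_rulestr must guarantee a non-NULL SSL_CERT, which deserves a one-line comment on the parameter. The single-character parse (`buf[9] - '0'` with `buflen == 10`) is safe only because the range check `level >= 0 && level <= 5` rejects every non-digit the tokenizer can admit; a comment saying so would spare the next reader the same derivation. ssl_cipher_process_rulestr's body continues outside the hunk.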
ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) **cipher_list,
STACK_OF(SSL_CIPHER) *cipher_list_tls13,
- const char *rule_str)
+ const char *rule_str, SSL_CERT *cert)
{
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
rule_p = rule_str;
if (strncmp(rule_str, "DEFAULT", 7) == 0) {
ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
- &head, &tail, ca_list, &tls13_seen);
+ &head, &tail, ca_list, cert, &tls13_seen);
rule_p += 7;
if (*rule_p == ':')
rule_p++;
if (ok && (strlen(rule_p) > 0))
ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list,
- &tls13_seen);
+ cert, &tls13_seen);
free((void *)ca_list); /* Not needed anymore */
-/* $OpenBSD: ssl_lib.c,v 1.293 2022/06/29 17:39:20 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.294 2022/06/29 20:04:28 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
ctx->method = meth;
ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
- ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST);
+ ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST,
+ ctx->internal->cert);
if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) {
SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return (0);
* ctx->cipher_list has been updated.
*/
ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
- ctx->internal->cipher_list_tls13, str);
+ ctx->internal->cipher_list_tls13, str, ctx->internal->cert);
if (ciphers == NULL) {
return (0);
} else if (sk_SSL_CIPHER_num(ciphers) == 0) {
/* See comment in SSL_CTX_set_cipher_list. */
ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list,
- ciphers_tls13, str);
+ ciphers_tls13, str, s->cert);
if (ciphers == NULL) {
return (0);
} else if (sk_SSL_CIPHER_num(ciphers) == 0) {
goto err;
ssl_create_cipher_list(ret->method, &ret->cipher_list,
- NULL, SSL_DEFAULT_CIPHER_LIST);
+ NULL, SSL_DEFAULT_CIPHER_LIST, ret->internal->cert);
if (ret->cipher_list == NULL ||
sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS);
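Review bot: ssl_create_cipher_list now receives `ret->internal->cert` and writes `cert->security_level` through it whenever the rule string contains `@SECLEVEL=`; the default list presumably does not, but the call is only safe if `ret->internal->cert` has already been allocated at this point in SSL_CTX_new, and the start of the function is outside the hunk. Please confirm the allocation order or guard the dereference, and record the dependency at the call site, e.g. `/* May write cert->security_level; ret->internal->cert must already be allocated. */`.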
-/* $OpenBSD: ssl_locl.h,v 1.402 2022/06/29 17:39:20 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.403 2022/06/29 20:04:28 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs);
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) *tls13,
- const char *rule_str);
+ const char *rule_str, SSL_CERT *cert);
int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str);
int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
STACK_OF(SSL_CIPHER) *cipherlist_tls13,
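Review bot: The new `SSL_CERT *cert` parameter is an output, not an input — the implementation stores the level from an `@SECLEVEL=n` rule into `cert->security_level` and otherwise leaves it untouched — but nothing in the prototype or its surroundings says so, and the pointer is not `const` for that reason. A comment on the declaration would make the contract visible to callers, e.g. `/* cert: must be non-NULL; receives security_level from an @SECLEVEL=n rule */`.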