From c81ec4ff052ddbf4b928fd8c5d7580394f43ade7 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 29 Jun 2022 20:04:28 +0000
Subject: [PATCH] Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it.

ok beck jsing
---
 lib/libssl/ssl_ciph.c | 28 ++++++++++++++++++++--------
 lib/libssl/ssl_lib.c | 11 ++++++-----
 lib/libssl/ssl_locl.h | 4 ++--
 3 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index 2bc9f8ea42a..228c202c443 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.127 2022/03/05 07:13:48 bket Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.128 2022/06/29 20:04:28 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -945,7 +945,8 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 
 static int
 ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
- CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, int *tls13_seen)
+ CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, SSL_CERT *cert,
+ int *tls13_seen)
 {
 unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
 unsigned long algo_strength;
@@ -1000,7 +1001,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
 ((ch >= '0') && (ch <= '9')) ||
 ((ch >= 'a') && (ch <= 'z')) ||
 (ch == '-') || (ch == '.') ||
- (ch == '_')) {
+ (ch == '_') || (ch == '=')) {
 ch = *(++l);
 buflen++;
 }
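Review bot: The scanner change in the `-1000,7` hunk admits `=` in every token, not only in the `@`-prefixed special commands, so a plain rule such as `FOO=1` is presumably now scanned as one token and handed on to alias lookup instead of stopping at the scanner, and nothing in the hunk records that `=` exists only to support `@SECLEVEL=`. A one-line comment at the new condition would spare the next reader the search: `/* '=' is only meaningful in @SECLEVEL=n; the scanner is not context sensitive. */`. The scanner loop and the rest of `ssl_cipher_process_rulestr` continue outside the hunk.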
@@ -1156,10 +1157,21 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
 if (rule == CIPHER_SPECIAL) {
 /* special command */
 ok = 0;
- if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
+ if (buflen == 8 && strncmp(buf, "STRENGTH", 8) == 0) {
 ok = ssl_cipher_strength_sort(head_p, tail_p);
- else
+ } else if (buflen == 10 &&
+ strncmp(buf, "SECLEVEL=", 9) == 0) {
+ int level = buf[9] - '0';
+
+ if (level >= 0 && level <= 5) {
+ cert->security_level = level;
+ ok = 1;
+ } else {
+ SSLerrorx(SSL_R_INVALID_COMMAND);
+ }
+ } else {
 SSLerrorx(SSL_R_INVALID_COMMAND);
+ }
 if (ok == 0)
 retval = 0;
 /*
@@ -1201,7 +1213,7 @@ STACK_OF(SSL_CIPHER) *
 ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 STACK_OF(SSL_CIPHER) **cipher_list,
 STACK_OF(SSL_CIPHER) *cipher_list_tls13,
- const char *rule_str)
+ const char *rule_str, SSL_CERT *cert)
 {
 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
 unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
@@ -1327,7 +1339,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 rule_p = rule_str;
 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
- &head, &tail, ca_list, &tls13_seen);
+ &head, &tail, ca_list, cert, &tls13_seen);
 rule_p += 7;
 if (*rule_p == ':')
 rule_p++;
@@ -1335,7 +1347,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 
 if (ok && (strlen(rule_p) > 0))
 ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list,
- &tls13_seen);
+ cert, &tls13_seen);
 
 free((void *)ca_list); /* Not needed anymore */
 
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index b959d3428f7..609bfb7e65a 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.293 2022/06/29 17:39:20 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.294 2022/06/29 20:04:28 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
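Review bot: `cert->security_level = level` in the new `SECLEVEL=` branch mutates the SSL_CERT as a side effect of scanning, before `ssl_cipher_process_rulestr` has finished and before `ssl_create_cipher_list` knows whether the whole string is valid, so a string like `@SECLEVEL=2:NOSUCHCOMMAND` presumably leaves the level changed even though the caller reports failure and, going by the comment fragment in `SSL_CTX_set_cipher_list`, keeps its previous cipher list. If that is intended it deserves a comment at the assignment, e.g. `/* Applied immediately; a later parse failure does not undo it. */`; otherwise the level could be parked in a local and written by the caller only once the parse has succeeded. The `level >= 0 && level <= 5` test is correct for any byte, since only '0'..'5' map into that range, but a reader may not see that it also rejects non-digits; `/* non-digits land outside 0..5 and are rejected here too */` would make that explicit. Whether anything in the cipher-list build then honours `security_level` is not visible in this hunk.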
@@ -226,7 +226,8 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
 ctx->method = meth;
 
 ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
- ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST);
+ ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST,
+ ctx->internal->cert);
 if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) {
 SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
 return (0);
@@ -1547,7 +1548,7 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
 * ctx->cipher_list has been updated.
 */
 ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
- ctx->internal->cipher_list_tls13, str);
+ ctx->internal->cipher_list_tls13, str, ctx->internal->cert);
 if (ciphers == NULL) {
 return (0);
 } else if (sk_SSL_CIPHER_num(ciphers) == 0) {
@@ -1582,7 +1583,7 @@ SSL_set_cipher_list(SSL *s, const char *str)
 
 /* See comment in SSL_CTX_set_cipher_list. */
 ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list,
- ciphers_tls13, str);
+ ciphers_tls13, str, s->cert);
 if (ciphers == NULL) {
 return (0);
 } else if (sk_SSL_CIPHER_num(ciphers) == 0) {
@@ -2011,7 +2012,7 @@ SSL_CTX_new(const SSL_METHOD *meth)
 goto err;
 
 ssl_create_cipher_list(ret->method, &ret->cipher_list,
- NULL, SSL_DEFAULT_CIPHER_LIST);
+ NULL, SSL_DEFAULT_CIPHER_LIST, ret->internal->cert);
 if (ret->cipher_list == NULL ||
 sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
 SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS);
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 102f7deaf52..d979baf301e 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.402 2022/06/29 17:39:20 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.403 2022/06/29 20:04:28 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
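Review bot: In the `SSL_CTX_new` hunk `ret->internal->cert` is handed to the cipher-list build while `ret` is still being set up, and the hunk does not show whether that cert has been allocated by this point; the parser dereferences `cert` unconditionally when it meets `@SECLEVEL=`, so the call is safe only as long as `SSL_DEFAULT_CIPHER_LIST` carries no such token. The same default list is parsed again with the same pointer in `SSL_CTX_set_ssl_version` (first hunk of this file), so a comment at the `SSL_CTX_new` call, e.g. `/* cert may not be set up yet; the default list carries no @SECLEVEL */`, or a NULL guard on `cert` in the parser, would make the assumption visible rather than implicit. `SSL_set_cipher_list` passes the per-connection `s->cert` while the context calls pass `ctx->internal->cert`; whether a level set on the context is carried into the connection's cert is not visible here and would be worth a sentence at that call.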
@@ -1311,7 +1311,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb);
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs);
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
 STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) *tls13,
- const char *rule_str);
+ const char *rule_str, SSL_CERT *cert);
 int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str);
 int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
 STACK_OF(SSL_CIPHER) *cipherlist_tls13,
-- 
2.20.1
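Review bot: The new `SSL_CERT *cert` parameter on the `ssl_create_cipher_list` prototype is undocumented, and from the declaration alone a reader cannot tell that it is written by the parser rather than read by the cipher selection. A short comment above the prototype would settle that, e.g. `/* cert receives the security level parsed from a @SECLEVEL=n token; in this patch it is not otherwise consulted. */`. The prototype list continues on both sides of the hunk.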