Set security level in cipher string.
Allow setting of security level in cipher string using the
@SECLEVEL=N syntax.
snhenson committed Mar 28, 2014
1 parent 77a926e commit 21e0c1d
Showing 1 changed file with 21 additions and 6 deletions.
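--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1133,7 +1133,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
 
 static int ssl_cipher_process_rulestr(const char *rule_str,
 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
-const SSL_CIPHER **ca_list)
+const SSL_CIPHER **ca_list, CERT *c)
 {
 unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
 const char *l, *buf;
@@ -1182,9 +1182,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 while ( ((ch >= 'A') && (ch <= 'Z')) ||
 ((ch >= '0') && (ch <= '9')) ||
 ((ch >= 'a') && (ch <= 'z')) ||
-(ch == '-') || (ch == '.'))
+(ch == '-') || (ch == '.') ||
+(ch == '='))
 #else
-while ( isalnum(ch) || (ch == '-') || (ch == '.'))
+while ( isalnum(ch) || (ch == '-') || (ch == '.') ||
+(ch == '='))
 #endif
 {
 ch = *(++l);
@@ -1350,6 +1352,20 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 if ((buflen == 8) &&
 !strncmp(buf, "STRENGTH", 8))
 ok = ssl_cipher_strength_sort(head_p, tail_p);
+else if (buflen == 10 && !strncmp(buf, "SECLEVEL=", 9))
+{
+int level = buf[9] - '0';
+if (level < 0 || level > 5)
+{
+SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+SSL_R_INVALID_COMMAND);
+}
+else
+{
+c->sec_level = level;
+ok = 1;
+}
+}
 else
 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
 SSL_R_INVALID_COMMAND);
@@ -1441,7 +1457,6 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 }
 #endif
 
-
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 STACK_OF(SSL_CIPHER) **cipher_list,
 STACK_OF(SSL_CIPHER) **cipher_list_by_id,
@@ -1563,14 +1578,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 if (strncmp(rule_str,"DEFAULT",7) == 0)
 {
 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
-&head, &tail, ca_list);
+&head, &tail, ca_list, c);
 rule_p += 7;
 if (*rule_p == ':')
 rule_p++;
 }
 
 if (ok && (strlen(rule_p) > 0))
-ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
+ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c);
 
 OPENSSL_free((void *)ca_list); /* Not needed anymore */
 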
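Review bot: The new `@SECLEVEL=` branch in ssl_cipher_process_rulestr stores `c->sec_level = level` without checking that the new `CERT *c` parameter is non-NULL, and nothing visible in the section validates it at the two call sites in ssl_create_cipher_list; whether a NULL cert can reach this path is not visible here, so either a guard such as `if (c == NULL) { SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND); }` before the assignment, or a comment on the function stating that `c` must be non-NULL, would close the question. The level is also written as soon as the token is parsed, before the remainder of the rule string has been accepted, so a string whose later rules fail will still have changed the cert's security level even though cipher-list creation reports failure; if that is intended, it deserves a one-line comment, otherwise the assignment should be deferred until the whole string is known to be valid. A comment above the branch, `/* buflen == 10 pins exactly one character after '='; the 0..5 range check also rejects non-digits */`, would make the bounds check easier to audit, and the function's header comment should mention the new directive. The body of ssl_cipher_process_rulestr starts and ends outside the hunks shown.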
