From: Dr. Stephen Henson <steve@openssl.org>
Date: Tue, 18 Mar 2014 14:35:22 +0000 (+0000)
Subject: Set security level in cipher string.
X-Git-Tag: master-pre-reformat~834
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21e0c1d23afff48601eb93135defddae51f7e2e3;p=thirdparty%2Fopenssl.git

Set security level in cipher string.

Allow setting of security level in cipher string using the
@SECLEVEL=N syntax.
---

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 9b37cae3852..91f1990c62b 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1133,7 +1133,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
 
 static int ssl_cipher_process_rulestr(const char *rule_str,
                 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
-                const SSL_CIPHER **ca_list)
+                const SSL_CIPHER **ca_list, CERT *c)
 	{
 	unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
 	const char *l, *buf;
@@ -1182,9 +1182,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			while (	((ch >= 'A') && (ch <= 'Z')) ||
 				((ch >= '0') && (ch <= '9')) ||
 				((ch >= 'a') && (ch <= 'z')) ||
-				 (ch == '-') || (ch == '.'))
+				 (ch == '-') || (ch == '.')  ||
+				 (ch == '='))
 #else
-			while (	isalnum(ch) || (ch == '-') || (ch == '.'))
+			while (	isalnum(ch) || (ch == '-') || (ch == '.') ||
+				(ch == '='))
 #endif
 				 {
 				 ch = *(++l);
@@ -1350,6 +1352,20 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			if ((buflen == 8) &&
 				!strncmp(buf, "STRENGTH", 8))
 				ok = ssl_cipher_strength_sort(head_p, tail_p);
+			else if (buflen == 10 && !strncmp(buf, "SECLEVEL=", 9))
+				{
+				int level = buf[9] - '0';
+				if (level < 0 || level > 5)
+					{
+					SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+						SSL_R_INVALID_COMMAND);
+					}
+				else
+					{
+					c->sec_level = level;
+					ok = 1;
+					}
+				}
 			else
 				SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
 					SSL_R_INVALID_COMMAND);
@@ -1441,7 +1457,6 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 	}
 #endif
 
-
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 		STACK_OF(SSL_CIPHER) **cipher_list,
 		STACK_OF(SSL_CIPHER) **cipher_list_by_id,
@@ -1563,14 +1578,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	if (strncmp(rule_str,"DEFAULT",7) == 0)
 		{
 		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
-			&head, &tail, ca_list);
+			&head, &tail, ca_list, c);
 		rule_p += 7;
 		if (*rule_p == ':')
 			rule_p++;
 		}
 
 	if (ok && (strlen(rule_p) > 0))
-		ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
+		ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c);
 
 	OPENSSL_free((void *)ca_list);	/* Not needed anymore */