Security framework.

Security callback: selects which parameters are permitted including sensible defaults based on bits of security. The "parameters" which can be selected include: ciphersuites, curves, key sizes, certificate signature algorithms, supported signature algorithms, DH parameters, SSL/TLS version, session tickets and compression. In some cases prohibiting the use of a parameters will mean they are not advertised to the peer: for example cipher suites and ECC curves. In other cases it will abort the handshake: e.g DH parameters or the peer key size. Documentation to follow...
2013-12-15 13:32:24 +00:00
parent 66f96fe2d5
commit b362ccab5c
16 changed files with 827 additions and 202 deletions
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -695,7 +695,7 @@ int ssl3_setup_read_buffer(SSL *s)
 			len += SSL3_RT_MAX_EXTRA;
 			}
 #ifndef OPENSSL_NO_COMP
-		if (!(s->options & SSL_OP_NO_COMPRESSION))
+		if (ssl_allow_compression(s))
 			len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
 #endif
 		if ((p=freelist_extract(s->ctx, 1, len)) == NULL)
@@ -732,7 +732,7 @@ int ssl3_setup_write_buffer(SSL *s)
 			+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
 			+ headerlen + align;
 #ifndef OPENSSL_NO_COMP
-		if (!(s->options & SSL_OP_NO_COMPRESSION))
+		if (ssl_allow_compression(s))
 			len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
 #endif
 		if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
@@ -782,3 +782,10 @@ int ssl3_release_read_buffer(SSL *s)
 	return 1;
 	}

+int ssl_allow_compression(SSL *s)
+	{
+	if (s->options & SSL_OP_NO_COMPRESSION)
+		return 0;
+	return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
+	}
+