-/* $OpenBSD: s3_lib.c,v 1.234 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.235 2022/07/02 16:31:04 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
!(c->algorithm_ssl & SSL_TLSV1_3))
continue;
- if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, c->strength_bits,
- 0, c))
+ if (!ssl_security_shared_cipher(s, c))
continue;
ssl_set_cert_masks(cert, c);
-/* $OpenBSD: ssl_ciphers.c,v 1.14 2022/06/29 08:38:01 tb Exp $ */
+/* $OpenBSD: ssl_ciphers.c,v 1.15 2022/07/02 16:31:04 tb Exp $ */
/*
* Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
* Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
max_vers))
continue;
- if (!ssl_security(s, SSL_SECOP_CIPHER_CHECK,
- cipher->strength_bits, 0, cipher))
+ if (!ssl_security_cipher_check(s, cipher))
continue;
if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
return 0;
-/* $OpenBSD: ssl_lib.c,v 1.294 2022/06/29 20:04:28 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.295 2022/07/02 16:31:04 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
max_vers))
continue;
- if (!ssl_security(s, SSL_SECOP_CIPHER_SUPPORTED,
- cipher->strength_bits, 0, cipher))
+ if (!ssl_security_supported_cipher(s, cipher))
continue;
if (!sk_SSL_CIPHER_push(supported_ciphers, cipher))
goto err;
-/* $OpenBSD: ssl_locl.h,v 1.410 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.411 2022/07/02 16:31:04 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
int bits, int nid, void *other, void *ex_data);
-int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
- void *other);
-int ssl_security(const SSL *ssl, int op, int bits, int nid, void *other);
+int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher);
+int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher);
+int ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher);
int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh);
int ssl_security_dh(const SSL *ssl, DH *dh);
+int ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey);
+int ssl_security_tickets(const SSL *ssl);
int ssl_security_version(const SSL *ssl, int version);
int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
int is_peer, int *out_error);
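Review bot: The prototype for `ssl_ctx_security` is dropped here together with `ssl_security`'s, but the ssl_seclevel.c hunk only shows `ssl_security` being made `static`; if `ssl_ctx_security` stays external without a prototype it will trip `-Wmissing-prototypes` and leave a symbol with no declared interface, so please confirm it is made `static` too (its definition ends before that hunk's first visible line, so the signature is not in view). The three new cipher prototypes and `ssl_security_sigalg_check`/`ssl_security_tickets` also land without any contract comment; a one-line header note such as `/* Return nonzero when the security callback permits the operation. */` above the group would tell callers how to read the result. The enclosing declaration block continues outside the hunk.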
-/* $OpenBSD: ssl_seclevel.c,v 1.15 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_seclevel.c,v 1.16 2022/07/02 16:31:04 tb Exp $ */
/*
* Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
*
ctx->internal->cert->security_ex_data);
}
-int
+static int
ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
{
return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,
ssl->cert->security_ex_data);
}
+int
+ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
+{
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+ return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK,
+ EVP_PKEY_security_bits(pkey), 0, NULL);
+#else
+ return 1;
+#endif
+}
+
+int
+ssl_security_tickets(const SSL *ssl)
+{
+ return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
+}
+
int
ssl_security_version(const SSL *ssl, int version)
{
return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
}
+static int
+ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop)
+{
+ return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
+}
+
+int
+ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher)
+{
+ return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
+}
+
+int
+ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher)
+{
+ return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
+}
+
+int
+ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
+{
+ return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
+}
+
int
ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
{
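Review bot: The new wrappers `ssl_security_sigalg_check`, `ssl_security_tickets` and the three `ssl_security_cipher` callers carry no comments, and the one behavior a reader needs is not obvious: `ssl_security_sigalg_check` is the only wrapper whose check is compiled out, returning 1 unconditionally when `LIBRESSL_HAS_SECURITY_LEVEL` is undefined, while the ticket and cipher wrappers always consult the callback. A short comment on the `#else` branch, `/* No security levels in this build: the sigalg check always passes. */`, would make that asymmetry deliberate rather than accidental to the next maintainer. `ssl_security_cipher` also dereferences `cipher` without a guard; this matches the call sites in s3_lib.c, ssl_ciphers.c and ssl_lib.c, which only pass list entries, and a comment `/* cipher must be non-NULL */` documents that precondition. The function ending at the top of the hunk and `ssl_ctx_security_dh` at the bottom both extend outside the hunk.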
-/* $OpenBSD: ssl_sigalgs.c,v 1.46 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.47 2022/07/02 16:31:04 tb Exp $ */
/*
* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
* Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
return 0;
}
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
- if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
- EVP_PKEY_security_bits(pkey), 0, NULL))
+ if (!ssl_security_sigalg_check(s, pkey))
return 0;
-#endif
if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
return 1;
-/* $OpenBSD: ssl_tlsext.c,v 1.118 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.119 2022/07/02 16:31:04 tb Exp $ */
/*
* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
return 0;
- if (!ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL))
+ if (!ssl_security_tickets(s))
return 0;
if (s->internal->new_session)
{
return (s->internal->tlsext_ticket_expected &&
!(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
- ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL));
+ ssl_security_tickets(s));
}
int