Unifdef LIBRESSL_HAS_SECURITY_LEVEL and remove some workarounds

that are no longer needed now that libcrypto exposes the necessary
security-bits API.

ok jsing

diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index fc45e6b..453d757 100644 (file)
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.102 2022/07/02 19:36:07 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.103 2022/07/07 13:04:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -170,11 +170,7 @@ ssl_cert_new(void)
        }
        ret->key = &(ret->pkeys[SSL_PKEY_RSA]);
        ret->references = 1;
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        ret->security_cb = ssl_security_default_cb;
-#else
-       ret->security_cb = ssl_security_dummy_cb;
-#endif
        ret->security_level = OPENSSL_TLS_SECURITY_LEVEL;
        ret->security_ex_data = NULL;
        return (ret);
@@ -426,9 +422,7 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *certs)
 
        param = X509_STORE_CTX_get0_param(ctx);
 
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
-#endif
 
        /*
         * Anything non-default in "param" should overwrite anything

diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 4f18622..7ac9dde 100644 (file)
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.411 2022/07/02 16:31:04 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.412 2022/07/07 13:04:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1293,8 +1293,6 @@ int ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);
 
 int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
     int bits, int nid, void *other, void *ex_data);
-int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
-    int bits, int nid, void *other, void *ex_data);
 
 int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher);
 int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher);

diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c
index 5976015..b9c724e 100644 (file)
--- a/lib/libssl/ssl_seclevel.c
+++ b/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ssl_seclevel.c,v 1.20 2022/07/05 16:14:18 tb Exp $ */
+/*     $OpenBSD: ssl_seclevel.c,v 1.21 2022/07/07 13:04:39 tb Exp $ */
 /*
  * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
  *
@@ -212,14 +212,7 @@ ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits,
        }
 }
 
-int
-ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits,
-    int version, void *cipher, void *ex_data)
-{
-       return 1;
-}
-
-int
+static int
 ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other)
 {
        return ctx->internal->cert->security_cb(NULL, ctx, secop, bits, nid,
@@ -236,12 +229,8 @@ ssl_security(const SSL *ssl, int secop, int bits, int nid, void *other)
 int
 ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK,
            EVP_PKEY_security_bits(pkey), 0, NULL);
-#else
-       return 1;
-#endif
 }
 
 int
@@ -283,25 +272,16 @@ ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
 int
 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0,
            dh);
-#else
-       return 1;
-#endif
 }
 
 int
 ssl_security_dh(const SSL *ssl, DH *dh)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        return ssl_security(ssl, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh);
-#else
-       return 1;
-#endif
 }
 
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
 static int
 ssl_cert_pubkey_security_bits(const X509 *x509)
 {
@@ -377,13 +357,11 @@ ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
 
        return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509);
 }
-#endif
 
 int
 ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
     int is_ee, int *out_error)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        int key_error, operation;
 
        *out_error = 0;
@@ -406,7 +384,6 @@ ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
                return 0;
        }
 
-#endif
        return 1;
 }