From: tb Date: Sat, 2 Jul 2022 16:31:04 +0000 (+0000) Subject: Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=1fd41f507b903098abcfc49a0b954d9e6cd43fb7;p=openbsd Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes. ok beck jsing
---
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index cfd50e66be3..b6a2c269389 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.234 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.235 2022/07/02 16:31:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2535,8 +2535,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 !(c->algorithm_ssl & SSL_TLSV1_3))
 continue;
- if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, c->strength_bits,
- 0, c))
+ if (!ssl_security_shared_cipher(s, c))
 continue;
 ssl_set_cert_masks(cert, c);
diff --git a/lib/libssl/ssl_ciphers.c b/lib/libssl/ssl_ciphers.c
index 99f23dff4bd..f77f32ab7f9 100644
--- a/lib/libssl/ssl_ciphers.c
+++ b/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciphers.c,v 1.14 2022/06/29 08:38:01 tb Exp $ */
+/* $OpenBSD: ssl_ciphers.c,v 1.15 2022/07/02 16:31:04 tb Exp $ */
 /*
 * Copyright (c) 2015-2017 Doug Hogan
 * Copyright (c) 2015-2018, 2020 Joel Sing
@@ -70,8 +70,7 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
 if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, max_vers))
 continue;
- if (!ssl_security(s, SSL_SECOP_CIPHER_CHECK,
- cipher->strength_bits, 0, cipher))
+ if (!ssl_security_cipher_check(s, cipher))
 continue;
 if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
 return 0;
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 609bfb7e65a..2cdcef444c4 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.294 2022/06/29 20:04:28 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.295 2022/07/02 16:31:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1471,8 +1471,7 @@ SSL_get1_supported_ciphers(SSL *s)
 if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, max_vers))
 continue;
- if (!ssl_security(s, SSL_SECOP_CIPHER_SUPPORTED,
- cipher->strength_bits, 0, cipher))
+ if (!ssl_security_supported_cipher(s, cipher))
 continue;
 if (!sk_SSL_CIPHER_push(supported_ciphers, cipher))
 goto err;
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index a2ca99c02d7..4f1862254b1 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.410 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.411 2022/07/02 16:31:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1296,11 +1296,13 @@ int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
 int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
 int bits, int nid, void *other, void *ex_data);
-int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
- void *other);
-int ssl_security(const SSL *ssl, int op, int bits, int nid, void *other);
+int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher);
+int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher);
+int ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher);
 int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh);
 int ssl_security_dh(const SSL *ssl, DH *dh);
+int ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey);
+int ssl_security_tickets(const SSL *ssl);
 int ssl_security_version(const SSL *ssl, int version);
 int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
 int is_peer, int *out_error);
diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c
index 2e0b74141f7..bc06177b384 100644
--- a/lib/libssl/ssl_seclevel.c
+++ b/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_seclevel.c,v 1.15 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_seclevel.c,v 1.16 2022/07/02 16:31:04 tb Exp $ */
 /*
 * Copyright (c) 2020 Theo Buehler
 *
@@ -226,19 +226,60 @@ ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other)
 ctx->internal->cert->security_ex_data);
 }
-int
+static int
 ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 {
 return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,
 ssl->cert->security_ex_data);
 }
+int
+ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
+{
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+ return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK,
+ EVP_PKEY_security_bits(pkey), 0, NULL);
+#else
+ return 1;
+#endif
+}
+
+int
+ssl_security_tickets(const SSL *ssl)
+{
+ return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
+}
+
 int
 ssl_security_version(const SSL *ssl, int version)
 {
 return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
 }
+static int
+ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop)
+{
+ return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
+}
+
+int
+ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher)
+{
+ return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
+}
+
+int
+ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher)
+{
+ return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
+}
+
+int
+ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
+{
+ return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
+}
+
 int
 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
 {
diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index 754d76e72a2..c3e07e5c655 100644
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.46 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.47 2022/07/02 16:31:04 tb Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck
 * Copyright (c) 2021 Joel Sing
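Review bot: `ssl_security()` is made `static int` in this hunk, but its sibling `ssl_ctx_security()` — whose closing lines are the first two context lines here and whose head lies above the hunk — appears to keep external linkage while this commit drops its prototype from ssl_locl.h, leaving an exported symbol with no declaration (and a -Wmissing-prototypes warning wherever that flag is on). If nothing outside ssl_seclevel.c calls it any more it should get the same treatment, `static int` above `ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other)`. Separately, `ssl_security_sigalg_check()` is now the only wrapper that can succeed without consulting the security callback (the `#else` branch returns 1 when LIBRESSL_HAS_SECURITY_LEVEL is undefined), and a reader of the now-unconditional call in ssl_sigalgs.c can no longer see that; the branch deserves a comment such as `/* Without security levels there is nothing to enforce; accept. */`.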
@@ -307,11 +307,8 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
 return 0;
 }
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
- if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
- EVP_PKEY_security_bits(pkey), 0, NULL))
+ if (!ssl_security_sigalg_check(s, pkey))
 return 0;
-#endif
 if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
 return 1;
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 74579255724..fa1eef35874 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.118 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.119 2022/07/02 16:31:04 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -1126,7 +1126,7 @@ tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
 return 0;
- if (!ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL))
+ if (!ssl_security_tickets(s))
 return 0;
 if (s->internal->new_session)
@@ -1209,7 +1209,7 @@ tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
 {
 return (s->internal->tlsext_ticket_expected &&
 !(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
- ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL));
+ ssl_security_tickets(s));
 }
 int