From bf22d29dc846d759d3e63a092ff25b15863c5b9e Mon Sep 17 00:00:00 2001 From: tb Date: Thu, 7 Jul 2022 13:04:39 +0000 Subject: [PATCH] Unifdef LIBRESSL_HAS_SECURITY_LEVEL and remove some workarounds that are no longer needed now that libcrypto exposes the necessary security-bits API. ok jsing --- lib/libssl/ssl_cert.c | 8 +------- lib/libssl/ssl_locl.h | 4 +--- lib/libssl/ssl_seclevel.c | 27 ++------------------------- 3 files changed, 4 insertions(+), 35 deletions(-) diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c index fc45e6b10d1..453d75771d3 100644 --- a/lib/libssl/ssl_cert.c +++ b/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.102 2022/07/02 19:36:07 jsing Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.103 2022/07/07 13:04:39 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -170,11 +170,7 @@ ssl_cert_new(void) } ret->key = &(ret->pkeys[SSL_PKEY_RSA]); ret->references = 1; -#if defined(LIBRESSL_HAS_SECURITY_LEVEL) ret->security_cb = ssl_security_default_cb; -#else - ret->security_cb = ssl_security_dummy_cb; -#endif ret->security_level = OPENSSL_TLS_SECURITY_LEVEL; ret->security_ex_data = NULL; return (ret); @@ -426,9 +422,7 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *certs) param = X509_STORE_CTX_get0_param(ctx); -#if defined(LIBRESSL_HAS_SECURITY_LEVEL) X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s)); -#endif /* * Anything non-default in "param" should overwrite anything diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 4f1862254b1..7ac9ddebdda 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.411 2022/07/02 16:31:04 tb Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.412 2022/07/07 13:04:39 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
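Review bot: With the `#else` branch removed, `ret->security_cb = ssl_security_default_cb;` in ssl_cert_new is the only initialization left, so for any build in which LIBRESSL_HAS_SECURITY_LEVEL was previously undefined the library moves from an accept-everything policy (the deleted ssl_security_dummy_cb returned 1 unconditionally) to enforcing OPENSSL_TLS_SECURITY_LEVEL by default. That is the right direction, but it is a behavior change rather than a pure cleanup, and neither the code nor the commit message says so. I would add `/* Enforce OPENSSL_TLS_SECURITY_LEVEL by default; there is no accept-all fallback. */` above the assignment and mention the effective-default change in the commit message. ssl_cert_new begins before this hunk.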
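Review bot: `X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));` in ssl_verify_cert_chain now runs unconditionally, which means libcrypto's chain verification derives its key-size policy from the numeric level alone; if an application can install its own security callback (no setter is visible in this patch), that callback is not consulted for the peer chain's keys, only for the checks routed through ssl_seclevel.c. The comment that follows indicates non-default values merged afterwards override this, so a caller-set auth level on the SSL's own parameters presumably wins, which looks intended but is easy to miss. A comment such as `/* Seed the auth level from the numeric security level; libcrypto does not call security_cb. */` would make both facts explicit. The rest of ssl_verify_cert_chain lies outside this hunk.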
@@ -1293,8 +1293,6 @@ int ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert); int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex_data); -int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op, - int bits, int nid, void *other, void *ex_data); int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher); int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher); diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c index 59760154f8c..b9c724e262b 100644 --- a/lib/libssl/ssl_seclevel.c +++ b/lib/libssl/ssl_seclevel.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_seclevel.c,v 1.20 2022/07/05 16:14:18 tb Exp $ */ +/* $OpenBSD: ssl_seclevel.c,v 1.21 2022/07/07 13:04:39 tb Exp $ */ /* * Copyright (c) 2020 Theo Buehler * @@ -212,14 +212,7 @@ ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits, } } -int -ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits, - int version, void *cipher, void *ex_data) -{ - return 1; -} - -int +static int ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other) { return ctx->internal->cert->security_cb(NULL, ctx, secop, bits, nid, @@ -236,12 +229,8 @@ ssl_security(const SSL *ssl, int secop, int bits, int nid, void *other) int ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey) { -#if defined(LIBRESSL_HAS_SECURITY_LEVEL) return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK, EVP_PKEY_security_bits(pkey), 0, NULL); -#else - return 1; -#endif } int 
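Review bot: ssl_security_sigalg_check hands the callback `nid` 0 and `other` NULL, so unlike the certificate-signature path in this file, which passes the digest NID and the X509, a callback cannot tell which signature scheme is being checked here; it only sees the key's bit count. EVP_PKEY_security_bits also returns 0 for a NULL key and, if LibreSSL mirrors OpenSSL here, a negative sentinel for key types without a security-bits method, and both feed straight into the callback as a tiny bit count, which is fail-closed at level 1 and above but indistinguishable from a genuinely weak key. If the callers have the signature scheme at hand, passing its digest NID (and the scheme in `other`) would make this consistent with ssl_security_cert_sig; at minimum a one-line comment, `/* Only the key's security bits are checked; no scheme information is passed. */`, should say so.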
@@ -283,25 +272,16 @@ ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher) int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh) { -#if defined(LIBRESSL_HAS_SECURITY_LEVEL) return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh); -#else - return 1; -#endif } int ssl_security_dh(const SSL *ssl, DH *dh) { -#if defined(LIBRESSL_HAS_SECURITY_LEVEL) return ssl_security(ssl, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh); -#else - return 1; -#endif } -#if defined(LIBRESSL_HAS_SECURITY_LEVEL) static int ssl_cert_pubkey_security_bits(const X509 *x509) { @@ -377,13 +357,11 @@ ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop) return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509); } -#endif int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int is_ee, int *out_error) { -#if defined(LIBRESSL_HAS_SECURITY_LEVEL) int key_error, operation; *out_error = 0; @@ -406,7 +384,6 @@ ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, return 0; } -#endif return 1; } -- 2.20.1
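Review bot: ssl_ctx_security_dh and ssl_security_dh now call `DH_security_bits(dh)` before anything checks `dh`; the removed `#else` branch returned 1 without touching the pointer, so any caller that could previously reach these with a NULL dh now dereferences it (the callers, such as the SSL_CTRL_SET_TMP_DH path, are not visible here). If that cannot be ruled out, `if (dh == NULL) return 0;` at the top of each keeps the check fail-closed. If LibreSSL's DH_security_bits mirrors OpenSSL's, parameters without `q` and with `length` unset are scored on the size of `p` alone, which deserves a note at the SSL_SECOP_TMP_DH call: `/* Bits come from p (and q/length when present); see DH_security_bits. */`.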
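Review bot: ssl_security_cert has no header comment, yet after this change it is an unconditionally compiled non-static check, so its contract should be stated: that it returns 1 when the certificate's key and signature satisfy the configured security level and otherwise returns 0 with `*out_error` (cleared to 0 on entry, as the visible line does) presumably set to the reason code the caller should report; that is a three-line comment above the definition. The visible return in ssl_security_cert_sig goes through `ssl_ctx_security(ctx, ...)`; if the earlier lines of that function (outside this hunk) do not first dispatch to `ssl_security(ssl, ...)` when `ssl` is non-NULL, a per-SSL level or callback would be bypassed for signature checks and `ctx` would be dereferenced even when the caller only has an SSL, so please confirm. Both functions extend beyond this hunk.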