Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing

7 files changed, 60 insertions, 23 deletions

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index cfd50e66be..b6a2c26938 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.234 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.235 2022/07/02 16:31:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2535,8 +2535,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                     !(c->algorithm_ssl & SSL_TLSV1_3))
                         continue;
 
-                if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, c->strength_bits,
-                    0, c))
+                if (!ssl_security_shared_cipher(s, c))
                         continue;
 
                 ssl_set_cert_masks(cert, c);
diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 99f23dff4b..f77f32ab7f 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_ciphers.c,v 1.14 2022/06/29 08:38:01 tb Exp $ */
+/*      $OpenBSD: ssl_ciphers.c,v 1.15 2022/07/02 16:31:04 tb Exp $ */
 /*
  * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
  * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -70,8 +70,7 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
                 if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
                     max_vers))
                         continue;
-                if (!ssl_security(s, SSL_SECOP_CIPHER_CHECK,
-                    cipher->strength_bits, 0, cipher))
+                if (!ssl_security_cipher_check(s, cipher))
                         continue;
                 if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
                         return 0;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 609bfb7e65..2cdcef444c 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.294 2022/06/29 20:04:28 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.295 2022/07/02 16:31:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1471,8 +1471,7 @@ SSL_get1_supported_ciphers(SSL *s)
                 if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
                     max_vers))
                         continue;
-                if (!ssl_security(s, SSL_SECOP_CIPHER_SUPPORTED,
-                    cipher->strength_bits, 0, cipher))
+                if (!ssl_security_supported_cipher(s, cipher))
                         continue;
                 if (!sk_SSL_CIPHER_push(supported_ciphers, cipher))
                         goto err;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index a2ca99c02d..4f1862254b 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.410 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.411 2022/07/02 16:31:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1296,11 +1296,13 @@ int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
 int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
     int bits, int nid, void *other, void *ex_data);
 
-int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
-    void *other);
-int ssl_security(const SSL *ssl, int op, int bits, int nid, void *other);
+int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher);
+int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher);
+int ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher);
 int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh);
 int ssl_security_dh(const SSL *ssl, DH *dh);
+int ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey);
+int ssl_security_tickets(const SSL *ssl);
 int ssl_security_version(const SSL *ssl, int version);
 int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
     int is_peer, int *out_error);
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index 2e0b74141f..bc06177b38 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_seclevel.c,v 1.15 2022/07/02 16:00:12 tb Exp $ */
+/*      $OpenBSD: ssl_seclevel.c,v 1.16 2022/07/02 16:31:04 tb Exp $ */
 /*
  * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
  *
@@ -226,7 +226,7 @@ ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other)
             ctx->internal->cert->security_ex_data);
 }
 
-int
+static int
 ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 {
         return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,
@@ -234,11 +234,52 @@ ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 }
 
 int
+ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
+{
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+        return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK,
+            EVP_PKEY_security_bits(pkey), 0, NULL);
+#else
+        return 1;
+#endif
+}
+
+int
+ssl_security_tickets(const SSL *ssl)
+{
+        return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
+}
+
+int
 ssl_security_version(const SSL *ssl, int version)
 {
         return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
 }
 
+static int
+ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop)
+{
+        return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
+}
+
+int
+ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher)
+{
+        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
+}
+
+int
+ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher)
+{
+        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
+}
+
+int
+ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
+{
+        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
+}
+
 int
 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
 {
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 754d76e72a..c3e07e5c65 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.46 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.47 2022/07/02 16:31:04 tb Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -307,11 +307,8 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
                         return 0;
         }
 
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
-        if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
-            EVP_PKEY_security_bits(pkey), 0, NULL))
+        if (!ssl_security_sigalg_check(s, pkey))
                 return 0;
-#endif
 
         if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
                 return 1;
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 7457925572..fa1eef3587 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.118 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.119 2022/07/02 16:31:04 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1126,7 +1126,7 @@ tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
         if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
                 return 0;
 
-        if (!ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL))
+        if (!ssl_security_tickets(s))
                 return 0;
 
         if (s->internal->new_session)
@@ -1209,7 +1209,7 @@ tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
 {
         return (s->internal->tlsext_ticket_expected &&
             !(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
-            ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL));
+            ssl_security_tickets(s));
 }
 
 int