Unifdef LIBRESSL_HAS_SECURITY_LEVEL and remove some workarounds

that are no longer needed now that libcrypto exposes the necessary security-bits API. ok jsing
author: tb <> 2022-07-07 13:04:39 +0000
committer: tb <> 2022-07-07 13:04:39 +0000
commit: 5e009dfe713c55ed16e6f4732b2c8b5931265537 (patch)
tree: 422ab320b32995a12bf5eaa4242be365549ec73e
parent: 014c4b9a93d4ce98e8161197494a805e095e70fc (diff)
download: openbsd-5e009dfe713c55ed16e6f4732b2c8b5931265537.tar.gz
openbsd-5e009dfe713c55ed16e6f4732b2c8b5931265537.tar.bz2
openbsd-5e009dfe713c55ed16e6f4732b2c8b5931265537.zip
3 files changed, 4 insertions, 35 deletions
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index fc45e6b10d..453d75771d 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.102 2022/07/02 19:36:07 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.103 2022/07/07 13:04:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -170,11 +170,7 @@ ssl_cert_new(void)
        }
        ret->key = &(ret->pkeys[SSL_PKEY_RSA]);
        ret->references = 1;
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        ret->security_cb = ssl_security_default_cb;
-#else
-        ret->security_cb = ssl_security_dummy_cb;
-#endif
        ret->security_level = OPENSSL_TLS_SECURITY_LEVEL;
        ret->security_ex_data = NULL;
        return (ret);
@@ -426,9 +422,7 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *certs)
        param = X509_STORE_CTX_get0_param(ctx);
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
-#endif
        /*
         * Anything non-default in "param" should overwrite anything
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 4f1862254b..7ac9ddebdd 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.411 2022/07/02 16:31:04 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.412 2022/07/07 13:04:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1293,8 +1293,6 @@ int ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);
 int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
    int bits, int nid, void *other, void *ex_data);
-int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
-    int bits, int nid, void *other, void *ex_data);
 int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher);
 int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher);
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index 59760154f8..b9c724e262 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_seclevel.c,v 1.20 2022/07/05 16:14:18 tb Exp $ */
+/*      $OpenBSD: ssl_seclevel.c,v 1.21 2022/07/07 13:04:39 tb Exp $ */
 /*
 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 *
@@ -212,14 +212,7 @@ ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits,
        }
 }
-int
+static int
-ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits,
-    int version, void *cipher, void *ex_data)
-{
-        return 1;
-}
-int
 ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other)
 {
        return ctx->internal->cert->security_cb(NULL, ctx, secop, bits, nid,
@@ -236,12 +229,8 @@ ssl_security(const SSL *ssl, int secop, int bits, int nid, void *other)
 int
 ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK,
            EVP_PKEY_security_bits(pkey), 0, NULL);
-#else
-        return 1;
-#endif
 }
 int
@@ -283,25 +272,16 @@ ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
 int
 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0,
            dh);
-#else
-        return 1;
-#endif
 }
 int
 ssl_security_dh(const SSL *ssl, DH *dh)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        return ssl_security(ssl, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh);
-#else
-        return 1;
-#endif
 }
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
 static int
 ssl_cert_pubkey_security_bits(const X509 *x509)
 {
@@ -377,13 +357,11 @@ ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
        return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509);
 }
-#endif
 int
 ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
    int is_ee, int *out_error)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
        int key_error, operation;
        *out_error = 0;
@@ -406,7 +384,6 @@ ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
                return 0;
        }
-#endif
        return 1;
 }
author	tb <>	2022-07-07 13:04:39 +0000
committer	tb <>	2022-07-07 13:04:39 +0000
commit	5e009dfe713c55ed16e6f4732b2c8b5931265537 (patch)
tree	422ab320b32995a12bf5eaa4242be365549ec73e
parent	014c4b9a93d4ce98e8161197494a805e095e70fc (diff)
download	openbsd-5e009dfe713c55ed16e6f4732b2c8b5931265537.tar.gz openbsd-5e009dfe713c55ed16e6f4732b2c8b5931265537.tar.bz2 openbsd-5e009dfe713c55ed16e6f4732b2c8b5931265537.zip