7 files changed, 60 insertions, 23 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index cfd50e66be..b6a2c26938 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.234 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.235 2022/07/02 16:31:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2535,8 +2535,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                    !(c->algorithm_ssl & SSL_TLSV1_3))
                        continue;
-                if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, c->strength_bits,
+                if (!ssl_security_shared_cipher(s, c))
-                    0, c))
                        continue;
                ssl_set_cert_masks(cert, c);
diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 99f23dff4b..f77f32ab7f 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_ciphers.c,v 1.14 2022/06/29 08:38:01 tb Exp $ */
+/*      $OpenBSD: ssl_ciphers.c,v 1.15 2022/07/02 16:31:04 tb Exp $ */
 /*
 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -70,8 +70,7 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
                if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
                    max_vers))
                        continue;
-                if (!ssl_security(s, SSL_SECOP_CIPHER_CHECK,
+                if (!ssl_security_cipher_check(s, cipher))
-                    cipher->strength_bits, 0, cipher))
                        continue;
                if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
                        return 0;
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 609bfb7e65..2cdcef444c 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.294 2022/06/29 20:04:28 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.295 2022/07/02 16:31:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1471,8 +1471,7 @@ SSL_get1_supported_ciphers(SSL *s)
                if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
                    max_vers))
                        continue;
-                if (!ssl_security(s, SSL_SECOP_CIPHER_SUPPORTED,
+                if (!ssl_security_supported_cipher(s, cipher))
-                    cipher->strength_bits, 0, cipher))
                        continue;
                if (!sk_SSL_CIPHER_push(supported_ciphers, cipher))
                        goto err;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index a2ca99c02d..4f1862254b 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.410 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.411 2022/07/02 16:31:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1296,11 +1296,13 @@ int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
 int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
    int bits, int nid, void *other, void *ex_data);
-int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
+int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher);
-    void *other);
+int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher);
-int ssl_security(const SSL *ssl, int op, int bits, int nid, void *other);
+int ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher);
 int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh);
 int ssl_security_dh(const SSL *ssl, DH *dh);
+int ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey);
+int ssl_security_tickets(const SSL *ssl);
 int ssl_security_version(const SSL *ssl, int version);
 int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
    int is_peer, int *out_error);
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index 2e0b74141f..bc06177b38 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_seclevel.c,v 1.15 2022/07/02 16:00:12 tb Exp $ */
+/*      $OpenBSD: ssl_seclevel.c,v 1.16 2022/07/02 16:31:04 tb Exp $ */
 /*
 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 *
@@ -226,7 +226,7 @@ ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other)
            ctx->internal->cert->security_ex_data);
 }
-int
+static int
 ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 {
        return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,
@@ -234,11 +234,52 @@ ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 }
 int
+ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
+{
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+        return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK,
+            EVP_PKEY_security_bits(pkey), 0, NULL);
+#else
+        return 1;
+#endif
+}
+int
+ssl_security_tickets(const SSL *ssl)
+{
+        return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
+}
+int
 ssl_security_version(const SSL *ssl, int version)
 {
        return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
 }
+static int
+ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop)
+{
+        return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
+}
+int
+ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher)
+{
+        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
+}
+int
+ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher)
+{
+        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
+}
+int
+ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
+{
+        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
+}
 int
 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
 {
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 754d76e72a..c3e07e5c65 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.46 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.47 2022/07/02 16:31:04 tb Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -307,11 +307,8 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
                        return 0;
        }
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+        if (!ssl_security_sigalg_check(s, pkey))
-        if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
-            EVP_PKEY_security_bits(pkey), 0, NULL))
                return 0;
-#endif
        if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
                return 1;
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 7457925572..fa1eef3587 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.118 2022/07/02 16:00:12 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.119 2022/07/02 16:31:04 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1126,7 +1126,7 @@ tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
        if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
                return 0;
-        if (!ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL))
+        if (!ssl_security_tickets(s))
                return 0;
        if (s->internal->new_session)
@@ -1209,7 +1209,7 @@ tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
 {
        return (s->internal->tlsext_ticket_expected &&
            !(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
-            ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL));
+            ssl_security_tickets(s));
 }
 int