1 files changed, 0 insertions, 479 deletions
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
deleted file mode 100644
index 979da31942..0000000000
--- a/src/lib/libssl/ssl_seclevel.c
+++ /dev/null
@@ -1,479 +0,0 @@
-/*      $OpenBSD: ssl_seclevel.c,v 1.30 2025/01/18 10:52:09 tb Exp $ */
-/*
- * Copyright (c) 2020-2022 Theo Buehler <tb@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <stddef.h>
-#include <openssl/asn1.h>
-#include <openssl/dh.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/ossl_typ.h>
-#include <openssl/ssl.h>
-#include <openssl/tls1.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include "bytestring.h"
-#include "ssl_local.h"
-static int
-ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level)
-{
-        int security_level;
-        if (ctx != NULL)
-                security_level = SSL_CTX_get_security_level(ctx);
-        else
-                security_level = SSL_get_security_level(ssl);
-        if (security_level < 0)
-                security_level = 0;
-        if (security_level > 5)
-                security_level = 5;
-        *out_level = security_level;
-        return 1;
-}
-static int
-ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits)
-{
-        if (security_level < 0)
-                return 0;
-        if (security_level == 0)
-                *out_minimum_bits = 0;
-        else if (security_level == 1)
-                *out_minimum_bits = 80;
-        else if (security_level == 2)
-                *out_minimum_bits = 112;
-        else if (security_level == 3)
-                *out_minimum_bits = 128;
-        else if (security_level == 4)
-                *out_minimum_bits = 192;
-        else if (security_level >= 5)
-                *out_minimum_bits = 256;
-        return 1;
-}
-static int
-ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, const SSL *ssl,
-    int *out_level, int *out_minimum_bits)
-{
-        int security_level = 0, minimum_bits = 0;
-        if (!ssl_security_normalize_level(ctx, ssl, &security_level))
-                return 0;
-        if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits))
-                return 0;
-        if (out_level != NULL)
-                *out_level = security_level;
-        if (out_minimum_bits != NULL)
-                *out_minimum_bits = minimum_bits;
-        return 1;
-}
-static int
-ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits,
-    void *arg)
-{
-        const SSL_CIPHER *cipher = arg;
-        int security_level, minimum_bits;
-        if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
-            &minimum_bits))
-                return 0;
-        if (security_level <= 0)
-                return 1;
-        if (bits < minimum_bits)
-                return 0;
-        /* No unauthenticated ciphersuites. */
-        if (cipher->algorithm_auth & SSL_aNULL)
-                return 0;
-        if (cipher->algorithm_mac & SSL_MD5)
-                return 0;
-        if (security_level <= 1)
-                return 1;
-        if (cipher->algorithm_enc & SSL_RC4)
-                return 0;
-        if (security_level <= 2)
-                return 1;
-        /* Security level >= 3 requires a cipher with forward secrecy. */
-        if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 &&
-            cipher->algorithm_ssl != SSL_TLSV1_3)
-                return 0;
-        if (security_level <= 3)
-                return 1;
-        if (cipher->algorithm_mac & SSL_SHA1)
-                return 0;
-        return 1;
-}
-static int
-ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version)
-{
-        int min_version = TLS1_2_VERSION;
-        int security_level;
-        if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
-                return 0;
-        if (security_level < 4)
-                min_version = TLS1_1_VERSION;
-        if (security_level < 3)
-                min_version = TLS1_VERSION;
-        return ssl_tls_version(version) >= min_version;
-}
-static int
-ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl)
-{
-        return 0;
-}
-static int
-ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl)
-{
-        int security_level;
-        if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
-                return 0;
-        return security_level < 3;
-}
-static int
-ssl_security_secop_tmp_dh(const SSL_CTX *ctx, const SSL *ssl, int bits)
-{
-        int security_level, minimum_bits;
-        if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
-            &minimum_bits))
-                return 0;
-        /* Disallow DHE keys weaker than 1024 bits even at security level 0. */
-        if (security_level <= 0 && bits < 80)
-                return 0;
-        return bits >= minimum_bits;
-}
-static int
-ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits)
-{
-        int minimum_bits;
-        if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits))
-                return 0;
-        return bits >= minimum_bits;
-}
-int
-ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits,
-    int version, void *cipher, void *ex_data)
-{
-        switch (secop) {
-        case SSL_SECOP_CIPHER_SUPPORTED:
-        case SSL_SECOP_CIPHER_SHARED:
-        case SSL_SECOP_CIPHER_CHECK:
-                return ssl_security_secop_cipher(ctx, ssl, bits, cipher);
-        case SSL_SECOP_VERSION:
-                return ssl_security_secop_version(ctx, ssl, version);
-        case SSL_SECOP_COMPRESSION:
-                return ssl_security_secop_compression(ctx, ssl);
-        case SSL_SECOP_TICKET:
-                return ssl_security_secop_tickets(ctx, ssl);
-        case SSL_SECOP_TMP_DH:
-                return ssl_security_secop_tmp_dh(ctx, ssl, bits);
-        default:
-                return ssl_security_secop_default(ctx, ssl, bits);
-        }
-}
-static int
-ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other)
-{
-        return ctx->cert->security_cb(NULL, ctx, secop, bits, nid,
-            other, ctx->cert->security_ex_data);
-}
-static int
-ssl_security(const SSL *ssl, int secop, int bits, int nid, void *other)
-{
-        return ssl->cert->security_cb(ssl, NULL, secop, bits, nid, other,
-            ssl->cert->security_ex_data);
-}
-int
-ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
-{
-        int bits;
-        bits = EVP_PKEY_security_bits(pkey);
-        return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK, bits, 0, NULL);
-}
-int
-ssl_security_tickets(const SSL *ssl)
-{
-        return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
-}
-int
-ssl_security_version(const SSL *ssl, int version)
-{
-        return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
-}
-static int
-ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop)
-{
-        return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
-}
-int
-ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher)
-{
-        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
-}
-int
-ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher)
-{
-        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
-}
-int
-ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
-{
-        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
-}
-int
-ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
-{
-        int bits;
-        bits = DH_security_bits(dh);
-        return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, bits, 0, dh);
-}
-int
-ssl_security_dh(const SSL *ssl, DH *dh)
-{
-        int bits;
-        bits = DH_security_bits(dh);
-        return ssl_security(ssl, SSL_SECOP_TMP_DH, bits, 0, dh);
-}
-static int
-ssl_cert_pubkey_security_bits(const X509 *x509)
-{
-        EVP_PKEY *pkey;
-        if ((pkey = X509_get0_pubkey(x509)) == NULL)
-                return -1;
-        return EVP_PKEY_security_bits(pkey);
-}
-static int
-ssl_security_cert_key(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
-{
-        int security_bits;
-        security_bits = ssl_cert_pubkey_security_bits(x509);
-        if (ssl != NULL)
-                return ssl_security(ssl, secop, security_bits, 0, x509);
-        return ssl_ctx_security(ctx, secop, security_bits, 0, x509);
-}
-static int
-ssl_security_cert_sig_security_bits(X509 *x509, int *out_md_nid)
-{
-        int pkey_nid, security_bits;
-        uint32_t flags;
-        *out_md_nid = NID_undef;
-        /*
-         * Returning -1 security bits makes the default security callback fail
-         * to match bonkers behavior in OpenSSL. This in turn lets a security
-         * callback override such failures.
-         */
-        if (!X509_get_signature_info(x509, out_md_nid, &pkey_nid, &security_bits,
-            &flags))
-                return -1;
-        /*
-         * OpenSSL doesn't check flags. Test RSA-PSS certs we were provided have
-         * a salt length distinct from hash length and thus fail this check.
-         */
-        if ((flags & X509_SIG_INFO_TLS) == 0)
-                return -1;
-        /* Weird OpenSSL behavior only relevant for EdDSA certs in LibreSSL. */
-        if (*out_md_nid == NID_undef)
-                *out_md_nid = pkey_nid;
-        return security_bits;
-}
-static int
-ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
-{
-        int md_nid = NID_undef, security_bits = -1;
-        /* Don't check signature if self signed. */
-        if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0)
-                return 1;
-        /*
-         * The default security callback fails on -1 security bits. It ignores
-         * the md_nid (aka version) argument we pass from here.
-         */
-        security_bits = ssl_security_cert_sig_security_bits(x509, &md_nid);
-        if (ssl != NULL)
-                return ssl_security(ssl, secop, security_bits, md_nid, x509);
-        return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509);
-}
-int
-ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
-    int is_ee, int *out_error)
-{
-        int key_error, operation;
-        *out_error = 0;
-        if (is_ee) {
-                operation = SSL_SECOP_EE_KEY;
-                key_error = SSL_R_EE_KEY_TOO_SMALL;
-        } else {
-                operation = SSL_SECOP_CA_KEY;
-                key_error = SSL_R_CA_KEY_TOO_SMALL;
-        }
-        if (!ssl_security_cert_key(ctx, ssl, x509, operation)) {
-                *out_error = key_error;
-                return 0;
-        }
-        if (!ssl_security_cert_sig(ctx, ssl, x509, SSL_SECOP_CA_MD)) {
-                *out_error = SSL_R_CA_MD_TOO_WEAK;
-                return 0;
-        }
-        return 1;
-}
-/*
- * Check security of a chain. If |sk| includes the end entity certificate
- * then |x509| must be NULL.
- */
-int
-ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509,
-    int *out_error)
-{
-        int start_idx = 0;
-        int is_ee;
-        int i;
-        if (x509 == NULL) {
-                x509 = sk_X509_value(sk, 0);
-                start_idx = 1;
-        }
-        is_ee = 1;
-        if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error))
-                return 0;
-        is_ee = 0;
-        for (i = start_idx; i < sk_X509_num(sk); i++) {
-                x509 = sk_X509_value(sk, i);
-                if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error))
-                        return 0;
-        }
-        return 1;
-}
-static int
-ssl_security_group(const SSL *ssl, uint16_t group_id, int secop)
-{
-        CBB cbb;
-        int bits, nid;
-        uint8_t group[2];
-        memset(&cbb, 0, sizeof(cbb));
-        if (!tls1_ec_group_id2bits(group_id, &bits))
-                goto err;
-        if (!tls1_ec_group_id2nid(group_id, &nid))
-                goto err;
-        if (!CBB_init_fixed(&cbb, group, sizeof(group)))
-                goto err;
-        if (!CBB_add_u16(&cbb, group_id))
-                goto err;
-        if (!CBB_finish(&cbb, NULL, NULL))
-                goto err;
-        return ssl_security(ssl, secop, bits, nid, group);
- err:
-        CBB_cleanup(&cbb);
-        return 0;
-}
-int
-ssl_security_shared_group(const SSL *ssl, uint16_t group_id)
-{
-        return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SHARED);
-}
-int
-ssl_security_supported_group(const SSL *ssl, uint16_t group_id)
-{
-        return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SUPPORTED);
-}

diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c deleted file mode 100644 index 979da31942..0000000000 --- a/src/lib/libssl/ssl_seclevel.c +++ /dev/null
@@ -1,479 +0,0 @@
1	/* $OpenBSD: ssl_seclevel.c,v 1.30 2025/01/18 10:52:09 tb Exp $ */
2	/*
3	* Copyright (c) 2020-2022 Theo Buehler <tb@openbsd.org>
4	*
5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	#include <stddef.h>
19
20	#include <openssl/asn1.h>
21	#include <openssl/dh.h>
22	#include <openssl/evp.h>
23	#include <openssl/objects.h>
24	#include <openssl/ossl_typ.h>
25	#include <openssl/ssl.h>
26	#include <openssl/tls1.h>
27	#include <openssl/x509.h>
28	#include <openssl/x509v3.h>
29
30	#include "bytestring.h"
31	#include "ssl_local.h"
32
33	static int
34	ssl_security_normalize_level(const SSL_CTX ctx, const SSL ssl, int *out_level)
35	{
36	int security_level;
37
38	if (ctx != NULL)
39	security_level = SSL_CTX_get_security_level(ctx);
40	else
41	security_level = SSL_get_security_level(ssl);
42
43	if (security_level < 0)
44	security_level = 0;
45	if (security_level > 5)
46	security_level = 5;
47
48	*out_level = security_level;
49
50	return 1;
51	}
52
53	static int
54	ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits)
55	{
56	if (security_level < 0)
57	return 0;
58
59	if (security_level == 0)
60	*out_minimum_bits = 0;
61	else if (security_level == 1)
62	*out_minimum_bits = 80;
63	else if (security_level == 2)
64	*out_minimum_bits = 112;
65	else if (security_level == 3)
66	*out_minimum_bits = 128;
67	else if (security_level == 4)
68	*out_minimum_bits = 192;
69	else if (security_level >= 5)
70	*out_minimum_bits = 256;
71
72	return 1;
73	}
74
75	static int
76	ssl_security_level_and_minimum_bits(const SSL_CTX ctx, const SSL ssl,
77	int out_level, int out_minimum_bits)
78	{
79	int security_level = 0, minimum_bits = 0;
80
81	if (!ssl_security_normalize_level(ctx, ssl, &security_level))
82	return 0;
83	if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits))
84	return 0;
85
86	if (out_level != NULL)
87	*out_level = security_level;
88	if (out_minimum_bits != NULL)
89	*out_minimum_bits = minimum_bits;
90
91	return 1;
92	}
93
94	static int
95	ssl_security_secop_cipher(const SSL_CTX ctx, const SSL ssl, int bits,
96	void *arg)
97	{
98	const SSL_CIPHER *cipher = arg;
99	int security_level, minimum_bits;
100
101	if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
102	&minimum_bits))
103	return 0;
104
105	if (security_level <= 0)
106	return 1;
107
108	if (bits < minimum_bits)
109	return 0;
110
111	/* No unauthenticated ciphersuites. */
112	if (cipher->algorithm_auth & SSL_aNULL)
113	return 0;
114
115	if (cipher->algorithm_mac & SSL_MD5)
116	return 0;
117
118	if (security_level <= 1)
119	return 1;
120
121	if (cipher->algorithm_enc & SSL_RC4)
122	return 0;
123
124	if (security_level <= 2)
125	return 1;
126
127	/* Security level >= 3 requires a cipher with forward secrecy. */
128	if ((cipher->algorithm_mkey & (SSL_kDHE \| SSL_kECDHE)) == 0 &&
129	cipher->algorithm_ssl != SSL_TLSV1_3)
130	return 0;
131
132	if (security_level <= 3)
133	return 1;
134
135	if (cipher->algorithm_mac & SSL_SHA1)
136	return 0;
137
138	return 1;
139	}
140
141	static int
142	ssl_security_secop_version(const SSL_CTX ctx, const SSL ssl, int version)
143	{
144	int min_version = TLS1_2_VERSION;
145	int security_level;
146
147	if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
148	return 0;
149
150	if (security_level < 4)
151	min_version = TLS1_1_VERSION;
152	if (security_level < 3)
153	min_version = TLS1_VERSION;
154
155	return ssl_tls_version(version) >= min_version;
156	}
157
158	static int
159	ssl_security_secop_compression(const SSL_CTX ctx, const SSL ssl)
160	{
161	return 0;
162	}
163
164	static int
165	ssl_security_secop_tickets(const SSL_CTX ctx, const SSL ssl)
166	{
167	int security_level;
168
169	if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL))
170	return 0;
171
172	return security_level < 3;
173	}
174
175	static int
176	ssl_security_secop_tmp_dh(const SSL_CTX ctx, const SSL ssl, int bits)
177	{
178	int security_level, minimum_bits;
179
180	if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level,
181	&minimum_bits))
182	return 0;
183
184	/* Disallow DHE keys weaker than 1024 bits even at security level 0. */
185	if (security_level <= 0 && bits < 80)
186	return 0;
187
188	return bits >= minimum_bits;
189	}
190
191	static int
192	ssl_security_secop_default(const SSL_CTX ctx, const SSL ssl, int bits)
193	{
194	int minimum_bits;
195
196	if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits))
197	return 0;
198
199	return bits >= minimum_bits;
200	}
201
202	int
203	ssl_security_default_cb(const SSL ssl, const SSL_CTX ctx, int secop, int bits,
204	int version, void cipher, void ex_data)
205	{
206	switch (secop) {
207	case SSL_SECOP_CIPHER_SUPPORTED:
208	case SSL_SECOP_CIPHER_SHARED:
209	case SSL_SECOP_CIPHER_CHECK:
210	return ssl_security_secop_cipher(ctx, ssl, bits, cipher);
211	case SSL_SECOP_VERSION:
212	return ssl_security_secop_version(ctx, ssl, version);
213	case SSL_SECOP_COMPRESSION:
214	return ssl_security_secop_compression(ctx, ssl);
215	case SSL_SECOP_TICKET:
216	return ssl_security_secop_tickets(ctx, ssl);
217	case SSL_SECOP_TMP_DH:
218	return ssl_security_secop_tmp_dh(ctx, ssl, bits);
219	default:
220	return ssl_security_secop_default(ctx, ssl, bits);
221	}
222	}
223
224	static int
225	ssl_ctx_security(const SSL_CTX ctx, int secop, int bits, int nid, void other)
226	{
227	return ctx->cert->security_cb(NULL, ctx, secop, bits, nid,
228	other, ctx->cert->security_ex_data);
229	}
230
231	static int
232	ssl_security(const SSL ssl, int secop, int bits, int nid, void other)
233	{
234	return ssl->cert->security_cb(ssl, NULL, secop, bits, nid, other,
235	ssl->cert->security_ex_data);
236	}
237
238	int
239	ssl_security_sigalg_check(const SSL ssl, const EVP_PKEY pkey)
240	{
241	int bits;
242
243	bits = EVP_PKEY_security_bits(pkey);
244
245	return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK, bits, 0, NULL);
246	}
247
248	int
249	ssl_security_tickets(const SSL *ssl)
250	{
251	return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
252	}
253
254	int
255	ssl_security_version(const SSL *ssl, int version)
256	{
257	return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
258	}
259
260	static int
261	ssl_security_cipher(const SSL ssl, SSL_CIPHER cipher, int secop)
262	{
263	return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
264	}
265
266	int
267	ssl_security_cipher_check(const SSL ssl, SSL_CIPHER cipher)
268	{
269	return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
270	}
271
272	int
273	ssl_security_shared_cipher(const SSL ssl, SSL_CIPHER cipher)
274	{
275	return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
276	}
277
278	int
279	ssl_security_supported_cipher(const SSL ssl, SSL_CIPHER cipher)
280	{
281	return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
282	}
283
284	int
285	ssl_ctx_security_dh(const SSL_CTX ctx, DH dh)
286	{
287	int bits;
288
289	bits = DH_security_bits(dh);
290
291	return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, bits, 0, dh);
292	}
293
294	int
295	ssl_security_dh(const SSL ssl, DH dh)
296	{
297	int bits;
298
299	bits = DH_security_bits(dh);
300
301	return ssl_security(ssl, SSL_SECOP_TMP_DH, bits, 0, dh);
302	}
303
304	static int
305	ssl_cert_pubkey_security_bits(const X509 *x509)
306	{
307	EVP_PKEY *pkey;
308
309	if ((pkey = X509_get0_pubkey(x509)) == NULL)
310	return -1;
311
312	return EVP_PKEY_security_bits(pkey);
313	}
314
315	static int
316	ssl_security_cert_key(const SSL_CTX ctx, const SSL ssl, X509 *x509, int secop)
317	{
318	int security_bits;
319
320	security_bits = ssl_cert_pubkey_security_bits(x509);
321
322	if (ssl != NULL)
323	return ssl_security(ssl, secop, security_bits, 0, x509);
324
325	return ssl_ctx_security(ctx, secop, security_bits, 0, x509);
326	}
327
328	static int
329	ssl_security_cert_sig_security_bits(X509 x509, int out_md_nid)
330	{
331	int pkey_nid, security_bits;
332	uint32_t flags;
333
334	*out_md_nid = NID_undef;
335
336	/*
337	* Returning -1 security bits makes the default security callback fail
338	* to match bonkers behavior in OpenSSL. This in turn lets a security
339	* callback override such failures.
340	*/
341	if (!X509_get_signature_info(x509, out_md_nid, &pkey_nid, &security_bits,
342	&flags))
343	return -1;
344	/*
345	* OpenSSL doesn't check flags. Test RSA-PSS certs we were provided have
346	* a salt length distinct from hash length and thus fail this check.
347	*/
348	if ((flags & X509_SIG_INFO_TLS) == 0)
349	return -1;
350
351	/* Weird OpenSSL behavior only relevant for EdDSA certs in LibreSSL. */
352	if (*out_md_nid == NID_undef)
353	*out_md_nid = pkey_nid;
354
355	return security_bits;
356	}
357
358	static int
359	ssl_security_cert_sig(const SSL_CTX ctx, const SSL ssl, X509 *x509, int secop)
360	{
361	int md_nid = NID_undef, security_bits = -1;
362
363	/* Don't check signature if self signed. */
364	if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0)
365	return 1;
366
367	/*
368	* The default security callback fails on -1 security bits. It ignores
369	* the md_nid (aka version) argument we pass from here.
370	*/
371	security_bits = ssl_security_cert_sig_security_bits(x509, &md_nid);
372
373	if (ssl != NULL)
374	return ssl_security(ssl, secop, security_bits, md_nid, x509);
375
376	return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509);
377	}
378
379	int
380	ssl_security_cert(const SSL_CTX ctx, const SSL ssl, X509 *x509,
381	int is_ee, int *out_error)
382	{
383	int key_error, operation;
384
385	*out_error = 0;
386
387	if (is_ee) {
388	operation = SSL_SECOP_EE_KEY;
389	key_error = SSL_R_EE_KEY_TOO_SMALL;
390	} else {
391	operation = SSL_SECOP_CA_KEY;
392	key_error = SSL_R_CA_KEY_TOO_SMALL;
393	}
394
395	if (!ssl_security_cert_key(ctx, ssl, x509, operation)) {
396	*out_error = key_error;
397	return 0;
398	}
399
400	if (!ssl_security_cert_sig(ctx, ssl, x509, SSL_SECOP_CA_MD)) {
401	*out_error = SSL_R_CA_MD_TOO_WEAK;
402	return 0;
403	}
404
405	return 1;
406	}
407
408	/*
409	* Check security of a chain. If \|sk\| includes the end entity certificate
410	* then \|x509\| must be NULL.
411	*/
412	int
413	ssl_security_cert_chain(const SSL ssl, STACK_OF(X509) sk, X509 *x509,
414	int *out_error)
415	{
416	int start_idx = 0;
417	int is_ee;
418	int i;
419
420	if (x509 == NULL) {
421	x509 = sk_X509_value(sk, 0);
422	start_idx = 1;
423	}
424
425	is_ee = 1;
426	if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error))
427	return 0;
428
429	is_ee = 0;
430	for (i = start_idx; i < sk_X509_num(sk); i++) {
431	x509 = sk_X509_value(sk, i);
432
433	if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error))
434	return 0;
435	}
436
437	return 1;
438	}
439
440	static int
441	ssl_security_group(const SSL *ssl, uint16_t group_id, int secop)
442	{
443	CBB cbb;
444	int bits, nid;
445	uint8_t group[2];
446
447	memset(&cbb, 0, sizeof(cbb));
448
449	if (!tls1_ec_group_id2bits(group_id, &bits))
450	goto err;
451	if (!tls1_ec_group_id2nid(group_id, &nid))
452	goto err;
453
454	if (!CBB_init_fixed(&cbb, group, sizeof(group)))
455	goto err;
456	if (!CBB_add_u16(&cbb, group_id))
457	goto err;
458	if (!CBB_finish(&cbb, NULL, NULL))
459	goto err;
460
461	return ssl_security(ssl, secop, bits, nid, group);
462
463	err:
464	CBB_cleanup(&cbb);
465
466	return 0;
467	}
468
469	int
470	ssl_security_shared_group(const SSL *ssl, uint16_t group_id)
471	{
472	return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SHARED);
473	}
474
475	int
476	ssl_security_supported_group(const SSL *ssl, uint16_t group_id)
477	{
478	return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SUPPORTED);
479	}