1 files changed, 43 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index 2e0b74141f..bc06177b38 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_seclevel.c,v 1.15 2022/07/02 16:00:12 tb Exp $ */
+/*      $OpenBSD: ssl_seclevel.c,v 1.16 2022/07/02 16:31:04 tb Exp $ */
 /*
 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 *
@@ -226,7 +226,7 @@ ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other)
            ctx->internal->cert->security_ex_data);
 }
-int
+static int
 ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 {
        return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,
@@ -234,11 +234,52 @@ ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 }
 int
+ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
+{
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+        return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK,
+            EVP_PKEY_security_bits(pkey), 0, NULL);
+#else
+        return 1;
+#endif
+}
+int
+ssl_security_tickets(const SSL *ssl)
+{
+        return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
+}
+int
 ssl_security_version(const SSL *ssl, int version)
 {
        return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
 }
+static int
+ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop)
+{
+        return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
+}
+int
+ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher)
+{
+        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
+}
+int
+ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher)
+{
+        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
+}
+int
+ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
+{
+        return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
+}
 int
 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
 {

diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c index 2e0b74141f..bc06177b38 100644 --- a/src/lib/libssl/ssl_seclevel.c +++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_seclevel.c,v 1.15 2022/07/02 16:00:12 tb Exp $ */	1	/* $OpenBSD: ssl_seclevel.c,v 1.16 2022/07/02 16:31:04 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
4	*	4	*
@@ -226,7 +226,7 @@ ssl_ctx_security(const SSL_CTX ctx, int op, int bits, int nid, void other)
226	ctx->internal->cert->security_ex_data);	226	ctx->internal->cert->security_ex_data);
227	}	227	}
228		228
229	int	229	static int
230	ssl_security(const SSL ssl, int op, int bits, int nid, void other)	230	ssl_security(const SSL ssl, int op, int bits, int nid, void other)
231	{	231	{
232	return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,	232	return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,
@@ -234,11 +234,52 @@ ssl_security(const SSL ssl, int op, int bits, int nid, void other)
234	}	234	}
235		235
236	int	236	int
		237	ssl_security_sigalg_check(const SSL ssl, const EVP_PKEY pkey)
		238	{
		239	#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
		240	return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK,
		241	EVP_PKEY_security_bits(pkey), 0, NULL);
		242	#else
		243	return 1;
		244	#endif
		245	}
		246
		247	int
		248	ssl_security_tickets(const SSL *ssl)
		249	{
		250	return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL);
		251	}
		252
		253	int
237	ssl_security_version(const SSL *ssl, int version)	254	ssl_security_version(const SSL *ssl, int version)
238	{	255	{
239	return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);	256	return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL);
240	}	257	}
241		258
		259	static int
		260	ssl_security_cipher(const SSL ssl, SSL_CIPHER cipher, int secop)
		261	{
		262	return ssl_security(ssl, secop, cipher->strength_bits, 0, cipher);
		263	}
		264
		265	int
		266	ssl_security_cipher_check(const SSL ssl, SSL_CIPHER cipher)
		267	{
		268	return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK);
		269	}
		270
		271	int
		272	ssl_security_shared_cipher(const SSL ssl, SSL_CIPHER cipher)
		273	{
		274	return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED);
		275	}
		276
		277	int
		278	ssl_security_supported_cipher(const SSL ssl, SSL_CIPHER cipher)
		279	{
		280	return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED);
		281	}
		282
242	int	283	int
243	ssl_ctx_security_dh(const SSL_CTX ctx, DH dh)	284	ssl_ctx_security_dh(const SSL_CTX ctx, DH dh)
244	{	285	{