1 files changed, 72 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e313268216..f58ae40995 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.215 2021/11/01 08:14:36 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.216 2022/06/28 20:29:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1507,6 +1507,77 @@ int SSL_set_session_secret_cb(SSL *s,
 void SSL_set_debug(SSL *s, int debug);
 int SSL_cache_hit(SSL *s);
+#if defined(LIBRESSL_INTERNAL)
+/* What the "other" parameter contains in security callback */
+/* Mask for type */
+#define SSL_SECOP_OTHER_TYPE            0xffff0000
+#define SSL_SECOP_OTHER_NONE            0
+#define SSL_SECOP_OTHER_CIPHER          (1 << 16)
+#define SSL_SECOP_OTHER_CURVE           (2 << 16)
+#define SSL_SECOP_OTHER_DH              (3 << 16)
+#define SSL_SECOP_OTHER_PKEY            (4 << 16)
+#define SSL_SECOP_OTHER_SIGALG          (5 << 16)
+#define SSL_SECOP_OTHER_CERT            (6 << 16)
+/* Indicated operation refers to peer key or certificate */
+#define SSL_SECOP_PEER                  0x1000
+/* Values for "op" parameter in security callback */
+/* Called to filter ciphers */
+/* Ciphers client supports */
+#define SSL_SECOP_CIPHER_SUPPORTED      (1 | SSL_SECOP_OTHER_CIPHER)
+/* Cipher shared by client/server */
+#define SSL_SECOP_CIPHER_SHARED         (2 | SSL_SECOP_OTHER_CIPHER)
+/* Sanity check of cipher server selects */
+#define SSL_SECOP_CIPHER_CHECK          (3 | SSL_SECOP_OTHER_CIPHER)
+/* Curves supported by client */
+#define SSL_SECOP_CURVE_SUPPORTED       (4 | SSL_SECOP_OTHER_CURVE)
+/* Curves shared by client/server */
+#define SSL_SECOP_CURVE_SHARED          (5 | SSL_SECOP_OTHER_CURVE)
+/* Sanity check of curve server selects */
+#define SSL_SECOP_CURVE_CHECK           (6 | SSL_SECOP_OTHER_CURVE)
+/* Temporary DH key */
+/*
+ * XXX: changed in OpenSSL e2b420fdd70 to (7 | SSL_SECOP_OTHER_PKEY)
+ * Needs switching internal use of DH to EVP_PKEY. The code is not reachable
+ * from outside the library as long as we do not expose the callback in the API.
+ */
+#define SSL_SECOP_TMP_DH                (7 | SSL_SECOP_OTHER_DH)
+/* SSL/TLS version */
+#define SSL_SECOP_VERSION               (9 | SSL_SECOP_OTHER_NONE)
+/* Session tickets */
+#define SSL_SECOP_TICKET                (10 | SSL_SECOP_OTHER_NONE)
+/* Supported signature algorithms sent to peer */
+#define SSL_SECOP_SIGALG_SUPPORTED      (11 | SSL_SECOP_OTHER_SIGALG)
+/* Shared signature algorithm */
+#define SSL_SECOP_SIGALG_SHARED         (12 | SSL_SECOP_OTHER_SIGALG)
+/* Sanity check signature algorithm allowed */
+#define SSL_SECOP_SIGALG_CHECK          (13 | SSL_SECOP_OTHER_SIGALG)
+/* Used to get mask of supported public key signature algorithms */
+#define SSL_SECOP_SIGALG_MASK           (14 | SSL_SECOP_OTHER_SIGALG)
+/* Use to see if compression is allowed */
+#define SSL_SECOP_COMPRESSION           (15 | SSL_SECOP_OTHER_NONE)
+/* EE key in certificate */
+#define SSL_SECOP_EE_KEY                (16 | SSL_SECOP_OTHER_CERT)
+/* CA key in certificate */
+#define SSL_SECOP_CA_KEY                (17 | SSL_SECOP_OTHER_CERT)
+/* CA digest algorithm in certificate */
+#define SSL_SECOP_CA_MD                 (18 | SSL_SECOP_OTHER_CERT)
+/* Peer EE key in certificate */
+#define SSL_SECOP_PEER_EE_KEY           (SSL_SECOP_EE_KEY | SSL_SECOP_PEER)
+/* Peer CA key in certificate */
+#define SSL_SECOP_PEER_CA_KEY           (SSL_SECOP_CA_KEY | SSL_SECOP_PEER)
+/* Peer CA digest algorithm in certificate */
+#define SSL_SECOP_PEER_CA_MD            (SSL_SECOP_CA_MD | SSL_SECOP_PEER)
+void SSL_set_security_level(SSL *ssl, int level);
+int SSL_get_security_level(const SSL *ssl);
+void SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
+int SSL_CTX_get_security_level(const SSL_CTX *ctx);
+#endif /* LIBRESSL_INTERNAL */
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.

diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index e313268216..f58ae40995 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl.h,v 1.215 2021/11/01 08:14:36 tb Exp $ */	1	/* $OpenBSD: ssl.h,v 1.216 2022/06/28 20:29:27 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1507,6 +1507,77 @@ int SSL_set_session_secret_cb(SSL *s,
1507	void SSL_set_debug(SSL *s, int debug);	1507	void SSL_set_debug(SSL *s, int debug);
1508	int SSL_cache_hit(SSL *s);	1508	int SSL_cache_hit(SSL *s);
1509		1509
		1510	#if defined(LIBRESSL_INTERNAL)
		1511	/* What the "other" parameter contains in security callback */
		1512	/* Mask for type */
		1513	#define SSL_SECOP_OTHER_TYPE 0xffff0000
		1514	#define SSL_SECOP_OTHER_NONE 0
		1515	#define SSL_SECOP_OTHER_CIPHER (1 << 16)
		1516	#define SSL_SECOP_OTHER_CURVE (2 << 16)
		1517	#define SSL_SECOP_OTHER_DH (3 << 16)
		1518	#define SSL_SECOP_OTHER_PKEY (4 << 16)
		1519	#define SSL_SECOP_OTHER_SIGALG (5 << 16)
		1520	#define SSL_SECOP_OTHER_CERT (6 << 16)
		1521
		1522	/* Indicated operation refers to peer key or certificate */
		1523	#define SSL_SECOP_PEER 0x1000
		1524
		1525	/* Values for "op" parameter in security callback */
		1526
		1527	/* Called to filter ciphers */
		1528	/* Ciphers client supports */
		1529	#define SSL_SECOP_CIPHER_SUPPORTED (1 \| SSL_SECOP_OTHER_CIPHER)
		1530	/* Cipher shared by client/server */
		1531	#define SSL_SECOP_CIPHER_SHARED (2 \| SSL_SECOP_OTHER_CIPHER)
		1532	/* Sanity check of cipher server selects */
		1533	#define SSL_SECOP_CIPHER_CHECK (3 \| SSL_SECOP_OTHER_CIPHER)
		1534	/* Curves supported by client */
		1535	#define SSL_SECOP_CURVE_SUPPORTED (4 \| SSL_SECOP_OTHER_CURVE)
		1536	/* Curves shared by client/server */
		1537	#define SSL_SECOP_CURVE_SHARED (5 \| SSL_SECOP_OTHER_CURVE)
		1538	/* Sanity check of curve server selects */
		1539	#define SSL_SECOP_CURVE_CHECK (6 \| SSL_SECOP_OTHER_CURVE)
		1540	/* Temporary DH key */
		1541	/*
		1542	* XXX: changed in OpenSSL e2b420fdd70 to (7 \| SSL_SECOP_OTHER_PKEY)
		1543	* Needs switching internal use of DH to EVP_PKEY. The code is not reachable
		1544	* from outside the library as long as we do not expose the callback in the API.
		1545	*/
		1546	#define SSL_SECOP_TMP_DH (7 \| SSL_SECOP_OTHER_DH)
		1547	/* SSL/TLS version */
		1548	#define SSL_SECOP_VERSION (9 \| SSL_SECOP_OTHER_NONE)
		1549	/* Session tickets */
		1550	#define SSL_SECOP_TICKET (10 \| SSL_SECOP_OTHER_NONE)
		1551	/* Supported signature algorithms sent to peer */
		1552	#define SSL_SECOP_SIGALG_SUPPORTED (11 \| SSL_SECOP_OTHER_SIGALG)
		1553	/* Shared signature algorithm */
		1554	#define SSL_SECOP_SIGALG_SHARED (12 \| SSL_SECOP_OTHER_SIGALG)
		1555	/* Sanity check signature algorithm allowed */
		1556	#define SSL_SECOP_SIGALG_CHECK (13 \| SSL_SECOP_OTHER_SIGALG)
		1557	/* Used to get mask of supported public key signature algorithms */
		1558	#define SSL_SECOP_SIGALG_MASK (14 \| SSL_SECOP_OTHER_SIGALG)
		1559	/* Use to see if compression is allowed */
		1560	#define SSL_SECOP_COMPRESSION (15 \| SSL_SECOP_OTHER_NONE)
		1561	/* EE key in certificate */
		1562	#define SSL_SECOP_EE_KEY (16 \| SSL_SECOP_OTHER_CERT)
		1563	/* CA key in certificate */
		1564	#define SSL_SECOP_CA_KEY (17 \| SSL_SECOP_OTHER_CERT)
		1565	/* CA digest algorithm in certificate */
		1566	#define SSL_SECOP_CA_MD (18 \| SSL_SECOP_OTHER_CERT)
		1567	/* Peer EE key in certificate */
		1568	#define SSL_SECOP_PEER_EE_KEY (SSL_SECOP_EE_KEY \| SSL_SECOP_PEER)
		1569	/* Peer CA key in certificate */
		1570	#define SSL_SECOP_PEER_CA_KEY (SSL_SECOP_CA_KEY \| SSL_SECOP_PEER)
		1571	/* Peer CA digest algorithm in certificate */
		1572	#define SSL_SECOP_PEER_CA_MD (SSL_SECOP_CA_MD \| SSL_SECOP_PEER)
		1573
		1574	void SSL_set_security_level(SSL *ssl, int level);
		1575	int SSL_get_security_level(const SSL *ssl);
		1576
		1577	void SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
		1578	int SSL_CTX_get_security_level(const SSL_CTX *ctx);
		1579	#endif /* LIBRESSL_INTERNAL */
		1580
1510	/* BEGIN ERROR CODES */	1581	/* BEGIN ERROR CODES */
1511	/* The following lines are auto generated by the script mkerr.pl. Any changes	1582	/* The following lines are auto generated by the script mkerr.pl. Any changes
1512	* made after this point may be overwritten when the script is next run.	1583	* made after this point may be overwritten when the script is next run.