Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl_cert.c | 8 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_seclevel.c | 27 |
3 files changed, 4 insertions, 35 deletions
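--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.102 2022/07/02 19:36:07 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.103 2022/07/07 13:04:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -170,11 +170,7 @@ ssl_cert_new(void)
 }
 ret->key = &(ret->pkeys[SSL_PKEY_RSA]);
 ret->references = 1;
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
 ret->security_cb = ssl_security_default_cb;
-#else
-ret->security_cb = ssl_security_dummy_cb;
-#endif
 ret->security_level = OPENSSL_TLS_SECURITY_LEVEL;
 ret->security_ex_data = NULL;
 return (ret);
@@ -426,9 +422,7 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *certs)
 
 param = X509_STORE_CTX_get0_param(ctx);
 
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
 X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
-#endif
 
 /*
 * Anything non-default in "param" should overwrite anything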
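Review bot: ssl_cert_new now installs ssl_security_default_cb unconditionally, whereas the removed `#else` branch installed ssl_security_dummy_cb (whose removed definition in ssl_seclevel.c simply returned 1), so any build that previously did not define LIBRESSL_HAS_SECURITY_LEVEL moves from accepting every key, cipher and signature to enforcing OPENSSL_TLS_SECURITY_LEVEL by default. The same shift applies in ssl_verify_cert_chain, where `X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));` now always runs before the parameter inheritance described in the comment that follows; the rest of that function lies outside the hunk. A one-line comment above that call would make the coupling explicit for readers who expect chain verification to be independent of the handshake policy: `/* Propagate the connection's security level to the X509 verifier. */`.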
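--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.411 2022/07/02 16:31:04 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.412 2022/07/07 13:04:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1293,8 +1293,6 @@ int ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);
 
 int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
 int bits, int nid, void *other, void *ex_data);
-int ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
-int bits, int nid, void *other, void *ex_data);
 
 int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher);
 int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher);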
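--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_seclevel.c,v 1.20 2022/07/05 16:14:18 tb Exp $ */
+/* $OpenBSD: ssl_seclevel.c,v 1.21 2022/07/07 13:04:39 tb Exp $ */
 /*
 * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 *
@@ -212,14 +212,7 @@ ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits,
 }
 }
 
-int
-ssl_security_dummy_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits,
-int version, void *cipher, void *ex_data)
-{
-return 1;
-}
-
-int
+static int
 ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other)
 {
 return ctx->internal->cert->security_cb(NULL, ctx, secop, bits, nid,
@@ -236,12 +229,8 @@ ssl_security(const SSL *ssl, int secop, int bits, int nid, void *other)
 int
 ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
 return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK,
 EVP_PKEY_security_bits(pkey), 0, NULL);
-#else
-return 1;
-#endif
 }
 
 int
@@ -283,25 +272,16 @@ ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher)
 int
 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
 return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0,
 dh);
-#else
-return 1;
-#endif
 }
 
 int
 ssl_security_dh(const SSL *ssl, DH *dh)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
 return ssl_security(ssl, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh);
-#else
-return 1;
-#endif
 }
 
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
 static int
 ssl_cert_pubkey_security_bits(const X509 *x509)
 {
@@ -377,13 +357,11 @@ ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop)
 
 return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509);
 }
-#endif
 
 int
 ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
 int is_ee, int *out_error)
 {
-#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
 int key_error, operation;
 
 *out_error = 0;
@@ -406,7 +384,6 @@ ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
 return 0;
 }
 
-#endif
 return 1;
 }
 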
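Review bot: ssl_ctx_security, newly `static int` in the second hunk, calls the installed callback with `NULL` as the SSL argument, and with the always-accepting ssl_security_dummy_cb removed every build now reaches whichever callback is configured, so that contract deserves a comment at the definition: `/* Context-level check: the callback is invoked with ssl == NULL and must tolerate it. */`. ssl_security_sigalg_check, ssl_ctx_security_dh and ssl_security_dh lose their `return 1` fallbacks in the same way, so their results now depend entirely on the callback and on EVP_PKEY_security_bits / DH_security_bits; the bodies of ssl_ctx_security and ssl_security_cert continue outside their hunks. If ssl_locl.h still carries a non-static prototype for ssl_ctx_security, the new `static` would clash with that declaration; the header hunk in this commit only drops the dummy callback prototype, so this is worth confirming rather than assuming.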
