ssl_seclevel: remove comment pertaining to DSA certs

ok jsing

libssl: rework cert signature security level

This switches to using the X509_get_signature_info() API instead of hand
rolling a part of it. This is slightly tangly since the security level API
is st

libssl: rework cert signature security level

This switches to using the X509_get_signature_info() API instead of hand
rolling a part of it. This is slightly tangly since the security level API
is strange. In particular, some failures are passed to the security level
callback so that applications can override them.

This makes the security level API handle RSA-PSS and EdDSA certificates
correctly and the handshake with such can progress a bit further. Of note,
we check that the certs are actually suitable for use in TLS per RFC 8446
contrary to what OpenSSL does.

ok beck jsing

show more ...

Plug a "leak" in ssl_security_group()

The way the CBB API is used, CBB_add_u16() and CBB_finish() can't actually
fail here, but if they could, cbb->base would leak. Rewrite this code with
the proper

Plug a "leak" in ssl_security_group()

The way the CBB API is used, CBB_add_u16() and CBB_finish() can't actually
fail here, but if they could, cbb->base would leak. Rewrite this code with
the proper idioms to make it look right.

ok jsing

show more ...

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_l

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

show more ...

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

P

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@

show more ...

Provide ssl_security_shared_group()

Refactor ssl_security_supported_group() into a wrapper of a new internal
ssl_security_group() which takes a secop as an argument. This allows
adding ssl_security_

Provide ssl_security_shared_group()

Refactor ssl_security_supported_group() into a wrapper of a new internal
ssl_security_group() which takes a secop as an argument. This allows
adding ssl_security_shared_group() which will be needed in upcoming
commits.

ok jsing

show more ...

update copyright years

Disallow MD5 and SHA-1 HMACs depending on the security level

Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and
using a SHA-1 HMAC is disallowed on security levels >= 4. This disa

Disallow MD5 and SHA-1 HMACs depending on the security level

Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and
using a SHA-1 HMAC is disallowed on security levels >= 4. This disables
RC4-MD5 by default.

ok jsing

show more ...

Use a local bits variable to avoid ugly line break due to nested function
calls.

ok jsing

Unifdef LIBRESSL_HAS_SECURITY_LEVEL and remove some workarounds
that are no longer needed now that libcrypto exposes the necessary
security-bits API.

ok jsing

Use secop instead of op everywhere

Pull setting of is_ee out of the function calls to appease scan-build

Reword a comment

Unwrap a line

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library c

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing

show more ...

Rename uses 'curve' to 'group' and rework tls1 group API.

This reworks various tls1_ curve APIs to indicate success via a boolean
return value and move the output to an out parameter. This makes the

Rename uses 'curve' to 'group' and rework tls1 group API.

This reworks various tls1_ curve APIs to indicate success via a boolean
return value and move the output to an out parameter. This makes the
caller code easier and more consistent.

Based on a suggestion by jsing

ok jsing

show more ...

Check security level for supported groups.

ok jsing

Rename variable from tls_version to version since it could also be
a DTLS version at this point.

Add checks to ensure we do not initiate or negotiate handshakes with
versions below the minimum required by the security level.

input & ok jsing

Remove obj_mac.h include. Requested by jsing

Don't check the signature if a cert is self signed.

ok beck jsing

Add functions that check security level in certs and cert chains.

ok beck jsing

missing blank line

Also check the security level of the 'tmp dh'

ok beck jsing

Check the security of DH key shares

ok beck, looks good to jsing