Plug a "leak" in ssl_security_group()

The way the CBB API is used, CBB_add_u16() and CBB_finish() can't actually
fail here, but if they could, cbb->base would leak. Rewrite this code with
the proper idioms to make it look right.

ok jsing

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@

Provide ssl_security_shared_group()

Refactor ssl_security_supported_group() into a wrapper of a new internal
ssl_security_group() which takes a secop as an argument. This allows
adding ssl_security_shared_group() which will be needed in upcoming
commits.

ok jsing

update copyright years

Disallow MD5 and SHA-1 HMACs depending on the security level

Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and
using a SHA-1 HMAC is disallowed on security levels >= 4. This disables
RC4-MD5 by default.

ok jsing

Use a local bits variable to avoid ugly line break due to nested function
calls.

ok jsing

Unifdef LIBRESSL_HAS_SECURITY_LEVEL and remove some workarounds
that are no longer needed now that libcrypto exposes the necessary
security-bits API.

ok jsing

Use secop instead of op everywhere

Pull setting of is_ee out of the function calls to appease scan-build

Reword a comment

Unwrap a line

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing

Rename uses 'curve' to 'group' and rework tls1 group API.

This reworks various tls1_ curve APIs to indicate success via a boolean
return value and move the output to an out parameter. This makes the
caller code easier and more consistent.

Based on a suggestion by jsing

ok jsing

Check security level for supported groups.

ok jsing

Rename variable from tls_version to version since it could also be
a DTLS version at this point.

Add checks to ensure we do not initiate or negotiate handshakes with
versions below the minimum required by the security level.

input & ok jsing

Remove obj_mac.h include. Requested by jsing

Don't check the signature if a cert is self signed.

ok beck jsing

Add functions that check security level in certs and cert chains.

ok beck jsing

missing blank line

Also check the security level of the 'tmp dh'

ok beck jsing

Check the security of DH key shares

ok beck, looks good to jsing

Add a period to a comment

Pointed out by jsing

Security level >= 3 requires a ciphersuite with PFS

ok beck jsing sthen

Add a secop handler for tmp_dh

This disallows DHE keys weaker than 1024 bits at level 0 to match
OpenSSL behavior.

ok beck jsing sthen

Implement ssl{,_ctx}_security()

ok beck jsing sthen

Implement the default security level callback

And here is where the fun starts. The tentacles will grow everywhere.

ok beck jsing sthen

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@

Provide ssl_security_shared_group()

Refactor ssl_security_supported_group() into a wrapper of a new internal
ssl_security_group() which takes a secop as an argument. This allows
adding ssl_security_shared_group() which will be needed in upcoming
commits.

ok jsing

update copyright years

Disallow MD5 and SHA-1 HMACs depending on the security level

Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and
using a SHA-1 HMAC is disallowed on security levels >= 4. This disables
RC4-MD5 by default.

ok jsing

Use a local bits variable to avoid ugly line break due to nested function
calls.

ok jsing

Unifdef LIBRESSL_HAS_SECURITY_LEVEL and remove some workarounds
that are no longer needed now that libcrypto exposes the necessary
security-bits API.

ok jsing

Use secop instead of op everywhere

Pull setting of is_ee out of the function calls to appease scan-build

Reword a comment

Unwrap a line

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing

Rename uses 'curve' to 'group' and rework tls1 group API.

This reworks various tls1_ curve APIs to indicate success via a boolean
return value and move the output to an out parameter. This makes the
caller code easier and more consistent.

Based on a suggestion by jsing

ok jsing

Check security level for supported groups.

ok jsing

Rename variable from tls_version to version since it could also be
a DTLS version at this point.

Add checks to ensure we do not initiate or negotiate handshakes with
versions below the minimum required by the security level.

input & ok jsing

Remove obj_mac.h include. Requested by jsing

Don't check the signature if a cert is self signed.

ok beck jsing

Add functions that check security level in certs and cert chains.

ok beck jsing

missing blank line

Also check the security level of the 'tmp dh'

ok beck jsing

Check the security of DH key shares

ok beck, looks good to jsing

Add a period to a comment

Pointed out by jsing

Security level >= 3 requires a ciphersuite with PFS

ok beck jsing sthen

Add a secop handler for tmp_dh

This disallows DHE keys weaker than 1024 bits at level 0 to match
OpenSSL behavior.

ok beck jsing sthen

Implement ssl{,_ctx}_security()

ok beck jsing sthen

Implement the default security level callback

And here is where the fun starts. The tentacles will grow everywhere.

ok beck jsing sthen

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@

Provide ssl_security_shared_group()

Refactor ssl_security_supported_group() into a wrapper of a new internal
ssl_security_group() which takes a secop as an argument. This allows
adding ssl_security_shared_group() which will be needed in upcoming
commits.

ok jsing

update copyright years

Disallow MD5 and SHA-1 HMACs depending on the security level

Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and
using a SHA-1 HMAC is disallowed on security levels >= 4. This disables
RC4-MD5 by default.

ok jsing

Use a local bits variable to avoid ugly line break due to nested function
calls.

ok jsing

Unifdef LIBRESSL_HAS_SECURITY_LEVEL and remove some workarounds
that are no longer needed now that libcrypto exposes the necessary
security-bits API.

ok jsing

Use secop instead of op everywhere

Pull setting of is_ee out of the function calls to appease scan-build

Reword a comment

Unwrap a line

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing

Rename uses 'curve' to 'group' and rework tls1 group API.

This reworks various tls1_ curve APIs to indicate success via a boolean
return value and move the output to an out parameter. This makes the
caller code easier and more consistent.

Based on a suggestion by jsing

ok jsing

Check security level for supported groups.

ok jsing

Rename variable from tls_version to version since it could also be
a DTLS version at this point.

Add checks to ensure we do not initiate or negotiate handshakes with
versions below the minimum required by the security level.

input & ok jsing

Remove obj_mac.h include. Requested by jsing

Don't check the signature if a cert is self signed.

ok beck jsing

Add functions that check security level in certs and cert chains.

ok beck jsing

missing blank line

Also check the security level of the 'tmp dh'

ok beck jsing

Check the security of DH key shares

ok beck, looks good to jsing

Add a period to a comment

Pointed out by jsing

Security level >= 3 requires a ciphersuite with PFS

ok beck jsing sthen

Add a secop handler for tmp_dh

This disallows DHE keys weaker than 1024 bits at level 0 to match
OpenSSL behavior.

ok beck jsing sthen

Implement ssl{,_ctx}_security()

ok beck jsing sthen

Implement the default security level callback

And here is where the fun starts. The tentacles will grow everywhere.

ok beck jsing sthen