From aebfe8e72c4fec80cf1f0105449251fddd163376 Mon Sep 17 00:00:00 2001
From: James Mayclin
Date: Fri, 27 Oct 2023 19:14:38 +0000
Subject: [PATCH 1/2] add security level bindings
---
 openssl-sys/src/handwritten/ssl.rs | 14 +++++++++++
 openssl/src/ssl/mod.rs | 40 ++++++++++++++++++++++++++++++
 openssl/src/ssl/test/mod.rs | 14 +++++++++++
 3 files changed, 68 insertions(+)
diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs
index d4f4b619f4..6b9a329ea8 100644
--- a/openssl-sys/src/handwritten/ssl.rs
+++ b/openssl-sys/src/handwritten/ssl.rs
@@ -924,3 +924,17 @@ extern "C" {
 #[cfg(all(ossl111, not(ossl111b)))]
 pub fn SSL_get_num_tickets(s: *mut SSL) -> size_t;
 }
+
+extern "C" {
+ #[cfg(ossl110)]
+ pub fn SSL_CTX_set_security_level(ctx: *mut SSL_CTX, level: c_int);
+
+ #[cfg(ossl110)]
+ pub fn SSL_set_security_level(s: *mut SSL, level: c_int);
+
+ #[cfg(ossl110)]
+ pub fn SSL_CTX_get_security_level(ctx: *const SSL_CTX) -> c_int;
+
+ #[cfg(ossl110)]
+ pub fn SSL_get_security_level(s: *const SSL) -> c_int;
+}
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index bdfbfc14f0..1e19d2a809 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -1718,6 +1718,16 @@ impl SslContextBuilder {
 unsafe { cvt(ffi::SSL_CTX_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) }
 }
 
+ /// Set the context's security level, which controls the allowed parameters
+ /// and algorithms.
+ ///
+ /// Requires OpenSSL 1.1.0 or newer.
+ #[corresponds(SSL_CTX_set_security_level)]
+ #[cfg(ossl110)]
+ pub fn set_security_level(&mut self, level: u32) {
+ unsafe { ffi::SSL_CTX_set_security_level(self.as_ptr(), level as c_int) }
+ }
+
 /// Consumes the builder, returning a new `SslContext`.
 pub fn build(self) -> SslContext {
 self.0
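Review bot: `level as c_int` in `SslContextBuilder::set_security_level` wraps any `level` above `i32::MAX` to a negative value, and OpenSSL's default security callback, as far as I know, treats a level at or below 0 as level 0 where everything is permitted, so an out-of-range argument silently removes the restrictions the caller asked for. Since levels above 5 behave as 5, a saturating conversion fails closed instead: `let level = c_int::try_from(level).unwrap_or(c_int::MAX);` before the `unsafe` call (or clamp to 5 explicitly and document it). The same cast is in `SslRef::set_security_level` in the `@@ -3405` hunk of this patch and is carried unchanged into PATCH 2/2.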
@@ -1921,6 +1931,16 @@ impl SslContextRef {
 pub fn num_tickets(&self) -> usize {
 unsafe { ffi::SSL_CTX_get_num_tickets(self.as_ptr()) }
 }
+
+ /// Get the context's security level, which controls the allowed parameters
+ /// and algorithms.
+ ///
+ /// Requires OpenSSL 1.1.0 or newer.
+ #[corresponds(SSL_CTX_get_security_level)]
+ #[cfg(ossl110)]
+ pub fn security_level(&self) -> u32 {
+ unsafe { ffi::SSL_CTX_get_security_level(self.as_ptr()) as u32 }
+ }
 }
 
 /// Information about the state of a cipher.
@@ -3405,6 +3425,26 @@ impl SslRef {
 pub fn num_tickets(&self) -> usize {
 unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) }
 }
+
+ /// Set the connection's security level, which controls the allowed parameters
+ /// and algorithms.
+ ///
+ /// Requires OpenSSL 1.1.0 or newer.
+ #[corresponds(SSL_set_security_level)]
+ #[cfg(ossl110)]
+ pub fn set_security_level(&mut self, level: u32) {
+ unsafe { ffi::SSL_set_security_level(self.as_ptr(), level as c_int) }
+ }
+
+ /// Get the connection's security level, which controls the allowed parameters
+ /// and algorithms.
+ ///
+ /// Requires OpenSSL 1.1.0 or newer.
+ #[corresponds(SSL_get_security_level)]
+ #[cfg(ossl110)]
+ pub fn security_level(&self) -> u32 {
+ unsafe { ffi::SSL_get_security_level(self.as_ptr()) as u32 }
+ }
 }
 
 /// An SSL stream midway through the handshake process.
diff --git a/openssl/src/ssl/test/mod.rs b/openssl/src/ssl/test/mod.rs
index 6013614118..542656cb04 100644
--- a/openssl/src/ssl/test/mod.rs
+++ b/openssl/src/ssl/test/mod.rs
@@ -1574,3 +1574,17 @@ fn set_num_tickets() {
 let ssl = ssl;
 assert_eq!(5, ssl.num_tickets());
 }
+
+#[test]
+#[cfg(ossl110)]
+fn set_security_level() {
+ let mut ctx = SslContext::builder(SslMethod::tls_server()).unwrap();
+ ctx.set_security_level(3);
+ let ctx = ctx.build();
+ assert_eq!(3, ctx.security_level());
+
+ let mut ssl = Ssl::new(&ctx).unwrap();
+ ssl.set_security_level(4);
+ let ssl = ssl;
+ assert_eq!(4, ssl.security_level());
+}
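Review bot: `SslContextRef::security_level` converts the `c_int` return with `as u32`, so a negative stored level (reachable through the raw FFI, or through the wrapping cast in the setter) is reported as a value near `u32::MAX` even though, to my knowledge, it is enforced as level 0. `u32::try_from(ffi::SSL_CTX_get_security_level(self.as_ptr())).unwrap_or(0)` keeps the reported value consistent with what is enforced, and the `# Panics`-free contract stays the same. `SslRef::security_level` in the `@@ -3405` hunk has the same cast.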
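Review bot: the test `set_security_level` only checks that the number written through the setter comes back from the getter; it does not show that the level is enforced, which is the property callers of this API care about. An assertion that `ssl.security_level()` is 3 right after `Ssl::new(&ctx)`, before the override to 4, would at least pin that a fresh connection inherits the context's level (presumably the OpenSSL behaviour — worth confirming), and a handshake against a key the chosen level rejects would show the setting takes effect rather than merely being stored.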
From d6591bb3cd9e5c36cb807b91c34c70f3103f2729 Mon Sep 17 00:00:00 2001
From: James Mayclin
Date: Sat, 28 Oct 2023 21:00:04 +0000
Subject: [PATCH 2/2] address pr feedback
* add libressl360 cfg statement
* add 0-5 reference to documentation
---
 openssl-sys/src/handwritten/ssl.rs | 8 ++++----
 openssl/src/ssl/mod.rs | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs
index 6b9a329ea8..944a476618 100644
--- a/openssl-sys/src/handwritten/ssl.rs
+++ b/openssl-sys/src/handwritten/ssl.rs
@@ -926,15 +926,15 @@ extern "C" {
 }
 
 extern "C" {
- #[cfg(ossl110)]
+ #[cfg(any(ossl110, libressl360))]
 pub fn SSL_CTX_set_security_level(ctx: *mut SSL_CTX, level: c_int);
 
- #[cfg(ossl110)]
+ #[cfg(any(ossl110, libressl360))]
 pub fn SSL_set_security_level(s: *mut SSL, level: c_int);
 
- #[cfg(ossl110)]
+ #[cfg(any(ossl110, libressl360))]
 pub fn SSL_CTX_get_security_level(ctx: *const SSL_CTX) -> c_int;
 
- #[cfg(ossl110)]
+ #[cfg(any(ossl110, libressl360))]
 pub fn SSL_get_security_level(s: *const SSL) -> c_int;
 }
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index 1e19d2a809..d147c3c343 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -1718,12 +1718,12 @@ impl SslContextBuilder {
 unsafe { cvt(ffi::SSL_CTX_set_num_tickets(self.as_ptr(), num_tickets)).map(|_| ()) }
 }
 
- /// Set the context's security level, which controls the allowed parameters
- /// and algorithms.
+ /// Set the context's security level to a value between 0 and 5, inclusive.
+ /// A security value of 0 allows allows all parameters and algorithms.
 ///
 /// Requires OpenSSL 1.1.0 or newer.
 #[corresponds(SSL_CTX_set_security_level)]
- #[cfg(ossl110)]
+ #[cfg(any(ossl110, libressl360))]
 pub fn set_security_level(&mut self, level: u32) {
 unsafe { ffi::SSL_CTX_set_security_level(self.as_ptr(), level as c_int) }
 }
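Review bot: the cfg gate on the four `extern "C"` declarations widens to `libressl360` here, and the wrappers follow, but the test `set_security_level` added in PATCH 1/2 stays under `#[cfg(ossl110)]` and openssl/src/ssl/test/mod.rs is not in this patch's diffstat, so a LibreSSL build compiles the new bindings without ever calling them. Gate the test the same way: `#[cfg(any(ossl110, libressl360))]`.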
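Review bot: the doc line kept as context in `SslContextBuilder::set_security_level` still says `/// Requires OpenSSL 1.1.0 or newer.` while the cfg two lines below now also admits `libressl360`; the same stale sentence sits in the `@@ -1937`, `@@ -3426` and `@@ -3441` hunks. It should read `/// Requires OpenSSL 1.1.0 or LibreSSL 3.6.0 or newer.` The new second line has a doubled word, `A security value of 0 allows allows all parameters and algorithms.`; `A security level of 0 allows all parameters and algorithms.` also matches the term used in the line above it (same text in `@@ -3426`). Stating what happens to values above 5 — presumably clamped to 5 rather than rejected, since the setter returns nothing — would complete the contract.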
@@ -1937,7 +1937,7 @@ impl SslContextRef {
 ///
 /// Requires OpenSSL 1.1.0 or newer.
 #[corresponds(SSL_CTX_get_security_level)]
- #[cfg(ossl110)]
+ #[cfg(any(ossl110, libressl360))]
 pub fn security_level(&self) -> u32 {
 unsafe { ffi::SSL_CTX_get_security_level(self.as_ptr()) as u32 }
 }
@@ -3426,12 +3426,12 @@ impl SslRef {
 unsafe { ffi::SSL_get_num_tickets(self.as_ptr()) }
 }
 
- /// Set the connection's security level, which controls the allowed parameters
- /// and algorithms.
+ /// Set the context's security level to a value between 0 and 5, inclusive.
+ /// A security value of 0 allows allows all parameters and algorithms.
 ///
 /// Requires OpenSSL 1.1.0 or newer.
 #[corresponds(SSL_set_security_level)]
- #[cfg(ossl110)]
+ #[cfg(any(ossl110, libressl360))]
 pub fn set_security_level(&mut self, level: u32) {
 unsafe { ffi::SSL_set_security_level(self.as_ptr(), level as c_int) }
 }
@@ -3441,7 +3441,7 @@ impl SslRef {
 ///
 /// Requires OpenSSL 1.1.0 or newer.
 #[corresponds(SSL_get_security_level)]
- #[cfg(ossl110)]
+ #[cfg(any(ossl110, libressl360))]
 pub fn security_level(&self) -> u32 {
 unsafe { ffi::SSL_get_security_level(self.as_ptr()) as u32 }
 }
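Review bot: the rewritten first doc line on `SslRef::set_security_level` in the `@@ -3426` hunk now reads `/// Set the context's security level to a value between 0 and 5, inclusive.`, copied from the `SslContextBuilder` method; this method acts on a single connection, and the line it replaces correctly said `connection's`. Restore that: `/// Set the connection's security level to a value between 0 and 5, inclusive.` Without it a reader may assume the call changes the shared context rather than this one `SSL`.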