From 39d7e1651e3abfcfbe785dcb785308ca7f506f40 Mon Sep 17 00:00:00 2001 From: tb Date: Sun, 14 Jul 2024 15:39:36 +0000 Subject: [PATCH] Prepare to provide SSL_CIPHER_get_handshake_digest() Needed by newer freeradius. This is a straightforward implementation that essentially duplicates tls13_cipher_hash(). ok jsing --- lib/libssl/hidden/openssl/ssl.h | 3 ++- lib/libssl/ssl.h | 5 ++++- lib/libssl/ssl_ciph.c | 18 +++++++++++++++++- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/lib/libssl/hidden/openssl/ssl.h b/lib/libssl/hidden/openssl/ssl.h index aa946ad25d6..cff250ee755 100644 --- a/lib/libssl/hidden/openssl/ssl.h +++ b/lib/libssl/hidden/openssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.6 2024/03/02 11:48:55 tb Exp $ */ +/* $OpenBSD: ssl.h,v 1.7 2024/07/14 15:39:36 tb Exp $ */ /* * Copyright (c) 2023 Bob Beck * @@ -377,5 +377,6 @@ LSSL_USED(SSL_get_peer_quic_transport_params); LSSL_USED(SSL_set_quic_use_legacy_codepoint); LSSL_USED(ERR_load_SSL_strings); LSSL_USED(OPENSSL_init_ssl); +LSSL_USED(SSL_CIPHER_get_handshake_digest); #endif /* _LIBSSL_SSL_H */ diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index e63312a1230..d8846a48516 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.238 2024/07/13 18:33:18 tb Exp $ */ +/* $OpenBSD: ssl.h,v 1.239 2024/07/14 15:39:36 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1125,6 +1125,9 @@ int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c); int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c); int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c); int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c); +#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API) +const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c); +#endif int SSL_CIPHER_is_aead(const SSL_CIPHER *c); int SSL_get_fd(const SSL *s); diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c index a01465d9e0f..13790c56be1 100644 --- a/lib/libssl/ssl_ciph.c +++ b/lib/libssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.142 2024/05/09 07:55:48 tb Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.143 2024/07/14 15:39:36 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -524,6 +524,7 @@ ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md) handshake_mac = s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK; + /* XXX - can we simplify this now that TLSv1.0 and TLSv1.1 are gone? */ /* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */ if (SSL_USE_SHA256_PRF(s) && handshake_mac == SSL_HANDSHAKE_MAC_DEFAULT) handshake_mac = SSL_HANDSHAKE_MAC_SHA256; @@ -1624,6 +1625,21 @@ SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c) } LSSL_ALIAS(SSL_CIPHER_get_auth_nid); +const EVP_MD * +SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c) +{ + switch (c->algorithm2 & SSL_HANDSHAKE_MAC_MASK) { + case SSL_HANDSHAKE_MAC_DEFAULT: + case SSL_HANDSHAKE_MAC_SHA256: + return EVP_sha256(); + case SSL_HANDSHAKE_MAC_SHA384: + return EVP_sha384(); + default: + return NULL; + } +} +LSSL_ALIAS(SSL_CIPHER_get_handshake_digest); + int SSL_CIPHER_is_aead(const SSL_CIPHER *c) { -- 2.20.1