Prepare to provide SSL_CIPHER_get_handshake_digest()

Needed by newer freeradius. This is a straightforward implementation that essentially duplicates tls13_cipher_hash(). ok jsing
author: tb <> 2024-07-14 15:39:36 +0000
committer: tb <> 2024-07-14 15:39:36 +0000
commit: f3b35d1af02c3bc250276acd62a2434d3b80d349 (patch)
tree: b0f8e29dbb39c011b65adc36293b16c4cd32aed7
parent: 3006ff83f98c4783ee71689e5e63047b95dc7bca (diff)
download: openbsd-f3b35d1af02c3bc250276acd62a2434d3b80d349.tar.gz
openbsd-f3b35d1af02c3bc250276acd62a2434d3b80d349.tar.bz2
openbsd-f3b35d1af02c3bc250276acd62a2434d3b80d349.zip
3 files changed, 23 insertions, 3 deletions
diff --git a/src/lib/libssl/hidden/openssl/ssl.h b/src/lib/libssl/hidden/openssl/ssl.h
index aa946ad25d..cff250ee75 100644
--- a/src/lib/libssl/hidden/openssl/ssl.h
+++ b/src/lib/libssl/hidden/openssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.6 2024/03/02 11:48:55 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.7 2024/07/14 15:39:36 tb Exp $ */
 /*
 * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
 *
@@ -377,5 +377,6 @@ LSSL_USED(SSL_get_peer_quic_transport_params);
 LSSL_USED(SSL_set_quic_use_legacy_codepoint);
 LSSL_USED(ERR_load_SSL_strings);
 LSSL_USED(OPENSSL_init_ssl);
+LSSL_USED(SSL_CIPHER_get_handshake_digest);
 #endif /* _LIBSSL_SSL_H */
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e63312a123..d8846a4851 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.238 2024/07/13 18:33:18 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.239 2024/07/14 15:39:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1125,6 +1125,9 @@ int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
 int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
+#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API)
+const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c);
+#endif
 int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
 int     SSL_get_fd(const SSL *s);
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index a01465d9e0..13790c56be 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.142 2024/05/09 07:55:48 tb Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.143 2024/07/14 15:39:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -524,6 +524,7 @@ ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
        handshake_mac = s->s3->hs.cipher->algorithm2 & SSL_HANDSHAKE_MAC_MASK;
+        /* XXX - can we simplify this now that TLSv1.0 and TLSv1.1 are gone? */
        /* For TLSv1.2 we upgrade the default MD5+SHA1 MAC to SHA256. */
        if (SSL_USE_SHA256_PRF(s) && handshake_mac == SSL_HANDSHAKE_MAC_DEFAULT)
                handshake_mac = SSL_HANDSHAKE_MAC_SHA256;
@@ -1624,6 +1625,21 @@ SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
 }
 LSSL_ALIAS(SSL_CIPHER_get_auth_nid);
+const EVP_MD *
+SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c)
+{
+        switch (c->algorithm2 & SSL_HANDSHAKE_MAC_MASK) {
+        case SSL_HANDSHAKE_MAC_DEFAULT:
+        case SSL_HANDSHAKE_MAC_SHA256:
+                return EVP_sha256();
+        case SSL_HANDSHAKE_MAC_SHA384:
+                return EVP_sha384();
+        default:
+                return NULL;
+        }
+}
+LSSL_ALIAS(SSL_CIPHER_get_handshake_digest);
 int
 SSL_CIPHER_is_aead(const SSL_CIPHER *c)
 {
author	tb <>	2024-07-14 15:39:36 +0000
committer	tb <>	2024-07-14 15:39:36 +0000
commit	f3b35d1af02c3bc250276acd62a2434d3b80d349 (patch)
tree	b0f8e29dbb39c011b65adc36293b16c4cd32aed7
parent	3006ff83f98c4783ee71689e5e63047b95dc7bca (diff)
download	openbsd-f3b35d1af02c3bc250276acd62a2434d3b80d349.tar.gz openbsd-f3b35d1af02c3bc250276acd62a2434d3b80d349.tar.bz2 openbsd-f3b35d1af02c3bc250276acd62a2434d3b80d349.zip