Google Git
Sign in
boringssl / boringssl.git / 556a973f9b10ea11f1ce7751721f2f7a64e09632^! / . / include / openssl
commit556a973f9b10ea11f1ce7751721f2f7a64e09632[log] [tgz]
authorDavid Benjamin <davidben@google.com>Sat Jun 03 23:32:27 2023 -0400
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>Thu Jun 08 17:16:14 2023 +0000
tree41c79d9f3e34147ba488a61acfd27ec1c0bb78a9
parentcbb96b4ffd29b7fd280b04f59790cf9b060bc7bc [diff]
Add SSL_CIPHER_get_handshake_digest

We added SSL_CIPHER_get_prf_nid to match the other SSL_CIPHER_get_*_nid
functions, but OpenSSL went with returning the EVP_MD instead.
rust-openssl uses this function, and all the callers of
SSL_CIPHER_get_prf_nid then call EVP_get_digestbynid anyway, so this
version is preferable.

Update-Note: This change is backwards-compatible, but we should update
the QUIC code to use this new function when OPENSSL_API_VERSION is
high enough. It has the benefit of not pulling in random other hash
functions like MD4.

Change-Id: Ied66a6f0adbd5d7d86257d9349c40a2830e3c7e8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60606
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>

diff --git a/include/openssl/base.h b/include/openssl/base.h
index aa5c63d..2249aea 100644
--- a/include/openssl/base.h
+++ b/include/openssl/base.h

@@ -197,7 +197,7 @@
 // A consumer may use this symbol in the preprocessor to temporarily build
 // against multiple revisions of BoringSSL at the same time. It is not
 // recommended to do so for longer than is necessary.
-#define BORINGSSL_API_VERSION 22
+#define BORINGSSL_API_VERSION 23
 
 #if defined(BORINGSSL_SHARED_LIBRARY)
 

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 1de31e8..f8f696b 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -1375,10 +1375,15 @@
 // function returns |NID_auth_any|.
 OPENSSL_EXPORT int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher);
 
-// SSL_CIPHER_get_prf_nid retuns the NID for |cipher|'s PRF hash. If |cipher| is
-// a pre-TLS-1.2 cipher, it returns |NID_md5_sha1| but note these ciphers use
+// SSL_CIPHER_get_handshake_digest returns |cipher|'s PRF hash. If |cipher|
+// is a pre-TLS-1.2 cipher, it returns |EVP_md5_sha1| but note these ciphers use
 // SHA-256 in TLS 1.2. Other return values may be treated uniformly in all
 // applicable versions.
+OPENSSL_EXPORT const EVP_MD *SSL_CIPHER_get_handshake_digest(
+    const SSL_CIPHER *cipher);
+
+// SSL_CIPHER_get_prf_nid behaves like |SSL_CIPHER_get_handshake_digest| but
+// returns the NID constant. Use |SSL_CIPHER_get_handshake_digest| instead.
 OPENSSL_EXPORT int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher);
 
 // SSL_CIPHER_get_min_version returns the minimum protocol version required