author | 2021-02-07 15:26:32 +0000 | |
---|---|---|
committer | 2021-02-07 15:26:32 +0000 | |
commit | 605ba3c6f07d2e102b534645d46bcc9a8e041b52 (patch) | |
tree | abcfc59b82e830f090fa28e5c564d77368809afb /lib/libssl/ssl_clnt.c | |
parent | Correct handshake MAC/PRF for various TLSv1.2 cipher suites. (diff) | |
Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
The mess that is ssl_get_algorithm2() only exists to upgrade the handshake
MAC of a pre-TLSv1.2 cipher suite to SHA256 when used with TLSv1.2. We can
readily do this in ssl_get_handshake_evp_md(), which is far more readable.
ok tb@
Diffstat (limited to 'lib/libssl/ssl_clnt.c')
-rw-r--r-- | lib/libssl/ssl_clnt.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 25164ea012a..0c7bdbc7762 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.77 2021/02/07 15:04:10 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.78 2021/02/07 15:26:32 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2238,7 +2238,8 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) goto err; } - if (ssl_get_algorithm2(s) & SSL_HANDSHAKE_MAC_GOST94) + /* XXX check handshake hash instead. */ + if (S3I(s)->hs.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) nid = NID_id_GostR3411_94; else nid = NID_id_tc26_gost3411_2012_256; |
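Review bot: In the ssl3_send_client_kex_gost() hunk, the new condition dereferences S3I(s)->hs.new_cipher directly, and the visible context shows no check that it is non-NULL; please confirm new_cipher is always set by the time the client key exchange is built, or add a guard. The added XXX comment also leaves the real fix open: nid is still selected from the cipher's algorithm2 flag rather than from the handshake hash actually in use, so the two can drift apart if the flag-to-digest mapping changes. Since the commit message moves that mapping into ssl_get_handshake_evp_md(), deriving nid from the digest it returns would resolve the XXX and keep a single source of truth for the GOST94 versus GOST 2012 decision.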