Get the MAC secret size from the cipher, rather than reaching into libssl internals. This effectively takes the OpenSSL 1.1 code path instead of the OpenSSL 1.0 code path, and will allow for further libssl clean up. While here, use some additional OpenSSL 1.1 code paths and make const-related changes.
ok?
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/Makefile,v
retrieving revision 1.38
diff -u -p -u -p -r1.38 Makefile
--- Makefile 4 Sep 2018 12:46:21 -0000 1.38
+++ Makefile 22 Oct 2018 16:31:35 -0000
@@ -3,7 +3,7 @@ COMMENT= IEEE 802.1X supplicant DISTNAME= wpa_supplicant-2.6 -REVISION= 3 +REVISION= 4 CATEGORIES= security net HOMEPAGE= http://w1.fi/wpa_supplicant/
Index: patches/patch-src_crypto_crypto_openssl_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-src_crypto_crypto_openssl_c,v
retrieving revision 1.2
diff -u -p -u -p -r1.2 patch-src_crypto_crypto_openssl_c
--- patches/patch-src_crypto_crypto_openssl_c 19 Feb 2018 18:24:21 -0000 1.2
+++ patches/patch-src_crypto_crypto_openssl_c 22 Oct 2018 16:31:35 -0000
@@ -15,12 +15,23 @@ Index: src/crypto/crypto_openssl.c /* Compatibility wrappers for older versions. */ static HMAC_CTX * HMAC_CTX_new(void) -@@ -712,7 +713,7 @@ err: +@@ -79,7 +80,8 @@ static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) + + static BIGNUM * get_group5_prime(void) + { +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL) + return BN_get_rfc3526_prime_1536(NULL); + #elif !defined(OPENSSL_IS_BORINGSSL) + return get_rfc3526_prime_1536(NULL); +@@ -712,7 +714,8 @@ err: void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) DH *dh; dh = DH_new();
Index: patches/patch-src_crypto_tls_openssl_c
===================================================================
RCS file: /cvs/ports/security/wpa_supplicant/patches/patch-src_crypto_tls_openssl_c,v
retrieving revision 1.5
diff -u -p -u -p -r1.5 patch-src_crypto_tls_openssl_c
--- patches/patch-src_crypto_tls_openssl_c 19 Feb 2018 18:24:21 -0000 1.5
+++ patches/patch-src_crypto_tls_openssl_c 22 Oct 2018 16:31:35 -0000
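Review bot: The new guard in get_group5_prime() does not actually gate on the LibreSSL version: the upstream line it replaces carried `!defined(LIBRESSL_VERSION_NUMBER)` precisely because LibreSSL's OPENSSL_VERSION_NUMBER (0x20000000L) already satisfies `>= 0x10100000L`, so in the new form the first term is always true on LibreSSL and the `(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)` clause never decides anything — every LibreSSL release, including those older than 2.7.0 that the threshold is meant to exclude, takes the BN_get_rfc3526_prime_1536() path. The 1.1 term needs to keep the exclusion so the LibreSSL clause is the one that applies there: `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \` followed by `    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)`. The same applies to the tls_sess_sec_cb() guard in the patch-src_crypto_tls_openssl_c hunk `@@ -41,7 +52,17 @@`, where the `> 0x2080000fL` comparison is likewise never reached; the `<` forms in dh5_init_fixed(), tls_init() and openssl_get_keyblock_size() are fine, because on LibreSSL the first term is false and the LibreSSL clause decides. On a LibreSSL new enough to satisfy the intended threshold the outcome is presumably identical, but the condition should express the threshold it claims to enforce. get_group5_prime()'s body continues beyond the hunk.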
@@ -14,16 +14,17 @@ Index: src/crypto/tls_openssl.c !defined(BORINGSSL_API_VERSION) /* * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL -@@ -919,7 +919,7 @@ void * tls_init(const struct tls_config *conf) +@@ -919,7 +919,8 @@ void * tls_init(const struct tls_config *conf) } #endif /* OPENSSL_FIPS */ #endif /* CONFIG_FIPS */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) SSL_load_error_strings(); SSL_library_init(); #ifndef OPENSSL_NO_SHA256 -@@ -1043,7 +1043,7 @@ void tls_deinit(void *ssl_ctx) +@@ -1043,7 +1044,7 @@ void tls_deinit(void *ssl_ctx) tls_openssl_ref_count--; if (tls_openssl_ref_count == 0) {
@@ -32,7 +33,17 @@ Index: src/crypto/tls_openssl.c #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif /* OPENSSL_NO_ENGINE */ -@@ -3976,7 +3976,7 @@ int tls_connection_set_params(void *tls_ctx, struct tl +@@ -3105,7 +3106,8 @@ int tls_connection_get_random(void *ssl_ctx, struct tl + #ifdef OPENSSL_NEED_EAP_FAST_PRF + static int openssl_get_keyblock_size(SSL *ssl) + { +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) + const EVP_CIPHER *c; + const EVP_MD *h; + int md_size; +@@ -3976,7 +3978,7 @@ int tls_connection_set_params(void *tls_ctx, struct tl engine_id = "pkcs11"; #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
@@ -41,7 +52,17 @@ Index: src/crypto/tls_openssl.c if (params->flags & TLS_CONN_EAP_FAST) { wpa_printf(MSG_DEBUG, "OpenSSL: Use TLSv1_method() for EAP-FAST"); -@@ -4159,7 +4159,7 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int * +@@ -4146,7 +4148,8 @@ int tls_global_set_params(void *tls_ctx, + * commented out unless explicitly needed for EAP-FAST in order to be able to + * build this file with unmodified openssl. */ + +-#if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) ++#if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER > 0x2080000fL) + static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len, + STACK_OF(SSL_CIPHER) *peer_ciphers, + const SSL_CIPHER **cipher, void *arg) +@@ -4159,7 +4162,7 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int * struct tls_connection *conn = arg; int ret;
@@ -50,7 +71,7 @@ Index: src/crypto/tls_openssl.c if (conn == NULL || conn->session_ticket_cb == NULL) return 0; -@@ -4254,7 +4254,7 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx +@@ -4254,7 +4257,7 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx int tls_get_library_version(char *buf, size_t buf_len) {