grpc 1.56.2 → 1.57.0.pre1

data/third_party/boringssl-with-bazel/src/include/openssl/target.h

@@ -0,0 +1,154 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_TARGET_H
+#define OPENSSL_HEADER_TARGET_H
+
+// Preprocessor symbols that define the target platform.
+//
+// This file may be included in C, C++, and assembler and must be compatible
+// with each environment. It is separated out only to share code between
+// <openssl/base.h> and <openssl/asm_base.h>. Prefer to include those headers
+// instead.
+
+#if defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64)
+#define OPENSSL_64_BIT
+#define OPENSSL_X86_64
+#elif defined(__x86) || defined(__i386) || defined(__i386__) || defined(_M_IX86)
+#define OPENSSL_32_BIT
+#define OPENSSL_X86
+#elif defined(__AARCH64EL__) || defined(_M_ARM64)
+#define OPENSSL_64_BIT
+#define OPENSSL_AARCH64
+#elif defined(__ARMEL__) || defined(_M_ARM)
+#define OPENSSL_32_BIT
+#define OPENSSL_ARM
+#elif defined(__MIPSEL__) && !defined(__LP64__)
+#define OPENSSL_32_BIT
+#define OPENSSL_MIPS
+#elif defined(__MIPSEL__) && defined(__LP64__)
+#define OPENSSL_64_BIT
+#define OPENSSL_MIPS64
+#elif defined(__riscv) && __SIZEOF_POINTER__ == 8
+#define OPENSSL_64_BIT
+#define OPENSSL_RISCV64
+#elif defined(__riscv) && __SIZEOF_POINTER__ == 4
+#define OPENSSL_32_BIT
+#elif defined(__pnacl__)
+#define OPENSSL_32_BIT
+#define OPENSSL_PNACL
+#elif defined(__wasm__)
+#define OPENSSL_32_BIT
+#elif defined(__asmjs__)
+#define OPENSSL_32_BIT
+#elif defined(__myriad2__)
+#define OPENSSL_32_BIT
+#else
+// Note BoringSSL only supports standard 32-bit and 64-bit two's-complement,
+// little-endian architectures. Functions will not produce the correct answer
+// on other systems. Run the crypto_test binary, notably
+// crypto/compiler_test.cc, before adding a new architecture.
+#error "Unknown target CPU"
+#endif
+
+#if defined(__APPLE__)
+#define OPENSSL_APPLE
+#endif
+
+#if defined(_WIN32)
+#define OPENSSL_WINDOWS
+#endif
+
+// Trusty isn't Linux but currently defines __linux__. As a workaround, we
+// exclude it here.
+// TODO(b/169780122): Remove this workaround once Trusty no longer defines it.
+#if defined(__linux__) && !defined(__TRUSTY__)
+#define OPENSSL_LINUX
+#endif
+
+#if defined(__Fuchsia__)
+#define OPENSSL_FUCHSIA
+#endif
+
+#if defined(__TRUSTY__)
+#define OPENSSL_TRUSTY
+#define OPENSSL_NO_POSIX_IO
+#define OPENSSL_NO_SOCK
+#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED
+#endif
+
+#if defined(OPENSSL_NANOLIBC)
+#define OPENSSL_NO_POSIX_IO
+#define OPENSSL_NO_SOCK
+#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED
+#endif
+
+#if defined(__ANDROID_API__)
+#define OPENSSL_ANDROID
+#endif
+
+#if defined(__FreeBSD__)
+#define OPENSSL_FREEBSD
+#endif
+
+#if defined(__OpenBSD__)
+#define OPENSSL_OPENBSD
+#endif
+
+// BoringSSL requires platform's locking APIs to make internal global state
+// thread-safe, including the PRNG. On some single-threaded embedded platforms,
+// locking APIs may not exist, so this dependency may be disabled with the
+// following build flag.
+//
+// IMPORTANT: Doing so means the consumer promises the library will never be
+// used in any multi-threaded context. It causes BoringSSL to be globally
+// thread-unsafe. Setting it inappropriately will subtly and unpredictably
+// corrupt memory and leak secret keys.
+//
+// Do not set this flag on any platform where threads are possible. BoringSSL
+// maintainers will not provide support for any consumers that do so. Changes
+// which break such unsupported configurations will not be reverted.
+#if !defined(OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED)
+#define OPENSSL_THREADS
+#endif
+
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) && \
+    !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+#define BORINGSSL_UNSAFE_DETERMINISTIC_MODE
+#endif
+
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define OPENSSL_ASAN
+#endif
+#if __has_feature(thread_sanitizer)
+#define OPENSSL_TSAN
+#endif
+#if __has_feature(memory_sanitizer)
+#define OPENSSL_MSAN
+#define OPENSSL_ASM_INCOMPATIBLE
+#endif
+#if __has_feature(hwaddress_sanitizer)
+#define OPENSSL_HWASAN
+#endif
+#endif
+
+#if defined(OPENSSL_ASM_INCOMPATIBLE)
+#undef OPENSSL_ASM_INCOMPATIBLE
+#if !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+#endif  // OPENSSL_ASM_INCOMPATIBLE
+
+#endif  // OPENSSL_HEADER_TARGET_H

data/third_party/boringssl-with-bazel/src/include/openssl/thread.h

@@ -66,41 +66,13 @@ extern "C" {
 #endif
 
 
-#if !defined(OPENSSL_THREADS)
-typedef struct crypto_mutex_st {
-  char padding;  // Empty structs have different sizes in C and C++.
-} CRYPTO_MUTEX;
-#elif defined(OPENSSL_WINDOWS)
-// CRYPTO_MUTEX can appear in public header files so we really don't want to
-// pull in windows.h. It's statically asserted that this structure is large
-// enough to contain a Windows SRWLOCK by thread_win.c.
-typedef union crypto_mutex_st {
-  void *handle;
-} CRYPTO_MUTEX;
-#elif !defined(__GLIBC__)
-#if defined(OPENSSL_OPENBSD)
-// OpenBSD does not guarantee pthread_rwlock_t in sys/types.h yet.
-#include <pthread.h>
-#endif
-typedef pthread_rwlock_t CRYPTO_MUTEX;
-#else
-// On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't
-// ensure that we'll be able to get it from a public header. It's statically
-// asserted that this structure is large enough to contain a |pthread_rwlock_t|
-// by thread_pthread.c.
-typedef union crypto_mutex_st {
-  double alignment;
-  uint8_t padding[3*sizeof(int) + 5*sizeof(unsigned) + 16 + 8];
-} CRYPTO_MUTEX;
-#endif
-
 // CRYPTO_refcount_t is the type of a reference count.
 //
 // Since some platforms use C11 atomics to access this, it should have the
 // _Atomic qualifier. However, this header is included by C++ programs as well
 // as C code that might not set -std=c11. So, in practice, it's not possible to
 // do that. Instead we statically assert that the size and native alignment of
-// a plain uint32_t and an _Atomic uint32_t are equal in refcount_c11.c.
+// a plain uint32_t and an _Atomic uint32_t are equal in refcount.c.
 typedef uint32_t CRYPTO_refcount_t;
 
 

data/third_party/boringssl-with-bazel/src/include/openssl/x509.h

@@ -1999,7 +1999,7 @@ OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk,
 //
 // WARNING: Unlike most comparison functions, this function returns zero on
 // error, not equality.
-OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t);
+OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, const time_t *t);
 
 // X509_cmp_time_posix compares |s| against |t|. On success, it returns a
 // negative number if |s| <= |t| and a positive number if |s| > |t|. On error,
@@ -2015,12 +2015,12 @@ OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s);
 
 // X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero.
 OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec,
-                                        time_t *t);
+                                        const time_t *t);
 
 // X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If
 // |t| is NULL, it uses the current time instead of |*t|.
 OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day,
-                                           long offset_sec, time_t *t);
+                                           long offset_sec, const time_t *t);
 
 // X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the
 // current time.
@@ -2529,7 +2529,7 @@ OPENSSL_EXPORT X509_TRUST *X509_TRUST_get0(int idx);
 OPENSSL_EXPORT int X509_TRUST_get_by_id(int id);
 OPENSSL_EXPORT int X509_TRUST_add(int id, int flags,
                                   int (*ck)(X509_TRUST *, X509 *, int),
-                                  char *name, int arg1, void *arg2);
+                                  const char *name, int arg1, void *arg2);
 OPENSSL_EXPORT void X509_TRUST_cleanup(void);
 OPENSSL_EXPORT int X509_TRUST_get_flags(const X509_TRUST *xp);
 OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp);

data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h

@@ -906,12 +906,13 @@ OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509);
 
 OPENSSL_EXPORT int X509_PURPOSE_get_count(void);
 OPENSSL_EXPORT X509_PURPOSE *X509_PURPOSE_get0(int idx);
-OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(char *sname);
+OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname);
 OPENSSL_EXPORT int X509_PURPOSE_get_by_id(int id);
 OPENSSL_EXPORT int X509_PURPOSE_add(int id, int trust, int flags,
                                     int (*ck)(const X509_PURPOSE *,
                                               const X509 *, int),
-                                    char *name, char *sname, void *arg);
+                                    const char *name, const char *sname,
+                                    void *arg);
 OPENSSL_EXPORT char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
 OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
 OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);

data/third_party/boringssl-with-bazel/src/ssl/extensions.cc

@@ -206,7 +206,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
 
 static bool is_post_quantum_group(uint16_t id) {
   switch (id) {
-    case SSL_CURVE_X25519_KYBER768_DRAFT00:
+    case SSL_GROUP_X25519_KYBER768_DRAFT00:
       return true;
     default:
       return false;
@@ -307,9 +307,9 @@ bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,
 }
 
 static const uint16_t kDefaultGroups[] = {
-    SSL_CURVE_X25519,
-    SSL_CURVE_SECP256R1,
-    SSL_CURVE_SECP384R1,
+    SSL_GROUP_X25519,
+    SSL_GROUP_SECP256R1,
+    SSL_GROUP_SECP384R1,
 };
 
 Span<const uint16_t> tls1_get_grouplist(const SSL_HANDSHAKE *hs) {
@@ -358,57 +358,6 @@ bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {
   return false;
 }
 
-bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves) {
-  Array<uint16_t> group_ids;
-  if (!group_ids.Init(curves.size())) {
-    return false;
-  }
-
-  for (size_t i = 0; i < curves.size(); i++) {
-    if (!ssl_nid_to_group_id(&group_ids[i], curves[i])) {
-      return false;
-    }
-  }
-
-  *out_group_ids = std::move(group_ids);
-  return true;
-}
-
-bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves) {
-  // Count the number of curves in the list.
-  size_t count = 0;
-  const char *ptr = curves, *col;
-  do {
-    col = strchr(ptr, ':');
-    count++;
-    if (col) {
-      ptr = col + 1;
-    }
-  } while (col);
-
-  Array<uint16_t> group_ids;
-  if (!group_ids.Init(count)) {
-    return false;
-  }
-
-  size_t i = 0;
-  ptr = curves;
-  do {
-    col = strchr(ptr, ':');
-    if (!ssl_name_to_group_id(&group_ids[i++], ptr,
-                              col ? (size_t)(col - ptr) : strlen(ptr))) {
-      return false;
-    }
-    if (col) {
-      ptr = col + 1;
-    }
-  } while (col);
-
-  assert(i == count);
-  *out_group_ids = std::move(group_ids);
-  return true;
-}
-
 bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
   if (is_post_quantum_group(group_id) &&
       ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
@@ -4153,12 +4102,7 @@ bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
     return false;
   }
 
-  UniquePtr<EC_GROUP> p256(EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1));
-  if (!p256) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_P256_SUPPORT);
-    return false;
-  }
-
+  const EC_GROUP *p256 = EC_group_p256();
   UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
   UniquePtr<BIGNUM> x(BN_new()), y(BN_new());
   if (!sig || !x || !y) {
@@ -4174,11 +4118,11 @@ bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
   }
 
   UniquePtr<EC_KEY> key(EC_KEY_new());
-  UniquePtr<EC_POINT> point(EC_POINT_new(p256.get()));
+  UniquePtr<EC_POINT> point(EC_POINT_new(p256));
   if (!key || !point ||
-      !EC_POINT_set_affine_coordinates_GFp(p256.get(), point.get(), x.get(),
-                                           y.get(), nullptr) ||
-      !EC_KEY_set_group(key.get(), p256.get()) ||
+      !EC_POINT_set_affine_coordinates_GFp(p256, point.get(), x.get(), y.get(),
+                                           nullptr) ||
+      !EC_KEY_set_group(key.get(), p256) ||
       !EC_KEY_set_public_key(key.get(), point.get())) {
     return false;
   }

data/third_party/boringssl-with-bazel/src/ssl/handoff.cc

@@ -52,12 +52,12 @@ static bool serialize_features(CBB *out) {
       return false;
     }
   }
-  CBB curves;
-  if (!CBB_add_asn1(out, &curves, CBS_ASN1_OCTETSTRING)) {
+  CBB groups;
+  if (!CBB_add_asn1(out, &groups, CBS_ASN1_OCTETSTRING)) {
     return false;
   }
   for (const NamedGroup& g : NamedGroups()) {
-    if (!CBB_add_u16(&curves, g.group_id)) {
+    if (!CBB_add_u16(&groups, g.group_id)) {
       return false;
     }
   }
@@ -169,46 +169,46 @@ static bool apply_remote_features(SSL *ssl, CBS *in) {
     return false;
   }
 
-  CBS curves;
-  if (!CBS_get_asn1(in, &curves, CBS_ASN1_OCTETSTRING)) {
+  CBS groups;
+  if (!CBS_get_asn1(in, &groups, CBS_ASN1_OCTETSTRING)) {
     return false;
   }
-  Array<uint16_t> supported_curves;
-  if (!supported_curves.Init(CBS_len(&curves) / 2)) {
+  Array<uint16_t> supported_groups;
+  if (!supported_groups.Init(CBS_len(&groups) / 2)) {
     return false;
   }
   size_t idx = 0;
-  while (CBS_len(&curves)) {
-    uint16_t curve;
-    if (!CBS_get_u16(&curves, &curve)) {
+  while (CBS_len(&groups)) {
+    uint16_t group;
+    if (!CBS_get_u16(&groups, &group)) {
       return false;
     }
-    supported_curves[idx++] = curve;
+    supported_groups[idx++] = group;
   }
-  Span<const uint16_t> configured_curves =
+  Span<const uint16_t> configured_groups =
       tls1_get_grouplist(ssl->s3->hs.get());
-  Array<uint16_t> new_configured_curves;
-  if (!new_configured_curves.Init(configured_curves.size())) {
+  Array<uint16_t> new_configured_groups;
+  if (!new_configured_groups.Init(configured_groups.size())) {
     return false;
   }
   idx = 0;
-  for (uint16_t configured_curve : configured_curves) {
+  for (uint16_t configured_group : configured_groups) {
     bool ok = false;
-    for (uint16_t supported_curve : supported_curves) {
-      if (supported_curve == configured_curve) {
+    for (uint16_t supported_group : supported_groups) {
+      if (supported_group == configured_group) {
         ok = true;
         break;
       }
     }
     if (ok) {
-      new_configured_curves[idx++] = configured_curve;
+      new_configured_groups[idx++] = configured_group;
     }
   }
   if (idx == 0) {
     return false;
   }
-  new_configured_curves.Shrink(idx);
-  ssl->config->supported_group_list = std::move(new_configured_curves);
+  new_configured_groups.Shrink(idx);
+  ssl->config->supported_group_list = std::move(new_configured_groups);
 
   CBS alps;
   CBS_init(&alps, nullptr, 0);

data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc

@@ -483,7 +483,7 @@ static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) {
   while (CBS_len(&supported_groups) > 0) {
     uint16_t group;
     if (!CBS_get_u16(&supported_groups, &group) ||
-        group == SSL_CURVE_X25519) {
+        group == SSL_GROUP_X25519) {
       return false;
     }
   }

data/third_party/boringssl-with-bazel/src/ssl/internal.h

@@ -1148,6 +1148,10 @@ bool ssl_nid_to_group_id(uint16_t *out_group_id, int nid);
 // true. Otherwise, it returns false.
 bool ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len);
 
+// ssl_group_id_to_nid returns the NID corresponding to |group_id| or
+// |NID_undef| if unknown.
+int ssl_group_id_to_nid(uint16_t group_id);
+
 
 // Handshake messages.
 
@@ -3353,17 +3357,6 @@ bool tls1_check_group_id(const SSL_HANDSHAKE *ssl, uint16_t group_id);
 // found, it returns false.
 bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id);
 
-// tls1_set_curves converts the array of NIDs in |curves| into a newly allocated
-// array of TLS group IDs. On success, the function returns true and writes the
-// array to |*out_group_ids|. Otherwise, it returns false.
-bool tls1_set_curves(Array<uint16_t> *out_group_ids, Span<const int> curves);
-
-// tls1_set_curves_list converts the string of curves pointed to by |curves|
-// into a newly allocated array of TLS group IDs. On success, the function
-// returns true and writes the array to |*out_group_ids|. Otherwise, it returns
-// false.
-bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves);
-
 // ssl_add_clienthello_tlsext writes ClientHello extensions to |out| for |type|.
 // It returns true on success and false on failure. The |header_len| argument is
 // the length of the ClientHello written so far and is used to compute the

data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc

@@ -540,12 +540,16 @@ static const CIPHER_ALIAS kCipherAliases[] = {
     {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
 
     // symmetric encryption aliases
-    {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
-    {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
-    {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
+    {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0, /*include_deprecated=*/true},
+    {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0,
+     /*include_deprecated=*/false},
+    {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0,
+     /*include_deprecated=*/false},
     {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
-    {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
-    {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
+    {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0,
+     /*include_deprecated=*/false},
+    {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0,
+     /*include_deprecated=*/false},
 
     // MAC aliases
     {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0},
@@ -769,8 +773,8 @@ void SSLCipherPreferenceList::Remove(const SSL_CIPHER *cipher) {
 }
 
 bool ssl_cipher_is_deprecated(const SSL_CIPHER *cipher) {
-  // TODO(crbug.com/boringssl/599): Deprecate 3DES.
-  return cipher->id == TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
+  return cipher->id == TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ||
+         cipher->algorithm_enc == SSL_3DES;
 }
 
 // ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
@@ -1070,8 +1074,6 @@ static bool ssl_cipher_process_rulestr(const char *rule_str,
             // can increase the set of matched ciphers. This is so that an alias
             // like "RSA" will only specifiy AES-based RSA ciphers, but
             // "RSA+3DES" will still specify 3DES.
-            //
-            // TODO(crbug.com/boringssl/599): Deprecate 3DES.
             alias.include_deprecated |= kCipherAliases[j].include_deprecated;
 
             if (alias.min_version != 0 &&
@@ -1368,10 +1370,6 @@ uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *cipher) {
   return static_cast<uint16_t>(cipher->id);
 }
 
-uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher) {
-  return SSL_CIPHER_get_protocol_id(cipher);
-}
-
 int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
   return (cipher->algorithm_mac & SSL_AEAD) != 0;
 }
@@ -1438,17 +1436,25 @@ int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) {
   return NID_undef;
 }
 
-int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) {
+const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *cipher) {
   switch (cipher->algorithm_prf) {
     case SSL_HANDSHAKE_MAC_DEFAULT:
-      return NID_md5_sha1;
+      return EVP_md5_sha1();
     case SSL_HANDSHAKE_MAC_SHA256:
-      return NID_sha256;
+      return EVP_sha256();
     case SSL_HANDSHAKE_MAC_SHA384:
-      return NID_sha384;
+      return EVP_sha384();
   }
   assert(0);
-  return NID_undef;
+  return NULL;
+}
+
+int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) {
+  const EVP_MD *md = SSL_CIPHER_get_handshake_digest(cipher);
+  if (md == NULL) {
+    return NID_undef;
+  }
+  return EVP_MD_nid(md);
 }
 
 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {