From ab032b55834ed837f4093d9fe59190e74d52d250 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Sun, 15 Mar 2020 11:18:30 +0100 Subject: state: add function to get the current hash algorithm This is particularly useful when the application applies key derivation function by itself with the same underlying hash algorithm as the session. Signed-off-by: Daiki Ueno
---
NEWS | 1 + devel/libgnutls-latest-x86_64.abi | 1 + devel/symbols.last | 1 + doc/Makefile.am | 2 ++ doc/manpages/Makefile.am | 1 + lib/includes/gnutls/gnutls.h.in | 1 + lib/libgnutls.map | 1 + lib/state.c | 26 ++++++++++++++++++++++++++ tests/prf.c | 6 ++++++ tests/tls13/prf.c | 6 ++++++ 10 files changed, 46 insertions(+)
diff --git a/NEWS b/NEWS
index 21e95d5a33..2362e8b395 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ gnutls_hkdf_extract: Added
 gnutls_hkdf_expand: Added
 gnutls_pbkdf2: Added
 gnutls_session_set_keylog_function: Added
+gnutls_prf_hash_get: Added
 * Version 3.6.12 (released 2020-02-01)
diff --git a/devel/libgnutls-latest-x86_64.abi b/devel/libgnutls-latest-x86_64.abi
index 78d61778e4..76552ab037 100644
--- a/devel/libgnutls-latest-x86_64.abi
+++ b/devel/libgnutls-latest-x86_64.abi
@@ -48,6 +48,7 @@ +
diff --git a/devel/symbols.last b/devel/symbols.last
index 4654e4f708..70ef6b3f18 100644
--- a/devel/symbols.last
+++ b/devel/symbols.last
@@ -576,6 +576,7 @@ gnutls_pkcs_schema_get_name@GNUTLS_3_4
 gnutls_pkcs_schema_get_oid@GNUTLS_3_4
 gnutls_prf@GNUTLS_3_4
 gnutls_prf_early@GNUTLS_3_6_8
+gnutls_prf_hash_get@GNUTLS_3_6_13
 gnutls_prf_raw@GNUTLS_3_4
 gnutls_prf_rfc5705@GNUTLS_3_4
 gnutls_priority_certificate_type_list2@GNUTLS_3_6_4
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 0d24b33720..dd962d6a78 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -1573,6 +1573,8 @@ FUNCS += functions/gnutls_prf
 FUNCS += functions/gnutls_prf.short
 FUNCS += functions/gnutls_prf_early
 FUNCS += functions/gnutls_prf_early.short
+FUNCS += functions/gnutls_prf_hash_get
+FUNCS += functions/gnutls_prf_hash_get.short
 FUNCS += functions/gnutls_prf_raw
 FUNCS += functions/gnutls_prf_raw.short
 FUNCS += functions/gnutls_prf_rfc5705
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index ca0e279e1c..6d381d8bd0 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -588,6 +588,7 @@ APIMANS += gnutls_pk_list.3
 APIMANS += gnutls_pk_to_sign.3
 APIMANS += gnutls_prf.3
 APIMANS += gnutls_prf_early.3
+APIMANS += gnutls_prf_hash_get.3
 APIMANS += gnutls_prf_raw.3
 APIMANS += gnutls_prf_rfc5705.3
 APIMANS += gnutls_priority_certificate_type_list.3
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 3592d3c071..b0832a9bdd 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1275,6 +1275,7 @@ gnutls_group_t gnutls_group_get(gnutls_session_t session);
 gnutls_cipher_algorithm_t gnutls_cipher_get(gnutls_session_t session);
 gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session);
 gnutls_mac_algorithm_t gnutls_mac_get(gnutls_session_t session);
+gnutls_digest_algorithm_t gnutls_prf_hash_get(const gnutls_session_t session);
 gnutls_certificate_type_t gnutls_certificate_type_get(gnutls_session_t session); gnutls_certificate_type_t
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 234d43e755..3cc321beb8 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1316,6 +1316,7 @@ GNUTLS_3_6_13
 gnutls_hkdf_expand;
 gnutls_pbkdf2;
 gnutls_session_set_keylog_function;
+ gnutls_prf_hash_get;
 } GNUTLS_3_6_12;
 GNUTLS_FIPS140_3_4 {
diff --git a/lib/state.c b/lib/state.c
index 35ebb2a230..d4d5254228 100644
--- a/lib/state.c
+++ b/lib/state.c
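Review bot: In lib/includes/gnutls/gnutls.h.in the new prototype takes `const gnutls_session_t session`, while every neighbouring getter in the hunk takes plain `gnutls_session_t session`. The definition in lib/state.c dereferences the argument with `->`, so the typedef is a pointer and the qualifier makes only the by-value handle const; it does not promise that the session itself is left unmodified, which is how a reader is likely to take it. I would drop the qualifier for consistency, `gnutls_digest_algorithm_t gnutls_prf_hash_get(gnutls_session_t session);`, and change the definition in lib/state.c to match.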
@@ -230,6 +230,32 @@ gnutls_compression_get(gnutls_session_t session)
 return GNUTLS_COMP_NULL;
 }
+/**
+ * gnutls_prf_hash_get:
+ * @session: is a #gnutls_session_t type.
+ *
+ * Get the currently used hash algorithm. In TLS 1.3, the hash
+ * algorithm is used for both the key derivation function and
+ * handshake message authentication code. In TLS 1.2, it matches the
+ * hash algorithm used for PRF.
+ *
+ * Returns: the currently used hash algorithm, a
+ * #gnutls_digest_algorithm_t value.
+ *
+ * Since: 3.6.13
+ **/
+gnutls_digest_algorithm_t
+gnutls_prf_hash_get(const gnutls_session_t session)
+{
+ if (session->security_parameters.prf == NULL)
+ return gnutls_assert_val(GNUTLS_DIG_UNKNOWN);
+
+ if (session->security_parameters.prf->id >= GNUTLS_MAC_AEAD)
+ return gnutls_assert_val(GNUTLS_DIG_UNKNOWN);
+
+ return (gnutls_digest_algorithm_t)session->security_parameters.prf->id;
+}
+
 void reset_binders(gnutls_session_t session)
 {
 _gnutls_free_temp_key_datum(&session->key.binders[0].psk);
diff --git a/tests/prf.c b/tests/prf.c
index c4c7a0dac2..aa4f36af6a 100644
--- a/tests/prf.c
+++ b/tests/prf.c
@@ -323,6 +323,12 @@ static void client(int fd)
 exit(1);
 }
+ ret = gnutls_prf_hash_get(session);
+ if (ret != GNUTLS_DIG_MD5_SHA1) {
+ fprintf(stderr, "negotiated unexpected hash: %s\n", gnutls_digest_get_name(ret));
+ exit(1);
+ }
+
 check_prfs(session);
 gnutls_bye(session, GNUTLS_SHUT_WR);
diff --git a/tests/tls13/prf.c b/tests/tls13/prf.c
index a8a529bcb8..c9c9f80b7b 100644
--- a/tests/tls13/prf.c
+++ b/tests/tls13/prf.c
@@ -234,6 +234,12 @@ static void client(int fd)
 exit(1);
 }
+ ret = gnutls_prf_hash_get(session);
+ if (ret != GNUTLS_DIG_SHA384) {
+ fprintf(stderr, "negotiated unexpected hash: %s\n", gnutls_digest_get_name(ret));
+ exit(1);
+ }
+
 check_prfs(session);
 gnutls_bye(session, GNUTLS_SHUT_WR);
-- cgit v1.2.1
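Review bot: The doc comment on gnutls_prf_hash_get in lib/state.c never says that the function can return GNUTLS_DIG_UNKNOWN, which the body does when `security_parameters.prf` is NULL or when its id is at or above GNUTLS_MAC_AEAD. The commit message expects applications to feed the result into their own key derivation, so a caller has to know to reject that value before treating the result as a usable digest. The text also covers only TLS 1.3 and TLS 1.2, while tests/prf.c in this same commit expects GNUTLS_DIG_MD5_SHA1, a combined value that presumably cannot be used as a single HMAC or HKDF hash. I would change the Returns paragraph to `Returns: the currently used hash algorithm, or %GNUTLS_DIG_UNKNOWN if no PRF has been negotiated yet or it has no digest equivalent.` and add one sentence on the value reported for protocol versions before TLS 1.2.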
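Review bot: In tests/prf.c the failure branch passes `gnutls_digest_get_name(ret)` straight to `%s`, but that call is documented to return NULL for a value it has no name for, and GNUTLS_DIG_UNKNOWN is exactly what gnutls_prf_hash_get returns on its error paths. Passing NULL to `%s` is undefined behaviour, so the diagnostic can fail at the moment the test is about to report the mismatch; the same lines appear in the tests/tls13/prf.c hunk. I would guard the name with `const char *name = gnutls_digest_get_name(ret);` followed by `fprintf(stderr, "negotiated unexpected hash: %s\n", name ? name : "(unknown)");`. `ret` is declared outside the hunk and appears to be the variable already used for return codes, so a separate `gnutls_digest_algorithm_t` local would keep the two meanings apart. client() starts and ends outside both hunks.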