Get the MAC secret size from the TLS cipher, rather than reaching into

libssl internals. While here also take more of the OpenSSL 1.1 API code
paths.

ok tb@

security/wpa_supplicant/Makefile

@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.38 2018/09/04 12:46:21 espie Exp $
+# $OpenBSD: Makefile,v 1.39 2018/10/24 17:16:19 jsing Exp $
 
 COMMENT=	IEEE 802.1X supplicant
 
 DISTNAME=	wpa_supplicant-2.6
-REVISION=	3
+REVISION=	4
 CATEGORIES=	security net
 
 HOMEPAGE=	http://w1.fi/wpa_supplicant/

security/wpa_supplicant/patches/patch-src_crypto_crypto_openssl_c

@@ -1,4 +1,4 @@
-$OpenBSD: patch-src_crypto_crypto_openssl_c,v 1.2 2018/02/19 18:24:21 sthen Exp $
+$OpenBSD: patch-src_crypto_crypto_openssl_c,v 1.3 2018/10/24 17:16:19 jsing Exp $
 
 Compatibility fixes for LibreSSL
 
@@ -15,12 +15,23 @@ Index: src/crypto/crypto_openssl.c
  /* Compatibility wrappers for older versions. */
  
  static HMAC_CTX * HMAC_CTX_new(void)
-@@ -712,7 +713,7 @@ err:
+@@ -79,7 +80,8 @@ static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
+ 
+ static BIGNUM * get_group5_prime(void)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
++    (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+ 	return BN_get_rfc3526_prime_1536(NULL);
+ #elif !defined(OPENSSL_IS_BORINGSSL)
+ 	return get_rfc3526_prime_1536(NULL);
+@@ -712,7 +714,8 @@ err:
  
  void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
  {
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
++    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
  	DH *dh;
  
  	dh = DH_new();

security/wpa_supplicant/patches/patch-src_crypto_tls_openssl_c

@@ -1,4 +1,4 @@
-$OpenBSD: patch-src_crypto_tls_openssl_c,v 1.5 2018/02/19 18:24:21 sthen Exp $
+$OpenBSD: patch-src_crypto_tls_openssl_c,v 1.6 2018/10/24 17:16:19 jsing Exp $
 
 Compatibility fixes for LibreSSL
 
@@ -14,16 +14,17 @@ Index: src/crypto/tls_openssl.c
      !defined(BORINGSSL_API_VERSION)
  /*
   * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL
-@@ -919,7 +919,7 @@ void * tls_init(const struct tls_config *conf)
+@@ -919,7 +919,8 @@ void * tls_init(const struct tls_config *conf)
  		}
  #endif /* OPENSSL_FIPS */
  #endif /* CONFIG_FIPS */
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
++    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
  		SSL_load_error_strings();
  		SSL_library_init();
  #ifndef OPENSSL_NO_SHA256
-@@ -1043,7 +1043,7 @@ void tls_deinit(void *ssl_ctx)
+@@ -1043,7 +1044,7 @@ void tls_deinit(void *ssl_ctx)
  
  	tls_openssl_ref_count--;
  	if (tls_openssl_ref_count == 0) {
@@ -32,7 +33,17 @@ Index: src/crypto/tls_openssl.c
  #ifndef OPENSSL_NO_ENGINE
  		ENGINE_cleanup();
  #endif /* OPENSSL_NO_ENGINE */
-@@ -3976,7 +3976,7 @@ int tls_connection_set_params(void *tls_ctx, struct tl
+@@ -3105,7 +3106,8 @@ int tls_connection_get_random(void *ssl_ctx, struct tl
+ #ifdef OPENSSL_NEED_EAP_FAST_PRF
+ static int openssl_get_keyblock_size(SSL *ssl)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
++    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ 	const EVP_CIPHER *c;
+ 	const EVP_MD *h;
+ 	int md_size;
+@@ -3976,7 +3978,7 @@ int tls_connection_set_params(void *tls_ctx, struct tl
  		engine_id = "pkcs11";
  
  #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
@@ -41,7 +52,18 @@ Index: src/crypto/tls_openssl.c
  	if (params->flags & TLS_CONN_EAP_FAST) {
  		wpa_printf(MSG_DEBUG,
  			   "OpenSSL: Use TLSv1_method() for EAP-FAST");
-@@ -4159,7 +4159,7 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *
+@@ -4146,7 +4148,9 @@ int tls_global_set_params(void *tls_ctx,
+  * commented out unless explicitly needed for EAP-FAST in order to be able to
+  * build this file with unmodified openssl. */
+ 
+-#if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if defined(OPENSSL_IS_BORINGSSL) || \
++    (OPENSSL_VERSION_NUMBER >= 0x10100000L && \
++    (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2080000fL))
+ static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
+ 			   STACK_OF(SSL_CIPHER) *peer_ciphers,
+ 			   const SSL_CIPHER **cipher, void *arg)
+@@ -4159,7 +4163,7 @@ static int tls_sess_sec_cb(SSL *s, void *secret, int *
  	struct tls_connection *conn = arg;
  	int ret;
  
@@ -50,7 +72,7 @@ Index: src/crypto/tls_openssl.c
  	if (conn == NULL || conn->session_ticket_cb == NULL)
  		return 0;
  
-@@ -4254,7 +4254,7 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx
+@@ -4254,7 +4258,7 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx
  
  int tls_get_library_version(char *buf, size_t buf_len)
  {