Browse Source

Added missing signature algorithm reflection functions

SSL_get_signature_nid()      -- local signature algorithm
    SSL_get_signature_type_nid() -- local signature algorithm key type
    SSL_get_peer_tmp_key()       -- Peer key-exchange public key
    SSL_get_tmp_key              -- local key exchange public key

Aliased pre-existing SSL_get_server_tmp_key(), which was formerly
just for clients, to SSL_get_peer_tmp_key().  Changed internal
calls to use the new name.

Reviewed-by: Matt Caswell <matt@openssl.org>
master
Viktor Dukhovni 4 years ago
parent
commit
a51c9f637c
11 changed files with 79 additions and 17 deletions
  1. +2
    -1
      apps/s_cb.c
  2. +9
    -3
      doc/man3/SSL_get_peer_signature_nid.pod
  3. +16
    -6
      doc/man3/SSL_get_peer_tmp_key.pod
  4. +15
    -3
      include/openssl/ssl.h
  5. +1
    -0
      include/openssl/tls1.h
  6. +22
    -2
      ssl/s3_lib.c
  7. +8
    -0
      ssl/t1_lib.c
  8. +1
    -1
      test/handshake_helper.c
  9. +1
    -1
      test/ssltest_old.c
  10. +1
    -0
      util/libssl.num
  11. +3
    -0
      util/private.num

+ 2
- 1
apps/s_cb.c View File

@ -394,7 +394,8 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)
int ssl_print_tmp_key(BIO *out, SSL *s)
{
EVP_PKEY *key;
if (!SSL_get_server_tmp_key(s, &key))
if (!SSL_get_peer_tmp_key(s, &key))
return 1;
BIO_puts(out, "Server Temp Key: ");
switch (EVP_PKEY_id(key)) {


+ 9
- 3
doc/man3/SSL_get_peer_signature_nid.pod View File

@ -2,8 +2,9 @@
=head1 NAME
SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid - get TLS
message signing types
SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid,
SSL_get_signature_nid, SSL_get_signature_type_nid - get TLS message signing
types
=head1 SYNOPSIS
@ -11,6 +12,8 @@ message signing types
int SSL_get_peer_signature_nid(SSL *ssl, int *psig_nid);
int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid);
int SSL_get_signature_nid(SSL *ssl, int *psig_nid);
int SSL_get_signature_type_nid(const SSL *ssl, int *psigtype_nid);
=head1 DESCRIPTION
@ -24,12 +27,15 @@ where it is B<EVP_PKEY_RSA_PSS>. To differentiate between
B<rsa_pss_rsae_*> and B<rsa_pss_pss_*> signatures, it's necessary to check
the type of public key in the peer's certificate.
SSL_get_signature_nid() and SSL_get_signature_type_nid() return the equivalent
information for the local end of the connection.
=head1 RETURN VALUES
These functions return 1 for success and 0 for failure. There are several
possible reasons for failure: the cipher suite has no signature (e.g. it
uses RSA key exchange or is anonymous), the TLS version is below 1.2 or
the functions were called before the peer signed a message.
the functions were called too early, e.g. before the peer signed a message.
=head1 SEE ALSO


doc/man3/SSL_get_server_tmp_key.pod → doc/man3/SSL_get_peer_tmp_key.pod View File


+ 15
- 3
include/openssl/ssl.h View File

@ -1271,7 +1271,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_CTRL_SET_VERIFY_CERT_STORE 106
# define SSL_CTRL_SET_CHAIN_CERT_STORE 107
# define SSL_CTRL_GET_PEER_SIGNATURE_NID 108
# define SSL_CTRL_GET_SERVER_TMP_KEY 109
# define SSL_CTRL_GET_PEER_TMP_KEY 109
# define SSL_CTRL_GET_RAW_CIPHERLIST 110
# define SSL_CTRL_GET_EC_POINT_FORMATS 111
# define SSL_CTRL_GET_CHAIN_CERTS 115
@ -1290,6 +1290,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
# define SSL_CTRL_GET_MIN_PROTO_VERSION 130
# define SSL_CTRL_GET_MAX_PROTO_VERSION 131
# define SSL_CTRL_GET_SIGNATURE_NID 132
# define SSL_CTRL_GET_TMP_KEY 133
# define SSL_CERT_SET_FIRST 1
# define SSL_CERT_SET_NEXT 2
# define SSL_CERT_SET_SERVER 3
@ -1410,10 +1412,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
(char *)(clist))
# define SSL_set1_client_certificate_types(s, clist, clistlen) \
SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)(clist))
# define SSL_get_signature_nid(s, pn) \
SSL_ctrl(s,SSL_CTRL_GET_SIGNATURE_NID,0,pn)
# define SSL_get_peer_signature_nid(s, pn) \
SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
# define SSL_get_server_tmp_key(s, pk) \
SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
# define SSL_get_peer_tmp_key(s, pk) \
SSL_ctrl(s,SSL_CTRL_GET_PEER_TMP_KEY,0,pk)
# define SSL_get_tmp_key(s, pk) \
SSL_ctrl(s,SSL_CTRL_GET_TMP_KEY,0,pk)
# define SSL_get0_raw_cipherlist(s, plst) \
SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst)
# define SSL_get0_ec_point_formats(s, plst) \
@ -1435,6 +1441,12 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_get_max_proto_version(s) \
SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL)
/* Backwards compatibility, original 1.1.0 names */
# define SSL_CTRL_GET_SERVER_TMP_KEY \
SSL_CTRL_GET_PEER_TMP_KEY
# define SSL_get_server_tmp_key(s, pk) \
SSL_get_peer_tmp_key(s, pk)
/*
* The following symbol names are old and obsolete. They are kept
* for compatibility reasons only and should not be used anymore.


+ 1
- 0
include/openssl/tls1.h View File

@ -241,6 +241,7 @@ __owur int SSL_export_keying_material_early(SSL *s, unsigned char *out,
size_t contextlen);
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid);
int SSL_get_signature_type_nid(const SSL *s, int *pnid);
int SSL_get_sigalgs(SSL *s, int idx,
int *psign, int *phash, int *psignandhash,


+ 22
- 2
ssl/s3_lib.c View File

@ -3681,9 +3681,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
*(int *)parg = s->s3->tmp.peer_sigalg->hash;
return 1;
case SSL_CTRL_GET_SERVER_TMP_KEY:
case SSL_CTRL_GET_SIGNATURE_NID:
if (s->s3->tmp.sigalg == NULL)
return 0;
*(int *)parg = s->s3->tmp.sigalg->hash;
return 1;
case SSL_CTRL_GET_PEER_TMP_KEY:
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) {
if (s->session == NULL || s->s3->peer_tmp == NULL) {
return 0;
} else {
EVP_PKEY_up_ref(s->s3->peer_tmp);
@ -3693,6 +3699,20 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#else
return 0;
#endif
case SSL_CTRL_GET_TMP_KEY:
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
if (s->session == NULL || s->s3->tmp.pkey == NULL) {
return 0;
} else {
EVP_PKEY_up_ref(s->s3->tmp.pkey);
*(EVP_PKEY **)parg = s->s3->tmp.pkey;
return 1;
}
#else
return 0;
#endif
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{


+ 8
- 0
ssl/t1_lib.c View File

@ -1122,6 +1122,14 @@ int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
return 1;
}
int SSL_get_signature_type_nid(const SSL *s, int *pnid)
{
if (s->s3->tmp.sigalg == NULL)
return 0;
*pnid = s->s3->tmp.sigalg->sig;
return 1;
}
/*
* Set a mask of disabled algorithms: an algorithm is disabled if it isn't
* supported, doesn't appear in supported signature algorithms, isn't supported


+ 1
- 1
test/handshake_helper.c View File

@ -1673,7 +1673,7 @@ static HANDSHAKE_RESULT *do_handshake_internal(
*serv_sess_out = SSL_SESSION_dup(tmp);
}
if (SSL_get_server_tmp_key(client.ssl, &tmp_key)) {
if (SSL_get_peer_tmp_key(client.ssl, &tmp_key)) {
ret->tmp_key_type = pkey_type(tmp_key);
EVP_PKEY_free(tmp_key);
}


+ 1
- 1
test/ssltest_old.c View File

@ -779,7 +779,7 @@ static void print_details(SSL *c_ssl, const char *prefix)
}
X509_free(cert);
}
if (SSL_get_server_tmp_key(c_ssl, &pkey)) {
if (SSL_get_peer_tmp_key(c_ssl, &pkey)) {
BIO_puts(bio_stdout, ", temp key: ");
print_key_details(bio_stdout, pkey);
EVP_PKEY_free(pkey);


+ 1
- 0
util/libssl.num View File

@ -497,3 +497,4 @@ SSL_get_recv_max_early_data 497 1_1_1 EXIST::FUNCTION:
SSL_CTX_get_recv_max_early_data 498 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_recv_max_early_data 499 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_post_handshake_auth 500 1_1_1 EXIST::FUNCTION:
SSL_get_signature_type_nid 501 1_1_1a EXIST::FUNCTION:

+ 3
- 0
util/private.num View File

@ -400,14 +400,17 @@ SSL_get_max_proto_version define
SSL_get_min_proto_version define
SSL_get_mode define
SSL_get_peer_signature_nid define
SSL_get_peer_tmp_key define
SSL_get_secure_renegotiation_support define
SSL_get_server_tmp_key define
SSL_get_shared_curve define
SSL_get_shared_group define
SSL_get_signature_nid define
SSL_get_time define
SSL_get_timeout define
SSL_get_tlsext_status_ocsp_resp define
SSL_get_tlsext_status_type define
SSL_get_tmp_key define
SSL_in_accept_init define
SSL_in_connect_init define
SSL_library_init define


Loading…
Cancel
Save