diff --git a/apps/s_cb.c b/apps/s_cb.c index 46b3864284619096b14528b999ffd07ee22d17e3..2d4568f40ccbc1eeb8d20fc2b5e15666c7e432cc 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -394,7 +394,8 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) int ssl_print_tmp_key(BIO *out, SSL *s) { EVP_PKEY *key; - if (!SSL_get_server_tmp_key(s, &key)) + + if (!SSL_get_peer_tmp_key(s, &key)) return 1; BIO_puts(out, "Server Temp Key: "); switch (EVP_PKEY_id(key)) { diff --git a/doc/man3/SSL_get_peer_signature_nid.pod b/doc/man3/SSL_get_peer_signature_nid.pod index ce6ab61f5e118ee5af189e609d2ebdfcade9914e..dbca8cffb92022ae602ea4d3ac9606a9c843471e 100644 --- a/doc/man3/SSL_get_peer_signature_nid.pod +++ b/doc/man3/SSL_get_peer_signature_nid.pod @@ -2,8 +2,9 @@ =head1 NAME -SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid - get TLS -message signing types +SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid, +SSL_get_signature_nid, SSL_get_signature_type_nid - get TLS message signing +types =head1 SYNOPSIS @@ -11,6 +12,8 @@ message signing types int SSL_get_peer_signature_nid(SSL *ssl, int *psig_nid); int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid); + int SSL_get_signature_nid(SSL *ssl, int *psig_nid); + int SSL_get_signature_type_nid(const SSL *ssl, int *psigtype_nid); =head1 DESCRIPTION @@ -24,12 +27,15 @@ where it is B. To differentiate between B and B signatures, it's necessary to check the type of public key in the peer's certificate. +SSL_get_signature_nid() and SSL_get_signature_type_nid() return the equivalent +information for the local end of the connection. + =head1 RETURN VALUES These functions return 1 for success and 0 for failure. There are several possible reasons for failure: the cipher suite has no signature (e.g. it uses RSA key exchange or is anonymous), the TLS version is below 1.2 or -the functions were called before the peer signed a message. +the functions were called too early, e.g. before the peer signed a message. =head1 SEE ALSO diff --git a/doc/man3/SSL_get_server_tmp_key.pod b/doc/man3/SSL_get_peer_tmp_key.pod similarity index 50% rename from doc/man3/SSL_get_server_tmp_key.pod rename to doc/man3/SSL_get_peer_tmp_key.pod index fda891b7a837bd63131ae43d325922993466b9d3..23006b3a12916ed68d128c7bd79d76a5ed7415e7 100644 --- a/doc/man3/SSL_get_server_tmp_key.pod +++ b/doc/man3/SSL_get_peer_tmp_key.pod @@ -2,26 +2,36 @@ =head1 NAME -SSL_get_server_tmp_key - get information about the server's temporary key used -during a handshake +SSL_get_peer_tmp_key, SSL_get_server_tmp_key, SSL_get_tmp_key - get information +about temporary keys used during a handshake =head1 SYNOPSIS #include + long SSL_get_peer_tmp_key(SSL *ssl, EVP_PKEY **key); long SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **key); + long SSL_get_tmp_key(SSL *ssl, EVP_PKEY **key); =head1 DESCRIPTION -SSL_get_server_tmp_key() returns the temporary key provided by the server and +SSL_get_peer_tmp_key() returns the temporary key provided by the peer and used during key exchange. For example, if ECDHE is in use, then this represents -the server's public ECDHE key. On success a pointer to the key is stored in +the peer's public ECDHE key. On success a pointer to the key is stored in B<*key>. It is the caller's responsibility to free this key after use using -L. This function may only be called by the client. +L. + +SSL_get_server_tmp_key() is a backwards compatibility alias for +SSL_get_peer_tmp_key(). +Under that name it worked just on the client side of the connection, its +behaviour on the server end is release-dependent. + +SSL_get_tmp_key() returns the equivalent information for the local +end of the connection. =head1 RETURN VALUES -SSL_get_server_tmp_key() returns 1 on success or 0 otherwise. +All these functions return 1 on success and 0 otherwise. =head1 NOTES diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index ffe158388d6ae486c10afd4c95250916a53a5d1c..cceb2d495a5b0c9eed868d58f2b9a9c72dd1c061 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1271,7 +1271,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTRL_SET_VERIFY_CERT_STORE 106 # define SSL_CTRL_SET_CHAIN_CERT_STORE 107 # define SSL_CTRL_GET_PEER_SIGNATURE_NID 108 -# define SSL_CTRL_GET_SERVER_TMP_KEY 109 +# define SSL_CTRL_GET_PEER_TMP_KEY 109 # define SSL_CTRL_GET_RAW_CIPHERLIST 110 # define SSL_CTRL_GET_EC_POINT_FORMATS 111 # define SSL_CTRL_GET_CHAIN_CERTS 115 @@ -1290,6 +1290,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129 # define SSL_CTRL_GET_MIN_PROTO_VERSION 130 # define SSL_CTRL_GET_MAX_PROTO_VERSION 131 +# define SSL_CTRL_GET_SIGNATURE_NID 132 +# define SSL_CTRL_GET_TMP_KEY 133 # define SSL_CERT_SET_FIRST 1 # define SSL_CERT_SET_NEXT 2 # define SSL_CERT_SET_SERVER 3 @@ -1410,10 +1412,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) (char *)(clist)) # define SSL_set1_client_certificate_types(s, clist, clistlen) \ SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)(clist)) +# define SSL_get_signature_nid(s, pn) \ + SSL_ctrl(s,SSL_CTRL_GET_SIGNATURE_NID,0,pn) # define SSL_get_peer_signature_nid(s, pn) \ SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn) -# define SSL_get_server_tmp_key(s, pk) \ - SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk) +# define SSL_get_peer_tmp_key(s, pk) \ + SSL_ctrl(s,SSL_CTRL_GET_PEER_TMP_KEY,0,pk) +# define SSL_get_tmp_key(s, pk) \ + SSL_ctrl(s,SSL_CTRL_GET_TMP_KEY,0,pk) # define SSL_get0_raw_cipherlist(s, plst) \ SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst) # define SSL_get0_ec_point_formats(s, plst) \ @@ -1435,6 +1441,12 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_get_max_proto_version(s) \ SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL) +/* Backwards compatibility, original 1.1.0 names */ +# define SSL_CTRL_GET_SERVER_TMP_KEY \ + SSL_CTRL_GET_PEER_TMP_KEY +# define SSL_get_server_tmp_key(s, pk) \ + SSL_get_peer_tmp_key(s, pk) + /* * The following symbol names are old and obsolete. They are kept * for compatibility reasons only and should not be used anymore. diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 2e46cf80d34205f5939d24dab3a9507e25902164..e13b5dd4bc65b5ef72bf04098f6a0d18c71a5d23 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -241,6 +241,7 @@ __owur int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t contextlen); int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid); +int SSL_get_signature_type_nid(const SSL *s, int *pnid); int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash, int *psignandhash, diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 7713f767b2d309035eb98167c35ba04ba429037a..866ca4dfa9b0672d5fd07e7278e1993fce63a6bc 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3681,9 +3681,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) *(int *)parg = s->s3->tmp.peer_sigalg->hash; return 1; - case SSL_CTRL_GET_SERVER_TMP_KEY: + case SSL_CTRL_GET_SIGNATURE_NID: + if (s->s3->tmp.sigalg == NULL) + return 0; + *(int *)parg = s->s3->tmp.sigalg->hash; + return 1; + + case SSL_CTRL_GET_PEER_TMP_KEY: #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) - if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) { + if (s->session == NULL || s->s3->peer_tmp == NULL) { return 0; } else { EVP_PKEY_up_ref(s->s3->peer_tmp); @@ -3693,6 +3699,20 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #else return 0; #endif + + case SSL_CTRL_GET_TMP_KEY: +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) + if (s->session == NULL || s->s3->tmp.pkey == NULL) { + return 0; + } else { + EVP_PKEY_up_ref(s->s3->tmp.pkey); + *(EVP_PKEY **)parg = s->s3->tmp.pkey; + return 1; + } +#else + return 0; +#endif + #ifndef OPENSSL_NO_EC case SSL_CTRL_GET_EC_POINT_FORMATS: { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ddafa0c623dab82f18e738609f8dd344bd3c8353..fe13a39c38cd2af7d8a787d2587854e34e161699 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1122,6 +1122,14 @@ int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) return 1; } +int SSL_get_signature_type_nid(const SSL *s, int *pnid) +{ + if (s->s3->tmp.sigalg == NULL) + return 0; + *pnid = s->s3->tmp.sigalg->sig; + return 1; +} + /* * Set a mask of disabled algorithms: an algorithm is disabled if it isn't * supported, doesn't appear in supported signature algorithms, isn't supported diff --git a/test/handshake_helper.c b/test/handshake_helper.c index a5b8d8007adb7e5ea0725811d13d00cd84ddd047..40bfd3ec26a4f152017ca0fc1349728fb9fda6ad 100644 --- a/test/handshake_helper.c +++ b/test/handshake_helper.c @@ -1673,7 +1673,7 @@ static HANDSHAKE_RESULT *do_handshake_internal( *serv_sess_out = SSL_SESSION_dup(tmp); } - if (SSL_get_server_tmp_key(client.ssl, &tmp_key)) { + if (SSL_get_peer_tmp_key(client.ssl, &tmp_key)) { ret->tmp_key_type = pkey_type(tmp_key); EVP_PKEY_free(tmp_key); } diff --git a/test/ssltest_old.c b/test/ssltest_old.c index e974f6c15d3800e7852db318eaca68793d4b3ee5..92970776fdda87811caedf61344715775efe5ccf 100644 --- a/test/ssltest_old.c +++ b/test/ssltest_old.c @@ -779,7 +779,7 @@ static void print_details(SSL *c_ssl, const char *prefix) } X509_free(cert); } - if (SSL_get_server_tmp_key(c_ssl, &pkey)) { + if (SSL_get_peer_tmp_key(c_ssl, &pkey)) { BIO_puts(bio_stdout, ", temp key: "); print_key_details(bio_stdout, pkey); EVP_PKEY_free(pkey); diff --git a/util/libssl.num b/util/libssl.num index ccf73411a9f7dcff96f3964c210b3e9856b36ab3..297522c36391f362bd2fed0b49986f2a130e2bd4 100644 --- a/util/libssl.num +++ b/util/libssl.num @@ -497,3 +497,4 @@ SSL_get_recv_max_early_data 497 1_1_1 EXIST::FUNCTION: SSL_CTX_get_recv_max_early_data 498 1_1_1 EXIST::FUNCTION: SSL_CTX_set_recv_max_early_data 499 1_1_1 EXIST::FUNCTION: SSL_CTX_set_post_handshake_auth 500 1_1_1 EXIST::FUNCTION: +SSL_get_signature_type_nid 501 1_1_1a EXIST::FUNCTION: diff --git a/util/private.num b/util/private.num index 27d352acae1cfbc52602f3ab2516b616a26a6f7d..c5f34314f170c0b7eaaf5e4b6973ad0cd52e40f7 100644 --- a/util/private.num +++ b/util/private.num @@ -400,14 +400,17 @@ SSL_get_max_proto_version define SSL_get_min_proto_version define SSL_get_mode define SSL_get_peer_signature_nid define +SSL_get_peer_tmp_key define SSL_get_secure_renegotiation_support define SSL_get_server_tmp_key define SSL_get_shared_curve define SSL_get_shared_group define +SSL_get_signature_nid define SSL_get_time define SSL_get_timeout define SSL_get_tlsext_status_ocsp_resp define SSL_get_tlsext_status_type define +SSL_get_tmp_key define SSL_in_accept_init define SSL_in_connect_init define SSL_library_init define