提交 45f24725 编写于 作者: V Viktor Dukhovni

Added missing signature algorithm reflection functions

    SSL_get_signature_nid()      -- local signature algorithm
    SSL_get_signature_type_nid() -- local signature algorithm key type
    SSL_get_peer_tmp_key()       -- Peer key-exchange public key
    SSL_get_tmp_key              -- local key exchange public key

Aliased pre-existing SSL_get_server_tmp_key(), which was formerly
just for clients, to SSL_get_peer_tmp_key().  Changed internal
calls to use the new name.
Reviewed-by: NMatt Caswell <matt@openssl.org>
上级 44197e96
...@@ -394,7 +394,8 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) ...@@ -394,7 +394,8 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)
int ssl_print_tmp_key(BIO *out, SSL *s) int ssl_print_tmp_key(BIO *out, SSL *s)
{ {
EVP_PKEY *key; EVP_PKEY *key;
if (!SSL_get_server_tmp_key(s, &key))
if (!SSL_get_peer_tmp_key(s, &key))
return 1; return 1;
BIO_puts(out, "Server Temp Key: "); BIO_puts(out, "Server Temp Key: ");
switch (EVP_PKEY_id(key)) { switch (EVP_PKEY_id(key)) {
......
...@@ -2,8 +2,9 @@ ...@@ -2,8 +2,9 @@
=head1 NAME =head1 NAME
SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid - get TLS SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid,
message signing types SSL_get_signature_nid, SSL_get_signature_type_nid - get TLS message signing
types
=head1 SYNOPSIS =head1 SYNOPSIS
...@@ -11,6 +12,8 @@ message signing types ...@@ -11,6 +12,8 @@ message signing types
int SSL_get_peer_signature_nid(SSL *ssl, int *psig_nid); int SSL_get_peer_signature_nid(SSL *ssl, int *psig_nid);
int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid); int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid);
int SSL_get_signature_nid(SSL *ssl, int *psig_nid);
int SSL_get_signature_type_nid(const SSL *ssl, int *psigtype_nid);
=head1 DESCRIPTION =head1 DESCRIPTION
...@@ -24,12 +27,15 @@ where it is B<EVP_PKEY_RSA_PSS>. To differentiate between ...@@ -24,12 +27,15 @@ where it is B<EVP_PKEY_RSA_PSS>. To differentiate between
B<rsa_pss_rsae_*> and B<rsa_pss_pss_*> signatures, it's necessary to check B<rsa_pss_rsae_*> and B<rsa_pss_pss_*> signatures, it's necessary to check
the type of public key in the peer's certificate. the type of public key in the peer's certificate.
SSL_get_signature_nid() and SSL_get_signature_type_nid() return the equivalent
information for the local end of the connection.
=head1 RETURN VALUES =head1 RETURN VALUES
These functions return 1 for success and 0 for failure. There are several These functions return 1 for success and 0 for failure. There are several
possible reasons for failure: the cipher suite has no signature (e.g. it possible reasons for failure: the cipher suite has no signature (e.g. it
uses RSA key exchange or is anonymous), the TLS version is below 1.2 or uses RSA key exchange or is anonymous), the TLS version is below 1.2 or
the functions were called before the peer signed a message. the functions were called too early, e.g. before the peer signed a message.
=head1 SEE ALSO =head1 SEE ALSO
......
...@@ -2,26 +2,36 @@ ...@@ -2,26 +2,36 @@
=head1 NAME =head1 NAME
SSL_get_server_tmp_key - get information about the server's temporary key used SSL_get_peer_tmp_key, SSL_get_server_tmp_key, SSL_get_tmp_key - get information
during a handshake about temporary keys used during a handshake
=head1 SYNOPSIS =head1 SYNOPSIS
#include <openssl/ssl.h> #include <openssl/ssl.h>
long SSL_get_peer_tmp_key(SSL *ssl, EVP_PKEY **key);
long SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **key); long SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **key);
long SSL_get_tmp_key(SSL *ssl, EVP_PKEY **key);
=head1 DESCRIPTION =head1 DESCRIPTION
SSL_get_server_tmp_key() returns the temporary key provided by the server and SSL_get_peer_tmp_key() returns the temporary key provided by the peer and
used during key exchange. For example, if ECDHE is in use, then this represents used during key exchange. For example, if ECDHE is in use, then this represents
the server's public ECDHE key. On success a pointer to the key is stored in the peer's public ECDHE key. On success a pointer to the key is stored in
B<*key>. It is the caller's responsibility to free this key after use using B<*key>. It is the caller's responsibility to free this key after use using
L<EVP_PKEY_free(3)>. This function may only be called by the client. L<EVP_PKEY_free(3)>.
SSL_get_server_tmp_key() is a backwards compatibility alias for
SSL_get_peer_tmp_key().
Under that name it worked just on the client side of the connection, its
behaviour on the server end is release-dependent.
SSL_get_tmp_key() returns the equivalent information for the local
end of the connection.
=head1 RETURN VALUES =head1 RETURN VALUES
SSL_get_server_tmp_key() returns 1 on success or 0 otherwise. All these functions return 1 on success and 0 otherwise.
=head1 NOTES =head1 NOTES
......
...@@ -1271,7 +1271,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) ...@@ -1271,7 +1271,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_CTRL_SET_VERIFY_CERT_STORE 106 # define SSL_CTRL_SET_VERIFY_CERT_STORE 106
# define SSL_CTRL_SET_CHAIN_CERT_STORE 107 # define SSL_CTRL_SET_CHAIN_CERT_STORE 107
# define SSL_CTRL_GET_PEER_SIGNATURE_NID 108 # define SSL_CTRL_GET_PEER_SIGNATURE_NID 108
# define SSL_CTRL_GET_SERVER_TMP_KEY 109 # define SSL_CTRL_GET_PEER_TMP_KEY 109
# define SSL_CTRL_GET_RAW_CIPHERLIST 110 # define SSL_CTRL_GET_RAW_CIPHERLIST 110
# define SSL_CTRL_GET_EC_POINT_FORMATS 111 # define SSL_CTRL_GET_EC_POINT_FORMATS 111
# define SSL_CTRL_GET_CHAIN_CERTS 115 # define SSL_CTRL_GET_CHAIN_CERTS 115
...@@ -1290,6 +1290,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) ...@@ -1290,6 +1290,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129 # define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
# define SSL_CTRL_GET_MIN_PROTO_VERSION 130 # define SSL_CTRL_GET_MIN_PROTO_VERSION 130
# define SSL_CTRL_GET_MAX_PROTO_VERSION 131 # define SSL_CTRL_GET_MAX_PROTO_VERSION 131
# define SSL_CTRL_GET_SIGNATURE_NID 132
# define SSL_CTRL_GET_TMP_KEY 133
# define SSL_CERT_SET_FIRST 1 # define SSL_CERT_SET_FIRST 1
# define SSL_CERT_SET_NEXT 2 # define SSL_CERT_SET_NEXT 2
# define SSL_CERT_SET_SERVER 3 # define SSL_CERT_SET_SERVER 3
...@@ -1410,10 +1412,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) ...@@ -1410,10 +1412,14 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
(char *)(clist)) (char *)(clist))
# define SSL_set1_client_certificate_types(s, clist, clistlen) \ # define SSL_set1_client_certificate_types(s, clist, clistlen) \
SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)(clist)) SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)(clist))
# define SSL_get_signature_nid(s, pn) \
SSL_ctrl(s,SSL_CTRL_GET_SIGNATURE_NID,0,pn)
# define SSL_get_peer_signature_nid(s, pn) \ # define SSL_get_peer_signature_nid(s, pn) \
SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn) SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
# define SSL_get_server_tmp_key(s, pk) \ # define SSL_get_peer_tmp_key(s, pk) \
SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk) SSL_ctrl(s,SSL_CTRL_GET_PEER_TMP_KEY,0,pk)
# define SSL_get_tmp_key(s, pk) \
SSL_ctrl(s,SSL_CTRL_GET_TMP_KEY,0,pk)
# define SSL_get0_raw_cipherlist(s, plst) \ # define SSL_get0_raw_cipherlist(s, plst) \
SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst) SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst)
# define SSL_get0_ec_point_formats(s, plst) \ # define SSL_get0_ec_point_formats(s, plst) \
...@@ -1435,6 +1441,12 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) ...@@ -1435,6 +1441,12 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_get_max_proto_version(s) \ # define SSL_get_max_proto_version(s) \
SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL) SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL)
/* Backwards compatibility, original 1.1.0 names */
# define SSL_CTRL_GET_SERVER_TMP_KEY \
SSL_CTRL_GET_PEER_TMP_KEY
# define SSL_get_server_tmp_key(s, pk) \
SSL_get_peer_tmp_key(s, pk)
/* /*
* The following symbol names are old and obsolete. They are kept * The following symbol names are old and obsolete. They are kept
* for compatibility reasons only and should not be used anymore. * for compatibility reasons only and should not be used anymore.
......
...@@ -241,6 +241,7 @@ __owur int SSL_export_keying_material_early(SSL *s, unsigned char *out, ...@@ -241,6 +241,7 @@ __owur int SSL_export_keying_material_early(SSL *s, unsigned char *out,
size_t contextlen); size_t contextlen);
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid); int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid);
int SSL_get_signature_type_nid(const SSL *s, int *pnid);
int SSL_get_sigalgs(SSL *s, int idx, int SSL_get_sigalgs(SSL *s, int idx,
int *psign, int *phash, int *psignandhash, int *psign, int *phash, int *psignandhash,
......
...@@ -3681,9 +3681,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ...@@ -3681,9 +3681,15 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
*(int *)parg = s->s3->tmp.peer_sigalg->hash; *(int *)parg = s->s3->tmp.peer_sigalg->hash;
return 1; return 1;
case SSL_CTRL_GET_SERVER_TMP_KEY: case SSL_CTRL_GET_SIGNATURE_NID:
if (s->s3->tmp.sigalg == NULL)
return 0;
*(int *)parg = s->s3->tmp.sigalg->hash;
return 1;
case SSL_CTRL_GET_PEER_TMP_KEY:
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) { if (s->session == NULL || s->s3->peer_tmp == NULL) {
return 0; return 0;
} else { } else {
EVP_PKEY_up_ref(s->s3->peer_tmp); EVP_PKEY_up_ref(s->s3->peer_tmp);
...@@ -3693,6 +3699,20 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ...@@ -3693,6 +3699,20 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#else #else
return 0; return 0;
#endif #endif
case SSL_CTRL_GET_TMP_KEY:
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
if (s->session == NULL || s->s3->tmp.pkey == NULL) {
return 0;
} else {
EVP_PKEY_up_ref(s->s3->tmp.pkey);
*(EVP_PKEY **)parg = s->s3->tmp.pkey;
return 1;
}
#else
return 0;
#endif
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS: case SSL_CTRL_GET_EC_POINT_FORMATS:
{ {
......
...@@ -1122,6 +1122,14 @@ int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid) ...@@ -1122,6 +1122,14 @@ int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid)
return 1; return 1;
} }
int SSL_get_signature_type_nid(const SSL *s, int *pnid)
{
if (s->s3->tmp.sigalg == NULL)
return 0;
*pnid = s->s3->tmp.sigalg->sig;
return 1;
}
/* /*
* Set a mask of disabled algorithms: an algorithm is disabled if it isn't * Set a mask of disabled algorithms: an algorithm is disabled if it isn't
* supported, doesn't appear in supported signature algorithms, isn't supported * supported, doesn't appear in supported signature algorithms, isn't supported
......
...@@ -1673,7 +1673,7 @@ static HANDSHAKE_RESULT *do_handshake_internal( ...@@ -1673,7 +1673,7 @@ static HANDSHAKE_RESULT *do_handshake_internal(
*serv_sess_out = SSL_SESSION_dup(tmp); *serv_sess_out = SSL_SESSION_dup(tmp);
} }
if (SSL_get_server_tmp_key(client.ssl, &tmp_key)) { if (SSL_get_peer_tmp_key(client.ssl, &tmp_key)) {
ret->tmp_key_type = pkey_type(tmp_key); ret->tmp_key_type = pkey_type(tmp_key);
EVP_PKEY_free(tmp_key); EVP_PKEY_free(tmp_key);
} }
......
...@@ -779,7 +779,7 @@ static void print_details(SSL *c_ssl, const char *prefix) ...@@ -779,7 +779,7 @@ static void print_details(SSL *c_ssl, const char *prefix)
} }
X509_free(cert); X509_free(cert);
} }
if (SSL_get_server_tmp_key(c_ssl, &pkey)) { if (SSL_get_peer_tmp_key(c_ssl, &pkey)) {
BIO_puts(bio_stdout, ", temp key: "); BIO_puts(bio_stdout, ", temp key: ");
print_key_details(bio_stdout, pkey); print_key_details(bio_stdout, pkey);
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
......
...@@ -497,3 +497,4 @@ SSL_get_recv_max_early_data 497 1_1_1 EXIST::FUNCTION: ...@@ -497,3 +497,4 @@ SSL_get_recv_max_early_data 497 1_1_1 EXIST::FUNCTION:
SSL_CTX_get_recv_max_early_data 498 1_1_1 EXIST::FUNCTION: SSL_CTX_get_recv_max_early_data 498 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_recv_max_early_data 499 1_1_1 EXIST::FUNCTION: SSL_CTX_set_recv_max_early_data 499 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_post_handshake_auth 500 1_1_1 EXIST::FUNCTION: SSL_CTX_set_post_handshake_auth 500 1_1_1 EXIST::FUNCTION:
SSL_get_signature_type_nid 501 1_1_1a EXIST::FUNCTION:
...@@ -394,14 +394,17 @@ SSL_get_max_proto_version define ...@@ -394,14 +394,17 @@ SSL_get_max_proto_version define
SSL_get_min_proto_version define SSL_get_min_proto_version define
SSL_get_mode define SSL_get_mode define
SSL_get_peer_signature_nid define SSL_get_peer_signature_nid define
SSL_get_peer_tmp_key define
SSL_get_secure_renegotiation_support define SSL_get_secure_renegotiation_support define
SSL_get_server_tmp_key define SSL_get_server_tmp_key define
SSL_get_shared_curve define SSL_get_shared_curve define
SSL_get_shared_group define SSL_get_shared_group define
SSL_get_signature_nid define
SSL_get_time define SSL_get_time define
SSL_get_timeout define SSL_get_timeout define
SSL_get_tlsext_status_ocsp_resp define SSL_get_tlsext_status_ocsp_resp define
SSL_get_tlsext_status_type define SSL_get_tlsext_status_type define
SSL_get_tmp_key define
SSL_in_accept_init define SSL_in_accept_init define
SSL_in_connect_init define SSL_in_connect_init define
SSL_library_init define SSL_library_init define
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册