Add functions to determine authentication, key-exchange, FIPS and AEAD.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
callback, such that updates to the SSL_CTX affect ALPN.
[Todd Short]
+ *) Add SSL_CIPHER queries for authentication and key-exchange.
+ [Todd Short]
+
*) Changes to the DEFAULT cipherlist:
- Prefer (EC)DHE handshakes over plain RSA.
- Prefer AEAD ciphers over legacy ciphers.
* [including the GNU Public Licence.]
*/
-#define NUM_NID 1037
-#define NUM_SN 1030
-#define NUM_LN 1030
+#define NUM_NID 1054
+#define NUM_SN 1047
+#define NUM_LN 1047
#define NUM_OBJ 951
static const unsigned char lvalues[6722]={
{"X25519","X25519",NID_X25519,9,&(lvalues[6703]),0},
{"X448","X448",NID_X448,9,&(lvalues[6712]),0},
{"HKDF","hkdf",NID_hkdf,0,NULL,0},
+{"KxRSA","kx-rsa",NID_kx_rsa,0,NULL,0},
+{"KxECDHE","kx-ecdhe",NID_kx_ecdhe,0,NULL,0},
+{"KxDHE","kx-dhe",NID_kx_dhe,0,NULL,0},
+{"KxECDHE-PSK","kx-ecdhe-psk",NID_kx_ecdhe_psk,0,NULL,0},
+{"KxDHE-PSK","kx-dhe-psk",NID_kx_dhe_psk,0,NULL,0},
+{"KxRSA_PSK","kx-rsa-psk",NID_kx_rsa_psk,0,NULL,0},
+{"KxPSK","kx-psk",NID_kx_psk,0,NULL,0},
+{"KxSRP","kx-srp",NID_kx_srp,0,NULL,0},
+{"KxGOST","kx-gost",NID_kx_gost,0,NULL,0},
+{"AuthRSA","auth-rsa",NID_auth_rsa,0,NULL,0},
+{"AuthECDSA","auth-ecdsa",NID_auth_ecdsa,0,NULL,0},
+{"AuthPSK","auth-psk",NID_auth_psk,0,NULL,0},
+{"AuthDSS","auth-dss",NID_auth_dss,0,NULL,0},
+{"AuthGOST01","auth-gost01",NID_auth_gost01,0,NULL,0},
+{"AuthGOST12","auth-gost12",NID_auth_gost12,0,NULL,0},
+{"AuthSRP","auth-srp",NID_auth_srp,0,NULL,0},
+{"AuthNULL","auth-null",NID_auth_null,0,NULL,0},
};
static const unsigned int sn_objs[NUM_SN]={
960, /* "AES-256-OCB" */
428, /* "AES-256-OFB" */
914, /* "AES-256-XTS" */
+1049, /* "AuthDSS" */
+1047, /* "AuthECDSA" */
+1050, /* "AuthGOST01" */
+1051, /* "AuthGOST12" */
+1053, /* "AuthNULL" */
+1048, /* "AuthPSK" */
+1046, /* "AuthRSA" */
+1052, /* "AuthSRP" */
91, /* "BF-CBC" */
93, /* "BF-CFB" */
92, /* "BF-ECB" */
645, /* "ITU-T" */
646, /* "JOINT-ISO-ITU-T" */
773, /* "KISA" */
+1039, /* "KxDHE" */
+1041, /* "KxDHE-PSK" */
+1038, /* "KxECDHE" */
+1040, /* "KxECDHE-PSK" */
+1045, /* "KxGOST" */
+1043, /* "KxPSK" */
+1037, /* "KxRSA" */
+1042, /* "KxRSA_PSK" */
+1044, /* "KxSRP" */
15, /* "L" */
856, /* "LocalKeySet" */
3, /* "MD2" */
484, /* "associatedDomain" */
485, /* "associatedName" */
501, /* "audio" */
+1049, /* "auth-dss" */
+1047, /* "auth-ecdsa" */
+1050, /* "auth-gost01" */
+1051, /* "auth-gost12" */
+1053, /* "auth-null" */
+1048, /* "auth-psk" */
+1046, /* "auth-rsa" */
+1052, /* "auth-srp" */
882, /* "authorityRevocationList" */
91, /* "bf-cbc" */
93, /* "bf-cfb" */
956, /* "jurisdictionStateOrProvinceName" */
150, /* "keyBag" */
773, /* "kisa" */
+1039, /* "kx-dhe" */
+1041, /* "kx-dhe-psk" */
+1038, /* "kx-ecdhe" */
+1040, /* "kx-ecdhe-psk" */
+1045, /* "kx-gost" */
+1043, /* "kx-psk" */
+1037, /* "kx-rsa" */
+1042, /* "kx-rsa-psk" */
+1044, /* "kx-srp" */
477, /* "lastModifiedBy" */
476, /* "lastModifiedTime" */
157, /* "localKeyID" */
X25519 1034
X448 1035
hkdf 1036
+kx_rsa 1037
+kx_ecdhe 1038
+kx_dhe 1039
+kx_ecdhe_psk 1040
+kx_dhe_psk 1041
+kx_rsa_psk 1042
+kx_psk 1043
+kx_srp 1044
+kx_gost 1045
+auth_rsa 1046
+auth_ecdsa 1047
+auth_psk 1048
+auth_dss 1049
+auth_gost01 1050
+auth_gost12 1051
+auth_srp 1052
+auth_null 1053
+fips_none 1054
+fips_140_2 1055
1 3 6 1 4 1 11591 15 1 : X25519
1 3 6 1 4 1 11591 15 2 : X448
+
+# NIDs for cipher key exchange
+ : KxRSA : kx-rsa
+ : KxECDHE : kx-ecdhe
+ : KxDHE : kx-dhe
+ : KxECDHE-PSK : kx-ecdhe-psk
+ : KxDHE-PSK : kx-dhe-psk
+ : KxRSA_PSK : kx-rsa-psk
+ : KxPSK : kx-psk
+ : KxSRP : kx-srp
+ : KxGOST : kx-gost
+
+# NIDs for cipher authentication
+ : AuthRSA : auth-rsa
+ : AuthECDSA : auth-ecdsa
+ : AuthPSK : auth-psk
+ : AuthDSS : auth-dss
+ : AuthGOST01 : auth-gost01
+ : AuthGOST12 : auth-gost12
+ : AuthSRP : auth-srp
+ : AuthNULL : auth-null
+
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size);
int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
+ int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
+ int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
+ int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
=head1 DESCRIPTION
used by B<c>. If there is no digest (e.g. for AEAD ciphersuites) then
B<NID_undef> is returned.
+SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to the method
+used by B<c>. If there is no key exchange, then B<NID_undef> is returned. Examples (not comprehensive):
+
+ NID_kx_rsa
+ NID_kx_ecdhe
+ NID_kx_dhe
+ NID_kx_psk
+
+SSL_CIPHER_get_auth_nid() returns the authentication NID corresponding to the method
+used by B<c>. If there is no authentication, then B<NID_undef> is returned.
+Examples (not comprehensive):
+
+ NID_auth_rsa
+ NID_auth_ecdsa
+ NID_auth_psk
+
+SSL_CIPHER_is_aead() returns 1 if the cipher B<c> is AEAD (e.g. GCM or
+ChaCha20/Poly1305), and 0 if it is not AEAD.
+
SSL_CIPHER_description() returns a textual description of the cipher used
into the buffer B<buf> of length B<len> provided. If B<buf> is provided, it
must be at least 128 bytes, otherwise a buffer will be allocated using
#define SN_X448 "X448"
#define NID_X448 1035
#define OBJ_X448 1L,3L,6L,1L,4L,1L,11591L,15L,2L
+
+#define SN_kx_rsa "KxRSA"
+#define LN_kx_rsa "kx-rsa"
+#define NID_kx_rsa 1037
+
+#define SN_kx_ecdhe "KxECDHE"
+#define LN_kx_ecdhe "kx-ecdhe"
+#define NID_kx_ecdhe 1038
+
+#define SN_kx_dhe "KxDHE"
+#define LN_kx_dhe "kx-dhe"
+#define NID_kx_dhe 1039
+
+#define SN_kx_ecdhe_psk "KxECDHE-PSK"
+#define LN_kx_ecdhe_psk "kx-ecdhe-psk"
+#define NID_kx_ecdhe_psk 1040
+
+#define SN_kx_dhe_psk "KxDHE-PSK"
+#define LN_kx_dhe_psk "kx-dhe-psk"
+#define NID_kx_dhe_psk 1041
+
+#define SN_kx_rsa_psk "KxRSA_PSK"
+#define LN_kx_rsa_psk "kx-rsa-psk"
+#define NID_kx_rsa_psk 1042
+
+#define SN_kx_psk "KxPSK"
+#define LN_kx_psk "kx-psk"
+#define NID_kx_psk 1043
+
+#define SN_kx_srp "KxSRP"
+#define LN_kx_srp "kx-srp"
+#define NID_kx_srp 1044
+
+#define SN_kx_gost "KxGOST"
+#define LN_kx_gost "kx-gost"
+#define NID_kx_gost 1045
+
+#define SN_auth_rsa "AuthRSA"
+#define LN_auth_rsa "auth-rsa"
+#define NID_auth_rsa 1046
+
+#define SN_auth_ecdsa "AuthECDSA"
+#define LN_auth_ecdsa "auth-ecdsa"
+#define NID_auth_ecdsa 1047
+
+#define SN_auth_psk "AuthPSK"
+#define LN_auth_psk "auth-psk"
+#define NID_auth_psk 1048
+
+#define SN_auth_dss "AuthDSS"
+#define LN_auth_dss "auth-dss"
+#define NID_auth_dss 1049
+
+#define SN_auth_gost01 "AuthGOST01"
+#define LN_auth_gost01 "auth-gost01"
+#define NID_auth_gost01 1050
+
+#define SN_auth_gost12 "AuthGOST12"
+#define LN_auth_gost12 "auth-gost12"
+#define NID_auth_gost12 1051
+
+#define SN_auth_srp "AuthSRP"
+#define LN_auth_srp "auth-srp"
+#define NID_auth_srp 1052
+
+#define SN_auth_null "AuthNULL"
+#define LN_auth_null "auth-null"
+#define NID_auth_null 1053
__owur char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
__owur const char *SSL_CIPHER_get_name(const SSL_CIPHER *c);
__owur uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
+__owur int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
+__owur int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
+__owur int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
__owur int SSL_get_fd(const SSL *s);
__owur int SSL_get_rfd(const SSL *s);
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
};
+static const ssl_cipher_table ssl_cipher_table_kx[] = {
+ { SSL_kRSA, NID_kx_rsa },
+ { SSL_kECDHE, NID_kx_ecdhe },
+ { SSL_kDHE, NID_kx_dhe },
+ { SSL_kECDHEPSK, NID_kx_ecdhe_psk },
+ { SSL_kDHEPSK, NID_kx_dhe_psk },
+ { SSL_kRSAPSK, NID_kx_rsa_psk },
+ { SSL_kPSK, NID_kx_psk },
+ { SSL_kSRP, NID_kx_srp },
+ { SSL_kGOST, NID_kx_gost }
+};
+
+static const ssl_cipher_table ssl_cipher_table_auth[] = {
+ { SSL_aRSA, NID_auth_rsa },
+ { SSL_aECDSA, NID_auth_ecdsa },
+ { SSL_aPSK, NID_auth_psk },
+ { SSL_aDSS, NID_auth_dss },
+ { SSL_aGOST01, NID_auth_gost01 },
+ { SSL_aGOST12, NID_auth_gost12 },
+ { SSL_aSRP, NID_auth_srp },
+ { SSL_aNULL, NID_auth_null }
+};
+
/* Utility function for table lookup */
static int ssl_cipher_info_find(const ssl_cipher_table * table,
size_t table_cnt, uint32_t mask)
{
int i;
if (c == NULL)
- return -1;
+ return NID_undef;
i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);
if (i == -1)
- return -1;
+ return NID_undef;
return ssl_cipher_table_cipher[i].nid;
}
{
int i;
if (c == NULL)
- return -1;
+ return NID_undef;
i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
if (i == -1)
- return -1;
+ return NID_undef;
return ssl_cipher_table_mac[i].nid;
}
+
+int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
+{
+ int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey);
+ if (i == -1)
+ return NID_undef;
+ return ssl_cipher_table_kx[i].nid;
+}
+
+int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
+{
+ int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_auth);
+ if (i == -1)
+ return NID_undef;
+ return ssl_cipher_table_kx[i].nid;
+}
+
+int SSL_CIPHER_is_aead(const SSL_CIPHER *c)
+{
+ return (c->algorithm_mac & SSL_AEAD) ? 1 : 0;
+}
SSL_set_default_read_buffer_len 384 1_1_0 EXIST::FUNCTION:
SSL_CTX_set_default_read_buffer_len 385 1_1_0 EXIST::FUNCTION:
SSL_has_pending 386 1_1_0 EXIST::FUNCTION:
+SSL_CIPHER_get_auth_nid 387 1_1_0 EXIST::FUNCTION:
+SSL_CIPHER_get_kx_nid 388 1_1_0 EXIST::FUNCTION:
+SSL_CIPHER_is_aead 389 1_1_0 EXIST::FUNCTION: