[openssl] master update
Matt Caswell
matt at openssl.org
Tue Aug 6 11:09:15 UTC 2019
The branch master has been updated
via 88f19d86d9fb2d50b5a80b6cad0a6b38dfc2bf12 (commit)
via fb8c6db45f1d55c383da3c8e6f8154e8495c89a7 (commit)
via 84d4b9e31d5fd63408a0a43e02ec0780673362cf (commit)
from bbda79976b5c5095c5e6557311c86c623ba335f1 (commit)
- Log -----------------------------------------------------------------
commit 88f19d86d9fb2d50b5a80b6cad0a6b38dfc2bf12
Author: raja-ashok <rashok.svks at gmail.com>
Date: Mon Jul 8 18:13:24 2019 +0530
Update man page for new API SSL_get_negotiated_group()
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9323)
commit fb8c6db45f1d55c383da3c8e6f8154e8495c89a7
Author: raja-ashok <rashok.svks at gmail.com>
Date: Mon Jul 8 17:46:50 2019 +0530
Test SSL_get_negotiated_group() API
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9323)
commit 84d4b9e31d5fd63408a0a43e02ec0780673362cf
Author: raja-ashok <rashok.svks at gmail.com>
Date: Mon Jul 8 14:50:59 2019 +0530
API to get negotiated key exchange algorithm in TLS1.3
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9323)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/SSL_CTX_set1_curves.pod | 15 ++++++--
include/openssl/ssl.h | 3 ++
ssl/s3_lib.c | 10 +++---
ssl/ssl_locl.h | 1 +
ssl/t1_lib.c | 7 ++++
test/sslapitest.c | 77 ++++++++++++++++++++++++++++++++--------
util/private.num | 1 +
7 files changed, 91 insertions(+), 23 deletions(-)
diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
index bb58a4dbf0..13b1c0e44a 100644
--- a/doc/man3/SSL_CTX_set1_curves.pod
+++ b/doc/man3/SSL_CTX_set1_curves.pod
@@ -4,8 +4,8 @@
SSL_CTX_set1_groups, SSL_CTX_set1_groups_list, SSL_set1_groups,
SSL_set1_groups_list, SSL_get1_groups, SSL_get_shared_group,
-SSL_CTX_set1_curves, SSL_CTX_set1_curves_list, SSL_set1_curves,
-SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve
+SSL_get_negotiated_group, SSL_CTX_set1_curves, SSL_CTX_set1_curves_list,
+SSL_set1_curves, SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve
- EC supported curve functions
=head1 SYNOPSIS
@@ -20,6 +20,7 @@ SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve
int SSL_get1_groups(SSL *ssl, int *groups);
int SSL_get_shared_group(SSL *s, int n);
+ int SSL_get_negotiated_group(SSL *s);
int SSL_CTX_set1_curves(SSL_CTX *ctx, int *clist, int clistlen);
int SSL_CTX_set1_curves_list(SSL_CTX *ctx, char *list);
@@ -68,6 +69,9 @@ most applications will only be interested in the first shared group
so B<n> is normally set to zero. If the value B<n> is out of range,
NID_undef is returned.
+SSL_get_negotiated_group() returns the negotiated group on a TLSv1.3 connection
+for key exchange. This can be called by either client or server.
+
All these functions are implemented as macros.
The curve functions are synonyms for the equivalently named group functions and
@@ -96,6 +100,10 @@ is -1.
When called on a client B<ssl>, SSL_get_shared_group() has no meaning and
returns -1.
+SSL_get_negotiated_group() returns the NID of the negotiated group on a
+TLSv1.3 connection for key exchange. Or it returns NID_undef if no negotiated
+group.
+
=head1 SEE ALSO
L<SSL_CTX_add_extra_chain_cert(3)>
@@ -103,7 +111,8 @@ L<SSL_CTX_add_extra_chain_cert(3)>
=head1 HISTORY
The curve functions were added in OpenSSL 1.0.2. The equivalent group
-functions were added in OpenSSL 1.1.1.
+functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function
+was added in OpenSSL 3.0.0.
=head1 COPYRIGHT
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7219d83420..93f6bbc8f8 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1316,6 +1316,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_CTRL_GET_MAX_PROTO_VERSION 131
# define SSL_CTRL_GET_SIGNATURE_NID 132
# define SSL_CTRL_GET_TMP_KEY 133
+# define SSL_CTRL_GET_NEGOTIATED_GROUP 134
# define SSL_CERT_SET_FIRST 1
# define SSL_CERT_SET_NEXT 2
# define SSL_CERT_SET_SERVER 3
@@ -1415,6 +1416,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
SSL_ctrl(s,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(str))
# define SSL_get_shared_group(s, n) \
SSL_ctrl(s,SSL_CTRL_GET_SHARED_GROUP,n,NULL)
+# define SSL_get_negotiated_group(s) \
+ SSL_ctrl(s,SSL_CTRL_GET_NEGOTIATED_GROUP,0,NULL)
# define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist))
# define SSL_CTX_set1_sigalgs_list(ctx, s) \
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8a22d01325..d23f932ce9 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3617,13 +3617,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
{
uint16_t id = tls1_shared_group(s, larg);
- if (larg != -1) {
- const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id);
-
- return ginf == NULL ? 0 : ginf->nid;
- }
+ if (larg != -1)
+ return tls1_group_id2nid(id);
return id;
}
+ case SSL_CTRL_GET_NEGOTIATED_GROUP:
+ ret = tls1_group_id2nid(s->s3.group_id);
+ break;
#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
case SSL_CTRL_SET_SIGALGS:
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 49c45109a8..b66979b4da 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2530,6 +2530,7 @@ __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
__owur const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id);
+__owur int tls1_group_id2nid(uint16_t group_id);
__owur int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_curves);
__owur uint16_t tls1_shared_group(SSL *s, int nmatch);
__owur int tls1_set_groups(uint16_t **pext, size_t *pextlen,
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 93b14b80a2..24702704db 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -226,6 +226,13 @@ const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
}
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
+int tls1_group_id2nid(uint16_t group_id)
+{
+ const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(group_id);
+
+ return ginf == NULL ? NID_undef : ginf->nid;
+}
+
static uint16_t tls1_nid2group_id(int nid)
{
size_t i;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index aa9452460e..82faac085a 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -3742,10 +3742,20 @@ static int test_ciphersuite_change(void)
/*
* Test TLSv1.3 Key exchange
- * Test 0 = Test ECDHE Key exchange
- * Test 1 = Test ECDHE with TLSv1.2 client and TLSv1.2 server
- * Test 2 = Test FFDHE Key exchange
- * Test 3 = Test FFDHE with TLSv1.2 client and TLSv1.2 server
+ * Test 0 = Test ECDHE Key exchange with TLSv1.3 client and server
+ * Test 1 = Test ECDHE with TLSv1.2 client and server
+ * Test 2 = Test FFDHE Key exchange with TLSv1.3 client and server
+ * Test 3 = Test FFDHE with TLSv1.2 client and server
+ * Test 4 = Test NID_X9_62_prime256v1 with TLSv1.3 client and server
+ * Test 5 = Test NID_secp384r1 with TLSv1.3 client and server
+ * Test 6 = Test NID_secp521r1 with TLSv1.3 client and server
+ * Test 7 = Test NID_X25519 with TLSv1.3 client and server
+ * Test 8 = Test NID_X448 with TLSv1.3 client and server
+ * Test 9 = Test NID_ffdhe2048 with TLSv1.3 client and server
+ * Test 10 = Test NID_ffdhe3072 with TLSv1.3 client and server
+ * Test 11 = Test NID_ffdhe4096 with TLSv1.3 client and server
+ * Test 12 = Test NID_ffdhe6144 with TLSv1.3 client and server
+ * Test 13 = Test NID_ffdhe8192 with TLSv1.3 client and server
*/
static int test_tls13_key_exchange(int idx)
{
@@ -3760,13 +3770,38 @@ static int test_tls13_key_exchange(int idx)
int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
NID_ffdhe6144, NID_ffdhe8192};
#endif
- int *kexch_groups = NULL;
- int kexch_groups_size = 0;
+ int kexch_alg;
+ int *kexch_groups = &kexch_alg;
+ int kexch_groups_size = 1;
int max_version = TLS1_3_VERSION;
int want_err = SSL_ERROR_NONE;
int expected_err_reason = 0;
switch (idx) {
+#ifndef OPENSSL_NO_EC
+ case 1:
+ max_version = TLS1_2_VERSION;
+ /* Fall through */
+ case 0:
+ kexch_groups = ecdhe_kexch_groups;
+ kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
+ break;
+ case 4:
+ kexch_alg = NID_X9_62_prime256v1;
+ break;
+ case 5:
+ kexch_alg = NID_secp384r1;
+ break;
+ case 6:
+ kexch_alg = NID_secp521r1;
+ break;
+ case 7:
+ kexch_alg = NID_X25519;
+ break;
+ case 8:
+ kexch_alg = NID_X448;
+ break;
+#endif
#ifndef OPENSSL_NO_DH
case 3:
max_version = TLS1_2_VERSION;
@@ -3775,14 +3810,20 @@ static int test_tls13_key_exchange(int idx)
kexch_groups = ffdhe_kexch_groups;
kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups);
break;
-#endif
-#ifndef OPENSSL_NO_EC
- case 1:
- max_version = TLS1_2_VERSION;
- /* Fall through */
- case 0:
- kexch_groups = ecdhe_kexch_groups;
- kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups);
+ case 9:
+ kexch_alg = NID_ffdhe2048;
+ break;
+ case 10:
+ kexch_alg = NID_ffdhe3072;
+ break;
+ case 11:
+ kexch_alg = NID_ffdhe4096;
+ break;
+ case 12:
+ kexch_alg = NID_ffdhe6144;
+ break;
+ case 13:
+ kexch_alg = NID_ffdhe8192;
break;
#endif
default:
@@ -3845,6 +3886,12 @@ static int test_tls13_key_exchange(int idx)
if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0),
idx == 3 ? 0 : kexch_groups[0]))
goto end;
+ if (max_version == TLS1_3_VERSION) {
+ if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), kexch_groups[0]))
+ goto end;
+ if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), kexch_groups[0]))
+ goto end;
+ }
testresult = 1;
end:
@@ -6697,7 +6744,7 @@ int setup_tests(void)
#else
ADD_ALL_TESTS(test_tls13_psk, 4);
#endif /* OPENSSL_NO_PSK */
- ADD_ALL_TESTS(test_tls13_key_exchange, 4);
+ ADD_ALL_TESTS(test_tls13_key_exchange, 14);
ADD_ALL_TESTS(test_custom_exts, 5);
ADD_TEST(test_stateless);
ADD_TEST(test_pha_key_update);
diff --git a/util/private.num b/util/private.num
index 82cb72e606..351828268c 100644
--- a/util/private.num
+++ b/util/private.num
@@ -450,6 +450,7 @@ SSL_get_secure_renegotiation_support define
SSL_get_server_tmp_key define
SSL_get_shared_curve define
SSL_get_shared_group define
+SSL_get_negotiated_group define
SSL_get_signature_nid define
SSL_get_time define
SSL_get_timeout define
More information about the openssl-commits
mailing list