[EXTERNAL] Re: Need Help for Code Changes to Upgrade from OpenSSL 1.0.2 to 3.0

Matt Caswell matt at openssl.org
Thu Oct 28 09:16:24 UTC 2021



On 28/10/2021 05:50, Paramashivaiah, Sunil wrote:
> ssl->session

SSL_get0_session():

https://www.openssl.org/docs/man3.0/man3/SSL_get_session.html

Although beware: TLSv1.3 changes how sessions are established - they are 
created post-handshake. Read the NOTES section on the man page carefully.

> ssl->ctx

SSL_get_SSL_CTX()

https://www.openssl.org/docs/man3.0/man3/SSL_get_SSL_CTX.html


> ssl->references

This is not exposed.


> ssl->tlsext_ocsp_resp

SSL_set_tlsext_status_ocsp_resp();

https://www.openssl.org/docs/man3.0/man3/SSL_set_tlsext_status_ocsp_resp.html


Matt


>              Please let me know the Openssl 3.0 API's for the same.
> 
> Thanks and Regards,
> Sunil
> 
> -----Original Message-----
> From: Matt Caswell <matt at openssl.org>
> Sent: Monday, October 25, 2021 3:03 PM
> To: Paramashivaiah, Sunil <Sunil.Paramashivaiah at rbbn.com>; openssl-users at openssl.org
> Cc: Kumar Mishra, Sanjeev <Sanjeev.Kumar-Mishra at rbbn.com>
> Subject: Re: [EXTERNAL] Re: Need Help for Code Changes to Upgrade from OpenSSL 1.0.2 to 3.0
> 
> Caveat: I've not tested or compiled the following...but something like this:
> 
> if (EVP_PKEY_is_a(evpKey, "RSA)) {
>       keysz = EVP_PKEY_get_bits(evpKey) / 8;
>       /* some code */
> } else if (EVP_PKEY_is_a(evpKey, "EC")) {
>       char *name;
>       size_t namesize;
> 
>       if (!EVP_PKEY_get_utf8_string_param(pkey,
>                                           OSSL_PKEY_PARAM_GROUP_NAME,
>                                           NULL, 0, &namesize))
>           /* error */;
>       name = OPENSSL_malloc(namesize + 1);
>       if (name == NULL)
>           /* error */
>       if (!EVP_PKEY_get_utf8_string_param(pkey,
>                                           OSSL_PKEY_PARAM_GROUP_NAME,
>                                           name, namesize + 1, 0))
>           /* error */
>       /* This gets you the curve name as a string. If you really need as
>        * an integer you can additionally do the following - but note that
>        * some providers might add curves that libcrypto doesn't know about
>        * so this could fail
>        */
>       ecGrpId = OBJ_txt2nid(name);
>       if (ecGrpId == NID_undef)
>           /* error */;
>       OPENSSL_free(name);
>       /* some code */
> }
> 
> On 25/10/2021 10:21, Paramashivaiah, Sunil wrote:
>> Hi Matt,
>>
>>              Thanks for the reply. I need to replace the below code.
>>
>>             int keysz,ecGrpId;
>>
>>               switch(evpKey->type)
>>               {
>>                   case NID_rsaEncryption:
>>                   {
>>                       if(evpKey->pkey.rsa)
>>                       {
>>                           keysz = BN_num_bits(evpKey->pkey.rsa->n);
>>                                   .
>>                                   .
>>                              /* some code */
>>                       }
>>                       break;
>>                   }
>>                   case NID_X9_62_id_ecPublicKey:
>>                   {
>>                       ecGrpId = EC_GROUP_get_curve_name(evpKey->pkey.ec->group);
>>                           /* some code follows*/
>>
>> Thanks and Regards,
>> Sunil
>>
>> -----Original Message-----
>> From: Matt Caswell <matt at openssl.org>
>> Sent: Monday, October 25, 2021 2:23 PM
>> To: Paramashivaiah, Sunil <Sunil.Paramashivaiah at rbbn.com>;
>> openssl-users at openssl.org
>> Subject: [EXTERNAL] Re: Need Help for Code Changes to Upgrade from
>> OpenSSL 1.0.2 to 3.0
>>
>>
>>
>> On 25/10/2021 05:45, Paramashivaiah, Sunil wrote:
>>> Hi All,
>>>
>>>            I need get APIs for accessing the members of  EVP_PKEY.
>>> Please suggest APIs to get following members of EVP_PKEY
>>>
>>> evpkey->type , evpkey->pkey.rsa , pubKey->pkey.ec->group.
>>
>> EVP_PKEY_get_id() will get you the `evpkey->type` value. But note that in the provider world an external provider could add key types that are unknown to libcrypto. "EVP_PKEY_is_a" is a more future proof way to go.
>>
>> https://clicktime.symantec.com/3TPr6AZe5xYBkrduooQtHHv6H2?u=https%3A%2
>> F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman3%2FEVP_PKEY_is_a.html
>>
>> E.g.
>>
>> if (EVP_PKEY_is_a(pkey, "RSA")) ...;
>> if (EVP_PKEY_is_a(pkey, "EC")) ...;
>>
>>
>> The "evppkey->pkey.rsa" value can be obtained via EVP_PKEY_get0_RSA()
>> but note that this is deprecated. You are encouraged to not use the
>> RSA structure at all in 3.0 (all the functions that take an RSA
>> structure are deprecated). So you should look at what you are trying
>> to do with
>> evpkey->pkey.rsa and refactor things to not need it. Why do you want this?
>>
>> Similar comments apply to "pubkey->pkey.ec". You can get the EC_KEY object using EVP_PKEY_get0_EC_KEY() but this is deprecated. You can get the group from an EC_KEY using EC_KEY_get0_group() - but this is also deprecated. Instead you might consider getting the "group name" for the EC key which will tell you what curve is in use, e.g.
>>
>> EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
>>                                   NULL, 0, &namesize); name = OPENSSL_malloc(namesize + 1); EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
>>                                   name, namesize + 1, 0);
>>
>> https://clicktime.symantec.com/36qEeyKryNCZ32uxNgfFe4p6H2?u=https%3A%2
>> F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman3%2FEVP_PKEY_get_utf8_string_
>> param.html
>>
>> Matt
>>
>>
>>>
>>> Thanks and Regards,
>>>
>>> Sunil
>>>
>>>
>>> Notice: This e-mail together with any attachments may contain
>>> information of Ribbon Communications Inc. and its Affiliates that is
>>> confidential and/or proprietary for the sole use of the intended
>>> recipient. Any review, disclosure, reliance or distribution by others
>>> or forwarding without express permission is strictly prohibited. If
>>> you are not the intended recipient, please notify the sender
>>> immediately and then delete all copies, including any attachments.
>>
>> Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.
>>
> 
> Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.
> 


More information about the openssl-users mailing list