generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add cipher query functions

Browse Source 
Add functions to determine authentication, key-exchange, FIPS and AEAD.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Todd Short
2016-03-05 09:47:46 -05:00
committed by Rich Salz
parent 7b8e12d24e
commit 3ec13237f0
9 changed files with 242 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -8,6 +8,9 @@
callback, such that updates to the SSL_CTX affect ALPN. callback, such that updates to the SSL_CTX affect ALPN.
[Todd Short] [Todd Short]
*) Add SSL_CIPHER queries for authentication and key-exchange.
[Todd Short]
*) Changes to the DEFAULT cipherlist: *) Changes to the DEFAULT cipherlist:
- Prefer (EC)DHE handshakes over plain RSA. - Prefer (EC)DHE handshakes over plain RSA.
- Prefer AEAD ciphers over legacy ciphers. - Prefer AEAD ciphers over legacy ciphers.

57
crypto/objects/obj_dat.h
View File

@@ -60,9 +60,9 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
#define NUM_NID 1037 #define NUM_NID 1054
#define NUM_SN 1030 #define NUM_SN 1047
#define NUM_LN 1030 #define NUM_LN 1047
#define NUM_OBJ 951 #define NUM_OBJ 951
static const unsigned char lvalues[6722]={ static const unsigned char lvalues[6722]={
@@ -2705,6 +2705,23 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
{"X25519","X25519",NID_X25519,9,&(lvalues[6703]),0}, {"X25519","X25519",NID_X25519,9,&(lvalues[6703]),0},
{"X448","X448",NID_X448,9,&(lvalues[6712]),0}, {"X448","X448",NID_X448,9,&(lvalues[6712]),0},
{"HKDF","hkdf",NID_hkdf,0,NULL,0}, {"HKDF","hkdf",NID_hkdf,0,NULL,0},
{"KxRSA","kx-rsa",NID_kx_rsa,0,NULL,0},
{"KxECDHE","kx-ecdhe",NID_kx_ecdhe,0,NULL,0},
{"KxDHE","kx-dhe",NID_kx_dhe,0,NULL,0},
{"KxECDHE-PSK","kx-ecdhe-psk",NID_kx_ecdhe_psk,0,NULL,0},
{"KxDHE-PSK","kx-dhe-psk",NID_kx_dhe_psk,0,NULL,0},
{"KxRSA_PSK","kx-rsa-psk",NID_kx_rsa_psk,0,NULL,0},
{"KxPSK","kx-psk",NID_kx_psk,0,NULL,0},
{"KxSRP","kx-srp",NID_kx_srp,0,NULL,0},
{"KxGOST","kx-gost",NID_kx_gost,0,NULL,0},
{"AuthRSA","auth-rsa",NID_auth_rsa,0,NULL,0},
{"AuthECDSA","auth-ecdsa",NID_auth_ecdsa,0,NULL,0},
{"AuthPSK","auth-psk",NID_auth_psk,0,NULL,0},
{"AuthDSS","auth-dss",NID_auth_dss,0,NULL,0},
{"AuthGOST01","auth-gost01",NID_auth_gost01,0,NULL,0},
{"AuthGOST12","auth-gost12",NID_auth_gost12,0,NULL,0},
{"AuthSRP","auth-srp",NID_auth_srp,0,NULL,0},
{"AuthNULL","auth-null",NID_auth_null,0,NULL,0},
}; };
static const unsigned int sn_objs[NUM_SN]={ static const unsigned int sn_objs[NUM_SN]={
@@ -2741,6 +2758,14 @@ static const unsigned int sn_objs[NUM_SN]={
960, /* "AES-256-OCB" */ 960, /* "AES-256-OCB" */
428, /* "AES-256-OFB" */ 428, /* "AES-256-OFB" */
914, /* "AES-256-XTS" */ 914, /* "AES-256-XTS" */
1049, /* "AuthDSS" */
1047, /* "AuthECDSA" */
1050, /* "AuthGOST01" */
1051, /* "AuthGOST12" */
1053, /* "AuthNULL" */
1048, /* "AuthPSK" */
1046, /* "AuthRSA" */
1052, /* "AuthSRP" */
91, /* "BF-CBC" */ 91, /* "BF-CBC" */
93, /* "BF-CFB" */ 93, /* "BF-CFB" */
92, /* "BF-ECB" */ 92, /* "BF-ECB" */
@@ -2829,6 +2854,15 @@ static const unsigned int sn_objs[NUM_SN]={
645, /* "ITU-T" */ 645, /* "ITU-T" */
646, /* "JOINT-ISO-ITU-T" */ 646, /* "JOINT-ISO-ITU-T" */
773, /* "KISA" */ 773, /* "KISA" */
1039, /* "KxDHE" */
1041, /* "KxDHE-PSK" */
1038, /* "KxECDHE" */
1040, /* "KxECDHE-PSK" */
1045, /* "KxGOST" */
1043, /* "KxPSK" */
1037, /* "KxRSA" */
1042, /* "KxRSA_PSK" */
1044, /* "KxSRP" */
15, /* "L" */ 15, /* "L" */
856, /* "LocalKeySet" */ 856, /* "LocalKeySet" */
3, /* "MD2" */ 3, /* "MD2" */
@@ -3961,6 +3995,14 @@ static const unsigned int ln_objs[NUM_LN]={
484, /* "associatedDomain" */ 484, /* "associatedDomain" */
485, /* "associatedName" */ 485, /* "associatedName" */
501, /* "audio" */ 501, /* "audio" */
1049, /* "auth-dss" */
1047, /* "auth-ecdsa" */
1050, /* "auth-gost01" */
1051, /* "auth-gost12" */
1053, /* "auth-null" */
1048, /* "auth-psk" */
1046, /* "auth-rsa" */
1052, /* "auth-srp" */
882, /* "authorityRevocationList" */ 882, /* "authorityRevocationList" */
91, /* "bf-cbc" */ 91, /* "bf-cbc" */
93, /* "bf-cfb" */ 93, /* "bf-cfb" */
@@ -4421,6 +4463,15 @@ static const unsigned int ln_objs[NUM_LN]={
956, /* "jurisdictionStateOrProvinceName" */ 956, /* "jurisdictionStateOrProvinceName" */
150, /* "keyBag" */ 150, /* "keyBag" */
773, /* "kisa" */ 773, /* "kisa" */
1039, /* "kx-dhe" */
1041, /* "kx-dhe-psk" */
1038, /* "kx-ecdhe" */
1040, /* "kx-ecdhe-psk" */
1045, /* "kx-gost" */
1043, /* "kx-psk" */
1037, /* "kx-rsa" */
1042, /* "kx-rsa-psk" */
1044, /* "kx-srp" */
477, /* "lastModifiedBy" */ 477, /* "lastModifiedBy" */
476, /* "lastModifiedTime" */ 476, /* "lastModifiedTime" */
157, /* "localKeyID" */ 157, /* "localKeyID" */

19
crypto/objects/obj_mac.num
View File

@@ -1034,3 +1034,22 @@ pkInitKDC 1033
X25519 1034 X25519 1034
X448 1035 X448 1035
hkdf 1036 hkdf 1036
kx_rsa 1037
kx_ecdhe 1038
kx_dhe 1039
kx_ecdhe_psk 1040
kx_dhe_psk 1041
kx_rsa_psk 1042
kx_psk 1043
kx_srp 1044
kx_gost 1045
auth_rsa 1046
auth_ecdsa 1047
auth_psk 1048
auth_dss 1049
auth_gost01 1050
auth_gost12 1051
auth_srp 1052
auth_null 1053
fips_none 1054
fips_140_2 1055

22
crypto/objects/objects.txt
View File

@@ -1456,3 +1456,25 @@ id-pkinit 5 : pkInitKDC : Signing KDC Response
1 3 6 1 4 1 11591 15 1 : X25519 1 3 6 1 4 1 11591 15 1 : X25519
1 3 6 1 4 1 11591 15 2 : X448 1 3 6 1 4 1 11591 15 2 : X448
# NIDs for cipher key exchange
: KxRSA : kx-rsa
: KxECDHE : kx-ecdhe
: KxDHE : kx-dhe
: KxECDHE-PSK : kx-ecdhe-psk
: KxDHE-PSK : kx-dhe-psk
: KxRSA_PSK : kx-rsa-psk
: KxPSK : kx-psk
: KxSRP : kx-srp
: KxGOST : kx-gost
# NIDs for cipher authentication
: AuthRSA : auth-rsa
: AuthECDSA : auth-ecdsa
: AuthPSK : auth-psk
: AuthDSS : auth-dss
: AuthGOST01 : auth-gost01
: AuthGOST12 : auth-gost12
: AuthSRP : auth-srp
: AuthNULL : auth-null

22
doc/ssl/SSL_CIPHER_get_name.pod
View File

@@ -14,6 +14,9 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_des
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size); char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size);
int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c); int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c); int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
=head1 DESCRIPTION =head1 DESCRIPTION
@@ -34,6 +37,25 @@ SSL_CIPHER_get_digest_nid() returns the digest NID corresponding to the MAC
used by B<c>. If there is no digest (e.g. for AEAD ciphersuites) then used by B<c>. If there is no digest (e.g. for AEAD ciphersuites) then
B<NID_undef> is returned. B<NID_undef> is returned.
SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to the method
used by B<c>. If there is no key exchange, then B<NID_undef> is returned. Examples (not comprehensive):
NID_kx_rsa
NID_kx_ecdhe
NID_kx_dhe
NID_kx_psk
SSL_CIPHER_get_auth_nid() returns the authentication NID corresponding to the method
used by B<c>. If there is no authentication, then B<NID_undef> is returned.
Examples (not comprehensive):
NID_auth_rsa
NID_auth_ecdsa
NID_auth_psk
SSL_CIPHER_is_aead() returns 1 if the cipher B<c> is AEAD (e.g. GCM or
ChaCha20/Poly1305), and 0 if it is not AEAD.
SSL_CIPHER_description() returns a textual description of the cipher used SSL_CIPHER_description() returns a textual description of the cipher used
into the buffer B<buf> of length B<len> provided. If B<buf> is provided, it into the buffer B<buf> of length B<len> provided. If B<buf> is provided, it
must be at least 128 bytes, otherwise a buffer will be allocated using must be at least 128 bytes, otherwise a buffer will be allocated using

68
include/openssl/obj_mac.h
View File

@@ -4536,3 +4536,71 @@
#define SN_X448 "X448" #define SN_X448 "X448"
#define NID_X448 1035 #define NID_X448 1035
#define OBJ_X448 1L,3L,6L,1L,4L,1L,11591L,15L,2L #define OBJ_X448 1L,3L,6L,1L,4L,1L,11591L,15L,2L
#define SN_kx_rsa "KxRSA"
#define LN_kx_rsa "kx-rsa"
#define NID_kx_rsa 1037
#define SN_kx_ecdhe "KxECDHE"
#define LN_kx_ecdhe "kx-ecdhe"
#define NID_kx_ecdhe 1038
#define SN_kx_dhe "KxDHE"
#define LN_kx_dhe "kx-dhe"
#define NID_kx_dhe 1039
#define SN_kx_ecdhe_psk "KxECDHE-PSK"
#define LN_kx_ecdhe_psk "kx-ecdhe-psk"
#define NID_kx_ecdhe_psk 1040
#define SN_kx_dhe_psk "KxDHE-PSK"
#define LN_kx_dhe_psk "kx-dhe-psk"
#define NID_kx_dhe_psk 1041
#define SN_kx_rsa_psk "KxRSA_PSK"
#define LN_kx_rsa_psk "kx-rsa-psk"
#define NID_kx_rsa_psk 1042
#define SN_kx_psk "KxPSK"
#define LN_kx_psk "kx-psk"
#define NID_kx_psk 1043
#define SN_kx_srp "KxSRP"
#define LN_kx_srp "kx-srp"
#define NID_kx_srp 1044
#define SN_kx_gost "KxGOST"
#define LN_kx_gost "kx-gost"
#define NID_kx_gost 1045
#define SN_auth_rsa "AuthRSA"
#define LN_auth_rsa "auth-rsa"
#define NID_auth_rsa 1046
#define SN_auth_ecdsa "AuthECDSA"
#define LN_auth_ecdsa "auth-ecdsa"
#define NID_auth_ecdsa 1047
#define SN_auth_psk "AuthPSK"
#define LN_auth_psk "auth-psk"
#define NID_auth_psk 1048
#define SN_auth_dss "AuthDSS"
#define LN_auth_dss "auth-dss"
#define NID_auth_dss 1049
#define SN_auth_gost01 "AuthGOST01"
#define LN_auth_gost01 "auth-gost01"
#define NID_auth_gost01 1050
#define SN_auth_gost12 "AuthGOST12"
#define LN_auth_gost12 "auth-gost12"
#define NID_auth_gost12 1051
#define SN_auth_srp "AuthSRP"
#define LN_auth_srp "auth-srp"
#define NID_auth_srp 1052
#define SN_auth_null "AuthNULL"
#define LN_auth_null "auth-null"
#define NID_auth_null 1053

3
include/openssl/ssl.h
View File

@@ -1400,6 +1400,9 @@ __owur int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
__owur char *SSL_CIPHER_get_version(const SSL_CIPHER *c); __owur char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
__owur const char *SSL_CIPHER_get_name(const SSL_CIPHER *c); __owur const char *SSL_CIPHER_get_name(const SSL_CIPHER *c);
__owur uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c); __owur uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
__owur int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
__owur int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
__owur int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
__owur int SSL_get_fd(const SSL *s); __owur int SSL_get_fd(const SSL *s);
__owur int SSL_get_rfd(const SSL *s); __owur int SSL_get_rfd(const SSL *s);

52
ssl/ssl_ciph.c
View File

@@ -240,6 +240,29 @@ static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
}; };
static const ssl_cipher_table ssl_cipher_table_kx[] = {
{ SSL_kRSA, NID_kx_rsa },
{ SSL_kECDHE, NID_kx_ecdhe },
{ SSL_kDHE, NID_kx_dhe },
{ SSL_kECDHEPSK, NID_kx_ecdhe_psk },
{ SSL_kDHEPSK, NID_kx_dhe_psk },
{ SSL_kRSAPSK, NID_kx_rsa_psk },
{ SSL_kPSK, NID_kx_psk },
{ SSL_kSRP, NID_kx_srp },
{ SSL_kGOST, NID_kx_gost }
};
static const ssl_cipher_table ssl_cipher_table_auth[] = {
{ SSL_aRSA, NID_auth_rsa },
{ SSL_aECDSA, NID_auth_ecdsa },
{ SSL_aPSK, NID_auth_psk },
{ SSL_aDSS, NID_auth_dss },
{ SSL_aGOST01, NID_auth_gost01 },
{ SSL_aGOST12, NID_auth_gost12 },
{ SSL_aSRP, NID_auth_srp },
{ SSL_aNULL, NID_auth_null }
};
/* Utility function for table lookup */ /* Utility function for table lookup */
static int ssl_cipher_info_find(const ssl_cipher_table * table, static int ssl_cipher_info_find(const ssl_cipher_table * table,
size_t table_cnt, uint32_t mask) size_t table_cnt, uint32_t mask)
@@ -2005,10 +2028,10 @@ int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
{ {
int i; int i;
if (c == NULL) if (c == NULL)
return -1; return NID_undef;
i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc); i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);
if (i == -1) if (i == -1)
return -1; return NID_undef;
return ssl_cipher_table_cipher[i].nid; return ssl_cipher_table_cipher[i].nid;
} }
@@ -2016,9 +2039,30 @@ int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
{ {
int i; int i;
if (c == NULL) if (c == NULL)
return -1; return NID_undef;
i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac); i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
if (i == -1) if (i == -1)
return -1; return NID_undef;
return ssl_cipher_table_mac[i].nid; return ssl_cipher_table_mac[i].nid;
} }
int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
{
int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey);
if (i == -1)
return NID_undef;
return ssl_cipher_table_kx[i].nid;
}
int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
{
int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_auth);
if (i == -1)
return NID_undef;
return ssl_cipher_table_kx[i].nid;
}
int SSL_CIPHER_is_aead(const SSL_CIPHER *c)
{
return (c->algorithm_mac & SSL_AEAD) ? 1 : 0;
}

3
util/libssl.num
View File

@@ -384,3 +384,6 @@ SSL_CTX_get_ct_validation_callback 383 1_1_0 EXIST::FUNCTION:CT
SSL_set_default_read_buffer_len 384 1_1_0 EXIST::FUNCTION: SSL_set_default_read_buffer_len 384 1_1_0 EXIST::FUNCTION:
SSL_CTX_set_default_read_buffer_len 385 1_1_0 EXIST::FUNCTION: SSL_CTX_set_default_read_buffer_len 385 1_1_0 EXIST::FUNCTION:
SSL_has_pending 386 1_1_0 EXIST::FUNCTION: SSL_has_pending 386 1_1_0 EXIST::FUNCTION:
SSL_CIPHER_get_auth_nid 387 1_1_0 EXIST::FUNCTION:
SSL_CIPHER_get_kx_nid 388 1_1_0 EXIST::FUNCTION:
SSL_CIPHER_is_aead 389 1_1_0 EXIST::FUNCTION: