Commit 3ec13237 authored by Todd Short's avatar Todd Short Committed by Rich Salz
Browse files

Add cipher query functions 



Add functions to determine authentication, key-exchange, FIPS and AEAD.

Reviewed-by: default avatarEmilia Käsper <emilia@openssl.org>
Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent 7b8e12d2

CHANGES

+3 −0
Original line number Diff line number Diff line
@@ -8,6 +8,9 @@ 
     callback, such that updates to the SSL_CTX affect ALPN.

     [Todd Short]



  *) Add SSL_CIPHER queries for authentication and key-exchange.

     [Todd Short]



  *) Changes to the DEFAULT cipherlist:

       - Prefer (EC)DHE handshakes over plain RSA.

       - Prefer AEAD ciphers over legacy ciphers.

crypto/objects/obj_dat.h

+54 −3
Original line number Diff line number Diff line
@@ -60,9 +60,9 @@ 
 * [including the GNU Public Licence.]

 */



#define NUM_NID 1037

#define NUM_SN 1030

#define NUM_LN 1030

#define NUM_NID 1054

#define NUM_SN 1047

#define NUM_LN 1047

#define NUM_OBJ 951



static const unsigned char lvalues[6722]={
@@ -2705,6 +2705,23 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ 
{"X25519","X25519",NID_X25519,9,&(lvalues[6703]),0},

{"X448","X448",NID_X448,9,&(lvalues[6712]),0},

{"HKDF","hkdf",NID_hkdf,0,NULL,0},

{"KxRSA","kx-rsa",NID_kx_rsa,0,NULL,0},

{"KxECDHE","kx-ecdhe",NID_kx_ecdhe,0,NULL,0},

{"KxDHE","kx-dhe",NID_kx_dhe,0,NULL,0},

{"KxECDHE-PSK","kx-ecdhe-psk",NID_kx_ecdhe_psk,0,NULL,0},

{"KxDHE-PSK","kx-dhe-psk",NID_kx_dhe_psk,0,NULL,0},

{"KxRSA_PSK","kx-rsa-psk",NID_kx_rsa_psk,0,NULL,0},

{"KxPSK","kx-psk",NID_kx_psk,0,NULL,0},

{"KxSRP","kx-srp",NID_kx_srp,0,NULL,0},

{"KxGOST","kx-gost",NID_kx_gost,0,NULL,0},

{"AuthRSA","auth-rsa",NID_auth_rsa,0,NULL,0},

{"AuthECDSA","auth-ecdsa",NID_auth_ecdsa,0,NULL,0},

{"AuthPSK","auth-psk",NID_auth_psk,0,NULL,0},

{"AuthDSS","auth-dss",NID_auth_dss,0,NULL,0},

{"AuthGOST01","auth-gost01",NID_auth_gost01,0,NULL,0},

{"AuthGOST12","auth-gost12",NID_auth_gost12,0,NULL,0},

{"AuthSRP","auth-srp",NID_auth_srp,0,NULL,0},

{"AuthNULL","auth-null",NID_auth_null,0,NULL,0},

};



static const unsigned int sn_objs[NUM_SN]={
@@ -2741,6 +2758,14 @@ static const unsigned int sn_objs[NUM_SN]={ 
960,	/* "AES-256-OCB" */

428,	/* "AES-256-OFB" */

914,	/* "AES-256-XTS" */

1049,	/* "AuthDSS" */

1047,	/* "AuthECDSA" */

1050,	/* "AuthGOST01" */

1051,	/* "AuthGOST12" */

1053,	/* "AuthNULL" */

1048,	/* "AuthPSK" */

1046,	/* "AuthRSA" */

1052,	/* "AuthSRP" */

91,	/* "BF-CBC" */

93,	/* "BF-CFB" */

92,	/* "BF-ECB" */
@@ -2829,6 +2854,15 @@ static const unsigned int sn_objs[NUM_SN]={ 
645,	/* "ITU-T" */

646,	/* "JOINT-ISO-ITU-T" */

773,	/* "KISA" */

1039,	/* "KxDHE" */

1041,	/* "KxDHE-PSK" */

1038,	/* "KxECDHE" */

1040,	/* "KxECDHE-PSK" */

1045,	/* "KxGOST" */

1043,	/* "KxPSK" */

1037,	/* "KxRSA" */

1042,	/* "KxRSA_PSK" */

1044,	/* "KxSRP" */

15,	/* "L" */

856,	/* "LocalKeySet" */

 3,	/* "MD2" */
@@ -3961,6 +3995,14 @@ static const unsigned int ln_objs[NUM_LN]={ 
484,	/* "associatedDomain" */

485,	/* "associatedName" */

501,	/* "audio" */

1049,	/* "auth-dss" */

1047,	/* "auth-ecdsa" */

1050,	/* "auth-gost01" */

1051,	/* "auth-gost12" */

1053,	/* "auth-null" */

1048,	/* "auth-psk" */

1046,	/* "auth-rsa" */

1052,	/* "auth-srp" */

882,	/* "authorityRevocationList" */

91,	/* "bf-cbc" */

93,	/* "bf-cfb" */
@@ -4421,6 +4463,15 @@ static const unsigned int ln_objs[NUM_LN]={ 
956,	/* "jurisdictionStateOrProvinceName" */

150,	/* "keyBag" */

773,	/* "kisa" */

1039,	/* "kx-dhe" */

1041,	/* "kx-dhe-psk" */

1038,	/* "kx-ecdhe" */

1040,	/* "kx-ecdhe-psk" */

1045,	/* "kx-gost" */

1043,	/* "kx-psk" */

1037,	/* "kx-rsa" */

1042,	/* "kx-rsa-psk" */

1044,	/* "kx-srp" */

477,	/* "lastModifiedBy" */

476,	/* "lastModifiedTime" */

157,	/* "localKeyID" */

crypto/objects/obj_mac.num

+19 −0
Original line number Diff line number Diff line
@@ -1034,3 +1034,22 @@ pkInitKDC 1033 
X25519		1034

X448		1035

hkdf		1036

kx_rsa		1037

kx_ecdhe		1038

kx_dhe		1039

kx_ecdhe_psk		1040

kx_dhe_psk		1041

kx_rsa_psk		1042

kx_psk		1043

kx_srp		1044

kx_gost		1045

auth_rsa		1046

auth_ecdsa		1047

auth_psk		1048

auth_dss		1049

auth_gost01		1050

auth_gost12		1051

auth_srp		1052

auth_null		1053

fips_none		1054

fips_140_2		1055

crypto/objects/objects.txt

+22 −0
Original line number Diff line number Diff line
@@ -1456,3 +1456,25 @@ id-pkinit 5 : pkInitKDC : Signing KDC Response 


1 3 6 1 4 1 11591 15 1      : X25519

1 3 6 1 4 1 11591 15 2      : X448



# NIDs for cipher key exchange

                            : KxRSA        : kx-rsa

                            : KxECDHE      : kx-ecdhe

                            : KxDHE        : kx-dhe

                            : KxECDHE-PSK  : kx-ecdhe-psk

                            : KxDHE-PSK    : kx-dhe-psk

                            : KxRSA_PSK    : kx-rsa-psk

                            : KxPSK        : kx-psk

                            : KxSRP        : kx-srp

                            : KxGOST       : kx-gost



# NIDs for cipher authentication

                            : AuthRSA      : auth-rsa

                            : AuthECDSA    : auth-ecdsa

                            : AuthPSK      : auth-psk

                            : AuthDSS      : auth-dss

                            : AuthGOST01   : auth-gost01

                            : AuthGOST12   : auth-gost12

                            : AuthSRP      : auth-srp

                            : AuthNULL     : auth-null

doc/ssl/SSL_CIPHER_get_name.pod

+22 −0
Original line number Diff line number Diff line
@@ -14,6 +14,9 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_des 
 char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size);

 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);

 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);

 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);

 int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);

 int SSL_CIPHER_is_aead(const SSL_CIPHER *c);



=head1 DESCRIPTION
@@ -34,6 +37,25 @@ SSL_CIPHER_get_digest_nid() returns the digest NID corresponding to the MAC 
used by B<c>. If there is no digest (e.g. for AEAD ciphersuites) then

B<NID_undef> is returned.



SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to the method

used by B<c>. If there is no key exchange, then B<NID_undef> is returned. Examples (not comprehensive):



 NID_kx_rsa

 NID_kx_ecdhe

 NID_kx_dhe

 NID_kx_psk



SSL_CIPHER_get_auth_nid() returns the authentication NID corresponding to the method

used by B<c>. If there is no authentication, then B<NID_undef> is returned.

Examples (not comprehensive):



 NID_auth_rsa

 NID_auth_ecdsa

 NID_auth_psk



SSL_CIPHER_is_aead() returns 1 if the cipher B<c> is AEAD (e.g. GCM or

ChaCha20/Poly1305), and 0 if it is not AEAD.



SSL_CIPHER_description() returns a textual description of the cipher used

into the buffer B<buf> of length B<len> provided.  If B<buf> is provided, it

must be at least 128 bytes, otherwise a buffer will be allocated using