API to get negotiated key exchange algorithm in TLS1.3

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9323)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7219d834203c699f1e479f4b5e26fc55a71bbbc3..93f6bbc8f830bdef30b874e04d8030ccb8720741 100644 (file)
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1316,6 +1316,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTRL_GET_MAX_PROTO_VERSION          131
 # define SSL_CTRL_GET_SIGNATURE_NID              132
 # define SSL_CTRL_GET_TMP_KEY                    133
+# define SSL_CTRL_GET_NEGOTIATED_GROUP           134
 # define SSL_CERT_SET_FIRST                      1
 # define SSL_CERT_SET_NEXT                       2
 # define SSL_CERT_SET_SERVER                     3
@@ -1415,6 +1416,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
         SSL_ctrl(s,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(str))
 # define SSL_get_shared_group(s, n) \
         SSL_ctrl(s,SSL_CTRL_GET_SHARED_GROUP,n,NULL)
+# define SSL_get_negotiated_group(s) \
+        SSL_ctrl(s,SSL_CTRL_GET_NEGOTIATED_GROUP,0,NULL)
 # define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \
         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist))
 # define SSL_CTX_set1_sigalgs_list(ctx, s) \

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8a22d01325dbdc21def41b60dd4abd7cb66cbfc9..d23f932ce9421cdef9e0e10e01656f9119fc6e1c 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3617,13 +3617,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
         {
             uint16_t id = tls1_shared_group(s, larg);
 
-            if (larg != -1) {
-                const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id);
-
-                return ginf == NULL ? 0 : ginf->nid;
-            }
+            if (larg != -1)
+                return tls1_group_id2nid(id);
             return id;
         }
+    case SSL_CTRL_GET_NEGOTIATED_GROUP:
+        ret = tls1_group_id2nid(s->s3.group_id);
+        break;
 #endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */
 
     case SSL_CTRL_SET_SIGALGS:

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 49c45109a801572818636adbb30a7d2d1af209ac..b66979b4dad0eabb023f18dabae2712250bd8800 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2530,6 +2530,7 @@ __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
 
 __owur const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id);
+__owur int tls1_group_id2nid(uint16_t group_id);
 __owur int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_curves);
 __owur uint16_t tls1_shared_group(SSL *s, int nmatch);
 __owur int tls1_set_groups(uint16_t **pext, size_t *pextlen,

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 93b14b80a2c015c92084118be5fccc63e93b1718..24702704db35820bf4aed33418f9b11bd6489a75 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -226,6 +226,13 @@ const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id)
 }
 
 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
+int tls1_group_id2nid(uint16_t group_id)
+{
+    const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(group_id);
+
+    return ginf == NULL ? NID_undef : ginf->nid;
+}
+
 static uint16_t tls1_nid2group_id(int nid)
 {
     size_t i;

diff --git a/util/private.num b/util/private.num
index 82cb72e606e9c345d5a66f7900e296e203acf31a..351828268c7a996f88f54747d1a9c6fa14dc3532 100644 (file)
--- a/util/private.num
+++ b/util/private.num
@@ -450,6 +450,7 @@ SSL_get_secure_renegotiation_support    define
 SSL_get_server_tmp_key                  define
 SSL_get_shared_curve                    define
 SSL_get_shared_group                    define
+SSL_get_negotiated_group                define
 SSL_get_signature_nid                   define
 SSL_get_time                            define
 SSL_get_timeout                         define