int ssl_print_tmp_key(BIO *out, SSL *s)
{
EVP_PKEY *key;
- if (!SSL_get_server_tmp_key(s, &key))
+
+ if (!SSL_get_peer_tmp_key(s, &key))
return 1;
BIO_puts(out, "Server Temp Key: ");
switch (EVP_PKEY_id(key)) {
=head1 NAME
-SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid - get TLS
-message signing types
+SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid,
+SSL_get_signature_nid, SSL_get_signature_type_nid - get TLS message signing
+types
=head1 SYNOPSIS
int SSL_get_peer_signature_nid(SSL *ssl, int *psig_nid);
int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid);
+ int SSL_get_signature_nid(SSL *ssl, int *psig_nid);
+ int SSL_get_signature_type_nid(const SSL *ssl, int *psigtype_nid);
=head1 DESCRIPTION
B<rsa_pss_rsae_*> and B<rsa_pss_pss_*> signatures, it's necessary to check
the type of public key in the peer's certificate.
+SSL_get_signature_nid() and SSL_get_signature_type_nid() return the equivalent
+information for the local end of the connection.
+
=head1 RETURN VALUES
These functions return 1 for success and 0 for failure. There are several
possible reasons for failure: the cipher suite has no signature (e.g. it
uses RSA key exchange or is anonymous), the TLS version is below 1.2 or
-the functions were called before the peer signed a message.
+the functions were called too early, e.g. before the peer signed a message.
=head1 SEE ALSO
=head1 NAME
-SSL_get_server_tmp_key - get information about the server's temporary key used
-during a handshake
+SSL_get_peer_tmp_key, SSL_get_server_tmp_key, SSL_get_tmp_key - get information
+about temporary keys used during a handshake
=head1 SYNOPSIS
#include <openssl/ssl.h>
+ long SSL_get_peer_tmp_key(SSL *ssl, EVP_PKEY **key);
long SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **key);
+ long SSL_get_tmp_key(SSL *ssl, EVP_PKEY **key);
=head1 DESCRIPTION
-SSL_get_server_tmp_key() returns the temporary key provided by the server and
+SSL_get_peer_tmp_key() returns the temporary key provided by the peer and
used during key exchange. For example, if ECDHE is in use, then this represents
-the server's public ECDHE key. On success a pointer to the key is stored in
+the peer's public ECDHE key. On success a pointer to the key is stored in
B<*key>. It is the caller's responsibility to free this key after use using
-L<EVP_PKEY_free(3)>. This function may only be called by the client.
+L<EVP_PKEY_free(3)>.
+
+SSL_get_server_tmp_key() is a backwards compatibility alias for
+SSL_get_peer_tmp_key().
+Under that name it worked just on the client side of the connection, its
+behaviour on the server end is release-dependent.
+
+SSL_get_tmp_key() returns the equivalent information for the local
+end of the connection.
=head1 RETURN VALUES
-SSL_get_server_tmp_key() returns 1 on success or 0 otherwise.
+All these functions return 1 on success and 0 otherwise.
=head1 NOTES
# define SSL_CTRL_SET_VERIFY_CERT_STORE 106
# define SSL_CTRL_SET_CHAIN_CERT_STORE 107
# define SSL_CTRL_GET_PEER_SIGNATURE_NID 108
-# define SSL_CTRL_GET_SERVER_TMP_KEY 109
+# define SSL_CTRL_GET_PEER_TMP_KEY 109
# define SSL_CTRL_GET_RAW_CIPHERLIST 110
# define SSL_CTRL_GET_EC_POINT_FORMATS 111
# define SSL_CTRL_GET_CHAIN_CERTS 115
# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
# define SSL_CTRL_GET_MIN_PROTO_VERSION 130
# define SSL_CTRL_GET_MAX_PROTO_VERSION 131
+# define SSL_CTRL_GET_SIGNATURE_NID 132
+# define SSL_CTRL_GET_TMP_KEY 133
# define SSL_CERT_SET_FIRST 1
# define SSL_CERT_SET_NEXT 2
# define SSL_CERT_SET_SERVER 3
(char *)(clist))
# define SSL_set1_client_certificate_types(s, clist, clistlen) \
SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)(clist))
+# define SSL_get_signature_nid(s, pn) \
+ SSL_ctrl(s,SSL_CTRL_GET_SIGNATURE_NID,0,pn)
# define SSL_get_peer_signature_nid(s, pn) \
SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
-# define SSL_get_server_tmp_key(s, pk) \
- SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
+# define SSL_get_peer_tmp_key(s, pk) \
+ SSL_ctrl(s,SSL_CTRL_GET_PEER_TMP_KEY,0,pk)
+# define SSL_get_tmp_key(s, pk) \
+ SSL_ctrl(s,SSL_CTRL_GET_TMP_KEY,0,pk)
# define SSL_get0_raw_cipherlist(s, plst) \
SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst)
# define SSL_get0_ec_point_formats(s, plst) \
# define SSL_get_max_proto_version(s) \
SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL)
+/* Backwards compatibility, original 1.1.0 names */
+# define SSL_CTRL_GET_SERVER_TMP_KEY \
+ SSL_CTRL_GET_PEER_TMP_KEY
+# define SSL_get_server_tmp_key(s, pk) \
+ SSL_get_peer_tmp_key(s, pk)
+
/*
* The following symbol names are old and obsolete. They are kept
* for compatibility reasons only and should not be used anymore.
size_t contextlen);
int SSL_get_peer_signature_type_nid(const SSL *s, int *pnid);
+int SSL_get_signature_type_nid(const SSL *s, int *pnid);
int SSL_get_sigalgs(SSL *s, int idx,
int *psign, int *phash, int *psignandhash,
*(int *)parg = s->s3->tmp.peer_sigalg->hash;
return 1;
- case SSL_CTRL_GET_SERVER_TMP_KEY:
+ case SSL_CTRL_GET_SIGNATURE_NID:
+ if (s->s3->tmp.sigalg == NULL)
+ return 0;
+ *(int *)parg = s->s3->tmp.sigalg->hash;
+ return 1;
+
+ case SSL_CTRL_GET_PEER_TMP_KEY:
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
- if (s->server || s->session == NULL || s->s3->peer_tmp == NULL) {
+ if (s->session == NULL || s->s3->peer_tmp == NULL) {
return 0;
} else {
EVP_PKEY_up_ref(s->s3->peer_tmp);
#else
return 0;
#endif
+
+ case SSL_CTRL_GET_TMP_KEY:
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
+ if (s->session == NULL || s->s3->tmp.pkey == NULL) {
+ return 0;
+ } else {
+ EVP_PKEY_up_ref(s->s3->tmp.pkey);
+ *(EVP_PKEY **)parg = s->s3->tmp.pkey;
+ return 1;
+ }
+#else
+ return 0;
+#endif
+
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
return 1;
}
+int SSL_get_signature_type_nid(const SSL *s, int *pnid)
+{
+ if (s->s3->tmp.sigalg == NULL)
+ return 0;
+ *pnid = s->s3->tmp.sigalg->sig;
+ return 1;
+}
+
/*
* Set a mask of disabled algorithms: an algorithm is disabled if it isn't
* supported, doesn't appear in supported signature algorithms, isn't supported
*serv_sess_out = SSL_SESSION_dup(tmp);
}
- if (SSL_get_server_tmp_key(client.ssl, &tmp_key)) {
+ if (SSL_get_peer_tmp_key(client.ssl, &tmp_key)) {
ret->tmp_key_type = pkey_type(tmp_key);
EVP_PKEY_free(tmp_key);
}
}
X509_free(cert);
}
- if (SSL_get_server_tmp_key(c_ssl, &pkey)) {
+ if (SSL_get_peer_tmp_key(c_ssl, &pkey)) {
BIO_puts(bio_stdout, ", temp key: ");
print_key_details(bio_stdout, pkey);
EVP_PKEY_free(pkey);
SSL_CTX_get_recv_max_early_data 498 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_recv_max_early_data 499 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_post_handshake_auth 500 1_1_1 EXIST::FUNCTION:
+SSL_get_signature_type_nid 501 1_1_1a EXIST::FUNCTION:
SSL_get_min_proto_version define
SSL_get_mode define
SSL_get_peer_signature_nid define
+SSL_get_peer_tmp_key define
SSL_get_secure_renegotiation_support define
SSL_get_server_tmp_key define
SSL_get_shared_curve define
SSL_get_shared_group define
+SSL_get_signature_nid define
SSL_get_time define
SSL_get_timeout define
SSL_get_tlsext_status_ocsp_resp define
SSL_get_tlsext_status_type define
+SSL_get_tmp_key define
SSL_in_accept_init define
SSL_in_connect_init define
SSL_library_init define
projects / thirdparty / openssl.git / commitdiff
