diff --git a/ChangeLog.d/mbedtls_ssl_get_ciphersuite_id.txt b/ChangeLog.d/mbedtls_ssl_get_ciphersuite_id.txt
new file mode 100644
index 0000000000..c4235b74b2
--- /dev/null
+++ b/ChangeLog.d/mbedtls_ssl_get_ciphersuite_id.txt
@@ -0,0 +1,3 @@
+Features
+ * Add accessor to obtain ciphersuite id from ssl context.
+ * Add accessors to get members from ciphersuite info.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 77a7aaa649..fbd1fa3ee1 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3888,6 +3888,15 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
 */
 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
+/**
+ * \brief Return the id of the current ciphersuite
+ *
+ * \param ssl SSL context
+ *
+ * \return a ciphersuite id
+ */
+int mbedtls_ssl_get_ciphersuite_id_from_ssl( const mbedtls_ssl_context *ssl );
+
 /**
 * \brief Return the name of the current ciphersuite
 *
diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
index 18e7c98767..b46442a357 100644
--- a/include/mbedtls/ssl_ciphersuites.h
+++ b/include/mbedtls/ssl_ciphersuites.h
@@ -394,6 +394,13 @@ mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphers
 int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info );
 int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info );
+static inline const char *mbedtls_ssl_ciphersuite_get_name( const mbedtls_ssl_ciphersuite_t *info )
+{
+ return info->MBEDTLS_PRIVATE(name);
+}
+
+size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( const mbedtls_ssl_ciphersuite_t *info );
+
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
 static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info )
 {
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 62588dc2e5..cd2b1253f4 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
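Review bot: The `\return` text for `mbedtls_ssl_get_ciphersuite_id_from_ssl()` in include/mbedtls/ssl.h does not say what is returned when there is no session. The implementation added in library/ssl_tls.c returns 0 if `ssl` or `ssl->session` is NULL, so a caller reading only the header cannot tell that 0 means nothing has been negotiated yet rather than a real suite. I would document it as `\return The id of the current ciphersuite, or 0 if \p ssl is NULL or no session is established.`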
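Review bot: `mbedtls_ssl_ciphersuite_get_name()` in include/mbedtls/ssl_ciphersuites.h dereferences `info` unconditionally, and neither new accessor has a documentation comment stating that `info` must be non-NULL. The same holds for `mbedtls_ssl_ciphersuite_get_cipher_key_bitlen()` in library/ssl_ciphersuites.c, which reads `info->cipher` without a check and returns 0 when MBEDTLS_CIPHER_C is not defined. As these are public accessors that will typically be fed the result of a table lookup, either document the precondition, e.g. `\param info The ciphersuite info; must not be NULL.`, or make a NULL argument well defined with `if( info == NULL ) return( NULL );` (and `return( 0 );` in the key-length getter). The 0 result of the key-length getter deserves a `\return` line too.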
@@ -2064,6 +2064,19 @@ int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name )
 return( cur->id );
 }
+size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( const mbedtls_ssl_ciphersuite_t *info )
+{
+#if defined(MBEDTLS_CIPHER_C)
+ const mbedtls_cipher_info_t * const cipher_info =
+ mbedtls_cipher_info_from_type( info->cipher );
+
+ return( mbedtls_cipher_info_get_key_bitlen( cipher_info ) );
+#else
+ (void)info;
+ return( 0 );
+#endif
+}
+
 #if defined(MBEDTLS_PK_C)
 mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info )
 {
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1d569e7928..40d21b5f81 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4364,6 +4364,14 @@ uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
 return( 0xFFFFFFFF );
 }
+int mbedtls_ssl_get_ciphersuite_id_from_ssl( const mbedtls_ssl_context *ssl )
+{
+ if( ssl == NULL || ssl->session == NULL )
+ return( 0 );
+
+ return( ssl->session->ciphersuite );
+}
+
 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
 {
 if( ssl == NULL || ssl->session == NULL )
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 7ecc61d385..762e21b410 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
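Review bot: In `mbedtls_ssl_ciphersuite_get_cipher_key_bitlen()` (library/ssl_ciphersuites.c) the result of `mbedtls_cipher_info_from_type()` is handed straight to `mbedtls_cipher_info_get_key_bitlen()` with no check. If the suite's cipher type has no entry in this build, `cipher_info` would presumably be NULL, and the function is then only safe if the getter accepts NULL, which is not visible in this hunk. Please confirm that and record it next to the call, for example `/* cipher_info may be NULL; the getter then reports 0 */`, so the reliance survives later refactoring.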
@@ -2144,9 +2144,19 @@ int main( int argc, char *argv[] )
 }
 }
- mbedtls_printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
- mbedtls_ssl_get_version( &ssl ),
- mbedtls_ssl_get_ciphersuite( &ssl ) );
+ {
+ int suite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl( &ssl );
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
+
+ mbedtls_printf( " ok\n [ Protocol is %s ]\n"
+ " [ Ciphersuite is %s ]\n"
+ " [ Key size is %u ]\n",
+ mbedtls_ssl_get_version( &ssl ),
+ mbedtls_ssl_ciphersuite_get_name( ciphersuite_info ),
+ (unsigned int)
+ mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( ciphersuite_info ) );
+ }
 if( ( ret = mbedtls_ssl_get_record_expansion( &ssl ) ) >= 0 )
 mbedtls_printf( " [ Record expansion is %d ]\n", ret );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 4de75c661b..f627274a49 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3243,8 +3243,17 @@ handshake:
 }
 else /* ret == 0 */
 {
- mbedtls_printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
- mbedtls_ssl_get_version( &ssl ), mbedtls_ssl_get_ciphersuite( &ssl ) );
+ int suite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl( &ssl );
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
+
+ mbedtls_printf( " ok\n [ Protocol is %s ]\n"
+ " [ Ciphersuite is %s ]\n"
+ " [ Key size is %u ]\n",
+ mbedtls_ssl_get_version( &ssl ),
+ mbedtls_ssl_ciphersuite_get_name( ciphersuite_info ),
+ (unsigned int)
+ mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( ciphersuite_info ) );
 }
 if( ( ret = mbedtls_ssl_get_record_expansion( &ssl ) ) >= 0 )
diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h
index cf0b49e097..ff024924fe 100644
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
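Review bot: In programs/ssl/ssl_client2.c the pointer returned by `mbedtls_ssl_ciphersuite_from_id( suite_id )` is passed to `mbedtls_ssl_ciphersuite_get_name()` and `mbedtls_ssl_ciphersuite_get_cipher_key_bitlen()` without a NULL check, and the same pattern is repeated in the ssl_server2.c hunk. The replaced call, `mbedtls_ssl_get_ciphersuite( &ssl )`, carried its own guard, whereas the new name accessor dereferences its argument directly, so a failed lookup (if the function returns NULL for an id it does not know, such as the 0 the id getter returns without a session) would crash the program instead of printing a placeholder. A successful handshake should make this unreachable, but as these programs serve as usage examples I would add `if( ciphersuite_info != NULL )` around the name and key-size output, or print a fixed string such as `"unknown"` otherwise. Both enclosing functions start and end outside the hunks shown.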
@@ -70,6 +70,7 @@
 #include "mbedtls/net_sockets.h"
 #include "mbedtls/ssl.h"
+#include "mbedtls/ssl_ciphersuites.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/hmac_drbg.h"
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index e78239dff8..2b342bcdf0 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1475,6 +1475,20 @@ run_test "TLS client auth: required" \
 0 \
 -s "Verifying peer X.509 certificate... ok"
+run_test "key size: TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
+ "$P_SRV" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
+ 0 \
+ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
+ -c "Key size is 256"
+
+run_test "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ "$P_SRV" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ 0 \
+ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ -c "Key size is 128"
+
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
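Review bot: Both new `run_test` cases in tests/ssl-opt.sh match only the client log (`-c`), so the identical output change made to ssl_server2.c in this commit is not exercised by any test. Since the server now prints the same two lines, add `-s "Key size is 256"` to the CHACHA20-POLY1305 case and `-s "Key size is 128"` to the AES-128-CCM-8 case. That also confirms both peers report the same negotiated key length, which is the property a user of the new accessor would rely on.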