Merge pull request #5428 from gstrauss/mbedtls_ssl_ciphersuite
Add accessors for ciphersuite info
diff --git a/ChangeLog.d/mbedtls_ssl_get_ciphersuite_id.txt b/ChangeLog.d/mbedtls_ssl_get_ciphersuite_id.txt
new file mode 100644
index 0000000..c4235b7
--- /dev/null
+++ b/ChangeLog.d/mbedtls_ssl_get_ciphersuite_id.txt
@@ -0,0 +1,3 @@
+Features
+ * Add accessor to obtain ciphersuite id from ssl context.
+ * Add accessors to get members from ciphersuite info.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 77a7aaa..fbd1fa3 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3889,6 +3889,15 @@
uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
/**
+ * \brief Return the id of the current ciphersuite
+ *
+ * \param ssl SSL context
+ *
+ * \return a ciphersuite id
+ */
+int mbedtls_ssl_get_ciphersuite_id_from_ssl( const mbedtls_ssl_context *ssl );
+
+/**
* \brief Return the name of the current ciphersuite
*
* \param ssl SSL context
diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
index 18e7c98..b46442a 100644
--- a/include/mbedtls/ssl_ciphersuites.h
+++ b/include/mbedtls/ssl_ciphersuites.h
@@ -394,6 +394,13 @@
int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info );
int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info );
+static inline const char *mbedtls_ssl_ciphersuite_get_name( const mbedtls_ssl_ciphersuite_t *info )
+{
+ return info->MBEDTLS_PRIVATE(name);
+}
+
+size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( const mbedtls_ssl_ciphersuite_t *info );
+
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info )
{
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 62588dc..cd2b125 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -2064,6 +2064,19 @@
return( cur->id );
}
+size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( const mbedtls_ssl_ciphersuite_t *info )
+{
+#if defined(MBEDTLS_CIPHER_C)
+ const mbedtls_cipher_info_t * const cipher_info =
+ mbedtls_cipher_info_from_type( info->cipher );
+
+ return( mbedtls_cipher_info_get_key_bitlen( cipher_info ) );
+#else
+ (void)info;
+ return( 0 );
+#endif
+}
+
#if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info )
{
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1d569e7..40d21b5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4364,6 +4364,14 @@
return( 0xFFFFFFFF );
}
+int mbedtls_ssl_get_ciphersuite_id_from_ssl( const mbedtls_ssl_context *ssl )
+{
+ if( ssl == NULL || ssl->session == NULL )
+ return( 0 );
+
+ return( ssl->session->ciphersuite );
+}
+
const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
{
if( ssl == NULL || ssl->session == NULL )
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 7ecc61d..762e21b 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2144,9 +2144,19 @@
}
}
- mbedtls_printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
- mbedtls_ssl_get_version( &ssl ),
- mbedtls_ssl_get_ciphersuite( &ssl ) );
+ {
+ int suite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl( &ssl );
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
+
+ mbedtls_printf( " ok\n [ Protocol is %s ]\n"
+ " [ Ciphersuite is %s ]\n"
+ " [ Key size is %u ]\n",
+ mbedtls_ssl_get_version( &ssl ),
+ mbedtls_ssl_ciphersuite_get_name( ciphersuite_info ),
+ (unsigned int)
+ mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( ciphersuite_info ) );
+ }
if( ( ret = mbedtls_ssl_get_record_expansion( &ssl ) ) >= 0 )
mbedtls_printf( " [ Record expansion is %d ]\n", ret );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 4de75c6..f627274 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3243,8 +3243,17 @@
}
else /* ret == 0 */
{
- mbedtls_printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",
- mbedtls_ssl_get_version( &ssl ), mbedtls_ssl_get_ciphersuite( &ssl ) );
+ int suite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl( &ssl );
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
+
+ mbedtls_printf( " ok\n [ Protocol is %s ]\n"
+ " [ Ciphersuite is %s ]\n"
+ " [ Key size is %u ]\n",
+ mbedtls_ssl_get_version( &ssl ),
+ mbedtls_ssl_ciphersuite_get_name( ciphersuite_info ),
+ (unsigned int)
+ mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( ciphersuite_info ) );
}
if( ( ret = mbedtls_ssl_get_record_expansion( &ssl ) ) >= 0 )
diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h
index cf0b49e..ff02492 100644
--- a/programs/ssl/ssl_test_lib.h
+++ b/programs/ssl/ssl_test_lib.h
@@ -70,6 +70,7 @@
#include "mbedtls/net_sockets.h"
#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/hmac_drbg.h"
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index e78239d..2b342bc 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1475,6 +1475,20 @@
0 \
-s "Verifying peer X.509 certificate... ok"
+run_test "key size: TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
+ "$P_SRV" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
+ 0 \
+ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
+ -c "Key size is 256"
+
+run_test "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ "$P_SRV" \
+ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ 0 \
+ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ -c "Key size is 128"
+
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C