OpenSSL 1.1 get a cipher suite by the IANA ID


Question

In OpenSSL 1.0.2 we have used the ssl3_get_cipher_by_id() function found in s3_lib.c to obtain a cipher suite (SSL_CIPHER*) using the IANA ID.

For example, the ID 0x00,0x2F would give us the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite as an SSL_CIPHER struct.

However, this function is not listed in the OpenSSL documentation from 1.0.2 and above, and while the function is still available in 1.1.1 it does not seem to work for newer cipher suites, e.g. returning NULL for both of these:

0xC0,0x2F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
0xC0,0x14 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

MY QUESTION: Is there a modern way to obtain the cipher suite (SSL_CIPHER or newer struct) by its IANA ID?

I have seen this related question but it does not answer how to obtain a cipher suite object from an IANA hex ID.

N.B. by IANA ID I mean the first hex column on pages like these:

Solution

You could use SSL_CIPHER_find(), which

... returns a SSL_CIPHER structure which has the cipher ID stored in ptr. The ptr parameter is a two element array of char, which stores the two-byte TLS cipher ID (as allocated by IANA) in network byte order.

see https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_find.html

C Program

C code for your two examples could look like this:

#include <stdio.h>
#include <stdlib.h>          /* exit() */
#include <openssl/err.h>
#include <openssl/ssl.h>

static void print_name(unsigned char iana[], const SSL_CIPHER *cipher);

int main(void) {
    /* SSL_CIPHER_find() needs an SSL object; its method decides which cipher table is searched. */
    SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
    if (ctx == NULL) {
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    SSL *ssl = SSL_new(ctx);
    if (ssl == NULL) {
        ERR_print_errors_fp(stderr);
        SSL_CTX_free(ctx);
        exit(1);
    }

    /* Two-byte IANA IDs, first byte first (network byte order) */
    unsigned char iana1[] = {0xC0, 0x2F};   /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    const SSL_CIPHER *cipher = SSL_CIPHER_find(ssl, iana1);
    if (cipher) {
        print_name(iana1, cipher);
    }

    unsigned char iana2[] = {0xC0, 0x14};   /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
    cipher = SSL_CIPHER_find(ssl, iana2);
    if (cipher) {
        print_name(iana2, cipher);
    }
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return 0;
}

static void print_name(unsigned char iana[], const SSL_CIPHER *cipher) {
    /* SSL_CIPHER_standard_name() gives the IANA/RFC name; SSL_CIPHER_get_name() would give OpenSSL's own name */
    const char *name = SSL_CIPHER_standard_name(cipher);
    if (name == NULL)
        name = "?";
    printf("0x%02X,0x%02X -> %s\n", iana[0], iana[1], name);
}

Test

If you run the above program, you will get the following output on the debug console:

0xC0,0x2F -> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
0xC0,0x14 -> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
