Introduce SSL_CIPHER_get_protocol_id

The returned ID matches with what IANA specifies (or goes on the wire anyway, IANA notwithstanding). Doc is added. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4107)
2025-03-19 19:50:42 +08:00 · 2017-08-23 00:37:10 +08:00 · 2017-08-23 00:37:10 +08:00 · 50966bfa11
commit 50966bfa11
parent 22d1a340b6
4 changed files with 15 additions and 6 deletions
--- a/doc/man3/SSL_CIPHER_get_name.pod
+++ b/doc/man3/SSL_CIPHER_get_name.pod
@ -15,7 +15,8 @@ SSL_CIPHER_get_kx_nid,
 SSL_CIPHER_get_auth_nid,
 SSL_CIPHER_is_aead,
 SSL_CIPHER_find,
-SSL_CIPHER_get_id
+SSL_CIPHER_get_id,
+SSL_CIPHER_get_protocol_id
 - get SSL_CIPHER properties

 =head1 SYNOPSIS
@ -36,6 +37,7 @@ SSL_CIPHER_get_id
 int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
 const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
+ uint32_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c);

 =head1 DESCRIPTION

@ -98,11 +100,11 @@ two-byte TLS cipher ID (as allocated by IANA) in network byte order. This parame
 is usually retrieved from a TLS packet by using functions like L<SSL_early_get0_ciphers(3)>.
 SSL_CIPHER_find() returns NULL if an error occurs or the indicated cipher is not found.

-SSL_CIPHER_get_id() returns the ID of the given cipher B<c>. The ID here is an
-OpenSSL-specific concept, which stores a prefix of 0x0300 in the higher two bytes,
-and the IANA-specified chipher suite ID in the lower two bytes. For instance,
-TLS_RSA_WITH_NULL_MD5 has IANA ID "0x00, 0x01", but the SSL_CIPHER_get_id()
-function will return an ID with value 0x03000001.
+SSL_CIPHER_get_id() returns the OpenSSL-specific ID of the given cipher B<c>. That ID is
+not the same as the IANA-specific ID.
+
+SSL_CIPHER_get_protocol_id() returns the two-byte ID used in the TLS protocol of the given
+cipher B<c>.

 SSL_CIPHER_description() returns a textual description of the cipher used
 into the buffer B<buf> of length B<len> provided.  If B<buf> is provided, it
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -1441,6 +1441,7 @@ __owur const char *SSL_CIPHER_get_name(const SSL_CIPHER *c);
 __owur const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c);
 __owur const char *OPENSSL_cipher_name(const char *rfc_name);
 __owur uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
+__owur uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c);
 __owur int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
 __owur int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
 __owur const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c);
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@ -1764,6 +1764,11 @@ uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c)
    return c->id;
 }

+uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c)
+{
+    return c->id & 0xFFFF;
+}
+
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
 {
    SSL_COMP *ctmp;
--- a/util/libssl.num
+++ b/util/libssl.num
@ -464,3 +464,4 @@ SSL_alloc_buffers                       464	1_1_1	EXIST::FUNCTION:
 SSL_free_buffers                        465	1_1_1	EXIST::FUNCTION:
 SSL_SESSION_dup                         466	1_1_1	EXIST::FUNCTION:
 SSL_get_pending_cipher                  467	1_1_1	EXIST::FUNCTION:
+SSL_CIPHER_get_protocol_id              468	1_1_1	EXIST::FUNCTION: