Make SSL{_CTX,}_{get,set,clear}_options functions

These now take and return unsigned long, and get is constified.
Updated related documentation and util/ssleay.num

Reviewed-by: Matt Caswell <matt@openssl.org>
Viktor Dukhovni 2016-01-10 20:15:04 -05:00
parent ccf73257f6
commit 8106cb8b6d
8 changed files with 65 additions and 34 deletions


@ -318,8 +318,9 @@ sure to also leave TLS 1.1 enabled.
=item B<Options>
The B<value> argument is a comma separated list of various flags to set.
If a flag string is preceded B<-> it is disabled. See the
B<SSL_CTX_set_options> function for more details of individual options.
If a flag string is preceded B<-> it is disabled.
See the L<SSL_CTX_set_options(3)> function for more details of
individual options.
Each option is listed below. Where an operation is enabled by default
the B<-flag> syntax is needed to disable it.
@ -527,7 +528,8 @@ L<SSL_CONF_CTX_new(3)>,
L<SSL_CONF_CTX_set_flags(3)>,
L<SSL_CONF_CTX_set1_prefix(3)>,
L<SSL_CONF_CTX_set_ssl_ctx(3)>,
L<SSL_CONF_cmd_argv(3)>
L<SSL_CONF_cmd_argv(3)>,
L<SSL_CTX_set_options(3)>
=head1 HISTORY


@ -139,9 +139,9 @@ If you want to limit the supported protocols for the version flexible
methods you can use SSL_CTX_set_min_proto_version(),
SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and
SSL_set_max_proto_version() functions.
They can also be limited using by using an option like SSL_OP_NO_SSLv3
of the SSL_CTX_set_options() or SSL_set_options() functions, but
that's not recommended.
They can also be limited by setting an option like B<SSL_OP_NO_SSLv3>
via the L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions,
but that's not recommended.
Using these functions it is possible to choose e.g. TLS_server_method()
and be able to negotiate with all possible clients, but to only
allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2.


@ -19,8 +19,9 @@ and maximum supported protocol version
The functions set the minimum and maximum supported portocol versions
for the B<ctx> or B<ssl>.
This works in combination with the options set via SSL_CTX_set_options()
that also make it possible to disable specific protocol versions.
This works in combination with the options set via
L<SSL_CTX_set_options(3)> that also make it possible to disable
specific protocol versions.
Use these functions instead of disabling specific protocol versions.
Setting the minimum or maximum version to 0, will enable protocol


@ -23,8 +23,6 @@ SSL_get_secure_renegotiation_support - manipulate SSL options
=head1 DESCRIPTION
Note: all these functions are implemented using macros.
SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
Options already set before are not cleared!
@ -42,6 +40,7 @@ SSL_get_options() returns the options set for B<ssl>.
SSL_get_secure_renegotiation_support() indicates whether the peer supports
secure renegotiation.
Note, this is implemented via a macro.
=head1 NOTES


@ -315,7 +315,11 @@ Use the file path to locate trusted CA certficates.
=item void B<SSL_CTX_set_msg_callback_arg>(SSL_CTX *ctx, void *arg);
=item void B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
=item unsigned long B<SSL_CTX_clear_options>(SSL_CTX *ctx, unsigned long op);
=item unsigned long B<SSL_CTX_get_options>(SSL_CTX *ctx);
=item unsigned long B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
=item void B<SSL_CTX_set_quiet_shutdown>(SSL_CTX *ctx, int mode);
@ -596,7 +600,11 @@ fresh handle for each connection.
=item void B<SSL_set_msg_callback_arg>(SSL *ctx, void *arg);
=item void B<SSL_set_options>(SSL *ssl, unsigned long op);
=item unsigned long B<SSL_clear_options>(SSL *ssl, unsigned long op);
=item unsigned long B<SSL_get_options>(SSL *ssl);
=item unsigned long B<SSL_set_options>(SSL *ssl, unsigned long op);
=item void B<SSL_set_quiet_shutdown>(SSL *ssl, int mode);


@ -569,18 +569,12 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
* cannot be used to clear bits.
*/
# define SSL_CTX_set_options(ctx,op) \
SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
# define SSL_CTX_clear_options(ctx,op) \
SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
# define SSL_CTX_get_options(ctx) \
SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
# define SSL_set_options(ssl,op) \
SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
# define SSL_clear_options(ssl,op) \
SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
# define SSL_get_options(ssl) \
SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
unsigned long SSL_CTX_get_options(const SSL_CTX *ctx);
unsigned long SSL_get_options(const SSL* s);
unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
unsigned long SSL_clear_options(SSL *s, unsigned long op);
unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
unsigned long SSL_set_options(SSL *s, unsigned long op);
# define SSL_CTX_set_mode(ctx,op) \
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
@ -1140,7 +1134,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_CTRL_SESS_MISSES 29
# define SSL_CTRL_SESS_TIMEOUTS 30
# define SSL_CTRL_SESS_CACHE_FULL 31
# define SSL_CTRL_OPTIONS 32
# define SSL_CTRL_MODE 33
# define SSL_CTRL_GET_READ_AHEAD 40
# define SSL_CTRL_SET_READ_AHEAD 41
@ -1188,7 +1181,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define DTLS_CTRL_HANDLE_TIMEOUT 74
# define DTLS_CTRL_LISTEN 75
# define SSL_CTRL_GET_RI_SUPPORT 76
# define SSL_CTRL_CLEAR_OPTIONS 77
# define SSL_CTRL_CLEAR_MODE 78
# define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB 79
# define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
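Review bot: `unsigned long SSL_get_options(const SSL* s);` binds the `*` to the type while the declaration directly above it writes `const SSL_CTX *ctx`; it should read `unsigned long SSL_get_options(const SSL *s);`, and the same spelling appears in the new definition in ssl/ssl_lib.c (`SSL_get_options(const SSL* s)`). The two later hunks in this file drop `SSL_CTRL_OPTIONS 32` and `SSL_CTRL_CLEAR_OPTIONS 77` without leaving any marker, so nothing stops a future ctrl command from being assigned 32 or 77, numbers that code compiled against the old macro-based header may still pass to SSL_ctrl()/SSL_CTX_ctrl(); a one-line comment at each gap such as `/* 32 retired: SSL_CTRL_OPTIONS is now SSL_CTX_set_options(); do not reuse */` would prevent that. The comment ending `cannot be used to clear bits.` begins outside the hunk; if its opening lines still describe the setters as macros they presumably need the same update the documentation received.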


@ -1609,10 +1609,6 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
s->msg_callback_arg = parg;
return 1;
case SSL_CTRL_OPTIONS:
return (s->options |= larg);
case SSL_CTRL_CLEAR_OPTIONS:
return (s->options &= ~larg);
case SSL_CTRL_MODE:
return (s->mode |= larg);
case SSL_CTRL_CLEAR_MODE:
@ -1759,10 +1755,6 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return (ctx->stats.sess_timeout);
case SSL_CTRL_SESS_CACHE_FULL:
return (ctx->stats.sess_cache_full);
case SSL_CTRL_OPTIONS:
return (ctx->options |= larg);
case SSL_CTRL_CLEAR_OPTIONS:
return (ctx->options &= ~larg);
case SSL_CTRL_MODE:
return (ctx->mode |= larg);
case SSL_CTRL_CLEAR_MODE:
@ -3763,4 +3755,35 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
return ctx->cert->sec_ex;
}
/*
* Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that
* can return unsigned long, instead of the generic long return value from the
* control interface.
*/
unsigned long SSL_CTX_get_options(const SSL_CTX *ctx)
{
return ctx->options;
}
unsigned long SSL_get_options(const SSL* s)
{
return s->options;
}
unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op)
{
return ctx->options |= op;
}
unsigned long SSL_set_options(SSL *s, unsigned long op)
{
return s->options |= op;
}
unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
{
return ctx->options &= ~op;
}
unsigned long SSL_clear_options(SSL *s, unsigned long op)
{
return s->options &= ~op;
}
IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
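Review bot: With the `case SSL_CTRL_OPTIONS:` and `case SSL_CTRL_CLEAR_OPTIONS:` arms removed from both SSL_ctrl() and SSL_CTX_ctrl(), a caller still passing those command numbers now lands on whatever the switch's fallback branch does (outside this hunk), which presumably returns a failure value rather than applying the mask, so a binary built against the previous header has its option changes silently dropped instead of failing loudly. Either keep the two arms as a compatibility shim, e.g. `case SSL_CTRL_OPTIONS: return (long)SSL_set_options(s, (unsigned long)larg);`, or state the break explicitly in the HISTORY section of SSL_CTX_set_options.pod. The new block comment explains the type change but not the return contract of the six functions; adding `/* set/clear return the resulting option mask, get returns the current one. */` would document what the bodies `return ctx->options |= op;` and `return ctx->options &= ~op;` actually yield. The functions also assume the `options` fields of SSL and SSL_CTX are `unsigned long`; that declaration is not in the hunk, so it is worth confirming no signed field is being implicitly converted here.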


@ -427,3 +427,9 @@ SSL_get0_dane_tlsa 461 1_1_0 EXIST::FUNCTION:
SSL_set_hostflags 462 1_1_0 EXIST::FUNCTION:
SSL_dane_enable 463 1_1_0 EXIST::FUNCTION:
SSL_get0_dane 464 1_1_0 EXIST::FUNCTION:
SSL_CTX_set_options 465 1_1_0 EXIST::FUNCTION:
SSL_CTX_clear_options 466 1_1_0 EXIST::FUNCTION:
SSL_CTX_get_options 467 1_1_0 EXIST::FUNCTION:
SSL_clear_options 468 1_1_0 EXIST::FUNCTION:
SSL_set_options 469 1_1_0 EXIST::FUNCTION:
SSL_get_options 470 1_1_0 EXIST::FUNCTION: