Make SSL{_CTX,}_{get,set,clear}_options functions
These now take and return unsigned long, and the get functions are constified. Updated the related documentation and util/ssleay.num. Reviewed-by: Matt Caswell <matt@openssl.org>
parent
ccf73257f6
commit
8106cb8b6d
@ -318,8 +318,9 @@ sure to also leave TLS 1.1 enabled.
|
|||||||
=item B<Options>
|
=item B<Options>
|
||||||
|
|
||||||
The B<value> argument is a comma separated list of various flags to set.
|
The B<value> argument is a comma separated list of various flags to set.
|
||||||
If a flag string is preceded B<-> it is disabled. See the
|
If a flag string is preceded B<-> it is disabled.
|
||||||
B<SSL_CTX_set_options> function for more details of individual options.
|
See the L<SSL_CTX_set_options(3)> function for more details of
|
||||||
|
individual options.
|
||||||
|
|
||||||
Each option is listed below. Where an operation is enabled by default
|
Each option is listed below. Where an operation is enabled by default
|
||||||
the B<-flag> syntax is needed to disable it.
|
the B<-flag> syntax is needed to disable it.
|
||||||
@ -527,7 +528,8 @@ L<SSL_CONF_CTX_new(3)>,
|
|||||||
L<SSL_CONF_CTX_set_flags(3)>,
|
L<SSL_CONF_CTX_set_flags(3)>,
|
||||||
L<SSL_CONF_CTX_set1_prefix(3)>,
|
L<SSL_CONF_CTX_set1_prefix(3)>,
|
||||||
L<SSL_CONF_CTX_set_ssl_ctx(3)>,
|
L<SSL_CONF_CTX_set_ssl_ctx(3)>,
|
||||||
L<SSL_CONF_cmd_argv(3)>
|
L<SSL_CONF_cmd_argv(3)>,
|
||||||
|
L<SSL_CTX_set_options(3)>
|
||||||
|
|
||||||
=head1 HISTORY
|
=head1 HISTORY
|
||||||
|
|
||||||
|
@ -139,9 +139,9 @@ If you want to limit the supported protocols for the version flexible
|
|||||||
methods you can use SSL_CTX_set_min_proto_version(),
|
methods you can use SSL_CTX_set_min_proto_version(),
|
||||||
SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and
|
SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and
|
||||||
SSL_set_max_proto_version() functions.
|
SSL_set_max_proto_version() functions.
|
||||||
They can also be limited using by using an option like SSL_OP_NO_SSLv3
|
They can also be limited by setting an option like B<SSL_OP_NO_SSLv3>
|
||||||
of the SSL_CTX_set_options() or SSL_set_options() functions, but
|
via the L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions,
|
||||||
that's not recommended.
|
but that's not recommended.
|
||||||
Using these functions it is possible to choose e.g. TLS_server_method()
|
Using these functions it is possible to choose e.g. TLS_server_method()
|
||||||
and be able to negotiate with all possible clients, but to only
|
and be able to negotiate with all possible clients, but to only
|
||||||
allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2.
|
allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2.
|
||||||
|
@ -19,8 +19,9 @@ and maximum supported protocol version
|
|||||||
|
|
||||||
The functions set the minimum and maximum supported portocol versions
|
The functions set the minimum and maximum supported portocol versions
|
||||||
for the B<ctx> or B<ssl>.
|
for the B<ctx> or B<ssl>.
|
||||||
This works in combination with the options set via SSL_CTX_set_options()
|
This works in combination with the options set via
|
||||||
that also make it possible to disable specific protocol versions.
|
L<SSL_CTX_set_options(3)> that also make it possible to disable
|
||||||
|
specific protocol versions.
|
||||||
Use these functions instead of disabling specific protocol versions.
|
Use these functions instead of disabling specific protocol versions.
|
||||||
|
|
||||||
Setting the minimum or maximum version to 0, will enable protocol
|
Setting the minimum or maximum version to 0, will enable protocol
|
||||||
|
@ -23,8 +23,6 @@ SSL_get_secure_renegotiation_support - manipulate SSL options
|
|||||||
|
|
||||||
=head1 DESCRIPTION
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
Note: all these functions are implemented using macros.
|
|
||||||
|
|
||||||
SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
|
SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
|
||||||
Options already set before are not cleared!
|
Options already set before are not cleared!
|
||||||
|
|
||||||
@ -42,6 +40,7 @@ SSL_get_options() returns the options set for B<ssl>.
|
|||||||
|
|
||||||
SSL_get_secure_renegotiation_support() indicates whether the peer supports
|
SSL_get_secure_renegotiation_support() indicates whether the peer supports
|
||||||
secure renegotiation.
|
secure renegotiation.
|
||||||
|
Note, this is implemented via a macro.
|
||||||
|
|
||||||
=head1 NOTES
|
=head1 NOTES
|
||||||
|
|
||||||
|
@ -315,7 +315,11 @@ Use the file path to locate trusted CA certficates.
|
|||||||
|
|
||||||
=item void B<SSL_CTX_set_msg_callback_arg>(SSL_CTX *ctx, void *arg);
|
=item void B<SSL_CTX_set_msg_callback_arg>(SSL_CTX *ctx, void *arg);
|
||||||
|
|
||||||
=item void B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
|
=item unsigned long B<SSL_CTX_clear_options>(SSL_CTX *ctx, unsigned long op);
|
||||||
|
|
||||||
|
=item unsigned long B<SSL_CTX_get_options>(SSL_CTX *ctx);
|
||||||
|
|
||||||
|
=item unsigned long B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
|
||||||
|
|
||||||
=item void B<SSL_CTX_set_quiet_shutdown>(SSL_CTX *ctx, int mode);
|
=item void B<SSL_CTX_set_quiet_shutdown>(SSL_CTX *ctx, int mode);
|
||||||
|
|
||||||
@ -596,7 +600,11 @@ fresh handle for each connection.
|
|||||||
|
|
||||||
=item void B<SSL_set_msg_callback_arg>(SSL *ctx, void *arg);
|
=item void B<SSL_set_msg_callback_arg>(SSL *ctx, void *arg);
|
||||||
|
|
||||||
=item void B<SSL_set_options>(SSL *ssl, unsigned long op);
|
=item unsigned long B<SSL_clear_options>(SSL *ssl, unsigned long op);
|
||||||
|
|
||||||
|
=item unsigned long B<SSL_get_options>(SSL *ssl);
|
||||||
|
|
||||||
|
=item unsigned long B<SSL_set_options>(SSL *ssl, unsigned long op);
|
||||||
|
|
||||||
=item void B<SSL_set_quiet_shutdown>(SSL *ssl, int mode);
|
=item void B<SSL_set_quiet_shutdown>(SSL *ssl, int mode);
|
||||||
|
|
||||||
|
@ -569,18 +569,12 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
|
|||||||
* cannot be used to clear bits.
|
* cannot be used to clear bits.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
# define SSL_CTX_set_options(ctx,op) \
|
unsigned long SSL_CTX_get_options(const SSL_CTX *ctx);
|
||||||
SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
|
unsigned long SSL_get_options(const SSL* s);
|
||||||
# define SSL_CTX_clear_options(ctx,op) \
|
unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
|
||||||
SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
|
unsigned long SSL_clear_options(SSL *s, unsigned long op);
|
||||||
# define SSL_CTX_get_options(ctx) \
|
unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
|
||||||
SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
|
unsigned long SSL_set_options(SSL *s, unsigned long op);
|
||||||
# define SSL_set_options(ssl,op) \
|
|
||||||
SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
|
|
||||||
# define SSL_clear_options(ssl,op) \
|
|
||||||
SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
|
|
||||||
# define SSL_get_options(ssl) \
|
|
||||||
SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
|
|
||||||
|
|
||||||
# define SSL_CTX_set_mode(ctx,op) \
|
# define SSL_CTX_set_mode(ctx,op) \
|
||||||
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
|
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
|
||||||
@ -1140,7 +1134,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
|||||||
# define SSL_CTRL_SESS_MISSES 29
|
# define SSL_CTRL_SESS_MISSES 29
|
||||||
# define SSL_CTRL_SESS_TIMEOUTS 30
|
# define SSL_CTRL_SESS_TIMEOUTS 30
|
||||||
# define SSL_CTRL_SESS_CACHE_FULL 31
|
# define SSL_CTRL_SESS_CACHE_FULL 31
|
||||||
# define SSL_CTRL_OPTIONS 32
|
|
||||||
# define SSL_CTRL_MODE 33
|
# define SSL_CTRL_MODE 33
|
||||||
# define SSL_CTRL_GET_READ_AHEAD 40
|
# define SSL_CTRL_GET_READ_AHEAD 40
|
||||||
# define SSL_CTRL_SET_READ_AHEAD 41
|
# define SSL_CTRL_SET_READ_AHEAD 41
|
||||||
@ -1188,7 +1181,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
|||||||
# define DTLS_CTRL_HANDLE_TIMEOUT 74
|
# define DTLS_CTRL_HANDLE_TIMEOUT 74
|
||||||
# define DTLS_CTRL_LISTEN 75
|
# define DTLS_CTRL_LISTEN 75
|
||||||
# define SSL_CTRL_GET_RI_SUPPORT 76
|
# define SSL_CTRL_GET_RI_SUPPORT 76
|
||||||
# define SSL_CTRL_CLEAR_OPTIONS 77
|
|
||||||
# define SSL_CTRL_CLEAR_MODE 78
|
# define SSL_CTRL_CLEAR_MODE 78
|
||||||
# define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB 79
|
# define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB 79
|
||||||
# define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
|
# define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
|
||||||
|
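Review bot: Deleting `# define SSL_CTRL_OPTIONS 32` and `# define SSL_CTRL_CLEAR_OPTIONS 77` from the public header (the two hunks after the prototypes hunk) removes identifiers that third-party code may pass to SSL_ctrl()/SSL_CTX_ctrl() directly, and the matching `case` removals in the ssl_lib.c hunks mean such a call now reaches whatever the switch's default branch does, which lies outside those hunks. Even if the break is intended for this release, the numeric values should stay reserved so a later control added as 32 or 77 cannot silently change the meaning of an old call; a comment in the SSL_CTRL list such as `/* 32 and 77 were SSL_CTRL_OPTIONS and SSL_CTRL_CLEAR_OPTIONS; do not reuse */` would record that. The new prototypes constify the getters (`const SSL_CTX *ctx`, `const SSL* s`), but the `=item` entries for SSL_CTX_get_options and SSL_get_options in the documentation hunk further up still show the non-const parameter, so the manual page and header now disagree. The comment block that ends just above the prototypes (`* cannot be used to clear bits.`) starts outside the hunk and presumably still describes the old macro behaviour; it should be checked against the new functions.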
@ -1609,10 +1609,6 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
|
|||||||
s->msg_callback_arg = parg;
|
s->msg_callback_arg = parg;
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
case SSL_CTRL_OPTIONS:
|
|
||||||
return (s->options |= larg);
|
|
||||||
case SSL_CTRL_CLEAR_OPTIONS:
|
|
||||||
return (s->options &= ~larg);
|
|
||||||
case SSL_CTRL_MODE:
|
case SSL_CTRL_MODE:
|
||||||
return (s->mode |= larg);
|
return (s->mode |= larg);
|
||||||
case SSL_CTRL_CLEAR_MODE:
|
case SSL_CTRL_CLEAR_MODE:
|
||||||
@ -1759,10 +1755,6 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
|||||||
return (ctx->stats.sess_timeout);
|
return (ctx->stats.sess_timeout);
|
||||||
case SSL_CTRL_SESS_CACHE_FULL:
|
case SSL_CTRL_SESS_CACHE_FULL:
|
||||||
return (ctx->stats.sess_cache_full);
|
return (ctx->stats.sess_cache_full);
|
||||||
case SSL_CTRL_OPTIONS:
|
|
||||||
return (ctx->options |= larg);
|
|
||||||
case SSL_CTRL_CLEAR_OPTIONS:
|
|
||||||
return (ctx->options &= ~larg);
|
|
||||||
case SSL_CTRL_MODE:
|
case SSL_CTRL_MODE:
|
||||||
return (ctx->mode |= larg);
|
return (ctx->mode |= larg);
|
||||||
case SSL_CTRL_CLEAR_MODE:
|
case SSL_CTRL_CLEAR_MODE:
|
||||||
@ -3763,4 +3755,35 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
|
|||||||
return ctx->cert->sec_ex;
|
return ctx->cert->sec_ex;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that
|
||||||
|
* can return unsigned long, instead of the generic long return value from the
|
||||||
|
* control interface.
|
||||||
|
*/
|
||||||
|
unsigned long SSL_CTX_get_options(const SSL_CTX *ctx)
|
||||||
|
{
|
||||||
|
return ctx->options;
|
||||||
|
}
|
||||||
|
unsigned long SSL_get_options(const SSL* s)
|
||||||
|
{
|
||||||
|
return s->options;
|
||||||
|
}
|
||||||
|
unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op)
|
||||||
|
{
|
||||||
|
return ctx->options |= op;
|
||||||
|
}
|
||||||
|
unsigned long SSL_set_options(SSL *s, unsigned long op)
|
||||||
|
{
|
||||||
|
return s->options |= op;
|
||||||
|
}
|
||||||
|
unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
|
||||||
|
{
|
||||||
|
return ctx->options &= ~op;
|
||||||
|
}
|
||||||
|
unsigned long SSL_clear_options(SSL *s, unsigned long op)
|
||||||
|
{
|
||||||
|
return s->options &= ~op;
|
||||||
|
}
|
||||||
|
|
||||||
IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
|
IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
|
||||||
|
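Review bot: `unsigned long SSL_get_options(const SSL* s)` attaches the `*` to the type, unlike every other signature in this hunk (`const SSL_CTX *ctx`, `SSL *s`, `SSL_CTX *ctx`); it should read `unsigned long SSL_get_options(const SSL *s)` here and in the matching prototype in the ssl.h hunk. The block comment above the new functions explains change history ("formerly macros, now functions") rather than the contract, which is the kind of note that belongs in the commit message; a comment stating what callers can rely on would be more useful, e.g. `/* options is a bitmask of SSL_OP_* flags; the set/clear functions return the resulting mask. */`. Whether `options` in the two structs is itself declared `unsigned long` cannot be seen from this hunk; if it is narrower or signed, the `|=`/`&= ~op` results would be converted on return, so that field type should be confirmed as part of this change.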
@ -427,3 +427,9 @@ SSL_get0_dane_tlsa 461 1_1_0 EXIST::FUNCTION:
|
|||||||
SSL_set_hostflags 462 1_1_0 EXIST::FUNCTION:
|
SSL_set_hostflags 462 1_1_0 EXIST::FUNCTION:
|
||||||
SSL_dane_enable 463 1_1_0 EXIST::FUNCTION:
|
SSL_dane_enable 463 1_1_0 EXIST::FUNCTION:
|
||||||
SSL_get0_dane 464 1_1_0 EXIST::FUNCTION:
|
SSL_get0_dane 464 1_1_0 EXIST::FUNCTION:
|
||||||
|
SSL_CTX_set_options 465 1_1_0 EXIST::FUNCTION:
|
||||||
|
SSL_CTX_clear_options 466 1_1_0 EXIST::FUNCTION:
|
||||||
|
SSL_CTX_get_options 467 1_1_0 EXIST::FUNCTION:
|
||||||
|
SSL_clear_options 468 1_1_0 EXIST::FUNCTION:
|
||||||
|
SSL_set_options 469 1_1_0 EXIST::FUNCTION:
|
||||||
|
SSL_get_options 470 1_1_0 EXIST::FUNCTION:
|
||||||
|