Does: - Fixes a typo in s_client.pod (2x "in the").
- Changes .pod to reflect reality: it is SSL_CONF_CTX_finish(), not SSL_CONF_finish(). - While here it seems best to change the remaining SSL_CONF_cmd(), SSL_CONF_cmd_argv() and SSL_CONF_cmd_value_type() to have a SSL_CONF_CTX_ prefix, too. PODs renamed accordingly. - Adjusts all places where git grep -i matches against the former. It compiles etc. It's ugly to have SSL_CONF_CTX_ as a prefix, but isn't it better to have a unique interface instead of special-treating the _cmd* stuff? Would be really nice like that. - --steffen
diff --git a/apps/s_cb.c b/apps/s_cb.c index f3892f9..7b111fd 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1553,7 +1553,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, int rv; /* Attempt to run SSL configuration command */ - rv = SSL_CONF_cmd_argv(cctx, pargc, pargs); + rv = SSL_CONF_CTX_cmd_argv(cctx, pargc, pargs); /* If parameter not recognised just return */ if (rv == 0) return 0; @@ -1613,7 +1613,7 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, return 0; } #endif - if (SSL_CONF_cmd(cctx, param, value) <= 0) + if (SSL_CONF_CTX_cmd(cctx, param, value) <= 0) { BIO_printf(err, "Error with command: \"%s %s\"\n", param, value ? value : ""); @@ -1627,7 +1627,7 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, */ if (!no_ecdhe) { - if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) + if (SSL_CONF_CTX_cmd(cctx, "-named_curve", "P-256") <= 0) { BIO_puts(err, "Error setting EC curve\n"); ERR_print_errors(err); @@ -1637,7 +1637,7 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, #ifndef OPENSSL_NO_JPAKE if (!no_jpake) { - if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) + if (SSL_CONF_CTX_cmd(cctx, "-cipher", "PSK") <= 0) { BIO_puts(err, "Error setting cipher to PSK\n"); ERR_print_errors(err); diff --git a/demos/bio/client-arg.c b/demos/bio/client-arg.c index cca7a1e..34035f5 100644 --- a/demos/bio/client-arg.c +++ b/demos/bio/client-arg.c @@ -25,7 +25,7 @@ int main(int argc, char **argv) { int rv; /* Parse standard arguments */ - rv = SSL_CONF_cmd_argv(cctx, &nargs, &args); + rv = SSL_CONF_CTX_cmd_argv(cctx, &nargs, &args); if (rv == -3) { fprintf(stderr, "Missing argument for %s\n", *args); diff --git a/demos/bio/client-conf.c b/demos/bio/client-conf.c index 191615a..aec3c7b 100644 --- a/demos/bio/client-conf.c +++ b/demos/bio/client-conf.c @@ -47,7 +47,7 @@ int main(int argc, char **argv) for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { cnf = sk_CONF_VALUE_value(sect, i); - rv = SSL_CONF_cmd(cctx, cnf->name, cnf->value); + rv = SSL_CONF_CTX_cmd(cctx, cnf->name, cnf->value); if (rv > 0) continue; if (rv != -2) diff --git a/demos/bio/server-arg.c b/demos/bio/server-arg.c index 0d432a4..6ba5cc4 100644 --- a/demos/bio/server-arg.c +++ b/demos/bio/server-arg.c @@ -41,7 +41,7 @@ int main(int argc, char *argv[]) { int rv; /* Parse standard arguments */ - rv = SSL_CONF_cmd_argv(cctx, &nargs, &args); + rv = SSL_CONF_CTX_cmd_argv(cctx, &nargs, &args); if (rv == -3) { fprintf(stderr, "Missing argument for %s\n", *args); diff --git a/demos/bio/server-conf.c b/demos/bio/server-conf.c index 0d940f0..f19b5b8 100644 --- a/demos/bio/server-conf.c +++ b/demos/bio/server-conf.c @@ -62,7 +62,7 @@ int main(int argc, char *argv[]) { int rv; cnf = sk_CONF_VALUE_value(sect, i); - rv = SSL_CONF_cmd(cctx, cnf->name, cnf->value); + rv = SSL_CONF_CTX_cmd(cctx, cnf->name, cnf->value); if (rv > 0) continue; if (rv != -2) diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 17308b4..ff61825 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -90,7 +90,7 @@ SSL servers. In addition to the options below the B<s_client> utility also supports the common and client only options documented in the -in the L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)/SUPPORTED COMMAND LINE COMMANDS> +L<SSL_CONF_CTX_cmd(3)|SSL_CONF_CTX_cmd(3)/SUPPORTED COMMAND LINE COMMANDS> manual page. =over 4 diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 1cc965f..616de1d 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -98,8 +98,8 @@ for connections on a given port using SSL/TLS. In addition to the options below the B<s_server> utility also supports the common and server only options documented in the -L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)/SUPPORTED COMMAND LINE COMMANDS> manual -page. +L<SSL_CONF_CTX_cmd(3)|SSL_CONF_CTX_cmd(3)/SUPPORTED COMMAND LINE COMMANDS> +manual page. =over 4 diff --git a/doc/ssl/SSL_CONF_CTX_cmd.pod b/doc/ssl/SSL_CONF_CTX_cmd.pod new file mode 100644 index 0000000..ccc3dd5 --- /dev/null +++ b/doc/ssl/SSL_CONF_CTX_cmd.pod @@ -0,0 +1,442 @@ +=pod + +=head1 NAME + +SSL_CONF_CTX_cmd - send configuration command + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CONF_CTX_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); + int SSL_CONF_CTX_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); + int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx); + +=head1 DESCRIPTION + +The function SSL_CONF_CTX_cmd() performs configuration operation B<cmd> with +optional parameter B<value> on B<ctx>. Its purpose is to simplify application +configuration of B<SSL_CTX> or B<SSL> structures by providing a common +framework for command line options or configuration files. + +SSL_CONF_CTX_cmd_value_type() returns the type of value that B<cmd> refers to. + +The function SSL_CONF_CTX_finish() must be called after all configuration +operations have been completed. It is used to finalise any operations +or to process defaults. + +=head1 SUPPORTED COMMAND LINE COMMANDS + +Currently supported B<cmd> names for command lines (i.e. when the +flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names +are case sensitive. Unless otherwise stated commands can be used by +both clients and servers and the B<value> parameter is not used. The default +prefix for command line commands is B<-> and that is reflected below. + +=over 4 + +=item B<-sigalgs> + +This sets the supported signature algorithms for TLS v1.2. For clients this +value is used directly for the supported signature algorithms extension. For +servers it is used to determine which signature algorithms to support. + +The B<value> argument should be a colon separated list of signature algorithms +in order of decreasing preference of the form B<algorithm+hash>. B<algorithm> +is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm +OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. +Note: algorithm and hash names are case sensitive. + +If this option is not set then all signature algorithms supported by the +OpenSSL library are permissible. + +=item B<-client_sigalgs> + +This sets the supported signature algorithms associated with client +authentication for TLS v1.2. For servers the value is used in the supported +signature algorithms field of a certificate request. For clients it is +used to determine which signature algorithm to with the client certificate. +If a server does not request a certificate this option has no effect. + +The syntax of B<value> is identical to B<-sigalgs>. If not set then +the value set for B<-sigalgs> will be used instead. + +=item B<-curves> + +This sets the supported elliptic curves. For clients the curves are +sent using the supported curves extension. For servers it is used +to determine which curve to use. This setting affects curves used for both +signatures and key exchange, if applicable. + +The B<value> argument is a colon separated list of curves. The curve can be +either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g +B<prime256v1>). Curve names are case sensitive. + +=item B<-named_curve> + +This sets the temporary curve used for ephemeral ECDH modes. Only used by +servers + +The B<value> argument is a curve name or the special value B<auto> which +picks an appropriate curve based on client and server preferences. The curve +can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name +(e.g B<prime256v1>). Curve names are case sensitive. + +=item B<-cipher> + +Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is +currently not performed unless a B<SSL> or B<SSL_CTX> structure is +associated with B<cctx>. + +=item B<-cert> + +Attempts to use the file B<value> as the certificate for the appropriate +context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> +structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL> +structure is set. This option is only supported if certificate operations +are permitted. + +=item B<-key> + +Attempts to use the file B<value> as the private key for the appropriate +context. This option is only supported if certificate operations +are permitted. Note: if no B<-key> option is set then a private key is +not loaded: it does not currently use the B<-cert> file. + +=item B<-dhparam> + +Attempts to use the file B<value> as the set of temporary DH parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. + +=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + +Disables protocol support for SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 +by setting the corresponding options B<SSL_OP_NO_SSL3>, +B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively. + +=item B<-bugs> + +Various bug workarounds are set, same as setting B<SSL_OP_ALL>. + +=item B<-no_comp> + +Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>. + +=item B<-no_ticket> + +Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>. + +=item B<-serverpref> + +Use server and not client preference order when determining which cipher suite, +signature algorithm or elliptic curve to use for an incoming connection. +Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. + +=item B<-no_resumption_on_reneg> + +set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. + +=item B<-legacyrenegotiation> + +permits the use of unsafe legacy renegotiation. Equivalent to setting +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. + +=item B<-legacy_server_connect>, B<-no_legacy_server_connect> + +permits or prohibits the use of unsafe legacy renegotiation for OpenSSL +clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. +Set by default. + +=item B<-strict> + +enables strict mode protocol handling. Equivalent to setting +B<SSL_CERT_FLAG_TLS_STRICT>. + +=item B<-debug_broken_protocol> + +disables various checks and permits several kinds of broken protocol behaviour +for testing purposes: it should B<NEVER> be used in anything other than a test +environment. Only supported if OpenSSL is configured with +B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. + +=back + +=head1 SUPPORTED CONFIGURATION FILE COMMANDS + +Currently supported B<cmd> names for configuration files (i.e. when the +flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file +B<cmd> names are case insensitive so B<signaturealgorithms> is recognised +as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names +are also case insensitive. + +Note: the command prefix (if set) alters the recognised B<cmd> values. + +=over 4 + +=item B<CipherString> + +Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is +currently not performed unless an B<SSL> or B<SSL_CTX> structure is +associated with B<cctx>. + +=item B<Certificate> + +Attempts to use the file B<value> as the certificate for the appropriate +context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> +structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL> +structure is set. This option is only supported if certificate operations +are permitted. + +=item B<PrivateKey> + +Attempts to use the file B<value> as the private key for the appropriate +context. This option is only supported if certificate operations +are permitted. Note: if no B<-key> option is set then a private key is +not loaded: it does not currently use the B<Certificate> file. + +=item B<ServerInfoFile> + +Attempts to use the file B<value> in the "serverinfo" extension using the +function SSL_CTX_use_serverinfo_file. + +=item B<DHParameters> + +Attempts to use the file B<value> as the set of temporary DH parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. + +=item B<SignatureAlgorithms> + +This sets the supported signature algorithms for TLS v1.2. For clients this +value is used directly for the supported signature algorithms extension. For +servers it is used to determine which signature algorithms to support. + +The B<value> argument should be a colon separated list of signature algorithms +in order of decreasing preference of the form B<algorithm+hash>. B<algorithm> +is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm +OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. +Note: algorithm and hash names are case sensitive. + +If this option is not set then all signature algorithms supported by the +OpenSSL library are permissible. + +=item B<ClientSignatureAlgorithms> + +This sets the supported signature algorithms associated with client +authentication for TLS v1.2. For servers the value is used in the supported +signature algorithms field of a certificate request. For clients it is +used to determine which signature algorithm to with the client certificate. + +The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then +the value set for B<SignatureAlgorithms> will be used instead. + +=item B<Curves> + +This sets the supported elliptic curves. For clients the curves are +sent using the supported curves extension. For servers it is used +to determine which curve to use. This setting affects curves used for both +signatures and key exchange, if applicable. + +The B<value> argument is a colon separated list of curves. The curve can be +either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g +B<prime256v1>). Curve names are case sensitive. + +=item B<ECDHParameters> + +This sets the temporary curve used for ephemeral ECDH modes. Only used by +servers + +The B<value> argument is a curve name or the special value B<Automatic> which +picks an appropriate curve based on client and server preferences. The curve +can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name +(e.g B<prime256v1>). Curve names are case sensitive. + +=item B<Protocol> + +The supported versions of the SSL or TLS protocol. + +The B<value> argument is a comma separated list of supported protocols to +enable or disable. If an protocol is preceded by B<-> that version is disabled. +All versions are enabled by default, though applications may choose to +explicitly disable some. Currently supported protocol values are +B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The special value B<ALL> refers +to all supported versions. + +=item B<Options> + +The B<value> argument is a comma separated list of various flags to set. +If a flag string is preceded B<-> it is disabled. See the +B<SSL_CTX_set_options> function for more details of individual options. + +Each option is listed below. Where an operation is enabled by default +the B<-flag> syntax is needed to disable it. + +B<SessionTicket>: session ticket support, enabled by default. Inverse of +B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting +B<SSL_OP_NO_TICKET>. + +B<Compression>: SSL/TLS compression support, enabled by default. Inverse +of B<SSL_OP_NO_COMPRESSION>. + +B<EmptyFragments>: use empty fragments as a countermeasure against a +SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It +is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>. + +B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>. + +B<DHSingle>: enable single use DH keys, set by default. Inverse of +B<SSL_OP_DH_SINGLE>. Only used by servers. + +B<ECDHSingle> enable single use ECDH keys, set by default. Inverse of +B<SSL_OP_ECDH_SINGLE>. Only used by servers. + +B<ServerPreference> use server and not client preference order when +determining which cipher suite, signature algorithm or elliptic curve +to use for an incoming connection. Equivalent to +B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. + +B<NoResumptionOnRenegotiation> set +B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers. + +B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation. +Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. + +B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation +for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>. +Set by default. + +=back + +=head1 SUPPORTED COMMAND TYPES + +The function SSL_CONF_CTX_cmd_value_type() currently returns one of the +following types: + +=over 4 + +=item B<SSL_CONF_TYPE_UNKNOWN> + +The B<cmd> string is unrecognised, this return value can be use to flag +syntax errors. + +=item B<SSL_CONF_TYPE_STRING> + +The value is a string without any specific structure. + +=item B<SSL_CONF_TYPE_FILE> + +The value is a file name. + +=item B<SSL_CONF_TYPE_DIR> + +The value is a directory name. + +=back + +=head1 NOTES + +The order of operations is significant. This can be used to set either defaults +or values which cannot be overridden. For example if an application calls: + + SSL_CONF_CTX_cmd(ctx, "Protocol", "-SSLv2"); + SSL_CONF_CTX_cmd(ctx, userparam, uservalue); + +it will disable SSLv2 support by default but the user can override it. If +however the call sequence is: + + SSL_CONF_CTX_cmd(ctx, userparam, uservalue); + SSL_CONF_CTX_cmd(ctx, "Protocol", "-SSLv2"); + +SSLv2 is B<always> disabled and attempt to override this by the user are +ignored. + +By checking the return code of SSL_CTX_cmd() it is possible to query if a +given B<cmd> is recognised, this is useful is SSL_CTX_cmd() values are +mixed with additional application specific operations. + +For example an application might call SSL_CTX_cmd() and if it returns +-2 (unrecognised command) continue with processing of application specific +commands. + +Applications can also use SSL_CTX_cmd() to process command lines though the +utility function SSL_CTX_cmd_argv() is normally used instead. One way +to do this is to set the prefix to an appropriate value using +SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the +following argument to B<value> (which may be NULL). + +In this case if the return value is positive then it is used to skip that +number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is +returned then B<cmd> is not recognised and application specific arguments +can be checked instead. If -3 is returned a required argument is missing +and an error is indicated. If 0 is returned some other error occurred and +this can be reported back to the user. + +The function SSL_CONF_CTX_cmd_value_type() can be used by applications to +check for the existence of a command or to perform additional syntax +checking or translation of the command value. For example if the return +value is B<SSL_CONF_TYPE_FILE> an application could translate a relative +pathname to an absolute pathname. + +=head1 EXAMPLES + +Set supported signature algorithms: + + SSL_CONF_CTX_cmd(ctx, "SignatureAlgorithms", + "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); + +Enable all protocols except SSLv3 and SSLv2: + + SSL_CONF_CTX_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2"); + +Only enable TLSv1.2: + + SSL_CONF_CTX_cmd(ctx, "Protocol", "-ALL,TLSv1.2"); + +Disable TLS session tickets: + + SSL_CONF_CTX_cmd(ctx, "Options", "-SessionTicket"); + +Set supported curves to P-256, P-384: + + SSL_CONF_CTX_cmd(ctx, "Curves", "P-256:P-384"); + +Set automatic support for any elliptic curve for key exchange: + + SSL_CONF_CTX_cmd(ctx, "ECDHParameters", "Automatic"); + +=head1 RETURN VALUES + +SSL_CONF_CTX_cmd() returns 1 if the value of B<cmd> is recognised and B<value> +is B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it +returns the number of arguments processed. This is useful when processing +command lines. + +A return value of -2 means B<cmd> is not recognised. + +A return value of -3 means B<cmd> is recognised and the command requires a +value but B<value> is NULL. + +A return code of 0 indicates that both B<cmd> and B<value> are valid but an +error occurred attempting to perform the operation: for example due to an +error in the syntax of B<value> in this case the error queue may provide +additional information. + +SSL_CONF_CTX_finish() returns 1 for success and 0 for failure. + +=head1 SEE ALSO + +L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>, +L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>, +L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>, +L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>, +L<SSL_CONF_CTX_cmd_argv(3)|SSL_CONF_CTX_cmd_argv(3)> + +=head1 HISTORY + +SSL_CONF_CTX_cmd() was first added to OpenSSL 1.0.2 + +B<SSL_OP_NO_SSL2> doesn't have effect anymore since 1.1.0 but the define is kept +for backward compatibility. + +=cut diff --git a/doc/ssl/SSL_CONF_CTX_cmd_argv.pod b/doc/ssl/SSL_CONF_CTX_cmd_argv.pod new file mode 100644 index 0000000..b7eb831 --- /dev/null +++ b/doc/ssl/SSL_CONF_CTX_cmd_argv.pod @@ -0,0 +1,42 @@ +=pod + +=head1 NAME + +SSL_CONF_CTX_cmd_argv - SSL configuration command line processing. + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CONF_CTX_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv); + +=head1 DESCRIPTION + +The function SSL_CONF_CTX_cmd_argv() processes at most two command line +arguments from B<pargv> and B<pargc>. The values of B<pargv> and B<pargc> +are updated to reflect the number of command options processed. The B<pargc> +argument can be set to B<NULL> is it is not used. + +=head1 RETURN VALUES + +SSL_CONF_CTX_cmd_argv() returns the number of command arguments processed: 0, 1, +2 or a negative error code. + +If -2 is returned then an argument for a command is missing. + +If -1 is returned the command is recognised but couldn't be processed due +to an error: for example a syntax error in the argument. + +=head1 SEE ALSO + +L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>, +L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>, +L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>, +L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>, +L<SSL_CONF_CTX_cmd(3)|SSL_CONF_CTX_cmd(3)> + +=head1 HISTORY + +These functions were first added to OpenSSL 1.0.2 + +=cut diff --git a/doc/ssl/SSL_CONF_CTX_new.pod b/doc/ssl/SSL_CONF_CTX_new.pod index a9ccb04..d625901 100644 --- a/doc/ssl/SSL_CONF_CTX_new.pod +++ b/doc/ssl/SSL_CONF_CTX_new.pod @@ -30,8 +30,8 @@ SSL_CONF_CTX_free() does not return a value. L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>, L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>, L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>, -L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>, -L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)> +L<SSL_CONF_CTX_cmd(3)|SSL_CONF_CTX_cmd(3)>, +L<SSL_CONF_CTX_cmd_argv(3)|SSL_CONF_CTX_cmd_argv(3)> =head1 HISTORY diff --git a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod index 7699018..cdd952e 100644 --- a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod +++ b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod @@ -39,8 +39,8 @@ SSL_CONF_CTX_set1_prefix() returns 1 for success and 0 for failure. L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>, L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>, L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>, -L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>, -L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)> +L<SSL_CONF_CTX_cmd(3)|SSL_CONF_CTX_cmd(3)>, +L<SSL_CONF_CTX_cmd_argv(3)|SSL_CONF_CTX_cmd_argv(3)> =head1 HISTORY diff --git a/doc/ssl/SSL_CONF_CTX_set_flags.pod b/doc/ssl/SSL_CONF_CTX_set_flags.pod index ab87efc..f4c467d 100644 --- a/doc/ssl/SSL_CONF_CTX_set_flags.pod +++ b/doc/ssl/SSL_CONF_CTX_set_flags.pod @@ -19,7 +19,7 @@ The function SSL_CONF_CTX_clear_flags() clears B<flags> in the context B<cctx>. =head1 NOTES -The flags set affect how subsequent calls to SSL_CONF_cmd() or +The flags set affect how subsequent calls to SSL_CONF_CTX_cmd() or SSL_CONF_argv() behave. Currently the following B<flags> values are recognised: @@ -58,8 +58,8 @@ value after setting or clearing flags. L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>, L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>, L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>, -L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>, -L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)> +L<SSL_CONF_CTX_cmd(3)|SSL_CONF_CTX_cmd(3)>, +L<SSL_CONF_CTX_cmd_argv(3)|SSL_CONF_CTX_cmd_argv(3)> =head1 HISTORY diff --git a/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod index 2049a53..6550ab8 100644 --- a/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod +++ b/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod @@ -15,12 +15,12 @@ SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure SSL_CONF_CTX_set_ssl_ctx() sets the context associated with B<cctx> to the B<SSL_CTX> structure B<ctx>. Any previous B<SSL> or B<SSL_CTX> associated with -B<cctx> is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to +B<cctx> is cleared. Subsequent calls to SSL_CONF_CTX_cmd() will be sent to B<ctx>. SSL_CONF_CTX_set_ssl() sets the context associated with B<cctx> to the B<SSL> structure B<ssl>. Any previous B<SSL> or B<SSL_CTX> associated with -B<cctx> is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to +B<cctx> is cleared. Subsequent calls to SSL_CONF_CTX_cmd() will be sent to B<ssl>. =head1 NOTES @@ -37,8 +37,8 @@ SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value. L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>, L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>, L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>, -L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>, -L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)> +L<SSL_CONF_CTX_cmd(3)|SSL_CONF_CTX_cmd(3)>, +L<SSL_CONF_CTX_cmd_argv(3)|SSL_CONF_CTX_cmd_argv(3)> =head1 HISTORY diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod deleted file mode 100644 index 90a20d6..0000000 --- a/doc/ssl/SSL_CONF_cmd.pod +++ /dev/null @@ -1,441 +0,0 @@ -=pod - -=head1 NAME - -SSL_CONF_cmd - send configuration command - -=head1 SYNOPSIS - - #include <openssl/ssl.h> - - int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); - int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); - int SSL_CONF_finish(SSL_CONF_CTX *cctx); - -=head1 DESCRIPTION - -The function SSL_CONF_cmd() performs configuration operation B<cmd> with -optional parameter B<value> on B<ctx>. Its purpose is to simplify application -configuration of B<SSL_CTX> or B<SSL> structures by providing a common -framework for command line options or configuration files. - -SSL_CONF_cmd_value_type() returns the type of value that B<cmd> refers to. - -The function SSL_CONF_finish() must be called after all configuration -operations have been completed. It is used to finalise any operations -or to process defaults. - -=head1 SUPPORTED COMMAND LINE COMMANDS - -Currently supported B<cmd> names for command lines (i.e. when the -flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names -are case sensitive. Unless otherwise stated commands can be used by -both clients and servers and the B<value> parameter is not used. The default -prefix for command line commands is B<-> and that is reflected below. - -=over 4 - -=item B<-sigalgs> - -This sets the supported signature algorithms for TLS v1.2. For clients this -value is used directly for the supported signature algorithms extension. For -servers it is used to determine which signature algorithms to support. - -The B<value> argument should be a colon separated list of signature algorithms -in order of decreasing preference of the form B<algorithm+hash>. B<algorithm> -is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm -OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. -Note: algorithm and hash names are case sensitive. - -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. - -=item B<-client_sigalgs> - -This sets the supported signature algorithms associated with client -authentication for TLS v1.2. For servers the value is used in the supported -signature algorithms field of a certificate request. For clients it is -used to determine which signature algorithm to with the client certificate. -If a server does not request a certificate this option has no effect. - -The syntax of B<value> is identical to B<-sigalgs>. If not set then -the value set for B<-sigalgs> will be used instead. - -=item B<-curves> - -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. - -The B<value> argument is a colon separated list of curves. The curve can be -either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g -B<prime256v1>). Curve names are case sensitive. - -=item B<-named_curve> - -This sets the temporary curve used for ephemeral ECDH modes. Only used by -servers - -The B<value> argument is a curve name or the special value B<auto> which -picks an appropriate curve based on client and server preferences. The curve -can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name -(e.g B<prime256v1>). Curve names are case sensitive. - -=item B<-cipher> - -Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is -currently not performed unless a B<SSL> or B<SSL_CTX> structure is -associated with B<cctx>. - -=item B<-cert> - -Attempts to use the file B<value> as the certificate for the appropriate -context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> -structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL> -structure is set. This option is only supported if certificate operations -are permitted. - -=item B<-key> - -Attempts to use the file B<value> as the private key for the appropriate -context. This option is only supported if certificate operations -are permitted. Note: if no B<-key> option is set then a private key is -not loaded: it does not currently use the B<-cert> file. - -=item B<-dhparam> - -Attempts to use the file B<value> as the set of temporary DH parameters for -the appropriate context. This option is only supported if certificate -operations are permitted. - -=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - -Disables protocol support for SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 -by setting the corresponding options B<SSL_OP_NO_SSL3>, -B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively. - -=item B<-bugs> - -Various bug workarounds are set, same as setting B<SSL_OP_ALL>. - -=item B<-no_comp> - -Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>. - -=item B<-no_ticket> - -Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>. - -=item B<-serverpref> - -Use server and not client preference order when determining which cipher suite, -signature algorithm or elliptic curve to use for an incoming connection. -Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. - -=item B<-no_resumption_on_reneg> - -set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. - -=item B<-legacyrenegotiation> - -permits the use of unsafe legacy renegotiation. Equivalent to setting -B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. - -=item B<-legacy_server_connect>, B<-no_legacy_server_connect> - -permits or prohibits the use of unsafe legacy renegotiation for OpenSSL -clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. -Set by default. - -=item B<-strict> - -enables strict mode protocol handling. Equivalent to setting -B<SSL_CERT_FLAG_TLS_STRICT>. - -=item B<-debug_broken_protocol> - -disables various checks and permits several kinds of broken protocol behaviour -for testing purposes: it should B<NEVER> be used in anything other than a test -environment. Only supported if OpenSSL is configured with -B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. - -=back - -=head1 SUPPORTED CONFIGURATION FILE COMMANDS - -Currently supported B<cmd> names for configuration files (i.e. when the -flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file -B<cmd> names are case insensitive so B<signaturealgorithms> is recognised -as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names -are also case insensitive. - -Note: the command prefix (if set) alters the recognised B<cmd> values. - -=over 4 - -=item B<CipherString> - -Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is -currently not performed unless an B<SSL> or B<SSL_CTX> structure is -associated with B<cctx>. - -=item B<Certificate> - -Attempts to use the file B<value> as the certificate for the appropriate -context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> -structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL> -structure is set. This option is only supported if certificate operations -are permitted. - -=item B<PrivateKey> - -Attempts to use the file B<value> as the private key for the appropriate -context. This option is only supported if certificate operations -are permitted. Note: if no B<-key> option is set then a private key is -not loaded: it does not currently use the B<Certificate> file. - -=item B<ServerInfoFile> - -Attempts to use the file B<value> in the "serverinfo" extension using the -function SSL_CTX_use_serverinfo_file. - -=item B<DHParameters> - -Attempts to use the file B<value> as the set of temporary DH parameters for -the appropriate context. This option is only supported if certificate -operations are permitted. - -=item B<SignatureAlgorithms> - -This sets the supported signature algorithms for TLS v1.2. For clients this -value is used directly for the supported signature algorithms extension. For -servers it is used to determine which signature algorithms to support. - -The B<value> argument should be a colon separated list of signature algorithms -in order of decreasing preference of the form B<algorithm+hash>. B<algorithm> -is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm -OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. -Note: algorithm and hash names are case sensitive. - -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. - -=item B<ClientSignatureAlgorithms> - -This sets the supported signature algorithms associated with client -authentication for TLS v1.2. For servers the value is used in the supported -signature algorithms field of a certificate request. For clients it is -used to determine which signature algorithm to with the client certificate. - -The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then -the value set for B<SignatureAlgorithms> will be used instead. - -=item B<Curves> - -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. - -The B<value> argument is a colon separated list of curves. The curve can be -either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g -B<prime256v1>). Curve names are case sensitive. - -=item B<ECDHParameters> - -This sets the temporary curve used for ephemeral ECDH modes. Only used by -servers - -The B<value> argument is a curve name or the special value B<Automatic> which -picks an appropriate curve based on client and server preferences. The curve -can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name -(e.g B<prime256v1>). Curve names are case sensitive. - -=item B<Protocol> - -The supported versions of the SSL or TLS protocol. - -The B<value> argument is a comma separated list of supported protocols to -enable or disable. If an protocol is preceded by B<-> that version is disabled. -All versions are enabled by default, though applications may choose to -explicitly disable some. Currently supported protocol values are -B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The special value B<ALL> refers -to all supported versions. - -=item B<Options> - -The B<value> argument is a comma separated list of various flags to set. -If a flag string is preceded B<-> it is disabled. See the -B<SSL_CTX_set_options> function for more details of individual options. - -Each option is listed below. Where an operation is enabled by default -the B<-flag> syntax is needed to disable it. - -B<SessionTicket>: session ticket support, enabled by default. Inverse of -B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting -B<SSL_OP_NO_TICKET>. - -B<Compression>: SSL/TLS compression support, enabled by default. Inverse -of B<SSL_OP_NO_COMPRESSION>. - -B<EmptyFragments>: use empty fragments as a countermeasure against a -SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It -is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>. - -B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>. - -B<DHSingle>: enable single use DH keys, set by default. Inverse of -B<SSL_OP_DH_SINGLE>. Only used by servers. - -B<ECDHSingle> enable single use ECDH keys, set by default. Inverse of -B<SSL_OP_ECDH_SINGLE>. Only used by servers. - -B<ServerPreference> use server and not client preference order when -determining which cipher suite, signature algorithm or elliptic curve -to use for an incoming connection. Equivalent to -B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. - -B<NoResumptionOnRenegotiation> set -B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers. - -B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation. -Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. - -B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation -for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>. -Set by default. - -=back - -=head1 SUPPORTED COMMAND TYPES - -The function SSL_CONF_cmd_value_type() currently returns one of the following -types: - -=over 4 - -=item B<SSL_CONF_TYPE_UNKNOWN> - -The B<cmd> string is unrecognised, this return value can be use to flag -syntax errors. - -=item B<SSL_CONF_TYPE_STRING> - -The value is a string without any specific structure. - -=item B<SSL_CONF_TYPE_FILE> - -The value is a file name. - -=item B<SSL_CONF_TYPE_DIR> - -The value is a directory name. - -=back - -=head1 NOTES - -The order of operations is significant. This can be used to set either defaults -or values which cannot be overridden. For example if an application calls: - - SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); - SSL_CONF_cmd(ctx, userparam, uservalue); - -it will disable SSLv2 support by default but the user can override it. If -however the call sequence is: - - SSL_CONF_cmd(ctx, userparam, uservalue); - SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); - -SSLv2 is B<always> disabled and attempt to override this by the user are -ignored. - -By checking the return code of SSL_CTX_cmd() it is possible to query if a -given B<cmd> is recognised, this is useful is SSL_CTX_cmd() values are -mixed with additional application specific operations. - -For example an application might call SSL_CTX_cmd() and if it returns --2 (unrecognised command) continue with processing of application specific -commands. - -Applications can also use SSL_CTX_cmd() to process command lines though the -utility function SSL_CTX_cmd_argv() is normally used instead. One way -to do this is to set the prefix to an appropriate value using -SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the -following argument to B<value> (which may be NULL). - -In this case if the return value is positive then it is used to skip that -number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is -returned then B<cmd> is not recognised and application specific arguments -can be checked instead. If -3 is returned a required argument is missing -and an error is indicated. If 0 is returned some other error occurred and -this can be reported back to the user. - -The function SSL_CONF_cmd_value_type() can be used by applications to -check for the existence of a command or to perform additional syntax -checking or translation of the command value. For example if the return -value is B<SSL_CONF_TYPE_FILE> an application could translate a relative -pathname to an absolute pathname. - -=head1 EXAMPLES - -Set supported signature algorithms: - - SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); - -Enable all protocols except SSLv3 and SSLv2: - - SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2"); - -Only enable TLSv1.2: - - SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2"); - -Disable TLS session tickets: - - SSL_CONF_cmd(ctx, "Options", "-SessionTicket"); - -Set supported curves to P-256, P-384: - - SSL_CONF_cmd(ctx, "Curves", "P-256:P-384"); - -Set automatic support for any elliptic curve for key exchange: - - SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic"); - -=head1 RETURN VALUES - -SSL_CONF_cmd() returns 1 if the value of B<cmd> is recognised and B<value> is -B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it -returns the number of arguments processed. This is useful when processing -command lines. - -A return value of -2 means B<cmd> is not recognised. - -A return value of -3 means B<cmd> is recognised and the command requires a -value but B<value> is NULL. - -A return code of 0 indicates that both B<cmd> and B<value> are valid but an -error occurred attempting to perform the operation: for example due to an -error in the syntax of B<value> in this case the error queue may provide -additional information. - -SSL_CONF_finish() returns 1 for success and 0 for failure. - -=head1 SEE ALSO - -L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>, -L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>, -L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>, -L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>, -L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)> - -=head1 HISTORY - -SSL_CONF_cmd() was first added to OpenSSL 1.0.2 - -B<SSL_OP_NO_SSL2> doesn't have effect anymore since 1.1.0 but the define is kept -for backward compatibility. - -=cut diff --git a/doc/ssl/SSL_CONF_cmd_argv.pod b/doc/ssl/SSL_CONF_cmd_argv.pod deleted file mode 100644 index 6e66441..0000000 --- a/doc/ssl/SSL_CONF_cmd_argv.pod +++ /dev/null @@ -1,42 +0,0 @@ -=pod - -=head1 NAME - -SSL_CONF_cmd_argv - SSL configuration command line processing. - -=head1 SYNOPSIS - - #include <openssl/ssl.h> - - int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv); - -=head1 DESCRIPTION - -The function SSL_CONF_cmd_argv() processes at most two command line -arguments from B<pargv> and B<pargc>. The values of B<pargv> and B<pargc> -are updated to reflect the number of command options processed. The B<pargc> -argument can be set to B<NULL> is it is not used. - -=head1 RETURN VALUES - -SSL_CONF_cmd_argv() returns the number of command arguments processed: 0, 1, 2 -or a negative error code. - -If -2 is returned then an argument for a command is missing. - -If -1 is returned the command is recognised but couldn't be processed due -to an error: for example a syntax error in the argument. - -=head1 SEE ALSO - -L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>, -L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>, -L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>, -L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>, -L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)> - -=head1 HISTORY - -These functions were first added to OpenSSL 1.0.2 - -=cut diff --git a/ssl/ssl.h b/ssl/ssl.h index 388d400..20feb82 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -2434,9 +2434,9 @@ int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre); void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl); void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx); -int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); -int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv); -int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); +int SSL_CONF_CTX_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); +int SSL_CONF_CTX_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv); +int SSL_CONF_CTX_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); #ifndef OPENSSL_NO_SSL_TRACE void SSL_trace(int write_p, int version, int content_type, diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 3785b4f..beb33d7 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -522,7 +522,7 @@ static const ssl_conf_cmd_tbl *ssl_conf_cmd_lookup(SSL_CONF_CTX *cctx, const cha return NULL; } -int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) +int SSL_CONF_CTX_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) { const ssl_conf_cmd_tbl *runcmd; if (cmd == NULL) @@ -569,7 +569,7 @@ int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value) return -2; } -int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) +int SSL_CONF_CTX_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) { int rv; const char *arg = NULL, *argn; @@ -585,7 +585,7 @@ int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) argn = NULL; cctx->flags &= ~SSL_CONF_FLAG_FILE; cctx->flags |= SSL_CONF_FLAG_CMDLINE; - rv = SSL_CONF_cmd(cctx, arg, argn); + rv = SSL_CONF_CTX_cmd(cctx, arg, argn); if (rv > 0) { /* Success: update pargc, pargv */ @@ -603,7 +603,7 @@ int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv) return rv; } -int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) +int SSL_CONF_CTX_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) { if (ssl_conf_cmd_skip_prefix(cctx, &cmd)) { diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 220b6d7..2fe0bc5 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -182,7 +182,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "SSL_CIPHER_STRENGTH_SORT"}, {ERR_FUNC(SSL_F_SSL_CLEAR), "SSL_clear"}, {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD), "SSL_COMP_add_compression_method"}, -{ERR_FUNC(SSL_F_SSL_CONF_CMD), "SSL_CONF_cmd"}, +{ERR_FUNC(SSL_F_SSL_CONF_CMD), "SSL_CONF_CTX_cmd"}, {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "ssl_create_cipher_list"}, {ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"}, {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"}, diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 05f75aa..1ade4a8 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -1331,10 +1331,11 @@ int main(int argc, char *argv[]) arg = argv[0]; argn = argv[1]; /* Try to process command using SSL_CONF */ - rv = SSL_CONF_cmd_argv(c_cctx, &argc, &argv); + rv = SSL_CONF_CTX_cmd_argv(c_cctx, &argc, &argv); /* If not processed try server */ if (rv == 0) - rv = SSL_CONF_cmd_argv(s_cctx, &argc, &argv); + rv = SSL_CONF_CTX_cmd_argv(s_cctx, &argc, + &argv); /* Recognised: store it for later use */ if (rv > 0) { @@ -1529,10 +1530,10 @@ bad: int rv; arg = sk_OPENSSL_STRING_value(conf_args, i); argn = sk_OPENSSL_STRING_value(conf_args, i + 1); - rv = SSL_CONF_cmd(c_cctx, arg, argn); + rv = SSL_CONF_CTX_cmd(c_cctx, arg, argn); /* If not recognised use server context */ if (rv == -2) - rv = SSL_CONF_cmd(s_cctx, arg, argn); + rv = SSL_CONF_CTX_cmd(s_cctx, arg, argn); if (rv <= 0) { BIO_printf(bio_err, "Error processing %s %s\n", diff --git a/util/ssleay.num b/util/ssleay.num index 53dbe6d..93e542b 100755 --- a/util/ssleay.num +++ b/util/ssleay.num @@ -330,7 +330,7 @@ DTLS_client_method 368 EXIST::FUNCTION: SSL_CIPHER_standard_name 369 EXIST::FUNCTION:SSL_TRACE SSL_set_alpn_protos 370 EXIST::FUNCTION: SSL_CTX_set_srv_supp_data 371 NOEXIST::FUNCTION: -SSL_CONF_cmd_argv 372 EXIST::FUNCTION: +SSL_CONF_CTX_cmd_argv 372 EXIST::FUNCTION: DTLSv1_2_server_method 373 EXIST::FUNCTION: SSL_COMP_set0_compress_methods 374 NOEXIST::FUNCTION: SSL_COMP_set0_compression_methods 374 EXIST::FUNCTION:COMP @@ -338,7 +338,7 @@ SSL_CTX_set_cert_cb 375 EXIST::FUNCTION: SSL_CTX_add_client_custom_ext 376 EXIST::FUNCTION:TLSEXT SSL_is_server 377 EXIST::FUNCTION: SSL_CTX_get0_param 378 EXIST::FUNCTION: -SSL_CONF_cmd 379 EXIST::FUNCTION: +SSL_CONF_CTX_cmd 379 EXIST::FUNCTION: SSL_CTX_get_ssl_method 380 EXIST::FUNCTION: SSL_CONF_CTX_set_ssl_ctx 381 EXIST::FUNCTION: SSL_CIPHER_find 382 EXIST::FUNCTION: @@ -350,7 +350,7 @@ SSL_CTX_set_alpn_protos 387 EXIST::FUNCTION: SSL_CTX_add_server_custom_ext 389 EXIST::FUNCTION:TLSEXT SSL_CTX_get0_certificate 390 EXIST::FUNCTION: SSL_CTX_set_alpn_select_cb 391 EXIST::FUNCTION: -SSL_CONF_cmd_value_type 392 EXIST::FUNCTION: +SSL_CONF_CTX_cmd_value_type 392 EXIST::FUNCTION: SSL_set_cert_cb 393 EXIST::FUNCTION: SSL_get_sigalgs 394 EXIST::FUNCTION:TLSEXT SSL_CONF_CTX_set1_prefix 395 EXIST::FUNCTION:
_______________________________________________ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev