[openssl-commits] [openssl] master update
Viktor Dukhovni
viktor at openssl.org
Mon Jan 11 15:51:18 UTC 2016
The branch master has been updated
via 8106cb8b6d706079cbcabd4631f05e4526a316e1 (commit)
from ccf73257f6c8736a5af3e7be4bf09eebef06ac46 (commit)
- Log -----------------------------------------------------------------
commit 8106cb8b6d706079cbcabd4631f05e4526a316e1
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Sun Jan 10 20:15:04 2016 -0500
Make SSL{_CTX,}_{get,set,clear}_options functions
These now take and return unsigned long, and get is constified.
Updated related documentation and util/ssleay.num
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
doc/ssl/SSL_CONF_cmd.pod | 8 ++++---
doc/ssl/SSL_CTX_new.pod | 6 ++---
doc/ssl/SSL_CTX_set_min_proto_version.pod | 5 ++--
doc/ssl/SSL_CTX_set_options.pod | 3 +--
doc/ssl/ssl.pod | 12 ++++++++--
include/openssl/ssl.h | 20 +++++-----------
ssl/ssl_lib.c | 39 ++++++++++++++++++++++++-------
util/ssleay.num | 6 +++++
8 files changed, 65 insertions(+), 34 deletions(-)
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
index 9feaa28..a74117d 100644
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -318,8 +318,9 @@ sure to also leave TLS 1.1 enabled.
=item B<Options>
The B<value> argument is a comma separated list of various flags to set.
-If a flag string is preceded B<-> it is disabled. See the
-B<SSL_CTX_set_options> function for more details of individual options.
+If a flag string is preceded B<-> it is disabled.
+See the L<SSL_CTX_set_options(3)> function for more details of
+individual options.
Each option is listed below. Where an operation is enabled by default
the B<-flag> syntax is needed to disable it.
@@ -527,7 +528,8 @@ L<SSL_CONF_CTX_new(3)>,
L<SSL_CONF_CTX_set_flags(3)>,
L<SSL_CONF_CTX_set1_prefix(3)>,
L<SSL_CONF_CTX_set_ssl_ctx(3)>,
-L<SSL_CONF_cmd_argv(3)>
+L<SSL_CONF_cmd_argv(3)>,
+L<SSL_CTX_set_options(3)>
=head1 HISTORY
diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod
index 136f97b..53f6216 100644
--- a/doc/ssl/SSL_CTX_new.pod
+++ b/doc/ssl/SSL_CTX_new.pod
@@ -139,9 +139,9 @@ If you want to limit the supported protocols for the version flexible
methods you can use SSL_CTX_set_min_proto_version(),
SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and
SSL_set_max_proto_version() functions.
-They can also be limited using by using an option like SSL_OP_NO_SSLv3
-of the SSL_CTX_set_options() or SSL_set_options() functions, but
-that's not recommended.
+They can also be limited by setting an option like B<SSL_OP_NO_SSLv3>
+via the L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions,
+but that's not recommended.
Using these functions it is possible to choose e.g. TLS_server_method()
and be able to negotiate with all possible clients, but to only
allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2.
diff --git a/doc/ssl/SSL_CTX_set_min_proto_version.pod b/doc/ssl/SSL_CTX_set_min_proto_version.pod
index 25f9cca..535ae83 100644
--- a/doc/ssl/SSL_CTX_set_min_proto_version.pod
+++ b/doc/ssl/SSL_CTX_set_min_proto_version.pod
@@ -19,8 +19,9 @@ and maximum supported protocol version
The functions set the minimum and maximum supported portocol versions
for the B<ctx> or B<ssl>.
-This works in combination with the options set via SSL_CTX_set_options()
-that also make it possible to disable specific protocol versions.
+This works in combination with the options set via
+L<SSL_CTX_set_options(3)> that also make it possible to disable
+specific protocol versions.
Use these functions instead of disabling specific protocol versions.
Setting the minimum or maximum version to 0, will enable protocol
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 56f62cc..c132568 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -23,8 +23,6 @@ SSL_get_secure_renegotiation_support - manipulate SSL options
=head1 DESCRIPTION
-Note: all these functions are implemented using macros.
-
SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
Options already set before are not cleared!
@@ -42,6 +40,7 @@ SSL_get_options() returns the options set for B<ssl>.
SSL_get_secure_renegotiation_support() indicates whether the peer supports
secure renegotiation.
+Note, this is implemented via a macro.
=head1 NOTES
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index 0d29b54..33133ff 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -315,7 +315,11 @@ Use the file path to locate trusted CA certficates.
=item void B<SSL_CTX_set_msg_callback_arg>(SSL_CTX *ctx, void *arg);
-=item void B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
+=item unsigned long B<SSL_CTX_clear_options>(SSL_CTX *ctx, unsigned long op);
+
+=item unsigned long B<SSL_CTX_get_options>(SSL_CTX *ctx);
+
+=item unsigned long B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
=item void B<SSL_CTX_set_quiet_shutdown>(SSL_CTX *ctx, int mode);
@@ -596,7 +600,11 @@ fresh handle for each connection.
=item void B<SSL_set_msg_callback_arg>(SSL *ctx, void *arg);
-=item void B<SSL_set_options>(SSL *ssl, unsigned long op);
+=item unsigned long B<SSL_clear_options>(SSL *ssl, unsigned long op);
+
+=item unsigned long B<SSL_get_options>(SSL *ssl);
+
+=item unsigned long B<SSL_set_options>(SSL *ssl, unsigned long op);
=item void B<SSL_set_quiet_shutdown>(SSL *ssl, int mode);
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index bb3f0aa..b6ba59b 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -569,18 +569,12 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
* cannot be used to clear bits.
*/
-# define SSL_CTX_set_options(ctx,op) \
- SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
-# define SSL_CTX_clear_options(ctx,op) \
- SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
-# define SSL_CTX_get_options(ctx) \
- SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
-# define SSL_set_options(ssl,op) \
- SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
-# define SSL_clear_options(ssl,op) \
- SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
-# define SSL_get_options(ssl) \
- SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
+unsigned long SSL_CTX_get_options(const SSL_CTX *ctx);
+unsigned long SSL_get_options(const SSL* s);
+unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
+unsigned long SSL_clear_options(SSL *s, unsigned long op);
+unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
+unsigned long SSL_set_options(SSL *s, unsigned long op);
# define SSL_CTX_set_mode(ctx,op) \
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
@@ -1140,7 +1134,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_CTRL_SESS_MISSES 29
# define SSL_CTRL_SESS_TIMEOUTS 30
# define SSL_CTRL_SESS_CACHE_FULL 31
-# define SSL_CTRL_OPTIONS 32
# define SSL_CTRL_MODE 33
# define SSL_CTRL_GET_READ_AHEAD 40
# define SSL_CTRL_SET_READ_AHEAD 41
@@ -1188,7 +1181,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define DTLS_CTRL_HANDLE_TIMEOUT 74
# define DTLS_CTRL_LISTEN 75
# define SSL_CTRL_GET_RI_SUPPORT 76
-# define SSL_CTRL_CLEAR_OPTIONS 77
# define SSL_CTRL_CLEAR_MODE 78
# define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB 79
# define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index edb368d..1666cd2 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1609,10 +1609,6 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
s->msg_callback_arg = parg;
return 1;
- case SSL_CTRL_OPTIONS:
- return (s->options |= larg);
- case SSL_CTRL_CLEAR_OPTIONS:
- return (s->options &= ~larg);
case SSL_CTRL_MODE:
return (s->mode |= larg);
case SSL_CTRL_CLEAR_MODE:
@@ -1759,10 +1755,6 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return (ctx->stats.sess_timeout);
case SSL_CTRL_SESS_CACHE_FULL:
return (ctx->stats.sess_cache_full);
- case SSL_CTRL_OPTIONS:
- return (ctx->options |= larg);
- case SSL_CTRL_CLEAR_OPTIONS:
- return (ctx->options &= ~larg);
case SSL_CTRL_MODE:
return (ctx->mode |= larg);
case SSL_CTRL_CLEAR_MODE:
@@ -3763,4 +3755,35 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
return ctx->cert->sec_ex;
}
+
+/*
+ * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that
+ * can return unsigned long, instead of the generic long return value from the
+ * control interface.
+ */
+unsigned long SSL_CTX_get_options(const SSL_CTX *ctx)
+{
+ return ctx->options;
+}
+unsigned long SSL_get_options(const SSL* s)
+{
+ return s->options;
+}
+unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op)
+{
+ return ctx->options |= op;
+}
+unsigned long SSL_set_options(SSL *s, unsigned long op)
+{
+ return s->options |= op;
+}
+unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
+{
+ return ctx->options &= ~op;
+}
+unsigned long SSL_clear_options(SSL *s, unsigned long op)
+{
+ return s->options &= ~op;
+}
+
IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
diff --git a/util/ssleay.num b/util/ssleay.num
index 6a68fe5..8bd2b1a 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -427,3 +427,9 @@ SSL_get0_dane_tlsa 461 1_1_0 EXIST::FUNCTION:
SSL_set_hostflags 462 1_1_0 EXIST::FUNCTION:
SSL_dane_enable 463 1_1_0 EXIST::FUNCTION:
SSL_get0_dane 464 1_1_0 EXIST::FUNCTION:
+SSL_CTX_set_options 465 1_1_0 EXIST::FUNCTION:
+SSL_CTX_clear_options 466 1_1_0 EXIST::FUNCTION:
+SSL_CTX_get_options 467 1_1_0 EXIST::FUNCTION:
+SSL_clear_options 468 1_1_0 EXIST::FUNCTION:
+SSL_set_options 469 1_1_0 EXIST::FUNCTION:
+SSL_get_options 470 1_1_0 EXIST::FUNCTION:
More information about the openssl-commits
mailing list