[openssl-dev] Missing API features

Richard Moore richmoore44 at gmail.com
Mon Apr 20 20:21:43 UTC 2015


On 20 April 2015 at 15:33, Salz, Rich <rsalz at akamai.com> wrote:

> > Continuing with the problems of making structs opaque, currently the API
> > for querying the information about ciphers is quite weak. Only
> > SSL_CIPHER_description provides access to data such as the key exchange
> > method, and parsing a string to obtain this information seems daft. We're
> > missing API for: key exchange, authentication method, encryption
> > algorithm, MAC and the export flag.
>
> (Man, outlook makes it hard to NOT top-post.  Sigh.)
>
> Since all of those are implied by the cipher spec, could we just have an
> API to return the two-byte cipher identifier?  (That would break if TLS 1.3
> moves to "a la carte" selection, but I doubt that will happen.)  Export is
> gone :)  And what's the MAC if using an AEAD cipher like AES-GCM?
>
>
Just returning the cipher id would mean every app needs to replicate the
table that openssl already has, and keep it updated. Doesn't seem like a
good plan to me. According to the current code in openssl the 'MAC' when
using AES-GCM is AEAD - not ideal perhaps, but what we've got.
> > It's also worth noting that SSL_CIPHER_get_version and
> SSL_CIPHER_description should probably be returning const char * not char *.
>
> Yes, is that a bug to backport or just fix in master, you think?
>

Changing the return type here should be binary compatible on any sane
platform, but it might cause source incompatibilities.

Cheers

Rich.
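As an added illustration (not code from this thread or from OpenSSL) of what applications are left doing today, the parser below pulls the key exchange, authentication, encryption, MAC and export fields back out of an SSL_CIPHER_description() line. The line format ("name version Kx=... Au=... Enc=... Mac=...[ export]") and the two sample lines are assumptions modelled on OpenSSL 1.0.2 output, not captured from a live session.

```c
#include <stdio.h>
#include <string.h>

/* The cipher-suite properties the mail says have no direct accessor. */
struct cipher_info {
    char name[32];
    char version[16];
    char kx[16];   /* key exchange, e.g. "ECDH" */
    char au[16];   /* authentication, e.g. "RSA" */
    char enc[16];  /* encryption, e.g. "AESGCM(128)" */
    char mac[16];  /* MAC, reported as "AEAD" for AES-GCM */
    int export_flag;
};

/* Copy the token following `key` in `desc` into `out`, stopping at the
 * padding spaces SSL_CIPHER_description() inserts. 1 on success, else 0. */
static int grab_field(const char *desc, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(desc, key);
    size_t n = 0;
    if (!p) return 0;
    p += strlen(key);
    while (p[n] && p[n] != ' ' && p[n] != '\n' && n + 1 < outlen) {
        out[n] = p[n];
        n++;
    }
    out[n] = '\0';
    return n > 0;
}

/* Parse one description line; returns 1 only if every field was found. */
int parse_cipher_description(const char *desc, struct cipher_info *ci)
{
    memset(ci, 0, sizeof(*ci));
    if (sscanf(desc, "%31s %15s", ci->name, ci->version) != 2) return 0;
    if (!grab_field(desc, "Kx=", ci->kx, sizeof ci->kx)) return 0;
    if (!grab_field(desc, "Au=", ci->au, sizeof ci->au)) return 0;
    if (!grab_field(desc, "Enc=", ci->enc, sizeof ci->enc)) return 0;
    if (!grab_field(desc, "Mac=", ci->mac, sizeof ci->mac)) return 0;
    ci->export_flag = strstr(desc, " export") != NULL;
    return 1;
}

int main(void)
{
    /* Constructed sample line in the assumed SSL_CIPHER_description() format. */
    const char *gcm = "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD\n";
    struct cipher_info ci;
    if (parse_cipher_description(gcm, &ci))
        printf("kx=%s au=%s enc=%s mac=%s export=%d\n", ci.kx, ci.au, ci.enc, ci.mac, ci.export_flag);
    return 0;
}
```

Every field name, padding width and the "AEAD" MAC label is something the application must track by hand, which is exactly the coupling to OpenSSL's internal table that proper accessors would remove.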