[openssl-dev] Missing API features

Salz, Rich rsalz at akamai.com
Mon Apr 20 20:25:08 UTC 2015


What is the information you're looking for? "kx=X25519" or kx="2KRSA"  or ... ?  I picked those because sometimes there's a keysize, and other times it's implicit, for example.  The internal table is going to need restructuring.

--
Senior Architect, Akamai Technologies
IM: richsalz at jabber.at Twitter: RichSalz

From: Richard Moore [mailto:richmoore44 at gmail.com]
Sent: Monday, April 20, 2015 4:22 PM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] Missing API features



On 20 April 2015 at 15:33, Salz, Rich <rsalz at akamai.com> wrote:
> Continuing with the problems of making structs opaque, currently the API for querying the information about ciphers is quite weak. Only SSL_CIPHER_description provides access to data such as the key exchange method, and parsing a string to obtain this information seems daft. We're missing API for: key exchange, authentication method, encryption algorithm, MAC and the export flag.

(Man, outlook makes it hard to NOT top-post.  Sigh.)

Since all of those are implied by the cipher spec, could we just have an API to return the two-byte cipher identifier?  (That would break if TLS 1.3 moves to "a la carte" selection, but I doubt that will happen.)  Export is gone :)  And what's the MAC if using an AEAD cipher like AES-GCM?

Just returning the cipher id would mean every app needs to replicate the table that openssl already has, and keep it updated. Doesn't seem like a good plan to me. According to the current code in openssl the 'MAC' when using AES-GCM is AEAD - not ideal perhaps, but what we've got.


> It's also worth noting that SSL_CIPHER_get_version and SSL_CIPHER_description should probably be returning const char * not char *.

Yes, is that a bug to backport or just fix in master, you think?

Changing the return type here should be binary compatible on any sane platform, but it might cause source incompatibilities.

Cheers

Rich.
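To make concrete what the thread calls "daft", here is the scraping an application has to do today to recover key exchange, authentication, encryption, MAC and the export flag from the SSL_CIPHER_description() string. This is an added example, not code from OpenSSL or from anyone in the thread; the sample lines are constructed in the layout OpenSSL 1.0.x's SSL_CIPHER_description() emits, and the function and struct names are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fields scraped from one description line: name, protocol version,
 * then Kx=, Au=, Enc=, Mac= tokens and an optional trailing "export". */
struct cipher_info {
    char name[32], version[8], kx[16], au[16], enc[24], mac[16];
    bool export_flag;
};

/* Constructed samples in the 1.0.x layout (not captured from a real build). */
static const char SAMPLE_GCM[] = "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD\n";
static const char SAMPLE_EXP[] = "EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export\n";

/* Copies the value of a "Key=value" token into dst; false if tok is not that key. */
static bool take_field(const char *tok, const char *key, char *dst, size_t n) {
    size_t k = strlen(key);
    if (strncmp(tok, key, k) != 0 || tok[k] != '=') return false;
    snprintf(dst, n, "%s", tok + k + 1);
    return true;
}

/* Parses one description line into *out. Returns 1 when all four Kx/Au/Enc/Mac
 * fields were found, 0 otherwise; unrecognised tokens are ignored. */
int parse_cipher_description(const char *desc, struct cipher_info *out) {
    char buf[256], *save = NULL, *tok;
    int seen = 0;
    memset(out, 0, sizeof(*out));
    snprintf(buf, sizeof buf, "%s", desc);          /* strtok_r needs a writable copy */
    tok = strtok_r(buf, " \t\n", &save);
    if (!tok) return 0;
    snprintf(out->name, sizeof out->name, "%s", tok);
    tok = strtok_r(NULL, " \t\n", &save);
    if (!tok) return 0;
    snprintf(out->version, sizeof out->version, "%s", tok);
    while ((tok = strtok_r(NULL, " \t\n", &save)) != NULL) {
        if (take_field(tok, "Kx", out->kx, sizeof out->kx)) seen |= 1;
        else if (take_field(tok, "Au", out->au, sizeof out->au)) seen |= 2;
        else if (take_field(tok, "Enc", out->enc, sizeof out->enc)) seen |= 4;
        else if (take_field(tok, "Mac", out->mac, sizeof out->mac)) seen |= 8;
        else if (strcmp(tok, "export") == 0) out->export_flag = true;
    }
    return seen == 15;
}

/* True when the Mac field reports AEAD, i.e. no separate MAC (the AES-GCM case above). */
bool cipher_is_aead(const struct cipher_info *ci) {
    return strcmp(ci->mac, "AEAD") == 0;
}
```

Note that the parser is only as stable as the format string it scrapes, which is the point of the thread: a real API would not have this fragility.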




