author | Benjamin Kaduk <bkaduk@akamai.com> | 2017-01-30 11:24:17 -0600 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2017-02-23 19:40:25 +0100 |
commit | ccb8e6e0b1c536430290a87ba5c87dc072cc5a12 (patch) | |
tree | b80c31b90ba3f28ce3909348587fb91dc6bed166 /doc | |
parent | 60d685d196e8d594d754751e4852f01d80d8c0cc (diff) | |
download | openssl-ccb8e6e0b1c536430290a87ba5c87dc072cc5a12.tar.gz |
Export SSL_bytes_to_cipher_list()
Move ssl_bytes_to_cipher_list() to ssl_lib.c and create a public
wrapper around it. This lets application early callbacks easily get
SSL_CIPHER objects from the raw cipher bytes without having to
reimplement the parsing code. In particular, they do not need to
know the details of the SSLv2-format ClientHello's cipher suite
specifications.
Document the new public function, including the arguably buggy behavior
of modifying the supplied SSL object. On the face of it, such a function
should be able to be pure, just a direct translation of wire octets to
internal data structures.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)
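The parsing that the commit message says applications previously had to reimplement is small but easy to get wrong, so here it is as a stand-alone sketch. This is an added example, not OpenSSL's ssl_bytes_to_cipher_list() and not code from this commit: it returns plain 16-bit suite IDs instead of SSL_CIPHER objects, uses a toy four-entry "supported" table (an assumption standing in for the library's cipher table), treats the two SCSV values from RFC 5746 and RFC 7507 as signals rather than ciphers (the example's own choice), and rejects a length that is not a multiple of the element size, which the documentation above does not say the library does. The sample byte strings are constructed, not captured traffic. Unlike the function being exported, it is pure: it touches no connection state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy "supported" table (assumption: stands in for the library's internal
 * SSL_CIPHER table). Values are IANA cipher-suite IDs. */
static const uint16_t SUPPORTED[] = {
    0x002F, /* TLS_RSA_WITH_AES_128_CBC_SHA */
    0x0035, /* TLS_RSA_WITH_AES_256_CBC_SHA */
    0x009C, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
    0xC02F, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
};

#define SCSV_RENEG    0x00FF /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746 */
#define SCSV_FALLBACK 0x5600 /* TLS_FALLBACK_SCSV, RFC 7507 */
#define FLAG_RENEG    1u
#define FLAG_FALLBACK 2u

static int is_supported(uint16_t id)
{
    for (size_t i = 0; i < sizeof SUPPORTED / sizeof SUPPORTED[0]; i++)
        if (SUPPORTED[i] == id)
            return 1;
    return 0;
}

/* Parse a ClientHello cipher-suite list into 16-bit suite IDs.
 *
 * isv2format != 0: SSLv2 ClientHello, three octets per entry. TLS suites
 * carried in a v2 hello have a zero leading octet followed by the two-octet
 * TLS ID; a nonzero leading octet is an SSLv2-only cipher and is ignored.
 * isv2format == 0: SSLv3/TLS ClientHello, two octets per entry.
 *
 * Unsupported suites are skipped. SCSVs are reported via *scsv_flags and not
 * written to out. Returns the number of IDs written to out, or -1 if the input
 * is NULL/empty, len is not a multiple of the element size, or out is full. */
int bytes_to_cipher_list(const uint8_t *bytes, size_t len, int isv2format,
                         uint16_t *out, size_t out_max, unsigned *scsv_flags)
{
    size_t n = isv2format ? 3 : 2;
    size_t count = 0;

    if (bytes == NULL || len == 0 || len % n != 0)
        return -1;
    *scsv_flags = 0;

    for (size_t i = 0; i < len; i += n) {
        const uint8_t *p = bytes + i;
        uint16_t id;

        if (isv2format) {
            if (p[0] != 0)
                continue;           /* SSLv2-only cipher: not supported */
            p++;                    /* remaining two octets are the TLS ID */
        }
        id = (uint16_t)((p[0] << 8) | p[1]);

        if (id == SCSV_RENEG)    { *scsv_flags |= FLAG_RENEG;    continue; }
        if (id == SCSV_FALLBACK) { *scsv_flags |= FLAG_FALLBACK; continue; }
        if (!is_supported(id))
            continue;
        if (count == out_max)
            return -1;              /* caller's buffer is too small */
        out[count++] = id;
    }
    return (int)count;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t TLS_SAMPLE[] = {
    0x00, 0x2F,   /* TLS_RSA_WITH_AES_128_CBC_SHA          (supported) */
    0xC0, 0x2F,   /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (supported) */
    0x13, 0x01,   /* TLS_AES_128_GCM_SHA256: not in toy table, ignored */
    0x00, 0xFF,   /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
};
static const uint8_t V2_SAMPLE[] = {
    0x01, 0x00, 0x80,   /* SSL2_CK_RC4_128_WITH_MD5: SSLv2-only, ignored */
    0x00, 0x00, 0x35,   /* TLS_RSA_WITH_AES_256_CBC_SHA */
    0x00, 0x56, 0x00,   /* TLS_FALLBACK_SCSV */
    0x00, 0x00, 0x2F,   /* TLS_RSA_WITH_AES_128_CBC_SHA */
};

/* Results land in static storage so a caller can inspect them after the call. */
static uint16_t g_ids[16];
static unsigned g_flags;

int parse_tls_sample(void) { return bytes_to_cipher_list(TLS_SAMPLE, sizeof TLS_SAMPLE, 0, g_ids, 16, &g_flags); }
int parse_v2_sample(void)  { return bytes_to_cipher_list(V2_SAMPLE,  sizeof V2_SAMPLE,  1, g_ids, 16, &g_flags); }
int parse_bad_length(void) { return bytes_to_cipher_list(TLS_SAMPLE, 3, 0, g_ids, 16, &g_flags); } /* 3 % 2 != 0 */

int main(void)
{
    int n = parse_tls_sample();
    printf("TLS format: %d supported, flags=%u:", n, g_flags);
    for (int i = 0; i < n; i++) printf(" 0x%04X", g_ids[i]);
    printf("\n");

    n = parse_v2_sample();
    printf("SSLv2 format: %d supported, flags=%u:", n, g_flags);
    for (int i = 0; i < n; i++) printf(" 0x%04X", g_ids[i]);
    printf("\n");

    printf("odd length in TLS format: %d\n", parse_bad_length());
    return 0;
}
```

The SSLv2 branch is the part worth keeping in view: an application that treats every three-octet entry as a cipher would try to look up 0x0100 or 0x0080 as a TLS suite, and one that drops the length check silently reads past the last complete entry.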
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/SSL_get_ciphers.pod | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/doc/man3/SSL_get_ciphers.pod b/doc/man3/SSL_get_ciphers.pod index ce0be6e6c1..5933bf5849 100644 --- a/doc/man3/SSL_get_ciphers.pod +++ b/doc/man3/SSL_get_ciphers.pod @@ -3,7 +3,8 @@ =head1 NAME SSL_get1_supported_ciphers, SSL_get_client_ciphers, -SSL_get_ciphers, SSL_CTX_get_ciphers, SSL_get_cipher_list +SSL_get_ciphers, SSL_CTX_get_ciphers, +SSL_bytes_to_cipher_list, SSL_get_cipher_list - get list of available SSL_CIPHERs =head1 SYNOPSIS @@ -14,6 +15,9 @@ SSL_get_ciphers, SSL_CTX_get_ciphers, SSL_get_cipher_list STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx); STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s); STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *ssl); + STACK_OF(SSL_CIPHER) *SSL_bytes_to_cipher_list(SSL *s, + const unsigned char *bytes, + size_t len, int isv2format) const char *SSL_get_cipher_list(const SSL *ssl, int priority); =head1 DESCRIPTION @@ -41,6 +45,13 @@ SSL_get_client_ciphers() returns the stack of available SSL_CIPHERs matching the list received from the client on B<ssl>. If B<ssl> is NULL, no ciphers are available, or B<ssl> is not operating in server mode, NULL is returned. +SSL_bytes_to_cipher_list() treats the supplied B<len> octets in B<bytes> +as a wire-protocol cipher suite specification (in the three-octet-per-cipher +SSLv2 wire format if B<isv2format> is nonzero; otherwise the two-octet +SSLv3/TLS wire format), and parses the cipher suites supported by the library +into the returned stack of SSL_CIPHER objects. Unsupported cipher suites +are ignored, and NULL is returned on error. + SSL_get_cipher_list() returns a pointer to the name of the SSL_CIPHER listed for B<ssl> with B<priority>. If B<ssl> is NULL, no ciphers are available, or there are less ciphers than B<priority> available, NULL 
@@ -63,10 +74,19 @@ free the return value itself. The stack returned by SSL_get1_supported_ciphers() should be freed using sk_SSL_CIPHER_free(). +The stack returned by SSL_bytes_to_cipher_list() should be freed using +sk_SSL_CIPHER_free(). + =head1 RETURN VALUES See DESCRIPTION +=head1 BUGS + +The implementation of SSL_bytes_to_cipher_list() mutates state in the +supplied SSL object B<s>; SSL_bytes_to_cipher_list() should not be called +on a server SSL object after that server has processed the received ClientHello. + =head1 SEE ALSO L<ssl(7)>, L<SSL_CTX_set_cipher_list(3)>, |
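Review bot: the SYNOPSIS prototype for SSL_bytes_to_cipher_list() ends at `size_t len, int isv2format)` with no trailing semicolon, while the neighbouring SSL_get_client_ciphers() and SSL_get_cipher_list() prototypes in the same block have one; add the `;` so the synopsis stays consistent and copy-pasteable.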
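Review bot: the DESCRIPTION paragraph for SSL_bytes_to_cipher_list() says "NULL is returned on error" without saying what counts as an error; state the conditions (at least what happens when B<len> is not a multiple of the two- or three-octet element size, and when B<s> or B<bytes> is NULL), and say whether an input whose suites are all unsupported yields an empty stack or NULL, since a callback deciding whether to reject a ClientHello needs to tell the two apart. The RETURN VALUES section, which still only says "See DESCRIPTION", would be the natural place for this.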
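Review bot: the BUGS entry says SSL_bytes_to_cipher_list() "mutates state in the supplied SSL object B<s>" but not which state, so a caller cannot tell what would need saving or restoring; name the field(s) the implementation touches. The supported calling context (the early callback named in the commit message, before the server has processed the ClientHello) should also appear in DESCRIPTION as a precondition rather than only as a BUGS caveat, because a reader of the DESCRIPTION alone would reasonably take the function to be a pure translation of wire octets to SSL_CIPHER objects, which the commit message itself says it is not.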