Make SSL{_CTX,}_{get,set,clear}_options functions
These now take and return unsigned long, and get is constified. Updated related documentation and util/ssleay.num. Reviewed-by: Matt Caswell <matt@openssl.org>
This commit is contained in:
parent
ccf73257f6
commit
8106cb8b6d
@ -318,8 +318,9 @@ sure to also leave TLS 1.1 enabled.
|
||||
=item B<Options>
|
||||
|
||||
The B<value> argument is a comma separated list of various flags to set.
|
||||
If a flag string is preceded B<-> it is disabled. See the
|
||||
B<SSL_CTX_set_options> function for more details of individual options.
|
||||
If a flag string is preceded B<-> it is disabled.
|
||||
See the L<SSL_CTX_set_options(3)> function for more details of
|
||||
individual options.
|
||||
|
||||
Each option is listed below. Where an operation is enabled by default
|
||||
the B<-flag> syntax is needed to disable it.
|
||||
@ -527,7 +528,8 @@ L<SSL_CONF_CTX_new(3)>,
|
||||
L<SSL_CONF_CTX_set_flags(3)>,
|
||||
L<SSL_CONF_CTX_set1_prefix(3)>,
|
||||
L<SSL_CONF_CTX_set_ssl_ctx(3)>,
|
||||
L<SSL_CONF_cmd_argv(3)>
|
||||
L<SSL_CONF_cmd_argv(3)>,
|
||||
L<SSL_CTX_set_options(3)>
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
|
@ -139,9 +139,9 @@ If you want to limit the supported protocols for the version flexible
|
||||
methods you can use SSL_CTX_set_min_proto_version(),
|
||||
SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and
|
||||
SSL_set_max_proto_version() functions.
|
||||
They can also be limited using by using an option like SSL_OP_NO_SSLv3
|
||||
of the SSL_CTX_set_options() or SSL_set_options() functions, but
|
||||
that's not recommended.
|
||||
They can also be limited by setting an option like B<SSL_OP_NO_SSLv3>
|
||||
via the L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions,
|
||||
but that's not recommended.
|
||||
Using these functions it is possible to choose e.g. TLS_server_method()
|
||||
and be able to negotiate with all possible clients, but to only
|
||||
allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2.
|
||||
|
@ -19,8 +19,9 @@ and maximum supported protocol version
|
||||
|
||||
The functions set the minimum and maximum supported portocol versions
|
||||
for the B<ctx> or B<ssl>.
|
||||
This works in combination with the options set via SSL_CTX_set_options()
|
||||
that also make it possible to disable specific protocol versions.
|
||||
This works in combination with the options set via
|
||||
L<SSL_CTX_set_options(3)> that also make it possible to disable
|
||||
specific protocol versions.
|
||||
Use these functions instead of disabling specific protocol versions.
|
||||
|
||||
Setting the minimum or maximum version to 0, will enable protocol
|
||||
|
@ -23,8 +23,6 @@ SSL_get_secure_renegotiation_support - manipulate SSL options
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
Note: all these functions are implemented using macros.
|
||||
|
||||
SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
|
||||
Options already set before are not cleared!
|
||||
|
||||
@ -42,6 +40,7 @@ SSL_get_options() returns the options set for B<ssl>.
|
||||
|
||||
SSL_get_secure_renegotiation_support() indicates whether the peer supports
|
||||
secure renegotiation.
|
||||
Note, this is implemented via a macro.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
|
@ -315,7 +315,11 @@ Use the file path to locate trusted CA certficates.
|
||||
|
||||
=item void B<SSL_CTX_set_msg_callback_arg>(SSL_CTX *ctx, void *arg);
|
||||
|
||||
=item void B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
|
||||
=item unsigned long B<SSL_CTX_clear_options>(SSL_CTX *ctx, unsigned long op);
|
||||
|
||||
=item unsigned long B<SSL_CTX_get_options>(SSL_CTX *ctx);
|
||||
|
||||
=item unsigned long B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
|
||||
|
||||
=item void B<SSL_CTX_set_quiet_shutdown>(SSL_CTX *ctx, int mode);
|
||||
|
||||
@ -596,7 +600,11 @@ fresh handle for each connection.
|
||||
|
||||
=item void B<SSL_set_msg_callback_arg>(SSL *ctx, void *arg);
|
||||
|
||||
=item void B<SSL_set_options>(SSL *ssl, unsigned long op);
|
||||
=item unsigned long B<SSL_clear_options>(SSL *ssl, unsigned long op);
|
||||
|
||||
=item unsigned long B<SSL_get_options>(SSL *ssl);
|
||||
|
||||
=item unsigned long B<SSL_set_options>(SSL *ssl, unsigned long op);
|
||||
|
||||
=item void B<SSL_set_quiet_shutdown>(SSL *ssl, int mode);
|
||||
|
||||
|
@ -569,18 +569,12 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
|
||||
* cannot be used to clear bits.
|
||||
*/
|
||||
|
||||
# define SSL_CTX_set_options(ctx,op) \
|
||||
SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
|
||||
# define SSL_CTX_clear_options(ctx,op) \
|
||||
SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
|
||||
# define SSL_CTX_get_options(ctx) \
|
||||
SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
|
||||
# define SSL_set_options(ssl,op) \
|
||||
SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
|
||||
# define SSL_clear_options(ssl,op) \
|
||||
SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
|
||||
# define SSL_get_options(ssl) \
|
||||
SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
|
||||
unsigned long SSL_CTX_get_options(const SSL_CTX *ctx);
|
||||
unsigned long SSL_get_options(const SSL* s);
|
||||
unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
|
||||
unsigned long SSL_clear_options(SSL *s, unsigned long op);
|
||||
unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
|
||||
unsigned long SSL_set_options(SSL *s, unsigned long op);
|
||||
|
||||
# define SSL_CTX_set_mode(ctx,op) \
|
||||
SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
|
||||
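Review bot: The new prototype `unsigned long SSL_get_options(const SSL* s);` binds the `*` to the type, while the five sibling prototypes in the same hunk (`SSL *s`, `SSL_CTX *ctx`) bind it to the variable; write it `unsigned long SSL_get_options(const SSL *s);` so the block reads uniformly, and the definition in ssl.c carries the same spelling. Because these names were macros until now, the prototypes are the first place a reader of ssl.h sees an actual contract, so a one-line comment above them such as `/* set/clear return the option mask as it stands after the call; get never fails */` would be worth adding, since the existing comment ending at `cannot be used to clear bits.` only covers the set variant.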
@ -1140,7 +1134,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
||||
# define SSL_CTRL_SESS_MISSES 29
|
||||
# define SSL_CTRL_SESS_TIMEOUTS 30
|
||||
# define SSL_CTRL_SESS_CACHE_FULL 31
|
||||
# define SSL_CTRL_OPTIONS 32
|
||||
# define SSL_CTRL_MODE 33
|
||||
# define SSL_CTRL_GET_READ_AHEAD 40
|
||||
# define SSL_CTRL_SET_READ_AHEAD 41
|
||||
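Review bot: Deleting the `# define SSL_CTRL_OPTIONS 32` line retires the ctrl number without reserving it, so a later ctrl could be assigned 32 and silently collide with out-of-tree code or binaries that still pass the raw value; the same applies to `SSL_CTRL_CLEAR_OPTIONS 77` removed in the next hunk. Leaving a placeholder in each spot, e.g. `/* 32 was SSL_CTRL_OPTIONS; retired, do not reuse */`, makes the gap deliberate. In the two SSL_ctrl()/SSL_CTX_ctrl() hunks further down the matching `case` labels are also removed, so a caller still passing 32 or 77 now lands in whatever the switch's `default` does, which lies outside those hunks; presumably it reports failure, but that is worth confirming, and any remaining in-tree use of the old macro names will now fail to compile, which is the desirable outcome.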
@ -1188,7 +1181,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
||||
# define DTLS_CTRL_HANDLE_TIMEOUT 74
|
||||
# define DTLS_CTRL_LISTEN 75
|
||||
# define SSL_CTRL_GET_RI_SUPPORT 76
|
||||
# define SSL_CTRL_CLEAR_OPTIONS 77
|
||||
# define SSL_CTRL_CLEAR_MODE 78
|
||||
# define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB 79
|
||||
# define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
|
||||
|
@ -1609,10 +1609,6 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||
s->msg_callback_arg = parg;
|
||||
return 1;
|
||||
|
||||
case SSL_CTRL_OPTIONS:
|
||||
return (s->options |= larg);
|
||||
case SSL_CTRL_CLEAR_OPTIONS:
|
||||
return (s->options &= ~larg);
|
||||
case SSL_CTRL_MODE:
|
||||
return (s->mode |= larg);
|
||||
case SSL_CTRL_CLEAR_MODE:
|
||||
@ -1759,10 +1755,6 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||
return (ctx->stats.sess_timeout);
|
||||
case SSL_CTRL_SESS_CACHE_FULL:
|
||||
return (ctx->stats.sess_cache_full);
|
||||
case SSL_CTRL_OPTIONS:
|
||||
return (ctx->options |= larg);
|
||||
case SSL_CTRL_CLEAR_OPTIONS:
|
||||
return (ctx->options &= ~larg);
|
||||
case SSL_CTRL_MODE:
|
||||
return (ctx->mode |= larg);
|
||||
case SSL_CTRL_CLEAR_MODE:
|
||||
@ -3763,4 +3755,35 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
|
||||
return ctx->cert->sec_ex;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that
|
||||
* can return unsigned long, instead of the generic long return value from the
|
||||
* control interface.
|
||||
*/
|
||||
unsigned long SSL_CTX_get_options(const SSL_CTX *ctx)
|
||||
{
|
||||
return ctx->options;
|
||||
}
|
||||
unsigned long SSL_get_options(const SSL* s)
|
||||
{
|
||||
return s->options;
|
||||
}
|
||||
unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op)
|
||||
{
|
||||
return ctx->options |= op;
|
||||
}
|
||||
unsigned long SSL_set_options(SSL *s, unsigned long op)
|
||||
{
|
||||
return s->options |= op;
|
||||
}
|
||||
unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
|
||||
{
|
||||
return ctx->options &= ~op;
|
||||
}
|
||||
unsigned long SSL_clear_options(SSL *s, unsigned long op)
|
||||
{
|
||||
return s->options &= ~op;
|
||||
}
|
||||
|
||||
IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
|
||||
|
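Review bot: The comment block above the six new functions explains why they exist (a typed `unsigned long` return instead of the ctrl interface's `long`) but not the contract callers rely on; it should also state that `SSL_CTX_set_options()`/`SSL_set_options()` and the two `clear` variants return the option mask as it stands after the update, and that the `get` variants simply read the field and cannot fail. As in the header hunk, `unsigned long SSL_get_options(const SSL* s)` should be written `const SSL *s` to match the declarator style of the other five definitions. The functions dereference `ctx`/`s` unchecked, which is consistent with the neighbouring `SSL_CTX_get0_security_ex_data` and not a defect relative to this file.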
@ -427,3 +427,9 @@ SSL_get0_dane_tlsa 461 1_1_0 EXIST::FUNCTION:
|
||||
SSL_set_hostflags 462 1_1_0 EXIST::FUNCTION:
|
||||
SSL_dane_enable 463 1_1_0 EXIST::FUNCTION:
|
||||
SSL_get0_dane 464 1_1_0 EXIST::FUNCTION:
|
||||
SSL_CTX_set_options 465 1_1_0 EXIST::FUNCTION:
|
||||
SSL_CTX_clear_options 466 1_1_0 EXIST::FUNCTION:
|
||||
SSL_CTX_get_options 467 1_1_0 EXIST::FUNCTION:
|
||||
SSL_clear_options 468 1_1_0 EXIST::FUNCTION:
|
||||
SSL_set_options 469 1_1_0 EXIST::FUNCTION:
|
||||
SSL_get_options 470 1_1_0 EXIST::FUNCTION:
|
||||
|