From 8106cb8b6d706079cbcabd4631f05e4526a316e1 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sun, 10 Jan 2016 20:15:04 -0500 Subject: [PATCH] Make SSL{_CTX,}_{get,set,clear}_options functions These now take and return unsigned long, and get is constified. Updated related documentation and util/ssleay.num Reviewed-by: Matt Caswell --- doc/ssl/SSL_CONF_cmd.pod | 8 +++-- doc/ssl/SSL_CTX_new.pod | 6 ++-- doc/ssl/SSL_CTX_set_min_proto_version.pod | 5 +-- doc/ssl/SSL_CTX_set_options.pod | 3 +- doc/ssl/ssl.pod | 12 +++++-- include/openssl/ssl.h | 20 ++++-------- ssl/ssl_lib.c | 39 ++++++++++++++++++----- util/ssleay.num | 6 ++++ 8 files changed, 65 insertions(+), 34 deletions(-) diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index 9feaa2810..a74117df0 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -318,8 +318,9 @@ sure to also leave TLS 1.1 enabled. =item B The B argument is a comma separated list of various flags to set. -If a flag string is preceded B<-> it is disabled. See the -B function for more details of individual options. +If a flag string is preceded B<-> it is disabled. +See the L function for more details of +individual options. Each option is listed below. Where an operation is enabled by default the B<-flag> syntax is needed to disable it. @@ -527,7 +528,8 @@ L, L, L, L, -L +L, +L =head1 HISTORY diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod index 136f97b36..53f621685 100644 --- a/doc/ssl/SSL_CTX_new.pod +++ b/doc/ssl/SSL_CTX_new.pod @@ -139,9 +139,9 @@ If you want to limit the supported protocols for the version flexible methods you can use SSL_CTX_set_min_proto_version(), SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and SSL_set_max_proto_version() functions. -They can also be limited using by using an option like SSL_OP_NO_SSLv3 -of the SSL_CTX_set_options() or SSL_set_options() functions, but -that's not recommended. +They can also be limited by setting an option like B +via the L or L functions, +but that's not recommended. Using these functions it is possible to choose e.g. TLS_server_method() and be able to negotiate with all possible clients, but to only allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2. diff --git a/doc/ssl/SSL_CTX_set_min_proto_version.pod b/doc/ssl/SSL_CTX_set_min_proto_version.pod index 25f9cca23..535ae83e7 100644 --- a/doc/ssl/SSL_CTX_set_min_proto_version.pod +++ b/doc/ssl/SSL_CTX_set_min_proto_version.pod @@ -19,8 +19,9 @@ and maximum supported protocol version The functions set the minimum and maximum supported portocol versions for the B or B. -This works in combination with the options set via SSL_CTX_set_options() -that also make it possible to disable specific protocol versions. +This works in combination with the options set via +L that also make it possible to disable +specific protocol versions. Use these functions instead of disabling specific protocol versions. Setting the minimum or maximum version to 0, will enable protocol diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 56f62cc59..c1325681e 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -23,8 +23,6 @@ SSL_get_secure_renegotiation_support - manipulate SSL options =head1 DESCRIPTION -Note: all these functions are implemented using macros. - SSL_CTX_set_options() adds the options set via bitmask in B to B. Options already set before are not cleared! @@ -42,6 +40,7 @@ SSL_get_options() returns the options set for B. SSL_get_secure_renegotiation_support() indicates whether the peer supports secure renegotiation. +Note, this is implemented via a macro. =head1 NOTES diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index 0d29b54bd..33133ff78 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -315,7 +315,11 @@ Use the file path to locate trusted CA certficates. =item void B(SSL_CTX *ctx, void *arg); -=item void B(SSL_CTX *ctx, unsigned long op); +=item unsigned long B(SSL_CTX *ctx, unsigned long op); + +=item unsigned long B(SSL_CTX *ctx); + +=item unsigned long B(SSL_CTX *ctx, unsigned long op); =item void B(SSL_CTX *ctx, int mode); @@ -596,7 +600,11 @@ fresh handle for each connection. =item void B(SSL *ctx, void *arg); -=item void B(SSL *ssl, unsigned long op); +=item unsigned long B(SSL *ssl, unsigned long op); + +=item unsigned long B(SSL *ssl); + +=item unsigned long B(SSL *ssl, unsigned long op); =item void B(SSL *ssl, int mode); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index bb3f0aa40..b6ba59b40 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -569,18 +569,12 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, * cannot be used to clear bits. */ -# define SSL_CTX_set_options(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) -# define SSL_CTX_clear_options(ctx,op) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) -# define SSL_CTX_get_options(ctx) \ - SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL) -# define SSL_set_options(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL) -# define SSL_clear_options(ssl,op) \ - SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL) -# define SSL_get_options(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL) +unsigned long SSL_CTX_get_options(const SSL_CTX *ctx); +unsigned long SSL_get_options(const SSL* s); +unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op); +unsigned long SSL_clear_options(SSL *s, unsigned long op); +unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op); +unsigned long SSL_set_options(SSL *s, unsigned long op); # define SSL_CTX_set_mode(ctx,op) \ SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) @@ -1140,7 +1134,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTRL_SESS_MISSES 29 # define SSL_CTRL_SESS_TIMEOUTS 30 # define SSL_CTRL_SESS_CACHE_FULL 31 -# define SSL_CTRL_OPTIONS 32 # define SSL_CTRL_MODE 33 # define SSL_CTRL_GET_READ_AHEAD 40 # define SSL_CTRL_SET_READ_AHEAD 41 @@ -1188,7 +1181,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define DTLS_CTRL_HANDLE_TIMEOUT 74 # define DTLS_CTRL_LISTEN 75 # define SSL_CTRL_GET_RI_SUPPORT 76 -# define SSL_CTRL_CLEAR_OPTIONS 77 # define SSL_CTRL_CLEAR_MODE 78 # define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB 79 # define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index edb368df6..1666cd288 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1609,10 +1609,6 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) s->msg_callback_arg = parg; return 1; - case SSL_CTRL_OPTIONS: - return (s->options |= larg); - case SSL_CTRL_CLEAR_OPTIONS: - return (s->options &= ~larg); case SSL_CTRL_MODE: return (s->mode |= larg); case SSL_CTRL_CLEAR_MODE: @@ -1759,10 +1755,6 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return (ctx->stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: return (ctx->stats.sess_cache_full); - case SSL_CTRL_OPTIONS: - return (ctx->options |= larg); - case SSL_CTRL_CLEAR_OPTIONS: - return (ctx->options &= ~larg); case SSL_CTRL_MODE: return (ctx->mode |= larg); case SSL_CTRL_CLEAR_MODE: @@ -3763,4 +3755,35 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx) return ctx->cert->sec_ex; } + +/* + * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that + * can return unsigned long, instead of the generic long return value from the + * control interface. + */ +unsigned long SSL_CTX_get_options(const SSL_CTX *ctx) +{ + return ctx->options; +} +unsigned long SSL_get_options(const SSL* s) +{ + return s->options; +} +unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op) +{ + return ctx->options |= op; +} +unsigned long SSL_set_options(SSL *s, unsigned long op) +{ + return s->options |= op; +} +unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op) +{ + return ctx->options &= ~op; +} +unsigned long SSL_clear_options(SSL *s, unsigned long op) +{ + return s->options &= ~op; +} + IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); diff --git a/util/ssleay.num b/util/ssleay.num index 6a68fe505..8bd2b1ae6 100755 --- a/util/ssleay.num +++ b/util/ssleay.num @@ -427,3 +427,9 @@ SSL_get0_dane_tlsa 461 1_1_0 EXIST::FUNCTION: SSL_set_hostflags 462 1_1_0 EXIST::FUNCTION: SSL_dane_enable 463 1_1_0 EXIST::FUNCTION: SSL_get0_dane 464 1_1_0 EXIST::FUNCTION: +SSL_CTX_set_options 465 1_1_0 EXIST::FUNCTION: +SSL_CTX_clear_options 466 1_1_0 EXIST::FUNCTION: +SSL_CTX_get_options 467 1_1_0 EXIST::FUNCTION: +SSL_clear_options 468 1_1_0 EXIST::FUNCTION: +SSL_set_options 469 1_1_0 EXIST::FUNCTION: +SSL_get_options 470 1_1_0 EXIST::FUNCTION: