diff options
| author | Antoine Salon <asalon@vmware.com> | 2018-10-16 16:40:01 -0700 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-11-15 10:41:37 +0000 |
| commit | d9720a5992315a6936ffba55d2fbbac460fb96a2 (patch) | |
| tree | a5ff2e7d8c032c137a0047015861e0b6e99e0f4b | |
| parent | dc703d6b469f1b186483a55b59013fbaca2228fd (diff) | |
Add SSL_CTX_set_tmp_ecdh.pod
Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7522)
| -rw-r--r-- | doc/man3/SSL_CTX_set_tmp_ecdh.pod | 48 | ||||
| -rw-r--r-- | doc/man7/ssl.pod | 9 | ||||
| -rw-r--r-- | ssl/s3_lib.c | 8 | ||||
| -rw-r--r-- | util/private.num | 4 |
4 files changed, 65 insertions, 4 deletions
diff --git a/doc/man3/SSL_CTX_set_tmp_ecdh.pod b/doc/man3/SSL_CTX_set_tmp_ecdh.pod new file mode 100644 index 0000000000..08e88da312 --- /dev/null +++ b/doc/man3/SSL_CTX_set_tmp_ecdh.pod @@ -0,0 +1,48 @@ +=pod + +=head1 NAME + +SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto +- handle ECDH keys for ephemeral key exchange + +=head1 SYNOPSIS + +#include <openssl/ssl.h> + +long SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ecdh); +long SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ecdh); + +long SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state); +long SSL_set_ecdh_auto(SSL *ssl, int state); + +=head1 DESCRIPTION + +SSL_CTX_set_tmp_ecdh() sets ECDH parameters to be used to be B<ecdh>. +The key is inherited by all B<ssl> objects created from B<ctx>. + +SSL_set_tmp_ecdh() sets the parameters only for B<ssl>. + +SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() are deprecated and +have no effect. + +=head1 RETURN VALUES + +SSL_CTX_set_tmp_ecdh() and SSL_set_tmp_ecdh() return 1 on success and 0 +on failure. + +=head1 SEE ALSO + +L<ssl(7)>, L<SSL_CTX_set1_curves(3)>, L<SSL_CTX_set_cipher_list(3)>, +L<SSL_CTX_set_options(3)>, L<SSL_CTX_set_tmp_dh_callback(3)>, +L<ciphers(1)>, L<ecparam(1)> + +=head1 COPYRIGHT + +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/doc/man7/ssl.pod b/doc/man7/ssl.pod index 6cc1c4bcff..1695f7ea19 100644 --- a/doc/man7/ssl.pod +++ b/doc/man7/ssl.pod @@ -383,6 +383,8 @@ Use the file path to locate trusted CA certificates. =item long B<SSL_CTX_set_tmp_dh_callback>(SSL_CTX *ctx, DH *(*cb)(void)); +=item long B<SSL_CTX_set_tmp_ecdh>(SSL_CTX* ctx, const EC_KEY *ecdh); + =item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void)) =item int B<SSL_CTX_use_PrivateKey>(SSL_CTX *ctx, EVP_PKEY *pkey); @@ -678,6 +680,12 @@ fresh handle for each connection. =item void B<SSL_set_timeout>(SSL *ssl, long t); +=item long B<SSL_set_tmp_dh>(SSL *ssl, DH *dh); + +=item long B<SSL_set_tmp_dh_callback>(SSL *ssl, DH *(*cb)(void)); + +=item long B<SSL_set_tmp_ecdh>(SSL *ssl, const EC_KEY *ecdh); + =item void B<SSL_set_verify>(SSL *ssl, int mode, int (*callback);(void)) =item void B<SSL_set_verify_result>(SSL *ssl, long arg); @@ -785,6 +793,7 @@ L<SSL_CTX_set_session_id_context(3)>, L<SSL_CTX_set_ssl_version(3)>, L<SSL_CTX_set_timeout(3)>, L<SSL_CTX_set_tmp_dh_callback(3)>, +L<SSL_CTX_set_tmp_ecdh(3)>, L<SSL_CTX_set_verify(3)>, L<SSL_CTX_use_certificate(3)>, L<SSL_alert_type_string(3)>, diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 866ca4dfa9..4b9906f215 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3414,7 +3414,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY *pkdh = NULL; if (dh == NULL) { SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); - return ret; + return 0; } pkdh = ssl_dh_to_pkey(dh); if (pkdh == NULL) { @@ -3425,11 +3425,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY_security_bits(pkdh), 0, pkdh)) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(pkdh); - return ret; + return 0; } EVP_PKEY_free(s->cert->dh_tmp); s->cert->dh_tmp = pkdh; - ret = 1; + return 1; } break; case SSL_CTRL_SET_TMP_DH_CB: @@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) EVP_PKEY_security_bits(pkdh), 0, pkdh)) { SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL); EVP_PKEY_free(pkdh); - return 1; + return 0; } EVP_PKEY_free(ctx->cert->dh_tmp); ctx->cert->dh_tmp = pkdh; diff --git a/util/private.num b/util/private.num index 4a0ed292ec..d6724ed5f3 100644 --- a/util/private.num +++ b/util/private.num @@ -365,6 +365,7 @@ SSL_CTX_set1_sigalgs define SSL_CTX_set1_sigalgs_list define SSL_CTX_set1_verify_cert_store define SSL_CTX_set_current_cert define +SSL_CTX_set_ecdh_auto define SSL_CTX_set_max_cert_list define SSL_CTX_set_max_pipelines define SSL_CTX_set_max_proto_version define @@ -382,6 +383,7 @@ SSL_CTX_set_tlsext_status_cb define SSL_CTX_set_tlsext_status_type define SSL_CTX_set_tlsext_ticket_key_cb define SSL_CTX_set_tmp_dh define +SSL_CTX_set_tmp_ecdh define SSL_add0_chain_cert define SSL_add1_chain_cert define SSL_build_cert_chain define @@ -433,6 +435,7 @@ SSL_set1_sigalgs define SSL_set1_sigalgs_list define SSL_set1_verify_cert_store define SSL_set_current_cert define +SSL_set_ecdh_auto define SSL_set_max_cert_list define SSL_set_max_pipelines define SSL_set_max_proto_version define @@ -448,6 +451,7 @@ SSL_set_tlsext_host_name define SSL_set_tlsext_status_ocsp_resp define SSL_set_tlsext_status_type define SSL_set_tmp_dh define +SSL_set_tmp_ecdh define SSL_want_async define SSL_want_async_job define SSL_want_client_hello_cb define |