author | Matt Caswell <matt@openssl.org> | 2017-06-21 12:17:30 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-06-21 14:45:36 +0100 |
commit | 72257204bd2a88773461150765dfd0e0a428ee86 (patch) | |
tree | 0f62189accc00c2b1e58de678a7e56c1a8748325 /doc | |
parent | adfc37868e2dc406b80ab3111163eb475ef06975 (diff) |
PSK related tweaks based on review feedback
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/SSL_CTX_set_psk_client_callback.pod | 18 |
-rw-r--r-- | doc/man3/SSL_CTX_use_psk_identity_hint.pod | 12 |
-rw-r--r-- | doc/man3/SSL_get_client_random.pod | 8 |
3 files changed, 19 insertions, 19 deletions
diff --git a/doc/man3/SSL_CTX_set_psk_client_callback.pod b/doc/man3/SSL_CTX_set_psk_client_callback.pod index 7e8fffef81..919b6af292 100644 --- a/doc/man3/SSL_CTX_set_psk_client_callback.pod +++ b/doc/man3/SSL_CTX_set_psk_client_callback.pod @@ -38,8 +38,8 @@ TLSv1.3 Pre-Shared Keys (PSKs) and PSKs for TLSv1.2 and below are not compatible. A client application wishing to use PSK ciphersuites for TLSv1.2 and below must -provide a callback function which is called when the client is sending the -ClientKeyExchange message to the server. +provide a callback function. This function will be called when the client is +sending the ClientKeyExchange message to the server. The purpose of the callback function is to select the PSK identity and the pre-shared key to use during the connection setup phase. @@ -57,7 +57,7 @@ A client application wishing to use TLSv1.3 PSKs must set a different callback using either SSL_CTX_set_psk_use_session_callback() or SSL_set_psk_use_session_callback() as appropriate. -The callback function is given a reference to the SSL connection in B<ssl>. +The callback function is given a pointer to the SSL connection in B<ssl>. The first time the callback is called for a connection the B<md> parameter is NULL. In some circumstances the callback will be called a second time. In that @@ -71,7 +71,7 @@ the PSK in B<*id>. The identifier length in bytes should be stored in B<*idlen>. The memory pointed to by B<*id> remains owned by the application and should be freed by it as required at any point after the handshake is complete. -Additionally the callback should store a reference to an SSL_SESSION object in +Additionally the callback should store a pointer to an SSL_SESSION object in B<*sess>. This is used as the basis for the PSK, and should, at a minimum, have the following fields set: 
@@ -85,16 +85,16 @@ This can be set via a call to L<SSL_SESSION_set1_master_key(3)>. Only the handshake digest associated with the ciphersuite is relevant for the PSK (the server may go on to negotiate any ciphersuite which is compatible with -the digest). The application can use any TLSv1.3 ciphersuite. Where B<md> is -non-NULL the handshake digest for the ciphersuite should be the same. +the digest). The application can use any TLSv1.3 ciphersuite. If B<md> is +not NULL the handshake digest for the ciphersuite should be the same. The ciphersuite can be set via a call to <SSL_SESSION_set_cipher(3)>. The handshake digest of an SSL_CIPHER object can be checked using <SSL_CIPHER_get_handshake_digest(3)>. =item The protocol version -This can be set via a call to L<SSL_SESSION_set_protocol_version> and should be -TLS1_3_VERSION. +This can be set via a call to L<SSL_SESSION_set_protocol_version(3)> and should +be TLS1_3_VERSION. =back @@ -118,7 +118,7 @@ has occurred so that L<SSL_session_reused(3)> will return true. =head1 RETURN VALUES -Return values from the SSL_psk_client_cb_func callback are interpreted as +Return values from the B<SSL_psk_client_cb_func> callback are interpreted as follows: On success (callback found a PSK identity and a pre-shared key to use) diff --git a/doc/man3/SSL_CTX_use_psk_identity_hint.pod b/doc/man3/SSL_CTX_use_psk_identity_hint.pod index 9dd14f8e54..4ded544db3 100644 --- a/doc/man3/SSL_CTX_use_psk_identity_hint.pod +++ b/doc/man3/SSL_CTX_use_psk_identity_hint.pod 
@@ -43,8 +43,8 @@ compatible. Identity hints are not relevant for TLSv1.3. A server application wishing to use PSK ciphersuites for TLSv1.2 and below may call SSL_CTX_use_psk_identity_hint() -to set the given B<NULL>-terminated PSK identity hint B<hint> for SSL context -object B<ctx>. SSL_use_psk_identity_hint() sets the given B<NULL>-terminated PSK +to set the given B<NUL>-terminated PSK identity hint B<hint> for SSL context +object B<ctx>. SSL_use_psk_identity_hint() sets the given B<NUL>-terminated PSK identity hint B<hint> for the SSL connection object B<ssl>. If B<hint> is B<NULL> the current hint from B<ctx> or B<ssl> is deleted. @@ -57,7 +57,7 @@ client. The purpose of the callback function is to validate the received PSK identity and to fetch the pre-shared key used during the connection setup phase. The callback is set using the functions SSL_CTX_set_psk_server_callback() or SSL_set_psk_server_callback(). The callback -function is given the connection in parameter B<ssl>, B<NULL>-terminated PSK +function is given the connection in parameter B<ssl>, B<NUL>-terminated PSK identity sent by the client in parameter B<identity>, and a buffer B<psk> of length B<max_psk_len> bytes where the pre-shared key is to be stored. @@ -65,7 +65,7 @@ A client application wishing to use TLSv1.3 PSKs must set a different callback using either SSL_CTX_set_psk_use_session_callback() or SSL_set_psk_use_session_callback() as appropriate. -The callback function is given a reference to the SSL connection in B<ssl> and +The callback function is given a pointer to the SSL connection in B<ssl> and an identity in B<identity> of length B<identity_len>. The callback function should identify an SSL_SESSION object that provides the PSK details and store it in B<*sess>. The SSL_SESSION object should, as a minimum, set the master key, 
@@ -84,7 +84,7 @@ has occurred so that L<SSL_session_reused(3)> will return true. =head1 RETURN VALUES -SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return +B<SSL_CTX_use_psk_identity_hint()> and B<SSL_use_psk_identity_hint()> return 1 on success, 0 otherwise. Return values from the TLSv1.2 and below server callback are interpreted as @@ -112,7 +112,7 @@ completely. =back -The SSL_psk_find_session_cb_func callback should return 1 on success or 0 on +The B<SSL_psk_find_session_cb_func> callback should return 1 on success or 0 on failure. In the event of failure the connection setup fails. =head1 COPYRIGHT diff --git a/doc/man3/SSL_get_client_random.pod b/doc/man3/SSL_get_client_random.pod index 83a1027bca..1e4c66672d 100644 --- a/doc/man3/SSL_get_client_random.pod +++ b/doc/man3/SSL_get_client_random.pod @@ -39,10 +39,10 @@ can be dangerous if misused; see NOTES below. SSL_SESSION_set1_master_key() sets the master key value associated with the SSL_SESSION B<sess>. For example, this could be used to set up a session based PSK (see L<SSL_CTX_set_psk_use_session_callback(3)>). The master key of length -B<len> should be provided at B<in>. A copy of the supplied master key is taken -by the function, so the caller is responsible for freeing and cleaning any -memory associated with B<in>. The caller must ensure that the length of the ke -is suitable for the ciphersuite associated with the SSL_SESSION. +B<len> should be provided at B<in>. The supplied master key is copied by the +function, so the caller is responsible for freeing and cleaning any memory +associated with B<in>. The caller must ensure that the length of the key is +suitable for the ciphersuite associated with the SSL_SESSION. =head1 NOTES |
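Review bot: the @@ -71,7 hunk of doc/man3/SSL_CTX_set_psk_client_callback.pod changes "reference" to "pointer" for B<*sess> but, unlike the preceding paragraph for B<*id> ("The memory pointed to by B<*id> remains owned by the application and should be freed by it as required at any point after the handshake is complete"), it still says nothing about who owns the SSL_SESSION once the callback returns. The application allocates that object and the library must hold it for the rest of the handshake, so add one sentence next to "Additionally the callback should store a pointer to an SSL_SESSION object in B<*sess>" stating whether ownership passes to the library or the application has to keep it alive and free it; without that, callers will either leak the session or free it while the handshake is still using it.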
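Review bot: in the @@ -85,16 hunk of doc/man3/SSL_CTX_set_psk_client_callback.pod the changed line adds the missing "(3)" to L<SSL_SESSION_set_protocol_version(3)>, but the two unchanged context lines just above it still read "<SSL_SESSION_set_cipher(3)>" and "<SSL_CIPHER_get_handshake_digest(3)>" without the leading L, so they will not render as links. Since this hunk is already correcting link markup in the same paragraph, fix both in the same change: "The ciphersuite can be set via a call to L<SSL_SESSION_set_cipher(3)>." and "can be checked using L<SSL_CIPHER_get_handshake_digest(3)>."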
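Review bot: the @@ -57,7 hunk of doc/man3/SSL_CTX_use_psk_identity_hint.pod correctly changes "B<NULL>-terminated" to "B<NUL>-terminated" for the B<identity> passed to the TLSv1.2 server callback, but the paragraph still presents a peer-supplied value as a plain C string with no length parameter. Please state explicitly that the library guarantees the terminator (so the callback need not check for it) and, because the identity "sent by the client" is attacker-controlled, note that any bytes following an embedded NUL are not visible to the callback and that B<identity> must be treated as untrusted input when it is used to look up the key to write into B<psk>.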
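Review bot: the context paragraph at the top of the @@ -65,7 hunk in doc/man3/SSL_CTX_use_psk_identity_hint.pod reads "A client application wishing to use TLSv1.3 PSKs must set a different callback using either SSL_CTX_set_psk_use_session_callback() or SSL_set_psk_use_session_callback() as appropriate", but this page documents the server side, and its RETURN VALUES section (the @@ -112,7 hunk) refers to B<SSL_psk_find_session_cb_func>. The paragraph appears to have been copied from SSL_CTX_set_psk_client_callback.pod; while this hunk is being edited, change it to "A server application ..." naming SSL_CTX_set_psk_find_session_callback() and SSL_set_psk_find_session_callback(), so the page does not point server implementers at the client-side use_session callback.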
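Review bot: in the @@ -39,10 hunk of doc/man3/SSL_get_client_random.pod, "the caller is responsible for freeing and cleaning any memory associated with B<in>" is too vague for what is a TLS master key; say that the caller should wipe the buffer, for example with OPENSSL_cleanse(3), before freeing it. The sentence "The caller must ensure that the length of the key is suitable for the ciphersuite associated with the SSL_SESSION" also leaves the failure mode undocumented: state what SSL_SESSION_set1_master_key() does when B<len> is not suitable (whether it fails and returns 0, or accepts the value and the handshake fails later), so callers using it for a session-based PSK know what to check.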