summaryrefslogtreecommitdiff
path: root/lib/libssl
diff options
context:
space:
mode:
authorIngo Schwarze <schwarze@cvs.openbsd.org>2016-11-30 18:07:13 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2016-11-30 18:07:13 +0000
commit6837db28b5dcdb9a20e9a1b95a53195fc04165f8 (patch)
tree4366316ff66848371c3c275b08590b28d00074ba /lib/libssl
parent89f93fe51082f8489f5d226429bb6ab0bdeb81f5 (diff)
Add Copyright and license.
Add markup for the declaration of GEN_SESSION_CB. Garbage collect some remnants of SSLv2 and SSLv3.
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/man/SSL_CTX_set_generate_session_id.393
1 files changed, 58 insertions, 35 deletions
diff --git a/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/lib/libssl/man/SSL_CTX_set_generate_session_id.3
index 29ff6a123ed..5166b906052 100644
--- a/lib/libssl/man/SSL_CTX_set_generate_session_id.3
+++ b/lib/libssl/man/SSL_CTX_set_generate_session_id.3
@@ -1,7 +1,54 @@
+.\" $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.2 2016/11/30 18:07:12 schwarze Exp $
+.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
-.\" $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.1 2016/11/05 15:32:19 schwarze Exp $
+.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
+.\" Copyright (c) 2001, 2014 The OpenSSL Project. All rights reserved.
.\"
-.Dd $Mdocdate: November 5 2016 $
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 30 2016 $
.Dt SSL_CTX_SET_GENERATE_SESSION_ID 3
.Os
.Sh NAME
@@ -11,10 +58,12 @@
.Nd manipulate generation of SSL session IDs (server only)
.Sh SYNOPSIS
.In openssl/ssl.h
-.Bd -literal
- typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
- unsigned int *id_len);
-.Ed
+.Ft typedef int
+.Fo (*GEN_SESSION_CB)
+.Fa "const SSL *ssl"
+.Fa "unsigned char *id"
+.Fa "unsigned int *id_len"
+.Fc
.Ft int
.Fn SSL_CTX_set_generate_session_id "SSL_CTX *ctx" "GEN_SESSION_CB cb"
.Ft int
@@ -46,12 +95,11 @@ checks, whether a session with id
is already contained in the internal session cache
of the parent context of
.Fa ssl .
-.Sh NOTES
+.Pp
When a new session is established between client and server,
the server generates a session id.
The session id is an arbitrary sequence of bytes.
-The length of the session id is 16 bytes for SSLv2 sessions and between 1 and
-32 bytes for SSLv3/TLSv1.
+The length of the session id is between 1 and 32 bytes.
The session id is not security critical but must be unique for the server.
Additionally, the session id is transmitted in the clear when reusing the
session so it must not contain sensitive information.
@@ -80,17 +128,6 @@ or write to the location
.Fa id
exceeding the given limit.
.Pp
-If a SSLv2 session id is generated and
-.Fa id_len
-is reduced, it will be restored after the callback has finished and the session
-id will be padded with 0x00.
-It is not recommended to change the
-.Fa id_len
-for SSLv2 sessions.
-The callback can use the
-.Xr SSL_get_version 3
-function to check whether the session is of type SSLv2.
-.Pp
The location
.Fa id
is filled with 0x00 before the callback is called,
@@ -101,7 +138,7 @@ untouched while maintaining reproducibility.
Since the sessions must be distinguished, session ids must be unique.
Without the callback a random number is used,
so that the probability of generating the same session id is extremely small
-(2^128 possible ids for an SSLv2 session, 2^256 for SSLv3/TLSv1).
+(2^256 for TLSv1).
In order to ensure the uniqueness of the generated session id,
the callback must call
.Fn SSL_has_matching_session_id
@@ -128,13 +165,6 @@ since the external cache is not tested with
.Fn SSL_has_matching_session_id
and the same race condition applies.
.Pp
-When calling
-.Fn SSL_has_matching_session_id
-for an SSLv2 session with reduced
-.Fa id_len Ns ,
-the match operation will be performed using the fixed length required and with
-a 0x00 padded id.
-.Pp
The callback must return 0 if it cannot generate a session id for whatever
reason and return 1 on success.
.Sh RETURN VALUES
@@ -157,13 +187,6 @@ generate_session_id(const SSL *ssl, unsigned char *id,
unsigned int *id_len)
{
unsigned int count = 0;
- const char *version;
-
- version = SSL_get_version(ssl);
- if (!strcmp(version, "SSLv2")) {
- /* we must not change id_len */
- ;
- }
do {
RAND_pseudo_bytes(id, *id_len);