garbage collect PSK remnants

author: schwarze <> 2016-12-01 16:02:14 +0000
committer: schwarze <> 2016-12-01 16:02:14 +0000
commit: b7efc38e2e1de628f298b7136f9395112718cc5b (patch)
tree: 0da5bd2b85dd1a82f34d2e5c64df2d626db5a2e4
parent: a19fc3196269c5b6b10b7c00798eca9136c26613 (diff)
download: openbsd-b7efc38e2e1de628f298b7136f9395112718cc5b.tar.gz
openbsd-b7efc38e2e1de628f298b7136f9395112718cc5b.tar.bz2
openbsd-b7efc38e2e1de628f298b7136f9395112718cc5b.zip
5 files changed, 3 insertions, 279 deletions
diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile
index cf4675b840..3078a76008 100644
--- a/src/lib/libssl/man/Makefile
+++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.40 2016/11/30 16:46:56 schwarze Exp $
+# $OpenBSD: Makefile,v 1.41 2016/12/01 16:02:14 schwarze Exp $
 .include <bsd.own.mk>
@@ -33,7 +33,6 @@ MAN =	BIO_f_ssl.3 \
        SSL_CTX_set_mode.3 \
        SSL_CTX_set_msg_callback.3 \
        SSL_CTX_set_options.3 \
-        SSL_CTX_set_psk_client_callback.3 \
        SSL_CTX_set_quiet_shutdown.3 \
        SSL_CTX_set_session_cache_mode.3 \
        SSL_CTX_set_session_id_context.3 \
@@ -43,7 +42,6 @@ MAN =	BIO_f_ssl.3 \
        SSL_CTX_set_tmp_rsa_callback.3 \
        SSL_CTX_set_verify.3 \
        SSL_CTX_use_certificate.3 \
-        SSL_CTX_use_psk_identity_hint.3 \
        SSL_SESSION_free.3 \
        SSL_SESSION_get_ex_new_index.3 \
        SSL_SESSION_get_time.3 \
@@ -64,7 +62,6 @@ MAN =	BIO_f_ssl.3 \
        SSL_get_fd.3 \
        SSL_get_peer_cert_chain.3 \
        SSL_get_peer_certificate.3 \
-        SSL_get_psk_identity.3 \
        SSL_get_rbio.3 \
        SSL_get_session.3 \
        SSL_get_verify_result.3 \
diff --git a/src/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 b/src/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
deleted file mode 100644
index 0325a9405a..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
+++ /dev/null
@@ -1,68 +0,0 @@
-.\"
-.\"     $OpenBSD: SSL_CTX_set_psk_client_callback.3,v 1.1 2016/11/05 15:32:19 schwarze Exp $
-.\"
-.Dd $Mdocdate: November 5 2016 $
-.Dt SSL_CTX_SET_PSK_CLIENT_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_psk_client_callback ,
-.Nm SSL_set_psk_client_callback
-.Nd set PSK client callback
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_psk_client_callback
-.Fa "SSL_CTX *ctx"
-.Fa "unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, \
-unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)"
-.Fc
-.Ft void
-.Fo SSL_set_psk_client_callback
-.Fa "SSL *ssl"
-.Fa "unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, \
-unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)"
-.Fc
-.Sh DESCRIPTION
-A client application must provide a callback function which is called
-when the client is sending the ClientKeyExchange message to the server.
-.Pp
-The purpose of the callback function is to select the PSK identity and
-the pre-shared key to use during the connection setup phase.
-.Pp
-The callback is set using functions
-.Fn SSL_CTX_set_psk_client_callback
-or
-.Fn SSL_set_psk_client_callback .
-The callback function is given the connection in parameter
-.Fa ssl ,
-a
-.Dv NULL Ns
-terminated PSK identity hint sent by the server in parameter
-.Fa hint ,
-a buffer
-.Fa identity
-of length
-.Fa max_identity_len
-bytes where the resulting
-.Dv NULL Ns
-terminated identity is to be stored, and a buffer
-.Fa psk
-of
-length
-.Fa max_psk_len
-bytes where the resulting pre-shared key is to be stored.
-.Sh NOTES
-Note that parameter
-.Fa hint
-given to the callback may be
-.Dv NULL .
-.Sh RETURN VALUES
-Return values from the client callback are interpreted as follows:
-.Pp
-On success (callback found a PSK identity and a pre-shared key to use)
-the length (> 0) of
-.Fa psk
-in bytes is returned.
-.Pp
-Otherwise or on errors callback should return 0.
-In this case the connection setup fails.
diff --git a/src/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 b/src/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
deleted file mode 100644
index 7d5d6b1dfd..0000000000
--- a/src/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
+++ /dev/null
@@ -1,110 +0,0 @@
-.\"
-.\"     $OpenBSD: SSL_CTX_use_psk_identity_hint.3,v 1.1 2016/11/05 15:32:20 schwarze Exp $
-.\"
-.Dd $Mdocdate: November 5 2016 $
-.Dt SSL_CTX_USE_PSK_IDENTITY_HINT 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_use_psk_identity_hint ,
-.Nm SSL_use_psk_identity_hint ,
-.Nm  SSL_CTX_set_psk_server_callback ,
-.Nm SSL_set_psk_server_callback
-.Nd set PSK identity hint to use
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_use_psk_identity_hint "SSL_CTX *ctx" "const char *hint"
-.Ft int
-.Fn SSL_use_psk_identity_hint "SSL *ssl" "const char *hint"
-.Ft void
-.Fo SSL_CTX_set_psk_server_callback
-.Fa "SSL_CTX *ctx"
-.Fa "unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len)"
-.Fc
-.Ft void
-.Fo SSL_set_psk_server_callback
-.Fa "SSL *ssl"
-.Fa "unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len)"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_use_psk_identity_hint
-sets the given
-.Dv NULL Ns
-terminated PSK identity hint
-.Fa hint
-to SSL context object
-.Fa ctx .
-.Fn SSL_use_psk_identity_hint
-sets the given
-.Dv NULL Ns
-terminated
-PSK identity hint
-.Fa hint
-to SSL connection object
-.Fa ssl .
-If
-.Fa hint
-is
-.Dv NULL
-the current hint from
-.Fa ctx
-or
-.Fa ssl
-is deleted.
-.Pp
-In the case where PSK identity hint is
-.Dv NULL ,
-the server does not send the
-.Em ServerKeyExchange
-message to the client.
-.Pp
-A server application must provide a callback function which is called when the
-server receives the
-.Em ClientKeyExchange
-message from the client.
-The purpose of the callback function is to validate the received PSK identity
-and to fetch the pre-shared key used during the connection setup phase.
-The callback is set using functions
-.Fn SSL_CTX_set_psk_server_callback
-or
-.Fn SSL_set_psk_server_callback .
-The callback function is given the connection in parameter
-.Fa ssl ,
-.Dv NULL Ns
-terminated PSK identity sent by the client in parameter
-.Fa identity ,
-and a buffer
-.Fa psk
-of length
-.Fa max_psk_len
-bytes where the pre-shared key is to be stored.
-.Sh RETURN VALUES
-.Fn SSL_CTX_use_psk_identity_hint
-and
-.Fn SSL_use_psk_identity_hint
-return 1 on success, 0 otherwise.
-.Pp
-Return values from the server callback are interpreted as follows:
-.Bl -tag -width Ds
-.It >0
-PSK identity was found and the server callback has provided the PSK
-successfully in parameter
-.Fa psk .
-Return value is the length of
-.Fa psk
-in bytes.
-It is an error to return a value greater than
-.Fa max_psk_len .
-.Pp
-If the PSK identity was not found but the callback instructs the protocol to
-continue anyway, the callback must provide some random data to
-.Fa psk
-and return the length of the random data, so the connection will fail with
-.Dq decryption_error
-before it will be finished completely.
-.It 0
-PSK identity was not found.
-An
-.Dq unknown_psk_identity
-alert message will be sent and the connection setup fails.
-.El
diff --git a/src/lib/libssl/man/SSL_get_psk_identity.3 b/src/lib/libssl/man/SSL_get_psk_identity.3
deleted file mode 100644
index a2f91ee1c7..0000000000
--- a/src/lib/libssl/man/SSL_get_psk_identity.3
+++ /dev/null
@@ -1,44 +0,0 @@
-.\"
-.\"     $OpenBSD: SSL_get_psk_identity.3,v 1.1 2016/11/05 15:32:20 schwarze Exp $
-.\"
-.Dd $Mdocdate: November 5 2016 $
-.Dt SSL_GET_PSK_IDENTITY 3
-.Os
-.Sh NAME
-.Nm SSL_get_psk_identity ,
-.Nm SSL_get_psk_identity_hint
-.Nd get PSK client identity and hint
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const char *
-.Fn SSL_get_psk_identity_hint "const SSL *ssl"
-.Ft const char *
-.Fn SSL_get_psk_identity "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_psk_identity_hint
-is used to retrieve the PSK identity hint used during the connection setup
-related to
-.Vt SSL
-object
-.Fa ssl .
-Similarly,
-.Fn SSL_get_psk_identity
-is used to retrieve the PSK identity used during the connection setup.
-.Sh RETURN VALUES
-If
-.Pf non- Dv NULL ,
-.Fn SSL_get_psk_identity_hint
-returns the PSK identity hint and
-.Fn SSL_get_psk_identity
-returns the PSK identity.
-Both are
-.Dv NULL Ns -terminated.
-.Fn SSL_get_psk_identity_hint
-may return
-.Dv NULL
-if no PSK identity hint was used during the connection setup.
-.Pp
-Note that the return value is valid only during the lifetime of the
-.Vt SSL
-object
-.Fa ssl .
diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3
index 77a24144fe..283340e228 100644
--- a/src/lib/libssl/man/ssl.3
+++ b/src/lib/libssl/man/ssl.3
@@ -1,7 +1,7 @@
 .\"
-.\"     $OpenBSD: ssl.3,v 1.2 2016/11/30 16:21:53 schwarze Exp $
+.\"     $OpenBSD: ssl.3,v 1.3 2016/12/01 16:02:14 schwarze Exp $
 .\"
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: December 1 2016 $
 .Dt SSL 3
 .Os
 .Sh NAME
@@ -594,26 +594,6 @@ session instead of a context.
 .Ft int
 .Fn SSL_CTX_use_certificate_file "SSL_CTX *ctx" "char *file" "int type"
 .Xc
-.It Xo
-.Ft void
-.Fo SSL_CTX_set_psk_client_callback
-.Fa "SSL_CTX *ctx"
-.Fa "unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, \
-unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)"
-.Fc
-.Xc
-.It Xo
-.Ft int
-.Fn SSL_CTX_use_psk_identity_hint "SSL_CTX *ctx" "const char *hint"
-.Xc
-.It Xo
-.Ft void
-.Fo SSL_CTX_set_psk_server_callback
-.Fa "SSL_CTX *ctx"
-.Fa "unsigned int (*callback)(SSL *ssl, const char *identity, \
-unsigned char *psk, int max_psk_len)"
-.Fc
-.Xc
 .El
 .Ss DEALING WITH SESSIONS
 Here we document the various API functions which deal with the SSL/TLS sessions
@@ -1159,34 +1139,6 @@ size_t len, SSL *ssl, void *arg)"
 .Ft int
 .Fn SSL_write "SSL *ssl" "const void *buf" "int num"
 .Xc
-.It Xo
-.Ft void
-.Fo SSL_set_psk_client_callback
-.Fa "SSL *ssl"
-.Fa "unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, \
-unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)"
-.Fc
-.Xc
-.It Xo
-.Ft int
-.Fn SSL_use_psk_identity_hint "SSL *ssl" "const char *hint"
-.Xc
-.It Xo
-.Ft void
-.Fo SSL_set_psk_server_callback
-.Fa "SSL *ssl"
-.Fa "unsigned int (*callback)(SSL *ssl, const char *identity, \
-unsigned char *psk, int max_psk_len)"
-.Fc
-.Xc
-.It Xo
-.Ft const char *
-.Fn SSL_get_psk_identity_hint "SSL *ssl"
-.Xc
-.It Xo
-.Ft const char *
-.Fn SSL_get_psk_identity "SSL *ssl"
-.Xc
 .El
 .Sh SEE ALSO
 .Xr openssl 1 ,
@@ -1222,7 +1174,6 @@ unsigned char *psk, int max_psk_len)"
 .Xr SSL_CTX_set_mode 3 ,
 .Xr SSL_CTX_set_msg_callback 3 ,
 .Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_psk_client_callback 3 ,
 .Xr SSL_CTX_set_quiet_shutdown 3 ,
 .Xr SSL_CTX_set_session_cache_mode 3 ,
 .Xr SSL_CTX_set_session_id_context 3 ,
@@ -1232,7 +1183,6 @@ unsigned char *psk, int max_psk_len)"
 .Xr SSL_CTX_set_tmp_rsa_callback 3 ,
 .Xr SSL_CTX_set_verify 3 ,
 .Xr SSL_CTX_use_certificate 3 ,
-.Xr SSL_CTX_use_psk_identity_hint 3 ,
 .Xr SSL_do_handshake 3 ,
 .Xr SSL_get_ciphers 3 ,
 .Xr SSL_get_client_CA_list 3 ,
@@ -1242,7 +1192,6 @@ unsigned char *psk, int max_psk_len)"
 .Xr SSL_get_ex_new_index 3 ,
 .Xr SSL_get_fd 3 ,
 .Xr SSL_get_peer_cert_chain 3 ,
-.Xr SSL_get_psk_identity 3 ,
 .Xr SSL_get_rbio 3 ,
 .Xr SSL_get_session 3 ,
 .Xr SSL_get_SSL_CTX 3 ,
author	schwarze <>	2016-12-01 16:02:14 +0000
committer	schwarze <>	2016-12-01 16:02:14 +0000
commit	b7efc38e2e1de628f298b7136f9395112718cc5b (patch)
tree	0da5bd2b85dd1a82f34d2e5c64df2d626db5a2e4
parent	a19fc3196269c5b6b10b7c00798eca9136c26613 (diff)
download	openbsd-b7efc38e2e1de628f298b7136f9395112718cc5b.tar.gz openbsd-b7efc38e2e1de628f298b7136f9395112718cc5b.tar.bz2 openbsd-b7efc38e2e1de628f298b7136f9395112718cc5b.zip

diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile index cf4675b840..3078a76008 100644 --- a/src/lib/libssl/man/Makefile +++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.40 2016/11/30 16:46:56 schwarze Exp $	1	# $OpenBSD: Makefile,v 1.41 2016/12/01 16:02:14 schwarze Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -33,7 +33,6 @@ MAN = BIO_f_ssl.3 \
33	SSL_CTX_set_mode.3 \	33	SSL_CTX_set_mode.3 \
34	SSL_CTX_set_msg_callback.3 \	34	SSL_CTX_set_msg_callback.3 \
35	SSL_CTX_set_options.3 \	35	SSL_CTX_set_options.3 \
36	SSL_CTX_set_psk_client_callback.3 \
37	SSL_CTX_set_quiet_shutdown.3 \	36	SSL_CTX_set_quiet_shutdown.3 \
38	SSL_CTX_set_session_cache_mode.3 \	37	SSL_CTX_set_session_cache_mode.3 \
39	SSL_CTX_set_session_id_context.3 \	38	SSL_CTX_set_session_id_context.3 \
@@ -43,7 +42,6 @@ MAN = BIO_f_ssl.3 \
43	SSL_CTX_set_tmp_rsa_callback.3 \	42	SSL_CTX_set_tmp_rsa_callback.3 \
44	SSL_CTX_set_verify.3 \	43	SSL_CTX_set_verify.3 \
45	SSL_CTX_use_certificate.3 \	44	SSL_CTX_use_certificate.3 \
46	SSL_CTX_use_psk_identity_hint.3 \
47	SSL_SESSION_free.3 \	45	SSL_SESSION_free.3 \
48	SSL_SESSION_get_ex_new_index.3 \	46	SSL_SESSION_get_ex_new_index.3 \
49	SSL_SESSION_get_time.3 \	47	SSL_SESSION_get_time.3 \
@@ -64,7 +62,6 @@ MAN = BIO_f_ssl.3 \
64	SSL_get_fd.3 \	62	SSL_get_fd.3 \
65	SSL_get_peer_cert_chain.3 \	63	SSL_get_peer_cert_chain.3 \
66	SSL_get_peer_certificate.3 \	64	SSL_get_peer_certificate.3 \
67	SSL_get_psk_identity.3 \
68	SSL_get_rbio.3 \	65	SSL_get_rbio.3 \
69	SSL_get_session.3 \	66	SSL_get_session.3 \
70	SSL_get_verify_result.3 \	67	SSL_get_verify_result.3 \


diff --git a/src/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 b/src/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 deleted file mode 100644 index 0325a9405a..0000000000 --- a/src/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 +++ /dev/null
@@ -1,68 +0,0 @@
1	.\"
2	.\" $OpenBSD: SSL_CTX_set_psk_client_callback.3,v 1.1 2016/11/05 15:32:19 schwarze Exp $
3	.\"
4	.Dd $Mdocdate: November 5 2016 $
5	.Dt SSL_CTX_SET_PSK_CLIENT_CALLBACK 3
6	.Os
7	.Sh NAME
8	.Nm SSL_CTX_set_psk_client_callback ,
9	.Nm SSL_set_psk_client_callback
10	.Nd set PSK client callback
11	.Sh SYNOPSIS
12	.In openssl/ssl.h
13	.Ft void
14	.Fo SSL_CTX_set_psk_client_callback
15	.Fa "SSL_CTX *ctx"
16	.Fa "unsigned int (callback)(SSL ssl, const char hint, char identity, \
17	unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)"
18	.Fc
19	.Ft void
20	.Fo SSL_set_psk_client_callback
21	.Fa "SSL *ssl"
22	.Fa "unsigned int (callback)(SSL ssl, const char hint, char identity, \
23	unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)"
24	.Fc
25	.Sh DESCRIPTION
26	A client application must provide a callback function which is called
27	when the client is sending the ClientKeyExchange message to the server.
28	.Pp
29	The purpose of the callback function is to select the PSK identity and
30	the pre-shared key to use during the connection setup phase.
31	.Pp
32	The callback is set using functions
33	.Fn SSL_CTX_set_psk_client_callback
34	or
35	.Fn SSL_set_psk_client_callback .
36	The callback function is given the connection in parameter
37	.Fa ssl ,
38	a
39	.Dv NULL Ns
40	-terminated PSK identity hint sent by the server in parameter
41	.Fa hint ,
42	a buffer
43	.Fa identity
44	of length
45	.Fa max_identity_len
46	bytes where the resulting
47	.Dv NULL Ns
48	-terminated identity is to be stored, and a buffer
49	.Fa psk
50	of
51	length
52	.Fa max_psk_len
53	bytes where the resulting pre-shared key is to be stored.
54	.Sh NOTES
55	Note that parameter
56	.Fa hint
57	given to the callback may be
58	.Dv NULL .
59	.Sh RETURN VALUES
60	Return values from the client callback are interpreted as follows:
61	.Pp
62	On success (callback found a PSK identity and a pre-shared key to use)
63	the length (> 0) of
64	.Fa psk
65	in bytes is returned.
66	.Pp
67	Otherwise or on errors callback should return 0.
68	In this case the connection setup fails.


diff --git a/src/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 b/src/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 deleted file mode 100644 index 7d5d6b1dfd..0000000000 --- a/src/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 +++ /dev/null
@@ -1,110 +0,0 @@
1	.\"
2	.\" $OpenBSD: SSL_CTX_use_psk_identity_hint.3,v 1.1 2016/11/05 15:32:20 schwarze Exp $
3	.\"
4	.Dd $Mdocdate: November 5 2016 $
5	.Dt SSL_CTX_USE_PSK_IDENTITY_HINT 3
6	.Os
7	.Sh NAME
8	.Nm SSL_CTX_use_psk_identity_hint ,
9	.Nm SSL_use_psk_identity_hint ,
10	.Nm SSL_CTX_set_psk_server_callback ,
11	.Nm SSL_set_psk_server_callback
12	.Nd set PSK identity hint to use
13	.Sh SYNOPSIS
14	.In openssl/ssl.h
15	.Ft int
16	.Fn SSL_CTX_use_psk_identity_hint "SSL_CTX ctx" "const char hint"
17	.Ft int
18	.Fn SSL_use_psk_identity_hint "SSL ssl" "const char hint"
19	.Ft void
20	.Fo SSL_CTX_set_psk_server_callback
21	.Fa "SSL_CTX *ctx"
22	.Fa "unsigned int (callback)(SSL ssl, const char identity, unsigned char psk, int max_psk_len)"
23	.Fc
24	.Ft void
25	.Fo SSL_set_psk_server_callback
26	.Fa "SSL *ssl"
27	.Fa "unsigned int (callback)(SSL ssl, const char identity, unsigned char psk, int max_psk_len)"
28	.Fc
29	.Sh DESCRIPTION
30	.Fn SSL_CTX_use_psk_identity_hint
31	sets the given
32	.Dv NULL Ns
33	-terminated PSK identity hint
34	.Fa hint
35	to SSL context object
36	.Fa ctx .
37	.Fn SSL_use_psk_identity_hint
38	sets the given
39	.Dv NULL Ns
40	-terminated
41	PSK identity hint
42	.Fa hint
43	to SSL connection object
44	.Fa ssl .
45	If
46	.Fa hint
47	is
48	.Dv NULL
49	the current hint from
50	.Fa ctx
51	or
52	.Fa ssl
53	is deleted.
54	.Pp
55	In the case where PSK identity hint is
56	.Dv NULL ,
57	the server does not send the
58	.Em ServerKeyExchange
59	message to the client.
60	.Pp
61	A server application must provide a callback function which is called when the
62	server receives the
63	.Em ClientKeyExchange
64	message from the client.
65	The purpose of the callback function is to validate the received PSK identity
66	and to fetch the pre-shared key used during the connection setup phase.
67	The callback is set using functions
68	.Fn SSL_CTX_set_psk_server_callback
69	or
70	.Fn SSL_set_psk_server_callback .
71	The callback function is given the connection in parameter
72	.Fa ssl ,
73	.Dv NULL Ns
74	-terminated PSK identity sent by the client in parameter
75	.Fa identity ,
76	and a buffer
77	.Fa psk
78	of length
79	.Fa max_psk_len
80	bytes where the pre-shared key is to be stored.
81	.Sh RETURN VALUES
82	.Fn SSL_CTX_use_psk_identity_hint
83	and
84	.Fn SSL_use_psk_identity_hint
85	return 1 on success, 0 otherwise.
86	.Pp
87	Return values from the server callback are interpreted as follows:
88	.Bl -tag -width Ds
89	.It >0
90	PSK identity was found and the server callback has provided the PSK
91	successfully in parameter
92	.Fa psk .
93	Return value is the length of
94	.Fa psk
95	in bytes.
96	It is an error to return a value greater than
97	.Fa max_psk_len .
98	.Pp
99	If the PSK identity was not found but the callback instructs the protocol to
100	continue anyway, the callback must provide some random data to
101	.Fa psk
102	and return the length of the random data, so the connection will fail with
103	.Dq decryption_error
104	before it will be finished completely.
105	.It 0
106	PSK identity was not found.
107	An
108	.Dq unknown_psk_identity
109	alert message will be sent and the connection setup fails.
110	.El


diff --git a/src/lib/libssl/man/SSL_get_psk_identity.3 b/src/lib/libssl/man/SSL_get_psk_identity.3 deleted file mode 100644 index a2f91ee1c7..0000000000 --- a/src/lib/libssl/man/SSL_get_psk_identity.3 +++ /dev/null
@@ -1,44 +0,0 @@
1	.\"
2	.\" $OpenBSD: SSL_get_psk_identity.3,v 1.1 2016/11/05 15:32:20 schwarze Exp $
3	.\"
4	.Dd $Mdocdate: November 5 2016 $
5	.Dt SSL_GET_PSK_IDENTITY 3
6	.Os
7	.Sh NAME
8	.Nm SSL_get_psk_identity ,
9	.Nm SSL_get_psk_identity_hint
10	.Nd get PSK client identity and hint
11	.Sh SYNOPSIS
12	.In openssl/ssl.h
13	.Ft const char *
14	.Fn SSL_get_psk_identity_hint "const SSL *ssl"
15	.Ft const char *
16	.Fn SSL_get_psk_identity "const SSL *ssl"
17	.Sh DESCRIPTION
18	.Fn SSL_get_psk_identity_hint
19	is used to retrieve the PSK identity hint used during the connection setup
20	related to
21	.Vt SSL
22	object
23	.Fa ssl .
24	Similarly,
25	.Fn SSL_get_psk_identity
26	is used to retrieve the PSK identity used during the connection setup.
27	.Sh RETURN VALUES
28	If
29	.Pf non- Dv NULL ,
30	.Fn SSL_get_psk_identity_hint
31	returns the PSK identity hint and
32	.Fn SSL_get_psk_identity
33	returns the PSK identity.
34	Both are
35	.Dv NULL Ns -terminated.
36	.Fn SSL_get_psk_identity_hint
37	may return
38	.Dv NULL
39	if no PSK identity hint was used during the connection setup.
40	.Pp
41	Note that the return value is valid only during the lifetime of the
42	.Vt SSL
43	object
44	.Fa ssl .


diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3 index 77a24144fe..283340e228 100644 --- a/src/lib/libssl/man/ssl.3 +++ b/src/lib/libssl/man/ssl.3
@@ -1,7 +1,7 @@
1	.\"	1	.\"
2	.\" $OpenBSD: ssl.3,v 1.2 2016/11/30 16:21:53 schwarze Exp $	2	.\" $OpenBSD: ssl.3,v 1.3 2016/12/01 16:02:14 schwarze Exp $
3	.\"	3	.\"
4	.Dd $Mdocdate: November 30 2016 $	4	.Dd $Mdocdate: December 1 2016 $
5	.Dt SSL 3	5	.Dt SSL 3
6	.Os	6	.Os
7	.Sh NAME	7	.Sh NAME
@@ -594,26 +594,6 @@ session instead of a context.
594	.Ft int	594	.Ft int
595	.Fn SSL_CTX_use_certificate_file "SSL_CTX ctx" "char file" "int type"	595	.Fn SSL_CTX_use_certificate_file "SSL_CTX ctx" "char file" "int type"
596	.Xc	596	.Xc
597	.It Xo
598	.Ft void
599	.Fo SSL_CTX_set_psk_client_callback
600	.Fa "SSL_CTX *ctx"
601	.Fa "unsigned int (callback)(SSL ssl, const char hint, char identity, \
602	unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)"
603	.Fc
604	.Xc
605	.It Xo
606	.Ft int
607	.Fn SSL_CTX_use_psk_identity_hint "SSL_CTX ctx" "const char hint"
608	.Xc
609	.It Xo
610	.Ft void
611	.Fo SSL_CTX_set_psk_server_callback
612	.Fa "SSL_CTX *ctx"
613	.Fa "unsigned int (callback)(SSL ssl, const char *identity, \
614	unsigned char *psk, int max_psk_len)"
615	.Fc
616	.Xc
617	.El	597	.El
618	.Ss DEALING WITH SESSIONS	598	.Ss DEALING WITH SESSIONS
619	Here we document the various API functions which deal with the SSL/TLS sessions	599	Here we document the various API functions which deal with the SSL/TLS sessions
@@ -1159,34 +1139,6 @@ size_t len, SSL ssl, void arg)"
1159	.Ft int	1139	.Ft int
1160	.Fn SSL_write "SSL ssl" "const void buf" "int num"	1140	.Fn SSL_write "SSL ssl" "const void buf" "int num"
1161	.Xc	1141	.Xc
1162	.It Xo
1163	.Ft void
1164	.Fo SSL_set_psk_client_callback
1165	.Fa "SSL *ssl"
1166	.Fa "unsigned int (callback)(SSL ssl, const char hint, char identity, \
1167	unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)"
1168	.Fc
1169	.Xc
1170	.It Xo
1171	.Ft int
1172	.Fn SSL_use_psk_identity_hint "SSL ssl" "const char hint"
1173	.Xc
1174	.It Xo
1175	.Ft void
1176	.Fo SSL_set_psk_server_callback
1177	.Fa "SSL *ssl"
1178	.Fa "unsigned int (callback)(SSL ssl, const char *identity, \
1179	unsigned char *psk, int max_psk_len)"
1180	.Fc
1181	.Xc
1182	.It Xo
1183	.Ft const char *
1184	.Fn SSL_get_psk_identity_hint "SSL *ssl"
1185	.Xc
1186	.It Xo
1187	.Ft const char *
1188	.Fn SSL_get_psk_identity "SSL *ssl"
1189	.Xc
1190	.El	1142	.El
1191	.Sh SEE ALSO	1143	.Sh SEE ALSO
1192	.Xr openssl 1 ,	1144	.Xr openssl 1 ,
@@ -1222,7 +1174,6 @@ unsigned char *psk, int max_psk_len)"
1222	.Xr SSL_CTX_set_mode 3 ,	1174	.Xr SSL_CTX_set_mode 3 ,
1223	.Xr SSL_CTX_set_msg_callback 3 ,	1175	.Xr SSL_CTX_set_msg_callback 3 ,
1224	.Xr SSL_CTX_set_options 3 ,	1176	.Xr SSL_CTX_set_options 3 ,
1225	.Xr SSL_CTX_set_psk_client_callback 3 ,
1226	.Xr SSL_CTX_set_quiet_shutdown 3 ,	1177	.Xr SSL_CTX_set_quiet_shutdown 3 ,
1227	.Xr SSL_CTX_set_session_cache_mode 3 ,	1178	.Xr SSL_CTX_set_session_cache_mode 3 ,
1228	.Xr SSL_CTX_set_session_id_context 3 ,	1179	.Xr SSL_CTX_set_session_id_context 3 ,
@@ -1232,7 +1183,6 @@ unsigned char *psk, int max_psk_len)"
1232	.Xr SSL_CTX_set_tmp_rsa_callback 3 ,	1183	.Xr SSL_CTX_set_tmp_rsa_callback 3 ,
1233	.Xr SSL_CTX_set_verify 3 ,	1184	.Xr SSL_CTX_set_verify 3 ,
1234	.Xr SSL_CTX_use_certificate 3 ,	1185	.Xr SSL_CTX_use_certificate 3 ,
1235	.Xr SSL_CTX_use_psk_identity_hint 3 ,
1236	.Xr SSL_do_handshake 3 ,	1186	.Xr SSL_do_handshake 3 ,
1237	.Xr SSL_get_ciphers 3 ,	1187	.Xr SSL_get_ciphers 3 ,
1238	.Xr SSL_get_client_CA_list 3 ,	1188	.Xr SSL_get_client_CA_list 3 ,
@@ -1242,7 +1192,6 @@ unsigned char *psk, int max_psk_len)"
1242	.Xr SSL_get_ex_new_index 3 ,	1192	.Xr SSL_get_ex_new_index 3 ,
1243	.Xr SSL_get_fd 3 ,	1193	.Xr SSL_get_fd 3 ,
1244	.Xr SSL_get_peer_cert_chain 3 ,	1194	.Xr SSL_get_peer_cert_chain 3 ,
1245	.Xr SSL_get_psk_identity 3 ,
1246	.Xr SSL_get_rbio 3 ,	1195	.Xr SSL_get_rbio 3 ,
1247	.Xr SSL_get_session 3 ,	1196	.Xr SSL_get_session 3 ,
1248	.Xr SSL_get_SSL_CTX 3 ,	1197	.Xr SSL_get_SSL_CTX 3 ,