1 files changed, 58 insertions, 35 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
index 29ff6a123e..5166b90605 100644
--- a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
+++ b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
@@ -1,7 +1,54 @@
+.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.2 2016/11/30 18:07:12 schwarze Exp $
+.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
-.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.1 2016/11/05 15:32:19 schwarze Exp $
+.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
+.\" Copyright (c) 2001, 2014 The OpenSSL Project.  All rights reserved.
 .\"
-.Dd $Mdocdate: November 5 2016 $
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 30 2016 $
 .Dt SSL_CTX_SET_GENERATE_SESSION_ID 3
 .Os
 .Sh NAME
@@ -11,10 +58,12 @@
 .Nd manipulate generation of SSL session IDs (server only)
 .Sh SYNOPSIS
 .In openssl/ssl.h
-.Bd -literal
+.Ft typedef int
- typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
+.Fo (*GEN_SESSION_CB)
-                               unsigned int *id_len);
+.Fa "const SSL *ssl"
-.Ed
+.Fa "unsigned char *id"
+.Fa "unsigned int *id_len"
+.Fc
 .Ft int
 .Fn SSL_CTX_set_generate_session_id "SSL_CTX *ctx" "GEN_SESSION_CB cb"
 .Ft int
@@ -46,12 +95,11 @@ checks, whether a session with id
 is already contained in the internal session cache
 of the parent context of
 .Fa ssl .
-.Sh NOTES
+.Pp
 When a new session is established between client and server,
 the server generates a session id.
 The session id is an arbitrary sequence of bytes.
-The length of the session id is 16 bytes for SSLv2 sessions and between 1 and
+The length of the session id is between 1 and 32 bytes.
-32 bytes for SSLv3/TLSv1.
 The session id is not security critical but must be unique for the server.
 Additionally, the session id is transmitted in the clear when reusing the
 session so it must not contain sensitive information.
@@ -80,17 +128,6 @@ or write to the location
 .Fa id
 exceeding the given limit.
 .Pp
-If a SSLv2 session id is generated and
-.Fa id_len
-is reduced, it will be restored after the callback has finished and the session
-id will be padded with 0x00.
-It is not recommended to change the
-.Fa id_len
-for SSLv2 sessions.
-The callback can use the
-.Xr SSL_get_version 3
-function to check whether the session is of type SSLv2.
-.Pp
 The location
 .Fa id
 is filled with 0x00 before the callback is called,
@@ -101,7 +138,7 @@ untouched while maintaining reproducibility.
 Since the sessions must be distinguished, session ids must be unique.
 Without the callback a random number is used,
 so that the probability of generating the same session id is extremely small
-(2^128 possible ids for an SSLv2 session, 2^256 for SSLv3/TLSv1).
+(2^256 for TLSv1).
 In order to ensure the uniqueness of the generated session id,
 the callback must call
 .Fn SSL_has_matching_session_id
@@ -128,13 +165,6 @@ since the external cache is not tested with
 .Fn SSL_has_matching_session_id
 and the same race condition applies.
 .Pp
-When calling
-.Fn SSL_has_matching_session_id
-for an SSLv2 session with reduced
-.Fa id_len Ns  ,
-the match operation will be performed using the fixed length required and with
-a 0x00 padded id.
-.Pp
 The callback must return 0 if it cannot generate a session id for whatever
 reason and return 1 on success.
 .Sh RETURN VALUES
@@ -157,13 +187,6 @@ generate_session_id(const SSL *ssl, unsigned char *id,
    unsigned int *id_len)
 {
        unsigned int count = 0;
-        const char *version;
-        version = SSL_get_version(ssl);
-        if (!strcmp(version, "SSLv2")) {
-                /* we must not change id_len */
-                ;
-        }
        do {
                RAND_pseudo_bytes(id, *id_len);

diff --git a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 index 29ff6a123e..5166b90605 100644 --- a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 +++ b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
@@ -1,7 +1,54 @@
		1	.\" $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.2 2016/11/30 18:07:12 schwarze Exp $
		2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
1	.\"	3	.\"
2	.\" $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.1 2016/11/05 15:32:19 schwarze Exp $	4	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
		5	.\" Copyright (c) 2001, 2014 The OpenSSL Project. All rights reserved.
3	.\"	6	.\"
4	.Dd $Mdocdate: November 5 2016 $	7	.\" Redistribution and use in source and binary forms, with or without
		8	.\" modification, are permitted provided that the following conditions
		9	.\" are met:
		10	.\"
		11	.\" 1. Redistributions of source code must retain the above copyright
		12	.\" notice, this list of conditions and the following disclaimer.
		13	.\"
		14	.\" 2. Redistributions in binary form must reproduce the above copyright
		15	.\" notice, this list of conditions and the following disclaimer in
		16	.\" the documentation and/or other materials provided with the
		17	.\" distribution.
		18	.\"
		19	.\" 3. All advertising materials mentioning features or use of this
		20	.\" software must display the following acknowledgment:
		21	.\" "This product includes software developed by the OpenSSL Project
		22	.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
		23	.\"
		24	.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
		25	.\" endorse or promote products derived from this software without
		26	.\" prior written permission. For written permission, please contact
		27	.\" openssl-core@openssl.org.
		28	.\"
		29	.\" 5. Products derived from this software may not be called "OpenSSL"
		30	.\" nor may "OpenSSL" appear in their names without prior written
		31	.\" permission of the OpenSSL Project.
		32	.\"
		33	.\" 6. Redistributions of any form whatsoever must retain the following
		34	.\" acknowledgment:
		35	.\" "This product includes software developed by the OpenSSL Project
		36	.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
		37	.\"
		38	.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
		39	.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		40	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
		41	.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
		42	.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
		43	.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		44	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
		45	.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		46	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
		47	.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
		48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
		49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
		50	.\"
		51	.Dd $Mdocdate: November 30 2016 $
5	.Dt SSL_CTX_SET_GENERATE_SESSION_ID 3	52	.Dt SSL_CTX_SET_GENERATE_SESSION_ID 3
6	.Os	53	.Os
7	.Sh NAME	54	.Sh NAME
@@ -11,10 +58,12 @@
11	.Nd manipulate generation of SSL session IDs (server only)	58	.Nd manipulate generation of SSL session IDs (server only)
12	.Sh SYNOPSIS	59	.Sh SYNOPSIS
13	.In openssl/ssl.h	60	.In openssl/ssl.h
14	.Bd -literal	61	.Ft typedef int
15	typedef int (GEN_SESSION_CB)(const SSL ssl, unsigned char *id,	62	.Fo (*GEN_SESSION_CB)
16	unsigned int *id_len);	63	.Fa "const SSL *ssl"
17	.Ed	64	.Fa "unsigned char *id"
		65	.Fa "unsigned int *id_len"
		66	.Fc
18	.Ft int	67	.Ft int
19	.Fn SSL_CTX_set_generate_session_id "SSL_CTX *ctx" "GEN_SESSION_CB cb"	68	.Fn SSL_CTX_set_generate_session_id "SSL_CTX *ctx" "GEN_SESSION_CB cb"
20	.Ft int	69	.Ft int
@@ -46,12 +95,11 @@ checks, whether a session with id
46	is already contained in the internal session cache	95	is already contained in the internal session cache
47	of the parent context of	96	of the parent context of
48	.Fa ssl .	97	.Fa ssl .
49	.Sh NOTES	98	.Pp
50	When a new session is established between client and server,	99	When a new session is established between client and server,
51	the server generates a session id.	100	the server generates a session id.
52	The session id is an arbitrary sequence of bytes.	101	The session id is an arbitrary sequence of bytes.
53	The length of the session id is 16 bytes for SSLv2 sessions and between 1 and	102	The length of the session id is between 1 and 32 bytes.
54	32 bytes for SSLv3/TLSv1.
55	The session id is not security critical but must be unique for the server.	103	The session id is not security critical but must be unique for the server.
56	Additionally, the session id is transmitted in the clear when reusing the	104	Additionally, the session id is transmitted in the clear when reusing the
57	session so it must not contain sensitive information.	105	session so it must not contain sensitive information.
@@ -80,17 +128,6 @@ or write to the location
80	.Fa id	128	.Fa id
81	exceeding the given limit.	129	exceeding the given limit.
82	.Pp	130	.Pp
83	If a SSLv2 session id is generated and
84	.Fa id_len
85	is reduced, it will be restored after the callback has finished and the session
86	id will be padded with 0x00.
87	It is not recommended to change the
88	.Fa id_len
89	for SSLv2 sessions.
90	The callback can use the
91	.Xr SSL_get_version 3
92	function to check whether the session is of type SSLv2.
93	.Pp
94	The location	131	The location
95	.Fa id	132	.Fa id
96	is filled with 0x00 before the callback is called,	133	is filled with 0x00 before the callback is called,
@@ -101,7 +138,7 @@ untouched while maintaining reproducibility.
101	Since the sessions must be distinguished, session ids must be unique.	138	Since the sessions must be distinguished, session ids must be unique.
102	Without the callback a random number is used,	139	Without the callback a random number is used,
103	so that the probability of generating the same session id is extremely small	140	so that the probability of generating the same session id is extremely small
104	(2^128 possible ids for an SSLv2 session, 2^256 for SSLv3/TLSv1).	141	(2^256 for TLSv1).
105	In order to ensure the uniqueness of the generated session id,	142	In order to ensure the uniqueness of the generated session id,
106	the callback must call	143	the callback must call
107	.Fn SSL_has_matching_session_id	144	.Fn SSL_has_matching_session_id
@@ -128,13 +165,6 @@ since the external cache is not tested with
128	.Fn SSL_has_matching_session_id	165	.Fn SSL_has_matching_session_id
129	and the same race condition applies.	166	and the same race condition applies.
130	.Pp	167	.Pp
131	When calling
132	.Fn SSL_has_matching_session_id
133	for an SSLv2 session with reduced
134	.Fa id_len Ns ,
135	the match operation will be performed using the fixed length required and with
136	a 0x00 padded id.
137	.Pp
138	The callback must return 0 if it cannot generate a session id for whatever	168	The callback must return 0 if it cannot generate a session id for whatever
139	reason and return 1 on success.	169	reason and return 1 on success.
140	.Sh RETURN VALUES	170	.Sh RETURN VALUES
@@ -157,13 +187,6 @@ generate_session_id(const SSL ssl, unsigned char id,
157	unsigned int *id_len)	187	unsigned int *id_len)
158	{	188	{
159	unsigned int count = 0;	189	unsigned int count = 0;
160	const char *version;
161
162	version = SSL_get_version(ssl);
163	if (!strcmp(version, "SSLv2")) {
164	/* we must not change id_len */
165	;
166	}
167		190
168	do {	191	do {
169	RAND_pseudo_bytes(id, *id_len);	192	RAND_pseudo_bytes(id, *id_len);