1 files changed, 103 insertions, 57 deletions
diff --git a/src/lib/libssl/man/SSL_get_ciphers.3 b/src/lib/libssl/man/SSL_get_ciphers.3
index 07361da461..5ff1f69c42 100644
--- a/src/lib/libssl/man/SSL_get_ciphers.3
+++ b/src/lib/libssl/man/SSL_get_ciphers.3
@@ -1,10 +1,28 @@
-.\" $OpenBSD: SSL_get_ciphers.3,v 1.7 2019/01/22 01:18:24 tb Exp $
+.\" $OpenBSD: SSL_get_ciphers.3,v 1.8 2020/09/15 14:51:42 schwarze Exp $
-.\" full merge up to: OpenSSL c3e64028 Mar 30 11:50:14 2005 +0000
+.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
+.\" This file is a derived work.
-.\" Nick Mathewson <nickm@torproject.org>, and Kazuki Yamaguchi <k@rhe.jp>.
+.\" The changes are covered by the following Copyright and license:
-.\" Copyright (c) 2000, 2005, 2015, 2016 The OpenSSL Project.
+.\"
+.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Lutz Jaenicke <jaenicke@openssl.org>,
+.\" Nick Mathewson <nickm@torproject.org>, Kurt Roeckx <kurt@roeckx.be>,
+.\" Kazuki Yamaguchi <k@rhe.jp>, and Benjamin Kaduk <bkaduk@akamai.com>.
+.\" Copyright (c) 2000, 2005, 2015, 2016, 2017 The OpenSSL Project.
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -51,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 22 2019 $
+.Dd $Mdocdate: September 15 2020 $
 .Dt SSL_GET_CIPHERS 3
 .Os
 .Sh NAME
@@ -60,7 +78,7 @@
 .Nm SSL_get1_supported_ciphers ,
 .Nm SSL_get_client_ciphers ,
 .Nm SSL_get_cipher_list
-.Nd get list of available SSL_CIPHERs
+.Nd get lists of available SSL_CIPHERs
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft STACK_OF(SSL_CIPHER) *
@@ -80,13 +98,6 @@ returns the stack of available
 for
 .Fa ssl ,
 sorted by preference.
-If
-.Fa ssl
-is
-.Dv NULL
-or no ciphers are available,
-.Dv NULL
-is returned.
 .Pp
 .Fn SSL_CTX_get_ciphers
 returns the stack of available
@@ -95,7 +106,7 @@ for
 .Fa ctx .
 .Pp
 .Fn SSL_get1_supported_ciphers
-returns the stack of enabled
+returns a stack of enabled
 .Vt SSL_CIPHER Ns s
 for
 .Fa ssl
@@ -110,40 +121,12 @@ For example,
 additional ciphers may be usable by a server if there is a gap in the
 list of supported protocols, and some ciphers may not be usable by a
 server if there is not a suitable certificate configured.
-If
-.Fa ssl
-is
-.Dv NULL
-or no ciphers are available,
-.Dv NULL
-is returned.
 .Pp
 .Fn SSL_get_client_ciphers
 returns the stack of available
 .Vt SSL_CIPHER Ns s
 matching the list received from the client on
 .Fa ssl .
-If
-.Fa ssl
-is
-.Dv NULL ,
-no ciphers are available, or
-.Fa ssl
-is not operating in server mode,
-.Dv NULL
-is returned.
-.Pp
-.Fn SSL_get_ciphers ,
-.Fn SSL_CTX_get_ciphers ,
-and
-.Fn SSL_get_client_ciphers
-return pointers to internal cipher stacks, which will be freed
-later on when the
-.Vt SSL
-or
-.Vt SSL_CTX
-object is freed.
-Therefore, the calling code must not free the return value itself.
 .Pp
 The details of the ciphers obtained by
 .Fn SSL_get_ciphers ,
@@ -156,29 +139,92 @@ can be obtained using the
 family of functions.
 .Pp
 .Fn SSL_get_cipher_list
-returns a pointer to the name of the
+is badly misnamed; it does not return a list.
-.Vt SSL_CIPHER
+Instead, it returns the name of one element of the return value of
-listed for
+.Fn SSL_get_ciphers ,
+with the index given by the
+.Fa priority
+argument.
+Passing 0 selects the cipher with the highest priority.
+To iterate over all available ciphers in decreasing priority,
+repeatedly increment the argument by 1 until
+.Dv NULL
+is returned.
+.Sh RETURN VALUES
+.Fn SSL_get_ciphers
+returns an internal pointer to a list of ciphers or
+.Dv NULL
+if
+.Fa ssl
+is
+.Dv NULL
+or if no ciphers are available.
+The returned pointer may not only become invalid when
 .Fa ssl
-with
+is destroyed or when
-.Fa priority .
+.Xr SSL_set_cipher_list 3
+is called on it, but also when the
+.Vt SSL_CTX
+object is destroyed that
+.Fa SSL
+was created from or when
+.Xr SSL_CTX_set_cipher_list 3
+is called on that context object.
+.Pp
+.Fn SSL_CTX_get_ciphers
+returns an internal pointer to a list of ciphers or
+.Dv NULL
+if no ciphers are available.
 If
+.Fa ctx
+is
+.Dv NULL ,
+calling this function crashes the program.
+The returned pointer becomes invalid when
+.Fa ctx
+is destroyed or when
+.Xr SSL_CTX_set_cipher_list 3
+is called on it.
+.Pp
+.Fn SSL_get1_supported_ciphers
+returns a newly allocated list of ciphers or
+.Dv NULL
+if
 .Fa ssl
 is
 .Dv NULL ,
-no ciphers are available, or there are fewer ciphers than
+if no ciphers are available, or if an error occurs.
-.Fa priority
+When the returned pointer is no longer needed, the caller is
-available,
+responsible for freeing it using
+.Fn sk_SSL_CIPHER_free .
+.Pp
+.Fn SSL_get_client_ciphers
+returns an internal pointer to a list of ciphers or
 .Dv NULL
-is returned.
+if
+.Fa ssl
+is
+.Dv NULL ,
+has no active session,
+or is not operating in server mode.
+The returned pointer becomes invalid when the
+.Vt SSL_SESSION
+object is destroyed, even if the
+.Fa ssl
+object remains valid.
+It may also become invalid in other circumstances,
+for example when processing a new ClientHello.
 .Pp
-Call
 .Fn SSL_get_cipher_list
-with
+returns an internal pointer to a string or
-.Fa priority
-starting from 0 to obtain the sorted list of available ciphers, until
 .Dv NULL
-is returned.
+if
+.Fa ssl
+is
+.Dv NULL ,
+if no ciphers are available, or if
+.Fa priority
+is greater than or equal to the number of available ciphers.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_CIPHER_get_name 3 ,

diff --git a/src/lib/libssl/man/SSL_get_ciphers.3 b/src/lib/libssl/man/SSL_get_ciphers.3 index 07361da461..5ff1f69c42 100644 --- a/src/lib/libssl/man/SSL_get_ciphers.3 +++ b/src/lib/libssl/man/SSL_get_ciphers.3
@@ -1,10 +1,28 @@
1	.\" $OpenBSD: SSL_get_ciphers.3,v 1.7 2019/01/22 01:18:24 tb Exp $	1	.\" $OpenBSD: SSL_get_ciphers.3,v 1.8 2020/09/15 14:51:42 schwarze Exp $
2	.\" full merge up to: OpenSSL c3e64028 Mar 30 11:50:14 2005 +0000	2	.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
3	.\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100	3	.\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
4	.\"	4	.\"
5	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,	5	.\" This file is a derived work.
6	.\" Nick Mathewson <nickm@torproject.org>, and Kazuki Yamaguchi <k@rhe.jp>.	6	.\" The changes are covered by the following Copyright and license:
7	.\" Copyright (c) 2000, 2005, 2015, 2016 The OpenSSL Project.	7	.\"
		8	.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
		9	.\"
		10	.\" Permission to use, copy, modify, and distribute this software for any
		11	.\" purpose with or without fee is hereby granted, provided that the above
		12	.\" copyright notice and this permission notice appear in all copies.
		13	.\"
		14	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		15	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		16	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		17	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		18	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		19	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		20	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		21	.\"
		22	.\" The original file was written by Lutz Jaenicke <jaenicke@openssl.org>,
		23	.\" Nick Mathewson <nickm@torproject.org>, Kurt Roeckx <kurt@roeckx.be>,
		24	.\" Kazuki Yamaguchi <k@rhe.jp>, and Benjamin Kaduk <bkaduk@akamai.com>.
		25	.\" Copyright (c) 2000, 2005, 2015, 2016, 2017 The OpenSSL Project.
8	.\" All rights reserved.	26	.\" All rights reserved.
9	.\"	27	.\"
10	.\" Redistribution and use in source and binary forms, with or without	28	.\" Redistribution and use in source and binary forms, with or without
@@ -51,7 +69,7 @@
51	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	69	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
52	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	70	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
53	.\"	71	.\"
54	.Dd $Mdocdate: January 22 2019 $	72	.Dd $Mdocdate: September 15 2020 $
55	.Dt SSL_GET_CIPHERS 3	73	.Dt SSL_GET_CIPHERS 3
56	.Os	74	.Os
57	.Sh NAME	75	.Sh NAME
@@ -60,7 +78,7 @@
60	.Nm SSL_get1_supported_ciphers ,	78	.Nm SSL_get1_supported_ciphers ,
61	.Nm SSL_get_client_ciphers ,	79	.Nm SSL_get_client_ciphers ,
62	.Nm SSL_get_cipher_list	80	.Nm SSL_get_cipher_list
63	.Nd get list of available SSL_CIPHERs	81	.Nd get lists of available SSL_CIPHERs
64	.Sh SYNOPSIS	82	.Sh SYNOPSIS
65	.In openssl/ssl.h	83	.In openssl/ssl.h
66	.Ft STACK_OF(SSL_CIPHER) *	84	.Ft STACK_OF(SSL_CIPHER) *
@@ -80,13 +98,6 @@ returns the stack of available
80	for	98	for
81	.Fa ssl ,	99	.Fa ssl ,
82	sorted by preference.	100	sorted by preference.
83	If
84	.Fa ssl
85	is
86	.Dv NULL
87	or no ciphers are available,
88	.Dv NULL
89	is returned.
90	.Pp	101	.Pp
91	.Fn SSL_CTX_get_ciphers	102	.Fn SSL_CTX_get_ciphers
92	returns the stack of available	103	returns the stack of available
@@ -95,7 +106,7 @@ for
95	.Fa ctx .	106	.Fa ctx .
96	.Pp	107	.Pp
97	.Fn SSL_get1_supported_ciphers	108	.Fn SSL_get1_supported_ciphers
98	returns the stack of enabled	109	returns a stack of enabled
99	.Vt SSL_CIPHER Ns s	110	.Vt SSL_CIPHER Ns s
100	for	111	for
101	.Fa ssl	112	.Fa ssl
@@ -110,40 +121,12 @@ For example,
110	additional ciphers may be usable by a server if there is a gap in the	121	additional ciphers may be usable by a server if there is a gap in the
111	list of supported protocols, and some ciphers may not be usable by a	122	list of supported protocols, and some ciphers may not be usable by a
112	server if there is not a suitable certificate configured.	123	server if there is not a suitable certificate configured.
113	If
114	.Fa ssl
115	is
116	.Dv NULL
117	or no ciphers are available,
118	.Dv NULL
119	is returned.
120	.Pp	124	.Pp
121	.Fn SSL_get_client_ciphers	125	.Fn SSL_get_client_ciphers
122	returns the stack of available	126	returns the stack of available
123	.Vt SSL_CIPHER Ns s	127	.Vt SSL_CIPHER Ns s
124	matching the list received from the client on	128	matching the list received from the client on
125	.Fa ssl .	129	.Fa ssl .
126	If
127	.Fa ssl
128	is
129	.Dv NULL ,
130	no ciphers are available, or
131	.Fa ssl
132	is not operating in server mode,
133	.Dv NULL
134	is returned.
135	.Pp
136	.Fn SSL_get_ciphers ,
137	.Fn SSL_CTX_get_ciphers ,
138	and
139	.Fn SSL_get_client_ciphers
140	return pointers to internal cipher stacks, which will be freed
141	later on when the
142	.Vt SSL
143	or
144	.Vt SSL_CTX
145	object is freed.
146	Therefore, the calling code must not free the return value itself.
147	.Pp	130	.Pp
148	The details of the ciphers obtained by	131	The details of the ciphers obtained by
149	.Fn SSL_get_ciphers ,	132	.Fn SSL_get_ciphers ,
@@ -156,29 +139,92 @@ can be obtained using the
156	family of functions.	139	family of functions.
157	.Pp	140	.Pp
158	.Fn SSL_get_cipher_list	141	.Fn SSL_get_cipher_list
159	returns a pointer to the name of the	142	is badly misnamed; it does not return a list.
160	.Vt SSL_CIPHER	143	Instead, it returns the name of one element of the return value of
161	listed for	144	.Fn SSL_get_ciphers ,
		145	with the index given by the
		146	.Fa priority
		147	argument.
		148	Passing 0 selects the cipher with the highest priority.
		149	To iterate over all available ciphers in decreasing priority,
		150	repeatedly increment the argument by 1 until
		151	.Dv NULL
		152	is returned.
		153	.Sh RETURN VALUES
		154	.Fn SSL_get_ciphers
		155	returns an internal pointer to a list of ciphers or
		156	.Dv NULL
		157	if
		158	.Fa ssl
		159	is
		160	.Dv NULL
		161	or if no ciphers are available.
		162	The returned pointer may not only become invalid when
162	.Fa ssl	163	.Fa ssl
163	with	164	is destroyed or when
164	.Fa priority .	165	.Xr SSL_set_cipher_list 3
		166	is called on it, but also when the
		167	.Vt SSL_CTX
		168	object is destroyed that
		169	.Fa SSL
		170	was created from or when
		171	.Xr SSL_CTX_set_cipher_list 3
		172	is called on that context object.
		173	.Pp
		174	.Fn SSL_CTX_get_ciphers
		175	returns an internal pointer to a list of ciphers or
		176	.Dv NULL
		177	if no ciphers are available.
165	If	178	If
		179	.Fa ctx
		180	is
		181	.Dv NULL ,
		182	calling this function crashes the program.
		183	The returned pointer becomes invalid when
		184	.Fa ctx
		185	is destroyed or when
		186	.Xr SSL_CTX_set_cipher_list 3
		187	is called on it.
		188	.Pp
		189	.Fn SSL_get1_supported_ciphers
		190	returns a newly allocated list of ciphers or
		191	.Dv NULL
		192	if
166	.Fa ssl	193	.Fa ssl
167	is	194	is
168	.Dv NULL ,	195	.Dv NULL ,
169	no ciphers are available, or there are fewer ciphers than	196	if no ciphers are available, or if an error occurs.
170	.Fa priority	197	When the returned pointer is no longer needed, the caller is
171	available,	198	responsible for freeing it using
		199	.Fn sk_SSL_CIPHER_free .
		200	.Pp
		201	.Fn SSL_get_client_ciphers
		202	returns an internal pointer to a list of ciphers or
172	.Dv NULL	203	.Dv NULL
173	is returned.	204	if
		205	.Fa ssl
		206	is
		207	.Dv NULL ,
		208	has no active session,
		209	or is not operating in server mode.
		210	The returned pointer becomes invalid when the
		211	.Vt SSL_SESSION
		212	object is destroyed, even if the
		213	.Fa ssl
		214	object remains valid.
		215	It may also become invalid in other circumstances,
		216	for example when processing a new ClientHello.
174	.Pp	217	.Pp
175	Call
176	.Fn SSL_get_cipher_list	218	.Fn SSL_get_cipher_list
177	with	219	returns an internal pointer to a string or
178	.Fa priority
179	starting from 0 to obtain the sorted list of available ciphers, until
180	.Dv NULL	220	.Dv NULL
181	is returned.	221	if
		222	.Fa ssl
		223	is
		224	.Dv NULL ,
		225	if no ciphers are available, or if
		226	.Fa priority
		227	is greater than or equal to the number of available ciphers.
182	.Sh SEE ALSO	228	.Sh SEE ALSO
183	.Xr ssl 3 ,	229	.Xr ssl 3 ,
184	.Xr SSL_CIPHER_get_name 3 ,	230	.Xr SSL_CIPHER_get_name 3 ,