List: openssl-dev
Subject: Re: [openssl-dev] Missing API features
From: Richard Moore <richmoore44 () gmail ! com>
Date: 2015-04-20 20:21:43
Message-ID: CAMp7mVuSQiFRn=1KyZm7rQGQ1NaBX+ThdTscFKvR0O1CBwUG4Q () mail ! gmail ! com
On 20 April 2015 at 15:33, Salz, Rich <rsalz@akamai.com> wrote:
> > Continuing with the problems of making structs opaque, currently the API
> > for querying the information about ciphers is quite weak. Only
> > SSL_CIPHER_description provides access to data such as the key exchange
> > method, and parsing a string to obtain this information seems daft. We're
> > missing API for: key exchange, authentication method, encryption
> > algorithm, MAC and the export flag.
>
> (Man, outlook makes it hard to NOT top-post. Sigh.)
>
> Since all of those are implied by the cipher spec, could we just have an
> API to return the two-byte cipher identifier? (That would break if TLS 1.3
> moves to "a la carte" selection, but I doubt that will happen.) Export is
> gone :) And what's the MAC if using an AEAD cipher like AES-GCM?
>
>
Just returning the cipher id would mean every app needs to replicate the
table that openssl already has, and keep it updated. Doesn't seem like a
good plan to me. According to the current code in openssl the 'MAC' when
using AES-GCM is AEAD - not ideal perhaps, but what we've got.
> > It's also worth noting that SSL_CIPHER_get_version and
> > SSL_CIPHER_description should probably be returning const char * not char *.
>
> Yes, is that a bug to backport or just fix in master, you think?
>
Changing the return type here should be binary compatible on any sane
platform, but it might cause source incompatibilities.
Cheers
Rich.
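The complaint above is that the only way to learn a negotiated suite's key exchange, authentication, encryption and MAC from the OpenSSL API of the time is to call SSL_CIPHER_description() (signature: char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size)) and parse its text. The following is an added example, not code from this thread or from OpenSSL, of exactly that string parsing. It assumes the line layout OpenSSL 1.0.x/1.1.x produces, "<name> <version> Kx=... Au=... Enc=...(bits) Mac=...", with a trailing "export" token only in releases that still carried export suites, and it treats Mac=AEAD as "no separate MAC", matching what the reply says the current code prints for AES-GCM. The three sample lines are constructed to that format, not captured output, so the file builds and runs without linking OpenSSL; in a real program you would fill the buffer with SSL_CIPHER_description(SSL_get_current_cipher(ssl), buf, sizeof buf) instead.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields recovered from one SSL_CIPHER_description() line, assumed format:
 * "<name> <version> Kx=<kx> Au=<au> Enc=<enc>(<bits>) Mac=<mac>[ export]" */
typedef struct {
    char name[64];
    char version[16];
    char kx[24];      /* key exchange, e.g. ECDH, DH, RSA */
    int  kx_bits;     /* parenthesised size on Kx, e.g. RSA(512); 0 if none */
    char au[16];      /* authentication, e.g. RSA, ECDSA */
    char enc[24];     /* symmetric algorithm, e.g. AESGCM, AES, RC4 */
    int  enc_bits;    /* parenthesised key size on Enc; 0 if none */
    char mac[16];     /* MAC algorithm, or "AEAD" for authenticated-encryption suites */
    int  aead;        /* 1 when Mac=AEAD, i.e. there is no separate MAC */
    int  export_flag; /* 1 when the legacy "export" marker is present */
} cipher_desc;

/* Constructed sample lines in the assumed format (not captured OpenSSL output). */
static const char *const SAMPLE_GCM =
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD\n";
static const char *const SAMPLE_CBC =
    "DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1\n";
static const char *const SAMPLE_EXPORT =
    "EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export\n";

/* Bounded copy: truncates instead of overflowing the destination. */
static void copy_tok(char *dst, size_t dstlen, const char *src, size_t len)
{
    if (len >= dstlen)
        len = dstlen - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Skip whitespace from pos, set *start to the token start, return one past its end. */
static size_t next_token(const char *s, size_t pos, size_t *start)
{
    while (s[pos] != '\0' && isspace((unsigned char)s[pos]))
        pos++;
    *start = pos;
    while (s[pos] != '\0' && !isspace((unsigned char)s[pos]))
        pos++;
    return pos;
}

/* Remove a trailing "(N)" from val in place and return N (0 if absent). */
static int strip_bits(char *val)
{
    char *paren = strchr(val, '(');
    int bits = 0;
    if (paren != NULL) {
        bits = atoi(paren + 1);
        *paren = '\0';
    }
    return bits;
}

/* Returns 1 if name, version and all of Kx/Au/Enc/Mac were found, 0 otherwise. */
int parse_cipher_description(const char *line, cipher_desc *out)
{
    size_t pos, start, end;
    int seen = 0;                  /* bitmask: 1=Kx 2=Au 4=Enc 8=Mac */
    char tok[64];

    memset(out, 0, sizeof(*out));
    end = next_token(line, 0, &start);
    if (end == start)
        return 0;
    copy_tok(out->name, sizeof(out->name), line + start, end - start);
    end = next_token(line, end, &start);
    if (end == start)
        return 0;
    copy_tok(out->version, sizeof(out->version), line + start, end - start);

    for (pos = end;; pos = end) {
        end = next_token(line, pos, &start);
        if (end == start)
            break;
        copy_tok(tok, sizeof(tok), line + start, end - start);
        if (strncmp(tok, "Kx=", 3) == 0) {
            copy_tok(out->kx, sizeof(out->kx), tok + 3, strlen(tok + 3));
            out->kx_bits = strip_bits(out->kx);
            seen |= 1;
        } else if (strncmp(tok, "Au=", 3) == 0) {
            copy_tok(out->au, sizeof(out->au), tok + 3, strlen(tok + 3));
            seen |= 2;
        } else if (strncmp(tok, "Enc=", 4) == 0) {
            copy_tok(out->enc, sizeof(out->enc), tok + 4, strlen(tok + 4));
            out->enc_bits = strip_bits(out->enc);
            seen |= 4;
        } else if (strncmp(tok, "Mac=", 4) == 0) {
            copy_tok(out->mac, sizeof(out->mac), tok + 4, strlen(tok + 4));
            out->aead = (strcmp(out->mac, "AEAD") == 0);
            seen |= 8;
        } else if (strcmp(tok, "export") == 0) {
            out->export_flag = 1;
        } else {
            return 0;              /* unexpected token: the format has changed */
        }
    }
    return seen == 15;
}

int main(void)
{
    const char *const samples[] = { SAMPLE_GCM, SAMPLE_CBC, SAMPLE_EXPORT };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        cipher_desc d;
        if (!parse_cipher_description(samples[i], &d)) {
            printf("unparsable: %s", samples[i]);
            continue;
        }
        printf("%-28s kx=%s(%d) au=%s enc=%s/%d mac=%s aead=%d export=%d\n", d.name,
               d.kx, d.kx_bits, d.au, d.enc, d.enc_bits, d.mac, d.aead, d.export_flag);
    }
    return 0;
}
```

The parser refuses any token it does not recognise rather than guessing, which is the fragility the thread is pointing at: every consumer of this string has to track OpenSSL's formatting, and a new field or a reworded one silently breaks it. That is the case for dedicated accessors rather than either string parsing or, as the reply argues, having each application carry its own copy of the cipher table keyed by the two-byte identifier.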
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev