Home Explore Help
Register Sign In
Apq
/
winscp
mirror of https://github.com/winscp/winscp.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: efa8db8eec
Branches Tags
winscp
/
libs
/
openssl
/
doc
/
man3
/
SSL_CTX_set1_curves.pod

SSL_CTX_set1_curves.pod 8.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189 
  1. =pod
    2. 

  2. 

  3. =head1 NAME
    4. 

  4. 

  5. SSL_CTX_set1_groups, SSL_CTX_set1_groups_list, SSL_set1_groups,
    6. 

  6. SSL_set1_groups_list, SSL_get1_groups, SSL_get0_iana_groups,
    7. 

  7. SSL_get_shared_group, SSL_get_negotiated_group, SSL_CTX_set1_curves,
    8. 

  8. SSL_CTX_set1_curves_list, SSL_set1_curves, SSL_set1_curves_list,
    9. 

  9. SSL_get1_curves, SSL_get_shared_curve
    10. 

  10. - EC supported curve functions
    11. 

  11. 

  12. =head1 SYNOPSIS
    13. 

  13. 

  14.  #include <openssl/ssl.h>
    15. 

  15. 

  16.  int SSL_CTX_set1_groups(SSL_CTX *ctx, int *glist, int glistlen);
    17. 

  17.  int SSL_CTX_set1_groups_list(SSL_CTX *ctx, char *list);
    18. 

  18. 

  19.  int SSL_set1_groups(SSL *ssl, int *glist, int glistlen);
    20. 

  20.  int SSL_set1_groups_list(SSL *ssl, char *list);
    21. 

  21. 

  22.  int SSL_get1_groups(SSL *ssl, int *groups);
    23. 

  23.  int SSL_get0_iana_groups(SSL *ssl, uint16_t **out);
    24. 

  24.  int SSL_get_shared_group(SSL *s, int n);
    25. 

  25.  int SSL_get_negotiated_group(SSL *s);
    26. 

  26. 

  27.  int SSL_CTX_set1_curves(SSL_CTX *ctx, int *clist, int clistlen);
    28. 

  28.  int SSL_CTX_set1_curves_list(SSL_CTX *ctx, char *list);
    29. 

  29. 

  30.  int SSL_set1_curves(SSL *ssl, int *clist, int clistlen);
    31. 

  31.  int SSL_set1_curves_list(SSL *ssl, char *list);
    32. 

  32. 

  33.  int SSL_get1_curves(SSL *ssl, int *curves);
    34. 

  34.  int SSL_get_shared_curve(SSL *s, int n);
    35. 

  35. 

  36. =head1 DESCRIPTION
    37. 

  37. 

  38. For all of the functions below that set the supported groups there must be at
    39. 

  39. least one group in the list. A number of these functions identify groups via a
    40. 

  40. unique integer NID value. However, support for some groups may be added by
    41. 

  41. external providers. In this case there will be no NID assigned for the group.
    42. 

  42. When setting such groups applications should use the "list" form of these
    43. 

  43. functions (i.e. SSL_CTX_set1_groups_list() and SSL_set1_groups_list).
    44. 

  44. 

  45. SSL_CTX_set1_groups() sets the supported groups for B<ctx> to B<glistlen>
    46. 

  46. groups in the array B<glist>. The array consist of all NIDs of supported groups.
    47. 

  47. Currently supported groups for B<TLSv1.3> are B<NID_X9_62_prime256v1>,
    48. 

  48. B<NID_secp384r1>, B<NID_secp521r1>, B<NID_X25519>, B<NID_X448>,
    49. 

  49. B<NID_brainpoolP256r1tls13>, B<NID_brainpoolP384r1tls13>,
    50. 

  50. B<NID_brainpoolP512r1tls13>, B<NID_ffdhe2048>, B<NID_ffdhe3072>,
    51. 

  51. B<NID_ffdhe4096>, B<NID_ffdhe6144> and B<NID_ffdhe8192>.
    52. 

  52. OpenSSL will use this array in different ways depending on TLS role and version:
    53. 

  53. 

  54. =over 4
    55. 

  55. 

  56. =item For a TLS client, the groups are used directly in the supported groups
    57. 

  57. extension. The extension's preference order, to be evaluated by the server, is
    58. 

  58. determined by the order of the elements in the array.
    59. 

  59. 

  60. =item For a TLS 1.2 server, the groups determine the selected group. If
    61. 

  61. B<SSL_OP_CIPHER_SERVER_PREFERENCE> is set, the order of the elements in the
    62. 

  62. array determines the selected group. Otherwise, the order is ignored and the
    63. 

  63. client's order determines the selection.
    64. 

  64. 

  65. =item For a TLS 1.3 server, the groups determine the selected group, but
    66. 

  66. selection is more complex. A TLS 1.3 client sends both a group list as well as a
    67. 

  67. predicted subset of groups. Choosing a group outside the predicted subset incurs
    68. 

  68. an extra roundtrip. However, in some situations, the most preferred group may
    69. 

  69. not be predicted. OpenSSL considers all supported groups to be comparable in
    70. 

  70. security and prioritizes avoiding roundtrips above either client or server
    71. 

  71. preference order. If an application uses an external provider to extend OpenSSL
    72. 

  72. with, e.g., a post-quantum algorithm, this behavior may allow a network attacker
    73. 

  73. to downgrade connections to a weaker algorithm.
    74. 

  74. 

  75. =back
    76. 

  76. 

  77. SSL_CTX_set1_groups_list() sets the supported groups for B<ctx> to
    78. 

  78. string B<list>. The string is a colon separated list of group names, for example
    79. 

  79. "P-521:P-384:P-256:X25519:ffdhe2048". The groups are used as in
    80. 

  80. SSL_CTX_set1_groups(), described above. Currently supported groups for
    81. 

  81. B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>, B<X25519>, B<X448>,
    82. 

  82. B<brainpoolP256r1tls13>, B<brainpoolP384r1tls13>, B<brainpoolP512r1tls13>,
    83. 

  83. B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144> and B<ffdhe8192>. Support
    84. 

  84. for other groups may be added by external providers, however note the discussion
    85. 

  85. on TLS 1.3 selection criteria above. If a group name is preceded with the C<?>
    86. 

  86. character, it will be ignored if an implementation is missing.
    87. 

  87. 

  88. SSL_set1_groups() and SSL_set1_groups_list() are similar except they set
    89. 

  89. supported groups for the SSL structure B<ssl>.
    90. 

  90. 

  91. SSL_get1_groups() returns the set of supported groups sent by a client
    92. 

  92. in the supported groups extension. It returns the total number of
    93. 

  93. supported groups. The B<groups> parameter can be B<NULL> to simply
    94. 

  94. return the number of groups for memory allocation purposes. The
    95. 

  95. B<groups> array is in the form of a set of group NIDs in preference
    96. 

  96. order. It can return zero if the client did not send a supported groups
    97. 

  97. extension. If a supported group NID is unknown then the value is set to the
    98. 

  98. bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the group.
    99. 

  99. 

  100. SSL_get0_iana_groups() retrieves the list of groups sent by the
    101. 

  101. client in the supported_groups extension.  The B<*out> array of bytes
    102. 

  102. is populated with the host-byte-order representation of the uint16_t group
    103. 

  103. identifiers, as assigned by IANA.  The group list is returned in the same order
    104. 

  104. that was received in the ClientHello.  The return value is the number of groups,
    105. 

  105. not the number of bytes written.
    106. 

  106. 

  107. SSL_get_shared_group() returns the NID of the shared group B<n> for a
    108. 

  108. server-side SSL B<ssl>. If B<n> is -1 then the total number of shared groups is
    109. 

  109. returned, which may be zero. Other than for diagnostic purposes,
    110. 

  110. most applications will only be interested in the first shared group
    111. 

  111. so B<n> is normally set to zero. If the value B<n> is out of range,
    112. 

  112. NID_undef is returned. If the NID for the shared group is unknown then the value
    113. 

  113. is set to the bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the
    114. 

  114. group.
    115. 

  115. 

  116. SSL_get_negotiated_group() returns the NID of the negotiated group used for
    117. 

  117. the handshake key exchange process.  For TLSv1.3 connections this typically
    118. 

  118. reflects the state of the current connection, though in the case of PSK-only
    119. 

  119. resumption, the returned value will be from a previous connection.  For earlier
    120. 

  120. TLS versions, when a session has been resumed, it always reflects the group
    121. 

  121. used for key exchange during the initial handshake (otherwise it is from the
    122. 

  122. current, non-resumption, connection).  This can be called by either client or
    123. 

  123. server. If the NID for the shared group is unknown then the value is set to the
    124. 

  124. bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the group. See also
    125. 

  125. L<SSL_get0_group_name(3)> which returns the name of the negotiated group
    126. 

  126. directly and is generally preferred over SSL_get_negotiated_group().
    127. 

  127. 

  128. All these functions are implemented as macros.
    129. 

  129. 

  130. The curve functions are synonyms for the equivalently named group functions and
    131. 

  131. are identical in every respect. They exist because, prior to TLS1.3, there was
    132. 

  132. only the concept of supported curves. In TLS1.3 this was renamed to supported
    133. 

  133. groups, and extended to include Diffie Hellman groups. The group functions
    134. 

  134. should be used in preference.
    135. 

  135. 

  136. =head1 NOTES
    137. 

  137. 

  138. If an application wishes to make use of several of these functions for
    139. 

  139. configuration purposes either on a command line or in a file it should
    140. 

  140. consider using the SSL_CONF interface instead of manually parsing options.
    141. 

  141. 

  142. =head1 RETURN VALUES
    143. 

  143. 

  144. SSL_CTX_set1_groups(), SSL_CTX_set1_groups_list(), SSL_set1_groups() and
    145. 

  145. SSL_set1_groups_list(), return 1 for success and 0 for failure.
    146. 

  146. 

  147. SSL_get1_groups() returns the number of groups, which may be zero.
    148. 

  148. 

  149. SSL_get0_iana_groups() returns the number of (uint16_t) groups, which may be zero.
    150. 

  150. 

  151. SSL_get_shared_group() returns the NID of shared group B<n> or NID_undef if there
    152. 

  152. is no shared group B<n>; or the total number of shared groups if B<n>
    153. 

  153. is -1.
    154. 

  154. 

  155. When called on a client B<ssl>, SSL_get_shared_group() has no meaning and
    156. 

  156. returns -1.
    157. 

  157. 

  158. SSL_get_negotiated_group() returns the NID of the negotiated group used for
    159. 

  159. key exchange, or NID_undef if there was no negotiated group.
    160. 

  160. 

  161. =head1 SEE ALSO
    162. 

  162. 

  163. L<ssl(7)>,
    164. 

  164. L<SSL_CTX_add_extra_chain_cert(3)>,
    165. 

  165. L<SSL_get0_group_name(3)>
    166. 

  166. 

  167. =head1 HISTORY
    168. 

  168. 

  169. The curve functions were added in OpenSSL 1.0.2. The equivalent group
    170. 

  170. functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function
    171. 

  171. was added in OpenSSL 3.0.0.
    172. 

  172. 

  173. Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and
    174. 

  174. SSL_set1_groups_list() was added in OpenSSL 3.3.
    175. 

  175. 

  176. Earlier versions of this document described the list as a preference order.
    177. 

  177. However, OpenSSL's behavior as a TLS 1.3 server is to consider I<all>
    178. 

  178. supported groups as comparable in security.
    179. 

  179. 

  180. =head1 COPYRIGHT
    181. 

  181. 

  182. Copyright 2013-2025 The OpenSSL Project Authors. All Rights Reserved.
    183. 

  183. 

  184. Licensed under the Apache License 2.0 (the "License").  You may not use
    185. 

  185. this file except in compliance with the License.  You can obtain a copy
    186. 

  186. in the file LICENSE in the source distribution or at
    187. 

  187. L<https://www.openssl.org/source/license.html>.
    188. 

  188. 

  189. =cut
    190.