SSL(3)SSL(3)NAMEssl - secure sockets layer device
SYNOPSIS
#D/clone
#D/n
#D/n/data
#D/n/ctl
#D/n/secretin
#D/n/secretout
#D/n/encalgs
#D/n/hashalgs
DESCRIPTION
The ssl device provides access to a Secure Socket Layer that implements
the record layer protocol of SSLv2 (but not its handshaking). The
device provides encrypting and digesting for many independent connec‐
tions. Once associated with a network connection, the ssl device can
be thought of as a filter for the connection. Ssl can send data in the
clear, digested or encrypted. In all cases, if ssl is associated with
both ends of a connection, all messages are delimited. As long as
reads always specify buffers that are of equal or greater lengths than
the writes at the other end of the connection, one write will corre‐
spond to one read. The device is unusual because it is not bound into
the name space but named directly by its local name, #D. That is
because the interface described below requires writing a local file
descriptor number to a file, which will not work remotely.
The top-level directory contains a clone file and numbered directories,
each representing a connection. Opening the clone file reserves a con‐
nection; the file descriptor resulting from the sys-open(2) will be
open on the control file, ctl, in the directory that represents the new
connection. Reading the control file will return a text string giving
the connection number n, and thus the directory name.
Writing to ctl controls the corresponding connection. The following
control messages are possible:
fd m Associate the network connection on existing file descriptor m
with the ssl device.
alg clear
Allow data to pass in the clear with only message delimiters
added. The device starts in this mode.
alg sha
Append a SHA digest to each buffer written to data. The digest
covers the outgoing secret (written to secretout), the message,
and a message number which starts at 0 and increments by one for
each message. Messages read have their appended digests com‐
pared to a digest computed using the incoming secret (written to
secretin). If the comparison fails, so will the read.
alg md4
Like sha but using the MD4 message digest algorithm.
alg md5
Like sha but using the MD5 message digest algorithm.
alg rc4
alg rc4_40
alg rc4_128
alg rc4_256
RC4 encrypt each message written to data with the key written to
secretout, using the key length as indicated (40-bit keys by
default).
alg des_56_cbc
Encrypt the stream using DES and Cipher Block Chaining (CBC)
alg des_56_ecb
Encrypt the stream using DES and Electronic Code Book (ECB)
alg ideacbc
Encrypt the stream using IDEA and CBC
alg ideaecb
Encrypt the stream using IDEA and ECB
alg digest/crypt
Combine the use of the given digest algorithm and the stream
encryption algorithm crypt
Files secretin and secretout must be written before digesting or
encryption is turned on. If only one is written, they are both assumed
to be the same.
The mode may be changed at any time during a connection.
The list of algorithms supported by a given implementation of ssl may
be read from the read-only text files encalgs (encryption algorithms)
and hashalgs (hashing algorithms for digests). Each contains a space-
separated list of algorithm names.
SEE ALSOsecurity-ssl(2)
B. Schneier, Applied Cryptography , 1996, J. Wiley & Sons, Inc.
SSL(3)
