generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix SRP authentication ciphersuites.

Browse Source 
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)

Conflicts:

	ssl/s3_clnt.c
	ssl/s3_lib.c
This commit is contained in:
Dr. Stephen Henson 2014-08-08 11:24:25 +01:00
parent 1241e77f15
commit 30fbe92c78
2 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ssl/s3_clnt.c
View File

@ -326,9 +326,9 @@ int ssl3_connect(SSL *s)
break; break;
} }
#endif #endif
/* Check if it is anon DH/ECDH */ /* Check if it is anon DH/ECDH, SRP auth */
/* or PSK */ /* or PSK */
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) &&
!(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
{ {
ret=ssl3_get_server_certificate(s); ret=ssl3_get_server_certificate(s);
@ -1835,8 +1835,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
} }
else else
{ {
if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK)) /* aNULL, aSRP or kPSK do not need public keys */
/* aNULL or kPSK do not need public keys */ if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & SSL_kPSK))
{ {
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
goto err; goto err;

11
ssl/s3_srvr.c
View File

@ -410,9 +410,8 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SW_CERT_B: case SSL3_ST_SW_CERT_B:
/* Check if it is anon DH or anon ECDH, */ /* Check if it is anon DH or anon ECDH, */
/* normal PSK or KRB5 or SRP */ /* normal PSK or KRB5 or SRP */
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aKRB5|SSL_aSRP))
&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
&& !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
{ {
ret=ssl3_send_server_certificate(s); ret=ssl3_send_server_certificate(s);
if (ret <= 0) goto end; if (ret <= 0) goto end;
@ -515,7 +514,9 @@ int ssl3_accept(SSL *s)
* (against the specs, but s3_clnt.c accepts this for SSL 3) */ * (against the specs, but s3_clnt.c accepts this for SSL 3) */
!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
/* never request cert in Kerberos ciphersuites */ /* never request cert in Kerberos ciphersuites */
(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) ||
/* don't request certificate for SRP auth */
(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
/* With normal PSK Certificates and /* With normal PSK Certificates and
* Certificate Requests are omitted */ * Certificate Requests are omitted */
|| (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
@ -1846,7 +1847,7 @@ int ssl3_send_server_key_exchange(SSL *s)
n+=2+nr[i]; n+=2+nr[i];
} }
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
{ {
if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md)) if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md))