generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

PR: 1794

Browse Source 
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Remove unnecessary code for srp and to add some comments to
s_client.

- the callback to provide a user during client connect is
no longer necessary since rfc 5054 a connection attempt
with an srp cipher and no user is terminated when the
cipher is acceptable

- comments to indicate in s_client the (non-)usefulness of
th primalaty tests for non known group parameters.
This commit is contained in:
Dr. Stephen Henson 2011-12-14 22:18:03 +00:00
parent 3918de9ad1
commit b8a22c40e0
6 changed files with 26 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
apps/s_client.c
View File

@ -403,7 +403,7 @@ typedef struct srp_arg_st
#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
static int SRP_Verify_N_and_g(BIGNUM *N, BIGNUM *g) static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
{ {
BN_CTX *bn_ctx = BN_CTX_new(); BN_CTX *bn_ctx = BN_CTX_new();
BIGNUM *p = BN_new(); BIGNUM *p = BN_new();
@ -431,6 +431,21 @@ static int SRP_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
return ret; return ret;
} }
/* This callback is used here for two purposes:
- extended debugging
- making some primality tests for unknown groups
The callback is only called for a non default group.
An application does not need the call back at all if
only the stanard groups are used. In real life situations,
client and server already share well known groups,
thus there is no need to verify them.
Furthermore, in case that a server actually proposes a group that
is not one of those defined in RFC 5054, it is more appropriate
to add the group to a static list and then compare since
primality tests are rather cpu consuming.
*/
static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg) static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
{ {
SRP_ARG *srp_arg = (SRP_ARG *)arg; SRP_ARG *srp_arg = (SRP_ARG *)arg;
@ -453,11 +468,11 @@ static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
if (srp_arg->debug) if (srp_arg->debug)
BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n"); BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
/* The srp_moregroups must be used with caution, testing primes costs time. /* The srp_moregroups is a real debugging feature.
Implementors should rather add the value to the known ones. Implementors should rather add the value to the known ones.
The minimal size has already been tested. The minimal size has already been tested.
*/ */
if (BN_num_bits(g) <= BN_BITS && SRP_Verify_N_and_g(N,g)) if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
return 1; return 1;
} }
BIO_printf(bio_err, "SRP param N and g rejected.\n"); BIO_printf(bio_err, "SRP param N and g rejected.\n");
@ -486,12 +501,6 @@ static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
return pass; return pass;
} }
static char * MS_CALLBACK missing_srp_username_callback(SSL *s, void *arg)
{
SRP_ARG *srp_arg = (SRP_ARG *)arg;
return BUF_strdup(srp_arg->srplogin);
}
#endif #endif
char *srtp_profiles = NULL; char *srtp_profiles = NULL;
@ -1182,9 +1191,7 @@ bad:
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
if (srp_arg.srplogin) if (srp_arg.srplogin)
{ {
if (srp_lateuser) if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
SSL_CTX_set_srp_missing_srp_username_callback(ctx,missing_srp_username_callback);
else if (!SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
{ {
BIO_printf(bio_err,"Unable to set SRP username\n"); BIO_printf(bio_err,"Unable to set SRP username\n");
goto end; goto end;

3
crypto/symhacks.h
View File

@ -192,9 +192,6 @@
#define SSL_CTX_set_srp_verify_param_callback SSL_CTX_set_srp_vfy_param_cb #define SSL_CTX_set_srp_verify_param_callback SSL_CTX_set_srp_vfy_param_cb
#undef SSL_CTX_set_srp_username_callback #undef SSL_CTX_set_srp_username_callback
#define SSL_CTX_set_srp_username_callback SSL_CTX_set_srp_un_cb #define SSL_CTX_set_srp_username_callback SSL_CTX_set_srp_un_cb
#undef SSL_CTX_set_srp_missing_srp_username_callback
#define SSL_CTX_set_srp_missing_srp_username_callback \
SSL_CTX_set_srp_miss_srp_un_cb
/* Hack some long ENGINE names */ /* Hack some long ENGINE names */
#undef ENGINE_get_default_BN_mod_exp_crt #undef ENGINE_get_default_BN_mod_exp_crt

4
ssl/s3_lib.c
View File

@ -3674,10 +3674,6 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
ctx->srp_ctx.srp_Mask|=SSL_kSRP; ctx->srp_ctx.srp_Mask|=SSL_kSRP;
ctx->srp_ctx.SRP_give_srp_client_pwd_callback=(char *(*)(SSL *,void *))fp; ctx->srp_ctx.SRP_give_srp_client_pwd_callback=(char *(*)(SSL *,void *))fp;
break; break;
case SSL_CTRL_SET_TLS_EXT_SRP_MISSING_CLIENT_USERNAME_CB:
ctx->srp_ctx.srp_Mask|=SSL_kSRP;
ctx->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback=(char *(*)(SSL *,void *))fp;
break;
#endif #endif
#endif #endif
default: default:

12
ssl/ssl.h
View File

@ -692,8 +692,6 @@ typedef struct srp_ctx_st
int (*SRP_verify_param_callback)(SSL *, void *); int (*SRP_verify_param_callback)(SSL *, void *);
/* set SRP client passwd callback */ /* set SRP client passwd callback */
char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *); char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
/* set SRP client username callback */
char *(*SRP_TLS_ext_missing_srp_client_username_callback)(SSL *, void *);
char *login; char *login;
BIGNUM *N,*g,*s,*B,*A; BIGNUM *N,*g,*s,*B,*A;
@ -1573,11 +1571,11 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75 #define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75
#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76 #define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76
#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77 #define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77
#define SSL_CTRL_SET_TLS_EXT_SRP_MISSING_CLIENT_USERNAME_CB 78
#define SSL_CTRL_SET_SRP_ARG 79 #define SSL_CTRL_SET_SRP_ARG 78
#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 80 #define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 81 #define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 82 #define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
#endif #endif
#define DTLS_CTRL_GET_TIMEOUT 73 #define DTLS_CTRL_GET_TIMEOUT 73

11
ssl/ssltest.c
View File

@ -266,12 +266,6 @@ static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
return BUF_strdup((char *)srp_client_arg->srppassin); return BUF_strdup((char *)srp_client_arg->srppassin);
} }
static char * MS_CALLBACK missing_srp_username_callback(SSL *s, void *arg)
{
SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
return BUF_strdup(srp_client_arg->srplogin);
}
/* SRP server */ /* SRP server */
/* This is a context that we pass to SRP server callbacks */ /* This is a context that we pass to SRP server callbacks */
typedef struct srp_server_arg_st typedef struct srp_server_arg_st
@ -537,7 +531,6 @@ int main(int argc, char *argv[])
#endif #endif
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
/* client */ /* client */
int srp_lateuser = 0;
SRP_CLIENT_ARG srp_client_arg = {NULL,NULL}; SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
/* server */ /* server */
SRP_SERVER_ARG srp_server_arg = {NULL,NULL}; SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
@ -1053,9 +1046,7 @@ bad:
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
if (srp_client_arg.srplogin) if (srp_client_arg.srplogin)
{ {
if (srp_lateuser) if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
SSL_CTX_set_srp_missing_srp_username_callback(c_ctx,missing_srp_username_callback);
else if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
{ {
BIO_printf(bio_err,"Unable to set SRP username\n"); BIO_printf(bio_err,"Unable to set SRP username\n");
goto end; goto end;

23
ssl/tls_srp.c
View File

@ -4,7 +4,7 @@
* for the EdelKey project and contributed to the OpenSSL project 2004. * for the EdelKey project and contributed to the OpenSSL project 2004.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 2004 The OpenSSL Project. All rights reserved. * Copyright (c) 2004-2011 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -80,7 +80,6 @@ int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
ctx->srp_ctx.SRP_cb_arg = NULL; ctx->srp_ctx.SRP_cb_arg = NULL;
ctx->srp_ctx.SRP_verify_param_callback = NULL; ctx->srp_ctx.SRP_verify_param_callback = NULL;
ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL; ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
ctx->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback = NULL;
ctx->srp_ctx.N = NULL; ctx->srp_ctx.N = NULL;
ctx->srp_ctx.g = NULL; ctx->srp_ctx.g = NULL;
ctx->srp_ctx.s = NULL; ctx->srp_ctx.s = NULL;
@ -113,7 +112,6 @@ int SSL_SRP_CTX_free(struct ssl_st *s)
s->srp_ctx.SRP_cb_arg = NULL; s->srp_ctx.SRP_cb_arg = NULL;
s->srp_ctx.SRP_verify_param_callback = NULL; s->srp_ctx.SRP_verify_param_callback = NULL;
s->srp_ctx.SRP_give_srp_client_pwd_callback = NULL; s->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
s->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback = NULL;
s->srp_ctx.N = NULL; s->srp_ctx.N = NULL;
s->srp_ctx.g = NULL; s->srp_ctx.g = NULL;
s->srp_ctx.s = NULL; s->srp_ctx.s = NULL;
@ -142,7 +140,6 @@ int SSL_SRP_CTX_init(struct ssl_st *s)
s->srp_ctx.SRP_verify_param_callback = ctx->srp_ctx.SRP_verify_param_callback; s->srp_ctx.SRP_verify_param_callback = ctx->srp_ctx.SRP_verify_param_callback;
/* set SRP client passwd callback */ /* set SRP client passwd callback */
s->srp_ctx.SRP_give_srp_client_pwd_callback = ctx->srp_ctx.SRP_give_srp_client_pwd_callback; s->srp_ctx.SRP_give_srp_client_pwd_callback = ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
s->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback = ctx->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback;
s->srp_ctx.N = NULL; s->srp_ctx.N = NULL;
s->srp_ctx.g = NULL; s->srp_ctx.g = NULL;
@ -210,7 +207,6 @@ int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
ctx->srp_ctx.SRP_verify_param_callback = NULL; ctx->srp_ctx.SRP_verify_param_callback = NULL;
/* set SRP client passwd callback */ /* set SRP client passwd callback */
ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL; ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
ctx->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback = NULL;
ctx->srp_ctx.N = NULL; ctx->srp_ctx.N = NULL;
ctx->srp_ctx.g = NULL; ctx->srp_ctx.g = NULL;
@ -436,16 +432,6 @@ int SRP_Calc_A_param(SSL *s)
return 1; return 1;
} }
int SRP_have_to_put_srp_username(SSL *s)
{
if (s->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback == NULL)
return 0;
if ((s->srp_ctx.login = s->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback(s,s->srp_ctx.SRP_cb_arg)) == NULL)
return 0;
s->srp_ctx.srp_Mask|=SSL_kSRP;
return 1;
}
BIGNUM *SSL_get_srp_g(SSL *s) BIGNUM *SSL_get_srp_g(SSL *s)
{ {
if (s->srp_ctx.g != NULL) if (s->srp_ctx.g != NULL)
@ -517,11 +503,4 @@ int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, char *(*cb)(SSL *,void *))
(void (*)(void))cb); (void (*)(void))cb);
} }
int SSL_CTX_set_srp_missing_srp_username_callback(SSL_CTX *ctx,
char *(*cb)(SSL *,void *))
{
return tls1_ctx_callback_ctrl(ctx,
SSL_CTRL_SET_TLS_EXT_SRP_MISSING_CLIENT_USERNAME_CB,
(void (*)(void))cb);
}
#endif #endif