generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Integrate J-PAKE and TLS-PSK. Increase PSK buffer size. Fix memory leaks.

Browse Source
This commit is contained in:
Ben Laurie 2008-11-16 12:47:12 +00:00
parent ad7159ea84
commit f3b7bdadbc
6 changed files with 83 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
apps/apps.c
View File

@ -2381,7 +2381,7 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx)
BIO_free(out); BIO_free(out);
} }
#ifdef OPENSSL_EXPERIMENTAL_JPAKE #if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)
static JPAKE_CTX *jpake_init(const char *us, const char *them, static JPAKE_CTX *jpake_init(const char *us, const char *them,
const char *secret) const char *secret)
@ -2564,10 +2564,14 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
jpake_send_step3a(bconn, ctx); jpake_send_step3a(bconn, ctx);
jpake_receive_step3b(ctx, bconn); jpake_receive_step3b(ctx, bconn);
BIO_puts(out, "JPAKE authentication succeeded\n"); BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
BIO_pop(bconn); BIO_pop(bconn);
BIO_free(bconn); BIO_free(bconn);
JPAKE_CTX_free(ctx);
} }
void jpake_server_auth(BIO *out, BIO *conn, const char *secret) void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
@ -2589,10 +2593,14 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
jpake_receive_step3a(ctx, bconn); jpake_receive_step3a(ctx, bconn);
jpake_send_step3b(bconn, ctx); jpake_send_step3b(bconn, ctx);
BIO_puts(out, "JPAKE authentication succeeded\n"); BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
BIO_pop(bconn); BIO_pop(bconn);
BIO_free(bconn); BIO_free(bconn);
JPAKE_CTX_free(ctx);
} }
#endif #endif

1
apps/apps.h
View File

@ -309,6 +309,7 @@ int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param); const char *algname, ENGINE *e, int do_param);
#ifdef OPENSSL_EXPERIMENTAL_JPAKE #ifdef OPENSSL_EXPERIMENTAL_JPAKE
extern char *psk_key;
void jpake_client_auth(BIO *out, BIO *conn, const char *secret); void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
void jpake_server_auth(BIO *out, BIO *conn, const char *secret); void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
#endif #endif

29
apps/s_client.c
View File

@ -215,7 +215,7 @@ static int c_ign_eof=0;
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
/* Default PSK identity and key */ /* Default PSK identity and key */
static char *psk_identity="Client_identity"; static char *psk_identity="Client_identity";
static char *psk_key=NULL; /* by default PSK is not used */ /*char *psk_key=NULL; by default PSK is not used */
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len, unsigned char *psk, unsigned int max_identity_len, unsigned char *psk,
@ -312,6 +312,9 @@ static void sc_usage(void)
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
BIO_printf(bio_err," -psk_identity arg - PSK identity\n"); BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
# ifdef OPENSSL_EXPERIMENTAL_JPAKE
BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
# endif
#endif #endif
BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
@ -724,6 +727,26 @@ bad:
goto end; goto end;
} }
#if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)
if (jpake_secret)
{
if (psk_key)
{
BIO_printf(bio_err,
"Can't use JPAKE and PSK together\n");
goto end;
}
psk_identity = "JPAKE";
}
if (cipher)
{
BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
goto end;
}
cipher = "PSK";
#endif
OpenSSL_add_ssl_algorithms(); OpenSSL_add_ssl_algorithms();
SSL_load_error_strings(); SSL_load_error_strings();
@ -822,10 +845,10 @@ bad:
#endif #endif
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
if (psk_key != NULL) if (psk_key != NULL || jpake_secret)
{ {
if (c_debug) if (c_debug)
BIO_printf(bio_c_out, "PSK key given, setting client callback\n"); BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
} }
#endif #endif

35
apps/s_server.c
View File

@ -302,7 +302,7 @@ static int cert_chain = 0;
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
static char *psk_identity="Client_identity"; static char *psk_identity="Client_identity";
static char *psk_key=NULL; /* by default PSK is not used */ char *psk_key=NULL; /* by default PSK is not used */
static unsigned int psk_server_cb(SSL *ssl, const char *identity, static unsigned int psk_server_cb(SSL *ssl, const char *identity,
unsigned char *psk, unsigned int max_psk_len) unsigned char *psk, unsigned int max_psk_len)
@ -325,7 +325,9 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
/* here we could lookup the given identity e.g. from a database */ /* here we could lookup the given identity e.g. from a database */
if (strcmp(identity, psk_identity) != 0) if (strcmp(identity, psk_identity) != 0)
{ {
BIO_printf(bio_s_out, "PSK error: client identity not found\n"); BIO_printf(bio_s_out, "PSK error: client identity not found"
" (got '%s' expected '%s')\n", identity,
psk_identity);
goto out_err; goto out_err;
} }
if (s_debug) if (s_debug)
@ -448,6 +450,9 @@ static void sv_usage(void)
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n"); BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
# ifdef OPENSSL_EXPERIMENTAL_JPAKE
BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
# endif
#endif #endif
BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
@ -1184,7 +1189,7 @@ int MAIN(int argc, char *argv[])
} }
#endif #endif
#ifdef OPENSSL_EXPERIMENTAL_JPAKE #if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)
else if (strcmp(*argv,"-jpake") == 0) else if (strcmp(*argv,"-jpake") == 0)
{ {
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
@ -1207,6 +1212,26 @@ bad:
goto end; goto end;
} }
#if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)
if (jpake_secret)
{
if (psk_key)
{
BIO_printf(bio_err,
"Can't use JPAKE and PSK together\n");
goto end;
}
psk_identity = "JPAKE";
}
if (cipher)
{
BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
goto end;
}
cipher = "PSK";
#endif
SSL_load_error_strings(); SSL_load_error_strings();
OpenSSL_add_ssl_algorithms(); OpenSSL_add_ssl_algorithms();
@ -1591,10 +1616,10 @@ bad:
#endif #endif
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
if (psk_key != NULL) if (psk_key != NULL || jpake_secret)
{ {
if (s_debug) if (s_debug)
BIO_printf(bio_s_out, "PSK key given, setting server callback\n"); BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n");
SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
} }

14
crypto/jpake/jpaketest.c
View File

@ -1,3 +1,15 @@
#ifndef OPENSSL_EXPERIMENTAL_JPAKE
#include <stdio.h>
int main(int argc, char *argv[])
{
printf("No J-PAKE support\n");
return(0);
}
#else
#include <openssl/jpake.h> #include <openssl/jpake.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -174,3 +186,5 @@ int main(int argc, char **argv)
return 0; return 0;
} }
#endif

2
ssl/ssl.h
View File

@ -910,7 +910,7 @@ void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL
/* the maximum length of the buffer given to callbacks containing the /* the maximum length of the buffer given to callbacks containing the
* resulting identity/psk */ * resulting identity/psk */
#define PSK_MAX_IDENTITY_LEN 128 #define PSK_MAX_IDENTITY_LEN 128
#define PSK_MAX_PSK_LEN 64 #define PSK_MAX_PSK_LEN 256
void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
char *identity, unsigned int max_identity_len, unsigned char *psk, char *identity, unsigned int max_identity_len, unsigned char *psk,