[prev in list] [next in list] [prev in thread] [next in thread]
List: openssl-dev
Subject: [openssl.org #2523] Patch to use standard RFC 5054 constants and behavior for TLS-SRP (OpenSSL 1.0.1
From: "Quinn Slack via RT" <rt () openssl ! org>
Date: 2011-05-23 10:27:35
Message-ID: rt-3.4.5-35456-1306146455-770.2523-21-0 () openssl ! org
[Download RAW message or body]
I'm very excited to see that SRP and TLS-SRP will be in OpenSSL 1.0.1.
The current code has some old, pre-RFC 5054 constants and behavior
with respect to a missing SRP username. I have attached a patch to
update the TLS-SRP support in OpenSSL 1.0.1 to be compatible with RFC
5054, and also to test that behavior. This patch:
1) removes the missing_srp_username and unknown_srp_username alerts,
replacing them with unknown_psk_identity where appropriate (per RFC
5054)
2) removes the missing_srp_client_username_callback (since the
unknown_psk_identity alert is always fatal, per RFC 5054)
3) removes SRP_have_to_put_username (since it only makes sense to have
if the missing_srp_username warning exists)
4) adds SSL_R_TLSV1_UNKNOWN_PSK_IDENTITY error reason so clients can
detect that the handshake failed because they need to supply an SRP
username (so can implement the functionality of the old
missing_srp_username callback)
5) adds new options to ssl/ssltest.c: -{client,server}_srp{user,pass}
instead of just -srp{user,pass} to test SRP auth failures, and
-server_err to specify that ssltest should expect an error (and return
0 if it indeed sees the specified error)
6) adds more TLS-SRP tests: non-cert SRP, missing username, bad password
It applies almost unchanged to the latest CVS code, too. I can submit
that patch once this patch has been discussed.
-Quinn
["openssl-1.0.1+tls-srp-rfc5054-20110504.patch" (text/x-patch)]
diff --git a/apps/s_client.c b/apps/s_client.c
index 81c7e85..cfaaa1f 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -476,12 +476,6 @@ static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, \
void *arg) return pass;
}
-static char * MS_CALLBACK missing_srp_username_callback(SSL *s, void *arg)
- {
- SRP_ARG *srp_arg = (SRP_ARG *)arg;
- return BUF_strdup(srp_arg->srplogin);
- }
-
#endif
#endif
@@ -1082,9 +1076,7 @@ bad:
#ifndef OPENSSL_NO_SRP
if (srp_arg.srplogin)
{
- if (srp_lateuser)
- SSL_CTX_set_srp_missing_srp_username_callback(ctx,missing_srp_username_callback);
- else if (!SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
+ if (!SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
{
BIO_printf(bio_err,"Unable to set SRP username\n");
goto end;
diff --git a/crypto/symhacks.h b/crypto/symhacks.h
index 9e32447..fffc98d 100644
--- a/crypto/symhacks.h
+++ b/crypto/symhacks.h
@@ -192,9 +192,6 @@
#define SSL_CTX_set_srp_verify_param_callback SSL_CTX_set_srp_vfy_param_cb
#undef SSL_CTX_set_srp_username_callback
#define SSL_CTX_set_srp_username_callback SSL_CTX_set_srp_un_cb
-#undef SSL_CTX_set_srp_missing_srp_username_callback
-#define SSL_CTX_set_srp_missing_srp_username_callback \
- SSL_CTX_set_srp_miss_srp_un_cb
/* Hack some long ENGINE names */
#undef ENGINE_get_default_BN_mod_exp_crt
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 121ffb2..c8a17e2 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -277,20 +277,6 @@ int ssl3_connect(SSL *s)
case SSL3_ST_CR_SRVR_HELLO_A:
case SSL3_ST_CR_SRVR_HELLO_B:
ret=ssl3_get_server_hello(s);
-#ifndef OPENSSL_NO_SRP
- if (ret == 0 && s->s3->warn_alert == SSL_AD_MISSING_SRP_USERNAME)
- {
- if (!SRP_have_to_put_srp_username(s))
- {
- SSLerr(SSL_F_SSL3_CONNECT,SSL_R_MISSING_SRP_USERNAME);
- ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_USER_CANCELLED);
- goto end;
- }
- s->state=SSL3_ST_CW_CLNT_HELLO_A;
- if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
- break;
- }
-#endif
if (ret <= 0) goto end;
if (s->hit)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 87d19c7..f6a91e3 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2982,10 +2982,6 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void \
(*fp)(void)) ctx->srp_ctx.srp_Mask|=SSL_kSRP;
ctx->srp_ctx.SRP_give_srp_client_pwd_callback=(char *(*)(SSL *,void *))fp;
break;
- case SSL_CTRL_SET_TLS_EXT_SRP_MISSING_CLIENT_USERNAME_CB:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- ctx->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback=(char *(*)(SSL \
*,void *))fp;
- break;
#endif
#endif
default:
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index a1b4a65..521a4da 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1203,10 +1203,6 @@ start:
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
goto f_err;
}
-#ifdef SSL_AD_MISSING_SRP_USERNAME
- if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
- return(0);
-#endif
}
else if (alert_level == 2) /* fatal */
{
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a0d09e0..77d9864 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -192,8 +192,8 @@ static int SSL_check_srp_ext_ClientHello(SSL *s, int *ad)
if(s->srp_ctx.login == NULL)
{
/* There isn't any srp login extension !!! */
- ret = SSL3_AL_WARNING;
- *ad = SSL_AD_MISSING_SRP_USERNAME;
+ ret = SSL3_AL_FATAL;
+ *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
}
else
{
@@ -217,7 +217,6 @@ int ssl3_accept(SSL *s)
int ret= -1;
int new_state,state,skip=0;
#ifndef OPENSSL_NO_SRP
- int srp_no_username=0;
int extension_error,al;
#endif
@@ -340,10 +339,6 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SR_CLNT_HELLO_A:
case SSL3_ST_SR_CLNT_HELLO_B:
case SSL3_ST_SR_CLNT_HELLO_C:
-#ifndef OPENSSL_NO_SRP
- case SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME:
-#endif
-
s->shutdown=0;
ret=ssl3_get_client_hello(s);
if (ret <= 0) goto end;
@@ -352,19 +347,8 @@ int ssl3_accept(SSL *s)
if ((al = SSL_check_srp_ext_ClientHello(s,&extension_error)) != SSL_ERROR_NONE)
{
ssl3_send_alert(s,al,extension_error);
- if (extension_error == SSL_AD_MISSING_SRP_USERNAME)
- {
- if (srp_no_username) goto end;
- ERR_clear_error();
- srp_no_username = 1;
- s->state=SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME;
- if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
- if ((ret=BIO_flush(s->wbio)) <= 0) goto end;
- s->init_num=0;
- break;
- }
ret = -1;
- SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
+ SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_MISSING_SRP_USERNAME);
goto end;
}
#endif
@@ -860,11 +844,7 @@ int ssl3_get_client_hello(SSL *s)
* If we are SSLv3, we will respond with SSLv3, even if prompted with
* TLSv1.
*/
- if (s->state == SSL3_ST_SR_CLNT_HELLO_A
-#ifndef OPENSSL_NO_SRP
- || (s->state == SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME)
-#endif
- )
+ if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
{
s->state=SSL3_ST_SR_CLNT_HELLO_B;
}
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 5c71a79..d0801a2 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -662,8 +662,6 @@ typedef struct srp_ctx_st
int (*SRP_verify_param_callback)(SSL *, void *);
/* set SRP client passwd callback */
char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
- /* set SRP client username callback */
- char *(*SRP_TLS_ext_missing_srp_client_username_callback)(SSL *, void *);
char *login;
BIGNUM *N,*g,*s,*B,*A;
@@ -683,7 +681,6 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad);
int SRP_generate_server_master_secret(SSL *s,unsigned char *master_key);
int SRP_Calc_A_param(SSL *s);
int SRP_generate_client_master_secret(SSL *s,unsigned char *master_key);
-int SRP_have_to_put_srp_username(SSL *s);
#endif
@@ -1377,8 +1374,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE \
TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE \
TLS1_AD_BAD_CERTIFICATE_HASH_VALUE #define SSL_AD_UNKNOWN_PSK_IDENTITY \
TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
-#define SSL_AD_UNKNOWN_SRP_USERNAME TLS1_AD_UNKNOWN_SRP_USERNAME
-#define SSL_AD_MISSING_SRP_USERNAME TLS1_AD_MISSING_SRP_USERNAME
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
@@ -1466,7 +1461,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75
#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76
#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77
-#define SSL_CTRL_SET_TLS_EXT_SRP_MISSING_CLIENT_USERNAME_CB 78
#define SSL_CTRL_SET_SRP_ARG 79
#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 80
#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 81
@@ -1685,8 +1679,6 @@ int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
int (*cb)(SSL *,void *));
int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
int (*cb)(SSL *,int *,void *));
-int SSL_CTX_set_srp_missing_srp_username_callback(SSL_CTX *ctx,
- char *(*cb)(SSL *,void *));
int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
@@ -2357,6 +2349,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
+#define SSL_R_TLSV1_UNKNOWN_PSK_IDENTITY 1115
#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 8bfa588..baaa89e 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -566,8 +566,6 @@ typedef struct ssl3_state_st
#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
-/* a new state to remember that we have already receive a ClientHello without srp \
username extension */
-#define SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME (0x1E2|SSL_ST_ACCEPT)
/* write to client */
#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 781fde1..b5c8483 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -517,6 +517,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),"tlsv1 certificate unobtainable"},
{ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
{ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},
+{ERR_REASON(SSL_R_TLSV1_UNKNOWN_PSK_IDENTITY),"tlsv1 unknown psk identity"},
{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with \
anon cipher"}, {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid \
ecpointformat list"}, \
{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not \
respond with certificate list"},
diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c
index 2f57296..144b81e 100644
--- a/ssl/ssl_stat.c
+++ b/ssl/ssl_stat.c
@@ -210,9 +210,6 @@ case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange \
A"; break; case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; \
break; case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
-#ifndef OPENSSL_NO_SRP
-case SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME: str="SSLv3 waiting for a SRP username"; \
break;
-#endif
#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
@@ -550,11 +547,6 @@ const char *SSL_alert_desc_string_long(int value)
case TLS1_AD_UNKNOWN_PSK_IDENTITY:
str="unknown PSK identity";
break;
-#ifndef OPENSSL_NO_SRP
- case TLS1_AD_MISSING_SRP_USERNAME:
- str="no srp username";
- break;
-#endif
default: str="unknown"; break;
}
return(str);
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 994522e..4fbcfbe 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -266,12 +266,6 @@ static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, \
void *arg) return BUF_strdup((char *)srp_client_arg->srppassin);
}
-static char * MS_CALLBACK missing_srp_username_callback(SSL *s, void *arg)
- {
- SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
- return BUF_strdup(srp_client_arg->srplogin);
- }
-
/* SRP server */
/* This is a context that we pass to SRP server callbacks */
typedef struct srp_server_arg_st
@@ -304,6 +298,7 @@ static BIO *bio_stdout=NULL;
static char *cipher=NULL;
static int verbose=0;
static int debug=0;
+static unsigned long server_err=0;
#if 0
/* Not used yet. */
#ifdef FIONBIO
@@ -327,6 +322,7 @@ static void sv_usage(void)
fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
fprintf(stderr," -v - more output\n");
fprintf(stderr," -d - debug output\n");
+ fprintf(stderr," -server_err <str> - substring of expected server error\n");
fprintf(stderr," -reuse - use session-id reuse\n");
fprintf(stderr," -num <val> - number of connections to perform\n");
fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
@@ -342,8 +338,10 @@ static void sv_usage(void)
fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
#endif
#ifndef OPENSSL_NO_SRP
- fprintf(stderr," -srpuser user - SRP username to use\n");
- fprintf(stderr," -srppass arg - password for 'user'\n");
+ fprintf(stderr," -server_srpuser user - server-side SRP username to use\n");
+ fprintf(stderr," -server_srppass arg - server-side password for 'user'\n");
+ fprintf(stderr," -client_srpuser user - client-side SRP username to use\n");
+ fprintf(stderr," -client_srppass arg - client-side password for 'user'\n");
#endif
#ifndef OPENSSL_NO_SSL2
fprintf(stderr," -ssl2 - use SSLv2\n");
@@ -525,6 +523,7 @@ int main(int argc, char *argv[])
SSL *c_ssl,*s_ssl;
int number=1,reuse=0;
long bytes=256L;
+ char *expect_server_err=NULL;
#ifndef OPENSSL_NO_DH
DH *dh;
int dhe1024 = 0, dhe1024dsa = 0;
@@ -534,7 +533,6 @@ int main(int argc, char *argv[])
#endif
#ifndef OPENSSL_NO_SRP
/* client */
- int srp_lateuser = 0;
SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
/* server */
SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
@@ -636,16 +634,28 @@ int main(int argc, char *argv[])
#endif
}
#ifndef OPENSSL_NO_SRP
- else if (strcmp(*argv,"-srpuser") == 0)
+ else if (strcmp(*argv,"-client_srpuser") == 0)
{
if (--argc < 1) goto bad;
- srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
+ srp_client_arg.srplogin= *(++argv);
tls1=1;
}
- else if (strcmp(*argv,"-srppass") == 0)
+ else if (strcmp(*argv,"-client_srppass") == 0)
{
if (--argc < 1) goto bad;
- srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
+ srp_client_arg.srppassin= *(++argv);
+ tls1=1;
+ }
+ else if (strcmp(*argv,"-server_srpuser") == 0)
+ {
+ if (--argc < 1) goto bad;
+ srp_server_arg.expected_user= *(++argv);
+ tls1=1;
+ }
+ else if (strcmp(*argv,"-server_srppass") == 0)
+ {
+ if (--argc < 1) goto bad;
+ srp_server_arg.pass= *(++argv);
tls1=1;
}
#endif
@@ -670,6 +680,11 @@ int main(int argc, char *argv[])
if (argv[0][i-1] == 'k') bytes*=1024L;
if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
}
+ else if (strcmp(*argv,"-server_err") == 0)
+ {
+ if (--argc < 1) goto bad;
+ expect_server_err= *(++argv);
+ }
else if (strcmp(*argv,"-cert") == 0)
{
if (--argc < 1) goto bad;
@@ -1020,9 +1035,7 @@ bad:
#ifndef OPENSSL_NO_SRP
if (srp_client_arg.srplogin)
{
- if (srp_lateuser)
- SSL_CTX_set_srp_missing_srp_username_callback(c_ctx,missing_srp_username_callback);
- else if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
+ if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
{
BIO_printf(bio_err,"Unable to set SRP username\n");
goto end;
@@ -1108,6 +1121,18 @@ end:
if (bio_stdout != NULL) BIO_free(bio_stdout);
+ if (expect_server_err)
+ {
+ if (strstr(ERR_error_string(server_err, NULL), expect_server_err) == NULL)
+ {
+ fprintf(stderr, "EXPECTED SERVER ERROR: '%s'\n",
+ expect_server_err);
+ ret = 1;
+ }
+ else
+ ret = 0;
+ }
+
#ifndef OPENSSL_NO_RSA
free_tmp_rsa();
#endif
@@ -1710,6 +1735,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
else
{
fprintf(stderr,"ERROR in SERVER\n");
+ server_err=ERR_peek_error();
ERR_print_errors(bio_err);
goto err;
}
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 8950700..c418d32 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -1073,9 +1073,6 @@ int tls1_alert_code(int code)
case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: \
return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); case \
SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); case \
SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
-#ifndef OPENSSL_NO_SRP
- case SSL_AD_MISSING_SRP_USERNAME:return(TLS1_AD_MISSING_SRP_USERNAME);
-#endif
#if 0 /* not appropriate for TLS, not used for DTLS */
case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
(DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
diff --git a/ssl/tls1.h b/ssl/tls1.h
index c3bb2e5..0d5e4f7 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -186,8 +186,6 @@ extern "C" {
#define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
#define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114
#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 /* fatal */
-#define TLS1_AD_UNKNOWN_SRP_USERNAME 120 /* fatal */
-#define TLS1_AD_MISSING_SRP_USERNAME 121
/* ExtensionType values from RFC3546 / RFC4366 */
#define TLSEXT_TYPE_server_name 0
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 0d15e8b..c8bc6f1 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -80,7 +80,6 @@ int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
ctx->srp_ctx.SRP_cb_arg = NULL;
ctx->srp_ctx.SRP_verify_param_callback = NULL;
ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
- ctx->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback = NULL;
ctx->srp_ctx.N = NULL;
ctx->srp_ctx.g = NULL;
ctx->srp_ctx.s = NULL;
@@ -113,7 +112,6 @@ int SSL_SRP_CTX_free(struct ssl_st *s)
s->srp_ctx.SRP_cb_arg = NULL;
s->srp_ctx.SRP_verify_param_callback = NULL;
s->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
- s->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback = NULL;
s->srp_ctx.N = NULL;
s->srp_ctx.g = NULL;
s->srp_ctx.s = NULL;
@@ -142,7 +140,6 @@ int SSL_SRP_CTX_init(struct ssl_st *s)
s->srp_ctx.SRP_verify_param_callback = ctx->srp_ctx.SRP_verify_param_callback;
/* set SRP client passwd callback */
s->srp_ctx.SRP_give_srp_client_pwd_callback = \
ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
- s->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback = \
ctx->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback;
s->srp_ctx.N = NULL;
s->srp_ctx.g = NULL;
@@ -210,7 +207,6 @@ int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
ctx->srp_ctx.SRP_verify_param_callback = NULL;
/* set SRP client passwd callback */
ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
- ctx->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback = NULL;
ctx->srp_ctx.N = NULL;
ctx->srp_ctx.g = NULL;
@@ -234,7 +230,7 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad)
unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
int al;
- *ad = SSL_AD_UNKNOWN_SRP_USERNAME;
+ *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
if ((s->srp_ctx.TLS_ext_srp_username_callback !=NULL) &&
((al = s->srp_ctx.TLS_ext_srp_username_callback(s, ad, \
s->srp_ctx.SRP_cb_arg))!=SSL_ERROR_NONE)) return al;
@@ -436,16 +432,6 @@ int SRP_Calc_A_param(SSL *s)
return 1;
}
-int SRP_have_to_put_srp_username(SSL *s)
- {
- if (s->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback == NULL)
- return 0;
- if ((s->srp_ctx.login = \
s->srp_ctx.SRP_TLS_ext_missing_srp_client_username_callback(s,s->srp_ctx.SRP_cb_arg)) \
== NULL)
- return 0;
- s->srp_ctx.srp_Mask|=SSL_kSRP;
- return 1;
- }
-
BIGNUM *SSL_get_srp_g(SSL *s)
{
if (s->srp_ctx.g != NULL)
@@ -516,12 +502,4 @@ int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, char \
*(*cb)(SSL *,void *)) return tls1_ctx_callback_ctrl(ctx, \
SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB, (void (*)())cb);
}
-
-int SSL_CTX_set_srp_missing_srp_username_callback(SSL_CTX *ctx,
- char *(*cb)(SSL *,void *))
- {
- return tls1_ctx_callback_ctrl(ctx,
- SSL_CTRL_SET_TLS_EXT_SRP_MISSING_CLIENT_USERNAME_CB,
- (void (*)())cb);
- }
#endif
diff --git a/test/testssl b/test/testssl
index 3ab5b02..d9c56b8 100644
--- a/test/testssl
+++ b/test/testssl
@@ -151,11 +151,28 @@ $ssltest -bio_pair -tls1 -cipher PSK -psk abc123 $extra || exit \
1 if ../util/shlib_wrap.sh ../apps/openssl no-srp; then
echo skipping SRP tests
else
+ srp_nocert='!aRSA:!DSS:SRP'
+ good_srp_credentials="-client_srpuser test -client_srppass abc123 -server_srpuser \
test -server_srppass abc123" +
echo test tls1 with SRP
- $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123
+ $ssltest -tls1 -cipher $srp_nocert $good_srp_credentials || exit 1
echo test tls1 with SRP via BIO pair
- $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123
+ $ssltest -bio_pair -tls1 -cipher $srp_nocert $good_srp_credentials || exit 1
+
+ echo test tls1 with SRP-RSA
+ $ssltest -tls1 -server_auth $CA $extra -cipher SRP $good_srp_credentials || exit 1
+
+ echo test tls1 with SRP-RSA via BIO pair
+ $ssltest -bio_pair -server_auth $CA $extra -tls1 -cipher SRP $good_srp_credentials \
|| exit 1 +
+ echo test tls1 with SRP missing username
+ $ssltest -tls1 -cipher $srp_nocert -client_srpuser testbad -client_srppass abc123 \
-server_srpuser test -server_srppass abc123 -server_err 'missing srp username' || \
exit 1 + $ssltest -tls1 -cipher $srp_nocert -server_srpuser test -server_srppass \
abc123 -server_err 'missing srp username' || exit 1 + $ssltest -tls1 -cipher \
$srp_nocert -client_srpuser test -client_srppass abc123 -server_err 'no shared \
cipher' || exit 1 +
+ echo test tls1 with SRP using bad password
+ $ssltest -tls1 -cipher $srp_nocert -client_srpuser test -client_srppass BADCLI \
-server_srpuser test -server_srppass BADSRV -server_err 'decryption failed or bad \
record mac' || exit 1 fi
exit 0
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic