add back SRP. i was being too greedy.

author: tedu <> 2014-04-16 20:39:09 +0000
committer: tedu <> 2014-04-16 20:39:09 +0000
commit: e7892d59587f55067ca2e2bc6fa26cf4bcd6c084 (patch)
tree: 761d3461cd8f278c74120d2836c29dd21dc95be6 /src/lib/libssl/s3_clnt.c
parent: 750d86a4fc04f53024575d65269281ea6c4e450c (diff)
download: openbsd-e7892d59587f55067ca2e2bc6fa26cf4bcd6c084.tar.gz
openbsd-e7892d59587f55067ca2e2bc6fa26cf4bcd6c084.tar.bz2
openbsd-e7892d59587f55067ca2e2bc6fa26cf4bcd6c084.zip
1 files changed, 106 insertions, 0 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 1589cdc21e..88be294ab7 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -365,6 +365,15 @@ ssl3_connect(SSL *s)
                        ret = ssl3_get_server_done(s);
                        if (ret <= 0)
                                goto end;
+#ifndef OPENSSL_NO_SRP
+                        if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
+                                if ((ret = SRP_Calc_A_param(s)) <= 0) {
+                                        SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);
+                                        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+                                        goto end;
+                                }
+                        }
+#endif
                        if (s->s3->tmp.cert_req)
                                s->state = SSL3_ST_CW_CERT_A;
                        else
@@ -1290,6 +1299,76 @@ ssl3_get_key_exchange(SSL *s)
                n -= param_len;
        } else
 #endif /* !OPENSSL_NO_PSK */
+#ifndef OPENSSL_NO_SRP
+        if (alg_k & SSL_kSRP) {
+                n2s(p, i);
+                param_len = i + 2;
+                if (param_len > n) {
+                        al = SSL_AD_DECODE_ERROR;
+                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH);
+                        goto f_err;
+                }
+                if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
+                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
+                        goto err;
+                }
+                p += i;
+                n2s(p, i);
+                param_len += i + 2;
+                if (param_len > n) {
+                        al = SSL_AD_DECODE_ERROR;
+                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH);
+                        goto f_err;
+                }
+                if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
+                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
+                        goto err;
+                }
+                p += i;
+                i = (unsigned int)(p[0]);
+                p++;
+                param_len += i + 1;
+                if (param_len > n) {
+                        al = SSL_AD_DECODE_ERROR;
+                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH);
+                        goto f_err;
+                }
+                if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
+                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
+                        goto err;
+                }
+                p += i;
+                n2s(p, i);
+                param_len += i + 2;
+                if (param_len > n) {
+                        al = SSL_AD_DECODE_ERROR;
+                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH);
+                        goto f_err;
+                }
+                if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
+                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
+                        goto err;
+                }
+                p += i;
+                n -= param_len;
+/* We must check if there is a certificate */
+#ifndef OPENSSL_NO_RSA
+                if (alg_a & SSL_aRSA)
+                        pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
+#else
+                if (0)
+;
+#endif
+#ifndef OPENSSL_NO_DSA
+                else if (alg_a & SSL_aDSS)
+                        pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
+#endif
+        } else
+#endif /* !OPENSSL_NO_SRP */
 #ifndef OPENSSL_NO_RSA
        if (alg_k & SSL_kRSA) {
                if ((rsa = RSA_new()) == NULL) {
@@ -2492,6 +2571,33 @@ ssl3_send_client_key_exchange(SSL *s)
                        EVP_PKEY_free(pub_key);
                }
+#ifndef OPENSSL_NO_SRP
+                else if (alg_k & SSL_kSRP) {
+                        if (s->srp_ctx.A != NULL) {
+                                /* send off the data */
+                                n = BN_num_bytes(s->srp_ctx.A);
+                                s2n(n, p);
+                                BN_bn2bin(s->srp_ctx.A, p);
+                                n += 2;
+                        } else {
+                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                        }
+                        if (s->session->srp_username != NULL)
+                                OPENSSL_free(s->session->srp_username);
+                        s->session->srp_username = BUF_strdup(s->srp_ctx.login);
+                        if (s->session->srp_username == NULL) {
+                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                ERR_R_MALLOC_FAILURE);
+                                goto err;
+                        }
+                        if ((s->session->master_key_length = SRP_generate_client_master_secret(s, s->session->master_key)) < 0) {
+                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                        }
+                }
+#endif
 #ifndef OPENSSL_NO_PSK
                else if (alg_k & SSL_kPSK) {
                        char identity[PSK_MAX_IDENTITY_LEN];
author	tedu <>	2014-04-16 20:39:09 +0000
committer	tedu <>	2014-04-16 20:39:09 +0000
commit	e7892d59587f55067ca2e2bc6fa26cf4bcd6c084 (patch)
tree	761d3461cd8f278c74120d2836c29dd21dc95be6 /src/lib/libssl/s3_clnt.c
parent	750d86a4fc04f53024575d65269281ea6c4e450c (diff)
download	openbsd-e7892d59587f55067ca2e2bc6fa26cf4bcd6c084.tar.gz openbsd-e7892d59587f55067ca2e2bc6fa26cf4bcd6c084.tar.bz2 openbsd-e7892d59587f55067ca2e2bc6fa26cf4bcd6c084.zip

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 1589cdc21e..88be294ab7 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c
@@ -365,6 +365,15 @@ ssl3_connect(SSL *s)
365	ret = ssl3_get_server_done(s);	365	ret = ssl3_get_server_done(s);
366	if (ret <= 0)	366	if (ret <= 0)
367	goto end;	367	goto end;
		368	#ifndef OPENSSL_NO_SRP
		369	if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
		370	if ((ret = SRP_Calc_A_param(s)) <= 0) {
		371	SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);
		372	ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
		373	goto end;
		374	}
		375	}
		376	#endif
368	if (s->s3->tmp.cert_req)	377	if (s->s3->tmp.cert_req)
369	s->state = SSL3_ST_CW_CERT_A;	378	s->state = SSL3_ST_CW_CERT_A;
370	else	379	else
@@ -1290,6 +1299,76 @@ ssl3_get_key_exchange(SSL *s)
1290	n -= param_len;	1299	n -= param_len;
1291	} else	1300	} else
1292	#endif /* !OPENSSL_NO_PSK */	1301	#endif /* !OPENSSL_NO_PSK */
		1302	#ifndef OPENSSL_NO_SRP
		1303	if (alg_k & SSL_kSRP) {
		1304	n2s(p, i);
		1305	param_len = i + 2;
		1306	if (param_len > n) {
		1307	al = SSL_AD_DECODE_ERROR;
		1308	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH);
		1309	goto f_err;
		1310	}
		1311	if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
		1312	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
		1313	goto err;
		1314	}
		1315	p += i;
		1316
		1317	n2s(p, i);
		1318	param_len += i + 2;
		1319	if (param_len > n) {
		1320	al = SSL_AD_DECODE_ERROR;
		1321	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH);
		1322	goto f_err;
		1323	}
		1324	if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
		1325	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
		1326	goto err;
		1327	}
		1328	p += i;
		1329
		1330	i = (unsigned int)(p[0]);
		1331	p++;
		1332	param_len += i + 1;
		1333	if (param_len > n) {
		1334	al = SSL_AD_DECODE_ERROR;
		1335	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH);
		1336	goto f_err;
		1337	}
		1338	if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
		1339	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
		1340	goto err;
		1341	}
		1342	p += i;
		1343
		1344	n2s(p, i);
		1345	param_len += i + 2;
		1346	if (param_len > n) {
		1347	al = SSL_AD_DECODE_ERROR;
		1348	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH);
		1349	goto f_err;
		1350	}
		1351	if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
		1352	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
		1353	goto err;
		1354	}
		1355	p += i;
		1356	n -= param_len;
		1357
		1358	/* We must check if there is a certificate */
		1359	#ifndef OPENSSL_NO_RSA
		1360	if (alg_a & SSL_aRSA)
		1361	pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
		1362	#else
		1363	if (0)
		1364	;
		1365	#endif
		1366	#ifndef OPENSSL_NO_DSA
		1367	else if (alg_a & SSL_aDSS)
		1368	pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
		1369	#endif
		1370	} else
		1371	#endif /* !OPENSSL_NO_SRP */
1293	#ifndef OPENSSL_NO_RSA	1372	#ifndef OPENSSL_NO_RSA
1294	if (alg_k & SSL_kRSA) {	1373	if (alg_k & SSL_kRSA) {
1295	if ((rsa = RSA_new()) == NULL) {	1374	if ((rsa = RSA_new()) == NULL) {
@@ -2492,6 +2571,33 @@ ssl3_send_client_key_exchange(SSL *s)
2492	EVP_PKEY_free(pub_key);	2571	EVP_PKEY_free(pub_key);
2493		2572
2494	}	2573	}
		2574	#ifndef OPENSSL_NO_SRP
		2575	else if (alg_k & SSL_kSRP) {
		2576	if (s->srp_ctx.A != NULL) {
		2577	/* send off the data */
		2578	n = BN_num_bytes(s->srp_ctx.A);
		2579	s2n(n, p);
		2580	BN_bn2bin(s->srp_ctx.A, p);
		2581	n += 2;
		2582	} else {
		2583	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
		2584	goto err;
		2585	}
		2586	if (s->session->srp_username != NULL)
		2587	OPENSSL_free(s->session->srp_username);
		2588	s->session->srp_username = BUF_strdup(s->srp_ctx.login);
		2589	if (s->session->srp_username == NULL) {
		2590	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
		2591	ERR_R_MALLOC_FAILURE);
		2592	goto err;
		2593	}
		2594
		2595	if ((s->session->master_key_length = SRP_generate_client_master_secret(s, s->session->master_key)) < 0) {
		2596	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
		2597	goto err;
		2598	}
		2599	}
		2600	#endif
2495	#ifndef OPENSSL_NO_PSK	2601	#ifndef OPENSSL_NO_PSK
2496	else if (alg_k & SSL_kPSK) {	2602	else if (alg_k & SSL_kPSK) {
2497	char identity[PSK_MAX_IDENTITY_LEN];	2603	char identity[PSK_MAX_IDENTITY_LEN];