diff options
| author | tedu <> | 2014-04-16 20:39:09 +0000 |
|---|---|---|
| committer | tedu <> | 2014-04-16 20:39:09 +0000 |
| commit | e7892d59587f55067ca2e2bc6fa26cf4bcd6c084 (patch) | |
| tree | 761d3461cd8f278c74120d2836c29dd21dc95be6 /src/lib/libssl/s3_lib.c | |
| parent | 750d86a4fc04f53024575d65269281ea6c4e450c (diff) | |
| download | openbsd-e7892d59587f55067ca2e2bc6fa26cf4bcd6c084.tar.gz openbsd-e7892d59587f55067ca2e2bc6fa26cf4bcd6c084.tar.bz2 openbsd-e7892d59587f55067ca2e2bc6fa26cf4bcd6c084.zip | |
add back SRP. i was being too greedy.
Diffstat (limited to 'src/lib/libssl/s3_lib.c')
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 209 |
1 files changed, 209 insertions, 0 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index f56dbe26d7..68a4b8ca2d 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -2419,6 +2419,151 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = { | |||
| 2419 | }, | 2419 | }, |
| 2420 | #endif /* OPENSSL_NO_ECDH */ | 2420 | #endif /* OPENSSL_NO_ECDH */ |
| 2421 | 2421 | ||
| 2422 | #ifndef OPENSSL_NO_SRP | ||
| 2423 | /* Cipher C01A */ | ||
| 2424 | { | ||
| 2425 | 1, | ||
| 2426 | TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA, | ||
| 2427 | TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA, | ||
| 2428 | SSL_kSRP, | ||
| 2429 | SSL_aNULL, | ||
| 2430 | SSL_3DES, | ||
| 2431 | SSL_SHA1, | ||
| 2432 | SSL_TLSV1, | ||
| 2433 | SSL_NOT_EXP|SSL_HIGH, | ||
| 2434 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 2435 | 168, | ||
| 2436 | 168, | ||
| 2437 | }, | ||
| 2438 | |||
| 2439 | /* Cipher C01B */ | ||
| 2440 | { | ||
| 2441 | 1, | ||
| 2442 | TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, | ||
| 2443 | TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA, | ||
| 2444 | SSL_kSRP, | ||
| 2445 | SSL_aRSA, | ||
| 2446 | SSL_3DES, | ||
| 2447 | SSL_SHA1, | ||
| 2448 | SSL_TLSV1, | ||
| 2449 | SSL_NOT_EXP|SSL_HIGH, | ||
| 2450 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 2451 | 168, | ||
| 2452 | 168, | ||
| 2453 | }, | ||
| 2454 | |||
| 2455 | /* Cipher C01C */ | ||
| 2456 | { | ||
| 2457 | 1, | ||
| 2458 | TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, | ||
| 2459 | TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA, | ||
| 2460 | SSL_kSRP, | ||
| 2461 | SSL_aDSS, | ||
| 2462 | SSL_3DES, | ||
| 2463 | SSL_SHA1, | ||
| 2464 | SSL_TLSV1, | ||
| 2465 | SSL_NOT_EXP|SSL_HIGH, | ||
| 2466 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 2467 | 168, | ||
| 2468 | 168, | ||
| 2469 | }, | ||
| 2470 | |||
| 2471 | /* Cipher C01D */ | ||
| 2472 | { | ||
| 2473 | 1, | ||
| 2474 | TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA, | ||
| 2475 | TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA, | ||
| 2476 | SSL_kSRP, | ||
| 2477 | SSL_aNULL, | ||
| 2478 | SSL_AES128, | ||
| 2479 | SSL_SHA1, | ||
| 2480 | SSL_TLSV1, | ||
| 2481 | SSL_NOT_EXP|SSL_HIGH, | ||
| 2482 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 2483 | 128, | ||
| 2484 | 128, | ||
| 2485 | }, | ||
| 2486 | |||
| 2487 | /* Cipher C01E */ | ||
| 2488 | { | ||
| 2489 | 1, | ||
| 2490 | TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, | ||
| 2491 | TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA, | ||
| 2492 | SSL_kSRP, | ||
| 2493 | SSL_aRSA, | ||
| 2494 | SSL_AES128, | ||
| 2495 | SSL_SHA1, | ||
| 2496 | SSL_TLSV1, | ||
| 2497 | SSL_NOT_EXP|SSL_HIGH, | ||
| 2498 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 2499 | 128, | ||
| 2500 | 128, | ||
| 2501 | }, | ||
| 2502 | |||
| 2503 | /* Cipher C01F */ | ||
| 2504 | { | ||
| 2505 | 1, | ||
| 2506 | TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, | ||
| 2507 | TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA, | ||
| 2508 | SSL_kSRP, | ||
| 2509 | SSL_aDSS, | ||
| 2510 | SSL_AES128, | ||
| 2511 | SSL_SHA1, | ||
| 2512 | SSL_TLSV1, | ||
| 2513 | SSL_NOT_EXP|SSL_HIGH, | ||
| 2514 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 2515 | 128, | ||
| 2516 | 128, | ||
| 2517 | }, | ||
| 2518 | |||
| 2519 | /* Cipher C020 */ | ||
| 2520 | { | ||
| 2521 | 1, | ||
| 2522 | TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA, | ||
| 2523 | TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA, | ||
| 2524 | SSL_kSRP, | ||
| 2525 | SSL_aNULL, | ||
| 2526 | SSL_AES256, | ||
| 2527 | SSL_SHA1, | ||
| 2528 | SSL_TLSV1, | ||
| 2529 | SSL_NOT_EXP|SSL_HIGH, | ||
| 2530 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 2531 | 256, | ||
| 2532 | 256, | ||
| 2533 | }, | ||
| 2534 | |||
| 2535 | /* Cipher C021 */ | ||
| 2536 | { | ||
| 2537 | 1, | ||
| 2538 | TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, | ||
| 2539 | TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA, | ||
| 2540 | SSL_kSRP, | ||
| 2541 | SSL_aRSA, | ||
| 2542 | SSL_AES256, | ||
| 2543 | SSL_SHA1, | ||
| 2544 | SSL_TLSV1, | ||
| 2545 | SSL_NOT_EXP|SSL_HIGH, | ||
| 2546 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 2547 | 256, | ||
| 2548 | 256, | ||
| 2549 | }, | ||
| 2550 | |||
| 2551 | /* Cipher C022 */ | ||
| 2552 | { | ||
| 2553 | 1, | ||
| 2554 | TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, | ||
| 2555 | TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA, | ||
| 2556 | SSL_kSRP, | ||
| 2557 | SSL_aDSS, | ||
| 2558 | SSL_AES256, | ||
| 2559 | SSL_SHA1, | ||
| 2560 | SSL_TLSV1, | ||
| 2561 | SSL_NOT_EXP|SSL_HIGH, | ||
| 2562 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | ||
| 2563 | 256, | ||
| 2564 | 256, | ||
| 2565 | }, | ||
| 2566 | #endif /* OPENSSL_NO_SRP */ | ||
| 2422 | #ifndef OPENSSL_NO_ECDH | 2567 | #ifndef OPENSSL_NO_ECDH |
| 2423 | 2568 | ||
| 2424 | /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ | 2569 | /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ |
| @@ -2808,6 +2953,9 @@ ssl3_new(SSL *s) | |||
| 2808 | 2953 | ||
| 2809 | s->s3 = s3; | 2954 | s->s3 = s3; |
| 2810 | 2955 | ||
| 2956 | #ifndef OPENSSL_NO_SRP | ||
| 2957 | SSL_SRP_CTX_init(s); | ||
| 2958 | #endif | ||
| 2811 | s->method->ssl_clear(s); | 2959 | s->method->ssl_clear(s); |
| 2812 | return (1); | 2960 | return (1); |
| 2813 | err: | 2961 | err: |
| @@ -2850,6 +2998,9 @@ ssl3_free(SSL *s) | |||
| 2850 | } | 2998 | } |
| 2851 | if (s->s3->handshake_dgst) | 2999 | if (s->s3->handshake_dgst) |
| 2852 | ssl3_free_digest_list(s); | 3000 | ssl3_free_digest_list(s); |
| 3001 | #ifndef OPENSSL_NO_SRP | ||
| 3002 | SSL_SRP_CTX_free(s); | ||
| 3003 | #endif | ||
| 2853 | OPENSSL_cleanse(s->s3, sizeof *s->s3); | 3004 | OPENSSL_cleanse(s->s3, sizeof *s->s3); |
| 2854 | OPENSSL_free(s->s3); | 3005 | OPENSSL_free(s->s3); |
| 2855 | s->s3 = NULL; | 3006 | s->s3 = NULL; |
| @@ -2934,6 +3085,13 @@ ssl3_clear(SSL *s) | |||
| 2934 | #endif | 3085 | #endif |
| 2935 | } | 3086 | } |
| 2936 | 3087 | ||
| 3088 | #ifndef OPENSSL_NO_SRP | ||
| 3089 | static char * | ||
| 3090 | srp_password_from_info_cb(SSL *s, void *arg) | ||
| 3091 | { | ||
| 3092 | return BUF_strdup(s->srp_ctx.info); | ||
| 3093 | } | ||
| 3094 | #endif | ||
| 2937 | 3095 | ||
| 2938 | long | 3096 | long |
| 2939 | ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) | 3097 | ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) |
| @@ -3375,6 +3533,36 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
| 3375 | return 1; | 3533 | return 1; |
| 3376 | break; | 3534 | break; |
| 3377 | 3535 | ||
| 3536 | #ifndef OPENSSL_NO_SRP | ||
| 3537 | case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME: | ||
| 3538 | ctx->srp_ctx.srp_Mask|=SSL_kSRP; | ||
| 3539 | if (ctx->srp_ctx.login != NULL) | ||
| 3540 | OPENSSL_free(ctx->srp_ctx.login); | ||
| 3541 | ctx->srp_ctx.login = NULL; | ||
| 3542 | if (parg == NULL) | ||
| 3543 | break; | ||
| 3544 | if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1) { | ||
| 3545 | SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME); | ||
| 3546 | return 0; | ||
| 3547 | } | ||
| 3548 | if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) { | ||
| 3549 | SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR); | ||
| 3550 | return 0; | ||
| 3551 | } | ||
| 3552 | break; | ||
| 3553 | case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD: | ||
| 3554 | ctx->srp_ctx.SRP_give_srp_client_pwd_callback = srp_password_from_info_cb; | ||
| 3555 | ctx->srp_ctx.info = parg; | ||
| 3556 | break; | ||
| 3557 | case SSL_CTRL_SET_SRP_ARG: | ||
| 3558 | ctx->srp_ctx.srp_Mask|=SSL_kSRP; | ||
| 3559 | ctx->srp_ctx.SRP_cb_arg = parg; | ||
| 3560 | break; | ||
| 3561 | |||
| 3562 | case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH: | ||
| 3563 | ctx->srp_ctx.strength = larg; | ||
| 3564 | break; | ||
| 3565 | #endif | ||
| 3378 | #endif /* !OPENSSL_NO_TLSEXT */ | 3566 | #endif /* !OPENSSL_NO_TLSEXT */ |
| 3379 | 3567 | ||
| 3380 | /* A Thawte special :-) */ | 3568 | /* A Thawte special :-) */ |
| @@ -3452,6 +3640,23 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) | |||
| 3452 | unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; | 3640 | unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp; |
| 3453 | break; | 3641 | break; |
| 3454 | 3642 | ||
| 3643 | #ifndef OPENSSL_NO_SRP | ||
| 3644 | case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB: | ||
| 3645 | ctx->srp_ctx.srp_Mask|=SSL_kSRP; | ||
| 3646 | ctx->srp_ctx.SRP_verify_param_callback = | ||
| 3647 | (int (*)(SSL *, void *))fp; | ||
| 3648 | break; | ||
| 3649 | case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB: | ||
| 3650 | ctx->srp_ctx.srp_Mask|=SSL_kSRP; | ||
| 3651 | ctx->srp_ctx.TLS_ext_srp_username_callback = | ||
| 3652 | (int (*)(SSL *, int *, void *))fp; | ||
| 3653 | break; | ||
| 3654 | case SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB: | ||
| 3655 | ctx->srp_ctx.srp_Mask|=SSL_kSRP; | ||
| 3656 | ctx->srp_ctx.SRP_give_srp_client_pwd_callback = | ||
| 3657 | (char *(*)(SSL *, void *))fp; | ||
| 3658 | break; | ||
| 3659 | #endif | ||
| 3455 | #endif | 3660 | #endif |
| 3456 | default: | 3661 | default: |
| 3457 | return (0); | 3662 | return (0); |
| @@ -3557,6 +3762,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, | |||
| 3557 | mask_a = cert->mask_a; | 3762 | mask_a = cert->mask_a; |
| 3558 | emask_k = cert->export_mask_k; | 3763 | emask_k = cert->export_mask_k; |
| 3559 | emask_a = cert->export_mask_a; | 3764 | emask_a = cert->export_mask_a; |
| 3765 | #ifndef OPENSSL_NO_SRP | ||
| 3766 | mask_k = cert->mask_k | s->srp_ctx.srp_Mask; | ||
| 3767 | emask_k = cert->export_mask_k | s->srp_ctx.srp_Mask; | ||
| 3768 | #endif | ||
| 3560 | 3769 | ||
| 3561 | #ifdef KSSL_DEBUG | 3770 | #ifdef KSSL_DEBUG |
| 3562 | /* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/ | 3771 | /* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/ |