disentangle SRP code from TLS

author: tedu <> 2014-04-16 17:59:17 +0000
committer: tedu <> 2014-04-16 17:59:17 +0000
commit: 8cf170bf672c7d86b3903a219e445ba6138e7e95 (patch)
tree: fa8aa2c33679a60946ff76922a99938af26dde80 /src/lib/libssl/s3_srvr.c
parent: 2a02c4f91789a07715ed68ed2af2782ad52c815a (diff)
download: openbsd-8cf170bf672c7d86b3903a219e445ba6138e7e95.tar.gz
openbsd-8cf170bf672c7d86b3903a219e445ba6138e7e95.tar.bz2
openbsd-8cf170bf672c7d86b3903a219e445ba6138e7e95.zip
1 files changed, 0 insertions, 122 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index f532e254f9..93510cb58a 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -180,28 +180,6 @@ static const SSL_METHOD
                return (NULL);
 }
-#ifndef OPENSSL_NO_SRP
-static int
-ssl_check_srp_ext_ClientHello(SSL *s, int *al)
-{
-        int ret = SSL_ERROR_NONE;
-        *al = SSL_AD_UNRECOGNIZED_NAME;
-        if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
-                (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
-                if (s->srp_ctx.login == NULL) {
-                        /* RFC 5054 says SHOULD reject, 
-                           we do so if There is no srp login name */
-                        ret = SSL3_AL_FATAL;
-                        *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
-                } else {
-                        ret = SSL_srp_server_param_with_username(s, al);
-                }
-        }
-        return ret;
-}
-#endif
 IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
    ssl3_accept, ssl_undefined_function, ssl3_get_server_method)
@@ -341,39 +319,6 @@ ssl3_accept(SSL *s)
                                if (ret <= 0)
                                        goto end;
                        }
-#ifndef OPENSSL_NO_SRP
-                        {
-                                int al;
-                                if ((ret =
-                                    ssl_check_srp_ext_ClientHello(s, &al)) 
-                                    < 0) {
-                                        /*
-                                         * Callback indicates further work to
-                                         * be done.
-                                         */
-                                        s->rwstate = SSL_X509_LOOKUP;
-                                        goto end;
-                                }
-                                if (ret != SSL_ERROR_NONE) {
-                                        ssl3_send_alert(s, SSL3_AL_FATAL, al);
-                                        /*
-                                         * This is not really an error but the
-                                         * only means for a client to detect
-                                         * whether srp is supported.
-                                         */
-                                        if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
-                                                SSLerr(SSL_F_SSL3_ACCEPT,
-                                                    SSL_R_CLIENTHELLO_TLSEXT);
-                                        ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-                                        ret = -1;
-                                        goto end;
-                                }
-                        }
-#endif          
                        s->renegotiate = 2;
                        s->state = SSL3_ST_SW_SRVR_HELLO_A;
@@ -472,10 +417,6 @@ ssl3_accept(SSL *s)
 #ifndef OPENSSL_NO_PSK
                            || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
 #endif
-#ifndef OPENSSL_NO_SRP
-                        /* SRP: send ServerKeyExchange */
-                            || (alg_k & SSL_kSRP)
-#endif
                            || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
                            || (alg_k & SSL_kEECDH)
                            || ((alg_k & SSL_kRSA)
@@ -1812,19 +1753,6 @@ ssl3_send_server_key_exchange(SSL *s)
                        n += 2 + pskhintlen;
                } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-                if (type & SSL_kSRP) {
-                        if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
-                            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
-                                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_SRP_PARAM);
-                                goto err;
-                        }
-                        r[0] = s->srp_ctx.N;
-                        r[1] = s->srp_ctx.g;
-                        r[2] = s->srp_ctx.s;
-                        r[3] = s->srp_ctx.B;
-                } else
-#endif
                {
                        al = SSL_AD_HANDSHAKE_FAILURE;
                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
@@ -1832,11 +1760,6 @@ ssl3_send_server_key_exchange(SSL *s)
                }
                for (i = 0; i < 4 && r[i] != NULL; i++) {
                        nr[i] = BN_num_bytes(r[i]);
-#ifndef OPENSSL_NO_SRP
-                        if ((i == 2) && (type & SSL_kSRP))
-                                n += 1 + nr[i];
-                        else
-#endif
                        n += 2 + nr[i];
                }
@@ -1862,12 +1785,6 @@ ssl3_send_server_key_exchange(SSL *s)
                p = &(d[4]);
                for (i = 0; i < 4 && r[i] != NULL; i++) {
-#ifndef OPENSSL_NO_SRP
-                        if ((i == 2) && (type & SSL_kSRP)) {
-                                *p = nr[i];
-                                p++;
-                        } else
-#endif
                        s2n(nr[i], p);
                        BN_bn2bin(r[i], p);
                        p += nr[i];
@@ -2736,43 +2653,6 @@ ssl3_get_client_key_exchange(SSL *s)
                        goto f_err;
        } else
 #endif
-#ifndef OPENSSL_NO_SRP
-        if (alg_k & SSL_kSRP) {
-                int param_len;
-                n2s(p, i);
-                param_len = i + 2;
-                if (param_len > n) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            SSL_R_BAD_SRP_A_LENGTH);
-                        goto f_err;
-                }
-                if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            ERR_R_BN_LIB);
-                        goto err;
-                }
-                if (s->session->srp_username != NULL)
-                        OPENSSL_free(s->session->srp_username);
-                s->session->srp_username = BUF_strdup(s->srp_ctx.login);
-                if (s->session->srp_username == NULL) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            ERR_R_MALLOC_FAILURE);
-                        goto err;
-                }
-                if ((s->session->master_key_length =
-                    SRP_generate_server_master_secret(s,
-                    s->session->master_key)) < 0) {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                            ERR_R_INTERNAL_ERROR);
-                        goto err;
-                }
-                p += i;
-        } else
-#endif  /* OPENSSL_NO_SRP */
        if (alg_k & SSL_kGOST) {
                int ret = 0;
                EVP_PKEY_CTX *pkey_ctx;
@@ -2853,9 +2733,7 @@ ssl3_get_client_key_exchange(SSL *s)
        return (1);
 f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
 err:
-#endif
 #ifndef OPENSSL_NO_ECDH
        EVP_PKEY_free(clnt_pub_pkey);
        EC_POINT_free(clnt_ecpoint);
author	tedu <>	2014-04-16 17:59:17 +0000
committer	tedu <>	2014-04-16 17:59:17 +0000
commit	8cf170bf672c7d86b3903a219e445ba6138e7e95 (patch)
tree	fa8aa2c33679a60946ff76922a99938af26dde80 /src/lib/libssl/s3_srvr.c
parent	2a02c4f91789a07715ed68ed2af2782ad52c815a (diff)
download	openbsd-8cf170bf672c7d86b3903a219e445ba6138e7e95.tar.gz openbsd-8cf170bf672c7d86b3903a219e445ba6138e7e95.tar.bz2 openbsd-8cf170bf672c7d86b3903a219e445ba6138e7e95.zip

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index f532e254f9..93510cb58a 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -180,28 +180,6 @@ static const SSL_METHOD
180	return (NULL);	180	return (NULL);
181	}	181	}
182		182
183	#ifndef OPENSSL_NO_SRP
184	static int
185	ssl_check_srp_ext_ClientHello(SSL s, int al)
186	{
187	int ret = SSL_ERROR_NONE;
188
189	*al = SSL_AD_UNRECOGNIZED_NAME;
190
191	if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
192	(s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
193	if (s->srp_ctx.login == NULL) {
194	/* RFC 5054 says SHOULD reject,
195	we do so if There is no srp login name */
196	ret = SSL3_AL_FATAL;
197	*al = SSL_AD_UNKNOWN_PSK_IDENTITY;
198	} else {
199	ret = SSL_srp_server_param_with_username(s, al);
200	}
201	}
202	return ret;
203	}
204	#endif
205		183
206	IMPLEMENT_ssl3_meth_func(SSLv3_server_method,	184	IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
207	ssl3_accept, ssl_undefined_function, ssl3_get_server_method)	185	ssl3_accept, ssl_undefined_function, ssl3_get_server_method)
@@ -341,39 +319,6 @@ ssl3_accept(SSL *s)
341	if (ret <= 0)	319	if (ret <= 0)
342	goto end;	320	goto end;
343	}	321	}
344	#ifndef OPENSSL_NO_SRP
345	{
346	int al;
347	if ((ret =
348	ssl_check_srp_ext_ClientHello(s, &al))
349	< 0) {
350	/*
351	* Callback indicates further work to
352	* be done.
353	*/
354	s->rwstate = SSL_X509_LOOKUP;
355	goto end;
356	}
357	if (ret != SSL_ERROR_NONE) {
358	ssl3_send_alert(s, SSL3_AL_FATAL, al);
359
360	/*
361	* This is not really an error but the
362	* only means for a client to detect
363	* whether srp is supported.
364	*/
365	if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
366	SSLerr(SSL_F_SSL3_ACCEPT,
367	SSL_R_CLIENTHELLO_TLSEXT);
368
369	ret = SSL_TLSEXT_ERR_ALERT_FATAL;
370
371	ret = -1;
372	goto end;
373
374	}
375	}
376	#endif
377		322
378	s->renegotiate = 2;	323	s->renegotiate = 2;
379	s->state = SSL3_ST_SW_SRVR_HELLO_A;	324	s->state = SSL3_ST_SW_SRVR_HELLO_A;
@@ -472,10 +417,6 @@ ssl3_accept(SSL *s)
472	#ifndef OPENSSL_NO_PSK	417	#ifndef OPENSSL_NO_PSK
473	\|\| ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)	418	\|\| ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
474	#endif	419	#endif
475	#ifndef OPENSSL_NO_SRP
476	/* SRP: send ServerKeyExchange */
477	\|\| (alg_k & SSL_kSRP)
478	#endif
479	\|\| (alg_k & (SSL_kDHr\|SSL_kDHd\|SSL_kEDH))	420	\|\| (alg_k & (SSL_kDHr\|SSL_kDHd\|SSL_kEDH))
480	\|\| (alg_k & SSL_kEECDH)	421	\|\| (alg_k & SSL_kEECDH)
481	\|\| ((alg_k & SSL_kRSA)	422	\|\| ((alg_k & SSL_kRSA)
@@ -1812,19 +1753,6 @@ ssl3_send_server_key_exchange(SSL *s)
1812	n += 2 + pskhintlen;	1753	n += 2 + pskhintlen;
1813	} else	1754	} else
1814	#endif /* !OPENSSL_NO_PSK */	1755	#endif /* !OPENSSL_NO_PSK */
1815	#ifndef OPENSSL_NO_SRP
1816	if (type & SSL_kSRP) {
1817	if ((s->srp_ctx.N == NULL) \|\| (s->srp_ctx.g == NULL) \|\|
1818	(s->srp_ctx.s == NULL) \|\| (s->srp_ctx.B == NULL)) {
1819	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_SRP_PARAM);
1820	goto err;
1821	}
1822	r[0] = s->srp_ctx.N;
1823	r[1] = s->srp_ctx.g;
1824	r[2] = s->srp_ctx.s;
1825	r[3] = s->srp_ctx.B;
1826	} else
1827	#endif
1828	{	1756	{
1829	al = SSL_AD_HANDSHAKE_FAILURE;	1757	al = SSL_AD_HANDSHAKE_FAILURE;
1830	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);	1758	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
@@ -1832,11 +1760,6 @@ ssl3_send_server_key_exchange(SSL *s)
1832	}	1760	}
1833	for (i = 0; i < 4 && r[i] != NULL; i++) {	1761	for (i = 0; i < 4 && r[i] != NULL; i++) {
1834	nr[i] = BN_num_bytes(r[i]);	1762	nr[i] = BN_num_bytes(r[i]);
1835	#ifndef OPENSSL_NO_SRP
1836	if ((i == 2) && (type & SSL_kSRP))
1837	n += 1 + nr[i];
1838	else
1839	#endif
1840	n += 2 + nr[i];	1763	n += 2 + nr[i];
1841	}	1764	}
1842		1765
@@ -1862,12 +1785,6 @@ ssl3_send_server_key_exchange(SSL *s)
1862	p = &(d[4]);	1785	p = &(d[4]);
1863		1786
1864	for (i = 0; i < 4 && r[i] != NULL; i++) {	1787	for (i = 0; i < 4 && r[i] != NULL; i++) {
1865	#ifndef OPENSSL_NO_SRP
1866	if ((i == 2) && (type & SSL_kSRP)) {
1867	*p = nr[i];
1868	p++;
1869	} else
1870	#endif
1871	s2n(nr[i], p);	1788	s2n(nr[i], p);
1872	BN_bn2bin(r[i], p);	1789	BN_bn2bin(r[i], p);
1873	p += nr[i];	1790	p += nr[i];
@@ -2736,43 +2653,6 @@ ssl3_get_client_key_exchange(SSL *s)
2736	goto f_err;	2653	goto f_err;
2737	} else	2654	} else
2738	#endif	2655	#endif
2739	#ifndef OPENSSL_NO_SRP
2740	if (alg_k & SSL_kSRP) {
2741	int param_len;
2742
2743	n2s(p, i);
2744	param_len = i + 2;
2745	if (param_len > n) {
2746	al = SSL_AD_DECODE_ERROR;
2747	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2748	SSL_R_BAD_SRP_A_LENGTH);
2749	goto f_err;
2750	}
2751	if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
2752	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2753	ERR_R_BN_LIB);
2754	goto err;
2755	}
2756	if (s->session->srp_username != NULL)
2757	OPENSSL_free(s->session->srp_username);
2758	s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2759	if (s->session->srp_username == NULL) {
2760	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2761	ERR_R_MALLOC_FAILURE);
2762	goto err;
2763	}
2764
2765	if ((s->session->master_key_length =
2766	SRP_generate_server_master_secret(s,
2767	s->session->master_key)) < 0) {
2768	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2769	ERR_R_INTERNAL_ERROR);
2770	goto err;
2771	}
2772
2773	p += i;
2774	} else
2775	#endif /* OPENSSL_NO_SRP */
2776	if (alg_k & SSL_kGOST) {	2656	if (alg_k & SSL_kGOST) {
2777	int ret = 0;	2657	int ret = 0;
2778	EVP_PKEY_CTX *pkey_ctx;	2658	EVP_PKEY_CTX *pkey_ctx;
@@ -2853,9 +2733,7 @@ ssl3_get_client_key_exchange(SSL *s)
2853	return (1);	2733	return (1);
2854	f_err:	2734	f_err:
2855	ssl3_send_alert(s, SSL3_AL_FATAL, al);	2735	ssl3_send_alert(s, SSL3_AL_FATAL, al);
2856	#if !defined(OPENSSL_NO_DH) \|\| !defined(OPENSSL_NO_RSA) \|\| !defined(OPENSSL_NO_ECDH) \|\| defined(OPENSSL_NO_SRP)
2857	err:	2736	err:
2858	#endif
2859	#ifndef OPENSSL_NO_ECDH	2737	#ifndef OPENSSL_NO_ECDH
2860	EVP_PKEY_free(clnt_pub_pkey);	2738	EVP_PKEY_free(clnt_pub_pkey);
2861	EC_POINT_free(clnt_ecpoint);	2739	EC_POINT_free(clnt_ecpoint);