authortedu <>2014-04-16 17:59:17 +0000
committertedu <>2014-04-16 17:59:17 +0000
commit8cf170bf672c7d86b3903a219e445ba6138e7e95 (patch)
treefa8aa2c33679a60946ff76922a99938af26dde80 /src
parent2a02c4f91789a07715ed68ed2af2782ad52c815a (diff)
disentangle SRP code from TLS
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/s3_clnt.c106
-rw-r--r--src/lib/libssl/s3_lib.c209
-rw-r--r--src/lib/libssl/s3_srvr.c122
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c106
-rw-r--r--src/lib/libssl/src/ssl/s3_lib.c209
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c122
-rw-r--r--src/lib/libssl/src/ssl/ssl.h63
-rw-r--r--src/lib/libssl/src/ssl/ssl_asn1.c33
-rw-r--r--src/lib/libssl/src/ssl/ssl_ciph.c2
-rw-r--r--src/lib/libssl/src/ssl/ssl_lib.c6
-rw-r--r--src/lib/libssl/src/ssl/ssl_sess.c7
-rw-r--r--src/lib/libssl/src/ssl/ssl_txt.c6
-rw-r--r--src/lib/libssl/src/ssl/ssltest.c83
-rw-r--r--src/lib/libssl/src/ssl/t1_lib.c50
-rw-r--r--src/lib/libssl/src/ssl/tls_srp.c511
-rw-r--r--src/lib/libssl/ssl.h63
-rw-r--r--src/lib/libssl/ssl/Makefile4
-rw-r--r--src/lib/libssl/ssl_asn1.c33
-rw-r--r--src/lib/libssl/ssl_ciph.c2
-rw-r--r--src/lib/libssl/ssl_lib.c6
-rw-r--r--src/lib/libssl/ssl_sess.c7
-rw-r--r--src/lib/libssl/ssl_txt.c6
-rw-r--r--src/lib/libssl/t1_lib.c50
23 files changed, 2 insertions, 1804 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 88be294ab7..1589cdc21e 100644
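--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -365,15 +365,6 @@ ssl3_connect(SSL *s)
  ret = ssl3_get_server_done(s);
  if (ret <= 0)
  goto end;
-#ifndef OPENSSL_NO_SRP
- if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
- if ((ret = SRP_Calc_A_param(s)) <= 0) {
- SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- goto end;
- }
- }
-#endif
  if (s->s3->tmp.cert_req)
  s->state = SSL3_ST_CW_CERT_A;
  else
@@ -1299,76 +1290,6 @@ ssl3_get_key_exchange(SSL *s)
  n -= param_len;
  } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
- if (alg_k & SSL_kSRP) {
- n2s(p, i);
- param_len = i + 2;
- if (param_len > n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH);
- goto f_err;
- }
- if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
- p += i;
-
- n2s(p, i);
- param_len += i + 2;
- if (param_len > n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH);
- goto f_err;
- }
- if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
- p += i;
-
- i = (unsigned int)(p[0]);
- p++;
- param_len += i + 1;
- if (param_len > n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH);
- goto f_err;
- }
- if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
- p += i;
-
- n2s(p, i);
- param_len += i + 2;
- if (param_len > n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH);
- goto f_err;
- }
- if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
- p += i;
- n -= param_len;
-
-/* We must check if there is a certificate */
-#ifndef OPENSSL_NO_RSA
- if (alg_a & SSL_aRSA)
- pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-#else
- if (0)
-;
-#endif
-#ifndef OPENSSL_NO_DSA
- else if (alg_a & SSL_aDSS)
- pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
-#endif
- } else
-#endif /* !OPENSSL_NO_SRP */
 #ifndef OPENSSL_NO_RSA
  if (alg_k & SSL_kRSA) {
  if ((rsa = RSA_new()) == NULL) {
@@ -2571,33 +2492,6 @@ ssl3_send_client_key_exchange(SSL *s)
  EVP_PKEY_free(pub_key);
 
  }
-#ifndef OPENSSL_NO_SRP
- else if (alg_k & SSL_kSRP) {
- if (s->srp_ctx.A != NULL) {
- /* send off the data */
- n = BN_num_bytes(s->srp_ctx.A);
- s2n(n, p);
- BN_bn2bin(s->srp_ctx.A, p);
- n += 2;
- } else {
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- if (s->session->srp_username != NULL)
- OPENSSL_free(s->session->srp_username);
- s->session->srp_username = BUF_strdup(s->srp_ctx.login);
- if (s->session->srp_username == NULL) {
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if ((s->session->master_key_length = SRP_generate_client_master_secret(s, s->session->master_key)) < 0) {
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-#endif
 #ifndef OPENSSL_NO_PSK
  else if (alg_k & SSL_kPSK) {
  char identity[PSK_MAX_IDENTITY_LEN];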
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 68a4b8ca2d..f56dbe26d7 100644
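--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -2419,151 +2419,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  },
 #endif /* OPENSSL_NO_ECDH */
 
-#ifndef OPENSSL_NO_SRP
- /* Cipher C01A */
- {
- 1,
- TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
- TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
- SSL_kSRP,
- SSL_aNULL,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
- 168,
- },
-
- /* Cipher C01B */
- {
- 1,
- TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_kSRP,
- SSL_aRSA,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
- 168,
- },
-
- /* Cipher C01C */
- {
- 1,
- TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
- TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_kSRP,
- SSL_aDSS,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
- 168,
- },
-
- /* Cipher C01D */
- {
- 1,
- TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
- TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
- SSL_kSRP,
- SSL_aNULL,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher C01E */
- {
- 1,
- TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
- SSL_kSRP,
- SSL_aRSA,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher C01F */
- {
- 1,
- TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
- TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
- SSL_kSRP,
- SSL_aDSS,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher C020 */
- {
- 1,
- TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
- TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
- SSL_kSRP,
- SSL_aNULL,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
- /* Cipher C021 */
- {
- 1,
- TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
- SSL_kSRP,
- SSL_aRSA,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
- /* Cipher C022 */
- {
- 1,
- TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
- TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
- SSL_kSRP,
- SSL_aDSS,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-#endif /* OPENSSL_NO_SRP */
 #ifndef OPENSSL_NO_ECDH
 
  /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
@@ -2953,9 +2808,6 @@ ssl3_new(SSL *s)
 
  s->s3 = s3;
 
-#ifndef OPENSSL_NO_SRP
- SSL_SRP_CTX_init(s);
-#endif
  s->method->ssl_clear(s);
  return (1);
 err:
@@ -2998,9 +2850,6 @@ ssl3_free(SSL *s)
  }
  if (s->s3->handshake_dgst)
  ssl3_free_digest_list(s);
-#ifndef OPENSSL_NO_SRP
- SSL_SRP_CTX_free(s);
-#endif
  OPENSSL_cleanse(s->s3, sizeof *s->s3);
  OPENSSL_free(s->s3);
  s->s3 = NULL;
@@ -3085,13 +2934,6 @@ ssl3_clear(SSL *s)
 #endif
 }
 
-#ifndef OPENSSL_NO_SRP
-static char *
-srp_password_from_info_cb(SSL *s, void *arg)
-{
- return BUF_strdup(s->srp_ctx.info);
-}
-#endif
 
 long
 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
@@ -3533,36 +3375,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
  return 1;
  break;
 
-#ifndef OPENSSL_NO_SRP
- case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- if (ctx->srp_ctx.login != NULL)
- OPENSSL_free(ctx->srp_ctx.login);
- ctx->srp_ctx.login = NULL;
- if (parg == NULL)
- break;
- if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1) {
- SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
- return 0;
- }
- if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) {
- SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- break;
- case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
- ctx->srp_ctx.SRP_give_srp_client_pwd_callback = srp_password_from_info_cb;
- ctx->srp_ctx.info = parg;
- break;
- case SSL_CTRL_SET_SRP_ARG:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- ctx->srp_ctx.SRP_cb_arg = parg;
- break;
-
- case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
- ctx->srp_ctx.strength = larg;
- break;
-#endif
 #endif /* !OPENSSL_NO_TLSEXT */
 
  /* A Thawte special :-) */
@@ -3640,23 +3452,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
  unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
  break;
 
-#ifndef OPENSSL_NO_SRP
- case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- ctx->srp_ctx.SRP_verify_param_callback =
- (int (*)(SSL *, void *))fp;
- break;
- case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- ctx->srp_ctx.TLS_ext_srp_username_callback =
- (int (*)(SSL *, int *, void *))fp;
- break;
- case SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
- (char *(*)(SSL *, void *))fp;
- break;
-#endif
 #endif
  default:
  return (0);
@@ -3762,10 +3557,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  mask_a = cert->mask_a;
  emask_k = cert->export_mask_k;
  emask_a = cert->export_mask_a;
-#ifndef OPENSSL_NO_SRP
- mask_k = cert->mask_k | s->srp_ctx.srp_Mask;
- emask_k = cert->export_mask_k | s->srp_ctx.srp_Mask;
-#endif
 
 #ifdef KSSL_DEBUG
 /* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/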
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index f532e254f9..93510cb58a 100644
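--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -180,28 +180,6 @@ static const SSL_METHOD
  return (NULL);
 }
 
-#ifndef OPENSSL_NO_SRP
-static int
-ssl_check_srp_ext_ClientHello(SSL *s, int *al)
-{
- int ret = SSL_ERROR_NONE;
-
- *al = SSL_AD_UNRECOGNIZED_NAME;
-
- if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
- (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
- if (s->srp_ctx.login == NULL) {
- /* RFC 5054 says SHOULD reject,
- we do so if There is no srp login name */
- ret = SSL3_AL_FATAL;
- *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
- } else {
- ret = SSL_srp_server_param_with_username(s, al);
- }
- }
- return ret;
-}
-#endif
 
 IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
  ssl3_accept, ssl_undefined_function, ssl3_get_server_method)
@@ -341,39 +319,6 @@ ssl3_accept(SSL *s)
  if (ret <= 0)
  goto end;
  }
-#ifndef OPENSSL_NO_SRP
- {
- int al;
- if ((ret =
- ssl_check_srp_ext_ClientHello(s, &al))
- < 0) {
- /*
- * Callback indicates further work to
- * be done.
- */
- s->rwstate = SSL_X509_LOOKUP;
- goto end;
- }
- if (ret != SSL_ERROR_NONE) {
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
-
- /*
- * This is not really an error but the
- * only means for a client to detect
- * whether srp is supported.
- */
- if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
- SSLerr(SSL_F_SSL3_ACCEPT,
- SSL_R_CLIENTHELLO_TLSEXT);
-
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-
- ret = -1;
- goto end;
-
- }
- }
-#endif
 
  s->renegotiate = 2;
  s->state = SSL3_ST_SW_SRVR_HELLO_A;
@@ -472,10 +417,6 @@ ssl3_accept(SSL *s)
 #ifndef OPENSSL_NO_PSK
  || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
 #endif
-#ifndef OPENSSL_NO_SRP
- /* SRP: send ServerKeyExchange */
- || (alg_k & SSL_kSRP)
-#endif
  || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
  || (alg_k & SSL_kEECDH)
  || ((alg_k & SSL_kRSA)
@@ -1812,19 +1753,6 @@ ssl3_send_server_key_exchange(SSL *s)
  n += 2 + pskhintlen;
  } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
- if (type & SSL_kSRP) {
- if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
- (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
- SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_SRP_PARAM);
- goto err;
- }
- r[0] = s->srp_ctx.N;
- r[1] = s->srp_ctx.g;
- r[2] = s->srp_ctx.s;
- r[3] = s->srp_ctx.B;
- } else
-#endif
  {
  al = SSL_AD_HANDSHAKE_FAILURE;
  SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
@@ -1832,11 +1760,6 @@ ssl3_send_server_key_exchange(SSL *s)
  }
  for (i = 0; i < 4 && r[i] != NULL; i++) {
  nr[i] = BN_num_bytes(r[i]);
-#ifndef OPENSSL_NO_SRP
- if ((i == 2) && (type & SSL_kSRP))
- n += 1 + nr[i];
- else
-#endif
  n += 2 + nr[i];
  }
 
@@ -1862,12 +1785,6 @@ ssl3_send_server_key_exchange(SSL *s)
  p = &(d[4]);
 
  for (i = 0; i < 4 && r[i] != NULL; i++) {
-#ifndef OPENSSL_NO_SRP
- if ((i == 2) && (type & SSL_kSRP)) {
- *p = nr[i];
- p++;
- } else
-#endif
  s2n(nr[i], p);
  BN_bn2bin(r[i], p);
  p += nr[i];
@@ -2736,43 +2653,6 @@ ssl3_get_client_key_exchange(SSL *s)
  goto f_err;
  } else
 #endif
-#ifndef OPENSSL_NO_SRP
- if (alg_k & SSL_kSRP) {
- int param_len;
-
- n2s(p, i);
- param_len = i + 2;
- if (param_len > n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
- SSL_R_BAD_SRP_A_LENGTH);
- goto f_err;
- }
- if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
- ERR_R_BN_LIB);
- goto err;
- }
- if (s->session->srp_username != NULL)
- OPENSSL_free(s->session->srp_username);
- s->session->srp_username = BUF_strdup(s->srp_ctx.login);
- if (s->session->srp_username == NULL) {
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if ((s->session->master_key_length =
- SRP_generate_server_master_secret(s,
- s->session->master_key)) < 0) {
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- p += i;
- } else
-#endif /* OPENSSL_NO_SRP */
  if (alg_k & SSL_kGOST) {
  int ret = 0;
  EVP_PKEY_CTX *pkey_ctx;
@@ -2853,9 +2733,7 @@ ssl3_get_client_key_exchange(SSL *s)
  return (1);
 f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
 err:
-#endif
 #ifndef OPENSSL_NO_ECDH
  EVP_PKEY_free(clnt_pub_pkey);
  EC_POINT_free(clnt_ecpoint);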
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 88be294ab7..1589cdc21e 100644
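--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -365,15 +365,6 @@ ssl3_connect(SSL *s)
  ret = ssl3_get_server_done(s);
  if (ret <= 0)
  goto end;
-#ifndef OPENSSL_NO_SRP
- if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
- if ((ret = SRP_Calc_A_param(s)) <= 0) {
- SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- goto end;
- }
- }
-#endif
  if (s->s3->tmp.cert_req)
  s->state = SSL3_ST_CW_CERT_A;
  else
@@ -1299,76 +1290,6 @@ ssl3_get_key_exchange(SSL *s)
  n -= param_len;
  } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
- if (alg_k & SSL_kSRP) {
- n2s(p, i);
- param_len = i + 2;
- if (param_len > n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH);
- goto f_err;
- }
- if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
- p += i;
-
- n2s(p, i);
- param_len += i + 2;
- if (param_len > n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH);
- goto f_err;
- }
- if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
- p += i;
-
- i = (unsigned int)(p[0]);
- p++;
- param_len += i + 1;
- if (param_len > n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH);
- goto f_err;
- }
- if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
- p += i;
-
- n2s(p, i);
- param_len += i + 2;
- if (param_len > n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH);
- goto f_err;
- }
- if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
- p += i;
- n -= param_len;
-
-/* We must check if there is a certificate */
-#ifndef OPENSSL_NO_RSA
- if (alg_a & SSL_aRSA)
- pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-#else
- if (0)
-;
-#endif
-#ifndef OPENSSL_NO_DSA
- else if (alg_a & SSL_aDSS)
- pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
-#endif
- } else
-#endif /* !OPENSSL_NO_SRP */
 #ifndef OPENSSL_NO_RSA
  if (alg_k & SSL_kRSA) {
  if ((rsa = RSA_new()) == NULL) {
@@ -2571,33 +2492,6 @@ ssl3_send_client_key_exchange(SSL *s)
  EVP_PKEY_free(pub_key);
 
  }
-#ifndef OPENSSL_NO_SRP
- else if (alg_k & SSL_kSRP) {
- if (s->srp_ctx.A != NULL) {
- /* send off the data */
- n = BN_num_bytes(s->srp_ctx.A);
- s2n(n, p);
- BN_bn2bin(s->srp_ctx.A, p);
- n += 2;
- } else {
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- if (s->session->srp_username != NULL)
- OPENSSL_free(s->session->srp_username);
- s->session->srp_username = BUF_strdup(s->srp_ctx.login);
- if (s->session->srp_username == NULL) {
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if ((s->session->master_key_length = SRP_generate_client_master_secret(s, s->session->master_key)) < 0) {
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-#endif
 #ifndef OPENSSL_NO_PSK
  else if (alg_k & SSL_kPSK) {
  char identity[PSK_MAX_IDENTITY_LEN];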
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 68a4b8ca2d..f56dbe26d7 100644
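--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -2419,151 +2419,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  },
 #endif /* OPENSSL_NO_ECDH */
 
-#ifndef OPENSSL_NO_SRP
- /* Cipher C01A */
- {
- 1,
- TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
- TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
- SSL_kSRP,
- SSL_aNULL,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
- 168,
- },
-
- /* Cipher C01B */
- {
- 1,
- TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_kSRP,
- SSL_aRSA,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
- 168,
- },
-
- /* Cipher C01C */
- {
- 1,
- TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
- TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_kSRP,
- SSL_aDSS,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
- 168,
- },
-
- /* Cipher C01D */
- {
- 1,
- TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
- TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
- SSL_kSRP,
- SSL_aNULL,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher C01E */
- {
- 1,
- TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
- SSL_kSRP,
- SSL_aRSA,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher C01F */
- {
- 1,
- TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
- TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
- SSL_kSRP,
- SSL_aDSS,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 128,
- 128,
- },
-
- /* Cipher C020 */
- {
- 1,
- TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
- TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
- SSL_kSRP,
- SSL_aNULL,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
- /* Cipher C021 */
- {
- 1,
- TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
- SSL_kSRP,
- SSL_aRSA,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-
- /* Cipher C022 */
- {
- 1,
- TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
- TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
- SSL_kSRP,
- SSL_aDSS,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
- SSL_NOT_EXP|SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 256,
- 256,
- },
-#endif /* OPENSSL_NO_SRP */
 #ifndef OPENSSL_NO_ECDH
 
  /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
@@ -2953,9 +2808,6 @@ ssl3_new(SSL *s)
 
  s->s3 = s3;
 
-#ifndef OPENSSL_NO_SRP
- SSL_SRP_CTX_init(s);
-#endif
  s->method->ssl_clear(s);
  return (1);
 err:
@@ -2998,9 +2850,6 @@ ssl3_free(SSL *s)
  }
  if (s->s3->handshake_dgst)
  ssl3_free_digest_list(s);
-#ifndef OPENSSL_NO_SRP
- SSL_SRP_CTX_free(s);
-#endif
  OPENSSL_cleanse(s->s3, sizeof *s->s3);
  OPENSSL_free(s->s3);
  s->s3 = NULL;
@@ -3085,13 +2934,6 @@ ssl3_clear(SSL *s)
 #endif
 }
 
-#ifndef OPENSSL_NO_SRP
-static char *
-srp_password_from_info_cb(SSL *s, void *arg)
-{
- return BUF_strdup(s->srp_ctx.info);
-}
-#endif
 
 long
 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
@@ -3533,36 +3375,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
  return 1;
  break;
 
-#ifndef OPENSSL_NO_SRP
- case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- if (ctx->srp_ctx.login != NULL)
- OPENSSL_free(ctx->srp_ctx.login);
- ctx->srp_ctx.login = NULL;
- if (parg == NULL)
- break;
- if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1) {
- SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
- return 0;
- }
- if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) {
- SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- break;
- case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
- ctx->srp_ctx.SRP_give_srp_client_pwd_callback = srp_password_from_info_cb;
- ctx->srp_ctx.info = parg;
- break;
- case SSL_CTRL_SET_SRP_ARG:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- ctx->srp_ctx.SRP_cb_arg = parg;
- break;
-
- case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
- ctx->srp_ctx.strength = larg;
- break;
-#endif
 #endif /* !OPENSSL_NO_TLSEXT */
 
  /* A Thawte special :-) */
@@ -3640,23 +3452,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
  unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
  break;
 
-#ifndef OPENSSL_NO_SRP
- case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- ctx->srp_ctx.SRP_verify_param_callback =
- (int (*)(SSL *, void *))fp;
- break;
- case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- ctx->srp_ctx.TLS_ext_srp_username_callback =
- (int (*)(SSL *, int *, void *))fp;
- break;
- case SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB:
- ctx->srp_ctx.srp_Mask|=SSL_kSRP;
- ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
- (char *(*)(SSL *, void *))fp;
- break;
-#endif
 #endif
  default:
  return (0);
@@ -3762,10 +3557,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
  mask_a = cert->mask_a;
  emask_k = cert->export_mask_k;
  emask_a = cert->export_mask_a;
-#ifndef OPENSSL_NO_SRP
- mask_k = cert->mask_k | s->srp_ctx.srp_Mask;
- emask_k = cert->export_mask_k | s->srp_ctx.srp_Mask;
-#endif
 
 #ifdef KSSL_DEBUG
 /* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/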
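--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -180,28 +180,6 @@ static const SSL_METHOD
  return (NULL);
 }
 
-#ifndef OPENSSL_NO_SRP
-static int
-ssl_check_srp_ext_ClientHello(SSL *s, int *al)
-{
- int ret = SSL_ERROR_NONE;
-
- *al = SSL_AD_UNRECOGNIZED_NAME;
-
- if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
- (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
- if (s->srp_ctx.login == NULL) {
- /* RFC 5054 says SHOULD reject,
- we do so if There is no srp login name */
- ret = SSL3_AL_FATAL;
- *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
- } else {
- ret = SSL_srp_server_param_with_username(s, al);
- }
- }
- return ret;
-}
-#endif
 
 IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
  ssl3_accept, ssl_undefined_function, ssl3_get_server_method)
@@ -341,39 +319,6 @@ ssl3_accept(SSL *s)
  if (ret <= 0)
  goto end;
  }
-#ifndef OPENSSL_NO_SRP
- {
- int al;
- if ((ret =
- ssl_check_srp_ext_ClientHello(s, &al))
- < 0) {
- /*
- * Callback indicates further work to
- * be done.
- */
- s->rwstate = SSL_X509_LOOKUP;
- goto end;
- }
- if (ret != SSL_ERROR_NONE) {
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
-
- /*
- * This is not really an error but the
- * only means for a client to detect
- * whether srp is supported.
- */
- if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
- SSLerr(SSL_F_SSL3_ACCEPT,
- SSL_R_CLIENTHELLO_TLSEXT);
-
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-
- ret = -1;
- goto end;
-
- }
- }
-#endif
 
  s->renegotiate = 2;
  s->state = SSL3_ST_SW_SRVR_HELLO_A;
@@ -472,10 +417,6 @@ ssl3_accept(SSL *s)
 #ifndef OPENSSL_NO_PSK
  || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
 #endif
-#ifndef OPENSSL_NO_SRP
- /* SRP: send ServerKeyExchange */
- || (alg_k & SSL_kSRP)
-#endif
  || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
  || (alg_k & SSL_kEECDH)
  || ((alg_k & SSL_kRSA)
@@ -1812,19 +1753,6 @@ ssl3_send_server_key_exchange(SSL *s)
  n += 2 + pskhintlen;
  } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
- if (type & SSL_kSRP) {
- if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
- (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
- SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_MISSING_SRP_PARAM);
- goto err;
- }
- r[0] = s->srp_ctx.N;
- r[1] = s->srp_ctx.g;
- r[2] = s->srp_ctx.s;
- r[3] = s->srp_ctx.B;
- } else
-#endif
  {
  al = SSL_AD_HANDSHAKE_FAILURE;
  SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
@@ -1832,11 +1760,6 @@ ssl3_send_server_key_exchange(SSL *s)
  }
  for (i = 0; i < 4 && r[i] != NULL; i++) {
  nr[i] = BN_num_bytes(r[i]);
-#ifndef OPENSSL_NO_SRP
- if ((i == 2) && (type & SSL_kSRP))
- n += 1 + nr[i];
- else
-#endif
  n += 2 + nr[i];
  }
 
@@ -1862,12 +1785,6 @@ ssl3_send_server_key_exchange(SSL *s)
  p = &(d[4]);
 
  for (i = 0; i < 4 && r[i] != NULL; i++) {
-#ifndef OPENSSL_NO_SRP
- if ((i == 2) && (type & SSL_kSRP)) {
- *p = nr[i];
- p++;
- } else
-#endif
  s2n(nr[i], p);
  BN_bn2bin(r[i], p);
  p += nr[i];
@@ -2736,43 +2653,6 @@ ssl3_get_client_key_exchange(SSL *s)
  goto f_err;
  } else
 #endif
-#ifndef OPENSSL_NO_SRP
- if (alg_k & SSL_kSRP) {
- int param_len;
-
- n2s(p, i);
- param_len = i + 2;
- if (param_len > n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
- SSL_R_BAD_SRP_A_LENGTH);
- goto f_err;
- }
- if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
- ERR_R_BN_LIB);
- goto err;
- }
- if (s->session->srp_username != NULL)
- OPENSSL_free(s->session->srp_username);
- s->session->srp_username = BUF_strdup(s->srp_ctx.login);
- if (s->session->srp_username == NULL) {
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- if ((s->session->master_key_length =
- SRP_generate_server_master_secret(s,
- s->session->master_key)) < 0) {
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- p += i;
- } else
-#endif /* OPENSSL_NO_SRP */
  if (alg_k & SSL_kGOST) {
  int ret = 0;
  EVP_PKEY_CTX *pkey_ctx;
@@ -2853,9 +2733,7 @@ ssl3_get_client_key_exchange(SSL *s)
  return (1);
 f_err:
  ssl3_send_alert(s, SSL3_AL_FATAL, al);
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
 err:
-#endif
 #ifndef OPENSSL_NO_ECDH
  EVP_PKEY_free(clnt_pub_pkey);
  EC_POINT_free(clnt_ecpoint);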
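--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -533,9 +533,6 @@ struct ssl_session_st {
  size_t tlsext_ticklen; /* Session ticket length */
  long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
 #endif
-#ifndef OPENSSL_NO_SRP
- char *srp_username;
-#endif
 };
 
 #endif
@@ -685,42 +682,6 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
 #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 
-#ifndef OPENSSL_NO_SRP
-
-#ifndef OPENSSL_NO_SSL_INTERN
-
-typedef struct srp_ctx_st {
- /* param for all the callbacks */
- void *SRP_cb_arg;
- /* set client Hello login callback */
- int (*TLS_ext_srp_username_callback)(SSL *, int *, void *);
- /* set SRP N/g param callback for verification */
- int (*SRP_verify_param_callback)(SSL *, void *);
- /* set SRP client passwd callback */
- char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
-
- char *login;
- BIGNUM *N, *g, *s, *B, *A;
- BIGNUM *a, *b, *v;
- char *info;
- int strength;
-
- unsigned long srp_Mask;
-} SRP_CTX;
-
-#endif
-
-/* see tls_srp.c */
-int SSL_SRP_CTX_init(SSL *s);
-int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
-int SSL_SRP_CTX_free(SSL *ctx);
-int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
-int SSL_srp_server_param_with_username(SSL *s, int *ad);
-int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key);
-int SRP_Calc_A_param(SSL *s);
-int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key);
-
-#endif
 
 #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
 
@@ -942,9 +903,6 @@ struct ssl_ctx_st {
  struct ssl3_buf_freelist_st *wbuf_freelist;
  struct ssl3_buf_freelist_st *rbuf_freelist;
 #endif
-#ifndef OPENSSL_NO_SRP
- SRP_CTX srp_ctx; /* ctx for SRP authentication */
-#endif
 
 #ifndef OPENSSL_NO_TLSEXT
 
@@ -1348,9 +1306,6 @@ struct ssl_st {
  * 2 if we are a server and are inside a handshake
  * (i.e. not just sending a HelloRequest) */
 
-#ifndef OPENSSL_NO_SRP
- SRP_CTX srp_ctx; /* ctx for SRP authentication */
-#endif
 };
 
 #endif
@@ -1799,24 +1754,6 @@ int SSL_set_trust(SSL *s, int trust);
 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
 
-#ifndef OPENSSL_NO_SRP
-int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
-int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
-int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
-int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, char *(*cb)(SSL *, void *));
-int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, int (*cb)(SSL *, void *));
-int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx, int (*cb)(SSL *, int *, void *));
-int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
-
-int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, BIGNUM *sa, BIGNUM *v, char *info);
-int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, const char *grp);
-
-BIGNUM *SSL_get_srp_g(SSL *s);
-BIGNUM *SSL_get_srp_N(SSL *s);
-
-char *SSL_get_srp_username(SSL *s);
-char *SSL_get_srp_userinfo(SSL *s);
-#endif
 
 void SSL_free(SSL *ssl);
 int SSL_accept(SSL *ssl);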
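--- a/src/lib/libssl/src/ssl/ssl_asn1.c
+++ b/src/lib/libssl/src/ssl/ssl_asn1.c
@@ -113,9 +113,6 @@ typedef struct ssl_session_asn1_st {
  ASN1_OCTET_STRING psk_identity_hint;
  ASN1_OCTET_STRING psk_identity;
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
- ASN1_OCTET_STRING srp_username;
-#endif /* OPENSSL_NO_SRP */
 } SSL_SESSION_ASN1;
 
 int
@@ -133,9 +130,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
  unsigned char cbuf;
  int v11 = 0;
 #endif
-#ifndef OPENSSL_NO_SRP
- int v12 = 0;
-#endif
  long l;
  SSL_SESSION_ASN1 a;
  M_ASN1_I2D_vars(in);
@@ -253,13 +247,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
  a.psk_identity.data = (unsigned char *)(in->psk_identity);
  }
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
- if (in->srp_username) {
- a.srp_username.length = strlen(in->srp_username);
- a.srp_username.type = V_ASN1_OCTET_STRING;
- a.srp_username.data = (unsigned char *)(in->srp_username);
- }
-#endif /* OPENSSL_NO_SRP */
 
  M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
  M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
@@ -300,10 +287,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
  if (in->psk_identity)
  M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, v8);
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
- if (in->srp_username)
- M_ASN1_I2D_len_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING, 12, v12);
-#endif /* OPENSSL_NO_SRP */
 
  M_ASN1_I2D_seq_total();
 
@@ -348,10 +331,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
  if (in->compress_meth)
  M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11);
 #endif
-#ifndef OPENSSL_NO_SRP
- if (in->srp_username)
- M_ASN1_I2D_put_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING, 12, v12);
-#endif /* OPENSSL_NO_SRP */
  M_ASN1_I2D_finish();
 }
 
@@ -580,18 +559,6 @@ long length)
  }
 #endif
 
-#ifndef OPENSSL_NO_SRP
- os.length = 0;
- os.data = NULL;
- M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 12);
- if (os.data) {
- ret->srp_username = BUF_strndup((char *)os.data, os.length);
- OPENSSL_free(os.data);
- os.data = NULL;
- os.length = 0;
- } else
- ret->srp_username = NULL;
-#endif /* OPENSSL_NO_SRP */
 
  M_ASN1_D2I_Finish(a, SSL_SESSION_free, SSL_F_D2I_SSL_SESSION);
 }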
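--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -724,9 +724,7 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
  *mkey |= SSL_kPSK;
  *auth |= SSL_aPSK;
 #endif
-#ifdef OPENSSL_NO_SRP
  *mkey |= SSL_kSRP;
-#endif
  /* Check for presence of GOST 34.10 algorithms, and if they
  * do not present, disable appropriate auth and key exchange */
  if (!get_optional_pkey_id("gost94")) {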
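Review bot: The now-unconditional `*mkey |= SSL_kSRP;` in ssl_cipher_get_disabled has no comment saying why it is no longer guarded, and it is presumably the only thing that keeps SRP key exchange from being offered or selected once the handshake code elsewhere in this commit is gone. A one-line comment above it, for example `/* SRP key exchange is not implemented; always mask it out */`, would keep a later cleanup from re-wrapping the line in a feature guard or dropping it as dead. ssl_cipher_get_disabled starts and ends outside this hunk, so whether the SRP entries in the cipher table are removed as well cannot be confirmed from here.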
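--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1823,9 +1823,6 @@ SSL_CTX
  ret->psk_client_callback = NULL;
  ret->psk_server_callback = NULL;
 #endif
-#ifndef OPENSSL_NO_SRP
- SSL_CTX_SRP_CTX_init(ret);
-#endif
 #ifndef OPENSSL_NO_BUF_FREELISTS
  ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
  ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -1965,9 +1962,6 @@ SSL_CTX_free(SSL_CTX *a)
  if (a->psk_identity_hint)
  OPENSSL_free(a->psk_identity_hint);
 #endif
-#ifndef OPENSSL_NO_SRP
- SSL_CTX_SRP_CTX_free(a);
-#endif
 #ifndef OPENSSL_NO_ENGINE
  if (a->client_cert_engine)
  ENGINE_finish(a->client_cert_engine);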
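--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -224,9 +224,6 @@ SSL_SESSION
  ss->psk_identity_hint = NULL;
  ss->psk_identity = NULL;
 #endif
-#ifndef OPENSSL_NO_SRP
- ss->srp_username = NULL;
-#endif
  return (ss);
 }
 
@@ -737,10 +734,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
  if (ss->psk_identity != NULL)
  OPENSSL_free(ss->psk_identity);
 #endif
-#ifndef OPENSSL_NO_SRP
- if (ss->srp_username != NULL)
- OPENSSL_free(ss->srp_username);
-#endif
  OPENSSL_cleanse(ss, sizeof(*ss));
  OPENSSL_free(ss);
 }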
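--- a/src/lib/libssl/src/ssl/ssl_txt.c
+++ b/src/lib/libssl/src/ssl/ssl_txt.c
@@ -193,12 +193,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
  if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None")
  <= 0) goto err;
 #endif
-#ifndef OPENSSL_NO_SRP
- if (BIO_puts(bp, "\n SRP username: ")
- <= 0) goto err;
- if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None")
- <= 0) goto err;
-#endif
 #ifndef OPENSSL_NO_TLSEXT
  if (x->tlsext_tick_lifetime_hint) {
  if (BIO_printf(bp,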
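--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -182,9 +182,6 @@
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
-#ifndef OPENSSL_NO_SRP
-#include <openssl/srp.h>
-#endif
 #include <openssl/bn.h>
 
 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
@@ -234,46 +231,6 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity,
  unsigned char *psk, unsigned int max_psk_len);
 #endif
 
-#ifndef OPENSSL_NO_SRP
-/* SRP client */
-/* This is a context that we pass to all callbacks */
-typedef struct srp_client_arg_st {
- char *srppassin;
- char *srplogin;
-} SRP_CLIENT_ARG;
-
-#define PWD_STRLEN 1024
-
-static char *
-ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
-{
- SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
- return BUF_strdup((char *)srp_client_arg->srppassin);
-}
-
-/* SRP server */
-/* This is a context that we pass to SRP server callbacks */
-typedef struct srp_server_arg_st {
- char *expected_user;
- char *pass;
-} SRP_SERVER_ARG;
-
-static int
-ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
-{
- SRP_SERVER_ARG *p = (SRP_SERVER_ARG *) arg;
-
- if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) {
- fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
- return SSL3_AL_FATAL;
- }
- if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) {
- *ad = SSL_AD_INTERNAL_ERROR;
- return SSL3_AL_FATAL;
- }
- return SSL_ERROR_NONE;
-}
-#endif
 
 static BIO *bio_err = NULL;
 static BIO *bio_stdout = NULL;
@@ -320,10 +277,6 @@ sv_usage(void)
 #ifndef OPENSSL_NO_PSK
  fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n");
 #endif
-#ifndef OPENSSL_NO_SRP
- fprintf(stderr, " -srpuser user - SRP username to use\n");
- fprintf(stderr, " -srppass arg - password for 'user'\n");
-#endif
  fprintf(stderr, " -ssl3 - use SSLv3\n");
  fprintf(stderr, " -tls1 - use TLSv1\n");
  fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
@@ -499,12 +452,6 @@ main(int argc, char *argv[])
 #ifndef OPENSSL_NO_ECDH
  EC_KEY *ecdh = NULL;
 #endif
-#ifndef OPENSSL_NO_SRP
- /* client */
- SRP_CLIENT_ARG srp_client_arg = {NULL, NULL};
- /* server */
- SRP_SERVER_ARG srp_server_arg = {NULL, NULL};
-#endif
  int no_dhe = 0;
  int no_ecdhe = 0;
  int no_psk = 0;
@@ -594,19 +541,6 @@ main(int argc, char *argv[])
  no_psk = 1;
 #endif
  }
-#ifndef OPENSSL_NO_SRP
- else if (strcmp(*argv, "-srpuser") == 0) {
- if (--argc < 1)
- goto bad;
- srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
- tls1 = 1;
- } else if (strcmp(*argv, "-srppass") == 0) {
- if (--argc < 1)
- goto bad;
- srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
- tls1 = 1;
- }
-#endif
  else if (strcmp(*argv, "-ssl2") == 0)
  ssl2 = 1;
  else if (strcmp(*argv, "-tls1") == 0)
@@ -914,23 +848,6 @@ bad:
  }
 #endif
  }
-#ifndef OPENSSL_NO_SRP
- if (srp_client_arg.srplogin) {
- if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) {
- BIO_printf(bio_err, "Unable to set SRP username\n");
- goto end;
- }
- SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg);
- SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
- /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
- }
-
- if (srp_server_arg.expected_user != NULL) {
- SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback);
- SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
- SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
- }
-#endif
 
  c_ssl = SSL_new(c_ctx);
  s_ssl = SSL_new(s_ctx);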
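--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -427,35 +427,6 @@ unsigned char
  ret += el;
  }
 
-#ifndef OPENSSL_NO_SRP
- /* Add SRP username if there is one */
- if (s->srp_ctx.login != NULL)
- { /* Add TLS extension SRP username to the Client Hello message */
-
- int login_len = strlen(s->srp_ctx.login);
-
- if (login_len > 255 || login_len == 0) {
- SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
- return NULL;
- }
-
- /* check for enough space.
- 4 for the srp type type and entension length
- 1 for the srp user identity
- + srp user identity length
- */
- if ((limit - ret - 5 - login_len)
- < 0) return NULL;
-
-
- /* fill in the extension */
- s2n(TLSEXT_TYPE_srp, ret);
- s2n(login_len + 1, ret);
- (*ret++) = (unsigned char) login_len;
- memcpy(ret, s->srp_ctx.login, login_len);
- ret += login_len;
- }
-#endif
 
 #ifndef OPENSSL_NO_EC
  if (s->tlsext_ecpointformatlist != NULL &&
@@ -1071,27 +1042,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
  }
 
  }
-#ifndef OPENSSL_NO_SRP
- else if (type == TLSEXT_TYPE_srp) {
- if (size <= 0 || ((len = data[0])) != (size - 1)) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
- if (s->srp_ctx.login != NULL) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
- if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
- return -1;
- memcpy(s->srp_ctx.login, &data[1], len);
- s->srp_ctx.login[len] = '\0';
-
- if (strlen(s->srp_ctx.login) != len) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
- }
-#endif
 
 #ifndef OPENSSL_NO_EC
  else if (type == TLSEXT_TYPE_ec_point_formats &&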
diff --git a/src/lib/libssl/src/ssl/tls_srp.c b/src/lib/libssl/src/ssl/tls_srp.c
deleted file mode 100644
index 25ab73af9d..0000000000
--- a/src/lib/libssl/src/ssl/tls_srp.c
+++ /dev/null
@@ -1,511 +0,0 @@
1/* ssl/tls_srp.c */
2/* Written by Christophe Renou (christophe.renou@edelweb.fr) with
3 * the precious help of Peter Sylvester (peter.sylvester@edelweb.fr)
4 * for the EdelKey project and contributed to the OpenSSL project 2004.
5 */
6/* ====================================================================
7 * Copyright (c) 2004-2011 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59#include "ssl_locl.h"
60#ifndef OPENSSL_NO_SRP
61
62#include <openssl/rand.h>
63#include <openssl/srp.h>
64#include <openssl/err.h>
65
66int
67SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx) {
68 if (ctx == NULL)
69 return 0;
70 OPENSSL_free(ctx->srp_ctx.login);
71 BN_free(ctx->srp_ctx.N);
72 BN_free(ctx->srp_ctx.g);
73 BN_free(ctx->srp_ctx.s);
74 BN_free(ctx->srp_ctx.B);
75 BN_free(ctx->srp_ctx.A);
76 BN_free(ctx->srp_ctx.a);
77 BN_free(ctx->srp_ctx.b);
78 BN_free(ctx->srp_ctx.v);
79 ctx->srp_ctx.TLS_ext_srp_username_callback = NULL;
80 ctx->srp_ctx.SRP_cb_arg = NULL;
81 ctx->srp_ctx.SRP_verify_param_callback = NULL;
82 ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
83 ctx->srp_ctx.N = NULL;
84 ctx->srp_ctx.g = NULL;
85 ctx->srp_ctx.s = NULL;
86 ctx->srp_ctx.B = NULL;
87 ctx->srp_ctx.A = NULL;
88 ctx->srp_ctx.a = NULL;
89 ctx->srp_ctx.b = NULL;
90 ctx->srp_ctx.v = NULL;
91 ctx->srp_ctx.login = NULL;
92 ctx->srp_ctx.info = NULL;
93 ctx->srp_ctx.strength = SRP_MINIMAL_N;
94 ctx->srp_ctx.srp_Mask = 0;
95 return (1);
96}
97
98int
99SSL_SRP_CTX_free(struct ssl_st *s) {
100 if (s == NULL)
101 return 0;
102 OPENSSL_free(s->srp_ctx.login);
103 BN_free(s->srp_ctx.N);
104 BN_free(s->srp_ctx.g);
105 BN_free(s->srp_ctx.s);
106 BN_free(s->srp_ctx.B);
107 BN_free(s->srp_ctx.A);
108 BN_free(s->srp_ctx.a);
109 BN_free(s->srp_ctx.b);
110 BN_free(s->srp_ctx.v);
111 s->srp_ctx.TLS_ext_srp_username_callback = NULL;
112 s->srp_ctx.SRP_cb_arg = NULL;
113 s->srp_ctx.SRP_verify_param_callback = NULL;
114 s->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
115 s->srp_ctx.N = NULL;
116 s->srp_ctx.g = NULL;
117 s->srp_ctx.s = NULL;
118 s->srp_ctx.B = NULL;
119 s->srp_ctx.A = NULL;
120 s->srp_ctx.a = NULL;
121 s->srp_ctx.b = NULL;
122 s->srp_ctx.v = NULL;
123 s->srp_ctx.login = NULL;
124 s->srp_ctx.info = NULL;
125 s->srp_ctx.strength = SRP_MINIMAL_N;
126 s->srp_ctx.srp_Mask = 0;
127 return (1);
128}
129
130int
131SSL_SRP_CTX_init(struct ssl_st *s) {
132 SSL_CTX *ctx;
133
134 if ((s == NULL) || ((ctx = s->ctx) == NULL))
135 return 0;
136 s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
137 /* set client Hello login callback */
138 s->srp_ctx.TLS_ext_srp_username_callback = ctx->srp_ctx.TLS_ext_srp_username_callback;
139 /* set SRP N/g param callback for verification */
140 s->srp_ctx.SRP_verify_param_callback = ctx->srp_ctx.SRP_verify_param_callback;
141 /* set SRP client passwd callback */
142 s->srp_ctx.SRP_give_srp_client_pwd_callback = ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
143
144 s->srp_ctx.N = NULL;
145 s->srp_ctx.g = NULL;
146 s->srp_ctx.s = NULL;
147 s->srp_ctx.B = NULL;
148 s->srp_ctx.A = NULL;
149 s->srp_ctx.a = NULL;
150 s->srp_ctx.b = NULL;
151 s->srp_ctx.v = NULL;
152 s->srp_ctx.login = NULL;
153 s->srp_ctx.info = ctx->srp_ctx.info;
154 s->srp_ctx.strength = ctx->srp_ctx.strength;
155
156 if (((ctx->srp_ctx.N != NULL) &&
157 ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) ||
158 ((ctx->srp_ctx.g != NULL) &&
159 ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) ||
160 ((ctx->srp_ctx.s != NULL) &&
161 ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) ||
162 ((ctx->srp_ctx.B != NULL) &&
163 ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) ||
164 ((ctx->srp_ctx.A != NULL) &&
165 ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) ||
166 ((ctx->srp_ctx.a != NULL) &&
167 ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) ||
168 ((ctx->srp_ctx.v != NULL) &&
169 ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) ||
170 ((ctx->srp_ctx.b != NULL) &&
171 ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
172 SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB);
173 goto err;
174 }
175 if ((ctx->srp_ctx.login != NULL) &&
176 ((s->srp_ctx.login = BUF_strdup(ctx->srp_ctx.login)) == NULL)) {
177 SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
178 goto err;
179 }
180 s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
181
182 return (1);
183err:
184 OPENSSL_free(s->srp_ctx.login);
185 BN_free(s->srp_ctx.N);
186 BN_free(s->srp_ctx.g);
187 BN_free(s->srp_ctx.s);
188 BN_free(s->srp_ctx.B);
189 BN_free(s->srp_ctx.A);
190 BN_free(s->srp_ctx.a);
191 BN_free(s->srp_ctx.b);
192 BN_free(s->srp_ctx.v);
193 return (0);
194}
195
196int
197SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx) {
198 if (ctx == NULL)
199 return 0;
200
201 ctx->srp_ctx.SRP_cb_arg = NULL;
202 /* set client Hello login callback */
203 ctx->srp_ctx.TLS_ext_srp_username_callback = NULL;
204 /* set SRP N/g param callback for verification */
205 ctx->srp_ctx.SRP_verify_param_callback = NULL;
206 /* set SRP client passwd callback */
207 ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
208
209 ctx->srp_ctx.N = NULL;
210 ctx->srp_ctx.g = NULL;
211 ctx->srp_ctx.s = NULL;
212 ctx->srp_ctx.B = NULL;
213 ctx->srp_ctx.A = NULL;
214 ctx->srp_ctx.a = NULL;
215 ctx->srp_ctx.b = NULL;
216 ctx->srp_ctx.v = NULL;
217 ctx->srp_ctx.login = NULL;
218 ctx->srp_ctx.srp_Mask = 0;
219 ctx->srp_ctx.info = NULL;
220 ctx->srp_ctx.strength = SRP_MINIMAL_N;
221
222 return (1);
223}
224
225/* server side */
226int
227SSL_srp_server_param_with_username(SSL *s, int *ad)
228{
229 unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
230 int al;
231
232 *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
233 if ((s->srp_ctx.TLS_ext_srp_username_callback !=NULL) &&
234 ((al = s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
235 s->srp_ctx.SRP_cb_arg)) != SSL_ERROR_NONE))
236 return al;
237
238 *ad = SSL_AD_INTERNAL_ERROR;
239 if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
240 (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
241 return SSL3_AL_FATAL;
242
243 if (RAND_bytes(b, sizeof(b)) <= 0)
244 return SSL3_AL_FATAL;
245 s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
246 OPENSSL_cleanse(b, sizeof(b));
247
248 /* Calculate: B = (kv + g^b) % N */
249
250 return ((s->srp_ctx.B = SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g, s->srp_ctx.v)) != NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
251}
252
253/* If the server just has the raw password, make up a verifier entry on the fly */
254int
255SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, const char *grp)
256{
257 SRP_gN *GN = SRP_get_default_gN(grp);
258 if (GN == NULL)
259 return -1;
260 s->srp_ctx.N = BN_dup(GN->N);
261 s->srp_ctx.g = BN_dup(GN->g);
262 if (s->srp_ctx.v != NULL) {
263 BN_clear_free(s->srp_ctx.v);
264 s->srp_ctx.v = NULL;
265 }
266 if (s->srp_ctx.s != NULL) {
267 BN_clear_free(s->srp_ctx.s);
268 s->srp_ctx.s = NULL;
269 }
270 if (!SRP_create_verifier_BN(user, pass, &s->srp_ctx.s, &s->srp_ctx.v,
271 GN->N, GN->g))
272 return -1;
273
274 return 1;
275}
276
277int
278SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
279 BIGNUM *sa, BIGNUM *v, char *info)
280{
281 if (N != NULL) {
282 if (s->srp_ctx.N != NULL) {
283 if (!BN_copy(s->srp_ctx.N, N)) {
284 BN_free(s->srp_ctx.N);
285 s->srp_ctx.N = NULL;
286 }
287 } else
288 s->srp_ctx.N = BN_dup(N);
289 }
290 if (g != NULL) {
291 if (s->srp_ctx.g != NULL) {
292 if (!BN_copy(s->srp_ctx.g, g)) {
293 BN_free(s->srp_ctx.g);
294 s->srp_ctx.g = NULL;
295 }
296 } else
297 s->srp_ctx.g = BN_dup(g);
298 }
299 if (sa != NULL) {
300 if (s->srp_ctx.s != NULL) {
301 if (!BN_copy(s->srp_ctx.s, sa)) {
302 BN_free(s->srp_ctx.s);
303 s->srp_ctx.s = NULL;
304 }
305 } else
306 s->srp_ctx.s = BN_dup(sa);
307 }
308 if (v != NULL) {
309 if (s->srp_ctx.v != NULL) {
310 if (!BN_copy(s->srp_ctx.v, v)) {
311 BN_free(s->srp_ctx.v);
312 s->srp_ctx.v = NULL;
313 }
314 } else
315 s->srp_ctx.v = BN_dup(v);
316 }
317 s->srp_ctx.info = info;
318
319 if (!(s->srp_ctx.N) || !(s->srp_ctx.g) ||
320 !(s->srp_ctx.s) || !(s->srp_ctx.v))
321 return -1;
322
323 return 1;
324}
325
326int
327SRP_generate_server_master_secret(SSL *s, unsigned char *master_key)
328{
329 BIGNUM *K = NULL, *u = NULL;
330 int ret = -1, tmp_len;
331 unsigned char *tmp = NULL;
332
333 if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
334 goto err;
335 if (!(u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)))
336 goto err;
337 if (!(K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b, s->srp_ctx.N)))
338 goto err;
339
340 tmp_len = BN_num_bytes(K);
341 if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
342 goto err;
343 BN_bn2bin(K, tmp);
344 ret = s->method->ssl3_enc->generate_master_secret(s, master_key, tmp, tmp_len);
345err:
346 if (tmp) {
347 OPENSSL_cleanse(tmp, tmp_len);
348 OPENSSL_free(tmp);
349 }
350 BN_clear_free(K);
351 BN_clear_free(u);
352 return ret;
353}
354
355/* client side */
356int
357SRP_generate_client_master_secret(SSL *s, unsigned char *master_key)
358{
359 BIGNUM *x = NULL, *u = NULL, *K = NULL;
360 int ret = -1, tmp_len;
361 char *passwd = NULL;
362 unsigned char *tmp = NULL;
363
364 /* Checks if b % n == 0
365 */
366 if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0)
367 goto err;
368 if (!(u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)))
369 goto err;
370 if (s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL)
371 goto err;
372 if (!(passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
373 s->srp_ctx.SRP_cb_arg)))
374 goto err;
375 if (!(x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)))
376 goto err;
377 if (!(K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, s->srp_ctx.g,
378 x, s->srp_ctx.a, u)))
379 goto err;
380
381 tmp_len = BN_num_bytes(K);
382 if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) goto err;
383 BN_bn2bin(K, tmp);
384 ret = s->method->ssl3_enc->generate_master_secret(s, master_key,
385 tmp, tmp_len);
386err:
387 if (tmp) {
388 OPENSSL_cleanse(tmp, tmp_len);
389 OPENSSL_free(tmp);
390 }
391 BN_clear_free(K);
392 BN_clear_free(x);
393 if (passwd) {
394 OPENSSL_cleanse(passwd, strlen(passwd));
395 OPENSSL_free(passwd);
396 }
397 BN_clear_free(u);
398 return ret;
399}
400
401int
402SRP_Calc_A_param(SSL *s)
403{
404 unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
405
406 if (BN_num_bits(s->srp_ctx.N) < s->srp_ctx.strength)
407 return -1;
408
409 if (s->srp_ctx.SRP_verify_param_callback ==NULL &&
410 !SRP_check_known_gN_param(s->srp_ctx.g, s->srp_ctx.N))
411 return -1;
412
413 RAND_bytes(rnd, sizeof(rnd));
414 s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
415 OPENSSL_cleanse(rnd, sizeof(rnd));
416
417 if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N,
418 s->srp_ctx.g)))
419 return -1;
420
421 /* We can have a callback to verify SRP param!! */
422 if (s->srp_ctx.SRP_verify_param_callback !=NULL)
423 return s->srp_ctx.SRP_verify_param_callback(s,
424 s->srp_ctx.SRP_cb_arg);
425
426 return 1;
427}
428
429BIGNUM
430*SSL_get_srp_g(SSL *s)
431{
432 if (s->srp_ctx.g != NULL)
433 return s->srp_ctx.g;
434 return s->ctx->srp_ctx.g;
435}
436
437BIGNUM
438*SSL_get_srp_N(SSL *s)
439{
440 if (s->srp_ctx.N != NULL)
441 return s->srp_ctx.N;
442 return s->ctx->srp_ctx.N;
443}
444
445char
446*SSL_get_srp_username(SSL *s)
447{
448 if (s->srp_ctx.login != NULL)
449 return s->srp_ctx.login;
450 return s->ctx->srp_ctx.login;
451}
452
453char
454*SSL_get_srp_userinfo(SSL *s)
455{
456 if (s->srp_ctx.info != NULL)
457 return s->srp_ctx.info;
458 return s->ctx->srp_ctx.info;
459}
460
461#define tls1_ctx_ctrl ssl3_ctx_ctrl
462#define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
463
464int
465SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
466{
467 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
468}
469
470int
471SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
472{
473 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
474}
475
476int
477SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
478{
479 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
480 NULL);
481}
482
483int
484SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, int (*cb)(SSL *, void *))
485{
486 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
487 (void (*)(void))cb);
488}
489
490int
491SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
492{
493 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
494}
495
496int
497SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
498 int (*cb)(SSL *, int *, void *))
499{
500 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
501 (void (*)(void))cb);
502}
503
504int
505SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, char *(*cb)(SSL *, void *))
506{
507 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
508 (void (*)(void))cb);
509}
510
511#endif
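--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -533,9 +533,6 @@ struct ssl_session_st {
  size_t tlsext_ticklen; /* Session ticket length */
  long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
 #endif
-#ifndef OPENSSL_NO_SRP
- char *srp_username;
-#endif
 };
 
 #endif
@@ -685,42 +682,6 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
 #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 
-#ifndef OPENSSL_NO_SRP
-
-#ifndef OPENSSL_NO_SSL_INTERN
-
-typedef struct srp_ctx_st {
- /* param for all the callbacks */
- void *SRP_cb_arg;
- /* set client Hello login callback */
- int (*TLS_ext_srp_username_callback)(SSL *, int *, void *);
- /* set SRP N/g param callback for verification */
- int (*SRP_verify_param_callback)(SSL *, void *);
- /* set SRP client passwd callback */
- char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
-
- char *login;
- BIGNUM *N, *g, *s, *B, *A;
- BIGNUM *a, *b, *v;
- char *info;
- int strength;
-
- unsigned long srp_Mask;
-} SRP_CTX;
-
-#endif
-
-/* see tls_srp.c */
-int SSL_SRP_CTX_init(SSL *s);
-int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
-int SSL_SRP_CTX_free(SSL *ctx);
-int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
-int SSL_srp_server_param_with_username(SSL *s, int *ad);
-int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key);
-int SRP_Calc_A_param(SSL *s);
-int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key);
-
-#endif
 
 #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
 
@@ -942,9 +903,6 @@ struct ssl_ctx_st {
  struct ssl3_buf_freelist_st *wbuf_freelist;
  struct ssl3_buf_freelist_st *rbuf_freelist;
 #endif
-#ifndef OPENSSL_NO_SRP
- SRP_CTX srp_ctx; /* ctx for SRP authentication */
-#endif
 
 #ifndef OPENSSL_NO_TLSEXT
 
@@ -1348,9 +1306,6 @@ struct ssl_st {
  * 2 if we are a server and are inside a handshake
  * (i.e. not just sending a HelloRequest) */
 
-#ifndef OPENSSL_NO_SRP
- SRP_CTX srp_ctx; /* ctx for SRP authentication */
-#endif
 };
 
 #endif
@@ -1799,24 +1754,6 @@ int SSL_set_trust(SSL *s, int trust);
 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
 
-#ifndef OPENSSL_NO_SRP
-int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
-int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
-int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
-int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, char *(*cb)(SSL *, void *));
-int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, int (*cb)(SSL *, void *));
-int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx, int (*cb)(SSL *, int *, void *));
-int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
-
-int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, BIGNUM *sa, BIGNUM *v, char *info);
-int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, const char *grp);
-
-BIGNUM *SSL_get_srp_g(SSL *s);
-BIGNUM *SSL_get_srp_N(SSL *s);
-
-char *SSL_get_srp_username(SSL *s);
-char *SSL_get_srp_userinfo(SSL *s);
-#endif
 
 void SSL_free(SSL *ssl);
 int SSL_accept(SSL *ssl);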
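--- a/src/lib/libssl/ssl/Makefile
+++ b/src/lib/libssl/ssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.35 2014/04/15 21:47:56 tedu Exp $
+# $OpenBSD: Makefile,v 1.36 2014/04/16 17:59:17 tedu Exp $
 
 LIB= ssl
 
@@ -19,7 +19,7 @@ SRCS=\
  ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
  ssl_ciph.c ssl_stat.c ssl_rsa.c \
  ssl_asn1.c ssl_txt.c ssl_algs.c \
- bio_ssl.c ssl_err.c kssl.c tls_srp.c t1_reneg.c
+ bio_ssl.c ssl_err.c kssl.c t1_reneg.c
 SRCS+= s3_cbc.c
 
 HDRS= srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h kssl.h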
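--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -113,9 +113,6 @@ typedef struct ssl_session_asn1_st {
  ASN1_OCTET_STRING psk_identity_hint;
  ASN1_OCTET_STRING psk_identity;
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
- ASN1_OCTET_STRING srp_username;
-#endif /* OPENSSL_NO_SRP */
 } SSL_SESSION_ASN1;
 
 int
@@ -133,9 +130,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
  unsigned char cbuf;
  int v11 = 0;
 #endif
-#ifndef OPENSSL_NO_SRP
- int v12 = 0;
-#endif
  long l;
  SSL_SESSION_ASN1 a;
  M_ASN1_I2D_vars(in);
@@ -253,13 +247,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
  a.psk_identity.data = (unsigned char *)(in->psk_identity);
  }
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
- if (in->srp_username) {
- a.srp_username.length = strlen(in->srp_username);
- a.srp_username.type = V_ASN1_OCTET_STRING;
- a.srp_username.data = (unsigned char *)(in->srp_username);
- }
-#endif /* OPENSSL_NO_SRP */
 
  M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
  M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
@@ -300,10 +287,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
  if (in->psk_identity)
  M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, v8);
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
- if (in->srp_username)
- M_ASN1_I2D_len_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING, 12, v12);
-#endif /* OPENSSL_NO_SRP */
 
  M_ASN1_I2D_seq_total();
 
@@ -348,10 +331,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
  if (in->compress_meth)
  M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11);
 #endif
-#ifndef OPENSSL_NO_SRP
- if (in->srp_username)
- M_ASN1_I2D_put_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING, 12, v12);
-#endif /* OPENSSL_NO_SRP */
  M_ASN1_I2D_finish();
 }
 
@@ -580,18 +559,6 @@ long length)
  }
 #endif
 
-#ifndef OPENSSL_NO_SRP
- os.length = 0;
- os.data = NULL;
- M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 12);
- if (os.data) {
- ret->srp_username = BUF_strndup((char *)os.data, os.length);
- OPENSSL_free(os.data);
- os.data = NULL;
- os.length = 0;
- } else
- ret->srp_username = NULL;
-#endif /* OPENSSL_NO_SRP */
 
  M_ASN1_D2I_Finish(a, SSL_SESSION_free, SSL_F_D2I_SSL_SESSION);
 }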
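--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -724,9 +724,7 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
  *mkey |= SSL_kPSK;
  *auth |= SSL_aPSK;
 #endif
-#ifdef OPENSSL_NO_SRP
  *mkey |= SSL_kSRP;
-#endif
  /* Check for presence of GOST 34.10 algorithms, and if they
  * do not present, disable appropriate auth and key exchange */
  if (!get_optional_pkey_id("gost94")) {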
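Review bot: The now-unconditional `*mkey |= SSL_kSRP;` in ssl_cipher_get_disabled() has no comment saying that SRP key exchange is masked out on purpose, so next to the still-guarded PSK lines above it reads like a leftover of the dropped `#ifdef OPENSSL_NO_SRP` guard. A one-line comment would record the intent, for example `/* SRP support has been removed: always disable SRP key exchange */`. This mask appears to be what keeps SRP suites from being offered or selected now that the handshake code is gone; whether SRP entries remain in the cipher table is not visible in this hunk, so that part is an assumption to confirm. The function starts and ends outside the hunk.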
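--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1823,9 +1823,6 @@ SSL_CTX
  ret->psk_client_callback = NULL;
  ret->psk_server_callback = NULL;
 #endif
-#ifndef OPENSSL_NO_SRP
- SSL_CTX_SRP_CTX_init(ret);
-#endif
 #ifndef OPENSSL_NO_BUF_FREELISTS
  ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
  ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -1965,9 +1962,6 @@ SSL_CTX_free(SSL_CTX *a)
  if (a->psk_identity_hint)
  OPENSSL_free(a->psk_identity_hint);
 #endif
-#ifndef OPENSSL_NO_SRP
- SSL_CTX_SRP_CTX_free(a);
-#endif
 #ifndef OPENSSL_NO_ENGINE
  if (a->client_cert_engine)
  ENGINE_finish(a->client_cert_engine);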
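--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -224,9 +224,6 @@ SSL_SESSION
  ss->psk_identity_hint = NULL;
  ss->psk_identity = NULL;
 #endif
-#ifndef OPENSSL_NO_SRP
- ss->srp_username = NULL;
-#endif
  return (ss);
 }
 
@@ -737,10 +734,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
  if (ss->psk_identity != NULL)
  OPENSSL_free(ss->psk_identity);
 #endif
-#ifndef OPENSSL_NO_SRP
- if (ss->srp_username != NULL)
- OPENSSL_free(ss->srp_username);
-#endif
  OPENSSL_cleanse(ss, sizeof(*ss));
  OPENSSL_free(ss);
 }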
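--- a/src/lib/libssl/ssl_txt.c
+++ b/src/lib/libssl/ssl_txt.c
@@ -193,12 +193,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
  if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None")
  <= 0) goto err;
 #endif
-#ifndef OPENSSL_NO_SRP
- if (BIO_puts(bp, "\n SRP username: ")
- <= 0) goto err;
- if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None")
- <= 0) goto err;
-#endif
 #ifndef OPENSSL_NO_TLSEXT
  if (x->tlsext_tick_lifetime_hint) {
  if (BIO_printf(bp,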
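--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -427,35 +427,6 @@ unsigned char
  ret += el;
  }
 
-#ifndef OPENSSL_NO_SRP
- /* Add SRP username if there is one */
- if (s->srp_ctx.login != NULL)
- { /* Add TLS extension SRP username to the Client Hello message */
-
- int login_len = strlen(s->srp_ctx.login);
-
- if (login_len > 255 || login_len == 0) {
- SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
- return NULL;
- }
-
- /* check for enough space.
- 4 for the srp type type and entension length
- 1 for the srp user identity
- + srp user identity length
- */
- if ((limit - ret - 5 - login_len)
- < 0) return NULL;
-
-
- /* fill in the extension */
- s2n(TLSEXT_TYPE_srp, ret);
- s2n(login_len + 1, ret);
- (*ret++) = (unsigned char) login_len;
- memcpy(ret, s->srp_ctx.login, login_len);
- ret += login_len;
- }
-#endif
 
 #ifndef OPENSSL_NO_EC
  if (s->tlsext_ecpointformatlist != NULL &&
@@ -1071,27 +1042,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
  }
 
  }
-#ifndef OPENSSL_NO_SRP
- else if (type == TLSEXT_TYPE_srp) {
- if (size <= 0 || ((len = data[0])) != (size - 1)) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
- if (s->srp_ctx.login != NULL) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
- if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
- return -1;
- memcpy(s->srp_ctx.login, &data[1], len);
- s->srp_ctx.login[len] = '\0';
-
- if (strlen(s->srp_ctx.login) != len) {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
- }
-#endif
 
 #ifndef OPENSSL_NO_EC
  else if (type == TLSEXT_TYPE_ec_point_formats &&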