1 files changed, 209 insertions, 0 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index f56dbe26d7..68a4b8ca2d 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -2419,6 +2419,151 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
        },
 #endif  /* OPENSSL_NO_ECDH */
+#ifndef OPENSSL_NO_SRP
+        /* Cipher C01A */
+        {
+                1,
+                TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+                TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+                SSL_kSRP,
+                SSL_aNULL,
+                SSL_3DES,
+                SSL_SHA1,
+                SSL_TLSV1,
+                SSL_NOT_EXP|SSL_HIGH,
+                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+                168,
+                168,
+        },
+        /* Cipher C01B */
+        {
+                1,
+                TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
+                TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
+                SSL_kSRP,
+                SSL_aRSA,
+                SSL_3DES,
+                SSL_SHA1,
+                SSL_TLSV1,
+                SSL_NOT_EXP|SSL_HIGH,
+                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+                168,
+                168,
+        },
+        /* Cipher C01C */
+        {
+                1,
+                TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
+                TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
+                SSL_kSRP,
+                SSL_aDSS,
+                SSL_3DES,
+                SSL_SHA1,
+                SSL_TLSV1,
+                SSL_NOT_EXP|SSL_HIGH,
+                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+                168,
+                168,
+        },
+        /* Cipher C01D */
+        {
+                1,
+                TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
+                TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
+                SSL_kSRP,
+                SSL_aNULL,
+                SSL_AES128,
+                SSL_SHA1,
+                SSL_TLSV1,
+                SSL_NOT_EXP|SSL_HIGH,
+                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+                128,
+                128,
+        },
+        /* Cipher C01E */
+        {
+                1,
+                TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
+                TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
+                SSL_kSRP,
+                SSL_aRSA,
+                SSL_AES128,
+                SSL_SHA1,
+                SSL_TLSV1,
+                SSL_NOT_EXP|SSL_HIGH,
+                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+                128,
+                128,
+        },
+        /* Cipher C01F */
+        {
+                1,
+                TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
+                TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
+                SSL_kSRP,
+                SSL_aDSS,
+                SSL_AES128,
+                SSL_SHA1,
+                SSL_TLSV1,
+                SSL_NOT_EXP|SSL_HIGH,
+                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+                128,
+                128,
+        },
+        /* Cipher C020 */
+        {
+                1,
+                TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
+                TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
+                SSL_kSRP,
+                SSL_aNULL,
+                SSL_AES256,
+                SSL_SHA1,
+                SSL_TLSV1,
+                SSL_NOT_EXP|SSL_HIGH,
+                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+                256,
+                256,
+        },
+        /* Cipher C021 */
+        {
+                1,
+                TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
+                TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
+                SSL_kSRP,
+                SSL_aRSA,
+                SSL_AES256,
+                SSL_SHA1,
+                SSL_TLSV1,
+                SSL_NOT_EXP|SSL_HIGH,
+                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+                256,
+                256,
+        },
+        /* Cipher C022 */
+        {
+                1,
+                TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
+                TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
+                SSL_kSRP,
+                SSL_aDSS,
+                SSL_AES256,
+                SSL_SHA1,
+                SSL_TLSV1,
+                SSL_NOT_EXP|SSL_HIGH,
+                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+                256,
+                256,
+        },
+#endif  /* OPENSSL_NO_SRP */
 #ifndef OPENSSL_NO_ECDH
        /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
@@ -2808,6 +2953,9 @@ ssl3_new(SSL *s)
        s->s3 = s3;
+#ifndef OPENSSL_NO_SRP
+        SSL_SRP_CTX_init(s);
+#endif
        s->method->ssl_clear(s);
        return (1);
 err:
@@ -2850,6 +2998,9 @@ ssl3_free(SSL *s)
        }
        if (s->s3->handshake_dgst)
                ssl3_free_digest_list(s);
+#ifndef OPENSSL_NO_SRP
+        SSL_SRP_CTX_free(s);
+#endif
        OPENSSL_cleanse(s->s3, sizeof *s->s3);
        OPENSSL_free(s->s3);
        s->s3 = NULL;
@@ -2934,6 +3085,13 @@ ssl3_clear(SSL *s)
 #endif
 }
+#ifndef OPENSSL_NO_SRP
+static char *
+srp_password_from_info_cb(SSL *s, void *arg)
+{
+        return BUF_strdup(s->srp_ctx.info);
+}
+#endif
 long
 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
@@ -3375,6 +3533,36 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                return 1;
                break;
+#ifndef OPENSSL_NO_SRP
+        case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
+                ctx->srp_ctx.srp_Mask|=SSL_kSRP;
+                if (ctx->srp_ctx.login != NULL)
+                        OPENSSL_free(ctx->srp_ctx.login);
+                ctx->srp_ctx.login = NULL;
+                if (parg == NULL)
+                        break;
+                if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1) {
+                        SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
+                        return 0;
+                }
+                if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) {
+                        SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
+                        return 0;
+                }
+                break;
+        case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
+                ctx->srp_ctx.SRP_give_srp_client_pwd_callback = srp_password_from_info_cb;
+                ctx->srp_ctx.info = parg;
+                break;
+        case SSL_CTRL_SET_SRP_ARG:
+                ctx->srp_ctx.srp_Mask|=SSL_kSRP;
+                ctx->srp_ctx.SRP_cb_arg = parg;
+                break;
+        case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
+                ctx->srp_ctx.strength = larg;
+                break;
+#endif
 #endif /* !OPENSSL_NO_TLSEXT */
                /* A Thawte special :-) */
@@ -3452,6 +3640,23 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
                    unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
                break;
+#ifndef OPENSSL_NO_SRP
+        case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
+                ctx->srp_ctx.srp_Mask|=SSL_kSRP;
+                ctx->srp_ctx.SRP_verify_param_callback =
+                    (int (*)(SSL *, void *))fp;
+                break;
+        case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB:
+                ctx->srp_ctx.srp_Mask|=SSL_kSRP;
+                ctx->srp_ctx.TLS_ext_srp_username_callback =
+                    (int (*)(SSL *, int *, void *))fp;
+                break;
+        case SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB:
+                ctx->srp_ctx.srp_Mask|=SSL_kSRP;
+                ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
+                    (char *(*)(SSL *, void *))fp;
+                break;
+#endif
 #endif
        default:
                return (0);
@@ -3557,6 +3762,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                mask_a = cert->mask_a;
                emask_k = cert->export_mask_k;
                emask_a = cert->export_mask_a;
+#ifndef OPENSSL_NO_SRP
+                mask_k = cert->mask_k | s->srp_ctx.srp_Mask;
+                emask_k = cert->export_mask_k | s->srp_ctx.srp_Mask;
+#endif
 #ifdef KSSL_DEBUG
 /*              printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index f56dbe26d7..68a4b8ca2d 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -2419,6 +2419,151 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
2419	},	2419	},
2420	#endif /* OPENSSL_NO_ECDH */	2420	#endif /* OPENSSL_NO_ECDH */
2421		2421
		2422	#ifndef OPENSSL_NO_SRP
		2423	/* Cipher C01A */
		2424	{
		2425	1,
		2426	TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
		2427	TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
		2428	SSL_kSRP,
		2429	SSL_aNULL,
		2430	SSL_3DES,
		2431	SSL_SHA1,
		2432	SSL_TLSV1,
		2433	SSL_NOT_EXP\|SSL_HIGH,
		2434	SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
		2435	168,
		2436	168,
		2437	},
		2438
		2439	/* Cipher C01B */
		2440	{
		2441	1,
		2442	TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
		2443	TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
		2444	SSL_kSRP,
		2445	SSL_aRSA,
		2446	SSL_3DES,
		2447	SSL_SHA1,
		2448	SSL_TLSV1,
		2449	SSL_NOT_EXP\|SSL_HIGH,
		2450	SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
		2451	168,
		2452	168,
		2453	},
		2454
		2455	/* Cipher C01C */
		2456	{
		2457	1,
		2458	TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
		2459	TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
		2460	SSL_kSRP,
		2461	SSL_aDSS,
		2462	SSL_3DES,
		2463	SSL_SHA1,
		2464	SSL_TLSV1,
		2465	SSL_NOT_EXP\|SSL_HIGH,
		2466	SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
		2467	168,
		2468	168,
		2469	},
		2470
		2471	/* Cipher C01D */
		2472	{
		2473	1,
		2474	TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
		2475	TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
		2476	SSL_kSRP,
		2477	SSL_aNULL,
		2478	SSL_AES128,
		2479	SSL_SHA1,
		2480	SSL_TLSV1,
		2481	SSL_NOT_EXP\|SSL_HIGH,
		2482	SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
		2483	128,
		2484	128,
		2485	},
		2486
		2487	/* Cipher C01E */
		2488	{
		2489	1,
		2490	TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
		2491	TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
		2492	SSL_kSRP,
		2493	SSL_aRSA,
		2494	SSL_AES128,
		2495	SSL_SHA1,
		2496	SSL_TLSV1,
		2497	SSL_NOT_EXP\|SSL_HIGH,
		2498	SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
		2499	128,
		2500	128,
		2501	},
		2502
		2503	/* Cipher C01F */
		2504	{
		2505	1,
		2506	TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
		2507	TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
		2508	SSL_kSRP,
		2509	SSL_aDSS,
		2510	SSL_AES128,
		2511	SSL_SHA1,
		2512	SSL_TLSV1,
		2513	SSL_NOT_EXP\|SSL_HIGH,
		2514	SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
		2515	128,
		2516	128,
		2517	},
		2518
		2519	/* Cipher C020 */
		2520	{
		2521	1,
		2522	TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
		2523	TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
		2524	SSL_kSRP,
		2525	SSL_aNULL,
		2526	SSL_AES256,
		2527	SSL_SHA1,
		2528	SSL_TLSV1,
		2529	SSL_NOT_EXP\|SSL_HIGH,
		2530	SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
		2531	256,
		2532	256,
		2533	},
		2534
		2535	/* Cipher C021 */
		2536	{
		2537	1,
		2538	TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
		2539	TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
		2540	SSL_kSRP,
		2541	SSL_aRSA,
		2542	SSL_AES256,
		2543	SSL_SHA1,
		2544	SSL_TLSV1,
		2545	SSL_NOT_EXP\|SSL_HIGH,
		2546	SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
		2547	256,
		2548	256,
		2549	},
		2550
		2551	/* Cipher C022 */
		2552	{
		2553	1,
		2554	TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
		2555	TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
		2556	SSL_kSRP,
		2557	SSL_aDSS,
		2558	SSL_AES256,
		2559	SSL_SHA1,
		2560	SSL_TLSV1,
		2561	SSL_NOT_EXP\|SSL_HIGH,
		2562	SSL_HANDSHAKE_MAC_DEFAULT\|TLS1_PRF,
		2563	256,
		2564	256,
		2565	},
		2566	#endif /* OPENSSL_NO_SRP */
2422	#ifndef OPENSSL_NO_ECDH	2567	#ifndef OPENSSL_NO_ECDH
2423		2568
2424	/* HMAC based TLS v1.2 ciphersuites from RFC5289 */	2569	/* HMAC based TLS v1.2 ciphersuites from RFC5289 */
@@ -2808,6 +2953,9 @@ ssl3_new(SSL *s)
2808		2953
2809	s->s3 = s3;	2954	s->s3 = s3;
2810		2955
		2956	#ifndef OPENSSL_NO_SRP
		2957	SSL_SRP_CTX_init(s);
		2958	#endif
2811	s->method->ssl_clear(s);	2959	s->method->ssl_clear(s);
2812	return (1);	2960	return (1);
2813	err:	2961	err:
@@ -2850,6 +2998,9 @@ ssl3_free(SSL *s)
2850	}	2998	}
2851	if (s->s3->handshake_dgst)	2999	if (s->s3->handshake_dgst)
2852	ssl3_free_digest_list(s);	3000	ssl3_free_digest_list(s);
		3001	#ifndef OPENSSL_NO_SRP
		3002	SSL_SRP_CTX_free(s);
		3003	#endif
2853	OPENSSL_cleanse(s->s3, sizeof *s->s3);	3004	OPENSSL_cleanse(s->s3, sizeof *s->s3);
2854	OPENSSL_free(s->s3);	3005	OPENSSL_free(s->s3);
2855	s->s3 = NULL;	3006	s->s3 = NULL;
@@ -2934,6 +3085,13 @@ ssl3_clear(SSL *s)
2934	#endif	3085	#endif
2935	}	3086	}
2936		3087
		3088	#ifndef OPENSSL_NO_SRP
		3089	static char *
		3090	srp_password_from_info_cb(SSL s, void arg)
		3091	{
		3092	return BUF_strdup(s->srp_ctx.info);
		3093	}
		3094	#endif
2937		3095
2938	long	3096	long
2939	ssl3_ctrl(SSL s, int cmd, long larg, void parg)	3097	ssl3_ctrl(SSL s, int cmd, long larg, void parg)
@@ -3375,6 +3533,36 @@ ssl3_ctx_ctrl(SSL_CTX ctx, int cmd, long larg, void parg)
3375	return 1;	3533	return 1;
3376	break;	3534	break;
3377		3535
		3536	#ifndef OPENSSL_NO_SRP
		3537	case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
		3538	ctx->srp_ctx.srp_Mask\|=SSL_kSRP;
		3539	if (ctx->srp_ctx.login != NULL)
		3540	OPENSSL_free(ctx->srp_ctx.login);
		3541	ctx->srp_ctx.login = NULL;
		3542	if (parg == NULL)
		3543	break;
		3544	if (strlen((const char )parg) > 255 \|\| strlen((const char )parg) < 1) {
		3545	SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
		3546	return 0;
		3547	}
		3548	if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) {
		3549	SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
		3550	return 0;
		3551	}
		3552	break;
		3553	case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
		3554	ctx->srp_ctx.SRP_give_srp_client_pwd_callback = srp_password_from_info_cb;
		3555	ctx->srp_ctx.info = parg;
		3556	break;
		3557	case SSL_CTRL_SET_SRP_ARG:
		3558	ctx->srp_ctx.srp_Mask\|=SSL_kSRP;
		3559	ctx->srp_ctx.SRP_cb_arg = parg;
		3560	break;
		3561
		3562	case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
		3563	ctx->srp_ctx.strength = larg;
		3564	break;
		3565	#endif
3378	#endif /* !OPENSSL_NO_TLSEXT */	3566	#endif /* !OPENSSL_NO_TLSEXT */
3379		3567
3380	/* A Thawte special :-) */	3568	/* A Thawte special :-) */
@@ -3452,6 +3640,23 @@ ssl3_ctx_callback_ctrl(SSL_CTX ctx, int cmd, void (fp)(void))
3452	unsigned char , EVP_CIPHER_CTX , HMAC_CTX *, int))fp;	3640	unsigned char , EVP_CIPHER_CTX , HMAC_CTX *, int))fp;
3453	break;	3641	break;
3454		3642
		3643	#ifndef OPENSSL_NO_SRP
		3644	case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
		3645	ctx->srp_ctx.srp_Mask\|=SSL_kSRP;
		3646	ctx->srp_ctx.SRP_verify_param_callback =
		3647	(int ()(SSL , void *))fp;
		3648	break;
		3649	case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB:
		3650	ctx->srp_ctx.srp_Mask\|=SSL_kSRP;
		3651	ctx->srp_ctx.TLS_ext_srp_username_callback =
		3652	(int ()(SSL , int , void ))fp;
		3653	break;
		3654	case SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB:
		3655	ctx->srp_ctx.srp_Mask\|=SSL_kSRP;
		3656	ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
		3657	(char ()(SSL , void ))fp;
		3658	break;
		3659	#endif
3455	#endif	3660	#endif
3456	default:	3661	default:
3457	return (0);	3662	return (0);
@@ -3557,6 +3762,10 @@ SSL_CIPHER ssl3_choose_cipher(SSL s, STACK_OF(SSL_CIPHER) *clnt,
3557	mask_a = cert->mask_a;	3762	mask_a = cert->mask_a;
3558	emask_k = cert->export_mask_k;	3763	emask_k = cert->export_mask_k;
3559	emask_a = cert->export_mask_a;	3764	emask_a = cert->export_mask_a;
		3765	#ifndef OPENSSL_NO_SRP
		3766	mask_k = cert->mask_k \| s->srp_ctx.srp_Mask;
		3767	emask_k = cert->export_mask_k \| s->srp_ctx.srp_Mask;
		3768	#endif
3560		3769
3561	#ifdef KSSL_DEBUG	3770	#ifdef KSSL_DEBUG
3562	/* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/	3771	/* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/