src - OpenBSD base system

diff options


context:
space:
mode:

author	Ted Unangst <tedu@cvs.openbsd.org>	2014-04-16 20:39:10 +0000
committer	Ted Unangst <tedu@cvs.openbsd.org>	2014-04-16 20:39:10 +0000
commit	0b42c8e9442d14354d0c3dc40ea11ca81744f39f (patch)
tree	a88e15f71e751ac54787e17e12ad4420e78d46f2 /lib/libssl/s3_clnt.c
parent	d1c2971263880f9044c4db378bfe322cd012ab6b (diff)

add back SRP. i was being too greedy.

Diffstat (limited to 'lib/libssl/s3_clnt.c')

-rw-r--r--

lib/libssl/s3_clnt.c

106

1 files changed, 106 insertions, 0 deletions

diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index 1589cdc21e4..88be294ab78 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c

@@ -365,6 +365,15 @@ ssl3_connect(SSL *s)

ret = ssl3_get_server_done(s);

if (ret <= 0)

goto end;

+#ifndef OPENSSL_NO_SRP

+ if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {

+ if ((ret = SRP_Calc_A_param(s)) <= 0) {

+ SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC);

+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

+ goto end;

+ }

+#endif

if (s->s3->tmp.cert_req)

s->state = SSL3_ST_CW_CERT_A;

else

@@ -1290,6 +1299,76 @@ ssl3_get_key_exchange(SSL *s)

n -= param_len;

} else

#endif /* !OPENSSL_NO_PSK */

+#ifndef OPENSSL_NO_SRP

+ if (alg_k & SSL_kSRP) {

+ n2s(p, i);

+ param_len = i + 2;

+ if (param_len > n) {

+ al = SSL_AD_DECODE_ERROR;

+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH);

+ goto f_err;

+ }

+ if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {

+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);

+ goto err;

+ }

+ p += i;

+ n2s(p, i);

+ param_len += i + 2;

+ if (param_len > n) {

+ al = SSL_AD_DECODE_ERROR;

+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH);

+ goto f_err;

+ }

+ if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {

+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);

+ goto err;

+ }

+ p += i;

+ i = (unsigned int)(p[0]);

+ p++;

+ param_len += i + 1;

+ if (param_len > n) {

+ al = SSL_AD_DECODE_ERROR;

+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH);

+ goto f_err;

+ }

+ if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {

+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);

+ goto err;

+ }

+ p += i;

+ n2s(p, i);

+ param_len += i + 2;

+ if (param_len > n) {

+ al = SSL_AD_DECODE_ERROR;

+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH);

+ goto f_err;

+ }

+ if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {

+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);

+ goto err;

+ }

+ p += i;

+ n -= param_len;

+/* We must check if there is a certificate */

+#ifndef OPENSSL_NO_RSA

+ if (alg_a & SSL_aRSA)

+ pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);

+#else

+ if (0)

+#endif

+#ifndef OPENSSL_NO_DSA

+ else if (alg_a & SSL_aDSS)

+ pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);

+#endif

+ } else

+#endif /* !OPENSSL_NO_SRP */

#ifndef OPENSSL_NO_RSA

if (alg_k & SSL_kRSA) {

if ((rsa = RSA_new()) == NULL) {

@@ -2492,6 +2571,33 @@ ssl3_send_client_key_exchange(SSL *s)

EVP_PKEY_free(pub_key);

}

+#ifndef OPENSSL_NO_SRP

+ else if (alg_k & SSL_kSRP) {

+ if (s->srp_ctx.A != NULL) {

+ /* send off the data */

+ n = BN_num_bytes(s->srp_ctx.A);

+ s2n(n, p);

+ BN_bn2bin(s->srp_ctx.A, p);

+ n += 2;

+ } else {

+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);

+ goto err;

+ }

+ if (s->session->srp_username != NULL)

+ OPENSSL_free(s->session->srp_username);

+ s->session->srp_username = BUF_strdup(s->srp_ctx.login);

+ if (s->session->srp_username == NULL) {

+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,

+ ERR_R_MALLOC_FAILURE);

+ goto err;

+ }

+ if ((s->session->master_key_length = SRP_generate_client_master_secret(s, s->session->master_key)) < 0) {

+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);

+ goto err;

+ }

+#endif

#ifndef OPENSSL_NO_PSK

else if (alg_k & SSL_kPSK) {

char identity[PSK_MAX_IDENTITY_LEN];