authorMatt Caswell <matt@openssl.org>2021-02-08 11:31:59 +0000
committerMatt Caswell <matt@openssl.org>2021-02-12 08:47:32 +0000
commit76cb077f81c96e98d2f2042478c916ed2fdeda16 (patch)
treefe98349c43554f984f2256b180584903164b4a74
parent6d2a1eff553b0bd463cce008a25506d89280679f (diff)
Deprecate the libssl level SRP APIs
The low level SRP implementation has been deprecated with no replacement. Therefore the libssl level APIs need to be similarly deprecated. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14132)
-rw-r--r--apps/ciphers.c11
-rw-r--r--apps/include/s_apps.h1
-rw-r--r--apps/lib/tlssrp_depr.c12
-rw-r--r--include/openssl/ssl.h.in34
-rw-r--r--ssl/s3_lib.c4
-rw-r--r--ssl/ssl_lib.c4
-rw-r--r--ssl/ssl_local.h8
-rw-r--r--ssl/statem/statem_clnt.c2
-rw-r--r--ssl/statem/statem_srvr.c2
-rw-r--r--ssl/tls_srp.c71
-rw-r--r--test/build.info3
-rw-r--r--test/helpers/handshake.c61
-rw-r--r--test/helpers/handshake.h17
-rw-r--r--test/helpers/handshake_srp.c71
-rw-r--r--util/libcrypto.num56
15 files changed, 236 insertions, 121 deletions
diff --git a/apps/ciphers.c b/apps/ciphers.c
index 3afbbe5002..03ffad3b3b 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -14,6 +14,7 @@
#include "progs.h"
#include <openssl/err.h>
#include <openssl/ssl.h>
+#include "s_apps.h"
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -63,7 +64,7 @@ const OPTIONS ciphers_options[] = {
{"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"},
#endif
#ifndef OPENSSL_NO_SRP
- {"srp", OPT_SRP, '-', "Include ciphersuites requiring SRP"},
+ {"srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP"},
#endif
{"ciphersuites", OPT_CIPHERSUITES, 's',
"Configure the TLSv1.3 ciphersuites to use"},
@@ -83,12 +84,6 @@ static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
return 0;
}
#endif
-#ifndef OPENSSL_NO_SRP
-static char *dummy_srp(SSL *ssl, void *arg)
-{
- return "";
-}
-#endif
int ciphers_main(int argc, char **argv)
{
@@ -205,7 +200,7 @@ int ciphers_main(int argc, char **argv)
#endif
#ifndef OPENSSL_NO_SRP
if (srp)
- SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
+ set_up_dummy_srp(ctx);
#endif
if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) {
diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h
index 5931c221c4..8ddf7d51e1 100644
--- a/apps/include/s_apps.h
+++ b/apps/include/s_apps.h
@@ -92,6 +92,7 @@ typedef struct srp_arg_st {
int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
int c_debug);
+void set_up_dummy_srp(SSL_CTX *ctx);
/* The server side SRP context that we pass to all SRP related callbacks */
typedef struct srpsrvparm_st {
diff --git a/apps/lib/tlssrp_depr.c b/apps/lib/tlssrp_depr.c
index 7b93e34647..91c19b096e 100644
--- a/apps/lib/tlssrp_depr.c
+++ b/apps/lib/tlssrp_depr.c
@@ -10,7 +10,7 @@
/*
* This file is to enable backwards compatibility for the SRP features of
- * s_client and s_server. All of those features are deprecated and will
+ * s_client, s_server and ciphers. All of those features are deprecated and will
* eventually disappear. In the meantime, to continue to support them, we
* need to access deprecated SRP APIs.
*/
@@ -137,6 +137,16 @@ int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
return 1;
}
+static char *dummy_srp(SSL *ssl, void *arg)
+{
+ return "";
+}
+
+void set_up_dummy_srp(SSL_CTX *ctx)
+{
+ SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
+}
+
/*
* This callback pretends to require some asynchronous logic in order to
* obtain a verifier. When the callback is called for a new connection we
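Review bot: dummy_srp() at the top of this hunk returns the string literal `""` from a client-password callback whose result libssl appears to take ownership of — the test helper client_srp_cb() in test/helpers/handshake_srp.c returns OPENSSL_strdup() for the very same callback — and nothing on the new side says why that is safe here. It works only because `ciphers` never performs a handshake, so the callback is never invoked; now that set_up_dummy_srp() is a shared helper in apps/lib rather than a static in ciphers.c, that precondition deserves to be written down. I would add a comment above set_up_dummy_srp() stating that it installs a placeholder password callback solely so that SRP ciphersuites are not filtered out of a cipher listing, that the callback returns a literal rather than an allocated string, and that a context configured this way must not be used for a real connection.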
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index f329514324..0da5b3804f 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -666,12 +666,13 @@ void SSL_set_msg_callback(SSL *ssl,
# ifndef OPENSSL_NO_SRP
/* see tls_srp.c */
-__owur int SSL_SRP_CTX_init(SSL *s);
-__owur int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
-int SSL_SRP_CTX_free(SSL *ctx);
-int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
-__owur int SSL_srp_server_param_with_username(SSL *s, int *ad);
-__owur int SRP_Calc_A_param(SSL *s);
+OSSL_DEPRECATEDIN_3_0 __owur int SSL_SRP_CTX_init(SSL *s);
+OSSL_DEPRECATEDIN_3_0 __owur int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
+OSSL_DEPRECATEDIN_3_0 int SSL_SRP_CTX_free(SSL *ctx);
+OSSL_DEPRECATEDIN_3_0 int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
+OSSL_DEPRECATEDIN_3_0 __owur int SSL_srp_server_param_with_username(SSL *s,
+ int *ad);
+OSSL_DEPRECATEDIN_3_0 __owur int SRP_Calc_A_param(SSL *s);
# endif
@@ -1833,27 +1834,32 @@ __owur X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
__owur X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
# ifndef OPENSSL_NO_SRP
-int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
-int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
-int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
+OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
+OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
+OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
+OSSL_DEPRECATEDIN_3_0
int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
char *(*cb) (SSL *, void *));
+OSSL_DEPRECATEDIN_3_0
int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
int (*cb) (SSL *, void *));
+OSSL_DEPRECATEDIN_3_0
int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
int (*cb) (SSL *, int *, void *));
-int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
+OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
+OSSL_DEPRECATEDIN_3_0
int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
BIGNUM *sa, BIGNUM *v, char *info);
+OSSL_DEPRECATEDIN_3_0
int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
const char *grp);
-__owur BIGNUM *SSL_get_srp_g(SSL *s);
-__owur BIGNUM *SSL_get_srp_N(SSL *s);
+OSSL_DEPRECATEDIN_3_0 __owur BIGNUM *SSL_get_srp_g(SSL *s);
+OSSL_DEPRECATEDIN_3_0 __owur BIGNUM *SSL_get_srp_N(SSL *s);
-__owur char *SSL_get_srp_username(SSL *s);
-__owur char *SSL_get_srp_userinfo(SSL *s);
+OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_username(SSL *s);
+OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_userinfo(SSL *s);
# endif
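Review bot: The deprecation in this hunk and in the SSL_SRP_CTX_init() hunk above is expressed only through OSSL_DEPRECATEDIN_3_0 on the prototypes, while the diffstat shows util/libcrypto.num being updated with DEPRECATEDIN_3_0 flags but no change to util/libssl.num; the ordinal entries for SSL_CTX_set_srp_username() and the other libssl functions here presumably still lack that flag, and `make update` would likely regenerate the file. Elsewhere in the public headers deprecated declarations additionally sit inside `# ifndef OPENSSL_NO_DEPRECATED_3_0` so that a no-deprecated build does not see them at all; if that convention is intended for SRP too, both blocks want the same wrapper, `#  ifndef OPENSSL_NO_DEPRECATED_3_0` before the first prototype and `#  endif` after the last, inside the existing OPENSSL_NO_SRP guard. If the guard is deliberately omitted so that the functions stay visible until removal, a short comment saying so next to `/* see tls_srp.c */` would stop the next reader from adding it.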
/*
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ec19eeacc3..8eb0f7c864 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3330,7 +3330,7 @@ int ssl3_handshake_write(SSL *s)
int ssl3_new(SSL *s)
{
#ifndef OPENSSL_NO_SRP
- if (!SSL_SRP_CTX_init(s))
+ if (!ssl_srp_ctx_init_intern(s))
return 0;
#endif
@@ -3366,7 +3366,7 @@ void ssl3_free(SSL *s)
OPENSSL_free(s->s3.alpn_proposed);
#ifndef OPENSSL_NO_SRP
- SSL_SRP_CTX_free(s);
+ ssl_srp_ctx_free_intern(s);
#endif
memset(&s->s3, 0, sizeof(s->s3));
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 554fc3533d..1fded640a1 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3239,7 +3239,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
goto err;
#ifndef OPENSSL_NO_SRP
- if (!SSL_CTX_SRP_CTX_init(ret))
+ if (!ssl_ctx_srp_ctx_init_intern(ret))
goto err;
#endif
#ifndef OPENSSL_NO_ENGINE
@@ -3382,7 +3382,7 @@ void SSL_CTX_free(SSL_CTX *a)
sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
#endif
#ifndef OPENSSL_NO_SRP
- SSL_CTX_SRP_CTX_free(a);
+ ssl_ctx_srp_ctx_free_intern(a);
#endif
#ifndef OPENSSL_NO_ENGINE
tls_engine_finish(a->client_cert_engine);
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 2687a47c2a..127011b62c 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2828,6 +2828,14 @@ int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len);
int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len);
size_t ssl_hmac_old_size(const SSL_HMAC *ctx);
+int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx);
+int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx);
+int ssl_srp_ctx_free_intern(SSL *s);
+int ssl_srp_ctx_init_intern(SSL *s);
+
+int ssl_srp_calc_a_param_intern(SSL *s);
+int ssl_srp_server_param_with_username_intern(SSL *s, int *ad);
+
# else /* OPENSSL_UNIT_TEST */
# define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
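Review bot: The new internal prototypes drop the `__owur` that the public declarations they stand in for carry — SSL_SRP_CTX_init(), SSL_CTX_SRP_CTX_init(), SSL_srp_server_param_with_username() and SRP_Calc_A_param() are all `__owur` in include/openssl/ssl.h.in — so an unchecked call to ssl_srp_ctx_init_intern() would no longer be diagnosed, even though every caller in this commit does check the result. I would write `__owur int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx);` and `__owur int ssl_srp_ctx_init_intern(SSL *s);`, and likewise for ssl_srp_calc_a_param_intern() and ssl_srp_server_param_with_username_intern(), matching the annotation used on many other prototypes elsewhere in ssl_local.h. The two free functions can stay as they are, since SSL_SRP_CTX_free() and SSL_CTX_SRP_CTX_free() are not `__owur` either.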
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 83862e076d..2358e2c616 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2716,7 +2716,7 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
}
#ifndef OPENSSL_NO_SRP
if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
- if (SRP_Calc_A_param(s) <= 0) {
+ if (ssl_srp_calc_a_param_intern(s) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC);
return MSG_PROCESS_ERROR;
}
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 956348613b..d1138e45d5 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1258,7 +1258,7 @@ static int ssl_check_srp_ext_ClientHello(SSL *s)
SSL_R_PSK_IDENTITY_NOT_FOUND);
return -1;
} else {
- ret = SSL_srp_server_param_with_username(s, &al);
+ ret = ssl_srp_server_param_with_username_intern(s, &al);
if (ret < 0)
return 0;
if (ret == SSL3_AL_FATAL) {
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 98b2785b8c..1d9f4d29f6 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -11,7 +11,10 @@
* for the EdelKey project.
*/
-/* We need to use the SRP deprecated APIs */
+/*
+ * We need to use the SRP deprecated APIs in order to implement the SSL SRP
+ * APIs - which are themselves deprecated.
+ */
#define OPENSSL_SUPPRESS_DEPRECATED
#include <openssl/crypto.h>
@@ -22,7 +25,11 @@
#ifndef OPENSSL_NO_SRP
# include <openssl/srp.h>
-int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
+/*
+ * The public API SSL_CTX_SRP_CTX_free() is deprecated so we use
+ * ssl_ctx_srp_ctx_free_intern() internally.
+ */
+int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx)
{
if (ctx == NULL)
return 0;
@@ -41,7 +48,16 @@ int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
return 1;
}
-int SSL_SRP_CTX_free(struct ssl_st *s)
+int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx)
+{
+ return ssl_ctx_srp_ctx_free_intern(ctx);
+}
+
+/*
+ * The public API SSL_SRP_CTX_free() is deprecated so we use
+ * ssl_srp_ctx_free_intern() internally.
+ */
+int ssl_srp_ctx_free_intern(SSL *s)
{
if (s == NULL)
return 0;
@@ -60,7 +76,16 @@ int SSL_SRP_CTX_free(struct ssl_st *s)
return 1;
}
-int SSL_SRP_CTX_init(struct ssl_st *s)
+int SSL_SRP_CTX_free(SSL *s)
+{
+ return ssl_srp_ctx_free_intern(s);
+}
+
+/*
+ * The public API SSL_SRP_CTX_init() is deprecated so we use
+ * ssl_srp_ctx_init_intern() internally.
+ */
+int ssl_srp_ctx_init_intern(SSL *s)
{
SSL_CTX *ctx;
@@ -129,7 +154,16 @@ int SSL_SRP_CTX_init(struct ssl_st *s)
return 0;
}
-int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
+int SSL_SRP_CTX_init(SSL *s)
+{
+ return ssl_srp_ctx_init_intern(s);
+}
+
+/*
+ * The public API SSL_CTX_SRP_CTX_init() is deprecated so we use
+ * ssl_ctx_srp_ctx_init_intern() internally.
+ */
+int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx)
{
if (ctx == NULL)
return 0;
@@ -140,8 +174,17 @@ int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
return 1;
}
+int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx)
+{
+ return ssl_ctx_srp_ctx_init_intern(ctx);
+}
+
/* server side */
-int SSL_srp_server_param_with_username(SSL *s, int *ad)
+/*
+ * The public API SSL_srp_server_param_with_username() is deprecated so we use
+ * ssl_srp_server_param_with_username_intern() internally.
+ */
+int ssl_srp_server_param_with_username_intern(SSL *s, int *ad)
{
unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
int al;
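Review bot: The comment added above ssl_srp_server_param_with_username_intern() only says it is the internal twin of the deprecated public function; the return convention is what a reader of this hunk actually needs, and it is stated nowhere. From the visible tail of the function (`? SSL_ERROR_NONE : SSL3_AL_FATAL`) and the caller in ssl/statem/statem_srvr.c, which tests `ret < 0` and `ret == SSL3_AL_FATAL`, the function returns SSL_ERROR_NONE on success, SSL3_AL_FATAL with `*ad` set to the alert to send on failure, and presumably passes through a negative value from the application's username callback. I would extend the comment with `Returns SSL_ERROR_NONE on success, SSL3_AL_FATAL on failure with *ad set to the alert to send, or a negative value passed through from the username callback`, after confirming the last case against the body, which continues outside this hunk. A one-line contract of the same kind would also help the other three *_intern() comments in this file, which currently all carry identical boilerplate.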
@@ -173,6 +216,11 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad)
NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
}
+int SSL_srp_server_param_with_username(SSL *s, int *ad)
+{
+ return ssl_srp_server_param_with_username_intern(s, ad);
+}
+
/*
* If the server just has the raw password, make up a verifier entry on the
* fly
@@ -364,7 +412,11 @@ int srp_verify_server_param(SSL *s)
return 1;
}
-int SRP_Calc_A_param(SSL *s)
+/*
+ * The public API SRP_Calc_A_param() is deprecated so we use
+ * ssl_srp_calc_a_param_intern() internally.
+ */
+int ssl_srp_calc_a_param_intern(SSL *s)
{
unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
@@ -379,6 +431,11 @@ int SRP_Calc_A_param(SSL *s)
return 1;
}
+int SRP_Calc_A_param(SSL *s)
+{
+ return ssl_srp_calc_a_param_intern(s);
+}
+
BIGNUM *SSL_get_srp_g(SSL *s)
{
if (s->srp_ctx.g != NULL)
diff --git a/test/build.info b/test/build.info
index 159f7146e3..3f65d68b8c 100644
--- a/test/build.info
+++ b/test/build.info
@@ -279,6 +279,9 @@ IF[{- !$disabled{tests} -}]
DEPEND[ssl_test_ctx_test]=../libcrypto ../libssl libtestutil.a
SOURCE[ssl_test]=ssl_test.c helpers/ssl_test_ctx.c helpers/handshake.c
+ IF[{- !$disabled{'srp'} -}]
+ SOURCE[ssl_test]=helpers/handshake_srp.c
+ ENDIF
INCLUDE[ssl_test]=../include ../apps/include
DEPEND[ssl_test]=../libcrypto ../libssl libtestutil.a
diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
index 1a06365ebb..bba78f6d79 100644
--- a/test/helpers/handshake.c
+++ b/test/helpers/handshake.c
@@ -13,9 +13,6 @@
#include <openssl/x509_vfy.h>
#include <openssl/ssl.h>
#include <openssl/core_names.h>
-#ifndef OPENSSL_NO_SRP
-#include <openssl/srp.h>
-#endif
#include "../../ssl/ssl_local.h"
#include "internal/sockets.h"
@@ -63,16 +60,6 @@ typedef struct handshake_ex_data_st {
ssl_servername_t servername;
} HANDSHAKE_EX_DATA;
-typedef struct ctx_data_st {
- unsigned char *npn_protocols;
- size_t npn_protocols_len;
- unsigned char *alpn_protocols;
- size_t alpn_protocols_len;
- char *srp_user;
- char *srp_password;
- char *session_ticket_app_data;
-} CTX_DATA;
-
/* |ctx_data| itself is stack-allocated. */
static void ctx_data_free_data(CTX_DATA *ctx_data)
{
@@ -449,28 +436,6 @@ static int server_alpn_cb(SSL *s, const unsigned char **out,
: SSL_TLSEXT_ERR_ALERT_FATAL;
}
-#ifndef OPENSSL_NO_SRP
-static char *client_srp_cb(SSL *s, void *arg)
-{
- CTX_DATA *ctx_data = (CTX_DATA*)(arg);
- return OPENSSL_strdup(ctx_data->srp_password);
-}
-
-static int server_srp_cb(SSL *s, int *ad, void *arg)
-{
- CTX_DATA *ctx_data = (CTX_DATA*)(arg);
- if (strcmp(ctx_data->srp_user, SSL_get_srp_username(s)) != 0)
- return SSL3_AL_FATAL;
- if (SSL_set_srp_server_param_pw(s, ctx_data->srp_user,
- ctx_data->srp_password,
- "2048" /* known group */) < 0) {
- *ad = SSL_AD_INTERNAL_ERROR;
- return SSL3_AL_FATAL;
- }
- return SSL_ERROR_NONE;
-}
-#endif /* !OPENSSL_NO_SRP */
-
static int generate_session_ticket_cb(SSL *s, void *arg)
{
CTX_DATA *server_ctx_data = arg;
@@ -711,28 +676,10 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
}
#endif
#ifndef OPENSSL_NO_SRP
- if (extra->server.srp_user != NULL) {
- SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb);
- server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user);
- server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password);
- SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data);
- }
- if (extra->server2.srp_user != NULL) {
- if (!TEST_ptr(server2_ctx))
- goto err;
- SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb);
- server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user);
- server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password);
- SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data);
- }
- if (extra->client.srp_user != NULL) {
- if (!TEST_true(SSL_CTX_set_srp_username(client_ctx,
- extra->client.srp_user)))
- goto err;
- SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb);
- client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password);
- SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data);
- }
+ if (!configure_handshake_ctx_for_srp(server_ctx, server2_ctx, client_ctx,
+ extra, server_ctx_data,
+ server2_ctx_data, client_ctx_data))
+ goto err;
#endif /* !OPENSSL_NO_SRP */
return 1;
err:
diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
index f0ae5a8d7e..04ff874623 100644
--- a/test/helpers/handshake.h
+++ b/test/helpers/handshake.h
@@ -12,6 +12,16 @@
#include "ssl_test_ctx.h"
+typedef struct ctx_data_st {
+ unsigned char *npn_protocols;
+ size_t npn_protocols_len;
+ unsigned char *alpn_protocols;
+ size_t alpn_protocols_len;
+ char *srp_user;
+ char *srp_password;
+ char *session_ticket_app_data;
+} CTX_DATA;
+
typedef struct handshake_result {
ssl_test_result_t result;
/* These alerts are in the 2-byte format returned by the info_callback. */
@@ -78,4 +88,11 @@ HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
SSL_CTX *resume_client_ctx,
const SSL_TEST_CTX *test_ctx);
+int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
+ SSL_CTX *client_ctx,
+ const SSL_TEST_EXTRA_CONF *extra,
+ CTX_DATA *server_ctx_data,
+ CTX_DATA *server2_ctx_data,
+ CTX_DATA *client_ctx_data);
+
#endif /* OSSL_TEST_HANDSHAKE_HELPER_H */
diff --git a/test/helpers/handshake_srp.c b/test/helpers/handshake_srp.c
new file mode 100644
index 0000000000..f18e5c81a6
--- /dev/null
+++ b/test/helpers/handshake_srp.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * SRP is deprecated and there is no replacent. When SRP is removed, the code in
+ * this file can be removed too. Until then we have to use the deprecated APIs.
+ */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
+#include <openssl/srp.h>
+#include <openssl/ssl.h>
+#include "handshake.h"
+#include "../testutil.h"
+
+static char *client_srp_cb(SSL *s, void *arg)
+{
+ CTX_DATA *ctx_data = (CTX_DATA*)(arg);
+ return OPENSSL_strdup(ctx_data->srp_password);
+}
+
+static int server_srp_cb(SSL *s, int *ad, void *arg)
+{
+ CTX_DATA *ctx_data = (CTX_DATA*)(arg);
+ if (strcmp(ctx_data->srp_user, SSL_get_srp_username(s)) != 0)
+ return SSL3_AL_FATAL;
+ if (SSL_set_srp_server_param_pw(s, ctx_data->srp_user,
+ ctx_data->srp_password,
+ "2048" /* known group */) < 0) {
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL3_AL_FATAL;
+ }
+ return SSL_ERROR_NONE;
+}
+
+int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
+ SSL_CTX *client_ctx,
+ const SSL_TEST_EXTRA_CONF *extra,
+ CTX_DATA *server_ctx_data,
+ CTX_DATA *server2_ctx_data,
+ CTX_DATA *client_ctx_data)
+{
+ if (extra->server.srp_user != NULL) {
+ SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb);
+ server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user);
+ server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password);
+ SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data);
+ }
+ if (extra->server2.srp_user != NULL) {
+ if (!TEST_ptr(server2_ctx))
+ return 0;
+ SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb);
+ server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user);
+ server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password);
+ SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data);
+ }
+ if (extra->client.srp_user != NULL) {
+ if (!TEST_true(SSL_CTX_set_srp_username(client_ctx,
+ extra->client.srp_user)))
+ return 0;
+ SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb);
+ client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password);
+ SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data);
+ }
+ return 1;
+}
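Review bot: In configure_handshake_ctx_for_srp() the five OPENSSL_strdup() results are stored without a check, and a NULL srp_user later reaches `strcmp(ctx_data->srp_user, ...)` in server_srp_cb(); the code is carried over from handshake.c unchanged, but the new function already has a `return 0` failure path, so the guard is cheap: `if (!TEST_ptr(server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user))) return 0;` and the same for the other four assignments. Separately, the file comment has a typo: `replacent` should read `replacement`. server_srp_cb() also passes SSL_get_srp_username(s) straight to strcmp(); if that accessor can return NULL before the peer has supplied an SRP username, a `TEST_ptr` check on it would turn a crash into a reported test failure.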
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 226e496fc9..fa7a096145 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -56,7 +56,7 @@ EVP_MD_do_all_sorted 57 3_0_0 EXIST::FUNCTION:
OCSP_crl_reason_str 58 3_0_0 EXIST::FUNCTION:OCSP
ENGINE_ctrl_cmd_string 59 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
ENGINE_finish 60 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
-SRP_Calc_client_key 61 3_0_0 EXIST::FUNCTION:SRP
+SRP_Calc_client_key 61 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
X509_PUBKEY_free 62 3_0_0 EXIST::FUNCTION:
BIO_free_all 63 3_0_0 EXIST::FUNCTION:
EVP_idea_ofb 64 3_0_0 EXIST::FUNCTION:IDEA
@@ -328,7 +328,7 @@ d2i_RSAPrivateKey_fp 333 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3
s2i_ASN1_IA5STRING 334 3_0_0 EXIST::FUNCTION:
UI_get_ex_data 335 3_0_0 EXIST::FUNCTION:
EVP_EncryptUpdate 336 3_0_0 EXIST::FUNCTION:
-SRP_create_verifier 337 3_0_0 EXIST::FUNCTION:SRP
+SRP_create_verifier 337 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
TS_TST_INFO_print_bio 338 3_0_0 EXIST::FUNCTION:TS
X509_NAME_get_index_by_OBJ 339 3_0_0 EXIST::FUNCTION:
BIO_get_host_ip 340 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0,SOCK
@@ -1373,7 +1373,7 @@ BIO_dump_cb 1405 3_0_0 EXIST::FUNCTION:
v2i_GENERAL_NAMES 1406 3_0_0 EXIST::FUNCTION:
EVP_des_ede3_ofb 1407 3_0_0 EXIST::FUNCTION:DES
EVP_MD_meth_get_cleanup 1408 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
-SRP_Calc_server_key 1409 3_0_0 EXIST::FUNCTION:SRP
+SRP_Calc_server_key 1409 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
BN_mod_exp_simple 1410 3_0_0 EXIST::FUNCTION:
BIO_set_ex_data 1411 3_0_0 EXIST::FUNCTION:
SHA512 1412 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
@@ -1504,7 +1504,7 @@ ASN1_INTEGER_set_uint64 1537 3_0_0 EXIST::FUNCTION:
EVP_PKEY_get_attr_by_OBJ 1538 3_0_0 EXIST::FUNCTION:
ASN1_add_oid_module 1539 3_0_0 EXIST::FUNCTION:
BN_div_recp 1540 3_0_0 EXIST::FUNCTION:
-SRP_Verify_B_mod_N 1541 3_0_0 EXIST::FUNCTION:SRP
+SRP_Verify_B_mod_N 1541 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
SXNET_free 1542 3_0_0 EXIST::FUNCTION:
CMS_get0_content 1543 3_0_0 EXIST::FUNCTION:CMS
BN_is_word 1544 3_0_0 EXIST::FUNCTION:
@@ -1549,8 +1549,8 @@ X509_policy_tree_get0_user_policies 1582 3_0_0 EXIST::FUNCTION:
DSA_do_sign 1584 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA
EVP_CIPHER_CTX_reset 1585 3_0_0 EXIST::FUNCTION:
OCSP_REVOKEDINFO_new 1586 3_0_0 EXIST::FUNCTION:OCSP
-SRP_Verify_A_mod_N 1587 3_0_0 EXIST::FUNCTION:SRP
-SRP_VBASE_free 1588 3_0_0 EXIST::FUNCTION:SRP
+SRP_Verify_A_mod_N 1587 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
+SRP_VBASE_free 1588 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
PKCS7_add0_attrib_signing_time 1589 3_0_0 EXIST::FUNCTION:
X509_STORE_set_flags 1590 3_0_0 EXIST::FUNCTION:
UI_get0_output_string 1591 3_0_0 EXIST::FUNCTION:
@@ -1862,7 +1862,7 @@ SCT_set1_signature 1906 3_0_0 EXIST::FUNCTION:CT
CONF_imodule_get_module 1907 3_0_0 EXIST::FUNCTION:
NAME_CONSTRAINTS_new 1908 3_0_0 EXIST::FUNCTION:
BN_usub 1909 3_0_0 EXIST::FUNCTION:
-SRP_Calc_B 1910 3_0_0 EXIST::FUNCTION:SRP
+SRP_Calc_B 1910 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
CMS_decrypt_set1_key 1911 3_0_0 EXIST::FUNCTION:CMS
EC_GROUP_get_degree 1912 3_0_0 EXIST::FUNCTION:EC
X509_ALGOR_set0 1913 3_0_0 EXIST::FUNCTION:
@@ -1877,7 +1877,7 @@ X509_REQ_free 1921 3_0_0 EXIST::FUNCTION:
ASN1_INTEGER_set 1922 3_0_0 EXIST::FUNCTION:
EVP_DecodeFinal 1923 3_0_0 EXIST::FUNCTION:
MD5_Transform 1925 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,MD5
-SRP_create_verifier_BN 1926 3_0_0 EXIST::FUNCTION:SRP
+SRP_create_verifier_BN 1926 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
ENGINE_register_all_EC 1927 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
EVP_camellia_128_ofb 1928 3_0_0 EXIST::FUNCTION:CAMELLIA
PEM_write_X509_AUX 1929 3_0_0 EXIST::FUNCTION:STDIO
@@ -1967,7 +1967,7 @@ ENGINE_get_init_function 2012 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_
EC_POINT_point2hex 2013 3_0_0 EXIST::FUNCTION:EC
ENGINE_get_default_DSA 2014 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
ENGINE_register_all_complete 2015 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
-SRP_get_default_gN 2016 3_0_0 EXIST::FUNCTION:SRP
+SRP_get_default_gN 2016 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
UI_dup_input_boolean 2017 3_0_0 EXIST::FUNCTION:
PKCS7_dup 2018 3_0_0 EXIST::FUNCTION:
i2d_TS_REQ_fp 2019 3_0_0 EXIST::FUNCTION:STDIO,TS
@@ -2190,7 +2190,7 @@ PKCS7_SIGNER_INFO_set 2237 3_0_0 EXIST::FUNCTION:
PEM_write_bio_PKCS8_PRIV_KEY_INFO 2238 3_0_0 EXIST::FUNCTION:
EC_GROUP_set_curve_GF2m 2239 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,EC2M
ENGINE_load_builtin_engines 2240 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
-SRP_VBASE_init 2241 3_0_0 EXIST::FUNCTION:SRP
+SRP_VBASE_init 2241 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
SHA224_Final 2242 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
OCSP_CERTSTATUS_free 2243 3_0_0 EXIST::FUNCTION:OCSP
d2i_TS_TST_INFO 2244 3_0_0 EXIST::FUNCTION:TS
@@ -2350,7 +2350,7 @@ X509_TRUST_get_count 2399 3_0_0 EXIST::FUNCTION:
IPAddressOrRange_free 2400 3_0_0 EXIST::FUNCTION:RFC3779
RSA_padding_add_PKCS1_OAEP 2401 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
EC_KEY_set_ex_data 2402 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
-SRP_VBASE_new 2403 3_0_0 EXIST::FUNCTION:SRP
+SRP_VBASE_new 2403 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
i2d_ECDSA_SIG 2404 3_0_0 EXIST::FUNCTION:EC
BIO_dump_indent 2405 3_0_0 EXIST::FUNCTION:
ENGINE_set_pkey_asn1_meths 2406 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
@@ -2771,7 +2771,7 @@ TS_TST_INFO_get_ext 2831 3_0_0 EXIST::FUNCTION:TS
i2d_OCSP_RESPID 2832 3_0_0 EXIST::FUNCTION:OCSP
EVP_camellia_256_cfb8 2833 3_0_0 EXIST::FUNCTION:CAMELLIA
EC_KEY_get0_public_key 2834 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
-SRP_Calc_x 2835 3_0_0 EXIST::FUNCTION:SRP
+SRP_Calc_x 2835 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
a2i_ASN1_ENUMERATED 2836 3_0_0 EXIST::FUNCTION:
CONF_module_get_usr_data 2837 3_0_0 EXIST::FUNCTION:
i2d_X509_NAME_ENTRY 2838 3_0_0 EXIST::FUNCTION:
@@ -3033,7 +3033,7 @@ TS_RESP_create_response 3097 3_0_0 EXIST::FUNCTION:TS
BIO_ADDR_rawaddress 3098 3_0_0 EXIST::FUNCTION:SOCK
PKCS7_ENCRYPT_new 3099 3_0_0 EXIST::FUNCTION:
i2d_PKCS8PrivateKey_fp 3100 3_0_0 EXIST::FUNCTION:STDIO
-SRP_user_pwd_free 3101 3_0_0 EXIST::FUNCTION:SRP
+SRP_user_pwd_free 3101 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
Camellia_encrypt 3102 3_0_0 EXIST::FUNCTION:CAMELLIA,DEPRECATEDIN_3_0
BIO_ADDR_hostname_string 3103 3_0_0 EXIST::FUNCTION:SOCK
USERNOTICE_new 3104 3_0_0 EXIST::FUNCTION:
@@ -3132,7 +3132,7 @@ SCT_get_version 3197 3_0_0 EXIST::FUNCTION:CT
IDEA_set_encrypt_key 3198 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA
ENGINE_get_DH 3199 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
i2d_ASIdentifierChoice 3200 3_0_0 EXIST::FUNCTION:RFC3779
-SRP_Calc_A 3201 3_0_0 EXIST::FUNCTION:SRP
+SRP_Calc_A 3201 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
OCSP_BASICRESP_add_ext 3202 3_0_0 EXIST::FUNCTION:OCSP
EVP_idea_cfb64 3203 3_0_0 EXIST::FUNCTION:IDEA
PKCS12_newpass 3204 3_0_0 EXIST::FUNCTION:
@@ -3218,7 +3218,7 @@ OCSP_cert_id_new 3284 3_0_0 EXIST::FUNCTION:OCSP
GENERAL_SUBTREE_new 3285 3_0_0 EXIST::FUNCTION:
OPENSSL_sk_push 3286 3_0_0 EXIST::FUNCTION:
X509_LOOKUP_ctrl 3287 3_0_0 EXIST::FUNCTION:
-SRP_check_known_gN_param 3288 3_0_0 EXIST::FUNCTION:SRP
+SRP_check_known_gN_param 3288 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
d2i_DIST_POINT 3289 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_free 3290 3_0_0 EXIST::FUNCTION:
PBEPARAM_free 3291 3_0_0 EXIST::FUNCTION:
@@ -3541,7 +3541,7 @@ ERR_get_error 3618 3_0_0 EXIST::FUNCTION:
TS_CONF_set_signer_digest 3619 3_0_0 EXIST::FUNCTION:TS
OBJ_new_nid 3620 3_0_0 EXIST::FUNCTION:
CMS_ReceiptRequest_new 3621 3_0_0 EXIST::FUNCTION:CMS
-SRP_VBASE_get1_by_user 3622 3_0_0 EXIST::FUNCTION:SRP
+SRP_VBASE_get1_by_user 3622 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
UI_method_get_closer 3623 3_0_0 EXIST::FUNCTION:
ENGINE_get_ex_data 3624 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
BN_print_fp 3625 3_0_0 EXIST::FUNCTION:STDIO
@@ -3654,7 +3654,7 @@ EVP_CIPHER_meth_get_set_asn1_params 3734 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_
X509_STORE_CTX_get_ex_data 3735 3_0_0 EXIST::FUNCTION:
CMS_RecipientInfo_kari_set0_pkey 3736 3_0_0 EXIST::FUNCTION:CMS
X509v3_addr_add_inherit 3737 3_0_0 EXIST::FUNCTION:RFC3779
-SRP_Calc_u 3738 3_0_0 EXIST::FUNCTION:SRP
+SRP_Calc_u 3738 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
i2d_PKCS8PrivateKey_bio 3739 3_0_0 EXIST::FUNCTION:
X509_get_extension_flags 3740 3_0_0 EXIST::FUNCTION:
X509V3_EXT_val_prn 3741 3_0_0 EXIST::FUNCTION:
@@ -4414,11 +4414,11 @@ EVP_MAC_init ? 3_0_0 EXIST::FUNCTION:
EVP_MAC_update ? 3_0_0 EXIST::FUNCTION:
EVP_MAC_final ? 3_0_0 EXIST::FUNCTION:
EVP_PKEY_supports_digest_nid ? 3_0_0 EXIST::FUNCTION:
-SRP_VBASE_add0_user ? 3_0_0 EXIST::FUNCTION:SRP
-SRP_user_pwd_new ? 3_0_0 EXIST::FUNCTION:SRP
-SRP_user_pwd_set_gN