diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2011-12-14 22:18:03 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2011-12-14 22:18:03 +0000 |
| commit | b8a22c40e019c406f1023c0383bf8425c3f1d890 (patch) | |
| tree | 56cee917db7d40ca74a2be1ba472893f492b43df /apps | |
| parent | 3918de9ad111a6456e43056f007a910c471ec855 (diff) | |
PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve
Remove unnecessary code for srp and to add some comments to
s_client.
- the callback to provide a user during client connect is
no longer necessary since rfc 5054 a connection attempt
with an srp cipher and no user is terminated when the
cipher is acceptable
- comments to indicate in s_client the (non-)usefulness of
th primalaty tests for non known group parameters.
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/s_client.c | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/apps/s_client.c b/apps/s_client.c index 0a0fcf836a..b72e505fb1 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -403,7 +403,7 @@ typedef struct srp_arg_st #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 -static int SRP_Verify_N_and_g(BIGNUM *N, BIGNUM *g) +static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g) { BN_CTX *bn_ctx = BN_CTX_new(); BIGNUM *p = BN_new(); @@ -431,6 +431,21 @@ static int SRP_Verify_N_and_g(BIGNUM *N, BIGNUM *g) return ret; } +/* This callback is used here for two purposes: + - extended debugging + - making some primality tests for unknown groups + The callback is only called for a non default group. + + An application does not need the call back at all if + only the stanard groups are used. In real life situations, + client and server already share well known groups, + thus there is no need to verify them. + Furthermore, in case that a server actually proposes a group that + is not one of those defined in RFC 5054, it is more appropriate + to add the group to a static list and then compare since + primality tests are rather cpu consuming. +*/ + static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg) { SRP_ARG *srp_arg = (SRP_ARG *)arg; @@ -453,11 +468,11 @@ static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg) if (srp_arg->debug) BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n"); -/* The srp_moregroups must be used with caution, testing primes costs time. +/* The srp_moregroups is a real debugging feature. Implementors should rather add the value to the known ones. The minimal size has already been tested. */ - if (BN_num_bits(g) <= BN_BITS && SRP_Verify_N_and_g(N,g)) + if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g)) return 1; } BIO_printf(bio_err, "SRP param N and g rejected.\n"); @@ -486,12 +501,6 @@ static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) return pass; } -static char * MS_CALLBACK missing_srp_username_callback(SSL *s, void *arg) - { - SRP_ARG *srp_arg = (SRP_ARG *)arg; - return BUF_strdup(srp_arg->srplogin); - } - #endif char *srtp_profiles = NULL; @@ -1182,9 +1191,7 @@ bad: #ifndef OPENSSL_NO_SRP if (srp_arg.srplogin) { - if (srp_lateuser) - SSL_CTX_set_srp_missing_srp_username_callback(ctx,missing_srp_username_callback); - else if (!SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) + if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) { BIO_printf(bio_err,"Unable to set SRP username\n"); goto end; |