diff options
| author | Rich Salz <rsalz@akamai.com> | 2016-02-14 00:17:59 -0500 |
|---|---|---|
| committer | Rich Salz <rsalz@openssl.org> | 2016-02-17 09:46:10 -0500 |
| commit | dba317774555fbd5bccdfc5270fc486e0d02d9db (patch) | |
| tree | e2665b0bb6f2ee46fbaa34f048c7e349ca1f8ce7 /apps | |
| parent | 6a78ae2821e89a8838714496524fd39d9d21fb1b (diff) | |
Remove JPAKE
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/apps.c | 226 | ||||
| -rw-r--r-- | apps/apps.h | 4 | ||||
| -rw-r--r-- | apps/openssl.c | 3 | ||||
| -rw-r--r-- | apps/s_apps.h | 3 | ||||
| -rw-r--r-- | apps/s_cb.c | 17 | ||||
| -rw-r--r-- | apps/s_client.c | 31 | ||||
| -rw-r--r-- | apps/s_server.c | 37 |
7 files changed, 11 insertions, 310 deletions
diff --git a/apps/apps.c b/apps/apps.c index 2a189f20a0..1ba86050e6 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -141,9 +141,6 @@ # include <openssl/rsa.h> #endif #include <openssl/bn.h> -#ifndef OPENSSL_NO_JPAKE -# include <openssl/jpake.h> -#endif #include <openssl/ssl.h> #include "apps.h" @@ -1990,229 +1987,6 @@ void policies_print(X509_STORE_CTX *ctx) nodes_print("User", X509_policy_tree_get0_user_policies(tree)); } -#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) - -static JPAKE_CTX *jpake_init(const char *us, const char *them, - const char *secret) -{ - BIGNUM *p = NULL; - BIGNUM *g = NULL; - BIGNUM *q = NULL; - BIGNUM *bnsecret = BN_new(); - JPAKE_CTX *ctx; - - /* Use a safe prime for p (that we found earlier) */ - BN_hex2bn(&p, - "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F"); - g = BN_new(); - BN_set_word(g, 2); - q = BN_new(); - BN_rshift1(q, p); - - BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret); - - ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret); - BN_free(bnsecret); - BN_free(q); - BN_free(g); - BN_free(p); - - return ctx; -} - -static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p) -{ - BN_print(conn, p->gx); - BIO_puts(conn, "\n"); - BN_print(conn, p->zkpx.gr); - BIO_puts(conn, "\n"); - BN_print(conn, p->zkpx.b); - BIO_puts(conn, "\n"); -} - -static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx) -{ - JPAKE_STEP1 s1; - - JPAKE_STEP1_init(&s1); - JPAKE_STEP1_generate(&s1, ctx); - jpake_send_part(bconn, &s1.p1); - jpake_send_part(bconn, &s1.p2); - (void)BIO_flush(bconn); - JPAKE_STEP1_release(&s1); -} - -static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx) -{ - JPAKE_STEP2 s2; - - JPAKE_STEP2_init(&s2); - JPAKE_STEP2_generate(&s2, ctx); - jpake_send_part(bconn, &s2); - (void)BIO_flush(bconn); - JPAKE_STEP2_release(&s2); -} - -static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx) -{ - JPAKE_STEP3A s3a; - - JPAKE_STEP3A_init(&s3a); - JPAKE_STEP3A_generate(&s3a, ctx); - BIO_write(bconn, s3a.hhk, sizeof s3a.hhk); - (void)BIO_flush(bconn); - JPAKE_STEP3A_release(&s3a); -} - -static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx) -{ - JPAKE_STEP3B s3b; - - JPAKE_STEP3B_init(&s3b); - JPAKE_STEP3B_generate(&s3b, ctx); - BIO_write(bconn, s3b.hk, sizeof s3b.hk); - (void)BIO_flush(bconn); - JPAKE_STEP3B_release(&s3b); -} - -static void readbn(BIGNUM **bn, BIO *bconn) -{ - char buf[10240]; - int l; - - l = BIO_gets(bconn, buf, sizeof buf); - assert(l > 0); - assert(buf[l - 1] == '\n'); - buf[l - 1] = '\0'; - BN_hex2bn(bn, buf); -} - -static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn) -{ - readbn(&p->gx, bconn); - readbn(&p->zkpx.gr, bconn); - readbn(&p->zkpx.b, bconn); -} - -static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn) -{ - JPAKE_STEP1 s1; - - JPAKE_STEP1_init(&s1); - jpake_receive_part(&s1.p1, bconn); - jpake_receive_part(&s1.p2, bconn); - if (!JPAKE_STEP1_process(ctx, &s1)) { - ERR_print_errors(bio_err); - exit(1); - } - JPAKE_STEP1_release(&s1); -} - -static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn) -{ - JPAKE_STEP2 s2; - - JPAKE_STEP2_init(&s2); - jpake_receive_part(&s2, bconn); - if (!JPAKE_STEP2_process(ctx, &s2)) { - ERR_print_errors(bio_err); - exit(1); - } - JPAKE_STEP2_release(&s2); -} - -static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn) -{ - JPAKE_STEP3A s3a; - int l; - - JPAKE_STEP3A_init(&s3a); - l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk); - assert(l == sizeof s3a.hhk); - if (!JPAKE_STEP3A_process(ctx, &s3a)) { - ERR_print_errors(bio_err); - exit(1); - } - JPAKE_STEP3A_release(&s3a); -} - -static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn) -{ - JPAKE_STEP3B s3b; - int l; - - JPAKE_STEP3B_init(&s3b); - l = BIO_read(bconn, s3b.hk, sizeof s3b.hk); - assert(l == sizeof s3b.hk); - if (!JPAKE_STEP3B_process(ctx, &s3b)) { - ERR_print_errors(bio_err); - exit(1); - } - JPAKE_STEP3B_release(&s3b); -} - -void jpake_client_auth(BIO *out, BIO *conn, const char *secret) -{ - JPAKE_CTX *ctx; - BIO *bconn; - - BIO_puts(out, "Authenticating with JPAKE\n"); - - ctx = jpake_init("client", "server", secret); - - bconn = BIO_new(BIO_f_buffer()); - BIO_push(bconn, conn); - - jpake_send_step1(bconn, ctx); - jpake_receive_step1(ctx, bconn); - jpake_send_step2(bconn, ctx); - jpake_receive_step2(ctx, bconn); - jpake_send_step3a(bconn, ctx); - jpake_receive_step3b(ctx, bconn); - - BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n"); - - OPENSSL_free(psk_key); - psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx)); - - BIO_pop(bconn); - BIO_free(bconn); - - JPAKE_CTX_free(ctx); -} - -void jpake_server_auth(BIO *out, BIO *conn, const char *secret) -{ - JPAKE_CTX *ctx; - BIO *bconn; - - BIO_puts(out, "Authenticating with JPAKE\n"); - - ctx = jpake_init("server", "client", secret); - - bconn = BIO_new(BIO_f_buffer()); - BIO_push(bconn, conn); - - jpake_receive_step1(ctx, bconn); - jpake_send_step1(bconn, ctx); - jpake_receive_step2(ctx, bconn); - jpake_send_step2(bconn, ctx); - jpake_receive_step3a(ctx, bconn); - jpake_send_step3b(bconn, ctx); - - BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n"); - - OPENSSL_free(psk_key); - psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx)); - - BIO_pop(bconn); - BIO_free(bconn); - - JPAKE_CTX_free(ctx); -} - -#endif - /*- * next_protos_parse parses a comma separated list of strings into a string * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. diff --git a/apps/apps.h b/apps/apps.h index 878dc11c07..8f7ec18b1c 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -571,10 +571,6 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, # ifndef OPENSSL_NO_PSK extern char *psk_key; # endif -# ifndef OPENSSL_NO_JPAKE -void jpake_client_auth(BIO *out, BIO *conn, const char *secret); -void jpake_server_auth(BIO *out, BIO *conn, const char *secret); -# endif unsigned char *next_protos_parse(unsigned short *outlen, const char *in); diff --git a/apps/openssl.c b/apps/openssl.c index 732cdf105a..7783cc48c1 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -757,9 +757,6 @@ static void list_disabled(void) #ifdef OPENSSL_NO_IDEA BIO_puts(bio_out, "IDEA\n"); #endif -#ifdef OPENSSL_NO_JPAKE - BIO_puts(bio_out, "JPAKE\n"); -#endif #ifdef OPENSSL_NO_MD2 BIO_puts(bio_out, "MD2\n"); #endif diff --git a/apps/s_apps.h b/apps/s_apps.h index 8e12c2146c..435741547a 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -195,8 +195,7 @@ int load_excert(SSL_EXCERT **pexc); void print_verify_detail(SSL *s, BIO *bio); void print_ssl_summary(SSL *s); #ifdef HEADER_SSL_H -int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, - SSL_CTX *ctx, int no_jpake); +int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx); int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download); int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath, diff --git a/apps/s_cb.c b/apps/s_cb.c index 30c9147d5c..a463dac4ff 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1198,7 +1198,7 @@ void print_ssl_summary(SSL *s) } int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, - SSL_CTX *ctx, int no_jpake) + SSL_CTX *ctx) { int i; @@ -1206,12 +1206,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) { const char *flag = sk_OPENSSL_STRING_value(str, i); const char *arg = sk_OPENSSL_STRING_value(str, i + 1); -#ifndef OPENSSL_NO_JPAKE - if (!no_jpake && (strcmp(flag, "-cipher") == 0)) { - BIO_puts(bio_err, "JPAKE sets cipher to PSK\n"); - return 0; - } -#endif if (SSL_CONF_cmd(cctx, flag, arg) <= 0) { if (arg) BIO_printf(bio_err, "Error with command: \"%s %s\"\n", @@ -1222,15 +1216,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, return 0; } } -#ifndef OPENSSL_NO_JPAKE - if (!no_jpake) { - if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) { - BIO_puts(bio_err, "Error setting cipher to PSK\n"); - ERR_print_errors(bio_err); - return 0; - } - } -#endif if (!SSL_CONF_CTX_finish(cctx)) { BIO_puts(bio_err, "Error finishing context\n"); ERR_print_errors(bio_err); diff --git a/apps/s_client.c b/apps/s_client.c index 55d1283b1c..e820e7c03c 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -648,7 +648,7 @@ typedef enum OPTION_choice { OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN, - OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_JPAKE, + OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST, OPT_ASYNC, OPT_V_ENUM, @@ -780,9 +780,6 @@ OPTIONS s_client_options[] = { #ifndef OPENSSL_NO_PSK {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"}, {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, -# ifndef OPENSSL_NO_JPAKE - {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"}, -# endif #endif #ifndef OPENSSL_NO_SRP {"srpuser", OPT_SRPUSER, 's', "SRP authentification for 'user'"}, @@ -853,7 +850,7 @@ int s_client_main(int argc, char **argv) char *inrand = NULL; char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p; - char *jpake_secret = NULL, *xmpphost = NULL; + char *xmpphost = NULL; const char *ehlo = "mail.example.com"; struct sockaddr peer; struct timeval timeout, *timeoutp; @@ -1316,11 +1313,6 @@ int s_client_main(int argc, char **argv) case OPT_SERVERNAME: servername = opt_arg(); break; - case OPT_JPAKE: -#ifndef OPENSSL_NO_JPAKE - jpake_secret = opt_arg(); -#endif - break; case OPT_USE_SRTP: srtp_profiles = opt_arg(); break; @@ -1378,15 +1370,6 @@ int s_client_main(int argc, char **argv) "Can't use unix sockets and datagrams together\n"); goto end; } -#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) - if (jpake_secret) { - if (psk_key) { - BIO_printf(bio_err, "Can't use JPAKE and PSK together\n"); - goto end; - } - psk_identity = "JPAKE"; - } -#endif #if !defined(OPENSSL_NO_NEXTPROTONEG) next_proto.status = -1; @@ -1506,7 +1489,7 @@ int s_client_main(int argc, char **argv) SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC); } - if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, @@ -1528,10 +1511,10 @@ int s_client_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_PSK - if (psk_key != NULL || jpake_secret) { + if (psk_key != NULL) { if (c_debug) BIO_printf(bio_c_out, - "PSK key given or JPAKE in use, setting client callback\n"); + "PSK key given, setting client callback\n"); SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); } #endif @@ -1774,10 +1757,6 @@ int s_client_main(int argc, char **argv) SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); } -#ifndef OPENSSL_NO_JPAKE - if (jpake_secret) - jpake_client_auth(bio_c_out, sbio, jpake_secret); -#endif SSL_set_bio(con, sbio, sbio); SSL_set_connect_state(con); diff --git a/apps/s_server.c b/apps/s_server.c index 38030364bd..3c5b4222ef 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -785,7 +785,6 @@ static int not_resumable_sess_cb(SSL *s, int is_forward_secure) return is_forward_secure; } -static char *jpake_secret = NULL; #ifndef OPENSSL_NO_SRP static srpsrvparm srp_callback_parm; #endif @@ -814,7 +813,7 @@ typedef enum OPTION_choice { OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, OPT_LISTEN, OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, - OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_JPAKE, + OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_S_ENUM, OPT_V_ENUM, @@ -952,9 +951,6 @@ OPTIONS s_server_options[] = { #ifndef OPENSSL_NO_PSK {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"}, {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, -# ifndef OPENSSL_NO_JPAKE - {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"}, -# endif #endif #ifndef OPENSSL_NO_SRP {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"}, @@ -1501,14 +1497,6 @@ int s_server_main(int argc, char *argv[]) case OPT_ALPN: alpn_in = opt_arg(); break; -#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) - case OPT_JPAKE: - jpake_secret = opt_arg(); - break; -#else - case OPT_JPAKE: - goto opthelp; -#endif case OPT_SRTP_PROFILES: srtp_profiles = opt_arg(); break; @@ -1545,15 +1533,6 @@ int s_server_main(int argc, char *argv[]) goto end; } #endif -#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) - if (jpake_secret) { - if (psk_key) { - BIO_printf(bio_err, "Can't use JPAKE and PSK together\n"); - goto end; - } - psk_identity = "JPAKE"; - } -#endif if (!app_passwd(passarg, dpassarg, &pass, &dpass)) { BIO_printf(bio_err, "Error getting password\n"); @@ -1768,7 +1747,7 @@ int s_server_main(int argc, char *argv[]) } ssl_ctx_add_crls(ctx, crls, 0); - if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, @@ -1831,7 +1810,7 @@ int s_server_main(int argc, char *argv[]) } ssl_ctx_add_crls(ctx2, crls, 0); - if (!config_ctx(cctx, ssl_args, ctx2, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx2)) goto end; } #ifndef OPENSSL_NO_NEXTPROTONEG @@ -1917,15 +1896,11 @@ int s_server_main(int argc, char *argv[]) not_resumable_sess_cb); } #ifndef OPENSSL_NO_PSK -# ifdef OPENSSL_NO_JPAKE if (psk_key != NULL) -# else - if (psk_key != NULL || jpake_secret) -# endif { if (s_debug) BIO_printf(bio_s_out, - "PSK key given or JPAKE in use, setting server callback\n"); + "PSK key given, setting server callback\n"); SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); } @@ -2175,10 +2150,6 @@ static int sv_body(const char *hostname, int s, int stype, test = BIO_new(BIO_f_nbio_test()); sbio = BIO_push(test, sbio); } -#ifndef OPENSSL_NO_JPAKE - if (jpake_secret) - jpake_server_auth(bio_s_out, sbio, jpake_secret); -#endif SSL_set_bio(con, sbio, sbio); SSL_set_accept_state(con); |