diff options
| author | Tomas Mraz <tomas@openssl.org> | 2022-06-20 17:11:28 +0200 |
|---|---|---|
| committer | Hugo Landau <hlandau@openssl.org> | 2022-07-28 10:04:28 +0100 |
| commit | 38b051a1fedc79ebf24a96de2e9a326ad3665baf (patch) | |
| tree | e32fa2a0a5cf8572b48b3cb8a1aac2a20d0b439f /ssl/tls_srp.c | |
| parent | ce602bb0a20589e5a84c48a55ce13219ab881e84 (diff) | |
SSL object refactoring using SSL_CONNECTION object
Make the SSL object polymorphic based on whether this is
a traditional SSL connection, QUIC connection, or later
to be implemented a QUIC stream.
It requires adding if after every SSL_CONNECTION_FROM_SSL() call
which itself has to be added to almost every public SSL_ API call.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18612)
Diffstat (limited to 'ssl/tls_srp.c')
| -rw-r--r-- | ssl/tls_srp.c | 188 |
1 files changed, 121 insertions, 67 deletions
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c index a4ec363cfb..2f1d2198fd 100644 --- a/ssl/tls_srp.c +++ b/ssl/tls_srp.c @@ -57,7 +57,7 @@ int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx) * The public API SSL_SRP_CTX_free() is deprecated so we use * ssl_srp_ctx_free_intern() internally. */ -int ssl_srp_ctx_free_intern(SSL *s) +int ssl_srp_ctx_free_intern(SSL_CONNECTION *s) { if (s == NULL) return 0; @@ -78,18 +78,21 @@ int ssl_srp_ctx_free_intern(SSL *s) int SSL_SRP_CTX_free(SSL *s) { - return ssl_srp_ctx_free_intern(s); + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + + /* the call works with NULL sc */ + return ssl_srp_ctx_free_intern(sc); } /* * The public API SSL_SRP_CTX_init() is deprecated so we use * ssl_srp_ctx_init_intern() internally. */ -int ssl_srp_ctx_init_intern(SSL *s) +int ssl_srp_ctx_init_intern(SSL_CONNECTION *s) { - SSL_CTX *ctx; + SSL_CTX *ctx = SSL_CONNECTION_GET_CTX(s); - if ((s == NULL) || ((ctx = s->ctx) == NULL)) + if (s == NULL || ctx == NULL) return 0; memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); @@ -156,7 +159,10 @@ int ssl_srp_ctx_init_intern(SSL *s) int SSL_SRP_CTX_init(SSL *s) { - return ssl_srp_ctx_init_intern(s); + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + + /* the call works with NULL sc */ + return ssl_srp_ctx_init_intern(sc); } /* @@ -184,15 +190,17 @@ int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx) * The public API SSL_srp_server_param_with_username() is deprecated so we use * ssl_srp_server_param_with_username_intern() internally. */ -int ssl_srp_server_param_with_username_intern(SSL *s, int *ad) +int ssl_srp_server_param_with_username_intern(SSL_CONNECTION *s, int *ad) { unsigned char b[SSL_MAX_MASTER_KEY_LENGTH]; int al; + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); *ad = SSL_AD_UNKNOWN_PSK_IDENTITY; if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) && ((al = - s->srp_ctx.TLS_ext_srp_username_callback(s, ad, + s->srp_ctx.TLS_ext_srp_username_callback(SSL_CONNECTION_GET_SSL(s), + ad, s->srp_ctx.SRP_cb_arg)) != SSL_ERROR_NONE)) return al; @@ -203,7 +211,8 @@ int ssl_srp_server_param_with_username_intern(SSL *s, int *ad) (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL)) return SSL3_AL_FATAL; - if (RAND_priv_bytes_ex(s->ctx->libctx, b, sizeof(b), 0) <= 0) + if (RAND_priv_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, b, sizeof(b), + 0) <= 0) return SSL3_AL_FATAL; s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL); OPENSSL_cleanse(b, sizeof(b)); @@ -212,13 +221,18 @@ int ssl_srp_server_param_with_username_intern(SSL *s, int *ad) return ((s->srp_ctx.B = SRP_Calc_B_ex(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g, - s->srp_ctx.v, s->ctx->libctx, s->ctx->propq)) != + s->srp_ctx.v, sctx->libctx, sctx->propq)) != NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL; } int SSL_srp_server_param_with_username(SSL *s, int *ad) { - return ssl_srp_server_param_with_username_intern(s, ad); + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + + if (sc == NULL) + return SSL3_AL_FATAL; + + return ssl_srp_server_param_with_username_intern(sc, ad); } /* @@ -228,17 +242,23 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad) int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, const char *grp) { - SRP_gN *GN = SRP_get_default_gN(grp); + SRP_gN *GN; + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + + if (sc == NULL) + return -1; + + GN = SRP_get_default_gN(grp); if (GN == NULL) return -1; - s->srp_ctx.N = BN_dup(GN->N); - s->srp_ctx.g = BN_dup(GN->g); - BN_clear_free(s->srp_ctx.v); - s->srp_ctx.v = NULL; - BN_clear_free(s->srp_ctx.s); - s->srp_ctx.s = NULL; - if (!SRP_create_verifier_BN_ex(user, pass, &s->srp_ctx.s, &s->srp_ctx.v, - s->srp_ctx.N, s->srp_ctx.g, s->ctx->libctx, + sc->srp_ctx.N = BN_dup(GN->N); + sc->srp_ctx.g = BN_dup(GN->g); + BN_clear_free(sc->srp_ctx.v); + sc->srp_ctx.v = NULL; + BN_clear_free(sc->srp_ctx.s); + sc->srp_ctx.s = NULL; + if (!SRP_create_verifier_BN_ex(user, pass, &sc->srp_ctx.s, &sc->srp_ctx.v, + sc->srp_ctx.N, sc->srp_ctx.g, s->ctx->libctx, s->ctx->propq)) return -1; @@ -248,66 +268,72 @@ int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, BIGNUM *sa, BIGNUM *v, char *info) { + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + + if (sc == NULL) + return -1; + if (N != NULL) { - if (s->srp_ctx.N != NULL) { - if (!BN_copy(s->srp_ctx.N, N)) { - BN_free(s->srp_ctx.N); - s->srp_ctx.N = NULL; + if (sc->srp_ctx.N != NULL) { + if (!BN_copy(sc->srp_ctx.N, N)) { + BN_free(sc->srp_ctx.N); + sc->srp_ctx.N = NULL; } } else - s->srp_ctx.N = BN_dup(N); + sc->srp_ctx.N = BN_dup(N); } if (g != NULL) { - if (s->srp_ctx.g != NULL) { - if (!BN_copy(s->srp_ctx.g, g)) { - BN_free(s->srp_ctx.g); - s->srp_ctx.g = NULL; + if (sc->srp_ctx.g != NULL) { + if (!BN_copy(sc->srp_ctx.g, g)) { + BN_free(sc->srp_ctx.g); + sc->srp_ctx.g = NULL; } } else - s->srp_ctx.g = BN_dup(g); + sc->srp_ctx.g = BN_dup(g); } if (sa != NULL) { - if (s->srp_ctx.s != NULL) { - if (!BN_copy(s->srp_ctx.s, sa)) { - BN_free(s->srp_ctx.s); - s->srp_ctx.s = NULL; + if (sc->srp_ctx.s != NULL) { + if (!BN_copy(sc->srp_ctx.s, sa)) { + BN_free(sc->srp_ctx.s); + sc->srp_ctx.s = NULL; } } else - s->srp_ctx.s = BN_dup(sa); + sc->srp_ctx.s = BN_dup(sa); } if (v != NULL) { - if (s->srp_ctx.v != NULL) { - if (!BN_copy(s->srp_ctx.v, v)) { - BN_free(s->srp_ctx.v); - s->srp_ctx.v = NULL; + if (sc->srp_ctx.v != NULL) { + if (!BN_copy(sc->srp_ctx.v, v)) { + BN_free(sc->srp_ctx.v); + sc->srp_ctx.v = NULL; } } else - s->srp_ctx.v = BN_dup(v); + sc->srp_ctx.v = BN_dup(v); } if (info != NULL) { - if (s->srp_ctx.info) - OPENSSL_free(s->srp_ctx.info); - if ((s->srp_ctx.info = OPENSSL_strdup(info)) == NULL) + if (sc->srp_ctx.info) + OPENSSL_free(sc->srp_ctx.info); + if ((sc->srp_ctx.info = OPENSSL_strdup(info)) == NULL) return -1; } - if (!(s->srp_ctx.N) || - !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v)) + if (!(sc->srp_ctx.N) || + !(sc->srp_ctx.g) || !(sc->srp_ctx.s) || !(sc->srp_ctx.v)) return -1; return 1; } -int srp_generate_server_master_secret(SSL *s) +int srp_generate_server_master_secret(SSL_CONNECTION *s) { BIGNUM *K = NULL, *u = NULL; int ret = 0, tmp_len = 0; unsigned char *tmp = NULL; + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N)) goto err; if ((u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N, - s->ctx->libctx, s->ctx->propq)) == NULL) + sctx->libctx, sctx->propq)) == NULL) goto err; if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b, s->srp_ctx.N)) == NULL) @@ -328,37 +354,38 @@ int srp_generate_server_master_secret(SSL *s) } /* client side */ -int srp_generate_client_master_secret(SSL *s) +int srp_generate_client_master_secret(SSL_CONNECTION *s) { BIGNUM *x = NULL, *u = NULL, *K = NULL; int ret = 0, tmp_len = 0; char *passwd = NULL; unsigned char *tmp = NULL; + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); /* * Checks if b % n == 0 */ if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0 || (u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N, - s->ctx->libctx, s->ctx->propq)) + sctx->libctx, sctx->propq)) == NULL || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } - if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s, - s->srp_ctx.SRP_cb_arg)) + if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(SSL_CONNECTION_GET_SSL(s), + s->srp_ctx.SRP_cb_arg)) == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); goto err; } if ((x = SRP_Calc_x_ex(s->srp_ctx.s, s->srp_ctx.login, passwd, - s->ctx->libctx, s->ctx->propq)) == NULL + sctx->libctx, sctx->propq)) == NULL || (K = SRP_Calc_client_key_ex(s->srp_ctx.N, s->srp_ctx.B, s->srp_ctx.g, x, s->srp_ctx.a, u, - s->ctx->libctx, - s->ctx->propq)) == NULL) { + sctx->libctx, + sctx->propq)) == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -380,7 +407,7 @@ int srp_generate_client_master_secret(SSL *s) return ret; } -int srp_verify_server_param(SSL *s) +int srp_verify_server_param(SSL_CONNECTION *s) { SRP_CTX *srp = &s->srp_ctx; /* @@ -399,7 +426,8 @@ int srp_verify_server_param(SSL *s) } if (srp->SRP_verify_param_callback) { - if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) { + if (srp->SRP_verify_param_callback(SSL_CONNECTION_GET_SSL(s), + srp->SRP_cb_arg) <= 0) { SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED); return 0; } @@ -416,11 +444,12 @@ int srp_verify_server_param(SSL *s) * The public API SRP_Calc_A_param() is deprecated so we use * ssl_srp_calc_a_param_intern() internally. */ -int ssl_srp_calc_a_param_intern(SSL *s) +int ssl_srp_calc_a_param_intern(SSL_CONNECTION *s) { unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; - if (RAND_priv_bytes_ex(s->ctx->libctx, rnd, sizeof(rnd), 0) <= 0) + if (RAND_priv_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, + rnd, sizeof(rnd), 0) <= 0) return 0; s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); OPENSSL_cleanse(rnd, sizeof(rnd)); @@ -433,34 +462,59 @@ int ssl_srp_calc_a_param_intern(SSL *s) int SRP_Calc_A_param(SSL *s) { - return ssl_srp_calc_a_param_intern(s); + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + + if (sc == NULL) + return 0; + + return ssl_srp_calc_a_param_intern(sc); } BIGNUM *SSL_get_srp_g(SSL *s) { - if (s->srp_ctx.g != NULL) - return s->srp_ctx.g; + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + + if (sc == NULL) + return NULL; + + if (sc->srp_ctx.g != NULL) + return sc->srp_ctx.g; return s->ctx->srp_ctx.g; } BIGNUM *SSL_get_srp_N(SSL *s) { - if (s->srp_ctx.N != NULL) - return s->srp_ctx.N; + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + + if (sc == NULL) + return NULL; + + if (sc->srp_ctx.N != NULL) + return sc->srp_ctx.N; return s->ctx->srp_ctx.N; } char *SSL_get_srp_username(SSL *s) { - if (s->srp_ctx.login != NULL) - return s->srp_ctx.login; + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + + if (sc == NULL) + return NULL; + + if (sc->srp_ctx.login != NULL) + return sc->srp_ctx.login; return s->ctx->srp_ctx.login; } char *SSL_get_srp_userinfo(SSL *s) { - if (s->srp_ctx.info != NULL) - return s->srp_ctx.info; + SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + + if (sc == NULL) + return NULL; + + if (sc->srp_ctx.info != NULL) + return sc->srp_ctx.info; return s->ctx->srp_ctx.info; } |