author | Matt Caswell <matt@openssl.org> | 2021-02-08 11:31:59 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-02-12 08:47:32 +0000 |
commit | 76cb077f81c96e98d2f2042478c916ed2fdeda16 (patch) | |
tree | fe98349c43554f984f2256b180584903164b4a74 /ssl | |
parent | 6d2a1eff553b0bd463cce008a25506d89280679f (diff) |
Deprecate the libssl level SRP APIs
The low level SRP implementation has been deprecated with no replacement.
Therefore the libssl level APIs need to be similarly deprecated.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14132)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/s3_lib.c | 4 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 4 | ||||
-rw-r--r-- | ssl/ssl_local.h | 8 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 2 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 2 | ||||
-rw-r--r-- | ssl/tls_srp.c | 71 |
6 files changed, 78 insertions, 13 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ec19eeacc3..8eb0f7c864 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3330,7 +3330,7 @@ int ssl3_handshake_write(SSL *s)
 int ssl3_new(SSL *s)
 {
 #ifndef OPENSSL_NO_SRP
- if (!SSL_SRP_CTX_init(s))
+ if (!ssl_srp_ctx_init_intern(s))
 return 0;
 #endif
@@ -3366,7 +3366,7 @@ void ssl3_free(SSL *s)
 OPENSSL_free(s->s3.alpn_proposed);
 #ifndef OPENSSL_NO_SRP
- SSL_SRP_CTX_free(s);
+ ssl_srp_ctx_free_intern(s);
 #endif
 memset(&s->s3, 0, sizeof(s->s3));
 }
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 554fc3533d..1fded640a1 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3239,7 +3239,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
 goto err;
 #ifndef OPENSSL_NO_SRP
- if (!SSL_CTX_SRP_CTX_init(ret))
+ if (!ssl_ctx_srp_ctx_init_intern(ret))
 goto err;
 #endif
 #ifndef OPENSSL_NO_ENGINE
@@ -3382,7 +3382,7 @@ void SSL_CTX_free(SSL_CTX *a)
 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
 #endif
 #ifndef OPENSSL_NO_SRP
- SSL_CTX_SRP_CTX_free(a);
+ ssl_ctx_srp_ctx_free_intern(a);
 #endif
 #ifndef OPENSSL_NO_ENGINE
 tls_engine_finish(a->client_cert_engine);
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 2687a47c2a..127011b62c 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2828,6 +2828,14 @@ int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len);
 int ssl_hmac_old_final(SSL_HMAC *ctx, unsigned char *md, size_t *len);
 size_t ssl_hmac_old_size(const SSL_HMAC *ctx);
+int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx);
+int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx);
+int ssl_srp_ctx_free_intern(SSL *s);
+int ssl_srp_ctx_init_intern(SSL *s);
+
+int ssl_srp_calc_a_param_intern(SSL *s);
+int ssl_srp_server_param_with_username_intern(SSL *s, int *ad);
+
 # else /* OPENSSL_UNIT_TEST */
 # define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 83862e076d..2358e2c616 100644
--- a/ssl/statem/statem_clnt.c
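Review bot: The six prototypes added to ssl_local.h carry no comment on their return conventions, which are not uniform: the four ctx init/free functions return 0 for a NULL argument and 1 on success (visible in the tls_srp.c hunks), while ssl_srp_server_param_with_username_intern() returns SSL_ERROR_NONE or SSL3_AL_FATAL, and its caller in statem_srvr.c additionally distinguishes `ret < 0`. A short comment per group would keep a future caller from treating them alike, e.g. `/* Return 1 on success, 0 on error or NULL argument */` above the four ctx functions and `/* Returns SSL_ERROR_NONE, SSL3_AL_FATAL or < 0 on error; *ad presumably carries the alert - confirm */` above the server-side function. The prototypes are also added outside any OPENSSL_NO_SRP guard while their definitions in tls_srp.c sit inside one; that is harmless for unused declarations, but the guards surrounding this hunk are not visible here.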
+++ b/ssl/statem/statem_clnt.c
@@ -2716,7 +2716,7 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
 }
 #ifndef OPENSSL_NO_SRP
 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
- if (SRP_Calc_A_param(s) <= 0) {
+ if (ssl_srp_calc_a_param_intern(s) <= 0) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC);
 return MSG_PROCESS_ERROR;
 }
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 956348613b..d1138e45d5 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1258,7 +1258,7 @@ static int ssl_check_srp_ext_ClientHello(SSL *s)
 SSL_R_PSK_IDENTITY_NOT_FOUND);
 return -1;
 } else {
- ret = SSL_srp_server_param_with_username(s, &al);
+ ret = ssl_srp_server_param_with_username_intern(s, &al);
 if (ret < 0)
 return 0;
 if (ret == SSL3_AL_FATAL) {
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 98b2785b8c..1d9f4d29f6 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -11,7 +11,10 @@
 * for the EdelKey project.
 */
-/* We need to use the SRP deprecated APIs */
+/*
+ * We need to use the SRP deprecated APIs in order to implement the SSL SRP
+ * APIs - which are themselves deprecated.
+ */
 #define OPENSSL_SUPPRESS_DEPRECATED
 #include <openssl/crypto.h>
@@ -22,7 +25,11 @@
 #ifndef OPENSSL_NO_SRP
 # include <openssl/srp.h>
-int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
+/*
+ * The public API SSL_CTX_SRP_CTX_free() is deprecated so we use
+ * ssl_ctx_srp_ctx_free_intern() internally.
+ */
+int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx)
 {
 if (ctx == NULL)
 return 0;
@@ -41,7 +48,16 @@ int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
 return 1;
 }
-int SSL_SRP_CTX_free(struct ssl_st *s)
+int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx)
+{
+ return ssl_ctx_srp_ctx_free_intern(ctx);
+}
+
+/*
+ * The public API SSL_SRP_CTX_free() is deprecated so we use
+ * ssl_srp_ctx_free_intern() internally.
+ */
+int ssl_srp_ctx_free_intern(SSL *s)
 {
 if (s == NULL)
 return 0;
@@ -60,7 +76,16 @@ int SSL_SRP_CTX_free(struct ssl_st *s)
 return 1;
 }
-int SSL_SRP_CTX_init(struct ssl_st *s)
+int SSL_SRP_CTX_free(SSL *s)
+{
+ return ssl_srp_ctx_free_intern(s);
+}
+
+/*
+ * The public API SSL_SRP_CTX_init() is deprecated so we use
+ * ssl_srp_ctx_init_intern() internally.
+ */
+int ssl_srp_ctx_init_intern(SSL *s)
 {
 SSL_CTX *ctx;
@@ -129,7 +154,16 @@ int SSL_SRP_CTX_init(struct ssl_st *s)
 return 0;
 }
-int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
+int SSL_SRP_CTX_init(SSL *s)
+{
+ return ssl_srp_ctx_init_intern(s);
+}
+
+/*
+ * The public API SSL_CTX_SRP_CTX_init() is deprecated so we use
+ * ssl_ctx_srp_ctx_init_intern() internally.
+ */
+int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx)
 {
 if (ctx == NULL)
 return 0;
@@ -140,8 +174,17 @@ int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
 return 1;
 }
+int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx)
+{
+ return ssl_ctx_srp_ctx_init_intern(ctx);
+}
+
 /* server side */
-int SSL_srp_server_param_with_username(SSL *s, int *ad)
+/*
+ * The public API SSL_srp_server_param_with_username() is deprecated so we use
+ * ssl_srp_server_param_with_username_intern() internally.
+ */
+int ssl_srp_server_param_with_username_intern(SSL *s, int *ad)
 {
 unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
 int al;
@@ -173,6 +216,11 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad)
 NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
 }
+int SSL_srp_server_param_with_username(SSL *s, int *ad)
+{
+ return ssl_srp_server_param_with_username_intern(s, ad);
+}
+
 /*
 * If the server just has the raw password, make up a verifier entry on the
 * fly
@@ -364,7 +412,11 @@ int srp_verify_server_param(SSL *s)
 return 1;
 }
-int SRP_Calc_A_param(SSL *s)
+/*
+ * The public API SRP_Calc_A_param() is deprecated so we use
+ * ssl_srp_calc_a_param_intern() internally.
+ */
+int ssl_srp_calc_a_param_intern(SSL *s)
 {
 unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
@@ -379,6 +431,11 @@ int SRP_Calc_A_param(SSL *s)
 return 1;
 }
+int SRP_Calc_A_param(SSL *s)
+{
+ return ssl_srp_calc_a_param_intern(s);
+}
+
 BIGNUM *SSL_get_srp_g(SSL *s)
 {
 if (s->srp_ctx.g != NULL) |
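Review bot: The public wrapper SRP_Calc_A_param() added here, like SSL_CTX_SRP_CTX_free(), SSL_SRP_CTX_free(), SSL_SRP_CTX_init(), SSL_CTX_SRP_CTX_init() and SSL_srp_server_param_with_username() in the -41, -60, -129, -140 and -173 hunks, is defined unconditionally within the OPENSSL_NO_SRP block even though the commit deprecates it. If the matching declarations in ssl.h are now behind an OPENSSL_NO_DEPRECATED_3_0 guard (not visible in this diff), a no-deprecated build will still compile and export these definitions without a prior prototype, so the library's exported surface no longer matches its headers. The usual pattern for a deprecated definition is to wrap each wrapper, e.g. `#ifndef OPENSSL_NO_DEPRECATED_3_0` before `int SRP_Calc_A_param(SSL *s)` and `#endif` after its closing brace, and the same for the other five. The bodies of the renamed `*_intern` functions lie outside the hunks and were not reviewed here.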