diff options
| -rw-r--r-- | apps/apps.c | 6 | ||||
| -rw-r--r-- | apps/s_apps.h | 2 | ||||
| -rw-r--r-- | apps/s_cb.c | 20 | ||||
| -rw-r--r-- | apps/s_client.c | 18 | ||||
| -rw-r--r-- | apps/s_server.c | 20 |
5 files changed, 44 insertions, 22 deletions
diff --git a/apps/apps.c b/apps/apps.c index 984582111c..15f2069c95 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2864,6 +2864,9 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret) BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n"); + if (psk_key) + OPENSSL_free(psk_key); + psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx)); BIO_pop(bconn); @@ -2893,6 +2896,9 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret) BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n"); + if (psk_key) + OPENSSL_free(psk_key); + psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx)); BIO_pop(bconn); diff --git a/apps/s_apps.h b/apps/s_apps.h index 83526eca30..be985280c9 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -196,7 +196,7 @@ void print_ssl_summary(BIO *bio, SSL *s); int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr); int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, - STACK_OF(OPENSSL_STRING) *str, int no_ecdhe); + STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake); int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download); int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath, const char *vfyCAfile, diff --git a/apps/s_cb.c b/apps/s_cb.c index 96bc5dba5a..65c3dae0a2 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1619,7 +1619,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, } int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, - STACK_OF(OPENSSL_STRING) *str, int no_ecdhe) + STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake) { int i; SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); @@ -1632,6 +1632,13 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, */ if (!no_ecdhe && !strcmp(param, "-named_curve")) no_ecdhe = 1; +#ifndef OPENSSL_NO_JPAKE + if (!no_jpake && !strcmp(param, "-cipher")) + { + BIO_puts(err, "JPAKE sets cipher to PSK\n"); + return 0; + } +#endif if (SSL_CONF_cmd(cctx, param, value) <= 0) { BIO_printf(err, "Error with command: \"%s %s\"\n", @@ -1653,6 +1660,17 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, return 0; } } +#ifndef OPENSSL_NO_JPAKE + if (!no_jpake) + { + if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) + { + BIO_puts(err, "Error setting cipher to PSK\n"); + ERR_print_errors(err); + return 0; + } + } +#endif return 1; } diff --git a/apps/s_client.c b/apps/s_client.c index 5edede4633..841395db16 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -622,7 +622,10 @@ int MAIN(int argc, char **argv) int enable_timeouts = 0 ; long socket_mtu = 0; #ifndef OPENSSL_NO_JPAKE - char *jpake_secret = NULL; +static char *jpake_secret = NULL; +#define no_jpake !jpake_secret +#else +#define no_jpake 1 #endif #ifndef OPENSSL_NO_SRP char * srppass = NULL; @@ -1052,13 +1055,6 @@ bad: } psk_identity = "JPAKE"; } - - if (cipher) - { - BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); - goto end; - } - cipher = "PSK"; #endif OpenSSL_add_ssl_algorithms(); @@ -1203,7 +1199,7 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); - if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1)) + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake)) { ERR_print_errors(bio_err); goto end; @@ -2032,6 +2028,10 @@ end: sk_OPENSSL_STRING_free(ssl_args); if (cctx) SSL_CONF_CTX_free(cctx); +#ifndef OPENSSL_NO_JPAKE + if (jpake_secret && psk_key) + OPENSSL_free(psk_key); +#endif if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } diff --git a/apps/s_server.c b/apps/s_server.c index f0ec4dbc09..7cb9a08da5 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -938,6 +938,9 @@ int MAIN(int, char **); #ifndef OPENSSL_NO_JPAKE static char *jpake_secret = NULL; +#define no_jpake !jpake_secret +#else +#define no_jpake 1 #endif #ifndef OPENSSL_NO_SRP static srpsrvparm srp_callback_parm; @@ -1465,14 +1468,7 @@ bad: goto end; } psk_identity = "JPAKE"; - if (cipher) - { - BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); - goto end; - } - cipher = "PSK"; } - #endif SSL_load_error_strings(); @@ -1719,8 +1715,7 @@ bad: SSL_CTX_set1_param(ctx, vpm); ssl_ctx_add_crls(ctx, crls, 0); - - if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe)) + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, @@ -1788,8 +1783,7 @@ bad: SSL_CTX_set1_param(ctx2, vpm); ssl_ctx_add_crls(ctx2, crls, 0); - - if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe)) + if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake)) goto end; } @@ -2033,6 +2027,10 @@ end: sk_OPENSSL_STRING_free(ssl_args); if (cctx) SSL_CONF_CTX_free(cctx); +#ifndef OPENSSL_NO_JPAKE + if (jpake_secret && psk_key) + OPENSSL_free(psk_key); +#endif if (bio_s_out != NULL) { BIO_free(bio_s_out); |