Fix SRP authentication ciphersuites.

The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 09fe64e8349f163542fe7621a11904b8f85e547f..9fbe15e80c00a33147de922702d9efcddb69bf6f 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -334,9 +334,9 @@ int ssl3_connect(SSL *s)
                                break;
                                }
 #endif
-                       /* Check if it is anon DH/ECDH */
+                       /* Check if it is anon DH/ECDH, SRP auth */
                        /* or PSK */
-                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) &&
                            !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
                                {
                                ret=ssl3_get_server_certificate(s);
@@ -1939,8 +1939,8 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
                }
        else
                {
-               /* aNULL or kPSK do not need public keys */
-               if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
+               /* aNULL, aSRP or kPSK do not need public keys */
+               if (!(alg_a & (SSL_aNULL|SSL_aSRP)) && !(alg_k & SSL_kPSK))
                        {
                        /* Might be wrong key type, check it */
                        if (ssl3_check_cert_and_algorithm(s))

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index e1bfb7e3d2e684af1fc7dc0f452828937501ef5f..a4fa1ea4de25de1c75028e53c2405afa7181d8c1 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3646,8 +3646,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                        cipher = s->s3->tmp.new_cipher;
                        if (!cipher)
                                return 0;
-                       /* No certificate for unauthenticated ciphersuites */
-                       if (cipher->algorithm_auth & SSL_aNULL)
+                       /* No certificate for unauthenticated ciphersuites
+                        * or using SRP authentication
+                        */
+                       if (cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
                                return 2;
                        cpk = ssl_get_server_send_pkey(s);
                        if (!cpk)
@@ -4357,8 +4359,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                emask_k = cert->export_mask_k;
                emask_a = cert->export_mask_a;
 #ifndef OPENSSL_NO_SRP
-               mask_k=cert->mask_k | s->srp_ctx.srp_Mask;
-               emask_k=cert->export_mask_k | s->srp_ctx.srp_Mask;
+               if (s->srp_ctx.srp_Mask & SSL_kSRP)
+                       {
+                       mask_k |= SSL_kSRP;
+                       emask_k |= SSL_kSRP;
+                       mask_a |= SSL_aSRP;
+                       emask_a |= SSL_aSRP;
+                       }
 #endif
                        
 #ifdef KSSL_DEBUG

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 63fc23c540cc3a61ed824c3abb1c0a2f4094f524..440fc13e4fe75765005d8a12e8d9ea103a5822b0 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -417,9 +417,8 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SW_CERT_B:
                        /* Check if it is anon DH or anon ECDH, */
                        /* normal PSK or KRB5 or SRP */
-                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
-                               && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
-                               && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aKRB5|SSL_aSRP))
+                               && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
                                {
                                ret=ssl3_send_server_certificate(s);
                                if (ret <= 0) goto end;
@@ -522,7 +521,9 @@ int ssl3_accept(SSL *s)
                                  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
                                 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
                                 /* never request cert in Kerberos ciphersuites */
-                               (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
+                               (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) ||
+                               /* don't request certificate for SRP auth */
+                               (s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
                                /* With normal PSK Certificates and
                                 * Certificate Requests are omitted */
                                || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
@@ -1909,7 +1910,7 @@ int ssl3_send_server_key_exchange(SSL *s)
                        n+=2+nr[i];
                        }
 
-               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
+               if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
                        && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
                        {
                        if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md))