sub { !$disabled{"msan"} } => [ "asm" ],
- sub { $disabled{cmac}; } => [ "siv" ],
- "legacy" => [ "md2" ],
+ "cmac" => [ "siv" ],
+ "legacy" => [ "md2" ],
"cmp" => [ "crmf" ],
- sub { $disabled{"deprecated-3.0"} }
- => [ "engine" ]
+ "deprecated-3.0" => [ "engine", "srp" ]
);
# Avoid protocol support holes. Also disable all versions below N, if version
#include <openssl/opensslconf.h>
#include <openssl/ssl.h>
+#include <openssl/srp.h>
#define PORT "4433"
#define PROTOCOL "tcp"
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
void print_ca_names(BIO *bio, SSL *s);
+
+#ifndef OPENSSL_NO_SRP
+/* The client side SRP context that we pass to all SRP related callbacks */
+typedef struct srp_arg_st {
+ char *srppassin;
+ char *srplogin;
+ int msg; /* copy from c_msg */
+ int debug; /* copy from c_debug */
+ int amp; /* allow more groups */
+ int strength; /* minimal size for N */
+} SRP_ARG;
+
+int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
+ int c_debug);
+
+/* The server side SRP context that we pass to all SRP related callbacks */
+typedef struct srpsrvparm_st {
+ char *login;
+ SRP_VBASE *vb;
+ SRP_user_pwd *user;
+} srpsrvparm;
+
+int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
+ char *srpuserseed, char *srp_verifier_file);
+void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out);
+#endif /* OPENSSL_NO_SRP */
SOURCE[../libapps.a]=$LIBAPPSSRC $AUXLIBAPPSSRC
INCLUDE[../libapps.a]=../.. ../../include ../include
ENDIF
+
+IF[{- !$disabled{srp} -}]
+ SOURCE[../libapps.a]=tlssrp_depr.c
+ENDIF
--- /dev/null
+/*
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is to enable backwards compatibility for the SRP features of
+ * s_client and s_server. All of those features are deprecated and will
+ * eventually disappear. In the meantime, to continue to support them, we
+ * need to access deprecated SRP APIs.
+ */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
+#include <openssl/bn.h>
+#include <openssl/bio.h>
+#include <openssl/ssl.h>
+#include <openssl/srp.h>
+#include "apps_ui.h"
+#include "apps.h"
+#include "s_apps.h"
+
+static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
+{
+ BN_CTX *bn_ctx = BN_CTX_new();
+ BIGNUM *p = BN_new();
+ BIGNUM *r = BN_new();
+ int ret =
+ g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
+ BN_check_prime(N, bn_ctx, NULL) == 1 &&
+ p != NULL && BN_rshift1(p, N) &&
+ /* p = (N-1)/2 */
+ BN_check_prime(p, bn_ctx, NULL) == 1 &&
+ r != NULL &&
+ /* verify g^((N-1)/2) == -1 (mod N) */
+ BN_mod_exp(r, g, p, N, bn_ctx) &&
+ BN_add_word(r, 1) && BN_cmp(r, N) == 0;
+
+ BN_free(r);
+ BN_free(p);
+ BN_CTX_free(bn_ctx);
+ return ret;
+}
+
+/*-
+ * This callback is used here for two purposes:
+ * - extended debugging
+ * - making some primality tests for unknown groups
+ * The callback is only called for a non default group.
+ *
+ * An application does not need the call back at all if
+ * only the standard groups are used. In real life situations,
+ * client and server already share well known groups,
+ * thus there is no need to verify them.
+ * Furthermore, in case that a server actually proposes a group that
+ * is not one of those defined in RFC 5054, it is more appropriate
+ * to add the group to a static list and then compare since
+ * primality tests are rather cpu consuming.
+ */
+
+static int ssl_srp_verify_param_cb(SSL *s, void *arg)
+{
+ SRP_ARG *srp_arg = (SRP_ARG *)arg;
+ BIGNUM *N = NULL, *g = NULL;
+
+ if (((N = SSL_get_srp_N(s)) == NULL) || ((g = SSL_get_srp_g(s)) == NULL))
+ return 0;
+ if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) {
+ BIO_printf(bio_err, "SRP parameters:\n");
+ BIO_printf(bio_err, "\tN=");
+ BN_print(bio_err, N);
+ BIO_printf(bio_err, "\n\tg=");
+ BN_print(bio_err, g);
+ BIO_printf(bio_err, "\n");
+ }
+
+ if (SRP_check_known_gN_param(g, N))
+ return 1;
+
+ if (srp_arg->amp == 1) {
+ if (srp_arg->debug)
+ BIO_printf(bio_err,
+ "SRP param N and g are not known params, going to check deeper.\n");
+
+ /*
+ * The srp_moregroups is a real debugging feature. Implementors
+ * should rather add the value to the known ones. The minimal size
+ * has already been tested.
+ */
+ if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N, g))
+ return 1;
+ }
+ BIO_printf(bio_err, "SRP param N and g rejected.\n");
+ return 0;
+}
+
+#define PWD_STRLEN 1024
+
+static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
+{
+ SRP_ARG *srp_arg = (SRP_ARG *)arg;
+ char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer");
+ PW_CB_DATA cb_tmp;
+ int l;
+
+ cb_tmp.password = (char *)srp_arg->srppassin;
+ cb_tmp.prompt_info = "SRP user";
+ if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) {
+ BIO_printf(bio_err, "Can't read Password\n");
+ OPENSSL_free(pass);
+ return NULL;
+ }
+ *(pass + l) = '\0';
+
+ return pass;
+}
+
+int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
+ int c_debug)
+{
+ if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg->srplogin)) {
+ BIO_printf(bio_err, "Unable to set SRP username\n");
+ return 0;
+ }
+ srp_arg->msg = c_msg;
+ srp_arg->debug = c_debug;
+ SSL_CTX_set_srp_cb_arg(ctx, &srp_arg);
+ SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
+ SSL_CTX_set_srp_strength(ctx, srp_arg->strength);
+ if (c_msg || c_debug || srp_arg->amp == 0)
+ SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
+
+ return 1;
+}
+
+/*
+ * This callback pretends to require some asynchronous logic in order to
+ * obtain a verifier. When the callback is called for a new connection we
+ * return with a negative value. This will provoke the accept etc to return
+ * with an LOOKUP_X509. The main logic of the reinvokes the suspended call
+ * (which would normally occur after a worker has finished) and we set the
+ * user parameters.
+ */
+static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
+{
+ srpsrvparm *p = (srpsrvparm *) arg;
+ int ret = SSL3_AL_FATAL;
+
+ if (p->login == NULL && p->user == NULL) {
+ p->login = SSL_get_srp_username(s);
+ BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
+ return -1;
+ }
+
+ if (p->user == NULL) {
+ BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
+ goto err;
+ }
+
+ if (SSL_set_srp_server_param
+ (s, p->user->N, p->user->g, p->user->s, p->user->v,
+ p->user->info) < 0) {
+ *ad = SSL_AD_INTERNAL_ERROR;
+ goto err;
+ }
+ BIO_printf(bio_err,
+ "SRP parameters set: username = \"%s\" info=\"%s\" \n",
+ p->login, p->user->info);
+ ret = SSL_ERROR_NONE;
+
+ err:
+ SRP_user_pwd_free(p->user);
+ p->user = NULL;
+ p->login = NULL;
+ return ret;
+}
+
+int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
+ char *srpuserseed, char *srp_verifier_file)
+{
+ int ret;
+
+ srp_callback_parm->vb = SRP_VBASE_new(srpuserseed);
+ srp_callback_parm->user = NULL;
+ srp_callback_parm->login = NULL;
+
+ if (srp_callback_parm->vb == NULL) {
+ BIO_printf(bio_err, "Failed to initialize SRP verifier file \n");
+ return 0;
+ }
+ if ((ret =
+ SRP_VBASE_init(srp_callback_parm->vb,
+ srp_verifier_file)) != SRP_NO_ERROR) {
+ BIO_printf(bio_err,
+ "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
+ srp_verifier_file, ret);
+ return 0;
+ }
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
+ SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm);
+ SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
+
+ return 1;
+}
+
+void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out)
+{
+ SRP_user_pwd_free(srp_callback_parm->user);
+ srp_callback_parm->user = SRP_VBASE_get1_by_user(srp_callback_parm->vb,
+ srp_callback_parm->login);
+
+ if (srp_callback_parm->user != NULL)
+ BIO_printf(bio_s_out, "LOOKUP done %s\n",
+ srp_callback_parm->user->info);
+ else
+ BIO_printf(bio_s_out, "LOOKUP not successful\n");
+}
#include <openssl/bn.h>
#include <openssl/trace.h>
#include <openssl/async.h>
-#ifndef OPENSSL_NO_SRP
-# include <openssl/srp.h>
-#endif
#ifndef OPENSSL_NO_CT
# include <openssl/ct.h>
#endif
return SSL_TLSEXT_ERR_OK;
}
-#ifndef OPENSSL_NO_SRP
-
-/* This is a context that we pass to all callbacks */
-typedef struct srp_arg_st {
- char *srppassin;
- char *srplogin;
- int msg; /* copy from c_msg */
- int debug; /* copy from c_debug */
- int amp; /* allow more groups */
- int strength; /* minimal size for N */
-} SRP_ARG;
-
-static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
-{
- BN_CTX *bn_ctx = BN_CTX_new();
- BIGNUM *p = BN_new();
- BIGNUM *r = BN_new();
- int ret =
- g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
- BN_check_prime(N, bn_ctx, NULL) == 1 &&
- p != NULL && BN_rshift1(p, N) &&
- /* p = (N-1)/2 */
- BN_check_prime(p, bn_ctx, NULL) == 1 &&
- r != NULL &&
- /* verify g^((N-1)/2) == -1 (mod N) */
- BN_mod_exp(r, g, p, N, bn_ctx) &&
- BN_add_word(r, 1) && BN_cmp(r, N) == 0;
-
- BN_free(r);
- BN_free(p);
- BN_CTX_free(bn_ctx);
- return ret;
-}
-
-/*-
- * This callback is used here for two purposes:
- * - extended debugging
- * - making some primality tests for unknown groups
- * The callback is only called for a non default group.
- *
- * An application does not need the call back at all if
- * only the standard groups are used. In real life situations,
- * client and server already share well known groups,
- * thus there is no need to verify them.
- * Furthermore, in case that a server actually proposes a group that
- * is not one of those defined in RFC 5054, it is more appropriate
- * to add the group to a static list and then compare since
- * primality tests are rather cpu consuming.
- */
-
-static int ssl_srp_verify_param_cb(SSL *s, void *arg)
-{
- SRP_ARG *srp_arg = (SRP_ARG *)arg;
- BIGNUM *N = NULL, *g = NULL;
-
- if (((N = SSL_get_srp_N(s)) == NULL) || ((g = SSL_get_srp_g(s)) == NULL))
- return 0;
- if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) {
- BIO_printf(bio_err, "SRP parameters:\n");
- BIO_printf(bio_err, "\tN=");
- BN_print(bio_err, N);
- BIO_printf(bio_err, "\n\tg=");
- BN_print(bio_err, g);
- BIO_printf(bio_err, "\n");
- }
-
- if (SRP_check_known_gN_param(g, N))
- return 1;
-
- if (srp_arg->amp == 1) {
- if (srp_arg->debug)
- BIO_printf(bio_err,
- "SRP param N and g are not known params, going to check deeper.\n");
-
- /*
- * The srp_moregroups is a real debugging feature. Implementors
- * should rather add the value to the known ones. The minimal size
- * has already been tested.
- */
- if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N, g))
- return 1;
- }
- BIO_printf(bio_err, "SRP param N and g rejected.\n");
- return 0;
-}
-
-# define PWD_STRLEN 1024
-
-static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
-{
- SRP_ARG *srp_arg = (SRP_ARG *)arg;
- char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer");
- PW_CB_DATA cb_tmp;
- int l;
-
- cb_tmp.password = (char *)srp_arg->srppassin;
- cb_tmp.prompt_info = "SRP user";
- if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) {
- BIO_printf(bio_err, "Can't read Password\n");
- OPENSSL_free(pass);
- return NULL;
- }
- *(pass + l) = '\0';
-
- return pass;
-}
-
-#endif
-
#ifndef OPENSSL_NO_NEXTPROTONEG
/* This the context that we pass to next_proto_cb */
typedef struct tlsextnextprotoctx_st {
"Offer SRTP key management with a colon-separated profile list"},
#endif
#ifndef OPENSSL_NO_SRP
- {"srpuser", OPT_SRPUSER, 's', "SRP authentication for 'user'"},
- {"srppass", OPT_SRPPASS, 's', "Password for 'user'"},
+ {"srpuser", OPT_SRPUSER, 's', "(deprecated) SRP authentication for 'user'"},
+ {"srppass", OPT_SRPPASS, 's', "(deprecated) Password for 'user'"},
{"srp_lateuser", OPT_SRP_LATEUSER, '-',
- "SRP username into second ClientHello message"},
+ "(deprecated) SRP username into second ClientHello message"},
{"srp_moregroups", OPT_SRP_MOREGROUPS, '-',
- "Tolerate other than the known g N values."},
- {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal length in bits for N"},
+ "(deprecated) Tolerate other than the known g N values."},
+ {"srp_strength", OPT_SRP_STRENGTH, 'p',
+ "(deprecated) Minimal length in bits for N"},
#endif
OPT_R_OPTIONS,
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
}
-# ifndef OPENSSL_NO_SRP
- if (srp_arg.srplogin) {
- if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) {
- BIO_printf(bio_err, "Unable to set SRP username\n");
- goto end;
- }
- srp_arg.msg = c_msg;
- srp_arg.debug = c_debug;
- SSL_CTX_set_srp_cb_arg(ctx, &srp_arg);
- SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
- SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
- if (c_msg || c_debug || srp_arg.amp == 0)
- SSL_CTX_set_srp_verify_param_callback(ctx,
- ssl_srp_verify_param_cb);
- }
+#ifndef OPENSSL_NO_SRP
+ if (srp_arg.srplogin != NULL
+ && !set_up_srp_arg(ctx, &srp_arg, srp_lateuser, c_msg, c_debug))
+ goto end;
# endif
if (dane_tlsa_domain != NULL) {
# include <openssl/dh.h>
#endif
#include <openssl/rsa.h>
-#ifndef OPENSSL_NO_SRP
-# include <openssl/srp.h>
-#endif
#include "s_apps.h"
#include "timeouts.h"
#ifdef CHARSET_EBCDIC
}
#ifndef OPENSSL_NO_SRP
-/* This is a context that we pass to callbacks */
-typedef struct srpsrvparm_st {
- char *login;
- SRP_VBASE *vb;
- SRP_user_pwd *user;
-} srpsrvparm;
static srpsrvparm srp_callback_parm;
-
-/*
- * This callback pretends to require some asynchronous logic in order to
- * obtain a verifier. When the callback is called for a new connection we
- * return with a negative value. This will provoke the accept etc to return
- * with an LOOKUP_X509. The main logic of the reinvokes the suspended call
- * (which would normally occur after a worker has finished) and we set the
- * user parameters.
- */
-static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
-{
- srpsrvparm *p = (srpsrvparm *) arg;
- int ret = SSL3_AL_FATAL;
-
- if (p->login == NULL && p->user == NULL) {
- p->login = SSL_get_srp_username(s);
- BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
- return -1;
- }
-
- if (p->user == NULL) {
- BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
- goto err;
- }
-
- if (SSL_set_srp_server_param
- (s, p->user->N, p->user->g, p->user->s, p->user->v,
- p->user->info) < 0) {
- *ad = SSL_AD_INTERNAL_ERROR;
- goto err;
- }
- BIO_printf(bio_err,
- "SRP parameters set: username = \"%s\" info=\"%s\" \n",
- p->login, p->user->info);
- ret = SSL_ERROR_NONE;
-
- err:
- SRP_user_pwd_free(p->user);
- p->user = NULL;
- p->login = NULL;
- return ret;
-}
-
#endif
static int local_argc = 0;
{"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
{"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
#ifndef OPENSSL_NO_SRP
- {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"},
+ {"srpvfile", OPT_SRPVFILE, '<', "(deprecated) The verifier file for SRP"},
{"srpuserseed", OPT_SRPUSERSEED, 's',
- "A seed string for a default user salt"},
+ "(deprecated) A seed string for a default user salt"},
#endif
OPT_SECTION("Protocol and version"),
#ifndef OPENSSL_NO_SRP
if (srp_verifier_file != NULL) {
- srp_callback_parm.vb = SRP_VBASE_new(srpuserseed);
- srp_callback_parm.user = NULL;
- srp_callback_parm.login = NULL;
- if ((ret =
- SRP_VBASE_init(srp_callback_parm.vb,
- srp_verifier_file)) != SRP_NO_ERROR) {
- BIO_printf(bio_err,
- "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
- srp_verifier_file, ret);
+ if (!set_up_srp_verifier_file(ctx, &srp_callback_parm, srpuserseed,
+ srp_verifier_file))
goto end;
- }
- SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
- SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm);
- SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
} else
#endif
if (CAfile != NULL) {
#ifndef OPENSSL_NO_SRP
while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP renego during write\n");
- SRP_user_pwd_free(srp_callback_parm.user);
- srp_callback_parm.user =
- SRP_VBASE_get1_by_user(srp_callback_parm.vb,
- srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n",
- srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
+
+ lookup_srp_user(&srp_callback_parm, bio_s_out);
+
k = SSL_write(con, &(buf[l]), (unsigned int)i);
}
#endif
#ifndef OPENSSL_NO_SRP
while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
- SRP_user_pwd_free(srp_callback_parm.user);
- srp_callback_parm.user =
- SRP_VBASE_get1_by_user(srp_callback_parm.vb,
- srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n",
- srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
+
+ lookup_srp_user(&srp_callback_parm, bio_s_out);
+
i = SSL_read(con, (char *)buf, bufsize);
}
#endif
&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
srp_callback_parm.login);
- SRP_user_pwd_free(srp_callback_parm.user);
- srp_callback_parm.user =
- SRP_VBASE_get1_by_user(srp_callback_parm.vb,
- srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n",
- srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
+
+ lookup_srp_user(&srp_callback_parm, bio_s_out);
+
i = SSL_accept(con);
if (i <= 0)
retry = is_retryable(con, i);
if (BIO_should_io_special(io)
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
- SRP_user_pwd_free(srp_callback_parm.user);
- srp_callback_parm.user =
- SRP_VBASE_get1_by_user(srp_callback_parm.vb,
- srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n",
- srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
+
+ lookup_srp_user(&srp_callback_parm, bio_s_out);
+
continue;
}
#endif
if (BIO_should_io_special(io)
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
- SRP_user_pwd_free(srp_callback_parm.user);
- srp_callback_parm.user =
- SRP_VBASE_get1_by_user(srp_callback_parm.vb,
- srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n",
- srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
+
+ lookup_srp_user(&srp_callback_parm, bio_s_out);
+
continue;
}
#endif
if (BIO_should_io_special(io)
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
- SRP_user_pwd_free(srp_callback_parm.user);
- srp_callback_parm.user =
- SRP_VBASE_get1_by_user(srp_callback_parm.vb,
- srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n",
- srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
+
+ lookup_srp_user(&srp_callback_parm, bio_s_out);
+
continue;
}
#endif
* for the EdelKey project.
*/
+/* SRP is deprecated, so we're going to have to use some deprecated APIs */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#include <openssl/opensslconf.h>
#include <stdio.h>
* for the EdelKey project.
*/
+/* All the SRP APIs in this file are deprecated */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#ifndef OPENSSL_NO_SRP
# include "internal/cryptlib.h"
# include <openssl/sha.h>
* for the EdelKey project.
*/
+/* All the SRP APIs in this file are deprecated */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#ifndef OPENSSL_NO_SRP
# include "internal/cryptlib.h"
# include "crypto/evp.h"
extern "C" {
# endif
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+
typedef struct SRP_gN_cache_st {
char *b64_bn;
BIGNUM *bn;
generate_stack_macros("SRP_user_pwd");
-}
+OSSL_DEPRECATEDIN_3_0
SRP_user_pwd *SRP_user_pwd_new(void);
+OSSL_DEPRECATEDIN_3_0
void SRP_user_pwd_free(SRP_user_pwd *user_pwd);
-void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g, const BIGNUM *N);
-int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id, const char *info);
+OSSL_DEPRECATEDIN_3_0
+void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g,
+ const BIGNUM *N);
+OSSL_DEPRECATEDIN_3_0
+int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id,
+ const char *info);
+OSSL_DEPRECATEDIN_3_0
int SRP_user_pwd_set0_sv(SRP_user_pwd *user_pwd, BIGNUM *s, BIGNUM *v);
typedef struct SRP_VBASE_st {
-}
+OSSL_DEPRECATEDIN_3_0
SRP_VBASE *SRP_VBASE_new(char *seed_key);
+OSSL_DEPRECATEDIN_3_0
void SRP_VBASE_free(SRP_VBASE *vb);
+OSSL_DEPRECATEDIN_3_0
int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
+OSSL_DEPRECATEDIN_3_0
int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd);
-/* This method ignores the configured seed and fails for an unknown user. */
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0
-SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
-# endif
+
/* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/
+OSSL_DEPRECATEDIN_3_0
SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username);
+OSSL_DEPRECATEDIN_3_0
char *SRP_create_verifier_ex(const char *user, const char *pass, char **salt,
char **verifier, const char *N, const char *g,
OSSL_LIB_CTX *libctx, const char *propq);
+OSSL_DEPRECATEDIN_3_0
char *SRP_create_verifier(const char *user, const char *pass, char **salt,
char **verifier, const char *N, const char *g);
+OSSL_DEPRECATEDIN_3_0
int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt,
BIGNUM **verifier, const BIGNUM *N,
const BIGNUM *g, OSSL_LIB_CTX *libctx,
const char *propq);
+OSSL_DEPRECATEDIN_3_0
int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
BIGNUM **verifier, const BIGNUM *N,
const BIGNUM *g);
-# define SRP_NO_ERROR 0
-# define SRP_ERR_VBASE_INCOMPLETE_FILE 1
-# define SRP_ERR_VBASE_BN_LIB 2
-# define SRP_ERR_OPEN_FILE 3
-# define SRP_ERR_MEMORY 4
-
-# define DB_srptype 0
-# define DB_srpverifier 1
-# define DB_srpsalt 2
-# define DB_srpid 3
-# define DB_srpgN 4
-# define DB_srpinfo 5
-# undef DB_NUMBER
-# define DB_NUMBER 6
-
-# define DB_SRP_INDEX 'I'
-# define DB_SRP_VALID 'V'
-# define DB_SRP_REVOKED 'R'
-# define DB_SRP_MODIF 'v'
+# define SRP_NO_ERROR 0
+# define SRP_ERR_VBASE_INCOMPLETE_FILE 1
+# define SRP_ERR_VBASE_BN_LIB 2
+# define SRP_ERR_OPEN_FILE 3
+# define SRP_ERR_MEMORY 4
+
+# define DB_srptype 0
+# define DB_srpverifier 1
+# define DB_srpsalt 2
+# define DB_srpid 3
+# define DB_srpgN 4
+# define DB_srpinfo 5
+# undef DB_NUMBER
+# define DB_NUMBER 6
+
+# define DB_SRP_INDEX 'I'
+# define DB_SRP_VALID 'V'
+# define DB_SRP_REVOKED 'R'
+# define DB_SRP_MODIF 'v'
/* see srp.c */
+OSSL_DEPRECATEDIN_3_0
char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N);
+OSSL_DEPRECATEDIN_3_0
SRP_gN *SRP_get_default_gN(const char *id);
/* server side .... */
+OSSL_DEPRECATEDIN_3_0
BIGNUM *SRP_Calc_server_key(const BIGNUM *A, const BIGNUM *v, const BIGNUM *u,
const BIGNUM *b, const BIGNUM *N);
+OSSL_DEPRECATEDIN_3_0
BIGNUM *SRP_Calc_B_ex(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g,
const BIGNUM *v, OSSL_LIB_CTX *libctx, const char *propq);
+OSSL_DEPRECATEDIN_3_0
BIGNUM *SRP_Calc_B(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g,
const BIGNUM *v);
+
+OSSL_DEPRECATEDIN_3_0
int SRP_Verify_A_mod_N(const BIGNUM *A, const BIGNUM *N);
+OSSL_DEPRECATEDIN_3_0
BIGNUM *SRP_Calc_u_ex(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N,
OSSL_LIB_CTX *libctx, const char *propq);
+OSSL_DEPRECATEDIN_3_0
BIGNUM *SRP_Calc_u(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N);
/* client side .... */
+
+OSSL_DEPRECATEDIN_3_0
BIGNUM *SRP_Calc_x_ex(const BIGNUM *s, const char *user, const char *pass,
OSSL_LIB_CTX *libctx, const char *propq);
+OSSL_DEPRECATEDIN_3_0
BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass);
+OSSL_DEPRECATEDIN_3_0
BIGNUM *SRP_Calc_A(const BIGNUM *a, const BIGNUM *N, const BIGNUM *g);
+OSSL_DEPRECATEDIN_3_0
BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g,
const BIGNUM *x, const BIGNUM *a, const BIGNUM *u,
OSSL_LIB_CTX *libctx, const char *propq);
+OSSL_DEPRECATEDIN_3_0
BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g,
const BIGNUM *x, const BIGNUM *a, const BIGNUM *u);
+OSSL_DEPRECATEDIN_3_0
int SRP_Verify_B_mod_N(const BIGNUM *B, const BIGNUM *N);
-# define SRP_MINIMAL_N 1024
+# define SRP_MINIMAL_N 1024
+
+# endif /* OPENSSL_NO_DEPRECATED_3_0 */
+
+/* This method ignores the configured seed and fails for an unknown user. */
+# ifndef OPENSSL_NO_DEPRECATED_1_1_0
+OSSL_DEPRECATEDIN_1_1_0
+SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
+# endif
# ifdef __cplusplus
}
* for the EdelKey project.
*/
+/* We need to use the SRP deprecated APIs */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/err.h>
* https://www.openssl.org/source/license.html
*/
+/*
+ * SRP is deprecated, so we're going to have to use some deprecated APIs in
+ * order to test it.
+ */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#include <openssl/opensslconf.h>
# include "testutil.h"
projects / openssl.git / commitdiff