Integrate J-PAKE and TLS-PSK. Increase PSK buffer size. Fix memory leaks.

diff --git a/apps/apps.c b/apps/apps.c
index 455bf28e7691a95d23d53bebe805900de60d7aae..6a65f94434055a43ac0b03eee2c0801e3fb55e0d 100644 (file)
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2381,7 +2381,7 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx)
                BIO_free(out);
        }
 
                BIO_free(out);
        }
 

-#ifdef OPENSSL_EXPERIMENTAL_JPAKE
+#if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)

 
 static JPAKE_CTX *jpake_init(const char *us, const char *them,
                                                         const char *secret)
 
 static JPAKE_CTX *jpake_init(const char *us, const char *them,
                                                         const char *secret)


@@ -2564,10 +2564,14 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
        jpake_send_step3a(bconn, ctx);
        jpake_receive_step3b(ctx, bconn);
 
        jpake_send_step3a(bconn, ctx);
        jpake_receive_step3b(ctx, bconn);
 

-       BIO_puts(out, "JPAKE authentication succeeded\n");
+       BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+       psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));

 
        BIO_pop(bconn);
        BIO_free(bconn);
 
        BIO_pop(bconn);
        BIO_free(bconn);

+
+       JPAKE_CTX_free(ctx);

        }
 
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
        }
 
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret)


@@ -2589,10 +2593,14 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
        jpake_receive_step3a(ctx, bconn);
        jpake_send_step3b(bconn, ctx);
 
        jpake_receive_step3a(ctx, bconn);
        jpake_send_step3b(bconn, ctx);
 

-       BIO_puts(out, "JPAKE authentication succeeded\n");
+       BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+       psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));

 
        BIO_pop(bconn);
        BIO_free(bconn);
 
        BIO_pop(bconn);
        BIO_free(bconn);

+
+       JPAKE_CTX_free(ctx);

        }
 
 #endif
        }
 
 #endif

diff --git a/apps/apps.h b/apps/apps.h
index 7172edf398cf762d3a339b67ed195ae47ee5b620..62a8659624201acf298839f0ddc59ac08399a6ee 100644 (file)
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -309,6 +309,7 @@ int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
 int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
                        const char *algname, ENGINE *e, int do_param);
 #ifdef OPENSSL_EXPERIMENTAL_JPAKE
 int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
                        const char *algname, ENGINE *e, int do_param);
 #ifdef OPENSSL_EXPERIMENTAL_JPAKE

+extern char *psk_key;

 void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 #endif
 void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 #endif

diff --git a/apps/s_client.c b/apps/s_client.c
index 231915160e49ec5aa698fee521c7029a95dd59ee..05ebff1f679573ffcddb20045973aa6f6b31df51 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -215,7 +215,7 @@ static int c_ign_eof=0;
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
 static char *psk_identity="Client_identity";
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
 static char *psk_identity="Client_identity";

-static char *psk_key=NULL; /* by default PSK is not used */
+/*char *psk_key=NULL;  by default PSK is not used */

 
 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
        unsigned int max_identity_len, unsigned char *psk,
 
 static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
        unsigned int max_identity_len, unsigned char *psk,


@@ -312,6 +312,9 @@ static void sc_usage(void)
 #ifndef OPENSSL_NO_PSK
        BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
        BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
 #ifndef OPENSSL_NO_PSK
        BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
        BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");

+# ifdef OPENSSL_EXPERIMENTAL_JPAKE
+       BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
+# endif

 #endif
        BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
        BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
 #endif
        BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
        BIO_printf(bio_err," -ssl3         - just use SSLv3\n");


@@ -724,6 +727,26 @@ bad:
                goto end;
                }
 
                goto end;
                }
 

+#if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)
+       if (jpake_secret)
+               {
+               if (psk_key)
+                       {
+                       BIO_printf(bio_err,
+                                  "Can't use JPAKE and PSK together\n");
+                       goto end;
+                       }
+               psk_identity = "JPAKE";
+               }
+
+       if (cipher)
+               {
+               BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
+               goto end;
+               }
+       cipher = "PSK";
+#endif
+

        OpenSSL_add_ssl_algorithms();
        SSL_load_error_strings();
 
        OpenSSL_add_ssl_algorithms();
        SSL_load_error_strings();
 


@@ -822,10 +845,10 @@ bad:
 #endif
 
 #ifndef OPENSSL_NO_PSK
 #endif
 
 #ifndef OPENSSL_NO_PSK

-       if (psk_key != NULL)
+       if (psk_key != NULL || jpake_secret)

                {
                if (c_debug)
                {
                if (c_debug)

-                       BIO_printf(bio_c_out, "PSK key given, setting client callback\n");
+                       BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");

                SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
                }
 #endif
                SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
                }
 #endif

diff --git a/apps/s_server.c b/apps/s_server.c
index 6b0d340be28b854ba323a2f46edff167935d89a4..277b2f04f24a9205ceab1c886c40065852cb1b1b 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -302,7 +302,7 @@ static int cert_chain = 0;
 
 #ifndef OPENSSL_NO_PSK
 static char *psk_identity="Client_identity";
 
 #ifndef OPENSSL_NO_PSK
 static char *psk_identity="Client_identity";

-static char *psk_key=NULL; /* by default PSK is not used */
+char *psk_key=NULL; /* by default PSK is not used */

 
 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
        unsigned char *psk, unsigned int max_psk_len)
 
 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
        unsigned char *psk, unsigned int max_psk_len)


@@ -325,7 +325,9 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
        /* here we could lookup the given identity e.g. from a database */
        if (strcmp(identity, psk_identity) != 0)
                {
        /* here we could lookup the given identity e.g. from a database */
        if (strcmp(identity, psk_identity) != 0)
                {

-                BIO_printf(bio_s_out, "PSK error: client identity not found\n");
+                BIO_printf(bio_s_out, "PSK error: client identity not found"
+                          " (got '%s' expected '%s')\n", identity,
+                          psk_identity);

                goto out_err;
                 }
        if (s_debug)
                goto out_err;
                 }
        if (s_debug)


@@ -448,6 +450,9 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_PSK
        BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
        BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
 #ifndef OPENSSL_NO_PSK
        BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
        BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");

+# ifdef OPENSSL_EXPERIMENTAL_JPAKE
+       BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
+# endif

 #endif
        BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
        BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
 #endif
        BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
        BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");


@@ -1184,7 +1189,7 @@ int MAIN(int argc, char *argv[])
                        }
                        
 #endif
                        }
                        
 #endif

-#ifdef OPENSSL_EXPERIMENTAL_JPAKE
+#if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)

                else if (strcmp(*argv,"-jpake") == 0)
                        {
                        if (--argc < 1) goto bad;
                else if (strcmp(*argv,"-jpake") == 0)
                        {
                        if (--argc < 1) goto bad;


@@ -1207,6 +1212,26 @@ bad:
                goto end;
                }
 
                goto end;
                }
 

+#if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)
+       if (jpake_secret)
+               {
+               if (psk_key)
+                       {
+                       BIO_printf(bio_err,
+                                  "Can't use JPAKE and PSK together\n");
+                       goto end;
+                       }
+               psk_identity = "JPAKE";
+               }
+
+       if (cipher)
+               {
+               BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
+               goto end;
+               }
+       cipher = "PSK";
+#endif
+               

        SSL_load_error_strings();
        OpenSSL_add_ssl_algorithms();
 
        SSL_load_error_strings();
        OpenSSL_add_ssl_algorithms();
 


@@ -1591,10 +1616,10 @@ bad:
 #endif
 
 #ifndef OPENSSL_NO_PSK
 #endif
 
 #ifndef OPENSSL_NO_PSK

-       if (psk_key != NULL)
+       if (psk_key != NULL || jpake_secret)

                {
                if (s_debug)
                {
                if (s_debug)

-                       BIO_printf(bio_s_out, "PSK key given, setting server callback\n");
+                       BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n");

                SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
                }
 
                SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
                }
 

diff --git a/crypto/jpake/jpaketest.c b/crypto/jpake/jpaketest.c
index c3a83ba3d6a58a240648c925b3d8b4ec0510d461..6bf7ee46d912522eb45e4beebb98d4bdda0eddc8 100644 (file)
--- a/crypto/jpake/jpaketest.c
+++ b/crypto/jpake/jpaketest.c
@@ -1,3 +1,15 @@
+#ifndef OPENSSL_EXPERIMENTAL_JPAKE
+
+#include <stdio.h>
+
+int main(int argc, char *argv[])
+{
+    printf("No J-PAKE support\n");
+    return(0);
+}
+
+#else
+

 #include <openssl/jpake.h>
 #include <openssl/err.h>
 
 #include <openssl/jpake.h>
 #include <openssl/err.h>
 


@@ -174,3 +186,5 @@ int main(int argc, char **argv)
 
     return 0;
     }
 
     return 0;
     }

+
+#endif

diff --git a/ssl/ssl.h b/ssl/ssl.h
index 1029e823aace69fba8a6a0a2c3d2a4cce909180e..e43b5c27c6db5dba22d4f1490c2f540c1ceec2f1 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -910,7 +910,7 @@ void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL
 /* the maximum length of the buffer given to callbacks containing the
  * resulting identity/psk */
 #define PSK_MAX_IDENTITY_LEN 128
 /* the maximum length of the buffer given to callbacks containing the
  * resulting identity/psk */
 #define PSK_MAX_IDENTITY_LEN 128

-#define PSK_MAX_PSK_LEN 64
+#define PSK_MAX_PSK_LEN 256

 void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, 
        unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, 
                char *identity, unsigned int max_identity_len, unsigned char *psk,
 void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, 
        unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, 
                char *identity, unsigned int max_identity_len, unsigned char *psk,