hi,
given that the latest OpenSSL now contains support for SRP,
here is a patch for OpenSSL. Since GnuTLS is already supported
in curl, the patch is rather simple:
adds some test to configure.ac and some logic to ssluse.c
I have not tested whether the behaviour is the same as with GnuTLS.
potential issues:
In case when the tlsauth is enabled:
- what should be the default ssl version?
I'll set TLSv1 if none was given.
- The default ciphersuites in OpenSSL do not include SRP;
if no ciphersuite is given by the user,
SRP is set as the default.
regards
/PS
diff -ur curl-7.21.5-20110317/configure.ac curl-7.21.5-20110317+srp//configure.ac
--- curl-7.21.5-20110317/configure.ac 2011-03-16 04:00:33.000000000 +0100
+++ curl-7.21.5-20110317+srp//configure.ac 2011-03-19 11:59:46.000000000 +0100
@@ -1632,6 +1632,17 @@
fi
fi
+dnl ---
+dnl We require OpenSSL with SRP support.
+dnl ---
+if test "$OPENSSL_ENABLED" = "1"; then
+ AC_CHECK_LIB(crypto, SRP_Calc_client_key,
+ [
+ AC_DEFINE(HAVE_SSLEAY_SRP, 1, [if you have the function SRP_Calc_client_key])
+ AC_SUBST(HAVE_SSLEAY_SRP, [1])
+ ])
+fi
+
dnl ----------------------------------------------------
dnl check for GnuTLS
dnl ----------------------------------------------------
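Review bot: The new AC_CHECK_LIB probes libcrypto for SRP_Calc_client_key, but the functions the ssluse.c part of this patch calls (SSL_CTX_set_srp_username, SSL_CTX_set_srp_password) live in libssl, so a build could pass this test and still fail to link if libssl was built without SRP. I would probe the symbol that is actually used, e.g. `AC_CHECK_LIB(ssl, SSL_CTX_set_srp_username, [...])`, or probe both, before defining HAVE_SSLEAY_SRP. A short `dnl` comment above the check saying that HAVE_SSLEAY_SRP is what gates the USE_TLS_SRP decision further down in configure.ac would also help the next reader.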
@@ -2776,7 +2787,7 @@
want_tls_srp=yes
)
-if test "$want_tls_srp" = "yes" && test "x$HAVE_GNUTLS_SRP" = "x1"; then
+if test "$want_tls_srp" = "yes" && ( test "x$HAVE_GNUTLS_SRP" = "x1" || test "x$HAVE_SSLEAY_SRP" = "x1") ; then
AC_DEFINE(USE_TLS_SRP, 1, [Use TLS-SRP authentication])
USE_TLS_SRP=1
curl_tls_srp_msg="enabled"
diff -ur curl-7.21.5-20110317/lib/ssluse.c curl-7.21.5-20110317+srp//lib/ssluse.c
--- curl-7.21.5-20110317/lib/ssluse.c 2011-02-11 04:00:09.000000000 +0100
+++ curl-7.21.5-20110317+srp//lib/ssluse.c 2011-03-19 12:00:04.000000000 +0100
@@ -1437,9 +1437,16 @@
Curl_ossl_seed(data);
/* check to see if we've been told to use an explicit SSL/TLS version */
+
switch(data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
+#ifdef USE_TLS_SRP
+ if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+ infof(data, "Set version TLSv1 for SRP authorisation\n");
+ req_method = TLSv1_client_method() ;
+ } else
+#endif
/* we try to figure out version */
req_method = SSLv23_client_method();
use_sni(TRUE);
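Review bot: The `} else` placed on the line before `#endif` makes `req_method = SSLv23_client_method();` the body of an `else` that only exists in USE_TLS_SRP builds, which is fragile: any statement later inserted between the `#endif` and that assignment changes behaviour in one configuration but not the other. Assigning the SSLv23 default unconditionally and then overriding it inside the `#ifdef` block avoids the dangling else, and also removes the stray space in `TLSv1_client_method() ;`. The infof text should say "authentication" rather than "authorisation", since SRP authenticates the peer. The enclosing function starts before and continues after this hunk.
```c
  case CURL_SSLVERSION_DEFAULT:
    /* we try to figure out version */
    req_method = SSLv23_client_method();
#ifdef USE_TLS_SRP
    if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
      /* SRP is negotiated through a TLS extension, so pin the method to TLSv1 */
      infof(data, "Set version TLSv1 for SRP authentication\n");
      req_method = TLSv1_client_method();
    }
#endif
    use_sni(TRUE);
```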
@@ -1449,10 +1456,18 @@
use_sni(TRUE);
break;
case CURL_SSLVERSION_SSLv2:
+#ifdef USE_TLS_SRP
+ if (data->set.ssl.authtype == CURL_TLSAUTH_SRP)
+ return CURLE_SSL_CONNECT_ERROR;
+#endif
req_method = SSLv2_client_method();
use_sni(FALSE);
break;
case CURL_SSLVERSION_SSLv3:
+#ifdef USE_TLS_SRP
+ if (data->set.ssl.authtype == CURL_TLSAUTH_SRP)
+ return CURLE_SSL_CONNECT_ERROR;
+#endif
req_method = SSLv3_client_method();
use_sni(FALSE);
break;
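Review bot: Both new early returns (the SSLv2 and SSLv3 cases) hand back CURLE_SSL_CONNECT_ERROR without any failf(), so a user who combined CURLOPT_SSLVERSION with TLS-SRP sees a generic connect failure and no hint that the version is the problem. Adding `failf(data, "TLS-SRP authentication requires TLSv1, not SSLv2/SSLv3");` before each `return CURLE_SSL_CONNECT_ERROR;` gives the error a cause. The same applies to the SSLv3 case a few lines below the first one. The enclosing function starts before and continues after this hunk.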
@@ -1547,6 +1562,28 @@
}
}
+#ifdef USE_TLS_SRP
+ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+ infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
+
+ if (!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) {
+ failf(data, "Unable to set SRP user name");
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+ if (!SSL_CTX_set_srp_password(connssl->ctx,data->set.ssl.password)) {
+ failf(data, "failed setting SRP password");
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+ if(!data->set.str[STRING_SSL_CIPHER_LIST]) {
+ infof(data, "Setting cipher list SRP\n");
+
+ if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) {
+ failf(data, "failed setting SRP cipher list");
+ return CURLE_SSL_CIPHER;
+ }
+ }
+ }
+#endif
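Review bot: `SSL_CTX_set_srp_username` and `SSL_CTX_set_srp_password` are given data->set.ssl.username and data->set.ssl.password without checking that either was set; the infof on the line above also prints the username with %s when it may be NULL, and whether the OpenSSL setters reject a NULL pointer rather than storing it is not something this hunk establishes. A guard such as `if(!data->set.ssl.username || !data->set.ssl.password) { failf(data, "TLS-SRP requires both a username and a password"); return CURLE_BAD_FUNCTION_ARGUMENT; }` before the SRP setup makes the failure explicit at configuration time instead of during the handshake. It would also help to note in a comment that when the user supplies STRING_SSL_CIPHER_LIST it is applied unchanged, so that list must itself contain SRP suites or the handshake will fail later. The enclosing function starts before and continues after this hunk.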
if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {
/* tell SSL where to find CA certificates that are used to verify
the servers certificate. */