Enclosed a second patch to make ssl conformant to rfc 5054.
patch is to the stable snapshot of 11/14
Changes are:
- removal of the addition state after client hello
- removal of all pre-rfc srp alert ids
- sending a fatal alert when there is no srp extension but when the
server wants SRP
- removal of unnecessary code in the client.
have fun
diff -r -c openssl-1.0.1-stable-SNAP-2014/include/openssl/ssl3.h openssl-1.0.1-stable-SNAP-2014PS/include/openssl/ssl3.h
*** openssl-1.0.1-stable-SNAP-2014/include/openssl/ssl3.h 2011-11-13 23:00:19.0 +0100
--- openssl-1.0.1-stable-SNAP-2014PS/include/openssl/ssl3.h 2011-11-15 17:14:49.427741000 +0100
***
*** 581,588
#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
- /* a new state to remember that we have already receive a ClientHello without srp username extension */
- #define SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME (0x1E2|SSL_ST_ACCEPT)
/* write to client */
#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
--- 581,586
diff -r -c openssl-1.0.1-stable-SNAP-2014/include/openssl/ssl.h openssl-1.0.1-stable-SNAP-2014PS/include/openssl/ssl.h
*** openssl-1.0.1-stable-SNAP-2014/include/openssl/ssl.h 2011-11-13 23:00:19.0 +0100
--- openssl-1.0.1-stable-SNAP-2014PS/include/openssl/ssl.h 2011-11-14 18:08:23.751741000 +0100
***
*** 1468,1475
#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
- #define SSL_AD_UNKNOWN_SRP_USERNAME TLS1_AD_UNKNOWN_SRP_USERNAME
- #define SSL_AD_MISSING_SRP_USERNAME TLS1_AD_MISSING_SRP_USERNAME
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
--- 1468,1473
diff -r -c openssl-1.0.1-stable-SNAP-2014/include/openssl/tls1.h openssl-1.0.1-stable-SNAP-2014PS/include/openssl/tls1.h
*** openssl-1.0.1-stable-SNAP-2014/include/openssl/tls1.h 2011-11-13 23:00:19.0 +0100
--- openssl-1.0.1-stable-SNAP-2014PS/include/openssl/tls1.h 2011-11-14 18:20:29.071741000 +0100
***
*** 196,203
#define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
#define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114
#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 /* fatal */
- #define TLS1_AD_UNKNOWN_SRP_USERNAME 120 /* fatal */
- #define TLS1_AD_MISSING_SRP_USERNAME 121
/* ExtensionType values from RFC3546 / RFC4366 */
#define TLSEXT_TYPE_server_name 0
--- 196,201
diff -r -c openssl-1.0.1-stable-SNAP-2014/ssl/s3_clnt.c openssl-1.0.1-stable-SNAP-2014PS/ssl/s3_clnt.c
*** openssl-1.0.1-stable-SNAP-2014/ssl/s3_clnt.c 2011-11-13 23:00:19.0 +0100
--- openssl-1.0.1-stable-SNAP-2014PS/ssl/s3_clnt.c 2011-11-15 17:26:16.731741000 +0100
***
*** 280,299
case SSL3_ST_CR_SRVR_HELLO_A:
case SSL3_ST_CR_SRVR_HELLO_B:
ret=ssl3_get_server_hello(s);
- #ifndef OPENSSL_NO_SRP
- if (ret == 0 s-s3-warn_alert == SSL_AD_MISSING_SRP_USERNAME)
- {
- if (!SRP_have_to_put_srp_username(s))
- {
- SSLerr(SSL_F_SSL3_CONNECT,SSL_R_MISSING_SRP_USERNAME);
- ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_USER_CANCELLED);
- goto end;
- }
- s-state=SSL3_ST_CW_CLNT_HELLO_A;
- if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
- break;
- }
- #endif
if (ret = 0) goto end;
if (s-hit)
--- 280,285
diff -r -c openssl-1.0.1-stable-SNAP-2014/ssl/s3_srvr.c openssl-1.0.1-stable-SNAP-2014PS/ssl/s3_srvr.c
*** openssl-1.0.1-stable-SNAP-2014/ssl/s3_srvr.c 2011-11-13 23:00:19.0 +0100
--- openssl-1.0.1-stable-SNAP-2014PS/ssl/s3_srvr.c 2011-11-15 17:13:55.327741000 +0100
***
*** 180,190
}
#ifndef OPENSSL_NO_SRP
! static int SSL_check_srp_ext_ClientHello(SSL *s, int *ad)
{
int ret = SSL_ERROR_NONE;
! *ad = SSL_AD_UNRECOGNIZED_NAME;
if ((s-s3-tmp.new_cipher-algorithm_mkey SSL_kSRP)
(s-srp_ctx.TLS_ext_srp_username_callback != NULL))
--- 180,190
}
#ifndef OPENSSL_NO_SRP
! static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
{
int ret = SSL_ERROR_NONE;
! *al = SSL_AD_UNRECOGNIZED_NAME;
if ((s-s3-tmp.new_cipher-algorithm_mkey SSL_kSRP)
(s-srp_ctx.TLS_ext_srp_username_callback != NULL))
***
*** 192,203
if(s-srp_ctx.login == NULL)
{
/* There isn't any srp login extension !!! */
! ret = SSL3_AL_WARNING;
! *ad = SSL_AD_MISSING_SRP_USERNAME;
}
else
{
! ret = SSL_srp_server_param_with_username(s,ad);
}
}
return ret;
--- 192,203
if(s-srp_ctx.login == NULL)
{
/* There isn't any srp login extension