TSL-SRP: enabled with OpenSSL

If a new enough OpenSSL version is used, configure detects the TLS-SRP support and enables it.
2011-03-25 23:09:28 +01:00 · 2011-03-25 23:09:28 +01:00 · 2531cd94a5
parent 40256ec4d3
commit 2531cd94a5
3 changed files with 51 additions and 3 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1632,6 +1632,17 @@ if test X"$OPENSSL_ENABLED" = X"1"; then
  fi
 fi

+dnl ---
+dnl We require OpenSSL with SRP support.
+dnl ---
+if test "$OPENSSL_ENABLED" = "1"; then
+  AC_CHECK_LIB(crypto, SRP_Calc_client_key,
+   [
+     AC_DEFINE(HAVE_SSLEAY_SRP, 1, [if you have the function SRP_Calc_client_key])
+     AC_SUBST(HAVE_SSLEAY_SRP, [1])
+   ])
+fi
+
 dnl ----------------------------------------------------
 dnl check for GnuTLS
 dnl ----------------------------------------------------
@ -2776,7 +2787,7 @@ AC_HELP_STRING([--disable-tls-srp],[Disable TLS-SRP authentication]),
       want_tls_srp=yes
 )

-if test "$want_tls_srp" = "yes" && test "x$HAVE_GNUTLS_SRP" = "x1"; then
+if test "$want_tls_srp" = "yes" && ( test "x$HAVE_GNUTLS_SRP" = "x1" || test "x$HAVE_SSLEAY_SRP" = "x1") ; then
   AC_DEFINE(USE_TLS_SRP, 1, [Use TLS-SRP authentication])
   USE_TLS_SRP=1
   curl_tls_srp_msg="enabled"
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@ -884,8 +884,8 @@ defined in RFC 5054 and provides mutual authentication if both sides have a
 shared secret. To use TLS-SRP, you must also set the
 \fICURLOPT_TLSAUTH_USERNAME\fP and \fICURLOPT_TLSAUTH_PASSWORD\fP options.

-You need to build libcurl with GnuTLS and with TLS-SRP support for this to
-work. (Added in 7.21.4)
+You need to build libcurl with GnuTLS or OpenSSL with TLS-SRP support for this
+to work. (Added in 7.21.4)
 .RE
 .IP CURLOPT_TLSAUTH_USERNAME
 Pass a char * as parameter, which should point to the zero-terminated username
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@ -1437,9 +1437,16 @@ ossl_connect_step1(struct connectdata *conn,
  Curl_ossl_seed(data);

  /* check to see if we've been told to use an explicit SSL/TLS version */
+
  switch(data->set.ssl.version) {
  default:
  case CURL_SSLVERSION_DEFAULT:
+#ifdef USE_TLS_SRP
+    if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+      infof(data, "Set version TLSv1 for SRP authorisation\n");
+      req_method = TLSv1_client_method() ;
+    } else
+#endif
    /* we try to figure out version */
    req_method = SSLv23_client_method();
    use_sni(TRUE);
@ -1449,10 +1456,18 @@ ossl_connect_step1(struct connectdata *conn,
    use_sni(TRUE);
    break;
  case CURL_SSLVERSION_SSLv2:
+#ifdef USE_TLS_SRP
+    if (data->set.ssl.authtype == CURL_TLSAUTH_SRP)
+      return CURLE_SSL_CONNECT_ERROR;
+#endif
    req_method = SSLv2_client_method();
    use_sni(FALSE);
    break;
  case CURL_SSLVERSION_SSLv3:
+#ifdef USE_TLS_SRP
+    if (data->set.ssl.authtype == CURL_TLSAUTH_SRP)
+      return CURLE_SSL_CONNECT_ERROR;
+#endif
    req_method = SSLv3_client_method();
    use_sni(FALSE);
    break;
@ -1547,6 +1562,28 @@ ossl_connect_step1(struct connectdata *conn,
    }
  }

+#ifdef USE_TLS_SRP
+  if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+    infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
+
+    if (!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) {
+      failf(data, "Unable to set SRP user name");
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    }
+    if (!SSL_CTX_set_srp_password(connssl->ctx,data->set.ssl.password)) {
+      failf(data, "failed setting SRP password");
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+    }
+    if(!data->set.str[STRING_SSL_CIPHER_LIST]) {
+      infof(data, "Setting cipher list SRP\n");
+
+      if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) {
+        failf(data, "failed setting SRP cipher list");
+        return CURLE_SSL_CIPHER;
+      }
+    }
+  }
+#endif
  if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {
    /* tell SSL where to find CA certificates that are used to verify
       the servers certificate. */