diff --git a/configure.ac b/configure.ac index 28ccbc6bf..dc861b88b 100644 --- a/configure.ac +++ b/configure.ac @@ -1632,6 +1632,17 @@ if test X"$OPENSSL_ENABLED" = X"1"; then fi fi +dnl --- +dnl We require OpenSSL with SRP support. +dnl --- +if test "$OPENSSL_ENABLED" = "1"; then + AC_CHECK_LIB(crypto, SRP_Calc_client_key, + [ + AC_DEFINE(HAVE_SSLEAY_SRP, 1, [if you have the function SRP_Calc_client_key]) + AC_SUBST(HAVE_SSLEAY_SRP, [1]) + ]) +fi + dnl ---------------------------------------------------- dnl check for GnuTLS dnl ---------------------------------------------------- @@ -2776,7 +2787,7 @@ AC_HELP_STRING([--disable-tls-srp],[Disable TLS-SRP authentication]), want_tls_srp=yes ) -if test "$want_tls_srp" = "yes" && test "x$HAVE_GNUTLS_SRP" = "x1"; then +if test "$want_tls_srp" = "yes" && ( test "x$HAVE_GNUTLS_SRP" = "x1" || test "x$HAVE_SSLEAY_SRP" = "x1") ; then AC_DEFINE(USE_TLS_SRP, 1, [Use TLS-SRP authentication]) USE_TLS_SRP=1 curl_tls_srp_msg="enabled" diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 2dd536cf5..6166d5fd5 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -884,8 +884,8 @@ defined in RFC 5054 and provides mutual authentication if both sides have a shared secret. To use TLS-SRP, you must also set the \fICURLOPT_TLSAUTH_USERNAME\fP and \fICURLOPT_TLSAUTH_PASSWORD\fP options. -You need to build libcurl with GnuTLS and with TLS-SRP support for this to -work. (Added in 7.21.4) +You need to build libcurl with GnuTLS or OpenSSL with TLS-SRP support for this +to work. (Added in 7.21.4) .RE .IP CURLOPT_TLSAUTH_USERNAME Pass a char * as parameter, which should point to the zero-terminated username diff --git a/lib/ssluse.c b/lib/ssluse.c index ec6c02a50..654ffaa9f 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1437,9 +1437,16 @@ ossl_connect_step1(struct connectdata *conn, Curl_ossl_seed(data); /* check to see if we've been told to use an explicit SSL/TLS version */ + switch(data->set.ssl.version) { default: case CURL_SSLVERSION_DEFAULT: +#ifdef USE_TLS_SRP + if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) { + infof(data, "Set version TLSv1 for SRP authorisation\n"); + req_method = TLSv1_client_method() ; + } else +#endif /* we try to figure out version */ req_method = SSLv23_client_method(); use_sni(TRUE); @@ -1449,10 +1456,18 @@ ossl_connect_step1(struct connectdata *conn, use_sni(TRUE); break; case CURL_SSLVERSION_SSLv2: +#ifdef USE_TLS_SRP + if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) + return CURLE_SSL_CONNECT_ERROR; +#endif req_method = SSLv2_client_method(); use_sni(FALSE); break; case CURL_SSLVERSION_SSLv3: +#ifdef USE_TLS_SRP + if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) + return CURLE_SSL_CONNECT_ERROR; +#endif req_method = SSLv3_client_method(); use_sni(FALSE); break; @@ -1547,6 +1562,28 @@ ossl_connect_step1(struct connectdata *conn, } } +#ifdef USE_TLS_SRP + if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { + infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username); + + if (!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } + if (!SSL_CTX_set_srp_password(connssl->ctx,data->set.ssl.password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } + if(!data->set.str[STRING_SSL_CIPHER_LIST]) { + infof(data, "Setting cipher list SRP\n"); + + if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) { + failf(data, "failed setting SRP cipher list"); + return CURLE_SSL_CIPHER; + } + } + } +#endif if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) { /* tell SSL where to find CA certificates that are used to verify the servers certificate. */