configure.ac +12 −1 @@ -1632,6 +1632,17 @@ if test X"$OPENSSL_ENABLED" = X"1"; then fi fi dnl --- dnl We require OpenSSL with SRP support. dnl --- if test "$OPENSSL_ENABLED" = "1"; then AC_CHECK_LIB(crypto, SRP_Calc_client_key, [ AC_DEFINE(HAVE_SSLEAY_SRP, 1, [if you have the function SRP_Calc_client_key]) AC_SUBST(HAVE_SSLEAY_SRP, [1]) ]) fi dnl ---------------------------------------------------- dnl check for GnuTLS dnl ---------------------------------------------------- @@ -2776,7 +2787,7 @@ AC_HELP_STRING([--disable-tls-srp],[Disable TLS-SRP authentication]), want_tls_srp=yes ) if test "$want_tls_srp" = "yes" && test "x$HAVE_GNUTLS_SRP" = "x1"; then if test "$want_tls_srp" = "yes" && ( test "x$HAVE_GNUTLS_SRP" = "x1" || test "x$HAVE_SSLEAY_SRP" = "x1") ; then AC_DEFINE(USE_TLS_SRP, 1, [Use TLS-SRP authentication]) USE_TLS_SRP=1 curl_tls_srp_msg="enabled" docs/libcurl/curl_easy_setopt.3 +2 −2 @@ -884,8 +884,8 @@ defined in RFC 5054 and provides mutual authentication if both sides have a shared secret. To use TLS-SRP, you must also set the \fICURLOPT_TLSAUTH_USERNAME\fP and \fICURLOPT_TLSAUTH_PASSWORD\fP options. You need to build libcurl with GnuTLS and with TLS-SRP support for this to work. (Added in 7.21.4) You need to build libcurl with GnuTLS or OpenSSL with TLS-SRP support for this to work. (Added in 7.21.4) .RE .IP CURLOPT_TLSAUTH_USERNAME Pass a char * as parameter, which should point to the zero-terminated username lib/ssluse.c +37 −0
@@ -1437,9 +1437,16 @@ ossl_connect_step1(struct connectdata *conn, Curl_ossl_seed(data); /* check to see if we've been told to use an explicit SSL/TLS version */ switch(data->set.ssl.version) { default: case CURL_SSLVERSION_DEFAULT: #ifdef USE_TLS_SRP if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) { infof(data, "Set version TLSv1 for SRP authorisation\n"); req_method = TLSv1_client_method() ; } else #endif /* we try to figure out version */ req_method = SSLv23_client_method(); use_sni(TRUE); @@ -1449,10 +1456,18 @@ ossl_connect_step1(struct connectdata *conn, use_sni(TRUE); break; case CURL_SSLVERSION_SSLv2: #ifdef USE_TLS_SRP if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) return CURLE_SSL_CONNECT_ERROR; #endif req_method = SSLv2_client_method(); use_sni(FALSE); break; case CURL_SSLVERSION_SSLv3: #ifdef USE_TLS_SRP if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) return CURLE_SSL_CONNECT_ERROR; #endif req_method = SSLv3_client_method(); use_sni(FALSE); break; @@ -1547,6 +1562,28 @@ ossl_connect_step1(struct connectdata *conn, } } #ifdef USE_TLS_SRP if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username); if (!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) { failf(data, "Unable to set SRP user name"); return CURLE_BAD_FUNCTION_ARGUMENT; } if (!SSL_CTX_set_srp_password(connssl->ctx,data->set.ssl.password)) { failf(data, "failed setting SRP password"); return CURLE_BAD_FUNCTION_ARGUMENT; } if(!data->set.str[STRING_SSL_CIPHER_LIST]) { infof(data, "Setting cipher list SRP\n"); if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) { failf(data, "failed setting SRP cipher list"); return CURLE_SSL_CIPHER; } } } #endif if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) { /* tell SSL where to find CA certificates that are used to verify the servers certificate. */
configure.ac +12 −1 @@ -1632,6 +1632,17 @@ if test X"$OPENSSL_ENABLED" = X"1"; then fi fi dnl --- dnl We require OpenSSL with SRP support. dnl --- if test "$OPENSSL_ENABLED" = "1"; then AC_CHECK_LIB(crypto, SRP_Calc_client_key, [ AC_DEFINE(HAVE_SSLEAY_SRP, 1, [if you have the function SRP_Calc_client_key]) AC_SUBST(HAVE_SSLEAY_SRP, [1]) ]) fi dnl ---------------------------------------------------- dnl check for GnuTLS dnl ---------------------------------------------------- @@ -2776,7 +2787,7 @@ AC_HELP_STRING([--disable-tls-srp],[Disable TLS-SRP authentication]), want_tls_srp=yes ) if test "$want_tls_srp" = "yes" && test "x$HAVE_GNUTLS_SRP" = "x1"; then if test "$want_tls_srp" = "yes" && ( test "x$HAVE_GNUTLS_SRP" = "x1" || test "x$HAVE_SSLEAY_SRP" = "x1") ; then AC_DEFINE(USE_TLS_SRP, 1, [Use TLS-SRP authentication]) USE_TLS_SRP=1 curl_tls_srp_msg="enabled"
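Review bot: The new probe in the first hunk tests libcrypto for `SRP_Calc_client_key`, while the code this commit adds to lib/ssluse.c calls `SSL_CTX_set_srp_username` and `SSL_CTX_set_srp_password`, which are libssl entry points. A libssl built without SRP next to a libcrypto that still has the SRP primitives would presumably pass configure and then fail at link time, so probing the symbol that is actually used, e.g. `AC_CHECK_LIB(ssl, SSL_CTX_set_srp_username, ...)`, ties `HAVE_SSLEAY_SRP` to what the code needs. The comment `dnl We require OpenSSL with SRP support.` also overstates the check, which is optional detection; `dnl Check whether OpenSSL was built with SRP support.` would match what the block does.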
docs/libcurl/curl_easy_setopt.3 +2 −2 @@ -884,8 +884,8 @@ defined in RFC 5054 and provides mutual authentication if both sides have a shared secret. To use TLS-SRP, you must also set the \fICURLOPT_TLSAUTH_USERNAME\fP and \fICURLOPT_TLSAUTH_PASSWORD\fP options. You need to build libcurl with GnuTLS and with TLS-SRP support for this to work. (Added in 7.21.4) You need to build libcurl with GnuTLS or OpenSSL with TLS-SRP support for this to work. (Added in 7.21.4) .RE .IP CURLOPT_TLSAUTH_USERNAME Pass a char * as parameter, which should point to the zero-terminated username
lib/ssluse.c +37 −0 @@ -1437,9 +1437,16 @@ ossl_connect_step1(struct connectdata *conn, Curl_ossl_seed(data); /* check to see if we've been told to use an explicit SSL/TLS version */ switch(data->set.ssl.version) { default: case CURL_SSLVERSION_DEFAULT: #ifdef USE_TLS_SRP if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) { infof(data, "Set version TLSv1 for SRP authorisation\n"); req_method = TLSv1_client_method() ; } else #endif /* we try to figure out version */ req_method = SSLv23_client_method(); use_sni(TRUE); @@ -1449,10 +1456,18 @@ ossl_connect_step1(struct connectdata *conn, use_sni(TRUE); break; case CURL_SSLVERSION_SSLv2: #ifdef USE_TLS_SRP if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) return CURLE_SSL_CONNECT_ERROR; #endif req_method = SSLv2_client_method(); use_sni(FALSE); break; case CURL_SSLVERSION_SSLv3: #ifdef USE_TLS_SRP if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) return CURLE_SSL_CONNECT_ERROR; #endif req_method = SSLv3_client_method(); use_sni(FALSE); break; @@ -1547,6 +1562,28 @@ ossl_connect_step1(struct connectdata *conn, } } #ifdef USE_TLS_SRP if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username); if (!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) { failf(data, "Unable to set SRP user name"); return CURLE_BAD_FUNCTION_ARGUMENT; } if (!SSL_CTX_set_srp_password(connssl->ctx,data->set.ssl.password)) { failf(data, "failed setting SRP password"); return CURLE_BAD_FUNCTION_ARGUMENT; } if(!data->set.str[STRING_SSL_CIPHER_LIST]) { infof(data, "Setting cipher list SRP\n"); if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) { failf(data, "failed setting SRP cipher list"); return CURLE_SSL_CIPHER; } } } #endif if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) { /* tell SSL where to find CA certificates that are used to verify the servers certificate. */
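Review bot: In the `CURL_SSLVERSION_DEFAULT` case of the first hunk, `req_method = TLSv1_client_method() ;` pins every SRP connection to TLS 1.0 exactly, so a newer TLS version is never negotiated even when both the library and the peer support one. Keeping `req_method = SSLv23_client_method();` and excluding the old protocols once the context exists, with `SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, keeps SRP on TLS without that cap; the context is created outside the hunk, so the exact placement needs checking there. The two `return CURLE_SSL_CONNECT_ERROR;` lines in the SSLv2 and SSLv3 cases return without a `failf()` message, unlike the error paths in the SRP block of the last hunk, so a line such as `failf(data, "TLS-SRP requires TLSv1");` before each return would tell the caller why the connect was refused. `ossl_connect_step1` starts and ends outside these hunks.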