Add support for TLS-SRP (Secure Remote Password key exchange

for TLS, RFC 5054). PR: 51075 Submitted by: Quinn Slack <sqs cs stanford edu>, Christophe Renou, Peter Sylvester git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1347980 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2012-06-08 09:38:44 +00:00
parent 3676b7cab5
commit ccf77a856a
11 changed files with 238 additions and 4 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -330,6 +330,19 @@ int ssl_hook_Access(request_rec *r)
        return DECLINED;
    }

+#ifndef OPENSSL_NO_SRP
+    /*
+     * Support for per-directory reconfigured SSL connection parameters
+     *
+     * We do not force any renegotiation if the user is already authenticated
+     * via SRP.
+     *
+     */
+    if (SSL_get_srp_username(ssl)) {
+        return DECLINED;
+    }
+#endif
+
    /*
     * Support for per-directory reconfigured SSL connection parameters.
     *
@@ -1089,6 +1102,10 @@ static const char *ssl_hook_Fixup_vars[] = {
    "SSL_SERVER_A_SIG",
    "SSL_SESSION_ID",
    "SSL_SESSION_RESUMED",
+#ifndef OPENSSL_NO_SRP
+    "SSL_SRP_USER",
+    "SSL_SRP_USERINFO",
+#endif
    NULL
 };

@@ -2073,7 +2090,7 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)

    return 0;
 }
-#endif
+#endif /* OPENSSL_NO_TLSEXT */

 #ifdef HAVE_TLS_SESSION_TICKETS
 /*
@@ -2143,7 +2160,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
    /* OpenSSL is not expected to call us with modes other than 1 or 0 */
    return -1;
 }
-#endif
+#endif /* HAVE_TLS_SESSION_TICKETS */

 #ifdef HAVE_TLS_NPN
 /*
@@ -2226,4 +2243,30 @@ int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
    *size_out = size;
    return SSL_TLSEXT_ERR_OK;
 }
-#endif
+
+#endif /* HAVE_TLS_NPN */
+
+#ifndef OPENSSL_NO_SRP
+
+int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
+{
+    modssl_ctx_t *mctx = (modssl_ctx_t *)arg;
+    char *username = SSL_get_srp_username(ssl);
+    SRP_user_pwd *u;
+
+    if ((u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
+        *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
+        return SSL3_AL_FATAL;
+    }
+
+    if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) {
+        *ad = SSL_AD_INTERNAL_ERROR;
+        return SSL3_AL_FATAL;
+    }
+
+    /* reset all other options */
+    SSL_set_verify(ssl, SSL_VERIFY_NONE,  ssl_callback_SSLVerify);
+    return SSL_ERROR_NONE;
+}
+
+#endif /* OPENSSL_NO_SRP */