[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Thu Nov 15 10:58:38 UTC 2018
The branch master has been updated
via ac48fba036e1764dfa98ed0f0aa932491aa1c4ef (commit)
via ebfd055b29861b127c9cf4ed76553e109301fc64 (commit)
via 51f03f12270cdebf1dff140cc17925991520fb77 (commit)
via 495a1e5c3aec4d44558cd86161b8385f1b1b6822 (commit)
via d9720a5992315a6936ffba55d2fbbac460fb96a2 (commit)
via dc703d6b469f1b186483a55b59013fbaca2228fd (commit)
from 65d2c16cbe0da8efed2f285f59930297326fb435 (commit)
- Log -----------------------------------------------------------------
commit ac48fba036e1764dfa98ed0f0aa932491aa1c4ef
Author: Antoine Salon <asalon at vmware.com>
Date: Tue Nov 6 13:26:49 2018 -0800
Deprecate SSL_set_tmp_ecdh
Signed-off-by: Antoine Salon <asalon at vmware.com>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7522)
commit ebfd055b29861b127c9cf4ed76553e109301fc64
Author: Antoine Salon <asalon at vmware.com>
Date: Thu Nov 1 15:41:16 2018 -0700
Making SRP_user_pwd functions public
Signed-off-by: Antoine Salon <asalon at vmware.com>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7522)
commit 51f03f12270cdebf1dff140cc17925991520fb77
Author: Antoine Salon <asalon at vmware.com>
Date: Thu Nov 1 11:56:55 2018 -0700
Added SRP_VBASE_add0_user()
Signed-off-by: Antoine Salon <asalon at vmware.com>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7522)
commit 495a1e5c3aec4d44558cd86161b8385f1b1b6822
Author: Antoine Salon <asalon at vmware.com>
Date: Thu Oct 25 15:43:35 2018 -0700
SRP module documentation
Signed-off-by: Antoine Salon <asalon at vmware.com>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7522)
commit d9720a5992315a6936ffba55d2fbbac460fb96a2
Author: Antoine Salon <asalon at vmware.com>
Date: Tue Oct 16 16:40:01 2018 -0700
Add SSL_CTX_set_tmp_ecdh.pod
Signed-off-by: Antoine Salon <asalon at vmware.com>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7522)
commit dc703d6b469f1b186483a55b59013fbaca2228fd
Author: Antoine Salon <asalon at vmware.com>
Date: Tue Oct 16 09:07:00 2018 -0700
SSL extra chain certificates doc
Signed-off-by: Antoine Salon <asalon at vmware.com>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7522)
-----------------------------------------------------------------------
Summary of changes:
crypto/srp/srp_lib.c | 8 +-
crypto/srp/srp_vfy.c | 48 ++++---
doc/man1/srp.pod | 2 +-
doc/man3/SRP_VBASE_new.pod | 99 ++++++++++++++
doc/man3/SRP_create_verifier.pod | 110 +++++++++++++++
doc/man3/SRP_user_pwd_new.pod | 70 ++++++++++
doc/man3/SSL_CTX_add_extra_chain_cert.pod | 20 ++-
doc/man3/SSL_CTX_set_srp_password.pod | 216 ++++++++++++++++++++++++++++++
doc/man3/SSL_CTX_set_tmp_ecdh.pod | 50 +++++++
doc/man7/ssl.pod | 40 ++++++
include/openssl/srp.h | 6 +
include/openssl/ssl.h | 8 +-
ssl/s3_lib.c | 8 +-
util/libcrypto.num | 5 +
util/private.num | 6 +
15 files changed, 665 insertions(+), 31 deletions(-)
create mode 100644 doc/man3/SRP_VBASE_new.pod
create mode 100644 doc/man3/SRP_create_verifier.pod
create mode 100644 doc/man3/SRP_user_pwd_new.pod
create mode 100644 doc/man3/SSL_CTX_set_srp_password.pod
create mode 100644 doc/man3/SSL_CTX_set_tmp_ecdh.pod
diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c
index b97d630..a9e244e 100644
--- a/crypto/srp/srp_lib.c
+++ b/crypto/srp/srp_lib.c
@@ -44,13 +44,13 @@ static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y, const BIGNUM *N)
static BIGNUM *srp_Calc_k(const BIGNUM *N, const BIGNUM *g)
{
- /* k = SHA1(N | PAD(g)) -- tls-srp draft 8 */
+ /* k = SHA1(N | PAD(g)) -- tls-srp RFC 5054 */
return srp_Calc_xy(N, g, N);
}
BIGNUM *SRP_Calc_u(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N)
{
- /* k = SHA1(PAD(A) || PAD(B) ) -- tls-srp draft 8 */
+ /* u = SHA1(PAD(A) || PAD(B) ) -- tls-srp RFC 5054 */
return srp_Calc_xy(A, B, N);
}
@@ -254,13 +254,13 @@ static SRP_gN knowngN[] = {
/*
* Check if G and N are known parameters. The values have been generated
- * from the ietf-tls-srp draft version 8
+ * from the IETF RFC 5054
*/
char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N)
{
size_t i;
if ((g == NULL) || (N == NULL))
- return 0;
+ return NULL;
for (i = 0; i < KNOWN_GN_NUMBER; i++) {
if (BN_cmp(knowngN[i].g, g) == 0 && BN_cmp(knowngN[i].N, N) == 0)
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 17b35c0..bfe517b 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -184,7 +184,7 @@ void SRP_user_pwd_free(SRP_user_pwd *user_pwd)
OPENSSL_free(user_pwd);
}
-static SRP_user_pwd *SRP_user_pwd_new(void)
+SRP_user_pwd *SRP_user_pwd_new(void)
{
SRP_user_pwd *ret;
@@ -201,16 +201,18 @@ static SRP_user_pwd *SRP_user_pwd_new(void)
return ret;
}
-static void SRP_user_pwd_set_gN(SRP_user_pwd *vinfo, const BIGNUM *g,
- const BIGNUM *N)
+void SRP_user_pwd_set_gN(SRP_user_pwd *vinfo, const BIGNUM *g,
+ const BIGNUM *N)
{
vinfo->N = N;
vinfo->g = g;
}
-static int SRP_user_pwd_set_ids(SRP_user_pwd *vinfo, const char *id,
- const char *info)
+int SRP_user_pwd_set1_ids(SRP_user_pwd *vinfo, const char *id,
+ const char *info)
{
+ OPENSSL_free(vinfo->id);
+ OPENSSL_free(vinfo->info);
if (id != NULL && NULL == (vinfo->id = OPENSSL_strdup(id)))
return 0;
return (info == NULL || NULL != (vinfo->info = OPENSSL_strdup(info)));
@@ -243,8 +245,10 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s,
return 0;
}
-static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v)
+int SRP_user_pwd_set0_sv(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v)
{
+ BN_free(vinfo->s);
+ BN_clear_free(vinfo->v);
vinfo->v = v;
vinfo->s = s;
return (vinfo->s != NULL && vinfo->v != NULL);
@@ -260,8 +264,8 @@ static SRP_user_pwd *srp_user_pwd_dup(SRP_user_pwd *src)
return NULL;
SRP_user_pwd_set_gN(ret, src->g, src->N);
- if (!SRP_user_pwd_set_ids(ret, src->id, src->info)
- || !SRP_user_pwd_set_sv_BN(ret, BN_dup(src->s), BN_dup(src->v))) {
+ if (!SRP_user_pwd_set1_ids(ret, src->id, src->info)
+ || !SRP_user_pwd_set0_sv(ret, BN_dup(src->s), BN_dup(src->v))) {
SRP_user_pwd_free(ret);
return NULL;
}
@@ -340,12 +344,13 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab)
int i;
SRP_gN *gN;
- if (gN_tab != NULL)
+ if (gN_tab != NULL) {
for (i = 0; i < sk_SRP_gN_num(gN_tab); i++) {
gN = sk_SRP_gN_value(gN_tab, i);
if (gN && (id == NULL || strcmp(gN->id, id) == 0))
return gN;
}
+ }
return SRP_get_default_gN(id);
}
@@ -374,9 +379,13 @@ static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch)
}
/*
- * this function parses verifier file. Format is:
- * string(index):base64(N):base64(g):0
- * string(username):base64(v):base64(salt):int(index)
+ * This function parses the verifier file generated by the srp app.
+ * The format for each entry is:
+ * V base64(verifier) base64(salt) username gNid userinfo(optional)
+ * or
+ * I base64(N) base64(g)
+ * Note that base64 is the SRP variant of base64 encoding described
+ * in t_fromb64().
*/
int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file)
@@ -441,7 +450,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file)
goto err;
SRP_user_pwd_set_gN(user_pwd, lgN->g, lgN->N);
- if (!SRP_user_pwd_set_ids
+ if (!SRP_user_pwd_set1_ids
(user_pwd, pp[DB_srpid], pp[DB_srpinfo]))
goto err;
@@ -509,6 +518,13 @@ static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username)
return NULL;
}
+int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd)
+{
+ if (sk_SRP_user_pwd_push(vb->users_pwd, user_pwd) <= 0)
+ return 0;
+ return 1;
+}
+
# if OPENSSL_API_COMPAT < 0x10100000L
/*
* DEPRECATED: use SRP_VBASE_get1_by_user instead.
@@ -550,7 +566,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username)
SRP_user_pwd_set_gN(user, vb->default_g, vb->default_N);
- if (!SRP_user_pwd_set_ids(user, username, NULL))
+ if (!SRP_user_pwd_set1_ids(user, username, NULL))
goto err;
if (RAND_priv_bytes(digv, SHA_DIGEST_LENGTH) <= 0)
@@ -564,7 +580,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username)
goto err;
EVP_MD_CTX_free(ctxt);
ctxt = NULL;
- if (SRP_user_pwd_set_sv_BN(user,
+ if (SRP_user_pwd_set0_sv(user,
BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL),
BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL)))
return user;
@@ -605,7 +621,7 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
g_bn = g_bn_alloc;
defgNid = "*";
} else {
- SRP_gN *gN = SRP_get_gN_by_id(g, NULL);
+ SRP_gN *gN = SRP_get_default_gN(g);
if (gN == NULL)
goto err;
N_bn = gN->N;
diff --git a/doc/man1/srp.pod b/doc/man1/srp.pod
index e858a22..4977431 100644
--- a/doc/man1/srp.pod
+++ b/doc/man1/srp.pod
@@ -25,7 +25,7 @@ B<openssl srp>
=head1 DESCRIPTION
-The B<srp> command is user to maintain an SRP (secure remote password)
+The B<srp> command is used to maintain an SRP (secure remote password)
file.
At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list> options
can be specified.
diff --git a/doc/man3/SRP_VBASE_new.pod b/doc/man3/SRP_VBASE_new.pod
new file mode 100644
index 0000000..8a0fb6d
--- /dev/null
+++ b/doc/man3/SRP_VBASE_new.pod
@@ -0,0 +1,99 @@
+=pod
+
+=head1 NAME
+
+SRP_VBASE_new,
+SRP_VBASE_free,
+SRP_VBASE_init,
+SRP_VBASE_add0_user,
+SRP_VBASE_get1_by_user,
+SRP_VBASE_get_by_user
+- Functions to create and manage a stack of SRP user verifier information
+
+=head1 SYNOPSIS
+
+ #include <openssl/srp.h>
+
+ SRP_VBASE *SRP_VBASE_new(char *seed_key);
+ void SRP_VBASE_free(SRP_VBASE *vb);
+
+ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
+
+ int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd);
+ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username);
+ SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
+
+=head1 DESCRIPTION
+
+The SRP_VBASE_new() function allocates a structure to store server side SRP
+verifier information.
+If B<seed_key> is not NULL a copy is stored and used to generate dummy parameters
+for users that are not found by SRP_VBASE_get1_by_user(). This allows the server
+to hide the fact that it doesn't have a verifier for a particular username,
+as described in section 2.5.1.3 'Unknown SRP' of RFC 5054.
+The seed string should contain random NUL terminated binary data (therefore
+the random data should not contain NUL bytes!).
+
+The SRP_VBASE_free() function frees up the B<vb> structure.
+If B<vb> is NULL, nothing is done.
+
+The SRP_VBASE_init() function parses the information in a verifier file and
+populates the B<vb> structure.
+The verifier file is a text file containing multiple entries, whose format is:
+flag base64(verifier) base64(salt) username gNid userinfo(optional)
+where the flag can be 'V' (valid) or 'R' (revoked).
+Note that the base64 encoding used here is non-standard so it is recommended
+to use L<srp(1)> to generate this file.
+
+The SRP_VBASE_add0_user() function adds the B<user_pwd> verifier information
+to the B<vb> structure. See L<SRP_user_pwd_new(3)> to create and populate this
+record.
+The library takes ownership of B<user_pwd>, it should not be freed by the caller.
+
+The SRP_VBASE_get1_by_user() function returns the password info for the user
+whose username matches B<username>. It replaces the deprecated
+SRP_VBASE_get_by_user().
+If no matching user is found but a seed_key and default gN parameters have been
+set, dummy authentication information is generated from the seed_key, allowing
+the server to hide the fact that it doesn't have a verifier for a particular
+username. When using SRP as a TLS authentication mechanism, this will cause
+the handshake to proceed normally but the first client will be rejected with
+a "bad_record_mac" alert, as if the password was incorrect.
+If no matching user is found and the seed_key is not set, NULL is returned.
+Ownership of the returned pointer is released to the caller, it must be freed
+with SRP_user_pwd_free().
+
+=head1 RETURN VALUES
+
+SRP_VBASE_init() returns B<SRP_NO_ERROR> (0) on success and a positive value
+on failure.
+The error codes are B<SRP_ERR_OPEN_FILE> if the file could not be opened,
+B<SRP_ERR_VBASE_INCOMPLETE_FILE> if the file could not be parsed,
+B<SRP_ERR_MEMORY> on memory allocation failure and B<SRP_ERR_VBASE_BN_LIB>
+for invalid decoded parameter values.
+
+SRP_VBASE_add0_user() returns 1 on success and 0 on failure.
+
+=head1 SEE ALSO
+
+L<srp(1)>,
+L<SRP_create_verifier(3)>,
+L<SRP_user_pwd_new(3)>,
+L<SSL_CTX_set_srp_password(3)>
+
+=head1 HISTORY
+
+SRP_VBASE_add0_user() was first added to OpenSSL 1.2.0.
+
+All other functions were first added to OpenSSL 1.0.1.
+
+=head1 COPYRIGHT
+
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/SRP_create_verifier.pod b/doc/man3/SRP_create_verifier.pod
new file mode 100644
index 0000000..ac7c05b
--- /dev/null
+++ b/doc/man3/SRP_create_verifier.pod
@@ -0,0 +1,110 @@
+=pod
+
+=head1 NAME
+
+SRP_create_verifier,
+SRP_create_verifier_BN,
+SRP_check_known_gN_param,
+SRP_get_default_gN
+- SRP authentication primitives
+
+=head1 SYNOPSIS
+
+ #include <openssl/srp.h>
+
+ char *SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
+ BIGNUM **verifier, const BIGNUM *N, const BIGNUM *g);
+ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
+ char **verifier, const char *N, const char *g);
+
+ char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N);
+ SRP_gN *SRP_get_default_gN(const char *id);
+
+=head1 DESCRIPTION
+
+The SRP_create_verifier_BN() function creates an SRP password verifier from
+the supplied parameters as defined in section 2.4 of RFC 5054.
+On successful exit B<*verifier> will point to a newly allocated BIGNUM containing
+the verifier and (if a salt was not provided) B<*salt> will be populated with a
+newly allocated BIGNUM containing a random salt. If B<*salt> is not NULL then
+the provided salt is used instead.
+The caller is responsible for freeing the allocated B<*salt> and B<*verifier>
+BIGNUMS (use L<BN_free(3)>).
+
+The SRP_create_verifier() function is similar to SRP_create_verifier_BN() but
+all numeric parameters are in a non-standard base64 encoding originally designed
+for compatibility with libsrp. This is mainly present for historical compatibility
+and its use is discouraged.
+It is possible to pass NULL as B<N> and an SRP group id as B<g> instead to
+load the appropriate gN values (see SRP_get_default_gN()).
+If both B<N> and B<g> are NULL the 8192-bit SRP group parameters are used.
+The caller is responsible for freeing the allocated B<*salt> and B<*verifier>
+(use L<OPENSSL_free(3)>).
+
+The SRP_check_known_gN_param() function checks that B<g> and B<N> are valid
+SRP group parameters from RFC 5054 appendix A.
+
+The SRP_get_default_gN() function returns the gN parameters for the RFC 5054 B<id>
+SRP group size.
+The known ids are "1024", "1536", "2048", "3072", "4096", "6144" and "8192".
+
+=head1 RETURN VALUES
+
+SRP_create_verifier_BN() returns 1 on success and 0 on failure.
+
+SRP_create_verifier() returns NULL on failure and a non-NULL value on success:
+"*" if B<N> is not NULL, the selected group id otherwise. This value should
+not be freed.
+
+SRP_check_known_gN_param() returns the text representation of the group id
+(ie. the prime bit size) or NULL if the arguments are not valid SRP group parameters.
+This value should not be freed.
+
+SRP_get_default_gN() returns NULL if B<id> is not a valid group size,
+or the 8192-bit group parameters if B<id> is NULL.
+
+=head1 EXAMPLES
+
+Generate and store a 8192 bit password verifier (error handling
+omitted for clarity):
+
+ #include <openssl/bn.h>
+ #include <openssl/srp.h>
+
+ const char *username = "username";
+ const char *password = "password";
+
+ SRP_VBASE *srpData = SRP_VBASE_new(NULL);
+
+ SRP_gN *gN = SRP_get_default_gN("8192");
+
+ BIGNUM *salt = NULL, *verifier = NULL;
+ SRP_create_verifier_BN(username, password, &salt, &verifier, gN->N, gN->g);
+
+ SRP_user_pwd *pwd = SRP_user_pwd_new();
+ SRP_user_pwd_set1_ids(pwd, username, NULL);
+ SRP_user_pwd_set0_sv(pwd, salt, verifier);
+ SRP_user_pwd_set_gN(pwd, gN->g, gN->N);
+
+ SRP_VBASE_add0_user(srpData, pwd);
+
+=head1 SEE ALSO
+
+L<srp(1)>,
+L<SRP_VBASE_new(3)>,
+L<SRP_user_pwd_new(3)>
+
+=head1 HISTORY
+
+These functions were first added to OpenSSL 1.0.1.
+
+=head1 COPYRIGHT
+
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/SRP_user_pwd_new.pod b/doc/man3/SRP_user_pwd_new.pod
new file mode 100644
index 0000000..4f631a1
--- /dev/null
+++ b/doc/man3/SRP_user_pwd_new.pod
@@ -0,0 +1,70 @@
+=pod
+
+=head1 NAME
+
+SRP_user_pwd_new,
+SRP_user_pwd_free,
+SRP_user_pwd_set1_ids,
+SRP_user_pwd_set_gN,
+SRP_user_pwd_set0_sv
+- Functions to create a record of SRP user verifier information
+
+=head1 SYNOPSIS
+
+ #include <openssl/srp.h>
+
+ SRP_user_pwd *SRP_user_pwd_new(void);
+ void SRP_user_pwd_free(SRP_user_pwd *user_pwd);
+
+ int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id, const char *info);
+ void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g, const BIGNUM *N);
+ int SRP_user_pwd_set0_sv(SRP_user_pwd *user_pwd, BIGNUM *s, BIGNUM *v);
+
+=head1 DESCRIPTION
+
+The SRP_user_pwd_new() function allocates a structure to store a user verifier
+record.
+
+The SRP_user_pwd_free() function frees up the B<user_pwd> structure.
+If B<user_pwd> is NULL, nothing is done.
+
+The SRP_user_pwd_set1_ids() function sets the username to B<id> and the optional
+user info to B<info> for B<user_pwd>.
+The library allocates new copies of B<id> and B<info>, the caller still
+owns the original memory.
+
+The SRP_user_pwd_set0_sv() function sets the user salt to B<s> and the verifier
+to B<v> for B<user_pwd>.
+The library takes ownership of the values, they should not be freed by the caller.
+
+The SRP_user_pwd_set_gN() function sets the SRP group parameters for B<user_pwd>.
+The memory is not freed by SRP_user_pwd_free(), the caller must make sure it is
+freed once it is no longer used.
+
+=head1 RETURN VALUES
+
+SRP_user_pwd_set1_ids() returns 1 on success and 0 on failure or if B<id> was NULL.
+
+SRP_user_pwd_set0_sv() returns 1 if both B<s> and B<v> are not NULL, 0 otherwise.
+
+=head1 SEE ALSO
+
+L<srp(1)>,
+L<SRP_create_verifier(3)>,
+L<SRP_VBASE_new(3)>,
+L<SSL_CTX_set_srp_password(3)>
+
+=head1 HISTORY
+
+These functions were made public in OpenSSL 1.2.0.
+
+=head1 COPYRIGHT
+
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/SSL_CTX_add_extra_chain_cert.pod b/doc/man3/SSL_CTX_add_extra_chain_cert.pod
index 05d17f8..b8f11b3 100644
--- a/doc/man3/SSL_CTX_add_extra_chain_cert.pod
+++ b/doc/man3/SSL_CTX_add_extra_chain_cert.pod
@@ -2,14 +2,19 @@
=head1 NAME
-SSL_CTX_add_extra_chain_cert, SSL_CTX_clear_extra_chain_certs - add or clear
-extra chain certificates
+SSL_CTX_add_extra_chain_cert,
+SSL_CTX_get_extra_chain_certs,
+SSL_CTX_get_extra_chain_certs_only,
+SSL_CTX_clear_extra_chain_certs
+- add, get or clear extra chain certificates
=head1 SYNOPSIS
#include <openssl/ssl.h>
long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
+ long SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **sk);
+ long SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **sk);
long SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);
=head1 DESCRIPTION
@@ -18,6 +23,15 @@ SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the extra chain
certificates associated with B<ctx>. Several certificates can be added one
after another.
+SSL_CTX_get_extra_chain_certs() retrieves the extra chain certificates
+associated with B<ctx>, or the chain associated with the current certificate
+of B<ctx> if the extra chain is empty.
+The returned stack should not be freed by the caller.
+
+SSL_CTX_get_extra_chain_certs_only() retrieves the extra chain certificates
+associated with B<ctx>.
+The returned stack should not be freed by the caller.
+
SSL_CTX_clear_extra_chain_certs() clears all extra chain certificates
associated with B<ctx>.
@@ -70,7 +84,7 @@ L<SSL_build_cert_chain(3)>
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_srp_password.pod b/doc/man3/SSL_CTX_set_srp_password.pod
new file mode 100644
index 0000000..6f33230
--- /dev/null
+++ b/doc/man3/SSL_CTX_set_srp_password.pod
@@ -0,0 +1,216 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_srp_username,
+SSL_CTX_set_srp_password,
+SSL_CTX_set_srp_strength,
+SSL_CTX_set_srp_cb_arg,
+SSL_CTX_set_srp_username_callback,
+SSL_CTX_set_srp_client_pwd_callback,
+SSL_CTX_set_srp_verify_param_callback,
+SSL_set_srp_server_param,
+SSL_set_srp_server_param_pw,
+SSL_get_srp_g,
+SSL_get_srp_N,
+SSL_get_srp_username,
+SSL_get_srp_userinfo
+- SRP control operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
+ int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
+ int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
+ int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
+ int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
+ int (*cb) (SSL *s, int *ad, void *arg));
+ int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
+ char *(*cb) (SSL *s, void *arg));
+ int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
+ int (*cb) (SSL *s, void *arg));
+
+ int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
+ BIGNUM *sa, BIGNUM *v, char *info);
+ int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
+ const char *grp);
+
+ BIGNUM *SSL_get_srp_g(SSL *s);
+ BIGNUM *SSL_get_srp_N(SSL *s);
+
+ char *SSL_get_srp_username(SSL *s);
+ char *SSL_get_srp_userinfo(SSL *s);
+
+=head1 DESCRIPTION
+
+These functions provide access to SRP (Secure Remote Password) parameters,
+an alternate authentication mechanism for TLS. SRP allows the use of user names
+and passwords over unencrypted channels without revealing the password to an
+eavesdropper. SRP also supplies a shared secret at the end of the authentication
+sequence that can be used to generate encryption keys.
+
+The SRP protocol, version 3 is specified in RFC 2945. SRP version 6 is described
+in RFC 5054 with applications to TLS authentication.
+
+The SSL_CTX_set_srp_username() function sets the SRP username for B<ctx>. This
+should be called on the client prior to creating a connection to the server.
+The length of B<name> must be shorter or equal to 255 characters.
+
+The SSL_CTX_set_srp_password() function sets the SRP password for B<ctx>. This
+may be called on the client prior to creating a connection to the server.
+This overrides the effect of SSL_CTX_set_srp_client_pwd_callback().
+
+The SSL_CTX_set_srp_strength() function sets the SRP strength for B<ctx>. This
+is the minimal length of the SRP prime in bits. If not specified 1024 is used.
+If not satisfied by the server key exchange the connection will be rejected.
+
+The SSL_CTX_set_srp_cb_arg() function sets an extra parameter that will
+be passed to all following callbacks as B<arg>.
+
+The SSL_CTX_set_srp_username_callback() function sets the server side callback
+that is invoked when an SRP username is found in a ClientHello.
+The callback parameters are the SSL connection B<s>, a writable error flag B<ad>
+and the extra argument B<arg> set by SSL_CTX_set_srp_cb_arg().
+This callback should setup the server for the key exchange by calling
+SSL_set_srp_server_param() with the appropriate parameters for the received
+username. The username can be obtained by calling SSL_get_srp_username().
+See L<SRP_VBASE_init(3)> to parse the verifier file created by L<srp(1)> or
+L<SRP_create_verifier(3)> to generate it.
+The callback should return B<SSL_ERROR_NONE> to proceed with the server key exchange,
+B<SSL3_AL_FATAL> for a fatal error or any value < 0 for a retryable error.
+In the event of a B<SSL3_AL_FATAL> the alert flag given by B<*al> will be sent
+back. By default this will be B<SSL_AD_UNKOWN_PSK_IDENTITY>.
+
+The SSL_CTX_set_srp_client_pwd_callback() function sets the client password
+callback on the client.
+The callback parameters are the SSL connection B<s> and the extra argument B<arg>
+set by SSL_CTX_set_srp_cb_arg().
+The callback will be called as part of the generation of the client secrets.
+It should return the client password in text form or NULL to abort the connection.
+The resulting memory will be freed by the library as part of the callback resolution.
+This overrides the effect of SSL_CTX_set_srp_password().
+
+The SSL_CTX_set_srp_verify_param_callback() sets the SRP gN parameter verification
+callback on the client. This allows the client to perform custom verification when
+receiving the server SRP proposed parameters.
+The callback parameters are the SSL connection B<s> and the extra argument B<arg>
+set by SSL_CTX_set_srp_cb_arg().
+The callback should return a positive value to accept the server parameters.
+Returning 0 or a negative value will abort the connection. The server parameters
+can be obtained by calling SSL_get_srp_N() and SSL_get_srp_g().
+Sanity checks are already performed by the library after the handshake
+(B % N non zero, check against the strength parameter) and are not necessary.
+If no callback is set the g and N parameters will be checked against
+known RFC 5054 values.
+
+The SSL_set_srp_server_param() function sets all SRP parameters for
+the connection B<s>. B<N> and B<g> are the SRP group parameters, B<sa> is the
+user salt, B<v> the password verifier and B<info> is the optional user info.
+
+The SSL_set_srp_server_param_pw() function sets all SRP parameters for the
+connection B<s> by generating a random salt and a password verifier.
+B<user> is the username, B<pass> the password and B<grp> the SRP group paramters
+identifier for L<SRP_get_default_gN(3)>.
+
+The SSL_get_srp_g() function returns the SRP group generator for B<s>, or from
+the underlying SSL_CTX if it is NULL.
+
+The SSL_get_srp_N() function returns the SRP prime for B<s>, or from
+the underlying SSL_CTX if it is NULL.
+
+The SSL_get_srp_username() function returns the SRP username for B<s>, or from
+the underlying SSL_CTX if it is NULL.
+
+The SSL_get_srp_userinfo() function returns the SRP user info for B<s>, or from
+the underlying SSL_CTX if it is NULL.
+
+=head1 RETURN VALUES
+
+All SSL_CTX_set_* functions return 1 on success and 0 on failure.
+
+SSL_set_srp_server_param() returns 1 on success and -1 on failure.
+
+The SSL_get_SRP_* functions return a pointer to the requested data, the memory
+is owned by the library and should not be freed by the caller.
+
+=head1 EXAMPLES
+
+Setup SRP parameters on the client:
+
+ #include <openssl/ssl.h>
+
+ const char *username = "username";
+ const char *password = "password";
+
+ SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
+ if (!ctx)
+ /* Error */
+ if (!SSL_CTX_set_srp_username(ctx, username))
+ /* Error */
+ if (!SSL_CTX_set_srp_password(ctx, password))
+ /* Error */
+
+Setup SRP server with verifier file:
+
+ #include <openssl/srp.h>
+ #include <openssl/ssl.h>
+
+ const char *srpvfile = "password.srpv";
+
+ int srpServerCallback(SSL *s, int *ad, void *arg)
+ {
+ SRP_VBASE *srpData = (SRP_VBASE*) arg;
+ char *username = SSL_get_srp_username(s);
+
+ SRP_user_pwd *user_pwd = SRP_VBASE_get1_by_user(srpData, username);
+ if (!user_pwd)
+ /* Error */
+ return SSL3_AL_FATAL;
+
+ if (SSL_set_srp_server_param(s, user_pwd->N, user_pwd->g,
+ user_pwd->s, user_pwd->v, user_pwd->info) < 0)
+ /* Error */
+
+ SRP_user_pwd_free(user_pwd);
+ return SSL_ERROR_NONE;
+ }
+
+ SSL_CTX *ctx = SSL_CTX_new(TLS_server_method());
+ if (!ctx)
+ /* Error */
+
+ /*
+ * seedKey should contain a NUL terminated sequence
+ * of random non NUL bytes
+ */
+ const char *seedKey;
+
+ SRP_VBASE *srpData = SRP_VBASE_new(seedKey);
+ if (SRP_VBASE_init(srpData, (char*) srpvfile) != SRP_NO_ERROR)
+ /* Error */
+
+ SSL_CTX_set_srp_cb_arg(ctx, srpData);
+ SSL_CTX_set_srp_username_callback(ctx, srpServerCallback);
+
+=head1 SEE ALSO
+
+L<srp(1)>,
+L<SRP_VBASE_new(3)>,
+L<SRP_create_verifier(3)>
+
+=head1 HISTORY
+
+These functions were first added to OpenSSL 1.0.1.
+
+=head1 COPYRIGHT
+
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/SSL_CTX_set_tmp_ecdh.pod b/doc/man3/SSL_CTX_set_tmp_ecdh.pod
new file mode 100644
index 0000000..398fcbf
--- /dev/null
+++ b/doc/man3/SSL_CTX_set_tmp_ecdh.pod
@@ -0,0 +1,50 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto
+- handle ECDH keys for ephemeral key exchange
+
+=head1 SYNOPSIS
+
+#include <openssl/ssl.h>
+
+long SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ecdh);
+long SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ecdh);
+
+long SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state);
+long SSL_set_ecdh_auto(SSL *ssl, int state);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_tmp_ecdh() sets ECDH parameters to be used to be B<ecdh>.
+The key is inherited by all B<ssl> objects created from B<ctx>.
+This macro is deprecated in favor of L<SSL_CTX_set1_groups(3)>.
+
+SSL_set_tmp_ecdh() sets the parameters only for B<ssl>.
+This macro is deprecated in favor of L<SSL_set1_groups(3)>.
+
+SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() are deprecated and
+have no effect.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_tmp_ecdh() and SSL_set_tmp_ecdh() return 1 on success and 0
+on failure.
+
+=head1 SEE ALSO
+
+L<ssl(7)>, L<SSL_CTX_set1_curves(3)>, L<SSL_CTX_set_cipher_list(3)>,
+L<SSL_CTX_set_options(3)>, L<SSL_CTX_set_tmp_dh_callback(3)>,
+L<ciphers(1)>, L<ecparam(1)>
+
+=head1 COPYRIGHT
+
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man7/ssl.pod b/doc/man7/ssl.pod
index d439860..60b1834 100644
--- a/doc/man7/ssl.pod
+++ b/doc/man7/ssl.pod
@@ -254,6 +254,10 @@ protocol context defined in the B<SSL_CTX> structure.
=item int B<SSL_CTX_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
+=item long B<SSL_CTX_get_extra_chain_certs>(SSL_CTX *ctx, STACK_OF(X509) **sk);
+
+=item long B<SSL_CTX_get_extra_chain_certs_only>(SSL_CTX *ctx, STACK_OF(X509) **sk);
+
=item void (*B<SSL_CTX_get_info_callback>(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);
=item int B<SSL_CTX_get_quiet_shutdown>(const SSL_CTX *ctx);
@@ -371,6 +375,20 @@ Use the file path to locate trusted CA certificates.
=item void B<SSL_CTX_set_session_cache_mode>(SSL_CTX *ctx, int mode);
+=item int B<SSL_CTX_set_srp_cb_arg>(SSL_CTX *ctx, void *arg);
+
+=item int B<SSL_CTX_set_srp_client_pwd_callback>(SSL_CTX *ctx, char *(*cb)(SSL *ssl, void *arg));
+
+=item int B<SSL_CTX_set_srp_password>(SSL_CTX *ctx, char *password);
+
+=item int B<SSL_CTX_set_srp_strength>(SSL_CTX *ctx, int strength);
+
+=item int B<SSL_CTX_set_srp_username>(SSL_CTX *ctx, char *name);
+
+=item int B<SSL_CTX_set_srp_username_callback>(SSL_CTX *ctx, int (*cb)(SSL *ssl, int *ad, void *arg));
+
+=item int B<SSL_CTX_set_srp_verify_param_callback>(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg));
+
=item int B<SSL_CTX_set_ssl_version>(SSL_CTX *ctx, const SSL_METHOD *meth);
=item void B<SSL_CTX_set_timeout>(SSL_CTX *ctx, long t);
@@ -379,6 +397,8 @@ Use the file path to locate trusted CA certificates.
=item long B<SSL_CTX_set_tmp_dh_callback>(SSL_CTX *ctx, DH *(*cb)(void));
+=item long B<SSL_CTX_set_tmp_ecdh>(SSL_CTX* ctx, const EC_KEY *ecdh);
+
=item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void))
=item int B<SSL_CTX_use_PrivateKey>(SSL_CTX *ctx, EVP_PKEY *pkey);
@@ -576,6 +596,14 @@ fresh handle for each connection.
=item int B<SSL_get_shutdown>(const SSL *ssl);
+=item BIGNUM *B<SSL_get_srp_g>(SSL *ssl);
+
+=item BIGNUM *B<SSL_get_srp_N>(SSL *ssl);
+
+=item char *B<SSL_get_srp_userinfo>(SSL *ssl);
+
+=item char *B<SSL_get_srp_username>(SSL *ssl);
+
=item const SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
=item int B<SSL_get_state>(const SSL *ssl);
@@ -668,12 +696,22 @@ fresh handle for each connection.
=item void B<SSL_set_shutdown>(SSL *ssl, int mode);
+=item int B<SSL_set_srp_server_param>(SSL *ssl, const BIGNUM *N, const BIGNUM *g, BIGNUM *sa, BIGNUM *v, char *info);
+
+=item int B<SSL_set_srp_server_param_pw>(SSL *ssl, const char *user, const char *pass, const char *grp);
+
=item int B<SSL_set_ssl_method>(SSL *ssl, const SSL_METHOD *meth);
=item void B<SSL_set_time>(SSL *ssl, long t);
=item void B<SSL_set_timeout>(SSL *ssl, long t);
+=item long B<SSL_set_tmp_dh>(SSL *ssl, DH *dh);
+
+=item long B<SSL_set_tmp_dh_callback>(SSL *ssl, DH *(*cb)(void));
+
+=item long B<SSL_set_tmp_ecdh>(SSL *ssl, const EC_KEY *ecdh);
+
=item void B<SSL_set_verify>(SSL *ssl, int mode, int (*callback);(void))
=item void B<SSL_set_verify_result>(SSL *ssl, long arg);
@@ -778,9 +816,11 @@ L<SSL_CTX_set_read_ahead(3)>,
L<SSL_CTX_set_security_level(3)>,
L<SSL_CTX_set_session_cache_mode(3)>,
L<SSL_CTX_set_session_id_context(3)>,
+L<SSL_CTX_set_srp_password(3)>,
L<SSL_CTX_set_ssl_version(3)>,
L<SSL_CTX_set_timeout(3)>,
L<SSL_CTX_set_tmp_dh_callback(3)>,
+L<SSL_CTX_set_tmp_ecdh(3)>,
L<SSL_CTX_set_verify(3)>,
L<SSL_CTX_use_certificate(3)>,
L<SSL_alert_type_string(3)>,
diff --git a/include/openssl/srp.h b/include/openssl/srp.h
index aaf1355..86fe6f4 100644
--- a/include/openssl/srp.h
+++ b/include/openssl/srp.h
@@ -47,8 +47,13 @@ typedef struct SRP_user_pwd_st {
char *info;
} SRP_user_pwd;
+SRP_user_pwd *SRP_user_pwd_new(void);
void SRP_user_pwd_free(SRP_user_pwd *user_pwd);
+void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g, const BIGNUM *N);
+int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id, const char *info);
+int SRP_user_pwd_set0_sv(SRP_user_pwd *user_pwd, BIGNUM *s, BIGNUM *v);
+
DEFINE_STACK_OF(SRP_user_pwd)
typedef struct SRP_VBASE_st {
@@ -75,6 +80,7 @@ SRP_VBASE *SRP_VBASE_new(char *seed_key);
void SRP_VBASE_free(SRP_VBASE *vb);
int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
+int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd);
/* This method ignores the configured seed and fails for an unknown user. */
DEPRECATEDIN_1_1_0(SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username))
/* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index cceb2d4..1e9e8d5 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1307,16 +1307,18 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
# define SSL_CTX_set_tmp_dh(ctx,dh) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
-# define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
# define SSL_CTX_set_dh_auto(ctx, onoff) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
# define SSL_set_dh_auto(s, onoff) \
SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
# define SSL_set_tmp_dh(ssl,dh) \
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
-# define SSL_set_tmp_ecdh(ssl,ecdh) \
+# if OPENSSL_API_COMPAT < 0x10200000L
+# define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
+# define SSL_set_tmp_ecdh(ssl,ecdh) \
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
+# endif
# define SSL_CTX_add_extra_chain_cert(ctx,x509) \
SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)(x509))
# define SSL_CTX_get_extra_chain_certs(ctx,px509) \
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 866ca4d..4b9906f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3414,7 +3414,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
EVP_PKEY *pkdh = NULL;
if (dh == NULL) {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
- return ret;
+ return 0;
}
pkdh = ssl_dh_to_pkey(dh);
if (pkdh == NULL) {
@@ -3425,11 +3425,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL);
EVP_PKEY_free(pkdh);
- return ret;
+ return 0;
}
EVP_PKEY_free(s->cert->dh_tmp);
s->cert->dh_tmp = pkdh;
- ret = 1;
+ return 1;
}
break;
case SSL_CTRL_SET_TMP_DH_CB:
@@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
EVP_PKEY_free(pkdh);
- return 1;
+ return 0;
}
EVP_PKEY_free(ctx->cert->dh_tmp);
ctx->cert->dh_tmp = pkdh;
diff --git a/util/libcrypto.num b/util/libcrypto.num
index c6de172..f7d6cb5 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4598,3 +4598,8 @@ EVP_MAC_do_all_sorted 4551 1_1_2 EXIST::FUNCTION:
EVP_str2ctrl 4552 1_1_2 EXIST::FUNCTION:
EVP_hex2ctrl 4553 1_1_2 EXIST::FUNCTION:
EVP_PKEY_supports_digest_nid 4554 1_1_2 EXIST::FUNCTION:
+SRP_VBASE_add0_user 4555 1_1_2 EXIST::FUNCTION:SRP
+SRP_user_pwd_new 4556 1_1_2 EXIST::FUNCTION:SRP
+SRP_user_pwd_set_gN 4557 1_1_2 EXIST::FUNCTION:SRP
+SRP_user_pwd_set1_ids 4558 1_1_2 EXIST::FUNCTION:SRP
+SRP_user_pwd_set0_sv 4559 1_1_2 EXIST::FUNCTION:SRP
diff --git a/util/private.num b/util/private.num
index c5f3431..d6724ed 100644
--- a/util/private.num
+++ b/util/private.num
@@ -324,6 +324,8 @@ SSL_CTX_disable_ct define
SSL_CTX_generate_session_ticket_fn define
SSL_CTX_get0_chain_certs define
SSL_CTX_get_default_read_ahead define
+SSL_CTX_get_extra_chain_certs define
+SSL_CTX_get_extra_chain_certs_only define
SSL_CTX_get_max_cert_list define
SSL_CTX_get_max_proto_version define
SSL_CTX_get_min_proto_version define
@@ -363,6 +365,7 @@ SSL_CTX_set1_sigalgs define
SSL_CTX_set1_sigalgs_list define
SSL_CTX_set1_verify_cert_store define
SSL_CTX_set_current_cert define
+SSL_CTX_set_ecdh_auto define
SSL_CTX_set_max_cert_list define
SSL_CTX_set_max_pipelines define
SSL_CTX_set_max_proto_version define
@@ -380,6 +383,7 @@ SSL_CTX_set_tlsext_status_cb define
SSL_CTX_set_tlsext_status_type define
SSL_CTX_set_tlsext_ticket_key_cb define
SSL_CTX_set_tmp_dh define
+SSL_CTX_set_tmp_ecdh define
SSL_add0_chain_cert define
SSL_add1_chain_cert define
SSL_build_cert_chain define
@@ -431,6 +435,7 @@ SSL_set1_sigalgs define
SSL_set1_sigalgs_list define
SSL_set1_verify_cert_store define
SSL_set_current_cert define
+SSL_set_ecdh_auto define
SSL_set_max_cert_list define
SSL_set_max_pipelines define
SSL_set_max_proto_version define
@@ -446,6 +451,7 @@ SSL_set_tlsext_host_name define
SSL_set_tlsext_status_ocsp_resp define
SSL_set_tlsext_status_type define
SSL_set_tmp_dh define
+SSL_set_tmp_ecdh define
SSL_want_async define
SSL_want_async_job define
SSL_want_client_hello_cb define
More information about the openssl-commits
mailing list