[openssl-dev] [openssl.org #3709] [PATCH] Constness in SSL_CTX_set_srp_username and SSL_CTX_set_srp_password functions

Henry Dorsett Case via RT rt at openssl.org
Tue Feb 17 21:50:08 UTC 2015


Currently the SSL_CTX_set_srp_username/password functions take a char*
argument for the username/password value. In application-level code
those values are very often const (user-provided data). In such cases,
when passing those values to the OpenSSL library, either a dirty cast has
to be performed to remove constness, or the const value has to be
copied to a temporary location (which for SSL_CTX_set_srp_username is
useless, as this function copies the username value again in the
ssl3_ctx_ctrl function).

In this patch I try to cleanup API, so that const values also can be
passed to functions. Please integrate if interested.

The diff is available as PR in github:
https://github.com/openssl/openssl/pull/227

Operating system: ALL
Versions: ALL


diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ab19eeb..a464199 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4007,7 +4007,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long
larg, void *parg)
             SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
             return 0;
         }
-        if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) {
+        if ((ctx->srp_ctx.login = (char *)parg) == NULL) {
             SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
             return 0;
         }
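Review bot: Storing `parg` directly in `ctx->srp_ctx.login` makes this ctrl take ownership of the caller's buffer, so any code that reaches `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME` through the generic ctrl entry point with a stack, static or const string will later have that pointer handed to `OPENSSL_free` in `SSL_CTX_SRP_CTX_free`. The `return 0` on the invalid-username path just above also exits before the assignment, so the copy made by the new `SSL_CTX_set_srp_username` wrapper is leaked whenever the name is rejected. Keeping the duplication here, `if ((ctx->srp_ctx.login = BUF_strdup((const char *)parg)) == NULL) {`, preserves the old borrow-and-copy contract and still lets the wrapper accept `const char *`. The password case in the next hunk has the same ownership change. The case body starts outside this hunk.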
@@ -4015,6 +4015,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long
larg, void *parg)
     case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
         ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
             srp_password_from_info_cb;
+        if(ctx->srp_ctx.info != NULL)
+          OPENSSL_free(ctx->srp_ctx.info);
         ctx->srp_ctx.info = parg;
         break;
     case SSL_CTRL_SET_SRP_ARG:
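Review bot: The previous password is released with a plain `OPENSSL_free`, so the plaintext SRP password remains readable in freed heap memory; wipe it first with `OPENSSL_cleanse(ctx->srp_ctx.info, strlen(ctx->srp_ctx.info));` inside the existing NULL check. The same applies to the `info` frees this patch adds in `SSL_CTX_SRP_CTX_free`, `SSL_SRP_CTX_free` and the `err:` path of `SSL_SRP_CTX_init`, and it matters more now that `SSL_SRP_CTX_init` duplicates the value into every `SSL` object. A short comment on this case stating that the context now owns `parg` and frees it would also help callers that use the ctrl directly. The case body is only partly visible in this hunk.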
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 13fb053..cf0c5ab 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1545,8 +1545,8 @@ X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);

 # ifndef OPENSSL_NO_SRP
-int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
-int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
+int SSL_CTX_set_srp_username(SSL_CTX *ctx, const char *name);
+int SSL_CTX_set_srp_password(SSL_CTX *ctx, const char *password);
 int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
 int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
                                         char *(*cb) (SSL *, void *));
@@ -1557,7 +1557,7 @@ int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
 int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);

 int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
-                             BIGNUM *sa, BIGNUM *v, char *info);
+                             BIGNUM *sa, BIGNUM *v, const char *info);
 int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
                                 const char *grp);

diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 33d398f..a054b70 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -71,6 +71,7 @@ int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
     if (ctx == NULL)
         return 0;
     OPENSSL_free(ctx->srp_ctx.login);
+    OPENSSL_free(ctx->srp_ctx.info);
     BN_free(ctx->srp_ctx.N);
     BN_free(ctx->srp_ctx.g);
     BN_free(ctx->srp_ctx.s);
@@ -103,6 +104,7 @@ int SSL_SRP_CTX_free(struct ssl_st *s)
     if (s == NULL)
         return 0;
     OPENSSL_free(s->srp_ctx.login);
+    OPENSSL_free(s->srp_ctx.info);
     BN_free(s->srp_ctx.N);
     BN_free(s->srp_ctx.g);
     BN_free(s->srp_ctx.s);
@@ -156,7 +158,6 @@ int SSL_SRP_CTX_init(struct ssl_st *s)
     s->srp_ctx.b = NULL;
     s->srp_ctx.v = NULL;
     s->srp_ctx.login = NULL;
-    s->srp_ctx.info = ctx->srp_ctx.info;
     s->srp_ctx.strength = ctx->srp_ctx.strength;

     if (((ctx->srp_ctx.N != NULL) &&
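Review bot: With the assignment from `ctx->srp_ctx.info` removed, `s->srp_ctx.info` is the only field in this initialisation run that is never set, yet the `err:` path changed later in this function now passes it to `OPENSSL_free`. When `ctx->srp_ctx.info` is NULL, or when a `goto err` fires before the new `BUF_strdup`, the pointer freed is whatever the `SSL` object held beforehand, which is only safe if the object is guaranteed to be zeroed (not visible here). Replace the removed line with `s->srp_ctx.info = NULL;` so it matches the neighbouring `b`, `v` and `login` resets. The function begins and ends outside this hunk.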
@@ -183,11 +184,18 @@ int SSL_SRP_CTX_init(struct ssl_st *s)
         SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
         goto err;
     }
+    if ((ctx->srp_ctx.info != NULL) &&
+        ((s->srp_ctx.info = BUF_strdup(ctx->srp_ctx.info)) == NULL)) {
+        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
+
     s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;

     return (1);
  err:
     OPENSSL_free(s->srp_ctx.login);
+    OPENSSL_free(s->srp_ctx.info);
     BN_free(s->srp_ctx.N);
     BN_free(s->srp_ctx.g);
     BN_free(s->srp_ctx.s);
@@ -289,7 +297,7 @@ int SSL_set_srp_server_param_pw(SSL *s, const char
*user, const char *pass,
 }

 int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
-                             BIGNUM *sa, BIGNUM *v, char *info)
+                             BIGNUM *sa, BIGNUM *v, const char *info)
 {
     if (N != NULL) {
         if (s->srp_ctx.N != NULL) {
@@ -327,7 +335,12 @@ int SSL_set_srp_server_param(SSL *s, const BIGNUM
*N, const BIGNUM *g,
         } else
             s->srp_ctx.v = BN_dup(v);
     }
-    s->srp_ctx.info = info;
+    if(info!=NULL) {
+        if(s->srp_ctx.info != NULL )
+            OPENSSL_free(s->srp_ctx.info);
+        if((s->srp_ctx.info = BUF_strdup(info)) == NULL)
+            return -1;
+    }

     if (!(s->srp_ctx.N) ||
         !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v))
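Review bot: Passing `info == NULL` no longer clears the stored value: the old code assigned unconditionally, whereas the new block is skipped and leaves the previous string attached to the connection. Freeing and resetting first restores that behaviour, `OPENSSL_free(s->srp_ctx.info); s->srp_ctx.info = NULL;` followed by `if (info != NULL && (s->srp_ctx.info = BUF_strdup(info)) == NULL) return -1;`. The explicit NULL guard before `OPENSSL_free` can go, since the context lines in this file call it unguarded. The early `return -1` also fires after the `N` and `v` updates visible above, so a failed allocation appears to leave the parameters half-replaced; whether callers treat -1 as failure should be confirmed, as the function's other return values are outside this hunk.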
@@ -499,14 +512,16 @@ char *SSL_get_srp_userinfo(SSL *s)
 # define tls1_ctx_ctrl ssl3_ctx_ctrl
 # define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl

-int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
+int SSL_CTX_set_srp_username(SSL_CTX *ctx, const char *name)
 {
-    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
+    char* name_tmp = BUF_strdup(name);
+    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name_tmp);
 }

-int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
+int SSL_CTX_set_srp_password(SSL_CTX *ctx, const char *password)
 {
-    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
+    char* pass_tmp = BUF_strdup(password);
+    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, pass_tmp);
 }

 int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
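Review bot: Neither wrapper checks the result of `BUF_strdup`, so an allocation failure reaches the ctrl as NULL and cannot be told apart from a caller who deliberately passed NULL. For the password, the visible ctrl code then stores NULL in `ctx->srp_ctx.info` without raising an error, so the application may believe a password is configured when none is. Test the copy before the call, e.g. `if (password != NULL && pass_tmp == NULL) return 0;`, and do the same for `name_tmp`. A one-line comment on each function stating that the string is copied and the caller keeps ownership of its argument would document the new contract.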


