[openssl-dev] [openssl.org #3707] [PATCH] Constness in SSL_CTX_set_srp_username and SSL_CTX_set_srp_password functions

Krzysztof Kwiatkowski krzysiek at leeds.pl
Wed Feb 18 21:00:05 UTC 2015 

Hi Guys,

Tickets #3705 and #3709 can be closed as they are exactly same as this one.
I've sent same mail few times. Sorry for inconvenience.

Kris

On 02/17/2015 10:49 PM, Krzysztof Kwiatkowski via RT wrote:
>    Currently SSL_CTX_set_srp_username/password functions take char*
> argument for username/password value. In an application level code those
> values are very often const (user provided data). In such cases, when
> passing those values to OpenSSL library either dirty cast needs to be
> performed to remove  constness, or const value needs to be copied to
> temporary location (which for SSL_CTX_set_srp_username is useless as
> this function copies again username value in ssl3_ctx_ctrl function).
>
> In this patch I try to cleanup API, so that const values also can be
> passed to functions. Please integrate if interested.
>
> The diff is available as PR in github:
> https://github.com/openssl/openssl/pull/227
>
> Operating system: ALL
> Versions: ALL
>
>
> diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
> index ab19eeb..a464199 100644
> --- a/ssl/s3_lib.c
> +++ b/ssl/s3_lib.c
> @@ -4007,7 +4007,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long
> larg, void *parg)
>                SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
>                return 0;
>            }
> -        if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) {
> +        if ((ctx->srp_ctx.login = (char *)parg) == NULL) {
>                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
>                return 0;
>            }
> @@ -4015,6 +4015,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long
> larg, void *parg)
>        case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
>            ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
>                srp_password_from_info_cb;
> +        if(ctx->srp_ctx.info != NULL)
> +          OPENSSL_free(ctx->srp_ctx.info);
>            ctx->srp_ctx.info = parg;
>            break;
>        case SSL_CTRL_SET_SRP_ARG:
> diff --git a/ssl/ssl.h b/ssl/ssl.h
> index 13fb053..cf0c5ab 100644
> --- a/ssl/ssl.h
> +++ b/ssl/ssl.h
> @@ -1545,8 +1545,8 @@ X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX
> *ctx);
>    X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
>
>    # ifndef OPENSSL_NO_SRP
> -int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
> -int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
> +int SSL_CTX_set_srp_username(SSL_CTX *ctx, const char *name);
> +int SSL_CTX_set_srp_password(SSL_CTX *ctx, const char *password);
>    int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
>    int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
>                                            char *(*cb) (SSL *, void *));
> @@ -1557,7 +1557,7 @@ int SSL_CTX_set_srp_username_callback(SSL_CTX
> *ctx,
>    int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
>
>    int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
> -                             BIGNUM *sa, BIGNUM *v, char *info);
> +                             BIGNUM *sa, BIGNUM *v, const char *info);
>    int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char
> *pass,
>                                    const char *grp);
>
> diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
> index 33d398f..a054b70 100644
> --- a/ssl/tls_srp.c
> +++ b/ssl/tls_srp.c
> @@ -71,6 +71,7 @@ int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
>        if (ctx == NULL)
>            return 0;
>        OPENSSL_free(ctx->srp_ctx.login);
> +    OPENSSL_free(ctx->srp_ctx.info);
>        BN_free(ctx->srp_ctx.N);
>        BN_free(ctx->srp_ctx.g);
>        BN_free(ctx->srp_ctx.s);
> @@ -103,6 +104,7 @@ int SSL_SRP_CTX_free(struct ssl_st *s)
>        if (s == NULL)
>            return 0;
>        OPENSSL_free(s->srp_ctx.login);
> +    OPENSSL_free(s->srp_ctx.info);
>        BN_free(s->srp_ctx.N);
>        BN_free(s->srp_ctx.g);
>        BN_free(s->srp_ctx.s);
> @@ -156,7 +158,6 @@ int SSL_SRP_CTX_init(struct ssl_st *s)
>        s->srp_ctx.b = NULL;
>        s->srp_ctx.v = NULL;
>        s->srp_ctx.login = NULL;
> -    s->srp_ctx.info = ctx->srp_ctx.info;
>        s->srp_ctx.strength = ctx->srp_ctx.strength;
>
>        if (((ctx->srp_ctx.N != NULL) &&
> @@ -183,11 +184,18 @@ int SSL_SRP_CTX_init(struct ssl_st *s)
>            SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
>            goto err;
>        }
> +    if ((ctx->srp_ctx.info != NULL) &&
> +        ((s->srp_ctx.info = BUF_strdup(ctx->srp_ctx.info)) == NULL)) {
> +        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
> +        goto err;
> +    }
> +
>        s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
>
>        return (1);
>     err:
>        OPENSSL_free(s->srp_ctx.login);
> +    OPENSSL_free(s->srp_ctx.info);
>        BN_free(s->srp_ctx.N);
>        BN_free(s->srp_ctx.g);
>        BN_free(s->srp_ctx.s);
> @@ -289,7 +297,7 @@ int SSL_set_srp_server_param_pw(SSL *s, const char
> *user, const char *pass,
>    }
>
>    int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
> -                             BIGNUM *sa, BIGNUM *v, char *info)
> +                             BIGNUM *sa, BIGNUM *v, const char *info)
>    {
>        if (N != NULL) {
>            if (s->srp_ctx.N != NULL) {
> @@ -327,7 +335,12 @@ int SSL_set_srp_server_param(SSL *s, const BIGNUM
> *N, const BIGNUM *g,
>            } else
>                s->srp_ctx.v = BN_dup(v);
>        }
> -    s->srp_ctx.info = info;
> +    if(info!=NULL) {
> +        if(s->srp_ctx.info != NULL )
> +            OPENSSL_free(s->srp_ctx.info);
> +        if((s->srp_ctx.info = BUF_strdup(info)) == NULL)
> +            return -1;
> +    }
>
>        if (!(s->srp_ctx.N) ||
>            !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v))
> @@ -499,14 +512,16 @@ char *SSL_get_srp_userinfo(SSL *s)
>    # define tls1_ctx_ctrl ssl3_ctx_ctrl
>    # define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
>
> -int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
> +int SSL_CTX_set_srp_username(SSL_CTX *ctx, const char *name)
>    {
> -    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0,
> name);
> +    char* name_tmp = BUF_strdup(name);
> +    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0,
> name_tmp);
>    }
>
> -int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
> +int SSL_CTX_set_srp_password(SSL_CTX *ctx, const char *password)
>    {
> -    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0,
> password);
> +    char* pass_tmp = BUF_strdup(password);
> +    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0,
> pass_tmp);
>    }
>
>    int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
>
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>

More information about the openssl-dev mailing list