[openssl-dev] [openssl.org #3707] [PATCH] Constness in SSL_CTX_set_srp_username and SSL_CTX_set_srp_password functions
Krzysztof Kwiatkowski via RT
rt at openssl.org
Wed Feb 18 21:03:02 UTC 2015
Hi Guys,
Tickets #3705 and #3709 can be closed as they are exactly same as this one.
I've sent same mail few times. Sorry for inconvenience.
Kris
On 02/17/2015 10:49 PM, Krzysztof Kwiatkowski via RT wrote:
> Currently SSL_CTX_set_srp_username/password functions take char*
> argument for username/password value. In an application level code those
> values are very often const (user provided data). In such cases, when
> passing those values to OpenSSL library either dirty cast needs to be
> performed to remove constness, or const value needs to be copied to
> temporary location (which for SSL_CTX_set_srp_username is useless as
> this function copies again username value in ssl3_ctx_ctrl function).
>
> In this patch I try to cleanup API, so that const values also can be
> passed to functions. Please integrate if interested.
>
> The diff is available as PR in github:
> https://github.com/openssl/openssl/pull/227
>
> Operating system: ALL
> Versions: ALL
>
>
> diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
> index ab19eeb..a464199 100644
> --- a/ssl/s3_lib.c
> +++ b/ssl/s3_lib.c
> @@ -4007,7 +4007,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long
> larg, void *parg)
> SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
> return 0;
> }
> - if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) {
> + if ((ctx->srp_ctx.login = (char *)parg) == NULL) {
> SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
> return 0;
> }
> @@ -4015,6 +4015,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long
> larg, void *parg)
> case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
> ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
> srp_password_from_info_cb;
> + if(ctx->srp_ctx.info != NULL)
> + OPENSSL_free(ctx->srp_ctx.info);
> ctx->srp_ctx.info = parg;
> break;
> case SSL_CTRL_SET_SRP_ARG:
> diff --git a/ssl/ssl.h b/ssl/ssl.h
> index 13fb053..cf0c5ab 100644
> --- a/ssl/ssl.h
> +++ b/ssl/ssl.h
> @@ -1545,8 +1545,8 @@ X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX
> *ctx);
> X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
>
> # ifndef OPENSSL_NO_SRP
> -int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
> -int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
> +int SSL_CTX_set_srp_username(SSL_CTX *ctx, const char *name);
> +int SSL_CTX_set_srp_password(SSL_CTX *ctx, const char *password);
> int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
> int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
> char *(*cb) (SSL *, void *));
> @@ -1557,7 +1557,7 @@ int SSL_CTX_set_srp_username_callback(SSL_CTX
> *ctx,
> int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
>
> int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
> - BIGNUM *sa, BIGNUM *v, char *info);
> + BIGNUM *sa, BIGNUM *v, const char *info);
> int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char
> *pass,
> const char *grp);
>
> diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
> index 33d398f..a054b70 100644
> --- a/ssl/tls_srp.c
> +++ b/ssl/tls_srp.c
> @@ -71,6 +71,7 @@ int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
> if (ctx == NULL)
> return 0;
> OPENSSL_free(ctx->srp_ctx.login);
> + OPENSSL_free(ctx->srp_ctx.info);
> BN_free(ctx->srp_ctx.N);
> BN_free(ctx->srp_ctx.g);
> BN_free(ctx->srp_ctx.s);
> @@ -103,6 +104,7 @@ int SSL_SRP_CTX_free(struct ssl_st *s)
> if (s == NULL)
> return 0;
> OPENSSL_free(s->srp_ctx.login);
> + OPENSSL_free(s->srp_ctx.info);
> BN_free(s->srp_ctx.N);
> BN_free(s->srp_ctx.g);
> BN_free(s->srp_ctx.s);
> @@ -156,7 +158,6 @@ int SSL_SRP_CTX_init(struct ssl_st *s)
> s->srp_ctx.b = NULL;
> s->srp_ctx.v = NULL;
> s->srp_ctx.login = NULL;
> - s->srp_ctx.info = ctx->srp_ctx.info;
> s->srp_ctx.strength = ctx->srp_ctx.strength;
>
> if (((ctx->srp_ctx.N != NULL) &&
> @@ -183,11 +184,18 @@ int SSL_SRP_CTX_init(struct ssl_st *s)
> SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
> goto err;
> }
> + if ((ctx->srp_ctx.info != NULL) &&
> + ((s->srp_ctx.info = BUF_strdup(ctx->srp_ctx.info)) == NULL)) {
> + SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
> + goto err;
> + }
> +
> s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
>
> return (1);
> err:
> OPENSSL_free(s->srp_ctx.login);
> + OPENSSL_free(s->srp_ctx.info);
> BN_free(s->srp_ctx.N);
> BN_free(s->srp_ctx.g);
> BN_free(s->srp_ctx.s);
> @@ -289,7 +297,7 @@ int SSL_set_srp_server_param_pw(SSL *s, const char
> *user, const char *pass,
> }
>
> int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
> - BIGNUM *sa, BIGNUM *v, char *info)
> + BIGNUM *sa, BIGNUM *v, const char *info)
> {
> if (N != NULL) {
> if (s->srp_ctx.N != NULL) {
> @@ -327,7 +335,12 @@ int SSL_set_srp_server_param(SSL *s, const BIGNUM
> *N, const BIGNUM *g,
> } else
> s->srp_ctx.v = BN_dup(v);
> }
> - s->srp_ctx.info = info;
> + if(info!=NULL) {
> + if(s->srp_ctx.info != NULL )
> + OPENSSL_free(s->srp_ctx.info);
> + if((s->srp_ctx.info = BUF_strdup(info)) == NULL)
> + return -1;
> + }
>
> if (!(s->srp_ctx.N) ||
> !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v))
> @@ -499,14 +512,16 @@ char *SSL_get_srp_userinfo(SSL *s)
> # define tls1_ctx_ctrl ssl3_ctx_ctrl
> # define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
>
> -int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
> +int SSL_CTX_set_srp_username(SSL_CTX *ctx, const char *name)
> {
> - return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0,
> name);
> + char* name_tmp = BUF_strdup(name);
> + return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0,
> name_tmp);
> }
>
> -int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
> +int SSL_CTX_set_srp_password(SSL_CTX *ctx, const char *password)
> {
> - return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0,
> password);
> + char* pass_tmp = BUF_strdup(password);
> + return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0,
> pass_tmp);
> }
>
> int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
>
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
More information about the openssl-dev
mailing list