Integrate J-PAKE and TLS-PSK. Increase PSK buffer size. Fix memory leaks.
diff --git a/apps/apps.c b/apps/apps.c
index 455bf28..6a65f94 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2381,7 +2381,7 @@
BIO_free(out);
}
-#ifdef OPENSSL_EXPERIMENTAL_JPAKE
+#if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)
static JPAKE_CTX *jpake_init(const char *us, const char *them,
const char *secret)
@@ -2564,10 +2564,14 @@
jpake_send_step3a(bconn, ctx);
jpake_receive_step3b(ctx, bconn);
- BIO_puts(out, "JPAKE authentication succeeded\n");
+ BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+ psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
BIO_pop(bconn);
BIO_free(bconn);
+
+ JPAKE_CTX_free(ctx);
}
void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
@@ -2589,10 +2593,14 @@
jpake_receive_step3a(ctx, bconn);
jpake_send_step3b(bconn, ctx);
- BIO_puts(out, "JPAKE authentication succeeded\n");
+ BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+ psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
BIO_pop(bconn);
BIO_free(bconn);
+
+ JPAKE_CTX_free(ctx);
}
#endif
diff --git a/apps/apps.h b/apps/apps.h
index 7172edf..62a8659 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -309,6 +309,7 @@
int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param);
#ifdef OPENSSL_EXPERIMENTAL_JPAKE
+extern char *psk_key;
void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
#endif
diff --git a/apps/s_client.c b/apps/s_client.c
index 2319151..05ebff1 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -215,7 +215,7 @@
#ifndef OPENSSL_NO_PSK
/* Default PSK identity and key */
static char *psk_identity="Client_identity";
-static char *psk_key=NULL; /* by default PSK is not used */
+/*char *psk_key=NULL; by default PSK is not used */
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len, unsigned char *psk,
@@ -312,6 +312,9 @@
#ifndef OPENSSL_NO_PSK
BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
+# ifdef OPENSSL_EXPERIMENTAL_JPAKE
+ BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
+# endif
#endif
BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
@@ -724,6 +727,26 @@
goto end;
}
+#if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)
+ if (jpake_secret)
+ {
+ if (psk_key)
+ {
+ BIO_printf(bio_err,
+ "Can't use JPAKE and PSK together\n");
+ goto end;
+ }
+ psk_identity = "JPAKE";
+ }
+
+ if (cipher)
+ {
+ BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
+ goto end;
+ }
+ cipher = "PSK";
+#endif
+
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
@@ -822,10 +845,10 @@
#endif
#ifndef OPENSSL_NO_PSK
- if (psk_key != NULL)
+ if (psk_key != NULL || jpake_secret)
{
if (c_debug)
- BIO_printf(bio_c_out, "PSK key given, setting client callback\n");
+ BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
}
#endif
diff --git a/apps/s_server.c b/apps/s_server.c
index 6b0d340..277b2f0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -302,7 +302,7 @@
#ifndef OPENSSL_NO_PSK
static char *psk_identity="Client_identity";
-static char *psk_key=NULL; /* by default PSK is not used */
+char *psk_key=NULL; /* by default PSK is not used */
static unsigned int psk_server_cb(SSL *ssl, const char *identity,
unsigned char *psk, unsigned int max_psk_len)
@@ -325,7 +325,9 @@
/* here we could lookup the given identity e.g. from a database */
if (strcmp(identity, psk_identity) != 0)
{
- BIO_printf(bio_s_out, "PSK error: client identity not found\n");
+ BIO_printf(bio_s_out, "PSK error: client identity not found"
+ " (got '%s' expected '%s')\n", identity,
+ psk_identity);
goto out_err;
}
if (s_debug)
@@ -448,6 +450,9 @@
#ifndef OPENSSL_NO_PSK
BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
+# ifdef OPENSSL_EXPERIMENTAL_JPAKE
+ BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
+# endif
#endif
BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
@@ -1184,7 +1189,7 @@
}
#endif
-#ifdef OPENSSL_EXPERIMENTAL_JPAKE
+#if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)
else if (strcmp(*argv,"-jpake") == 0)
{
if (--argc < 1) goto bad;
@@ -1207,6 +1212,26 @@
goto end;
}
+#if defined(OPENSSL_EXPERIMENTAL_JPAKE) && !defined(OPENSSL_NO_PSK)
+ if (jpake_secret)
+ {
+ if (psk_key)
+ {
+ BIO_printf(bio_err,
+ "Can't use JPAKE and PSK together\n");
+ goto end;
+ }
+ psk_identity = "JPAKE";
+ }
+
+ if (cipher)
+ {
+ BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
+ goto end;
+ }
+ cipher = "PSK";
+#endif
+
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
@@ -1591,10 +1616,10 @@
#endif
#ifndef OPENSSL_NO_PSK
- if (psk_key != NULL)
+ if (psk_key != NULL || jpake_secret)
{
if (s_debug)
- BIO_printf(bio_s_out, "PSK key given, setting server callback\n");
+ BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n");
SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
}
