Ticket metadata
The Basics
Id: 1794
Status: open
Priority: 0/
Queue: OpenSSL-Bugs

Custom Fields
Milestone: (no value)
Subsystem: (no value)
Severity: (no value)
Broken in: (no value)

People
Owner: Stephen Henson
Requestors: Tom Wu
Cc:
AdminCc:

Attachments
alert-20111031.patch
head-20111123.patch
head-20111211.patch
head_20111219_srp.patch
openssl-1.0.1-0314+srp-patch.txt
openssl-1.0.1-0314+srp-patchv2.txt
srp-openssl-20090513-patch.txt
srp-openssl-20090603-patch.txt
srp-openssl-20090713-patch.txt
srp-openssl-20090803-patch.txt
srp-openssl-20090909-patch.txt
srp-openssl-20091030-patch.txt
srp-openssl-20091218-patch.txt
srp-openssl-20100208-patch.txt
srp-openssl-20100908-patch.txt
srp-openssl-20101229-patch.txt
srp-openssl-20110306-patch.txt
srp-openssl099-1125-patch1.txt
srp-openssl099-1201-patch1.txt
srp-openssl099-1210-patch.txt
srp-openssl099-20090113-patch.txt
srp-openssl099-20090304-patch.txt
srp-openssl099-20090401-patch.txt
srp-openssl099-20090410-patch.txt
srp.patch
srp2.patch
stable-20111123.patch
stable-20111211.patch
stable_20111219_srp.patch

Dates
Created: Thu Nov 27 07:45:29 2008
Starts: Not set
Started: Not set
Last Contact: Tue Dec 20 10:14:37 2011
Due: Not set
Closed: Wed Mar 16 13:15:04 2011
Updated: Tue Dec 20 10:14:37 2011 by Peter Sylvester



CC: <crypt@bxa.doc.gov>
Subject: [PATCH] SRP in OpenSSL 0.9.9
Date: Wed, 26 Nov 2008 13:52:54 -0800
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch is the first portion of SRP (RFC 5054) support in OpenSSL.

The original work to add SRP to OpenSSL was done by the EdelKey project
(http://www.edelweb.fr/EdelKey/). I am updating these patches for the
latest development version of OpenSSL (0.9.9) and submitting them for
integration.

This first patch only includes support for the 'crypto/srp' directory
and the 'openssl/srp' command, as well as the 'no-srp' conditional
compilation directive in 'configure'. This does NOT yet include support
for TLS/SRP ciphersuites, which will be added in an upcoming patch.

This patch applies cleanly against the 20081125 and 20081126 dev
snapshots.

> [thomwu@cisco.com - Thu Nov 27 07:45:29 2008]:
>
> This patch is the first portion of SRP (RFC 5054) support in OpenSSL.
>
> The original work to add SRP to OpenSSL was done by the EdelKey project
> (http://www.edelweb.fr/EdelKey/). I am updating these patches for the
> latest development version of OpenSSL (0.9.9) and submitting them for
> integration.
>
> This first patch only includes support for the 'crypto/srp' directory
> and the 'openssl/srp' command, as well as the 'no-srp' conditional
> compilation directive in 'configure'. This does NOT yet include support
> for TLS/SRP ciphersuites, which will be added in an upcoming patch.
>
> This patch applies cleanly against the 20081125 and 20081126 dev
> snapshots.
>
>

A few initial comments.

The copyright notice in srp.c gives the impression Eric Young wrote that
file... I'm assuming he didn't and it is a combination of work from
other files in apps he did write.

The indentation in srp.c (perhaps as a result) is very inconsistent.

Indentation in other files doesn't follow the "standard" of the rest of
OpenSSL (well most of it).

In a couple of files the low level SHA1 digest API is used directly.
That should be avoided because it precludes use of ENGINEs in future.
Use EVP instead.
Subject: [openssl.org #1794] updated patch for SRP
Date: Mon, 1 Dec 2008 17:03:58 -0800
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This updated patch supersedes the previous patch submitted for this
issue and addresses the issues raised earlier. This patch also includes
the 'srptest' unit test. This patch applies cleanly against the
20081201 dev snapshot.

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 0.9.9
Date: Mon, 15 Dec 2008 10:52:12 -0800
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 0.9.9. SRP
ciphersuites are implemented in libssl, and the SRP algorithm is
implemented in "crypto/srp". This patch applies cleanly to the 20081215
dev snapshot and supersedes the earlier patches submitted under this
ticket. A unit test for SRP is included, and the integration tests have
also been extended to cover the SRP ciphersuites.

Please incorporate this patch into 0.9.9, and send me any comments or
suggestions. I am working with a group at Cisco that is looking forward
to using SRP ciphersuites in an upcoming product. Thanks for the
helpful comments on the previous patches - they were very useful towards
improving the patches for this submission.

Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 0.9.9 (updated)
Date: Wed, 14 Jan 2009 14:58:46 -0800
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 0.9.9, and has been
updated to apply cleanly to the 20090113 dev snapshot. This version of
the patch supersedes the earlier patches submitted under this ticket.
Please let me know if the code is ready to be integrated into 0.9.9-dev,
or if there are any improvements still needed.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 0.9.9 (updated)
Date: Wed, 4 Mar 2009 15:30:07 -0800
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 0.9.9, and has been
updated to apply cleanly to the 20090304 dev snapshot. This version of
the patch supersedes the earlier patches submitted under this ticket.
Please let me know what the next steps are for the integration of this
patch into OpenSSL 0.9.9.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 0.9.9 and 1.0.0 (updated)
Date: Thu, 2 Apr 2009 15:41:28 -0700
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 0.9.9, and has been
updated to apply cleanly to the 20090402 dev snapshot as well as 1.0.0
beta1. This version of the patch supersedes the earlier patches submitted
under this ticket. Please let me know what the next steps are for the
integration of this patch into OpenSSL 0.9.9 and 1.0.0.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 0.9.9 and 1.0.0 (updated)
Date: Fri, 10 Apr 2009 16:07:05 -0700
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 0.9.9, and has been
updated to apply cleanly to the 20090410 dev snapshot as well as the
0410 snapshot of 1.0.0. This version of the patch supersedes the earlier
patches submitted under this ticket. Please let me know what the next
steps are for the integration of this patch into OpenSSL 0.9.9 and
1.0.0.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 0.9.9 and 1.0.0 (updated)
Date: Wed, 13 May 2009 15:45:06 -0700
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 0.9.9, and has been
updated to apply cleanly to the 20090513 dev snapshot. This version of
the patch supersedes the earlier patches submitted under this ticket.
Please let me know what the next steps are for the integration of this
patch into OpenSSL 0.9.9 and 1.0.0.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.0 and 1.1.0 (updated)
Date: Wed, 3 Jun 2009 11:34:47 -0700
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 0.9.9, and has been
updated to apply cleanly to the 20090603 dev snapshot. This version of
the patch supersedes the earlier patches submitted under this ticket.
Please let me know what the next steps are for the integration of this
patch into OpenSSL 1.0.0 and 1.1.0.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.0 and 1.1.0 (updated)
Date: Mon, 13 Jul 2009 11:25:05 -0700
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 1.0.0 and 1.1.0, and
has been updated to apply cleanly to the 20090713 dev snapshot. This
version of the patch supersedes the earlier patches submitted under this
ticket.
Please let me know what the next steps are for the integration of this
patch into OpenSSL 1.0.0 and 1.1.0.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.0 and 1.1.0 (updated)
Date: Mon, 3 Aug 2009 13:54:40 -0700
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 1.0.0 and 1.1.0, and
has been updated to apply cleanly to the 20090803 dev snapshot. This
version of the patch supersedes the earlier patches submitted under this
ticket. Please let me know what the next steps are for the integration
of this patch into OpenSSL 1.0.0 and 1.1.0.

Thanks,
Tom

> [thomwu@cisco.com - Mon Aug 03 22:01:43 2009]:
>
> This patch adds full RFC 5054 support in OpenSSL 1.0.0 and 1.1.0, and
> has been updated to apply cleanly to the 20090803 dev snapshot. This
> version of the patch supersedes the earlier patches submitted under this
> ticket. Please let me know what the next steps are for the integration
> of this patch into OpenSSL 1.0.0 and 1.1.0.
>

Since 1.0.0 is in a feature freeze this won't be applied to that. After
1.0.0 release it can be considered for 1.0.1 and 1.1.0.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Subject: [openssl.org #1794] [PATCH] SRP in OpenSSL 0.9.9
Date: Wed, 9 Sep 2009 15:06:02 -0700
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
> Since 1.0.0 is in a feature freeze this won't be applied to
> that. After 1.0.0 release it can be considered for 1.0.1 and 1.1.0.
>
> Steve.

I've updated the patch for the 2009-09-09 main line snapshot. Let me
know if there are any other changes that should be made before
integrating the patch into either 1.0.1 or 1.1.0.

Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Fri, 30 Oct 2009 15:47:48 -0700
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 1.0.1 and 1.1.0, and
has been updated to apply cleanly to the 20091030 dev snapshot. This
version of the patch supersedes the earlier patches submitted under this
ticket. Please let me know what the next steps are for the integration
of this patch into OpenSSL 1.0.1 and 1.1.0.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Fri, 18 Dec 2009 13:07:18 -0800
To: <rt@openssl.org>
From: "Thomas Wu (thomwu)" <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 1.0.1 and 1.1.0, and
has been updated to apply cleanly to the 20091218 dev snapshot. This
version of the patch supersedes the earlier patches submitted under this
ticket. Please let me know what the next steps are for the integration
of this patch into OpenSSL 1.0.1 and 1.1.0.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Mon, 08 Feb 2010 16:53:28 -0800
To: <rt@openssl.org>
From: thomwu <thomwu@cisco.com>
This patch adds full RFC 5054 support in OpenSSL 1.0.1 and 1.1.0, and
has been updated to apply cleanly to the 20100208 dev snapshot. This
version of the patch supersedes the earlier patches submitted under this
ticket. Please let me know what the next steps are for the integration
of this patch into OpenSSL 1.0.1 and 1.1.0.

Thanks,
Tom
Download srp-openssl-20100208-patch.txt
application/octet-stream 164k

CC: thomwu@cisco.com
Subject: Re: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Mon, 6 Sep 2010 13:38:16 -0400
To: rt@openssl.org
From: Jeffrey Walton <noloader@gmail.com>
Hi Thomas,

[rt@openssl.org email corrected]

Looking at the latest SRP patch [1], I noticed the use of RAND_bytes:
lines 5047 and 5222. Bytes acquired at 5047 are subsequently used in a
call to generate B's key pair, while the call at 5222 is later used
for A's key pair generation.

According to the OpenSSL documentation on RAND_bytes [2], RAND_bytes
returns 1 on success, 0 otherwise. But it appears the current
implementation does not detect a possible failure, which might get a
user into trouble under [presumably] a narrowly limited set of
circumstances.

I understand the documentation is not always up to date (the dev team
is usually busy doing what they do best - developing), so I might be
wrong on the whole return value/failure thing.

OT: I look forward to seeing SRP incorporated into OpenSSL (both RFC
2945 and RFC 5054). They are both very helpful when needed.

Jeffrey Walton

[1] http://rt.openssl.org/Ticket/Attachment/25682/12416/srp-openssl-20100208-patch.txt
[2] RAND_bytes, http://www.openssl.org/docs/crypto/RAND_bytes.html
CC: thomwu@cisco.com
Subject: Re: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Mon, 6 Sep 2010 13:53:08 -0400
To: rt@openssl.org
From: Jeffrey Walton <noloader@gmail.com>
Hi Thomas,

Looking at the latest SRP patch [1], I noticed the use of
RAND_pseudo_bytes. I believe RAND_pseudo_bytes is sufficient for salts
and other public values. But it does appear that RAND_pseudo_bytes is
being used for keying material at lines 3171 and 3187. The bytes
acquired at 3171 and 3187 are then used to generate A's and B's key
pairs.

According to the OpenSSL documentation on RAND_pseudo_bytes [2],
RAND_pseudo_bytes might not be suitable for keying material:
"RAND_pseudo_bytes() will be unique if they are of sufficient length,
but are not necessarily unpredictable. They can be used for
non-cryptographic purposes and for certain purposes in cryptographic
protocols, but usually not for key generation etc."

I understand the documentation is not always up to date (the dev team
is usually busy doing what they do best - developing), so I might be
wrong on the use of RAND_pseudo_bytes.

Jeffrey Walton

[1] http://rt.openssl.org/Ticket/Attachment/25682/12416/srp-openssl-20100208-patch.txt
[2] RAND_bytes, http://www.openssl.org/docs/crypto/RAND_bytes.html
CC: thomwu@cisco.com
Subject: Re: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Mon, 6 Sep 2010 14:13:13 -0400
To: rt@openssl.org
From: Jeffrey Walton <noloader@gmail.com>
Hi Thomas,

Looking at the latest SRP patch [1], I noticed the patch was not
zeroizing all keying buffers used with RAND_bytes [and perhaps
erroneously RAND_pseudo_bytes]. For example, a particular buffer is
last used in routine run_srp(const char *username, ...) at line 3171.
But the buffer is not zeroized on exit even though due diligence is
applied to the subsequent BIGNUM (which is cleared with
BN_clear_free).

Jeffrey Walton

[1] http://rt.openssl.org/Ticket/Attachment/25682/12416/srp-openssl-20100208-patch.txt
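
Added example (not code from the patch or from OpenSSL) for two of the review points raised in the messages above: check the RNG's return value before the bytes are used as keying material, and zeroize the buffer on every exit path. `rand_fn` mirrors the documented RAND_bytes contract; `derive_with_secret`, `cleanse` (a stand-in for OPENSSL_cleanse), the two constructed RNGs and `count_use` are hypothetical names, chosen so the block builds without libcrypto.

```c
#include <stddef.h>
#include <stdio.h>

/* Same contract as OpenSSL's RAND_bytes(): returns 1 on success, 0 otherwise. */
typedef int (*rand_fn)(unsigned char *buf, int num);
/* Hypothetical consumer that turns the secret bytes into a key pair. */
typedef int (*use_secret_fn)(const unsigned char *secret, int len, void *ctx);

/* Stand-in for OPENSSL_cleanse(): volatile stores are not optimized away. */
static void cleanse(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/*
 * Fill `secret` from `rng`, hand it to `use` only if the RNG reported
 * success, and wipe the buffer on every exit path. Returns 1 on success.
 */
int derive_with_secret(rand_fn rng, unsigned char *secret, int len,
                       use_secret_fn use, void *ctx)
{
    int ok = 0;

    if (rng == NULL || use == NULL || secret == NULL || len <= 0)
        return 0;
    if (rng(secret, len) == 1)          /* never proceed on a failed RNG */
        ok = (use(secret, len, ctx) == 1);
    cleanse(secret, (size_t)len);       /* runs on success and on failure */
    return ok;
}

/* Constructed RNG that fails after a partial write, to exercise the error path. */
int failing_rng(unsigned char *buf, int num)
{
    int i;
    for (i = 0; i < num / 2; i++)
        buf[i] = 0xAA;
    return 0;
}

/* Constructed RNG that succeeds with a fixed pattern; NOT random, demo only. */
int pattern_rng(unsigned char *buf, int num)
{
    int i;
    for (i = 0; i < num; i++)
        buf[i] = (unsigned char)(i + 1);
    return 1;
}

/* Constructed consumer: counts how often secret material was accepted. */
int count_use(const unsigned char *secret, int len, void *ctx)
{
    (void)secret;
    (void)len;
    ++*(int *)ctx;
    return 1;
}

/* Returns 1 if every byte of buf is zero. */
int all_zero(const unsigned char *buf, int len)
{
    int i;
    for (i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    unsigned char secret[32];
    int used = 0;
    int r1 = derive_with_secret(failing_rng, secret, 32, count_use, &used);
    printf("failing RNG: ret=%d used=%d wiped=%d\n", r1, used, all_zero(secret, 32));
    int r2 = derive_with_secret(pattern_rng, secret, 32, count_use, &used);
    printf("working RNG: ret=%d used=%d wiped=%d\n", r2, used, all_zero(secret, 32));
    return 0;
}
```

In OpenSSL code, pass RAND_bytes as `rng` and call OPENSSL_cleanse in place of the local `cleanse`.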
Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Thu, 9 Sep 2010 11:27:18 -0700 (PDT)
To: rt@openssl.org
From: Tom Wu <tjw@CS.Stanford.EDU>
This patch adds full RFC 5054 support in OpenSSL 1.0.1 and 1.1.0,
and has been updated to apply cleanly to the 20100908 dev snapshot.
This version of the patch incorporates recent feedback from Jeffrey
Walton, and supersedes the earlier patches submitted under this ticket.

Please let me know what the next steps are for the integration of this
patch into OpenSSL 1.0.1 and 1.1.0.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Wed, 29 Dec 2010 21:23:10 -0800 (PST)
To: rt@openssl.org
From: Tom Wu <tjw@CS.Stanford.EDU>
This patch adds full RFC 5054 support in OpenSSL 1.0.1 and 1.1.0,
and has been updated to apply cleanly to the 20101229 dev snapshot.
This version of the patch supersedes the earlier patches submitted
under this ticket. Please let me know what the next steps are for
the integration of this patch into OpenSSL 1.0.1 and 1.1.0.

Thanks,
Tom

Subject: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Sun, 6 Mar 2011 00:14:42 -0800 (PST)
To: rt@openssl.org
From: Tom Wu <tjw@CS.Stanford.EDU>
This patch adds full RFC 5054 support in OpenSSL 1.0.1 and 1.1.0,
and has been updated to apply cleanly to the 201110306 dev snapshot.
This version of the patch supersedes the earlier patches submitted
under this ticket. Please let me know what the next steps are for
the integration of this patch into OpenSSL 1.0.1 and 1.1.0.

libcurl has added TLS-SRP support via GNUtls but not yet for openssl.
Once this patch is in the trunk I will ask the curl dev team to enable it
for both libraries so that strong password authentication works in curl
when linked against openssl.

Thanks,
Tom

> [tjw@CS.Stanford.EDU - Sun Mar 06 09:44:49 2011]:
>
> This patch adds full RFC 5054 support in OpenSSL 1.0.1 and 1.1.0,
> and has been updated to apply cleanly to the 201110306 dev snapshot.
> This version of the patch supersedes the earlier patches submitted
> under this ticket. Please let me know what the next steps are for
> the integration of this patch into OpenSSL 1.0.1 and 1.1.0.

I have reviewed and revised this patch. I attach the revised patch (against HEAD).

What you need to do:

1. Provide a patch that patches cleanly against 1.0.1. The existing patch does not. Use
the patch I have uploaded as a basis - it was a considerable effort to correct the
various problems with it.

2. Ensure the patch compiles clean with the developer options set (see Configure).

3. Do not add new elements in the middle of structures: they must always be added at
the end.

4. Be consistent about punctuation, and conform with OpenSSL's style (admittedly this
is not 100% uniform, but this patch introduces even more vagaries). In particular,
there is no space after a '*', there should be a space after a ',' and around binary
operators. I have corrected some but not all of these problems.

5. Avoid casts if at all possible.

6. Mark things as const where possible.

I will commit the change to HEAD shortly, so if you make further changes, don't forget
to update first.

Please review my revisions.

Download srp.patch
application/octet-stream 184k

Subject: Re: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Mon, 14 Mar 2011 11:21:25 -0700 (PDT)
To: rt@openssl.org
From: Tom Wu <tjw@CS.Stanford.EDU>
> 1. Provide a patch that patches cleanly against 1.0.1.
> The existing patch does not. Use the patch I have uploaded
> as a basis - it was a considerable effort to
> correct the various problems with it.

I have taken your patch and ported your fixes over to the 1.0.1
version of the TLS-SRP patch, which should apply cleanly against
the 0314 1.0.1 branch snapshot (please see attached).

The HEAD commit looks good; the only change I would suggest at
this time is to use this e-mail address (tjw@cs.stanford.edu)
for the comment in CHANGES; the Cisco e-mail address is no longer
active.

Tom

Subject: Re: [openssl.org #1794] [PATCH] SRP ciphersuites in 1.0.1 and 1.1.0 (updated)
Date: Mon, 14 Mar 2011 14:57:28 -0700 (PDT)
To: rt@openssl.org
From: Tom Wu <tjw@CS.Stanford.EDU>
This updated patch for 1.0.1-stable also fixes additional
warnings/errors when built with developer options set.

Tom

CC: Alain Knaff via RT <rt@openssl.org>
Subject: [openssl.org #1794] patch to document unknown_psk_identify alert
Date: Mon, 07 Nov 2011 12:28:53 +0100
To: openssl-dev@openssl.org
From: Peter Sylvester <peter.sylvester@edelweb.fr>
Hello,

enclosed please find a patch to document and recognize
the unknown_psk_identity alert:

- In the s_cb.c callback
- in the documentation of SSL_alert_type_string

In addition, it removes a pre-RFC 5054 string from ssl_stat.c

regards
Peter
Download alert-20111031.patch
text/x-patch 1.8k

> [Peter.Sylvester@EdelWeb.fr - Mon Nov 07 18:04:06 2011]:
>
> Hello,
>
> enclosed please find a patch to document and recognize
> the unknown_psk_identity alert:
>
> - In the s_cb.c callback
> - in the documentation of SSL_alert_type_string
>
> In addition, it removes a pre-RFC 5054 string from ssl_stat.c
>

Applied.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
CC: "Dr. Stephen Henson" <steve@openssl.org>
Subject: [openssl.org #1794] [PATCH] SRP in OpenSSL 0.9.9
Date: Tue, 15 Nov 2011 17:33:15 +0100
To: rt@openssl.org
From: Peter Sylvester <peter.sylvester@edelweb.fr>
Enclosed a second patch to make ssl conformant to rfc 5054.

patch is to the stable snapshot of 11/14

Changes are:

- removal of the addition state after client hello
- removal of all pre-rfc srp alert ids
- sending a fatal alert when there is no srp extension but when the
server wants SRP
- removal of unnecessary code in the client.

have fun
Download srp2.patch
text/x-patch 11.6k

CC: "Dr. Stephen Henson" <steve@openssl.org>
Subject: [openssl.org #1794] [PATCH] SRP in OpenSSL 0.9.9
Date: Wed, 23 Nov 2011 17:30:33 +0100
To: rt@openssl.org
From: Peter Sylvester <peter.sylvester@edelweb.fr>
Enclosed a revised patch to make ssl conformant to the RFC 5054.

The two patches are for the head and the stable release since
the code parts differ too much.
Download head-20111123.patch
text/x-patch 8.6k

Download stable-20111123.patch
text/x-patch 9.2k

CC: "Dr. Stephen Henson" <steve@openssl.org>
Subject: [openssl.org #1794] [PATCH] SRP in OpenSSL 0.9.9
Date: Sun, 11 Dec 2011 17:51:06 +0100
To: rt@openssl.org
From: Peter Sylvester <peter.sylvester@edelweb.fr>
Enclosed two patches for head and stable to remove unnecessary code
for srp and to add some comments to s_client.

- the callback to provide a user during client connect is
no longer necessary since rfc 5054 a connection attempt
with an srp cipher and no user is terminated when the
cipher is acceptable

- comments to indicate in s_client the (non-)usefulness of
the primality tests for non known group parameters.

Download head-20111211.patch
text/x-patch 11.4k

> [Peter.Sylvester@EdelWeb.fr - Sun Dec 11 17:51:10 2011]:
>
> Enclosed two patches for head and stable to remove unnecessary code
> for srp and to add some comments to s_client.
>

Applied.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
CC: "Dr. Stephen Henson" <steve@openssl.org>
Subject: [openssl.org #1794] [PATCH] SRP in OpenSSL 0.9.9
Date: Mon, 19 Dec 2011 16:36:36 +0100
To: rt@openssl.org
From: Peter Sylvester <peter.sylvester@edelweb.fr>
Enclosed two patches for head and stable to finish cleanup
for this ticket.

- leaving a trace in CHANGES

- removing some unnecessary SSL_err and permitting
an srp user callback to allow a worker to obtain
a user verifier.

- cleanup and comments in s_server and demonstration
for asynchronous srp user lookup
