Add support for TLS-SRP (Secure Remote Password key exchange

for TLS, RFC 5054). Including some improvements as suggested by Kaspar PR: 51075 Submitted by: Quinn Slack <sqs cs stanford edu>, Christophe Renou, Peter Sylvester Backported by: sf Reviewed by: sf, minfrin, rjung Backports of r1347980 and r1348653 form trunk. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1420057 13f79535-47bb-0310-9956-ffa450edef68
2025-08-06 11:06:17 +00:00 · 2012-12-11 09:55:03 +00:00
parent b5f8df88da
commit ad61aab1d7
11 changed files with 253 additions and 12 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@ -526,6 +526,38 @@ static void ssl_init_ctx_tls_extensions(server_rec *s,
        modssl_init_stapling(s, p, ptemp, mctx);
    }
 #endif
+
+#ifndef OPENSSL_NO_SRP
+    /*
+     * TLS-SRP support
+     */
+    if (mctx->srp_vfile != NULL) {
+        int err;
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02308)
+                     "Using SRP verifier file [%s]", mctx->srp_vfile);
+
+        if (!(mctx->srp_vbase = SRP_VBASE_new(mctx->srp_unknown_user_seed))) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02309)
+                         "Unable to initialize SRP verifier structure "
+                         "[%s seed]",
+                         mctx->srp_unknown_user_seed ? "with" : "without");
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+            ssl_die(s);
+        }
+
+        err = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
+        if (err != SRP_NO_ERROR) {
+            ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02310)
+                         "Unable to load SRP verifier file [error %d]", err);
+            ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+            ssl_die(s);
+        }
+
+        SSL_CTX_set_srp_username_callback(mctx->ssl_ctx,
+                                          ssl_callback_SRPServerParams);
+        SSL_CTX_set_srp_cb_arg(mctx->ssl_ctx, mctx);
+    }
+#endif
 }
 #endif

@ -1687,6 +1719,13 @@ void ssl_init_Child(apr_pool_t *p, server_rec *s)
 static void ssl_init_ctx_cleanup(modssl_ctx_t *mctx)
 {
    MODSSL_CFG_ITEM_FREE(SSL_CTX_free, mctx->ssl_ctx);
+
+#ifndef OPENSSL_NO_SRP
+    if (mctx->srp_vbase != NULL) {
+        SRP_VBASE_free(mctx->srp_vbase);
+        mctx->srp_vbase = NULL;
+    }
+#endif
 }

 static void ssl_init_ctx_cleanup_proxy(modssl_ctx_t *mctx)