Diffstat (limited to 'src/lib/tls')
-rw-r--r--src/lib/tls/credentials_manager.cpp30
-rw-r--r--src/lib/tls/credentials_manager.h42
-rw-r--r--src/lib/tls/msg_client_hello.cpp31
-rw-r--r--src/lib/tls/msg_client_kex.cpp42
-rw-r--r--src/lib/tls/msg_server_kex.cpp44
-rw-r--r--src/lib/tls/tls_algos.cpp5
-rw-r--r--src/lib/tls/tls_algos.h1
-rw-r--r--src/lib/tls/tls_ciphersuite.cpp8
-rw-r--r--src/lib/tls/tls_client.cpp34
-rw-r--r--src/lib/tls/tls_client.h1
-rw-r--r--src/lib/tls/tls_extensions.cpp26
-rw-r--r--src/lib/tls/tls_extensions.h29
-rw-r--r--src/lib/tls/tls_handshake_state.cpp12
-rw-r--r--src/lib/tls/tls_handshake_state.h2
-rw-r--r--src/lib/tls/tls_messages.h29
-rw-r--r--src/lib/tls/tls_policy.cpp8
-rw-r--r--src/lib/tls/tls_policy.h5
-rw-r--r--src/lib/tls/tls_server.cpp30
-rw-r--r--src/lib/tls/tls_session.cpp8
-rw-r--r--src/lib/tls/tls_session.h7
-rw-r--r--src/lib/tls/tls_suite_info.cpp8
21 files changed, 26 insertions, 376 deletions
diff --git a/src/lib/tls/credentials_manager.cpp b/src/lib/tls/credentials_manager.cpp
index 0c5ae9718..aca751d00 100644
--- a/src/lib/tls/credentials_manager.cpp
+++ b/src/lib/tls/credentials_manager.cpp
@@ -30,36 +30,6 @@ SymmetricKey Credentials_Manager::psk(const std::string&,
throw Internal_Error("No PSK set for identity " + identity);
}
-bool Credentials_Manager::attempt_srp(const std::string&,
- const std::string&)
- {
- return false;
- }
-
-std::string Credentials_Manager::srp_identifier(const std::string&,
- const std::string&)
- {
- return "";
- }
-
-std::string Credentials_Manager::srp_password(const std::string&,
- const std::string&,
- const std::string&)
- {
- return "";
- }
-
-bool Credentials_Manager::srp_verifier(const std::string&,
- const std::string&,
- const std::string&,
- std::string&,
- BigInt&,
- std::vector<uint8_t>&,
- bool)
- {
- return false;
- }
-
std::vector<X509_Certificate> Credentials_Manager::find_cert_chain(
const std::vector<std::string>& key_types,
const std::vector<X509_DN>&,
diff --git a/src/lib/tls/credentials_manager.h b/src/lib/tls/credentials_manager.h
index 627894a87..d036a1524 100644
--- a/src/lib/tls/credentials_manager.h
+++ b/src/lib/tls/credentials_manager.h
@@ -121,48 +121,6 @@ class BOTAN_PUBLIC_API(2,0) Credentials_Manager
/**
* @param type specifies the type of operation occurring
* @param context specifies a context relative to type.
- * @return true if we should attempt SRP authentication
- */
- virtual bool attempt_srp(const std::string& type,
- const std::string& context);
-
- /**
- * @param type specifies the type of operation occurring
- * @param context specifies a context relative to type.
- * @return identifier for client-side SRP auth, if available
- for this type/context. Should return empty string
- if password auth not desired/available.
- */
- virtual std::string srp_identifier(const std::string& type,
- const std::string& context);
-
- /**
- * @param type specifies the type of operation occurring
- * @param context specifies a context relative to type.
- * @param identifier specifies what identifier we want the
- * password for. This will be a value previously returned
- * by srp_identifier.
- * @return password for client-side SRP auth, if available
- for this identifier/type/context.
- */
- virtual std::string srp_password(const std::string& type,
- const std::string& context,
- const std::string& identifier);
-
- /**
- * Retrieve SRP verifier parameters
- */
- virtual bool srp_verifier(const std::string& type,
- const std::string& context,
- const std::string& identifier,
- std::string& group_name,
- BigInt& verifier,
- std::vector<uint8_t>& salt,
- bool generate_fake_on_unknown);
-
- /**
- * @param type specifies the type of operation occurring
- * @param context specifies a context relative to type.
* @return the PSK identity hint for this type/context
*/
virtual std::string psk_identity_hint(const std::string& type,
diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp
index 149f3f0d4..3eee06e69 100644
--- a/src/lib/tls/msg_client_hello.cpp
+++ b/src/lib/tls/msg_client_hello.cpp
@@ -89,7 +89,7 @@ Client_Hello::Client_Hello(Handshake_IO& io,
const std::vector<std::string>& next_protocols) :
m_version(client_settings.protocol_version()),
m_random(make_hello_random(rng, policy)),
- m_suites(policy.ciphersuite_list(m_version, !client_settings.srp_identifier().empty())),
+ m_suites(policy.ciphersuite_list(m_version)),
m_comp_methods(1)
{
if(!policy.acceptable_protocol_version(m_version))
@@ -125,15 +125,6 @@ Client_Hello::Client_Hello(Handshake_IO& io,
if(m_version.is_datagram_protocol())
m_extensions.add(new SRTP_Protection_Profiles(policy.srtp_profiles()));
-#if defined(BOTAN_HAS_SRP6)
- m_extensions.add(new SRP_Identifier(client_settings.srp_identifier()));
-#else
- if(!client_settings.srp_identifier().empty())
- {
- throw Invalid_State("Attempting to initiate SRP session but TLS-SRP support disabled");
- }
-#endif
-
std::unique_ptr<Supported_Groups> supported_groups(new Supported_Groups(policy.key_exchange_groups()));
if(supported_groups->ec_groups().size() > 0)
@@ -165,7 +156,7 @@ Client_Hello::Client_Hello(Handshake_IO& io,
m_version(session.version()),
m_session_id(session.session_id()),
m_random(make_hello_random(rng, policy)),
- m_suites(policy.ciphersuite_list(m_version, (session.srp_identifier() != ""))),
+ m_suites(policy.ciphersuite_list(m_version)),
m_comp_methods(1)
{
if(!policy.acceptable_protocol_version(m_version))
@@ -201,15 +192,6 @@ Client_Hello::Client_Hello(Handshake_IO& io,
if(session.supports_encrypt_then_mac())
m_extensions.add(new Encrypt_then_MAC);
-#if defined(BOTAN_HAS_SRP6)
- m_extensions.add(new SRP_Identifier(session.srp_identifier()));
-#else
- if(!session.srp_identifier().empty())
- {
- throw Invalid_State("Attempting to resume SRP session but TLS-SRP support disabled");
- }
-#endif
-
if(m_version.supports_negotiable_signature_algorithms())
m_extensions.add(new Signature_Algorithms(policy.allowed_signature_schemes()));
@@ -380,15 +362,6 @@ std::string Client_Hello::sni_hostname() const
return "";
}
-#if defined(BOTAN_HAS_SRP6)
-std::string Client_Hello::srp_identifier() const
- {
- if(SRP_Identifier* srp = m_extensions.get<SRP_Identifier>())
- return srp->identifier();
- return "";
- }
-#endif
-
bool Client_Hello::secure_renegotiation() const
{
return m_extensions.has<Renegotiation_Extension>();
diff --git a/src/lib/tls/msg_client_kex.cpp b/src/lib/tls/msg_client_kex.cpp
index 39266962b..beeede31f 100644
--- a/src/lib/tls/msg_client_kex.cpp
+++ b/src/lib/tls/msg_client_kex.cpp
@@ -23,10 +23,6 @@
#include <botan/cecpq1.h>
#endif
-#if defined(BOTAN_HAS_SRP6)
- #include <botan/srp6.h>
-#endif
-
namespace Botan {
namespace TLS {
@@ -146,36 +142,6 @@ Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io,
append_tls_length_value(m_key_material, ecdh_result.second, 1);
}
-#if defined(BOTAN_HAS_SRP6)
- else if(kex_algo == Kex_Algo::SRP_SHA)
- {
- const BigInt N = BigInt::decode(reader.get_range<uint8_t>(2, 1, 65535));
- const BigInt g = BigInt::decode(reader.get_range<uint8_t>(2, 1, 65535));
- std::vector<uint8_t> salt = reader.get_range<uint8_t>(1, 1, 255);
- const BigInt B = BigInt::decode(reader.get_range<uint8_t>(2, 1, 65535));
-
- const std::string srp_group = srp6_group_identifier(N, g);
-
- const std::string srp_identifier =
- creds.srp_identifier("tls-client", hostname);
-
- const std::string srp_password =
- creds.srp_password("tls-client", hostname, srp_identifier);
-
- std::pair<BigInt, SymmetricKey> srp_vals =
- srp6_client_agree(srp_identifier,
- srp_password,
- srp_group,
- "SHA-1",
- salt,
- B,
- rng);
-
- append_tls_length_value(m_key_material, BigInt::encode(srp_vals.first), 2);
- m_pre_master = srp_vals.second.bits_of();
- }
-#endif
-
#if defined(BOTAN_HAS_CECPQ1)
else if(kex_algo == Kex_Algo::CECPQ1)
{
@@ -313,14 +279,6 @@ Client_Key_Exchange::Client_Key_Exchange(const std::vector<uint8_t>& contents,
append_tls_length_value(m_pre_master, zeros, 2);
append_tls_length_value(m_pre_master, psk.bits_of(), 2);
}
-#if defined(BOTAN_HAS_SRP6)
- else if(kex_algo == Kex_Algo::SRP_SHA)
- {
- SRP6_Server_Session& srp = state.server_kex()->server_srp_params();
-
- m_pre_master = srp.step2(BigInt::decode(reader.get_range<uint8_t>(2, 0, 65535))).bits_of();
- }
-#endif
#if defined(BOTAN_HAS_CECPQ1)
else if(kex_algo == Kex_Algo::CECPQ1)
{
diff --git a/src/lib/tls/msg_server_kex.cpp b/src/lib/tls/msg_server_kex.cpp
index cefb88904..35bd94d1b 100644
--- a/src/lib/tls/msg_server_kex.cpp
+++ b/src/lib/tls/msg_server_kex.cpp
@@ -26,10 +26,6 @@
#include <botan/cecpq1.h>
#endif
-#if defined(BOTAN_HAS_SRP6)
- #include <botan/srp6.h>
-#endif
-
namespace Botan {
namespace TLS {
@@ -137,37 +133,6 @@ Server_Key_Exchange::Server_Key_Exchange(Handshake_IO& io,
append_tls_length_value(m_params, ecdh_public_val, 1);
}
-#if defined(BOTAN_HAS_SRP6)
- else if(kex_algo == Kex_Algo::SRP_SHA)
- {
- const std::string srp_identifier = state.client_hello()->srp_identifier();
-
- std::string group_id;
- BigInt v;
- std::vector<uint8_t> salt;
-
- const bool found = creds.srp_verifier("tls-server", hostname,
- srp_identifier,
- group_id, v, salt,
- policy.hide_unknown_users());
-
- if(!found)
- throw TLS_Exception(Alert::UNKNOWN_PSK_IDENTITY,
- "Unknown SRP user " + srp_identifier);
-
- m_srp_params.reset(new SRP6_Server_Session);
-
- BigInt B = m_srp_params->step1(v, group_id,
- "SHA-1", rng);
-
- DL_Group group(group_id);
-
- append_tls_length_value(m_params, BigInt::encode(group.get_p()), 2);
- append_tls_length_value(m_params, BigInt::encode(group.get_g()), 2);
- append_tls_length_value(m_params, salt, 1);
- append_tls_length_value(m_params, BigInt::encode(B), 2);
- }
-#endif
#if defined(BOTAN_HAS_CECPQ1)
else if(kex_algo == Kex_Algo::CECPQ1)
{
@@ -239,15 +204,6 @@ Server_Key_Exchange::Server_Key_Exchange(const std::vector<uint8_t>& buf,
reader.get_uint16_t(); // curve id
reader.get_range<uint8_t>(1, 1, 255); // public key
}
- else if(kex_algo == Kex_Algo::SRP_SHA)
- {
- // 2 bigints (N,g) then salt, then server B
-
- reader.get_range<uint8_t>(2, 1, 65535);
- reader.get_range<uint8_t>(2, 1, 65535);
- reader.get_range<uint8_t>(1, 1, 255);
- reader.get_range<uint8_t>(2, 1, 65535);
- }
else if(kex_algo == Kex_Algo::CECPQ1)
{
// u16 blob
diff --git a/src/lib/tls/tls_algos.cpp b/src/lib/tls/tls_algos.cpp
index 5c383807b..cdd6cc1b9 100644
--- a/src/lib/tls/tls_algos.cpp
+++ b/src/lib/tls/tls_algos.cpp
@@ -38,8 +38,6 @@ std::string kex_method_to_string(Kex_Algo method)
return "ECDH";
case Kex_Algo::CECPQ1:
return "CECPQ1";
- case Kex_Algo::SRP_SHA:
- return "SRP_SHA";
case Kex_Algo::PSK:
return "PSK";
case Kex_Algo::DHE_PSK:
@@ -65,9 +63,6 @@ Kex_Algo kex_method_from_string(const std::string& str)
if(str == "CECPQ1")
return Kex_Algo::CECPQ1;
- if(str == "SRP_SHA")
- return Kex_Algo::SRP_SHA;
-
if(str == "PSK")
return Kex_Algo::PSK;
diff --git a/src/lib/tls/tls_algos.h b/src/lib/tls/tls_algos.h
index 0d3a02304..80bb55224 100644
--- a/src/lib/tls/tls_algos.h
+++ b/src/lib/tls/tls_algos.h
@@ -141,7 +141,6 @@ enum class Kex_Algo {
DH,
ECDH,
CECPQ1,
- SRP_SHA,
PSK,
DHE_PSK,
ECDHE_PSK,
diff --git a/src/lib/tls/tls_ciphersuite.cpp b/src/lib/tls/tls_ciphersuite.cpp
index 738be110b..3e54bcb89 100644
--- a/src/lib/tls/tls_ciphersuite.cpp
+++ b/src/lib/tls/tls_ciphersuite.cpp
@@ -199,13 +199,7 @@ bool Ciphersuite::is_usable() const
return false;
}
- if(kex_method() == Kex_Algo::SRP_SHA)
- {
-#if !defined(BOTAN_HAS_SRP6)
- return false;
-#endif
- }
- else if(kex_method() == Kex_Algo::ECDH || kex_method() == Kex_Algo::ECDHE_PSK)
+ if(kex_method() == Kex_Algo::ECDH || kex_method() == Kex_Algo::ECDHE_PSK)
{
#if !defined(BOTAN_HAS_ECDH)
return false;
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 091e649a9..7b668d48a 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -75,11 +75,8 @@ Client::Client(Callbacks& callbacks,
m_creds(creds),
m_info(info)
{
- const std::string srp_identifier = m_creds.srp_identifier("tls-client", m_info.hostname());
-
Handshake_State& state = create_handshake_state(offer_version);
- send_client_hello(state, false, offer_version,
- srp_identifier, next_protocols);
+ send_client_hello(state, false, offer_version, next_protocols);
}
Handshake_State* Client::new_handshake_state(Handshake_IO* io)
@@ -113,7 +110,6 @@ void Client::initiate_handshake(Handshake_State& state,
void Client::send_client_hello(Handshake_State& state_base,
bool force_full_renegotiation,
Protocol_Version version,
- const std::string& srp_identifier,
const std::vector<std::string>& next_protocols)
{
Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
@@ -140,27 +136,24 @@ void Client::send_client_hello(Handshake_State& state_base,
if(policy().acceptable_ciphersuite(session_info->ciphersuite()) && session_version_ok)
{
- if(srp_identifier == "" || session_info->srp_identifier() == srp_identifier)
- {
- state.client_hello(
- new Client_Hello(state.handshake_io(),
- state.hash(),
- policy(),
- callbacks(),
- rng(),
- secure_renegotiation_data_for_client_hello(),
- *session_info,
- next_protocols));
-
- state.resumed_session = std::move(session_info);
- }
+ state.client_hello(
+ new Client_Hello(state.handshake_io(),
+ state.hash(),
+ policy(),
+ callbacks(),
+ rng(),
+ secure_renegotiation_data_for_client_hello(),
+ *session_info,
+ next_protocols));
+
+ state.resumed_session = std::move(session_info);
}
}
}
if(!state.client_hello()) // not resuming
{
- Client_Hello::Settings client_settings(version, m_info.hostname(), srp_identifier);
+ Client_Hello::Settings client_settings(version, m_info.hostname());
state.client_hello(new Client_Hello(
state.handshake_io(),
state.hash(),
@@ -709,7 +702,6 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
get_peer_cert_chain(state),
session_ticket,
m_info,
- "",
state.server_hello()->srtp_profile()
);
diff --git a/src/lib/tls/tls_client.h b/src/lib/tls/tls_client.h
index 7440e59ef..8528491ce 100644
--- a/src/lib/tls/tls_client.h
+++ b/src/lib/tls/tls_client.h
@@ -75,7 +75,6 @@ class BOTAN_PUBLIC_API(2,0) Client final : public Channel
void send_client_hello(Handshake_State& state,
bool force_full_renegotiation,
Protocol_Version version,
- const std::string& srp_identifier = "",
const std::vector<std::string>& next_protocols = {});
void process_handshake_msg(const Handshake_State* active_state,
diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp
index 631868703..ce067d7c0 100644
--- a/src/lib/tls/tls_extensions.cpp
+++ b/src/lib/tls/tls_extensions.cpp
@@ -24,11 +24,6 @@ Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size,
case TLSEXT_SERVER_NAME_INDICATION:
return new Server_Name_Indicator(reader, size);
-#if defined(BOTAN_HAS_SRP6)
- case TLSEXT_SRP_IDENTIFIER:
- return new SRP_Identifier(reader, size);
-#endif
-
case TLSEXT_SUPPORTED_GROUPS:
return new Supported_Groups(reader, size);
@@ -213,27 +208,6 @@ std::vector<uint8_t> Server_Name_Indicator::serialize(Connection_Side /*whoami*/
return buf;
}
-#if defined(BOTAN_HAS_SRP6)
-
-SRP_Identifier::SRP_Identifier(TLS_Data_Reader& reader,
- uint16_t extension_size) : m_srp_identifier(reader.get_string(1, 1, 255))
- {
- if(m_srp_identifier.size() + 1 != extension_size)
- throw Decoding_Error("Bad encoding for SRP identifier extension");
- }
-
-std::vector<uint8_t> SRP_Identifier::serialize(Connection_Side /*whoami*/) const
- {
- std::vector<uint8_t> buf;
-
- const uint8_t* srp_bytes = cast_char_ptr_to_uint8(m_srp_identifier.data());
- append_tls_length_value(buf, srp_bytes, m_srp_identifier.size(), 1);
-
- return buf;
- }
-
-#endif
-
Renegotiation_Extension::Renegotiation_Extension(TLS_Data_Reader& reader,
uint16_t extension_size) : m_reneg_data(reader.get_range<uint8_t>(1, 0, 255))
{
diff --git a/src/lib/tls/tls_extensions.h b/src/lib/tls/tls_extensions.h
index a426c8e56..fefa8af77 100644
--- a/src/lib/tls/tls_extensions.h
+++ b/src/lib/tls/tls_extensions.h
@@ -36,7 +36,6 @@ enum Handshake_Extension_Type {
TLSEXT_CERTIFICATE_TYPES = 9,
TLSEXT_SUPPORTED_GROUPS = 10,
TLSEXT_EC_POINT_FORMATS = 11,
- TLSEXT_SRP_IDENTIFIER = 12,
TLSEXT_SIGNATURE_ALGORITHMS = 13,
TLSEXT_USE_SRTP = 14,
TLSEXT_ALPN = 16,
@@ -101,34 +100,6 @@ class BOTAN_UNSTABLE_API Server_Name_Indicator final : public Extension
std::string m_sni_host_name;
};
-#if defined(BOTAN_HAS_SRP6)
-/**
-* SRP identifier extension (RFC 5054)
-*/
-class BOTAN_UNSTABLE_API SRP_Identifier final : public Extension
- {
- public:
- static Handshake_Extension_Type static_type()
- { return TLSEXT_SRP_IDENTIFIER; }
-
- Handshake_Extension_Type type() const override { return static_type(); }
-
- explicit SRP_Identifier(const std::string& identifier) :
- m_srp_identifier(identifier) {}
-
- SRP_Identifier(TLS_Data_Reader& reader,
- uint16_t extension_size);
-
- std::string identifier() const { return m_srp_identifier; }
-
- std::vector<uint8_t> serialize(Connection_Side whoami) const override;
-
- bool empty() const override { return m_srp_identifier.empty(); }
- private:
- std::string m_srp_identifier;
- };
-#endif
-
/**
* Renegotiation Indication Extension (RFC 5746)
*/
diff --git a/src/lib/tls/tls_handshake_state.cpp b/src/lib/tls/tls_handshake_state.cpp
index 7c1264511..ee54000f7 100644
--- a/src/lib/tls/tls_handshake_state.cpp
+++ b/src/lib/tls/tls_handshake_state.cpp
@@ -359,18 +359,6 @@ Handshake_State::get_next_handshake_msg()
return m_handshake_io->get_next_record(expecting_ccs);
}
-std::string Handshake_State::srp_identifier() const
- {
-#if defined(BOTAN_HAS_SRP6)
- // Authenticated via the successful key exchange
- if(ciphersuite().valid() && ciphersuite().kex_method() == Kex_Algo::SRP_SHA)
- return client_hello()->srp_identifier();
-#endif
-
- return "";
- }
-
-
std::vector<uint8_t> Handshake_State::session_ticket() const
{
if(new_session_ticket() && !new_session_ticket()->ticket().empty())
diff --git a/src/lib/tls/tls_handshake_state.h b/src/lib/tls/tls_handshake_state.h
index 3321a6210..0238ebd2b 100644
--- a/src/lib/tls/tls_handshake_state.h
+++ b/src/lib/tls/tls_handshake_state.h
@@ -93,8 +93,6 @@ class Handshake_State
bool for_client_auth,
const Policy& policy) const;
- std::string srp_identifier() const;
-
KDF* protocol_specific_prf() const;
Protocol_Version version() const { return m_version; }
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index fc95a1c02..5de15f0a2 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
@@ -25,10 +25,6 @@
#include <botan/cecpq1.h>
#endif
-#if defined(BOTAN_HAS_SRP6)
- #include <botan/srp6.h>
-#endif
-
namespace Botan {
class Public_Key;
@@ -74,20 +70,16 @@ class BOTAN_UNSTABLE_API Client_Hello final : public Handshake_Message
{
public:
Settings(const Protocol_Version version,
- const std::string& hostname = "",
- const std::string& srp_identifier = "") :
+ const std::string& hostname = "") :
m_new_session_version(version),
- m_hostname(hostname),
- m_srp_identifier(srp_identifier) {}
+ m_hostname(hostname) {}
const Protocol_Version protocol_version() const { return m_new_session_version; }
const std::string& hostname() const { return m_hostname; }
- const std::string& srp_identifier() const { return m_srp_identifier; }
private:
const Protocol_Version m_new_session_version;
const std::string m_hostname;
- const std::string m_srp_identifier;
};
Handshake_Type type() const override { return CLIENT_HELLO; }
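Review bot: With the third parameter gone, `Settings` is still constructible from a single `Protocol_Version`, so the rewritten constructor keeps acting as an implicit conversion. Since the declaration is being touched anyway, marking it `explicit Settings(const Protocol_Version version,` would stop a bare version value from being accepted where a `Settings` is expected. The `Settings` class opens just before this hunk and `Client_Hello` continues after it.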
@@ -118,10 +110,6 @@ class BOTAN_UNSTABLE_API Client_Hello final : public Handshake_Message
std::string sni_hostname() const;
-#if defined(BOTAN_HAS_SRP6)
- std::string srp_identifier() const;
-#endif
-
bool secure_renegotiation() const;
std::vector<uint8_t> renegotiation_info() const;
@@ -543,15 +531,6 @@ class BOTAN_UNSTABLE_API Server_Key_Exchange final : public Handshake_Message
// Only valid for certain kex types
const Private_Key& server_kex_key() const;
-#if defined(BOTAN_HAS_SRP6)
- // Only valid for SRP negotiation
- SRP6_Server_Session& server_srp_params() const
- {
- BOTAN_ASSERT_NONNULL(m_srp_params);
- return *m_srp_params;
- }
-#endif
-
#if defined(BOTAN_HAS_CECPQ1)
// Only valid for CECPQ1 negotiation
const CECPQ1_key& cecpq1_key() const
@@ -577,10 +556,6 @@ class BOTAN_UNSTABLE_API Server_Key_Exchange final : public Handshake_Message
private:
std::vector<uint8_t> serialize() const override;
-#if defined(BOTAN_HAS_SRP6)
- std::unique_ptr<SRP6_Server_Session> m_srp_params;
-#endif
-
#if defined(BOTAN_HAS_CECPQ1)
std::unique_ptr<CECPQ1_key> m_cecpq1_key;
#endif
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index a63c73101..b2e8a86f7 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -92,7 +92,6 @@ std::vector<std::string> Policy::allowed_macs() const
std::vector<std::string> Policy::allowed_key_exchange_methods() const
{
return {
- //"SRP_SHA",
//"ECDHE_PSK",
//"DHE_PSK",
//"PSK",
@@ -428,8 +427,7 @@ class Ciphersuite_Preference_Ordering final
}
-std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
- bool have_srp) const
+std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version) const
{
const std::vector<std::string> ciphers = allowed_ciphers();
const std::vector<std::string> macs = allowed_macs();
@@ -452,10 +450,6 @@ std::vector<uint16_t> Policy::ciphersuite_list(Protocol_Version version,
if(!this->acceptable_ciphersuite(suite))
continue;
- // Are we doing SRP?
- if(!have_srp && suite.kex_method() == Kex_Algo::SRP_SHA)
- continue;
-
if(!value_exists(kex, suite.kex_algo()))
continue; // unsupported key exchange
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index c0f618e0f..209e814c2 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -205,7 +205,7 @@ class BOTAN_PUBLIC_API(2,0) Policy
virtual void check_peer_key_acceptable(const Public_Key& public_key) const;
/**
- * If this function returns false, unknown SRP/PSK identifiers
+ * If this function returns false, unknown PSK identifiers
* will be rejected with an unknown_psk_identifier alert as soon
* as the non-existence is identified. Otherwise, a false
* identifier value will be used and the protocol allowed to
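Review bot: The comment edited here still calls the alert `unknown_psk_identifier`, while the code in this same commit names it `Alert::UNKNOWN_PSK_IDENTITY` (visible in the removed lines of msg_server_kex.cpp and tls_server.cpp). As the sentence is being reworded anyway, the following line should read `* will be rejected with an unknown_psk_identity alert as soon` so the documentation matches the alert a peer will actually see. The comment and the function it documents continue outside the hunk.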
@@ -295,8 +295,7 @@ class BOTAN_PUBLIC_API(2,0) Policy
/**
* Return allowed ciphersuites, in order of preference
*/
- virtual std::vector<uint16_t> ciphersuite_list(Protocol_Version version,
- bool have_srp) const;
+ virtual std::vector<uint16_t> ciphersuite_list(Protocol_Version version) const;
/**
* @return the default MTU for DTLS
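Review bot: Changing the signature of the public virtual `ciphersuite_list` means an application policy that still declares the two-argument form without `override` will keep compiling but will no longer be called. The library then uses the base-class list, so a restrictive suite selection could be dropped without any diagnostic. The doc comment above the declaration should say so, for example `* Note: the former (version, have_srp) form is gone; subclasses must override this one-argument form.`, and the same caveat belongs in the release notes. The SRP hooks removed from `Credentials_Manager` in credentials_manager.h have the same property, though there a stale override is only dead code.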
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index 3fd4565fd..c62053857 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -104,15 +104,6 @@ bool check_for_resume(Session& session_info,
session_info.ciphersuite_code()))
return false;
-#if defined(BOTAN_HAS_SRP6)
- // client sent a different SRP identity
- if(client_hello->srp_identifier() != "")
- {
- if(client_hello->srp_identifier() != session_info.srp_identifier())
- return false;
- }
-#endif
-
// client sent a different SNI hostname
if(client_hello->sni_hostname() != "")
{
@@ -158,14 +149,12 @@ bool check_for_resume(Session& session_info,
uint16_t choose_ciphersuite(
const Policy& policy,
Protocol_Version version,
- Credentials_Manager& creds,
const std::map<std::string, std::vector<X509_Certificate>>& cert_chains,
const Client_Hello& client_hello)
{
const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
- const bool have_srp = creds.attempt_srp("tls-server", client_hello.sni_hostname());
const std::vector<uint16_t> client_suites = client_hello.ciphersuites();
- const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version, have_srp);
+ const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version);
if(server_suites.empty())
throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
@@ -248,20 +237,6 @@ uint16_t choose_ciphersuite(
}
}
-#if defined(BOTAN_HAS_SRP6)
- /*
- The client may offer SRP cipher suites in the hello message but
- omit the SRP extension. If the server would like to select an
- SRP cipher suite in this case, the server SHOULD return a fatal
- "unknown_psk_identity" alert immediately after processing the
- client hello message.
- - RFC 5054 section 2.5.1.2
- */
- if(suite.kex_method() == Kex_Algo::SRP_SHA && client_hello.srp_identifier() == "")
- throw TLS_Exception(Alert::UNKNOWN_PSK_IDENTITY,
- "Client wanted SRP but did not send username");
-#endif
-
return suite_id;
}
@@ -686,7 +661,6 @@ void Server::process_finished_msg(Server_Handshake_State& pending_state,
get_peer_cert_chain(pending_state),
std::vector<uint8_t>(),
Server_Information(pending_state.client_hello()->sni_hostname()),
- pending_state.srp_identifier(),
pending_state.server_hello()->srtp_profile());
if(save_session(session_info))
@@ -871,7 +845,7 @@ void Server::session_create(Server_Handshake_State& pending_state,
}
const uint16_t ciphersuite = choose_ciphersuite(policy(), pending_state.version(),
- m_creds, cert_chains,
+ cert_chains,
*pending_state.client_hello());
Server_Hello::Settings srv_settings(
diff --git a/src/lib/tls/tls_session.cpp b/src/lib/tls/tls_session.cpp
index bd817687c..de118f778 100644
--- a/src/lib/tls/tls_session.cpp
+++ b/src/lib/tls/tls_session.cpp
@@ -29,7 +29,6 @@ Session::Session(const std::vector<uint8_t>& session_identifier,
const std::vector<X509_Certificate>& certs,
const std::vector<uint8_t>& ticket,
const Server_Information& server_info,
- const std::string& srp_identifier,
uint16_t srtp_profile) :
m_start_time(std::chrono::system_clock::now()),
m_identifier(session_identifier),
@@ -42,8 +41,7 @@ Session::Session(const std::vector<uint8_t>& session_identifier,
m_extended_master_secret(extended_master_secret),
m_encrypt_then_mac(encrypt_then_mac),
m_peer_certs(certs),
- m_server_info(server_info),
- m_srp_identifier(srp_identifier)
+ m_server_info(server_info)
{
}
@@ -124,8 +122,6 @@ Session::Session(const uint8_t ber[], size_t ber_len)
server_service.value(),
static_cast<uint16_t>(server_port));
- m_srp_identifier = srp_identifier_str.value();
-
if(!peer_cert_bits.empty())
{
DataSource_Memory certs(peer_cert_bits.data(), peer_cert_bits.size());
@@ -160,7 +156,7 @@ secure_vector<uint8_t> Session::DER_encode() const
.encode(ASN1_String(m_server_info.hostname(), UTF8_STRING))
.encode(ASN1_String(m_server_info.service(), UTF8_STRING))
.encode(static_cast<size_t>(m_server_info.port()))
- .encode(ASN1_String(m_srp_identifier, UTF8_STRING))
+ .encode(ASN1_String("", UTF8_STRING)) // old srp identifier
.encode(static_cast<size_t>(m_srtp_profile))
.end_cons()
.get_contents();
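Review bot: The trailing comment `// old srp identifier` on the new `.encode(ASN1_String("", UTF8_STRING))` line does not say why an empty string is still written. Something like `// always-empty placeholder for the removed SRP identifier; keeps the encoded session layout unchanged` makes it clear the field must not be dropped or reused casually. It is also worth confirming, in the decoding constructor outside this hunk, what happens to a stored session that was created under an SRP suite. Its identifier is now discarded and its suite code is no longer in the table in tls_suite_info.cpp, so it should fail resumption rather than be treated as an ordinary session. `DER_encode` starts before this hunk.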
diff --git a/src/lib/tls/tls_session.h b/src/lib/tls/tls_session.h
index 5a75e6a32..5cb1f44be 100644
--- a/src/lib/tls/tls_session.h
+++ b/src/lib/tls/tls_session.h
@@ -54,7 +54,6 @@ class BOTAN_PUBLIC_API(2,0) Session final
const std::vector<X509_Certificate>& peer_certs,
const std::vector<uint8_t>& session_ticket,
const Server_Information& server_info,
- const std::string& srp_identifier,
uint16_t srtp_profile);
/**
@@ -134,11 +133,6 @@ class BOTAN_PUBLIC_API(2,0) Session final
Connection_Side side() const { return m_connection_side; }
/**
- * Get the SRP identity (if sent by the client in the initial handshake)
- */
- const std::string& srp_identifier() const { return m_srp_identifier; }
-
- /**
* Get the saved master secret
*/
const secure_vector<uint8_t>& master_secret() const { return m_master_secret; }
@@ -200,7 +194,6 @@ class BOTAN_PUBLIC_API(2,0) Session final
std::vector<X509_Certificate> m_peer_certs;
Server_Information m_server_info; // optional
- std::string m_srp_identifier; // optional
};
}
diff --git a/src/lib/tls/tls_suite_info.cpp b/src/lib/tls/tls_suite_info.cpp
index 4c49f72ad..7c07720ec 100644
--- a/src/lib/tls/tls_suite_info.cpp
+++ b/src/lib/tls/tls_suite_info.cpp
@@ -3,7 +3,7 @@
*
* This file was automatically generated from the IANA assignments
* (tls-parameters.txt sha256 6412d7a966151d409d463681e5427e706cd9066f13d34ca7a89f8cc2f7dff4b2)
-* by ./src/scripts/tls_suite_info.py on 2020-11-17
+* by ./src/scripts/tls_suite_info.py on 2020-11-21
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -65,12 +65,6 @@ const std::vector<Ciphersuite>& Ciphersuite::all_known_ciphersuites()
Ciphersuite(0xC012, "ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", Auth_Method::RSA, Kex_Algo::ECDH, "3DES", 24, "SHA-1", 20, KDF_Algo::SHA_1, Nonce_Format::CBC_MODE),
Ciphersuite(0xC013, "ECDHE_RSA_WITH_AES_128_CBC_SHA", Auth_Method::RSA, Kex_Algo::ECDH, "AES-128", 16, "SHA-1", 20, KDF_Algo::SHA_1, Nonce_Format::CBC_MODE),
Ciphersuite(0xC014, "ECDHE_RSA_WITH_AES_256_CBC_SHA", Auth_Method::RSA, Kex_Algo::ECDH, "AES-256", 32, "SHA-1", 20, KDF_Algo::SHA_1, Nonce_Format::CBC_MODE),
- Ciphersuite(0xC01A, "SRP_SHA_WITH_3DES_EDE_CBC_SHA", Auth_Method::IMPLICIT, Kex_Algo::SRP_SHA, "3DES", 24, "SHA-1", 20, KDF_Algo::SHA_1, Nonce_Format::CBC_MODE),
- Ciphersuite(0xC01B, "SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", Auth_Method::RSA, Kex_Algo::SRP_SHA, "3DES", 24, "SHA-1", 20, KDF_Algo::SHA_1, Nonce_Format::CBC_MODE),
- Ciphersuite(0xC01D, "SRP_SHA_WITH_AES_128_CBC_SHA", Auth_Method::IMPLICIT, Kex_Algo::SRP_SHA, "AES-128", 16, "SHA-1", 20, KDF_Algo::SHA_1, Nonce_Format::CBC_MODE),
- Ciphersuite(0xC01E, "SRP_SHA_RSA_WITH_AES_128_CBC_SHA", Auth_Method::RSA, Kex_Algo::SRP_SHA, "AES-128", 16, "SHA-1", 20, KDF_Algo::SHA_1, Nonce_Format::CBC_MODE),
- Ciphersuite(0xC020, "SRP_SHA_WITH_AES_256_CBC_SHA", Auth_Method::IMPLICIT, Kex_Algo::SRP_SHA, "AES-256", 32, "SHA-1", 20, KDF_Algo::SHA_1, Nonce_Format::CBC_MODE),
- Ciphersuite(0xC021, "SRP_SHA_RSA_WITH_AES_256_CBC_SHA", Auth_Method::RSA, Kex_Algo::SRP_SHA, "AES-256", 32, "SHA-1", 20, KDF_Algo::SHA_1, Nonce_Format::CBC_MODE),
Ciphersuite(0xC023, "ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", Auth_Method::ECDSA, Kex_Algo::ECDH, "AES-128", 16, "SHA-256", 32, KDF_Algo::SHA_256, Nonce_Format::CBC_MODE),
Ciphersuite(0xC024, "ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", Auth_Method::ECDSA, Kex_Algo::ECDH, "AES-256", 32, "SHA-384", 48, KDF_Algo::SHA_384, Nonce_Format::CBC_MODE),
Ciphersuite(0xC027, "ECDHE_RSA_WITH_AES_128_CBC_SHA256", Auth_Method::RSA, Kex_Algo::ECDH, "AES-128", 16, "SHA-256", 32, KDF_Algo::SHA_256, Nonce_Format::CBC_MODE),