1SSL_CTX_SET_SRP_PASSWORD(3ossl)     OpenSSL    SSL_CTX_SET_SRP_PASSWORD(3ossl)
2
3
4

NAME

6       SSL_CTX_set_srp_username, SSL_CTX_set_srp_password,
7       SSL_CTX_set_srp_strength, SSL_CTX_set_srp_cb_arg,
8       SSL_CTX_set_srp_username_callback, SSL_CTX_set_srp_client_pwd_callback,
9       SSL_CTX_set_srp_verify_param_callback, SSL_set_srp_server_param,
10       SSL_set_srp_server_param_pw, SSL_get_srp_g, SSL_get_srp_N,
11       SSL_get_srp_username, SSL_get_srp_userinfo - SRP control operations
12

SYNOPSIS

14        #include <openssl/ssl.h>
15
16       The following functions have been deprecated since OpenSSL 3.0, and can
17       be hidden entirely by defining OPENSSL_API_COMPAT with a suitable
18       version value, see openssl_user_macros(7):
19
20        int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
21        int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
22        int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
23        int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
24        int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
25                                              int (*cb) (SSL *s, int *ad, void *arg));
26        int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
27                                                char *(*cb) (SSL *s, void *arg));
28        int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
29                                                  int (*cb) (SSL *s, void *arg));
30
31        int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
32                                     BIGNUM *sa, BIGNUM *v, char *info);
33        int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
34                                        const char *grp);
35
36        BIGNUM *SSL_get_srp_g(SSL *s);
37        BIGNUM *SSL_get_srp_N(SSL *s);
38
39        char *SSL_get_srp_username(SSL *s);
40        char *SSL_get_srp_userinfo(SSL *s);
41

DESCRIPTION

43       All of the functions described on this page are deprecated. There are
44       no available replacement functions at this time.
45
46       These functions provide access to SRP (Secure Remote Password)
47       parameters, an alternate authentication mechanism for TLS. SRP allows
48       the use of usernames and passwords over unencrypted channels without
49       revealing the password to an eavesdropper. SRP also supplies a shared
50       secret at the end of the authentication sequence that can be used to
51       generate encryption keys.
52
53       The SRP protocol, version 3 is specified in RFC 2945. SRP version 6 is
54       described in RFC 5054 with applications to TLS authentication.
55
56       The SSL_CTX_set_srp_username() function sets the SRP username for ctx.
57       This should be called on the client prior to creating a connection to
58       the server.  The length of name must be shorter or equal to 255
59       characters.
60
61       The SSL_CTX_set_srp_password() function sets the SRP password for ctx.
62       This may be called on the client prior to creating a connection to the
63       server.  This overrides the effect of
64       SSL_CTX_set_srp_client_pwd_callback().
65
66       The SSL_CTX_set_srp_strength() function sets the SRP strength for ctx.
67       This is the minimal length of the SRP prime in bits. If not specified
68       1024 is used.  If not satisfied by the server key exchange the
69       connection will be rejected.
70
71       The SSL_CTX_set_srp_cb_arg() function sets an extra parameter that will
72       be passed to all following callbacks as arg.
73
74       The SSL_CTX_set_srp_username_callback() function sets the server side
75       callback that is invoked when an SRP username is found in a
76       ClientHello.  The callback parameters are the SSL connection s, a
77       writable error flag ad and the extra argument arg set by
78       SSL_CTX_set_srp_cb_arg().  This callback should setup the server for
79       the key exchange by calling SSL_set_srp_server_param() with the
80       appropriate parameters for the received username. The username can be
81       obtained by calling SSL_get_srp_username().  See SRP_VBASE_init(3) to
82       parse the verifier file created by openssl-srp(1) or
83       SRP_create_verifier(3) to generate it.  The callback should return
84       SSL_ERROR_NONE to proceed with the server key exchange, SSL3_AL_FATAL
85       for a fatal error or any value < 0 for a retryable error.  In the event
86       of a SSL3_AL_FATAL the alert flag given by *al will be sent back. By
87       default this will be SSL_AD_UNKNOWN_PSK_IDENTITY.
88
89       The SSL_CTX_set_srp_client_pwd_callback() function sets the client
90       password callback on the client.  The callback parameters are the SSL
91       connection s and the extra argument arg set by
92       SSL_CTX_set_srp_cb_arg().  The callback will be called as part of the
93       generation of the client secrets.  It should return the client password
94       in text form or NULL to abort the connection.  The resulting memory
95       will be freed by the library as part of the callback resolution.  This
96       overrides the effect of SSL_CTX_set_srp_password().
97
98       The SSL_CTX_set_srp_verify_param_callback() sets the SRP gN parameter
99       verification callback on the client. This allows the client to perform
100       custom verification when receiving the server SRP proposed parameters.
101       The callback parameters are the SSL connection s and the extra argument
102       arg set by SSL_CTX_set_srp_cb_arg().  The callback should return a
103       positive value to accept the server parameters.  Returning 0 or a
104       negative value will abort the connection. The server parameters can be
105       obtained by calling SSL_get_srp_N() and SSL_get_srp_g().  Sanity checks
106       are already performed by the library after the handshake (B % N non
107       zero, check against the strength parameter) and are not necessary.  If
108       no callback is set the g and N parameters will be checked against known
109       RFC 5054 values.
110
111       The SSL_set_srp_server_param() function sets all SRP parameters for the
112       connection s. N and g are the SRP group parameters, sa is the user
113       salt, v the password verifier and info is the optional user info.
114
115       The SSL_set_srp_server_param_pw() function sets all SRP parameters for
116       the connection s by generating a random salt and a password verifier.
117       user is the username, pass the password and grp the SRP group
118       parameters identifier for SRP_get_default_gN(3).
119
120       The SSL_get_srp_g() function returns the SRP group generator for s, or
121       from the underlying SSL_CTX if it is NULL.
122
123       The SSL_get_srp_N() function returns the SRP prime for s, or from the
124       underlying SSL_CTX if it is NULL.
125
126       The SSL_get_srp_username() function returns the SRP username for s, or
127       from the underlying SSL_CTX if it is NULL.
128
129       The SSL_get_srp_userinfo() function returns the SRP user info for s, or
130       from the underlying SSL_CTX if it is NULL.
131

RETURN VALUES

133       All SSL_CTX_set_* functions return 1 on success and 0 on failure.
134
135       SSL_set_srp_server_param() returns 1 on success and -1 on failure.
136
137       The SSL_get_SRP_* functions return a pointer to the requested data, the
138       memory is owned by the library and should not be freed by the caller.
139

EXAMPLES

141       Setup SRP parameters on the client:
142
143        #include <openssl/ssl.h>
144
145        const char *username = "username";
146        const char *password = "password";
147
148        SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
149        if (!ctx)
150            /* Error */
151        if (!SSL_CTX_set_srp_username(ctx, username))
152            /* Error */
153        if (!SSL_CTX_set_srp_password(ctx, password))
154            /* Error */
155
156       Setup SRP server with verifier file:
157
158        #include <openssl/srp.h>
159        #include <openssl/ssl.h>
160
161        const char *srpvfile = "password.srpv";
162
163        int srpServerCallback(SSL *s, int *ad, void *arg)
164        {
165            SRP_VBASE *srpData = (SRP_VBASE*) arg;
166            char *username = SSL_get_srp_username(s);
167
168            SRP_user_pwd *user_pwd = SRP_VBASE_get1_by_user(srpData, username);
169            if (!user_pwd)
170                /* Error */
171                return SSL3_AL_FATAL;
172
173            if (SSL_set_srp_server_param(s, user_pwd->N, user_pwd->g,
174                user_pwd->s, user_pwd->v, user_pwd->info) < 0)
175                /* Error */
176
177            SRP_user_pwd_free(user_pwd);
178            return SSL_ERROR_NONE;
179        }
180
181        SSL_CTX *ctx = SSL_CTX_new(TLS_server_method());
182        if (!ctx)
183            /* Error */
184
185        /*
186         * seedKey should contain a NUL terminated sequence
187         * of random non NUL bytes
188         */
189        const char *seedKey;
190
191        SRP_VBASE *srpData = SRP_VBASE_new(seedKey);
192        if (SRP_VBASE_init(srpData, (char*) srpvfile) != SRP_NO_ERROR)
193           /* Error */
194
195        SSL_CTX_set_srp_cb_arg(ctx, srpData);
196        SSL_CTX_set_srp_username_callback(ctx, srpServerCallback);
197

SEE ALSO

199       ssl(7), openssl-srp(1), SRP_VBASE_new(3), SRP_create_verifier(3)
200

HISTORY

202       These functions were added in OpenSSL 1.0.1 and deprecated in OpenSSL
203       3.0.
204
206       Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
207
208       Licensed under the Apache License 2.0 (the "License").  You may not use
209       this file except in compliance with the License.  You can obtain a copy
210       in the file LICENSE in the source distribution or at
211       <https://www.openssl.org/source/license.html>.
212
213
214
2153.1.1                             2023-08-31   SSL_CTX_SET_SRP_PASSWORD(3ossl)
Impressum