[thirdparty/openssl.git] / ssl / tls_srp.c

/*
 * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include "ssl_locl.h"

#ifndef OPENSSL_NO_SRP
#include <openssl/srp.h>

int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
{
    if (ctx == NULL)
        return 0;
    OPENSSL_free(ctx->srp_ctx.login);
    BN_free(ctx->srp_ctx.N);
    BN_free(ctx->srp_ctx.g);
    BN_free(ctx->srp_ctx.s);
    BN_free(ctx->srp_ctx.B);
    BN_free(ctx->srp_ctx.A);
    BN_free(ctx->srp_ctx.a);
    BN_free(ctx->srp_ctx.b);
    BN_free(ctx->srp_ctx.v);
    ctx->srp_ctx.TLS_ext_srp_username_callback = NULL;
    ctx->srp_ctx.SRP_cb_arg = NULL;
    ctx->srp_ctx.SRP_verify_param_callback = NULL;
    ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
    ctx->srp_ctx.N = NULL;
    ctx->srp_ctx.g = NULL;
    ctx->srp_ctx.s = NULL;
    ctx->srp_ctx.B = NULL;
    ctx->srp_ctx.A = NULL;
    ctx->srp_ctx.a = NULL;
    ctx->srp_ctx.b = NULL;
    ctx->srp_ctx.v = NULL;
    ctx->srp_ctx.login = NULL;
    ctx->srp_ctx.info = NULL;
    ctx->srp_ctx.strength = SRP_MINIMAL_N;
    ctx->srp_ctx.srp_Mask = 0;
    return (1);
}

int SSL_SRP_CTX_free(struct ssl_st *s)
{
    if (s == NULL)
        return 0;
    OPENSSL_free(s->srp_ctx.login);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    s->srp_ctx.TLS_ext_srp_username_callback = NULL;
    s->srp_ctx.SRP_cb_arg = NULL;
    s->srp_ctx.SRP_verify_param_callback = NULL;
    s->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
    s->srp_ctx.N = NULL;
    s->srp_ctx.g = NULL;
    s->srp_ctx.s = NULL;
    s->srp_ctx.B = NULL;
    s->srp_ctx.A = NULL;
    s->srp_ctx.a = NULL;
    s->srp_ctx.b = NULL;
    s->srp_ctx.v = NULL;
    s->srp_ctx.login = NULL;
    s->srp_ctx.info = NULL;
    s->srp_ctx.strength = SRP_MINIMAL_N;
    s->srp_ctx.srp_Mask = 0;
    return (1);
}

int SSL_SRP_CTX_init(struct ssl_st *s)
{
    SSL_CTX *ctx;

    if ((s == NULL) || ((ctx = s->ctx) == NULL))
        return 0;
    s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
    /* set client Hello login callback */
    s->srp_ctx.TLS_ext_srp_username_callback =
        ctx->srp_ctx.TLS_ext_srp_username_callback;
    /* set SRP N/g param callback for verification */
    s->srp_ctx.SRP_verify_param_callback =
        ctx->srp_ctx.SRP_verify_param_callback;
    /* set SRP client passwd callback */
    s->srp_ctx.SRP_give_srp_client_pwd_callback =
        ctx->srp_ctx.SRP_give_srp_client_pwd_callback;

    s->srp_ctx.N = NULL;
    s->srp_ctx.g = NULL;
    s->srp_ctx.s = NULL;
    s->srp_ctx.B = NULL;
    s->srp_ctx.A = NULL;
    s->srp_ctx.a = NULL;
    s->srp_ctx.b = NULL;
    s->srp_ctx.v = NULL;
    s->srp_ctx.login = NULL;
    s->srp_ctx.info = ctx->srp_ctx.info;
    s->srp_ctx.strength = ctx->srp_ctx.strength;

    if (((ctx->srp_ctx.N != NULL) &&
         ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) ||
        ((ctx->srp_ctx.g != NULL) &&
         ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) ||
        ((ctx->srp_ctx.s != NULL) &&
         ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) ||
        ((ctx->srp_ctx.B != NULL) &&
         ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) ||
        ((ctx->srp_ctx.A != NULL) &&
         ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) ||
        ((ctx->srp_ctx.a != NULL) &&
         ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) ||
        ((ctx->srp_ctx.v != NULL) &&
         ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) ||
        ((ctx->srp_ctx.b != NULL) &&
         ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB);
        goto err;
    }
    if ((ctx->srp_ctx.login != NULL) &&
        ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;

    return (1);
 err:
    OPENSSL_free(s->srp_ctx.login);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    return (0);
}

int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
{
    if (ctx == NULL)
        return 0;

    ctx->srp_ctx.SRP_cb_arg = NULL;
    /* set client Hello login callback */
    ctx->srp_ctx.TLS_ext_srp_username_callback = NULL;
    /* set SRP N/g param callback for verification */
    ctx->srp_ctx.SRP_verify_param_callback = NULL;
    /* set SRP client passwd callback */
    ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;

    ctx->srp_ctx.N = NULL;
    ctx->srp_ctx.g = NULL;
    ctx->srp_ctx.s = NULL;
    ctx->srp_ctx.B = NULL;
    ctx->srp_ctx.A = NULL;
    ctx->srp_ctx.a = NULL;
    ctx->srp_ctx.b = NULL;
    ctx->srp_ctx.v = NULL;
    ctx->srp_ctx.login = NULL;
    ctx->srp_ctx.srp_Mask = 0;
    ctx->srp_ctx.info = NULL;
    ctx->srp_ctx.strength = SRP_MINIMAL_N;

    return (1);
}

/* server side */
int SSL_srp_server_param_with_username(SSL *s, int *ad)
{
    unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
    int al;

    *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
    if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
        ((al =
          s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
                                                   s->srp_ctx.SRP_cb_arg)) !=
         SSL_ERROR_NONE))
        return al;

    *ad = SSL_AD_INTERNAL_ERROR;
    if ((s->srp_ctx.N == NULL) ||
        (s->srp_ctx.g == NULL) ||
        (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
        return SSL3_AL_FATAL;

    if (RAND_bytes(b, sizeof(b)) <= 0)
        return SSL3_AL_FATAL;
    s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
    OPENSSL_cleanse(b, sizeof(b));

    /* Calculate:  B = (kv + g^b) % N  */

    return ((s->srp_ctx.B =
             SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
                        s->srp_ctx.v)) !=
            NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
}

/*
 * If the server just has the raw password, make up a verifier entry on the
 * fly
 */
int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
                                const char *grp)
{
    SRP_gN *GN = SRP_get_default_gN(grp);
    if (GN == NULL)
        return -1;
    s->srp_ctx.N = BN_dup(GN->N);
    s->srp_ctx.g = BN_dup(GN->g);
    BN_clear_free(s->srp_ctx.v);
    s->srp_ctx.v = NULL;
    BN_clear_free(s->srp_ctx.s);
    s->srp_ctx.s = NULL;
    if (!SRP_create_verifier_BN
        (user, pass, &s->srp_ctx.s, &s->srp_ctx.v, GN->N, GN->g))
        return -1;

    return 1;
}

int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
                             BIGNUM *sa, BIGNUM *v, char *info)
{
    if (N != NULL) {
        if (s->srp_ctx.N != NULL) {
            if (!BN_copy(s->srp_ctx.N, N)) {
                BN_free(s->srp_ctx.N);
                s->srp_ctx.N = NULL;
            }
        } else
            s->srp_ctx.N = BN_dup(N);
    }
    if (g != NULL) {
        if (s->srp_ctx.g != NULL) {
            if (!BN_copy(s->srp_ctx.g, g)) {
                BN_free(s->srp_ctx.g);
                s->srp_ctx.g = NULL;
            }
        } else
            s->srp_ctx.g = BN_dup(g);
    }
    if (sa != NULL) {
        if (s->srp_ctx.s != NULL) {
            if (!BN_copy(s->srp_ctx.s, sa)) {
                BN_free(s->srp_ctx.s);
                s->srp_ctx.s = NULL;
            }
        } else
            s->srp_ctx.s = BN_dup(sa);
    }
    if (v != NULL) {
        if (s->srp_ctx.v != NULL) {
            if (!BN_copy(s->srp_ctx.v, v)) {
                BN_free(s->srp_ctx.v);
                s->srp_ctx.v = NULL;
            }
        } else
            s->srp_ctx.v = BN_dup(v);
    }
    s->srp_ctx.info = info;

    if (!(s->srp_ctx.N) ||
        !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v))
        return -1;

    return 1;
}

int srp_generate_server_master_secret(SSL *s)
{
    BIGNUM *K = NULL, *u = NULL;
    int ret = -1, tmp_len = 0;
    unsigned char *tmp = NULL;

    if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
        goto err;
    if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
        goto err;
    if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
                                 s->srp_ctx.N)) == NULL)
        goto err;

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
        goto err;
    BN_bn2bin(K, tmp);
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
 err:
    BN_clear_free(K);
    BN_clear_free(u);
    return ret;
}

/* client side */
int srp_generate_client_master_secret(SSL *s)
{
    BIGNUM *x = NULL, *u = NULL, *K = NULL;
    int ret = -1, tmp_len = 0;
    char *passwd = NULL;
    unsigned char *tmp = NULL;

    /*
     * Checks if b % n == 0
     */
    if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0)
        goto err;
    if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
        goto err;
    if (s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL)
        goto err;
    if (!
        (passwd =
         s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
                                                     s->srp_ctx.SRP_cb_arg)))
        goto err;
    if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL)
        goto err;
    if ((K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, s->srp_ctx.g, x,
                                 s->srp_ctx.a, u)) == NULL)
        goto err;

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
        goto err;
    BN_bn2bin(K, tmp);
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
 err:
    BN_clear_free(K);
    BN_clear_free(x);
    if (passwd != NULL)
        OPENSSL_clear_free(passwd, strlen(passwd));
    BN_clear_free(u);
    return ret;
}

int srp_verify_server_param(SSL *s, int *al)
{
    SRP_CTX *srp = &s->srp_ctx;
    /*
     * Sanity check parameters: we can quickly check B % N == 0 by checking B
     * != 0 since B < N
     */
    if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0
        || BN_is_zero(srp->B)) {
        *al = SSL3_AD_ILLEGAL_PARAMETER;
        return 0;
    }

    if (BN_num_bits(srp->N) < srp->strength) {
        *al = TLS1_AD_INSUFFICIENT_SECURITY;
        return 0;
    }

    if (srp->SRP_verify_param_callback) {
        if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
            *al = TLS1_AD_INSUFFICIENT_SECURITY;
            return 0;
        }
    } else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
        *al = TLS1_AD_INSUFFICIENT_SECURITY;
        return 0;
    }

    return 1;
}

int SRP_Calc_A_param(SSL *s)
{
    unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];

    if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
        return 0;
    s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
    OPENSSL_cleanse(rnd, sizeof(rnd));

    if (!
        (s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
        return 0;

    return 1;
}

BIGNUM *SSL_get_srp_g(SSL *s)
{
    if (s->srp_ctx.g != NULL)
        return s->srp_ctx.g;
    return s->ctx->srp_ctx.g;
}

BIGNUM *SSL_get_srp_N(SSL *s)
{
    if (s->srp_ctx.N != NULL)
        return s->srp_ctx.N;
    return s->ctx->srp_ctx.N;
}

char *SSL_get_srp_username(SSL *s)
{
    if (s->srp_ctx.login != NULL)
        return s->srp_ctx.login;
    return s->ctx->srp_ctx.login;
}

char *SSL_get_srp_userinfo(SSL *s)
{
    if (s->srp_ctx.info != NULL)
        return s->srp_ctx.info;
    return s->ctx->srp_ctx.info;
}

# define tls1_ctx_ctrl ssl3_ctx_ctrl
# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl

int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
}

int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
}

int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
                         NULL);
}

int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
                                          int (*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
}

int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
                                      int (*cb) (SSL *, int *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
                                        char *(*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
                                  (void (*)(void))cb);
}

#endif
Commit	Line	Data
0f113f3e	1	/*
846e33c7	2	* Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
edc032b5	3	*
846e33c7 RS	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
edc032b5	8	*/
edc032b5	9
b93e331b	10	#include <openssl/crypto.h>
edc032b5	11	#include <openssl/rand.h>
edc032b5	12	#include <openssl/err.h>
b93e331b DSH	13	#include "ssl_locl.h"
	14
	15	#ifndef OPENSSL_NO_SRP
857048a7	16	#include <openssl/srp.h>
edc032b5 BL	17
edc032b5 BL	18	int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
0f113f3e MC	19	{
	20	if (ctx == NULL)
	21	return 0;
	22	OPENSSL_free(ctx->srp_ctx.login);
	23	BN_free(ctx->srp_ctx.N);
	24	BN_free(ctx->srp_ctx.g);
	25	BN_free(ctx->srp_ctx.s);
	26	BN_free(ctx->srp_ctx.B);
	27	BN_free(ctx->srp_ctx.A);
	28	BN_free(ctx->srp_ctx.a);
	29	BN_free(ctx->srp_ctx.b);
	30	BN_free(ctx->srp_ctx.v);
	31	ctx->srp_ctx.TLS_ext_srp_username_callback = NULL;
	32	ctx->srp_ctx.SRP_cb_arg = NULL;
	33	ctx->srp_ctx.SRP_verify_param_callback = NULL;
	34	ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
	35	ctx->srp_ctx.N = NULL;
	36	ctx->srp_ctx.g = NULL;
	37	ctx->srp_ctx.s = NULL;
	38	ctx->srp_ctx.B = NULL;
	39	ctx->srp_ctx.A = NULL;
	40	ctx->srp_ctx.a = NULL;
	41	ctx->srp_ctx.b = NULL;
	42	ctx->srp_ctx.v = NULL;
	43	ctx->srp_ctx.login = NULL;
	44	ctx->srp_ctx.info = NULL;
	45	ctx->srp_ctx.strength = SRP_MINIMAL_N;
	46	ctx->srp_ctx.srp_Mask = 0;
	47	return (1);
	48	}
edc032b5 BL	49
edc032b5 BL	50	int SSL_SRP_CTX_free(struct ssl_st *s)
0f113f3e MC	51	{
	52	if (s == NULL)
	53	return 0;
	54	OPENSSL_free(s->srp_ctx.login);
	55	BN_free(s->srp_ctx.N);
	56	BN_free(s->srp_ctx.g);
	57	BN_free(s->srp_ctx.s);
	58	BN_free(s->srp_ctx.B);
	59	BN_free(s->srp_ctx.A);
	60	BN_free(s->srp_ctx.a);
	61	BN_free(s->srp_ctx.b);
	62	BN_free(s->srp_ctx.v);
	63	s->srp_ctx.TLS_ext_srp_username_callback = NULL;
	64	s->srp_ctx.SRP_cb_arg = NULL;
	65	s->srp_ctx.SRP_verify_param_callback = NULL;
	66	s->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
	67	s->srp_ctx.N = NULL;
	68	s->srp_ctx.g = NULL;
	69	s->srp_ctx.s = NULL;
	70	s->srp_ctx.B = NULL;
	71	s->srp_ctx.A = NULL;
	72	s->srp_ctx.a = NULL;
	73	s->srp_ctx.b = NULL;
	74	s->srp_ctx.v = NULL;
	75	s->srp_ctx.login = NULL;
	76	s->srp_ctx.info = NULL;
	77	s->srp_ctx.strength = SRP_MINIMAL_N;
	78	s->srp_ctx.srp_Mask = 0;
	79	return (1);
	80	}
edc032b5 BL	81
edc032b5 BL	82	int SSL_SRP_CTX_init(struct ssl_st *s)
0f113f3e MC	83	{
	84	SSL_CTX *ctx;
	85
	86	if ((s == NULL) \|\| ((ctx = s->ctx) == NULL))
	87	return 0;
	88	s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
	89	/* set client Hello login callback */
	90	s->srp_ctx.TLS_ext_srp_username_callback =
	91	ctx->srp_ctx.TLS_ext_srp_username_callback;
	92	/* set SRP N/g param callback for verification */
	93	s->srp_ctx.SRP_verify_param_callback =
	94	ctx->srp_ctx.SRP_verify_param_callback;
	95	/* set SRP client passwd callback */
	96	s->srp_ctx.SRP_give_srp_client_pwd_callback =
	97	ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
	98
	99	s->srp_ctx.N = NULL;
	100	s->srp_ctx.g = NULL;
	101	s->srp_ctx.s = NULL;
	102	s->srp_ctx.B = NULL;
	103	s->srp_ctx.A = NULL;
	104	s->srp_ctx.a = NULL;
	105	s->srp_ctx.b = NULL;
	106	s->srp_ctx.v = NULL;
	107	s->srp_ctx.login = NULL;
	108	s->srp_ctx.info = ctx->srp_ctx.info;
	109	s->srp_ctx.strength = ctx->srp_ctx.strength;
	110
	111	if (((ctx->srp_ctx.N != NULL) &&
	112	((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) \|\|
	113	((ctx->srp_ctx.g != NULL) &&
	114	((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) \|\|
	115	((ctx->srp_ctx.s != NULL) &&
	116	((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) \|\|
	117	((ctx->srp_ctx.B != NULL) &&
	118	((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) \|\|
	119	((ctx->srp_ctx.A != NULL) &&
	120	((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) \|\|
	121	((ctx->srp_ctx.a != NULL) &&
	122	((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) \|\|
	123	((ctx->srp_ctx.v != NULL) &&
	124	((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) \|\|
	125	((ctx->srp_ctx.b != NULL) &&
	126	((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
	127	SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB);
	128	goto err;
	129	}
	130	if ((ctx->srp_ctx.login != NULL) &&
7644a9ae	131	((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
0f113f3e MC	132	SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
	133	goto err;
	134	}
	135	s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
	136
	137	return (1);
	138	err:
	139	OPENSSL_free(s->srp_ctx.login);
	140	BN_free(s->srp_ctx.N);
	141	BN_free(s->srp_ctx.g);
	142	BN_free(s->srp_ctx.s);
	143	BN_free(s->srp_ctx.B);
	144	BN_free(s->srp_ctx.A);
	145	BN_free(s->srp_ctx.a);
	146	BN_free(s->srp_ctx.b);
	147	BN_free(s->srp_ctx.v);
	148	return (0);
	149	}
edc032b5 BL	150
edc032b5 BL	151	int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
0f113f3e MC	152	{
	153	if (ctx == NULL)
	154	return 0;
	155
	156	ctx->srp_ctx.SRP_cb_arg = NULL;
	157	/* set client Hello login callback */
	158	ctx->srp_ctx.TLS_ext_srp_username_callback = NULL;
	159	/* set SRP N/g param callback for verification */
	160	ctx->srp_ctx.SRP_verify_param_callback = NULL;
	161	/* set SRP client passwd callback */
	162	ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
	163
	164	ctx->srp_ctx.N = NULL;
	165	ctx->srp_ctx.g = NULL;
	166	ctx->srp_ctx.s = NULL;
	167	ctx->srp_ctx.B = NULL;
	168	ctx->srp_ctx.A = NULL;
	169	ctx->srp_ctx.a = NULL;
	170	ctx->srp_ctx.b = NULL;
	171	ctx->srp_ctx.v = NULL;
	172	ctx->srp_ctx.login = NULL;
	173	ctx->srp_ctx.srp_Mask = 0;
	174	ctx->srp_ctx.info = NULL;
	175	ctx->srp_ctx.strength = SRP_MINIMAL_N;
	176
	177	return (1);
	178	}
edc032b5 BL	179
	180	/* server side */
	181	int SSL_srp_server_param_with_username(SSL s, int ad)
0f113f3e MC	182	{
	183	unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
	184	int al;
	185
	186	*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
	187	if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
	188	((al =
	189	s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
	190	s->srp_ctx.SRP_cb_arg)) !=
	191	SSL_ERROR_NONE))
	192	return al;
	193
	194	*ad = SSL_AD_INTERNAL_ERROR;
	195	if ((s->srp_ctx.N == NULL) \|\|
	196	(s->srp_ctx.g == NULL) \|\|
	197	(s->srp_ctx.s == NULL) \|\| (s->srp_ctx.v == NULL))
	198	return SSL3_AL_FATAL;
	199
	200	if (RAND_bytes(b, sizeof(b)) <= 0)
	201	return SSL3_AL_FATAL;
	202	s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
	203	OPENSSL_cleanse(b, sizeof(b));
	204
	205	/* Calculate: B = (kv + g^b) % N */
	206
	207	return ((s->srp_ctx.B =
	208	SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
	209	s->srp_ctx.v)) !=
	210	NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
	211	}
	212
	213	/*
	214	* If the server just has the raw password, make up a verifier entry on the
	215	* fly
	216	*/
	217	int SSL_set_srp_server_param_pw(SSL s, const char user, const char *pass,
	218	const char *grp)
	219	{
	220	SRP_gN *GN = SRP_get_default_gN(grp);
	221	if (GN == NULL)
	222	return -1;
	223	s->srp_ctx.N = BN_dup(GN->N);
	224	s->srp_ctx.g = BN_dup(GN->g);
23a1d5e9 RS	225	BN_clear_free(s->srp_ctx.v);
	226	s->srp_ctx.v = NULL;
	227	BN_clear_free(s->srp_ctx.s);
	228	s->srp_ctx.s = NULL;
0f113f3e MC	229	if (!SRP_create_verifier_BN
	230	(user, pass, &s->srp_ctx.s, &s->srp_ctx.v, GN->N, GN->g))
	231	return -1;
	232
	233	return 1;
	234	}
edc032b5 BL	235
edc032b5 BL	236	int SSL_set_srp_server_param(SSL s, const BIGNUM N, const BIGNUM *g,
0f113f3e MC	237	BIGNUM sa, BIGNUM v, char *info)
	238	{
	239	if (N != NULL) {
	240	if (s->srp_ctx.N != NULL) {
	241	if (!BN_copy(s->srp_ctx.N, N)) {
	242	BN_free(s->srp_ctx.N);
	243	s->srp_ctx.N = NULL;
	244	}
	245	} else
	246	s->srp_ctx.N = BN_dup(N);
	247	}
	248	if (g != NULL) {
	249	if (s->srp_ctx.g != NULL) {
	250	if (!BN_copy(s->srp_ctx.g, g)) {
	251	BN_free(s->srp_ctx.g);
	252	s->srp_ctx.g = NULL;
	253	}
	254	} else
	255	s->srp_ctx.g = BN_dup(g);
	256	}
	257	if (sa != NULL) {
	258	if (s->srp_ctx.s != NULL) {
	259	if (!BN_copy(s->srp_ctx.s, sa)) {
	260	BN_free(s->srp_ctx.s);
	261	s->srp_ctx.s = NULL;
	262	}
	263	} else
	264	s->srp_ctx.s = BN_dup(sa);
	265	}
	266	if (v != NULL) {
	267	if (s->srp_ctx.v != NULL) {
	268	if (!BN_copy(s->srp_ctx.v, v)) {
	269	BN_free(s->srp_ctx.v);
	270	s->srp_ctx.v = NULL;
	271	}
	272	} else
	273	s->srp_ctx.v = BN_dup(v);
	274	}
	275	s->srp_ctx.info = info;
	276
	277	if (!(s->srp_ctx.N) \|\|
	278	!(s->srp_ctx.g) \|\| !(s->srp_ctx.s) \|\| !(s->srp_ctx.v))
	279	return -1;
	280
	281	return 1;
	282	}
	283
57b272b0	284	int srp_generate_server_master_secret(SSL *s)
0f113f3e MC	285	{
0f113f3e MC	286	BIGNUM K = NULL, u = NULL;
4b45c6e5	287	int ret = -1, tmp_len = 0;
0f113f3e MC	288	unsigned char *tmp = NULL;
	289
	290	if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
	291	goto err;
75ebbd9a	292	if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
0f113f3e	293	goto err;
75ebbd9a RS	294	if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
75ebbd9a RS	295	s->srp_ctx.N)) == NULL)
0f113f3e MC	296	goto err;
	297
	298	tmp_len = BN_num_bytes(K);
	299	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
	300	goto err;
	301	BN_bn2bin(K, tmp);
57b272b0	302	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
0f113f3e	303	err:
0f113f3e MC	304	BN_clear_free(K);
	305	BN_clear_free(u);
	306	return ret;
	307	}
edc032b5 BL	308
edc032b5 BL	309	/* client side */
57b272b0	310	int srp_generate_client_master_secret(SSL *s)
0f113f3e MC	311	{
0f113f3e MC	312	BIGNUM x = NULL, u = NULL, *K = NULL;
4b45c6e5	313	int ret = -1, tmp_len = 0;
0f113f3e MC	314	char *passwd = NULL;
	315	unsigned char *tmp = NULL;
	316
	317	/*
	318	* Checks if b % n == 0
	319	*/
	320	if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0)
	321	goto err;
75ebbd9a	322	if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
0f113f3e MC	323	goto err;
	324	if (s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL)
	325	goto err;
	326	if (!
	327	(passwd =
	328	s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
	329	s->srp_ctx.SRP_cb_arg)))
	330	goto err;
75ebbd9a	331	if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL)
0f113f3e	332	goto err;
75ebbd9a RS	333	if ((K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, s->srp_ctx.g, x,
75ebbd9a RS	334	s->srp_ctx.a, u)) == NULL)
0f113f3e MC	335	goto err;
	336
	337	tmp_len = BN_num_bytes(K);
	338	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
	339	goto err;
	340	BN_bn2bin(K, tmp);
57b272b0	341	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
0f113f3e	342	err:
0f113f3e MC	343	BN_clear_free(K);
0f113f3e MC	344	BN_clear_free(x);
d73ca3ef MC	345	if (passwd != NULL)
d73ca3ef MC	346	OPENSSL_clear_free(passwd, strlen(passwd));
0f113f3e MC	347	BN_clear_free(u);
	348	return ret;
	349	}
edc032b5	350
0989790b	351	int srp_verify_server_param(SSL s, int al)
0f113f3e MC	352	{
	353	SRP_CTX *srp = &s->srp_ctx;
	354	/*
	355	* Sanity check parameters: we can quickly check B % N == 0 by checking B
	356	* != 0 since B < N
	357	*/
	358	if (BN_ucmp(srp->g, srp->N) >= 0 \|\| BN_ucmp(srp->B, srp->N) >= 0
	359	\|\| BN_is_zero(srp->B)) {
	360	*al = SSL3_AD_ILLEGAL_PARAMETER;
	361	return 0;
	362	}
	363
	364	if (BN_num_bits(srp->N) < srp->strength) {
	365	*al = TLS1_AD_INSUFFICIENT_SECURITY;
	366	return 0;
	367	}
	368
	369	if (srp->SRP_verify_param_callback) {
	370	if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
	371	*al = TLS1_AD_INSUFFICIENT_SECURITY;
	372	return 0;
	373	}
	374	} else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
	375	*al = TLS1_AD_INSUFFICIENT_SECURITY;
	376	return 0;
	377	}
	378
	379	return 1;
	380	}
0989790b DSH	381
0989790b DSH	382	int SRP_Calc_A_param(SSL *s)
0f113f3e MC	383	{
0f113f3e MC	384	unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
edc032b5	385
0f113f3e MC	386	if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
	387	return 0;
	388	s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
	389	OPENSSL_cleanse(rnd, sizeof(rnd));
edc032b5	390
0f113f3e MC	391	if (!
	392	(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
	393	return 0;
edc032b5	394
0f113f3e MC	395	return 1;
0f113f3e MC	396	}
edc032b5	397
edc032b5	398	BIGNUM SSL_get_srp_g(SSL s)
0f113f3e MC	399	{
	400	if (s->srp_ctx.g != NULL)
	401	return s->srp_ctx.g;
	402	return s->ctx->srp_ctx.g;
	403	}
edc032b5 BL	404
edc032b5 BL	405	BIGNUM SSL_get_srp_N(SSL s)
0f113f3e MC	406	{
	407	if (s->srp_ctx.N != NULL)
	408	return s->srp_ctx.N;
	409	return s->ctx->srp_ctx.N;
	410	}
edc032b5 BL	411
edc032b5 BL	412	char SSL_get_srp_username(SSL s)
0f113f3e MC	413	{
	414	if (s->srp_ctx.login != NULL)
	415	return s->srp_ctx.login;
	416	return s->ctx->srp_ctx.login;
	417	}
edc032b5 BL	418
edc032b5 BL	419	char SSL_get_srp_userinfo(SSL s)
0f113f3e MC	420	{
	421	if (s->srp_ctx.info != NULL)
	422	return s->srp_ctx.info;
	423	return s->ctx->srp_ctx.info;
	424	}
edc032b5	425
0f113f3e MC	426	# define tls1_ctx_ctrl ssl3_ctx_ctrl
0f113f3e MC	427	# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
edc032b5	428
0f113f3e MC	429	int SSL_CTX_set_srp_username(SSL_CTX ctx, char name)
	430	{
	431	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
	432	}
edc032b5	433
0f113f3e MC	434	int SSL_CTX_set_srp_password(SSL_CTX ctx, char password)
	435	{
	436	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
	437	}
edc032b5 BL	438
edc032b5 BL	439	int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
0f113f3e MC	440	{
	441	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
	442	NULL);
	443	}
	444
	445	int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
	446	int (cb) (SSL , void *))
	447	{
	448	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
	449	(void (*)(void))cb);
	450	}
edc032b5 BL	451
edc032b5 BL	452	int SSL_CTX_set_srp_cb_arg(SSL_CTX ctx, void arg)
0f113f3e MC	453	{
	454	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
	455	}
edc032b5 BL	456
edc032b5 BL	457	int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
0f113f3e MC	458	int (cb) (SSL , int , void ))
	459	{
	460	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
	461	(void (*)(void))cb);
	462	}
	463
	464	int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
	465	char (cb) (SSL , void ))
	466	{
	467	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
	468	(void (*)(void))cb);
	469	}
edc032b5	470
edc032b5	471	#endif