[thirdparty/openssl.git] / ssl / tls_srp.c

/*
 * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2004, EdelKey Project. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * Originally written by Christophe Renou and Peter Sylvester,
 * for the EdelKey project.
 */

/*
 * We need to use the SRP deprecated APIs in order to implement the SSL SRP
 * APIs - which are themselves deprecated.
 */
#define OPENSSL_SUPPRESS_DEPRECATED

#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include "ssl_local.h"

#ifndef OPENSSL_NO_SRP
# include <openssl/srp.h>

/*
 * The public API SSL_CTX_SRP_CTX_free() is deprecated so we use
 * ssl_ctx_srp_ctx_free_intern() internally.
 */
int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx)
{
    if (ctx == NULL)
        return 0;
    OPENSSL_free(ctx->srp_ctx.login);
    OPENSSL_free(ctx->srp_ctx.info);
    BN_free(ctx->srp_ctx.N);
    BN_free(ctx->srp_ctx.g);
    BN_free(ctx->srp_ctx.s);
    BN_free(ctx->srp_ctx.B);
    BN_free(ctx->srp_ctx.A);
    BN_free(ctx->srp_ctx.a);
    BN_free(ctx->srp_ctx.b);
    BN_free(ctx->srp_ctx.v);
    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
    ctx->srp_ctx.strength = SRP_MINIMAL_N;
    return 1;
}

int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx)
{
    return ssl_ctx_srp_ctx_free_intern(ctx);
}

/*
 * The public API SSL_SRP_CTX_free() is deprecated so we use
 * ssl_srp_ctx_free_intern() internally.
 */
int ssl_srp_ctx_free_intern(SSL *s)
{
    if (s == NULL)
        return 0;
    OPENSSL_free(s->srp_ctx.login);
    OPENSSL_free(s->srp_ctx.info);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
    s->srp_ctx.strength = SRP_MINIMAL_N;
    return 1;
}

int SSL_SRP_CTX_free(SSL *s)
{
    return ssl_srp_ctx_free_intern(s);
}

/*
 * The public API SSL_SRP_CTX_init() is deprecated so we use
 * ssl_srp_ctx_init_intern() internally.
 */
int ssl_srp_ctx_init_intern(SSL *s)
{
    SSL_CTX *ctx;

    if ((s == NULL) || ((ctx = s->ctx) == NULL))
        return 0;

    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));

    s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
    /* set client Hello login callback */
    s->srp_ctx.TLS_ext_srp_username_callback =
        ctx->srp_ctx.TLS_ext_srp_username_callback;
    /* set SRP N/g param callback for verification */
    s->srp_ctx.SRP_verify_param_callback =
        ctx->srp_ctx.SRP_verify_param_callback;
    /* set SRP client passwd callback */
    s->srp_ctx.SRP_give_srp_client_pwd_callback =
        ctx->srp_ctx.SRP_give_srp_client_pwd_callback;

    s->srp_ctx.strength = ctx->srp_ctx.strength;

    if (((ctx->srp_ctx.N != NULL) &&
         ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) ||
        ((ctx->srp_ctx.g != NULL) &&
         ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) ||
        ((ctx->srp_ctx.s != NULL) &&
         ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) ||
        ((ctx->srp_ctx.B != NULL) &&
         ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) ||
        ((ctx->srp_ctx.A != NULL) &&
         ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) ||
        ((ctx->srp_ctx.a != NULL) &&
         ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) ||
        ((ctx->srp_ctx.v != NULL) &&
         ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) ||
        ((ctx->srp_ctx.b != NULL) &&
         ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
        ERR_raise(ERR_LIB_SSL, ERR_R_BN_LIB);
        goto err;
    }
    if ((ctx->srp_ctx.login != NULL) &&
        ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((ctx->srp_ctx.info != NULL) &&
        ((s->srp_ctx.info = OPENSSL_strdup(ctx->srp_ctx.info)) == NULL)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;

    return 1;
 err:
    OPENSSL_free(s->srp_ctx.login);
    OPENSSL_free(s->srp_ctx.info);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
    return 0;
}

int SSL_SRP_CTX_init(SSL *s)
{
    return ssl_srp_ctx_init_intern(s);
}

/*
 * The public API SSL_CTX_SRP_CTX_init() is deprecated so we use
 * ssl_ctx_srp_ctx_init_intern() internally.
 */
int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx)
{
    if (ctx == NULL)
        return 0;

    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
    ctx->srp_ctx.strength = SRP_MINIMAL_N;

    return 1;
}

int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx)
{
    return ssl_ctx_srp_ctx_init_intern(ctx);
}

/* server side */
/*
 * The public API SSL_srp_server_param_with_username() is deprecated so we use
 * ssl_srp_server_param_with_username_intern() internally.
 */
int ssl_srp_server_param_with_username_intern(SSL *s, int *ad)
{
    unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
    int al;

    *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
    if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
        ((al =
          s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
                                                   s->srp_ctx.SRP_cb_arg)) !=
         SSL_ERROR_NONE))
        return al;

    *ad = SSL_AD_INTERNAL_ERROR;
    if ((s->srp_ctx.N == NULL) ||
        (s->srp_ctx.g == NULL) ||
        (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
        return SSL3_AL_FATAL;

    if (RAND_priv_bytes_ex(s->ctx->libctx, b, sizeof(b)) <= 0)
        return SSL3_AL_FATAL;
    s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
    OPENSSL_cleanse(b, sizeof(b));

    /* Calculate:  B = (kv + g^b) % N  */

    return ((s->srp_ctx.B =
             SRP_Calc_B_ex(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
                           s->srp_ctx.v, s->ctx->libctx, s->ctx->propq)) !=
            NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
}

int SSL_srp_server_param_with_username(SSL *s, int *ad)
{
    return ssl_srp_server_param_with_username_intern(s, ad);
}

/*
 * If the server just has the raw password, make up a verifier entry on the
 * fly
 */
int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
                                const char *grp)
{
    SRP_gN *GN = SRP_get_default_gN(grp);
    if (GN == NULL)
        return -1;
    s->srp_ctx.N = BN_dup(GN->N);
    s->srp_ctx.g = BN_dup(GN->g);
    BN_clear_free(s->srp_ctx.v);
    s->srp_ctx.v = NULL;
    BN_clear_free(s->srp_ctx.s);
    s->srp_ctx.s = NULL;
    if (!SRP_create_verifier_BN_ex(user, pass, &s->srp_ctx.s, &s->srp_ctx.v,
                                   GN->N, GN->g, s->ctx->libctx,
                                   s->ctx->propq))
        return -1;

    return 1;
}

int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
                             BIGNUM *sa, BIGNUM *v, char *info)
{
    if (N != NULL) {
        if (s->srp_ctx.N != NULL) {
            if (!BN_copy(s->srp_ctx.N, N)) {
                BN_free(s->srp_ctx.N);
                s->srp_ctx.N = NULL;
            }
        } else
            s->srp_ctx.N = BN_dup(N);
    }
    if (g != NULL) {
        if (s->srp_ctx.g != NULL) {
            if (!BN_copy(s->srp_ctx.g, g)) {
                BN_free(s->srp_ctx.g);
                s->srp_ctx.g = NULL;
            }
        } else
            s->srp_ctx.g = BN_dup(g);
    }
    if (sa != NULL) {
        if (s->srp_ctx.s != NULL) {
            if (!BN_copy(s->srp_ctx.s, sa)) {
                BN_free(s->srp_ctx.s);
                s->srp_ctx.s = NULL;
            }
        } else
            s->srp_ctx.s = BN_dup(sa);
    }
    if (v != NULL) {
        if (s->srp_ctx.v != NULL) {
            if (!BN_copy(s->srp_ctx.v, v)) {
                BN_free(s->srp_ctx.v);
                s->srp_ctx.v = NULL;
            }
        } else
            s->srp_ctx.v = BN_dup(v);
    }
    if (info != NULL) {
        if (s->srp_ctx.info)
            OPENSSL_free(s->srp_ctx.info);
        if ((s->srp_ctx.info = OPENSSL_strdup(info)) == NULL)
            return -1;
    }

    if (!(s->srp_ctx.N) ||
        !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v))
        return -1;

    return 1;
}

int srp_generate_server_master_secret(SSL *s)
{
    BIGNUM *K = NULL, *u = NULL;
    int ret = -1, tmp_len = 0;
    unsigned char *tmp = NULL;

    if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
        goto err;
    if ((u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
                           s->ctx->libctx, s->ctx->propq)) == NULL)
        goto err;
    if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
                                 s->srp_ctx.N)) == NULL)
        goto err;

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    BN_bn2bin(K, tmp);
    /* Calls SSLfatal() as required */
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
 err:
    BN_clear_free(K);
    BN_clear_free(u);
    return ret;
}

/* client side */
int srp_generate_client_master_secret(SSL *s)
{
    BIGNUM *x = NULL, *u = NULL, *K = NULL;
    int ret = -1, tmp_len = 0;
    char *passwd = NULL;
    unsigned char *tmp = NULL;

    /*
     * Checks if b % n == 0
     */
    if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0
            || (u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
                                  s->ctx->libctx, s->ctx->propq))
               == NULL
            || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
                                                      s->srp_ctx.SRP_cb_arg))
            == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
        goto err;
    }
    if ((x = SRP_Calc_x_ex(s->srp_ctx.s, s->srp_ctx.login, passwd,
                           s->ctx->libctx, s->ctx->propq)) == NULL
            || (K = SRP_Calc_client_key_ex(s->srp_ctx.N, s->srp_ctx.B,
                                           s->srp_ctx.g, x,
                                           s->srp_ctx.a, u,
                                           s->ctx->libctx,
                                           s->ctx->propq)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    BN_bn2bin(K, tmp);
    /* Calls SSLfatal() as required */
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
 err:
    BN_clear_free(K);
    BN_clear_free(x);
    if (passwd != NULL)
        OPENSSL_clear_free(passwd, strlen(passwd));
    BN_clear_free(u);
    return ret;
}

int srp_verify_server_param(SSL *s)
{
    SRP_CTX *srp = &s->srp_ctx;
    /*
     * Sanity check parameters: we can quickly check B % N == 0 by checking B
     * != 0 since B < N
     */
    if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0
        || BN_is_zero(srp->B)) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DATA);
        return 0;
    }

    if (BN_num_bits(srp->N) < srp->strength) {
        SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_INSUFFICIENT_SECURITY);
        return 0;
    }

    if (srp->SRP_verify_param_callback) {
        if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
            SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED);
            return 0;
        }
    } else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
        SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY,
                 SSL_R_INSUFFICIENT_SECURITY);
        return 0;
    }

    return 1;
}

/*
 * The public API SRP_Calc_A_param() is deprecated so we use
 * ssl_srp_calc_a_param_intern() internally.
 */
int ssl_srp_calc_a_param_intern(SSL *s)
{
    unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];

    if (RAND_priv_bytes_ex(s->ctx->libctx, rnd, sizeof(rnd)) <= 0)
        return 0;
    s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
    OPENSSL_cleanse(rnd, sizeof(rnd));

    if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
        return 0;

    return 1;
}

int SRP_Calc_A_param(SSL *s)
{
    return ssl_srp_calc_a_param_intern(s);
}

BIGNUM *SSL_get_srp_g(SSL *s)
{
    if (s->srp_ctx.g != NULL)
        return s->srp_ctx.g;
    return s->ctx->srp_ctx.g;
}

BIGNUM *SSL_get_srp_N(SSL *s)
{
    if (s->srp_ctx.N != NULL)
        return s->srp_ctx.N;
    return s->ctx->srp_ctx.N;
}

char *SSL_get_srp_username(SSL *s)
{
    if (s->srp_ctx.login != NULL)
        return s->srp_ctx.login;
    return s->ctx->srp_ctx.login;
}

char *SSL_get_srp_userinfo(SSL *s)
{
    if (s->srp_ctx.info != NULL)
        return s->srp_ctx.info;
    return s->ctx->srp_ctx.info;
}

# define tls1_ctx_ctrl ssl3_ctx_ctrl
# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl

int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
}

int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
}

int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
                         NULL);
}

int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
                                          int (*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
}

int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
                                      int (*cb) (SSL *, int *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
                                        char *(*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
                                  (void (*)(void))cb);
}

#endif
Commit	Line	Data
0f113f3e	1	/*
a28d06f3	2	* Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
3b855b1f	3	* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
edc032b5	4	*
2c18d164	5	* Licensed under the Apache License 2.0 (the "License"). You may not use
846e33c7 RS	6	* this file except in compliance with the License. You can obtain a copy
	7	* in the file LICENSE in the source distribution or at
	8	* https://www.openssl.org/source/license.html
3b855b1f TH	9	*
	10	* Originally written by Christophe Renou and Peter Sylvester,
	11	* for the EdelKey project.
edc032b5	12	*/
edc032b5	13
76cb077f MC	14	/*
	15	* We need to use the SRP deprecated APIs in order to implement the SSL SRP
	16	* APIs - which are themselves deprecated.
	17	*/
6d2a1eff MC	18	#define OPENSSL_SUPPRESS_DEPRECATED
6d2a1eff MC	19
b93e331b	20	#include <openssl/crypto.h>
edc032b5	21	#include <openssl/rand.h>
edc032b5	22	#include <openssl/err.h>
706457b7	23	#include "ssl_local.h"
b93e331b DSH	24
b93e331b DSH	25	#ifndef OPENSSL_NO_SRP
a230b26e	26	# include <openssl/srp.h>
edc032b5	27
76cb077f MC	28	/*
	29	* The public API SSL_CTX_SRP_CTX_free() is deprecated so we use
	30	* ssl_ctx_srp_ctx_free_intern() internally.
	31	*/
	32	int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx)
0f113f3e MC	33	{
	34	if (ctx == NULL)
	35	return 0;
	36	OPENSSL_free(ctx->srp_ctx.login);
e655f549	37	OPENSSL_free(ctx->srp_ctx.info);
0f113f3e MC	38	BN_free(ctx->srp_ctx.N);
	39	BN_free(ctx->srp_ctx.g);
	40	BN_free(ctx->srp_ctx.s);
	41	BN_free(ctx->srp_ctx.B);
	42	BN_free(ctx->srp_ctx.A);
	43	BN_free(ctx->srp_ctx.a);
	44	BN_free(ctx->srp_ctx.b);
	45	BN_free(ctx->srp_ctx.v);
135976b3	46	memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
0f113f3e	47	ctx->srp_ctx.strength = SRP_MINIMAL_N;
208fb891	48	return 1;
0f113f3e	49	}
edc032b5	50
76cb077f MC	51	int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx)
	52	{
	53	return ssl_ctx_srp_ctx_free_intern(ctx);
	54	}
	55
	56	/*
	57	* The public API SSL_SRP_CTX_free() is deprecated so we use
	58	* ssl_srp_ctx_free_intern() internally.
	59	*/
	60	int ssl_srp_ctx_free_intern(SSL *s)
0f113f3e MC	61	{
	62	if (s == NULL)
	63	return 0;
	64	OPENSSL_free(s->srp_ctx.login);
e655f549	65	OPENSSL_free(s->srp_ctx.info);
0f113f3e MC	66	BN_free(s->srp_ctx.N);
	67	BN_free(s->srp_ctx.g);
	68	BN_free(s->srp_ctx.s);
	69	BN_free(s->srp_ctx.B);
	70	BN_free(s->srp_ctx.A);
	71	BN_free(s->srp_ctx.a);
	72	BN_free(s->srp_ctx.b);
	73	BN_free(s->srp_ctx.v);
135976b3	74	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
0f113f3e	75	s->srp_ctx.strength = SRP_MINIMAL_N;
208fb891	76	return 1;
0f113f3e	77	}
edc032b5	78
76cb077f MC	79	int SSL_SRP_CTX_free(SSL *s)
	80	{
	81	return ssl_srp_ctx_free_intern(s);
	82	}
	83
	84	/*
	85	* The public API SSL_SRP_CTX_init() is deprecated so we use
	86	* ssl_srp_ctx_init_intern() internally.
	87	*/
	88	int ssl_srp_ctx_init_intern(SSL *s)
0f113f3e MC	89	{
	90	SSL_CTX *ctx;
	91
	92	if ((s == NULL) \|\| ((ctx = s->ctx) == NULL))
	93	return 0;
135976b3 DSC	94
	95	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
	96
0f113f3e MC	97	s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
	98	/* set client Hello login callback */
	99	s->srp_ctx.TLS_ext_srp_username_callback =
	100	ctx->srp_ctx.TLS_ext_srp_username_callback;
	101	/* set SRP N/g param callback for verification */
	102	s->srp_ctx.SRP_verify_param_callback =
	103	ctx->srp_ctx.SRP_verify_param_callback;
	104	/* set SRP client passwd callback */
	105	s->srp_ctx.SRP_give_srp_client_pwd_callback =
	106	ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
	107
0f113f3e MC	108	s->srp_ctx.strength = ctx->srp_ctx.strength;
	109
	110	if (((ctx->srp_ctx.N != NULL) &&
	111	((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) \|\|
	112	((ctx->srp_ctx.g != NULL) &&
	113	((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) \|\|
	114	((ctx->srp_ctx.s != NULL) &&
	115	((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) \|\|
	116	((ctx->srp_ctx.B != NULL) &&
	117	((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) \|\|
	118	((ctx->srp_ctx.A != NULL) &&
	119	((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) \|\|
	120	((ctx->srp_ctx.a != NULL) &&
	121	((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) \|\|
	122	((ctx->srp_ctx.v != NULL) &&
	123	((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) \|\|
	124	((ctx->srp_ctx.b != NULL) &&
	125	((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
6849b73c	126	ERR_raise(ERR_LIB_SSL, ERR_R_BN_LIB);
0f113f3e MC	127	goto err;
	128	}
	129	if ((ctx->srp_ctx.login != NULL) &&
7644a9ae	130	((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
6849b73c	131	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
0f113f3e MC	132	goto err;
0f113f3e MC	133	}
e655f549	134	if ((ctx->srp_ctx.info != NULL) &&
3d484574	135	((s->srp_ctx.info = OPENSSL_strdup(ctx->srp_ctx.info)) == NULL)) {
6849b73c	136	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
e655f549 DSC	137	goto err;
e655f549 DSC	138	}
0f113f3e MC	139	s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
0f113f3e MC	140
208fb891	141	return 1;
0f113f3e MC	142	err:
0f113f3e MC	143	OPENSSL_free(s->srp_ctx.login);
e655f549	144	OPENSSL_free(s->srp_ctx.info);
0f113f3e MC	145	BN_free(s->srp_ctx.N);
	146	BN_free(s->srp_ctx.g);
	147	BN_free(s->srp_ctx.s);
	148	BN_free(s->srp_ctx.B);
	149	BN_free(s->srp_ctx.A);
	150	BN_free(s->srp_ctx.a);
	151	BN_free(s->srp_ctx.b);
	152	BN_free(s->srp_ctx.v);
135976b3	153	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
26a7d938	154	return 0;
0f113f3e	155	}
edc032b5	156
76cb077f MC	157	int SSL_SRP_CTX_init(SSL *s)
	158	{
	159	return ssl_srp_ctx_init_intern(s);
	160	}
	161
	162	/*
	163	* The public API SSL_CTX_SRP_CTX_init() is deprecated so we use
	164	* ssl_ctx_srp_ctx_init_intern() internally.
	165	*/
	166	int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx)
0f113f3e MC	167	{
	168	if (ctx == NULL)
	169	return 0;
	170
135976b3	171	memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
0f113f3e MC	172	ctx->srp_ctx.strength = SRP_MINIMAL_N;
0f113f3e MC	173
208fb891	174	return 1;
0f113f3e	175	}
edc032b5	176
76cb077f MC	177	int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx)
	178	{
	179	return ssl_ctx_srp_ctx_init_intern(ctx);
	180	}
	181
edc032b5	182	/* server side */
76cb077f MC	183	/*
	184	* The public API SSL_srp_server_param_with_username() is deprecated so we use
	185	* ssl_srp_server_param_with_username_intern() internally.
	186	*/
	187	int ssl_srp_server_param_with_username_intern(SSL s, int ad)
0f113f3e MC	188	{
	189	unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
	190	int al;
	191
	192	*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
	193	if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
	194	((al =
	195	s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
	196	s->srp_ctx.SRP_cb_arg)) !=
	197	SSL_ERROR_NONE))
	198	return al;
	199
	200	*ad = SSL_AD_INTERNAL_ERROR;
	201	if ((s->srp_ctx.N == NULL) \|\|
	202	(s->srp_ctx.g == NULL) \|\|
	203	(s->srp_ctx.s == NULL) \|\| (s->srp_ctx.v == NULL))
	204	return SSL3_AL_FATAL;
	205
1744b6d3	206	if (RAND_priv_bytes_ex(s->ctx->libctx, b, sizeof(b)) <= 0)
0f113f3e MC	207	return SSL3_AL_FATAL;
	208	s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
	209	OPENSSL_cleanse(b, sizeof(b));
	210
	211	/* Calculate: B = (kv + g^b) % N */
	212
	213	return ((s->srp_ctx.B =
1744b6d3 MC	214	SRP_Calc_B_ex(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
1744b6d3 MC	215	s->srp_ctx.v, s->ctx->libctx, s->ctx->propq)) !=
0f113f3e MC	216	NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
	217	}
	218
76cb077f MC	219	int SSL_srp_server_param_with_username(SSL s, int ad)
	220	{
	221	return ssl_srp_server_param_with_username_intern(s, ad);
	222	}
	223
0f113f3e MC	224	/*
	225	* If the server just has the raw password, make up a verifier entry on the
	226	* fly
	227	*/
	228	int SSL_set_srp_server_param_pw(SSL s, const char user, const char *pass,
	229	const char *grp)
	230	{
	231	SRP_gN *GN = SRP_get_default_gN(grp);
	232	if (GN == NULL)
	233	return -1;
	234	s->srp_ctx.N = BN_dup(GN->N);
	235	s->srp_ctx.g = BN_dup(GN->g);
23a1d5e9 RS	236	BN_clear_free(s->srp_ctx.v);
	237	s->srp_ctx.v = NULL;
	238	BN_clear_free(s->srp_ctx.s);
	239	s->srp_ctx.s = NULL;
1744b6d3 MC	240	if (!SRP_create_verifier_BN_ex(user, pass, &s->srp_ctx.s, &s->srp_ctx.v,
	241	GN->N, GN->g, s->ctx->libctx,
	242	s->ctx->propq))
0f113f3e MC	243	return -1;
	244
	245	return 1;
	246	}
edc032b5 BL	247
edc032b5 BL	248	int SSL_set_srp_server_param(SSL s, const BIGNUM N, const BIGNUM *g,
0f113f3e MC	249	BIGNUM sa, BIGNUM v, char *info)
	250	{
	251	if (N != NULL) {
	252	if (s->srp_ctx.N != NULL) {
	253	if (!BN_copy(s->srp_ctx.N, N)) {
	254	BN_free(s->srp_ctx.N);
	255	s->srp_ctx.N = NULL;
	256	}
	257	} else
	258	s->srp_ctx.N = BN_dup(N);
	259	}
	260	if (g != NULL) {
	261	if (s->srp_ctx.g != NULL) {
	262	if (!BN_copy(s->srp_ctx.g, g)) {
	263	BN_free(s->srp_ctx.g);
	264	s->srp_ctx.g = NULL;
	265	}
	266	} else
	267	s->srp_ctx.g = BN_dup(g);
	268	}
	269	if (sa != NULL) {
	270	if (s->srp_ctx.s != NULL) {
	271	if (!BN_copy(s->srp_ctx.s, sa)) {
	272	BN_free(s->srp_ctx.s);
	273	s->srp_ctx.s = NULL;
	274	}
	275	} else
	276	s->srp_ctx.s = BN_dup(sa);
	277	}
	278	if (v != NULL) {
	279	if (s->srp_ctx.v != NULL) {
	280	if (!BN_copy(s->srp_ctx.v, v)) {
	281	BN_free(s->srp_ctx.v);
	282	s->srp_ctx.v = NULL;
	283	}
	284	} else
	285	s->srp_ctx.v = BN_dup(v);
	286	}
e655f549 DSC	287	if (info != NULL) {
	288	if (s->srp_ctx.info)
	289	OPENSSL_free(s->srp_ctx.info);
3d484574	290	if ((s->srp_ctx.info = OPENSSL_strdup(info)) == NULL)
e655f549 DSC	291	return -1;
e655f549 DSC	292	}
0f113f3e MC	293
	294	if (!(s->srp_ctx.N) \|\|
	295	!(s->srp_ctx.g) \|\| !(s->srp_ctx.s) \|\| !(s->srp_ctx.v))
	296	return -1;
	297
	298	return 1;
	299	}
	300
57b272b0	301	int srp_generate_server_master_secret(SSL *s)
0f113f3e MC	302	{
0f113f3e MC	303	BIGNUM K = NULL, u = NULL;
4b45c6e5	304	int ret = -1, tmp_len = 0;
0f113f3e MC	305	unsigned char *tmp = NULL;
	306
	307	if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
	308	goto err;
1744b6d3 MC	309	if ((u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
1744b6d3 MC	310	s->ctx->libctx, s->ctx->propq)) == NULL)
0f113f3e	311	goto err;
75ebbd9a RS	312	if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
75ebbd9a RS	313	s->srp_ctx.N)) == NULL)
0f113f3e MC	314	goto err;
	315
	316	tmp_len = BN_num_bytes(K);
f63a17d6	317	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
c48ffbcc	318	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
0f113f3e	319	goto err;
f63a17d6	320	}
0f113f3e	321	BN_bn2bin(K, tmp);
f63a17d6	322	/* Calls SSLfatal() as required */
57b272b0	323	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
0f113f3e	324	err:
0f113f3e MC	325	BN_clear_free(K);
	326	BN_clear_free(u);
	327	return ret;
	328	}
edc032b5 BL	329
edc032b5 BL	330	/* client side */
57b272b0	331	int srp_generate_client_master_secret(SSL *s)
0f113f3e MC	332	{
0f113f3e MC	333	BIGNUM x = NULL, u = NULL, *K = NULL;
4b45c6e5	334	int ret = -1, tmp_len = 0;
0f113f3e MC	335	char *passwd = NULL;
	336	unsigned char *tmp = NULL;
	337
	338	/*
	339	* Checks if b % n == 0
	340	*/
a2c2e000	341	if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0
1744b6d3 MC	342	\|\| (u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
1744b6d3 MC	343	s->ctx->libctx, s->ctx->propq))
a2c2e000 MC	344	== NULL
a2c2e000 MC	345	\|\| s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) {
c48ffbcc	346	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
0f113f3e	347	goto err;
a2c2e000 MC	348	}
	349	if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
	350	s->srp_ctx.SRP_cb_arg))
	351	== NULL) {
c48ffbcc	352	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
0f113f3e	353	goto err;
a2c2e000	354	}
1744b6d3 MC	355	if ((x = SRP_Calc_x_ex(s->srp_ctx.s, s->srp_ctx.login, passwd,
	356	s->ctx->libctx, s->ctx->propq)) == NULL
	357	\|\| (K = SRP_Calc_client_key_ex(s->srp_ctx.N, s->srp_ctx.B,
	358	s->srp_ctx.g, x,
	359	s->srp_ctx.a, u,
	360	s->ctx->libctx,
	361	s->ctx->propq)) == NULL) {
c48ffbcc	362	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
0f113f3e	363	goto err;
a2c2e000	364	}
0f113f3e MC	365
0f113f3e MC	366	tmp_len = BN_num_bytes(K);
a2c2e000	367	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
c48ffbcc	368	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
0f113f3e	369	goto err;
a2c2e000	370	}
0f113f3e	371	BN_bn2bin(K, tmp);
a2c2e000	372	/* Calls SSLfatal() as required */
57b272b0	373	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
0f113f3e	374	err:
0f113f3e MC	375	BN_clear_free(K);
0f113f3e MC	376	BN_clear_free(x);
d73ca3ef MC	377	if (passwd != NULL)
d73ca3ef MC	378	OPENSSL_clear_free(passwd, strlen(passwd));
0f113f3e MC	379	BN_clear_free(u);
	380	return ret;
	381	}
edc032b5	382
a2c2e000	383	int srp_verify_server_param(SSL *s)
0f113f3e MC	384	{
	385	SRP_CTX *srp = &s->srp_ctx;
	386	/*
	387	* Sanity check parameters: we can quickly check B % N == 0 by checking B
	388	* != 0 since B < N
	389	*/
	390	if (BN_ucmp(srp->g, srp->N) >= 0 \|\| BN_ucmp(srp->B, srp->N) >= 0
	391	\|\| BN_is_zero(srp->B)) {
c48ffbcc	392	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DATA);
0f113f3e MC	393	return 0;
	394	}
	395
	396	if (BN_num_bits(srp->N) < srp->strength) {
c48ffbcc	397	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_INSUFFICIENT_SECURITY);
0f113f3e MC	398	return 0;
	399	}
	400
	401	if (srp->SRP_verify_param_callback) {
	402	if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
c48ffbcc	403	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED);
0f113f3e MC	404	return 0;
	405	}
	406	} else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
c48ffbcc	407	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY,
a2c2e000	408	SSL_R_INSUFFICIENT_SECURITY);
0f113f3e MC	409	return 0;
	410	}
	411
	412	return 1;
	413	}
0989790b	414
76cb077f MC	415	/*
	416	* The public API SRP_Calc_A_param() is deprecated so we use
	417	* ssl_srp_calc_a_param_intern() internally.
	418	*/
	419	int ssl_srp_calc_a_param_intern(SSL *s)
0f113f3e MC	420	{
0f113f3e MC	421	unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
edc032b5	422
1744b6d3	423	if (RAND_priv_bytes_ex(s->ctx->libctx, rnd, sizeof(rnd)) <= 0)
0f113f3e MC	424	return 0;
	425	s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
	426	OPENSSL_cleanse(rnd, sizeof(rnd));
edc032b5	427
a230b26e	428	if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
0f113f3e	429	return 0;
edc032b5	430
0f113f3e MC	431	return 1;
0f113f3e MC	432	}
edc032b5	433
76cb077f MC	434	int SRP_Calc_A_param(SSL *s)
	435	{
	436	return ssl_srp_calc_a_param_intern(s);
	437	}
	438
edc032b5	439	BIGNUM SSL_get_srp_g(SSL s)
0f113f3e MC	440	{
	441	if (s->srp_ctx.g != NULL)
	442	return s->srp_ctx.g;
	443	return s->ctx->srp_ctx.g;
	444	}
edc032b5 BL	445
edc032b5 BL	446	BIGNUM SSL_get_srp_N(SSL s)
0f113f3e MC	447	{
	448	if (s->srp_ctx.N != NULL)
	449	return s->srp_ctx.N;
	450	return s->ctx->srp_ctx.N;
	451	}
edc032b5 BL	452
edc032b5 BL	453	char SSL_get_srp_username(SSL s)
0f113f3e MC	454	{
	455	if (s->srp_ctx.login != NULL)
	456	return s->srp_ctx.login;
	457	return s->ctx->srp_ctx.login;
	458	}
edc032b5 BL	459
edc032b5 BL	460	char SSL_get_srp_userinfo(SSL s)
0f113f3e MC	461	{
	462	if (s->srp_ctx.info != NULL)
	463	return s->srp_ctx.info;
	464	return s->ctx->srp_ctx.info;
	465	}
edc032b5	466
0f113f3e MC	467	# define tls1_ctx_ctrl ssl3_ctx_ctrl
0f113f3e MC	468	# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
edc032b5	469
0f113f3e MC	470	int SSL_CTX_set_srp_username(SSL_CTX ctx, char name)
	471	{
	472	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
	473	}
edc032b5	474
0f113f3e MC	475	int SSL_CTX_set_srp_password(SSL_CTX ctx, char password)
	476	{
	477	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
	478	}
edc032b5 BL	479
edc032b5 BL	480	int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
0f113f3e MC	481	{
	482	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
	483	NULL);
	484	}
	485
	486	int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
	487	int (cb) (SSL , void *))
	488	{
	489	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
	490	(void (*)(void))cb);
	491	}
edc032b5 BL	492
edc032b5 BL	493	int SSL_CTX_set_srp_cb_arg(SSL_CTX ctx, void arg)
0f113f3e MC	494	{
	495	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
	496	}
edc032b5 BL	497
edc032b5 BL	498	int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
0f113f3e MC	499	int (cb) (SSL , int , void ))
	500	{
	501	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
	502	(void (*)(void))cb);
	503	}
	504
	505	int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
	506	char (cb) (SSL , void ))
	507	{
	508	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
	509	(void (*)(void))cb);
	510	}
edc032b5	511
edc032b5	512	#endif