[thirdparty/openssl.git] / ssl / tls_srp.c

/*
 * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include "ssl_locl.h"

#ifndef OPENSSL_NO_SRP
# include <openssl/srp.h>

int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
{
    if (ctx == NULL)
        return 0;
    OPENSSL_free(ctx->srp_ctx.login);
    OPENSSL_free(ctx->srp_ctx.info);
    BN_free(ctx->srp_ctx.N);
    BN_free(ctx->srp_ctx.g);
    BN_free(ctx->srp_ctx.s);
    BN_free(ctx->srp_ctx.B);
    BN_free(ctx->srp_ctx.A);
    BN_free(ctx->srp_ctx.a);
    BN_free(ctx->srp_ctx.b);
    BN_free(ctx->srp_ctx.v);
    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
    ctx->srp_ctx.strength = SRP_MINIMAL_N;
    return 1;
}

int SSL_SRP_CTX_free(struct ssl_st *s)
{
    if (s == NULL)
        return 0;
    OPENSSL_free(s->srp_ctx.login);
    OPENSSL_free(s->srp_ctx.info);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
    s->srp_ctx.strength = SRP_MINIMAL_N;
    return 1;
}

int SSL_SRP_CTX_init(struct ssl_st *s)
{
    SSL_CTX *ctx;

    if ((s == NULL) || ((ctx = s->ctx) == NULL))
        return 0;

    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));

    s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
    /* set client Hello login callback */
    s->srp_ctx.TLS_ext_srp_username_callback =
        ctx->srp_ctx.TLS_ext_srp_username_callback;
    /* set SRP N/g param callback for verification */
    s->srp_ctx.SRP_verify_param_callback =
        ctx->srp_ctx.SRP_verify_param_callback;
    /* set SRP client passwd callback */
    s->srp_ctx.SRP_give_srp_client_pwd_callback =
        ctx->srp_ctx.SRP_give_srp_client_pwd_callback;

    s->srp_ctx.strength = ctx->srp_ctx.strength;

    if (((ctx->srp_ctx.N != NULL) &&
         ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) ||
        ((ctx->srp_ctx.g != NULL) &&
         ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) ||
        ((ctx->srp_ctx.s != NULL) &&
         ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) ||
        ((ctx->srp_ctx.B != NULL) &&
         ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) ||
        ((ctx->srp_ctx.A != NULL) &&
         ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) ||
        ((ctx->srp_ctx.a != NULL) &&
         ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) ||
        ((ctx->srp_ctx.v != NULL) &&
         ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) ||
        ((ctx->srp_ctx.b != NULL) &&
         ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB);
        goto err;
    }
    if ((ctx->srp_ctx.login != NULL) &&
        ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((ctx->srp_ctx.info != NULL) &&
        ((s->srp_ctx.info = BUF_strdup(ctx->srp_ctx.info)) == NULL)) {
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;

    return 1;
 err:
    OPENSSL_free(s->srp_ctx.login);
    OPENSSL_free(s->srp_ctx.info);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
    return (0);
}

int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
{
    if (ctx == NULL)
        return 0;

    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
    ctx->srp_ctx.strength = SRP_MINIMAL_N;

    return 1;
}

/* server side */
int SSL_srp_server_param_with_username(SSL *s, int *ad)
{
    unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
    int al;

    *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
    if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
        ((al =
          s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
                                                   s->srp_ctx.SRP_cb_arg)) !=
         SSL_ERROR_NONE))
        return al;

    *ad = SSL_AD_INTERNAL_ERROR;
    if ((s->srp_ctx.N == NULL) ||
        (s->srp_ctx.g == NULL) ||
        (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
        return SSL3_AL_FATAL;

    if (ssl_randbytes(s, b, sizeof(b)) <= 0)
        return SSL3_AL_FATAL;
    s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
    OPENSSL_cleanse(b, sizeof(b));

    /* Calculate:  B = (kv + g^b) % N  */

    return ((s->srp_ctx.B =
             SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
                        s->srp_ctx.v)) !=
            NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
}

/*
 * If the server just has the raw password, make up a verifier entry on the
 * fly
 */
int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
                                const char *grp)
{
    SRP_gN *GN = SRP_get_default_gN(grp);
    if (GN == NULL)
        return -1;
    s->srp_ctx.N = BN_dup(GN->N);
    s->srp_ctx.g = BN_dup(GN->g);
    BN_clear_free(s->srp_ctx.v);
    s->srp_ctx.v = NULL;
    BN_clear_free(s->srp_ctx.s);
    s->srp_ctx.s = NULL;
    if (!SRP_create_verifier_BN
        (user, pass, &s->srp_ctx.s, &s->srp_ctx.v, GN->N, GN->g))
        return -1;

    return 1;
}

int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
                             BIGNUM *sa, BIGNUM *v, char *info)
{
    if (N != NULL) {
        if (s->srp_ctx.N != NULL) {
            if (!BN_copy(s->srp_ctx.N, N)) {
                BN_free(s->srp_ctx.N);
                s->srp_ctx.N = NULL;
            }
        } else
            s->srp_ctx.N = BN_dup(N);
    }
    if (g != NULL) {
        if (s->srp_ctx.g != NULL) {
            if (!BN_copy(s->srp_ctx.g, g)) {
                BN_free(s->srp_ctx.g);
                s->srp_ctx.g = NULL;
            }
        } else
            s->srp_ctx.g = BN_dup(g);
    }
    if (sa != NULL) {
        if (s->srp_ctx.s != NULL) {
            if (!BN_copy(s->srp_ctx.s, sa)) {
                BN_free(s->srp_ctx.s);
                s->srp_ctx.s = NULL;
            }
        } else
            s->srp_ctx.s = BN_dup(sa);
    }
    if (v != NULL) {
        if (s->srp_ctx.v != NULL) {
            if (!BN_copy(s->srp_ctx.v, v)) {
                BN_free(s->srp_ctx.v);
                s->srp_ctx.v = NULL;
            }
        } else
            s->srp_ctx.v = BN_dup(v);
    }
    if (info != NULL) {
        if (s->srp_ctx.info)
            OPENSSL_free(s->srp_ctx.info);
        if ((s->srp_ctx.info = BUF_strdup(info)) == NULL)
            return -1;
    }

    if (!(s->srp_ctx.N) ||
        !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v))
        return -1;

    return 1;
}

int srp_generate_server_master_secret(SSL *s)
{
    BIGNUM *K = NULL, *u = NULL;
    int ret = -1, tmp_len = 0;
    unsigned char *tmp = NULL;

    if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
        goto err;
    if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
        goto err;
    if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
                                 s->srp_ctx.N)) == NULL)
        goto err;

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
        goto err;
    BN_bn2bin(K, tmp);
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
 err:
    BN_clear_free(K);
    BN_clear_free(u);
    return ret;
}

/* client side */
int srp_generate_client_master_secret(SSL *s)
{
    BIGNUM *x = NULL, *u = NULL, *K = NULL;
    int ret = -1, tmp_len = 0;
    char *passwd = NULL;
    unsigned char *tmp = NULL;

    /*
     * Checks if b % n == 0
     */
    if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0)
        goto err;
    if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
        goto err;
    if (s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL)
        goto err;
    if (!
        (passwd =
         s->srp_ctx.SRP_give_srp_client_pwd_callback(s, s->srp_ctx.SRP_cb_arg)))
        goto err;
    if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL)
        goto err;
    if ((K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, s->srp_ctx.g, x,
                                 s->srp_ctx.a, u)) == NULL)
        goto err;

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
        goto err;
    BN_bn2bin(K, tmp);
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
 err:
    BN_clear_free(K);
    BN_clear_free(x);
    if (passwd != NULL)
        OPENSSL_clear_free(passwd, strlen(passwd));
    BN_clear_free(u);
    return ret;
}

int srp_verify_server_param(SSL *s, int *al)
{
    SRP_CTX *srp = &s->srp_ctx;
    /*
     * Sanity check parameters: we can quickly check B % N == 0 by checking B
     * != 0 since B < N
     */
    if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0
        || BN_is_zero(srp->B)) {
        *al = SSL3_AD_ILLEGAL_PARAMETER;
        return 0;
    }

    if (BN_num_bits(srp->N) < srp->strength) {
        *al = TLS1_AD_INSUFFICIENT_SECURITY;
        return 0;
    }

    if (srp->SRP_verify_param_callback) {
        if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
            *al = TLS1_AD_INSUFFICIENT_SECURITY;
            return 0;
        }
    } else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
        *al = TLS1_AD_INSUFFICIENT_SECURITY;
        return 0;
    }

    return 1;
}

int SRP_Calc_A_param(SSL *s)
{
    unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];

    if (ssl_randbytes(s, rnd, sizeof(rnd)) <= 0)
        return 0;
    s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
    OPENSSL_cleanse(rnd, sizeof(rnd));

    if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
        return 0;

    return 1;
}

BIGNUM *SSL_get_srp_g(SSL *s)
{
    if (s->srp_ctx.g != NULL)
        return s->srp_ctx.g;
    return s->ctx->srp_ctx.g;
}

BIGNUM *SSL_get_srp_N(SSL *s)
{
    if (s->srp_ctx.N != NULL)
        return s->srp_ctx.N;
    return s->ctx->srp_ctx.N;
}

char *SSL_get_srp_username(SSL *s)
{
    if (s->srp_ctx.login != NULL)
        return s->srp_ctx.login;
    return s->ctx->srp_ctx.login;
}

char *SSL_get_srp_userinfo(SSL *s)
{
    if (s->srp_ctx.info != NULL)
        return s->srp_ctx.info;
    return s->ctx->srp_ctx.info;
}

# define tls1_ctx_ctrl ssl3_ctx_ctrl
# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl

int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
}

int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
}

int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
                         NULL);
}

int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
                                          int (*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
}

int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
                                      int (*cb) (SSL *, int *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
                                        char *(*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
                                  (void (*)(void))cb);
}

#endif
Commit	Line	Data
0f113f3e	1	/*
846e33c7	2	* Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
edc032b5	3	*
846e33c7 RS	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
edc032b5	8	*/
edc032b5	9
b93e331b	10	#include <openssl/crypto.h>
edc032b5	11	#include <openssl/rand.h>
edc032b5	12	#include <openssl/err.h>
b93e331b DSH	13	#include "ssl_locl.h"
	14
	15	#ifndef OPENSSL_NO_SRP
a230b26e	16	# include <openssl/srp.h>
edc032b5 BL	17
edc032b5 BL	18	int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
0f113f3e MC	19	{
	20	if (ctx == NULL)
	21	return 0;
	22	OPENSSL_free(ctx->srp_ctx.login);
e655f549	23	OPENSSL_free(ctx->srp_ctx.info);
0f113f3e MC	24	BN_free(ctx->srp_ctx.N);
	25	BN_free(ctx->srp_ctx.g);
	26	BN_free(ctx->srp_ctx.s);
	27	BN_free(ctx->srp_ctx.B);
	28	BN_free(ctx->srp_ctx.A);
	29	BN_free(ctx->srp_ctx.a);
	30	BN_free(ctx->srp_ctx.b);
	31	BN_free(ctx->srp_ctx.v);
135976b3	32	memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
0f113f3e	33	ctx->srp_ctx.strength = SRP_MINIMAL_N;
208fb891	34	return 1;
0f113f3e	35	}
edc032b5 BL	36
edc032b5 BL	37	int SSL_SRP_CTX_free(struct ssl_st *s)
0f113f3e MC	38	{
	39	if (s == NULL)
	40	return 0;
	41	OPENSSL_free(s->srp_ctx.login);
e655f549	42	OPENSSL_free(s->srp_ctx.info);
0f113f3e MC	43	BN_free(s->srp_ctx.N);
	44	BN_free(s->srp_ctx.g);
	45	BN_free(s->srp_ctx.s);
	46	BN_free(s->srp_ctx.B);
	47	BN_free(s->srp_ctx.A);
	48	BN_free(s->srp_ctx.a);
	49	BN_free(s->srp_ctx.b);
	50	BN_free(s->srp_ctx.v);
135976b3	51	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
0f113f3e	52	s->srp_ctx.strength = SRP_MINIMAL_N;
208fb891	53	return 1;
0f113f3e	54	}
edc032b5 BL	55
edc032b5 BL	56	int SSL_SRP_CTX_init(struct ssl_st *s)
0f113f3e MC	57	{
	58	SSL_CTX *ctx;
	59
	60	if ((s == NULL) \|\| ((ctx = s->ctx) == NULL))
	61	return 0;
135976b3 DSC	62
	63	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
	64
0f113f3e MC	65	s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
	66	/* set client Hello login callback */
	67	s->srp_ctx.TLS_ext_srp_username_callback =
	68	ctx->srp_ctx.TLS_ext_srp_username_callback;
	69	/* set SRP N/g param callback for verification */
	70	s->srp_ctx.SRP_verify_param_callback =
	71	ctx->srp_ctx.SRP_verify_param_callback;
	72	/* set SRP client passwd callback */
	73	s->srp_ctx.SRP_give_srp_client_pwd_callback =
	74	ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
	75
0f113f3e MC	76	s->srp_ctx.strength = ctx->srp_ctx.strength;
	77
	78	if (((ctx->srp_ctx.N != NULL) &&
	79	((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) \|\|
	80	((ctx->srp_ctx.g != NULL) &&
	81	((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) \|\|
	82	((ctx->srp_ctx.s != NULL) &&
	83	((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) \|\|
	84	((ctx->srp_ctx.B != NULL) &&
	85	((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) \|\|
	86	((ctx->srp_ctx.A != NULL) &&
	87	((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) \|\|
	88	((ctx->srp_ctx.a != NULL) &&
	89	((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) \|\|
	90	((ctx->srp_ctx.v != NULL) &&
	91	((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) \|\|
	92	((ctx->srp_ctx.b != NULL) &&
	93	((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
	94	SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB);
	95	goto err;
	96	}
	97	if ((ctx->srp_ctx.login != NULL) &&
7644a9ae	98	((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
0f113f3e MC	99	SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
	100	goto err;
	101	}
e655f549 DSC	102	if ((ctx->srp_ctx.info != NULL) &&
	103	((s->srp_ctx.info = BUF_strdup(ctx->srp_ctx.info)) == NULL)) {
	104	SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
	105	goto err;
	106	}
0f113f3e MC	107	s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
0f113f3e MC	108
208fb891	109	return 1;
0f113f3e MC	110	err:
0f113f3e MC	111	OPENSSL_free(s->srp_ctx.login);
e655f549	112	OPENSSL_free(s->srp_ctx.info);
0f113f3e MC	113	BN_free(s->srp_ctx.N);
	114	BN_free(s->srp_ctx.g);
	115	BN_free(s->srp_ctx.s);
	116	BN_free(s->srp_ctx.B);
	117	BN_free(s->srp_ctx.A);
	118	BN_free(s->srp_ctx.a);
	119	BN_free(s->srp_ctx.b);
	120	BN_free(s->srp_ctx.v);
135976b3	121	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
0f113f3e MC	122	return (0);
0f113f3e MC	123	}
edc032b5 BL	124
edc032b5 BL	125	int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
0f113f3e MC	126	{
	127	if (ctx == NULL)
	128	return 0;
	129
135976b3	130	memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
0f113f3e MC	131	ctx->srp_ctx.strength = SRP_MINIMAL_N;
0f113f3e MC	132
208fb891	133	return 1;
0f113f3e	134	}
edc032b5 BL	135
	136	/* server side */
	137	int SSL_srp_server_param_with_username(SSL s, int ad)
0f113f3e MC	138	{
	139	unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
	140	int al;
	141
	142	*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
	143	if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
	144	((al =
	145	s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
	146	s->srp_ctx.SRP_cb_arg)) !=
	147	SSL_ERROR_NONE))
	148	return al;
	149
	150	*ad = SSL_AD_INTERNAL_ERROR;
	151	if ((s->srp_ctx.N == NULL) \|\|
	152	(s->srp_ctx.g == NULL) \|\|
	153	(s->srp_ctx.s == NULL) \|\| (s->srp_ctx.v == NULL))
	154	return SSL3_AL_FATAL;
	155
ae3947de	156	if (ssl_randbytes(s, b, sizeof(b)) <= 0)
0f113f3e MC	157	return SSL3_AL_FATAL;
	158	s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
	159	OPENSSL_cleanse(b, sizeof(b));
	160
	161	/* Calculate: B = (kv + g^b) % N */
	162
	163	return ((s->srp_ctx.B =
	164	SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
	165	s->srp_ctx.v)) !=
	166	NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
	167	}
	168
	169	/*
	170	* If the server just has the raw password, make up a verifier entry on the
	171	* fly
	172	*/
	173	int SSL_set_srp_server_param_pw(SSL s, const char user, const char *pass,
	174	const char *grp)
	175	{
	176	SRP_gN *GN = SRP_get_default_gN(grp);
	177	if (GN == NULL)
	178	return -1;
	179	s->srp_ctx.N = BN_dup(GN->N);
	180	s->srp_ctx.g = BN_dup(GN->g);
23a1d5e9 RS	181	BN_clear_free(s->srp_ctx.v);
	182	s->srp_ctx.v = NULL;
	183	BN_clear_free(s->srp_ctx.s);
	184	s->srp_ctx.s = NULL;
0f113f3e MC	185	if (!SRP_create_verifier_BN
	186	(user, pass, &s->srp_ctx.s, &s->srp_ctx.v, GN->N, GN->g))
	187	return -1;
	188
	189	return 1;
	190	}
edc032b5 BL	191
edc032b5 BL	192	int SSL_set_srp_server_param(SSL s, const BIGNUM N, const BIGNUM *g,
0f113f3e MC	193	BIGNUM sa, BIGNUM v, char *info)
	194	{
	195	if (N != NULL) {
	196	if (s->srp_ctx.N != NULL) {
	197	if (!BN_copy(s->srp_ctx.N, N)) {
	198	BN_free(s->srp_ctx.N);
	199	s->srp_ctx.N = NULL;
	200	}
	201	} else
	202	s->srp_ctx.N = BN_dup(N);
	203	}
	204	if (g != NULL) {
	205	if (s->srp_ctx.g != NULL) {
	206	if (!BN_copy(s->srp_ctx.g, g)) {
	207	BN_free(s->srp_ctx.g);
	208	s->srp_ctx.g = NULL;
	209	}
	210	} else
	211	s->srp_ctx.g = BN_dup(g);
	212	}
	213	if (sa != NULL) {
	214	if (s->srp_ctx.s != NULL) {
	215	if (!BN_copy(s->srp_ctx.s, sa)) {
	216	BN_free(s->srp_ctx.s);
	217	s->srp_ctx.s = NULL;
	218	}
	219	} else
	220	s->srp_ctx.s = BN_dup(sa);
	221	}
	222	if (v != NULL) {
	223	if (s->srp_ctx.v != NULL) {
	224	if (!BN_copy(s->srp_ctx.v, v)) {
	225	BN_free(s->srp_ctx.v);
	226	s->srp_ctx.v = NULL;
	227	}
	228	} else
	229	s->srp_ctx.v = BN_dup(v);
	230	}
e655f549 DSC	231	if (info != NULL) {
	232	if (s->srp_ctx.info)
	233	OPENSSL_free(s->srp_ctx.info);
	234	if ((s->srp_ctx.info = BUF_strdup(info)) == NULL)
	235	return -1;
	236	}
0f113f3e MC	237
	238	if (!(s->srp_ctx.N) \|\|
	239	!(s->srp_ctx.g) \|\| !(s->srp_ctx.s) \|\| !(s->srp_ctx.v))
	240	return -1;
	241
	242	return 1;
	243	}
	244
57b272b0	245	int srp_generate_server_master_secret(SSL *s)
0f113f3e MC	246	{
0f113f3e MC	247	BIGNUM K = NULL, u = NULL;
4b45c6e5	248	int ret = -1, tmp_len = 0;
0f113f3e MC	249	unsigned char *tmp = NULL;
	250
	251	if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
	252	goto err;
75ebbd9a	253	if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
0f113f3e	254	goto err;
75ebbd9a RS	255	if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
75ebbd9a RS	256	s->srp_ctx.N)) == NULL)
0f113f3e MC	257	goto err;
	258
	259	tmp_len = BN_num_bytes(K);
	260	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
	261	goto err;
	262	BN_bn2bin(K, tmp);
57b272b0	263	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
0f113f3e	264	err:
0f113f3e MC	265	BN_clear_free(K);
	266	BN_clear_free(u);
	267	return ret;
	268	}
edc032b5 BL	269
edc032b5 BL	270	/* client side */
57b272b0	271	int srp_generate_client_master_secret(SSL *s)
0f113f3e MC	272	{
0f113f3e MC	273	BIGNUM x = NULL, u = NULL, *K = NULL;
4b45c6e5	274	int ret = -1, tmp_len = 0;
0f113f3e MC	275	char *passwd = NULL;
	276	unsigned char *tmp = NULL;
	277
	278	/*
	279	* Checks if b % n == 0
	280	*/
	281	if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0)
	282	goto err;
75ebbd9a	283	if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
0f113f3e MC	284	goto err;
	285	if (s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL)
	286	goto err;
	287	if (!
	288	(passwd =
a230b26e	289	s->srp_ctx.SRP_give_srp_client_pwd_callback(s, s->srp_ctx.SRP_cb_arg)))
0f113f3e	290	goto err;
75ebbd9a	291	if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL)
0f113f3e	292	goto err;
75ebbd9a RS	293	if ((K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, s->srp_ctx.g, x,
75ebbd9a RS	294	s->srp_ctx.a, u)) == NULL)
0f113f3e MC	295	goto err;
	296
	297	tmp_len = BN_num_bytes(K);
	298	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
	299	goto err;
	300	BN_bn2bin(K, tmp);
57b272b0	301	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
0f113f3e	302	err:
0f113f3e MC	303	BN_clear_free(K);
0f113f3e MC	304	BN_clear_free(x);
d73ca3ef MC	305	if (passwd != NULL)
d73ca3ef MC	306	OPENSSL_clear_free(passwd, strlen(passwd));
0f113f3e MC	307	BN_clear_free(u);
	308	return ret;
	309	}
edc032b5	310
0989790b	311	int srp_verify_server_param(SSL s, int al)
0f113f3e MC	312	{
	313	SRP_CTX *srp = &s->srp_ctx;
	314	/*
	315	* Sanity check parameters: we can quickly check B % N == 0 by checking B
	316	* != 0 since B < N
	317	*/
	318	if (BN_ucmp(srp->g, srp->N) >= 0 \|\| BN_ucmp(srp->B, srp->N) >= 0
	319	\|\| BN_is_zero(srp->B)) {
	320	*al = SSL3_AD_ILLEGAL_PARAMETER;
	321	return 0;
	322	}
	323
	324	if (BN_num_bits(srp->N) < srp->strength) {
	325	*al = TLS1_AD_INSUFFICIENT_SECURITY;
	326	return 0;
	327	}
	328
	329	if (srp->SRP_verify_param_callback) {
	330	if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
	331	*al = TLS1_AD_INSUFFICIENT_SECURITY;
	332	return 0;
	333	}
	334	} else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
	335	*al = TLS1_AD_INSUFFICIENT_SECURITY;
	336	return 0;
	337	}
	338
	339	return 1;
	340	}
0989790b DSH	341
0989790b DSH	342	int SRP_Calc_A_param(SSL *s)
0f113f3e MC	343	{
0f113f3e MC	344	unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
edc032b5	345
ae3947de	346	if (ssl_randbytes(s, rnd, sizeof(rnd)) <= 0)
0f113f3e MC	347	return 0;
	348	s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
	349	OPENSSL_cleanse(rnd, sizeof(rnd));
edc032b5	350
a230b26e	351	if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
0f113f3e	352	return 0;
edc032b5	353
0f113f3e MC	354	return 1;
0f113f3e MC	355	}
edc032b5	356
edc032b5	357	BIGNUM SSL_get_srp_g(SSL s)
0f113f3e MC	358	{
	359	if (s->srp_ctx.g != NULL)
	360	return s->srp_ctx.g;
	361	return s->ctx->srp_ctx.g;
	362	}
edc032b5 BL	363
edc032b5 BL	364	BIGNUM SSL_get_srp_N(SSL s)
0f113f3e MC	365	{
	366	if (s->srp_ctx.N != NULL)
	367	return s->srp_ctx.N;
	368	return s->ctx->srp_ctx.N;
	369	}
edc032b5 BL	370
edc032b5 BL	371	char SSL_get_srp_username(SSL s)
0f113f3e MC	372	{
	373	if (s->srp_ctx.login != NULL)
	374	return s->srp_ctx.login;
	375	return s->ctx->srp_ctx.login;
	376	}
edc032b5 BL	377
edc032b5 BL	378	char SSL_get_srp_userinfo(SSL s)
0f113f3e MC	379	{
	380	if (s->srp_ctx.info != NULL)
	381	return s->srp_ctx.info;
	382	return s->ctx->srp_ctx.info;
	383	}
edc032b5	384
0f113f3e MC	385	# define tls1_ctx_ctrl ssl3_ctx_ctrl
0f113f3e MC	386	# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
edc032b5	387
0f113f3e MC	388	int SSL_CTX_set_srp_username(SSL_CTX ctx, char name)
	389	{
	390	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
	391	}
edc032b5	392
0f113f3e MC	393	int SSL_CTX_set_srp_password(SSL_CTX ctx, char password)
	394	{
	395	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
	396	}
edc032b5 BL	397
edc032b5 BL	398	int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
0f113f3e MC	399	{
	400	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
	401	NULL);
	402	}
	403
	404	int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
	405	int (cb) (SSL , void *))
	406	{
	407	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
	408	(void (*)(void))cb);
	409	}
edc032b5 BL	410
edc032b5 BL	411	int SSL_CTX_set_srp_cb_arg(SSL_CTX ctx, void arg)
0f113f3e MC	412	{
	413	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
	414	}
edc032b5 BL	415
edc032b5 BL	416	int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
0f113f3e MC	417	int (cb) (SSL , int , void ))
	418	{
	419	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
	420	(void (*)(void))cb);
	421	}
	422
	423	int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
	424	char (cb) (SSL , void ))
	425	{
	426	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
	427	(void (*)(void))cb);
	428	}
edc032b5	429
edc032b5	430	#endif