[thirdparty/openssl.git] / ssl / tls_srp.c

/*
 * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2004, EdelKey Project. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * Originally written by Christophe Renou and Peter Sylvester,
 * for the EdelKey project.
 */

#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include "ssl_locl.h"

#ifndef OPENSSL_NO_SRP
# include <openssl/srp.h>

int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
{
    if (ctx == NULL)
        return 0;
    OPENSSL_free(ctx->srp_ctx.login);
    OPENSSL_free(ctx->srp_ctx.info);
    BN_free(ctx->srp_ctx.N);
    BN_free(ctx->srp_ctx.g);
    BN_free(ctx->srp_ctx.s);
    BN_free(ctx->srp_ctx.B);
    BN_free(ctx->srp_ctx.A);
    BN_free(ctx->srp_ctx.a);
    BN_free(ctx->srp_ctx.b);
    BN_free(ctx->srp_ctx.v);
    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
    ctx->srp_ctx.strength = SRP_MINIMAL_N;
    return 1;
}

int SSL_SRP_CTX_free(struct ssl_st *s)
{
    if (s == NULL)
        return 0;
    OPENSSL_free(s->srp_ctx.login);
    OPENSSL_free(s->srp_ctx.info);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
    s->srp_ctx.strength = SRP_MINIMAL_N;
    return 1;
}

int SSL_SRP_CTX_init(struct ssl_st *s)
{
    SSL_CTX *ctx;

    if ((s == NULL) || ((ctx = s->ctx) == NULL))
        return 0;

    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));

    s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
    /* set client Hello login callback */
    s->srp_ctx.TLS_ext_srp_username_callback =
        ctx->srp_ctx.TLS_ext_srp_username_callback;
    /* set SRP N/g param callback for verification */
    s->srp_ctx.SRP_verify_param_callback =
        ctx->srp_ctx.SRP_verify_param_callback;
    /* set SRP client passwd callback */
    s->srp_ctx.SRP_give_srp_client_pwd_callback =
        ctx->srp_ctx.SRP_give_srp_client_pwd_callback;

    s->srp_ctx.strength = ctx->srp_ctx.strength;

    if (((ctx->srp_ctx.N != NULL) &&
         ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) ||
        ((ctx->srp_ctx.g != NULL) &&
         ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) ||
        ((ctx->srp_ctx.s != NULL) &&
         ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) ||
        ((ctx->srp_ctx.B != NULL) &&
         ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) ||
        ((ctx->srp_ctx.A != NULL) &&
         ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) ||
        ((ctx->srp_ctx.a != NULL) &&
         ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) ||
        ((ctx->srp_ctx.v != NULL) &&
         ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) ||
        ((ctx->srp_ctx.b != NULL) &&
         ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB);
        goto err;
    }
    if ((ctx->srp_ctx.login != NULL) &&
        ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((ctx->srp_ctx.info != NULL) &&
        ((s->srp_ctx.info = BUF_strdup(ctx->srp_ctx.info)) == NULL)) {
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;

    return 1;
 err:
    OPENSSL_free(s->srp_ctx.login);
    OPENSSL_free(s->srp_ctx.info);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
    return 0;
}

int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
{
    if (ctx == NULL)
        return 0;

    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
    ctx->srp_ctx.strength = SRP_MINIMAL_N;

    return 1;
}

/* server side */
int SSL_srp_server_param_with_username(SSL *s, int *ad)
{
    unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
    int al;

    *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
    if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
        ((al =
          s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
                                                   s->srp_ctx.SRP_cb_arg)) !=
         SSL_ERROR_NONE))
        return al;

    *ad = SSL_AD_INTERNAL_ERROR;
    if ((s->srp_ctx.N == NULL) ||
        (s->srp_ctx.g == NULL) ||
        (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
        return SSL3_AL_FATAL;

    if (RAND_priv_bytes(b, sizeof(b)) <= 0)
        return SSL3_AL_FATAL;
    s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
    OPENSSL_cleanse(b, sizeof(b));

    /* Calculate:  B = (kv + g^b) % N  */

    return ((s->srp_ctx.B =
             SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
                        s->srp_ctx.v)) !=
            NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
}

/*
 * If the server just has the raw password, make up a verifier entry on the
 * fly
 */
int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
                                const char *grp)
{
    SRP_gN *GN = SRP_get_default_gN(grp);
    if (GN == NULL)
        return -1;
    s->srp_ctx.N = BN_dup(GN->N);
    s->srp_ctx.g = BN_dup(GN->g);
    BN_clear_free(s->srp_ctx.v);
    s->srp_ctx.v = NULL;
    BN_clear_free(s->srp_ctx.s);
    s->srp_ctx.s = NULL;
    if (!SRP_create_verifier_BN
        (user, pass, &s->srp_ctx.s, &s->srp_ctx.v, GN->N, GN->g))
        return -1;

    return 1;
}

int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
                             BIGNUM *sa, BIGNUM *v, char *info)
{
    if (N != NULL) {
        if (s->srp_ctx.N != NULL) {
            if (!BN_copy(s->srp_ctx.N, N)) {
                BN_free(s->srp_ctx.N);
                s->srp_ctx.N = NULL;
            }
        } else
            s->srp_ctx.N = BN_dup(N);
    }
    if (g != NULL) {
        if (s->srp_ctx.g != NULL) {
            if (!BN_copy(s->srp_ctx.g, g)) {
                BN_free(s->srp_ctx.g);
                s->srp_ctx.g = NULL;
            }
        } else
            s->srp_ctx.g = BN_dup(g);
    }
    if (sa != NULL) {
        if (s->srp_ctx.s != NULL) {
            if (!BN_copy(s->srp_ctx.s, sa)) {
                BN_free(s->srp_ctx.s);
                s->srp_ctx.s = NULL;
            }
        } else
            s->srp_ctx.s = BN_dup(sa);
    }
    if (v != NULL) {
        if (s->srp_ctx.v != NULL) {
            if (!BN_copy(s->srp_ctx.v, v)) {
                BN_free(s->srp_ctx.v);
                s->srp_ctx.v = NULL;
            }
        } else
            s->srp_ctx.v = BN_dup(v);
    }
    if (info != NULL) {
        if (s->srp_ctx.info)
            OPENSSL_free(s->srp_ctx.info);
        if ((s->srp_ctx.info = BUF_strdup(info)) == NULL)
            return -1;
    }

    if (!(s->srp_ctx.N) ||
        !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v))
        return -1;

    return 1;
}

int srp_generate_server_master_secret(SSL *s)
{
    BIGNUM *K = NULL, *u = NULL;
    int ret = -1, tmp_len = 0;
    unsigned char *tmp = NULL;

    if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
        goto err;
    if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
        goto err;
    if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
                                 s->srp_ctx.N)) == NULL)
        goto err;

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    BN_bn2bin(K, tmp);
    /* Calls SSLfatal() as required */
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
 err:
    BN_clear_free(K);
    BN_clear_free(u);
    return ret;
}

/* client side */
int srp_generate_client_master_secret(SSL *s)
{
    BIGNUM *x = NULL, *u = NULL, *K = NULL;
    int ret = -1, tmp_len = 0;
    char *passwd = NULL;
    unsigned char *tmp = NULL;

    /*
     * Checks if b % n == 0
     */
    if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0
            || (u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N))
               == NULL
            || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
                                                      s->srp_ctx.SRP_cb_arg))
            == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET,
                 SSL_R_CALLBACK_FAILED);
        goto err;
    }
    if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL
            || (K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B,
                                        s->srp_ctx.g, x,
                                        s->srp_ctx.a, u)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    BN_bn2bin(K, tmp);
    /* Calls SSLfatal() as required */
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
 err:
    BN_clear_free(K);
    BN_clear_free(x);
    if (passwd != NULL)
        OPENSSL_clear_free(passwd, strlen(passwd));
    BN_clear_free(u);
    return ret;
}

int srp_verify_server_param(SSL *s)
{
    SRP_CTX *srp = &s->srp_ctx;
    /*
     * Sanity check parameters: we can quickly check B % N == 0 by checking B
     * != 0 since B < N
     */
    if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0
        || BN_is_zero(srp->B)) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SRP_VERIFY_SERVER_PARAM,
                 SSL_R_BAD_DATA);
        return 0;
    }

    if (BN_num_bits(srp->N) < srp->strength) {
        SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_F_SRP_VERIFY_SERVER_PARAM,
                 SSL_R_INSUFFICIENT_SECURITY);
        return 0;
    }

    if (srp->SRP_verify_param_callback) {
        if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
            SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY,
                     SSL_F_SRP_VERIFY_SERVER_PARAM,
                     SSL_R_CALLBACK_FAILED);
            return 0;
        }
    } else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
        SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_F_SRP_VERIFY_SERVER_PARAM,
                 SSL_R_INSUFFICIENT_SECURITY);
        return 0;
    }

    return 1;
}

int SRP_Calc_A_param(SSL *s)
{
    unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];

    if (RAND_priv_bytes(rnd, sizeof(rnd)) <= 0)
        return 0;
    s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
    OPENSSL_cleanse(rnd, sizeof(rnd));

    if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
        return 0;

    return 1;
}

BIGNUM *SSL_get_srp_g(SSL *s)
{
    if (s->srp_ctx.g != NULL)
        return s->srp_ctx.g;
    return s->ctx->srp_ctx.g;
}

BIGNUM *SSL_get_srp_N(SSL *s)
{
    if (s->srp_ctx.N != NULL)
        return s->srp_ctx.N;
    return s->ctx->srp_ctx.N;
}

char *SSL_get_srp_username(SSL *s)
{
    if (s->srp_ctx.login != NULL)
        return s->srp_ctx.login;
    return s->ctx->srp_ctx.login;
}

char *SSL_get_srp_userinfo(SSL *s)
{
    if (s->srp_ctx.info != NULL)
        return s->srp_ctx.info;
    return s->ctx->srp_ctx.info;
}

# define tls1_ctx_ctrl ssl3_ctx_ctrl
# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl

int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
}

int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
}

int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
                         NULL);
}

int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
                                          int (*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
}

int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
                                      int (*cb) (SSL *, int *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
                                        char *(*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
                                  (void (*)(void))cb);
}

#endif
Commit	Line	Data
0f113f3e	1	/*
3b855b1f TH	2	* Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
3b855b1f TH	3	* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
edc032b5	4	*
2c18d164	5	* Licensed under the Apache License 2.0 (the "License"). You may not use
846e33c7 RS	6	* this file except in compliance with the License. You can obtain a copy
	7	* in the file LICENSE in the source distribution or at
	8	* https://www.openssl.org/source/license.html
3b855b1f TH	9	*
	10	* Originally written by Christophe Renou and Peter Sylvester,
	11	* for the EdelKey project.
edc032b5	12	*/
edc032b5	13
b93e331b	14	#include <openssl/crypto.h>
edc032b5	15	#include <openssl/rand.h>
edc032b5	16	#include <openssl/err.h>
b93e331b DSH	17	#include "ssl_locl.h"
	18
	19	#ifndef OPENSSL_NO_SRP
a230b26e	20	# include <openssl/srp.h>
edc032b5 BL	21
edc032b5 BL	22	int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
0f113f3e MC	23	{
	24	if (ctx == NULL)
	25	return 0;
	26	OPENSSL_free(ctx->srp_ctx.login);
e655f549	27	OPENSSL_free(ctx->srp_ctx.info);
0f113f3e MC	28	BN_free(ctx->srp_ctx.N);
	29	BN_free(ctx->srp_ctx.g);
	30	BN_free(ctx->srp_ctx.s);
	31	BN_free(ctx->srp_ctx.B);
	32	BN_free(ctx->srp_ctx.A);
	33	BN_free(ctx->srp_ctx.a);
	34	BN_free(ctx->srp_ctx.b);
	35	BN_free(ctx->srp_ctx.v);
135976b3	36	memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
0f113f3e	37	ctx->srp_ctx.strength = SRP_MINIMAL_N;
208fb891	38	return 1;
0f113f3e	39	}
edc032b5 BL	40
edc032b5 BL	41	int SSL_SRP_CTX_free(struct ssl_st *s)
0f113f3e MC	42	{
	43	if (s == NULL)
	44	return 0;
	45	OPENSSL_free(s->srp_ctx.login);
e655f549	46	OPENSSL_free(s->srp_ctx.info);
0f113f3e MC	47	BN_free(s->srp_ctx.N);
	48	BN_free(s->srp_ctx.g);
	49	BN_free(s->srp_ctx.s);
	50	BN_free(s->srp_ctx.B);
	51	BN_free(s->srp_ctx.A);
	52	BN_free(s->srp_ctx.a);
	53	BN_free(s->srp_ctx.b);
	54	BN_free(s->srp_ctx.v);
135976b3	55	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
0f113f3e	56	s->srp_ctx.strength = SRP_MINIMAL_N;
208fb891	57	return 1;
0f113f3e	58	}
edc032b5 BL	59
edc032b5 BL	60	int SSL_SRP_CTX_init(struct ssl_st *s)
0f113f3e MC	61	{
	62	SSL_CTX *ctx;
	63
	64	if ((s == NULL) \|\| ((ctx = s->ctx) == NULL))
	65	return 0;
135976b3 DSC	66
	67	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
	68
0f113f3e MC	69	s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
	70	/* set client Hello login callback */
	71	s->srp_ctx.TLS_ext_srp_username_callback =
	72	ctx->srp_ctx.TLS_ext_srp_username_callback;
	73	/* set SRP N/g param callback for verification */
	74	s->srp_ctx.SRP_verify_param_callback =
	75	ctx->srp_ctx.SRP_verify_param_callback;
	76	/* set SRP client passwd callback */
	77	s->srp_ctx.SRP_give_srp_client_pwd_callback =
	78	ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
	79
0f113f3e MC	80	s->srp_ctx.strength = ctx->srp_ctx.strength;
	81
	82	if (((ctx->srp_ctx.N != NULL) &&
	83	((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) \|\|
	84	((ctx->srp_ctx.g != NULL) &&
	85	((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) \|\|
	86	((ctx->srp_ctx.s != NULL) &&
	87	((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) \|\|
	88	((ctx->srp_ctx.B != NULL) &&
	89	((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) \|\|
	90	((ctx->srp_ctx.A != NULL) &&
	91	((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) \|\|
	92	((ctx->srp_ctx.a != NULL) &&
	93	((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) \|\|
	94	((ctx->srp_ctx.v != NULL) &&
	95	((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) \|\|
	96	((ctx->srp_ctx.b != NULL) &&
	97	((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
	98	SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB);
	99	goto err;
	100	}
	101	if ((ctx->srp_ctx.login != NULL) &&
7644a9ae	102	((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
0f113f3e MC	103	SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
	104	goto err;
	105	}
e655f549 DSC	106	if ((ctx->srp_ctx.info != NULL) &&
	107	((s->srp_ctx.info = BUF_strdup(ctx->srp_ctx.info)) == NULL)) {
	108	SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
	109	goto err;
	110	}
0f113f3e MC	111	s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
0f113f3e MC	112
208fb891	113	return 1;
0f113f3e MC	114	err:
0f113f3e MC	115	OPENSSL_free(s->srp_ctx.login);
e655f549	116	OPENSSL_free(s->srp_ctx.info);
0f113f3e MC	117	BN_free(s->srp_ctx.N);
	118	BN_free(s->srp_ctx.g);
	119	BN_free(s->srp_ctx.s);
	120	BN_free(s->srp_ctx.B);
	121	BN_free(s->srp_ctx.A);
	122	BN_free(s->srp_ctx.a);
	123	BN_free(s->srp_ctx.b);
	124	BN_free(s->srp_ctx.v);
135976b3	125	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
26a7d938	126	return 0;
0f113f3e	127	}
edc032b5 BL	128
edc032b5 BL	129	int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
0f113f3e MC	130	{
	131	if (ctx == NULL)
	132	return 0;
	133
135976b3	134	memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
0f113f3e MC	135	ctx->srp_ctx.strength = SRP_MINIMAL_N;
0f113f3e MC	136
208fb891	137	return 1;
0f113f3e	138	}
edc032b5 BL	139
	140	/* server side */
	141	int SSL_srp_server_param_with_username(SSL s, int ad)
0f113f3e MC	142	{
	143	unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
	144	int al;
	145
	146	*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
	147	if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
	148	((al =
	149	s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
	150	s->srp_ctx.SRP_cb_arg)) !=
	151	SSL_ERROR_NONE))
	152	return al;
	153
	154	*ad = SSL_AD_INTERNAL_ERROR;
	155	if ((s->srp_ctx.N == NULL) \|\|
	156	(s->srp_ctx.g == NULL) \|\|
	157	(s->srp_ctx.s == NULL) \|\| (s->srp_ctx.v == NULL))
	158	return SSL3_AL_FATAL;
	159
4cffafe9	160	if (RAND_priv_bytes(b, sizeof(b)) <= 0)
0f113f3e MC	161	return SSL3_AL_FATAL;
	162	s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
	163	OPENSSL_cleanse(b, sizeof(b));
	164
	165	/* Calculate: B = (kv + g^b) % N */
	166
	167	return ((s->srp_ctx.B =
	168	SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
	169	s->srp_ctx.v)) !=
	170	NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
	171	}
	172
	173	/*
	174	* If the server just has the raw password, make up a verifier entry on the
	175	* fly
	176	*/
	177	int SSL_set_srp_server_param_pw(SSL s, const char user, const char *pass,
	178	const char *grp)
	179	{
	180	SRP_gN *GN = SRP_get_default_gN(grp);
	181	if (GN == NULL)
	182	return -1;
	183	s->srp_ctx.N = BN_dup(GN->N);
	184	s->srp_ctx.g = BN_dup(GN->g);
23a1d5e9 RS	185	BN_clear_free(s->srp_ctx.v);
	186	s->srp_ctx.v = NULL;
	187	BN_clear_free(s->srp_ctx.s);
	188	s->srp_ctx.s = NULL;
0f113f3e MC	189	if (!SRP_create_verifier_BN
	190	(user, pass, &s->srp_ctx.s, &s->srp_ctx.v, GN->N, GN->g))
	191	return -1;
	192
	193	return 1;
	194	}
edc032b5 BL	195
edc032b5 BL	196	int SSL_set_srp_server_param(SSL s, const BIGNUM N, const BIGNUM *g,
0f113f3e MC	197	BIGNUM sa, BIGNUM v, char *info)
	198	{
	199	if (N != NULL) {
	200	if (s->srp_ctx.N != NULL) {
	201	if (!BN_copy(s->srp_ctx.N, N)) {
	202	BN_free(s->srp_ctx.N);
	203	s->srp_ctx.N = NULL;
	204	}
	205	} else
	206	s->srp_ctx.N = BN_dup(N);
	207	}
	208	if (g != NULL) {
	209	if (s->srp_ctx.g != NULL) {
	210	if (!BN_copy(s->srp_ctx.g, g)) {
	211	BN_free(s->srp_ctx.g);
	212	s->srp_ctx.g = NULL;
	213	}
	214	} else
	215	s->srp_ctx.g = BN_dup(g);
	216	}
	217	if (sa != NULL) {
	218	if (s->srp_ctx.s != NULL) {
	219	if (!BN_copy(s->srp_ctx.s, sa)) {
	220	BN_free(s->srp_ctx.s);
	221	s->srp_ctx.s = NULL;
	222	}
	223	} else
	224	s->srp_ctx.s = BN_dup(sa);
	225	}
	226	if (v != NULL) {
	227	if (s->srp_ctx.v != NULL) {
	228	if (!BN_copy(s->srp_ctx.v, v)) {
	229	BN_free(s->srp_ctx.v);
	230	s->srp_ctx.v = NULL;
	231	}
	232	} else
	233	s->srp_ctx.v = BN_dup(v);
	234	}
e655f549 DSC	235	if (info != NULL) {
	236	if (s->srp_ctx.info)
	237	OPENSSL_free(s->srp_ctx.info);
	238	if ((s->srp_ctx.info = BUF_strdup(info)) == NULL)
	239	return -1;
	240	}
0f113f3e MC	241
	242	if (!(s->srp_ctx.N) \|\|
	243	!(s->srp_ctx.g) \|\| !(s->srp_ctx.s) \|\| !(s->srp_ctx.v))
	244	return -1;
	245
	246	return 1;
	247	}
	248
57b272b0	249	int srp_generate_server_master_secret(SSL *s)
0f113f3e MC	250	{
0f113f3e MC	251	BIGNUM K = NULL, u = NULL;
4b45c6e5	252	int ret = -1, tmp_len = 0;
0f113f3e MC	253	unsigned char *tmp = NULL;
	254
	255	if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
	256	goto err;
75ebbd9a	257	if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
0f113f3e	258	goto err;
75ebbd9a RS	259	if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
75ebbd9a RS	260	s->srp_ctx.N)) == NULL)
0f113f3e MC	261	goto err;
	262
	263	tmp_len = BN_num_bytes(K);
f63a17d6 MC	264	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
	265	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
	266	SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET, ERR_R_MALLOC_FAILURE);
0f113f3e	267	goto err;
f63a17d6	268	}
0f113f3e	269	BN_bn2bin(K, tmp);
f63a17d6	270	/* Calls SSLfatal() as required */
57b272b0	271	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
0f113f3e	272	err:
0f113f3e MC	273	BN_clear_free(K);
	274	BN_clear_free(u);
	275	return ret;
	276	}
edc032b5 BL	277
edc032b5 BL	278	/* client side */
57b272b0	279	int srp_generate_client_master_secret(SSL *s)
0f113f3e MC	280	{
0f113f3e MC	281	BIGNUM x = NULL, u = NULL, *K = NULL;
4b45c6e5	282	int ret = -1, tmp_len = 0;
0f113f3e MC	283	char *passwd = NULL;
	284	unsigned char *tmp = NULL;
	285
	286	/*
	287	* Checks if b % n == 0
	288	*/
a2c2e000 MC	289	if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0
	290	\|\| (u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N))
	291	== NULL
	292	\|\| s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) {
	293	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
	294	SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
0f113f3e	295	goto err;
a2c2e000 MC	296	}
	297	if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
	298	s->srp_ctx.SRP_cb_arg))
	299	== NULL) {
	300	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
	301	SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET,
	302	SSL_R_CALLBACK_FAILED);
0f113f3e	303	goto err;
a2c2e000 MC	304	}
	305	if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL
	306	\|\| (K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B,
	307	s->srp_ctx.g, x,
	308	s->srp_ctx.a, u)) == NULL) {
	309	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
	310	SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
0f113f3e	311	goto err;
a2c2e000	312	}
0f113f3e MC	313
0f113f3e MC	314	tmp_len = BN_num_bytes(K);
a2c2e000 MC	315	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
	316	SSLfatal(s, SSL_AD_INTERNAL_ERROR,
	317	SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_MALLOC_FAILURE);
0f113f3e	318	goto err;
a2c2e000	319	}
0f113f3e	320	BN_bn2bin(K, tmp);
a2c2e000	321	/* Calls SSLfatal() as required */
57b272b0	322	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
0f113f3e	323	err:
0f113f3e MC	324	BN_clear_free(K);
0f113f3e MC	325	BN_clear_free(x);
d73ca3ef MC	326	if (passwd != NULL)
d73ca3ef MC	327	OPENSSL_clear_free(passwd, strlen(passwd));
0f113f3e MC	328	BN_clear_free(u);
	329	return ret;
	330	}
edc032b5	331
a2c2e000	332	int srp_verify_server_param(SSL *s)
0f113f3e MC	333	{
	334	SRP_CTX *srp = &s->srp_ctx;
	335	/*
	336	* Sanity check parameters: we can quickly check B % N == 0 by checking B
	337	* != 0 since B < N
	338	*/
	339	if (BN_ucmp(srp->g, srp->N) >= 0 \|\| BN_ucmp(srp->B, srp->N) >= 0
	340	\|\| BN_is_zero(srp->B)) {
a2c2e000 MC	341	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SRP_VERIFY_SERVER_PARAM,
a2c2e000 MC	342	SSL_R_BAD_DATA);
0f113f3e MC	343	return 0;
	344	}
	345
	346	if (BN_num_bits(srp->N) < srp->strength) {
a2c2e000 MC	347	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_F_SRP_VERIFY_SERVER_PARAM,
a2c2e000 MC	348	SSL_R_INSUFFICIENT_SECURITY);
0f113f3e MC	349	return 0;
	350	}
	351
	352	if (srp->SRP_verify_param_callback) {
	353	if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
a2c2e000 MC	354	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY,
	355	SSL_F_SRP_VERIFY_SERVER_PARAM,
	356	SSL_R_CALLBACK_FAILED);
0f113f3e MC	357	return 0;
	358	}
	359	} else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
a2c2e000 MC	360	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_F_SRP_VERIFY_SERVER_PARAM,
a2c2e000 MC	361	SSL_R_INSUFFICIENT_SECURITY);
0f113f3e MC	362	return 0;
	363	}
	364
	365	return 1;
	366	}
0989790b DSH	367
0989790b DSH	368	int SRP_Calc_A_param(SSL *s)
0f113f3e MC	369	{
0f113f3e MC	370	unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
edc032b5	371
4cffafe9	372	if (RAND_priv_bytes(rnd, sizeof(rnd)) <= 0)
0f113f3e MC	373	return 0;
	374	s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
	375	OPENSSL_cleanse(rnd, sizeof(rnd));
edc032b5	376
a230b26e	377	if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
0f113f3e	378	return 0;
edc032b5	379
0f113f3e MC	380	return 1;
0f113f3e MC	381	}
edc032b5	382
edc032b5	383	BIGNUM SSL_get_srp_g(SSL s)
0f113f3e MC	384	{
	385	if (s->srp_ctx.g != NULL)
	386	return s->srp_ctx.g;
	387	return s->ctx->srp_ctx.g;
	388	}
edc032b5 BL	389
edc032b5 BL	390	BIGNUM SSL_get_srp_N(SSL s)
0f113f3e MC	391	{
	392	if (s->srp_ctx.N != NULL)
	393	return s->srp_ctx.N;
	394	return s->ctx->srp_ctx.N;
	395	}
edc032b5 BL	396
edc032b5 BL	397	char SSL_get_srp_username(SSL s)
0f113f3e MC	398	{
	399	if (s->srp_ctx.login != NULL)
	400	return s->srp_ctx.login;
	401	return s->ctx->srp_ctx.login;
	402	}
edc032b5 BL	403
edc032b5 BL	404	char SSL_get_srp_userinfo(SSL s)
0f113f3e MC	405	{
	406	if (s->srp_ctx.info != NULL)
	407	return s->srp_ctx.info;
	408	return s->ctx->srp_ctx.info;
	409	}
edc032b5	410
0f113f3e MC	411	# define tls1_ctx_ctrl ssl3_ctx_ctrl
0f113f3e MC	412	# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
edc032b5	413
0f113f3e MC	414	int SSL_CTX_set_srp_username(SSL_CTX ctx, char name)
	415	{
	416	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
	417	}
edc032b5	418
0f113f3e MC	419	int SSL_CTX_set_srp_password(SSL_CTX ctx, char password)
	420	{
	421	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
	422	}
edc032b5 BL	423
edc032b5 BL	424	int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
0f113f3e MC	425	{
	426	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
	427	NULL);
	428	}
	429
	430	int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
	431	int (cb) (SSL , void *))
	432	{
	433	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
	434	(void (*)(void))cb);
	435	}
edc032b5 BL	436
edc032b5 BL	437	int SSL_CTX_set_srp_cb_arg(SSL_CTX ctx, void arg)
0f113f3e MC	438	{
	439	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
	440	}
edc032b5 BL	441
edc032b5 BL	442	int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
0f113f3e MC	443	int (cb) (SSL , int , void ))
	444	{
	445	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
	446	(void (*)(void))cb);
	447	}
	448
	449	int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
	450	char (cb) (SSL , void ))
	451	{
	452	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
	453	(void (*)(void))cb);
	454	}
edc032b5	455
edc032b5	456	#endif