1/* 2 * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2004, EdelKey Project. All Rights Reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 * 10 * Originally written by Christophe Renou and Peter Sylvester, 11 * for the EdelKey project. 12 */ 13 14/* All the SRP APIs in this file are deprecated */ 15#define OPENSSL_SUPPRESS_DEPRECATED 16 17#ifndef OPENSSL_NO_SRP 18# include "internal/cryptlib.h" 19# include "crypto/evp.h" 20# include <openssl/sha.h> 21# include <openssl/srp.h> 22# include <openssl/evp.h> 23# include <openssl/buffer.h> 24# include <openssl/rand.h> 25# include <openssl/txt_db.h> 26# include <openssl/err.h> 27 28# define SRP_RANDOM_SALT_LEN 20 29# define MAX_LEN 2500 30 31/* 32 * Note that SRP uses its own variant of base 64 encoding. A different base64 33 * alphabet is used and no padding '=' characters are added. Instead we pad to 34 * the front with 0 bytes and subsequently strip off leading encoded padding. 35 * This variant is used for compatibility with other SRP implementations - 36 * notably libsrp, but also others. It is also required for backwards 37 * compatibility in order to load verifier files from other OpenSSL versions. 38 */ 39 40/* 41 * Convert a base64 string into raw byte array representation. 42 * Returns the length of the decoded data, or -1 on error. 43 */ 44static int t_fromb64(unsigned char *a, size_t alen, const char *src) 45{ 46 EVP_ENCODE_CTX *ctx; 47 int outl = 0, outl2 = 0; 48 size_t size, padsize; 49 const unsigned char *pad = (const unsigned char *)"00"; 50 51 while (*src == ' ' || *src == '\t' || *src == '\n') 52 ++src; 53 size = strlen(src); 54 padsize = 4 - (size & 3); 55 padsize &= 3; 56 57 /* Four bytes in src become three bytes output. */ 58 if (size > INT_MAX || ((size + padsize) / 4) * 3 > alen) 59 return -1; 60 61 ctx = EVP_ENCODE_CTX_new(); 62 if (ctx == NULL) 63 return -1; 64 65 /* 66 * This should never occur because 1 byte of data always requires 2 bytes of 67 * encoding, i.e. 68 * 0 bytes unencoded = 0 bytes encoded 69 * 1 byte unencoded = 2 bytes encoded 70 * 2 bytes unencoded = 3 bytes encoded 71 * 3 bytes unencoded = 4 bytes encoded 72 * 4 bytes unencoded = 6 bytes encoded 73 * etc 74 */ 75 if (padsize == 3) { 76 outl = -1; 77 goto err; 78 } 79 80 /* Valid padsize values are now 0, 1 or 2 */ 81 82 EVP_DecodeInit(ctx); 83 evp_encode_ctx_set_flags(ctx, EVP_ENCODE_CTX_USE_SRP_ALPHABET); 84 85 /* Add any encoded padding that is required */ 86 if (padsize != 0 87 && EVP_DecodeUpdate(ctx, a, &outl, pad, padsize) < 0) { 88 outl = -1; 89 goto err; 90 } 91 if (EVP_DecodeUpdate(ctx, a, &outl2, (const unsigned char *)src, size) < 0) { 92 outl = -1; 93 goto err; 94 } 95 outl += outl2; 96 EVP_DecodeFinal(ctx, a + outl, &outl2); 97 outl += outl2; 98 99 /* Strip off the leading padding */ 100 if (padsize != 0) { 101 if ((int)padsize >= outl) { 102 outl = -1; 103 goto err; 104 } 105 106 /* 107 * If we added 1 byte of padding prior to encoding then we have 2 bytes 108 * of "real" data which gets spread across 4 encoded bytes like this: 109 * (6 bits pad)(2 bits pad | 4 bits data)(6 bits data)(6 bits data) 110 * So 1 byte of pre-encoding padding results in 1 full byte of encoded 111 * padding. 112 * If we added 2 bytes of padding prior to encoding this gets encoded 113 * as: 114 * (6 bits pad)(6 bits pad)(4 bits pad | 2 bits data)(6 bits data) 115 * So 2 bytes of pre-encoding padding results in 2 full bytes of encoded 116 * padding, i.e. we have to strip the same number of bytes of padding 117 * from the encoded data as we added to the pre-encoded data. 118 */ 119 memmove(a, a + padsize, outl - padsize); 120 outl -= padsize; 121 } 122 123 err: 124 EVP_ENCODE_CTX_free(ctx); 125 126 return outl; 127} 128 129/* 130 * Convert a raw byte string into a null-terminated base64 ASCII string. 131 * Returns 1 on success or 0 on error. 132 */ 133static int t_tob64(char *dst, const unsigned char *src, int size) 134{ 135 EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new(); 136 int outl = 0, outl2 = 0; 137 unsigned char pad[2] = {0, 0}; 138 size_t leadz = 0; 139 140 if (ctx == NULL) 141 return 0; 142 143 EVP_EncodeInit(ctx); 144 evp_encode_ctx_set_flags(ctx, EVP_ENCODE_CTX_NO_NEWLINES 145 | EVP_ENCODE_CTX_USE_SRP_ALPHABET); 146 147 /* 148 * We pad at the front with zero bytes until the length is a multiple of 3 149 * so that EVP_EncodeUpdate/EVP_EncodeFinal does not add any of its own "=" 150 * padding 151 */ 152 leadz = 3 - (size % 3); 153 if (leadz != 3 154 && !EVP_EncodeUpdate(ctx, (unsigned char *)dst, &outl, pad, 155 leadz)) { 156 EVP_ENCODE_CTX_free(ctx); 157 return 0; 158 } 159 160 if (!EVP_EncodeUpdate(ctx, (unsigned char *)dst + outl, &outl2, src, 161 size)) { 162 EVP_ENCODE_CTX_free(ctx); 163 return 0; 164 } 165 outl += outl2; 166 EVP_EncodeFinal(ctx, (unsigned char *)dst + outl, &outl2); 167 outl += outl2; 168 169 /* Strip the encoded padding at the front */ 170 if (leadz != 3) { 171 memmove(dst, dst + leadz, outl - leadz); 172 dst[outl - leadz] = '\0'; 173 } 174 175 EVP_ENCODE_CTX_free(ctx); 176 return 1; 177} 178 179void SRP_user_pwd_free(SRP_user_pwd *user_pwd) 180{ 181 if (user_pwd == NULL) 182 return; 183 BN_free(user_pwd->s); 184 BN_clear_free(user_pwd->v); 185 OPENSSL_free(user_pwd->id); 186 OPENSSL_free(user_pwd->info); 187 OPENSSL_free(user_pwd); 188} 189 190SRP_user_pwd *SRP_user_pwd_new(void) 191{ 192 SRP_user_pwd *ret; 193 194 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) { 195 /* ERR_raise(ERR_LIB_SRP, ERR_R_MALLOC_FAILURE); */ /*ckerr_ignore*/ 196 return NULL; 197 } 198 ret->N = NULL; 199 ret->g = NULL; 200 ret->s = NULL; 201 ret->v = NULL; 202 ret->id = NULL; 203 ret->info = NULL; 204 return ret; 205} 206 207void SRP_user_pwd_set_gN(SRP_user_pwd *vinfo, const BIGNUM *g, 208 const BIGNUM *N) 209{ 210 vinfo->N = N; 211 vinfo->g = g; 212} 213 214int SRP_user_pwd_set1_ids(SRP_user_pwd *vinfo, const char *id, 215 const char *info) 216{ 217 OPENSSL_free(vinfo->id); 218 OPENSSL_free(vinfo->info); 219 if (id != NULL && NULL == (vinfo->id = OPENSSL_strdup(id))) 220 return 0; 221 return (info == NULL || NULL != (vinfo->info = OPENSSL_strdup(info))); 222} 223 224static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s, 225 const char *v) 226{ 227 unsigned char tmp[MAX_LEN]; 228 int len; 229 230 vinfo->v = NULL; 231 vinfo->s = NULL; 232 233 len = t_fromb64(tmp, sizeof(tmp), v); 234 if (len < 0) 235 return 0; 236 if (NULL == (vinfo->v = BN_bin2bn(tmp, len, NULL))) 237 return 0; 238 len = t_fromb64(tmp, sizeof(tmp), s); 239 if (len < 0) 240 goto err; 241 vinfo->s = BN_bin2bn(tmp, len, NULL); 242 if (vinfo->s == NULL) 243 goto err; 244 return 1; 245 err: 246 BN_free(vinfo->v); 247 vinfo->v = NULL; 248 return 0; 249} 250 251int SRP_user_pwd_set0_sv(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v) 252{ 253 BN_free(vinfo->s); 254 BN_clear_free(vinfo->v); 255 vinfo->v = v; 256 vinfo->s = s; 257 return (vinfo->s != NULL && vinfo->v != NULL); 258} 259 260static SRP_user_pwd *srp_user_pwd_dup(SRP_user_pwd *src) 261{ 262 SRP_user_pwd *ret; 263 264 if (src == NULL) 265 return NULL; 266 if ((ret = SRP_user_pwd_new()) == NULL) 267 return NULL; 268 269 SRP_user_pwd_set_gN(ret, src->g, src->N); 270 if (!SRP_user_pwd_set1_ids(ret, src->id, src->info) 271 || !SRP_user_pwd_set0_sv(ret, BN_dup(src->s), BN_dup(src->v))) { 272 SRP_user_pwd_free(ret); 273 return NULL; 274 } 275 return ret; 276} 277 278SRP_VBASE *SRP_VBASE_new(char *seed_key) 279{ 280 SRP_VBASE *vb = OPENSSL_malloc(sizeof(*vb)); 281 282 if (vb == NULL) 283 return NULL; 284 if ((vb->users_pwd = sk_SRP_user_pwd_new_null()) == NULL 285 || (vb->gN_cache = sk_SRP_gN_cache_new_null()) == NULL) { 286 sk_SRP_user_pwd_free(vb->users_pwd); 287 OPENSSL_free(vb); 288 return NULL; 289 } 290 vb->default_g = NULL; 291 vb->default_N = NULL; 292 vb->seed_key = NULL; 293 if ((seed_key != NULL) && (vb->seed_key = OPENSSL_strdup(seed_key)) == NULL) { 294 sk_SRP_user_pwd_free(vb->users_pwd); 295 sk_SRP_gN_cache_free(vb->gN_cache); 296 OPENSSL_free(vb); 297 return NULL; 298 } 299 return vb; 300} 301 302void SRP_VBASE_free(SRP_VBASE *vb) 303{ 304 if (!vb) 305 return; 306 sk_SRP_user_pwd_pop_free(vb->users_pwd, SRP_user_pwd_free); 307 sk_SRP_gN_cache_free(vb->gN_cache); 308 OPENSSL_free(vb->seed_key); 309 OPENSSL_free(vb); 310} 311 312static SRP_gN_cache *SRP_gN_new_init(const char *ch) 313{ 314 unsigned char tmp[MAX_LEN]; 315 int len; 316 SRP_gN_cache *newgN = OPENSSL_malloc(sizeof(*newgN)); 317 318 if (newgN == NULL) 319 return NULL; 320 321 len = t_fromb64(tmp, sizeof(tmp), ch); 322 if (len < 0) 323 goto err; 324 325 if ((newgN->b64_bn = OPENSSL_strdup(ch)) == NULL) 326 goto err; 327 328 if ((newgN->bn = BN_bin2bn(tmp, len, NULL))) 329 return newgN; 330 331 OPENSSL_free(newgN->b64_bn); 332 err: 333 OPENSSL_free(newgN); 334 return NULL; 335} 336 337static void SRP_gN_free(SRP_gN_cache *gN_cache) 338{ 339 if (gN_cache == NULL) 340 return; 341 OPENSSL_free(gN_cache->b64_bn); 342 BN_free(gN_cache->bn); 343 OPENSSL_free(gN_cache); 344} 345 346static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab) 347{ 348 int i; 349 350 SRP_gN *gN; 351 if (gN_tab != NULL) { 352 for (i = 0; i < sk_SRP_gN_num(gN_tab); i++) { 353 gN = sk_SRP_gN_value(gN_tab, i); 354 if (gN && (id == NULL || strcmp(gN->id, id) == 0)) 355 return gN; 356 } 357 } 358 359 return SRP_get_default_gN(id); 360} 361 362static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch) 363{ 364 int i; 365 if (gN_cache == NULL) 366 return NULL; 367 368 /* search if we have already one... */ 369 for (i = 0; i < sk_SRP_gN_cache_num(gN_cache); i++) { 370 SRP_gN_cache *cache = sk_SRP_gN_cache_value(gN_cache, i); 371 if (strcmp(cache->b64_bn, ch) == 0) 372 return cache->bn; 373 } 374 { /* it is the first time that we find it */ 375 SRP_gN_cache *newgN = SRP_gN_new_init(ch); 376 if (newgN) { 377 if (sk_SRP_gN_cache_insert(gN_cache, newgN, 0) > 0) 378 return newgN->bn; 379 SRP_gN_free(newgN); 380 } 381 } 382 return NULL; 383} 384 385/* 386 * This function parses the verifier file generated by the srp app. 387 * The format for each entry is: 388 * V base64(verifier) base64(salt) username gNid userinfo(optional) 389 * or 390 * I base64(N) base64(g) 391 * Note that base64 is the SRP variant of base64 encoding described 392 * in t_fromb64(). 393 */ 394 395int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) 396{ 397 int error_code; 398 STACK_OF(SRP_gN) *SRP_gN_tab = sk_SRP_gN_new_null(); 399 char *last_index = NULL; 400 int i; 401 char **pp; 402 403 SRP_gN *gN = NULL; 404 SRP_user_pwd *user_pwd = NULL; 405 406 TXT_DB *tmpdb = NULL; 407 BIO *in = BIO_new(BIO_s_file()); 408 409 error_code = SRP_ERR_OPEN_FILE; 410 411 if (in == NULL || BIO_read_filename(in, verifier_file) <= 0) 412 goto err; 413 414 error_code = SRP_ERR_VBASE_INCOMPLETE_FILE; 415 416 if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL) 417 goto err; 418 419 error_code = SRP_ERR_MEMORY; 420 421 if (vb->seed_key) { 422 last_index = SRP_get_default_gN(NULL)->id; 423 } 424 for (i = 0; i < sk_OPENSSL_PSTRING_num(tmpdb->data); i++) { 425 pp = sk_OPENSSL_PSTRING_value(tmpdb->data, i); 426 if (pp[DB_srptype][0] == DB_SRP_INDEX) { 427 /* 428 * we add this couple in the internal Stack 429 */ 430 431 if ((gN = OPENSSL_malloc(sizeof(*gN))) == NULL) 432 goto err; 433 434 if ((gN->id = OPENSSL_strdup(pp[DB_srpid])) == NULL 435 || (gN->N = SRP_gN_place_bn(vb->gN_cache, pp[DB_srpverifier])) 436 == NULL 437 || (gN->g = SRP_gN_place_bn(vb->gN_cache, pp[DB_srpsalt])) 438 == NULL 439 || sk_SRP_gN_insert(SRP_gN_tab, gN, 0) == 0) 440 goto err; 441 442 gN = NULL; 443 444 if (vb->seed_key != NULL) { 445 last_index = pp[DB_srpid]; 446 } 447 } else if (pp[DB_srptype][0] == DB_SRP_VALID) { 448 /* it is a user .... */ 449 const SRP_gN *lgN; 450 451 if ((lgN = SRP_get_gN_by_id(pp[DB_srpgN], SRP_gN_tab)) != NULL) { 452 error_code = SRP_ERR_MEMORY; 453 if ((user_pwd = SRP_user_pwd_new()) == NULL) 454 goto err; 455 456 SRP_user_pwd_set_gN(user_pwd, lgN->g, lgN->N); 457 if (!SRP_user_pwd_set1_ids 458 (user_pwd, pp[DB_srpid], pp[DB_srpinfo])) 459 goto err; 460 461 error_code = SRP_ERR_VBASE_BN_LIB; 462 if (!SRP_user_pwd_set_sv 463 (user_pwd, pp[DB_srpsalt], pp[DB_srpverifier])) 464 goto err; 465 466 if (sk_SRP_user_pwd_insert(vb->users_pwd, user_pwd, 0) == 0) 467 goto err; 468 user_pwd = NULL; /* abandon responsibility */ 469 } 470 } 471 } 472 473 if (last_index != NULL) { 474 /* this means that we want to simulate a default user */ 475 476 if (((gN = SRP_get_gN_by_id(last_index, SRP_gN_tab)) == NULL)) { 477 error_code = SRP_ERR_VBASE_BN_LIB; 478 goto err; 479 } 480 vb->default_g = gN->g; 481 vb->default_N = gN->N; 482 gN = NULL; 483 } 484 error_code = SRP_NO_ERROR; 485 486 err: 487 /* 488 * there may be still some leaks to fix, if this fails, the application 489 * terminates most likely 490 */ 491 492 if (gN != NULL) { 493 OPENSSL_free(gN->id); 494 OPENSSL_free(gN); 495 } 496 497 SRP_user_pwd_free(user_pwd); 498 499 TXT_DB_free(tmpdb); 500 BIO_free_all(in); 501 502 sk_SRP_gN_free(SRP_gN_tab); 503 504 return error_code; 505 506} 507 508static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username) 509{ 510 int i; 511 SRP_user_pwd *user; 512 513 if (vb == NULL) 514 return NULL; 515 516 for (i = 0; i < sk_SRP_user_pwd_num(vb->users_pwd); i++) { 517 user = sk_SRP_user_pwd_value(vb->users_pwd, i); 518 if (strcmp(user->id, username) == 0) 519 return user; 520 } 521 522 return NULL; 523} 524 525int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd) 526{ 527 if (sk_SRP_user_pwd_push(vb->users_pwd, user_pwd) <= 0) 528 return 0; 529 return 1; 530} 531 532# ifndef OPENSSL_NO_DEPRECATED_1_1_0 533/* 534 * DEPRECATED: use SRP_VBASE_get1_by_user instead. 535 * This method ignores the configured seed and fails for an unknown user. 536 * Ownership of the returned pointer is not released to the caller. 537 * In other words, caller must not free the result. 538 */ 539SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username) 540{ 541 return find_user(vb, username); 542} 543# endif 544 545/* 546 * Ownership of the returned pointer is released to the caller. 547 * In other words, caller must free the result once done. 548 */ 549SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) 550{ 551 SRP_user_pwd *user; 552 unsigned char digv[SHA_DIGEST_LENGTH]; 553 unsigned char digs[SHA_DIGEST_LENGTH]; 554 EVP_MD_CTX *ctxt = NULL; 555 EVP_MD *md = NULL; 556 557 if (vb == NULL) 558 return NULL; 559 560 if ((user = find_user(vb, username)) != NULL) 561 return srp_user_pwd_dup(user); 562 563 if ((vb->seed_key == NULL) || 564 (vb->default_g == NULL) || (vb->default_N == NULL)) 565 return NULL; 566 567/* if the user is unknown we set parameters as well if we have a seed_key */ 568 569 if ((user = SRP_user_pwd_new()) == NULL) 570 return NULL; 571 572 SRP_user_pwd_set_gN(user, vb->default_g, vb->default_N); 573 574 if (!SRP_user_pwd_set1_ids(user, username, NULL)) 575 goto err; 576 577 if (RAND_priv_bytes(digv, SHA_DIGEST_LENGTH) <= 0) 578 goto err; 579 md = EVP_MD_fetch(NULL, SN_sha1, NULL); 580 if (md == NULL) 581 goto err; 582 ctxt = EVP_MD_CTX_new(); 583 if (ctxt == NULL 584 || !EVP_DigestInit_ex(ctxt, md, NULL) 585 || !EVP_DigestUpdate(ctxt, vb->seed_key, strlen(vb->seed_key)) 586 || !EVP_DigestUpdate(ctxt, username, strlen(username)) 587 || !EVP_DigestFinal_ex(ctxt, digs, NULL)) 588 goto err; 589 EVP_MD_CTX_free(ctxt); 590 ctxt = NULL; 591 EVP_MD_free(md); 592 md = NULL; 593 if (SRP_user_pwd_set0_sv(user, 594 BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL), 595 BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL))) 596 return user; 597 598 err: 599 EVP_MD_free(md); 600 EVP_MD_CTX_free(ctxt); 601 SRP_user_pwd_free(user); 602 return NULL; 603} 604 605/* 606 * create a verifier (*salt,*verifier,g and N are in base64) 607 */ 608char *SRP_create_verifier_ex(const char *user, const char *pass, char **salt, 609 char **verifier, const char *N, const char *g, 610 OSSL_LIB_CTX *libctx, const char *propq) 611{ 612 int len; 613 char *result = NULL, *vf = NULL; 614 const BIGNUM *N_bn = NULL, *g_bn = NULL; 615 BIGNUM *N_bn_alloc = NULL, *g_bn_alloc = NULL, *s = NULL, *v = NULL; 616 unsigned char tmp[MAX_LEN]; 617 unsigned char tmp2[MAX_LEN]; 618 char *defgNid = NULL; 619 int vfsize = 0; 620 621 if ((user == NULL) || 622 (pass == NULL) || (salt == NULL) || (verifier == NULL)) 623 goto err; 624 625 if (N) { 626 if ((len = t_fromb64(tmp, sizeof(tmp), N)) <= 0) 627 goto err; 628 N_bn_alloc = BN_bin2bn(tmp, len, NULL); 629 if (N_bn_alloc == NULL) 630 goto err; 631 N_bn = N_bn_alloc; 632 if ((len = t_fromb64(tmp, sizeof(tmp) ,g)) <= 0) 633 goto err; 634 g_bn_alloc = BN_bin2bn(tmp, len, NULL); 635 if (g_bn_alloc == NULL) 636 goto err; 637 g_bn = g_bn_alloc; 638 defgNid = "*"; 639 } else { 640 SRP_gN *gN = SRP_get_default_gN(g); 641 if (gN == NULL) 642 goto err; 643 N_bn = gN->N; 644 g_bn = gN->g; 645 defgNid = gN->id; 646 } 647 648 if (*salt == NULL) { 649 if (RAND_bytes_ex(libctx, tmp2, SRP_RANDOM_SALT_LEN, 0) <= 0) 650 goto err; 651 652 s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); 653 } else { 654 if ((len = t_fromb64(tmp2, sizeof(tmp2), *salt)) <= 0) 655 goto err; 656 s = BN_bin2bn(tmp2, len, NULL); 657 } 658 if (s == NULL) 659 goto err; 660 661 if (!SRP_create_verifier_BN_ex(user, pass, &s, &v, N_bn, g_bn, libctx, 662 propq)) 663 goto err; 664 665 if (BN_bn2bin(v, tmp) < 0) 666 goto err; 667 vfsize = BN_num_bytes(v) * 2; 668 if (((vf = OPENSSL_malloc(vfsize)) == NULL)) 669 goto err; 670 if (!t_tob64(vf, tmp, BN_num_bytes(v))) 671 goto err; 672 673 if (*salt == NULL) { 674 char *tmp_salt; 675 676 if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) { 677 goto err; 678 } 679 if (!t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN)) { 680 OPENSSL_free(tmp_salt); 681 goto err; 682 } 683 *salt = tmp_salt; 684 } 685 686 *verifier = vf; 687 vf = NULL; 688 result = defgNid; 689 690 err: 691 BN_free(N_bn_alloc); 692 BN_free(g_bn_alloc); 693 OPENSSL_clear_free(vf, vfsize); 694 BN_clear_free(s); 695 BN_clear_free(v); 696 return result; 697} 698 699char *SRP_create_verifier(const char *user, const char *pass, char **salt, 700 char **verifier, const char *N, const char *g) 701{ 702 return SRP_create_verifier_ex(user, pass, salt, verifier, N, g, NULL, NULL); 703} 704 705/* 706 * create a verifier (*salt,*verifier,g and N are BIGNUMs). If *salt != NULL 707 * then the provided salt will be used. On successful exit *verifier will point 708 * to a newly allocated BIGNUM containing the verifier and (if a salt was not 709 * provided) *salt will be populated with a newly allocated BIGNUM containing a 710 * random salt. 711 * The caller is responsible for freeing the allocated *salt and *verifier 712 * BIGNUMS. 713 */ 714int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, 715 BIGNUM **verifier, const BIGNUM *N, 716 const BIGNUM *g, OSSL_LIB_CTX *libctx, 717 const char *propq) 718{ 719 int result = 0; 720 BIGNUM *x = NULL; 721 BN_CTX *bn_ctx = BN_CTX_new_ex(libctx); 722 unsigned char tmp2[MAX_LEN]; 723 BIGNUM *salttmp = NULL, *verif; 724 725 if ((user == NULL) || 726 (pass == NULL) || 727 (salt == NULL) || 728 (verifier == NULL) || (N == NULL) || (g == NULL) || (bn_ctx == NULL)) 729 goto err; 730 731 if (*salt == NULL) { 732 if (RAND_bytes_ex(libctx, tmp2, SRP_RANDOM_SALT_LEN, 0) <= 0) 733 goto err; 734 735 salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); 736 if (salttmp == NULL) 737 goto err; 738 } else { 739 salttmp = *salt; 740 } 741 742 x = SRP_Calc_x_ex(salttmp, user, pass, libctx, propq); 743 if (x == NULL) 744 goto err; 745 746 verif = BN_new(); 747 if (verif == NULL) 748 goto err; 749 750 if (!BN_mod_exp(verif, g, x, N, bn_ctx)) { 751 BN_clear_free(verif); 752 goto err; 753 } 754 755 result = 1; 756 *salt = salttmp; 757 *verifier = verif; 758 759 err: 760 if (salt != NULL && *salt != salttmp) 761 BN_clear_free(salttmp); 762 BN_clear_free(x); 763 BN_CTX_free(bn_ctx); 764 return result; 765} 766 767int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, 768 BIGNUM **verifier, const BIGNUM *N, 769 const BIGNUM *g) 770{ 771 return SRP_create_verifier_BN_ex(user, pass, salt, verifier, N, g, NULL, 772 NULL); 773} 774#endif 775