1/* 2 * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2004, EdelKey Project. All Rights Reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 * 10 * Originally written by Christophe Renou and Peter Sylvester, 11 * for the EdelKey project. 12 */ 13 14/* 15 * We need to use the SRP deprecated APIs in order to implement the SSL SRP 16 * APIs - which are themselves deprecated. 17 */ 18#define OPENSSL_SUPPRESS_DEPRECATED 19 20#include <openssl/crypto.h> 21#include <openssl/rand.h> 22#include <openssl/err.h> 23#include "ssl_local.h" 24 25#ifndef OPENSSL_NO_SRP 26# include <openssl/srp.h> 27 28/* 29 * The public API SSL_CTX_SRP_CTX_free() is deprecated so we use 30 * ssl_ctx_srp_ctx_free_intern() internally. 31 */ 32int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx) 33{ 34 if (ctx == NULL) 35 return 0; 36 OPENSSL_free(ctx->srp_ctx.login); 37 OPENSSL_free(ctx->srp_ctx.info); 38 BN_free(ctx->srp_ctx.N); 39 BN_free(ctx->srp_ctx.g); 40 BN_free(ctx->srp_ctx.s); 41 BN_free(ctx->srp_ctx.B); 42 BN_free(ctx->srp_ctx.A); 43 BN_free(ctx->srp_ctx.a); 44 BN_free(ctx->srp_ctx.b); 45 BN_free(ctx->srp_ctx.v); 46 memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx)); 47 ctx->srp_ctx.strength = SRP_MINIMAL_N; 48 return 1; 49} 50 51int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx) 52{ 53 return ssl_ctx_srp_ctx_free_intern(ctx); 54} 55 56/* 57 * The public API SSL_SRP_CTX_free() is deprecated so we use 58 * ssl_srp_ctx_free_intern() internally. 59 */ 60int ssl_srp_ctx_free_intern(SSL *s) 61{ 62 if (s == NULL) 63 return 0; 64 OPENSSL_free(s->srp_ctx.login); 65 OPENSSL_free(s->srp_ctx.info); 66 BN_free(s->srp_ctx.N); 67 BN_free(s->srp_ctx.g); 68 BN_free(s->srp_ctx.s); 69 BN_free(s->srp_ctx.B); 70 BN_free(s->srp_ctx.A); 71 BN_free(s->srp_ctx.a); 72 BN_free(s->srp_ctx.b); 73 BN_free(s->srp_ctx.v); 74 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); 75 s->srp_ctx.strength = SRP_MINIMAL_N; 76 return 1; 77} 78 79int SSL_SRP_CTX_free(SSL *s) 80{ 81 return ssl_srp_ctx_free_intern(s); 82} 83 84/* 85 * The public API SSL_SRP_CTX_init() is deprecated so we use 86 * ssl_srp_ctx_init_intern() internally. 87 */ 88int ssl_srp_ctx_init_intern(SSL *s) 89{ 90 SSL_CTX *ctx; 91 92 if ((s == NULL) || ((ctx = s->ctx) == NULL)) 93 return 0; 94 95 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); 96 97 s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg; 98 /* set client Hello login callback */ 99 s->srp_ctx.TLS_ext_srp_username_callback = 100 ctx->srp_ctx.TLS_ext_srp_username_callback; 101 /* set SRP N/g param callback for verification */ 102 s->srp_ctx.SRP_verify_param_callback = 103 ctx->srp_ctx.SRP_verify_param_callback; 104 /* set SRP client passwd callback */ 105 s->srp_ctx.SRP_give_srp_client_pwd_callback = 106 ctx->srp_ctx.SRP_give_srp_client_pwd_callback; 107 108 s->srp_ctx.strength = ctx->srp_ctx.strength; 109 110 if (((ctx->srp_ctx.N != NULL) && 111 ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) || 112 ((ctx->srp_ctx.g != NULL) && 113 ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) || 114 ((ctx->srp_ctx.s != NULL) && 115 ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) || 116 ((ctx->srp_ctx.B != NULL) && 117 ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) || 118 ((ctx->srp_ctx.A != NULL) && 119 ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) || 120 ((ctx->srp_ctx.a != NULL) && 121 ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) || 122 ((ctx->srp_ctx.v != NULL) && 123 ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) || 124 ((ctx->srp_ctx.b != NULL) && 125 ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) { 126 ERR_raise(ERR_LIB_SSL, ERR_R_BN_LIB); 127 goto err; 128 } 129 if ((ctx->srp_ctx.login != NULL) && 130 ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) { 131 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 132 goto err; 133 } 134 if ((ctx->srp_ctx.info != NULL) && 135 ((s->srp_ctx.info = OPENSSL_strdup(ctx->srp_ctx.info)) == NULL)) { 136 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 137 goto err; 138 } 139 s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask; 140 141 return 1; 142 err: 143 OPENSSL_free(s->srp_ctx.login); 144 OPENSSL_free(s->srp_ctx.info); 145 BN_free(s->srp_ctx.N); 146 BN_free(s->srp_ctx.g); 147 BN_free(s->srp_ctx.s); 148 BN_free(s->srp_ctx.B); 149 BN_free(s->srp_ctx.A); 150 BN_free(s->srp_ctx.a); 151 BN_free(s->srp_ctx.b); 152 BN_free(s->srp_ctx.v); 153 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); 154 return 0; 155} 156 157int SSL_SRP_CTX_init(SSL *s) 158{ 159 return ssl_srp_ctx_init_intern(s); 160} 161 162/* 163 * The public API SSL_CTX_SRP_CTX_init() is deprecated so we use 164 * ssl_ctx_srp_ctx_init_intern() internally. 165 */ 166int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx) 167{ 168 if (ctx == NULL) 169 return 0; 170 171 memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx)); 172 ctx->srp_ctx.strength = SRP_MINIMAL_N; 173 174 return 1; 175} 176 177int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx) 178{ 179 return ssl_ctx_srp_ctx_init_intern(ctx); 180} 181 182/* server side */ 183/* 184 * The public API SSL_srp_server_param_with_username() is deprecated so we use 185 * ssl_srp_server_param_with_username_intern() internally. 186 */ 187int ssl_srp_server_param_with_username_intern(SSL *s, int *ad) 188{ 189 unsigned char b[SSL_MAX_MASTER_KEY_LENGTH]; 190 int al; 191 192 *ad = SSL_AD_UNKNOWN_PSK_IDENTITY; 193 if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) && 194 ((al = 195 s->srp_ctx.TLS_ext_srp_username_callback(s, ad, 196 s->srp_ctx.SRP_cb_arg)) != 197 SSL_ERROR_NONE)) 198 return al; 199 200 *ad = SSL_AD_INTERNAL_ERROR; 201 if ((s->srp_ctx.N == NULL) || 202 (s->srp_ctx.g == NULL) || 203 (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL)) 204 return SSL3_AL_FATAL; 205 206 if (RAND_priv_bytes_ex(s->ctx->libctx, b, sizeof(b), 0) <= 0) 207 return SSL3_AL_FATAL; 208 s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL); 209 OPENSSL_cleanse(b, sizeof(b)); 210 211 /* Calculate: B = (kv + g^b) % N */ 212 213 return ((s->srp_ctx.B = 214 SRP_Calc_B_ex(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g, 215 s->srp_ctx.v, s->ctx->libctx, s->ctx->propq)) != 216 NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL; 217} 218 219int SSL_srp_server_param_with_username(SSL *s, int *ad) 220{ 221 return ssl_srp_server_param_with_username_intern(s, ad); 222} 223 224/* 225 * If the server just has the raw password, make up a verifier entry on the 226 * fly 227 */ 228int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, 229 const char *grp) 230{ 231 SRP_gN *GN = SRP_get_default_gN(grp); 232 if (GN == NULL) 233 return -1; 234 s->srp_ctx.N = BN_dup(GN->N); 235 s->srp_ctx.g = BN_dup(GN->g); 236 BN_clear_free(s->srp_ctx.v); 237 s->srp_ctx.v = NULL; 238 BN_clear_free(s->srp_ctx.s); 239 s->srp_ctx.s = NULL; 240 if (!SRP_create_verifier_BN_ex(user, pass, &s->srp_ctx.s, &s->srp_ctx.v, 241 s->srp_ctx.N, s->srp_ctx.g, s->ctx->libctx, 242 s->ctx->propq)) 243 return -1; 244 245 return 1; 246} 247 248int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, 249 BIGNUM *sa, BIGNUM *v, char *info) 250{ 251 if (N != NULL) { 252 if (s->srp_ctx.N != NULL) { 253 if (!BN_copy(s->srp_ctx.N, N)) { 254 BN_free(s->srp_ctx.N); 255 s->srp_ctx.N = NULL; 256 } 257 } else 258 s->srp_ctx.N = BN_dup(N); 259 } 260 if (g != NULL) { 261 if (s->srp_ctx.g != NULL) { 262 if (!BN_copy(s->srp_ctx.g, g)) { 263 BN_free(s->srp_ctx.g); 264 s->srp_ctx.g = NULL; 265 } 266 } else 267 s->srp_ctx.g = BN_dup(g); 268 } 269 if (sa != NULL) { 270 if (s->srp_ctx.s != NULL) { 271 if (!BN_copy(s->srp_ctx.s, sa)) { 272 BN_free(s->srp_ctx.s); 273 s->srp_ctx.s = NULL; 274 } 275 } else 276 s->srp_ctx.s = BN_dup(sa); 277 } 278 if (v != NULL) { 279 if (s->srp_ctx.v != NULL) { 280 if (!BN_copy(s->srp_ctx.v, v)) { 281 BN_free(s->srp_ctx.v); 282 s->srp_ctx.v = NULL; 283 } 284 } else 285 s->srp_ctx.v = BN_dup(v); 286 } 287 if (info != NULL) { 288 if (s->srp_ctx.info) 289 OPENSSL_free(s->srp_ctx.info); 290 if ((s->srp_ctx.info = OPENSSL_strdup(info)) == NULL) 291 return -1; 292 } 293 294 if (!(s->srp_ctx.N) || 295 !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v)) 296 return -1; 297 298 return 1; 299} 300 301int srp_generate_server_master_secret(SSL *s) 302{ 303 BIGNUM *K = NULL, *u = NULL; 304 int ret = 0, tmp_len = 0; 305 unsigned char *tmp = NULL; 306 307 if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N)) 308 goto err; 309 if ((u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N, 310 s->ctx->libctx, s->ctx->propq)) == NULL) 311 goto err; 312 if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b, 313 s->srp_ctx.N)) == NULL) 314 goto err; 315 316 tmp_len = BN_num_bytes(K); 317 if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) { 318 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 319 goto err; 320 } 321 BN_bn2bin(K, tmp); 322 /* Calls SSLfatal() as required */ 323 ret = ssl_generate_master_secret(s, tmp, tmp_len, 1); 324 err: 325 BN_clear_free(K); 326 BN_clear_free(u); 327 return ret; 328} 329 330/* client side */ 331int srp_generate_client_master_secret(SSL *s) 332{ 333 BIGNUM *x = NULL, *u = NULL, *K = NULL; 334 int ret = 0, tmp_len = 0; 335 char *passwd = NULL; 336 unsigned char *tmp = NULL; 337 338 /* 339 * Checks if b % n == 0 340 */ 341 if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0 342 || (u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N, 343 s->ctx->libctx, s->ctx->propq)) 344 == NULL 345 || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) { 346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 347 goto err; 348 } 349 if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s, 350 s->srp_ctx.SRP_cb_arg)) 351 == NULL) { 352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); 353 goto err; 354 } 355 if ((x = SRP_Calc_x_ex(s->srp_ctx.s, s->srp_ctx.login, passwd, 356 s->ctx->libctx, s->ctx->propq)) == NULL 357 || (K = SRP_Calc_client_key_ex(s->srp_ctx.N, s->srp_ctx.B, 358 s->srp_ctx.g, x, 359 s->srp_ctx.a, u, 360 s->ctx->libctx, 361 s->ctx->propq)) == NULL) { 362 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 363 goto err; 364 } 365 366 tmp_len = BN_num_bytes(K); 367 if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) { 368 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 369 goto err; 370 } 371 BN_bn2bin(K, tmp); 372 /* Calls SSLfatal() as required */ 373 ret = ssl_generate_master_secret(s, tmp, tmp_len, 1); 374 err: 375 BN_clear_free(K); 376 BN_clear_free(x); 377 if (passwd != NULL) 378 OPENSSL_clear_free(passwd, strlen(passwd)); 379 BN_clear_free(u); 380 return ret; 381} 382 383int srp_verify_server_param(SSL *s) 384{ 385 SRP_CTX *srp = &s->srp_ctx; 386 /* 387 * Sanity check parameters: we can quickly check B % N == 0 by checking B 388 * != 0 since B < N 389 */ 390 if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0 391 || BN_is_zero(srp->B)) { 392 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DATA); 393 return 0; 394 } 395 396 if (BN_num_bits(srp->N) < srp->strength) { 397 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_INSUFFICIENT_SECURITY); 398 return 0; 399 } 400 401 if (srp->SRP_verify_param_callback) { 402 if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) { 403 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED); 404 return 0; 405 } 406 } else if (!SRP_check_known_gN_param(srp->g, srp->N)) { 407 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, 408 SSL_R_INSUFFICIENT_SECURITY); 409 return 0; 410 } 411 412 return 1; 413} 414 415/* 416 * The public API SRP_Calc_A_param() is deprecated so we use 417 * ssl_srp_calc_a_param_intern() internally. 418 */ 419int ssl_srp_calc_a_param_intern(SSL *s) 420{ 421 unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; 422 423 if (RAND_priv_bytes_ex(s->ctx->libctx, rnd, sizeof(rnd), 0) <= 0) 424 return 0; 425 s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); 426 OPENSSL_cleanse(rnd, sizeof(rnd)); 427 428 if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g))) 429 return 0; 430 431 return 1; 432} 433 434int SRP_Calc_A_param(SSL *s) 435{ 436 return ssl_srp_calc_a_param_intern(s); 437} 438 439BIGNUM *SSL_get_srp_g(SSL *s) 440{ 441 if (s->srp_ctx.g != NULL) 442 return s->srp_ctx.g; 443 return s->ctx->srp_ctx.g; 444} 445 446BIGNUM *SSL_get_srp_N(SSL *s) 447{ 448 if (s->srp_ctx.N != NULL) 449 return s->srp_ctx.N; 450 return s->ctx->srp_ctx.N; 451} 452 453char *SSL_get_srp_username(SSL *s) 454{ 455 if (s->srp_ctx.login != NULL) 456 return s->srp_ctx.login; 457 return s->ctx->srp_ctx.login; 458} 459 460char *SSL_get_srp_userinfo(SSL *s) 461{ 462 if (s->srp_ctx.info != NULL) 463 return s->srp_ctx.info; 464 return s->ctx->srp_ctx.info; 465} 466 467# define tls1_ctx_ctrl ssl3_ctx_ctrl 468# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl 469 470int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name) 471{ 472 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name); 473} 474 475int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password) 476{ 477 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password); 478} 479 480int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength) 481{ 482 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength, 483 NULL); 484} 485 486int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, 487 int (*cb) (SSL *, void *)) 488{ 489 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB, 490 (void (*)(void))cb); 491} 492 493int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg) 494{ 495 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg); 496} 497 498int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx, 499 int (*cb) (SSL *, int *, void *)) 500{ 501 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB, 502 (void (*)(void))cb); 503} 504 505int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, 506 char *(*cb) (SSL *, void *)) 507{ 508 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB, 509 (void (*)(void))cb); 510} 511 512#endif 513