1/* 2 * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2004, EdelKey Project. All Rights Reserved. 4 * 5 * Licensed under the OpenSSL license (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 * 10 * Originally written by Christophe Renou and Peter Sylvester, 11 * for the EdelKey project. 12 */ 13 14#include <openssl/crypto.h> 15#include <openssl/rand.h> 16#include <openssl/err.h> 17#include "ssl_local.h" 18 19#ifndef OPENSSL_NO_SRP 20# include <openssl/srp.h> 21 22int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx) 23{ 24 if (ctx == NULL) 25 return 0; 26 OPENSSL_free(ctx->srp_ctx.login); 27 OPENSSL_free(ctx->srp_ctx.info); 28 BN_free(ctx->srp_ctx.N); 29 BN_free(ctx->srp_ctx.g); 30 BN_free(ctx->srp_ctx.s); 31 BN_free(ctx->srp_ctx.B); 32 BN_free(ctx->srp_ctx.A); 33 BN_free(ctx->srp_ctx.a); 34 BN_free(ctx->srp_ctx.b); 35 BN_free(ctx->srp_ctx.v); 36 memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx)); 37 ctx->srp_ctx.strength = SRP_MINIMAL_N; 38 return 1; 39} 40 41int SSL_SRP_CTX_free(struct ssl_st *s) 42{ 43 if (s == NULL) 44 return 0; 45 OPENSSL_free(s->srp_ctx.login); 46 OPENSSL_free(s->srp_ctx.info); 47 BN_free(s->srp_ctx.N); 48 BN_free(s->srp_ctx.g); 49 BN_free(s->srp_ctx.s); 50 BN_free(s->srp_ctx.B); 51 BN_free(s->srp_ctx.A); 52 BN_free(s->srp_ctx.a); 53 BN_free(s->srp_ctx.b); 54 BN_free(s->srp_ctx.v); 55 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); 56 s->srp_ctx.strength = SRP_MINIMAL_N; 57 return 1; 58} 59 60int SSL_SRP_CTX_init(struct ssl_st *s) 61{ 62 SSL_CTX *ctx; 63 64 if ((s == NULL) || ((ctx = s->ctx) == NULL)) 65 return 0; 66 67 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); 68 69 s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg; 70 /* set client Hello login callback */ 71 s->srp_ctx.TLS_ext_srp_username_callback = 72 ctx->srp_ctx.TLS_ext_srp_username_callback; 73 /* set SRP N/g param callback for verification */ 74 s->srp_ctx.SRP_verify_param_callback = 75 ctx->srp_ctx.SRP_verify_param_callback; 76 /* set SRP client passwd callback */ 77 s->srp_ctx.SRP_give_srp_client_pwd_callback = 78 ctx->srp_ctx.SRP_give_srp_client_pwd_callback; 79 80 s->srp_ctx.strength = ctx->srp_ctx.strength; 81 82 if (((ctx->srp_ctx.N != NULL) && 83 ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) || 84 ((ctx->srp_ctx.g != NULL) && 85 ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) || 86 ((ctx->srp_ctx.s != NULL) && 87 ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) || 88 ((ctx->srp_ctx.B != NULL) && 89 ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) || 90 ((ctx->srp_ctx.A != NULL) && 91 ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) || 92 ((ctx->srp_ctx.a != NULL) && 93 ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) || 94 ((ctx->srp_ctx.v != NULL) && 95 ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) || 96 ((ctx->srp_ctx.b != NULL) && 97 ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) { 98 SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB); 99 goto err; 100 } 101 if ((ctx->srp_ctx.login != NULL) && 102 ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) { 103 SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR); 104 goto err; 105 } 106 if ((ctx->srp_ctx.info != NULL) && 107 ((s->srp_ctx.info = BUF_strdup(ctx->srp_ctx.info)) == NULL)) { 108 SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR); 109 goto err; 110 } 111 s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask; 112 113 return 1; 114 err: 115 OPENSSL_free(s->srp_ctx.login); 116 OPENSSL_free(s->srp_ctx.info); 117 BN_free(s->srp_ctx.N); 118 BN_free(s->srp_ctx.g); 119 BN_free(s->srp_ctx.s); 120 BN_free(s->srp_ctx.B); 121 BN_free(s->srp_ctx.A); 122 BN_free(s->srp_ctx.a); 123 BN_free(s->srp_ctx.b); 124 BN_free(s->srp_ctx.v); 125 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); 126 return 0; 127} 128 129int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx) 130{ 131 if (ctx == NULL) 132 return 0; 133 134 memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx)); 135 ctx->srp_ctx.strength = SRP_MINIMAL_N; 136 137 return 1; 138} 139 140/* server side */ 141int SSL_srp_server_param_with_username(SSL *s, int *ad) 142{ 143 unsigned char b[SSL_MAX_MASTER_KEY_LENGTH]; 144 int al; 145 146 *ad = SSL_AD_UNKNOWN_PSK_IDENTITY; 147 if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) && 148 ((al = 149 s->srp_ctx.TLS_ext_srp_username_callback(s, ad, 150 s->srp_ctx.SRP_cb_arg)) != 151 SSL_ERROR_NONE)) 152 return al; 153 154 *ad = SSL_AD_INTERNAL_ERROR; 155 if ((s->srp_ctx.N == NULL) || 156 (s->srp_ctx.g == NULL) || 157 (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL)) 158 return SSL3_AL_FATAL; 159 160 if (RAND_priv_bytes(b, sizeof(b)) <= 0) 161 return SSL3_AL_FATAL; 162 s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL); 163 OPENSSL_cleanse(b, sizeof(b)); 164 165 /* Calculate: B = (kv + g^b) % N */ 166 167 return ((s->srp_ctx.B = 168 SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g, 169 s->srp_ctx.v)) != 170 NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL; 171} 172 173/* 174 * If the server just has the raw password, make up a verifier entry on the 175 * fly 176 */ 177int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, 178 const char *grp) 179{ 180 SRP_gN *GN = SRP_get_default_gN(grp); 181 if (GN == NULL) 182 return -1; 183 s->srp_ctx.N = BN_dup(GN->N); 184 s->srp_ctx.g = BN_dup(GN->g); 185 BN_clear_free(s->srp_ctx.v); 186 s->srp_ctx.v = NULL; 187 BN_clear_free(s->srp_ctx.s); 188 s->srp_ctx.s = NULL; 189 if (!SRP_create_verifier_BN 190 (user, pass, &s->srp_ctx.s, &s->srp_ctx.v, GN->N, GN->g)) 191 return -1; 192 193 return 1; 194} 195 196int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, 197 BIGNUM *sa, BIGNUM *v, char *info) 198{ 199 if (N != NULL) { 200 if (s->srp_ctx.N != NULL) { 201 if (!BN_copy(s->srp_ctx.N, N)) { 202 BN_free(s->srp_ctx.N); 203 s->srp_ctx.N = NULL; 204 } 205 } else 206 s->srp_ctx.N = BN_dup(N); 207 } 208 if (g != NULL) { 209 if (s->srp_ctx.g != NULL) { 210 if (!BN_copy(s->srp_ctx.g, g)) { 211 BN_free(s->srp_ctx.g); 212 s->srp_ctx.g = NULL; 213 } 214 } else 215 s->srp_ctx.g = BN_dup(g); 216 } 217 if (sa != NULL) { 218 if (s->srp_ctx.s != NULL) { 219 if (!BN_copy(s->srp_ctx.s, sa)) { 220 BN_free(s->srp_ctx.s); 221 s->srp_ctx.s = NULL; 222 } 223 } else 224 s->srp_ctx.s = BN_dup(sa); 225 } 226 if (v != NULL) { 227 if (s->srp_ctx.v != NULL) { 228 if (!BN_copy(s->srp_ctx.v, v)) { 229 BN_free(s->srp_ctx.v); 230 s->srp_ctx.v = NULL; 231 } 232 } else 233 s->srp_ctx.v = BN_dup(v); 234 } 235 if (info != NULL) { 236 if (s->srp_ctx.info) 237 OPENSSL_free(s->srp_ctx.info); 238 if ((s->srp_ctx.info = BUF_strdup(info)) == NULL) 239 return -1; 240 } 241 242 if (!(s->srp_ctx.N) || 243 !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v)) 244 return -1; 245 246 return 1; 247} 248 249int srp_generate_server_master_secret(SSL *s) 250{ 251 BIGNUM *K = NULL, *u = NULL; 252 int ret = -1, tmp_len = 0; 253 unsigned char *tmp = NULL; 254 255 if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N)) 256 goto err; 257 if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL) 258 goto err; 259 if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b, 260 s->srp_ctx.N)) == NULL) 261 goto err; 262 263 tmp_len = BN_num_bytes(K); 264 if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) { 265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 266 SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET, ERR_R_MALLOC_FAILURE); 267 goto err; 268 } 269 BN_bn2bin(K, tmp); 270 /* Calls SSLfatal() as required */ 271 ret = ssl_generate_master_secret(s, tmp, tmp_len, 1); 272 err: 273 BN_clear_free(K); 274 BN_clear_free(u); 275 return ret; 276} 277 278/* client side */ 279int srp_generate_client_master_secret(SSL *s) 280{ 281 BIGNUM *x = NULL, *u = NULL, *K = NULL; 282 int ret = -1, tmp_len = 0; 283 char *passwd = NULL; 284 unsigned char *tmp = NULL; 285 286 /* 287 * Checks if b % n == 0 288 */ 289 if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0 290 || (u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) 291 == NULL 292 || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) { 293 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 294 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_INTERNAL_ERROR); 295 goto err; 296 } 297 if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s, 298 s->srp_ctx.SRP_cb_arg)) 299 == NULL) { 300 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 301 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, 302 SSL_R_CALLBACK_FAILED); 303 goto err; 304 } 305 if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL 306 || (K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, 307 s->srp_ctx.g, x, 308 s->srp_ctx.a, u)) == NULL) { 309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 310 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_INTERNAL_ERROR); 311 goto err; 312 } 313 314 tmp_len = BN_num_bytes(K); 315 if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) { 316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 317 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_MALLOC_FAILURE); 318 goto err; 319 } 320 BN_bn2bin(K, tmp); 321 /* Calls SSLfatal() as required */ 322 ret = ssl_generate_master_secret(s, tmp, tmp_len, 1); 323 err: 324 BN_clear_free(K); 325 BN_clear_free(x); 326 if (passwd != NULL) 327 OPENSSL_clear_free(passwd, strlen(passwd)); 328 BN_clear_free(u); 329 return ret; 330} 331 332int srp_verify_server_param(SSL *s) 333{ 334 SRP_CTX *srp = &s->srp_ctx; 335 /* 336 * Sanity check parameters: we can quickly check B % N == 0 by checking B 337 * != 0 since B < N 338 */ 339 if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0 340 || BN_is_zero(srp->B)) { 341 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SRP_VERIFY_SERVER_PARAM, 342 SSL_R_BAD_DATA); 343 return 0; 344 } 345 346 if (BN_num_bits(srp->N) < srp->strength) { 347 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_F_SRP_VERIFY_SERVER_PARAM, 348 SSL_R_INSUFFICIENT_SECURITY); 349 return 0; 350 } 351 352 if (srp->SRP_verify_param_callback) { 353 if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) { 354 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, 355 SSL_F_SRP_VERIFY_SERVER_PARAM, 356 SSL_R_CALLBACK_FAILED); 357 return 0; 358 } 359 } else if (!SRP_check_known_gN_param(srp->g, srp->N)) { 360 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_F_SRP_VERIFY_SERVER_PARAM, 361 SSL_R_INSUFFICIENT_SECURITY); 362 return 0; 363 } 364 365 return 1; 366} 367 368int SRP_Calc_A_param(SSL *s) 369{ 370 unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; 371 372 if (RAND_priv_bytes(rnd, sizeof(rnd)) <= 0) 373 return 0; 374 s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); 375 OPENSSL_cleanse(rnd, sizeof(rnd)); 376 377 if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g))) 378 return 0; 379 380 return 1; 381} 382 383BIGNUM *SSL_get_srp_g(SSL *s) 384{ 385 if (s->srp_ctx.g != NULL) 386 return s->srp_ctx.g; 387 return s->ctx->srp_ctx.g; 388} 389 390BIGNUM *SSL_get_srp_N(SSL *s) 391{ 392 if (s->srp_ctx.N != NULL) 393 return s->srp_ctx.N; 394 return s->ctx->srp_ctx.N; 395} 396 397char *SSL_get_srp_username(SSL *s) 398{ 399 if (s->srp_ctx.login != NULL) 400 return s->srp_ctx.login; 401 return s->ctx->srp_ctx.login; 402} 403 404char *SSL_get_srp_userinfo(SSL *s) 405{ 406 if (s->srp_ctx.info != NULL) 407 return s->srp_ctx.info; 408 return s->ctx->srp_ctx.info; 409} 410 411# define tls1_ctx_ctrl ssl3_ctx_ctrl 412# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl 413 414int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name) 415{ 416 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name); 417} 418 419int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password) 420{ 421 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password); 422} 423 424int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength) 425{ 426 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength, 427 NULL); 428} 429 430int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, 431 int (*cb) (SSL *, void *)) 432{ 433 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB, 434 (void (*)(void))cb); 435} 436 437int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg) 438{ 439 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg); 440} 441 442int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx, 443 int (*cb) (SSL *, int *, void *)) 444{ 445 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB, 446 (void (*)(void))cb); 447} 448 449int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, 450 char *(*cb) (SSL *, void *)) 451{ 452 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB, 453 (void (*)(void))cb); 454} 455 456#endif 457