2 * Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2004, EdelKey Project. All Rights Reserved.
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
10 * Originally written by Christophe Renou and Peter Sylvester,
11 * for the EdelKey project.
14 /* We need to use the SRP deprecated APIs */
15 #define OPENSSL_SUPPRESS_DEPRECATED
17 #include <openssl/crypto.h>
18 #include <openssl/rand.h>
19 #include <openssl/err.h>
20 #include "ssl_local.h"
22 #ifndef OPENSSL_NO_SRP
23 # include <openssl/srp.h>
25 int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
29 OPENSSL_free(ctx->srp_ctx.login);
30 OPENSSL_free(ctx->srp_ctx.info);
31 BN_free(ctx->srp_ctx.N);
32 BN_free(ctx->srp_ctx.g);
33 BN_free(ctx->srp_ctx.s);
34 BN_free(ctx->srp_ctx.B);
35 BN_free(ctx->srp_ctx.A);
36 BN_free(ctx->srp_ctx.a);
37 BN_free(ctx->srp_ctx.b);
38 BN_free(ctx->srp_ctx.v);
39 memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
40 ctx->srp_ctx.strength = SRP_MINIMAL_N;
44 int SSL_SRP_CTX_free(struct ssl_st *s)
48 OPENSSL_free(s->srp_ctx.login);
49 OPENSSL_free(s->srp_ctx.info);
50 BN_free(s->srp_ctx.N);
51 BN_free(s->srp_ctx.g);
52 BN_free(s->srp_ctx.s);
53 BN_free(s->srp_ctx.B);
54 BN_free(s->srp_ctx.A);
55 BN_free(s->srp_ctx.a);
56 BN_free(s->srp_ctx.b);
57 BN_free(s->srp_ctx.v);
58 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
59 s->srp_ctx.strength = SRP_MINIMAL_N;
63 int SSL_SRP_CTX_init(struct ssl_st *s)
67 if ((s == NULL) || ((ctx = s->ctx) == NULL))
70 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
72 s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
73 /* set client Hello login callback */
74 s->srp_ctx.TLS_ext_srp_username_callback =
75 ctx->srp_ctx.TLS_ext_srp_username_callback;
76 /* set SRP N/g param callback for verification */
77 s->srp_ctx.SRP_verify_param_callback =
78 ctx->srp_ctx.SRP_verify_param_callback;
79 /* set SRP client passwd callback */
80 s->srp_ctx.SRP_give_srp_client_pwd_callback =
81 ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
83 s->srp_ctx.strength = ctx->srp_ctx.strength;
85 if (((ctx->srp_ctx.N != NULL) &&
86 ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) ||
87 ((ctx->srp_ctx.g != NULL) &&
88 ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) ||
89 ((ctx->srp_ctx.s != NULL) &&
90 ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) ||
91 ((ctx->srp_ctx.B != NULL) &&
92 ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) ||
93 ((ctx->srp_ctx.A != NULL) &&
94 ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) ||
95 ((ctx->srp_ctx.a != NULL) &&
96 ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) ||
97 ((ctx->srp_ctx.v != NULL) &&
98 ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) ||
99 ((ctx->srp_ctx.b != NULL) &&
100 ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
101 ERR_raise(ERR_LIB_SSL, ERR_R_BN_LIB);
104 if ((ctx->srp_ctx.login != NULL) &&
105 ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
106 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
109 if ((ctx->srp_ctx.info != NULL) &&
110 ((s->srp_ctx.info = OPENSSL_strdup(ctx->srp_ctx.info)) == NULL)) {
111 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
114 s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
118 OPENSSL_free(s->srp_ctx.login);
119 OPENSSL_free(s->srp_ctx.info);
120 BN_free(s->srp_ctx.N);
121 BN_free(s->srp_ctx.g);
122 BN_free(s->srp_ctx.s);
123 BN_free(s->srp_ctx.B);
124 BN_free(s->srp_ctx.A);
125 BN_free(s->srp_ctx.a);
126 BN_free(s->srp_ctx.b);
127 BN_free(s->srp_ctx.v);
128 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
132 int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
137 memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
138 ctx->srp_ctx.strength = SRP_MINIMAL_N;
144 int SSL_srp_server_param_with_username(SSL *s, int *ad)
146 unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
149 *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
150 if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
152 s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
153 s->srp_ctx.SRP_cb_arg)) !=
157 *ad = SSL_AD_INTERNAL_ERROR;
158 if ((s->srp_ctx.N == NULL) ||
159 (s->srp_ctx.g == NULL) ||
160 (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
161 return SSL3_AL_FATAL;
163 if (RAND_priv_bytes_ex(s->ctx->libctx, b, sizeof(b)) <= 0)
164 return SSL3_AL_FATAL;
165 s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
166 OPENSSL_cleanse(b, sizeof(b));
168 /* Calculate: B = (kv + g^b) % N */
170 return ((s->srp_ctx.B =
171 SRP_Calc_B_ex(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
172 s->srp_ctx.v, s->ctx->libctx, s->ctx->propq)) !=
173 NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
177 * If the server just has the raw password, make up a verifier entry on the
180 int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
183 SRP_gN *GN = SRP_get_default_gN(grp);
186 s->srp_ctx.N = BN_dup(GN->N);
187 s->srp_ctx.g = BN_dup(GN->g);
188 BN_clear_free(s->srp_ctx.v);
190 BN_clear_free(s->srp_ctx.s);
192 if (!SRP_create_verifier_BN_ex(user, pass, &s->srp_ctx.s, &s->srp_ctx.v,
193 GN->N, GN->g, s->ctx->libctx,
200 int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
201 BIGNUM *sa, BIGNUM *v, char *info)
204 if (s->srp_ctx.N != NULL) {
205 if (!BN_copy(s->srp_ctx.N, N)) {
206 BN_free(s->srp_ctx.N);
210 s->srp_ctx.N = BN_dup(N);
213 if (s->srp_ctx.g != NULL) {
214 if (!BN_copy(s->srp_ctx.g, g)) {
215 BN_free(s->srp_ctx.g);
219 s->srp_ctx.g = BN_dup(g);
222 if (s->srp_ctx.s != NULL) {
223 if (!BN_copy(s->srp_ctx.s, sa)) {
224 BN_free(s->srp_ctx.s);
228 s->srp_ctx.s = BN_dup(sa);
231 if (s->srp_ctx.v != NULL) {
232 if (!BN_copy(s->srp_ctx.v, v)) {
233 BN_free(s->srp_ctx.v);
237 s->srp_ctx.v = BN_dup(v);
241 OPENSSL_free(s->srp_ctx.info);
242 if ((s->srp_ctx.info = OPENSSL_strdup(info)) == NULL)
246 if (!(s->srp_ctx.N) ||
247 !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v))
253 int srp_generate_server_master_secret(SSL *s)
255 BIGNUM *K = NULL, *u = NULL;
256 int ret = -1, tmp_len = 0;
257 unsigned char *tmp = NULL;
259 if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
261 if ((u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
262 s->ctx->libctx, s->ctx->propq)) == NULL)
264 if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
265 s->srp_ctx.N)) == NULL)
268 tmp_len = BN_num_bytes(K);
269 if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
274 /* Calls SSLfatal() as required */
275 ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
283 int srp_generate_client_master_secret(SSL *s)
285 BIGNUM *x = NULL, *u = NULL, *K = NULL;
286 int ret = -1, tmp_len = 0;
288 unsigned char *tmp = NULL;
291 * Checks if b % n == 0
293 if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0
294 || (u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
295 s->ctx->libctx, s->ctx->propq))
297 || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) {
298 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
301 if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
302 s->srp_ctx.SRP_cb_arg))
304 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
307 if ((x = SRP_Calc_x_ex(s->srp_ctx.s, s->srp_ctx.login, passwd,
308 s->ctx->libctx, s->ctx->propq)) == NULL
309 || (K = SRP_Calc_client_key_ex(s->srp_ctx.N, s->srp_ctx.B,
313 s->ctx->propq)) == NULL) {
314 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
318 tmp_len = BN_num_bytes(K);
319 if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
320 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
324 /* Calls SSLfatal() as required */
325 ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
330 OPENSSL_clear_free(passwd, strlen(passwd));
335 int srp_verify_server_param(SSL *s)
337 SRP_CTX *srp = &s->srp_ctx;
339 * Sanity check parameters: we can quickly check B % N == 0 by checking B
342 if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0
343 || BN_is_zero(srp->B)) {
344 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DATA);
348 if (BN_num_bits(srp->N) < srp->strength) {
349 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_INSUFFICIENT_SECURITY);
353 if (srp->SRP_verify_param_callback) {
354 if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
355 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED);
358 } else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
359 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY,
360 SSL_R_INSUFFICIENT_SECURITY);
367 int SRP_Calc_A_param(SSL *s)
369 unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
371 if (RAND_priv_bytes_ex(s->ctx->libctx, rnd, sizeof(rnd)) <= 0)
373 s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
374 OPENSSL_cleanse(rnd, sizeof(rnd));
376 if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
382 BIGNUM *SSL_get_srp_g(SSL *s)
384 if (s->srp_ctx.g != NULL)
386 return s->ctx->srp_ctx.g;
389 BIGNUM *SSL_get_srp_N(SSL *s)
391 if (s->srp_ctx.N != NULL)
393 return s->ctx->srp_ctx.N;
396 char *SSL_get_srp_username(SSL *s)
398 if (s->srp_ctx.login != NULL)
399 return s->srp_ctx.login;
400 return s->ctx->srp_ctx.login;
403 char *SSL_get_srp_userinfo(SSL *s)
405 if (s->srp_ctx.info != NULL)
406 return s->srp_ctx.info;
407 return s->ctx->srp_ctx.info;
410 # define tls1_ctx_ctrl ssl3_ctx_ctrl
411 # define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
413 int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
415 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
418 int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
420 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
423 int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
425 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
429 int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
430 int (*cb) (SSL *, void *))
432 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
436 int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
438 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
441 int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
442 int (*cb) (SSL *, int *, void *))
444 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
448 int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
449 char *(*cb) (SSL *, void *))
451 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,