xref: /freebsd/crypto/openssl/crypto/srp/srp_lib.c (revision 9e5787d2284e187abb5b654d924394a65772e004)
1 /*
2  * Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2004, EdelKey Project. All Rights Reserved.
4  *
5  * Licensed under the OpenSSL license (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  *
10  * Originally written by Christophe Renou and Peter Sylvester,
11  * for the EdelKey project.
12  */
13 
14 #ifndef OPENSSL_NO_SRP
15 # include "internal/cryptlib.h"
16 # include <openssl/sha.h>
17 # include <openssl/srp.h>
18 # include <openssl/evp.h>
19 # include "crypto/bn_srp.h"
20 
21 /* calculate = SHA1(PAD(x) || PAD(y)) */
22 
23 static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y, const BIGNUM *N)
24 {
25     unsigned char digest[SHA_DIGEST_LENGTH];
26     unsigned char *tmp = NULL;
27     int numN = BN_num_bytes(N);
28     BIGNUM *res = NULL;
29 
30     if (x != N && BN_ucmp(x, N) >= 0)
31         return NULL;
32     if (y != N && BN_ucmp(y, N) >= 0)
33         return NULL;
34     if ((tmp = OPENSSL_malloc(numN * 2)) == NULL)
35         goto err;
36     if (BN_bn2binpad(x, tmp, numN) < 0
37         || BN_bn2binpad(y, tmp + numN, numN) < 0
38         || !EVP_Digest(tmp, numN * 2, digest, NULL, EVP_sha1(), NULL))
39         goto err;
40     res = BN_bin2bn(digest, sizeof(digest), NULL);
41  err:
42     OPENSSL_free(tmp);
43     return res;
44 }
45 
46 static BIGNUM *srp_Calc_k(const BIGNUM *N, const BIGNUM *g)
47 {
48     /* k = SHA1(N | PAD(g)) -- tls-srp draft 8 */
49     return srp_Calc_xy(N, g, N);
50 }
51 
52 BIGNUM *SRP_Calc_u(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N)
53 {
54     /* k = SHA1(PAD(A) || PAD(B) ) -- tls-srp draft 8 */
55     return srp_Calc_xy(A, B, N);
56 }
57 
58 BIGNUM *SRP_Calc_server_key(const BIGNUM *A, const BIGNUM *v, const BIGNUM *u,
59                             const BIGNUM *b, const BIGNUM *N)
60 {
61     BIGNUM *tmp = NULL, *S = NULL;
62     BN_CTX *bn_ctx;
63 
64     if (u == NULL || A == NULL || v == NULL || b == NULL || N == NULL)
65         return NULL;
66 
67     if ((bn_ctx = BN_CTX_new()) == NULL || (tmp = BN_new()) == NULL)
68         goto err;
69 
70     /* S = (A*v**u) ** b */
71 
72     if (!BN_mod_exp(tmp, v, u, N, bn_ctx))
73         goto err;
74     if (!BN_mod_mul(tmp, A, tmp, N, bn_ctx))
75         goto err;
76 
77     S = BN_new();
78     if (S != NULL && !BN_mod_exp(S, tmp, b, N, bn_ctx)) {
79         BN_free(S);
80         S = NULL;
81     }
82  err:
83     BN_CTX_free(bn_ctx);
84     BN_clear_free(tmp);
85     return S;
86 }
87 
88 BIGNUM *SRP_Calc_B(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g,
89                    const BIGNUM *v)
90 {
91     BIGNUM *kv = NULL, *gb = NULL;
92     BIGNUM *B = NULL, *k = NULL;
93     BN_CTX *bn_ctx;
94 
95     if (b == NULL || N == NULL || g == NULL || v == NULL ||
96         (bn_ctx = BN_CTX_new()) == NULL)
97         return NULL;
98 
99     if ((kv = BN_new()) == NULL ||
100         (gb = BN_new()) == NULL || (B = BN_new()) == NULL)
101         goto err;
102 
103     /* B = g**b + k*v */
104 
105     if (!BN_mod_exp(gb, g, b, N, bn_ctx)
106         || (k = srp_Calc_k(N, g)) == NULL
107         || !BN_mod_mul(kv, v, k, N, bn_ctx)
108         || !BN_mod_add(B, gb, kv, N, bn_ctx)) {
109         BN_free(B);
110         B = NULL;
111     }
112  err:
113     BN_CTX_free(bn_ctx);
114     BN_clear_free(kv);
115     BN_clear_free(gb);
116     BN_free(k);
117     return B;
118 }
119 
120 BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass)
121 {
122     unsigned char dig[SHA_DIGEST_LENGTH];
123     EVP_MD_CTX *ctxt;
124     unsigned char *cs = NULL;
125     BIGNUM *res = NULL;
126 
127     if ((s == NULL) || (user == NULL) || (pass == NULL))
128         return NULL;
129 
130     ctxt = EVP_MD_CTX_new();
131     if (ctxt == NULL)
132         return NULL;
133     if ((cs = OPENSSL_malloc(BN_num_bytes(s))) == NULL)
134         goto err;
135 
136     if (!EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL)
137         || !EVP_DigestUpdate(ctxt, user, strlen(user))
138         || !EVP_DigestUpdate(ctxt, ":", 1)
139         || !EVP_DigestUpdate(ctxt, pass, strlen(pass))
140         || !EVP_DigestFinal_ex(ctxt, dig, NULL)
141         || !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL))
142         goto err;
143     if (BN_bn2bin(s, cs) < 0)
144         goto err;
145     if (!EVP_DigestUpdate(ctxt, cs, BN_num_bytes(s)))
146         goto err;
147 
148     if (!EVP_DigestUpdate(ctxt, dig, sizeof(dig))
149         || !EVP_DigestFinal_ex(ctxt, dig, NULL))
150         goto err;
151 
152     res = BN_bin2bn(dig, sizeof(dig), NULL);
153 
154  err:
155     OPENSSL_free(cs);
156     EVP_MD_CTX_free(ctxt);
157     return res;
158 }
159 
160 BIGNUM *SRP_Calc_A(const BIGNUM *a, const BIGNUM *N, const BIGNUM *g)
161 {
162     BN_CTX *bn_ctx;
163     BIGNUM *A = NULL;
164 
165     if (a == NULL || N == NULL || g == NULL || (bn_ctx = BN_CTX_new()) == NULL)
166         return NULL;
167 
168     if ((A = BN_new()) != NULL && !BN_mod_exp(A, g, a, N, bn_ctx)) {
169         BN_free(A);
170         A = NULL;
171     }
172     BN_CTX_free(bn_ctx);
173     return A;
174 }
175 
176 BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g,
177                             const BIGNUM *x, const BIGNUM *a, const BIGNUM *u)
178 {
179     BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *k = NULL, *K = NULL;
180     BN_CTX *bn_ctx;
181 
182     if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL
183         || a == NULL || (bn_ctx = BN_CTX_new()) == NULL)
184         return NULL;
185 
186     if ((tmp = BN_new()) == NULL ||
187         (tmp2 = BN_new()) == NULL ||
188         (tmp3 = BN_new()) == NULL)
189         goto err;
190 
191     if (!BN_mod_exp(tmp, g, x, N, bn_ctx))
192         goto err;
193     if ((k = srp_Calc_k(N, g)) == NULL)
194         goto err;
195     if (!BN_mod_mul(tmp2, tmp, k, N, bn_ctx))
196         goto err;
197     if (!BN_mod_sub(tmp, B, tmp2, N, bn_ctx))
198         goto err;
199     if (!BN_mul(tmp3, u, x, bn_ctx))
200         goto err;
201     if (!BN_add(tmp2, a, tmp3))
202         goto err;
203     K = BN_new();
204     if (K != NULL && !BN_mod_exp(K, tmp, tmp2, N, bn_ctx)) {
205         BN_free(K);
206         K = NULL;
207     }
208 
209  err:
210     BN_CTX_free(bn_ctx);
211     BN_clear_free(tmp);
212     BN_clear_free(tmp2);
213     BN_clear_free(tmp3);
214     BN_free(k);
215     return K;
216 }
217 
218 int SRP_Verify_B_mod_N(const BIGNUM *B, const BIGNUM *N)
219 {
220     BIGNUM *r;
221     BN_CTX *bn_ctx;
222     int ret = 0;
223 
224     if (B == NULL || N == NULL || (bn_ctx = BN_CTX_new()) == NULL)
225         return 0;
226 
227     if ((r = BN_new()) == NULL)
228         goto err;
229     /* Checks if B % N == 0 */
230     if (!BN_nnmod(r, B, N, bn_ctx))
231         goto err;
232     ret = !BN_is_zero(r);
233  err:
234     BN_CTX_free(bn_ctx);
235     BN_free(r);
236     return ret;
237 }
238 
239 int SRP_Verify_A_mod_N(const BIGNUM *A, const BIGNUM *N)
240 {
241     /* Checks if A % N == 0 */
242     return SRP_Verify_B_mod_N(A, N);
243 }
244 
245 static SRP_gN knowngN[] = {
246     {"8192", &bn_generator_19, &bn_group_8192},
247     {"6144", &bn_generator_5, &bn_group_6144},
248     {"4096", &bn_generator_5, &bn_group_4096},
249     {"3072", &bn_generator_5, &bn_group_3072},
250     {"2048", &bn_generator_2, &bn_group_2048},
251     {"1536", &bn_generator_2, &bn_group_1536},
252     {"1024", &bn_generator_2, &bn_group_1024},
253 };
254 
255 # define KNOWN_GN_NUMBER sizeof(knowngN) / sizeof(SRP_gN)
256 
257 /*
258  * Check if G and N are known parameters. The values have been generated
259  * from the ietf-tls-srp draft version 8
260  */
261 char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N)
262 {
263     size_t i;
264     if ((g == NULL) || (N == NULL))
265         return 0;
266 
267     for (i = 0; i < KNOWN_GN_NUMBER; i++) {
268         if (BN_cmp(knowngN[i].g, g) == 0 && BN_cmp(knowngN[i].N, N) == 0)
269             return knowngN[i].id;
270     }
271     return NULL;
272 }
273 
274 SRP_gN *SRP_get_default_gN(const char *id)
275 {
276     size_t i;
277 
278     if (id == NULL)
279         return knowngN;
280     for (i = 0; i < KNOWN_GN_NUMBER; i++) {
281         if (strcmp(knowngN[i].id, id) == 0)
282             return knowngN + i;
283     }
284     return NULL;
285 }
286 #endif
287