xref: /freebsd/crypto/openssl/ssl/tls_srp.c (revision 63f537551380d2dab29fa402ad1269feae17e594)
1 /*
2  * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2004, EdelKey Project. All Rights Reserved.
4  *
5  * Licensed under the Apache License 2.0 (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  *
10  * Originally written by Christophe Renou and Peter Sylvester,
11  * for the EdelKey project.
12  */
13 
14 /*
15  * We need to use the SRP deprecated APIs in order to implement the SSL SRP
16  * APIs - which are themselves deprecated.
17  */
18 #define OPENSSL_SUPPRESS_DEPRECATED
19 
20 #include <openssl/crypto.h>
21 #include <openssl/rand.h>
22 #include <openssl/err.h>
23 #include "ssl_local.h"
24 
25 #ifndef OPENSSL_NO_SRP
26 # include <openssl/srp.h>
27 
28 /*
29  * The public API SSL_CTX_SRP_CTX_free() is deprecated so we use
30  * ssl_ctx_srp_ctx_free_intern() internally.
31  */
32 int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx)
33 {
34     if (ctx == NULL)
35         return 0;
36     OPENSSL_free(ctx->srp_ctx.login);
37     OPENSSL_free(ctx->srp_ctx.info);
38     BN_free(ctx->srp_ctx.N);
39     BN_free(ctx->srp_ctx.g);
40     BN_free(ctx->srp_ctx.s);
41     BN_free(ctx->srp_ctx.B);
42     BN_free(ctx->srp_ctx.A);
43     BN_free(ctx->srp_ctx.a);
44     BN_free(ctx->srp_ctx.b);
45     BN_free(ctx->srp_ctx.v);
46     memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
47     ctx->srp_ctx.strength = SRP_MINIMAL_N;
48     return 1;
49 }
50 
51 int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx)
52 {
53     return ssl_ctx_srp_ctx_free_intern(ctx);
54 }
55 
56 /*
57  * The public API SSL_SRP_CTX_free() is deprecated so we use
58  * ssl_srp_ctx_free_intern() internally.
59  */
60 int ssl_srp_ctx_free_intern(SSL *s)
61 {
62     if (s == NULL)
63         return 0;
64     OPENSSL_free(s->srp_ctx.login);
65     OPENSSL_free(s->srp_ctx.info);
66     BN_free(s->srp_ctx.N);
67     BN_free(s->srp_ctx.g);
68     BN_free(s->srp_ctx.s);
69     BN_free(s->srp_ctx.B);
70     BN_free(s->srp_ctx.A);
71     BN_free(s->srp_ctx.a);
72     BN_free(s->srp_ctx.b);
73     BN_free(s->srp_ctx.v);
74     memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
75     s->srp_ctx.strength = SRP_MINIMAL_N;
76     return 1;
77 }
78 
79 int SSL_SRP_CTX_free(SSL *s)
80 {
81     return ssl_srp_ctx_free_intern(s);
82 }
83 
84 /*
85  * The public API SSL_SRP_CTX_init() is deprecated so we use
86  * ssl_srp_ctx_init_intern() internally.
87  */
88 int ssl_srp_ctx_init_intern(SSL *s)
89 {
90     SSL_CTX *ctx;
91 
92     if ((s == NULL) || ((ctx = s->ctx) == NULL))
93         return 0;
94 
95     memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
96 
97     s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
98     /* set client Hello login callback */
99     s->srp_ctx.TLS_ext_srp_username_callback =
100         ctx->srp_ctx.TLS_ext_srp_username_callback;
101     /* set SRP N/g param callback for verification */
102     s->srp_ctx.SRP_verify_param_callback =
103         ctx->srp_ctx.SRP_verify_param_callback;
104     /* set SRP client passwd callback */
105     s->srp_ctx.SRP_give_srp_client_pwd_callback =
106         ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
107 
108     s->srp_ctx.strength = ctx->srp_ctx.strength;
109 
110     if (((ctx->srp_ctx.N != NULL) &&
111          ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) ||
112         ((ctx->srp_ctx.g != NULL) &&
113          ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) ||
114         ((ctx->srp_ctx.s != NULL) &&
115          ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) ||
116         ((ctx->srp_ctx.B != NULL) &&
117          ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) ||
118         ((ctx->srp_ctx.A != NULL) &&
119          ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) ||
120         ((ctx->srp_ctx.a != NULL) &&
121          ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) ||
122         ((ctx->srp_ctx.v != NULL) &&
123          ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) ||
124         ((ctx->srp_ctx.b != NULL) &&
125          ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
126         ERR_raise(ERR_LIB_SSL, ERR_R_BN_LIB);
127         goto err;
128     }
129     if ((ctx->srp_ctx.login != NULL) &&
130         ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
131         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
132         goto err;
133     }
134     if ((ctx->srp_ctx.info != NULL) &&
135         ((s->srp_ctx.info = OPENSSL_strdup(ctx->srp_ctx.info)) == NULL)) {
136         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
137         goto err;
138     }
139     s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
140 
141     return 1;
142  err:
143     OPENSSL_free(s->srp_ctx.login);
144     OPENSSL_free(s->srp_ctx.info);
145     BN_free(s->srp_ctx.N);
146     BN_free(s->srp_ctx.g);
147     BN_free(s->srp_ctx.s);
148     BN_free(s->srp_ctx.B);
149     BN_free(s->srp_ctx.A);
150     BN_free(s->srp_ctx.a);
151     BN_free(s->srp_ctx.b);
152     BN_free(s->srp_ctx.v);
153     memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
154     return 0;
155 }
156 
157 int SSL_SRP_CTX_init(SSL *s)
158 {
159     return ssl_srp_ctx_init_intern(s);
160 }
161 
162 /*
163  * The public API SSL_CTX_SRP_CTX_init() is deprecated so we use
164  * ssl_ctx_srp_ctx_init_intern() internally.
165  */
166 int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx)
167 {
168     if (ctx == NULL)
169         return 0;
170 
171     memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
172     ctx->srp_ctx.strength = SRP_MINIMAL_N;
173 
174     return 1;
175 }
176 
177 int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx)
178 {
179     return ssl_ctx_srp_ctx_init_intern(ctx);
180 }
181 
182 /* server side */
183 /*
184  * The public API SSL_srp_server_param_with_username() is deprecated so we use
185  * ssl_srp_server_param_with_username_intern() internally.
186  */
187 int ssl_srp_server_param_with_username_intern(SSL *s, int *ad)
188 {
189     unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
190     int al;
191 
192     *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
193     if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
194         ((al =
195           s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
196                                                    s->srp_ctx.SRP_cb_arg)) !=
197          SSL_ERROR_NONE))
198         return al;
199 
200     *ad = SSL_AD_INTERNAL_ERROR;
201     if ((s->srp_ctx.N == NULL) ||
202         (s->srp_ctx.g == NULL) ||
203         (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
204         return SSL3_AL_FATAL;
205 
206     if (RAND_priv_bytes_ex(s->ctx->libctx, b, sizeof(b), 0) <= 0)
207         return SSL3_AL_FATAL;
208     s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
209     OPENSSL_cleanse(b, sizeof(b));
210 
211     /* Calculate:  B = (kv + g^b) % N  */
212 
213     return ((s->srp_ctx.B =
214              SRP_Calc_B_ex(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
215                            s->srp_ctx.v, s->ctx->libctx, s->ctx->propq)) !=
216             NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
217 }
218 
219 int SSL_srp_server_param_with_username(SSL *s, int *ad)
220 {
221     return ssl_srp_server_param_with_username_intern(s, ad);
222 }
223 
224 /*
225  * If the server just has the raw password, make up a verifier entry on the
226  * fly
227  */
228 int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
229                                 const char *grp)
230 {
231     SRP_gN *GN = SRP_get_default_gN(grp);
232     if (GN == NULL)
233         return -1;
234     s->srp_ctx.N = BN_dup(GN->N);
235     s->srp_ctx.g = BN_dup(GN->g);
236     BN_clear_free(s->srp_ctx.v);
237     s->srp_ctx.v = NULL;
238     BN_clear_free(s->srp_ctx.s);
239     s->srp_ctx.s = NULL;
240     if (!SRP_create_verifier_BN_ex(user, pass, &s->srp_ctx.s, &s->srp_ctx.v,
241                                    s->srp_ctx.N, s->srp_ctx.g, s->ctx->libctx,
242                                    s->ctx->propq))
243         return -1;
244 
245     return 1;
246 }
247 
248 int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
249                              BIGNUM *sa, BIGNUM *v, char *info)
250 {
251     if (N != NULL) {
252         if (s->srp_ctx.N != NULL) {
253             if (!BN_copy(s->srp_ctx.N, N)) {
254                 BN_free(s->srp_ctx.N);
255                 s->srp_ctx.N = NULL;
256             }
257         } else
258             s->srp_ctx.N = BN_dup(N);
259     }
260     if (g != NULL) {
261         if (s->srp_ctx.g != NULL) {
262             if (!BN_copy(s->srp_ctx.g, g)) {
263                 BN_free(s->srp_ctx.g);
264                 s->srp_ctx.g = NULL;
265             }
266         } else
267             s->srp_ctx.g = BN_dup(g);
268     }
269     if (sa != NULL) {
270         if (s->srp_ctx.s != NULL) {
271             if (!BN_copy(s->srp_ctx.s, sa)) {
272                 BN_free(s->srp_ctx.s);
273                 s->srp_ctx.s = NULL;
274             }
275         } else
276             s->srp_ctx.s = BN_dup(sa);
277     }
278     if (v != NULL) {
279         if (s->srp_ctx.v != NULL) {
280             if (!BN_copy(s->srp_ctx.v, v)) {
281                 BN_free(s->srp_ctx.v);
282                 s->srp_ctx.v = NULL;
283             }
284         } else
285             s->srp_ctx.v = BN_dup(v);
286     }
287     if (info != NULL) {
288         if (s->srp_ctx.info)
289             OPENSSL_free(s->srp_ctx.info);
290         if ((s->srp_ctx.info = OPENSSL_strdup(info)) == NULL)
291             return -1;
292     }
293 
294     if (!(s->srp_ctx.N) ||
295         !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v))
296         return -1;
297 
298     return 1;
299 }
300 
301 int srp_generate_server_master_secret(SSL *s)
302 {
303     BIGNUM *K = NULL, *u = NULL;
304     int ret = 0, tmp_len = 0;
305     unsigned char *tmp = NULL;
306 
307     if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
308         goto err;
309     if ((u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
310                            s->ctx->libctx, s->ctx->propq)) == NULL)
311         goto err;
312     if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
313                                  s->srp_ctx.N)) == NULL)
314         goto err;
315 
316     tmp_len = BN_num_bytes(K);
317     if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
318         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
319         goto err;
320     }
321     BN_bn2bin(K, tmp);
322     /* Calls SSLfatal() as required */
323     ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
324  err:
325     BN_clear_free(K);
326     BN_clear_free(u);
327     return ret;
328 }
329 
330 /* client side */
331 int srp_generate_client_master_secret(SSL *s)
332 {
333     BIGNUM *x = NULL, *u = NULL, *K = NULL;
334     int ret = 0, tmp_len = 0;
335     char *passwd = NULL;
336     unsigned char *tmp = NULL;
337 
338     /*
339      * Checks if b % n == 0
340      */
341     if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0
342             || (u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
343                                   s->ctx->libctx, s->ctx->propq))
344                == NULL
345             || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) {
346         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
347         goto err;
348     }
349     if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
350                                                       s->srp_ctx.SRP_cb_arg))
351             == NULL) {
352         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
353         goto err;
354     }
355     if ((x = SRP_Calc_x_ex(s->srp_ctx.s, s->srp_ctx.login, passwd,
356                            s->ctx->libctx, s->ctx->propq)) == NULL
357             || (K = SRP_Calc_client_key_ex(s->srp_ctx.N, s->srp_ctx.B,
358                                            s->srp_ctx.g, x,
359                                            s->srp_ctx.a, u,
360                                            s->ctx->libctx,
361                                            s->ctx->propq)) == NULL) {
362         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
363         goto err;
364     }
365 
366     tmp_len = BN_num_bytes(K);
367     if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
368         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
369         goto err;
370     }
371     BN_bn2bin(K, tmp);
372     /* Calls SSLfatal() as required */
373     ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
374  err:
375     BN_clear_free(K);
376     BN_clear_free(x);
377     if (passwd != NULL)
378         OPENSSL_clear_free(passwd, strlen(passwd));
379     BN_clear_free(u);
380     return ret;
381 }
382 
383 int srp_verify_server_param(SSL *s)
384 {
385     SRP_CTX *srp = &s->srp_ctx;
386     /*
387      * Sanity check parameters: we can quickly check B % N == 0 by checking B
388      * != 0 since B < N
389      */
390     if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0
391         || BN_is_zero(srp->B)) {
392         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DATA);
393         return 0;
394     }
395 
396     if (BN_num_bits(srp->N) < srp->strength) {
397         SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_INSUFFICIENT_SECURITY);
398         return 0;
399     }
400 
401     if (srp->SRP_verify_param_callback) {
402         if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
403             SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED);
404             return 0;
405         }
406     } else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
407         SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY,
408                  SSL_R_INSUFFICIENT_SECURITY);
409         return 0;
410     }
411 
412     return 1;
413 }
414 
415 /*
416  * The public API SRP_Calc_A_param() is deprecated so we use
417  * ssl_srp_calc_a_param_intern() internally.
418  */
419 int ssl_srp_calc_a_param_intern(SSL *s)
420 {
421     unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
422 
423     if (RAND_priv_bytes_ex(s->ctx->libctx, rnd, sizeof(rnd), 0) <= 0)
424         return 0;
425     s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
426     OPENSSL_cleanse(rnd, sizeof(rnd));
427 
428     if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
429         return 0;
430 
431     return 1;
432 }
433 
434 int SRP_Calc_A_param(SSL *s)
435 {
436     return ssl_srp_calc_a_param_intern(s);
437 }
438 
439 BIGNUM *SSL_get_srp_g(SSL *s)
440 {
441     if (s->srp_ctx.g != NULL)
442         return s->srp_ctx.g;
443     return s->ctx->srp_ctx.g;
444 }
445 
446 BIGNUM *SSL_get_srp_N(SSL *s)
447 {
448     if (s->srp_ctx.N != NULL)
449         return s->srp_ctx.N;
450     return s->ctx->srp_ctx.N;
451 }
452 
453 char *SSL_get_srp_username(SSL *s)
454 {
455     if (s->srp_ctx.login != NULL)
456         return s->srp_ctx.login;
457     return s->ctx->srp_ctx.login;
458 }
459 
460 char *SSL_get_srp_userinfo(SSL *s)
461 {
462     if (s->srp_ctx.info != NULL)
463         return s->srp_ctx.info;
464     return s->ctx->srp_ctx.info;
465 }
466 
467 # define tls1_ctx_ctrl ssl3_ctx_ctrl
468 # define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
469 
470 int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
471 {
472     return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
473 }
474 
475 int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
476 {
477     return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
478 }
479 
480 int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
481 {
482     return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
483                          NULL);
484 }
485 
486 int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
487                                           int (*cb) (SSL *, void *))
488 {
489     return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
490                                   (void (*)(void))cb);
491 }
492 
493 int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
494 {
495     return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
496 }
497 
498 int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
499                                       int (*cb) (SSL *, int *, void *))
500 {
501     return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
502                                   (void (*)(void))cb);
503 }
504 
505 int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
506                                         char *(*cb) (SSL *, void *))
507 {
508     return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
509                                   (void (*)(void))cb);
510 }
511 
512 #endif
513