1 /* 2 * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2004, EdelKey Project. All Rights Reserved. 4 * 5 * Licensed under the OpenSSL license (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 * 10 * Originally written by Christophe Renou and Peter Sylvester, 11 * for the EdelKey project. 12 */ 13 14 #include <openssl/crypto.h> 15 #include <openssl/rand.h> 16 #include <openssl/err.h> 17 #include "ssl_local.h" 18 19 #ifndef OPENSSL_NO_SRP 20 # include <openssl/srp.h> 21 22 int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx) 23 { 24 if (ctx == NULL) 25 return 0; 26 OPENSSL_free(ctx->srp_ctx.login); 27 OPENSSL_free(ctx->srp_ctx.info); 28 BN_free(ctx->srp_ctx.N); 29 BN_free(ctx->srp_ctx.g); 30 BN_free(ctx->srp_ctx.s); 31 BN_free(ctx->srp_ctx.B); 32 BN_free(ctx->srp_ctx.A); 33 BN_free(ctx->srp_ctx.a); 34 BN_free(ctx->srp_ctx.b); 35 BN_free(ctx->srp_ctx.v); 36 memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx)); 37 ctx->srp_ctx.strength = SRP_MINIMAL_N; 38 return 1; 39 } 40 41 int SSL_SRP_CTX_free(struct ssl_st *s) 42 { 43 if (s == NULL) 44 return 0; 45 OPENSSL_free(s->srp_ctx.login); 46 OPENSSL_free(s->srp_ctx.info); 47 BN_free(s->srp_ctx.N); 48 BN_free(s->srp_ctx.g); 49 BN_free(s->srp_ctx.s); 50 BN_free(s->srp_ctx.B); 51 BN_free(s->srp_ctx.A); 52 BN_free(s->srp_ctx.a); 53 BN_free(s->srp_ctx.b); 54 BN_free(s->srp_ctx.v); 55 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); 56 s->srp_ctx.strength = SRP_MINIMAL_N; 57 return 1; 58 } 59 60 int SSL_SRP_CTX_init(struct ssl_st *s) 61 { 62 SSL_CTX *ctx; 63 64 if ((s == NULL) || ((ctx = s->ctx) == NULL)) 65 return 0; 66 67 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); 68 69 s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg; 70 /* set client Hello login callback */ 71 s->srp_ctx.TLS_ext_srp_username_callback = 72 ctx->srp_ctx.TLS_ext_srp_username_callback; 73 /* set SRP N/g param callback for verification */ 74 s->srp_ctx.SRP_verify_param_callback = 75 ctx->srp_ctx.SRP_verify_param_callback; 76 /* set SRP client passwd callback */ 77 s->srp_ctx.SRP_give_srp_client_pwd_callback = 78 ctx->srp_ctx.SRP_give_srp_client_pwd_callback; 79 80 s->srp_ctx.strength = ctx->srp_ctx.strength; 81 82 if (((ctx->srp_ctx.N != NULL) && 83 ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) || 84 ((ctx->srp_ctx.g != NULL) && 85 ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) || 86 ((ctx->srp_ctx.s != NULL) && 87 ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) || 88 ((ctx->srp_ctx.B != NULL) && 89 ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) || 90 ((ctx->srp_ctx.A != NULL) && 91 ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) || 92 ((ctx->srp_ctx.a != NULL) && 93 ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) || 94 ((ctx->srp_ctx.v != NULL) && 95 ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) || 96 ((ctx->srp_ctx.b != NULL) && 97 ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) { 98 SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB); 99 goto err; 100 } 101 if ((ctx->srp_ctx.login != NULL) && 102 ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) { 103 SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR); 104 goto err; 105 } 106 if ((ctx->srp_ctx.info != NULL) && 107 ((s->srp_ctx.info = BUF_strdup(ctx->srp_ctx.info)) == NULL)) { 108 SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR); 109 goto err; 110 } 111 s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask; 112 113 return 1; 114 err: 115 OPENSSL_free(s->srp_ctx.login); 116 OPENSSL_free(s->srp_ctx.info); 117 BN_free(s->srp_ctx.N); 118 BN_free(s->srp_ctx.g); 119 BN_free(s->srp_ctx.s); 120 BN_free(s->srp_ctx.B); 121 BN_free(s->srp_ctx.A); 122 BN_free(s->srp_ctx.a); 123 BN_free(s->srp_ctx.b); 124 BN_free(s->srp_ctx.v); 125 memset(&s->srp_ctx, 0, sizeof(s->srp_ctx)); 126 return 0; 127 } 128 129 int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx) 130 { 131 if (ctx == NULL) 132 return 0; 133 134 memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx)); 135 ctx->srp_ctx.strength = SRP_MINIMAL_N; 136 137 return 1; 138 } 139 140 /* server side */ 141 int SSL_srp_server_param_with_username(SSL *s, int *ad) 142 { 143 unsigned char b[SSL_MAX_MASTER_KEY_LENGTH]; 144 int al; 145 146 *ad = SSL_AD_UNKNOWN_PSK_IDENTITY; 147 if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) && 148 ((al = 149 s->srp_ctx.TLS_ext_srp_username_callback(s, ad, 150 s->srp_ctx.SRP_cb_arg)) != 151 SSL_ERROR_NONE)) 152 return al; 153 154 *ad = SSL_AD_INTERNAL_ERROR; 155 if ((s->srp_ctx.N == NULL) || 156 (s->srp_ctx.g == NULL) || 157 (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL)) 158 return SSL3_AL_FATAL; 159 160 if (RAND_priv_bytes(b, sizeof(b)) <= 0) 161 return SSL3_AL_FATAL; 162 s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL); 163 OPENSSL_cleanse(b, sizeof(b)); 164 165 /* Calculate: B = (kv + g^b) % N */ 166 167 return ((s->srp_ctx.B = 168 SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g, 169 s->srp_ctx.v)) != 170 NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL; 171 } 172 173 /* 174 * If the server just has the raw password, make up a verifier entry on the 175 * fly 176 */ 177 int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, 178 const char *grp) 179 { 180 SRP_gN *GN = SRP_get_default_gN(grp); 181 if (GN == NULL) 182 return -1; 183 s->srp_ctx.N = BN_dup(GN->N); 184 s->srp_ctx.g = BN_dup(GN->g); 185 BN_clear_free(s->srp_ctx.v); 186 s->srp_ctx.v = NULL; 187 BN_clear_free(s->srp_ctx.s); 188 s->srp_ctx.s = NULL; 189 if (!SRP_create_verifier_BN 190 (user, pass, &s->srp_ctx.s, &s->srp_ctx.v, GN->N, GN->g)) 191 return -1; 192 193 return 1; 194 } 195 196 int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, 197 BIGNUM *sa, BIGNUM *v, char *info) 198 { 199 if (N != NULL) { 200 if (s->srp_ctx.N != NULL) { 201 if (!BN_copy(s->srp_ctx.N, N)) { 202 BN_free(s->srp_ctx.N); 203 s->srp_ctx.N = NULL; 204 } 205 } else 206 s->srp_ctx.N = BN_dup(N); 207 } 208 if (g != NULL) { 209 if (s->srp_ctx.g != NULL) { 210 if (!BN_copy(s->srp_ctx.g, g)) { 211 BN_free(s->srp_ctx.g); 212 s->srp_ctx.g = NULL; 213 } 214 } else 215 s->srp_ctx.g = BN_dup(g); 216 } 217 if (sa != NULL) { 218 if (s->srp_ctx.s != NULL) { 219 if (!BN_copy(s->srp_ctx.s, sa)) { 220 BN_free(s->srp_ctx.s); 221 s->srp_ctx.s = NULL; 222 } 223 } else 224 s->srp_ctx.s = BN_dup(sa); 225 } 226 if (v != NULL) { 227 if (s->srp_ctx.v != NULL) { 228 if (!BN_copy(s->srp_ctx.v, v)) { 229 BN_free(s->srp_ctx.v); 230 s->srp_ctx.v = NULL; 231 } 232 } else 233 s->srp_ctx.v = BN_dup(v); 234 } 235 if (info != NULL) { 236 if (s->srp_ctx.info) 237 OPENSSL_free(s->srp_ctx.info); 238 if ((s->srp_ctx.info = BUF_strdup(info)) == NULL) 239 return -1; 240 } 241 242 if (!(s->srp_ctx.N) || 243 !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v)) 244 return -1; 245 246 return 1; 247 } 248 249 int srp_generate_server_master_secret(SSL *s) 250 { 251 BIGNUM *K = NULL, *u = NULL; 252 int ret = -1, tmp_len = 0; 253 unsigned char *tmp = NULL; 254 255 if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N)) 256 goto err; 257 if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL) 258 goto err; 259 if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b, 260 s->srp_ctx.N)) == NULL) 261 goto err; 262 263 tmp_len = BN_num_bytes(K); 264 if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) { 265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 266 SSL_F_SRP_GENERATE_SERVER_MASTER_SECRET, ERR_R_MALLOC_FAILURE); 267 goto err; 268 } 269 BN_bn2bin(K, tmp); 270 /* Calls SSLfatal() as required */ 271 ret = ssl_generate_master_secret(s, tmp, tmp_len, 1); 272 err: 273 BN_clear_free(K); 274 BN_clear_free(u); 275 return ret; 276 } 277 278 /* client side */ 279 int srp_generate_client_master_secret(SSL *s) 280 { 281 BIGNUM *x = NULL, *u = NULL, *K = NULL; 282 int ret = -1, tmp_len = 0; 283 char *passwd = NULL; 284 unsigned char *tmp = NULL; 285 286 /* 287 * Checks if b % n == 0 288 */ 289 if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0 290 || (u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) 291 == NULL 292 || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) { 293 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 294 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_INTERNAL_ERROR); 295 goto err; 296 } 297 if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s, 298 s->srp_ctx.SRP_cb_arg)) 299 == NULL) { 300 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 301 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, 302 SSL_R_CALLBACK_FAILED); 303 goto err; 304 } 305 if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL 306 || (K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, 307 s->srp_ctx.g, x, 308 s->srp_ctx.a, u)) == NULL) { 309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 310 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_INTERNAL_ERROR); 311 goto err; 312 } 313 314 tmp_len = BN_num_bytes(K); 315 if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) { 316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 317 SSL_F_SRP_GENERATE_CLIENT_MASTER_SECRET, ERR_R_MALLOC_FAILURE); 318 goto err; 319 } 320 BN_bn2bin(K, tmp); 321 /* Calls SSLfatal() as required */ 322 ret = ssl_generate_master_secret(s, tmp, tmp_len, 1); 323 err: 324 BN_clear_free(K); 325 BN_clear_free(x); 326 if (passwd != NULL) 327 OPENSSL_clear_free(passwd, strlen(passwd)); 328 BN_clear_free(u); 329 return ret; 330 } 331 332 int srp_verify_server_param(SSL *s) 333 { 334 SRP_CTX *srp = &s->srp_ctx; 335 /* 336 * Sanity check parameters: we can quickly check B % N == 0 by checking B 337 * != 0 since B < N 338 */ 339 if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0 340 || BN_is_zero(srp->B)) { 341 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SRP_VERIFY_SERVER_PARAM, 342 SSL_R_BAD_DATA); 343 return 0; 344 } 345 346 if (BN_num_bits(srp->N) < srp->strength) { 347 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_F_SRP_VERIFY_SERVER_PARAM, 348 SSL_R_INSUFFICIENT_SECURITY); 349 return 0; 350 } 351 352 if (srp->SRP_verify_param_callback) { 353 if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) { 354 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, 355 SSL_F_SRP_VERIFY_SERVER_PARAM, 356 SSL_R_CALLBACK_FAILED); 357 return 0; 358 } 359 } else if (!SRP_check_known_gN_param(srp->g, srp->N)) { 360 SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_F_SRP_VERIFY_SERVER_PARAM, 361 SSL_R_INSUFFICIENT_SECURITY); 362 return 0; 363 } 364 365 return 1; 366 } 367 368 int SRP_Calc_A_param(SSL *s) 369 { 370 unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; 371 372 if (RAND_priv_bytes(rnd, sizeof(rnd)) <= 0) 373 return 0; 374 s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); 375 OPENSSL_cleanse(rnd, sizeof(rnd)); 376 377 if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g))) 378 return 0; 379 380 return 1; 381 } 382 383 BIGNUM *SSL_get_srp_g(SSL *s) 384 { 385 if (s->srp_ctx.g != NULL) 386 return s->srp_ctx.g; 387 return s->ctx->srp_ctx.g; 388 } 389 390 BIGNUM *SSL_get_srp_N(SSL *s) 391 { 392 if (s->srp_ctx.N != NULL) 393 return s->srp_ctx.N; 394 return s->ctx->srp_ctx.N; 395 } 396 397 char *SSL_get_srp_username(SSL *s) 398 { 399 if (s->srp_ctx.login != NULL) 400 return s->srp_ctx.login; 401 return s->ctx->srp_ctx.login; 402 } 403 404 char *SSL_get_srp_userinfo(SSL *s) 405 { 406 if (s->srp_ctx.info != NULL) 407 return s->srp_ctx.info; 408 return s->ctx->srp_ctx.info; 409 } 410 411 # define tls1_ctx_ctrl ssl3_ctx_ctrl 412 # define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl 413 414 int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name) 415 { 416 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name); 417 } 418 419 int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password) 420 { 421 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password); 422 } 423 424 int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength) 425 { 426 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength, 427 NULL); 428 } 429 430 int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, 431 int (*cb) (SSL *, void *)) 432 { 433 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB, 434 (void (*)(void))cb); 435 } 436 437 int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg) 438 { 439 return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg); 440 } 441 442 int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx, 443 int (*cb) (SSL *, int *, void *)) 444 { 445 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB, 446 (void (*)(void))cb); 447 } 448 449 int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, 450 char *(*cb) (SSL *, void *)) 451 { 452 return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB, 453 (void (*)(void))cb); 454 } 455 456 #endif 457