tls_srp.c 12.0 KB
Newer Older
1
/*
R
Rich Salz 已提交
2
 * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
B
Ben Laurie 已提交
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
B
Ben Laurie 已提交
8 9
 */

10
#include <openssl/crypto.h>
B
Ben Laurie 已提交
11 12
#include <openssl/rand.h>
#include <openssl/err.h>
13 14 15
#include "ssl_locl.h"

#ifndef OPENSSL_NO_SRP
E
Emilia Kasper 已提交
16
# include <openssl/srp.h>
B
Ben Laurie 已提交
17 18

int SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
19 20 21 22
{
    if (ctx == NULL)
        return 0;
    OPENSSL_free(ctx->srp_ctx.login);
23
    OPENSSL_free(ctx->srp_ctx.info);
24 25 26 27 28 29 30 31
    BN_free(ctx->srp_ctx.N);
    BN_free(ctx->srp_ctx.g);
    BN_free(ctx->srp_ctx.s);
    BN_free(ctx->srp_ctx.B);
    BN_free(ctx->srp_ctx.A);
    BN_free(ctx->srp_ctx.a);
    BN_free(ctx->srp_ctx.b);
    BN_free(ctx->srp_ctx.v);
32
    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
33
    ctx->srp_ctx.strength = SRP_MINIMAL_N;
34
    return 1;
35
}
B
Ben Laurie 已提交
36 37

int SSL_SRP_CTX_free(struct ssl_st *s)
38 39 40 41
{
    if (s == NULL)
        return 0;
    OPENSSL_free(s->srp_ctx.login);
42
    OPENSSL_free(s->srp_ctx.info);
43 44 45 46 47 48 49 50
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
51
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
52
    s->srp_ctx.strength = SRP_MINIMAL_N;
53
    return 1;
54
}
B
Ben Laurie 已提交
55 56

int SSL_SRP_CTX_init(struct ssl_st *s)
57 58 59 60 61
{
    SSL_CTX *ctx;

    if ((s == NULL) || ((ctx = s->ctx) == NULL))
        return 0;
62 63 64

    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));

65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97
    s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
    /* set client Hello login callback */
    s->srp_ctx.TLS_ext_srp_username_callback =
        ctx->srp_ctx.TLS_ext_srp_username_callback;
    /* set SRP N/g param callback for verification */
    s->srp_ctx.SRP_verify_param_callback =
        ctx->srp_ctx.SRP_verify_param_callback;
    /* set SRP client passwd callback */
    s->srp_ctx.SRP_give_srp_client_pwd_callback =
        ctx->srp_ctx.SRP_give_srp_client_pwd_callback;

    s->srp_ctx.strength = ctx->srp_ctx.strength;

    if (((ctx->srp_ctx.N != NULL) &&
         ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) ||
        ((ctx->srp_ctx.g != NULL) &&
         ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) ||
        ((ctx->srp_ctx.s != NULL) &&
         ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) ||
        ((ctx->srp_ctx.B != NULL) &&
         ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) ||
        ((ctx->srp_ctx.A != NULL) &&
         ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) ||
        ((ctx->srp_ctx.a != NULL) &&
         ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) ||
        ((ctx->srp_ctx.v != NULL) &&
         ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) ||
        ((ctx->srp_ctx.b != NULL) &&
         ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB);
        goto err;
    }
    if ((ctx->srp_ctx.login != NULL) &&
R
Rich Salz 已提交
98
        ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
99 100 101
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
        goto err;
    }
102 103 104 105 106
    if ((ctx->srp_ctx.info != NULL) &&
        ((s->srp_ctx.info = BUF_strdup(ctx->srp_ctx.info)) == NULL)) {
        SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
        goto err;
    }
107 108
    s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;

109
    return 1;
110 111
 err:
    OPENSSL_free(s->srp_ctx.login);
112
    OPENSSL_free(s->srp_ctx.info);
113 114 115 116 117 118 119 120
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
121
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
122 123
    return (0);
}
B
Ben Laurie 已提交
124 125

int SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
126 127 128 129
{
    if (ctx == NULL)
        return 0;

130
    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
131 132
    ctx->srp_ctx.strength = SRP_MINIMAL_N;

133
    return 1;
134
}
B
Ben Laurie 已提交
135 136 137

/* server side */
int SSL_srp_server_param_with_username(SSL *s, int *ad)
138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155
{
    unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
    int al;

    *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
    if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
        ((al =
          s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
                                                   s->srp_ctx.SRP_cb_arg)) !=
         SSL_ERROR_NONE))
        return al;

    *ad = SSL_AD_INTERNAL_ERROR;
    if ((s->srp_ctx.N == NULL) ||
        (s->srp_ctx.g == NULL) ||
        (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
        return SSL3_AL_FATAL;

R
Rich Salz 已提交
156
    if (ssl_randbytes(s, b, sizeof(b)) <= 0)
157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180
        return SSL3_AL_FATAL;
    s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
    OPENSSL_cleanse(b, sizeof(b));

    /* Calculate:  B = (kv + g^b) % N  */

    return ((s->srp_ctx.B =
             SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
                        s->srp_ctx.v)) !=
            NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
}

/*
 * If the server just has the raw password, make up a verifier entry on the
 * fly
 */
int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
                                const char *grp)
{
    SRP_gN *GN = SRP_get_default_gN(grp);
    if (GN == NULL)
        return -1;
    s->srp_ctx.N = BN_dup(GN->N);
    s->srp_ctx.g = BN_dup(GN->g);
R
Rich Salz 已提交
181 182 183 184
    BN_clear_free(s->srp_ctx.v);
    s->srp_ctx.v = NULL;
    BN_clear_free(s->srp_ctx.s);
    s->srp_ctx.s = NULL;
185 186 187 188 189 190
    if (!SRP_create_verifier_BN
        (user, pass, &s->srp_ctx.s, &s->srp_ctx.v, GN->N, GN->g))
        return -1;

    return 1;
}
B
Ben Laurie 已提交
191 192

int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230
                             BIGNUM *sa, BIGNUM *v, char *info)
{
    if (N != NULL) {
        if (s->srp_ctx.N != NULL) {
            if (!BN_copy(s->srp_ctx.N, N)) {
                BN_free(s->srp_ctx.N);
                s->srp_ctx.N = NULL;
            }
        } else
            s->srp_ctx.N = BN_dup(N);
    }
    if (g != NULL) {
        if (s->srp_ctx.g != NULL) {
            if (!BN_copy(s->srp_ctx.g, g)) {
                BN_free(s->srp_ctx.g);
                s->srp_ctx.g = NULL;
            }
        } else
            s->srp_ctx.g = BN_dup(g);
    }
    if (sa != NULL) {
        if (s->srp_ctx.s != NULL) {
            if (!BN_copy(s->srp_ctx.s, sa)) {
                BN_free(s->srp_ctx.s);
                s->srp_ctx.s = NULL;
            }
        } else
            s->srp_ctx.s = BN_dup(sa);
    }
    if (v != NULL) {
        if (s->srp_ctx.v != NULL) {
            if (!BN_copy(s->srp_ctx.v, v)) {
                BN_free(s->srp_ctx.v);
                s->srp_ctx.v = NULL;
            }
        } else
            s->srp_ctx.v = BN_dup(v);
    }
231 232 233 234 235 236
    if (info != NULL) {
        if (s->srp_ctx.info)
            OPENSSL_free(s->srp_ctx.info);
        if ((s->srp_ctx.info = BUF_strdup(info)) == NULL)
            return -1;
    }
237 238 239 240 241 242 243 244

    if (!(s->srp_ctx.N) ||
        !(s->srp_ctx.g) || !(s->srp_ctx.s) || !(s->srp_ctx.v))
        return -1;

    return 1;
}

245
int srp_generate_server_master_secret(SSL *s)
246 247
{
    BIGNUM *K = NULL, *u = NULL;
R
Rich Salz 已提交
248
    int ret = -1, tmp_len = 0;
249 250 251 252
    unsigned char *tmp = NULL;

    if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
        goto err;
253
    if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
254
        goto err;
255 256
    if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
                                 s->srp_ctx.N)) == NULL)
257 258 259 260 261 262
        goto err;

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
        goto err;
    BN_bn2bin(K, tmp);
263
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
264 265 266 267 268
 err:
    BN_clear_free(K);
    BN_clear_free(u);
    return ret;
}
B
Ben Laurie 已提交
269 270

/* client side */
271
int srp_generate_client_master_secret(SSL *s)
272 273
{
    BIGNUM *x = NULL, *u = NULL, *K = NULL;
R
Rich Salz 已提交
274
    int ret = -1, tmp_len = 0;
275 276 277 278 279 280 281 282
    char *passwd = NULL;
    unsigned char *tmp = NULL;

    /*
     * Checks if b % n == 0
     */
    if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0)
        goto err;
283
    if ((u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)) == NULL)
284 285 286 287 288
        goto err;
    if (s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL)
        goto err;
    if (!
        (passwd =
E
Emilia Kasper 已提交
289
         s->srp_ctx.SRP_give_srp_client_pwd_callback(s, s->srp_ctx.SRP_cb_arg)))
290
        goto err;
291
    if ((x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)) == NULL)
292
        goto err;
293 294
    if ((K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, s->srp_ctx.g, x,
                                 s->srp_ctx.a, u)) == NULL)
295 296 297 298 299 300
        goto err;

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
        goto err;
    BN_bn2bin(K, tmp);
301
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
302 303 304
 err:
    BN_clear_free(K);
    BN_clear_free(x);
305 306
    if (passwd != NULL)
        OPENSSL_clear_free(passwd, strlen(passwd));
307 308 309
    BN_clear_free(u);
    return ret;
}
B
Ben Laurie 已提交
310

D
Dr. Stephen Henson 已提交
311
int srp_verify_server_param(SSL *s, int *al)
312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340
{
    SRP_CTX *srp = &s->srp_ctx;
    /*
     * Sanity check parameters: we can quickly check B % N == 0 by checking B
     * != 0 since B < N
     */
    if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0
        || BN_is_zero(srp->B)) {
        *al = SSL3_AD_ILLEGAL_PARAMETER;
        return 0;
    }

    if (BN_num_bits(srp->N) < srp->strength) {
        *al = TLS1_AD_INSUFFICIENT_SECURITY;
        return 0;
    }

    if (srp->SRP_verify_param_callback) {
        if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0) {
            *al = TLS1_AD_INSUFFICIENT_SECURITY;
            return 0;
        }
    } else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
        *al = TLS1_AD_INSUFFICIENT_SECURITY;
        return 0;
    }

    return 1;
}
D
Dr. Stephen Henson 已提交
341 342

int SRP_Calc_A_param(SSL *s)
343 344
{
    unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
B
Ben Laurie 已提交
345

R
Rich Salz 已提交
346
    if (ssl_randbytes(s, rnd, sizeof(rnd)) <= 0)
347 348 349
        return 0;
    s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
    OPENSSL_cleanse(rnd, sizeof(rnd));
B
Ben Laurie 已提交
350

E
Emilia Kasper 已提交
351
    if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
352
        return 0;
B
Ben Laurie 已提交
353

354 355
    return 1;
}
B
Ben Laurie 已提交
356 357

BIGNUM *SSL_get_srp_g(SSL *s)
358 359 360 361 362
{
    if (s->srp_ctx.g != NULL)
        return s->srp_ctx.g;
    return s->ctx->srp_ctx.g;
}
B
Ben Laurie 已提交
363 364

BIGNUM *SSL_get_srp_N(SSL *s)
365 366 367 368 369
{
    if (s->srp_ctx.N != NULL)
        return s->srp_ctx.N;
    return s->ctx->srp_ctx.N;
}
B
Ben Laurie 已提交
370 371

char *SSL_get_srp_username(SSL *s)
372 373 374 375 376
{
    if (s->srp_ctx.login != NULL)
        return s->srp_ctx.login;
    return s->ctx->srp_ctx.login;
}
B
Ben Laurie 已提交
377 378

char *SSL_get_srp_userinfo(SSL *s)
379 380 381 382 383
{
    if (s->srp_ctx.info != NULL)
        return s->srp_ctx.info;
    return s->ctx->srp_ctx.info;
}
B
Ben Laurie 已提交
384

385 386
# define tls1_ctx_ctrl ssl3_ctx_ctrl
# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
B
Ben Laurie 已提交
387

388 389 390 391
int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
}
B
Ben Laurie 已提交
392

393 394 395 396
int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
}
B
Ben Laurie 已提交
397 398

int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
399 400 401 402 403 404 405 406 407 408 409
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
                         NULL);
}

int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
                                          int (*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
                                  (void (*)(void))cb);
}
B
Ben Laurie 已提交
410 411

int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
412 413 414
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
}
B
Ben Laurie 已提交
415 416

int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
417 418 419 420 421 422 423 424 425 426 427 428
                                      int (*cb) (SSL *, int *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
                                        char *(*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
                                  (void (*)(void))cb);
}
B
Ben Laurie 已提交
429 430

#endif