/src/openssl/crypto/srp/srp_lib.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright (c) 2004, EdelKey Project. All Rights Reserved. |
4 | | * |
5 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
6 | | * this file except in compliance with the License. You can obtain a copy |
7 | | * in the file LICENSE in the source distribution or at |
8 | | * https://www.openssl.org/source/license.html |
9 | | * |
10 | | * Originally written by Christophe Renou and Peter Sylvester, |
11 | | * for the EdelKey project. |
12 | | */ |
13 | | |
14 | | /* All the SRP APIs in this file are deprecated */ |
15 | | #define OPENSSL_SUPPRESS_DEPRECATED |
16 | | |
17 | | #ifndef OPENSSL_NO_SRP |
18 | | # include "internal/cryptlib.h" |
19 | | # include <openssl/sha.h> |
20 | | # include <openssl/srp.h> |
21 | | # include <openssl/evp.h> |
22 | | # include "crypto/bn_srp.h" |
23 | | |
24 | | /* calculate = SHA1(PAD(x) || PAD(y)) */ |
25 | | |
26 | | static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y, const BIGNUM *N, |
27 | | OSSL_LIB_CTX *libctx, const char *propq) |
28 | 858 | { |
29 | 858 | unsigned char digest[SHA_DIGEST_LENGTH]; |
30 | 858 | unsigned char *tmp = NULL; |
31 | 858 | int numN = BN_num_bytes(N); |
32 | 858 | BIGNUM *res = NULL; |
33 | 858 | EVP_MD *sha1 = EVP_MD_fetch(libctx, "SHA1", propq); |
34 | | |
35 | 858 | if (sha1 == NULL) |
36 | 0 | return NULL; |
37 | | |
38 | 858 | if (x != N && BN_ucmp(x, N) >= 0) |
39 | 0 | goto err; |
40 | 858 | if (y != N && BN_ucmp(y, N) >= 0) |
41 | 0 | goto err; |
42 | 858 | if ((tmp = OPENSSL_malloc(numN * 2)) == NULL) |
43 | 0 | goto err; |
44 | 858 | if (BN_bn2binpad(x, tmp, numN) < 0 |
45 | 858 | || BN_bn2binpad(y, tmp + numN, numN) < 0 |
46 | 858 | || !EVP_Digest(tmp, numN * 2, digest, NULL, sha1, NULL)) |
47 | 0 | goto err; |
48 | 858 | res = BN_bin2bn(digest, sizeof(digest), NULL); |
49 | 858 | err: |
50 | 858 | EVP_MD_free(sha1); |
51 | 858 | OPENSSL_free(tmp); |
52 | 858 | return res; |
53 | 858 | } |
54 | | |
55 | | static BIGNUM *srp_Calc_k(const BIGNUM *N, const BIGNUM *g, |
56 | | OSSL_LIB_CTX *libctx, |
57 | | const char *propq) |
58 | 572 | { |
59 | | /* k = SHA1(N | PAD(g)) -- tls-srp RFC 5054 */ |
60 | 572 | return srp_Calc_xy(N, g, N, libctx, propq); |
61 | 572 | } |
62 | | |
63 | | BIGNUM *SRP_Calc_u_ex(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N, |
64 | | OSSL_LIB_CTX *libctx, const char *propq) |
65 | 0 | { |
66 | | /* u = SHA1(PAD(A) || PAD(B) ) -- tls-srp RFC 5054 */ |
67 | 0 | return srp_Calc_xy(A, B, N, libctx, propq); |
68 | 0 | } |
69 | | |
70 | | BIGNUM *SRP_Calc_u(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N) |
71 | 286 | { |
72 | | /* u = SHA1(PAD(A) || PAD(B) ) -- tls-srp RFC 5054 */ |
73 | 286 | return srp_Calc_xy(A, B, N, NULL, NULL); |
74 | 286 | } |
75 | | |
76 | | BIGNUM *SRP_Calc_server_key(const BIGNUM *A, const BIGNUM *v, const BIGNUM *u, |
77 | | const BIGNUM *b, const BIGNUM *N) |
78 | 286 | { |
79 | 286 | BIGNUM *tmp = NULL, *S = NULL; |
80 | 286 | BN_CTX *bn_ctx; |
81 | | |
82 | 286 | if (u == NULL || A == NULL || v == NULL || b == NULL || N == NULL) |
83 | 0 | return NULL; |
84 | | |
85 | 286 | if ((bn_ctx = BN_CTX_new()) == NULL || (tmp = BN_new()) == NULL) |
86 | 0 | goto err; |
87 | | |
88 | | /* S = (A*v**u) ** b */ |
89 | | |
90 | 286 | if (!BN_mod_exp(tmp, v, u, N, bn_ctx)) |
91 | 0 | goto err; |
92 | 286 | if (!BN_mod_mul(tmp, A, tmp, N, bn_ctx)) |
93 | 0 | goto err; |
94 | | |
95 | 286 | S = BN_new(); |
96 | 286 | if (S != NULL && !BN_mod_exp(S, tmp, b, N, bn_ctx)) { |
97 | 0 | BN_free(S); |
98 | 0 | S = NULL; |
99 | 0 | } |
100 | 286 | err: |
101 | 286 | BN_CTX_free(bn_ctx); |
102 | 286 | BN_clear_free(tmp); |
103 | 286 | return S; |
104 | 286 | } |
105 | | |
106 | | BIGNUM *SRP_Calc_B_ex(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g, |
107 | | const BIGNUM *v, OSSL_LIB_CTX *libctx, const char *propq) |
108 | 286 | { |
109 | 286 | BIGNUM *kv = NULL, *gb = NULL; |
110 | 286 | BIGNUM *B = NULL, *k = NULL; |
111 | 286 | BN_CTX *bn_ctx; |
112 | | |
113 | 286 | if (b == NULL || N == NULL || g == NULL || v == NULL || |
114 | 286 | (bn_ctx = BN_CTX_new_ex(libctx)) == NULL) |
115 | 0 | return NULL; |
116 | | |
117 | 286 | if ((kv = BN_new()) == NULL || |
118 | 286 | (gb = BN_new()) == NULL || (B = BN_new()) == NULL) |
119 | 0 | goto err; |
120 | | |
121 | | /* B = g**b + k*v */ |
122 | | |
123 | 286 | if (!BN_mod_exp(gb, g, b, N, bn_ctx) |
124 | 286 | || (k = srp_Calc_k(N, g, libctx, propq)) == NULL |
125 | 286 | || !BN_mod_mul(kv, v, k, N, bn_ctx) |
126 | 286 | || !BN_mod_add(B, gb, kv, N, bn_ctx)) { |
127 | 0 | BN_free(B); |
128 | 0 | B = NULL; |
129 | 0 | } |
130 | 286 | err: |
131 | 286 | BN_CTX_free(bn_ctx); |
132 | 286 | BN_clear_free(kv); |
133 | 286 | BN_clear_free(gb); |
134 | 286 | BN_free(k); |
135 | 286 | return B; |
136 | 286 | } |
137 | | |
138 | | BIGNUM *SRP_Calc_B(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g, |
139 | | const BIGNUM *v) |
140 | 286 | { |
141 | 286 | return SRP_Calc_B_ex(b, N, g, v, NULL, NULL); |
142 | 286 | } |
143 | | |
144 | | BIGNUM *SRP_Calc_x_ex(const BIGNUM *s, const char *user, const char *pass, |
145 | | OSSL_LIB_CTX *libctx, const char *propq) |
146 | 572 | { |
147 | 572 | unsigned char dig[SHA_DIGEST_LENGTH]; |
148 | 572 | EVP_MD_CTX *ctxt; |
149 | 572 | unsigned char *cs = NULL; |
150 | 572 | BIGNUM *res = NULL; |
151 | 572 | EVP_MD *sha1 = NULL; |
152 | | |
153 | 572 | if ((s == NULL) || (user == NULL) || (pass == NULL)) |
154 | 0 | return NULL; |
155 | | |
156 | 572 | ctxt = EVP_MD_CTX_new(); |
157 | 572 | if (ctxt == NULL) |
158 | 0 | return NULL; |
159 | 572 | if ((cs = OPENSSL_malloc(BN_num_bytes(s))) == NULL) |
160 | 0 | goto err; |
161 | | |
162 | 572 | sha1 = EVP_MD_fetch(libctx, "SHA1", propq); |
163 | 572 | if (sha1 == NULL) |
164 | 0 | goto err; |
165 | | |
166 | 572 | if (!EVP_DigestInit_ex(ctxt, sha1, NULL) |
167 | 572 | || !EVP_DigestUpdate(ctxt, user, strlen(user)) |
168 | 572 | || !EVP_DigestUpdate(ctxt, ":", 1) |
169 | 572 | || !EVP_DigestUpdate(ctxt, pass, strlen(pass)) |
170 | 572 | || !EVP_DigestFinal_ex(ctxt, dig, NULL) |
171 | 572 | || !EVP_DigestInit_ex(ctxt, sha1, NULL)) |
172 | 0 | goto err; |
173 | 572 | if (BN_bn2bin(s, cs) < 0) |
174 | 0 | goto err; |
175 | 572 | if (!EVP_DigestUpdate(ctxt, cs, BN_num_bytes(s))) |
176 | 0 | goto err; |
177 | | |
178 | 572 | if (!EVP_DigestUpdate(ctxt, dig, sizeof(dig)) |
179 | 572 | || !EVP_DigestFinal_ex(ctxt, dig, NULL)) |
180 | 0 | goto err; |
181 | | |
182 | 572 | res = BN_bin2bn(dig, sizeof(dig), NULL); |
183 | | |
184 | 572 | err: |
185 | 572 | EVP_MD_free(sha1); |
186 | 572 | OPENSSL_free(cs); |
187 | 572 | EVP_MD_CTX_free(ctxt); |
188 | 572 | return res; |
189 | 572 | } |
190 | | |
191 | | BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass) |
192 | 286 | { |
193 | 286 | return SRP_Calc_x_ex(s, user, pass, NULL, NULL); |
194 | 286 | } |
195 | | |
196 | | BIGNUM *SRP_Calc_A(const BIGNUM *a, const BIGNUM *N, const BIGNUM *g) |
197 | 286 | { |
198 | 286 | BN_CTX *bn_ctx; |
199 | 286 | BIGNUM *A = NULL; |
200 | | |
201 | 286 | if (a == NULL || N == NULL || g == NULL || (bn_ctx = BN_CTX_new()) == NULL) |
202 | 0 | return NULL; |
203 | | |
204 | 286 | if ((A = BN_new()) != NULL && !BN_mod_exp(A, g, a, N, bn_ctx)) { |
205 | 0 | BN_free(A); |
206 | 0 | A = NULL; |
207 | 0 | } |
208 | 286 | BN_CTX_free(bn_ctx); |
209 | 286 | return A; |
210 | 286 | } |
211 | | |
212 | | BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, |
213 | | const BIGNUM *x, const BIGNUM *a, const BIGNUM *u, |
214 | | OSSL_LIB_CTX *libctx, const char *propq) |
215 | 286 | { |
216 | 286 | BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *k = NULL, *K = NULL; |
217 | 286 | BIGNUM *xtmp = NULL; |
218 | 286 | BN_CTX *bn_ctx; |
219 | | |
220 | 286 | if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL |
221 | 286 | || a == NULL || (bn_ctx = BN_CTX_new_ex(libctx)) == NULL) |
222 | 0 | return NULL; |
223 | | |
224 | 286 | if ((tmp = BN_new()) == NULL || |
225 | 286 | (tmp2 = BN_new()) == NULL || |
226 | 286 | (tmp3 = BN_new()) == NULL || |
227 | 286 | (xtmp = BN_new()) == NULL) |
228 | 0 | goto err; |
229 | | |
230 | 286 | BN_with_flags(xtmp, x, BN_FLG_CONSTTIME); |
231 | 286 | BN_set_flags(tmp, BN_FLG_CONSTTIME); |
232 | 286 | if (!BN_mod_exp(tmp, g, xtmp, N, bn_ctx)) |
233 | 0 | goto err; |
234 | 286 | if ((k = srp_Calc_k(N, g, libctx, propq)) == NULL) |
235 | 0 | goto err; |
236 | 286 | if (!BN_mod_mul(tmp2, tmp, k, N, bn_ctx)) |
237 | 0 | goto err; |
238 | 286 | if (!BN_mod_sub(tmp, B, tmp2, N, bn_ctx)) |
239 | 0 | goto err; |
240 | 286 | if (!BN_mul(tmp3, u, xtmp, bn_ctx)) |
241 | 0 | goto err; |
242 | 286 | if (!BN_add(tmp2, a, tmp3)) |
243 | 0 | goto err; |
244 | 286 | K = BN_new(); |
245 | 286 | if (K != NULL && !BN_mod_exp(K, tmp, tmp2, N, bn_ctx)) { |
246 | 0 | BN_free(K); |
247 | 0 | K = NULL; |
248 | 0 | } |
249 | | |
250 | 286 | err: |
251 | 286 | BN_CTX_free(bn_ctx); |
252 | 286 | BN_free(xtmp); |
253 | 286 | BN_clear_free(tmp); |
254 | 286 | BN_clear_free(tmp2); |
255 | 286 | BN_clear_free(tmp3); |
256 | 286 | BN_free(k); |
257 | 286 | return K; |
258 | 286 | } |
259 | | |
260 | | BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g, |
261 | | const BIGNUM *x, const BIGNUM *a, const BIGNUM *u) |
262 | 286 | { |
263 | 286 | return SRP_Calc_client_key_ex(N, B, g, x, a, u, NULL, NULL); |
264 | 286 | } |
265 | | |
266 | | int SRP_Verify_B_mod_N(const BIGNUM *B, const BIGNUM *N) |
267 | 572 | { |
268 | 572 | BIGNUM *r; |
269 | 572 | BN_CTX *bn_ctx; |
270 | 572 | int ret = 0; |
271 | | |
272 | 572 | if (B == NULL || N == NULL || (bn_ctx = BN_CTX_new()) == NULL) |
273 | 0 | return 0; |
274 | | |
275 | 572 | if ((r = BN_new()) == NULL) |
276 | 0 | goto err; |
277 | | /* Checks if B % N == 0 */ |
278 | 572 | if (!BN_nnmod(r, B, N, bn_ctx)) |
279 | 0 | goto err; |
280 | 572 | ret = !BN_is_zero(r); |
281 | 572 | err: |
282 | 572 | BN_CTX_free(bn_ctx); |
283 | 572 | BN_free(r); |
284 | 572 | return ret; |
285 | 572 | } |
286 | | |
287 | | int SRP_Verify_A_mod_N(const BIGNUM *A, const BIGNUM *N) |
288 | 286 | { |
289 | | /* Checks if A % N == 0 */ |
290 | 286 | return SRP_Verify_B_mod_N(A, N); |
291 | 286 | } |
292 | | |
293 | | static SRP_gN knowngN[] = { |
294 | | {"8192", &ossl_bn_generator_19, &ossl_bn_group_8192}, |
295 | | {"6144", &ossl_bn_generator_5, &ossl_bn_group_6144}, |
296 | | {"4096", &ossl_bn_generator_5, &ossl_bn_group_4096}, |
297 | | {"3072", &ossl_bn_generator_5, &ossl_bn_group_3072}, |
298 | | {"2048", &ossl_bn_generator_2, &ossl_bn_group_2048}, |
299 | | {"1536", &ossl_bn_generator_2, &ossl_bn_group_1536}, |
300 | | {"1024", &ossl_bn_generator_2, &ossl_bn_group_1024}, |
301 | | }; |
302 | | |
303 | 2.00k | # define KNOWN_GN_NUMBER sizeof(knowngN) / sizeof(SRP_gN) |
304 | | |
305 | | /* |
306 | | * Check if G and N are known parameters. The values have been generated |
307 | | * from the IETF RFC 5054 |
308 | | */ |
309 | | char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N) |
310 | 0 | { |
311 | 0 | size_t i; |
312 | 0 | if ((g == NULL) || (N == NULL)) |
313 | 0 | return NULL; |
314 | | |
315 | 0 | for (i = 0; i < KNOWN_GN_NUMBER; i++) { |
316 | 0 | if (BN_cmp(knowngN[i].g, g) == 0 && BN_cmp(knowngN[i].N, N) == 0) |
317 | 0 | return knowngN[i].id; |
318 | 0 | } |
319 | 0 | return NULL; |
320 | 0 | } |
321 | | |
322 | | SRP_gN *SRP_get_default_gN(const char *id) |
323 | 286 | { |
324 | 286 | size_t i; |
325 | | |
326 | 286 | if (id == NULL) |
327 | 0 | return knowngN; |
328 | 2.00k | for (i = 0; i < KNOWN_GN_NUMBER; i++) { |
329 | 2.00k | if (strcmp(knowngN[i].id, id) == 0) |
330 | 286 | return knowngN + i; |
331 | 2.00k | } |
332 | 0 | return NULL; |
333 | 286 | } |
334 | | #endif |