/src/openssl/ssl/tls_srp.c

Source (jump to first uncovered line)
/*
 * Copyright 2004-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2004, EdelKey Project. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * Originally written by Christophe Renou and Peter Sylvester,
 * for the EdelKey project.
 */

/*
 * We need to use the SRP deprecated APIs in order to implement the SSL SRP
 * APIs - which are themselves deprecated.
 */
#define OPENSSL_SUPPRESS_DEPRECATED

#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include "ssl_local.h"
#include "internal/ssl_unwrap.h"

#ifndef OPENSSL_NO_SRP
# include <openssl/srp.h>

/*
 * The public API SSL_CTX_SRP_CTX_free() is deprecated so we use
 * ssl_ctx_srp_ctx_free_intern() internally.
 */
int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx)
{
    if (ctx == NULL)
        return 0;
    OPENSSL_free(ctx->srp_ctx.login);
    OPENSSL_free(ctx->srp_ctx.info);
    BN_free(ctx->srp_ctx.N);
    BN_free(ctx->srp_ctx.g);
    BN_free(ctx->srp_ctx.s);
    BN_free(ctx->srp_ctx.B);
    BN_free(ctx->srp_ctx.A);
    BN_free(ctx->srp_ctx.a);
    BN_free(ctx->srp_ctx.b);
    BN_free(ctx->srp_ctx.v);
    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
    ctx->srp_ctx.strength = SRP_MINIMAL_N;
    return 1;
}

int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx)
{
    return ssl_ctx_srp_ctx_free_intern(ctx);
}

/*
 * The public API SSL_SRP_CTX_free() is deprecated so we use
 * ssl_srp_ctx_free_intern() internally.
 */
int ssl_srp_ctx_free_intern(SSL_CONNECTION *s)
{
    if (s == NULL)
        return 0;
    OPENSSL_free(s->srp_ctx.login);
    OPENSSL_free(s->srp_ctx.info);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
    s->srp_ctx.strength = SRP_MINIMAL_N;
    return 1;
}

int SSL_SRP_CTX_free(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    /* the call works with NULL sc */
    return ssl_srp_ctx_free_intern(sc);
}

/*
 * The public API SSL_SRP_CTX_init() is deprecated so we use
 * ssl_srp_ctx_init_intern() internally.
 */
int ssl_srp_ctx_init_intern(SSL_CONNECTION *s)
{
    SSL_CTX *ctx;

    if (s == NULL || (ctx = SSL_CONNECTION_GET_CTX(s)) == NULL)
        return 0;

    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));

    s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
    /* set client Hello login callback */
    s->srp_ctx.TLS_ext_srp_username_callback =
        ctx->srp_ctx.TLS_ext_srp_username_callback;
    /* set SRP N/g param callback for verification */
    s->srp_ctx.SRP_verify_param_callback =
        ctx->srp_ctx.SRP_verify_param_callback;
    /* set SRP client passwd callback */
    s->srp_ctx.SRP_give_srp_client_pwd_callback =
        ctx->srp_ctx.SRP_give_srp_client_pwd_callback;

    s->srp_ctx.strength = ctx->srp_ctx.strength;

    if (((ctx->srp_ctx.N != NULL) &&
         ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) ||
        ((ctx->srp_ctx.g != NULL) &&
         ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) ||
        ((ctx->srp_ctx.s != NULL) &&
         ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) ||
        ((ctx->srp_ctx.B != NULL) &&
         ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) ||
        ((ctx->srp_ctx.A != NULL) &&
         ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) ||
        ((ctx->srp_ctx.a != NULL) &&
         ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) ||
        ((ctx->srp_ctx.v != NULL) &&
         ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) ||
        ((ctx->srp_ctx.b != NULL) &&
         ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
        ERR_raise(ERR_LIB_SSL, ERR_R_BN_LIB);
        goto err;
    }
    if ((ctx->srp_ctx.login != NULL) &&
        ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((ctx->srp_ctx.info != NULL) &&
        ((s->srp_ctx.info = OPENSSL_strdup(ctx->srp_ctx.info)) == NULL)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;

    return 1;
 err:
    OPENSSL_free(s->srp_ctx.login);
    OPENSSL_free(s->srp_ctx.info);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
    return 0;
}

int SSL_SRP_CTX_init(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    /* the call works with NULL sc */
    return ssl_srp_ctx_init_intern(sc);
}

/*
 * The public API SSL_CTX_SRP_CTX_init() is deprecated so we use
 * ssl_ctx_srp_ctx_init_intern() internally.
 */
int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx)
{
    if (ctx == NULL)
        return 0;

    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
    ctx->srp_ctx.strength = SRP_MINIMAL_N;

    return 1;
}

int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx)
{
    return ssl_ctx_srp_ctx_init_intern(ctx);
}

/* server side */
/*
 * The public API SSL_srp_server_param_with_username() is deprecated so we use
 * ssl_srp_server_param_with_username_intern() internally.
 */
int ssl_srp_server_param_with_username_intern(SSL_CONNECTION *s, int *ad)
{
    unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
    int al;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
    if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
        ((al =
          s->srp_ctx.TLS_ext_srp_username_callback(SSL_CONNECTION_GET_USER_SSL(s),
                                                   ad,
                                                   s->srp_ctx.SRP_cb_arg)) !=
         SSL_ERROR_NONE))
        return al;

    *ad = SSL_AD_INTERNAL_ERROR;
    if ((s->srp_ctx.N == NULL) ||
        (s->srp_ctx.g == NULL) ||
        (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
        return SSL3_AL_FATAL;

    if (RAND_priv_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, b, sizeof(b),
                           0) <= 0)
        return SSL3_AL_FATAL;
    s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
    OPENSSL_cleanse(b, sizeof(b));

    /* Calculate:  B = (kv + g^b) % N  */

    return ((s->srp_ctx.B =
             SRP_Calc_B_ex(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
                           s->srp_ctx.v, sctx->libctx, sctx->propq)) !=
            NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
}

int SSL_srp_server_param_with_username(SSL *s, int *ad)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return SSL3_AL_FATAL;

    return ssl_srp_server_param_with_username_intern(sc, ad);
}

/*
 * If the server just has the raw password, make up a verifier entry on the
 * fly
 */
int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
                                const char *grp)
{
    SRP_gN *GN;
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return -1;

    GN = SRP_get_default_gN(grp);
    if (GN == NULL)
        return -1;
    sc->srp_ctx.N = BN_dup(GN->N);
    sc->srp_ctx.g = BN_dup(GN->g);
    BN_clear_free(sc->srp_ctx.v);
    sc->srp_ctx.v = NULL;
    BN_clear_free(sc->srp_ctx.s);
    sc->srp_ctx.s = NULL;
    if (!SRP_create_verifier_BN_ex(user, pass, &sc->srp_ctx.s, &sc->srp_ctx.v,
                                   sc->srp_ctx.N, sc->srp_ctx.g, s->ctx->libctx,
                                   s->ctx->propq))
        return -1;

    return 1;
}

int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
                             BIGNUM *sa, BIGNUM *v, char *info)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return -1;

    if (N != NULL) {
        if (sc->srp_ctx.N != NULL) {
            if (!BN_copy(sc->srp_ctx.N, N)) {
                BN_free(sc->srp_ctx.N);
                sc->srp_ctx.N = NULL;
            }
        } else
            sc->srp_ctx.N = BN_dup(N);
    }
    if (g != NULL) {
        if (sc->srp_ctx.g != NULL) {
            if (!BN_copy(sc->srp_ctx.g, g)) {
                BN_free(sc->srp_ctx.g);
                sc->srp_ctx.g = NULL;
            }
        } else
            sc->srp_ctx.g = BN_dup(g);
    }
    if (sa != NULL) {
        if (sc->srp_ctx.s != NULL) {
            if (!BN_copy(sc->srp_ctx.s, sa)) {
                BN_free(sc->srp_ctx.s);
                sc->srp_ctx.s = NULL;
            }
        } else
            sc->srp_ctx.s = BN_dup(sa);
    }
    if (v != NULL) {
        if (sc->srp_ctx.v != NULL) {
            if (!BN_copy(sc->srp_ctx.v, v)) {
                BN_free(sc->srp_ctx.v);
                sc->srp_ctx.v = NULL;
            }
        } else
            sc->srp_ctx.v = BN_dup(v);
    }
    if (info != NULL) {
        if (sc->srp_ctx.info)
            OPENSSL_free(sc->srp_ctx.info);
        if ((sc->srp_ctx.info = OPENSSL_strdup(info)) == NULL)
            return -1;
    }

    if (!(sc->srp_ctx.N) ||
        !(sc->srp_ctx.g) || !(sc->srp_ctx.s) || !(sc->srp_ctx.v))
        return -1;

    return 1;
}

int srp_generate_server_master_secret(SSL_CONNECTION *s)
{
    BIGNUM *K = NULL, *u = NULL;
    int ret = 0, tmp_len = 0;
    unsigned char *tmp = NULL;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
        goto err;
    if ((u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
                           sctx->libctx, sctx->propq)) == NULL)
        goto err;
    if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
                                 s->srp_ctx.N)) == NULL)
        goto err;

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
        goto err;
    }
    BN_bn2bin(K, tmp);
    /* Calls SSLfatal() as required */
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
 err:
    BN_clear_free(K);
    BN_clear_free(u);
    return ret;
}

/* client side */
int srp_generate_client_master_secret(SSL_CONNECTION *s)
{
    BIGNUM *x = NULL, *u = NULL, *K = NULL;
    int ret = 0, tmp_len = 0;
    char *passwd = NULL;
    unsigned char *tmp = NULL;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /*
     * Checks if b % n == 0
     */
    if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0
            || (u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
                                  sctx->libctx, sctx->propq))
               == NULL
            || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(SSL_CONNECTION_GET_USER_SSL(s),
                                                              s->srp_ctx.SRP_cb_arg))
            == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
        goto err;
    }
    if ((x = SRP_Calc_x_ex(s->srp_ctx.s, s->srp_ctx.login, passwd,
                           sctx->libctx, sctx->propq)) == NULL
            || (K = SRP_Calc_client_key_ex(s->srp_ctx.N, s->srp_ctx.B,
                                           s->srp_ctx.g, x,
                                           s->srp_ctx.a, u,
                                           sctx->libctx,
                                           sctx->propq)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
        goto err;
    }
    BN_bn2bin(K, tmp);
    /* Calls SSLfatal() as required */
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
 err:
    BN_clear_free(K);
    BN_clear_free(x);
    if (passwd != NULL)
        OPENSSL_clear_free(passwd, strlen(passwd));
    BN_clear_free(u);
    return ret;
}

int srp_verify_server_param(SSL_CONNECTION *s)
{
    SRP_CTX *srp = &s->srp_ctx;
    /*
     * Sanity check parameters: we can quickly check B % N == 0 by checking B
     * != 0 since B < N
     */
    if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0
        || BN_is_zero(srp->B)) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DATA);
        return 0;
    }

    if (BN_num_bits(srp->N) < srp->strength) {
        SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_INSUFFICIENT_SECURITY);
        return 0;
    }

    if (srp->SRP_verify_param_callback) {
        if (srp->SRP_verify_param_callback(SSL_CONNECTION_GET_USER_SSL(s),
                                           srp->SRP_cb_arg) <= 0) {
            SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED);
            return 0;
        }
    } else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
        SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY,
                 SSL_R_INSUFFICIENT_SECURITY);
        return 0;
    }

    return 1;
}

/*
 * The public API SRP_Calc_A_param() is deprecated so we use
 * ssl_srp_calc_a_param_intern() internally.
 */
int ssl_srp_calc_a_param_intern(SSL_CONNECTION *s)
{
    unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];

    if (RAND_priv_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
                           rnd, sizeof(rnd), 0) <= 0)
        return 0;
    s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
    OPENSSL_cleanse(rnd, sizeof(rnd));

    if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
        return 0;

    return 1;
}

int SRP_Calc_A_param(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return 0;

    return ssl_srp_calc_a_param_intern(sc);
}

BIGNUM *SSL_get_srp_g(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return NULL;

    if (sc->srp_ctx.g != NULL)
        return sc->srp_ctx.g;
    return s->ctx->srp_ctx.g;
}

BIGNUM *SSL_get_srp_N(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return NULL;

    if (sc->srp_ctx.N != NULL)
        return sc->srp_ctx.N;
    return s->ctx->srp_ctx.N;
}

char *SSL_get_srp_username(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return NULL;

    if (sc->srp_ctx.login != NULL)
        return sc->srp_ctx.login;
    return s->ctx->srp_ctx.login;
}

char *SSL_get_srp_userinfo(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return NULL;

    if (sc->srp_ctx.info != NULL)
        return sc->srp_ctx.info;
    return s->ctx->srp_ctx.info;
}

# define tls1_ctx_ctrl ssl3_ctx_ctrl
# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl

int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
}

int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
}

int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
                         NULL);
}

int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
                                          int (*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
}

int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
                                      int (*cb) (SSL *, int *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
                                  (void (*)(void))cb);
}

int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
                                        char *(*cb) (SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
                                  (void (*)(void))cb);
}

#endif

Coverage Report

Created: 2025-07-11 06:57

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2004-2025 The OpenSSL Project Authors. All Rights Reserved.
3		* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
4		*
5		* Licensed under the Apache License 2.0 (the "License"). You may not use
6		* this file except in compliance with the License. You can obtain a copy
7		* in the file LICENSE in the source distribution or at
8		* https://www.openssl.org/source/license.html
9		*
10		* Originally written by Christophe Renou and Peter Sylvester,
11		* for the EdelKey project.
12		*/
13
14		/*
15		* We need to use the SRP deprecated APIs in order to implement the SSL SRP
16		* APIs - which are themselves deprecated.
17		*/
18		#define OPENSSL_SUPPRESS_DEPRECATED
19
20		#include <openssl/crypto.h>
21		#include <openssl/rand.h>
22		#include <openssl/err.h>
23		#include "ssl_local.h"
24		#include "internal/ssl_unwrap.h"
25
26		#ifndef OPENSSL_NO_SRP
27		# include <openssl/srp.h>
28
29		/*
30		* The public API SSL_CTX_SRP_CTX_free() is deprecated so we use
31		* ssl_ctx_srp_ctx_free_intern() internally.
32		*/
33		int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx)
34	0	{
35	0	if (ctx == NULL)
36	0	return 0;
37	0	OPENSSL_free(ctx->srp_ctx.login);
38	0	OPENSSL_free(ctx->srp_ctx.info);
39	0	BN_free(ctx->srp_ctx.N);
40	0	BN_free(ctx->srp_ctx.g);
41	0	BN_free(ctx->srp_ctx.s);
42	0	BN_free(ctx->srp_ctx.B);
43	0	BN_free(ctx->srp_ctx.A);
44	0	BN_free(ctx->srp_ctx.a);
45	0	BN_free(ctx->srp_ctx.b);
46	0	BN_free(ctx->srp_ctx.v);
47	0	memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
48	0	ctx->srp_ctx.strength = SRP_MINIMAL_N;
49	0	return 1;
50	0	}
51
52		int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx)
53	0	{
54	0	return ssl_ctx_srp_ctx_free_intern(ctx);
55	0	}
56
57		/*
58		* The public API SSL_SRP_CTX_free() is deprecated so we use
59		* ssl_srp_ctx_free_intern() internally.
60		*/
61		int ssl_srp_ctx_free_intern(SSL_CONNECTION *s)
62	0	{
63	0	if (s == NULL)
64	0	return 0;
65	0	OPENSSL_free(s->srp_ctx.login);
66	0	OPENSSL_free(s->srp_ctx.info);
67	0	BN_free(s->srp_ctx.N);
68	0	BN_free(s->srp_ctx.g);
69	0	BN_free(s->srp_ctx.s);
70	0	BN_free(s->srp_ctx.B);
71	0	BN_free(s->srp_ctx.A);
72	0	BN_free(s->srp_ctx.a);
73	0	BN_free(s->srp_ctx.b);
74	0	BN_free(s->srp_ctx.v);
75	0	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
76	0	s->srp_ctx.strength = SRP_MINIMAL_N;
77	0	return 1;
78	0	}
79
80		int SSL_SRP_CTX_free(SSL *s)
81	0	{
82	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
83
84		/* the call works with NULL sc */
85	0	return ssl_srp_ctx_free_intern(sc);
86	0	}
87
88		/*
89		* The public API SSL_SRP_CTX_init() is deprecated so we use
90		* ssl_srp_ctx_init_intern() internally.
91		*/
92		int ssl_srp_ctx_init_intern(SSL_CONNECTION *s)
93	0	{
94	0	SSL_CTX *ctx;
95
96	0	if (s == NULL \|\| (ctx = SSL_CONNECTION_GET_CTX(s)) == NULL)
97	0	return 0;
98
99	0	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
100
101	0	s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
102		/* set client Hello login callback */
103	0	s->srp_ctx.TLS_ext_srp_username_callback =
104	0	ctx->srp_ctx.TLS_ext_srp_username_callback;
105		/* set SRP N/g param callback for verification */
106	0	s->srp_ctx.SRP_verify_param_callback =
107	0	ctx->srp_ctx.SRP_verify_param_callback;
108		/* set SRP client passwd callback */
109	0	s->srp_ctx.SRP_give_srp_client_pwd_callback =
110	0	ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
111
112	0	s->srp_ctx.strength = ctx->srp_ctx.strength;
113
114	0	if (((ctx->srp_ctx.N != NULL) &&
115	0	((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) \|\|
116	0	((ctx->srp_ctx.g != NULL) &&
117	0	((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) \|\|
118	0	((ctx->srp_ctx.s != NULL) &&
119	0	((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) \|\|
120	0	((ctx->srp_ctx.B != NULL) &&
121	0	((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) \|\|
122	0	((ctx->srp_ctx.A != NULL) &&
123	0	((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) \|\|
124	0	((ctx->srp_ctx.a != NULL) &&
125	0	((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) \|\|
126	0	((ctx->srp_ctx.v != NULL) &&
127	0	((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) \|\|
128	0	((ctx->srp_ctx.b != NULL) &&
129	0	((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
130	0	ERR_raise(ERR_LIB_SSL, ERR_R_BN_LIB);
131	0	goto err;
132	0	}
133	0	if ((ctx->srp_ctx.login != NULL) &&
134	0	((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
135	0	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
136	0	goto err;
137	0	}
138	0	if ((ctx->srp_ctx.info != NULL) &&
139	0	((s->srp_ctx.info = OPENSSL_strdup(ctx->srp_ctx.info)) == NULL)) {
140	0	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
141	0	goto err;
142	0	}
143	0	s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
144
145	0	return 1;
146	0	err:
147	0	OPENSSL_free(s->srp_ctx.login);
148	0	OPENSSL_free(s->srp_ctx.info);
149	0	BN_free(s->srp_ctx.N);
150	0	BN_free(s->srp_ctx.g);
151	0	BN_free(s->srp_ctx.s);
152	0	BN_free(s->srp_ctx.B);
153	0	BN_free(s->srp_ctx.A);
154	0	BN_free(s->srp_ctx.a);
155	0	BN_free(s->srp_ctx.b);
156	0	BN_free(s->srp_ctx.v);
157	0	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
158	0	return 0;
159	0	}
160
161		int SSL_SRP_CTX_init(SSL *s)
162	0	{
163	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
164
165		/* the call works with NULL sc */
166	0	return ssl_srp_ctx_init_intern(sc);
167	0	}
168
169		/*
170		* The public API SSL_CTX_SRP_CTX_init() is deprecated so we use
171		* ssl_ctx_srp_ctx_init_intern() internally.
172		*/
173		int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx)
174	0	{
175	0	if (ctx == NULL)
176	0	return 0;
177
178	0	memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
179	0	ctx->srp_ctx.strength = SRP_MINIMAL_N;
180
181	0	return 1;
182	0	}
183
184		int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx)
185	0	{
186	0	return ssl_ctx_srp_ctx_init_intern(ctx);
187	0	}
188
189		/* server side */
190		/*
191		* The public API SSL_srp_server_param_with_username() is deprecated so we use
192		* ssl_srp_server_param_with_username_intern() internally.
193		*/
194		int ssl_srp_server_param_with_username_intern(SSL_CONNECTION s, int ad)
195	0	{
196	0	unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
197	0	int al;
198	0	SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
199
200	0	*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
201	0	if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) &&
202	0	((al =
203	0	s->srp_ctx.TLS_ext_srp_username_callback(SSL_CONNECTION_GET_USER_SSL(s),
204	0	ad,
205	0	s->srp_ctx.SRP_cb_arg)) !=
206	0	SSL_ERROR_NONE))
207	0	return al;
208
209	0	*ad = SSL_AD_INTERNAL_ERROR;
210	0	if ((s->srp_ctx.N == NULL) \|\|
211	0	(s->srp_ctx.g == NULL) \|\|
212	0	(s->srp_ctx.s == NULL) \|\| (s->srp_ctx.v == NULL))
213	0	return SSL3_AL_FATAL;
214
215	0	if (RAND_priv_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, b, sizeof(b),
216	0	0) <= 0)
217	0	return SSL3_AL_FATAL;
218	0	s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
219	0	OPENSSL_cleanse(b, sizeof(b));
220
221		/* Calculate: B = (kv + g^b) % N */
222
223	0	return ((s->srp_ctx.B =
224	0	SRP_Calc_B_ex(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
225	0	s->srp_ctx.v, sctx->libctx, sctx->propq)) !=
226	0	NULL) ? SSL_ERROR_NONE : SSL3_AL_FATAL;
227	0	}
228
229		int SSL_srp_server_param_with_username(SSL s, int ad)
230	0	{
231	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
232
233	0	if (sc == NULL)
234	0	return SSL3_AL_FATAL;
235
236	0	return ssl_srp_server_param_with_username_intern(sc, ad);
237	0	}
238
239		/*
240		* If the server just has the raw password, make up a verifier entry on the
241		* fly
242		*/
243		int SSL_set_srp_server_param_pw(SSL s, const char user, const char *pass,
244		const char *grp)
245	0	{
246	0	SRP_gN *GN;
247	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
248
249	0	if (sc == NULL)
250	0	return -1;
251
252	0	GN = SRP_get_default_gN(grp);
253	0	if (GN == NULL)
254	0	return -1;
255	0	sc->srp_ctx.N = BN_dup(GN->N);
256	0	sc->srp_ctx.g = BN_dup(GN->g);
257	0	BN_clear_free(sc->srp_ctx.v);
258	0	sc->srp_ctx.v = NULL;
259	0	BN_clear_free(sc->srp_ctx.s);
260	0	sc->srp_ctx.s = NULL;
261	0	if (!SRP_create_verifier_BN_ex(user, pass, &sc->srp_ctx.s, &sc->srp_ctx.v,
262	0	sc->srp_ctx.N, sc->srp_ctx.g, s->ctx->libctx,
263	0	s->ctx->propq))
264	0	return -1;
265
266	0	return 1;
267	0	}
268
269		int SSL_set_srp_server_param(SSL s, const BIGNUM N, const BIGNUM *g,
270		BIGNUM sa, BIGNUM v, char *info)
271	0	{
272	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
273
274	0	if (sc == NULL)
275	0	return -1;
276
277	0	if (N != NULL) {
278	0	if (sc->srp_ctx.N != NULL) {
279	0	if (!BN_copy(sc->srp_ctx.N, N)) {
280	0	BN_free(sc->srp_ctx.N);
281	0	sc->srp_ctx.N = NULL;
282	0	}
283	0	} else
284	0	sc->srp_ctx.N = BN_dup(N);
285	0	}
286	0	if (g != NULL) {
287	0	if (sc->srp_ctx.g != NULL) {
288	0	if (!BN_copy(sc->srp_ctx.g, g)) {
289	0	BN_free(sc->srp_ctx.g);
290	0	sc->srp_ctx.g = NULL;
291	0	}
292	0	} else
293	0	sc->srp_ctx.g = BN_dup(g);
294	0	}
295	0	if (sa != NULL) {
296	0	if (sc->srp_ctx.s != NULL) {
297	0	if (!BN_copy(sc->srp_ctx.s, sa)) {
298	0	BN_free(sc->srp_ctx.s);
299	0	sc->srp_ctx.s = NULL;
300	0	}
301	0	} else
302	0	sc->srp_ctx.s = BN_dup(sa);
303	0	}
304	0	if (v != NULL) {
305	0	if (sc->srp_ctx.v != NULL) {
306	0	if (!BN_copy(sc->srp_ctx.v, v)) {
307	0	BN_free(sc->srp_ctx.v);
308	0	sc->srp_ctx.v = NULL;
309	0	}
310	0	} else
311	0	sc->srp_ctx.v = BN_dup(v);
312	0	}
313	0	if (info != NULL) {
314	0	if (sc->srp_ctx.info)
315	0	OPENSSL_free(sc->srp_ctx.info);
316	0	if ((sc->srp_ctx.info = OPENSSL_strdup(info)) == NULL)
317	0	return -1;
318	0	}
319
320	0	if (!(sc->srp_ctx.N) \|\|
321	0	!(sc->srp_ctx.g) \|\| !(sc->srp_ctx.s) \|\| !(sc->srp_ctx.v))
322	0	return -1;
323
324	0	return 1;
325	0	}
326
327		int srp_generate_server_master_secret(SSL_CONNECTION *s)
328	0	{
329	0	BIGNUM K = NULL, u = NULL;
330	0	int ret = 0, tmp_len = 0;
331	0	unsigned char *tmp = NULL;
332	0	SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
333
334	0	if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
335	0	goto err;
336	0	if ((u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
337	0	sctx->libctx, sctx->propq)) == NULL)
338	0	goto err;
339	0	if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
340	0	s->srp_ctx.N)) == NULL)
341	0	goto err;
342
343	0	tmp_len = BN_num_bytes(K);
344	0	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
345	0	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
346	0	goto err;
347	0	}
348	0	BN_bn2bin(K, tmp);
349		/* Calls SSLfatal() as required */
350	0	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
351	0	err:
352	0	BN_clear_free(K);
353	0	BN_clear_free(u);
354	0	return ret;
355	0	}
356
357		/* client side */
358		int srp_generate_client_master_secret(SSL_CONNECTION *s)
359	0	{
360	0	BIGNUM x = NULL, u = NULL, *K = NULL;
361	0	int ret = 0, tmp_len = 0;
362	0	char *passwd = NULL;
363	0	unsigned char *tmp = NULL;
364	0	SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
365
366		/*
367		* Checks if b % n == 0
368		*/
369	0	if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0
370	0	\|\| (u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
371	0	sctx->libctx, sctx->propq))
372	0	== NULL
373	0	\|\| s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) {
374	0	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
375	0	goto err;
376	0	}
377	0	if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(SSL_CONNECTION_GET_USER_SSL(s),
378	0	s->srp_ctx.SRP_cb_arg))
379	0	== NULL) {
380	0	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
381	0	goto err;
382	0	}
383	0	if ((x = SRP_Calc_x_ex(s->srp_ctx.s, s->srp_ctx.login, passwd,
384	0	sctx->libctx, sctx->propq)) == NULL
385	0	\|\| (K = SRP_Calc_client_key_ex(s->srp_ctx.N, s->srp_ctx.B,
386	0	s->srp_ctx.g, x,
387	0	s->srp_ctx.a, u,
388	0	sctx->libctx,
389	0	sctx->propq)) == NULL) {
390	0	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
391	0	goto err;
392	0	}
393
394	0	tmp_len = BN_num_bytes(K);
395	0	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
396	0	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
397	0	goto err;
398	0	}
399	0	BN_bn2bin(K, tmp);
400		/* Calls SSLfatal() as required */
401	0	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
402	0	err:
403	0	BN_clear_free(K);
404	0	BN_clear_free(x);
405	0	if (passwd != NULL)
406	0	OPENSSL_clear_free(passwd, strlen(passwd));
407	0	BN_clear_free(u);
408	0	return ret;
409	0	}
410
411		int srp_verify_server_param(SSL_CONNECTION *s)
412	0	{
413	0	SRP_CTX *srp = &s->srp_ctx;
414		/*
415		* Sanity check parameters: we can quickly check B % N == 0 by checking B
416		* != 0 since B < N
417		*/
418	0	if (BN_ucmp(srp->g, srp->N) >= 0 \|\| BN_ucmp(srp->B, srp->N) >= 0
419	0	\|\| BN_is_zero(srp->B)) {
420	0	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DATA);
421	0	return 0;
422	0	}
423
424	0	if (BN_num_bits(srp->N) < srp->strength) {
425	0	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_INSUFFICIENT_SECURITY);
426	0	return 0;
427	0	}
428
429	0	if (srp->SRP_verify_param_callback) {
430	0	if (srp->SRP_verify_param_callback(SSL_CONNECTION_GET_USER_SSL(s),
431	0	srp->SRP_cb_arg) <= 0) {
432	0	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED);
433	0	return 0;
434	0	}
435	0	} else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
436	0	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY,
437	0	SSL_R_INSUFFICIENT_SECURITY);
438	0	return 0;
439	0	}
440
441	0	return 1;
442	0	}
443
444		/*
445		* The public API SRP_Calc_A_param() is deprecated so we use
446		* ssl_srp_calc_a_param_intern() internally.
447		*/
448		int ssl_srp_calc_a_param_intern(SSL_CONNECTION *s)
449	0	{
450	0	unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
451
452	0	if (RAND_priv_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
453	0	rnd, sizeof(rnd), 0) <= 0)
454	0	return 0;
455	0	s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
456	0	OPENSSL_cleanse(rnd, sizeof(rnd));
457
458	0	if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
459	0	return 0;
460
461	0	return 1;
462	0	}
463
464		int SRP_Calc_A_param(SSL *s)
465	0	{
466	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
467
468	0	if (sc == NULL)
469	0	return 0;
470
471	0	return ssl_srp_calc_a_param_intern(sc);
472	0	}
473
474		BIGNUM SSL_get_srp_g(SSL s)
475	0	{
476	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
477
478	0	if (sc == NULL)
479	0	return NULL;
480
481	0	if (sc->srp_ctx.g != NULL)
482	0	return sc->srp_ctx.g;
483	0	return s->ctx->srp_ctx.g;
484	0	}
485
486		BIGNUM SSL_get_srp_N(SSL s)
487	0	{
488	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
489
490	0	if (sc == NULL)
491	0	return NULL;
492
493	0	if (sc->srp_ctx.N != NULL)
494	0	return sc->srp_ctx.N;
495	0	return s->ctx->srp_ctx.N;
496	0	}
497
498		char SSL_get_srp_username(SSL s)
499	0	{
500	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
501
502	0	if (sc == NULL)
503	0	return NULL;
504
505	0	if (sc->srp_ctx.login != NULL)
506	0	return sc->srp_ctx.login;
507	0	return s->ctx->srp_ctx.login;
508	0	}
509
510		char SSL_get_srp_userinfo(SSL s)
511	0	{
512	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
513
514	0	if (sc == NULL)
515	0	return NULL;
516
517	0	if (sc->srp_ctx.info != NULL)
518	0	return sc->srp_ctx.info;
519	0	return s->ctx->srp_ctx.info;
520	0	}
521
522	0	# define tls1_ctx_ctrl ssl3_ctx_ctrl
523	0	# define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
524
525		int SSL_CTX_set_srp_username(SSL_CTX ctx, char name)
526	0	{
527	0	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
528	0	}
529
530		int SSL_CTX_set_srp_password(SSL_CTX ctx, char password)
531	0	{
532	0	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
533	0	}
534
535		int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
536	0	{
537	0	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
538	0	NULL);
539	0	}
540
541		int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
542		int (cb) (SSL , void *))
543	0	{
544	0	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
545	0	(void (*)(void))cb);
546	0	}
547
548		int SSL_CTX_set_srp_cb_arg(SSL_CTX ctx, void arg)
549	0	{
550	0	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
551	0	}
552
553		int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
554		int (cb) (SSL , int , void ))
555	0	{
556	0	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
557	0	(void (*)(void))cb);
558	0	}
559
560		int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
561		char (cb) (SSL , void ))
562	0	{
563	0	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
564	0	(void (*)(void))cb);
565	0	}
566
567		#endif