/src/openssl/ssl/tls_srp.c

Source
/*
 * Copyright 2004-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright (c) 2004, EdelKey Project. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * Originally written by Christophe Renou and Peter Sylvester,
 * for the EdelKey project.
 */

/*
 * We need to use the SRP deprecated APIs in order to implement the SSL SRP
 * APIs - which are themselves deprecated.
 */
#define OPENSSL_SUPPRESS_DEPRECATED

#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include "ssl_local.h"
#include "internal/ssl_unwrap.h"

#ifndef OPENSSL_NO_SRP
#include <openssl/srp.h>

/*
 * The public API SSL_CTX_SRP_CTX_free() is deprecated so we use
 * ssl_ctx_srp_ctx_free_intern() internally.
 */
int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx)
{
    if (ctx == NULL)
        return 0;
    OPENSSL_free(ctx->srp_ctx.login);
    OPENSSL_free(ctx->srp_ctx.info);
    BN_free(ctx->srp_ctx.N);
    BN_free(ctx->srp_ctx.g);
    BN_free(ctx->srp_ctx.s);
    BN_free(ctx->srp_ctx.B);
    BN_free(ctx->srp_ctx.A);
    BN_free(ctx->srp_ctx.a);
    BN_free(ctx->srp_ctx.b);
    BN_free(ctx->srp_ctx.v);
    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
    ctx->srp_ctx.strength = SRP_MINIMAL_N;
    return 1;
}

int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx)
{
    return ssl_ctx_srp_ctx_free_intern(ctx);
}

/*
 * The public API SSL_SRP_CTX_free() is deprecated so we use
 * ssl_srp_ctx_free_intern() internally.
 */
int ssl_srp_ctx_free_intern(SSL_CONNECTION *s)
{
    if (s == NULL)
        return 0;
    OPENSSL_free(s->srp_ctx.login);
    OPENSSL_free(s->srp_ctx.info);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
    s->srp_ctx.strength = SRP_MINIMAL_N;
    return 1;
}

int SSL_SRP_CTX_free(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    /* the call works with NULL sc */
    return ssl_srp_ctx_free_intern(sc);
}

/*
 * The public API SSL_SRP_CTX_init() is deprecated so we use
 * ssl_srp_ctx_init_intern() internally.
 */
int ssl_srp_ctx_init_intern(SSL_CONNECTION *s)
{
    SSL_CTX *ctx;

    if (s == NULL || (ctx = SSL_CONNECTION_GET_CTX(s)) == NULL)
        return 0;

    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));

    s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
    /* set client Hello login callback */
    s->srp_ctx.TLS_ext_srp_username_callback = ctx->srp_ctx.TLS_ext_srp_username_callback;
    /* set SRP N/g param callback for verification */
    s->srp_ctx.SRP_verify_param_callback = ctx->srp_ctx.SRP_verify_param_callback;
    /* set SRP client passwd callback */
    s->srp_ctx.SRP_give_srp_client_pwd_callback = ctx->srp_ctx.SRP_give_srp_client_pwd_callback;

    s->srp_ctx.strength = ctx->srp_ctx.strength;

    if (((ctx->srp_ctx.N != NULL) && ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) || ((ctx->srp_ctx.g != NULL) && ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) || ((ctx->srp_ctx.s != NULL) && ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) || ((ctx->srp_ctx.B != NULL) && ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) || ((ctx->srp_ctx.A != NULL) && ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) || ((ctx->srp_ctx.a != NULL) && ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) || ((ctx->srp_ctx.v != NULL) && ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) || ((ctx->srp_ctx.b != NULL) && ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
        ERR_raise(ERR_LIB_SSL, ERR_R_BN_LIB);
        goto err;
    }
    if ((ctx->srp_ctx.login != NULL) && ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((ctx->srp_ctx.info != NULL) && ((s->srp_ctx.info = OPENSSL_strdup(ctx->srp_ctx.info)) == NULL)) {
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;

    return 1;
err:
    OPENSSL_free(s->srp_ctx.login);
    OPENSSL_free(s->srp_ctx.info);
    BN_free(s->srp_ctx.N);
    BN_free(s->srp_ctx.g);
    BN_free(s->srp_ctx.s);
    BN_free(s->srp_ctx.B);
    BN_free(s->srp_ctx.A);
    BN_free(s->srp_ctx.a);
    BN_free(s->srp_ctx.b);
    BN_free(s->srp_ctx.v);
    memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
    return 0;
}

int SSL_SRP_CTX_init(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    /* the call works with NULL sc */
    return ssl_srp_ctx_init_intern(sc);
}

/*
 * The public API SSL_CTX_SRP_CTX_init() is deprecated so we use
 * ssl_ctx_srp_ctx_init_intern() internally.
 */
int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx)
{
    if (ctx == NULL)
        return 0;

    memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
    ctx->srp_ctx.strength = SRP_MINIMAL_N;

    return 1;
}

int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx)
{
    return ssl_ctx_srp_ctx_init_intern(ctx);
}

/* server side */
/*
 * The public API SSL_srp_server_param_with_username() is deprecated so we use
 * ssl_srp_server_param_with_username_intern() internally.
 */
int ssl_srp_server_param_with_username_intern(SSL_CONNECTION *s, int *ad)
{
    unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
    int al;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
    if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) && ((al = s->srp_ctx.TLS_ext_srp_username_callback(SSL_CONNECTION_GET_USER_SSL(s), ad, s->srp_ctx.SRP_cb_arg)) != SSL_ERROR_NONE))
        return al;

    *ad = SSL_AD_INTERNAL_ERROR;
    if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) || (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
        return SSL3_AL_FATAL;

    if (RAND_priv_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, b, sizeof(b),
            0)
        <= 0)
        return SSL3_AL_FATAL;
    s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
    OPENSSL_cleanse(b, sizeof(b));

    /* Calculate:  B = (kv + g^b) % N  */
    s->srp_ctx.B = SRP_Calc_B_ex(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
        s->srp_ctx.v, sctx->libctx, sctx->propq);
    if (s->srp_ctx.B == NULL) {
        BN_clear_free(s->srp_ctx.b);
        s->srp_ctx.b = NULL;
        return SSL3_AL_FATAL;
    }

    return SSL_ERROR_NONE;
}

int SSL_srp_server_param_with_username(SSL *s, int *ad)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return SSL3_AL_FATAL;

    return ssl_srp_server_param_with_username_intern(sc, ad);
}

/*
 * If the server just has the raw password, make up a verifier entry on the
 * fly
 */
int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
    const char *grp)
{
    SRP_gN *GN;
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return -1;

    GN = SRP_get_default_gN(grp);
    if (GN == NULL)
        return -1;
    sc->srp_ctx.N = BN_dup(GN->N);
    sc->srp_ctx.g = BN_dup(GN->g);
    BN_clear_free(sc->srp_ctx.v);
    sc->srp_ctx.v = NULL;
    BN_clear_free(sc->srp_ctx.s);
    sc->srp_ctx.s = NULL;
    if (!SRP_create_verifier_BN_ex(user, pass, &sc->srp_ctx.s, &sc->srp_ctx.v,
            sc->srp_ctx.N, sc->srp_ctx.g, s->ctx->libctx,
            s->ctx->propq))
        return -1;

    return 1;
}

int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
    BIGNUM *sa, BIGNUM *v, char *info)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return -1;

    if (N != NULL) {
        if (sc->srp_ctx.N != NULL) {
            if (!BN_copy(sc->srp_ctx.N, N)) {
                BN_free(sc->srp_ctx.N);
                sc->srp_ctx.N = NULL;
            }
        } else
            sc->srp_ctx.N = BN_dup(N);
    }
    if (g != NULL) {
        if (sc->srp_ctx.g != NULL) {
            if (!BN_copy(sc->srp_ctx.g, g)) {
                BN_free(sc->srp_ctx.g);
                sc->srp_ctx.g = NULL;
            }
        } else
            sc->srp_ctx.g = BN_dup(g);
    }
    if (sa != NULL) {
        if (sc->srp_ctx.s != NULL) {
            if (!BN_copy(sc->srp_ctx.s, sa)) {
                BN_free(sc->srp_ctx.s);
                sc->srp_ctx.s = NULL;
            }
        } else
            sc->srp_ctx.s = BN_dup(sa);
    }
    if (v != NULL) {
        if (sc->srp_ctx.v != NULL) {
            if (!BN_copy(sc->srp_ctx.v, v)) {
                BN_free(sc->srp_ctx.v);
                sc->srp_ctx.v = NULL;
            }
        } else
            sc->srp_ctx.v = BN_dup(v);
    }
    if (info != NULL) {
        if (sc->srp_ctx.info)
            OPENSSL_free(sc->srp_ctx.info);
        if ((sc->srp_ctx.info = OPENSSL_strdup(info)) == NULL)
            return -1;
    }

    if (!(sc->srp_ctx.N) || !(sc->srp_ctx.g) || !(sc->srp_ctx.s) || !(sc->srp_ctx.v))
        return -1;

    return 1;
}

int srp_generate_server_master_secret(SSL_CONNECTION *s)
{
    BIGNUM *K = NULL, *u = NULL;
    int ret = 0, tmp_len = 0;
    unsigned char *tmp = NULL;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
        goto err;
    if ((u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
             sctx->libctx, sctx->propq))
        == NULL)
        goto err;
    if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
             s->srp_ctx.N))
        == NULL)
        goto err;

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
        goto err;
    }
    BN_bn2bin(K, tmp);
    /* Calls SSLfatal() as required */
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
err:
    BN_clear_free(K);
    BN_clear_free(u);
    return ret;
}

/* client side */
int srp_generate_client_master_secret(SSL_CONNECTION *s)
{
    BIGNUM *x = NULL, *u = NULL, *K = NULL;
    int ret = 0, tmp_len = 0;
    char *passwd = NULL;
    unsigned char *tmp = NULL;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /*
     * Checks if b % n == 0
     */
    if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0
        || (u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
                sctx->libctx, sctx->propq))
            == NULL
        || s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(SSL_CONNECTION_GET_USER_SSL(s),
             s->srp_ctx.SRP_cb_arg))
        == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
        goto err;
    }
    if ((x = SRP_Calc_x_ex(s->srp_ctx.s, s->srp_ctx.login, passwd,
             sctx->libctx, sctx->propq))
            == NULL
        || (K = SRP_Calc_client_key_ex(s->srp_ctx.N, s->srp_ctx.B,
                s->srp_ctx.g, x,
                s->srp_ctx.a, u,
                sctx->libctx,
                sctx->propq))
            == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    tmp_len = BN_num_bytes(K);
    if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
        goto err;
    }
    BN_bn2bin(K, tmp);
    /* Calls SSLfatal() as required */
    ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
err:
    BN_clear_free(K);
    BN_clear_free(x);
    if (passwd != NULL)
        OPENSSL_clear_free(passwd, strlen(passwd));
    BN_clear_free(u);
    return ret;
}

int srp_verify_server_param(SSL_CONNECTION *s)
{
    SRP_CTX *srp = &s->srp_ctx;
    /*
     * Sanity check parameters: we can quickly check B % N == 0 by checking B
     * != 0 since B < N
     */
    if (BN_ucmp(srp->g, srp->N) >= 0 || BN_ucmp(srp->B, srp->N) >= 0
        || BN_is_zero(srp->B)) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DATA);
        return 0;
    }

    if (BN_num_bits(srp->N) < srp->strength) {
        SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_INSUFFICIENT_SECURITY);
        return 0;
    }

    if (srp->SRP_verify_param_callback) {
        if (srp->SRP_verify_param_callback(SSL_CONNECTION_GET_USER_SSL(s),
                srp->SRP_cb_arg)
            <= 0) {
            SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED);
            return 0;
        }
    } else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
        SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY,
            SSL_R_INSUFFICIENT_SECURITY);
        return 0;
    }

    return 1;
}

/*
 * The public API SRP_Calc_A_param() is deprecated so we use
 * ssl_srp_calc_a_param_intern() internally.
 */
int ssl_srp_calc_a_param_intern(SSL_CONNECTION *s)
{
    unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];

    if (RAND_priv_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
            rnd, sizeof(rnd), 0)
        <= 0)
        return 0;
    s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
    OPENSSL_cleanse(rnd, sizeof(rnd));

    if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
        return 0;

    return 1;
}

int SRP_Calc_A_param(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return 0;

    return ssl_srp_calc_a_param_intern(sc);
}

BIGNUM *SSL_get_srp_g(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return NULL;

    if (sc->srp_ctx.g != NULL)
        return sc->srp_ctx.g;
    return s->ctx->srp_ctx.g;
}

BIGNUM *SSL_get_srp_N(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return NULL;

    if (sc->srp_ctx.N != NULL)
        return sc->srp_ctx.N;
    return s->ctx->srp_ctx.N;
}

char *SSL_get_srp_username(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return NULL;

    if (sc->srp_ctx.login != NULL)
        return sc->srp_ctx.login;
    return s->ctx->srp_ctx.login;
}

char *SSL_get_srp_userinfo(SSL *s)
{
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);

    if (sc == NULL)
        return NULL;

    if (sc->srp_ctx.info != NULL)
        return sc->srp_ctx.info;
    return s->ctx->srp_ctx.info;
}

#define tls1_ctx_ctrl ssl3_ctx_ctrl
#define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl

int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
}

int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
}

int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
        NULL);
}

int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
    int (*cb)(SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
        (void (*)(void))cb);
}

int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
{
    return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
}

int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
    int (*cb)(SSL *, int *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
        (void (*)(void))cb);
}

int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
    char *(*cb)(SSL *, void *))
{
    return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
        (void (*)(void))cb);
}

#endif

Coverage Report

Created: 2026-03-09 06:55

Line	Count	Source
1		/*
2		* Copyright 2004-2025 The OpenSSL Project Authors. All Rights Reserved.
3		* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
4		*
5		* Licensed under the Apache License 2.0 (the "License"). You may not use
6		* this file except in compliance with the License. You can obtain a copy
7		* in the file LICENSE in the source distribution or at
8		* https://www.openssl.org/source/license.html
9		*
10		* Originally written by Christophe Renou and Peter Sylvester,
11		* for the EdelKey project.
12		*/
13
14		/*
15		* We need to use the SRP deprecated APIs in order to implement the SSL SRP
16		* APIs - which are themselves deprecated.
17		*/
18		#define OPENSSL_SUPPRESS_DEPRECATED
19
20		#include <openssl/crypto.h>
21		#include <openssl/rand.h>
22		#include <openssl/err.h>
23		#include "ssl_local.h"
24		#include "internal/ssl_unwrap.h"
25
26		#ifndef OPENSSL_NO_SRP
27		#include <openssl/srp.h>
28
29		/*
30		* The public API SSL_CTX_SRP_CTX_free() is deprecated so we use
31		* ssl_ctx_srp_ctx_free_intern() internally.
32		*/
33		int ssl_ctx_srp_ctx_free_intern(SSL_CTX *ctx)
34	0	{
35	0	if (ctx == NULL)
36	0	return 0;
37	0	OPENSSL_free(ctx->srp_ctx.login);
38	0	OPENSSL_free(ctx->srp_ctx.info);
39	0	BN_free(ctx->srp_ctx.N);
40	0	BN_free(ctx->srp_ctx.g);
41	0	BN_free(ctx->srp_ctx.s);
42	0	BN_free(ctx->srp_ctx.B);
43	0	BN_free(ctx->srp_ctx.A);
44	0	BN_free(ctx->srp_ctx.a);
45	0	BN_free(ctx->srp_ctx.b);
46	0	BN_free(ctx->srp_ctx.v);
47	0	memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
48	0	ctx->srp_ctx.strength = SRP_MINIMAL_N;
49	0	return 1;
50	0	}
51
52		int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx)
53	0	{
54	0	return ssl_ctx_srp_ctx_free_intern(ctx);
55	0	}
56
57		/*
58		* The public API SSL_SRP_CTX_free() is deprecated so we use
59		* ssl_srp_ctx_free_intern() internally.
60		*/
61		int ssl_srp_ctx_free_intern(SSL_CONNECTION *s)
62	0	{
63	0	if (s == NULL)
64	0	return 0;
65	0	OPENSSL_free(s->srp_ctx.login);
66	0	OPENSSL_free(s->srp_ctx.info);
67	0	BN_free(s->srp_ctx.N);
68	0	BN_free(s->srp_ctx.g);
69	0	BN_free(s->srp_ctx.s);
70	0	BN_free(s->srp_ctx.B);
71	0	BN_free(s->srp_ctx.A);
72	0	BN_free(s->srp_ctx.a);
73	0	BN_free(s->srp_ctx.b);
74	0	BN_free(s->srp_ctx.v);
75	0	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
76	0	s->srp_ctx.strength = SRP_MINIMAL_N;
77	0	return 1;
78	0	}
79
80		int SSL_SRP_CTX_free(SSL *s)
81	0	{
82	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
83
84		/* the call works with NULL sc */
85	0	return ssl_srp_ctx_free_intern(sc);
86	0	}
87
88		/*
89		* The public API SSL_SRP_CTX_init() is deprecated so we use
90		* ssl_srp_ctx_init_intern() internally.
91		*/
92		int ssl_srp_ctx_init_intern(SSL_CONNECTION *s)
93	0	{
94	0	SSL_CTX *ctx;
95
96	0	if (s == NULL \|\| (ctx = SSL_CONNECTION_GET_CTX(s)) == NULL)
97	0	return 0;
98
99	0	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
100
101	0	s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
102		/* set client Hello login callback */
103	0	s->srp_ctx.TLS_ext_srp_username_callback = ctx->srp_ctx.TLS_ext_srp_username_callback;
104		/* set SRP N/g param callback for verification */
105	0	s->srp_ctx.SRP_verify_param_callback = ctx->srp_ctx.SRP_verify_param_callback;
106		/* set SRP client passwd callback */
107	0	s->srp_ctx.SRP_give_srp_client_pwd_callback = ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
108
109	0	s->srp_ctx.strength = ctx->srp_ctx.strength;
110
111	0	if (((ctx->srp_ctx.N != NULL) && ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) \|\| ((ctx->srp_ctx.g != NULL) && ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) \|\| ((ctx->srp_ctx.s != NULL) && ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) \|\| ((ctx->srp_ctx.B != NULL) && ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) \|\| ((ctx->srp_ctx.A != NULL) && ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) \|\| ((ctx->srp_ctx.a != NULL) && ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) \|\| ((ctx->srp_ctx.v != NULL) && ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) \|\| ((ctx->srp_ctx.b != NULL) && ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
112	0	ERR_raise(ERR_LIB_SSL, ERR_R_BN_LIB);
113	0	goto err;
114	0	}
115	0	if ((ctx->srp_ctx.login != NULL) && ((s->srp_ctx.login = OPENSSL_strdup(ctx->srp_ctx.login)) == NULL)) {
116	0	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
117	0	goto err;
118	0	}
119	0	if ((ctx->srp_ctx.info != NULL) && ((s->srp_ctx.info = OPENSSL_strdup(ctx->srp_ctx.info)) == NULL)) {
120	0	ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
121	0	goto err;
122	0	}
123	0	s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
124
125	0	return 1;
126	0	err:
127	0	OPENSSL_free(s->srp_ctx.login);
128	0	OPENSSL_free(s->srp_ctx.info);
129	0	BN_free(s->srp_ctx.N);
130	0	BN_free(s->srp_ctx.g);
131	0	BN_free(s->srp_ctx.s);
132	0	BN_free(s->srp_ctx.B);
133	0	BN_free(s->srp_ctx.A);
134	0	BN_free(s->srp_ctx.a);
135	0	BN_free(s->srp_ctx.b);
136	0	BN_free(s->srp_ctx.v);
137	0	memset(&s->srp_ctx, 0, sizeof(s->srp_ctx));
138	0	return 0;
139	0	}
140
141		int SSL_SRP_CTX_init(SSL *s)
142	0	{
143	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
144
145		/* the call works with NULL sc */
146	0	return ssl_srp_ctx_init_intern(sc);
147	0	}
148
149		/*
150		* The public API SSL_CTX_SRP_CTX_init() is deprecated so we use
151		* ssl_ctx_srp_ctx_init_intern() internally.
152		*/
153		int ssl_ctx_srp_ctx_init_intern(SSL_CTX *ctx)
154	0	{
155	0	if (ctx == NULL)
156	0	return 0;
157
158	0	memset(&ctx->srp_ctx, 0, sizeof(ctx->srp_ctx));
159	0	ctx->srp_ctx.strength = SRP_MINIMAL_N;
160
161	0	return 1;
162	0	}
163
164		int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx)
165	0	{
166	0	return ssl_ctx_srp_ctx_init_intern(ctx);
167	0	}
168
169		/* server side */
170		/*
171		* The public API SSL_srp_server_param_with_username() is deprecated so we use
172		* ssl_srp_server_param_with_username_intern() internally.
173		*/
174		int ssl_srp_server_param_with_username_intern(SSL_CONNECTION s, int ad)
175	0	{
176	0	unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
177	0	int al;
178	0	SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
179
180	0	*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
181	0	if ((s->srp_ctx.TLS_ext_srp_username_callback != NULL) && ((al = s->srp_ctx.TLS_ext_srp_username_callback(SSL_CONNECTION_GET_USER_SSL(s), ad, s->srp_ctx.SRP_cb_arg)) != SSL_ERROR_NONE))
182	0	return al;
183
184	0	*ad = SSL_AD_INTERNAL_ERROR;
185	0	if ((s->srp_ctx.N == NULL) \|\| (s->srp_ctx.g == NULL) \|\| (s->srp_ctx.s == NULL) \|\| (s->srp_ctx.v == NULL))
186	0	return SSL3_AL_FATAL;
187
188	0	if (RAND_priv_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, b, sizeof(b),
189	0	0)
190	0	<= 0)
191	0	return SSL3_AL_FATAL;
192	0	s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
193	0	OPENSSL_cleanse(b, sizeof(b));
194
195		/* Calculate: B = (kv + g^b) % N */
196	0	s->srp_ctx.B = SRP_Calc_B_ex(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g,
197	0	s->srp_ctx.v, sctx->libctx, sctx->propq);
198	0	if (s->srp_ctx.B == NULL) {
199	0	BN_clear_free(s->srp_ctx.b);
200	0	s->srp_ctx.b = NULL;
201	0	return SSL3_AL_FATAL;
202	0	}
203
204	0	return SSL_ERROR_NONE;
205	0	}
206
207		int SSL_srp_server_param_with_username(SSL s, int ad)
208	0	{
209	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
210
211	0	if (sc == NULL)
212	0	return SSL3_AL_FATAL;
213
214	0	return ssl_srp_server_param_with_username_intern(sc, ad);
215	0	}
216
217		/*
218		* If the server just has the raw password, make up a verifier entry on the
219		* fly
220		*/
221		int SSL_set_srp_server_param_pw(SSL s, const char user, const char *pass,
222		const char *grp)
223	0	{
224	0	SRP_gN *GN;
225	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
226
227	0	if (sc == NULL)
228	0	return -1;
229
230	0	GN = SRP_get_default_gN(grp);
231	0	if (GN == NULL)
232	0	return -1;
233	0	sc->srp_ctx.N = BN_dup(GN->N);
234	0	sc->srp_ctx.g = BN_dup(GN->g);
235	0	BN_clear_free(sc->srp_ctx.v);
236	0	sc->srp_ctx.v = NULL;
237	0	BN_clear_free(sc->srp_ctx.s);
238	0	sc->srp_ctx.s = NULL;
239	0	if (!SRP_create_verifier_BN_ex(user, pass, &sc->srp_ctx.s, &sc->srp_ctx.v,
240	0	sc->srp_ctx.N, sc->srp_ctx.g, s->ctx->libctx,
241	0	s->ctx->propq))
242	0	return -1;
243
244	0	return 1;
245	0	}
246
247		int SSL_set_srp_server_param(SSL s, const BIGNUM N, const BIGNUM *g,
248		BIGNUM sa, BIGNUM v, char *info)
249	0	{
250	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
251
252	0	if (sc == NULL)
253	0	return -1;
254
255	0	if (N != NULL) {
256	0	if (sc->srp_ctx.N != NULL) {
257	0	if (!BN_copy(sc->srp_ctx.N, N)) {
258	0	BN_free(sc->srp_ctx.N);
259	0	sc->srp_ctx.N = NULL;
260	0	}
261	0	} else
262	0	sc->srp_ctx.N = BN_dup(N);
263	0	}
264	0	if (g != NULL) {
265	0	if (sc->srp_ctx.g != NULL) {
266	0	if (!BN_copy(sc->srp_ctx.g, g)) {
267	0	BN_free(sc->srp_ctx.g);
268	0	sc->srp_ctx.g = NULL;
269	0	}
270	0	} else
271	0	sc->srp_ctx.g = BN_dup(g);
272	0	}
273	0	if (sa != NULL) {
274	0	if (sc->srp_ctx.s != NULL) {
275	0	if (!BN_copy(sc->srp_ctx.s, sa)) {
276	0	BN_free(sc->srp_ctx.s);
277	0	sc->srp_ctx.s = NULL;
278	0	}
279	0	} else
280	0	sc->srp_ctx.s = BN_dup(sa);
281	0	}
282	0	if (v != NULL) {
283	0	if (sc->srp_ctx.v != NULL) {
284	0	if (!BN_copy(sc->srp_ctx.v, v)) {
285	0	BN_free(sc->srp_ctx.v);
286	0	sc->srp_ctx.v = NULL;
287	0	}
288	0	} else
289	0	sc->srp_ctx.v = BN_dup(v);
290	0	}
291	0	if (info != NULL) {
292	0	if (sc->srp_ctx.info)
293	0	OPENSSL_free(sc->srp_ctx.info);
294	0	if ((sc->srp_ctx.info = OPENSSL_strdup(info)) == NULL)
295	0	return -1;
296	0	}
297
298	0	if (!(sc->srp_ctx.N) \|\| !(sc->srp_ctx.g) \|\| !(sc->srp_ctx.s) \|\| !(sc->srp_ctx.v))
299	0	return -1;
300
301	0	return 1;
302	0	}
303
304		int srp_generate_server_master_secret(SSL_CONNECTION *s)
305	0	{
306	0	BIGNUM K = NULL, u = NULL;
307	0	int ret = 0, tmp_len = 0;
308	0	unsigned char *tmp = NULL;
309	0	SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
310
311	0	if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
312	0	goto err;
313	0	if ((u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
314	0	sctx->libctx, sctx->propq))
315	0	== NULL)
316	0	goto err;
317	0	if ((K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b,
318	0	s->srp_ctx.N))
319	0	== NULL)
320	0	goto err;
321
322	0	tmp_len = BN_num_bytes(K);
323	0	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
324	0	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
325	0	goto err;
326	0	}
327	0	BN_bn2bin(K, tmp);
328		/* Calls SSLfatal() as required */
329	0	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
330	0	err:
331	0	BN_clear_free(K);
332	0	BN_clear_free(u);
333	0	return ret;
334	0	}
335
336		/* client side */
337		int srp_generate_client_master_secret(SSL_CONNECTION *s)
338	0	{
339	0	BIGNUM x = NULL, u = NULL, *K = NULL;
340	0	int ret = 0, tmp_len = 0;
341	0	char *passwd = NULL;
342	0	unsigned char *tmp = NULL;
343	0	SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
344
345		/*
346		* Checks if b % n == 0
347		*/
348	0	if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0
349	0	\|\| (u = SRP_Calc_u_ex(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N,
350	0	sctx->libctx, sctx->propq))
351	0	== NULL
352	0	\|\| s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL) {
353	0	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
354	0	goto err;
355	0	}
356	0	if ((passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(SSL_CONNECTION_GET_USER_SSL(s),
357	0	s->srp_ctx.SRP_cb_arg))
358	0	== NULL) {
359	0	SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
360	0	goto err;
361	0	}
362	0	if ((x = SRP_Calc_x_ex(s->srp_ctx.s, s->srp_ctx.login, passwd,
363	0	sctx->libctx, sctx->propq))
364	0	== NULL
365	0	\|\| (K = SRP_Calc_client_key_ex(s->srp_ctx.N, s->srp_ctx.B,
366	0	s->srp_ctx.g, x,
367	0	s->srp_ctx.a, u,
368	0	sctx->libctx,
369	0	sctx->propq))
370	0	== NULL) {
371	0	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
372	0	goto err;
373	0	}
374
375	0	tmp_len = BN_num_bytes(K);
376	0	if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) {
377	0	SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
378	0	goto err;
379	0	}
380	0	BN_bn2bin(K, tmp);
381		/* Calls SSLfatal() as required */
382	0	ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
383	0	err:
384	0	BN_clear_free(K);
385	0	BN_clear_free(x);
386	0	if (passwd != NULL)
387	0	OPENSSL_clear_free(passwd, strlen(passwd));
388	0	BN_clear_free(u);
389	0	return ret;
390	0	}
391
392		int srp_verify_server_param(SSL_CONNECTION *s)
393	0	{
394	0	SRP_CTX *srp = &s->srp_ctx;
395		/*
396		* Sanity check parameters: we can quickly check B % N == 0 by checking B
397		* != 0 since B < N
398		*/
399	0	if (BN_ucmp(srp->g, srp->N) >= 0 \|\| BN_ucmp(srp->B, srp->N) >= 0
400	0	\|\| BN_is_zero(srp->B)) {
401	0	SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DATA);
402	0	return 0;
403	0	}
404
405	0	if (BN_num_bits(srp->N) < srp->strength) {
406	0	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_INSUFFICIENT_SECURITY);
407	0	return 0;
408	0	}
409
410	0	if (srp->SRP_verify_param_callback) {
411	0	if (srp->SRP_verify_param_callback(SSL_CONNECTION_GET_USER_SSL(s),
412	0	srp->SRP_cb_arg)
413	0	<= 0) {
414	0	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY, SSL_R_CALLBACK_FAILED);
415	0	return 0;
416	0	}
417	0	} else if (!SRP_check_known_gN_param(srp->g, srp->N)) {
418	0	SSLfatal(s, SSL_AD_INSUFFICIENT_SECURITY,
419	0	SSL_R_INSUFFICIENT_SECURITY);
420	0	return 0;
421	0	}
422
423	0	return 1;
424	0	}
425
426		/*
427		* The public API SRP_Calc_A_param() is deprecated so we use
428		* ssl_srp_calc_a_param_intern() internally.
429		*/
430		int ssl_srp_calc_a_param_intern(SSL_CONNECTION *s)
431	0	{
432	0	unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
433
434	0	if (RAND_priv_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx,
435	0	rnd, sizeof(rnd), 0)
436	0	<= 0)
437	0	return 0;
438	0	s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
439	0	OPENSSL_cleanse(rnd, sizeof(rnd));
440
441	0	if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N, s->srp_ctx.g)))
442	0	return 0;
443
444	0	return 1;
445	0	}
446
447		int SRP_Calc_A_param(SSL *s)
448	0	{
449	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
450
451	0	if (sc == NULL)
452	0	return 0;
453
454	0	return ssl_srp_calc_a_param_intern(sc);
455	0	}
456
457		BIGNUM SSL_get_srp_g(SSL s)
458	0	{
459	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
460
461	0	if (sc == NULL)
462	0	return NULL;
463
464	0	if (sc->srp_ctx.g != NULL)
465	0	return sc->srp_ctx.g;
466	0	return s->ctx->srp_ctx.g;
467	0	}
468
469		BIGNUM SSL_get_srp_N(SSL s)
470	0	{
471	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
472
473	0	if (sc == NULL)
474	0	return NULL;
475
476	0	if (sc->srp_ctx.N != NULL)
477	0	return sc->srp_ctx.N;
478	0	return s->ctx->srp_ctx.N;
479	0	}
480
481		char SSL_get_srp_username(SSL s)
482	0	{
483	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
484
485	0	if (sc == NULL)
486	0	return NULL;
487
488	0	if (sc->srp_ctx.login != NULL)
489	0	return sc->srp_ctx.login;
490	0	return s->ctx->srp_ctx.login;
491	0	}
492
493		char SSL_get_srp_userinfo(SSL s)
494	0	{
495	0	SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
496
497	0	if (sc == NULL)
498	0	return NULL;
499
500	0	if (sc->srp_ctx.info != NULL)
501	0	return sc->srp_ctx.info;
502	0	return s->ctx->srp_ctx.info;
503	0	}
504
505	0	#define tls1_ctx_ctrl ssl3_ctx_ctrl
506	0	#define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
507
508		int SSL_CTX_set_srp_username(SSL_CTX ctx, char name)
509	0	{
510	0	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
511	0	}
512
513		int SSL_CTX_set_srp_password(SSL_CTX ctx, char password)
514	0	{
515	0	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
516	0	}
517
518		int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
519	0	{
520	0	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
521	0	NULL);
522	0	}
523
524		int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
525		int (cb)(SSL , void *))
526	0	{
527	0	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
528	0	(void (*)(void))cb);
529	0	}
530
531		int SSL_CTX_set_srp_cb_arg(SSL_CTX ctx, void arg)
532	0	{
533	0	return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
534	0	}
535
536		int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
537		int (cb)(SSL , int , void ))
538	0	{
539	0	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
540	0	(void (*)(void))cb);
541	0	}
542
543		int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
544		char (cb)(SSL , void ))
545	0	{
546	0	return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
547	0	(void (*)(void))cb);
548	0	}
549
550		#endif