1 | /* |
2 | * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | * Copyright (c) 2004, EdelKey Project. All Rights Reserved. |
4 | * |
5 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
6 | * this file except in compliance with the License. You can obtain a copy |
7 | * in the file LICENSE in the source distribution or at |
8 | * https://www.openssl.org/source/license.html |
9 | * |
10 | * Originally written by Christophe Renou and Peter Sylvester, |
11 | * for the EdelKey project. |
12 | */ |
13 | |
14 | #ifndef OPENSSL_NO_SRP |
15 | # include "internal/cryptlib.h" |
16 | # include "crypto/evp.h" |
17 | # include <openssl/sha.h> |
18 | # include <openssl/srp.h> |
19 | # include <openssl/evp.h> |
20 | # include <openssl/buffer.h> |
21 | # include <openssl/rand.h> |
22 | # include <openssl/txt_db.h> |
23 | # include <openssl/err.h> |
24 | |
25 | # define SRP_RANDOM_SALT_LEN 20 |
26 | # define MAX_LEN 2500 |
27 | |
28 | /* |
29 | * Note that SRP uses its own variant of base 64 encoding. A different base64 |
30 | * alphabet is used and no padding '=' characters are added. Instead we pad to |
31 | * the front with 0 bytes and subsequently strip off leading encoded padding. |
32 | * This variant is used for compatibility with other SRP implementations - |
33 | * notably libsrp, but also others. It is also required for backwards |
34 | * compatibility in order to load verifier files from other OpenSSL versions. |
35 | */ |
36 | |
37 | /* |
38 | * Convert a base64 string into raw byte array representation. |
39 | * Returns the length of the decoded data, or -1 on error. |
40 | */ |
41 | static int t_fromb64(unsigned char *a, size_t alen, const char *src) |
42 | { |
43 | EVP_ENCODE_CTX *ctx; |
44 | int outl = 0, outl2 = 0; |
45 | size_t size, padsize; |
46 | const unsigned char *pad = (const unsigned char *)"00" ; |
47 | |
48 | while (*src == ' ' || *src == '\t' || *src == '\n') |
49 | ++src; |
50 | size = strlen(src); |
51 | padsize = 4 - (size & 3); |
52 | padsize &= 3; |
53 | |
54 | /* Four bytes in src become three bytes output. */ |
55 | if (size > INT_MAX || ((size + padsize) / 4) * 3 > alen) |
56 | return -1; |
57 | |
58 | ctx = EVP_ENCODE_CTX_new(); |
59 | if (ctx == NULL) |
60 | return -1; |
61 | |
62 | /* |
63 | * This should never occur because 1 byte of data always requires 2 bytes of |
64 | * encoding, i.e. |
65 | * 0 bytes unencoded = 0 bytes encoded |
66 | * 1 byte unencoded = 2 bytes encoded |
67 | * 2 bytes unencoded = 3 bytes encoded |
68 | * 3 bytes unencoded = 4 bytes encoded |
69 | * 4 bytes unencoded = 6 bytes encoded |
70 | * etc |
71 | */ |
72 | if (padsize == 3) { |
73 | outl = -1; |
74 | goto err; |
75 | } |
76 | |
77 | /* Valid padsize values are now 0, 1 or 2 */ |
78 | |
79 | EVP_DecodeInit(ctx); |
80 | evp_encode_ctx_set_flags(ctx, EVP_ENCODE_CTX_USE_SRP_ALPHABET); |
81 | |
82 | /* Add any encoded padding that is required */ |
83 | if (padsize != 0 |
84 | && EVP_DecodeUpdate(ctx, a, &outl, pad, padsize) < 0) { |
85 | outl = -1; |
86 | goto err; |
87 | } |
88 | if (EVP_DecodeUpdate(ctx, a, &outl2, (const unsigned char *)src, size) < 0) { |
89 | outl = -1; |
90 | goto err; |
91 | } |
92 | outl += outl2; |
93 | EVP_DecodeFinal(ctx, a + outl, &outl2); |
94 | outl += outl2; |
95 | |
96 | /* Strip off the leading padding */ |
97 | if (padsize != 0) { |
98 | if ((int)padsize >= outl) { |
99 | outl = -1; |
100 | goto err; |
101 | } |
102 | |
103 | /* |
104 | * If we added 1 byte of padding prior to encoding then we have 2 bytes |
105 | * of "real" data which gets spread across 4 encoded bytes like this: |
106 | * (6 bits pad)(2 bits pad | 4 bits data)(6 bits data)(6 bits data) |
107 | * So 1 byte of pre-encoding padding results in 1 full byte of encoded |
108 | * padding. |
109 | * If we added 2 bytes of padding prior to encoding this gets encoded |
110 | * as: |
111 | * (6 bits pad)(6 bits pad)(4 bits pad | 2 bits data)(6 bits data) |
112 | * So 2 bytes of pre-encoding padding results in 2 full bytes of encoded |
113 | * padding, i.e. we have to strip the same number of bytes of padding |
114 | * from the encoded data as we added to the pre-encoded data. |
115 | */ |
116 | memmove(a, a + padsize, outl - padsize); |
117 | outl -= padsize; |
118 | } |
119 | |
120 | err: |
121 | EVP_ENCODE_CTX_free(ctx); |
122 | |
123 | return outl; |
124 | } |
125 | |
126 | /* |
127 | * Convert a raw byte string into a null-terminated base64 ASCII string. |
128 | * Returns 1 on success or 0 on error. |
129 | */ |
130 | static int t_tob64(char *dst, const unsigned char *src, int size) |
131 | { |
132 | EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new(); |
133 | int outl = 0, outl2 = 0; |
134 | unsigned char pad[2] = {0, 0}; |
135 | size_t leadz = 0; |
136 | |
137 | if (ctx == NULL) |
138 | return 0; |
139 | |
140 | EVP_EncodeInit(ctx); |
141 | evp_encode_ctx_set_flags(ctx, EVP_ENCODE_CTX_NO_NEWLINES |
142 | | EVP_ENCODE_CTX_USE_SRP_ALPHABET); |
143 | |
144 | /* |
145 | * We pad at the front with zero bytes until the length is a multiple of 3 |
146 | * so that EVP_EncodeUpdate/EVP_EncodeFinal does not add any of its own "=" |
147 | * padding |
148 | */ |
149 | leadz = 3 - (size % 3); |
150 | if (leadz != 3 |
151 | && !EVP_EncodeUpdate(ctx, (unsigned char *)dst, &outl, pad, |
152 | leadz)) { |
153 | EVP_ENCODE_CTX_free(ctx); |
154 | return 0; |
155 | } |
156 | |
157 | if (!EVP_EncodeUpdate(ctx, (unsigned char *)dst + outl, &outl2, src, |
158 | size)) { |
159 | EVP_ENCODE_CTX_free(ctx); |
160 | return 0; |
161 | } |
162 | outl += outl2; |
163 | EVP_EncodeFinal(ctx, (unsigned char *)dst + outl, &outl2); |
164 | outl += outl2; |
165 | |
166 | /* Strip the encoded padding at the front */ |
167 | if (leadz != 3) { |
168 | memmove(dst, dst + leadz, outl - leadz); |
169 | dst[outl - leadz] = '\0'; |
170 | } |
171 | |
172 | EVP_ENCODE_CTX_free(ctx); |
173 | return 1; |
174 | } |
175 | |
176 | void SRP_user_pwd_free(SRP_user_pwd *user_pwd) |
177 | { |
178 | if (user_pwd == NULL) |
179 | return; |
180 | BN_free(user_pwd->s); |
181 | BN_clear_free(user_pwd->v); |
182 | OPENSSL_free(user_pwd->id); |
183 | OPENSSL_free(user_pwd->info); |
184 | OPENSSL_free(user_pwd); |
185 | } |
186 | |
187 | SRP_user_pwd *SRP_user_pwd_new(void) |
188 | { |
189 | SRP_user_pwd *ret; |
190 | |
191 | if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) { |
192 | /* SRPerr(SRP_F_SRP_USER_PWD_NEW, ERR_R_MALLOC_FAILURE); */ /*ckerr_ignore*/ |
193 | return NULL; |
194 | } |
195 | ret->N = NULL; |
196 | ret->g = NULL; |
197 | ret->s = NULL; |
198 | ret->v = NULL; |
199 | ret->id = NULL; |
200 | ret->info = NULL; |
201 | return ret; |
202 | } |
203 | |
204 | void SRP_user_pwd_set_gN(SRP_user_pwd *vinfo, const BIGNUM *g, |
205 | const BIGNUM *N) |
206 | { |
207 | vinfo->N = N; |
208 | vinfo->g = g; |
209 | } |
210 | |
211 | int SRP_user_pwd_set1_ids(SRP_user_pwd *vinfo, const char *id, |
212 | const char *info) |
213 | { |
214 | OPENSSL_free(vinfo->id); |
215 | OPENSSL_free(vinfo->info); |
216 | if (id != NULL && NULL == (vinfo->id = OPENSSL_strdup(id))) |
217 | return 0; |
218 | return (info == NULL || NULL != (vinfo->info = OPENSSL_strdup(info))); |
219 | } |
220 | |
221 | static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s, |
222 | const char *v) |
223 | { |
224 | unsigned char tmp[MAX_LEN]; |
225 | int len; |
226 | |
227 | vinfo->v = NULL; |
228 | vinfo->s = NULL; |
229 | |
230 | len = t_fromb64(tmp, sizeof(tmp), v); |
231 | if (len < 0) |
232 | return 0; |
233 | if (NULL == (vinfo->v = BN_bin2bn(tmp, len, NULL))) |
234 | return 0; |
235 | len = t_fromb64(tmp, sizeof(tmp), s); |
236 | if (len < 0) |
237 | goto err; |
238 | vinfo->s = BN_bin2bn(tmp, len, NULL); |
239 | if (vinfo->s == NULL) |
240 | goto err; |
241 | return 1; |
242 | err: |
243 | BN_free(vinfo->v); |
244 | vinfo->v = NULL; |
245 | return 0; |
246 | } |
247 | |
248 | int SRP_user_pwd_set0_sv(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v) |
249 | { |
250 | BN_free(vinfo->s); |
251 | BN_clear_free(vinfo->v); |
252 | vinfo->v = v; |
253 | vinfo->s = s; |
254 | return (vinfo->s != NULL && vinfo->v != NULL); |
255 | } |
256 | |
257 | static SRP_user_pwd *srp_user_pwd_dup(SRP_user_pwd *src) |
258 | { |
259 | SRP_user_pwd *ret; |
260 | |
261 | if (src == NULL) |
262 | return NULL; |
263 | if ((ret = SRP_user_pwd_new()) == NULL) |
264 | return NULL; |
265 | |
266 | SRP_user_pwd_set_gN(ret, src->g, src->N); |
267 | if (!SRP_user_pwd_set1_ids(ret, src->id, src->info) |
268 | || !SRP_user_pwd_set0_sv(ret, BN_dup(src->s), BN_dup(src->v))) { |
269 | SRP_user_pwd_free(ret); |
270 | return NULL; |
271 | } |
272 | return ret; |
273 | } |
274 | |
275 | SRP_VBASE *SRP_VBASE_new(char *seed_key) |
276 | { |
277 | SRP_VBASE *vb = OPENSSL_malloc(sizeof(*vb)); |
278 | |
279 | if (vb == NULL) |
280 | return NULL; |
281 | if ((vb->users_pwd = sk_SRP_user_pwd_new_null()) == NULL |
282 | || (vb->gN_cache = sk_SRP_gN_cache_new_null()) == NULL) { |
283 | OPENSSL_free(vb); |
284 | return NULL; |
285 | } |
286 | vb->default_g = NULL; |
287 | vb->default_N = NULL; |
288 | vb->seed_key = NULL; |
289 | if ((seed_key != NULL) && (vb->seed_key = OPENSSL_strdup(seed_key)) == NULL) { |
290 | sk_SRP_user_pwd_free(vb->users_pwd); |
291 | sk_SRP_gN_cache_free(vb->gN_cache); |
292 | OPENSSL_free(vb); |
293 | return NULL; |
294 | } |
295 | return vb; |
296 | } |
297 | |
298 | void SRP_VBASE_free(SRP_VBASE *vb) |
299 | { |
300 | if (!vb) |
301 | return; |
302 | sk_SRP_user_pwd_pop_free(vb->users_pwd, SRP_user_pwd_free); |
303 | sk_SRP_gN_cache_free(vb->gN_cache); |
304 | OPENSSL_free(vb->seed_key); |
305 | OPENSSL_free(vb); |
306 | } |
307 | |
308 | static SRP_gN_cache *SRP_gN_new_init(const char *ch) |
309 | { |
310 | unsigned char tmp[MAX_LEN]; |
311 | int len; |
312 | SRP_gN_cache *newgN = OPENSSL_malloc(sizeof(*newgN)); |
313 | |
314 | if (newgN == NULL) |
315 | return NULL; |
316 | |
317 | len = t_fromb64(tmp, sizeof(tmp), ch); |
318 | if (len < 0) |
319 | goto err; |
320 | |
321 | if ((newgN->b64_bn = OPENSSL_strdup(ch)) == NULL) |
322 | goto err; |
323 | |
324 | if ((newgN->bn = BN_bin2bn(tmp, len, NULL))) |
325 | return newgN; |
326 | |
327 | OPENSSL_free(newgN->b64_bn); |
328 | err: |
329 | OPENSSL_free(newgN); |
330 | return NULL; |
331 | } |
332 | |
333 | static void SRP_gN_free(SRP_gN_cache *gN_cache) |
334 | { |
335 | if (gN_cache == NULL) |
336 | return; |
337 | OPENSSL_free(gN_cache->b64_bn); |
338 | BN_free(gN_cache->bn); |
339 | OPENSSL_free(gN_cache); |
340 | } |
341 | |
342 | static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab) |
343 | { |
344 | int i; |
345 | |
346 | SRP_gN *gN; |
347 | if (gN_tab != NULL) { |
348 | for (i = 0; i < sk_SRP_gN_num(gN_tab); i++) { |
349 | gN = sk_SRP_gN_value(gN_tab, i); |
350 | if (gN && (id == NULL || strcmp(gN->id, id) == 0)) |
351 | return gN; |
352 | } |
353 | } |
354 | |
355 | return SRP_get_default_gN(id); |
356 | } |
357 | |
358 | static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch) |
359 | { |
360 | int i; |
361 | if (gN_cache == NULL) |
362 | return NULL; |
363 | |
364 | /* search if we have already one... */ |
365 | for (i = 0; i < sk_SRP_gN_cache_num(gN_cache); i++) { |
366 | SRP_gN_cache *cache = sk_SRP_gN_cache_value(gN_cache, i); |
367 | if (strcmp(cache->b64_bn, ch) == 0) |
368 | return cache->bn; |
369 | } |
370 | { /* it is the first time that we find it */ |
371 | SRP_gN_cache *newgN = SRP_gN_new_init(ch); |
372 | if (newgN) { |
373 | if (sk_SRP_gN_cache_insert(gN_cache, newgN, 0) > 0) |
374 | return newgN->bn; |
375 | SRP_gN_free(newgN); |
376 | } |
377 | } |
378 | return NULL; |
379 | } |
380 | |
381 | /* |
382 | * This function parses the verifier file generated by the srp app. |
383 | * The format for each entry is: |
384 | * V base64(verifier) base64(salt) username gNid userinfo(optional) |
385 | * or |
386 | * I base64(N) base64(g) |
387 | * Note that base64 is the SRP variant of base64 encoding described |
388 | * in t_fromb64(). |
389 | */ |
390 | |
391 | int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) |
392 | { |
393 | int error_code; |
394 | STACK_OF(SRP_gN) *SRP_gN_tab = sk_SRP_gN_new_null(); |
395 | char *last_index = NULL; |
396 | int i; |
397 | char **pp; |
398 | |
399 | SRP_gN *gN = NULL; |
400 | SRP_user_pwd *user_pwd = NULL; |
401 | |
402 | TXT_DB *tmpdb = NULL; |
403 | BIO *in = BIO_new(BIO_s_file()); |
404 | |
405 | error_code = SRP_ERR_OPEN_FILE; |
406 | |
407 | if (in == NULL || BIO_read_filename(in, verifier_file) <= 0) |
408 | goto err; |
409 | |
410 | error_code = SRP_ERR_VBASE_INCOMPLETE_FILE; |
411 | |
412 | if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL) |
413 | goto err; |
414 | |
415 | error_code = SRP_ERR_MEMORY; |
416 | |
417 | if (vb->seed_key) { |
418 | last_index = SRP_get_default_gN(NULL)->id; |
419 | } |
420 | for (i = 0; i < sk_OPENSSL_PSTRING_num(tmpdb->data); i++) { |
421 | pp = sk_OPENSSL_PSTRING_value(tmpdb->data, i); |
422 | if (pp[DB_srptype][0] == DB_SRP_INDEX) { |
423 | /* |
424 | * we add this couple in the internal Stack |
425 | */ |
426 | |
427 | if ((gN = OPENSSL_malloc(sizeof(*gN))) == NULL) |
428 | goto err; |
429 | |
430 | if ((gN->id = OPENSSL_strdup(pp[DB_srpid])) == NULL |
431 | || (gN->N = SRP_gN_place_bn(vb->gN_cache, pp[DB_srpverifier])) |
432 | == NULL |
433 | || (gN->g = SRP_gN_place_bn(vb->gN_cache, pp[DB_srpsalt])) |
434 | == NULL |
435 | || sk_SRP_gN_insert(SRP_gN_tab, gN, 0) == 0) |
436 | goto err; |
437 | |
438 | gN = NULL; |
439 | |
440 | if (vb->seed_key != NULL) { |
441 | last_index = pp[DB_srpid]; |
442 | } |
443 | } else if (pp[DB_srptype][0] == DB_SRP_VALID) { |
444 | /* it is a user .... */ |
445 | const SRP_gN *lgN; |
446 | |
447 | if ((lgN = SRP_get_gN_by_id(pp[DB_srpgN], SRP_gN_tab)) != NULL) { |
448 | error_code = SRP_ERR_MEMORY; |
449 | if ((user_pwd = SRP_user_pwd_new()) == NULL) |
450 | goto err; |
451 | |
452 | SRP_user_pwd_set_gN(user_pwd, lgN->g, lgN->N); |
453 | if (!SRP_user_pwd_set1_ids |
454 | (user_pwd, pp[DB_srpid], pp[DB_srpinfo])) |
455 | goto err; |
456 | |
457 | error_code = SRP_ERR_VBASE_BN_LIB; |
458 | if (!SRP_user_pwd_set_sv |
459 | (user_pwd, pp[DB_srpsalt], pp[DB_srpverifier])) |
460 | goto err; |
461 | |
462 | if (sk_SRP_user_pwd_insert(vb->users_pwd, user_pwd, 0) == 0) |
463 | goto err; |
464 | user_pwd = NULL; /* abandon responsibility */ |
465 | } |
466 | } |
467 | } |
468 | |
469 | if (last_index != NULL) { |
470 | /* this means that we want to simulate a default user */ |
471 | |
472 | if (((gN = SRP_get_gN_by_id(last_index, SRP_gN_tab)) == NULL)) { |
473 | error_code = SRP_ERR_VBASE_BN_LIB; |
474 | goto err; |
475 | } |
476 | vb->default_g = gN->g; |
477 | vb->default_N = gN->N; |
478 | gN = NULL; |
479 | } |
480 | error_code = SRP_NO_ERROR; |
481 | |
482 | err: |
483 | /* |
484 | * there may be still some leaks to fix, if this fails, the application |
485 | * terminates most likely |
486 | */ |
487 | |
488 | if (gN != NULL) { |
489 | OPENSSL_free(gN->id); |
490 | OPENSSL_free(gN); |
491 | } |
492 | |
493 | SRP_user_pwd_free(user_pwd); |
494 | |
495 | TXT_DB_free(tmpdb); |
496 | BIO_free_all(in); |
497 | |
498 | sk_SRP_gN_free(SRP_gN_tab); |
499 | |
500 | return error_code; |
501 | |
502 | } |
503 | |
504 | static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username) |
505 | { |
506 | int i; |
507 | SRP_user_pwd *user; |
508 | |
509 | if (vb == NULL) |
510 | return NULL; |
511 | |
512 | for (i = 0; i < sk_SRP_user_pwd_num(vb->users_pwd); i++) { |
513 | user = sk_SRP_user_pwd_value(vb->users_pwd, i); |
514 | if (strcmp(user->id, username) == 0) |
515 | return user; |
516 | } |
517 | |
518 | return NULL; |
519 | } |
520 | |
521 | int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd) |
522 | { |
523 | if (sk_SRP_user_pwd_push(vb->users_pwd, user_pwd) <= 0) |
524 | return 0; |
525 | return 1; |
526 | } |
527 | |
528 | # ifndef OPENSSL_NO_DEPRECATED_1_1_0 |
529 | /* |
530 | * DEPRECATED: use SRP_VBASE_get1_by_user instead. |
531 | * This method ignores the configured seed and fails for an unknown user. |
532 | * Ownership of the returned pointer is not released to the caller. |
533 | * In other words, caller must not free the result. |
534 | */ |
535 | SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username) |
536 | { |
537 | return find_user(vb, username); |
538 | } |
539 | # endif |
540 | |
541 | /* |
542 | * Ownership of the returned pointer is released to the caller. |
543 | * In other words, caller must free the result once done. |
544 | */ |
545 | SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) |
546 | { |
547 | SRP_user_pwd *user; |
548 | unsigned char digv[SHA_DIGEST_LENGTH]; |
549 | unsigned char digs[SHA_DIGEST_LENGTH]; |
550 | EVP_MD_CTX *ctxt = NULL; |
551 | |
552 | if (vb == NULL) |
553 | return NULL; |
554 | |
555 | if ((user = find_user(vb, username)) != NULL) |
556 | return srp_user_pwd_dup(user); |
557 | |
558 | if ((vb->seed_key == NULL) || |
559 | (vb->default_g == NULL) || (vb->default_N == NULL)) |
560 | return NULL; |
561 | |
562 | /* if the user is unknown we set parameters as well if we have a seed_key */ |
563 | |
564 | if ((user = SRP_user_pwd_new()) == NULL) |
565 | return NULL; |
566 | |
567 | SRP_user_pwd_set_gN(user, vb->default_g, vb->default_N); |
568 | |
569 | if (!SRP_user_pwd_set1_ids(user, username, NULL)) |
570 | goto err; |
571 | |
572 | if (RAND_priv_bytes(digv, SHA_DIGEST_LENGTH) <= 0) |
573 | goto err; |
574 | ctxt = EVP_MD_CTX_new(); |
575 | if (ctxt == NULL |
576 | || !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL) |
577 | || !EVP_DigestUpdate(ctxt, vb->seed_key, strlen(vb->seed_key)) |
578 | || !EVP_DigestUpdate(ctxt, username, strlen(username)) |
579 | || !EVP_DigestFinal_ex(ctxt, digs, NULL)) |
580 | goto err; |
581 | EVP_MD_CTX_free(ctxt); |
582 | ctxt = NULL; |
583 | if (SRP_user_pwd_set0_sv(user, |
584 | BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL), |
585 | BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL))) |
586 | return user; |
587 | |
588 | err: |
589 | EVP_MD_CTX_free(ctxt); |
590 | SRP_user_pwd_free(user); |
591 | return NULL; |
592 | } |
593 | |
594 | /* |
595 | * create a verifier (*salt,*verifier,g and N are in base64) |
596 | */ |
597 | char *SRP_create_verifier(const char *user, const char *pass, char **salt, |
598 | char **verifier, const char *N, const char *g) |
599 | { |
600 | int len; |
601 | char *result = NULL, *vf = NULL; |
602 | const BIGNUM *N_bn = NULL, *g_bn = NULL; |
603 | BIGNUM *N_bn_alloc = NULL, *g_bn_alloc = NULL, *s = NULL, *v = NULL; |
604 | unsigned char tmp[MAX_LEN]; |
605 | unsigned char tmp2[MAX_LEN]; |
606 | char *defgNid = NULL; |
607 | int vfsize = 0; |
608 | |
609 | if ((user == NULL) || |
610 | (pass == NULL) || (salt == NULL) || (verifier == NULL)) |
611 | goto err; |
612 | |
613 | if (N) { |
614 | if ((len = t_fromb64(tmp, sizeof(tmp), N)) <= 0) |
615 | goto err; |
616 | N_bn_alloc = BN_bin2bn(tmp, len, NULL); |
617 | if (N_bn_alloc == NULL) |
618 | goto err; |
619 | N_bn = N_bn_alloc; |
620 | if ((len = t_fromb64(tmp, sizeof(tmp) ,g)) <= 0) |
621 | goto err; |
622 | g_bn_alloc = BN_bin2bn(tmp, len, NULL); |
623 | if (g_bn_alloc == NULL) |
624 | goto err; |
625 | g_bn = g_bn_alloc; |
626 | defgNid = "*" ; |
627 | } else { |
628 | SRP_gN *gN = SRP_get_default_gN(g); |
629 | if (gN == NULL) |
630 | goto err; |
631 | N_bn = gN->N; |
632 | g_bn = gN->g; |
633 | defgNid = gN->id; |
634 | } |
635 | |
636 | if (*salt == NULL) { |
637 | if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) |
638 | goto err; |
639 | |
640 | s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); |
641 | } else { |
642 | if ((len = t_fromb64(tmp2, sizeof(tmp2), *salt)) <= 0) |
643 | goto err; |
644 | s = BN_bin2bn(tmp2, len, NULL); |
645 | } |
646 | if (s == NULL) |
647 | goto err; |
648 | |
649 | if (!SRP_create_verifier_BN(user, pass, &s, &v, N_bn, g_bn)) |
650 | goto err; |
651 | |
652 | if (BN_bn2bin(v, tmp) < 0) |
653 | goto err; |
654 | vfsize = BN_num_bytes(v) * 2; |
655 | if (((vf = OPENSSL_malloc(vfsize)) == NULL)) |
656 | goto err; |
657 | if (!t_tob64(vf, tmp, BN_num_bytes(v))) |
658 | goto err; |
659 | |
660 | if (*salt == NULL) { |
661 | char *tmp_salt; |
662 | |
663 | if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) { |
664 | goto err; |
665 | } |
666 | if (!t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN)) { |
667 | OPENSSL_free(tmp_salt); |
668 | goto err; |
669 | } |
670 | *salt = tmp_salt; |
671 | } |
672 | |
673 | *verifier = vf; |
674 | vf = NULL; |
675 | result = defgNid; |
676 | |
677 | err: |
678 | BN_free(N_bn_alloc); |
679 | BN_free(g_bn_alloc); |
680 | OPENSSL_clear_free(vf, vfsize); |
681 | BN_clear_free(s); |
682 | BN_clear_free(v); |
683 | return result; |
684 | } |
685 | |
686 | /* |
687 | * create a verifier (*salt,*verifier,g and N are BIGNUMs). If *salt != NULL |
688 | * then the provided salt will be used. On successful exit *verifier will point |
689 | * to a newly allocated BIGNUM containing the verifier and (if a salt was not |
690 | * provided) *salt will be populated with a newly allocated BIGNUM containing a |
691 | * random salt. |
692 | * The caller is responsible for freeing the allocated *salt and *verifier |
693 | * BIGNUMS. |
694 | */ |
695 | int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, |
696 | BIGNUM **verifier, const BIGNUM *N, |
697 | const BIGNUM *g) |
698 | { |
699 | int result = 0; |
700 | BIGNUM *x = NULL; |
701 | BN_CTX *bn_ctx = BN_CTX_new(); |
702 | unsigned char tmp2[MAX_LEN]; |
703 | BIGNUM *salttmp = NULL; |
704 | |
705 | if ((user == NULL) || |
706 | (pass == NULL) || |
707 | (salt == NULL) || |
708 | (verifier == NULL) || (N == NULL) || (g == NULL) || (bn_ctx == NULL)) |
709 | goto err; |
710 | |
711 | if (*salt == NULL) { |
712 | if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) |
713 | goto err; |
714 | |
715 | salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); |
716 | if (salttmp == NULL) |
717 | goto err; |
718 | } else { |
719 | salttmp = *salt; |
720 | } |
721 | |
722 | x = SRP_Calc_x(salttmp, user, pass); |
723 | if (x == NULL) |
724 | goto err; |
725 | |
726 | *verifier = BN_new(); |
727 | if (*verifier == NULL) |
728 | goto err; |
729 | |
730 | if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) { |
731 | BN_clear_free(*verifier); |
732 | goto err; |
733 | } |
734 | |
735 | result = 1; |
736 | *salt = salttmp; |
737 | |
738 | err: |
739 | if (salt != NULL && *salt != salttmp) |
740 | BN_clear_free(salttmp); |
741 | BN_clear_free(x); |
742 | BN_CTX_free(bn_ctx); |
743 | return result; |
744 | } |
745 | |
746 | #endif |
747 | |