1/* 2 * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2004, EdelKey Project. All Rights Reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 * 10 * Originally written by Christophe Renou and Peter Sylvester, 11 * for the EdelKey project. 12 */ 13 14/* All the SRP APIs in this file are deprecated */ 15#define OPENSSL_SUPPRESS_DEPRECATED 16 17#ifndef OPENSSL_NO_SRP 18# include "internal/cryptlib.h" 19# include "crypto/evp.h" 20# include <openssl/sha.h> 21# include <openssl/srp.h> 22# include <openssl/evp.h> 23# include <openssl/buffer.h> 24# include <openssl/rand.h> 25# include <openssl/txt_db.h> 26# include <openssl/err.h> 27 28# define SRP_RANDOM_SALT_LEN 20 29# define MAX_LEN 2500 30 31/* 32 * Note that SRP uses its own variant of base 64 encoding. A different base64 33 * alphabet is used and no padding '=' characters are added. Instead we pad to 34 * the front with 0 bytes and subsequently strip off leading encoded padding. 35 * This variant is used for compatibility with other SRP implementations - 36 * notably libsrp, but also others. It is also required for backwards 37 * compatibility in order to load verifier files from other OpenSSL versions. 38 */ 39 40/* 41 * Convert a base64 string into raw byte array representation. 42 * Returns the length of the decoded data, or -1 on error. 43 */ 44static int t_fromb64(unsigned char *a, size_t alen, const char *src) 45{ 46 EVP_ENCODE_CTX *ctx; 47 int outl = 0, outl2 = 0; 48 size_t size, padsize; 49 const unsigned char *pad = (const unsigned char *)"00"; 50 51 while (*src == ' ' || *src == '\t' || *src == '\n') 52 ++src; 53 size = strlen(src); 54 padsize = 4 - (size & 3); 55 padsize &= 3; 56 57 /* Four bytes in src become three bytes output. */ 58 if (size > INT_MAX || ((size + padsize) / 4) * 3 > alen) 59 return -1; 60 61 ctx = EVP_ENCODE_CTX_new(); 62 if (ctx == NULL) 63 return -1; 64 65 /* 66 * This should never occur because 1 byte of data always requires 2 bytes of 67 * encoding, i.e. 68 * 0 bytes unencoded = 0 bytes encoded 69 * 1 byte unencoded = 2 bytes encoded 70 * 2 bytes unencoded = 3 bytes encoded 71 * 3 bytes unencoded = 4 bytes encoded 72 * 4 bytes unencoded = 6 bytes encoded 73 * etc 74 */ 75 if (padsize == 3) { 76 outl = -1; 77 goto err; 78 } 79 80 /* Valid padsize values are now 0, 1 or 2 */ 81 82 EVP_DecodeInit(ctx); 83 evp_encode_ctx_set_flags(ctx, EVP_ENCODE_CTX_USE_SRP_ALPHABET); 84 85 /* Add any encoded padding that is required */ 86 if (padsize != 0 87 && EVP_DecodeUpdate(ctx, a, &outl, pad, padsize) < 0) { 88 outl = -1; 89 goto err; 90 } 91 if (EVP_DecodeUpdate(ctx, a, &outl2, (const unsigned char *)src, size) < 0) { 92 outl = -1; 93 goto err; 94 } 95 outl += outl2; 96 EVP_DecodeFinal(ctx, a + outl, &outl2); 97 outl += outl2; 98 99 /* Strip off the leading padding */ 100 if (padsize != 0) { 101 if ((int)padsize >= outl) { 102 outl = -1; 103 goto err; 104 } 105 106 /* 107 * If we added 1 byte of padding prior to encoding then we have 2 bytes 108 * of "real" data which gets spread across 4 encoded bytes like this: 109 * (6 bits pad)(2 bits pad | 4 bits data)(6 bits data)(6 bits data) 110 * So 1 byte of pre-encoding padding results in 1 full byte of encoded 111 * padding. 112 * If we added 2 bytes of padding prior to encoding this gets encoded 113 * as: 114 * (6 bits pad)(6 bits pad)(4 bits pad | 2 bits data)(6 bits data) 115 * So 2 bytes of pre-encoding padding results in 2 full bytes of encoded 116 * padding, i.e. we have to strip the same number of bytes of padding 117 * from the encoded data as we added to the pre-encoded data. 118 */ 119 memmove(a, a + padsize, outl - padsize); 120 outl -= padsize; 121 } 122 123 err: 124 EVP_ENCODE_CTX_free(ctx); 125 126 return outl; 127} 128 129/* 130 * Convert a raw byte string into a null-terminated base64 ASCII string. 131 * Returns 1 on success or 0 on error. 132 */ 133static int t_tob64(char *dst, const unsigned char *src, int size) 134{ 135 EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new(); 136 int outl = 0, outl2 = 0; 137 unsigned char pad[2] = {0, 0}; 138 size_t leadz = 0; 139 140 if (ctx == NULL) 141 return 0; 142 143 EVP_EncodeInit(ctx); 144 evp_encode_ctx_set_flags(ctx, EVP_ENCODE_CTX_NO_NEWLINES 145 | EVP_ENCODE_CTX_USE_SRP_ALPHABET); 146 147 /* 148 * We pad at the front with zero bytes until the length is a multiple of 3 149 * so that EVP_EncodeUpdate/EVP_EncodeFinal does not add any of its own "=" 150 * padding 151 */ 152 leadz = 3 - (size % 3); 153 if (leadz != 3 154 && !EVP_EncodeUpdate(ctx, (unsigned char *)dst, &outl, pad, 155 leadz)) { 156 EVP_ENCODE_CTX_free(ctx); 157 return 0; 158 } 159 160 if (!EVP_EncodeUpdate(ctx, (unsigned char *)dst + outl, &outl2, src, 161 size)) { 162 EVP_ENCODE_CTX_free(ctx); 163 return 0; 164 } 165 outl += outl2; 166 EVP_EncodeFinal(ctx, (unsigned char *)dst + outl, &outl2); 167 outl += outl2; 168 169 /* Strip the encoded padding at the front */ 170 if (leadz != 3) { 171 memmove(dst, dst + leadz, outl - leadz); 172 dst[outl - leadz] = '\0'; 173 } 174 175 EVP_ENCODE_CTX_free(ctx); 176 return 1; 177} 178 179void SRP_user_pwd_free(SRP_user_pwd *user_pwd) 180{ 181 if (user_pwd == NULL) 182 return; 183 BN_free(user_pwd->s); 184 BN_clear_free(user_pwd->v); 185 OPENSSL_free(user_pwd->id); 186 OPENSSL_free(user_pwd->info); 187 OPENSSL_free(user_pwd); 188} 189 190SRP_user_pwd *SRP_user_pwd_new(void) 191{ 192 SRP_user_pwd *ret; 193 194 if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) { 195 /* ERR_raise(ERR_LIB_SRP, ERR_R_MALLOC_FAILURE); */ /*ckerr_ignore*/ 196 return NULL; 197 } 198 ret->N = NULL; 199 ret->g = NULL; 200 ret->s = NULL; 201 ret->v = NULL; 202 ret->id = NULL; 203 ret->info = NULL; 204 return ret; 205} 206 207void SRP_user_pwd_set_gN(SRP_user_pwd *vinfo, const BIGNUM *g, 208 const BIGNUM *N) 209{ 210 vinfo->N = N; 211 vinfo->g = g; 212} 213 214int SRP_user_pwd_set1_ids(SRP_user_pwd *vinfo, const char *id, 215 const char *info) 216{ 217 OPENSSL_free(vinfo->id); 218 OPENSSL_free(vinfo->info); 219 vinfo->id = NULL; 220 vinfo->info = NULL; 221 if (id != NULL && NULL == (vinfo->id = OPENSSL_strdup(id))) 222 return 0; 223 return (info == NULL || NULL != (vinfo->info = OPENSSL_strdup(info))); 224} 225 226static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s, 227 const char *v) 228{ 229 unsigned char tmp[MAX_LEN]; 230 int len; 231 232 vinfo->v = NULL; 233 vinfo->s = NULL; 234 235 len = t_fromb64(tmp, sizeof(tmp), v); 236 if (len < 0) 237 return 0; 238 if (NULL == (vinfo->v = BN_bin2bn(tmp, len, NULL))) 239 return 0; 240 len = t_fromb64(tmp, sizeof(tmp), s); 241 if (len < 0) 242 goto err; 243 vinfo->s = BN_bin2bn(tmp, len, NULL); 244 if (vinfo->s == NULL) 245 goto err; 246 return 1; 247 err: 248 BN_free(vinfo->v); 249 vinfo->v = NULL; 250 return 0; 251} 252 253int SRP_user_pwd_set0_sv(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v) 254{ 255 BN_free(vinfo->s); 256 BN_clear_free(vinfo->v); 257 vinfo->v = v; 258 vinfo->s = s; 259 return (vinfo->s != NULL && vinfo->v != NULL); 260} 261 262static SRP_user_pwd *srp_user_pwd_dup(SRP_user_pwd *src) 263{ 264 SRP_user_pwd *ret; 265 266 if (src == NULL) 267 return NULL; 268 if ((ret = SRP_user_pwd_new()) == NULL) 269 return NULL; 270 271 SRP_user_pwd_set_gN(ret, src->g, src->N); 272 if (!SRP_user_pwd_set1_ids(ret, src->id, src->info) 273 || !SRP_user_pwd_set0_sv(ret, BN_dup(src->s), BN_dup(src->v))) { 274 SRP_user_pwd_free(ret); 275 return NULL; 276 } 277 return ret; 278} 279 280SRP_VBASE *SRP_VBASE_new(char *seed_key) 281{ 282 SRP_VBASE *vb = OPENSSL_malloc(sizeof(*vb)); 283 284 if (vb == NULL) 285 return NULL; 286 if ((vb->users_pwd = sk_SRP_user_pwd_new_null()) == NULL 287 || (vb->gN_cache = sk_SRP_gN_cache_new_null()) == NULL) { 288 OPENSSL_free(vb); 289 return NULL; 290 } 291 vb->default_g = NULL; 292 vb->default_N = NULL; 293 vb->seed_key = NULL; 294 if ((seed_key != NULL) && (vb->seed_key = OPENSSL_strdup(seed_key)) == NULL) { 295 sk_SRP_user_pwd_free(vb->users_pwd); 296 sk_SRP_gN_cache_free(vb->gN_cache); 297 OPENSSL_free(vb); 298 return NULL; 299 } 300 return vb; 301} 302 303void SRP_VBASE_free(SRP_VBASE *vb) 304{ 305 if (!vb) 306 return; 307 sk_SRP_user_pwd_pop_free(vb->users_pwd, SRP_user_pwd_free); 308 sk_SRP_gN_cache_free(vb->gN_cache); 309 OPENSSL_free(vb->seed_key); 310 OPENSSL_free(vb); 311} 312 313static SRP_gN_cache *SRP_gN_new_init(const char *ch) 314{ 315 unsigned char tmp[MAX_LEN]; 316 int len; 317 SRP_gN_cache *newgN = OPENSSL_malloc(sizeof(*newgN)); 318 319 if (newgN == NULL) 320 return NULL; 321 322 len = t_fromb64(tmp, sizeof(tmp), ch); 323 if (len < 0) 324 goto err; 325 326 if ((newgN->b64_bn = OPENSSL_strdup(ch)) == NULL) 327 goto err; 328 329 if ((newgN->bn = BN_bin2bn(tmp, len, NULL))) 330 return newgN; 331 332 OPENSSL_free(newgN->b64_bn); 333 err: 334 OPENSSL_free(newgN); 335 return NULL; 336} 337 338static void SRP_gN_free(SRP_gN_cache *gN_cache) 339{ 340 if (gN_cache == NULL) 341 return; 342 OPENSSL_free(gN_cache->b64_bn); 343 BN_free(gN_cache->bn); 344 OPENSSL_free(gN_cache); 345} 346 347static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab) 348{ 349 int i; 350 351 SRP_gN *gN; 352 if (gN_tab != NULL) { 353 for (i = 0; i < sk_SRP_gN_num(gN_tab); i++) { 354 gN = sk_SRP_gN_value(gN_tab, i); 355 if (gN && (id == NULL || strcmp(gN->id, id) == 0)) 356 return gN; 357 } 358 } 359 360 return SRP_get_default_gN(id); 361} 362 363static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch) 364{ 365 int i; 366 if (gN_cache == NULL) 367 return NULL; 368 369 /* search if we have already one... */ 370 for (i = 0; i < sk_SRP_gN_cache_num(gN_cache); i++) { 371 SRP_gN_cache *cache = sk_SRP_gN_cache_value(gN_cache, i); 372 if (strcmp(cache->b64_bn, ch) == 0) 373 return cache->bn; 374 } 375 { /* it is the first time that we find it */ 376 SRP_gN_cache *newgN = SRP_gN_new_init(ch); 377 if (newgN) { 378 if (sk_SRP_gN_cache_insert(gN_cache, newgN, 0) > 0) 379 return newgN->bn; 380 SRP_gN_free(newgN); 381 } 382 } 383 return NULL; 384} 385 386/* 387 * This function parses the verifier file generated by the srp app. 388 * The format for each entry is: 389 * V base64(verifier) base64(salt) username gNid userinfo(optional) 390 * or 391 * I base64(N) base64(g) 392 * Note that base64 is the SRP variant of base64 encoding described 393 * in t_fromb64(). 394 */ 395 396int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) 397{ 398 int error_code; 399 STACK_OF(SRP_gN) *SRP_gN_tab = sk_SRP_gN_new_null(); 400 char *last_index = NULL; 401 int i; 402 char **pp; 403 404 SRP_gN *gN = NULL; 405 SRP_user_pwd *user_pwd = NULL; 406 407 TXT_DB *tmpdb = NULL; 408 BIO *in = BIO_new(BIO_s_file()); 409 410 error_code = SRP_ERR_OPEN_FILE; 411 412 if (in == NULL || BIO_read_filename(in, verifier_file) <= 0) 413 goto err; 414 415 error_code = SRP_ERR_VBASE_INCOMPLETE_FILE; 416 417 if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL) 418 goto err; 419 420 error_code = SRP_ERR_MEMORY; 421 422 if (vb->seed_key) { 423 last_index = SRP_get_default_gN(NULL)->id; 424 } 425 for (i = 0; i < sk_OPENSSL_PSTRING_num(tmpdb->data); i++) { 426 pp = sk_OPENSSL_PSTRING_value(tmpdb->data, i); 427 if (pp[DB_srptype][0] == DB_SRP_INDEX) { 428 /* 429 * we add this couple in the internal Stack 430 */ 431 432 if ((gN = OPENSSL_malloc(sizeof(*gN))) == NULL) 433 goto err; 434 435 if ((gN->id = OPENSSL_strdup(pp[DB_srpid])) == NULL 436 || (gN->N = SRP_gN_place_bn(vb->gN_cache, pp[DB_srpverifier])) 437 == NULL 438 || (gN->g = SRP_gN_place_bn(vb->gN_cache, pp[DB_srpsalt])) 439 == NULL 440 || sk_SRP_gN_insert(SRP_gN_tab, gN, 0) == 0) 441 goto err; 442 443 gN = NULL; 444 445 if (vb->seed_key != NULL) { 446 last_index = pp[DB_srpid]; 447 } 448 } else if (pp[DB_srptype][0] == DB_SRP_VALID) { 449 /* it is a user .... */ 450 const SRP_gN *lgN; 451 452 if ((lgN = SRP_get_gN_by_id(pp[DB_srpgN], SRP_gN_tab)) != NULL) { 453 error_code = SRP_ERR_MEMORY; 454 if ((user_pwd = SRP_user_pwd_new()) == NULL) 455 goto err; 456 457 SRP_user_pwd_set_gN(user_pwd, lgN->g, lgN->N); 458 if (!SRP_user_pwd_set1_ids 459 (user_pwd, pp[DB_srpid], pp[DB_srpinfo])) 460 goto err; 461 462 error_code = SRP_ERR_VBASE_BN_LIB; 463 if (!SRP_user_pwd_set_sv 464 (user_pwd, pp[DB_srpsalt], pp[DB_srpverifier])) 465 goto err; 466 467 if (sk_SRP_user_pwd_insert(vb->users_pwd, user_pwd, 0) == 0) 468 goto err; 469 user_pwd = NULL; /* abandon responsibility */ 470 } 471 } 472 } 473 474 if (last_index != NULL) { 475 /* this means that we want to simulate a default user */ 476 477 if (((gN = SRP_get_gN_by_id(last_index, SRP_gN_tab)) == NULL)) { 478 error_code = SRP_ERR_VBASE_BN_LIB; 479 goto err; 480 } 481 vb->default_g = gN->g; 482 vb->default_N = gN->N; 483 gN = NULL; 484 } 485 error_code = SRP_NO_ERROR; 486 487 err: 488 /* 489 * there may be still some leaks to fix, if this fails, the application 490 * terminates most likely 491 */ 492 493 if (gN != NULL) { 494 OPENSSL_free(gN->id); 495 OPENSSL_free(gN); 496 } 497 498 SRP_user_pwd_free(user_pwd); 499 500 TXT_DB_free(tmpdb); 501 BIO_free_all(in); 502 503 sk_SRP_gN_free(SRP_gN_tab); 504 505 return error_code; 506 507} 508 509static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username) 510{ 511 int i; 512 SRP_user_pwd *user; 513 514 if (vb == NULL) 515 return NULL; 516 517 for (i = 0; i < sk_SRP_user_pwd_num(vb->users_pwd); i++) { 518 user = sk_SRP_user_pwd_value(vb->users_pwd, i); 519 if (strcmp(user->id, username) == 0) 520 return user; 521 } 522 523 return NULL; 524} 525 526int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd) 527{ 528 if (sk_SRP_user_pwd_push(vb->users_pwd, user_pwd) <= 0) 529 return 0; 530 return 1; 531} 532 533# ifndef OPENSSL_NO_DEPRECATED_1_1_0 534/* 535 * DEPRECATED: use SRP_VBASE_get1_by_user instead. 536 * This method ignores the configured seed and fails for an unknown user. 537 * Ownership of the returned pointer is not released to the caller. 538 * In other words, caller must not free the result. 539 */ 540SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username) 541{ 542 return find_user(vb, username); 543} 544# endif 545 546/* 547 * Ownership of the returned pointer is released to the caller. 548 * In other words, caller must free the result once done. 549 */ 550SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) 551{ 552 SRP_user_pwd *user; 553 unsigned char digv[SHA_DIGEST_LENGTH]; 554 unsigned char digs[SHA_DIGEST_LENGTH]; 555 EVP_MD_CTX *ctxt = NULL; 556 EVP_MD *md = NULL; 557 558 if (vb == NULL) 559 return NULL; 560 561 if ((user = find_user(vb, username)) != NULL) 562 return srp_user_pwd_dup(user); 563 564 if ((vb->seed_key == NULL) || 565 (vb->default_g == NULL) || (vb->default_N == NULL)) 566 return NULL; 567 568/* if the user is unknown we set parameters as well if we have a seed_key */ 569 570 if ((user = SRP_user_pwd_new()) == NULL) 571 return NULL; 572 573 SRP_user_pwd_set_gN(user, vb->default_g, vb->default_N); 574 575 if (!SRP_user_pwd_set1_ids(user, username, NULL)) 576 goto err; 577 578 if (RAND_priv_bytes(digv, SHA_DIGEST_LENGTH) <= 0) 579 goto err; 580 md = EVP_MD_fetch(NULL, SN_sha1, NULL); 581 if (md == NULL) 582 goto err; 583 ctxt = EVP_MD_CTX_new(); 584 if (ctxt == NULL 585 || !EVP_DigestInit_ex(ctxt, md, NULL) 586 || !EVP_DigestUpdate(ctxt, vb->seed_key, strlen(vb->seed_key)) 587 || !EVP_DigestUpdate(ctxt, username, strlen(username)) 588 || !EVP_DigestFinal_ex(ctxt, digs, NULL)) 589 goto err; 590 EVP_MD_CTX_free(ctxt); 591 ctxt = NULL; 592 EVP_MD_free(md); 593 md = NULL; 594 if (SRP_user_pwd_set0_sv(user, 595 BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL), 596 BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL))) 597 return user; 598 599 err: 600 EVP_MD_free(md); 601 EVP_MD_CTX_free(ctxt); 602 SRP_user_pwd_free(user); 603 return NULL; 604} 605 606/* 607 * create a verifier (*salt,*verifier,g and N are in base64) 608 */ 609char *SRP_create_verifier_ex(const char *user, const char *pass, char **salt, 610 char **verifier, const char *N, const char *g, 611 OSSL_LIB_CTX *libctx, const char *propq) 612{ 613 int len; 614 char *result = NULL, *vf = NULL; 615 const BIGNUM *N_bn = NULL, *g_bn = NULL; 616 BIGNUM *N_bn_alloc = NULL, *g_bn_alloc = NULL, *s = NULL, *v = NULL; 617 unsigned char tmp[MAX_LEN]; 618 unsigned char tmp2[MAX_LEN]; 619 char *defgNid = NULL; 620 int vfsize = 0; 621 622 if ((user == NULL) || 623 (pass == NULL) || (salt == NULL) || (verifier == NULL)) 624 goto err; 625 626 if (N) { 627 if ((len = t_fromb64(tmp, sizeof(tmp), N)) <= 0) 628 goto err; 629 N_bn_alloc = BN_bin2bn(tmp, len, NULL); 630 if (N_bn_alloc == NULL) 631 goto err; 632 N_bn = N_bn_alloc; 633 if ((len = t_fromb64(tmp, sizeof(tmp) ,g)) <= 0) 634 goto err; 635 g_bn_alloc = BN_bin2bn(tmp, len, NULL); 636 if (g_bn_alloc == NULL) 637 goto err; 638 g_bn = g_bn_alloc; 639 defgNid = "*"; 640 } else { 641 SRP_gN *gN = SRP_get_default_gN(g); 642 if (gN == NULL) 643 goto err; 644 N_bn = gN->N; 645 g_bn = gN->g; 646 defgNid = gN->id; 647 } 648 649 if (*salt == NULL) { 650 if (RAND_bytes_ex(libctx, tmp2, SRP_RANDOM_SALT_LEN, 0) <= 0) 651 goto err; 652 653 s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); 654 } else { 655 if ((len = t_fromb64(tmp2, sizeof(tmp2), *salt)) <= 0) 656 goto err; 657 s = BN_bin2bn(tmp2, len, NULL); 658 } 659 if (s == NULL) 660 goto err; 661 662 if (!SRP_create_verifier_BN_ex(user, pass, &s, &v, N_bn, g_bn, libctx, 663 propq)) 664 goto err; 665 666 if (BN_bn2bin(v, tmp) < 0) 667 goto err; 668 vfsize = BN_num_bytes(v) * 2; 669 if (((vf = OPENSSL_malloc(vfsize)) == NULL)) 670 goto err; 671 if (!t_tob64(vf, tmp, BN_num_bytes(v))) 672 goto err; 673 674 if (*salt == NULL) { 675 char *tmp_salt; 676 677 if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) { 678 goto err; 679 } 680 if (!t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN)) { 681 OPENSSL_free(tmp_salt); 682 goto err; 683 } 684 *salt = tmp_salt; 685 } 686 687 *verifier = vf; 688 vf = NULL; 689 result = defgNid; 690 691 err: 692 BN_free(N_bn_alloc); 693 BN_free(g_bn_alloc); 694 OPENSSL_clear_free(vf, vfsize); 695 BN_clear_free(s); 696 BN_clear_free(v); 697 return result; 698} 699 700char *SRP_create_verifier(const char *user, const char *pass, char **salt, 701 char **verifier, const char *N, const char *g) 702{ 703 return SRP_create_verifier_ex(user, pass, salt, verifier, N, g, NULL, NULL); 704} 705 706/* 707 * create a verifier (*salt,*verifier,g and N are BIGNUMs). If *salt != NULL 708 * then the provided salt will be used. On successful exit *verifier will point 709 * to a newly allocated BIGNUM containing the verifier and (if a salt was not 710 * provided) *salt will be populated with a newly allocated BIGNUM containing a 711 * random salt. 712 * The caller is responsible for freeing the allocated *salt and *verifier 713 * BIGNUMS. 714 */ 715int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, 716 BIGNUM **verifier, const BIGNUM *N, 717 const BIGNUM *g, OSSL_LIB_CTX *libctx, 718 const char *propq) 719{ 720 int result = 0; 721 BIGNUM *x = NULL; 722 BN_CTX *bn_ctx = BN_CTX_new_ex(libctx); 723 unsigned char tmp2[MAX_LEN]; 724 BIGNUM *salttmp = NULL, *verif; 725 726 if ((user == NULL) || 727 (pass == NULL) || 728 (salt == NULL) || 729 (verifier == NULL) || (N == NULL) || (g == NULL) || (bn_ctx == NULL)) 730 goto err; 731 732 if (*salt == NULL) { 733 if (RAND_bytes_ex(libctx, tmp2, SRP_RANDOM_SALT_LEN, 0) <= 0) 734 goto err; 735 736 salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); 737 if (salttmp == NULL) 738 goto err; 739 } else { 740 salttmp = *salt; 741 } 742 743 x = SRP_Calc_x_ex(salttmp, user, pass, libctx, propq); 744 if (x == NULL) 745 goto err; 746 747 verif = BN_new(); 748 if (verif == NULL) 749 goto err; 750 751 if (!BN_mod_exp(verif, g, x, N, bn_ctx)) { 752 BN_clear_free(verif); 753 goto err; 754 } 755 756 result = 1; 757 *salt = salttmp; 758 *verifier = verif; 759 760 err: 761 if (salt != NULL && *salt != salttmp) 762 BN_clear_free(salttmp); 763 BN_clear_free(x); 764 BN_CTX_free(bn_ctx); 765 return result; 766} 767 768int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, 769 BIGNUM **verifier, const BIGNUM *N, 770 const BIGNUM *g) 771{ 772 return SRP_create_verifier_BN_ex(user, pass, salt, verifier, N, g, NULL, 773 NULL); 774} 775#endif 776