srp_vfy.c revision 77c6be7176c48d2ce4d5979a84876d34204eedaf
1/* crypto/srp/srp_vfy.c */ 2/* Written by Christophe Renou (christophe.renou@edelweb.fr) with 3 * the precious help of Peter Sylvester (peter.sylvester@edelweb.fr) 4 * for the EdelKey project and contributed to the OpenSSL project 2004. 5 */ 6/* ==================================================================== 7 * Copyright (c) 2004 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59#ifndef OPENSSL_NO_SRP 60#include "cryptlib.h" 61#include "srp_lcl.h" 62#include <openssl/srp.h> 63#include <openssl/evp.h> 64#include <openssl/buffer.h> 65#include <openssl/rand.h> 66#include <openssl/txt_db.h> 67 68#define SRP_RANDOM_SALT_LEN 20 69#define MAX_LEN 2500 70 71static char b64table[] = 72 "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./"; 73 74/* the following two conversion routines have been inspired by code from Stanford */ 75 76/* 77 * Convert a base64 string into raw byte array representation. 78 */ 79static int t_fromb64(unsigned char *a, const char *src) 80 { 81 char *loc; 82 int i, j; 83 int size; 84 85 while(*src && (*src == ' ' || *src == '\t' || *src == '\n')) 86 ++src; 87 size = strlen(src); 88 i = 0; 89 while(i < size) 90 { 91 loc = strchr(b64table, src[i]); 92 if(loc == (char *) 0) break; 93 else a[i] = loc - b64table; 94 ++i; 95 } 96 /* if nothing valid to process we have a zero length response */ 97 if (i == 0) 98 return 0; 99 size = i; 100 i = size - 1; 101 j = size; 102 while(1) 103 { 104 a[j] = a[i]; 105 if(--i < 0) break; 106 a[j] |= (a[i] & 3) << 6; 107 --j; 108 a[j] = (unsigned char) ((a[i] & 0x3c) >> 2); 109 if(--i < 0) break; 110 a[j] |= (a[i] & 0xf) << 4; 111 --j; 112 a[j] = (unsigned char) ((a[i] & 0x30) >> 4); 113 if(--i < 0) break; 114 a[j] |= (a[i] << 2); 115 116 a[--j] = 0; 117 if(--i < 0) break; 118 } 119 while(a[j] == 0 && j <= size) ++j; 120 i = 0; 121 while (j <= size) a[i++] = a[j++]; 122 return i; 123 } 124 125 126/* 127 * Convert a raw byte string into a null-terminated base64 ASCII string. 128 */ 129static char *t_tob64(char *dst, const unsigned char *src, int size) 130 { 131 int c, pos = size % 3; 132 unsigned char b0 = 0, b1 = 0, b2 = 0, notleading = 0; 133 char *olddst = dst; 134 135 switch(pos) 136 { 137 case 1: 138 b2 = src[0]; 139 break; 140 case 2: 141 b1 = src[0]; 142 b2 = src[1]; 143 break; 144 } 145 146 while(1) 147 { 148 c = (b0 & 0xfc) >> 2; 149 if(notleading || c != 0) 150 { 151 *dst++ = b64table[c]; 152 notleading = 1; 153 } 154 c = ((b0 & 3) << 4) | ((b1 & 0xf0) >> 4); 155 if(notleading || c != 0) 156 { 157 *dst++ = b64table[c]; 158 notleading = 1; 159 } 160 c = ((b1 & 0xf) << 2) | ((b2 & 0xc0) >> 6); 161 if(notleading || c != 0) 162 { 163 *dst++ = b64table[c]; 164 notleading = 1; 165 } 166 c = b2 & 0x3f; 167 if(notleading || c != 0) 168 { 169 *dst++ = b64table[c]; 170 notleading = 1; 171 } 172 if(pos >= size) break; 173 else 174 { 175 b0 = src[pos++]; 176 b1 = src[pos++]; 177 b2 = src[pos++]; 178 } 179 } 180 181 *dst++ = '\0'; 182 return olddst; 183 } 184 185static void SRP_user_pwd_free(SRP_user_pwd *user_pwd) 186 { 187 if (user_pwd == NULL) 188 return; 189 BN_free(user_pwd->s); 190 BN_clear_free(user_pwd->v); 191 OPENSSL_free(user_pwd->id); 192 OPENSSL_free(user_pwd->info); 193 OPENSSL_free(user_pwd); 194 } 195 196static SRP_user_pwd *SRP_user_pwd_new() 197 { 198 SRP_user_pwd *ret = OPENSSL_malloc(sizeof(SRP_user_pwd)); 199 if (ret == NULL) 200 return NULL; 201 ret->N = NULL; 202 ret->g = NULL; 203 ret->s = NULL; 204 ret->v = NULL; 205 ret->id = NULL ; 206 ret->info = NULL; 207 return ret; 208 } 209 210static void SRP_user_pwd_set_gN(SRP_user_pwd *vinfo, const BIGNUM *g, 211 const BIGNUM *N) 212 { 213 vinfo->N = N; 214 vinfo->g = g; 215 } 216 217static int SRP_user_pwd_set_ids(SRP_user_pwd *vinfo, const char *id, 218 const char *info) 219 { 220 if (id != NULL && NULL == (vinfo->id = BUF_strdup(id))) 221 return 0; 222 return (info == NULL || NULL != (vinfo->info = BUF_strdup(info))) ; 223 } 224 225static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s, 226 const char *v) 227 { 228 unsigned char tmp[MAX_LEN]; 229 int len; 230 231 if (strlen(s) > MAX_LEN || strlen(v) > MAX_LEN) 232 return 0; 233 len = t_fromb64(tmp, v); 234 if (NULL == (vinfo->v = BN_bin2bn(tmp, len, NULL)) ) 235 return 0; 236 len = t_fromb64(tmp, s); 237 return ((vinfo->s = BN_bin2bn(tmp, len, NULL)) != NULL) ; 238 } 239 240static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v) 241 { 242 vinfo->v = v; 243 vinfo->s = s; 244 return (vinfo->s != NULL && vinfo->v != NULL) ; 245 } 246 247SRP_VBASE *SRP_VBASE_new(char *seed_key) 248 { 249 SRP_VBASE *vb = (SRP_VBASE *) OPENSSL_malloc(sizeof(SRP_VBASE)); 250 251 if (vb == NULL) 252 return NULL; 253 if (!(vb->users_pwd = sk_SRP_user_pwd_new_null()) || 254 !(vb->gN_cache = sk_SRP_gN_cache_new_null())) 255 { 256 OPENSSL_free(vb); 257 return NULL; 258 } 259 vb->default_g = NULL; 260 vb->default_N = NULL; 261 vb->seed_key = NULL; 262 if ((seed_key != NULL) && 263 (vb->seed_key = BUF_strdup(seed_key)) == NULL) 264 { 265 sk_SRP_user_pwd_free(vb->users_pwd); 266 sk_SRP_gN_cache_free(vb->gN_cache); 267 OPENSSL_free(vb); 268 return NULL; 269 } 270 return vb; 271 } 272 273 274int SRP_VBASE_free(SRP_VBASE *vb) 275 { 276 sk_SRP_user_pwd_pop_free(vb->users_pwd,SRP_user_pwd_free); 277 sk_SRP_gN_cache_free(vb->gN_cache); 278 OPENSSL_free(vb->seed_key); 279 OPENSSL_free(vb); 280 return 0; 281 } 282 283 284static SRP_gN_cache *SRP_gN_new_init(const char *ch) 285 { 286 unsigned char tmp[MAX_LEN]; 287 int len; 288 289 SRP_gN_cache *newgN = (SRP_gN_cache *)OPENSSL_malloc(sizeof(SRP_gN_cache)); 290 if (newgN == NULL) 291 return NULL; 292 293 if ((newgN->b64_bn = BUF_strdup(ch)) == NULL) 294 goto err; 295 296 len = t_fromb64(tmp, ch); 297 if ((newgN->bn = BN_bin2bn(tmp, len, NULL))) 298 return newgN; 299 300 OPENSSL_free(newgN->b64_bn); 301err: 302 OPENSSL_free(newgN); 303 return NULL; 304 } 305 306 307static void SRP_gN_free(SRP_gN_cache *gN_cache) 308 { 309 if (gN_cache == NULL) 310 return; 311 OPENSSL_free(gN_cache->b64_bn); 312 BN_free(gN_cache->bn); 313 OPENSSL_free(gN_cache); 314 } 315 316static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab) 317 { 318 int i; 319 320 SRP_gN *gN; 321 if (gN_tab != NULL) 322 for(i = 0; i < sk_SRP_gN_num(gN_tab); i++) 323 { 324 gN = sk_SRP_gN_value(gN_tab, i); 325 if (gN && (id == NULL || strcmp(gN->id,id)==0)) 326 return gN; 327 } 328 329 return SRP_get_default_gN(id); 330 } 331 332static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch) 333 { 334 int i; 335 if (gN_cache == NULL) 336 return NULL; 337 338 /* search if we have already one... */ 339 for(i = 0; i < sk_SRP_gN_cache_num(gN_cache); i++) 340 { 341 SRP_gN_cache *cache = sk_SRP_gN_cache_value(gN_cache, i); 342 if (strcmp(cache->b64_bn,ch)==0) 343 return cache->bn; 344 } 345 { /* it is the first time that we find it */ 346 SRP_gN_cache *newgN = SRP_gN_new_init(ch); 347 if (newgN) 348 { 349 if (sk_SRP_gN_cache_insert(gN_cache,newgN,0)>0) 350 return newgN->bn; 351 SRP_gN_free(newgN); 352 } 353 } 354 return NULL; 355 } 356 357/* this function parses verifier file. Format is: 358 * string(index):base64(N):base64(g):0 359 * string(username):base64(v):base64(salt):int(index) 360 */ 361 362 363int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) 364 { 365 int error_code ; 366 STACK_OF(SRP_gN) *SRP_gN_tab = sk_SRP_gN_new_null(); 367 char *last_index = NULL; 368 int i; 369 char **pp; 370 371 SRP_gN *gN = NULL; 372 SRP_user_pwd *user_pwd = NULL ; 373 374 TXT_DB *tmpdb = NULL; 375 BIO *in = BIO_new(BIO_s_file()); 376 377 error_code = SRP_ERR_OPEN_FILE; 378 379 if (in == NULL || BIO_read_filename(in,verifier_file) <= 0) 380 goto err; 381 382 error_code = SRP_ERR_VBASE_INCOMPLETE_FILE; 383 384 if ((tmpdb =TXT_DB_read(in,DB_NUMBER)) == NULL) 385 goto err; 386 387 error_code = SRP_ERR_MEMORY; 388 389 390 if (vb->seed_key) 391 { 392 last_index = SRP_get_default_gN(NULL)->id; 393 } 394 for (i = 0; i < sk_OPENSSL_PSTRING_num(tmpdb->data); i++) 395 { 396 pp = sk_OPENSSL_PSTRING_value(tmpdb->data,i); 397 if (pp[DB_srptype][0] == DB_SRP_INDEX) 398 { 399 /*we add this couple in the internal Stack */ 400 401 if ((gN = (SRP_gN *)OPENSSL_malloc(sizeof(SRP_gN))) == NULL) 402 goto err; 403 404 if (!(gN->id = BUF_strdup(pp[DB_srpid])) 405 || !(gN->N = SRP_gN_place_bn(vb->gN_cache,pp[DB_srpverifier])) 406 || !(gN->g = SRP_gN_place_bn(vb->gN_cache,pp[DB_srpsalt])) 407 || sk_SRP_gN_insert(SRP_gN_tab,gN,0) == 0) 408 goto err; 409 410 gN = NULL; 411 412 if (vb->seed_key != NULL) 413 { 414 last_index = pp[DB_srpid]; 415 } 416 } 417 else if (pp[DB_srptype][0] == DB_SRP_VALID) 418 { 419 /* it is a user .... */ 420 SRP_gN *lgN; 421 if ((lgN = SRP_get_gN_by_id(pp[DB_srpgN],SRP_gN_tab))!=NULL) 422 { 423 error_code = SRP_ERR_MEMORY; 424 if ((user_pwd = SRP_user_pwd_new()) == NULL) 425 goto err; 426 427 SRP_user_pwd_set_gN(user_pwd,lgN->g,lgN->N); 428 if (!SRP_user_pwd_set_ids(user_pwd, pp[DB_srpid],pp[DB_srpinfo])) 429 goto err; 430 431 error_code = SRP_ERR_VBASE_BN_LIB; 432 if (!SRP_user_pwd_set_sv(user_pwd, pp[DB_srpsalt],pp[DB_srpverifier])) 433 goto err; 434 435 if (sk_SRP_user_pwd_insert(vb->users_pwd, user_pwd, 0) == 0) 436 goto err; 437 user_pwd = NULL; /* abandon responsability */ 438 } 439 } 440 } 441 442 if (last_index != NULL) 443 { 444 /* this means that we want to simulate a default user */ 445 446 if (((gN = SRP_get_gN_by_id(last_index,SRP_gN_tab))==NULL)) 447 { 448 error_code = SRP_ERR_VBASE_BN_LIB; 449 goto err; 450 } 451 vb->default_g = gN->g ; 452 vb->default_N = gN->N ; 453 gN = NULL ; 454 } 455 error_code = SRP_NO_ERROR; 456 457 err: 458 /* there may be still some leaks to fix, if this fails, the application terminates most likely */ 459 460 if (gN != NULL) 461 { 462 OPENSSL_free(gN->id); 463 OPENSSL_free(gN); 464 } 465 466 SRP_user_pwd_free(user_pwd); 467 468 if (tmpdb) TXT_DB_free(tmpdb); 469 if (in) BIO_free_all(in); 470 471 sk_SRP_gN_free(SRP_gN_tab); 472 473 return error_code; 474 475 } 476 477 478SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username) 479 { 480 int i; 481 SRP_user_pwd *user; 482 unsigned char digv[SHA_DIGEST_LENGTH]; 483 unsigned char digs[SHA_DIGEST_LENGTH]; 484 EVP_MD_CTX ctxt; 485 486 if (vb == NULL) 487 return NULL; 488 for(i = 0; i < sk_SRP_user_pwd_num(vb->users_pwd); i++) 489 { 490 user = sk_SRP_user_pwd_value(vb->users_pwd, i); 491 if (strcmp(user->id,username)==0) 492 return user; 493 } 494 if ((vb->seed_key == NULL) || 495 (vb->default_g == NULL) || 496 (vb->default_N == NULL)) 497 return NULL; 498 499/* if the user is unknown we set parameters as well if we have a seed_key */ 500 501 if ((user = SRP_user_pwd_new()) == NULL) 502 return NULL; 503 504 SRP_user_pwd_set_gN(user,vb->default_g,vb->default_N); 505 506 if (!SRP_user_pwd_set_ids(user,username,NULL)) 507 goto err; 508 509 RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH); 510 EVP_MD_CTX_init(&ctxt); 511 EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL); 512 EVP_DigestUpdate(&ctxt, vb->seed_key, strlen(vb->seed_key)); 513 EVP_DigestUpdate(&ctxt, username, strlen(username)); 514 EVP_DigestFinal_ex(&ctxt, digs, NULL); 515 EVP_MD_CTX_cleanup(&ctxt); 516 if (SRP_user_pwd_set_sv_BN(user, BN_bin2bn(digs,SHA_DIGEST_LENGTH,NULL), BN_bin2bn(digv,SHA_DIGEST_LENGTH, NULL))) 517 return user; 518 519err: SRP_user_pwd_free(user); 520 return NULL; 521 } 522 523 524/* 525 create a verifier (*salt,*verifier,g and N are in base64) 526*/ 527char *SRP_create_verifier(const char *user, const char *pass, char **salt, 528 char **verifier, const char *N, const char *g) 529 { 530 int len; 531 char * result=NULL; 532 char *vf; 533 BIGNUM *N_bn = NULL, *g_bn = NULL, *s = NULL, *v = NULL; 534 unsigned char tmp[MAX_LEN]; 535 unsigned char tmp2[MAX_LEN]; 536 char * defgNid = NULL; 537 538 if ((user == NULL)|| 539 (pass == NULL)|| 540 (salt == NULL)|| 541 (verifier == NULL)) 542 goto err; 543 544 if (N) 545 { 546 if (!(len = t_fromb64(tmp, N))) goto err; 547 N_bn = BN_bin2bn(tmp, len, NULL); 548 if (!(len = t_fromb64(tmp, g))) goto err; 549 g_bn = BN_bin2bn(tmp, len, NULL); 550 defgNid = "*"; 551 } 552 else 553 { 554 SRP_gN * gN = SRP_get_gN_by_id(g, NULL) ; 555 if (gN == NULL) 556 goto err; 557 N_bn = gN->N; 558 g_bn = gN->g; 559 defgNid = gN->id; 560 } 561 562 if (*salt == NULL) 563 { 564 RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN); 565 566 s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); 567 } 568 else 569 { 570 if (!(len = t_fromb64(tmp2, *salt))) 571 goto err; 572 s = BN_bin2bn(tmp2, len, NULL); 573 } 574 575 576 if(!SRP_create_verifier_BN(user, pass, &s, &v, N_bn, g_bn)) goto err; 577 578 BN_bn2bin(v,tmp); 579 if (((vf = OPENSSL_malloc(BN_num_bytes(v)*2)) == NULL)) 580 goto err; 581 t_tob64(vf, tmp, BN_num_bytes(v)); 582 583 *verifier = vf; 584 if (*salt == NULL) 585 { 586 char *tmp_salt; 587 588 if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) 589 { 590 OPENSSL_free(vf); 591 goto err; 592 } 593 t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN); 594 *salt = tmp_salt; 595 } 596 597 result=defgNid; 598 599err: 600 if(N) 601 { 602 BN_free(N_bn); 603 BN_free(g_bn); 604 } 605 return result; 606 } 607 608/* 609 create a verifier (*salt,*verifier,g and N are BIGNUMs) 610*/ 611int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, BIGNUM **verifier, BIGNUM *N, BIGNUM *g) 612 { 613 int result=0; 614 BIGNUM *x = NULL; 615 BN_CTX *bn_ctx = BN_CTX_new(); 616 unsigned char tmp2[MAX_LEN]; 617 618 if ((user == NULL)|| 619 (pass == NULL)|| 620 (salt == NULL)|| 621 (verifier == NULL)|| 622 (N == NULL)|| 623 (g == NULL)|| 624 (bn_ctx == NULL)) 625 goto err; 626 627 srp_bn_print(N); 628 srp_bn_print(g); 629 630 if (*salt == NULL) 631 { 632 RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN); 633 634 *salt = BN_bin2bn(tmp2,SRP_RANDOM_SALT_LEN,NULL); 635 } 636 637 x = SRP_Calc_x(*salt,user,pass); 638 639 *verifier = BN_new(); 640 if(*verifier == NULL) goto err; 641 642 if (!BN_mod_exp(*verifier,g,x,N,bn_ctx)) 643 { 644 BN_clear_free(*verifier); 645 goto err; 646 } 647 648 srp_bn_print(*verifier); 649 650 result=1; 651 652err: 653 654 BN_clear_free(x); 655 BN_CTX_free(bn_ctx); 656 return result; 657 } 658 659 660 661#endif 662