diff options
Diffstat (limited to 'crypto/srp/srp_vfy.c')
| -rw-r--r-- | crypto/srp/srp_vfy.c | 111 |
1 files changed, 78 insertions, 33 deletions
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 394e1180dfa4..4b842dfd9129 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -1,8 +1,8 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2004, EdelKey Project. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html @@ -11,6 +11,9 @@ * for the EdelKey project. */ +/* All the SRP APIs in this file are deprecated */ +#define OPENSSL_SUPPRESS_DEPRECATED + #ifndef OPENSSL_NO_SRP # include "internal/cryptlib.h" # include "crypto/evp.h" @@ -184,12 +187,12 @@ void SRP_user_pwd_free(SRP_user_pwd *user_pwd) OPENSSL_free(user_pwd); } -static SRP_user_pwd *SRP_user_pwd_new(void) +SRP_user_pwd *SRP_user_pwd_new(void) { SRP_user_pwd *ret; if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) { - /* SRPerr(SRP_F_SRP_USER_PWD_NEW, ERR_R_MALLOC_FAILURE); */ /*ckerr_ignore*/ + /* ERR_raise(ERR_LIB_SRP, ERR_R_MALLOC_FAILURE); */ /*ckerr_ignore*/ return NULL; } ret->N = NULL; @@ -201,16 +204,20 @@ static SRP_user_pwd *SRP_user_pwd_new(void) return ret; } -static void SRP_user_pwd_set_gN(SRP_user_pwd *vinfo, const BIGNUM *g, - const BIGNUM *N) +void SRP_user_pwd_set_gN(SRP_user_pwd *vinfo, const BIGNUM *g, + const BIGNUM *N) { vinfo->N = N; vinfo->g = g; } -static int SRP_user_pwd_set_ids(SRP_user_pwd *vinfo, const char *id, - const char *info) +int SRP_user_pwd_set1_ids(SRP_user_pwd *vinfo, const char *id, + const char *info) { + OPENSSL_free(vinfo->id); + OPENSSL_free(vinfo->info); + vinfo->id = NULL; + vinfo->info = NULL; if (id != NULL && NULL == (vinfo->id = OPENSSL_strdup(id))) return 0; return (info == NULL || NULL != (vinfo->info = OPENSSL_strdup(info))); @@ -243,8 +250,10 @@ static int SRP_user_pwd_set_sv(SRP_user_pwd *vinfo, const char *s, return 0; } -static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v) +int SRP_user_pwd_set0_sv(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v) { + BN_free(vinfo->s); + BN_clear_free(vinfo->v); vinfo->v = v; vinfo->s = s; return (vinfo->s != NULL && vinfo->v != NULL); @@ -260,8 +269,8 @@ static SRP_user_pwd *srp_user_pwd_dup(SRP_user_pwd *src) return NULL; SRP_user_pwd_set_gN(ret, src->g, src->N); - if (!SRP_user_pwd_set_ids(ret, src->id, src->info) - || !SRP_user_pwd_set_sv_BN(ret, BN_dup(src->s), BN_dup(src->v))) { + if (!SRP_user_pwd_set1_ids(ret, src->id, src->info) + || !SRP_user_pwd_set0_sv(ret, BN_dup(src->s), BN_dup(src->v))) { SRP_user_pwd_free(ret); return NULL; } @@ -276,6 +285,7 @@ SRP_VBASE *SRP_VBASE_new(char *seed_key) return NULL; if ((vb->users_pwd = sk_SRP_user_pwd_new_null()) == NULL || (vb->gN_cache = sk_SRP_gN_cache_new_null()) == NULL) { + sk_SRP_user_pwd_free(vb->users_pwd); OPENSSL_free(vb); return NULL; } @@ -340,12 +350,13 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab) int i; SRP_gN *gN; - if (gN_tab != NULL) + if (gN_tab != NULL) { for (i = 0; i < sk_SRP_gN_num(gN_tab); i++) { gN = sk_SRP_gN_value(gN_tab, i); if (gN && (id == NULL || strcmp(gN->id, id) == 0)) return gN; } + } return SRP_get_default_gN(id); } @@ -374,9 +385,13 @@ static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch) } /* - * this function parses verifier file. Format is: - * string(index):base64(N):base64(g):0 - * string(username):base64(v):base64(salt):int(index) + * This function parses the verifier file generated by the srp app. + * The format for each entry is: + * V base64(verifier) base64(salt) username gNid userinfo(optional) + * or + * I base64(N) base64(g) + * Note that base64 is the SRP variant of base64 encoding described + * in t_fromb64(). */ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) @@ -441,7 +456,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) goto err; SRP_user_pwd_set_gN(user_pwd, lgN->g, lgN->N); - if (!SRP_user_pwd_set_ids + if (!SRP_user_pwd_set1_ids (user_pwd, pp[DB_srpid], pp[DB_srpinfo])) goto err; @@ -509,7 +524,14 @@ static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username) return NULL; } -# if OPENSSL_API_COMPAT < 0x10100000L +int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd) +{ + if (sk_SRP_user_pwd_push(vb->users_pwd, user_pwd) <= 0) + return 0; + return 1; +} + +# ifndef OPENSSL_NO_DEPRECATED_1_1_0 /* * DEPRECATED: use SRP_VBASE_get1_by_user instead. * This method ignores the configured seed and fails for an unknown user. @@ -532,6 +554,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) unsigned char digv[SHA_DIGEST_LENGTH]; unsigned char digs[SHA_DIGEST_LENGTH]; EVP_MD_CTX *ctxt = NULL; + EVP_MD *md = NULL; if (vb == NULL) return NULL; @@ -550,26 +573,32 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) SRP_user_pwd_set_gN(user, vb->default_g, vb->default_N); - if (!SRP_user_pwd_set_ids(user, username, NULL)) + if (!SRP_user_pwd_set1_ids(user, username, NULL)) goto err; if (RAND_priv_bytes(digv, SHA_DIGEST_LENGTH) <= 0) goto err; + md = EVP_MD_fetch(NULL, SN_sha1, NULL); + if (md == NULL) + goto err; ctxt = EVP_MD_CTX_new(); if (ctxt == NULL - || !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL) + || !EVP_DigestInit_ex(ctxt, md, NULL) || !EVP_DigestUpdate(ctxt, vb->seed_key, strlen(vb->seed_key)) || !EVP_DigestUpdate(ctxt, username, strlen(username)) || !EVP_DigestFinal_ex(ctxt, digs, NULL)) goto err; EVP_MD_CTX_free(ctxt); ctxt = NULL; - if (SRP_user_pwd_set_sv_BN(user, - BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL), - BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL))) + EVP_MD_free(md); + md = NULL; + if (SRP_user_pwd_set0_sv(user, + BN_bin2bn(digs, SHA_DIGEST_LENGTH, NULL), + BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL))) return user; err: + EVP_MD_free(md); EVP_MD_CTX_free(ctxt); SRP_user_pwd_free(user); return NULL; @@ -578,8 +607,9 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) /* * create a verifier (*salt,*verifier,g and N are in base64) */ -char *SRP_create_verifier(const char *user, const char *pass, char **salt, - char **verifier, const char *N, const char *g) +char *SRP_create_verifier_ex(const char *user, const char *pass, char **salt, + char **verifier, const char *N, const char *g, + OSSL_LIB_CTX *libctx, const char *propq) { int len; char *result = NULL, *vf = NULL; @@ -609,7 +639,7 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, g_bn = g_bn_alloc; defgNid = "*"; } else { - SRP_gN *gN = SRP_get_gN_by_id(g, NULL); + SRP_gN *gN = SRP_get_default_gN(g); if (gN == NULL) goto err; N_bn = gN->N; @@ -618,7 +648,7 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, } if (*salt == NULL) { - if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) + if (RAND_bytes_ex(libctx, tmp2, SRP_RANDOM_SALT_LEN, 0) <= 0) goto err; s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); @@ -630,7 +660,8 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, if (s == NULL) goto err; - if (!SRP_create_verifier_BN(user, pass, &s, &v, N_bn, g_bn)) + if (!SRP_create_verifier_BN_ex(user, pass, &s, &v, N_bn, g_bn, libctx, + propq)) goto err; if (BN_bn2bin(v, tmp) < 0) @@ -667,6 +698,12 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, return result; } +char *SRP_create_verifier(const char *user, const char *pass, char **salt, + char **verifier, const char *N, const char *g) +{ + return SRP_create_verifier_ex(user, pass, salt, verifier, N, g, NULL, NULL); +} + /* * create a verifier (*salt,*verifier,g and N are BIGNUMs). If *salt != NULL * then the provided salt will be used. On successful exit *verifier will point @@ -676,13 +713,14 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, * The caller is responsible for freeing the allocated *salt and *verifier * BIGNUMS. */ -int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, - BIGNUM **verifier, const BIGNUM *N, - const BIGNUM *g) +int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt, + BIGNUM **verifier, const BIGNUM *N, + const BIGNUM *g, OSSL_LIB_CTX *libctx, + const char *propq) { int result = 0; BIGNUM *x = NULL; - BN_CTX *bn_ctx = BN_CTX_new(); + BN_CTX *bn_ctx = BN_CTX_new_ex(libctx); unsigned char tmp2[MAX_LEN]; BIGNUM *salttmp = NULL, *verif; @@ -693,7 +731,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, goto err; if (*salt == NULL) { - if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) + if (RAND_bytes_ex(libctx, tmp2, SRP_RANDOM_SALT_LEN, 0) <= 0) goto err; salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); @@ -703,7 +741,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, salttmp = *salt; } - x = SRP_Calc_x(salttmp, user, pass); + x = SRP_Calc_x_ex(salttmp, user, pass, libctx, propq); if (x == NULL) goto err; @@ -728,4 +766,11 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, return result; } +int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, + BIGNUM **verifier, const BIGNUM *N, + const BIGNUM *g) +{ + return SRP_create_verifier_BN_ex(user, pass, salt, verifier, N, g, NULL, + NULL); +} #endif |