1 /* 2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2005 Nokia. All rights reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 /* 12 * This file is to enable backwards compatibility for the SRP features of 13 * s_client, s_server and ciphers. All of those features are deprecated and will 14 * eventually disappear. In the meantime, to continue to support them, we 15 * need to access deprecated SRP APIs. 16 */ 17 #define OPENSSL_SUPPRESS_DEPRECATED 18 19 #include <openssl/bn.h> 20 #include <openssl/bio.h> 21 #include <openssl/ssl.h> 22 #include <openssl/srp.h> 23 #include "apps_ui.h" 24 #include "apps.h" 25 #include "s_apps.h" 26 27 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g) 28 { 29 BN_CTX *bn_ctx = BN_CTX_new(); 30 BIGNUM *p = BN_new(); 31 BIGNUM *r = BN_new(); 32 int ret = g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) && BN_check_prime(N, bn_ctx, NULL) == 1 && p != NULL && BN_rshift1(p, N) && 33 /* p = (N-1)/2 */ 34 BN_check_prime(p, bn_ctx, NULL) == 1 && r != NULL && 35 /* verify g^((N-1)/2) == -1 (mod N) */ 36 BN_mod_exp(r, g, p, N, bn_ctx) && BN_add_word(r, 1) && BN_cmp(r, N) == 0; 37 38 BN_free(r); 39 BN_free(p); 40 BN_CTX_free(bn_ctx); 41 return ret; 42 } 43 44 /*- 45 * This callback is used here for two purposes: 46 * - extended debugging 47 * - making some primality tests for unknown groups 48 * The callback is only called for a non default group. 49 * 50 * An application does not need the call back at all if 51 * only the standard groups are used. In real life situations, 52 * client and server already share well known groups, 53 * thus there is no need to verify them. 54 * Furthermore, in case that a server actually proposes a group that 55 * is not one of those defined in RFC 5054, it is more appropriate 56 * to add the group to a static list and then compare since 57 * primality tests are rather cpu consuming. 58 */ 59 60 static int ssl_srp_verify_param_cb(SSL *s, void *arg) 61 { 62 SRP_ARG *srp_arg = (SRP_ARG *)arg; 63 BIGNUM *N = NULL, *g = NULL; 64 65 if (((N = SSL_get_srp_N(s)) == NULL) || ((g = SSL_get_srp_g(s)) == NULL)) 66 return 0; 67 if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) { 68 BIO_printf(bio_err, "SRP parameters:\n"); 69 BIO_printf(bio_err, "\tN="); 70 BN_print(bio_err, N); 71 BIO_printf(bio_err, "\n\tg="); 72 BN_print(bio_err, g); 73 BIO_printf(bio_err, "\n"); 74 } 75 76 if (SRP_check_known_gN_param(g, N)) 77 return 1; 78 79 if (srp_arg->amp == 1) { 80 if (srp_arg->debug) 81 BIO_printf(bio_err, 82 "SRP param N and g are not known params, going to check deeper.\n"); 83 84 /* 85 * The srp_moregroups is a real debugging feature. Implementers 86 * should rather add the value to the known ones. The minimal size 87 * has already been tested. 88 */ 89 if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N, g)) 90 return 1; 91 } 92 BIO_printf(bio_err, "SRP param N and g rejected.\n"); 93 return 0; 94 } 95 96 #define PWD_STRLEN 1024 97 98 static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) 99 { 100 SRP_ARG *srp_arg = (SRP_ARG *)arg; 101 char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer"); 102 PW_CB_DATA cb_tmp; 103 int l; 104 105 cb_tmp.password = (char *)srp_arg->srppassin; 106 cb_tmp.prompt_info = "SRP user"; 107 if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) { 108 BIO_printf(bio_err, "Can't read Password\n"); 109 OPENSSL_free(pass); 110 return NULL; 111 } 112 *(pass + l) = '\0'; 113 114 return pass; 115 } 116 117 int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg, 118 int c_debug) 119 { 120 if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg->srplogin)) { 121 BIO_printf(bio_err, "Unable to set SRP username\n"); 122 return 0; 123 } 124 srp_arg->msg = c_msg; 125 srp_arg->debug = c_debug; 126 SSL_CTX_set_srp_cb_arg(ctx, &srp_arg); 127 SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb); 128 SSL_CTX_set_srp_strength(ctx, srp_arg->strength); 129 if (c_msg || c_debug || srp_arg->amp == 0) 130 SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb); 131 132 return 1; 133 } 134 135 static char *dummy_srp(SSL *ssl, void *arg) 136 { 137 return ""; 138 } 139 140 void set_up_dummy_srp(SSL_CTX *ctx) 141 { 142 SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp); 143 } 144 145 /* 146 * This callback pretends to require some asynchronous logic in order to 147 * obtain a verifier. When the callback is called for a new connection we 148 * return with a negative value. This will provoke the accept etc to return 149 * with an LOOKUP_X509. The main logic of the reinvokes the suspended call 150 * (which would normally occur after a worker has finished) and we set the 151 * user parameters. 152 */ 153 static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) 154 { 155 srpsrvparm *p = (srpsrvparm *)arg; 156 int ret = SSL3_AL_FATAL; 157 158 if (p->login == NULL && p->user == NULL) { 159 p->login = SSL_get_srp_username(s); 160 BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login); 161 return -1; 162 } 163 164 if (p->user == NULL) { 165 BIO_printf(bio_err, "User %s doesn't exist\n", p->login); 166 goto err; 167 } 168 169 if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v, 170 p->user->info) 171 < 0) { 172 *ad = SSL_AD_INTERNAL_ERROR; 173 goto err; 174 } 175 BIO_printf(bio_err, 176 "SRP parameters set: username = \"%s\" info=\"%s\"\n", 177 p->login, p->user->info); 178 ret = SSL_ERROR_NONE; 179 180 err: 181 SRP_user_pwd_free(p->user); 182 p->user = NULL; 183 p->login = NULL; 184 return ret; 185 } 186 187 int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm, 188 char *srpuserseed, char *srp_verifier_file) 189 { 190 int ret; 191 192 srp_callback_parm->vb = SRP_VBASE_new(srpuserseed); 193 srp_callback_parm->user = NULL; 194 srp_callback_parm->login = NULL; 195 196 if (srp_callback_parm->vb == NULL) { 197 BIO_printf(bio_err, "Failed to initialize SRP verifier file\n"); 198 return 0; 199 } 200 if ((ret = SRP_VBASE_init(srp_callback_parm->vb, 201 srp_verifier_file)) 202 != SRP_NO_ERROR) { 203 BIO_printf(bio_err, 204 "Cannot initialize SRP verifier file \"%s\":ret=%d\n", 205 srp_verifier_file, ret); 206 return 0; 207 } 208 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback); 209 SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm); 210 SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb); 211 212 return 1; 213 } 214 215 void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out) 216 { 217 SRP_user_pwd_free(srp_callback_parm->user); 218 srp_callback_parm->user = SRP_VBASE_get1_by_user(srp_callback_parm->vb, 219 srp_callback_parm->login); 220 221 if (srp_callback_parm->user != NULL) 222 BIO_printf(bio_s_out, "LOOKUP done %s\n", 223 srp_callback_parm->user->info); 224 else 225 BIO_printf(bio_s_out, "LOOKUP not successful\n"); 226 } 227