1 /* srp.c
2 *
3 * Copyright (C) 2006-2021 wolfSSL Inc.
4 *
5 * This file is part of wolfSSL.
6 *
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20 */
21
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26
27 #include <wolfssl/wolfcrypt/settings.h>
28
29 #ifdef WOLFCRYPT_HAVE_SRP
30
31 #include <wolfssl/wolfcrypt/srp.h>
32 #include <wolfssl/wolfcrypt/random.h>
33 #include <wolfssl/wolfcrypt/error-crypt.h>
34
35 #ifdef NO_INLINE
36 #include <wolfssl/wolfcrypt/misc.h>
37 #else
38 #define WOLFSSL_MISC_INCLUDED
39 #include <wolfcrypt/src/misc.c>
40 #endif
41
42 /** Computes the session key using the Mask Generation Function 1. */
43 static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size);
44
SrpHashInit(SrpHash * hash,SrpType type,void * heap)45 static int SrpHashInit(SrpHash* hash, SrpType type, void* heap)
46 {
47 hash->type = type;
48
49 switch (type) {
50 case SRP_TYPE_SHA:
51 #ifndef NO_SHA
52 return wc_InitSha_ex(&hash->data.sha, heap, INVALID_DEVID);
53 #else
54 return BAD_FUNC_ARG;
55 #endif
56
57 case SRP_TYPE_SHA256:
58 #ifndef NO_SHA256
59 return wc_InitSha256_ex(&hash->data.sha256, heap, INVALID_DEVID);
60 #else
61 return BAD_FUNC_ARG;
62 #endif
63
64 case SRP_TYPE_SHA384:
65 #ifdef WOLFSSL_SHA384
66 return wc_InitSha384_ex(&hash->data.sha384, heap, INVALID_DEVID);
67 #else
68 return BAD_FUNC_ARG;
69 #endif
70
71 case SRP_TYPE_SHA512:
72 #ifdef WOLFSSL_SHA512
73 return wc_InitSha512_ex(&hash->data.sha512, heap, INVALID_DEVID);
74 #else
75 return BAD_FUNC_ARG;
76 #endif
77
78 default:
79 return BAD_FUNC_ARG;
80 }
81 }
82
SrpHashUpdate(SrpHash * hash,const byte * data,word32 size)83 static int SrpHashUpdate(SrpHash* hash, const byte* data, word32 size)
84 {
85 switch (hash->type) {
86 case SRP_TYPE_SHA:
87 #ifndef NO_SHA
88 return wc_ShaUpdate(&hash->data.sha, data, size);
89 #else
90 return BAD_FUNC_ARG;
91 #endif
92
93 case SRP_TYPE_SHA256:
94 #ifndef NO_SHA256
95 return wc_Sha256Update(&hash->data.sha256, data, size);
96 #else
97 return BAD_FUNC_ARG;
98 #endif
99
100 case SRP_TYPE_SHA384:
101 #ifdef WOLFSSL_SHA384
102 return wc_Sha384Update(&hash->data.sha384, data, size);
103 #else
104 return BAD_FUNC_ARG;
105 #endif
106
107 case SRP_TYPE_SHA512:
108 #ifdef WOLFSSL_SHA512
109 return wc_Sha512Update(&hash->data.sha512, data, size);
110 #else
111 return BAD_FUNC_ARG;
112 #endif
113
114 default:
115 return BAD_FUNC_ARG;
116 }
117 }
118
SrpHashFinal(SrpHash * hash,byte * digest)119 static int SrpHashFinal(SrpHash* hash, byte* digest)
120 {
121 switch (hash->type) {
122 case SRP_TYPE_SHA:
123 #ifndef NO_SHA
124 return wc_ShaFinal(&hash->data.sha, digest);
125 #else
126 return BAD_FUNC_ARG;
127 #endif
128
129 case SRP_TYPE_SHA256:
130 #ifndef NO_SHA256
131 return wc_Sha256Final(&hash->data.sha256, digest);
132 #else
133 return BAD_FUNC_ARG;
134 #endif
135
136 case SRP_TYPE_SHA384:
137 #ifdef WOLFSSL_SHA384
138 return wc_Sha384Final(&hash->data.sha384, digest);
139 #else
140 return BAD_FUNC_ARG;
141 #endif
142
143 case SRP_TYPE_SHA512:
144 #ifdef WOLFSSL_SHA512
145 return wc_Sha512Final(&hash->data.sha512, digest);
146 #else
147 return BAD_FUNC_ARG;
148 #endif
149
150 default:
151 return BAD_FUNC_ARG;
152 }
153 }
154
SrpHashSize(SrpType type)155 static word32 SrpHashSize(SrpType type)
156 {
157 switch (type) {
158 case SRP_TYPE_SHA:
159 #ifndef NO_SHA
160 return WC_SHA_DIGEST_SIZE;
161 #else
162 return 0;
163 #endif
164
165 case SRP_TYPE_SHA256:
166 #ifndef NO_SHA256
167 return WC_SHA256_DIGEST_SIZE;
168 #else
169 return 0;
170 #endif
171
172 case SRP_TYPE_SHA384:
173 #ifdef WOLFSSL_SHA384
174 return WC_SHA384_DIGEST_SIZE;
175 #else
176 return 0;
177 #endif
178
179 case SRP_TYPE_SHA512:
180 #ifdef WOLFSSL_SHA512
181 return WC_SHA512_DIGEST_SIZE;
182 #else
183 return 0;
184 #endif
185
186 default:
187 return 0;
188 }
189 }
190
SrpHashFree(SrpHash * hash)191 static void SrpHashFree(SrpHash* hash)
192 {
193 switch (hash->type) {
194 case SRP_TYPE_SHA:
195 #ifndef NO_SHA
196 wc_ShaFree(&hash->data.sha);
197 #endif
198 break;
199 case SRP_TYPE_SHA256:
200 #ifndef NO_SHA256
201 wc_Sha256Free(&hash->data.sha256);
202 #endif
203 break;
204 case SRP_TYPE_SHA384:
205 #ifdef WOLFSSL_SHA384
206 wc_Sha384Free(&hash->data.sha384);
207 #endif
208 break;
209 case SRP_TYPE_SHA512:
210 #ifdef WOLFSSL_SHA512
211 wc_Sha512Free(&hash->data.sha512);
212 #endif
213 break;
214 default:
215 break;
216 }
217 }
218
219
wc_SrpInit_ex(Srp * srp,SrpType type,SrpSide side,void * heap,int devId)220 int wc_SrpInit_ex(Srp* srp, SrpType type, SrpSide side, void* heap, int devId)
221 {
222 int r;
223
224 /* validating params */
225
226 if (!srp)
227 return BAD_FUNC_ARG;
228
229 if (side != SRP_CLIENT_SIDE && side != SRP_SERVER_SIDE)
230 return BAD_FUNC_ARG;
231
232 switch (type) {
233 case SRP_TYPE_SHA:
234 #ifdef NO_SHA
235 return NOT_COMPILED_IN;
236 #else
237 break; /* OK */
238 #endif
239
240 case SRP_TYPE_SHA256:
241 #ifdef NO_SHA256
242 return NOT_COMPILED_IN;
243 #else
244 break; /* OK */
245 #endif
246
247 case SRP_TYPE_SHA384:
248 #ifndef WOLFSSL_SHA384
249 return NOT_COMPILED_IN;
250 #else
251 break; /* OK */
252 #endif
253
254 case SRP_TYPE_SHA512:
255 #ifndef WOLFSSL_SHA512
256 return NOT_COMPILED_IN;
257 #else
258 break; /* OK */
259 #endif
260
261 default:
262 return BAD_FUNC_ARG;
263 }
264
265 /* initializing variables */
266 XMEMSET(srp, 0, sizeof(Srp));
267
268 if ((r = SrpHashInit(&srp->client_proof, type, srp->heap)) != 0)
269 return r;
270
271 if ((r = SrpHashInit(&srp->server_proof, type, srp->heap)) != 0) {
272 SrpHashFree(&srp->client_proof);
273 return r;
274 }
275 if ((r = mp_init_multi(&srp->N, &srp->g, &srp->auth,
276 &srp->priv, 0, 0)) != 0) {
277 SrpHashFree(&srp->client_proof);
278 SrpHashFree(&srp->server_proof);
279 return r;
280 }
281
282 srp->side = side; srp->type = type;
283 srp->salt = NULL; srp->saltSz = 0;
284 srp->user = NULL; srp->userSz = 0;
285 srp->key = NULL; srp->keySz = 0;
286
287 srp->keyGenFunc_cb = wc_SrpSetKey;
288
289 /* default heap hint to NULL or test value */
290 #ifdef WOLFSSL_HEAP_TEST
291 srp->heap = (void*)WOLFSSL_HEAP_TEST;
292 #else
293 srp->heap = heap;
294 #endif /* WOLFSSL_HEAP_TEST */
295
296 (void)devId; /* future */
297
298 return 0;
299 }
300
wc_SrpInit(Srp * srp,SrpType type,SrpSide side)301 int wc_SrpInit(Srp* srp, SrpType type, SrpSide side)
302 {
303 return wc_SrpInit_ex(srp, type, side, NULL, INVALID_DEVID);
304 }
305
wc_SrpTerm(Srp * srp)306 void wc_SrpTerm(Srp* srp)
307 {
308 if (srp) {
309 mp_clear(&srp->N); mp_clear(&srp->g);
310 mp_clear(&srp->auth); mp_clear(&srp->priv);
311 if (srp->salt) {
312 ForceZero(srp->salt, srp->saltSz);
313 XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
314 }
315 if (srp->user) {
316 ForceZero(srp->user, srp->userSz);
317 XFREE(srp->user, srp->heap, DYNAMIC_TYPE_SRP);
318 }
319 if (srp->key) {
320 ForceZero(srp->key, srp->keySz);
321 XFREE(srp->key, srp->heap, DYNAMIC_TYPE_SRP);
322 }
323
324 SrpHashFree(&srp->client_proof);
325 SrpHashFree(&srp->server_proof);
326 ForceZero(srp, sizeof(Srp));
327 }
328 }
329
wc_SrpSetUsername(Srp * srp,const byte * username,word32 size)330 int wc_SrpSetUsername(Srp* srp, const byte* username, word32 size)
331 {
332 if (!srp || !username)
333 return BAD_FUNC_ARG;
334
335 /* +1 for NULL char */
336 srp->user = (byte*)XMALLOC(size + 1, srp->heap, DYNAMIC_TYPE_SRP);
337 if (srp->user == NULL)
338 return MEMORY_E;
339
340 srp->userSz = size;
341 XMEMCPY(srp->user, username, srp->userSz);
342 srp->user[size] = '\0';
343
344 return 0;
345 }
346
wc_SrpSetParams(Srp * srp,const byte * N,word32 nSz,const byte * g,word32 gSz,const byte * salt,word32 saltSz)347 int wc_SrpSetParams(Srp* srp, const byte* N, word32 nSz,
348 const byte* g, word32 gSz,
349 const byte* salt, word32 saltSz)
350 {
351 SrpHash hash;
352 byte digest1[SRP_MAX_DIGEST_SIZE];
353 byte digest2[SRP_MAX_DIGEST_SIZE];
354 byte pad = 0;
355 int i, r;
356 int j = 0;
357
358 if (!srp || !N || !g || !salt || nSz < gSz)
359 return BAD_FUNC_ARG;
360
361 if (!srp->user)
362 return SRP_CALL_ORDER_E;
363
364 /* Set N */
365 if (mp_read_unsigned_bin(&srp->N, N, nSz) != MP_OKAY)
366 return MP_READ_E;
367
368 if (mp_count_bits(&srp->N) < SRP_MODULUS_MIN_BITS)
369 return BAD_FUNC_ARG;
370
371 /* Set g */
372 if (mp_read_unsigned_bin(&srp->g, g, gSz) != MP_OKAY)
373 return MP_READ_E;
374
375 if (mp_cmp(&srp->N, &srp->g) != MP_GT)
376 return BAD_FUNC_ARG;
377
378 /* Set salt */
379 if (srp->salt) {
380 ForceZero(srp->salt, srp->saltSz);
381 XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
382 }
383
384 srp->salt = (byte*)XMALLOC(saltSz, srp->heap, DYNAMIC_TYPE_SRP);
385 if (srp->salt == NULL)
386 return MEMORY_E;
387
388 XMEMCPY(srp->salt, salt, saltSz);
389 srp->saltSz = saltSz;
390
391 /* Set k = H(N, g) */
392 r = SrpHashInit(&hash, srp->type, srp->heap);
393 if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz);
394 for (i = 0; (word32)i < nSz - gSz; i++) {
395 if (!r) r = SrpHashUpdate(&hash, &pad, 1);
396 }
397 if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz);
398 if (!r) r = SrpHashFinal(&hash, srp->k);
399 SrpHashFree(&hash);
400
401 /* update client proof */
402
403 /* digest1 = H(N) */
404 if (!r) r = SrpHashInit(&hash, srp->type, srp->heap);
405 if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz);
406 if (!r) r = SrpHashFinal(&hash, digest1);
407 SrpHashFree(&hash);
408
409 /* digest2 = H(g) */
410 if (!r) r = SrpHashInit(&hash, srp->type, srp->heap);
411 if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz);
412 if (!r) r = SrpHashFinal(&hash, digest2);
413 SrpHashFree(&hash);
414
415 /* digest1 = H(N) ^ H(g) */
416 if (r == 0) {
417 for (i = 0, j = SrpHashSize(srp->type); i < j; i++)
418 digest1[i] ^= digest2[i];
419 }
420
421 /* digest2 = H(user) */
422 if (!r) r = SrpHashInit(&hash, srp->type, srp->heap);
423 if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz);
424 if (!r) r = SrpHashFinal(&hash, digest2);
425 SrpHashFree(&hash);
426
427 /* client proof = H( H(N) ^ H(g) | H(user) | salt) */
428 if (!r) r = SrpHashUpdate(&srp->client_proof, digest1, j);
429 if (!r) r = SrpHashUpdate(&srp->client_proof, digest2, j);
430 if (!r) r = SrpHashUpdate(&srp->client_proof, salt, saltSz);
431
432 return r;
433 }
434
wc_SrpSetPassword(Srp * srp,const byte * password,word32 size)435 int wc_SrpSetPassword(Srp* srp, const byte* password, word32 size)
436 {
437 SrpHash hash;
438 byte digest[SRP_MAX_DIGEST_SIZE];
439 word32 digestSz;
440 int r;
441
442 if (!srp || !password || srp->side != SRP_CLIENT_SIDE)
443 return BAD_FUNC_ARG;
444
445 if (!srp->salt)
446 return SRP_CALL_ORDER_E;
447
448 digestSz = SrpHashSize(srp->type);
449
450 /* digest = H(username | ':' | password) */
451 r = SrpHashInit(&hash, srp->type, srp->heap);
452 if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz);
453 if (!r) r = SrpHashUpdate(&hash, (const byte*) ":", 1);
454 if (!r) r = SrpHashUpdate(&hash, password, size);
455 if (!r) r = SrpHashFinal(&hash, digest);
456 SrpHashFree(&hash);
457
458 /* digest = H(salt | H(username | ':' | password)) */
459 if (!r) r = SrpHashInit(&hash, srp->type, srp->heap);
460 if (!r) r = SrpHashUpdate(&hash, srp->salt, srp->saltSz);
461 if (!r) r = SrpHashUpdate(&hash, digest, digestSz);
462 if (!r) r = SrpHashFinal(&hash, digest);
463 SrpHashFree(&hash);
464
465 /* Set x (private key) */
466 if (!r) r = mp_read_unsigned_bin(&srp->auth, digest, digestSz);
467
468 ForceZero(digest, SRP_MAX_DIGEST_SIZE);
469
470 return r;
471 }
472
wc_SrpGetVerifier(Srp * srp,byte * verifier,word32 * size)473 int wc_SrpGetVerifier(Srp* srp, byte* verifier, word32* size)
474 {
475 #ifdef WOLFSSL_SMALL_STACK
476 mp_int *v = NULL;
477 #else
478 mp_int v[1];
479 #endif
480 int r;
481
482 if (!srp || !verifier || !size || srp->side != SRP_CLIENT_SIDE)
483 return BAD_FUNC_ARG;
484
485 if (mp_iszero(&srp->auth) == MP_YES)
486 return SRP_CALL_ORDER_E;
487
488 #ifdef WOLFSSL_SMALL_STACK
489 if ((v = (mp_int *)XMALLOC(sizeof(*v), srp->heap, DYNAMIC_TYPE_TMP_BUFFER)) == NULL)
490 return MEMORY_E;
491 #endif
492
493 r = mp_init(v);
494 if (r != MP_OKAY)
495 r = MP_INIT_E;
496 /* v = g ^ x % N */
497 if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, v);
498 if (!r) r = *size < (word32)mp_unsigned_bin_size(v) ? BUFFER_E : MP_OKAY;
499 if (!r) r = mp_to_unsigned_bin(v, verifier);
500 if (!r) *size = mp_unsigned_bin_size(v);
501
502 mp_clear(v);
503 #ifdef WOLFSSL_SMALL_STACK
504 XFREE(v, srp->heap, DYNAMIC_TYPE_TMP_BUFFER);
505 #endif
506
507 return r;
508 }
509
wc_SrpSetVerifier(Srp * srp,const byte * verifier,word32 size)510 int wc_SrpSetVerifier(Srp* srp, const byte* verifier, word32 size)
511 {
512 if (!srp || !verifier || srp->side != SRP_SERVER_SIDE)
513 return BAD_FUNC_ARG;
514
515 return mp_read_unsigned_bin(&srp->auth, verifier, size);
516 }
517
wc_SrpSetPrivate(Srp * srp,const byte * priv,word32 size)518 int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size)
519 {
520 #ifdef WOLFSSL_SMALL_STACK
521 mp_int *p = NULL;
522 #else
523 mp_int p[1];
524 #endif
525 int r;
526
527 if (!srp || !priv || !size)
528 return BAD_FUNC_ARG;
529
530 if (mp_iszero(&srp->auth) == MP_YES)
531 return SRP_CALL_ORDER_E;
532
533 #ifdef WOLFSSL_SMALL_STACK
534 if ((p = (mp_int *)XMALLOC(sizeof(*p), srp->heap, DYNAMIC_TYPE_TMP_BUFFER)) == NULL)
535 return MEMORY_E;
536 #endif
537
538 r = mp_init(p);
539 if (r != MP_OKAY)
540 r = MP_INIT_E;
541 if (!r) r = mp_read_unsigned_bin(p, priv, size);
542 if (!r) r = mp_mod(p, &srp->N, &srp->priv);
543 if (!r) r = mp_iszero(&srp->priv) == MP_YES ? SRP_BAD_KEY_E : 0;
544
545 mp_clear(p);
546 #ifdef WOLFSSL_SMALL_STACK
547 XFREE(p, srp->heap, DYNAMIC_TYPE_TMP_BUFFER);
548 #endif
549
550 return r;
551 }
552
553 /** Generates random data using wolfcrypt RNG. */
wc_SrpGenPrivate(Srp * srp,byte * priv,word32 size)554 static int wc_SrpGenPrivate(Srp* srp, byte* priv, word32 size)
555 {
556 WC_RNG rng;
557 int r = wc_InitRng_ex(&rng, srp->heap, INVALID_DEVID);
558
559 if (!r) r = wc_RNG_GenerateBlock(&rng, priv, size);
560 if (!r) r = wc_SrpSetPrivate(srp, priv, size);
561 if (!r) wc_FreeRng(&rng);
562
563 return r;
564 }
565
wc_SrpGetPublic(Srp * srp,byte * pub,word32 * size)566 int wc_SrpGetPublic(Srp* srp, byte* pub, word32* size)
567 {
568 #ifdef WOLFSSL_SMALL_STACK
569 mp_int *pubkey = NULL;
570 #else
571 mp_int pubkey[1];
572 #endif
573 word32 modulusSz;
574 int r;
575
576 if (!srp || !pub || !size)
577 return BAD_FUNC_ARG;
578
579 if (mp_iszero(&srp->auth) == MP_YES)
580 return SRP_CALL_ORDER_E;
581
582 modulusSz = mp_unsigned_bin_size(&srp->N);
583 if (*size < modulusSz)
584 return BUFFER_E;
585
586 #ifdef WOLFSSL_SMALL_STACK
587 if ((pubkey = (mp_int *)XMALLOC(sizeof(*pubkey), srp->heap, DYNAMIC_TYPE_TMP_BUFFER)) == NULL)
588 return MEMORY_E;
589 #endif
590 r = mp_init(pubkey);
591 if (r != MP_OKAY)
592 r = MP_INIT_E;
593
594 /* priv = random() */
595 if (mp_iszero(&srp->priv) == MP_YES)
596 if (! r) r = wc_SrpGenPrivate(srp, pub, SRP_PRIVATE_KEY_MIN_BITS / 8);
597
598 /* client side: A = g ^ a % N */
599 if (srp->side == SRP_CLIENT_SIDE) {
600 if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, pubkey);
601
602 /* server side: B = (k * v + (g ^ b % N)) % N */
603 } else {
604 if (! r) {
605 #ifdef WOLFSSL_SMALL_STACK
606 mp_int *i = NULL, *j = NULL;
607 #else
608 mp_int i[1], j[1];
609 #endif
610 #ifdef WOLFSSL_SMALL_STACK
611 if (((i = (mp_int *)XMALLOC(sizeof(*i), srp->heap, DYNAMIC_TYPE_TMP_BUFFER)) == NULL) ||
612 ((j = (mp_int *)XMALLOC(sizeof(*j), srp->heap, DYNAMIC_TYPE_TMP_BUFFER)) == NULL))
613 r = MEMORY_E;
614 #endif
615 if (!r) r = mp_init_multi(i, j, 0, 0, 0, 0);
616 if (!r) r = mp_read_unsigned_bin(i, srp->k,SrpHashSize(srp->type));
617 if (!r) r = mp_iszero(i) == MP_YES ? SRP_BAD_KEY_E : 0;
618 if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, pubkey);
619 if (!r) r = mp_mulmod(i, &srp->auth, &srp->N, j);
620 if (!r) r = mp_add(j, pubkey, i);
621 if (!r) r = mp_mod(i, &srp->N, pubkey);
622 #ifdef WOLFSSL_SMALL_STACK
623 if (i != NULL) {
624 mp_clear(i);
625 XFREE(i, srp->heap, DYNAMIC_TYPE_TMP_BUFFER);
626 }
627 if (j != NULL) {
628 mp_clear(j);
629 XFREE(j, srp->heap, DYNAMIC_TYPE_TMP_BUFFER);
630 }
631 #else
632 mp_clear(i); mp_clear(j);
633 #endif
634 }
635 }
636
637 /* extract public key to buffer */
638 XMEMSET(pub, 0, modulusSz);
639 if (!r) r = mp_to_unsigned_bin(pubkey, pub);
640 if (!r) *size = mp_unsigned_bin_size(pubkey);
641
642 mp_clear(pubkey);
643 #ifdef WOLFSSL_SMALL_STACK
644 XFREE(pubkey, srp->heap, DYNAMIC_TYPE_TMP_BUFFER);
645 #endif
646
647 return r;
648 }
649
wc_SrpSetKey(Srp * srp,byte * secret,word32 size)650 static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size)
651 {
652 SrpHash hash;
653 byte digest[SRP_MAX_DIGEST_SIZE];
654 word32 i, j, digestSz = SrpHashSize(srp->type);
655 byte counter[4];
656 int r = BAD_FUNC_ARG;
657
658 XMEMSET(digest, 0, SRP_MAX_DIGEST_SIZE);
659
660 srp->key = (byte*)XMALLOC(2 * digestSz, srp->heap, DYNAMIC_TYPE_SRP);
661 if (srp->key == NULL)
662 return MEMORY_E;
663
664 srp->keySz = 2 * digestSz;
665
666 for (i = j = 0; j < srp->keySz; i++) {
667 counter[0] = (i >> 24) & 0xFF;
668 counter[1] = (i >> 16) & 0xFF;
669 counter[2] = (i >> 8) & 0xFF;
670 counter[3] = i & 0xFF;
671
672 r = SrpHashInit(&hash, srp->type, srp->heap);
673 if (!r) r = SrpHashUpdate(&hash, secret, size);
674 if (!r) r = SrpHashUpdate(&hash, counter, 4);
675
676 if (!r) {
677 if (j + digestSz > srp->keySz) {
678 r = SrpHashFinal(&hash, digest);
679 XMEMCPY(srp->key + j, digest, srp->keySz - j);
680 j = srp->keySz;
681 }
682 else
683 {
684 r = SrpHashFinal(&hash, srp->key + j);
685 j += digestSz;
686 }
687 }
688 SrpHashFree(&hash);
689 if (r)
690 break;
691 }
692
693 ForceZero(digest, sizeof(digest));
694 ForceZero(&hash, sizeof(SrpHash));
695
696 return r;
697 }
698
wc_SrpComputeKey(Srp * srp,byte * clientPubKey,word32 clientPubKeySz,byte * serverPubKey,word32 serverPubKeySz)699 int wc_SrpComputeKey(Srp* srp, byte* clientPubKey, word32 clientPubKeySz,
700 byte* serverPubKey, word32 serverPubKeySz)
701 {
702 #ifdef WOLFSSL_SMALL_STACK
703 SrpHash *hash = NULL;
704 byte *digest = NULL;
705 mp_int *u = NULL;
706 mp_int *s = NULL;
707 mp_int *temp1 = NULL;
708 mp_int *temp2 = NULL;
709 #else
710 SrpHash hash[1];
711 byte digest[SRP_MAX_DIGEST_SIZE];
712 mp_int u[1], s[1], temp1[1], temp2[1];
713 #endif
714 byte *secret = NULL;
715 word32 i, secretSz, digestSz;
716 byte pad = 0;
717 int r;
718
719 /* validating params */
720
721 if (!srp || !clientPubKey || clientPubKeySz == 0
722 || !serverPubKey || serverPubKeySz == 0) {
723 return BAD_FUNC_ARG;
724 }
725
726 #ifdef WOLFSSL_SMALL_STACK
727 hash = (SrpHash *)XMALLOC(sizeof *hash, srp->heap, DYNAMIC_TYPE_SRP);
728 digest = (byte *)XMALLOC(SRP_MAX_DIGEST_SIZE, srp->heap, DYNAMIC_TYPE_SRP);
729 u = (mp_int *)XMALLOC(sizeof *u, srp->heap, DYNAMIC_TYPE_SRP);
730 s = (mp_int *)XMALLOC(sizeof *s, srp->heap, DYNAMIC_TYPE_SRP);
731 temp1 = (mp_int *)XMALLOC(sizeof *temp1, srp->heap, DYNAMIC_TYPE_SRP);
732 temp2 = (mp_int *)XMALLOC(sizeof *temp2, srp->heap, DYNAMIC_TYPE_SRP);
733
734 if ((hash == NULL) ||
735 (digest == NULL) ||
736 (u == NULL) ||
737 (s == NULL) ||
738 (temp1 == NULL) ||
739 (temp2 == NULL)) {
740 r = MEMORY_E;
741 goto out;
742 }
743 #endif
744
745 if ((mp_init_multi(u, s, temp1, temp2, 0, 0)) != MP_OKAY) {
746 r = MP_INIT_E;
747 goto out;
748 }
749
750 if (mp_iszero(&srp->priv) == MP_YES) {
751 r = SRP_CALL_ORDER_E;
752 goto out;
753 }
754
755 /* initializing variables */
756
757 if ((r = SrpHashInit(hash, srp->type, srp->heap)) != 0)
758 goto out;
759
760 digestSz = SrpHashSize(srp->type);
761 secretSz = mp_unsigned_bin_size(&srp->N);
762
763 if ((secretSz < clientPubKeySz) || (secretSz < serverPubKeySz)) {
764 r = BAD_FUNC_ARG;
765 goto out;
766 }
767
768 if ((secret = (byte*)XMALLOC(secretSz, srp->heap, DYNAMIC_TYPE_SRP)) == NULL) {
769 r = MEMORY_E;
770 goto out;
771 }
772
773 /* building u (random scrambling parameter) */
774
775 /* H(A) */
776 for (i = 0; i < secretSz - clientPubKeySz; i++) {
777 if ((r = SrpHashUpdate(hash, &pad, 1)))
778 goto out;
779 }
780
781 if ((r = SrpHashUpdate(hash, clientPubKey, clientPubKeySz)))
782 goto out;
783
784 /* H(A | B) */
785 for (i = 0; i < secretSz - serverPubKeySz; i++) {
786 if ((r = SrpHashUpdate(hash, &pad, 1)))
787 goto out;
788 }
789 if ((r = SrpHashUpdate(hash, serverPubKey, serverPubKeySz)))
790 goto out;
791
792 /* set u */
793 if ((r = SrpHashFinal(hash, digest)))
794 goto out;
795 if ((r = mp_read_unsigned_bin(u, digest, SrpHashSize(srp->type))))
796 goto out;
797 SrpHashFree(hash);
798
799 /* building s (secret) */
800
801 if (srp->side == SRP_CLIENT_SIDE) {
802
803 /* temp1 = B - k * v; rejects k == 0, B == 0 and B >= N. */
804 if ((r = mp_read_unsigned_bin(temp1, srp->k, digestSz)))
805 goto out;
806 if (mp_iszero(temp1) == MP_YES) {
807 r = SRP_BAD_KEY_E;
808 goto out;
809 }
810 if ((r = mp_exptmod(&srp->g, &srp->auth, &srp->N, temp2)))
811 goto out;
812 if ((r = mp_mulmod(temp1, temp2, &srp->N, s)))
813 goto out;
814 if ((r = mp_read_unsigned_bin(temp2, serverPubKey, serverPubKeySz)))
815 goto out;
816 if (mp_iszero(temp2) == MP_YES) {
817 r = SRP_BAD_KEY_E;
818 goto out;
819 }
820 if (mp_cmp(temp2, &srp->N) != MP_LT) {
821 r = SRP_BAD_KEY_E;
822 goto out;
823 }
824 if ((r = mp_submod(temp2, s, &srp->N, temp1)))
825 goto out;
826
827 /* temp2 = a + u * x */
828 if ((r = mp_mulmod(u, &srp->auth, &srp->N, s)))
829 goto out;
830 if ((r = mp_add(&srp->priv, s, temp2)))
831 goto out;
832
833 /* secret = temp1 ^ temp2 % N */
834 if ((r = mp_exptmod(temp1, temp2, &srp->N, s)))
835 goto out;
836
837 } else if (srp->side == SRP_SERVER_SIDE) {
838 /* temp1 = v ^ u % N */
839 if ((r = mp_exptmod(&srp->auth, u, &srp->N, temp1)))
840 goto out;
841
842 /* temp2 = A * temp1 % N; rejects A == 0, A >= N */
843 if ((r = mp_read_unsigned_bin(s, clientPubKey, clientPubKeySz)))
844 goto out;
845 if (mp_iszero(s) == MP_YES) {
846 r = SRP_BAD_KEY_E;
847 goto out;
848 }
849 if (mp_cmp(s, &srp->N) != MP_LT) {
850 r = SRP_BAD_KEY_E;
851 goto out;
852 }
853 if ((r = mp_mulmod(s, temp1, &srp->N, temp2)))
854 goto out;
855
856 /* rejects A * v ^ u % N >= 1, A * v ^ u % N == -1 % N */
857 if ((r = mp_read_unsigned_bin(temp1, (const byte*)"\001", 1)))
858 goto out;
859 if (mp_cmp(temp2, temp1) != MP_GT) {
860 r = SRP_BAD_KEY_E;
861 goto out;
862 }
863 if ((r = mp_sub(&srp->N, temp1, s)))
864 goto out;
865 if (mp_cmp(temp2, s) == MP_EQ) {
866 r = SRP_BAD_KEY_E;
867 goto out;
868 }
869
870 /* secret = temp2 * b % N */
871 if ((r = mp_exptmod(temp2, &srp->priv, &srp->N, s)))
872 goto out;
873 }
874
875 /* building session key from secret */
876
877 if ((r = mp_to_unsigned_bin(s, secret)))
878 goto out;
879 if ((r = srp->keyGenFunc_cb(srp, secret, mp_unsigned_bin_size(s))))
880 goto out;
881
882 /* updating client proof = H( H(N) ^ H(g) | H(user) | salt | A | B | K) */
883
884 if ((r = SrpHashUpdate(&srp->client_proof, clientPubKey, clientPubKeySz)))
885 goto out;
886 if ((r = SrpHashUpdate(&srp->client_proof, serverPubKey, serverPubKeySz)))
887 goto out;
888 if ((r = SrpHashUpdate(&srp->client_proof, srp->key, srp->keySz)))
889 goto out;
890
891 /* updating server proof = H(A) */
892
893 r = SrpHashUpdate(&srp->server_proof, clientPubKey, clientPubKeySz);
894
895 out:
896
897 if (secret) {
898 ForceZero(secret, secretSz);
899 XFREE(secret, srp->heap, DYNAMIC_TYPE_SRP);
900 }
901
902 #ifdef WOLFSSL_SMALL_STACK
903 if (hash)
904 XFREE(hash, srp->heap, DYNAMIC_TYPE_SRP);
905 if (digest)
906 XFREE(digest, srp->heap, DYNAMIC_TYPE_SRP);
907 if (u) {
908 if (r != MP_INIT_E)
909 mp_clear(u);
910 XFREE(u, srp->heap, DYNAMIC_TYPE_SRP);
911 }
912 if (s) {
913 if (r != MP_INIT_E)
914 mp_clear(s);
915 XFREE(s, srp->heap, DYNAMIC_TYPE_SRP);
916 }
917 if (temp1) {
918 if (r != MP_INIT_E)
919 mp_clear(temp1);
920 XFREE(temp1, srp->heap, DYNAMIC_TYPE_SRP);
921 }
922 if (temp2) {
923 if (r != MP_INIT_E)
924 mp_clear(temp2);
925 XFREE(temp2, srp->heap, DYNAMIC_TYPE_SRP);
926 }
927 #else
928 if (r != MP_INIT_E) {
929 mp_clear(u);
930 mp_clear(s);
931 mp_clear(temp1);
932 mp_clear(temp2);
933 }
934 #endif
935
936 return r;
937 }
938
wc_SrpGetProof(Srp * srp,byte * proof,word32 * size)939 int wc_SrpGetProof(Srp* srp, byte* proof, word32* size)
940 {
941 int r;
942
943 if (!srp || !proof || !size)
944 return BAD_FUNC_ARG;
945
946 if (*size < SrpHashSize(srp->type))
947 return BUFFER_E;
948
949 if ((r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE
950 ? &srp->client_proof
951 : &srp->server_proof, proof)) != 0)
952 return r;
953
954 *size = SrpHashSize(srp->type);
955
956 if (srp->side == SRP_CLIENT_SIDE) {
957 /* server proof = H( A | client proof | K) */
958 if (!r) r = SrpHashUpdate(&srp->server_proof, proof, *size);
959 if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
960 }
961
962 return r;
963 }
964
wc_SrpVerifyPeersProof(Srp * srp,byte * proof,word32 size)965 int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size)
966 {
967 byte digest[SRP_MAX_DIGEST_SIZE];
968 int r;
969
970 if (!srp || !proof)
971 return BAD_FUNC_ARG;
972
973 if (size != SrpHashSize(srp->type))
974 return BUFFER_E;
975
976 r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE ? &srp->server_proof
977 : &srp->client_proof, digest);
978
979 if (srp->side == SRP_SERVER_SIDE) {
980 /* server proof = H( A | client proof | K) */
981 if (!r) r = SrpHashUpdate(&srp->server_proof, proof, size);
982 if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
983 }
984
985 if (!r && XMEMCMP(proof, digest, size) != 0)
986 r = SRP_VERIFY_E;
987
988 return r;
989 }
990
991 #endif /* WOLFCRYPT_HAVE_SRP */
992