search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Guile: Fix `x509-certificate-dn-oid' and related functions.
[gnutls.git] / lib / gnutls_srp.c
blob7a54d2d3824076d71d040283bea9d79eef702d4f
1 /*
2 * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation
3 *
4 * Author: Nikos Mavroyanopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25 #include <gnutls_int.h>
26 #include <gnutls_errors.h>
27 #include <auth_srp.h>
28 #include <gnutls_state.h>
29
30 #ifdef ENABLE_SRP
31
32 #include <gnutls_srp.h>
33 #include <auth_srp_passwd.h>
34 #include <gnutls_mpi.h>
35 #include <gnutls_num.h>
36 #include <gnutls_helper.h>
37
38 #include "debug.h"
39
40
41 /* Here functions for SRP (like g^x mod n) are defined
42 */
43
44 int
45 _gnutls_srp_gx (opaque * text, size_t textsize, opaque ** result,
46 mpi_t g, mpi_t prime, gnutls_alloc_function galloc_func)
47 {
48 mpi_t x, e;
49 size_t result_size;
50
51 if (_gnutls_mpi_scan_nz (&x, text, &textsize))
52 {
53 gnutls_assert ();
54 return GNUTLS_E_MPI_SCAN_FAILED;
55 }
56
57 e = _gnutls_mpi_alloc_like (prime);
58 if (e == NULL)
59 {
60 gnutls_assert ();
61 _gnutls_mpi_release (&x);
62 return GNUTLS_E_MEMORY_ERROR;
63 }
64
65 /* e = g^x mod prime (n) */
66 _gnutls_mpi_powm (e, g, x, prime);
67 _gnutls_mpi_release (&x);
68
69 _gnutls_mpi_print (NULL, &result_size, e);
70 if (result != NULL)
71 {
72 *result = galloc_func (result_size);
73 if ((*result) == NULL)
74 return GNUTLS_E_MEMORY_ERROR;
75
76 _gnutls_mpi_print (*result, &result_size, e);
77 }
78
79 _gnutls_mpi_release (&e);
80
81 return result_size;
82
83 }
84
85
86 /****************
87 * Choose a random value b and calculate B = (k* v + g^b) % N.
88 * where k == SHA1(N|g)
89 * Return: B and if ret_b is not NULL b.
90 */
91 mpi_t
92 _gnutls_calc_srp_B (mpi_t * ret_b, mpi_t g, mpi_t n, mpi_t v)
93 {
94 mpi_t tmpB = NULL, tmpV = NULL;
95 mpi_t b = NULL, B = NULL, k = NULL;
96 int bits;
97
98
99 /* calculate: B = (k*v + g^b) % N
100 */
101 bits = _gnutls_mpi_get_nbits (n);
102 b = _gnutls_mpi_snew (bits);
103 if (b == NULL)
104 {
105 gnutls_assert ();
106 return NULL;
107 }
108
109 tmpV = _gnutls_mpi_alloc_like (n);
110
111 if (tmpV == NULL)
112 {
113 gnutls_assert ();
114 goto error;
115 }
116
117 _gnutls_mpi_randomize (b, bits, GCRY_STRONG_RANDOM);
118
119 tmpB = _gnutls_mpi_snew (bits);
120 if (tmpB == NULL)
121 {
122 gnutls_assert ();
123 goto error;
124 }
125
126 B = _gnutls_mpi_snew (bits);
127 if (B == NULL)
128 {
129 gnutls_assert ();
130 goto error;
131 }
132
133 k = _gnutls_calc_srp_u (n, g, n);
134 if (k == NULL)
135 {
136 gnutls_assert ();
137 goto error;
138 }
139
140 _gnutls_mpi_mulm (tmpV, k, v, n);
141 _gnutls_mpi_powm (tmpB, g, b, n);
142
143 _gnutls_mpi_addm (B, tmpV, tmpB, n);
144
145 _gnutls_mpi_release (&k);
146 _gnutls_mpi_release (&tmpB);
147 _gnutls_mpi_release (&tmpV);
148
149 if (ret_b)
150 *ret_b = b;
151 else
152 _gnutls_mpi_release (&b);
153
154 return B;
155
156 error:
157 _gnutls_mpi_release (&b);
158 _gnutls_mpi_release (&B);
159 _gnutls_mpi_release (&k);
160 _gnutls_mpi_release (&tmpB);
161 _gnutls_mpi_release (&tmpV);
162 return NULL;
163
164 }
165
166 /* This calculates the SHA1(A | B)
167 * A and B will be left-padded with zeros to fill n_size.
168 */
169 mpi_t
170 _gnutls_calc_srp_u (mpi_t A, mpi_t B, mpi_t n)
171 {
172 size_t b_size, a_size;
173 opaque *holder, hd[MAX_HASH_SIZE];
174 size_t holder_size, hash_size, n_size;
175 GNUTLS_HASH_HANDLE td;
176 int ret;
177 mpi_t res;
178
179 /* get the size of n in bytes */
180 _gnutls_mpi_print (NULL, &n_size, n);
181
182 _gnutls_mpi_print (NULL, &a_size, A);
183 _gnutls_mpi_print (NULL, &b_size, B);
184
185 if (a_size > n_size || b_size > n_size)
186 {
187 gnutls_assert ();
188 return NULL; /* internal error */
189 }
190
191 holder_size = n_size + n_size;
192
193 holder = gnutls_calloc (1, holder_size);
194 if (holder == NULL)
195 return NULL;
196
197 _gnutls_mpi_print (&holder[n_size - a_size], &a_size, A);
198 _gnutls_mpi_print (&holder[n_size + n_size - b_size], &b_size, B);
199
200 td = _gnutls_hash_init (GNUTLS_MAC_SHA1);
201 if (td == NULL)
202 {
203 gnutls_free (holder);
204 gnutls_assert ();
205 return NULL;
206 }
207 _gnutls_hash (td, holder, holder_size);
208 _gnutls_hash_deinit (td, hd);
209
210 /* convert the bytes of hd to integer
211 */
212 hash_size = 20; /* SHA */
213 ret = _gnutls_mpi_scan_nz (&res, hd, &hash_size);
214 gnutls_free (holder);
215
216 if (ret < 0)
217 {
218 gnutls_assert ();
219 return NULL;
220 }
221
222 return res;
223 }
224
225 /* S = (A * v^u) ^ b % N
226 * this is our shared key (server premaster secret)
227 */
228 mpi_t
229 _gnutls_calc_srp_S1 (mpi_t A, mpi_t b, mpi_t u, mpi_t v, mpi_t n)
230 {
231 mpi_t tmp1 = NULL, tmp2 = NULL;
232 mpi_t S = NULL;
233
234 S = _gnutls_mpi_alloc_like (n);
235 if (S == NULL)
236 return NULL;
237
238 tmp1 = _gnutls_mpi_alloc_like (n);
239 tmp2 = _gnutls_mpi_alloc_like (n);
240
241 if (tmp1 == NULL || tmp2 == NULL)
242 goto freeall;
243
244 _gnutls_mpi_powm (tmp1, v, u, n);
245 _gnutls_mpi_mulm (tmp2, A, tmp1, n);
246 _gnutls_mpi_powm (S, tmp2, b, n);
247
248 _gnutls_mpi_release (&tmp1);
249 _gnutls_mpi_release (&tmp2);
250
251 return S;
252
253 freeall:
254 _gnutls_mpi_release (&tmp1);
255 _gnutls_mpi_release (&tmp2);
256 return NULL;
257 }
258
259 /* A = g^a % N
260 * returns A and a (which is random)
261 */
262 mpi_t
263 _gnutls_calc_srp_A (mpi_t * a, mpi_t g, mpi_t n)
264 {
265 mpi_t tmpa;
266 mpi_t A;
267 int bits;
268
269 bits = _gnutls_mpi_get_nbits (n);
270 tmpa = _gnutls_mpi_snew (bits);
271 if (tmpa == NULL)
272 {
273 gnutls_assert ();
274 return NULL;
275 }
276
277 _gnutls_mpi_randomize (tmpa, bits, GCRY_STRONG_RANDOM);
278
279 A = _gnutls_mpi_snew (bits);
280 if (A == NULL)
281 {
282 gnutls_assert ();
283 _gnutls_mpi_release (&tmpa);
284 return NULL;
285 }
286 _gnutls_mpi_powm (A, g, tmpa, n);
287
288 if (a != NULL)
289 *a = tmpa;
290 else
291 _gnutls_mpi_release (&tmpa);
292
293 return A;
294 }
295
296 /* generate x = SHA(s | SHA(U | ":" | p))
297 * The output is exactly 20 bytes
298 */
299 int
300 _gnutls_calc_srp_sha (const char *username, const char *password,
301 opaque * salt, int salt_size, size_t * size,
302 void *digest)
303 {
304 GNUTLS_HASH_HANDLE td;
305 opaque res[MAX_HASH_SIZE];
306
307 *size = 20;
308
309 td = _gnutls_hash_init (GNUTLS_MAC_SHA1);
310 if (td == NULL)
311 {
312 return GNUTLS_E_MEMORY_ERROR;
313 }
314 _gnutls_hash (td, username, strlen (username));
315 _gnutls_hash (td, ":", 1);
316 _gnutls_hash (td, password, strlen (password));
317
318 _gnutls_hash_deinit (td, res);
319
320 td = _gnutls_hash_init (GNUTLS_MAC_SHA1);
321 if (td == NULL)
322 {
323 return GNUTLS_E_MEMORY_ERROR;
324 }
325
326 _gnutls_hash (td, salt, salt_size);
327 _gnutls_hash (td, res, 20); /* 20 bytes is the output of sha1 */
328
329 _gnutls_hash_deinit (td, digest);
330
331 return 0;
332 }
333
334 int
335 _gnutls_calc_srp_x (char *username, char *password, opaque * salt,
336 size_t salt_size, size_t * size, void *digest)
337 {
338
339 return _gnutls_calc_srp_sha (username, password, salt,
340 salt_size, size, digest);
341 }
342
343
344 /* S = (B - k*g^x) ^ (a + u * x) % N
345 * this is our shared key (client premaster secret)
346 */
347 mpi_t
348 _gnutls_calc_srp_S2 (mpi_t B, mpi_t g, mpi_t x, mpi_t a, mpi_t u, mpi_t n)
349 {
350 mpi_t S = NULL, tmp1 = NULL, tmp2 = NULL;
351 mpi_t tmp4 = NULL, tmp3 = NULL, k = NULL;
352
353 S = _gnutls_mpi_alloc_like (n);
354 if (S == NULL)
355 return NULL;
356
357 tmp1 = _gnutls_mpi_alloc_like (n);
358 tmp2 = _gnutls_mpi_alloc_like (n);
359 tmp3 = _gnutls_mpi_alloc_like (n);
360 if (tmp1 == NULL || tmp2 == NULL || tmp3 == NULL)
361 {
362 goto freeall;
363 }
364
365 k = _gnutls_calc_srp_u (n, g, n);
366 if (k == NULL)
367 {
368 gnutls_assert ();
369 goto freeall;
370 }
371
372 _gnutls_mpi_powm (tmp1, g, x, n); /* g^x */
373 _gnutls_mpi_mulm (tmp3, tmp1, k, n); /* k*g^x mod n */
374 _gnutls_mpi_subm (tmp2, B, tmp3, n);
375
376 tmp4 = _gnutls_mpi_alloc_like (n);
377 if (tmp4 == NULL)
378 goto freeall;
379
380 _gnutls_mpi_mul (tmp1, u, x);
381 _gnutls_mpi_add (tmp4, a, tmp1);
382 _gnutls_mpi_powm (S, tmp2, tmp4, n);
383
384 _gnutls_mpi_release (&tmp1);
385 _gnutls_mpi_release (&tmp2);
386 _gnutls_mpi_release (&tmp3);
387 _gnutls_mpi_release (&tmp4);
388 _gnutls_mpi_release (&k);
389
390 return S;
391
392 freeall:
393 _gnutls_mpi_release (&k);
394 _gnutls_mpi_release (&tmp1);
395 _gnutls_mpi_release (&tmp2);
396 _gnutls_mpi_release (&tmp3);
397 _gnutls_mpi_release (&tmp4);
398 _gnutls_mpi_release (&S);
399 return NULL;
400 }
401
402 /**
403 * gnutls_srp_free_client_credentials - Used to free an allocated gnutls_srp_client_credentials_t structure
404 * @sc: is an #gnutls_srp_client_credentials_t structure.
405 *
406 * This structure is complex enough to manipulate directly thus
407 * this helper function is provided in order to free (deallocate) it.
408 *
409 **/
410 void
411 gnutls_srp_free_client_credentials (gnutls_srp_client_credentials_t sc)
412 {
413 gnutls_free (sc->username);
414 gnutls_free (sc->password);
415 gnutls_free (sc);
416 }
417
418 /**
419 * gnutls_srp_allocate_client_credentials - Used to allocate an gnutls_srp_server_credentials_t structure
420 * @sc: is a pointer to an #gnutls_srp_server_credentials_t structure.
421 *
422 * This structure is complex enough to manipulate directly thus
423 * this helper function is provided in order to allocate it.
424 *
425 * Returns 0 on success.
426 **/
427 int
428 gnutls_srp_allocate_client_credentials (gnutls_srp_client_credentials_t * sc)
429 {
430 *sc = gnutls_calloc (1, sizeof (srp_client_credentials_st));
431
432 if (*sc == NULL)
433 return GNUTLS_E_MEMORY_ERROR;
434
435 return 0;
436 }
437
438 /**
439 * gnutls_srp_set_client_credentials - Used to set the username/password, in a gnutls_srp_client_credentials_t structure
440 * @res: is an #gnutls_srp_client_credentials_t structure.
441 * @username: is the user's userid
442 * @password: is the user's password
443 *
444 * This function sets the username and password, in a gnutls_srp_client_credentials_t structure.
445 * Those will be used in SRP authentication. @username and @password should be ASCII
446 * strings or UTF-8 strings prepared using the "SASLprep" profile of "stringprep".
447 *
448 * Returns 0 on success.
449 **/
450 int
451 gnutls_srp_set_client_credentials (gnutls_srp_client_credentials_t res,
452 const char *username, const char *password)
453 {
454
455 if (username == NULL || password == NULL)
456 {
457 gnutls_assert ();
458 return GNUTLS_E_INVALID_REQUEST;
459 }
460
461 res->username = gnutls_strdup (username);
462 if (res->username == NULL)
463 return GNUTLS_E_MEMORY_ERROR;
464
465 res->password = gnutls_strdup (password);
466 if (res->password == NULL)
467 {
468 gnutls_free (res->username);
469 return GNUTLS_E_MEMORY_ERROR;
470 }
471
472 return 0;
473 }
474
475 /**
476 * gnutls_srp_free_server_credentials - Used to free an allocated gnutls_srp_server_credentials_t structure
477 * @sc: is an #gnutls_srp_server_credentials_t structure.
478 *
479 * This structure is complex enough to manipulate directly thus
480 * this helper function is provided in order to free (deallocate) it.
481 *
482 **/
483 void
484 gnutls_srp_free_server_credentials (gnutls_srp_server_credentials_t sc)
485 {
486 gnutls_free (sc->password_file);
487 gnutls_free (sc->password_conf_file);
488
489 gnutls_free (sc);
490 }
491
492 /**
493 * gnutls_srp_allocate_server_credentials - Used to allocate an gnutls_srp_server_credentials_t structure
494 * @sc: is a pointer to an #gnutls_srp_server_credentials_t structure.
495 *
496 * This structure is complex enough to manipulate directly thus
497 * this helper function is provided in order to allocate it.
498 *
499 * Returns 0 on success.
500 **/
501 int
502 gnutls_srp_allocate_server_credentials (gnutls_srp_server_credentials_t * sc)
503 {
504 *sc = gnutls_calloc (1, sizeof (srp_server_cred_st));
505
506 if (*sc == NULL)
507 return GNUTLS_E_MEMORY_ERROR;
508
509 return 0;
510 }
511
512 /**
513 * gnutls_srp_set_server_credentials_file - Used to set the password files, in a gnutls_srp_server_credentials_t structure
514 * @res: is an #gnutls_srp_server_credentials_t structure.
515 * @password_file: is the SRP password file (tpasswd)
516 * @password_conf_file: is the SRP password conf file (tpasswd.conf)
517 *
518 * This function sets the password files, in a gnutls_srp_server_credentials_t structure.
519 * Those password files hold usernames and verifiers and will be used for SRP authentication.
520 *
521 * Returns 0 on success.
522 *
523 **/
524 int
525 gnutls_srp_set_server_credentials_file (gnutls_srp_server_credentials_t
526 res, const char *password_file,
527 const char *password_conf_file)
528 {
529
530 if (password_file == NULL || password_conf_file == NULL)
531 {
532 gnutls_assert ();
533 return GNUTLS_E_INVALID_REQUEST;
534 }
535
536 /* Check if the files can be opened */
537 if (_gnutls_file_exists (password_file) != 0)
538 {
539 gnutls_assert ();
540 return GNUTLS_E_FILE_ERROR;
541 }
542
543 if (_gnutls_file_exists (password_conf_file) != 0)
544 {
545 gnutls_assert ();
546 return GNUTLS_E_FILE_ERROR;
547 }
548
549 res->password_file = gnutls_strdup (password_file);
550 if (res->password_file == NULL)
551 {
552 gnutls_assert ();
553 return GNUTLS_E_MEMORY_ERROR;
554 }
555
556 res->password_conf_file = gnutls_strdup (password_conf_file);
557 if (res->password_conf_file == NULL)
558 {
559 gnutls_assert ();
560 gnutls_free (res->password_file);
561 res->password_file = NULL;
562 return GNUTLS_E_MEMORY_ERROR;
563 }
564
565 return 0;
566 }
567
568
569 /**
570 * gnutls_srp_set_server_credentials_function - Used to set a callback to retrieve the user's SRP credentials
571 * @cred: is a #gnutls_srp_server_credentials_t structure.
572 * @func: is the callback function
573 *
574 * This function can be used to set a callback to retrieve the user's SRP credentials.
575 * The callback's function form is:
576 * int (*callback)(gnutls_session_t, const char* username,
577 * gnutls_datum_t* salt, gnutls_datum_t *verifier, gnutls_datum_t* g,
578 * gnutls_datum_t* n);
579 *
580 * @username contains the actual username.
581 * The @salt, @verifier, @generator and @prime must be filled
582 * in using the gnutls_malloc(). For convenience @prime and @generator
583 * may also be one of the static parameters defined in extra.h.
584 *
585 * In case the callback returned a negative number then gnutls will
586 * assume that the username does not exist.
587 *
588 * In order to prevent attackers from guessing valid usernames,
589 * if a user does not exist, g and n values should be filled in
590 * using a random user's parameters. In that case the callback must
591 * return the special value (1).
592 *
593 * The callback function will only be called once per handshake.
594 * The callback function should return 0 on success, while
595 * -1 indicates an error.
596 *
597 **/
598 void
599 gnutls_srp_set_server_credentials_function (gnutls_srp_server_credentials_t
600 cred,
601 gnutls_srp_server_credentials_function
602 * func)
603 {
604 cred->pwd_callback = func;
605 }
606
607 /**
608 * gnutls_srp_set_client_credentials_function - Used to set a callback to retrieve the username and password
609 * @cred: is a #gnutls_srp_server_credentials_t structure.
610 * @func: is the callback function
611 *
612 * This function can be used to set a callback to retrieve the username and
613 * password for client SRP authentication.
614 * The callback's function form is:
615 * int (*callback)(gnutls_session_t, unsigned int times, char** username,
616 * char** password);
617 *
618 * The @username and @password must be allocated using gnutls_malloc().
619 * @times will be 0 the first time called, and 1 the second.
620 * @username and @password should be ASCII strings or UTF-8 strings
621 * prepared using the "SASLprep" profile of "stringprep".
622 *
623 * The callback function will be called once or twice per handshake.
624 * The first time called, is before the ciphersuite is negotiated.
625 * At that time if the callback returns a negative error code,
626 * the callback will be called again if SRP has been
627 * negotiated. This uses a special TLS-SRP idiom in order to avoid
628 * asking the user for SRP password and username if the server does
629 * not support SRP.
630 *
631 * The callback should not return a negative error code the second
632 * time called, since the handshake procedure will be aborted.
633 *
634 * The callback function should return 0 on success.
635 * -1 indicates an error.
636 *
637 **/
638 void
639 gnutls_srp_set_client_credentials_function (gnutls_srp_client_credentials_t
640 cred,
641 gnutls_srp_client_credentials_function
642 * func)
643 {
644 cred->get_function = func;
645 }
646
647
648 /**
649 * gnutls_srp_server_get_username - This function returns the username of the peer
650 * @session: is a gnutls session
651 *
652 * This function will return the username of the peer. This should only be
653 * called in case of SRP authentication and in case of a server.
654 * Returns NULL in case of an error.
655 *
656 **/
657 const char *
658 gnutls_srp_server_get_username (gnutls_session_t session)
659 {
660 srp_server_auth_info_t info;
661
662 CHECK_AUTH (GNUTLS_CRD_SRP, NULL);
663
664 info = _gnutls_get_auth_info (session);
665 if (info == NULL)
666 return NULL;
667 return info->username;
668 }
669
670 /**
671 * gnutls_srp_verifier - Used to calculate an SRP verifier
672 * @username: is the user's name
673 * @password: is the user's password
674 * @salt: should be some randomly generated bytes
675 * @generator: is the generator of the group
676 * @prime: is the group's prime
677 * @res: where the verifier will be stored.
678 *
679 * This function will create an SRP verifier, as specified in RFC2945.
680 * The @prime and @generator should be one of the static parameters defined
681 * in gnutls/extra.h or may be generated using the GCRYPT functions
682 * gcry_prime_generate() and gcry_prime_group_generator().
683 * The verifier will be allocated with @malloc and will be stored in @res using
684 * binary format.
685 *
686 **/
687 int
688 gnutls_srp_verifier (const char *username, const char *password,
689 const gnutls_datum_t * salt,
690 const gnutls_datum_t * generator,
691 const gnutls_datum_t * prime, gnutls_datum_t * res)
692 {
693 mpi_t _n, _g;
694 int ret;
695 size_t digest_size = 20, size;
696 opaque digest[20];
697
698 ret = _gnutls_calc_srp_sha (username, password, salt->data,
699 salt->size, &digest_size, digest);
700 if (ret < 0)
701 {
702 gnutls_assert ();
703 return ret;
704 }
705
706 size = prime->size;
707 if (_gnutls_mpi_scan_nz (&_n, prime->data, &size))
708 {
709 gnutls_assert ();
710 return GNUTLS_E_MPI_SCAN_FAILED;
711 }
712
713 size = generator->size;
714 if (_gnutls_mpi_scan_nz (&_g, generator->data, &size))
715 {
716 gnutls_assert ();
717 return GNUTLS_E_MPI_SCAN_FAILED;
718 }
719
720 ret = _gnutls_srp_gx (digest, 20, &res->data, _g, _n, malloc);
721 if (ret < 0)
722 {
723 gnutls_assert ();
724 return ret;
725 }
726 res->size = ret;
727
728 return 0;
729 }
730
731 #endif /* ENABLE_SRP */
Implementation of the SSL/TLS protocol