123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919 |
- /* srp.c
- *
- * Copyright (C) 2006-2020 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- #include <wolfssl/wolfcrypt/settings.h>
- #ifdef WOLFCRYPT_HAVE_SRP
- #include <wolfssl/wolfcrypt/srp.h>
- #include <wolfssl/wolfcrypt/random.h>
- #include <wolfssl/wolfcrypt/error-crypt.h>
- #ifdef NO_INLINE
- #include <wolfssl/wolfcrypt/misc.h>
- #else
- #define WOLFSSL_MISC_INCLUDED
- #include <wolfcrypt/src/misc.c>
- #endif
- /** Computes the session key using the Mask Generation Function 1. */
- static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size);
- static int SrpHashInit(SrpHash* hash, SrpType type)
- {
- hash->type = type;
- switch (type) {
- case SRP_TYPE_SHA:
- #ifndef NO_SHA
- return wc_InitSha(&hash->data.sha);
- #else
- return BAD_FUNC_ARG;
- #endif
- case SRP_TYPE_SHA256:
- #ifndef NO_SHA256
- return wc_InitSha256(&hash->data.sha256);
- #else
- return BAD_FUNC_ARG;
- #endif
- case SRP_TYPE_SHA384:
- #ifdef WOLFSSL_SHA384
- return wc_InitSha384(&hash->data.sha384);
- #else
- return BAD_FUNC_ARG;
- #endif
- case SRP_TYPE_SHA512:
- #ifdef WOLFSSL_SHA512
- return wc_InitSha512(&hash->data.sha512);
- #else
- return BAD_FUNC_ARG;
- #endif
- default:
- return BAD_FUNC_ARG;
- }
- }
- static int SrpHashUpdate(SrpHash* hash, const byte* data, word32 size)
- {
- switch (hash->type) {
- case SRP_TYPE_SHA:
- #ifndef NO_SHA
- return wc_ShaUpdate(&hash->data.sha, data, size);
- #else
- return BAD_FUNC_ARG;
- #endif
- case SRP_TYPE_SHA256:
- #ifndef NO_SHA256
- return wc_Sha256Update(&hash->data.sha256, data, size);
- #else
- return BAD_FUNC_ARG;
- #endif
- case SRP_TYPE_SHA384:
- #ifdef WOLFSSL_SHA384
- return wc_Sha384Update(&hash->data.sha384, data, size);
- #else
- return BAD_FUNC_ARG;
- #endif
- case SRP_TYPE_SHA512:
- #ifdef WOLFSSL_SHA512
- return wc_Sha512Update(&hash->data.sha512, data, size);
- #else
- return BAD_FUNC_ARG;
- #endif
- default:
- return BAD_FUNC_ARG;
- }
- }
- static int SrpHashFinal(SrpHash* hash, byte* digest)
- {
- switch (hash->type) {
- case SRP_TYPE_SHA:
- #ifndef NO_SHA
- return wc_ShaFinal(&hash->data.sha, digest);
- #else
- return BAD_FUNC_ARG;
- #endif
- case SRP_TYPE_SHA256:
- #ifndef NO_SHA256
- return wc_Sha256Final(&hash->data.sha256, digest);
- #else
- return BAD_FUNC_ARG;
- #endif
- case SRP_TYPE_SHA384:
- #ifdef WOLFSSL_SHA384
- return wc_Sha384Final(&hash->data.sha384, digest);
- #else
- return BAD_FUNC_ARG;
- #endif
- case SRP_TYPE_SHA512:
- #ifdef WOLFSSL_SHA512
- return wc_Sha512Final(&hash->data.sha512, digest);
- #else
- return BAD_FUNC_ARG;
- #endif
- default:
- return BAD_FUNC_ARG;
- }
- }
- static word32 SrpHashSize(SrpType type)
- {
- switch (type) {
- case SRP_TYPE_SHA:
- #ifndef NO_SHA
- return WC_SHA_DIGEST_SIZE;
- #else
- return 0;
- #endif
- case SRP_TYPE_SHA256:
- #ifndef NO_SHA256
- return WC_SHA256_DIGEST_SIZE;
- #else
- return 0;
- #endif
- case SRP_TYPE_SHA384:
- #ifdef WOLFSSL_SHA384
- return WC_SHA384_DIGEST_SIZE;
- #else
- return 0;
- #endif
- case SRP_TYPE_SHA512:
- #ifdef WOLFSSL_SHA512
- return WC_SHA512_DIGEST_SIZE;
- #else
- return 0;
- #endif
- default:
- return 0;
- }
- }
- static void SrpHashFree(SrpHash* hash)
- {
- switch (hash->type) {
- case SRP_TYPE_SHA:
- #ifndef NO_SHA
- wc_ShaFree(&hash->data.sha);
- #endif
- break;
- case SRP_TYPE_SHA256:
- #ifndef NO_SHA256
- wc_Sha256Free(&hash->data.sha256);
- #endif
- break;
- case SRP_TYPE_SHA384:
- #ifdef WOLFSSL_SHA384
- wc_Sha384Free(&hash->data.sha384);
- #endif
- break;
- case SRP_TYPE_SHA512:
- #ifdef WOLFSSL_SHA512
- wc_Sha512Free(&hash->data.sha512);
- #endif
- break;
- default:
- break;
- }
- }
- int wc_SrpInit(Srp* srp, SrpType type, SrpSide side)
- {
- int r;
- /* validating params */
- if (!srp)
- return BAD_FUNC_ARG;
- if (side != SRP_CLIENT_SIDE && side != SRP_SERVER_SIDE)
- return BAD_FUNC_ARG;
- switch (type) {
- case SRP_TYPE_SHA:
- #ifdef NO_SHA
- return NOT_COMPILED_IN;
- #else
- break; /* OK */
- #endif
- case SRP_TYPE_SHA256:
- #ifdef NO_SHA256
- return NOT_COMPILED_IN;
- #else
- break; /* OK */
- #endif
- case SRP_TYPE_SHA384:
- #ifndef WOLFSSL_SHA384
- return NOT_COMPILED_IN;
- #else
- break; /* OK */
- #endif
- case SRP_TYPE_SHA512:
- #ifndef WOLFSSL_SHA512
- return NOT_COMPILED_IN;
- #else
- break; /* OK */
- #endif
- default:
- return BAD_FUNC_ARG;
- }
- /* initializing variables */
- XMEMSET(srp, 0, sizeof(Srp));
- if ((r = SrpHashInit(&srp->client_proof, type)) != 0)
- return r;
- if ((r = SrpHashInit(&srp->server_proof, type)) != 0) {
- SrpHashFree(&srp->client_proof);
- return r;
- }
- if ((r = mp_init_multi(&srp->N, &srp->g, &srp->auth,
- &srp->priv, 0, 0)) != 0) {
- SrpHashFree(&srp->client_proof);
- SrpHashFree(&srp->server_proof);
- return r;
- }
- srp->side = side; srp->type = type;
- srp->salt = NULL; srp->saltSz = 0;
- srp->user = NULL; srp->userSz = 0;
- srp->key = NULL; srp->keySz = 0;
- srp->keyGenFunc_cb = wc_SrpSetKey;
- /* default heap hint to NULL or test value */
- #ifdef WOLFSSL_HEAP_TEST
- srp->heap = (void*)WOLFSSL_HEAP_TEST;
- #else
- srp->heap = NULL;
- #endif
- return 0;
- }
- void wc_SrpTerm(Srp* srp)
- {
- if (srp) {
- mp_clear(&srp->N); mp_clear(&srp->g);
- mp_clear(&srp->auth); mp_clear(&srp->priv);
- if (srp->salt) {
- ForceZero(srp->salt, srp->saltSz);
- XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
- }
- if (srp->user) {
- ForceZero(srp->user, srp->userSz);
- XFREE(srp->user, srp->heap, DYNAMIC_TYPE_SRP);
- }
- if (srp->key) {
- ForceZero(srp->key, srp->keySz);
- XFREE(srp->key, srp->heap, DYNAMIC_TYPE_SRP);
- }
- SrpHashFree(&srp->client_proof);
- SrpHashFree(&srp->server_proof);
- ForceZero(srp, sizeof(Srp));
- }
- }
- int wc_SrpSetUsername(Srp* srp, const byte* username, word32 size)
- {
- if (!srp || !username)
- return BAD_FUNC_ARG;
- /* +1 for NULL char */
- srp->user = (byte*)XMALLOC(size + 1, srp->heap, DYNAMIC_TYPE_SRP);
- if (srp->user == NULL)
- return MEMORY_E;
- srp->userSz = size;
- XMEMCPY(srp->user, username, srp->userSz);
- srp->user[size] = '\0';
- return 0;
- }
- int wc_SrpSetParams(Srp* srp, const byte* N, word32 nSz,
- const byte* g, word32 gSz,
- const byte* salt, word32 saltSz)
- {
- SrpHash hash;
- byte digest1[SRP_MAX_DIGEST_SIZE];
- byte digest2[SRP_MAX_DIGEST_SIZE];
- byte pad = 0;
- int i, r;
- int j = 0;
- if (!srp || !N || !g || !salt || nSz < gSz)
- return BAD_FUNC_ARG;
- if (!srp->user)
- return SRP_CALL_ORDER_E;
- /* Set N */
- if (mp_read_unsigned_bin(&srp->N, N, nSz) != MP_OKAY)
- return MP_READ_E;
- if (mp_count_bits(&srp->N) < SRP_MODULUS_MIN_BITS)
- return BAD_FUNC_ARG;
- /* Set g */
- if (mp_read_unsigned_bin(&srp->g, g, gSz) != MP_OKAY)
- return MP_READ_E;
- if (mp_cmp(&srp->N, &srp->g) != MP_GT)
- return BAD_FUNC_ARG;
- /* Set salt */
- if (srp->salt) {
- ForceZero(srp->salt, srp->saltSz);
- XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
- }
- srp->salt = (byte*)XMALLOC(saltSz, srp->heap, DYNAMIC_TYPE_SRP);
- if (srp->salt == NULL)
- return MEMORY_E;
- XMEMCPY(srp->salt, salt, saltSz);
- srp->saltSz = saltSz;
- /* Set k = H(N, g) */
- r = SrpHashInit(&hash, srp->type);
- if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz);
- for (i = 0; (word32)i < nSz - gSz; i++) {
- if (!r) r = SrpHashUpdate(&hash, &pad, 1);
- }
- if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz);
- if (!r) r = SrpHashFinal(&hash, srp->k);
- SrpHashFree(&hash);
- /* update client proof */
- /* digest1 = H(N) */
- if (!r) r = SrpHashInit(&hash, srp->type);
- if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz);
- if (!r) r = SrpHashFinal(&hash, digest1);
- SrpHashFree(&hash);
- /* digest2 = H(g) */
- if (!r) r = SrpHashInit(&hash, srp->type);
- if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz);
- if (!r) r = SrpHashFinal(&hash, digest2);
- SrpHashFree(&hash);
- /* digest1 = H(N) ^ H(g) */
- if (r == 0) {
- for (i = 0, j = SrpHashSize(srp->type); i < j; i++)
- digest1[i] ^= digest2[i];
- }
- /* digest2 = H(user) */
- if (!r) r = SrpHashInit(&hash, srp->type);
- if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz);
- if (!r) r = SrpHashFinal(&hash, digest2);
- SrpHashFree(&hash);
- /* client proof = H( H(N) ^ H(g) | H(user) | salt) */
- if (!r) r = SrpHashUpdate(&srp->client_proof, digest1, j);
- if (!r) r = SrpHashUpdate(&srp->client_proof, digest2, j);
- if (!r) r = SrpHashUpdate(&srp->client_proof, salt, saltSz);
- return r;
- }
- int wc_SrpSetPassword(Srp* srp, const byte* password, word32 size)
- {
- SrpHash hash;
- byte digest[SRP_MAX_DIGEST_SIZE];
- word32 digestSz;
- int r;
- if (!srp || !password || srp->side != SRP_CLIENT_SIDE)
- return BAD_FUNC_ARG;
- if (!srp->salt)
- return SRP_CALL_ORDER_E;
- digestSz = SrpHashSize(srp->type);
- /* digest = H(username | ':' | password) */
- r = SrpHashInit(&hash, srp->type);
- if (!r) r = SrpHashUpdate(&hash, srp->user, srp->userSz);
- if (!r) r = SrpHashUpdate(&hash, (const byte*) ":", 1);
- if (!r) r = SrpHashUpdate(&hash, password, size);
- if (!r) r = SrpHashFinal(&hash, digest);
- SrpHashFree(&hash);
- /* digest = H(salt | H(username | ':' | password)) */
- if (!r) r = SrpHashInit(&hash, srp->type);
- if (!r) r = SrpHashUpdate(&hash, srp->salt, srp->saltSz);
- if (!r) r = SrpHashUpdate(&hash, digest, digestSz);
- if (!r) r = SrpHashFinal(&hash, digest);
- SrpHashFree(&hash);
- /* Set x (private key) */
- if (!r) r = mp_read_unsigned_bin(&srp->auth, digest, digestSz);
- ForceZero(digest, SRP_MAX_DIGEST_SIZE);
- return r;
- }
- int wc_SrpGetVerifier(Srp* srp, byte* verifier, word32* size)
- {
- mp_int v;
- int r;
- if (!srp || !verifier || !size || srp->side != SRP_CLIENT_SIDE)
- return BAD_FUNC_ARG;
- if (mp_iszero(&srp->auth) == MP_YES)
- return SRP_CALL_ORDER_E;
- r = mp_init(&v);
- if (r != MP_OKAY)
- return MP_INIT_E;
- /* v = g ^ x % N */
- if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &v);
- if (!r) r = *size < (word32)mp_unsigned_bin_size(&v) ? BUFFER_E : MP_OKAY;
- if (!r) r = mp_to_unsigned_bin(&v, verifier);
- if (!r) *size = mp_unsigned_bin_size(&v);
- mp_clear(&v);
- return r;
- }
- int wc_SrpSetVerifier(Srp* srp, const byte* verifier, word32 size)
- {
- if (!srp || !verifier || srp->side != SRP_SERVER_SIDE)
- return BAD_FUNC_ARG;
- return mp_read_unsigned_bin(&srp->auth, verifier, size);
- }
- int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size)
- {
- mp_int p;
- int r;
- if (!srp || !priv || !size)
- return BAD_FUNC_ARG;
- if (mp_iszero(&srp->auth) == MP_YES)
- return SRP_CALL_ORDER_E;
- r = mp_init(&p);
- if (r != MP_OKAY)
- return MP_INIT_E;
- if (!r) r = mp_read_unsigned_bin(&p, priv, size);
- if (!r) r = mp_mod(&p, &srp->N, &srp->priv);
- if (!r) r = mp_iszero(&srp->priv) == MP_YES ? SRP_BAD_KEY_E : 0;
- mp_clear(&p);
- return r;
- }
- /** Generates random data using wolfcrypt RNG. */
- static int wc_SrpGenPrivate(Srp* srp, byte* priv, word32 size)
- {
- WC_RNG rng;
- int r = wc_InitRng(&rng);
- if (!r) r = wc_RNG_GenerateBlock(&rng, priv, size);
- if (!r) r = wc_SrpSetPrivate(srp, priv, size);
- if (!r) wc_FreeRng(&rng);
- return r;
- }
- int wc_SrpGetPublic(Srp* srp, byte* pub, word32* size)
- {
- mp_int pubkey;
- word32 modulusSz;
- int r;
- if (!srp || !pub || !size)
- return BAD_FUNC_ARG;
- if (mp_iszero(&srp->auth) == MP_YES)
- return SRP_CALL_ORDER_E;
- modulusSz = mp_unsigned_bin_size(&srp->N);
- if (*size < modulusSz)
- return BUFFER_E;
- r = mp_init(&pubkey);
- if (r != MP_OKAY)
- return MP_INIT_E;
- /* priv = random() */
- if (mp_iszero(&srp->priv) == MP_YES)
- r = wc_SrpGenPrivate(srp, pub, SRP_PRIVATE_KEY_MIN_BITS / 8);
- /* client side: A = g ^ a % N */
- if (srp->side == SRP_CLIENT_SIDE) {
- if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, &pubkey);
- /* server side: B = (k * v + (g ^ b % N)) % N */
- } else {
- mp_int i, j;
- if (mp_init_multi(&i, &j, 0, 0, 0, 0) == MP_OKAY) {
- if (!r) r = mp_read_unsigned_bin(&i, srp->k,SrpHashSize(srp->type));
- if (!r) r = mp_iszero(&i) == MP_YES ? SRP_BAD_KEY_E : 0;
- if (!r) r = mp_exptmod(&srp->g, &srp->priv, &srp->N, &pubkey);
- if (!r) r = mp_mulmod(&i, &srp->auth, &srp->N, &j);
- if (!r) r = mp_add(&j, &pubkey, &i);
- if (!r) r = mp_mod(&i, &srp->N, &pubkey);
- mp_clear(&i); mp_clear(&j);
- }
- }
- /* extract public key to buffer */
- XMEMSET(pub, 0, modulusSz);
- if (!r) r = mp_to_unsigned_bin(&pubkey, pub);
- if (!r) *size = mp_unsigned_bin_size(&pubkey);
- mp_clear(&pubkey);
- return r;
- }
- static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size)
- {
- SrpHash hash;
- byte digest[SRP_MAX_DIGEST_SIZE];
- word32 i, j, digestSz = SrpHashSize(srp->type);
- byte counter[4];
- int r = BAD_FUNC_ARG;
- XMEMSET(digest, 0, SRP_MAX_DIGEST_SIZE);
- srp->key = (byte*)XMALLOC(2 * digestSz, srp->heap, DYNAMIC_TYPE_SRP);
- if (srp->key == NULL)
- return MEMORY_E;
- srp->keySz = 2 * digestSz;
- for (i = j = 0; j < srp->keySz; i++) {
- counter[0] = (i >> 24) & 0xFF;
- counter[1] = (i >> 16) & 0xFF;
- counter[2] = (i >> 8) & 0xFF;
- counter[3] = i & 0xFF;
- r = SrpHashInit(&hash, srp->type);
- if (!r) r = SrpHashUpdate(&hash, secret, size);
- if (!r) r = SrpHashUpdate(&hash, counter, 4);
- if (j + digestSz > srp->keySz) {
- if (!r) r = SrpHashFinal(&hash, digest);
- XMEMCPY(srp->key + j, digest, srp->keySz - j);
- j = srp->keySz;
- }
- else {
- if (!r) r = SrpHashFinal(&hash, srp->key + j);
- j += digestSz;
- }
- SrpHashFree(&hash);
- }
- ForceZero(digest, sizeof(digest));
- ForceZero(&hash, sizeof(SrpHash));
- return r;
- }
- int wc_SrpComputeKey(Srp* srp, byte* clientPubKey, word32 clientPubKeySz,
- byte* serverPubKey, word32 serverPubKeySz)
- {
- #ifdef WOLFSSL_SMALL_STACK
- SrpHash *hash = (SrpHash *)XMALLOC(sizeof *hash, srp->heap, DYNAMIC_TYPE_SRP);
- byte *digest = (byte *)XMALLOC(SRP_MAX_DIGEST_SIZE, srp->heap, DYNAMIC_TYPE_SRP);
- mp_int *u = (mp_int *)XMALLOC(sizeof *u, srp->heap, DYNAMIC_TYPE_SRP);
- mp_int *s = (mp_int *)XMALLOC(sizeof *s, srp->heap, DYNAMIC_TYPE_SRP);
- mp_int *temp1 = (mp_int *)XMALLOC(sizeof *temp1, srp->heap, DYNAMIC_TYPE_SRP);
- mp_int *temp2 = (mp_int *)XMALLOC(sizeof *temp2, srp->heap, DYNAMIC_TYPE_SRP);
- #else
- SrpHash hash[1];
- byte digest[SRP_MAX_DIGEST_SIZE];
- mp_int u[1], s[1], temp1[1], temp2[1];
- #endif
- byte *secret = NULL;
- word32 i, secretSz, digestSz;
- byte pad = 0;
- int r;
- /* validating params */
- if ((mp_init_multi(u, s, temp1, temp2, 0, 0)) != MP_OKAY) {
- r = MP_INIT_E;
- goto out;
- }
- if (!srp || !clientPubKey || clientPubKeySz == 0
- || !serverPubKey || serverPubKeySz == 0) {
- r = BAD_FUNC_ARG;
- goto out;
- }
- #ifdef WOLFSSL_SMALL_STACK
- if ((hash == NULL) ||
- (digest == NULL) ||
- (u == NULL) ||
- (s == NULL) ||
- (temp1 == NULL) ||
- (temp2 == NULL)) {
- r = MEMORY_E;
- goto out;
- }
- #endif
- if (mp_iszero(&srp->priv) == MP_YES) {
- r = SRP_CALL_ORDER_E;
- goto out;
- }
- /* initializing variables */
- if ((r = SrpHashInit(hash, srp->type)) != 0)
- goto out;
- digestSz = SrpHashSize(srp->type);
- secretSz = mp_unsigned_bin_size(&srp->N);
- if ((secretSz < clientPubKeySz) || (secretSz < serverPubKeySz)) {
- r = BAD_FUNC_ARG;
- goto out;
- }
- if ((secret = (byte*)XMALLOC(secretSz, srp->heap, DYNAMIC_TYPE_SRP)) == NULL) {
- r = MEMORY_E;
- goto out;
- }
- /* building u (random scrambling parameter) */
- /* H(A) */
- for (i = 0; i < secretSz - clientPubKeySz; i++) {
- if ((r = SrpHashUpdate(hash, &pad, 1)))
- goto out;
- }
- if ((r = SrpHashUpdate(hash, clientPubKey, clientPubKeySz)))
- goto out;
- /* H(A | B) */
- for (i = 0; i < secretSz - serverPubKeySz; i++) {
- if ((r = SrpHashUpdate(hash, &pad, 1)))
- goto out;
- }
- if ((r = SrpHashUpdate(hash, serverPubKey, serverPubKeySz)))
- goto out;
- /* set u */
- if ((r = SrpHashFinal(hash, digest)))
- goto out;
- if ((r = mp_read_unsigned_bin(u, digest, SrpHashSize(srp->type))))
- goto out;
- SrpHashFree(hash);
- /* building s (secret) */
- if (srp->side == SRP_CLIENT_SIDE) {
- /* temp1 = B - k * v; rejects k == 0, B == 0 and B >= N. */
- if ((r = mp_read_unsigned_bin(temp1, srp->k, digestSz)))
- goto out;
- if (mp_iszero(temp1) == MP_YES) {
- r = SRP_BAD_KEY_E;
- goto out;
- }
- if ((r = mp_exptmod(&srp->g, &srp->auth, &srp->N, temp2)))
- goto out;
- if ((r = mp_mulmod(temp1, temp2, &srp->N, s)))
- goto out;
- if ((r = mp_read_unsigned_bin(temp2, serverPubKey, serverPubKeySz)))
- goto out;
- if (mp_iszero(temp2) == MP_YES) {
- r = SRP_BAD_KEY_E;
- goto out;
- }
- if (mp_cmp(temp2, &srp->N) != MP_LT) {
- r = SRP_BAD_KEY_E;
- goto out;
- }
- if ((r = mp_submod(temp2, s, &srp->N, temp1)))
- goto out;
- /* temp2 = a + u * x */
- if ((r = mp_mulmod(u, &srp->auth, &srp->N, s)))
- goto out;
- if ((r = mp_add(&srp->priv, s, temp2)))
- goto out;
- /* secret = temp1 ^ temp2 % N */
- if ((r = mp_exptmod(temp1, temp2, &srp->N, s)))
- goto out;
- } else if (srp->side == SRP_SERVER_SIDE) {
- /* temp1 = v ^ u % N */
- if ((r = mp_exptmod(&srp->auth, u, &srp->N, temp1)))
- goto out;
- /* temp2 = A * temp1 % N; rejects A == 0, A >= N */
- if ((r = mp_read_unsigned_bin(s, clientPubKey, clientPubKeySz)))
- goto out;
- if (mp_iszero(s) == MP_YES) {
- r = SRP_BAD_KEY_E;
- goto out;
- }
- if (mp_cmp(s, &srp->N) != MP_LT) {
- r = SRP_BAD_KEY_E;
- goto out;
- }
- if ((r = mp_mulmod(s, temp1, &srp->N, temp2)))
- goto out;
- /* rejects A * v ^ u % N >= 1, A * v ^ u % N == -1 % N */
- if ((r = mp_read_unsigned_bin(temp1, (const byte*)"\001", 1)))
- goto out;
- if (mp_cmp(temp2, temp1) != MP_GT) {
- r = SRP_BAD_KEY_E;
- goto out;
- }
- if ((r = mp_sub(&srp->N, temp1, s)))
- goto out;
- if (mp_cmp(temp2, s) == MP_EQ) {
- r = SRP_BAD_KEY_E;
- goto out;
- }
- /* secret = temp2 * b % N */
- if ((r = mp_exptmod(temp2, &srp->priv, &srp->N, s)))
- goto out;
- }
- /* building session key from secret */
- if ((r = mp_to_unsigned_bin(s, secret)))
- goto out;
- if ((r = srp->keyGenFunc_cb(srp, secret, mp_unsigned_bin_size(s))))
- goto out;
- /* updating client proof = H( H(N) ^ H(g) | H(user) | salt | A | B | K) */
- if ((r = SrpHashUpdate(&srp->client_proof, clientPubKey, clientPubKeySz)))
- goto out;
- if ((r = SrpHashUpdate(&srp->client_proof, serverPubKey, serverPubKeySz)))
- goto out;
- if ((r = SrpHashUpdate(&srp->client_proof, srp->key, srp->keySz)))
- goto out;
- /* updating server proof = H(A) */
- r = SrpHashUpdate(&srp->server_proof, clientPubKey, clientPubKeySz);
- out:
- if (secret) {
- ForceZero(secret, secretSz);
- XFREE(secret, srp->heap, DYNAMIC_TYPE_SRP);
- }
- #ifdef WOLFSSL_SMALL_STACK
- if (hash)
- XFREE(hash, srp->heap, DYNAMIC_TYPE_SRP);
- if (digest)
- XFREE(digest, srp->heap, DYNAMIC_TYPE_SRP);
- if (u) {
- if (r != MP_INIT_E)
- mp_clear(u);
- XFREE(u, srp->heap, DYNAMIC_TYPE_SRP);
- }
- if (s) {
- if (r != MP_INIT_E)
- mp_clear(s);
- XFREE(s, srp->heap, DYNAMIC_TYPE_SRP);
- }
- if (temp1) {
- if (r != MP_INIT_E)
- mp_clear(temp1);
- XFREE(temp1, srp->heap, DYNAMIC_TYPE_SRP);
- }
- if (temp2) {
- if (r != MP_INIT_E)
- mp_clear(temp2);
- XFREE(temp2, srp->heap, DYNAMIC_TYPE_SRP);
- }
- #else
- if (r != MP_INIT_E) {
- mp_clear(u);
- mp_clear(s);
- mp_clear(temp1);
- mp_clear(temp2);
- }
- #endif
- return r;
- }
- int wc_SrpGetProof(Srp* srp, byte* proof, word32* size)
- {
- int r;
- if (!srp || !proof || !size)
- return BAD_FUNC_ARG;
- if (*size < SrpHashSize(srp->type))
- return BUFFER_E;
- if ((r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE
- ? &srp->client_proof
- : &srp->server_proof, proof)) != 0)
- return r;
- *size = SrpHashSize(srp->type);
- if (srp->side == SRP_CLIENT_SIDE) {
- /* server proof = H( A | client proof | K) */
- if (!r) r = SrpHashUpdate(&srp->server_proof, proof, *size);
- if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
- }
- return r;
- }
- int wc_SrpVerifyPeersProof(Srp* srp, byte* proof, word32 size)
- {
- byte digest[SRP_MAX_DIGEST_SIZE];
- int r;
- if (!srp || !proof)
- return BAD_FUNC_ARG;
- if (size != SrpHashSize(srp->type))
- return BUFFER_E;
- r = SrpHashFinal(srp->side == SRP_CLIENT_SIDE ? &srp->server_proof
- : &srp->client_proof, digest);
- if (srp->side == SRP_SERVER_SIDE) {
- /* server proof = H( A | client proof | K) */
- if (!r) r = SrpHashUpdate(&srp->server_proof, proof, size);
- if (!r) r = SrpHashUpdate(&srp->server_proof, srp->key, srp->keySz);
- }
- if (!r && XMEMCMP(proof, digest, size) != 0)
- r = SRP_VERIFY_E;
- return r;
- }
- #endif /* WOLFCRYPT_HAVE_SRP */
|