generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add SRP.

Browse Source
This commit is contained in:
Ben Laurie
2011-03-16 11:26:40 +00:00
parent 13e230d505
commit a149b2466e
46 changed files with 4571 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
apps/Makefile
View File

@@ -39,7 +39,7 @@ E_EXE= verify asn1pars req dgst dh dhparam enc passwd gendh errstr \
ca crl rsa rsautl dsa dsaparam ec ecparam \
x509 genrsa gendsa genpkey s_server s_client speed \
s_time version pkcs7 cms crl2pkcs7 sess_id ciphers nseq pkcs12 \
pkcs8 pkey pkeyparam pkeyutl spkac smime rand engine ocsp prime ts
pkcs8 pkey pkeyparam pkeyutl spkac smime rand engine ocsp prime ts srp
PROGS= $(PROGRAM).c
@@ -56,7 +56,7 @@ E_OBJ= verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o er
x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o \
s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \
ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o \
spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o
spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o
E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \
pkcs7.c crl2p7.c crl.c \
@@ -64,7 +64,7 @@ E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.
x509.c genrsa.c gendsa.c genpkey.c s_server.c s_client.c speed.c \
s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \
ciphers.c nseq.c pkcs12.c pkcs8.c pkey.c pkeyparam.c pkeyutl.c \
spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c
spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c srp.c
SRC=$(E_SRC)

6
apps/demoSRP/srp_verifier.txt Normal file
View File

@@ -0,0 +1,6 @@
# This is a file that will be filled by the openssl srp routine.
# You can initialize the file with additional groups, these are
# records starting with a I followed by the g and N values and the id.
# The exact values ... you have to dig this out from the source of srp.c
# or srp_vfy.c
# The last value of an I is used as the default group for new users.

1
apps/demoSRP/srp_verifier.txt.attr Normal file
View File

@@ -0,0 +1 @@
unique_subject = yes

4
apps/progs.h
View File

@@ -44,6 +44,7 @@ extern int smime_main(int argc,char *argv[]);
extern int rand_main(int argc,char *argv[]);
extern int engine_main(int argc,char *argv[]);
extern int ocsp_main(int argc,char *argv[]);
extern int srp_main(int argc,char *argv[]);
extern int prime_main(int argc,char *argv[]);
extern int ts_main(int argc,char *argv[]);
@@ -144,6 +145,9 @@ FUNCTION functions[] = {
#endif
#ifndef OPENSSL_NO_OCSP
{FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
#endif
#ifndef OPENSSL_NO_SRP
{FUNC_TYPE_GENERAL,"srp",srp_main},
#endif
{FUNC_TYPE_GENERAL,"prime",prime_main},
{FUNC_TYPE_GENERAL,"ts",ts_main},

180
apps/s_client.c
View File

@@ -163,6 +163,9 @@ typedef unsigned int u_int;
#include <openssl/rand.h>
#include <openssl/ocsp.h>
#include <openssl/bn.h>
#ifndef OPENSSL_NO_SRP
#include <openssl/srp.h>
#endif
#include "s_apps.h"
#include "timeouts.h"
@@ -315,6 +318,13 @@ static void sc_usage(void)
# ifndef OPENSSL_NO_JPAKE
BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
# endif
#endif
#ifndef OPENSSL_NO_SRP
BIO_printf(bio_err," -srpuser user - SRP authentification for 'user'\n");
BIO_printf(bio_err," -srppass arg - password for 'user'\n");
BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
#endif
BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
@@ -367,6 +377,112 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
return SSL_TLSEXT_ERR_OK;
}
#ifndef OPENSSL_NO_SRP
/* This is a context that we pass to all callbacks */
typedef struct srp_arg_st
{
char *srppassin;
char *srplogin;
int msg; /* copy from c_msg */
int debug; /* copy from c_debug */
int amp; /* allow more groups */
int strength /* minimal size for N */ ;
} SRP_ARG;
#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
static int SRP_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
{
BN_CTX *bn_ctx = BN_CTX_new();
BIGNUM *p = BN_new();
BIGNUM *r = BN_new();
int ret =
g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
p != NULL && BN_rshift1(p, N) &&
/* p = (N-1)/2 */
BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
r != NULL &&
/* verify g^((N-1)/2) == -1 (mod N) */
BN_mod_exp(r, g, p, N, bn_ctx) &&
BN_add_word(r, 1) &&
BN_cmp(r, N) == 0;
if(r)
BN_free(r);
if(p)
BN_free(p);
if(bn_ctx)
BN_CTX_free(bn_ctx);
return ret;
}
static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
{
SRP_ARG *srp_arg = (SRP_ARG *)arg;
BIGNUM *N = NULL, *g = NULL;
if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
return 0;
if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1)
{
BIO_printf(bio_err, "SRP parameters:\n");
BIO_printf(bio_err,"\tN="); BN_print(bio_err,N);
BIO_printf(bio_err,"\n\tg="); BN_print(bio_err,g);
BIO_printf(bio_err,"\n");
}
if (SRP_check_known_gN_param(g,N))
return 1;
if (srp_arg->amp == 1)
{
if (srp_arg->debug)
BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
/* The srp_moregroups must be used with caution, testing primes costs time.
Implementors should rather add the value to the known ones.
The minimal size has already been tested.
*/
if (BN_num_bits(g) <= BN_BITS && SRP_Verify_N_and_g(N,g))
return 1;
}
BIO_printf(bio_err, "SRP param N and g rejected.\n");
return 0;
}
#define PWD_STRLEN 1024
static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
{
SRP_ARG *srp_arg = (SRP_ARG *)arg;
char *pass = (char *)OPENSSL_malloc(PWD_STRLEN+1);
PW_CB_DATA cb_tmp;
int l;
cb_tmp.password = (char *)srp_arg->srppassin;
cb_tmp.prompt_info = "SRP user";
if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp))<0)
{
BIO_printf (bio_err, "Can't read Password\n");
OPENSSL_free(pass);
return NULL;
}
*(pass+l)= '\0';
return pass;
}
static char * MS_CALLBACK missing_srp_username_callback(SSL *s, void *arg)
{
SRP_ARG *srp_arg = (SRP_ARG *)arg;
return BUF_strdup(srp_arg->srplogin);
}
#endif
#endif
enum
@@ -440,6 +556,11 @@ int MAIN(int argc, char **argv)
#ifndef OPENSSL_NO_JPAKE
char *jpake_secret = NULL;
#endif
#ifndef OPENSSL_NO_SRP
char * srppass = NULL;
int srp_lateuser = 0;
SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_client_method();
@@ -589,6 +710,37 @@ int MAIN(int argc, char **argv)
}
}
#endif
#ifndef OPENSSL_NO_SRP
else if (strcmp(*argv,"-srpuser") == 0)
{
if (--argc < 1) goto bad;
srp_arg.srplogin= *(++argv);
meth=TLSv1_client_method();
}
else if (strcmp(*argv,"-srppass") == 0)
{
if (--argc < 1) goto bad;
srppass= *(++argv);
meth=TLSv1_client_method();
}
else if (strcmp(*argv,"-srp_strength") == 0)
{
if (--argc < 1) goto bad;
srp_arg.strength=atoi(*(++argv));
BIO_printf(bio_err,"SRP minimal length for N is %d\n",srp_arg.strength);
meth=TLSv1_client_method();
}
else if (strcmp(*argv,"-srp_lateuser") == 0)
{
srp_lateuser= 1;
meth=TLSv1_client_method();
}
else if (strcmp(*argv,"-srp_moregroups") == 0)
{
srp_arg.amp=1;
meth=TLSv1_client_method();
}
#endif
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv,"-ssl2") == 0)
meth=SSLv2_client_method();
@@ -840,6 +992,14 @@ bad:
}
}
#ifndef OPENSSL_NO_SRP
if(!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL))
{
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
#endif
ctx=SSL_CTX_new(meth);
if (ctx == NULL)
{
@@ -919,6 +1079,26 @@ bad:
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
}
#ifndef OPENSSL_NO_SRP
if (srp_arg.srplogin)
{
if (srp_lateuser)
SSL_CTX_set_srp_missing_srp_username_callback(ctx,missing_srp_username_callback);
else if (!SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
{
BIO_printf(bio_err,"Unable to set SRP username\n");
goto end;
}
srp_arg.msg = c_msg;
srp_arg.debug = c_debug ;
SSL_CTX_set_srp_cb_arg(ctx,&srp_arg);
SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
if (c_msg || c_debug || srp_arg.amp == 0)
SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
}
#endif
#endif
con=SSL_new(ctx);

81
apps/s_server.c
View File

@@ -186,6 +186,9 @@ typedef unsigned int u_int;
#ifndef OPENSSL_NO_RSA
#include <openssl/rsa.h>
#endif
#ifndef OPENSSL_NO_SRP
#include <openssl/srp.h>
#endif
#include "s_apps.h"
#include "timeouts.h"
@@ -369,6 +372,40 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
}
#endif
#ifndef OPENSSL_NO_SRP
/* This is a context that we pass to callbacks */
typedef struct srpsrvparm_st
{
int verbose;
char *login;
SRP_VBASE *vb;
} srpsrvparm;
static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
{
srpsrvparm *p = (srpsrvparm *) arg;
SRP_user_pwd *user;
p->login = BUF_strdup(SSL_get_srp_username(s));
BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
user = SRP_VBASE_get_by_user(p->vb, p->login);
if (user == NULL)
{
BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
return SSL3_AL_FATAL;
}
if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
user->info) < 0)
{
*ad = SSL_AD_INTERNAL_ERROR;
return SSL3_AL_FATAL;
}
return SSL_ERROR_NONE;
}
#endif
#ifdef MONOLITH
static void s_server_init(void)
{
@@ -455,6 +492,10 @@ static void sv_usage(void)
# ifndef OPENSSL_NO_JPAKE
BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
# endif
#endif
#ifndef OPENSSL_NO_SRP
BIO_printf(bio_err," -srpvfile file - The verifier file for SRP\n");
BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
#endif
BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
@@ -874,12 +915,21 @@ int MAIN(int argc, char *argv[])
/* by default do not send a PSK identity hint */
static char *psk_identity_hint=NULL;
#endif
#ifndef OPENSSL_NO_SRP
char *srpuserseed = NULL;
char *srp_verifier_file = NULL;
srpsrvparm p;
#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_server_method();
#elif !defined(OPENSSL_NO_SSL3)
meth=SSLv3_server_method();
#elif !defined(OPENSSL_NO_SSL2)
meth=SSLv2_server_method();
#elif !defined(OPENSSL_NO_TLS1)
meth=TLSv1_server_method();
#else
/* #error no SSL version enabled */
#endif
local_argc=argc;
@@ -1111,6 +1161,20 @@ int MAIN(int argc, char *argv[])
goto bad;
}
}
#endif
#ifndef OPENSSL_NO_SRP
else if (strcmp(*argv, "-srpvfile") == 0)
{
if (--argc < 1) goto bad;
srp_verifier_file = *(++argv);
meth=TLSv1_server_method();
}
else if (strcmp(*argv, "-srpuserseed") == 0)
{
if (--argc < 1) goto bad;
srpuserseed = *(++argv);
meth=TLSv1_server_method();
}
#endif
else if (strcmp(*argv,"-www") == 0)
{ www=1; }
@@ -1690,6 +1754,23 @@ bad:
}
#endif
#ifndef OPENSSL_NO_SRP
if (srp_verifier_file != NULL)
{
p.vb = SRP_VBASE_new(srpuserseed);
if ((ret = SRP_VBASE_init(p.vb, srp_verifier_file)) != SRP_NO_ERROR)
{
BIO_printf(bio_err,
"Cannot initialize SRP verifier file \"%s\":ret=%d\n",
srp_verifier_file, ret);
goto end;
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,verify_callback);
SSL_CTX_set_srp_cb_arg(ctx, &p);
SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
}
else
#endif
if (CAfile != NULL)
{
SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));

759
apps/srp.c Normal file
View File

@@ -0,0 +1,759 @@
/* apps/srp.c */
/* Written by Peter Sylvester (peter.sylvester@edelweb.fr)
* for the EdelKey project and contributed to the OpenSSL project 2004.
*/
/* ====================================================================
* Copyright (c) 2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <openssl/opensslconf.h>
#ifndef OPENSSL_NO_SRP
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/conf.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/txt_db.h>
#include <openssl/buffer.h>
#include <openssl/srp.h>
#include "apps.h"
#undef PROG
#define PROG srp_main
#define BASE_SECTION "srp"
#define CONFIG_FILE "openssl.cnf"
#define ENV_RANDFILE "RANDFILE"
#define ENV_DATABASE "srpvfile"
#define ENV_DEFAULT_SRP "default_srp"
static char *srp_usage[]={
"usage: srp [args] [user] \n",
"\n",
" -verbose Talk alot while doing things\n",
" -config file A config file\n",
" -name arg The particular srp definition to use\n",
" -srpvfile arg The srp verifier file name\n",
" -add add an user and srp verifier\n",
" -modify modify the srp verifier of an existing user\n",
" -delete delete user from verifier file\n",
" -list list user\n",
" -gn arg g and N values to be used for new verifier\n",
" -userinfo arg additional info to be set for user\n",
" -passin arg input file pass phrase source\n",
" -passout arg output file pass phrase source\n",
#ifndef OPENSSL_NO_ENGINE
" -engine e - use engine e, possibly a hardware device.\n",
#endif
NULL
};
#ifdef EFENCE
extern int EF_PROTECT_FREE;
extern int EF_PROTECT_BELOW;
extern int EF_ALIGNMENT;
#endif
static CONF *conf=NULL;
static char *section=NULL;
#define VERBOSE if (verbose)
#define VVERBOSE if (verbose>1)
int MAIN(int, char **);
static int get_index(CA_DB *db, char* id, char type)
{
char ** pp;
int i;
if (id == NULL) return -1;
if (type == DB_SRP_INDEX)
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id, pp[DB_srpid]))
return i;
}
else for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id,pp[DB_srpid]))
return i;
}
return -1 ;
}
static void print_entry(CA_DB *db, BIO *bio, int indx, int verbose, char *s)
{
if (indx >= 0 && verbose)
{
int j;
char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, indx);
BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]);
for (j = 0; j < DB_NUMBER; j++)
{
BIO_printf(bio_err," %d = \"%s\"\n", j, pp[j]);
}
}
}
static void print_index(CA_DB *db, BIO *bio, int indexindex, int verbose)
{
print_entry(db, bio, indexindex, verbose, "g N entry") ;
}
static void print_user(CA_DB *db, BIO *bio, int userindex, int verbose)
{
if (verbose > 0)
{
char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
if (pp[DB_srptype][0] != 'I')
{
print_entry(db, bio, userindex, verbose, "User entry");
print_entry(db, bio, get_index(db, pp[DB_srpgN], 'I'), verbose, "g N entry");
}
}
}
static int update_index(CA_DB *db, BIO *bio, char **row)
{
char ** irow;
int i;
if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
{
BIO_printf(bio_err,"Memory allocation failure\n");
return 0;
}
for (i=0; i<DB_NUMBER; i++)
{
irow[i]=row[i];
row[i]=NULL;
}
irow[DB_NUMBER]=NULL;
if (!TXT_DB_insert(db->db,irow))
{
BIO_printf(bio,"failed to update srpvfile\n");
BIO_printf(bio,"TXT_DB error number %ld\n",db->db->error);
OPENSSL_free(irow);
return 0;
}
return 1;
}
static void lookup_fail(const char *name, char *tag)
{
BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
}
static char *srp_verify_user(const char *user, const char *srp_verifier,
char *srp_usersalt, const char *g, const char *N,
const char *passin, BIO *bio, int verbose)
{
char password[1024];
PW_CB_DATA cb_tmp;
char *verifier = NULL;
char *gNid = NULL;
cb_tmp.prompt_info = user;
cb_tmp.password = passin;
if (password_callback(password, 1024, 0, &cb_tmp) >0)
{
VERBOSE BIO_printf(bio,"Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",user,srp_verifier,srp_usersalt, g, N);
BIO_printf(bio, "Pass %s\n", password);
if (!(gNid=SRP_create_verifier(user, password, &srp_usersalt, &verifier, N, g)))
{
BIO_printf(bio, "Internal error validating SRP verifier\n");
}
else
{
if (strcmp(verifier, srp_verifier))
gNid = NULL;
OPENSSL_free(verifier);
}
}
return gNid;
}
static char *srp_create_user(char *user, char **srp_verifier,
char **srp_usersalt, char *g, char *N,
char *passout, BIO *bio, int verbose)
{
char password[1024];
PW_CB_DATA cb_tmp;
char *gNid = NULL;
char *salt = NULL;
cb_tmp.prompt_info = user;
cb_tmp.password = passout;
if (password_callback(password,1024,1,&cb_tmp) >0)
{
VERBOSE BIO_printf(bio,"Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",user,g,N);
if (!(gNid =SRP_create_verifier(user, password, &salt, srp_verifier, N, g)))
{
BIO_printf(bio,"Internal error creating SRP verifier\n");
}
else
*srp_usersalt = salt;
VVERBOSE BIO_printf(bio,"gNid=%s salt =\"%s\"\n verifier =\"%s\"\n", gNid,salt, *srp_verifier);
}
return gNid;
}
int MAIN(int argc, char **argv)
{
#ifndef OPENSSL_NO_ENGINE
ENGINE *e = NULL;
#endif
int add_user = 0;
int list_user= 0;
int delete_user= 0;
int modify_user= 0;
char * user = NULL;
char *passargin = NULL, *passargout = NULL;
char *passin = NULL, *passout = NULL;
char * gN = NULL;
int gNindex = -1;
char ** gNrow = NULL;
int maxgN = -1;
char * userinfo = NULL;
int badops=0;
int ret=1;
int errors=0;
int verbose=0;
int doupdatedb=0;
char *configfile=NULL;
char *dbfile=NULL;
CA_DB *db=NULL;
char **pp ;
int i;
long errorline = -1;
char *randfile=NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine = NULL;
#endif
char *tofree=NULL;
DB_ATTR db_attr;
#ifdef EFENCE
EF_PROTECT_FREE=1;
EF_PROTECT_BELOW=1;
EF_ALIGNMENT=0;
#endif
apps_startup();
conf = NULL;
section = NULL;
if (bio_err == NULL)
if ((bio_err=BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
argc--;
argv++;
while (argc >= 1 && badops == 0)
{
if (strcmp(*argv,"-verbose") == 0)
verbose++;
else if (strcmp(*argv,"-config") == 0)
{
if (--argc < 1) goto bad;
configfile= *(++argv);
}
else if (strcmp(*argv,"-name") == 0)
{
if (--argc < 1) goto bad;
section= *(++argv);
}
else if (strcmp(*argv,"-srpvfile") == 0)
{
if (--argc < 1) goto bad;
dbfile= *(++argv);
}
else if (strcmp(*argv,"-add") == 0)
add_user=1;
else if (strcmp(*argv,"-delete") == 0)
delete_user=1;
else if (strcmp(*argv,"-modify") == 0)
modify_user=1;
else if (strcmp(*argv,"-list") == 0)
list_user=1;
else if (strcmp(*argv,"-gn") == 0)
{
if (--argc < 1) goto bad;
gN= *(++argv);
}
else if (strcmp(*argv,"-userinfo") == 0)
{
if (--argc < 1) goto bad;
userinfo= *(++argv);
}
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
passargin= *(++argv);
}
else if (strcmp(*argv,"-passout") == 0)
{
if (--argc < 1) goto bad;
passargout= *(++argv);
}
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,"-engine") == 0)
{
if (--argc < 1) goto bad;
engine= *(++argv);
}
#endif
else if (**argv == '-')
{
bad:
BIO_printf(bio_err,"unknown option %s\n",*argv);
badops=1;
break;
}
else
break;
argc--;
argv++;
}
if (dbfile && configfile)
{
BIO_printf(bio_err,"-dbfile and -configfile cannot be specified together.\n");
badops = 1;
}
if (add_user+delete_user+modify_user+list_user != 1)
{
BIO_printf(bio_err,"Exactly one of the options -add, -delete, -modify -list must be specified.\n");
badops = 1;
}
if (delete_user+modify_user+delete_user== 1 && argc <= 0)
{
BIO_printf(bio_err,"Need at least one user for options -add, -delete, -modify. \n");
badops = 1;
}
if ((passin || passout) && argc != 1 )
{
BIO_printf(bio_err,"-passin, -passout arguments only valid with one user.\n");
badops = 1;
}
if (badops)
{
for (pp=srp_usage; (*pp != NULL); pp++)
BIO_printf(bio_err,"%s",*pp);
BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
BIO_printf(bio_err," load the file (or the files in the directory) into\n");
BIO_printf(bio_err," the random number generator\n");
goto err;
}
ERR_load_crypto_strings();
#ifndef OPENSSL_NO_ENGINE
e = setup_engine(bio_err, engine, 0);
#endif
if(!app_passwd(bio_err, passargin, passargout, &passin, &passout))
{
BIO_printf(bio_err, "Error getting passwords\n");
goto err;
}
if (!dbfile)
{
/*****************************************************************/
tofree=NULL;
if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
if (configfile == NULL)
{
const char *s=X509_get_default_cert_area();
size_t len;
#ifdef OPENSSL_SYS_VMS
len = strlen(s)+sizeof(CONFIG_FILE);
tofree=OPENSSL_malloc(len);
strcpy(tofree,s);
#else
len = strlen(s)+sizeof(CONFIG_FILE)+1;
tofree=OPENSSL_malloc(len);
BUF_strlcpy(tofree,s,len);
BUF_strlcat(tofree,"/",len);
#endif
BUF_strlcat(tofree,CONFIG_FILE,len);
configfile=tofree;
}
VERBOSE BIO_printf(bio_err,"Using configuration from %s\n",configfile);
conf = NCONF_new(NULL);
if (NCONF_load(conf,configfile,&errorline) <= 0)
{
if (errorline <= 0)
BIO_printf(bio_err,"error loading the config file '%s'\n",
configfile);
else
BIO_printf(bio_err,"error on line %ld of config file '%s'\n"
,errorline,configfile);
goto err;
}
if(tofree)
{
OPENSSL_free(tofree);
tofree = NULL;
}
if (!load_config(bio_err, conf))
goto err;
/* Lets get the config section we are using */
if (section == NULL)
{
VERBOSE BIO_printf(bio_err,"trying to read " ENV_DEFAULT_SRP " in \" BASE_SECTION \"\n");
section=NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_SRP);
if (section == NULL)
{
lookup_fail(BASE_SECTION,ENV_DEFAULT_SRP);
goto err;
}
}
if (randfile == NULL && conf)
randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
VERBOSE BIO_printf(bio_err,"trying to read " ENV_DATABASE " in section \"%s\"\n",section);
if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
{
lookup_fail(section,ENV_DATABASE);
goto err;
}
}
if (randfile == NULL)
ERR_clear_error();
else
app_RAND_load_file(randfile, bio_err, 0);
VERBOSE BIO_printf(bio_err,"Trying to read SRP verifier file \"%s\"\n",dbfile);
db = load_index(dbfile, &db_attr);
if (db == NULL) goto err;
/* Lets check some fields */
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
if (pp[DB_srptype][0] == DB_SRP_INDEX)
{
maxgN = i;
if (gNindex < 0 && gN != NULL && !strcmp(gN, pp[DB_srpid]))
gNindex = i;
print_index(db, bio_err, i, verbose > 1);
}
}
VERBOSE BIO_printf(bio_err, "Database initialised\n");
if (gNindex >= 0)
{
gNrow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, gNindex);
print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N") ;
}
else if (maxgN > 0 && !SRP_get_default_gN(gN))
{
BIO_printf(bio_err, "No g and N value for index \"%s\"\n", gN);
goto err;
}
else
{
VERBOSE BIO_printf(bio_err, "Database has no g N information.\n");
gNrow = NULL;
}
VVERBOSE BIO_printf(bio_err,"Starting user processing\n");
if (argc > 0)
user = *(argv++) ;
while (list_user || user)
{
int userindex = -1;
if (user)
VVERBOSE BIO_printf(bio_err, "Processing user \"%s\"\n", user);
if ((userindex = get_index(db, user, 'U')) >= 0)
{
print_user(db, bio_err, userindex, (verbose > 0) || list_user);
}
if (list_user)
{
if (user == NULL)
{
BIO_printf(bio_err,"List all users\n");
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
print_user(db,bio_err, i, 1);
}
list_user = 0;
}
else if (userindex < 0)
{
BIO_printf(bio_err, "user \"%s\" does not exist, ignored. t\n",
user);
errors++;
}
}
else if (add_user)
{
if (userindex >= 0)
{
/* reactivation of a new user */
char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
row[DB_srptype][0] = 'V';
doupdatedb = 1;
}
else
{
char *row[DB_NUMBER] ; char *gNid;
row[DB_srpverifier] = NULL;
row[DB_srpsalt] = NULL;
row[DB_srpinfo] = NULL;
if (!(gNid = srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:gN,gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose)))
{
BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned .\n", user);
errors++;
goto err;
}
row[DB_srpid] = BUF_strdup(user);
row[DB_srptype] = BUF_strdup("v");
row[DB_srpgN] = BUF_strdup(gNid);
if (!row[DB_srpid] || !row[DB_srpgN] || !row[DB_srptype] || !row[DB_srpverifier] || !row[DB_srpsalt] ||
(userinfo && (!(row[DB_srpinfo] = BUF_strdup(userinfo)))) ||
!update_index(db, bio_err, row))
{
if (row[DB_srpid]) OPENSSL_free(row[DB_srpid]);
if (row[DB_srpgN]) OPENSSL_free(row[DB_srpgN]);
if (row[DB_srpinfo]) OPENSSL_free(row[DB_srpinfo]);
if (row[DB_srptype]) OPENSSL_free(row[DB_srptype]);
if (row[DB_srpverifier]) OPENSSL_free(row[DB_srpverifier]);
if (row[DB_srpsalt]) OPENSSL_free(row[DB_srpsalt]);
goto err;
}
doupdatedb = 1;
}
}
else if (modify_user)
{
if (userindex < 0)
{
BIO_printf(bio_err,"user \"%s\" does not exist, operation ignored.\n",user);
errors++;
}
else
{
char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
char type = row[DB_srptype][0];
if (type == 'v')
{
BIO_printf(bio_err,"user \"%s\" already updated, operation ignored.\n",user);
errors++;
}
else
{
char *gNid;
if (row[DB_srptype][0] == 'V')
{
int user_gN;
char **irow = NULL;
VERBOSE BIO_printf(bio_err,"Verifying password for user \"%s\"\n",user);
if ( (user_gN = get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0)
irow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
if (!srp_verify_user(user, row[DB_srpverifier], row[DB_srpsalt], irow ? irow[DB_srpsalt] : row[DB_srpgN], irow ? irow[DB_srpverifier] : NULL, passin, bio_err, verbose))
{
BIO_printf(bio_err, "Invalid password for user \"%s\", operation abandoned.\n", user);
errors++;
goto err;
}
}
VERBOSE BIO_printf(bio_err,"Password for user \"%s\" ok.\n",user);
if (!(gNid=srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:NULL, gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose)))
{
BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
errors++;
goto err;
}
row[DB_srptype][0] = 'v';
row[DB_srpgN] = BUF_strdup(gNid);
if (!row[DB_srpid] || !row[DB_srpgN] || !row[DB_srptype] || !row[DB_srpverifier] || !row[DB_srpsalt] ||
(userinfo && (!(row[DB_srpinfo] = BUF_strdup(userinfo)))))
goto err;
doupdatedb = 1;
}
}
}
else if (delete_user)
{
if (userindex < 0)
{
BIO_printf(bio_err, "user \"%s\" does not exist, operation ignored. t\n", user);
errors++;
}
else
{
char **xpp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
BIO_printf(bio_err, "user \"%s\" revoked. t\n", user);
xpp[DB_srptype][0] = 'R';
doupdatedb = 1;
}
}
if (--argc > 0)
user = *(argv++) ;
else
{
user = NULL;
list_user = 0;
}
}
VERBOSE BIO_printf(bio_err,"User procession done.\n");
if (doupdatedb)
{
/* Lets check some fields */
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
if (pp[DB_srptype][0] == 'v')
{
pp[DB_srptype][0] = 'V';
print_user(db, bio_err, i, verbose);
}
}
VERBOSE BIO_printf(bio_err, "Trying to update srpvfile.\n");
if (!save_index(dbfile, "new", db)) goto err;
VERBOSE BIO_printf(bio_err, "Temporary srpvfile created.\n");
if (!rotate_index(dbfile, "new", "old")) goto err;
VERBOSE BIO_printf(bio_err, "srpvfile updated.\n");
}
ret = (errors != 0);
err:
if (errors != 0)
VERBOSE BIO_printf(bio_err,"User errors %d.\n",errors);
VERBOSE BIO_printf(bio_err,"SRP terminating with code %d.\n",ret);
if(tofree)
OPENSSL_free(tofree);
if (ret) ERR_print_errors(bio_err);
if (randfile) app_RAND_write_file(randfile, bio_err);
if (conf) NCONF_free(conf);
if (db) free_index(db);
OBJ_cleanup();
apps_shutdown();
OPENSSL_EXIT(ret);
}
#endif