Permalink
Browse files

SRP module documentation

Signed-off-by: Antoine Salon <asalon@vmware.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl/openssl#7522)
  • Loading branch information...
evqna authored and mattcaswell committed Oct 25, 2018
1 parent d9720a5 commit 495a1e5c3aec4d44558cd86161b8385f1b1b6822
@@ -44,13 +44,13 @@ static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y, const BIGNUM *N)

static BIGNUM *srp_Calc_k(const BIGNUM *N, const BIGNUM *g)
{
/* k = SHA1(N | PAD(g)) -- tls-srp draft 8 */
/* k = SHA1(N | PAD(g)) -- tls-srp RFC 5054 */
return srp_Calc_xy(N, g, N);
}

BIGNUM *SRP_Calc_u(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N)
{
/* k = SHA1(PAD(A) || PAD(B) ) -- tls-srp draft 8 */
/* u = SHA1(PAD(A) || PAD(B) ) -- tls-srp RFC 5054 */
return srp_Calc_xy(A, B, N);
}

@@ -254,13 +254,13 @@ static SRP_gN knowngN[] = {

/*
* Check if G and N are known parameters. The values have been generated
* from the ietf-tls-srp draft version 8
* from the IETF RFC 5054
*/
char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N)
{
size_t i;
if ((g == NULL) || (N == NULL))
return 0;
return NULL;

for (i = 0; i < KNOWN_GN_NUMBER; i++) {
if (BN_cmp(knowngN[i].g, g) == 0 && BN_cmp(knowngN[i].N, N) == 0)
@@ -340,12 +340,13 @@ static SRP_gN *SRP_get_gN_by_id(const char *id, STACK_OF(SRP_gN) *gN_tab)
int i;

SRP_gN *gN;
if (gN_tab != NULL)
if (gN_tab != NULL) {
for (i = 0; i < sk_SRP_gN_num(gN_tab); i++) {
gN = sk_SRP_gN_value(gN_tab, i);
if (gN && (id == NULL || strcmp(gN->id, id) == 0))
return gN;
}
}

return SRP_get_default_gN(id);
}
@@ -374,9 +375,13 @@ static BIGNUM *SRP_gN_place_bn(STACK_OF(SRP_gN_cache) *gN_cache, char *ch)
}

/*
* this function parses verifier file. Format is:
* string(index):base64(N):base64(g):0
* string(username):base64(v):base64(salt):int(index)
* This function parses the verifier file generated by the srp app.
* The format for each entry is:
* V base64(verifier) base64(salt) username gNid userinfo(optional)
* or
* I base64(N) base64(g)
* Note that base64 is the SRP variant of base64 encoding described
* in t_fromb64().
*/

int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file)
@@ -605,7 +610,7 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
g_bn = g_bn_alloc;
defgNid = "*";
} else {
SRP_gN *gN = SRP_get_gN_by_id(g, NULL);
SRP_gN *gN = SRP_get_default_gN(g);
if (gN == NULL)
goto err;
N_bn = gN->N;
@@ -25,7 +25,7 @@ B<openssl srp>

=head1 DESCRIPTION

The B<srp> command is user to maintain an SRP (secure remote password)
The B<srp> command is used to maintain an SRP (secure remote password)
file.
At most one of the B<-add>, B<-modify>, B<-delete>, and B<-list> options
can be specified.
@@ -0,0 +1,91 @@
=pod

=head1 NAME

SRP_VBASE_new,
SRP_VBASE_free,
SRP_user_pwd_free,
SRP_VBASE_init,
SRP_VBASE_get1_by_user,
SRP_VBASE_get_by_user
- Functions to create and manage a stack of SRP user verifier information

=head1 SYNOPSIS

#include <openssl/srp.h>

SRP_VBASE *SRP_VBASE_new(char *seed_key);
void SRP_VBASE_free(SRP_VBASE *vb);
void SRP_user_pwd_free(SRP_user_pwd *user_pwd);

int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);

SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username);
SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);

=head1 DESCRIPTION

The SRP_VBASE_new() function allocates a structure to store server side SRP
verifier information. If B<seed_key> is not NULL a copy is stored and used to
generate dummy parameters for users that are not found by SRP_VBASE_get1_by_user().
This allows the server to hide the fact that it doesn't have a verifier for a
particular username, as described in section 2.5.1.3 'Unknown SRP' of RFC 5054.
The seed string should contain random NUL terminated binary data (therefore
the random data should not contain NUL bytes!).

The SRP_VBASE_free() function frees up the B<vb> structure.
If B<vb> is NULL, nothing is done.

The SRP_user_pwd_free() function frees up the B<user_pwd> structure.
If B<user_pwd> is NULL, nothing is done.

The SRP_VBASE_init() function parses the information in a verifier file and
populates the B<vb> structure.
The verifier file is a text file containing multiple entries, whose format is:
flag base64(verifier) base64(salt) username gNid userinfo(optional)
where the flag can be 'V' (valid) or 'R' (revoked).
Note that the base64 encoding used here is non-standard so it is recommended
to use L<srp(1)> to generate this file.

The SRP_VBASE_get1_by_user() function returns the password info for the user
whose username matches B<username>. It replaces the deprecated
SRP_VBASE_get_by_user().
If no matching user is found but a seed_key and default gN parameters have been
set, dummy authentication information is generated from the seed_key, allowing
the server to hide the fact that it doesn't have a verifier for a particular
username. When using SRP as a TLS authentication mechanism, this will cause
the handshake to proceed normally but the first client will be rejected with
a "bad_record_mac" alert, as if the password was incorrect.
If no matching user is found and the seed_key is not set, NULL is returned.
Ownership of the returned pointer is released to the caller, it must be freed
with SRP_user_pwd_free().

=head1 RETURN VALUES

SRP_VBASE_init() returns B<SRP_NO_ERROR> (0) on success and a positive value
on failure.
The error codes are B<SRP_ERR_OPEN_FILE> if the file could not be opened,
B<SRP_ERR_VBASE_INCOMPLETE_FILE> if the file could not be parsed,
B<SRP_ERR_MEMORY> on memory allocation failure and B<SRP_ERR_VBASE_BN_LIB>
for invalid decoded parameter values.

=head1 SEE ALSO

L<srp(1)>,
L<SRP_create_verifier(3)>,
L<SSL_CTX_set_srp_password(3)>

=head1 HISTORY

These functions were first added to OpenSSL 1.0.1.

=head1 COPYRIGHT

Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
@@ -0,0 +1,115 @@
=pod

=head1 NAME

SRP_create_verifier,
SRP_create_verifier_BN,
SRP_check_known_gN_param,
SRP_get_default_gN
- SRP authentication primitives

=head1 SYNOPSIS

#include <openssl/srp.h>

char *SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
BIGNUM **verifier, const BIGNUM *N, const BIGNUM *g);
char *SRP_create_verifier(const char *user, const char *pass, char **salt,
char **verifier, const char *N, const char *g);

char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N);
SRP_gN *SRP_get_default_gN(const char *id);

=head1 DESCRIPTION

The SRP_create_verifier_BN() function creates an SRP password verifier from
the supplied parameters as defined in section 2.4 of RFC 5054.
On successful exit B<*verifier> will point to a newly allocated BIGNUM containing
the verifier and (if a salt was not provided) B<*salt> will be populated with a
newly allocated BIGNUM containing a random salt. If B<*salt> is not NULL then
the provided salt is used instead.
The caller is responsible for freeing the allocated B<*salt> and B<*verifier>
BIGNUMS (use L<BN_free(3)>).

The SRP_create_verifier() function is similar to SRP_create_verifier_BN() but
all numeric parameters are in a non-standard base64 encoding originally designed
for compatibility with libsrp. This is mainly present for historical compatibility
and its use is discouraged.
It is possible to pass NULL as B<N> and an SRP group id as B<g> instead to
load the appropriate gN values (see SRP_get_default_gN()).
If both B<N> and B<g> are NULL the 8192-bit SRP group parameters are used.
The caller is responsible for freeing the allocated *salt and *verifier char*
(use L<OPENSSL_free(3)>).

The SRP_check_known_gN_param() function checks that B<g> and B<N> are valid
SRP group parameters from RFC 5054 appendix A.

The SRP_get_default_gN() function returns the gN parameters for the RFC 5054 B<id>
SRP group size.
The known ids are "1024", "1536", "2048", "3072", "4096", "6144" and "8192".

=head1 RETURN VALUES

SRP_create_verifier_BN() returns 1 on success and 0 on failure.

SRP_create_verifier() returns NULL on failure and a non-NULL value on success:
"*" if B<N> is not NULL, the selected group id otherwise. This value should
not be freed.

SRP_check_known_gN_param() returns the text representation of the group id
(ie. the prime bit size) or NULL if the arguments are not valid SRP group parameters.
This value should not be freed.

SRP_get_default_gN() returns NULL if B<id> is not a valid group size,
or the 8192-bit group parameters if B<id> is NULL.

=head1 EXAMPLES

Generate and store a 8192 bit password verifier (error handling
omitted for clarity):

#include <openssl/bn.h>
#include <openssl/srp.h>

const char *username = "username";
const char *password = "password";

SRP_VBASE *srpData = SRP_VBASE_new(NULL);

SRP_user_pwd *pwd = (SRP_user_pwd*) OPENSSL_malloc(sizeof(SRP_user_pwd));
SRP_gN *gN = SRP_get_default_gN("8192");

BIGNUM *salt = NULL, *verifier = NULL;
SRP_create_verifier_BN(username, password, &salt, &verifier, gN->N, gN->g);

// TODO: replace with SRP_user_pwd_new()
pwd->id = OPENSSL_strdup(username);
pwd->g = gN->g;
pwd->N = gN->N;
pwd->s = salt;
pwd->v = verifier;
pwd->info = NULL;

sk_SRP_user_pwd_push(srpData->users_pwd, pwd);

=head1 SEE ALSO

L<srp(1)>,
L<BN_new(3)>,
L<OPENSSL_malloc(3)>,
L<SRP_VBASE_new(3)>

=head1 HISTORY

These functions were first added to OpenSSL 1.0.1.

=head1 COPYRIGHT

Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
@@ -26,9 +26,11 @@ after another.
SSL_CTX_get_extra_chain_certs() retrieves the extra chain certificates
associated with B<ctx>, or the chain associated with the current certificate
of B<ctx> if the extra chain is empty.
The returned stack should not be freed by the caller.

SSL_CTX_get_extra_chain_certs_only() retrieves the extra chain certificates
associated with B<ctx>.
The returned stack should not be freed by the caller.

SSL_CTX_clear_extra_chain_certs() clears all extra chain certificates
associated with B<ctx>.
Oops, something went wrong.

0 comments on commit 495a1e5

Please sign in to comment.