#include <openssl/rand.h>
#include <openssl/ocsp.h>
#include <openssl/bn.h>
-#ifndef OPENSSL_NO_SRP
-#include <openssl/srp.h>
-#endif
#include "s_apps.h"
#include "timeouts.h"
#ifndef OPENSSL_NO_JPAKE
BIO_printf(bio_err, " -jpake arg - JPAKE secret to use\n");
#endif
-#endif
-#ifndef OPENSSL_NO_SRP
- BIO_printf(bio_err, " -srpuser user - SRP authentification for 'user'\n");
- BIO_printf(bio_err, " -srppass arg - password for 'user'\n");
- BIO_printf(bio_err, " -srp_lateuser - SRP username into second ClientHello message\n");
- BIO_printf(bio_err, " -srp_moregroups - Tolerate other than the known g N values.\n");
- BIO_printf(bio_err, " -srp_strength int - minimal mength in bits for N (default %d).\n", SRP_MINIMAL_N);
#endif
BIO_printf(bio_err, " -ssl3 - just use SSLv3\n");
BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n");
return SSL_TLSEXT_ERR_OK;
}
-#ifndef OPENSSL_NO_SRP
-
-/* This is a context that we pass to all callbacks */
-typedef struct srp_arg_st {
- char *srppassin;
- char *srplogin;
- int msg; /* copy from c_msg */
- int debug; /* copy from c_debug */
- int amp; /* allow more groups */
- int strength /* minimal size for N */ ;
-} SRP_ARG;
-
-#define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
-
-static int
-srp_Verify_N_and_g(BIGNUM * N, BIGNUM * g)
-{
- BN_CTX *bn_ctx = BN_CTX_new();
- BIGNUM *p = BN_new();
- BIGNUM *r = BN_new();
- int ret =
- g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
- BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
- p != NULL && BN_rshift1(p, N) &&
-
- /* p = (N-1)/2 */
- BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
- r != NULL &&
-
- /* verify g^((N-1)/2) == -1 (mod N) */
- BN_mod_exp(r, g, p, N, bn_ctx) &&
- BN_add_word(r, 1) &&
- BN_cmp(r, N) == 0;
-
- if (r)
- BN_free(r);
- if (p)
- BN_free(p);
- if (bn_ctx)
- BN_CTX_free(bn_ctx);
- return ret;
-}
-
-/* This callback is used here for two purposes:
- - extended debugging
- - making some primality tests for unknown groups
- The callback is only called for a non default group.
-
- An application does not need the call back at all if
- only the stanard groups are used. In real life situations,
- client and server already share well known groups,
- thus there is no need to verify them.
- Furthermore, in case that a server actually proposes a group that
- is not one of those defined in RFC 5054, it is more appropriate
- to add the group to a static list and then compare since
- primality tests are rather cpu consuming.
-*/
-
-static int
-ssl_srp_verify_param_cb(SSL * s, void *arg)
-{
- SRP_ARG *srp_arg = (SRP_ARG *) arg;
- BIGNUM *N = NULL, *g = NULL;
- if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
- return 0;
- if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) {
- BIO_printf(bio_err, "SRP parameters:\n");
- BIO_printf(bio_err, "\tN=");
- BN_print(bio_err, N);
- BIO_printf(bio_err, "\n\tg=");
- BN_print(bio_err, g);
- BIO_printf(bio_err, "\n");
- }
- if (SRP_check_known_gN_param(g, N))
- return 1;
-
- if (srp_arg->amp == 1) {
- if (srp_arg->debug)
- BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
-
-/* The srp_moregroups is a real debugging feature.
- Implementors should rather add the value to the known ones.
- The minimal size has already been tested.
-*/
- if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N, g))
- return 1;
- }
- BIO_printf(bio_err, "SRP param N and g rejected.\n");
- return 0;
-}
-
-#define PWD_STRLEN 1024
-
-static char *
-ssl_give_srp_client_pwd_cb(SSL * s, void *arg)
-{
- SRP_ARG *srp_arg = (SRP_ARG *) arg;
- char *pass = (char *) malloc(PWD_STRLEN + 1);
- PW_CB_DATA cb_tmp;
- int l;
-
- cb_tmp.password = (char *) srp_arg->srppassin;
- cb_tmp.prompt_info = "SRP user";
- if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) {
- BIO_printf(bio_err, "Can't read Password\n");
- free(pass);
- return NULL;
- }
- *(pass + l) = '\0';
-
- return pass;
-}
-
-#endif
#ifndef OPENSSL_NO_SRTP
char *srtp_profiles = NULL;
#endif
#ifndef OPENSSL_NO_JPAKE
char *jpake_secret = NULL;
#endif
-#ifndef OPENSSL_NO_SRP
- char *srppass = NULL;
- int srp_lateuser = 0;
- SRP_ARG srp_arg = {NULL, NULL, 0, 0, 0, 1024};
-#endif
meth = SSLv23_client_method();
goto bad;
}
}
-#endif
-#ifndef OPENSSL_NO_SRP
- else if (strcmp(*argv, "-srpuser") == 0) {
- if (--argc < 1)
- goto bad;
- srp_arg.srplogin = *(++argv);
- meth = TLSv1_client_method();
- } else if (strcmp(*argv, "-srppass") == 0) {
- if (--argc < 1)
- goto bad;
- srppass = *(++argv);
- meth = TLSv1_client_method();
- } else if (strcmp(*argv, "-srp_strength") == 0) {
- if (--argc < 1)
- goto bad;
- srp_arg.strength = atoi(*(++argv));
- BIO_printf(bio_err, "SRP minimal length for N is %d\n", srp_arg.strength);
- meth = TLSv1_client_method();
- } else if (strcmp(*argv, "-srp_lateuser") == 0) {
- srp_lateuser = 1;
- meth = TLSv1_client_method();
- } else if (strcmp(*argv, "-srp_moregroups") == 0) {
- srp_arg.amp = 1;
- meth = TLSv1_client_method();
- }
#endif
else if (strcmp(*argv, "-ssl3") == 0)
meth = SSLv3_client_method();
bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE);
}
}
-#ifndef OPENSSL_NO_SRP
- if (!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL)) {
- BIO_printf(bio_err, "Error getting password\n");
- goto end;
- }
-#endif
ctx = SSL_CTX_new(meth);
if (ctx == NULL) {
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
}
-#ifndef OPENSSL_NO_SRP
- if (srp_arg.srplogin) {
- if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) {
- BIO_printf(bio_err, "Unable to set SRP username\n");
- goto end;
- }
- srp_arg.msg = c_msg;
- srp_arg.debug = c_debug;
- SSL_CTX_set_srp_cb_arg(ctx, &srp_arg);
- SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
- SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
- if (c_msg || c_debug || srp_arg.amp == 0)
- SSL_CTX_set_srp_verify_param_callback(ctx, ssl_srp_verify_param_cb);
- }
-#endif
#endif
con = SSL_new(ctx);
#ifndef OPENSSL_NO_RSA
#include <openssl/rsa.h>
#endif
-#ifndef OPENSSL_NO_SRP
-#include <openssl/srp.h>
-#endif
#include "s_apps.h"
#include "timeouts.h"
}
#endif
-#ifndef OPENSSL_NO_SRP
-/* This is a context that we pass to callbacks */
-typedef struct srpsrvparm_st {
- char *login;
- SRP_VBASE *vb;
- SRP_user_pwd *user;
-} srpsrvparm;
-
-/* This callback pretends to require some asynchronous logic in order to obtain
- a verifier. When the callback is called for a new connection we return
- with a negative value. This will provoke the accept etc to return with
- an LOOKUP_X509. The main logic of the reinvokes the suspended call
- (which would normally occur after a worker has finished) and we
- set the user parameters.
-*/
-static int
-ssl_srp_server_param_cb(SSL * s, int *ad, void *arg)
-{
- srpsrvparm *p = (srpsrvparm *) arg;
- if (p->login == NULL && p->user == NULL) {
- p->login = SSL_get_srp_username(s);
- BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
- return (-1);
- }
- if (p->user == NULL) {
- BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
- return SSL3_AL_FATAL;
- }
- if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v,
- p->user->info) < 0) {
- *ad = SSL_AD_INTERNAL_ERROR;
- return SSL3_AL_FATAL;
- }
- BIO_printf(bio_err, "SRP parameters set: username = \"%s\" info=\"%s\" \n", p->login, p->user->info);
- /* need to check whether there are memory leaks */
- p->user = NULL;
- p->login = NULL;
- return SSL_ERROR_NONE;
-}
-
-#endif
static void
s_server_init(void)
#ifndef OPENSSL_NO_JPAKE
BIO_printf(bio_err, " -jpake arg - JPAKE secret to use\n");
#endif
-#endif
-#ifndef OPENSSL_NO_SRP
- BIO_printf(bio_err, " -srpvfile file - The verifier file for SRP\n");
- BIO_printf(bio_err, " -srpuserseed string - A seed string for a default user salt.\n");
#endif
BIO_printf(bio_err, " -ssl2 - Just talk SSLv2\n");
BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n");
#ifndef OPENSSL_NO_JPAKE
static char *jpake_secret = NULL;
#endif
-#ifndef OPENSSL_NO_SRP
-static srpsrvparm srp_callback_parm;
-#endif
#ifndef OPENSSL_NO_SRTP
static char *srtp_profiles = NULL;
#endif
#ifndef OPENSSL_NO_PSK
/* by default do not send a PSK identity hint */
static char *psk_identity_hint = NULL;
-#endif
-#ifndef OPENSSL_NO_SRP
- char *srpuserseed = NULL;
- char *srp_verifier_file = NULL;
#endif
meth = SSLv23_server_method();
goto bad;
}
}
-#endif
-#ifndef OPENSSL_NO_SRP
- else if (strcmp(*argv, "-srpvfile") == 0) {
- if (--argc < 1)
- goto bad;
- srp_verifier_file = *(++argv);
- meth = TLSv1_server_method();
- } else if (strcmp(*argv, "-srpuserseed") == 0) {
- if (--argc < 1)
- goto bad;
- srpuserseed = *(++argv);
- meth = TLSv1_server_method();
- }
#endif
else if (strcmp(*argv, "-www") == 0) {
www = 1;
}
#endif
-#ifndef OPENSSL_NO_SRP
- if (srp_verifier_file != NULL) {
- srp_callback_parm.vb = SRP_VBASE_new(srpuserseed);
- srp_callback_parm.user = NULL;
- srp_callback_parm.login = NULL;
- if ((ret = SRP_VBASE_init(srp_callback_parm.vb, srp_verifier_file)) != SRP_NO_ERROR) {
- BIO_printf(bio_err,
- "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
- srp_verifier_file, ret);
- goto end;
- }
- SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
- SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm);
- SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
- } else
-#endif
if (CAfile != NULL) {
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
#ifndef OPENSSL_NO_TLSEXT
}
#endif
k = SSL_write(con, &(buf[l]), (unsigned int) i);
-#ifndef OPENSSL_NO_SRP
- while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
- BIO_printf(bio_s_out, "LOOKUP renego during write\n");
- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
- k = SSL_write(con, &(buf[l]), (unsigned int) i);
- }
-#endif
switch (SSL_get_error(con, k)) {
case SSL_ERROR_NONE:
break;
} else {
again:
i = SSL_read(con, (char *) buf, bufsize);
-#ifndef OPENSSL_NO_SRP
- while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
- BIO_printf(bio_s_out, "LOOKUP renego during read\n");
- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
- i = SSL_read(con, (char *) buf, bufsize);
- }
-#endif
switch (SSL_get_error(con, i)) {
case SSL_ERROR_NONE:
write(fileno(stdout), buf,
i = SSL_accept(con);
-#ifndef OPENSSL_NO_SRP
- while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
- BIO_printf(bio_s_out, "LOOKUP during accept %s\n", srp_callback_parm.login);
- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
- i = SSL_accept(con);
- }
-#endif
if (i <= 0) {
if (BIO_sock_should_retry(i)) {
BIO_printf(bio_s_out, "DELAY\n");
for (;;) {
if (hack) {
i = SSL_accept(con);
-#ifndef OPENSSL_NO_SRP
- while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
- BIO_printf(bio_s_out, "LOOKUP during accept %s\n", srp_callback_parm.login);
- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
- i = SSL_accept(con);
- }
-#endif
switch (SSL_get_error(con, i)) {
case SSL_ERROR_NONE:
break;
+++ /dev/null
-/* apps/srp.c */
-/* Written by Peter Sylvester (peter.sylvester@edelweb.fr)
- * for the EdelKey project and contributed to the OpenSSL project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <openssl/opensslconf.h>
-
-#ifndef OPENSSL_NO_SRP
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <openssl/conf.h>
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/txt_db.h>
-#include <openssl/buffer.h>
-#include <openssl/srp.h>
-
-#include "apps.h"
-
-
-#define BASE_SECTION "srp"
-
-#define ENV_RANDFILE "RANDFILE"
-
-#define ENV_DATABASE "srpvfile"
-#define ENV_DEFAULT_SRP "default_srp"
-
-static char *srp_usage[] = {
- "usage: srp [args] [user] \n",
- "\n",
- " -verbose Talk alot while doing things\n",
- " -config file A config file\n",
- " -name arg The particular srp definition to use\n",
- " -srpvfile arg The srp verifier file name\n",
- " -add add an user and srp verifier\n",
- " -modify modify the srp verifier of an existing user\n",
- " -delete delete user from verifier file\n",
- " -list list user\n",
- " -gn arg g and N values to be used for new verifier\n",
- " -userinfo arg additional info to be set for user\n",
- " -passin arg input file pass phrase source\n",
- " -passout arg output file pass phrase source\n",
-#ifndef OPENSSL_NO_ENGINE
- " -engine e - use engine e, possibly a hardware device.\n",
-#endif
- NULL
-};
-
-#ifdef EFENCE
-extern int EF_PROTECT_FREE;
-extern int EF_PROTECT_BELOW;
-extern int EF_ALIGNMENT;
-#endif
-
-static CONF *conf = NULL;
-static char *section = NULL;
-
-#define VERBOSE if (verbose)
-#define VVERBOSE if (verbose>1)
-
-
-int srp_main(int, char **);
-
-static int
-get_index(CA_DB * db, char *id, char type)
-{
- char **pp;
- int i;
- if (id == NULL)
- return -1;
- if (type == DB_SRP_INDEX)
- for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
- pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
- if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id, pp[DB_srpid]))
- return i;
- }
- else
- for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
- pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
-
- if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id, pp[DB_srpid]))
- return i;
- }
-
- return -1;
-}
-
-static void
-print_entry(CA_DB * db, BIO * bio, int indx, int verbose, char *s)
-{
- if (indx >= 0 && verbose) {
- int j;
- char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx);
- BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]);
- for (j = 0; j < DB_NUMBER; j++) {
- BIO_printf(bio_err, " %d = \"%s\"\n", j, pp[j]);
- }
- }
-}
-
-static void
-print_index(CA_DB * db, BIO * bio, int indexindex, int verbose)
-{
- print_entry(db, bio, indexindex, verbose, "g N entry");
-}
-
-static void
-print_user(CA_DB * db, BIO * bio, int userindex, int verbose)
-{
- if (verbose > 0) {
- char **pp = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
-
- if (pp[DB_srptype][0] != 'I') {
- print_entry(db, bio, userindex, verbose, "User entry");
- print_entry(db, bio, get_index(db, pp[DB_srpgN], 'I'), verbose, "g N entry");
- }
- }
-}
-
-static int
-update_index(CA_DB * db, BIO * bio, char **row)
-{
- char **irow;
- int i;
-
- if ((irow = (char **) malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- return 0;
- }
- for (i = 0; i < DB_NUMBER; i++) {
- irow[i] = row[i];
- row[i] = NULL;
- }
- irow[DB_NUMBER] = NULL;
-
- if (!TXT_DB_insert(db->db, irow)) {
- BIO_printf(bio, "failed to update srpvfile\n");
- BIO_printf(bio, "TXT_DB error number %ld\n", db->db->error);
- free(irow);
- return 0;
- }
- return 1;
-}
-
-static void
-lookup_fail(const char *name, char *tag)
-{
- BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
-}
-
-
-static char *
-srp_verify_user(const char *user, const char *srp_verifier,
- char *srp_usersalt, const char *g, const char *N,
- const char *passin, BIO * bio, int verbose)
-{
- char password[1024];
- PW_CB_DATA cb_tmp;
- char *verifier = NULL;
- char *gNid = NULL;
-
- cb_tmp.prompt_info = user;
- cb_tmp.password = passin;
-
- if (password_callback(password, 1024, 0, &cb_tmp) > 0) {
- VERBOSE BIO_printf(bio, "Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n", user, srp_verifier, srp_usersalt, g, N);
- BIO_printf(bio, "Pass %s\n", password);
-
- if (!(gNid = SRP_create_verifier(user, password, &srp_usersalt, &verifier, N, g))) {
- BIO_printf(bio, "Internal error validating SRP verifier\n");
- } else {
- if (strcmp(verifier, srp_verifier))
- gNid = NULL;
- free(verifier);
- }
- }
- return gNid;
-}
-
-static char *
-srp_create_user(char *user, char **srp_verifier,
- char **srp_usersalt, char *g, char *N,
- char *passout, BIO * bio, int verbose)
-{
- char password[1024];
- PW_CB_DATA cb_tmp;
- char *gNid = NULL;
- char *salt = NULL;
- cb_tmp.prompt_info = user;
- cb_tmp.password = passout;
-
- if (password_callback(password, 1024, 1, &cb_tmp) > 0) {
- VERBOSE BIO_printf(bio, "Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n", user, g, N);
- if (!(gNid = SRP_create_verifier(user, password, &salt, srp_verifier, N, g))) {
- BIO_printf(bio, "Internal error creating SRP verifier\n");
- } else
- *srp_usersalt = salt;
- VVERBOSE BIO_printf(bio, "gNid=%s salt =\"%s\"\n verifier =\"%s\"\n", gNid, salt, *srp_verifier);
-
- }
- return gNid;
-}
-
-int
-srp_main(int argc, char **argv)
-{
- int add_user = 0;
- int list_user = 0;
- int delete_user = 0;
- int modify_user = 0;
- char *user = NULL;
-
- char *passargin = NULL, *passargout = NULL;
- char *passin = NULL, *passout = NULL;
- char *gN = NULL;
- int gNindex = -1;
- char **gNrow = NULL;
- int maxgN = -1;
-
- char *userinfo = NULL;
-
- int badops = 0;
- int ret = 1;
- int errors = 0;
- int verbose = 0;
- int doupdatedb = 0;
- char *configfile = NULL;
- char *dbfile = NULL;
- CA_DB *db = NULL;
- char **pp;
- int i;
- long errorline = -1;
-#ifndef OPENSSL_NO_ENGINE
- char *engine = NULL;
-#endif
- char *tofree = NULL;
- DB_ATTR db_attr;
-
-#ifdef EFENCE
- EF_PROTECT_FREE = 1;
- EF_PROTECT_BELOW = 1;
- EF_ALIGNMENT = 0;
-#endif
-
- signal(SIGPIPE, SIG_IGN);
-
- conf = NULL;
- section = NULL;
-
- if (bio_err == NULL)
- if ((bio_err = BIO_new(BIO_s_file())) != NULL)
- BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
- argc--;
- argv++;
- while (argc >= 1 && badops == 0) {
- if (strcmp(*argv, "-verbose") == 0)
- verbose++;
- else if (strcmp(*argv, "-config") == 0) {
- if (--argc < 1)
- goto bad;
- configfile = *(++argv);
- } else if (strcmp(*argv, "-name") == 0) {
- if (--argc < 1)
- goto bad;
- section = *(++argv);
- } else if (strcmp(*argv, "-srpvfile") == 0) {
- if (--argc < 1)
- goto bad;
- dbfile = *(++argv);
- } else if (strcmp(*argv, "-add") == 0)
- add_user = 1;
- else if (strcmp(*argv, "-delete") == 0)
- delete_user = 1;
- else if (strcmp(*argv, "-modify") == 0)
- modify_user = 1;
- else if (strcmp(*argv, "-list") == 0)
- list_user = 1;
- else if (strcmp(*argv, "-gn") == 0) {
- if (--argc < 1)
- goto bad;
- gN = *(++argv);
- } else if (strcmp(*argv, "-userinfo") == 0) {
- if (--argc < 1)
- goto bad;
- userinfo = *(++argv);
- } else if (strcmp(*argv, "-passin") == 0) {
- if (--argc < 1)
- goto bad;
- passargin = *(++argv);
- } else if (strcmp(*argv, "-passout") == 0) {
- if (--argc < 1)
- goto bad;
- passargout = *(++argv);
- }
-#ifndef OPENSSL_NO_ENGINE
- else if (strcmp(*argv, "-engine") == 0) {
- if (--argc < 1)
- goto bad;
- engine = *(++argv);
- }
-#endif
-
- else if (**argv == '-') {
- bad:
- BIO_printf(bio_err, "unknown option %s\n", *argv);
- badops = 1;
- break;
- } else
- break;
-
- argc--;
- argv++;
- }
-
- if (dbfile && configfile) {
- BIO_printf(bio_err, "-dbfile and -configfile cannot be specified together.\n");
- badops = 1;
- }
- if (add_user + delete_user + modify_user + list_user != 1) {
- BIO_printf(bio_err, "Exactly one of the options -add, -delete, -modify -list must be specified.\n");
- badops = 1;
- }
- if (delete_user + modify_user + delete_user == 1 && argc <= 0) {
- BIO_printf(bio_err, "Need at least one user for options -add, -delete, -modify. \n");
- badops = 1;
- }
- if ((passin || passout) && argc != 1) {
- BIO_printf(bio_err, "-passin, -passout arguments only valid with one user.\n");
- badops = 1;
- }
- if (badops) {
- for (pp = srp_usage; (*pp != NULL); pp++)
- BIO_printf(bio_err, "%s", *pp);
-
- BIO_printf(bio_err, " -rand file:file:...\n");
- BIO_printf(bio_err, " load the file (or the files in the directory) into\n");
- BIO_printf(bio_err, " the random number generator\n");
- goto err;
- }
- ERR_load_crypto_strings();
-
-#ifndef OPENSSL_NO_ENGINE
- setup_engine(bio_err, engine, 0);
-#endif
-
- if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
- BIO_printf(bio_err, "Error getting passwords\n");
- goto err;
- }
- if (!dbfile) {
-
-
- /*****************************************************************/
- tofree = NULL;
- if (configfile == NULL)
- configfile = getenv("OPENSSL_CONF");
- if (configfile == NULL)
- configfile = getenv("SSLEAY_CONF");
- if (configfile == NULL) {
- if ((tofree = make_config_name()) == NULL) {
- BIO_printf(bio_err, "error making config file name\n");
- goto err;
- }
- configfile = tofree;
- }
- VERBOSE BIO_printf(bio_err, "Using configuration from %s\n", configfile);
- conf = NCONF_new(NULL);
- if (NCONF_load(conf, configfile, &errorline) <= 0) {
- if (errorline <= 0)
- BIO_printf(bio_err, "error loading the config file '%s'\n",
- configfile);
- else
- BIO_printf(bio_err, "error on line %ld of config file '%s'\n"
- ,errorline, configfile);
- goto err;
- }
- if (tofree) {
- free(tofree);
- tofree = NULL;
- }
- if (!load_config(bio_err, conf))
- goto err;
-
- /* Lets get the config section we are using */
- if (section == NULL) {
- VERBOSE BIO_printf(bio_err, "trying to read " ENV_DEFAULT_SRP " in \" BASE_SECTION \"\n");
-
- section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_SRP);
- if (section == NULL) {
- lookup_fail(BASE_SECTION, ENV_DEFAULT_SRP);
- goto err;
- }
- }
-
- VERBOSE BIO_printf(bio_err, "trying to read " ENV_DATABASE " in section \"%s\"\n", section);
-
- if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
- lookup_fail(section, ENV_DATABASE);
- goto err;
- }
- }
- ERR_clear_error();
-
- VERBOSE BIO_printf(bio_err, "Trying to read SRP verifier file \"%s\"\n", dbfile);
-
- db = load_index(dbfile, &db_attr);
- if (db == NULL)
- goto err;
-
- /* Lets check some fields */
- for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
- pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
-
- if (pp[DB_srptype][0] == DB_SRP_INDEX) {
- maxgN = i;
- if (gNindex < 0 && gN != NULL && !strcmp(gN, pp[DB_srpid]))
- gNindex = i;
-
- print_index(db, bio_err, i, verbose > 1);
- }
- }
-
- VERBOSE BIO_printf(bio_err, "Database initialised\n");
-
- if (gNindex >= 0) {
- gNrow = sk_OPENSSL_PSTRING_value(db->db->data, gNindex);
- print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N");
- } else if (maxgN > 0 && !SRP_get_default_gN(gN)) {
- BIO_printf(bio_err, "No g and N value for index \"%s\"\n", gN);
- goto err;
- } else {
- VERBOSE BIO_printf(bio_err, "Database has no g N information.\n");
- gNrow = NULL;
- }
-
-
- VVERBOSE BIO_printf(bio_err, "Starting user processing\n");
-
- if (argc > 0)
- user = *(argv++);
-
- while (list_user || user) {
- int userindex = -1;
- if (user)
- VVERBOSE BIO_printf(bio_err, "Processing user \"%s\"\n", user);
- if ((userindex = get_index(db, user, 'U')) >= 0) {
- print_user(db, bio_err, userindex, (verbose > 0) || list_user);
- }
- if (list_user) {
- if (user == NULL) {
- BIO_printf(bio_err, "List all users\n");
-
- for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
- print_user(db, bio_err, i, 1);
- }
- list_user = 0;
- } else if (userindex < 0) {
- BIO_printf(bio_err, "user \"%s\" does not exist, ignored. t\n",
- user);
- errors++;
- }
- } else if (add_user) {
- if (userindex >= 0) {
- /* reactivation of a new user */
- char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
- BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
- row[DB_srptype][0] = 'V';
-
- doupdatedb = 1;
- } else {
- char *row[DB_NUMBER];
- char *gNid;
- row[DB_srpverifier] = NULL;
- row[DB_srpsalt] = NULL;
- row[DB_srpinfo] = NULL;
- if (!(gNid = srp_create_user(user, &(row[DB_srpverifier]), &(row[DB_srpsalt]), gNrow ? gNrow[DB_srpsalt] : gN, gNrow ? gNrow[DB_srpverifier] : NULL, passout, bio_err, verbose))) {
- BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned .\n", user);
- errors++;
- goto err;
- }
- row[DB_srpid] = BUF_strdup(user);
- row[DB_srptype] = BUF_strdup("v");
- row[DB_srpgN] = BUF_strdup(gNid);
-
- if (!row[DB_srpid] || !row[DB_srpgN] || !row[DB_srptype] || !row[DB_srpverifier] || !row[DB_srpsalt] ||
- (userinfo && (!(row[DB_srpinfo] = BUF_strdup(userinfo)))) ||
- !update_index(db, bio_err, row)) {
- if (row[DB_srpid])
- free(row[DB_srpid]);
- if (row[DB_srpgN])
- free(row[DB_srpgN]);
- if (row[DB_srpinfo])
- free(row[DB_srpinfo]);
- if (row[DB_srptype])
- free(row[DB_srptype]);
- if (row[DB_srpverifier])
- free(row[DB_srpverifier]);
- if (row[DB_srpsalt])
- free(row[DB_srpsalt]);
- goto err;
- }
- doupdatedb = 1;
- }
- } else if (modify_user) {
- if (userindex < 0) {
- BIO_printf(bio_err, "user \"%s\" does not exist, operation ignored.\n", user);
- errors++;
- } else {
-
- char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
- char type = row[DB_srptype][0];
- if (type == 'v') {
- BIO_printf(bio_err, "user \"%s\" already updated, operation ignored.\n", user);
- errors++;
- } else {
- char *gNid;
-
- if (row[DB_srptype][0] == 'V') {
- int user_gN;
- char **irow = NULL;
- VERBOSE BIO_printf(bio_err, "Verifying password for user \"%s\"\n", user);
- if ((user_gN = get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0)
- irow = (char **) sk_OPENSSL_PSTRING_value(db->db->data, userindex);
-
- if (!srp_verify_user(user, row[DB_srpverifier], row[DB_srpsalt], irow ? irow[DB_srpsalt] : row[DB_srpgN], irow ? irow[DB_srpverifier] : NULL, passin, bio_err, verbose)) {
- BIO_printf(bio_err, "Invalid password for user \"%s\", operation abandoned.\n", user);
- errors++;
- goto err;
- }
- }
- VERBOSE BIO_printf(bio_err, "Password for user \"%s\" ok.\n", user);
-
- if (!(gNid = srp_create_user(user, &(row[DB_srpverifier]), &(row[DB_srpsalt]), gNrow ? gNrow[DB_srpsalt] : NULL, gNrow ? gNrow[DB_srpverifier] : NULL, passout, bio_err, verbose))) {
- BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
- errors++;
- goto err;
- }
- row[DB_srptype][0] = 'v';
- row[DB_srpgN] = BUF_strdup(gNid);
-
- if (!row[DB_srpid] || !row[DB_srpgN] || !row[DB_srptype] || !row[DB_srpverifier] || !row[DB_srpsalt] ||
- (userinfo && (!(row[DB_srpinfo] = BUF_strdup(userinfo)))))
- goto err;
-
- doupdatedb = 1;
- }
- }
- } else if (delete_user) {
- if (userindex < 0) {
- BIO_printf(bio_err, "user \"%s\" does not exist, operation ignored. t\n", user);
- errors++;
- } else {
- char **xpp = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
- BIO_printf(bio_err, "user \"%s\" revoked. t\n", user);
-
- xpp[DB_srptype][0] = 'R';
-
- doupdatedb = 1;
- }
- }
- if (--argc > 0)
- user = *(argv++);
- else {
- user = NULL;
- list_user = 0;
- }
- }
-
- VERBOSE BIO_printf(bio_err, "User procession done.\n");
-
-
- if (doupdatedb) {
- /* Lets check some fields */
- for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
- pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
-
- if (pp[DB_srptype][0] == 'v') {
- pp[DB_srptype][0] = 'V';
- print_user(db, bio_err, i, verbose);
- }
- }
-
- VERBOSE BIO_printf(bio_err, "Trying to update srpvfile.\n");
- if (!save_index(dbfile, "new", db))
- goto err;
-
- VERBOSE BIO_printf(bio_err, "Temporary srpvfile created.\n");
- if (!rotate_index(dbfile, "new", "old"))
- goto err;
-
- VERBOSE BIO_printf(bio_err, "srpvfile updated.\n");
- }
- ret = (errors != 0);
-err:
- if (errors != 0)
- VERBOSE BIO_printf(bio_err, "User errors %d.\n", errors);
-
- VERBOSE BIO_printf(bio_err, "SRP terminating with code %d.\n", ret);
- if (tofree)
- free(tofree);
- if (ret)
- ERR_print_errors(bio_err);
- if (conf)
- NCONF_free(conf);
- if (db)
- free_index(db);
-
- OBJ_cleanup();
-
- return (ret);
-}
-
-
-
-#endif
projects / openbsd / commitdiff