1 /*
2 * Wrapper functions for OpenSSL libcrypto
3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #include <openssl/opensslv.h>
11 #include <openssl/err.h>
12 #include <openssl/des.h>
13 #include <openssl/aes.h>
14 #include <openssl/bn.h>
15 #include <openssl/evp.h>
16 #include <openssl/dh.h>
17 #include <openssl/hmac.h>
18 #include <openssl/rand.h>
19 #ifdef CONFIG_OPENSSL_CMAC
20 #include <openssl/cmac.h>
21 #endif /* CONFIG_OPENSSL_CMAC */
22 #ifdef CONFIG_ECC
23 #include <openssl/ec.h>
24 #include <openssl/x509.h>
25 #include <openssl/pem.h>
26 #endif /* CONFIG_ECC */
27 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
28 #include <openssl/provider.h>
29 #endif /* OpenSSL version >= 3.0 */
30
31 #include "common.h"
32 #include "utils/const_time.h"
33 #include "wpabuf.h"
34 #include "dh_group5.h"
35 #include "sha1.h"
36 #include "sha256.h"
37 #include "sha384.h"
38 #include "sha512.h"
39 #include "md5.h"
40 #include "aes_wrap.h"
41 #include "crypto.h"
42
43 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
44 (defined(LIBRESSL_VERSION_NUMBER) && \
45 LIBRESSL_VERSION_NUMBER < 0x20700000L)
46 /* Compatibility wrappers for older versions. */
47
HMAC_CTX_new(void)48 static HMAC_CTX * HMAC_CTX_new(void)
49 {
50 HMAC_CTX *ctx;
51
52 ctx = os_zalloc(sizeof(*ctx));
53 if (ctx)
54 HMAC_CTX_init(ctx);
55 return ctx;
56 }
57
58
HMAC_CTX_free(HMAC_CTX * ctx)59 static void HMAC_CTX_free(HMAC_CTX *ctx)
60 {
61 if (!ctx)
62 return;
63 HMAC_CTX_cleanup(ctx);
64 bin_clear_free(ctx, sizeof(*ctx));
65 }
66
67
EVP_MD_CTX_new(void)68 static EVP_MD_CTX * EVP_MD_CTX_new(void)
69 {
70 EVP_MD_CTX *ctx;
71
72 ctx = os_zalloc(sizeof(*ctx));
73 if (ctx)
74 EVP_MD_CTX_init(ctx);
75 return ctx;
76 }
77
78
EVP_MD_CTX_free(EVP_MD_CTX * ctx)79 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
80 {
81 if (!ctx)
82 return;
83 EVP_MD_CTX_cleanup(ctx);
84 bin_clear_free(ctx, sizeof(*ctx));
85 }
86
87
88 #ifdef CONFIG_ECC
89
EVP_PKEY_get0_EC_KEY(EVP_PKEY * pkey)90 static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
91 {
92 if (pkey->type != EVP_PKEY_EC)
93 return NULL;
94 return pkey->pkey.ec;
95 }
96
97
ECDSA_SIG_set0(ECDSA_SIG * sig,BIGNUM * r,BIGNUM * s)98 static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
99 {
100 sig->r = r;
101 sig->s = s;
102 return 1;
103 }
104
105
ECDSA_SIG_get0(const ECDSA_SIG * sig,const BIGNUM ** pr,const BIGNUM ** ps)106 static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,
107 const BIGNUM **ps)
108 {
109 if (pr)
110 *pr = sig->r;
111 if (ps)
112 *ps = sig->s;
113 }
114
115 #endif /* CONFIG_ECC */
116
ASN1_STRING_get0_data(const ASN1_STRING * x)117 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
118 {
119 return ASN1_STRING_data((ASN1_STRING *) x);
120 }
121 #endif /* OpenSSL version < 1.1.0 */
122
123
openssl_load_legacy_provider(void)124 void openssl_load_legacy_provider(void)
125 {
126 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
127 static bool loaded = false;
128 OSSL_PROVIDER *legacy;
129
130 if (loaded)
131 return;
132
133 legacy = OSSL_PROVIDER_load(NULL, "legacy");
134
135 if (legacy) {
136 OSSL_PROVIDER_load(NULL, "default");
137 loaded = true;
138 }
139 #endif /* OpenSSL version >= 3.0 */
140 }
141
142
get_group5_prime(void)143 static BIGNUM * get_group5_prime(void)
144 {
145 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
146 !(defined(LIBRESSL_VERSION_NUMBER) && \
147 LIBRESSL_VERSION_NUMBER < 0x20700000L)
148 return BN_get_rfc3526_prime_1536(NULL);
149 #elif !defined(OPENSSL_IS_BORINGSSL)
150 return get_rfc3526_prime_1536(NULL);
151 #else
152 static const unsigned char RFC3526_PRIME_1536[] = {
153 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
154 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
155 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
156 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
157 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
158 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
159 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
160 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
161 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
162 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
163 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
164 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
165 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
166 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
167 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
168 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
169 };
170 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
171 #endif
172 }
173
174
get_group5_order(void)175 static BIGNUM * get_group5_order(void)
176 {
177 static const unsigned char RFC3526_ORDER_1536[] = {
178 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE4,0x87,0xED,0x51,
179 0x10,0xB4,0x61,0x1A,0x62,0x63,0x31,0x45,0xC0,0x6E,0x0E,0x68,
180 0x94,0x81,0x27,0x04,0x45,0x33,0xE6,0x3A,0x01,0x05,0xDF,0x53,
181 0x1D,0x89,0xCD,0x91,0x28,0xA5,0x04,0x3C,0xC7,0x1A,0x02,0x6E,
182 0xF7,0xCA,0x8C,0xD9,0xE6,0x9D,0x21,0x8D,0x98,0x15,0x85,0x36,
183 0xF9,0x2F,0x8A,0x1B,0xA7,0xF0,0x9A,0xB6,0xB6,0xA8,0xE1,0x22,
184 0xF2,0x42,0xDA,0xBB,0x31,0x2F,0x3F,0x63,0x7A,0x26,0x21,0x74,
185 0xD3,0x1B,0xF6,0xB5,0x85,0xFF,0xAE,0x5B,0x7A,0x03,0x5B,0xF6,
186 0xF7,0x1C,0x35,0xFD,0xAD,0x44,0xCF,0xD2,0xD7,0x4F,0x92,0x08,
187 0xBE,0x25,0x8F,0xF3,0x24,0x94,0x33,0x28,0xF6,0x72,0x2D,0x9E,
188 0xE1,0x00,0x3E,0x5C,0x50,0xB1,0xDF,0x82,0xCC,0x6D,0x24,0x1B,
189 0x0E,0x2A,0xE9,0xCD,0x34,0x8B,0x1F,0xD4,0x7E,0x92,0x67,0xAF,
190 0xC1,0xB2,0xAE,0x91,0xEE,0x51,0xD6,0xCB,0x0E,0x31,0x79,0xAB,
191 0x10,0x42,0xA9,0x5D,0xCF,0x6A,0x94,0x83,0xB8,0x4B,0x4B,0x36,
192 0xB3,0x86,0x1A,0xA7,0x25,0x5E,0x4C,0x02,0x78,0xBA,0x36,0x04,
193 0x65,0x11,0xB9,0x93,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
194 };
195 return BN_bin2bn(RFC3526_ORDER_1536, sizeof(RFC3526_ORDER_1536), NULL);
196 }
197
198
199 #ifdef OPENSSL_NO_SHA256
200 #define NO_SHA256_WRAPPER
201 #endif
202 #ifdef OPENSSL_NO_SHA512
203 #define NO_SHA384_WRAPPER
204 #endif
205
openssl_digest_vector(const EVP_MD * type,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)206 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
207 const u8 *addr[], const size_t *len, u8 *mac)
208 {
209 EVP_MD_CTX *ctx;
210 size_t i;
211 unsigned int mac_len;
212
213 if (TEST_FAIL())
214 return -1;
215
216 ctx = EVP_MD_CTX_new();
217 if (!ctx)
218 return -1;
219 if (!EVP_DigestInit_ex(ctx, type, NULL)) {
220 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
221 ERR_error_string(ERR_get_error(), NULL));
222 EVP_MD_CTX_free(ctx);
223 return -1;
224 }
225 for (i = 0; i < num_elem; i++) {
226 if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
227 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
228 "failed: %s",
229 ERR_error_string(ERR_get_error(), NULL));
230 EVP_MD_CTX_free(ctx);
231 return -1;
232 }
233 }
234 if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
235 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
236 ERR_error_string(ERR_get_error(), NULL));
237 EVP_MD_CTX_free(ctx);
238 return -1;
239 }
240 EVP_MD_CTX_free(ctx);
241
242 return 0;
243 }
244
245
246 #ifndef CONFIG_FIPS
md4_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)247 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
248 {
249 openssl_load_legacy_provider();
250 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
251 }
252 #endif /* CONFIG_FIPS */
253
254
des_encrypt(const u8 * clear,const u8 * key,u8 * cypher)255 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
256 {
257 u8 pkey[8], next, tmp;
258 int i, plen, ret = -1;
259 EVP_CIPHER_CTX *ctx;
260
261 openssl_load_legacy_provider();
262
263 /* Add parity bits to the key */
264 next = 0;
265 for (i = 0; i < 7; i++) {
266 tmp = key[i];
267 pkey[i] = (tmp >> i) | next | 1;
268 next = tmp << (7 - i);
269 }
270 pkey[i] = next | 1;
271
272 ctx = EVP_CIPHER_CTX_new();
273 if (ctx &&
274 EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, pkey, NULL) == 1 &&
275 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
276 EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 &&
277 EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen) == 1)
278 ret = 0;
279 else
280 wpa_printf(MSG_ERROR, "OpenSSL: DES encrypt failed");
281
282 if (ctx)
283 EVP_CIPHER_CTX_free(ctx);
284 return ret;
285 }
286
287
288 #ifndef CONFIG_NO_RC4
rc4_skip(const u8 * key,size_t keylen,size_t skip,u8 * data,size_t data_len)289 int rc4_skip(const u8 *key, size_t keylen, size_t skip,
290 u8 *data, size_t data_len)
291 {
292 #ifdef OPENSSL_NO_RC4
293 return -1;
294 #else /* OPENSSL_NO_RC4 */
295 EVP_CIPHER_CTX *ctx;
296 int outl;
297 int res = -1;
298 unsigned char skip_buf[16];
299
300 openssl_load_legacy_provider();
301
302 ctx = EVP_CIPHER_CTX_new();
303 if (!ctx ||
304 !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
305 !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
306 !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
307 !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
308 goto out;
309
310 while (skip >= sizeof(skip_buf)) {
311 size_t len = skip;
312 if (len > sizeof(skip_buf))
313 len = sizeof(skip_buf);
314 if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
315 goto out;
316 skip -= len;
317 }
318
319 if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
320 res = 0;
321
322 out:
323 if (ctx)
324 EVP_CIPHER_CTX_free(ctx);
325 return res;
326 #endif /* OPENSSL_NO_RC4 */
327 }
328 #endif /* CONFIG_NO_RC4 */
329
330
331 #ifndef CONFIG_FIPS
md5_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)332 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
333 {
334 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
335 }
336 #endif /* CONFIG_FIPS */
337
338
sha1_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)339 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
340 {
341 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
342 }
343
344
345 #ifndef NO_SHA256_WRAPPER
sha256_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)346 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
347 u8 *mac)
348 {
349 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
350 }
351 #endif /* NO_SHA256_WRAPPER */
352
353
354 #ifndef NO_SHA384_WRAPPER
sha384_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)355 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
356 u8 *mac)
357 {
358 return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);
359 }
360 #endif /* NO_SHA384_WRAPPER */
361
362
363 #ifndef NO_SHA512_WRAPPER
sha512_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)364 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
365 u8 *mac)
366 {
367 return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
368 }
369 #endif /* NO_SHA512_WRAPPER */
370
371
aes_get_evp_cipher(size_t keylen)372 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
373 {
374 switch (keylen) {
375 case 16:
376 return EVP_aes_128_ecb();
377 case 24:
378 return EVP_aes_192_ecb();
379 case 32:
380 return EVP_aes_256_ecb();
381 }
382
383 return NULL;
384 }
385
386
aes_encrypt_init(const u8 * key,size_t len)387 void * aes_encrypt_init(const u8 *key, size_t len)
388 {
389 EVP_CIPHER_CTX *ctx;
390 const EVP_CIPHER *type;
391
392 if (TEST_FAIL())
393 return NULL;
394
395 type = aes_get_evp_cipher(len);
396 if (!type) {
397 wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
398 __func__, (unsigned int) len);
399 return NULL;
400 }
401
402 ctx = EVP_CIPHER_CTX_new();
403 if (ctx == NULL)
404 return NULL;
405 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
406 os_free(ctx);
407 return NULL;
408 }
409 EVP_CIPHER_CTX_set_padding(ctx, 0);
410 return ctx;
411 }
412
413
aes_encrypt(void * ctx,const u8 * plain,u8 * crypt)414 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
415 {
416 EVP_CIPHER_CTX *c = ctx;
417 int clen = 16;
418 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
419 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
420 ERR_error_string(ERR_get_error(), NULL));
421 return -1;
422 }
423 return 0;
424 }
425
426
aes_encrypt_deinit(void * ctx)427 void aes_encrypt_deinit(void *ctx)
428 {
429 EVP_CIPHER_CTX *c = ctx;
430 u8 buf[16];
431 int len = sizeof(buf);
432 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
433 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
434 "%s", ERR_error_string(ERR_get_error(), NULL));
435 }
436 if (len != 0) {
437 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
438 "in AES encrypt", len);
439 }
440 EVP_CIPHER_CTX_free(c);
441 }
442
443
aes_decrypt_init(const u8 * key,size_t len)444 void * aes_decrypt_init(const u8 *key, size_t len)
445 {
446 EVP_CIPHER_CTX *ctx;
447 const EVP_CIPHER *type;
448
449 if (TEST_FAIL())
450 return NULL;
451
452 type = aes_get_evp_cipher(len);
453 if (!type) {
454 wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
455 __func__, (unsigned int) len);
456 return NULL;
457 }
458
459 ctx = EVP_CIPHER_CTX_new();
460 if (ctx == NULL)
461 return NULL;
462 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
463 EVP_CIPHER_CTX_free(ctx);
464 return NULL;
465 }
466 EVP_CIPHER_CTX_set_padding(ctx, 0);
467 return ctx;
468 }
469
470
aes_decrypt(void * ctx,const u8 * crypt,u8 * plain)471 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
472 {
473 EVP_CIPHER_CTX *c = ctx;
474 int plen = 16;
475 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
476 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
477 ERR_error_string(ERR_get_error(), NULL));
478 return -1;
479 }
480 return 0;
481 }
482
483
aes_decrypt_deinit(void * ctx)484 void aes_decrypt_deinit(void *ctx)
485 {
486 EVP_CIPHER_CTX *c = ctx;
487 u8 buf[16];
488 int len = sizeof(buf);
489 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
490 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
491 "%s", ERR_error_string(ERR_get_error(), NULL));
492 }
493 if (len != 0) {
494 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
495 "in AES decrypt", len);
496 }
497 EVP_CIPHER_CTX_free(c);
498 }
499
500
501 #ifndef CONFIG_FIPS
502 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
503
aes_wrap(const u8 * kek,size_t kek_len,int n,const u8 * plain,u8 * cipher)504 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
505 {
506 AES_KEY actx;
507 int res;
508
509 if (TEST_FAIL())
510 return -1;
511 if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
512 return -1;
513 res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
514 OPENSSL_cleanse(&actx, sizeof(actx));
515 return res <= 0 ? -1 : 0;
516 }
517
518
aes_unwrap(const u8 * kek,size_t kek_len,int n,const u8 * cipher,u8 * plain)519 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
520 u8 *plain)
521 {
522 AES_KEY actx;
523 int res;
524
525 if (TEST_FAIL())
526 return -1;
527 if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
528 return -1;
529 res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
530 OPENSSL_cleanse(&actx, sizeof(actx));
531 return res <= 0 ? -1 : 0;
532 }
533
534 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
535 #endif /* CONFIG_FIPS */
536
537
aes_128_cbc_encrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)538 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
539 {
540 EVP_CIPHER_CTX *ctx;
541 int clen, len;
542 u8 buf[16];
543 int res = -1;
544
545 if (TEST_FAIL())
546 return -1;
547
548 ctx = EVP_CIPHER_CTX_new();
549 if (!ctx)
550 return -1;
551 clen = data_len;
552 len = sizeof(buf);
553 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
554 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
555 EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
556 clen == (int) data_len &&
557 EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
558 res = 0;
559 EVP_CIPHER_CTX_free(ctx);
560
561 return res;
562 }
563
564
aes_128_cbc_decrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)565 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
566 {
567 EVP_CIPHER_CTX *ctx;
568 int plen, len;
569 u8 buf[16];
570 int res = -1;
571
572 if (TEST_FAIL())
573 return -1;
574
575 ctx = EVP_CIPHER_CTX_new();
576 if (!ctx)
577 return -1;
578 plen = data_len;
579 len = sizeof(buf);
580 if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
581 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
582 EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
583 plen == (int) data_len &&
584 EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
585 res = 0;
586 EVP_CIPHER_CTX_free(ctx);
587
588 return res;
589
590 }
591
592
crypto_dh_init(u8 generator,const u8 * prime,size_t prime_len,u8 * privkey,u8 * pubkey)593 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
594 u8 *pubkey)
595 {
596 size_t pubkey_len, pad;
597
598 if (os_get_random(privkey, prime_len) < 0)
599 return -1;
600 if (os_memcmp(privkey, prime, prime_len) > 0) {
601 /* Make sure private value is smaller than prime */
602 privkey[0] = 0;
603 }
604
605 pubkey_len = prime_len;
606 if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
607 pubkey, &pubkey_len) < 0)
608 return -1;
609 if (pubkey_len < prime_len) {
610 pad = prime_len - pubkey_len;
611 os_memmove(pubkey + pad, pubkey, pubkey_len);
612 os_memset(pubkey, 0, pad);
613 }
614
615 return 0;
616 }
617
618
crypto_dh_derive_secret(u8 generator,const u8 * prime,size_t prime_len,const u8 * order,size_t order_len,const u8 * privkey,size_t privkey_len,const u8 * pubkey,size_t pubkey_len,u8 * secret,size_t * len)619 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
620 const u8 *order, size_t order_len,
621 const u8 *privkey, size_t privkey_len,
622 const u8 *pubkey, size_t pubkey_len,
623 u8 *secret, size_t *len)
624 {
625 BIGNUM *pub, *p;
626 int res = -1;
627
628 pub = BN_bin2bn(pubkey, pubkey_len, NULL);
629 p = BN_bin2bn(prime, prime_len, NULL);
630 if (!pub || !p || BN_is_zero(pub) || BN_is_one(pub) ||
631 BN_cmp(pub, p) >= 0)
632 goto fail;
633
634 if (order) {
635 BN_CTX *ctx;
636 BIGNUM *q, *tmp;
637 int failed;
638
639 /* verify: pubkey^q == 1 mod p */
640 q = BN_bin2bn(order, order_len, NULL);
641 ctx = BN_CTX_new();
642 tmp = BN_new();
643 failed = !q || !ctx || !tmp ||
644 !BN_mod_exp(tmp, pub, q, p, ctx) ||
645 !BN_is_one(tmp);
646 BN_clear_free(q);
647 BN_clear_free(tmp);
648 BN_CTX_free(ctx);
649 if (failed)
650 goto fail;
651 }
652
653 res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,
654 prime, prime_len, secret, len);
655 fail:
656 BN_clear_free(pub);
657 BN_clear_free(p);
658 return res;
659 }
660
661
crypto_mod_exp(const u8 * base,size_t base_len,const u8 * power,size_t power_len,const u8 * modulus,size_t modulus_len,u8 * result,size_t * result_len)662 int crypto_mod_exp(const u8 *base, size_t base_len,
663 const u8 *power, size_t power_len,
664 const u8 *modulus, size_t modulus_len,
665 u8 *result, size_t *result_len)
666 {
667 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
668 int ret = -1;
669 BN_CTX *ctx;
670
671 ctx = BN_CTX_new();
672 if (ctx == NULL)
673 return -1;
674
675 bn_base = BN_bin2bn(base, base_len, NULL);
676 bn_exp = BN_bin2bn(power, power_len, NULL);
677 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
678 bn_result = BN_new();
679
680 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
681 bn_result == NULL)
682 goto error;
683
684 if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
685 ctx, NULL) != 1)
686 goto error;
687
688 *result_len = BN_bn2bin(bn_result, result);
689 ret = 0;
690
691 error:
692 BN_clear_free(bn_base);
693 BN_clear_free(bn_exp);
694 BN_clear_free(bn_modulus);
695 BN_clear_free(bn_result);
696 BN_CTX_free(ctx);
697 return ret;
698 }
699
700
701 struct crypto_cipher {
702 EVP_CIPHER_CTX *enc;
703 EVP_CIPHER_CTX *dec;
704 };
705
706
crypto_cipher_init(enum crypto_cipher_alg alg,const u8 * iv,const u8 * key,size_t key_len)707 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
708 const u8 *iv, const u8 *key,
709 size_t key_len)
710 {
711 struct crypto_cipher *ctx;
712 const EVP_CIPHER *cipher;
713
714 ctx = os_zalloc(sizeof(*ctx));
715 if (ctx == NULL)
716 return NULL;
717
718 switch (alg) {
719 #ifndef CONFIG_NO_RC4
720 #ifndef OPENSSL_NO_RC4
721 case CRYPTO_CIPHER_ALG_RC4:
722 cipher = EVP_rc4();
723 break;
724 #endif /* OPENSSL_NO_RC4 */
725 #endif /* CONFIG_NO_RC4 */
726 #ifndef OPENSSL_NO_AES
727 case CRYPTO_CIPHER_ALG_AES:
728 switch (key_len) {
729 case 16:
730 cipher = EVP_aes_128_cbc();
731 break;
732 #ifndef OPENSSL_IS_BORINGSSL
733 case 24:
734 cipher = EVP_aes_192_cbc();
735 break;
736 #endif /* OPENSSL_IS_BORINGSSL */
737 case 32:
738 cipher = EVP_aes_256_cbc();
739 break;
740 default:
741 os_free(ctx);
742 return NULL;
743 }
744 break;
745 #endif /* OPENSSL_NO_AES */
746 #ifndef OPENSSL_NO_DES
747 case CRYPTO_CIPHER_ALG_3DES:
748 cipher = EVP_des_ede3_cbc();
749 break;
750 case CRYPTO_CIPHER_ALG_DES:
751 cipher = EVP_des_cbc();
752 break;
753 #endif /* OPENSSL_NO_DES */
754 #ifndef OPENSSL_NO_RC2
755 case CRYPTO_CIPHER_ALG_RC2:
756 cipher = EVP_rc2_ecb();
757 break;
758 #endif /* OPENSSL_NO_RC2 */
759 default:
760 os_free(ctx);
761 return NULL;
762 }
763
764 if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
765 !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
766 !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
767 !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
768 !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
769 if (ctx->enc)
770 EVP_CIPHER_CTX_free(ctx->enc);
771 os_free(ctx);
772 return NULL;
773 }
774
775 if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
776 !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
777 !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
778 !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
779 !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
780 EVP_CIPHER_CTX_free(ctx->enc);
781 if (ctx->dec)
782 EVP_CIPHER_CTX_free(ctx->dec);
783 os_free(ctx);
784 return NULL;
785 }
786
787 return ctx;
788 }
789
790
crypto_cipher_encrypt(struct crypto_cipher * ctx,const u8 * plain,u8 * crypt,size_t len)791 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
792 u8 *crypt, size_t len)
793 {
794 int outl;
795 if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
796 return -1;
797 return 0;
798 }
799
800
crypto_cipher_decrypt(struct crypto_cipher * ctx,const u8 * crypt,u8 * plain,size_t len)801 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
802 u8 *plain, size_t len)
803 {
804 int outl;
805 outl = len;
806 if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
807 return -1;
808 return 0;
809 }
810
811
crypto_cipher_deinit(struct crypto_cipher * ctx)812 void crypto_cipher_deinit(struct crypto_cipher *ctx)
813 {
814 EVP_CIPHER_CTX_free(ctx->enc);
815 EVP_CIPHER_CTX_free(ctx->dec);
816 os_free(ctx);
817 }
818
819
dh5_init(struct wpabuf ** priv,struct wpabuf ** publ)820 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
821 {
822 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
823 (defined(LIBRESSL_VERSION_NUMBER) && \
824 LIBRESSL_VERSION_NUMBER < 0x20700000L)
825 DH *dh;
826 struct wpabuf *pubkey = NULL, *privkey = NULL;
827 size_t publen, privlen;
828
829 *priv = NULL;
830 wpabuf_free(*publ);
831 *publ = NULL;
832
833 dh = DH_new();
834 if (dh == NULL)
835 return NULL;
836
837 dh->g = BN_new();
838 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
839 goto err;
840
841 dh->p = get_group5_prime();
842 if (dh->p == NULL)
843 goto err;
844
845 dh->q = get_group5_order();
846 if (!dh->q)
847 goto err;
848
849 if (DH_generate_key(dh) != 1)
850 goto err;
851
852 publen = BN_num_bytes(dh->pub_key);
853 pubkey = wpabuf_alloc(publen);
854 if (pubkey == NULL)
855 goto err;
856 privlen = BN_num_bytes(dh->priv_key);
857 privkey = wpabuf_alloc(privlen);
858 if (privkey == NULL)
859 goto err;
860
861 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
862 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
863
864 *priv = privkey;
865 *publ = pubkey;
866 return dh;
867
868 err:
869 wpabuf_clear_free(pubkey);
870 wpabuf_clear_free(privkey);
871 DH_free(dh);
872 return NULL;
873 #else
874 DH *dh;
875 struct wpabuf *pubkey = NULL, *privkey = NULL;
876 size_t publen, privlen;
877 BIGNUM *p, *g, *q;
878 const BIGNUM *priv_key = NULL, *pub_key = NULL;
879
880 *priv = NULL;
881 wpabuf_free(*publ);
882 *publ = NULL;
883
884 dh = DH_new();
885 if (dh == NULL)
886 return NULL;
887
888 g = BN_new();
889 p = get_group5_prime();
890 q = get_group5_order();
891 if (!g || BN_set_word(g, 2) != 1 || !p || !q ||
892 DH_set0_pqg(dh, p, q, g) != 1)
893 goto err;
894 p = NULL;
895 q = NULL;
896 g = NULL;
897
898 if (DH_generate_key(dh) != 1)
899 goto err;
900
901 DH_get0_key(dh, &pub_key, &priv_key);
902 publen = BN_num_bytes(pub_key);
903 pubkey = wpabuf_alloc(publen);
904 if (!pubkey)
905 goto err;
906 privlen = BN_num_bytes(priv_key);
907 privkey = wpabuf_alloc(privlen);
908 if (!privkey)
909 goto err;
910
911 BN_bn2bin(pub_key, wpabuf_put(pubkey, publen));
912 BN_bn2bin(priv_key, wpabuf_put(privkey, privlen));
913
914 *priv = privkey;
915 *publ = pubkey;
916 return dh;
917
918 err:
919 BN_free(p);
920 BN_free(q);
921 BN_free(g);
922 wpabuf_clear_free(pubkey);
923 wpabuf_clear_free(privkey);
924 DH_free(dh);
925 return NULL;
926 #endif
927 }
928
929
dh5_init_fixed(const struct wpabuf * priv,const struct wpabuf * publ)930 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
931 {
932 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
933 (defined(LIBRESSL_VERSION_NUMBER) && \
934 LIBRESSL_VERSION_NUMBER < 0x20700000L)
935 DH *dh;
936
937 dh = DH_new();
938 if (dh == NULL)
939 return NULL;
940
941 dh->g = BN_new();
942 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
943 goto err;
944
945 dh->p = get_group5_prime();
946 if (dh->p == NULL)
947 goto err;
948
949 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
950 if (dh->priv_key == NULL)
951 goto err;
952
953 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
954 if (dh->pub_key == NULL)
955 goto err;
956
957 if (DH_generate_key(dh) != 1)
958 goto err;
959
960 return dh;
961
962 err:
963 DH_free(dh);
964 return NULL;
965 #else
966 DH *dh;
967 BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL;
968
969 dh = DH_new();
970 if (dh == NULL)
971 return NULL;
972
973 g = BN_new();
974 p = get_group5_prime();
975 if (!g || BN_set_word(g, 2) != 1 || !p ||
976 DH_set0_pqg(dh, p, NULL, g) != 1)
977 goto err;
978 p = NULL;
979 g = NULL;
980
981 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
982 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
983 if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1)
984 goto err;
985 pub_key = NULL;
986 priv_key = NULL;
987
988 if (DH_generate_key(dh) != 1)
989 goto err;
990
991 return dh;
992
993 err:
994 BN_free(p);
995 BN_free(g);
996 BN_free(pub_key);
997 BN_clear_free(priv_key);
998 DH_free(dh);
999 return NULL;
1000 #endif
1001 }
1002
1003
dh5_derive_shared(void * ctx,const struct wpabuf * peer_public,const struct wpabuf * own_private)1004 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
1005 const struct wpabuf *own_private)
1006 {
1007 BIGNUM *pub_key;
1008 struct wpabuf *res = NULL;
1009 size_t rlen;
1010 DH *dh = ctx;
1011 int keylen;
1012
1013 if (ctx == NULL)
1014 return NULL;
1015
1016 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
1017 NULL);
1018 if (pub_key == NULL)
1019 return NULL;
1020
1021 rlen = DH_size(dh);
1022 res = wpabuf_alloc(rlen);
1023 if (res == NULL)
1024 goto err;
1025
1026 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
1027 if (keylen < 0)
1028 goto err;
1029 wpabuf_put(res, keylen);
1030 BN_clear_free(pub_key);
1031
1032 return res;
1033
1034 err:
1035 BN_clear_free(pub_key);
1036 wpabuf_clear_free(res);
1037 return NULL;
1038 }
1039
1040
dh5_free(void * ctx)1041 void dh5_free(void *ctx)
1042 {
1043 DH *dh;
1044 if (ctx == NULL)
1045 return;
1046 dh = ctx;
1047 DH_free(dh);
1048 }
1049
1050
1051 struct crypto_hash {
1052 HMAC_CTX *ctx;
1053 };
1054
1055
crypto_hash_init(enum crypto_hash_alg alg,const u8 * key,size_t key_len)1056 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
1057 size_t key_len)
1058 {
1059 struct crypto_hash *ctx;
1060 const EVP_MD *md;
1061
1062 switch (alg) {
1063 #ifndef OPENSSL_NO_MD5
1064 case CRYPTO_HASH_ALG_HMAC_MD5:
1065 md = EVP_md5();
1066 break;
1067 #endif /* OPENSSL_NO_MD5 */
1068 #ifndef OPENSSL_NO_SHA
1069 case CRYPTO_HASH_ALG_HMAC_SHA1:
1070 md = EVP_sha1();
1071 break;
1072 #endif /* OPENSSL_NO_SHA */
1073 #ifndef OPENSSL_NO_SHA256
1074 #ifdef CONFIG_SHA256
1075 case CRYPTO_HASH_ALG_HMAC_SHA256:
1076 md = EVP_sha256();
1077 break;
1078 #endif /* CONFIG_SHA256 */
1079 #endif /* OPENSSL_NO_SHA256 */
1080 default:
1081 return NULL;
1082 }
1083
1084 ctx = os_zalloc(sizeof(*ctx));
1085 if (ctx == NULL)
1086 return NULL;
1087 ctx->ctx = HMAC_CTX_new();
1088 if (!ctx->ctx) {
1089 os_free(ctx);
1090 return NULL;
1091 }
1092
1093 if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
1094 HMAC_CTX_free(ctx->ctx);
1095 bin_clear_free(ctx, sizeof(*ctx));
1096 return NULL;
1097 }
1098
1099 return ctx;
1100 }
1101
1102
crypto_hash_update(struct crypto_hash * ctx,const u8 * data,size_t len)1103 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
1104 {
1105 if (ctx == NULL)
1106 return;
1107 HMAC_Update(ctx->ctx, data, len);
1108 }
1109
1110
crypto_hash_finish(struct crypto_hash * ctx,u8 * mac,size_t * len)1111 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
1112 {
1113 unsigned int mdlen;
1114 int res;
1115
1116 if (ctx == NULL)
1117 return -2;
1118
1119 if (mac == NULL || len == NULL) {
1120 HMAC_CTX_free(ctx->ctx);
1121 bin_clear_free(ctx, sizeof(*ctx));
1122 return 0;
1123 }
1124
1125 mdlen = *len;
1126 res = HMAC_Final(ctx->ctx, mac, &mdlen);
1127 HMAC_CTX_free(ctx->ctx);
1128 bin_clear_free(ctx, sizeof(*ctx));
1129
1130 if (TEST_FAIL())
1131 return -1;
1132
1133 if (res == 1) {
1134 *len = mdlen;
1135 return 0;
1136 }
1137
1138 return -1;
1139 }
1140
1141
openssl_hmac_vector(const EVP_MD * type,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac,unsigned int mdlen)1142 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
1143 size_t key_len, size_t num_elem,
1144 const u8 *addr[], const size_t *len, u8 *mac,
1145 unsigned int mdlen)
1146 {
1147 HMAC_CTX *ctx;
1148 size_t i;
1149 int res;
1150
1151 if (TEST_FAIL())
1152 return -1;
1153
1154 ctx = HMAC_CTX_new();
1155 if (!ctx)
1156 return -1;
1157 res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
1158 if (res != 1)
1159 goto done;
1160
1161 for (i = 0; i < num_elem; i++)
1162 HMAC_Update(ctx, addr[i], len[i]);
1163
1164 res = HMAC_Final(ctx, mac, &mdlen);
1165 done:
1166 HMAC_CTX_free(ctx);
1167
1168 return res == 1 ? 0 : -1;
1169 }
1170
1171
1172 #ifndef CONFIG_FIPS
1173
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1174 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
1175 const u8 *addr[], const size_t *len, u8 *mac)
1176 {
1177 return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
1178 mac, 16);
1179 }
1180
1181
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1182 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1183 u8 *mac)
1184 {
1185 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
1186 }
1187
1188 #endif /* CONFIG_FIPS */
1189
1190
pbkdf2_sha1(const char * passphrase,const u8 * ssid,size_t ssid_len,int iterations,u8 * buf,size_t buflen)1191 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
1192 int iterations, u8 *buf, size_t buflen)
1193 {
1194 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
1195 ssid_len, iterations, buflen, buf) != 1)
1196 return -1;
1197 return 0;
1198 }
1199
1200
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1201 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
1202 const u8 *addr[], const size_t *len, u8 *mac)
1203 {
1204 return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
1205 len, mac, 20);
1206 }
1207
1208
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1209 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1210 u8 *mac)
1211 {
1212 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
1213 }
1214
1215
1216 #ifdef CONFIG_SHA256
1217
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1218 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
1219 const u8 *addr[], const size_t *len, u8 *mac)
1220 {
1221 return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
1222 len, mac, 32);
1223 }
1224
1225
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1226 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
1227 size_t data_len, u8 *mac)
1228 {
1229 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
1230 }
1231
1232 #endif /* CONFIG_SHA256 */
1233
1234
1235 #ifdef CONFIG_SHA384
1236
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1237 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
1238 const u8 *addr[], const size_t *len, u8 *mac)
1239 {
1240 return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
1241 len, mac, 48);
1242 }
1243
1244
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1245 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
1246 size_t data_len, u8 *mac)
1247 {
1248 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
1249 }
1250
1251 #endif /* CONFIG_SHA384 */
1252
1253
1254 #ifdef CONFIG_SHA512
1255
hmac_sha512_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1256 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
1257 const u8 *addr[], const size_t *len, u8 *mac)
1258 {
1259 return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
1260 len, mac, 64);
1261 }
1262
1263
hmac_sha512(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1264 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
1265 size_t data_len, u8 *mac)
1266 {
1267 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
1268 }
1269
1270 #endif /* CONFIG_SHA512 */
1271
1272
crypto_get_random(void * buf,size_t len)1273 int crypto_get_random(void *buf, size_t len)
1274 {
1275 if (RAND_bytes(buf, len) != 1)
1276 return -1;
1277 return 0;
1278 }
1279
1280
1281 #ifdef CONFIG_OPENSSL_CMAC
omac1_aes_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1282 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
1283 const u8 *addr[], const size_t *len, u8 *mac)
1284 {
1285 CMAC_CTX *ctx;
1286 int ret = -1;
1287 size_t outlen, i;
1288
1289 if (TEST_FAIL())
1290 return -1;
1291
1292 ctx = CMAC_CTX_new();
1293 if (ctx == NULL)
1294 return -1;
1295
1296 if (key_len == 32) {
1297 if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
1298 goto fail;
1299 } else if (key_len == 16) {
1300 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
1301 goto fail;
1302 } else {
1303 goto fail;
1304 }
1305 for (i = 0; i < num_elem; i++) {
1306 if (!CMAC_Update(ctx, addr[i], len[i]))
1307 goto fail;
1308 }
1309 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
1310 goto fail;
1311
1312 ret = 0;
1313 fail:
1314 CMAC_CTX_free(ctx);
1315 return ret;
1316 }
1317
1318
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1319 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
1320 const u8 *addr[], const size_t *len, u8 *mac)
1321 {
1322 return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
1323 }
1324
1325
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1326 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1327 {
1328 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
1329 }
1330
1331
omac1_aes_256(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1332 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1333 {
1334 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
1335 }
1336 #endif /* CONFIG_OPENSSL_CMAC */
1337
1338
crypto_bignum_init(void)1339 struct crypto_bignum * crypto_bignum_init(void)
1340 {
1341 if (TEST_FAIL())
1342 return NULL;
1343 return (struct crypto_bignum *) BN_new();
1344 }
1345
1346
crypto_bignum_init_set(const u8 * buf,size_t len)1347 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
1348 {
1349 BIGNUM *bn;
1350
1351 if (TEST_FAIL())
1352 return NULL;
1353
1354 bn = BN_bin2bn(buf, len, NULL);
1355 return (struct crypto_bignum *) bn;
1356 }
1357
1358
crypto_bignum_init_uint(unsigned int val)1359 struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
1360 {
1361 BIGNUM *bn;
1362
1363 if (TEST_FAIL())
1364 return NULL;
1365
1366 bn = BN_new();
1367 if (!bn)
1368 return NULL;
1369 if (BN_set_word(bn, val) != 1) {
1370 BN_free(bn);
1371 return NULL;
1372 }
1373 return (struct crypto_bignum *) bn;
1374 }
1375
1376
crypto_bignum_deinit(struct crypto_bignum * n,int clear)1377 void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
1378 {
1379 if (clear)
1380 BN_clear_free((BIGNUM *) n);
1381 else
1382 BN_free((BIGNUM *) n);
1383 }
1384
1385
crypto_bignum_to_bin(const struct crypto_bignum * a,u8 * buf,size_t buflen,size_t padlen)1386 int crypto_bignum_to_bin(const struct crypto_bignum *a,
1387 u8 *buf, size_t buflen, size_t padlen)
1388 {
1389 int num_bytes, offset;
1390
1391 if (TEST_FAIL())
1392 return -1;
1393
1394 if (padlen > buflen)
1395 return -1;
1396
1397 if (padlen) {
1398 #ifdef OPENSSL_IS_BORINGSSL
1399 if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
1400 return -1;
1401 return padlen;
1402 #else /* OPENSSL_IS_BORINGSSL */
1403 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
1404 return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
1405 #endif
1406 #endif
1407 }
1408
1409 num_bytes = BN_num_bytes((const BIGNUM *) a);
1410 if ((size_t) num_bytes > buflen)
1411 return -1;
1412 if (padlen > (size_t) num_bytes)
1413 offset = padlen - num_bytes;
1414 else
1415 offset = 0;
1416
1417 os_memset(buf, 0, offset);
1418 BN_bn2bin((const BIGNUM *) a, buf + offset);
1419
1420 return num_bytes + offset;
1421 }
1422
1423
crypto_bignum_rand(struct crypto_bignum * r,const struct crypto_bignum * m)1424 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
1425 {
1426 if (TEST_FAIL())
1427 return -1;
1428 return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1;
1429 }
1430
1431
crypto_bignum_add(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1432 int crypto_bignum_add(const struct crypto_bignum *a,
1433 const struct crypto_bignum *b,
1434 struct crypto_bignum *c)
1435 {
1436 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1437 0 : -1;
1438 }
1439
1440
crypto_bignum_mod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1441 int crypto_bignum_mod(const struct crypto_bignum *a,
1442 const struct crypto_bignum *b,
1443 struct crypto_bignum *c)
1444 {
1445 int res;
1446 BN_CTX *bnctx;
1447
1448 bnctx = BN_CTX_new();
1449 if (bnctx == NULL)
1450 return -1;
1451 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1452 bnctx);
1453 BN_CTX_free(bnctx);
1454
1455 return res ? 0 : -1;
1456 }
1457
1458
crypto_bignum_exptmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1459 int crypto_bignum_exptmod(const struct crypto_bignum *a,
1460 const struct crypto_bignum *b,
1461 const struct crypto_bignum *c,
1462 struct crypto_bignum *d)
1463 {
1464 int res;
1465 BN_CTX *bnctx;
1466
1467 if (TEST_FAIL())
1468 return -1;
1469
1470 bnctx = BN_CTX_new();
1471 if (bnctx == NULL)
1472 return -1;
1473 res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
1474 (const BIGNUM *) b, (const BIGNUM *) c,
1475 bnctx, NULL);
1476 BN_CTX_free(bnctx);
1477
1478 return res ? 0 : -1;
1479 }
1480
1481
crypto_bignum_inverse(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1482 int crypto_bignum_inverse(const struct crypto_bignum *a,
1483 const struct crypto_bignum *b,
1484 struct crypto_bignum *c)
1485 {
1486 BIGNUM *res;
1487 BN_CTX *bnctx;
1488
1489 if (TEST_FAIL())
1490 return -1;
1491 bnctx = BN_CTX_new();
1492 if (bnctx == NULL)
1493 return -1;
1494 #ifdef OPENSSL_IS_BORINGSSL
1495 /* TODO: use BN_mod_inverse_blinded() ? */
1496 #else /* OPENSSL_IS_BORINGSSL */
1497 BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
1498 #endif /* OPENSSL_IS_BORINGSSL */
1499 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
1500 (const BIGNUM *) b, bnctx);
1501 BN_CTX_free(bnctx);
1502
1503 return res ? 0 : -1;
1504 }
1505
1506
crypto_bignum_sub(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1507 int crypto_bignum_sub(const struct crypto_bignum *a,
1508 const struct crypto_bignum *b,
1509 struct crypto_bignum *c)
1510 {
1511 if (TEST_FAIL())
1512 return -1;
1513 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1514 0 : -1;
1515 }
1516
1517
crypto_bignum_div(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1518 int crypto_bignum_div(const struct crypto_bignum *a,
1519 const struct crypto_bignum *b,
1520 struct crypto_bignum *c)
1521 {
1522 int res;
1523
1524 BN_CTX *bnctx;
1525
1526 if (TEST_FAIL())
1527 return -1;
1528
1529 bnctx = BN_CTX_new();
1530 if (bnctx == NULL)
1531 return -1;
1532 #ifndef OPENSSL_IS_BORINGSSL
1533 BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
1534 #endif /* OPENSSL_IS_BORINGSSL */
1535 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
1536 (const BIGNUM *) b, bnctx);
1537 BN_CTX_free(bnctx);
1538
1539 return res ? 0 : -1;
1540 }
1541
1542
crypto_bignum_addmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1543 int crypto_bignum_addmod(const struct crypto_bignum *a,
1544 const struct crypto_bignum *b,
1545 const struct crypto_bignum *c,
1546 struct crypto_bignum *d)
1547 {
1548 int res;
1549 BN_CTX *bnctx;
1550
1551 if (TEST_FAIL())
1552 return -1;
1553
1554 bnctx = BN_CTX_new();
1555 if (!bnctx)
1556 return -1;
1557 res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1558 (const BIGNUM *) c, bnctx);
1559 BN_CTX_free(bnctx);
1560
1561 return res ? 0 : -1;
1562 }
1563
1564
crypto_bignum_mulmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1565 int crypto_bignum_mulmod(const struct crypto_bignum *a,
1566 const struct crypto_bignum *b,
1567 const struct crypto_bignum *c,
1568 struct crypto_bignum *d)
1569 {
1570 int res;
1571
1572 BN_CTX *bnctx;
1573
1574 if (TEST_FAIL())
1575 return -1;
1576
1577 bnctx = BN_CTX_new();
1578 if (bnctx == NULL)
1579 return -1;
1580 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1581 (const BIGNUM *) c, bnctx);
1582 BN_CTX_free(bnctx);
1583
1584 return res ? 0 : -1;
1585 }
1586
1587
crypto_bignum_sqrmod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1588 int crypto_bignum_sqrmod(const struct crypto_bignum *a,
1589 const struct crypto_bignum *b,
1590 struct crypto_bignum *c)
1591 {
1592 int res;
1593 BN_CTX *bnctx;
1594
1595 if (TEST_FAIL())
1596 return -1;
1597
1598 bnctx = BN_CTX_new();
1599 if (!bnctx)
1600 return -1;
1601 res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1602 bnctx);
1603 BN_CTX_free(bnctx);
1604
1605 return res ? 0 : -1;
1606 }
1607
1608
crypto_bignum_sqrtmod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1609 int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
1610 const struct crypto_bignum *b,
1611 struct crypto_bignum *c)
1612 {
1613 BN_CTX *bnctx;
1614 BIGNUM *res;
1615
1616 if (TEST_FAIL())
1617 return -1;
1618
1619 bnctx = BN_CTX_new();
1620 if (!bnctx)
1621 return -1;
1622 res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1623 bnctx);
1624 BN_CTX_free(bnctx);
1625
1626 return res ? 0 : -1;
1627 }
1628
1629
crypto_bignum_rshift(const struct crypto_bignum * a,int n,struct crypto_bignum * r)1630 int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
1631 struct crypto_bignum *r)
1632 {
1633 /* Note: BN_rshift() does not modify the first argument even though it
1634 * has not been marked const. */
1635 return BN_rshift((BIGNUM *) a, (BIGNUM *) r, n) == 1 ? 0 : -1;
1636 }
1637
1638
crypto_bignum_cmp(const struct crypto_bignum * a,const struct crypto_bignum * b)1639 int crypto_bignum_cmp(const struct crypto_bignum *a,
1640 const struct crypto_bignum *b)
1641 {
1642 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
1643 }
1644
1645
crypto_bignum_is_zero(const struct crypto_bignum * a)1646 int crypto_bignum_is_zero(const struct crypto_bignum *a)
1647 {
1648 return BN_is_zero((const BIGNUM *) a);
1649 }
1650
1651
crypto_bignum_is_one(const struct crypto_bignum * a)1652 int crypto_bignum_is_one(const struct crypto_bignum *a)
1653 {
1654 return BN_is_one((const BIGNUM *) a);
1655 }
1656
1657
crypto_bignum_is_odd(const struct crypto_bignum * a)1658 int crypto_bignum_is_odd(const struct crypto_bignum *a)
1659 {
1660 return BN_is_odd((const BIGNUM *) a);
1661 }
1662
1663
crypto_bignum_legendre(const struct crypto_bignum * a,const struct crypto_bignum * p)1664 int crypto_bignum_legendre(const struct crypto_bignum *a,
1665 const struct crypto_bignum *p)
1666 {
1667 BN_CTX *bnctx;
1668 BIGNUM *exp = NULL, *tmp = NULL;
1669 int res = -2;
1670 unsigned int mask;
1671
1672 if (TEST_FAIL())
1673 return -2;
1674
1675 bnctx = BN_CTX_new();
1676 if (bnctx == NULL)
1677 return -2;
1678
1679 exp = BN_new();
1680 tmp = BN_new();
1681 if (!exp || !tmp ||
1682 /* exp = (p-1) / 2 */
1683 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
1684 !BN_rshift1(exp, exp) ||
1685 !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
1686 (const BIGNUM *) p, bnctx, NULL))
1687 goto fail;
1688
1689 /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
1690 * constant time selection to avoid branches here. */
1691 res = -1;
1692 mask = const_time_eq(BN_is_word(tmp, 1), 1);
1693 res = const_time_select_int(mask, 1, res);
1694 mask = const_time_eq(BN_is_zero(tmp), 1);
1695 res = const_time_select_int(mask, 0, res);
1696
1697 fail:
1698 BN_clear_free(tmp);
1699 BN_clear_free(exp);
1700 BN_CTX_free(bnctx);
1701 return res;
1702 }
1703
1704
1705 #ifdef CONFIG_ECC
1706
1707 struct crypto_ec {
1708 EC_GROUP *group;
1709 int nid;
1710 BN_CTX *bnctx;
1711 BIGNUM *prime;
1712 BIGNUM *order;
1713 BIGNUM *a;
1714 BIGNUM *b;
1715 };
1716
1717
crypto_ec_group_2_nid(int group)1718 static int crypto_ec_group_2_nid(int group)
1719 {
1720 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */
1721 switch (group) {
1722 case 19:
1723 return NID_X9_62_prime256v1;
1724 case 20:
1725 return NID_secp384r1;
1726 case 21:
1727 return NID_secp521r1;
1728 case 25:
1729 return NID_X9_62_prime192v1;
1730 case 26:
1731 return NID_secp224r1;
1732 #ifdef NID_brainpoolP224r1
1733 case 27:
1734 return NID_brainpoolP224r1;
1735 #endif /* NID_brainpoolP224r1 */
1736 #ifdef NID_brainpoolP256r1
1737 case 28:
1738 return NID_brainpoolP256r1;
1739 #endif /* NID_brainpoolP256r1 */
1740 #ifdef NID_brainpoolP384r1
1741 case 29:
1742 return NID_brainpoolP384r1;
1743 #endif /* NID_brainpoolP384r1 */
1744 #ifdef NID_brainpoolP512r1
1745 case 30:
1746 return NID_brainpoolP512r1;
1747 #endif /* NID_brainpoolP512r1 */
1748 default:
1749 return -1;
1750 }
1751 }
1752
1753
crypto_ec_init(int group)1754 struct crypto_ec * crypto_ec_init(int group)
1755 {
1756 struct crypto_ec *e;
1757 int nid;
1758
1759 nid = crypto_ec_group_2_nid(group);
1760 if (nid < 0)
1761 return NULL;
1762
1763 e = os_zalloc(sizeof(*e));
1764 if (e == NULL)
1765 return NULL;
1766
1767 e->nid = nid;
1768 e->bnctx = BN_CTX_new();
1769 e->group = EC_GROUP_new_by_curve_name(nid);
1770 e->prime = BN_new();
1771 e->order = BN_new();
1772 e->a = BN_new();
1773 e->b = BN_new();
1774 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
1775 e->order == NULL || e->a == NULL || e->b == NULL ||
1776 !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) ||
1777 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
1778 crypto_ec_deinit(e);
1779 e = NULL;
1780 }
1781
1782 return e;
1783 }
1784
1785
crypto_ec_deinit(struct crypto_ec * e)1786 void crypto_ec_deinit(struct crypto_ec *e)
1787 {
1788 if (e == NULL)
1789 return;
1790 BN_clear_free(e->b);
1791 BN_clear_free(e->a);
1792 BN_clear_free(e->order);
1793 BN_clear_free(e->prime);
1794 EC_GROUP_free(e->group);
1795 BN_CTX_free(e->bnctx);
1796 os_free(e);
1797 }
1798
1799
crypto_ec_point_init(struct crypto_ec * e)1800 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
1801 {
1802 if (TEST_FAIL())
1803 return NULL;
1804 if (e == NULL)
1805 return NULL;
1806 return (struct crypto_ec_point *) EC_POINT_new(e->group);
1807 }
1808
1809
crypto_ec_prime_len(struct crypto_ec * e)1810 size_t crypto_ec_prime_len(struct crypto_ec *e)
1811 {
1812 return BN_num_bytes(e->prime);
1813 }
1814
1815
crypto_ec_prime_len_bits(struct crypto_ec * e)1816 size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
1817 {
1818 return BN_num_bits(e->prime);
1819 }
1820
1821
crypto_ec_order_len(struct crypto_ec * e)1822 size_t crypto_ec_order_len(struct crypto_ec *e)
1823 {
1824 return BN_num_bytes(e->order);
1825 }
1826
1827
crypto_ec_get_prime(struct crypto_ec * e)1828 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
1829 {
1830 return (const struct crypto_bignum *) e->prime;
1831 }
1832
1833
crypto_ec_get_order(struct crypto_ec * e)1834 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
1835 {
1836 return (const struct crypto_bignum *) e->order;
1837 }
1838
1839
crypto_ec_get_a(struct crypto_ec * e)1840 const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
1841 {
1842 return (const struct crypto_bignum *) e->a;
1843 }
1844
1845
crypto_ec_get_b(struct crypto_ec * e)1846 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
1847 {
1848 return (const struct crypto_bignum *) e->b;
1849 }
1850
1851
crypto_ec_get_generator(struct crypto_ec * e)1852 const struct crypto_ec_point * crypto_ec_get_generator(struct crypto_ec *e)
1853 {
1854 return (const struct crypto_ec_point *)
1855 EC_GROUP_get0_generator(e->group);
1856 }
1857
1858
crypto_ec_point_deinit(struct crypto_ec_point * p,int clear)1859 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
1860 {
1861 if (clear)
1862 EC_POINT_clear_free((EC_POINT *) p);
1863 else
1864 EC_POINT_free((EC_POINT *) p);
1865 }
1866
1867
crypto_ec_point_x(struct crypto_ec * e,const struct crypto_ec_point * p,struct crypto_bignum * x)1868 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p,
1869 struct crypto_bignum *x)
1870 {
1871 return EC_POINT_get_affine_coordinates_GFp(e->group,
1872 (const EC_POINT *) p,
1873 (BIGNUM *) x, NULL,
1874 e->bnctx) == 1 ? 0 : -1;
1875 }
1876
1877
crypto_ec_point_to_bin(struct crypto_ec * e,const struct crypto_ec_point * point,u8 * x,u8 * y)1878 int crypto_ec_point_to_bin(struct crypto_ec *e,
1879 const struct crypto_ec_point *point, u8 *x, u8 *y)
1880 {
1881 BIGNUM *x_bn, *y_bn;
1882 int ret = -1;
1883 int len = BN_num_bytes(e->prime);
1884
1885 if (TEST_FAIL())
1886 return -1;
1887
1888 x_bn = BN_new();
1889 y_bn = BN_new();
1890
1891 if (x_bn && y_bn &&
1892 EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point,
1893 x_bn, y_bn, e->bnctx)) {
1894 if (x) {
1895 crypto_bignum_to_bin((struct crypto_bignum *) x_bn,
1896 x, len, len);
1897 }
1898 if (y) {
1899 crypto_bignum_to_bin((struct crypto_bignum *) y_bn,
1900 y, len, len);
1901 }
1902 ret = 0;
1903 }
1904
1905 BN_clear_free(x_bn);
1906 BN_clear_free(y_bn);
1907 return ret;
1908 }
1909
1910
crypto_ec_point_from_bin(struct crypto_ec * e,const u8 * val)1911 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
1912 const u8 *val)
1913 {
1914 BIGNUM *x, *y;
1915 EC_POINT *elem;
1916 int len = BN_num_bytes(e->prime);
1917
1918 if (TEST_FAIL())
1919 return NULL;
1920
1921 x = BN_bin2bn(val, len, NULL);
1922 y = BN_bin2bn(val + len, len, NULL);
1923 elem = EC_POINT_new(e->group);
1924 if (x == NULL || y == NULL || elem == NULL) {
1925 BN_clear_free(x);
1926 BN_clear_free(y);
1927 EC_POINT_clear_free(elem);
1928 return NULL;
1929 }
1930
1931 if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y,
1932 e->bnctx)) {
1933 EC_POINT_clear_free(elem);
1934 elem = NULL;
1935 }
1936
1937 BN_clear_free(x);
1938 BN_clear_free(y);
1939
1940 return (struct crypto_ec_point *) elem;
1941 }
1942
1943
crypto_ec_point_add(struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b,struct crypto_ec_point * c)1944 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
1945 const struct crypto_ec_point *b,
1946 struct crypto_ec_point *c)
1947 {
1948 if (TEST_FAIL())
1949 return -1;
1950 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
1951 (const EC_POINT *) b, e->bnctx) ? 0 : -1;
1952 }
1953
1954
crypto_ec_point_mul(struct crypto_ec * e,const struct crypto_ec_point * p,const struct crypto_bignum * b,struct crypto_ec_point * res)1955 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
1956 const struct crypto_bignum *b,
1957 struct crypto_ec_point *res)
1958 {
1959 if (TEST_FAIL())
1960 return -1;
1961 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
1962 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
1963 ? 0 : -1;
1964 }
1965
1966
crypto_ec_point_invert(struct crypto_ec * e,struct crypto_ec_point * p)1967 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
1968 {
1969 if (TEST_FAIL())
1970 return -1;
1971 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
1972 }
1973
1974
1975 struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec * e,const struct crypto_bignum * x)1976 crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
1977 const struct crypto_bignum *x)
1978 {
1979 BIGNUM *tmp;
1980
1981 if (TEST_FAIL())
1982 return NULL;
1983
1984 tmp = BN_new();
1985
1986 /* y^2 = x^3 + ax + b = (x^2 + a)x + b */
1987 if (tmp &&
1988 BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1989 BN_mod_add_quick(tmp, e->a, tmp, e->prime) &&
1990 BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1991 BN_mod_add_quick(tmp, tmp, e->b, e->prime))
1992 return (struct crypto_bignum *) tmp;
1993
1994 BN_clear_free(tmp);
1995 return NULL;
1996 }
1997
1998
crypto_ec_point_is_at_infinity(struct crypto_ec * e,const struct crypto_ec_point * p)1999 int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
2000 const struct crypto_ec_point *p)
2001 {
2002 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
2003 }
2004
2005
crypto_ec_point_is_on_curve(struct crypto_ec * e,const struct crypto_ec_point * p)2006 int crypto_ec_point_is_on_curve(struct crypto_ec *e,
2007 const struct crypto_ec_point *p)
2008 {
2009 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
2010 e->bnctx) == 1;
2011 }
2012
2013
crypto_ec_point_cmp(const struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b)2014 int crypto_ec_point_cmp(const struct crypto_ec *e,
2015 const struct crypto_ec_point *a,
2016 const struct crypto_ec_point *b)
2017 {
2018 return EC_POINT_cmp(e->group, (const EC_POINT *) a,
2019 (const EC_POINT *) b, e->bnctx);
2020 }
2021
2022
crypto_ec_point_debug_print(const struct crypto_ec * e,const struct crypto_ec_point * p,const char * title)2023 void crypto_ec_point_debug_print(const struct crypto_ec *e,
2024 const struct crypto_ec_point *p,
2025 const char *title)
2026 {
2027 BIGNUM *x, *y;
2028 char *x_str = NULL, *y_str = NULL;
2029
2030 x = BN_new();
2031 y = BN_new();
2032 if (!x || !y ||
2033 EC_POINT_get_affine_coordinates_GFp(e->group, (const EC_POINT *) p,
2034 x, y, e->bnctx) != 1)
2035 goto fail;
2036
2037 x_str = BN_bn2hex(x);
2038 y_str = BN_bn2hex(y);
2039 if (!x_str || !y_str)
2040 goto fail;
2041
2042 wpa_printf(MSG_DEBUG, "%s (%s,%s)", title, x_str, y_str);
2043
2044 fail:
2045 OPENSSL_free(x_str);
2046 OPENSSL_free(y_str);
2047 BN_free(x);
2048 BN_free(y);
2049 }
2050
2051
2052 struct crypto_ecdh {
2053 struct crypto_ec *ec;
2054 EVP_PKEY *pkey;
2055 };
2056
crypto_ecdh_init(int group)2057 struct crypto_ecdh * crypto_ecdh_init(int group)
2058 {
2059 struct crypto_ecdh *ecdh;
2060 EVP_PKEY *params = NULL;
2061 EC_KEY *ec_params = NULL;
2062 EVP_PKEY_CTX *kctx = NULL;
2063
2064 ecdh = os_zalloc(sizeof(*ecdh));
2065 if (!ecdh)
2066 goto fail;
2067
2068 ecdh->ec = crypto_ec_init(group);
2069 if (!ecdh->ec)
2070 goto fail;
2071
2072 ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2073 if (!ec_params) {
2074 wpa_printf(MSG_ERROR,
2075 "OpenSSL: Failed to generate EC_KEY parameters");
2076 goto fail;
2077 }
2078 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
2079 params = EVP_PKEY_new();
2080 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
2081 wpa_printf(MSG_ERROR,
2082 "OpenSSL: Failed to generate EVP_PKEY parameters");
2083 goto fail;
2084 }
2085
2086 kctx = EVP_PKEY_CTX_new(params, NULL);
2087 if (!kctx)
2088 goto fail;
2089
2090 if (EVP_PKEY_keygen_init(kctx) != 1) {
2091 wpa_printf(MSG_ERROR,
2092 "OpenSSL: EVP_PKEY_keygen_init failed: %s",
2093 ERR_error_string(ERR_get_error(), NULL));
2094 goto fail;
2095 }
2096
2097 if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) {
2098 wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s",
2099 ERR_error_string(ERR_get_error(), NULL));
2100 goto fail;
2101 }
2102
2103 done:
2104 EC_KEY_free(ec_params);
2105 EVP_PKEY_free(params);
2106 EVP_PKEY_CTX_free(kctx);
2107
2108 return ecdh;
2109 fail:
2110 crypto_ecdh_deinit(ecdh);
2111 ecdh = NULL;
2112 goto done;
2113 }
2114
2115
crypto_ecdh_init2(int group,struct crypto_ec_key * own_key)2116 struct crypto_ecdh * crypto_ecdh_init2(int group, struct crypto_ec_key *own_key)
2117 {
2118 struct crypto_ecdh *ecdh;
2119
2120 ecdh = os_zalloc(sizeof(*ecdh));
2121 if (!ecdh)
2122 goto fail;
2123
2124 ecdh->ec = crypto_ec_init(group);
2125 if (!ecdh->ec)
2126 goto fail;
2127
2128 ecdh->pkey = EVP_PKEY_new();
2129 if (!ecdh->pkey ||
2130 EVP_PKEY_assign_EC_KEY(ecdh->pkey,
2131 EVP_PKEY_get1_EC_KEY((EVP_PKEY *) own_key))
2132 != 1)
2133 goto fail;
2134
2135 return ecdh;
2136 fail:
2137 crypto_ecdh_deinit(ecdh);
2138 return NULL;
2139 }
2140
2141
crypto_ecdh_get_pubkey(struct crypto_ecdh * ecdh,int inc_y)2142 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y)
2143 {
2144 struct wpabuf *buf = NULL;
2145 EC_KEY *eckey;
2146 const EC_POINT *pubkey;
2147 BIGNUM *x, *y = NULL;
2148 int len = BN_num_bytes(ecdh->ec->prime);
2149 int res;
2150
2151 eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey);
2152 if (!eckey)
2153 return NULL;
2154
2155 pubkey = EC_KEY_get0_public_key(eckey);
2156 if (!pubkey)
2157 return NULL;
2158
2159 x = BN_new();
2160 if (inc_y) {
2161 y = BN_new();
2162 if (!y)
2163 goto fail;
2164 }
2165 buf = wpabuf_alloc(inc_y ? 2 * len : len);
2166 if (!x || !buf)
2167 goto fail;
2168
2169 if (EC_POINT_get_affine_coordinates_GFp(ecdh->ec->group, pubkey,
2170 x, y, ecdh->ec->bnctx) != 1) {
2171 wpa_printf(MSG_ERROR,
2172 "OpenSSL: EC_POINT_get_affine_coordinates_GFp failed: %s",
2173 ERR_error_string(ERR_get_error(), NULL));
2174 goto fail;
2175 }
2176
2177 res = crypto_bignum_to_bin((struct crypto_bignum *) x,
2178 wpabuf_put(buf, len), len, len);
2179 if (res < 0)
2180 goto fail;
2181
2182 if (inc_y) {
2183 res = crypto_bignum_to_bin((struct crypto_bignum *) y,
2184 wpabuf_put(buf, len), len, len);
2185 if (res < 0)
2186 goto fail;
2187 }
2188
2189 done:
2190 BN_clear_free(x);
2191 BN_clear_free(y);
2192 EC_KEY_free(eckey);
2193
2194 return buf;
2195 fail:
2196 wpabuf_free(buf);
2197 buf = NULL;
2198 goto done;
2199 }
2200
2201
crypto_ecdh_set_peerkey(struct crypto_ecdh * ecdh,int inc_y,const u8 * key,size_t len)2202 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
2203 const u8 *key, size_t len)
2204 {
2205 BIGNUM *x, *y = NULL;
2206 EVP_PKEY_CTX *ctx = NULL;
2207 EVP_PKEY *peerkey = NULL;
2208 struct wpabuf *secret = NULL;
2209 size_t secret_len;
2210 EC_POINT *pub;
2211 EC_KEY *eckey = NULL;
2212
2213 x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL);
2214 pub = EC_POINT_new(ecdh->ec->group);
2215 if (!x || !pub)
2216 goto fail;
2217
2218 if (inc_y) {
2219 y = BN_bin2bn(key + len / 2, len / 2, NULL);
2220 if (!y)
2221 goto fail;
2222 if (!EC_POINT_set_affine_coordinates_GFp(ecdh->ec->group, pub,
2223 x, y,
2224 ecdh->ec->bnctx)) {
2225 wpa_printf(MSG_ERROR,
2226 "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
2227 ERR_error_string(ERR_get_error(), NULL));
2228 goto fail;
2229 }
2230 } else if (!EC_POINT_set_compressed_coordinates_GFp(ecdh->ec->group,
2231 pub, x, 0,
2232 ecdh->ec->bnctx)) {
2233 wpa_printf(MSG_ERROR,
2234 "OpenSSL: EC_POINT_set_compressed_coordinates_GFp failed: %s",
2235 ERR_error_string(ERR_get_error(), NULL));
2236 goto fail;
2237 }
2238
2239 if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) {
2240 wpa_printf(MSG_ERROR,
2241 "OpenSSL: ECDH peer public key is not on curve");
2242 goto fail;
2243 }
2244
2245 eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2246 if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) {
2247 wpa_printf(MSG_ERROR,
2248 "OpenSSL: EC_KEY_set_public_key failed: %s",
2249 ERR_error_string(ERR_get_error(), NULL));
2250 goto fail;
2251 }
2252
2253 peerkey = EVP_PKEY_new();
2254 if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1)
2255 goto fail;
2256
2257 ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
2258 if (!ctx || EVP_PKEY_derive_init(ctx) != 1 ||
2259 EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
2260 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) {
2261 wpa_printf(MSG_ERROR,
2262 "OpenSSL: EVP_PKEY_derive(1) failed: %s",
2263 ERR_error_string(ERR_get_error(), NULL));
2264 goto fail;
2265 }
2266
2267 secret = wpabuf_alloc(secret_len);
2268 if (!secret)
2269 goto fail;
2270 if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
2271 wpa_printf(MSG_ERROR,
2272 "OpenSSL: EVP_PKEY_derive(2) failed: %s",
2273 ERR_error_string(ERR_get_error(), NULL));
2274 goto fail;
2275 }
2276 if (secret->size != secret_len)
2277 wpa_printf(MSG_DEBUG,
2278 "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
2279 (int) secret->size, (int) secret_len);
2280 wpabuf_put(secret, secret_len);
2281
2282 done:
2283 BN_free(x);
2284 BN_free(y);
2285 EC_KEY_free(eckey);
2286 EC_POINT_free(pub);
2287 EVP_PKEY_CTX_free(ctx);
2288 EVP_PKEY_free(peerkey);
2289 return secret;
2290 fail:
2291 wpabuf_free(secret);
2292 secret = NULL;
2293 goto done;
2294 }
2295
2296
crypto_ecdh_deinit(struct crypto_ecdh * ecdh)2297 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
2298 {
2299 if (ecdh) {
2300 crypto_ec_deinit(ecdh->ec);
2301 EVP_PKEY_free(ecdh->pkey);
2302 os_free(ecdh);
2303 }
2304 }
2305
2306
crypto_ecdh_prime_len(struct crypto_ecdh * ecdh)2307 size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
2308 {
2309 return crypto_ec_prime_len(ecdh->ec);
2310 }
2311
2312
crypto_ec_key_parse_priv(const u8 * der,size_t der_len)2313 struct crypto_ec_key * crypto_ec_key_parse_priv(const u8 *der, size_t der_len)
2314 {
2315 EVP_PKEY *pkey = NULL;
2316 EC_KEY *eckey;
2317
2318 eckey = d2i_ECPrivateKey(NULL, &der, der_len);
2319 if (!eckey) {
2320 wpa_printf(MSG_INFO, "OpenSSL: d2i_ECPrivateKey() failed: %s",
2321 ERR_error_string(ERR_get_error(), NULL));
2322 goto fail;
2323 }
2324 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
2325
2326 pkey = EVP_PKEY_new();
2327 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
2328 EC_KEY_free(eckey);
2329 goto fail;
2330 }
2331
2332 return (struct crypto_ec_key *) pkey;
2333 fail:
2334 crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
2335 return NULL;
2336 }
2337
2338
crypto_ec_key_parse_pub(const u8 * der,size_t der_len)2339 struct crypto_ec_key * crypto_ec_key_parse_pub(const u8 *der, size_t der_len)
2340 {
2341 EVP_PKEY *pkey;
2342
2343 pkey = d2i_PUBKEY(NULL, &der, der_len);
2344 if (!pkey) {
2345 wpa_printf(MSG_INFO, "OpenSSL: d2i_PUBKEY() failed: %s",
2346 ERR_error_string(ERR_get_error(), NULL));
2347 goto fail;
2348 }
2349
2350 /* Ensure this is an EC key */
2351 if (!EVP_PKEY_get0_EC_KEY(pkey))
2352 goto fail;
2353 return (struct crypto_ec_key *) pkey;
2354 fail:
2355 crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
2356 return NULL;
2357 }
2358
2359
crypto_ec_key_set_pub(int group,const u8 * buf_x,const u8 * buf_y,size_t len)2360 struct crypto_ec_key * crypto_ec_key_set_pub(int group, const u8 *buf_x,
2361 const u8 *buf_y, size_t len)
2362 {
2363 EC_KEY *eckey = NULL;
2364 EVP_PKEY *pkey = NULL;
2365 EC_GROUP *ec_group = NULL;
2366 BN_CTX *ctx;
2367 EC_POINT *point = NULL;
2368 BIGNUM *x = NULL, *y = NULL;
2369 int nid;
2370
2371 if (!buf_x || !buf_y)
2372 return NULL;
2373
2374 nid = crypto_ec_group_2_nid(group);
2375 if (nid < 0) {
2376 wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
2377 return NULL;
2378 }
2379
2380 ctx = BN_CTX_new();
2381 if (!ctx)
2382 goto fail;
2383
2384 ec_group = EC_GROUP_new_by_curve_name(nid);
2385 if (!ec_group)
2386 goto fail;
2387
2388 x = BN_bin2bn(buf_x, len, NULL);
2389 y = BN_bin2bn(buf_y, len, NULL);
2390 point = EC_POINT_new(ec_group);
2391 if (!x || !y || !point)
2392 goto fail;
2393
2394 if (!EC_POINT_set_affine_coordinates_GFp(ec_group, point, x, y, ctx)) {
2395 wpa_printf(MSG_ERROR,
2396 "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
2397 ERR_error_string(ERR_get_error(), NULL));
2398 goto fail;
2399 }
2400
2401 if (!EC_POINT_is_on_curve(ec_group, point, ctx) ||
2402 EC_POINT_is_at_infinity(ec_group, point)) {
2403 wpa_printf(MSG_ERROR, "OpenSSL: Invalid point");
2404 goto fail;
2405 }
2406
2407 eckey = EC_KEY_new();
2408 if (!eckey ||
2409 EC_KEY_set_group(eckey, ec_group) != 1 ||
2410 EC_KEY_set_public_key(eckey, point) != 1) {
2411 wpa_printf(MSG_ERROR,
2412 "OpenSSL: Failed to set EC_KEY: %s",
2413 ERR_error_string(ERR_get_error(), NULL));
2414 goto fail;
2415 }
2416 EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
2417
2418 pkey = EVP_PKEY_new();
2419 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
2420 wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
2421 goto fail;
2422 }
2423
2424 out:
2425 EC_GROUP_free(ec_group);
2426 BN_free(x);
2427 BN_free(y);
2428 EC_POINT_free(point);
2429 BN_CTX_free(ctx);
2430 return (struct crypto_ec_key *) pkey;
2431
2432 fail:
2433 EC_KEY_free(eckey);
2434 EVP_PKEY_free(pkey);
2435 pkey = NULL;
2436 goto out;
2437 }
2438
2439
2440 struct crypto_ec_key *
crypto_ec_key_set_pub_point(struct crypto_ec * ec,const struct crypto_ec_point * pub)2441 crypto_ec_key_set_pub_point(struct crypto_ec *ec,
2442 const struct crypto_ec_point *pub)
2443 {
2444 EC_KEY *eckey;
2445 EVP_PKEY *pkey = NULL;
2446
2447 eckey = EC_KEY_new();
2448 if (!eckey ||
2449 EC_KEY_set_group(eckey, ec->group) != 1 ||
2450 EC_KEY_set_public_key(eckey, (const EC_POINT *) pub) != 1) {
2451 wpa_printf(MSG_ERROR,
2452 "OpenSSL: Failed to set EC_KEY: %s",
2453 ERR_error_string(ERR_get_error(), NULL));
2454 goto fail;
2455 }
2456 EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
2457
2458 pkey = EVP_PKEY_new();
2459 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
2460 wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
2461 goto fail;
2462 }
2463
2464 out:
2465 return (struct crypto_ec_key *) pkey;
2466
2467 fail:
2468 EVP_PKEY_free(pkey);
2469 EC_KEY_free(eckey);
2470 pkey = NULL;
2471 goto out;
2472 }
2473
2474
crypto_ec_key_gen(int group)2475 struct crypto_ec_key * crypto_ec_key_gen(int group)
2476 {
2477 EVP_PKEY_CTX *kctx = NULL;
2478 EC_KEY *ec_params = NULL, *eckey;
2479 EVP_PKEY *params = NULL, *key = NULL;
2480 int nid;
2481
2482 nid = crypto_ec_group_2_nid(group);
2483 if (nid < 0) {
2484 wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
2485 return NULL;
2486 }
2487
2488 ec_params = EC_KEY_new_by_curve_name(nid);
2489 if (!ec_params) {
2490 wpa_printf(MSG_ERROR,
2491 "OpenSSL: Failed to generate EC_KEY parameters");
2492 goto fail;
2493 }
2494 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
2495 params = EVP_PKEY_new();
2496 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
2497 wpa_printf(MSG_ERROR,
2498 "OpenSSL: Failed to generate EVP_PKEY parameters");
2499 goto fail;
2500 }
2501
2502 kctx = EVP_PKEY_CTX_new(params, NULL);
2503 if (!kctx ||
2504 EVP_PKEY_keygen_init(kctx) != 1 ||
2505 EVP_PKEY_keygen(kctx, &key) != 1) {
2506 wpa_printf(MSG_ERROR, "OpenSSL: Failed to generate EC key");
2507 key = NULL;
2508 goto fail;
2509 }
2510
2511 eckey = EVP_PKEY_get1_EC_KEY(key);
2512 if (!eckey) {
2513 key = NULL;
2514 goto fail;
2515 }
2516 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
2517 EC_KEY_free(eckey);
2518
2519 fail:
2520 EC_KEY_free(ec_params);
2521 EVP_PKEY_free(params);
2522 EVP_PKEY_CTX_free(kctx);
2523 return (struct crypto_ec_key *) key;
2524 }
2525
2526
crypto_ec_key_deinit(struct crypto_ec_key * key)2527 void crypto_ec_key_deinit(struct crypto_ec_key *key)
2528 {
2529 EVP_PKEY_free((EVP_PKEY *) key);
2530 }
2531
2532
2533 #ifdef OPENSSL_IS_BORINGSSL
2534
2535 /* BoringSSL version of i2d_PUBKEY() always outputs public EC key using
2536 * uncompressed form so define a custom function to export EC pubkey using
2537 * the compressed format that is explicitly required for some protocols. */
2538
2539 #include <openssl/asn1.h>
2540 #include <openssl/asn1t.h>
2541
2542 typedef struct {
2543 /* AlgorithmIdentifier ecPublicKey with optional parameters present
2544 * as an OID identifying the curve */
2545 X509_ALGOR *alg;
2546 /* Compressed format public key per ANSI X9.63 */
2547 ASN1_BIT_STRING *pub_key;
2548 } EC_COMP_PUBKEY;
2549
2550 ASN1_SEQUENCE(EC_COMP_PUBKEY) = {
2551 ASN1_SIMPLE(EC_COMP_PUBKEY, alg, X509_ALGOR),
2552 ASN1_SIMPLE(EC_COMP_PUBKEY, pub_key, ASN1_BIT_STRING)
2553 } ASN1_SEQUENCE_END(EC_COMP_PUBKEY);
2554
2555 IMPLEMENT_ASN1_FUNCTIONS(EC_COMP_PUBKEY);
2556
2557 #endif /* OPENSSL_IS_BORINGSSL */
2558
2559
crypto_ec_key_get_subject_public_key(struct crypto_ec_key * key)2560 struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
2561 {
2562 #ifdef OPENSSL_IS_BORINGSSL
2563 unsigned char *der = NULL;
2564 int der_len;
2565 const EC_KEY *eckey;
2566 struct wpabuf *ret = NULL;
2567 size_t len;
2568 const EC_GROUP *group;
2569 const EC_POINT *point;
2570 BN_CTX *ctx;
2571 EC_COMP_PUBKEY *pubkey = NULL;
2572 int nid;
2573
2574 ctx = BN_CTX_new();
2575 eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
2576 if (!ctx || !eckey)
2577 goto fail;
2578
2579 group = EC_KEY_get0_group(eckey);
2580 point = EC_KEY_get0_public_key(eckey);
2581 if (!group || !point)
2582 goto fail;
2583 nid = EC_GROUP_get_curve_name(group);
2584
2585 pubkey = EC_COMP_PUBKEY_new();
2586 if (!pubkey ||
2587 X509_ALGOR_set0(pubkey->alg, OBJ_nid2obj(EVP_PKEY_EC),
2588 V_ASN1_OBJECT, (void *) OBJ_nid2obj(nid)) != 1)
2589 goto fail;
2590
2591 len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
2592 NULL, 0, ctx);
2593 if (len == 0)
2594 goto fail;
2595
2596 der = OPENSSL_malloc(len);
2597 if (!der)
2598 goto fail;
2599 len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
2600 der, len, ctx);
2601
2602 OPENSSL_free(pubkey->pub_key->data);
2603 pubkey->pub_key->data = der;
2604 der = NULL;
2605 pubkey->pub_key->length = len;
2606 /* No unused bits */
2607 pubkey->pub_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
2608 pubkey->pub_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;
2609
2610 der_len = i2d_EC_COMP_PUBKEY(pubkey, &der);
2611 if (der_len <= 0) {
2612 wpa_printf(MSG_ERROR,
2613 "BoringSSL: Failed to build DER encoded public key");
2614 goto fail;
2615 }
2616
2617 ret = wpabuf_alloc_copy(der, der_len);
2618 fail:
2619 EC_COMP_PUBKEY_free(pubkey);
2620 OPENSSL_free(der);
2621 BN_CTX_free(ctx);
2622 return ret;
2623 #else /* OPENSSL_IS_BORINGSSL */
2624 unsigned char *der = NULL;
2625 int der_len;
2626 struct wpabuf *buf;
2627 EC_KEY *eckey;
2628 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2629 EVP_PKEY *tmp;
2630 #endif /* OpenSSL version >= 3.0 */
2631
2632 eckey = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) key);
2633 if (!eckey)
2634 return NULL;
2635
2636 /* For now, all users expect COMPRESSED form */
2637 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
2638
2639 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2640 tmp = EVP_PKEY_new();
2641 if (!tmp)
2642 return NULL;
2643 if (EVP_PKEY_set1_EC_KEY(tmp, eckey) != 1) {
2644 EVP_PKEY_free(tmp);
2645 return NULL;
2646 }
2647 key = (struct crypto_ec_key *) tmp;
2648 #endif /* OpenSSL version >= 3.0 */
2649
2650 der_len = i2d_PUBKEY((EVP_PKEY *) key, &der);
2651 EC_KEY_free(eckey);
2652 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2653 EVP_PKEY_free(tmp);
2654 #endif /* OpenSSL version >= 3.0 */
2655 if (der_len <= 0) {
2656 wpa_printf(MSG_INFO, "OpenSSL: i2d_PUBKEY() failed: %s",
2657 ERR_error_string(ERR_get_error(), NULL));
2658 return NULL;
2659 }
2660
2661 buf = wpabuf_alloc_copy(der, der_len);
2662 OPENSSL_free(der);
2663 return buf;
2664 #endif /* OPENSSL_IS_BORINGSSL */
2665 }
2666
2667
crypto_ec_key_get_ecprivate_key(struct crypto_ec_key * key,bool include_pub)2668 struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key,
2669 bool include_pub)
2670 {
2671 EC_KEY *eckey;
2672 unsigned char *der = NULL;
2673 int der_len;
2674 struct wpabuf *buf;
2675 unsigned int key_flags;
2676
2677 eckey = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) key);
2678 if (!eckey)
2679 return NULL;
2680
2681 key_flags = EC_KEY_get_enc_flags(eckey);
2682 if (include_pub)
2683 key_flags &= ~EC_PKEY_NO_PUBKEY;
2684 else
2685 key_flags |= EC_PKEY_NO_PUBKEY;
2686 EC_KEY_set_enc_flags(eckey, key_flags);
2687
2688 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
2689
2690 der_len = i2d_ECPrivateKey(eckey, &der);
2691 EC_KEY_free(eckey);
2692 if (der_len <= 0)
2693 return NULL;
2694 buf = wpabuf_alloc_copy(der, der_len);
2695 OPENSSL_free(der);
2696
2697 return buf;
2698 }
2699
2700
crypto_ec_key_get_pubkey_point(struct crypto_ec_key * key,int prefix)2701 struct wpabuf * crypto_ec_key_get_pubkey_point(struct crypto_ec_key *key,
2702 int prefix)
2703 {
2704 int len, res;
2705 EC_KEY *eckey;
2706 struct wpabuf *buf;
2707 unsigned char *pos;
2708
2709 eckey = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) key);
2710 if (!eckey)
2711 return NULL;
2712 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
2713 len = i2o_ECPublicKey(eckey, NULL);
2714 if (len <= 0) {
2715 wpa_printf(MSG_ERROR,
2716 "OpenSSL: Failed to determine public key encoding length");
2717 EC_KEY_free(eckey);
2718 return NULL;
2719 }
2720
2721 buf = wpabuf_alloc(len);
2722 if (!buf) {
2723 EC_KEY_free(eckey);
2724 return NULL;
2725 }
2726
2727 pos = wpabuf_put(buf, len);
2728 res = i2o_ECPublicKey(eckey, &pos);
2729 EC_KEY_free(eckey);
2730 if (res != len) {
2731 wpa_printf(MSG_ERROR,
2732 "OpenSSL: Failed to encode public key (res=%d/%d)",
2733 res, len);
2734 wpabuf_free(buf);
2735 return NULL;
2736 }
2737
2738 if (!prefix) {
2739 /* Remove 0x04 prefix if requested */
2740 pos = wpabuf_mhead(buf);
2741 os_memmove(pos, pos + 1, len - 1);
2742 buf->used--;
2743 }
2744
2745 return buf;
2746 }
2747
2748
2749 const struct crypto_ec_point *
crypto_ec_key_get_public_key(struct crypto_ec_key * key)2750 crypto_ec_key_get_public_key(struct crypto_ec_key *key)
2751 {
2752 const EC_KEY *eckey;
2753
2754 eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
2755 if (!eckey)
2756 return NULL;
2757 return (const struct crypto_ec_point *) EC_KEY_get0_public_key(eckey);
2758 }
2759
2760
2761 const struct crypto_bignum *
crypto_ec_key_get_private_key(struct crypto_ec_key * key)2762 crypto_ec_key_get_private_key(struct crypto_ec_key *key)
2763 {
2764 const EC_KEY *eckey;
2765
2766 eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
2767 if (!eckey)
2768 return NULL;
2769 return (const struct crypto_bignum *) EC_KEY_get0_private_key(eckey);
2770 }
2771
2772
crypto_ec_key_sign(struct crypto_ec_key * key,const u8 * data,size_t len)2773 struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
2774 size_t len)
2775 {
2776 EVP_PKEY_CTX *pkctx;
2777 struct wpabuf *sig_der;
2778 size_t sig_len;
2779
2780 sig_len = EVP_PKEY_size((EVP_PKEY *) key);
2781 sig_der = wpabuf_alloc(sig_len);
2782 if (!sig_der)
2783 return NULL;
2784
2785 pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
2786 if (!pkctx ||
2787 EVP_PKEY_sign_init(pkctx) <= 0 ||
2788 EVP_PKEY_sign(pkctx, wpabuf_put(sig_der, 0), &sig_len,
2789 data, len) <= 0) {
2790 wpabuf_free(sig_der);
2791 sig_der = NULL;
2792 } else {
2793 wpabuf_put(sig_der, sig_len);
2794 }
2795
2796 EVP_PKEY_CTX_free(pkctx);
2797 return sig_der;
2798 }
2799
2800
crypto_ec_key_sign_r_s(struct crypto_ec_key * key,const u8 * data,size_t len)2801 struct wpabuf * crypto_ec_key_sign_r_s(struct crypto_ec_key *key,
2802 const u8 *data, size_t len)
2803 {
2804 const EC_GROUP *group;
2805 const EC_KEY *eckey;
2806 BIGNUM *prime = NULL;
2807 ECDSA_SIG *sig = NULL;
2808 const BIGNUM *r, *s;
2809 u8 *r_buf, *s_buf;
2810 struct wpabuf *buf;
2811 const unsigned char *p;
2812 int prime_len;
2813
2814 buf = crypto_ec_key_sign(key, data, len);
2815 if (!buf)
2816 return NULL;
2817
2818 /* Extract (r,s) from Ecdsa-Sig-Value */
2819 eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
2820 if (!eckey)
2821 goto fail;
2822 group = EC_KEY_get0_group(eckey);
2823 prime = BN_new();
2824 if (!prime || !group ||
2825 !EC_GROUP_get_curve_GFp(group, prime, NULL, NULL, NULL))
2826 goto fail;
2827 prime_len = BN_num_bytes(prime);
2828
2829 p = wpabuf_head(buf);
2830 sig = d2i_ECDSA_SIG(NULL, &p, wpabuf_len(buf));
2831 if (!sig)
2832 goto fail;
2833 ECDSA_SIG_get0(sig, &r, &s);
2834
2835 /* Re-use wpabuf returned by crypto_ec_key_sign() */
2836 buf->used = 0;
2837 r_buf = wpabuf_put(buf, prime_len);
2838 s_buf = wpabuf_put(buf, prime_len);
2839 if (crypto_bignum_to_bin((const struct crypto_bignum *) r, r_buf,
2840 prime_len, prime_len) < 0 ||
2841 crypto_bignum_to_bin((const struct crypto_bignum *) s, s_buf,
2842 prime_len, prime_len) < 0)
2843 goto fail;
2844
2845 out:
2846 BN_free(prime);
2847 ECDSA_SIG_free(sig);
2848 return buf;
2849 fail:
2850 wpabuf_clear_free(buf);
2851 buf = NULL;
2852 goto out;
2853 }
2854
2855
crypto_ec_key_verify_signature(struct crypto_ec_key * key,const u8 * data,size_t len,const u8 * sig,size_t sig_len)2856 int crypto_ec_key_verify_signature(struct crypto_ec_key *key, const u8 *data,
2857 size_t len, const u8 *sig, size_t sig_len)
2858 {
2859 EVP_PKEY_CTX *pkctx;
2860 int ret;
2861
2862 pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
2863 if (!pkctx || EVP_PKEY_verify_init(pkctx) <= 0) {
2864 EVP_PKEY_CTX_free(pkctx);
2865 return -1;
2866 }
2867
2868 ret = EVP_PKEY_verify(pkctx, sig, sig_len, data, len);
2869 EVP_PKEY_CTX_free(pkctx);
2870 if (ret == 1)
2871 return 1; /* signature ok */
2872 if (ret == 0)
2873 return 0; /* incorrect signature */
2874 return -1;
2875 }
2876
2877
crypto_ec_key_verify_signature_r_s(struct crypto_ec_key * key,const u8 * data,size_t len,const u8 * r,size_t r_len,const u8 * s,size_t s_len)2878 int crypto_ec_key_verify_signature_r_s(struct crypto_ec_key *key,
2879 const u8 *data, size_t len,
2880 const u8 *r, size_t r_len,
2881 const u8 *s, size_t s_len)
2882 {
2883 ECDSA_SIG *sig;
2884 BIGNUM *r_bn, *s_bn;
2885 unsigned char *der = NULL;
2886 int der_len;
2887 int ret = -1;
2888
2889 r_bn = BN_bin2bn(r, r_len, NULL);
2890 s_bn = BN_bin2bn(s, s_len, NULL);
2891 sig = ECDSA_SIG_new();
2892 if (!r_bn || !s_bn || !sig || ECDSA_SIG_set0(sig, r_bn, s_bn) != 1)
2893 goto fail;
2894 r_bn = NULL;
2895 s_bn = NULL;
2896
2897 der_len = i2d_ECDSA_SIG(sig, &der);
2898 if (der_len <= 0) {
2899 wpa_printf(MSG_DEBUG,
2900 "OpenSSL: Could not DER encode signature");
2901 goto fail;
2902 }
2903
2904 ret = crypto_ec_key_verify_signature(key, data, len, der, der_len);
2905
2906 fail:
2907 OPENSSL_free(der);
2908 BN_free(r_bn);
2909 BN_free(s_bn);
2910 ECDSA_SIG_free(sig);
2911 return ret;
2912 }
2913
2914
crypto_ec_key_group(struct crypto_ec_key * key)2915 int crypto_ec_key_group(struct crypto_ec_key *key)
2916 {
2917 const EC_KEY *eckey;
2918 const EC_GROUP *group;
2919 int nid;
2920
2921 eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
2922 if (!eckey)
2923 return -1;
2924 group = EC_KEY_get0_group(eckey);
2925 if (!group)
2926 return -1;
2927 nid = EC_GROUP_get_curve_name(group);
2928 switch (nid) {
2929 case NID_X9_62_prime256v1:
2930 return 19;
2931 case NID_secp384r1:
2932 return 20;
2933 case NID_secp521r1:
2934 return 21;
2935 #ifdef NID_brainpoolP256r1
2936 case NID_brainpoolP256r1:
2937 return 28;
2938 #endif /* NID_brainpoolP256r1 */
2939 #ifdef NID_brainpoolP384r1
2940 case NID_brainpoolP384r1:
2941 return 29;
2942 #endif /* NID_brainpoolP384r1 */
2943 #ifdef NID_brainpoolP512r1
2944 case NID_brainpoolP512r1:
2945 return 30;
2946 #endif /* NID_brainpoolP512r1 */
2947 }
2948 wpa_printf(MSG_ERROR, "OpenSSL: Unsupported curve (nid=%d) in EC key",
2949 nid);
2950 return -1;
2951 }
2952
2953
crypto_ec_key_cmp(struct crypto_ec_key * key1,struct crypto_ec_key * key2)2954 int crypto_ec_key_cmp(struct crypto_ec_key *key1, struct crypto_ec_key *key2)
2955 {
2956 if (EVP_PKEY_cmp((EVP_PKEY *) key1, (EVP_PKEY *) key2) != 1)
2957 return -1;
2958 return 0;
2959 }
2960
2961
crypto_ec_key_debug_print(const struct crypto_ec_key * key,const char * title)2962 void crypto_ec_key_debug_print(const struct crypto_ec_key *key,
2963 const char *title)
2964 {
2965 BIO *out;
2966 size_t rlen;
2967 char *txt;
2968 int res;
2969
2970 out = BIO_new(BIO_s_mem());
2971 if (!out)
2972 return;
2973
2974 EVP_PKEY_print_private(out, (EVP_PKEY *) key, 0, NULL);
2975 rlen = BIO_ctrl_pending(out);
2976 txt = os_malloc(rlen + 1);
2977 if (txt) {
2978 res = BIO_read(out, txt, rlen);
2979 if (res > 0) {
2980 txt[res] = '\0';
2981 wpa_printf(MSG_DEBUG, "%s: %s", title, txt);
2982 }
2983 os_free(txt);
2984 }
2985 BIO_free(out);
2986 }
2987
2988
crypto_pkcs7_get_certificates(const struct wpabuf * pkcs7)2989 struct wpabuf * crypto_pkcs7_get_certificates(const struct wpabuf *pkcs7)
2990 {
2991 #ifdef OPENSSL_IS_BORINGSSL
2992 CBS pkcs7_cbs;
2993 #else /* OPENSSL_IS_BORINGSSL */
2994 PKCS7 *p7 = NULL;
2995 const unsigned char *p = wpabuf_head(pkcs7);
2996 #endif /* OPENSSL_IS_BORINGSSL */
2997 STACK_OF(X509) *certs;
2998 int i, num;
2999 BIO *out = NULL;
3000 size_t rlen;
3001 struct wpabuf *pem = NULL;
3002 int res;
3003
3004 #ifdef OPENSSL_IS_BORINGSSL
3005 certs = sk_X509_new_null();
3006 if (!certs)
3007 goto fail;
3008 CBS_init(&pkcs7_cbs, wpabuf_head(pkcs7), wpabuf_len(pkcs7));
3009 if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
3010 wpa_printf(MSG_INFO,
3011 "OpenSSL: Could not parse PKCS#7 object: %s",
3012 ERR_error_string(ERR_get_error(), NULL));
3013 goto fail;
3014 }
3015 #else /* OPENSSL_IS_BORINGSSL */
3016 p7 = d2i_PKCS7(NULL, &p, wpabuf_len(pkcs7));
3017 if (!p7) {
3018 wpa_printf(MSG_INFO,
3019 "OpenSSL: Could not parse PKCS#7 object: %s",
3020 ERR_error_string(ERR_get_error(), NULL));
3021 goto fail;
3022 }
3023
3024 switch (OBJ_obj2nid(p7->type)) {
3025 case NID_pkcs7_signed:
3026 certs = p7->d.sign->cert;
3027 break;
3028 case NID_pkcs7_signedAndEnveloped:
3029 certs = p7->d.signed_and_enveloped->cert;
3030 break;
3031 default:
3032 certs = NULL;
3033 break;
3034 }
3035 #endif /* OPENSSL_IS_BORINGSSL */
3036
3037 if (!certs || ((num = sk_X509_num(certs)) == 0)) {
3038 wpa_printf(MSG_INFO,
3039 "OpenSSL: No certificates found in PKCS#7 object");
3040 goto fail;
3041 }
3042
3043 out = BIO_new(BIO_s_mem());
3044 if (!out)
3045 goto fail;
3046
3047 for (i = 0; i < num; i++) {
3048 X509 *cert = sk_X509_value(certs, i);
3049
3050 PEM_write_bio_X509(out, cert);
3051 }
3052
3053 rlen = BIO_ctrl_pending(out);
3054 pem = wpabuf_alloc(rlen);
3055 if (!pem)
3056 goto fail;
3057 res = BIO_read(out, wpabuf_put(pem, 0), rlen);
3058 if (res <= 0) {
3059 wpabuf_free(pem);
3060 pem = NULL;
3061 goto fail;
3062 }
3063 wpabuf_put(pem, res);
3064
3065 fail:
3066 #ifdef OPENSSL_IS_BORINGSSL
3067 if (certs)
3068 sk_X509_pop_free(certs, X509_free);
3069 #else /* OPENSSL_IS_BORINGSSL */
3070 PKCS7_free(p7);
3071 #endif /* OPENSSL_IS_BORINGSSL */
3072 if (out)
3073 BIO_free_all(out);
3074
3075 return pem;
3076 }
3077
3078
crypto_csr_init()3079 struct crypto_csr * crypto_csr_init()
3080 {
3081 return (struct crypto_csr *)X509_REQ_new();
3082 }
3083
3084
crypto_csr_verify(const struct wpabuf * req)3085 struct crypto_csr * crypto_csr_verify(const struct wpabuf *req)
3086 {
3087 X509_REQ *csr;
3088 EVP_PKEY *pkey = NULL;
3089 const u8 *der = wpabuf_head(req);
3090
3091 csr = d2i_X509_REQ(NULL, &der, wpabuf_len(req));
3092 if (!csr)
3093 return NULL;
3094
3095 pkey = X509_REQ_get_pubkey((X509_REQ *)csr);
3096 if (!pkey)
3097 goto fail;
3098
3099 if (X509_REQ_verify((X509_REQ *)csr, pkey) != 1)
3100 goto fail;
3101
3102 return (struct crypto_csr *)csr;
3103 fail:
3104 X509_REQ_free(csr);
3105 return NULL;
3106 }
3107
3108
crypto_csr_deinit(struct crypto_csr * csr)3109 void crypto_csr_deinit(struct crypto_csr *csr)
3110 {
3111 X509_REQ_free((X509_REQ *)csr);
3112 }
3113
3114
crypto_csr_set_ec_public_key(struct crypto_csr * csr,struct crypto_ec_key * key)3115 int crypto_csr_set_ec_public_key(struct crypto_csr *csr, struct crypto_ec_key *key)
3116 {
3117 if (!X509_REQ_set_pubkey((X509_REQ *)csr, (EVP_PKEY *)key))
3118 return -1;
3119
3120 return 0;
3121 }
3122
3123
crypto_csr_set_name(struct crypto_csr * csr,enum crypto_csr_name type,const char * name)3124 int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
3125 const char *name)
3126 {
3127 X509_NAME *n;
3128 int nid;
3129
3130 switch (type) {
3131 case CSR_NAME_CN:
3132 nid = NID_commonName;
3133 break;
3134 case CSR_NAME_SN:
3135 nid = NID_surname;
3136 break;
3137 case CSR_NAME_C:
3138 nid = NID_countryName;
3139 break;
3140 case CSR_NAME_O:
3141 nid = NID_organizationName;
3142 break;
3143 case CSR_NAME_OU:
3144 nid = NID_organizationalUnitName;
3145 break;
3146 default:
3147 return -1;
3148 }
3149
3150 n = X509_REQ_get_subject_name((X509_REQ *) csr);
3151 if (!n)
3152 return -1;
3153
3154 #if OPENSSL_VERSION_NUMBER < 0x10100000L
3155 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
3156 (unsigned char *) name,
3157 os_strlen(name), -1, 0))
3158 return -1;
3159 #else
3160 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
3161 (const unsigned char *) name,
3162 os_strlen(name), -1, 0))
3163 return -1;
3164 #endif
3165
3166 return 0;
3167 }
3168
3169
crypto_csr_set_attribute(struct crypto_csr * csr,enum crypto_csr_attr attr,int attr_type,const u8 * value,size_t len)3170 int crypto_csr_set_attribute(struct crypto_csr *csr, enum crypto_csr_attr attr,
3171 int attr_type, const u8 *value, size_t len)
3172 {
3173 int nid;
3174
3175 switch (attr) {
3176 case CSR_ATTR_CHALLENGE_PASSWORD:
3177 nid = NID_pkcs9_challengePassword;
3178 break;
3179 default:
3180 return -1;
3181 }
3182
3183 if (!X509_REQ_add1_attr_by_NID((X509_REQ *) csr, nid, attr_type, value,
3184 len))
3185 return -1;
3186
3187 return 0;
3188 }
3189
3190
crypto_csr_get_attribute(struct crypto_csr * csr,enum crypto_csr_attr attr,size_t * len,int * type)3191 const u8 * crypto_csr_get_attribute(struct crypto_csr *csr,
3192 enum crypto_csr_attr attr,
3193 size_t *len, int *type)
3194 {
3195 X509_ATTRIBUTE *attrib;
3196 ASN1_TYPE *attrib_type;
3197 ASN1_STRING *data;
3198 int loc;
3199 int nid;
3200
3201 switch (attr) {
3202 case CSR_ATTR_CHALLENGE_PASSWORD:
3203 nid = NID_pkcs9_challengePassword;
3204 break;
3205 default:
3206 return NULL;
3207 }
3208
3209 loc = X509_REQ_get_attr_by_NID((X509_REQ *) csr, nid, -1);
3210 if (loc < 0)
3211 return NULL;
3212
3213 attrib = X509_REQ_get_attr((X509_REQ *) csr, loc);
3214 if (!attrib)
3215 return NULL;
3216
3217 attrib_type = X509_ATTRIBUTE_get0_type(attrib, 0);
3218 if (!attrib_type)
3219 return NULL;
3220 *type = ASN1_TYPE_get(attrib_type);
3221 data = X509_ATTRIBUTE_get0_data(attrib, 0, *type, NULL);
3222 if (!data)
3223 return NULL;
3224 *len = ASN1_STRING_length(data);
3225 return ASN1_STRING_get0_data(data);
3226 }
3227
3228
crypto_csr_sign(struct crypto_csr * csr,struct crypto_ec_key * key,enum crypto_hash_alg algo)3229 struct wpabuf * crypto_csr_sign(struct crypto_csr *csr,
3230 struct crypto_ec_key *key,
3231 enum crypto_hash_alg algo)
3232 {
3233 const EVP_MD *sign_md;
3234 struct wpabuf *buf;
3235 unsigned char *der = NULL;
3236 int der_len;
3237
3238 switch (algo) {
3239 case CRYPTO_HASH_ALG_SHA256:
3240 sign_md = EVP_sha256();
3241 break;
3242 case CRYPTO_HASH_ALG_SHA384:
3243 sign_md = EVP_sha384();
3244 break;
3245 case CRYPTO_HASH_ALG_SHA512:
3246 sign_md = EVP_sha512();
3247 break;
3248 default:
3249 return NULL;
3250 }
3251
3252 if (!X509_REQ_sign((X509_REQ *) csr, (EVP_PKEY *) key, sign_md))
3253 return NULL;
3254
3255 der_len = i2d_X509_REQ((X509_REQ *) csr, &der);
3256 if (der_len < 0)
3257 return NULL;
3258
3259 buf = wpabuf_alloc_copy(der, der_len);
3260 OPENSSL_free(der);
3261
3262 return buf;
3263 }
3264
3265 #endif /* CONFIG_ECC */
3266