1 /*
2 * Wrapper functions for OpenSSL libcrypto
3 * Copyright (c) 2004-2024, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #include <openssl/opensslv.h>
11 #include <openssl/err.h>
12 #include <openssl/des.h>
13 #include <openssl/aes.h>
14 #include <openssl/bn.h>
15 #include <openssl/evp.h>
16 #include <openssl/dh.h>
17 #include <openssl/hmac.h>
18 #include <openssl/rand.h>
19 #include <openssl/rsa.h>
20 #include <openssl/pem.h>
21 #ifdef CONFIG_ECC
22 #include <openssl/ec.h>
23 #include <openssl/x509.h>
24 #endif /* CONFIG_ECC */
25 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
26 #include <openssl/provider.h>
27 #include <openssl/core_names.h>
28 #include <openssl/param_build.h>
29 #include <openssl/encoder.h>
30 #include <openssl/decoder.h>
31 #else /* OpenSSL version >= 3.0 */
32 #include <openssl/cmac.h>
33 #endif /* OpenSSL version >= 3.0 */
34 #ifdef CONFIG_DPP3
35 #if OPENSSL_VERSION_NUMBER >= 0x30200000L
36 #include <openssl/hpke.h>
37 #endif
38 #endif /* CONFIG_DPP3 */
39
40 #include "common.h"
41 #include "utils/const_time.h"
42 #include "wpabuf.h"
43 #include "dh_group5.h"
44 #include "sha1.h"
45 #include "sha256.h"
46 #include "sha384.h"
47 #include "sha512.h"
48 #include "md5.h"
49 #include "aes_wrap.h"
50 #include "crypto.h"
51
52 #if OPENSSL_VERSION_NUMBER < 0x10100000L
53 /* Compatibility wrappers for older versions. */
54
HMAC_CTX_new(void)55 static HMAC_CTX * HMAC_CTX_new(void)
56 {
57 HMAC_CTX *ctx;
58
59 ctx = os_zalloc(sizeof(*ctx));
60 if (ctx)
61 HMAC_CTX_init(ctx);
62 return ctx;
63 }
64
65
HMAC_CTX_free(HMAC_CTX * ctx)66 static void HMAC_CTX_free(HMAC_CTX *ctx)
67 {
68 if (!ctx)
69 return;
70 HMAC_CTX_cleanup(ctx);
71 bin_clear_free(ctx, sizeof(*ctx));
72 }
73
74
EVP_MD_CTX_new(void)75 static EVP_MD_CTX * EVP_MD_CTX_new(void)
76 {
77 EVP_MD_CTX *ctx;
78
79 ctx = os_zalloc(sizeof(*ctx));
80 if (ctx)
81 EVP_MD_CTX_init(ctx);
82 return ctx;
83 }
84
85
EVP_MD_CTX_free(EVP_MD_CTX * ctx)86 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
87 {
88 if (!ctx)
89 return;
90 EVP_MD_CTX_cleanup(ctx);
91 bin_clear_free(ctx, sizeof(*ctx));
92 }
93
94
95 #ifdef CONFIG_ECC
96
EVP_PKEY_get0_EC_KEY(EVP_PKEY * pkey)97 static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
98 {
99 if (pkey->type != EVP_PKEY_EC)
100 return NULL;
101 return pkey->pkey.ec;
102 }
103
104
ECDSA_SIG_set0(ECDSA_SIG * sig,BIGNUM * r,BIGNUM * s)105 static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
106 {
107 sig->r = r;
108 sig->s = s;
109 return 1;
110 }
111
112
ECDSA_SIG_get0(const ECDSA_SIG * sig,const BIGNUM ** pr,const BIGNUM ** ps)113 static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,
114 const BIGNUM **ps)
115 {
116 if (pr)
117 *pr = sig->r;
118 if (ps)
119 *ps = sig->s;
120 }
121
122 #endif /* CONFIG_ECC */
123
ASN1_STRING_get0_data(const ASN1_STRING * x)124 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
125 {
126 return ASN1_STRING_data((ASN1_STRING *) x);
127 }
128
129
X509_get0_notBefore(const X509 * x)130 static const ASN1_TIME * X509_get0_notBefore(const X509 *x)
131 {
132 return X509_get_notBefore(x);
133 }
134
135
X509_get0_notAfter(const X509 * x)136 static const ASN1_TIME * X509_get0_notAfter(const X509 *x)
137 {
138 return X509_get_notAfter(x);
139 }
140
141 #endif /* OpenSSL version < 1.1.0 */
142
143
144 #if OPENSSL_VERSION_NUMBER < 0x10101000L || \
145 (defined(LIBRESSL_VERSION_NUMBER) && \
146 LIBRESSL_VERSION_NUMBER < 0x30400000L)
147
EC_POINT_get_affine_coordinates(const EC_GROUP * group,const EC_POINT * point,BIGNUM * x,BIGNUM * y,BN_CTX * ctx)148 static int EC_POINT_get_affine_coordinates(const EC_GROUP *group,
149 const EC_POINT *point, BIGNUM *x,
150 BIGNUM *y, BN_CTX *ctx)
151 {
152 return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
153 }
154
155
EC_POINT_set_affine_coordinates(const EC_GROUP * group,EC_POINT * point,const BIGNUM * x,const BIGNUM * y,BN_CTX * ctx)156 static int EC_POINT_set_affine_coordinates(const EC_GROUP *group,
157 EC_POINT *point, const BIGNUM *x,
158 const BIGNUM *y, BN_CTX *ctx)
159 {
160 return EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx);
161 }
162
163 #endif /* OpenSSL version < 1.1.1 */
164
165
166 #if OPENSSL_VERSION_NUMBER < 0x10101000L || \
167 defined(OPENSSL_IS_BORINGSSL) || \
168 (defined(LIBRESSL_VERSION_NUMBER) && \
169 LIBRESSL_VERSION_NUMBER < 0x30400000L)
170
EC_POINT_set_compressed_coordinates(const EC_GROUP * group,EC_POINT * point,const BIGNUM * x,int y_bit,BN_CTX * ctx)171 static int EC_POINT_set_compressed_coordinates(const EC_GROUP *group,
172 EC_POINT *point, const BIGNUM *x,
173 int y_bit, BN_CTX *ctx)
174 {
175 return EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit,
176 ctx);
177 }
178
179
EC_GROUP_get_curve(const EC_GROUP * group,BIGNUM * p,BIGNUM * a,BIGNUM * b,BN_CTX * ctx)180 static int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
181 BIGNUM *b, BN_CTX *ctx)
182 {
183 return EC_GROUP_get_curve_GFp(group, p, a, b, ctx);
184 }
185
186 #endif /* OpenSSL version < 1.1.1 */
187
188
189 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
190 static OSSL_PROVIDER *openssl_legacy_provider = NULL;
191 #endif /* OpenSSL version >= 3.0 */
192
openssl_load_legacy_provider(void)193 void openssl_load_legacy_provider(void)
194 {
195 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
196 if (openssl_legacy_provider)
197 return;
198
199 openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1);
200 #endif /* OpenSSL version >= 3.0 */
201 }
202
203
openssl_unload_legacy_provider(void)204 static void openssl_unload_legacy_provider(void)
205 {
206 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
207 if (openssl_legacy_provider) {
208 OSSL_PROVIDER_unload(openssl_legacy_provider);
209 openssl_legacy_provider = NULL;
210 }
211 #endif /* OpenSSL version >= 3.0 */
212 }
213
214
215 #if OPENSSL_VERSION_NUMBER < 0x30000000L
216
get_group5_prime(void)217 static BIGNUM * get_group5_prime(void)
218 {
219 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
220 return BN_get_rfc3526_prime_1536(NULL);
221 #elif !defined(OPENSSL_IS_BORINGSSL)
222 return get_rfc3526_prime_1536(NULL);
223 #else
224 static const unsigned char RFC3526_PRIME_1536[] = {
225 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
226 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
227 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
228 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
229 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
230 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
231 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
232 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
233 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
234 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
235 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
236 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
237 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
238 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
239 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
240 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
241 };
242 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
243 #endif
244 }
245
246
get_group5_order(void)247 static BIGNUM * get_group5_order(void)
248 {
249 static const unsigned char RFC3526_ORDER_1536[] = {
250 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE4,0x87,0xED,0x51,
251 0x10,0xB4,0x61,0x1A,0x62,0x63,0x31,0x45,0xC0,0x6E,0x0E,0x68,
252 0x94,0x81,0x27,0x04,0x45,0x33,0xE6,0x3A,0x01,0x05,0xDF,0x53,
253 0x1D,0x89,0xCD,0x91,0x28,0xA5,0x04,0x3C,0xC7,0x1A,0x02,0x6E,
254 0xF7,0xCA,0x8C,0xD9,0xE6,0x9D,0x21,0x8D,0x98,0x15,0x85,0x36,
255 0xF9,0x2F,0x8A,0x1B,0xA7,0xF0,0x9A,0xB6,0xB6,0xA8,0xE1,0x22,
256 0xF2,0x42,0xDA,0xBB,0x31,0x2F,0x3F,0x63,0x7A,0x26,0x21,0x74,
257 0xD3,0x1B,0xF6,0xB5,0x85,0xFF,0xAE,0x5B,0x7A,0x03,0x5B,0xF6,
258 0xF7,0x1C,0x35,0xFD,0xAD,0x44,0xCF,0xD2,0xD7,0x4F,0x92,0x08,
259 0xBE,0x25,0x8F,0xF3,0x24,0x94,0x33,0x28,0xF6,0x72,0x2D,0x9E,
260 0xE1,0x00,0x3E,0x5C,0x50,0xB1,0xDF,0x82,0xCC,0x6D,0x24,0x1B,
261 0x0E,0x2A,0xE9,0xCD,0x34,0x8B,0x1F,0xD4,0x7E,0x92,0x67,0xAF,
262 0xC1,0xB2,0xAE,0x91,0xEE,0x51,0xD6,0xCB,0x0E,0x31,0x79,0xAB,
263 0x10,0x42,0xA9,0x5D,0xCF,0x6A,0x94,0x83,0xB8,0x4B,0x4B,0x36,
264 0xB3,0x86,0x1A,0xA7,0x25,0x5E,0x4C,0x02,0x78,0xBA,0x36,0x04,
265 0x65,0x11,0xB9,0x93,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
266 };
267 return BN_bin2bn(RFC3526_ORDER_1536, sizeof(RFC3526_ORDER_1536), NULL);
268 }
269
270 #endif /* OpenSSL version < 3.0 */
271
272
273 #ifdef OPENSSL_NO_SHA256
274 #define NO_SHA256_WRAPPER
275 #endif
276 #ifdef OPENSSL_NO_SHA512
277 #define NO_SHA384_WRAPPER
278 #endif
279
openssl_digest_vector(const EVP_MD * type,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)280 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
281 const u8 *addr[], const size_t *len, u8 *mac)
282 {
283 EVP_MD_CTX *ctx;
284 size_t i;
285 unsigned int mac_len;
286
287 if (TEST_FAIL())
288 return -1;
289
290 ctx = EVP_MD_CTX_new();
291 if (!ctx)
292 return -1;
293 if (!EVP_DigestInit_ex(ctx, type, NULL)) {
294 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
295 ERR_error_string(ERR_get_error(), NULL));
296 EVP_MD_CTX_free(ctx);
297 return -1;
298 }
299 for (i = 0; i < num_elem; i++) {
300 if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
301 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
302 "failed: %s",
303 ERR_error_string(ERR_get_error(), NULL));
304 EVP_MD_CTX_free(ctx);
305 return -1;
306 }
307 }
308 if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
309 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
310 ERR_error_string(ERR_get_error(), NULL));
311 EVP_MD_CTX_free(ctx);
312 return -1;
313 }
314 EVP_MD_CTX_free(ctx);
315
316 return 0;
317 }
318
319
320 #ifndef CONFIG_FIPS
321
md4_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)322 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
323 {
324 openssl_load_legacy_provider();
325 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
326 }
327
328
des_encrypt(const u8 * clear,const u8 * key,u8 * cypher)329 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
330 {
331 u8 pkey[8], next, tmp;
332 int i, plen, ret = -1;
333 EVP_CIPHER_CTX *ctx;
334
335 openssl_load_legacy_provider();
336
337 /* Add parity bits to the key */
338 next = 0;
339 for (i = 0; i < 7; i++) {
340 tmp = key[i];
341 pkey[i] = (tmp >> i) | next | 1;
342 next = tmp << (7 - i);
343 }
344 pkey[i] = next | 1;
345
346 ctx = EVP_CIPHER_CTX_new();
347 if (ctx &&
348 EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, pkey, NULL) == 1 &&
349 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
350 EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 &&
351 EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen) == 1)
352 ret = 0;
353 else
354 wpa_printf(MSG_ERROR, "OpenSSL: DES encrypt failed");
355
356 if (ctx)
357 EVP_CIPHER_CTX_free(ctx);
358 return ret;
359 }
360
361
362 #ifndef CONFIG_NO_RC4
rc4_skip(const u8 * key,size_t keylen,size_t skip,u8 * data,size_t data_len)363 int rc4_skip(const u8 *key, size_t keylen, size_t skip,
364 u8 *data, size_t data_len)
365 {
366 #ifdef OPENSSL_NO_RC4
367 return -1;
368 #else /* OPENSSL_NO_RC4 */
369 EVP_CIPHER_CTX *ctx;
370 int outl;
371 int res = -1;
372 unsigned char skip_buf[16];
373
374 openssl_load_legacy_provider();
375
376 ctx = EVP_CIPHER_CTX_new();
377 if (!ctx ||
378 !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
379 !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
380 !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
381 !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
382 goto out;
383
384 while (skip >= sizeof(skip_buf)) {
385 size_t len = skip;
386 if (len > sizeof(skip_buf))
387 len = sizeof(skip_buf);
388 if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
389 goto out;
390 skip -= len;
391 }
392
393 if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
394 res = 0;
395
396 out:
397 if (ctx)
398 EVP_CIPHER_CTX_free(ctx);
399 return res;
400 #endif /* OPENSSL_NO_RC4 */
401 }
402 #endif /* CONFIG_NO_RC4 */
403
404
md5_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)405 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
406 {
407 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
408 }
409
410 #endif /* CONFIG_FIPS */
411
412
sha1_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)413 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
414 {
415 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
416 }
417
418
419 #ifndef NO_SHA256_WRAPPER
sha256_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)420 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
421 u8 *mac)
422 {
423 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
424 }
425 #endif /* NO_SHA256_WRAPPER */
426
427
428 #ifndef NO_SHA384_WRAPPER
sha384_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)429 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
430 u8 *mac)
431 {
432 return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);
433 }
434 #endif /* NO_SHA384_WRAPPER */
435
436
437 #ifndef NO_SHA512_WRAPPER
sha512_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)438 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
439 u8 *mac)
440 {
441 return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
442 }
443 #endif /* NO_SHA512_WRAPPER */
444
445
aes_get_evp_cipher(size_t keylen)446 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
447 {
448 switch (keylen) {
449 case 16:
450 return EVP_aes_128_ecb();
451 case 24:
452 return EVP_aes_192_ecb();
453 case 32:
454 return EVP_aes_256_ecb();
455 default:
456 return NULL;
457 }
458 }
459
460
aes_encrypt_init(const u8 * key,size_t len)461 void * aes_encrypt_init(const u8 *key, size_t len)
462 {
463 EVP_CIPHER_CTX *ctx;
464 const EVP_CIPHER *type;
465
466 if (TEST_FAIL())
467 return NULL;
468
469 type = aes_get_evp_cipher(len);
470 if (!type) {
471 wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
472 __func__, (unsigned int) len);
473 return NULL;
474 }
475
476 ctx = EVP_CIPHER_CTX_new();
477 if (ctx == NULL)
478 return NULL;
479 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1 ||
480 EVP_CIPHER_CTX_set_padding(ctx, 0) != 1) {
481 EVP_CIPHER_CTX_free(ctx);
482 return NULL;
483 }
484 return ctx;
485 }
486
487
aes_encrypt(void * ctx,const u8 * plain,u8 * crypt)488 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
489 {
490 EVP_CIPHER_CTX *c = ctx;
491 int clen = 16;
492 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
493 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
494 ERR_error_string(ERR_get_error(), NULL));
495 return -1;
496 }
497 return 0;
498 }
499
500
aes_encrypt_deinit(void * ctx)501 void aes_encrypt_deinit(void *ctx)
502 {
503 EVP_CIPHER_CTX *c = ctx;
504 u8 buf[16];
505 int len = sizeof(buf);
506 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
507 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
508 "%s", ERR_error_string(ERR_get_error(), NULL));
509 }
510 if (len != 0) {
511 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
512 "in AES encrypt", len);
513 }
514 EVP_CIPHER_CTX_free(c);
515 }
516
517
aes_decrypt_init(const u8 * key,size_t len)518 void * aes_decrypt_init(const u8 *key, size_t len)
519 {
520 EVP_CIPHER_CTX *ctx;
521 const EVP_CIPHER *type;
522
523 if (TEST_FAIL())
524 return NULL;
525
526 type = aes_get_evp_cipher(len);
527 if (!type) {
528 wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
529 __func__, (unsigned int) len);
530 return NULL;
531 }
532
533 ctx = EVP_CIPHER_CTX_new();
534 if (ctx == NULL)
535 return NULL;
536 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1 ||
537 EVP_CIPHER_CTX_set_padding(ctx, 0) != 1) {
538 EVP_CIPHER_CTX_free(ctx);
539 return NULL;
540 }
541 return ctx;
542 }
543
544
aes_decrypt(void * ctx,const u8 * crypt,u8 * plain)545 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
546 {
547 EVP_CIPHER_CTX *c = ctx;
548 int plen = 16;
549 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
550 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
551 ERR_error_string(ERR_get_error(), NULL));
552 return -1;
553 }
554 return 0;
555 }
556
557
aes_decrypt_deinit(void * ctx)558 void aes_decrypt_deinit(void *ctx)
559 {
560 EVP_CIPHER_CTX *c = ctx;
561 u8 buf[16];
562 int len = sizeof(buf);
563 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
564 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
565 "%s", ERR_error_string(ERR_get_error(), NULL));
566 }
567 if (len != 0) {
568 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
569 "in AES decrypt", len);
570 }
571 EVP_CIPHER_CTX_free(c);
572 }
573
574
575 #ifndef CONFIG_FIPS
576 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
577
578 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
aes_get_evp_wrap_cipher(size_t keylen)579 static const EVP_CIPHER * aes_get_evp_wrap_cipher(size_t keylen)
580 {
581 switch (keylen) {
582 case 16:
583 return EVP_aes_128_wrap();
584 case 24:
585 return EVP_aes_192_wrap();
586 case 32:
587 return EVP_aes_256_wrap();
588 default:
589 return NULL;
590 }
591 }
592 #endif /* OpenSSL version >= 3.0 */
593
594
aes_wrap(const u8 * kek,size_t kek_len,int n,const u8 * plain,u8 * cipher)595 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
596 {
597 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
598 EVP_CIPHER_CTX *ctx;
599 const EVP_CIPHER *type;
600 int ret = -1, len;
601 u8 buf[16];
602
603 if (TEST_FAIL())
604 return -1;
605
606 type = aes_get_evp_wrap_cipher(kek_len);
607 if (!type)
608 return -1;
609
610 ctx = EVP_CIPHER_CTX_new();
611 if (!ctx)
612 return -1;
613
614 if (EVP_EncryptInit_ex(ctx, type, NULL, kek, NULL) == 1 &&
615 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
616 EVP_EncryptUpdate(ctx, cipher, &len, plain, n * 8) == 1 &&
617 len == (n + 1) * 8 &&
618 EVP_EncryptFinal_ex(ctx, buf, &len) == 1)
619 ret = 0;
620
621 EVP_CIPHER_CTX_free(ctx);
622 return ret;
623 #else /* OpenSSL version >= 3.0 */
624 AES_KEY actx;
625 int res;
626
627 if (TEST_FAIL())
628 return -1;
629 if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
630 return -1;
631 res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
632 OPENSSL_cleanse(&actx, sizeof(actx));
633 return res <= 0 ? -1 : 0;
634 #endif /* OpenSSL version >= 3.0 */
635 }
636
637
aes_unwrap(const u8 * kek,size_t kek_len,int n,const u8 * cipher,u8 * plain)638 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
639 u8 *plain)
640 {
641 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
642 EVP_CIPHER_CTX *ctx;
643 const EVP_CIPHER *type;
644 int ret = -1, len;
645 u8 buf[16];
646
647 if (TEST_FAIL())
648 return -1;
649
650 type = aes_get_evp_wrap_cipher(kek_len);
651 if (!type)
652 return -1;
653
654 ctx = EVP_CIPHER_CTX_new();
655 if (!ctx)
656 return -1;
657
658 if (EVP_DecryptInit_ex(ctx, type, NULL, kek, NULL) == 1 &&
659 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
660 EVP_DecryptUpdate(ctx, plain, &len, cipher, (n + 1) * 8) == 1 &&
661 len == n * 8 &&
662 EVP_DecryptFinal_ex(ctx, buf, &len) == 1)
663 ret = 0;
664
665 EVP_CIPHER_CTX_free(ctx);
666 return ret;
667 #else /* OpenSSL version >= 3.0 */
668 AES_KEY actx;
669 int res;
670
671 if (TEST_FAIL())
672 return -1;
673 if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
674 return -1;
675 res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
676 OPENSSL_cleanse(&actx, sizeof(actx));
677 return res <= 0 ? -1 : 0;
678 #endif /* OpenSSL version >= 3.0 */
679 }
680
681 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
682 #endif /* CONFIG_FIPS */
683
684
aes_128_cbc_encrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)685 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
686 {
687 EVP_CIPHER_CTX *ctx;
688 int clen, len;
689 u8 buf[16];
690 int res = -1;
691
692 if (TEST_FAIL())
693 return -1;
694
695 ctx = EVP_CIPHER_CTX_new();
696 if (!ctx)
697 return -1;
698 clen = data_len;
699 len = sizeof(buf);
700 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
701 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
702 EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
703 clen == (int) data_len &&
704 EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
705 res = 0;
706 EVP_CIPHER_CTX_free(ctx);
707
708 return res;
709 }
710
711
aes_128_cbc_decrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)712 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
713 {
714 EVP_CIPHER_CTX *ctx;
715 int plen, len;
716 u8 buf[16];
717 int res = -1;
718
719 if (TEST_FAIL())
720 return -1;
721
722 ctx = EVP_CIPHER_CTX_new();
723 if (!ctx)
724 return -1;
725 plen = data_len;
726 len = sizeof(buf);
727 if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
728 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
729 EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
730 plen == (int) data_len &&
731 EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
732 res = 0;
733 EVP_CIPHER_CTX_free(ctx);
734
735 return res;
736
737 }
738
739
crypto_dh_init(u8 generator,const u8 * prime,size_t prime_len,u8 * privkey,u8 * pubkey)740 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
741 u8 *pubkey)
742 {
743 size_t pubkey_len, pad;
744
745 if (os_get_random(privkey, prime_len) < 0)
746 return -1;
747 if (os_memcmp(privkey, prime, prime_len) > 0) {
748 /* Make sure private value is smaller than prime */
749 privkey[0] = 0;
750 }
751
752 pubkey_len = prime_len;
753 if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
754 pubkey, &pubkey_len) < 0)
755 return -1;
756 if (pubkey_len < prime_len) {
757 pad = prime_len - pubkey_len;
758 os_memmove(pubkey + pad, pubkey, pubkey_len);
759 os_memset(pubkey, 0, pad);
760 }
761
762 return 0;
763 }
764
765
crypto_dh_derive_secret(u8 generator,const u8 * prime,size_t prime_len,const u8 * order,size_t order_len,const u8 * privkey,size_t privkey_len,const u8 * pubkey,size_t pubkey_len,u8 * secret,size_t * len)766 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
767 const u8 *order, size_t order_len,
768 const u8 *privkey, size_t privkey_len,
769 const u8 *pubkey, size_t pubkey_len,
770 u8 *secret, size_t *len)
771 {
772 BIGNUM *pub, *p;
773 int res = -1;
774
775 pub = BN_bin2bn(pubkey, pubkey_len, NULL);
776 p = BN_bin2bn(prime, prime_len, NULL);
777 if (!pub || !p || BN_is_zero(pub) || BN_is_one(pub) ||
778 BN_cmp(pub, p) >= 0)
779 goto fail;
780
781 if (order) {
782 BN_CTX *ctx;
783 BIGNUM *q, *tmp;
784 int failed;
785
786 /* verify: pubkey^q == 1 mod p */
787 q = BN_bin2bn(order, order_len, NULL);
788 ctx = BN_CTX_new();
789 tmp = BN_new();
790 failed = !q || !ctx || !tmp ||
791 !BN_mod_exp(tmp, pub, q, p, ctx) ||
792 !BN_is_one(tmp);
793 BN_clear_free(q);
794 BN_clear_free(tmp);
795 BN_CTX_free(ctx);
796 if (failed)
797 goto fail;
798 }
799
800 res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,
801 prime, prime_len, secret, len);
802 fail:
803 BN_clear_free(pub);
804 BN_clear_free(p);
805 return res;
806 }
807
808
crypto_mod_exp(const u8 * base,size_t base_len,const u8 * power,size_t power_len,const u8 * modulus,size_t modulus_len,u8 * result,size_t * result_len)809 int crypto_mod_exp(const u8 *base, size_t base_len,
810 const u8 *power, size_t power_len,
811 const u8 *modulus, size_t modulus_len,
812 u8 *result, size_t *result_len)
813 {
814 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
815 int ret = -1;
816 BN_CTX *ctx;
817
818 ctx = BN_CTX_new();
819 if (ctx == NULL)
820 return -1;
821
822 bn_base = BN_bin2bn(base, base_len, NULL);
823 bn_exp = BN_bin2bn(power, power_len, NULL);
824 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
825 bn_result = BN_new();
826
827 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
828 bn_result == NULL)
829 goto error;
830
831 if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
832 ctx, NULL) != 1)
833 goto error;
834
835 *result_len = BN_bn2bin(bn_result, result);
836 ret = 0;
837
838 error:
839 BN_clear_free(bn_base);
840 BN_clear_free(bn_exp);
841 BN_clear_free(bn_modulus);
842 BN_clear_free(bn_result);
843 BN_CTX_free(ctx);
844 return ret;
845 }
846
847
848 struct crypto_cipher {
849 EVP_CIPHER_CTX *enc;
850 EVP_CIPHER_CTX *dec;
851 };
852
853
crypto_cipher_init(enum crypto_cipher_alg alg,const u8 * iv,const u8 * key,size_t key_len)854 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
855 const u8 *iv, const u8 *key,
856 size_t key_len)
857 {
858 struct crypto_cipher *ctx;
859 const EVP_CIPHER *cipher;
860
861 ctx = os_zalloc(sizeof(*ctx));
862 if (ctx == NULL)
863 return NULL;
864
865 switch (alg) {
866 #ifndef CONFIG_NO_RC4
867 #ifndef OPENSSL_NO_RC4
868 case CRYPTO_CIPHER_ALG_RC4:
869 cipher = EVP_rc4();
870 break;
871 #endif /* OPENSSL_NO_RC4 */
872 #endif /* CONFIG_NO_RC4 */
873 #ifndef OPENSSL_NO_AES
874 case CRYPTO_CIPHER_ALG_AES:
875 switch (key_len) {
876 case 16:
877 cipher = EVP_aes_128_cbc();
878 break;
879 #ifndef OPENSSL_IS_BORINGSSL
880 case 24:
881 cipher = EVP_aes_192_cbc();
882 break;
883 #endif /* OPENSSL_IS_BORINGSSL */
884 case 32:
885 cipher = EVP_aes_256_cbc();
886 break;
887 default:
888 os_free(ctx);
889 return NULL;
890 }
891 break;
892 #endif /* OPENSSL_NO_AES */
893 #ifndef OPENSSL_NO_DES
894 case CRYPTO_CIPHER_ALG_3DES:
895 cipher = EVP_des_ede3_cbc();
896 break;
897 case CRYPTO_CIPHER_ALG_DES:
898 cipher = EVP_des_cbc();
899 break;
900 #endif /* OPENSSL_NO_DES */
901 #ifndef OPENSSL_NO_RC2
902 case CRYPTO_CIPHER_ALG_RC2:
903 cipher = EVP_rc2_ecb();
904 break;
905 #endif /* OPENSSL_NO_RC2 */
906 default:
907 os_free(ctx);
908 return NULL;
909 }
910
911 if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
912 !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
913 !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
914 !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
915 !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
916 if (ctx->enc)
917 EVP_CIPHER_CTX_free(ctx->enc);
918 os_free(ctx);
919 return NULL;
920 }
921
922 if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
923 !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
924 !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
925 !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
926 !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
927 EVP_CIPHER_CTX_free(ctx->enc);
928 if (ctx->dec)
929 EVP_CIPHER_CTX_free(ctx->dec);
930 os_free(ctx);
931 return NULL;
932 }
933
934 return ctx;
935 }
936
937
crypto_cipher_encrypt(struct crypto_cipher * ctx,const u8 * plain,u8 * crypt,size_t len)938 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
939 u8 *crypt, size_t len)
940 {
941 int outl;
942 if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
943 return -1;
944 return 0;
945 }
946
947
crypto_cipher_decrypt(struct crypto_cipher * ctx,const u8 * crypt,u8 * plain,size_t len)948 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
949 u8 *plain, size_t len)
950 {
951 int outl;
952 outl = len;
953 if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
954 return -1;
955 return 0;
956 }
957
958
crypto_cipher_deinit(struct crypto_cipher * ctx)959 void crypto_cipher_deinit(struct crypto_cipher *ctx)
960 {
961 EVP_CIPHER_CTX_free(ctx->enc);
962 EVP_CIPHER_CTX_free(ctx->dec);
963 os_free(ctx);
964 }
965
966
dh5_init(struct wpabuf ** priv,struct wpabuf ** publ)967 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
968 {
969 #if OPENSSL_VERSION_NUMBER < 0x10100000L
970 DH *dh;
971 struct wpabuf *pubkey = NULL, *privkey = NULL;
972 size_t publen, privlen;
973
974 *priv = NULL;
975 wpabuf_free(*publ);
976 *publ = NULL;
977
978 dh = DH_new();
979 if (dh == NULL)
980 return NULL;
981
982 dh->g = BN_new();
983 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
984 goto err;
985
986 dh->p = get_group5_prime();
987 if (dh->p == NULL)
988 goto err;
989
990 dh->q = get_group5_order();
991 if (!dh->q)
992 goto err;
993
994 if (DH_generate_key(dh) != 1)
995 goto err;
996
997 publen = BN_num_bytes(dh->pub_key);
998 pubkey = wpabuf_alloc(publen);
999 if (pubkey == NULL)
1000 goto err;
1001 privlen = BN_num_bytes(dh->priv_key);
1002 privkey = wpabuf_alloc(privlen);
1003 if (privkey == NULL)
1004 goto err;
1005
1006 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
1007 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
1008
1009 *priv = privkey;
1010 *publ = pubkey;
1011 return dh;
1012
1013 err:
1014 wpabuf_clear_free(pubkey);
1015 wpabuf_clear_free(privkey);
1016 DH_free(dh);
1017 return NULL;
1018 #elif OPENSSL_VERSION_NUMBER >= 0x30000000L
1019 EVP_PKEY *pkey = NULL;
1020 OSSL_PARAM params[2];
1021 size_t pub_len = OSSL_PARAM_UNMODIFIED;
1022 size_t priv_len;
1023 struct wpabuf *pubkey = NULL, *privkey = NULL;
1024 BIGNUM *priv_bn = NULL;
1025 EVP_PKEY_CTX *gctx;
1026
1027 *priv = NULL;
1028 wpabuf_free(*publ);
1029 *publ = NULL;
1030
1031 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
1032 "modp_1536", 0);
1033 params[1] = OSSL_PARAM_construct_end();
1034
1035 gctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
1036 if (!gctx ||
1037 EVP_PKEY_keygen_init(gctx) != 1 ||
1038 EVP_PKEY_CTX_set_params(gctx, params) != 1 ||
1039 EVP_PKEY_generate(gctx, &pkey) != 1 ||
1040 EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY,
1041 &priv_bn) != 1 ||
1042 EVP_PKEY_get_octet_string_param(pkey,
1043 OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
1044 NULL, 0, &pub_len) < 0 ||
1045 pub_len == OSSL_PARAM_UNMODIFIED ||
1046 (priv_len = BN_num_bytes(priv_bn)) == 0 ||
1047 !(pubkey = wpabuf_alloc(pub_len)) ||
1048 !(privkey = wpabuf_alloc(priv_len)) ||
1049 EVP_PKEY_get_octet_string_param(pkey,
1050 OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
1051 wpabuf_put(pubkey, pub_len),
1052 pub_len, NULL) != 1) {
1053 wpa_printf(MSG_INFO, "OpenSSL: failed: %s",
1054 ERR_error_string(ERR_get_error(), NULL));
1055 wpabuf_free(pubkey);
1056 wpabuf_clear_free(privkey);
1057 EVP_PKEY_free(pkey);
1058 pkey = NULL;
1059 } else {
1060 BN_bn2bin(priv_bn, wpabuf_put(privkey, priv_len));
1061
1062 *priv = privkey;
1063 *publ = pubkey;
1064 }
1065
1066 BN_clear_free(priv_bn);
1067 EVP_PKEY_CTX_free(gctx);
1068 return pkey;
1069 #else
1070 DH *dh;
1071 struct wpabuf *pubkey = NULL, *privkey = NULL;
1072 size_t publen, privlen;
1073 BIGNUM *p, *g, *q;
1074 const BIGNUM *priv_key = NULL, *pub_key = NULL;
1075
1076 *priv = NULL;
1077 wpabuf_free(*publ);
1078 *publ = NULL;
1079
1080 dh = DH_new();
1081 if (dh == NULL)
1082 return NULL;
1083
1084 g = BN_new();
1085 p = get_group5_prime();
1086 q = get_group5_order();
1087 if (!g || BN_set_word(g, 2) != 1 || !p || !q ||
1088 DH_set0_pqg(dh, p, q, g) != 1)
1089 goto err;
1090 p = NULL;
1091 q = NULL;
1092 g = NULL;
1093
1094 if (DH_generate_key(dh) != 1)
1095 goto err;
1096
1097 DH_get0_key(dh, &pub_key, &priv_key);
1098 publen = BN_num_bytes(pub_key);
1099 pubkey = wpabuf_alloc(publen);
1100 if (!pubkey)
1101 goto err;
1102 privlen = BN_num_bytes(priv_key);
1103 privkey = wpabuf_alloc(privlen);
1104 if (!privkey)
1105 goto err;
1106
1107 BN_bn2bin(pub_key, wpabuf_put(pubkey, publen));
1108 BN_bn2bin(priv_key, wpabuf_put(privkey, privlen));
1109
1110 *priv = privkey;
1111 *publ = pubkey;
1112 return dh;
1113
1114 err:
1115 BN_free(p);
1116 BN_free(q);
1117 BN_free(g);
1118 wpabuf_clear_free(pubkey);
1119 wpabuf_clear_free(privkey);
1120 DH_free(dh);
1121 return NULL;
1122 #endif
1123 }
1124
1125
dh5_init_fixed(const struct wpabuf * priv,const struct wpabuf * publ)1126 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
1127 {
1128 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1129 DH *dh;
1130
1131 dh = DH_new();
1132 if (dh == NULL)
1133 return NULL;
1134
1135 dh->g = BN_new();
1136 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
1137 goto err;
1138
1139 dh->p = get_group5_prime();
1140 if (dh->p == NULL)
1141 goto err;
1142
1143 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
1144 if (dh->priv_key == NULL)
1145 goto err;
1146
1147 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
1148 if (dh->pub_key == NULL)
1149 goto err;
1150
1151 if (DH_generate_key(dh) != 1)
1152 goto err;
1153
1154 return dh;
1155
1156 err:
1157 DH_free(dh);
1158 return NULL;
1159 #elif OPENSSL_VERSION_NUMBER >= 0x30000000L
1160 EVP_PKEY *pkey = NULL;
1161 OSSL_PARAM_BLD *bld;
1162 OSSL_PARAM *params = NULL;
1163 BIGNUM *priv_key, *pub_key;
1164 EVP_PKEY_CTX *fctx;
1165
1166 fctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
1167 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
1168 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
1169 bld = OSSL_PARAM_BLD_new();
1170 if (!fctx || !priv_key || !pub_key || !bld ||
1171 OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME,
1172 "modp_1536", 0) != 1 ||
1173 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
1174 priv_key) != 1 ||
1175 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
1176 pub_key) != 1 ||
1177 !(params = OSSL_PARAM_BLD_to_param(bld)) ||
1178 EVP_PKEY_fromdata_init(fctx) != 1 ||
1179 EVP_PKEY_fromdata(fctx, &pkey, EVP_PKEY_KEYPAIR, params) != 1) {
1180 wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_fromdata failed: %s",
1181 ERR_error_string(ERR_get_error(), NULL));
1182 EVP_PKEY_free(pkey);
1183 pkey = NULL;
1184 }
1185
1186 BN_clear_free(priv_key);
1187 BN_free(pub_key);
1188 EVP_PKEY_CTX_free(fctx);
1189 OSSL_PARAM_BLD_free(bld);
1190 OSSL_PARAM_free(params);
1191 return pkey;
1192 #else
1193 DH *dh;
1194 BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL;
1195
1196 dh = DH_new();
1197 if (dh == NULL)
1198 return NULL;
1199
1200 g = BN_new();
1201 p = get_group5_prime();
1202 if (!g || BN_set_word(g, 2) != 1 || !p ||
1203 DH_set0_pqg(dh, p, NULL, g) != 1)
1204 goto err;
1205 p = NULL;
1206 g = NULL;
1207
1208 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
1209 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
1210 if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1)
1211 goto err;
1212 pub_key = NULL;
1213 priv_key = NULL;
1214
1215 if (DH_generate_key(dh) != 1)
1216 goto err;
1217
1218 return dh;
1219
1220 err:
1221 BN_free(p);
1222 BN_free(g);
1223 BN_free(pub_key);
1224 BN_clear_free(priv_key);
1225 DH_free(dh);
1226 return NULL;
1227 #endif
1228 }
1229
1230
dh5_derive_shared(void * ctx,const struct wpabuf * peer_public,const struct wpabuf * own_private)1231 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
1232 const struct wpabuf *own_private)
1233 {
1234 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1235 EVP_PKEY *pkey = ctx;
1236 EVP_PKEY *peer_pub;
1237 size_t len;
1238 struct wpabuf *res = NULL;
1239 EVP_PKEY_CTX *dctx = NULL;
1240
1241 peer_pub = EVP_PKEY_new();
1242 if (!pkey || !peer_pub ||
1243 EVP_PKEY_copy_parameters(peer_pub, pkey) != 1 ||
1244 EVP_PKEY_set1_encoded_public_key(peer_pub, wpabuf_head(peer_public),
1245 wpabuf_len(peer_public)) != 1 ||
1246 !(dctx = EVP_PKEY_CTX_new(pkey, NULL)) ||
1247 EVP_PKEY_derive_init(dctx) != 1 ||
1248 EVP_PKEY_derive_set_peer(dctx, peer_pub) != 1 ||
1249 EVP_PKEY_derive(dctx, NULL, &len) != 1 ||
1250 !(res = wpabuf_alloc(len)) ||
1251 EVP_PKEY_derive(dctx, wpabuf_mhead(res), &len) != 1) {
1252 wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_derive failed: %s",
1253 ERR_error_string(ERR_get_error(), NULL));
1254 wpabuf_free(res);
1255 res = NULL;
1256 } else {
1257 wpabuf_put(res, len);
1258 }
1259
1260 EVP_PKEY_free(peer_pub);
1261 EVP_PKEY_CTX_free(dctx);
1262 return res;
1263 #else /* OpenSSL version >= 3.0 */
1264 BIGNUM *pub_key;
1265 struct wpabuf *res = NULL;
1266 size_t rlen;
1267 DH *dh = ctx;
1268 int keylen;
1269
1270 if (ctx == NULL)
1271 return NULL;
1272
1273 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
1274 NULL);
1275 if (pub_key == NULL)
1276 return NULL;
1277
1278 rlen = DH_size(dh);
1279 res = wpabuf_alloc(rlen);
1280 if (res == NULL)
1281 goto err;
1282
1283 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
1284 if (keylen < 0)
1285 goto err;
1286 wpabuf_put(res, keylen);
1287 BN_clear_free(pub_key);
1288
1289 return res;
1290
1291 err:
1292 BN_clear_free(pub_key);
1293 wpabuf_clear_free(res);
1294 return NULL;
1295 #endif /* OpenSSL version >= 3.0 */
1296 }
1297
1298
dh5_free(void * ctx)1299 void dh5_free(void *ctx)
1300 {
1301 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1302 EVP_PKEY *pkey = ctx;
1303
1304 EVP_PKEY_free(pkey);
1305 #else /* OpenSSL version >= 3.0 */
1306 DH *dh;
1307 if (ctx == NULL)
1308 return;
1309 dh = ctx;
1310 DH_free(dh);
1311 #endif /* OpenSSL version >= 3.0 */
1312 }
1313
1314
1315 struct crypto_hash {
1316 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1317 EVP_MAC_CTX *ctx;
1318 #else /* OpenSSL version >= 3.0 */
1319 HMAC_CTX *ctx;
1320 #endif /* OpenSSL version >= 3.0 */
1321 bool failed;
1322 };
1323
1324
crypto_hash_init(enum crypto_hash_alg alg,const u8 * key,size_t key_len)1325 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
1326 size_t key_len)
1327 {
1328 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1329 struct crypto_hash *ctx;
1330 EVP_MAC *mac;
1331 OSSL_PARAM params[2];
1332 char *a = NULL;
1333
1334 switch (alg) {
1335 #ifndef OPENSSL_NO_MD5
1336 case CRYPTO_HASH_ALG_HMAC_MD5:
1337 a = "MD5";
1338 break;
1339 #endif /* OPENSSL_NO_MD5 */
1340 #ifndef OPENSSL_NO_SHA
1341 case CRYPTO_HASH_ALG_HMAC_SHA1:
1342 a = "SHA1";
1343 break;
1344 #endif /* OPENSSL_NO_SHA */
1345 #ifndef OPENSSL_NO_SHA256
1346 #ifdef CONFIG_SHA256
1347 case CRYPTO_HASH_ALG_HMAC_SHA256:
1348 a = "SHA256";
1349 break;
1350 #endif /* CONFIG_SHA256 */
1351 #endif /* OPENSSL_NO_SHA256 */
1352 default:
1353 return NULL;
1354 }
1355
1356 mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
1357 if (!mac)
1358 return NULL;
1359
1360 params[0] = OSSL_PARAM_construct_utf8_string("digest", a, 0);
1361 params[1] = OSSL_PARAM_construct_end();
1362
1363 ctx = os_zalloc(sizeof(*ctx));
1364 if (!ctx)
1365 goto fail;
1366 ctx->ctx = EVP_MAC_CTX_new(mac);
1367 if (!ctx->ctx) {
1368 os_free(ctx);
1369 ctx = NULL;
1370 goto fail;
1371 }
1372
1373 if (EVP_MAC_init(ctx->ctx, key, key_len, params) != 1) {
1374 EVP_MAC_CTX_free(ctx->ctx);
1375 bin_clear_free(ctx, sizeof(*ctx));
1376 ctx = NULL;
1377 goto fail;
1378 }
1379
1380 fail:
1381 EVP_MAC_free(mac);
1382 return ctx;
1383 #else /* OpenSSL version >= 3.0 */
1384 struct crypto_hash *ctx;
1385 const EVP_MD *md;
1386
1387 switch (alg) {
1388 #ifndef OPENSSL_NO_MD5
1389 case CRYPTO_HASH_ALG_HMAC_MD5:
1390 md = EVP_md5();
1391 break;
1392 #endif /* OPENSSL_NO_MD5 */
1393 #ifndef OPENSSL_NO_SHA
1394 case CRYPTO_HASH_ALG_HMAC_SHA1:
1395 md = EVP_sha1();
1396 break;
1397 #endif /* OPENSSL_NO_SHA */
1398 #ifndef OPENSSL_NO_SHA256
1399 #ifdef CONFIG_SHA256
1400 case CRYPTO_HASH_ALG_HMAC_SHA256:
1401 md = EVP_sha256();
1402 break;
1403 #endif /* CONFIG_SHA256 */
1404 #endif /* OPENSSL_NO_SHA256 */
1405 default:
1406 return NULL;
1407 }
1408
1409 ctx = os_zalloc(sizeof(*ctx));
1410 if (ctx == NULL)
1411 return NULL;
1412 ctx->ctx = HMAC_CTX_new();
1413 if (!ctx->ctx) {
1414 os_free(ctx);
1415 return NULL;
1416 }
1417
1418 if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
1419 HMAC_CTX_free(ctx->ctx);
1420 bin_clear_free(ctx, sizeof(*ctx));
1421 return NULL;
1422 }
1423
1424 return ctx;
1425 #endif /* OpenSSL version >= 3.0 */
1426 }
1427
1428
crypto_hash_update(struct crypto_hash * ctx,const u8 * data,size_t len)1429 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
1430 {
1431 if (ctx == NULL)
1432 return;
1433 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1434 if (!EVP_MAC_update(ctx->ctx, data, len))
1435 ctx->failed = true;
1436 #else /* OpenSSL version >= 3.0 */
1437 if (!HMAC_Update(ctx->ctx, data, len))
1438 ctx->failed = true;
1439 #endif /* OpenSSL version >= 3.0 */
1440 }
1441
1442
crypto_hash_finish(struct crypto_hash * ctx,u8 * mac,size_t * len)1443 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
1444 {
1445 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1446 size_t mdlen;
1447 int res;
1448 bool failed;
1449
1450 if (!ctx)
1451 return -2;
1452
1453 if (!mac || !len) {
1454 EVP_MAC_CTX_free(ctx->ctx);
1455 bin_clear_free(ctx, sizeof(*ctx));
1456 return 0;
1457 }
1458
1459 res = EVP_MAC_final(ctx->ctx, NULL, &mdlen, 0);
1460 if (res != 1) {
1461 EVP_MAC_CTX_free(ctx->ctx);
1462 bin_clear_free(ctx, sizeof(*ctx));
1463 return -1;
1464 }
1465 res = EVP_MAC_final(ctx->ctx, mac, &mdlen, mdlen);
1466 EVP_MAC_CTX_free(ctx->ctx);
1467 failed = ctx->failed;
1468 bin_clear_free(ctx, sizeof(*ctx));
1469
1470 if (TEST_FAIL())
1471 return -1;
1472
1473 if (failed)
1474 return -2;
1475
1476 if (res == 1) {
1477 *len = mdlen;
1478 return 0;
1479 }
1480
1481 return -1;
1482 #else /* OpenSSL version >= 3.0 */
1483 unsigned int mdlen;
1484 int res;
1485 bool failed;
1486
1487 if (ctx == NULL)
1488 return -2;
1489
1490 if (mac == NULL || len == NULL) {
1491 HMAC_CTX_free(ctx->ctx);
1492 bin_clear_free(ctx, sizeof(*ctx));
1493 return 0;
1494 }
1495
1496 mdlen = *len;
1497 res = HMAC_Final(ctx->ctx, mac, &mdlen);
1498 HMAC_CTX_free(ctx->ctx);
1499 failed = ctx->failed;
1500 bin_clear_free(ctx, sizeof(*ctx));
1501
1502 if (TEST_FAIL())
1503 return -1;
1504
1505 if (failed)
1506 return -2;
1507
1508 if (res == 1) {
1509 *len = mdlen;
1510 return 0;
1511 }
1512
1513 return -1;
1514 #endif /* OpenSSL version >= 3.0 */
1515 }
1516
1517
1518 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1519
openssl_hmac_vector(char * digest,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac,unsigned int mdlen)1520 static int openssl_hmac_vector(char *digest, const u8 *key,
1521 size_t key_len, size_t num_elem,
1522 const u8 *addr[], const size_t *len, u8 *mac,
1523 unsigned int mdlen)
1524 {
1525 EVP_MAC *hmac;
1526 OSSL_PARAM params[2];
1527 EVP_MAC_CTX *ctx;
1528 size_t i, mlen;
1529 int res;
1530
1531 if (TEST_FAIL())
1532 return -1;
1533
1534 hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
1535 if (!hmac)
1536 return -1;
1537
1538 params[0] = OSSL_PARAM_construct_utf8_string("digest", digest, 0);
1539 params[1] = OSSL_PARAM_construct_end();
1540
1541 ctx = EVP_MAC_CTX_new(hmac);
1542 EVP_MAC_free(hmac);
1543 if (!ctx)
1544 return -1;
1545
1546 if (EVP_MAC_init(ctx, key, key_len, params) != 1)
1547 goto fail;
1548
1549 for (i = 0; i < num_elem; i++) {
1550 if (EVP_MAC_update(ctx, addr[i], len[i]) != 1)
1551 goto fail;
1552 }
1553
1554 res = EVP_MAC_final(ctx, mac, &mlen, mdlen);
1555 EVP_MAC_CTX_free(ctx);
1556
1557 return res == 1 ? 0 : -1;
1558 fail:
1559 EVP_MAC_CTX_free(ctx);
1560 return -1;
1561 }
1562
1563
1564 #ifndef CONFIG_FIPS
1565
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1566 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
1567 const u8 *addr[], const size_t *len, u8 *mac)
1568 {
1569 return openssl_hmac_vector("MD5", key ,key_len, num_elem, addr, len,
1570 mac, 16);
1571 }
1572
1573
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1574 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1575 u8 *mac)
1576 {
1577 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
1578 }
1579
1580 #endif /* CONFIG_FIPS */
1581
1582
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1583 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
1584 const u8 *addr[], const size_t *len, u8 *mac)
1585 {
1586 return openssl_hmac_vector("SHA1", key, key_len, num_elem, addr,
1587 len, mac, 20);
1588 }
1589
1590
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1591 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1592 u8 *mac)
1593 {
1594 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
1595 }
1596
1597
1598 #ifdef CONFIG_SHA256
1599
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1600 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
1601 const u8 *addr[], const size_t *len, u8 *mac)
1602 {
1603 return openssl_hmac_vector("SHA256", key, key_len, num_elem, addr,
1604 len, mac, 32);
1605 }
1606
1607
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1608 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
1609 size_t data_len, u8 *mac)
1610 {
1611 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
1612 }
1613
1614 #endif /* CONFIG_SHA256 */
1615
1616
1617 #ifdef CONFIG_SHA384
1618
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1619 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
1620 const u8 *addr[], const size_t *len, u8 *mac)
1621 {
1622 return openssl_hmac_vector("SHA384", key, key_len, num_elem, addr,
1623 len, mac, 48);
1624 }
1625
1626
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1627 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
1628 size_t data_len, u8 *mac)
1629 {
1630 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
1631 }
1632
1633 #endif /* CONFIG_SHA384 */
1634
1635
1636 #ifdef CONFIG_SHA512
1637
hmac_sha512_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1638 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
1639 const u8 *addr[], const size_t *len, u8 *mac)
1640 {
1641 return openssl_hmac_vector("SHA512", key, key_len, num_elem, addr,
1642 len, mac, 64);
1643 }
1644
1645
hmac_sha512(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1646 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
1647 size_t data_len, u8 *mac)
1648 {
1649 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
1650 }
1651
1652 #endif /* CONFIG_SHA512 */
1653
1654 #else /* OpenSSL version >= 3.0 */
1655
openssl_hmac_vector(const EVP_MD * type,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac,unsigned int mdlen)1656 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
1657 size_t key_len, size_t num_elem,
1658 const u8 *addr[], const size_t *len, u8 *mac,
1659 unsigned int mdlen)
1660 {
1661 HMAC_CTX *ctx;
1662 size_t i;
1663 int res;
1664
1665 if (TEST_FAIL())
1666 return -1;
1667
1668 ctx = HMAC_CTX_new();
1669 if (!ctx)
1670 return -1;
1671 res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
1672 if (res != 1)
1673 goto done;
1674
1675 for (i = 0; i < num_elem; i++)
1676 HMAC_Update(ctx, addr[i], len[i]);
1677
1678 res = HMAC_Final(ctx, mac, &mdlen);
1679 done:
1680 HMAC_CTX_free(ctx);
1681
1682 return res == 1 ? 0 : -1;
1683 }
1684
1685
1686 #ifndef CONFIG_FIPS
1687
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1688 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
1689 const u8 *addr[], const size_t *len, u8 *mac)
1690 {
1691 return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
1692 mac, 16);
1693 }
1694
1695
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1696 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1697 u8 *mac)
1698 {
1699 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
1700 }
1701
1702 #endif /* CONFIG_FIPS */
1703
1704
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1705 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
1706 const u8 *addr[], const size_t *len, u8 *mac)
1707 {
1708 return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
1709 len, mac, 20);
1710 }
1711
1712
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1713 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1714 u8 *mac)
1715 {
1716 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
1717 }
1718
1719
1720 #ifdef CONFIG_SHA256
1721
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1722 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
1723 const u8 *addr[], const size_t *len, u8 *mac)
1724 {
1725 return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
1726 len, mac, 32);
1727 }
1728
1729
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1730 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
1731 size_t data_len, u8 *mac)
1732 {
1733 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
1734 }
1735
1736 #endif /* CONFIG_SHA256 */
1737
1738
1739 #ifdef CONFIG_SHA384
1740
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1741 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
1742 const u8 *addr[], const size_t *len, u8 *mac)
1743 {
1744 return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
1745 len, mac, 48);
1746 }
1747
1748
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1749 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
1750 size_t data_len, u8 *mac)
1751 {
1752 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
1753 }
1754
1755 #endif /* CONFIG_SHA384 */
1756
1757
1758 #ifdef CONFIG_SHA512
1759
hmac_sha512_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1760 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
1761 const u8 *addr[], const size_t *len, u8 *mac)
1762 {
1763 return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
1764 len, mac, 64);
1765 }
1766
1767
hmac_sha512(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1768 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
1769 size_t data_len, u8 *mac)
1770 {
1771 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
1772 }
1773
1774 #endif /* CONFIG_SHA512 */
1775
1776 #endif /* OpenSSL version >= 3.0 */
1777
1778
pbkdf2_sha1(const char * passphrase,const u8 * ssid,size_t ssid_len,int iterations,u8 * buf,size_t buflen)1779 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
1780 int iterations, u8 *buf, size_t buflen)
1781 {
1782 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
1783 ssid_len, iterations, buflen, buf) != 1)
1784 return -1;
1785 return 0;
1786 }
1787
1788
crypto_get_random(void * buf,size_t len)1789 int crypto_get_random(void *buf, size_t len)
1790 {
1791 if (RAND_bytes(buf, len) != 1)
1792 return -1;
1793 return 0;
1794 }
1795
1796 #ifdef CONFIG_OPENSSL_CMAC
omac1_aes_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1797 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
1798 const u8 *addr[], const size_t *len, u8 *mac)
1799 {
1800 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1801 EVP_MAC_CTX *ctx = NULL;
1802 EVP_MAC *emac;
1803 int ret = -1;
1804 size_t outlen, i;
1805 OSSL_PARAM params[2];
1806 char *cipher = NULL;
1807
1808 if (TEST_FAIL())
1809 return -1;
1810
1811 emac = EVP_MAC_fetch(NULL, "CMAC", NULL);
1812
1813 if (key_len == 32)
1814 cipher = "aes-256-cbc";
1815 else if (key_len == 24)
1816 cipher = "aes-192-cbc";
1817 else if (key_len == 16)
1818 cipher = "aes-128-cbc";
1819
1820 params[0] = OSSL_PARAM_construct_utf8_string("cipher", cipher, 0);
1821 params[1] = OSSL_PARAM_construct_end();
1822
1823 if (!emac || !cipher ||
1824 !(ctx = EVP_MAC_CTX_new(emac)) ||
1825 EVP_MAC_init(ctx, key, key_len, params) != 1)
1826 goto fail;
1827
1828 for (i = 0; i < num_elem; i++) {
1829 if (!EVP_MAC_update(ctx, addr[i], len[i]))
1830 goto fail;
1831 }
1832 if (EVP_MAC_final(ctx, mac, &outlen, 16) != 1 || outlen != 16)
1833 goto fail;
1834
1835 ret = 0;
1836 fail:
1837 EVP_MAC_CTX_free(ctx);
1838 EVP_MAC_free(emac);
1839 return ret;
1840 #else /* OpenSSL version >= 3.0 */
1841 CMAC_CTX *ctx;
1842 int ret = -1;
1843 size_t outlen, i;
1844
1845 if (TEST_FAIL())
1846 return -1;
1847
1848 ctx = CMAC_CTX_new();
1849 if (ctx == NULL)
1850 return -1;
1851
1852 if (key_len == 32) {
1853 if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
1854 goto fail;
1855 } else if (key_len == 24) {
1856 if (!CMAC_Init(ctx, key, 24, EVP_aes_192_cbc(), NULL))
1857 goto fail;
1858 } else if (key_len == 16) {
1859 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
1860 goto fail;
1861 } else {
1862 goto fail;
1863 }
1864 for (i = 0; i < num_elem; i++) {
1865 if (!CMAC_Update(ctx, addr[i], len[i]))
1866 goto fail;
1867 }
1868 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
1869 goto fail;
1870
1871 ret = 0;
1872 fail:
1873 CMAC_CTX_free(ctx);
1874 return ret;
1875 #endif /* OpenSSL version >= 3.0 */
1876 }
1877
1878
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1879 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
1880 const u8 *addr[], const size_t *len, u8 *mac)
1881 {
1882 return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
1883 }
1884
1885
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1886 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1887 {
1888 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
1889 }
1890
1891
omac1_aes_256(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1892 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1893 {
1894 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
1895 }
1896 #endif /* CONFIG_OPENSSL_CMAC */
1897
crypto_bignum_init(void)1898 struct crypto_bignum * crypto_bignum_init(void)
1899 {
1900 if (TEST_FAIL())
1901 return NULL;
1902 return (struct crypto_bignum *) BN_new();
1903 }
1904
1905
crypto_bignum_init_set(const u8 * buf,size_t len)1906 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
1907 {
1908 BIGNUM *bn;
1909
1910 if (TEST_FAIL())
1911 return NULL;
1912
1913 bn = BN_bin2bn(buf, len, NULL);
1914 return (struct crypto_bignum *) bn;
1915 }
1916
1917
crypto_bignum_init_uint(unsigned int val)1918 struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
1919 {
1920 BIGNUM *bn;
1921
1922 if (TEST_FAIL())
1923 return NULL;
1924
1925 bn = BN_new();
1926 if (!bn)
1927 return NULL;
1928 if (BN_set_word(bn, val) != 1) {
1929 BN_free(bn);
1930 return NULL;
1931 }
1932 return (struct crypto_bignum *) bn;
1933 }
1934
1935
crypto_bignum_deinit(struct crypto_bignum * n,int clear)1936 void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
1937 {
1938 if (clear)
1939 BN_clear_free((BIGNUM *) n);
1940 else
1941 BN_free((BIGNUM *) n);
1942 }
1943
1944
crypto_bignum_to_bin(const struct crypto_bignum * a,u8 * buf,size_t buflen,size_t padlen)1945 int crypto_bignum_to_bin(const struct crypto_bignum *a,
1946 u8 *buf, size_t buflen, size_t padlen)
1947 {
1948 int num_bytes, offset;
1949
1950 if (TEST_FAIL())
1951 return -1;
1952
1953 if (padlen > buflen)
1954 return -1;
1955
1956 if (padlen) {
1957 #ifdef OPENSSL_IS_BORINGSSL
1958 if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
1959 return -1;
1960 return padlen;
1961 #else /* OPENSSL_IS_BORINGSSL */
1962 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
1963 return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
1964 #endif
1965 #endif
1966 }
1967
1968 num_bytes = BN_num_bytes((const BIGNUM *) a);
1969 if ((size_t) num_bytes > buflen)
1970 return -1;
1971 if (padlen > (size_t) num_bytes)
1972 offset = padlen - num_bytes;
1973 else
1974 offset = 0;
1975
1976 os_memset(buf, 0, offset);
1977 BN_bn2bin((const BIGNUM *) a, buf + offset);
1978
1979 return num_bytes + offset;
1980 }
1981
1982
crypto_bignum_rand(struct crypto_bignum * r,const struct crypto_bignum * m)1983 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
1984 {
1985 if (TEST_FAIL())
1986 return -1;
1987 return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1;
1988 }
1989
1990
crypto_bignum_add(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1991 int crypto_bignum_add(const struct crypto_bignum *a,
1992 const struct crypto_bignum *b,
1993 struct crypto_bignum *c)
1994 {
1995 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1996 0 : -1;
1997 }
1998
1999
crypto_bignum_mod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)2000 int crypto_bignum_mod(const struct crypto_bignum *a,
2001 const struct crypto_bignum *b,
2002 struct crypto_bignum *c)
2003 {
2004 int res;
2005 BN_CTX *bnctx;
2006
2007 bnctx = BN_CTX_new();
2008 if (bnctx == NULL)
2009 return -1;
2010 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
2011 bnctx);
2012 BN_CTX_free(bnctx);
2013
2014 return res ? 0 : -1;
2015 }
2016
2017
crypto_bignum_exptmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)2018 int crypto_bignum_exptmod(const struct crypto_bignum *a,
2019 const struct crypto_bignum *b,
2020 const struct crypto_bignum *c,
2021 struct crypto_bignum *d)
2022 {
2023 int res;
2024 BN_CTX *bnctx;
2025
2026 if (TEST_FAIL())
2027 return -1;
2028
2029 bnctx = BN_CTX_new();
2030 if (bnctx == NULL)
2031 return -1;
2032 res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
2033 (const BIGNUM *) b, (const BIGNUM *) c,
2034 bnctx, NULL);
2035 BN_CTX_free(bnctx);
2036
2037 return res ? 0 : -1;
2038 }
2039
2040
crypto_bignum_inverse(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)2041 int crypto_bignum_inverse(const struct crypto_bignum *a,
2042 const struct crypto_bignum *b,
2043 struct crypto_bignum *c)
2044 {
2045 BIGNUM *res;
2046 BN_CTX *bnctx;
2047
2048 if (TEST_FAIL())
2049 return -1;
2050 bnctx = BN_CTX_new();
2051 if (bnctx == NULL)
2052 return -1;
2053 #ifdef OPENSSL_IS_BORINGSSL
2054 /* TODO: use BN_mod_inverse_blinded() ? */
2055 #else /* OPENSSL_IS_BORINGSSL */
2056 BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
2057 #endif /* OPENSSL_IS_BORINGSSL */
2058 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
2059 (const BIGNUM *) b, bnctx);
2060 BN_CTX_free(bnctx);
2061
2062 return res ? 0 : -1;
2063 }
2064
2065
crypto_bignum_sub(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)2066 int crypto_bignum_sub(const struct crypto_bignum *a,
2067 const struct crypto_bignum *b,
2068 struct crypto_bignum *c)
2069 {
2070 if (TEST_FAIL())
2071 return -1;
2072 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
2073 0 : -1;
2074 }
2075
2076
crypto_bignum_div(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)2077 int crypto_bignum_div(const struct crypto_bignum *a,
2078 const struct crypto_bignum *b,
2079 struct crypto_bignum *c)
2080 {
2081 int res;
2082
2083 BN_CTX *bnctx;
2084
2085 if (TEST_FAIL())
2086 return -1;
2087
2088 bnctx = BN_CTX_new();
2089 if (bnctx == NULL)
2090 return -1;
2091 #ifndef OPENSSL_IS_BORINGSSL
2092 BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
2093 #endif /* OPENSSL_IS_BORINGSSL */
2094 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
2095 (const BIGNUM *) b, bnctx);
2096 BN_CTX_free(bnctx);
2097
2098 return res ? 0 : -1;
2099 }
2100
2101
crypto_bignum_addmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)2102 int crypto_bignum_addmod(const struct crypto_bignum *a,
2103 const struct crypto_bignum *b,
2104 const struct crypto_bignum *c,
2105 struct crypto_bignum *d)
2106 {
2107 int res;
2108 BN_CTX *bnctx;
2109
2110 if (TEST_FAIL())
2111 return -1;
2112
2113 bnctx = BN_CTX_new();
2114 if (!bnctx)
2115 return -1;
2116 res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
2117 (const BIGNUM *) c, bnctx);
2118 BN_CTX_free(bnctx);
2119
2120 return res ? 0 : -1;
2121 }
2122
2123
crypto_bignum_mulmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)2124 int crypto_bignum_mulmod(const struct crypto_bignum *a,
2125 const struct crypto_bignum *b,
2126 const struct crypto_bignum *c,
2127 struct crypto_bignum *d)
2128 {
2129 int res;
2130
2131 BN_CTX *bnctx;
2132
2133 if (TEST_FAIL())
2134 return -1;
2135
2136 bnctx = BN_CTX_new();
2137 if (bnctx == NULL)
2138 return -1;
2139 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
2140 (const BIGNUM *) c, bnctx);
2141 BN_CTX_free(bnctx);
2142
2143 return res ? 0 : -1;
2144 }
2145
2146
crypto_bignum_sqrmod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)2147 int crypto_bignum_sqrmod(const struct crypto_bignum *a,
2148 const struct crypto_bignum *b,
2149 struct crypto_bignum *c)
2150 {
2151 int res;
2152 BN_CTX *bnctx;
2153
2154 if (TEST_FAIL())
2155 return -1;
2156
2157 bnctx = BN_CTX_new();
2158 if (!bnctx)
2159 return -1;
2160 res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
2161 bnctx);
2162 BN_CTX_free(bnctx);
2163
2164 return res ? 0 : -1;
2165 }
2166
2167
crypto_bignum_sqrtmod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)2168 int crypto_bignum_sqrtmod(const struct crypto_bignum *a,
2169 const struct crypto_bignum *b,
2170 struct crypto_bignum *c)
2171 {
2172 BN_CTX *bnctx;
2173 BIGNUM *res;
2174
2175 if (TEST_FAIL())
2176 return -1;
2177
2178 bnctx = BN_CTX_new();
2179 if (!bnctx)
2180 return -1;
2181 res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
2182 bnctx);
2183 BN_CTX_free(bnctx);
2184
2185 return res ? 0 : -1;
2186 }
2187
2188
crypto_bignum_rshift(const struct crypto_bignum * a,int n,struct crypto_bignum * r)2189 int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
2190 struct crypto_bignum *r)
2191 {
2192 return BN_rshift((BIGNUM *) r, (const BIGNUM *) a, n) == 1 ? 0 : -1;
2193 }
2194
2195
crypto_bignum_cmp(const struct crypto_bignum * a,const struct crypto_bignum * b)2196 int crypto_bignum_cmp(const struct crypto_bignum *a,
2197 const struct crypto_bignum *b)
2198 {
2199 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
2200 }
2201
2202
crypto_bignum_is_zero(const struct crypto_bignum * a)2203 int crypto_bignum_is_zero(const struct crypto_bignum *a)
2204 {
2205 return BN_is_zero((const BIGNUM *) a);
2206 }
2207
2208
crypto_bignum_is_one(const struct crypto_bignum * a)2209 int crypto_bignum_is_one(const struct crypto_bignum *a)
2210 {
2211 return BN_is_one((const BIGNUM *) a);
2212 }
2213
2214
crypto_bignum_is_odd(const struct crypto_bignum * a)2215 int crypto_bignum_is_odd(const struct crypto_bignum *a)
2216 {
2217 return BN_is_odd((const BIGNUM *) a);
2218 }
2219
2220
crypto_bignum_legendre(const struct crypto_bignum * a,const struct crypto_bignum * p)2221 int crypto_bignum_legendre(const struct crypto_bignum *a,
2222 const struct crypto_bignum *p)
2223 {
2224 BN_CTX *bnctx;
2225 BIGNUM *exp = NULL, *tmp = NULL;
2226 int res = -2;
2227 unsigned int mask;
2228
2229 if (TEST_FAIL())
2230 return -2;
2231
2232 bnctx = BN_CTX_new();
2233 if (bnctx == NULL)
2234 return -2;
2235
2236 exp = BN_new();
2237 tmp = BN_new();
2238 if (!exp || !tmp ||
2239 /* exp = (p-1) / 2 */
2240 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
2241 !BN_rshift1(exp, exp) ||
2242 !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
2243 (const BIGNUM *) p, bnctx, NULL))
2244 goto fail;
2245
2246 /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
2247 * constant time selection to avoid branches here. */
2248 res = -1;
2249 mask = const_time_eq(BN_is_word(tmp, 1), 1);
2250 res = const_time_select_int(mask, 1, res);
2251 mask = const_time_eq(BN_is_zero(tmp), 1);
2252 res = const_time_select_int(mask, 0, res);
2253
2254 fail:
2255 BN_clear_free(tmp);
2256 BN_clear_free(exp);
2257 BN_CTX_free(bnctx);
2258 return res;
2259 }
2260
2261
2262 #ifdef CONFIG_ECC
2263
2264 struct crypto_ec {
2265 EC_GROUP *group;
2266 int nid;
2267 int iana_group;
2268 BN_CTX *bnctx;
2269 BIGNUM *prime;
2270 BIGNUM *order;
2271 BIGNUM *a;
2272 BIGNUM *b;
2273 };
2274
2275
crypto_ec_group_2_nid(int group)2276 static int crypto_ec_group_2_nid(int group)
2277 {
2278 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */
2279 switch (group) {
2280 case 19:
2281 return NID_X9_62_prime256v1;
2282 case 20:
2283 return NID_secp384r1;
2284 case 21:
2285 return NID_secp521r1;
2286 case 25:
2287 return NID_X9_62_prime192v1;
2288 case 26:
2289 return NID_secp224r1;
2290 #ifdef NID_brainpoolP224r1
2291 case 27:
2292 return NID_brainpoolP224r1;
2293 #endif /* NID_brainpoolP224r1 */
2294 #ifdef NID_brainpoolP256r1
2295 case 28:
2296 return NID_brainpoolP256r1;
2297 #endif /* NID_brainpoolP256r1 */
2298 #ifdef NID_brainpoolP384r1
2299 case 29:
2300 return NID_brainpoolP384r1;
2301 #endif /* NID_brainpoolP384r1 */
2302 #ifdef NID_brainpoolP512r1
2303 case 30:
2304 return NID_brainpoolP512r1;
2305 #endif /* NID_brainpoolP512r1 */
2306 default:
2307 return -1;
2308 }
2309 }
2310
2311
2312 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
crypto_ec_group_2_name(int group)2313 static const char * crypto_ec_group_2_name(int group)
2314 {
2315 /* Map from IANA registry for IKE D-H groups to OpenSSL group name */
2316 switch (group) {
2317 case 19:
2318 return "prime256v1";
2319 case 20:
2320 return "secp384r1";
2321 case 21:
2322 return "secp521r1";
2323 case 25:
2324 return "prime192v1";
2325 case 26:
2326 return "secp224r1";
2327 #ifdef NID_brainpoolP224r1
2328 case 27:
2329 return "brainpoolP224r1";
2330 #endif /* NID_brainpoolP224r1 */
2331 #ifdef NID_brainpoolP256r1
2332 case 28:
2333 return "brainpoolP256r1";
2334 #endif /* NID_brainpoolP256r1 */
2335 #ifdef NID_brainpoolP384r1
2336 case 29:
2337 return "brainpoolP384r1";
2338 #endif /* NID_brainpoolP384r1 */
2339 #ifdef NID_brainpoolP512r1
2340 case 30:
2341 return "brainpoolP512r1";
2342 #endif /* NID_brainpoolP512r1 */
2343 default:
2344 return NULL;
2345 }
2346 }
2347 #endif /* OpenSSL version >= 3.0 */
2348
2349
crypto_ec_init(int group)2350 struct crypto_ec * crypto_ec_init(int group)
2351 {
2352 struct crypto_ec *e;
2353 int nid;
2354
2355 nid = crypto_ec_group_2_nid(group);
2356 if (nid < 0)
2357 return NULL;
2358
2359 e = os_zalloc(sizeof(*e));
2360 if (e == NULL)
2361 return NULL;
2362
2363 e->nid = nid;
2364 e->iana_group = group;
2365 e->bnctx = BN_CTX_new();
2366 e->group = EC_GROUP_new_by_curve_name(nid);
2367 e->prime = BN_new();
2368 e->order = BN_new();
2369 e->a = BN_new();
2370 e->b = BN_new();
2371 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
2372 e->order == NULL || e->a == NULL || e->b == NULL ||
2373 !EC_GROUP_get_curve(e->group, e->prime, e->a, e->b, e->bnctx) ||
2374 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
2375 crypto_ec_deinit(e);
2376 e = NULL;
2377 }
2378
2379 return e;
2380 }
2381
2382
crypto_ec_deinit(struct crypto_ec * e)2383 void crypto_ec_deinit(struct crypto_ec *e)
2384 {
2385 if (e == NULL)
2386 return;
2387 BN_clear_free(e->b);
2388 BN_clear_free(e->a);
2389 BN_clear_free(e->order);
2390 BN_clear_free(e->prime);
2391 EC_GROUP_free(e->group);
2392 BN_CTX_free(e->bnctx);
2393 os_free(e);
2394 }
2395
2396
crypto_ec_point_init(struct crypto_ec * e)2397 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
2398 {
2399 if (TEST_FAIL())
2400 return NULL;
2401 if (e == NULL)
2402 return NULL;
2403 return (struct crypto_ec_point *) EC_POINT_new(e->group);
2404 }
2405
2406
crypto_ec_prime_len(struct crypto_ec * e)2407 size_t crypto_ec_prime_len(struct crypto_ec *e)
2408 {
2409 return BN_num_bytes(e->prime);
2410 }
2411
2412
crypto_ec_prime_len_bits(struct crypto_ec * e)2413 size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
2414 {
2415 return BN_num_bits(e->prime);
2416 }
2417
2418
crypto_ec_order_len(struct crypto_ec * e)2419 size_t crypto_ec_order_len(struct crypto_ec *e)
2420 {
2421 return BN_num_bytes(e->order);
2422 }
2423
2424
crypto_ec_get_prime(struct crypto_ec * e)2425 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
2426 {
2427 return (const struct crypto_bignum *) e->prime;
2428 }
2429
2430
crypto_ec_get_order(struct crypto_ec * e)2431 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
2432 {
2433 return (const struct crypto_bignum *) e->order;
2434 }
2435
2436
crypto_ec_get_a(struct crypto_ec * e)2437 const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
2438 {
2439 return (const struct crypto_bignum *) e->a;
2440 }
2441
2442
crypto_ec_get_b(struct crypto_ec * e)2443 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
2444 {
2445 return (const struct crypto_bignum *) e->b;
2446 }
2447
2448
crypto_ec_get_generator(struct crypto_ec * e)2449 const struct crypto_ec_point * crypto_ec_get_generator(struct crypto_ec *e)
2450 {
2451 return (const struct crypto_ec_point *)
2452 EC_GROUP_get0_generator(e->group);
2453 }
2454
2455
crypto_ec_point_deinit(struct crypto_ec_point * p,int clear)2456 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
2457 {
2458 if (clear)
2459 EC_POINT_clear_free((EC_POINT *) p);
2460 else
2461 EC_POINT_free((EC_POINT *) p);
2462 }
2463
2464
crypto_ec_point_x(struct crypto_ec * e,const struct crypto_ec_point * p,struct crypto_bignum * x)2465 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p,
2466 struct crypto_bignum *x)
2467 {
2468 return EC_POINT_get_affine_coordinates(e->group,
2469 (const EC_POINT *) p,
2470 (BIGNUM *) x, NULL,
2471 e->bnctx) == 1 ? 0 : -1;
2472 }
2473
2474
crypto_ec_point_to_bin(struct crypto_ec * e,const struct crypto_ec_point * point,u8 * x,u8 * y)2475 int crypto_ec_point_to_bin(struct crypto_ec *e,
2476 const struct crypto_ec_point *point, u8 *x, u8 *y)
2477 {
2478 BIGNUM *x_bn, *y_bn;
2479 int ret = -1;
2480 int len = BN_num_bytes(e->prime);
2481
2482 if (TEST_FAIL())
2483 return -1;
2484
2485 x_bn = BN_new();
2486 y_bn = BN_new();
2487
2488 if (x_bn && y_bn &&
2489 EC_POINT_get_affine_coordinates(e->group, (EC_POINT *) point,
2490 x_bn, y_bn, e->bnctx)) {
2491 if (x) {
2492 ret = crypto_bignum_to_bin(
2493 (struct crypto_bignum *) x_bn, x, len, len);
2494 }
2495 if (ret >= 0 && y) {
2496 ret = crypto_bignum_to_bin(
2497 (struct crypto_bignum *) y_bn, y, len, len);
2498 }
2499
2500 if (ret > 0)
2501 ret = 0;
2502 }
2503
2504 BN_clear_free(x_bn);
2505 BN_clear_free(y_bn);
2506 return ret;
2507 }
2508
2509
crypto_ec_point_from_bin(struct crypto_ec * e,const u8 * val)2510 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
2511 const u8 *val)
2512 {
2513 BIGNUM *x, *y;
2514 EC_POINT *elem;
2515 int len = BN_num_bytes(e->prime);
2516
2517 if (TEST_FAIL())
2518 return NULL;
2519
2520 x = BN_bin2bn(val, len, NULL);
2521 y = BN_bin2bn(val + len, len, NULL);
2522 elem = EC_POINT_new(e->group);
2523 if (x == NULL || y == NULL || elem == NULL) {
2524 BN_clear_free(x);
2525 BN_clear_free(y);
2526 EC_POINT_clear_free(elem);
2527 return NULL;
2528 }
2529
2530 if (!EC_POINT_set_affine_coordinates(e->group, elem, x, y, e->bnctx)) {
2531 EC_POINT_clear_free(elem);
2532 elem = NULL;
2533 }
2534
2535 BN_clear_free(x);
2536 BN_clear_free(y);
2537
2538 return (struct crypto_ec_point *) elem;
2539 }
2540
2541
crypto_ec_point_add(struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b,struct crypto_ec_point * c)2542 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
2543 const struct crypto_ec_point *b,
2544 struct crypto_ec_point *c)
2545 {
2546 if (TEST_FAIL())
2547 return -1;
2548 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
2549 (const EC_POINT *) b, e->bnctx) ? 0 : -1;
2550 }
2551
2552
crypto_ec_point_mul(struct crypto_ec * e,const struct crypto_ec_point * p,const struct crypto_bignum * b,struct crypto_ec_point * res)2553 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
2554 const struct crypto_bignum *b,
2555 struct crypto_ec_point *res)
2556 {
2557 if (TEST_FAIL())
2558 return -1;
2559 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
2560 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
2561 ? 0 : -1;
2562 }
2563
2564
crypto_ec_point_invert(struct crypto_ec * e,struct crypto_ec_point * p)2565 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
2566 {
2567 if (TEST_FAIL())
2568 return -1;
2569 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
2570 }
2571
2572
2573 struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec * e,const struct crypto_bignum * x)2574 crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
2575 const struct crypto_bignum *x)
2576 {
2577 BIGNUM *tmp;
2578
2579 if (TEST_FAIL())
2580 return NULL;
2581
2582 tmp = BN_new();
2583
2584 /* y^2 = x^3 + ax + b = (x^2 + a)x + b */
2585 if (tmp &&
2586 BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
2587 BN_mod_add_quick(tmp, e->a, tmp, e->prime) &&
2588 BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
2589 BN_mod_add_quick(tmp, tmp, e->b, e->prime))
2590 return (struct crypto_bignum *) tmp;
2591
2592 BN_clear_free(tmp);
2593 return NULL;
2594 }
2595
2596
crypto_ec_point_is_at_infinity(struct crypto_ec * e,const struct crypto_ec_point * p)2597 int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
2598 const struct crypto_ec_point *p)
2599 {
2600 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
2601 }
2602
2603
crypto_ec_point_is_on_curve(struct crypto_ec * e,const struct crypto_ec_point * p)2604 int crypto_ec_point_is_on_curve(struct crypto_ec *e,
2605 const struct crypto_ec_point *p)
2606 {
2607 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
2608 e->bnctx) == 1;
2609 }
2610
2611
crypto_ec_point_cmp(const struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b)2612 int crypto_ec_point_cmp(const struct crypto_ec *e,
2613 const struct crypto_ec_point *a,
2614 const struct crypto_ec_point *b)
2615 {
2616 return EC_POINT_cmp(e->group, (const EC_POINT *) a,
2617 (const EC_POINT *) b, e->bnctx);
2618 }
2619
2620
crypto_ec_point_debug_print(const struct crypto_ec * e,const struct crypto_ec_point * p,const char * title)2621 void crypto_ec_point_debug_print(const struct crypto_ec *e,
2622 const struct crypto_ec_point *p,
2623 const char *title)
2624 {
2625 BIGNUM *x, *y;
2626 char *x_str = NULL, *y_str = NULL;
2627
2628 x = BN_new();
2629 y = BN_new();
2630 if (!x || !y ||
2631 EC_POINT_get_affine_coordinates(e->group, (const EC_POINT *) p,
2632 x, y, e->bnctx) != 1)
2633 goto fail;
2634
2635 x_str = BN_bn2hex(x);
2636 y_str = BN_bn2hex(y);
2637 if (!x_str || !y_str)
2638 goto fail;
2639
2640 wpa_printf(MSG_DEBUG, "%s (%s,%s)", title, x_str, y_str);
2641
2642 fail:
2643 OPENSSL_free(x_str);
2644 OPENSSL_free(y_str);
2645 BN_free(x);
2646 BN_free(y);
2647 }
2648
2649
2650 struct crypto_ecdh {
2651 struct crypto_ec *ec;
2652 EVP_PKEY *pkey;
2653 };
2654
crypto_ecdh_init(int group)2655 struct crypto_ecdh * crypto_ecdh_init(int group)
2656 {
2657 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2658 struct crypto_ecdh *ecdh;
2659 const char *name;
2660
2661 ecdh = os_zalloc(sizeof(*ecdh));
2662 if (!ecdh)
2663 goto fail;
2664
2665 ecdh->ec = crypto_ec_init(group);
2666 if (!ecdh->ec)
2667 goto fail;
2668
2669 name = OSSL_EC_curve_nid2name(ecdh->ec->nid);
2670 if (!name)
2671 goto fail;
2672
2673 ecdh->pkey = EVP_EC_gen(name);
2674 if (!ecdh->pkey)
2675 goto fail;
2676
2677 done:
2678 return ecdh;
2679 fail:
2680 crypto_ecdh_deinit(ecdh);
2681 ecdh = NULL;
2682 goto done;
2683 #else /* OpenSSL version >= 3.0 */
2684 struct crypto_ecdh *ecdh;
2685 EVP_PKEY *params = NULL;
2686 EC_KEY *ec_params = NULL;
2687 EVP_PKEY_CTX *kctx = NULL;
2688
2689 ecdh = os_zalloc(sizeof(*ecdh));
2690 if (!ecdh)
2691 goto fail;
2692
2693 ecdh->ec = crypto_ec_init(group);
2694 if (!ecdh->ec)
2695 goto fail;
2696
2697 ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2698 if (!ec_params) {
2699 wpa_printf(MSG_ERROR,
2700 "OpenSSL: Failed to generate EC_KEY parameters");
2701 goto fail;
2702 }
2703 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
2704 params = EVP_PKEY_new();
2705 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
2706 wpa_printf(MSG_ERROR,
2707 "OpenSSL: Failed to generate EVP_PKEY parameters");
2708 goto fail;
2709 }
2710
2711 kctx = EVP_PKEY_CTX_new(params, NULL);
2712 if (!kctx)
2713 goto fail;
2714
2715 if (EVP_PKEY_keygen_init(kctx) != 1) {
2716 wpa_printf(MSG_ERROR,
2717 "OpenSSL: EVP_PKEY_keygen_init failed: %s",
2718 ERR_error_string(ERR_get_error(), NULL));
2719 goto fail;
2720 }
2721
2722 if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) {
2723 wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s",
2724 ERR_error_string(ERR_get_error(), NULL));
2725 goto fail;
2726 }
2727
2728 done:
2729 EC_KEY_free(ec_params);
2730 EVP_PKEY_free(params);
2731 EVP_PKEY_CTX_free(kctx);
2732
2733 return ecdh;
2734 fail:
2735 crypto_ecdh_deinit(ecdh);
2736 ecdh = NULL;
2737 goto done;
2738 #endif /* OpenSSL version >= 3.0 */
2739 }
2740
2741
crypto_ecdh_init2(int group,struct crypto_ec_key * own_key)2742 struct crypto_ecdh * crypto_ecdh_init2(int group, struct crypto_ec_key *own_key)
2743 {
2744 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2745 struct crypto_ecdh *ecdh;
2746
2747 ecdh = os_zalloc(sizeof(*ecdh));
2748 if (!ecdh)
2749 goto fail;
2750
2751 ecdh->ec = crypto_ec_init(group);
2752 if (!ecdh->ec)
2753 goto fail;
2754
2755 ecdh->pkey = EVP_PKEY_dup((EVP_PKEY *) own_key);
2756 if (!ecdh->pkey)
2757 goto fail;
2758
2759 return ecdh;
2760 fail:
2761 crypto_ecdh_deinit(ecdh);
2762 return NULL;
2763 #else /* OpenSSL version >= 3.0 */
2764 struct crypto_ecdh *ecdh;
2765
2766 ecdh = os_zalloc(sizeof(*ecdh));
2767 if (!ecdh)
2768 goto fail;
2769
2770 ecdh->ec = crypto_ec_init(group);
2771 if (!ecdh->ec)
2772 goto fail;
2773
2774 ecdh->pkey = EVP_PKEY_new();
2775 if (!ecdh->pkey ||
2776 EVP_PKEY_assign_EC_KEY(ecdh->pkey,
2777 EVP_PKEY_get1_EC_KEY((EVP_PKEY *) own_key))
2778 != 1)
2779 goto fail;
2780
2781 return ecdh;
2782 fail:
2783 crypto_ecdh_deinit(ecdh);
2784 return NULL;
2785 #endif /* OpenSSL version >= 3.0 */
2786 }
2787
2788
crypto_ecdh_get_pubkey(struct crypto_ecdh * ecdh,int inc_y)2789 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y)
2790 {
2791 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2792 struct wpabuf *buf = NULL;
2793 unsigned char *pub;
2794 size_t len, exp_len;
2795
2796 len = EVP_PKEY_get1_encoded_public_key(ecdh->pkey, &pub);
2797 if (len == 0)
2798 return NULL;
2799
2800 /* Encoded using SECG SEC 1, Sec. 2.3.4 format */
2801 exp_len = 1 + 2 * crypto_ec_prime_len(ecdh->ec);
2802 if (len != exp_len) {
2803 wpa_printf(MSG_ERROR,
2804 "OpenSSL:%s: Unexpected encoded public key length %zu (expected %zu)",
2805 __func__, len, exp_len);
2806 goto fail;
2807 }
2808 buf = wpabuf_alloc_copy(pub + 1, inc_y ? len - 1 : len / 2);
2809 fail:
2810 OPENSSL_free(pub);
2811 return buf;
2812 #else /* OpenSSL version >= 3.0 */
2813 struct wpabuf *buf = NULL;
2814 EC_KEY *eckey;
2815 const EC_POINT *pubkey;
2816 BIGNUM *x, *y = NULL;
2817 int len = BN_num_bytes(ecdh->ec->prime);
2818 int res;
2819
2820 eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey);
2821 if (!eckey)
2822 return NULL;
2823
2824 pubkey = EC_KEY_get0_public_key(eckey);
2825 if (!pubkey)
2826 return NULL;
2827
2828 x = BN_new();
2829 if (inc_y) {
2830 y = BN_new();
2831 if (!y)
2832 goto fail;
2833 }
2834 buf = wpabuf_alloc(inc_y ? 2 * len : len);
2835 if (!x || !buf)
2836 goto fail;
2837
2838 if (EC_POINT_get_affine_coordinates(ecdh->ec->group, pubkey,
2839 x, y, ecdh->ec->bnctx) != 1) {
2840 wpa_printf(MSG_ERROR,
2841 "OpenSSL: EC_POINT_get_affine_coordinates failed: %s",
2842 ERR_error_string(ERR_get_error(), NULL));
2843 goto fail;
2844 }
2845
2846 res = crypto_bignum_to_bin((struct crypto_bignum *) x,
2847 wpabuf_put(buf, len), len, len);
2848 if (res < 0)
2849 goto fail;
2850
2851 if (inc_y) {
2852 res = crypto_bignum_to_bin((struct crypto_bignum *) y,
2853 wpabuf_put(buf, len), len, len);
2854 if (res < 0)
2855 goto fail;
2856 }
2857
2858 done:
2859 BN_clear_free(x);
2860 BN_clear_free(y);
2861 EC_KEY_free(eckey);
2862
2863 return buf;
2864 fail:
2865 wpabuf_free(buf);
2866 buf = NULL;
2867 goto done;
2868 #endif /* OpenSSL version >= 3.0 */
2869 }
2870
2871
crypto_ecdh_set_peerkey(struct crypto_ecdh * ecdh,int inc_y,const u8 * key,size_t len)2872 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
2873 const u8 *key, size_t len)
2874 {
2875 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2876 EVP_PKEY *peerkey = EVP_PKEY_new();
2877 EVP_PKEY_CTX *ctx;
2878 size_t res_len;
2879 struct wpabuf *res = NULL;
2880 u8 *peer;
2881
2882 /* Encode using SECG SEC 1, Sec. 2.3.4 format */
2883 peer = os_malloc(1 + len);
2884 if (!peer) {
2885 EVP_PKEY_free(peerkey);
2886 return NULL;
2887 }
2888 peer[0] = inc_y ? 0x04 : 0x02;
2889 os_memcpy(peer + 1, key, len);
2890
2891 if (!peerkey ||
2892 EVP_PKEY_copy_parameters(peerkey, ecdh->pkey) != 1 ||
2893 EVP_PKEY_set1_encoded_public_key(peerkey, peer, 1 + len) != 1) {
2894 wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_set1_encoded_public_key failed: %s",
2895 ERR_error_string(ERR_get_error(), NULL));
2896 EVP_PKEY_free(peerkey);
2897 os_free(peer);
2898 return NULL;
2899 }
2900 os_free(peer);
2901
2902 ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
2903 if (!ctx ||
2904 EVP_PKEY_derive_init(ctx) != 1 ||
2905 EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
2906 EVP_PKEY_derive(ctx, NULL, &res_len) != 1 ||
2907 !(res = wpabuf_alloc(res_len)) ||
2908 EVP_PKEY_derive(ctx, wpabuf_mhead(res), &res_len) != 1) {
2909 wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_derive failed: %s",
2910 ERR_error_string(ERR_get_error(), NULL));
2911 wpabuf_free(res);
2912 res = NULL;
2913 } else {
2914 wpabuf_put(res, res_len);
2915 }
2916
2917 EVP_PKEY_free(peerkey);
2918 EVP_PKEY_CTX_free(ctx);
2919 return res;
2920 #else /* OpenSSL version >= 3.0 */
2921 BIGNUM *x, *y = NULL;
2922 EVP_PKEY_CTX *ctx = NULL;
2923 EVP_PKEY *peerkey = NULL;
2924 struct wpabuf *secret = NULL;
2925 size_t secret_len;
2926 EC_POINT *pub;
2927 EC_KEY *eckey = NULL;
2928
2929 x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL);
2930 pub = EC_POINT_new(ecdh->ec->group);
2931 if (!x || !pub)
2932 goto fail;
2933
2934 if (inc_y) {
2935 y = BN_bin2bn(key + len / 2, len / 2, NULL);
2936 if (!y)
2937 goto fail;
2938 if (!EC_POINT_set_affine_coordinates(ecdh->ec->group, pub,
2939 x, y, ecdh->ec->bnctx)) {
2940 wpa_printf(MSG_ERROR,
2941 "OpenSSL: EC_POINT_set_affine_coordinates failed: %s",
2942 ERR_error_string(ERR_get_error(), NULL));
2943 goto fail;
2944 }
2945 } else if (!EC_POINT_set_compressed_coordinates(ecdh->ec->group,
2946 pub, x, 0,
2947 ecdh->ec->bnctx)) {
2948 wpa_printf(MSG_ERROR,
2949 "OpenSSL: EC_POINT_set_compressed_coordinates failed: %s",
2950 ERR_error_string(ERR_get_error(), NULL));
2951 goto fail;
2952 }
2953
2954 if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) {
2955 wpa_printf(MSG_ERROR,
2956 "OpenSSL: ECDH peer public key is not on curve");
2957 goto fail;
2958 }
2959
2960 eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2961 if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) {
2962 wpa_printf(MSG_ERROR,
2963 "OpenSSL: EC_KEY_set_public_key failed: %s",
2964 ERR_error_string(ERR_get_error(), NULL));
2965 goto fail;
2966 }
2967
2968 peerkey = EVP_PKEY_new();
2969 if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1)
2970 goto fail;
2971
2972 ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
2973 if (!ctx || EVP_PKEY_derive_init(ctx) != 1 ||
2974 EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
2975 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) {
2976 wpa_printf(MSG_ERROR,
2977 "OpenSSL: EVP_PKEY_derive(1) failed: %s",
2978 ERR_error_string(ERR_get_error(), NULL));
2979 goto fail;
2980 }
2981
2982 secret = wpabuf_alloc(secret_len);
2983 if (!secret)
2984 goto fail;
2985 if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
2986 wpa_printf(MSG_ERROR,
2987 "OpenSSL: EVP_PKEY_derive(2) failed: %s",
2988 ERR_error_string(ERR_get_error(), NULL));
2989 goto fail;
2990 }
2991 if (secret->size != secret_len)
2992 wpa_printf(MSG_DEBUG,
2993 "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
2994 (int) secret->size, (int) secret_len);
2995 wpabuf_put(secret, secret_len);
2996
2997 done:
2998 BN_free(x);
2999 BN_free(y);
3000 EC_KEY_free(eckey);
3001 EC_POINT_free(pub);
3002 EVP_PKEY_CTX_free(ctx);
3003 EVP_PKEY_free(peerkey);
3004 return secret;
3005 fail:
3006 wpabuf_free(secret);
3007 secret = NULL;
3008 goto done;
3009 #endif /* OpenSSL version >= 3.0 */
3010 }
3011
3012
crypto_ecdh_deinit(struct crypto_ecdh * ecdh)3013 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
3014 {
3015 if (ecdh) {
3016 crypto_ec_deinit(ecdh->ec);
3017 EVP_PKEY_free(ecdh->pkey);
3018 os_free(ecdh);
3019 }
3020 }
3021
3022
crypto_ecdh_prime_len(struct crypto_ecdh * ecdh)3023 size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
3024 {
3025 return crypto_ec_prime_len(ecdh->ec);
3026 }
3027
3028
crypto_ec_key_parse_priv(const u8 * der,size_t der_len)3029 struct crypto_ec_key * crypto_ec_key_parse_priv(const u8 *der, size_t der_len)
3030 {
3031 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3032 EVP_PKEY *pkey = NULL;
3033 OSSL_DECODER_CTX *ctx;
3034
3035 ctx = OSSL_DECODER_CTX_new_for_pkey(
3036 &pkey, "DER", NULL, "EC",
3037 OSSL_KEYMGMT_SELECT_KEYPAIR |
3038 OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
3039 NULL, NULL);
3040 if (!ctx ||
3041 OSSL_DECODER_from_data(ctx, &der, &der_len) != 1) {
3042 wpa_printf(MSG_INFO,
3043 "OpenSSL: Decoding EC private key (DER) failed: %s",
3044 ERR_error_string(ERR_get_error(), NULL));
3045 if (ctx)
3046 OSSL_DECODER_CTX_free(ctx);
3047 goto fail;
3048 }
3049
3050 OSSL_DECODER_CTX_free(ctx);
3051 return (struct crypto_ec_key *) pkey;
3052 fail:
3053 crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
3054 return NULL;
3055 #else /* OpenSSL version >= 3.0 */
3056 EVP_PKEY *pkey = NULL;
3057 EC_KEY *eckey;
3058
3059 eckey = d2i_ECPrivateKey(NULL, &der, der_len);
3060 if (!eckey) {
3061 wpa_printf(MSG_INFO, "OpenSSL: d2i_ECPrivateKey() failed: %s",
3062 ERR_error_string(ERR_get_error(), NULL));
3063 goto fail;
3064 }
3065 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
3066
3067 pkey = EVP_PKEY_new();
3068 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
3069 EC_KEY_free(eckey);
3070 goto fail;
3071 }
3072
3073 return (struct crypto_ec_key *) pkey;
3074 fail:
3075 crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
3076 return NULL;
3077 #endif /* OpenSSL version >= 3.0 */
3078 }
3079
3080
crypto_ec_key_set_priv(int group,const u8 * raw,size_t raw_len)3081 struct crypto_ec_key * crypto_ec_key_set_priv(int group,
3082 const u8 *raw, size_t raw_len)
3083 {
3084 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3085 const char *group_name;
3086 OSSL_PARAM params[4];
3087 EVP_PKEY_CTX *ctx = NULL;
3088 EVP_PKEY *pkey = NULL;
3089 BIGNUM *priv;
3090 EC_POINT *pub = NULL;
3091 EC_GROUP *ec_group = NULL;
3092 size_t len;
3093 u8 *pub_bin = NULL;
3094 u8 *priv_bin = NULL;
3095 int priv_bin_len;
3096
3097 group_name = crypto_ec_group_2_name(group);
3098 if (!group_name)
3099 return NULL;
3100
3101 priv = BN_bin2bn(raw, raw_len, NULL);
3102 if (!priv)
3103 return NULL;
3104 priv_bin = os_malloc(raw_len);
3105 if (!priv_bin)
3106 goto fail;
3107 priv_bin_len = BN_bn2lebinpad(priv, priv_bin, raw_len);
3108 if (priv_bin_len < 0)
3109 goto fail;
3110
3111 ec_group = EC_GROUP_new_by_curve_name(crypto_ec_group_2_nid(group));
3112 if (!ec_group)
3113 goto fail;
3114 pub = EC_POINT_new(ec_group);
3115 if (!pub ||
3116 EC_POINT_mul(ec_group, pub, priv, NULL, NULL, NULL) != 1)
3117 goto fail;
3118 len = EC_POINT_point2oct(ec_group, pub, POINT_CONVERSION_UNCOMPRESSED,
3119 NULL, 0, NULL);
3120 if (len == 0)
3121 goto fail;
3122 pub_bin = os_malloc(len);
3123 if (!pub_bin)
3124 goto fail;
3125 len = EC_POINT_point2oct(ec_group, pub, POINT_CONVERSION_UNCOMPRESSED,
3126 pub_bin, len, NULL);
3127 if (len == 0)
3128 goto fail;
3129
3130 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
3131 (char *) group_name, 0);
3132 params[1] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_PRIV_KEY,
3133 priv_bin, priv_bin_len);
3134 params[2] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
3135 pub_bin, len);
3136 params[3] = OSSL_PARAM_construct_end();
3137
3138 ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
3139 if (!ctx ||
3140 EVP_PKEY_fromdata_init(ctx) <= 0 ||
3141 EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
3142 goto fail;
3143
3144 out:
3145 bin_clear_free(priv_bin, raw_len);
3146 os_free(pub_bin);
3147 BN_clear_free(priv);
3148 EVP_PKEY_CTX_free(ctx);
3149 EC_POINT_free(pub);
3150 EC_GROUP_free(ec_group);
3151 return (struct crypto_ec_key *) pkey;
3152
3153 fail:
3154 EVP_PKEY_free(pkey);
3155 pkey = NULL;
3156 goto out;
3157 #else /* OpenSSL version >= 3.0 */
3158 EC_KEY *eckey = NULL;
3159 EVP_PKEY *pkey = NULL;
3160 BIGNUM *priv = NULL;
3161 int nid;
3162 const EC_GROUP *ec_group;
3163 EC_POINT *pub = NULL;
3164
3165 nid = crypto_ec_group_2_nid(group);
3166 if (nid < 0) {
3167 wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
3168 return NULL;
3169 }
3170
3171 eckey = EC_KEY_new_by_curve_name(nid);
3172 priv = BN_bin2bn(raw, raw_len, NULL);
3173 if (!eckey || !priv ||
3174 EC_KEY_set_private_key(eckey, priv) != 1) {
3175 wpa_printf(MSG_ERROR,
3176 "OpenSSL: Failed to set EC_KEY: %s",
3177 ERR_error_string(ERR_get_error(), NULL));
3178 goto fail;
3179 }
3180
3181 ec_group = EC_KEY_get0_group(eckey);
3182 if (!ec_group)
3183 goto fail;
3184 pub = EC_POINT_new(ec_group);
3185 if (!pub ||
3186 EC_POINT_mul(ec_group, pub, priv, NULL, NULL, NULL) != 1 ||
3187 EC_KEY_set_public_key(eckey, pub) != 1) {
3188 wpa_printf(MSG_ERROR,
3189 "OpenSSL: Failed to set EC_KEY(pub): %s",
3190 ERR_error_string(ERR_get_error(), NULL));
3191 goto fail;
3192 }
3193
3194 EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
3195
3196 pkey = EVP_PKEY_new();
3197 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
3198 wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
3199 goto fail;
3200 }
3201
3202 out:
3203 BN_clear_free(priv);
3204 EC_POINT_free(pub);
3205 return (struct crypto_ec_key *) pkey;
3206
3207 fail:
3208 EC_KEY_free(eckey);
3209 EVP_PKEY_free(pkey);
3210 pkey = NULL;
3211 goto out;
3212 #endif /* OpenSSL version >= 3.0 */
3213 }
3214
3215
crypto_ec_key_parse_pub(const u8 * der,size_t der_len)3216 struct crypto_ec_key * crypto_ec_key_parse_pub(const u8 *der, size_t der_len)
3217 {
3218 EVP_PKEY *pkey;
3219
3220 pkey = d2i_PUBKEY(NULL, &der, der_len);
3221 if (!pkey) {
3222 wpa_printf(MSG_INFO, "OpenSSL: d2i_PUBKEY() failed: %s",
3223 ERR_error_string(ERR_get_error(), NULL));
3224 goto fail;
3225 }
3226
3227 /* Ensure this is an EC key */
3228 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3229 if (!EVP_PKEY_is_a(pkey, "EC"))
3230 goto fail;
3231 #else /* OpenSSL version >= 3.0 */
3232 if (!EVP_PKEY_get0_EC_KEY(pkey))
3233 goto fail;
3234 #endif /* OpenSSL version >= 3.0 */
3235 return (struct crypto_ec_key *) pkey;
3236 fail:
3237 crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
3238 return NULL;
3239 }
3240
3241
crypto_ec_key_set_pub(int group,const u8 * buf_x,const u8 * buf_y,size_t len)3242 struct crypto_ec_key * crypto_ec_key_set_pub(int group, const u8 *buf_x,
3243 const u8 *buf_y, size_t len)
3244 {
3245 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3246 const char *group_name;
3247 OSSL_PARAM params[3];
3248 u8 *pub;
3249 EVP_PKEY_CTX *ctx;
3250 EVP_PKEY *pkey = NULL;
3251
3252 group_name = crypto_ec_group_2_name(group);
3253 if (!group_name)
3254 return NULL;
3255
3256 pub = os_malloc(1 + len * 2);
3257 if (!pub)
3258 return NULL;
3259 pub[0] = 0x04; /* uncompressed */
3260 os_memcpy(pub + 1, buf_x, len);
3261 os_memcpy(pub + 1 + len, buf_y, len);
3262
3263 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
3264 (char *) group_name, 0);
3265 params[1] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
3266 pub, 1 + len * 2);
3267 params[2] = OSSL_PARAM_construct_end();
3268
3269 ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
3270 if (!ctx) {
3271 os_free(pub);
3272 return NULL;
3273 }
3274 if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
3275 EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
3276 os_free(pub);
3277 EVP_PKEY_CTX_free(ctx);
3278 return NULL;
3279 }
3280
3281 os_free(pub);
3282 EVP_PKEY_CTX_free(ctx);
3283
3284 return (struct crypto_ec_key *) pkey;
3285 #else /* OpenSSL version >= 3.0 */
3286 EC_KEY *eckey = NULL;
3287 EVP_PKEY *pkey = NULL;
3288 EC_GROUP *ec_group = NULL;
3289 BN_CTX *ctx;
3290 EC_POINT *point = NULL;
3291 BIGNUM *x = NULL, *y = NULL;
3292 int nid;
3293
3294 if (!buf_x || !buf_y)
3295 return NULL;
3296
3297 nid = crypto_ec_group_2_nid(group);
3298 if (nid < 0) {
3299 wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
3300 return NULL;
3301 }
3302
3303 ctx = BN_CTX_new();
3304 if (!ctx)
3305 goto fail;
3306
3307 ec_group = EC_GROUP_new_by_curve_name(nid);
3308 if (!ec_group)
3309 goto fail;
3310
3311 x = BN_bin2bn(buf_x, len, NULL);
3312 y = BN_bin2bn(buf_y, len, NULL);
3313 point = EC_POINT_new(ec_group);
3314 if (!x || !y || !point)
3315 goto fail;
3316
3317 if (!EC_POINT_set_affine_coordinates(ec_group, point, x, y, ctx)) {
3318 wpa_printf(MSG_ERROR,
3319 "OpenSSL: EC_POINT_set_affine_coordinates failed: %s",
3320 ERR_error_string(ERR_get_error(), NULL));
3321 goto fail;
3322 }
3323
3324 if (!EC_POINT_is_on_curve(ec_group, point, ctx) ||
3325 EC_POINT_is_at_infinity(ec_group, point)) {
3326 wpa_printf(MSG_ERROR, "OpenSSL: Invalid point");
3327 goto fail;
3328 }
3329
3330 eckey = EC_KEY_new();
3331 if (!eckey ||
3332 EC_KEY_set_group(eckey, ec_group) != 1 ||
3333 EC_KEY_set_public_key(eckey, point) != 1) {
3334 wpa_printf(MSG_ERROR,
3335 "OpenSSL: Failed to set EC_KEY: %s",
3336 ERR_error_string(ERR_get_error(), NULL));
3337 goto fail;
3338 }
3339 EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
3340
3341 pkey = EVP_PKEY_new();
3342 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
3343 wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
3344 goto fail;
3345 }
3346
3347 out:
3348 EC_GROUP_free(ec_group);
3349 BN_free(x);
3350 BN_free(y);
3351 EC_POINT_free(point);
3352 BN_CTX_free(ctx);
3353 return (struct crypto_ec_key *) pkey;
3354
3355 fail:
3356 EC_KEY_free(eckey);
3357 EVP_PKEY_free(pkey);
3358 pkey = NULL;
3359 goto out;
3360 #endif /* OpenSSL version >= 3.0 */
3361 }
3362
3363
3364 struct crypto_ec_key *
crypto_ec_key_set_pub_point(struct crypto_ec * ec,const struct crypto_ec_point * pub)3365 crypto_ec_key_set_pub_point(struct crypto_ec *ec,
3366 const struct crypto_ec_point *pub)
3367 {
3368 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3369 int len = BN_num_bytes(ec->prime);
3370 struct crypto_ec_key *key;
3371 u8 *buf;
3372
3373 buf = os_malloc(2 * len);
3374 if (!buf)
3375 return NULL;
3376 if (crypto_ec_point_to_bin(ec, pub, buf, buf + len) < 0) {
3377 os_free(buf);
3378 return NULL;
3379 }
3380
3381 key = crypto_ec_key_set_pub(ec->iana_group, buf, buf + len, len);
3382 os_free(buf);
3383
3384 return key;
3385 #else /* OpenSSL version >= 3.0 */
3386 EC_KEY *eckey;
3387 EVP_PKEY *pkey = NULL;
3388
3389 eckey = EC_KEY_new();
3390 if (!eckey ||
3391 EC_KEY_set_group(eckey, ec->group) != 1 ||
3392 EC_KEY_set_public_key(eckey, (const EC_POINT *) pub) != 1) {
3393 wpa_printf(MSG_ERROR,
3394 "OpenSSL: Failed to set EC_KEY: %s",
3395 ERR_error_string(ERR_get_error(), NULL));
3396 goto fail;
3397 }
3398 EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
3399
3400 pkey = EVP_PKEY_new();
3401 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
3402 wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
3403 goto fail;
3404 }
3405
3406 out:
3407 return (struct crypto_ec_key *) pkey;
3408
3409 fail:
3410 EVP_PKEY_free(pkey);
3411 EC_KEY_free(eckey);
3412 pkey = NULL;
3413 goto out;
3414 #endif /* OpenSSL version >= 3.0 */
3415 }
3416
3417
crypto_ec_key_gen(int group)3418 struct crypto_ec_key * crypto_ec_key_gen(int group)
3419 {
3420 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3421 EVP_PKEY_CTX *ctx;
3422 OSSL_PARAM params[2];
3423 const char *group_name;
3424 EVP_PKEY *pkey = NULL;
3425
3426 group_name = crypto_ec_group_2_name(group);
3427 if (!group_name)
3428 return NULL;
3429
3430 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
3431 (char *) group_name, 0);
3432 params[1] = OSSL_PARAM_construct_end();
3433
3434 ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
3435 if (!ctx ||
3436 EVP_PKEY_keygen_init(ctx) != 1 ||
3437 EVP_PKEY_CTX_set_params(ctx, params) != 1 ||
3438 EVP_PKEY_generate(ctx, &pkey) != 1) {
3439 wpa_printf(MSG_INFO,
3440 "OpenSSL: failed to generate EC keypair: %s",
3441 ERR_error_string(ERR_get_error(), NULL));
3442 pkey = NULL;
3443 }
3444
3445 EVP_PKEY_CTX_free(ctx);
3446
3447 return (struct crypto_ec_key *) pkey;
3448 #else /* OpenSSL version >= 3.0 */
3449 EVP_PKEY_CTX *kctx = NULL;
3450 EC_KEY *ec_params = NULL, *eckey;
3451 EVP_PKEY *params = NULL, *key = NULL;
3452 int nid;
3453
3454 nid = crypto_ec_group_2_nid(group);
3455 if (nid < 0) {
3456 wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
3457 return NULL;
3458 }
3459
3460 ec_params = EC_KEY_new_by_curve_name(nid);
3461 if (!ec_params) {
3462 wpa_printf(MSG_ERROR,
3463 "OpenSSL: Failed to generate EC_KEY parameters");
3464 goto fail;
3465 }
3466 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
3467 params = EVP_PKEY_new();
3468 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
3469 wpa_printf(MSG_ERROR,
3470 "OpenSSL: Failed to generate EVP_PKEY parameters");
3471 goto fail;
3472 }
3473
3474 kctx = EVP_PKEY_CTX_new(params, NULL);
3475 if (!kctx ||
3476 EVP_PKEY_keygen_init(kctx) != 1 ||
3477 EVP_PKEY_keygen(kctx, &key) != 1) {
3478 wpa_printf(MSG_ERROR, "OpenSSL: Failed to generate EC key");
3479 key = NULL;
3480 goto fail;
3481 }
3482
3483 eckey = EVP_PKEY_get1_EC_KEY(key);
3484 if (!eckey) {
3485 key = NULL;
3486 goto fail;
3487 }
3488 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
3489 EC_KEY_free(eckey);
3490
3491 fail:
3492 EC_KEY_free(ec_params);
3493 EVP_PKEY_free(params);
3494 EVP_PKEY_CTX_free(kctx);
3495 return (struct crypto_ec_key *) key;
3496 #endif /* OpenSSL version >= 3.0 */
3497 }
3498
3499
crypto_ec_key_deinit(struct crypto_ec_key * key)3500 void crypto_ec_key_deinit(struct crypto_ec_key *key)
3501 {
3502 EVP_PKEY_free((EVP_PKEY *) key);
3503 }
3504
3505
3506 #ifdef OPENSSL_IS_BORINGSSL
3507
3508 /* BoringSSL version of i2d_PUBKEY() always outputs public EC key using
3509 * uncompressed form so define a custom function to export EC pubkey using
3510 * the compressed format that is explicitly required for some protocols. */
3511
3512 #include <openssl/asn1.h>
3513 #include <openssl/asn1t.h>
3514
3515 typedef struct {
3516 /* AlgorithmIdentifier ecPublicKey with optional parameters present
3517 * as an OID identifying the curve */
3518 X509_ALGOR *alg;
3519 /* Compressed format public key per ANSI X9.63 */
3520 ASN1_BIT_STRING *pub_key;
3521 } EC_COMP_PUBKEY;
3522
3523 ASN1_SEQUENCE(EC_COMP_PUBKEY) = {
3524 ASN1_SIMPLE(EC_COMP_PUBKEY, alg, X509_ALGOR),
3525 ASN1_SIMPLE(EC_COMP_PUBKEY, pub_key, ASN1_BIT_STRING)
3526 } ASN1_SEQUENCE_END(EC_COMP_PUBKEY);
3527
3528 IMPLEMENT_ASN1_FUNCTIONS(EC_COMP_PUBKEY);
3529
3530 #endif /* OPENSSL_IS_BORINGSSL */
3531
3532
crypto_ec_key_get_subject_public_key(struct crypto_ec_key * key)3533 struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
3534 {
3535 EVP_PKEY *pkey = (EVP_PKEY *) key;
3536 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3537 OSSL_ENCODER_CTX *ctx;
3538 int selection;
3539 unsigned char *pdata = NULL;
3540 size_t pdata_len = 0;
3541 EVP_PKEY *copy = NULL;
3542 struct wpabuf *buf = NULL;
3543
3544 if (EVP_PKEY_get_ec_point_conv_form(pkey) !=
3545 POINT_CONVERSION_COMPRESSED) {
3546 copy = EVP_PKEY_dup(pkey);
3547 if (!copy)
3548 return NULL;
3549 if (EVP_PKEY_set_utf8_string_param(
3550 copy, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
3551 OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED) !=
3552 1) {
3553 wpa_printf(MSG_INFO,
3554 "OpenSSL: Failed to set compressed format");
3555 EVP_PKEY_free(copy);
3556 return NULL;
3557 }
3558 pkey = copy;
3559 }
3560
3561 selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS |
3562 OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
3563
3564 ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER",
3565 "SubjectPublicKeyInfo",
3566 NULL);
3567 if (!ctx || OSSL_ENCODER_to_data(ctx, &pdata, &pdata_len) != 1) {
3568 wpa_printf(MSG_INFO,
3569 "OpenSSL: Failed to encode SubjectPublicKeyInfo: %s",
3570 ERR_error_string(ERR_get_error(), NULL));
3571 pdata = NULL;
3572 }
3573 OSSL_ENCODER_CTX_free(ctx);
3574 if (pdata) {
3575 buf = wpabuf_alloc_copy(pdata, pdata_len);
3576 OPENSSL_free(pdata);
3577 }
3578
3579 EVP_PKEY_free(copy);
3580
3581 return buf;
3582 #else /* OpenSSL version >= 3.0 */
3583 #ifdef OPENSSL_IS_BORINGSSL
3584 unsigned char *der = NULL;
3585 int der_len;
3586 const EC_KEY *eckey;
3587 struct wpabuf *ret = NULL;
3588 size_t len;
3589 const EC_GROUP *group;
3590 const EC_POINT *point;
3591 BN_CTX *ctx;
3592 EC_COMP_PUBKEY *pubkey = NULL;
3593 int nid;
3594
3595 ctx = BN_CTX_new();
3596 eckey = EVP_PKEY_get0_EC_KEY(pkey);
3597 if (!ctx || !eckey)
3598 goto fail;
3599
3600 group = EC_KEY_get0_group(eckey);
3601 point = EC_KEY_get0_public_key(eckey);
3602 if (!group || !point)
3603 goto fail;
3604 nid = EC_GROUP_get_curve_name(group);
3605
3606 pubkey = EC_COMP_PUBKEY_new();
3607 if (!pubkey ||
3608 X509_ALGOR_set0(pubkey->alg, OBJ_nid2obj(EVP_PKEY_EC),
3609 V_ASN1_OBJECT, (void *) OBJ_nid2obj(nid)) != 1)
3610 goto fail;
3611
3612 len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
3613 NULL, 0, ctx);
3614 if (len == 0)
3615 goto fail;
3616
3617 der = OPENSSL_malloc(len);
3618 if (!der)
3619 goto fail;
3620 len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
3621 der, len, ctx);
3622
3623 OPENSSL_free(pubkey->pub_key->data);
3624 pubkey->pub_key->data = der;
3625 der = NULL;
3626 pubkey->pub_key->length = len;
3627 /* No unused bits */
3628 pubkey->pub_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
3629 pubkey->pub_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;
3630
3631 der_len = i2d_EC_COMP_PUBKEY(pubkey, &der);
3632 if (der_len <= 0) {
3633 wpa_printf(MSG_ERROR,
3634 "BoringSSL: Failed to build DER encoded public key");
3635 goto fail;
3636 }
3637
3638 ret = wpabuf_alloc_copy(der, der_len);
3639 fail:
3640 EC_COMP_PUBKEY_free(pubkey);
3641 OPENSSL_free(der);
3642 BN_CTX_free(ctx);
3643 return ret;
3644 #else /* OPENSSL_IS_BORINGSSL */
3645 unsigned char *der = NULL;
3646 int der_len;
3647 struct wpabuf *buf;
3648 EC_KEY *eckey;
3649
3650 eckey = EVP_PKEY_get1_EC_KEY(pkey);
3651 if (!eckey)
3652 return NULL;
3653
3654 /* For now, all users expect COMPRESSED form */
3655 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
3656
3657 der_len = i2d_PUBKEY((EVP_PKEY *) key, &der);
3658 EC_KEY_free(eckey);
3659 if (der_len <= 0) {
3660 wpa_printf(MSG_INFO, "OpenSSL: i2d_PUBKEY() failed: %s",
3661 ERR_error_string(ERR_get_error(), NULL));
3662 return NULL;
3663 }
3664
3665 buf = wpabuf_alloc_copy(der, der_len);
3666 OPENSSL_free(der);
3667 return buf;
3668 #endif /* OPENSSL_IS_BORINGSSL */
3669 #endif /* OpenSSL version >= 3.0 */
3670 }
3671
3672
crypto_ec_key_get_ecprivate_key(struct crypto_ec_key * key,bool include_pub)3673 struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key,
3674 bool include_pub)
3675 {
3676 EVP_PKEY *pkey = (EVP_PKEY *) key;
3677 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3678 OSSL_ENCODER_CTX *ctx;
3679 int selection;
3680 unsigned char *pdata = NULL;
3681 size_t pdata_len = 0;
3682 struct wpabuf *buf;
3683 EVP_PKEY *copy = NULL;
3684
3685 selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS |
3686 OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
3687 if (include_pub) {
3688 selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
3689 } else {
3690 /* Not including OSSL_KEYMGMT_SELECT_PUBLIC_KEY does not seem
3691 * to really be sufficient, so clone the key and explicitly
3692 * mark it not to include the public key. */
3693 copy = EVP_PKEY_dup(pkey);
3694 if (!copy)
3695 return NULL;
3696 EVP_PKEY_set_int_param(copy, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC,
3697 0);
3698 pkey = copy;
3699 }
3700
3701 ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER",
3702 "type-specific", NULL);
3703 if (!ctx || OSSL_ENCODER_to_data(ctx, &pdata, &pdata_len) != 1) {
3704 OSSL_ENCODER_CTX_free(ctx);
3705 EVP_PKEY_free(copy);
3706 return NULL;
3707 }
3708 OSSL_ENCODER_CTX_free(ctx);
3709 buf = wpabuf_alloc_copy(pdata, pdata_len);
3710 OPENSSL_free(pdata);
3711 EVP_PKEY_free(copy);
3712 return buf;
3713 #else /* OpenSSL version >= 3.0 */
3714 EC_KEY *eckey;
3715 unsigned char *der = NULL;
3716 int der_len;
3717 struct wpabuf *buf;
3718 unsigned int key_flags;
3719
3720 eckey = EVP_PKEY_get1_EC_KEY(pkey);
3721 if (!eckey)
3722 return NULL;
3723
3724 key_flags = EC_KEY_get_enc_flags(eckey);
3725 if (include_pub)
3726 key_flags &= ~EC_PKEY_NO_PUBKEY;
3727 else
3728 key_flags |= EC_PKEY_NO_PUBKEY;
3729 EC_KEY_set_enc_flags(eckey, key_flags);
3730
3731 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
3732
3733 der_len = i2d_ECPrivateKey(eckey, &der);
3734 EC_KEY_free(eckey);
3735 if (der_len <= 0)
3736 return NULL;
3737 buf = wpabuf_alloc_copy(der, der_len);
3738 OPENSSL_free(der);
3739
3740 return buf;
3741 #endif /* OpenSSL version >= 3.0 */
3742 }
3743
3744
crypto_ec_key_get_pubkey_point(struct crypto_ec_key * key,int prefix)3745 struct wpabuf * crypto_ec_key_get_pubkey_point(struct crypto_ec_key *key,
3746 int prefix)
3747 {
3748 EVP_PKEY *pkey = (EVP_PKEY *) key;
3749 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3750 struct wpabuf *buf;
3751 unsigned char *pos;
3752 size_t pub_len = OSSL_PARAM_UNMODIFIED;
3753
3754 buf = NULL;
3755 if (!EVP_PKEY_is_a(pkey, "EC") ||
3756 EVP_PKEY_get_octet_string_param(pkey,
3757 OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
3758 NULL, 0, &pub_len) < 0 ||
3759 pub_len == OSSL_PARAM_UNMODIFIED ||
3760 !(buf = wpabuf_alloc(pub_len)) ||
3761 EVP_PKEY_get_octet_string_param(pkey,
3762 OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
3763 wpabuf_put(buf, pub_len),
3764 pub_len, NULL) != 1 ||
3765 wpabuf_head_u8(buf)[0] != 0x04) {
3766 wpa_printf(MSG_INFO,
3767 "OpenSSL: Failed to get encoded public key: %s",
3768 ERR_error_string(ERR_get_error(), NULL));
3769 wpabuf_free(buf);
3770 return NULL;
3771 }
3772
3773 if (!prefix) {
3774 /* Remove 0x04 prefix if requested */
3775 pos = wpabuf_mhead(buf);
3776 os_memmove(pos, pos + 1, pub_len - 1);
3777 buf->used--;
3778 }
3779
3780 return buf;
3781 #else /* OpenSSL version >= 3.0 */
3782 int len, res;
3783 EC_KEY *eckey;
3784 struct wpabuf *buf;
3785 unsigned char *pos;
3786
3787 eckey = EVP_PKEY_get1_EC_KEY(pkey);
3788 if (!eckey)
3789 return NULL;
3790 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
3791 len = i2o_ECPublicKey(eckey, NULL);
3792 if (len <= 0) {
3793 wpa_printf(MSG_ERROR,
3794 "OpenSSL: Failed to determine public key encoding length");
3795 EC_KEY_free(eckey);
3796 return NULL;
3797 }
3798
3799 buf = wpabuf_alloc(len);
3800 if (!buf) {
3801 EC_KEY_free(eckey);
3802 return NULL;
3803 }
3804
3805 pos = wpabuf_put(buf, len);
3806 res = i2o_ECPublicKey(eckey, &pos);
3807 EC_KEY_free(eckey);
3808 if (res != len) {
3809 wpa_printf(MSG_ERROR,
3810 "OpenSSL: Failed to encode public key (res=%d/%d)",
3811 res, len);
3812 wpabuf_free(buf);
3813 return NULL;
3814 }
3815
3816 if (!prefix) {
3817 /* Remove 0x04 prefix if requested */
3818 pos = wpabuf_mhead(buf);
3819 os_memmove(pos, pos + 1, len - 1);
3820 buf->used--;
3821 }
3822
3823 return buf;
3824 #endif /* OpenSSL version >= 3.0 */
3825 }
3826
3827
3828 struct crypto_ec_point *
crypto_ec_key_get_public_key(struct crypto_ec_key * key)3829 crypto_ec_key_get_public_key(struct crypto_ec_key *key)
3830 {
3831 EVP_PKEY *pkey = (EVP_PKEY *) key;
3832 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3833 char group[64];
3834 unsigned char pub[256];
3835 size_t len;
3836 EC_POINT *point = NULL;
3837 EC_GROUP *grp;
3838 int res = 0;
3839 OSSL_PARAM params[2];
3840
3841 if (!EVP_PKEY_is_a(pkey, "EC") ||
3842 EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
3843 group, sizeof(group), &len) != 1 ||
3844 EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PUB_KEY,
3845 pub, sizeof(pub), &len) != 1)
3846 return NULL;
3847
3848 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
3849 group, 0);
3850 params[1] = OSSL_PARAM_construct_end();
3851 grp = EC_GROUP_new_from_params(params, NULL, NULL);
3852 if (!grp)
3853 goto fail;
3854 point = EC_POINT_new(grp);
3855 if (!point)
3856 goto fail;
3857 res = EC_POINT_oct2point(grp, point, pub, len, NULL);
3858
3859 fail:
3860 if (res != 1) {
3861 EC_POINT_free(point);
3862 point = NULL;
3863 }
3864
3865 EC_GROUP_free(grp);
3866
3867 return (struct crypto_ec_point *) point;
3868 #else /* OpenSSL version >= 3.0 */
3869 const EC_KEY *eckey;
3870 const EC_POINT *point;
3871 const EC_GROUP *group;
3872
3873 eckey = EVP_PKEY_get0_EC_KEY(pkey);
3874 if (!eckey)
3875 return NULL;
3876 group = EC_KEY_get0_group(eckey);
3877 if (!group)
3878 return NULL;
3879 point = EC_KEY_get0_public_key(eckey);
3880 if (!point)
3881 return NULL;
3882 return (struct crypto_ec_point *) EC_POINT_dup(point, group);
3883 #endif /* OpenSSL version >= 3.0 */
3884 }
3885
3886
3887 struct crypto_bignum *
crypto_ec_key_get_private_key(struct crypto_ec_key * key)3888 crypto_ec_key_get_private_key(struct crypto_ec_key *key)
3889 {
3890 EVP_PKEY *pkey = (EVP_PKEY *) key;
3891 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3892 BIGNUM *bn = NULL;
3893
3894 if (!EVP_PKEY_is_a(pkey, "EC") ||
3895 EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &bn) != 1)
3896 return NULL;
3897 return (struct crypto_bignum *) bn;
3898 #else /* OpenSSL version >= 3.0 */
3899 const EC_KEY *eckey;
3900 const BIGNUM *bn;
3901
3902 eckey = EVP_PKEY_get0_EC_KEY(pkey);
3903 if (!eckey)
3904 return NULL;
3905 bn = EC_KEY_get0_private_key(eckey);
3906 if (!bn)
3907 return NULL;
3908 return (struct crypto_bignum *) BN_dup(bn);
3909 #endif /* OpenSSL version >= 3.0 */
3910 }
3911
3912
crypto_ec_key_sign(struct crypto_ec_key * key,const u8 * data,size_t len)3913 struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
3914 size_t len)
3915 {
3916 EVP_PKEY_CTX *pkctx;
3917 struct wpabuf *sig_der;
3918 size_t sig_len;
3919
3920 sig_len = EVP_PKEY_size((EVP_PKEY *) key);
3921 sig_der = wpabuf_alloc(sig_len);
3922 if (!sig_der)
3923 return NULL;
3924
3925 pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
3926 if (!pkctx ||
3927 EVP_PKEY_sign_init(pkctx) <= 0 ||
3928 EVP_PKEY_sign(pkctx, wpabuf_put(sig_der, 0), &sig_len,
3929 data, len) <= 0) {
3930 wpabuf_free(sig_der);
3931 sig_der = NULL;
3932 } else {
3933 wpabuf_put(sig_der, sig_len);
3934 }
3935
3936 EVP_PKEY_CTX_free(pkctx);
3937 return sig_der;
3938 }
3939
3940
openssl_evp_pkey_ec_prime_len(struct crypto_ec_key * key)3941 static int openssl_evp_pkey_ec_prime_len(struct crypto_ec_key *key)
3942 {
3943 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3944 char gname[50];
3945 int nid;
3946 EC_GROUP *group;
3947 BIGNUM *prime = NULL;
3948 int prime_len = -1;
3949
3950 if (EVP_PKEY_get_group_name((EVP_PKEY *) key, gname, sizeof(gname),
3951 NULL) != 1)
3952 return -1;
3953 nid = OBJ_txt2nid(gname);
3954 group = EC_GROUP_new_by_curve_name(nid);
3955 prime = BN_new();
3956 if (!group || !prime)
3957 goto fail;
3958 if (EC_GROUP_get_curve(group, prime, NULL, NULL, NULL) == 1)
3959 prime_len = BN_num_bytes(prime);
3960 fail:
3961 EC_GROUP_free(group);
3962 BN_free(prime);
3963 return prime_len;
3964 #else
3965 const EC_GROUP *group;
3966 const EC_KEY *eckey;
3967 BIGNUM *prime = NULL;
3968 int prime_len = -1;
3969
3970 eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
3971 if (!eckey)
3972 goto fail;
3973 group = EC_KEY_get0_group(eckey);
3974 prime = BN_new();
3975 if (!prime || !group ||
3976 !EC_GROUP_get_curve(group, prime, NULL, NULL, NULL))
3977 goto fail;
3978 prime_len = BN_num_bytes(prime);
3979 fail:
3980 BN_free(prime);
3981 return prime_len;
3982 #endif
3983 }
3984
3985
crypto_ec_key_sign_r_s(struct crypto_ec_key * key,const u8 * data,size_t len)3986 struct wpabuf * crypto_ec_key_sign_r_s(struct crypto_ec_key *key,
3987 const u8 *data, size_t len)
3988 {
3989 ECDSA_SIG *sig = NULL;
3990 const BIGNUM *r, *s;
3991 u8 *r_buf, *s_buf;
3992 struct wpabuf *buf;
3993 const unsigned char *p;
3994 int prime_len;
3995
3996 prime_len = openssl_evp_pkey_ec_prime_len(key);
3997 if (prime_len < 0)
3998 return NULL;
3999
4000 buf = crypto_ec_key_sign(key, data, len);
4001 if (!buf)
4002 return NULL;
4003
4004 /* Extract (r,s) from Ecdsa-Sig-Value */
4005
4006 p = wpabuf_head(buf);
4007 sig = d2i_ECDSA_SIG(NULL, &p, wpabuf_len(buf));
4008 if (!sig)
4009 goto fail;
4010 ECDSA_SIG_get0(sig, &r, &s);
4011
4012 /* Re-use wpabuf returned by crypto_ec_key_sign() */
4013 buf->used = 0;
4014 r_buf = wpabuf_put(buf, prime_len);
4015 s_buf = wpabuf_put(buf, prime_len);
4016 if (crypto_bignum_to_bin((const struct crypto_bignum *) r, r_buf,
4017 prime_len, prime_len) < 0 ||
4018 crypto_bignum_to_bin((const struct crypto_bignum *) s, s_buf,
4019 prime_len, prime_len) < 0)
4020 goto fail;
4021
4022 out:
4023 ECDSA_SIG_free(sig);
4024 return buf;
4025 fail:
4026 wpabuf_clear_free(buf);
4027 buf = NULL;
4028 goto out;
4029 }
4030
4031
crypto_ec_key_verify_signature(struct crypto_ec_key * key,const u8 * data,size_t len,const u8 * sig,size_t sig_len)4032 int crypto_ec_key_verify_signature(struct crypto_ec_key *key, const u8 *data,
4033 size_t len, const u8 *sig, size_t sig_len)
4034 {
4035 EVP_PKEY_CTX *pkctx;
4036 int ret;
4037
4038 pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
4039 if (!pkctx || EVP_PKEY_verify_init(pkctx) <= 0) {
4040 EVP_PKEY_CTX_free(pkctx);
4041 return -1;
4042 }
4043
4044 ret = EVP_PKEY_verify(pkctx, sig, sig_len, data, len);
4045 EVP_PKEY_CTX_free(pkctx);
4046 if (ret == 1)
4047 return 1; /* signature ok */
4048 if (ret == 0)
4049 return 0; /* incorrect signature */
4050 return -1;
4051 }
4052
4053
crypto_ec_key_verify_signature_r_s(struct crypto_ec_key * key,const u8 * data,size_t len,const u8 * r,size_t r_len,const u8 * s,size_t s_len)4054 int crypto_ec_key_verify_signature_r_s(struct crypto_ec_key *key,
4055 const u8 *data, size_t len,
4056 const u8 *r, size_t r_len,
4057 const u8 *s, size_t s_len)
4058 {
4059 ECDSA_SIG *sig;
4060 BIGNUM *r_bn, *s_bn;
4061 unsigned char *der = NULL;
4062 int der_len;
4063 int ret = -1;
4064
4065 r_bn = BN_bin2bn(r, r_len, NULL);
4066 s_bn = BN_bin2bn(s, s_len, NULL);
4067 sig = ECDSA_SIG_new();
4068 if (!r_bn || !s_bn || !sig || ECDSA_SIG_set0(sig, r_bn, s_bn) != 1)
4069 goto fail;
4070 r_bn = NULL;
4071 s_bn = NULL;
4072
4073 der_len = i2d_ECDSA_SIG(sig, &der);
4074 if (der_len <= 0) {
4075 wpa_printf(MSG_DEBUG,
4076 "OpenSSL: Could not DER encode signature");
4077 goto fail;
4078 }
4079
4080 ret = crypto_ec_key_verify_signature(key, data, len, der, der_len);
4081
4082 fail:
4083 OPENSSL_free(der);
4084 BN_free(r_bn);
4085 BN_free(s_bn);
4086 ECDSA_SIG_free(sig);
4087 return ret;
4088 }
4089
4090
crypto_ec_key_group(struct crypto_ec_key * key)4091 int crypto_ec_key_group(struct crypto_ec_key *key)
4092 {
4093 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4094 char gname[50];
4095 int nid;
4096
4097 if (EVP_PKEY_get_group_name((EVP_PKEY *) key, gname, sizeof(gname),
4098 NULL) != 1)
4099 return -1;
4100 nid = OBJ_txt2nid(gname);
4101 #else
4102 const EC_KEY *eckey;
4103 const EC_GROUP *group;
4104 int nid;
4105
4106 eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
4107 if (!eckey)
4108 return -1;
4109 group = EC_KEY_get0_group(eckey);
4110 if (!group)
4111 return -1;
4112 nid = EC_GROUP_get_curve_name(group);
4113 #endif
4114 switch (nid) {
4115 case NID_X9_62_prime256v1:
4116 return 19;
4117 case NID_secp384r1:
4118 return 20;
4119 case NID_secp521r1:
4120 return 21;
4121 #ifdef NID_brainpoolP256r1
4122 case NID_brainpoolP256r1:
4123 return 28;
4124 #endif /* NID_brainpoolP256r1 */
4125 #ifdef NID_brainpoolP384r1
4126 case NID_brainpoolP384r1:
4127 return 29;
4128 #endif /* NID_brainpoolP384r1 */
4129 #ifdef NID_brainpoolP512r1
4130 case NID_brainpoolP512r1:
4131 return 30;
4132 #endif /* NID_brainpoolP512r1 */
4133 default:
4134 wpa_printf(MSG_ERROR,
4135 "OpenSSL: Unsupported curve (nid=%d) in EC key",
4136 nid);
4137 return -1;
4138 }
4139 }
4140
4141
crypto_ec_key_cmp(struct crypto_ec_key * key1,struct crypto_ec_key * key2)4142 int crypto_ec_key_cmp(struct crypto_ec_key *key1, struct crypto_ec_key *key2)
4143 {
4144 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4145 if (EVP_PKEY_eq((EVP_PKEY *) key1, (EVP_PKEY *) key2) != 1)
4146 return -1;
4147 #else
4148 if (EVP_PKEY_cmp((EVP_PKEY *) key1, (EVP_PKEY *) key2) != 1)
4149 return -1;
4150 #endif
4151 return 0;
4152 }
4153
4154
crypto_ec_key_debug_print(const struct crypto_ec_key * key,const char * title)4155 void crypto_ec_key_debug_print(const struct crypto_ec_key *key,
4156 const char *title)
4157 {
4158 BIO *out;
4159 size_t rlen;
4160 char *txt;
4161 int res;
4162
4163 out = BIO_new(BIO_s_mem());
4164 if (!out)
4165 return;
4166
4167 EVP_PKEY_print_private(out, (EVP_PKEY *) key, 0, NULL);
4168 rlen = BIO_ctrl_pending(out);
4169 txt = os_malloc(rlen + 1);
4170 if (txt) {
4171 res = BIO_read(out, txt, rlen);
4172 if (res > 0) {
4173 txt[res] = '\0';
4174 wpa_printf(MSG_DEBUG, "%s: %s", title, txt);
4175 }
4176 os_free(txt);
4177 }
4178 BIO_free(out);
4179 }
4180
4181
crypto_pkcs7_get_certificates(const struct wpabuf * pkcs7)4182 struct wpabuf * crypto_pkcs7_get_certificates(const struct wpabuf *pkcs7)
4183 {
4184 #ifdef OPENSSL_IS_BORINGSSL
4185 CBS pkcs7_cbs;
4186 #else /* OPENSSL_IS_BORINGSSL */
4187 PKCS7 *p7 = NULL;
4188 const unsigned char *p = wpabuf_head(pkcs7);
4189 #endif /* OPENSSL_IS_BORINGSSL */
4190 STACK_OF(X509) *certs;
4191 int i, num;
4192 BIO *out = NULL;
4193 size_t rlen;
4194 struct wpabuf *pem = NULL;
4195 int res;
4196
4197 #ifdef OPENSSL_IS_BORINGSSL
4198 certs = sk_X509_new_null();
4199 if (!certs)
4200 goto fail;
4201 CBS_init(&pkcs7_cbs, wpabuf_head(pkcs7), wpabuf_len(pkcs7));
4202 if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
4203 wpa_printf(MSG_INFO,
4204 "OpenSSL: Could not parse PKCS#7 object: %s",
4205 ERR_error_string(ERR_get_error(), NULL));
4206 goto fail;
4207 }
4208 #else /* OPENSSL_IS_BORINGSSL */
4209 p7 = d2i_PKCS7(NULL, &p, wpabuf_len(pkcs7));
4210 if (!p7) {
4211 wpa_printf(MSG_INFO,
4212 "OpenSSL: Could not parse PKCS#7 object: %s",
4213 ERR_error_string(ERR_get_error(), NULL));
4214 goto fail;
4215 }
4216
4217 switch (OBJ_obj2nid(p7->type)) {
4218 case NID_pkcs7_signed:
4219 certs = p7->d.sign->cert;
4220 break;
4221 case NID_pkcs7_signedAndEnveloped:
4222 certs = p7->d.signed_and_enveloped->cert;
4223 break;
4224 default:
4225 certs = NULL;
4226 break;
4227 }
4228 #endif /* OPENSSL_IS_BORINGSSL */
4229
4230 if (!certs || ((num = sk_X509_num(certs)) == 0)) {
4231 wpa_printf(MSG_INFO,
4232 "OpenSSL: No certificates found in PKCS#7 object");
4233 goto fail;
4234 }
4235
4236 out = BIO_new(BIO_s_mem());
4237 if (!out)
4238 goto fail;
4239
4240 for (i = 0; i < num; i++) {
4241 X509 *cert = sk_X509_value(certs, i);
4242
4243 PEM_write_bio_X509(out, cert);
4244 }
4245
4246 rlen = BIO_ctrl_pending(out);
4247 pem = wpabuf_alloc(rlen);
4248 if (!pem)
4249 goto fail;
4250 res = BIO_read(out, wpabuf_put(pem, 0), rlen);
4251 if (res <= 0) {
4252 wpabuf_free(pem);
4253 pem = NULL;
4254 goto fail;
4255 }
4256 wpabuf_put(pem, res);
4257
4258 fail:
4259 #ifdef OPENSSL_IS_BORINGSSL
4260 if (certs)
4261 sk_X509_pop_free(certs, X509_free);
4262 #else /* OPENSSL_IS_BORINGSSL */
4263 PKCS7_free(p7);
4264 #endif /* OPENSSL_IS_BORINGSSL */
4265 if (out)
4266 BIO_free_all(out);
4267
4268 return pem;
4269 }
4270
4271
crypto_csr_init()4272 struct crypto_csr * crypto_csr_init()
4273 {
4274 return (struct crypto_csr *)X509_REQ_new();
4275 }
4276
4277
crypto_csr_verify(const struct wpabuf * req)4278 struct crypto_csr * crypto_csr_verify(const struct wpabuf *req)
4279 {
4280 X509_REQ *csr;
4281 EVP_PKEY *pkey = NULL;
4282 const u8 *der = wpabuf_head(req);
4283
4284 csr = d2i_X509_REQ(NULL, &der, wpabuf_len(req));
4285 if (!csr)
4286 return NULL;
4287
4288 pkey = X509_REQ_get_pubkey((X509_REQ *)csr);
4289 if (!pkey)
4290 goto fail;
4291
4292 if (X509_REQ_verify((X509_REQ *)csr, pkey) != 1)
4293 goto fail;
4294
4295 return (struct crypto_csr *)csr;
4296 fail:
4297 X509_REQ_free(csr);
4298 return NULL;
4299 }
4300
4301
crypto_csr_deinit(struct crypto_csr * csr)4302 void crypto_csr_deinit(struct crypto_csr *csr)
4303 {
4304 X509_REQ_free((X509_REQ *)csr);
4305 }
4306
4307
crypto_csr_set_ec_public_key(struct crypto_csr * csr,struct crypto_ec_key * key)4308 int crypto_csr_set_ec_public_key(struct crypto_csr *csr, struct crypto_ec_key *key)
4309 {
4310 if (!X509_REQ_set_pubkey((X509_REQ *)csr, (EVP_PKEY *)key))
4311 return -1;
4312
4313 return 0;
4314 }
4315
4316
crypto_csr_set_name(struct crypto_csr * csr,enum crypto_csr_name type,const char * name)4317 int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
4318 const char *name)
4319 {
4320 X509_NAME *n;
4321 int nid;
4322
4323 switch (type) {
4324 case CSR_NAME_CN:
4325 nid = NID_commonName;
4326 break;
4327 case CSR_NAME_SN:
4328 nid = NID_surname;
4329 break;
4330 case CSR_NAME_C:
4331 nid = NID_countryName;
4332 break;
4333 case CSR_NAME_O:
4334 nid = NID_organizationName;
4335 break;
4336 case CSR_NAME_OU:
4337 nid = NID_organizationalUnitName;
4338 break;
4339 default:
4340 return -1;
4341 }
4342
4343 n = X509_REQ_get_subject_name((X509_REQ *) csr);
4344 if (!n)
4345 return -1;
4346
4347 #if OPENSSL_VERSION_NUMBER < 0x10100000L
4348 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
4349 (unsigned char *) name,
4350 os_strlen(name), -1, 0))
4351 return -1;
4352 #else
4353 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
4354 (const unsigned char *) name,
4355 os_strlen(name), -1, 0))
4356 return -1;
4357 #endif
4358
4359 return 0;
4360 }
4361
4362
crypto_csr_set_attribute(struct crypto_csr * csr,enum crypto_csr_attr attr,int attr_type,const u8 * value,size_t len)4363 int crypto_csr_set_attribute(struct crypto_csr *csr, enum crypto_csr_attr attr,
4364 int attr_type, const u8 *value, size_t len)
4365 {
4366 int nid;
4367
4368 switch (attr) {
4369 case CSR_ATTR_CHALLENGE_PASSWORD:
4370 nid = NID_pkcs9_challengePassword;
4371 break;
4372 default:
4373 return -1;
4374 }
4375
4376 if (!X509_REQ_add1_attr_by_NID((X509_REQ *) csr, nid, attr_type, value,
4377 len))
4378 return -1;
4379
4380 return 0;
4381 }
4382
4383
crypto_csr_get_attribute(struct crypto_csr * csr,enum crypto_csr_attr attr,size_t * len,int * type)4384 const u8 * crypto_csr_get_attribute(struct crypto_csr *csr,
4385 enum crypto_csr_attr attr,
4386 size_t *len, int *type)
4387 {
4388 X509_ATTRIBUTE *attrib;
4389 ASN1_TYPE *attrib_type;
4390 ASN1_STRING *data;
4391 int loc;
4392 int nid;
4393
4394 switch (attr) {
4395 case CSR_ATTR_CHALLENGE_PASSWORD:
4396 nid = NID_pkcs9_challengePassword;
4397 break;
4398 default:
4399 return NULL;
4400 }
4401
4402 loc = X509_REQ_get_attr_by_NID((X509_REQ *) csr, nid, -1);
4403 if (loc < 0)
4404 return NULL;
4405
4406 attrib = X509_REQ_get_attr((X509_REQ *) csr, loc);
4407 if (!attrib)
4408 return NULL;
4409
4410 attrib_type = X509_ATTRIBUTE_get0_type(attrib, 0);
4411 if (!attrib_type)
4412 return NULL;
4413 *type = ASN1_TYPE_get(attrib_type);
4414 data = X509_ATTRIBUTE_get0_data(attrib, 0, *type, NULL);
4415 if (!data)
4416 return NULL;
4417 *len = ASN1_STRING_length(data);
4418 return ASN1_STRING_get0_data(data);
4419 }
4420
4421
crypto_csr_sign(struct crypto_csr * csr,struct crypto_ec_key * key,enum crypto_hash_alg algo)4422 struct wpabuf * crypto_csr_sign(struct crypto_csr *csr,
4423 struct crypto_ec_key *key,
4424 enum crypto_hash_alg algo)
4425 {
4426 const EVP_MD *sign_md;
4427 struct wpabuf *buf;
4428 unsigned char *der = NULL;
4429 int der_len;
4430
4431 switch (algo) {
4432 case CRYPTO_HASH_ALG_SHA256:
4433 sign_md = EVP_sha256();
4434 break;
4435 case CRYPTO_HASH_ALG_SHA384:
4436 sign_md = EVP_sha384();
4437 break;
4438 case CRYPTO_HASH_ALG_SHA512:
4439 sign_md = EVP_sha512();
4440 break;
4441 default:
4442 return NULL;
4443 }
4444
4445 if (!X509_REQ_sign((X509_REQ *) csr, (EVP_PKEY *) key, sign_md))
4446 return NULL;
4447
4448 der_len = i2d_X509_REQ((X509_REQ *) csr, &der);
4449 if (der_len < 0)
4450 return NULL;
4451
4452 buf = wpabuf_alloc_copy(der, der_len);
4453 OPENSSL_free(der);
4454
4455 return buf;
4456 }
4457
4458 #endif /* CONFIG_ECC */
4459
4460
crypto_rsa_key_read_public(FILE * f)4461 static EVP_PKEY * crypto_rsa_key_read_public(FILE *f)
4462 {
4463 EVP_PKEY *pkey;
4464 X509 *x509;
4465 const ASN1_TIME *not_before, *not_after;
4466 int res_before, res_after;
4467
4468 pkey = PEM_read_PUBKEY(f, NULL, NULL, NULL);
4469 if (pkey)
4470 return pkey;
4471
4472 rewind(f);
4473 x509 = PEM_read_X509(f, NULL, NULL, NULL);
4474 if (!x509)
4475 return NULL;
4476
4477 not_before = X509_get0_notBefore(x509);
4478 not_after = X509_get0_notAfter(x509);
4479 if (!not_before || !not_after)
4480 goto fail;
4481 res_before = X509_cmp_current_time(not_before);
4482 res_after = X509_cmp_current_time(not_after);
4483 if (!res_before || !res_after)
4484 goto fail;
4485 if (res_before > 0 || res_after < 0) {
4486 wpa_printf(MSG_INFO,
4487 "OpenSSL: Certificate for RSA public key is not valid at this time (%d %d)",
4488 res_before, res_after);
4489 goto fail;
4490 }
4491
4492 pkey = X509_get_pubkey(x509);
4493 X509_free(x509);
4494
4495 if (!pkey)
4496 return NULL;
4497 if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) {
4498 wpa_printf(MSG_INFO, "OpenSSL: No RSA public key found");
4499 EVP_PKEY_free(pkey);
4500 return NULL;
4501 }
4502
4503 return pkey;
4504 fail:
4505 X509_free(x509);
4506 return NULL;
4507 }
4508
4509
crypto_rsa_key_read(const char * file,bool private_key)4510 struct crypto_rsa_key * crypto_rsa_key_read(const char *file, bool private_key)
4511 {
4512 FILE *f;
4513 EVP_PKEY *pkey;
4514
4515 f = fopen(file, "r");
4516 if (!f)
4517 return NULL;
4518 if (private_key)
4519 pkey = PEM_read_PrivateKey(f, NULL, NULL, NULL);
4520 else
4521 pkey = crypto_rsa_key_read_public(f);
4522 fclose(f);
4523 return (struct crypto_rsa_key *) pkey;
4524 }
4525
4526
4527 #ifndef OPENSSL_NO_SHA256
4528
crypto_rsa_oaep_sha256_encrypt(struct crypto_rsa_key * key,const struct wpabuf * in)4529 struct wpabuf * crypto_rsa_oaep_sha256_encrypt(struct crypto_rsa_key *key,
4530 const struct wpabuf *in)
4531 {
4532 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
4533 EVP_PKEY *pkey = (EVP_PKEY *) key;
4534 EVP_PKEY_CTX *pkctx;
4535 struct wpabuf *res = NULL;
4536 size_t outlen;
4537
4538 pkctx = EVP_PKEY_CTX_new(pkey, NULL);
4539 if (!pkctx)
4540 goto fail;
4541
4542 if (EVP_PKEY_encrypt_init(pkctx) != 1 ||
4543 EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0 ||
4544 EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, EVP_sha256()) <= 0 ||
4545 EVP_PKEY_encrypt(pkctx, NULL, &outlen, wpabuf_head(in),
4546 wpabuf_len(in)) != 1 ||
4547 !(res = wpabuf_alloc(outlen)) ||
4548 EVP_PKEY_encrypt(pkctx, wpabuf_put(res, 0), &outlen,
4549 wpabuf_head(in), wpabuf_len(in)) != 1) {
4550 wpabuf_free(res);
4551 res = NULL;
4552 goto fail;
4553 }
4554 wpabuf_put(res, outlen);
4555
4556 fail:
4557 EVP_PKEY_CTX_free(pkctx);
4558 return res;
4559 #else
4560 wpa_printf(MSG_ERROR, "%s() not supported", __func__);
4561 return NULL;
4562 #endif
4563 }
4564
4565
crypto_rsa_oaep_sha256_decrypt(struct crypto_rsa_key * key,const struct wpabuf * in)4566 struct wpabuf * crypto_rsa_oaep_sha256_decrypt(struct crypto_rsa_key *key,
4567 const struct wpabuf *in)
4568 {
4569 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
4570 EVP_PKEY *pkey = (EVP_PKEY *) key;
4571 EVP_PKEY_CTX *pkctx;
4572 struct wpabuf *res = NULL;
4573 size_t outlen;
4574
4575 pkctx = EVP_PKEY_CTX_new(pkey, NULL);
4576 if (!pkctx)
4577 goto fail;
4578
4579 if (EVP_PKEY_decrypt_init(pkctx) != 1 ||
4580 EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0 ||
4581 EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, EVP_sha256()) <= 0 ||
4582 EVP_PKEY_decrypt(pkctx, NULL, &outlen, wpabuf_head(in),
4583 wpabuf_len(in)) != 1 ||
4584 !(res = wpabuf_alloc(outlen)) ||
4585 EVP_PKEY_decrypt(pkctx, wpabuf_put(res, 0), &outlen,
4586 wpabuf_head(in), wpabuf_len(in)) != 1) {
4587 wpabuf_free(res);
4588 res = NULL;
4589 goto fail;
4590 }
4591 wpabuf_put(res, outlen);
4592
4593 fail:
4594 EVP_PKEY_CTX_free(pkctx);
4595 return res;
4596 #else
4597 wpa_printf(MSG_ERROR, "%s() not supported", __func__);
4598 return NULL;
4599 #endif
4600 }
4601
4602 #endif /* OPENSSL_NO_SHA256 */
4603
4604
crypto_rsa_key_free(struct crypto_rsa_key * key)4605 void crypto_rsa_key_free(struct crypto_rsa_key *key)
4606 {
4607 EVP_PKEY_free((EVP_PKEY *) key);
4608 }
4609
4610
4611 #ifdef CONFIG_DPP3
4612
4613 #define HPKE_MAX_SHARED_SECRET_LEN 66
4614 #define HPKE_MAX_HASH_LEN 64
4615 #define HPKE_MAX_KEY_LEN 32
4616 #define HPKE_MAX_NONCE_LEN 12
4617 #define HPKE_MAX_PUB_LEN (1 + 2 * 66)
4618
4619 struct hpke_context {
4620 /* KEM */
4621 enum hpke_kem_id kem_id;
4622 int kem_nid;
4623 int iana_group;
4624 size_t n_pk;
4625 size_t n_secret;
4626 const EVP_MD *kem_h;
4627 size_t kem_n_h;
4628
4629 /* KDF */
4630 enum hpke_kdf_id kdf_id;
4631 const EVP_MD *kdf_h;
4632 size_t n_h;
4633
4634 /* AEAD */
4635 enum hpke_aead_id aead_id;
4636 const EVP_CIPHER *cipher;
4637 size_t n_k;
4638 size_t n_n;
4639 size_t n_t;
4640 u8 key[HPKE_MAX_KEY_LEN];
4641 u8 base_nonce[HPKE_MAX_NONCE_LEN];
4642 };
4643
4644
hpke_free_context(struct hpke_context * ctx)4645 static void hpke_free_context(struct hpke_context *ctx)
4646 {
4647 bin_clear_free(ctx, sizeof(*ctx));
4648 }
4649
4650
hpke_get_context(enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id,struct crypto_ec_key * key)4651 static struct hpke_context * hpke_get_context(enum hpke_kem_id kem_id,
4652 enum hpke_kdf_id kdf_id,
4653 enum hpke_aead_id aead_id,
4654 struct crypto_ec_key *key)
4655 {
4656 struct hpke_context *ctx;
4657 int group;
4658
4659 ctx = os_zalloc(sizeof(*ctx));
4660 if (!ctx)
4661 return NULL;
4662
4663 ctx->kem_id = kem_id;
4664 switch (kem_id) {
4665 case HPKE_DHKEM_P256_HKDF_SHA256:
4666 ctx->kem_nid = NID_X9_62_prime256v1;
4667 ctx->iana_group = 19;
4668 ctx->n_pk = 65;
4669 ctx->n_secret = 32;
4670 ctx->kem_h = EVP_sha256();
4671 ctx->kem_n_h = 32;
4672 break;
4673 case HPKE_DHKEM_P384_HKDF_SHA384:
4674 ctx->kem_nid = NID_secp384r1;
4675 ctx->iana_group = 20;
4676 ctx->n_pk = 97;
4677 ctx->n_secret = 48;
4678 ctx->kem_h = EVP_sha384();
4679 ctx->kem_n_h = 48;
4680 break;
4681 case HPKE_DHKEM_P521_HKDF_SHA512:
4682 ctx->kem_nid = NID_secp521r1;
4683 ctx->iana_group = 21;
4684 ctx->n_pk = 133;
4685 ctx->n_secret = 64;
4686 ctx->kem_h = EVP_sha512();
4687 ctx->kem_n_h = 64;
4688 break;
4689 default:
4690 goto fail;
4691 }
4692
4693 ctx->kdf_id = kdf_id;
4694 switch (kdf_id) {
4695 case HPKE_KDF_HKDF_SHA256:
4696 ctx->kdf_h = EVP_sha256();
4697 ctx->n_h = 32;
4698 break;
4699 case HPKE_KDF_HKDF_SHA384:
4700 ctx->kdf_h = EVP_sha384();
4701 ctx->n_h = 48;
4702 break;
4703 case HPKE_KDF_HKDF_SHA512:
4704 ctx->kdf_h = EVP_sha512();
4705 ctx->n_h = 64;
4706 break;
4707 default:
4708 goto fail;
4709 }
4710
4711 ctx->aead_id = aead_id;
4712 switch (aead_id) {
4713 case HPKE_AEAD_AES_128_GCM:
4714 ctx->cipher = EVP_aes_128_gcm();
4715 ctx->n_k = 16;
4716 ctx->n_n = 12;
4717 ctx->n_t = 16;
4718 break;
4719 case HPKE_AEAD_AES_256_GCM:
4720 ctx->cipher = EVP_aes_256_gcm();
4721 ctx->n_k = 32;
4722 ctx->n_n = 12;
4723 ctx->n_t = 16;
4724 break;
4725 default:
4726 goto fail;
4727 }
4728
4729 /* Convert BP-256/384/512 to P-256/384/521 for DPP */
4730 group = crypto_ec_key_group(key);
4731 if (group == 28 && ctx->iana_group == 19) {
4732 ctx->iana_group = 28;
4733 } else if (group == 29 && ctx->iana_group == 20) {
4734 ctx->iana_group = 29;
4735 } else if (group == 30 && ctx->iana_group == 21) {
4736 ctx->iana_group = 30;
4737 ctx->n_pk = 129;
4738 }
4739 if (group != ctx->iana_group) {
4740 wpa_printf(MSG_INFO, "OpenSSL:%s:group mismatch (%d != %d)",
4741 __func__, group, ctx->iana_group);
4742 goto fail;
4743 }
4744
4745 return ctx;
4746 fail:
4747 hpke_free_context(ctx);
4748 return NULL;
4749 }
4750
4751
hpke_suite_id(struct hpke_context * ctx,bool kem,u8 * suite_id)4752 static size_t hpke_suite_id(struct hpke_context *ctx, bool kem, u8 *suite_id)
4753 {
4754 size_t suite_id_len;
4755
4756 if (kem) {
4757 os_memcpy(suite_id, "KEM", 3);
4758 WPA_PUT_BE16(&suite_id[3], ctx->kem_id);
4759 suite_id_len = 5;
4760 } else {
4761 os_memcpy(suite_id, "HPKE", 4);
4762 WPA_PUT_BE16(&suite_id[4], ctx->kem_id);
4763 WPA_PUT_BE16(&suite_id[6], ctx->kdf_id);
4764 WPA_PUT_BE16(&suite_id[8], ctx->aead_id);
4765 suite_id_len = 10;
4766 }
4767 return suite_id_len;
4768 }
4769
4770
hpke_labeled_extract(struct hpke_context * ctx,bool kem,const u8 * salt,size_t salt_len,const char * label,const u8 * ikm,size_t ikm_len,u8 * prk)4771 static int hpke_labeled_extract(struct hpke_context *ctx, bool kem,
4772 const u8 *salt, size_t salt_len,
4773 const char *label,
4774 const u8 *ikm, size_t ikm_len, u8 *prk)
4775 {
4776 u8 zero[HPKE_MAX_HASH_LEN];
4777 u8 suite_id[10];
4778 size_t suite_id_len;
4779 unsigned int mdlen = kem ? ctx->kem_n_h : ctx->n_h;
4780 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4781 EVP_MAC *hmac;
4782 OSSL_PARAM params[2];
4783 EVP_MAC_CTX *hctx;
4784 size_t mlen;
4785 int res;
4786 #else /* OpenSSL version >= 3.0 */
4787 HMAC_CTX *hctx;
4788 int res;
4789 #endif /* OpenSSL version >= 3.0 */
4790
4791 if (!salt || !salt_len) {
4792 salt_len = mdlen;
4793 os_memset(zero, 0, salt_len);
4794 salt = zero;
4795 }
4796
4797 suite_id_len = hpke_suite_id(ctx, kem, suite_id);
4798
4799 /* labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
4800 * return Extract(salt, labeled_ikm) */
4801
4802 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4803 hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
4804 if (!hmac)
4805 return -1;
4806
4807 params[0] = OSSL_PARAM_construct_utf8_string(
4808 "digest",
4809 (char *) EVP_MD_get0_name(kem ? ctx->kem_h : ctx->kdf_h), 0);
4810 params[1] = OSSL_PARAM_construct_end();
4811
4812 hctx = EVP_MAC_CTX_new(hmac);
4813 EVP_MAC_free(hmac);
4814 if (!hctx)
4815 return -1;
4816
4817 if (EVP_MAC_init(hctx, salt, salt_len, params) != 1)
4818 goto fail;
4819
4820 if (EVP_MAC_update(hctx, (const unsigned char *) "HPKE-v1", 7) != 1 ||
4821 EVP_MAC_update(hctx, suite_id, suite_id_len) != 1 ||
4822 EVP_MAC_update(hctx, (const unsigned char *) label,
4823 os_strlen(label)) != 1 ||
4824 EVP_MAC_update(hctx, ikm, ikm_len) != 1)
4825 goto fail;
4826
4827 res = EVP_MAC_final(hctx, prk, &mlen, mdlen);
4828 EVP_MAC_CTX_free(hctx);
4829
4830 return res == 1 ? 0 : -1;
4831 fail:
4832 EVP_MAC_CTX_free(hctx);
4833 return -1;
4834 #else /* OpenSSL version >= 3.0 */
4835 hctx = HMAC_CTX_new();
4836 if (!hctx)
4837 return -1;
4838 res = HMAC_Init_ex(hctx, salt, salt_len, kem ? ctx->kem_h : ctx->kdf_h,
4839 NULL);
4840 if (res != 1)
4841 goto done;
4842
4843 HMAC_Update(hctx, (const unsigned char *) "HPKE-v1", 7);
4844 HMAC_Update(hctx, suite_id, suite_id_len);
4845 HMAC_Update(hctx, (const unsigned char *) label, os_strlen(label));
4846 HMAC_Update(hctx, ikm, ikm_len);
4847
4848 res = HMAC_Final(hctx, prk, &mdlen);
4849 done:
4850 HMAC_CTX_free(hctx);
4851
4852 return res == 1 ? 0 : -1;
4853 #endif /* OpenSSL version >= 3.0 */
4854 }
4855
4856
4857 static int
hpke_labeled_expand(struct hpke_context * ctx,bool kem,const u8 * prk,const char * label,const u8 * info,size_t info_len,u8 * out,size_t out_len)4858 hpke_labeled_expand(struct hpke_context *ctx, bool kem, const u8 *prk,
4859 const char *label, const u8 *info, size_t info_len,
4860 u8 *out, size_t out_len)
4861 {
4862 u8 suite_id[10];
4863 size_t suite_id_len;
4864 u8 hash[HPKE_MAX_HASH_LEN];
4865 u8 iter = 0;
4866 size_t label_len = os_strlen(label);
4867 u8 *pos;
4868 size_t left = out_len, clen;
4869 int res = -1;
4870 u8 *labeled_info;
4871 size_t labeled_info_len;
4872 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4873 EVP_MAC *hmac;
4874 OSSL_PARAM params[2];
4875 EVP_MAC_CTX *hctx = NULL;
4876 size_t mdlen;
4877 #else /* OpenSSL version >= 3.0 */
4878 HMAC_CTX *hctx;
4879 unsigned int mdlen;
4880 #endif /* OpenSSL version >= 3.0 */
4881
4882 /* labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
4883 * label, info)
4884 * return Expand(prk, labeled_info, L) */
4885 suite_id_len = hpke_suite_id(ctx, kem, suite_id);
4886 labeled_info_len = 2 + 7 + suite_id_len + label_len + info_len;
4887 labeled_info = os_malloc(labeled_info_len);
4888 if (!labeled_info)
4889 return -1;
4890 pos = labeled_info;
4891 WPA_PUT_BE16(pos, out_len);
4892 pos += 2;
4893 os_memcpy(pos, "HPKE-v1", 7);
4894 pos += 7;
4895 os_memcpy(pos, suite_id, suite_id_len);
4896 pos += suite_id_len;
4897 os_memcpy(pos, label, label_len);
4898 pos += label_len;
4899 if (info && info_len)
4900 os_memcpy(pos, info, info_len);
4901
4902 pos = out;
4903 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4904 hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
4905 if (!hmac)
4906 goto fail;
4907
4908 params[0] = OSSL_PARAM_construct_utf8_string(
4909 "digest",
4910 (char *) EVP_MD_get0_name(kem ? ctx->kem_h : ctx->kdf_h), 0);
4911 params[1] = OSSL_PARAM_construct_end();
4912 #else /* OpenSSL version >= 3.0 */
4913 hctx = HMAC_CTX_new();
4914 if (!hctx)
4915 goto fail;
4916 #endif /* OpenSSL version >= 3.0 */
4917
4918 while (left > 0) {
4919 mdlen = kem ? ctx->kem_n_h : ctx->n_h;
4920 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4921 EVP_MAC_CTX_free(hctx);
4922 hctx = EVP_MAC_CTX_new(hmac);
4923 if (!hctx)
4924 goto fail;
4925
4926 if (EVP_MAC_init(hctx, prk, mdlen, params) != 1)
4927 goto fail;
4928
4929 if (iter > 0 && EVP_MAC_update(hctx, hash, mdlen) != 1)
4930 goto fail;
4931 if (iter == 255)
4932 goto fail;
4933 iter++;
4934
4935 if (EVP_MAC_update(hctx, labeled_info, labeled_info_len) != 1 ||
4936 EVP_MAC_update(hctx, &iter, sizeof(iter)) != 1)
4937 goto fail;
4938
4939 if (EVP_MAC_final(hctx, hash, &mdlen, mdlen) != 1)
4940 goto fail;
4941 #else /* OpenSSL version >= 3.0 */
4942 if (HMAC_Init_ex(hctx, prk, mdlen,
4943 kem ? ctx->kem_h : ctx->kdf_h,
4944 NULL) != 1)
4945 goto fail;
4946
4947 if (iter > 0)
4948 HMAC_Update(hctx, hash, mdlen);
4949 if (iter == 255)
4950 goto fail;
4951 iter++;
4952 HMAC_Update(hctx, labeled_info, labeled_info_len);
4953 HMAC_Update(hctx, &iter, sizeof(iter));
4954
4955 if (HMAC_Final(hctx, hash, &mdlen) != 1)
4956 goto fail;
4957 HMAC_CTX_reset(hctx);
4958 #endif /* OpenSSL version >= 3.0 */
4959
4960 clen = left > mdlen ? mdlen : left;
4961 os_memcpy(pos, hash, clen);
4962 pos += clen;
4963 left -= clen;
4964 }
4965 res = 0;
4966 fail:
4967 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4968 EVP_MAC_free(hmac);
4969 EVP_MAC_CTX_free(hctx);
4970 #else /* OpenSSL version >= 3.0 */
4971 HMAC_CTX_free(hctx);
4972 #endif /* OpenSSL version >= 3.0 */
4973 os_free(labeled_info);
4974
4975 return res;
4976 }
4977
4978
hpke_extract_and_expand(struct hpke_context * ctx,const u8 * dhss,size_t dhss_len,const u8 * enc,size_t enc_len,const u8 * pk_rm,size_t pk_rm_len,u8 * shared_secret)4979 static int hpke_extract_and_expand(struct hpke_context *ctx,
4980 const u8 *dhss, size_t dhss_len,
4981 const u8 *enc, size_t enc_len,
4982 const u8 *pk_rm, size_t pk_rm_len,
4983 u8 *shared_secret)
4984 {
4985 u8 kem_context[2 * HPKE_MAX_PUB_LEN];
4986 u8 eae_prk[HPKE_MAX_HASH_LEN];
4987
4988 /* eae_prk = LabeledExtract("", "eae_prk", dh) */
4989 if (hpke_labeled_extract(ctx, true, NULL, 0, "eae_prk", dhss, dhss_len,
4990 eae_prk) < 0)
4991 return -1;
4992
4993 if (enc_len > HPKE_MAX_PUB_LEN || pk_rm_len > HPKE_MAX_PUB_LEN)
4994 return -1;
4995 /* kem_context = concat(enc, pkRm) */
4996 os_memcpy(kem_context, enc, enc_len);
4997 os_memcpy(&kem_context[enc_len], pk_rm, pk_rm_len);
4998
4999 /* shared_secret = LabeledExpand(eae_prk, "shared_secret",
5000 * kem_context, Nsecret) */
5001 if (hpke_labeled_expand(ctx, true, eae_prk, "shared_secret",
5002 kem_context, enc_len + pk_rm_len,
5003 shared_secret, ctx->n_secret) < 0)
5004 return -1;
5005
5006 forced_memzero(eae_prk, sizeof(eae_prk));
5007 return 0;
5008 }
5009
5010
hpke_key_schedule(struct hpke_context * ctx,const u8 * shared_secret,const u8 * info,size_t info_len)5011 static int hpke_key_schedule(struct hpke_context *ctx, const u8 *shared_secret,
5012 const u8 *info, size_t info_len)
5013 {
5014 u8 key_schedule_context[1 + 2 * HPKE_MAX_HASH_LEN];
5015 u8 secret[HPKE_MAX_HASH_LEN];
5016 int res = -1;
5017
5018 /* key_schedule_context = concat(mode, psk_id_hash, info_hash) */
5019 key_schedule_context[0] = HPKE_MODE_BASE;
5020
5021 /* psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id) */
5022 if (hpke_labeled_extract(ctx, false, NULL, 0, "psk_id_hash",
5023 NULL, 0, &key_schedule_context[1]) < 0)
5024 goto fail;
5025
5026 /* info_hash = LabeledExtract("", "info_hash", info) */
5027 if (hpke_labeled_extract(ctx, false, NULL, 0, "info_hash",
5028 info, info_len,
5029 &key_schedule_context[1 + ctx->n_h]) < 0)
5030 goto fail;
5031
5032 /* secret = LabeledExtract(shared_secret, "secret", psk) */
5033 if (hpke_labeled_extract(ctx, false, shared_secret, ctx->n_secret,
5034 "secret", NULL, 0, secret) < 0)
5035 goto fail;
5036
5037 /* key = LabeledExpand(secret, "key", key_schedule_context, Nk) */
5038 if (hpke_labeled_expand(ctx, false, secret, "key",
5039 key_schedule_context, 1 + 2 * ctx->n_h,
5040 ctx->key, ctx->n_k) < 0)
5041 goto fail;
5042
5043 /* base_nonce = LabeledExpand(secret, "base_nonce",
5044 * key_schedule_context, Nn) */
5045 if (hpke_labeled_expand(ctx, false, secret, "base_nonce",
5046 key_schedule_context, 1 + 2 * ctx->n_h,
5047 ctx->base_nonce, ctx->n_n) < 0)
5048 goto fail;
5049 res = 0;
5050 fail:
5051 forced_memzero(key_schedule_context, sizeof(key_schedule_context));
5052 forced_memzero(secret, sizeof(secret));
5053 return res;
5054 }
5055
5056
hpke_encap(struct hpke_context * ctx,struct crypto_ec_key * pk_r,u8 * shared_secret,u8 * enc)5057 static int hpke_encap(struct hpke_context *ctx, struct crypto_ec_key *pk_r,
5058 u8 *shared_secret, u8 *enc)
5059 {
5060 EVP_PKEY_CTX *pctx = NULL;
5061 struct crypto_ec_key *sk_e;
5062 int res = -1;
5063 u8 *dhss = NULL;
5064 size_t dhss_len = 0;
5065 struct wpabuf *enc_buf = NULL, *pk_rm = NULL;
5066
5067 /* skE, pkE = GenerateKeyPair() */
5068 sk_e = crypto_ec_key_gen(ctx->iana_group);
5069 if (!sk_e) {
5070 wpa_printf(MSG_INFO, "OpenSSL:%s:Could not generate key pair",
5071 __func__);
5072 goto fail;
5073 }
5074
5075 /* dh = DH(skE, pkR) */
5076 dhss_len = sizeof(dhss);
5077 pctx = EVP_PKEY_CTX_new((EVP_PKEY *) sk_e, NULL);
5078 if (!pctx ||
5079 EVP_PKEY_derive_init(pctx) != 1 ||
5080 EVP_PKEY_derive_set_peer(pctx, (EVP_PKEY *) pk_r) != 1 ||
5081 EVP_PKEY_derive(pctx, NULL, &dhss_len) != 1 ||
5082 !(dhss = os_malloc(dhss_len)) ||
5083 EVP_PKEY_derive(pctx, dhss, &dhss_len) != 1 ||
5084 dhss_len > HPKE_MAX_SHARED_SECRET_LEN) {
5085 wpa_printf(MSG_INFO,
5086 "OpenSSL: hpke_encap: EVP_PKEY_derive failed (dhss_len=%zu): %s",
5087 dhss_len, ERR_error_string(ERR_get_error(), NULL));
5088 goto fail;
5089 }
5090
5091 /* enc = SerializePublicKey(pkE) */
5092 enc_buf = crypto_ec_key_get_pubkey_point(sk_e, 1);
5093 if (!enc_buf)
5094 goto fail;
5095 os_memcpy(enc, wpabuf_head(enc_buf), wpabuf_len(enc_buf));
5096
5097 /* pkRm = SerializePublicKey(pkR) */
5098 pk_rm = crypto_ec_key_get_pubkey_point(pk_r, 1);
5099 if (!pk_rm)
5100 goto fail;
5101
5102 /* kem_context = concat(enc, pkRm) */
5103 /* shared_secret = ExtractAndExpand(dh, kem_context) */
5104 /* return shared_secret, enc */
5105 res = hpke_extract_and_expand(ctx, dhss, dhss_len, enc, ctx->n_pk,
5106 wpabuf_head(pk_rm),
5107 wpabuf_len(pk_rm), shared_secret);
5108 fail:
5109 bin_clear_free(dhss, dhss_len);
5110 crypto_ec_key_deinit(sk_e);
5111 EVP_PKEY_CTX_free(pctx);
5112 wpabuf_free(enc_buf);
5113 wpabuf_free(pk_rm);
5114 return res;
5115 }
5116
5117
5118 static struct wpabuf *
hpke_aead_seal(struct hpke_context * ctx,const u8 * aad,size_t aad_len,const u8 * pt,size_t pt_len)5119 hpke_aead_seal(struct hpke_context *ctx, const u8 *aad, size_t aad_len,
5120 const u8 *pt, size_t pt_len)
5121 {
5122 EVP_CIPHER_CTX *cctx;
5123 int len = 0;
5124 struct wpabuf *ct = NULL;
5125
5126 /* No need to xor in sequence number since we support only the
5127 * single-shot API, i.e., base_nonce can be used as-is. */
5128
5129 cctx = EVP_CIPHER_CTX_new();
5130 if (!cctx ||
5131 EVP_EncryptInit_ex(cctx, ctx->cipher, NULL, ctx->key,
5132 ctx->base_nonce) != 1) {
5133 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptInit_ex failed",
5134 __func__);
5135 goto fail;
5136 }
5137 if (aad && aad_len &&
5138 EVP_EncryptUpdate(cctx, NULL, &len, aad, aad_len) != 1) {
5139 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_EncryptUpdate(AAD) failed",
5140 __func__);
5141 goto fail;
5142 }
5143 ct = wpabuf_alloc(pt_len + AES_BLOCK_SIZE + ctx->n_t);
5144 if (!ct)
5145 goto fail;
5146 if (EVP_EncryptUpdate(cctx, wpabuf_put(ct, 0), &len, pt, pt_len) != 1) {
5147 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_EncryptUpdate failed",
5148 __func__);
5149 goto fail;
5150 }
5151 wpabuf_put(ct, len);
5152
5153 if (EVP_EncryptFinal(cctx, wpabuf_put(ct, 0), &len) != 1) {
5154 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptFinal failed",
5155 __func__);
5156 wpabuf_free(ct);
5157 ct = NULL;
5158 goto fail;
5159 }
5160
5161 if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_GET_TAG, ctx->n_t,
5162 wpabuf_put(ct, ctx->n_t)) != 1) {
5163 wpa_printf(MSG_INFO, "OpenSSL:%s:Could not get tag",
5164 __func__);
5165 wpabuf_free(ct);
5166 ct = NULL;
5167 goto fail;
5168 }
5169 fail:
5170 EVP_CIPHER_CTX_free(cctx);
5171 return ct;
5172 }
5173
5174
hpke_base_seal_int(enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id,struct crypto_ec_key * peer_pub,const u8 * info,size_t info_len,const u8 * aad,size_t aad_len,const u8 * pt,size_t pt_len)5175 static struct wpabuf * hpke_base_seal_int(enum hpke_kem_id kem_id,
5176 enum hpke_kdf_id kdf_id,
5177 enum hpke_aead_id aead_id,
5178 struct crypto_ec_key *peer_pub,
5179 const u8 *info, size_t info_len,
5180 const u8 *aad, size_t aad_len,
5181 const u8 *pt, size_t pt_len)
5182 {
5183 struct hpke_context *ctx;
5184 u8 shared_secret[HPKE_MAX_SHARED_SECRET_LEN];
5185 u8 enc[1 + 2 * HPKE_MAX_PUB_LEN];
5186 struct wpabuf *ct = NULL, *enc_ct = NULL;
5187
5188 ctx = hpke_get_context(kem_id, kdf_id, aead_id, peer_pub);
5189 if (!ctx)
5190 return NULL;
5191
5192 /* shared_secret, enc = Encap(pkR) */
5193 if (hpke_encap(ctx, peer_pub, shared_secret, enc) < 0)
5194 goto fail;
5195
5196 /* KeyScheduleS(mode_base, shared_secret, info,
5197 * default_psk, default_psk_id) */
5198 if (hpke_key_schedule(ctx, shared_secret, info, info_len) < 0)
5199 goto fail;
5200
5201 /* ct = ctx.Seal(aad, pt) */
5202 ct = hpke_aead_seal(ctx, aad, aad_len, pt, pt_len);
5203 if (!ct)
5204 goto fail;
5205
5206 /* return enc, ct */
5207 enc_ct = wpabuf_alloc(ctx->n_pk + wpabuf_len(ct));
5208 if (!enc_ct)
5209 goto fail;
5210 wpabuf_put_data(enc_ct, enc, ctx->n_pk);
5211 wpabuf_put_buf(enc_ct, ct);
5212
5213 fail:
5214 forced_memzero(shared_secret, sizeof(shared_secret));
5215 hpke_free_context(ctx);
5216 wpabuf_free(ct);
5217 return enc_ct;
5218 }
5219
5220
hpke_decap(struct hpke_context * ctx,const u8 * enc,size_t enc_ct_len,struct crypto_ec_key * sk_r,u8 * shared_secret)5221 static int hpke_decap(struct hpke_context *ctx, const u8 *enc,
5222 size_t enc_ct_len, struct crypto_ec_key *sk_r,
5223 u8 *shared_secret)
5224 {
5225 EVP_PKEY_CTX *pctx = NULL;
5226 struct wpabuf *pk_rm = NULL;
5227 size_t len;
5228 int res = -1;
5229 struct crypto_ec_key *pk_e = NULL;
5230 u8 *dhss = NULL;
5231 size_t dhss_len = 0;
5232
5233 /* pkE = DeserializePublicKey(enc) */
5234 if (enc_ct_len < ctx->n_pk)
5235 return -1; /* not enough room for enc */
5236 if (enc[0] != 0x04)
5237 return -1; /* not in uncompressed form */
5238 len = (ctx->n_pk - 1) / 2;
5239 pk_e = crypto_ec_key_set_pub(ctx->iana_group, &enc[1],
5240 &enc[1 + len], len);
5241 if (!pk_e)
5242 return -1; /* invalid public key point */
5243 /* dh = DH(skR, pkE) */
5244 pctx = EVP_PKEY_CTX_new((EVP_PKEY *) sk_r, NULL);
5245 if (!pctx ||
5246 EVP_PKEY_derive_init(pctx) != 1 ||
5247 EVP_PKEY_derive_set_peer(pctx, (EVP_PKEY *) pk_e) != 1 ||
5248 EVP_PKEY_derive(pctx, NULL, &dhss_len) != 1 ||
5249 !(dhss = os_malloc(dhss_len)) ||
5250 EVP_PKEY_derive(pctx, dhss, &dhss_len) != 1 ||
5251 dhss_len > HPKE_MAX_SHARED_SECRET_LEN) {
5252 wpa_printf(MSG_INFO,
5253 "OpenSSL: hpke_decap: EVP_PKEY_derive failed (dhss_len=%zu): %s",
5254 dhss_len, ERR_error_string(ERR_get_error(), NULL));
5255 goto fail;
5256 }
5257
5258 /* pkRm = SerializePublicKey(pk(skR)) */
5259 pk_rm = crypto_ec_key_get_pubkey_point(sk_r, 1);
5260 if (!pk_rm)
5261 goto fail;
5262
5263 /* kem_context = concat(enc, pkRm) */
5264 /* shared_secret = ExtractAndExpand(dh, kem_context) */
5265 res = hpke_extract_and_expand(ctx, dhss, dhss_len, enc, ctx->n_pk,
5266 wpabuf_head(pk_rm),
5267 wpabuf_len(pk_rm), shared_secret);
5268 fail:
5269 bin_clear_free(dhss, dhss_len);
5270 crypto_ec_key_deinit(pk_e);
5271 EVP_PKEY_CTX_free(pctx);
5272 wpabuf_free(pk_rm);
5273 return res;
5274 }
5275
5276
5277 static struct wpabuf *
hpke_aead_open(struct hpke_context * ctx,const u8 * aad,size_t aad_len,const u8 * ct,size_t ct_len)5278 hpke_aead_open(struct hpke_context *ctx, const u8 *aad, size_t aad_len,
5279 const u8 *ct, size_t ct_len)
5280 {
5281 EVP_CIPHER_CTX *cctx;
5282 int len = 0;
5283 const u8 *tag;
5284 struct wpabuf *pt = NULL;
5285
5286 if (ct_len < ctx->n_t)
5287 return NULL;
5288 tag = ct + ct_len - ctx->n_t;
5289 ct_len -= ctx->n_t;
5290
5291 /* No need to xor in sequence number since we support only the
5292 * single-shot API, i.e., base_nonce can be used as-is. */
5293
5294 cctx = EVP_CIPHER_CTX_new();
5295 if (!cctx ||
5296 EVP_DecryptInit_ex(cctx, ctx->cipher, NULL, ctx->key,
5297 ctx->base_nonce) != 1) {
5298 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptInit_ex failed",
5299 __func__);
5300 goto fail;
5301 }
5302 if (aad && aad_len &&
5303 EVP_DecryptUpdate(cctx, NULL, &len, aad, aad_len) != 1) {
5304 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptUpdate(AAD) failed",
5305 __func__);
5306 goto fail;
5307 }
5308 pt = wpabuf_alloc(ct_len + AES_BLOCK_SIZE);
5309 if (!pt)
5310 goto fail;
5311 if (EVP_DecryptUpdate(cctx, wpabuf_put(pt, 0), &len, ct, ct_len) != 1) {
5312 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptUpdate failed",
5313 __func__);
5314 goto fail;
5315 }
5316 wpabuf_put(pt, len);
5317
5318 if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_SET_TAG, ctx->n_t,
5319 (void *) tag) != 1) {
5320 wpa_printf(MSG_INFO, "OpenSSL:%s:Could not set tag",
5321 __func__);
5322 wpabuf_free(pt);
5323 pt = NULL;
5324 goto fail;
5325 }
5326
5327 if (EVP_DecryptFinal(cctx, wpabuf_put(pt, 0), &len) != 1) {
5328 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptFinal failed",
5329 __func__);
5330 wpabuf_free(pt);
5331 pt = NULL;
5332 }
5333 fail:
5334 EVP_CIPHER_CTX_free(cctx);
5335 return pt;
5336 }
5337
5338
hpke_base_open_int(enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id,struct crypto_ec_key * own_priv,const u8 * info,size_t info_len,const u8 * aad,size_t aad_len,const u8 * enc_ct,size_t enc_ct_len)5339 static struct wpabuf * hpke_base_open_int(enum hpke_kem_id kem_id,
5340 enum hpke_kdf_id kdf_id,
5341 enum hpke_aead_id aead_id,
5342 struct crypto_ec_key *own_priv,
5343 const u8 *info, size_t info_len,
5344 const u8 *aad, size_t aad_len,
5345 const u8 *enc_ct, size_t enc_ct_len)
5346 {
5347 struct hpke_context *ctx;
5348 u8 shared_secret[HPKE_MAX_SHARED_SECRET_LEN];
5349 struct wpabuf *pt = NULL;
5350
5351 ctx = hpke_get_context(kem_id, kdf_id, aead_id, own_priv);
5352 if (!ctx)
5353 return NULL;
5354
5355 /* shared_secret = Decap(enc, skR) */
5356 if (hpke_decap(ctx, enc_ct, enc_ct_len, own_priv, shared_secret) < 0)
5357 goto fail;
5358
5359 /* KeyScheduleR(mode_base, shared_secret, info,
5360 * default_psk, default_psk_id) */
5361 if (hpke_key_schedule(ctx, shared_secret, info, info_len) < 0)
5362 goto fail;
5363
5364 /* return ctx.Open(aad, ct) */
5365 pt = hpke_aead_open(ctx, aad, aad_len,
5366 &enc_ct[ctx->n_pk], enc_ct_len - ctx->n_pk);
5367
5368 fail:
5369 forced_memzero(shared_secret, sizeof(shared_secret));
5370 hpke_free_context(ctx);
5371 return pt;
5372 }
5373
5374
5375 #if OPENSSL_VERSION_NUMBER >= 0x30200000L
5376
hpke_set_suite(OSSL_HPKE_SUITE * suite,enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id)5377 static bool hpke_set_suite(OSSL_HPKE_SUITE *suite,
5378 enum hpke_kem_id kem_id,
5379 enum hpke_kdf_id kdf_id,
5380 enum hpke_aead_id aead_id)
5381 {
5382 os_memset(suite, 0, sizeof(*suite));
5383
5384 switch (kem_id) {
5385 case HPKE_DHKEM_P256_HKDF_SHA256:
5386 suite->kem_id = OSSL_HPKE_KEM_ID_P256;
5387 break;
5388 case HPKE_DHKEM_P384_HKDF_SHA384:
5389 suite->kem_id = OSSL_HPKE_KEM_ID_P384;
5390 break;
5391 case HPKE_DHKEM_P521_HKDF_SHA512:
5392 suite->kem_id = OSSL_HPKE_KEM_ID_P521;
5393 break;
5394 default:
5395 return false;
5396 }
5397
5398 switch (kdf_id) {
5399 case HPKE_KDF_HKDF_SHA256:
5400 suite->kdf_id = OSSL_HPKE_KDF_ID_HKDF_SHA256;
5401 break;
5402 case HPKE_KDF_HKDF_SHA384:
5403 suite->kdf_id = OSSL_HPKE_KDF_ID_HKDF_SHA384;
5404 break;
5405 case HPKE_KDF_HKDF_SHA512:
5406 suite->kdf_id = OSSL_HPKE_KDF_ID_HKDF_SHA512;
5407 break;
5408 default:
5409 return false;
5410 }
5411
5412 switch (aead_id) {
5413 case HPKE_AEAD_AES_128_GCM:
5414 suite->aead_id = OSSL_HPKE_AEAD_ID_AES_GCM_128;
5415 break;
5416 case HPKE_AEAD_AES_256_GCM:
5417 suite->aead_id = OSSL_HPKE_AEAD_ID_AES_GCM_256;
5418 break;
5419 default:
5420 return false;
5421 }
5422
5423 if (!OSSL_HPKE_suite_check(*suite)) {
5424 wpa_printf(MSG_INFO,
5425 "OpenSSL: HPKE suite kem_id=%d kdf_id=%d aead_id=%d not supported",
5426 kem_id, kdf_id, aead_id);
5427 return false;
5428 }
5429
5430 return true;
5431 }
5432
5433
hpke_base_seal(enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id,struct crypto_ec_key * peer_pub,const u8 * info,size_t info_len,const u8 * aad,size_t aad_len,const u8 * pt,size_t pt_len)5434 struct wpabuf * hpke_base_seal(enum hpke_kem_id kem_id,
5435 enum hpke_kdf_id kdf_id,
5436 enum hpke_aead_id aead_id,
5437 struct crypto_ec_key *peer_pub,
5438 const u8 *info, size_t info_len,
5439 const u8 *aad, size_t aad_len,
5440 const u8 *pt, size_t pt_len)
5441 {
5442 OSSL_HPKE_SUITE suite;
5443 OSSL_HPKE_CTX *ctx = NULL;
5444 struct wpabuf *res = NULL, *buf, *pub = NULL;
5445 size_t enc_len, ct_len;
5446 int group;
5447
5448 group = crypto_ec_key_group(peer_pub);
5449 if (group == 28 || group == 29 || group == 30) {
5450 /* Use the internal routines for the special DPP use case with
5451 * brainpool curves, */
5452 return hpke_base_seal_int(kem_id, kdf_id, aead_id, peer_pub,
5453 info, info_len, aad, aad_len,
5454 pt, pt_len);
5455 }
5456
5457
5458 if (!hpke_set_suite(&suite, kem_id, kdf_id, aead_id))
5459 return NULL;
5460
5461 enc_len = OSSL_HPKE_get_public_encap_size(suite);
5462 ct_len = OSSL_HPKE_get_ciphertext_size(suite, pt_len);
5463 buf = wpabuf_alloc(enc_len + ct_len);
5464 if (!buf)
5465 goto out;
5466
5467 pub = crypto_ec_key_get_pubkey_point(peer_pub, 1);
5468 if (!pub)
5469 goto out;
5470
5471 ctx = OSSL_HPKE_CTX_new(OSSL_HPKE_MODE_BASE, suite,
5472 OSSL_HPKE_ROLE_SENDER, NULL, NULL);
5473 if (!ctx)
5474 goto out;
5475
5476 if (OSSL_HPKE_encap(ctx, wpabuf_put(buf, 0), &enc_len,
5477 wpabuf_head(pub), wpabuf_len(pub),
5478 info, info_len) != 1) {
5479 wpa_printf(MSG_DEBUG, "OpenSSL: OSSL_HPKE_encap failed: %s",
5480 ERR_error_string(ERR_get_error(), NULL));
5481 goto out;
5482 }
5483 wpabuf_put(buf, enc_len);
5484
5485 if (OSSL_HPKE_seal(ctx, wpabuf_put(buf, 0), &ct_len, aad, aad_len,
5486 pt, pt_len) != 1) {
5487 wpa_printf(MSG_DEBUG, "OpenSSL: OSSL_HPKE_seal failed: %s",
5488 ERR_error_string(ERR_get_error(), NULL));
5489 goto out;
5490 }
5491 wpabuf_put(buf, ct_len);
5492 res = buf;
5493 buf = NULL;
5494
5495 out:
5496 OSSL_HPKE_CTX_free(ctx);
5497 wpabuf_free(buf);
5498 wpabuf_free(pub);
5499 return res;
5500 }
5501
5502
hpke_base_open(enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id,struct crypto_ec_key * own_priv,const u8 * info,size_t info_len,const u8 * aad,size_t aad_len,const u8 * enc_ct,size_t enc_ct_len)5503 struct wpabuf * hpke_base_open(enum hpke_kem_id kem_id,
5504 enum hpke_kdf_id kdf_id,
5505 enum hpke_aead_id aead_id,
5506 struct crypto_ec_key *own_priv,
5507 const u8 *info, size_t info_len,
5508 const u8 *aad, size_t aad_len,
5509 const u8 *enc_ct, size_t enc_ct_len)
5510 {
5511 OSSL_HPKE_SUITE suite;
5512 OSSL_HPKE_CTX *ctx;
5513 struct wpabuf *buf = NULL, *res = NULL;
5514 size_t len, enc_len;
5515 int group;
5516
5517 group = crypto_ec_key_group(own_priv);
5518 if (group == 28 || group == 29 || group == 30) {
5519 /* Use the internal routines for the special DPP use case with
5520 * brainpool curves, */
5521 return hpke_base_open_int(kem_id, kdf_id, aead_id, own_priv,
5522 info, info_len, aad, aad_len,
5523 enc_ct, enc_ct_len);
5524 }
5525
5526 if (!hpke_set_suite(&suite, kem_id, kdf_id, aead_id))
5527 return NULL;
5528
5529 enc_len = OSSL_HPKE_get_public_encap_size(suite);
5530 if (enc_ct_len < enc_len) {
5531 wpa_printf(MSG_DEBUG, "OpenSSL: Too short HPKE enc_ct data");
5532 return NULL;
5533 }
5534
5535 ctx = OSSL_HPKE_CTX_new(OSSL_HPKE_MODE_BASE, suite,
5536 OSSL_HPKE_ROLE_RECEIVER, NULL, NULL);
5537 if (!ctx)
5538 goto out;
5539
5540 if (OSSL_HPKE_decap(ctx, enc_ct, enc_len, (EVP_PKEY *) own_priv,
5541 info, info_len) != 1) {
5542 wpa_printf(MSG_DEBUG, "OpenSSL: OSSL_HPKE_decap failed: %s",
5543 ERR_error_string(ERR_get_error(), NULL));
5544 goto out;
5545 }
5546
5547 len = enc_ct_len;
5548 buf = wpabuf_alloc(len);
5549 if (!buf)
5550 goto out;
5551
5552 if (OSSL_HPKE_open(ctx, wpabuf_put(buf, 0), &len, aad, aad_len,
5553 enc_ct + enc_len, enc_ct_len - enc_len) != 1) {
5554 wpa_printf(MSG_DEBUG, "OpenSSL: OSSL_HPKE_open failed: %s",
5555 ERR_error_string(ERR_get_error(), NULL));
5556 goto out;
5557 }
5558
5559 wpabuf_put(buf, len);
5560 res = buf;
5561 buf = NULL;
5562
5563 out:
5564 OSSL_HPKE_CTX_free(ctx);
5565 wpabuf_free(buf);
5566 return res;
5567 }
5568
5569 #else /* OpenSSL < 3.2 */
5570
hpke_base_seal(enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id,struct crypto_ec_key * peer_pub,const u8 * info,size_t info_len,const u8 * aad,size_t aad_len,const u8 * pt,size_t pt_len)5571 struct wpabuf * hpke_base_seal(enum hpke_kem_id kem_id,
5572 enum hpke_kdf_id kdf_id,
5573 enum hpke_aead_id aead_id,
5574 struct crypto_ec_key *peer_pub,
5575 const u8 *info, size_t info_len,
5576 const u8 *aad, size_t aad_len,
5577 const u8 *pt, size_t pt_len)
5578 {
5579 return hpke_base_seal_int(kem_id, kdf_id, aead_id, peer_pub,
5580 info, info_len, aad, aad_len, pt, pt_len);
5581 }
5582
5583
hpke_base_open(enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id,struct crypto_ec_key * own_priv,const u8 * info,size_t info_len,const u8 * aad,size_t aad_len,const u8 * enc_ct,size_t enc_ct_len)5584 struct wpabuf * hpke_base_open(enum hpke_kem_id kem_id,
5585 enum hpke_kdf_id kdf_id,
5586 enum hpke_aead_id aead_id,
5587 struct crypto_ec_key *own_priv,
5588 const u8 *info, size_t info_len,
5589 const u8 *aad, size_t aad_len,
5590 const u8 *enc_ct, size_t enc_ct_len)
5591 {
5592 return hpke_base_open_int(kem_id, kdf_id, aead_id, own_priv,
5593 info, info_len, aad, aad_len,
5594 enc_ct, enc_ct_len);
5595 }
5596
5597 #endif /* OpenSSL < 3.2 */
5598
5599 #endif /* CONFIG_DPP3 */
5600
5601
crypto_unload(void)5602 void crypto_unload(void)
5603 {
5604 openssl_unload_legacy_provider();
5605 }
5606