1 /*
2 * Wrapper functions for OpenSSL libcrypto
3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #include <openssl/opensslv.h>
11 #include <openssl/err.h>
12 #include <openssl/des.h>
13 #include <openssl/aes.h>
14 #include <openssl/bn.h>
15 #include <openssl/evp.h>
16 #include <openssl/dh.h>
17 #include <openssl/hmac.h>
18 #include <openssl/rand.h>
19 #ifdef CONFIG_OPENSSL_CMAC
20 #include <openssl/cmac.h>
21 #endif /* CONFIG_OPENSSL_CMAC */
22 #ifdef CONFIG_ECC
23 #include <openssl/ec.h>
24 #include <openssl/x509.h>
25 #endif /* CONFIG_ECC */
26
27 #include "common.h"
28 #include "utils/const_time.h"
29 #include "wpabuf.h"
30 #include "dh_group5.h"
31 #include "sha1.h"
32 #include "sha256.h"
33 #include "sha384.h"
34 #include "sha512.h"
35 #include "md5.h"
36 #include "aes_wrap.h"
37 #include "crypto.h"
38
39 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
40 (defined(LIBRESSL_VERSION_NUMBER) && \
41 LIBRESSL_VERSION_NUMBER < 0x20700000L)
42 /* Compatibility wrappers for older versions. */
43
HMAC_CTX_new(void)44 static HMAC_CTX * HMAC_CTX_new(void)
45 {
46 HMAC_CTX *ctx;
47
48 ctx = os_zalloc(sizeof(*ctx));
49 if (ctx)
50 HMAC_CTX_init(ctx);
51 return ctx;
52 }
53
54
HMAC_CTX_free(HMAC_CTX * ctx)55 static void HMAC_CTX_free(HMAC_CTX *ctx)
56 {
57 if (!ctx)
58 return;
59 HMAC_CTX_cleanup(ctx);
60 bin_clear_free(ctx, sizeof(*ctx));
61 }
62
63
EVP_MD_CTX_new(void)64 static EVP_MD_CTX * EVP_MD_CTX_new(void)
65 {
66 EVP_MD_CTX *ctx;
67
68 ctx = os_zalloc(sizeof(*ctx));
69 if (ctx)
70 EVP_MD_CTX_init(ctx);
71 return ctx;
72 }
73
74
EVP_MD_CTX_free(EVP_MD_CTX * ctx)75 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
76 {
77 if (!ctx)
78 return;
79 EVP_MD_CTX_cleanup(ctx);
80 bin_clear_free(ctx, sizeof(*ctx));
81 }
82
83
EVP_PKEY_get0_EC_KEY(EVP_PKEY * pkey)84 static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
85 {
86 if (pkey->type != EVP_PKEY_EC)
87 return NULL;
88 return pkey->pkey.ec;
89 }
90
91 #endif /* OpenSSL version < 1.1.0 */
92
get_group5_prime(void)93 static BIGNUM * get_group5_prime(void)
94 {
95 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
96 !(defined(LIBRESSL_VERSION_NUMBER) && \
97 LIBRESSL_VERSION_NUMBER < 0x20700000L)
98 return BN_get_rfc3526_prime_1536(NULL);
99 #elif !defined(OPENSSL_IS_BORINGSSL)
100 return get_rfc3526_prime_1536(NULL);
101 #else
102 static const unsigned char RFC3526_PRIME_1536[] = {
103 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
104 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
105 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
106 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
107 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
108 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
109 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
110 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
111 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
112 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
113 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
114 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
115 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
116 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
117 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
118 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
119 };
120 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
121 #endif
122 }
123
124
get_group5_order(void)125 static BIGNUM * get_group5_order(void)
126 {
127 static const unsigned char RFC3526_ORDER_1536[] = {
128 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE4,0x87,0xED,0x51,
129 0x10,0xB4,0x61,0x1A,0x62,0x63,0x31,0x45,0xC0,0x6E,0x0E,0x68,
130 0x94,0x81,0x27,0x04,0x45,0x33,0xE6,0x3A,0x01,0x05,0xDF,0x53,
131 0x1D,0x89,0xCD,0x91,0x28,0xA5,0x04,0x3C,0xC7,0x1A,0x02,0x6E,
132 0xF7,0xCA,0x8C,0xD9,0xE6,0x9D,0x21,0x8D,0x98,0x15,0x85,0x36,
133 0xF9,0x2F,0x8A,0x1B,0xA7,0xF0,0x9A,0xB6,0xB6,0xA8,0xE1,0x22,
134 0xF2,0x42,0xDA,0xBB,0x31,0x2F,0x3F,0x63,0x7A,0x26,0x21,0x74,
135 0xD3,0x1B,0xF6,0xB5,0x85,0xFF,0xAE,0x5B,0x7A,0x03,0x5B,0xF6,
136 0xF7,0x1C,0x35,0xFD,0xAD,0x44,0xCF,0xD2,0xD7,0x4F,0x92,0x08,
137 0xBE,0x25,0x8F,0xF3,0x24,0x94,0x33,0x28,0xF6,0x72,0x2D,0x9E,
138 0xE1,0x00,0x3E,0x5C,0x50,0xB1,0xDF,0x82,0xCC,0x6D,0x24,0x1B,
139 0x0E,0x2A,0xE9,0xCD,0x34,0x8B,0x1F,0xD4,0x7E,0x92,0x67,0xAF,
140 0xC1,0xB2,0xAE,0x91,0xEE,0x51,0xD6,0xCB,0x0E,0x31,0x79,0xAB,
141 0x10,0x42,0xA9,0x5D,0xCF,0x6A,0x94,0x83,0xB8,0x4B,0x4B,0x36,
142 0xB3,0x86,0x1A,0xA7,0x25,0x5E,0x4C,0x02,0x78,0xBA,0x36,0x04,
143 0x65,0x11,0xB9,0x93,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
144 };
145 return BN_bin2bn(RFC3526_ORDER_1536, sizeof(RFC3526_ORDER_1536), NULL);
146 }
147
148
149 #ifdef OPENSSL_NO_SHA256
150 #define NO_SHA256_WRAPPER
151 #endif
152 #ifdef OPENSSL_NO_SHA512
153 #define NO_SHA384_WRAPPER
154 #endif
155
openssl_digest_vector(const EVP_MD * type,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)156 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
157 const u8 *addr[], const size_t *len, u8 *mac)
158 {
159 EVP_MD_CTX *ctx;
160 size_t i;
161 unsigned int mac_len;
162
163 if (TEST_FAIL())
164 return -1;
165
166 ctx = EVP_MD_CTX_new();
167 if (!ctx)
168 return -1;
169 if (!EVP_DigestInit_ex(ctx, type, NULL)) {
170 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
171 ERR_error_string(ERR_get_error(), NULL));
172 EVP_MD_CTX_free(ctx);
173 return -1;
174 }
175 for (i = 0; i < num_elem; i++) {
176 if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
177 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
178 "failed: %s",
179 ERR_error_string(ERR_get_error(), NULL));
180 EVP_MD_CTX_free(ctx);
181 return -1;
182 }
183 }
184 if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
185 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
186 ERR_error_string(ERR_get_error(), NULL));
187 EVP_MD_CTX_free(ctx);
188 return -1;
189 }
190 EVP_MD_CTX_free(ctx);
191
192 return 0;
193 }
194
195
196 #ifndef CONFIG_FIPS
md4_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)197 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
198 {
199 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
200 }
201 #endif /* CONFIG_FIPS */
202
203
des_encrypt(const u8 * clear,const u8 * key,u8 * cypher)204 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
205 {
206 u8 pkey[8], next, tmp;
207 int i;
208 DES_key_schedule ks;
209
210 /* Add parity bits to the key */
211 next = 0;
212 for (i = 0; i < 7; i++) {
213 tmp = key[i];
214 pkey[i] = (tmp >> i) | next | 1;
215 next = tmp << (7 - i);
216 }
217 pkey[i] = next | 1;
218
219 DES_set_key((DES_cblock *) &pkey, &ks);
220 DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks,
221 DES_ENCRYPT);
222 return 0;
223 }
224
225
226 #ifndef CONFIG_NO_RC4
rc4_skip(const u8 * key,size_t keylen,size_t skip,u8 * data,size_t data_len)227 int rc4_skip(const u8 *key, size_t keylen, size_t skip,
228 u8 *data, size_t data_len)
229 {
230 #ifdef OPENSSL_NO_RC4
231 return -1;
232 #else /* OPENSSL_NO_RC4 */
233 EVP_CIPHER_CTX *ctx;
234 int outl;
235 int res = -1;
236 unsigned char skip_buf[16];
237
238 ctx = EVP_CIPHER_CTX_new();
239 if (!ctx ||
240 !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
241 !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
242 !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
243 !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
244 goto out;
245
246 while (skip >= sizeof(skip_buf)) {
247 size_t len = skip;
248 if (len > sizeof(skip_buf))
249 len = sizeof(skip_buf);
250 if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
251 goto out;
252 skip -= len;
253 }
254
255 if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
256 res = 0;
257
258 out:
259 if (ctx)
260 EVP_CIPHER_CTX_free(ctx);
261 return res;
262 #endif /* OPENSSL_NO_RC4 */
263 }
264 #endif /* CONFIG_NO_RC4 */
265
266
267 #ifndef CONFIG_FIPS
md5_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)268 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
269 {
270 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
271 }
272 #endif /* CONFIG_FIPS */
273
274
sha1_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)275 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
276 {
277 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
278 }
279
280
281 #ifndef NO_SHA256_WRAPPER
sha256_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)282 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
283 u8 *mac)
284 {
285 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
286 }
287 #endif /* NO_SHA256_WRAPPER */
288
289
290 #ifndef NO_SHA384_WRAPPER
sha384_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)291 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
292 u8 *mac)
293 {
294 return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);
295 }
296 #endif /* NO_SHA384_WRAPPER */
297
298
299 #ifndef NO_SHA512_WRAPPER
sha512_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)300 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
301 u8 *mac)
302 {
303 return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
304 }
305 #endif /* NO_SHA512_WRAPPER */
306
307
aes_get_evp_cipher(size_t keylen)308 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
309 {
310 switch (keylen) {
311 case 16:
312 return EVP_aes_128_ecb();
313 case 24:
314 return EVP_aes_192_ecb();
315 case 32:
316 return EVP_aes_256_ecb();
317 }
318
319 return NULL;
320 }
321
322
aes_encrypt_init(const u8 * key,size_t len)323 void * aes_encrypt_init(const u8 *key, size_t len)
324 {
325 EVP_CIPHER_CTX *ctx;
326 const EVP_CIPHER *type;
327
328 if (TEST_FAIL())
329 return NULL;
330
331 type = aes_get_evp_cipher(len);
332 if (!type) {
333 wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
334 __func__, (unsigned int) len);
335 return NULL;
336 }
337
338 ctx = EVP_CIPHER_CTX_new();
339 if (ctx == NULL)
340 return NULL;
341 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
342 os_free(ctx);
343 return NULL;
344 }
345 EVP_CIPHER_CTX_set_padding(ctx, 0);
346 return ctx;
347 }
348
349
aes_encrypt(void * ctx,const u8 * plain,u8 * crypt)350 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
351 {
352 EVP_CIPHER_CTX *c = ctx;
353 int clen = 16;
354 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
355 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
356 ERR_error_string(ERR_get_error(), NULL));
357 return -1;
358 }
359 return 0;
360 }
361
362
aes_encrypt_deinit(void * ctx)363 void aes_encrypt_deinit(void *ctx)
364 {
365 EVP_CIPHER_CTX *c = ctx;
366 u8 buf[16];
367 int len = sizeof(buf);
368 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
369 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
370 "%s", ERR_error_string(ERR_get_error(), NULL));
371 }
372 if (len != 0) {
373 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
374 "in AES encrypt", len);
375 }
376 EVP_CIPHER_CTX_free(c);
377 }
378
379
aes_decrypt_init(const u8 * key,size_t len)380 void * aes_decrypt_init(const u8 *key, size_t len)
381 {
382 EVP_CIPHER_CTX *ctx;
383 const EVP_CIPHER *type;
384
385 if (TEST_FAIL())
386 return NULL;
387
388 type = aes_get_evp_cipher(len);
389 if (!type) {
390 wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
391 __func__, (unsigned int) len);
392 return NULL;
393 }
394
395 ctx = EVP_CIPHER_CTX_new();
396 if (ctx == NULL)
397 return NULL;
398 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
399 EVP_CIPHER_CTX_free(ctx);
400 return NULL;
401 }
402 EVP_CIPHER_CTX_set_padding(ctx, 0);
403 return ctx;
404 }
405
406
aes_decrypt(void * ctx,const u8 * crypt,u8 * plain)407 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
408 {
409 EVP_CIPHER_CTX *c = ctx;
410 int plen = 16;
411 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
412 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
413 ERR_error_string(ERR_get_error(), NULL));
414 return -1;
415 }
416 return 0;
417 }
418
419
aes_decrypt_deinit(void * ctx)420 void aes_decrypt_deinit(void *ctx)
421 {
422 EVP_CIPHER_CTX *c = ctx;
423 u8 buf[16];
424 int len = sizeof(buf);
425 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
426 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
427 "%s", ERR_error_string(ERR_get_error(), NULL));
428 }
429 if (len != 0) {
430 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
431 "in AES decrypt", len);
432 }
433 EVP_CIPHER_CTX_free(c);
434 }
435
436
437 #ifndef CONFIG_FIPS
438 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
439
aes_wrap(const u8 * kek,size_t kek_len,int n,const u8 * plain,u8 * cipher)440 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
441 {
442 AES_KEY actx;
443 int res;
444
445 if (TEST_FAIL())
446 return -1;
447 if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
448 return -1;
449 res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
450 OPENSSL_cleanse(&actx, sizeof(actx));
451 return res <= 0 ? -1 : 0;
452 }
453
454
aes_unwrap(const u8 * kek,size_t kek_len,int n,const u8 * cipher,u8 * plain)455 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
456 u8 *plain)
457 {
458 AES_KEY actx;
459 int res;
460
461 if (TEST_FAIL())
462 return -1;
463 if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
464 return -1;
465 res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
466 OPENSSL_cleanse(&actx, sizeof(actx));
467 return res <= 0 ? -1 : 0;
468 }
469
470 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
471 #endif /* CONFIG_FIPS */
472
473
aes_128_cbc_encrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)474 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
475 {
476 EVP_CIPHER_CTX *ctx;
477 int clen, len;
478 u8 buf[16];
479 int res = -1;
480
481 if (TEST_FAIL())
482 return -1;
483
484 ctx = EVP_CIPHER_CTX_new();
485 if (!ctx)
486 return -1;
487 clen = data_len;
488 len = sizeof(buf);
489 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
490 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
491 EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
492 clen == (int) data_len &&
493 EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
494 res = 0;
495 EVP_CIPHER_CTX_free(ctx);
496
497 return res;
498 }
499
500
aes_128_cbc_decrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)501 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
502 {
503 EVP_CIPHER_CTX *ctx;
504 int plen, len;
505 u8 buf[16];
506 int res = -1;
507
508 if (TEST_FAIL())
509 return -1;
510
511 ctx = EVP_CIPHER_CTX_new();
512 if (!ctx)
513 return -1;
514 plen = data_len;
515 len = sizeof(buf);
516 if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
517 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
518 EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
519 plen == (int) data_len &&
520 EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
521 res = 0;
522 EVP_CIPHER_CTX_free(ctx);
523
524 return res;
525
526 }
527
528
crypto_dh_init(u8 generator,const u8 * prime,size_t prime_len,u8 * privkey,u8 * pubkey)529 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
530 u8 *pubkey)
531 {
532 size_t pubkey_len, pad;
533
534 if (os_get_random(privkey, prime_len) < 0)
535 return -1;
536 if (os_memcmp(privkey, prime, prime_len) > 0) {
537 /* Make sure private value is smaller than prime */
538 privkey[0] = 0;
539 }
540
541 pubkey_len = prime_len;
542 if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
543 pubkey, &pubkey_len) < 0)
544 return -1;
545 if (pubkey_len < prime_len) {
546 pad = prime_len - pubkey_len;
547 os_memmove(pubkey + pad, pubkey, pubkey_len);
548 os_memset(pubkey, 0, pad);
549 }
550
551 return 0;
552 }
553
554
crypto_dh_derive_secret(u8 generator,const u8 * prime,size_t prime_len,const u8 * order,size_t order_len,const u8 * privkey,size_t privkey_len,const u8 * pubkey,size_t pubkey_len,u8 * secret,size_t * len)555 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
556 const u8 *order, size_t order_len,
557 const u8 *privkey, size_t privkey_len,
558 const u8 *pubkey, size_t pubkey_len,
559 u8 *secret, size_t *len)
560 {
561 BIGNUM *pub, *p;
562 int res = -1;
563
564 pub = BN_bin2bn(pubkey, pubkey_len, NULL);
565 p = BN_bin2bn(prime, prime_len, NULL);
566 if (!pub || !p || BN_is_zero(pub) || BN_is_one(pub) ||
567 BN_cmp(pub, p) >= 0)
568 goto fail;
569
570 if (order) {
571 BN_CTX *ctx;
572 BIGNUM *q, *tmp;
573 int failed;
574
575 /* verify: pubkey^q == 1 mod p */
576 q = BN_bin2bn(order, order_len, NULL);
577 ctx = BN_CTX_new();
578 tmp = BN_new();
579 failed = !q || !ctx || !tmp ||
580 !BN_mod_exp(tmp, pub, q, p, ctx) ||
581 !BN_is_one(tmp);
582 BN_clear_free(q);
583 BN_clear_free(tmp);
584 BN_CTX_free(ctx);
585 if (failed)
586 goto fail;
587 }
588
589 res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,
590 prime, prime_len, secret, len);
591 fail:
592 BN_clear_free(pub);
593 BN_clear_free(p);
594 return res;
595 }
596
597
crypto_mod_exp(const u8 * base,size_t base_len,const u8 * power,size_t power_len,const u8 * modulus,size_t modulus_len,u8 * result,size_t * result_len)598 int crypto_mod_exp(const u8 *base, size_t base_len,
599 const u8 *power, size_t power_len,
600 const u8 *modulus, size_t modulus_len,
601 u8 *result, size_t *result_len)
602 {
603 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
604 int ret = -1;
605 BN_CTX *ctx;
606
607 ctx = BN_CTX_new();
608 if (ctx == NULL)
609 return -1;
610
611 bn_base = BN_bin2bn(base, base_len, NULL);
612 bn_exp = BN_bin2bn(power, power_len, NULL);
613 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
614 bn_result = BN_new();
615
616 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
617 bn_result == NULL)
618 goto error;
619
620 if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
621 ctx, NULL) != 1)
622 goto error;
623
624 *result_len = BN_bn2bin(bn_result, result);
625 ret = 0;
626
627 error:
628 BN_clear_free(bn_base);
629 BN_clear_free(bn_exp);
630 BN_clear_free(bn_modulus);
631 BN_clear_free(bn_result);
632 BN_CTX_free(ctx);
633 return ret;
634 }
635
636
637 struct crypto_cipher {
638 EVP_CIPHER_CTX *enc;
639 EVP_CIPHER_CTX *dec;
640 };
641
642
crypto_cipher_init(enum crypto_cipher_alg alg,const u8 * iv,const u8 * key,size_t key_len)643 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
644 const u8 *iv, const u8 *key,
645 size_t key_len)
646 {
647 struct crypto_cipher *ctx;
648 const EVP_CIPHER *cipher;
649
650 ctx = os_zalloc(sizeof(*ctx));
651 if (ctx == NULL)
652 return NULL;
653
654 switch (alg) {
655 #ifndef CONFIG_NO_RC4
656 #ifndef OPENSSL_NO_RC4
657 case CRYPTO_CIPHER_ALG_RC4:
658 cipher = EVP_rc4();
659 break;
660 #endif /* OPENSSL_NO_RC4 */
661 #endif /* CONFIG_NO_RC4 */
662 #ifndef OPENSSL_NO_AES
663 case CRYPTO_CIPHER_ALG_AES:
664 switch (key_len) {
665 case 16:
666 cipher = EVP_aes_128_cbc();
667 break;
668 #ifndef OPENSSL_IS_BORINGSSL
669 case 24:
670 cipher = EVP_aes_192_cbc();
671 break;
672 #endif /* OPENSSL_IS_BORINGSSL */
673 case 32:
674 cipher = EVP_aes_256_cbc();
675 break;
676 default:
677 os_free(ctx);
678 return NULL;
679 }
680 break;
681 #endif /* OPENSSL_NO_AES */
682 #ifndef OPENSSL_NO_DES
683 case CRYPTO_CIPHER_ALG_3DES:
684 cipher = EVP_des_ede3_cbc();
685 break;
686 case CRYPTO_CIPHER_ALG_DES:
687 cipher = EVP_des_cbc();
688 break;
689 #endif /* OPENSSL_NO_DES */
690 #ifndef OPENSSL_NO_RC2
691 case CRYPTO_CIPHER_ALG_RC2:
692 cipher = EVP_rc2_ecb();
693 break;
694 #endif /* OPENSSL_NO_RC2 */
695 default:
696 os_free(ctx);
697 return NULL;
698 }
699
700 if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
701 !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
702 !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
703 !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
704 !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
705 if (ctx->enc)
706 EVP_CIPHER_CTX_free(ctx->enc);
707 os_free(ctx);
708 return NULL;
709 }
710
711 if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
712 !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
713 !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
714 !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
715 !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
716 EVP_CIPHER_CTX_free(ctx->enc);
717 if (ctx->dec)
718 EVP_CIPHER_CTX_free(ctx->dec);
719 os_free(ctx);
720 return NULL;
721 }
722
723 return ctx;
724 }
725
726
crypto_cipher_encrypt(struct crypto_cipher * ctx,const u8 * plain,u8 * crypt,size_t len)727 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
728 u8 *crypt, size_t len)
729 {
730 int outl;
731 if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
732 return -1;
733 return 0;
734 }
735
736
crypto_cipher_decrypt(struct crypto_cipher * ctx,const u8 * crypt,u8 * plain,size_t len)737 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
738 u8 *plain, size_t len)
739 {
740 int outl;
741 outl = len;
742 if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
743 return -1;
744 return 0;
745 }
746
747
crypto_cipher_deinit(struct crypto_cipher * ctx)748 void crypto_cipher_deinit(struct crypto_cipher *ctx)
749 {
750 EVP_CIPHER_CTX_free(ctx->enc);
751 EVP_CIPHER_CTX_free(ctx->dec);
752 os_free(ctx);
753 }
754
755
dh5_init(struct wpabuf ** priv,struct wpabuf ** publ)756 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
757 {
758 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
759 (defined(LIBRESSL_VERSION_NUMBER) && \
760 LIBRESSL_VERSION_NUMBER < 0x20700000L)
761 DH *dh;
762 struct wpabuf *pubkey = NULL, *privkey = NULL;
763 size_t publen, privlen;
764
765 *priv = NULL;
766 wpabuf_free(*publ);
767 *publ = NULL;
768
769 dh = DH_new();
770 if (dh == NULL)
771 return NULL;
772
773 dh->g = BN_new();
774 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
775 goto err;
776
777 dh->p = get_group5_prime();
778 if (dh->p == NULL)
779 goto err;
780
781 dh->q = get_group5_order();
782 if (!dh->q)
783 goto err;
784
785 if (DH_generate_key(dh) != 1)
786 goto err;
787
788 publen = BN_num_bytes(dh->pub_key);
789 pubkey = wpabuf_alloc(publen);
790 if (pubkey == NULL)
791 goto err;
792 privlen = BN_num_bytes(dh->priv_key);
793 privkey = wpabuf_alloc(privlen);
794 if (privkey == NULL)
795 goto err;
796
797 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
798 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
799
800 *priv = privkey;
801 *publ = pubkey;
802 return dh;
803
804 err:
805 wpabuf_clear_free(pubkey);
806 wpabuf_clear_free(privkey);
807 DH_free(dh);
808 return NULL;
809 #else
810 DH *dh;
811 struct wpabuf *pubkey = NULL, *privkey = NULL;
812 size_t publen, privlen;
813 BIGNUM *p, *g, *q;
814 const BIGNUM *priv_key = NULL, *pub_key = NULL;
815
816 *priv = NULL;
817 wpabuf_free(*publ);
818 *publ = NULL;
819
820 dh = DH_new();
821 if (dh == NULL)
822 return NULL;
823
824 g = BN_new();
825 p = get_group5_prime();
826 q = get_group5_order();
827 if (!g || BN_set_word(g, 2) != 1 || !p || !q ||
828 DH_set0_pqg(dh, p, q, g) != 1)
829 goto err;
830 p = NULL;
831 q = NULL;
832 g = NULL;
833
834 if (DH_generate_key(dh) != 1)
835 goto err;
836
837 DH_get0_key(dh, &pub_key, &priv_key);
838 publen = BN_num_bytes(pub_key);
839 pubkey = wpabuf_alloc(publen);
840 if (!pubkey)
841 goto err;
842 privlen = BN_num_bytes(priv_key);
843 privkey = wpabuf_alloc(privlen);
844 if (!privkey)
845 goto err;
846
847 BN_bn2bin(pub_key, wpabuf_put(pubkey, publen));
848 BN_bn2bin(priv_key, wpabuf_put(privkey, privlen));
849
850 *priv = privkey;
851 *publ = pubkey;
852 return dh;
853
854 err:
855 BN_free(p);
856 BN_free(q);
857 BN_free(g);
858 wpabuf_clear_free(pubkey);
859 wpabuf_clear_free(privkey);
860 DH_free(dh);
861 return NULL;
862 #endif
863 }
864
865
dh5_init_fixed(const struct wpabuf * priv,const struct wpabuf * publ)866 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
867 {
868 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
869 (defined(LIBRESSL_VERSION_NUMBER) && \
870 LIBRESSL_VERSION_NUMBER < 0x20700000L)
871 DH *dh;
872
873 dh = DH_new();
874 if (dh == NULL)
875 return NULL;
876
877 dh->g = BN_new();
878 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
879 goto err;
880
881 dh->p = get_group5_prime();
882 if (dh->p == NULL)
883 goto err;
884
885 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
886 if (dh->priv_key == NULL)
887 goto err;
888
889 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
890 if (dh->pub_key == NULL)
891 goto err;
892
893 if (DH_generate_key(dh) != 1)
894 goto err;
895
896 return dh;
897
898 err:
899 DH_free(dh);
900 return NULL;
901 #else
902 DH *dh;
903 BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL;
904
905 dh = DH_new();
906 if (dh == NULL)
907 return NULL;
908
909 g = BN_new();
910 p = get_group5_prime();
911 if (!g || BN_set_word(g, 2) != 1 || !p ||
912 DH_set0_pqg(dh, p, NULL, g) != 1)
913 goto err;
914 p = NULL;
915 g = NULL;
916
917 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
918 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
919 if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1)
920 goto err;
921 pub_key = NULL;
922 priv_key = NULL;
923
924 if (DH_generate_key(dh) != 1)
925 goto err;
926
927 return dh;
928
929 err:
930 BN_free(p);
931 BN_free(g);
932 BN_free(pub_key);
933 BN_clear_free(priv_key);
934 DH_free(dh);
935 return NULL;
936 #endif
937 }
938
939
dh5_derive_shared(void * ctx,const struct wpabuf * peer_public,const struct wpabuf * own_private)940 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
941 const struct wpabuf *own_private)
942 {
943 BIGNUM *pub_key;
944 struct wpabuf *res = NULL;
945 size_t rlen;
946 DH *dh = ctx;
947 int keylen;
948
949 if (ctx == NULL)
950 return NULL;
951
952 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
953 NULL);
954 if (pub_key == NULL)
955 return NULL;
956
957 rlen = DH_size(dh);
958 res = wpabuf_alloc(rlen);
959 if (res == NULL)
960 goto err;
961
962 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
963 if (keylen < 0)
964 goto err;
965 wpabuf_put(res, keylen);
966 BN_clear_free(pub_key);
967
968 return res;
969
970 err:
971 BN_clear_free(pub_key);
972 wpabuf_clear_free(res);
973 return NULL;
974 }
975
976
dh5_free(void * ctx)977 void dh5_free(void *ctx)
978 {
979 DH *dh;
980 if (ctx == NULL)
981 return;
982 dh = ctx;
983 DH_free(dh);
984 }
985
986
987 struct crypto_hash {
988 HMAC_CTX *ctx;
989 };
990
991
crypto_hash_init(enum crypto_hash_alg alg,const u8 * key,size_t key_len)992 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
993 size_t key_len)
994 {
995 struct crypto_hash *ctx;
996 const EVP_MD *md;
997
998 switch (alg) {
999 #ifndef OPENSSL_NO_MD5
1000 case CRYPTO_HASH_ALG_HMAC_MD5:
1001 md = EVP_md5();
1002 break;
1003 #endif /* OPENSSL_NO_MD5 */
1004 #ifndef OPENSSL_NO_SHA
1005 case CRYPTO_HASH_ALG_HMAC_SHA1:
1006 md = EVP_sha1();
1007 break;
1008 #endif /* OPENSSL_NO_SHA */
1009 #ifndef OPENSSL_NO_SHA256
1010 #ifdef CONFIG_SHA256
1011 case CRYPTO_HASH_ALG_HMAC_SHA256:
1012 md = EVP_sha256();
1013 break;
1014 #endif /* CONFIG_SHA256 */
1015 #endif /* OPENSSL_NO_SHA256 */
1016 default:
1017 return NULL;
1018 }
1019
1020 ctx = os_zalloc(sizeof(*ctx));
1021 if (ctx == NULL)
1022 return NULL;
1023 ctx->ctx = HMAC_CTX_new();
1024 if (!ctx->ctx) {
1025 os_free(ctx);
1026 return NULL;
1027 }
1028
1029 if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
1030 HMAC_CTX_free(ctx->ctx);
1031 bin_clear_free(ctx, sizeof(*ctx));
1032 return NULL;
1033 }
1034
1035 return ctx;
1036 }
1037
1038
crypto_hash_update(struct crypto_hash * ctx,const u8 * data,size_t len)1039 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
1040 {
1041 if (ctx == NULL)
1042 return;
1043 HMAC_Update(ctx->ctx, data, len);
1044 }
1045
1046
crypto_hash_finish(struct crypto_hash * ctx,u8 * mac,size_t * len)1047 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
1048 {
1049 unsigned int mdlen;
1050 int res;
1051
1052 if (ctx == NULL)
1053 return -2;
1054
1055 if (mac == NULL || len == NULL) {
1056 HMAC_CTX_free(ctx->ctx);
1057 bin_clear_free(ctx, sizeof(*ctx));
1058 return 0;
1059 }
1060
1061 mdlen = *len;
1062 res = HMAC_Final(ctx->ctx, mac, &mdlen);
1063 HMAC_CTX_free(ctx->ctx);
1064 bin_clear_free(ctx, sizeof(*ctx));
1065
1066 if (TEST_FAIL())
1067 return -1;
1068
1069 if (res == 1) {
1070 *len = mdlen;
1071 return 0;
1072 }
1073
1074 return -1;
1075 }
1076
1077
openssl_hmac_vector(const EVP_MD * type,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac,unsigned int mdlen)1078 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
1079 size_t key_len, size_t num_elem,
1080 const u8 *addr[], const size_t *len, u8 *mac,
1081 unsigned int mdlen)
1082 {
1083 HMAC_CTX *ctx;
1084 size_t i;
1085 int res;
1086
1087 if (TEST_FAIL())
1088 return -1;
1089
1090 ctx = HMAC_CTX_new();
1091 if (!ctx)
1092 return -1;
1093 res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
1094 if (res != 1)
1095 goto done;
1096
1097 for (i = 0; i < num_elem; i++)
1098 HMAC_Update(ctx, addr[i], len[i]);
1099
1100 res = HMAC_Final(ctx, mac, &mdlen);
1101 done:
1102 HMAC_CTX_free(ctx);
1103
1104 return res == 1 ? 0 : -1;
1105 }
1106
1107
1108 #ifndef CONFIG_FIPS
1109
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1110 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
1111 const u8 *addr[], const size_t *len, u8 *mac)
1112 {
1113 return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
1114 mac, 16);
1115 }
1116
1117
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1118 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1119 u8 *mac)
1120 {
1121 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
1122 }
1123
1124 #endif /* CONFIG_FIPS */
1125
1126
pbkdf2_sha1(const char * passphrase,const u8 * ssid,size_t ssid_len,int iterations,u8 * buf,size_t buflen)1127 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
1128 int iterations, u8 *buf, size_t buflen)
1129 {
1130 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
1131 ssid_len, iterations, buflen, buf) != 1)
1132 return -1;
1133 return 0;
1134 }
1135
1136
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1137 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
1138 const u8 *addr[], const size_t *len, u8 *mac)
1139 {
1140 return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
1141 len, mac, 20);
1142 }
1143
1144
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1145 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1146 u8 *mac)
1147 {
1148 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
1149 }
1150
1151
1152 #ifdef CONFIG_SHA256
1153
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1154 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
1155 const u8 *addr[], const size_t *len, u8 *mac)
1156 {
1157 return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
1158 len, mac, 32);
1159 }
1160
1161
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1162 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
1163 size_t data_len, u8 *mac)
1164 {
1165 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
1166 }
1167
1168 #endif /* CONFIG_SHA256 */
1169
1170
1171 #ifdef CONFIG_SHA384
1172
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1173 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
1174 const u8 *addr[], const size_t *len, u8 *mac)
1175 {
1176 return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
1177 len, mac, 48);
1178 }
1179
1180
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1181 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
1182 size_t data_len, u8 *mac)
1183 {
1184 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
1185 }
1186
1187 #endif /* CONFIG_SHA384 */
1188
1189
1190 #ifdef CONFIG_SHA512
1191
hmac_sha512_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1192 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
1193 const u8 *addr[], const size_t *len, u8 *mac)
1194 {
1195 return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
1196 len, mac, 64);
1197 }
1198
1199
hmac_sha512(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1200 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
1201 size_t data_len, u8 *mac)
1202 {
1203 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
1204 }
1205
1206 #endif /* CONFIG_SHA512 */
1207
1208
crypto_get_random(void * buf,size_t len)1209 int crypto_get_random(void *buf, size_t len)
1210 {
1211 if (RAND_bytes(buf, len) != 1)
1212 return -1;
1213 return 0;
1214 }
1215
1216
1217 #ifdef CONFIG_OPENSSL_CMAC
omac1_aes_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1218 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
1219 const u8 *addr[], const size_t *len, u8 *mac)
1220 {
1221 CMAC_CTX *ctx;
1222 int ret = -1;
1223 size_t outlen, i;
1224
1225 if (TEST_FAIL())
1226 return -1;
1227
1228 ctx = CMAC_CTX_new();
1229 if (ctx == NULL)
1230 return -1;
1231
1232 if (key_len == 32) {
1233 if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
1234 goto fail;
1235 } else if (key_len == 16) {
1236 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
1237 goto fail;
1238 } else {
1239 goto fail;
1240 }
1241 for (i = 0; i < num_elem; i++) {
1242 if (!CMAC_Update(ctx, addr[i], len[i]))
1243 goto fail;
1244 }
1245 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
1246 goto fail;
1247
1248 ret = 0;
1249 fail:
1250 CMAC_CTX_free(ctx);
1251 return ret;
1252 }
1253
1254
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1255 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
1256 const u8 *addr[], const size_t *len, u8 *mac)
1257 {
1258 return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
1259 }
1260
1261
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1262 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1263 {
1264 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
1265 }
1266
1267
omac1_aes_256(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1268 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1269 {
1270 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
1271 }
1272 #endif /* CONFIG_OPENSSL_CMAC */
1273
1274
crypto_bignum_init(void)1275 struct crypto_bignum * crypto_bignum_init(void)
1276 {
1277 if (TEST_FAIL())
1278 return NULL;
1279 return (struct crypto_bignum *) BN_new();
1280 }
1281
1282
crypto_bignum_init_set(const u8 * buf,size_t len)1283 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
1284 {
1285 BIGNUM *bn;
1286
1287 if (TEST_FAIL())
1288 return NULL;
1289
1290 bn = BN_bin2bn(buf, len, NULL);
1291 return (struct crypto_bignum *) bn;
1292 }
1293
1294
crypto_bignum_init_uint(unsigned int val)1295 struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
1296 {
1297 BIGNUM *bn;
1298
1299 if (TEST_FAIL())
1300 return NULL;
1301
1302 bn = BN_new();
1303 if (!bn)
1304 return NULL;
1305 if (BN_set_word(bn, val) != 1) {
1306 BN_free(bn);
1307 return NULL;
1308 }
1309 return (struct crypto_bignum *) bn;
1310 }
1311
1312
crypto_bignum_deinit(struct crypto_bignum * n,int clear)1313 void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
1314 {
1315 if (clear)
1316 BN_clear_free((BIGNUM *) n);
1317 else
1318 BN_free((BIGNUM *) n);
1319 }
1320
1321
crypto_bignum_to_bin(const struct crypto_bignum * a,u8 * buf,size_t buflen,size_t padlen)1322 int crypto_bignum_to_bin(const struct crypto_bignum *a,
1323 u8 *buf, size_t buflen, size_t padlen)
1324 {
1325 int num_bytes, offset;
1326
1327 if (TEST_FAIL())
1328 return -1;
1329
1330 if (padlen > buflen)
1331 return -1;
1332
1333 if (padlen) {
1334 #ifdef OPENSSL_IS_BORINGSSL
1335 if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
1336 return -1;
1337 return padlen;
1338 #else /* OPENSSL_IS_BORINGSSL */
1339 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
1340 return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
1341 #endif
1342 #endif
1343 }
1344
1345 num_bytes = BN_num_bytes((const BIGNUM *) a);
1346 if ((size_t) num_bytes > buflen)
1347 return -1;
1348 if (padlen > (size_t) num_bytes)
1349 offset = padlen - num_bytes;
1350 else
1351 offset = 0;
1352
1353 os_memset(buf, 0, offset);
1354 BN_bn2bin((const BIGNUM *) a, buf + offset);
1355
1356 return num_bytes + offset;
1357 }
1358
1359
crypto_bignum_rand(struct crypto_bignum * r,const struct crypto_bignum * m)1360 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
1361 {
1362 if (TEST_FAIL())
1363 return -1;
1364 return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1;
1365 }
1366
1367
crypto_bignum_add(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1368 int crypto_bignum_add(const struct crypto_bignum *a,
1369 const struct crypto_bignum *b,
1370 struct crypto_bignum *c)
1371 {
1372 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1373 0 : -1;
1374 }
1375
1376
crypto_bignum_mod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1377 int crypto_bignum_mod(const struct crypto_bignum *a,
1378 const struct crypto_bignum *b,
1379 struct crypto_bignum *c)
1380 {
1381 int res;
1382 BN_CTX *bnctx;
1383
1384 bnctx = BN_CTX_new();
1385 if (bnctx == NULL)
1386 return -1;
1387 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1388 bnctx);
1389 BN_CTX_free(bnctx);
1390
1391 return res ? 0 : -1;
1392 }
1393
1394
crypto_bignum_exptmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1395 int crypto_bignum_exptmod(const struct crypto_bignum *a,
1396 const struct crypto_bignum *b,
1397 const struct crypto_bignum *c,
1398 struct crypto_bignum *d)
1399 {
1400 int res;
1401 BN_CTX *bnctx;
1402
1403 if (TEST_FAIL())
1404 return -1;
1405
1406 bnctx = BN_CTX_new();
1407 if (bnctx == NULL)
1408 return -1;
1409 res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
1410 (const BIGNUM *) b, (const BIGNUM *) c,
1411 bnctx, NULL);
1412 BN_CTX_free(bnctx);
1413
1414 return res ? 0 : -1;
1415 }
1416
1417
crypto_bignum_inverse(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1418 int crypto_bignum_inverse(const struct crypto_bignum *a,
1419 const struct crypto_bignum *b,
1420 struct crypto_bignum *c)
1421 {
1422 BIGNUM *res;
1423 BN_CTX *bnctx;
1424
1425 if (TEST_FAIL())
1426 return -1;
1427 bnctx = BN_CTX_new();
1428 if (bnctx == NULL)
1429 return -1;
1430 #ifdef OPENSSL_IS_BORINGSSL
1431 /* TODO: use BN_mod_inverse_blinded() ? */
1432 #else /* OPENSSL_IS_BORINGSSL */
1433 BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
1434 #endif /* OPENSSL_IS_BORINGSSL */
1435 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
1436 (const BIGNUM *) b, bnctx);
1437 BN_CTX_free(bnctx);
1438
1439 return res ? 0 : -1;
1440 }
1441
1442
crypto_bignum_sub(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1443 int crypto_bignum_sub(const struct crypto_bignum *a,
1444 const struct crypto_bignum *b,
1445 struct crypto_bignum *c)
1446 {
1447 if (TEST_FAIL())
1448 return -1;
1449 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1450 0 : -1;
1451 }
1452
1453
crypto_bignum_div(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1454 int crypto_bignum_div(const struct crypto_bignum *a,
1455 const struct crypto_bignum *b,
1456 struct crypto_bignum *c)
1457 {
1458 int res;
1459
1460 BN_CTX *bnctx;
1461
1462 if (TEST_FAIL())
1463 return -1;
1464
1465 bnctx = BN_CTX_new();
1466 if (bnctx == NULL)
1467 return -1;
1468 #ifndef OPENSSL_IS_BORINGSSL
1469 BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
1470 #endif /* OPENSSL_IS_BORINGSSL */
1471 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
1472 (const BIGNUM *) b, bnctx);
1473 BN_CTX_free(bnctx);
1474
1475 return res ? 0 : -1;
1476 }
1477
1478
crypto_bignum_addmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1479 int crypto_bignum_addmod(const struct crypto_bignum *a,
1480 const struct crypto_bignum *b,
1481 const struct crypto_bignum *c,
1482 struct crypto_bignum *d)
1483 {
1484 int res;
1485 BN_CTX *bnctx;
1486
1487 if (TEST_FAIL())
1488 return -1;
1489
1490 bnctx = BN_CTX_new();
1491 if (!bnctx)
1492 return -1;
1493 res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1494 (const BIGNUM *) c, bnctx);
1495 BN_CTX_free(bnctx);
1496
1497 return res ? 0 : -1;
1498 }
1499
1500
crypto_bignum_mulmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1501 int crypto_bignum_mulmod(const struct crypto_bignum *a,
1502 const struct crypto_bignum *b,
1503 const struct crypto_bignum *c,
1504 struct crypto_bignum *d)
1505 {
1506 int res;
1507
1508 BN_CTX *bnctx;
1509
1510 if (TEST_FAIL())
1511 return -1;
1512
1513 bnctx = BN_CTX_new();
1514 if (bnctx == NULL)
1515 return -1;
1516 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1517 (const BIGNUM *) c, bnctx);
1518 BN_CTX_free(bnctx);
1519
1520 return res ? 0 : -1;
1521 }
1522
1523
crypto_bignum_sqrmod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1524 int crypto_bignum_sqrmod(const struct crypto_bignum *a,
1525 const struct crypto_bignum *b,
1526 struct crypto_bignum *c)
1527 {
1528 int res;
1529 BN_CTX *bnctx;
1530
1531 if (TEST_FAIL())
1532 return -1;
1533
1534 bnctx = BN_CTX_new();
1535 if (!bnctx)
1536 return -1;
1537 res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1538 bnctx);
1539 BN_CTX_free(bnctx);
1540
1541 return res ? 0 : -1;
1542 }
1543
1544
crypto_bignum_rshift(const struct crypto_bignum * a,int n,struct crypto_bignum * r)1545 int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
1546 struct crypto_bignum *r)
1547 {
1548 /* Note: BN_rshift() does not modify the first argument even though it
1549 * has not been marked const. */
1550 return BN_rshift((BIGNUM *) a, (BIGNUM *) r, n) == 1 ? 0 : -1;
1551 }
1552
1553
crypto_bignum_cmp(const struct crypto_bignum * a,const struct crypto_bignum * b)1554 int crypto_bignum_cmp(const struct crypto_bignum *a,
1555 const struct crypto_bignum *b)
1556 {
1557 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
1558 }
1559
1560
crypto_bignum_is_zero(const struct crypto_bignum * a)1561 int crypto_bignum_is_zero(const struct crypto_bignum *a)
1562 {
1563 return BN_is_zero((const BIGNUM *) a);
1564 }
1565
1566
crypto_bignum_is_one(const struct crypto_bignum * a)1567 int crypto_bignum_is_one(const struct crypto_bignum *a)
1568 {
1569 return BN_is_one((const BIGNUM *) a);
1570 }
1571
1572
crypto_bignum_is_odd(const struct crypto_bignum * a)1573 int crypto_bignum_is_odd(const struct crypto_bignum *a)
1574 {
1575 return BN_is_odd((const BIGNUM *) a);
1576 }
1577
1578
crypto_bignum_legendre(const struct crypto_bignum * a,const struct crypto_bignum * p)1579 int crypto_bignum_legendre(const struct crypto_bignum *a,
1580 const struct crypto_bignum *p)
1581 {
1582 BN_CTX *bnctx;
1583 BIGNUM *exp = NULL, *tmp = NULL;
1584 int res = -2;
1585 unsigned int mask;
1586
1587 if (TEST_FAIL())
1588 return -2;
1589
1590 bnctx = BN_CTX_new();
1591 if (bnctx == NULL)
1592 return -2;
1593
1594 exp = BN_new();
1595 tmp = BN_new();
1596 if (!exp || !tmp ||
1597 /* exp = (p-1) / 2 */
1598 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
1599 !BN_rshift1(exp, exp) ||
1600 !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
1601 (const BIGNUM *) p, bnctx, NULL))
1602 goto fail;
1603
1604 /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
1605 * constant time selection to avoid branches here. */
1606 res = -1;
1607 mask = const_time_eq(BN_is_word(tmp, 1), 1);
1608 res = const_time_select_int(mask, 1, res);
1609 mask = const_time_eq(BN_is_zero(tmp), 1);
1610 res = const_time_select_int(mask, 0, res);
1611
1612 fail:
1613 BN_clear_free(tmp);
1614 BN_clear_free(exp);
1615 BN_CTX_free(bnctx);
1616 return res;
1617 }
1618
1619
1620 #ifdef CONFIG_ECC
1621
1622 struct crypto_ec {
1623 EC_GROUP *group;
1624 int nid;
1625 BN_CTX *bnctx;
1626 BIGNUM *prime;
1627 BIGNUM *order;
1628 BIGNUM *a;
1629 BIGNUM *b;
1630 };
1631
crypto_ec_init(int group)1632 struct crypto_ec * crypto_ec_init(int group)
1633 {
1634 struct crypto_ec *e;
1635 int nid;
1636
1637 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */
1638 switch (group) {
1639 case 19:
1640 nid = NID_X9_62_prime256v1;
1641 break;
1642 case 20:
1643 nid = NID_secp384r1;
1644 break;
1645 case 21:
1646 nid = NID_secp521r1;
1647 break;
1648 case 25:
1649 nid = NID_X9_62_prime192v1;
1650 break;
1651 case 26:
1652 nid = NID_secp224r1;
1653 break;
1654 #ifdef NID_brainpoolP224r1
1655 case 27:
1656 nid = NID_brainpoolP224r1;
1657 break;
1658 #endif /* NID_brainpoolP224r1 */
1659 #ifdef NID_brainpoolP256r1
1660 case 28:
1661 nid = NID_brainpoolP256r1;
1662 break;
1663 #endif /* NID_brainpoolP256r1 */
1664 #ifdef NID_brainpoolP384r1
1665 case 29:
1666 nid = NID_brainpoolP384r1;
1667 break;
1668 #endif /* NID_brainpoolP384r1 */
1669 #ifdef NID_brainpoolP512r1
1670 case 30:
1671 nid = NID_brainpoolP512r1;
1672 break;
1673 #endif /* NID_brainpoolP512r1 */
1674 default:
1675 return NULL;
1676 }
1677
1678 e = os_zalloc(sizeof(*e));
1679 if (e == NULL)
1680 return NULL;
1681
1682 e->nid = nid;
1683 e->bnctx = BN_CTX_new();
1684 e->group = EC_GROUP_new_by_curve_name(nid);
1685 e->prime = BN_new();
1686 e->order = BN_new();
1687 e->a = BN_new();
1688 e->b = BN_new();
1689 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
1690 e->order == NULL || e->a == NULL || e->b == NULL ||
1691 !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) ||
1692 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
1693 crypto_ec_deinit(e);
1694 e = NULL;
1695 }
1696
1697 return e;
1698 }
1699
1700
crypto_ec_deinit(struct crypto_ec * e)1701 void crypto_ec_deinit(struct crypto_ec *e)
1702 {
1703 if (e == NULL)
1704 return;
1705 BN_clear_free(e->b);
1706 BN_clear_free(e->a);
1707 BN_clear_free(e->order);
1708 BN_clear_free(e->prime);
1709 EC_GROUP_free(e->group);
1710 BN_CTX_free(e->bnctx);
1711 os_free(e);
1712 }
1713
1714
crypto_ec_point_init(struct crypto_ec * e)1715 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
1716 {
1717 if (TEST_FAIL())
1718 return NULL;
1719 if (e == NULL)
1720 return NULL;
1721 return (struct crypto_ec_point *) EC_POINT_new(e->group);
1722 }
1723
1724
crypto_ec_prime_len(struct crypto_ec * e)1725 size_t crypto_ec_prime_len(struct crypto_ec *e)
1726 {
1727 return BN_num_bytes(e->prime);
1728 }
1729
1730
crypto_ec_prime_len_bits(struct crypto_ec * e)1731 size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
1732 {
1733 return BN_num_bits(e->prime);
1734 }
1735
1736
crypto_ec_order_len(struct crypto_ec * e)1737 size_t crypto_ec_order_len(struct crypto_ec *e)
1738 {
1739 return BN_num_bytes(e->order);
1740 }
1741
1742
crypto_ec_get_prime(struct crypto_ec * e)1743 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
1744 {
1745 return (const struct crypto_bignum *) e->prime;
1746 }
1747
1748
crypto_ec_get_order(struct crypto_ec * e)1749 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
1750 {
1751 return (const struct crypto_bignum *) e->order;
1752 }
1753
1754
crypto_ec_get_a(struct crypto_ec * e)1755 const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
1756 {
1757 return (const struct crypto_bignum *) e->a;
1758 }
1759
1760
crypto_ec_get_b(struct crypto_ec * e)1761 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
1762 {
1763 return (const struct crypto_bignum *) e->b;
1764 }
1765
1766
crypto_ec_point_deinit(struct crypto_ec_point * p,int clear)1767 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
1768 {
1769 if (clear)
1770 EC_POINT_clear_free((EC_POINT *) p);
1771 else
1772 EC_POINT_free((EC_POINT *) p);
1773 }
1774
1775
crypto_ec_point_x(struct crypto_ec * e,const struct crypto_ec_point * p,struct crypto_bignum * x)1776 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p,
1777 struct crypto_bignum *x)
1778 {
1779 return EC_POINT_get_affine_coordinates_GFp(e->group,
1780 (const EC_POINT *) p,
1781 (BIGNUM *) x, NULL,
1782 e->bnctx) == 1 ? 0 : -1;
1783 }
1784
1785
crypto_ec_point_to_bin(struct crypto_ec * e,const struct crypto_ec_point * point,u8 * x,u8 * y)1786 int crypto_ec_point_to_bin(struct crypto_ec *e,
1787 const struct crypto_ec_point *point, u8 *x, u8 *y)
1788 {
1789 BIGNUM *x_bn, *y_bn;
1790 int ret = -1;
1791 int len = BN_num_bytes(e->prime);
1792
1793 if (TEST_FAIL())
1794 return -1;
1795
1796 x_bn = BN_new();
1797 y_bn = BN_new();
1798
1799 if (x_bn && y_bn &&
1800 EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point,
1801 x_bn, y_bn, e->bnctx)) {
1802 if (x) {
1803 crypto_bignum_to_bin((struct crypto_bignum *) x_bn,
1804 x, len, len);
1805 }
1806 if (y) {
1807 crypto_bignum_to_bin((struct crypto_bignum *) y_bn,
1808 y, len, len);
1809 }
1810 ret = 0;
1811 }
1812
1813 BN_clear_free(x_bn);
1814 BN_clear_free(y_bn);
1815 return ret;
1816 }
1817
1818
crypto_ec_point_from_bin(struct crypto_ec * e,const u8 * val)1819 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
1820 const u8 *val)
1821 {
1822 BIGNUM *x, *y;
1823 EC_POINT *elem;
1824 int len = BN_num_bytes(e->prime);
1825
1826 if (TEST_FAIL())
1827 return NULL;
1828
1829 x = BN_bin2bn(val, len, NULL);
1830 y = BN_bin2bn(val + len, len, NULL);
1831 elem = EC_POINT_new(e->group);
1832 if (x == NULL || y == NULL || elem == NULL) {
1833 BN_clear_free(x);
1834 BN_clear_free(y);
1835 EC_POINT_clear_free(elem);
1836 return NULL;
1837 }
1838
1839 if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y,
1840 e->bnctx)) {
1841 EC_POINT_clear_free(elem);
1842 elem = NULL;
1843 }
1844
1845 BN_clear_free(x);
1846 BN_clear_free(y);
1847
1848 return (struct crypto_ec_point *) elem;
1849 }
1850
1851
crypto_ec_point_add(struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b,struct crypto_ec_point * c)1852 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
1853 const struct crypto_ec_point *b,
1854 struct crypto_ec_point *c)
1855 {
1856 if (TEST_FAIL())
1857 return -1;
1858 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
1859 (const EC_POINT *) b, e->bnctx) ? 0 : -1;
1860 }
1861
1862
crypto_ec_point_mul(struct crypto_ec * e,const struct crypto_ec_point * p,const struct crypto_bignum * b,struct crypto_ec_point * res)1863 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
1864 const struct crypto_bignum *b,
1865 struct crypto_ec_point *res)
1866 {
1867 if (TEST_FAIL())
1868 return -1;
1869 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
1870 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
1871 ? 0 : -1;
1872 }
1873
1874
crypto_ec_point_invert(struct crypto_ec * e,struct crypto_ec_point * p)1875 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
1876 {
1877 if (TEST_FAIL())
1878 return -1;
1879 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
1880 }
1881
1882
crypto_ec_point_solve_y_coord(struct crypto_ec * e,struct crypto_ec_point * p,const struct crypto_bignum * x,int y_bit)1883 int crypto_ec_point_solve_y_coord(struct crypto_ec *e,
1884 struct crypto_ec_point *p,
1885 const struct crypto_bignum *x, int y_bit)
1886 {
1887 if (TEST_FAIL())
1888 return -1;
1889 if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p,
1890 (const BIGNUM *) x, y_bit,
1891 e->bnctx) ||
1892 !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx))
1893 return -1;
1894 return 0;
1895 }
1896
1897
1898 struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec * e,const struct crypto_bignum * x)1899 crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
1900 const struct crypto_bignum *x)
1901 {
1902 BIGNUM *tmp, *tmp2, *y_sqr = NULL;
1903
1904 if (TEST_FAIL())
1905 return NULL;
1906
1907 tmp = BN_new();
1908 tmp2 = BN_new();
1909
1910 /* y^2 = x^3 + ax + b */
1911 if (tmp && tmp2 &&
1912 BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1913 BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1914 BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) &&
1915 BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) &&
1916 BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) {
1917 y_sqr = tmp2;
1918 tmp2 = NULL;
1919 }
1920
1921 BN_clear_free(tmp);
1922 BN_clear_free(tmp2);
1923
1924 return (struct crypto_bignum *) y_sqr;
1925 }
1926
1927
crypto_ec_point_is_at_infinity(struct crypto_ec * e,const struct crypto_ec_point * p)1928 int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
1929 const struct crypto_ec_point *p)
1930 {
1931 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
1932 }
1933
1934
crypto_ec_point_is_on_curve(struct crypto_ec * e,const struct crypto_ec_point * p)1935 int crypto_ec_point_is_on_curve(struct crypto_ec *e,
1936 const struct crypto_ec_point *p)
1937 {
1938 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
1939 e->bnctx) == 1;
1940 }
1941
1942
crypto_ec_point_cmp(const struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b)1943 int crypto_ec_point_cmp(const struct crypto_ec *e,
1944 const struct crypto_ec_point *a,
1945 const struct crypto_ec_point *b)
1946 {
1947 return EC_POINT_cmp(e->group, (const EC_POINT *) a,
1948 (const EC_POINT *) b, e->bnctx);
1949 }
1950
1951
1952 struct crypto_ecdh {
1953 struct crypto_ec *ec;
1954 EVP_PKEY *pkey;
1955 };
1956
crypto_ecdh_init(int group)1957 struct crypto_ecdh * crypto_ecdh_init(int group)
1958 {
1959 struct crypto_ecdh *ecdh;
1960 EVP_PKEY *params = NULL;
1961 EC_KEY *ec_params = NULL;
1962 EVP_PKEY_CTX *kctx = NULL;
1963
1964 ecdh = os_zalloc(sizeof(*ecdh));
1965 if (!ecdh)
1966 goto fail;
1967
1968 ecdh->ec = crypto_ec_init(group);
1969 if (!ecdh->ec)
1970 goto fail;
1971
1972 ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid);
1973 if (!ec_params) {
1974 wpa_printf(MSG_ERROR,
1975 "OpenSSL: Failed to generate EC_KEY parameters");
1976 goto fail;
1977 }
1978 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
1979 params = EVP_PKEY_new();
1980 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
1981 wpa_printf(MSG_ERROR,
1982 "OpenSSL: Failed to generate EVP_PKEY parameters");
1983 goto fail;
1984 }
1985
1986 kctx = EVP_PKEY_CTX_new(params, NULL);
1987 if (!kctx)
1988 goto fail;
1989
1990 if (EVP_PKEY_keygen_init(kctx) != 1) {
1991 wpa_printf(MSG_ERROR,
1992 "OpenSSL: EVP_PKEY_keygen_init failed: %s",
1993 ERR_error_string(ERR_get_error(), NULL));
1994 goto fail;
1995 }
1996
1997 if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) {
1998 wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s",
1999 ERR_error_string(ERR_get_error(), NULL));
2000 goto fail;
2001 }
2002
2003 done:
2004 EC_KEY_free(ec_params);
2005 EVP_PKEY_free(params);
2006 EVP_PKEY_CTX_free(kctx);
2007
2008 return ecdh;
2009 fail:
2010 crypto_ecdh_deinit(ecdh);
2011 ecdh = NULL;
2012 goto done;
2013 }
2014
2015
crypto_ecdh_get_pubkey(struct crypto_ecdh * ecdh,int inc_y)2016 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y)
2017 {
2018 struct wpabuf *buf = NULL;
2019 EC_KEY *eckey;
2020 const EC_POINT *pubkey;
2021 BIGNUM *x, *y = NULL;
2022 int len = BN_num_bytes(ecdh->ec->prime);
2023 int res;
2024
2025 eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey);
2026 if (!eckey)
2027 return NULL;
2028
2029 pubkey = EC_KEY_get0_public_key(eckey);
2030 if (!pubkey)
2031 return NULL;
2032
2033 x = BN_new();
2034 if (inc_y) {
2035 y = BN_new();
2036 if (!y)
2037 goto fail;
2038 }
2039 buf = wpabuf_alloc(inc_y ? 2 * len : len);
2040 if (!x || !buf)
2041 goto fail;
2042
2043 if (EC_POINT_get_affine_coordinates_GFp(ecdh->ec->group, pubkey,
2044 x, y, ecdh->ec->bnctx) != 1) {
2045 wpa_printf(MSG_ERROR,
2046 "OpenSSL: EC_POINT_get_affine_coordinates_GFp failed: %s",
2047 ERR_error_string(ERR_get_error(), NULL));
2048 goto fail;
2049 }
2050
2051 res = crypto_bignum_to_bin((struct crypto_bignum *) x,
2052 wpabuf_put(buf, len), len, len);
2053 if (res < 0)
2054 goto fail;
2055
2056 if (inc_y) {
2057 res = crypto_bignum_to_bin((struct crypto_bignum *) y,
2058 wpabuf_put(buf, len), len, len);
2059 if (res < 0)
2060 goto fail;
2061 }
2062
2063 done:
2064 BN_clear_free(x);
2065 BN_clear_free(y);
2066 EC_KEY_free(eckey);
2067
2068 return buf;
2069 fail:
2070 wpabuf_free(buf);
2071 buf = NULL;
2072 goto done;
2073 }
2074
2075
crypto_ecdh_set_peerkey(struct crypto_ecdh * ecdh,int inc_y,const u8 * key,size_t len)2076 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
2077 const u8 *key, size_t len)
2078 {
2079 BIGNUM *x, *y = NULL;
2080 EVP_PKEY_CTX *ctx = NULL;
2081 EVP_PKEY *peerkey = NULL;
2082 struct wpabuf *secret = NULL;
2083 size_t secret_len;
2084 EC_POINT *pub;
2085 EC_KEY *eckey = NULL;
2086
2087 x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL);
2088 pub = EC_POINT_new(ecdh->ec->group);
2089 if (!x || !pub)
2090 goto fail;
2091
2092 if (inc_y) {
2093 y = BN_bin2bn(key + len / 2, len / 2, NULL);
2094 if (!y)
2095 goto fail;
2096 if (!EC_POINT_set_affine_coordinates_GFp(ecdh->ec->group, pub,
2097 x, y,
2098 ecdh->ec->bnctx)) {
2099 wpa_printf(MSG_ERROR,
2100 "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
2101 ERR_error_string(ERR_get_error(), NULL));
2102 goto fail;
2103 }
2104 } else if (!EC_POINT_set_compressed_coordinates_GFp(ecdh->ec->group,
2105 pub, x, 0,
2106 ecdh->ec->bnctx)) {
2107 wpa_printf(MSG_ERROR,
2108 "OpenSSL: EC_POINT_set_compressed_coordinates_GFp failed: %s",
2109 ERR_error_string(ERR_get_error(), NULL));
2110 goto fail;
2111 }
2112
2113 if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) {
2114 wpa_printf(MSG_ERROR,
2115 "OpenSSL: ECDH peer public key is not on curve");
2116 goto fail;
2117 }
2118
2119 eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2120 if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) {
2121 wpa_printf(MSG_ERROR,
2122 "OpenSSL: EC_KEY_set_public_key failed: %s",
2123 ERR_error_string(ERR_get_error(), NULL));
2124 goto fail;
2125 }
2126
2127 peerkey = EVP_PKEY_new();
2128 if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1)
2129 goto fail;
2130
2131 ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
2132 if (!ctx || EVP_PKEY_derive_init(ctx) != 1 ||
2133 EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
2134 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) {
2135 wpa_printf(MSG_ERROR,
2136 "OpenSSL: EVP_PKEY_derive(1) failed: %s",
2137 ERR_error_string(ERR_get_error(), NULL));
2138 goto fail;
2139 }
2140
2141 secret = wpabuf_alloc(secret_len);
2142 if (!secret)
2143 goto fail;
2144 if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
2145 wpa_printf(MSG_ERROR,
2146 "OpenSSL: EVP_PKEY_derive(2) failed: %s",
2147 ERR_error_string(ERR_get_error(), NULL));
2148 goto fail;
2149 }
2150 if (secret->size != secret_len)
2151 wpa_printf(MSG_DEBUG,
2152 "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
2153 (int) secret->size, (int) secret_len);
2154 wpabuf_put(secret, secret_len);
2155
2156 done:
2157 BN_free(x);
2158 BN_free(y);
2159 EC_KEY_free(eckey);
2160 EC_POINT_free(pub);
2161 EVP_PKEY_CTX_free(ctx);
2162 EVP_PKEY_free(peerkey);
2163 return secret;
2164 fail:
2165 wpabuf_free(secret);
2166 secret = NULL;
2167 goto done;
2168 }
2169
2170
crypto_ecdh_deinit(struct crypto_ecdh * ecdh)2171 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
2172 {
2173 if (ecdh) {
2174 crypto_ec_deinit(ecdh->ec);
2175 EVP_PKEY_free(ecdh->pkey);
2176 os_free(ecdh);
2177 }
2178 }
2179
2180
crypto_ecdh_prime_len(struct crypto_ecdh * ecdh)2181 size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
2182 {
2183 return crypto_ec_prime_len(ecdh->ec);
2184 }
2185
2186
2187 struct crypto_ec_key {
2188 EVP_PKEY *pkey;
2189 EC_KEY *eckey;
2190 };
2191
2192
crypto_ec_key_parse_priv(const u8 * der,size_t der_len)2193 struct crypto_ec_key * crypto_ec_key_parse_priv(const u8 *der, size_t der_len)
2194 {
2195 struct crypto_ec_key *key;
2196
2197 key = os_zalloc(sizeof(*key));
2198 if (!key)
2199 return NULL;
2200
2201 key->eckey = d2i_ECPrivateKey(NULL, &der, der_len);
2202 if (!key->eckey) {
2203 wpa_printf(MSG_INFO, "OpenSSL: d2i_ECPrivateKey() failed: %s",
2204 ERR_error_string(ERR_get_error(), NULL));
2205 goto fail;
2206 }
2207 EC_KEY_set_conv_form(key->eckey, POINT_CONVERSION_COMPRESSED);
2208
2209 key->pkey = EVP_PKEY_new();
2210 if (!key->pkey || EVP_PKEY_assign_EC_KEY(key->pkey, key->eckey) != 1) {
2211 EC_KEY_free(key->eckey);
2212 key->eckey = NULL;
2213 goto fail;
2214 }
2215
2216 return key;
2217 fail:
2218 crypto_ec_key_deinit(key);
2219 return NULL;
2220 }
2221
2222
crypto_ec_key_parse_pub(const u8 * der,size_t der_len)2223 struct crypto_ec_key * crypto_ec_key_parse_pub(const u8 *der, size_t der_len)
2224 {
2225 struct crypto_ec_key *key;
2226
2227 key = os_zalloc(sizeof(*key));
2228 if (!key)
2229 return NULL;
2230
2231 key->pkey = d2i_PUBKEY(NULL, &der, der_len);
2232 if (!key->pkey) {
2233 wpa_printf(MSG_INFO, "OpenSSL: d2i_PUBKEY() failed: %s",
2234 ERR_error_string(ERR_get_error(), NULL));
2235 goto fail;
2236 }
2237
2238 key->eckey = EVP_PKEY_get0_EC_KEY(key->pkey);
2239 if (!key->eckey)
2240 goto fail;
2241 return key;
2242 fail:
2243 crypto_ec_key_deinit(key);
2244 return NULL;
2245 }
2246
2247
crypto_ec_key_deinit(struct crypto_ec_key * key)2248 void crypto_ec_key_deinit(struct crypto_ec_key *key)
2249 {
2250 if (key) {
2251 EVP_PKEY_free(key->pkey);
2252 os_free(key);
2253 }
2254 }
2255
2256
crypto_ec_key_get_subject_public_key(struct crypto_ec_key * key)2257 struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
2258 {
2259 unsigned char *der = NULL;
2260 int der_len;
2261 struct wpabuf *buf;
2262
2263 der_len = i2d_PUBKEY(key->pkey, &der);
2264 if (der_len <= 0) {
2265 wpa_printf(MSG_INFO, "OpenSSL: i2d_PUBKEY() failed: %s",
2266 ERR_error_string(ERR_get_error(), NULL));
2267 return NULL;
2268 }
2269
2270 buf = wpabuf_alloc_copy(der, der_len);
2271 OPENSSL_free(der);
2272 return buf;
2273 }
2274
2275
crypto_ec_key_sign(struct crypto_ec_key * key,const u8 * data,size_t len)2276 struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
2277 size_t len)
2278 {
2279 EVP_PKEY_CTX *pkctx;
2280 struct wpabuf *sig_der;
2281 size_t sig_len;
2282
2283 sig_len = EVP_PKEY_size(key->pkey);
2284 sig_der = wpabuf_alloc(sig_len);
2285 if (!sig_der)
2286 return NULL;
2287
2288 pkctx = EVP_PKEY_CTX_new(key->pkey, NULL);
2289 if (!pkctx ||
2290 EVP_PKEY_sign_init(pkctx) <= 0 ||
2291 EVP_PKEY_sign(pkctx, wpabuf_put(sig_der, 0), &sig_len,
2292 data, len) <= 0) {
2293 wpabuf_free(sig_der);
2294 sig_der = NULL;
2295 } else {
2296 wpabuf_put(sig_der, sig_len);
2297 }
2298
2299 EVP_PKEY_CTX_free(pkctx);
2300 return sig_der;
2301 }
2302
2303
crypto_ec_key_verify_signature(struct crypto_ec_key * key,const u8 * data,size_t len,const u8 * sig,size_t sig_len)2304 int crypto_ec_key_verify_signature(struct crypto_ec_key *key, const u8 *data,
2305 size_t len, const u8 *sig, size_t sig_len)
2306 {
2307 EVP_PKEY_CTX *pkctx;
2308 int ret;
2309
2310 pkctx = EVP_PKEY_CTX_new(key->pkey, NULL);
2311 if (!pkctx || EVP_PKEY_verify_init(pkctx) <= 0) {
2312 EVP_PKEY_CTX_free(pkctx);
2313 return -1;
2314 }
2315
2316 ret = EVP_PKEY_verify(pkctx, sig, sig_len, data, len);
2317 EVP_PKEY_CTX_free(pkctx);
2318 if (ret == 1)
2319 return 1; /* signature ok */
2320 if (ret == 0)
2321 return 0; /* incorrect signature */
2322 return -1;
2323 }
2324
2325
crypto_ec_key_group(struct crypto_ec_key * key)2326 int crypto_ec_key_group(struct crypto_ec_key *key)
2327 {
2328 const EC_GROUP *group;
2329 int nid;
2330
2331 group = EC_KEY_get0_group(key->eckey);
2332 if (!group)
2333 return -1;
2334 nid = EC_GROUP_get_curve_name(group);
2335 switch (nid) {
2336 case NID_X9_62_prime256v1:
2337 return 19;
2338 case NID_secp384r1:
2339 return 20;
2340 case NID_secp521r1:
2341 return 21;
2342 }
2343 return -1;
2344 }
2345
2346 #endif /* CONFIG_ECC */
2347