1 /*
2 * Wrapper functions for OpenSSL libcrypto
3 * Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #include <openssl/opensslv.h>
11 #include <openssl/err.h>
12 #include <openssl/des.h>
13 #include <openssl/aes.h>
14 #include <openssl/bn.h>
15 #include <openssl/evp.h>
16 #include <openssl/dh.h>
17 #include <openssl/hmac.h>
18 #include <openssl/rand.h>
19 #include <openssl/rsa.h>
20 #include <openssl/pem.h>
21 #ifdef CONFIG_ECC
22 #include <openssl/ec.h>
23 #include <openssl/x509.h>
24 #endif /* CONFIG_ECC */
25 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
26 #include <openssl/provider.h>
27 #include <openssl/core_names.h>
28 #include <openssl/param_build.h>
29 #include <openssl/encoder.h>
30 #include <openssl/decoder.h>
31 #else /* OpenSSL version >= 3.0 */
32 #include <openssl/cmac.h>
33 #endif /* OpenSSL version >= 3.0 */
34
35 #include "common.h"
36 #include "utils/const_time.h"
37 #include "wpabuf.h"
38 #include "dh_group5.h"
39 #include "sha1.h"
40 #include "sha256.h"
41 #include "sha384.h"
42 #include "sha512.h"
43 #include "md5.h"
44 #include "aes_wrap.h"
45 #include "crypto.h"
46
47 #if OPENSSL_VERSION_NUMBER < 0x10100000L
48 /* Compatibility wrappers for older versions. */
49
HMAC_CTX_new(void)50 static HMAC_CTX * HMAC_CTX_new(void)
51 {
52 HMAC_CTX *ctx;
53
54 ctx = os_zalloc(sizeof(*ctx));
55 if (ctx)
56 HMAC_CTX_init(ctx);
57 return ctx;
58 }
59
60
HMAC_CTX_free(HMAC_CTX * ctx)61 static void HMAC_CTX_free(HMAC_CTX *ctx)
62 {
63 if (!ctx)
64 return;
65 HMAC_CTX_cleanup(ctx);
66 bin_clear_free(ctx, sizeof(*ctx));
67 }
68
69
EVP_MD_CTX_new(void)70 static EVP_MD_CTX * EVP_MD_CTX_new(void)
71 {
72 EVP_MD_CTX *ctx;
73
74 ctx = os_zalloc(sizeof(*ctx));
75 if (ctx)
76 EVP_MD_CTX_init(ctx);
77 return ctx;
78 }
79
80
EVP_MD_CTX_free(EVP_MD_CTX * ctx)81 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
82 {
83 if (!ctx)
84 return;
85 EVP_MD_CTX_cleanup(ctx);
86 bin_clear_free(ctx, sizeof(*ctx));
87 }
88
89
90 #ifdef CONFIG_ECC
91
EVP_PKEY_get0_EC_KEY(EVP_PKEY * pkey)92 static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
93 {
94 if (pkey->type != EVP_PKEY_EC)
95 return NULL;
96 return pkey->pkey.ec;
97 }
98
99
ECDSA_SIG_set0(ECDSA_SIG * sig,BIGNUM * r,BIGNUM * s)100 static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
101 {
102 sig->r = r;
103 sig->s = s;
104 return 1;
105 }
106
107
ECDSA_SIG_get0(const ECDSA_SIG * sig,const BIGNUM ** pr,const BIGNUM ** ps)108 static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,
109 const BIGNUM **ps)
110 {
111 if (pr)
112 *pr = sig->r;
113 if (ps)
114 *ps = sig->s;
115 }
116
117 #endif /* CONFIG_ECC */
118
ASN1_STRING_get0_data(const ASN1_STRING * x)119 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
120 {
121 return ASN1_STRING_data((ASN1_STRING *) x);
122 }
123
124
X509_get0_notBefore(const X509 * x)125 static const ASN1_TIME * X509_get0_notBefore(const X509 *x)
126 {
127 return X509_get_notBefore(x);
128 }
129
130
X509_get0_notAfter(const X509 * x)131 static const ASN1_TIME * X509_get0_notAfter(const X509 *x)
132 {
133 return X509_get_notAfter(x);
134 }
135
136 #endif /* OpenSSL version < 1.1.0 */
137
138
139 #if OPENSSL_VERSION_NUMBER < 0x10101000L || \
140 (defined(LIBRESSL_VERSION_NUMBER) && \
141 LIBRESSL_VERSION_NUMBER < 0x30400000L)
142
EC_POINT_get_affine_coordinates(const EC_GROUP * group,const EC_POINT * point,BIGNUM * x,BIGNUM * y,BN_CTX * ctx)143 static int EC_POINT_get_affine_coordinates(const EC_GROUP *group,
144 const EC_POINT *point, BIGNUM *x,
145 BIGNUM *y, BN_CTX *ctx)
146 {
147 return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
148 }
149
150
EC_POINT_set_affine_coordinates(const EC_GROUP * group,EC_POINT * point,const BIGNUM * x,const BIGNUM * y,BN_CTX * ctx)151 static int EC_POINT_set_affine_coordinates(const EC_GROUP *group,
152 EC_POINT *point, const BIGNUM *x,
153 const BIGNUM *y, BN_CTX *ctx)
154 {
155 return EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx);
156 }
157
158 #endif /* OpenSSL version < 1.1.1 */
159
160
161 #if OPENSSL_VERSION_NUMBER < 0x10101000L || \
162 defined(OPENSSL_IS_BORINGSSL) || \
163 (defined(LIBRESSL_VERSION_NUMBER) && \
164 LIBRESSL_VERSION_NUMBER < 0x30400000L)
165
EC_POINT_set_compressed_coordinates(const EC_GROUP * group,EC_POINT * point,const BIGNUM * x,int y_bit,BN_CTX * ctx)166 static int EC_POINT_set_compressed_coordinates(const EC_GROUP *group,
167 EC_POINT *point, const BIGNUM *x,
168 int y_bit, BN_CTX *ctx)
169 {
170 return EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit,
171 ctx);
172 }
173
174
EC_GROUP_get_curve(const EC_GROUP * group,BIGNUM * p,BIGNUM * a,BIGNUM * b,BN_CTX * ctx)175 static int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
176 BIGNUM *b, BN_CTX *ctx)
177 {
178 return EC_GROUP_get_curve_GFp(group, p, a, b, ctx);
179 }
180
181 #endif /* OpenSSL version < 1.1.1 */
182
183
184 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
185 static OSSL_PROVIDER *openssl_legacy_provider = NULL;
186 #endif /* OpenSSL version >= 3.0 */
187
openssl_load_legacy_provider(void)188 void openssl_load_legacy_provider(void)
189 {
190 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
191 if (openssl_legacy_provider)
192 return;
193
194 openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1);
195 #endif /* OpenSSL version >= 3.0 */
196 }
197
198
openssl_unload_legacy_provider(void)199 static void openssl_unload_legacy_provider(void)
200 {
201 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
202 if (openssl_legacy_provider) {
203 OSSL_PROVIDER_unload(openssl_legacy_provider);
204 openssl_legacy_provider = NULL;
205 }
206 #endif /* OpenSSL version >= 3.0 */
207 }
208
209
210 #if OPENSSL_VERSION_NUMBER < 0x30000000L
211
get_group5_prime(void)212 static BIGNUM * get_group5_prime(void)
213 {
214 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
215 return BN_get_rfc3526_prime_1536(NULL);
216 #elif !defined(OPENSSL_IS_BORINGSSL)
217 return get_rfc3526_prime_1536(NULL);
218 #else
219 static const unsigned char RFC3526_PRIME_1536[] = {
220 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
221 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
222 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
223 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
224 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
225 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
226 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
227 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
228 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
229 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
230 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
231 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
232 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
233 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
234 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
235 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
236 };
237 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
238 #endif
239 }
240
241
get_group5_order(void)242 static BIGNUM * get_group5_order(void)
243 {
244 static const unsigned char RFC3526_ORDER_1536[] = {
245 0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE4,0x87,0xED,0x51,
246 0x10,0xB4,0x61,0x1A,0x62,0x63,0x31,0x45,0xC0,0x6E,0x0E,0x68,
247 0x94,0x81,0x27,0x04,0x45,0x33,0xE6,0x3A,0x01,0x05,0xDF,0x53,
248 0x1D,0x89,0xCD,0x91,0x28,0xA5,0x04,0x3C,0xC7,0x1A,0x02,0x6E,
249 0xF7,0xCA,0x8C,0xD9,0xE6,0x9D,0x21,0x8D,0x98,0x15,0x85,0x36,
250 0xF9,0x2F,0x8A,0x1B,0xA7,0xF0,0x9A,0xB6,0xB6,0xA8,0xE1,0x22,
251 0xF2,0x42,0xDA,0xBB,0x31,0x2F,0x3F,0x63,0x7A,0x26,0x21,0x74,
252 0xD3,0x1B,0xF6,0xB5,0x85,0xFF,0xAE,0x5B,0x7A,0x03,0x5B,0xF6,
253 0xF7,0x1C,0x35,0xFD,0xAD,0x44,0xCF,0xD2,0xD7,0x4F,0x92,0x08,
254 0xBE,0x25,0x8F,0xF3,0x24,0x94,0x33,0x28,0xF6,0x72,0x2D,0x9E,
255 0xE1,0x00,0x3E,0x5C,0x50,0xB1,0xDF,0x82,0xCC,0x6D,0x24,0x1B,
256 0x0E,0x2A,0xE9,0xCD,0x34,0x8B,0x1F,0xD4,0x7E,0x92,0x67,0xAF,
257 0xC1,0xB2,0xAE,0x91,0xEE,0x51,0xD6,0xCB,0x0E,0x31,0x79,0xAB,
258 0x10,0x42,0xA9,0x5D,0xCF,0x6A,0x94,0x83,0xB8,0x4B,0x4B,0x36,
259 0xB3,0x86,0x1A,0xA7,0x25,0x5E,0x4C,0x02,0x78,0xBA,0x36,0x04,
260 0x65,0x11,0xB9,0x93,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
261 };
262 return BN_bin2bn(RFC3526_ORDER_1536, sizeof(RFC3526_ORDER_1536), NULL);
263 }
264
265 #endif /* OpenSSL version < 3.0 */
266
267
268 #ifdef OPENSSL_NO_SHA256
269 #define NO_SHA256_WRAPPER
270 #endif
271 #ifdef OPENSSL_NO_SHA512
272 #define NO_SHA384_WRAPPER
273 #endif
274
openssl_digest_vector(const EVP_MD * type,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)275 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
276 const u8 *addr[], const size_t *len, u8 *mac)
277 {
278 EVP_MD_CTX *ctx;
279 size_t i;
280 unsigned int mac_len;
281
282 if (TEST_FAIL())
283 return -1;
284
285 ctx = EVP_MD_CTX_new();
286 if (!ctx)
287 return -1;
288 if (!EVP_DigestInit_ex(ctx, type, NULL)) {
289 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
290 ERR_error_string(ERR_get_error(), NULL));
291 EVP_MD_CTX_free(ctx);
292 return -1;
293 }
294 for (i = 0; i < num_elem; i++) {
295 if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
296 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
297 "failed: %s",
298 ERR_error_string(ERR_get_error(), NULL));
299 EVP_MD_CTX_free(ctx);
300 return -1;
301 }
302 }
303 if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
304 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
305 ERR_error_string(ERR_get_error(), NULL));
306 EVP_MD_CTX_free(ctx);
307 return -1;
308 }
309 EVP_MD_CTX_free(ctx);
310
311 return 0;
312 }
313
314
315 #ifndef CONFIG_FIPS
316
md4_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)317 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
318 {
319 openssl_load_legacy_provider();
320 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
321 }
322
323
des_encrypt(const u8 * clear,const u8 * key,u8 * cypher)324 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
325 {
326 u8 pkey[8], next, tmp;
327 int i, plen, ret = -1;
328 EVP_CIPHER_CTX *ctx;
329
330 openssl_load_legacy_provider();
331
332 /* Add parity bits to the key */
333 next = 0;
334 for (i = 0; i < 7; i++) {
335 tmp = key[i];
336 pkey[i] = (tmp >> i) | next | 1;
337 next = tmp << (7 - i);
338 }
339 pkey[i] = next | 1;
340
341 ctx = EVP_CIPHER_CTX_new();
342 if (ctx &&
343 EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, pkey, NULL) == 1 &&
344 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
345 EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 &&
346 EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen) == 1)
347 ret = 0;
348 else
349 wpa_printf(MSG_ERROR, "OpenSSL: DES encrypt failed");
350
351 if (ctx)
352 EVP_CIPHER_CTX_free(ctx);
353 return ret;
354 }
355
356
357 #ifndef CONFIG_NO_RC4
rc4_skip(const u8 * key,size_t keylen,size_t skip,u8 * data,size_t data_len)358 int rc4_skip(const u8 *key, size_t keylen, size_t skip,
359 u8 *data, size_t data_len)
360 {
361 #ifdef OPENSSL_NO_RC4
362 return -1;
363 #else /* OPENSSL_NO_RC4 */
364 EVP_CIPHER_CTX *ctx;
365 int outl;
366 int res = -1;
367 unsigned char skip_buf[16];
368
369 openssl_load_legacy_provider();
370
371 ctx = EVP_CIPHER_CTX_new();
372 if (!ctx ||
373 !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
374 !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
375 !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
376 !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
377 goto out;
378
379 while (skip >= sizeof(skip_buf)) {
380 size_t len = skip;
381 if (len > sizeof(skip_buf))
382 len = sizeof(skip_buf);
383 if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
384 goto out;
385 skip -= len;
386 }
387
388 if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
389 res = 0;
390
391 out:
392 if (ctx)
393 EVP_CIPHER_CTX_free(ctx);
394 return res;
395 #endif /* OPENSSL_NO_RC4 */
396 }
397 #endif /* CONFIG_NO_RC4 */
398
399
md5_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)400 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
401 {
402 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
403 }
404
405 #endif /* CONFIG_FIPS */
406
407
sha1_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)408 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
409 {
410 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
411 }
412
413
414 #ifndef NO_SHA256_WRAPPER
sha256_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)415 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
416 u8 *mac)
417 {
418 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
419 }
420 #endif /* NO_SHA256_WRAPPER */
421
422
423 #ifndef NO_SHA384_WRAPPER
sha384_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)424 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
425 u8 *mac)
426 {
427 return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);
428 }
429 #endif /* NO_SHA384_WRAPPER */
430
431
432 #ifndef NO_SHA512_WRAPPER
sha512_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)433 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
434 u8 *mac)
435 {
436 return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
437 }
438 #endif /* NO_SHA512_WRAPPER */
439
440
aes_get_evp_cipher(size_t keylen)441 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
442 {
443 switch (keylen) {
444 case 16:
445 return EVP_aes_128_ecb();
446 case 24:
447 return EVP_aes_192_ecb();
448 case 32:
449 return EVP_aes_256_ecb();
450 default:
451 return NULL;
452 }
453 }
454
455
aes_encrypt_init(const u8 * key,size_t len)456 void * aes_encrypt_init(const u8 *key, size_t len)
457 {
458 EVP_CIPHER_CTX *ctx;
459 const EVP_CIPHER *type;
460
461 if (TEST_FAIL())
462 return NULL;
463
464 type = aes_get_evp_cipher(len);
465 if (!type) {
466 wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
467 __func__, (unsigned int) len);
468 return NULL;
469 }
470
471 ctx = EVP_CIPHER_CTX_new();
472 if (ctx == NULL)
473 return NULL;
474 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
475 EVP_CIPHER_CTX_free(ctx);
476 return NULL;
477 }
478 EVP_CIPHER_CTX_set_padding(ctx, 0);
479 return ctx;
480 }
481
482
aes_encrypt(void * ctx,const u8 * plain,u8 * crypt)483 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
484 {
485 EVP_CIPHER_CTX *c = ctx;
486 int clen = 16;
487 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
488 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
489 ERR_error_string(ERR_get_error(), NULL));
490 return -1;
491 }
492 return 0;
493 }
494
495
aes_encrypt_deinit(void * ctx)496 void aes_encrypt_deinit(void *ctx)
497 {
498 EVP_CIPHER_CTX *c = ctx;
499 u8 buf[16];
500 int len = sizeof(buf);
501 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
502 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
503 "%s", ERR_error_string(ERR_get_error(), NULL));
504 }
505 if (len != 0) {
506 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
507 "in AES encrypt", len);
508 }
509 EVP_CIPHER_CTX_free(c);
510 }
511
512
aes_decrypt_init(const u8 * key,size_t len)513 void * aes_decrypt_init(const u8 *key, size_t len)
514 {
515 EVP_CIPHER_CTX *ctx;
516 const EVP_CIPHER *type;
517
518 if (TEST_FAIL())
519 return NULL;
520
521 type = aes_get_evp_cipher(len);
522 if (!type) {
523 wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
524 __func__, (unsigned int) len);
525 return NULL;
526 }
527
528 ctx = EVP_CIPHER_CTX_new();
529 if (ctx == NULL)
530 return NULL;
531 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
532 EVP_CIPHER_CTX_free(ctx);
533 return NULL;
534 }
535 EVP_CIPHER_CTX_set_padding(ctx, 0);
536 return ctx;
537 }
538
539
aes_decrypt(void * ctx,const u8 * crypt,u8 * plain)540 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
541 {
542 EVP_CIPHER_CTX *c = ctx;
543 int plen = 16;
544 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
545 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
546 ERR_error_string(ERR_get_error(), NULL));
547 return -1;
548 }
549 return 0;
550 }
551
552
aes_decrypt_deinit(void * ctx)553 void aes_decrypt_deinit(void *ctx)
554 {
555 EVP_CIPHER_CTX *c = ctx;
556 u8 buf[16];
557 int len = sizeof(buf);
558 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
559 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
560 "%s", ERR_error_string(ERR_get_error(), NULL));
561 }
562 if (len != 0) {
563 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
564 "in AES decrypt", len);
565 }
566 EVP_CIPHER_CTX_free(c);
567 }
568
569
570 #ifndef CONFIG_FIPS
571 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
572
573 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
aes_get_evp_wrap_cipher(size_t keylen)574 static const EVP_CIPHER * aes_get_evp_wrap_cipher(size_t keylen)
575 {
576 switch (keylen) {
577 case 16:
578 return EVP_aes_128_wrap();
579 case 24:
580 return EVP_aes_192_wrap();
581 case 32:
582 return EVP_aes_256_wrap();
583 default:
584 return NULL;
585 }
586 }
587 #endif /* OpenSSL version >= 3.0 */
588
589
aes_wrap(const u8 * kek,size_t kek_len,int n,const u8 * plain,u8 * cipher)590 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
591 {
592 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
593 EVP_CIPHER_CTX *ctx;
594 const EVP_CIPHER *type;
595 int ret = -1, len;
596 u8 buf[16];
597
598 if (TEST_FAIL())
599 return -1;
600
601 type = aes_get_evp_wrap_cipher(kek_len);
602 if (!type)
603 return -1;
604
605 ctx = EVP_CIPHER_CTX_new();
606 if (!ctx)
607 return -1;
608
609 if (EVP_EncryptInit_ex(ctx, type, NULL, kek, NULL) == 1 &&
610 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
611 EVP_EncryptUpdate(ctx, cipher, &len, plain, n * 8) == 1 &&
612 len == (n + 1) * 8 &&
613 EVP_EncryptFinal_ex(ctx, buf, &len) == 1)
614 ret = 0;
615
616 EVP_CIPHER_CTX_free(ctx);
617 return ret;
618 #else /* OpenSSL version >= 3.0 */
619 AES_KEY actx;
620 int res;
621
622 if (TEST_FAIL())
623 return -1;
624 if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
625 return -1;
626 res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
627 OPENSSL_cleanse(&actx, sizeof(actx));
628 return res <= 0 ? -1 : 0;
629 #endif /* OpenSSL version >= 3.0 */
630 }
631
632
aes_unwrap(const u8 * kek,size_t kek_len,int n,const u8 * cipher,u8 * plain)633 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
634 u8 *plain)
635 {
636 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
637 EVP_CIPHER_CTX *ctx;
638 const EVP_CIPHER *type;
639 int ret = -1, len;
640 u8 buf[16];
641
642 if (TEST_FAIL())
643 return -1;
644
645 type = aes_get_evp_wrap_cipher(kek_len);
646 if (!type)
647 return -1;
648
649 ctx = EVP_CIPHER_CTX_new();
650 if (!ctx)
651 return -1;
652
653 if (EVP_DecryptInit_ex(ctx, type, NULL, kek, NULL) == 1 &&
654 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
655 EVP_DecryptUpdate(ctx, plain, &len, cipher, (n + 1) * 8) == 1 &&
656 len == n * 8 &&
657 EVP_DecryptFinal_ex(ctx, buf, &len) == 1)
658 ret = 0;
659
660 EVP_CIPHER_CTX_free(ctx);
661 return ret;
662 #else /* OpenSSL version >= 3.0 */
663 AES_KEY actx;
664 int res;
665
666 if (TEST_FAIL())
667 return -1;
668 if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
669 return -1;
670 res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
671 OPENSSL_cleanse(&actx, sizeof(actx));
672 return res <= 0 ? -1 : 0;
673 #endif /* OpenSSL version >= 3.0 */
674 }
675
676 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
677 #endif /* CONFIG_FIPS */
678
679
aes_128_cbc_encrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)680 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
681 {
682 EVP_CIPHER_CTX *ctx;
683 int clen, len;
684 u8 buf[16];
685 int res = -1;
686
687 if (TEST_FAIL())
688 return -1;
689
690 ctx = EVP_CIPHER_CTX_new();
691 if (!ctx)
692 return -1;
693 clen = data_len;
694 len = sizeof(buf);
695 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
696 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
697 EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
698 clen == (int) data_len &&
699 EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
700 res = 0;
701 EVP_CIPHER_CTX_free(ctx);
702
703 return res;
704 }
705
706
aes_128_cbc_decrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)707 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
708 {
709 EVP_CIPHER_CTX *ctx;
710 int plen, len;
711 u8 buf[16];
712 int res = -1;
713
714 if (TEST_FAIL())
715 return -1;
716
717 ctx = EVP_CIPHER_CTX_new();
718 if (!ctx)
719 return -1;
720 plen = data_len;
721 len = sizeof(buf);
722 if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
723 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
724 EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
725 plen == (int) data_len &&
726 EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
727 res = 0;
728 EVP_CIPHER_CTX_free(ctx);
729
730 return res;
731
732 }
733
734
crypto_dh_init(u8 generator,const u8 * prime,size_t prime_len,u8 * privkey,u8 * pubkey)735 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
736 u8 *pubkey)
737 {
738 size_t pubkey_len, pad;
739
740 if (os_get_random(privkey, prime_len) < 0)
741 return -1;
742 if (os_memcmp(privkey, prime, prime_len) > 0) {
743 /* Make sure private value is smaller than prime */
744 privkey[0] = 0;
745 }
746
747 pubkey_len = prime_len;
748 if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
749 pubkey, &pubkey_len) < 0)
750 return -1;
751 if (pubkey_len < prime_len) {
752 pad = prime_len - pubkey_len;
753 os_memmove(pubkey + pad, pubkey, pubkey_len);
754 os_memset(pubkey, 0, pad);
755 }
756
757 return 0;
758 }
759
760
crypto_dh_derive_secret(u8 generator,const u8 * prime,size_t prime_len,const u8 * order,size_t order_len,const u8 * privkey,size_t privkey_len,const u8 * pubkey,size_t pubkey_len,u8 * secret,size_t * len)761 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
762 const u8 *order, size_t order_len,
763 const u8 *privkey, size_t privkey_len,
764 const u8 *pubkey, size_t pubkey_len,
765 u8 *secret, size_t *len)
766 {
767 BIGNUM *pub, *p;
768 int res = -1;
769
770 pub = BN_bin2bn(pubkey, pubkey_len, NULL);
771 p = BN_bin2bn(prime, prime_len, NULL);
772 if (!pub || !p || BN_is_zero(pub) || BN_is_one(pub) ||
773 BN_cmp(pub, p) >= 0)
774 goto fail;
775
776 if (order) {
777 BN_CTX *ctx;
778 BIGNUM *q, *tmp;
779 int failed;
780
781 /* verify: pubkey^q == 1 mod p */
782 q = BN_bin2bn(order, order_len, NULL);
783 ctx = BN_CTX_new();
784 tmp = BN_new();
785 failed = !q || !ctx || !tmp ||
786 !BN_mod_exp(tmp, pub, q, p, ctx) ||
787 !BN_is_one(tmp);
788 BN_clear_free(q);
789 BN_clear_free(tmp);
790 BN_CTX_free(ctx);
791 if (failed)
792 goto fail;
793 }
794
795 res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,
796 prime, prime_len, secret, len);
797 fail:
798 BN_clear_free(pub);
799 BN_clear_free(p);
800 return res;
801 }
802
803
crypto_mod_exp(const u8 * base,size_t base_len,const u8 * power,size_t power_len,const u8 * modulus,size_t modulus_len,u8 * result,size_t * result_len)804 int crypto_mod_exp(const u8 *base, size_t base_len,
805 const u8 *power, size_t power_len,
806 const u8 *modulus, size_t modulus_len,
807 u8 *result, size_t *result_len)
808 {
809 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
810 int ret = -1;
811 BN_CTX *ctx;
812
813 ctx = BN_CTX_new();
814 if (ctx == NULL)
815 return -1;
816
817 bn_base = BN_bin2bn(base, base_len, NULL);
818 bn_exp = BN_bin2bn(power, power_len, NULL);
819 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
820 bn_result = BN_new();
821
822 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
823 bn_result == NULL)
824 goto error;
825
826 if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
827 ctx, NULL) != 1)
828 goto error;
829
830 *result_len = BN_bn2bin(bn_result, result);
831 ret = 0;
832
833 error:
834 BN_clear_free(bn_base);
835 BN_clear_free(bn_exp);
836 BN_clear_free(bn_modulus);
837 BN_clear_free(bn_result);
838 BN_CTX_free(ctx);
839 return ret;
840 }
841
842
843 struct crypto_cipher {
844 EVP_CIPHER_CTX *enc;
845 EVP_CIPHER_CTX *dec;
846 };
847
848
crypto_cipher_init(enum crypto_cipher_alg alg,const u8 * iv,const u8 * key,size_t key_len)849 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
850 const u8 *iv, const u8 *key,
851 size_t key_len)
852 {
853 struct crypto_cipher *ctx;
854 const EVP_CIPHER *cipher;
855
856 ctx = os_zalloc(sizeof(*ctx));
857 if (ctx == NULL)
858 return NULL;
859
860 switch (alg) {
861 #ifndef CONFIG_NO_RC4
862 #ifndef OPENSSL_NO_RC4
863 case CRYPTO_CIPHER_ALG_RC4:
864 cipher = EVP_rc4();
865 break;
866 #endif /* OPENSSL_NO_RC4 */
867 #endif /* CONFIG_NO_RC4 */
868 #ifndef OPENSSL_NO_AES
869 case CRYPTO_CIPHER_ALG_AES:
870 switch (key_len) {
871 case 16:
872 cipher = EVP_aes_128_cbc();
873 break;
874 #ifndef OPENSSL_IS_BORINGSSL
875 case 24:
876 cipher = EVP_aes_192_cbc();
877 break;
878 #endif /* OPENSSL_IS_BORINGSSL */
879 case 32:
880 cipher = EVP_aes_256_cbc();
881 break;
882 default:
883 os_free(ctx);
884 return NULL;
885 }
886 break;
887 #endif /* OPENSSL_NO_AES */
888 #ifndef OPENSSL_NO_DES
889 case CRYPTO_CIPHER_ALG_3DES:
890 cipher = EVP_des_ede3_cbc();
891 break;
892 case CRYPTO_CIPHER_ALG_DES:
893 cipher = EVP_des_cbc();
894 break;
895 #endif /* OPENSSL_NO_DES */
896 #ifndef OPENSSL_NO_RC2
897 case CRYPTO_CIPHER_ALG_RC2:
898 cipher = EVP_rc2_ecb();
899 break;
900 #endif /* OPENSSL_NO_RC2 */
901 default:
902 os_free(ctx);
903 return NULL;
904 }
905
906 if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
907 !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
908 !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
909 !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
910 !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
911 if (ctx->enc)
912 EVP_CIPHER_CTX_free(ctx->enc);
913 os_free(ctx);
914 return NULL;
915 }
916
917 if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
918 !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
919 !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
920 !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
921 !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
922 EVP_CIPHER_CTX_free(ctx->enc);
923 if (ctx->dec)
924 EVP_CIPHER_CTX_free(ctx->dec);
925 os_free(ctx);
926 return NULL;
927 }
928
929 return ctx;
930 }
931
932
crypto_cipher_encrypt(struct crypto_cipher * ctx,const u8 * plain,u8 * crypt,size_t len)933 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
934 u8 *crypt, size_t len)
935 {
936 int outl;
937 if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
938 return -1;
939 return 0;
940 }
941
942
crypto_cipher_decrypt(struct crypto_cipher * ctx,const u8 * crypt,u8 * plain,size_t len)943 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
944 u8 *plain, size_t len)
945 {
946 int outl;
947 outl = len;
948 if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
949 return -1;
950 return 0;
951 }
952
953
crypto_cipher_deinit(struct crypto_cipher * ctx)954 void crypto_cipher_deinit(struct crypto_cipher *ctx)
955 {
956 EVP_CIPHER_CTX_free(ctx->enc);
957 EVP_CIPHER_CTX_free(ctx->dec);
958 os_free(ctx);
959 }
960
961
dh5_init(struct wpabuf ** priv,struct wpabuf ** publ)962 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
963 {
964 #if OPENSSL_VERSION_NUMBER < 0x10100000L
965 DH *dh;
966 struct wpabuf *pubkey = NULL, *privkey = NULL;
967 size_t publen, privlen;
968
969 *priv = NULL;
970 wpabuf_free(*publ);
971 *publ = NULL;
972
973 dh = DH_new();
974 if (dh == NULL)
975 return NULL;
976
977 dh->g = BN_new();
978 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
979 goto err;
980
981 dh->p = get_group5_prime();
982 if (dh->p == NULL)
983 goto err;
984
985 dh->q = get_group5_order();
986 if (!dh->q)
987 goto err;
988
989 if (DH_generate_key(dh) != 1)
990 goto err;
991
992 publen = BN_num_bytes(dh->pub_key);
993 pubkey = wpabuf_alloc(publen);
994 if (pubkey == NULL)
995 goto err;
996 privlen = BN_num_bytes(dh->priv_key);
997 privkey = wpabuf_alloc(privlen);
998 if (privkey == NULL)
999 goto err;
1000
1001 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
1002 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
1003
1004 *priv = privkey;
1005 *publ = pubkey;
1006 return dh;
1007
1008 err:
1009 wpabuf_clear_free(pubkey);
1010 wpabuf_clear_free(privkey);
1011 DH_free(dh);
1012 return NULL;
1013 #elif OPENSSL_VERSION_NUMBER >= 0x30000000L
1014 EVP_PKEY *pkey = NULL;
1015 OSSL_PARAM params[2];
1016 size_t pub_len = OSSL_PARAM_UNMODIFIED;
1017 size_t priv_len;
1018 struct wpabuf *pubkey = NULL, *privkey = NULL;
1019 BIGNUM *priv_bn = NULL;
1020 EVP_PKEY_CTX *gctx;
1021
1022 *priv = NULL;
1023 wpabuf_free(*publ);
1024 *publ = NULL;
1025
1026 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
1027 "modp_1536", 0);
1028 params[1] = OSSL_PARAM_construct_end();
1029
1030 gctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
1031 if (!gctx ||
1032 EVP_PKEY_keygen_init(gctx) != 1 ||
1033 EVP_PKEY_CTX_set_params(gctx, params) != 1 ||
1034 EVP_PKEY_generate(gctx, &pkey) != 1 ||
1035 EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY,
1036 &priv_bn) != 1 ||
1037 EVP_PKEY_get_octet_string_param(pkey,
1038 OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
1039 NULL, 0, &pub_len) < 0 ||
1040 pub_len == OSSL_PARAM_UNMODIFIED ||
1041 (priv_len = BN_num_bytes(priv_bn)) == 0 ||
1042 !(pubkey = wpabuf_alloc(pub_len)) ||
1043 !(privkey = wpabuf_alloc(priv_len)) ||
1044 EVP_PKEY_get_octet_string_param(pkey,
1045 OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
1046 wpabuf_put(pubkey, pub_len),
1047 pub_len, NULL) != 1) {
1048 wpa_printf(MSG_INFO, "OpenSSL: failed: %s",
1049 ERR_error_string(ERR_get_error(), NULL));
1050 wpabuf_free(pubkey);
1051 wpabuf_clear_free(privkey);
1052 EVP_PKEY_free(pkey);
1053 pkey = NULL;
1054 } else {
1055 BN_bn2bin(priv_bn, wpabuf_put(privkey, priv_len));
1056
1057 *priv = privkey;
1058 *publ = pubkey;
1059 }
1060
1061 BN_clear_free(priv_bn);
1062 EVP_PKEY_CTX_free(gctx);
1063 return pkey;
1064 #else
1065 DH *dh;
1066 struct wpabuf *pubkey = NULL, *privkey = NULL;
1067 size_t publen, privlen;
1068 BIGNUM *p, *g, *q;
1069 const BIGNUM *priv_key = NULL, *pub_key = NULL;
1070
1071 *priv = NULL;
1072 wpabuf_free(*publ);
1073 *publ = NULL;
1074
1075 dh = DH_new();
1076 if (dh == NULL)
1077 return NULL;
1078
1079 g = BN_new();
1080 p = get_group5_prime();
1081 q = get_group5_order();
1082 if (!g || BN_set_word(g, 2) != 1 || !p || !q ||
1083 DH_set0_pqg(dh, p, q, g) != 1)
1084 goto err;
1085 p = NULL;
1086 q = NULL;
1087 g = NULL;
1088
1089 if (DH_generate_key(dh) != 1)
1090 goto err;
1091
1092 DH_get0_key(dh, &pub_key, &priv_key);
1093 publen = BN_num_bytes(pub_key);
1094 pubkey = wpabuf_alloc(publen);
1095 if (!pubkey)
1096 goto err;
1097 privlen = BN_num_bytes(priv_key);
1098 privkey = wpabuf_alloc(privlen);
1099 if (!privkey)
1100 goto err;
1101
1102 BN_bn2bin(pub_key, wpabuf_put(pubkey, publen));
1103 BN_bn2bin(priv_key, wpabuf_put(privkey, privlen));
1104
1105 *priv = privkey;
1106 *publ = pubkey;
1107 return dh;
1108
1109 err:
1110 BN_free(p);
1111 BN_free(q);
1112 BN_free(g);
1113 wpabuf_clear_free(pubkey);
1114 wpabuf_clear_free(privkey);
1115 DH_free(dh);
1116 return NULL;
1117 #endif
1118 }
1119
1120
dh5_init_fixed(const struct wpabuf * priv,const struct wpabuf * publ)1121 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
1122 {
1123 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1124 DH *dh;
1125
1126 dh = DH_new();
1127 if (dh == NULL)
1128 return NULL;
1129
1130 dh->g = BN_new();
1131 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
1132 goto err;
1133
1134 dh->p = get_group5_prime();
1135 if (dh->p == NULL)
1136 goto err;
1137
1138 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
1139 if (dh->priv_key == NULL)
1140 goto err;
1141
1142 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
1143 if (dh->pub_key == NULL)
1144 goto err;
1145
1146 if (DH_generate_key(dh) != 1)
1147 goto err;
1148
1149 return dh;
1150
1151 err:
1152 DH_free(dh);
1153 return NULL;
1154 #elif OPENSSL_VERSION_NUMBER >= 0x30000000L
1155 EVP_PKEY *pkey = NULL;
1156 OSSL_PARAM_BLD *bld;
1157 OSSL_PARAM *params = NULL;
1158 BIGNUM *priv_key, *pub_key;
1159 EVP_PKEY_CTX *fctx;
1160
1161 fctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
1162 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
1163 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
1164 bld = OSSL_PARAM_BLD_new();
1165 if (!fctx || !priv_key || !pub_key || !bld ||
1166 OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME,
1167 "modp_1536", 0) != 1 ||
1168 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
1169 priv_key) != 1 ||
1170 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
1171 pub_key) != 1 ||
1172 !(params = OSSL_PARAM_BLD_to_param(bld)) ||
1173 EVP_PKEY_fromdata_init(fctx) != 1 ||
1174 EVP_PKEY_fromdata(fctx, &pkey, EVP_PKEY_KEYPAIR, params) != 1) {
1175 wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_fromdata failed: %s",
1176 ERR_error_string(ERR_get_error(), NULL));
1177 EVP_PKEY_free(pkey);
1178 pkey = NULL;
1179 }
1180
1181 BN_clear_free(priv_key);
1182 BN_free(pub_key);
1183 EVP_PKEY_CTX_free(fctx);
1184 OSSL_PARAM_BLD_free(bld);
1185 OSSL_PARAM_free(params);
1186 return pkey;
1187 #else
1188 DH *dh;
1189 BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL;
1190
1191 dh = DH_new();
1192 if (dh == NULL)
1193 return NULL;
1194
1195 g = BN_new();
1196 p = get_group5_prime();
1197 if (!g || BN_set_word(g, 2) != 1 || !p ||
1198 DH_set0_pqg(dh, p, NULL, g) != 1)
1199 goto err;
1200 p = NULL;
1201 g = NULL;
1202
1203 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
1204 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
1205 if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1)
1206 goto err;
1207 pub_key = NULL;
1208 priv_key = NULL;
1209
1210 if (DH_generate_key(dh) != 1)
1211 goto err;
1212
1213 return dh;
1214
1215 err:
1216 BN_free(p);
1217 BN_free(g);
1218 BN_free(pub_key);
1219 BN_clear_free(priv_key);
1220 DH_free(dh);
1221 return NULL;
1222 #endif
1223 }
1224
1225
dh5_derive_shared(void * ctx,const struct wpabuf * peer_public,const struct wpabuf * own_private)1226 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
1227 const struct wpabuf *own_private)
1228 {
1229 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1230 EVP_PKEY *pkey = ctx;
1231 EVP_PKEY *peer_pub;
1232 size_t len;
1233 struct wpabuf *res = NULL;
1234 EVP_PKEY_CTX *dctx = NULL;
1235
1236 peer_pub = EVP_PKEY_new();
1237 if (!pkey || !peer_pub ||
1238 EVP_PKEY_copy_parameters(peer_pub, pkey) != 1 ||
1239 EVP_PKEY_set1_encoded_public_key(peer_pub, wpabuf_head(peer_public),
1240 wpabuf_len(peer_public)) != 1 ||
1241 !(dctx = EVP_PKEY_CTX_new(pkey, NULL)) ||
1242 EVP_PKEY_derive_init(dctx) != 1 ||
1243 EVP_PKEY_derive_set_peer(dctx, peer_pub) != 1 ||
1244 EVP_PKEY_derive(dctx, NULL, &len) != 1 ||
1245 !(res = wpabuf_alloc(len)) ||
1246 EVP_PKEY_derive(dctx, wpabuf_mhead(res), &len) != 1) {
1247 wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_derive failed: %s",
1248 ERR_error_string(ERR_get_error(), NULL));
1249 wpabuf_free(res);
1250 res = NULL;
1251 } else {
1252 wpabuf_put(res, len);
1253 }
1254
1255 EVP_PKEY_free(peer_pub);
1256 EVP_PKEY_CTX_free(dctx);
1257 return res;
1258 #else /* OpenSSL version >= 3.0 */
1259 BIGNUM *pub_key;
1260 struct wpabuf *res = NULL;
1261 size_t rlen;
1262 DH *dh = ctx;
1263 int keylen;
1264
1265 if (ctx == NULL)
1266 return NULL;
1267
1268 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
1269 NULL);
1270 if (pub_key == NULL)
1271 return NULL;
1272
1273 rlen = DH_size(dh);
1274 res = wpabuf_alloc(rlen);
1275 if (res == NULL)
1276 goto err;
1277
1278 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
1279 if (keylen < 0)
1280 goto err;
1281 wpabuf_put(res, keylen);
1282 BN_clear_free(pub_key);
1283
1284 return res;
1285
1286 err:
1287 BN_clear_free(pub_key);
1288 wpabuf_clear_free(res);
1289 return NULL;
1290 #endif /* OpenSSL version >= 3.0 */
1291 }
1292
1293
dh5_free(void * ctx)1294 void dh5_free(void *ctx)
1295 {
1296 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1297 EVP_PKEY *pkey = ctx;
1298
1299 EVP_PKEY_free(pkey);
1300 #else /* OpenSSL version >= 3.0 */
1301 DH *dh;
1302 if (ctx == NULL)
1303 return;
1304 dh = ctx;
1305 DH_free(dh);
1306 #endif /* OpenSSL version >= 3.0 */
1307 }
1308
1309
1310 struct crypto_hash {
1311 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1312 EVP_MAC_CTX *ctx;
1313 #else /* OpenSSL version >= 3.0 */
1314 HMAC_CTX *ctx;
1315 #endif /* OpenSSL version >= 3.0 */
1316 };
1317
1318
crypto_hash_init(enum crypto_hash_alg alg,const u8 * key,size_t key_len)1319 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
1320 size_t key_len)
1321 {
1322 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1323 struct crypto_hash *ctx;
1324 EVP_MAC *mac;
1325 OSSL_PARAM params[2];
1326 char *a = NULL;
1327
1328 switch (alg) {
1329 #ifndef OPENSSL_NO_MD5
1330 case CRYPTO_HASH_ALG_HMAC_MD5:
1331 a = "MD5";
1332 break;
1333 #endif /* OPENSSL_NO_MD5 */
1334 #ifndef OPENSSL_NO_SHA
1335 case CRYPTO_HASH_ALG_HMAC_SHA1:
1336 a = "SHA1";
1337 break;
1338 #endif /* OPENSSL_NO_SHA */
1339 #ifndef OPENSSL_NO_SHA256
1340 #ifdef CONFIG_SHA256
1341 case CRYPTO_HASH_ALG_HMAC_SHA256:
1342 a = "SHA256";
1343 break;
1344 #endif /* CONFIG_SHA256 */
1345 #endif /* OPENSSL_NO_SHA256 */
1346 default:
1347 return NULL;
1348 }
1349
1350 mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
1351 if (!mac)
1352 return NULL;
1353
1354 params[0] = OSSL_PARAM_construct_utf8_string("digest", a, 0);
1355 params[1] = OSSL_PARAM_construct_end();
1356
1357 ctx = os_zalloc(sizeof(*ctx));
1358 if (!ctx)
1359 goto fail;
1360 ctx->ctx = EVP_MAC_CTX_new(mac);
1361 if (!ctx->ctx) {
1362 os_free(ctx);
1363 ctx = NULL;
1364 goto fail;
1365 }
1366
1367 if (EVP_MAC_init(ctx->ctx, key, key_len, params) != 1) {
1368 EVP_MAC_CTX_free(ctx->ctx);
1369 bin_clear_free(ctx, sizeof(*ctx));
1370 ctx = NULL;
1371 goto fail;
1372 }
1373
1374 fail:
1375 EVP_MAC_free(mac);
1376 return ctx;
1377 #else /* OpenSSL version >= 3.0 */
1378 struct crypto_hash *ctx;
1379 const EVP_MD *md;
1380
1381 switch (alg) {
1382 #ifndef OPENSSL_NO_MD5
1383 case CRYPTO_HASH_ALG_HMAC_MD5:
1384 md = EVP_md5();
1385 break;
1386 #endif /* OPENSSL_NO_MD5 */
1387 #ifndef OPENSSL_NO_SHA
1388 case CRYPTO_HASH_ALG_HMAC_SHA1:
1389 md = EVP_sha1();
1390 break;
1391 #endif /* OPENSSL_NO_SHA */
1392 #ifndef OPENSSL_NO_SHA256
1393 #ifdef CONFIG_SHA256
1394 case CRYPTO_HASH_ALG_HMAC_SHA256:
1395 md = EVP_sha256();
1396 break;
1397 #endif /* CONFIG_SHA256 */
1398 #endif /* OPENSSL_NO_SHA256 */
1399 default:
1400 return NULL;
1401 }
1402
1403 ctx = os_zalloc(sizeof(*ctx));
1404 if (ctx == NULL)
1405 return NULL;
1406 ctx->ctx = HMAC_CTX_new();
1407 if (!ctx->ctx) {
1408 os_free(ctx);
1409 return NULL;
1410 }
1411
1412 if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
1413 HMAC_CTX_free(ctx->ctx);
1414 bin_clear_free(ctx, sizeof(*ctx));
1415 return NULL;
1416 }
1417
1418 return ctx;
1419 #endif /* OpenSSL version >= 3.0 */
1420 }
1421
1422
crypto_hash_update(struct crypto_hash * ctx,const u8 * data,size_t len)1423 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
1424 {
1425 if (ctx == NULL)
1426 return;
1427 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1428 EVP_MAC_update(ctx->ctx, data, len);
1429 #else /* OpenSSL version >= 3.0 */
1430 HMAC_Update(ctx->ctx, data, len);
1431 #endif /* OpenSSL version >= 3.0 */
1432 }
1433
1434
crypto_hash_finish(struct crypto_hash * ctx,u8 * mac,size_t * len)1435 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
1436 {
1437 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1438 size_t mdlen;
1439 int res;
1440
1441 if (!ctx)
1442 return -2;
1443
1444 if (!mac || !len) {
1445 EVP_MAC_CTX_free(ctx->ctx);
1446 bin_clear_free(ctx, sizeof(*ctx));
1447 return 0;
1448 }
1449
1450 res = EVP_MAC_final(ctx->ctx, NULL, &mdlen, 0);
1451 if (res != 1) {
1452 EVP_MAC_CTX_free(ctx->ctx);
1453 bin_clear_free(ctx, sizeof(*ctx));
1454 return -1;
1455 }
1456 res = EVP_MAC_final(ctx->ctx, mac, &mdlen, mdlen);
1457 EVP_MAC_CTX_free(ctx->ctx);
1458 bin_clear_free(ctx, sizeof(*ctx));
1459
1460 if (TEST_FAIL())
1461 return -1;
1462
1463 if (res == 1) {
1464 *len = mdlen;
1465 return 0;
1466 }
1467
1468 return -1;
1469 #else /* OpenSSL version >= 3.0 */
1470 unsigned int mdlen;
1471 int res;
1472
1473 if (ctx == NULL)
1474 return -2;
1475
1476 if (mac == NULL || len == NULL) {
1477 HMAC_CTX_free(ctx->ctx);
1478 bin_clear_free(ctx, sizeof(*ctx));
1479 return 0;
1480 }
1481
1482 mdlen = *len;
1483 res = HMAC_Final(ctx->ctx, mac, &mdlen);
1484 HMAC_CTX_free(ctx->ctx);
1485 bin_clear_free(ctx, sizeof(*ctx));
1486
1487 if (TEST_FAIL())
1488 return -1;
1489
1490 if (res == 1) {
1491 *len = mdlen;
1492 return 0;
1493 }
1494
1495 return -1;
1496 #endif /* OpenSSL version >= 3.0 */
1497 }
1498
1499
1500 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1501
openssl_hmac_vector(char * digest,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac,unsigned int mdlen)1502 static int openssl_hmac_vector(char *digest, const u8 *key,
1503 size_t key_len, size_t num_elem,
1504 const u8 *addr[], const size_t *len, u8 *mac,
1505 unsigned int mdlen)
1506 {
1507 EVP_MAC *hmac;
1508 OSSL_PARAM params[2];
1509 EVP_MAC_CTX *ctx;
1510 size_t i, mlen;
1511 int res;
1512
1513 if (TEST_FAIL())
1514 return -1;
1515
1516 hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
1517 if (!hmac)
1518 return -1;
1519
1520 params[0] = OSSL_PARAM_construct_utf8_string("digest", digest, 0);
1521 params[1] = OSSL_PARAM_construct_end();
1522
1523 ctx = EVP_MAC_CTX_new(hmac);
1524 EVP_MAC_free(hmac);
1525 if (!ctx)
1526 return -1;
1527
1528 if (EVP_MAC_init(ctx, key, key_len, params) != 1)
1529 goto fail;
1530
1531 for (i = 0; i < num_elem; i++) {
1532 if (EVP_MAC_update(ctx, addr[i], len[i]) != 1)
1533 goto fail;
1534 }
1535
1536 res = EVP_MAC_final(ctx, mac, &mlen, mdlen);
1537 EVP_MAC_CTX_free(ctx);
1538
1539 return res == 1 ? 0 : -1;
1540 fail:
1541 EVP_MAC_CTX_free(ctx);
1542 return -1;
1543 }
1544
1545
1546 #ifndef CONFIG_FIPS
1547
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1548 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
1549 const u8 *addr[], const size_t *len, u8 *mac)
1550 {
1551 return openssl_hmac_vector("MD5", key ,key_len, num_elem, addr, len,
1552 mac, 16);
1553 }
1554
1555
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1556 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1557 u8 *mac)
1558 {
1559 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
1560 }
1561
1562 #endif /* CONFIG_FIPS */
1563
1564
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1565 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
1566 const u8 *addr[], const size_t *len, u8 *mac)
1567 {
1568 return openssl_hmac_vector("SHA1", key, key_len, num_elem, addr,
1569 len, mac, 20);
1570 }
1571
1572
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1573 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1574 u8 *mac)
1575 {
1576 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
1577 }
1578
1579
1580 #ifdef CONFIG_SHA256
1581
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1582 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
1583 const u8 *addr[], const size_t *len, u8 *mac)
1584 {
1585 return openssl_hmac_vector("SHA256", key, key_len, num_elem, addr,
1586 len, mac, 32);
1587 }
1588
1589
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1590 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
1591 size_t data_len, u8 *mac)
1592 {
1593 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
1594 }
1595
1596 #endif /* CONFIG_SHA256 */
1597
1598
1599 #ifdef CONFIG_SHA384
1600
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1601 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
1602 const u8 *addr[], const size_t *len, u8 *mac)
1603 {
1604 return openssl_hmac_vector("SHA384", key, key_len, num_elem, addr,
1605 len, mac, 48);
1606 }
1607
1608
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1609 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
1610 size_t data_len, u8 *mac)
1611 {
1612 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
1613 }
1614
1615 #endif /* CONFIG_SHA384 */
1616
1617
1618 #ifdef CONFIG_SHA512
1619
hmac_sha512_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1620 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
1621 const u8 *addr[], const size_t *len, u8 *mac)
1622 {
1623 return openssl_hmac_vector("SHA512", key, key_len, num_elem, addr,
1624 len, mac, 64);
1625 }
1626
1627
hmac_sha512(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1628 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
1629 size_t data_len, u8 *mac)
1630 {
1631 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
1632 }
1633
1634 #endif /* CONFIG_SHA512 */
1635
1636 #else /* OpenSSL version >= 3.0 */
1637
openssl_hmac_vector(const EVP_MD * type,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac,unsigned int mdlen)1638 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
1639 size_t key_len, size_t num_elem,
1640 const u8 *addr[], const size_t *len, u8 *mac,
1641 unsigned int mdlen)
1642 {
1643 HMAC_CTX *ctx;
1644 size_t i;
1645 int res;
1646
1647 if (TEST_FAIL())
1648 return -1;
1649
1650 ctx = HMAC_CTX_new();
1651 if (!ctx)
1652 return -1;
1653 res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
1654 if (res != 1)
1655 goto done;
1656
1657 for (i = 0; i < num_elem; i++)
1658 HMAC_Update(ctx, addr[i], len[i]);
1659
1660 res = HMAC_Final(ctx, mac, &mdlen);
1661 done:
1662 HMAC_CTX_free(ctx);
1663
1664 return res == 1 ? 0 : -1;
1665 }
1666
1667
1668 #ifndef CONFIG_FIPS
1669
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1670 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
1671 const u8 *addr[], const size_t *len, u8 *mac)
1672 {
1673 return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
1674 mac, 16);
1675 }
1676
1677
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1678 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1679 u8 *mac)
1680 {
1681 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
1682 }
1683
1684 #endif /* CONFIG_FIPS */
1685
1686
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1687 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
1688 const u8 *addr[], const size_t *len, u8 *mac)
1689 {
1690 return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
1691 len, mac, 20);
1692 }
1693
1694
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1695 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1696 u8 *mac)
1697 {
1698 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
1699 }
1700
1701
1702 #ifdef CONFIG_SHA256
1703
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1704 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
1705 const u8 *addr[], const size_t *len, u8 *mac)
1706 {
1707 return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
1708 len, mac, 32);
1709 }
1710
1711
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1712 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
1713 size_t data_len, u8 *mac)
1714 {
1715 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
1716 }
1717
1718 #endif /* CONFIG_SHA256 */
1719
1720
1721 #ifdef CONFIG_SHA384
1722
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1723 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
1724 const u8 *addr[], const size_t *len, u8 *mac)
1725 {
1726 return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
1727 len, mac, 48);
1728 }
1729
1730
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1731 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
1732 size_t data_len, u8 *mac)
1733 {
1734 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
1735 }
1736
1737 #endif /* CONFIG_SHA384 */
1738
1739
1740 #ifdef CONFIG_SHA512
1741
hmac_sha512_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1742 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
1743 const u8 *addr[], const size_t *len, u8 *mac)
1744 {
1745 return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
1746 len, mac, 64);
1747 }
1748
1749
hmac_sha512(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1750 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
1751 size_t data_len, u8 *mac)
1752 {
1753 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
1754 }
1755
1756 #endif /* CONFIG_SHA512 */
1757
1758 #endif /* OpenSSL version >= 3.0 */
1759
1760
pbkdf2_sha1(const char * passphrase,const u8 * ssid,size_t ssid_len,int iterations,u8 * buf,size_t buflen)1761 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
1762 int iterations, u8 *buf, size_t buflen)
1763 {
1764 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
1765 ssid_len, iterations, buflen, buf) != 1)
1766 return -1;
1767 return 0;
1768 }
1769
1770
crypto_get_random(void * buf,size_t len)1771 int crypto_get_random(void *buf, size_t len)
1772 {
1773 if (RAND_bytes(buf, len) != 1)
1774 return -1;
1775 return 0;
1776 }
1777
1778
omac1_aes_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1779 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
1780 const u8 *addr[], const size_t *len, u8 *mac)
1781 {
1782 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
1783 EVP_MAC_CTX *ctx = NULL;
1784 EVP_MAC *emac;
1785 int ret = -1;
1786 size_t outlen, i;
1787 OSSL_PARAM params[2];
1788 char *cipher = NULL;
1789
1790 if (TEST_FAIL())
1791 return -1;
1792
1793 emac = EVP_MAC_fetch(NULL, "CMAC", NULL);
1794
1795 if (key_len == 32)
1796 cipher = "aes-256-cbc";
1797 else if (key_len == 24)
1798 cipher = "aes-192-cbc";
1799 else if (key_len == 16)
1800 cipher = "aes-128-cbc";
1801
1802 params[0] = OSSL_PARAM_construct_utf8_string("cipher", cipher, 0);
1803 params[1] = OSSL_PARAM_construct_end();
1804
1805 if (!emac || !cipher ||
1806 !(ctx = EVP_MAC_CTX_new(emac)) ||
1807 EVP_MAC_init(ctx, key, key_len, params) != 1)
1808 goto fail;
1809
1810 for (i = 0; i < num_elem; i++) {
1811 if (!EVP_MAC_update(ctx, addr[i], len[i]))
1812 goto fail;
1813 }
1814 if (EVP_MAC_final(ctx, mac, &outlen, 16) != 1 || outlen != 16)
1815 goto fail;
1816
1817 ret = 0;
1818 fail:
1819 EVP_MAC_CTX_free(ctx);
1820 return ret;
1821 #else /* OpenSSL version >= 3.0 */
1822 CMAC_CTX *ctx;
1823 int ret = -1;
1824 size_t outlen, i;
1825
1826 if (TEST_FAIL())
1827 return -1;
1828
1829 ctx = CMAC_CTX_new();
1830 if (ctx == NULL)
1831 return -1;
1832
1833 if (key_len == 32) {
1834 if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
1835 goto fail;
1836 } else if (key_len == 24) {
1837 if (!CMAC_Init(ctx, key, 24, EVP_aes_192_cbc(), NULL))
1838 goto fail;
1839 } else if (key_len == 16) {
1840 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
1841 goto fail;
1842 } else {
1843 goto fail;
1844 }
1845 for (i = 0; i < num_elem; i++) {
1846 if (!CMAC_Update(ctx, addr[i], len[i]))
1847 goto fail;
1848 }
1849 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
1850 goto fail;
1851
1852 ret = 0;
1853 fail:
1854 CMAC_CTX_free(ctx);
1855 return ret;
1856 #endif /* OpenSSL version >= 3.0 */
1857 }
1858
1859
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1860 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
1861 const u8 *addr[], const size_t *len, u8 *mac)
1862 {
1863 return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
1864 }
1865
1866
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1867 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1868 {
1869 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
1870 }
1871
1872
omac1_aes_256(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1873 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1874 {
1875 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
1876 }
1877
1878
crypto_bignum_init(void)1879 struct crypto_bignum * crypto_bignum_init(void)
1880 {
1881 if (TEST_FAIL())
1882 return NULL;
1883 return (struct crypto_bignum *) BN_new();
1884 }
1885
1886
crypto_bignum_init_set(const u8 * buf,size_t len)1887 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
1888 {
1889 BIGNUM *bn;
1890
1891 if (TEST_FAIL())
1892 return NULL;
1893
1894 bn = BN_bin2bn(buf, len, NULL);
1895 return (struct crypto_bignum *) bn;
1896 }
1897
1898
crypto_bignum_init_uint(unsigned int val)1899 struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
1900 {
1901 BIGNUM *bn;
1902
1903 if (TEST_FAIL())
1904 return NULL;
1905
1906 bn = BN_new();
1907 if (!bn)
1908 return NULL;
1909 if (BN_set_word(bn, val) != 1) {
1910 BN_free(bn);
1911 return NULL;
1912 }
1913 return (struct crypto_bignum *) bn;
1914 }
1915
1916
crypto_bignum_deinit(struct crypto_bignum * n,int clear)1917 void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
1918 {
1919 if (clear)
1920 BN_clear_free((BIGNUM *) n);
1921 else
1922 BN_free((BIGNUM *) n);
1923 }
1924
1925
crypto_bignum_to_bin(const struct crypto_bignum * a,u8 * buf,size_t buflen,size_t padlen)1926 int crypto_bignum_to_bin(const struct crypto_bignum *a,
1927 u8 *buf, size_t buflen, size_t padlen)
1928 {
1929 int num_bytes, offset;
1930
1931 if (TEST_FAIL())
1932 return -1;
1933
1934 if (padlen > buflen)
1935 return -1;
1936
1937 if (padlen) {
1938 #ifdef OPENSSL_IS_BORINGSSL
1939 if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
1940 return -1;
1941 return padlen;
1942 #else /* OPENSSL_IS_BORINGSSL */
1943 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
1944 return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
1945 #endif
1946 #endif
1947 }
1948
1949 num_bytes = BN_num_bytes((const BIGNUM *) a);
1950 if ((size_t) num_bytes > buflen)
1951 return -1;
1952 if (padlen > (size_t) num_bytes)
1953 offset = padlen - num_bytes;
1954 else
1955 offset = 0;
1956
1957 os_memset(buf, 0, offset);
1958 BN_bn2bin((const BIGNUM *) a, buf + offset);
1959
1960 return num_bytes + offset;
1961 }
1962
1963
crypto_bignum_rand(struct crypto_bignum * r,const struct crypto_bignum * m)1964 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
1965 {
1966 if (TEST_FAIL())
1967 return -1;
1968 return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1;
1969 }
1970
1971
crypto_bignum_add(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1972 int crypto_bignum_add(const struct crypto_bignum *a,
1973 const struct crypto_bignum *b,
1974 struct crypto_bignum *c)
1975 {
1976 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1977 0 : -1;
1978 }
1979
1980
crypto_bignum_mod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1981 int crypto_bignum_mod(const struct crypto_bignum *a,
1982 const struct crypto_bignum *b,
1983 struct crypto_bignum *c)
1984 {
1985 int res;
1986 BN_CTX *bnctx;
1987
1988 bnctx = BN_CTX_new();
1989 if (bnctx == NULL)
1990 return -1;
1991 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1992 bnctx);
1993 BN_CTX_free(bnctx);
1994
1995 return res ? 0 : -1;
1996 }
1997
1998
crypto_bignum_exptmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1999 int crypto_bignum_exptmod(const struct crypto_bignum *a,
2000 const struct crypto_bignum *b,
2001 const struct crypto_bignum *c,
2002 struct crypto_bignum *d)
2003 {
2004 int res;
2005 BN_CTX *bnctx;
2006
2007 if (TEST_FAIL())
2008 return -1;
2009
2010 bnctx = BN_CTX_new();
2011 if (bnctx == NULL)
2012 return -1;
2013 res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
2014 (const BIGNUM *) b, (const BIGNUM *) c,
2015 bnctx, NULL);
2016 BN_CTX_free(bnctx);
2017
2018 return res ? 0 : -1;
2019 }
2020
2021
crypto_bignum_inverse(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)2022 int crypto_bignum_inverse(const struct crypto_bignum *a,
2023 const struct crypto_bignum *b,
2024 struct crypto_bignum *c)
2025 {
2026 BIGNUM *res;
2027 BN_CTX *bnctx;
2028
2029 if (TEST_FAIL())
2030 return -1;
2031 bnctx = BN_CTX_new();
2032 if (bnctx == NULL)
2033 return -1;
2034 #ifdef OPENSSL_IS_BORINGSSL
2035 /* TODO: use BN_mod_inverse_blinded() ? */
2036 #else /* OPENSSL_IS_BORINGSSL */
2037 BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
2038 #endif /* OPENSSL_IS_BORINGSSL */
2039 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
2040 (const BIGNUM *) b, bnctx);
2041 BN_CTX_free(bnctx);
2042
2043 return res ? 0 : -1;
2044 }
2045
2046
crypto_bignum_sub(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)2047 int crypto_bignum_sub(const struct crypto_bignum *a,
2048 const struct crypto_bignum *b,
2049 struct crypto_bignum *c)
2050 {
2051 if (TEST_FAIL())
2052 return -1;
2053 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
2054 0 : -1;
2055 }
2056
2057
crypto_bignum_div(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)2058 int crypto_bignum_div(const struct crypto_bignum *a,
2059 const struct crypto_bignum *b,
2060 struct crypto_bignum *c)
2061 {
2062 int res;
2063
2064 BN_CTX *bnctx;
2065
2066 if (TEST_FAIL())
2067 return -1;
2068
2069 bnctx = BN_CTX_new();
2070 if (bnctx == NULL)
2071 return -1;
2072 #ifndef OPENSSL_IS_BORINGSSL
2073 BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
2074 #endif /* OPENSSL_IS_BORINGSSL */
2075 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
2076 (const BIGNUM *) b, bnctx);
2077 BN_CTX_free(bnctx);
2078
2079 return res ? 0 : -1;
2080 }
2081
2082
crypto_bignum_addmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)2083 int crypto_bignum_addmod(const struct crypto_bignum *a,
2084 const struct crypto_bignum *b,
2085 const struct crypto_bignum *c,
2086 struct crypto_bignum *d)
2087 {
2088 int res;
2089 BN_CTX *bnctx;
2090
2091 if (TEST_FAIL())
2092 return -1;
2093
2094 bnctx = BN_CTX_new();
2095 if (!bnctx)
2096 return -1;
2097 res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
2098 (const BIGNUM *) c, bnctx);
2099 BN_CTX_free(bnctx);
2100
2101 return res ? 0 : -1;
2102 }
2103
2104
crypto_bignum_mulmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)2105 int crypto_bignum_mulmod(const struct crypto_bignum *a,
2106 const struct crypto_bignum *b,
2107 const struct crypto_bignum *c,
2108 struct crypto_bignum *d)
2109 {
2110 int res;
2111
2112 BN_CTX *bnctx;
2113
2114 if (TEST_FAIL())
2115 return -1;
2116
2117 bnctx = BN_CTX_new();
2118 if (bnctx == NULL)
2119 return -1;
2120 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
2121 (const BIGNUM *) c, bnctx);
2122 BN_CTX_free(bnctx);
2123
2124 return res ? 0 : -1;
2125 }
2126
2127
crypto_bignum_sqrmod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)2128 int crypto_bignum_sqrmod(const struct crypto_bignum *a,
2129 const struct crypto_bignum *b,
2130 struct crypto_bignum *c)
2131 {
2132 int res;
2133 BN_CTX *bnctx;
2134
2135 if (TEST_FAIL())
2136 return -1;
2137
2138 bnctx = BN_CTX_new();
2139 if (!bnctx)
2140 return -1;
2141 res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
2142 bnctx);
2143 BN_CTX_free(bnctx);
2144
2145 return res ? 0 : -1;
2146 }
2147
2148
crypto_bignum_rshift(const struct crypto_bignum * a,int n,struct crypto_bignum * r)2149 int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
2150 struct crypto_bignum *r)
2151 {
2152 return BN_rshift((BIGNUM *) r, (const BIGNUM *) a, n) == 1 ? 0 : -1;
2153 }
2154
2155
crypto_bignum_cmp(const struct crypto_bignum * a,const struct crypto_bignum * b)2156 int crypto_bignum_cmp(const struct crypto_bignum *a,
2157 const struct crypto_bignum *b)
2158 {
2159 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
2160 }
2161
2162
crypto_bignum_is_zero(const struct crypto_bignum * a)2163 int crypto_bignum_is_zero(const struct crypto_bignum *a)
2164 {
2165 return BN_is_zero((const BIGNUM *) a);
2166 }
2167
2168
crypto_bignum_is_one(const struct crypto_bignum * a)2169 int crypto_bignum_is_one(const struct crypto_bignum *a)
2170 {
2171 return BN_is_one((const BIGNUM *) a);
2172 }
2173
2174
crypto_bignum_is_odd(const struct crypto_bignum * a)2175 int crypto_bignum_is_odd(const struct crypto_bignum *a)
2176 {
2177 return BN_is_odd((const BIGNUM *) a);
2178 }
2179
2180
crypto_bignum_legendre(const struct crypto_bignum * a,const struct crypto_bignum * p)2181 int crypto_bignum_legendre(const struct crypto_bignum *a,
2182 const struct crypto_bignum *p)
2183 {
2184 BN_CTX *bnctx;
2185 BIGNUM *exp = NULL, *tmp = NULL;
2186 int res = -2;
2187 unsigned int mask;
2188
2189 if (TEST_FAIL())
2190 return -2;
2191
2192 bnctx = BN_CTX_new();
2193 if (bnctx == NULL)
2194 return -2;
2195
2196 exp = BN_new();
2197 tmp = BN_new();
2198 if (!exp || !tmp ||
2199 /* exp = (p-1) / 2 */
2200 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
2201 !BN_rshift1(exp, exp) ||
2202 !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
2203 (const BIGNUM *) p, bnctx, NULL))
2204 goto fail;
2205
2206 /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
2207 * constant time selection to avoid branches here. */
2208 res = -1;
2209 mask = const_time_eq(BN_is_word(tmp, 1), 1);
2210 res = const_time_select_int(mask, 1, res);
2211 mask = const_time_eq(BN_is_zero(tmp), 1);
2212 res = const_time_select_int(mask, 0, res);
2213
2214 fail:
2215 BN_clear_free(tmp);
2216 BN_clear_free(exp);
2217 BN_CTX_free(bnctx);
2218 return res;
2219 }
2220
2221
2222 #ifdef CONFIG_ECC
2223
2224 struct crypto_ec {
2225 EC_GROUP *group;
2226 int nid;
2227 int iana_group;
2228 BN_CTX *bnctx;
2229 BIGNUM *prime;
2230 BIGNUM *order;
2231 BIGNUM *a;
2232 BIGNUM *b;
2233 };
2234
2235
crypto_ec_group_2_nid(int group)2236 static int crypto_ec_group_2_nid(int group)
2237 {
2238 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */
2239 switch (group) {
2240 case 19:
2241 return NID_X9_62_prime256v1;
2242 case 20:
2243 return NID_secp384r1;
2244 case 21:
2245 return NID_secp521r1;
2246 case 25:
2247 return NID_X9_62_prime192v1;
2248 case 26:
2249 return NID_secp224r1;
2250 #ifdef NID_brainpoolP224r1
2251 case 27:
2252 return NID_brainpoolP224r1;
2253 #endif /* NID_brainpoolP224r1 */
2254 #ifdef NID_brainpoolP256r1
2255 case 28:
2256 return NID_brainpoolP256r1;
2257 #endif /* NID_brainpoolP256r1 */
2258 #ifdef NID_brainpoolP384r1
2259 case 29:
2260 return NID_brainpoolP384r1;
2261 #endif /* NID_brainpoolP384r1 */
2262 #ifdef NID_brainpoolP512r1
2263 case 30:
2264 return NID_brainpoolP512r1;
2265 #endif /* NID_brainpoolP512r1 */
2266 default:
2267 return -1;
2268 }
2269 }
2270
2271
2272 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
crypto_ec_group_2_name(int group)2273 static const char * crypto_ec_group_2_name(int group)
2274 {
2275 /* Map from IANA registry for IKE D-H groups to OpenSSL group name */
2276 switch (group) {
2277 case 19:
2278 return "prime256v1";
2279 case 20:
2280 return "secp384r1";
2281 case 21:
2282 return "secp521r1";
2283 case 25:
2284 return "prime192v1";
2285 case 26:
2286 return "secp224r1";
2287 #ifdef NID_brainpoolP224r1
2288 case 27:
2289 return "brainpoolP224r1";
2290 #endif /* NID_brainpoolP224r1 */
2291 #ifdef NID_brainpoolP256r1
2292 case 28:
2293 return "brainpoolP256r1";
2294 #endif /* NID_brainpoolP256r1 */
2295 #ifdef NID_brainpoolP384r1
2296 case 29:
2297 return "brainpoolP384r1";
2298 #endif /* NID_brainpoolP384r1 */
2299 #ifdef NID_brainpoolP512r1
2300 case 30:
2301 return "brainpoolP512r1";
2302 #endif /* NID_brainpoolP512r1 */
2303 default:
2304 return NULL;
2305 }
2306 }
2307 #endif /* OpenSSL version >= 3.0 */
2308
2309
crypto_ec_init(int group)2310 struct crypto_ec * crypto_ec_init(int group)
2311 {
2312 struct crypto_ec *e;
2313 int nid;
2314
2315 nid = crypto_ec_group_2_nid(group);
2316 if (nid < 0)
2317 return NULL;
2318
2319 e = os_zalloc(sizeof(*e));
2320 if (e == NULL)
2321 return NULL;
2322
2323 e->nid = nid;
2324 e->iana_group = group;
2325 e->bnctx = BN_CTX_new();
2326 e->group = EC_GROUP_new_by_curve_name(nid);
2327 e->prime = BN_new();
2328 e->order = BN_new();
2329 e->a = BN_new();
2330 e->b = BN_new();
2331 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
2332 e->order == NULL || e->a == NULL || e->b == NULL ||
2333 !EC_GROUP_get_curve(e->group, e->prime, e->a, e->b, e->bnctx) ||
2334 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
2335 crypto_ec_deinit(e);
2336 e = NULL;
2337 }
2338
2339 return e;
2340 }
2341
2342
crypto_ec_deinit(struct crypto_ec * e)2343 void crypto_ec_deinit(struct crypto_ec *e)
2344 {
2345 if (e == NULL)
2346 return;
2347 BN_clear_free(e->b);
2348 BN_clear_free(e->a);
2349 BN_clear_free(e->order);
2350 BN_clear_free(e->prime);
2351 EC_GROUP_free(e->group);
2352 BN_CTX_free(e->bnctx);
2353 os_free(e);
2354 }
2355
2356
crypto_ec_point_init(struct crypto_ec * e)2357 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
2358 {
2359 if (TEST_FAIL())
2360 return NULL;
2361 if (e == NULL)
2362 return NULL;
2363 return (struct crypto_ec_point *) EC_POINT_new(e->group);
2364 }
2365
2366
crypto_ec_prime_len(struct crypto_ec * e)2367 size_t crypto_ec_prime_len(struct crypto_ec *e)
2368 {
2369 return BN_num_bytes(e->prime);
2370 }
2371
2372
crypto_ec_prime_len_bits(struct crypto_ec * e)2373 size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
2374 {
2375 return BN_num_bits(e->prime);
2376 }
2377
2378
crypto_ec_order_len(struct crypto_ec * e)2379 size_t crypto_ec_order_len(struct crypto_ec *e)
2380 {
2381 return BN_num_bytes(e->order);
2382 }
2383
2384
crypto_ec_get_prime(struct crypto_ec * e)2385 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
2386 {
2387 return (const struct crypto_bignum *) e->prime;
2388 }
2389
2390
crypto_ec_get_order(struct crypto_ec * e)2391 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
2392 {
2393 return (const struct crypto_bignum *) e->order;
2394 }
2395
2396
crypto_ec_get_a(struct crypto_ec * e)2397 const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
2398 {
2399 return (const struct crypto_bignum *) e->a;
2400 }
2401
2402
crypto_ec_get_b(struct crypto_ec * e)2403 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
2404 {
2405 return (const struct crypto_bignum *) e->b;
2406 }
2407
2408
crypto_ec_get_generator(struct crypto_ec * e)2409 const struct crypto_ec_point * crypto_ec_get_generator(struct crypto_ec *e)
2410 {
2411 return (const struct crypto_ec_point *)
2412 EC_GROUP_get0_generator(e->group);
2413 }
2414
2415
crypto_ec_point_deinit(struct crypto_ec_point * p,int clear)2416 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
2417 {
2418 if (clear)
2419 EC_POINT_clear_free((EC_POINT *) p);
2420 else
2421 EC_POINT_free((EC_POINT *) p);
2422 }
2423
2424
crypto_ec_point_x(struct crypto_ec * e,const struct crypto_ec_point * p,struct crypto_bignum * x)2425 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p,
2426 struct crypto_bignum *x)
2427 {
2428 return EC_POINT_get_affine_coordinates(e->group,
2429 (const EC_POINT *) p,
2430 (BIGNUM *) x, NULL,
2431 e->bnctx) == 1 ? 0 : -1;
2432 }
2433
2434
crypto_ec_point_to_bin(struct crypto_ec * e,const struct crypto_ec_point * point,u8 * x,u8 * y)2435 int crypto_ec_point_to_bin(struct crypto_ec *e,
2436 const struct crypto_ec_point *point, u8 *x, u8 *y)
2437 {
2438 BIGNUM *x_bn, *y_bn;
2439 int ret = -1;
2440 int len = BN_num_bytes(e->prime);
2441
2442 if (TEST_FAIL())
2443 return -1;
2444
2445 x_bn = BN_new();
2446 y_bn = BN_new();
2447
2448 if (x_bn && y_bn &&
2449 EC_POINT_get_affine_coordinates(e->group, (EC_POINT *) point,
2450 x_bn, y_bn, e->bnctx)) {
2451 if (x) {
2452 ret = crypto_bignum_to_bin(
2453 (struct crypto_bignum *) x_bn, x, len, len);
2454 }
2455 if (ret >= 0 && y) {
2456 ret = crypto_bignum_to_bin(
2457 (struct crypto_bignum *) y_bn, y, len, len);
2458 }
2459
2460 if (ret > 0)
2461 ret = 0;
2462 }
2463
2464 BN_clear_free(x_bn);
2465 BN_clear_free(y_bn);
2466 return ret;
2467 }
2468
2469
crypto_ec_point_from_bin(struct crypto_ec * e,const u8 * val)2470 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
2471 const u8 *val)
2472 {
2473 BIGNUM *x, *y;
2474 EC_POINT *elem;
2475 int len = BN_num_bytes(e->prime);
2476
2477 if (TEST_FAIL())
2478 return NULL;
2479
2480 x = BN_bin2bn(val, len, NULL);
2481 y = BN_bin2bn(val + len, len, NULL);
2482 elem = EC_POINT_new(e->group);
2483 if (x == NULL || y == NULL || elem == NULL) {
2484 BN_clear_free(x);
2485 BN_clear_free(y);
2486 EC_POINT_clear_free(elem);
2487 return NULL;
2488 }
2489
2490 if (!EC_POINT_set_affine_coordinates(e->group, elem, x, y, e->bnctx)) {
2491 EC_POINT_clear_free(elem);
2492 elem = NULL;
2493 }
2494
2495 BN_clear_free(x);
2496 BN_clear_free(y);
2497
2498 return (struct crypto_ec_point *) elem;
2499 }
2500
2501
crypto_ec_point_add(struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b,struct crypto_ec_point * c)2502 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
2503 const struct crypto_ec_point *b,
2504 struct crypto_ec_point *c)
2505 {
2506 if (TEST_FAIL())
2507 return -1;
2508 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
2509 (const EC_POINT *) b, e->bnctx) ? 0 : -1;
2510 }
2511
2512
crypto_ec_point_mul(struct crypto_ec * e,const struct crypto_ec_point * p,const struct crypto_bignum * b,struct crypto_ec_point * res)2513 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
2514 const struct crypto_bignum *b,
2515 struct crypto_ec_point *res)
2516 {
2517 if (TEST_FAIL())
2518 return -1;
2519 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
2520 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
2521 ? 0 : -1;
2522 }
2523
2524
crypto_ec_point_invert(struct crypto_ec * e,struct crypto_ec_point * p)2525 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
2526 {
2527 if (TEST_FAIL())
2528 return -1;
2529 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
2530 }
2531
2532
2533 struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec * e,const struct crypto_bignum * x)2534 crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
2535 const struct crypto_bignum *x)
2536 {
2537 BIGNUM *tmp;
2538
2539 if (TEST_FAIL())
2540 return NULL;
2541
2542 tmp = BN_new();
2543
2544 /* y^2 = x^3 + ax + b = (x^2 + a)x + b */
2545 if (tmp &&
2546 BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
2547 BN_mod_add_quick(tmp, e->a, tmp, e->prime) &&
2548 BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
2549 BN_mod_add_quick(tmp, tmp, e->b, e->prime))
2550 return (struct crypto_bignum *) tmp;
2551
2552 BN_clear_free(tmp);
2553 return NULL;
2554 }
2555
2556
crypto_ec_point_is_at_infinity(struct crypto_ec * e,const struct crypto_ec_point * p)2557 int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
2558 const struct crypto_ec_point *p)
2559 {
2560 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
2561 }
2562
2563
crypto_ec_point_is_on_curve(struct crypto_ec * e,const struct crypto_ec_point * p)2564 int crypto_ec_point_is_on_curve(struct crypto_ec *e,
2565 const struct crypto_ec_point *p)
2566 {
2567 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
2568 e->bnctx) == 1;
2569 }
2570
2571
crypto_ec_point_cmp(const struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b)2572 int crypto_ec_point_cmp(const struct crypto_ec *e,
2573 const struct crypto_ec_point *a,
2574 const struct crypto_ec_point *b)
2575 {
2576 return EC_POINT_cmp(e->group, (const EC_POINT *) a,
2577 (const EC_POINT *) b, e->bnctx);
2578 }
2579
2580
crypto_ec_point_debug_print(const struct crypto_ec * e,const struct crypto_ec_point * p,const char * title)2581 void crypto_ec_point_debug_print(const struct crypto_ec *e,
2582 const struct crypto_ec_point *p,
2583 const char *title)
2584 {
2585 BIGNUM *x, *y;
2586 char *x_str = NULL, *y_str = NULL;
2587
2588 x = BN_new();
2589 y = BN_new();
2590 if (!x || !y ||
2591 EC_POINT_get_affine_coordinates(e->group, (const EC_POINT *) p,
2592 x, y, e->bnctx) != 1)
2593 goto fail;
2594
2595 x_str = BN_bn2hex(x);
2596 y_str = BN_bn2hex(y);
2597 if (!x_str || !y_str)
2598 goto fail;
2599
2600 wpa_printf(MSG_DEBUG, "%s (%s,%s)", title, x_str, y_str);
2601
2602 fail:
2603 OPENSSL_free(x_str);
2604 OPENSSL_free(y_str);
2605 BN_free(x);
2606 BN_free(y);
2607 }
2608
2609
2610 struct crypto_ecdh {
2611 struct crypto_ec *ec;
2612 EVP_PKEY *pkey;
2613 };
2614
crypto_ecdh_init(int group)2615 struct crypto_ecdh * crypto_ecdh_init(int group)
2616 {
2617 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2618 struct crypto_ecdh *ecdh;
2619 const char *name;
2620
2621 ecdh = os_zalloc(sizeof(*ecdh));
2622 if (!ecdh)
2623 goto fail;
2624
2625 ecdh->ec = crypto_ec_init(group);
2626 if (!ecdh->ec)
2627 goto fail;
2628
2629 name = OSSL_EC_curve_nid2name(ecdh->ec->nid);
2630 if (!name)
2631 goto fail;
2632
2633 ecdh->pkey = EVP_EC_gen(name);
2634 if (!ecdh->pkey)
2635 goto fail;
2636
2637 done:
2638 return ecdh;
2639 fail:
2640 crypto_ecdh_deinit(ecdh);
2641 ecdh = NULL;
2642 goto done;
2643 #else /* OpenSSL version >= 3.0 */
2644 struct crypto_ecdh *ecdh;
2645 EVP_PKEY *params = NULL;
2646 EC_KEY *ec_params = NULL;
2647 EVP_PKEY_CTX *kctx = NULL;
2648
2649 ecdh = os_zalloc(sizeof(*ecdh));
2650 if (!ecdh)
2651 goto fail;
2652
2653 ecdh->ec = crypto_ec_init(group);
2654 if (!ecdh->ec)
2655 goto fail;
2656
2657 ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2658 if (!ec_params) {
2659 wpa_printf(MSG_ERROR,
2660 "OpenSSL: Failed to generate EC_KEY parameters");
2661 goto fail;
2662 }
2663 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
2664 params = EVP_PKEY_new();
2665 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
2666 wpa_printf(MSG_ERROR,
2667 "OpenSSL: Failed to generate EVP_PKEY parameters");
2668 goto fail;
2669 }
2670
2671 kctx = EVP_PKEY_CTX_new(params, NULL);
2672 if (!kctx)
2673 goto fail;
2674
2675 if (EVP_PKEY_keygen_init(kctx) != 1) {
2676 wpa_printf(MSG_ERROR,
2677 "OpenSSL: EVP_PKEY_keygen_init failed: %s",
2678 ERR_error_string(ERR_get_error(), NULL));
2679 goto fail;
2680 }
2681
2682 if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) {
2683 wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s",
2684 ERR_error_string(ERR_get_error(), NULL));
2685 goto fail;
2686 }
2687
2688 done:
2689 EC_KEY_free(ec_params);
2690 EVP_PKEY_free(params);
2691 EVP_PKEY_CTX_free(kctx);
2692
2693 return ecdh;
2694 fail:
2695 crypto_ecdh_deinit(ecdh);
2696 ecdh = NULL;
2697 goto done;
2698 #endif /* OpenSSL version >= 3.0 */
2699 }
2700
2701
crypto_ecdh_init2(int group,struct crypto_ec_key * own_key)2702 struct crypto_ecdh * crypto_ecdh_init2(int group, struct crypto_ec_key *own_key)
2703 {
2704 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2705 struct crypto_ecdh *ecdh;
2706
2707 ecdh = os_zalloc(sizeof(*ecdh));
2708 if (!ecdh)
2709 goto fail;
2710
2711 ecdh->ec = crypto_ec_init(group);
2712 if (!ecdh->ec)
2713 goto fail;
2714
2715 ecdh->pkey = EVP_PKEY_dup((EVP_PKEY *) own_key);
2716 if (!ecdh->pkey)
2717 goto fail;
2718
2719 return ecdh;
2720 fail:
2721 crypto_ecdh_deinit(ecdh);
2722 return NULL;
2723 #else /* OpenSSL version >= 3.0 */
2724 struct crypto_ecdh *ecdh;
2725
2726 ecdh = os_zalloc(sizeof(*ecdh));
2727 if (!ecdh)
2728 goto fail;
2729
2730 ecdh->ec = crypto_ec_init(group);
2731 if (!ecdh->ec)
2732 goto fail;
2733
2734 ecdh->pkey = EVP_PKEY_new();
2735 if (!ecdh->pkey ||
2736 EVP_PKEY_assign_EC_KEY(ecdh->pkey,
2737 EVP_PKEY_get1_EC_KEY((EVP_PKEY *) own_key))
2738 != 1)
2739 goto fail;
2740
2741 return ecdh;
2742 fail:
2743 crypto_ecdh_deinit(ecdh);
2744 return NULL;
2745 #endif /* OpenSSL version >= 3.0 */
2746 }
2747
2748
crypto_ecdh_get_pubkey(struct crypto_ecdh * ecdh,int inc_y)2749 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y)
2750 {
2751 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2752 struct wpabuf *buf = NULL;
2753 unsigned char *pub;
2754 size_t len, exp_len;
2755
2756 len = EVP_PKEY_get1_encoded_public_key(ecdh->pkey, &pub);
2757 if (len == 0)
2758 return NULL;
2759
2760 /* Encoded using SECG SEC 1, Sec. 2.3.4 format */
2761 exp_len = 1 + 2 * crypto_ec_prime_len(ecdh->ec);
2762 if (len != exp_len) {
2763 wpa_printf(MSG_ERROR,
2764 "OpenSSL:%s: Unexpected encoded public key length %zu (expected %zu)",
2765 __func__, len, exp_len);
2766 goto fail;
2767 }
2768 buf = wpabuf_alloc_copy(pub + 1, inc_y ? len - 1 : len / 2);
2769 fail:
2770 OPENSSL_free(pub);
2771 return buf;
2772 #else /* OpenSSL version >= 3.0 */
2773 struct wpabuf *buf = NULL;
2774 EC_KEY *eckey;
2775 const EC_POINT *pubkey;
2776 BIGNUM *x, *y = NULL;
2777 int len = BN_num_bytes(ecdh->ec->prime);
2778 int res;
2779
2780 eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey);
2781 if (!eckey)
2782 return NULL;
2783
2784 pubkey = EC_KEY_get0_public_key(eckey);
2785 if (!pubkey)
2786 return NULL;
2787
2788 x = BN_new();
2789 if (inc_y) {
2790 y = BN_new();
2791 if (!y)
2792 goto fail;
2793 }
2794 buf = wpabuf_alloc(inc_y ? 2 * len : len);
2795 if (!x || !buf)
2796 goto fail;
2797
2798 if (EC_POINT_get_affine_coordinates(ecdh->ec->group, pubkey,
2799 x, y, ecdh->ec->bnctx) != 1) {
2800 wpa_printf(MSG_ERROR,
2801 "OpenSSL: EC_POINT_get_affine_coordinates failed: %s",
2802 ERR_error_string(ERR_get_error(), NULL));
2803 goto fail;
2804 }
2805
2806 res = crypto_bignum_to_bin((struct crypto_bignum *) x,
2807 wpabuf_put(buf, len), len, len);
2808 if (res < 0)
2809 goto fail;
2810
2811 if (inc_y) {
2812 res = crypto_bignum_to_bin((struct crypto_bignum *) y,
2813 wpabuf_put(buf, len), len, len);
2814 if (res < 0)
2815 goto fail;
2816 }
2817
2818 done:
2819 BN_clear_free(x);
2820 BN_clear_free(y);
2821 EC_KEY_free(eckey);
2822
2823 return buf;
2824 fail:
2825 wpabuf_free(buf);
2826 buf = NULL;
2827 goto done;
2828 #endif /* OpenSSL version >= 3.0 */
2829 }
2830
2831
crypto_ecdh_set_peerkey(struct crypto_ecdh * ecdh,int inc_y,const u8 * key,size_t len)2832 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
2833 const u8 *key, size_t len)
2834 {
2835 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2836 EVP_PKEY *peerkey = EVP_PKEY_new();
2837 EVP_PKEY_CTX *ctx;
2838 size_t res_len;
2839 struct wpabuf *res = NULL;
2840 u8 *peer;
2841
2842 /* Encode using SECG SEC 1, Sec. 2.3.4 format */
2843 peer = os_malloc(1 + len);
2844 if (!peer)
2845 return NULL;
2846 peer[0] = inc_y ? 0x04 : 0x02;
2847 os_memcpy(peer + 1, key, len);
2848
2849 if (!peerkey ||
2850 EVP_PKEY_copy_parameters(peerkey, ecdh->pkey) != 1 ||
2851 EVP_PKEY_set1_encoded_public_key(peerkey, peer, 1 + len) != 1) {
2852 wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_set1_encoded_public_key failed: %s",
2853 ERR_error_string(ERR_get_error(), NULL));
2854 EVP_PKEY_free(peerkey);
2855 os_free(peer);
2856 return NULL;
2857 }
2858 os_free(peer);
2859
2860 ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
2861 if (!ctx ||
2862 EVP_PKEY_derive_init(ctx) != 1 ||
2863 EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
2864 EVP_PKEY_derive(ctx, NULL, &res_len) != 1 ||
2865 !(res = wpabuf_alloc(res_len)) ||
2866 EVP_PKEY_derive(ctx, wpabuf_mhead(res), &res_len) != 1) {
2867 wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_derive failed: %s",
2868 ERR_error_string(ERR_get_error(), NULL));
2869 wpabuf_free(res);
2870 res = NULL;
2871 } else {
2872 wpabuf_put(res, res_len);
2873 }
2874
2875 EVP_PKEY_free(peerkey);
2876 EVP_PKEY_CTX_free(ctx);
2877 return res;
2878 #else /* OpenSSL version >= 3.0 */
2879 BIGNUM *x, *y = NULL;
2880 EVP_PKEY_CTX *ctx = NULL;
2881 EVP_PKEY *peerkey = NULL;
2882 struct wpabuf *secret = NULL;
2883 size_t secret_len;
2884 EC_POINT *pub;
2885 EC_KEY *eckey = NULL;
2886
2887 x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL);
2888 pub = EC_POINT_new(ecdh->ec->group);
2889 if (!x || !pub)
2890 goto fail;
2891
2892 if (inc_y) {
2893 y = BN_bin2bn(key + len / 2, len / 2, NULL);
2894 if (!y)
2895 goto fail;
2896 if (!EC_POINT_set_affine_coordinates(ecdh->ec->group, pub,
2897 x, y, ecdh->ec->bnctx)) {
2898 wpa_printf(MSG_ERROR,
2899 "OpenSSL: EC_POINT_set_affine_coordinates failed: %s",
2900 ERR_error_string(ERR_get_error(), NULL));
2901 goto fail;
2902 }
2903 } else if (!EC_POINT_set_compressed_coordinates(ecdh->ec->group,
2904 pub, x, 0,
2905 ecdh->ec->bnctx)) {
2906 wpa_printf(MSG_ERROR,
2907 "OpenSSL: EC_POINT_set_compressed_coordinates failed: %s",
2908 ERR_error_string(ERR_get_error(), NULL));
2909 goto fail;
2910 }
2911
2912 if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) {
2913 wpa_printf(MSG_ERROR,
2914 "OpenSSL: ECDH peer public key is not on curve");
2915 goto fail;
2916 }
2917
2918 eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2919 if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) {
2920 wpa_printf(MSG_ERROR,
2921 "OpenSSL: EC_KEY_set_public_key failed: %s",
2922 ERR_error_string(ERR_get_error(), NULL));
2923 goto fail;
2924 }
2925
2926 peerkey = EVP_PKEY_new();
2927 if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1)
2928 goto fail;
2929
2930 ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
2931 if (!ctx || EVP_PKEY_derive_init(ctx) != 1 ||
2932 EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
2933 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) {
2934 wpa_printf(MSG_ERROR,
2935 "OpenSSL: EVP_PKEY_derive(1) failed: %s",
2936 ERR_error_string(ERR_get_error(), NULL));
2937 goto fail;
2938 }
2939
2940 secret = wpabuf_alloc(secret_len);
2941 if (!secret)
2942 goto fail;
2943 if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
2944 wpa_printf(MSG_ERROR,
2945 "OpenSSL: EVP_PKEY_derive(2) failed: %s",
2946 ERR_error_string(ERR_get_error(), NULL));
2947 goto fail;
2948 }
2949 if (secret->size != secret_len)
2950 wpa_printf(MSG_DEBUG,
2951 "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
2952 (int) secret->size, (int) secret_len);
2953 wpabuf_put(secret, secret_len);
2954
2955 done:
2956 BN_free(x);
2957 BN_free(y);
2958 EC_KEY_free(eckey);
2959 EC_POINT_free(pub);
2960 EVP_PKEY_CTX_free(ctx);
2961 EVP_PKEY_free(peerkey);
2962 return secret;
2963 fail:
2964 wpabuf_free(secret);
2965 secret = NULL;
2966 goto done;
2967 #endif /* OpenSSL version >= 3.0 */
2968 }
2969
2970
crypto_ecdh_deinit(struct crypto_ecdh * ecdh)2971 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
2972 {
2973 if (ecdh) {
2974 crypto_ec_deinit(ecdh->ec);
2975 EVP_PKEY_free(ecdh->pkey);
2976 os_free(ecdh);
2977 }
2978 }
2979
2980
crypto_ecdh_prime_len(struct crypto_ecdh * ecdh)2981 size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
2982 {
2983 return crypto_ec_prime_len(ecdh->ec);
2984 }
2985
2986
crypto_ec_key_parse_priv(const u8 * der,size_t der_len)2987 struct crypto_ec_key * crypto_ec_key_parse_priv(const u8 *der, size_t der_len)
2988 {
2989 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2990 EVP_PKEY *pkey = NULL;
2991 OSSL_DECODER_CTX *ctx;
2992
2993 ctx = OSSL_DECODER_CTX_new_for_pkey(
2994 &pkey, "DER", NULL, "EC",
2995 OSSL_KEYMGMT_SELECT_KEYPAIR |
2996 OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
2997 NULL, NULL);
2998 if (!ctx ||
2999 OSSL_DECODER_from_data(ctx, &der, &der_len) != 1) {
3000 wpa_printf(MSG_INFO, "OpenSSL: Decoding EC private key (DER) failed: %s",
3001 ERR_error_string(ERR_get_error(), NULL));
3002 goto fail;
3003 }
3004
3005 return (struct crypto_ec_key *) pkey;
3006 fail:
3007 crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
3008 return NULL;
3009 #else /* OpenSSL version >= 3.0 */
3010 EVP_PKEY *pkey = NULL;
3011 EC_KEY *eckey;
3012
3013 eckey = d2i_ECPrivateKey(NULL, &der, der_len);
3014 if (!eckey) {
3015 wpa_printf(MSG_INFO, "OpenSSL: d2i_ECPrivateKey() failed: %s",
3016 ERR_error_string(ERR_get_error(), NULL));
3017 goto fail;
3018 }
3019 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
3020
3021 pkey = EVP_PKEY_new();
3022 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
3023 EC_KEY_free(eckey);
3024 goto fail;
3025 }
3026
3027 return (struct crypto_ec_key *) pkey;
3028 fail:
3029 crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
3030 return NULL;
3031 #endif /* OpenSSL version >= 3.0 */
3032 }
3033
3034
crypto_ec_key_set_priv(int group,const u8 * raw,size_t raw_len)3035 struct crypto_ec_key * crypto_ec_key_set_priv(int group,
3036 const u8 *raw, size_t raw_len)
3037 {
3038 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3039 const char *group_name;
3040 OSSL_PARAM params[4];
3041 EVP_PKEY_CTX *ctx = NULL;
3042 EVP_PKEY *pkey = NULL;
3043 BIGNUM *priv;
3044 EC_POINT *pub = NULL;
3045 EC_GROUP *ec_group = NULL;
3046 size_t len;
3047 u8 *pub_bin = NULL;
3048 u8 *priv_bin = NULL;
3049 int priv_bin_len;
3050
3051 group_name = crypto_ec_group_2_name(group);
3052 if (!group_name)
3053 return NULL;
3054
3055 priv = BN_bin2bn(raw, raw_len, NULL);
3056 if (!priv)
3057 return NULL;
3058 priv_bin = os_malloc(raw_len);
3059 if (!priv_bin)
3060 goto fail;
3061 priv_bin_len = BN_bn2lebinpad(priv, priv_bin, raw_len);
3062 if (priv_bin_len < 0)
3063 goto fail;
3064
3065 ec_group = EC_GROUP_new_by_curve_name(crypto_ec_group_2_nid(group));
3066 if (!ec_group)
3067 goto fail;
3068 pub = EC_POINT_new(ec_group);
3069 if (!pub ||
3070 EC_POINT_mul(ec_group, pub, priv, NULL, NULL, NULL) != 1)
3071 goto fail;
3072 len = EC_POINT_point2oct(ec_group, pub, POINT_CONVERSION_UNCOMPRESSED,
3073 NULL, 0, NULL);
3074 if (len == 0)
3075 goto fail;
3076 pub_bin = os_malloc(len);
3077 if (!pub_bin)
3078 goto fail;
3079 len = EC_POINT_point2oct(ec_group, pub, POINT_CONVERSION_UNCOMPRESSED,
3080 pub_bin, len, NULL);
3081 if (len == 0)
3082 goto fail;
3083
3084 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
3085 (char *) group_name, 0);
3086 params[1] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_PRIV_KEY,
3087 priv_bin, priv_bin_len);
3088 params[2] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
3089 pub_bin, len);
3090 params[3] = OSSL_PARAM_construct_end();
3091
3092 ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
3093 if (!ctx ||
3094 EVP_PKEY_fromdata_init(ctx) <= 0 ||
3095 EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
3096 goto fail;
3097
3098 out:
3099 bin_clear_free(priv_bin, raw_len);
3100 os_free(pub_bin);
3101 BN_clear_free(priv);
3102 EVP_PKEY_CTX_free(ctx);
3103 EC_POINT_free(pub);
3104 EC_GROUP_free(ec_group);
3105 return (struct crypto_ec_key *) pkey;
3106
3107 fail:
3108 EVP_PKEY_free(pkey);
3109 pkey = NULL;
3110 goto out;
3111 #else /* OpenSSL version >= 3.0 */
3112 EC_KEY *eckey = NULL;
3113 EVP_PKEY *pkey = NULL;
3114 BIGNUM *priv = NULL;
3115 int nid;
3116 const EC_GROUP *ec_group;
3117 EC_POINT *pub = NULL;
3118
3119 nid = crypto_ec_group_2_nid(group);
3120 if (nid < 0) {
3121 wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
3122 return NULL;
3123 }
3124
3125 eckey = EC_KEY_new_by_curve_name(nid);
3126 priv = BN_bin2bn(raw, raw_len, NULL);
3127 if (!eckey || !priv ||
3128 EC_KEY_set_private_key(eckey, priv) != 1) {
3129 wpa_printf(MSG_ERROR,
3130 "OpenSSL: Failed to set EC_KEY: %s",
3131 ERR_error_string(ERR_get_error(), NULL));
3132 goto fail;
3133 }
3134
3135 ec_group = EC_KEY_get0_group(eckey);
3136 if (!ec_group)
3137 goto fail;
3138 pub = EC_POINT_new(ec_group);
3139 if (!pub ||
3140 EC_POINT_mul(ec_group, pub, priv, NULL, NULL, NULL) != 1 ||
3141 EC_KEY_set_public_key(eckey, pub) != 1) {
3142 wpa_printf(MSG_ERROR,
3143 "OpenSSL: Failed to set EC_KEY(pub): %s",
3144 ERR_error_string(ERR_get_error(), NULL));
3145 goto fail;
3146 }
3147
3148 EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
3149
3150 pkey = EVP_PKEY_new();
3151 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
3152 wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
3153 goto fail;
3154 }
3155
3156 out:
3157 BN_clear_free(priv);
3158 EC_POINT_free(pub);
3159 return (struct crypto_ec_key *) pkey;
3160
3161 fail:
3162 EC_KEY_free(eckey);
3163 EVP_PKEY_free(pkey);
3164 pkey = NULL;
3165 goto out;
3166 #endif /* OpenSSL version >= 3.0 */
3167 }
3168
3169
crypto_ec_key_parse_pub(const u8 * der,size_t der_len)3170 struct crypto_ec_key * crypto_ec_key_parse_pub(const u8 *der, size_t der_len)
3171 {
3172 EVP_PKEY *pkey;
3173
3174 pkey = d2i_PUBKEY(NULL, &der, der_len);
3175 if (!pkey) {
3176 wpa_printf(MSG_INFO, "OpenSSL: d2i_PUBKEY() failed: %s",
3177 ERR_error_string(ERR_get_error(), NULL));
3178 goto fail;
3179 }
3180
3181 /* Ensure this is an EC key */
3182 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3183 if (!EVP_PKEY_is_a(pkey, "EC"))
3184 goto fail;
3185 #else /* OpenSSL version >= 3.0 */
3186 if (!EVP_PKEY_get0_EC_KEY(pkey))
3187 goto fail;
3188 #endif /* OpenSSL version >= 3.0 */
3189 return (struct crypto_ec_key *) pkey;
3190 fail:
3191 crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
3192 return NULL;
3193 }
3194
3195
crypto_ec_key_set_pub(int group,const u8 * buf_x,const u8 * buf_y,size_t len)3196 struct crypto_ec_key * crypto_ec_key_set_pub(int group, const u8 *buf_x,
3197 const u8 *buf_y, size_t len)
3198 {
3199 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3200 const char *group_name;
3201 OSSL_PARAM params[3];
3202 u8 *pub;
3203 EVP_PKEY_CTX *ctx;
3204 EVP_PKEY *pkey = NULL;
3205
3206 group_name = crypto_ec_group_2_name(group);
3207 if (!group_name)
3208 return NULL;
3209
3210 pub = os_malloc(1 + len * 2);
3211 if (!pub)
3212 return NULL;
3213 pub[0] = 0x04; /* uncompressed */
3214 os_memcpy(pub + 1, buf_x, len);
3215 os_memcpy(pub + 1 + len, buf_y, len);
3216
3217 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
3218 (char *) group_name, 0);
3219 params[1] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
3220 pub, 1 + len * 2);
3221 params[2] = OSSL_PARAM_construct_end();
3222
3223 ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
3224 if (!ctx) {
3225 os_free(pub);
3226 return NULL;
3227 }
3228 if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
3229 EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
3230 os_free(pub);
3231 EVP_PKEY_CTX_free(ctx);
3232 return NULL;
3233 }
3234
3235 os_free(pub);
3236 EVP_PKEY_CTX_free(ctx);
3237
3238 return (struct crypto_ec_key *) pkey;
3239 #else /* OpenSSL version >= 3.0 */
3240 EC_KEY *eckey = NULL;
3241 EVP_PKEY *pkey = NULL;
3242 EC_GROUP *ec_group = NULL;
3243 BN_CTX *ctx;
3244 EC_POINT *point = NULL;
3245 BIGNUM *x = NULL, *y = NULL;
3246 int nid;
3247
3248 if (!buf_x || !buf_y)
3249 return NULL;
3250
3251 nid = crypto_ec_group_2_nid(group);
3252 if (nid < 0) {
3253 wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
3254 return NULL;
3255 }
3256
3257 ctx = BN_CTX_new();
3258 if (!ctx)
3259 goto fail;
3260
3261 ec_group = EC_GROUP_new_by_curve_name(nid);
3262 if (!ec_group)
3263 goto fail;
3264
3265 x = BN_bin2bn(buf_x, len, NULL);
3266 y = BN_bin2bn(buf_y, len, NULL);
3267 point = EC_POINT_new(ec_group);
3268 if (!x || !y || !point)
3269 goto fail;
3270
3271 if (!EC_POINT_set_affine_coordinates(ec_group, point, x, y, ctx)) {
3272 wpa_printf(MSG_ERROR,
3273 "OpenSSL: EC_POINT_set_affine_coordinates failed: %s",
3274 ERR_error_string(ERR_get_error(), NULL));
3275 goto fail;
3276 }
3277
3278 if (!EC_POINT_is_on_curve(ec_group, point, ctx) ||
3279 EC_POINT_is_at_infinity(ec_group, point)) {
3280 wpa_printf(MSG_ERROR, "OpenSSL: Invalid point");
3281 goto fail;
3282 }
3283
3284 eckey = EC_KEY_new();
3285 if (!eckey ||
3286 EC_KEY_set_group(eckey, ec_group) != 1 ||
3287 EC_KEY_set_public_key(eckey, point) != 1) {
3288 wpa_printf(MSG_ERROR,
3289 "OpenSSL: Failed to set EC_KEY: %s",
3290 ERR_error_string(ERR_get_error(), NULL));
3291 goto fail;
3292 }
3293 EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
3294
3295 pkey = EVP_PKEY_new();
3296 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
3297 wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
3298 goto fail;
3299 }
3300
3301 out:
3302 EC_GROUP_free(ec_group);
3303 BN_free(x);
3304 BN_free(y);
3305 EC_POINT_free(point);
3306 BN_CTX_free(ctx);
3307 return (struct crypto_ec_key *) pkey;
3308
3309 fail:
3310 EC_KEY_free(eckey);
3311 EVP_PKEY_free(pkey);
3312 pkey = NULL;
3313 goto out;
3314 #endif /* OpenSSL version >= 3.0 */
3315 }
3316
3317
3318 struct crypto_ec_key *
crypto_ec_key_set_pub_point(struct crypto_ec * ec,const struct crypto_ec_point * pub)3319 crypto_ec_key_set_pub_point(struct crypto_ec *ec,
3320 const struct crypto_ec_point *pub)
3321 {
3322 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3323 int len = BN_num_bytes(ec->prime);
3324 struct crypto_ec_key *key;
3325 u8 *buf;
3326
3327 buf = os_malloc(2 * len);
3328 if (!buf)
3329 return NULL;
3330 if (crypto_ec_point_to_bin(ec, pub, buf, buf + len) < 0) {
3331 os_free(buf);
3332 return NULL;
3333 }
3334
3335 key = crypto_ec_key_set_pub(ec->iana_group, buf, buf + len, len);
3336 os_free(buf);
3337
3338 return key;
3339 #else /* OpenSSL version >= 3.0 */
3340 EC_KEY *eckey;
3341 EVP_PKEY *pkey = NULL;
3342
3343 eckey = EC_KEY_new();
3344 if (!eckey ||
3345 EC_KEY_set_group(eckey, ec->group) != 1 ||
3346 EC_KEY_set_public_key(eckey, (const EC_POINT *) pub) != 1) {
3347 wpa_printf(MSG_ERROR,
3348 "OpenSSL: Failed to set EC_KEY: %s",
3349 ERR_error_string(ERR_get_error(), NULL));
3350 goto fail;
3351 }
3352 EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
3353
3354 pkey = EVP_PKEY_new();
3355 if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
3356 wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
3357 goto fail;
3358 }
3359
3360 out:
3361 return (struct crypto_ec_key *) pkey;
3362
3363 fail:
3364 EVP_PKEY_free(pkey);
3365 EC_KEY_free(eckey);
3366 pkey = NULL;
3367 goto out;
3368 #endif /* OpenSSL version >= 3.0 */
3369 }
3370
3371
crypto_ec_key_gen(int group)3372 struct crypto_ec_key * crypto_ec_key_gen(int group)
3373 {
3374 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3375 EVP_PKEY_CTX *ctx;
3376 OSSL_PARAM params[2];
3377 const char *group_name;
3378 EVP_PKEY *pkey = NULL;
3379
3380 group_name = crypto_ec_group_2_name(group);
3381 if (!group_name)
3382 return NULL;
3383
3384 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
3385 (char *) group_name, 0);
3386 params[1] = OSSL_PARAM_construct_end();
3387
3388 ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
3389 if (!ctx ||
3390 EVP_PKEY_keygen_init(ctx) != 1 ||
3391 EVP_PKEY_CTX_set_params(ctx, params) != 1 ||
3392 EVP_PKEY_generate(ctx, &pkey) != 1) {
3393 wpa_printf(MSG_INFO,
3394 "OpenSSL: failed to generate EC keypair: %s",
3395 ERR_error_string(ERR_get_error(), NULL));
3396 pkey = NULL;
3397 }
3398
3399 EVP_PKEY_CTX_free(ctx);
3400
3401 return (struct crypto_ec_key *) pkey;
3402 #else /* OpenSSL version >= 3.0 */
3403 EVP_PKEY_CTX *kctx = NULL;
3404 EC_KEY *ec_params = NULL, *eckey;
3405 EVP_PKEY *params = NULL, *key = NULL;
3406 int nid;
3407
3408 nid = crypto_ec_group_2_nid(group);
3409 if (nid < 0) {
3410 wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
3411 return NULL;
3412 }
3413
3414 ec_params = EC_KEY_new_by_curve_name(nid);
3415 if (!ec_params) {
3416 wpa_printf(MSG_ERROR,
3417 "OpenSSL: Failed to generate EC_KEY parameters");
3418 goto fail;
3419 }
3420 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
3421 params = EVP_PKEY_new();
3422 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
3423 wpa_printf(MSG_ERROR,
3424 "OpenSSL: Failed to generate EVP_PKEY parameters");
3425 goto fail;
3426 }
3427
3428 kctx = EVP_PKEY_CTX_new(params, NULL);
3429 if (!kctx ||
3430 EVP_PKEY_keygen_init(kctx) != 1 ||
3431 EVP_PKEY_keygen(kctx, &key) != 1) {
3432 wpa_printf(MSG_ERROR, "OpenSSL: Failed to generate EC key");
3433 key = NULL;
3434 goto fail;
3435 }
3436
3437 eckey = EVP_PKEY_get1_EC_KEY(key);
3438 if (!eckey) {
3439 key = NULL;
3440 goto fail;
3441 }
3442 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
3443 EC_KEY_free(eckey);
3444
3445 fail:
3446 EC_KEY_free(ec_params);
3447 EVP_PKEY_free(params);
3448 EVP_PKEY_CTX_free(kctx);
3449 return (struct crypto_ec_key *) key;
3450 #endif /* OpenSSL version >= 3.0 */
3451 }
3452
3453
crypto_ec_key_deinit(struct crypto_ec_key * key)3454 void crypto_ec_key_deinit(struct crypto_ec_key *key)
3455 {
3456 EVP_PKEY_free((EVP_PKEY *) key);
3457 }
3458
3459
3460 #ifdef OPENSSL_IS_BORINGSSL
3461
3462 /* BoringSSL version of i2d_PUBKEY() always outputs public EC key using
3463 * uncompressed form so define a custom function to export EC pubkey using
3464 * the compressed format that is explicitly required for some protocols. */
3465
3466 #include <openssl/asn1.h>
3467 #include <openssl/asn1t.h>
3468
3469 typedef struct {
3470 /* AlgorithmIdentifier ecPublicKey with optional parameters present
3471 * as an OID identifying the curve */
3472 X509_ALGOR *alg;
3473 /* Compressed format public key per ANSI X9.63 */
3474 ASN1_BIT_STRING *pub_key;
3475 } EC_COMP_PUBKEY;
3476
3477 ASN1_SEQUENCE(EC_COMP_PUBKEY) = {
3478 ASN1_SIMPLE(EC_COMP_PUBKEY, alg, X509_ALGOR),
3479 ASN1_SIMPLE(EC_COMP_PUBKEY, pub_key, ASN1_BIT_STRING)
3480 } ASN1_SEQUENCE_END(EC_COMP_PUBKEY);
3481
3482 IMPLEMENT_ASN1_FUNCTIONS(EC_COMP_PUBKEY);
3483
3484 #endif /* OPENSSL_IS_BORINGSSL */
3485
3486
crypto_ec_key_get_subject_public_key(struct crypto_ec_key * key)3487 struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
3488 {
3489 EVP_PKEY *pkey = (EVP_PKEY *) key;
3490 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3491 OSSL_ENCODER_CTX *ctx;
3492 int selection;
3493 unsigned char *pdata = NULL;
3494 size_t pdata_len = 0;
3495 EVP_PKEY *copy = NULL;
3496 struct wpabuf *buf = NULL;
3497
3498 if (EVP_PKEY_get_ec_point_conv_form(pkey) !=
3499 POINT_CONVERSION_COMPRESSED) {
3500 copy = EVP_PKEY_dup(pkey);
3501 if (!copy)
3502 return NULL;
3503 if (EVP_PKEY_set_utf8_string_param(
3504 copy, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
3505 OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED) !=
3506 1) {
3507 wpa_printf(MSG_INFO,
3508 "OpenSSL: Failed to set compressed format");
3509 EVP_PKEY_free(copy);
3510 return NULL;
3511 }
3512 pkey = copy;
3513 }
3514
3515 selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS |
3516 OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
3517
3518 ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER",
3519 "SubjectPublicKeyInfo",
3520 NULL);
3521 if (!ctx || OSSL_ENCODER_to_data(ctx, &pdata, &pdata_len) != 1) {
3522 wpa_printf(MSG_INFO,
3523 "OpenSSL: Failed to encode SubjectPublicKeyInfo: %s",
3524 ERR_error_string(ERR_get_error(), NULL));
3525 pdata = NULL;
3526 }
3527 OSSL_ENCODER_CTX_free(ctx);
3528 if (pdata) {
3529 buf = wpabuf_alloc_copy(pdata, pdata_len);
3530 OPENSSL_free(pdata);
3531 }
3532
3533 EVP_PKEY_free(copy);
3534
3535 return buf;
3536 #else /* OpenSSL version >= 3.0 */
3537 #ifdef OPENSSL_IS_BORINGSSL
3538 unsigned char *der = NULL;
3539 int der_len;
3540 const EC_KEY *eckey;
3541 struct wpabuf *ret = NULL;
3542 size_t len;
3543 const EC_GROUP *group;
3544 const EC_POINT *point;
3545 BN_CTX *ctx;
3546 EC_COMP_PUBKEY *pubkey = NULL;
3547 int nid;
3548
3549 ctx = BN_CTX_new();
3550 eckey = EVP_PKEY_get0_EC_KEY(pkey);
3551 if (!ctx || !eckey)
3552 goto fail;
3553
3554 group = EC_KEY_get0_group(eckey);
3555 point = EC_KEY_get0_public_key(eckey);
3556 if (!group || !point)
3557 goto fail;
3558 nid = EC_GROUP_get_curve_name(group);
3559
3560 pubkey = EC_COMP_PUBKEY_new();
3561 if (!pubkey ||
3562 X509_ALGOR_set0(pubkey->alg, OBJ_nid2obj(EVP_PKEY_EC),
3563 V_ASN1_OBJECT, (void *) OBJ_nid2obj(nid)) != 1)
3564 goto fail;
3565
3566 len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
3567 NULL, 0, ctx);
3568 if (len == 0)
3569 goto fail;
3570
3571 der = OPENSSL_malloc(len);
3572 if (!der)
3573 goto fail;
3574 len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
3575 der, len, ctx);
3576
3577 OPENSSL_free(pubkey->pub_key->data);
3578 pubkey->pub_key->data = der;
3579 der = NULL;
3580 pubkey->pub_key->length = len;
3581 /* No unused bits */
3582 pubkey->pub_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
3583 pubkey->pub_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;
3584
3585 der_len = i2d_EC_COMP_PUBKEY(pubkey, &der);
3586 if (der_len <= 0) {
3587 wpa_printf(MSG_ERROR,
3588 "BoringSSL: Failed to build DER encoded public key");
3589 goto fail;
3590 }
3591
3592 ret = wpabuf_alloc_copy(der, der_len);
3593 fail:
3594 EC_COMP_PUBKEY_free(pubkey);
3595 OPENSSL_free(der);
3596 BN_CTX_free(ctx);
3597 return ret;
3598 #else /* OPENSSL_IS_BORINGSSL */
3599 unsigned char *der = NULL;
3600 int der_len;
3601 struct wpabuf *buf;
3602 EC_KEY *eckey;
3603
3604 eckey = EVP_PKEY_get1_EC_KEY(pkey);
3605 if (!eckey)
3606 return NULL;
3607
3608 /* For now, all users expect COMPRESSED form */
3609 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
3610
3611 der_len = i2d_PUBKEY((EVP_PKEY *) key, &der);
3612 EC_KEY_free(eckey);
3613 if (der_len <= 0) {
3614 wpa_printf(MSG_INFO, "OpenSSL: i2d_PUBKEY() failed: %s",
3615 ERR_error_string(ERR_get_error(), NULL));
3616 return NULL;
3617 }
3618
3619 buf = wpabuf_alloc_copy(der, der_len);
3620 OPENSSL_free(der);
3621 return buf;
3622 #endif /* OPENSSL_IS_BORINGSSL */
3623 #endif /* OpenSSL version >= 3.0 */
3624 }
3625
3626
crypto_ec_key_get_ecprivate_key(struct crypto_ec_key * key,bool include_pub)3627 struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key,
3628 bool include_pub)
3629 {
3630 EVP_PKEY *pkey = (EVP_PKEY *) key;
3631 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3632 OSSL_ENCODER_CTX *ctx;
3633 int selection;
3634 unsigned char *pdata = NULL;
3635 size_t pdata_len = 0;
3636 struct wpabuf *buf;
3637 EVP_PKEY *copy = NULL;
3638
3639 selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS |
3640 OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
3641 if (include_pub) {
3642 selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
3643 } else {
3644 /* Not including OSSL_KEYMGMT_SELECT_PUBLIC_KEY does not seem
3645 * to really be sufficient, so clone the key and explicitly
3646 * mark it not to include the public key. */
3647 copy = EVP_PKEY_dup(pkey);
3648 if (!copy)
3649 return NULL;
3650 EVP_PKEY_set_int_param(copy, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC,
3651 0);
3652 pkey = copy;
3653 }
3654
3655 ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER",
3656 "type-specific", NULL);
3657 if (!ctx || OSSL_ENCODER_to_data(ctx, &pdata, &pdata_len) != 1) {
3658 OSSL_ENCODER_CTX_free(ctx);
3659 EVP_PKEY_free(copy);
3660 return NULL;
3661 }
3662 OSSL_ENCODER_CTX_free(ctx);
3663 buf = wpabuf_alloc_copy(pdata, pdata_len);
3664 OPENSSL_free(pdata);
3665 EVP_PKEY_free(copy);
3666 return buf;
3667 #else /* OpenSSL version >= 3.0 */
3668 EC_KEY *eckey;
3669 unsigned char *der = NULL;
3670 int der_len;
3671 struct wpabuf *buf;
3672 unsigned int key_flags;
3673
3674 eckey = EVP_PKEY_get1_EC_KEY(pkey);
3675 if (!eckey)
3676 return NULL;
3677
3678 key_flags = EC_KEY_get_enc_flags(eckey);
3679 if (include_pub)
3680 key_flags &= ~EC_PKEY_NO_PUBKEY;
3681 else
3682 key_flags |= EC_PKEY_NO_PUBKEY;
3683 EC_KEY_set_enc_flags(eckey, key_flags);
3684
3685 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
3686
3687 der_len = i2d_ECPrivateKey(eckey, &der);
3688 EC_KEY_free(eckey);
3689 if (der_len <= 0)
3690 return NULL;
3691 buf = wpabuf_alloc_copy(der, der_len);
3692 OPENSSL_free(der);
3693
3694 return buf;
3695 #endif /* OpenSSL version >= 3.0 */
3696 }
3697
3698
crypto_ec_key_get_pubkey_point(struct crypto_ec_key * key,int prefix)3699 struct wpabuf * crypto_ec_key_get_pubkey_point(struct crypto_ec_key *key,
3700 int prefix)
3701 {
3702 EVP_PKEY *pkey = (EVP_PKEY *) key;
3703 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3704 struct wpabuf *buf;
3705 unsigned char *pos;
3706 size_t pub_len = OSSL_PARAM_UNMODIFIED;
3707
3708 buf = NULL;
3709 if (!EVP_PKEY_is_a(pkey, "EC") ||
3710 EVP_PKEY_get_octet_string_param(pkey,
3711 OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
3712 NULL, 0, &pub_len) < 0 ||
3713 pub_len == OSSL_PARAM_UNMODIFIED ||
3714 !(buf = wpabuf_alloc(pub_len)) ||
3715 EVP_PKEY_get_octet_string_param(pkey,
3716 OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
3717 wpabuf_put(buf, pub_len),
3718 pub_len, NULL) != 1 ||
3719 wpabuf_head_u8(buf)[0] != 0x04) {
3720 wpa_printf(MSG_INFO,
3721 "OpenSSL: Failed to get encoded public key: %s",
3722 ERR_error_string(ERR_get_error(), NULL));
3723 wpabuf_free(buf);
3724 return NULL;
3725 }
3726
3727 if (!prefix) {
3728 /* Remove 0x04 prefix if requested */
3729 pos = wpabuf_mhead(buf);
3730 os_memmove(pos, pos + 1, pub_len - 1);
3731 buf->used--;
3732 }
3733
3734 return buf;
3735 #else /* OpenSSL version >= 3.0 */
3736 int len, res;
3737 EC_KEY *eckey;
3738 struct wpabuf *buf;
3739 unsigned char *pos;
3740
3741 eckey = EVP_PKEY_get1_EC_KEY(pkey);
3742 if (!eckey)
3743 return NULL;
3744 EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
3745 len = i2o_ECPublicKey(eckey, NULL);
3746 if (len <= 0) {
3747 wpa_printf(MSG_ERROR,
3748 "OpenSSL: Failed to determine public key encoding length");
3749 EC_KEY_free(eckey);
3750 return NULL;
3751 }
3752
3753 buf = wpabuf_alloc(len);
3754 if (!buf) {
3755 EC_KEY_free(eckey);
3756 return NULL;
3757 }
3758
3759 pos = wpabuf_put(buf, len);
3760 res = i2o_ECPublicKey(eckey, &pos);
3761 EC_KEY_free(eckey);
3762 if (res != len) {
3763 wpa_printf(MSG_ERROR,
3764 "OpenSSL: Failed to encode public key (res=%d/%d)",
3765 res, len);
3766 wpabuf_free(buf);
3767 return NULL;
3768 }
3769
3770 if (!prefix) {
3771 /* Remove 0x04 prefix if requested */
3772 pos = wpabuf_mhead(buf);
3773 os_memmove(pos, pos + 1, len - 1);
3774 buf->used--;
3775 }
3776
3777 return buf;
3778 #endif /* OpenSSL version >= 3.0 */
3779 }
3780
3781
3782 struct crypto_ec_point *
crypto_ec_key_get_public_key(struct crypto_ec_key * key)3783 crypto_ec_key_get_public_key(struct crypto_ec_key *key)
3784 {
3785 EVP_PKEY *pkey = (EVP_PKEY *) key;
3786 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3787 char group[64];
3788 unsigned char pub[256];
3789 size_t len;
3790 EC_POINT *point = NULL;
3791 EC_GROUP *grp;
3792 int res = 0;
3793 OSSL_PARAM params[2];
3794
3795 if (!EVP_PKEY_is_a(pkey, "EC") ||
3796 EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
3797 group, sizeof(group), &len) != 1 ||
3798 EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PUB_KEY,
3799 pub, sizeof(pub), &len) != 1)
3800 return NULL;
3801
3802 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
3803 group, 0);
3804 params[1] = OSSL_PARAM_construct_end();
3805 grp = EC_GROUP_new_from_params(params, NULL, NULL);
3806 if (!grp)
3807 goto fail;
3808 point = EC_POINT_new(grp);
3809 if (!point)
3810 goto fail;
3811 res = EC_POINT_oct2point(grp, point, pub, len, NULL);
3812
3813 fail:
3814 if (res != 1) {
3815 EC_POINT_free(point);
3816 point = NULL;
3817 }
3818
3819 EC_GROUP_free(grp);
3820
3821 return (struct crypto_ec_point *) point;
3822 #else /* OpenSSL version >= 3.0 */
3823 const EC_KEY *eckey;
3824 const EC_POINT *point;
3825 const EC_GROUP *group;
3826
3827 eckey = EVP_PKEY_get0_EC_KEY(pkey);
3828 if (!eckey)
3829 return NULL;
3830 group = EC_KEY_get0_group(eckey);
3831 if (!group)
3832 return NULL;
3833 point = EC_KEY_get0_public_key(eckey);
3834 if (!point)
3835 return NULL;
3836 return (struct crypto_ec_point *) EC_POINT_dup(point, group);
3837 #endif /* OpenSSL version >= 3.0 */
3838 }
3839
3840
3841 struct crypto_bignum *
crypto_ec_key_get_private_key(struct crypto_ec_key * key)3842 crypto_ec_key_get_private_key(struct crypto_ec_key *key)
3843 {
3844 EVP_PKEY *pkey = (EVP_PKEY *) key;
3845 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3846 BIGNUM *bn = NULL;
3847
3848 if (!EVP_PKEY_is_a(pkey, "EC") ||
3849 EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &bn) != 1)
3850 return NULL;
3851 return (struct crypto_bignum *) bn;
3852 #else /* OpenSSL version >= 3.0 */
3853 const EC_KEY *eckey;
3854 const BIGNUM *bn;
3855
3856 eckey = EVP_PKEY_get0_EC_KEY(pkey);
3857 if (!eckey)
3858 return NULL;
3859 bn = EC_KEY_get0_private_key(eckey);
3860 if (!bn)
3861 return NULL;
3862 return (struct crypto_bignum *) BN_dup(bn);
3863 #endif /* OpenSSL version >= 3.0 */
3864 }
3865
3866
crypto_ec_key_sign(struct crypto_ec_key * key,const u8 * data,size_t len)3867 struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
3868 size_t len)
3869 {
3870 EVP_PKEY_CTX *pkctx;
3871 struct wpabuf *sig_der;
3872 size_t sig_len;
3873
3874 sig_len = EVP_PKEY_size((EVP_PKEY *) key);
3875 sig_der = wpabuf_alloc(sig_len);
3876 if (!sig_der)
3877 return NULL;
3878
3879 pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
3880 if (!pkctx ||
3881 EVP_PKEY_sign_init(pkctx) <= 0 ||
3882 EVP_PKEY_sign(pkctx, wpabuf_put(sig_der, 0), &sig_len,
3883 data, len) <= 0) {
3884 wpabuf_free(sig_der);
3885 sig_der = NULL;
3886 } else {
3887 wpabuf_put(sig_der, sig_len);
3888 }
3889
3890 EVP_PKEY_CTX_free(pkctx);
3891 return sig_der;
3892 }
3893
3894
openssl_evp_pkey_ec_prime_len(struct crypto_ec_key * key)3895 static int openssl_evp_pkey_ec_prime_len(struct crypto_ec_key *key)
3896 {
3897 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3898 char gname[50];
3899 int nid;
3900 EC_GROUP *group;
3901 BIGNUM *prime = NULL;
3902 int prime_len = -1;
3903
3904 if (EVP_PKEY_get_group_name((EVP_PKEY *) key, gname, sizeof(gname),
3905 NULL) != 1)
3906 return -1;
3907 nid = OBJ_txt2nid(gname);
3908 group = EC_GROUP_new_by_curve_name(nid);
3909 prime = BN_new();
3910 if (!group || !prime)
3911 return -1;
3912 if (EC_GROUP_get_curve(group, prime, NULL, NULL, NULL) == 1)
3913 prime_len = BN_num_bytes(prime);
3914 EC_GROUP_free(group);
3915 BN_free(prime);
3916 return prime_len;
3917 #else
3918 const EC_GROUP *group;
3919 const EC_KEY *eckey;
3920 BIGNUM *prime = NULL;
3921 int prime_len = -1;
3922
3923 eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
3924 if (!eckey)
3925 goto fail;
3926 group = EC_KEY_get0_group(eckey);
3927 prime = BN_new();
3928 if (!prime || !group ||
3929 !EC_GROUP_get_curve(group, prime, NULL, NULL, NULL))
3930 goto fail;
3931 prime_len = BN_num_bytes(prime);
3932 fail:
3933 BN_free(prime);
3934 return prime_len;
3935 #endif
3936 }
3937
3938
crypto_ec_key_sign_r_s(struct crypto_ec_key * key,const u8 * data,size_t len)3939 struct wpabuf * crypto_ec_key_sign_r_s(struct crypto_ec_key *key,
3940 const u8 *data, size_t len)
3941 {
3942 ECDSA_SIG *sig = NULL;
3943 const BIGNUM *r, *s;
3944 u8 *r_buf, *s_buf;
3945 struct wpabuf *buf;
3946 const unsigned char *p;
3947 int prime_len;
3948
3949 prime_len = openssl_evp_pkey_ec_prime_len(key);
3950 if (prime_len < 0)
3951 return NULL;
3952
3953 buf = crypto_ec_key_sign(key, data, len);
3954 if (!buf)
3955 return NULL;
3956
3957 /* Extract (r,s) from Ecdsa-Sig-Value */
3958
3959 p = wpabuf_head(buf);
3960 sig = d2i_ECDSA_SIG(NULL, &p, wpabuf_len(buf));
3961 if (!sig)
3962 goto fail;
3963 ECDSA_SIG_get0(sig, &r, &s);
3964
3965 /* Re-use wpabuf returned by crypto_ec_key_sign() */
3966 buf->used = 0;
3967 r_buf = wpabuf_put(buf, prime_len);
3968 s_buf = wpabuf_put(buf, prime_len);
3969 if (crypto_bignum_to_bin((const struct crypto_bignum *) r, r_buf,
3970 prime_len, prime_len) < 0 ||
3971 crypto_bignum_to_bin((const struct crypto_bignum *) s, s_buf,
3972 prime_len, prime_len) < 0)
3973 goto fail;
3974
3975 out:
3976 ECDSA_SIG_free(sig);
3977 return buf;
3978 fail:
3979 wpabuf_clear_free(buf);
3980 buf = NULL;
3981 goto out;
3982 }
3983
3984
crypto_ec_key_verify_signature(struct crypto_ec_key * key,const u8 * data,size_t len,const u8 * sig,size_t sig_len)3985 int crypto_ec_key_verify_signature(struct crypto_ec_key *key, const u8 *data,
3986 size_t len, const u8 *sig, size_t sig_len)
3987 {
3988 EVP_PKEY_CTX *pkctx;
3989 int ret;
3990
3991 pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
3992 if (!pkctx || EVP_PKEY_verify_init(pkctx) <= 0) {
3993 EVP_PKEY_CTX_free(pkctx);
3994 return -1;
3995 }
3996
3997 ret = EVP_PKEY_verify(pkctx, sig, sig_len, data, len);
3998 EVP_PKEY_CTX_free(pkctx);
3999 if (ret == 1)
4000 return 1; /* signature ok */
4001 if (ret == 0)
4002 return 0; /* incorrect signature */
4003 return -1;
4004 }
4005
4006
crypto_ec_key_verify_signature_r_s(struct crypto_ec_key * key,const u8 * data,size_t len,const u8 * r,size_t r_len,const u8 * s,size_t s_len)4007 int crypto_ec_key_verify_signature_r_s(struct crypto_ec_key *key,
4008 const u8 *data, size_t len,
4009 const u8 *r, size_t r_len,
4010 const u8 *s, size_t s_len)
4011 {
4012 ECDSA_SIG *sig;
4013 BIGNUM *r_bn, *s_bn;
4014 unsigned char *der = NULL;
4015 int der_len;
4016 int ret = -1;
4017
4018 r_bn = BN_bin2bn(r, r_len, NULL);
4019 s_bn = BN_bin2bn(s, s_len, NULL);
4020 sig = ECDSA_SIG_new();
4021 if (!r_bn || !s_bn || !sig || ECDSA_SIG_set0(sig, r_bn, s_bn) != 1)
4022 goto fail;
4023 r_bn = NULL;
4024 s_bn = NULL;
4025
4026 der_len = i2d_ECDSA_SIG(sig, &der);
4027 if (der_len <= 0) {
4028 wpa_printf(MSG_DEBUG,
4029 "OpenSSL: Could not DER encode signature");
4030 goto fail;
4031 }
4032
4033 ret = crypto_ec_key_verify_signature(key, data, len, der, der_len);
4034
4035 fail:
4036 OPENSSL_free(der);
4037 BN_free(r_bn);
4038 BN_free(s_bn);
4039 ECDSA_SIG_free(sig);
4040 return ret;
4041 }
4042
4043
crypto_ec_key_group(struct crypto_ec_key * key)4044 int crypto_ec_key_group(struct crypto_ec_key *key)
4045 {
4046 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4047 char gname[50];
4048 int nid;
4049
4050 if (EVP_PKEY_get_group_name((EVP_PKEY *) key, gname, sizeof(gname),
4051 NULL) != 1)
4052 return -1;
4053 nid = OBJ_txt2nid(gname);
4054 #else
4055 const EC_KEY *eckey;
4056 const EC_GROUP *group;
4057 int nid;
4058
4059 eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
4060 if (!eckey)
4061 return -1;
4062 group = EC_KEY_get0_group(eckey);
4063 if (!group)
4064 return -1;
4065 nid = EC_GROUP_get_curve_name(group);
4066 #endif
4067 switch (nid) {
4068 case NID_X9_62_prime256v1:
4069 return 19;
4070 case NID_secp384r1:
4071 return 20;
4072 case NID_secp521r1:
4073 return 21;
4074 #ifdef NID_brainpoolP256r1
4075 case NID_brainpoolP256r1:
4076 return 28;
4077 #endif /* NID_brainpoolP256r1 */
4078 #ifdef NID_brainpoolP384r1
4079 case NID_brainpoolP384r1:
4080 return 29;
4081 #endif /* NID_brainpoolP384r1 */
4082 #ifdef NID_brainpoolP512r1
4083 case NID_brainpoolP512r1:
4084 return 30;
4085 #endif /* NID_brainpoolP512r1 */
4086 default:
4087 wpa_printf(MSG_ERROR,
4088 "OpenSSL: Unsupported curve (nid=%d) in EC key",
4089 nid);
4090 return -1;
4091 }
4092 }
4093
4094
crypto_ec_key_cmp(struct crypto_ec_key * key1,struct crypto_ec_key * key2)4095 int crypto_ec_key_cmp(struct crypto_ec_key *key1, struct crypto_ec_key *key2)
4096 {
4097 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4098 if (EVP_PKEY_eq((EVP_PKEY *) key1, (EVP_PKEY *) key2) != 1)
4099 return -1;
4100 #else
4101 if (EVP_PKEY_cmp((EVP_PKEY *) key1, (EVP_PKEY *) key2) != 1)
4102 return -1;
4103 #endif
4104 return 0;
4105 }
4106
4107
crypto_ec_key_debug_print(const struct crypto_ec_key * key,const char * title)4108 void crypto_ec_key_debug_print(const struct crypto_ec_key *key,
4109 const char *title)
4110 {
4111 BIO *out;
4112 size_t rlen;
4113 char *txt;
4114 int res;
4115
4116 out = BIO_new(BIO_s_mem());
4117 if (!out)
4118 return;
4119
4120 EVP_PKEY_print_private(out, (EVP_PKEY *) key, 0, NULL);
4121 rlen = BIO_ctrl_pending(out);
4122 txt = os_malloc(rlen + 1);
4123 if (txt) {
4124 res = BIO_read(out, txt, rlen);
4125 if (res > 0) {
4126 txt[res] = '\0';
4127 wpa_printf(MSG_DEBUG, "%s: %s", title, txt);
4128 }
4129 os_free(txt);
4130 }
4131 BIO_free(out);
4132 }
4133
4134
crypto_pkcs7_get_certificates(const struct wpabuf * pkcs7)4135 struct wpabuf * crypto_pkcs7_get_certificates(const struct wpabuf *pkcs7)
4136 {
4137 #ifdef OPENSSL_IS_BORINGSSL
4138 CBS pkcs7_cbs;
4139 #else /* OPENSSL_IS_BORINGSSL */
4140 PKCS7 *p7 = NULL;
4141 const unsigned char *p = wpabuf_head(pkcs7);
4142 #endif /* OPENSSL_IS_BORINGSSL */
4143 STACK_OF(X509) *certs;
4144 int i, num;
4145 BIO *out = NULL;
4146 size_t rlen;
4147 struct wpabuf *pem = NULL;
4148 int res;
4149
4150 #ifdef OPENSSL_IS_BORINGSSL
4151 certs = sk_X509_new_null();
4152 if (!certs)
4153 goto fail;
4154 CBS_init(&pkcs7_cbs, wpabuf_head(pkcs7), wpabuf_len(pkcs7));
4155 if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
4156 wpa_printf(MSG_INFO,
4157 "OpenSSL: Could not parse PKCS#7 object: %s",
4158 ERR_error_string(ERR_get_error(), NULL));
4159 goto fail;
4160 }
4161 #else /* OPENSSL_IS_BORINGSSL */
4162 p7 = d2i_PKCS7(NULL, &p, wpabuf_len(pkcs7));
4163 if (!p7) {
4164 wpa_printf(MSG_INFO,
4165 "OpenSSL: Could not parse PKCS#7 object: %s",
4166 ERR_error_string(ERR_get_error(), NULL));
4167 goto fail;
4168 }
4169
4170 switch (OBJ_obj2nid(p7->type)) {
4171 case NID_pkcs7_signed:
4172 certs = p7->d.sign->cert;
4173 break;
4174 case NID_pkcs7_signedAndEnveloped:
4175 certs = p7->d.signed_and_enveloped->cert;
4176 break;
4177 default:
4178 certs = NULL;
4179 break;
4180 }
4181 #endif /* OPENSSL_IS_BORINGSSL */
4182
4183 if (!certs || ((num = sk_X509_num(certs)) == 0)) {
4184 wpa_printf(MSG_INFO,
4185 "OpenSSL: No certificates found in PKCS#7 object");
4186 goto fail;
4187 }
4188
4189 out = BIO_new(BIO_s_mem());
4190 if (!out)
4191 goto fail;
4192
4193 for (i = 0; i < num; i++) {
4194 X509 *cert = sk_X509_value(certs, i);
4195
4196 PEM_write_bio_X509(out, cert);
4197 }
4198
4199 rlen = BIO_ctrl_pending(out);
4200 pem = wpabuf_alloc(rlen);
4201 if (!pem)
4202 goto fail;
4203 res = BIO_read(out, wpabuf_put(pem, 0), rlen);
4204 if (res <= 0) {
4205 wpabuf_free(pem);
4206 pem = NULL;
4207 goto fail;
4208 }
4209 wpabuf_put(pem, res);
4210
4211 fail:
4212 #ifdef OPENSSL_IS_BORINGSSL
4213 if (certs)
4214 sk_X509_pop_free(certs, X509_free);
4215 #else /* OPENSSL_IS_BORINGSSL */
4216 PKCS7_free(p7);
4217 #endif /* OPENSSL_IS_BORINGSSL */
4218 if (out)
4219 BIO_free_all(out);
4220
4221 return pem;
4222 }
4223
4224
crypto_csr_init()4225 struct crypto_csr * crypto_csr_init()
4226 {
4227 return (struct crypto_csr *)X509_REQ_new();
4228 }
4229
4230
crypto_csr_verify(const struct wpabuf * req)4231 struct crypto_csr * crypto_csr_verify(const struct wpabuf *req)
4232 {
4233 X509_REQ *csr;
4234 EVP_PKEY *pkey = NULL;
4235 const u8 *der = wpabuf_head(req);
4236
4237 csr = d2i_X509_REQ(NULL, &der, wpabuf_len(req));
4238 if (!csr)
4239 return NULL;
4240
4241 pkey = X509_REQ_get_pubkey((X509_REQ *)csr);
4242 if (!pkey)
4243 goto fail;
4244
4245 if (X509_REQ_verify((X509_REQ *)csr, pkey) != 1)
4246 goto fail;
4247
4248 return (struct crypto_csr *)csr;
4249 fail:
4250 X509_REQ_free(csr);
4251 return NULL;
4252 }
4253
4254
crypto_csr_deinit(struct crypto_csr * csr)4255 void crypto_csr_deinit(struct crypto_csr *csr)
4256 {
4257 X509_REQ_free((X509_REQ *)csr);
4258 }
4259
4260
crypto_csr_set_ec_public_key(struct crypto_csr * csr,struct crypto_ec_key * key)4261 int crypto_csr_set_ec_public_key(struct crypto_csr *csr, struct crypto_ec_key *key)
4262 {
4263 if (!X509_REQ_set_pubkey((X509_REQ *)csr, (EVP_PKEY *)key))
4264 return -1;
4265
4266 return 0;
4267 }
4268
4269
crypto_csr_set_name(struct crypto_csr * csr,enum crypto_csr_name type,const char * name)4270 int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
4271 const char *name)
4272 {
4273 X509_NAME *n;
4274 int nid;
4275
4276 switch (type) {
4277 case CSR_NAME_CN:
4278 nid = NID_commonName;
4279 break;
4280 case CSR_NAME_SN:
4281 nid = NID_surname;
4282 break;
4283 case CSR_NAME_C:
4284 nid = NID_countryName;
4285 break;
4286 case CSR_NAME_O:
4287 nid = NID_organizationName;
4288 break;
4289 case CSR_NAME_OU:
4290 nid = NID_organizationalUnitName;
4291 break;
4292 default:
4293 return -1;
4294 }
4295
4296 n = X509_REQ_get_subject_name((X509_REQ *) csr);
4297 if (!n)
4298 return -1;
4299
4300 #if OPENSSL_VERSION_NUMBER < 0x10100000L
4301 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
4302 (unsigned char *) name,
4303 os_strlen(name), -1, 0))
4304 return -1;
4305 #else
4306 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
4307 (const unsigned char *) name,
4308 os_strlen(name), -1, 0))
4309 return -1;
4310 #endif
4311
4312 return 0;
4313 }
4314
4315
crypto_csr_set_attribute(struct crypto_csr * csr,enum crypto_csr_attr attr,int attr_type,const u8 * value,size_t len)4316 int crypto_csr_set_attribute(struct crypto_csr *csr, enum crypto_csr_attr attr,
4317 int attr_type, const u8 *value, size_t len)
4318 {
4319 int nid;
4320
4321 switch (attr) {
4322 case CSR_ATTR_CHALLENGE_PASSWORD:
4323 nid = NID_pkcs9_challengePassword;
4324 break;
4325 default:
4326 return -1;
4327 }
4328
4329 if (!X509_REQ_add1_attr_by_NID((X509_REQ *) csr, nid, attr_type, value,
4330 len))
4331 return -1;
4332
4333 return 0;
4334 }
4335
4336
crypto_csr_get_attribute(struct crypto_csr * csr,enum crypto_csr_attr attr,size_t * len,int * type)4337 const u8 * crypto_csr_get_attribute(struct crypto_csr *csr,
4338 enum crypto_csr_attr attr,
4339 size_t *len, int *type)
4340 {
4341 X509_ATTRIBUTE *attrib;
4342 ASN1_TYPE *attrib_type;
4343 ASN1_STRING *data;
4344 int loc;
4345 int nid;
4346
4347 switch (attr) {
4348 case CSR_ATTR_CHALLENGE_PASSWORD:
4349 nid = NID_pkcs9_challengePassword;
4350 break;
4351 default:
4352 return NULL;
4353 }
4354
4355 loc = X509_REQ_get_attr_by_NID((X509_REQ *) csr, nid, -1);
4356 if (loc < 0)
4357 return NULL;
4358
4359 attrib = X509_REQ_get_attr((X509_REQ *) csr, loc);
4360 if (!attrib)
4361 return NULL;
4362
4363 attrib_type = X509_ATTRIBUTE_get0_type(attrib, 0);
4364 if (!attrib_type)
4365 return NULL;
4366 *type = ASN1_TYPE_get(attrib_type);
4367 data = X509_ATTRIBUTE_get0_data(attrib, 0, *type, NULL);
4368 if (!data)
4369 return NULL;
4370 *len = ASN1_STRING_length(data);
4371 return ASN1_STRING_get0_data(data);
4372 }
4373
4374
crypto_csr_sign(struct crypto_csr * csr,struct crypto_ec_key * key,enum crypto_hash_alg algo)4375 struct wpabuf * crypto_csr_sign(struct crypto_csr *csr,
4376 struct crypto_ec_key *key,
4377 enum crypto_hash_alg algo)
4378 {
4379 const EVP_MD *sign_md;
4380 struct wpabuf *buf;
4381 unsigned char *der = NULL;
4382 int der_len;
4383
4384 switch (algo) {
4385 case CRYPTO_HASH_ALG_SHA256:
4386 sign_md = EVP_sha256();
4387 break;
4388 case CRYPTO_HASH_ALG_SHA384:
4389 sign_md = EVP_sha384();
4390 break;
4391 case CRYPTO_HASH_ALG_SHA512:
4392 sign_md = EVP_sha512();
4393 break;
4394 default:
4395 return NULL;
4396 }
4397
4398 if (!X509_REQ_sign((X509_REQ *) csr, (EVP_PKEY *) key, sign_md))
4399 return NULL;
4400
4401 der_len = i2d_X509_REQ((X509_REQ *) csr, &der);
4402 if (der_len < 0)
4403 return NULL;
4404
4405 buf = wpabuf_alloc_copy(der, der_len);
4406 OPENSSL_free(der);
4407
4408 return buf;
4409 }
4410
4411 #endif /* CONFIG_ECC */
4412
4413
crypto_rsa_key_read_public(FILE * f)4414 static EVP_PKEY * crypto_rsa_key_read_public(FILE *f)
4415 {
4416 EVP_PKEY *pkey;
4417 X509 *x509;
4418 const ASN1_TIME *not_before, *not_after;
4419 int res_before, res_after;
4420
4421 pkey = PEM_read_PUBKEY(f, NULL, NULL, NULL);
4422 if (pkey)
4423 return pkey;
4424
4425 rewind(f);
4426 x509 = PEM_read_X509(f, NULL, NULL, NULL);
4427 if (!x509)
4428 return NULL;
4429
4430 not_before = X509_get0_notBefore(x509);
4431 not_after = X509_get0_notAfter(x509);
4432 if (!not_before || !not_after)
4433 goto fail;
4434 res_before = X509_cmp_current_time(not_before);
4435 res_after = X509_cmp_current_time(not_after);
4436 if (!res_before || !res_after)
4437 goto fail;
4438 if (res_before > 0 || res_after < 0) {
4439 wpa_printf(MSG_INFO,
4440 "OpenSSL: Certificate for RSA public key is not valid at this time (%d %d)",
4441 res_before, res_after);
4442 goto fail;
4443 }
4444
4445 pkey = X509_get_pubkey(x509);
4446 X509_free(x509);
4447
4448 if (!pkey)
4449 return NULL;
4450 if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) {
4451 wpa_printf(MSG_INFO, "OpenSSL: No RSA public key found");
4452 EVP_PKEY_free(pkey);
4453 return NULL;
4454 }
4455
4456 return pkey;
4457 fail:
4458 X509_free(x509);
4459 return NULL;
4460 }
4461
4462
crypto_rsa_key_read(const char * file,bool private_key)4463 struct crypto_rsa_key * crypto_rsa_key_read(const char *file, bool private_key)
4464 {
4465 FILE *f;
4466 EVP_PKEY *pkey;
4467
4468 f = fopen(file, "r");
4469 if (!f)
4470 return NULL;
4471 if (private_key)
4472 pkey = PEM_read_PrivateKey(f, NULL, NULL, NULL);
4473 else
4474 pkey = crypto_rsa_key_read_public(f);
4475 fclose(f);
4476 return (struct crypto_rsa_key *) pkey;
4477 }
4478
4479
4480 #ifndef OPENSSL_NO_SHA256
4481
crypto_rsa_oaep_sha256_encrypt(struct crypto_rsa_key * key,const struct wpabuf * in)4482 struct wpabuf * crypto_rsa_oaep_sha256_encrypt(struct crypto_rsa_key *key,
4483 const struct wpabuf *in)
4484 {
4485 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
4486 EVP_PKEY *pkey = (EVP_PKEY *) key;
4487 EVP_PKEY_CTX *pkctx;
4488 struct wpabuf *res = NULL;
4489 size_t outlen;
4490
4491 pkctx = EVP_PKEY_CTX_new(pkey, NULL);
4492 if (!pkctx)
4493 goto fail;
4494
4495 if (EVP_PKEY_encrypt_init(pkctx) != 1 ||
4496 EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0 ||
4497 EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, EVP_sha256()) <= 0 ||
4498 EVP_PKEY_encrypt(pkctx, NULL, &outlen, wpabuf_head(in),
4499 wpabuf_len(in)) != 1 ||
4500 !(res = wpabuf_alloc(outlen)) ||
4501 EVP_PKEY_encrypt(pkctx, wpabuf_put(res, 0), &outlen,
4502 wpabuf_head(in), wpabuf_len(in)) != 1) {
4503 wpabuf_free(res);
4504 res = NULL;
4505 goto fail;
4506 }
4507 wpabuf_put(res, outlen);
4508
4509 fail:
4510 EVP_PKEY_CTX_free(pkctx);
4511 return res;
4512 #else
4513 wpa_printf(MSG_ERROR, "%s() not supported", __func__);
4514 return NULL;
4515 #endif
4516 }
4517
4518
crypto_rsa_oaep_sha256_decrypt(struct crypto_rsa_key * key,const struct wpabuf * in)4519 struct wpabuf * crypto_rsa_oaep_sha256_decrypt(struct crypto_rsa_key *key,
4520 const struct wpabuf *in)
4521 {
4522 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
4523 EVP_PKEY *pkey = (EVP_PKEY *) key;
4524 EVP_PKEY_CTX *pkctx;
4525 struct wpabuf *res = NULL;
4526 size_t outlen;
4527
4528 pkctx = EVP_PKEY_CTX_new(pkey, NULL);
4529 if (!pkctx)
4530 goto fail;
4531
4532 if (EVP_PKEY_decrypt_init(pkctx) != 1 ||
4533 EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0 ||
4534 EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, EVP_sha256()) <= 0 ||
4535 EVP_PKEY_decrypt(pkctx, NULL, &outlen, wpabuf_head(in),
4536 wpabuf_len(in)) != 1 ||
4537 !(res = wpabuf_alloc(outlen)) ||
4538 EVP_PKEY_decrypt(pkctx, wpabuf_put(res, 0), &outlen,
4539 wpabuf_head(in), wpabuf_len(in)) != 1) {
4540 wpabuf_free(res);
4541 res = NULL;
4542 goto fail;
4543 }
4544 wpabuf_put(res, outlen);
4545
4546 fail:
4547 EVP_PKEY_CTX_free(pkctx);
4548 return res;
4549 #else
4550 wpa_printf(MSG_ERROR, "%s() not supported", __func__);
4551 return NULL;
4552 #endif
4553 }
4554
4555 #endif /* OPENSSL_NO_SHA256 */
4556
4557
crypto_rsa_key_free(struct crypto_rsa_key * key)4558 void crypto_rsa_key_free(struct crypto_rsa_key *key)
4559 {
4560 EVP_PKEY_free((EVP_PKEY *) key);
4561 }
4562
4563
4564 #ifdef CONFIG_DPP3
4565
4566 #define HPKE_MAX_SHARED_SECRET_LEN 66
4567 #define HPKE_MAX_HASH_LEN 64
4568 #define HPKE_MAX_KEY_LEN 32
4569 #define HPKE_MAX_NONCE_LEN 12
4570 #define HPKE_MAX_PUB_LEN (1 + 2 * 66)
4571
4572 struct hpke_context {
4573 /* KEM */
4574 enum hpke_kem_id kem_id;
4575 int kem_nid;
4576 int iana_group;
4577 size_t n_pk;
4578 size_t n_secret;
4579 const EVP_MD *kem_h;
4580 size_t kem_n_h;
4581
4582 /* KDF */
4583 enum hpke_kdf_id kdf_id;
4584 const EVP_MD *kdf_h;
4585 size_t n_h;
4586
4587 /* AEAD */
4588 enum hpke_aead_id aead_id;
4589 const EVP_CIPHER *cipher;
4590 size_t n_k;
4591 size_t n_n;
4592 size_t n_t;
4593 u8 key[HPKE_MAX_KEY_LEN];
4594 u8 base_nonce[HPKE_MAX_NONCE_LEN];
4595 };
4596
4597
hpke_free_context(struct hpke_context * ctx)4598 static void hpke_free_context(struct hpke_context *ctx)
4599 {
4600 bin_clear_free(ctx, sizeof(*ctx));
4601 }
4602
4603
hpke_get_context(enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id,struct crypto_ec_key * key)4604 static struct hpke_context * hpke_get_context(enum hpke_kem_id kem_id,
4605 enum hpke_kdf_id kdf_id,
4606 enum hpke_aead_id aead_id,
4607 struct crypto_ec_key *key)
4608 {
4609 struct hpke_context *ctx;
4610 int group;
4611
4612 ctx = os_zalloc(sizeof(*ctx));
4613 if (!ctx)
4614 return NULL;
4615
4616 ctx->kem_id = kem_id;
4617 switch (kem_id) {
4618 case HPKE_DHKEM_P256_HKDF_SHA256:
4619 ctx->kem_nid = NID_X9_62_prime256v1;
4620 ctx->iana_group = 19;
4621 ctx->n_pk = 65;
4622 ctx->n_secret = 32;
4623 ctx->kem_h = EVP_sha256();
4624 ctx->kem_n_h = 32;
4625 break;
4626 case HPKE_DHKEM_P384_HKDF_SHA384:
4627 ctx->kem_nid = NID_secp384r1;
4628 ctx->iana_group = 20;
4629 ctx->n_pk = 97;
4630 ctx->n_secret = 48;
4631 ctx->kem_h = EVP_sha384();
4632 ctx->kem_n_h = 48;
4633 break;
4634 case HPKE_DHKEM_P521_HKDF_SHA512:
4635 ctx->kem_nid = NID_secp521r1;
4636 ctx->iana_group = 21;
4637 ctx->n_pk = 133;
4638 ctx->n_secret = 64;
4639 ctx->kem_h = EVP_sha512();
4640 ctx->kem_n_h = 64;
4641 break;
4642 default:
4643 goto fail;
4644 }
4645
4646 ctx->kdf_id = kdf_id;
4647 switch (kdf_id) {
4648 case HPKE_KDF_HKDF_SHA256:
4649 ctx->kdf_h = EVP_sha256();
4650 ctx->n_h = 32;
4651 break;
4652 case HPKE_KDF_HKDF_SHA384:
4653 ctx->kdf_h = EVP_sha384();
4654 ctx->n_h = 48;
4655 break;
4656 case HPKE_KDF_HKDF_SHA512:
4657 ctx->kdf_h = EVP_sha512();
4658 ctx->n_h = 64;
4659 break;
4660 default:
4661 goto fail;
4662 }
4663
4664 ctx->aead_id = aead_id;
4665 switch (aead_id) {
4666 case HPKE_AEAD_AES_128_GCM:
4667 ctx->cipher = EVP_aes_128_gcm();
4668 ctx->n_k = 16;
4669 ctx->n_n = 12;
4670 ctx->n_t = 16;
4671 break;
4672 case HPKE_AEAD_AES_256_GCM:
4673 ctx->cipher = EVP_aes_256_gcm();
4674 ctx->n_k = 32;
4675 ctx->n_n = 12;
4676 ctx->n_t = 16;
4677 break;
4678 default:
4679 goto fail;
4680 }
4681
4682 /* Convert BP-256/384/512 to P-256/384/521 for DPP */
4683 group = crypto_ec_key_group(key);
4684 if (group == 28 && ctx->iana_group == 19) {
4685 ctx->iana_group = 28;
4686 } else if (group == 29 && ctx->iana_group == 20) {
4687 ctx->iana_group = 29;
4688 } else if (group == 30 && ctx->iana_group == 21) {
4689 ctx->iana_group = 30;
4690 ctx->n_pk = 129;
4691 }
4692 if (group != ctx->iana_group) {
4693 wpa_printf(MSG_INFO, "OpenSSL:%s:group mismatch (%d != %d)",
4694 __func__, group, ctx->iana_group);
4695 goto fail;
4696 }
4697
4698 return ctx;
4699 fail:
4700 hpke_free_context(ctx);
4701 return NULL;
4702 }
4703
4704
hpke_suite_id(struct hpke_context * ctx,bool kem,u8 * suite_id)4705 static size_t hpke_suite_id(struct hpke_context *ctx, bool kem, u8 *suite_id)
4706 {
4707 size_t suite_id_len;
4708
4709 if (kem) {
4710 os_memcpy(suite_id, "KEM", 3);
4711 WPA_PUT_BE16(&suite_id[3], ctx->kem_id);
4712 suite_id_len = 5;
4713 } else {
4714 os_memcpy(suite_id, "HPKE", 4);
4715 WPA_PUT_BE16(&suite_id[4], ctx->kem_id);
4716 WPA_PUT_BE16(&suite_id[6], ctx->kdf_id);
4717 WPA_PUT_BE16(&suite_id[8], ctx->aead_id);
4718 suite_id_len = 10;
4719 }
4720 return suite_id_len;
4721 }
4722
4723
hpke_labeled_extract(struct hpke_context * ctx,bool kem,const u8 * salt,size_t salt_len,const char * label,const u8 * ikm,size_t ikm_len,u8 * prk)4724 static int hpke_labeled_extract(struct hpke_context *ctx, bool kem,
4725 const u8 *salt, size_t salt_len,
4726 const char *label,
4727 const u8 *ikm, size_t ikm_len, u8 *prk)
4728 {
4729 u8 zero[HPKE_MAX_HASH_LEN];
4730 u8 suite_id[10];
4731 size_t suite_id_len;
4732 unsigned int mdlen = kem ? ctx->kem_n_h : ctx->n_h;
4733 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4734 EVP_MAC *hmac;
4735 OSSL_PARAM params[2];
4736 EVP_MAC_CTX *hctx;
4737 size_t mlen;
4738 int res;
4739 #else /* OpenSSL version >= 3.0 */
4740 HMAC_CTX *hctx;
4741 int res;
4742 #endif /* OpenSSL version >= 3.0 */
4743
4744 if (!salt || !salt_len) {
4745 salt_len = mdlen;
4746 os_memset(zero, 0, salt_len);
4747 salt = zero;
4748 }
4749
4750 suite_id_len = hpke_suite_id(ctx, kem, suite_id);
4751
4752 /* labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
4753 * return Extract(salt, labeled_ikm) */
4754
4755 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4756 hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
4757 if (!hmac)
4758 return -1;
4759
4760 params[0] = OSSL_PARAM_construct_utf8_string(
4761 "digest",
4762 (char *) EVP_MD_get0_name(kem ? ctx->kem_h : ctx->kdf_h), 0);
4763 params[1] = OSSL_PARAM_construct_end();
4764
4765 hctx = EVP_MAC_CTX_new(hmac);
4766 EVP_MAC_free(hmac);
4767 if (!hctx)
4768 return -1;
4769
4770 if (EVP_MAC_init(hctx, salt, salt_len, params) != 1)
4771 goto fail;
4772
4773 if (EVP_MAC_update(hctx, (const unsigned char *) "HPKE-v1", 7) != 1 ||
4774 EVP_MAC_update(hctx, suite_id, suite_id_len) != 1 ||
4775 EVP_MAC_update(hctx, (const unsigned char *) label,
4776 os_strlen(label)) != 1 ||
4777 EVP_MAC_update(hctx, ikm, ikm_len) != 1)
4778 goto fail;
4779
4780 res = EVP_MAC_final(hctx, prk, &mlen, mdlen);
4781 EVP_MAC_CTX_free(hctx);
4782
4783 return res == 1 ? 0 : -1;
4784 fail:
4785 EVP_MAC_CTX_free(hctx);
4786 return -1;
4787 #else /* OpenSSL version >= 3.0 */
4788 hctx = HMAC_CTX_new();
4789 if (!hctx)
4790 return -1;
4791 res = HMAC_Init_ex(hctx, salt, salt_len, kem ? ctx->kem_h : ctx->kdf_h,
4792 NULL);
4793 if (res != 1)
4794 goto done;
4795
4796 HMAC_Update(hctx, (const unsigned char *) "HPKE-v1", 7);
4797 HMAC_Update(hctx, suite_id, suite_id_len);
4798 HMAC_Update(hctx, (const unsigned char *) label, os_strlen(label));
4799 HMAC_Update(hctx, ikm, ikm_len);
4800
4801 res = HMAC_Final(hctx, prk, &mdlen);
4802 done:
4803 HMAC_CTX_free(hctx);
4804
4805 return res == 1 ? 0 : -1;
4806 #endif /* OpenSSL version >= 3.0 */
4807 }
4808
4809
4810 static int
hpke_labeled_expand(struct hpke_context * ctx,bool kem,const u8 * prk,const char * label,const u8 * info,size_t info_len,u8 * out,size_t out_len)4811 hpke_labeled_expand(struct hpke_context *ctx, bool kem, const u8 *prk,
4812 const char *label, const u8 *info, size_t info_len,
4813 u8 *out, size_t out_len)
4814 {
4815 u8 suite_id[10];
4816 size_t suite_id_len;
4817 u8 hash[HPKE_MAX_HASH_LEN];
4818 u8 iter = 0;
4819 size_t label_len = os_strlen(label);
4820 u8 *pos;
4821 size_t left = out_len, clen;
4822 int res = -1;
4823 u8 *labeled_info;
4824 size_t labeled_info_len;
4825 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4826 EVP_MAC *hmac;
4827 OSSL_PARAM params[2];
4828 EVP_MAC_CTX *hctx = NULL;
4829 size_t mdlen;
4830 #else /* OpenSSL version >= 3.0 */
4831 HMAC_CTX *hctx;
4832 unsigned int mdlen;
4833 #endif /* OpenSSL version >= 3.0 */
4834
4835 /* labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
4836 * label, info)
4837 * return Expand(prk, labeled_info, L) */
4838 suite_id_len = hpke_suite_id(ctx, kem, suite_id);
4839 labeled_info_len = 2 + 7 + suite_id_len + label_len + info_len;
4840 labeled_info = os_malloc(labeled_info_len);
4841 if (!labeled_info)
4842 return -1;
4843 pos = labeled_info;
4844 WPA_PUT_BE16(pos, out_len);
4845 pos += 2;
4846 os_memcpy(pos, "HPKE-v1", 7);
4847 pos += 7;
4848 os_memcpy(pos, suite_id, suite_id_len);
4849 pos += suite_id_len;
4850 os_memcpy(pos, label, label_len);
4851 pos += label_len;
4852 if (info && info_len)
4853 os_memcpy(pos, info, info_len);
4854
4855 pos = out;
4856 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4857 hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
4858 if (!hmac)
4859 return -1;
4860
4861 params[0] = OSSL_PARAM_construct_utf8_string(
4862 "digest",
4863 (char *) EVP_MD_get0_name(kem ? ctx->kem_h : ctx->kdf_h), 0);
4864 params[1] = OSSL_PARAM_construct_end();
4865 #else /* OpenSSL version >= 3.0 */
4866 hctx = HMAC_CTX_new();
4867 if (!hctx)
4868 return -1;
4869 #endif /* OpenSSL version >= 3.0 */
4870
4871 while (left > 0) {
4872 mdlen = kem ? ctx->kem_n_h : ctx->n_h;
4873 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4874 EVP_MAC_CTX_free(hctx);
4875 hctx = EVP_MAC_CTX_new(hmac);
4876 if (!hctx)
4877 return -1;
4878
4879 if (EVP_MAC_init(hctx, prk, mdlen, params) != 1)
4880 goto fail;
4881
4882 if (iter > 0 && EVP_MAC_update(hctx, hash, mdlen) != 1)
4883 goto fail;
4884 if (iter == 255)
4885 goto fail;
4886 iter++;
4887
4888 if (EVP_MAC_update(hctx, labeled_info, labeled_info_len) != 1 ||
4889 EVP_MAC_update(hctx, &iter, sizeof(iter)) != 1)
4890 goto fail;
4891
4892 if (EVP_MAC_final(hctx, hash, &mdlen, mdlen) != 1)
4893 goto fail;
4894 #else /* OpenSSL version >= 3.0 */
4895 if (HMAC_Init_ex(hctx, prk, mdlen,
4896 kem ? ctx->kem_h : ctx->kdf_h,
4897 NULL) != 1)
4898 goto fail;
4899
4900 if (iter > 0)
4901 HMAC_Update(hctx, hash, mdlen);
4902 if (iter == 255)
4903 goto fail;
4904 iter++;
4905 HMAC_Update(hctx, labeled_info, labeled_info_len);
4906 HMAC_Update(hctx, &iter, sizeof(iter));
4907
4908 if (HMAC_Final(hctx, hash, &mdlen) != 1)
4909 goto fail;
4910 HMAC_CTX_reset(hctx);
4911 #endif /* OpenSSL version >= 3.0 */
4912
4913 clen = left > mdlen ? mdlen : left;
4914 os_memcpy(pos, hash, clen);
4915 pos += clen;
4916 left -= clen;
4917 }
4918 res = 0;
4919 fail:
4920 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
4921 EVP_MAC_free(hmac);
4922 EVP_MAC_CTX_free(hctx);
4923 #else /* OpenSSL version >= 3.0 */
4924 HMAC_CTX_free(hctx);
4925 #endif /* OpenSSL version >= 3.0 */
4926 os_free(labeled_info);
4927
4928 return res;
4929 }
4930
4931
hpke_extract_and_expand(struct hpke_context * ctx,const u8 * dhss,size_t dhss_len,const u8 * enc,size_t enc_len,const u8 * pk_rm,size_t pk_rm_len,u8 * shared_secret)4932 static int hpke_extract_and_expand(struct hpke_context *ctx,
4933 const u8 *dhss, size_t dhss_len,
4934 const u8 *enc, size_t enc_len,
4935 const u8 *pk_rm, size_t pk_rm_len,
4936 u8 *shared_secret)
4937 {
4938 u8 kem_context[2 * HPKE_MAX_PUB_LEN];
4939 u8 eae_prk[HPKE_MAX_HASH_LEN];
4940
4941 /* eae_prk = LabeledExtract("", "eae_prk", dh) */
4942 if (hpke_labeled_extract(ctx, true, NULL, 0, "eae_prk", dhss, dhss_len,
4943 eae_prk) < 0)
4944 return -1;
4945
4946 if (enc_len > HPKE_MAX_PUB_LEN || pk_rm_len > HPKE_MAX_PUB_LEN)
4947 return -1;
4948 /* kem_context = concat(enc, pkRm) */
4949 os_memcpy(kem_context, enc, enc_len);
4950 os_memcpy(&kem_context[enc_len], pk_rm, pk_rm_len);
4951
4952 /* shared_secret = LabeledExpand(eae_prk, "shared_secret",
4953 * kem_context, Nsecret) */
4954 if (hpke_labeled_expand(ctx, true, eae_prk, "shared_secret",
4955 kem_context, enc_len + pk_rm_len,
4956 shared_secret, ctx->n_secret) < 0)
4957 return -1;
4958
4959 forced_memzero(eae_prk, sizeof(eae_prk));
4960 return 0;
4961 }
4962
4963
hpke_key_schedule(struct hpke_context * ctx,const u8 * shared_secret,const u8 * info,size_t info_len)4964 static int hpke_key_schedule(struct hpke_context *ctx, const u8 *shared_secret,
4965 const u8 *info, size_t info_len)
4966 {
4967 u8 key_schedule_context[1 + 2 * HPKE_MAX_HASH_LEN];
4968 u8 secret[HPKE_MAX_HASH_LEN];
4969 int res = -1;
4970
4971 /* key_schedule_context = concat(mode, psk_id_hash, info_hash) */
4972 key_schedule_context[0] = HPKE_MODE_BASE;
4973
4974 /* psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id) */
4975 if (hpke_labeled_extract(ctx, false, NULL, 0, "psk_id_hash",
4976 NULL, 0, &key_schedule_context[1]) < 0)
4977 goto fail;
4978
4979 /* info_hash = LabeledExtract("", "info_hash", info) */
4980 if (hpke_labeled_extract(ctx, false, NULL, 0, "info_hash",
4981 info, info_len,
4982 &key_schedule_context[1 + ctx->n_h]) < 0)
4983 goto fail;
4984
4985 /* secret = LabeledExtract(shared_secret, "secret", psk) */
4986 if (hpke_labeled_extract(ctx, false, shared_secret, ctx->n_secret,
4987 "secret", NULL, 0, secret) < 0)
4988 goto fail;
4989
4990 /* key = LabeledExpand(secret, "key", key_schedule_context, Nk) */
4991 if (hpke_labeled_expand(ctx, false, secret, "key",
4992 key_schedule_context, 1 + 2 * ctx->n_h,
4993 ctx->key, ctx->n_k) < 0)
4994 goto fail;
4995
4996 /* base_nonce = LabeledExpand(secret, "base_nonce",
4997 * key_schedule_context, Nn) */
4998 if (hpke_labeled_expand(ctx, false, secret, "base_nonce",
4999 key_schedule_context, 1 + 2 * ctx->n_h,
5000 ctx->base_nonce, ctx->n_n) < 0)
5001 goto fail;
5002 res = 0;
5003 fail:
5004 forced_memzero(key_schedule_context, sizeof(key_schedule_context));
5005 forced_memzero(secret, sizeof(secret));
5006 return res;
5007 }
5008
5009
hpke_encap(struct hpke_context * ctx,struct crypto_ec_key * pk_r,u8 * shared_secret,u8 * enc)5010 static int hpke_encap(struct hpke_context *ctx, struct crypto_ec_key *pk_r,
5011 u8 *shared_secret, u8 *enc)
5012 {
5013 EVP_PKEY_CTX *pctx = NULL;
5014 struct crypto_ec_key *sk_e;
5015 int res = -1;
5016 u8 *dhss = NULL;
5017 size_t dhss_len = 0;
5018 struct wpabuf *enc_buf = NULL, *pk_rm = NULL;
5019
5020 /* skE, pkE = GenerateKeyPair() */
5021 sk_e = crypto_ec_key_gen(ctx->iana_group);
5022 if (!sk_e) {
5023 wpa_printf(MSG_INFO, "OpenSSL:%s:Could not generate key pair",
5024 __func__);
5025 goto fail;
5026 }
5027
5028 /* dh = DH(skE, pkR) */
5029 dhss_len = sizeof(dhss);
5030 pctx = EVP_PKEY_CTX_new((EVP_PKEY *) sk_e, NULL);
5031 if (!pctx ||
5032 EVP_PKEY_derive_init(pctx) != 1 ||
5033 EVP_PKEY_derive_set_peer(pctx, (EVP_PKEY *) pk_r) != 1 ||
5034 EVP_PKEY_derive(pctx, NULL, &dhss_len) != 1 ||
5035 !(dhss = os_malloc(dhss_len)) ||
5036 EVP_PKEY_derive(pctx, dhss, &dhss_len) != 1 ||
5037 dhss_len > HPKE_MAX_SHARED_SECRET_LEN) {
5038 wpa_printf(MSG_INFO,
5039 "OpenSSL: hpke_encap: EVP_PKEY_derive failed (dhss_len=%zu): %s",
5040 dhss_len, ERR_error_string(ERR_get_error(), NULL));
5041 goto fail;
5042 }
5043
5044 /* enc = SerializePublicKey(pkE) */
5045 enc_buf = crypto_ec_key_get_pubkey_point(sk_e, 1);
5046 if (!enc_buf)
5047 goto fail;
5048 os_memcpy(enc, wpabuf_head(enc_buf), wpabuf_len(enc_buf));
5049
5050 /* pkRm = SerializePublicKey(pkR) */
5051 pk_rm = crypto_ec_key_get_pubkey_point(pk_r, 1);
5052 if (!pk_rm)
5053 goto fail;
5054
5055 /* kem_context = concat(enc, pkRm) */
5056 /* shared_secret = ExtractAndExpand(dh, kem_context) */
5057 /* return shared_secret, enc */
5058 res = hpke_extract_and_expand(ctx, dhss, dhss_len, enc, ctx->n_pk,
5059 wpabuf_head(pk_rm),
5060 wpabuf_len(pk_rm), shared_secret);
5061 fail:
5062 bin_clear_free(dhss, dhss_len);
5063 crypto_ec_key_deinit(sk_e);
5064 EVP_PKEY_CTX_free(pctx);
5065 wpabuf_free(enc_buf);
5066 wpabuf_free(pk_rm);
5067 return res;
5068 }
5069
5070
5071 static struct wpabuf *
hpke_aead_seal(struct hpke_context * ctx,const u8 * aad,size_t aad_len,const u8 * pt,size_t pt_len)5072 hpke_aead_seal(struct hpke_context *ctx, const u8 *aad, size_t aad_len,
5073 const u8 *pt, size_t pt_len)
5074 {
5075 EVP_CIPHER_CTX *cctx;
5076 int len = 0;
5077 struct wpabuf *ct = NULL;
5078
5079 /* No need to xor in sequence number since we support only the
5080 * single-shot API, i.e., base_nonce can be used as-is. */
5081
5082 cctx = EVP_CIPHER_CTX_new();
5083 if (!cctx ||
5084 EVP_EncryptInit_ex(cctx, ctx->cipher, NULL, ctx->key,
5085 ctx->base_nonce) != 1) {
5086 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptInit_ex failed",
5087 __func__);
5088 goto fail;
5089 }
5090 if (aad && aad_len &&
5091 EVP_EncryptUpdate(cctx, NULL, &len, aad, aad_len) != 1) {
5092 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_EncryptUpdate(AAD) failed",
5093 __func__);
5094 goto fail;
5095 }
5096 ct = wpabuf_alloc(pt_len + AES_BLOCK_SIZE + ctx->n_t);
5097 if (!ct)
5098 goto fail;
5099 if (EVP_EncryptUpdate(cctx, wpabuf_put(ct, 0), &len, pt, pt_len) != 1) {
5100 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_EncryptUpdate failed",
5101 __func__);
5102 goto fail;
5103 }
5104 wpabuf_put(ct, len);
5105
5106 if (EVP_EncryptFinal(cctx, wpabuf_put(ct, 0), &len) != 1) {
5107 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptFinal failed",
5108 __func__);
5109 wpabuf_free(ct);
5110 ct = NULL;
5111 goto fail;
5112 }
5113
5114 if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_GET_TAG, ctx->n_t,
5115 wpabuf_put(ct, ctx->n_t)) != 1) {
5116 wpa_printf(MSG_INFO, "OpenSSL:%s:Could not get tag",
5117 __func__);
5118 wpabuf_free(ct);
5119 ct = NULL;
5120 goto fail;
5121 }
5122 fail:
5123 EVP_CIPHER_CTX_free(cctx);
5124 return ct;
5125 }
5126
5127
hpke_base_seal(enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id,struct crypto_ec_key * peer_pub,const u8 * info,size_t info_len,const u8 * aad,size_t aad_len,const u8 * pt,size_t pt_len)5128 struct wpabuf * hpke_base_seal(enum hpke_kem_id kem_id,
5129 enum hpke_kdf_id kdf_id,
5130 enum hpke_aead_id aead_id,
5131 struct crypto_ec_key *peer_pub,
5132 const u8 *info, size_t info_len,
5133 const u8 *aad, size_t aad_len,
5134 const u8 *pt, size_t pt_len)
5135 {
5136 struct hpke_context *ctx;
5137 u8 shared_secret[HPKE_MAX_SHARED_SECRET_LEN];
5138 u8 enc[1 + 2 * HPKE_MAX_PUB_LEN];
5139 struct wpabuf *ct = NULL, *enc_ct = NULL;
5140
5141 ctx = hpke_get_context(kem_id, kdf_id, aead_id, peer_pub);
5142 if (!ctx)
5143 return NULL;
5144
5145 /* shared_secret, enc = Encap(pkR) */
5146 if (hpke_encap(ctx, peer_pub, shared_secret, enc) < 0)
5147 goto fail;
5148
5149 /* KeyScheduleS(mode_base, shared_secret, info,
5150 * default_psk, default_psk_id) */
5151 if (hpke_key_schedule(ctx, shared_secret, info, info_len) < 0)
5152 goto fail;
5153
5154 /* ct = ctx.Seal(aad, pt) */
5155 ct = hpke_aead_seal(ctx, aad, aad_len, pt, pt_len);
5156 if (!ct)
5157 goto fail;
5158
5159 /* return enc, ct */
5160 enc_ct = wpabuf_alloc(ctx->n_pk + wpabuf_len(ct));
5161 if (!enc_ct)
5162 goto fail;
5163 wpabuf_put_data(enc_ct, enc, ctx->n_pk);
5164 wpabuf_put_buf(enc_ct, ct);
5165
5166 fail:
5167 forced_memzero(shared_secret, sizeof(shared_secret));
5168 hpke_free_context(ctx);
5169 wpabuf_free(ct);
5170 return enc_ct;
5171 }
5172
5173
hpke_decap(struct hpke_context * ctx,const u8 * enc,size_t enc_ct_len,struct crypto_ec_key * sk_r,u8 * shared_secret)5174 static int hpke_decap(struct hpke_context *ctx, const u8 *enc,
5175 size_t enc_ct_len, struct crypto_ec_key *sk_r,
5176 u8 *shared_secret)
5177 {
5178 EVP_PKEY_CTX *pctx = NULL;
5179 struct wpabuf *pk_rm = NULL;
5180 size_t len;
5181 int res = -1;
5182 struct crypto_ec_key *pk_e = NULL;
5183 u8 *dhss = NULL;
5184 size_t dhss_len = 0;
5185
5186 /* pkE = DeserializePublicKey(enc) */
5187 if (enc_ct_len < ctx->n_pk)
5188 return -1; /* not enough room for enc */
5189 if (enc[0] != 0x04)
5190 return -1; /* not in uncompressed form */
5191 len = (ctx->n_pk - 1) / 2;
5192 pk_e = crypto_ec_key_set_pub(ctx->iana_group, &enc[1],
5193 &enc[1 + len], len);
5194 if (!pk_e)
5195 return -1; /* invalid public key point */
5196 /* dh = DH(skR, pkE) */
5197 pctx = EVP_PKEY_CTX_new((EVP_PKEY *) sk_r, NULL);
5198 if (!pctx ||
5199 EVP_PKEY_derive_init(pctx) != 1 ||
5200 EVP_PKEY_derive_set_peer(pctx, (EVP_PKEY *) pk_e) != 1 ||
5201 EVP_PKEY_derive(pctx, NULL, &dhss_len) != 1 ||
5202 !(dhss = os_malloc(dhss_len)) ||
5203 EVP_PKEY_derive(pctx, dhss, &dhss_len) != 1 ||
5204 dhss_len > HPKE_MAX_SHARED_SECRET_LEN) {
5205 wpa_printf(MSG_INFO,
5206 "OpenSSL: hpke_decap: EVP_PKEY_derive failed (dhss_len=%zu): %s",
5207 dhss_len, ERR_error_string(ERR_get_error(), NULL));
5208 goto fail;
5209 }
5210
5211 /* pkRm = SerializePublicKey(pk(skR)) */
5212 pk_rm = crypto_ec_key_get_pubkey_point(sk_r, 1);
5213 if (!pk_rm)
5214 goto fail;
5215
5216 /* kem_context = concat(enc, pkRm) */
5217 /* shared_secret = ExtractAndExpand(dh, kem_context) */
5218 res = hpke_extract_and_expand(ctx, dhss, dhss_len, enc, ctx->n_pk,
5219 wpabuf_head(pk_rm),
5220 wpabuf_len(pk_rm), shared_secret);
5221 fail:
5222 bin_clear_free(dhss, dhss_len);
5223 crypto_ec_key_deinit(pk_e);
5224 EVP_PKEY_CTX_free(pctx);
5225 wpabuf_free(pk_rm);
5226 return res;
5227 }
5228
5229
5230 static struct wpabuf *
hpke_aead_open(struct hpke_context * ctx,const u8 * aad,size_t aad_len,const u8 * ct,size_t ct_len)5231 hpke_aead_open(struct hpke_context *ctx, const u8 *aad, size_t aad_len,
5232 const u8 *ct, size_t ct_len)
5233 {
5234 EVP_CIPHER_CTX *cctx;
5235 int len = 0;
5236 const u8 *tag;
5237 struct wpabuf *pt = NULL;
5238
5239 if (ct_len < ctx->n_t)
5240 return NULL;
5241 tag = ct + ct_len - ctx->n_t;
5242 ct_len -= ctx->n_t;
5243
5244 /* No need to xor in sequence number since we support only the
5245 * single-shot API, i.e., base_nonce can be used as-is. */
5246
5247 cctx = EVP_CIPHER_CTX_new();
5248 if (!cctx ||
5249 EVP_DecryptInit_ex(cctx, ctx->cipher, NULL, ctx->key,
5250 ctx->base_nonce) != 1) {
5251 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptInit_ex failed",
5252 __func__);
5253 goto fail;
5254 }
5255 if (aad && aad_len &&
5256 EVP_DecryptUpdate(cctx, NULL, &len, aad, aad_len) != 1) {
5257 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptUpdate(AAD) failed",
5258 __func__);
5259 goto fail;
5260 }
5261 pt = wpabuf_alloc(ct_len + AES_BLOCK_SIZE);
5262 if (!pt)
5263 goto fail;
5264 if (EVP_DecryptUpdate(cctx, wpabuf_put(pt, 0), &len, ct, ct_len) != 1) {
5265 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptUpdate failed",
5266 __func__);
5267 goto fail;
5268 }
5269 wpabuf_put(pt, len);
5270
5271 if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_SET_TAG, ctx->n_t,
5272 (void *) tag) != 1) {
5273 wpa_printf(MSG_INFO, "OpenSSL:%s:Could not set tag",
5274 __func__);
5275 wpabuf_free(pt);
5276 pt = NULL;
5277 goto fail;
5278 }
5279
5280 if (EVP_DecryptFinal(cctx, wpabuf_put(pt, 0), &len) != 1) {
5281 wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptFinal failed",
5282 __func__);
5283 wpabuf_free(pt);
5284 pt = NULL;
5285 }
5286 fail:
5287 EVP_CIPHER_CTX_free(cctx);
5288 return pt;
5289 }
5290
5291
hpke_base_open(enum hpke_kem_id kem_id,enum hpke_kdf_id kdf_id,enum hpke_aead_id aead_id,struct crypto_ec_key * own_priv,const u8 * info,size_t info_len,const u8 * aad,size_t aad_len,const u8 * enc_ct,size_t enc_ct_len)5292 struct wpabuf * hpke_base_open(enum hpke_kem_id kem_id,
5293 enum hpke_kdf_id kdf_id,
5294 enum hpke_aead_id aead_id,
5295 struct crypto_ec_key *own_priv,
5296 const u8 *info, size_t info_len,
5297 const u8 *aad, size_t aad_len,
5298 const u8 *enc_ct, size_t enc_ct_len)
5299 {
5300 struct hpke_context *ctx;
5301 u8 shared_secret[HPKE_MAX_SHARED_SECRET_LEN];
5302 struct wpabuf *pt = NULL;
5303
5304 ctx = hpke_get_context(kem_id, kdf_id, aead_id, own_priv);
5305 if (!ctx)
5306 return NULL;
5307
5308 /* shared_secret = Decap(enc, skR) */
5309 if (hpke_decap(ctx, enc_ct, enc_ct_len, own_priv, shared_secret) < 0)
5310 goto fail;
5311
5312 /* KeyScheduleR(mode_base, shared_secret, info,
5313 * default_psk, default_psk_id) */
5314 if (hpke_key_schedule(ctx, shared_secret, info, info_len) < 0)
5315 goto fail;
5316
5317 /* return ctx.Open(aad, ct) */
5318 pt = hpke_aead_open(ctx, aad, aad_len,
5319 &enc_ct[ctx->n_pk], enc_ct_len - ctx->n_pk);
5320
5321 fail:
5322 forced_memzero(shared_secret, sizeof(shared_secret));
5323 hpke_free_context(ctx);
5324 return pt;
5325 }
5326
5327 #endif /* CONFIG_DPP3 */
5328
5329
crypto_unload(void)5330 void crypto_unload(void)
5331 {
5332 openssl_unload_legacy_provider();
5333 }
5334