1 /*
2 * Wrapper functions for OpenSSL libcrypto
3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #include <openssl/opensslv.h>
11 #include <openssl/err.h>
12 #include <openssl/des.h>
13 #include <openssl/aes.h>
14 #include <openssl/bn.h>
15 #include <openssl/evp.h>
16 #include <openssl/dh.h>
17 #include <openssl/hmac.h>
18 #include <openssl/rand.h>
19 #ifdef CONFIG_OPENSSL_CMAC
20 #include <openssl/cmac.h>
21 #endif /* CONFIG_OPENSSL_CMAC */
22 #ifdef CONFIG_ECC
23 #include <openssl/ec.h>
24 #endif /* CONFIG_ECC */
25
26 #include "common.h"
27 #include "wpabuf.h"
28 #include "dh_group5.h"
29 #include "sha1.h"
30 #include "sha256.h"
31 #include "sha384.h"
32 #include "md5.h"
33 #include "aes_wrap.h"
34 #include "crypto.h"
35
36 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
37 /* Compatibility wrappers for older versions. */
38
HMAC_CTX_new(void)39 static HMAC_CTX * HMAC_CTX_new(void)
40 {
41 HMAC_CTX *ctx;
42
43 ctx = os_zalloc(sizeof(*ctx));
44 if (ctx)
45 HMAC_CTX_init(ctx);
46 return ctx;
47 }
48
49
HMAC_CTX_free(HMAC_CTX * ctx)50 static void HMAC_CTX_free(HMAC_CTX *ctx)
51 {
52 if (!ctx)
53 return;
54 HMAC_CTX_cleanup(ctx);
55 bin_clear_free(ctx, sizeof(*ctx));
56 }
57
58
EVP_MD_CTX_new(void)59 static EVP_MD_CTX * EVP_MD_CTX_new(void)
60 {
61 EVP_MD_CTX *ctx;
62
63 ctx = os_zalloc(sizeof(*ctx));
64 if (ctx)
65 EVP_MD_CTX_init(ctx);
66 return ctx;
67 }
68
69
EVP_MD_CTX_free(EVP_MD_CTX * ctx)70 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
71 {
72 if (!ctx)
73 return;
74 EVP_MD_CTX_cleanup(ctx);
75 bin_clear_free(ctx, sizeof(*ctx));
76 }
77
78 #endif /* OpenSSL version < 1.1.0 */
79
get_group5_prime(void)80 static BIGNUM * get_group5_prime(void)
81 {
82 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
83 return BN_get_rfc3526_prime_1536(NULL);
84 #elif !defined(OPENSSL_IS_BORINGSSL)
85 return get_rfc3526_prime_1536(NULL);
86 #else
87 static const unsigned char RFC3526_PRIME_1536[] = {
88 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
89 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
90 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
91 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
92 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
93 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
94 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
95 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
96 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
97 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
98 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
99 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
100 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
101 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
102 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
103 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
104 };
105 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
106 #endif
107 }
108
109 #ifdef OPENSSL_NO_SHA256
110 #define NO_SHA256_WRAPPER
111 #endif
112 #ifdef OPENSSL_NO_SHA512
113 #define NO_SHA384_WRAPPER
114 #endif
115
openssl_digest_vector(const EVP_MD * type,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)116 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
117 const u8 *addr[], const size_t *len, u8 *mac)
118 {
119 EVP_MD_CTX *ctx;
120 size_t i;
121 unsigned int mac_len;
122
123 if (TEST_FAIL())
124 return -1;
125
126 ctx = EVP_MD_CTX_new();
127 if (!ctx)
128 return -1;
129 if (!EVP_DigestInit_ex(ctx, type, NULL)) {
130 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
131 ERR_error_string(ERR_get_error(), NULL));
132 EVP_MD_CTX_free(ctx);
133 return -1;
134 }
135 for (i = 0; i < num_elem; i++) {
136 if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
137 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
138 "failed: %s",
139 ERR_error_string(ERR_get_error(), NULL));
140 EVP_MD_CTX_free(ctx);
141 return -1;
142 }
143 }
144 if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
145 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
146 ERR_error_string(ERR_get_error(), NULL));
147 EVP_MD_CTX_free(ctx);
148 return -1;
149 }
150 EVP_MD_CTX_free(ctx);
151
152 return 0;
153 }
154
155
156 #ifndef CONFIG_FIPS
md4_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)157 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
158 {
159 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
160 }
161 #endif /* CONFIG_FIPS */
162
163
des_encrypt(const u8 * clear,const u8 * key,u8 * cypher)164 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
165 {
166 u8 pkey[8], next, tmp;
167 int i;
168 DES_key_schedule ks;
169
170 /* Add parity bits to the key */
171 next = 0;
172 for (i = 0; i < 7; i++) {
173 tmp = key[i];
174 pkey[i] = (tmp >> i) | next | 1;
175 next = tmp << (7 - i);
176 }
177 pkey[i] = next | 1;
178
179 DES_set_key((DES_cblock *) &pkey, &ks);
180 DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks,
181 DES_ENCRYPT);
182 return 0;
183 }
184
185
186 #ifndef CONFIG_NO_RC4
rc4_skip(const u8 * key,size_t keylen,size_t skip,u8 * data,size_t data_len)187 int rc4_skip(const u8 *key, size_t keylen, size_t skip,
188 u8 *data, size_t data_len)
189 {
190 #ifdef OPENSSL_NO_RC4
191 return -1;
192 #else /* OPENSSL_NO_RC4 */
193 EVP_CIPHER_CTX *ctx;
194 int outl;
195 int res = -1;
196 unsigned char skip_buf[16];
197
198 ctx = EVP_CIPHER_CTX_new();
199 if (!ctx ||
200 !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
201 !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
202 !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
203 !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
204 goto out;
205
206 while (skip >= sizeof(skip_buf)) {
207 size_t len = skip;
208 if (len > sizeof(skip_buf))
209 len = sizeof(skip_buf);
210 if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
211 goto out;
212 skip -= len;
213 }
214
215 if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
216 res = 0;
217
218 out:
219 if (ctx)
220 EVP_CIPHER_CTX_free(ctx);
221 return res;
222 #endif /* OPENSSL_NO_RC4 */
223 }
224 #endif /* CONFIG_NO_RC4 */
225
226
227 #ifndef CONFIG_FIPS
md5_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)228 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
229 {
230 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
231 }
232 #endif /* CONFIG_FIPS */
233
234
sha1_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)235 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
236 {
237 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
238 }
239
240
241 #ifndef NO_SHA256_WRAPPER
sha256_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)242 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
243 u8 *mac)
244 {
245 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
246 }
247 #endif /* NO_SHA256_WRAPPER */
248
249
250 #ifndef NO_SHA384_WRAPPER
sha384_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)251 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
252 u8 *mac)
253 {
254 return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);
255 }
256 #endif /* NO_SHA384_WRAPPER */
257
258
259 #ifndef NO_SHA512_WRAPPER
sha512_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)260 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
261 u8 *mac)
262 {
263 return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
264 }
265 #endif /* NO_SHA512_WRAPPER */
266
267
aes_get_evp_cipher(size_t keylen)268 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
269 {
270 switch (keylen) {
271 case 16:
272 return EVP_aes_128_ecb();
273 #ifndef OPENSSL_IS_BORINGSSL
274 case 24:
275 return EVP_aes_192_ecb();
276 #endif /* OPENSSL_IS_BORINGSSL */
277 case 32:
278 return EVP_aes_256_ecb();
279 }
280
281 return NULL;
282 }
283
284
aes_encrypt_init(const u8 * key,size_t len)285 void * aes_encrypt_init(const u8 *key, size_t len)
286 {
287 EVP_CIPHER_CTX *ctx;
288 const EVP_CIPHER *type;
289
290 if (TEST_FAIL())
291 return NULL;
292
293 type = aes_get_evp_cipher(len);
294 if (type == NULL)
295 return NULL;
296
297 ctx = EVP_CIPHER_CTX_new();
298 if (ctx == NULL)
299 return NULL;
300 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
301 os_free(ctx);
302 return NULL;
303 }
304 EVP_CIPHER_CTX_set_padding(ctx, 0);
305 return ctx;
306 }
307
308
aes_encrypt(void * ctx,const u8 * plain,u8 * crypt)309 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
310 {
311 EVP_CIPHER_CTX *c = ctx;
312 int clen = 16;
313 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
314 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
315 ERR_error_string(ERR_get_error(), NULL));
316 return -1;
317 }
318 return 0;
319 }
320
321
aes_encrypt_deinit(void * ctx)322 void aes_encrypt_deinit(void *ctx)
323 {
324 EVP_CIPHER_CTX *c = ctx;
325 u8 buf[16];
326 int len = sizeof(buf);
327 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
328 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
329 "%s", ERR_error_string(ERR_get_error(), NULL));
330 }
331 if (len != 0) {
332 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
333 "in AES encrypt", len);
334 }
335 EVP_CIPHER_CTX_free(c);
336 }
337
338
aes_decrypt_init(const u8 * key,size_t len)339 void * aes_decrypt_init(const u8 *key, size_t len)
340 {
341 EVP_CIPHER_CTX *ctx;
342 const EVP_CIPHER *type;
343
344 if (TEST_FAIL())
345 return NULL;
346
347 type = aes_get_evp_cipher(len);
348 if (type == NULL)
349 return NULL;
350
351 ctx = EVP_CIPHER_CTX_new();
352 if (ctx == NULL)
353 return NULL;
354 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
355 EVP_CIPHER_CTX_free(ctx);
356 return NULL;
357 }
358 EVP_CIPHER_CTX_set_padding(ctx, 0);
359 return ctx;
360 }
361
362
aes_decrypt(void * ctx,const u8 * crypt,u8 * plain)363 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
364 {
365 EVP_CIPHER_CTX *c = ctx;
366 int plen = 16;
367 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
368 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
369 ERR_error_string(ERR_get_error(), NULL));
370 return -1;
371 }
372 return 0;
373 }
374
375
aes_decrypt_deinit(void * ctx)376 void aes_decrypt_deinit(void *ctx)
377 {
378 EVP_CIPHER_CTX *c = ctx;
379 u8 buf[16];
380 int len = sizeof(buf);
381 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
382 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
383 "%s", ERR_error_string(ERR_get_error(), NULL));
384 }
385 if (len != 0) {
386 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
387 "in AES decrypt", len);
388 }
389 EVP_CIPHER_CTX_free(c);
390 }
391
392
393 #ifndef CONFIG_FIPS
394 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
395
aes_wrap(const u8 * kek,size_t kek_len,int n,const u8 * plain,u8 * cipher)396 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
397 {
398 AES_KEY actx;
399 int res;
400
401 if (TEST_FAIL())
402 return -1;
403 if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
404 return -1;
405 res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
406 OPENSSL_cleanse(&actx, sizeof(actx));
407 return res <= 0 ? -1 : 0;
408 }
409
410
aes_unwrap(const u8 * kek,size_t kek_len,int n,const u8 * cipher,u8 * plain)411 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
412 u8 *plain)
413 {
414 AES_KEY actx;
415 int res;
416
417 if (TEST_FAIL())
418 return -1;
419 if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
420 return -1;
421 res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
422 OPENSSL_cleanse(&actx, sizeof(actx));
423 return res <= 0 ? -1 : 0;
424 }
425
426 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
427 #endif /* CONFIG_FIPS */
428
429
aes_128_cbc_encrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)430 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
431 {
432 EVP_CIPHER_CTX *ctx;
433 int clen, len;
434 u8 buf[16];
435 int res = -1;
436
437 if (TEST_FAIL())
438 return -1;
439
440 ctx = EVP_CIPHER_CTX_new();
441 if (!ctx)
442 return -1;
443 clen = data_len;
444 len = sizeof(buf);
445 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
446 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
447 EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
448 clen == (int) data_len &&
449 EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
450 res = 0;
451 EVP_CIPHER_CTX_free(ctx);
452
453 return res;
454 }
455
456
aes_128_cbc_decrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)457 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
458 {
459 EVP_CIPHER_CTX *ctx;
460 int plen, len;
461 u8 buf[16];
462 int res = -1;
463
464 if (TEST_FAIL())
465 return -1;
466
467 ctx = EVP_CIPHER_CTX_new();
468 if (!ctx)
469 return -1;
470 plen = data_len;
471 len = sizeof(buf);
472 if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
473 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
474 EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
475 plen == (int) data_len &&
476 EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
477 res = 0;
478 EVP_CIPHER_CTX_free(ctx);
479
480 return res;
481
482 }
483
484
crypto_mod_exp(const u8 * base,size_t base_len,const u8 * power,size_t power_len,const u8 * modulus,size_t modulus_len,u8 * result,size_t * result_len)485 int crypto_mod_exp(const u8 *base, size_t base_len,
486 const u8 *power, size_t power_len,
487 const u8 *modulus, size_t modulus_len,
488 u8 *result, size_t *result_len)
489 {
490 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
491 int ret = -1;
492 BN_CTX *ctx;
493
494 ctx = BN_CTX_new();
495 if (ctx == NULL)
496 return -1;
497
498 bn_base = BN_bin2bn(base, base_len, NULL);
499 bn_exp = BN_bin2bn(power, power_len, NULL);
500 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
501 bn_result = BN_new();
502
503 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
504 bn_result == NULL)
505 goto error;
506
507 if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
508 goto error;
509
510 *result_len = BN_bn2bin(bn_result, result);
511 ret = 0;
512
513 error:
514 BN_clear_free(bn_base);
515 BN_clear_free(bn_exp);
516 BN_clear_free(bn_modulus);
517 BN_clear_free(bn_result);
518 BN_CTX_free(ctx);
519 return ret;
520 }
521
522
523 struct crypto_cipher {
524 EVP_CIPHER_CTX *enc;
525 EVP_CIPHER_CTX *dec;
526 };
527
528
crypto_cipher_init(enum crypto_cipher_alg alg,const u8 * iv,const u8 * key,size_t key_len)529 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
530 const u8 *iv, const u8 *key,
531 size_t key_len)
532 {
533 struct crypto_cipher *ctx;
534 const EVP_CIPHER *cipher;
535
536 ctx = os_zalloc(sizeof(*ctx));
537 if (ctx == NULL)
538 return NULL;
539
540 switch (alg) {
541 #ifndef CONFIG_NO_RC4
542 #ifndef OPENSSL_NO_RC4
543 case CRYPTO_CIPHER_ALG_RC4:
544 cipher = EVP_rc4();
545 break;
546 #endif /* OPENSSL_NO_RC4 */
547 #endif /* CONFIG_NO_RC4 */
548 #ifndef OPENSSL_NO_AES
549 case CRYPTO_CIPHER_ALG_AES:
550 switch (key_len) {
551 case 16:
552 cipher = EVP_aes_128_cbc();
553 break;
554 #ifndef OPENSSL_IS_BORINGSSL
555 case 24:
556 cipher = EVP_aes_192_cbc();
557 break;
558 #endif /* OPENSSL_IS_BORINGSSL */
559 case 32:
560 cipher = EVP_aes_256_cbc();
561 break;
562 default:
563 os_free(ctx);
564 return NULL;
565 }
566 break;
567 #endif /* OPENSSL_NO_AES */
568 #ifndef OPENSSL_NO_DES
569 case CRYPTO_CIPHER_ALG_3DES:
570 cipher = EVP_des_ede3_cbc();
571 break;
572 case CRYPTO_CIPHER_ALG_DES:
573 cipher = EVP_des_cbc();
574 break;
575 #endif /* OPENSSL_NO_DES */
576 #ifndef OPENSSL_NO_RC2
577 case CRYPTO_CIPHER_ALG_RC2:
578 cipher = EVP_rc2_ecb();
579 break;
580 #endif /* OPENSSL_NO_RC2 */
581 default:
582 os_free(ctx);
583 return NULL;
584 }
585
586 if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
587 !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
588 !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
589 !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
590 !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
591 if (ctx->enc)
592 EVP_CIPHER_CTX_free(ctx->enc);
593 os_free(ctx);
594 return NULL;
595 }
596
597 if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
598 !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
599 !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
600 !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
601 !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
602 EVP_CIPHER_CTX_free(ctx->enc);
603 if (ctx->dec)
604 EVP_CIPHER_CTX_free(ctx->dec);
605 os_free(ctx);
606 return NULL;
607 }
608
609 return ctx;
610 }
611
612
crypto_cipher_encrypt(struct crypto_cipher * ctx,const u8 * plain,u8 * crypt,size_t len)613 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
614 u8 *crypt, size_t len)
615 {
616 int outl;
617 if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
618 return -1;
619 return 0;
620 }
621
622
crypto_cipher_decrypt(struct crypto_cipher * ctx,const u8 * crypt,u8 * plain,size_t len)623 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
624 u8 *plain, size_t len)
625 {
626 int outl;
627 outl = len;
628 if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
629 return -1;
630 return 0;
631 }
632
633
crypto_cipher_deinit(struct crypto_cipher * ctx)634 void crypto_cipher_deinit(struct crypto_cipher *ctx)
635 {
636 EVP_CIPHER_CTX_free(ctx->enc);
637 EVP_CIPHER_CTX_free(ctx->dec);
638 os_free(ctx);
639 }
640
641
dh5_init(struct wpabuf ** priv,struct wpabuf ** publ)642 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
643 {
644 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
645 DH *dh;
646 struct wpabuf *pubkey = NULL, *privkey = NULL;
647 size_t publen, privlen;
648
649 *priv = NULL;
650 wpabuf_free(*publ);
651 *publ = NULL;
652
653 dh = DH_new();
654 if (dh == NULL)
655 return NULL;
656
657 dh->g = BN_new();
658 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
659 goto err;
660
661 dh->p = get_group5_prime();
662 if (dh->p == NULL)
663 goto err;
664
665 if (DH_generate_key(dh) != 1)
666 goto err;
667
668 publen = BN_num_bytes(dh->pub_key);
669 pubkey = wpabuf_alloc(publen);
670 if (pubkey == NULL)
671 goto err;
672 privlen = BN_num_bytes(dh->priv_key);
673 privkey = wpabuf_alloc(privlen);
674 if (privkey == NULL)
675 goto err;
676
677 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
678 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
679
680 *priv = privkey;
681 *publ = pubkey;
682 return dh;
683
684 err:
685 wpabuf_clear_free(pubkey);
686 wpabuf_clear_free(privkey);
687 DH_free(dh);
688 return NULL;
689 #else
690 DH *dh;
691 struct wpabuf *pubkey = NULL, *privkey = NULL;
692 size_t publen, privlen;
693 BIGNUM *p = NULL, *g;
694 const BIGNUM *priv_key = NULL, *pub_key = NULL;
695
696 *priv = NULL;
697 wpabuf_free(*publ);
698 *publ = NULL;
699
700 dh = DH_new();
701 if (dh == NULL)
702 return NULL;
703
704 g = BN_new();
705 p = get_group5_prime();
706 if (!g || BN_set_word(g, 2) != 1 || !p ||
707 DH_set0_pqg(dh, p, NULL, g) != 1)
708 goto err;
709 p = NULL;
710 g = NULL;
711
712 if (DH_generate_key(dh) != 1)
713 goto err;
714
715 DH_get0_key(dh, &pub_key, &priv_key);
716 publen = BN_num_bytes(pub_key);
717 pubkey = wpabuf_alloc(publen);
718 if (!pubkey)
719 goto err;
720 privlen = BN_num_bytes(priv_key);
721 privkey = wpabuf_alloc(privlen);
722 if (!privkey)
723 goto err;
724
725 BN_bn2bin(pub_key, wpabuf_put(pubkey, publen));
726 BN_bn2bin(priv_key, wpabuf_put(privkey, privlen));
727
728 *priv = privkey;
729 *publ = pubkey;
730 return dh;
731
732 err:
733 BN_free(p);
734 BN_free(g);
735 wpabuf_clear_free(pubkey);
736 wpabuf_clear_free(privkey);
737 DH_free(dh);
738 return NULL;
739 #endif
740 }
741
742
dh5_init_fixed(const struct wpabuf * priv,const struct wpabuf * publ)743 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
744 {
745 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
746 DH *dh;
747
748 dh = DH_new();
749 if (dh == NULL)
750 return NULL;
751
752 dh->g = BN_new();
753 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
754 goto err;
755
756 dh->p = get_group5_prime();
757 if (dh->p == NULL)
758 goto err;
759
760 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
761 if (dh->priv_key == NULL)
762 goto err;
763
764 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
765 if (dh->pub_key == NULL)
766 goto err;
767
768 if (DH_generate_key(dh) != 1)
769 goto err;
770
771 return dh;
772
773 err:
774 DH_free(dh);
775 return NULL;
776 #else
777 DH *dh;
778 BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL;
779
780 dh = DH_new();
781 if (dh == NULL)
782 return NULL;
783
784 g = BN_new();
785 p = get_group5_prime();
786 if (!g || BN_set_word(g, 2) != 1 || !p ||
787 DH_set0_pqg(dh, p, NULL, g) != 1)
788 goto err;
789 p = NULL;
790 g = NULL;
791
792 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
793 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
794 if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1)
795 goto err;
796 pub_key = NULL;
797 priv_key = NULL;
798
799 if (DH_generate_key(dh) != 1)
800 goto err;
801
802 return dh;
803
804 err:
805 BN_free(p);
806 BN_free(g);
807 BN_free(pub_key);
808 BN_clear_free(priv_key);
809 DH_free(dh);
810 return NULL;
811 #endif
812 }
813
814
dh5_derive_shared(void * ctx,const struct wpabuf * peer_public,const struct wpabuf * own_private)815 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
816 const struct wpabuf *own_private)
817 {
818 BIGNUM *pub_key;
819 struct wpabuf *res = NULL;
820 size_t rlen;
821 DH *dh = ctx;
822 int keylen;
823
824 if (ctx == NULL)
825 return NULL;
826
827 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
828 NULL);
829 if (pub_key == NULL)
830 return NULL;
831
832 rlen = DH_size(dh);
833 res = wpabuf_alloc(rlen);
834 if (res == NULL)
835 goto err;
836
837 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
838 if (keylen < 0)
839 goto err;
840 wpabuf_put(res, keylen);
841 BN_clear_free(pub_key);
842
843 return res;
844
845 err:
846 BN_clear_free(pub_key);
847 wpabuf_clear_free(res);
848 return NULL;
849 }
850
851
dh5_free(void * ctx)852 void dh5_free(void *ctx)
853 {
854 DH *dh;
855 if (ctx == NULL)
856 return;
857 dh = ctx;
858 DH_free(dh);
859 }
860
861
862 struct crypto_hash {
863 HMAC_CTX *ctx;
864 };
865
866
crypto_hash_init(enum crypto_hash_alg alg,const u8 * key,size_t key_len)867 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
868 size_t key_len)
869 {
870 struct crypto_hash *ctx;
871 const EVP_MD *md;
872
873 switch (alg) {
874 #ifndef OPENSSL_NO_MD5
875 case CRYPTO_HASH_ALG_HMAC_MD5:
876 md = EVP_md5();
877 break;
878 #endif /* OPENSSL_NO_MD5 */
879 #ifndef OPENSSL_NO_SHA
880 case CRYPTO_HASH_ALG_HMAC_SHA1:
881 md = EVP_sha1();
882 break;
883 #endif /* OPENSSL_NO_SHA */
884 #ifndef OPENSSL_NO_SHA256
885 #ifdef CONFIG_SHA256
886 case CRYPTO_HASH_ALG_HMAC_SHA256:
887 md = EVP_sha256();
888 break;
889 #endif /* CONFIG_SHA256 */
890 #endif /* OPENSSL_NO_SHA256 */
891 default:
892 return NULL;
893 }
894
895 ctx = os_zalloc(sizeof(*ctx));
896 if (ctx == NULL)
897 return NULL;
898 ctx->ctx = HMAC_CTX_new();
899 if (!ctx->ctx) {
900 os_free(ctx);
901 return NULL;
902 }
903
904 if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
905 HMAC_CTX_free(ctx->ctx);
906 bin_clear_free(ctx, sizeof(*ctx));
907 return NULL;
908 }
909
910 return ctx;
911 }
912
913
crypto_hash_update(struct crypto_hash * ctx,const u8 * data,size_t len)914 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
915 {
916 if (ctx == NULL)
917 return;
918 HMAC_Update(ctx->ctx, data, len);
919 }
920
921
crypto_hash_finish(struct crypto_hash * ctx,u8 * mac,size_t * len)922 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
923 {
924 unsigned int mdlen;
925 int res;
926
927 if (ctx == NULL)
928 return -2;
929
930 if (mac == NULL || len == NULL) {
931 HMAC_CTX_free(ctx->ctx);
932 bin_clear_free(ctx, sizeof(*ctx));
933 return 0;
934 }
935
936 mdlen = *len;
937 res = HMAC_Final(ctx->ctx, mac, &mdlen);
938 HMAC_CTX_free(ctx->ctx);
939 bin_clear_free(ctx, sizeof(*ctx));
940
941 if (res == 1) {
942 *len = mdlen;
943 return 0;
944 }
945
946 return -1;
947 }
948
949
openssl_hmac_vector(const EVP_MD * type,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac,unsigned int mdlen)950 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
951 size_t key_len, size_t num_elem,
952 const u8 *addr[], const size_t *len, u8 *mac,
953 unsigned int mdlen)
954 {
955 HMAC_CTX *ctx;
956 size_t i;
957 int res;
958
959 if (TEST_FAIL())
960 return -1;
961
962 ctx = HMAC_CTX_new();
963 if (!ctx)
964 return -1;
965 res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
966 if (res != 1)
967 goto done;
968
969 for (i = 0; i < num_elem; i++)
970 HMAC_Update(ctx, addr[i], len[i]);
971
972 res = HMAC_Final(ctx, mac, &mdlen);
973 done:
974 HMAC_CTX_free(ctx);
975
976 return res == 1 ? 0 : -1;
977 }
978
979
980 #ifndef CONFIG_FIPS
981
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)982 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
983 const u8 *addr[], const size_t *len, u8 *mac)
984 {
985 return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
986 mac, 16);
987 }
988
989
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)990 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
991 u8 *mac)
992 {
993 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
994 }
995
996 #endif /* CONFIG_FIPS */
997
998
pbkdf2_sha1(const char * passphrase,const u8 * ssid,size_t ssid_len,int iterations,u8 * buf,size_t buflen)999 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
1000 int iterations, u8 *buf, size_t buflen)
1001 {
1002 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
1003 ssid_len, iterations, buflen, buf) != 1)
1004 return -1;
1005 return 0;
1006 }
1007
1008
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1009 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
1010 const u8 *addr[], const size_t *len, u8 *mac)
1011 {
1012 return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
1013 len, mac, 20);
1014 }
1015
1016
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1017 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1018 u8 *mac)
1019 {
1020 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
1021 }
1022
1023
1024 #ifdef CONFIG_SHA256
1025
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1026 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
1027 const u8 *addr[], const size_t *len, u8 *mac)
1028 {
1029 return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
1030 len, mac, 32);
1031 }
1032
1033
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1034 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
1035 size_t data_len, u8 *mac)
1036 {
1037 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
1038 }
1039
1040 #endif /* CONFIG_SHA256 */
1041
1042
1043 #ifdef CONFIG_SHA384
1044
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1045 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
1046 const u8 *addr[], const size_t *len, u8 *mac)
1047 {
1048 return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
1049 len, mac, 48);
1050 }
1051
1052
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1053 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
1054 size_t data_len, u8 *mac)
1055 {
1056 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
1057 }
1058
1059 #endif /* CONFIG_SHA384 */
1060
1061
1062 #ifdef CONFIG_SHA512
1063
hmac_sha512_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1064 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
1065 const u8 *addr[], const size_t *len, u8 *mac)
1066 {
1067 return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
1068 len, mac, 64);
1069 }
1070
1071
hmac_sha512(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1072 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
1073 size_t data_len, u8 *mac)
1074 {
1075 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
1076 }
1077
1078 #endif /* CONFIG_SHA512 */
1079
1080
crypto_get_random(void * buf,size_t len)1081 int crypto_get_random(void *buf, size_t len)
1082 {
1083 if (RAND_bytes(buf, len) != 1)
1084 return -1;
1085 return 0;
1086 }
1087
1088
1089 #ifdef CONFIG_OPENSSL_CMAC
omac1_aes_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1090 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
1091 const u8 *addr[], const size_t *len, u8 *mac)
1092 {
1093 CMAC_CTX *ctx;
1094 int ret = -1;
1095 size_t outlen, i;
1096
1097 if (TEST_FAIL())
1098 return -1;
1099
1100 ctx = CMAC_CTX_new();
1101 if (ctx == NULL)
1102 return -1;
1103
1104 if (key_len == 32) {
1105 if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
1106 goto fail;
1107 } else if (key_len == 16) {
1108 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
1109 goto fail;
1110 } else {
1111 goto fail;
1112 }
1113 for (i = 0; i < num_elem; i++) {
1114 if (!CMAC_Update(ctx, addr[i], len[i]))
1115 goto fail;
1116 }
1117 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
1118 goto fail;
1119
1120 ret = 0;
1121 fail:
1122 CMAC_CTX_free(ctx);
1123 return ret;
1124 }
1125
1126
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1127 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
1128 const u8 *addr[], const size_t *len, u8 *mac)
1129 {
1130 return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
1131 }
1132
1133
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1134 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1135 {
1136 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
1137 }
1138
1139
omac1_aes_256(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1140 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1141 {
1142 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
1143 }
1144 #endif /* CONFIG_OPENSSL_CMAC */
1145
1146
crypto_bignum_init(void)1147 struct crypto_bignum * crypto_bignum_init(void)
1148 {
1149 if (TEST_FAIL())
1150 return NULL;
1151 return (struct crypto_bignum *) BN_new();
1152 }
1153
1154
crypto_bignum_init_set(const u8 * buf,size_t len)1155 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
1156 {
1157 BIGNUM *bn;
1158
1159 if (TEST_FAIL())
1160 return NULL;
1161
1162 bn = BN_bin2bn(buf, len, NULL);
1163 return (struct crypto_bignum *) bn;
1164 }
1165
1166
crypto_bignum_deinit(struct crypto_bignum * n,int clear)1167 void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
1168 {
1169 if (clear)
1170 BN_clear_free((BIGNUM *) n);
1171 else
1172 BN_free((BIGNUM *) n);
1173 }
1174
1175
crypto_bignum_to_bin(const struct crypto_bignum * a,u8 * buf,size_t buflen,size_t padlen)1176 int crypto_bignum_to_bin(const struct crypto_bignum *a,
1177 u8 *buf, size_t buflen, size_t padlen)
1178 {
1179 int num_bytes, offset;
1180
1181 if (TEST_FAIL())
1182 return -1;
1183
1184 if (padlen > buflen)
1185 return -1;
1186
1187 num_bytes = BN_num_bytes((const BIGNUM *) a);
1188 if ((size_t) num_bytes > buflen)
1189 return -1;
1190 if (padlen > (size_t) num_bytes)
1191 offset = padlen - num_bytes;
1192 else
1193 offset = 0;
1194
1195 os_memset(buf, 0, offset);
1196 BN_bn2bin((const BIGNUM *) a, buf + offset);
1197
1198 return num_bytes + offset;
1199 }
1200
1201
crypto_bignum_add(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1202 int crypto_bignum_add(const struct crypto_bignum *a,
1203 const struct crypto_bignum *b,
1204 struct crypto_bignum *c)
1205 {
1206 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1207 0 : -1;
1208 }
1209
1210
crypto_bignum_mod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1211 int crypto_bignum_mod(const struct crypto_bignum *a,
1212 const struct crypto_bignum *b,
1213 struct crypto_bignum *c)
1214 {
1215 int res;
1216 BN_CTX *bnctx;
1217
1218 bnctx = BN_CTX_new();
1219 if (bnctx == NULL)
1220 return -1;
1221 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1222 bnctx);
1223 BN_CTX_free(bnctx);
1224
1225 return res ? 0 : -1;
1226 }
1227
1228
crypto_bignum_exptmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1229 int crypto_bignum_exptmod(const struct crypto_bignum *a,
1230 const struct crypto_bignum *b,
1231 const struct crypto_bignum *c,
1232 struct crypto_bignum *d)
1233 {
1234 int res;
1235 BN_CTX *bnctx;
1236
1237 if (TEST_FAIL())
1238 return -1;
1239
1240 bnctx = BN_CTX_new();
1241 if (bnctx == NULL)
1242 return -1;
1243 res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1244 (const BIGNUM *) c, bnctx);
1245 BN_CTX_free(bnctx);
1246
1247 return res ? 0 : -1;
1248 }
1249
1250
crypto_bignum_inverse(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1251 int crypto_bignum_inverse(const struct crypto_bignum *a,
1252 const struct crypto_bignum *b,
1253 struct crypto_bignum *c)
1254 {
1255 BIGNUM *res;
1256 BN_CTX *bnctx;
1257
1258 if (TEST_FAIL())
1259 return -1;
1260 bnctx = BN_CTX_new();
1261 if (bnctx == NULL)
1262 return -1;
1263 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
1264 (const BIGNUM *) b, bnctx);
1265 BN_CTX_free(bnctx);
1266
1267 return res ? 0 : -1;
1268 }
1269
1270
crypto_bignum_sub(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1271 int crypto_bignum_sub(const struct crypto_bignum *a,
1272 const struct crypto_bignum *b,
1273 struct crypto_bignum *c)
1274 {
1275 if (TEST_FAIL())
1276 return -1;
1277 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1278 0 : -1;
1279 }
1280
1281
crypto_bignum_div(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1282 int crypto_bignum_div(const struct crypto_bignum *a,
1283 const struct crypto_bignum *b,
1284 struct crypto_bignum *c)
1285 {
1286 int res;
1287
1288 BN_CTX *bnctx;
1289
1290 if (TEST_FAIL())
1291 return -1;
1292
1293 bnctx = BN_CTX_new();
1294 if (bnctx == NULL)
1295 return -1;
1296 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
1297 (const BIGNUM *) b, bnctx);
1298 BN_CTX_free(bnctx);
1299
1300 return res ? 0 : -1;
1301 }
1302
1303
crypto_bignum_mulmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1304 int crypto_bignum_mulmod(const struct crypto_bignum *a,
1305 const struct crypto_bignum *b,
1306 const struct crypto_bignum *c,
1307 struct crypto_bignum *d)
1308 {
1309 int res;
1310
1311 BN_CTX *bnctx;
1312
1313 if (TEST_FAIL())
1314 return -1;
1315
1316 bnctx = BN_CTX_new();
1317 if (bnctx == NULL)
1318 return -1;
1319 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1320 (const BIGNUM *) c, bnctx);
1321 BN_CTX_free(bnctx);
1322
1323 return res ? 0 : -1;
1324 }
1325
1326
crypto_bignum_cmp(const struct crypto_bignum * a,const struct crypto_bignum * b)1327 int crypto_bignum_cmp(const struct crypto_bignum *a,
1328 const struct crypto_bignum *b)
1329 {
1330 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
1331 }
1332
1333
crypto_bignum_bits(const struct crypto_bignum * a)1334 int crypto_bignum_bits(const struct crypto_bignum *a)
1335 {
1336 return BN_num_bits((const BIGNUM *) a);
1337 }
1338
1339
crypto_bignum_is_zero(const struct crypto_bignum * a)1340 int crypto_bignum_is_zero(const struct crypto_bignum *a)
1341 {
1342 return BN_is_zero((const BIGNUM *) a);
1343 }
1344
1345
crypto_bignum_is_one(const struct crypto_bignum * a)1346 int crypto_bignum_is_one(const struct crypto_bignum *a)
1347 {
1348 return BN_is_one((const BIGNUM *) a);
1349 }
1350
1351
crypto_bignum_legendre(const struct crypto_bignum * a,const struct crypto_bignum * p)1352 int crypto_bignum_legendre(const struct crypto_bignum *a,
1353 const struct crypto_bignum *p)
1354 {
1355 BN_CTX *bnctx;
1356 BIGNUM *exp = NULL, *tmp = NULL;
1357 int res = -2;
1358
1359 if (TEST_FAIL())
1360 return -2;
1361
1362 bnctx = BN_CTX_new();
1363 if (bnctx == NULL)
1364 return -2;
1365
1366 exp = BN_new();
1367 tmp = BN_new();
1368 if (!exp || !tmp ||
1369 /* exp = (p-1) / 2 */
1370 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
1371 !BN_rshift1(exp, exp) ||
1372 !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p,
1373 bnctx))
1374 goto fail;
1375
1376 if (BN_is_word(tmp, 1))
1377 res = 1;
1378 else if (BN_is_zero(tmp))
1379 res = 0;
1380 else
1381 res = -1;
1382
1383 fail:
1384 BN_clear_free(tmp);
1385 BN_clear_free(exp);
1386 BN_CTX_free(bnctx);
1387 return res;
1388 }
1389
1390
1391 #ifdef CONFIG_ECC
1392
1393 struct crypto_ec {
1394 EC_GROUP *group;
1395 int nid;
1396 BN_CTX *bnctx;
1397 BIGNUM *prime;
1398 BIGNUM *order;
1399 BIGNUM *a;
1400 BIGNUM *b;
1401 };
1402
crypto_ec_init(int group)1403 struct crypto_ec * crypto_ec_init(int group)
1404 {
1405 struct crypto_ec *e;
1406 int nid;
1407
1408 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */
1409 switch (group) {
1410 case 19:
1411 nid = NID_X9_62_prime256v1;
1412 break;
1413 case 20:
1414 nid = NID_secp384r1;
1415 break;
1416 case 21:
1417 nid = NID_secp521r1;
1418 break;
1419 case 25:
1420 nid = NID_X9_62_prime192v1;
1421 break;
1422 case 26:
1423 nid = NID_secp224r1;
1424 break;
1425 #ifdef NID_brainpoolP224r1
1426 case 27:
1427 nid = NID_brainpoolP224r1;
1428 break;
1429 #endif /* NID_brainpoolP224r1 */
1430 #ifdef NID_brainpoolP256r1
1431 case 28:
1432 nid = NID_brainpoolP256r1;
1433 break;
1434 #endif /* NID_brainpoolP256r1 */
1435 #ifdef NID_brainpoolP384r1
1436 case 29:
1437 nid = NID_brainpoolP384r1;
1438 break;
1439 #endif /* NID_brainpoolP384r1 */
1440 #ifdef NID_brainpoolP512r1
1441 case 30:
1442 nid = NID_brainpoolP512r1;
1443 break;
1444 #endif /* NID_brainpoolP512r1 */
1445 default:
1446 return NULL;
1447 }
1448
1449 e = os_zalloc(sizeof(*e));
1450 if (e == NULL)
1451 return NULL;
1452
1453 e->nid = nid;
1454 e->bnctx = BN_CTX_new();
1455 e->group = EC_GROUP_new_by_curve_name(nid);
1456 e->prime = BN_new();
1457 e->order = BN_new();
1458 e->a = BN_new();
1459 e->b = BN_new();
1460 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
1461 e->order == NULL || e->a == NULL || e->b == NULL ||
1462 !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) ||
1463 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
1464 crypto_ec_deinit(e);
1465 e = NULL;
1466 }
1467
1468 return e;
1469 }
1470
1471
crypto_ec_deinit(struct crypto_ec * e)1472 void crypto_ec_deinit(struct crypto_ec *e)
1473 {
1474 if (e == NULL)
1475 return;
1476 BN_clear_free(e->b);
1477 BN_clear_free(e->a);
1478 BN_clear_free(e->order);
1479 BN_clear_free(e->prime);
1480 EC_GROUP_free(e->group);
1481 BN_CTX_free(e->bnctx);
1482 os_free(e);
1483 }
1484
1485
crypto_ec_point_init(struct crypto_ec * e)1486 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
1487 {
1488 if (TEST_FAIL())
1489 return NULL;
1490 if (e == NULL)
1491 return NULL;
1492 return (struct crypto_ec_point *) EC_POINT_new(e->group);
1493 }
1494
1495
crypto_ec_prime_len(struct crypto_ec * e)1496 size_t crypto_ec_prime_len(struct crypto_ec *e)
1497 {
1498 return BN_num_bytes(e->prime);
1499 }
1500
1501
crypto_ec_prime_len_bits(struct crypto_ec * e)1502 size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
1503 {
1504 return BN_num_bits(e->prime);
1505 }
1506
1507
crypto_ec_get_prime(struct crypto_ec * e)1508 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
1509 {
1510 return (const struct crypto_bignum *) e->prime;
1511 }
1512
1513
crypto_ec_get_order(struct crypto_ec * e)1514 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
1515 {
1516 return (const struct crypto_bignum *) e->order;
1517 }
1518
1519
crypto_ec_point_deinit(struct crypto_ec_point * p,int clear)1520 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
1521 {
1522 if (clear)
1523 EC_POINT_clear_free((EC_POINT *) p);
1524 else
1525 EC_POINT_free((EC_POINT *) p);
1526 }
1527
1528
crypto_ec_point_to_bin(struct crypto_ec * e,const struct crypto_ec_point * point,u8 * x,u8 * y)1529 int crypto_ec_point_to_bin(struct crypto_ec *e,
1530 const struct crypto_ec_point *point, u8 *x, u8 *y)
1531 {
1532 BIGNUM *x_bn, *y_bn;
1533 int ret = -1;
1534 int len = BN_num_bytes(e->prime);
1535
1536 if (TEST_FAIL())
1537 return -1;
1538
1539 x_bn = BN_new();
1540 y_bn = BN_new();
1541
1542 if (x_bn && y_bn &&
1543 EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point,
1544 x_bn, y_bn, e->bnctx)) {
1545 if (x) {
1546 crypto_bignum_to_bin((struct crypto_bignum *) x_bn,
1547 x, len, len);
1548 }
1549 if (y) {
1550 crypto_bignum_to_bin((struct crypto_bignum *) y_bn,
1551 y, len, len);
1552 }
1553 ret = 0;
1554 }
1555
1556 BN_clear_free(x_bn);
1557 BN_clear_free(y_bn);
1558 return ret;
1559 }
1560
1561
crypto_ec_point_from_bin(struct crypto_ec * e,const u8 * val)1562 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
1563 const u8 *val)
1564 {
1565 BIGNUM *x, *y;
1566 EC_POINT *elem;
1567 int len = BN_num_bytes(e->prime);
1568
1569 if (TEST_FAIL())
1570 return NULL;
1571
1572 x = BN_bin2bn(val, len, NULL);
1573 y = BN_bin2bn(val + len, len, NULL);
1574 elem = EC_POINT_new(e->group);
1575 if (x == NULL || y == NULL || elem == NULL) {
1576 BN_clear_free(x);
1577 BN_clear_free(y);
1578 EC_POINT_clear_free(elem);
1579 return NULL;
1580 }
1581
1582 if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y,
1583 e->bnctx)) {
1584 EC_POINT_clear_free(elem);
1585 elem = NULL;
1586 }
1587
1588 BN_clear_free(x);
1589 BN_clear_free(y);
1590
1591 return (struct crypto_ec_point *) elem;
1592 }
1593
1594
crypto_ec_point_add(struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b,struct crypto_ec_point * c)1595 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
1596 const struct crypto_ec_point *b,
1597 struct crypto_ec_point *c)
1598 {
1599 if (TEST_FAIL())
1600 return -1;
1601 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
1602 (const EC_POINT *) b, e->bnctx) ? 0 : -1;
1603 }
1604
1605
crypto_ec_point_mul(struct crypto_ec * e,const struct crypto_ec_point * p,const struct crypto_bignum * b,struct crypto_ec_point * res)1606 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
1607 const struct crypto_bignum *b,
1608 struct crypto_ec_point *res)
1609 {
1610 if (TEST_FAIL())
1611 return -1;
1612 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
1613 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
1614 ? 0 : -1;
1615 }
1616
1617
crypto_ec_point_invert(struct crypto_ec * e,struct crypto_ec_point * p)1618 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
1619 {
1620 if (TEST_FAIL())
1621 return -1;
1622 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
1623 }
1624
1625
crypto_ec_point_solve_y_coord(struct crypto_ec * e,struct crypto_ec_point * p,const struct crypto_bignum * x,int y_bit)1626 int crypto_ec_point_solve_y_coord(struct crypto_ec *e,
1627 struct crypto_ec_point *p,
1628 const struct crypto_bignum *x, int y_bit)
1629 {
1630 if (TEST_FAIL())
1631 return -1;
1632 if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p,
1633 (const BIGNUM *) x, y_bit,
1634 e->bnctx) ||
1635 !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx))
1636 return -1;
1637 return 0;
1638 }
1639
1640
1641 struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec * e,const struct crypto_bignum * x)1642 crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
1643 const struct crypto_bignum *x)
1644 {
1645 BIGNUM *tmp, *tmp2, *y_sqr = NULL;
1646
1647 if (TEST_FAIL())
1648 return NULL;
1649
1650 tmp = BN_new();
1651 tmp2 = BN_new();
1652
1653 /* y^2 = x^3 + ax + b */
1654 if (tmp && tmp2 &&
1655 BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1656 BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1657 BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) &&
1658 BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) &&
1659 BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) {
1660 y_sqr = tmp2;
1661 tmp2 = NULL;
1662 }
1663
1664 BN_clear_free(tmp);
1665 BN_clear_free(tmp2);
1666
1667 return (struct crypto_bignum *) y_sqr;
1668 }
1669
1670
crypto_ec_point_is_at_infinity(struct crypto_ec * e,const struct crypto_ec_point * p)1671 int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
1672 const struct crypto_ec_point *p)
1673 {
1674 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
1675 }
1676
1677
crypto_ec_point_is_on_curve(struct crypto_ec * e,const struct crypto_ec_point * p)1678 int crypto_ec_point_is_on_curve(struct crypto_ec *e,
1679 const struct crypto_ec_point *p)
1680 {
1681 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
1682 e->bnctx) == 1;
1683 }
1684
1685
crypto_ec_point_cmp(const struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b)1686 int crypto_ec_point_cmp(const struct crypto_ec *e,
1687 const struct crypto_ec_point *a,
1688 const struct crypto_ec_point *b)
1689 {
1690 return EC_POINT_cmp(e->group, (const EC_POINT *) a,
1691 (const EC_POINT *) b, e->bnctx);
1692 }
1693
1694
1695 struct crypto_ecdh {
1696 struct crypto_ec *ec;
1697 EVP_PKEY *pkey;
1698 };
1699
crypto_ecdh_init(int group)1700 struct crypto_ecdh * crypto_ecdh_init(int group)
1701 {
1702 struct crypto_ecdh *ecdh;
1703 EVP_PKEY *params = NULL;
1704 EVP_PKEY_CTX *pctx = NULL;
1705 EVP_PKEY_CTX *kctx = NULL;
1706
1707 ecdh = os_zalloc(sizeof(*ecdh));
1708 if (!ecdh)
1709 goto fail;
1710
1711 ecdh->ec = crypto_ec_init(group);
1712 if (!ecdh->ec)
1713 goto fail;
1714
1715 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
1716 if (!pctx)
1717 goto fail;
1718
1719 if (EVP_PKEY_paramgen_init(pctx) != 1) {
1720 wpa_printf(MSG_ERROR,
1721 "OpenSSL: EVP_PKEY_paramgen_init failed: %s",
1722 ERR_error_string(ERR_get_error(), NULL));
1723 goto fail;
1724 }
1725
1726 if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ecdh->ec->nid) != 1) {
1727 wpa_printf(MSG_ERROR,
1728 "OpenSSL: EVP_PKEY_CTX_set_ec_paramgen_curve_nid failed: %s",
1729 ERR_error_string(ERR_get_error(), NULL));
1730 goto fail;
1731 }
1732
1733 if (EVP_PKEY_paramgen(pctx, ¶ms) != 1) {
1734 wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_paramgen failed: %s",
1735 ERR_error_string(ERR_get_error(), NULL));
1736 goto fail;
1737 }
1738
1739 kctx = EVP_PKEY_CTX_new(params, NULL);
1740 if (!kctx)
1741 goto fail;
1742
1743 if (EVP_PKEY_keygen_init(kctx) != 1) {
1744 wpa_printf(MSG_ERROR,
1745 "OpenSSL: EVP_PKEY_keygen_init failed: %s",
1746 ERR_error_string(ERR_get_error(), NULL));
1747 goto fail;
1748 }
1749
1750 if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) {
1751 wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s",
1752 ERR_error_string(ERR_get_error(), NULL));
1753 goto fail;
1754 }
1755
1756 done:
1757 EVP_PKEY_free(params);
1758 EVP_PKEY_CTX_free(pctx);
1759 EVP_PKEY_CTX_free(kctx);
1760
1761 return ecdh;
1762 fail:
1763 crypto_ecdh_deinit(ecdh);
1764 ecdh = NULL;
1765 goto done;
1766 }
1767
1768
crypto_ecdh_get_pubkey(struct crypto_ecdh * ecdh,int inc_y)1769 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y)
1770 {
1771 struct wpabuf *buf = NULL;
1772 EC_KEY *eckey;
1773 const EC_POINT *pubkey;
1774 BIGNUM *x, *y = NULL;
1775 int len = BN_num_bytes(ecdh->ec->prime);
1776 int res;
1777
1778 eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey);
1779 if (!eckey)
1780 return NULL;
1781
1782 pubkey = EC_KEY_get0_public_key(eckey);
1783 if (!pubkey)
1784 return NULL;
1785
1786 x = BN_new();
1787 if (inc_y) {
1788 y = BN_new();
1789 if (!y)
1790 goto fail;
1791 }
1792 buf = wpabuf_alloc(inc_y ? 2 * len : len);
1793 if (!x || !buf)
1794 goto fail;
1795
1796 if (EC_POINT_get_affine_coordinates_GFp(ecdh->ec->group, pubkey,
1797 x, y, ecdh->ec->bnctx) != 1) {
1798 wpa_printf(MSG_ERROR,
1799 "OpenSSL: EC_POINT_get_affine_coordinates_GFp failed: %s",
1800 ERR_error_string(ERR_get_error(), NULL));
1801 goto fail;
1802 }
1803
1804 res = crypto_bignum_to_bin((struct crypto_bignum *) x,
1805 wpabuf_put(buf, len), len, len);
1806 if (res < 0)
1807 goto fail;
1808
1809 if (inc_y) {
1810 res = crypto_bignum_to_bin((struct crypto_bignum *) y,
1811 wpabuf_put(buf, len), len, len);
1812 if (res < 0)
1813 goto fail;
1814 }
1815
1816 done:
1817 BN_clear_free(x);
1818 BN_clear_free(y);
1819 EC_KEY_free(eckey);
1820
1821 return buf;
1822 fail:
1823 wpabuf_free(buf);
1824 buf = NULL;
1825 goto done;
1826 }
1827
1828
crypto_ecdh_set_peerkey(struct crypto_ecdh * ecdh,int inc_y,const u8 * key,size_t len)1829 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
1830 const u8 *key, size_t len)
1831 {
1832 BIGNUM *x, *y = NULL;
1833 EVP_PKEY_CTX *ctx = NULL;
1834 EVP_PKEY *peerkey = NULL;
1835 struct wpabuf *secret = NULL;
1836 size_t secret_len;
1837 EC_POINT *pub;
1838 EC_KEY *eckey = NULL;
1839
1840 x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL);
1841 pub = EC_POINT_new(ecdh->ec->group);
1842 if (!x || !pub)
1843 goto fail;
1844
1845 if (inc_y) {
1846 y = BN_bin2bn(key + len / 2, len / 2, NULL);
1847 if (!y)
1848 goto fail;
1849 if (!EC_POINT_set_affine_coordinates_GFp(ecdh->ec->group, pub,
1850 x, y,
1851 ecdh->ec->bnctx)) {
1852 wpa_printf(MSG_ERROR,
1853 "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
1854 ERR_error_string(ERR_get_error(), NULL));
1855 goto fail;
1856 }
1857 } else if (!EC_POINT_set_compressed_coordinates_GFp(ecdh->ec->group,
1858 pub, x, 0,
1859 ecdh->ec->bnctx)) {
1860 wpa_printf(MSG_ERROR,
1861 "OpenSSL: EC_POINT_set_compressed_coordinates_GFp failed: %s",
1862 ERR_error_string(ERR_get_error(), NULL));
1863 goto fail;
1864 }
1865
1866 if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) {
1867 wpa_printf(MSG_ERROR,
1868 "OpenSSL: ECDH peer public key is not on curve");
1869 goto fail;
1870 }
1871
1872 eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid);
1873 if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) {
1874 wpa_printf(MSG_ERROR,
1875 "OpenSSL: EC_KEY_set_public_key failed: %s",
1876 ERR_error_string(ERR_get_error(), NULL));
1877 goto fail;
1878 }
1879
1880 peerkey = EVP_PKEY_new();
1881 if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1)
1882 goto fail;
1883
1884 ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
1885 if (!ctx || EVP_PKEY_derive_init(ctx) != 1 ||
1886 EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
1887 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) {
1888 wpa_printf(MSG_ERROR,
1889 "OpenSSL: EVP_PKEY_derive(1) failed: %s",
1890 ERR_error_string(ERR_get_error(), NULL));
1891 goto fail;
1892 }
1893
1894 secret = wpabuf_alloc(secret_len);
1895 if (!secret)
1896 goto fail;
1897 if (EVP_PKEY_derive(ctx, wpabuf_put(secret, secret_len),
1898 &secret_len) != 1) {
1899 wpa_printf(MSG_ERROR,
1900 "OpenSSL: EVP_PKEY_derive(2) failed: %s",
1901 ERR_error_string(ERR_get_error(), NULL));
1902 goto fail;
1903 }
1904
1905 done:
1906 BN_free(x);
1907 BN_free(y);
1908 EC_KEY_free(eckey);
1909 EC_POINT_free(pub);
1910 EVP_PKEY_CTX_free(ctx);
1911 EVP_PKEY_free(peerkey);
1912 return secret;
1913 fail:
1914 wpabuf_free(secret);
1915 secret = NULL;
1916 goto done;
1917 }
1918
1919
crypto_ecdh_deinit(struct crypto_ecdh * ecdh)1920 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
1921 {
1922 if (ecdh) {
1923 crypto_ec_deinit(ecdh->ec);
1924 EVP_PKEY_free(ecdh->pkey);
1925 os_free(ecdh);
1926 }
1927 }
1928
1929 #endif /* CONFIG_ECC */
1930