1 /* 2 * Wrapper functions for OpenSSL libcrypto 3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <openssl/opensslv.h> 11 #include <openssl/err.h> 12 #include <openssl/des.h> 13 #include <openssl/aes.h> 14 #include <openssl/bn.h> 15 #include <openssl/evp.h> 16 #include <openssl/dh.h> 17 #include <openssl/hmac.h> 18 #include <openssl/rand.h> 19 #ifdef CONFIG_OPENSSL_CMAC 20 #include <openssl/cmac.h> 21 #endif /* CONFIG_OPENSSL_CMAC */ 22 #ifdef CONFIG_ECC 23 #include <openssl/ec.h> 24 #endif /* CONFIG_ECC */ 25 26 #include "common.h" 27 #include "wpabuf.h" 28 #include "dh_group5.h" 29 #include "sha1.h" 30 #include "sha256.h" 31 #include "sha384.h" 32 #include "sha512.h" 33 #include "md5.h" 34 #include "aes_wrap.h" 35 #include "crypto.h" 36 37 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ 38 (defined(LIBRESSL_VERSION_NUMBER) && \ 39 LIBRESSL_VERSION_NUMBER < 0x20700000L) 40 /* Compatibility wrappers for older versions. */ 41 42 static HMAC_CTX * HMAC_CTX_new(void) 43 { 44 HMAC_CTX *ctx; 45 46 ctx = os_zalloc(sizeof(*ctx)); 47 if (ctx) 48 HMAC_CTX_init(ctx); 49 return ctx; 50 } 51 52 53 static void HMAC_CTX_free(HMAC_CTX *ctx) 54 { 55 if (!ctx) 56 return; 57 HMAC_CTX_cleanup(ctx); 58 bin_clear_free(ctx, sizeof(*ctx)); 59 } 60 61 62 static EVP_MD_CTX * EVP_MD_CTX_new(void) 63 { 64 EVP_MD_CTX *ctx; 65 66 ctx = os_zalloc(sizeof(*ctx)); 67 if (ctx) 68 EVP_MD_CTX_init(ctx); 69 return ctx; 70 } 71 72 73 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) 74 { 75 if (!ctx) 76 return; 77 EVP_MD_CTX_cleanup(ctx); 78 bin_clear_free(ctx, sizeof(*ctx)); 79 } 80 81 #endif /* OpenSSL version < 1.1.0 */ 82 83 static BIGNUM * get_group5_prime(void) 84 { 85 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ 86 !(defined(LIBRESSL_VERSION_NUMBER) && \ 87 LIBRESSL_VERSION_NUMBER < 0x20700000L) 88 return BN_get_rfc3526_prime_1536(NULL); 89 #elif !defined(OPENSSL_IS_BORINGSSL) 90 return get_rfc3526_prime_1536(NULL); 91 #else 92 static const unsigned char RFC3526_PRIME_1536[] = { 93 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, 94 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, 95 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, 96 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, 97 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, 98 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, 99 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, 100 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, 101 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, 102 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, 103 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, 104 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, 105 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, 106 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, 107 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, 108 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 109 }; 110 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL); 111 #endif 112 } 113 114 #ifdef OPENSSL_NO_SHA256 115 #define NO_SHA256_WRAPPER 116 #endif 117 #ifdef OPENSSL_NO_SHA512 118 #define NO_SHA384_WRAPPER 119 #endif 120 121 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem, 122 const u8 *addr[], const size_t *len, u8 *mac) 123 { 124 EVP_MD_CTX *ctx; 125 size_t i; 126 unsigned int mac_len; 127 128 if (TEST_FAIL()) 129 return -1; 130 131 ctx = EVP_MD_CTX_new(); 132 if (!ctx) 133 return -1; 134 if (!EVP_DigestInit_ex(ctx, type, NULL)) { 135 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s", 136 ERR_error_string(ERR_get_error(), NULL)); 137 EVP_MD_CTX_free(ctx); 138 return -1; 139 } 140 for (i = 0; i < num_elem; i++) { 141 if (!EVP_DigestUpdate(ctx, addr[i], len[i])) { 142 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate " 143 "failed: %s", 144 ERR_error_string(ERR_get_error(), NULL)); 145 EVP_MD_CTX_free(ctx); 146 return -1; 147 } 148 } 149 if (!EVP_DigestFinal(ctx, mac, &mac_len)) { 150 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s", 151 ERR_error_string(ERR_get_error(), NULL)); 152 EVP_MD_CTX_free(ctx); 153 return -1; 154 } 155 EVP_MD_CTX_free(ctx); 156 157 return 0; 158 } 159 160 161 #ifndef CONFIG_FIPS 162 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 163 { 164 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac); 165 } 166 #endif /* CONFIG_FIPS */ 167 168 169 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) 170 { 171 u8 pkey[8], next, tmp; 172 int i; 173 DES_key_schedule ks; 174 175 /* Add parity bits to the key */ 176 next = 0; 177 for (i = 0; i < 7; i++) { 178 tmp = key[i]; 179 pkey[i] = (tmp >> i) | next | 1; 180 next = tmp << (7 - i); 181 } 182 pkey[i] = next | 1; 183 184 DES_set_key((DES_cblock *) &pkey, &ks); 185 DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks, 186 DES_ENCRYPT); 187 return 0; 188 } 189 190 191 #ifndef CONFIG_NO_RC4 192 int rc4_skip(const u8 *key, size_t keylen, size_t skip, 193 u8 *data, size_t data_len) 194 { 195 #ifdef OPENSSL_NO_RC4 196 return -1; 197 #else /* OPENSSL_NO_RC4 */ 198 EVP_CIPHER_CTX *ctx; 199 int outl; 200 int res = -1; 201 unsigned char skip_buf[16]; 202 203 ctx = EVP_CIPHER_CTX_new(); 204 if (!ctx || 205 !EVP_CIPHER_CTX_set_padding(ctx, 0) || 206 !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) || 207 !EVP_CIPHER_CTX_set_key_length(ctx, keylen) || 208 !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1)) 209 goto out; 210 211 while (skip >= sizeof(skip_buf)) { 212 size_t len = skip; 213 if (len > sizeof(skip_buf)) 214 len = sizeof(skip_buf); 215 if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len)) 216 goto out; 217 skip -= len; 218 } 219 220 if (EVP_CipherUpdate(ctx, data, &outl, data, data_len)) 221 res = 0; 222 223 out: 224 if (ctx) 225 EVP_CIPHER_CTX_free(ctx); 226 return res; 227 #endif /* OPENSSL_NO_RC4 */ 228 } 229 #endif /* CONFIG_NO_RC4 */ 230 231 232 #ifndef CONFIG_FIPS 233 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 234 { 235 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac); 236 } 237 #endif /* CONFIG_FIPS */ 238 239 240 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 241 { 242 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac); 243 } 244 245 246 #ifndef NO_SHA256_WRAPPER 247 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, 248 u8 *mac) 249 { 250 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac); 251 } 252 #endif /* NO_SHA256_WRAPPER */ 253 254 255 #ifndef NO_SHA384_WRAPPER 256 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len, 257 u8 *mac) 258 { 259 return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac); 260 } 261 #endif /* NO_SHA384_WRAPPER */ 262 263 264 #ifndef NO_SHA512_WRAPPER 265 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len, 266 u8 *mac) 267 { 268 return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac); 269 } 270 #endif /* NO_SHA512_WRAPPER */ 271 272 273 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen) 274 { 275 switch (keylen) { 276 case 16: 277 return EVP_aes_128_ecb(); 278 case 24: 279 return EVP_aes_192_ecb(); 280 case 32: 281 return EVP_aes_256_ecb(); 282 } 283 284 return NULL; 285 } 286 287 288 void * aes_encrypt_init(const u8 *key, size_t len) 289 { 290 EVP_CIPHER_CTX *ctx; 291 const EVP_CIPHER *type; 292 293 if (TEST_FAIL()) 294 return NULL; 295 296 type = aes_get_evp_cipher(len); 297 if (!type) { 298 wpa_printf(MSG_INFO, "%s: Unsupported len=%u", 299 __func__, (unsigned int) len); 300 return NULL; 301 } 302 303 ctx = EVP_CIPHER_CTX_new(); 304 if (ctx == NULL) 305 return NULL; 306 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 307 os_free(ctx); 308 return NULL; 309 } 310 EVP_CIPHER_CTX_set_padding(ctx, 0); 311 return ctx; 312 } 313 314 315 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) 316 { 317 EVP_CIPHER_CTX *c = ctx; 318 int clen = 16; 319 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) { 320 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s", 321 ERR_error_string(ERR_get_error(), NULL)); 322 return -1; 323 } 324 return 0; 325 } 326 327 328 void aes_encrypt_deinit(void *ctx) 329 { 330 EVP_CIPHER_CTX *c = ctx; 331 u8 buf[16]; 332 int len = sizeof(buf); 333 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) { 334 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: " 335 "%s", ERR_error_string(ERR_get_error(), NULL)); 336 } 337 if (len != 0) { 338 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 339 "in AES encrypt", len); 340 } 341 EVP_CIPHER_CTX_free(c); 342 } 343 344 345 void * aes_decrypt_init(const u8 *key, size_t len) 346 { 347 EVP_CIPHER_CTX *ctx; 348 const EVP_CIPHER *type; 349 350 if (TEST_FAIL()) 351 return NULL; 352 353 type = aes_get_evp_cipher(len); 354 if (!type) { 355 wpa_printf(MSG_INFO, "%s: Unsupported len=%u", 356 __func__, (unsigned int) len); 357 return NULL; 358 } 359 360 ctx = EVP_CIPHER_CTX_new(); 361 if (ctx == NULL) 362 return NULL; 363 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 364 EVP_CIPHER_CTX_free(ctx); 365 return NULL; 366 } 367 EVP_CIPHER_CTX_set_padding(ctx, 0); 368 return ctx; 369 } 370 371 372 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) 373 { 374 EVP_CIPHER_CTX *c = ctx; 375 int plen = 16; 376 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) { 377 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s", 378 ERR_error_string(ERR_get_error(), NULL)); 379 return -1; 380 } 381 return 0; 382 } 383 384 385 void aes_decrypt_deinit(void *ctx) 386 { 387 EVP_CIPHER_CTX *c = ctx; 388 u8 buf[16]; 389 int len = sizeof(buf); 390 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) { 391 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: " 392 "%s", ERR_error_string(ERR_get_error(), NULL)); 393 } 394 if (len != 0) { 395 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 396 "in AES decrypt", len); 397 } 398 EVP_CIPHER_CTX_free(c); 399 } 400 401 402 #ifndef CONFIG_FIPS 403 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP 404 405 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) 406 { 407 AES_KEY actx; 408 int res; 409 410 if (TEST_FAIL()) 411 return -1; 412 if (AES_set_encrypt_key(kek, kek_len << 3, &actx)) 413 return -1; 414 res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8); 415 OPENSSL_cleanse(&actx, sizeof(actx)); 416 return res <= 0 ? -1 : 0; 417 } 418 419 420 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, 421 u8 *plain) 422 { 423 AES_KEY actx; 424 int res; 425 426 if (TEST_FAIL()) 427 return -1; 428 if (AES_set_decrypt_key(kek, kek_len << 3, &actx)) 429 return -1; 430 res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8); 431 OPENSSL_cleanse(&actx, sizeof(actx)); 432 return res <= 0 ? -1 : 0; 433 } 434 435 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */ 436 #endif /* CONFIG_FIPS */ 437 438 439 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 440 { 441 EVP_CIPHER_CTX *ctx; 442 int clen, len; 443 u8 buf[16]; 444 int res = -1; 445 446 if (TEST_FAIL()) 447 return -1; 448 449 ctx = EVP_CIPHER_CTX_new(); 450 if (!ctx) 451 return -1; 452 clen = data_len; 453 len = sizeof(buf); 454 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 && 455 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && 456 EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 && 457 clen == (int) data_len && 458 EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0) 459 res = 0; 460 EVP_CIPHER_CTX_free(ctx); 461 462 return res; 463 } 464 465 466 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 467 { 468 EVP_CIPHER_CTX *ctx; 469 int plen, len; 470 u8 buf[16]; 471 int res = -1; 472 473 if (TEST_FAIL()) 474 return -1; 475 476 ctx = EVP_CIPHER_CTX_new(); 477 if (!ctx) 478 return -1; 479 plen = data_len; 480 len = sizeof(buf); 481 if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 && 482 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && 483 EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 && 484 plen == (int) data_len && 485 EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0) 486 res = 0; 487 EVP_CIPHER_CTX_free(ctx); 488 489 return res; 490 491 } 492 493 494 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey, 495 u8 *pubkey) 496 { 497 size_t pubkey_len, pad; 498 499 if (os_get_random(privkey, prime_len) < 0) 500 return -1; 501 if (os_memcmp(privkey, prime, prime_len) > 0) { 502 /* Make sure private value is smaller than prime */ 503 privkey[0] = 0; 504 } 505 506 pubkey_len = prime_len; 507 if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len, 508 pubkey, &pubkey_len) < 0) 509 return -1; 510 if (pubkey_len < prime_len) { 511 pad = prime_len - pubkey_len; 512 os_memmove(pubkey + pad, pubkey, pubkey_len); 513 os_memset(pubkey, 0, pad); 514 } 515 516 return 0; 517 } 518 519 520 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len, 521 const u8 *privkey, size_t privkey_len, 522 const u8 *pubkey, size_t pubkey_len, 523 u8 *secret, size_t *len) 524 { 525 return crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len, 526 prime, prime_len, secret, len); 527 } 528 529 530 int crypto_mod_exp(const u8 *base, size_t base_len, 531 const u8 *power, size_t power_len, 532 const u8 *modulus, size_t modulus_len, 533 u8 *result, size_t *result_len) 534 { 535 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result; 536 int ret = -1; 537 BN_CTX *ctx; 538 539 ctx = BN_CTX_new(); 540 if (ctx == NULL) 541 return -1; 542 543 bn_base = BN_bin2bn(base, base_len, NULL); 544 bn_exp = BN_bin2bn(power, power_len, NULL); 545 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL); 546 bn_result = BN_new(); 547 548 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL || 549 bn_result == NULL) 550 goto error; 551 552 if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1) 553 goto error; 554 555 *result_len = BN_bn2bin(bn_result, result); 556 ret = 0; 557 558 error: 559 BN_clear_free(bn_base); 560 BN_clear_free(bn_exp); 561 BN_clear_free(bn_modulus); 562 BN_clear_free(bn_result); 563 BN_CTX_free(ctx); 564 return ret; 565 } 566 567 568 struct crypto_cipher { 569 EVP_CIPHER_CTX *enc; 570 EVP_CIPHER_CTX *dec; 571 }; 572 573 574 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, 575 const u8 *iv, const u8 *key, 576 size_t key_len) 577 { 578 struct crypto_cipher *ctx; 579 const EVP_CIPHER *cipher; 580 581 ctx = os_zalloc(sizeof(*ctx)); 582 if (ctx == NULL) 583 return NULL; 584 585 switch (alg) { 586 #ifndef CONFIG_NO_RC4 587 #ifndef OPENSSL_NO_RC4 588 case CRYPTO_CIPHER_ALG_RC4: 589 cipher = EVP_rc4(); 590 break; 591 #endif /* OPENSSL_NO_RC4 */ 592 #endif /* CONFIG_NO_RC4 */ 593 #ifndef OPENSSL_NO_AES 594 case CRYPTO_CIPHER_ALG_AES: 595 switch (key_len) { 596 case 16: 597 cipher = EVP_aes_128_cbc(); 598 break; 599 #ifndef OPENSSL_IS_BORINGSSL 600 case 24: 601 cipher = EVP_aes_192_cbc(); 602 break; 603 #endif /* OPENSSL_IS_BORINGSSL */ 604 case 32: 605 cipher = EVP_aes_256_cbc(); 606 break; 607 default: 608 os_free(ctx); 609 return NULL; 610 } 611 break; 612 #endif /* OPENSSL_NO_AES */ 613 #ifndef OPENSSL_NO_DES 614 case CRYPTO_CIPHER_ALG_3DES: 615 cipher = EVP_des_ede3_cbc(); 616 break; 617 case CRYPTO_CIPHER_ALG_DES: 618 cipher = EVP_des_cbc(); 619 break; 620 #endif /* OPENSSL_NO_DES */ 621 #ifndef OPENSSL_NO_RC2 622 case CRYPTO_CIPHER_ALG_RC2: 623 cipher = EVP_rc2_ecb(); 624 break; 625 #endif /* OPENSSL_NO_RC2 */ 626 default: 627 os_free(ctx); 628 return NULL; 629 } 630 631 if (!(ctx->enc = EVP_CIPHER_CTX_new()) || 632 !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) || 633 !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) || 634 !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) || 635 !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) { 636 if (ctx->enc) 637 EVP_CIPHER_CTX_free(ctx->enc); 638 os_free(ctx); 639 return NULL; 640 } 641 642 if (!(ctx->dec = EVP_CIPHER_CTX_new()) || 643 !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) || 644 !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) || 645 !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) || 646 !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) { 647 EVP_CIPHER_CTX_free(ctx->enc); 648 if (ctx->dec) 649 EVP_CIPHER_CTX_free(ctx->dec); 650 os_free(ctx); 651 return NULL; 652 } 653 654 return ctx; 655 } 656 657 658 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain, 659 u8 *crypt, size_t len) 660 { 661 int outl; 662 if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len)) 663 return -1; 664 return 0; 665 } 666 667 668 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt, 669 u8 *plain, size_t len) 670 { 671 int outl; 672 outl = len; 673 if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len)) 674 return -1; 675 return 0; 676 } 677 678 679 void crypto_cipher_deinit(struct crypto_cipher *ctx) 680 { 681 EVP_CIPHER_CTX_free(ctx->enc); 682 EVP_CIPHER_CTX_free(ctx->dec); 683 os_free(ctx); 684 } 685 686 687 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) 688 { 689 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ 690 (defined(LIBRESSL_VERSION_NUMBER) && \ 691 LIBRESSL_VERSION_NUMBER < 0x20700000L) 692 DH *dh; 693 struct wpabuf *pubkey = NULL, *privkey = NULL; 694 size_t publen, privlen; 695 696 *priv = NULL; 697 wpabuf_free(*publ); 698 *publ = NULL; 699 700 dh = DH_new(); 701 if (dh == NULL) 702 return NULL; 703 704 dh->g = BN_new(); 705 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 706 goto err; 707 708 dh->p = get_group5_prime(); 709 if (dh->p == NULL) 710 goto err; 711 712 if (DH_generate_key(dh) != 1) 713 goto err; 714 715 publen = BN_num_bytes(dh->pub_key); 716 pubkey = wpabuf_alloc(publen); 717 if (pubkey == NULL) 718 goto err; 719 privlen = BN_num_bytes(dh->priv_key); 720 privkey = wpabuf_alloc(privlen); 721 if (privkey == NULL) 722 goto err; 723 724 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen)); 725 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen)); 726 727 *priv = privkey; 728 *publ = pubkey; 729 return dh; 730 731 err: 732 wpabuf_clear_free(pubkey); 733 wpabuf_clear_free(privkey); 734 DH_free(dh); 735 return NULL; 736 #else 737 DH *dh; 738 struct wpabuf *pubkey = NULL, *privkey = NULL; 739 size_t publen, privlen; 740 BIGNUM *p = NULL, *g; 741 const BIGNUM *priv_key = NULL, *pub_key = NULL; 742 743 *priv = NULL; 744 wpabuf_free(*publ); 745 *publ = NULL; 746 747 dh = DH_new(); 748 if (dh == NULL) 749 return NULL; 750 751 g = BN_new(); 752 p = get_group5_prime(); 753 if (!g || BN_set_word(g, 2) != 1 || !p || 754 DH_set0_pqg(dh, p, NULL, g) != 1) 755 goto err; 756 p = NULL; 757 g = NULL; 758 759 if (DH_generate_key(dh) != 1) 760 goto err; 761 762 DH_get0_key(dh, &pub_key, &priv_key); 763 publen = BN_num_bytes(pub_key); 764 pubkey = wpabuf_alloc(publen); 765 if (!pubkey) 766 goto err; 767 privlen = BN_num_bytes(priv_key); 768 privkey = wpabuf_alloc(privlen); 769 if (!privkey) 770 goto err; 771 772 BN_bn2bin(pub_key, wpabuf_put(pubkey, publen)); 773 BN_bn2bin(priv_key, wpabuf_put(privkey, privlen)); 774 775 *priv = privkey; 776 *publ = pubkey; 777 return dh; 778 779 err: 780 BN_free(p); 781 BN_free(g); 782 wpabuf_clear_free(pubkey); 783 wpabuf_clear_free(privkey); 784 DH_free(dh); 785 return NULL; 786 #endif 787 } 788 789 790 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) 791 { 792 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ 793 (defined(LIBRESSL_VERSION_NUMBER) && \ 794 LIBRESSL_VERSION_NUMBER < 0x20700000L) 795 DH *dh; 796 797 dh = DH_new(); 798 if (dh == NULL) 799 return NULL; 800 801 dh->g = BN_new(); 802 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 803 goto err; 804 805 dh->p = get_group5_prime(); 806 if (dh->p == NULL) 807 goto err; 808 809 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL); 810 if (dh->priv_key == NULL) 811 goto err; 812 813 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL); 814 if (dh->pub_key == NULL) 815 goto err; 816 817 if (DH_generate_key(dh) != 1) 818 goto err; 819 820 return dh; 821 822 err: 823 DH_free(dh); 824 return NULL; 825 #else 826 DH *dh; 827 BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL; 828 829 dh = DH_new(); 830 if (dh == NULL) 831 return NULL; 832 833 g = BN_new(); 834 p = get_group5_prime(); 835 if (!g || BN_set_word(g, 2) != 1 || !p || 836 DH_set0_pqg(dh, p, NULL, g) != 1) 837 goto err; 838 p = NULL; 839 g = NULL; 840 841 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL); 842 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL); 843 if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1) 844 goto err; 845 pub_key = NULL; 846 priv_key = NULL; 847 848 if (DH_generate_key(dh) != 1) 849 goto err; 850 851 return dh; 852 853 err: 854 BN_free(p); 855 BN_free(g); 856 BN_free(pub_key); 857 BN_clear_free(priv_key); 858 DH_free(dh); 859 return NULL; 860 #endif 861 } 862 863 864 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public, 865 const struct wpabuf *own_private) 866 { 867 BIGNUM *pub_key; 868 struct wpabuf *res = NULL; 869 size_t rlen; 870 DH *dh = ctx; 871 int keylen; 872 873 if (ctx == NULL) 874 return NULL; 875 876 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public), 877 NULL); 878 if (pub_key == NULL) 879 return NULL; 880 881 rlen = DH_size(dh); 882 res = wpabuf_alloc(rlen); 883 if (res == NULL) 884 goto err; 885 886 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh); 887 if (keylen < 0) 888 goto err; 889 wpabuf_put(res, keylen); 890 BN_clear_free(pub_key); 891 892 return res; 893 894 err: 895 BN_clear_free(pub_key); 896 wpabuf_clear_free(res); 897 return NULL; 898 } 899 900 901 void dh5_free(void *ctx) 902 { 903 DH *dh; 904 if (ctx == NULL) 905 return; 906 dh = ctx; 907 DH_free(dh); 908 } 909 910 911 struct crypto_hash { 912 HMAC_CTX *ctx; 913 }; 914 915 916 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key, 917 size_t key_len) 918 { 919 struct crypto_hash *ctx; 920 const EVP_MD *md; 921 922 switch (alg) { 923 #ifndef OPENSSL_NO_MD5 924 case CRYPTO_HASH_ALG_HMAC_MD5: 925 md = EVP_md5(); 926 break; 927 #endif /* OPENSSL_NO_MD5 */ 928 #ifndef OPENSSL_NO_SHA 929 case CRYPTO_HASH_ALG_HMAC_SHA1: 930 md = EVP_sha1(); 931 break; 932 #endif /* OPENSSL_NO_SHA */ 933 #ifndef OPENSSL_NO_SHA256 934 #ifdef CONFIG_SHA256 935 case CRYPTO_HASH_ALG_HMAC_SHA256: 936 md = EVP_sha256(); 937 break; 938 #endif /* CONFIG_SHA256 */ 939 #endif /* OPENSSL_NO_SHA256 */ 940 default: 941 return NULL; 942 } 943 944 ctx = os_zalloc(sizeof(*ctx)); 945 if (ctx == NULL) 946 return NULL; 947 ctx->ctx = HMAC_CTX_new(); 948 if (!ctx->ctx) { 949 os_free(ctx); 950 return NULL; 951 } 952 953 if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) { 954 HMAC_CTX_free(ctx->ctx); 955 bin_clear_free(ctx, sizeof(*ctx)); 956 return NULL; 957 } 958 959 return ctx; 960 } 961 962 963 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len) 964 { 965 if (ctx == NULL) 966 return; 967 HMAC_Update(ctx->ctx, data, len); 968 } 969 970 971 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len) 972 { 973 unsigned int mdlen; 974 int res; 975 976 if (ctx == NULL) 977 return -2; 978 979 if (mac == NULL || len == NULL) { 980 HMAC_CTX_free(ctx->ctx); 981 bin_clear_free(ctx, sizeof(*ctx)); 982 return 0; 983 } 984 985 mdlen = *len; 986 res = HMAC_Final(ctx->ctx, mac, &mdlen); 987 HMAC_CTX_free(ctx->ctx); 988 bin_clear_free(ctx, sizeof(*ctx)); 989 990 if (res == 1) { 991 *len = mdlen; 992 return 0; 993 } 994 995 return -1; 996 } 997 998 999 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key, 1000 size_t key_len, size_t num_elem, 1001 const u8 *addr[], const size_t *len, u8 *mac, 1002 unsigned int mdlen) 1003 { 1004 HMAC_CTX *ctx; 1005 size_t i; 1006 int res; 1007 1008 if (TEST_FAIL()) 1009 return -1; 1010 1011 ctx = HMAC_CTX_new(); 1012 if (!ctx) 1013 return -1; 1014 res = HMAC_Init_ex(ctx, key, key_len, type, NULL); 1015 if (res != 1) 1016 goto done; 1017 1018 for (i = 0; i < num_elem; i++) 1019 HMAC_Update(ctx, addr[i], len[i]); 1020 1021 res = HMAC_Final(ctx, mac, &mdlen); 1022 done: 1023 HMAC_CTX_free(ctx); 1024 1025 return res == 1 ? 0 : -1; 1026 } 1027 1028 1029 #ifndef CONFIG_FIPS 1030 1031 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem, 1032 const u8 *addr[], const size_t *len, u8 *mac) 1033 { 1034 return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len, 1035 mac, 16); 1036 } 1037 1038 1039 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 1040 u8 *mac) 1041 { 1042 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac); 1043 } 1044 1045 #endif /* CONFIG_FIPS */ 1046 1047 1048 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len, 1049 int iterations, u8 *buf, size_t buflen) 1050 { 1051 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid, 1052 ssid_len, iterations, buflen, buf) != 1) 1053 return -1; 1054 return 0; 1055 } 1056 1057 1058 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, 1059 const u8 *addr[], const size_t *len, u8 *mac) 1060 { 1061 return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr, 1062 len, mac, 20); 1063 } 1064 1065 1066 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 1067 u8 *mac) 1068 { 1069 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); 1070 } 1071 1072 1073 #ifdef CONFIG_SHA256 1074 1075 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, 1076 const u8 *addr[], const size_t *len, u8 *mac) 1077 { 1078 return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr, 1079 len, mac, 32); 1080 } 1081 1082 1083 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 1084 size_t data_len, u8 *mac) 1085 { 1086 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); 1087 } 1088 1089 #endif /* CONFIG_SHA256 */ 1090 1091 1092 #ifdef CONFIG_SHA384 1093 1094 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem, 1095 const u8 *addr[], const size_t *len, u8 *mac) 1096 { 1097 return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr, 1098 len, mac, 48); 1099 } 1100 1101 1102 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, 1103 size_t data_len, u8 *mac) 1104 { 1105 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac); 1106 } 1107 1108 #endif /* CONFIG_SHA384 */ 1109 1110 1111 #ifdef CONFIG_SHA512 1112 1113 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem, 1114 const u8 *addr[], const size_t *len, u8 *mac) 1115 { 1116 return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr, 1117 len, mac, 64); 1118 } 1119 1120 1121 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data, 1122 size_t data_len, u8 *mac) 1123 { 1124 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac); 1125 } 1126 1127 #endif /* CONFIG_SHA512 */ 1128 1129 1130 int crypto_get_random(void *buf, size_t len) 1131 { 1132 if (RAND_bytes(buf, len) != 1) 1133 return -1; 1134 return 0; 1135 } 1136 1137 1138 #ifdef CONFIG_OPENSSL_CMAC 1139 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem, 1140 const u8 *addr[], const size_t *len, u8 *mac) 1141 { 1142 CMAC_CTX *ctx; 1143 int ret = -1; 1144 size_t outlen, i; 1145 1146 if (TEST_FAIL()) 1147 return -1; 1148 1149 ctx = CMAC_CTX_new(); 1150 if (ctx == NULL) 1151 return -1; 1152 1153 if (key_len == 32) { 1154 if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL)) 1155 goto fail; 1156 } else if (key_len == 16) { 1157 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL)) 1158 goto fail; 1159 } else { 1160 goto fail; 1161 } 1162 for (i = 0; i < num_elem; i++) { 1163 if (!CMAC_Update(ctx, addr[i], len[i])) 1164 goto fail; 1165 } 1166 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16) 1167 goto fail; 1168 1169 ret = 0; 1170 fail: 1171 CMAC_CTX_free(ctx); 1172 return ret; 1173 } 1174 1175 1176 int omac1_aes_128_vector(const u8 *key, size_t num_elem, 1177 const u8 *addr[], const size_t *len, u8 *mac) 1178 { 1179 return omac1_aes_vector(key, 16, num_elem, addr, len, mac); 1180 } 1181 1182 1183 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 1184 { 1185 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 1186 } 1187 1188 1189 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 1190 { 1191 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac); 1192 } 1193 #endif /* CONFIG_OPENSSL_CMAC */ 1194 1195 1196 struct crypto_bignum * crypto_bignum_init(void) 1197 { 1198 if (TEST_FAIL()) 1199 return NULL; 1200 return (struct crypto_bignum *) BN_new(); 1201 } 1202 1203 1204 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) 1205 { 1206 BIGNUM *bn; 1207 1208 if (TEST_FAIL()) 1209 return NULL; 1210 1211 bn = BN_bin2bn(buf, len, NULL); 1212 return (struct crypto_bignum *) bn; 1213 } 1214 1215 1216 void crypto_bignum_deinit(struct crypto_bignum *n, int clear) 1217 { 1218 if (clear) 1219 BN_clear_free((BIGNUM *) n); 1220 else 1221 BN_free((BIGNUM *) n); 1222 } 1223 1224 1225 int crypto_bignum_to_bin(const struct crypto_bignum *a, 1226 u8 *buf, size_t buflen, size_t padlen) 1227 { 1228 int num_bytes, offset; 1229 1230 if (TEST_FAIL()) 1231 return -1; 1232 1233 if (padlen > buflen) 1234 return -1; 1235 1236 num_bytes = BN_num_bytes((const BIGNUM *) a); 1237 if ((size_t) num_bytes > buflen) 1238 return -1; 1239 if (padlen > (size_t) num_bytes) 1240 offset = padlen - num_bytes; 1241 else 1242 offset = 0; 1243 1244 os_memset(buf, 0, offset); 1245 BN_bn2bin((const BIGNUM *) a, buf + offset); 1246 1247 return num_bytes + offset; 1248 } 1249 1250 1251 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m) 1252 { 1253 return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1; 1254 } 1255 1256 1257 int crypto_bignum_add(const struct crypto_bignum *a, 1258 const struct crypto_bignum *b, 1259 struct crypto_bignum *c) 1260 { 1261 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 1262 0 : -1; 1263 } 1264 1265 1266 int crypto_bignum_mod(const struct crypto_bignum *a, 1267 const struct crypto_bignum *b, 1268 struct crypto_bignum *c) 1269 { 1270 int res; 1271 BN_CTX *bnctx; 1272 1273 bnctx = BN_CTX_new(); 1274 if (bnctx == NULL) 1275 return -1; 1276 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, 1277 bnctx); 1278 BN_CTX_free(bnctx); 1279 1280 return res ? 0 : -1; 1281 } 1282 1283 1284 int crypto_bignum_exptmod(const struct crypto_bignum *a, 1285 const struct crypto_bignum *b, 1286 const struct crypto_bignum *c, 1287 struct crypto_bignum *d) 1288 { 1289 int res; 1290 BN_CTX *bnctx; 1291 1292 if (TEST_FAIL()) 1293 return -1; 1294 1295 bnctx = BN_CTX_new(); 1296 if (bnctx == NULL) 1297 return -1; 1298 res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 1299 (const BIGNUM *) c, bnctx); 1300 BN_CTX_free(bnctx); 1301 1302 return res ? 0 : -1; 1303 } 1304 1305 1306 int crypto_bignum_inverse(const struct crypto_bignum *a, 1307 const struct crypto_bignum *b, 1308 struct crypto_bignum *c) 1309 { 1310 BIGNUM *res; 1311 BN_CTX *bnctx; 1312 1313 if (TEST_FAIL()) 1314 return -1; 1315 bnctx = BN_CTX_new(); 1316 if (bnctx == NULL) 1317 return -1; 1318 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a, 1319 (const BIGNUM *) b, bnctx); 1320 BN_CTX_free(bnctx); 1321 1322 return res ? 0 : -1; 1323 } 1324 1325 1326 int crypto_bignum_sub(const struct crypto_bignum *a, 1327 const struct crypto_bignum *b, 1328 struct crypto_bignum *c) 1329 { 1330 if (TEST_FAIL()) 1331 return -1; 1332 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 1333 0 : -1; 1334 } 1335 1336 1337 int crypto_bignum_div(const struct crypto_bignum *a, 1338 const struct crypto_bignum *b, 1339 struct crypto_bignum *c) 1340 { 1341 int res; 1342 1343 BN_CTX *bnctx; 1344 1345 if (TEST_FAIL()) 1346 return -1; 1347 1348 bnctx = BN_CTX_new(); 1349 if (bnctx == NULL) 1350 return -1; 1351 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a, 1352 (const BIGNUM *) b, bnctx); 1353 BN_CTX_free(bnctx); 1354 1355 return res ? 0 : -1; 1356 } 1357 1358 1359 int crypto_bignum_mulmod(const struct crypto_bignum *a, 1360 const struct crypto_bignum *b, 1361 const struct crypto_bignum *c, 1362 struct crypto_bignum *d) 1363 { 1364 int res; 1365 1366 BN_CTX *bnctx; 1367 1368 if (TEST_FAIL()) 1369 return -1; 1370 1371 bnctx = BN_CTX_new(); 1372 if (bnctx == NULL) 1373 return -1; 1374 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 1375 (const BIGNUM *) c, bnctx); 1376 BN_CTX_free(bnctx); 1377 1378 return res ? 0 : -1; 1379 } 1380 1381 1382 int crypto_bignum_rshift(const struct crypto_bignum *a, int n, 1383 struct crypto_bignum *r) 1384 { 1385 /* Note: BN_rshift() does not modify the first argument even though it 1386 * has not been marked const. */ 1387 return BN_rshift((BIGNUM *) a, (BIGNUM *) r, n) == 1 ? 0 : -1; 1388 } 1389 1390 1391 int crypto_bignum_cmp(const struct crypto_bignum *a, 1392 const struct crypto_bignum *b) 1393 { 1394 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b); 1395 } 1396 1397 1398 int crypto_bignum_bits(const struct crypto_bignum *a) 1399 { 1400 return BN_num_bits((const BIGNUM *) a); 1401 } 1402 1403 1404 int crypto_bignum_is_zero(const struct crypto_bignum *a) 1405 { 1406 return BN_is_zero((const BIGNUM *) a); 1407 } 1408 1409 1410 int crypto_bignum_is_one(const struct crypto_bignum *a) 1411 { 1412 return BN_is_one((const BIGNUM *) a); 1413 } 1414 1415 1416 int crypto_bignum_is_odd(const struct crypto_bignum *a) 1417 { 1418 return BN_is_odd((const BIGNUM *) a); 1419 } 1420 1421 1422 int crypto_bignum_legendre(const struct crypto_bignum *a, 1423 const struct crypto_bignum *p) 1424 { 1425 BN_CTX *bnctx; 1426 BIGNUM *exp = NULL, *tmp = NULL; 1427 int res = -2; 1428 1429 if (TEST_FAIL()) 1430 return -2; 1431 1432 bnctx = BN_CTX_new(); 1433 if (bnctx == NULL) 1434 return -2; 1435 1436 exp = BN_new(); 1437 tmp = BN_new(); 1438 if (!exp || !tmp || 1439 /* exp = (p-1) / 2 */ 1440 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) || 1441 !BN_rshift1(exp, exp) || 1442 !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p, 1443 bnctx)) 1444 goto fail; 1445 1446 if (BN_is_word(tmp, 1)) 1447 res = 1; 1448 else if (BN_is_zero(tmp)) 1449 res = 0; 1450 else 1451 res = -1; 1452 1453 fail: 1454 BN_clear_free(tmp); 1455 BN_clear_free(exp); 1456 BN_CTX_free(bnctx); 1457 return res; 1458 } 1459 1460 1461 #ifdef CONFIG_ECC 1462 1463 struct crypto_ec { 1464 EC_GROUP *group; 1465 int nid; 1466 BN_CTX *bnctx; 1467 BIGNUM *prime; 1468 BIGNUM *order; 1469 BIGNUM *a; 1470 BIGNUM *b; 1471 }; 1472 1473 struct crypto_ec * crypto_ec_init(int group) 1474 { 1475 struct crypto_ec *e; 1476 int nid; 1477 1478 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */ 1479 switch (group) { 1480 case 19: 1481 nid = NID_X9_62_prime256v1; 1482 break; 1483 case 20: 1484 nid = NID_secp384r1; 1485 break; 1486 case 21: 1487 nid = NID_secp521r1; 1488 break; 1489 case 25: 1490 nid = NID_X9_62_prime192v1; 1491 break; 1492 case 26: 1493 nid = NID_secp224r1; 1494 break; 1495 #ifdef NID_brainpoolP224r1 1496 case 27: 1497 nid = NID_brainpoolP224r1; 1498 break; 1499 #endif /* NID_brainpoolP224r1 */ 1500 #ifdef NID_brainpoolP256r1 1501 case 28: 1502 nid = NID_brainpoolP256r1; 1503 break; 1504 #endif /* NID_brainpoolP256r1 */ 1505 #ifdef NID_brainpoolP384r1 1506 case 29: 1507 nid = NID_brainpoolP384r1; 1508 break; 1509 #endif /* NID_brainpoolP384r1 */ 1510 #ifdef NID_brainpoolP512r1 1511 case 30: 1512 nid = NID_brainpoolP512r1; 1513 break; 1514 #endif /* NID_brainpoolP512r1 */ 1515 default: 1516 return NULL; 1517 } 1518 1519 e = os_zalloc(sizeof(*e)); 1520 if (e == NULL) 1521 return NULL; 1522 1523 e->nid = nid; 1524 e->bnctx = BN_CTX_new(); 1525 e->group = EC_GROUP_new_by_curve_name(nid); 1526 e->prime = BN_new(); 1527 e->order = BN_new(); 1528 e->a = BN_new(); 1529 e->b = BN_new(); 1530 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL || 1531 e->order == NULL || e->a == NULL || e->b == NULL || 1532 !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) || 1533 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) { 1534 crypto_ec_deinit(e); 1535 e = NULL; 1536 } 1537 1538 return e; 1539 } 1540 1541 1542 void crypto_ec_deinit(struct crypto_ec *e) 1543 { 1544 if (e == NULL) 1545 return; 1546 BN_clear_free(e->b); 1547 BN_clear_free(e->a); 1548 BN_clear_free(e->order); 1549 BN_clear_free(e->prime); 1550 EC_GROUP_free(e->group); 1551 BN_CTX_free(e->bnctx); 1552 os_free(e); 1553 } 1554 1555 1556 int crypto_ec_cofactor(struct crypto_ec *e, struct crypto_bignum *cofactor) 1557 { 1558 return EC_GROUP_get_cofactor(e->group, (BIGNUM *) cofactor, 1559 e->bnctx) == 0 ? -1 : 0; 1560 } 1561 1562 1563 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e) 1564 { 1565 if (TEST_FAIL()) 1566 return NULL; 1567 if (e == NULL) 1568 return NULL; 1569 return (struct crypto_ec_point *) EC_POINT_new(e->group); 1570 } 1571 1572 1573 size_t crypto_ec_prime_len(struct crypto_ec *e) 1574 { 1575 return BN_num_bytes(e->prime); 1576 } 1577 1578 1579 size_t crypto_ec_prime_len_bits(struct crypto_ec *e) 1580 { 1581 return BN_num_bits(e->prime); 1582 } 1583 1584 1585 size_t crypto_ec_order_len(struct crypto_ec *e) 1586 { 1587 return BN_num_bytes(e->order); 1588 } 1589 1590 1591 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e) 1592 { 1593 return (const struct crypto_bignum *) e->prime; 1594 } 1595 1596 1597 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) 1598 { 1599 return (const struct crypto_bignum *) e->order; 1600 } 1601 1602 1603 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) 1604 { 1605 if (clear) 1606 EC_POINT_clear_free((EC_POINT *) p); 1607 else 1608 EC_POINT_free((EC_POINT *) p); 1609 } 1610 1611 1612 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p, 1613 struct crypto_bignum *x) 1614 { 1615 return EC_POINT_get_affine_coordinates_GFp(e->group, 1616 (const EC_POINT *) p, 1617 (BIGNUM *) x, NULL, 1618 e->bnctx) == 1 ? 0 : -1; 1619 } 1620 1621 1622 int crypto_ec_point_to_bin(struct crypto_ec *e, 1623 const struct crypto_ec_point *point, u8 *x, u8 *y) 1624 { 1625 BIGNUM *x_bn, *y_bn; 1626 int ret = -1; 1627 int len = BN_num_bytes(e->prime); 1628 1629 if (TEST_FAIL()) 1630 return -1; 1631 1632 x_bn = BN_new(); 1633 y_bn = BN_new(); 1634 1635 if (x_bn && y_bn && 1636 EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point, 1637 x_bn, y_bn, e->bnctx)) { 1638 if (x) { 1639 crypto_bignum_to_bin((struct crypto_bignum *) x_bn, 1640 x, len, len); 1641 } 1642 if (y) { 1643 crypto_bignum_to_bin((struct crypto_bignum *) y_bn, 1644 y, len, len); 1645 } 1646 ret = 0; 1647 } 1648 1649 BN_clear_free(x_bn); 1650 BN_clear_free(y_bn); 1651 return ret; 1652 } 1653 1654 1655 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e, 1656 const u8 *val) 1657 { 1658 BIGNUM *x, *y; 1659 EC_POINT *elem; 1660 int len = BN_num_bytes(e->prime); 1661 1662 if (TEST_FAIL()) 1663 return NULL; 1664 1665 x = BN_bin2bn(val, len, NULL); 1666 y = BN_bin2bn(val + len, len, NULL); 1667 elem = EC_POINT_new(e->group); 1668 if (x == NULL || y == NULL || elem == NULL) { 1669 BN_clear_free(x); 1670 BN_clear_free(y); 1671 EC_POINT_clear_free(elem); 1672 return NULL; 1673 } 1674 1675 if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y, 1676 e->bnctx)) { 1677 EC_POINT_clear_free(elem); 1678 elem = NULL; 1679 } 1680 1681 BN_clear_free(x); 1682 BN_clear_free(y); 1683 1684 return (struct crypto_ec_point *) elem; 1685 } 1686 1687 1688 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a, 1689 const struct crypto_ec_point *b, 1690 struct crypto_ec_point *c) 1691 { 1692 if (TEST_FAIL()) 1693 return -1; 1694 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a, 1695 (const EC_POINT *) b, e->bnctx) ? 0 : -1; 1696 } 1697 1698 1699 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p, 1700 const struct crypto_bignum *b, 1701 struct crypto_ec_point *res) 1702 { 1703 if (TEST_FAIL()) 1704 return -1; 1705 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL, 1706 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx) 1707 ? 0 : -1; 1708 } 1709 1710 1711 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p) 1712 { 1713 if (TEST_FAIL()) 1714 return -1; 1715 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1; 1716 } 1717 1718 1719 int crypto_ec_point_solve_y_coord(struct crypto_ec *e, 1720 struct crypto_ec_point *p, 1721 const struct crypto_bignum *x, int y_bit) 1722 { 1723 if (TEST_FAIL()) 1724 return -1; 1725 if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p, 1726 (const BIGNUM *) x, y_bit, 1727 e->bnctx) || 1728 !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx)) 1729 return -1; 1730 return 0; 1731 } 1732 1733 1734 struct crypto_bignum * 1735 crypto_ec_point_compute_y_sqr(struct crypto_ec *e, 1736 const struct crypto_bignum *x) 1737 { 1738 BIGNUM *tmp, *tmp2, *y_sqr = NULL; 1739 1740 if (TEST_FAIL()) 1741 return NULL; 1742 1743 tmp = BN_new(); 1744 tmp2 = BN_new(); 1745 1746 /* y^2 = x^3 + ax + b */ 1747 if (tmp && tmp2 && 1748 BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) && 1749 BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) && 1750 BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) && 1751 BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) && 1752 BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) { 1753 y_sqr = tmp2; 1754 tmp2 = NULL; 1755 } 1756 1757 BN_clear_free(tmp); 1758 BN_clear_free(tmp2); 1759 1760 return (struct crypto_bignum *) y_sqr; 1761 } 1762 1763 1764 int crypto_ec_point_is_at_infinity(struct crypto_ec *e, 1765 const struct crypto_ec_point *p) 1766 { 1767 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p); 1768 } 1769 1770 1771 int crypto_ec_point_is_on_curve(struct crypto_ec *e, 1772 const struct crypto_ec_point *p) 1773 { 1774 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p, 1775 e->bnctx) == 1; 1776 } 1777 1778 1779 int crypto_ec_point_cmp(const struct crypto_ec *e, 1780 const struct crypto_ec_point *a, 1781 const struct crypto_ec_point *b) 1782 { 1783 return EC_POINT_cmp(e->group, (const EC_POINT *) a, 1784 (const EC_POINT *) b, e->bnctx); 1785 } 1786 1787 1788 struct crypto_ecdh { 1789 struct crypto_ec *ec; 1790 EVP_PKEY *pkey; 1791 }; 1792 1793 struct crypto_ecdh * crypto_ecdh_init(int group) 1794 { 1795 struct crypto_ecdh *ecdh; 1796 EVP_PKEY *params = NULL; 1797 EC_KEY *ec_params; 1798 EVP_PKEY_CTX *kctx = NULL; 1799 1800 ecdh = os_zalloc(sizeof(*ecdh)); 1801 if (!ecdh) 1802 goto fail; 1803 1804 ecdh->ec = crypto_ec_init(group); 1805 if (!ecdh->ec) 1806 goto fail; 1807 1808 ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid); 1809 if (!ec_params) { 1810 wpa_printf(MSG_ERROR, 1811 "OpenSSL: Failed to generate EC_KEY parameters"); 1812 goto fail; 1813 } 1814 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE); 1815 params = EVP_PKEY_new(); 1816 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) { 1817 wpa_printf(MSG_ERROR, 1818 "OpenSSL: Failed to generate EVP_PKEY parameters"); 1819 goto fail; 1820 } 1821 1822 kctx = EVP_PKEY_CTX_new(params, NULL); 1823 if (!kctx) 1824 goto fail; 1825 1826 if (EVP_PKEY_keygen_init(kctx) != 1) { 1827 wpa_printf(MSG_ERROR, 1828 "OpenSSL: EVP_PKEY_keygen_init failed: %s", 1829 ERR_error_string(ERR_get_error(), NULL)); 1830 goto fail; 1831 } 1832 1833 if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) { 1834 wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s", 1835 ERR_error_string(ERR_get_error(), NULL)); 1836 goto fail; 1837 } 1838 1839 done: 1840 EVP_PKEY_free(params); 1841 EVP_PKEY_CTX_free(kctx); 1842 1843 return ecdh; 1844 fail: 1845 crypto_ecdh_deinit(ecdh); 1846 ecdh = NULL; 1847 goto done; 1848 } 1849 1850 1851 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y) 1852 { 1853 struct wpabuf *buf = NULL; 1854 EC_KEY *eckey; 1855 const EC_POINT *pubkey; 1856 BIGNUM *x, *y = NULL; 1857 int len = BN_num_bytes(ecdh->ec->prime); 1858 int res; 1859 1860 eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey); 1861 if (!eckey) 1862 return NULL; 1863 1864 pubkey = EC_KEY_get0_public_key(eckey); 1865 if (!pubkey) 1866 return NULL; 1867 1868 x = BN_new(); 1869 if (inc_y) { 1870 y = BN_new(); 1871 if (!y) 1872 goto fail; 1873 } 1874 buf = wpabuf_alloc(inc_y ? 2 * len : len); 1875 if (!x || !buf) 1876 goto fail; 1877 1878 if (EC_POINT_get_affine_coordinates_GFp(ecdh->ec->group, pubkey, 1879 x, y, ecdh->ec->bnctx) != 1) { 1880 wpa_printf(MSG_ERROR, 1881 "OpenSSL: EC_POINT_get_affine_coordinates_GFp failed: %s", 1882 ERR_error_string(ERR_get_error(), NULL)); 1883 goto fail; 1884 } 1885 1886 res = crypto_bignum_to_bin((struct crypto_bignum *) x, 1887 wpabuf_put(buf, len), len, len); 1888 if (res < 0) 1889 goto fail; 1890 1891 if (inc_y) { 1892 res = crypto_bignum_to_bin((struct crypto_bignum *) y, 1893 wpabuf_put(buf, len), len, len); 1894 if (res < 0) 1895 goto fail; 1896 } 1897 1898 done: 1899 BN_clear_free(x); 1900 BN_clear_free(y); 1901 EC_KEY_free(eckey); 1902 1903 return buf; 1904 fail: 1905 wpabuf_free(buf); 1906 buf = NULL; 1907 goto done; 1908 } 1909 1910 1911 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y, 1912 const u8 *key, size_t len) 1913 { 1914 BIGNUM *x, *y = NULL; 1915 EVP_PKEY_CTX *ctx = NULL; 1916 EVP_PKEY *peerkey = NULL; 1917 struct wpabuf *secret = NULL; 1918 size_t secret_len; 1919 EC_POINT *pub; 1920 EC_KEY *eckey = NULL; 1921 1922 x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL); 1923 pub = EC_POINT_new(ecdh->ec->group); 1924 if (!x || !pub) 1925 goto fail; 1926 1927 if (inc_y) { 1928 y = BN_bin2bn(key + len / 2, len / 2, NULL); 1929 if (!y) 1930 goto fail; 1931 if (!EC_POINT_set_affine_coordinates_GFp(ecdh->ec->group, pub, 1932 x, y, 1933 ecdh->ec->bnctx)) { 1934 wpa_printf(MSG_ERROR, 1935 "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s", 1936 ERR_error_string(ERR_get_error(), NULL)); 1937 goto fail; 1938 } 1939 } else if (!EC_POINT_set_compressed_coordinates_GFp(ecdh->ec->group, 1940 pub, x, 0, 1941 ecdh->ec->bnctx)) { 1942 wpa_printf(MSG_ERROR, 1943 "OpenSSL: EC_POINT_set_compressed_coordinates_GFp failed: %s", 1944 ERR_error_string(ERR_get_error(), NULL)); 1945 goto fail; 1946 } 1947 1948 if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) { 1949 wpa_printf(MSG_ERROR, 1950 "OpenSSL: ECDH peer public key is not on curve"); 1951 goto fail; 1952 } 1953 1954 eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid); 1955 if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) { 1956 wpa_printf(MSG_ERROR, 1957 "OpenSSL: EC_KEY_set_public_key failed: %s", 1958 ERR_error_string(ERR_get_error(), NULL)); 1959 goto fail; 1960 } 1961 1962 peerkey = EVP_PKEY_new(); 1963 if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1) 1964 goto fail; 1965 1966 ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL); 1967 if (!ctx || EVP_PKEY_derive_init(ctx) != 1 || 1968 EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 || 1969 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) { 1970 wpa_printf(MSG_ERROR, 1971 "OpenSSL: EVP_PKEY_derive(1) failed: %s", 1972 ERR_error_string(ERR_get_error(), NULL)); 1973 goto fail; 1974 } 1975 1976 secret = wpabuf_alloc(secret_len); 1977 if (!secret) 1978 goto fail; 1979 if (EVP_PKEY_derive(ctx, wpabuf_put(secret, secret_len), 1980 &secret_len) != 1) { 1981 wpa_printf(MSG_ERROR, 1982 "OpenSSL: EVP_PKEY_derive(2) failed: %s", 1983 ERR_error_string(ERR_get_error(), NULL)); 1984 goto fail; 1985 } 1986 1987 done: 1988 BN_free(x); 1989 BN_free(y); 1990 EC_KEY_free(eckey); 1991 EC_POINT_free(pub); 1992 EVP_PKEY_CTX_free(ctx); 1993 EVP_PKEY_free(peerkey); 1994 return secret; 1995 fail: 1996 wpabuf_free(secret); 1997 secret = NULL; 1998 goto done; 1999 } 2000 2001 2002 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh) 2003 { 2004 if (ecdh) { 2005 crypto_ec_deinit(ecdh->ec); 2006 EVP_PKEY_free(ecdh->pkey); 2007 os_free(ecdh); 2008 } 2009 } 2010 2011 #endif /* CONFIG_ECC */ 2012