xref: /freebsd/contrib/wpa/src/crypto/crypto_openssl.c (revision 6ba2210ee039f2f12878c217bcf058e9c8b26b29)
1 /*
2  * Wrapper functions for OpenSSL libcrypto
3  * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 #include <openssl/opensslv.h>
11 #include <openssl/err.h>
12 #include <openssl/des.h>
13 #include <openssl/aes.h>
14 #include <openssl/bn.h>
15 #include <openssl/evp.h>
16 #include <openssl/dh.h>
17 #include <openssl/hmac.h>
18 #include <openssl/rand.h>
19 #ifdef CONFIG_OPENSSL_CMAC
20 #include <openssl/cmac.h>
21 #endif /* CONFIG_OPENSSL_CMAC */
22 #ifdef CONFIG_ECC
23 #include <openssl/ec.h>
24 #include <openssl/x509.h>
25 #endif /* CONFIG_ECC */
26 
27 #include "common.h"
28 #include "utils/const_time.h"
29 #include "wpabuf.h"
30 #include "dh_group5.h"
31 #include "sha1.h"
32 #include "sha256.h"
33 #include "sha384.h"
34 #include "sha512.h"
35 #include "md5.h"
36 #include "aes_wrap.h"
37 #include "crypto.h"
38 
39 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
40 	(defined(LIBRESSL_VERSION_NUMBER) && \
41 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
42 /* Compatibility wrappers for older versions. */
43 
44 static HMAC_CTX * HMAC_CTX_new(void)
45 {
46 	HMAC_CTX *ctx;
47 
48 	ctx = os_zalloc(sizeof(*ctx));
49 	if (ctx)
50 		HMAC_CTX_init(ctx);
51 	return ctx;
52 }
53 
54 
55 static void HMAC_CTX_free(HMAC_CTX *ctx)
56 {
57 	if (!ctx)
58 		return;
59 	HMAC_CTX_cleanup(ctx);
60 	bin_clear_free(ctx, sizeof(*ctx));
61 }
62 
63 
64 static EVP_MD_CTX * EVP_MD_CTX_new(void)
65 {
66 	EVP_MD_CTX *ctx;
67 
68 	ctx = os_zalloc(sizeof(*ctx));
69 	if (ctx)
70 		EVP_MD_CTX_init(ctx);
71 	return ctx;
72 }
73 
74 
75 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
76 {
77 	if (!ctx)
78 		return;
79 	EVP_MD_CTX_cleanup(ctx);
80 	bin_clear_free(ctx, sizeof(*ctx));
81 }
82 
83 
84 #ifdef CONFIG_ECC
85 static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
86 {
87 	if (pkey->type != EVP_PKEY_EC)
88 		return NULL;
89 	return pkey->pkey.ec;
90 }
91 #endif /* CONFIG_ECC */
92 
93 #endif /* OpenSSL version < 1.1.0 */
94 
95 static BIGNUM * get_group5_prime(void)
96 {
97 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
98 	!(defined(LIBRESSL_VERSION_NUMBER) && \
99 	  LIBRESSL_VERSION_NUMBER < 0x20700000L)
100 	return BN_get_rfc3526_prime_1536(NULL);
101 #elif !defined(OPENSSL_IS_BORINGSSL)
102 	return get_rfc3526_prime_1536(NULL);
103 #else
104 	static const unsigned char RFC3526_PRIME_1536[] = {
105 		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
106 		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
107 		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
108 		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
109 		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
110 		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
111 		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
112 		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
113 		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
114 		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
115 		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
116 		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
117 		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
118 		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
119 		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
120 		0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
121 	};
122         return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
123 #endif
124 }
125 
126 
127 static BIGNUM * get_group5_order(void)
128 {
129 	static const unsigned char RFC3526_ORDER_1536[] = {
130 		0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE4,0x87,0xED,0x51,
131 		0x10,0xB4,0x61,0x1A,0x62,0x63,0x31,0x45,0xC0,0x6E,0x0E,0x68,
132 		0x94,0x81,0x27,0x04,0x45,0x33,0xE6,0x3A,0x01,0x05,0xDF,0x53,
133 		0x1D,0x89,0xCD,0x91,0x28,0xA5,0x04,0x3C,0xC7,0x1A,0x02,0x6E,
134 		0xF7,0xCA,0x8C,0xD9,0xE6,0x9D,0x21,0x8D,0x98,0x15,0x85,0x36,
135 		0xF9,0x2F,0x8A,0x1B,0xA7,0xF0,0x9A,0xB6,0xB6,0xA8,0xE1,0x22,
136 		0xF2,0x42,0xDA,0xBB,0x31,0x2F,0x3F,0x63,0x7A,0x26,0x21,0x74,
137 		0xD3,0x1B,0xF6,0xB5,0x85,0xFF,0xAE,0x5B,0x7A,0x03,0x5B,0xF6,
138 		0xF7,0x1C,0x35,0xFD,0xAD,0x44,0xCF,0xD2,0xD7,0x4F,0x92,0x08,
139 		0xBE,0x25,0x8F,0xF3,0x24,0x94,0x33,0x28,0xF6,0x72,0x2D,0x9E,
140 		0xE1,0x00,0x3E,0x5C,0x50,0xB1,0xDF,0x82,0xCC,0x6D,0x24,0x1B,
141 		0x0E,0x2A,0xE9,0xCD,0x34,0x8B,0x1F,0xD4,0x7E,0x92,0x67,0xAF,
142 		0xC1,0xB2,0xAE,0x91,0xEE,0x51,0xD6,0xCB,0x0E,0x31,0x79,0xAB,
143 		0x10,0x42,0xA9,0x5D,0xCF,0x6A,0x94,0x83,0xB8,0x4B,0x4B,0x36,
144 		0xB3,0x86,0x1A,0xA7,0x25,0x5E,0x4C,0x02,0x78,0xBA,0x36,0x04,
145 		0x65,0x11,0xB9,0x93,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
146 	};
147 	return BN_bin2bn(RFC3526_ORDER_1536, sizeof(RFC3526_ORDER_1536), NULL);
148 }
149 
150 
151 #ifdef OPENSSL_NO_SHA256
152 #define NO_SHA256_WRAPPER
153 #endif
154 #ifdef OPENSSL_NO_SHA512
155 #define NO_SHA384_WRAPPER
156 #endif
157 
158 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
159 				 const u8 *addr[], const size_t *len, u8 *mac)
160 {
161 	EVP_MD_CTX *ctx;
162 	size_t i;
163 	unsigned int mac_len;
164 
165 	if (TEST_FAIL())
166 		return -1;
167 
168 	ctx = EVP_MD_CTX_new();
169 	if (!ctx)
170 		return -1;
171 	if (!EVP_DigestInit_ex(ctx, type, NULL)) {
172 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
173 			   ERR_error_string(ERR_get_error(), NULL));
174 		EVP_MD_CTX_free(ctx);
175 		return -1;
176 	}
177 	for (i = 0; i < num_elem; i++) {
178 		if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
179 			wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
180 				   "failed: %s",
181 				   ERR_error_string(ERR_get_error(), NULL));
182 			EVP_MD_CTX_free(ctx);
183 			return -1;
184 		}
185 	}
186 	if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
187 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
188 			   ERR_error_string(ERR_get_error(), NULL));
189 		EVP_MD_CTX_free(ctx);
190 		return -1;
191 	}
192 	EVP_MD_CTX_free(ctx);
193 
194 	return 0;
195 }
196 
197 
198 #ifndef CONFIG_FIPS
199 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
200 {
201 	return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
202 }
203 #endif /* CONFIG_FIPS */
204 
205 
206 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
207 {
208 	u8 pkey[8], next, tmp;
209 	int i;
210 	DES_key_schedule ks;
211 
212 	/* Add parity bits to the key */
213 	next = 0;
214 	for (i = 0; i < 7; i++) {
215 		tmp = key[i];
216 		pkey[i] = (tmp >> i) | next | 1;
217 		next = tmp << (7 - i);
218 	}
219 	pkey[i] = next | 1;
220 
221 	DES_set_key((DES_cblock *) &pkey, &ks);
222 	DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks,
223 			DES_ENCRYPT);
224 	return 0;
225 }
226 
227 
228 #ifndef CONFIG_NO_RC4
229 int rc4_skip(const u8 *key, size_t keylen, size_t skip,
230 	     u8 *data, size_t data_len)
231 {
232 #ifdef OPENSSL_NO_RC4
233 	return -1;
234 #else /* OPENSSL_NO_RC4 */
235 	EVP_CIPHER_CTX *ctx;
236 	int outl;
237 	int res = -1;
238 	unsigned char skip_buf[16];
239 
240 	ctx = EVP_CIPHER_CTX_new();
241 	if (!ctx ||
242 	    !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
243 	    !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
244 	    !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
245 	    !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
246 		goto out;
247 
248 	while (skip >= sizeof(skip_buf)) {
249 		size_t len = skip;
250 		if (len > sizeof(skip_buf))
251 			len = sizeof(skip_buf);
252 		if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
253 			goto out;
254 		skip -= len;
255 	}
256 
257 	if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
258 		res = 0;
259 
260 out:
261 	if (ctx)
262 		EVP_CIPHER_CTX_free(ctx);
263 	return res;
264 #endif /* OPENSSL_NO_RC4 */
265 }
266 #endif /* CONFIG_NO_RC4 */
267 
268 
269 #ifndef CONFIG_FIPS
270 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
271 {
272 	return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
273 }
274 #endif /* CONFIG_FIPS */
275 
276 
277 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
278 {
279 	return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
280 }
281 
282 
283 #ifndef NO_SHA256_WRAPPER
284 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
285 		  u8 *mac)
286 {
287 	return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
288 }
289 #endif /* NO_SHA256_WRAPPER */
290 
291 
292 #ifndef NO_SHA384_WRAPPER
293 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
294 		  u8 *mac)
295 {
296 	return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);
297 }
298 #endif /* NO_SHA384_WRAPPER */
299 
300 
301 #ifndef NO_SHA512_WRAPPER
302 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
303 		  u8 *mac)
304 {
305 	return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
306 }
307 #endif /* NO_SHA512_WRAPPER */
308 
309 
310 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
311 {
312 	switch (keylen) {
313 	case 16:
314 		return EVP_aes_128_ecb();
315 	case 24:
316 		return EVP_aes_192_ecb();
317 	case 32:
318 		return EVP_aes_256_ecb();
319 	}
320 
321 	return NULL;
322 }
323 
324 
325 void * aes_encrypt_init(const u8 *key, size_t len)
326 {
327 	EVP_CIPHER_CTX *ctx;
328 	const EVP_CIPHER *type;
329 
330 	if (TEST_FAIL())
331 		return NULL;
332 
333 	type = aes_get_evp_cipher(len);
334 	if (!type) {
335 		wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
336 			   __func__, (unsigned int) len);
337 		return NULL;
338 	}
339 
340 	ctx = EVP_CIPHER_CTX_new();
341 	if (ctx == NULL)
342 		return NULL;
343 	if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
344 		os_free(ctx);
345 		return NULL;
346 	}
347 	EVP_CIPHER_CTX_set_padding(ctx, 0);
348 	return ctx;
349 }
350 
351 
352 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
353 {
354 	EVP_CIPHER_CTX *c = ctx;
355 	int clen = 16;
356 	if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
357 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
358 			   ERR_error_string(ERR_get_error(), NULL));
359 		return -1;
360 	}
361 	return 0;
362 }
363 
364 
365 void aes_encrypt_deinit(void *ctx)
366 {
367 	EVP_CIPHER_CTX *c = ctx;
368 	u8 buf[16];
369 	int len = sizeof(buf);
370 	if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
371 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
372 			   "%s", ERR_error_string(ERR_get_error(), NULL));
373 	}
374 	if (len != 0) {
375 		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
376 			   "in AES encrypt", len);
377 	}
378 	EVP_CIPHER_CTX_free(c);
379 }
380 
381 
382 void * aes_decrypt_init(const u8 *key, size_t len)
383 {
384 	EVP_CIPHER_CTX *ctx;
385 	const EVP_CIPHER *type;
386 
387 	if (TEST_FAIL())
388 		return NULL;
389 
390 	type = aes_get_evp_cipher(len);
391 	if (!type) {
392 		wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
393 			   __func__, (unsigned int) len);
394 		return NULL;
395 	}
396 
397 	ctx = EVP_CIPHER_CTX_new();
398 	if (ctx == NULL)
399 		return NULL;
400 	if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
401 		EVP_CIPHER_CTX_free(ctx);
402 		return NULL;
403 	}
404 	EVP_CIPHER_CTX_set_padding(ctx, 0);
405 	return ctx;
406 }
407 
408 
409 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
410 {
411 	EVP_CIPHER_CTX *c = ctx;
412 	int plen = 16;
413 	if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
414 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
415 			   ERR_error_string(ERR_get_error(), NULL));
416 		return -1;
417 	}
418 	return 0;
419 }
420 
421 
422 void aes_decrypt_deinit(void *ctx)
423 {
424 	EVP_CIPHER_CTX *c = ctx;
425 	u8 buf[16];
426 	int len = sizeof(buf);
427 	if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
428 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
429 			   "%s", ERR_error_string(ERR_get_error(), NULL));
430 	}
431 	if (len != 0) {
432 		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
433 			   "in AES decrypt", len);
434 	}
435 	EVP_CIPHER_CTX_free(c);
436 }
437 
438 
439 #ifndef CONFIG_FIPS
440 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
441 
442 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
443 {
444 	AES_KEY actx;
445 	int res;
446 
447 	if (TEST_FAIL())
448 		return -1;
449 	if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
450 		return -1;
451 	res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
452 	OPENSSL_cleanse(&actx, sizeof(actx));
453 	return res <= 0 ? -1 : 0;
454 }
455 
456 
457 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
458 	       u8 *plain)
459 {
460 	AES_KEY actx;
461 	int res;
462 
463 	if (TEST_FAIL())
464 		return -1;
465 	if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
466 		return -1;
467 	res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
468 	OPENSSL_cleanse(&actx, sizeof(actx));
469 	return res <= 0 ? -1 : 0;
470 }
471 
472 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
473 #endif /* CONFIG_FIPS */
474 
475 
476 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
477 {
478 	EVP_CIPHER_CTX *ctx;
479 	int clen, len;
480 	u8 buf[16];
481 	int res = -1;
482 
483 	if (TEST_FAIL())
484 		return -1;
485 
486 	ctx = EVP_CIPHER_CTX_new();
487 	if (!ctx)
488 		return -1;
489 	clen = data_len;
490 	len = sizeof(buf);
491 	if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
492 	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
493 	    EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
494 	    clen == (int) data_len &&
495 	    EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
496 		res = 0;
497 	EVP_CIPHER_CTX_free(ctx);
498 
499 	return res;
500 }
501 
502 
503 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
504 {
505 	EVP_CIPHER_CTX *ctx;
506 	int plen, len;
507 	u8 buf[16];
508 	int res = -1;
509 
510 	if (TEST_FAIL())
511 		return -1;
512 
513 	ctx = EVP_CIPHER_CTX_new();
514 	if (!ctx)
515 		return -1;
516 	plen = data_len;
517 	len = sizeof(buf);
518 	if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
519 	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
520 	    EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
521 	    plen == (int) data_len &&
522 	    EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
523 		res = 0;
524 	EVP_CIPHER_CTX_free(ctx);
525 
526 	return res;
527 
528 }
529 
530 
531 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
532 		   u8 *pubkey)
533 {
534 	size_t pubkey_len, pad;
535 
536 	if (os_get_random(privkey, prime_len) < 0)
537 		return -1;
538 	if (os_memcmp(privkey, prime, prime_len) > 0) {
539 		/* Make sure private value is smaller than prime */
540 		privkey[0] = 0;
541 	}
542 
543 	pubkey_len = prime_len;
544 	if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
545 			   pubkey, &pubkey_len) < 0)
546 		return -1;
547 	if (pubkey_len < prime_len) {
548 		pad = prime_len - pubkey_len;
549 		os_memmove(pubkey + pad, pubkey, pubkey_len);
550 		os_memset(pubkey, 0, pad);
551 	}
552 
553 	return 0;
554 }
555 
556 
557 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
558 			    const u8 *order, size_t order_len,
559 			    const u8 *privkey, size_t privkey_len,
560 			    const u8 *pubkey, size_t pubkey_len,
561 			    u8 *secret, size_t *len)
562 {
563 	BIGNUM *pub, *p;
564 	int res = -1;
565 
566 	pub = BN_bin2bn(pubkey, pubkey_len, NULL);
567 	p = BN_bin2bn(prime, prime_len, NULL);
568 	if (!pub || !p || BN_is_zero(pub) || BN_is_one(pub) ||
569 	    BN_cmp(pub, p) >= 0)
570 		goto fail;
571 
572 	if (order) {
573 		BN_CTX *ctx;
574 		BIGNUM *q, *tmp;
575 		int failed;
576 
577 		/* verify: pubkey^q == 1 mod p */
578 		q = BN_bin2bn(order, order_len, NULL);
579 		ctx = BN_CTX_new();
580 		tmp = BN_new();
581 		failed = !q || !ctx || !tmp ||
582 			!BN_mod_exp(tmp, pub, q, p, ctx) ||
583 			!BN_is_one(tmp);
584 		BN_clear_free(q);
585 		BN_clear_free(tmp);
586 		BN_CTX_free(ctx);
587 		if (failed)
588 			goto fail;
589 	}
590 
591 	res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,
592 			     prime, prime_len, secret, len);
593 fail:
594 	BN_clear_free(pub);
595 	BN_clear_free(p);
596 	return res;
597 }
598 
599 
600 int crypto_mod_exp(const u8 *base, size_t base_len,
601 		   const u8 *power, size_t power_len,
602 		   const u8 *modulus, size_t modulus_len,
603 		   u8 *result, size_t *result_len)
604 {
605 	BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
606 	int ret = -1;
607 	BN_CTX *ctx;
608 
609 	ctx = BN_CTX_new();
610 	if (ctx == NULL)
611 		return -1;
612 
613 	bn_base = BN_bin2bn(base, base_len, NULL);
614 	bn_exp = BN_bin2bn(power, power_len, NULL);
615 	bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
616 	bn_result = BN_new();
617 
618 	if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
619 	    bn_result == NULL)
620 		goto error;
621 
622 	if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
623 				      ctx, NULL) != 1)
624 		goto error;
625 
626 	*result_len = BN_bn2bin(bn_result, result);
627 	ret = 0;
628 
629 error:
630 	BN_clear_free(bn_base);
631 	BN_clear_free(bn_exp);
632 	BN_clear_free(bn_modulus);
633 	BN_clear_free(bn_result);
634 	BN_CTX_free(ctx);
635 	return ret;
636 }
637 
638 
639 struct crypto_cipher {
640 	EVP_CIPHER_CTX *enc;
641 	EVP_CIPHER_CTX *dec;
642 };
643 
644 
645 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
646 					  const u8 *iv, const u8 *key,
647 					  size_t key_len)
648 {
649 	struct crypto_cipher *ctx;
650 	const EVP_CIPHER *cipher;
651 
652 	ctx = os_zalloc(sizeof(*ctx));
653 	if (ctx == NULL)
654 		return NULL;
655 
656 	switch (alg) {
657 #ifndef CONFIG_NO_RC4
658 #ifndef OPENSSL_NO_RC4
659 	case CRYPTO_CIPHER_ALG_RC4:
660 		cipher = EVP_rc4();
661 		break;
662 #endif /* OPENSSL_NO_RC4 */
663 #endif /* CONFIG_NO_RC4 */
664 #ifndef OPENSSL_NO_AES
665 	case CRYPTO_CIPHER_ALG_AES:
666 		switch (key_len) {
667 		case 16:
668 			cipher = EVP_aes_128_cbc();
669 			break;
670 #ifndef OPENSSL_IS_BORINGSSL
671 		case 24:
672 			cipher = EVP_aes_192_cbc();
673 			break;
674 #endif /* OPENSSL_IS_BORINGSSL */
675 		case 32:
676 			cipher = EVP_aes_256_cbc();
677 			break;
678 		default:
679 			os_free(ctx);
680 			return NULL;
681 		}
682 		break;
683 #endif /* OPENSSL_NO_AES */
684 #ifndef OPENSSL_NO_DES
685 	case CRYPTO_CIPHER_ALG_3DES:
686 		cipher = EVP_des_ede3_cbc();
687 		break;
688 	case CRYPTO_CIPHER_ALG_DES:
689 		cipher = EVP_des_cbc();
690 		break;
691 #endif /* OPENSSL_NO_DES */
692 #ifndef OPENSSL_NO_RC2
693 	case CRYPTO_CIPHER_ALG_RC2:
694 		cipher = EVP_rc2_ecb();
695 		break;
696 #endif /* OPENSSL_NO_RC2 */
697 	default:
698 		os_free(ctx);
699 		return NULL;
700 	}
701 
702 	if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
703 	    !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
704 	    !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
705 	    !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
706 	    !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
707 		if (ctx->enc)
708 			EVP_CIPHER_CTX_free(ctx->enc);
709 		os_free(ctx);
710 		return NULL;
711 	}
712 
713 	if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
714 	    !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
715 	    !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
716 	    !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
717 	    !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
718 		EVP_CIPHER_CTX_free(ctx->enc);
719 		if (ctx->dec)
720 			EVP_CIPHER_CTX_free(ctx->dec);
721 		os_free(ctx);
722 		return NULL;
723 	}
724 
725 	return ctx;
726 }
727 
728 
729 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
730 			  u8 *crypt, size_t len)
731 {
732 	int outl;
733 	if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
734 		return -1;
735 	return 0;
736 }
737 
738 
739 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
740 			  u8 *plain, size_t len)
741 {
742 	int outl;
743 	outl = len;
744 	if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
745 		return -1;
746 	return 0;
747 }
748 
749 
750 void crypto_cipher_deinit(struct crypto_cipher *ctx)
751 {
752 	EVP_CIPHER_CTX_free(ctx->enc);
753 	EVP_CIPHER_CTX_free(ctx->dec);
754 	os_free(ctx);
755 }
756 
757 
758 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
759 {
760 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
761 	(defined(LIBRESSL_VERSION_NUMBER) && \
762 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
763 	DH *dh;
764 	struct wpabuf *pubkey = NULL, *privkey = NULL;
765 	size_t publen, privlen;
766 
767 	*priv = NULL;
768 	wpabuf_free(*publ);
769 	*publ = NULL;
770 
771 	dh = DH_new();
772 	if (dh == NULL)
773 		return NULL;
774 
775 	dh->g = BN_new();
776 	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
777 		goto err;
778 
779 	dh->p = get_group5_prime();
780 	if (dh->p == NULL)
781 		goto err;
782 
783 	dh->q = get_group5_order();
784 	if (!dh->q)
785 		goto err;
786 
787 	if (DH_generate_key(dh) != 1)
788 		goto err;
789 
790 	publen = BN_num_bytes(dh->pub_key);
791 	pubkey = wpabuf_alloc(publen);
792 	if (pubkey == NULL)
793 		goto err;
794 	privlen = BN_num_bytes(dh->priv_key);
795 	privkey = wpabuf_alloc(privlen);
796 	if (privkey == NULL)
797 		goto err;
798 
799 	BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
800 	BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
801 
802 	*priv = privkey;
803 	*publ = pubkey;
804 	return dh;
805 
806 err:
807 	wpabuf_clear_free(pubkey);
808 	wpabuf_clear_free(privkey);
809 	DH_free(dh);
810 	return NULL;
811 #else
812 	DH *dh;
813 	struct wpabuf *pubkey = NULL, *privkey = NULL;
814 	size_t publen, privlen;
815 	BIGNUM *p, *g, *q;
816 	const BIGNUM *priv_key = NULL, *pub_key = NULL;
817 
818 	*priv = NULL;
819 	wpabuf_free(*publ);
820 	*publ = NULL;
821 
822 	dh = DH_new();
823 	if (dh == NULL)
824 		return NULL;
825 
826 	g = BN_new();
827 	p = get_group5_prime();
828 	q = get_group5_order();
829 	if (!g || BN_set_word(g, 2) != 1 || !p || !q ||
830 	    DH_set0_pqg(dh, p, q, g) != 1)
831 		goto err;
832 	p = NULL;
833 	q = NULL;
834 	g = NULL;
835 
836 	if (DH_generate_key(dh) != 1)
837 		goto err;
838 
839 	DH_get0_key(dh, &pub_key, &priv_key);
840 	publen = BN_num_bytes(pub_key);
841 	pubkey = wpabuf_alloc(publen);
842 	if (!pubkey)
843 		goto err;
844 	privlen = BN_num_bytes(priv_key);
845 	privkey = wpabuf_alloc(privlen);
846 	if (!privkey)
847 		goto err;
848 
849 	BN_bn2bin(pub_key, wpabuf_put(pubkey, publen));
850 	BN_bn2bin(priv_key, wpabuf_put(privkey, privlen));
851 
852 	*priv = privkey;
853 	*publ = pubkey;
854 	return dh;
855 
856 err:
857 	BN_free(p);
858 	BN_free(q);
859 	BN_free(g);
860 	wpabuf_clear_free(pubkey);
861 	wpabuf_clear_free(privkey);
862 	DH_free(dh);
863 	return NULL;
864 #endif
865 }
866 
867 
868 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
869 {
870 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
871 	(defined(LIBRESSL_VERSION_NUMBER) && \
872 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
873 	DH *dh;
874 
875 	dh = DH_new();
876 	if (dh == NULL)
877 		return NULL;
878 
879 	dh->g = BN_new();
880 	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
881 		goto err;
882 
883 	dh->p = get_group5_prime();
884 	if (dh->p == NULL)
885 		goto err;
886 
887 	dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
888 	if (dh->priv_key == NULL)
889 		goto err;
890 
891 	dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
892 	if (dh->pub_key == NULL)
893 		goto err;
894 
895 	if (DH_generate_key(dh) != 1)
896 		goto err;
897 
898 	return dh;
899 
900 err:
901 	DH_free(dh);
902 	return NULL;
903 #else
904 	DH *dh;
905 	BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL;
906 
907 	dh = DH_new();
908 	if (dh == NULL)
909 		return NULL;
910 
911 	g = BN_new();
912 	p = get_group5_prime();
913 	if (!g || BN_set_word(g, 2) != 1 || !p ||
914 	    DH_set0_pqg(dh, p, NULL, g) != 1)
915 		goto err;
916 	p = NULL;
917 	g = NULL;
918 
919 	priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
920 	pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
921 	if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1)
922 		goto err;
923 	pub_key = NULL;
924 	priv_key = NULL;
925 
926 	if (DH_generate_key(dh) != 1)
927 		goto err;
928 
929 	return dh;
930 
931 err:
932 	BN_free(p);
933 	BN_free(g);
934 	BN_free(pub_key);
935 	BN_clear_free(priv_key);
936 	DH_free(dh);
937 	return NULL;
938 #endif
939 }
940 
941 
942 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
943 				  const struct wpabuf *own_private)
944 {
945 	BIGNUM *pub_key;
946 	struct wpabuf *res = NULL;
947 	size_t rlen;
948 	DH *dh = ctx;
949 	int keylen;
950 
951 	if (ctx == NULL)
952 		return NULL;
953 
954 	pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
955 			    NULL);
956 	if (pub_key == NULL)
957 		return NULL;
958 
959 	rlen = DH_size(dh);
960 	res = wpabuf_alloc(rlen);
961 	if (res == NULL)
962 		goto err;
963 
964 	keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
965 	if (keylen < 0)
966 		goto err;
967 	wpabuf_put(res, keylen);
968 	BN_clear_free(pub_key);
969 
970 	return res;
971 
972 err:
973 	BN_clear_free(pub_key);
974 	wpabuf_clear_free(res);
975 	return NULL;
976 }
977 
978 
979 void dh5_free(void *ctx)
980 {
981 	DH *dh;
982 	if (ctx == NULL)
983 		return;
984 	dh = ctx;
985 	DH_free(dh);
986 }
987 
988 
989 struct crypto_hash {
990 	HMAC_CTX *ctx;
991 };
992 
993 
994 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
995 				      size_t key_len)
996 {
997 	struct crypto_hash *ctx;
998 	const EVP_MD *md;
999 
1000 	switch (alg) {
1001 #ifndef OPENSSL_NO_MD5
1002 	case CRYPTO_HASH_ALG_HMAC_MD5:
1003 		md = EVP_md5();
1004 		break;
1005 #endif /* OPENSSL_NO_MD5 */
1006 #ifndef OPENSSL_NO_SHA
1007 	case CRYPTO_HASH_ALG_HMAC_SHA1:
1008 		md = EVP_sha1();
1009 		break;
1010 #endif /* OPENSSL_NO_SHA */
1011 #ifndef OPENSSL_NO_SHA256
1012 #ifdef CONFIG_SHA256
1013 	case CRYPTO_HASH_ALG_HMAC_SHA256:
1014 		md = EVP_sha256();
1015 		break;
1016 #endif /* CONFIG_SHA256 */
1017 #endif /* OPENSSL_NO_SHA256 */
1018 	default:
1019 		return NULL;
1020 	}
1021 
1022 	ctx = os_zalloc(sizeof(*ctx));
1023 	if (ctx == NULL)
1024 		return NULL;
1025 	ctx->ctx = HMAC_CTX_new();
1026 	if (!ctx->ctx) {
1027 		os_free(ctx);
1028 		return NULL;
1029 	}
1030 
1031 	if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
1032 		HMAC_CTX_free(ctx->ctx);
1033 		bin_clear_free(ctx, sizeof(*ctx));
1034 		return NULL;
1035 	}
1036 
1037 	return ctx;
1038 }
1039 
1040 
1041 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
1042 {
1043 	if (ctx == NULL)
1044 		return;
1045 	HMAC_Update(ctx->ctx, data, len);
1046 }
1047 
1048 
1049 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
1050 {
1051 	unsigned int mdlen;
1052 	int res;
1053 
1054 	if (ctx == NULL)
1055 		return -2;
1056 
1057 	if (mac == NULL || len == NULL) {
1058 		HMAC_CTX_free(ctx->ctx);
1059 		bin_clear_free(ctx, sizeof(*ctx));
1060 		return 0;
1061 	}
1062 
1063 	mdlen = *len;
1064 	res = HMAC_Final(ctx->ctx, mac, &mdlen);
1065 	HMAC_CTX_free(ctx->ctx);
1066 	bin_clear_free(ctx, sizeof(*ctx));
1067 
1068 	if (TEST_FAIL())
1069 		return -1;
1070 
1071 	if (res == 1) {
1072 		*len = mdlen;
1073 		return 0;
1074 	}
1075 
1076 	return -1;
1077 }
1078 
1079 
1080 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
1081 			       size_t key_len, size_t num_elem,
1082 			       const u8 *addr[], const size_t *len, u8 *mac,
1083 			       unsigned int mdlen)
1084 {
1085 	HMAC_CTX *ctx;
1086 	size_t i;
1087 	int res;
1088 
1089 	if (TEST_FAIL())
1090 		return -1;
1091 
1092 	ctx = HMAC_CTX_new();
1093 	if (!ctx)
1094 		return -1;
1095 	res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
1096 	if (res != 1)
1097 		goto done;
1098 
1099 	for (i = 0; i < num_elem; i++)
1100 		HMAC_Update(ctx, addr[i], len[i]);
1101 
1102 	res = HMAC_Final(ctx, mac, &mdlen);
1103 done:
1104 	HMAC_CTX_free(ctx);
1105 
1106 	return res == 1 ? 0 : -1;
1107 }
1108 
1109 
1110 #ifndef CONFIG_FIPS
1111 
1112 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
1113 		    const u8 *addr[], const size_t *len, u8 *mac)
1114 {
1115 	return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
1116 				   mac, 16);
1117 }
1118 
1119 
1120 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1121 	     u8 *mac)
1122 {
1123 	return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
1124 }
1125 
1126 #endif /* CONFIG_FIPS */
1127 
1128 
1129 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
1130 		int iterations, u8 *buf, size_t buflen)
1131 {
1132 	if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
1133 				   ssid_len, iterations, buflen, buf) != 1)
1134 		return -1;
1135 	return 0;
1136 }
1137 
1138 
1139 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
1140 		     const u8 *addr[], const size_t *len, u8 *mac)
1141 {
1142 	return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
1143 				   len, mac, 20);
1144 }
1145 
1146 
1147 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1148 	       u8 *mac)
1149 {
1150 	return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
1151 }
1152 
1153 
1154 #ifdef CONFIG_SHA256
1155 
1156 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
1157 		       const u8 *addr[], const size_t *len, u8 *mac)
1158 {
1159 	return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
1160 				   len, mac, 32);
1161 }
1162 
1163 
1164 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
1165 		size_t data_len, u8 *mac)
1166 {
1167 	return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
1168 }
1169 
1170 #endif /* CONFIG_SHA256 */
1171 
1172 
1173 #ifdef CONFIG_SHA384
1174 
1175 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
1176 		       const u8 *addr[], const size_t *len, u8 *mac)
1177 {
1178 	return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
1179 				   len, mac, 48);
1180 }
1181 
1182 
1183 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
1184 		size_t data_len, u8 *mac)
1185 {
1186 	return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
1187 }
1188 
1189 #endif /* CONFIG_SHA384 */
1190 
1191 
1192 #ifdef CONFIG_SHA512
1193 
1194 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
1195 		       const u8 *addr[], const size_t *len, u8 *mac)
1196 {
1197 	return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
1198 				   len, mac, 64);
1199 }
1200 
1201 
1202 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
1203 		size_t data_len, u8 *mac)
1204 {
1205 	return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
1206 }
1207 
1208 #endif /* CONFIG_SHA512 */
1209 
1210 
1211 int crypto_get_random(void *buf, size_t len)
1212 {
1213 	if (RAND_bytes(buf, len) != 1)
1214 		return -1;
1215 	return 0;
1216 }
1217 
1218 
1219 #ifdef CONFIG_OPENSSL_CMAC
1220 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
1221 		     const u8 *addr[], const size_t *len, u8 *mac)
1222 {
1223 	CMAC_CTX *ctx;
1224 	int ret = -1;
1225 	size_t outlen, i;
1226 
1227 	if (TEST_FAIL())
1228 		return -1;
1229 
1230 	ctx = CMAC_CTX_new();
1231 	if (ctx == NULL)
1232 		return -1;
1233 
1234 	if (key_len == 32) {
1235 		if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
1236 			goto fail;
1237 	} else if (key_len == 16) {
1238 		if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
1239 			goto fail;
1240 	} else {
1241 		goto fail;
1242 	}
1243 	for (i = 0; i < num_elem; i++) {
1244 		if (!CMAC_Update(ctx, addr[i], len[i]))
1245 			goto fail;
1246 	}
1247 	if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
1248 		goto fail;
1249 
1250 	ret = 0;
1251 fail:
1252 	CMAC_CTX_free(ctx);
1253 	return ret;
1254 }
1255 
1256 
1257 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
1258 			 const u8 *addr[], const size_t *len, u8 *mac)
1259 {
1260 	return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
1261 }
1262 
1263 
1264 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1265 {
1266 	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
1267 }
1268 
1269 
1270 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1271 {
1272 	return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
1273 }
1274 #endif /* CONFIG_OPENSSL_CMAC */
1275 
1276 
1277 struct crypto_bignum * crypto_bignum_init(void)
1278 {
1279 	if (TEST_FAIL())
1280 		return NULL;
1281 	return (struct crypto_bignum *) BN_new();
1282 }
1283 
1284 
1285 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
1286 {
1287 	BIGNUM *bn;
1288 
1289 	if (TEST_FAIL())
1290 		return NULL;
1291 
1292 	bn = BN_bin2bn(buf, len, NULL);
1293 	return (struct crypto_bignum *) bn;
1294 }
1295 
1296 
1297 struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
1298 {
1299 	BIGNUM *bn;
1300 
1301 	if (TEST_FAIL())
1302 		return NULL;
1303 
1304 	bn = BN_new();
1305 	if (!bn)
1306 		return NULL;
1307 	if (BN_set_word(bn, val) != 1) {
1308 		BN_free(bn);
1309 		return NULL;
1310 	}
1311 	return (struct crypto_bignum *) bn;
1312 }
1313 
1314 
1315 void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
1316 {
1317 	if (clear)
1318 		BN_clear_free((BIGNUM *) n);
1319 	else
1320 		BN_free((BIGNUM *) n);
1321 }
1322 
1323 
1324 int crypto_bignum_to_bin(const struct crypto_bignum *a,
1325 			 u8 *buf, size_t buflen, size_t padlen)
1326 {
1327 	int num_bytes, offset;
1328 
1329 	if (TEST_FAIL())
1330 		return -1;
1331 
1332 	if (padlen > buflen)
1333 		return -1;
1334 
1335 	if (padlen) {
1336 #ifdef OPENSSL_IS_BORINGSSL
1337 		if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
1338 			return -1;
1339 		return padlen;
1340 #else /* OPENSSL_IS_BORINGSSL */
1341 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
1342 		return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
1343 #endif
1344 #endif
1345 	}
1346 
1347 	num_bytes = BN_num_bytes((const BIGNUM *) a);
1348 	if ((size_t) num_bytes > buflen)
1349 		return -1;
1350 	if (padlen > (size_t) num_bytes)
1351 		offset = padlen - num_bytes;
1352 	else
1353 		offset = 0;
1354 
1355 	os_memset(buf, 0, offset);
1356 	BN_bn2bin((const BIGNUM *) a, buf + offset);
1357 
1358 	return num_bytes + offset;
1359 }
1360 
1361 
1362 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
1363 {
1364 	if (TEST_FAIL())
1365 		return -1;
1366 	return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1;
1367 }
1368 
1369 
1370 int crypto_bignum_add(const struct crypto_bignum *a,
1371 		      const struct crypto_bignum *b,
1372 		      struct crypto_bignum *c)
1373 {
1374 	return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1375 		0 : -1;
1376 }
1377 
1378 
1379 int crypto_bignum_mod(const struct crypto_bignum *a,
1380 		      const struct crypto_bignum *b,
1381 		      struct crypto_bignum *c)
1382 {
1383 	int res;
1384 	BN_CTX *bnctx;
1385 
1386 	bnctx = BN_CTX_new();
1387 	if (bnctx == NULL)
1388 		return -1;
1389 	res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1390 		     bnctx);
1391 	BN_CTX_free(bnctx);
1392 
1393 	return res ? 0 : -1;
1394 }
1395 
1396 
1397 int crypto_bignum_exptmod(const struct crypto_bignum *a,
1398 			  const struct crypto_bignum *b,
1399 			  const struct crypto_bignum *c,
1400 			  struct crypto_bignum *d)
1401 {
1402 	int res;
1403 	BN_CTX *bnctx;
1404 
1405 	if (TEST_FAIL())
1406 		return -1;
1407 
1408 	bnctx = BN_CTX_new();
1409 	if (bnctx == NULL)
1410 		return -1;
1411 	res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
1412 					(const BIGNUM *) b, (const BIGNUM *) c,
1413 					bnctx, NULL);
1414 	BN_CTX_free(bnctx);
1415 
1416 	return res ? 0 : -1;
1417 }
1418 
1419 
1420 int crypto_bignum_inverse(const struct crypto_bignum *a,
1421 			  const struct crypto_bignum *b,
1422 			  struct crypto_bignum *c)
1423 {
1424 	BIGNUM *res;
1425 	BN_CTX *bnctx;
1426 
1427 	if (TEST_FAIL())
1428 		return -1;
1429 	bnctx = BN_CTX_new();
1430 	if (bnctx == NULL)
1431 		return -1;
1432 #ifdef OPENSSL_IS_BORINGSSL
1433 	/* TODO: use BN_mod_inverse_blinded() ? */
1434 #else /* OPENSSL_IS_BORINGSSL */
1435 	BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
1436 #endif /* OPENSSL_IS_BORINGSSL */
1437 	res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
1438 			     (const BIGNUM *) b, bnctx);
1439 	BN_CTX_free(bnctx);
1440 
1441 	return res ? 0 : -1;
1442 }
1443 
1444 
1445 int crypto_bignum_sub(const struct crypto_bignum *a,
1446 		      const struct crypto_bignum *b,
1447 		      struct crypto_bignum *c)
1448 {
1449 	if (TEST_FAIL())
1450 		return -1;
1451 	return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1452 		0 : -1;
1453 }
1454 
1455 
1456 int crypto_bignum_div(const struct crypto_bignum *a,
1457 		      const struct crypto_bignum *b,
1458 		      struct crypto_bignum *c)
1459 {
1460 	int res;
1461 
1462 	BN_CTX *bnctx;
1463 
1464 	if (TEST_FAIL())
1465 		return -1;
1466 
1467 	bnctx = BN_CTX_new();
1468 	if (bnctx == NULL)
1469 		return -1;
1470 #ifndef OPENSSL_IS_BORINGSSL
1471 	BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
1472 #endif /* OPENSSL_IS_BORINGSSL */
1473 	res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
1474 		     (const BIGNUM *) b, bnctx);
1475 	BN_CTX_free(bnctx);
1476 
1477 	return res ? 0 : -1;
1478 }
1479 
1480 
1481 int crypto_bignum_addmod(const struct crypto_bignum *a,
1482 			 const struct crypto_bignum *b,
1483 			 const struct crypto_bignum *c,
1484 			 struct crypto_bignum *d)
1485 {
1486 	int res;
1487 	BN_CTX *bnctx;
1488 
1489 	if (TEST_FAIL())
1490 		return -1;
1491 
1492 	bnctx = BN_CTX_new();
1493 	if (!bnctx)
1494 		return -1;
1495 	res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1496 			 (const BIGNUM *) c, bnctx);
1497 	BN_CTX_free(bnctx);
1498 
1499 	return res ? 0 : -1;
1500 }
1501 
1502 
1503 int crypto_bignum_mulmod(const struct crypto_bignum *a,
1504 			 const struct crypto_bignum *b,
1505 			 const struct crypto_bignum *c,
1506 			 struct crypto_bignum *d)
1507 {
1508 	int res;
1509 
1510 	BN_CTX *bnctx;
1511 
1512 	if (TEST_FAIL())
1513 		return -1;
1514 
1515 	bnctx = BN_CTX_new();
1516 	if (bnctx == NULL)
1517 		return -1;
1518 	res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1519 			 (const BIGNUM *) c, bnctx);
1520 	BN_CTX_free(bnctx);
1521 
1522 	return res ? 0 : -1;
1523 }
1524 
1525 
1526 int crypto_bignum_sqrmod(const struct crypto_bignum *a,
1527 			 const struct crypto_bignum *b,
1528 			 struct crypto_bignum *c)
1529 {
1530 	int res;
1531 	BN_CTX *bnctx;
1532 
1533 	if (TEST_FAIL())
1534 		return -1;
1535 
1536 	bnctx = BN_CTX_new();
1537 	if (!bnctx)
1538 		return -1;
1539 	res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1540 			 bnctx);
1541 	BN_CTX_free(bnctx);
1542 
1543 	return res ? 0 : -1;
1544 }
1545 
1546 
1547 int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
1548 			 struct crypto_bignum *r)
1549 {
1550 	/* Note: BN_rshift() does not modify the first argument even though it
1551 	 * has not been marked const. */
1552 	return BN_rshift((BIGNUM *) a, (BIGNUM *) r, n) == 1 ? 0 : -1;
1553 }
1554 
1555 
1556 int crypto_bignum_cmp(const struct crypto_bignum *a,
1557 		      const struct crypto_bignum *b)
1558 {
1559 	return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
1560 }
1561 
1562 
1563 int crypto_bignum_is_zero(const struct crypto_bignum *a)
1564 {
1565 	return BN_is_zero((const BIGNUM *) a);
1566 }
1567 
1568 
1569 int crypto_bignum_is_one(const struct crypto_bignum *a)
1570 {
1571 	return BN_is_one((const BIGNUM *) a);
1572 }
1573 
1574 
1575 int crypto_bignum_is_odd(const struct crypto_bignum *a)
1576 {
1577 	return BN_is_odd((const BIGNUM *) a);
1578 }
1579 
1580 
1581 int crypto_bignum_legendre(const struct crypto_bignum *a,
1582 			   const struct crypto_bignum *p)
1583 {
1584 	BN_CTX *bnctx;
1585 	BIGNUM *exp = NULL, *tmp = NULL;
1586 	int res = -2;
1587 	unsigned int mask;
1588 
1589 	if (TEST_FAIL())
1590 		return -2;
1591 
1592 	bnctx = BN_CTX_new();
1593 	if (bnctx == NULL)
1594 		return -2;
1595 
1596 	exp = BN_new();
1597 	tmp = BN_new();
1598 	if (!exp || !tmp ||
1599 	    /* exp = (p-1) / 2 */
1600 	    !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
1601 	    !BN_rshift1(exp, exp) ||
1602 	    !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
1603 				       (const BIGNUM *) p, bnctx, NULL))
1604 		goto fail;
1605 
1606 	/* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
1607 	 * constant time selection to avoid branches here. */
1608 	res = -1;
1609 	mask = const_time_eq(BN_is_word(tmp, 1), 1);
1610 	res = const_time_select_int(mask, 1, res);
1611 	mask = const_time_eq(BN_is_zero(tmp), 1);
1612 	res = const_time_select_int(mask, 0, res);
1613 
1614 fail:
1615 	BN_clear_free(tmp);
1616 	BN_clear_free(exp);
1617 	BN_CTX_free(bnctx);
1618 	return res;
1619 }
1620 
1621 
1622 #ifdef CONFIG_ECC
1623 
1624 struct crypto_ec {
1625 	EC_GROUP *group;
1626 	int nid;
1627 	BN_CTX *bnctx;
1628 	BIGNUM *prime;
1629 	BIGNUM *order;
1630 	BIGNUM *a;
1631 	BIGNUM *b;
1632 };
1633 
1634 struct crypto_ec * crypto_ec_init(int group)
1635 {
1636 	struct crypto_ec *e;
1637 	int nid;
1638 
1639 	/* Map from IANA registry for IKE D-H groups to OpenSSL NID */
1640 	switch (group) {
1641 	case 19:
1642 		nid = NID_X9_62_prime256v1;
1643 		break;
1644 	case 20:
1645 		nid = NID_secp384r1;
1646 		break;
1647 	case 21:
1648 		nid = NID_secp521r1;
1649 		break;
1650 	case 25:
1651 		nid = NID_X9_62_prime192v1;
1652 		break;
1653 	case 26:
1654 		nid = NID_secp224r1;
1655 		break;
1656 #ifdef NID_brainpoolP224r1
1657 	case 27:
1658 		nid = NID_brainpoolP224r1;
1659 		break;
1660 #endif /* NID_brainpoolP224r1 */
1661 #ifdef NID_brainpoolP256r1
1662 	case 28:
1663 		nid = NID_brainpoolP256r1;
1664 		break;
1665 #endif /* NID_brainpoolP256r1 */
1666 #ifdef NID_brainpoolP384r1
1667 	case 29:
1668 		nid = NID_brainpoolP384r1;
1669 		break;
1670 #endif /* NID_brainpoolP384r1 */
1671 #ifdef NID_brainpoolP512r1
1672 	case 30:
1673 		nid = NID_brainpoolP512r1;
1674 		break;
1675 #endif /* NID_brainpoolP512r1 */
1676 	default:
1677 		return NULL;
1678 	}
1679 
1680 	e = os_zalloc(sizeof(*e));
1681 	if (e == NULL)
1682 		return NULL;
1683 
1684 	e->nid = nid;
1685 	e->bnctx = BN_CTX_new();
1686 	e->group = EC_GROUP_new_by_curve_name(nid);
1687 	e->prime = BN_new();
1688 	e->order = BN_new();
1689 	e->a = BN_new();
1690 	e->b = BN_new();
1691 	if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
1692 	    e->order == NULL || e->a == NULL || e->b == NULL ||
1693 	    !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) ||
1694 	    !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
1695 		crypto_ec_deinit(e);
1696 		e = NULL;
1697 	}
1698 
1699 	return e;
1700 }
1701 
1702 
1703 void crypto_ec_deinit(struct crypto_ec *e)
1704 {
1705 	if (e == NULL)
1706 		return;
1707 	BN_clear_free(e->b);
1708 	BN_clear_free(e->a);
1709 	BN_clear_free(e->order);
1710 	BN_clear_free(e->prime);
1711 	EC_GROUP_free(e->group);
1712 	BN_CTX_free(e->bnctx);
1713 	os_free(e);
1714 }
1715 
1716 
1717 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
1718 {
1719 	if (TEST_FAIL())
1720 		return NULL;
1721 	if (e == NULL)
1722 		return NULL;
1723 	return (struct crypto_ec_point *) EC_POINT_new(e->group);
1724 }
1725 
1726 
1727 size_t crypto_ec_prime_len(struct crypto_ec *e)
1728 {
1729 	return BN_num_bytes(e->prime);
1730 }
1731 
1732 
1733 size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
1734 {
1735 	return BN_num_bits(e->prime);
1736 }
1737 
1738 
1739 size_t crypto_ec_order_len(struct crypto_ec *e)
1740 {
1741 	return BN_num_bytes(e->order);
1742 }
1743 
1744 
1745 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
1746 {
1747 	return (const struct crypto_bignum *) e->prime;
1748 }
1749 
1750 
1751 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
1752 {
1753 	return (const struct crypto_bignum *) e->order;
1754 }
1755 
1756 
1757 const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
1758 {
1759 	return (const struct crypto_bignum *) e->a;
1760 }
1761 
1762 
1763 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
1764 {
1765 	return (const struct crypto_bignum *) e->b;
1766 }
1767 
1768 
1769 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
1770 {
1771 	if (clear)
1772 		EC_POINT_clear_free((EC_POINT *) p);
1773 	else
1774 		EC_POINT_free((EC_POINT *) p);
1775 }
1776 
1777 
1778 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p,
1779 		      struct crypto_bignum *x)
1780 {
1781 	return EC_POINT_get_affine_coordinates_GFp(e->group,
1782 						   (const EC_POINT *) p,
1783 						   (BIGNUM *) x, NULL,
1784 						   e->bnctx) == 1 ? 0 : -1;
1785 }
1786 
1787 
1788 int crypto_ec_point_to_bin(struct crypto_ec *e,
1789 			   const struct crypto_ec_point *point, u8 *x, u8 *y)
1790 {
1791 	BIGNUM *x_bn, *y_bn;
1792 	int ret = -1;
1793 	int len = BN_num_bytes(e->prime);
1794 
1795 	if (TEST_FAIL())
1796 		return -1;
1797 
1798 	x_bn = BN_new();
1799 	y_bn = BN_new();
1800 
1801 	if (x_bn && y_bn &&
1802 	    EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point,
1803 						x_bn, y_bn, e->bnctx)) {
1804 		if (x) {
1805 			crypto_bignum_to_bin((struct crypto_bignum *) x_bn,
1806 					     x, len, len);
1807 		}
1808 		if (y) {
1809 			crypto_bignum_to_bin((struct crypto_bignum *) y_bn,
1810 					     y, len, len);
1811 		}
1812 		ret = 0;
1813 	}
1814 
1815 	BN_clear_free(x_bn);
1816 	BN_clear_free(y_bn);
1817 	return ret;
1818 }
1819 
1820 
1821 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
1822 						  const u8 *val)
1823 {
1824 	BIGNUM *x, *y;
1825 	EC_POINT *elem;
1826 	int len = BN_num_bytes(e->prime);
1827 
1828 	if (TEST_FAIL())
1829 		return NULL;
1830 
1831 	x = BN_bin2bn(val, len, NULL);
1832 	y = BN_bin2bn(val + len, len, NULL);
1833 	elem = EC_POINT_new(e->group);
1834 	if (x == NULL || y == NULL || elem == NULL) {
1835 		BN_clear_free(x);
1836 		BN_clear_free(y);
1837 		EC_POINT_clear_free(elem);
1838 		return NULL;
1839 	}
1840 
1841 	if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y,
1842 						 e->bnctx)) {
1843 		EC_POINT_clear_free(elem);
1844 		elem = NULL;
1845 	}
1846 
1847 	BN_clear_free(x);
1848 	BN_clear_free(y);
1849 
1850 	return (struct crypto_ec_point *) elem;
1851 }
1852 
1853 
1854 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
1855 			const struct crypto_ec_point *b,
1856 			struct crypto_ec_point *c)
1857 {
1858 	if (TEST_FAIL())
1859 		return -1;
1860 	return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
1861 			    (const EC_POINT *) b, e->bnctx) ? 0 : -1;
1862 }
1863 
1864 
1865 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
1866 			const struct crypto_bignum *b,
1867 			struct crypto_ec_point *res)
1868 {
1869 	if (TEST_FAIL())
1870 		return -1;
1871 	return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
1872 			    (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
1873 		? 0 : -1;
1874 }
1875 
1876 
1877 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
1878 {
1879 	if (TEST_FAIL())
1880 		return -1;
1881 	return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
1882 }
1883 
1884 
1885 int crypto_ec_point_solve_y_coord(struct crypto_ec *e,
1886 				  struct crypto_ec_point *p,
1887 				  const struct crypto_bignum *x, int y_bit)
1888 {
1889 	if (TEST_FAIL())
1890 		return -1;
1891 	if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p,
1892 						     (const BIGNUM *) x, y_bit,
1893 						     e->bnctx) ||
1894 	    !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx))
1895 		return -1;
1896 	return 0;
1897 }
1898 
1899 
1900 struct crypto_bignum *
1901 crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
1902 			      const struct crypto_bignum *x)
1903 {
1904 	BIGNUM *tmp, *tmp2, *y_sqr = NULL;
1905 
1906 	if (TEST_FAIL())
1907 		return NULL;
1908 
1909 	tmp = BN_new();
1910 	tmp2 = BN_new();
1911 
1912 	/* y^2 = x^3 + ax + b */
1913 	if (tmp && tmp2 &&
1914 	    BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1915 	    BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1916 	    BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) &&
1917 	    BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) &&
1918 	    BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) {
1919 		y_sqr = tmp2;
1920 		tmp2 = NULL;
1921 	}
1922 
1923 	BN_clear_free(tmp);
1924 	BN_clear_free(tmp2);
1925 
1926 	return (struct crypto_bignum *) y_sqr;
1927 }
1928 
1929 
1930 int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
1931 				   const struct crypto_ec_point *p)
1932 {
1933 	return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
1934 }
1935 
1936 
1937 int crypto_ec_point_is_on_curve(struct crypto_ec *e,
1938 				const struct crypto_ec_point *p)
1939 {
1940 	return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
1941 				    e->bnctx) == 1;
1942 }
1943 
1944 
1945 int crypto_ec_point_cmp(const struct crypto_ec *e,
1946 			const struct crypto_ec_point *a,
1947 			const struct crypto_ec_point *b)
1948 {
1949 	return EC_POINT_cmp(e->group, (const EC_POINT *) a,
1950 			    (const EC_POINT *) b, e->bnctx);
1951 }
1952 
1953 
1954 struct crypto_ecdh {
1955 	struct crypto_ec *ec;
1956 	EVP_PKEY *pkey;
1957 };
1958 
1959 struct crypto_ecdh * crypto_ecdh_init(int group)
1960 {
1961 	struct crypto_ecdh *ecdh;
1962 	EVP_PKEY *params = NULL;
1963 	EC_KEY *ec_params = NULL;
1964 	EVP_PKEY_CTX *kctx = NULL;
1965 
1966 	ecdh = os_zalloc(sizeof(*ecdh));
1967 	if (!ecdh)
1968 		goto fail;
1969 
1970 	ecdh->ec = crypto_ec_init(group);
1971 	if (!ecdh->ec)
1972 		goto fail;
1973 
1974 	ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid);
1975 	if (!ec_params) {
1976 		wpa_printf(MSG_ERROR,
1977 			   "OpenSSL: Failed to generate EC_KEY parameters");
1978 		goto fail;
1979 	}
1980 	EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
1981 	params = EVP_PKEY_new();
1982 	if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
1983 		wpa_printf(MSG_ERROR,
1984 			   "OpenSSL: Failed to generate EVP_PKEY parameters");
1985 		goto fail;
1986 	}
1987 
1988 	kctx = EVP_PKEY_CTX_new(params, NULL);
1989 	if (!kctx)
1990 		goto fail;
1991 
1992 	if (EVP_PKEY_keygen_init(kctx) != 1) {
1993 		wpa_printf(MSG_ERROR,
1994 			   "OpenSSL: EVP_PKEY_keygen_init failed: %s",
1995 			   ERR_error_string(ERR_get_error(), NULL));
1996 		goto fail;
1997 	}
1998 
1999 	if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) {
2000 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s",
2001 			   ERR_error_string(ERR_get_error(), NULL));
2002 		goto fail;
2003 	}
2004 
2005 done:
2006 	EC_KEY_free(ec_params);
2007 	EVP_PKEY_free(params);
2008 	EVP_PKEY_CTX_free(kctx);
2009 
2010 	return ecdh;
2011 fail:
2012 	crypto_ecdh_deinit(ecdh);
2013 	ecdh = NULL;
2014 	goto done;
2015 }
2016 
2017 
2018 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y)
2019 {
2020 	struct wpabuf *buf = NULL;
2021 	EC_KEY *eckey;
2022 	const EC_POINT *pubkey;
2023 	BIGNUM *x, *y = NULL;
2024 	int len = BN_num_bytes(ecdh->ec->prime);
2025 	int res;
2026 
2027 	eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey);
2028 	if (!eckey)
2029 		return NULL;
2030 
2031 	pubkey = EC_KEY_get0_public_key(eckey);
2032 	if (!pubkey)
2033 		return NULL;
2034 
2035 	x = BN_new();
2036 	if (inc_y) {
2037 		y = BN_new();
2038 		if (!y)
2039 			goto fail;
2040 	}
2041 	buf = wpabuf_alloc(inc_y ? 2 * len : len);
2042 	if (!x || !buf)
2043 		goto fail;
2044 
2045 	if (EC_POINT_get_affine_coordinates_GFp(ecdh->ec->group, pubkey,
2046 						x, y, ecdh->ec->bnctx) != 1) {
2047 		wpa_printf(MSG_ERROR,
2048 			   "OpenSSL: EC_POINT_get_affine_coordinates_GFp failed: %s",
2049 			   ERR_error_string(ERR_get_error(), NULL));
2050 		goto fail;
2051 	}
2052 
2053 	res = crypto_bignum_to_bin((struct crypto_bignum *) x,
2054 				   wpabuf_put(buf, len), len, len);
2055 	if (res < 0)
2056 		goto fail;
2057 
2058 	if (inc_y) {
2059 		res = crypto_bignum_to_bin((struct crypto_bignum *) y,
2060 					   wpabuf_put(buf, len), len, len);
2061 		if (res < 0)
2062 			goto fail;
2063 	}
2064 
2065 done:
2066 	BN_clear_free(x);
2067 	BN_clear_free(y);
2068 	EC_KEY_free(eckey);
2069 
2070 	return buf;
2071 fail:
2072 	wpabuf_free(buf);
2073 	buf = NULL;
2074 	goto done;
2075 }
2076 
2077 
2078 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
2079 					const u8 *key, size_t len)
2080 {
2081 	BIGNUM *x, *y = NULL;
2082 	EVP_PKEY_CTX *ctx = NULL;
2083 	EVP_PKEY *peerkey = NULL;
2084 	struct wpabuf *secret = NULL;
2085 	size_t secret_len;
2086 	EC_POINT *pub;
2087 	EC_KEY *eckey = NULL;
2088 
2089 	x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL);
2090 	pub = EC_POINT_new(ecdh->ec->group);
2091 	if (!x || !pub)
2092 		goto fail;
2093 
2094 	if (inc_y) {
2095 		y = BN_bin2bn(key + len / 2, len / 2, NULL);
2096 		if (!y)
2097 			goto fail;
2098 		if (!EC_POINT_set_affine_coordinates_GFp(ecdh->ec->group, pub,
2099 							 x, y,
2100 							 ecdh->ec->bnctx)) {
2101 			wpa_printf(MSG_ERROR,
2102 				   "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
2103 				   ERR_error_string(ERR_get_error(), NULL));
2104 			goto fail;
2105 		}
2106 	} else if (!EC_POINT_set_compressed_coordinates_GFp(ecdh->ec->group,
2107 							    pub, x, 0,
2108 							    ecdh->ec->bnctx)) {
2109 		wpa_printf(MSG_ERROR,
2110 			   "OpenSSL: EC_POINT_set_compressed_coordinates_GFp failed: %s",
2111 			   ERR_error_string(ERR_get_error(), NULL));
2112 		goto fail;
2113 	}
2114 
2115 	if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) {
2116 		wpa_printf(MSG_ERROR,
2117 			   "OpenSSL: ECDH peer public key is not on curve");
2118 		goto fail;
2119 	}
2120 
2121 	eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2122 	if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) {
2123 		wpa_printf(MSG_ERROR,
2124 			   "OpenSSL: EC_KEY_set_public_key failed: %s",
2125 			   ERR_error_string(ERR_get_error(), NULL));
2126 		goto fail;
2127 	}
2128 
2129 	peerkey = EVP_PKEY_new();
2130 	if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1)
2131 		goto fail;
2132 
2133 	ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
2134 	if (!ctx || EVP_PKEY_derive_init(ctx) != 1 ||
2135 	    EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
2136 	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) {
2137 		wpa_printf(MSG_ERROR,
2138 			   "OpenSSL: EVP_PKEY_derive(1) failed: %s",
2139 			   ERR_error_string(ERR_get_error(), NULL));
2140 		goto fail;
2141 	}
2142 
2143 	secret = wpabuf_alloc(secret_len);
2144 	if (!secret)
2145 		goto fail;
2146 	if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
2147 		wpa_printf(MSG_ERROR,
2148 			   "OpenSSL: EVP_PKEY_derive(2) failed: %s",
2149 			   ERR_error_string(ERR_get_error(), NULL));
2150 		goto fail;
2151 	}
2152 	if (secret->size != secret_len)
2153 		wpa_printf(MSG_DEBUG,
2154 			   "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
2155 			   (int) secret->size, (int) secret_len);
2156 	wpabuf_put(secret, secret_len);
2157 
2158 done:
2159 	BN_free(x);
2160 	BN_free(y);
2161 	EC_KEY_free(eckey);
2162 	EC_POINT_free(pub);
2163 	EVP_PKEY_CTX_free(ctx);
2164 	EVP_PKEY_free(peerkey);
2165 	return secret;
2166 fail:
2167 	wpabuf_free(secret);
2168 	secret = NULL;
2169 	goto done;
2170 }
2171 
2172 
2173 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
2174 {
2175 	if (ecdh) {
2176 		crypto_ec_deinit(ecdh->ec);
2177 		EVP_PKEY_free(ecdh->pkey);
2178 		os_free(ecdh);
2179 	}
2180 }
2181 
2182 
2183 size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
2184 {
2185 	return crypto_ec_prime_len(ecdh->ec);
2186 }
2187 
2188 
2189 struct crypto_ec_key {
2190 	EVP_PKEY *pkey;
2191 	EC_KEY *eckey;
2192 };
2193 
2194 
2195 struct crypto_ec_key * crypto_ec_key_parse_priv(const u8 *der, size_t der_len)
2196 {
2197 	struct crypto_ec_key *key;
2198 
2199 	key = os_zalloc(sizeof(*key));
2200 	if (!key)
2201 		return NULL;
2202 
2203 	key->eckey = d2i_ECPrivateKey(NULL, &der, der_len);
2204 	if (!key->eckey) {
2205 		wpa_printf(MSG_INFO, "OpenSSL: d2i_ECPrivateKey() failed: %s",
2206 			   ERR_error_string(ERR_get_error(), NULL));
2207 		goto fail;
2208 	}
2209 	EC_KEY_set_conv_form(key->eckey, POINT_CONVERSION_COMPRESSED);
2210 
2211 	key->pkey = EVP_PKEY_new();
2212 	if (!key->pkey || EVP_PKEY_assign_EC_KEY(key->pkey, key->eckey) != 1) {
2213 		EC_KEY_free(key->eckey);
2214 		key->eckey = NULL;
2215 		goto fail;
2216 	}
2217 
2218 	return key;
2219 fail:
2220 	crypto_ec_key_deinit(key);
2221 	return NULL;
2222 }
2223 
2224 
2225 struct crypto_ec_key * crypto_ec_key_parse_pub(const u8 *der, size_t der_len)
2226 {
2227 	struct crypto_ec_key *key;
2228 
2229 	key = os_zalloc(sizeof(*key));
2230 	if (!key)
2231 		return NULL;
2232 
2233 	key->pkey = d2i_PUBKEY(NULL, &der, der_len);
2234 	if (!key->pkey) {
2235 		wpa_printf(MSG_INFO, "OpenSSL: d2i_PUBKEY() failed: %s",
2236 			   ERR_error_string(ERR_get_error(), NULL));
2237 		goto fail;
2238 	}
2239 
2240 	key->eckey = EVP_PKEY_get0_EC_KEY(key->pkey);
2241 	if (!key->eckey)
2242 		goto fail;
2243 	return key;
2244 fail:
2245 	crypto_ec_key_deinit(key);
2246 	return NULL;
2247 }
2248 
2249 
2250 void crypto_ec_key_deinit(struct crypto_ec_key *key)
2251 {
2252 	if (key) {
2253 		EVP_PKEY_free(key->pkey);
2254 		os_free(key);
2255 	}
2256 }
2257 
2258 
2259 struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
2260 {
2261 	unsigned char *der = NULL;
2262 	int der_len;
2263 	struct wpabuf *buf;
2264 
2265 	der_len = i2d_PUBKEY(key->pkey, &der);
2266 	if (der_len <= 0) {
2267 		wpa_printf(MSG_INFO, "OpenSSL: i2d_PUBKEY() failed: %s",
2268 			   ERR_error_string(ERR_get_error(), NULL));
2269 		return NULL;
2270 	}
2271 
2272 	buf = wpabuf_alloc_copy(der, der_len);
2273 	OPENSSL_free(der);
2274 	return buf;
2275 }
2276 
2277 
2278 struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
2279 				   size_t len)
2280 {
2281 	EVP_PKEY_CTX *pkctx;
2282 	struct wpabuf *sig_der;
2283 	size_t sig_len;
2284 
2285 	sig_len = EVP_PKEY_size(key->pkey);
2286 	sig_der = wpabuf_alloc(sig_len);
2287 	if (!sig_der)
2288 		return NULL;
2289 
2290 	pkctx = EVP_PKEY_CTX_new(key->pkey, NULL);
2291 	if (!pkctx ||
2292 	    EVP_PKEY_sign_init(pkctx) <= 0 ||
2293 	    EVP_PKEY_sign(pkctx, wpabuf_put(sig_der, 0), &sig_len,
2294 			  data, len) <= 0) {
2295 		wpabuf_free(sig_der);
2296 		sig_der = NULL;
2297 	} else {
2298 		wpabuf_put(sig_der, sig_len);
2299 	}
2300 
2301 	EVP_PKEY_CTX_free(pkctx);
2302 	return sig_der;
2303 }
2304 
2305 
2306 int crypto_ec_key_verify_signature(struct crypto_ec_key *key, const u8 *data,
2307 				   size_t len, const u8 *sig, size_t sig_len)
2308 {
2309 	EVP_PKEY_CTX *pkctx;
2310 	int ret;
2311 
2312 	pkctx = EVP_PKEY_CTX_new(key->pkey, NULL);
2313 	if (!pkctx || EVP_PKEY_verify_init(pkctx) <= 0) {
2314 		EVP_PKEY_CTX_free(pkctx);
2315 		return -1;
2316 	}
2317 
2318 	ret = EVP_PKEY_verify(pkctx, sig, sig_len, data, len);
2319 	EVP_PKEY_CTX_free(pkctx);
2320 	if (ret == 1)
2321 		return 1; /* signature ok */
2322 	if (ret == 0)
2323 		return 0; /* incorrect signature */
2324 	return -1;
2325 }
2326 
2327 
2328 int crypto_ec_key_group(struct crypto_ec_key *key)
2329 {
2330 	const EC_GROUP *group;
2331 	int nid;
2332 
2333 	group = EC_KEY_get0_group(key->eckey);
2334 	if (!group)
2335 		return -1;
2336 	nid = EC_GROUP_get_curve_name(group);
2337 	switch (nid) {
2338 	case NID_X9_62_prime256v1:
2339 		return 19;
2340 	case NID_secp384r1:
2341 		return 20;
2342 	case NID_secp521r1:
2343 		return 21;
2344 	}
2345 	return -1;
2346 }
2347 
2348 #endif /* CONFIG_ECC */
2349