1 /* 2 * Wrapper functions for libwolfssl 3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto.h" 13 14 /* wolfSSL headers */ 15 #include <wolfssl/options.h> 16 #include <wolfssl/wolfcrypt/md4.h> 17 #include <wolfssl/wolfcrypt/md5.h> 18 #include <wolfssl/wolfcrypt/sha.h> 19 #include <wolfssl/wolfcrypt/sha256.h> 20 #include <wolfssl/wolfcrypt/sha512.h> 21 #include <wolfssl/wolfcrypt/hmac.h> 22 #include <wolfssl/wolfcrypt/pwdbased.h> 23 #include <wolfssl/wolfcrypt/arc4.h> 24 #include <wolfssl/wolfcrypt/des3.h> 25 #include <wolfssl/wolfcrypt/aes.h> 26 #include <wolfssl/wolfcrypt/dh.h> 27 #include <wolfssl/wolfcrypt/cmac.h> 28 #include <wolfssl/wolfcrypt/ecc.h> 29 #include <wolfssl/openssl/bn.h> 30 31 32 #ifndef CONFIG_FIPS 33 34 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 35 { 36 Md4 md4; 37 size_t i; 38 39 if (TEST_FAIL()) 40 return -1; 41 42 wc_InitMd4(&md4); 43 44 for (i = 0; i < num_elem; i++) 45 wc_Md4Update(&md4, addr[i], len[i]); 46 47 wc_Md4Final(&md4, mac); 48 49 return 0; 50 } 51 52 53 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 54 { 55 wc_Md5 md5; 56 size_t i; 57 58 if (TEST_FAIL()) 59 return -1; 60 61 wc_InitMd5(&md5); 62 63 for (i = 0; i < num_elem; i++) 64 wc_Md5Update(&md5, addr[i], len[i]); 65 66 wc_Md5Final(&md5, mac); 67 68 return 0; 69 } 70 71 #endif /* CONFIG_FIPS */ 72 73 74 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 75 { 76 wc_Sha sha; 77 size_t i; 78 79 if (TEST_FAIL()) 80 return -1; 81 82 wc_InitSha(&sha); 83 84 for (i = 0; i < num_elem; i++) 85 wc_ShaUpdate(&sha, addr[i], len[i]); 86 87 wc_ShaFinal(&sha, mac); 88 89 return 0; 90 } 91 92 93 #ifndef NO_SHA256_WRAPPER 94 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, 95 u8 *mac) 96 { 97 wc_Sha256 sha256; 98 size_t i; 99 100 if (TEST_FAIL()) 101 return -1; 102 103 wc_InitSha256(&sha256); 104 105 for (i = 0; i < num_elem; i++) 106 wc_Sha256Update(&sha256, addr[i], len[i]); 107 108 wc_Sha256Final(&sha256, mac); 109 110 return 0; 111 } 112 #endif /* NO_SHA256_WRAPPER */ 113 114 115 #ifdef CONFIG_SHA384 116 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len, 117 u8 *mac) 118 { 119 wc_Sha384 sha384; 120 size_t i; 121 122 if (TEST_FAIL()) 123 return -1; 124 125 wc_InitSha384(&sha384); 126 127 for (i = 0; i < num_elem; i++) 128 wc_Sha384Update(&sha384, addr[i], len[i]); 129 130 wc_Sha384Final(&sha384, mac); 131 132 return 0; 133 } 134 #endif /* CONFIG_SHA384 */ 135 136 137 #ifdef CONFIG_SHA512 138 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len, 139 u8 *mac) 140 { 141 wc_Sha512 sha512; 142 size_t i; 143 144 if (TEST_FAIL()) 145 return -1; 146 147 wc_InitSha512(&sha512); 148 149 for (i = 0; i < num_elem; i++) 150 wc_Sha512Update(&sha512, addr[i], len[i]); 151 152 wc_Sha512Final(&sha512, mac); 153 154 return 0; 155 } 156 #endif /* CONFIG_SHA512 */ 157 158 159 static int wolfssl_hmac_vector(int type, const u8 *key, 160 size_t key_len, size_t num_elem, 161 const u8 *addr[], const size_t *len, u8 *mac, 162 unsigned int mdlen) 163 { 164 Hmac hmac; 165 size_t i; 166 167 (void) mdlen; 168 169 if (TEST_FAIL()) 170 return -1; 171 172 if (wc_HmacSetKey(&hmac, type, key, (word32) key_len) != 0) 173 return -1; 174 for (i = 0; i < num_elem; i++) 175 if (wc_HmacUpdate(&hmac, addr[i], len[i]) != 0) 176 return -1; 177 if (wc_HmacFinal(&hmac, mac) != 0) 178 return -1; 179 return 0; 180 } 181 182 183 #ifndef CONFIG_FIPS 184 185 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem, 186 const u8 *addr[], const size_t *len, u8 *mac) 187 { 188 return wolfssl_hmac_vector(WC_MD5, key, key_len, num_elem, addr, len, 189 mac, 16); 190 } 191 192 193 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 194 u8 *mac) 195 { 196 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac); 197 } 198 199 #endif /* CONFIG_FIPS */ 200 201 202 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, 203 const u8 *addr[], const size_t *len, u8 *mac) 204 { 205 return wolfssl_hmac_vector(WC_SHA, key, key_len, num_elem, addr, len, 206 mac, 20); 207 } 208 209 210 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 211 u8 *mac) 212 { 213 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); 214 } 215 216 217 #ifdef CONFIG_SHA256 218 219 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, 220 const u8 *addr[], const size_t *len, u8 *mac) 221 { 222 return wolfssl_hmac_vector(WC_SHA256, key, key_len, num_elem, addr, len, 223 mac, 32); 224 } 225 226 227 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 228 size_t data_len, u8 *mac) 229 { 230 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); 231 } 232 233 #endif /* CONFIG_SHA256 */ 234 235 236 #ifdef CONFIG_SHA384 237 238 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem, 239 const u8 *addr[], const size_t *len, u8 *mac) 240 { 241 return wolfssl_hmac_vector(WC_SHA384, key, key_len, num_elem, addr, len, 242 mac, 48); 243 } 244 245 246 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, 247 size_t data_len, u8 *mac) 248 { 249 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac); 250 } 251 252 #endif /* CONFIG_SHA384 */ 253 254 255 #ifdef CONFIG_SHA512 256 257 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem, 258 const u8 *addr[], const size_t *len, u8 *mac) 259 { 260 return wolfssl_hmac_vector(WC_SHA512, key, key_len, num_elem, addr, len, 261 mac, 64); 262 } 263 264 265 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data, 266 size_t data_len, u8 *mac) 267 { 268 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac); 269 } 270 271 #endif /* CONFIG_SHA512 */ 272 273 274 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len, 275 int iterations, u8 *buf, size_t buflen) 276 { 277 if (wc_PBKDF2(buf, (const byte*)passphrase, os_strlen(passphrase), ssid, 278 ssid_len, iterations, buflen, WC_SHA) != 0) 279 return -1; 280 return 0; 281 } 282 283 284 #ifdef CONFIG_DES 285 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) 286 { 287 Des des; 288 u8 pkey[8], next, tmp; 289 int i; 290 291 /* Add parity bits to the key */ 292 next = 0; 293 for (i = 0; i < 7; i++) { 294 tmp = key[i]; 295 pkey[i] = (tmp >> i) | next | 1; 296 next = tmp << (7 - i); 297 } 298 pkey[i] = next | 1; 299 300 wc_Des_SetKey(&des, pkey, NULL, DES_ENCRYPTION); 301 wc_Des_EcbEncrypt(&des, cypher, clear, DES_BLOCK_SIZE); 302 303 return 0; 304 } 305 #endif /* CONFIG_DES */ 306 307 308 void * aes_encrypt_init(const u8 *key, size_t len) 309 { 310 Aes *aes; 311 312 if (TEST_FAIL()) 313 return NULL; 314 315 aes = os_malloc(sizeof(Aes)); 316 if (!aes) 317 return NULL; 318 319 if (wc_AesSetKey(aes, key, len, NULL, AES_ENCRYPTION) < 0) { 320 os_free(aes); 321 return NULL; 322 } 323 324 return aes; 325 } 326 327 328 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) 329 { 330 wc_AesEncryptDirect(ctx, crypt, plain); 331 return 0; 332 } 333 334 335 void aes_encrypt_deinit(void *ctx) 336 { 337 os_free(ctx); 338 } 339 340 341 void * aes_decrypt_init(const u8 *key, size_t len) 342 { 343 Aes *aes; 344 345 if (TEST_FAIL()) 346 return NULL; 347 348 aes = os_malloc(sizeof(Aes)); 349 if (!aes) 350 return NULL; 351 352 if (wc_AesSetKey(aes, key, len, NULL, AES_DECRYPTION) < 0) { 353 os_free(aes); 354 return NULL; 355 } 356 357 return aes; 358 } 359 360 361 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) 362 { 363 wc_AesDecryptDirect(ctx, plain, crypt); 364 return 0; 365 } 366 367 368 void aes_decrypt_deinit(void *ctx) 369 { 370 os_free(ctx); 371 } 372 373 374 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 375 { 376 Aes aes; 377 int ret; 378 379 if (TEST_FAIL()) 380 return -1; 381 382 ret = wc_AesSetKey(&aes, key, 16, iv, AES_ENCRYPTION); 383 if (ret != 0) 384 return -1; 385 386 ret = wc_AesCbcEncrypt(&aes, data, data, data_len); 387 if (ret != 0) 388 return -1; 389 return 0; 390 } 391 392 393 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 394 { 395 Aes aes; 396 int ret; 397 398 if (TEST_FAIL()) 399 return -1; 400 401 ret = wc_AesSetKey(&aes, key, 16, iv, AES_DECRYPTION); 402 if (ret != 0) 403 return -1; 404 405 ret = wc_AesCbcDecrypt(&aes, data, data, data_len); 406 if (ret != 0) 407 return -1; 408 return 0; 409 } 410 411 412 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) 413 { 414 int ret; 415 416 if (TEST_FAIL()) 417 return -1; 418 419 ret = wc_AesKeyWrap(kek, kek_len, plain, n * 8, cipher, (n + 1) * 8, 420 NULL); 421 return ret != (n + 1) * 8 ? -1 : 0; 422 } 423 424 425 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, 426 u8 *plain) 427 { 428 int ret; 429 430 if (TEST_FAIL()) 431 return -1; 432 433 ret = wc_AesKeyUnWrap(kek, kek_len, cipher, (n + 1) * 8, plain, n * 8, 434 NULL); 435 return ret != n * 8 ? -1 : 0; 436 } 437 438 439 #ifndef CONFIG_NO_RC4 440 int rc4_skip(const u8 *key, size_t keylen, size_t skip, u8 *data, 441 size_t data_len) 442 { 443 #ifndef NO_RC4 444 Arc4 arc4; 445 unsigned char skip_buf[16]; 446 447 wc_Arc4SetKey(&arc4, key, keylen); 448 449 while (skip >= sizeof(skip_buf)) { 450 size_t len = skip; 451 452 if (len > sizeof(skip_buf)) 453 len = sizeof(skip_buf); 454 wc_Arc4Process(&arc4, skip_buf, skip_buf, len); 455 skip -= len; 456 } 457 458 wc_Arc4Process(&arc4, data, data, data_len); 459 460 return 0; 461 #else /* NO_RC4 */ 462 return -1; 463 #endif /* NO_RC4 */ 464 } 465 #endif /* CONFIG_NO_RC4 */ 466 467 468 #if defined(EAP_IKEV2) || defined(EAP_IKEV2_DYNAMIC) \ 469 || defined(EAP_SERVER_IKEV2) 470 union wolfssl_cipher { 471 Aes aes; 472 Des3 des3; 473 Arc4 arc4; 474 }; 475 476 struct crypto_cipher { 477 enum crypto_cipher_alg alg; 478 union wolfssl_cipher enc; 479 union wolfssl_cipher dec; 480 }; 481 482 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, 483 const u8 *iv, const u8 *key, 484 size_t key_len) 485 { 486 struct crypto_cipher *ctx; 487 488 ctx = os_zalloc(sizeof(*ctx)); 489 if (!ctx) 490 return NULL; 491 492 switch (alg) { 493 #ifndef CONFIG_NO_RC4 494 #ifndef NO_RC4 495 case CRYPTO_CIPHER_ALG_RC4: 496 wc_Arc4SetKey(&ctx->enc.arc4, key, key_len); 497 wc_Arc4SetKey(&ctx->dec.arc4, key, key_len); 498 break; 499 #endif /* NO_RC4 */ 500 #endif /* CONFIG_NO_RC4 */ 501 #ifndef NO_AES 502 case CRYPTO_CIPHER_ALG_AES: 503 switch (key_len) { 504 case 16: 505 case 24: 506 case 32: 507 break; 508 default: 509 os_free(ctx); 510 return NULL; 511 } 512 if (wc_AesSetKey(&ctx->enc.aes, key, key_len, iv, 513 AES_ENCRYPTION) || 514 wc_AesSetKey(&ctx->dec.aes, key, key_len, iv, 515 AES_DECRYPTION)) { 516 os_free(ctx); 517 return NULL; 518 } 519 break; 520 #endif /* NO_AES */ 521 #ifndef NO_DES3 522 case CRYPTO_CIPHER_ALG_3DES: 523 if (key_len != DES3_KEYLEN || 524 wc_Des3_SetKey(&ctx->enc.des3, key, iv, DES_ENCRYPTION) || 525 wc_Des3_SetKey(&ctx->dec.des3, key, iv, DES_DECRYPTION)) { 526 os_free(ctx); 527 return NULL; 528 } 529 break; 530 #endif /* NO_DES3 */ 531 case CRYPTO_CIPHER_ALG_RC2: 532 case CRYPTO_CIPHER_ALG_DES: 533 default: 534 os_free(ctx); 535 return NULL; 536 } 537 538 ctx->alg = alg; 539 540 return ctx; 541 } 542 543 544 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain, 545 u8 *crypt, size_t len) 546 { 547 switch (ctx->alg) { 548 #ifndef CONFIG_NO_RC4 549 #ifndef NO_RC4 550 case CRYPTO_CIPHER_ALG_RC4: 551 wc_Arc4Process(&ctx->enc.arc4, crypt, plain, len); 552 return 0; 553 #endif /* NO_RC4 */ 554 #endif /* CONFIG_NO_RC4 */ 555 #ifndef NO_AES 556 case CRYPTO_CIPHER_ALG_AES: 557 if (wc_AesCbcEncrypt(&ctx->enc.aes, crypt, plain, len) != 0) 558 return -1; 559 return 0; 560 #endif /* NO_AES */ 561 #ifndef NO_DES3 562 case CRYPTO_CIPHER_ALG_3DES: 563 if (wc_Des3_CbcEncrypt(&ctx->enc.des3, crypt, plain, len) != 0) 564 return -1; 565 return 0; 566 #endif /* NO_DES3 */ 567 default: 568 return -1; 569 } 570 return -1; 571 } 572 573 574 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt, 575 u8 *plain, size_t len) 576 { 577 switch (ctx->alg) { 578 #ifndef CONFIG_NO_RC4 579 #ifndef NO_RC4 580 case CRYPTO_CIPHER_ALG_RC4: 581 wc_Arc4Process(&ctx->dec.arc4, plain, crypt, len); 582 return 0; 583 #endif /* NO_RC4 */ 584 #endif /* CONFIG_NO_RC4 */ 585 #ifndef NO_AES 586 case CRYPTO_CIPHER_ALG_AES: 587 if (wc_AesCbcDecrypt(&ctx->dec.aes, plain, crypt, len) != 0) 588 return -1; 589 return 0; 590 #endif /* NO_AES */ 591 #ifndef NO_DES3 592 case CRYPTO_CIPHER_ALG_3DES: 593 if (wc_Des3_CbcDecrypt(&ctx->dec.des3, plain, crypt, len) != 0) 594 return -1; 595 return 0; 596 #endif /* NO_DES3 */ 597 default: 598 return -1; 599 } 600 return -1; 601 } 602 603 604 void crypto_cipher_deinit(struct crypto_cipher *ctx) 605 { 606 os_free(ctx); 607 } 608 609 #endif 610 611 612 #ifdef CONFIG_WPS_NFC 613 614 static const unsigned char RFC3526_PRIME_1536[] = { 615 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 616 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 617 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, 618 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 619 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 620 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 621 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, 622 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, 623 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, 624 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, 625 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, 626 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, 627 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, 628 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, 629 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, 630 0xCA, 0x23, 0x73, 0x27, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF 631 }; 632 633 static const unsigned char RFC3526_GENERATOR_1536[] = { 634 0x02 635 }; 636 637 #define RFC3526_LEN sizeof(RFC3526_PRIME_1536) 638 639 640 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) 641 { 642 WC_RNG rng; 643 DhKey *ret = NULL; 644 DhKey *dh = NULL; 645 struct wpabuf *privkey = NULL; 646 struct wpabuf *pubkey = NULL; 647 word32 priv_sz, pub_sz; 648 649 *priv = NULL; 650 wpabuf_free(*publ); 651 *publ = NULL; 652 653 dh = XMALLOC(sizeof(DhKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); 654 if (!dh) 655 return NULL; 656 wc_InitDhKey(dh); 657 658 if (wc_InitRng(&rng) != 0) { 659 XFREE(dh, NULL, DYNAMIC_TYPE_TMP_BUFFER); 660 return NULL; 661 } 662 663 privkey = wpabuf_alloc(RFC3526_LEN); 664 pubkey = wpabuf_alloc(RFC3526_LEN); 665 if (!privkey || !pubkey) 666 goto done; 667 668 if (wc_DhSetKey(dh, RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), 669 RFC3526_GENERATOR_1536, sizeof(RFC3526_GENERATOR_1536)) 670 != 0) 671 goto done; 672 673 if (wc_DhGenerateKeyPair(dh, &rng, wpabuf_mhead(privkey), &priv_sz, 674 wpabuf_mhead(pubkey), &pub_sz) != 0) 675 goto done; 676 677 wpabuf_put(privkey, priv_sz); 678 wpabuf_put(pubkey, pub_sz); 679 680 ret = dh; 681 *priv = privkey; 682 *publ = pubkey; 683 dh = NULL; 684 privkey = NULL; 685 pubkey = NULL; 686 done: 687 wpabuf_clear_free(pubkey); 688 wpabuf_clear_free(privkey); 689 if (dh) { 690 wc_FreeDhKey(dh); 691 XFREE(dh, NULL, DYNAMIC_TYPE_TMP_BUFFER); 692 } 693 wc_FreeRng(&rng); 694 return ret; 695 } 696 697 698 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) 699 { 700 DhKey *ret = NULL; 701 DhKey *dh; 702 byte *secret; 703 word32 secret_sz; 704 705 dh = XMALLOC(sizeof(DhKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); 706 if (!dh) 707 return NULL; 708 wc_InitDhKey(dh); 709 710 secret = XMALLOC(RFC3526_LEN, NULL, DYNAMIC_TYPE_TMP_BUFFER); 711 if (!secret) 712 goto done; 713 714 if (wc_DhSetKey(dh, RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), 715 RFC3526_GENERATOR_1536, sizeof(RFC3526_GENERATOR_1536)) 716 != 0) 717 goto done; 718 719 if (wc_DhAgree(dh, secret, &secret_sz, wpabuf_head(priv), 720 wpabuf_len(priv), RFC3526_GENERATOR_1536, 721 sizeof(RFC3526_GENERATOR_1536)) != 0) 722 goto done; 723 724 if (secret_sz != wpabuf_len(publ) || 725 os_memcmp(secret, wpabuf_head(publ), secret_sz) != 0) 726 goto done; 727 728 ret = dh; 729 dh = NULL; 730 done: 731 if (dh) { 732 wc_FreeDhKey(dh); 733 XFREE(dh, NULL, DYNAMIC_TYPE_TMP_BUFFER); 734 } 735 XFREE(secret, NULL, DYNAMIC_TYPE_TMP_BUFFER); 736 return ret; 737 } 738 739 740 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public, 741 const struct wpabuf *own_private) 742 { 743 struct wpabuf *ret = NULL; 744 struct wpabuf *secret; 745 word32 secret_sz; 746 747 secret = wpabuf_alloc(RFC3526_LEN); 748 if (!secret) 749 goto done; 750 751 if (wc_DhAgree(ctx, wpabuf_mhead(secret), &secret_sz, 752 wpabuf_head(own_private), wpabuf_len(own_private), 753 wpabuf_head(peer_public), wpabuf_len(peer_public)) != 0) 754 goto done; 755 756 wpabuf_put(secret, secret_sz); 757 758 ret = secret; 759 secret = NULL; 760 done: 761 wpabuf_clear_free(secret); 762 return ret; 763 } 764 765 766 void dh5_free(void *ctx) 767 { 768 if (!ctx) 769 return; 770 771 wc_FreeDhKey(ctx); 772 XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER); 773 } 774 775 #endif /* CONFIG_WPS_NFC */ 776 777 778 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey, 779 u8 *pubkey) 780 { 781 int ret = -1; 782 WC_RNG rng; 783 DhKey *dh = NULL; 784 word32 priv_sz, pub_sz; 785 786 if (TEST_FAIL()) 787 return -1; 788 789 dh = os_malloc(sizeof(DhKey)); 790 if (!dh) 791 return -1; 792 wc_InitDhKey(dh); 793 794 if (wc_InitRng(&rng) != 0) { 795 os_free(dh); 796 return -1; 797 } 798 799 if (wc_DhSetKey(dh, prime, prime_len, &generator, 1) != 0) 800 goto done; 801 802 if (wc_DhGenerateKeyPair(dh, &rng, privkey, &priv_sz, pubkey, &pub_sz) 803 != 0) 804 goto done; 805 806 if (priv_sz < prime_len) { 807 size_t pad_sz = prime_len - priv_sz; 808 809 os_memmove(privkey + pad_sz, privkey, priv_sz); 810 os_memset(privkey, 0, pad_sz); 811 } 812 813 if (pub_sz < prime_len) { 814 size_t pad_sz = prime_len - pub_sz; 815 816 os_memmove(pubkey + pad_sz, pubkey, pub_sz); 817 os_memset(pubkey, 0, pad_sz); 818 } 819 ret = 0; 820 done: 821 wc_FreeDhKey(dh); 822 os_free(dh); 823 wc_FreeRng(&rng); 824 return ret; 825 } 826 827 828 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len, 829 const u8 *order, size_t order_len, 830 const u8 *privkey, size_t privkey_len, 831 const u8 *pubkey, size_t pubkey_len, 832 u8 *secret, size_t *len) 833 { 834 int ret = -1; 835 DhKey *dh; 836 word32 secret_sz; 837 838 dh = os_malloc(sizeof(DhKey)); 839 if (!dh) 840 return -1; 841 wc_InitDhKey(dh); 842 843 if (wc_DhSetKey(dh, prime, prime_len, &generator, 1) != 0) 844 goto done; 845 846 if (wc_DhAgree(dh, secret, &secret_sz, privkey, privkey_len, pubkey, 847 pubkey_len) != 0) 848 goto done; 849 850 *len = secret_sz; 851 ret = 0; 852 done: 853 wc_FreeDhKey(dh); 854 os_free(dh); 855 return ret; 856 } 857 858 859 #ifdef CONFIG_FIPS 860 int crypto_get_random(void *buf, size_t len) 861 { 862 int ret = 0; 863 WC_RNG rng; 864 865 if (wc_InitRng(&rng) != 0) 866 return -1; 867 if (wc_RNG_GenerateBlock(&rng, buf, len) != 0) 868 ret = -1; 869 wc_FreeRng(&rng); 870 return ret; 871 } 872 #endif /* CONFIG_FIPS */ 873 874 875 #if defined(EAP_PWD) || defined(EAP_SERVER_PWD) 876 struct crypto_hash { 877 Hmac hmac; 878 int size; 879 }; 880 881 882 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key, 883 size_t key_len) 884 { 885 struct crypto_hash *ret = NULL; 886 struct crypto_hash *hash; 887 int type; 888 889 hash = os_zalloc(sizeof(*hash)); 890 if (!hash) 891 goto done; 892 893 switch (alg) { 894 #ifndef NO_MD5 895 case CRYPTO_HASH_ALG_HMAC_MD5: 896 hash->size = 16; 897 type = WC_MD5; 898 break; 899 #endif /* NO_MD5 */ 900 #ifndef NO_SHA 901 case CRYPTO_HASH_ALG_HMAC_SHA1: 902 type = WC_SHA; 903 hash->size = 20; 904 break; 905 #endif /* NO_SHA */ 906 #ifdef CONFIG_SHA256 907 #ifndef NO_SHA256 908 case CRYPTO_HASH_ALG_HMAC_SHA256: 909 type = WC_SHA256; 910 hash->size = 32; 911 break; 912 #endif /* NO_SHA256 */ 913 #endif /* CONFIG_SHA256 */ 914 default: 915 goto done; 916 } 917 918 if (wc_HmacSetKey(&hash->hmac, type, key, key_len) != 0) 919 goto done; 920 921 ret = hash; 922 hash = NULL; 923 done: 924 os_free(hash); 925 return ret; 926 } 927 928 929 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len) 930 { 931 if (!ctx) 932 return; 933 wc_HmacUpdate(&ctx->hmac, data, len); 934 } 935 936 937 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len) 938 { 939 int ret = 0; 940 941 if (!ctx) 942 return -2; 943 944 if (!mac || !len) 945 goto done; 946 947 if (wc_HmacFinal(&ctx->hmac, mac) != 0) { 948 ret = -1; 949 goto done; 950 } 951 952 *len = ctx->size; 953 ret = 0; 954 done: 955 bin_clear_free(ctx, sizeof(*ctx)); 956 if (TEST_FAIL()) 957 return -1; 958 return ret; 959 } 960 961 #endif 962 963 964 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem, 965 const u8 *addr[], const size_t *len, u8 *mac) 966 { 967 Cmac cmac; 968 size_t i; 969 word32 sz; 970 971 if (TEST_FAIL()) 972 return -1; 973 974 if (wc_InitCmac(&cmac, key, key_len, WC_CMAC_AES, NULL) != 0) 975 return -1; 976 977 for (i = 0; i < num_elem; i++) 978 if (wc_CmacUpdate(&cmac, addr[i], len[i]) != 0) 979 return -1; 980 981 sz = AES_BLOCK_SIZE; 982 if (wc_CmacFinal(&cmac, mac, &sz) != 0 || sz != AES_BLOCK_SIZE) 983 return -1; 984 985 return 0; 986 } 987 988 989 int omac1_aes_128_vector(const u8 *key, size_t num_elem, 990 const u8 *addr[], const size_t *len, u8 *mac) 991 { 992 return omac1_aes_vector(key, 16, num_elem, addr, len, mac); 993 } 994 995 996 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 997 { 998 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 999 } 1000 1001 1002 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 1003 { 1004 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac); 1005 } 1006 1007 1008 struct crypto_bignum * crypto_bignum_init(void) 1009 { 1010 mp_int *a; 1011 1012 if (TEST_FAIL()) 1013 return NULL; 1014 1015 a = os_malloc(sizeof(*a)); 1016 if (!a || mp_init(a) != MP_OKAY) { 1017 os_free(a); 1018 a = NULL; 1019 } 1020 1021 return (struct crypto_bignum *) a; 1022 } 1023 1024 1025 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) 1026 { 1027 mp_int *a; 1028 1029 if (TEST_FAIL()) 1030 return NULL; 1031 1032 a = (mp_int *) crypto_bignum_init(); 1033 if (!a) 1034 return NULL; 1035 1036 if (mp_read_unsigned_bin(a, buf, len) != MP_OKAY) { 1037 os_free(a); 1038 a = NULL; 1039 } 1040 1041 return (struct crypto_bignum *) a; 1042 } 1043 1044 1045 struct crypto_bignum * crypto_bignum_init_uint(unsigned int val) 1046 { 1047 mp_int *a; 1048 1049 if (TEST_FAIL()) 1050 return NULL; 1051 1052 a = (mp_int *) crypto_bignum_init(); 1053 if (!a) 1054 return NULL; 1055 1056 if (mp_set_int(a, val) != MP_OKAY) { 1057 os_free(a); 1058 a = NULL; 1059 } 1060 1061 return (struct crypto_bignum *) a; 1062 } 1063 1064 1065 void crypto_bignum_deinit(struct crypto_bignum *n, int clear) 1066 { 1067 if (!n) 1068 return; 1069 1070 if (clear) 1071 mp_forcezero((mp_int *) n); 1072 mp_clear((mp_int *) n); 1073 os_free((mp_int *) n); 1074 } 1075 1076 1077 int crypto_bignum_to_bin(const struct crypto_bignum *a, 1078 u8 *buf, size_t buflen, size_t padlen) 1079 { 1080 int num_bytes, offset; 1081 1082 if (TEST_FAIL()) 1083 return -1; 1084 1085 if (padlen > buflen) 1086 return -1; 1087 1088 num_bytes = (mp_count_bits((mp_int *) a) + 7) / 8; 1089 if ((size_t) num_bytes > buflen) 1090 return -1; 1091 if (padlen > (size_t) num_bytes) 1092 offset = padlen - num_bytes; 1093 else 1094 offset = 0; 1095 1096 os_memset(buf, 0, offset); 1097 mp_to_unsigned_bin((mp_int *) a, buf + offset); 1098 1099 return num_bytes + offset; 1100 } 1101 1102 1103 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m) 1104 { 1105 int ret = 0; 1106 WC_RNG rng; 1107 size_t len; 1108 u8 *buf; 1109 1110 if (TEST_FAIL()) 1111 return -1; 1112 if (wc_InitRng(&rng) != 0) 1113 return -1; 1114 len = (mp_count_bits((mp_int *) m) + 7) / 8; 1115 buf = os_malloc(len); 1116 if (!buf || wc_RNG_GenerateBlock(&rng, buf, len) != 0 || 1117 mp_read_unsigned_bin((mp_int *) r, buf, len) != MP_OKAY || 1118 mp_mod((mp_int *) r, (mp_int *) m, (mp_int *) r) != 0) 1119 ret = -1; 1120 wc_FreeRng(&rng); 1121 bin_clear_free(buf, len); 1122 return ret; 1123 } 1124 1125 1126 int crypto_bignum_add(const struct crypto_bignum *a, 1127 const struct crypto_bignum *b, 1128 struct crypto_bignum *r) 1129 { 1130 return mp_add((mp_int *) a, (mp_int *) b, 1131 (mp_int *) r) == MP_OKAY ? 0 : -1; 1132 } 1133 1134 1135 int crypto_bignum_mod(const struct crypto_bignum *a, 1136 const struct crypto_bignum *m, 1137 struct crypto_bignum *r) 1138 { 1139 return mp_mod((mp_int *) a, (mp_int *) m, 1140 (mp_int *) r) == MP_OKAY ? 0 : -1; 1141 } 1142 1143 1144 int crypto_bignum_exptmod(const struct crypto_bignum *b, 1145 const struct crypto_bignum *e, 1146 const struct crypto_bignum *m, 1147 struct crypto_bignum *r) 1148 { 1149 if (TEST_FAIL()) 1150 return -1; 1151 1152 return mp_exptmod((mp_int *) b, (mp_int *) e, (mp_int *) m, 1153 (mp_int *) r) == MP_OKAY ? 0 : -1; 1154 } 1155 1156 1157 int crypto_bignum_inverse(const struct crypto_bignum *a, 1158 const struct crypto_bignum *m, 1159 struct crypto_bignum *r) 1160 { 1161 if (TEST_FAIL()) 1162 return -1; 1163 1164 return mp_invmod((mp_int *) a, (mp_int *) m, 1165 (mp_int *) r) == MP_OKAY ? 0 : -1; 1166 } 1167 1168 1169 int crypto_bignum_sub(const struct crypto_bignum *a, 1170 const struct crypto_bignum *b, 1171 struct crypto_bignum *r) 1172 { 1173 if (TEST_FAIL()) 1174 return -1; 1175 1176 return mp_sub((mp_int *) a, (mp_int *) b, 1177 (mp_int *) r) == MP_OKAY ? 0 : -1; 1178 } 1179 1180 1181 int crypto_bignum_div(const struct crypto_bignum *a, 1182 const struct crypto_bignum *b, 1183 struct crypto_bignum *d) 1184 { 1185 if (TEST_FAIL()) 1186 return -1; 1187 1188 return mp_div((mp_int *) a, (mp_int *) b, (mp_int *) d, 1189 NULL) == MP_OKAY ? 0 : -1; 1190 } 1191 1192 1193 int crypto_bignum_addmod(const struct crypto_bignum *a, 1194 const struct crypto_bignum *b, 1195 const struct crypto_bignum *c, 1196 struct crypto_bignum *d) 1197 { 1198 if (TEST_FAIL()) 1199 return -1; 1200 1201 return mp_addmod((mp_int *) a, (mp_int *) b, (mp_int *) c, 1202 (mp_int *) d) == MP_OKAY ? 0 : -1; 1203 } 1204 1205 1206 int crypto_bignum_mulmod(const struct crypto_bignum *a, 1207 const struct crypto_bignum *b, 1208 const struct crypto_bignum *m, 1209 struct crypto_bignum *d) 1210 { 1211 if (TEST_FAIL()) 1212 return -1; 1213 1214 return mp_mulmod((mp_int *) a, (mp_int *) b, (mp_int *) m, 1215 (mp_int *) d) == MP_OKAY ? 0 : -1; 1216 } 1217 1218 1219 int crypto_bignum_sqrmod(const struct crypto_bignum *a, 1220 const struct crypto_bignum *b, 1221 struct crypto_bignum *c) 1222 { 1223 if (TEST_FAIL()) 1224 return -1; 1225 1226 return mp_sqrmod((mp_int *) a, (mp_int *) b, 1227 (mp_int *) c) == MP_OKAY ? 0 : -1; 1228 } 1229 1230 1231 int crypto_bignum_rshift(const struct crypto_bignum *a, int n, 1232 struct crypto_bignum *r) 1233 { 1234 if (mp_copy((mp_int *) a, (mp_int *) r) != MP_OKAY) 1235 return -1; 1236 mp_rshb((mp_int *) r, n); 1237 return 0; 1238 } 1239 1240 1241 int crypto_bignum_cmp(const struct crypto_bignum *a, 1242 const struct crypto_bignum *b) 1243 { 1244 return mp_cmp((mp_int *) a, (mp_int *) b); 1245 } 1246 1247 1248 int crypto_bignum_is_zero(const struct crypto_bignum *a) 1249 { 1250 return mp_iszero((mp_int *) a); 1251 } 1252 1253 1254 int crypto_bignum_is_one(const struct crypto_bignum *a) 1255 { 1256 return mp_isone((const mp_int *) a); 1257 } 1258 1259 int crypto_bignum_is_odd(const struct crypto_bignum *a) 1260 { 1261 return mp_isodd((mp_int *) a); 1262 } 1263 1264 1265 int crypto_bignum_legendre(const struct crypto_bignum *a, 1266 const struct crypto_bignum *p) 1267 { 1268 mp_int t; 1269 int ret; 1270 int res = -2; 1271 1272 if (TEST_FAIL()) 1273 return -2; 1274 1275 if (mp_init(&t) != MP_OKAY) 1276 return -2; 1277 1278 /* t = (p-1) / 2 */ 1279 ret = mp_sub_d((mp_int *) p, 1, &t); 1280 if (ret == MP_OKAY) 1281 mp_rshb(&t, 1); 1282 if (ret == MP_OKAY) 1283 ret = mp_exptmod((mp_int *) a, &t, (mp_int *) p, &t); 1284 if (ret == MP_OKAY) { 1285 if (mp_isone(&t)) 1286 res = 1; 1287 else if (mp_iszero(&t)) 1288 res = 0; 1289 else 1290 res = -1; 1291 } 1292 1293 mp_clear(&t); 1294 return res; 1295 } 1296 1297 1298 #ifdef CONFIG_ECC 1299 1300 int ecc_map(ecc_point *, mp_int *, mp_digit); 1301 int ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, 1302 mp_int *a, mp_int *modulus, mp_digit mp); 1303 1304 struct crypto_ec { 1305 ecc_key key; 1306 mp_int a; 1307 mp_int prime; 1308 mp_int order; 1309 mp_digit mont_b; 1310 mp_int b; 1311 }; 1312 1313 1314 struct crypto_ec * crypto_ec_init(int group) 1315 { 1316 int built = 0; 1317 struct crypto_ec *e; 1318 int curve_id; 1319 1320 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */ 1321 switch (group) { 1322 case 19: 1323 curve_id = ECC_SECP256R1; 1324 break; 1325 case 20: 1326 curve_id = ECC_SECP384R1; 1327 break; 1328 case 21: 1329 curve_id = ECC_SECP521R1; 1330 break; 1331 case 25: 1332 curve_id = ECC_SECP192R1; 1333 break; 1334 case 26: 1335 curve_id = ECC_SECP224R1; 1336 break; 1337 #ifdef HAVE_ECC_BRAINPOOL 1338 case 27: 1339 curve_id = ECC_BRAINPOOLP224R1; 1340 break; 1341 case 28: 1342 curve_id = ECC_BRAINPOOLP256R1; 1343 break; 1344 case 29: 1345 curve_id = ECC_BRAINPOOLP384R1; 1346 break; 1347 case 30: 1348 curve_id = ECC_BRAINPOOLP512R1; 1349 break; 1350 #endif /* HAVE_ECC_BRAINPOOL */ 1351 default: 1352 return NULL; 1353 } 1354 1355 e = os_zalloc(sizeof(*e)); 1356 if (!e) 1357 return NULL; 1358 1359 if (wc_ecc_init(&e->key) != 0 || 1360 wc_ecc_set_curve(&e->key, 0, curve_id) != 0 || 1361 mp_init(&e->a) != MP_OKAY || 1362 mp_init(&e->prime) != MP_OKAY || 1363 mp_init(&e->order) != MP_OKAY || 1364 mp_init(&e->b) != MP_OKAY || 1365 mp_read_radix(&e->a, e->key.dp->Af, 16) != MP_OKAY || 1366 mp_read_radix(&e->b, e->key.dp->Bf, 16) != MP_OKAY || 1367 mp_read_radix(&e->prime, e->key.dp->prime, 16) != MP_OKAY || 1368 mp_read_radix(&e->order, e->key.dp->order, 16) != MP_OKAY || 1369 mp_montgomery_setup(&e->prime, &e->mont_b) != MP_OKAY) 1370 goto done; 1371 1372 built = 1; 1373 done: 1374 if (!built) { 1375 crypto_ec_deinit(e); 1376 e = NULL; 1377 } 1378 return e; 1379 } 1380 1381 1382 void crypto_ec_deinit(struct crypto_ec* e) 1383 { 1384 if (!e) 1385 return; 1386 1387 mp_clear(&e->b); 1388 mp_clear(&e->order); 1389 mp_clear(&e->prime); 1390 mp_clear(&e->a); 1391 wc_ecc_free(&e->key); 1392 os_free(e); 1393 } 1394 1395 1396 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e) 1397 { 1398 if (TEST_FAIL()) 1399 return NULL; 1400 if (!e) 1401 return NULL; 1402 return (struct crypto_ec_point *) wc_ecc_new_point(); 1403 } 1404 1405 1406 size_t crypto_ec_prime_len(struct crypto_ec *e) 1407 { 1408 return (mp_count_bits(&e->prime) + 7) / 8; 1409 } 1410 1411 1412 size_t crypto_ec_prime_len_bits(struct crypto_ec *e) 1413 { 1414 return mp_count_bits(&e->prime); 1415 } 1416 1417 1418 size_t crypto_ec_order_len(struct crypto_ec *e) 1419 { 1420 return (mp_count_bits(&e->order) + 7) / 8; 1421 } 1422 1423 1424 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e) 1425 { 1426 return (const struct crypto_bignum *) &e->prime; 1427 } 1428 1429 1430 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) 1431 { 1432 return (const struct crypto_bignum *) &e->order; 1433 } 1434 1435 1436 const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e) 1437 { 1438 return (const struct crypto_bignum *) &e->a; 1439 } 1440 1441 1442 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e) 1443 { 1444 return (const struct crypto_bignum *) &e->b; 1445 } 1446 1447 1448 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) 1449 { 1450 ecc_point *point = (ecc_point *) p; 1451 1452 if (!p) 1453 return; 1454 1455 if (clear) { 1456 mp_forcezero(point->x); 1457 mp_forcezero(point->y); 1458 mp_forcezero(point->z); 1459 } 1460 wc_ecc_del_point(point); 1461 } 1462 1463 1464 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p, 1465 struct crypto_bignum *x) 1466 { 1467 return mp_copy(((ecc_point *) p)->x, (mp_int *) x) == MP_OKAY ? 0 : -1; 1468 } 1469 1470 1471 int crypto_ec_point_to_bin(struct crypto_ec *e, 1472 const struct crypto_ec_point *point, u8 *x, u8 *y) 1473 { 1474 ecc_point *p = (ecc_point *) point; 1475 1476 if (TEST_FAIL()) 1477 return -1; 1478 1479 if (!mp_isone(p->z)) { 1480 if (ecc_map(p, &e->prime, e->mont_b) != MP_OKAY) 1481 return -1; 1482 } 1483 1484 if (x) { 1485 if (crypto_bignum_to_bin((struct crypto_bignum *)p->x, x, 1486 e->key.dp->size, 1487 e->key.dp->size) <= 0) 1488 return -1; 1489 } 1490 1491 if (y) { 1492 if (crypto_bignum_to_bin((struct crypto_bignum *) p->y, y, 1493 e->key.dp->size, 1494 e->key.dp->size) <= 0) 1495 return -1; 1496 } 1497 1498 return 0; 1499 } 1500 1501 1502 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e, 1503 const u8 *val) 1504 { 1505 ecc_point *point = NULL; 1506 int loaded = 0; 1507 1508 if (TEST_FAIL()) 1509 return NULL; 1510 1511 point = wc_ecc_new_point(); 1512 if (!point) 1513 goto done; 1514 1515 if (mp_read_unsigned_bin(point->x, val, e->key.dp->size) != MP_OKAY) 1516 goto done; 1517 val += e->key.dp->size; 1518 if (mp_read_unsigned_bin(point->y, val, e->key.dp->size) != MP_OKAY) 1519 goto done; 1520 mp_set(point->z, 1); 1521 1522 loaded = 1; 1523 done: 1524 if (!loaded) { 1525 wc_ecc_del_point(point); 1526 point = NULL; 1527 } 1528 return (struct crypto_ec_point *) point; 1529 } 1530 1531 1532 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a, 1533 const struct crypto_ec_point *b, 1534 struct crypto_ec_point *c) 1535 { 1536 mp_int mu; 1537 ecc_point *ta = NULL, *tb = NULL; 1538 ecc_point *pa = (ecc_point *) a, *pb = (ecc_point *) b; 1539 mp_int *modulus = &e->prime; 1540 int ret; 1541 1542 if (TEST_FAIL()) 1543 return -1; 1544 1545 ret = mp_init(&mu); 1546 if (ret != MP_OKAY) 1547 return -1; 1548 1549 ret = mp_montgomery_calc_normalization(&mu, modulus); 1550 if (ret != MP_OKAY) { 1551 mp_clear(&mu); 1552 return -1; 1553 } 1554 1555 if (!mp_isone(&mu)) { 1556 ta = wc_ecc_new_point(); 1557 if (!ta) { 1558 mp_clear(&mu); 1559 return -1; 1560 } 1561 tb = wc_ecc_new_point(); 1562 if (!tb) { 1563 wc_ecc_del_point(ta); 1564 mp_clear(&mu); 1565 return -1; 1566 } 1567 1568 if (mp_mulmod(pa->x, &mu, modulus, ta->x) != MP_OKAY || 1569 mp_mulmod(pa->y, &mu, modulus, ta->y) != MP_OKAY || 1570 mp_mulmod(pa->z, &mu, modulus, ta->z) != MP_OKAY || 1571 mp_mulmod(pb->x, &mu, modulus, tb->x) != MP_OKAY || 1572 mp_mulmod(pb->y, &mu, modulus, tb->y) != MP_OKAY || 1573 mp_mulmod(pb->z, &mu, modulus, tb->z) != MP_OKAY) { 1574 ret = -1; 1575 goto end; 1576 } 1577 pa = ta; 1578 pb = tb; 1579 } 1580 1581 ret = ecc_projective_add_point(pa, pb, (ecc_point *) c, &e->a, 1582 &e->prime, e->mont_b); 1583 if (ret != 0) { 1584 ret = -1; 1585 goto end; 1586 } 1587 1588 if (ecc_map((ecc_point *) c, &e->prime, e->mont_b) != MP_OKAY) 1589 ret = -1; 1590 else 1591 ret = 0; 1592 end: 1593 wc_ecc_del_point(tb); 1594 wc_ecc_del_point(ta); 1595 mp_clear(&mu); 1596 return ret; 1597 } 1598 1599 1600 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p, 1601 const struct crypto_bignum *b, 1602 struct crypto_ec_point *res) 1603 { 1604 int ret; 1605 1606 if (TEST_FAIL()) 1607 return -1; 1608 1609 ret = wc_ecc_mulmod((mp_int *) b, (ecc_point *) p, (ecc_point *) res, 1610 &e->a, &e->prime, 1); 1611 return ret == 0 ? 0 : -1; 1612 } 1613 1614 1615 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p) 1616 { 1617 ecc_point *point = (ecc_point *) p; 1618 1619 if (TEST_FAIL()) 1620 return -1; 1621 1622 if (mp_sub(&e->prime, point->y, point->y) != MP_OKAY) 1623 return -1; 1624 1625 return 0; 1626 } 1627 1628 1629 int crypto_ec_point_solve_y_coord(struct crypto_ec *e, 1630 struct crypto_ec_point *p, 1631 const struct crypto_bignum *x, int y_bit) 1632 { 1633 byte buf[1 + 2 * MAX_ECC_BYTES]; 1634 int ret; 1635 int prime_len = crypto_ec_prime_len(e); 1636 1637 if (TEST_FAIL()) 1638 return -1; 1639 1640 buf[0] = y_bit ? ECC_POINT_COMP_ODD : ECC_POINT_COMP_EVEN; 1641 ret = crypto_bignum_to_bin(x, buf + 1, prime_len, prime_len); 1642 if (ret <= 0) 1643 return -1; 1644 ret = wc_ecc_import_point_der(buf, 1 + 2 * ret, e->key.idx, 1645 (ecc_point *) p); 1646 if (ret != 0) 1647 return -1; 1648 1649 return 0; 1650 } 1651 1652 1653 struct crypto_bignum * 1654 crypto_ec_point_compute_y_sqr(struct crypto_ec *e, 1655 const struct crypto_bignum *x) 1656 { 1657 mp_int *y2 = NULL; 1658 mp_int t; 1659 int calced = 0; 1660 1661 if (TEST_FAIL()) 1662 return NULL; 1663 1664 if (mp_init(&t) != MP_OKAY) 1665 return NULL; 1666 1667 y2 = (mp_int *) crypto_bignum_init(); 1668 if (!y2) 1669 goto done; 1670 1671 if (mp_sqrmod((mp_int *) x, &e->prime, y2) != 0 || 1672 mp_mulmod((mp_int *) x, y2, &e->prime, y2) != 0 || 1673 mp_mulmod((mp_int *) x, &e->a, &e->prime, &t) != 0 || 1674 mp_addmod(y2, &t, &e->prime, y2) != 0 || 1675 mp_addmod(y2, &e->b, &e->prime, y2) != 0) 1676 goto done; 1677 1678 calced = 1; 1679 done: 1680 if (!calced) { 1681 if (y2) { 1682 mp_clear(y2); 1683 os_free(y2); 1684 } 1685 mp_clear(&t); 1686 } 1687 1688 return (struct crypto_bignum *) y2; 1689 } 1690 1691 1692 int crypto_ec_point_is_at_infinity(struct crypto_ec *e, 1693 const struct crypto_ec_point *p) 1694 { 1695 return wc_ecc_point_is_at_infinity((ecc_point *) p); 1696 } 1697 1698 1699 int crypto_ec_point_is_on_curve(struct crypto_ec *e, 1700 const struct crypto_ec_point *p) 1701 { 1702 return wc_ecc_is_point((ecc_point *) p, &e->a, &e->b, &e->prime) == 1703 MP_OKAY; 1704 } 1705 1706 1707 int crypto_ec_point_cmp(const struct crypto_ec *e, 1708 const struct crypto_ec_point *a, 1709 const struct crypto_ec_point *b) 1710 { 1711 return wc_ecc_cmp_point((ecc_point *) a, (ecc_point *) b); 1712 } 1713 1714 1715 struct crypto_ecdh { 1716 struct crypto_ec *ec; 1717 }; 1718 1719 struct crypto_ecdh * crypto_ecdh_init(int group) 1720 { 1721 struct crypto_ecdh *ecdh = NULL; 1722 WC_RNG rng; 1723 int ret; 1724 1725 if (wc_InitRng(&rng) != 0) 1726 goto fail; 1727 1728 ecdh = os_zalloc(sizeof(*ecdh)); 1729 if (!ecdh) 1730 goto fail; 1731 1732 ecdh->ec = crypto_ec_init(group); 1733 if (!ecdh->ec) 1734 goto fail; 1735 1736 ret = wc_ecc_make_key_ex(&rng, ecdh->ec->key.dp->size, &ecdh->ec->key, 1737 ecdh->ec->key.dp->id); 1738 if (ret < 0) 1739 goto fail; 1740 1741 done: 1742 wc_FreeRng(&rng); 1743 1744 return ecdh; 1745 fail: 1746 crypto_ecdh_deinit(ecdh); 1747 ecdh = NULL; 1748 goto done; 1749 } 1750 1751 1752 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh) 1753 { 1754 if (ecdh) { 1755 crypto_ec_deinit(ecdh->ec); 1756 os_free(ecdh); 1757 } 1758 } 1759 1760 1761 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y) 1762 { 1763 struct wpabuf *buf = NULL; 1764 int ret; 1765 int len = ecdh->ec->key.dp->size; 1766 1767 buf = wpabuf_alloc(inc_y ? 2 * len : len); 1768 if (!buf) 1769 goto fail; 1770 1771 ret = crypto_bignum_to_bin((struct crypto_bignum *) 1772 ecdh->ec->key.pubkey.x, wpabuf_put(buf, len), 1773 len, len); 1774 if (ret < 0) 1775 goto fail; 1776 if (inc_y) { 1777 ret = crypto_bignum_to_bin((struct crypto_bignum *) 1778 ecdh->ec->key.pubkey.y, 1779 wpabuf_put(buf, len), len, len); 1780 if (ret < 0) 1781 goto fail; 1782 } 1783 1784 done: 1785 return buf; 1786 fail: 1787 wpabuf_free(buf); 1788 buf = NULL; 1789 goto done; 1790 } 1791 1792 1793 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y, 1794 const u8 *key, size_t len) 1795 { 1796 int ret; 1797 struct wpabuf *pubkey = NULL; 1798 struct wpabuf *secret = NULL; 1799 word32 key_len = ecdh->ec->key.dp->size; 1800 ecc_point *point = NULL; 1801 size_t need_key_len = inc_y ? 2 * key_len : key_len; 1802 1803 if (len < need_key_len) 1804 goto fail; 1805 pubkey = wpabuf_alloc(1 + 2 * key_len); 1806 if (!pubkey) 1807 goto fail; 1808 wpabuf_put_u8(pubkey, inc_y ? ECC_POINT_UNCOMP : ECC_POINT_COMP_EVEN); 1809 wpabuf_put_data(pubkey, key, need_key_len); 1810 1811 point = wc_ecc_new_point(); 1812 if (!point) 1813 goto fail; 1814 1815 ret = wc_ecc_import_point_der(wpabuf_mhead(pubkey), 1 + 2 * key_len, 1816 ecdh->ec->key.idx, point); 1817 if (ret != MP_OKAY) 1818 goto fail; 1819 1820 secret = wpabuf_alloc(key_len); 1821 if (!secret) 1822 goto fail; 1823 1824 ret = wc_ecc_shared_secret_ex(&ecdh->ec->key, point, 1825 wpabuf_put(secret, key_len), &key_len); 1826 if (ret != MP_OKAY) 1827 goto fail; 1828 1829 done: 1830 wc_ecc_del_point(point); 1831 wpabuf_free(pubkey); 1832 return secret; 1833 fail: 1834 wpabuf_free(secret); 1835 secret = NULL; 1836 goto done; 1837 } 1838 1839 1840 size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh) 1841 { 1842 return crypto_ec_prime_len(ecdh->ec); 1843 } 1844 1845 #endif /* CONFIG_ECC */ 1846