1 /* 2 * Wrapper functions for libwolfssl 3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto.h" 13 14 /* wolfSSL headers */ 15 #include <wolfssl/options.h> 16 #include <wolfssl/wolfcrypt/md4.h> 17 #include <wolfssl/wolfcrypt/md5.h> 18 #include <wolfssl/wolfcrypt/sha.h> 19 #include <wolfssl/wolfcrypt/sha256.h> 20 #include <wolfssl/wolfcrypt/sha512.h> 21 #include <wolfssl/wolfcrypt/hmac.h> 22 #include <wolfssl/wolfcrypt/pwdbased.h> 23 #include <wolfssl/wolfcrypt/arc4.h> 24 #include <wolfssl/wolfcrypt/des3.h> 25 #include <wolfssl/wolfcrypt/aes.h> 26 #include <wolfssl/wolfcrypt/dh.h> 27 #include <wolfssl/wolfcrypt/cmac.h> 28 #include <wolfssl/wolfcrypt/ecc.h> 29 #include <wolfssl/openssl/bn.h> 30 31 32 #ifndef CONFIG_FIPS 33 34 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 35 { 36 Md4 md4; 37 size_t i; 38 39 if (TEST_FAIL()) 40 return -1; 41 42 wc_InitMd4(&md4); 43 44 for (i = 0; i < num_elem; i++) 45 wc_Md4Update(&md4, addr[i], len[i]); 46 47 wc_Md4Final(&md4, mac); 48 49 return 0; 50 } 51 52 53 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 54 { 55 wc_Md5 md5; 56 size_t i; 57 58 if (TEST_FAIL()) 59 return -1; 60 61 wc_InitMd5(&md5); 62 63 for (i = 0; i < num_elem; i++) 64 wc_Md5Update(&md5, addr[i], len[i]); 65 66 wc_Md5Final(&md5, mac); 67 68 return 0; 69 } 70 71 #endif /* CONFIG_FIPS */ 72 73 74 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 75 { 76 wc_Sha sha; 77 size_t i; 78 79 if (TEST_FAIL()) 80 return -1; 81 82 wc_InitSha(&sha); 83 84 for (i = 0; i < num_elem; i++) 85 wc_ShaUpdate(&sha, addr[i], len[i]); 86 87 wc_ShaFinal(&sha, mac); 88 89 return 0; 90 } 91 92 93 #ifndef NO_SHA256_WRAPPER 94 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, 95 u8 *mac) 96 { 97 wc_Sha256 sha256; 98 size_t i; 99 100 if (TEST_FAIL()) 101 return -1; 102 103 wc_InitSha256(&sha256); 104 105 for (i = 0; i < num_elem; i++) 106 wc_Sha256Update(&sha256, addr[i], len[i]); 107 108 wc_Sha256Final(&sha256, mac); 109 110 return 0; 111 } 112 #endif /* NO_SHA256_WRAPPER */ 113 114 115 #ifdef CONFIG_SHA384 116 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len, 117 u8 *mac) 118 { 119 wc_Sha384 sha384; 120 size_t i; 121 122 if (TEST_FAIL()) 123 return -1; 124 125 wc_InitSha384(&sha384); 126 127 for (i = 0; i < num_elem; i++) 128 wc_Sha384Update(&sha384, addr[i], len[i]); 129 130 wc_Sha384Final(&sha384, mac); 131 132 return 0; 133 } 134 #endif /* CONFIG_SHA384 */ 135 136 137 #ifdef CONFIG_SHA512 138 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len, 139 u8 *mac) 140 { 141 wc_Sha512 sha512; 142 size_t i; 143 144 if (TEST_FAIL()) 145 return -1; 146 147 wc_InitSha512(&sha512); 148 149 for (i = 0; i < num_elem; i++) 150 wc_Sha512Update(&sha512, addr[i], len[i]); 151 152 wc_Sha512Final(&sha512, mac); 153 154 return 0; 155 } 156 #endif /* CONFIG_SHA512 */ 157 158 159 static int wolfssl_hmac_vector(int type, const u8 *key, 160 size_t key_len, size_t num_elem, 161 const u8 *addr[], const size_t *len, u8 *mac, 162 unsigned int mdlen) 163 { 164 Hmac hmac; 165 size_t i; 166 167 (void) mdlen; 168 169 if (TEST_FAIL()) 170 return -1; 171 172 if (wc_HmacSetKey(&hmac, type, key, (word32) key_len) != 0) 173 return -1; 174 for (i = 0; i < num_elem; i++) 175 if (wc_HmacUpdate(&hmac, addr[i], len[i]) != 0) 176 return -1; 177 if (wc_HmacFinal(&hmac, mac) != 0) 178 return -1; 179 return 0; 180 } 181 182 183 #ifndef CONFIG_FIPS 184 185 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem, 186 const u8 *addr[], const size_t *len, u8 *mac) 187 { 188 return wolfssl_hmac_vector(WC_MD5, key, key_len, num_elem, addr, len, 189 mac, 16); 190 } 191 192 193 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 194 u8 *mac) 195 { 196 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac); 197 } 198 199 #endif /* CONFIG_FIPS */ 200 201 202 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, 203 const u8 *addr[], const size_t *len, u8 *mac) 204 { 205 return wolfssl_hmac_vector(WC_SHA, key, key_len, num_elem, addr, len, 206 mac, 20); 207 } 208 209 210 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 211 u8 *mac) 212 { 213 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); 214 } 215 216 217 #ifdef CONFIG_SHA256 218 219 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, 220 const u8 *addr[], const size_t *len, u8 *mac) 221 { 222 return wolfssl_hmac_vector(WC_SHA256, key, key_len, num_elem, addr, len, 223 mac, 32); 224 } 225 226 227 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 228 size_t data_len, u8 *mac) 229 { 230 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); 231 } 232 233 #endif /* CONFIG_SHA256 */ 234 235 236 #ifdef CONFIG_SHA384 237 238 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem, 239 const u8 *addr[], const size_t *len, u8 *mac) 240 { 241 return wolfssl_hmac_vector(WC_SHA384, key, key_len, num_elem, addr, len, 242 mac, 48); 243 } 244 245 246 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, 247 size_t data_len, u8 *mac) 248 { 249 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac); 250 } 251 252 #endif /* CONFIG_SHA384 */ 253 254 255 #ifdef CONFIG_SHA512 256 257 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem, 258 const u8 *addr[], const size_t *len, u8 *mac) 259 { 260 return wolfssl_hmac_vector(WC_SHA512, key, key_len, num_elem, addr, len, 261 mac, 64); 262 } 263 264 265 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data, 266 size_t data_len, u8 *mac) 267 { 268 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac); 269 } 270 271 #endif /* CONFIG_SHA512 */ 272 273 274 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len, 275 int iterations, u8 *buf, size_t buflen) 276 { 277 if (wc_PBKDF2(buf, (const byte*)passphrase, os_strlen(passphrase), ssid, 278 ssid_len, iterations, buflen, WC_SHA) != 0) 279 return -1; 280 return 0; 281 } 282 283 284 #ifdef CONFIG_DES 285 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) 286 { 287 Des des; 288 u8 pkey[8], next, tmp; 289 int i; 290 291 /* Add parity bits to the key */ 292 next = 0; 293 for (i = 0; i < 7; i++) { 294 tmp = key[i]; 295 pkey[i] = (tmp >> i) | next | 1; 296 next = tmp << (7 - i); 297 } 298 pkey[i] = next | 1; 299 300 wc_Des_SetKey(&des, pkey, NULL, DES_ENCRYPTION); 301 wc_Des_EcbEncrypt(&des, cypher, clear, DES_BLOCK_SIZE); 302 303 return 0; 304 } 305 #endif /* CONFIG_DES */ 306 307 308 void * aes_encrypt_init(const u8 *key, size_t len) 309 { 310 Aes *aes; 311 312 if (TEST_FAIL()) 313 return NULL; 314 315 aes = os_malloc(sizeof(Aes)); 316 if (!aes) 317 return NULL; 318 319 if (wc_AesSetKey(aes, key, len, NULL, AES_ENCRYPTION) < 0) { 320 os_free(aes); 321 return NULL; 322 } 323 324 return aes; 325 } 326 327 328 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) 329 { 330 wc_AesEncryptDirect(ctx, crypt, plain); 331 return 0; 332 } 333 334 335 void aes_encrypt_deinit(void *ctx) 336 { 337 os_free(ctx); 338 } 339 340 341 void * aes_decrypt_init(const u8 *key, size_t len) 342 { 343 Aes *aes; 344 345 if (TEST_FAIL()) 346 return NULL; 347 348 aes = os_malloc(sizeof(Aes)); 349 if (!aes) 350 return NULL; 351 352 if (wc_AesSetKey(aes, key, len, NULL, AES_DECRYPTION) < 0) { 353 os_free(aes); 354 return NULL; 355 } 356 357 return aes; 358 } 359 360 361 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) 362 { 363 wc_AesDecryptDirect(ctx, plain, crypt); 364 return 0; 365 } 366 367 368 void aes_decrypt_deinit(void *ctx) 369 { 370 os_free(ctx); 371 } 372 373 374 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 375 { 376 Aes aes; 377 int ret; 378 379 if (TEST_FAIL()) 380 return -1; 381 382 ret = wc_AesSetKey(&aes, key, 16, iv, AES_ENCRYPTION); 383 if (ret != 0) 384 return -1; 385 386 ret = wc_AesCbcEncrypt(&aes, data, data, data_len); 387 if (ret != 0) 388 return -1; 389 return 0; 390 } 391 392 393 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 394 { 395 Aes aes; 396 int ret; 397 398 if (TEST_FAIL()) 399 return -1; 400 401 ret = wc_AesSetKey(&aes, key, 16, iv, AES_DECRYPTION); 402 if (ret != 0) 403 return -1; 404 405 ret = wc_AesCbcDecrypt(&aes, data, data, data_len); 406 if (ret != 0) 407 return -1; 408 return 0; 409 } 410 411 412 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) 413 { 414 int ret; 415 416 if (TEST_FAIL()) 417 return -1; 418 419 ret = wc_AesKeyWrap(kek, kek_len, plain, n * 8, cipher, (n + 1) * 8, 420 NULL); 421 return ret != (n + 1) * 8 ? -1 : 0; 422 } 423 424 425 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, 426 u8 *plain) 427 { 428 int ret; 429 430 if (TEST_FAIL()) 431 return -1; 432 433 ret = wc_AesKeyUnWrap(kek, kek_len, cipher, (n + 1) * 8, plain, n * 8, 434 NULL); 435 return ret != n * 8 ? -1 : 0; 436 } 437 438 439 #ifndef CONFIG_NO_RC4 440 int rc4_skip(const u8 *key, size_t keylen, size_t skip, u8 *data, 441 size_t data_len) 442 { 443 #ifndef NO_RC4 444 Arc4 arc4; 445 unsigned char skip_buf[16]; 446 447 wc_Arc4SetKey(&arc4, key, keylen); 448 449 while (skip >= sizeof(skip_buf)) { 450 size_t len = skip; 451 452 if (len > sizeof(skip_buf)) 453 len = sizeof(skip_buf); 454 wc_Arc4Process(&arc4, skip_buf, skip_buf, len); 455 skip -= len; 456 } 457 458 wc_Arc4Process(&arc4, data, data, data_len); 459 460 return 0; 461 #else /* NO_RC4 */ 462 return -1; 463 #endif /* NO_RC4 */ 464 } 465 #endif /* CONFIG_NO_RC4 */ 466 467 468 #if defined(EAP_IKEV2) || defined(EAP_IKEV2_DYNAMIC) \ 469 || defined(EAP_SERVER_IKEV2) 470 union wolfssl_cipher { 471 Aes aes; 472 Des3 des3; 473 Arc4 arc4; 474 }; 475 476 struct crypto_cipher { 477 enum crypto_cipher_alg alg; 478 union wolfssl_cipher enc; 479 union wolfssl_cipher dec; 480 }; 481 482 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, 483 const u8 *iv, const u8 *key, 484 size_t key_len) 485 { 486 struct crypto_cipher *ctx; 487 488 ctx = os_zalloc(sizeof(*ctx)); 489 if (!ctx) 490 return NULL; 491 492 switch (alg) { 493 #ifndef CONFIG_NO_RC4 494 #ifndef NO_RC4 495 case CRYPTO_CIPHER_ALG_RC4: 496 wc_Arc4SetKey(&ctx->enc.arc4, key, key_len); 497 wc_Arc4SetKey(&ctx->dec.arc4, key, key_len); 498 break; 499 #endif /* NO_RC4 */ 500 #endif /* CONFIG_NO_RC4 */ 501 #ifndef NO_AES 502 case CRYPTO_CIPHER_ALG_AES: 503 switch (key_len) { 504 case 16: 505 case 24: 506 case 32: 507 break; 508 default: 509 os_free(ctx); 510 return NULL; 511 } 512 if (wc_AesSetKey(&ctx->enc.aes, key, key_len, iv, 513 AES_ENCRYPTION) || 514 wc_AesSetKey(&ctx->dec.aes, key, key_len, iv, 515 AES_DECRYPTION)) { 516 os_free(ctx); 517 return NULL; 518 } 519 break; 520 #endif /* NO_AES */ 521 #ifndef NO_DES3 522 case CRYPTO_CIPHER_ALG_3DES: 523 if (key_len != DES3_KEYLEN || 524 wc_Des3_SetKey(&ctx->enc.des3, key, iv, DES_ENCRYPTION) || 525 wc_Des3_SetKey(&ctx->dec.des3, key, iv, DES_DECRYPTION)) { 526 os_free(ctx); 527 return NULL; 528 } 529 break; 530 #endif /* NO_DES3 */ 531 case CRYPTO_CIPHER_ALG_RC2: 532 case CRYPTO_CIPHER_ALG_DES: 533 default: 534 os_free(ctx); 535 return NULL; 536 } 537 538 ctx->alg = alg; 539 540 return ctx; 541 } 542 543 544 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain, 545 u8 *crypt, size_t len) 546 { 547 switch (ctx->alg) { 548 #ifndef CONFIG_NO_RC4 549 #ifndef NO_RC4 550 case CRYPTO_CIPHER_ALG_RC4: 551 wc_Arc4Process(&ctx->enc.arc4, crypt, plain, len); 552 return 0; 553 #endif /* NO_RC4 */ 554 #endif /* CONFIG_NO_RC4 */ 555 #ifndef NO_AES 556 case CRYPTO_CIPHER_ALG_AES: 557 if (wc_AesCbcEncrypt(&ctx->enc.aes, crypt, plain, len) != 0) 558 return -1; 559 return 0; 560 #endif /* NO_AES */ 561 #ifndef NO_DES3 562 case CRYPTO_CIPHER_ALG_3DES: 563 if (wc_Des3_CbcEncrypt(&ctx->enc.des3, crypt, plain, len) != 0) 564 return -1; 565 return 0; 566 #endif /* NO_DES3 */ 567 default: 568 return -1; 569 } 570 return -1; 571 } 572 573 574 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt, 575 u8 *plain, size_t len) 576 { 577 switch (ctx->alg) { 578 #ifndef CONFIG_NO_RC4 579 #ifndef NO_RC4 580 case CRYPTO_CIPHER_ALG_RC4: 581 wc_Arc4Process(&ctx->dec.arc4, plain, crypt, len); 582 return 0; 583 #endif /* NO_RC4 */ 584 #endif /* CONFIG_NO_RC4 */ 585 #ifndef NO_AES 586 case CRYPTO_CIPHER_ALG_AES: 587 if (wc_AesCbcDecrypt(&ctx->dec.aes, plain, crypt, len) != 0) 588 return -1; 589 return 0; 590 #endif /* NO_AES */ 591 #ifndef NO_DES3 592 case CRYPTO_CIPHER_ALG_3DES: 593 if (wc_Des3_CbcDecrypt(&ctx->dec.des3, plain, crypt, len) != 0) 594 return -1; 595 return 0; 596 #endif /* NO_DES3 */ 597 default: 598 return -1; 599 } 600 return -1; 601 } 602 603 604 void crypto_cipher_deinit(struct crypto_cipher *ctx) 605 { 606 os_free(ctx); 607 } 608 609 #endif 610 611 612 #ifdef CONFIG_WPS_NFC 613 614 static const unsigned char RFC3526_PRIME_1536[] = { 615 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 616 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 617 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, 618 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 619 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 620 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 621 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, 622 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, 623 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, 624 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, 625 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, 626 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, 627 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, 628 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, 629 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, 630 0xCA, 0x23, 0x73, 0x27, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF 631 }; 632 633 static const unsigned char RFC3526_GENERATOR_1536[] = { 634 0x02 635 }; 636 637 #define RFC3526_LEN sizeof(RFC3526_PRIME_1536) 638 639 640 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) 641 { 642 WC_RNG rng; 643 DhKey *ret = NULL; 644 DhKey *dh = NULL; 645 struct wpabuf *privkey = NULL; 646 struct wpabuf *pubkey = NULL; 647 word32 priv_sz, pub_sz; 648 649 *priv = NULL; 650 wpabuf_free(*publ); 651 *publ = NULL; 652 653 dh = XMALLOC(sizeof(DhKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); 654 if (!dh) 655 return NULL; 656 wc_InitDhKey(dh); 657 658 if (wc_InitRng(&rng) != 0) { 659 XFREE(dh, NULL, DYNAMIC_TYPE_TMP_BUFFER); 660 return NULL; 661 } 662 663 privkey = wpabuf_alloc(RFC3526_LEN); 664 pubkey = wpabuf_alloc(RFC3526_LEN); 665 if (!privkey || !pubkey) 666 goto done; 667 668 if (wc_DhSetKey(dh, RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), 669 RFC3526_GENERATOR_1536, sizeof(RFC3526_GENERATOR_1536)) 670 != 0) 671 goto done; 672 673 if (wc_DhGenerateKeyPair(dh, &rng, wpabuf_mhead(privkey), &priv_sz, 674 wpabuf_mhead(pubkey), &pub_sz) != 0) 675 goto done; 676 677 wpabuf_put(privkey, priv_sz); 678 wpabuf_put(pubkey, pub_sz); 679 680 ret = dh; 681 *priv = privkey; 682 *publ = pubkey; 683 dh = NULL; 684 privkey = NULL; 685 pubkey = NULL; 686 done: 687 wpabuf_clear_free(pubkey); 688 wpabuf_clear_free(privkey); 689 if (dh) { 690 wc_FreeDhKey(dh); 691 XFREE(dh, NULL, DYNAMIC_TYPE_TMP_BUFFER); 692 } 693 wc_FreeRng(&rng); 694 return ret; 695 } 696 697 698 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) 699 { 700 DhKey *ret = NULL; 701 DhKey *dh; 702 byte *secret; 703 word32 secret_sz; 704 705 dh = XMALLOC(sizeof(DhKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); 706 if (!dh) 707 return NULL; 708 wc_InitDhKey(dh); 709 710 secret = XMALLOC(RFC3526_LEN, NULL, DYNAMIC_TYPE_TMP_BUFFER); 711 if (!secret) 712 goto done; 713 714 if (wc_DhSetKey(dh, RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), 715 RFC3526_GENERATOR_1536, sizeof(RFC3526_GENERATOR_1536)) 716 != 0) 717 goto done; 718 719 if (wc_DhAgree(dh, secret, &secret_sz, wpabuf_head(priv), 720 wpabuf_len(priv), RFC3526_GENERATOR_1536, 721 sizeof(RFC3526_GENERATOR_1536)) != 0) 722 goto done; 723 724 if (secret_sz != wpabuf_len(publ) || 725 os_memcmp(secret, wpabuf_head(publ), secret_sz) != 0) 726 goto done; 727 728 ret = dh; 729 dh = NULL; 730 done: 731 if (dh) { 732 wc_FreeDhKey(dh); 733 XFREE(dh, NULL, DYNAMIC_TYPE_TMP_BUFFER); 734 } 735 XFREE(secret, NULL, DYNAMIC_TYPE_TMP_BUFFER); 736 return ret; 737 } 738 739 740 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public, 741 const struct wpabuf *own_private) 742 { 743 struct wpabuf *ret = NULL; 744 struct wpabuf *secret; 745 word32 secret_sz; 746 747 secret = wpabuf_alloc(RFC3526_LEN); 748 if (!secret) 749 goto done; 750 751 if (wc_DhAgree(ctx, wpabuf_mhead(secret), &secret_sz, 752 wpabuf_head(own_private), wpabuf_len(own_private), 753 wpabuf_head(peer_public), wpabuf_len(peer_public)) != 0) 754 goto done; 755 756 wpabuf_put(secret, secret_sz); 757 758 ret = secret; 759 secret = NULL; 760 done: 761 wpabuf_clear_free(secret); 762 return ret; 763 } 764 765 766 void dh5_free(void *ctx) 767 { 768 if (!ctx) 769 return; 770 771 wc_FreeDhKey(ctx); 772 XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER); 773 } 774 775 #endif /* CONFIG_WPS_NFC */ 776 777 778 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey, 779 u8 *pubkey) 780 { 781 int ret = -1; 782 WC_RNG rng; 783 DhKey *dh = NULL; 784 word32 priv_sz, pub_sz; 785 786 if (TEST_FAIL()) 787 return -1; 788 789 dh = os_malloc(sizeof(DhKey)); 790 if (!dh) 791 return -1; 792 wc_InitDhKey(dh); 793 794 if (wc_InitRng(&rng) != 0) { 795 os_free(dh); 796 return -1; 797 } 798 799 if (wc_DhSetKey(dh, prime, prime_len, &generator, 1) != 0) 800 goto done; 801 802 if (wc_DhGenerateKeyPair(dh, &rng, privkey, &priv_sz, pubkey, &pub_sz) 803 != 0) 804 goto done; 805 806 if (priv_sz < prime_len) { 807 size_t pad_sz = prime_len - priv_sz; 808 809 os_memmove(privkey + pad_sz, privkey, priv_sz); 810 os_memset(privkey, 0, pad_sz); 811 } 812 813 if (pub_sz < prime_len) { 814 size_t pad_sz = prime_len - pub_sz; 815 816 os_memmove(pubkey + pad_sz, pubkey, pub_sz); 817 os_memset(pubkey, 0, pad_sz); 818 } 819 ret = 0; 820 done: 821 wc_FreeDhKey(dh); 822 os_free(dh); 823 wc_FreeRng(&rng); 824 return ret; 825 } 826 827 828 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len, 829 const u8 *privkey, size_t privkey_len, 830 const u8 *pubkey, size_t pubkey_len, 831 u8 *secret, size_t *len) 832 { 833 int ret = -1; 834 DhKey *dh; 835 word32 secret_sz; 836 837 dh = os_malloc(sizeof(DhKey)); 838 if (!dh) 839 return -1; 840 wc_InitDhKey(dh); 841 842 if (wc_DhSetKey(dh, prime, prime_len, &generator, 1) != 0) 843 goto done; 844 845 if (wc_DhAgree(dh, secret, &secret_sz, privkey, privkey_len, pubkey, 846 pubkey_len) != 0) 847 goto done; 848 849 *len = secret_sz; 850 ret = 0; 851 done: 852 wc_FreeDhKey(dh); 853 os_free(dh); 854 return ret; 855 } 856 857 858 #ifdef CONFIG_FIPS 859 int crypto_get_random(void *buf, size_t len) 860 { 861 int ret = 0; 862 WC_RNG rng; 863 864 if (wc_InitRng(&rng) != 0) 865 return -1; 866 if (wc_RNG_GenerateBlock(&rng, buf, len) != 0) 867 ret = -1; 868 wc_FreeRng(&rng); 869 return ret; 870 } 871 #endif /* CONFIG_FIPS */ 872 873 874 #if defined(EAP_PWD) || defined(EAP_SERVER_PWD) 875 struct crypto_hash { 876 Hmac hmac; 877 int size; 878 }; 879 880 881 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key, 882 size_t key_len) 883 { 884 struct crypto_hash *ret = NULL; 885 struct crypto_hash *hash; 886 int type; 887 888 hash = os_zalloc(sizeof(*hash)); 889 if (!hash) 890 goto done; 891 892 switch (alg) { 893 #ifndef NO_MD5 894 case CRYPTO_HASH_ALG_HMAC_MD5: 895 hash->size = 16; 896 type = WC_MD5; 897 break; 898 #endif /* NO_MD5 */ 899 #ifndef NO_SHA 900 case CRYPTO_HASH_ALG_HMAC_SHA1: 901 type = WC_SHA; 902 hash->size = 20; 903 break; 904 #endif /* NO_SHA */ 905 #ifdef CONFIG_SHA256 906 #ifndef NO_SHA256 907 case CRYPTO_HASH_ALG_HMAC_SHA256: 908 type = WC_SHA256; 909 hash->size = 32; 910 break; 911 #endif /* NO_SHA256 */ 912 #endif /* CONFIG_SHA256 */ 913 default: 914 goto done; 915 } 916 917 if (wc_HmacSetKey(&hash->hmac, type, key, key_len) != 0) 918 goto done; 919 920 ret = hash; 921 hash = NULL; 922 done: 923 os_free(hash); 924 return ret; 925 } 926 927 928 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len) 929 { 930 if (!ctx) 931 return; 932 wc_HmacUpdate(&ctx->hmac, data, len); 933 } 934 935 936 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len) 937 { 938 int ret = 0; 939 940 if (!ctx) 941 return -2; 942 943 if (!mac || !len) 944 goto done; 945 946 if (wc_HmacFinal(&ctx->hmac, mac) != 0) { 947 ret = -1; 948 goto done; 949 } 950 951 *len = ctx->size; 952 ret = 0; 953 done: 954 bin_clear_free(ctx, sizeof(*ctx)); 955 return ret; 956 } 957 958 #endif 959 960 961 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem, 962 const u8 *addr[], const size_t *len, u8 *mac) 963 { 964 Cmac cmac; 965 size_t i; 966 word32 sz; 967 968 if (TEST_FAIL()) 969 return -1; 970 971 if (wc_InitCmac(&cmac, key, key_len, WC_CMAC_AES, NULL) != 0) 972 return -1; 973 974 for (i = 0; i < num_elem; i++) 975 if (wc_CmacUpdate(&cmac, addr[i], len[i]) != 0) 976 return -1; 977 978 sz = AES_BLOCK_SIZE; 979 if (wc_CmacFinal(&cmac, mac, &sz) != 0 || sz != AES_BLOCK_SIZE) 980 return -1; 981 982 return 0; 983 } 984 985 986 int omac1_aes_128_vector(const u8 *key, size_t num_elem, 987 const u8 *addr[], const size_t *len, u8 *mac) 988 { 989 return omac1_aes_vector(key, 16, num_elem, addr, len, mac); 990 } 991 992 993 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 994 { 995 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 996 } 997 998 999 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 1000 { 1001 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac); 1002 } 1003 1004 1005 struct crypto_bignum * crypto_bignum_init(void) 1006 { 1007 mp_int *a; 1008 1009 if (TEST_FAIL()) 1010 return NULL; 1011 1012 a = os_malloc(sizeof(*a)); 1013 if (!a || mp_init(a) != MP_OKAY) { 1014 os_free(a); 1015 a = NULL; 1016 } 1017 1018 return (struct crypto_bignum *) a; 1019 } 1020 1021 1022 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) 1023 { 1024 mp_int *a; 1025 1026 if (TEST_FAIL()) 1027 return NULL; 1028 1029 a = (mp_int *) crypto_bignum_init(); 1030 if (!a) 1031 return NULL; 1032 1033 if (mp_read_unsigned_bin(a, buf, len) != MP_OKAY) { 1034 os_free(a); 1035 a = NULL; 1036 } 1037 1038 return (struct crypto_bignum *) a; 1039 } 1040 1041 1042 void crypto_bignum_deinit(struct crypto_bignum *n, int clear) 1043 { 1044 if (!n) 1045 return; 1046 1047 if (clear) 1048 mp_forcezero((mp_int *) n); 1049 mp_clear((mp_int *) n); 1050 os_free((mp_int *) n); 1051 } 1052 1053 1054 int crypto_bignum_to_bin(const struct crypto_bignum *a, 1055 u8 *buf, size_t buflen, size_t padlen) 1056 { 1057 int num_bytes, offset; 1058 1059 if (TEST_FAIL()) 1060 return -1; 1061 1062 if (padlen > buflen) 1063 return -1; 1064 1065 num_bytes = (mp_count_bits((mp_int *) a) + 7) / 8; 1066 if ((size_t) num_bytes > buflen) 1067 return -1; 1068 if (padlen > (size_t) num_bytes) 1069 offset = padlen - num_bytes; 1070 else 1071 offset = 0; 1072 1073 os_memset(buf, 0, offset); 1074 mp_to_unsigned_bin((mp_int *) a, buf + offset); 1075 1076 return num_bytes + offset; 1077 } 1078 1079 1080 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m) 1081 { 1082 int ret = 0; 1083 WC_RNG rng; 1084 1085 if (wc_InitRng(&rng) != 0) 1086 return -1; 1087 if (mp_rand_prime((mp_int *) r, 1088 (mp_count_bits((mp_int *) m) + 7) / 8 * 2, 1089 &rng, NULL) != 0) 1090 ret = -1; 1091 if (ret == 0 && 1092 mp_mod((mp_int *) r, (mp_int *) m, (mp_int *) r) != 0) 1093 ret = -1; 1094 wc_FreeRng(&rng); 1095 return ret; 1096 } 1097 1098 1099 int crypto_bignum_add(const struct crypto_bignum *a, 1100 const struct crypto_bignum *b, 1101 struct crypto_bignum *r) 1102 { 1103 return mp_add((mp_int *) a, (mp_int *) b, 1104 (mp_int *) r) == MP_OKAY ? 0 : -1; 1105 } 1106 1107 1108 int crypto_bignum_mod(const struct crypto_bignum *a, 1109 const struct crypto_bignum *m, 1110 struct crypto_bignum *r) 1111 { 1112 return mp_mod((mp_int *) a, (mp_int *) m, 1113 (mp_int *) r) == MP_OKAY ? 0 : -1; 1114 } 1115 1116 1117 int crypto_bignum_exptmod(const struct crypto_bignum *b, 1118 const struct crypto_bignum *e, 1119 const struct crypto_bignum *m, 1120 struct crypto_bignum *r) 1121 { 1122 if (TEST_FAIL()) 1123 return -1; 1124 1125 return mp_exptmod((mp_int *) b, (mp_int *) e, (mp_int *) m, 1126 (mp_int *) r) == MP_OKAY ? 0 : -1; 1127 } 1128 1129 1130 int crypto_bignum_inverse(const struct crypto_bignum *a, 1131 const struct crypto_bignum *m, 1132 struct crypto_bignum *r) 1133 { 1134 if (TEST_FAIL()) 1135 return -1; 1136 1137 return mp_invmod((mp_int *) a, (mp_int *) m, 1138 (mp_int *) r) == MP_OKAY ? 0 : -1; 1139 } 1140 1141 1142 int crypto_bignum_sub(const struct crypto_bignum *a, 1143 const struct crypto_bignum *b, 1144 struct crypto_bignum *r) 1145 { 1146 if (TEST_FAIL()) 1147 return -1; 1148 1149 return mp_add((mp_int *) a, (mp_int *) b, 1150 (mp_int *) r) == MP_OKAY ? 0 : -1; 1151 } 1152 1153 1154 int crypto_bignum_div(const struct crypto_bignum *a, 1155 const struct crypto_bignum *b, 1156 struct crypto_bignum *d) 1157 { 1158 if (TEST_FAIL()) 1159 return -1; 1160 1161 return mp_div((mp_int *) a, (mp_int *) b, (mp_int *) d, 1162 NULL) == MP_OKAY ? 0 : -1; 1163 } 1164 1165 1166 int crypto_bignum_mulmod(const struct crypto_bignum *a, 1167 const struct crypto_bignum *b, 1168 const struct crypto_bignum *m, 1169 struct crypto_bignum *d) 1170 { 1171 if (TEST_FAIL()) 1172 return -1; 1173 1174 return mp_mulmod((mp_int *) a, (mp_int *) b, (mp_int *) m, 1175 (mp_int *) d) == MP_OKAY ? 0 : -1; 1176 } 1177 1178 1179 int crypto_bignum_rshift(const struct crypto_bignum *a, int n, 1180 struct crypto_bignum *r) 1181 { 1182 if (mp_copy((mp_int *) a, (mp_int *) r) != MP_OKAY) 1183 return -1; 1184 mp_rshb((mp_int *) r, n); 1185 return 0; 1186 } 1187 1188 1189 int crypto_bignum_cmp(const struct crypto_bignum *a, 1190 const struct crypto_bignum *b) 1191 { 1192 return mp_cmp((mp_int *) a, (mp_int *) b); 1193 } 1194 1195 1196 int crypto_bignum_bits(const struct crypto_bignum *a) 1197 { 1198 return mp_count_bits((mp_int *) a); 1199 } 1200 1201 1202 int crypto_bignum_is_zero(const struct crypto_bignum *a) 1203 { 1204 return mp_iszero((mp_int *) a); 1205 } 1206 1207 1208 int crypto_bignum_is_one(const struct crypto_bignum *a) 1209 { 1210 return mp_isone((const mp_int *) a); 1211 } 1212 1213 int crypto_bignum_is_odd(const struct crypto_bignum *a) 1214 { 1215 return mp_isodd((mp_int *) a); 1216 } 1217 1218 1219 int crypto_bignum_legendre(const struct crypto_bignum *a, 1220 const struct crypto_bignum *p) 1221 { 1222 mp_int t; 1223 int ret; 1224 int res = -2; 1225 1226 if (TEST_FAIL()) 1227 return -2; 1228 1229 if (mp_init(&t) != MP_OKAY) 1230 return -2; 1231 1232 /* t = (p-1) / 2 */ 1233 ret = mp_sub_d((mp_int *) p, 1, &t); 1234 if (ret == MP_OKAY) 1235 mp_rshb(&t, 1); 1236 if (ret == MP_OKAY) 1237 ret = mp_exptmod((mp_int *) a, &t, (mp_int *) p, &t); 1238 if (ret == MP_OKAY) { 1239 if (mp_isone(&t)) 1240 res = 1; 1241 else if (mp_iszero(&t)) 1242 res = 0; 1243 else 1244 res = -1; 1245 } 1246 1247 mp_clear(&t); 1248 return res; 1249 } 1250 1251 1252 #ifdef CONFIG_ECC 1253 1254 int ecc_map(ecc_point *, mp_int *, mp_digit); 1255 int ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, 1256 mp_int *a, mp_int *modulus, mp_digit mp); 1257 1258 struct crypto_ec { 1259 ecc_key key; 1260 mp_int a; 1261 mp_int prime; 1262 mp_int order; 1263 mp_digit mont_b; 1264 mp_int b; 1265 }; 1266 1267 1268 struct crypto_ec * crypto_ec_init(int group) 1269 { 1270 int built = 0; 1271 struct crypto_ec *e; 1272 int curve_id; 1273 1274 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */ 1275 switch (group) { 1276 case 19: 1277 curve_id = ECC_SECP256R1; 1278 break; 1279 case 20: 1280 curve_id = ECC_SECP384R1; 1281 break; 1282 case 21: 1283 curve_id = ECC_SECP521R1; 1284 break; 1285 case 25: 1286 curve_id = ECC_SECP192R1; 1287 break; 1288 case 26: 1289 curve_id = ECC_SECP224R1; 1290 break; 1291 #ifdef HAVE_ECC_BRAINPOOL 1292 case 27: 1293 curve_id = ECC_BRAINPOOLP224R1; 1294 break; 1295 case 28: 1296 curve_id = ECC_BRAINPOOLP256R1; 1297 break; 1298 case 29: 1299 curve_id = ECC_BRAINPOOLP384R1; 1300 break; 1301 case 30: 1302 curve_id = ECC_BRAINPOOLP512R1; 1303 break; 1304 #endif /* HAVE_ECC_BRAINPOOL */ 1305 default: 1306 return NULL; 1307 } 1308 1309 e = os_zalloc(sizeof(*e)); 1310 if (!e) 1311 return NULL; 1312 1313 if (wc_ecc_init(&e->key) != 0 || 1314 wc_ecc_set_curve(&e->key, 0, curve_id) != 0 || 1315 mp_init(&e->a) != MP_OKAY || 1316 mp_init(&e->prime) != MP_OKAY || 1317 mp_init(&e->order) != MP_OKAY || 1318 mp_init(&e->b) != MP_OKAY || 1319 mp_read_radix(&e->a, e->key.dp->Af, 16) != MP_OKAY || 1320 mp_read_radix(&e->b, e->key.dp->Bf, 16) != MP_OKAY || 1321 mp_read_radix(&e->prime, e->key.dp->prime, 16) != MP_OKAY || 1322 mp_read_radix(&e->order, e->key.dp->order, 16) != MP_OKAY || 1323 mp_montgomery_setup(&e->prime, &e->mont_b) != MP_OKAY) 1324 goto done; 1325 1326 built = 1; 1327 done: 1328 if (!built) { 1329 crypto_ec_deinit(e); 1330 e = NULL; 1331 } 1332 return e; 1333 } 1334 1335 1336 void crypto_ec_deinit(struct crypto_ec* e) 1337 { 1338 if (!e) 1339 return; 1340 1341 mp_clear(&e->b); 1342 mp_clear(&e->order); 1343 mp_clear(&e->prime); 1344 mp_clear(&e->a); 1345 wc_ecc_free(&e->key); 1346 os_free(e); 1347 } 1348 1349 1350 int crypto_ec_cofactor(struct crypto_ec *e, struct crypto_bignum *cofactor) 1351 { 1352 if (!e || !cofactor) 1353 return -1; 1354 1355 mp_set((mp_int *) cofactor, e->key.dp->cofactor); 1356 return 0; 1357 } 1358 1359 1360 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e) 1361 { 1362 if (TEST_FAIL()) 1363 return NULL; 1364 if (!e) 1365 return NULL; 1366 return (struct crypto_ec_point *) wc_ecc_new_point(); 1367 } 1368 1369 1370 size_t crypto_ec_prime_len(struct crypto_ec *e) 1371 { 1372 return (mp_count_bits(&e->prime) + 7) / 8; 1373 } 1374 1375 1376 size_t crypto_ec_prime_len_bits(struct crypto_ec *e) 1377 { 1378 return mp_count_bits(&e->prime); 1379 } 1380 1381 1382 size_t crypto_ec_order_len(struct crypto_ec *e) 1383 { 1384 return (mp_count_bits(&e->order) + 7) / 8; 1385 } 1386 1387 1388 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e) 1389 { 1390 return (const struct crypto_bignum *) &e->prime; 1391 } 1392 1393 1394 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) 1395 { 1396 return (const struct crypto_bignum *) &e->order; 1397 } 1398 1399 1400 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) 1401 { 1402 ecc_point *point = (ecc_point *) p; 1403 1404 if (!p) 1405 return; 1406 1407 if (clear) { 1408 mp_forcezero(point->x); 1409 mp_forcezero(point->y); 1410 mp_forcezero(point->z); 1411 } 1412 wc_ecc_del_point(point); 1413 } 1414 1415 1416 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p, 1417 struct crypto_bignum *x) 1418 { 1419 return mp_copy(((ecc_point *) p)->x, (mp_int *) x) == MP_OKAY ? 0 : -1; 1420 } 1421 1422 1423 int crypto_ec_point_to_bin(struct crypto_ec *e, 1424 const struct crypto_ec_point *point, u8 *x, u8 *y) 1425 { 1426 ecc_point *p = (ecc_point *) point; 1427 1428 if (TEST_FAIL()) 1429 return -1; 1430 1431 if (!mp_isone(p->z)) { 1432 if (ecc_map(p, &e->prime, e->mont_b) != MP_OKAY) 1433 return -1; 1434 } 1435 1436 if (x) { 1437 if (crypto_bignum_to_bin((struct crypto_bignum *)p->x, x, 1438 e->key.dp->size, 1439 e->key.dp->size) <= 0) 1440 return -1; 1441 } 1442 1443 if (y) { 1444 if (crypto_bignum_to_bin((struct crypto_bignum *) p->y, y, 1445 e->key.dp->size, 1446 e->key.dp->size) <= 0) 1447 return -1; 1448 } 1449 1450 return 0; 1451 } 1452 1453 1454 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e, 1455 const u8 *val) 1456 { 1457 ecc_point *point = NULL; 1458 int loaded = 0; 1459 1460 if (TEST_FAIL()) 1461 return NULL; 1462 1463 point = wc_ecc_new_point(); 1464 if (!point) 1465 goto done; 1466 1467 if (mp_read_unsigned_bin(point->x, val, e->key.dp->size) != MP_OKAY) 1468 goto done; 1469 val += e->key.dp->size; 1470 if (mp_read_unsigned_bin(point->y, val, e->key.dp->size) != MP_OKAY) 1471 goto done; 1472 mp_set(point->z, 1); 1473 1474 loaded = 1; 1475 done: 1476 if (!loaded) { 1477 wc_ecc_del_point(point); 1478 point = NULL; 1479 } 1480 return (struct crypto_ec_point *) point; 1481 } 1482 1483 1484 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a, 1485 const struct crypto_ec_point *b, 1486 struct crypto_ec_point *c) 1487 { 1488 mp_int mu; 1489 ecc_point *ta = NULL, *tb = NULL; 1490 ecc_point *pa = (ecc_point *) a, *pb = (ecc_point *) b; 1491 mp_int *modulus = &e->prime; 1492 int ret; 1493 1494 if (TEST_FAIL()) 1495 return -1; 1496 1497 ret = mp_init(&mu); 1498 if (ret != MP_OKAY) 1499 return -1; 1500 1501 ret = mp_montgomery_calc_normalization(&mu, modulus); 1502 if (ret != MP_OKAY) { 1503 mp_clear(&mu); 1504 return -1; 1505 } 1506 1507 if (!mp_isone(&mu)) { 1508 ta = wc_ecc_new_point(); 1509 if (!ta) { 1510 mp_clear(&mu); 1511 return -1; 1512 } 1513 tb = wc_ecc_new_point(); 1514 if (!tb) { 1515 wc_ecc_del_point(ta); 1516 mp_clear(&mu); 1517 return -1; 1518 } 1519 1520 if (mp_mulmod(pa->x, &mu, modulus, ta->x) != MP_OKAY || 1521 mp_mulmod(pa->y, &mu, modulus, ta->y) != MP_OKAY || 1522 mp_mulmod(pa->z, &mu, modulus, ta->z) != MP_OKAY || 1523 mp_mulmod(pb->x, &mu, modulus, tb->x) != MP_OKAY || 1524 mp_mulmod(pb->y, &mu, modulus, tb->y) != MP_OKAY || 1525 mp_mulmod(pb->z, &mu, modulus, tb->z) != MP_OKAY) { 1526 ret = -1; 1527 goto end; 1528 } 1529 pa = ta; 1530 pb = tb; 1531 } 1532 1533 ret = ecc_projective_add_point(pa, pb, (ecc_point *) c, &e->a, 1534 &e->prime, e->mont_b); 1535 if (ret != 0) { 1536 ret = -1; 1537 goto end; 1538 } 1539 1540 if (ecc_map((ecc_point *) c, &e->prime, e->mont_b) != MP_OKAY) 1541 ret = -1; 1542 else 1543 ret = 0; 1544 end: 1545 wc_ecc_del_point(tb); 1546 wc_ecc_del_point(ta); 1547 mp_clear(&mu); 1548 return ret; 1549 } 1550 1551 1552 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p, 1553 const struct crypto_bignum *b, 1554 struct crypto_ec_point *res) 1555 { 1556 int ret; 1557 1558 if (TEST_FAIL()) 1559 return -1; 1560 1561 ret = wc_ecc_mulmod((mp_int *) b, (ecc_point *) p, (ecc_point *) res, 1562 &e->a, &e->prime, 1); 1563 return ret == 0 ? 0 : -1; 1564 } 1565 1566 1567 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p) 1568 { 1569 ecc_point *point = (ecc_point *) p; 1570 1571 if (TEST_FAIL()) 1572 return -1; 1573 1574 if (mp_sub(&e->prime, point->y, point->y) != MP_OKAY) 1575 return -1; 1576 1577 return 0; 1578 } 1579 1580 1581 int crypto_ec_point_solve_y_coord(struct crypto_ec *e, 1582 struct crypto_ec_point *p, 1583 const struct crypto_bignum *x, int y_bit) 1584 { 1585 byte buf[1 + 2 * MAX_ECC_BYTES]; 1586 int ret; 1587 int prime_len = crypto_ec_prime_len(e); 1588 1589 if (TEST_FAIL()) 1590 return -1; 1591 1592 buf[0] = y_bit ? ECC_POINT_COMP_ODD : ECC_POINT_COMP_EVEN; 1593 ret = crypto_bignum_to_bin(x, buf + 1, prime_len, prime_len); 1594 if (ret <= 0) 1595 return -1; 1596 ret = wc_ecc_import_point_der(buf, 1 + 2 * ret, e->key.idx, 1597 (ecc_point *) p); 1598 if (ret != 0) 1599 return -1; 1600 1601 return 0; 1602 } 1603 1604 1605 struct crypto_bignum * 1606 crypto_ec_point_compute_y_sqr(struct crypto_ec *e, 1607 const struct crypto_bignum *x) 1608 { 1609 mp_int *y2 = NULL; 1610 mp_int t; 1611 int calced = 0; 1612 1613 if (TEST_FAIL()) 1614 return NULL; 1615 1616 if (mp_init(&t) != MP_OKAY) 1617 return NULL; 1618 1619 y2 = (mp_int *) crypto_bignum_init(); 1620 if (!y2) 1621 goto done; 1622 1623 if (mp_sqrmod((mp_int *) x, &e->prime, y2) != 0 || 1624 mp_mulmod((mp_int *) x, y2, &e->prime, y2) != 0 || 1625 mp_mulmod((mp_int *) x, &e->a, &e->prime, &t) != 0 || 1626 mp_addmod(y2, &t, &e->prime, y2) != 0 || 1627 mp_addmod(y2, &e->b, &e->prime, y2) != 0) 1628 goto done; 1629 1630 calced = 1; 1631 done: 1632 if (!calced) { 1633 if (y2) { 1634 mp_clear(y2); 1635 os_free(y2); 1636 } 1637 mp_clear(&t); 1638 } 1639 1640 return (struct crypto_bignum *) y2; 1641 } 1642 1643 1644 int crypto_ec_point_is_at_infinity(struct crypto_ec *e, 1645 const struct crypto_ec_point *p) 1646 { 1647 return wc_ecc_point_is_at_infinity((ecc_point *) p); 1648 } 1649 1650 1651 int crypto_ec_point_is_on_curve(struct crypto_ec *e, 1652 const struct crypto_ec_point *p) 1653 { 1654 return wc_ecc_is_point((ecc_point *) p, &e->a, &e->b, &e->prime) == 1655 MP_OKAY; 1656 } 1657 1658 1659 int crypto_ec_point_cmp(const struct crypto_ec *e, 1660 const struct crypto_ec_point *a, 1661 const struct crypto_ec_point *b) 1662 { 1663 return wc_ecc_cmp_point((ecc_point *) a, (ecc_point *) b); 1664 } 1665 1666 1667 struct crypto_ecdh { 1668 struct crypto_ec *ec; 1669 }; 1670 1671 struct crypto_ecdh * crypto_ecdh_init(int group) 1672 { 1673 struct crypto_ecdh *ecdh = NULL; 1674 WC_RNG rng; 1675 int ret; 1676 1677 if (wc_InitRng(&rng) != 0) 1678 goto fail; 1679 1680 ecdh = os_zalloc(sizeof(*ecdh)); 1681 if (!ecdh) 1682 goto fail; 1683 1684 ecdh->ec = crypto_ec_init(group); 1685 if (!ecdh->ec) 1686 goto fail; 1687 1688 ret = wc_ecc_make_key_ex(&rng, ecdh->ec->key.dp->size, &ecdh->ec->key, 1689 ecdh->ec->key.dp->id); 1690 if (ret < 0) 1691 goto fail; 1692 1693 done: 1694 wc_FreeRng(&rng); 1695 1696 return ecdh; 1697 fail: 1698 crypto_ecdh_deinit(ecdh); 1699 ecdh = NULL; 1700 goto done; 1701 } 1702 1703 1704 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh) 1705 { 1706 if (ecdh) { 1707 crypto_ec_deinit(ecdh->ec); 1708 os_free(ecdh); 1709 } 1710 } 1711 1712 1713 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y) 1714 { 1715 struct wpabuf *buf = NULL; 1716 int ret; 1717 int len = ecdh->ec->key.dp->size; 1718 1719 buf = wpabuf_alloc(inc_y ? 2 * len : len); 1720 if (!buf) 1721 goto fail; 1722 1723 ret = crypto_bignum_to_bin((struct crypto_bignum *) 1724 ecdh->ec->key.pubkey.x, wpabuf_put(buf, len), 1725 len, len); 1726 if (ret < 0) 1727 goto fail; 1728 if (inc_y) { 1729 ret = crypto_bignum_to_bin((struct crypto_bignum *) 1730 ecdh->ec->key.pubkey.y, 1731 wpabuf_put(buf, len), len, len); 1732 if (ret < 0) 1733 goto fail; 1734 } 1735 1736 done: 1737 return buf; 1738 fail: 1739 wpabuf_free(buf); 1740 buf = NULL; 1741 goto done; 1742 } 1743 1744 1745 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y, 1746 const u8 *key, size_t len) 1747 { 1748 int ret; 1749 struct wpabuf *pubkey = NULL; 1750 struct wpabuf *secret = NULL; 1751 word32 key_len = ecdh->ec->key.dp->size; 1752 ecc_point *point = NULL; 1753 size_t need_key_len = inc_y ? 2 * key_len : key_len; 1754 1755 if (len < need_key_len) 1756 goto fail; 1757 pubkey = wpabuf_alloc(1 + 2 * key_len); 1758 if (!pubkey) 1759 goto fail; 1760 wpabuf_put_u8(pubkey, inc_y ? ECC_POINT_UNCOMP : ECC_POINT_COMP_EVEN); 1761 wpabuf_put_data(pubkey, key, need_key_len); 1762 1763 point = wc_ecc_new_point(); 1764 if (!point) 1765 goto fail; 1766 1767 ret = wc_ecc_import_point_der(wpabuf_mhead(pubkey), 1 + 2 * key_len, 1768 ecdh->ec->key.idx, point); 1769 if (ret != MP_OKAY) 1770 goto fail; 1771 1772 secret = wpabuf_alloc(key_len); 1773 if (!secret) 1774 goto fail; 1775 1776 ret = wc_ecc_shared_secret_ex(&ecdh->ec->key, point, 1777 wpabuf_put(secret, key_len), &key_len); 1778 if (ret != MP_OKAY) 1779 goto fail; 1780 1781 done: 1782 wc_ecc_del_point(point); 1783 wpabuf_free(pubkey); 1784 return secret; 1785 fail: 1786 wpabuf_free(secret); 1787 secret = NULL; 1788 goto done; 1789 } 1790 1791 #endif /* CONFIG_ECC */ 1792