Home | History | Annotate | Download | only in crypto
      1 /*
      2  * Wrapper functions for OpenSSL libcrypto
      3  * Copyright (c) 2004-2013, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 #include <openssl/opensslv.h>
     11 #include <openssl/err.h>
     12 #include <openssl/des.h>
     13 #include <openssl/aes.h>
     14 #include <openssl/bn.h>
     15 #include <openssl/evp.h>
     16 #include <openssl/dh.h>
     17 #include <openssl/hmac.h>
     18 #include <openssl/rand.h>
     19 #ifdef CONFIG_OPENSSL_CMAC
     20 #include <openssl/cmac.h>
     21 #endif /* CONFIG_OPENSSL_CMAC */
     22 #ifdef CONFIG_ECC
     23 #include <openssl/ec.h>
     24 #endif /* CONFIG_ECC */
     25 
     26 #include "common.h"
     27 #include "wpabuf.h"
     28 #include "dh_group5.h"
     29 #include "crypto.h"
     30 
     31 #if OPENSSL_VERSION_NUMBER < 0x00907000
     32 #define DES_key_schedule des_key_schedule
     33 #define DES_cblock des_cblock
     34 #define DES_set_key(key, schedule) des_set_key((key), *(schedule))
     35 #define DES_ecb_encrypt(input, output, ks, enc) \
     36 	des_ecb_encrypt((input), (output), *(ks), (enc))
     37 #endif /* openssl < 0.9.7 */
     38 
     39 static BIGNUM * get_group5_prime(void)
     40 {
     41 #if OPENSSL_VERSION_NUMBER < 0x00908000
     42 	static const unsigned char RFC3526_PRIME_1536[] = {
     43 		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
     44 		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
     45 		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
     46 		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
     47 		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
     48 		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
     49 		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
     50 		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
     51 		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
     52 		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
     53 		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
     54 		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
     55 		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
     56 		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
     57 		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
     58 		0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     59 	};
     60         return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
     61 #else /* openssl < 0.9.8 */
     62 	return get_rfc3526_prime_1536(NULL);
     63 #endif /* openssl < 0.9.8 */
     64 }
     65 
     66 #if OPENSSL_VERSION_NUMBER < 0x00908000
     67 #ifndef OPENSSL_NO_SHA256
     68 #ifndef OPENSSL_FIPS
     69 #define NO_SHA256_WRAPPER
     70 #endif
     71 #endif
     72 
     73 #endif /* openssl < 0.9.8 */
     74 
     75 #ifdef OPENSSL_NO_SHA256
     76 #define NO_SHA256_WRAPPER
     77 #endif
     78 
     79 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
     80 				 const u8 *addr[], const size_t *len, u8 *mac)
     81 {
     82 	EVP_MD_CTX ctx;
     83 	size_t i;
     84 	unsigned int mac_len;
     85 
     86 	EVP_MD_CTX_init(&ctx);
     87 	if (!EVP_DigestInit_ex(&ctx, type, NULL)) {
     88 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
     89 			   ERR_error_string(ERR_get_error(), NULL));
     90 		return -1;
     91 	}
     92 	for (i = 0; i < num_elem; i++) {
     93 		if (!EVP_DigestUpdate(&ctx, addr[i], len[i])) {
     94 			wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
     95 				   "failed: %s",
     96 				   ERR_error_string(ERR_get_error(), NULL));
     97 			return -1;
     98 		}
     99 	}
    100 	if (!EVP_DigestFinal(&ctx, mac, &mac_len)) {
    101 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
    102 			   ERR_error_string(ERR_get_error(), NULL));
    103 		return -1;
    104 	}
    105 
    106 	return 0;
    107 }
    108 
    109 
    110 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
    111 {
    112 	return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
    113 }
    114 
    115 
    116 void des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
    117 {
    118 	u8 pkey[8], next, tmp;
    119 	int i;
    120 	DES_key_schedule ks;
    121 
    122 	/* Add parity bits to the key */
    123 	next = 0;
    124 	for (i = 0; i < 7; i++) {
    125 		tmp = key[i];
    126 		pkey[i] = (tmp >> i) | next | 1;
    127 		next = tmp << (7 - i);
    128 	}
    129 	pkey[i] = next | 1;
    130 
    131 	DES_set_key(&pkey, &ks);
    132 	DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks,
    133 			DES_ENCRYPT);
    134 }
    135 
    136 
    137 int rc4_skip(const u8 *key, size_t keylen, size_t skip,
    138 	     u8 *data, size_t data_len)
    139 {
    140 #ifdef OPENSSL_NO_RC4
    141 	return -1;
    142 #else /* OPENSSL_NO_RC4 */
    143 	EVP_CIPHER_CTX ctx;
    144 	int outl;
    145 	int res = -1;
    146 	unsigned char skip_buf[16];
    147 
    148 	EVP_CIPHER_CTX_init(&ctx);
    149 	if (!EVP_CIPHER_CTX_set_padding(&ctx, 0) ||
    150 	    !EVP_CipherInit_ex(&ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
    151 	    !EVP_CIPHER_CTX_set_key_length(&ctx, keylen) ||
    152 	    !EVP_CipherInit_ex(&ctx, NULL, NULL, key, NULL, 1))
    153 		goto out;
    154 
    155 	while (skip >= sizeof(skip_buf)) {
    156 		size_t len = skip;
    157 		if (len > sizeof(skip_buf))
    158 			len = sizeof(skip_buf);
    159 		if (!EVP_CipherUpdate(&ctx, skip_buf, &outl, skip_buf, len))
    160 			goto out;
    161 		skip -= len;
    162 	}
    163 
    164 	if (EVP_CipherUpdate(&ctx, data, &outl, data, data_len))
    165 		res = 0;
    166 
    167 out:
    168 	EVP_CIPHER_CTX_cleanup(&ctx);
    169 	return res;
    170 #endif /* OPENSSL_NO_RC4 */
    171 }
    172 
    173 
    174 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
    175 {
    176 	return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
    177 }
    178 
    179 
    180 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
    181 {
    182 	return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
    183 }
    184 
    185 
    186 #ifndef NO_SHA256_WRAPPER
    187 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
    188 		  u8 *mac)
    189 {
    190 	return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
    191 }
    192 #endif /* NO_SHA256_WRAPPER */
    193 
    194 
    195 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
    196 {
    197 	switch (keylen) {
    198 	case 16:
    199 		return EVP_aes_128_ecb();
    200 	case 24:
    201 		return EVP_aes_192_ecb();
    202 	case 32:
    203 		return EVP_aes_256_ecb();
    204 	}
    205 
    206 	return NULL;
    207 }
    208 
    209 
    210 void * aes_encrypt_init(const u8 *key, size_t len)
    211 {
    212 	EVP_CIPHER_CTX *ctx;
    213 	const EVP_CIPHER *type;
    214 
    215 	type = aes_get_evp_cipher(len);
    216 	if (type == NULL)
    217 		return NULL;
    218 
    219 	ctx = os_malloc(sizeof(*ctx));
    220 	if (ctx == NULL)
    221 		return NULL;
    222 	EVP_CIPHER_CTX_init(ctx);
    223 	if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
    224 		os_free(ctx);
    225 		return NULL;
    226 	}
    227 	EVP_CIPHER_CTX_set_padding(ctx, 0);
    228 	return ctx;
    229 }
    230 
    231 
    232 void aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
    233 {
    234 	EVP_CIPHER_CTX *c = ctx;
    235 	int clen = 16;
    236 	if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
    237 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
    238 			   ERR_error_string(ERR_get_error(), NULL));
    239 	}
    240 }
    241 
    242 
    243 void aes_encrypt_deinit(void *ctx)
    244 {
    245 	EVP_CIPHER_CTX *c = ctx;
    246 	u8 buf[16];
    247 	int len = sizeof(buf);
    248 	if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
    249 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
    250 			   "%s", ERR_error_string(ERR_get_error(), NULL));
    251 	}
    252 	if (len != 0) {
    253 		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
    254 			   "in AES encrypt", len);
    255 	}
    256 	EVP_CIPHER_CTX_cleanup(c);
    257 	os_free(c);
    258 }
    259 
    260 
    261 void * aes_decrypt_init(const u8 *key, size_t len)
    262 {
    263 	EVP_CIPHER_CTX *ctx;
    264 	const EVP_CIPHER *type;
    265 
    266 	type = aes_get_evp_cipher(len);
    267 	if (type == NULL)
    268 		return NULL;
    269 
    270 	ctx = os_malloc(sizeof(*ctx));
    271 	if (ctx == NULL)
    272 		return NULL;
    273 	EVP_CIPHER_CTX_init(ctx);
    274 	if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
    275 		os_free(ctx);
    276 		return NULL;
    277 	}
    278 	EVP_CIPHER_CTX_set_padding(ctx, 0);
    279 	return ctx;
    280 }
    281 
    282 
    283 void aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
    284 {
    285 	EVP_CIPHER_CTX *c = ctx;
    286 	int plen = 16;
    287 	if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
    288 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
    289 			   ERR_error_string(ERR_get_error(), NULL));
    290 	}
    291 }
    292 
    293 
    294 void aes_decrypt_deinit(void *ctx)
    295 {
    296 	EVP_CIPHER_CTX *c = ctx;
    297 	u8 buf[16];
    298 	int len = sizeof(buf);
    299 	if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
    300 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
    301 			   "%s", ERR_error_string(ERR_get_error(), NULL));
    302 	}
    303 	if (len != 0) {
    304 		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
    305 			   "in AES decrypt", len);
    306 	}
    307 	EVP_CIPHER_CTX_cleanup(c);
    308 	os_free(ctx);
    309 }
    310 
    311 
    312 int crypto_mod_exp(const u8 *base, size_t base_len,
    313 		   const u8 *power, size_t power_len,
    314 		   const u8 *modulus, size_t modulus_len,
    315 		   u8 *result, size_t *result_len)
    316 {
    317 	BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
    318 	int ret = -1;
    319 	BN_CTX *ctx;
    320 
    321 	ctx = BN_CTX_new();
    322 	if (ctx == NULL)
    323 		return -1;
    324 
    325 	bn_base = BN_bin2bn(base, base_len, NULL);
    326 	bn_exp = BN_bin2bn(power, power_len, NULL);
    327 	bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
    328 	bn_result = BN_new();
    329 
    330 	if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
    331 	    bn_result == NULL)
    332 		goto error;
    333 
    334 	if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
    335 		goto error;
    336 
    337 	*result_len = BN_bn2bin(bn_result, result);
    338 	ret = 0;
    339 
    340 error:
    341 	BN_free(bn_base);
    342 	BN_free(bn_exp);
    343 	BN_free(bn_modulus);
    344 	BN_free(bn_result);
    345 	BN_CTX_free(ctx);
    346 	return ret;
    347 }
    348 
    349 
    350 struct crypto_cipher {
    351 	EVP_CIPHER_CTX enc;
    352 	EVP_CIPHER_CTX dec;
    353 };
    354 
    355 
    356 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
    357 					  const u8 *iv, const u8 *key,
    358 					  size_t key_len)
    359 {
    360 	struct crypto_cipher *ctx;
    361 	const EVP_CIPHER *cipher;
    362 
    363 	ctx = os_zalloc(sizeof(*ctx));
    364 	if (ctx == NULL)
    365 		return NULL;
    366 
    367 	switch (alg) {
    368 #ifndef OPENSSL_NO_RC4
    369 	case CRYPTO_CIPHER_ALG_RC4:
    370 		cipher = EVP_rc4();
    371 		break;
    372 #endif /* OPENSSL_NO_RC4 */
    373 #ifndef OPENSSL_NO_AES
    374 	case CRYPTO_CIPHER_ALG_AES:
    375 		switch (key_len) {
    376 		case 16:
    377 			cipher = EVP_aes_128_cbc();
    378 			break;
    379 		case 24:
    380 			cipher = EVP_aes_192_cbc();
    381 			break;
    382 		case 32:
    383 			cipher = EVP_aes_256_cbc();
    384 			break;
    385 		default:
    386 			os_free(ctx);
    387 			return NULL;
    388 		}
    389 		break;
    390 #endif /* OPENSSL_NO_AES */
    391 #ifndef OPENSSL_NO_DES
    392 	case CRYPTO_CIPHER_ALG_3DES:
    393 		cipher = EVP_des_ede3_cbc();
    394 		break;
    395 	case CRYPTO_CIPHER_ALG_DES:
    396 		cipher = EVP_des_cbc();
    397 		break;
    398 #endif /* OPENSSL_NO_DES */
    399 #ifndef OPENSSL_NO_RC2
    400 	case CRYPTO_CIPHER_ALG_RC2:
    401 		cipher = EVP_rc2_ecb();
    402 		break;
    403 #endif /* OPENSSL_NO_RC2 */
    404 	default:
    405 		os_free(ctx);
    406 		return NULL;
    407 	}
    408 
    409 	EVP_CIPHER_CTX_init(&ctx->enc);
    410 	EVP_CIPHER_CTX_set_padding(&ctx->enc, 0);
    411 	if (!EVP_EncryptInit_ex(&ctx->enc, cipher, NULL, NULL, NULL) ||
    412 	    !EVP_CIPHER_CTX_set_key_length(&ctx->enc, key_len) ||
    413 	    !EVP_EncryptInit_ex(&ctx->enc, NULL, NULL, key, iv)) {
    414 		EVP_CIPHER_CTX_cleanup(&ctx->enc);
    415 		os_free(ctx);
    416 		return NULL;
    417 	}
    418 
    419 	EVP_CIPHER_CTX_init(&ctx->dec);
    420 	EVP_CIPHER_CTX_set_padding(&ctx->dec, 0);
    421 	if (!EVP_DecryptInit_ex(&ctx->dec, cipher, NULL, NULL, NULL) ||
    422 	    !EVP_CIPHER_CTX_set_key_length(&ctx->dec, key_len) ||
    423 	    !EVP_DecryptInit_ex(&ctx->dec, NULL, NULL, key, iv)) {
    424 		EVP_CIPHER_CTX_cleanup(&ctx->enc);
    425 		EVP_CIPHER_CTX_cleanup(&ctx->dec);
    426 		os_free(ctx);
    427 		return NULL;
    428 	}
    429 
    430 	return ctx;
    431 }
    432 
    433 
    434 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
    435 			  u8 *crypt, size_t len)
    436 {
    437 	int outl;
    438 	if (!EVP_EncryptUpdate(&ctx->enc, crypt, &outl, plain, len))
    439 		return -1;
    440 	return 0;
    441 }
    442 
    443 
    444 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
    445 			  u8 *plain, size_t len)
    446 {
    447 	int outl;
    448 	outl = len;
    449 	if (!EVP_DecryptUpdate(&ctx->dec, plain, &outl, crypt, len))
    450 		return -1;
    451 	return 0;
    452 }
    453 
    454 
    455 void crypto_cipher_deinit(struct crypto_cipher *ctx)
    456 {
    457 	EVP_CIPHER_CTX_cleanup(&ctx->enc);
    458 	EVP_CIPHER_CTX_cleanup(&ctx->dec);
    459 	os_free(ctx);
    460 }
    461 
    462 
    463 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
    464 {
    465 	DH *dh;
    466 	struct wpabuf *pubkey = NULL, *privkey = NULL;
    467 	size_t publen, privlen;
    468 
    469 	*priv = NULL;
    470 	*publ = NULL;
    471 
    472 	dh = DH_new();
    473 	if (dh == NULL)
    474 		return NULL;
    475 
    476 	dh->g = BN_new();
    477 	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
    478 		goto err;
    479 
    480 	dh->p = get_group5_prime();
    481 	if (dh->p == NULL)
    482 		goto err;
    483 
    484 	if (DH_generate_key(dh) != 1)
    485 		goto err;
    486 
    487 	publen = BN_num_bytes(dh->pub_key);
    488 	pubkey = wpabuf_alloc(publen);
    489 	if (pubkey == NULL)
    490 		goto err;
    491 	privlen = BN_num_bytes(dh->priv_key);
    492 	privkey = wpabuf_alloc(privlen);
    493 	if (privkey == NULL)
    494 		goto err;
    495 
    496 	BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
    497 	BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
    498 
    499 	*priv = privkey;
    500 	*publ = pubkey;
    501 	return dh;
    502 
    503 err:
    504 	wpabuf_free(pubkey);
    505 	wpabuf_free(privkey);
    506 	DH_free(dh);
    507 	return NULL;
    508 }
    509 
    510 
    511 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
    512 {
    513 	DH *dh;
    514 
    515 	dh = DH_new();
    516 	if (dh == NULL)
    517 		return NULL;
    518 
    519 	dh->g = BN_new();
    520 	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
    521 		goto err;
    522 
    523 	dh->p = get_group5_prime();
    524 	if (dh->p == NULL)
    525 		goto err;
    526 
    527 	dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
    528 	if (dh->priv_key == NULL)
    529 		goto err;
    530 
    531 	dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
    532 	if (dh->pub_key == NULL)
    533 		goto err;
    534 
    535 	if (DH_generate_key(dh) != 1)
    536 		goto err;
    537 
    538 	return dh;
    539 
    540 err:
    541 	DH_free(dh);
    542 	return NULL;
    543 }
    544 
    545 
    546 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
    547 				  const struct wpabuf *own_private)
    548 {
    549 	BIGNUM *pub_key;
    550 	struct wpabuf *res = NULL;
    551 	size_t rlen;
    552 	DH *dh = ctx;
    553 	int keylen;
    554 
    555 	if (ctx == NULL)
    556 		return NULL;
    557 
    558 	pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
    559 			    NULL);
    560 	if (pub_key == NULL)
    561 		return NULL;
    562 
    563 	rlen = DH_size(dh);
    564 	res = wpabuf_alloc(rlen);
    565 	if (res == NULL)
    566 		goto err;
    567 
    568 	keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
    569 	if (keylen < 0)
    570 		goto err;
    571 	wpabuf_put(res, keylen);
    572 	BN_free(pub_key);
    573 
    574 	return res;
    575 
    576 err:
    577 	BN_free(pub_key);
    578 	wpabuf_free(res);
    579 	return NULL;
    580 }
    581 
    582 
    583 void dh5_free(void *ctx)
    584 {
    585 	DH *dh;
    586 	if (ctx == NULL)
    587 		return;
    588 	dh = ctx;
    589 	DH_free(dh);
    590 }
    591 
    592 
    593 struct crypto_hash {
    594 	HMAC_CTX ctx;
    595 };
    596 
    597 
    598 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
    599 				      size_t key_len)
    600 {
    601 	struct crypto_hash *ctx;
    602 	const EVP_MD *md;
    603 
    604 	switch (alg) {
    605 #ifndef OPENSSL_NO_MD5
    606 	case CRYPTO_HASH_ALG_HMAC_MD5:
    607 		md = EVP_md5();
    608 		break;
    609 #endif /* OPENSSL_NO_MD5 */
    610 #ifndef OPENSSL_NO_SHA
    611 	case CRYPTO_HASH_ALG_HMAC_SHA1:
    612 		md = EVP_sha1();
    613 		break;
    614 #endif /* OPENSSL_NO_SHA */
    615 #ifndef OPENSSL_NO_SHA256
    616 #ifdef CONFIG_SHA256
    617 	case CRYPTO_HASH_ALG_HMAC_SHA256:
    618 		md = EVP_sha256();
    619 		break;
    620 #endif /* CONFIG_SHA256 */
    621 #endif /* OPENSSL_NO_SHA256 */
    622 	default:
    623 		return NULL;
    624 	}
    625 
    626 	ctx = os_zalloc(sizeof(*ctx));
    627 	if (ctx == NULL)
    628 		return NULL;
    629 	HMAC_CTX_init(&ctx->ctx);
    630 
    631 #if OPENSSL_VERSION_NUMBER < 0x00909000
    632 	HMAC_Init_ex(&ctx->ctx, key, key_len, md, NULL);
    633 #else /* openssl < 0.9.9 */
    634 	if (HMAC_Init_ex(&ctx->ctx, key, key_len, md, NULL) != 1) {
    635 		os_free(ctx);
    636 		return NULL;
    637 	}
    638 #endif /* openssl < 0.9.9 */
    639 
    640 	return ctx;
    641 }
    642 
    643 
    644 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
    645 {
    646 	if (ctx == NULL)
    647 		return;
    648 	HMAC_Update(&ctx->ctx, data, len);
    649 }
    650 
    651 
    652 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
    653 {
    654 	unsigned int mdlen;
    655 	int res;
    656 
    657 	if (ctx == NULL)
    658 		return -2;
    659 
    660 	if (mac == NULL || len == NULL) {
    661 		os_free(ctx);
    662 		return 0;
    663 	}
    664 
    665 	mdlen = *len;
    666 #if OPENSSL_VERSION_NUMBER < 0x00909000
    667 	HMAC_Final(&ctx->ctx, mac, &mdlen);
    668 	res = 1;
    669 #else /* openssl < 0.9.9 */
    670 	res = HMAC_Final(&ctx->ctx, mac, &mdlen);
    671 #endif /* openssl < 0.9.9 */
    672 	HMAC_CTX_cleanup(&ctx->ctx);
    673 	os_free(ctx);
    674 
    675 	if (res == 1) {
    676 		*len = mdlen;
    677 		return 0;
    678 	}
    679 
    680 	return -1;
    681 }
    682 
    683 
    684 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
    685 		int iterations, u8 *buf, size_t buflen)
    686 {
    687 #if OPENSSL_VERSION_NUMBER < 0x00908000
    688 	if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase),
    689 				   (unsigned char *) ssid,
    690 				   ssid_len, 4096, buflen, buf) != 1)
    691 		return -1;
    692 #else /* openssl < 0.9.8 */
    693 	if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
    694 				   ssid_len, 4096, buflen, buf) != 1)
    695 		return -1;
    696 #endif /* openssl < 0.9.8 */
    697 	return 0;
    698 }
    699 
    700 
    701 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
    702 		     const u8 *addr[], const size_t *len, u8 *mac)
    703 {
    704 	HMAC_CTX ctx;
    705 	size_t i;
    706 	unsigned int mdlen;
    707 	int res;
    708 
    709 	HMAC_CTX_init(&ctx);
    710 #if OPENSSL_VERSION_NUMBER < 0x00909000
    711 	HMAC_Init_ex(&ctx, key, key_len, EVP_sha1(), NULL);
    712 #else /* openssl < 0.9.9 */
    713 	if (HMAC_Init_ex(&ctx, key, key_len, EVP_sha1(), NULL) != 1)
    714 		return -1;
    715 #endif /* openssl < 0.9.9 */
    716 
    717 	for (i = 0; i < num_elem; i++)
    718 		HMAC_Update(&ctx, addr[i], len[i]);
    719 
    720 	mdlen = 20;
    721 #if OPENSSL_VERSION_NUMBER < 0x00909000
    722 	HMAC_Final(&ctx, mac, &mdlen);
    723 	res = 1;
    724 #else /* openssl < 0.9.9 */
    725 	res = HMAC_Final(&ctx, mac, &mdlen);
    726 #endif /* openssl < 0.9.9 */
    727 	HMAC_CTX_cleanup(&ctx);
    728 
    729 	return res == 1 ? 0 : -1;
    730 }
    731 
    732 
    733 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
    734 	       u8 *mac)
    735 {
    736 	return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
    737 }
    738 
    739 
    740 #ifdef CONFIG_SHA256
    741 
    742 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
    743 		       const u8 *addr[], const size_t *len, u8 *mac)
    744 {
    745 	HMAC_CTX ctx;
    746 	size_t i;
    747 	unsigned int mdlen;
    748 	int res;
    749 
    750 	HMAC_CTX_init(&ctx);
    751 #if OPENSSL_VERSION_NUMBER < 0x00909000
    752 	HMAC_Init_ex(&ctx, key, key_len, EVP_sha256(), NULL);
    753 #else /* openssl < 0.9.9 */
    754 	if (HMAC_Init_ex(&ctx, key, key_len, EVP_sha256(), NULL) != 1)
    755 		return -1;
    756 #endif /* openssl < 0.9.9 */
    757 
    758 	for (i = 0; i < num_elem; i++)
    759 		HMAC_Update(&ctx, addr[i], len[i]);
    760 
    761 	mdlen = 32;
    762 #if OPENSSL_VERSION_NUMBER < 0x00909000
    763 	HMAC_Final(&ctx, mac, &mdlen);
    764 	res = 1;
    765 #else /* openssl < 0.9.9 */
    766 	res = HMAC_Final(&ctx, mac, &mdlen);
    767 #endif /* openssl < 0.9.9 */
    768 	HMAC_CTX_cleanup(&ctx);
    769 
    770 	return res == 1 ? 0 : -1;
    771 }
    772 
    773 
    774 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
    775 		size_t data_len, u8 *mac)
    776 {
    777 	return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
    778 }
    779 
    780 #endif /* CONFIG_SHA256 */
    781 
    782 
    783 int crypto_get_random(void *buf, size_t len)
    784 {
    785 	if (RAND_bytes(buf, len) != 1)
    786 		return -1;
    787 	return 0;
    788 }
    789 
    790 
    791 #ifdef CONFIG_OPENSSL_CMAC
    792 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
    793 			 const u8 *addr[], const size_t *len, u8 *mac)
    794 {
    795 	CMAC_CTX *ctx;
    796 	int ret = -1;
    797 	size_t outlen, i;
    798 
    799 	ctx = CMAC_CTX_new();
    800 	if (ctx == NULL)
    801 		return -1;
    802 
    803 	if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
    804 		goto fail;
    805 	for (i = 0; i < num_elem; i++) {
    806 		if (!CMAC_Update(ctx, addr[i], len[i]))
    807 			goto fail;
    808 	}
    809 	if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
    810 		goto fail;
    811 
    812 	ret = 0;
    813 fail:
    814 	CMAC_CTX_free(ctx);
    815 	return ret;
    816 }
    817 
    818 
    819 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
    820 {
    821 	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
    822 }
    823 #endif /* CONFIG_OPENSSL_CMAC */
    824 
    825 
    826 struct crypto_bignum * crypto_bignum_init(void)
    827 {
    828 	return (struct crypto_bignum *) BN_new();
    829 }
    830 
    831 
    832 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
    833 {
    834 	BIGNUM *bn = BN_bin2bn(buf, len, NULL);
    835 	return (struct crypto_bignum *) bn;
    836 }
    837 
    838 
    839 void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
    840 {
    841 	if (clear)
    842 		BN_clear_free((BIGNUM *) n);
    843 	else
    844 		BN_free((BIGNUM *) n);
    845 }
    846 
    847 
    848 int crypto_bignum_to_bin(const struct crypto_bignum *a,
    849 			 u8 *buf, size_t buflen, size_t padlen)
    850 {
    851 	int num_bytes, offset;
    852 
    853 	if (padlen > buflen)
    854 		return -1;
    855 
    856 	num_bytes = BN_num_bytes((const BIGNUM *) a);
    857 	if ((size_t) num_bytes > buflen)
    858 		return -1;
    859 	if (padlen > (size_t) num_bytes)
    860 		offset = padlen - num_bytes;
    861 	else
    862 		offset = 0;
    863 
    864 	os_memset(buf, 0, offset);
    865 	BN_bn2bin((const BIGNUM *) a, buf + offset);
    866 
    867 	return num_bytes + offset;
    868 }
    869 
    870 
    871 int crypto_bignum_add(const struct crypto_bignum *a,
    872 		      const struct crypto_bignum *b,
    873 		      struct crypto_bignum *c)
    874 {
    875 	return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
    876 		0 : -1;
    877 }
    878 
    879 
    880 int crypto_bignum_mod(const struct crypto_bignum *a,
    881 		      const struct crypto_bignum *b,
    882 		      struct crypto_bignum *c)
    883 {
    884 	int res;
    885 	BN_CTX *bnctx;
    886 
    887 	bnctx = BN_CTX_new();
    888 	if (bnctx == NULL)
    889 		return -1;
    890 	res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
    891 		     bnctx);
    892 	BN_CTX_free(bnctx);
    893 
    894 	return res ? 0 : -1;
    895 }
    896 
    897 
    898 int crypto_bignum_exptmod(const struct crypto_bignum *a,
    899 			  const struct crypto_bignum *b,
    900 			  const struct crypto_bignum *c,
    901 			  struct crypto_bignum *d)
    902 {
    903 	int res;
    904 	BN_CTX *bnctx;
    905 
    906 	bnctx = BN_CTX_new();
    907 	if (bnctx == NULL)
    908 		return -1;
    909 	res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
    910 			 (const BIGNUM *) c, bnctx);
    911 	BN_CTX_free(bnctx);
    912 
    913 	return res ? 0 : -1;
    914 }
    915 
    916 
    917 int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
    918 			 struct crypto_bignum *b)
    919 {
    920 	return BN_rshift((BIGNUM *) b, (const BIGNUM *) a, n) ? 0 : -1;
    921 }
    922 
    923 
    924 int crypto_bignum_inverse(const struct crypto_bignum *a,
    925 			  const struct crypto_bignum *b,
    926 			  struct crypto_bignum *c)
    927 {
    928 	BIGNUM *res;
    929 	BN_CTX *bnctx;
    930 
    931 	bnctx = BN_CTX_new();
    932 	if (bnctx == NULL)
    933 		return -1;
    934 	res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
    935 			     (const BIGNUM *) b, bnctx);
    936 	BN_CTX_free(bnctx);
    937 
    938 	return res ? 0 : -1;
    939 }
    940 
    941 
    942 int crypto_bignum_sub(const struct crypto_bignum *a,
    943 		      const struct crypto_bignum *b,
    944 		      struct crypto_bignum *c)
    945 {
    946 	return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
    947 		0 : -1;
    948 }
    949 
    950 
    951 int crypto_bignum_div(const struct crypto_bignum *a,
    952 		      const struct crypto_bignum *b,
    953 		      struct crypto_bignum *c)
    954 {
    955 	int res;
    956 
    957 	BN_CTX *bnctx;
    958 
    959 	bnctx = BN_CTX_new();
    960 	if (bnctx == NULL)
    961 		return -1;
    962 	res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
    963 		     (const BIGNUM *) b, bnctx);
    964 	BN_CTX_free(bnctx);
    965 
    966 	return res ? 0 : -1;
    967 }
    968 
    969 
    970 int crypto_bignum_mulmod(const struct crypto_bignum *a,
    971 			 const struct crypto_bignum *b,
    972 			 const struct crypto_bignum *c,
    973 			 struct crypto_bignum *d)
    974 {
    975 	int res;
    976 
    977 	BN_CTX *bnctx;
    978 
    979 	bnctx = BN_CTX_new();
    980 	if (bnctx == NULL)
    981 		return -1;
    982 	res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
    983 			 (const BIGNUM *) c, bnctx);
    984 	BN_CTX_free(bnctx);
    985 
    986 	return res ? 0 : -1;
    987 }
    988 
    989 
    990 int crypto_bignum_cmp(const struct crypto_bignum *a,
    991 		      const struct crypto_bignum *b)
    992 {
    993 	return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
    994 }
    995 
    996 
    997 int crypto_bignum_bits(const struct crypto_bignum *a)
    998 {
    999 	return BN_num_bits((const BIGNUM *) a);
   1000 }
   1001 
   1002 
   1003 int crypto_bignum_is_zero(const struct crypto_bignum *a)
   1004 {
   1005 	return BN_is_zero((const BIGNUM *) a);
   1006 }
   1007 
   1008 
   1009 int crypto_bignum_is_one(const struct crypto_bignum *a)
   1010 {
   1011 	return BN_is_one((const BIGNUM *) a);
   1012 }
   1013 
   1014 
   1015 #ifdef CONFIG_ECC
   1016 
   1017 struct crypto_ec {
   1018 	EC_GROUP *group;
   1019 	BN_CTX *bnctx;
   1020 	BIGNUM *prime;
   1021 	BIGNUM *order;
   1022 };
   1023 
   1024 struct crypto_ec * crypto_ec_init(int group)
   1025 {
   1026 	struct crypto_ec *e;
   1027 	int nid;
   1028 
   1029 	/* Map from IANA registry for IKE D-H groups to OpenSSL NID */
   1030 	switch (group) {
   1031 	case 19:
   1032 		nid = NID_X9_62_prime256v1;
   1033 		break;
   1034 	case 20:
   1035 		nid = NID_secp384r1;
   1036 		break;
   1037 	case 21:
   1038 		nid = NID_secp521r1;
   1039 		break;
   1040 	case 25:
   1041 		nid = NID_X9_62_prime192v1;
   1042 		break;
   1043 	case 26:
   1044 		nid = NID_secp224r1;
   1045 		break;
   1046 	default:
   1047 		return NULL;
   1048 	}
   1049 
   1050 	e = os_zalloc(sizeof(*e));
   1051 	if (e == NULL)
   1052 		return NULL;
   1053 
   1054 	e->bnctx = BN_CTX_new();
   1055 	e->group = EC_GROUP_new_by_curve_name(nid);
   1056 	e->prime = BN_new();
   1057 	e->order = BN_new();
   1058 	if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
   1059 	    e->order == NULL ||
   1060 	    !EC_GROUP_get_curve_GFp(e->group, e->prime, NULL, NULL, e->bnctx) ||
   1061 	    !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
   1062 		crypto_ec_deinit(e);
   1063 		e = NULL;
   1064 	}
   1065 
   1066 	return e;
   1067 }
   1068 
   1069 
   1070 void crypto_ec_deinit(struct crypto_ec *e)
   1071 {
   1072 	if (e == NULL)
   1073 		return;
   1074 	BN_free(e->order);
   1075 	EC_GROUP_free(e->group);
   1076 	BN_CTX_free(e->bnctx);
   1077 	os_free(e);
   1078 }
   1079 
   1080 
   1081 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
   1082 {
   1083 	if (e == NULL)
   1084 		return NULL;
   1085 	return (struct crypto_ec_point *) EC_POINT_new(e->group);
   1086 }
   1087 
   1088 
   1089 size_t crypto_ec_prime_len(struct crypto_ec *e)
   1090 {
   1091 	return BN_num_bytes(e->prime);
   1092 }
   1093 
   1094 
   1095 size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
   1096 {
   1097 	return BN_num_bits(e->prime);
   1098 }
   1099 
   1100 
   1101 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
   1102 {
   1103 	return (const struct crypto_bignum *) e->prime;
   1104 }
   1105 
   1106 
   1107 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
   1108 {
   1109 	return (const struct crypto_bignum *) e->order;
   1110 }
   1111 
   1112 
   1113 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
   1114 {
   1115 	if (clear)
   1116 		EC_POINT_clear_free((EC_POINT *) p);
   1117 	else
   1118 		EC_POINT_free((EC_POINT *) p);
   1119 }
   1120 
   1121 
   1122 int crypto_ec_point_to_bin(struct crypto_ec *e,
   1123 			   const struct crypto_ec_point *point, u8 *x, u8 *y)
   1124 {
   1125 	BIGNUM *x_bn, *y_bn;
   1126 	int ret = -1;
   1127 	int len = BN_num_bytes(e->prime);
   1128 
   1129 	x_bn = BN_new();
   1130 	y_bn = BN_new();
   1131 
   1132 	if (x_bn && y_bn &&
   1133 	    EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point,
   1134 						x_bn, y_bn, e->bnctx)) {
   1135 		if (x) {
   1136 			crypto_bignum_to_bin((struct crypto_bignum *) x_bn,
   1137 					     x, len, len);
   1138 		}
   1139 		if (y) {
   1140 			crypto_bignum_to_bin((struct crypto_bignum *) y_bn,
   1141 					     y, len, len);
   1142 		}
   1143 		ret = 0;
   1144 	}
   1145 
   1146 	BN_free(x_bn);
   1147 	BN_free(y_bn);
   1148 	return ret;
   1149 }
   1150 
   1151 
   1152 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
   1153 						  const u8 *val)
   1154 {
   1155 	BIGNUM *x, *y;
   1156 	EC_POINT *elem;
   1157 	int len = BN_num_bytes(e->prime);
   1158 
   1159 	x = BN_bin2bn(val, len, NULL);
   1160 	y = BN_bin2bn(val + len, len, NULL);
   1161 	elem = EC_POINT_new(e->group);
   1162 	if (x == NULL || y == NULL || elem == NULL) {
   1163 		BN_free(x);
   1164 		BN_free(y);
   1165 		EC_POINT_free(elem);
   1166 		return NULL;
   1167 	}
   1168 
   1169 	if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y,
   1170 						 e->bnctx)) {
   1171 		EC_POINT_free(elem);
   1172 		elem = NULL;
   1173 	}
   1174 
   1175 	BN_free(x);
   1176 	BN_free(y);
   1177 
   1178 	return (struct crypto_ec_point *) elem;
   1179 }
   1180 
   1181 
   1182 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
   1183 			const struct crypto_ec_point *b,
   1184 			struct crypto_ec_point *c)
   1185 {
   1186 	return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
   1187 			    (const EC_POINT *) b, e->bnctx) ? 0 : -1;
   1188 }
   1189 
   1190 
   1191 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
   1192 			const struct crypto_bignum *b,
   1193 			struct crypto_ec_point *res)
   1194 {
   1195 	return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
   1196 			    (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
   1197 		? 0 : -1;
   1198 }
   1199 
   1200 
   1201 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
   1202 {
   1203 	return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
   1204 }
   1205 
   1206 
   1207 int crypto_ec_point_solve_y_coord(struct crypto_ec *e,
   1208 				  struct crypto_ec_point *p,
   1209 				  const struct crypto_bignum *x, int y_bit)
   1210 {
   1211 	if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p,
   1212 						     (const BIGNUM *) x, y_bit,
   1213 						     e->bnctx) ||
   1214 	    !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx))
   1215 		return -1;
   1216 	return 0;
   1217 }
   1218 
   1219 
   1220 int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
   1221 				   const struct crypto_ec_point *p)
   1222 {
   1223 	return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
   1224 }
   1225 
   1226 
   1227 int crypto_ec_point_is_on_curve(struct crypto_ec *e,
   1228 				const struct crypto_ec_point *p)
   1229 {
   1230 	return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p, e->bnctx);
   1231 }
   1232 
   1233 #endif /* CONFIG_ECC */
   1234