1 /* 2 * Wrapper functions for OpenSSL libcrypto 3 * Copyright (c) 2004-2013, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <openssl/opensslv.h> 11 #include <openssl/err.h> 12 #include <openssl/des.h> 13 #include <openssl/aes.h> 14 #include <openssl/bn.h> 15 #include <openssl/evp.h> 16 #include <openssl/dh.h> 17 #include <openssl/hmac.h> 18 #include <openssl/rand.h> 19 #ifdef CONFIG_OPENSSL_CMAC 20 #include <openssl/cmac.h> 21 #endif /* CONFIG_OPENSSL_CMAC */ 22 #ifdef CONFIG_ECC 23 #include <openssl/ec.h> 24 #endif /* CONFIG_ECC */ 25 26 #include "common.h" 27 #include "wpabuf.h" 28 #include "dh_group5.h" 29 #include "sha1.h" 30 #include "sha256.h" 31 #include "crypto.h" 32 33 #if OPENSSL_VERSION_NUMBER < 0x00907000 34 #define DES_key_schedule des_key_schedule 35 #define DES_cblock des_cblock 36 #define DES_set_key(key, schedule) des_set_key((key), *(schedule)) 37 #define DES_ecb_encrypt(input, output, ks, enc) \ 38 des_ecb_encrypt((input), (output), *(ks), (enc)) 39 #endif /* openssl < 0.9.7 */ 40 41 static BIGNUM * get_group5_prime(void) 42 { 43 #if OPENSSL_VERSION_NUMBER < 0x00908000 || defined(OPENSSL_IS_BORINGSSL) 44 static const unsigned char RFC3526_PRIME_1536[] = { 45 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, 46 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, 47 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, 48 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, 49 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, 50 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, 51 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, 52 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, 53 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, 54 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, 55 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, 56 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, 57 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, 58 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, 59 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, 60 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 61 }; 62 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL); 63 #else /* openssl < 0.9.8 */ 64 return get_rfc3526_prime_1536(NULL); 65 #endif /* openssl < 0.9.8 */ 66 } 67 68 #if OPENSSL_VERSION_NUMBER < 0x00908000 69 #ifndef OPENSSL_NO_SHA256 70 #ifndef OPENSSL_FIPS 71 #define NO_SHA256_WRAPPER 72 #endif 73 #endif 74 75 #endif /* openssl < 0.9.8 */ 76 77 #ifdef OPENSSL_NO_SHA256 78 #define NO_SHA256_WRAPPER 79 #endif 80 81 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem, 82 const u8 *addr[], const size_t *len, u8 *mac) 83 { 84 EVP_MD_CTX ctx; 85 size_t i; 86 unsigned int mac_len; 87 88 EVP_MD_CTX_init(&ctx); 89 if (!EVP_DigestInit_ex(&ctx, type, NULL)) { 90 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s", 91 ERR_error_string(ERR_get_error(), NULL)); 92 return -1; 93 } 94 for (i = 0; i < num_elem; i++) { 95 if (!EVP_DigestUpdate(&ctx, addr[i], len[i])) { 96 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate " 97 "failed: %s", 98 ERR_error_string(ERR_get_error(), NULL)); 99 return -1; 100 } 101 } 102 if (!EVP_DigestFinal(&ctx, mac, &mac_len)) { 103 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s", 104 ERR_error_string(ERR_get_error(), NULL)); 105 return -1; 106 } 107 108 return 0; 109 } 110 111 112 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 113 { 114 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac); 115 } 116 117 118 void des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) 119 { 120 u8 pkey[8], next, tmp; 121 int i; 122 DES_key_schedule ks; 123 124 /* Add parity bits to the key */ 125 next = 0; 126 for (i = 0; i < 7; i++) { 127 tmp = key[i]; 128 pkey[i] = (tmp >> i) | next | 1; 129 next = tmp << (7 - i); 130 } 131 pkey[i] = next | 1; 132 133 DES_set_key((DES_cblock *) &pkey, &ks); 134 DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks, 135 DES_ENCRYPT); 136 } 137 138 139 int rc4_skip(const u8 *key, size_t keylen, size_t skip, 140 u8 *data, size_t data_len) 141 { 142 #ifdef OPENSSL_NO_RC4 143 return -1; 144 #else /* OPENSSL_NO_RC4 */ 145 EVP_CIPHER_CTX ctx; 146 int outl; 147 int res = -1; 148 unsigned char skip_buf[16]; 149 150 EVP_CIPHER_CTX_init(&ctx); 151 if (!EVP_CIPHER_CTX_set_padding(&ctx, 0) || 152 !EVP_CipherInit_ex(&ctx, EVP_rc4(), NULL, NULL, NULL, 1) || 153 !EVP_CIPHER_CTX_set_key_length(&ctx, keylen) || 154 !EVP_CipherInit_ex(&ctx, NULL, NULL, key, NULL, 1)) 155 goto out; 156 157 while (skip >= sizeof(skip_buf)) { 158 size_t len = skip; 159 if (len > sizeof(skip_buf)) 160 len = sizeof(skip_buf); 161 if (!EVP_CipherUpdate(&ctx, skip_buf, &outl, skip_buf, len)) 162 goto out; 163 skip -= len; 164 } 165 166 if (EVP_CipherUpdate(&ctx, data, &outl, data, data_len)) 167 res = 0; 168 169 out: 170 EVP_CIPHER_CTX_cleanup(&ctx); 171 return res; 172 #endif /* OPENSSL_NO_RC4 */ 173 } 174 175 176 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 177 { 178 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac); 179 } 180 181 182 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 183 { 184 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac); 185 } 186 187 188 #ifndef NO_SHA256_WRAPPER 189 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, 190 u8 *mac) 191 { 192 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac); 193 } 194 #endif /* NO_SHA256_WRAPPER */ 195 196 197 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen) 198 { 199 switch (keylen) { 200 case 16: 201 return EVP_aes_128_ecb(); 202 #ifndef OPENSSL_IS_BORINGSSL 203 case 24: 204 return EVP_aes_192_ecb(); 205 #endif /* OPENSSL_IS_BORINGSSL */ 206 case 32: 207 return EVP_aes_256_ecb(); 208 } 209 210 return NULL; 211 } 212 213 214 void * aes_encrypt_init(const u8 *key, size_t len) 215 { 216 EVP_CIPHER_CTX *ctx; 217 const EVP_CIPHER *type; 218 219 type = aes_get_evp_cipher(len); 220 if (type == NULL) 221 return NULL; 222 223 ctx = os_malloc(sizeof(*ctx)); 224 if (ctx == NULL) 225 return NULL; 226 EVP_CIPHER_CTX_init(ctx); 227 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 228 os_free(ctx); 229 return NULL; 230 } 231 EVP_CIPHER_CTX_set_padding(ctx, 0); 232 return ctx; 233 } 234 235 236 void aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) 237 { 238 EVP_CIPHER_CTX *c = ctx; 239 int clen = 16; 240 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) { 241 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s", 242 ERR_error_string(ERR_get_error(), NULL)); 243 } 244 } 245 246 247 void aes_encrypt_deinit(void *ctx) 248 { 249 EVP_CIPHER_CTX *c = ctx; 250 u8 buf[16]; 251 int len = sizeof(buf); 252 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) { 253 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: " 254 "%s", ERR_error_string(ERR_get_error(), NULL)); 255 } 256 if (len != 0) { 257 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 258 "in AES encrypt", len); 259 } 260 EVP_CIPHER_CTX_cleanup(c); 261 os_free(c); 262 } 263 264 265 void * aes_decrypt_init(const u8 *key, size_t len) 266 { 267 EVP_CIPHER_CTX *ctx; 268 const EVP_CIPHER *type; 269 270 type = aes_get_evp_cipher(len); 271 if (type == NULL) 272 return NULL; 273 274 ctx = os_malloc(sizeof(*ctx)); 275 if (ctx == NULL) 276 return NULL; 277 EVP_CIPHER_CTX_init(ctx); 278 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 279 os_free(ctx); 280 return NULL; 281 } 282 EVP_CIPHER_CTX_set_padding(ctx, 0); 283 return ctx; 284 } 285 286 287 void aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) 288 { 289 EVP_CIPHER_CTX *c = ctx; 290 int plen = 16; 291 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) { 292 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s", 293 ERR_error_string(ERR_get_error(), NULL)); 294 } 295 } 296 297 298 void aes_decrypt_deinit(void *ctx) 299 { 300 EVP_CIPHER_CTX *c = ctx; 301 u8 buf[16]; 302 int len = sizeof(buf); 303 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) { 304 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: " 305 "%s", ERR_error_string(ERR_get_error(), NULL)); 306 } 307 if (len != 0) { 308 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 309 "in AES decrypt", len); 310 } 311 EVP_CIPHER_CTX_cleanup(c); 312 os_free(ctx); 313 } 314 315 316 int crypto_mod_exp(const u8 *base, size_t base_len, 317 const u8 *power, size_t power_len, 318 const u8 *modulus, size_t modulus_len, 319 u8 *result, size_t *result_len) 320 { 321 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result; 322 int ret = -1; 323 BN_CTX *ctx; 324 325 ctx = BN_CTX_new(); 326 if (ctx == NULL) 327 return -1; 328 329 bn_base = BN_bin2bn(base, base_len, NULL); 330 bn_exp = BN_bin2bn(power, power_len, NULL); 331 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL); 332 bn_result = BN_new(); 333 334 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL || 335 bn_result == NULL) 336 goto error; 337 338 if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1) 339 goto error; 340 341 *result_len = BN_bn2bin(bn_result, result); 342 ret = 0; 343 344 error: 345 BN_clear_free(bn_base); 346 BN_clear_free(bn_exp); 347 BN_clear_free(bn_modulus); 348 BN_clear_free(bn_result); 349 BN_CTX_free(ctx); 350 return ret; 351 } 352 353 354 struct crypto_cipher { 355 EVP_CIPHER_CTX enc; 356 EVP_CIPHER_CTX dec; 357 }; 358 359 360 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, 361 const u8 *iv, const u8 *key, 362 size_t key_len) 363 { 364 struct crypto_cipher *ctx; 365 const EVP_CIPHER *cipher; 366 367 ctx = os_zalloc(sizeof(*ctx)); 368 if (ctx == NULL) 369 return NULL; 370 371 switch (alg) { 372 #ifndef OPENSSL_NO_RC4 373 case CRYPTO_CIPHER_ALG_RC4: 374 cipher = EVP_rc4(); 375 break; 376 #endif /* OPENSSL_NO_RC4 */ 377 #ifndef OPENSSL_NO_AES 378 case CRYPTO_CIPHER_ALG_AES: 379 switch (key_len) { 380 case 16: 381 cipher = EVP_aes_128_cbc(); 382 break; 383 #ifndef OPENSSL_IS_BORINGSSL 384 case 24: 385 cipher = EVP_aes_192_cbc(); 386 break; 387 #endif /* OPENSSL_IS_BORINGSSL */ 388 case 32: 389 cipher = EVP_aes_256_cbc(); 390 break; 391 default: 392 os_free(ctx); 393 return NULL; 394 } 395 break; 396 #endif /* OPENSSL_NO_AES */ 397 #ifndef OPENSSL_NO_DES 398 case CRYPTO_CIPHER_ALG_3DES: 399 cipher = EVP_des_ede3_cbc(); 400 break; 401 case CRYPTO_CIPHER_ALG_DES: 402 cipher = EVP_des_cbc(); 403 break; 404 #endif /* OPENSSL_NO_DES */ 405 #ifndef OPENSSL_NO_RC2 406 case CRYPTO_CIPHER_ALG_RC2: 407 cipher = EVP_rc2_ecb(); 408 break; 409 #endif /* OPENSSL_NO_RC2 */ 410 default: 411 os_free(ctx); 412 return NULL; 413 } 414 415 EVP_CIPHER_CTX_init(&ctx->enc); 416 EVP_CIPHER_CTX_set_padding(&ctx->enc, 0); 417 if (!EVP_EncryptInit_ex(&ctx->enc, cipher, NULL, NULL, NULL) || 418 !EVP_CIPHER_CTX_set_key_length(&ctx->enc, key_len) || 419 !EVP_EncryptInit_ex(&ctx->enc, NULL, NULL, key, iv)) { 420 EVP_CIPHER_CTX_cleanup(&ctx->enc); 421 os_free(ctx); 422 return NULL; 423 } 424 425 EVP_CIPHER_CTX_init(&ctx->dec); 426 EVP_CIPHER_CTX_set_padding(&ctx->dec, 0); 427 if (!EVP_DecryptInit_ex(&ctx->dec, cipher, NULL, NULL, NULL) || 428 !EVP_CIPHER_CTX_set_key_length(&ctx->dec, key_len) || 429 !EVP_DecryptInit_ex(&ctx->dec, NULL, NULL, key, iv)) { 430 EVP_CIPHER_CTX_cleanup(&ctx->enc); 431 EVP_CIPHER_CTX_cleanup(&ctx->dec); 432 os_free(ctx); 433 return NULL; 434 } 435 436 return ctx; 437 } 438 439 440 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain, 441 u8 *crypt, size_t len) 442 { 443 int outl; 444 if (!EVP_EncryptUpdate(&ctx->enc, crypt, &outl, plain, len)) 445 return -1; 446 return 0; 447 } 448 449 450 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt, 451 u8 *plain, size_t len) 452 { 453 int outl; 454 outl = len; 455 if (!EVP_DecryptUpdate(&ctx->dec, plain, &outl, crypt, len)) 456 return -1; 457 return 0; 458 } 459 460 461 void crypto_cipher_deinit(struct crypto_cipher *ctx) 462 { 463 EVP_CIPHER_CTX_cleanup(&ctx->enc); 464 EVP_CIPHER_CTX_cleanup(&ctx->dec); 465 os_free(ctx); 466 } 467 468 469 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) 470 { 471 DH *dh; 472 struct wpabuf *pubkey = NULL, *privkey = NULL; 473 size_t publen, privlen; 474 475 *priv = NULL; 476 *publ = NULL; 477 478 dh = DH_new(); 479 if (dh == NULL) 480 return NULL; 481 482 dh->g = BN_new(); 483 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 484 goto err; 485 486 dh->p = get_group5_prime(); 487 if (dh->p == NULL) 488 goto err; 489 490 if (DH_generate_key(dh) != 1) 491 goto err; 492 493 publen = BN_num_bytes(dh->pub_key); 494 pubkey = wpabuf_alloc(publen); 495 if (pubkey == NULL) 496 goto err; 497 privlen = BN_num_bytes(dh->priv_key); 498 privkey = wpabuf_alloc(privlen); 499 if (privkey == NULL) 500 goto err; 501 502 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen)); 503 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen)); 504 505 *priv = privkey; 506 *publ = pubkey; 507 return dh; 508 509 err: 510 wpabuf_free(pubkey); 511 wpabuf_free(privkey); 512 DH_free(dh); 513 return NULL; 514 } 515 516 517 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) 518 { 519 DH *dh; 520 521 dh = DH_new(); 522 if (dh == NULL) 523 return NULL; 524 525 dh->g = BN_new(); 526 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 527 goto err; 528 529 dh->p = get_group5_prime(); 530 if (dh->p == NULL) 531 goto err; 532 533 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL); 534 if (dh->priv_key == NULL) 535 goto err; 536 537 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL); 538 if (dh->pub_key == NULL) 539 goto err; 540 541 if (DH_generate_key(dh) != 1) 542 goto err; 543 544 return dh; 545 546 err: 547 DH_free(dh); 548 return NULL; 549 } 550 551 552 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public, 553 const struct wpabuf *own_private) 554 { 555 BIGNUM *pub_key; 556 struct wpabuf *res = NULL; 557 size_t rlen; 558 DH *dh = ctx; 559 int keylen; 560 561 if (ctx == NULL) 562 return NULL; 563 564 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public), 565 NULL); 566 if (pub_key == NULL) 567 return NULL; 568 569 rlen = DH_size(dh); 570 res = wpabuf_alloc(rlen); 571 if (res == NULL) 572 goto err; 573 574 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh); 575 if (keylen < 0) 576 goto err; 577 wpabuf_put(res, keylen); 578 BN_clear_free(pub_key); 579 580 return res; 581 582 err: 583 BN_clear_free(pub_key); 584 wpabuf_free(res); 585 return NULL; 586 } 587 588 589 void dh5_free(void *ctx) 590 { 591 DH *dh; 592 if (ctx == NULL) 593 return; 594 dh = ctx; 595 DH_free(dh); 596 } 597 598 599 struct crypto_hash { 600 HMAC_CTX ctx; 601 }; 602 603 604 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key, 605 size_t key_len) 606 { 607 struct crypto_hash *ctx; 608 const EVP_MD *md; 609 610 switch (alg) { 611 #ifndef OPENSSL_NO_MD5 612 case CRYPTO_HASH_ALG_HMAC_MD5: 613 md = EVP_md5(); 614 break; 615 #endif /* OPENSSL_NO_MD5 */ 616 #ifndef OPENSSL_NO_SHA 617 case CRYPTO_HASH_ALG_HMAC_SHA1: 618 md = EVP_sha1(); 619 break; 620 #endif /* OPENSSL_NO_SHA */ 621 #ifndef OPENSSL_NO_SHA256 622 #ifdef CONFIG_SHA256 623 case CRYPTO_HASH_ALG_HMAC_SHA256: 624 md = EVP_sha256(); 625 break; 626 #endif /* CONFIG_SHA256 */ 627 #endif /* OPENSSL_NO_SHA256 */ 628 default: 629 return NULL; 630 } 631 632 ctx = os_zalloc(sizeof(*ctx)); 633 if (ctx == NULL) 634 return NULL; 635 HMAC_CTX_init(&ctx->ctx); 636 637 #if OPENSSL_VERSION_NUMBER < 0x00909000 638 HMAC_Init_ex(&ctx->ctx, key, key_len, md, NULL); 639 #else /* openssl < 0.9.9 */ 640 if (HMAC_Init_ex(&ctx->ctx, key, key_len, md, NULL) != 1) { 641 os_free(ctx); 642 return NULL; 643 } 644 #endif /* openssl < 0.9.9 */ 645 646 return ctx; 647 } 648 649 650 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len) 651 { 652 if (ctx == NULL) 653 return; 654 HMAC_Update(&ctx->ctx, data, len); 655 } 656 657 658 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len) 659 { 660 unsigned int mdlen; 661 int res; 662 663 if (ctx == NULL) 664 return -2; 665 666 if (mac == NULL || len == NULL) { 667 os_free(ctx); 668 return 0; 669 } 670 671 mdlen = *len; 672 #if OPENSSL_VERSION_NUMBER < 0x00909000 673 HMAC_Final(&ctx->ctx, mac, &mdlen); 674 res = 1; 675 #else /* openssl < 0.9.9 */ 676 res = HMAC_Final(&ctx->ctx, mac, &mdlen); 677 #endif /* openssl < 0.9.9 */ 678 HMAC_CTX_cleanup(&ctx->ctx); 679 os_free(ctx); 680 681 if (res == 1) { 682 *len = mdlen; 683 return 0; 684 } 685 686 return -1; 687 } 688 689 690 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len, 691 int iterations, u8 *buf, size_t buflen) 692 { 693 #if OPENSSL_VERSION_NUMBER < 0x00908000 694 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), 695 (unsigned char *) ssid, 696 ssid_len, 4096, buflen, buf) != 1) 697 return -1; 698 #else /* openssl < 0.9.8 */ 699 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid, 700 ssid_len, 4096, buflen, buf) != 1) 701 return -1; 702 #endif /* openssl < 0.9.8 */ 703 return 0; 704 } 705 706 707 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, 708 const u8 *addr[], const size_t *len, u8 *mac) 709 { 710 HMAC_CTX ctx; 711 size_t i; 712 unsigned int mdlen; 713 int res; 714 715 HMAC_CTX_init(&ctx); 716 #if OPENSSL_VERSION_NUMBER < 0x00909000 717 HMAC_Init_ex(&ctx, key, key_len, EVP_sha1(), NULL); 718 #else /* openssl < 0.9.9 */ 719 if (HMAC_Init_ex(&ctx, key, key_len, EVP_sha1(), NULL) != 1) 720 return -1; 721 #endif /* openssl < 0.9.9 */ 722 723 for (i = 0; i < num_elem; i++) 724 HMAC_Update(&ctx, addr[i], len[i]); 725 726 mdlen = 20; 727 #if OPENSSL_VERSION_NUMBER < 0x00909000 728 HMAC_Final(&ctx, mac, &mdlen); 729 res = 1; 730 #else /* openssl < 0.9.9 */ 731 res = HMAC_Final(&ctx, mac, &mdlen); 732 #endif /* openssl < 0.9.9 */ 733 HMAC_CTX_cleanup(&ctx); 734 735 return res == 1 ? 0 : -1; 736 } 737 738 739 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 740 u8 *mac) 741 { 742 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); 743 } 744 745 746 #ifdef CONFIG_SHA256 747 748 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, 749 const u8 *addr[], const size_t *len, u8 *mac) 750 { 751 HMAC_CTX ctx; 752 size_t i; 753 unsigned int mdlen; 754 int res; 755 756 HMAC_CTX_init(&ctx); 757 #if OPENSSL_VERSION_NUMBER < 0x00909000 758 HMAC_Init_ex(&ctx, key, key_len, EVP_sha256(), NULL); 759 #else /* openssl < 0.9.9 */ 760 if (HMAC_Init_ex(&ctx, key, key_len, EVP_sha256(), NULL) != 1) 761 return -1; 762 #endif /* openssl < 0.9.9 */ 763 764 for (i = 0; i < num_elem; i++) 765 HMAC_Update(&ctx, addr[i], len[i]); 766 767 mdlen = 32; 768 #if OPENSSL_VERSION_NUMBER < 0x00909000 769 HMAC_Final(&ctx, mac, &mdlen); 770 res = 1; 771 #else /* openssl < 0.9.9 */ 772 res = HMAC_Final(&ctx, mac, &mdlen); 773 #endif /* openssl < 0.9.9 */ 774 HMAC_CTX_cleanup(&ctx); 775 776 return res == 1 ? 0 : -1; 777 } 778 779 780 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 781 size_t data_len, u8 *mac) 782 { 783 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); 784 } 785 786 #endif /* CONFIG_SHA256 */ 787 788 789 int crypto_get_random(void *buf, size_t len) 790 { 791 if (RAND_bytes(buf, len) != 1) 792 return -1; 793 return 0; 794 } 795 796 797 #ifdef CONFIG_OPENSSL_CMAC 798 int omac1_aes_128_vector(const u8 *key, size_t num_elem, 799 const u8 *addr[], const size_t *len, u8 *mac) 800 { 801 CMAC_CTX *ctx; 802 int ret = -1; 803 size_t outlen, i; 804 805 ctx = CMAC_CTX_new(); 806 if (ctx == NULL) 807 return -1; 808 809 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL)) 810 goto fail; 811 for (i = 0; i < num_elem; i++) { 812 if (!CMAC_Update(ctx, addr[i], len[i])) 813 goto fail; 814 } 815 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16) 816 goto fail; 817 818 ret = 0; 819 fail: 820 CMAC_CTX_free(ctx); 821 return ret; 822 } 823 824 825 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 826 { 827 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 828 } 829 #endif /* CONFIG_OPENSSL_CMAC */ 830 831 832 struct crypto_bignum * crypto_bignum_init(void) 833 { 834 return (struct crypto_bignum *) BN_new(); 835 } 836 837 838 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) 839 { 840 BIGNUM *bn = BN_bin2bn(buf, len, NULL); 841 return (struct crypto_bignum *) bn; 842 } 843 844 845 void crypto_bignum_deinit(struct crypto_bignum *n, int clear) 846 { 847 if (clear) 848 BN_clear_free((BIGNUM *) n); 849 else 850 BN_free((BIGNUM *) n); 851 } 852 853 854 int crypto_bignum_to_bin(const struct crypto_bignum *a, 855 u8 *buf, size_t buflen, size_t padlen) 856 { 857 int num_bytes, offset; 858 859 if (padlen > buflen) 860 return -1; 861 862 num_bytes = BN_num_bytes((const BIGNUM *) a); 863 if ((size_t) num_bytes > buflen) 864 return -1; 865 if (padlen > (size_t) num_bytes) 866 offset = padlen - num_bytes; 867 else 868 offset = 0; 869 870 os_memset(buf, 0, offset); 871 BN_bn2bin((const BIGNUM *) a, buf + offset); 872 873 return num_bytes + offset; 874 } 875 876 877 int crypto_bignum_add(const struct crypto_bignum *a, 878 const struct crypto_bignum *b, 879 struct crypto_bignum *c) 880 { 881 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 882 0 : -1; 883 } 884 885 886 int crypto_bignum_mod(const struct crypto_bignum *a, 887 const struct crypto_bignum *b, 888 struct crypto_bignum *c) 889 { 890 int res; 891 BN_CTX *bnctx; 892 893 bnctx = BN_CTX_new(); 894 if (bnctx == NULL) 895 return -1; 896 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, 897 bnctx); 898 BN_CTX_free(bnctx); 899 900 return res ? 0 : -1; 901 } 902 903 904 int crypto_bignum_exptmod(const struct crypto_bignum *a, 905 const struct crypto_bignum *b, 906 const struct crypto_bignum *c, 907 struct crypto_bignum *d) 908 { 909 int res; 910 BN_CTX *bnctx; 911 912 bnctx = BN_CTX_new(); 913 if (bnctx == NULL) 914 return -1; 915 res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 916 (const BIGNUM *) c, bnctx); 917 BN_CTX_free(bnctx); 918 919 return res ? 0 : -1; 920 } 921 922 923 int crypto_bignum_inverse(const struct crypto_bignum *a, 924 const struct crypto_bignum *b, 925 struct crypto_bignum *c) 926 { 927 BIGNUM *res; 928 BN_CTX *bnctx; 929 930 bnctx = BN_CTX_new(); 931 if (bnctx == NULL) 932 return -1; 933 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a, 934 (const BIGNUM *) b, bnctx); 935 BN_CTX_free(bnctx); 936 937 return res ? 0 : -1; 938 } 939 940 941 int crypto_bignum_sub(const struct crypto_bignum *a, 942 const struct crypto_bignum *b, 943 struct crypto_bignum *c) 944 { 945 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 946 0 : -1; 947 } 948 949 950 int crypto_bignum_div(const struct crypto_bignum *a, 951 const struct crypto_bignum *b, 952 struct crypto_bignum *c) 953 { 954 int res; 955 956 BN_CTX *bnctx; 957 958 bnctx = BN_CTX_new(); 959 if (bnctx == NULL) 960 return -1; 961 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a, 962 (const BIGNUM *) b, bnctx); 963 BN_CTX_free(bnctx); 964 965 return res ? 0 : -1; 966 } 967 968 969 int crypto_bignum_mulmod(const struct crypto_bignum *a, 970 const struct crypto_bignum *b, 971 const struct crypto_bignum *c, 972 struct crypto_bignum *d) 973 { 974 int res; 975 976 BN_CTX *bnctx; 977 978 bnctx = BN_CTX_new(); 979 if (bnctx == NULL) 980 return -1; 981 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 982 (const BIGNUM *) c, bnctx); 983 BN_CTX_free(bnctx); 984 985 return res ? 0 : -1; 986 } 987 988 989 int crypto_bignum_cmp(const struct crypto_bignum *a, 990 const struct crypto_bignum *b) 991 { 992 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b); 993 } 994 995 996 int crypto_bignum_bits(const struct crypto_bignum *a) 997 { 998 return BN_num_bits((const BIGNUM *) a); 999 } 1000 1001 1002 int crypto_bignum_is_zero(const struct crypto_bignum *a) 1003 { 1004 return BN_is_zero((const BIGNUM *) a); 1005 } 1006 1007 1008 int crypto_bignum_is_one(const struct crypto_bignum *a) 1009 { 1010 return BN_is_one((const BIGNUM *) a); 1011 } 1012 1013 1014 #ifdef CONFIG_ECC 1015 1016 struct crypto_ec { 1017 EC_GROUP *group; 1018 BN_CTX *bnctx; 1019 BIGNUM *prime; 1020 BIGNUM *order; 1021 }; 1022 1023 struct crypto_ec * crypto_ec_init(int group) 1024 { 1025 struct crypto_ec *e; 1026 int nid; 1027 1028 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */ 1029 switch (group) { 1030 case 19: 1031 nid = NID_X9_62_prime256v1; 1032 break; 1033 case 20: 1034 nid = NID_secp384r1; 1035 break; 1036 case 21: 1037 nid = NID_secp521r1; 1038 break; 1039 case 25: 1040 nid = NID_X9_62_prime192v1; 1041 break; 1042 case 26: 1043 nid = NID_secp224r1; 1044 break; 1045 default: 1046 return NULL; 1047 } 1048 1049 e = os_zalloc(sizeof(*e)); 1050 if (e == NULL) 1051 return NULL; 1052 1053 e->bnctx = BN_CTX_new(); 1054 e->group = EC_GROUP_new_by_curve_name(nid); 1055 e->prime = BN_new(); 1056 e->order = BN_new(); 1057 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL || 1058 e->order == NULL || 1059 !EC_GROUP_get_curve_GFp(e->group, e->prime, NULL, NULL, e->bnctx) || 1060 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) { 1061 crypto_ec_deinit(e); 1062 e = NULL; 1063 } 1064 1065 return e; 1066 } 1067 1068 1069 void crypto_ec_deinit(struct crypto_ec *e) 1070 { 1071 if (e == NULL) 1072 return; 1073 BN_clear_free(e->order); 1074 BN_clear_free(e->prime); 1075 EC_GROUP_free(e->group); 1076 BN_CTX_free(e->bnctx); 1077 os_free(e); 1078 } 1079 1080 1081 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e) 1082 { 1083 if (e == NULL) 1084 return NULL; 1085 return (struct crypto_ec_point *) EC_POINT_new(e->group); 1086 } 1087 1088 1089 size_t crypto_ec_prime_len(struct crypto_ec *e) 1090 { 1091 return BN_num_bytes(e->prime); 1092 } 1093 1094 1095 size_t crypto_ec_prime_len_bits(struct crypto_ec *e) 1096 { 1097 return BN_num_bits(e->prime); 1098 } 1099 1100 1101 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e) 1102 { 1103 return (const struct crypto_bignum *) e->prime; 1104 } 1105 1106 1107 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) 1108 { 1109 return (const struct crypto_bignum *) e->order; 1110 } 1111 1112 1113 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) 1114 { 1115 if (clear) 1116 EC_POINT_clear_free((EC_POINT *) p); 1117 else 1118 EC_POINT_free((EC_POINT *) p); 1119 } 1120 1121 1122 int crypto_ec_point_to_bin(struct crypto_ec *e, 1123 const struct crypto_ec_point *point, u8 *x, u8 *y) 1124 { 1125 BIGNUM *x_bn, *y_bn; 1126 int ret = -1; 1127 int len = BN_num_bytes(e->prime); 1128 1129 x_bn = BN_new(); 1130 y_bn = BN_new(); 1131 1132 if (x_bn && y_bn && 1133 EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point, 1134 x_bn, y_bn, e->bnctx)) { 1135 if (x) { 1136 crypto_bignum_to_bin((struct crypto_bignum *) x_bn, 1137 x, len, len); 1138 } 1139 if (y) { 1140 crypto_bignum_to_bin((struct crypto_bignum *) y_bn, 1141 y, len, len); 1142 } 1143 ret = 0; 1144 } 1145 1146 BN_clear_free(x_bn); 1147 BN_clear_free(y_bn); 1148 return ret; 1149 } 1150 1151 1152 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e, 1153 const u8 *val) 1154 { 1155 BIGNUM *x, *y; 1156 EC_POINT *elem; 1157 int len = BN_num_bytes(e->prime); 1158 1159 x = BN_bin2bn(val, len, NULL); 1160 y = BN_bin2bn(val + len, len, NULL); 1161 elem = EC_POINT_new(e->group); 1162 if (x == NULL || y == NULL || elem == NULL) { 1163 BN_clear_free(x); 1164 BN_clear_free(y); 1165 EC_POINT_clear_free(elem); 1166 return NULL; 1167 } 1168 1169 if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y, 1170 e->bnctx)) { 1171 EC_POINT_clear_free(elem); 1172 elem = NULL; 1173 } 1174 1175 BN_clear_free(x); 1176 BN_clear_free(y); 1177 1178 return (struct crypto_ec_point *) elem; 1179 } 1180 1181 1182 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a, 1183 const struct crypto_ec_point *b, 1184 struct crypto_ec_point *c) 1185 { 1186 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a, 1187 (const EC_POINT *) b, e->bnctx) ? 0 : -1; 1188 } 1189 1190 1191 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p, 1192 const struct crypto_bignum *b, 1193 struct crypto_ec_point *res) 1194 { 1195 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL, 1196 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx) 1197 ? 0 : -1; 1198 } 1199 1200 1201 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p) 1202 { 1203 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1; 1204 } 1205 1206 1207 int crypto_ec_point_solve_y_coord(struct crypto_ec *e, 1208 struct crypto_ec_point *p, 1209 const struct crypto_bignum *x, int y_bit) 1210 { 1211 if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p, 1212 (const BIGNUM *) x, y_bit, 1213 e->bnctx) || 1214 !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx)) 1215 return -1; 1216 return 0; 1217 } 1218 1219 1220 int crypto_ec_point_is_at_infinity(struct crypto_ec *e, 1221 const struct crypto_ec_point *p) 1222 { 1223 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p); 1224 } 1225 1226 1227 int crypto_ec_point_is_on_curve(struct crypto_ec *e, 1228 const struct crypto_ec_point *p) 1229 { 1230 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p, e->bnctx); 1231 } 1232 1233 #endif /* CONFIG_ECC */ 1234
