1 /* 2 * Wrapper functions for OpenSSL libcrypto 3 * Copyright (c) 2004-2015, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <openssl/opensslv.h> 11 #include <openssl/err.h> 12 #include <openssl/des.h> 13 #include <openssl/aes.h> 14 #include <openssl/bn.h> 15 #include <openssl/evp.h> 16 #include <openssl/dh.h> 17 #include <openssl/hmac.h> 18 #include <openssl/rand.h> 19 #ifdef CONFIG_OPENSSL_CMAC 20 #include <openssl/cmac.h> 21 #endif /* CONFIG_OPENSSL_CMAC */ 22 #ifdef CONFIG_ECC 23 #include <openssl/ec.h> 24 #endif /* CONFIG_ECC */ 25 26 #include "common.h" 27 #include "wpabuf.h" 28 #include "dh_group5.h" 29 #include "sha1.h" 30 #include "sha256.h" 31 #include "sha384.h" 32 #include "md5.h" 33 #include "aes_wrap.h" 34 #include "crypto.h" 35 36 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) 37 /* Compatibility wrappers for older versions. */ 38 39 static HMAC_CTX * HMAC_CTX_new(void) 40 { 41 HMAC_CTX *ctx; 42 43 ctx = os_zalloc(sizeof(*ctx)); 44 if (ctx) 45 HMAC_CTX_init(ctx); 46 return ctx; 47 } 48 49 50 static void HMAC_CTX_free(HMAC_CTX *ctx) 51 { 52 if (!ctx) 53 return; 54 HMAC_CTX_cleanup(ctx); 55 bin_clear_free(ctx, sizeof(*ctx)); 56 } 57 58 59 static EVP_MD_CTX * EVP_MD_CTX_new(void) 60 { 61 EVP_MD_CTX *ctx; 62 63 ctx = os_zalloc(sizeof(*ctx)); 64 if (ctx) 65 EVP_MD_CTX_init(ctx); 66 return ctx; 67 } 68 69 70 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) 71 { 72 if (!ctx) 73 return; 74 EVP_MD_CTX_cleanup(ctx); 75 bin_clear_free(ctx, sizeof(*ctx)); 76 } 77 78 #endif /* OpenSSL version < 1.1.0 */ 79 80 static BIGNUM * get_group5_prime(void) 81 { 82 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) 83 return BN_get_rfc3526_prime_1536(NULL); 84 #elif !defined(OPENSSL_IS_BORINGSSL) 85 return get_rfc3526_prime_1536(NULL); 86 #else 87 static const unsigned char RFC3526_PRIME_1536[] = { 88 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, 89 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, 90 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, 91 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, 92 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, 93 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, 94 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, 95 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, 96 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, 97 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, 98 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, 99 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, 100 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, 101 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, 102 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, 103 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 104 }; 105 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL); 106 #endif 107 } 108 109 #ifdef OPENSSL_NO_SHA256 110 #define NO_SHA256_WRAPPER 111 #endif 112 #ifdef OPENSSL_NO_SHA512 113 #define NO_SHA384_WRAPPER 114 #endif 115 116 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem, 117 const u8 *addr[], const size_t *len, u8 *mac) 118 { 119 EVP_MD_CTX *ctx; 120 size_t i; 121 unsigned int mac_len; 122 123 if (TEST_FAIL()) 124 return -1; 125 126 ctx = EVP_MD_CTX_new(); 127 if (!ctx) 128 return -1; 129 if (!EVP_DigestInit_ex(ctx, type, NULL)) { 130 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s", 131 ERR_error_string(ERR_get_error(), NULL)); 132 EVP_MD_CTX_free(ctx); 133 return -1; 134 } 135 for (i = 0; i < num_elem; i++) { 136 if (!EVP_DigestUpdate(ctx, addr[i], len[i])) { 137 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate " 138 "failed: %s", 139 ERR_error_string(ERR_get_error(), NULL)); 140 EVP_MD_CTX_free(ctx); 141 return -1; 142 } 143 } 144 if (!EVP_DigestFinal(ctx, mac, &mac_len)) { 145 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s", 146 ERR_error_string(ERR_get_error(), NULL)); 147 EVP_MD_CTX_free(ctx); 148 return -1; 149 } 150 EVP_MD_CTX_free(ctx); 151 152 return 0; 153 } 154 155 156 #ifndef CONFIG_FIPS 157 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 158 { 159 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac); 160 } 161 #endif /* CONFIG_FIPS */ 162 163 164 void des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) 165 { 166 u8 pkey[8], next, tmp; 167 int i; 168 DES_key_schedule ks; 169 170 /* Add parity bits to the key */ 171 next = 0; 172 for (i = 0; i < 7; i++) { 173 tmp = key[i]; 174 pkey[i] = (tmp >> i) | next | 1; 175 next = tmp << (7 - i); 176 } 177 pkey[i] = next | 1; 178 179 DES_set_key((DES_cblock *) &pkey, &ks); 180 DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks, 181 DES_ENCRYPT); 182 } 183 184 185 #ifndef CONFIG_NO_RC4 186 int rc4_skip(const u8 *key, size_t keylen, size_t skip, 187 u8 *data, size_t data_len) 188 { 189 #ifdef OPENSSL_NO_RC4 190 return -1; 191 #else /* OPENSSL_NO_RC4 */ 192 EVP_CIPHER_CTX *ctx; 193 int outl; 194 int res = -1; 195 unsigned char skip_buf[16]; 196 197 ctx = EVP_CIPHER_CTX_new(); 198 if (!ctx || 199 !EVP_CIPHER_CTX_set_padding(ctx, 0) || 200 !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) || 201 !EVP_CIPHER_CTX_set_key_length(ctx, keylen) || 202 !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1)) 203 goto out; 204 205 while (skip >= sizeof(skip_buf)) { 206 size_t len = skip; 207 if (len > sizeof(skip_buf)) 208 len = sizeof(skip_buf); 209 if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len)) 210 goto out; 211 skip -= len; 212 } 213 214 if (EVP_CipherUpdate(ctx, data, &outl, data, data_len)) 215 res = 0; 216 217 out: 218 if (ctx) 219 EVP_CIPHER_CTX_free(ctx); 220 return res; 221 #endif /* OPENSSL_NO_RC4 */ 222 } 223 #endif /* CONFIG_NO_RC4 */ 224 225 226 #ifndef CONFIG_FIPS 227 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 228 { 229 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac); 230 } 231 #endif /* CONFIG_FIPS */ 232 233 234 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 235 { 236 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac); 237 } 238 239 240 #ifndef NO_SHA256_WRAPPER 241 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, 242 u8 *mac) 243 { 244 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac); 245 } 246 #endif /* NO_SHA256_WRAPPER */ 247 248 #ifndef NO_SHA384_WRAPPER 249 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len, 250 u8 *mac) 251 { 252 return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac); 253 } 254 #endif /* NO_SHA384_WRAPPER */ 255 256 257 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen) 258 { 259 switch (keylen) { 260 case 16: 261 return EVP_aes_128_ecb(); 262 #ifndef OPENSSL_IS_BORINGSSL 263 case 24: 264 return EVP_aes_192_ecb(); 265 #endif /* OPENSSL_IS_BORINGSSL */ 266 case 32: 267 return EVP_aes_256_ecb(); 268 } 269 270 return NULL; 271 } 272 273 274 void * aes_encrypt_init(const u8 *key, size_t len) 275 { 276 EVP_CIPHER_CTX *ctx; 277 const EVP_CIPHER *type; 278 279 if (TEST_FAIL()) 280 return NULL; 281 282 type = aes_get_evp_cipher(len); 283 if (type == NULL) 284 return NULL; 285 286 ctx = EVP_CIPHER_CTX_new(); 287 if (ctx == NULL) 288 return NULL; 289 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 290 os_free(ctx); 291 return NULL; 292 } 293 EVP_CIPHER_CTX_set_padding(ctx, 0); 294 return ctx; 295 } 296 297 298 void aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) 299 { 300 EVP_CIPHER_CTX *c = ctx; 301 int clen = 16; 302 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) { 303 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s", 304 ERR_error_string(ERR_get_error(), NULL)); 305 } 306 } 307 308 309 void aes_encrypt_deinit(void *ctx) 310 { 311 EVP_CIPHER_CTX *c = ctx; 312 u8 buf[16]; 313 int len = sizeof(buf); 314 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) { 315 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: " 316 "%s", ERR_error_string(ERR_get_error(), NULL)); 317 } 318 if (len != 0) { 319 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 320 "in AES encrypt", len); 321 } 322 EVP_CIPHER_CTX_free(c); 323 } 324 325 326 void * aes_decrypt_init(const u8 *key, size_t len) 327 { 328 EVP_CIPHER_CTX *ctx; 329 const EVP_CIPHER *type; 330 331 if (TEST_FAIL()) 332 return NULL; 333 334 type = aes_get_evp_cipher(len); 335 if (type == NULL) 336 return NULL; 337 338 ctx = EVP_CIPHER_CTX_new(); 339 if (ctx == NULL) 340 return NULL; 341 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 342 EVP_CIPHER_CTX_free(ctx); 343 return NULL; 344 } 345 EVP_CIPHER_CTX_set_padding(ctx, 0); 346 return ctx; 347 } 348 349 350 void aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) 351 { 352 EVP_CIPHER_CTX *c = ctx; 353 int plen = 16; 354 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) { 355 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s", 356 ERR_error_string(ERR_get_error(), NULL)); 357 } 358 } 359 360 361 void aes_decrypt_deinit(void *ctx) 362 { 363 EVP_CIPHER_CTX *c = ctx; 364 u8 buf[16]; 365 int len = sizeof(buf); 366 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) { 367 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: " 368 "%s", ERR_error_string(ERR_get_error(), NULL)); 369 } 370 if (len != 0) { 371 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 372 "in AES decrypt", len); 373 } 374 EVP_CIPHER_CTX_free(c); 375 } 376 377 378 #ifndef CONFIG_FIPS 379 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP 380 381 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) 382 { 383 AES_KEY actx; 384 int res; 385 386 if (TEST_FAIL()) 387 return -1; 388 if (AES_set_encrypt_key(kek, kek_len << 3, &actx)) 389 return -1; 390 res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8); 391 OPENSSL_cleanse(&actx, sizeof(actx)); 392 return res <= 0 ? -1 : 0; 393 } 394 395 396 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, 397 u8 *plain) 398 { 399 AES_KEY actx; 400 int res; 401 402 if (TEST_FAIL()) 403 return -1; 404 if (AES_set_decrypt_key(kek, kek_len << 3, &actx)) 405 return -1; 406 res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8); 407 OPENSSL_cleanse(&actx, sizeof(actx)); 408 return res <= 0 ? -1 : 0; 409 } 410 411 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */ 412 #endif /* CONFIG_FIPS */ 413 414 415 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 416 { 417 EVP_CIPHER_CTX *ctx; 418 int clen, len; 419 u8 buf[16]; 420 int res = -1; 421 422 if (TEST_FAIL()) 423 return -1; 424 425 ctx = EVP_CIPHER_CTX_new(); 426 if (!ctx) 427 return -1; 428 clen = data_len; 429 len = sizeof(buf); 430 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 && 431 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && 432 EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 && 433 clen == (int) data_len && 434 EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0) 435 res = 0; 436 EVP_CIPHER_CTX_free(ctx); 437 438 return res; 439 } 440 441 442 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 443 { 444 EVP_CIPHER_CTX *ctx; 445 int plen, len; 446 u8 buf[16]; 447 int res = -1; 448 449 if (TEST_FAIL()) 450 return -1; 451 452 ctx = EVP_CIPHER_CTX_new(); 453 if (!ctx) 454 return -1; 455 plen = data_len; 456 len = sizeof(buf); 457 if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 && 458 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && 459 EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 && 460 plen == (int) data_len && 461 EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0) 462 res = 0; 463 EVP_CIPHER_CTX_free(ctx); 464 465 return res; 466 467 } 468 469 470 int crypto_mod_exp(const u8 *base, size_t base_len, 471 const u8 *power, size_t power_len, 472 const u8 *modulus, size_t modulus_len, 473 u8 *result, size_t *result_len) 474 { 475 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result; 476 int ret = -1; 477 BN_CTX *ctx; 478 479 ctx = BN_CTX_new(); 480 if (ctx == NULL) 481 return -1; 482 483 bn_base = BN_bin2bn(base, base_len, NULL); 484 bn_exp = BN_bin2bn(power, power_len, NULL); 485 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL); 486 bn_result = BN_new(); 487 488 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL || 489 bn_result == NULL) 490 goto error; 491 492 if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1) 493 goto error; 494 495 *result_len = BN_bn2bin(bn_result, result); 496 ret = 0; 497 498 error: 499 BN_clear_free(bn_base); 500 BN_clear_free(bn_exp); 501 BN_clear_free(bn_modulus); 502 BN_clear_free(bn_result); 503 BN_CTX_free(ctx); 504 return ret; 505 } 506 507 508 struct crypto_cipher { 509 EVP_CIPHER_CTX *enc; 510 EVP_CIPHER_CTX *dec; 511 }; 512 513 514 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, 515 const u8 *iv, const u8 *key, 516 size_t key_len) 517 { 518 struct crypto_cipher *ctx; 519 const EVP_CIPHER *cipher; 520 521 ctx = os_zalloc(sizeof(*ctx)); 522 if (ctx == NULL) 523 return NULL; 524 525 switch (alg) { 526 #ifndef CONFIG_NO_RC4 527 #ifndef OPENSSL_NO_RC4 528 case CRYPTO_CIPHER_ALG_RC4: 529 cipher = EVP_rc4(); 530 break; 531 #endif /* OPENSSL_NO_RC4 */ 532 #endif /* CONFIG_NO_RC4 */ 533 #ifndef OPENSSL_NO_AES 534 case CRYPTO_CIPHER_ALG_AES: 535 switch (key_len) { 536 case 16: 537 cipher = EVP_aes_128_cbc(); 538 break; 539 #ifndef OPENSSL_IS_BORINGSSL 540 case 24: 541 cipher = EVP_aes_192_cbc(); 542 break; 543 #endif /* OPENSSL_IS_BORINGSSL */ 544 case 32: 545 cipher = EVP_aes_256_cbc(); 546 break; 547 default: 548 os_free(ctx); 549 return NULL; 550 } 551 break; 552 #endif /* OPENSSL_NO_AES */ 553 #ifndef OPENSSL_NO_DES 554 case CRYPTO_CIPHER_ALG_3DES: 555 cipher = EVP_des_ede3_cbc(); 556 break; 557 case CRYPTO_CIPHER_ALG_DES: 558 cipher = EVP_des_cbc(); 559 break; 560 #endif /* OPENSSL_NO_DES */ 561 #ifndef OPENSSL_NO_RC2 562 case CRYPTO_CIPHER_ALG_RC2: 563 cipher = EVP_rc2_ecb(); 564 break; 565 #endif /* OPENSSL_NO_RC2 */ 566 default: 567 os_free(ctx); 568 return NULL; 569 } 570 571 if (!(ctx->enc = EVP_CIPHER_CTX_new()) || 572 !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) || 573 !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) || 574 !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) || 575 !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) { 576 if (ctx->enc) 577 EVP_CIPHER_CTX_free(ctx->enc); 578 os_free(ctx); 579 return NULL; 580 } 581 582 if (!(ctx->dec = EVP_CIPHER_CTX_new()) || 583 !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) || 584 !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) || 585 !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) || 586 !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) { 587 EVP_CIPHER_CTX_free(ctx->enc); 588 if (ctx->dec) 589 EVP_CIPHER_CTX_free(ctx->dec); 590 os_free(ctx); 591 return NULL; 592 } 593 594 return ctx; 595 } 596 597 598 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain, 599 u8 *crypt, size_t len) 600 { 601 int outl; 602 if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len)) 603 return -1; 604 return 0; 605 } 606 607 608 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt, 609 u8 *plain, size_t len) 610 { 611 int outl; 612 outl = len; 613 if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len)) 614 return -1; 615 return 0; 616 } 617 618 619 void crypto_cipher_deinit(struct crypto_cipher *ctx) 620 { 621 EVP_CIPHER_CTX_free(ctx->enc); 622 EVP_CIPHER_CTX_free(ctx->dec); 623 os_free(ctx); 624 } 625 626 627 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) 628 { 629 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) 630 DH *dh; 631 struct wpabuf *pubkey = NULL, *privkey = NULL; 632 size_t publen, privlen; 633 634 *priv = NULL; 635 wpabuf_free(*publ); 636 *publ = NULL; 637 638 dh = DH_new(); 639 if (dh == NULL) 640 return NULL; 641 642 dh->g = BN_new(); 643 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 644 goto err; 645 646 dh->p = get_group5_prime(); 647 if (dh->p == NULL) 648 goto err; 649 650 if (DH_generate_key(dh) != 1) 651 goto err; 652 653 publen = BN_num_bytes(dh->pub_key); 654 pubkey = wpabuf_alloc(publen); 655 if (pubkey == NULL) 656 goto err; 657 privlen = BN_num_bytes(dh->priv_key); 658 privkey = wpabuf_alloc(privlen); 659 if (privkey == NULL) 660 goto err; 661 662 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen)); 663 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen)); 664 665 *priv = privkey; 666 *publ = pubkey; 667 return dh; 668 669 err: 670 wpabuf_clear_free(pubkey); 671 wpabuf_clear_free(privkey); 672 DH_free(dh); 673 return NULL; 674 #else 675 DH *dh; 676 struct wpabuf *pubkey = NULL, *privkey = NULL; 677 size_t publen, privlen; 678 BIGNUM *p = NULL, *g; 679 const BIGNUM *priv_key = NULL, *pub_key = NULL; 680 681 *priv = NULL; 682 wpabuf_free(*publ); 683 *publ = NULL; 684 685 dh = DH_new(); 686 if (dh == NULL) 687 return NULL; 688 689 g = BN_new(); 690 p = get_group5_prime(); 691 if (!g || BN_set_word(g, 2) != 1 || !p || 692 DH_set0_pqg(dh, p, NULL, g) != 1) 693 goto err; 694 p = NULL; 695 g = NULL; 696 697 if (DH_generate_key(dh) != 1) 698 goto err; 699 700 DH_get0_key(dh, &pub_key, &priv_key); 701 publen = BN_num_bytes(pub_key); 702 pubkey = wpabuf_alloc(publen); 703 if (!pubkey) 704 goto err; 705 privlen = BN_num_bytes(priv_key); 706 privkey = wpabuf_alloc(privlen); 707 if (!privkey) 708 goto err; 709 710 BN_bn2bin(pub_key, wpabuf_put(pubkey, publen)); 711 BN_bn2bin(priv_key, wpabuf_put(privkey, privlen)); 712 713 *priv = privkey; 714 *publ = pubkey; 715 return dh; 716 717 err: 718 BN_free(p); 719 BN_free(g); 720 wpabuf_clear_free(pubkey); 721 wpabuf_clear_free(privkey); 722 DH_free(dh); 723 return NULL; 724 #endif 725 } 726 727 728 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) 729 { 730 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) 731 DH *dh; 732 733 dh = DH_new(); 734 if (dh == NULL) 735 return NULL; 736 737 dh->g = BN_new(); 738 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 739 goto err; 740 741 dh->p = get_group5_prime(); 742 if (dh->p == NULL) 743 goto err; 744 745 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL); 746 if (dh->priv_key == NULL) 747 goto err; 748 749 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL); 750 if (dh->pub_key == NULL) 751 goto err; 752 753 if (DH_generate_key(dh) != 1) 754 goto err; 755 756 return dh; 757 758 err: 759 DH_free(dh); 760 return NULL; 761 #else 762 DH *dh; 763 BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL; 764 765 dh = DH_new(); 766 if (dh == NULL) 767 return NULL; 768 769 g = BN_new(); 770 p = get_group5_prime(); 771 if (!g || BN_set_word(g, 2) != 1 || !p || 772 DH_set0_pqg(dh, p, NULL, g) != 1) 773 goto err; 774 p = NULL; 775 g = NULL; 776 777 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL); 778 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL); 779 if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1) 780 goto err; 781 pub_key = NULL; 782 priv_key = NULL; 783 784 if (DH_generate_key(dh) != 1) 785 goto err; 786 787 return dh; 788 789 err: 790 BN_free(p); 791 BN_free(g); 792 BN_free(pub_key); 793 BN_clear_free(priv_key); 794 DH_free(dh); 795 return NULL; 796 #endif 797 } 798 799 800 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public, 801 const struct wpabuf *own_private) 802 { 803 BIGNUM *pub_key; 804 struct wpabuf *res = NULL; 805 size_t rlen; 806 DH *dh = ctx; 807 int keylen; 808 809 if (ctx == NULL) 810 return NULL; 811 812 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public), 813 NULL); 814 if (pub_key == NULL) 815 return NULL; 816 817 rlen = DH_size(dh); 818 res = wpabuf_alloc(rlen); 819 if (res == NULL) 820 goto err; 821 822 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh); 823 if (keylen < 0) 824 goto err; 825 wpabuf_put(res, keylen); 826 BN_clear_free(pub_key); 827 828 return res; 829 830 err: 831 BN_clear_free(pub_key); 832 wpabuf_clear_free(res); 833 return NULL; 834 } 835 836 837 void dh5_free(void *ctx) 838 { 839 DH *dh; 840 if (ctx == NULL) 841 return; 842 dh = ctx; 843 DH_free(dh); 844 } 845 846 847 struct crypto_hash { 848 HMAC_CTX *ctx; 849 }; 850 851 852 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key, 853 size_t key_len) 854 { 855 struct crypto_hash *ctx; 856 const EVP_MD *md; 857 858 switch (alg) { 859 #ifndef OPENSSL_NO_MD5 860 case CRYPTO_HASH_ALG_HMAC_MD5: 861 md = EVP_md5(); 862 break; 863 #endif /* OPENSSL_NO_MD5 */ 864 #ifndef OPENSSL_NO_SHA 865 case CRYPTO_HASH_ALG_HMAC_SHA1: 866 md = EVP_sha1(); 867 break; 868 #endif /* OPENSSL_NO_SHA */ 869 #ifndef OPENSSL_NO_SHA256 870 #ifdef CONFIG_SHA256 871 case CRYPTO_HASH_ALG_HMAC_SHA256: 872 md = EVP_sha256(); 873 break; 874 #endif /* CONFIG_SHA256 */ 875 #endif /* OPENSSL_NO_SHA256 */ 876 default: 877 return NULL; 878 } 879 880 ctx = os_zalloc(sizeof(*ctx)); 881 if (ctx == NULL) 882 return NULL; 883 ctx->ctx = HMAC_CTX_new(); 884 if (!ctx->ctx) { 885 os_free(ctx); 886 return NULL; 887 } 888 889 if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) { 890 HMAC_CTX_free(ctx->ctx); 891 bin_clear_free(ctx, sizeof(*ctx)); 892 return NULL; 893 } 894 895 return ctx; 896 } 897 898 899 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len) 900 { 901 if (ctx == NULL) 902 return; 903 HMAC_Update(ctx->ctx, data, len); 904 } 905 906 907 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len) 908 { 909 unsigned int mdlen; 910 int res; 911 912 if (ctx == NULL) 913 return -2; 914 915 if (mac == NULL || len == NULL) { 916 HMAC_CTX_free(ctx->ctx); 917 bin_clear_free(ctx, sizeof(*ctx)); 918 return 0; 919 } 920 921 mdlen = *len; 922 res = HMAC_Final(ctx->ctx, mac, &mdlen); 923 HMAC_CTX_free(ctx->ctx); 924 bin_clear_free(ctx, sizeof(*ctx)); 925 926 if (res == 1) { 927 *len = mdlen; 928 return 0; 929 } 930 931 return -1; 932 } 933 934 935 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key, 936 size_t key_len, size_t num_elem, 937 const u8 *addr[], const size_t *len, u8 *mac, 938 unsigned int mdlen) 939 { 940 HMAC_CTX *ctx; 941 size_t i; 942 int res; 943 944 if (TEST_FAIL()) 945 return -1; 946 947 ctx = HMAC_CTX_new(); 948 if (!ctx) 949 return -1; 950 res = HMAC_Init_ex(ctx, key, key_len, type, NULL); 951 if (res != 1) 952 goto done; 953 954 for (i = 0; i < num_elem; i++) 955 HMAC_Update(ctx, addr[i], len[i]); 956 957 res = HMAC_Final(ctx, mac, &mdlen); 958 done: 959 HMAC_CTX_free(ctx); 960 961 return res == 1 ? 0 : -1; 962 } 963 964 965 #ifndef CONFIG_FIPS 966 967 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem, 968 const u8 *addr[], const size_t *len, u8 *mac) 969 { 970 return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len, 971 mac, 16); 972 } 973 974 975 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 976 u8 *mac) 977 { 978 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac); 979 } 980 981 #endif /* CONFIG_FIPS */ 982 983 984 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len, 985 int iterations, u8 *buf, size_t buflen) 986 { 987 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid, 988 ssid_len, iterations, buflen, buf) != 1) 989 return -1; 990 return 0; 991 } 992 993 994 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, 995 const u8 *addr[], const size_t *len, u8 *mac) 996 { 997 return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr, 998 len, mac, 20); 999 } 1000 1001 1002 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 1003 u8 *mac) 1004 { 1005 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); 1006 } 1007 1008 1009 #ifdef CONFIG_SHA256 1010 1011 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, 1012 const u8 *addr[], const size_t *len, u8 *mac) 1013 { 1014 return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr, 1015 len, mac, 32); 1016 } 1017 1018 1019 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 1020 size_t data_len, u8 *mac) 1021 { 1022 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); 1023 } 1024 1025 #endif /* CONFIG_SHA256 */ 1026 1027 1028 #ifdef CONFIG_SHA384 1029 1030 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem, 1031 const u8 *addr[], const size_t *len, u8 *mac) 1032 { 1033 return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr, 1034 len, mac, 48); 1035 } 1036 1037 1038 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, 1039 size_t data_len, u8 *mac) 1040 { 1041 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac); 1042 } 1043 1044 #endif /* CONFIG_SHA384 */ 1045 1046 1047 int crypto_get_random(void *buf, size_t len) 1048 { 1049 if (RAND_bytes(buf, len) != 1) 1050 return -1; 1051 return 0; 1052 } 1053 1054 1055 #ifdef CONFIG_OPENSSL_CMAC 1056 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem, 1057 const u8 *addr[], const size_t *len, u8 *mac) 1058 { 1059 CMAC_CTX *ctx; 1060 int ret = -1; 1061 size_t outlen, i; 1062 1063 if (TEST_FAIL()) 1064 return -1; 1065 1066 ctx = CMAC_CTX_new(); 1067 if (ctx == NULL) 1068 return -1; 1069 1070 if (key_len == 32) { 1071 if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL)) 1072 goto fail; 1073 } else if (key_len == 16) { 1074 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL)) 1075 goto fail; 1076 } else { 1077 goto fail; 1078 } 1079 for (i = 0; i < num_elem; i++) { 1080 if (!CMAC_Update(ctx, addr[i], len[i])) 1081 goto fail; 1082 } 1083 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16) 1084 goto fail; 1085 1086 ret = 0; 1087 fail: 1088 CMAC_CTX_free(ctx); 1089 return ret; 1090 } 1091 1092 1093 int omac1_aes_128_vector(const u8 *key, size_t num_elem, 1094 const u8 *addr[], const size_t *len, u8 *mac) 1095 { 1096 return omac1_aes_vector(key, 16, num_elem, addr, len, mac); 1097 } 1098 1099 1100 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 1101 { 1102 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 1103 } 1104 1105 1106 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 1107 { 1108 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac); 1109 } 1110 #endif /* CONFIG_OPENSSL_CMAC */ 1111 1112 1113 struct crypto_bignum * crypto_bignum_init(void) 1114 { 1115 if (TEST_FAIL()) 1116 return NULL; 1117 return (struct crypto_bignum *) BN_new(); 1118 } 1119 1120 1121 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) 1122 { 1123 BIGNUM *bn; 1124 1125 if (TEST_FAIL()) 1126 return NULL; 1127 1128 bn = BN_bin2bn(buf, len, NULL); 1129 return (struct crypto_bignum *) bn; 1130 } 1131 1132 1133 void crypto_bignum_deinit(struct crypto_bignum *n, int clear) 1134 { 1135 if (clear) 1136 BN_clear_free((BIGNUM *) n); 1137 else 1138 BN_free((BIGNUM *) n); 1139 } 1140 1141 1142 int crypto_bignum_to_bin(const struct crypto_bignum *a, 1143 u8 *buf, size_t buflen, size_t padlen) 1144 { 1145 int num_bytes, offset; 1146 1147 if (TEST_FAIL()) 1148 return -1; 1149 1150 if (padlen > buflen) 1151 return -1; 1152 1153 num_bytes = BN_num_bytes((const BIGNUM *) a); 1154 if ((size_t) num_bytes > buflen) 1155 return -1; 1156 if (padlen > (size_t) num_bytes) 1157 offset = padlen - num_bytes; 1158 else 1159 offset = 0; 1160 1161 os_memset(buf, 0, offset); 1162 BN_bn2bin((const BIGNUM *) a, buf + offset); 1163 1164 return num_bytes + offset; 1165 } 1166 1167 1168 int crypto_bignum_add(const struct crypto_bignum *a, 1169 const struct crypto_bignum *b, 1170 struct crypto_bignum *c) 1171 { 1172 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 1173 0 : -1; 1174 } 1175 1176 1177 int crypto_bignum_mod(const struct crypto_bignum *a, 1178 const struct crypto_bignum *b, 1179 struct crypto_bignum *c) 1180 { 1181 int res; 1182 BN_CTX *bnctx; 1183 1184 bnctx = BN_CTX_new(); 1185 if (bnctx == NULL) 1186 return -1; 1187 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, 1188 bnctx); 1189 BN_CTX_free(bnctx); 1190 1191 return res ? 0 : -1; 1192 } 1193 1194 1195 int crypto_bignum_exptmod(const struct crypto_bignum *a, 1196 const struct crypto_bignum *b, 1197 const struct crypto_bignum *c, 1198 struct crypto_bignum *d) 1199 { 1200 int res; 1201 BN_CTX *bnctx; 1202 1203 if (TEST_FAIL()) 1204 return -1; 1205 1206 bnctx = BN_CTX_new(); 1207 if (bnctx == NULL) 1208 return -1; 1209 res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 1210 (const BIGNUM *) c, bnctx); 1211 BN_CTX_free(bnctx); 1212 1213 return res ? 0 : -1; 1214 } 1215 1216 1217 int crypto_bignum_inverse(const struct crypto_bignum *a, 1218 const struct crypto_bignum *b, 1219 struct crypto_bignum *c) 1220 { 1221 BIGNUM *res; 1222 BN_CTX *bnctx; 1223 1224 if (TEST_FAIL()) 1225 return -1; 1226 bnctx = BN_CTX_new(); 1227 if (bnctx == NULL) 1228 return -1; 1229 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a, 1230 (const BIGNUM *) b, bnctx); 1231 BN_CTX_free(bnctx); 1232 1233 return res ? 0 : -1; 1234 } 1235 1236 1237 int crypto_bignum_sub(const struct crypto_bignum *a, 1238 const struct crypto_bignum *b, 1239 struct crypto_bignum *c) 1240 { 1241 if (TEST_FAIL()) 1242 return -1; 1243 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 1244 0 : -1; 1245 } 1246 1247 1248 int crypto_bignum_div(const struct crypto_bignum *a, 1249 const struct crypto_bignum *b, 1250 struct crypto_bignum *c) 1251 { 1252 int res; 1253 1254 BN_CTX *bnctx; 1255 1256 if (TEST_FAIL()) 1257 return -1; 1258 1259 bnctx = BN_CTX_new(); 1260 if (bnctx == NULL) 1261 return -1; 1262 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a, 1263 (const BIGNUM *) b, bnctx); 1264 BN_CTX_free(bnctx); 1265 1266 return res ? 0 : -1; 1267 } 1268 1269 1270 int crypto_bignum_mulmod(const struct crypto_bignum *a, 1271 const struct crypto_bignum *b, 1272 const struct crypto_bignum *c, 1273 struct crypto_bignum *d) 1274 { 1275 int res; 1276 1277 BN_CTX *bnctx; 1278 1279 if (TEST_FAIL()) 1280 return -1; 1281 1282 bnctx = BN_CTX_new(); 1283 if (bnctx == NULL) 1284 return -1; 1285 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 1286 (const BIGNUM *) c, bnctx); 1287 BN_CTX_free(bnctx); 1288 1289 return res ? 0 : -1; 1290 } 1291 1292 1293 int crypto_bignum_cmp(const struct crypto_bignum *a, 1294 const struct crypto_bignum *b) 1295 { 1296 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b); 1297 } 1298 1299 1300 int crypto_bignum_bits(const struct crypto_bignum *a) 1301 { 1302 return BN_num_bits((const BIGNUM *) a); 1303 } 1304 1305 1306 int crypto_bignum_is_zero(const struct crypto_bignum *a) 1307 { 1308 return BN_is_zero((const BIGNUM *) a); 1309 } 1310 1311 1312 int crypto_bignum_is_one(const struct crypto_bignum *a) 1313 { 1314 return BN_is_one((const BIGNUM *) a); 1315 } 1316 1317 1318 int crypto_bignum_legendre(const struct crypto_bignum *a, 1319 const struct crypto_bignum *p) 1320 { 1321 BN_CTX *bnctx; 1322 BIGNUM *exp = NULL, *tmp = NULL; 1323 int res = -2; 1324 1325 if (TEST_FAIL()) 1326 return -2; 1327 1328 bnctx = BN_CTX_new(); 1329 if (bnctx == NULL) 1330 return -2; 1331 1332 exp = BN_new(); 1333 tmp = BN_new(); 1334 if (!exp || !tmp || 1335 /* exp = (p-1) / 2 */ 1336 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) || 1337 !BN_rshift1(exp, exp) || 1338 !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p, 1339 bnctx)) 1340 goto fail; 1341 1342 if (BN_is_word(tmp, 1)) 1343 res = 1; 1344 else if (BN_is_zero(tmp)) 1345 res = 0; 1346 else 1347 res = -1; 1348 1349 fail: 1350 BN_clear_free(tmp); 1351 BN_clear_free(exp); 1352 BN_CTX_free(bnctx); 1353 return res; 1354 } 1355 1356 1357 #ifdef CONFIG_ECC 1358 1359 struct crypto_ec { 1360 EC_GROUP *group; 1361 BN_CTX *bnctx; 1362 BIGNUM *prime; 1363 BIGNUM *order; 1364 BIGNUM *a; 1365 BIGNUM *b; 1366 }; 1367 1368 struct crypto_ec * crypto_ec_init(int group) 1369 { 1370 struct crypto_ec *e; 1371 int nid; 1372 1373 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */ 1374 switch (group) { 1375 case 19: 1376 nid = NID_X9_62_prime256v1; 1377 break; 1378 case 20: 1379 nid = NID_secp384r1; 1380 break; 1381 case 21: 1382 nid = NID_secp521r1; 1383 break; 1384 case 25: 1385 nid = NID_X9_62_prime192v1; 1386 break; 1387 case 26: 1388 nid = NID_secp224r1; 1389 break; 1390 #ifdef NID_brainpoolP224r1 1391 case 27: 1392 nid = NID_brainpoolP224r1; 1393 break; 1394 #endif /* NID_brainpoolP224r1 */ 1395 #ifdef NID_brainpoolP256r1 1396 case 28: 1397 nid = NID_brainpoolP256r1; 1398 break; 1399 #endif /* NID_brainpoolP256r1 */ 1400 #ifdef NID_brainpoolP384r1 1401 case 29: 1402 nid = NID_brainpoolP384r1; 1403 break; 1404 #endif /* NID_brainpoolP384r1 */ 1405 #ifdef NID_brainpoolP512r1 1406 case 30: 1407 nid = NID_brainpoolP512r1; 1408 break; 1409 #endif /* NID_brainpoolP512r1 */ 1410 default: 1411 return NULL; 1412 } 1413 1414 e = os_zalloc(sizeof(*e)); 1415 if (e == NULL) 1416 return NULL; 1417 1418 e->bnctx = BN_CTX_new(); 1419 e->group = EC_GROUP_new_by_curve_name(nid); 1420 e->prime = BN_new(); 1421 e->order = BN_new(); 1422 e->a = BN_new(); 1423 e->b = BN_new(); 1424 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL || 1425 e->order == NULL || e->a == NULL || e->b == NULL || 1426 !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) || 1427 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) { 1428 crypto_ec_deinit(e); 1429 e = NULL; 1430 } 1431 1432 return e; 1433 } 1434 1435 1436 void crypto_ec_deinit(struct crypto_ec *e) 1437 { 1438 if (e == NULL) 1439 return; 1440 BN_clear_free(e->b); 1441 BN_clear_free(e->a); 1442 BN_clear_free(e->order); 1443 BN_clear_free(e->prime); 1444 EC_GROUP_free(e->group); 1445 BN_CTX_free(e->bnctx); 1446 os_free(e); 1447 } 1448 1449 1450 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e) 1451 { 1452 if (TEST_FAIL()) 1453 return NULL; 1454 if (e == NULL) 1455 return NULL; 1456 return (struct crypto_ec_point *) EC_POINT_new(e->group); 1457 } 1458 1459 1460 size_t crypto_ec_prime_len(struct crypto_ec *e) 1461 { 1462 return BN_num_bytes(e->prime); 1463 } 1464 1465 1466 size_t crypto_ec_prime_len_bits(struct crypto_ec *e) 1467 { 1468 return BN_num_bits(e->prime); 1469 } 1470 1471 1472 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e) 1473 { 1474 return (const struct crypto_bignum *) e->prime; 1475 } 1476 1477 1478 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) 1479 { 1480 return (const struct crypto_bignum *) e->order; 1481 } 1482 1483 1484 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) 1485 { 1486 if (clear) 1487 EC_POINT_clear_free((EC_POINT *) p); 1488 else 1489 EC_POINT_free((EC_POINT *) p); 1490 } 1491 1492 1493 int crypto_ec_point_to_bin(struct crypto_ec *e, 1494 const struct crypto_ec_point *point, u8 *x, u8 *y) 1495 { 1496 BIGNUM *x_bn, *y_bn; 1497 int ret = -1; 1498 int len = BN_num_bytes(e->prime); 1499 1500 if (TEST_FAIL()) 1501 return -1; 1502 1503 x_bn = BN_new(); 1504 y_bn = BN_new(); 1505 1506 if (x_bn && y_bn && 1507 EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point, 1508 x_bn, y_bn, e->bnctx)) { 1509 if (x) { 1510 crypto_bignum_to_bin((struct crypto_bignum *) x_bn, 1511 x, len, len); 1512 } 1513 if (y) { 1514 crypto_bignum_to_bin((struct crypto_bignum *) y_bn, 1515 y, len, len); 1516 } 1517 ret = 0; 1518 } 1519 1520 BN_clear_free(x_bn); 1521 BN_clear_free(y_bn); 1522 return ret; 1523 } 1524 1525 1526 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e, 1527 const u8 *val) 1528 { 1529 BIGNUM *x, *y; 1530 EC_POINT *elem; 1531 int len = BN_num_bytes(e->prime); 1532 1533 if (TEST_FAIL()) 1534 return NULL; 1535 1536 x = BN_bin2bn(val, len, NULL); 1537 y = BN_bin2bn(val + len, len, NULL); 1538 elem = EC_POINT_new(e->group); 1539 if (x == NULL || y == NULL || elem == NULL) { 1540 BN_clear_free(x); 1541 BN_clear_free(y); 1542 EC_POINT_clear_free(elem); 1543 return NULL; 1544 } 1545 1546 if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y, 1547 e->bnctx)) { 1548 EC_POINT_clear_free(elem); 1549 elem = NULL; 1550 } 1551 1552 BN_clear_free(x); 1553 BN_clear_free(y); 1554 1555 return (struct crypto_ec_point *) elem; 1556 } 1557 1558 1559 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a, 1560 const struct crypto_ec_point *b, 1561 struct crypto_ec_point *c) 1562 { 1563 if (TEST_FAIL()) 1564 return -1; 1565 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a, 1566 (const EC_POINT *) b, e->bnctx) ? 0 : -1; 1567 } 1568 1569 1570 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p, 1571 const struct crypto_bignum *b, 1572 struct crypto_ec_point *res) 1573 { 1574 if (TEST_FAIL()) 1575 return -1; 1576 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL, 1577 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx) 1578 ? 0 : -1; 1579 } 1580 1581 1582 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p) 1583 { 1584 if (TEST_FAIL()) 1585 return -1; 1586 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1; 1587 } 1588 1589 1590 int crypto_ec_point_solve_y_coord(struct crypto_ec *e, 1591 struct crypto_ec_point *p, 1592 const struct crypto_bignum *x, int y_bit) 1593 { 1594 if (TEST_FAIL()) 1595 return -1; 1596 if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p, 1597 (const BIGNUM *) x, y_bit, 1598 e->bnctx) || 1599 !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx)) 1600 return -1; 1601 return 0; 1602 } 1603 1604 1605 struct crypto_bignum * 1606 crypto_ec_point_compute_y_sqr(struct crypto_ec *e, 1607 const struct crypto_bignum *x) 1608 { 1609 BIGNUM *tmp, *tmp2, *y_sqr = NULL; 1610 1611 if (TEST_FAIL()) 1612 return NULL; 1613 1614 tmp = BN_new(); 1615 tmp2 = BN_new(); 1616 1617 /* y^2 = x^3 + ax + b */ 1618 if (tmp && tmp2 && 1619 BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) && 1620 BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) && 1621 BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) && 1622 BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) && 1623 BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) { 1624 y_sqr = tmp2; 1625 tmp2 = NULL; 1626 } 1627 1628 BN_clear_free(tmp); 1629 BN_clear_free(tmp2); 1630 1631 return (struct crypto_bignum *) y_sqr; 1632 } 1633 1634 1635 int crypto_ec_point_is_at_infinity(struct crypto_ec *e, 1636 const struct crypto_ec_point *p) 1637 { 1638 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p); 1639 } 1640 1641 1642 int crypto_ec_point_is_on_curve(struct crypto_ec *e, 1643 const struct crypto_ec_point *p) 1644 { 1645 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p, 1646 e->bnctx) == 1; 1647 } 1648 1649 1650 int crypto_ec_point_cmp(const struct crypto_ec *e, 1651 const struct crypto_ec_point *a, 1652 const struct crypto_ec_point *b) 1653 { 1654 return EC_POINT_cmp(e->group, (const EC_POINT *) a, 1655 (const EC_POINT *) b, e->bnctx); 1656 } 1657 1658 #endif /* CONFIG_ECC */ 1659
