1 /* 2 * Wrapper functions for OpenSSL libcrypto 3 * Copyright (c) 2004-2017, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <openssl/opensslv.h> 11 #include <openssl/err.h> 12 #include <openssl/des.h> 13 #include <openssl/aes.h> 14 #include <openssl/bn.h> 15 #include <openssl/evp.h> 16 #include <openssl/dh.h> 17 #include <openssl/hmac.h> 18 #include <openssl/rand.h> 19 #ifdef CONFIG_OPENSSL_CMAC 20 #include <openssl/cmac.h> 21 #endif /* CONFIG_OPENSSL_CMAC */ 22 #ifdef CONFIG_ECC 23 #include <openssl/ec.h> 24 #endif /* CONFIG_ECC */ 25 26 #include "common.h" 27 #include "wpabuf.h" 28 #include "dh_group5.h" 29 #include "sha1.h" 30 #include "sha256.h" 31 #include "sha384.h" 32 #include "md5.h" 33 #include "aes_wrap.h" 34 #include "crypto.h" 35 36 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) 37 /* Compatibility wrappers for older versions. */ 38 39 static HMAC_CTX * HMAC_CTX_new(void) 40 { 41 HMAC_CTX *ctx; 42 43 ctx = os_zalloc(sizeof(*ctx)); 44 if (ctx) 45 HMAC_CTX_init(ctx); 46 return ctx; 47 } 48 49 50 static void HMAC_CTX_free(HMAC_CTX *ctx) 51 { 52 if (!ctx) 53 return; 54 HMAC_CTX_cleanup(ctx); 55 bin_clear_free(ctx, sizeof(*ctx)); 56 } 57 58 59 static EVP_MD_CTX * EVP_MD_CTX_new(void) 60 { 61 EVP_MD_CTX *ctx; 62 63 ctx = os_zalloc(sizeof(*ctx)); 64 if (ctx) 65 EVP_MD_CTX_init(ctx); 66 return ctx; 67 } 68 69 70 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) 71 { 72 if (!ctx) 73 return; 74 EVP_MD_CTX_cleanup(ctx); 75 bin_clear_free(ctx, sizeof(*ctx)); 76 } 77 78 #endif /* OpenSSL version < 1.1.0 */ 79 80 static BIGNUM * get_group5_prime(void) 81 { 82 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) 83 return BN_get_rfc3526_prime_1536(NULL); 84 #elif !defined(OPENSSL_IS_BORINGSSL) 85 return get_rfc3526_prime_1536(NULL); 86 #else 87 static const unsigned char RFC3526_PRIME_1536[] = { 88 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, 89 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, 90 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, 91 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, 92 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, 93 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, 94 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, 95 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, 96 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, 97 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, 98 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, 99 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, 100 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, 101 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, 102 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, 103 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 104 }; 105 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL); 106 #endif 107 } 108 109 #ifdef OPENSSL_NO_SHA256 110 #define NO_SHA256_WRAPPER 111 #endif 112 #ifdef OPENSSL_NO_SHA512 113 #define NO_SHA384_WRAPPER 114 #endif 115 116 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem, 117 const u8 *addr[], const size_t *len, u8 *mac) 118 { 119 EVP_MD_CTX *ctx; 120 size_t i; 121 unsigned int mac_len; 122 123 if (TEST_FAIL()) 124 return -1; 125 126 ctx = EVP_MD_CTX_new(); 127 if (!ctx) 128 return -1; 129 if (!EVP_DigestInit_ex(ctx, type, NULL)) { 130 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s", 131 ERR_error_string(ERR_get_error(), NULL)); 132 EVP_MD_CTX_free(ctx); 133 return -1; 134 } 135 for (i = 0; i < num_elem; i++) { 136 if (!EVP_DigestUpdate(ctx, addr[i], len[i])) { 137 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate " 138 "failed: %s", 139 ERR_error_string(ERR_get_error(), NULL)); 140 EVP_MD_CTX_free(ctx); 141 return -1; 142 } 143 } 144 if (!EVP_DigestFinal(ctx, mac, &mac_len)) { 145 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s", 146 ERR_error_string(ERR_get_error(), NULL)); 147 EVP_MD_CTX_free(ctx); 148 return -1; 149 } 150 EVP_MD_CTX_free(ctx); 151 152 return 0; 153 } 154 155 156 #ifndef CONFIG_FIPS 157 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 158 { 159 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac); 160 } 161 #endif /* CONFIG_FIPS */ 162 163 164 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) 165 { 166 u8 pkey[8], next, tmp; 167 int i; 168 DES_key_schedule ks; 169 170 /* Add parity bits to the key */ 171 next = 0; 172 for (i = 0; i < 7; i++) { 173 tmp = key[i]; 174 pkey[i] = (tmp >> i) | next | 1; 175 next = tmp << (7 - i); 176 } 177 pkey[i] = next | 1; 178 179 DES_set_key((DES_cblock *) &pkey, &ks); 180 DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks, 181 DES_ENCRYPT); 182 return 0; 183 } 184 185 186 #ifndef CONFIG_NO_RC4 187 int rc4_skip(const u8 *key, size_t keylen, size_t skip, 188 u8 *data, size_t data_len) 189 { 190 #ifdef OPENSSL_NO_RC4 191 return -1; 192 #else /* OPENSSL_NO_RC4 */ 193 EVP_CIPHER_CTX *ctx; 194 int outl; 195 int res = -1; 196 unsigned char skip_buf[16]; 197 198 ctx = EVP_CIPHER_CTX_new(); 199 if (!ctx || 200 !EVP_CIPHER_CTX_set_padding(ctx, 0) || 201 !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) || 202 !EVP_CIPHER_CTX_set_key_length(ctx, keylen) || 203 !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1)) 204 goto out; 205 206 while (skip >= sizeof(skip_buf)) { 207 size_t len = skip; 208 if (len > sizeof(skip_buf)) 209 len = sizeof(skip_buf); 210 if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len)) 211 goto out; 212 skip -= len; 213 } 214 215 if (EVP_CipherUpdate(ctx, data, &outl, data, data_len)) 216 res = 0; 217 218 out: 219 if (ctx) 220 EVP_CIPHER_CTX_free(ctx); 221 return res; 222 #endif /* OPENSSL_NO_RC4 */ 223 } 224 #endif /* CONFIG_NO_RC4 */ 225 226 227 #ifndef CONFIG_FIPS 228 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 229 { 230 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac); 231 } 232 #endif /* CONFIG_FIPS */ 233 234 235 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 236 { 237 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac); 238 } 239 240 241 #ifndef NO_SHA256_WRAPPER 242 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, 243 u8 *mac) 244 { 245 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac); 246 } 247 #endif /* NO_SHA256_WRAPPER */ 248 249 250 #ifndef NO_SHA384_WRAPPER 251 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len, 252 u8 *mac) 253 { 254 return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac); 255 } 256 #endif /* NO_SHA384_WRAPPER */ 257 258 259 #ifndef NO_SHA512_WRAPPER 260 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len, 261 u8 *mac) 262 { 263 return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac); 264 } 265 #endif /* NO_SHA512_WRAPPER */ 266 267 268 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen) 269 { 270 switch (keylen) { 271 case 16: 272 return EVP_aes_128_ecb(); 273 #ifndef OPENSSL_IS_BORINGSSL 274 case 24: 275 return EVP_aes_192_ecb(); 276 #endif /* OPENSSL_IS_BORINGSSL */ 277 case 32: 278 return EVP_aes_256_ecb(); 279 } 280 281 return NULL; 282 } 283 284 285 void * aes_encrypt_init(const u8 *key, size_t len) 286 { 287 EVP_CIPHER_CTX *ctx; 288 const EVP_CIPHER *type; 289 290 if (TEST_FAIL()) 291 return NULL; 292 293 type = aes_get_evp_cipher(len); 294 if (type == NULL) 295 return NULL; 296 297 ctx = EVP_CIPHER_CTX_new(); 298 if (ctx == NULL) 299 return NULL; 300 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 301 os_free(ctx); 302 return NULL; 303 } 304 EVP_CIPHER_CTX_set_padding(ctx, 0); 305 return ctx; 306 } 307 308 309 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) 310 { 311 EVP_CIPHER_CTX *c = ctx; 312 int clen = 16; 313 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) { 314 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s", 315 ERR_error_string(ERR_get_error(), NULL)); 316 return -1; 317 } 318 return 0; 319 } 320 321 322 void aes_encrypt_deinit(void *ctx) 323 { 324 EVP_CIPHER_CTX *c = ctx; 325 u8 buf[16]; 326 int len = sizeof(buf); 327 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) { 328 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: " 329 "%s", ERR_error_string(ERR_get_error(), NULL)); 330 } 331 if (len != 0) { 332 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 333 "in AES encrypt", len); 334 } 335 EVP_CIPHER_CTX_free(c); 336 } 337 338 339 void * aes_decrypt_init(const u8 *key, size_t len) 340 { 341 EVP_CIPHER_CTX *ctx; 342 const EVP_CIPHER *type; 343 344 if (TEST_FAIL()) 345 return NULL; 346 347 type = aes_get_evp_cipher(len); 348 if (type == NULL) 349 return NULL; 350 351 ctx = EVP_CIPHER_CTX_new(); 352 if (ctx == NULL) 353 return NULL; 354 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 355 EVP_CIPHER_CTX_free(ctx); 356 return NULL; 357 } 358 EVP_CIPHER_CTX_set_padding(ctx, 0); 359 return ctx; 360 } 361 362 363 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) 364 { 365 EVP_CIPHER_CTX *c = ctx; 366 int plen = 16; 367 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) { 368 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s", 369 ERR_error_string(ERR_get_error(), NULL)); 370 return -1; 371 } 372 return 0; 373 } 374 375 376 void aes_decrypt_deinit(void *ctx) 377 { 378 EVP_CIPHER_CTX *c = ctx; 379 u8 buf[16]; 380 int len = sizeof(buf); 381 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) { 382 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: " 383 "%s", ERR_error_string(ERR_get_error(), NULL)); 384 } 385 if (len != 0) { 386 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 387 "in AES decrypt", len); 388 } 389 EVP_CIPHER_CTX_free(c); 390 } 391 392 393 #ifndef CONFIG_FIPS 394 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP 395 396 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) 397 { 398 AES_KEY actx; 399 int res; 400 401 if (TEST_FAIL()) 402 return -1; 403 if (AES_set_encrypt_key(kek, kek_len << 3, &actx)) 404 return -1; 405 res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8); 406 OPENSSL_cleanse(&actx, sizeof(actx)); 407 return res <= 0 ? -1 : 0; 408 } 409 410 411 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, 412 u8 *plain) 413 { 414 AES_KEY actx; 415 int res; 416 417 if (TEST_FAIL()) 418 return -1; 419 if (AES_set_decrypt_key(kek, kek_len << 3, &actx)) 420 return -1; 421 res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8); 422 OPENSSL_cleanse(&actx, sizeof(actx)); 423 return res <= 0 ? -1 : 0; 424 } 425 426 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */ 427 #endif /* CONFIG_FIPS */ 428 429 430 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 431 { 432 EVP_CIPHER_CTX *ctx; 433 int clen, len; 434 u8 buf[16]; 435 int res = -1; 436 437 if (TEST_FAIL()) 438 return -1; 439 440 ctx = EVP_CIPHER_CTX_new(); 441 if (!ctx) 442 return -1; 443 clen = data_len; 444 len = sizeof(buf); 445 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 && 446 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && 447 EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 && 448 clen == (int) data_len && 449 EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0) 450 res = 0; 451 EVP_CIPHER_CTX_free(ctx); 452 453 return res; 454 } 455 456 457 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 458 { 459 EVP_CIPHER_CTX *ctx; 460 int plen, len; 461 u8 buf[16]; 462 int res = -1; 463 464 if (TEST_FAIL()) 465 return -1; 466 467 ctx = EVP_CIPHER_CTX_new(); 468 if (!ctx) 469 return -1; 470 plen = data_len; 471 len = sizeof(buf); 472 if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 && 473 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && 474 EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 && 475 plen == (int) data_len && 476 EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0) 477 res = 0; 478 EVP_CIPHER_CTX_free(ctx); 479 480 return res; 481 482 } 483 484 485 int crypto_mod_exp(const u8 *base, size_t base_len, 486 const u8 *power, size_t power_len, 487 const u8 *modulus, size_t modulus_len, 488 u8 *result, size_t *result_len) 489 { 490 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result; 491 int ret = -1; 492 BN_CTX *ctx; 493 494 ctx = BN_CTX_new(); 495 if (ctx == NULL) 496 return -1; 497 498 bn_base = BN_bin2bn(base, base_len, NULL); 499 bn_exp = BN_bin2bn(power, power_len, NULL); 500 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL); 501 bn_result = BN_new(); 502 503 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL || 504 bn_result == NULL) 505 goto error; 506 507 if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1) 508 goto error; 509 510 *result_len = BN_bn2bin(bn_result, result); 511 ret = 0; 512 513 error: 514 BN_clear_free(bn_base); 515 BN_clear_free(bn_exp); 516 BN_clear_free(bn_modulus); 517 BN_clear_free(bn_result); 518 BN_CTX_free(ctx); 519 return ret; 520 } 521 522 523 struct crypto_cipher { 524 EVP_CIPHER_CTX *enc; 525 EVP_CIPHER_CTX *dec; 526 }; 527 528 529 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, 530 const u8 *iv, const u8 *key, 531 size_t key_len) 532 { 533 struct crypto_cipher *ctx; 534 const EVP_CIPHER *cipher; 535 536 ctx = os_zalloc(sizeof(*ctx)); 537 if (ctx == NULL) 538 return NULL; 539 540 switch (alg) { 541 #ifndef CONFIG_NO_RC4 542 #ifndef OPENSSL_NO_RC4 543 case CRYPTO_CIPHER_ALG_RC4: 544 cipher = EVP_rc4(); 545 break; 546 #endif /* OPENSSL_NO_RC4 */ 547 #endif /* CONFIG_NO_RC4 */ 548 #ifndef OPENSSL_NO_AES 549 case CRYPTO_CIPHER_ALG_AES: 550 switch (key_len) { 551 case 16: 552 cipher = EVP_aes_128_cbc(); 553 break; 554 #ifndef OPENSSL_IS_BORINGSSL 555 case 24: 556 cipher = EVP_aes_192_cbc(); 557 break; 558 #endif /* OPENSSL_IS_BORINGSSL */ 559 case 32: 560 cipher = EVP_aes_256_cbc(); 561 break; 562 default: 563 os_free(ctx); 564 return NULL; 565 } 566 break; 567 #endif /* OPENSSL_NO_AES */ 568 #ifndef OPENSSL_NO_DES 569 case CRYPTO_CIPHER_ALG_3DES: 570 cipher = EVP_des_ede3_cbc(); 571 break; 572 case CRYPTO_CIPHER_ALG_DES: 573 cipher = EVP_des_cbc(); 574 break; 575 #endif /* OPENSSL_NO_DES */ 576 #ifndef OPENSSL_NO_RC2 577 case CRYPTO_CIPHER_ALG_RC2: 578 cipher = EVP_rc2_ecb(); 579 break; 580 #endif /* OPENSSL_NO_RC2 */ 581 default: 582 os_free(ctx); 583 return NULL; 584 } 585 586 if (!(ctx->enc = EVP_CIPHER_CTX_new()) || 587 !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) || 588 !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) || 589 !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) || 590 !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) { 591 if (ctx->enc) 592 EVP_CIPHER_CTX_free(ctx->enc); 593 os_free(ctx); 594 return NULL; 595 } 596 597 if (!(ctx->dec = EVP_CIPHER_CTX_new()) || 598 !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) || 599 !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) || 600 !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) || 601 !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) { 602 EVP_CIPHER_CTX_free(ctx->enc); 603 if (ctx->dec) 604 EVP_CIPHER_CTX_free(ctx->dec); 605 os_free(ctx); 606 return NULL; 607 } 608 609 return ctx; 610 } 611 612 613 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain, 614 u8 *crypt, size_t len) 615 { 616 int outl; 617 if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len)) 618 return -1; 619 return 0; 620 } 621 622 623 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt, 624 u8 *plain, size_t len) 625 { 626 int outl; 627 outl = len; 628 if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len)) 629 return -1; 630 return 0; 631 } 632 633 634 void crypto_cipher_deinit(struct crypto_cipher *ctx) 635 { 636 EVP_CIPHER_CTX_free(ctx->enc); 637 EVP_CIPHER_CTX_free(ctx->dec); 638 os_free(ctx); 639 } 640 641 642 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) 643 { 644 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) 645 DH *dh; 646 struct wpabuf *pubkey = NULL, *privkey = NULL; 647 size_t publen, privlen; 648 649 *priv = NULL; 650 wpabuf_free(*publ); 651 *publ = NULL; 652 653 dh = DH_new(); 654 if (dh == NULL) 655 return NULL; 656 657 dh->g = BN_new(); 658 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 659 goto err; 660 661 dh->p = get_group5_prime(); 662 if (dh->p == NULL) 663 goto err; 664 665 if (DH_generate_key(dh) != 1) 666 goto err; 667 668 publen = BN_num_bytes(dh->pub_key); 669 pubkey = wpabuf_alloc(publen); 670 if (pubkey == NULL) 671 goto err; 672 privlen = BN_num_bytes(dh->priv_key); 673 privkey = wpabuf_alloc(privlen); 674 if (privkey == NULL) 675 goto err; 676 677 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen)); 678 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen)); 679 680 *priv = privkey; 681 *publ = pubkey; 682 return dh; 683 684 err: 685 wpabuf_clear_free(pubkey); 686 wpabuf_clear_free(privkey); 687 DH_free(dh); 688 return NULL; 689 #else 690 DH *dh; 691 struct wpabuf *pubkey = NULL, *privkey = NULL; 692 size_t publen, privlen; 693 BIGNUM *p = NULL, *g; 694 const BIGNUM *priv_key = NULL, *pub_key = NULL; 695 696 *priv = NULL; 697 wpabuf_free(*publ); 698 *publ = NULL; 699 700 dh = DH_new(); 701 if (dh == NULL) 702 return NULL; 703 704 g = BN_new(); 705 p = get_group5_prime(); 706 if (!g || BN_set_word(g, 2) != 1 || !p || 707 DH_set0_pqg(dh, p, NULL, g) != 1) 708 goto err; 709 p = NULL; 710 g = NULL; 711 712 if (DH_generate_key(dh) != 1) 713 goto err; 714 715 DH_get0_key(dh, &pub_key, &priv_key); 716 publen = BN_num_bytes(pub_key); 717 pubkey = wpabuf_alloc(publen); 718 if (!pubkey) 719 goto err; 720 privlen = BN_num_bytes(priv_key); 721 privkey = wpabuf_alloc(privlen); 722 if (!privkey) 723 goto err; 724 725 BN_bn2bin(pub_key, wpabuf_put(pubkey, publen)); 726 BN_bn2bin(priv_key, wpabuf_put(privkey, privlen)); 727 728 *priv = privkey; 729 *publ = pubkey; 730 return dh; 731 732 err: 733 BN_free(p); 734 BN_free(g); 735 wpabuf_clear_free(pubkey); 736 wpabuf_clear_free(privkey); 737 DH_free(dh); 738 return NULL; 739 #endif 740 } 741 742 743 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) 744 { 745 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) 746 DH *dh; 747 748 dh = DH_new(); 749 if (dh == NULL) 750 return NULL; 751 752 dh->g = BN_new(); 753 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 754 goto err; 755 756 dh->p = get_group5_prime(); 757 if (dh->p == NULL) 758 goto err; 759 760 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL); 761 if (dh->priv_key == NULL) 762 goto err; 763 764 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL); 765 if (dh->pub_key == NULL) 766 goto err; 767 768 if (DH_generate_key(dh) != 1) 769 goto err; 770 771 return dh; 772 773 err: 774 DH_free(dh); 775 return NULL; 776 #else 777 DH *dh; 778 BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL; 779 780 dh = DH_new(); 781 if (dh == NULL) 782 return NULL; 783 784 g = BN_new(); 785 p = get_group5_prime(); 786 if (!g || BN_set_word(g, 2) != 1 || !p || 787 DH_set0_pqg(dh, p, NULL, g) != 1) 788 goto err; 789 p = NULL; 790 g = NULL; 791 792 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL); 793 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL); 794 if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1) 795 goto err; 796 pub_key = NULL; 797 priv_key = NULL; 798 799 if (DH_generate_key(dh) != 1) 800 goto err; 801 802 return dh; 803 804 err: 805 BN_free(p); 806 BN_free(g); 807 BN_free(pub_key); 808 BN_clear_free(priv_key); 809 DH_free(dh); 810 return NULL; 811 #endif 812 } 813 814 815 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public, 816 const struct wpabuf *own_private) 817 { 818 BIGNUM *pub_key; 819 struct wpabuf *res = NULL; 820 size_t rlen; 821 DH *dh = ctx; 822 int keylen; 823 824 if (ctx == NULL) 825 return NULL; 826 827 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public), 828 NULL); 829 if (pub_key == NULL) 830 return NULL; 831 832 rlen = DH_size(dh); 833 res = wpabuf_alloc(rlen); 834 if (res == NULL) 835 goto err; 836 837 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh); 838 if (keylen < 0) 839 goto err; 840 wpabuf_put(res, keylen); 841 BN_clear_free(pub_key); 842 843 return res; 844 845 err: 846 BN_clear_free(pub_key); 847 wpabuf_clear_free(res); 848 return NULL; 849 } 850 851 852 void dh5_free(void *ctx) 853 { 854 DH *dh; 855 if (ctx == NULL) 856 return; 857 dh = ctx; 858 DH_free(dh); 859 } 860 861 862 struct crypto_hash { 863 HMAC_CTX *ctx; 864 }; 865 866 867 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key, 868 size_t key_len) 869 { 870 struct crypto_hash *ctx; 871 const EVP_MD *md; 872 873 switch (alg) { 874 #ifndef OPENSSL_NO_MD5 875 case CRYPTO_HASH_ALG_HMAC_MD5: 876 md = EVP_md5(); 877 break; 878 #endif /* OPENSSL_NO_MD5 */ 879 #ifndef OPENSSL_NO_SHA 880 case CRYPTO_HASH_ALG_HMAC_SHA1: 881 md = EVP_sha1(); 882 break; 883 #endif /* OPENSSL_NO_SHA */ 884 #ifndef OPENSSL_NO_SHA256 885 #ifdef CONFIG_SHA256 886 case CRYPTO_HASH_ALG_HMAC_SHA256: 887 md = EVP_sha256(); 888 break; 889 #endif /* CONFIG_SHA256 */ 890 #endif /* OPENSSL_NO_SHA256 */ 891 default: 892 return NULL; 893 } 894 895 ctx = os_zalloc(sizeof(*ctx)); 896 if (ctx == NULL) 897 return NULL; 898 ctx->ctx = HMAC_CTX_new(); 899 if (!ctx->ctx) { 900 os_free(ctx); 901 return NULL; 902 } 903 904 if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) { 905 HMAC_CTX_free(ctx->ctx); 906 bin_clear_free(ctx, sizeof(*ctx)); 907 return NULL; 908 } 909 910 return ctx; 911 } 912 913 914 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len) 915 { 916 if (ctx == NULL) 917 return; 918 HMAC_Update(ctx->ctx, data, len); 919 } 920 921 922 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len) 923 { 924 unsigned int mdlen; 925 int res; 926 927 if (ctx == NULL) 928 return -2; 929 930 if (mac == NULL || len == NULL) { 931 HMAC_CTX_free(ctx->ctx); 932 bin_clear_free(ctx, sizeof(*ctx)); 933 return 0; 934 } 935 936 mdlen = *len; 937 res = HMAC_Final(ctx->ctx, mac, &mdlen); 938 HMAC_CTX_free(ctx->ctx); 939 bin_clear_free(ctx, sizeof(*ctx)); 940 941 if (res == 1) { 942 *len = mdlen; 943 return 0; 944 } 945 946 return -1; 947 } 948 949 950 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key, 951 size_t key_len, size_t num_elem, 952 const u8 *addr[], const size_t *len, u8 *mac, 953 unsigned int mdlen) 954 { 955 HMAC_CTX *ctx; 956 size_t i; 957 int res; 958 959 if (TEST_FAIL()) 960 return -1; 961 962 ctx = HMAC_CTX_new(); 963 if (!ctx) 964 return -1; 965 res = HMAC_Init_ex(ctx, key, key_len, type, NULL); 966 if (res != 1) 967 goto done; 968 969 for (i = 0; i < num_elem; i++) 970 HMAC_Update(ctx, addr[i], len[i]); 971 972 res = HMAC_Final(ctx, mac, &mdlen); 973 done: 974 HMAC_CTX_free(ctx); 975 976 return res == 1 ? 0 : -1; 977 } 978 979 980 #ifndef CONFIG_FIPS 981 982 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem, 983 const u8 *addr[], const size_t *len, u8 *mac) 984 { 985 return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len, 986 mac, 16); 987 } 988 989 990 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 991 u8 *mac) 992 { 993 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac); 994 } 995 996 #endif /* CONFIG_FIPS */ 997 998 999 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len, 1000 int iterations, u8 *buf, size_t buflen) 1001 { 1002 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid, 1003 ssid_len, iterations, buflen, buf) != 1) 1004 return -1; 1005 return 0; 1006 } 1007 1008 1009 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, 1010 const u8 *addr[], const size_t *len, u8 *mac) 1011 { 1012 return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr, 1013 len, mac, 20); 1014 } 1015 1016 1017 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 1018 u8 *mac) 1019 { 1020 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); 1021 } 1022 1023 1024 #ifdef CONFIG_SHA256 1025 1026 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, 1027 const u8 *addr[], const size_t *len, u8 *mac) 1028 { 1029 return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr, 1030 len, mac, 32); 1031 } 1032 1033 1034 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 1035 size_t data_len, u8 *mac) 1036 { 1037 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); 1038 } 1039 1040 #endif /* CONFIG_SHA256 */ 1041 1042 1043 #ifdef CONFIG_SHA384 1044 1045 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem, 1046 const u8 *addr[], const size_t *len, u8 *mac) 1047 { 1048 return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr, 1049 len, mac, 48); 1050 } 1051 1052 1053 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, 1054 size_t data_len, u8 *mac) 1055 { 1056 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac); 1057 } 1058 1059 #endif /* CONFIG_SHA384 */ 1060 1061 1062 #ifdef CONFIG_SHA512 1063 1064 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem, 1065 const u8 *addr[], const size_t *len, u8 *mac) 1066 { 1067 return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr, 1068 len, mac, 64); 1069 } 1070 1071 1072 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data, 1073 size_t data_len, u8 *mac) 1074 { 1075 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac); 1076 } 1077 1078 #endif /* CONFIG_SHA512 */ 1079 1080 1081 int crypto_get_random(void *buf, size_t len) 1082 { 1083 if (RAND_bytes(buf, len) != 1) 1084 return -1; 1085 return 0; 1086 } 1087 1088 1089 #ifdef CONFIG_OPENSSL_CMAC 1090 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem, 1091 const u8 *addr[], const size_t *len, u8 *mac) 1092 { 1093 CMAC_CTX *ctx; 1094 int ret = -1; 1095 size_t outlen, i; 1096 1097 if (TEST_FAIL()) 1098 return -1; 1099 1100 ctx = CMAC_CTX_new(); 1101 if (ctx == NULL) 1102 return -1; 1103 1104 if (key_len == 32) { 1105 if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL)) 1106 goto fail; 1107 } else if (key_len == 16) { 1108 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL)) 1109 goto fail; 1110 } else { 1111 goto fail; 1112 } 1113 for (i = 0; i < num_elem; i++) { 1114 if (!CMAC_Update(ctx, addr[i], len[i])) 1115 goto fail; 1116 } 1117 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16) 1118 goto fail; 1119 1120 ret = 0; 1121 fail: 1122 CMAC_CTX_free(ctx); 1123 return ret; 1124 } 1125 1126 1127 int omac1_aes_128_vector(const u8 *key, size_t num_elem, 1128 const u8 *addr[], const size_t *len, u8 *mac) 1129 { 1130 return omac1_aes_vector(key, 16, num_elem, addr, len, mac); 1131 } 1132 1133 1134 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 1135 { 1136 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 1137 } 1138 1139 1140 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 1141 { 1142 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac); 1143 } 1144 #endif /* CONFIG_OPENSSL_CMAC */ 1145 1146 1147 struct crypto_bignum * crypto_bignum_init(void) 1148 { 1149 if (TEST_FAIL()) 1150 return NULL; 1151 return (struct crypto_bignum *) BN_new(); 1152 } 1153 1154 1155 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) 1156 { 1157 BIGNUM *bn; 1158 1159 if (TEST_FAIL()) 1160 return NULL; 1161 1162 bn = BN_bin2bn(buf, len, NULL); 1163 return (struct crypto_bignum *) bn; 1164 } 1165 1166 1167 void crypto_bignum_deinit(struct crypto_bignum *n, int clear) 1168 { 1169 if (clear) 1170 BN_clear_free((BIGNUM *) n); 1171 else 1172 BN_free((BIGNUM *) n); 1173 } 1174 1175 1176 int crypto_bignum_to_bin(const struct crypto_bignum *a, 1177 u8 *buf, size_t buflen, size_t padlen) 1178 { 1179 int num_bytes, offset; 1180 1181 if (TEST_FAIL()) 1182 return -1; 1183 1184 if (padlen > buflen) 1185 return -1; 1186 1187 num_bytes = BN_num_bytes((const BIGNUM *) a); 1188 if ((size_t) num_bytes > buflen) 1189 return -1; 1190 if (padlen > (size_t) num_bytes) 1191 offset = padlen - num_bytes; 1192 else 1193 offset = 0; 1194 1195 os_memset(buf, 0, offset); 1196 BN_bn2bin((const BIGNUM *) a, buf + offset); 1197 1198 return num_bytes + offset; 1199 } 1200 1201 1202 int crypto_bignum_add(const struct crypto_bignum *a, 1203 const struct crypto_bignum *b, 1204 struct crypto_bignum *c) 1205 { 1206 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 1207 0 : -1; 1208 } 1209 1210 1211 int crypto_bignum_mod(const struct crypto_bignum *a, 1212 const struct crypto_bignum *b, 1213 struct crypto_bignum *c) 1214 { 1215 int res; 1216 BN_CTX *bnctx; 1217 1218 bnctx = BN_CTX_new(); 1219 if (bnctx == NULL) 1220 return -1; 1221 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, 1222 bnctx); 1223 BN_CTX_free(bnctx); 1224 1225 return res ? 0 : -1; 1226 } 1227 1228 1229 int crypto_bignum_exptmod(const struct crypto_bignum *a, 1230 const struct crypto_bignum *b, 1231 const struct crypto_bignum *c, 1232 struct crypto_bignum *d) 1233 { 1234 int res; 1235 BN_CTX *bnctx; 1236 1237 if (TEST_FAIL()) 1238 return -1; 1239 1240 bnctx = BN_CTX_new(); 1241 if (bnctx == NULL) 1242 return -1; 1243 res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 1244 (const BIGNUM *) c, bnctx); 1245 BN_CTX_free(bnctx); 1246 1247 return res ? 0 : -1; 1248 } 1249 1250 1251 int crypto_bignum_inverse(const struct crypto_bignum *a, 1252 const struct crypto_bignum *b, 1253 struct crypto_bignum *c) 1254 { 1255 BIGNUM *res; 1256 BN_CTX *bnctx; 1257 1258 if (TEST_FAIL()) 1259 return -1; 1260 bnctx = BN_CTX_new(); 1261 if (bnctx == NULL) 1262 return -1; 1263 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a, 1264 (const BIGNUM *) b, bnctx); 1265 BN_CTX_free(bnctx); 1266 1267 return res ? 0 : -1; 1268 } 1269 1270 1271 int crypto_bignum_sub(const struct crypto_bignum *a, 1272 const struct crypto_bignum *b, 1273 struct crypto_bignum *c) 1274 { 1275 if (TEST_FAIL()) 1276 return -1; 1277 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 1278 0 : -1; 1279 } 1280 1281 1282 int crypto_bignum_div(const struct crypto_bignum *a, 1283 const struct crypto_bignum *b, 1284 struct crypto_bignum *c) 1285 { 1286 int res; 1287 1288 BN_CTX *bnctx; 1289 1290 if (TEST_FAIL()) 1291 return -1; 1292 1293 bnctx = BN_CTX_new(); 1294 if (bnctx == NULL) 1295 return -1; 1296 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a, 1297 (const BIGNUM *) b, bnctx); 1298 BN_CTX_free(bnctx); 1299 1300 return res ? 0 : -1; 1301 } 1302 1303 1304 int crypto_bignum_mulmod(const struct crypto_bignum *a, 1305 const struct crypto_bignum *b, 1306 const struct crypto_bignum *c, 1307 struct crypto_bignum *d) 1308 { 1309 int res; 1310 1311 BN_CTX *bnctx; 1312 1313 if (TEST_FAIL()) 1314 return -1; 1315 1316 bnctx = BN_CTX_new(); 1317 if (bnctx == NULL) 1318 return -1; 1319 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 1320 (const BIGNUM *) c, bnctx); 1321 BN_CTX_free(bnctx); 1322 1323 return res ? 0 : -1; 1324 } 1325 1326 1327 int crypto_bignum_cmp(const struct crypto_bignum *a, 1328 const struct crypto_bignum *b) 1329 { 1330 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b); 1331 } 1332 1333 1334 int crypto_bignum_bits(const struct crypto_bignum *a) 1335 { 1336 return BN_num_bits((const BIGNUM *) a); 1337 } 1338 1339 1340 int crypto_bignum_is_zero(const struct crypto_bignum *a) 1341 { 1342 return BN_is_zero((const BIGNUM *) a); 1343 } 1344 1345 1346 int crypto_bignum_is_one(const struct crypto_bignum *a) 1347 { 1348 return BN_is_one((const BIGNUM *) a); 1349 } 1350 1351 1352 int crypto_bignum_legendre(const struct crypto_bignum *a, 1353 const struct crypto_bignum *p) 1354 { 1355 BN_CTX *bnctx; 1356 BIGNUM *exp = NULL, *tmp = NULL; 1357 int res = -2; 1358 1359 if (TEST_FAIL()) 1360 return -2; 1361 1362 bnctx = BN_CTX_new(); 1363 if (bnctx == NULL) 1364 return -2; 1365 1366 exp = BN_new(); 1367 tmp = BN_new(); 1368 if (!exp || !tmp || 1369 /* exp = (p-1) / 2 */ 1370 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) || 1371 !BN_rshift1(exp, exp) || 1372 !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p, 1373 bnctx)) 1374 goto fail; 1375 1376 if (BN_is_word(tmp, 1)) 1377 res = 1; 1378 else if (BN_is_zero(tmp)) 1379 res = 0; 1380 else 1381 res = -1; 1382 1383 fail: 1384 BN_clear_free(tmp); 1385 BN_clear_free(exp); 1386 BN_CTX_free(bnctx); 1387 return res; 1388 } 1389 1390 1391 #ifdef CONFIG_ECC 1392 1393 struct crypto_ec { 1394 EC_GROUP *group; 1395 int nid; 1396 BN_CTX *bnctx; 1397 BIGNUM *prime; 1398 BIGNUM *order; 1399 BIGNUM *a; 1400 BIGNUM *b; 1401 }; 1402 1403 struct crypto_ec * crypto_ec_init(int group) 1404 { 1405 struct crypto_ec *e; 1406 int nid; 1407 1408 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */ 1409 switch (group) { 1410 case 19: 1411 nid = NID_X9_62_prime256v1; 1412 break; 1413 case 20: 1414 nid = NID_secp384r1; 1415 break; 1416 case 21: 1417 nid = NID_secp521r1; 1418 break; 1419 case 25: 1420 nid = NID_X9_62_prime192v1; 1421 break; 1422 case 26: 1423 nid = NID_secp224r1; 1424 break; 1425 #ifdef NID_brainpoolP224r1 1426 case 27: 1427 nid = NID_brainpoolP224r1; 1428 break; 1429 #endif /* NID_brainpoolP224r1 */ 1430 #ifdef NID_brainpoolP256r1 1431 case 28: 1432 nid = NID_brainpoolP256r1; 1433 break; 1434 #endif /* NID_brainpoolP256r1 */ 1435 #ifdef NID_brainpoolP384r1 1436 case 29: 1437 nid = NID_brainpoolP384r1; 1438 break; 1439 #endif /* NID_brainpoolP384r1 */ 1440 #ifdef NID_brainpoolP512r1 1441 case 30: 1442 nid = NID_brainpoolP512r1; 1443 break; 1444 #endif /* NID_brainpoolP512r1 */ 1445 default: 1446 return NULL; 1447 } 1448 1449 e = os_zalloc(sizeof(*e)); 1450 if (e == NULL) 1451 return NULL; 1452 1453 e->nid = nid; 1454 e->bnctx = BN_CTX_new(); 1455 e->group = EC_GROUP_new_by_curve_name(nid); 1456 e->prime = BN_new(); 1457 e->order = BN_new(); 1458 e->a = BN_new(); 1459 e->b = BN_new(); 1460 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL || 1461 e->order == NULL || e->a == NULL || e->b == NULL || 1462 !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) || 1463 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) { 1464 crypto_ec_deinit(e); 1465 e = NULL; 1466 } 1467 1468 return e; 1469 } 1470 1471 1472 void crypto_ec_deinit(struct crypto_ec *e) 1473 { 1474 if (e == NULL) 1475 return; 1476 BN_clear_free(e->b); 1477 BN_clear_free(e->a); 1478 BN_clear_free(e->order); 1479 BN_clear_free(e->prime); 1480 EC_GROUP_free(e->group); 1481 BN_CTX_free(e->bnctx); 1482 os_free(e); 1483 } 1484 1485 1486 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e) 1487 { 1488 if (TEST_FAIL()) 1489 return NULL; 1490 if (e == NULL) 1491 return NULL; 1492 return (struct crypto_ec_point *) EC_POINT_new(e->group); 1493 } 1494 1495 1496 size_t crypto_ec_prime_len(struct crypto_ec *e) 1497 { 1498 return BN_num_bytes(e->prime); 1499 } 1500 1501 1502 size_t crypto_ec_prime_len_bits(struct crypto_ec *e) 1503 { 1504 return BN_num_bits(e->prime); 1505 } 1506 1507 1508 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e) 1509 { 1510 return (const struct crypto_bignum *) e->prime; 1511 } 1512 1513 1514 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) 1515 { 1516 return (const struct crypto_bignum *) e->order; 1517 } 1518 1519 1520 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) 1521 { 1522 if (clear) 1523 EC_POINT_clear_free((EC_POINT *) p); 1524 else 1525 EC_POINT_free((EC_POINT *) p); 1526 } 1527 1528 1529 int crypto_ec_point_to_bin(struct crypto_ec *e, 1530 const struct crypto_ec_point *point, u8 *x, u8 *y) 1531 { 1532 BIGNUM *x_bn, *y_bn; 1533 int ret = -1; 1534 int len = BN_num_bytes(e->prime); 1535 1536 if (TEST_FAIL()) 1537 return -1; 1538 1539 x_bn = BN_new(); 1540 y_bn = BN_new(); 1541 1542 if (x_bn && y_bn && 1543 EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point, 1544 x_bn, y_bn, e->bnctx)) { 1545 if (x) { 1546 crypto_bignum_to_bin((struct crypto_bignum *) x_bn, 1547 x, len, len); 1548 } 1549 if (y) { 1550 crypto_bignum_to_bin((struct crypto_bignum *) y_bn, 1551 y, len, len); 1552 } 1553 ret = 0; 1554 } 1555 1556 BN_clear_free(x_bn); 1557 BN_clear_free(y_bn); 1558 return ret; 1559 } 1560 1561 1562 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e, 1563 const u8 *val) 1564 { 1565 BIGNUM *x, *y; 1566 EC_POINT *elem; 1567 int len = BN_num_bytes(e->prime); 1568 1569 if (TEST_FAIL()) 1570 return NULL; 1571 1572 x = BN_bin2bn(val, len, NULL); 1573 y = BN_bin2bn(val + len, len, NULL); 1574 elem = EC_POINT_new(e->group); 1575 if (x == NULL || y == NULL || elem == NULL) { 1576 BN_clear_free(x); 1577 BN_clear_free(y); 1578 EC_POINT_clear_free(elem); 1579 return NULL; 1580 } 1581 1582 if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y, 1583 e->bnctx)) { 1584 EC_POINT_clear_free(elem); 1585 elem = NULL; 1586 } 1587 1588 BN_clear_free(x); 1589 BN_clear_free(y); 1590 1591 return (struct crypto_ec_point *) elem; 1592 } 1593 1594 1595 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a, 1596 const struct crypto_ec_point *b, 1597 struct crypto_ec_point *c) 1598 { 1599 if (TEST_FAIL()) 1600 return -1; 1601 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a, 1602 (const EC_POINT *) b, e->bnctx) ? 0 : -1; 1603 } 1604 1605 1606 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p, 1607 const struct crypto_bignum *b, 1608 struct crypto_ec_point *res) 1609 { 1610 if (TEST_FAIL()) 1611 return -1; 1612 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL, 1613 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx) 1614 ? 0 : -1; 1615 } 1616 1617 1618 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p) 1619 { 1620 if (TEST_FAIL()) 1621 return -1; 1622 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1; 1623 } 1624 1625 1626 int crypto_ec_point_solve_y_coord(struct crypto_ec *e, 1627 struct crypto_ec_point *p, 1628 const struct crypto_bignum *x, int y_bit) 1629 { 1630 if (TEST_FAIL()) 1631 return -1; 1632 if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p, 1633 (const BIGNUM *) x, y_bit, 1634 e->bnctx) || 1635 !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx)) 1636 return -1; 1637 return 0; 1638 } 1639 1640 1641 struct crypto_bignum * 1642 crypto_ec_point_compute_y_sqr(struct crypto_ec *e, 1643 const struct crypto_bignum *x) 1644 { 1645 BIGNUM *tmp, *tmp2, *y_sqr = NULL; 1646 1647 if (TEST_FAIL()) 1648 return NULL; 1649 1650 tmp = BN_new(); 1651 tmp2 = BN_new(); 1652 1653 /* y^2 = x^3 + ax + b */ 1654 if (tmp && tmp2 && 1655 BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) && 1656 BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) && 1657 BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) && 1658 BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) && 1659 BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) { 1660 y_sqr = tmp2; 1661 tmp2 = NULL; 1662 } 1663 1664 BN_clear_free(tmp); 1665 BN_clear_free(tmp2); 1666 1667 return (struct crypto_bignum *) y_sqr; 1668 } 1669 1670 1671 int crypto_ec_point_is_at_infinity(struct crypto_ec *e, 1672 const struct crypto_ec_point *p) 1673 { 1674 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p); 1675 } 1676 1677 1678 int crypto_ec_point_is_on_curve(struct crypto_ec *e, 1679 const struct crypto_ec_point *p) 1680 { 1681 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p, 1682 e->bnctx) == 1; 1683 } 1684 1685 1686 int crypto_ec_point_cmp(const struct crypto_ec *e, 1687 const struct crypto_ec_point *a, 1688 const struct crypto_ec_point *b) 1689 { 1690 return EC_POINT_cmp(e->group, (const EC_POINT *) a, 1691 (const EC_POINT *) b, e->bnctx); 1692 } 1693 1694 1695 struct crypto_ecdh { 1696 struct crypto_ec *ec; 1697 EVP_PKEY *pkey; 1698 }; 1699 1700 struct crypto_ecdh * crypto_ecdh_init(int group) 1701 { 1702 struct crypto_ecdh *ecdh; 1703 EVP_PKEY *params = NULL; 1704 EVP_PKEY_CTX *pctx = NULL; 1705 EVP_PKEY_CTX *kctx = NULL; 1706 1707 ecdh = os_zalloc(sizeof(*ecdh)); 1708 if (!ecdh) 1709 goto fail; 1710 1711 ecdh->ec = crypto_ec_init(group); 1712 if (!ecdh->ec) 1713 goto fail; 1714 1715 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); 1716 if (!pctx) 1717 goto fail; 1718 1719 if (EVP_PKEY_paramgen_init(pctx) != 1) { 1720 wpa_printf(MSG_ERROR, 1721 "OpenSSL: EVP_PKEY_paramgen_init failed: %s", 1722 ERR_error_string(ERR_get_error(), NULL)); 1723 goto fail; 1724 } 1725 1726 if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ecdh->ec->nid) != 1) { 1727 wpa_printf(MSG_ERROR, 1728 "OpenSSL: EVP_PKEY_CTX_set_ec_paramgen_curve_nid failed: %s", 1729 ERR_error_string(ERR_get_error(), NULL)); 1730 goto fail; 1731 } 1732 1733 if (EVP_PKEY_paramgen(pctx, ¶ms) != 1) { 1734 wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_paramgen failed: %s", 1735 ERR_error_string(ERR_get_error(), NULL)); 1736 goto fail; 1737 } 1738 1739 kctx = EVP_PKEY_CTX_new(params, NULL); 1740 if (!kctx) 1741 goto fail; 1742 1743 if (EVP_PKEY_keygen_init(kctx) != 1) { 1744 wpa_printf(MSG_ERROR, 1745 "OpenSSL: EVP_PKEY_keygen_init failed: %s", 1746 ERR_error_string(ERR_get_error(), NULL)); 1747 goto fail; 1748 } 1749 1750 if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) { 1751 wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s", 1752 ERR_error_string(ERR_get_error(), NULL)); 1753 goto fail; 1754 } 1755 1756 done: 1757 EVP_PKEY_free(params); 1758 EVP_PKEY_CTX_free(pctx); 1759 EVP_PKEY_CTX_free(kctx); 1760 1761 return ecdh; 1762 fail: 1763 crypto_ecdh_deinit(ecdh); 1764 ecdh = NULL; 1765 goto done; 1766 } 1767 1768 1769 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y) 1770 { 1771 struct wpabuf *buf = NULL; 1772 EC_KEY *eckey; 1773 const EC_POINT *pubkey; 1774 BIGNUM *x, *y = NULL; 1775 int len = BN_num_bytes(ecdh->ec->prime); 1776 int res; 1777 1778 eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey); 1779 if (!eckey) 1780 return NULL; 1781 1782 pubkey = EC_KEY_get0_public_key(eckey); 1783 if (!pubkey) 1784 return NULL; 1785 1786 x = BN_new(); 1787 if (inc_y) { 1788 y = BN_new(); 1789 if (!y) 1790 goto fail; 1791 } 1792 buf = wpabuf_alloc(inc_y ? 2 * len : len); 1793 if (!x || !buf) 1794 goto fail; 1795 1796 if (EC_POINT_get_affine_coordinates_GFp(ecdh->ec->group, pubkey, 1797 x, y, ecdh->ec->bnctx) != 1) { 1798 wpa_printf(MSG_ERROR, 1799 "OpenSSL: EC_POINT_get_affine_coordinates_GFp failed: %s", 1800 ERR_error_string(ERR_get_error(), NULL)); 1801 goto fail; 1802 } 1803 1804 res = crypto_bignum_to_bin((struct crypto_bignum *) x, 1805 wpabuf_put(buf, len), len, len); 1806 if (res < 0) 1807 goto fail; 1808 1809 if (inc_y) { 1810 res = crypto_bignum_to_bin((struct crypto_bignum *) y, 1811 wpabuf_put(buf, len), len, len); 1812 if (res < 0) 1813 goto fail; 1814 } 1815 1816 done: 1817 BN_clear_free(x); 1818 BN_clear_free(y); 1819 EC_KEY_free(eckey); 1820 1821 return buf; 1822 fail: 1823 wpabuf_free(buf); 1824 buf = NULL; 1825 goto done; 1826 } 1827 1828 1829 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y, 1830 const u8 *key, size_t len) 1831 { 1832 BIGNUM *x, *y = NULL; 1833 EVP_PKEY_CTX *ctx = NULL; 1834 EVP_PKEY *peerkey = NULL; 1835 struct wpabuf *secret = NULL; 1836 size_t secret_len; 1837 EC_POINT *pub; 1838 EC_KEY *eckey = NULL; 1839 1840 x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL); 1841 pub = EC_POINT_new(ecdh->ec->group); 1842 if (!x || !pub) 1843 goto fail; 1844 1845 if (inc_y) { 1846 y = BN_bin2bn(key + len / 2, len / 2, NULL); 1847 if (!y) 1848 goto fail; 1849 if (!EC_POINT_set_affine_coordinates_GFp(ecdh->ec->group, pub, 1850 x, y, 1851 ecdh->ec->bnctx)) { 1852 wpa_printf(MSG_ERROR, 1853 "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s", 1854 ERR_error_string(ERR_get_error(), NULL)); 1855 goto fail; 1856 } 1857 } else if (!EC_POINT_set_compressed_coordinates_GFp(ecdh->ec->group, 1858 pub, x, 0, 1859 ecdh->ec->bnctx)) { 1860 wpa_printf(MSG_ERROR, 1861 "OpenSSL: EC_POINT_set_compressed_coordinates_GFp failed: %s", 1862 ERR_error_string(ERR_get_error(), NULL)); 1863 goto fail; 1864 } 1865 1866 if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) { 1867 wpa_printf(MSG_ERROR, 1868 "OpenSSL: ECDH peer public key is not on curve"); 1869 goto fail; 1870 } 1871 1872 eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid); 1873 if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) { 1874 wpa_printf(MSG_ERROR, 1875 "OpenSSL: EC_KEY_set_public_key failed: %s", 1876 ERR_error_string(ERR_get_error(), NULL)); 1877 goto fail; 1878 } 1879 1880 peerkey = EVP_PKEY_new(); 1881 if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1) 1882 goto fail; 1883 1884 ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL); 1885 if (!ctx || EVP_PKEY_derive_init(ctx) != 1 || 1886 EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 || 1887 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) { 1888 wpa_printf(MSG_ERROR, 1889 "OpenSSL: EVP_PKEY_derive(1) failed: %s", 1890 ERR_error_string(ERR_get_error(), NULL)); 1891 goto fail; 1892 } 1893 1894 secret = wpabuf_alloc(secret_len); 1895 if (!secret) 1896 goto fail; 1897 if (EVP_PKEY_derive(ctx, wpabuf_put(secret, secret_len), 1898 &secret_len) != 1) { 1899 wpa_printf(MSG_ERROR, 1900 "OpenSSL: EVP_PKEY_derive(2) failed: %s", 1901 ERR_error_string(ERR_get_error(), NULL)); 1902 goto fail; 1903 } 1904 1905 done: 1906 BN_free(x); 1907 BN_free(y); 1908 EC_KEY_free(eckey); 1909 EC_POINT_free(pub); 1910 EVP_PKEY_CTX_free(ctx); 1911 EVP_PKEY_free(peerkey); 1912 return secret; 1913 fail: 1914 wpabuf_free(secret); 1915 secret = NULL; 1916 goto done; 1917 } 1918 1919 1920 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh) 1921 { 1922 if (ecdh) { 1923 crypto_ec_deinit(ecdh->ec); 1924 EVP_PKEY_free(ecdh->pkey); 1925 os_free(ecdh); 1926 } 1927 } 1928 1929 #endif /* CONFIG_ECC */ 1930
