1 /* 2 * Wrapper functions for OpenSSL libcrypto 3 * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <openssl/opensslv.h> 11 #include <openssl/err.h> 12 #include <openssl/des.h> 13 #include <openssl/aes.h> 14 #include <openssl/bn.h> 15 #include <openssl/evp.h> 16 #include <openssl/dh.h> 17 #include <openssl/hmac.h> 18 #include <openssl/rand.h> 19 #ifdef CONFIG_OPENSSL_CMAC 20 #include <openssl/cmac.h> 21 #endif /* CONFIG_OPENSSL_CMAC */ 22 #ifdef CONFIG_ECC 23 #include <openssl/ec.h> 24 #endif /* CONFIG_ECC */ 25 26 #include "common.h" 27 #include "utils/const_time.h" 28 #include "wpabuf.h" 29 #include "dh_group5.h" 30 #include "sha1.h" 31 #include "sha256.h" 32 #include "sha384.h" 33 #include "sha512.h" 34 #include "md5.h" 35 #include "aes_wrap.h" 36 #include "crypto.h" 37 38 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ 39 (defined(LIBRESSL_VERSION_NUMBER) && \ 40 LIBRESSL_VERSION_NUMBER < 0x20700000L) 41 /* Compatibility wrappers for older versions. */ 42 43 static HMAC_CTX * HMAC_CTX_new(void) 44 { 45 HMAC_CTX *ctx; 46 47 ctx = os_zalloc(sizeof(*ctx)); 48 if (ctx) 49 HMAC_CTX_init(ctx); 50 return ctx; 51 } 52 53 54 static void HMAC_CTX_free(HMAC_CTX *ctx) 55 { 56 if (!ctx) 57 return; 58 HMAC_CTX_cleanup(ctx); 59 bin_clear_free(ctx, sizeof(*ctx)); 60 } 61 62 63 static EVP_MD_CTX * EVP_MD_CTX_new(void) 64 { 65 EVP_MD_CTX *ctx; 66 67 ctx = os_zalloc(sizeof(*ctx)); 68 if (ctx) 69 EVP_MD_CTX_init(ctx); 70 return ctx; 71 } 72 73 74 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) 75 { 76 if (!ctx) 77 return; 78 EVP_MD_CTX_cleanup(ctx); 79 bin_clear_free(ctx, sizeof(*ctx)); 80 } 81 82 #endif /* OpenSSL version < 1.1.0 */ 83 84 static BIGNUM * get_group5_prime(void) 85 { 86 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ 87 !(defined(LIBRESSL_VERSION_NUMBER) && \ 88 LIBRESSL_VERSION_NUMBER < 0x20700000L) 89 return BN_get_rfc3526_prime_1536(NULL); 90 #elif !defined(OPENSSL_IS_BORINGSSL) 91 return get_rfc3526_prime_1536(NULL); 92 #else 93 static const unsigned char RFC3526_PRIME_1536[] = { 94 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, 95 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, 96 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, 97 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, 98 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, 99 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, 100 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, 101 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, 102 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, 103 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, 104 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, 105 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, 106 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, 107 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, 108 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, 109 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 110 }; 111 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL); 112 #endif 113 } 114 115 #ifdef OPENSSL_NO_SHA256 116 #define NO_SHA256_WRAPPER 117 #endif 118 #ifdef OPENSSL_NO_SHA512 119 #define NO_SHA384_WRAPPER 120 #endif 121 122 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem, 123 const u8 *addr[], const size_t *len, u8 *mac) 124 { 125 EVP_MD_CTX *ctx; 126 size_t i; 127 unsigned int mac_len; 128 129 if (TEST_FAIL()) 130 return -1; 131 132 ctx = EVP_MD_CTX_new(); 133 if (!ctx) 134 return -1; 135 if (!EVP_DigestInit_ex(ctx, type, NULL)) { 136 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s", 137 ERR_error_string(ERR_get_error(), NULL)); 138 EVP_MD_CTX_free(ctx); 139 return -1; 140 } 141 for (i = 0; i < num_elem; i++) { 142 if (!EVP_DigestUpdate(ctx, addr[i], len[i])) { 143 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate " 144 "failed: %s", 145 ERR_error_string(ERR_get_error(), NULL)); 146 EVP_MD_CTX_free(ctx); 147 return -1; 148 } 149 } 150 if (!EVP_DigestFinal(ctx, mac, &mac_len)) { 151 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s", 152 ERR_error_string(ERR_get_error(), NULL)); 153 EVP_MD_CTX_free(ctx); 154 return -1; 155 } 156 EVP_MD_CTX_free(ctx); 157 158 return 0; 159 } 160 161 162 #ifndef CONFIG_FIPS 163 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 164 { 165 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac); 166 } 167 #endif /* CONFIG_FIPS */ 168 169 170 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) 171 { 172 u8 pkey[8], next, tmp; 173 int i; 174 DES_key_schedule ks; 175 176 /* Add parity bits to the key */ 177 next = 0; 178 for (i = 0; i < 7; i++) { 179 tmp = key[i]; 180 pkey[i] = (tmp >> i) | next | 1; 181 next = tmp << (7 - i); 182 } 183 pkey[i] = next | 1; 184 185 DES_set_key((DES_cblock *) &pkey, &ks); 186 DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks, 187 DES_ENCRYPT); 188 return 0; 189 } 190 191 192 #ifndef CONFIG_NO_RC4 193 int rc4_skip(const u8 *key, size_t keylen, size_t skip, 194 u8 *data, size_t data_len) 195 { 196 #ifdef OPENSSL_NO_RC4 197 return -1; 198 #else /* OPENSSL_NO_RC4 */ 199 EVP_CIPHER_CTX *ctx; 200 int outl; 201 int res = -1; 202 unsigned char skip_buf[16]; 203 204 ctx = EVP_CIPHER_CTX_new(); 205 if (!ctx || 206 !EVP_CIPHER_CTX_set_padding(ctx, 0) || 207 !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) || 208 !EVP_CIPHER_CTX_set_key_length(ctx, keylen) || 209 !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1)) 210 goto out; 211 212 while (skip >= sizeof(skip_buf)) { 213 size_t len = skip; 214 if (len > sizeof(skip_buf)) 215 len = sizeof(skip_buf); 216 if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len)) 217 goto out; 218 skip -= len; 219 } 220 221 if (EVP_CipherUpdate(ctx, data, &outl, data, data_len)) 222 res = 0; 223 224 out: 225 if (ctx) 226 EVP_CIPHER_CTX_free(ctx); 227 return res; 228 #endif /* OPENSSL_NO_RC4 */ 229 } 230 #endif /* CONFIG_NO_RC4 */ 231 232 233 #ifndef CONFIG_FIPS 234 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 235 { 236 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac); 237 } 238 #endif /* CONFIG_FIPS */ 239 240 241 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 242 { 243 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac); 244 } 245 246 247 #ifndef NO_SHA256_WRAPPER 248 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, 249 u8 *mac) 250 { 251 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac); 252 } 253 #endif /* NO_SHA256_WRAPPER */ 254 255 256 #ifndef NO_SHA384_WRAPPER 257 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len, 258 u8 *mac) 259 { 260 return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac); 261 } 262 #endif /* NO_SHA384_WRAPPER */ 263 264 265 #ifndef NO_SHA512_WRAPPER 266 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len, 267 u8 *mac) 268 { 269 return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac); 270 } 271 #endif /* NO_SHA512_WRAPPER */ 272 273 274 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen) 275 { 276 switch (keylen) { 277 case 16: 278 return EVP_aes_128_ecb(); 279 case 24: 280 return EVP_aes_192_ecb(); 281 case 32: 282 return EVP_aes_256_ecb(); 283 } 284 285 return NULL; 286 } 287 288 289 void * aes_encrypt_init(const u8 *key, size_t len) 290 { 291 EVP_CIPHER_CTX *ctx; 292 const EVP_CIPHER *type; 293 294 if (TEST_FAIL()) 295 return NULL; 296 297 type = aes_get_evp_cipher(len); 298 if (!type) { 299 wpa_printf(MSG_INFO, "%s: Unsupported len=%u", 300 __func__, (unsigned int) len); 301 return NULL; 302 } 303 304 ctx = EVP_CIPHER_CTX_new(); 305 if (ctx == NULL) 306 return NULL; 307 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 308 os_free(ctx); 309 return NULL; 310 } 311 EVP_CIPHER_CTX_set_padding(ctx, 0); 312 return ctx; 313 } 314 315 316 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) 317 { 318 EVP_CIPHER_CTX *c = ctx; 319 int clen = 16; 320 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) { 321 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s", 322 ERR_error_string(ERR_get_error(), NULL)); 323 return -1; 324 } 325 return 0; 326 } 327 328 329 void aes_encrypt_deinit(void *ctx) 330 { 331 EVP_CIPHER_CTX *c = ctx; 332 u8 buf[16]; 333 int len = sizeof(buf); 334 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) { 335 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: " 336 "%s", ERR_error_string(ERR_get_error(), NULL)); 337 } 338 if (len != 0) { 339 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 340 "in AES encrypt", len); 341 } 342 EVP_CIPHER_CTX_free(c); 343 } 344 345 346 void * aes_decrypt_init(const u8 *key, size_t len) 347 { 348 EVP_CIPHER_CTX *ctx; 349 const EVP_CIPHER *type; 350 351 if (TEST_FAIL()) 352 return NULL; 353 354 type = aes_get_evp_cipher(len); 355 if (!type) { 356 wpa_printf(MSG_INFO, "%s: Unsupported len=%u", 357 __func__, (unsigned int) len); 358 return NULL; 359 } 360 361 ctx = EVP_CIPHER_CTX_new(); 362 if (ctx == NULL) 363 return NULL; 364 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 365 EVP_CIPHER_CTX_free(ctx); 366 return NULL; 367 } 368 EVP_CIPHER_CTX_set_padding(ctx, 0); 369 return ctx; 370 } 371 372 373 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) 374 { 375 EVP_CIPHER_CTX *c = ctx; 376 int plen = 16; 377 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) { 378 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s", 379 ERR_error_string(ERR_get_error(), NULL)); 380 return -1; 381 } 382 return 0; 383 } 384 385 386 void aes_decrypt_deinit(void *ctx) 387 { 388 EVP_CIPHER_CTX *c = ctx; 389 u8 buf[16]; 390 int len = sizeof(buf); 391 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) { 392 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: " 393 "%s", ERR_error_string(ERR_get_error(), NULL)); 394 } 395 if (len != 0) { 396 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 397 "in AES decrypt", len); 398 } 399 EVP_CIPHER_CTX_free(c); 400 } 401 402 403 #ifndef CONFIG_FIPS 404 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP 405 406 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) 407 { 408 AES_KEY actx; 409 int res; 410 411 if (TEST_FAIL()) 412 return -1; 413 if (AES_set_encrypt_key(kek, kek_len << 3, &actx)) 414 return -1; 415 res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8); 416 OPENSSL_cleanse(&actx, sizeof(actx)); 417 return res <= 0 ? -1 : 0; 418 } 419 420 421 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, 422 u8 *plain) 423 { 424 AES_KEY actx; 425 int res; 426 427 if (TEST_FAIL()) 428 return -1; 429 if (AES_set_decrypt_key(kek, kek_len << 3, &actx)) 430 return -1; 431 res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8); 432 OPENSSL_cleanse(&actx, sizeof(actx)); 433 return res <= 0 ? -1 : 0; 434 } 435 436 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */ 437 #endif /* CONFIG_FIPS */ 438 439 440 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 441 { 442 EVP_CIPHER_CTX *ctx; 443 int clen, len; 444 u8 buf[16]; 445 int res = -1; 446 447 if (TEST_FAIL()) 448 return -1; 449 450 ctx = EVP_CIPHER_CTX_new(); 451 if (!ctx) 452 return -1; 453 clen = data_len; 454 len = sizeof(buf); 455 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 && 456 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && 457 EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 && 458 clen == (int) data_len && 459 EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0) 460 res = 0; 461 EVP_CIPHER_CTX_free(ctx); 462 463 return res; 464 } 465 466 467 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 468 { 469 EVP_CIPHER_CTX *ctx; 470 int plen, len; 471 u8 buf[16]; 472 int res = -1; 473 474 if (TEST_FAIL()) 475 return -1; 476 477 ctx = EVP_CIPHER_CTX_new(); 478 if (!ctx) 479 return -1; 480 plen = data_len; 481 len = sizeof(buf); 482 if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 && 483 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && 484 EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 && 485 plen == (int) data_len && 486 EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0) 487 res = 0; 488 EVP_CIPHER_CTX_free(ctx); 489 490 return res; 491 492 } 493 494 495 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey, 496 u8 *pubkey) 497 { 498 size_t pubkey_len, pad; 499 500 if (os_get_random(privkey, prime_len) < 0) 501 return -1; 502 if (os_memcmp(privkey, prime, prime_len) > 0) { 503 /* Make sure private value is smaller than prime */ 504 privkey[0] = 0; 505 } 506 507 pubkey_len = prime_len; 508 if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len, 509 pubkey, &pubkey_len) < 0) 510 return -1; 511 if (pubkey_len < prime_len) { 512 pad = prime_len - pubkey_len; 513 os_memmove(pubkey + pad, pubkey, pubkey_len); 514 os_memset(pubkey, 0, pad); 515 } 516 517 return 0; 518 } 519 520 521 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len, 522 const u8 *privkey, size_t privkey_len, 523 const u8 *pubkey, size_t pubkey_len, 524 u8 *secret, size_t *len) 525 { 526 return crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len, 527 prime, prime_len, secret, len); 528 } 529 530 531 int crypto_mod_exp(const u8 *base, size_t base_len, 532 const u8 *power, size_t power_len, 533 const u8 *modulus, size_t modulus_len, 534 u8 *result, size_t *result_len) 535 { 536 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result; 537 int ret = -1; 538 BN_CTX *ctx; 539 540 ctx = BN_CTX_new(); 541 if (ctx == NULL) 542 return -1; 543 544 bn_base = BN_bin2bn(base, base_len, NULL); 545 bn_exp = BN_bin2bn(power, power_len, NULL); 546 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL); 547 bn_result = BN_new(); 548 549 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL || 550 bn_result == NULL) 551 goto error; 552 553 if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus, 554 ctx, NULL) != 1) 555 goto error; 556 557 *result_len = BN_bn2bin(bn_result, result); 558 ret = 0; 559 560 error: 561 BN_clear_free(bn_base); 562 BN_clear_free(bn_exp); 563 BN_clear_free(bn_modulus); 564 BN_clear_free(bn_result); 565 BN_CTX_free(ctx); 566 return ret; 567 } 568 569 570 struct crypto_cipher { 571 EVP_CIPHER_CTX *enc; 572 EVP_CIPHER_CTX *dec; 573 }; 574 575 576 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, 577 const u8 *iv, const u8 *key, 578 size_t key_len) 579 { 580 struct crypto_cipher *ctx; 581 const EVP_CIPHER *cipher; 582 583 ctx = os_zalloc(sizeof(*ctx)); 584 if (ctx == NULL) 585 return NULL; 586 587 switch (alg) { 588 #ifndef CONFIG_NO_RC4 589 #ifndef OPENSSL_NO_RC4 590 case CRYPTO_CIPHER_ALG_RC4: 591 cipher = EVP_rc4(); 592 break; 593 #endif /* OPENSSL_NO_RC4 */ 594 #endif /* CONFIG_NO_RC4 */ 595 #ifndef OPENSSL_NO_AES 596 case CRYPTO_CIPHER_ALG_AES: 597 switch (key_len) { 598 case 16: 599 cipher = EVP_aes_128_cbc(); 600 break; 601 #ifndef OPENSSL_IS_BORINGSSL 602 case 24: 603 cipher = EVP_aes_192_cbc(); 604 break; 605 #endif /* OPENSSL_IS_BORINGSSL */ 606 case 32: 607 cipher = EVP_aes_256_cbc(); 608 break; 609 default: 610 os_free(ctx); 611 return NULL; 612 } 613 break; 614 #endif /* OPENSSL_NO_AES */ 615 #ifndef OPENSSL_NO_DES 616 case CRYPTO_CIPHER_ALG_3DES: 617 cipher = EVP_des_ede3_cbc(); 618 break; 619 case CRYPTO_CIPHER_ALG_DES: 620 cipher = EVP_des_cbc(); 621 break; 622 #endif /* OPENSSL_NO_DES */ 623 #ifndef OPENSSL_NO_RC2 624 case CRYPTO_CIPHER_ALG_RC2: 625 cipher = EVP_rc2_ecb(); 626 break; 627 #endif /* OPENSSL_NO_RC2 */ 628 default: 629 os_free(ctx); 630 return NULL; 631 } 632 633 if (!(ctx->enc = EVP_CIPHER_CTX_new()) || 634 !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) || 635 !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) || 636 !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) || 637 !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) { 638 if (ctx->enc) 639 EVP_CIPHER_CTX_free(ctx->enc); 640 os_free(ctx); 641 return NULL; 642 } 643 644 if (!(ctx->dec = EVP_CIPHER_CTX_new()) || 645 !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) || 646 !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) || 647 !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) || 648 !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) { 649 EVP_CIPHER_CTX_free(ctx->enc); 650 if (ctx->dec) 651 EVP_CIPHER_CTX_free(ctx->dec); 652 os_free(ctx); 653 return NULL; 654 } 655 656 return ctx; 657 } 658 659 660 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain, 661 u8 *crypt, size_t len) 662 { 663 int outl; 664 if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len)) 665 return -1; 666 return 0; 667 } 668 669 670 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt, 671 u8 *plain, size_t len) 672 { 673 int outl; 674 outl = len; 675 if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len)) 676 return -1; 677 return 0; 678 } 679 680 681 void crypto_cipher_deinit(struct crypto_cipher *ctx) 682 { 683 EVP_CIPHER_CTX_free(ctx->enc); 684 EVP_CIPHER_CTX_free(ctx->dec); 685 os_free(ctx); 686 } 687 688 689 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) 690 { 691 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ 692 (defined(LIBRESSL_VERSION_NUMBER) && \ 693 LIBRESSL_VERSION_NUMBER < 0x20700000L) 694 DH *dh; 695 struct wpabuf *pubkey = NULL, *privkey = NULL; 696 size_t publen, privlen; 697 698 *priv = NULL; 699 wpabuf_free(*publ); 700 *publ = NULL; 701 702 dh = DH_new(); 703 if (dh == NULL) 704 return NULL; 705 706 dh->g = BN_new(); 707 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 708 goto err; 709 710 dh->p = get_group5_prime(); 711 if (dh->p == NULL) 712 goto err; 713 714 if (DH_generate_key(dh) != 1) 715 goto err; 716 717 publen = BN_num_bytes(dh->pub_key); 718 pubkey = wpabuf_alloc(publen); 719 if (pubkey == NULL) 720 goto err; 721 privlen = BN_num_bytes(dh->priv_key); 722 privkey = wpabuf_alloc(privlen); 723 if (privkey == NULL) 724 goto err; 725 726 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen)); 727 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen)); 728 729 *priv = privkey; 730 *publ = pubkey; 731 return dh; 732 733 err: 734 wpabuf_clear_free(pubkey); 735 wpabuf_clear_free(privkey); 736 DH_free(dh); 737 return NULL; 738 #else 739 DH *dh; 740 struct wpabuf *pubkey = NULL, *privkey = NULL; 741 size_t publen, privlen; 742 BIGNUM *p = NULL, *g; 743 const BIGNUM *priv_key = NULL, *pub_key = NULL; 744 745 *priv = NULL; 746 wpabuf_free(*publ); 747 *publ = NULL; 748 749 dh = DH_new(); 750 if (dh == NULL) 751 return NULL; 752 753 g = BN_new(); 754 p = get_group5_prime(); 755 if (!g || BN_set_word(g, 2) != 1 || !p || 756 DH_set0_pqg(dh, p, NULL, g) != 1) 757 goto err; 758 p = NULL; 759 g = NULL; 760 761 if (DH_generate_key(dh) != 1) 762 goto err; 763 764 DH_get0_key(dh, &pub_key, &priv_key); 765 publen = BN_num_bytes(pub_key); 766 pubkey = wpabuf_alloc(publen); 767 if (!pubkey) 768 goto err; 769 privlen = BN_num_bytes(priv_key); 770 privkey = wpabuf_alloc(privlen); 771 if (!privkey) 772 goto err; 773 774 BN_bn2bin(pub_key, wpabuf_put(pubkey, publen)); 775 BN_bn2bin(priv_key, wpabuf_put(privkey, privlen)); 776 777 *priv = privkey; 778 *publ = pubkey; 779 return dh; 780 781 err: 782 BN_free(p); 783 BN_free(g); 784 wpabuf_clear_free(pubkey); 785 wpabuf_clear_free(privkey); 786 DH_free(dh); 787 return NULL; 788 #endif 789 } 790 791 792 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) 793 { 794 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ 795 (defined(LIBRESSL_VERSION_NUMBER) && \ 796 LIBRESSL_VERSION_NUMBER < 0x20700000L) 797 DH *dh; 798 799 dh = DH_new(); 800 if (dh == NULL) 801 return NULL; 802 803 dh->g = BN_new(); 804 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 805 goto err; 806 807 dh->p = get_group5_prime(); 808 if (dh->p == NULL) 809 goto err; 810 811 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL); 812 if (dh->priv_key == NULL) 813 goto err; 814 815 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL); 816 if (dh->pub_key == NULL) 817 goto err; 818 819 if (DH_generate_key(dh) != 1) 820 goto err; 821 822 return dh; 823 824 err: 825 DH_free(dh); 826 return NULL; 827 #else 828 DH *dh; 829 BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL; 830 831 dh = DH_new(); 832 if (dh == NULL) 833 return NULL; 834 835 g = BN_new(); 836 p = get_group5_prime(); 837 if (!g || BN_set_word(g, 2) != 1 || !p || 838 DH_set0_pqg(dh, p, NULL, g) != 1) 839 goto err; 840 p = NULL; 841 g = NULL; 842 843 priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL); 844 pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL); 845 if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1) 846 goto err; 847 pub_key = NULL; 848 priv_key = NULL; 849 850 if (DH_generate_key(dh) != 1) 851 goto err; 852 853 return dh; 854 855 err: 856 BN_free(p); 857 BN_free(g); 858 BN_free(pub_key); 859 BN_clear_free(priv_key); 860 DH_free(dh); 861 return NULL; 862 #endif 863 } 864 865 866 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public, 867 const struct wpabuf *own_private) 868 { 869 BIGNUM *pub_key; 870 struct wpabuf *res = NULL; 871 size_t rlen; 872 DH *dh = ctx; 873 int keylen; 874 875 if (ctx == NULL) 876 return NULL; 877 878 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public), 879 NULL); 880 if (pub_key == NULL) 881 return NULL; 882 883 rlen = DH_size(dh); 884 res = wpabuf_alloc(rlen); 885 if (res == NULL) 886 goto err; 887 888 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh); 889 if (keylen < 0) 890 goto err; 891 wpabuf_put(res, keylen); 892 BN_clear_free(pub_key); 893 894 return res; 895 896 err: 897 BN_clear_free(pub_key); 898 wpabuf_clear_free(res); 899 return NULL; 900 } 901 902 903 void dh5_free(void *ctx) 904 { 905 DH *dh; 906 if (ctx == NULL) 907 return; 908 dh = ctx; 909 DH_free(dh); 910 } 911 912 913 struct crypto_hash { 914 HMAC_CTX *ctx; 915 }; 916 917 918 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key, 919 size_t key_len) 920 { 921 struct crypto_hash *ctx; 922 const EVP_MD *md; 923 924 switch (alg) { 925 #ifndef OPENSSL_NO_MD5 926 case CRYPTO_HASH_ALG_HMAC_MD5: 927 md = EVP_md5(); 928 break; 929 #endif /* OPENSSL_NO_MD5 */ 930 #ifndef OPENSSL_NO_SHA 931 case CRYPTO_HASH_ALG_HMAC_SHA1: 932 md = EVP_sha1(); 933 break; 934 #endif /* OPENSSL_NO_SHA */ 935 #ifndef OPENSSL_NO_SHA256 936 #ifdef CONFIG_SHA256 937 case CRYPTO_HASH_ALG_HMAC_SHA256: 938 md = EVP_sha256(); 939 break; 940 #endif /* CONFIG_SHA256 */ 941 #endif /* OPENSSL_NO_SHA256 */ 942 default: 943 return NULL; 944 } 945 946 ctx = os_zalloc(sizeof(*ctx)); 947 if (ctx == NULL) 948 return NULL; 949 ctx->ctx = HMAC_CTX_new(); 950 if (!ctx->ctx) { 951 os_free(ctx); 952 return NULL; 953 } 954 955 if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) { 956 HMAC_CTX_free(ctx->ctx); 957 bin_clear_free(ctx, sizeof(*ctx)); 958 return NULL; 959 } 960 961 return ctx; 962 } 963 964 965 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len) 966 { 967 if (ctx == NULL) 968 return; 969 HMAC_Update(ctx->ctx, data, len); 970 } 971 972 973 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len) 974 { 975 unsigned int mdlen; 976 int res; 977 978 if (ctx == NULL) 979 return -2; 980 981 if (mac == NULL || len == NULL) { 982 HMAC_CTX_free(ctx->ctx); 983 bin_clear_free(ctx, sizeof(*ctx)); 984 return 0; 985 } 986 987 mdlen = *len; 988 res = HMAC_Final(ctx->ctx, mac, &mdlen); 989 HMAC_CTX_free(ctx->ctx); 990 bin_clear_free(ctx, sizeof(*ctx)); 991 992 if (res == 1) { 993 *len = mdlen; 994 return 0; 995 } 996 997 return -1; 998 } 999 1000 1001 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key, 1002 size_t key_len, size_t num_elem, 1003 const u8 *addr[], const size_t *len, u8 *mac, 1004 unsigned int mdlen) 1005 { 1006 HMAC_CTX *ctx; 1007 size_t i; 1008 int res; 1009 1010 if (TEST_FAIL()) 1011 return -1; 1012 1013 ctx = HMAC_CTX_new(); 1014 if (!ctx) 1015 return -1; 1016 res = HMAC_Init_ex(ctx, key, key_len, type, NULL); 1017 if (res != 1) 1018 goto done; 1019 1020 for (i = 0; i < num_elem; i++) 1021 HMAC_Update(ctx, addr[i], len[i]); 1022 1023 res = HMAC_Final(ctx, mac, &mdlen); 1024 done: 1025 HMAC_CTX_free(ctx); 1026 1027 return res == 1 ? 0 : -1; 1028 } 1029 1030 1031 #ifndef CONFIG_FIPS 1032 1033 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem, 1034 const u8 *addr[], const size_t *len, u8 *mac) 1035 { 1036 return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len, 1037 mac, 16); 1038 } 1039 1040 1041 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 1042 u8 *mac) 1043 { 1044 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac); 1045 } 1046 1047 #endif /* CONFIG_FIPS */ 1048 1049 1050 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len, 1051 int iterations, u8 *buf, size_t buflen) 1052 { 1053 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid, 1054 ssid_len, iterations, buflen, buf) != 1) 1055 return -1; 1056 return 0; 1057 } 1058 1059 1060 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, 1061 const u8 *addr[], const size_t *len, u8 *mac) 1062 { 1063 return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr, 1064 len, mac, 20); 1065 } 1066 1067 1068 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 1069 u8 *mac) 1070 { 1071 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); 1072 } 1073 1074 1075 #ifdef CONFIG_SHA256 1076 1077 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, 1078 const u8 *addr[], const size_t *len, u8 *mac) 1079 { 1080 return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr, 1081 len, mac, 32); 1082 } 1083 1084 1085 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 1086 size_t data_len, u8 *mac) 1087 { 1088 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); 1089 } 1090 1091 #endif /* CONFIG_SHA256 */ 1092 1093 1094 #ifdef CONFIG_SHA384 1095 1096 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem, 1097 const u8 *addr[], const size_t *len, u8 *mac) 1098 { 1099 return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr, 1100 len, mac, 48); 1101 } 1102 1103 1104 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, 1105 size_t data_len, u8 *mac) 1106 { 1107 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac); 1108 } 1109 1110 #endif /* CONFIG_SHA384 */ 1111 1112 1113 #ifdef CONFIG_SHA512 1114 1115 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem, 1116 const u8 *addr[], const size_t *len, u8 *mac) 1117 { 1118 return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr, 1119 len, mac, 64); 1120 } 1121 1122 1123 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data, 1124 size_t data_len, u8 *mac) 1125 { 1126 return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac); 1127 } 1128 1129 #endif /* CONFIG_SHA512 */ 1130 1131 1132 int crypto_get_random(void *buf, size_t len) 1133 { 1134 if (RAND_bytes(buf, len) != 1) 1135 return -1; 1136 return 0; 1137 } 1138 1139 1140 #ifdef CONFIG_OPENSSL_CMAC 1141 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem, 1142 const u8 *addr[], const size_t *len, u8 *mac) 1143 { 1144 CMAC_CTX *ctx; 1145 int ret = -1; 1146 size_t outlen, i; 1147 1148 if (TEST_FAIL()) 1149 return -1; 1150 1151 ctx = CMAC_CTX_new(); 1152 if (ctx == NULL) 1153 return -1; 1154 1155 if (key_len == 32) { 1156 if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL)) 1157 goto fail; 1158 } else if (key_len == 16) { 1159 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL)) 1160 goto fail; 1161 } else { 1162 goto fail; 1163 } 1164 for (i = 0; i < num_elem; i++) { 1165 if (!CMAC_Update(ctx, addr[i], len[i])) 1166 goto fail; 1167 } 1168 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16) 1169 goto fail; 1170 1171 ret = 0; 1172 fail: 1173 CMAC_CTX_free(ctx); 1174 return ret; 1175 } 1176 1177 1178 int omac1_aes_128_vector(const u8 *key, size_t num_elem, 1179 const u8 *addr[], const size_t *len, u8 *mac) 1180 { 1181 return omac1_aes_vector(key, 16, num_elem, addr, len, mac); 1182 } 1183 1184 1185 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 1186 { 1187 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 1188 } 1189 1190 1191 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 1192 { 1193 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac); 1194 } 1195 #endif /* CONFIG_OPENSSL_CMAC */ 1196 1197 1198 struct crypto_bignum * crypto_bignum_init(void) 1199 { 1200 if (TEST_FAIL()) 1201 return NULL; 1202 return (struct crypto_bignum *) BN_new(); 1203 } 1204 1205 1206 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) 1207 { 1208 BIGNUM *bn; 1209 1210 if (TEST_FAIL()) 1211 return NULL; 1212 1213 bn = BN_bin2bn(buf, len, NULL); 1214 return (struct crypto_bignum *) bn; 1215 } 1216 1217 1218 void crypto_bignum_deinit(struct crypto_bignum *n, int clear) 1219 { 1220 if (clear) 1221 BN_clear_free((BIGNUM *) n); 1222 else 1223 BN_free((BIGNUM *) n); 1224 } 1225 1226 1227 int crypto_bignum_to_bin(const struct crypto_bignum *a, 1228 u8 *buf, size_t buflen, size_t padlen) 1229 { 1230 #ifdef OPENSSL_IS_BORINGSSL 1231 #else /* OPENSSL_IS_BORINGSSL */ 1232 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) 1233 #else 1234 int num_bytes, offset; 1235 #endif 1236 #endif /* OPENSSL_IS_BORINGSSL */ 1237 1238 if (TEST_FAIL()) 1239 return -1; 1240 1241 if (padlen > buflen) 1242 return -1; 1243 1244 #ifdef OPENSSL_IS_BORINGSSL 1245 if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0) 1246 return -1; 1247 return padlen; 1248 #else /* OPENSSL_IS_BORINGSSL */ 1249 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) 1250 return BN_bn2binpad((const BIGNUM *) a, buf, padlen); 1251 #else 1252 num_bytes = BN_num_bytes((const BIGNUM *) a); 1253 if ((size_t) num_bytes > buflen) 1254 return -1; 1255 if (padlen > (size_t) num_bytes) 1256 offset = padlen - num_bytes; 1257 else 1258 offset = 0; 1259 1260 os_memset(buf, 0, offset); 1261 BN_bn2bin((const BIGNUM *) a, buf + offset); 1262 1263 return num_bytes + offset; 1264 #endif 1265 #endif /* OPENSSL_IS_BORINGSSL */ 1266 } 1267 1268 1269 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m) 1270 { 1271 return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1; 1272 } 1273 1274 1275 int crypto_bignum_add(const struct crypto_bignum *a, 1276 const struct crypto_bignum *b, 1277 struct crypto_bignum *c) 1278 { 1279 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 1280 0 : -1; 1281 } 1282 1283 1284 int crypto_bignum_mod(const struct crypto_bignum *a, 1285 const struct crypto_bignum *b, 1286 struct crypto_bignum *c) 1287 { 1288 int res; 1289 BN_CTX *bnctx; 1290 1291 bnctx = BN_CTX_new(); 1292 if (bnctx == NULL) 1293 return -1; 1294 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, 1295 bnctx); 1296 BN_CTX_free(bnctx); 1297 1298 return res ? 0 : -1; 1299 } 1300 1301 1302 int crypto_bignum_exptmod(const struct crypto_bignum *a, 1303 const struct crypto_bignum *b, 1304 const struct crypto_bignum *c, 1305 struct crypto_bignum *d) 1306 { 1307 int res; 1308 BN_CTX *bnctx; 1309 1310 if (TEST_FAIL()) 1311 return -1; 1312 1313 bnctx = BN_CTX_new(); 1314 if (bnctx == NULL) 1315 return -1; 1316 res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a, 1317 (const BIGNUM *) b, (const BIGNUM *) c, 1318 bnctx, NULL); 1319 BN_CTX_free(bnctx); 1320 1321 return res ? 0 : -1; 1322 } 1323 1324 1325 int crypto_bignum_inverse(const struct crypto_bignum *a, 1326 const struct crypto_bignum *b, 1327 struct crypto_bignum *c) 1328 { 1329 BIGNUM *res; 1330 BN_CTX *bnctx; 1331 1332 if (TEST_FAIL()) 1333 return -1; 1334 bnctx = BN_CTX_new(); 1335 if (bnctx == NULL) 1336 return -1; 1337 #ifdef OPENSSL_IS_BORINGSSL 1338 /* TODO: use BN_mod_inverse_blinded() ? */ 1339 #else /* OPENSSL_IS_BORINGSSL */ 1340 BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME); 1341 #endif /* OPENSSL_IS_BORINGSSL */ 1342 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a, 1343 (const BIGNUM *) b, bnctx); 1344 BN_CTX_free(bnctx); 1345 1346 return res ? 0 : -1; 1347 } 1348 1349 1350 int crypto_bignum_sub(const struct crypto_bignum *a, 1351 const struct crypto_bignum *b, 1352 struct crypto_bignum *c) 1353 { 1354 if (TEST_FAIL()) 1355 return -1; 1356 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 1357 0 : -1; 1358 } 1359 1360 1361 int crypto_bignum_div(const struct crypto_bignum *a, 1362 const struct crypto_bignum *b, 1363 struct crypto_bignum *c) 1364 { 1365 int res; 1366 1367 BN_CTX *bnctx; 1368 1369 if (TEST_FAIL()) 1370 return -1; 1371 1372 bnctx = BN_CTX_new(); 1373 if (bnctx == NULL) 1374 return -1; 1375 #ifndef OPENSSL_IS_BORINGSSL 1376 BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME); 1377 #endif /* OPENSSL_IS_BORINGSSL */ 1378 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a, 1379 (const BIGNUM *) b, bnctx); 1380 BN_CTX_free(bnctx); 1381 1382 return res ? 0 : -1; 1383 } 1384 1385 1386 int crypto_bignum_mulmod(const struct crypto_bignum *a, 1387 const struct crypto_bignum *b, 1388 const struct crypto_bignum *c, 1389 struct crypto_bignum *d) 1390 { 1391 int res; 1392 1393 BN_CTX *bnctx; 1394 1395 if (TEST_FAIL()) 1396 return -1; 1397 1398 bnctx = BN_CTX_new(); 1399 if (bnctx == NULL) 1400 return -1; 1401 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 1402 (const BIGNUM *) c, bnctx); 1403 BN_CTX_free(bnctx); 1404 1405 return res ? 0 : -1; 1406 } 1407 1408 1409 int crypto_bignum_rshift(const struct crypto_bignum *a, int n, 1410 struct crypto_bignum *r) 1411 { 1412 /* Note: BN_rshift() does not modify the first argument even though it 1413 * has not been marked const. */ 1414 return BN_rshift((BIGNUM *) a, (BIGNUM *) r, n) == 1 ? 0 : -1; 1415 } 1416 1417 1418 int crypto_bignum_cmp(const struct crypto_bignum *a, 1419 const struct crypto_bignum *b) 1420 { 1421 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b); 1422 } 1423 1424 1425 int crypto_bignum_bits(const struct crypto_bignum *a) 1426 { 1427 return BN_num_bits((const BIGNUM *) a); 1428 } 1429 1430 1431 int crypto_bignum_is_zero(const struct crypto_bignum *a) 1432 { 1433 return BN_is_zero((const BIGNUM *) a); 1434 } 1435 1436 1437 int crypto_bignum_is_one(const struct crypto_bignum *a) 1438 { 1439 return BN_is_one((const BIGNUM *) a); 1440 } 1441 1442 1443 int crypto_bignum_is_odd(const struct crypto_bignum *a) 1444 { 1445 return BN_is_odd((const BIGNUM *) a); 1446 } 1447 1448 1449 int crypto_bignum_legendre(const struct crypto_bignum *a, 1450 const struct crypto_bignum *p) 1451 { 1452 BN_CTX *bnctx; 1453 BIGNUM *exp = NULL, *tmp = NULL; 1454 int res = -2; 1455 unsigned int mask; 1456 1457 if (TEST_FAIL()) 1458 return -2; 1459 1460 bnctx = BN_CTX_new(); 1461 if (bnctx == NULL) 1462 return -2; 1463 1464 exp = BN_new(); 1465 tmp = BN_new(); 1466 if (!exp || !tmp || 1467 /* exp = (p-1) / 2 */ 1468 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) || 1469 !BN_rshift1(exp, exp) || 1470 !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp, 1471 (const BIGNUM *) p, bnctx, NULL)) 1472 goto fail; 1473 1474 /* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use 1475 * constant time selection to avoid branches here. */ 1476 res = -1; 1477 mask = const_time_eq(BN_is_word(tmp, 1), 1); 1478 res = const_time_select_int(mask, 1, res); 1479 mask = const_time_eq(BN_is_zero(tmp), 1); 1480 res = const_time_select_int(mask, 0, res); 1481 1482 fail: 1483 BN_clear_free(tmp); 1484 BN_clear_free(exp); 1485 BN_CTX_free(bnctx); 1486 return res; 1487 } 1488 1489 1490 #ifdef CONFIG_ECC 1491 1492 struct crypto_ec { 1493 EC_GROUP *group; 1494 int nid; 1495 BN_CTX *bnctx; 1496 BIGNUM *prime; 1497 BIGNUM *order; 1498 BIGNUM *a; 1499 BIGNUM *b; 1500 }; 1501 1502 struct crypto_ec * crypto_ec_init(int group) 1503 { 1504 struct crypto_ec *e; 1505 int nid; 1506 1507 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */ 1508 switch (group) { 1509 case 19: 1510 nid = NID_X9_62_prime256v1; 1511 break; 1512 case 20: 1513 nid = NID_secp384r1; 1514 break; 1515 case 21: 1516 nid = NID_secp521r1; 1517 break; 1518 case 25: 1519 nid = NID_X9_62_prime192v1; 1520 break; 1521 case 26: 1522 nid = NID_secp224r1; 1523 break; 1524 #ifdef NID_brainpoolP224r1 1525 case 27: 1526 nid = NID_brainpoolP224r1; 1527 break; 1528 #endif /* NID_brainpoolP224r1 */ 1529 #ifdef NID_brainpoolP256r1 1530 case 28: 1531 nid = NID_brainpoolP256r1; 1532 break; 1533 #endif /* NID_brainpoolP256r1 */ 1534 #ifdef NID_brainpoolP384r1 1535 case 29: 1536 nid = NID_brainpoolP384r1; 1537 break; 1538 #endif /* NID_brainpoolP384r1 */ 1539 #ifdef NID_brainpoolP512r1 1540 case 30: 1541 nid = NID_brainpoolP512r1; 1542 break; 1543 #endif /* NID_brainpoolP512r1 */ 1544 default: 1545 return NULL; 1546 } 1547 1548 e = os_zalloc(sizeof(*e)); 1549 if (e == NULL) 1550 return NULL; 1551 1552 e->nid = nid; 1553 e->bnctx = BN_CTX_new(); 1554 e->group = EC_GROUP_new_by_curve_name(nid); 1555 e->prime = BN_new(); 1556 e->order = BN_new(); 1557 e->a = BN_new(); 1558 e->b = BN_new(); 1559 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL || 1560 e->order == NULL || e->a == NULL || e->b == NULL || 1561 !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) || 1562 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) { 1563 crypto_ec_deinit(e); 1564 e = NULL; 1565 } 1566 1567 return e; 1568 } 1569 1570 1571 void crypto_ec_deinit(struct crypto_ec *e) 1572 { 1573 if (e == NULL) 1574 return; 1575 BN_clear_free(e->b); 1576 BN_clear_free(e->a); 1577 BN_clear_free(e->order); 1578 BN_clear_free(e->prime); 1579 EC_GROUP_free(e->group); 1580 BN_CTX_free(e->bnctx); 1581 os_free(e); 1582 } 1583 1584 1585 int crypto_ec_cofactor(struct crypto_ec *e, struct crypto_bignum *cofactor) 1586 { 1587 return EC_GROUP_get_cofactor(e->group, (BIGNUM *) cofactor, 1588 e->bnctx) == 0 ? -1 : 0; 1589 } 1590 1591 1592 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e) 1593 { 1594 if (TEST_FAIL()) 1595 return NULL; 1596 if (e == NULL) 1597 return NULL; 1598 return (struct crypto_ec_point *) EC_POINT_new(e->group); 1599 } 1600 1601 1602 size_t crypto_ec_prime_len(struct crypto_ec *e) 1603 { 1604 return BN_num_bytes(e->prime); 1605 } 1606 1607 1608 size_t crypto_ec_prime_len_bits(struct crypto_ec *e) 1609 { 1610 return BN_num_bits(e->prime); 1611 } 1612 1613 1614 size_t crypto_ec_order_len(struct crypto_ec *e) 1615 { 1616 return BN_num_bytes(e->order); 1617 } 1618 1619 1620 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e) 1621 { 1622 return (const struct crypto_bignum *) e->prime; 1623 } 1624 1625 1626 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) 1627 { 1628 return (const struct crypto_bignum *) e->order; 1629 } 1630 1631 1632 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) 1633 { 1634 if (clear) 1635 EC_POINT_clear_free((EC_POINT *) p); 1636 else 1637 EC_POINT_free((EC_POINT *) p); 1638 } 1639 1640 1641 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p, 1642 struct crypto_bignum *x) 1643 { 1644 return EC_POINT_get_affine_coordinates_GFp(e->group, 1645 (const EC_POINT *) p, 1646 (BIGNUM *) x, NULL, 1647 e->bnctx) == 1 ? 0 : -1; 1648 } 1649 1650 1651 int crypto_ec_point_to_bin(struct crypto_ec *e, 1652 const struct crypto_ec_point *point, u8 *x, u8 *y) 1653 { 1654 BIGNUM *x_bn, *y_bn; 1655 int ret = -1; 1656 int len = BN_num_bytes(e->prime); 1657 1658 if (TEST_FAIL()) 1659 return -1; 1660 1661 x_bn = BN_new(); 1662 y_bn = BN_new(); 1663 1664 if (x_bn && y_bn && 1665 EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point, 1666 x_bn, y_bn, e->bnctx)) { 1667 if (x) { 1668 crypto_bignum_to_bin((struct crypto_bignum *) x_bn, 1669 x, len, len); 1670 } 1671 if (y) { 1672 crypto_bignum_to_bin((struct crypto_bignum *) y_bn, 1673 y, len, len); 1674 } 1675 ret = 0; 1676 } 1677 1678 BN_clear_free(x_bn); 1679 BN_clear_free(y_bn); 1680 return ret; 1681 } 1682 1683 1684 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e, 1685 const u8 *val) 1686 { 1687 BIGNUM *x, *y; 1688 EC_POINT *elem; 1689 int len = BN_num_bytes(e->prime); 1690 1691 if (TEST_FAIL()) 1692 return NULL; 1693 1694 x = BN_bin2bn(val, len, NULL); 1695 y = BN_bin2bn(val + len, len, NULL); 1696 elem = EC_POINT_new(e->group); 1697 if (x == NULL || y == NULL || elem == NULL) { 1698 BN_clear_free(x); 1699 BN_clear_free(y); 1700 EC_POINT_clear_free(elem); 1701 return NULL; 1702 } 1703 1704 if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y, 1705 e->bnctx)) { 1706 EC_POINT_clear_free(elem); 1707 elem = NULL; 1708 } 1709 1710 BN_clear_free(x); 1711 BN_clear_free(y); 1712 1713 return (struct crypto_ec_point *) elem; 1714 } 1715 1716 1717 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a, 1718 const struct crypto_ec_point *b, 1719 struct crypto_ec_point *c) 1720 { 1721 if (TEST_FAIL()) 1722 return -1; 1723 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a, 1724 (const EC_POINT *) b, e->bnctx) ? 0 : -1; 1725 } 1726 1727 1728 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p, 1729 const struct crypto_bignum *b, 1730 struct crypto_ec_point *res) 1731 { 1732 if (TEST_FAIL()) 1733 return -1; 1734 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL, 1735 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx) 1736 ? 0 : -1; 1737 } 1738 1739 1740 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p) 1741 { 1742 if (TEST_FAIL()) 1743 return -1; 1744 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1; 1745 } 1746 1747 1748 int crypto_ec_point_solve_y_coord(struct crypto_ec *e, 1749 struct crypto_ec_point *p, 1750 const struct crypto_bignum *x, int y_bit) 1751 { 1752 if (TEST_FAIL()) 1753 return -1; 1754 if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p, 1755 (const BIGNUM *) x, y_bit, 1756 e->bnctx) || 1757 !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx)) 1758 return -1; 1759 return 0; 1760 } 1761 1762 1763 struct crypto_bignum * 1764 crypto_ec_point_compute_y_sqr(struct crypto_ec *e, 1765 const struct crypto_bignum *x) 1766 { 1767 BIGNUM *tmp, *tmp2, *y_sqr = NULL; 1768 1769 if (TEST_FAIL()) 1770 return NULL; 1771 1772 tmp = BN_new(); 1773 tmp2 = BN_new(); 1774 1775 /* y^2 = x^3 + ax + b */ 1776 if (tmp && tmp2 && 1777 BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) && 1778 BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) && 1779 BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) && 1780 BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) && 1781 BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) { 1782 y_sqr = tmp2; 1783 tmp2 = NULL; 1784 } 1785 1786 BN_clear_free(tmp); 1787 BN_clear_free(tmp2); 1788 1789 return (struct crypto_bignum *) y_sqr; 1790 } 1791 1792 1793 int crypto_ec_point_is_at_infinity(struct crypto_ec *e, 1794 const struct crypto_ec_point *p) 1795 { 1796 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p); 1797 } 1798 1799 1800 int crypto_ec_point_is_on_curve(struct crypto_ec *e, 1801 const struct crypto_ec_point *p) 1802 { 1803 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p, 1804 e->bnctx) == 1; 1805 } 1806 1807 1808 int crypto_ec_point_cmp(const struct crypto_ec *e, 1809 const struct crypto_ec_point *a, 1810 const struct crypto_ec_point *b) 1811 { 1812 return EC_POINT_cmp(e->group, (const EC_POINT *) a, 1813 (const EC_POINT *) b, e->bnctx); 1814 } 1815 1816 1817 struct crypto_ecdh { 1818 struct crypto_ec *ec; 1819 EVP_PKEY *pkey; 1820 }; 1821 1822 struct crypto_ecdh * crypto_ecdh_init(int group) 1823 { 1824 struct crypto_ecdh *ecdh; 1825 EVP_PKEY *params = NULL; 1826 EC_KEY *ec_params; 1827 EVP_PKEY_CTX *kctx = NULL; 1828 1829 ecdh = os_zalloc(sizeof(*ecdh)); 1830 if (!ecdh) 1831 goto fail; 1832 1833 ecdh->ec = crypto_ec_init(group); 1834 if (!ecdh->ec) 1835 goto fail; 1836 1837 ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid); 1838 if (!ec_params) { 1839 wpa_printf(MSG_ERROR, 1840 "OpenSSL: Failed to generate EC_KEY parameters"); 1841 goto fail; 1842 } 1843 EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE); 1844 params = EVP_PKEY_new(); 1845 if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) { 1846 wpa_printf(MSG_ERROR, 1847 "OpenSSL: Failed to generate EVP_PKEY parameters"); 1848 goto fail; 1849 } 1850 1851 kctx = EVP_PKEY_CTX_new(params, NULL); 1852 if (!kctx) 1853 goto fail; 1854 1855 if (EVP_PKEY_keygen_init(kctx) != 1) { 1856 wpa_printf(MSG_ERROR, 1857 "OpenSSL: EVP_PKEY_keygen_init failed: %s", 1858 ERR_error_string(ERR_get_error(), NULL)); 1859 goto fail; 1860 } 1861 1862 if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) { 1863 wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s", 1864 ERR_error_string(ERR_get_error(), NULL)); 1865 goto fail; 1866 } 1867 1868 done: 1869 EVP_PKEY_free(params); 1870 EVP_PKEY_CTX_free(kctx); 1871 1872 return ecdh; 1873 fail: 1874 crypto_ecdh_deinit(ecdh); 1875 ecdh = NULL; 1876 goto done; 1877 } 1878 1879 1880 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y) 1881 { 1882 struct wpabuf *buf = NULL; 1883 EC_KEY *eckey; 1884 const EC_POINT *pubkey; 1885 BIGNUM *x, *y = NULL; 1886 int len = BN_num_bytes(ecdh->ec->prime); 1887 int res; 1888 1889 eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey); 1890 if (!eckey) 1891 return NULL; 1892 1893 pubkey = EC_KEY_get0_public_key(eckey); 1894 if (!pubkey) 1895 return NULL; 1896 1897 x = BN_new(); 1898 if (inc_y) { 1899 y = BN_new(); 1900 if (!y) 1901 goto fail; 1902 } 1903 buf = wpabuf_alloc(inc_y ? 2 * len : len); 1904 if (!x || !buf) 1905 goto fail; 1906 1907 if (EC_POINT_get_affine_coordinates_GFp(ecdh->ec->group, pubkey, 1908 x, y, ecdh->ec->bnctx) != 1) { 1909 wpa_printf(MSG_ERROR, 1910 "OpenSSL: EC_POINT_get_affine_coordinates_GFp failed: %s", 1911 ERR_error_string(ERR_get_error(), NULL)); 1912 goto fail; 1913 } 1914 1915 res = crypto_bignum_to_bin((struct crypto_bignum *) x, 1916 wpabuf_put(buf, len), len, len); 1917 if (res < 0) 1918 goto fail; 1919 1920 if (inc_y) { 1921 res = crypto_bignum_to_bin((struct crypto_bignum *) y, 1922 wpabuf_put(buf, len), len, len); 1923 if (res < 0) 1924 goto fail; 1925 } 1926 1927 done: 1928 BN_clear_free(x); 1929 BN_clear_free(y); 1930 EC_KEY_free(eckey); 1931 1932 return buf; 1933 fail: 1934 wpabuf_free(buf); 1935 buf = NULL; 1936 goto done; 1937 } 1938 1939 1940 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y, 1941 const u8 *key, size_t len) 1942 { 1943 BIGNUM *x, *y = NULL; 1944 EVP_PKEY_CTX *ctx = NULL; 1945 EVP_PKEY *peerkey = NULL; 1946 struct wpabuf *secret = NULL; 1947 size_t secret_len; 1948 EC_POINT *pub; 1949 EC_KEY *eckey = NULL; 1950 1951 x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL); 1952 pub = EC_POINT_new(ecdh->ec->group); 1953 if (!x || !pub) 1954 goto fail; 1955 1956 if (inc_y) { 1957 y = BN_bin2bn(key + len / 2, len / 2, NULL); 1958 if (!y) 1959 goto fail; 1960 if (!EC_POINT_set_affine_coordinates_GFp(ecdh->ec->group, pub, 1961 x, y, 1962 ecdh->ec->bnctx)) { 1963 wpa_printf(MSG_ERROR, 1964 "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s", 1965 ERR_error_string(ERR_get_error(), NULL)); 1966 goto fail; 1967 } 1968 } else if (!EC_POINT_set_compressed_coordinates_GFp(ecdh->ec->group, 1969 pub, x, 0, 1970 ecdh->ec->bnctx)) { 1971 wpa_printf(MSG_ERROR, 1972 "OpenSSL: EC_POINT_set_compressed_coordinates_GFp failed: %s", 1973 ERR_error_string(ERR_get_error(), NULL)); 1974 goto fail; 1975 } 1976 1977 if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) { 1978 wpa_printf(MSG_ERROR, 1979 "OpenSSL: ECDH peer public key is not on curve"); 1980 goto fail; 1981 } 1982 1983 eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid); 1984 if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) { 1985 wpa_printf(MSG_ERROR, 1986 "OpenSSL: EC_KEY_set_public_key failed: %s", 1987 ERR_error_string(ERR_get_error(), NULL)); 1988 goto fail; 1989 } 1990 1991 peerkey = EVP_PKEY_new(); 1992 if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1) 1993 goto fail; 1994 1995 ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL); 1996 if (!ctx || EVP_PKEY_derive_init(ctx) != 1 || 1997 EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 || 1998 EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) { 1999 wpa_printf(MSG_ERROR, 2000 "OpenSSL: EVP_PKEY_derive(1) failed: %s", 2001 ERR_error_string(ERR_get_error(), NULL)); 2002 goto fail; 2003 } 2004 2005 secret = wpabuf_alloc(secret_len); 2006 if (!secret) 2007 goto fail; 2008 if (EVP_PKEY_derive(ctx, wpabuf_put(secret, secret_len), 2009 &secret_len) != 1) { 2010 wpa_printf(MSG_ERROR, 2011 "OpenSSL: EVP_PKEY_derive(2) failed: %s", 2012 ERR_error_string(ERR_get_error(), NULL)); 2013 goto fail; 2014 } 2015 2016 done: 2017 BN_free(x); 2018 BN_free(y); 2019 EC_KEY_free(eckey); 2020 EC_POINT_free(pub); 2021 EVP_PKEY_CTX_free(ctx); 2022 EVP_PKEY_free(peerkey); 2023 return secret; 2024 fail: 2025 wpabuf_free(secret); 2026 secret = NULL; 2027 goto done; 2028 } 2029 2030 2031 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh) 2032 { 2033 if (ecdh) { 2034 crypto_ec_deinit(ecdh->ec); 2035 EVP_PKEY_free(ecdh->pkey); 2036 os_free(ecdh); 2037 } 2038 } 2039 2040 #endif /* CONFIG_ECC */ 2041