1 /*
2  * Wrapper functions for OpenSSL libcrypto
3  * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 #include <openssl/opensslv.h>
11 #include <openssl/err.h>
12 #include <openssl/des.h>
13 #include <openssl/aes.h>
14 #include <openssl/bn.h>
15 #include <openssl/evp.h>
16 #include <openssl/dh.h>
17 #include <openssl/hmac.h>
18 #include <openssl/rand.h>
19 #ifdef CONFIG_OPENSSL_CMAC
20 #include <openssl/cmac.h>
21 #endif /* CONFIG_OPENSSL_CMAC */
22 #ifdef CONFIG_ECC
23 #include <openssl/ec.h>
24 #include <openssl/x509.h>
25 #include <openssl/pem.h>
26 #endif /* CONFIG_ECC */
27 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
28 #include <openssl/provider.h>
29 #endif /* OpenSSL version >= 3.0 */
30 
31 #include "common.h"
32 #include "utils/const_time.h"
33 #include "wpabuf.h"
34 #include "dh_group5.h"
35 #include "sha1.h"
36 #include "sha256.h"
37 #include "sha384.h"
38 #include "sha512.h"
39 #include "md5.h"
40 #include "aes_wrap.h"
41 #include "crypto.h"
42 
43 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
44 	(defined(LIBRESSL_VERSION_NUMBER) && \
45 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
46 /* Compatibility wrappers for older versions. */
47 
HMAC_CTX_new(void)48 static HMAC_CTX * HMAC_CTX_new(void)
49 {
50 	HMAC_CTX *ctx;
51 
52 	ctx = os_zalloc(sizeof(*ctx));
53 	if (ctx)
54 		HMAC_CTX_init(ctx);
55 	return ctx;
56 }
57 
58 
HMAC_CTX_free(HMAC_CTX * ctx)59 static void HMAC_CTX_free(HMAC_CTX *ctx)
60 {
61 	if (!ctx)
62 		return;
63 	HMAC_CTX_cleanup(ctx);
64 	bin_clear_free(ctx, sizeof(*ctx));
65 }
66 
67 
EVP_MD_CTX_new(void)68 static EVP_MD_CTX * EVP_MD_CTX_new(void)
69 {
70 	EVP_MD_CTX *ctx;
71 
72 	ctx = os_zalloc(sizeof(*ctx));
73 	if (ctx)
74 		EVP_MD_CTX_init(ctx);
75 	return ctx;
76 }
77 
78 
EVP_MD_CTX_free(EVP_MD_CTX * ctx)79 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
80 {
81 	if (!ctx)
82 		return;
83 	EVP_MD_CTX_cleanup(ctx);
84 	bin_clear_free(ctx, sizeof(*ctx));
85 }
86 
87 
88 #ifdef CONFIG_ECC
89 
EVP_PKEY_get0_EC_KEY(EVP_PKEY * pkey)90 static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
91 {
92 	if (pkey->type != EVP_PKEY_EC)
93 		return NULL;
94 	return pkey->pkey.ec;
95 }
96 
97 
ECDSA_SIG_set0(ECDSA_SIG * sig,BIGNUM * r,BIGNUM * s)98 static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
99 {
100 	sig->r = r;
101 	sig->s = s;
102 	return 1;
103 }
104 
105 
ECDSA_SIG_get0(const ECDSA_SIG * sig,const BIGNUM ** pr,const BIGNUM ** ps)106 static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,
107 			   const BIGNUM **ps)
108 {
109 	if (pr)
110 		*pr = sig->r;
111 	if (ps)
112 		*ps = sig->s;
113 }
114 
115 #endif /* CONFIG_ECC */
116 
ASN1_STRING_get0_data(const ASN1_STRING * x)117 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
118 {
119 	return ASN1_STRING_data((ASN1_STRING *) x);
120 }
121 #endif /* OpenSSL version < 1.1.0 */
122 
123 
openssl_load_legacy_provider(void)124 void openssl_load_legacy_provider(void)
125 {
126 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
127 	static bool loaded = false;
128 	OSSL_PROVIDER *legacy;
129 
130 	if (loaded)
131 		return;
132 
133 	legacy = OSSL_PROVIDER_load(NULL, "legacy");
134 
135 	if (legacy) {
136 		OSSL_PROVIDER_load(NULL, "default");
137 		loaded = true;
138 	}
139 #endif /* OpenSSL version >= 3.0 */
140 }
141 
142 
get_group5_prime(void)143 static BIGNUM * get_group5_prime(void)
144 {
145 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
146 	!(defined(LIBRESSL_VERSION_NUMBER) && \
147 	  LIBRESSL_VERSION_NUMBER < 0x20700000L)
148 	return BN_get_rfc3526_prime_1536(NULL);
149 #elif !defined(OPENSSL_IS_BORINGSSL)
150 	return get_rfc3526_prime_1536(NULL);
151 #else
152 	static const unsigned char RFC3526_PRIME_1536[] = {
153 		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
154 		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
155 		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
156 		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
157 		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
158 		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
159 		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
160 		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
161 		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
162 		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
163 		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
164 		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
165 		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
166 		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
167 		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
168 		0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
169 	};
170         return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
171 #endif
172 }
173 
174 
get_group5_order(void)175 static BIGNUM * get_group5_order(void)
176 {
177 	static const unsigned char RFC3526_ORDER_1536[] = {
178 		0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE4,0x87,0xED,0x51,
179 		0x10,0xB4,0x61,0x1A,0x62,0x63,0x31,0x45,0xC0,0x6E,0x0E,0x68,
180 		0x94,0x81,0x27,0x04,0x45,0x33,0xE6,0x3A,0x01,0x05,0xDF,0x53,
181 		0x1D,0x89,0xCD,0x91,0x28,0xA5,0x04,0x3C,0xC7,0x1A,0x02,0x6E,
182 		0xF7,0xCA,0x8C,0xD9,0xE6,0x9D,0x21,0x8D,0x98,0x15,0x85,0x36,
183 		0xF9,0x2F,0x8A,0x1B,0xA7,0xF0,0x9A,0xB6,0xB6,0xA8,0xE1,0x22,
184 		0xF2,0x42,0xDA,0xBB,0x31,0x2F,0x3F,0x63,0x7A,0x26,0x21,0x74,
185 		0xD3,0x1B,0xF6,0xB5,0x85,0xFF,0xAE,0x5B,0x7A,0x03,0x5B,0xF6,
186 		0xF7,0x1C,0x35,0xFD,0xAD,0x44,0xCF,0xD2,0xD7,0x4F,0x92,0x08,
187 		0xBE,0x25,0x8F,0xF3,0x24,0x94,0x33,0x28,0xF6,0x72,0x2D,0x9E,
188 		0xE1,0x00,0x3E,0x5C,0x50,0xB1,0xDF,0x82,0xCC,0x6D,0x24,0x1B,
189 		0x0E,0x2A,0xE9,0xCD,0x34,0x8B,0x1F,0xD4,0x7E,0x92,0x67,0xAF,
190 		0xC1,0xB2,0xAE,0x91,0xEE,0x51,0xD6,0xCB,0x0E,0x31,0x79,0xAB,
191 		0x10,0x42,0xA9,0x5D,0xCF,0x6A,0x94,0x83,0xB8,0x4B,0x4B,0x36,
192 		0xB3,0x86,0x1A,0xA7,0x25,0x5E,0x4C,0x02,0x78,0xBA,0x36,0x04,
193 		0x65,0x11,0xB9,0x93,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
194 	};
195 	return BN_bin2bn(RFC3526_ORDER_1536, sizeof(RFC3526_ORDER_1536), NULL);
196 }
197 
198 
199 #ifdef OPENSSL_NO_SHA256
200 #define NO_SHA256_WRAPPER
201 #endif
202 #ifdef OPENSSL_NO_SHA512
203 #define NO_SHA384_WRAPPER
204 #endif
205 
openssl_digest_vector(const EVP_MD * type,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)206 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
207 				 const u8 *addr[], const size_t *len, u8 *mac)
208 {
209 	EVP_MD_CTX *ctx;
210 	size_t i;
211 	unsigned int mac_len;
212 
213 	if (TEST_FAIL())
214 		return -1;
215 
216 	ctx = EVP_MD_CTX_new();
217 	if (!ctx)
218 		return -1;
219 	if (!EVP_DigestInit_ex(ctx, type, NULL)) {
220 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
221 			   ERR_error_string(ERR_get_error(), NULL));
222 		EVP_MD_CTX_free(ctx);
223 		return -1;
224 	}
225 	for (i = 0; i < num_elem; i++) {
226 		if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
227 			wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
228 				   "failed: %s",
229 				   ERR_error_string(ERR_get_error(), NULL));
230 			EVP_MD_CTX_free(ctx);
231 			return -1;
232 		}
233 	}
234 	if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
235 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
236 			   ERR_error_string(ERR_get_error(), NULL));
237 		EVP_MD_CTX_free(ctx);
238 		return -1;
239 	}
240 	EVP_MD_CTX_free(ctx);
241 
242 	return 0;
243 }
244 
245 
246 #ifndef CONFIG_FIPS
md4_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)247 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
248 {
249 	openssl_load_legacy_provider();
250 	return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
251 }
252 #endif /* CONFIG_FIPS */
253 
254 
des_encrypt(const u8 * clear,const u8 * key,u8 * cypher)255 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
256 {
257 	u8 pkey[8], next, tmp;
258 	int i, plen, ret = -1;
259 	EVP_CIPHER_CTX *ctx;
260 
261 	openssl_load_legacy_provider();
262 
263 	/* Add parity bits to the key */
264 	next = 0;
265 	for (i = 0; i < 7; i++) {
266 		tmp = key[i];
267 		pkey[i] = (tmp >> i) | next | 1;
268 		next = tmp << (7 - i);
269 	}
270 	pkey[i] = next | 1;
271 
272 	ctx = EVP_CIPHER_CTX_new();
273 	if (ctx &&
274 	    EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, pkey, NULL) == 1 &&
275 	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
276 	    EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 &&
277 	    EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen) == 1)
278 		ret = 0;
279 	else
280 		wpa_printf(MSG_ERROR, "OpenSSL: DES encrypt failed");
281 
282 	if (ctx)
283 		EVP_CIPHER_CTX_free(ctx);
284 	return ret;
285 }
286 
287 
288 #ifndef CONFIG_NO_RC4
rc4_skip(const u8 * key,size_t keylen,size_t skip,u8 * data,size_t data_len)289 int rc4_skip(const u8 *key, size_t keylen, size_t skip,
290 	     u8 *data, size_t data_len)
291 {
292 #ifdef OPENSSL_NO_RC4
293 	return -1;
294 #else /* OPENSSL_NO_RC4 */
295 	EVP_CIPHER_CTX *ctx;
296 	int outl;
297 	int res = -1;
298 	unsigned char skip_buf[16];
299 
300 	openssl_load_legacy_provider();
301 
302 	ctx = EVP_CIPHER_CTX_new();
303 	if (!ctx ||
304 	    !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
305 	    !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
306 	    !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
307 	    !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
308 		goto out;
309 
310 	while (skip >= sizeof(skip_buf)) {
311 		size_t len = skip;
312 		if (len > sizeof(skip_buf))
313 			len = sizeof(skip_buf);
314 		if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
315 			goto out;
316 		skip -= len;
317 	}
318 
319 	if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
320 		res = 0;
321 
322 out:
323 	if (ctx)
324 		EVP_CIPHER_CTX_free(ctx);
325 	return res;
326 #endif /* OPENSSL_NO_RC4 */
327 }
328 #endif /* CONFIG_NO_RC4 */
329 
330 
331 #ifndef CONFIG_FIPS
md5_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)332 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
333 {
334 	return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
335 }
336 #endif /* CONFIG_FIPS */
337 
338 
sha1_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)339 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
340 {
341 	return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
342 }
343 
344 
345 #ifndef NO_SHA256_WRAPPER
sha256_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)346 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
347 		  u8 *mac)
348 {
349 	return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
350 }
351 #endif /* NO_SHA256_WRAPPER */
352 
353 
354 #ifndef NO_SHA384_WRAPPER
sha384_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)355 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
356 		  u8 *mac)
357 {
358 	return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);
359 }
360 #endif /* NO_SHA384_WRAPPER */
361 
362 
363 #ifndef NO_SHA512_WRAPPER
sha512_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)364 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
365 		  u8 *mac)
366 {
367 	return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
368 }
369 #endif /* NO_SHA512_WRAPPER */
370 
371 
aes_get_evp_cipher(size_t keylen)372 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
373 {
374 	switch (keylen) {
375 	case 16:
376 		return EVP_aes_128_ecb();
377 	case 24:
378 		return EVP_aes_192_ecb();
379 	case 32:
380 		return EVP_aes_256_ecb();
381 	}
382 
383 	return NULL;
384 }
385 
386 
aes_encrypt_init(const u8 * key,size_t len)387 void * aes_encrypt_init(const u8 *key, size_t len)
388 {
389 	EVP_CIPHER_CTX *ctx;
390 	const EVP_CIPHER *type;
391 
392 	if (TEST_FAIL())
393 		return NULL;
394 
395 	type = aes_get_evp_cipher(len);
396 	if (!type) {
397 		wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
398 			   __func__, (unsigned int) len);
399 		return NULL;
400 	}
401 
402 	ctx = EVP_CIPHER_CTX_new();
403 	if (ctx == NULL)
404 		return NULL;
405 	if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
406 		os_free(ctx);
407 		return NULL;
408 	}
409 	EVP_CIPHER_CTX_set_padding(ctx, 0);
410 	return ctx;
411 }
412 
413 
aes_encrypt(void * ctx,const u8 * plain,u8 * crypt)414 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
415 {
416 	EVP_CIPHER_CTX *c = ctx;
417 	int clen = 16;
418 	if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
419 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
420 			   ERR_error_string(ERR_get_error(), NULL));
421 		return -1;
422 	}
423 	return 0;
424 }
425 
426 
aes_encrypt_deinit(void * ctx)427 void aes_encrypt_deinit(void *ctx)
428 {
429 	EVP_CIPHER_CTX *c = ctx;
430 	u8 buf[16];
431 	int len = sizeof(buf);
432 	if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
433 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
434 			   "%s", ERR_error_string(ERR_get_error(), NULL));
435 	}
436 	if (len != 0) {
437 		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
438 			   "in AES encrypt", len);
439 	}
440 	EVP_CIPHER_CTX_free(c);
441 }
442 
443 
aes_decrypt_init(const u8 * key,size_t len)444 void * aes_decrypt_init(const u8 *key, size_t len)
445 {
446 	EVP_CIPHER_CTX *ctx;
447 	const EVP_CIPHER *type;
448 
449 	if (TEST_FAIL())
450 		return NULL;
451 
452 	type = aes_get_evp_cipher(len);
453 	if (!type) {
454 		wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
455 			   __func__, (unsigned int) len);
456 		return NULL;
457 	}
458 
459 	ctx = EVP_CIPHER_CTX_new();
460 	if (ctx == NULL)
461 		return NULL;
462 	if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
463 		EVP_CIPHER_CTX_free(ctx);
464 		return NULL;
465 	}
466 	EVP_CIPHER_CTX_set_padding(ctx, 0);
467 	return ctx;
468 }
469 
470 
aes_decrypt(void * ctx,const u8 * crypt,u8 * plain)471 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
472 {
473 	EVP_CIPHER_CTX *c = ctx;
474 	int plen = 16;
475 	if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
476 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
477 			   ERR_error_string(ERR_get_error(), NULL));
478 		return -1;
479 	}
480 	return 0;
481 }
482 
483 
aes_decrypt_deinit(void * ctx)484 void aes_decrypt_deinit(void *ctx)
485 {
486 	EVP_CIPHER_CTX *c = ctx;
487 	u8 buf[16];
488 	int len = sizeof(buf);
489 	if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
490 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
491 			   "%s", ERR_error_string(ERR_get_error(), NULL));
492 	}
493 	if (len != 0) {
494 		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
495 			   "in AES decrypt", len);
496 	}
497 	EVP_CIPHER_CTX_free(c);
498 }
499 
500 
501 #ifndef CONFIG_FIPS
502 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
503 
aes_wrap(const u8 * kek,size_t kek_len,int n,const u8 * plain,u8 * cipher)504 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
505 {
506 	AES_KEY actx;
507 	int res;
508 
509 	if (TEST_FAIL())
510 		return -1;
511 	if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
512 		return -1;
513 	res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
514 	OPENSSL_cleanse(&actx, sizeof(actx));
515 	return res <= 0 ? -1 : 0;
516 }
517 
518 
aes_unwrap(const u8 * kek,size_t kek_len,int n,const u8 * cipher,u8 * plain)519 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
520 	       u8 *plain)
521 {
522 	AES_KEY actx;
523 	int res;
524 
525 	if (TEST_FAIL())
526 		return -1;
527 	if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
528 		return -1;
529 	res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
530 	OPENSSL_cleanse(&actx, sizeof(actx));
531 	return res <= 0 ? -1 : 0;
532 }
533 
534 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
535 #endif /* CONFIG_FIPS */
536 
537 
aes_128_cbc_encrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)538 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
539 {
540 	EVP_CIPHER_CTX *ctx;
541 	int clen, len;
542 	u8 buf[16];
543 	int res = -1;
544 
545 	if (TEST_FAIL())
546 		return -1;
547 
548 	ctx = EVP_CIPHER_CTX_new();
549 	if (!ctx)
550 		return -1;
551 	clen = data_len;
552 	len = sizeof(buf);
553 	if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
554 	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
555 	    EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
556 	    clen == (int) data_len &&
557 	    EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
558 		res = 0;
559 	EVP_CIPHER_CTX_free(ctx);
560 
561 	return res;
562 }
563 
564 
aes_128_cbc_decrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)565 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
566 {
567 	EVP_CIPHER_CTX *ctx;
568 	int plen, len;
569 	u8 buf[16];
570 	int res = -1;
571 
572 	if (TEST_FAIL())
573 		return -1;
574 
575 	ctx = EVP_CIPHER_CTX_new();
576 	if (!ctx)
577 		return -1;
578 	plen = data_len;
579 	len = sizeof(buf);
580 	if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
581 	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
582 	    EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
583 	    plen == (int) data_len &&
584 	    EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
585 		res = 0;
586 	EVP_CIPHER_CTX_free(ctx);
587 
588 	return res;
589 
590 }
591 
592 
crypto_dh_init(u8 generator,const u8 * prime,size_t prime_len,u8 * privkey,u8 * pubkey)593 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
594 		   u8 *pubkey)
595 {
596 	size_t pubkey_len, pad;
597 
598 	if (os_get_random(privkey, prime_len) < 0)
599 		return -1;
600 	if (os_memcmp(privkey, prime, prime_len) > 0) {
601 		/* Make sure private value is smaller than prime */
602 		privkey[0] = 0;
603 	}
604 
605 	pubkey_len = prime_len;
606 	if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
607 			   pubkey, &pubkey_len) < 0)
608 		return -1;
609 	if (pubkey_len < prime_len) {
610 		pad = prime_len - pubkey_len;
611 		os_memmove(pubkey + pad, pubkey, pubkey_len);
612 		os_memset(pubkey, 0, pad);
613 	}
614 
615 	return 0;
616 }
617 
618 
crypto_dh_derive_secret(u8 generator,const u8 * prime,size_t prime_len,const u8 * order,size_t order_len,const u8 * privkey,size_t privkey_len,const u8 * pubkey,size_t pubkey_len,u8 * secret,size_t * len)619 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
620 			    const u8 *order, size_t order_len,
621 			    const u8 *privkey, size_t privkey_len,
622 			    const u8 *pubkey, size_t pubkey_len,
623 			    u8 *secret, size_t *len)
624 {
625 	BIGNUM *pub, *p;
626 	int res = -1;
627 
628 	pub = BN_bin2bn(pubkey, pubkey_len, NULL);
629 	p = BN_bin2bn(prime, prime_len, NULL);
630 	if (!pub || !p || BN_is_zero(pub) || BN_is_one(pub) ||
631 	    BN_cmp(pub, p) >= 0)
632 		goto fail;
633 
634 	if (order) {
635 		BN_CTX *ctx;
636 		BIGNUM *q, *tmp;
637 		int failed;
638 
639 		/* verify: pubkey^q == 1 mod p */
640 		q = BN_bin2bn(order, order_len, NULL);
641 		ctx = BN_CTX_new();
642 		tmp = BN_new();
643 		failed = !q || !ctx || !tmp ||
644 			!BN_mod_exp(tmp, pub, q, p, ctx) ||
645 			!BN_is_one(tmp);
646 		BN_clear_free(q);
647 		BN_clear_free(tmp);
648 		BN_CTX_free(ctx);
649 		if (failed)
650 			goto fail;
651 	}
652 
653 	res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,
654 			     prime, prime_len, secret, len);
655 fail:
656 	BN_clear_free(pub);
657 	BN_clear_free(p);
658 	return res;
659 }
660 
661 
crypto_mod_exp(const u8 * base,size_t base_len,const u8 * power,size_t power_len,const u8 * modulus,size_t modulus_len,u8 * result,size_t * result_len)662 int crypto_mod_exp(const u8 *base, size_t base_len,
663 		   const u8 *power, size_t power_len,
664 		   const u8 *modulus, size_t modulus_len,
665 		   u8 *result, size_t *result_len)
666 {
667 	BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
668 	int ret = -1;
669 	BN_CTX *ctx;
670 
671 	ctx = BN_CTX_new();
672 	if (ctx == NULL)
673 		return -1;
674 
675 	bn_base = BN_bin2bn(base, base_len, NULL);
676 	bn_exp = BN_bin2bn(power, power_len, NULL);
677 	bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
678 	bn_result = BN_new();
679 
680 	if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
681 	    bn_result == NULL)
682 		goto error;
683 
684 	if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
685 				      ctx, NULL) != 1)
686 		goto error;
687 
688 	*result_len = BN_bn2bin(bn_result, result);
689 	ret = 0;
690 
691 error:
692 	BN_clear_free(bn_base);
693 	BN_clear_free(bn_exp);
694 	BN_clear_free(bn_modulus);
695 	BN_clear_free(bn_result);
696 	BN_CTX_free(ctx);
697 	return ret;
698 }
699 
700 
701 struct crypto_cipher {
702 	EVP_CIPHER_CTX *enc;
703 	EVP_CIPHER_CTX *dec;
704 };
705 
706 
crypto_cipher_init(enum crypto_cipher_alg alg,const u8 * iv,const u8 * key,size_t key_len)707 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
708 					  const u8 *iv, const u8 *key,
709 					  size_t key_len)
710 {
711 	struct crypto_cipher *ctx;
712 	const EVP_CIPHER *cipher;
713 
714 	ctx = os_zalloc(sizeof(*ctx));
715 	if (ctx == NULL)
716 		return NULL;
717 
718 	switch (alg) {
719 #ifndef CONFIG_NO_RC4
720 #ifndef OPENSSL_NO_RC4
721 	case CRYPTO_CIPHER_ALG_RC4:
722 		cipher = EVP_rc4();
723 		break;
724 #endif /* OPENSSL_NO_RC4 */
725 #endif /* CONFIG_NO_RC4 */
726 #ifndef OPENSSL_NO_AES
727 	case CRYPTO_CIPHER_ALG_AES:
728 		switch (key_len) {
729 		case 16:
730 			cipher = EVP_aes_128_cbc();
731 			break;
732 #ifndef OPENSSL_IS_BORINGSSL
733 		case 24:
734 			cipher = EVP_aes_192_cbc();
735 			break;
736 #endif /* OPENSSL_IS_BORINGSSL */
737 		case 32:
738 			cipher = EVP_aes_256_cbc();
739 			break;
740 		default:
741 			os_free(ctx);
742 			return NULL;
743 		}
744 		break;
745 #endif /* OPENSSL_NO_AES */
746 #ifndef OPENSSL_NO_DES
747 	case CRYPTO_CIPHER_ALG_3DES:
748 		cipher = EVP_des_ede3_cbc();
749 		break;
750 	case CRYPTO_CIPHER_ALG_DES:
751 		cipher = EVP_des_cbc();
752 		break;
753 #endif /* OPENSSL_NO_DES */
754 #ifndef OPENSSL_NO_RC2
755 	case CRYPTO_CIPHER_ALG_RC2:
756 		cipher = EVP_rc2_ecb();
757 		break;
758 #endif /* OPENSSL_NO_RC2 */
759 	default:
760 		os_free(ctx);
761 		return NULL;
762 	}
763 
764 	if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
765 	    !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
766 	    !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
767 	    !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
768 	    !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
769 		if (ctx->enc)
770 			EVP_CIPHER_CTX_free(ctx->enc);
771 		os_free(ctx);
772 		return NULL;
773 	}
774 
775 	if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
776 	    !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
777 	    !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
778 	    !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
779 	    !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
780 		EVP_CIPHER_CTX_free(ctx->enc);
781 		if (ctx->dec)
782 			EVP_CIPHER_CTX_free(ctx->dec);
783 		os_free(ctx);
784 		return NULL;
785 	}
786 
787 	return ctx;
788 }
789 
790 
crypto_cipher_encrypt(struct crypto_cipher * ctx,const u8 * plain,u8 * crypt,size_t len)791 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
792 			  u8 *crypt, size_t len)
793 {
794 	int outl;
795 	if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
796 		return -1;
797 	return 0;
798 }
799 
800 
crypto_cipher_decrypt(struct crypto_cipher * ctx,const u8 * crypt,u8 * plain,size_t len)801 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
802 			  u8 *plain, size_t len)
803 {
804 	int outl;
805 	outl = len;
806 	if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
807 		return -1;
808 	return 0;
809 }
810 
811 
crypto_cipher_deinit(struct crypto_cipher * ctx)812 void crypto_cipher_deinit(struct crypto_cipher *ctx)
813 {
814 	EVP_CIPHER_CTX_free(ctx->enc);
815 	EVP_CIPHER_CTX_free(ctx->dec);
816 	os_free(ctx);
817 }
818 
819 
dh5_init(struct wpabuf ** priv,struct wpabuf ** publ)820 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
821 {
822 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
823 	(defined(LIBRESSL_VERSION_NUMBER) && \
824 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
825 	DH *dh;
826 	struct wpabuf *pubkey = NULL, *privkey = NULL;
827 	size_t publen, privlen;
828 
829 	*priv = NULL;
830 	wpabuf_free(*publ);
831 	*publ = NULL;
832 
833 	dh = DH_new();
834 	if (dh == NULL)
835 		return NULL;
836 
837 	dh->g = BN_new();
838 	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
839 		goto err;
840 
841 	dh->p = get_group5_prime();
842 	if (dh->p == NULL)
843 		goto err;
844 
845 	dh->q = get_group5_order();
846 	if (!dh->q)
847 		goto err;
848 
849 	if (DH_generate_key(dh) != 1)
850 		goto err;
851 
852 	publen = BN_num_bytes(dh->pub_key);
853 	pubkey = wpabuf_alloc(publen);
854 	if (pubkey == NULL)
855 		goto err;
856 	privlen = BN_num_bytes(dh->priv_key);
857 	privkey = wpabuf_alloc(privlen);
858 	if (privkey == NULL)
859 		goto err;
860 
861 	BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
862 	BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
863 
864 	*priv = privkey;
865 	*publ = pubkey;
866 	return dh;
867 
868 err:
869 	wpabuf_clear_free(pubkey);
870 	wpabuf_clear_free(privkey);
871 	DH_free(dh);
872 	return NULL;
873 #else
874 	DH *dh;
875 	struct wpabuf *pubkey = NULL, *privkey = NULL;
876 	size_t publen, privlen;
877 	BIGNUM *p, *g, *q;
878 	const BIGNUM *priv_key = NULL, *pub_key = NULL;
879 
880 	*priv = NULL;
881 	wpabuf_free(*publ);
882 	*publ = NULL;
883 
884 	dh = DH_new();
885 	if (dh == NULL)
886 		return NULL;
887 
888 	g = BN_new();
889 	p = get_group5_prime();
890 	q = get_group5_order();
891 	if (!g || BN_set_word(g, 2) != 1 || !p || !q ||
892 	    DH_set0_pqg(dh, p, q, g) != 1)
893 		goto err;
894 	p = NULL;
895 	q = NULL;
896 	g = NULL;
897 
898 	if (DH_generate_key(dh) != 1)
899 		goto err;
900 
901 	DH_get0_key(dh, &pub_key, &priv_key);
902 	publen = BN_num_bytes(pub_key);
903 	pubkey = wpabuf_alloc(publen);
904 	if (!pubkey)
905 		goto err;
906 	privlen = BN_num_bytes(priv_key);
907 	privkey = wpabuf_alloc(privlen);
908 	if (!privkey)
909 		goto err;
910 
911 	BN_bn2bin(pub_key, wpabuf_put(pubkey, publen));
912 	BN_bn2bin(priv_key, wpabuf_put(privkey, privlen));
913 
914 	*priv = privkey;
915 	*publ = pubkey;
916 	return dh;
917 
918 err:
919 	BN_free(p);
920 	BN_free(q);
921 	BN_free(g);
922 	wpabuf_clear_free(pubkey);
923 	wpabuf_clear_free(privkey);
924 	DH_free(dh);
925 	return NULL;
926 #endif
927 }
928 
929 
dh5_init_fixed(const struct wpabuf * priv,const struct wpabuf * publ)930 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
931 {
932 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
933 	(defined(LIBRESSL_VERSION_NUMBER) && \
934 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
935 	DH *dh;
936 
937 	dh = DH_new();
938 	if (dh == NULL)
939 		return NULL;
940 
941 	dh->g = BN_new();
942 	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
943 		goto err;
944 
945 	dh->p = get_group5_prime();
946 	if (dh->p == NULL)
947 		goto err;
948 
949 	dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
950 	if (dh->priv_key == NULL)
951 		goto err;
952 
953 	dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
954 	if (dh->pub_key == NULL)
955 		goto err;
956 
957 	if (DH_generate_key(dh) != 1)
958 		goto err;
959 
960 	return dh;
961 
962 err:
963 	DH_free(dh);
964 	return NULL;
965 #else
966 	DH *dh;
967 	BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL;
968 
969 	dh = DH_new();
970 	if (dh == NULL)
971 		return NULL;
972 
973 	g = BN_new();
974 	p = get_group5_prime();
975 	if (!g || BN_set_word(g, 2) != 1 || !p ||
976 	    DH_set0_pqg(dh, p, NULL, g) != 1)
977 		goto err;
978 	p = NULL;
979 	g = NULL;
980 
981 	priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
982 	pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
983 	if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1)
984 		goto err;
985 	pub_key = NULL;
986 	priv_key = NULL;
987 
988 	if (DH_generate_key(dh) != 1)
989 		goto err;
990 
991 	return dh;
992 
993 err:
994 	BN_free(p);
995 	BN_free(g);
996 	BN_free(pub_key);
997 	BN_clear_free(priv_key);
998 	DH_free(dh);
999 	return NULL;
1000 #endif
1001 }
1002 
1003 
dh5_derive_shared(void * ctx,const struct wpabuf * peer_public,const struct wpabuf * own_private)1004 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
1005 				  const struct wpabuf *own_private)
1006 {
1007 	BIGNUM *pub_key;
1008 	struct wpabuf *res = NULL;
1009 	size_t rlen;
1010 	DH *dh = ctx;
1011 	int keylen;
1012 
1013 	if (ctx == NULL)
1014 		return NULL;
1015 
1016 	pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
1017 			    NULL);
1018 	if (pub_key == NULL)
1019 		return NULL;
1020 
1021 	rlen = DH_size(dh);
1022 	res = wpabuf_alloc(rlen);
1023 	if (res == NULL)
1024 		goto err;
1025 
1026 	keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
1027 	if (keylen < 0)
1028 		goto err;
1029 	wpabuf_put(res, keylen);
1030 	BN_clear_free(pub_key);
1031 
1032 	return res;
1033 
1034 err:
1035 	BN_clear_free(pub_key);
1036 	wpabuf_clear_free(res);
1037 	return NULL;
1038 }
1039 
1040 
dh5_free(void * ctx)1041 void dh5_free(void *ctx)
1042 {
1043 	DH *dh;
1044 	if (ctx == NULL)
1045 		return;
1046 	dh = ctx;
1047 	DH_free(dh);
1048 }
1049 
1050 
1051 struct crypto_hash {
1052 	HMAC_CTX *ctx;
1053 };
1054 
1055 
crypto_hash_init(enum crypto_hash_alg alg,const u8 * key,size_t key_len)1056 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
1057 				      size_t key_len)
1058 {
1059 	struct crypto_hash *ctx;
1060 	const EVP_MD *md;
1061 
1062 	switch (alg) {
1063 #ifndef OPENSSL_NO_MD5
1064 	case CRYPTO_HASH_ALG_HMAC_MD5:
1065 		md = EVP_md5();
1066 		break;
1067 #endif /* OPENSSL_NO_MD5 */
1068 #ifndef OPENSSL_NO_SHA
1069 	case CRYPTO_HASH_ALG_HMAC_SHA1:
1070 		md = EVP_sha1();
1071 		break;
1072 #endif /* OPENSSL_NO_SHA */
1073 #ifndef OPENSSL_NO_SHA256
1074 #ifdef CONFIG_SHA256
1075 	case CRYPTO_HASH_ALG_HMAC_SHA256:
1076 		md = EVP_sha256();
1077 		break;
1078 #endif /* CONFIG_SHA256 */
1079 #endif /* OPENSSL_NO_SHA256 */
1080 	default:
1081 		return NULL;
1082 	}
1083 
1084 	ctx = os_zalloc(sizeof(*ctx));
1085 	if (ctx == NULL)
1086 		return NULL;
1087 	ctx->ctx = HMAC_CTX_new();
1088 	if (!ctx->ctx) {
1089 		os_free(ctx);
1090 		return NULL;
1091 	}
1092 
1093 	if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
1094 		HMAC_CTX_free(ctx->ctx);
1095 		bin_clear_free(ctx, sizeof(*ctx));
1096 		return NULL;
1097 	}
1098 
1099 	return ctx;
1100 }
1101 
1102 
crypto_hash_update(struct crypto_hash * ctx,const u8 * data,size_t len)1103 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
1104 {
1105 	if (ctx == NULL)
1106 		return;
1107 	HMAC_Update(ctx->ctx, data, len);
1108 }
1109 
1110 
crypto_hash_finish(struct crypto_hash * ctx,u8 * mac,size_t * len)1111 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
1112 {
1113 	unsigned int mdlen;
1114 	int res;
1115 
1116 	if (ctx == NULL)
1117 		return -2;
1118 
1119 	if (mac == NULL || len == NULL) {
1120 		HMAC_CTX_free(ctx->ctx);
1121 		bin_clear_free(ctx, sizeof(*ctx));
1122 		return 0;
1123 	}
1124 
1125 	mdlen = *len;
1126 	res = HMAC_Final(ctx->ctx, mac, &mdlen);
1127 	HMAC_CTX_free(ctx->ctx);
1128 	bin_clear_free(ctx, sizeof(*ctx));
1129 
1130 	if (TEST_FAIL())
1131 		return -1;
1132 
1133 	if (res == 1) {
1134 		*len = mdlen;
1135 		return 0;
1136 	}
1137 
1138 	return -1;
1139 }
1140 
1141 
openssl_hmac_vector(const EVP_MD * type,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac,unsigned int mdlen)1142 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
1143 			       size_t key_len, size_t num_elem,
1144 			       const u8 *addr[], const size_t *len, u8 *mac,
1145 			       unsigned int mdlen)
1146 {
1147 	HMAC_CTX *ctx;
1148 	size_t i;
1149 	int res;
1150 
1151 	if (TEST_FAIL())
1152 		return -1;
1153 
1154 	ctx = HMAC_CTX_new();
1155 	if (!ctx)
1156 		return -1;
1157 	res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
1158 	if (res != 1)
1159 		goto done;
1160 
1161 	for (i = 0; i < num_elem; i++)
1162 		HMAC_Update(ctx, addr[i], len[i]);
1163 
1164 	res = HMAC_Final(ctx, mac, &mdlen);
1165 done:
1166 	HMAC_CTX_free(ctx);
1167 
1168 	return res == 1 ? 0 : -1;
1169 }
1170 
1171 
1172 #ifndef CONFIG_FIPS
1173 
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1174 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
1175 		    const u8 *addr[], const size_t *len, u8 *mac)
1176 {
1177 	return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
1178 				   mac, 16);
1179 }
1180 
1181 
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1182 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1183 	     u8 *mac)
1184 {
1185 	return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
1186 }
1187 
1188 #endif /* CONFIG_FIPS */
1189 
1190 
pbkdf2_sha1(const char * passphrase,const u8 * ssid,size_t ssid_len,int iterations,u8 * buf,size_t buflen)1191 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
1192 		int iterations, u8 *buf, size_t buflen)
1193 {
1194 	if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
1195 				   ssid_len, iterations, buflen, buf) != 1)
1196 		return -1;
1197 	return 0;
1198 }
1199 
1200 
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1201 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
1202 		     const u8 *addr[], const size_t *len, u8 *mac)
1203 {
1204 	return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
1205 				   len, mac, 20);
1206 }
1207 
1208 
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1209 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1210 	       u8 *mac)
1211 {
1212 	return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
1213 }
1214 
1215 
1216 #ifdef CONFIG_SHA256
1217 
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1218 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
1219 		       const u8 *addr[], const size_t *len, u8 *mac)
1220 {
1221 	return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
1222 				   len, mac, 32);
1223 }
1224 
1225 
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1226 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
1227 		size_t data_len, u8 *mac)
1228 {
1229 	return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
1230 }
1231 
1232 #endif /* CONFIG_SHA256 */
1233 
1234 
1235 #ifdef CONFIG_SHA384
1236 
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1237 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
1238 		       const u8 *addr[], const size_t *len, u8 *mac)
1239 {
1240 	return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
1241 				   len, mac, 48);
1242 }
1243 
1244 
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1245 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
1246 		size_t data_len, u8 *mac)
1247 {
1248 	return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
1249 }
1250 
1251 #endif /* CONFIG_SHA384 */
1252 
1253 
1254 #ifdef CONFIG_SHA512
1255 
hmac_sha512_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1256 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
1257 		       const u8 *addr[], const size_t *len, u8 *mac)
1258 {
1259 	return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
1260 				   len, mac, 64);
1261 }
1262 
1263 
hmac_sha512(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1264 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
1265 		size_t data_len, u8 *mac)
1266 {
1267 	return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
1268 }
1269 
1270 #endif /* CONFIG_SHA512 */
1271 
1272 
crypto_get_random(void * buf,size_t len)1273 int crypto_get_random(void *buf, size_t len)
1274 {
1275 	if (RAND_bytes(buf, len) != 1)
1276 		return -1;
1277 	return 0;
1278 }
1279 
1280 
1281 #ifdef CONFIG_OPENSSL_CMAC
omac1_aes_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1282 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
1283 		     const u8 *addr[], const size_t *len, u8 *mac)
1284 {
1285 	CMAC_CTX *ctx;
1286 	int ret = -1;
1287 	size_t outlen, i;
1288 
1289 	if (TEST_FAIL())
1290 		return -1;
1291 
1292 	ctx = CMAC_CTX_new();
1293 	if (ctx == NULL)
1294 		return -1;
1295 
1296 	if (key_len == 32) {
1297 		if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
1298 			goto fail;
1299 	} else if (key_len == 16) {
1300 		if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
1301 			goto fail;
1302 	} else {
1303 		goto fail;
1304 	}
1305 	for (i = 0; i < num_elem; i++) {
1306 		if (!CMAC_Update(ctx, addr[i], len[i]))
1307 			goto fail;
1308 	}
1309 	if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
1310 		goto fail;
1311 
1312 	ret = 0;
1313 fail:
1314 	CMAC_CTX_free(ctx);
1315 	return ret;
1316 }
1317 
1318 
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1319 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
1320 			 const u8 *addr[], const size_t *len, u8 *mac)
1321 {
1322 	return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
1323 }
1324 
1325 
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1326 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1327 {
1328 	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
1329 }
1330 
1331 
omac1_aes_256(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1332 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1333 {
1334 	return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
1335 }
1336 #endif /* CONFIG_OPENSSL_CMAC */
1337 
1338 
crypto_bignum_init(void)1339 struct crypto_bignum * crypto_bignum_init(void)
1340 {
1341 	if (TEST_FAIL())
1342 		return NULL;
1343 	return (struct crypto_bignum *) BN_new();
1344 }
1345 
1346 
crypto_bignum_init_set(const u8 * buf,size_t len)1347 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
1348 {
1349 	BIGNUM *bn;
1350 
1351 	if (TEST_FAIL())
1352 		return NULL;
1353 
1354 	bn = BN_bin2bn(buf, len, NULL);
1355 	return (struct crypto_bignum *) bn;
1356 }
1357 
1358 
crypto_bignum_init_uint(unsigned int val)1359 struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
1360 {
1361 	BIGNUM *bn;
1362 
1363 	if (TEST_FAIL())
1364 		return NULL;
1365 
1366 	bn = BN_new();
1367 	if (!bn)
1368 		return NULL;
1369 	if (BN_set_word(bn, val) != 1) {
1370 		BN_free(bn);
1371 		return NULL;
1372 	}
1373 	return (struct crypto_bignum *) bn;
1374 }
1375 
1376 
crypto_bignum_deinit(struct crypto_bignum * n,int clear)1377 void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
1378 {
1379 	if (clear)
1380 		BN_clear_free((BIGNUM *) n);
1381 	else
1382 		BN_free((BIGNUM *) n);
1383 }
1384 
1385 
crypto_bignum_to_bin(const struct crypto_bignum * a,u8 * buf,size_t buflen,size_t padlen)1386 int crypto_bignum_to_bin(const struct crypto_bignum *a,
1387 			 u8 *buf, size_t buflen, size_t padlen)
1388 {
1389 	int num_bytes, offset;
1390 
1391 	if (TEST_FAIL())
1392 		return -1;
1393 
1394 	if (padlen > buflen)
1395 		return -1;
1396 
1397 	if (padlen) {
1398 #ifdef OPENSSL_IS_BORINGSSL
1399 		if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
1400 			return -1;
1401 		return padlen;
1402 #else /* OPENSSL_IS_BORINGSSL */
1403 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
1404 		return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
1405 #endif
1406 #endif
1407 	}
1408 
1409 	num_bytes = BN_num_bytes((const BIGNUM *) a);
1410 	if ((size_t) num_bytes > buflen)
1411 		return -1;
1412 	if (padlen > (size_t) num_bytes)
1413 		offset = padlen - num_bytes;
1414 	else
1415 		offset = 0;
1416 
1417 	os_memset(buf, 0, offset);
1418 	BN_bn2bin((const BIGNUM *) a, buf + offset);
1419 
1420 	return num_bytes + offset;
1421 }
1422 
1423 
crypto_bignum_rand(struct crypto_bignum * r,const struct crypto_bignum * m)1424 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
1425 {
1426 	if (TEST_FAIL())
1427 		return -1;
1428 	return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1;
1429 }
1430 
1431 
crypto_bignum_add(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1432 int crypto_bignum_add(const struct crypto_bignum *a,
1433 		      const struct crypto_bignum *b,
1434 		      struct crypto_bignum *c)
1435 {
1436 	return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1437 		0 : -1;
1438 }
1439 
1440 
crypto_bignum_mod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1441 int crypto_bignum_mod(const struct crypto_bignum *a,
1442 		      const struct crypto_bignum *b,
1443 		      struct crypto_bignum *c)
1444 {
1445 	int res;
1446 	BN_CTX *bnctx;
1447 
1448 	bnctx = BN_CTX_new();
1449 	if (bnctx == NULL)
1450 		return -1;
1451 	res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1452 		     bnctx);
1453 	BN_CTX_free(bnctx);
1454 
1455 	return res ? 0 : -1;
1456 }
1457 
1458 
crypto_bignum_exptmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1459 int crypto_bignum_exptmod(const struct crypto_bignum *a,
1460 			  const struct crypto_bignum *b,
1461 			  const struct crypto_bignum *c,
1462 			  struct crypto_bignum *d)
1463 {
1464 	int res;
1465 	BN_CTX *bnctx;
1466 
1467 	if (TEST_FAIL())
1468 		return -1;
1469 
1470 	bnctx = BN_CTX_new();
1471 	if (bnctx == NULL)
1472 		return -1;
1473 	res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
1474 					(const BIGNUM *) b, (const BIGNUM *) c,
1475 					bnctx, NULL);
1476 	BN_CTX_free(bnctx);
1477 
1478 	return res ? 0 : -1;
1479 }
1480 
1481 
crypto_bignum_inverse(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1482 int crypto_bignum_inverse(const struct crypto_bignum *a,
1483 			  const struct crypto_bignum *b,
1484 			  struct crypto_bignum *c)
1485 {
1486 	BIGNUM *res;
1487 	BN_CTX *bnctx;
1488 
1489 	if (TEST_FAIL())
1490 		return -1;
1491 	bnctx = BN_CTX_new();
1492 	if (bnctx == NULL)
1493 		return -1;
1494 #ifdef OPENSSL_IS_BORINGSSL
1495 	/* TODO: use BN_mod_inverse_blinded() ? */
1496 #else /* OPENSSL_IS_BORINGSSL */
1497 	BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
1498 #endif /* OPENSSL_IS_BORINGSSL */
1499 	res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
1500 			     (const BIGNUM *) b, bnctx);
1501 	BN_CTX_free(bnctx);
1502 
1503 	return res ? 0 : -1;
1504 }
1505 
1506 
crypto_bignum_sub(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1507 int crypto_bignum_sub(const struct crypto_bignum *a,
1508 		      const struct crypto_bignum *b,
1509 		      struct crypto_bignum *c)
1510 {
1511 	if (TEST_FAIL())
1512 		return -1;
1513 	return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1514 		0 : -1;
1515 }
1516 
1517 
crypto_bignum_div(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1518 int crypto_bignum_div(const struct crypto_bignum *a,
1519 		      const struct crypto_bignum *b,
1520 		      struct crypto_bignum *c)
1521 {
1522 	int res;
1523 
1524 	BN_CTX *bnctx;
1525 
1526 	if (TEST_FAIL())
1527 		return -1;
1528 
1529 	bnctx = BN_CTX_new();
1530 	if (bnctx == NULL)
1531 		return -1;
1532 #ifndef OPENSSL_IS_BORINGSSL
1533 	BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
1534 #endif /* OPENSSL_IS_BORINGSSL */
1535 	res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
1536 		     (const BIGNUM *) b, bnctx);
1537 	BN_CTX_free(bnctx);
1538 
1539 	return res ? 0 : -1;
1540 }
1541 
1542 
crypto_bignum_addmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1543 int crypto_bignum_addmod(const struct crypto_bignum *a,
1544 			 const struct crypto_bignum *b,
1545 			 const struct crypto_bignum *c,
1546 			 struct crypto_bignum *d)
1547 {
1548 	int res;
1549 	BN_CTX *bnctx;
1550 
1551 	if (TEST_FAIL())
1552 		return -1;
1553 
1554 	bnctx = BN_CTX_new();
1555 	if (!bnctx)
1556 		return -1;
1557 	res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1558 			 (const BIGNUM *) c, bnctx);
1559 	BN_CTX_free(bnctx);
1560 
1561 	return res ? 0 : -1;
1562 }
1563 
1564 
crypto_bignum_mulmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1565 int crypto_bignum_mulmod(const struct crypto_bignum *a,
1566 			 const struct crypto_bignum *b,
1567 			 const struct crypto_bignum *c,
1568 			 struct crypto_bignum *d)
1569 {
1570 	int res;
1571 
1572 	BN_CTX *bnctx;
1573 
1574 	if (TEST_FAIL())
1575 		return -1;
1576 
1577 	bnctx = BN_CTX_new();
1578 	if (bnctx == NULL)
1579 		return -1;
1580 	res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1581 			 (const BIGNUM *) c, bnctx);
1582 	BN_CTX_free(bnctx);
1583 
1584 	return res ? 0 : -1;
1585 }
1586 
1587 
crypto_bignum_sqrmod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1588 int crypto_bignum_sqrmod(const struct crypto_bignum *a,
1589 			 const struct crypto_bignum *b,
1590 			 struct crypto_bignum *c)
1591 {
1592 	int res;
1593 	BN_CTX *bnctx;
1594 
1595 	if (TEST_FAIL())
1596 		return -1;
1597 
1598 	bnctx = BN_CTX_new();
1599 	if (!bnctx)
1600 		return -1;
1601 	res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1602 			 bnctx);
1603 	BN_CTX_free(bnctx);
1604 
1605 	return res ? 0 : -1;
1606 }
1607 
1608 
crypto_bignum_rshift(const struct crypto_bignum * a,int n,struct crypto_bignum * r)1609 int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
1610 			 struct crypto_bignum *r)
1611 {
1612 	/* Note: BN_rshift() does not modify the first argument even though it
1613 	 * has not been marked const. */
1614 	return BN_rshift((BIGNUM *) a, (BIGNUM *) r, n) == 1 ? 0 : -1;
1615 }
1616 
1617 
crypto_bignum_cmp(const struct crypto_bignum * a,const struct crypto_bignum * b)1618 int crypto_bignum_cmp(const struct crypto_bignum *a,
1619 		      const struct crypto_bignum *b)
1620 {
1621 	return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
1622 }
1623 
1624 
crypto_bignum_is_zero(const struct crypto_bignum * a)1625 int crypto_bignum_is_zero(const struct crypto_bignum *a)
1626 {
1627 	return BN_is_zero((const BIGNUM *) a);
1628 }
1629 
1630 
crypto_bignum_is_one(const struct crypto_bignum * a)1631 int crypto_bignum_is_one(const struct crypto_bignum *a)
1632 {
1633 	return BN_is_one((const BIGNUM *) a);
1634 }
1635 
1636 
crypto_bignum_is_odd(const struct crypto_bignum * a)1637 int crypto_bignum_is_odd(const struct crypto_bignum *a)
1638 {
1639 	return BN_is_odd((const BIGNUM *) a);
1640 }
1641 
1642 
crypto_bignum_legendre(const struct crypto_bignum * a,const struct crypto_bignum * p)1643 int crypto_bignum_legendre(const struct crypto_bignum *a,
1644 			   const struct crypto_bignum *p)
1645 {
1646 	BN_CTX *bnctx;
1647 	BIGNUM *exp = NULL, *tmp = NULL;
1648 	int res = -2;
1649 	unsigned int mask;
1650 
1651 	if (TEST_FAIL())
1652 		return -2;
1653 
1654 	bnctx = BN_CTX_new();
1655 	if (bnctx == NULL)
1656 		return -2;
1657 
1658 	exp = BN_new();
1659 	tmp = BN_new();
1660 	if (!exp || !tmp ||
1661 	    /* exp = (p-1) / 2 */
1662 	    !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
1663 	    !BN_rshift1(exp, exp) ||
1664 	    !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
1665 				       (const BIGNUM *) p, bnctx, NULL))
1666 		goto fail;
1667 
1668 	/* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
1669 	 * constant time selection to avoid branches here. */
1670 	res = -1;
1671 	mask = const_time_eq(BN_is_word(tmp, 1), 1);
1672 	res = const_time_select_int(mask, 1, res);
1673 	mask = const_time_eq(BN_is_zero(tmp), 1);
1674 	res = const_time_select_int(mask, 0, res);
1675 
1676 fail:
1677 	BN_clear_free(tmp);
1678 	BN_clear_free(exp);
1679 	BN_CTX_free(bnctx);
1680 	return res;
1681 }
1682 
1683 
1684 #ifdef CONFIG_ECC
1685 
1686 struct crypto_ec {
1687 	EC_GROUP *group;
1688 	int nid;
1689 	BN_CTX *bnctx;
1690 	BIGNUM *prime;
1691 	BIGNUM *order;
1692 	BIGNUM *a;
1693 	BIGNUM *b;
1694 };
1695 
1696 
crypto_ec_group_2_nid(int group)1697 static int crypto_ec_group_2_nid(int group)
1698 {
1699 	/* Map from IANA registry for IKE D-H groups to OpenSSL NID */
1700 	switch (group) {
1701 	case 19:
1702 		return NID_X9_62_prime256v1;
1703 	case 20:
1704 		return NID_secp384r1;
1705 	case 21:
1706 		return NID_secp521r1;
1707 	case 25:
1708 		return NID_X9_62_prime192v1;
1709 	case 26:
1710 		return NID_secp224r1;
1711 #ifdef NID_brainpoolP224r1
1712 	case 27:
1713 		return NID_brainpoolP224r1;
1714 #endif /* NID_brainpoolP224r1 */
1715 #ifdef NID_brainpoolP256r1
1716 	case 28:
1717 		return NID_brainpoolP256r1;
1718 #endif /* NID_brainpoolP256r1 */
1719 #ifdef NID_brainpoolP384r1
1720 	case 29:
1721 		return NID_brainpoolP384r1;
1722 #endif /* NID_brainpoolP384r1 */
1723 #ifdef NID_brainpoolP512r1
1724 	case 30:
1725 		return NID_brainpoolP512r1;
1726 #endif /* NID_brainpoolP512r1 */
1727 	default:
1728 		return -1;
1729 	}
1730 }
1731 
1732 
crypto_ec_init(int group)1733 struct crypto_ec * crypto_ec_init(int group)
1734 {
1735 	struct crypto_ec *e;
1736 	int nid;
1737 
1738 	nid = crypto_ec_group_2_nid(group);
1739 	if (nid < 0)
1740 		return NULL;
1741 
1742 	e = os_zalloc(sizeof(*e));
1743 	if (e == NULL)
1744 		return NULL;
1745 
1746 	e->nid = nid;
1747 	e->bnctx = BN_CTX_new();
1748 	e->group = EC_GROUP_new_by_curve_name(nid);
1749 	e->prime = BN_new();
1750 	e->order = BN_new();
1751 	e->a = BN_new();
1752 	e->b = BN_new();
1753 	if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
1754 	    e->order == NULL || e->a == NULL || e->b == NULL ||
1755 	    !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) ||
1756 	    !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
1757 		crypto_ec_deinit(e);
1758 		e = NULL;
1759 	}
1760 
1761 	return e;
1762 }
1763 
1764 
crypto_ec_deinit(struct crypto_ec * e)1765 void crypto_ec_deinit(struct crypto_ec *e)
1766 {
1767 	if (e == NULL)
1768 		return;
1769 	BN_clear_free(e->b);
1770 	BN_clear_free(e->a);
1771 	BN_clear_free(e->order);
1772 	BN_clear_free(e->prime);
1773 	EC_GROUP_free(e->group);
1774 	BN_CTX_free(e->bnctx);
1775 	os_free(e);
1776 }
1777 
1778 
crypto_ec_point_init(struct crypto_ec * e)1779 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
1780 {
1781 	if (TEST_FAIL())
1782 		return NULL;
1783 	if (e == NULL)
1784 		return NULL;
1785 	return (struct crypto_ec_point *) EC_POINT_new(e->group);
1786 }
1787 
1788 
crypto_ec_prime_len(struct crypto_ec * e)1789 size_t crypto_ec_prime_len(struct crypto_ec *e)
1790 {
1791 	return BN_num_bytes(e->prime);
1792 }
1793 
1794 
crypto_ec_prime_len_bits(struct crypto_ec * e)1795 size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
1796 {
1797 	return BN_num_bits(e->prime);
1798 }
1799 
1800 
crypto_ec_order_len(struct crypto_ec * e)1801 size_t crypto_ec_order_len(struct crypto_ec *e)
1802 {
1803 	return BN_num_bytes(e->order);
1804 }
1805 
1806 
crypto_ec_get_prime(struct crypto_ec * e)1807 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
1808 {
1809 	return (const struct crypto_bignum *) e->prime;
1810 }
1811 
1812 
crypto_ec_get_order(struct crypto_ec * e)1813 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
1814 {
1815 	return (const struct crypto_bignum *) e->order;
1816 }
1817 
1818 
crypto_ec_get_a(struct crypto_ec * e)1819 const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
1820 {
1821 	return (const struct crypto_bignum *) e->a;
1822 }
1823 
1824 
crypto_ec_get_b(struct crypto_ec * e)1825 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
1826 {
1827 	return (const struct crypto_bignum *) e->b;
1828 }
1829 
1830 
crypto_ec_get_generator(struct crypto_ec * e)1831 const struct crypto_ec_point * crypto_ec_get_generator(struct crypto_ec *e)
1832 {
1833 	return (const struct crypto_ec_point *)
1834 		EC_GROUP_get0_generator(e->group);
1835 }
1836 
1837 
crypto_ec_point_deinit(struct crypto_ec_point * p,int clear)1838 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
1839 {
1840 	if (clear)
1841 		EC_POINT_clear_free((EC_POINT *) p);
1842 	else
1843 		EC_POINT_free((EC_POINT *) p);
1844 }
1845 
1846 
crypto_ec_point_x(struct crypto_ec * e,const struct crypto_ec_point * p,struct crypto_bignum * x)1847 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p,
1848 		      struct crypto_bignum *x)
1849 {
1850 	return EC_POINT_get_affine_coordinates_GFp(e->group,
1851 						   (const EC_POINT *) p,
1852 						   (BIGNUM *) x, NULL,
1853 						   e->bnctx) == 1 ? 0 : -1;
1854 }
1855 
1856 
crypto_ec_point_to_bin(struct crypto_ec * e,const struct crypto_ec_point * point,u8 * x,u8 * y)1857 int crypto_ec_point_to_bin(struct crypto_ec *e,
1858 			   const struct crypto_ec_point *point, u8 *x, u8 *y)
1859 {
1860 	BIGNUM *x_bn, *y_bn;
1861 	int ret = -1;
1862 	int len = BN_num_bytes(e->prime);
1863 
1864 	if (TEST_FAIL())
1865 		return -1;
1866 
1867 	x_bn = BN_new();
1868 	y_bn = BN_new();
1869 
1870 	if (x_bn && y_bn &&
1871 	    EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point,
1872 						x_bn, y_bn, e->bnctx)) {
1873 		if (x) {
1874 			crypto_bignum_to_bin((struct crypto_bignum *) x_bn,
1875 					     x, len, len);
1876 		}
1877 		if (y) {
1878 			crypto_bignum_to_bin((struct crypto_bignum *) y_bn,
1879 					     y, len, len);
1880 		}
1881 		ret = 0;
1882 	}
1883 
1884 	BN_clear_free(x_bn);
1885 	BN_clear_free(y_bn);
1886 	return ret;
1887 }
1888 
1889 
crypto_ec_point_from_bin(struct crypto_ec * e,const u8 * val)1890 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
1891 						  const u8 *val)
1892 {
1893 	BIGNUM *x, *y;
1894 	EC_POINT *elem;
1895 	int len = BN_num_bytes(e->prime);
1896 
1897 	if (TEST_FAIL())
1898 		return NULL;
1899 
1900 	x = BN_bin2bn(val, len, NULL);
1901 	y = BN_bin2bn(val + len, len, NULL);
1902 	elem = EC_POINT_new(e->group);
1903 	if (x == NULL || y == NULL || elem == NULL) {
1904 		BN_clear_free(x);
1905 		BN_clear_free(y);
1906 		EC_POINT_clear_free(elem);
1907 		return NULL;
1908 	}
1909 
1910 	if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y,
1911 						 e->bnctx)) {
1912 		EC_POINT_clear_free(elem);
1913 		elem = NULL;
1914 	}
1915 
1916 	BN_clear_free(x);
1917 	BN_clear_free(y);
1918 
1919 	return (struct crypto_ec_point *) elem;
1920 }
1921 
1922 
crypto_ec_point_add(struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b,struct crypto_ec_point * c)1923 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
1924 			const struct crypto_ec_point *b,
1925 			struct crypto_ec_point *c)
1926 {
1927 	if (TEST_FAIL())
1928 		return -1;
1929 	return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
1930 			    (const EC_POINT *) b, e->bnctx) ? 0 : -1;
1931 }
1932 
1933 
crypto_ec_point_mul(struct crypto_ec * e,const struct crypto_ec_point * p,const struct crypto_bignum * b,struct crypto_ec_point * res)1934 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
1935 			const struct crypto_bignum *b,
1936 			struct crypto_ec_point *res)
1937 {
1938 	if (TEST_FAIL())
1939 		return -1;
1940 	return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
1941 			    (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
1942 		? 0 : -1;
1943 }
1944 
1945 
crypto_ec_point_invert(struct crypto_ec * e,struct crypto_ec_point * p)1946 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
1947 {
1948 	if (TEST_FAIL())
1949 		return -1;
1950 	return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
1951 }
1952 
1953 
1954 struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec * e,const struct crypto_bignum * x)1955 crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
1956 			      const struct crypto_bignum *x)
1957 {
1958 	BIGNUM *tmp;
1959 
1960 	if (TEST_FAIL())
1961 		return NULL;
1962 
1963 	tmp = BN_new();
1964 
1965 	/* y^2 = x^3 + ax + b = (x^2 + a)x + b */
1966 	if (tmp &&
1967 	    BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1968 	    BN_mod_add_quick(tmp, e->a, tmp, e->prime) &&
1969 	    BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1970 	    BN_mod_add_quick(tmp, tmp, e->b, e->prime))
1971 		return (struct crypto_bignum *) tmp;
1972 
1973 	BN_clear_free(tmp);
1974 	return NULL;
1975 }
1976 
1977 
crypto_ec_point_is_at_infinity(struct crypto_ec * e,const struct crypto_ec_point * p)1978 int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
1979 				   const struct crypto_ec_point *p)
1980 {
1981 	return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
1982 }
1983 
1984 
crypto_ec_point_is_on_curve(struct crypto_ec * e,const struct crypto_ec_point * p)1985 int crypto_ec_point_is_on_curve(struct crypto_ec *e,
1986 				const struct crypto_ec_point *p)
1987 {
1988 	return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
1989 				    e->bnctx) == 1;
1990 }
1991 
1992 
crypto_ec_point_cmp(const struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b)1993 int crypto_ec_point_cmp(const struct crypto_ec *e,
1994 			const struct crypto_ec_point *a,
1995 			const struct crypto_ec_point *b)
1996 {
1997 	return EC_POINT_cmp(e->group, (const EC_POINT *) a,
1998 			    (const EC_POINT *) b, e->bnctx);
1999 }
2000 
2001 
crypto_ec_point_debug_print(const struct crypto_ec * e,const struct crypto_ec_point * p,const char * title)2002 void crypto_ec_point_debug_print(const struct crypto_ec *e,
2003 				 const struct crypto_ec_point *p,
2004 				 const char *title)
2005 {
2006 	BIGNUM *x, *y;
2007 	char *x_str = NULL, *y_str = NULL;
2008 
2009 	x = BN_new();
2010 	y = BN_new();
2011 	if (!x || !y ||
2012 	    EC_POINT_get_affine_coordinates_GFp(e->group, (const EC_POINT *) p,
2013 						x, y, e->bnctx) != 1)
2014 		goto fail;
2015 
2016 	x_str = BN_bn2hex(x);
2017 	y_str = BN_bn2hex(y);
2018 	if (!x_str || !y_str)
2019 		goto fail;
2020 
2021 	wpa_printf(MSG_DEBUG, "%s (%s,%s)", title, x_str, y_str);
2022 
2023 fail:
2024 	OPENSSL_free(x_str);
2025 	OPENSSL_free(y_str);
2026 	BN_free(x);
2027 	BN_free(y);
2028 }
2029 
2030 
2031 struct crypto_ecdh {
2032 	struct crypto_ec *ec;
2033 	EVP_PKEY *pkey;
2034 };
2035 
crypto_ecdh_init(int group)2036 struct crypto_ecdh * crypto_ecdh_init(int group)
2037 {
2038 	struct crypto_ecdh *ecdh;
2039 	EVP_PKEY *params = NULL;
2040 	EC_KEY *ec_params = NULL;
2041 	EVP_PKEY_CTX *kctx = NULL;
2042 
2043 	ecdh = os_zalloc(sizeof(*ecdh));
2044 	if (!ecdh)
2045 		goto fail;
2046 
2047 	ecdh->ec = crypto_ec_init(group);
2048 	if (!ecdh->ec)
2049 		goto fail;
2050 
2051 	ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2052 	if (!ec_params) {
2053 		wpa_printf(MSG_ERROR,
2054 			   "OpenSSL: Failed to generate EC_KEY parameters");
2055 		goto fail;
2056 	}
2057 	EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
2058 	params = EVP_PKEY_new();
2059 	if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
2060 		wpa_printf(MSG_ERROR,
2061 			   "OpenSSL: Failed to generate EVP_PKEY parameters");
2062 		goto fail;
2063 	}
2064 
2065 	kctx = EVP_PKEY_CTX_new(params, NULL);
2066 	if (!kctx)
2067 		goto fail;
2068 
2069 	if (EVP_PKEY_keygen_init(kctx) != 1) {
2070 		wpa_printf(MSG_ERROR,
2071 			   "OpenSSL: EVP_PKEY_keygen_init failed: %s",
2072 			   ERR_error_string(ERR_get_error(), NULL));
2073 		goto fail;
2074 	}
2075 
2076 	if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) {
2077 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s",
2078 			   ERR_error_string(ERR_get_error(), NULL));
2079 		goto fail;
2080 	}
2081 
2082 done:
2083 	EC_KEY_free(ec_params);
2084 	EVP_PKEY_free(params);
2085 	EVP_PKEY_CTX_free(kctx);
2086 
2087 	return ecdh;
2088 fail:
2089 	crypto_ecdh_deinit(ecdh);
2090 	ecdh = NULL;
2091 	goto done;
2092 }
2093 
2094 
crypto_ecdh_init2(int group,struct crypto_ec_key * own_key)2095 struct crypto_ecdh * crypto_ecdh_init2(int group, struct crypto_ec_key *own_key)
2096 {
2097 	struct crypto_ecdh *ecdh;
2098 
2099 	ecdh = os_zalloc(sizeof(*ecdh));
2100 	if (!ecdh)
2101 		goto fail;
2102 
2103 	ecdh->ec = crypto_ec_init(group);
2104 	if (!ecdh->ec)
2105 		goto fail;
2106 
2107 	ecdh->pkey = EVP_PKEY_new();
2108 	if (!ecdh->pkey ||
2109 	    EVP_PKEY_assign_EC_KEY(ecdh->pkey,
2110 				   EVP_PKEY_get1_EC_KEY((EVP_PKEY *) own_key))
2111 	    != 1)
2112 		goto fail;
2113 
2114 	return ecdh;
2115 fail:
2116 	crypto_ecdh_deinit(ecdh);
2117 	return NULL;
2118 }
2119 
2120 
crypto_ecdh_get_pubkey(struct crypto_ecdh * ecdh,int inc_y)2121 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y)
2122 {
2123 	struct wpabuf *buf = NULL;
2124 	EC_KEY *eckey;
2125 	const EC_POINT *pubkey;
2126 	BIGNUM *x, *y = NULL;
2127 	int len = BN_num_bytes(ecdh->ec->prime);
2128 	int res;
2129 
2130 	eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey);
2131 	if (!eckey)
2132 		return NULL;
2133 
2134 	pubkey = EC_KEY_get0_public_key(eckey);
2135 	if (!pubkey)
2136 		return NULL;
2137 
2138 	x = BN_new();
2139 	if (inc_y) {
2140 		y = BN_new();
2141 		if (!y)
2142 			goto fail;
2143 	}
2144 	buf = wpabuf_alloc(inc_y ? 2 * len : len);
2145 	if (!x || !buf)
2146 		goto fail;
2147 
2148 	if (EC_POINT_get_affine_coordinates_GFp(ecdh->ec->group, pubkey,
2149 						x, y, ecdh->ec->bnctx) != 1) {
2150 		wpa_printf(MSG_ERROR,
2151 			   "OpenSSL: EC_POINT_get_affine_coordinates_GFp failed: %s",
2152 			   ERR_error_string(ERR_get_error(), NULL));
2153 		goto fail;
2154 	}
2155 
2156 	res = crypto_bignum_to_bin((struct crypto_bignum *) x,
2157 				   wpabuf_put(buf, len), len, len);
2158 	if (res < 0)
2159 		goto fail;
2160 
2161 	if (inc_y) {
2162 		res = crypto_bignum_to_bin((struct crypto_bignum *) y,
2163 					   wpabuf_put(buf, len), len, len);
2164 		if (res < 0)
2165 			goto fail;
2166 	}
2167 
2168 done:
2169 	BN_clear_free(x);
2170 	BN_clear_free(y);
2171 	EC_KEY_free(eckey);
2172 
2173 	return buf;
2174 fail:
2175 	wpabuf_free(buf);
2176 	buf = NULL;
2177 	goto done;
2178 }
2179 
2180 
crypto_ecdh_set_peerkey(struct crypto_ecdh * ecdh,int inc_y,const u8 * key,size_t len)2181 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
2182 					const u8 *key, size_t len)
2183 {
2184 	BIGNUM *x, *y = NULL;
2185 	EVP_PKEY_CTX *ctx = NULL;
2186 	EVP_PKEY *peerkey = NULL;
2187 	struct wpabuf *secret = NULL;
2188 	size_t secret_len;
2189 	EC_POINT *pub;
2190 	EC_KEY *eckey = NULL;
2191 
2192 	x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL);
2193 	pub = EC_POINT_new(ecdh->ec->group);
2194 	if (!x || !pub)
2195 		goto fail;
2196 
2197 	if (inc_y) {
2198 		y = BN_bin2bn(key + len / 2, len / 2, NULL);
2199 		if (!y)
2200 			goto fail;
2201 		if (!EC_POINT_set_affine_coordinates_GFp(ecdh->ec->group, pub,
2202 							 x, y,
2203 							 ecdh->ec->bnctx)) {
2204 			wpa_printf(MSG_ERROR,
2205 				   "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
2206 				   ERR_error_string(ERR_get_error(), NULL));
2207 			goto fail;
2208 		}
2209 	} else if (!EC_POINT_set_compressed_coordinates_GFp(ecdh->ec->group,
2210 							    pub, x, 0,
2211 							    ecdh->ec->bnctx)) {
2212 		wpa_printf(MSG_ERROR,
2213 			   "OpenSSL: EC_POINT_set_compressed_coordinates_GFp failed: %s",
2214 			   ERR_error_string(ERR_get_error(), NULL));
2215 		goto fail;
2216 	}
2217 
2218 	if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) {
2219 		wpa_printf(MSG_ERROR,
2220 			   "OpenSSL: ECDH peer public key is not on curve");
2221 		goto fail;
2222 	}
2223 
2224 	eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2225 	if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) {
2226 		wpa_printf(MSG_ERROR,
2227 			   "OpenSSL: EC_KEY_set_public_key failed: %s",
2228 			   ERR_error_string(ERR_get_error(), NULL));
2229 		goto fail;
2230 	}
2231 
2232 	peerkey = EVP_PKEY_new();
2233 	if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1)
2234 		goto fail;
2235 
2236 	ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
2237 	if (!ctx || EVP_PKEY_derive_init(ctx) != 1 ||
2238 	    EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
2239 	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) {
2240 		wpa_printf(MSG_ERROR,
2241 			   "OpenSSL: EVP_PKEY_derive(1) failed: %s",
2242 			   ERR_error_string(ERR_get_error(), NULL));
2243 		goto fail;
2244 	}
2245 
2246 	secret = wpabuf_alloc(secret_len);
2247 	if (!secret)
2248 		goto fail;
2249 	if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
2250 		wpa_printf(MSG_ERROR,
2251 			   "OpenSSL: EVP_PKEY_derive(2) failed: %s",
2252 			   ERR_error_string(ERR_get_error(), NULL));
2253 		goto fail;
2254 	}
2255 	if (secret->size != secret_len)
2256 		wpa_printf(MSG_DEBUG,
2257 			   "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
2258 			   (int) secret->size, (int) secret_len);
2259 	wpabuf_put(secret, secret_len);
2260 
2261 done:
2262 	BN_free(x);
2263 	BN_free(y);
2264 	EC_KEY_free(eckey);
2265 	EC_POINT_free(pub);
2266 	EVP_PKEY_CTX_free(ctx);
2267 	EVP_PKEY_free(peerkey);
2268 	return secret;
2269 fail:
2270 	wpabuf_free(secret);
2271 	secret = NULL;
2272 	goto done;
2273 }
2274 
2275 
crypto_ecdh_deinit(struct crypto_ecdh * ecdh)2276 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
2277 {
2278 	if (ecdh) {
2279 		crypto_ec_deinit(ecdh->ec);
2280 		EVP_PKEY_free(ecdh->pkey);
2281 		os_free(ecdh);
2282 	}
2283 }
2284 
2285 
crypto_ecdh_prime_len(struct crypto_ecdh * ecdh)2286 size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
2287 {
2288 	return crypto_ec_prime_len(ecdh->ec);
2289 }
2290 
2291 
crypto_ec_key_parse_priv(const u8 * der,size_t der_len)2292 struct crypto_ec_key * crypto_ec_key_parse_priv(const u8 *der, size_t der_len)
2293 {
2294 	EVP_PKEY *pkey = NULL;
2295 	EC_KEY *eckey;
2296 
2297 	eckey = d2i_ECPrivateKey(NULL, &der, der_len);
2298 	if (!eckey) {
2299 		wpa_printf(MSG_INFO, "OpenSSL: d2i_ECPrivateKey() failed: %s",
2300 			   ERR_error_string(ERR_get_error(), NULL));
2301 		goto fail;
2302 	}
2303 	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
2304 
2305 	pkey = EVP_PKEY_new();
2306 	if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
2307 		EC_KEY_free(eckey);
2308 		goto fail;
2309 	}
2310 
2311 	return (struct crypto_ec_key *) pkey;
2312 fail:
2313 	crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
2314 	return NULL;
2315 }
2316 
2317 
crypto_ec_key_parse_pub(const u8 * der,size_t der_len)2318 struct crypto_ec_key * crypto_ec_key_parse_pub(const u8 *der, size_t der_len)
2319 {
2320 	EVP_PKEY *pkey;
2321 
2322 	pkey = d2i_PUBKEY(NULL, &der, der_len);
2323 	if (!pkey) {
2324 		wpa_printf(MSG_INFO, "OpenSSL: d2i_PUBKEY() failed: %s",
2325 			   ERR_error_string(ERR_get_error(), NULL));
2326 		goto fail;
2327 	}
2328 
2329 	/* Ensure this is an EC key */
2330 	if (!EVP_PKEY_get0_EC_KEY(pkey))
2331 		goto fail;
2332 	return (struct crypto_ec_key *) pkey;
2333 fail:
2334 	crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
2335 	return NULL;
2336 }
2337 
2338 
crypto_ec_key_set_pub(int group,const u8 * buf_x,const u8 * buf_y,size_t len)2339 struct crypto_ec_key * crypto_ec_key_set_pub(int group, const u8 *buf_x,
2340 					     const u8 *buf_y, size_t len)
2341 {
2342 	EC_KEY *eckey = NULL;
2343 	EVP_PKEY *pkey = NULL;
2344 	EC_GROUP *ec_group = NULL;
2345 	BN_CTX *ctx;
2346 	EC_POINT *point = NULL;
2347 	BIGNUM *x = NULL, *y = NULL;
2348 	int nid;
2349 
2350 	if (!buf_x || !buf_y)
2351 		return NULL;
2352 
2353 	nid = crypto_ec_group_2_nid(group);
2354 	if (nid < 0) {
2355 		wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
2356 		return NULL;
2357 	}
2358 
2359 	ctx = BN_CTX_new();
2360 	if (!ctx)
2361 		goto fail;
2362 
2363 	ec_group = EC_GROUP_new_by_curve_name(nid);
2364 	if (!ec_group)
2365 		goto fail;
2366 
2367 	x = BN_bin2bn(buf_x, len, NULL);
2368 	y = BN_bin2bn(buf_y, len, NULL);
2369 	point = EC_POINT_new(ec_group);
2370 	if (!x || !y || !point)
2371 		goto fail;
2372 
2373 	if (!EC_POINT_set_affine_coordinates_GFp(ec_group, point, x, y, ctx)) {
2374 		wpa_printf(MSG_ERROR,
2375 			   "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
2376 			   ERR_error_string(ERR_get_error(), NULL));
2377 		goto fail;
2378 	}
2379 
2380 	if (!EC_POINT_is_on_curve(ec_group, point, ctx) ||
2381 	    EC_POINT_is_at_infinity(ec_group, point)) {
2382 		wpa_printf(MSG_ERROR, "OpenSSL: Invalid point");
2383 		goto fail;
2384 	}
2385 
2386 	eckey = EC_KEY_new();
2387 	if (!eckey ||
2388 	    EC_KEY_set_group(eckey, ec_group) != 1 ||
2389 	    EC_KEY_set_public_key(eckey, point) != 1) {
2390 		wpa_printf(MSG_ERROR,
2391 			   "OpenSSL: Failed to set EC_KEY: %s",
2392 			   ERR_error_string(ERR_get_error(), NULL));
2393 		goto fail;
2394 	}
2395 	EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
2396 
2397 	pkey = EVP_PKEY_new();
2398 	if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
2399 		wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
2400 		goto fail;
2401 	}
2402 
2403 out:
2404 	EC_GROUP_free(ec_group);
2405 	BN_free(x);
2406 	BN_free(y);
2407 	EC_POINT_free(point);
2408 	BN_CTX_free(ctx);
2409 	return (struct crypto_ec_key *) pkey;
2410 
2411 fail:
2412 	EC_KEY_free(eckey);
2413 	EVP_PKEY_free(pkey);
2414 	pkey = NULL;
2415 	goto out;
2416 }
2417 
2418 
2419 struct crypto_ec_key *
crypto_ec_key_set_pub_point(struct crypto_ec * ec,const struct crypto_ec_point * pub)2420 crypto_ec_key_set_pub_point(struct crypto_ec *ec,
2421 			    const struct crypto_ec_point *pub)
2422 {
2423 	EC_KEY *eckey;
2424 	EVP_PKEY *pkey = NULL;
2425 
2426 	eckey = EC_KEY_new();
2427 	if (!eckey ||
2428 	    EC_KEY_set_group(eckey, ec->group) != 1 ||
2429 	    EC_KEY_set_public_key(eckey, (const EC_POINT *) pub) != 1) {
2430 		wpa_printf(MSG_ERROR,
2431 			   "OpenSSL: Failed to set EC_KEY: %s",
2432 			   ERR_error_string(ERR_get_error(), NULL));
2433 		goto fail;
2434 	}
2435 	EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
2436 
2437 	pkey = EVP_PKEY_new();
2438 	if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
2439 		wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
2440 		goto fail;
2441 	}
2442 
2443 out:
2444 	return (struct crypto_ec_key *) pkey;
2445 
2446 fail:
2447 	EVP_PKEY_free(pkey);
2448 	EC_KEY_free(eckey);
2449 	pkey = NULL;
2450 	goto out;
2451 }
2452 
2453 
crypto_ec_key_gen(int group)2454 struct crypto_ec_key * crypto_ec_key_gen(int group)
2455 {
2456 	EVP_PKEY_CTX *kctx = NULL;
2457 	EC_KEY *ec_params = NULL, *eckey;
2458 	EVP_PKEY *params = NULL, *key = NULL;
2459 	int nid;
2460 
2461 	nid = crypto_ec_group_2_nid(group);
2462 	if (nid < 0) {
2463 		wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
2464 		return NULL;
2465 	}
2466 
2467 	ec_params = EC_KEY_new_by_curve_name(nid);
2468 	if (!ec_params) {
2469 		wpa_printf(MSG_ERROR,
2470 			   "OpenSSL: Failed to generate EC_KEY parameters");
2471 		goto fail;
2472 	}
2473 	EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
2474 	params = EVP_PKEY_new();
2475 	if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
2476 		wpa_printf(MSG_ERROR,
2477 			   "OpenSSL: Failed to generate EVP_PKEY parameters");
2478 		goto fail;
2479 	}
2480 
2481 	kctx = EVP_PKEY_CTX_new(params, NULL);
2482 	if (!kctx ||
2483 	    EVP_PKEY_keygen_init(kctx) != 1 ||
2484 	    EVP_PKEY_keygen(kctx, &key) != 1) {
2485 		wpa_printf(MSG_ERROR, "OpenSSL: Failed to generate EC key");
2486 		key = NULL;
2487 		goto fail;
2488 	}
2489 
2490 	eckey = EVP_PKEY_get1_EC_KEY(key);
2491 	if (!eckey) {
2492 		key = NULL;
2493 		goto fail;
2494 	}
2495 	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
2496 	EC_KEY_free(eckey);
2497 
2498 fail:
2499 	EC_KEY_free(ec_params);
2500 	EVP_PKEY_free(params);
2501 	EVP_PKEY_CTX_free(kctx);
2502 	return (struct crypto_ec_key *) key;
2503 }
2504 
2505 
crypto_ec_key_deinit(struct crypto_ec_key * key)2506 void crypto_ec_key_deinit(struct crypto_ec_key *key)
2507 {
2508 	EVP_PKEY_free((EVP_PKEY *) key);
2509 }
2510 
2511 
2512 #ifdef OPENSSL_IS_BORINGSSL
2513 
2514 /* BoringSSL version of i2d_PUBKEY() always outputs public EC key using
2515  * uncompressed form so define a custom function to export EC pubkey using
2516  * the compressed format that is explicitly required for some protocols. */
2517 
2518 #include <openssl/asn1.h>
2519 #include <openssl/asn1t.h>
2520 
2521 typedef struct {
2522 	/* AlgorithmIdentifier ecPublicKey with optional parameters present
2523 	 * as an OID identifying the curve */
2524 	X509_ALGOR *alg;
2525 	/* Compressed format public key per ANSI X9.63 */
2526 	ASN1_BIT_STRING *pub_key;
2527 } EC_COMP_PUBKEY;
2528 
2529 ASN1_SEQUENCE(EC_COMP_PUBKEY) = {
2530 	ASN1_SIMPLE(EC_COMP_PUBKEY, alg, X509_ALGOR),
2531 	ASN1_SIMPLE(EC_COMP_PUBKEY, pub_key, ASN1_BIT_STRING)
2532 } ASN1_SEQUENCE_END(EC_COMP_PUBKEY);
2533 
2534 IMPLEMENT_ASN1_FUNCTIONS(EC_COMP_PUBKEY);
2535 
2536 #endif /* OPENSSL_IS_BORINGSSL */
2537 
2538 
crypto_ec_key_get_subject_public_key(struct crypto_ec_key * key)2539 struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
2540 {
2541 #ifdef OPENSSL_IS_BORINGSSL
2542 	unsigned char *der = NULL;
2543 	int der_len;
2544 	const EC_KEY *eckey;
2545 	struct wpabuf *ret = NULL;
2546 	size_t len;
2547 	const EC_GROUP *group;
2548 	const EC_POINT *point;
2549 	BN_CTX *ctx;
2550 	EC_COMP_PUBKEY *pubkey = NULL;
2551 	int nid;
2552 
2553 	ctx = BN_CTX_new();
2554 	eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
2555 	if (!ctx || !eckey)
2556 		goto fail;
2557 
2558 	group = EC_KEY_get0_group(eckey);
2559 	point = EC_KEY_get0_public_key(eckey);
2560 	if (!group || !point)
2561 		goto fail;
2562 	nid = EC_GROUP_get_curve_name(group);
2563 
2564 	pubkey = EC_COMP_PUBKEY_new();
2565 	if (!pubkey ||
2566 	    X509_ALGOR_set0(pubkey->alg, OBJ_nid2obj(EVP_PKEY_EC),
2567 			    V_ASN1_OBJECT, (void *) OBJ_nid2obj(nid)) != 1)
2568 		goto fail;
2569 
2570 	len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
2571 				 NULL, 0, ctx);
2572 	if (len == 0)
2573 		goto fail;
2574 
2575 	der = OPENSSL_malloc(len);
2576 	if (!der)
2577 		goto fail;
2578 	len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
2579 				 der, len, ctx);
2580 
2581 	OPENSSL_free(pubkey->pub_key->data);
2582 	pubkey->pub_key->data = der;
2583 	der = NULL;
2584 	pubkey->pub_key->length = len;
2585 	/* No unused bits */
2586 	pubkey->pub_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
2587 	pubkey->pub_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;
2588 
2589 	der_len = i2d_EC_COMP_PUBKEY(pubkey, &der);
2590 	if (der_len <= 0) {
2591 		wpa_printf(MSG_ERROR,
2592 			   "BoringSSL: Failed to build DER encoded public key");
2593 		goto fail;
2594 	}
2595 
2596 	ret = wpabuf_alloc_copy(der, der_len);
2597 fail:
2598 	EC_COMP_PUBKEY_free(pubkey);
2599 	OPENSSL_free(der);
2600 	BN_CTX_free(ctx);
2601 	return ret;
2602 #else /* OPENSSL_IS_BORINGSSL */
2603 	unsigned char *der = NULL;
2604 	int der_len;
2605 	struct wpabuf *buf;
2606 	EC_KEY *eckey;
2607 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2608 	EVP_PKEY *tmp;
2609 #endif /* OpenSSL version >= 3.0 */
2610 
2611 	eckey = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) key);
2612 	if (!eckey)
2613 		return NULL;
2614 
2615 	/* For now, all users expect COMPRESSED form */
2616 	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
2617 
2618 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2619 	tmp = EVP_PKEY_new();
2620 	if (!tmp)
2621 		return NULL;
2622 	if (EVP_PKEY_set1_EC_KEY(tmp, eckey) != 1) {
2623 		EVP_PKEY_free(tmp);
2624 		return NULL;
2625 	}
2626 	key = (struct crypto_ec_key *) tmp;
2627 #endif /* OpenSSL version >= 3.0 */
2628 
2629 	der_len = i2d_PUBKEY((EVP_PKEY *) key, &der);
2630 	EC_KEY_free(eckey);
2631 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
2632 	EVP_PKEY_free(tmp);
2633 #endif /* OpenSSL version >= 3.0 */
2634 	if (der_len <= 0) {
2635 		wpa_printf(MSG_INFO, "OpenSSL: i2d_PUBKEY() failed: %s",
2636 			   ERR_error_string(ERR_get_error(), NULL));
2637 		return NULL;
2638 	}
2639 
2640 	buf = wpabuf_alloc_copy(der, der_len);
2641 	OPENSSL_free(der);
2642 	return buf;
2643 #endif /* OPENSSL_IS_BORINGSSL */
2644 }
2645 
2646 
crypto_ec_key_get_ecprivate_key(struct crypto_ec_key * key,bool include_pub)2647 struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key,
2648 						bool include_pub)
2649 {
2650 	EC_KEY *eckey;
2651 	unsigned char *der = NULL;
2652 	int der_len;
2653 	struct wpabuf *buf;
2654 	unsigned int key_flags;
2655 
2656 	eckey = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) key);
2657 	if (!eckey)
2658 		return NULL;
2659 
2660 	key_flags = EC_KEY_get_enc_flags(eckey);
2661 	if (include_pub)
2662 		key_flags &= ~EC_PKEY_NO_PUBKEY;
2663 	else
2664 		key_flags |= EC_PKEY_NO_PUBKEY;
2665 	EC_KEY_set_enc_flags(eckey, key_flags);
2666 
2667 	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
2668 
2669 	der_len = i2d_ECPrivateKey(eckey, &der);
2670 	EC_KEY_free(eckey);
2671 	if (der_len <= 0)
2672 		return NULL;
2673 	buf = wpabuf_alloc_copy(der, der_len);
2674 	OPENSSL_free(der);
2675 
2676 	return buf;
2677 }
2678 
2679 
crypto_ec_key_get_pubkey_point(struct crypto_ec_key * key,int prefix)2680 struct wpabuf * crypto_ec_key_get_pubkey_point(struct crypto_ec_key *key,
2681 					       int prefix)
2682 {
2683 	int len, res;
2684 	EC_KEY *eckey;
2685 	struct wpabuf *buf;
2686 	unsigned char *pos;
2687 
2688 	eckey = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) key);
2689 	if (!eckey)
2690 		return NULL;
2691 	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
2692 	len = i2o_ECPublicKey(eckey, NULL);
2693 	if (len <= 0) {
2694 		wpa_printf(MSG_ERROR,
2695 			   "OpenSSL: Failed to determine public key encoding length");
2696 		EC_KEY_free(eckey);
2697 		return NULL;
2698 	}
2699 
2700 	buf = wpabuf_alloc(len);
2701 	if (!buf) {
2702 		EC_KEY_free(eckey);
2703 		return NULL;
2704 	}
2705 
2706 	pos = wpabuf_put(buf, len);
2707 	res = i2o_ECPublicKey(eckey, &pos);
2708 	EC_KEY_free(eckey);
2709 	if (res != len) {
2710 		wpa_printf(MSG_ERROR,
2711 			   "OpenSSL: Failed to encode public key (res=%d/%d)",
2712 			   res, len);
2713 		wpabuf_free(buf);
2714 		return NULL;
2715 	}
2716 
2717 	if (!prefix) {
2718 		/* Remove 0x04 prefix if requested */
2719 		pos = wpabuf_mhead(buf);
2720 		os_memmove(pos, pos + 1, len - 1);
2721 		buf->used--;
2722 	}
2723 
2724 	return buf;
2725 }
2726 
2727 
2728 const struct crypto_ec_point *
crypto_ec_key_get_public_key(struct crypto_ec_key * key)2729 crypto_ec_key_get_public_key(struct crypto_ec_key *key)
2730 {
2731 	const EC_KEY *eckey;
2732 
2733 	eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
2734 	if (!eckey)
2735 		return NULL;
2736 	return (const struct crypto_ec_point *) EC_KEY_get0_public_key(eckey);
2737 }
2738 
2739 
2740 const struct crypto_bignum *
crypto_ec_key_get_private_key(struct crypto_ec_key * key)2741 crypto_ec_key_get_private_key(struct crypto_ec_key *key)
2742 {
2743 	const EC_KEY *eckey;
2744 
2745 	eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
2746 	if (!eckey)
2747 		return NULL;
2748 	return (const struct crypto_bignum *) EC_KEY_get0_private_key(eckey);
2749 }
2750 
2751 
crypto_ec_key_sign(struct crypto_ec_key * key,const u8 * data,size_t len)2752 struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
2753 				   size_t len)
2754 {
2755 	EVP_PKEY_CTX *pkctx;
2756 	struct wpabuf *sig_der;
2757 	size_t sig_len;
2758 
2759 	sig_len = EVP_PKEY_size((EVP_PKEY *) key);
2760 	sig_der = wpabuf_alloc(sig_len);
2761 	if (!sig_der)
2762 		return NULL;
2763 
2764 	pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
2765 	if (!pkctx ||
2766 	    EVP_PKEY_sign_init(pkctx) <= 0 ||
2767 	    EVP_PKEY_sign(pkctx, wpabuf_put(sig_der, 0), &sig_len,
2768 			  data, len) <= 0) {
2769 		wpabuf_free(sig_der);
2770 		sig_der = NULL;
2771 	} else {
2772 		wpabuf_put(sig_der, sig_len);
2773 	}
2774 
2775 	EVP_PKEY_CTX_free(pkctx);
2776 	return sig_der;
2777 }
2778 
2779 
crypto_ec_key_sign_r_s(struct crypto_ec_key * key,const u8 * data,size_t len)2780 struct wpabuf * crypto_ec_key_sign_r_s(struct crypto_ec_key *key,
2781 				       const u8 *data, size_t len)
2782 {
2783 	const EC_GROUP *group;
2784 	const EC_KEY *eckey;
2785 	BIGNUM *prime = NULL;
2786 	ECDSA_SIG *sig = NULL;
2787 	const BIGNUM *r, *s;
2788 	u8 *r_buf, *s_buf;
2789 	struct wpabuf *buf;
2790 	const unsigned char *p;
2791 	int prime_len;
2792 
2793 	buf = crypto_ec_key_sign(key, data, len);
2794 	if (!buf)
2795 		return NULL;
2796 
2797 	/* Extract (r,s) from Ecdsa-Sig-Value */
2798 	eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
2799 	if (!eckey)
2800 		goto fail;
2801 	group = EC_KEY_get0_group(eckey);
2802 	prime = BN_new();
2803 	if (!prime || !group ||
2804 	    !EC_GROUP_get_curve_GFp(group, prime, NULL, NULL, NULL))
2805 		goto fail;
2806 	prime_len = BN_num_bytes(prime);
2807 
2808 	p = wpabuf_head(buf);
2809 	sig = d2i_ECDSA_SIG(NULL, &p, wpabuf_len(buf));
2810 	if (!sig)
2811 		goto fail;
2812 	ECDSA_SIG_get0(sig, &r, &s);
2813 
2814 	/* Re-use wpabuf returned by crypto_ec_key_sign() */
2815 	buf->used = 0;
2816 	r_buf = wpabuf_put(buf, prime_len);
2817 	s_buf = wpabuf_put(buf, prime_len);
2818 	if (crypto_bignum_to_bin((const struct crypto_bignum *) r, r_buf,
2819 				 prime_len, prime_len) < 0 ||
2820 	    crypto_bignum_to_bin((const struct crypto_bignum *) s, s_buf,
2821 				 prime_len, prime_len) < 0)
2822 		goto fail;
2823 
2824 out:
2825 	BN_free(prime);
2826 	ECDSA_SIG_free(sig);
2827 	return buf;
2828 fail:
2829 	wpabuf_clear_free(buf);
2830 	buf = NULL;
2831 	goto out;
2832 }
2833 
2834 
crypto_ec_key_verify_signature(struct crypto_ec_key * key,const u8 * data,size_t len,const u8 * sig,size_t sig_len)2835 int crypto_ec_key_verify_signature(struct crypto_ec_key *key, const u8 *data,
2836 				   size_t len, const u8 *sig, size_t sig_len)
2837 {
2838 	EVP_PKEY_CTX *pkctx;
2839 	int ret;
2840 
2841 	pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
2842 	if (!pkctx || EVP_PKEY_verify_init(pkctx) <= 0) {
2843 		EVP_PKEY_CTX_free(pkctx);
2844 		return -1;
2845 	}
2846 
2847 	ret = EVP_PKEY_verify(pkctx, sig, sig_len, data, len);
2848 	EVP_PKEY_CTX_free(pkctx);
2849 	if (ret == 1)
2850 		return 1; /* signature ok */
2851 	if (ret == 0)
2852 		return 0; /* incorrect signature */
2853 	return -1;
2854 }
2855 
2856 
crypto_ec_key_verify_signature_r_s(struct crypto_ec_key * key,const u8 * data,size_t len,const u8 * r,size_t r_len,const u8 * s,size_t s_len)2857 int crypto_ec_key_verify_signature_r_s(struct crypto_ec_key *key,
2858 				       const u8 *data, size_t len,
2859 				       const u8 *r, size_t r_len,
2860 				       const u8 *s, size_t s_len)
2861 {
2862 	ECDSA_SIG *sig;
2863 	BIGNUM *r_bn, *s_bn;
2864 	unsigned char *der = NULL;
2865 	int der_len;
2866 	int ret = -1;
2867 
2868 	r_bn = BN_bin2bn(r, r_len, NULL);
2869 	s_bn = BN_bin2bn(s, s_len, NULL);
2870 	sig = ECDSA_SIG_new();
2871 	if (!r_bn || !s_bn || !sig || ECDSA_SIG_set0(sig, r_bn, s_bn) != 1)
2872 		goto fail;
2873 	r_bn = NULL;
2874 	s_bn = NULL;
2875 
2876 	der_len = i2d_ECDSA_SIG(sig, &der);
2877 	if (der_len <= 0) {
2878 		wpa_printf(MSG_DEBUG,
2879 			   "OpenSSL: Could not DER encode signature");
2880 		goto fail;
2881 	}
2882 
2883 	ret = crypto_ec_key_verify_signature(key, data, len, der, der_len);
2884 
2885 fail:
2886 	OPENSSL_free(der);
2887 	BN_free(r_bn);
2888 	BN_free(s_bn);
2889 	ECDSA_SIG_free(sig);
2890 	return ret;
2891 }
2892 
2893 
crypto_ec_key_group(struct crypto_ec_key * key)2894 int crypto_ec_key_group(struct crypto_ec_key *key)
2895 {
2896 	const EC_KEY *eckey;
2897 	const EC_GROUP *group;
2898 	int nid;
2899 
2900 	eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
2901 	if (!eckey)
2902 		return -1;
2903 	group = EC_KEY_get0_group(eckey);
2904 	if (!group)
2905 		return -1;
2906 	nid = EC_GROUP_get_curve_name(group);
2907 	switch (nid) {
2908 	case NID_X9_62_prime256v1:
2909 		return 19;
2910 	case NID_secp384r1:
2911 		return 20;
2912 	case NID_secp521r1:
2913 		return 21;
2914 #ifdef NID_brainpoolP256r1
2915 	case NID_brainpoolP256r1:
2916 		return 28;
2917 #endif /* NID_brainpoolP256r1 */
2918 #ifdef NID_brainpoolP384r1
2919 	case NID_brainpoolP384r1:
2920 		return 29;
2921 #endif /* NID_brainpoolP384r1 */
2922 #ifdef NID_brainpoolP512r1
2923 	case NID_brainpoolP512r1:
2924 		return 30;
2925 #endif /* NID_brainpoolP512r1 */
2926 	}
2927 	wpa_printf(MSG_ERROR, "OpenSSL: Unsupported curve (nid=%d) in EC key",
2928 		   nid);
2929 	return -1;
2930 }
2931 
2932 
crypto_ec_key_cmp(struct crypto_ec_key * key1,struct crypto_ec_key * key2)2933 int crypto_ec_key_cmp(struct crypto_ec_key *key1, struct crypto_ec_key *key2)
2934 {
2935 	if (EVP_PKEY_cmp((EVP_PKEY *) key1, (EVP_PKEY *) key2) != 1)
2936 		return -1;
2937 	return 0;
2938 }
2939 
2940 
crypto_ec_key_debug_print(const struct crypto_ec_key * key,const char * title)2941 void crypto_ec_key_debug_print(const struct crypto_ec_key *key,
2942 			       const char *title)
2943 {
2944 	BIO *out;
2945 	size_t rlen;
2946 	char *txt;
2947 	int res;
2948 
2949 	out = BIO_new(BIO_s_mem());
2950 	if (!out)
2951 		return;
2952 
2953 	EVP_PKEY_print_private(out, (EVP_PKEY *) key, 0, NULL);
2954 	rlen = BIO_ctrl_pending(out);
2955 	txt = os_malloc(rlen + 1);
2956 	if (txt) {
2957 		res = BIO_read(out, txt, rlen);
2958 		if (res > 0) {
2959 			txt[res] = '\0';
2960 			wpa_printf(MSG_DEBUG, "%s: %s", title, txt);
2961 		}
2962 		os_free(txt);
2963 	}
2964 	BIO_free(out);
2965 }
2966 
2967 
crypto_pkcs7_get_certificates(const struct wpabuf * pkcs7)2968 struct wpabuf * crypto_pkcs7_get_certificates(const struct wpabuf *pkcs7)
2969 {
2970 #ifdef OPENSSL_IS_BORINGSSL
2971 	CBS pkcs7_cbs;
2972 #else /* OPENSSL_IS_BORINGSSL */
2973 	PKCS7 *p7 = NULL;
2974 	const unsigned char *p = wpabuf_head(pkcs7);
2975 #endif /* OPENSSL_IS_BORINGSSL */
2976 	STACK_OF(X509) *certs;
2977 	int i, num;
2978 	BIO *out = NULL;
2979 	size_t rlen;
2980 	struct wpabuf *pem = NULL;
2981 	int res;
2982 
2983 #ifdef OPENSSL_IS_BORINGSSL
2984 	certs = sk_X509_new_null();
2985 	if (!certs)
2986 		goto fail;
2987 	CBS_init(&pkcs7_cbs, wpabuf_head(pkcs7), wpabuf_len(pkcs7));
2988 	if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
2989 		wpa_printf(MSG_INFO,
2990 			   "OpenSSL: Could not parse PKCS#7 object: %s",
2991 			   ERR_error_string(ERR_get_error(), NULL));
2992 		goto fail;
2993 	}
2994 #else /* OPENSSL_IS_BORINGSSL */
2995 	p7 = d2i_PKCS7(NULL, &p, wpabuf_len(pkcs7));
2996 	if (!p7) {
2997 		wpa_printf(MSG_INFO,
2998 			   "OpenSSL: Could not parse PKCS#7 object: %s",
2999 			   ERR_error_string(ERR_get_error(), NULL));
3000 		goto fail;
3001 	}
3002 
3003 	switch (OBJ_obj2nid(p7->type)) {
3004 	case NID_pkcs7_signed:
3005 		certs = p7->d.sign->cert;
3006 		break;
3007 	case NID_pkcs7_signedAndEnveloped:
3008 		certs = p7->d.signed_and_enveloped->cert;
3009 		break;
3010 	default:
3011 		certs = NULL;
3012 		break;
3013 	}
3014 #endif /* OPENSSL_IS_BORINGSSL */
3015 
3016 	if (!certs || ((num = sk_X509_num(certs)) == 0)) {
3017 		wpa_printf(MSG_INFO,
3018 			   "OpenSSL: No certificates found in PKCS#7 object");
3019 		goto fail;
3020 	}
3021 
3022 	out = BIO_new(BIO_s_mem());
3023 	if (!out)
3024 		goto fail;
3025 
3026 	for (i = 0; i < num; i++) {
3027 		X509 *cert = sk_X509_value(certs, i);
3028 
3029 		PEM_write_bio_X509(out, cert);
3030 	}
3031 
3032 	rlen = BIO_ctrl_pending(out);
3033 	pem = wpabuf_alloc(rlen);
3034 	if (!pem)
3035 		goto fail;
3036 	res = BIO_read(out, wpabuf_put(pem, 0), rlen);
3037 	if (res <= 0) {
3038 		wpabuf_free(pem);
3039 		pem = NULL;
3040 		goto fail;
3041 	}
3042 	wpabuf_put(pem, res);
3043 
3044 fail:
3045 #ifdef OPENSSL_IS_BORINGSSL
3046 	if (certs)
3047 		sk_X509_pop_free(certs, X509_free);
3048 #else /* OPENSSL_IS_BORINGSSL */
3049 	PKCS7_free(p7);
3050 #endif /* OPENSSL_IS_BORINGSSL */
3051 	if (out)
3052 		BIO_free_all(out);
3053 
3054 	return pem;
3055 }
3056 
3057 
crypto_csr_init()3058 struct crypto_csr * crypto_csr_init()
3059 {
3060 	return (struct crypto_csr *)X509_REQ_new();
3061 }
3062 
3063 
crypto_csr_verify(const struct wpabuf * req)3064 struct crypto_csr * crypto_csr_verify(const struct wpabuf *req)
3065 {
3066 	X509_REQ *csr;
3067 	EVP_PKEY *pkey = NULL;
3068 	const u8 *der = wpabuf_head(req);
3069 
3070 	csr = d2i_X509_REQ(NULL, &der, wpabuf_len(req));
3071 	if (!csr)
3072 		return NULL;
3073 
3074 	pkey = X509_REQ_get_pubkey((X509_REQ *)csr);
3075 	if (!pkey)
3076 		goto fail;
3077 
3078 	if (X509_REQ_verify((X509_REQ *)csr, pkey) != 1)
3079 		goto fail;
3080 
3081 	return (struct crypto_csr *)csr;
3082 fail:
3083 	X509_REQ_free(csr);
3084 	return NULL;
3085 }
3086 
3087 
crypto_csr_deinit(struct crypto_csr * csr)3088 void crypto_csr_deinit(struct crypto_csr *csr)
3089 {
3090 	X509_REQ_free((X509_REQ *)csr);
3091 }
3092 
3093 
crypto_csr_set_ec_public_key(struct crypto_csr * csr,struct crypto_ec_key * key)3094 int crypto_csr_set_ec_public_key(struct crypto_csr *csr, struct crypto_ec_key *key)
3095 {
3096 	if (!X509_REQ_set_pubkey((X509_REQ *)csr, (EVP_PKEY *)key))
3097 		return -1;
3098 
3099 	return 0;
3100 }
3101 
3102 
crypto_csr_set_name(struct crypto_csr * csr,enum crypto_csr_name type,const char * name)3103 int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
3104 			const char *name)
3105 {
3106 	X509_NAME *n;
3107 	int nid;
3108 
3109 	switch (type) {
3110 	case CSR_NAME_CN:
3111 		nid = NID_commonName;
3112 		break;
3113 	case CSR_NAME_SN:
3114 		nid = NID_surname;
3115 		break;
3116 	case CSR_NAME_C:
3117 		nid = NID_countryName;
3118 		break;
3119 	case CSR_NAME_O:
3120 		nid = NID_organizationName;
3121 		break;
3122 	case CSR_NAME_OU:
3123 		nid = NID_organizationalUnitName;
3124 		break;
3125 	default:
3126 		return -1;
3127 	}
3128 
3129 	n = X509_REQ_get_subject_name((X509_REQ *) csr);
3130 	if (!n)
3131 		return -1;
3132 
3133 #if OPENSSL_VERSION_NUMBER < 0x10100000L
3134 	if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
3135 					(unsigned char *) name,
3136 					os_strlen(name), -1, 0))
3137 		return -1;
3138 #else
3139 	if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
3140 					(const unsigned char *) name,
3141 					os_strlen(name), -1, 0))
3142 		return -1;
3143 #endif
3144 
3145 	return 0;
3146 }
3147 
3148 
crypto_csr_set_attribute(struct crypto_csr * csr,enum crypto_csr_attr attr,int attr_type,const u8 * value,size_t len)3149 int crypto_csr_set_attribute(struct crypto_csr *csr, enum crypto_csr_attr attr,
3150 			     int attr_type, const u8 *value, size_t len)
3151 {
3152 	int nid;
3153 
3154 	switch (attr) {
3155 	case CSR_ATTR_CHALLENGE_PASSWORD:
3156 		nid = NID_pkcs9_challengePassword;
3157 		break;
3158 	default:
3159 		return -1;
3160 	}
3161 
3162 	if (!X509_REQ_add1_attr_by_NID((X509_REQ *) csr, nid, attr_type, value,
3163 				       len))
3164 		return -1;
3165 
3166 	return 0;
3167 }
3168 
3169 
crypto_csr_get_attribute(struct crypto_csr * csr,enum crypto_csr_attr attr,size_t * len,int * type)3170 const u8 * crypto_csr_get_attribute(struct crypto_csr *csr,
3171 				    enum crypto_csr_attr attr,
3172 				    size_t *len, int *type)
3173 {
3174 	X509_ATTRIBUTE *attrib;
3175 	ASN1_TYPE *attrib_type;
3176 	ASN1_STRING *data;
3177 	int loc;
3178 	int nid;
3179 
3180 	switch (attr) {
3181 	case CSR_ATTR_CHALLENGE_PASSWORD:
3182 		nid = NID_pkcs9_challengePassword;
3183 		break;
3184 	default:
3185 		return NULL;
3186 	}
3187 
3188 	loc = X509_REQ_get_attr_by_NID((X509_REQ *) csr, nid, -1);
3189 	if (loc < 0)
3190 		return NULL;
3191 
3192 	attrib = X509_REQ_get_attr((X509_REQ *) csr, loc);
3193 	if (!attrib)
3194 		return NULL;
3195 
3196 	attrib_type = X509_ATTRIBUTE_get0_type(attrib, 0);
3197 	if (!attrib_type)
3198 		return NULL;
3199 	*type = ASN1_TYPE_get(attrib_type);
3200 	data = X509_ATTRIBUTE_get0_data(attrib, 0, *type, NULL);
3201 	if (!data)
3202 		return NULL;
3203 	*len = ASN1_STRING_length(data);
3204 	return ASN1_STRING_get0_data(data);
3205 }
3206 
3207 
crypto_csr_sign(struct crypto_csr * csr,struct crypto_ec_key * key,enum crypto_hash_alg algo)3208 struct wpabuf * crypto_csr_sign(struct crypto_csr *csr,
3209 				struct crypto_ec_key *key,
3210 				enum crypto_hash_alg algo)
3211 {
3212 	const EVP_MD *sign_md;
3213 	struct wpabuf *buf;
3214 	unsigned char *der = NULL;
3215 	int der_len;
3216 
3217 	switch (algo) {
3218 	case CRYPTO_HASH_ALG_SHA256:
3219 		sign_md = EVP_sha256();
3220 		break;
3221 	case CRYPTO_HASH_ALG_SHA384:
3222 		sign_md = EVP_sha384();
3223 		break;
3224 	case CRYPTO_HASH_ALG_SHA512:
3225 		sign_md = EVP_sha512();
3226 		break;
3227 	default:
3228 		return NULL;
3229 	}
3230 
3231 	if (!X509_REQ_sign((X509_REQ *) csr, (EVP_PKEY *) key, sign_md))
3232 		return NULL;
3233 
3234 	der_len = i2d_X509_REQ((X509_REQ *) csr, &der);
3235 	if (der_len < 0)
3236 		return NULL;
3237 
3238 	buf = wpabuf_alloc_copy(der, der_len);
3239 	OPENSSL_free(der);
3240 
3241 	return buf;
3242 }
3243 
3244 #endif /* CONFIG_ECC */
3245