blob: 22f6ab4c18a8f9910227e5ea76d9778844d6a847 [file] [log] [blame]
/*
* Wrapper functions for OpenSSL libcrypto
* Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include <openssl/opensslv.h>
#include <openssl/err.h>
#include <openssl/des.h>
#include <openssl/aes.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/dh.h>
#include <openssl/hmac.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>
#ifdef CONFIG_ECC
#include <openssl/ec.h>
#include <openssl/x509.h>
#endif /* CONFIG_ECC */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/provider.h>
#include <openssl/core_names.h>
#include <openssl/param_build.h>
#include <openssl/encoder.h>
#include <openssl/decoder.h>
#else /* OpenSSL version >= 3.0 */
#include <openssl/cmac.h>
#endif /* OpenSSL version >= 3.0 */
#include "common.h"
#include "utils/const_time.h"
#include "wpabuf.h"
#include "dh_group5.h"
#include "sha1.h"
#include "sha256.h"
#include "sha384.h"
#include "sha512.h"
#include "md5.h"
#include "aes_wrap.h"
#include "crypto.h"
#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* Compatibility wrappers for older versions. */
static HMAC_CTX * HMAC_CTX_new(void)
{
HMAC_CTX *ctx;
ctx = os_zalloc(sizeof(*ctx));
if (ctx)
HMAC_CTX_init(ctx);
return ctx;
}
static void HMAC_CTX_free(HMAC_CTX *ctx)
{
if (!ctx)
return;
HMAC_CTX_cleanup(ctx);
bin_clear_free(ctx, sizeof(*ctx));
}
static EVP_MD_CTX * EVP_MD_CTX_new(void)
{
EVP_MD_CTX *ctx;
ctx = os_zalloc(sizeof(*ctx));
if (ctx)
EVP_MD_CTX_init(ctx);
return ctx;
}
static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
{
if (!ctx)
return;
EVP_MD_CTX_cleanup(ctx);
bin_clear_free(ctx, sizeof(*ctx));
}
#ifdef CONFIG_ECC
static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
{
if (pkey->type != EVP_PKEY_EC)
return NULL;
return pkey->pkey.ec;
}
static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
{
sig->r = r;
sig->s = s;
return 1;
}
static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,
const BIGNUM **ps)
{
if (pr)
*pr = sig->r;
if (ps)
*ps = sig->s;
}
#endif /* CONFIG_ECC */
static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
{
return ASN1_STRING_data((ASN1_STRING *) x);
}
static const ASN1_TIME * X509_get0_notBefore(const X509 *x)
{
return X509_get_notBefore(x);
}
static const ASN1_TIME * X509_get0_notAfter(const X509 *x)
{
return X509_get_notAfter(x);
}
#endif /* OpenSSL version < 1.1.0 */
#if OPENSSL_VERSION_NUMBER < 0x10101000L || \
(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x30400000L)
static int EC_POINT_get_affine_coordinates(const EC_GROUP *group,
const EC_POINT *point, BIGNUM *x,
BIGNUM *y, BN_CTX *ctx)
{
return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
}
static int EC_POINT_set_affine_coordinates(const EC_GROUP *group,
EC_POINT *point, const BIGNUM *x,
const BIGNUM *y, BN_CTX *ctx)
{
return EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx);
}
#endif /* OpenSSL version < 1.1.1 */
#if OPENSSL_VERSION_NUMBER < 0x10101000L || \
defined(OPENSSL_IS_BORINGSSL) || \
(defined(LIBRESSL_VERSION_NUMBER) && \
LIBRESSL_VERSION_NUMBER < 0x30400000L)
static int EC_POINT_set_compressed_coordinates(const EC_GROUP *group,
EC_POINT *point, const BIGNUM *x,
int y_bit, BN_CTX *ctx)
{
return EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit,
ctx);
}
static int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
BIGNUM *b, BN_CTX *ctx)
{
return EC_GROUP_get_curve_GFp(group, p, a, b, ctx);
}
#endif /* OpenSSL version < 1.1.1 */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static OSSL_PROVIDER *openssl_legacy_provider = NULL;
#endif /* OpenSSL version >= 3.0 */
void openssl_load_legacy_provider(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (openssl_legacy_provider)
return;
openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1);
#endif /* OpenSSL version >= 3.0 */
}
static void openssl_unload_legacy_provider(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (openssl_legacy_provider) {
OSSL_PROVIDER_unload(openssl_legacy_provider);
openssl_legacy_provider = NULL;
}
#endif /* OpenSSL version >= 3.0 */
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
static BIGNUM * get_group5_prime(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
return BN_get_rfc3526_prime_1536(NULL);
#elif !defined(OPENSSL_IS_BORINGSSL)
return get_rfc3526_prime_1536(NULL);
#else
static const unsigned char RFC3526_PRIME_1536[] = {
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
};
return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
#endif
}
static BIGNUM * get_group5_order(void)
{
static const unsigned char RFC3526_ORDER_1536[] = {
0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE4,0x87,0xED,0x51,
0x10,0xB4,0x61,0x1A,0x62,0x63,0x31,0x45,0xC0,0x6E,0x0E,0x68,
0x94,0x81,0x27,0x04,0x45,0x33,0xE6,0x3A,0x01,0x05,0xDF,0x53,
0x1D,0x89,0xCD,0x91,0x28,0xA5,0x04,0x3C,0xC7,0x1A,0x02,0x6E,
0xF7,0xCA,0x8C,0xD9,0xE6,0x9D,0x21,0x8D,0x98,0x15,0x85,0x36,
0xF9,0x2F,0x8A,0x1B,0xA7,0xF0,0x9A,0xB6,0xB6,0xA8,0xE1,0x22,
0xF2,0x42,0xDA,0xBB,0x31,0x2F,0x3F,0x63,0x7A,0x26,0x21,0x74,
0xD3,0x1B,0xF6,0xB5,0x85,0xFF,0xAE,0x5B,0x7A,0x03,0x5B,0xF6,
0xF7,0x1C,0x35,0xFD,0xAD,0x44,0xCF,0xD2,0xD7,0x4F,0x92,0x08,
0xBE,0x25,0x8F,0xF3,0x24,0x94,0x33,0x28,0xF6,0x72,0x2D,0x9E,
0xE1,0x00,0x3E,0x5C,0x50,0xB1,0xDF,0x82,0xCC,0x6D,0x24,0x1B,
0x0E,0x2A,0xE9,0xCD,0x34,0x8B,0x1F,0xD4,0x7E,0x92,0x67,0xAF,
0xC1,0xB2,0xAE,0x91,0xEE,0x51,0xD6,0xCB,0x0E,0x31,0x79,0xAB,
0x10,0x42,0xA9,0x5D,0xCF,0x6A,0x94,0x83,0xB8,0x4B,0x4B,0x36,
0xB3,0x86,0x1A,0xA7,0x25,0x5E,0x4C,0x02,0x78,0xBA,0x36,0x04,
0x65,0x11,0xB9,0x93,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
};
return BN_bin2bn(RFC3526_ORDER_1536, sizeof(RFC3526_ORDER_1536), NULL);
}
#endif /* OpenSSL version < 3.0 */
#ifdef OPENSSL_NO_SHA256
#define NO_SHA256_WRAPPER
#endif
#ifdef OPENSSL_NO_SHA512
#define NO_SHA384_WRAPPER
#endif
static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
EVP_MD_CTX *ctx;
size_t i;
unsigned int mac_len;
if (TEST_FAIL())
return -1;
ctx = EVP_MD_CTX_new();
if (!ctx)
return -1;
if (!EVP_DigestInit_ex(ctx, type, NULL)) {
wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
ERR_error_string(ERR_get_error(), NULL));
EVP_MD_CTX_free(ctx);
return -1;
}
for (i = 0; i < num_elem; i++) {
if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
"failed: %s",
ERR_error_string(ERR_get_error(), NULL));
EVP_MD_CTX_free(ctx);
return -1;
}
}
if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
ERR_error_string(ERR_get_error(), NULL));
EVP_MD_CTX_free(ctx);
return -1;
}
EVP_MD_CTX_free(ctx);
return 0;
}
#ifndef CONFIG_FIPS
int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
openssl_load_legacy_provider();
return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
}
int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
{
u8 pkey[8], next, tmp;
int i, plen, ret = -1;
EVP_CIPHER_CTX *ctx;
openssl_load_legacy_provider();
/* Add parity bits to the key */
next = 0;
for (i = 0; i < 7; i++) {
tmp = key[i];
pkey[i] = (tmp >> i) | next | 1;
next = tmp << (7 - i);
}
pkey[i] = next | 1;
ctx = EVP_CIPHER_CTX_new();
if (ctx &&
EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, pkey, NULL) == 1 &&
EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 &&
EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen) == 1)
ret = 0;
else
wpa_printf(MSG_ERROR, "OpenSSL: DES encrypt failed");
if (ctx)
EVP_CIPHER_CTX_free(ctx);
return ret;
}
#ifndef CONFIG_NO_RC4
int rc4_skip(const u8 *key, size_t keylen, size_t skip,
u8 *data, size_t data_len)
{
#ifdef OPENSSL_NO_RC4
return -1;
#else /* OPENSSL_NO_RC4 */
EVP_CIPHER_CTX *ctx;
int outl;
int res = -1;
unsigned char skip_buf[16];
openssl_load_legacy_provider();
ctx = EVP_CIPHER_CTX_new();
if (!ctx ||
!EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
!EVP_CIPHER_CTX_set_padding(ctx, 0) ||
!EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
goto out;
while (skip >= sizeof(skip_buf)) {
size_t len = skip;
if (len > sizeof(skip_buf))
len = sizeof(skip_buf);
if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
goto out;
skip -= len;
}
if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
res = 0;
out:
if (ctx)
EVP_CIPHER_CTX_free(ctx);
return res;
#endif /* OPENSSL_NO_RC4 */
}
#endif /* CONFIG_NO_RC4 */
int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
}
#endif /* CONFIG_FIPS */
int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
}
#ifndef NO_SHA256_WRAPPER
int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
u8 *mac)
{
return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
}
#endif /* NO_SHA256_WRAPPER */
#ifndef NO_SHA384_WRAPPER
int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
u8 *mac)
{
return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);
}
#endif /* NO_SHA384_WRAPPER */
#ifndef NO_SHA512_WRAPPER
int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
u8 *mac)
{
return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
}
#endif /* NO_SHA512_WRAPPER */
static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
{
switch (keylen) {
case 16:
return EVP_aes_128_ecb();
case 24:
return EVP_aes_192_ecb();
case 32:
return EVP_aes_256_ecb();
default:
return NULL;
}
}
void * aes_encrypt_init(const u8 *key, size_t len)
{
EVP_CIPHER_CTX *ctx;
const EVP_CIPHER *type;
if (TEST_FAIL())
return NULL;
type = aes_get_evp_cipher(len);
if (!type) {
wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
__func__, (unsigned int) len);
return NULL;
}
ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL)
return NULL;
if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
EVP_CIPHER_CTX_free(ctx);
return NULL;
}
EVP_CIPHER_CTX_set_padding(ctx, 0);
return ctx;
}
int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
{
EVP_CIPHER_CTX *c = ctx;
int clen = 16;
if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
return 0;
}
void aes_encrypt_deinit(void *ctx)
{
EVP_CIPHER_CTX *c = ctx;
u8 buf[16];
int len = sizeof(buf);
if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
"%s", ERR_error_string(ERR_get_error(), NULL));
}
if (len != 0) {
wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
"in AES encrypt", len);
}
EVP_CIPHER_CTX_free(c);
}
void * aes_decrypt_init(const u8 *key, size_t len)
{
EVP_CIPHER_CTX *ctx;
const EVP_CIPHER *type;
if (TEST_FAIL())
return NULL;
type = aes_get_evp_cipher(len);
if (!type) {
wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
__func__, (unsigned int) len);
return NULL;
}
ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL)
return NULL;
if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
EVP_CIPHER_CTX_free(ctx);
return NULL;
}
EVP_CIPHER_CTX_set_padding(ctx, 0);
return ctx;
}
int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
{
EVP_CIPHER_CTX *c = ctx;
int plen = 16;
if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
return 0;
}
void aes_decrypt_deinit(void *ctx)
{
EVP_CIPHER_CTX *c = ctx;
u8 buf[16];
int len = sizeof(buf);
if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
"%s", ERR_error_string(ERR_get_error(), NULL));
}
if (len != 0) {
wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
"in AES decrypt", len);
}
EVP_CIPHER_CTX_free(c);
}
#ifndef CONFIG_FIPS
#ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static const EVP_CIPHER * aes_get_evp_wrap_cipher(size_t keylen)
{
switch (keylen) {
case 16:
return EVP_aes_128_wrap();
case 24:
return EVP_aes_192_wrap();
case 32:
return EVP_aes_256_wrap();
default:
return NULL;
}
}
#endif /* OpenSSL version >= 3.0 */
int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_CIPHER_CTX *ctx;
const EVP_CIPHER *type;
int ret = -1, len;
u8 buf[16];
if (TEST_FAIL())
return -1;
type = aes_get_evp_wrap_cipher(kek_len);
if (!type)
return -1;
ctx = EVP_CIPHER_CTX_new();
if (!ctx)
return -1;
if (EVP_EncryptInit_ex(ctx, type, NULL, kek, NULL) == 1 &&
EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
EVP_EncryptUpdate(ctx, cipher, &len, plain, n * 8) == 1 &&
len == (n + 1) * 8 &&
EVP_EncryptFinal_ex(ctx, buf, &len) == 1)
ret = 0;
EVP_CIPHER_CTX_free(ctx);
return ret;
#else /* OpenSSL version >= 3.0 */
AES_KEY actx;
int res;
if (TEST_FAIL())
return -1;
if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
return -1;
res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
OPENSSL_cleanse(&actx, sizeof(actx));
return res <= 0 ? -1 : 0;
#endif /* OpenSSL version >= 3.0 */
}
int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
u8 *plain)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_CIPHER_CTX *ctx;
const EVP_CIPHER *type;
int ret = -1, len;
u8 buf[16];
if (TEST_FAIL())
return -1;
type = aes_get_evp_wrap_cipher(kek_len);
if (!type)
return -1;
ctx = EVP_CIPHER_CTX_new();
if (!ctx)
return -1;
if (EVP_DecryptInit_ex(ctx, type, NULL, kek, NULL) == 1 &&
EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
EVP_DecryptUpdate(ctx, plain, &len, cipher, (n + 1) * 8) == 1 &&
len == n * 8 &&
EVP_DecryptFinal_ex(ctx, buf, &len) == 1)
ret = 0;
EVP_CIPHER_CTX_free(ctx);
return ret;
#else /* OpenSSL version >= 3.0 */
AES_KEY actx;
int res;
if (TEST_FAIL())
return -1;
if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
return -1;
res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
OPENSSL_cleanse(&actx, sizeof(actx));
return res <= 0 ? -1 : 0;
#endif /* OpenSSL version >= 3.0 */
}
#endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
#endif /* CONFIG_FIPS */
int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
{
EVP_CIPHER_CTX *ctx;
int clen, len;
u8 buf[16];
int res = -1;
if (TEST_FAIL())
return -1;
ctx = EVP_CIPHER_CTX_new();
if (!ctx)
return -1;
clen = data_len;
len = sizeof(buf);
if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
clen == (int) data_len &&
EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
res = 0;
EVP_CIPHER_CTX_free(ctx);
return res;
}
int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
{
EVP_CIPHER_CTX *ctx;
int plen, len;
u8 buf[16];
int res = -1;
if (TEST_FAIL())
return -1;
ctx = EVP_CIPHER_CTX_new();
if (!ctx)
return -1;
plen = data_len;
len = sizeof(buf);
if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
plen == (int) data_len &&
EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
res = 0;
EVP_CIPHER_CTX_free(ctx);
return res;
}
int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
u8 *pubkey)
{
size_t pubkey_len, pad;
if (os_get_random(privkey, prime_len) < 0)
return -1;
if (os_memcmp(privkey, prime, prime_len) > 0) {
/* Make sure private value is smaller than prime */
privkey[0] = 0;
}
pubkey_len = prime_len;
if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
pubkey, &pubkey_len) < 0)
return -1;
if (pubkey_len < prime_len) {
pad = prime_len - pubkey_len;
os_memmove(pubkey + pad, pubkey, pubkey_len);
os_memset(pubkey, 0, pad);
}
return 0;
}
int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
const u8 *order, size_t order_len,
const u8 *privkey, size_t privkey_len,
const u8 *pubkey, size_t pubkey_len,
u8 *secret, size_t *len)
{
BIGNUM *pub, *p;
int res = -1;
pub = BN_bin2bn(pubkey, pubkey_len, NULL);
p = BN_bin2bn(prime, prime_len, NULL);
if (!pub || !p || BN_is_zero(pub) || BN_is_one(pub) ||
BN_cmp(pub, p) >= 0)
goto fail;
if (order) {
BN_CTX *ctx;
BIGNUM *q, *tmp;
int failed;
/* verify: pubkey^q == 1 mod p */
q = BN_bin2bn(order, order_len, NULL);
ctx = BN_CTX_new();
tmp = BN_new();
failed = !q || !ctx || !tmp ||
!BN_mod_exp(tmp, pub, q, p, ctx) ||
!BN_is_one(tmp);
BN_clear_free(q);
BN_clear_free(tmp);
BN_CTX_free(ctx);
if (failed)
goto fail;
}
res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,
prime, prime_len, secret, len);
fail:
BN_clear_free(pub);
BN_clear_free(p);
return res;
}
int crypto_mod_exp(const u8 *base, size_t base_len,
const u8 *power, size_t power_len,
const u8 *modulus, size_t modulus_len,
u8 *result, size_t *result_len)
{
BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
int ret = -1;
BN_CTX *ctx;
ctx = BN_CTX_new();
if (ctx == NULL)
return -1;
bn_base = BN_bin2bn(base, base_len, NULL);
bn_exp = BN_bin2bn(power, power_len, NULL);
bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
bn_result = BN_new();
if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
bn_result == NULL)
goto error;
if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
ctx, NULL) != 1)
goto error;
*result_len = BN_bn2bin(bn_result, result);
ret = 0;
error:
BN_clear_free(bn_base);
BN_clear_free(bn_exp);
BN_clear_free(bn_modulus);
BN_clear_free(bn_result);
BN_CTX_free(ctx);
return ret;
}
struct crypto_cipher {
EVP_CIPHER_CTX *enc;
EVP_CIPHER_CTX *dec;
};
struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
const u8 *iv, const u8 *key,
size_t key_len)
{
struct crypto_cipher *ctx;
const EVP_CIPHER *cipher;
ctx = os_zalloc(sizeof(*ctx));
if (ctx == NULL)
return NULL;
switch (alg) {
#ifndef CONFIG_NO_RC4
#ifndef OPENSSL_NO_RC4
case CRYPTO_CIPHER_ALG_RC4:
cipher = EVP_rc4();
break;
#endif /* OPENSSL_NO_RC4 */
#endif /* CONFIG_NO_RC4 */
#ifndef OPENSSL_NO_AES
case CRYPTO_CIPHER_ALG_AES:
switch (key_len) {
case 16:
cipher = EVP_aes_128_cbc();
break;
#ifndef OPENSSL_IS_BORINGSSL
case 24:
cipher = EVP_aes_192_cbc();
break;
#endif /* OPENSSL_IS_BORINGSSL */
case 32:
cipher = EVP_aes_256_cbc();
break;
default:
os_free(ctx);
return NULL;
}
break;
#endif /* OPENSSL_NO_AES */
#ifndef OPENSSL_NO_DES
case CRYPTO_CIPHER_ALG_3DES:
cipher = EVP_des_ede3_cbc();
break;
case CRYPTO_CIPHER_ALG_DES:
cipher = EVP_des_cbc();
break;
#endif /* OPENSSL_NO_DES */
#ifndef OPENSSL_NO_RC2
case CRYPTO_CIPHER_ALG_RC2:
cipher = EVP_rc2_ecb();
break;
#endif /* OPENSSL_NO_RC2 */
default:
os_free(ctx);
return NULL;
}
if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
!EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
!EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
!EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
!EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
if (ctx->enc)
EVP_CIPHER_CTX_free(ctx->enc);
os_free(ctx);
return NULL;
}
if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
!EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
!EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
!EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
!EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
EVP_CIPHER_CTX_free(ctx->enc);
if (ctx->dec)
EVP_CIPHER_CTX_free(ctx->dec);
os_free(ctx);
return NULL;
}
return ctx;
}
int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
u8 *crypt, size_t len)
{
int outl;
if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
return -1;
return 0;
}
int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
u8 *plain, size_t len)
{
int outl;
outl = len;
if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
return -1;
return 0;
}
void crypto_cipher_deinit(struct crypto_cipher *ctx)
{
EVP_CIPHER_CTX_free(ctx->enc);
EVP_CIPHER_CTX_free(ctx->dec);
os_free(ctx);
}
void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
DH *dh;
struct wpabuf *pubkey = NULL, *privkey = NULL;
size_t publen, privlen;
*priv = NULL;
wpabuf_free(*publ);
*publ = NULL;
dh = DH_new();
if (dh == NULL)
return NULL;
dh->g = BN_new();
if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
goto err;
dh->p = get_group5_prime();
if (dh->p == NULL)
goto err;
dh->q = get_group5_order();
if (!dh->q)
goto err;
if (DH_generate_key(dh) != 1)
goto err;
publen = BN_num_bytes(dh->pub_key);
pubkey = wpabuf_alloc(publen);
if (pubkey == NULL)
goto err;
privlen = BN_num_bytes(dh->priv_key);
privkey = wpabuf_alloc(privlen);
if (privkey == NULL)
goto err;
BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
*priv = privkey;
*publ = pubkey;
return dh;
err:
wpabuf_clear_free(pubkey);
wpabuf_clear_free(privkey);
DH_free(dh);
return NULL;
#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_PKEY *pkey = NULL;
OSSL_PARAM params[2];
size_t pub_len = OSSL_PARAM_UNMODIFIED;
size_t priv_len;
struct wpabuf *pubkey = NULL, *privkey = NULL;
BIGNUM *priv_bn = NULL;
EVP_PKEY_CTX *gctx;
*priv = NULL;
wpabuf_free(*publ);
*publ = NULL;
params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
"modp_1536", 0);
params[1] = OSSL_PARAM_construct_end();
gctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
if (!gctx ||
EVP_PKEY_keygen_init(gctx) != 1 ||
EVP_PKEY_CTX_set_params(gctx, params) != 1 ||
EVP_PKEY_generate(gctx, &pkey) != 1 ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY,
&priv_bn) != 1 ||
EVP_PKEY_get_octet_string_param(pkey,
OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
NULL, 0, &pub_len) < 0 ||
pub_len == OSSL_PARAM_UNMODIFIED ||
(priv_len = BN_num_bytes(priv_bn)) == 0 ||
!(pubkey = wpabuf_alloc(pub_len)) ||
!(privkey = wpabuf_alloc(priv_len)) ||
EVP_PKEY_get_octet_string_param(pkey,
OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
wpabuf_put(pubkey, pub_len),
pub_len, NULL) != 1) {
wpa_printf(MSG_INFO, "OpenSSL: failed: %s",
ERR_error_string(ERR_get_error(), NULL));
wpabuf_free(pubkey);
wpabuf_clear_free(privkey);
EVP_PKEY_free(pkey);
pkey = NULL;
} else {
BN_bn2bin(priv_bn, wpabuf_put(privkey, priv_len));
*priv = privkey;
*publ = pubkey;
}
BN_clear_free(priv_bn);
EVP_PKEY_CTX_free(gctx);
return pkey;
#else
DH *dh;
struct wpabuf *pubkey = NULL, *privkey = NULL;
size_t publen, privlen;
BIGNUM *p, *g, *q;
const BIGNUM *priv_key = NULL, *pub_key = NULL;
*priv = NULL;
wpabuf_free(*publ);
*publ = NULL;
dh = DH_new();
if (dh == NULL)
return NULL;
g = BN_new();
p = get_group5_prime();
q = get_group5_order();
if (!g || BN_set_word(g, 2) != 1 || !p || !q ||
DH_set0_pqg(dh, p, q, g) != 1)
goto err;
p = NULL;
q = NULL;
g = NULL;
if (DH_generate_key(dh) != 1)
goto err;
DH_get0_key(dh, &pub_key, &priv_key);
publen = BN_num_bytes(pub_key);
pubkey = wpabuf_alloc(publen);
if (!pubkey)
goto err;
privlen = BN_num_bytes(priv_key);
privkey = wpabuf_alloc(privlen);
if (!privkey)
goto err;
BN_bn2bin(pub_key, wpabuf_put(pubkey, publen));
BN_bn2bin(priv_key, wpabuf_put(privkey, privlen));
*priv = privkey;
*publ = pubkey;
return dh;
err:
BN_free(p);
BN_free(q);
BN_free(g);
wpabuf_clear_free(pubkey);
wpabuf_clear_free(privkey);
DH_free(dh);
return NULL;
#endif
}
void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
DH *dh;
dh = DH_new();
if (dh == NULL)
return NULL;
dh->g = BN_new();
if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
goto err;
dh->p = get_group5_prime();
if (dh->p == NULL)
goto err;
dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
if (dh->priv_key == NULL)
goto err;
dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
if (dh->pub_key == NULL)
goto err;
if (DH_generate_key(dh) != 1)
goto err;
return dh;
err:
DH_free(dh);
return NULL;
#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_PKEY *pkey = NULL;
OSSL_PARAM_BLD *bld;
OSSL_PARAM *params = NULL;
BIGNUM *priv_key, *pub_key;
EVP_PKEY_CTX *fctx;
fctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
bld = OSSL_PARAM_BLD_new();
if (!fctx || !priv_key || !pub_key || !bld ||
OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME,
"modp_1536", 0) != 1 ||
OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
priv_key) != 1 ||
OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
pub_key) != 1 ||
!(params = OSSL_PARAM_BLD_to_param(bld)) ||
EVP_PKEY_fromdata_init(fctx) != 1 ||
EVP_PKEY_fromdata(fctx, &pkey, EVP_PKEY_KEYPAIR, params) != 1) {
wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_fromdata failed: %s",
ERR_error_string(ERR_get_error(), NULL));
EVP_PKEY_free(pkey);
pkey = NULL;
}
BN_clear_free(priv_key);
BN_free(pub_key);
EVP_PKEY_CTX_free(fctx);
OSSL_PARAM_BLD_free(bld);
OSSL_PARAM_free(params);
return pkey;
#else
DH *dh;
BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL;
dh = DH_new();
if (dh == NULL)
return NULL;
g = BN_new();
p = get_group5_prime();
if (!g || BN_set_word(g, 2) != 1 || !p ||
DH_set0_pqg(dh, p, NULL, g) != 1)
goto err;
p = NULL;
g = NULL;
priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1)
goto err;
pub_key = NULL;
priv_key = NULL;
if (DH_generate_key(dh) != 1)
goto err;
return dh;
err:
BN_free(p);
BN_free(g);
BN_free(pub_key);
BN_clear_free(priv_key);
DH_free(dh);
return NULL;
#endif
}
struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
const struct wpabuf *own_private)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_PKEY *pkey = ctx;
EVP_PKEY *peer_pub;
size_t len;
struct wpabuf *res = NULL;
EVP_PKEY_CTX *dctx = NULL;
peer_pub = EVP_PKEY_new();
if (!pkey || !peer_pub ||
EVP_PKEY_copy_parameters(peer_pub, pkey) != 1 ||
EVP_PKEY_set1_encoded_public_key(peer_pub, wpabuf_head(peer_public),
wpabuf_len(peer_public)) != 1 ||
!(dctx = EVP_PKEY_CTX_new(pkey, NULL)) ||
EVP_PKEY_derive_init(dctx) != 1 ||
EVP_PKEY_derive_set_peer(dctx, peer_pub) != 1 ||
EVP_PKEY_derive(dctx, NULL, &len) != 1 ||
!(res = wpabuf_alloc(len)) ||
EVP_PKEY_derive(dctx, wpabuf_mhead(res), &len) != 1) {
wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_derive failed: %s",
ERR_error_string(ERR_get_error(), NULL));
wpabuf_free(res);
res = NULL;
} else {
wpabuf_put(res, len);
}
EVP_PKEY_free(peer_pub);
EVP_PKEY_CTX_free(dctx);
return res;
#else /* OpenSSL version >= 3.0 */
BIGNUM *pub_key;
struct wpabuf *res = NULL;
size_t rlen;
DH *dh = ctx;
int keylen;
if (ctx == NULL)
return NULL;
pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
NULL);
if (pub_key == NULL)
return NULL;
rlen = DH_size(dh);
res = wpabuf_alloc(rlen);
if (res == NULL)
goto err;
keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
if (keylen < 0)
goto err;
wpabuf_put(res, keylen);
BN_clear_free(pub_key);
return res;
err:
BN_clear_free(pub_key);
wpabuf_clear_free(res);
return NULL;
#endif /* OpenSSL version >= 3.0 */
}
void dh5_free(void *ctx)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_PKEY *pkey = ctx;
EVP_PKEY_free(pkey);
#else /* OpenSSL version >= 3.0 */
DH *dh;
if (ctx == NULL)
return;
dh = ctx;
DH_free(dh);
#endif /* OpenSSL version >= 3.0 */
}
struct crypto_hash {
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_MAC_CTX *ctx;
#else /* OpenSSL version >= 3.0 */
HMAC_CTX *ctx;
#endif /* OpenSSL version >= 3.0 */
};
struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
size_t key_len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
struct crypto_hash *ctx;
EVP_MAC *mac;
OSSL_PARAM params[2];
char *a = NULL;
switch (alg) {
#ifndef OPENSSL_NO_MD5
case CRYPTO_HASH_ALG_HMAC_MD5:
a = "MD5";
break;
#endif /* OPENSSL_NO_MD5 */
#ifndef OPENSSL_NO_SHA
case CRYPTO_HASH_ALG_HMAC_SHA1:
a = "SHA1";
break;
#endif /* OPENSSL_NO_SHA */
#ifndef OPENSSL_NO_SHA256
#ifdef CONFIG_SHA256
case CRYPTO_HASH_ALG_HMAC_SHA256:
a = "SHA256";
break;
#endif /* CONFIG_SHA256 */
#endif /* OPENSSL_NO_SHA256 */
default:
return NULL;
}
mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
if (!mac)
return NULL;
params[0] = OSSL_PARAM_construct_utf8_string("digest", a, 0);
params[1] = OSSL_PARAM_construct_end();
ctx = os_zalloc(sizeof(*ctx));
if (!ctx)
goto fail;
ctx->ctx = EVP_MAC_CTX_new(mac);
if (!ctx->ctx) {
os_free(ctx);
ctx = NULL;
goto fail;
}
if (EVP_MAC_init(ctx->ctx, key, key_len, params) != 1) {
EVP_MAC_CTX_free(ctx->ctx);
bin_clear_free(ctx, sizeof(*ctx));
ctx = NULL;
goto fail;
}
fail:
EVP_MAC_free(mac);
return ctx;
#else /* OpenSSL version >= 3.0 */
struct crypto_hash *ctx;
const EVP_MD *md;
switch (alg) {
#ifndef OPENSSL_NO_MD5
case CRYPTO_HASH_ALG_HMAC_MD5:
md = EVP_md5();
break;
#endif /* OPENSSL_NO_MD5 */
#ifndef OPENSSL_NO_SHA
case CRYPTO_HASH_ALG_HMAC_SHA1:
md = EVP_sha1();
break;
#endif /* OPENSSL_NO_SHA */
#ifndef OPENSSL_NO_SHA256
#ifdef CONFIG_SHA256
case CRYPTO_HASH_ALG_HMAC_SHA256:
md = EVP_sha256();
break;
#endif /* CONFIG_SHA256 */
#endif /* OPENSSL_NO_SHA256 */
default:
return NULL;
}
ctx = os_zalloc(sizeof(*ctx));
if (ctx == NULL)
return NULL;
ctx->ctx = HMAC_CTX_new();
if (!ctx->ctx) {
os_free(ctx);
return NULL;
}
if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
HMAC_CTX_free(ctx->ctx);
bin_clear_free(ctx, sizeof(*ctx));
return NULL;
}
return ctx;
#endif /* OpenSSL version >= 3.0 */
}
void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
{
if (ctx == NULL)
return;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_MAC_update(ctx->ctx, data, len);
#else /* OpenSSL version >= 3.0 */
HMAC_Update(ctx->ctx, data, len);
#endif /* OpenSSL version >= 3.0 */
}
int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
size_t mdlen;
int res;
if (!ctx)
return -2;
if (!mac || !len) {
EVP_MAC_CTX_free(ctx->ctx);
bin_clear_free(ctx, sizeof(*ctx));
return 0;
}
res = EVP_MAC_final(ctx->ctx, NULL, &mdlen, 0);
if (res != 1) {
EVP_MAC_CTX_free(ctx->ctx);
bin_clear_free(ctx, sizeof(*ctx));
return -1;
}
res = EVP_MAC_final(ctx->ctx, mac, &mdlen, mdlen);
EVP_MAC_CTX_free(ctx->ctx);
bin_clear_free(ctx, sizeof(*ctx));
if (TEST_FAIL())
return -1;
if (res == 1) {
*len = mdlen;
return 0;
}
return -1;
#else /* OpenSSL version >= 3.0 */
unsigned int mdlen;
int res;
if (ctx == NULL)
return -2;
if (mac == NULL || len == NULL) {
HMAC_CTX_free(ctx->ctx);
bin_clear_free(ctx, sizeof(*ctx));
return 0;
}
mdlen = *len;
res = HMAC_Final(ctx->ctx, mac, &mdlen);
HMAC_CTX_free(ctx->ctx);
bin_clear_free(ctx, sizeof(*ctx));
if (TEST_FAIL())
return -1;
if (res == 1) {
*len = mdlen;
return 0;
}
return -1;
#endif /* OpenSSL version >= 3.0 */
}
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static int openssl_hmac_vector(char *digest, const u8 *key,
size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac,
unsigned int mdlen)
{
EVP_MAC *hmac;
OSSL_PARAM params[2];
EVP_MAC_CTX *ctx;
size_t i, mlen;
int res;
if (TEST_FAIL())
return -1;
hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
if (!hmac)
return -1;
params[0] = OSSL_PARAM_construct_utf8_string("digest", digest, 0);
params[1] = OSSL_PARAM_construct_end();
ctx = EVP_MAC_CTX_new(hmac);
EVP_MAC_free(hmac);
if (!ctx)
return -1;
if (EVP_MAC_init(ctx, key, key_len, params) != 1)
goto fail;
for (i = 0; i < num_elem; i++) {
if (EVP_MAC_update(ctx, addr[i], len[i]) != 1)
goto fail;
}
res = EVP_MAC_final(ctx, mac, &mlen, mdlen);
EVP_MAC_CTX_free(ctx);
return res == 1 ? 0 : -1;
fail:
EVP_MAC_CTX_free(ctx);
return -1;
}
#ifndef CONFIG_FIPS
int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector("MD5", key ,key_len, num_elem, addr, len,
mac, 16);
}
int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
u8 *mac)
{
return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
}
#endif /* CONFIG_FIPS */
int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector("SHA1", key, key_len, num_elem, addr,
len, mac, 20);
}
int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
u8 *mac)
{
return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
}
#ifdef CONFIG_SHA256
int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector("SHA256", key, key_len, num_elem, addr,
len, mac, 32);
}
int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
size_t data_len, u8 *mac)
{
return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
}
#endif /* CONFIG_SHA256 */
#ifdef CONFIG_SHA384
int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector("SHA384", key, key_len, num_elem, addr,
len, mac, 48);
}
int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
size_t data_len, u8 *mac)
{
return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
}
#endif /* CONFIG_SHA384 */
#ifdef CONFIG_SHA512
int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector("SHA512", key, key_len, num_elem, addr,
len, mac, 64);
}
int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
size_t data_len, u8 *mac)
{
return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
}
#endif /* CONFIG_SHA512 */
#else /* OpenSSL version >= 3.0 */
static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac,
unsigned int mdlen)
{
HMAC_CTX *ctx;
size_t i;
int res;
if (TEST_FAIL())
return -1;
ctx = HMAC_CTX_new();
if (!ctx)
return -1;
res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
if (res != 1)
goto done;
for (i = 0; i < num_elem; i++)
HMAC_Update(ctx, addr[i], len[i]);
res = HMAC_Final(ctx, mac, &mdlen);
done:
HMAC_CTX_free(ctx);
return res == 1 ? 0 : -1;
}
#ifndef CONFIG_FIPS
int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
mac, 16);
}
int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
u8 *mac)
{
return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
}
#endif /* CONFIG_FIPS */
int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
len, mac, 20);
}
int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
u8 *mac)
{
return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
}
#ifdef CONFIG_SHA256
int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
len, mac, 32);
}
int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
size_t data_len, u8 *mac)
{
return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
}
#endif /* CONFIG_SHA256 */
#ifdef CONFIG_SHA384
int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
len, mac, 48);
}
int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
size_t data_len, u8 *mac)
{
return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
}
#endif /* CONFIG_SHA384 */
#ifdef CONFIG_SHA512
int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
len, mac, 64);
}
int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
size_t data_len, u8 *mac)
{
return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
}
#endif /* CONFIG_SHA512 */
#endif /* OpenSSL version >= 3.0 */
int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
int iterations, u8 *buf, size_t buflen)
{
if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
ssid_len, iterations, buflen, buf) != 1)
return -1;
return 0;
}
int crypto_get_random(void *buf, size_t len)
{
if (RAND_bytes(buf, len) != 1)
return -1;
return 0;
}
int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_MAC_CTX *ctx = NULL;
EVP_MAC *emac;
int ret = -1;
size_t outlen, i;
OSSL_PARAM params[2];
char *cipher = NULL;
if (TEST_FAIL())
return -1;
emac = EVP_MAC_fetch(NULL, "CMAC", NULL);
if (key_len == 32)
cipher = "aes-256-cbc";
else if (key_len == 24)
cipher = "aes-192-cbc";
else if (key_len == 16)
cipher = "aes-128-cbc";
params[0] = OSSL_PARAM_construct_utf8_string("cipher", cipher, 0);
params[1] = OSSL_PARAM_construct_end();
if (!emac || !cipher ||
!(ctx = EVP_MAC_CTX_new(emac)) ||
EVP_MAC_init(ctx, key, key_len, params) != 1)
goto fail;
for (i = 0; i < num_elem; i++) {
if (!EVP_MAC_update(ctx, addr[i], len[i]))
goto fail;
}
if (EVP_MAC_final(ctx, mac, &outlen, 16) != 1 || outlen != 16)
goto fail;
ret = 0;
fail:
EVP_MAC_CTX_free(ctx);
return ret;
#else /* OpenSSL version >= 3.0 */
CMAC_CTX *ctx;
int ret = -1;
size_t outlen, i;
if (TEST_FAIL())
return -1;
ctx = CMAC_CTX_new();
if (ctx == NULL)
return -1;
if (key_len == 32) {
if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
goto fail;
} else if (key_len == 24) {
if (!CMAC_Init(ctx, key, 24, EVP_aes_192_cbc(), NULL))
goto fail;
} else if (key_len == 16) {
if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
goto fail;
} else {
goto fail;
}
for (i = 0; i < num_elem; i++) {
if (!CMAC_Update(ctx, addr[i], len[i]))
goto fail;
}
if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
goto fail;
ret = 0;
fail:
CMAC_CTX_free(ctx);
return ret;
#endif /* OpenSSL version >= 3.0 */
}
int omac1_aes_128_vector(const u8 *key, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
}
int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
{
return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
}
int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
{
return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
}
struct crypto_bignum * crypto_bignum_init(void)
{
if (TEST_FAIL())
return NULL;
return (struct crypto_bignum *) BN_new();
}
struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
{
BIGNUM *bn;
if (TEST_FAIL())
return NULL;
bn = BN_bin2bn(buf, len, NULL);
return (struct crypto_bignum *) bn;
}
struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
{
BIGNUM *bn;
if (TEST_FAIL())
return NULL;
bn = BN_new();
if (!bn)
return NULL;
if (BN_set_word(bn, val) != 1) {
BN_free(bn);
return NULL;
}
return (struct crypto_bignum *) bn;
}
void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
{
if (clear)
BN_clear_free((BIGNUM *) n);
else
BN_free((BIGNUM *) n);
}
int crypto_bignum_to_bin(const struct crypto_bignum *a,
u8 *buf, size_t buflen, size_t padlen)
{
int num_bytes, offset;
if (TEST_FAIL())
return -1;
if (padlen > buflen)
return -1;
if (padlen) {
#ifdef OPENSSL_IS_BORINGSSL
if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
return -1;
return padlen;
#else /* OPENSSL_IS_BORINGSSL */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
#endif
#endif
}
num_bytes = BN_num_bytes((const BIGNUM *) a);
if ((size_t) num_bytes > buflen)
return -1;
if (padlen > (size_t) num_bytes)
offset = padlen - num_bytes;
else
offset = 0;
os_memset(buf, 0, offset);
BN_bn2bin((const BIGNUM *) a, buf + offset);
return num_bytes + offset;
}
int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
{
if (TEST_FAIL())
return -1;
return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1;
}
int crypto_bignum_add(const struct crypto_bignum *a,
const struct crypto_bignum *b,
struct crypto_bignum *c)
{
return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
0 : -1;
}
int crypto_bignum_mod(const struct crypto_bignum *a,
const struct crypto_bignum *b,
struct crypto_bignum *c)
{
int res;
BN_CTX *bnctx;
bnctx = BN_CTX_new();
if (bnctx == NULL)
return -1;
res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
bnctx);
BN_CTX_free(bnctx);
return res ? 0 : -1;
}
int crypto_bignum_exptmod(const struct crypto_bignum *a,
const struct crypto_bignum *b,
const struct crypto_bignum *c,
struct crypto_bignum *d)
{
int res;
BN_CTX *bnctx;
if (TEST_FAIL())
return -1;
bnctx = BN_CTX_new();
if (bnctx == NULL)
return -1;
res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
(const BIGNUM *) b, (const BIGNUM *) c,
bnctx, NULL);
BN_CTX_free(bnctx);
return res ? 0 : -1;
}
int crypto_bignum_inverse(const struct crypto_bignum *a,
const struct crypto_bignum *b,
struct crypto_bignum *c)
{
BIGNUM *res;
BN_CTX *bnctx;
if (TEST_FAIL())
return -1;
bnctx = BN_CTX_new();
if (bnctx == NULL)
return -1;
#ifdef OPENSSL_IS_BORINGSSL
/* TODO: use BN_mod_inverse_blinded() ? */
#else /* OPENSSL_IS_BORINGSSL */
BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
#endif /* OPENSSL_IS_BORINGSSL */
res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
(const BIGNUM *) b, bnctx);
BN_CTX_free(bnctx);
return res ? 0 : -1;
}
int crypto_bignum_sub(const struct crypto_bignum *a,
const struct crypto_bignum *b,
struct crypto_bignum *c)
{
if (TEST_FAIL())
return -1;
return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
0 : -1;
}
int crypto_bignum_div(const struct crypto_bignum *a,
const struct crypto_bignum *b,
struct crypto_bignum *c)
{
int res;
BN_CTX *bnctx;
if (TEST_FAIL())
return -1;
bnctx = BN_CTX_new();
if (bnctx == NULL)
return -1;
#ifndef OPENSSL_IS_BORINGSSL
BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
#endif /* OPENSSL_IS_BORINGSSL */
res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
(const BIGNUM *) b, bnctx);
BN_CTX_free(bnctx);
return res ? 0 : -1;
}
int crypto_bignum_addmod(const struct crypto_bignum *a,
const struct crypto_bignum *b,
const struct crypto_bignum *c,
struct crypto_bignum *d)
{
int res;
BN_CTX *bnctx;
if (TEST_FAIL())
return -1;
bnctx = BN_CTX_new();
if (!bnctx)
return -1;
res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
(const BIGNUM *) c, bnctx);
BN_CTX_free(bnctx);
return res ? 0 : -1;
}
int crypto_bignum_mulmod(const struct crypto_bignum *a,
const struct crypto_bignum *b,
const struct crypto_bignum *c,
struct crypto_bignum *d)
{
int res;
BN_CTX *bnctx;
if (TEST_FAIL())
return -1;
bnctx = BN_CTX_new();
if (bnctx == NULL)
return -1;
res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
(const BIGNUM *) c, bnctx);
BN_CTX_free(bnctx);
return res ? 0 : -1;
}
int crypto_bignum_sqrmod(const struct crypto_bignum *a,
const struct crypto_bignum *b,
struct crypto_bignum *c)
{
int res;
BN_CTX *bnctx;
if (TEST_FAIL())
return -1;
bnctx = BN_CTX_new();
if (!bnctx)
return -1;
res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
bnctx);
BN_CTX_free(bnctx);
return res ? 0 : -1;
}
int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
struct crypto_bignum *r)
{
return BN_rshift((BIGNUM *) r, (const BIGNUM *) a, n) == 1 ? 0 : -1;
}
int crypto_bignum_cmp(const struct crypto_bignum *a,
const struct crypto_bignum *b)
{
return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
}
int crypto_bignum_is_zero(const struct crypto_bignum *a)
{
return BN_is_zero((const BIGNUM *) a);
}
int crypto_bignum_is_one(const struct crypto_bignum *a)
{
return BN_is_one((const BIGNUM *) a);
}
int crypto_bignum_is_odd(const struct crypto_bignum *a)
{
return BN_is_odd((const BIGNUM *) a);
}
int crypto_bignum_legendre(const struct crypto_bignum *a,
const struct crypto_bignum *p)
{
BN_CTX *bnctx;
BIGNUM *exp = NULL, *tmp = NULL;
int res = -2;
unsigned int mask;
if (TEST_FAIL())
return -2;
bnctx = BN_CTX_new();
if (bnctx == NULL)
return -2;
exp = BN_new();
tmp = BN_new();
if (!exp || !tmp ||
/* exp = (p-1) / 2 */
!BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
!BN_rshift1(exp, exp) ||
!BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
(const BIGNUM *) p, bnctx, NULL))
goto fail;
/* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
* constant time selection to avoid branches here. */
res = -1;
mask = const_time_eq(BN_is_word(tmp, 1), 1);
res = const_time_select_int(mask, 1, res);
mask = const_time_eq(BN_is_zero(tmp), 1);
res = const_time_select_int(mask, 0, res);
fail:
BN_clear_free(tmp);
BN_clear_free(exp);
BN_CTX_free(bnctx);
return res;
}
#ifdef CONFIG_ECC
struct crypto_ec {
EC_GROUP *group;
int nid;
int iana_group;
BN_CTX *bnctx;
BIGNUM *prime;
BIGNUM *order;
BIGNUM *a;
BIGNUM *b;
};
static int crypto_ec_group_2_nid(int group)
{
/* Map from IANA registry for IKE D-H groups to OpenSSL NID */
switch (group) {
case 19:
return NID_X9_62_prime256v1;
case 20:
return NID_secp384r1;
case 21:
return NID_secp521r1;
case 25:
return NID_X9_62_prime192v1;
case 26:
return NID_secp224r1;
#ifdef NID_brainpoolP224r1
case 27:
return NID_brainpoolP224r1;
#endif /* NID_brainpoolP224r1 */
#ifdef NID_brainpoolP256r1
case 28:
return NID_brainpoolP256r1;
#endif /* NID_brainpoolP256r1 */
#ifdef NID_brainpoolP384r1
case 29:
return NID_brainpoolP384r1;
#endif /* NID_brainpoolP384r1 */
#ifdef NID_brainpoolP512r1
case 30:
return NID_brainpoolP512r1;
#endif /* NID_brainpoolP512r1 */
default:
return -1;
}
}
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static const char * crypto_ec_group_2_name(int group)
{
/* Map from IANA registry for IKE D-H groups to OpenSSL group name */
switch (group) {
case 19:
return "prime256v1";
case 20:
return "secp384r1";
case 21:
return "secp521r1";
case 25:
return "prime192v1";
case 26:
return "secp224r1";
#ifdef NID_brainpoolP224r1
case 27:
return "brainpoolP224r1";
#endif /* NID_brainpoolP224r1 */
#ifdef NID_brainpoolP256r1
case 28:
return "brainpoolP256r1";
#endif /* NID_brainpoolP256r1 */
#ifdef NID_brainpoolP384r1
case 29:
return "brainpoolP384r1";
#endif /* NID_brainpoolP384r1 */
#ifdef NID_brainpoolP512r1
case 30:
return "brainpoolP512r1";
#endif /* NID_brainpoolP512r1 */
default:
return NULL;
}
}
#endif /* OpenSSL version >= 3.0 */
struct crypto_ec * crypto_ec_init(int group)
{
struct crypto_ec *e;
int nid;
nid = crypto_ec_group_2_nid(group);
if (nid < 0)
return NULL;
e = os_zalloc(sizeof(*e));
if (e == NULL)
return NULL;
e->nid = nid;
e->iana_group = group;
e->bnctx = BN_CTX_new();
e->group = EC_GROUP_new_by_curve_name(nid);
e->prime = BN_new();
e->order = BN_new();
e->a = BN_new();
e->b = BN_new();
if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
e->order == NULL || e->a == NULL || e->b == NULL ||
!EC_GROUP_get_curve(e->group, e->prime, e->a, e->b, e->bnctx) ||
!EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
crypto_ec_deinit(e);
e = NULL;
}
return e;
}
void crypto_ec_deinit(struct crypto_ec *e)
{
if (e == NULL)
return;
BN_clear_free(e->b);
BN_clear_free(e->a);
BN_clear_free(e->order);
BN_clear_free(e->prime);
EC_GROUP_free(e->group);
BN_CTX_free(e->bnctx);
os_free(e);
}
struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
{
if (TEST_FAIL())
return NULL;
if (e == NULL)
return NULL;
return (struct crypto_ec_point *) EC_POINT_new(e->group);
}
size_t crypto_ec_prime_len(struct crypto_ec *e)
{
return BN_num_bytes(e->prime);
}
size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
{
return BN_num_bits(e->prime);
}
size_t crypto_ec_order_len(struct crypto_ec *e)
{
return BN_num_bytes(e->order);
}
const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
{
return (const struct crypto_bignum *) e->prime;
}
const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
{
return (const struct crypto_bignum *) e->order;
}
const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
{
return (const struct crypto_bignum *) e->a;
}
const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
{
return (const struct crypto_bignum *) e->b;
}
const struct crypto_ec_point * crypto_ec_get_generator(struct crypto_ec *e)
{
return (const struct crypto_ec_point *)
EC_GROUP_get0_generator(e->group);
}
void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
{
if (clear)
EC_POINT_clear_free((EC_POINT *) p);
else
EC_POINT_free((EC_POINT *) p);
}
int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p,
struct crypto_bignum *x)
{
return EC_POINT_get_affine_coordinates(e->group,
(const EC_POINT *) p,
(BIGNUM *) x, NULL,
e->bnctx) == 1 ? 0 : -1;
}
int crypto_ec_point_to_bin(struct crypto_ec *e,
const struct crypto_ec_point *point, u8 *x, u8 *y)
{
BIGNUM *x_bn, *y_bn;
int ret = -1;
int len = BN_num_bytes(e->prime);
if (TEST_FAIL())
return -1;
x_bn = BN_new();
y_bn = BN_new();
if (x_bn && y_bn &&
EC_POINT_get_affine_coordinates(e->group, (EC_POINT *) point,
x_bn, y_bn, e->bnctx)) {
if (x) {
ret = crypto_bignum_to_bin(
(struct crypto_bignum *) x_bn, x, len, len);
}
if (ret >= 0 && y) {
ret = crypto_bignum_to_bin(
(struct crypto_bignum *) y_bn, y, len, len);
}
if (ret > 0)
ret = 0;
}
BN_clear_free(x_bn);
BN_clear_free(y_bn);
return ret;
}
struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
const u8 *val)
{
BIGNUM *x, *y;
EC_POINT *elem;
int len = BN_num_bytes(e->prime);
if (TEST_FAIL())
return NULL;
x = BN_bin2bn(val, len, NULL);
y = BN_bin2bn(val + len, len, NULL);
elem = EC_POINT_new(e->group);
if (x == NULL || y == NULL || elem == NULL) {
BN_clear_free(x);
BN_clear_free(y);
EC_POINT_clear_free(elem);
return NULL;
}
if (!EC_POINT_set_affine_coordinates(e->group, elem, x, y, e->bnctx)) {
EC_POINT_clear_free(elem);
elem = NULL;
}
BN_clear_free(x);
BN_clear_free(y);
return (struct crypto_ec_point *) elem;
}
int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
const struct crypto_ec_point *b,
struct crypto_ec_point *c)
{
if (TEST_FAIL())
return -1;
return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
(const EC_POINT *) b, e->bnctx) ? 0 : -1;
}
int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
const struct crypto_bignum *b,
struct crypto_ec_point *res)
{
if (TEST_FAIL())
return -1;
return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
(const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
? 0 : -1;
}
int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
{
if (TEST_FAIL())
return -1;
return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
}
struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
const struct crypto_bignum *x)
{
BIGNUM *tmp;
if (TEST_FAIL())
return NULL;
tmp = BN_new();
/* y^2 = x^3 + ax + b = (x^2 + a)x + b */
if (tmp &&
BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
BN_mod_add_quick(tmp, e->a, tmp, e->prime) &&
BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
BN_mod_add_quick(tmp, tmp, e->b, e->prime))
return (struct crypto_bignum *) tmp;
BN_clear_free(tmp);
return NULL;
}
int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
const struct crypto_ec_point *p)
{
return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
}
int crypto_ec_point_is_on_curve(struct crypto_ec *e,
const struct crypto_ec_point *p)
{
return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
e->bnctx) == 1;
}
int crypto_ec_point_cmp(const struct crypto_ec *e,
const struct crypto_ec_point *a,
const struct crypto_ec_point *b)
{
return EC_POINT_cmp(e->group, (const EC_POINT *) a,
(const EC_POINT *) b, e->bnctx);
}
void crypto_ec_point_debug_print(const struct crypto_ec *e,
const struct crypto_ec_point *p,
const char *title)
{
BIGNUM *x, *y;
char *x_str = NULL, *y_str = NULL;
x = BN_new();
y = BN_new();
if (!x || !y ||
EC_POINT_get_affine_coordinates(e->group, (const EC_POINT *) p,
x, y, e->bnctx) != 1)
goto fail;
x_str = BN_bn2hex(x);
y_str = BN_bn2hex(y);
if (!x_str || !y_str)
goto fail;
wpa_printf(MSG_DEBUG, "%s (%s,%s)", title, x_str, y_str);
fail:
OPENSSL_free(x_str);
OPENSSL_free(y_str);
BN_free(x);
BN_free(y);
}
struct crypto_ecdh {
struct crypto_ec *ec;
EVP_PKEY *pkey;
};
struct crypto_ecdh * crypto_ecdh_init(int group)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
struct crypto_ecdh *ecdh;
const char *name;
ecdh = os_zalloc(sizeof(*ecdh));
if (!ecdh)
goto fail;
ecdh->ec = crypto_ec_init(group);
if (!ecdh->ec)
goto fail;
name = OSSL_EC_curve_nid2name(ecdh->ec->nid);
if (!name)
goto fail;
ecdh->pkey = EVP_EC_gen(name);
if (!ecdh->pkey)
goto fail;
done:
return ecdh;
fail:
crypto_ecdh_deinit(ecdh);
ecdh = NULL;
goto done;
#else /* OpenSSL version >= 3.0 */
struct crypto_ecdh *ecdh;
EVP_PKEY *params = NULL;
EC_KEY *ec_params = NULL;
EVP_PKEY_CTX *kctx = NULL;
ecdh = os_zalloc(sizeof(*ecdh));
if (!ecdh)
goto fail;
ecdh->ec = crypto_ec_init(group);
if (!ecdh->ec)
goto fail;
ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid);
if (!ec_params) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to generate EC_KEY parameters");
goto fail;
}
EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
params = EVP_PKEY_new();
if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to generate EVP_PKEY parameters");
goto fail;
}
kctx = EVP_PKEY_CTX_new(params, NULL);
if (!kctx)
goto fail;
if (EVP_PKEY_keygen_init(kctx) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: EVP_PKEY_keygen_init failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) {
wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
done:
EC_KEY_free(ec_params);
EVP_PKEY_free(params);
EVP_PKEY_CTX_free(kctx);
return ecdh;
fail:
crypto_ecdh_deinit(ecdh);
ecdh = NULL;
goto done;
#endif /* OpenSSL version >= 3.0 */
}
struct crypto_ecdh * crypto_ecdh_init2(int group, struct crypto_ec_key *own_key)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
struct crypto_ecdh *ecdh;
ecdh = os_zalloc(sizeof(*ecdh));
if (!ecdh)
goto fail;
ecdh->ec = crypto_ec_init(group);
if (!ecdh->ec)
goto fail;
ecdh->pkey = EVP_PKEY_dup((EVP_PKEY *) own_key);
if (!ecdh->pkey)
goto fail;
return ecdh;
fail:
crypto_ecdh_deinit(ecdh);
return NULL;
#else /* OpenSSL version >= 3.0 */
struct crypto_ecdh *ecdh;
ecdh = os_zalloc(sizeof(*ecdh));
if (!ecdh)
goto fail;
ecdh->ec = crypto_ec_init(group);
if (!ecdh->ec)
goto fail;
ecdh->pkey = EVP_PKEY_new();
if (!ecdh->pkey ||
EVP_PKEY_assign_EC_KEY(ecdh->pkey,
EVP_PKEY_get1_EC_KEY((EVP_PKEY *) own_key))
!= 1)
goto fail;
return ecdh;
fail:
crypto_ecdh_deinit(ecdh);
return NULL;
#endif /* OpenSSL version >= 3.0 */
}
struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
struct wpabuf *buf = NULL;
unsigned char *pub;
size_t len, exp_len;
len = EVP_PKEY_get1_encoded_public_key(ecdh->pkey, &pub);
if (len == 0)
return NULL;
/* Encoded using SECG SEC 1, Sec. 2.3.4 format */
exp_len = 1 + 2 * crypto_ec_prime_len(ecdh->ec);
if (len != exp_len) {
wpa_printf(MSG_ERROR,
"OpenSSL:%s: Unexpected encoded public key length %zu (expected %zu)",
__func__, len, exp_len);
goto fail;
}
buf = wpabuf_alloc_copy(pub + 1, inc_y ? len - 1 : len / 2);
fail:
OPENSSL_free(pub);
return buf;
#else /* OpenSSL version >= 3.0 */
struct wpabuf *buf = NULL;
EC_KEY *eckey;
const EC_POINT *pubkey;
BIGNUM *x, *y = NULL;
int len = BN_num_bytes(ecdh->ec->prime);
int res;
eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey);
if (!eckey)
return NULL;
pubkey = EC_KEY_get0_public_key(eckey);
if (!pubkey)
return NULL;
x = BN_new();
if (inc_y) {
y = BN_new();
if (!y)
goto fail;
}
buf = wpabuf_alloc(inc_y ? 2 * len : len);
if (!x || !buf)
goto fail;
if (EC_POINT_get_affine_coordinates(ecdh->ec->group, pubkey,
x, y, ecdh->ec->bnctx) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: EC_POINT_get_affine_coordinates failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
res = crypto_bignum_to_bin((struct crypto_bignum *) x,
wpabuf_put(buf, len), len, len);
if (res < 0)
goto fail;
if (inc_y) {
res = crypto_bignum_to_bin((struct crypto_bignum *) y,
wpabuf_put(buf, len), len, len);
if (res < 0)
goto fail;
}
done:
BN_clear_free(x);
BN_clear_free(y);
EC_KEY_free(eckey);
return buf;
fail:
wpabuf_free(buf);
buf = NULL;
goto done;
#endif /* OpenSSL version >= 3.0 */
}
struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
const u8 *key, size_t len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_PKEY *peerkey = EVP_PKEY_new();
EVP_PKEY_CTX *ctx;
size_t res_len;
struct wpabuf *res = NULL;
u8 *peer;
/* Encode using SECG SEC 1, Sec. 2.3.4 format */
peer = os_malloc(1 + len);
if (!peer)
return NULL;
peer[0] = inc_y ? 0x04 : 0x02;
os_memcpy(peer + 1, key, len);
if (!peerkey ||
EVP_PKEY_copy_parameters(peerkey, ecdh->pkey) != 1 ||
EVP_PKEY_set1_encoded_public_key(peerkey, peer, 1 + len) != 1) {
wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_set1_encoded_public_key failed: %s",
ERR_error_string(ERR_get_error(), NULL));
EVP_PKEY_free(peerkey);
os_free(peer);
return NULL;
}
os_free(peer);
ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
if (!ctx ||
EVP_PKEY_derive_init(ctx) != 1 ||
EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
EVP_PKEY_derive(ctx, NULL, &res_len) != 1 ||
!(res = wpabuf_alloc(res_len)) ||
EVP_PKEY_derive(ctx, wpabuf_mhead(res), &res_len) != 1) {
wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_derive failed: %s",
ERR_error_string(ERR_get_error(), NULL));
wpabuf_free(res);
res = NULL;
} else {
wpabuf_put(res, res_len);
}
EVP_PKEY_free(peerkey);
EVP_PKEY_CTX_free(ctx);
return res;
#else /* OpenSSL version >= 3.0 */
BIGNUM *x, *y = NULL;
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *peerkey = NULL;
struct wpabuf *secret = NULL;
size_t secret_len;
EC_POINT *pub;
EC_KEY *eckey = NULL;
x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL);
pub = EC_POINT_new(ecdh->ec->group);
if (!x || !pub)
goto fail;
if (inc_y) {
y = BN_bin2bn(key + len / 2, len / 2, NULL);
if (!y)
goto fail;
if (!EC_POINT_set_affine_coordinates(ecdh->ec->group, pub,
x, y, ecdh->ec->bnctx)) {
wpa_printf(MSG_ERROR,
"OpenSSL: EC_POINT_set_affine_coordinates failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
} else if (!EC_POINT_set_compressed_coordinates(ecdh->ec->group,
pub, x, 0,
ecdh->ec->bnctx)) {
wpa_printf(MSG_ERROR,
"OpenSSL: EC_POINT_set_compressed_coordinates failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) {
wpa_printf(MSG_ERROR,
"OpenSSL: ECDH peer public key is not on curve");
goto fail;
}
eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid);
if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: EC_KEY_set_public_key failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
peerkey = EVP_PKEY_new();
if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1)
goto fail;
ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
if (!ctx || EVP_PKEY_derive_init(ctx) != 1 ||
EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: EVP_PKEY_derive(1) failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
secret = wpabuf_alloc(secret_len);
if (!secret)
goto fail;
if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: EVP_PKEY_derive(2) failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
if (secret->size != secret_len)
wpa_printf(MSG_DEBUG,
"OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
(int) secret->size, (int) secret_len);
wpabuf_put(secret, secret_len);
done:
BN_free(x);
BN_free(y);
EC_KEY_free(eckey);
EC_POINT_free(pub);
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(peerkey);
return secret;
fail:
wpabuf_free(secret);
secret = NULL;
goto done;
#endif /* OpenSSL version >= 3.0 */
}
void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
{
if (ecdh) {
crypto_ec_deinit(ecdh->ec);
EVP_PKEY_free(ecdh->pkey);
os_free(ecdh);
}
}
size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
{
return crypto_ec_prime_len(ecdh->ec);
}
struct crypto_ec_key * crypto_ec_key_parse_priv(const u8 *der, size_t der_len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_PKEY *pkey = NULL;
OSSL_DECODER_CTX *ctx;
ctx = OSSL_DECODER_CTX_new_for_pkey(
&pkey, "DER", NULL, "EC",
OSSL_KEYMGMT_SELECT_KEYPAIR |
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
NULL, NULL);
if (!ctx ||
OSSL_DECODER_from_data(ctx, &der, &der_len) != 1) {
wpa_printf(MSG_INFO, "OpenSSL: Decoding EC private key (DER) failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
return (struct crypto_ec_key *) pkey;
fail:
crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
return NULL;
#else /* OpenSSL version >= 3.0 */
EVP_PKEY *pkey = NULL;
EC_KEY *eckey;
eckey = d2i_ECPrivateKey(NULL, &der, der_len);
if (!eckey) {
wpa_printf(MSG_INFO, "OpenSSL: d2i_ECPrivateKey() failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
pkey = EVP_PKEY_new();
if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
EC_KEY_free(eckey);
goto fail;
}
return (struct crypto_ec_key *) pkey;
fail:
crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
return NULL;
#endif /* OpenSSL version >= 3.0 */
}
struct crypto_ec_key * crypto_ec_key_set_priv(int group,
const u8 *raw, size_t raw_len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
const char *group_name;
OSSL_PARAM params[4];
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *pkey = NULL;
BIGNUM *priv;
EC_POINT *pub = NULL;
EC_GROUP *ec_group = NULL;
size_t len;
u8 *pub_bin = NULL;
u8 *priv_bin = NULL;
int priv_bin_len;
group_name = crypto_ec_group_2_name(group);
if (!group_name)
return NULL;
priv = BN_bin2bn(raw, raw_len, NULL);
if (!priv)
return NULL;
priv_bin = os_malloc(raw_len);
if (!priv_bin)
goto fail;
priv_bin_len = BN_bn2lebinpad(priv, priv_bin, raw_len);
if (priv_bin_len < 0)
goto fail;
ec_group = EC_GROUP_new_by_curve_name(crypto_ec_group_2_nid(group));
if (!ec_group)
goto fail;
pub = EC_POINT_new(ec_group);
if (!pub ||
EC_POINT_mul(ec_group, pub, priv, NULL, NULL, NULL) != 1)
goto fail;
len = EC_POINT_point2oct(ec_group, pub, POINT_CONVERSION_UNCOMPRESSED,
NULL, 0, NULL);
if (len == 0)
goto fail;
pub_bin = os_malloc(len);
if (!pub_bin)
goto fail;
len = EC_POINT_point2oct(ec_group, pub, POINT_CONVERSION_UNCOMPRESSED,
pub_bin, len, NULL);
if (len == 0)
goto fail;
params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
(char *) group_name, 0);
params[1] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_PRIV_KEY,
priv_bin, priv_bin_len);
params[2] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
pub_bin, len);
params[3] = OSSL_PARAM_construct_end();
ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
if (!ctx ||
EVP_PKEY_fromdata_init(ctx) <= 0 ||
EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
goto fail;
out:
bin_clear_free(priv_bin, raw_len);
os_free(pub_bin);
BN_clear_free(priv);
EVP_PKEY_CTX_free(ctx);
EC_POINT_free(pub);
EC_GROUP_free(ec_group);
return (struct crypto_ec_key *) pkey;
fail:
EVP_PKEY_free(pkey);
pkey = NULL;
goto out;
#else /* OpenSSL version >= 3.0 */
EC_KEY *eckey = NULL;
EVP_PKEY *pkey = NULL;
BIGNUM *priv = NULL;
int nid;
const EC_GROUP *ec_group;
EC_POINT *pub = NULL;
nid = crypto_ec_group_2_nid(group);
if (nid < 0) {
wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
return NULL;
}
eckey = EC_KEY_new_by_curve_name(nid);
priv = BN_bin2bn(raw, raw_len, NULL);
if (!eckey || !priv ||
EC_KEY_set_private_key(eckey, priv) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to set EC_KEY: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
ec_group = EC_KEY_get0_group(eckey);
if (!ec_group)
goto fail;
pub = EC_POINT_new(ec_group);
if (!pub ||
EC_POINT_mul(ec_group, pub, priv, NULL, NULL, NULL) != 1 ||
EC_KEY_set_public_key(eckey, pub) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to set EC_KEY(pub): %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
pkey = EVP_PKEY_new();
if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
goto fail;
}
out:
BN_clear_free(priv);
EC_POINT_free(pub);
return (struct crypto_ec_key *) pkey;
fail:
EC_KEY_free(eckey);
EVP_PKEY_free(pkey);
pkey = NULL;
goto out;
#endif /* OpenSSL version >= 3.0 */
}
struct crypto_ec_key * crypto_ec_key_parse_pub(const u8 *der, size_t der_len)
{
EVP_PKEY *pkey;
pkey = d2i_PUBKEY(NULL, &der, der_len);
if (!pkey) {
wpa_printf(MSG_INFO, "OpenSSL: d2i_PUBKEY() failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
/* Ensure this is an EC key */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (!EVP_PKEY_is_a(pkey, "EC"))
goto fail;
#else /* OpenSSL version >= 3.0 */
if (!EVP_PKEY_get0_EC_KEY(pkey))
goto fail;
#endif /* OpenSSL version >= 3.0 */
return (struct crypto_ec_key *) pkey;
fail:
crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
return NULL;
}
struct crypto_ec_key * crypto_ec_key_set_pub(int group, const u8 *buf_x,
const u8 *buf_y, size_t len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
const char *group_name;
OSSL_PARAM params[3];
u8 *pub;
EVP_PKEY_CTX *ctx;
EVP_PKEY *pkey = NULL;
group_name = crypto_ec_group_2_name(group);
if (!group_name)
return NULL;
pub = os_malloc(1 + len * 2);
if (!pub)
return NULL;
pub[0] = 0x04; /* uncompressed */
os_memcpy(pub + 1, buf_x, len);
os_memcpy(pub + 1 + len, buf_y, len);
params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
(char *) group_name, 0);
params[1] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
pub, 1 + len * 2);
params[2] = OSSL_PARAM_construct_end();
ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
if (!ctx) {
os_free(pub);
return NULL;
}
if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
os_free(pub);
EVP_PKEY_CTX_free(ctx);
return NULL;
}
os_free(pub);
EVP_PKEY_CTX_free(ctx);
return (struct crypto_ec_key *) pkey;
#else /* OpenSSL version >= 3.0 */
EC_KEY *eckey = NULL;
EVP_PKEY *pkey = NULL;
EC_GROUP *ec_group = NULL;
BN_CTX *ctx;
EC_POINT *point = NULL;
BIGNUM *x = NULL, *y = NULL;
int nid;
if (!buf_x || !buf_y)
return NULL;
nid = crypto_ec_group_2_nid(group);
if (nid < 0) {
wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
return NULL;
}
ctx = BN_CTX_new();
if (!ctx)
goto fail;
ec_group = EC_GROUP_new_by_curve_name(nid);
if (!ec_group)
goto fail;
x = BN_bin2bn(buf_x, len, NULL);
y = BN_bin2bn(buf_y, len, NULL);
point = EC_POINT_new(ec_group);
if (!x || !y || !point)
goto fail;
if (!EC_POINT_set_affine_coordinates(ec_group, point, x, y, ctx)) {
wpa_printf(MSG_ERROR,
"OpenSSL: EC_POINT_set_affine_coordinates failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
if (!EC_POINT_is_on_curve(ec_group, point, ctx) ||
EC_POINT_is_at_infinity(ec_group, point)) {
wpa_printf(MSG_ERROR, "OpenSSL: Invalid point");
goto fail;
}
eckey = EC_KEY_new();
if (!eckey ||
EC_KEY_set_group(eckey, ec_group) != 1 ||
EC_KEY_set_public_key(eckey, point) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to set EC_KEY: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
pkey = EVP_PKEY_new();
if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
goto fail;
}
out:
EC_GROUP_free(ec_group);
BN_free(x);
BN_free(y);
EC_POINT_free(point);
BN_CTX_free(ctx);
return (struct crypto_ec_key *) pkey;
fail:
EC_KEY_free(eckey);
EVP_PKEY_free(pkey);
pkey = NULL;
goto out;
#endif /* OpenSSL version >= 3.0 */
}
struct crypto_ec_key *
crypto_ec_key_set_pub_point(struct crypto_ec *ec,
const struct crypto_ec_point *pub)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
int len = BN_num_bytes(ec->prime);
struct crypto_ec_key *key;
u8 *buf;
buf = os_malloc(2 * len);
if (!buf)
return NULL;
if (crypto_ec_point_to_bin(ec, pub, buf, buf + len) < 0) {
os_free(buf);
return NULL;
}
key = crypto_ec_key_set_pub(ec->iana_group, buf, buf + len, len);
os_free(buf);
return key;
#else /* OpenSSL version >= 3.0 */
EC_KEY *eckey;
EVP_PKEY *pkey = NULL;
eckey = EC_KEY_new();
if (!eckey ||
EC_KEY_set_group(eckey, ec->group) != 1 ||
EC_KEY_set_public_key(eckey, (const EC_POINT *) pub) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to set EC_KEY: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);
pkey = EVP_PKEY_new();
if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
goto fail;
}
out:
return (struct crypto_ec_key *) pkey;
fail:
EVP_PKEY_free(pkey);
EC_KEY_free(eckey);
pkey = NULL;
goto out;
#endif /* OpenSSL version >= 3.0 */
}
struct crypto_ec_key * crypto_ec_key_gen(int group)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_PKEY_CTX *ctx;
OSSL_PARAM params[2];
const char *group_name;
EVP_PKEY *pkey = NULL;
group_name = crypto_ec_group_2_name(group);
if (!group_name)
return NULL;
params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
(char *) group_name, 0);
params[1] = OSSL_PARAM_construct_end();
ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
if (!ctx ||
EVP_PKEY_keygen_init(ctx) != 1 ||
EVP_PKEY_CTX_set_params(ctx, params) != 1 ||
EVP_PKEY_generate(ctx, &pkey) != 1) {
wpa_printf(MSG_INFO,
"OpenSSL: failed to generate EC keypair: %s",
ERR_error_string(ERR_get_error(), NULL));
pkey = NULL;
}
EVP_PKEY_CTX_free(ctx);
return (struct crypto_ec_key *) pkey;
#else /* OpenSSL version >= 3.0 */
EVP_PKEY_CTX *kctx = NULL;
EC_KEY *ec_params = NULL, *eckey;
EVP_PKEY *params = NULL, *key = NULL;
int nid;
nid = crypto_ec_group_2_nid(group);
if (nid < 0) {
wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
return NULL;
}
ec_params = EC_KEY_new_by_curve_name(nid);
if (!ec_params) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to generate EC_KEY parameters");
goto fail;
}
EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
params = EVP_PKEY_new();
if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to generate EVP_PKEY parameters");
goto fail;
}
kctx = EVP_PKEY_CTX_new(params, NULL);
if (!kctx ||
EVP_PKEY_keygen_init(kctx) != 1 ||
EVP_PKEY_keygen(kctx, &key) != 1) {
wpa_printf(MSG_ERROR, "OpenSSL: Failed to generate EC key");
key = NULL;
goto fail;
}
eckey = EVP_PKEY_get1_EC_KEY(key);
if (!eckey) {
key = NULL;
goto fail;
}
EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
EC_KEY_free(eckey);
fail:
EC_KEY_free(ec_params);
EVP_PKEY_free(params);
EVP_PKEY_CTX_free(kctx);
return (struct crypto_ec_key *) key;
#endif /* OpenSSL version >= 3.0 */
}
void crypto_ec_key_deinit(struct crypto_ec_key *key)
{
EVP_PKEY_free((EVP_PKEY *) key);
}
#ifdef OPENSSL_IS_BORINGSSL
/* BoringSSL version of i2d_PUBKEY() always outputs public EC key using
* uncompressed form so define a custom function to export EC pubkey using
* the compressed format that is explicitly required for some protocols. */
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
typedef struct {
/* AlgorithmIdentifier ecPublicKey with optional parameters present
* as an OID identifying the curve */
X509_ALGOR *alg;
/* Compressed format public key per ANSI X9.63 */
ASN1_BIT_STRING *pub_key;
} EC_COMP_PUBKEY;
ASN1_SEQUENCE(EC_COMP_PUBKEY) = {
ASN1_SIMPLE(EC_COMP_PUBKEY, alg, X509_ALGOR),
ASN1_SIMPLE(EC_COMP_PUBKEY, pub_key, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END(EC_COMP_PUBKEY);
IMPLEMENT_ASN1_FUNCTIONS(EC_COMP_PUBKEY);
#endif /* OPENSSL_IS_BORINGSSL */
struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
{
EVP_PKEY *pkey = (EVP_PKEY *) key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
OSSL_ENCODER_CTX *ctx;
int selection;
unsigned char *pdata = NULL;
size_t pdata_len = 0;
EVP_PKEY *copy = NULL;
struct wpabuf *buf = NULL;
if (EVP_PKEY_get_ec_point_conv_form(pkey) !=
POINT_CONVERSION_COMPRESSED) {
copy = EVP_PKEY_dup(pkey);
if (!copy)
return NULL;
if (EVP_PKEY_set_utf8_string_param(
copy, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED) !=
1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to set compressed format");
EVP_PKEY_free(copy);
return NULL;
}
pkey = copy;
}
selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS |
OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER",
"SubjectPublicKeyInfo",
NULL);
if (!ctx || OSSL_ENCODER_to_data(ctx, &pdata, &pdata_len) != 1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to encode SubjectPublicKeyInfo: %s",
ERR_error_string(ERR_get_error(), NULL));
pdata = NULL;
}
OSSL_ENCODER_CTX_free(ctx);
if (pdata) {
buf = wpabuf_alloc_copy(pdata, pdata_len);
OPENSSL_free(pdata);
}
EVP_PKEY_free(copy);
return buf;
#else /* OpenSSL version >= 3.0 */
#ifdef OPENSSL_IS_BORINGSSL
unsigned char *der = NULL;
int der_len;
const EC_KEY *eckey;
struct wpabuf *ret = NULL;
size_t len;
const EC_GROUP *group;
const EC_POINT *point;
BN_CTX *ctx;
EC_COMP_PUBKEY *pubkey = NULL;
int nid;
ctx = BN_CTX_new();
eckey = EVP_PKEY_get0_EC_KEY(pkey);
if (!ctx || !eckey)
goto fail;
group = EC_KEY_get0_group(eckey);
point = EC_KEY_get0_public_key(eckey);
if (!group || !point)
goto fail;
nid = EC_GROUP_get_curve_name(group);
pubkey = EC_COMP_PUBKEY_new();
if (!pubkey ||
X509_ALGOR_set0(pubkey->alg, OBJ_nid2obj(EVP_PKEY_EC),
V_ASN1_OBJECT, (void *) OBJ_nid2obj(nid)) != 1)
goto fail;
len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
NULL, 0, ctx);
if (len == 0)
goto fail;
der = OPENSSL_malloc(len);
if (!der)
goto fail;
len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
der, len, ctx);
OPENSSL_free(pubkey->pub_key->data);
pubkey->pub_key->data = der;
der = NULL;
pubkey->pub_key->length = len;
/* No unused bits */
pubkey->pub_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
pubkey->pub_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;
der_len = i2d_EC_COMP_PUBKEY(pubkey, &der);
if (der_len <= 0) {
wpa_printf(MSG_ERROR,
"BoringSSL: Failed to build DER encoded public key");
goto fail;
}
ret = wpabuf_alloc_copy(der, der_len);
fail:
EC_COMP_PUBKEY_free(pubkey);
OPENSSL_free(der);
BN_CTX_free(ctx);
return ret;
#else /* OPENSSL_IS_BORINGSSL */
unsigned char *der = NULL;
int der_len;
struct wpabuf *buf;
EC_KEY *eckey;
eckey = EVP_PKEY_get1_EC_KEY(pkey);
if (!eckey)
return NULL;
/* For now, all users expect COMPRESSED form */
EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
der_len = i2d_PUBKEY((EVP_PKEY *) key, &der);
EC_KEY_free(eckey);
if (der_len <= 0) {
wpa_printf(MSG_INFO, "OpenSSL: i2d_PUBKEY() failed: %s",
ERR_error_string(ERR_get_error(), NULL));
return NULL;
}
buf = wpabuf_alloc_copy(der, der_len);
OPENSSL_free(der);
return buf;
#endif /* OPENSSL_IS_BORINGSSL */
#endif /* OpenSSL version >= 3.0 */
}
struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key,
bool include_pub)
{
EVP_PKEY *pkey = (EVP_PKEY *) key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
OSSL_ENCODER_CTX *ctx;
int selection;
unsigned char *pdata = NULL;
size_t pdata_len = 0;
struct wpabuf *buf;
EVP_PKEY *copy = NULL;
selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS |
OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
if (include_pub) {
selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
} else {
/* Not including OSSL_KEYMGMT_SELECT_PUBLIC_KEY does not seem
* to really be sufficient, so clone the key and explicitly
* mark it not to include the public key. */
copy = EVP_PKEY_dup(pkey);
if (!copy)
return NULL;
EVP_PKEY_set_int_param(copy, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC,
0);
pkey = copy;
}
ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER",
"type-specific", NULL);
if (!ctx || OSSL_ENCODER_to_data(ctx, &pdata, &pdata_len) != 1) {
OSSL_ENCODER_CTX_free(ctx);
EVP_PKEY_free(copy);
return NULL;
}
OSSL_ENCODER_CTX_free(ctx);
buf = wpabuf_alloc_copy(pdata, pdata_len);
OPENSSL_free(pdata);
EVP_PKEY_free(copy);
return buf;
#else /* OpenSSL version >= 3.0 */
EC_KEY *eckey;
unsigned char *der = NULL;
int der_len;
struct wpabuf *buf;
unsigned int key_flags;
eckey = EVP_PKEY_get1_EC_KEY(pkey);
if (!eckey)
return NULL;
key_flags = EC_KEY_get_enc_flags(eckey);
if (include_pub)
key_flags &= ~EC_PKEY_NO_PUBKEY;
else
key_flags |= EC_PKEY_NO_PUBKEY;
EC_KEY_set_enc_flags(eckey, key_flags);
EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
der_len = i2d_ECPrivateKey(eckey, &der);
EC_KEY_free(eckey);
if (der_len <= 0)
return NULL;
buf = wpabuf_alloc_copy(der, der_len);
OPENSSL_free(der);
return buf;
#endif /* OpenSSL version >= 3.0 */
}
struct wpabuf * crypto_ec_key_get_pubkey_point(struct crypto_ec_key *key,
int prefix)
{
EVP_PKEY *pkey = (EVP_PKEY *) key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
struct wpabuf *buf;
unsigned char *pos;
size_t pub_len = OSSL_PARAM_UNMODIFIED;
buf = NULL;
if (!EVP_PKEY_is_a(pkey, "EC") ||
EVP_PKEY_get_octet_string_param(pkey,
OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
NULL, 0, &pub_len) < 0 ||
pub_len == OSSL_PARAM_UNMODIFIED ||
!(buf = wpabuf_alloc(pub_len)) ||
EVP_PKEY_get_octet_string_param(pkey,
OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
wpabuf_put(buf, pub_len),
pub_len, NULL) != 1 ||
wpabuf_head_u8(buf)[0] != 0x04) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to get encoded public key: %s",
ERR_error_string(ERR_get_error(), NULL));
wpabuf_free(buf);
return NULL;
}
if (!prefix) {
/* Remove 0x04 prefix if requested */
pos = wpabuf_mhead(buf);
os_memmove(pos, pos + 1, pub_len - 1);
buf->used--;
}
return buf;
#else /* OpenSSL version >= 3.0 */
int len, res;
EC_KEY *eckey;
struct wpabuf *buf;
unsigned char *pos;
eckey = EVP_PKEY_get1_EC_KEY(pkey);
if (!eckey)
return NULL;
EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
len = i2o_ECPublicKey(eckey, NULL);
if (len <= 0) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to determine public key encoding length");
EC_KEY_free(eckey);
return NULL;
}
buf = wpabuf_alloc(len);
if (!buf) {
EC_KEY_free(eckey);
return NULL;
}
pos = wpabuf_put(buf, len);
res = i2o_ECPublicKey(eckey, &pos);
EC_KEY_free(eckey);
if (res != len) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to encode public key (res=%d/%d)",
res, len);
wpabuf_free(buf);
return NULL;
}
if (!prefix) {
/* Remove 0x04 prefix if requested */
pos = wpabuf_mhead(buf);
os_memmove(pos, pos + 1, len - 1);
buf->used--;
}
return buf;
#endif /* OpenSSL version >= 3.0 */
}
struct crypto_ec_point *
crypto_ec_key_get_public_key(struct crypto_ec_key *key)
{
EVP_PKEY *pkey = (EVP_PKEY *) key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
char group[64];
unsigned char pub[256];
size_t len;
EC_POINT *point = NULL;
EC_GROUP *grp;
int res = 0;
OSSL_PARAM params[2];
if (!EVP_PKEY_is_a(pkey, "EC") ||
EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
group, sizeof(group), &len) != 1 ||
EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PUB_KEY,
pub, sizeof(pub), &len) != 1)
return NULL;
params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
group, 0);
params[1] = OSSL_PARAM_construct_end();
grp = EC_GROUP_new_from_params(params, NULL, NULL);
if (!grp)
goto fail;
point = EC_POINT_new(grp);
if (!point)
goto fail;
res = EC_POINT_oct2point(grp, point, pub, len, NULL);
fail:
if (res != 1) {
EC_POINT_free(point);
point = NULL;
}
EC_GROUP_free(grp);
return (struct crypto_ec_point *) point;
#else /* OpenSSL version >= 3.0 */
const EC_KEY *eckey;
const EC_POINT *point;
const EC_GROUP *group;
eckey = EVP_PKEY_get0_EC_KEY(pkey);
if (!eckey)
return NULL;
group = EC_KEY_get0_group(eckey);
if (!group)
return NULL;
point = EC_KEY_get0_public_key(eckey);
if (!point)
return NULL;
return (struct crypto_ec_point *) EC_POINT_dup(point, group);
#endif /* OpenSSL version >= 3.0 */
}
struct crypto_bignum *
crypto_ec_key_get_private_key(struct crypto_ec_key *key)
{
EVP_PKEY *pkey = (EVP_PKEY *) key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
BIGNUM *bn = NULL;
if (!EVP_PKEY_is_a(pkey, "EC") ||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &bn) != 1)
return NULL;
return (struct crypto_bignum *) bn;
#else /* OpenSSL version >= 3.0 */
const EC_KEY *eckey;
const BIGNUM *bn;
eckey = EVP_PKEY_get0_EC_KEY(pkey);
if (!eckey)
return NULL;
bn = EC_KEY_get0_private_key(eckey);
if (!bn)
return NULL;
return (struct crypto_bignum *) BN_dup(bn);
#endif /* OpenSSL version >= 3.0 */
}
struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
size_t len)
{
EVP_PKEY_CTX *pkctx;
struct wpabuf *sig_der;
size_t sig_len;
sig_len = EVP_PKEY_size((EVP_PKEY *) key);
sig_der = wpabuf_alloc(sig_len);
if (!sig_der)
return NULL;
pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
if (!pkctx ||
EVP_PKEY_sign_init(pkctx) <= 0 ||
EVP_PKEY_sign(pkctx, wpabuf_put(sig_der, 0), &sig_len,
data, len) <= 0) {
wpabuf_free(sig_der);
sig_der = NULL;
} else {
wpabuf_put(sig_der, sig_len);
}
EVP_PKEY_CTX_free(pkctx);
return sig_der;
}
static int openssl_evp_pkey_ec_prime_len(struct crypto_ec_key *key)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
char gname[50];
int nid;
EC_GROUP *group;
BIGNUM *prime = NULL;
int prime_len = -1;
if (EVP_PKEY_get_group_name((EVP_PKEY *) key, gname, sizeof(gname),
NULL) != 1)
return -1;
nid = OBJ_txt2nid(gname);
group = EC_GROUP_new_by_curve_name(nid);
prime = BN_new();
if (!group || !prime)
return -1;
if (EC_GROUP_get_curve(group, prime, NULL, NULL, NULL) == 1)
prime_len = BN_num_bytes(prime);
EC_GROUP_free(group);
BN_free(prime);
return prime_len;
#else
const EC_GROUP *group;
const EC_KEY *eckey;
BIGNUM *prime = NULL;
int prime_len = -1;
eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
if (!eckey)
goto fail;
group = EC_KEY_get0_group(eckey);
prime = BN_new();
if (!prime || !group ||
!EC_GROUP_get_curve(group, prime, NULL, NULL, NULL))
goto fail;
prime_len = BN_num_bytes(prime);
fail:
BN_free(prime);
return prime_len;
#endif
}
struct wpabuf * crypto_ec_key_sign_r_s(struct crypto_ec_key *key,
const u8 *data, size_t len)
{
ECDSA_SIG *sig = NULL;
const BIGNUM *r, *s;
u8 *r_buf, *s_buf;
struct wpabuf *buf;
const unsigned char *p;
int prime_len;
prime_len = openssl_evp_pkey_ec_prime_len(key);
if (prime_len < 0)
return NULL;
buf = crypto_ec_key_sign(key, data, len);
if (!buf)
return NULL;
/* Extract (r,s) from Ecdsa-Sig-Value */
p = wpabuf_head(buf);
sig = d2i_ECDSA_SIG(NULL, &p, wpabuf_len(buf));
if (!sig)
goto fail;
ECDSA_SIG_get0(sig, &r, &s);
/* Re-use wpabuf returned by crypto_ec_key_sign() */
buf->used = 0;
r_buf = wpabuf_put(buf, prime_len);
s_buf = wpabuf_put(buf, prime_len);
if (crypto_bignum_to_bin((const struct crypto_bignum *) r, r_buf,
prime_len, prime_len) < 0 ||
crypto_bignum_to_bin((const struct crypto_bignum *) s, s_buf,
prime_len, prime_len) < 0)
goto fail;
out:
ECDSA_SIG_free(sig);
return buf;
fail:
wpabuf_clear_free(buf);
buf = NULL;
goto out;
}
int crypto_ec_key_verify_signature(struct crypto_ec_key *key, const u8 *data,
size_t len, const u8 *sig, size_t sig_len)
{
EVP_PKEY_CTX *pkctx;
int ret;
pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
if (!pkctx || EVP_PKEY_verify_init(pkctx) <= 0) {
EVP_PKEY_CTX_free(pkctx);
return -1;
}
ret = EVP_PKEY_verify(pkctx, sig, sig_len, data, len);
EVP_PKEY_CTX_free(pkctx);
if (ret == 1)
return 1; /* signature ok */
if (ret == 0)
return 0; /* incorrect signature */
return -1;
}
int crypto_ec_key_verify_signature_r_s(struct crypto_ec_key *key,
const u8 *data, size_t len,
const u8 *r, size_t r_len,
const u8 *s, size_t s_len)
{
ECDSA_SIG *sig;
BIGNUM *r_bn, *s_bn;
unsigned char *der = NULL;
int der_len;
int ret = -1;
r_bn = BN_bin2bn(r, r_len, NULL);
s_bn = BN_bin2bn(s, s_len, NULL);
sig = ECDSA_SIG_new();
if (!r_bn || !s_bn || !sig || ECDSA_SIG_set0(sig, r_bn, s_bn) != 1)
goto fail;
r_bn = NULL;
s_bn = NULL;
der_len = i2d_ECDSA_SIG(sig, &der);
if (der_len <= 0) {
wpa_printf(MSG_DEBUG,
"OpenSSL: Could not DER encode signature");
goto fail;
}
ret = crypto_ec_key_verify_signature(key, data, len, der, der_len);
fail:
OPENSSL_free(der);
BN_free(r_bn);
BN_free(s_bn);
ECDSA_SIG_free(sig);
return ret;
}
int crypto_ec_key_group(struct crypto_ec_key *key)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
char gname[50];
int nid;
if (EVP_PKEY_get_group_name((EVP_PKEY *) key, gname, sizeof(gname),
NULL) != 1)
return -1;
nid = OBJ_txt2nid(gname);
#else
const EC_KEY *eckey;
const EC_GROUP *group;
int nid;
eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
if (!eckey)
return -1;
group = EC_KEY_get0_group(eckey);
if (!group)
return -1;
nid = EC_GROUP_get_curve_name(group);
#endif
switch (nid) {
case NID_X9_62_prime256v1:
return 19;
case NID_secp384r1:
return 20;
case NID_secp521r1:
return 21;
#ifdef NID_brainpoolP256r1
case NID_brainpoolP256r1:
return 28;
#endif /* NID_brainpoolP256r1 */
#ifdef NID_brainpoolP384r1
case NID_brainpoolP384r1:
return 29;
#endif /* NID_brainpoolP384r1 */
#ifdef NID_brainpoolP512r1
case NID_brainpoolP512r1:
return 30;
#endif /* NID_brainpoolP512r1 */
default:
wpa_printf(MSG_ERROR,
"OpenSSL: Unsupported curve (nid=%d) in EC key",
nid);
return -1;
}
}
int crypto_ec_key_cmp(struct crypto_ec_key *key1, struct crypto_ec_key *key2)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (EVP_PKEY_eq((EVP_PKEY *) key1, (EVP_PKEY *) key2) != 1)
return -1;
#else
if (EVP_PKEY_cmp((EVP_PKEY *) key1, (EVP_PKEY *) key2) != 1)
return -1;
#endif
return 0;
}
void crypto_ec_key_debug_print(const struct crypto_ec_key *key,
const char *title)
{
BIO *out;
size_t rlen;
char *txt;
int res;
out = BIO_new(BIO_s_mem());
if (!out)
return;
EVP_PKEY_print_private(out, (EVP_PKEY *) key, 0, NULL);
rlen = BIO_ctrl_pending(out);
txt = os_malloc(rlen + 1);
if (txt) {
res = BIO_read(out, txt, rlen);
if (res > 0) {
txt[res] = '\0';
wpa_printf(MSG_DEBUG, "%s: %s", title, txt);
}
os_free(txt);
}
BIO_free(out);
}
struct wpabuf * crypto_pkcs7_get_certificates(const struct wpabuf *pkcs7)
{
#ifdef OPENSSL_IS_BORINGSSL
CBS pkcs7_cbs;
#else /* OPENSSL_IS_BORINGSSL */
PKCS7 *p7 = NULL;
const unsigned char *p = wpabuf_head(pkcs7);
#endif /* OPENSSL_IS_BORINGSSL */
STACK_OF(X509) *certs;
int i, num;
BIO *out = NULL;
size_t rlen;
struct wpabuf *pem = NULL;
int res;
#ifdef OPENSSL_IS_BORINGSSL
certs = sk_X509_new_null();
if (!certs)
goto fail;
CBS_init(&pkcs7_cbs, wpabuf_head(pkcs7), wpabuf_len(pkcs7));
if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
wpa_printf(MSG_INFO,
"OpenSSL: Could not parse PKCS#7 object: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
#else /* OPENSSL_IS_BORINGSSL */
p7 = d2i_PKCS7(NULL, &p, wpabuf_len(pkcs7));
if (!p7) {
wpa_printf(MSG_INFO,
"OpenSSL: Could not parse PKCS#7 object: %s",
ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
switch (OBJ_obj2nid(p7->type)) {
case NID_pkcs7_signed:
certs = p7->d.sign->cert;
break;
case NID_pkcs7_signedAndEnveloped:
certs = p7->d.signed_and_enveloped->cert;
break;
default:
certs = NULL;
break;
}
#endif /* OPENSSL_IS_BORINGSSL */
if (!certs || ((num = sk_X509_num(certs)) == 0)) {
wpa_printf(MSG_INFO,
"OpenSSL: No certificates found in PKCS#7 object");
goto fail;
}
out = BIO_new(BIO_s_mem());
if (!out)
goto fail;
for (i = 0; i < num; i++) {
X509 *cert = sk_X509_value(certs, i);
PEM_write_bio_X509(out, cert);
}
rlen = BIO_ctrl_pending(out);
pem = wpabuf_alloc(rlen);
if (!pem)
goto fail;
res = BIO_read(out, wpabuf_put(pem, 0), rlen);
if (res <= 0) {
wpabuf_free(pem);
pem = NULL;
goto fail;
}
wpabuf_put(pem, res);
fail:
#ifdef OPENSSL_IS_BORINGSSL
if (certs)
sk_X509_pop_free(certs, X509_free);
#else /* OPENSSL_IS_BORINGSSL */
PKCS7_free(p7);
#endif /* OPENSSL_IS_BORINGSSL */
if (out)
BIO_free_all(out);
return pem;
}
struct crypto_csr * crypto_csr_init()
{
return (struct crypto_csr *)X509_REQ_new();
}
struct crypto_csr * crypto_csr_verify(const struct wpabuf *req)
{
X509_REQ *csr;
EVP_PKEY *pkey = NULL;
const u8 *der = wpabuf_head(req);
csr = d2i_X509_REQ(NULL, &der, wpabuf_len(req));
if (!csr)
return NULL;
pkey = X509_REQ_get_pubkey((X509_REQ *)csr);
if (!pkey)
goto fail;
if (X509_REQ_verify((X509_REQ *)csr, pkey) != 1)
goto fail;
return (struct crypto_csr *)csr;
fail:
X509_REQ_free(csr);
return NULL;
}
void crypto_csr_deinit(struct crypto_csr *csr)
{
X509_REQ_free((X509_REQ *)csr);
}
int crypto_csr_set_ec_public_key(struct crypto_csr *csr, struct crypto_ec_key *key)
{
if (!X509_REQ_set_pubkey((X509_REQ *)csr, (EVP_PKEY *)key))
return -1;
return 0;
}
int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
const char *name)
{
X509_NAME *n;
int nid;
switch (type) {
case CSR_NAME_CN:
nid = NID_commonName;
break;
case CSR_NAME_SN:
nid = NID_surname;
break;
case CSR_NAME_C:
nid = NID_countryName;
break;
case CSR_NAME_O:
nid = NID_organizationName;
break;
case CSR_NAME_OU:
nid = NID_organizationalUnitName;
break;
default:
return -1;
}
n = X509_REQ_get_subject_name((X509_REQ *) csr);
if (!n)
return -1;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
(unsigned char *) name,
os_strlen(name), -1, 0))
return -1;
#else
if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
(const unsigned char *) name,
os_strlen(name), -1, 0))
return -1;
#endif
return 0;
}
int crypto_csr_set_attribute(struct crypto_csr *csr, enum crypto_csr_attr attr,
int attr_type, const u8 *value, size_t len)
{
int nid;
switch (attr) {
case CSR_ATTR_CHALLENGE_PASSWORD:
nid = NID_pkcs9_challengePassword;
break;
default:
return -1;
}
if (!X509_REQ_add1_attr_by_NID((X509_REQ *) csr, nid, attr_type, value,
len))
return -1;
return 0;
}
const u8 * crypto_csr_get_attribute(struct crypto_csr *csr,
enum crypto_csr_attr attr,
size_t *len, int *type)
{
X509_ATTRIBUTE *attrib;
ASN1_TYPE *attrib_type;
ASN1_STRING *data;
int loc;
int nid;
switch (attr) {
case CSR_ATTR_CHALLENGE_PASSWORD:
nid = NID_pkcs9_challengePassword;
break;
default:
return NULL;
}
loc = X509_REQ_get_attr_by_NID((X509_REQ *) csr, nid, -1);
if (loc < 0)
return NULL;
attrib = X509_REQ_get_attr((X509_REQ *) csr, loc);
if (!attrib)
return NULL;
attrib_type = X509_ATTRIBUTE_get0_type(attrib, 0);
if (!attrib_type)
return NULL;
*type = ASN1_TYPE_get(attrib_type);
data = X509_ATTRIBUTE_get0_data(attrib, 0, *type, NULL);
if (!data)
return NULL;
*len = ASN1_STRING_length(data);
return ASN1_STRING_get0_data(data);
}
struct wpabuf * crypto_csr_sign(struct crypto_csr *csr,
struct crypto_ec_key *key,
enum crypto_hash_alg algo)
{
const EVP_MD *sign_md;
struct wpabuf *buf;
unsigned char *der = NULL;
int der_len;
switch (algo) {
case CRYPTO_HASH_ALG_SHA256:
sign_md = EVP_sha256();
break;
case CRYPTO_HASH_ALG_SHA384:
sign_md = EVP_sha384();
break;
case CRYPTO_HASH_ALG_SHA512:
sign_md = EVP_sha512();
break;
default:
return NULL;
}
if (!X509_REQ_sign((X509_REQ *) csr, (EVP_PKEY *) key, sign_md))
return NULL;
der_len = i2d_X509_REQ((X509_REQ *) csr, &der);
if (der_len < 0)
return NULL;
buf = wpabuf_alloc_copy(der, der_len);
OPENSSL_free(der);
return buf;
}
#endif /* CONFIG_ECC */
static EVP_PKEY * crypto_rsa_key_read_public(FILE *f)
{
EVP_PKEY *pkey;
X509 *x509;
const ASN1_TIME *not_before, *not_after;
int res_before, res_after;
pkey = PEM_read_PUBKEY(f, NULL, NULL, NULL);
if (pkey)
return pkey;
rewind(f);
x509 = PEM_read_X509(f, NULL, NULL, NULL);
if (!x509)
return NULL;
not_before = X509_get0_notBefore(x509);
not_after = X509_get0_notAfter(x509);
if (!not_before || !not_after)
goto fail;
res_before = X509_cmp_current_time(not_before);
res_after = X509_cmp_current_time(not_after);
if (!res_before || !res_after)
goto fail;
if (res_before > 0 || res_after < 0) {
wpa_printf(MSG_INFO,
"OpenSSL: Certificate for RSA public key is not valid at this time (%d %d)",
res_before, res_after);
goto fail;
}
pkey = X509_get_pubkey(x509);
X509_free(x509);
if (!pkey)
return NULL;
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) {
wpa_printf(MSG_INFO, "OpenSSL: No RSA public key found");
EVP_PKEY_free(pkey);
return NULL;
}
return pkey;
fail:
X509_free(x509);
return NULL;
}
struct crypto_rsa_key * crypto_rsa_key_read(const char *file, bool private_key)
{
FILE *f;
EVP_PKEY *pkey;
f = fopen(file, "r");
if (!f)
return NULL;
if (private_key)
pkey = PEM_read_PrivateKey(f, NULL, NULL, NULL);
else
pkey = crypto_rsa_key_read_public(f);
fclose(f);
return (struct crypto_rsa_key *) pkey;
}
#ifndef OPENSSL_NO_SHA256
struct wpabuf * crypto_rsa_oaep_sha256_encrypt(struct crypto_rsa_key *key,
const struct wpabuf *in)
{
#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
EVP_PKEY *pkey = (EVP_PKEY *) key;
EVP_PKEY_CTX *pkctx;
struct wpabuf *res = NULL;
size_t outlen;
pkctx = EVP_PKEY_CTX_new(pkey, NULL);
if (!pkctx)
goto fail;
if (EVP_PKEY_encrypt_init(pkctx) != 1 ||
EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0 ||
EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, EVP_sha256()) <= 0 ||
EVP_PKEY_encrypt(pkctx, NULL, &outlen, wpabuf_head(in),
wpabuf_len(in)) != 1 ||
!(res = wpabuf_alloc(outlen)) ||
EVP_PKEY_encrypt(pkctx, wpabuf_put(res, 0), &outlen,
wpabuf_head(in), wpabuf_len(in)) != 1) {
wpabuf_free(res);
res = NULL;
goto fail;
}
wpabuf_put(res, outlen);
fail:
EVP_PKEY_CTX_free(pkctx);
return res;
#else
wpa_printf(MSG_ERROR, "%s() not supported", __func__);
return NULL;
#endif
}
struct wpabuf * crypto_rsa_oaep_sha256_decrypt(struct crypto_rsa_key *key,
const struct wpabuf *in)
{
#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
EVP_PKEY *pkey = (EVP_PKEY *) key;
EVP_PKEY_CTX *pkctx;
struct wpabuf *res = NULL;
size_t outlen;
pkctx = EVP_PKEY_CTX_new(pkey, NULL);
if (!pkctx)
goto fail;
if (EVP_PKEY_decrypt_init(pkctx) != 1 ||
EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0 ||
EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, EVP_sha256()) <= 0 ||
EVP_PKEY_decrypt(pkctx, NULL, &outlen, wpabuf_head(in),
wpabuf_len(in)) != 1 ||
!(res = wpabuf_alloc(outlen)) ||
EVP_PKEY_decrypt(pkctx, wpabuf_put(res, 0), &outlen,
wpabuf_head(in), wpabuf_len(in)) != 1) {
wpabuf_free(res);
res = NULL;
goto fail;
}
wpabuf_put(res, outlen);
fail:
EVP_PKEY_CTX_free(pkctx);
return res;
#else
wpa_printf(MSG_ERROR, "%s() not supported", __func__);
return NULL;
#endif
}
#endif /* OPENSSL_NO_SHA256 */
void crypto_rsa_key_free(struct crypto_rsa_key *key)
{
EVP_PKEY_free((EVP_PKEY *) key);
}
#ifdef CONFIG_DPP3
#define HPKE_MAX_SHARED_SECRET_LEN 66
#define HPKE_MAX_HASH_LEN 64
#define HPKE_MAX_KEY_LEN 32
#define HPKE_MAX_NONCE_LEN 12
#define HPKE_MAX_PUB_LEN (1 + 2 * 66)
struct hpke_context {
/* KEM */
enum hpke_kem_id kem_id;
int kem_nid;
int iana_group;
size_t n_pk;
size_t n_secret;
const EVP_MD *kem_h;
size_t kem_n_h;
/* KDF */
enum hpke_kdf_id kdf_id;
const EVP_MD *kdf_h;
size_t n_h;
/* AEAD */
enum hpke_aead_id aead_id;
const EVP_CIPHER *cipher;
size_t n_k;
size_t n_n;
size_t n_t;
u8 key[HPKE_MAX_KEY_LEN];
u8 base_nonce[HPKE_MAX_NONCE_LEN];
};
static void hpke_free_context(struct hpke_context *ctx)
{
bin_clear_free(ctx, sizeof(*ctx));
}
static struct hpke_context * hpke_get_context(enum hpke_kem_id kem_id,
enum hpke_kdf_id kdf_id,
enum hpke_aead_id aead_id,
struct crypto_ec_key *key)
{
struct hpke_context *ctx;
int group;
ctx = os_zalloc(sizeof(*ctx));
if (!ctx)
return NULL;
ctx->kem_id = kem_id;
switch (kem_id) {
case HPKE_DHKEM_P256_HKDF_SHA256:
ctx->kem_nid = NID_X9_62_prime256v1;
ctx->iana_group = 19;
ctx->n_pk = 65;
ctx->n_secret = 32;
ctx->kem_h = EVP_sha256();
ctx->kem_n_h = 32;
break;
case HPKE_DHKEM_P384_HKDF_SHA384:
ctx->kem_nid = NID_secp384r1;
ctx->iana_group = 20;
ctx->n_pk = 97;
ctx->n_secret = 48;
ctx->kem_h = EVP_sha384();
ctx->kem_n_h = 48;
break;
case HPKE_DHKEM_P521_HKDF_SHA512:
ctx->kem_nid = NID_secp521r1;
ctx->iana_group = 21;
ctx->n_pk = 133;
ctx->n_secret = 64;
ctx->kem_h = EVP_sha512();
ctx->kem_n_h = 64;
break;
default:
goto fail;
}
ctx->kdf_id = kdf_id;
switch (kdf_id) {
case HPKE_KDF_HKDF_SHA256:
ctx->kdf_h = EVP_sha256();
ctx->n_h = 32;
break;
case HPKE_KDF_HKDF_SHA384:
ctx->kdf_h = EVP_sha384();
ctx->n_h = 48;
break;
case HPKE_KDF_HKDF_SHA512:
ctx->kdf_h = EVP_sha512();
ctx->n_h = 64;
break;
default:
goto fail;
}
ctx->aead_id = aead_id;
switch (aead_id) {
case HPKE_AEAD_AES_128_GCM:
ctx->cipher = EVP_aes_128_gcm();
ctx->n_k = 16;
ctx->n_n = 12;
ctx->n_t = 16;
break;
case HPKE_AEAD_AES_256_GCM:
ctx->cipher = EVP_aes_256_gcm();
ctx->n_k = 32;
ctx->n_n = 12;
ctx->n_t = 16;
break;
default:
goto fail;
}
/* Convert BP-256/384/512 to P-256/384/521 for DPP */
group = crypto_ec_key_group(key);
if (group == 28 && ctx->iana_group == 19) {
ctx->iana_group = 28;
} else if (group == 29 && ctx->iana_group == 20) {
ctx->iana_group = 29;
} else if (group == 30 && ctx->iana_group == 21) {
ctx->iana_group = 30;
ctx->n_pk = 129;
}
if (group != ctx->iana_group) {
wpa_printf(MSG_INFO, "OpenSSL:%s:group mismatch (%d != %d)",
__func__, group, ctx->iana_group);
goto fail;
}
return ctx;
fail:
hpke_free_context(ctx);
return NULL;
}
static size_t hpke_suite_id(struct hpke_context *ctx, bool kem, u8 *suite_id)
{
size_t suite_id_len;
if (kem) {
os_memcpy(suite_id, "KEM", 3);
WPA_PUT_BE16(&suite_id[3], ctx->kem_id);
suite_id_len = 5;
} else {
os_memcpy(suite_id, "HPKE", 4);
WPA_PUT_BE16(&suite_id[4], ctx->kem_id);
WPA_PUT_BE16(&suite_id[6], ctx->kdf_id);
WPA_PUT_BE16(&suite_id[8], ctx->aead_id);
suite_id_len = 10;
}
return suite_id_len;
}
static int hpke_labeled_extract(struct hpke_context *ctx, bool kem,
const u8 *salt, size_t salt_len,
const char *label,
const u8 *ikm, size_t ikm_len, u8 *prk)
{
u8 zero[HPKE_MAX_HASH_LEN];
u8 suite_id[10];
size_t suite_id_len;
unsigned int mdlen = kem ? ctx->kem_n_h : ctx->n_h;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_MAC *hmac;
OSSL_PARAM params[2];
EVP_MAC_CTX *hctx;
size_t mlen;
int res;
#else /* OpenSSL version >= 3.0 */
HMAC_CTX *hctx;
int res;
#endif /* OpenSSL version >= 3.0 */
if (!salt || !salt_len) {
salt_len = mdlen;
os_memset(zero, 0, salt_len);
salt = zero;
}
suite_id_len = hpke_suite_id(ctx, kem, suite_id);
/* labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
* return Extract(salt, labeled_ikm) */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
if (!hmac)
return -1;
params[0] = OSSL_PARAM_construct_utf8_string(
"digest",
(char *) EVP_MD_get0_name(kem ? ctx->kem_h : ctx->kdf_h), 0);
params[1] = OSSL_PARAM_construct_end();
hctx = EVP_MAC_CTX_new(hmac);
EVP_MAC_free(hmac);
if (!hctx)
return -1;
if (EVP_MAC_init(hctx, salt, salt_len, params) != 1)
goto fail;
if (EVP_MAC_update(hctx, (const unsigned char *) "HPKE-v1", 7) != 1 ||
EVP_MAC_update(hctx, suite_id, suite_id_len) != 1 ||
EVP_MAC_update(hctx, (const unsigned char *) label,
os_strlen(label)) != 1 ||
EVP_MAC_update(hctx, ikm, ikm_len) != 1)
goto fail;
res = EVP_MAC_final(hctx, prk, &mlen, mdlen);
EVP_MAC_CTX_free(hctx);
return res == 1 ? 0 : -1;
fail:
EVP_MAC_CTX_free(hctx);
return -1;
#else /* OpenSSL version >= 3.0 */
hctx = HMAC_CTX_new();
if (!hctx)
return -1;
res = HMAC_Init_ex(hctx, salt, salt_len, kem ? ctx->kem_h : ctx->kdf_h,
NULL);
if (res != 1)
goto done;
HMAC_Update(hctx, (const unsigned char *) "HPKE-v1", 7);
HMAC_Update(hctx, suite_id, suite_id_len);
HMAC_Update(hctx, (const unsigned char *) label, os_strlen(label));
HMAC_Update(hctx, ikm, ikm_len);
res = HMAC_Final(hctx, prk, &mdlen);
done:
HMAC_CTX_free(hctx);
return res == 1 ? 0 : -1;
#endif /* OpenSSL version >= 3.0 */
}
static int
hpke_labeled_expand(struct hpke_context *ctx, bool kem, const u8 *prk,
const char *label, const u8 *info, size_t info_len,
u8 *out, size_t out_len)
{
u8 suite_id[10];
size_t suite_id_len;
u8 hash[HPKE_MAX_HASH_LEN];
u8 iter = 0;
size_t label_len = os_strlen(label);
u8 *pos;
size_t left = out_len, clen;
int res = -1;
u8 *labeled_info;
size_t labeled_info_len;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_MAC *hmac;
OSSL_PARAM params[2];
EVP_MAC_CTX *hctx = NULL;
size_t mdlen;
#else /* OpenSSL version >= 3.0 */
HMAC_CTX *hctx;
unsigned int mdlen;
#endif /* OpenSSL version >= 3.0 */
/* labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
* label, info)
* return Expand(prk, labeled_info, L) */
suite_id_len = hpke_suite_id(ctx, kem, suite_id);
labeled_info_len = 2 + 7 + suite_id_len + label_len + info_len;
labeled_info = os_malloc(labeled_info_len);
if (!labeled_info)
return -1;
pos = labeled_info;
WPA_PUT_BE16(pos, out_len);
pos += 2;
os_memcpy(pos, "HPKE-v1", 7);
pos += 7;
os_memcpy(pos, suite_id, suite_id_len);
pos += suite_id_len;
os_memcpy(pos, label, label_len);
pos += label_len;
if (info && info_len)
os_memcpy(pos, info, info_len);
pos = out;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
if (!hmac)
return -1;
params[0] = OSSL_PARAM_construct_utf8_string(
"digest",
(char *) EVP_MD_get0_name(kem ? ctx->kem_h : ctx->kdf_h), 0);
params[1] = OSSL_PARAM_construct_end();
#else /* OpenSSL version >= 3.0 */
hctx = HMAC_CTX_new();
if (!hctx)
return -1;
#endif /* OpenSSL version >= 3.0 */
while (left > 0) {
mdlen = kem ? ctx->kem_n_h : ctx->n_h;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_MAC_CTX_free(hctx);
hctx = EVP_MAC_CTX_new(hmac);
if (!hctx)
return -1;
if (EVP_MAC_init(hctx, prk, mdlen, params) != 1)
goto fail;
if (iter > 0 && EVP_MAC_update(hctx, hash, mdlen) != 1)
goto fail;
if (iter == 255)
goto fail;
iter++;
if (EVP_MAC_update(hctx, labeled_info, labeled_info_len) != 1 ||
EVP_MAC_update(hctx, &iter, sizeof(iter)) != 1)
goto fail;
if (EVP_MAC_final(hctx, hash, &mdlen, mdlen) != 1)
goto fail;
#else /* OpenSSL version >= 3.0 */
if (HMAC_Init_ex(hctx, prk, mdlen,
kem ? ctx->kem_h : ctx->kdf_h,
NULL) != 1)
goto fail;
if (iter > 0)
HMAC_Update(hctx, hash, mdlen);
if (iter == 255)
goto fail;
iter++;
HMAC_Update(hctx, labeled_info, labeled_info_len);
HMAC_Update(hctx, &iter, sizeof(iter));
if (HMAC_Final(hctx, hash, &mdlen) != 1)
goto fail;
HMAC_CTX_reset(hctx);
#endif /* OpenSSL version >= 3.0 */
clen = left > mdlen ? mdlen : left;
os_memcpy(pos, hash, clen);
pos += clen;
left -= clen;
}
res = 0;
fail:
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_MAC_free(hmac);
EVP_MAC_CTX_free(hctx);
#else /* OpenSSL version >= 3.0 */
HMAC_CTX_free(hctx);
#endif /* OpenSSL version >= 3.0 */
os_free(labeled_info);
return res;
}
static int hpke_extract_and_expand(struct hpke_context *ctx,
const u8 *dhss, size_t dhss_len,
const u8 *enc, size_t enc_len,
const u8 *pk_rm, size_t pk_rm_len,
u8 *shared_secret)
{
u8 kem_context[2 * HPKE_MAX_PUB_LEN];
u8 eae_prk[HPKE_MAX_HASH_LEN];
/* eae_prk = LabeledExtract("", "eae_prk", dh) */
if (hpke_labeled_extract(ctx, true, NULL, 0, "eae_prk", dhss, dhss_len,
eae_prk) < 0)
return -1;
if (enc_len > HPKE_MAX_PUB_LEN || pk_rm_len > HPKE_MAX_PUB_LEN)
return -1;
/* kem_context = concat(enc, pkRm) */
os_memcpy(kem_context, enc, enc_len);
os_memcpy(&kem_context[enc_len], pk_rm, pk_rm_len);
/* shared_secret = LabeledExpand(eae_prk, "shared_secret",
* kem_context, Nsecret) */
if (hpke_labeled_expand(ctx, true, eae_prk, "shared_secret",
kem_context, enc_len + pk_rm_len,
shared_secret, ctx->n_secret) < 0)
return -1;
forced_memzero(eae_prk, sizeof(eae_prk));
return 0;
}
static int hpke_key_schedule(struct hpke_context *ctx, const u8 *shared_secret,
const u8 *info, size_t info_len)
{
u8 key_schedule_context[1 + 2 * HPKE_MAX_HASH_LEN];
u8 secret[HPKE_MAX_HASH_LEN];
int res = -1;
/* key_schedule_context = concat(mode, psk_id_hash, info_hash) */
key_schedule_context[0] = HPKE_MODE_BASE;
/* psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id) */
if (hpke_labeled_extract(ctx, false, NULL, 0, "psk_id_hash",
NULL, 0, &key_schedule_context[1]) < 0)
goto fail;
/* info_hash = LabeledExtract("", "info_hash", info) */
if (hpke_labeled_extract(ctx, false, NULL, 0, "info_hash",
info, info_len,
&key_schedule_context[1 + ctx->n_h]) < 0)
goto fail;
/* secret = LabeledExtract(shared_secret, "secret", psk) */
if (hpke_labeled_extract(ctx, false, shared_secret, ctx->n_secret,
"secret", NULL, 0, secret) < 0)
goto fail;
/* key = LabeledExpand(secret, "key", key_schedule_context, Nk) */
if (hpke_labeled_expand(ctx, false, secret, "key",
key_schedule_context, 1 + 2 * ctx->n_h,
ctx->key, ctx->n_k) < 0)
goto fail;
/* base_nonce = LabeledExpand(secret, "base_nonce",
* key_schedule_context, Nn) */
if (hpke_labeled_expand(ctx, false, secret, "base_nonce",
key_schedule_context, 1 + 2 * ctx->n_h,
ctx->base_nonce, ctx->n_n) < 0)
goto fail;
res = 0;
fail:
forced_memzero(key_schedule_context, sizeof(key_schedule_context));
forced_memzero(secret, sizeof(secret));
return res;
}
static int hpke_encap(struct hpke_context *ctx, struct crypto_ec_key *pk_r,
u8 *shared_secret, u8 *enc)
{
EVP_PKEY_CTX *pctx = NULL;
struct crypto_ec_key *sk_e;
int res = -1;
u8 *dhss = NULL;
size_t dhss_len = 0;
struct wpabuf *enc_buf = NULL, *pk_rm = NULL;
/* skE, pkE = GenerateKeyPair() */
sk_e = crypto_ec_key_gen(ctx->iana_group);
if (!sk_e) {
wpa_printf(MSG_INFO, "OpenSSL:%s:Could not generate key pair",
__func__);
goto fail;
}
/* dh = DH(skE, pkR) */
dhss_len = sizeof(dhss);
pctx = EVP_PKEY_CTX_new((EVP_PKEY *) sk_e, NULL);
if (!pctx ||
EVP_PKEY_derive_init(pctx) != 1 ||
EVP_PKEY_derive_set_peer(pctx, (EVP_PKEY *) pk_r) != 1 ||
EVP_PKEY_derive(pctx, NULL, &dhss_len) != 1 ||
!(dhss = os_malloc(dhss_len)) ||
EVP_PKEY_derive(pctx, dhss, &dhss_len) != 1 ||
dhss_len > HPKE_MAX_SHARED_SECRET_LEN) {
wpa_printf(MSG_INFO,
"OpenSSL: hpke_encap: EVP_PKEY_derive failed (dhss_len=%zu): %s",
dhss_len, ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
/* enc = SerializePublicKey(pkE) */
enc_buf = crypto_ec_key_get_pubkey_point(sk_e, 1);
if (!enc_buf)
goto fail;
os_memcpy(enc, wpabuf_head(enc_buf), wpabuf_len(enc_buf));
/* pkRm = SerializePublicKey(pkR) */
pk_rm = crypto_ec_key_get_pubkey_point(pk_r, 1);
if (!pk_rm)
goto fail;
/* kem_context = concat(enc, pkRm) */
/* shared_secret = ExtractAndExpand(dh, kem_context) */
/* return shared_secret, enc */
res = hpke_extract_and_expand(ctx, dhss, dhss_len, enc, ctx->n_pk,
wpabuf_head(pk_rm),
wpabuf_len(pk_rm), shared_secret);
fail:
bin_clear_free(dhss, dhss_len);
crypto_ec_key_deinit(sk_e);
EVP_PKEY_CTX_free(pctx);
wpabuf_free(enc_buf);
wpabuf_free(pk_rm);
return res;
}
static struct wpabuf *
hpke_aead_seal(struct hpke_context *ctx, const u8 *aad, size_t aad_len,
const u8 *pt, size_t pt_len)
{
EVP_CIPHER_CTX *cctx;
int len = 0;
struct wpabuf *ct = NULL;
/* No need to xor in sequence number since we support only the
* single-shot API, i.e., base_nonce can be used as-is. */
cctx = EVP_CIPHER_CTX_new();
if (!cctx ||
EVP_EncryptInit_ex(cctx, ctx->cipher, NULL, ctx->key,
ctx->base_nonce) != 1) {
wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptInit_ex failed",
__func__);
goto fail;
}
if (aad && aad_len &&
EVP_EncryptUpdate(cctx, NULL, &len, aad, aad_len) != 1) {
wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_EncryptUpdate(AAD) failed",
__func__);
goto fail;
}
ct = wpabuf_alloc(pt_len + AES_BLOCK_SIZE + ctx->n_t);
if (!ct)
goto fail;
if (EVP_EncryptUpdate(cctx, wpabuf_put(ct, 0), &len, pt, pt_len) != 1) {
wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_EncryptUpdate failed",
__func__);
goto fail;
}
wpabuf_put(ct, len);
if (EVP_EncryptFinal(cctx, wpabuf_put(ct, 0), &len) != 1) {
wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptFinal failed",
__func__);
wpabuf_free(ct);
ct = NULL;
goto fail;
}
if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_GET_TAG, ctx->n_t,
wpabuf_put(ct, ctx->n_t)) != 1) {
wpa_printf(MSG_INFO, "OpenSSL:%s:Could not get tag",
__func__);
wpabuf_free(ct);
ct = NULL;
goto fail;
}
fail:
EVP_CIPHER_CTX_free(cctx);
return ct;
}
struct wpabuf * hpke_base_seal(enum hpke_kem_id kem_id,
enum hpke_kdf_id kdf_id,
enum hpke_aead_id aead_id,
struct crypto_ec_key *peer_pub,
const u8 *info, size_t info_len,
const u8 *aad, size_t aad_len,
const u8 *pt, size_t pt_len)
{
struct hpke_context *ctx;
u8 shared_secret[HPKE_MAX_SHARED_SECRET_LEN];
u8 enc[1 + 2 * HPKE_MAX_PUB_LEN];
struct wpabuf *ct = NULL, *enc_ct = NULL;
ctx = hpke_get_context(kem_id, kdf_id, aead_id, peer_pub);
if (!ctx)
return NULL;
/* shared_secret, enc = Encap(pkR) */
if (hpke_encap(ctx, peer_pub, shared_secret, enc) < 0)
goto fail;
/* KeyScheduleS(mode_base, shared_secret, info,
* default_psk, default_psk_id) */
if (hpke_key_schedule(ctx, shared_secret, info, info_len) < 0)
goto fail;
/* ct = ctx.Seal(aad, pt) */
ct = hpke_aead_seal(ctx, aad, aad_len, pt, pt_len);
if (!ct)
goto fail;
/* return enc, ct */
enc_ct = wpabuf_alloc(ctx->n_pk + wpabuf_len(ct));
if (!enc_ct)
goto fail;
wpabuf_put_data(enc_ct, enc, ctx->n_pk);
wpabuf_put_buf(enc_ct, ct);
fail:
forced_memzero(shared_secret, sizeof(shared_secret));
hpke_free_context(ctx);
wpabuf_free(ct);
return enc_ct;
}
static int hpke_decap(struct hpke_context *ctx, const u8 *enc,
size_t enc_ct_len, struct crypto_ec_key *sk_r,
u8 *shared_secret)
{
EVP_PKEY_CTX *pctx = NULL;
struct wpabuf *pk_rm = NULL;
size_t len;
int res = -1;
struct crypto_ec_key *pk_e = NULL;
u8 *dhss = NULL;
size_t dhss_len = 0;
/* pkE = DeserializePublicKey(enc) */
if (enc_ct_len < ctx->n_pk)
return -1; /* not enough room for enc */
if (enc[0] != 0x04)
return -1; /* not in uncompressed form */
len = (ctx->n_pk - 1) / 2;
pk_e = crypto_ec_key_set_pub(ctx->iana_group, &enc[1],
&enc[1 + len], len);
if (!pk_e)
return -1; /* invalid public key point */
/* dh = DH(skR, pkE) */
pctx = EVP_PKEY_CTX_new((EVP_PKEY *) sk_r, NULL);
if (!pctx ||
EVP_PKEY_derive_init(pctx) != 1 ||
EVP_PKEY_derive_set_peer(pctx, (EVP_PKEY *) pk_e) != 1 ||
EVP_PKEY_derive(pctx, NULL, &dhss_len) != 1 ||
!(dhss = os_malloc(dhss_len)) ||
EVP_PKEY_derive(pctx, dhss, &dhss_len) != 1 ||
dhss_len > HPKE_MAX_SHARED_SECRET_LEN) {
wpa_printf(MSG_INFO,
"OpenSSL: hpke_decap: EVP_PKEY_derive failed (dhss_len=%zu): %s",
dhss_len, ERR_error_string(ERR_get_error(), NULL));
goto fail;
}
/* pkRm = SerializePublicKey(pk(skR)) */
pk_rm = crypto_ec_key_get_pubkey_point(sk_r, 1);
if (!pk_rm)
goto fail;
/* kem_context = concat(enc, pkRm) */
/* shared_secret = ExtractAndExpand(dh, kem_context) */
res = hpke_extract_and_expand(ctx, dhss, dhss_len, enc, ctx->n_pk,
wpabuf_head(pk_rm),
wpabuf_len(pk_rm), shared_secret);
fail:
bin_clear_free(dhss, dhss_len);
crypto_ec_key_deinit(pk_e);
EVP_PKEY_CTX_free(pctx);
wpabuf_free(pk_rm);
return res;
}
static struct wpabuf *
hpke_aead_open(struct hpke_context *ctx, const u8 *aad, size_t aad_len,
const u8 *ct, size_t ct_len)
{
EVP_CIPHER_CTX *cctx;
int len = 0;
const u8 *tag;
struct wpabuf *pt = NULL;
if (ct_len < ctx->n_t)
return NULL;
tag = ct + ct_len - ctx->n_t;
ct_len -= ctx->n_t;
/* No need to xor in sequence number since we support only the
* single-shot API, i.e., base_nonce can be used as-is. */
cctx = EVP_CIPHER_CTX_new();
if (!cctx ||
EVP_DecryptInit_ex(cctx, ctx->cipher, NULL, ctx->key,
ctx->base_nonce) != 1) {
wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptInit_ex failed",
__func__);
goto fail;
}
if (aad && aad_len &&
EVP_DecryptUpdate(cctx, NULL, &len, aad, aad_len) != 1) {
wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptUpdate(AAD) failed",
__func__);
goto fail;
}
pt = wpabuf_alloc(ct_len + AES_BLOCK_SIZE);
if (!pt)
goto fail;
if (EVP_DecryptUpdate(cctx, wpabuf_put(pt, 0), &len, ct, ct_len) != 1) {
wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptUpdate failed",
__func__);
goto fail;
}
wpabuf_put(pt, len);
if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_SET_TAG, ctx->n_t,
(void *) tag) != 1) {
wpa_printf(MSG_INFO, "OpenSSL:%s:Could not set tag",
__func__);
wpabuf_free(pt);
pt = NULL;
goto fail;
}
if (EVP_DecryptFinal(cctx, wpabuf_put(pt, 0), &len) != 1) {
wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptFinal failed",
__func__);
wpabuf_free(pt);
pt = NULL;
}
fail:
EVP_CIPHER_CTX_free(cctx);
return pt;
}
struct wpabuf * hpke_base_open(enum hpke_kem_id kem_id,
enum hpke_kdf_id kdf_id,
enum hpke_aead_id aead_id,
struct crypto_ec_key *own_priv,
const u8 *info, size_t info_len,
const u8 *aad, size_t aad_len,
const u8 *enc_ct, size_t enc_ct_len)
{
struct hpke_context *ctx;
u8 shared_secret[HPKE_MAX_SHARED_SECRET_LEN];
struct wpabuf *pt = NULL;
ctx = hpke_get_context(kem_id, kdf_id, aead_id, own_priv);
if (!ctx)
return NULL;
/* shared_secret = Decap(enc, skR) */
if (hpke_decap(ctx, enc_ct, enc_ct_len, own_priv, shared_secret) < 0)
goto fail;
/* KeyScheduleR(mode_base, shared_secret, info,
* default_psk, default_psk_id) */
if (hpke_key_schedule(ctx, shared_secret, info, info_len) < 0)
goto fail;
/* return ctx.Open(aad, ct) */
pt = hpke_aead_open(ctx, aad, aad_len,
&enc_ct[ctx->n_pk], enc_ct_len - ctx->n_pk);
fail:
forced_memzero(shared_secret, sizeof(shared_secret));
hpke_free_context(ctx);
return pt;
}
#endif /* CONFIG_DPP3 */
void crypto_unload(void)
{
openssl_unload_legacy_provider();
}