1/*
2 * Wrapper functions for OpenSSL libcrypto
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10#include <openssl/opensslv.h>
11#include <openssl/err.h>
12#include <openssl/des.h>
13#include <openssl/aes.h>
14#include <openssl/bn.h>
15#include <openssl/evp.h>
16#include <openssl/dh.h>
17#include <openssl/hmac.h>
18#include <openssl/rand.h>
19#ifdef CONFIG_OPENSSL_CMAC
20#include <openssl/cmac.h>
21#endif /* CONFIG_OPENSSL_CMAC */
22#ifdef CONFIG_ECC
23#include <openssl/ec.h>
24#endif /* CONFIG_ECC */
25
26#include "common.h"
27#include "wpabuf.h"
28#include "dh_group5.h"
29#include "sha1.h"
30#include "sha256.h"
31#include "sha384.h"
32#include "crypto.h"
33
34#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
35/* Compatibility wrappers for older versions. */
36
37static HMAC_CTX * HMAC_CTX_new(void)
38{
39	HMAC_CTX *ctx;
40
41	ctx = os_zalloc(sizeof(*ctx));
42	if (ctx)
43		HMAC_CTX_init(ctx);
44	return ctx;
45}
46
47
48static void HMAC_CTX_free(HMAC_CTX *ctx)
49{
50	HMAC_CTX_cleanup(ctx);
51	bin_clear_free(ctx, sizeof(*ctx));
52}
53
54
55static EVP_MD_CTX * EVP_MD_CTX_new(void)
56{
57	EVP_MD_CTX *ctx;
58
59	ctx = os_zalloc(sizeof(*ctx));
60	if (ctx)
61		EVP_MD_CTX_init(ctx);
62	return ctx;
63}
64
65
66static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
67{
68	bin_clear_free(ctx, sizeof(*ctx));
69}
70
71#endif /* OpenSSL version < 1.1.0 */
72
73static BIGNUM * get_group5_prime(void)
74{
75#ifdef OPENSSL_IS_BORINGSSL
76	static const unsigned char RFC3526_PRIME_1536[] = {
77		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
78		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
79		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
80		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
81		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
82		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
83		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
84		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
85		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
86		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
87		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
88		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
89		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
90		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
91		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
92		0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
93	};
94        return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
95#else /* OPENSSL_IS_BORINGSSL */
96	return get_rfc3526_prime_1536(NULL);
97#endif /* OPENSSL_IS_BORINGSSL */
98}
99
100#ifdef OPENSSL_NO_SHA256
101#define NO_SHA256_WRAPPER
102#endif
103
104static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
105				 const u8 *addr[], const size_t *len, u8 *mac)
106{
107	EVP_MD_CTX *ctx;
108	size_t i;
109	unsigned int mac_len;
110
111	if (TEST_FAIL())
112		return -1;
113
114	ctx = EVP_MD_CTX_new();
115	if (!ctx)
116		return -1;
117	if (!EVP_DigestInit_ex(ctx, type, NULL)) {
118		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
119			   ERR_error_string(ERR_get_error(), NULL));
120		EVP_MD_CTX_free(ctx);
121		return -1;
122	}
123	for (i = 0; i < num_elem; i++) {
124		if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
125			wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
126				   "failed: %s",
127				   ERR_error_string(ERR_get_error(), NULL));
128			EVP_MD_CTX_free(ctx);
129			return -1;
130		}
131	}
132	if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
133		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
134			   ERR_error_string(ERR_get_error(), NULL));
135		EVP_MD_CTX_free(ctx);
136		return -1;
137	}
138	EVP_MD_CTX_free(ctx);
139
140	return 0;
141}
142
143
144#ifndef CONFIG_FIPS
145int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
146{
147	return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
148}
149#endif /* CONFIG_FIPS */
150
151
152void des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
153{
154	u8 pkey[8], next, tmp;
155	int i;
156	DES_key_schedule ks;
157
158	/* Add parity bits to the key */
159	next = 0;
160	for (i = 0; i < 7; i++) {
161		tmp = key[i];
162		pkey[i] = (tmp >> i) | next | 1;
163		next = tmp << (7 - i);
164	}
165	pkey[i] = next | 1;
166
167	DES_set_key((DES_cblock *) &pkey, &ks);
168	DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks,
169			DES_ENCRYPT);
170}
171
172
173#ifndef CONFIG_NO_RC4
174int rc4_skip(const u8 *key, size_t keylen, size_t skip,
175	     u8 *data, size_t data_len)
176{
177#ifdef OPENSSL_NO_RC4
178	return -1;
179#else /* OPENSSL_NO_RC4 */
180	EVP_CIPHER_CTX *ctx;
181	int outl;
182	int res = -1;
183	unsigned char skip_buf[16];
184
185	ctx = EVP_CIPHER_CTX_new();
186	if (!ctx ||
187	    !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
188	    !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
189	    !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
190	    !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
191		goto out;
192
193	while (skip >= sizeof(skip_buf)) {
194		size_t len = skip;
195		if (len > sizeof(skip_buf))
196			len = sizeof(skip_buf);
197		if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
198			goto out;
199		skip -= len;
200	}
201
202	if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
203		res = 0;
204
205out:
206	if (ctx)
207		EVP_CIPHER_CTX_free(ctx);
208	return res;
209#endif /* OPENSSL_NO_RC4 */
210}
211#endif /* CONFIG_NO_RC4 */
212
213
214#ifndef CONFIG_FIPS
215int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
216{
217	return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
218}
219#endif /* CONFIG_FIPS */
220
221
222int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
223{
224	return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
225}
226
227
228#ifndef NO_SHA256_WRAPPER
229int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
230		  u8 *mac)
231{
232	return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
233}
234#endif /* NO_SHA256_WRAPPER */
235
236
237static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
238{
239	switch (keylen) {
240	case 16:
241		return EVP_aes_128_ecb();
242#ifndef OPENSSL_IS_BORINGSSL
243	case 24:
244		return EVP_aes_192_ecb();
245#endif /* OPENSSL_IS_BORINGSSL */
246	case 32:
247		return EVP_aes_256_ecb();
248	}
249
250	return NULL;
251}
252
253
254void * aes_encrypt_init(const u8 *key, size_t len)
255{
256	EVP_CIPHER_CTX *ctx;
257	const EVP_CIPHER *type;
258
259	if (TEST_FAIL())
260		return NULL;
261
262	type = aes_get_evp_cipher(len);
263	if (type == NULL)
264		return NULL;
265
266	ctx = EVP_CIPHER_CTX_new();
267	if (ctx == NULL)
268		return NULL;
269	if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
270		os_free(ctx);
271		return NULL;
272	}
273	EVP_CIPHER_CTX_set_padding(ctx, 0);
274	return ctx;
275}
276
277
278void aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
279{
280	EVP_CIPHER_CTX *c = ctx;
281	int clen = 16;
282	if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
283		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
284			   ERR_error_string(ERR_get_error(), NULL));
285	}
286}
287
288
289void aes_encrypt_deinit(void *ctx)
290{
291	EVP_CIPHER_CTX *c = ctx;
292	u8 buf[16];
293	int len = sizeof(buf);
294	if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
295		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
296			   "%s", ERR_error_string(ERR_get_error(), NULL));
297	}
298	if (len != 0) {
299		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
300			   "in AES encrypt", len);
301	}
302	EVP_CIPHER_CTX_free(c);
303}
304
305
306void * aes_decrypt_init(const u8 *key, size_t len)
307{
308	EVP_CIPHER_CTX *ctx;
309	const EVP_CIPHER *type;
310
311	if (TEST_FAIL())
312		return NULL;
313
314	type = aes_get_evp_cipher(len);
315	if (type == NULL)
316		return NULL;
317
318	ctx = EVP_CIPHER_CTX_new();
319	if (ctx == NULL)
320		return NULL;
321	if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
322		EVP_CIPHER_CTX_free(ctx);
323		return NULL;
324	}
325	EVP_CIPHER_CTX_set_padding(ctx, 0);
326	return ctx;
327}
328
329
330void aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
331{
332	EVP_CIPHER_CTX *c = ctx;
333	int plen = 16;
334	if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
335		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
336			   ERR_error_string(ERR_get_error(), NULL));
337	}
338}
339
340
341void aes_decrypt_deinit(void *ctx)
342{
343	EVP_CIPHER_CTX *c = ctx;
344	u8 buf[16];
345	int len = sizeof(buf);
346	if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
347		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
348			   "%s", ERR_error_string(ERR_get_error(), NULL));
349	}
350	if (len != 0) {
351		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
352			   "in AES decrypt", len);
353	}
354	EVP_CIPHER_CTX_free(c);
355}
356
357
358#ifndef CONFIG_FIPS
359#ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
360
361int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
362{
363	AES_KEY actx;
364	int res;
365
366	if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
367		return -1;
368	res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
369	OPENSSL_cleanse(&actx, sizeof(actx));
370	return res <= 0 ? -1 : 0;
371}
372
373
374int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
375	       u8 *plain)
376{
377	AES_KEY actx;
378	int res;
379
380	if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
381		return -1;
382	res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
383	OPENSSL_cleanse(&actx, sizeof(actx));
384	return res <= 0 ? -1 : 0;
385}
386
387#endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
388#endif /* CONFIG_FIPS */
389
390
391int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
392{
393	EVP_CIPHER_CTX *ctx;
394	int clen, len;
395	u8 buf[16];
396	int res = -1;
397
398	if (TEST_FAIL())
399		return -1;
400
401	ctx = EVP_CIPHER_CTX_new();
402	if (!ctx)
403		return -1;
404	clen = data_len;
405	len = sizeof(buf);
406	if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
407	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
408	    EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
409	    clen == (int) data_len &&
410	    EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
411		res = 0;
412	EVP_CIPHER_CTX_free(ctx);
413
414	return res;
415}
416
417
418int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
419{
420	EVP_CIPHER_CTX *ctx;
421	int plen, len;
422	u8 buf[16];
423	int res = -1;
424
425	if (TEST_FAIL())
426		return -1;
427
428	ctx = EVP_CIPHER_CTX_new();
429	if (!ctx)
430		return -1;
431	plen = data_len;
432	len = sizeof(buf);
433	if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
434	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
435	    EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
436	    plen == (int) data_len &&
437	    EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
438		res = 0;
439	EVP_CIPHER_CTX_free(ctx);
440
441	return res;
442
443}
444
445
446int crypto_mod_exp(const u8 *base, size_t base_len,
447		   const u8 *power, size_t power_len,
448		   const u8 *modulus, size_t modulus_len,
449		   u8 *result, size_t *result_len)
450{
451	BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
452	int ret = -1;
453	BN_CTX *ctx;
454
455	ctx = BN_CTX_new();
456	if (ctx == NULL)
457		return -1;
458
459	bn_base = BN_bin2bn(base, base_len, NULL);
460	bn_exp = BN_bin2bn(power, power_len, NULL);
461	bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
462	bn_result = BN_new();
463
464	if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
465	    bn_result == NULL)
466		goto error;
467
468	if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1)
469		goto error;
470
471	*result_len = BN_bn2bin(bn_result, result);
472	ret = 0;
473
474error:
475	BN_clear_free(bn_base);
476	BN_clear_free(bn_exp);
477	BN_clear_free(bn_modulus);
478	BN_clear_free(bn_result);
479	BN_CTX_free(ctx);
480	return ret;
481}
482
483
484struct crypto_cipher {
485	EVP_CIPHER_CTX *enc;
486	EVP_CIPHER_CTX *dec;
487};
488
489
490struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
491					  const u8 *iv, const u8 *key,
492					  size_t key_len)
493{
494	struct crypto_cipher *ctx;
495	const EVP_CIPHER *cipher;
496
497	ctx = os_zalloc(sizeof(*ctx));
498	if (ctx == NULL)
499		return NULL;
500
501	switch (alg) {
502#ifndef CONFIG_NO_RC4
503#ifndef OPENSSL_NO_RC4
504	case CRYPTO_CIPHER_ALG_RC4:
505		cipher = EVP_rc4();
506		break;
507#endif /* OPENSSL_NO_RC4 */
508#endif /* CONFIG_NO_RC4 */
509#ifndef OPENSSL_NO_AES
510	case CRYPTO_CIPHER_ALG_AES:
511		switch (key_len) {
512		case 16:
513			cipher = EVP_aes_128_cbc();
514			break;
515#ifndef OPENSSL_IS_BORINGSSL
516		case 24:
517			cipher = EVP_aes_192_cbc();
518			break;
519#endif /* OPENSSL_IS_BORINGSSL */
520		case 32:
521			cipher = EVP_aes_256_cbc();
522			break;
523		default:
524			os_free(ctx);
525			return NULL;
526		}
527		break;
528#endif /* OPENSSL_NO_AES */
529#ifndef OPENSSL_NO_DES
530	case CRYPTO_CIPHER_ALG_3DES:
531		cipher = EVP_des_ede3_cbc();
532		break;
533	case CRYPTO_CIPHER_ALG_DES:
534		cipher = EVP_des_cbc();
535		break;
536#endif /* OPENSSL_NO_DES */
537#ifndef OPENSSL_NO_RC2
538	case CRYPTO_CIPHER_ALG_RC2:
539		cipher = EVP_rc2_ecb();
540		break;
541#endif /* OPENSSL_NO_RC2 */
542	default:
543		os_free(ctx);
544		return NULL;
545	}
546
547	if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
548	    !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
549	    !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
550	    !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
551	    !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
552		if (ctx->enc)
553			EVP_CIPHER_CTX_free(ctx->enc);
554		os_free(ctx);
555		return NULL;
556	}
557
558	if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
559	    !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
560	    !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
561	    !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
562	    !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
563		EVP_CIPHER_CTX_free(ctx->enc);
564		if (ctx->dec)
565			EVP_CIPHER_CTX_free(ctx->dec);
566		os_free(ctx);
567		return NULL;
568	}
569
570	return ctx;
571}
572
573
574int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
575			  u8 *crypt, size_t len)
576{
577	int outl;
578	if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
579		return -1;
580	return 0;
581}
582
583
584int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
585			  u8 *plain, size_t len)
586{
587	int outl;
588	outl = len;
589	if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
590		return -1;
591	return 0;
592}
593
594
595void crypto_cipher_deinit(struct crypto_cipher *ctx)
596{
597	EVP_CIPHER_CTX_free(ctx->enc);
598	EVP_CIPHER_CTX_free(ctx->dec);
599	os_free(ctx);
600}
601
602
603void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
604{
605	DH *dh;
606	struct wpabuf *pubkey = NULL, *privkey = NULL;
607	size_t publen, privlen;
608
609	*priv = NULL;
610	*publ = NULL;
611
612	dh = DH_new();
613	if (dh == NULL)
614		return NULL;
615
616	dh->g = BN_new();
617	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
618		goto err;
619
620	dh->p = get_group5_prime();
621	if (dh->p == NULL)
622		goto err;
623
624	if (DH_generate_key(dh) != 1)
625		goto err;
626
627	publen = BN_num_bytes(dh->pub_key);
628	pubkey = wpabuf_alloc(publen);
629	if (pubkey == NULL)
630		goto err;
631	privlen = BN_num_bytes(dh->priv_key);
632	privkey = wpabuf_alloc(privlen);
633	if (privkey == NULL)
634		goto err;
635
636	BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
637	BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
638
639	*priv = privkey;
640	*publ = pubkey;
641	return dh;
642
643err:
644	wpabuf_clear_free(pubkey);
645	wpabuf_clear_free(privkey);
646	DH_free(dh);
647	return NULL;
648}
649
650
651void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
652{
653	DH *dh;
654
655	dh = DH_new();
656	if (dh == NULL)
657		return NULL;
658
659	dh->g = BN_new();
660	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
661		goto err;
662
663	dh->p = get_group5_prime();
664	if (dh->p == NULL)
665		goto err;
666
667	dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
668	if (dh->priv_key == NULL)
669		goto err;
670
671	dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
672	if (dh->pub_key == NULL)
673		goto err;
674
675	if (DH_generate_key(dh) != 1)
676		goto err;
677
678	return dh;
679
680err:
681	DH_free(dh);
682	return NULL;
683}
684
685
686struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
687				  const struct wpabuf *own_private)
688{
689	BIGNUM *pub_key;
690	struct wpabuf *res = NULL;
691	size_t rlen;
692	DH *dh = ctx;
693	int keylen;
694
695	if (ctx == NULL)
696		return NULL;
697
698	pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
699			    NULL);
700	if (pub_key == NULL)
701		return NULL;
702
703	rlen = DH_size(dh);
704	res = wpabuf_alloc(rlen);
705	if (res == NULL)
706		goto err;
707
708	keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
709	if (keylen < 0)
710		goto err;
711	wpabuf_put(res, keylen);
712	BN_clear_free(pub_key);
713
714	return res;
715
716err:
717	BN_clear_free(pub_key);
718	wpabuf_clear_free(res);
719	return NULL;
720}
721
722
723void dh5_free(void *ctx)
724{
725	DH *dh;
726	if (ctx == NULL)
727		return;
728	dh = ctx;
729	DH_free(dh);
730}
731
732
733struct crypto_hash {
734	HMAC_CTX *ctx;
735};
736
737
738struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
739				      size_t key_len)
740{
741	struct crypto_hash *ctx;
742	const EVP_MD *md;
743
744	switch (alg) {
745#ifndef OPENSSL_NO_MD5
746	case CRYPTO_HASH_ALG_HMAC_MD5:
747		md = EVP_md5();
748		break;
749#endif /* OPENSSL_NO_MD5 */
750#ifndef OPENSSL_NO_SHA
751	case CRYPTO_HASH_ALG_HMAC_SHA1:
752		md = EVP_sha1();
753		break;
754#endif /* OPENSSL_NO_SHA */
755#ifndef OPENSSL_NO_SHA256
756#ifdef CONFIG_SHA256
757	case CRYPTO_HASH_ALG_HMAC_SHA256:
758		md = EVP_sha256();
759		break;
760#endif /* CONFIG_SHA256 */
761#endif /* OPENSSL_NO_SHA256 */
762	default:
763		return NULL;
764	}
765
766	ctx = os_zalloc(sizeof(*ctx));
767	if (ctx == NULL)
768		return NULL;
769	ctx->ctx = HMAC_CTX_new();
770	if (!ctx->ctx) {
771		os_free(ctx);
772		return NULL;
773	}
774
775	if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
776		HMAC_CTX_free(ctx->ctx);
777		bin_clear_free(ctx, sizeof(*ctx));
778		return NULL;
779	}
780
781	return ctx;
782}
783
784
785void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
786{
787	if (ctx == NULL)
788		return;
789	HMAC_Update(ctx->ctx, data, len);
790}
791
792
793int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
794{
795	unsigned int mdlen;
796	int res;
797
798	if (ctx == NULL)
799		return -2;
800
801	if (mac == NULL || len == NULL) {
802		HMAC_CTX_free(ctx->ctx);
803		bin_clear_free(ctx, sizeof(*ctx));
804		return 0;
805	}
806
807	mdlen = *len;
808	res = HMAC_Final(ctx->ctx, mac, &mdlen);
809	HMAC_CTX_free(ctx->ctx);
810	bin_clear_free(ctx, sizeof(*ctx));
811
812	if (res == 1) {
813		*len = mdlen;
814		return 0;
815	}
816
817	return -1;
818}
819
820
821static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
822			       size_t key_len, size_t num_elem,
823			       const u8 *addr[], const size_t *len, u8 *mac,
824			       unsigned int mdlen)
825{
826	HMAC_CTX *ctx;
827	size_t i;
828	int res;
829
830	if (TEST_FAIL())
831		return -1;
832
833	ctx = HMAC_CTX_new();
834	if (!ctx)
835		return -1;
836	res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
837	if (res != 1)
838		goto done;
839
840	for (i = 0; i < num_elem; i++)
841		HMAC_Update(ctx, addr[i], len[i]);
842
843	res = HMAC_Final(ctx, mac, &mdlen);
844done:
845	HMAC_CTX_free(ctx);
846
847	return res == 1 ? 0 : -1;
848}
849
850
851#ifndef CONFIG_FIPS
852
853int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
854		    const u8 *addr[], const size_t *len, u8 *mac)
855{
856	return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
857				   mac, 16);
858}
859
860
861int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
862	     u8 *mac)
863{
864	return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
865}
866
867#endif /* CONFIG_FIPS */
868
869
870int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
871		int iterations, u8 *buf, size_t buflen)
872{
873	if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
874				   ssid_len, iterations, buflen, buf) != 1)
875		return -1;
876	return 0;
877}
878
879
880int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
881		     const u8 *addr[], const size_t *len, u8 *mac)
882{
883	return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
884				   len, mac, 20);
885}
886
887
888int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
889	       u8 *mac)
890{
891	return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
892}
893
894
895#ifdef CONFIG_SHA256
896
897int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
898		       const u8 *addr[], const size_t *len, u8 *mac)
899{
900	return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
901				   len, mac, 32);
902}
903
904
905int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
906		size_t data_len, u8 *mac)
907{
908	return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
909}
910
911#endif /* CONFIG_SHA256 */
912
913
914#ifdef CONFIG_SHA384
915
916int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
917		       const u8 *addr[], const size_t *len, u8 *mac)
918{
919	return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
920				   len, mac, 32);
921}
922
923
924int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
925		size_t data_len, u8 *mac)
926{
927	return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
928}
929
930#endif /* CONFIG_SHA384 */
931
932
933int crypto_get_random(void *buf, size_t len)
934{
935	if (RAND_bytes(buf, len) != 1)
936		return -1;
937	return 0;
938}
939
940
941#ifdef CONFIG_OPENSSL_CMAC
942int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
943		     const u8 *addr[], const size_t *len, u8 *mac)
944{
945	CMAC_CTX *ctx;
946	int ret = -1;
947	size_t outlen, i;
948
949	if (TEST_FAIL())
950		return -1;
951
952	ctx = CMAC_CTX_new();
953	if (ctx == NULL)
954		return -1;
955
956	if (key_len == 32) {
957		if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
958			goto fail;
959	} else if (key_len == 16) {
960		if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
961			goto fail;
962	} else {
963		goto fail;
964	}
965	for (i = 0; i < num_elem; i++) {
966		if (!CMAC_Update(ctx, addr[i], len[i]))
967			goto fail;
968	}
969	if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
970		goto fail;
971
972	ret = 0;
973fail:
974	CMAC_CTX_free(ctx);
975	return ret;
976}
977
978
979int omac1_aes_128_vector(const u8 *key, size_t num_elem,
980			 const u8 *addr[], const size_t *len, u8 *mac)
981{
982	return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
983}
984
985
986int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
987{
988	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
989}
990
991
992int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
993{
994	return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
995}
996#endif /* CONFIG_OPENSSL_CMAC */
997
998
999struct crypto_bignum * crypto_bignum_init(void)
1000{
1001	if (TEST_FAIL())
1002		return NULL;
1003	return (struct crypto_bignum *) BN_new();
1004}
1005
1006
1007struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
1008{
1009	BIGNUM *bn;
1010
1011	if (TEST_FAIL())
1012		return NULL;
1013
1014	bn = BN_bin2bn(buf, len, NULL);
1015	return (struct crypto_bignum *) bn;
1016}
1017
1018
1019void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
1020{
1021	if (clear)
1022		BN_clear_free((BIGNUM *) n);
1023	else
1024		BN_free((BIGNUM *) n);
1025}
1026
1027
1028int crypto_bignum_to_bin(const struct crypto_bignum *a,
1029			 u8 *buf, size_t buflen, size_t padlen)
1030{
1031	int num_bytes, offset;
1032
1033	if (TEST_FAIL())
1034		return -1;
1035
1036	if (padlen > buflen)
1037		return -1;
1038
1039	num_bytes = BN_num_bytes((const BIGNUM *) a);
1040	if ((size_t) num_bytes > buflen)
1041		return -1;
1042	if (padlen > (size_t) num_bytes)
1043		offset = padlen - num_bytes;
1044	else
1045		offset = 0;
1046
1047	os_memset(buf, 0, offset);
1048	BN_bn2bin((const BIGNUM *) a, buf + offset);
1049
1050	return num_bytes + offset;
1051}
1052
1053
1054int crypto_bignum_add(const struct crypto_bignum *a,
1055		      const struct crypto_bignum *b,
1056		      struct crypto_bignum *c)
1057{
1058	return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1059		0 : -1;
1060}
1061
1062
1063int crypto_bignum_mod(const struct crypto_bignum *a,
1064		      const struct crypto_bignum *b,
1065		      struct crypto_bignum *c)
1066{
1067	int res;
1068	BN_CTX *bnctx;
1069
1070	bnctx = BN_CTX_new();
1071	if (bnctx == NULL)
1072		return -1;
1073	res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1074		     bnctx);
1075	BN_CTX_free(bnctx);
1076
1077	return res ? 0 : -1;
1078}
1079
1080
1081int crypto_bignum_exptmod(const struct crypto_bignum *a,
1082			  const struct crypto_bignum *b,
1083			  const struct crypto_bignum *c,
1084			  struct crypto_bignum *d)
1085{
1086	int res;
1087	BN_CTX *bnctx;
1088
1089	if (TEST_FAIL())
1090		return -1;
1091
1092	bnctx = BN_CTX_new();
1093	if (bnctx == NULL)
1094		return -1;
1095	res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1096			 (const BIGNUM *) c, bnctx);
1097	BN_CTX_free(bnctx);
1098
1099	return res ? 0 : -1;
1100}
1101
1102
1103int crypto_bignum_inverse(const struct crypto_bignum *a,
1104			  const struct crypto_bignum *b,
1105			  struct crypto_bignum *c)
1106{
1107	BIGNUM *res;
1108	BN_CTX *bnctx;
1109
1110	if (TEST_FAIL())
1111		return -1;
1112	bnctx = BN_CTX_new();
1113	if (bnctx == NULL)
1114		return -1;
1115	res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
1116			     (const BIGNUM *) b, bnctx);
1117	BN_CTX_free(bnctx);
1118
1119	return res ? 0 : -1;
1120}
1121
1122
1123int crypto_bignum_sub(const struct crypto_bignum *a,
1124		      const struct crypto_bignum *b,
1125		      struct crypto_bignum *c)
1126{
1127	if (TEST_FAIL())
1128		return -1;
1129	return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1130		0 : -1;
1131}
1132
1133
1134int crypto_bignum_div(const struct crypto_bignum *a,
1135		      const struct crypto_bignum *b,
1136		      struct crypto_bignum *c)
1137{
1138	int res;
1139
1140	BN_CTX *bnctx;
1141
1142	if (TEST_FAIL())
1143		return -1;
1144
1145	bnctx = BN_CTX_new();
1146	if (bnctx == NULL)
1147		return -1;
1148	res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
1149		     (const BIGNUM *) b, bnctx);
1150	BN_CTX_free(bnctx);
1151
1152	return res ? 0 : -1;
1153}
1154
1155
1156int crypto_bignum_mulmod(const struct crypto_bignum *a,
1157			 const struct crypto_bignum *b,
1158			 const struct crypto_bignum *c,
1159			 struct crypto_bignum *d)
1160{
1161	int res;
1162
1163	BN_CTX *bnctx;
1164
1165	if (TEST_FAIL())
1166		return -1;
1167
1168	bnctx = BN_CTX_new();
1169	if (bnctx == NULL)
1170		return -1;
1171	res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1172			 (const BIGNUM *) c, bnctx);
1173	BN_CTX_free(bnctx);
1174
1175	return res ? 0 : -1;
1176}
1177
1178
1179int crypto_bignum_cmp(const struct crypto_bignum *a,
1180		      const struct crypto_bignum *b)
1181{
1182	return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
1183}
1184
1185
1186int crypto_bignum_bits(const struct crypto_bignum *a)
1187{
1188	return BN_num_bits((const BIGNUM *) a);
1189}
1190
1191
1192int crypto_bignum_is_zero(const struct crypto_bignum *a)
1193{
1194	return BN_is_zero((const BIGNUM *) a);
1195}
1196
1197
1198int crypto_bignum_is_one(const struct crypto_bignum *a)
1199{
1200	return BN_is_one((const BIGNUM *) a);
1201}
1202
1203
1204int crypto_bignum_legendre(const struct crypto_bignum *a,
1205			   const struct crypto_bignum *p)
1206{
1207	BN_CTX *bnctx;
1208	BIGNUM *exp = NULL, *tmp = NULL;
1209	int res = -2;
1210
1211	if (TEST_FAIL())
1212		return -2;
1213
1214	bnctx = BN_CTX_new();
1215	if (bnctx == NULL)
1216		return -2;
1217
1218	exp = BN_new();
1219	tmp = BN_new();
1220	if (!exp || !tmp ||
1221	    /* exp = (p-1) / 2 */
1222	    !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
1223	    !BN_rshift1(exp, exp) ||
1224	    !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p,
1225			bnctx))
1226		goto fail;
1227
1228	if (BN_is_word(tmp, 1))
1229		res = 1;
1230	else if (BN_is_zero(tmp))
1231		res = 0;
1232	else
1233		res = -1;
1234
1235fail:
1236	BN_clear_free(tmp);
1237	BN_clear_free(exp);
1238	BN_CTX_free(bnctx);
1239	return res;
1240}
1241
1242
1243#ifdef CONFIG_ECC
1244
1245struct crypto_ec {
1246	EC_GROUP *group;
1247	BN_CTX *bnctx;
1248	BIGNUM *prime;
1249	BIGNUM *order;
1250	BIGNUM *a;
1251	BIGNUM *b;
1252};
1253
1254struct crypto_ec * crypto_ec_init(int group)
1255{
1256	struct crypto_ec *e;
1257	int nid;
1258
1259	/* Map from IANA registry for IKE D-H groups to OpenSSL NID */
1260	switch (group) {
1261	case 19:
1262		nid = NID_X9_62_prime256v1;
1263		break;
1264	case 20:
1265		nid = NID_secp384r1;
1266		break;
1267	case 21:
1268		nid = NID_secp521r1;
1269		break;
1270	case 25:
1271		nid = NID_X9_62_prime192v1;
1272		break;
1273	case 26:
1274		nid = NID_secp224r1;
1275		break;
1276#ifdef NID_brainpoolP224r1
1277	case 27:
1278		nid = NID_brainpoolP224r1;
1279		break;
1280#endif /* NID_brainpoolP224r1 */
1281#ifdef NID_brainpoolP256r1
1282	case 28:
1283		nid = NID_brainpoolP256r1;
1284		break;
1285#endif /* NID_brainpoolP256r1 */
1286#ifdef NID_brainpoolP384r1
1287	case 29:
1288		nid = NID_brainpoolP384r1;
1289		break;
1290#endif /* NID_brainpoolP384r1 */
1291#ifdef NID_brainpoolP512r1
1292	case 30:
1293		nid = NID_brainpoolP512r1;
1294		break;
1295#endif /* NID_brainpoolP512r1 */
1296	default:
1297		return NULL;
1298	}
1299
1300	e = os_zalloc(sizeof(*e));
1301	if (e == NULL)
1302		return NULL;
1303
1304	e->bnctx = BN_CTX_new();
1305	e->group = EC_GROUP_new_by_curve_name(nid);
1306	e->prime = BN_new();
1307	e->order = BN_new();
1308	e->a = BN_new();
1309	e->b = BN_new();
1310	if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
1311	    e->order == NULL || e->a == NULL || e->b == NULL ||
1312	    !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) ||
1313	    !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
1314		crypto_ec_deinit(e);
1315		e = NULL;
1316	}
1317
1318	return e;
1319}
1320
1321
1322void crypto_ec_deinit(struct crypto_ec *e)
1323{
1324	if (e == NULL)
1325		return;
1326	BN_clear_free(e->b);
1327	BN_clear_free(e->a);
1328	BN_clear_free(e->order);
1329	BN_clear_free(e->prime);
1330	EC_GROUP_free(e->group);
1331	BN_CTX_free(e->bnctx);
1332	os_free(e);
1333}
1334
1335
1336struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
1337{
1338	if (TEST_FAIL())
1339		return NULL;
1340	if (e == NULL)
1341		return NULL;
1342	return (struct crypto_ec_point *) EC_POINT_new(e->group);
1343}
1344
1345
1346size_t crypto_ec_prime_len(struct crypto_ec *e)
1347{
1348	return BN_num_bytes(e->prime);
1349}
1350
1351
1352size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
1353{
1354	return BN_num_bits(e->prime);
1355}
1356
1357
1358const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
1359{
1360	return (const struct crypto_bignum *) e->prime;
1361}
1362
1363
1364const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
1365{
1366	return (const struct crypto_bignum *) e->order;
1367}
1368
1369
1370void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
1371{
1372	if (clear)
1373		EC_POINT_clear_free((EC_POINT *) p);
1374	else
1375		EC_POINT_free((EC_POINT *) p);
1376}
1377
1378
1379int crypto_ec_point_to_bin(struct crypto_ec *e,
1380			   const struct crypto_ec_point *point, u8 *x, u8 *y)
1381{
1382	BIGNUM *x_bn, *y_bn;
1383	int ret = -1;
1384	int len = BN_num_bytes(e->prime);
1385
1386	if (TEST_FAIL())
1387		return -1;
1388
1389	x_bn = BN_new();
1390	y_bn = BN_new();
1391
1392	if (x_bn && y_bn &&
1393	    EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point,
1394						x_bn, y_bn, e->bnctx)) {
1395		if (x) {
1396			crypto_bignum_to_bin((struct crypto_bignum *) x_bn,
1397					     x, len, len);
1398		}
1399		if (y) {
1400			crypto_bignum_to_bin((struct crypto_bignum *) y_bn,
1401					     y, len, len);
1402		}
1403		ret = 0;
1404	}
1405
1406	BN_clear_free(x_bn);
1407	BN_clear_free(y_bn);
1408	return ret;
1409}
1410
1411
1412struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
1413						  const u8 *val)
1414{
1415	BIGNUM *x, *y;
1416	EC_POINT *elem;
1417	int len = BN_num_bytes(e->prime);
1418
1419	if (TEST_FAIL())
1420		return NULL;
1421
1422	x = BN_bin2bn(val, len, NULL);
1423	y = BN_bin2bn(val + len, len, NULL);
1424	elem = EC_POINT_new(e->group);
1425	if (x == NULL || y == NULL || elem == NULL) {
1426		BN_clear_free(x);
1427		BN_clear_free(y);
1428		EC_POINT_clear_free(elem);
1429		return NULL;
1430	}
1431
1432	if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y,
1433						 e->bnctx)) {
1434		EC_POINT_clear_free(elem);
1435		elem = NULL;
1436	}
1437
1438	BN_clear_free(x);
1439	BN_clear_free(y);
1440
1441	return (struct crypto_ec_point *) elem;
1442}
1443
1444
1445int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
1446			const struct crypto_ec_point *b,
1447			struct crypto_ec_point *c)
1448{
1449	if (TEST_FAIL())
1450		return -1;
1451	return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
1452			    (const EC_POINT *) b, e->bnctx) ? 0 : -1;
1453}
1454
1455
1456int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
1457			const struct crypto_bignum *b,
1458			struct crypto_ec_point *res)
1459{
1460	if (TEST_FAIL())
1461		return -1;
1462	return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
1463			    (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
1464		? 0 : -1;
1465}
1466
1467
1468int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
1469{
1470	if (TEST_FAIL())
1471		return -1;
1472	return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
1473}
1474
1475
1476int crypto_ec_point_solve_y_coord(struct crypto_ec *e,
1477				  struct crypto_ec_point *p,
1478				  const struct crypto_bignum *x, int y_bit)
1479{
1480	if (TEST_FAIL())
1481		return -1;
1482	if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p,
1483						     (const BIGNUM *) x, y_bit,
1484						     e->bnctx) ||
1485	    !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx))
1486		return -1;
1487	return 0;
1488}
1489
1490
1491struct crypto_bignum *
1492crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
1493			      const struct crypto_bignum *x)
1494{
1495	BIGNUM *tmp, *tmp2, *y_sqr = NULL;
1496
1497	if (TEST_FAIL())
1498		return NULL;
1499
1500	tmp = BN_new();
1501	tmp2 = BN_new();
1502
1503	/* y^2 = x^3 + ax + b */
1504	if (tmp && tmp2 &&
1505	    BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1506	    BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1507	    BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) &&
1508	    BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) &&
1509	    BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) {
1510		y_sqr = tmp2;
1511		tmp2 = NULL;
1512	}
1513
1514	BN_clear_free(tmp);
1515	BN_clear_free(tmp2);
1516
1517	return (struct crypto_bignum *) y_sqr;
1518}
1519
1520
1521int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
1522				   const struct crypto_ec_point *p)
1523{
1524	return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
1525}
1526
1527
1528int crypto_ec_point_is_on_curve(struct crypto_ec *e,
1529				const struct crypto_ec_point *p)
1530{
1531	return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
1532				    e->bnctx) == 1;
1533}
1534
1535
1536int crypto_ec_point_cmp(const struct crypto_ec *e,
1537			const struct crypto_ec_point *a,
1538			const struct crypto_ec_point *b)
1539{
1540	return EC_POINT_cmp(e->group, (const EC_POINT *) a,
1541			    (const EC_POINT *) b, e->bnctx);
1542}
1543
1544#endif /* CONFIG_ECC */
1545