1/* 2 * Wrapper functions for OpenSSL libcrypto 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10#include <openssl/opensslv.h> 11#include <openssl/err.h> 12#include <openssl/des.h> 13#include <openssl/aes.h> 14#include <openssl/bn.h> 15#include <openssl/evp.h> 16#include <openssl/dh.h> 17#include <openssl/hmac.h> 18#include <openssl/rand.h> 19#ifdef CONFIG_OPENSSL_CMAC 20#include <openssl/cmac.h> 21#endif /* CONFIG_OPENSSL_CMAC */ 22#ifdef CONFIG_ECC 23#include <openssl/ec.h> 24#endif /* CONFIG_ECC */ 25 26#include "common.h" 27#include "wpabuf.h" 28#include "dh_group5.h" 29#include "sha1.h" 30#include "sha256.h" 31#include "sha384.h" 32#include "crypto.h" 33 34#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) 35/* Compatibility wrappers for older versions. */ 36 37static HMAC_CTX * HMAC_CTX_new(void) 38{ 39 HMAC_CTX *ctx; 40 41 ctx = os_zalloc(sizeof(*ctx)); 42 if (ctx) 43 HMAC_CTX_init(ctx); 44 return ctx; 45} 46 47 48static void HMAC_CTX_free(HMAC_CTX *ctx) 49{ 50 HMAC_CTX_cleanup(ctx); 51 bin_clear_free(ctx, sizeof(*ctx)); 52} 53 54 55static EVP_MD_CTX * EVP_MD_CTX_new(void) 56{ 57 EVP_MD_CTX *ctx; 58 59 ctx = os_zalloc(sizeof(*ctx)); 60 if (ctx) 61 EVP_MD_CTX_init(ctx); 62 return ctx; 63} 64 65 66static void EVP_MD_CTX_free(EVP_MD_CTX *ctx) 67{ 68 bin_clear_free(ctx, sizeof(*ctx)); 69} 70 71#endif /* OpenSSL version < 1.1.0 */ 72 73static BIGNUM * get_group5_prime(void) 74{ 75#ifdef OPENSSL_IS_BORINGSSL 76 static const unsigned char RFC3526_PRIME_1536[] = { 77 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, 78 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, 79 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, 80 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, 81 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, 82 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, 83 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, 84 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, 85 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, 86 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, 87 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, 88 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, 89 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, 90 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, 91 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, 92 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 93 }; 94 return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL); 95#else /* OPENSSL_IS_BORINGSSL */ 96 return get_rfc3526_prime_1536(NULL); 97#endif /* OPENSSL_IS_BORINGSSL */ 98} 99 100#ifdef OPENSSL_NO_SHA256 101#define NO_SHA256_WRAPPER 102#endif 103 104static int openssl_digest_vector(const EVP_MD *type, size_t num_elem, 105 const u8 *addr[], const size_t *len, u8 *mac) 106{ 107 EVP_MD_CTX *ctx; 108 size_t i; 109 unsigned int mac_len; 110 111 if (TEST_FAIL()) 112 return -1; 113 114 ctx = EVP_MD_CTX_new(); 115 if (!ctx) 116 return -1; 117 if (!EVP_DigestInit_ex(ctx, type, NULL)) { 118 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s", 119 ERR_error_string(ERR_get_error(), NULL)); 120 EVP_MD_CTX_free(ctx); 121 return -1; 122 } 123 for (i = 0; i < num_elem; i++) { 124 if (!EVP_DigestUpdate(ctx, addr[i], len[i])) { 125 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate " 126 "failed: %s", 127 ERR_error_string(ERR_get_error(), NULL)); 128 EVP_MD_CTX_free(ctx); 129 return -1; 130 } 131 } 132 if (!EVP_DigestFinal(ctx, mac, &mac_len)) { 133 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s", 134 ERR_error_string(ERR_get_error(), NULL)); 135 EVP_MD_CTX_free(ctx); 136 return -1; 137 } 138 EVP_MD_CTX_free(ctx); 139 140 return 0; 141} 142 143 144#ifndef CONFIG_FIPS 145int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 146{ 147 return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac); 148} 149#endif /* CONFIG_FIPS */ 150 151 152void des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) 153{ 154 u8 pkey[8], next, tmp; 155 int i; 156 DES_key_schedule ks; 157 158 /* Add parity bits to the key */ 159 next = 0; 160 for (i = 0; i < 7; i++) { 161 tmp = key[i]; 162 pkey[i] = (tmp >> i) | next | 1; 163 next = tmp << (7 - i); 164 } 165 pkey[i] = next | 1; 166 167 DES_set_key((DES_cblock *) &pkey, &ks); 168 DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks, 169 DES_ENCRYPT); 170} 171 172 173#ifndef CONFIG_NO_RC4 174int rc4_skip(const u8 *key, size_t keylen, size_t skip, 175 u8 *data, size_t data_len) 176{ 177#ifdef OPENSSL_NO_RC4 178 return -1; 179#else /* OPENSSL_NO_RC4 */ 180 EVP_CIPHER_CTX *ctx; 181 int outl; 182 int res = -1; 183 unsigned char skip_buf[16]; 184 185 ctx = EVP_CIPHER_CTX_new(); 186 if (!ctx || 187 !EVP_CIPHER_CTX_set_padding(ctx, 0) || 188 !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) || 189 !EVP_CIPHER_CTX_set_key_length(ctx, keylen) || 190 !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1)) 191 goto out; 192 193 while (skip >= sizeof(skip_buf)) { 194 size_t len = skip; 195 if (len > sizeof(skip_buf)) 196 len = sizeof(skip_buf); 197 if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len)) 198 goto out; 199 skip -= len; 200 } 201 202 if (EVP_CipherUpdate(ctx, data, &outl, data, data_len)) 203 res = 0; 204 205out: 206 if (ctx) 207 EVP_CIPHER_CTX_free(ctx); 208 return res; 209#endif /* OPENSSL_NO_RC4 */ 210} 211#endif /* CONFIG_NO_RC4 */ 212 213 214#ifndef CONFIG_FIPS 215int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 216{ 217 return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac); 218} 219#endif /* CONFIG_FIPS */ 220 221 222int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) 223{ 224 return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac); 225} 226 227 228#ifndef NO_SHA256_WRAPPER 229int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, 230 u8 *mac) 231{ 232 return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac); 233} 234#endif /* NO_SHA256_WRAPPER */ 235 236 237static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen) 238{ 239 switch (keylen) { 240 case 16: 241 return EVP_aes_128_ecb(); 242#ifndef OPENSSL_IS_BORINGSSL 243 case 24: 244 return EVP_aes_192_ecb(); 245#endif /* OPENSSL_IS_BORINGSSL */ 246 case 32: 247 return EVP_aes_256_ecb(); 248 } 249 250 return NULL; 251} 252 253 254void * aes_encrypt_init(const u8 *key, size_t len) 255{ 256 EVP_CIPHER_CTX *ctx; 257 const EVP_CIPHER *type; 258 259 if (TEST_FAIL()) 260 return NULL; 261 262 type = aes_get_evp_cipher(len); 263 if (type == NULL) 264 return NULL; 265 266 ctx = EVP_CIPHER_CTX_new(); 267 if (ctx == NULL) 268 return NULL; 269 if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 270 os_free(ctx); 271 return NULL; 272 } 273 EVP_CIPHER_CTX_set_padding(ctx, 0); 274 return ctx; 275} 276 277 278void aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) 279{ 280 EVP_CIPHER_CTX *c = ctx; 281 int clen = 16; 282 if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) { 283 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s", 284 ERR_error_string(ERR_get_error(), NULL)); 285 } 286} 287 288 289void aes_encrypt_deinit(void *ctx) 290{ 291 EVP_CIPHER_CTX *c = ctx; 292 u8 buf[16]; 293 int len = sizeof(buf); 294 if (EVP_EncryptFinal_ex(c, buf, &len) != 1) { 295 wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: " 296 "%s", ERR_error_string(ERR_get_error(), NULL)); 297 } 298 if (len != 0) { 299 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 300 "in AES encrypt", len); 301 } 302 EVP_CIPHER_CTX_free(c); 303} 304 305 306void * aes_decrypt_init(const u8 *key, size_t len) 307{ 308 EVP_CIPHER_CTX *ctx; 309 const EVP_CIPHER *type; 310 311 if (TEST_FAIL()) 312 return NULL; 313 314 type = aes_get_evp_cipher(len); 315 if (type == NULL) 316 return NULL; 317 318 ctx = EVP_CIPHER_CTX_new(); 319 if (ctx == NULL) 320 return NULL; 321 if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) { 322 EVP_CIPHER_CTX_free(ctx); 323 return NULL; 324 } 325 EVP_CIPHER_CTX_set_padding(ctx, 0); 326 return ctx; 327} 328 329 330void aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) 331{ 332 EVP_CIPHER_CTX *c = ctx; 333 int plen = 16; 334 if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) { 335 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s", 336 ERR_error_string(ERR_get_error(), NULL)); 337 } 338} 339 340 341void aes_decrypt_deinit(void *ctx) 342{ 343 EVP_CIPHER_CTX *c = ctx; 344 u8 buf[16]; 345 int len = sizeof(buf); 346 if (EVP_DecryptFinal_ex(c, buf, &len) != 1) { 347 wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: " 348 "%s", ERR_error_string(ERR_get_error(), NULL)); 349 } 350 if (len != 0) { 351 wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d " 352 "in AES decrypt", len); 353 } 354 EVP_CIPHER_CTX_free(c); 355} 356 357 358#ifndef CONFIG_FIPS 359#ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP 360 361int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) 362{ 363 AES_KEY actx; 364 int res; 365 366 if (AES_set_encrypt_key(kek, kek_len << 3, &actx)) 367 return -1; 368 res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8); 369 OPENSSL_cleanse(&actx, sizeof(actx)); 370 return res <= 0 ? -1 : 0; 371} 372 373 374int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, 375 u8 *plain) 376{ 377 AES_KEY actx; 378 int res; 379 380 if (AES_set_decrypt_key(kek, kek_len << 3, &actx)) 381 return -1; 382 res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8); 383 OPENSSL_cleanse(&actx, sizeof(actx)); 384 return res <= 0 ? -1 : 0; 385} 386 387#endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */ 388#endif /* CONFIG_FIPS */ 389 390 391int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 392{ 393 EVP_CIPHER_CTX *ctx; 394 int clen, len; 395 u8 buf[16]; 396 int res = -1; 397 398 if (TEST_FAIL()) 399 return -1; 400 401 ctx = EVP_CIPHER_CTX_new(); 402 if (!ctx) 403 return -1; 404 clen = data_len; 405 len = sizeof(buf); 406 if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 && 407 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && 408 EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 && 409 clen == (int) data_len && 410 EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0) 411 res = 0; 412 EVP_CIPHER_CTX_free(ctx); 413 414 return res; 415} 416 417 418int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) 419{ 420 EVP_CIPHER_CTX *ctx; 421 int plen, len; 422 u8 buf[16]; 423 int res = -1; 424 425 if (TEST_FAIL()) 426 return -1; 427 428 ctx = EVP_CIPHER_CTX_new(); 429 if (!ctx) 430 return -1; 431 plen = data_len; 432 len = sizeof(buf); 433 if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 && 434 EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 && 435 EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 && 436 plen == (int) data_len && 437 EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0) 438 res = 0; 439 EVP_CIPHER_CTX_free(ctx); 440 441 return res; 442 443} 444 445 446int crypto_mod_exp(const u8 *base, size_t base_len, 447 const u8 *power, size_t power_len, 448 const u8 *modulus, size_t modulus_len, 449 u8 *result, size_t *result_len) 450{ 451 BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result; 452 int ret = -1; 453 BN_CTX *ctx; 454 455 ctx = BN_CTX_new(); 456 if (ctx == NULL) 457 return -1; 458 459 bn_base = BN_bin2bn(base, base_len, NULL); 460 bn_exp = BN_bin2bn(power, power_len, NULL); 461 bn_modulus = BN_bin2bn(modulus, modulus_len, NULL); 462 bn_result = BN_new(); 463 464 if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL || 465 bn_result == NULL) 466 goto error; 467 468 if (BN_mod_exp(bn_result, bn_base, bn_exp, bn_modulus, ctx) != 1) 469 goto error; 470 471 *result_len = BN_bn2bin(bn_result, result); 472 ret = 0; 473 474error: 475 BN_clear_free(bn_base); 476 BN_clear_free(bn_exp); 477 BN_clear_free(bn_modulus); 478 BN_clear_free(bn_result); 479 BN_CTX_free(ctx); 480 return ret; 481} 482 483 484struct crypto_cipher { 485 EVP_CIPHER_CTX *enc; 486 EVP_CIPHER_CTX *dec; 487}; 488 489 490struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, 491 const u8 *iv, const u8 *key, 492 size_t key_len) 493{ 494 struct crypto_cipher *ctx; 495 const EVP_CIPHER *cipher; 496 497 ctx = os_zalloc(sizeof(*ctx)); 498 if (ctx == NULL) 499 return NULL; 500 501 switch (alg) { 502#ifndef CONFIG_NO_RC4 503#ifndef OPENSSL_NO_RC4 504 case CRYPTO_CIPHER_ALG_RC4: 505 cipher = EVP_rc4(); 506 break; 507#endif /* OPENSSL_NO_RC4 */ 508#endif /* CONFIG_NO_RC4 */ 509#ifndef OPENSSL_NO_AES 510 case CRYPTO_CIPHER_ALG_AES: 511 switch (key_len) { 512 case 16: 513 cipher = EVP_aes_128_cbc(); 514 break; 515#ifndef OPENSSL_IS_BORINGSSL 516 case 24: 517 cipher = EVP_aes_192_cbc(); 518 break; 519#endif /* OPENSSL_IS_BORINGSSL */ 520 case 32: 521 cipher = EVP_aes_256_cbc(); 522 break; 523 default: 524 os_free(ctx); 525 return NULL; 526 } 527 break; 528#endif /* OPENSSL_NO_AES */ 529#ifndef OPENSSL_NO_DES 530 case CRYPTO_CIPHER_ALG_3DES: 531 cipher = EVP_des_ede3_cbc(); 532 break; 533 case CRYPTO_CIPHER_ALG_DES: 534 cipher = EVP_des_cbc(); 535 break; 536#endif /* OPENSSL_NO_DES */ 537#ifndef OPENSSL_NO_RC2 538 case CRYPTO_CIPHER_ALG_RC2: 539 cipher = EVP_rc2_ecb(); 540 break; 541#endif /* OPENSSL_NO_RC2 */ 542 default: 543 os_free(ctx); 544 return NULL; 545 } 546 547 if (!(ctx->enc = EVP_CIPHER_CTX_new()) || 548 !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) || 549 !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) || 550 !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) || 551 !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) { 552 if (ctx->enc) 553 EVP_CIPHER_CTX_free(ctx->enc); 554 os_free(ctx); 555 return NULL; 556 } 557 558 if (!(ctx->dec = EVP_CIPHER_CTX_new()) || 559 !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) || 560 !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) || 561 !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) || 562 !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) { 563 EVP_CIPHER_CTX_free(ctx->enc); 564 if (ctx->dec) 565 EVP_CIPHER_CTX_free(ctx->dec); 566 os_free(ctx); 567 return NULL; 568 } 569 570 return ctx; 571} 572 573 574int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain, 575 u8 *crypt, size_t len) 576{ 577 int outl; 578 if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len)) 579 return -1; 580 return 0; 581} 582 583 584int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt, 585 u8 *plain, size_t len) 586{ 587 int outl; 588 outl = len; 589 if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len)) 590 return -1; 591 return 0; 592} 593 594 595void crypto_cipher_deinit(struct crypto_cipher *ctx) 596{ 597 EVP_CIPHER_CTX_free(ctx->enc); 598 EVP_CIPHER_CTX_free(ctx->dec); 599 os_free(ctx); 600} 601 602 603void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) 604{ 605 DH *dh; 606 struct wpabuf *pubkey = NULL, *privkey = NULL; 607 size_t publen, privlen; 608 609 *priv = NULL; 610 *publ = NULL; 611 612 dh = DH_new(); 613 if (dh == NULL) 614 return NULL; 615 616 dh->g = BN_new(); 617 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 618 goto err; 619 620 dh->p = get_group5_prime(); 621 if (dh->p == NULL) 622 goto err; 623 624 if (DH_generate_key(dh) != 1) 625 goto err; 626 627 publen = BN_num_bytes(dh->pub_key); 628 pubkey = wpabuf_alloc(publen); 629 if (pubkey == NULL) 630 goto err; 631 privlen = BN_num_bytes(dh->priv_key); 632 privkey = wpabuf_alloc(privlen); 633 if (privkey == NULL) 634 goto err; 635 636 BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen)); 637 BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen)); 638 639 *priv = privkey; 640 *publ = pubkey; 641 return dh; 642 643err: 644 wpabuf_clear_free(pubkey); 645 wpabuf_clear_free(privkey); 646 DH_free(dh); 647 return NULL; 648} 649 650 651void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) 652{ 653 DH *dh; 654 655 dh = DH_new(); 656 if (dh == NULL) 657 return NULL; 658 659 dh->g = BN_new(); 660 if (dh->g == NULL || BN_set_word(dh->g, 2) != 1) 661 goto err; 662 663 dh->p = get_group5_prime(); 664 if (dh->p == NULL) 665 goto err; 666 667 dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL); 668 if (dh->priv_key == NULL) 669 goto err; 670 671 dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL); 672 if (dh->pub_key == NULL) 673 goto err; 674 675 if (DH_generate_key(dh) != 1) 676 goto err; 677 678 return dh; 679 680err: 681 DH_free(dh); 682 return NULL; 683} 684 685 686struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public, 687 const struct wpabuf *own_private) 688{ 689 BIGNUM *pub_key; 690 struct wpabuf *res = NULL; 691 size_t rlen; 692 DH *dh = ctx; 693 int keylen; 694 695 if (ctx == NULL) 696 return NULL; 697 698 pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public), 699 NULL); 700 if (pub_key == NULL) 701 return NULL; 702 703 rlen = DH_size(dh); 704 res = wpabuf_alloc(rlen); 705 if (res == NULL) 706 goto err; 707 708 keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh); 709 if (keylen < 0) 710 goto err; 711 wpabuf_put(res, keylen); 712 BN_clear_free(pub_key); 713 714 return res; 715 716err: 717 BN_clear_free(pub_key); 718 wpabuf_clear_free(res); 719 return NULL; 720} 721 722 723void dh5_free(void *ctx) 724{ 725 DH *dh; 726 if (ctx == NULL) 727 return; 728 dh = ctx; 729 DH_free(dh); 730} 731 732 733struct crypto_hash { 734 HMAC_CTX *ctx; 735}; 736 737 738struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key, 739 size_t key_len) 740{ 741 struct crypto_hash *ctx; 742 const EVP_MD *md; 743 744 switch (alg) { 745#ifndef OPENSSL_NO_MD5 746 case CRYPTO_HASH_ALG_HMAC_MD5: 747 md = EVP_md5(); 748 break; 749#endif /* OPENSSL_NO_MD5 */ 750#ifndef OPENSSL_NO_SHA 751 case CRYPTO_HASH_ALG_HMAC_SHA1: 752 md = EVP_sha1(); 753 break; 754#endif /* OPENSSL_NO_SHA */ 755#ifndef OPENSSL_NO_SHA256 756#ifdef CONFIG_SHA256 757 case CRYPTO_HASH_ALG_HMAC_SHA256: 758 md = EVP_sha256(); 759 break; 760#endif /* CONFIG_SHA256 */ 761#endif /* OPENSSL_NO_SHA256 */ 762 default: 763 return NULL; 764 } 765 766 ctx = os_zalloc(sizeof(*ctx)); 767 if (ctx == NULL) 768 return NULL; 769 ctx->ctx = HMAC_CTX_new(); 770 if (!ctx->ctx) { 771 os_free(ctx); 772 return NULL; 773 } 774 775 if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) { 776 HMAC_CTX_free(ctx->ctx); 777 bin_clear_free(ctx, sizeof(*ctx)); 778 return NULL; 779 } 780 781 return ctx; 782} 783 784 785void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len) 786{ 787 if (ctx == NULL) 788 return; 789 HMAC_Update(ctx->ctx, data, len); 790} 791 792 793int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len) 794{ 795 unsigned int mdlen; 796 int res; 797 798 if (ctx == NULL) 799 return -2; 800 801 if (mac == NULL || len == NULL) { 802 HMAC_CTX_free(ctx->ctx); 803 bin_clear_free(ctx, sizeof(*ctx)); 804 return 0; 805 } 806 807 mdlen = *len; 808 res = HMAC_Final(ctx->ctx, mac, &mdlen); 809 HMAC_CTX_free(ctx->ctx); 810 bin_clear_free(ctx, sizeof(*ctx)); 811 812 if (res == 1) { 813 *len = mdlen; 814 return 0; 815 } 816 817 return -1; 818} 819 820 821static int openssl_hmac_vector(const EVP_MD *type, const u8 *key, 822 size_t key_len, size_t num_elem, 823 const u8 *addr[], const size_t *len, u8 *mac, 824 unsigned int mdlen) 825{ 826 HMAC_CTX *ctx; 827 size_t i; 828 int res; 829 830 if (TEST_FAIL()) 831 return -1; 832 833 ctx = HMAC_CTX_new(); 834 if (!ctx) 835 return -1; 836 res = HMAC_Init_ex(ctx, key, key_len, type, NULL); 837 if (res != 1) 838 goto done; 839 840 for (i = 0; i < num_elem; i++) 841 HMAC_Update(ctx, addr[i], len[i]); 842 843 res = HMAC_Final(ctx, mac, &mdlen); 844done: 845 HMAC_CTX_free(ctx); 846 847 return res == 1 ? 0 : -1; 848} 849 850 851#ifndef CONFIG_FIPS 852 853int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem, 854 const u8 *addr[], const size_t *len, u8 *mac) 855{ 856 return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len, 857 mac, 16); 858} 859 860 861int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 862 u8 *mac) 863{ 864 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac); 865} 866 867#endif /* CONFIG_FIPS */ 868 869 870int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len, 871 int iterations, u8 *buf, size_t buflen) 872{ 873 if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid, 874 ssid_len, iterations, buflen, buf) != 1) 875 return -1; 876 return 0; 877} 878 879 880int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, 881 const u8 *addr[], const size_t *len, u8 *mac) 882{ 883 return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr, 884 len, mac, 20); 885} 886 887 888int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, 889 u8 *mac) 890{ 891 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); 892} 893 894 895#ifdef CONFIG_SHA256 896 897int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, 898 const u8 *addr[], const size_t *len, u8 *mac) 899{ 900 return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr, 901 len, mac, 32); 902} 903 904 905int hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 906 size_t data_len, u8 *mac) 907{ 908 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); 909} 910 911#endif /* CONFIG_SHA256 */ 912 913 914#ifdef CONFIG_SHA384 915 916int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem, 917 const u8 *addr[], const size_t *len, u8 *mac) 918{ 919 return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr, 920 len, mac, 32); 921} 922 923 924int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, 925 size_t data_len, u8 *mac) 926{ 927 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac); 928} 929 930#endif /* CONFIG_SHA384 */ 931 932 933int crypto_get_random(void *buf, size_t len) 934{ 935 if (RAND_bytes(buf, len) != 1) 936 return -1; 937 return 0; 938} 939 940 941#ifdef CONFIG_OPENSSL_CMAC 942int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem, 943 const u8 *addr[], const size_t *len, u8 *mac) 944{ 945 CMAC_CTX *ctx; 946 int ret = -1; 947 size_t outlen, i; 948 949 if (TEST_FAIL()) 950 return -1; 951 952 ctx = CMAC_CTX_new(); 953 if (ctx == NULL) 954 return -1; 955 956 if (key_len == 32) { 957 if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL)) 958 goto fail; 959 } else if (key_len == 16) { 960 if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL)) 961 goto fail; 962 } else { 963 goto fail; 964 } 965 for (i = 0; i < num_elem; i++) { 966 if (!CMAC_Update(ctx, addr[i], len[i])) 967 goto fail; 968 } 969 if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16) 970 goto fail; 971 972 ret = 0; 973fail: 974 CMAC_CTX_free(ctx); 975 return ret; 976} 977 978 979int omac1_aes_128_vector(const u8 *key, size_t num_elem, 980 const u8 *addr[], const size_t *len, u8 *mac) 981{ 982 return omac1_aes_vector(key, 16, num_elem, addr, len, mac); 983} 984 985 986int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 987{ 988 return omac1_aes_128_vector(key, 1, &data, &data_len, mac); 989} 990 991 992int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac) 993{ 994 return omac1_aes_vector(key, 32, 1, &data, &data_len, mac); 995} 996#endif /* CONFIG_OPENSSL_CMAC */ 997 998 999struct crypto_bignum * crypto_bignum_init(void) 1000{ 1001 if (TEST_FAIL()) 1002 return NULL; 1003 return (struct crypto_bignum *) BN_new(); 1004} 1005 1006 1007struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) 1008{ 1009 BIGNUM *bn; 1010 1011 if (TEST_FAIL()) 1012 return NULL; 1013 1014 bn = BN_bin2bn(buf, len, NULL); 1015 return (struct crypto_bignum *) bn; 1016} 1017 1018 1019void crypto_bignum_deinit(struct crypto_bignum *n, int clear) 1020{ 1021 if (clear) 1022 BN_clear_free((BIGNUM *) n); 1023 else 1024 BN_free((BIGNUM *) n); 1025} 1026 1027 1028int crypto_bignum_to_bin(const struct crypto_bignum *a, 1029 u8 *buf, size_t buflen, size_t padlen) 1030{ 1031 int num_bytes, offset; 1032 1033 if (TEST_FAIL()) 1034 return -1; 1035 1036 if (padlen > buflen) 1037 return -1; 1038 1039 num_bytes = BN_num_bytes((const BIGNUM *) a); 1040 if ((size_t) num_bytes > buflen) 1041 return -1; 1042 if (padlen > (size_t) num_bytes) 1043 offset = padlen - num_bytes; 1044 else 1045 offset = 0; 1046 1047 os_memset(buf, 0, offset); 1048 BN_bn2bin((const BIGNUM *) a, buf + offset); 1049 1050 return num_bytes + offset; 1051} 1052 1053 1054int crypto_bignum_add(const struct crypto_bignum *a, 1055 const struct crypto_bignum *b, 1056 struct crypto_bignum *c) 1057{ 1058 return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 1059 0 : -1; 1060} 1061 1062 1063int crypto_bignum_mod(const struct crypto_bignum *a, 1064 const struct crypto_bignum *b, 1065 struct crypto_bignum *c) 1066{ 1067 int res; 1068 BN_CTX *bnctx; 1069 1070 bnctx = BN_CTX_new(); 1071 if (bnctx == NULL) 1072 return -1; 1073 res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, 1074 bnctx); 1075 BN_CTX_free(bnctx); 1076 1077 return res ? 0 : -1; 1078} 1079 1080 1081int crypto_bignum_exptmod(const struct crypto_bignum *a, 1082 const struct crypto_bignum *b, 1083 const struct crypto_bignum *c, 1084 struct crypto_bignum *d) 1085{ 1086 int res; 1087 BN_CTX *bnctx; 1088 1089 if (TEST_FAIL()) 1090 return -1; 1091 1092 bnctx = BN_CTX_new(); 1093 if (bnctx == NULL) 1094 return -1; 1095 res = BN_mod_exp((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 1096 (const BIGNUM *) c, bnctx); 1097 BN_CTX_free(bnctx); 1098 1099 return res ? 0 : -1; 1100} 1101 1102 1103int crypto_bignum_inverse(const struct crypto_bignum *a, 1104 const struct crypto_bignum *b, 1105 struct crypto_bignum *c) 1106{ 1107 BIGNUM *res; 1108 BN_CTX *bnctx; 1109 1110 if (TEST_FAIL()) 1111 return -1; 1112 bnctx = BN_CTX_new(); 1113 if (bnctx == NULL) 1114 return -1; 1115 res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a, 1116 (const BIGNUM *) b, bnctx); 1117 BN_CTX_free(bnctx); 1118 1119 return res ? 0 : -1; 1120} 1121 1122 1123int crypto_bignum_sub(const struct crypto_bignum *a, 1124 const struct crypto_bignum *b, 1125 struct crypto_bignum *c) 1126{ 1127 if (TEST_FAIL()) 1128 return -1; 1129 return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ? 1130 0 : -1; 1131} 1132 1133 1134int crypto_bignum_div(const struct crypto_bignum *a, 1135 const struct crypto_bignum *b, 1136 struct crypto_bignum *c) 1137{ 1138 int res; 1139 1140 BN_CTX *bnctx; 1141 1142 if (TEST_FAIL()) 1143 return -1; 1144 1145 bnctx = BN_CTX_new(); 1146 if (bnctx == NULL) 1147 return -1; 1148 res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a, 1149 (const BIGNUM *) b, bnctx); 1150 BN_CTX_free(bnctx); 1151 1152 return res ? 0 : -1; 1153} 1154 1155 1156int crypto_bignum_mulmod(const struct crypto_bignum *a, 1157 const struct crypto_bignum *b, 1158 const struct crypto_bignum *c, 1159 struct crypto_bignum *d) 1160{ 1161 int res; 1162 1163 BN_CTX *bnctx; 1164 1165 if (TEST_FAIL()) 1166 return -1; 1167 1168 bnctx = BN_CTX_new(); 1169 if (bnctx == NULL) 1170 return -1; 1171 res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, 1172 (const BIGNUM *) c, bnctx); 1173 BN_CTX_free(bnctx); 1174 1175 return res ? 0 : -1; 1176} 1177 1178 1179int crypto_bignum_cmp(const struct crypto_bignum *a, 1180 const struct crypto_bignum *b) 1181{ 1182 return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b); 1183} 1184 1185 1186int crypto_bignum_bits(const struct crypto_bignum *a) 1187{ 1188 return BN_num_bits((const BIGNUM *) a); 1189} 1190 1191 1192int crypto_bignum_is_zero(const struct crypto_bignum *a) 1193{ 1194 return BN_is_zero((const BIGNUM *) a); 1195} 1196 1197 1198int crypto_bignum_is_one(const struct crypto_bignum *a) 1199{ 1200 return BN_is_one((const BIGNUM *) a); 1201} 1202 1203 1204int crypto_bignum_legendre(const struct crypto_bignum *a, 1205 const struct crypto_bignum *p) 1206{ 1207 BN_CTX *bnctx; 1208 BIGNUM *exp = NULL, *tmp = NULL; 1209 int res = -2; 1210 1211 if (TEST_FAIL()) 1212 return -2; 1213 1214 bnctx = BN_CTX_new(); 1215 if (bnctx == NULL) 1216 return -2; 1217 1218 exp = BN_new(); 1219 tmp = BN_new(); 1220 if (!exp || !tmp || 1221 /* exp = (p-1) / 2 */ 1222 !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) || 1223 !BN_rshift1(exp, exp) || 1224 !BN_mod_exp(tmp, (const BIGNUM *) a, exp, (const BIGNUM *) p, 1225 bnctx)) 1226 goto fail; 1227 1228 if (BN_is_word(tmp, 1)) 1229 res = 1; 1230 else if (BN_is_zero(tmp)) 1231 res = 0; 1232 else 1233 res = -1; 1234 1235fail: 1236 BN_clear_free(tmp); 1237 BN_clear_free(exp); 1238 BN_CTX_free(bnctx); 1239 return res; 1240} 1241 1242 1243#ifdef CONFIG_ECC 1244 1245struct crypto_ec { 1246 EC_GROUP *group; 1247 BN_CTX *bnctx; 1248 BIGNUM *prime; 1249 BIGNUM *order; 1250 BIGNUM *a; 1251 BIGNUM *b; 1252}; 1253 1254struct crypto_ec * crypto_ec_init(int group) 1255{ 1256 struct crypto_ec *e; 1257 int nid; 1258 1259 /* Map from IANA registry for IKE D-H groups to OpenSSL NID */ 1260 switch (group) { 1261 case 19: 1262 nid = NID_X9_62_prime256v1; 1263 break; 1264 case 20: 1265 nid = NID_secp384r1; 1266 break; 1267 case 21: 1268 nid = NID_secp521r1; 1269 break; 1270 case 25: 1271 nid = NID_X9_62_prime192v1; 1272 break; 1273 case 26: 1274 nid = NID_secp224r1; 1275 break; 1276#ifdef NID_brainpoolP224r1 1277 case 27: 1278 nid = NID_brainpoolP224r1; 1279 break; 1280#endif /* NID_brainpoolP224r1 */ 1281#ifdef NID_brainpoolP256r1 1282 case 28: 1283 nid = NID_brainpoolP256r1; 1284 break; 1285#endif /* NID_brainpoolP256r1 */ 1286#ifdef NID_brainpoolP384r1 1287 case 29: 1288 nid = NID_brainpoolP384r1; 1289 break; 1290#endif /* NID_brainpoolP384r1 */ 1291#ifdef NID_brainpoolP512r1 1292 case 30: 1293 nid = NID_brainpoolP512r1; 1294 break; 1295#endif /* NID_brainpoolP512r1 */ 1296 default: 1297 return NULL; 1298 } 1299 1300 e = os_zalloc(sizeof(*e)); 1301 if (e == NULL) 1302 return NULL; 1303 1304 e->bnctx = BN_CTX_new(); 1305 e->group = EC_GROUP_new_by_curve_name(nid); 1306 e->prime = BN_new(); 1307 e->order = BN_new(); 1308 e->a = BN_new(); 1309 e->b = BN_new(); 1310 if (e->group == NULL || e->bnctx == NULL || e->prime == NULL || 1311 e->order == NULL || e->a == NULL || e->b == NULL || 1312 !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) || 1313 !EC_GROUP_get_order(e->group, e->order, e->bnctx)) { 1314 crypto_ec_deinit(e); 1315 e = NULL; 1316 } 1317 1318 return e; 1319} 1320 1321 1322void crypto_ec_deinit(struct crypto_ec *e) 1323{ 1324 if (e == NULL) 1325 return; 1326 BN_clear_free(e->b); 1327 BN_clear_free(e->a); 1328 BN_clear_free(e->order); 1329 BN_clear_free(e->prime); 1330 EC_GROUP_free(e->group); 1331 BN_CTX_free(e->bnctx); 1332 os_free(e); 1333} 1334 1335 1336struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e) 1337{ 1338 if (TEST_FAIL()) 1339 return NULL; 1340 if (e == NULL) 1341 return NULL; 1342 return (struct crypto_ec_point *) EC_POINT_new(e->group); 1343} 1344 1345 1346size_t crypto_ec_prime_len(struct crypto_ec *e) 1347{ 1348 return BN_num_bytes(e->prime); 1349} 1350 1351 1352size_t crypto_ec_prime_len_bits(struct crypto_ec *e) 1353{ 1354 return BN_num_bits(e->prime); 1355} 1356 1357 1358const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e) 1359{ 1360 return (const struct crypto_bignum *) e->prime; 1361} 1362 1363 1364const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) 1365{ 1366 return (const struct crypto_bignum *) e->order; 1367} 1368 1369 1370void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) 1371{ 1372 if (clear) 1373 EC_POINT_clear_free((EC_POINT *) p); 1374 else 1375 EC_POINT_free((EC_POINT *) p); 1376} 1377 1378 1379int crypto_ec_point_to_bin(struct crypto_ec *e, 1380 const struct crypto_ec_point *point, u8 *x, u8 *y) 1381{ 1382 BIGNUM *x_bn, *y_bn; 1383 int ret = -1; 1384 int len = BN_num_bytes(e->prime); 1385 1386 if (TEST_FAIL()) 1387 return -1; 1388 1389 x_bn = BN_new(); 1390 y_bn = BN_new(); 1391 1392 if (x_bn && y_bn && 1393 EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point, 1394 x_bn, y_bn, e->bnctx)) { 1395 if (x) { 1396 crypto_bignum_to_bin((struct crypto_bignum *) x_bn, 1397 x, len, len); 1398 } 1399 if (y) { 1400 crypto_bignum_to_bin((struct crypto_bignum *) y_bn, 1401 y, len, len); 1402 } 1403 ret = 0; 1404 } 1405 1406 BN_clear_free(x_bn); 1407 BN_clear_free(y_bn); 1408 return ret; 1409} 1410 1411 1412struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e, 1413 const u8 *val) 1414{ 1415 BIGNUM *x, *y; 1416 EC_POINT *elem; 1417 int len = BN_num_bytes(e->prime); 1418 1419 if (TEST_FAIL()) 1420 return NULL; 1421 1422 x = BN_bin2bn(val, len, NULL); 1423 y = BN_bin2bn(val + len, len, NULL); 1424 elem = EC_POINT_new(e->group); 1425 if (x == NULL || y == NULL || elem == NULL) { 1426 BN_clear_free(x); 1427 BN_clear_free(y); 1428 EC_POINT_clear_free(elem); 1429 return NULL; 1430 } 1431 1432 if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y, 1433 e->bnctx)) { 1434 EC_POINT_clear_free(elem); 1435 elem = NULL; 1436 } 1437 1438 BN_clear_free(x); 1439 BN_clear_free(y); 1440 1441 return (struct crypto_ec_point *) elem; 1442} 1443 1444 1445int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a, 1446 const struct crypto_ec_point *b, 1447 struct crypto_ec_point *c) 1448{ 1449 if (TEST_FAIL()) 1450 return -1; 1451 return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a, 1452 (const EC_POINT *) b, e->bnctx) ? 0 : -1; 1453} 1454 1455 1456int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p, 1457 const struct crypto_bignum *b, 1458 struct crypto_ec_point *res) 1459{ 1460 if (TEST_FAIL()) 1461 return -1; 1462 return EC_POINT_mul(e->group, (EC_POINT *) res, NULL, 1463 (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx) 1464 ? 0 : -1; 1465} 1466 1467 1468int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p) 1469{ 1470 if (TEST_FAIL()) 1471 return -1; 1472 return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1; 1473} 1474 1475 1476int crypto_ec_point_solve_y_coord(struct crypto_ec *e, 1477 struct crypto_ec_point *p, 1478 const struct crypto_bignum *x, int y_bit) 1479{ 1480 if (TEST_FAIL()) 1481 return -1; 1482 if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p, 1483 (const BIGNUM *) x, y_bit, 1484 e->bnctx) || 1485 !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx)) 1486 return -1; 1487 return 0; 1488} 1489 1490 1491struct crypto_bignum * 1492crypto_ec_point_compute_y_sqr(struct crypto_ec *e, 1493 const struct crypto_bignum *x) 1494{ 1495 BIGNUM *tmp, *tmp2, *y_sqr = NULL; 1496 1497 if (TEST_FAIL()) 1498 return NULL; 1499 1500 tmp = BN_new(); 1501 tmp2 = BN_new(); 1502 1503 /* y^2 = x^3 + ax + b */ 1504 if (tmp && tmp2 && 1505 BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) && 1506 BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) && 1507 BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) && 1508 BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) && 1509 BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) { 1510 y_sqr = tmp2; 1511 tmp2 = NULL; 1512 } 1513 1514 BN_clear_free(tmp); 1515 BN_clear_free(tmp2); 1516 1517 return (struct crypto_bignum *) y_sqr; 1518} 1519 1520 1521int crypto_ec_point_is_at_infinity(struct crypto_ec *e, 1522 const struct crypto_ec_point *p) 1523{ 1524 return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p); 1525} 1526 1527 1528int crypto_ec_point_is_on_curve(struct crypto_ec *e, 1529 const struct crypto_ec_point *p) 1530{ 1531 return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p, 1532 e->bnctx) == 1; 1533} 1534 1535 1536int crypto_ec_point_cmp(const struct crypto_ec *e, 1537 const struct crypto_ec_point *a, 1538 const struct crypto_ec_point *b) 1539{ 1540 return EC_POINT_cmp(e->group, (const EC_POINT *) a, 1541 (const EC_POINT *) b, e->bnctx); 1542} 1543 1544#endif /* CONFIG_ECC */ 1545