1 /*
2  * Wrapper functions for OpenSSL libcrypto
3  * Copyright (c) 2004-2017, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 #include <openssl/opensslv.h>
11 #include <openssl/err.h>
12 #include <openssl/des.h>
13 #include <openssl/aes.h>
14 #include <openssl/bn.h>
15 #include <openssl/evp.h>
16 #include <openssl/dh.h>
17 #include <openssl/hmac.h>
18 #include <openssl/rand.h>
19 #ifdef CONFIG_OPENSSL_CMAC
20 #include <openssl/cmac.h>
21 #endif /* CONFIG_OPENSSL_CMAC */
22 #ifdef CONFIG_ECC
23 #include <openssl/ec.h>
24 #include <openssl/x509.h>
25 #endif /* CONFIG_ECC */
26 
27 #include "common.h"
28 #include "utils/const_time.h"
29 #include "wpabuf.h"
30 #include "dh_group5.h"
31 #include "sha1.h"
32 #include "sha256.h"
33 #include "sha384.h"
34 #include "sha512.h"
35 #include "md5.h"
36 #include "aes_wrap.h"
37 #include "crypto.h"
38 
39 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
40 	(defined(LIBRESSL_VERSION_NUMBER) && \
41 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
42 /* Compatibility wrappers for older versions. */
43 
HMAC_CTX_new(void)44 static HMAC_CTX * HMAC_CTX_new(void)
45 {
46 	HMAC_CTX *ctx;
47 
48 	ctx = os_zalloc(sizeof(*ctx));
49 	if (ctx)
50 		HMAC_CTX_init(ctx);
51 	return ctx;
52 }
53 
54 
HMAC_CTX_free(HMAC_CTX * ctx)55 static void HMAC_CTX_free(HMAC_CTX *ctx)
56 {
57 	if (!ctx)
58 		return;
59 	HMAC_CTX_cleanup(ctx);
60 	bin_clear_free(ctx, sizeof(*ctx));
61 }
62 
63 
EVP_MD_CTX_new(void)64 static EVP_MD_CTX * EVP_MD_CTX_new(void)
65 {
66 	EVP_MD_CTX *ctx;
67 
68 	ctx = os_zalloc(sizeof(*ctx));
69 	if (ctx)
70 		EVP_MD_CTX_init(ctx);
71 	return ctx;
72 }
73 
74 
EVP_MD_CTX_free(EVP_MD_CTX * ctx)75 static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
76 {
77 	if (!ctx)
78 		return;
79 	EVP_MD_CTX_cleanup(ctx);
80 	bin_clear_free(ctx, sizeof(*ctx));
81 }
82 
83 
EVP_PKEY_get0_EC_KEY(EVP_PKEY * pkey)84 static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
85 {
86 	if (pkey->type != EVP_PKEY_EC)
87 		return NULL;
88 	return pkey->pkey.ec;
89 }
90 
91 #endif /* OpenSSL version < 1.1.0 */
92 
get_group5_prime(void)93 static BIGNUM * get_group5_prime(void)
94 {
95 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
96 	!(defined(LIBRESSL_VERSION_NUMBER) && \
97 	  LIBRESSL_VERSION_NUMBER < 0x20700000L)
98 	return BN_get_rfc3526_prime_1536(NULL);
99 #elif !defined(OPENSSL_IS_BORINGSSL)
100 	return get_rfc3526_prime_1536(NULL);
101 #else
102 	static const unsigned char RFC3526_PRIME_1536[] = {
103 		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
104 		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
105 		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
106 		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
107 		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
108 		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
109 		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
110 		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
111 		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
112 		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
113 		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
114 		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
115 		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
116 		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
117 		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
118 		0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
119 	};
120         return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
121 #endif
122 }
123 
124 
get_group5_order(void)125 static BIGNUM * get_group5_order(void)
126 {
127 	static const unsigned char RFC3526_ORDER_1536[] = {
128 		0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE4,0x87,0xED,0x51,
129 		0x10,0xB4,0x61,0x1A,0x62,0x63,0x31,0x45,0xC0,0x6E,0x0E,0x68,
130 		0x94,0x81,0x27,0x04,0x45,0x33,0xE6,0x3A,0x01,0x05,0xDF,0x53,
131 		0x1D,0x89,0xCD,0x91,0x28,0xA5,0x04,0x3C,0xC7,0x1A,0x02,0x6E,
132 		0xF7,0xCA,0x8C,0xD9,0xE6,0x9D,0x21,0x8D,0x98,0x15,0x85,0x36,
133 		0xF9,0x2F,0x8A,0x1B,0xA7,0xF0,0x9A,0xB6,0xB6,0xA8,0xE1,0x22,
134 		0xF2,0x42,0xDA,0xBB,0x31,0x2F,0x3F,0x63,0x7A,0x26,0x21,0x74,
135 		0xD3,0x1B,0xF6,0xB5,0x85,0xFF,0xAE,0x5B,0x7A,0x03,0x5B,0xF6,
136 		0xF7,0x1C,0x35,0xFD,0xAD,0x44,0xCF,0xD2,0xD7,0x4F,0x92,0x08,
137 		0xBE,0x25,0x8F,0xF3,0x24,0x94,0x33,0x28,0xF6,0x72,0x2D,0x9E,
138 		0xE1,0x00,0x3E,0x5C,0x50,0xB1,0xDF,0x82,0xCC,0x6D,0x24,0x1B,
139 		0x0E,0x2A,0xE9,0xCD,0x34,0x8B,0x1F,0xD4,0x7E,0x92,0x67,0xAF,
140 		0xC1,0xB2,0xAE,0x91,0xEE,0x51,0xD6,0xCB,0x0E,0x31,0x79,0xAB,
141 		0x10,0x42,0xA9,0x5D,0xCF,0x6A,0x94,0x83,0xB8,0x4B,0x4B,0x36,
142 		0xB3,0x86,0x1A,0xA7,0x25,0x5E,0x4C,0x02,0x78,0xBA,0x36,0x04,
143 		0x65,0x11,0xB9,0x93,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
144 	};
145 	return BN_bin2bn(RFC3526_ORDER_1536, sizeof(RFC3526_ORDER_1536), NULL);
146 }
147 
148 
149 #ifdef OPENSSL_NO_SHA256
150 #define NO_SHA256_WRAPPER
151 #endif
152 #ifdef OPENSSL_NO_SHA512
153 #define NO_SHA384_WRAPPER
154 #endif
155 
openssl_digest_vector(const EVP_MD * type,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)156 static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
157 				 const u8 *addr[], const size_t *len, u8 *mac)
158 {
159 	EVP_MD_CTX *ctx;
160 	size_t i;
161 	unsigned int mac_len;
162 
163 	if (TEST_FAIL())
164 		return -1;
165 
166 	ctx = EVP_MD_CTX_new();
167 	if (!ctx)
168 		return -1;
169 	if (!EVP_DigestInit_ex(ctx, type, NULL)) {
170 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
171 			   ERR_error_string(ERR_get_error(), NULL));
172 		EVP_MD_CTX_free(ctx);
173 		return -1;
174 	}
175 	for (i = 0; i < num_elem; i++) {
176 		if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
177 			wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
178 				   "failed: %s",
179 				   ERR_error_string(ERR_get_error(), NULL));
180 			EVP_MD_CTX_free(ctx);
181 			return -1;
182 		}
183 	}
184 	if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
185 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
186 			   ERR_error_string(ERR_get_error(), NULL));
187 		EVP_MD_CTX_free(ctx);
188 		return -1;
189 	}
190 	EVP_MD_CTX_free(ctx);
191 
192 	return 0;
193 }
194 
195 
196 #ifndef CONFIG_FIPS
md4_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)197 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
198 {
199 	return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
200 }
201 #endif /* CONFIG_FIPS */
202 
203 
des_encrypt(const u8 * clear,const u8 * key,u8 * cypher)204 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
205 {
206 	u8 pkey[8], next, tmp;
207 	int i;
208 	DES_key_schedule ks;
209 
210 	/* Add parity bits to the key */
211 	next = 0;
212 	for (i = 0; i < 7; i++) {
213 		tmp = key[i];
214 		pkey[i] = (tmp >> i) | next | 1;
215 		next = tmp << (7 - i);
216 	}
217 	pkey[i] = next | 1;
218 
219 	DES_set_key((DES_cblock *) &pkey, &ks);
220 	DES_ecb_encrypt((DES_cblock *) clear, (DES_cblock *) cypher, &ks,
221 			DES_ENCRYPT);
222 	return 0;
223 }
224 
225 
226 #ifndef CONFIG_NO_RC4
rc4_skip(const u8 * key,size_t keylen,size_t skip,u8 * data,size_t data_len)227 int rc4_skip(const u8 *key, size_t keylen, size_t skip,
228 	     u8 *data, size_t data_len)
229 {
230 #ifdef OPENSSL_NO_RC4
231 	return -1;
232 #else /* OPENSSL_NO_RC4 */
233 	EVP_CIPHER_CTX *ctx;
234 	int outl;
235 	int res = -1;
236 	unsigned char skip_buf[16];
237 
238 	ctx = EVP_CIPHER_CTX_new();
239 	if (!ctx ||
240 	    !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
241 	    !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
242 	    !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
243 	    !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
244 		goto out;
245 
246 	while (skip >= sizeof(skip_buf)) {
247 		size_t len = skip;
248 		if (len > sizeof(skip_buf))
249 			len = sizeof(skip_buf);
250 		if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
251 			goto out;
252 		skip -= len;
253 	}
254 
255 	if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
256 		res = 0;
257 
258 out:
259 	if (ctx)
260 		EVP_CIPHER_CTX_free(ctx);
261 	return res;
262 #endif /* OPENSSL_NO_RC4 */
263 }
264 #endif /* CONFIG_NO_RC4 */
265 
266 
267 #ifndef CONFIG_FIPS
md5_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)268 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
269 {
270 	return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
271 }
272 #endif /* CONFIG_FIPS */
273 
274 
sha1_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)275 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
276 {
277 	return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
278 }
279 
280 
281 #ifndef NO_SHA256_WRAPPER
sha256_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)282 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
283 		  u8 *mac)
284 {
285 	return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
286 }
287 #endif /* NO_SHA256_WRAPPER */
288 
289 
290 #ifndef NO_SHA384_WRAPPER
sha384_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)291 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
292 		  u8 *mac)
293 {
294 	return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);
295 }
296 #endif /* NO_SHA384_WRAPPER */
297 
298 
299 #ifndef NO_SHA512_WRAPPER
sha512_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)300 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
301 		  u8 *mac)
302 {
303 	return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
304 }
305 #endif /* NO_SHA512_WRAPPER */
306 
307 
aes_get_evp_cipher(size_t keylen)308 static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
309 {
310 	switch (keylen) {
311 	case 16:
312 		return EVP_aes_128_ecb();
313 	case 24:
314 		return EVP_aes_192_ecb();
315 	case 32:
316 		return EVP_aes_256_ecb();
317 	}
318 
319 	return NULL;
320 }
321 
322 
aes_encrypt_init(const u8 * key,size_t len)323 void * aes_encrypt_init(const u8 *key, size_t len)
324 {
325 	EVP_CIPHER_CTX *ctx;
326 	const EVP_CIPHER *type;
327 
328 	if (TEST_FAIL())
329 		return NULL;
330 
331 	type = aes_get_evp_cipher(len);
332 	if (!type) {
333 		wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
334 			   __func__, (unsigned int) len);
335 		return NULL;
336 	}
337 
338 	ctx = EVP_CIPHER_CTX_new();
339 	if (ctx == NULL)
340 		return NULL;
341 	if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
342 		os_free(ctx);
343 		return NULL;
344 	}
345 	EVP_CIPHER_CTX_set_padding(ctx, 0);
346 	return ctx;
347 }
348 
349 
aes_encrypt(void * ctx,const u8 * plain,u8 * crypt)350 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
351 {
352 	EVP_CIPHER_CTX *c = ctx;
353 	int clen = 16;
354 	if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
355 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
356 			   ERR_error_string(ERR_get_error(), NULL));
357 		return -1;
358 	}
359 	return 0;
360 }
361 
362 
aes_encrypt_deinit(void * ctx)363 void aes_encrypt_deinit(void *ctx)
364 {
365 	EVP_CIPHER_CTX *c = ctx;
366 	u8 buf[16];
367 	int len = sizeof(buf);
368 	if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
369 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
370 			   "%s", ERR_error_string(ERR_get_error(), NULL));
371 	}
372 	if (len != 0) {
373 		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
374 			   "in AES encrypt", len);
375 	}
376 	EVP_CIPHER_CTX_free(c);
377 }
378 
379 
aes_decrypt_init(const u8 * key,size_t len)380 void * aes_decrypt_init(const u8 *key, size_t len)
381 {
382 	EVP_CIPHER_CTX *ctx;
383 	const EVP_CIPHER *type;
384 
385 	if (TEST_FAIL())
386 		return NULL;
387 
388 	type = aes_get_evp_cipher(len);
389 	if (!type) {
390 		wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
391 			   __func__, (unsigned int) len);
392 		return NULL;
393 	}
394 
395 	ctx = EVP_CIPHER_CTX_new();
396 	if (ctx == NULL)
397 		return NULL;
398 	if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1) {
399 		EVP_CIPHER_CTX_free(ctx);
400 		return NULL;
401 	}
402 	EVP_CIPHER_CTX_set_padding(ctx, 0);
403 	return ctx;
404 }
405 
406 
aes_decrypt(void * ctx,const u8 * crypt,u8 * plain)407 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
408 {
409 	EVP_CIPHER_CTX *c = ctx;
410 	int plen = 16;
411 	if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
412 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
413 			   ERR_error_string(ERR_get_error(), NULL));
414 		return -1;
415 	}
416 	return 0;
417 }
418 
419 
aes_decrypt_deinit(void * ctx)420 void aes_decrypt_deinit(void *ctx)
421 {
422 	EVP_CIPHER_CTX *c = ctx;
423 	u8 buf[16];
424 	int len = sizeof(buf);
425 	if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
426 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
427 			   "%s", ERR_error_string(ERR_get_error(), NULL));
428 	}
429 	if (len != 0) {
430 		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
431 			   "in AES decrypt", len);
432 	}
433 	EVP_CIPHER_CTX_free(c);
434 }
435 
436 
437 #ifndef CONFIG_FIPS
438 #ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
439 
aes_wrap(const u8 * kek,size_t kek_len,int n,const u8 * plain,u8 * cipher)440 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
441 {
442 	AES_KEY actx;
443 	int res;
444 
445 	if (TEST_FAIL())
446 		return -1;
447 	if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
448 		return -1;
449 	res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
450 	OPENSSL_cleanse(&actx, sizeof(actx));
451 	return res <= 0 ? -1 : 0;
452 }
453 
454 
aes_unwrap(const u8 * kek,size_t kek_len,int n,const u8 * cipher,u8 * plain)455 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
456 	       u8 *plain)
457 {
458 	AES_KEY actx;
459 	int res;
460 
461 	if (TEST_FAIL())
462 		return -1;
463 	if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
464 		return -1;
465 	res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
466 	OPENSSL_cleanse(&actx, sizeof(actx));
467 	return res <= 0 ? -1 : 0;
468 }
469 
470 #endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
471 #endif /* CONFIG_FIPS */
472 
473 
aes_128_cbc_encrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)474 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
475 {
476 	EVP_CIPHER_CTX *ctx;
477 	int clen, len;
478 	u8 buf[16];
479 	int res = -1;
480 
481 	if (TEST_FAIL())
482 		return -1;
483 
484 	ctx = EVP_CIPHER_CTX_new();
485 	if (!ctx)
486 		return -1;
487 	clen = data_len;
488 	len = sizeof(buf);
489 	if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
490 	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
491 	    EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
492 	    clen == (int) data_len &&
493 	    EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
494 		res = 0;
495 	EVP_CIPHER_CTX_free(ctx);
496 
497 	return res;
498 }
499 
500 
aes_128_cbc_decrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)501 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
502 {
503 	EVP_CIPHER_CTX *ctx;
504 	int plen, len;
505 	u8 buf[16];
506 	int res = -1;
507 
508 	if (TEST_FAIL())
509 		return -1;
510 
511 	ctx = EVP_CIPHER_CTX_new();
512 	if (!ctx)
513 		return -1;
514 	plen = data_len;
515 	len = sizeof(buf);
516 	if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
517 	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
518 	    EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
519 	    plen == (int) data_len &&
520 	    EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
521 		res = 0;
522 	EVP_CIPHER_CTX_free(ctx);
523 
524 	return res;
525 
526 }
527 
528 
crypto_dh_init(u8 generator,const u8 * prime,size_t prime_len,u8 * privkey,u8 * pubkey)529 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
530 		   u8 *pubkey)
531 {
532 	size_t pubkey_len, pad;
533 
534 	if (os_get_random(privkey, prime_len) < 0)
535 		return -1;
536 	if (os_memcmp(privkey, prime, prime_len) > 0) {
537 		/* Make sure private value is smaller than prime */
538 		privkey[0] = 0;
539 	}
540 
541 	pubkey_len = prime_len;
542 	if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
543 			   pubkey, &pubkey_len) < 0)
544 		return -1;
545 	if (pubkey_len < prime_len) {
546 		pad = prime_len - pubkey_len;
547 		os_memmove(pubkey + pad, pubkey, pubkey_len);
548 		os_memset(pubkey, 0, pad);
549 	}
550 
551 	return 0;
552 }
553 
554 
crypto_dh_derive_secret(u8 generator,const u8 * prime,size_t prime_len,const u8 * order,size_t order_len,const u8 * privkey,size_t privkey_len,const u8 * pubkey,size_t pubkey_len,u8 * secret,size_t * len)555 int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
556 			    const u8 *order, size_t order_len,
557 			    const u8 *privkey, size_t privkey_len,
558 			    const u8 *pubkey, size_t pubkey_len,
559 			    u8 *secret, size_t *len)
560 {
561 	BIGNUM *pub, *p;
562 	int res = -1;
563 
564 	pub = BN_bin2bn(pubkey, pubkey_len, NULL);
565 	p = BN_bin2bn(prime, prime_len, NULL);
566 	if (!pub || !p || BN_is_zero(pub) || BN_is_one(pub) ||
567 	    BN_cmp(pub, p) >= 0)
568 		goto fail;
569 
570 	if (order) {
571 		BN_CTX *ctx;
572 		BIGNUM *q, *tmp;
573 		int failed;
574 
575 		/* verify: pubkey^q == 1 mod p */
576 		q = BN_bin2bn(order, order_len, NULL);
577 		ctx = BN_CTX_new();
578 		tmp = BN_new();
579 		failed = !q || !ctx || !tmp ||
580 			!BN_mod_exp(tmp, pub, q, p, ctx) ||
581 			!BN_is_one(tmp);
582 		BN_clear_free(q);
583 		BN_clear_free(tmp);
584 		BN_CTX_free(ctx);
585 		if (failed)
586 			goto fail;
587 	}
588 
589 	res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,
590 			     prime, prime_len, secret, len);
591 fail:
592 	BN_clear_free(pub);
593 	BN_clear_free(p);
594 	return res;
595 }
596 
597 
crypto_mod_exp(const u8 * base,size_t base_len,const u8 * power,size_t power_len,const u8 * modulus,size_t modulus_len,u8 * result,size_t * result_len)598 int crypto_mod_exp(const u8 *base, size_t base_len,
599 		   const u8 *power, size_t power_len,
600 		   const u8 *modulus, size_t modulus_len,
601 		   u8 *result, size_t *result_len)
602 {
603 	BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
604 	int ret = -1;
605 	BN_CTX *ctx;
606 
607 	ctx = BN_CTX_new();
608 	if (ctx == NULL)
609 		return -1;
610 
611 	bn_base = BN_bin2bn(base, base_len, NULL);
612 	bn_exp = BN_bin2bn(power, power_len, NULL);
613 	bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
614 	bn_result = BN_new();
615 
616 	if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
617 	    bn_result == NULL)
618 		goto error;
619 
620 	if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
621 				      ctx, NULL) != 1)
622 		goto error;
623 
624 	*result_len = BN_bn2bin(bn_result, result);
625 	ret = 0;
626 
627 error:
628 	BN_clear_free(bn_base);
629 	BN_clear_free(bn_exp);
630 	BN_clear_free(bn_modulus);
631 	BN_clear_free(bn_result);
632 	BN_CTX_free(ctx);
633 	return ret;
634 }
635 
636 
637 struct crypto_cipher {
638 	EVP_CIPHER_CTX *enc;
639 	EVP_CIPHER_CTX *dec;
640 };
641 
642 
crypto_cipher_init(enum crypto_cipher_alg alg,const u8 * iv,const u8 * key,size_t key_len)643 struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
644 					  const u8 *iv, const u8 *key,
645 					  size_t key_len)
646 {
647 	struct crypto_cipher *ctx;
648 	const EVP_CIPHER *cipher;
649 
650 	ctx = os_zalloc(sizeof(*ctx));
651 	if (ctx == NULL)
652 		return NULL;
653 
654 	switch (alg) {
655 #ifndef CONFIG_NO_RC4
656 #ifndef OPENSSL_NO_RC4
657 	case CRYPTO_CIPHER_ALG_RC4:
658 		cipher = EVP_rc4();
659 		break;
660 #endif /* OPENSSL_NO_RC4 */
661 #endif /* CONFIG_NO_RC4 */
662 #ifndef OPENSSL_NO_AES
663 	case CRYPTO_CIPHER_ALG_AES:
664 		switch (key_len) {
665 		case 16:
666 			cipher = EVP_aes_128_cbc();
667 			break;
668 #ifndef OPENSSL_IS_BORINGSSL
669 		case 24:
670 			cipher = EVP_aes_192_cbc();
671 			break;
672 #endif /* OPENSSL_IS_BORINGSSL */
673 		case 32:
674 			cipher = EVP_aes_256_cbc();
675 			break;
676 		default:
677 			os_free(ctx);
678 			return NULL;
679 		}
680 		break;
681 #endif /* OPENSSL_NO_AES */
682 #ifndef OPENSSL_NO_DES
683 	case CRYPTO_CIPHER_ALG_3DES:
684 		cipher = EVP_des_ede3_cbc();
685 		break;
686 	case CRYPTO_CIPHER_ALG_DES:
687 		cipher = EVP_des_cbc();
688 		break;
689 #endif /* OPENSSL_NO_DES */
690 #ifndef OPENSSL_NO_RC2
691 	case CRYPTO_CIPHER_ALG_RC2:
692 		cipher = EVP_rc2_ecb();
693 		break;
694 #endif /* OPENSSL_NO_RC2 */
695 	default:
696 		os_free(ctx);
697 		return NULL;
698 	}
699 
700 	if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
701 	    !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
702 	    !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
703 	    !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
704 	    !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
705 		if (ctx->enc)
706 			EVP_CIPHER_CTX_free(ctx->enc);
707 		os_free(ctx);
708 		return NULL;
709 	}
710 
711 	if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
712 	    !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
713 	    !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
714 	    !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
715 	    !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
716 		EVP_CIPHER_CTX_free(ctx->enc);
717 		if (ctx->dec)
718 			EVP_CIPHER_CTX_free(ctx->dec);
719 		os_free(ctx);
720 		return NULL;
721 	}
722 
723 	return ctx;
724 }
725 
726 
crypto_cipher_encrypt(struct crypto_cipher * ctx,const u8 * plain,u8 * crypt,size_t len)727 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
728 			  u8 *crypt, size_t len)
729 {
730 	int outl;
731 	if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
732 		return -1;
733 	return 0;
734 }
735 
736 
crypto_cipher_decrypt(struct crypto_cipher * ctx,const u8 * crypt,u8 * plain,size_t len)737 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
738 			  u8 *plain, size_t len)
739 {
740 	int outl;
741 	outl = len;
742 	if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
743 		return -1;
744 	return 0;
745 }
746 
747 
crypto_cipher_deinit(struct crypto_cipher * ctx)748 void crypto_cipher_deinit(struct crypto_cipher *ctx)
749 {
750 	EVP_CIPHER_CTX_free(ctx->enc);
751 	EVP_CIPHER_CTX_free(ctx->dec);
752 	os_free(ctx);
753 }
754 
755 
dh5_init(struct wpabuf ** priv,struct wpabuf ** publ)756 void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
757 {
758 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
759 	(defined(LIBRESSL_VERSION_NUMBER) && \
760 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
761 	DH *dh;
762 	struct wpabuf *pubkey = NULL, *privkey = NULL;
763 	size_t publen, privlen;
764 
765 	*priv = NULL;
766 	wpabuf_free(*publ);
767 	*publ = NULL;
768 
769 	dh = DH_new();
770 	if (dh == NULL)
771 		return NULL;
772 
773 	dh->g = BN_new();
774 	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
775 		goto err;
776 
777 	dh->p = get_group5_prime();
778 	if (dh->p == NULL)
779 		goto err;
780 
781 	dh->q = get_group5_order();
782 	if (!dh->q)
783 		goto err;
784 
785 	if (DH_generate_key(dh) != 1)
786 		goto err;
787 
788 	publen = BN_num_bytes(dh->pub_key);
789 	pubkey = wpabuf_alloc(publen);
790 	if (pubkey == NULL)
791 		goto err;
792 	privlen = BN_num_bytes(dh->priv_key);
793 	privkey = wpabuf_alloc(privlen);
794 	if (privkey == NULL)
795 		goto err;
796 
797 	BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
798 	BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));
799 
800 	*priv = privkey;
801 	*publ = pubkey;
802 	return dh;
803 
804 err:
805 	wpabuf_clear_free(pubkey);
806 	wpabuf_clear_free(privkey);
807 	DH_free(dh);
808 	return NULL;
809 #else
810 	DH *dh;
811 	struct wpabuf *pubkey = NULL, *privkey = NULL;
812 	size_t publen, privlen;
813 	BIGNUM *p, *g, *q;
814 	const BIGNUM *priv_key = NULL, *pub_key = NULL;
815 
816 	*priv = NULL;
817 	wpabuf_free(*publ);
818 	*publ = NULL;
819 
820 	dh = DH_new();
821 	if (dh == NULL)
822 		return NULL;
823 
824 	g = BN_new();
825 	p = get_group5_prime();
826 	q = get_group5_order();
827 	if (!g || BN_set_word(g, 2) != 1 || !p || !q ||
828 	    DH_set0_pqg(dh, p, q, g) != 1)
829 		goto err;
830 	p = NULL;
831 	q = NULL;
832 	g = NULL;
833 
834 	if (DH_generate_key(dh) != 1)
835 		goto err;
836 
837 	DH_get0_key(dh, &pub_key, &priv_key);
838 	publen = BN_num_bytes(pub_key);
839 	pubkey = wpabuf_alloc(publen);
840 	if (!pubkey)
841 		goto err;
842 	privlen = BN_num_bytes(priv_key);
843 	privkey = wpabuf_alloc(privlen);
844 	if (!privkey)
845 		goto err;
846 
847 	BN_bn2bin(pub_key, wpabuf_put(pubkey, publen));
848 	BN_bn2bin(priv_key, wpabuf_put(privkey, privlen));
849 
850 	*priv = privkey;
851 	*publ = pubkey;
852 	return dh;
853 
854 err:
855 	BN_free(p);
856 	BN_free(q);
857 	BN_free(g);
858 	wpabuf_clear_free(pubkey);
859 	wpabuf_clear_free(privkey);
860 	DH_free(dh);
861 	return NULL;
862 #endif
863 }
864 
865 
dh5_init_fixed(const struct wpabuf * priv,const struct wpabuf * publ)866 void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
867 {
868 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
869 	(defined(LIBRESSL_VERSION_NUMBER) && \
870 	 LIBRESSL_VERSION_NUMBER < 0x20700000L)
871 	DH *dh;
872 
873 	dh = DH_new();
874 	if (dh == NULL)
875 		return NULL;
876 
877 	dh->g = BN_new();
878 	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
879 		goto err;
880 
881 	dh->p = get_group5_prime();
882 	if (dh->p == NULL)
883 		goto err;
884 
885 	dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
886 	if (dh->priv_key == NULL)
887 		goto err;
888 
889 	dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
890 	if (dh->pub_key == NULL)
891 		goto err;
892 
893 	if (DH_generate_key(dh) != 1)
894 		goto err;
895 
896 	return dh;
897 
898 err:
899 	DH_free(dh);
900 	return NULL;
901 #else
902 	DH *dh;
903 	BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL;
904 
905 	dh = DH_new();
906 	if (dh == NULL)
907 		return NULL;
908 
909 	g = BN_new();
910 	p = get_group5_prime();
911 	if (!g || BN_set_word(g, 2) != 1 || !p ||
912 	    DH_set0_pqg(dh, p, NULL, g) != 1)
913 		goto err;
914 	p = NULL;
915 	g = NULL;
916 
917 	priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
918 	pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
919 	if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1)
920 		goto err;
921 	pub_key = NULL;
922 	priv_key = NULL;
923 
924 	if (DH_generate_key(dh) != 1)
925 		goto err;
926 
927 	return dh;
928 
929 err:
930 	BN_free(p);
931 	BN_free(g);
932 	BN_free(pub_key);
933 	BN_clear_free(priv_key);
934 	DH_free(dh);
935 	return NULL;
936 #endif
937 }
938 
939 
dh5_derive_shared(void * ctx,const struct wpabuf * peer_public,const struct wpabuf * own_private)940 struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
941 				  const struct wpabuf *own_private)
942 {
943 	BIGNUM *pub_key;
944 	struct wpabuf *res = NULL;
945 	size_t rlen;
946 	DH *dh = ctx;
947 	int keylen;
948 
949 	if (ctx == NULL)
950 		return NULL;
951 
952 	pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
953 			    NULL);
954 	if (pub_key == NULL)
955 		return NULL;
956 
957 	rlen = DH_size(dh);
958 	res = wpabuf_alloc(rlen);
959 	if (res == NULL)
960 		goto err;
961 
962 	keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
963 	if (keylen < 0)
964 		goto err;
965 	wpabuf_put(res, keylen);
966 	BN_clear_free(pub_key);
967 
968 	return res;
969 
970 err:
971 	BN_clear_free(pub_key);
972 	wpabuf_clear_free(res);
973 	return NULL;
974 }
975 
976 
dh5_free(void * ctx)977 void dh5_free(void *ctx)
978 {
979 	DH *dh;
980 	if (ctx == NULL)
981 		return;
982 	dh = ctx;
983 	DH_free(dh);
984 }
985 
986 
987 struct crypto_hash {
988 	HMAC_CTX *ctx;
989 };
990 
991 
crypto_hash_init(enum crypto_hash_alg alg,const u8 * key,size_t key_len)992 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
993 				      size_t key_len)
994 {
995 	struct crypto_hash *ctx;
996 	const EVP_MD *md;
997 
998 	switch (alg) {
999 #ifndef OPENSSL_NO_MD5
1000 	case CRYPTO_HASH_ALG_HMAC_MD5:
1001 		md = EVP_md5();
1002 		break;
1003 #endif /* OPENSSL_NO_MD5 */
1004 #ifndef OPENSSL_NO_SHA
1005 	case CRYPTO_HASH_ALG_HMAC_SHA1:
1006 		md = EVP_sha1();
1007 		break;
1008 #endif /* OPENSSL_NO_SHA */
1009 #ifndef OPENSSL_NO_SHA256
1010 #ifdef CONFIG_SHA256
1011 	case CRYPTO_HASH_ALG_HMAC_SHA256:
1012 		md = EVP_sha256();
1013 		break;
1014 #endif /* CONFIG_SHA256 */
1015 #endif /* OPENSSL_NO_SHA256 */
1016 	default:
1017 		return NULL;
1018 	}
1019 
1020 	ctx = os_zalloc(sizeof(*ctx));
1021 	if (ctx == NULL)
1022 		return NULL;
1023 	ctx->ctx = HMAC_CTX_new();
1024 	if (!ctx->ctx) {
1025 		os_free(ctx);
1026 		return NULL;
1027 	}
1028 
1029 	if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
1030 		HMAC_CTX_free(ctx->ctx);
1031 		bin_clear_free(ctx, sizeof(*ctx));
1032 		return NULL;
1033 	}
1034 
1035 	return ctx;
1036 }
1037 
1038 
crypto_hash_update(struct crypto_hash * ctx,const u8 * data,size_t len)1039 void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
1040 {
1041 	if (ctx == NULL)
1042 		return;
1043 	HMAC_Update(ctx->ctx, data, len);
1044 }
1045 
1046 
crypto_hash_finish(struct crypto_hash * ctx,u8 * mac,size_t * len)1047 int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
1048 {
1049 	unsigned int mdlen;
1050 	int res;
1051 
1052 	if (ctx == NULL)
1053 		return -2;
1054 
1055 	if (mac == NULL || len == NULL) {
1056 		HMAC_CTX_free(ctx->ctx);
1057 		bin_clear_free(ctx, sizeof(*ctx));
1058 		return 0;
1059 	}
1060 
1061 	mdlen = *len;
1062 	res = HMAC_Final(ctx->ctx, mac, &mdlen);
1063 	HMAC_CTX_free(ctx->ctx);
1064 	bin_clear_free(ctx, sizeof(*ctx));
1065 
1066 	if (TEST_FAIL())
1067 		return -1;
1068 
1069 	if (res == 1) {
1070 		*len = mdlen;
1071 		return 0;
1072 	}
1073 
1074 	return -1;
1075 }
1076 
1077 
openssl_hmac_vector(const EVP_MD * type,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac,unsigned int mdlen)1078 static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
1079 			       size_t key_len, size_t num_elem,
1080 			       const u8 *addr[], const size_t *len, u8 *mac,
1081 			       unsigned int mdlen)
1082 {
1083 	HMAC_CTX *ctx;
1084 	size_t i;
1085 	int res;
1086 
1087 	if (TEST_FAIL())
1088 		return -1;
1089 
1090 	ctx = HMAC_CTX_new();
1091 	if (!ctx)
1092 		return -1;
1093 	res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
1094 	if (res != 1)
1095 		goto done;
1096 
1097 	for (i = 0; i < num_elem; i++)
1098 		HMAC_Update(ctx, addr[i], len[i]);
1099 
1100 	res = HMAC_Final(ctx, mac, &mdlen);
1101 done:
1102 	HMAC_CTX_free(ctx);
1103 
1104 	return res == 1 ? 0 : -1;
1105 }
1106 
1107 
1108 #ifndef CONFIG_FIPS
1109 
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1110 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
1111 		    const u8 *addr[], const size_t *len, u8 *mac)
1112 {
1113 	return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
1114 				   mac, 16);
1115 }
1116 
1117 
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1118 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1119 	     u8 *mac)
1120 {
1121 	return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
1122 }
1123 
1124 #endif /* CONFIG_FIPS */
1125 
1126 
pbkdf2_sha1(const char * passphrase,const u8 * ssid,size_t ssid_len,int iterations,u8 * buf,size_t buflen)1127 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
1128 		int iterations, u8 *buf, size_t buflen)
1129 {
1130 	if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
1131 				   ssid_len, iterations, buflen, buf) != 1)
1132 		return -1;
1133 	return 0;
1134 }
1135 
1136 
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1137 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
1138 		     const u8 *addr[], const size_t *len, u8 *mac)
1139 {
1140 	return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
1141 				   len, mac, 20);
1142 }
1143 
1144 
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1145 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
1146 	       u8 *mac)
1147 {
1148 	return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
1149 }
1150 
1151 
1152 #ifdef CONFIG_SHA256
1153 
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1154 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
1155 		       const u8 *addr[], const size_t *len, u8 *mac)
1156 {
1157 	return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
1158 				   len, mac, 32);
1159 }
1160 
1161 
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1162 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
1163 		size_t data_len, u8 *mac)
1164 {
1165 	return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
1166 }
1167 
1168 #endif /* CONFIG_SHA256 */
1169 
1170 
1171 #ifdef CONFIG_SHA384
1172 
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1173 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
1174 		       const u8 *addr[], const size_t *len, u8 *mac)
1175 {
1176 	return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
1177 				   len, mac, 48);
1178 }
1179 
1180 
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1181 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
1182 		size_t data_len, u8 *mac)
1183 {
1184 	return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
1185 }
1186 
1187 #endif /* CONFIG_SHA384 */
1188 
1189 
1190 #ifdef CONFIG_SHA512
1191 
hmac_sha512_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1192 int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
1193 		       const u8 *addr[], const size_t *len, u8 *mac)
1194 {
1195 	return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
1196 				   len, mac, 64);
1197 }
1198 
1199 
hmac_sha512(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)1200 int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
1201 		size_t data_len, u8 *mac)
1202 {
1203 	return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
1204 }
1205 
1206 #endif /* CONFIG_SHA512 */
1207 
1208 
crypto_get_random(void * buf,size_t len)1209 int crypto_get_random(void *buf, size_t len)
1210 {
1211 	if (RAND_bytes(buf, len) != 1)
1212 		return -1;
1213 	return 0;
1214 }
1215 
1216 
1217 #ifdef CONFIG_OPENSSL_CMAC
omac1_aes_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1218 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
1219 		     const u8 *addr[], const size_t *len, u8 *mac)
1220 {
1221 	CMAC_CTX *ctx;
1222 	int ret = -1;
1223 	size_t outlen, i;
1224 
1225 	if (TEST_FAIL())
1226 		return -1;
1227 
1228 	ctx = CMAC_CTX_new();
1229 	if (ctx == NULL)
1230 		return -1;
1231 
1232 	if (key_len == 32) {
1233 		if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
1234 			goto fail;
1235 	} else if (key_len == 16) {
1236 		if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
1237 			goto fail;
1238 	} else {
1239 		goto fail;
1240 	}
1241 	for (i = 0; i < num_elem; i++) {
1242 		if (!CMAC_Update(ctx, addr[i], len[i]))
1243 			goto fail;
1244 	}
1245 	if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
1246 		goto fail;
1247 
1248 	ret = 0;
1249 fail:
1250 	CMAC_CTX_free(ctx);
1251 	return ret;
1252 }
1253 
1254 
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)1255 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
1256 			 const u8 *addr[], const size_t *len, u8 *mac)
1257 {
1258 	return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
1259 }
1260 
1261 
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1262 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1263 {
1264 	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
1265 }
1266 
1267 
omac1_aes_256(const u8 * key,const u8 * data,size_t data_len,u8 * mac)1268 int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
1269 {
1270 	return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
1271 }
1272 #endif /* CONFIG_OPENSSL_CMAC */
1273 
1274 
crypto_bignum_init(void)1275 struct crypto_bignum * crypto_bignum_init(void)
1276 {
1277 	if (TEST_FAIL())
1278 		return NULL;
1279 	return (struct crypto_bignum *) BN_new();
1280 }
1281 
1282 
crypto_bignum_init_set(const u8 * buf,size_t len)1283 struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
1284 {
1285 	BIGNUM *bn;
1286 
1287 	if (TEST_FAIL())
1288 		return NULL;
1289 
1290 	bn = BN_bin2bn(buf, len, NULL);
1291 	return (struct crypto_bignum *) bn;
1292 }
1293 
1294 
crypto_bignum_init_uint(unsigned int val)1295 struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
1296 {
1297 	BIGNUM *bn;
1298 
1299 	if (TEST_FAIL())
1300 		return NULL;
1301 
1302 	bn = BN_new();
1303 	if (!bn)
1304 		return NULL;
1305 	if (BN_set_word(bn, val) != 1) {
1306 		BN_free(bn);
1307 		return NULL;
1308 	}
1309 	return (struct crypto_bignum *) bn;
1310 }
1311 
1312 
crypto_bignum_deinit(struct crypto_bignum * n,int clear)1313 void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
1314 {
1315 	if (clear)
1316 		BN_clear_free((BIGNUM *) n);
1317 	else
1318 		BN_free((BIGNUM *) n);
1319 }
1320 
1321 
crypto_bignum_to_bin(const struct crypto_bignum * a,u8 * buf,size_t buflen,size_t padlen)1322 int crypto_bignum_to_bin(const struct crypto_bignum *a,
1323 			 u8 *buf, size_t buflen, size_t padlen)
1324 {
1325 	int num_bytes, offset;
1326 
1327 	if (TEST_FAIL())
1328 		return -1;
1329 
1330 	if (padlen > buflen)
1331 		return -1;
1332 
1333 	if (padlen) {
1334 #ifdef OPENSSL_IS_BORINGSSL
1335 		if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
1336 			return -1;
1337 		return padlen;
1338 #else /* OPENSSL_IS_BORINGSSL */
1339 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
1340 		return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
1341 #endif
1342 #endif
1343 	}
1344 
1345 	num_bytes = BN_num_bytes((const BIGNUM *) a);
1346 	if ((size_t) num_bytes > buflen)
1347 		return -1;
1348 	if (padlen > (size_t) num_bytes)
1349 		offset = padlen - num_bytes;
1350 	else
1351 		offset = 0;
1352 
1353 	os_memset(buf, 0, offset);
1354 	BN_bn2bin((const BIGNUM *) a, buf + offset);
1355 
1356 	return num_bytes + offset;
1357 }
1358 
1359 
crypto_bignum_rand(struct crypto_bignum * r,const struct crypto_bignum * m)1360 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
1361 {
1362 	if (TEST_FAIL())
1363 		return -1;
1364 	return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1;
1365 }
1366 
1367 
crypto_bignum_add(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1368 int crypto_bignum_add(const struct crypto_bignum *a,
1369 		      const struct crypto_bignum *b,
1370 		      struct crypto_bignum *c)
1371 {
1372 	return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1373 		0 : -1;
1374 }
1375 
1376 
crypto_bignum_mod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1377 int crypto_bignum_mod(const struct crypto_bignum *a,
1378 		      const struct crypto_bignum *b,
1379 		      struct crypto_bignum *c)
1380 {
1381 	int res;
1382 	BN_CTX *bnctx;
1383 
1384 	bnctx = BN_CTX_new();
1385 	if (bnctx == NULL)
1386 		return -1;
1387 	res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1388 		     bnctx);
1389 	BN_CTX_free(bnctx);
1390 
1391 	return res ? 0 : -1;
1392 }
1393 
1394 
crypto_bignum_exptmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1395 int crypto_bignum_exptmod(const struct crypto_bignum *a,
1396 			  const struct crypto_bignum *b,
1397 			  const struct crypto_bignum *c,
1398 			  struct crypto_bignum *d)
1399 {
1400 	int res;
1401 	BN_CTX *bnctx;
1402 
1403 	if (TEST_FAIL())
1404 		return -1;
1405 
1406 	bnctx = BN_CTX_new();
1407 	if (bnctx == NULL)
1408 		return -1;
1409 	res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
1410 					(const BIGNUM *) b, (const BIGNUM *) c,
1411 					bnctx, NULL);
1412 	BN_CTX_free(bnctx);
1413 
1414 	return res ? 0 : -1;
1415 }
1416 
1417 
crypto_bignum_inverse(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1418 int crypto_bignum_inverse(const struct crypto_bignum *a,
1419 			  const struct crypto_bignum *b,
1420 			  struct crypto_bignum *c)
1421 {
1422 	BIGNUM *res;
1423 	BN_CTX *bnctx;
1424 
1425 	if (TEST_FAIL())
1426 		return -1;
1427 	bnctx = BN_CTX_new();
1428 	if (bnctx == NULL)
1429 		return -1;
1430 #ifdef OPENSSL_IS_BORINGSSL
1431 	/* TODO: use BN_mod_inverse_blinded() ? */
1432 #else /* OPENSSL_IS_BORINGSSL */
1433 	BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
1434 #endif /* OPENSSL_IS_BORINGSSL */
1435 	res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
1436 			     (const BIGNUM *) b, bnctx);
1437 	BN_CTX_free(bnctx);
1438 
1439 	return res ? 0 : -1;
1440 }
1441 
1442 
crypto_bignum_sub(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1443 int crypto_bignum_sub(const struct crypto_bignum *a,
1444 		      const struct crypto_bignum *b,
1445 		      struct crypto_bignum *c)
1446 {
1447 	if (TEST_FAIL())
1448 		return -1;
1449 	return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
1450 		0 : -1;
1451 }
1452 
1453 
crypto_bignum_div(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1454 int crypto_bignum_div(const struct crypto_bignum *a,
1455 		      const struct crypto_bignum *b,
1456 		      struct crypto_bignum *c)
1457 {
1458 	int res;
1459 
1460 	BN_CTX *bnctx;
1461 
1462 	if (TEST_FAIL())
1463 		return -1;
1464 
1465 	bnctx = BN_CTX_new();
1466 	if (bnctx == NULL)
1467 		return -1;
1468 #ifndef OPENSSL_IS_BORINGSSL
1469 	BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
1470 #endif /* OPENSSL_IS_BORINGSSL */
1471 	res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
1472 		     (const BIGNUM *) b, bnctx);
1473 	BN_CTX_free(bnctx);
1474 
1475 	return res ? 0 : -1;
1476 }
1477 
1478 
crypto_bignum_addmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1479 int crypto_bignum_addmod(const struct crypto_bignum *a,
1480 			 const struct crypto_bignum *b,
1481 			 const struct crypto_bignum *c,
1482 			 struct crypto_bignum *d)
1483 {
1484 	int res;
1485 	BN_CTX *bnctx;
1486 
1487 	if (TEST_FAIL())
1488 		return -1;
1489 
1490 	bnctx = BN_CTX_new();
1491 	if (!bnctx)
1492 		return -1;
1493 	res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1494 			 (const BIGNUM *) c, bnctx);
1495 	BN_CTX_free(bnctx);
1496 
1497 	return res ? 0 : -1;
1498 }
1499 
1500 
crypto_bignum_mulmod(const struct crypto_bignum * a,const struct crypto_bignum * b,const struct crypto_bignum * c,struct crypto_bignum * d)1501 int crypto_bignum_mulmod(const struct crypto_bignum *a,
1502 			 const struct crypto_bignum *b,
1503 			 const struct crypto_bignum *c,
1504 			 struct crypto_bignum *d)
1505 {
1506 	int res;
1507 
1508 	BN_CTX *bnctx;
1509 
1510 	if (TEST_FAIL())
1511 		return -1;
1512 
1513 	bnctx = BN_CTX_new();
1514 	if (bnctx == NULL)
1515 		return -1;
1516 	res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
1517 			 (const BIGNUM *) c, bnctx);
1518 	BN_CTX_free(bnctx);
1519 
1520 	return res ? 0 : -1;
1521 }
1522 
1523 
crypto_bignum_sqrmod(const struct crypto_bignum * a,const struct crypto_bignum * b,struct crypto_bignum * c)1524 int crypto_bignum_sqrmod(const struct crypto_bignum *a,
1525 			 const struct crypto_bignum *b,
1526 			 struct crypto_bignum *c)
1527 {
1528 	int res;
1529 	BN_CTX *bnctx;
1530 
1531 	if (TEST_FAIL())
1532 		return -1;
1533 
1534 	bnctx = BN_CTX_new();
1535 	if (!bnctx)
1536 		return -1;
1537 	res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
1538 			 bnctx);
1539 	BN_CTX_free(bnctx);
1540 
1541 	return res ? 0 : -1;
1542 }
1543 
1544 
crypto_bignum_rshift(const struct crypto_bignum * a,int n,struct crypto_bignum * r)1545 int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
1546 			 struct crypto_bignum *r)
1547 {
1548 	/* Note: BN_rshift() does not modify the first argument even though it
1549 	 * has not been marked const. */
1550 	return BN_rshift((BIGNUM *) a, (BIGNUM *) r, n) == 1 ? 0 : -1;
1551 }
1552 
1553 
crypto_bignum_cmp(const struct crypto_bignum * a,const struct crypto_bignum * b)1554 int crypto_bignum_cmp(const struct crypto_bignum *a,
1555 		      const struct crypto_bignum *b)
1556 {
1557 	return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
1558 }
1559 
1560 
crypto_bignum_is_zero(const struct crypto_bignum * a)1561 int crypto_bignum_is_zero(const struct crypto_bignum *a)
1562 {
1563 	return BN_is_zero((const BIGNUM *) a);
1564 }
1565 
1566 
crypto_bignum_is_one(const struct crypto_bignum * a)1567 int crypto_bignum_is_one(const struct crypto_bignum *a)
1568 {
1569 	return BN_is_one((const BIGNUM *) a);
1570 }
1571 
1572 
crypto_bignum_is_odd(const struct crypto_bignum * a)1573 int crypto_bignum_is_odd(const struct crypto_bignum *a)
1574 {
1575 	return BN_is_odd((const BIGNUM *) a);
1576 }
1577 
1578 
crypto_bignum_legendre(const struct crypto_bignum * a,const struct crypto_bignum * p)1579 int crypto_bignum_legendre(const struct crypto_bignum *a,
1580 			   const struct crypto_bignum *p)
1581 {
1582 	BN_CTX *bnctx;
1583 	BIGNUM *exp = NULL, *tmp = NULL;
1584 	int res = -2;
1585 	unsigned int mask;
1586 
1587 	if (TEST_FAIL())
1588 		return -2;
1589 
1590 	bnctx = BN_CTX_new();
1591 	if (bnctx == NULL)
1592 		return -2;
1593 
1594 	exp = BN_new();
1595 	tmp = BN_new();
1596 	if (!exp || !tmp ||
1597 	    /* exp = (p-1) / 2 */
1598 	    !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
1599 	    !BN_rshift1(exp, exp) ||
1600 	    !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
1601 				       (const BIGNUM *) p, bnctx, NULL))
1602 		goto fail;
1603 
1604 	/* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
1605 	 * constant time selection to avoid branches here. */
1606 	res = -1;
1607 	mask = const_time_eq(BN_is_word(tmp, 1), 1);
1608 	res = const_time_select_int(mask, 1, res);
1609 	mask = const_time_eq(BN_is_zero(tmp), 1);
1610 	res = const_time_select_int(mask, 0, res);
1611 
1612 fail:
1613 	BN_clear_free(tmp);
1614 	BN_clear_free(exp);
1615 	BN_CTX_free(bnctx);
1616 	return res;
1617 }
1618 
1619 
1620 #ifdef CONFIG_ECC
1621 
1622 struct crypto_ec {
1623 	EC_GROUP *group;
1624 	int nid;
1625 	BN_CTX *bnctx;
1626 	BIGNUM *prime;
1627 	BIGNUM *order;
1628 	BIGNUM *a;
1629 	BIGNUM *b;
1630 };
1631 
crypto_ec_init(int group)1632 struct crypto_ec * crypto_ec_init(int group)
1633 {
1634 	struct crypto_ec *e;
1635 	int nid;
1636 
1637 	/* Map from IANA registry for IKE D-H groups to OpenSSL NID */
1638 	switch (group) {
1639 	case 19:
1640 		nid = NID_X9_62_prime256v1;
1641 		break;
1642 	case 20:
1643 		nid = NID_secp384r1;
1644 		break;
1645 	case 21:
1646 		nid = NID_secp521r1;
1647 		break;
1648 	case 25:
1649 		nid = NID_X9_62_prime192v1;
1650 		break;
1651 	case 26:
1652 		nid = NID_secp224r1;
1653 		break;
1654 #ifdef NID_brainpoolP224r1
1655 	case 27:
1656 		nid = NID_brainpoolP224r1;
1657 		break;
1658 #endif /* NID_brainpoolP224r1 */
1659 #ifdef NID_brainpoolP256r1
1660 	case 28:
1661 		nid = NID_brainpoolP256r1;
1662 		break;
1663 #endif /* NID_brainpoolP256r1 */
1664 #ifdef NID_brainpoolP384r1
1665 	case 29:
1666 		nid = NID_brainpoolP384r1;
1667 		break;
1668 #endif /* NID_brainpoolP384r1 */
1669 #ifdef NID_brainpoolP512r1
1670 	case 30:
1671 		nid = NID_brainpoolP512r1;
1672 		break;
1673 #endif /* NID_brainpoolP512r1 */
1674 	default:
1675 		return NULL;
1676 	}
1677 
1678 	e = os_zalloc(sizeof(*e));
1679 	if (e == NULL)
1680 		return NULL;
1681 
1682 	e->nid = nid;
1683 	e->bnctx = BN_CTX_new();
1684 	e->group = EC_GROUP_new_by_curve_name(nid);
1685 	e->prime = BN_new();
1686 	e->order = BN_new();
1687 	e->a = BN_new();
1688 	e->b = BN_new();
1689 	if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
1690 	    e->order == NULL || e->a == NULL || e->b == NULL ||
1691 	    !EC_GROUP_get_curve_GFp(e->group, e->prime, e->a, e->b, e->bnctx) ||
1692 	    !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
1693 		crypto_ec_deinit(e);
1694 		e = NULL;
1695 	}
1696 
1697 	return e;
1698 }
1699 
1700 
crypto_ec_deinit(struct crypto_ec * e)1701 void crypto_ec_deinit(struct crypto_ec *e)
1702 {
1703 	if (e == NULL)
1704 		return;
1705 	BN_clear_free(e->b);
1706 	BN_clear_free(e->a);
1707 	BN_clear_free(e->order);
1708 	BN_clear_free(e->prime);
1709 	EC_GROUP_free(e->group);
1710 	BN_CTX_free(e->bnctx);
1711 	os_free(e);
1712 }
1713 
1714 
crypto_ec_point_init(struct crypto_ec * e)1715 struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
1716 {
1717 	if (TEST_FAIL())
1718 		return NULL;
1719 	if (e == NULL)
1720 		return NULL;
1721 	return (struct crypto_ec_point *) EC_POINT_new(e->group);
1722 }
1723 
1724 
crypto_ec_prime_len(struct crypto_ec * e)1725 size_t crypto_ec_prime_len(struct crypto_ec *e)
1726 {
1727 	return BN_num_bytes(e->prime);
1728 }
1729 
1730 
crypto_ec_prime_len_bits(struct crypto_ec * e)1731 size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
1732 {
1733 	return BN_num_bits(e->prime);
1734 }
1735 
1736 
crypto_ec_order_len(struct crypto_ec * e)1737 size_t crypto_ec_order_len(struct crypto_ec *e)
1738 {
1739 	return BN_num_bytes(e->order);
1740 }
1741 
1742 
crypto_ec_get_prime(struct crypto_ec * e)1743 const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
1744 {
1745 	return (const struct crypto_bignum *) e->prime;
1746 }
1747 
1748 
crypto_ec_get_order(struct crypto_ec * e)1749 const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
1750 {
1751 	return (const struct crypto_bignum *) e->order;
1752 }
1753 
1754 
crypto_ec_get_a(struct crypto_ec * e)1755 const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
1756 {
1757 	return (const struct crypto_bignum *) e->a;
1758 }
1759 
1760 
crypto_ec_get_b(struct crypto_ec * e)1761 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
1762 {
1763 	return (const struct crypto_bignum *) e->b;
1764 }
1765 
1766 
crypto_ec_point_deinit(struct crypto_ec_point * p,int clear)1767 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
1768 {
1769 	if (clear)
1770 		EC_POINT_clear_free((EC_POINT *) p);
1771 	else
1772 		EC_POINT_free((EC_POINT *) p);
1773 }
1774 
1775 
crypto_ec_point_x(struct crypto_ec * e,const struct crypto_ec_point * p,struct crypto_bignum * x)1776 int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p,
1777 		      struct crypto_bignum *x)
1778 {
1779 	return EC_POINT_get_affine_coordinates_GFp(e->group,
1780 						   (const EC_POINT *) p,
1781 						   (BIGNUM *) x, NULL,
1782 						   e->bnctx) == 1 ? 0 : -1;
1783 }
1784 
1785 
crypto_ec_point_to_bin(struct crypto_ec * e,const struct crypto_ec_point * point,u8 * x,u8 * y)1786 int crypto_ec_point_to_bin(struct crypto_ec *e,
1787 			   const struct crypto_ec_point *point, u8 *x, u8 *y)
1788 {
1789 	BIGNUM *x_bn, *y_bn;
1790 	int ret = -1;
1791 	int len = BN_num_bytes(e->prime);
1792 
1793 	if (TEST_FAIL())
1794 		return -1;
1795 
1796 	x_bn = BN_new();
1797 	y_bn = BN_new();
1798 
1799 	if (x_bn && y_bn &&
1800 	    EC_POINT_get_affine_coordinates_GFp(e->group, (EC_POINT *) point,
1801 						x_bn, y_bn, e->bnctx)) {
1802 		if (x) {
1803 			crypto_bignum_to_bin((struct crypto_bignum *) x_bn,
1804 					     x, len, len);
1805 		}
1806 		if (y) {
1807 			crypto_bignum_to_bin((struct crypto_bignum *) y_bn,
1808 					     y, len, len);
1809 		}
1810 		ret = 0;
1811 	}
1812 
1813 	BN_clear_free(x_bn);
1814 	BN_clear_free(y_bn);
1815 	return ret;
1816 }
1817 
1818 
crypto_ec_point_from_bin(struct crypto_ec * e,const u8 * val)1819 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
1820 						  const u8 *val)
1821 {
1822 	BIGNUM *x, *y;
1823 	EC_POINT *elem;
1824 	int len = BN_num_bytes(e->prime);
1825 
1826 	if (TEST_FAIL())
1827 		return NULL;
1828 
1829 	x = BN_bin2bn(val, len, NULL);
1830 	y = BN_bin2bn(val + len, len, NULL);
1831 	elem = EC_POINT_new(e->group);
1832 	if (x == NULL || y == NULL || elem == NULL) {
1833 		BN_clear_free(x);
1834 		BN_clear_free(y);
1835 		EC_POINT_clear_free(elem);
1836 		return NULL;
1837 	}
1838 
1839 	if (!EC_POINT_set_affine_coordinates_GFp(e->group, elem, x, y,
1840 						 e->bnctx)) {
1841 		EC_POINT_clear_free(elem);
1842 		elem = NULL;
1843 	}
1844 
1845 	BN_clear_free(x);
1846 	BN_clear_free(y);
1847 
1848 	return (struct crypto_ec_point *) elem;
1849 }
1850 
1851 
crypto_ec_point_add(struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b,struct crypto_ec_point * c)1852 int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
1853 			const struct crypto_ec_point *b,
1854 			struct crypto_ec_point *c)
1855 {
1856 	if (TEST_FAIL())
1857 		return -1;
1858 	return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
1859 			    (const EC_POINT *) b, e->bnctx) ? 0 : -1;
1860 }
1861 
1862 
crypto_ec_point_mul(struct crypto_ec * e,const struct crypto_ec_point * p,const struct crypto_bignum * b,struct crypto_ec_point * res)1863 int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
1864 			const struct crypto_bignum *b,
1865 			struct crypto_ec_point *res)
1866 {
1867 	if (TEST_FAIL())
1868 		return -1;
1869 	return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
1870 			    (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
1871 		? 0 : -1;
1872 }
1873 
1874 
crypto_ec_point_invert(struct crypto_ec * e,struct crypto_ec_point * p)1875 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
1876 {
1877 	if (TEST_FAIL())
1878 		return -1;
1879 	return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
1880 }
1881 
1882 
crypto_ec_point_solve_y_coord(struct crypto_ec * e,struct crypto_ec_point * p,const struct crypto_bignum * x,int y_bit)1883 int crypto_ec_point_solve_y_coord(struct crypto_ec *e,
1884 				  struct crypto_ec_point *p,
1885 				  const struct crypto_bignum *x, int y_bit)
1886 {
1887 	if (TEST_FAIL())
1888 		return -1;
1889 	if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p,
1890 						     (const BIGNUM *) x, y_bit,
1891 						     e->bnctx) ||
1892 	    !EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx))
1893 		return -1;
1894 	return 0;
1895 }
1896 
1897 
1898 struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec * e,const struct crypto_bignum * x)1899 crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
1900 			      const struct crypto_bignum *x)
1901 {
1902 	BIGNUM *tmp, *tmp2, *y_sqr = NULL;
1903 
1904 	if (TEST_FAIL())
1905 		return NULL;
1906 
1907 	tmp = BN_new();
1908 	tmp2 = BN_new();
1909 
1910 	/* y^2 = x^3 + ax + b */
1911 	if (tmp && tmp2 &&
1912 	    BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1913 	    BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
1914 	    BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) &&
1915 	    BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) &&
1916 	    BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) {
1917 		y_sqr = tmp2;
1918 		tmp2 = NULL;
1919 	}
1920 
1921 	BN_clear_free(tmp);
1922 	BN_clear_free(tmp2);
1923 
1924 	return (struct crypto_bignum *) y_sqr;
1925 }
1926 
1927 
crypto_ec_point_is_at_infinity(struct crypto_ec * e,const struct crypto_ec_point * p)1928 int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
1929 				   const struct crypto_ec_point *p)
1930 {
1931 	return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
1932 }
1933 
1934 
crypto_ec_point_is_on_curve(struct crypto_ec * e,const struct crypto_ec_point * p)1935 int crypto_ec_point_is_on_curve(struct crypto_ec *e,
1936 				const struct crypto_ec_point *p)
1937 {
1938 	return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
1939 				    e->bnctx) == 1;
1940 }
1941 
1942 
crypto_ec_point_cmp(const struct crypto_ec * e,const struct crypto_ec_point * a,const struct crypto_ec_point * b)1943 int crypto_ec_point_cmp(const struct crypto_ec *e,
1944 			const struct crypto_ec_point *a,
1945 			const struct crypto_ec_point *b)
1946 {
1947 	return EC_POINT_cmp(e->group, (const EC_POINT *) a,
1948 			    (const EC_POINT *) b, e->bnctx);
1949 }
1950 
1951 
1952 struct crypto_ecdh {
1953 	struct crypto_ec *ec;
1954 	EVP_PKEY *pkey;
1955 };
1956 
crypto_ecdh_init(int group)1957 struct crypto_ecdh * crypto_ecdh_init(int group)
1958 {
1959 	struct crypto_ecdh *ecdh;
1960 	EVP_PKEY *params = NULL;
1961 	EC_KEY *ec_params = NULL;
1962 	EVP_PKEY_CTX *kctx = NULL;
1963 
1964 	ecdh = os_zalloc(sizeof(*ecdh));
1965 	if (!ecdh)
1966 		goto fail;
1967 
1968 	ecdh->ec = crypto_ec_init(group);
1969 	if (!ecdh->ec)
1970 		goto fail;
1971 
1972 	ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid);
1973 	if (!ec_params) {
1974 		wpa_printf(MSG_ERROR,
1975 			   "OpenSSL: Failed to generate EC_KEY parameters");
1976 		goto fail;
1977 	}
1978 	EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
1979 	params = EVP_PKEY_new();
1980 	if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
1981 		wpa_printf(MSG_ERROR,
1982 			   "OpenSSL: Failed to generate EVP_PKEY parameters");
1983 		goto fail;
1984 	}
1985 
1986 	kctx = EVP_PKEY_CTX_new(params, NULL);
1987 	if (!kctx)
1988 		goto fail;
1989 
1990 	if (EVP_PKEY_keygen_init(kctx) != 1) {
1991 		wpa_printf(MSG_ERROR,
1992 			   "OpenSSL: EVP_PKEY_keygen_init failed: %s",
1993 			   ERR_error_string(ERR_get_error(), NULL));
1994 		goto fail;
1995 	}
1996 
1997 	if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) {
1998 		wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s",
1999 			   ERR_error_string(ERR_get_error(), NULL));
2000 		goto fail;
2001 	}
2002 
2003 done:
2004 	EC_KEY_free(ec_params);
2005 	EVP_PKEY_free(params);
2006 	EVP_PKEY_CTX_free(kctx);
2007 
2008 	return ecdh;
2009 fail:
2010 	crypto_ecdh_deinit(ecdh);
2011 	ecdh = NULL;
2012 	goto done;
2013 }
2014 
2015 
crypto_ecdh_get_pubkey(struct crypto_ecdh * ecdh,int inc_y)2016 struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y)
2017 {
2018 	struct wpabuf *buf = NULL;
2019 	EC_KEY *eckey;
2020 	const EC_POINT *pubkey;
2021 	BIGNUM *x, *y = NULL;
2022 	int len = BN_num_bytes(ecdh->ec->prime);
2023 	int res;
2024 
2025 	eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey);
2026 	if (!eckey)
2027 		return NULL;
2028 
2029 	pubkey = EC_KEY_get0_public_key(eckey);
2030 	if (!pubkey)
2031 		return NULL;
2032 
2033 	x = BN_new();
2034 	if (inc_y) {
2035 		y = BN_new();
2036 		if (!y)
2037 			goto fail;
2038 	}
2039 	buf = wpabuf_alloc(inc_y ? 2 * len : len);
2040 	if (!x || !buf)
2041 		goto fail;
2042 
2043 	if (EC_POINT_get_affine_coordinates_GFp(ecdh->ec->group, pubkey,
2044 						x, y, ecdh->ec->bnctx) != 1) {
2045 		wpa_printf(MSG_ERROR,
2046 			   "OpenSSL: EC_POINT_get_affine_coordinates_GFp failed: %s",
2047 			   ERR_error_string(ERR_get_error(), NULL));
2048 		goto fail;
2049 	}
2050 
2051 	res = crypto_bignum_to_bin((struct crypto_bignum *) x,
2052 				   wpabuf_put(buf, len), len, len);
2053 	if (res < 0)
2054 		goto fail;
2055 
2056 	if (inc_y) {
2057 		res = crypto_bignum_to_bin((struct crypto_bignum *) y,
2058 					   wpabuf_put(buf, len), len, len);
2059 		if (res < 0)
2060 			goto fail;
2061 	}
2062 
2063 done:
2064 	BN_clear_free(x);
2065 	BN_clear_free(y);
2066 	EC_KEY_free(eckey);
2067 
2068 	return buf;
2069 fail:
2070 	wpabuf_free(buf);
2071 	buf = NULL;
2072 	goto done;
2073 }
2074 
2075 
crypto_ecdh_set_peerkey(struct crypto_ecdh * ecdh,int inc_y,const u8 * key,size_t len)2076 struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
2077 					const u8 *key, size_t len)
2078 {
2079 	BIGNUM *x, *y = NULL;
2080 	EVP_PKEY_CTX *ctx = NULL;
2081 	EVP_PKEY *peerkey = NULL;
2082 	struct wpabuf *secret = NULL;
2083 	size_t secret_len;
2084 	EC_POINT *pub;
2085 	EC_KEY *eckey = NULL;
2086 
2087 	x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL);
2088 	pub = EC_POINT_new(ecdh->ec->group);
2089 	if (!x || !pub)
2090 		goto fail;
2091 
2092 	if (inc_y) {
2093 		y = BN_bin2bn(key + len / 2, len / 2, NULL);
2094 		if (!y)
2095 			goto fail;
2096 		if (!EC_POINT_set_affine_coordinates_GFp(ecdh->ec->group, pub,
2097 							 x, y,
2098 							 ecdh->ec->bnctx)) {
2099 			wpa_printf(MSG_ERROR,
2100 				   "OpenSSL: EC_POINT_set_affine_coordinates_GFp failed: %s",
2101 				   ERR_error_string(ERR_get_error(), NULL));
2102 			goto fail;
2103 		}
2104 	} else if (!EC_POINT_set_compressed_coordinates_GFp(ecdh->ec->group,
2105 							    pub, x, 0,
2106 							    ecdh->ec->bnctx)) {
2107 		wpa_printf(MSG_ERROR,
2108 			   "OpenSSL: EC_POINT_set_compressed_coordinates_GFp failed: %s",
2109 			   ERR_error_string(ERR_get_error(), NULL));
2110 		goto fail;
2111 	}
2112 
2113 	if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) {
2114 		wpa_printf(MSG_ERROR,
2115 			   "OpenSSL: ECDH peer public key is not on curve");
2116 		goto fail;
2117 	}
2118 
2119 	eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid);
2120 	if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) {
2121 		wpa_printf(MSG_ERROR,
2122 			   "OpenSSL: EC_KEY_set_public_key failed: %s",
2123 			   ERR_error_string(ERR_get_error(), NULL));
2124 		goto fail;
2125 	}
2126 
2127 	peerkey = EVP_PKEY_new();
2128 	if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1)
2129 		goto fail;
2130 
2131 	ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
2132 	if (!ctx || EVP_PKEY_derive_init(ctx) != 1 ||
2133 	    EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
2134 	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) {
2135 		wpa_printf(MSG_ERROR,
2136 			   "OpenSSL: EVP_PKEY_derive(1) failed: %s",
2137 			   ERR_error_string(ERR_get_error(), NULL));
2138 		goto fail;
2139 	}
2140 
2141 	secret = wpabuf_alloc(secret_len);
2142 	if (!secret)
2143 		goto fail;
2144 	if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
2145 		wpa_printf(MSG_ERROR,
2146 			   "OpenSSL: EVP_PKEY_derive(2) failed: %s",
2147 			   ERR_error_string(ERR_get_error(), NULL));
2148 		goto fail;
2149 	}
2150 	if (secret->size != secret_len)
2151 		wpa_printf(MSG_DEBUG,
2152 			   "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
2153 			   (int) secret->size, (int) secret_len);
2154 	wpabuf_put(secret, secret_len);
2155 
2156 done:
2157 	BN_free(x);
2158 	BN_free(y);
2159 	EC_KEY_free(eckey);
2160 	EC_POINT_free(pub);
2161 	EVP_PKEY_CTX_free(ctx);
2162 	EVP_PKEY_free(peerkey);
2163 	return secret;
2164 fail:
2165 	wpabuf_free(secret);
2166 	secret = NULL;
2167 	goto done;
2168 }
2169 
2170 
crypto_ecdh_deinit(struct crypto_ecdh * ecdh)2171 void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
2172 {
2173 	if (ecdh) {
2174 		crypto_ec_deinit(ecdh->ec);
2175 		EVP_PKEY_free(ecdh->pkey);
2176 		os_free(ecdh);
2177 	}
2178 }
2179 
2180 
crypto_ecdh_prime_len(struct crypto_ecdh * ecdh)2181 size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
2182 {
2183 	return crypto_ec_prime_len(ecdh->ec);
2184 }
2185 
2186 
2187 struct crypto_ec_key {
2188 	EVP_PKEY *pkey;
2189 	EC_KEY *eckey;
2190 };
2191 
2192 
crypto_ec_key_parse_priv(const u8 * der,size_t der_len)2193 struct crypto_ec_key * crypto_ec_key_parse_priv(const u8 *der, size_t der_len)
2194 {
2195 	struct crypto_ec_key *key;
2196 
2197 	key = os_zalloc(sizeof(*key));
2198 	if (!key)
2199 		return NULL;
2200 
2201 	key->eckey = d2i_ECPrivateKey(NULL, &der, der_len);
2202 	if (!key->eckey) {
2203 		wpa_printf(MSG_INFO, "OpenSSL: d2i_ECPrivateKey() failed: %s",
2204 			   ERR_error_string(ERR_get_error(), NULL));
2205 		goto fail;
2206 	}
2207 	EC_KEY_set_conv_form(key->eckey, POINT_CONVERSION_COMPRESSED);
2208 
2209 	key->pkey = EVP_PKEY_new();
2210 	if (!key->pkey || EVP_PKEY_assign_EC_KEY(key->pkey, key->eckey) != 1) {
2211 		EC_KEY_free(key->eckey);
2212 		key->eckey = NULL;
2213 		goto fail;
2214 	}
2215 
2216 	return key;
2217 fail:
2218 	crypto_ec_key_deinit(key);
2219 	return NULL;
2220 }
2221 
2222 
crypto_ec_key_parse_pub(const u8 * der,size_t der_len)2223 struct crypto_ec_key * crypto_ec_key_parse_pub(const u8 *der, size_t der_len)
2224 {
2225 	struct crypto_ec_key *key;
2226 
2227 	key = os_zalloc(sizeof(*key));
2228 	if (!key)
2229 		return NULL;
2230 
2231 	key->pkey = d2i_PUBKEY(NULL, &der, der_len);
2232 	if (!key->pkey) {
2233 		wpa_printf(MSG_INFO, "OpenSSL: d2i_PUBKEY() failed: %s",
2234 			   ERR_error_string(ERR_get_error(), NULL));
2235 		goto fail;
2236 	}
2237 
2238 	key->eckey = EVP_PKEY_get0_EC_KEY(key->pkey);
2239 	if (!key->eckey)
2240 		goto fail;
2241 	return key;
2242 fail:
2243 	crypto_ec_key_deinit(key);
2244 	return NULL;
2245 }
2246 
2247 
crypto_ec_key_deinit(struct crypto_ec_key * key)2248 void crypto_ec_key_deinit(struct crypto_ec_key *key)
2249 {
2250 	if (key) {
2251 		EVP_PKEY_free(key->pkey);
2252 		os_free(key);
2253 	}
2254 }
2255 
2256 
crypto_ec_key_get_subject_public_key(struct crypto_ec_key * key)2257 struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
2258 {
2259 	unsigned char *der = NULL;
2260 	int der_len;
2261 	struct wpabuf *buf;
2262 
2263 	der_len = i2d_PUBKEY(key->pkey, &der);
2264 	if (der_len <= 0) {
2265 		wpa_printf(MSG_INFO, "OpenSSL: i2d_PUBKEY() failed: %s",
2266 			   ERR_error_string(ERR_get_error(), NULL));
2267 		return NULL;
2268 	}
2269 
2270 	buf = wpabuf_alloc_copy(der, der_len);
2271 	OPENSSL_free(der);
2272 	return buf;
2273 }
2274 
2275 
crypto_ec_key_sign(struct crypto_ec_key * key,const u8 * data,size_t len)2276 struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
2277 				   size_t len)
2278 {
2279 	EVP_PKEY_CTX *pkctx;
2280 	struct wpabuf *sig_der;
2281 	size_t sig_len;
2282 
2283 	sig_len = EVP_PKEY_size(key->pkey);
2284 	sig_der = wpabuf_alloc(sig_len);
2285 	if (!sig_der)
2286 		return NULL;
2287 
2288 	pkctx = EVP_PKEY_CTX_new(key->pkey, NULL);
2289 	if (!pkctx ||
2290 	    EVP_PKEY_sign_init(pkctx) <= 0 ||
2291 	    EVP_PKEY_sign(pkctx, wpabuf_put(sig_der, 0), &sig_len,
2292 			  data, len) <= 0) {
2293 		wpabuf_free(sig_der);
2294 		sig_der = NULL;
2295 	} else {
2296 		wpabuf_put(sig_der, sig_len);
2297 	}
2298 
2299 	EVP_PKEY_CTX_free(pkctx);
2300 	return sig_der;
2301 }
2302 
2303 
crypto_ec_key_verify_signature(struct crypto_ec_key * key,const u8 * data,size_t len,const u8 * sig,size_t sig_len)2304 int crypto_ec_key_verify_signature(struct crypto_ec_key *key, const u8 *data,
2305 				   size_t len, const u8 *sig, size_t sig_len)
2306 {
2307 	EVP_PKEY_CTX *pkctx;
2308 	int ret;
2309 
2310 	pkctx = EVP_PKEY_CTX_new(key->pkey, NULL);
2311 	if (!pkctx || EVP_PKEY_verify_init(pkctx) <= 0) {
2312 		EVP_PKEY_CTX_free(pkctx);
2313 		return -1;
2314 	}
2315 
2316 	ret = EVP_PKEY_verify(pkctx, sig, sig_len, data, len);
2317 	EVP_PKEY_CTX_free(pkctx);
2318 	if (ret == 1)
2319 		return 1; /* signature ok */
2320 	if (ret == 0)
2321 		return 0; /* incorrect signature */
2322 	return -1;
2323 }
2324 
2325 
crypto_ec_key_group(struct crypto_ec_key * key)2326 int crypto_ec_key_group(struct crypto_ec_key *key)
2327 {
2328 	const EC_GROUP *group;
2329 	int nid;
2330 
2331 	group = EC_KEY_get0_group(key->eckey);
2332 	if (!group)
2333 		return -1;
2334 	nid = EC_GROUP_get_curve_name(group);
2335 	switch (nid) {
2336 	case NID_X9_62_prime256v1:
2337 		return 19;
2338 	case NID_secp384r1:
2339 		return 20;
2340 	case NID_secp521r1:
2341 		return 21;
2342 	}
2343 	return -1;
2344 }
2345 
2346 #endif /* CONFIG_ECC */
2347