1 /*
2 * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6 #ifdef ESP_PLATFORM
7 #include "esp_system.h"
8 #endif
9
10 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "crypto.h"
13 #include "random.h"
14 #include "sha256.h"
15
16 #include "mbedtls/ecp.h"
17 #include "mbedtls/entropy.h"
18 #include "mbedtls/ctr_drbg.h"
19 #include "mbedtls/md.h"
20 #include "mbedtls/aes.h"
21 #include "mbedtls/bignum.h"
22 #include "mbedtls/pkcs5.h"
23 #include "mbedtls/cmac.h"
24 #include "mbedtls/nist_kw.h"
25 #include "mbedtls/des.h"
26 #include "mbedtls/ccm.h"
27
28 #include "common.h"
29 #include "utils/wpabuf.h"
30 #include "dh_group5.h"
31 #include "md5.h"
32 #include "sha1.h"
33 #include "sha256.h"
34 #include "sha384.h"
35 #include "aes_wrap.h"
36 #include "crypto.h"
37 #ifdef ESPRESSIF_USE
38 #include "mbedtls/esp_config.h"
39 #else
40 #if defined(CONFIG_MBEDTLS)
41 #if !defined(CONFIG_MBEDTLS_CFG_FILE)
42 #include "mbedtls/config.h"
43 #else
44 #include CONFIG_MBEDTLS_CFG_FILE
45 #endif /* CONFIG_MBEDTLS_CFG_FILE */
46 #endif
47 #endif
48
digest_vector(mbedtls_md_type_t md_type,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)49 static int digest_vector(mbedtls_md_type_t md_type, size_t num_elem,
50 const u8 *addr[], const size_t *len, u8 *mac)
51 {
52 size_t i;
53 const mbedtls_md_info_t *md_info;
54 mbedtls_md_context_t md_ctx;
55 int ret;
56
57 mbedtls_md_init(&md_ctx);
58
59 md_info = mbedtls_md_info_from_type(md_type);
60 if (!md_info) {
61 wpa_printf(MSG_ERROR, "mbedtls_md_info_from_type() failed");
62 return -1;
63 }
64
65 ret = mbedtls_md_setup(&md_ctx, md_info, 0);
66 if (ret != 0) {
67 wpa_printf(MSG_ERROR, "mbedtls_md_setup() returned error");
68 goto cleanup;
69 }
70
71 ret = mbedtls_md_starts(&md_ctx);
72 if (ret != 0) {
73 wpa_printf(MSG_ERROR, "mbedtls_md_starts returned error");
74 goto cleanup;
75 }
76
77 for (i = 0; i < num_elem; i++) {
78 ret = mbedtls_md_update(&md_ctx, addr[i], len[i]);
79 if (ret != 0) {
80 wpa_printf(MSG_ERROR, "mbedtls_md_update ret=%d", ret);
81 goto cleanup;
82 }
83 }
84
85 ret = mbedtls_md_finish(&md_ctx, mac);
86 cleanup:
87 mbedtls_md_free(&md_ctx);
88
89 return ret;
90
91 }
92
sha256_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)93 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
94 u8 *mac)
95 {
96 return digest_vector(MBEDTLS_MD_SHA256, num_elem, addr, len, mac);
97 }
98
sha384_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)99 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
100 u8 *mac)
101 {
102 return digest_vector(MBEDTLS_MD_SHA384, num_elem, addr, len, mac);
103 }
104
sha512_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)105 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
106 u8 *mac)
107 {
108 return digest_vector(MBEDTLS_MD_SHA512, num_elem, addr, len, mac);
109 }
110
sha1_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)111 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
112 {
113 return digest_vector(MBEDTLS_MD_SHA1, num_elem, addr, len, mac);
114 }
115
md5_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)116 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
117 {
118 return digest_vector(MBEDTLS_MD_MD5, num_elem, addr, len, mac);
119 }
120
121 #ifdef MBEDTLS_MD4_C
md4_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)122 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
123 {
124 return digest_vector(MBEDTLS_MD_MD4, num_elem, addr, len, mac);
125 }
126 #endif
127
crypto_hash_init(enum crypto_hash_alg alg,const u8 * key,size_t key_len)128 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
129 size_t key_len)
130 {
131 mbedtls_md_context_t *ctx = NULL;
132 mbedtls_md_type_t md_type;
133 const mbedtls_md_info_t *md_info;
134 int ret;
135 int is_hmac = 0;
136
137 switch (alg) {
138 case CRYPTO_HASH_ALG_MD5:
139 case CRYPTO_HASH_ALG_HMAC_MD5:
140 md_type = MBEDTLS_MD_MD5;
141 break;
142 case CRYPTO_HASH_ALG_SHA1:
143 case CRYPTO_HASH_ALG_HMAC_SHA1:
144 md_type = MBEDTLS_MD_SHA1;
145 break;
146 case CRYPTO_HASH_ALG_SHA256:
147 case CRYPTO_HASH_ALG_HMAC_SHA256:
148 md_type = MBEDTLS_MD_SHA256;
149 break;
150 case CRYPTO_HASH_ALG_SHA384:
151 md_type = MBEDTLS_MD_SHA384;
152 break;
153 case CRYPTO_HASH_ALG_SHA512:
154 md_type = MBEDTLS_MD_SHA512;
155 break;
156 default:
157 return NULL;
158 }
159
160 switch (alg) {
161 case CRYPTO_HASH_ALG_HMAC_MD5:
162 case CRYPTO_HASH_ALG_HMAC_SHA1:
163 case CRYPTO_HASH_ALG_HMAC_SHA256:
164 is_hmac = 1;
165 break;
166 default:
167 break;
168 }
169 ctx = os_zalloc(sizeof(*ctx));
170 if (ctx == NULL) {
171 return NULL;
172 }
173
174 mbedtls_md_init(ctx);
175 md_info = mbedtls_md_info_from_type(md_type);
176 if (!md_info) {
177 goto cleanup;
178 }
179 if (mbedtls_md_setup(ctx, md_info, is_hmac) != 0) {
180 goto cleanup;
181 }
182 if (is_hmac) {
183 ret = mbedtls_md_hmac_starts(ctx, key, key_len);
184 } else {
185 ret = mbedtls_md_starts(ctx);
186 }
187 if (ret < 0) {
188 goto cleanup;
189 }
190
191 return (struct crypto_hash *)ctx;
192 cleanup:
193 mbedtls_md_free(ctx);
194 os_free(ctx);
195 return NULL;
196 }
197
crypto_hash_update(struct crypto_hash * crypto_ctx,const u8 * data,size_t len)198 void crypto_hash_update(struct crypto_hash *crypto_ctx, const u8 *data, size_t len)
199 {
200 int ret;
201 mbedtls_md_context_t *ctx = (mbedtls_md_context_t *)crypto_ctx;
202
203 if (ctx == NULL) {
204 return;
205 }
206 if (ctx->MBEDTLS_PRIVATE(hmac_ctx)) {
207 ret = mbedtls_md_hmac_update(ctx, data, len);
208 } else {
209 ret = mbedtls_md_update(ctx, data, len);
210 }
211 if (ret != 0) {
212 wpa_printf(MSG_ERROR, "%s: mbedtls_md_hmac_update failed", __func__);
213 }
214 }
215
crypto_hash_finish(struct crypto_hash * crypto_ctx,u8 * mac,size_t * len)216 int crypto_hash_finish(struct crypto_hash *crypto_ctx, u8 *mac, size_t *len)
217 {
218 int ret = 0;
219 mbedtls_md_type_t md_type;
220 mbedtls_md_context_t *ctx = (mbedtls_md_context_t *)crypto_ctx;
221
222 if (ctx == NULL) {
223 return -2;
224 }
225
226 if (mac == NULL || len == NULL) {
227 goto err;
228 }
229
230 md_type = mbedtls_md_get_type(mbedtls_md_info_from_ctx(ctx));
231 switch(md_type) {
232 case MBEDTLS_MD_MD5:
233 if (*len < MD5_MAC_LEN) {
234 *len = MD5_MAC_LEN;
235 ret = -1;
236 goto err;
237 }
238 *len = MD5_MAC_LEN;
239 break;
240 case MBEDTLS_MD_SHA1:
241 if (*len < SHA1_MAC_LEN) {
242 *len = SHA1_MAC_LEN;
243 ret = -1;
244 goto err;
245 }
246 *len = SHA1_MAC_LEN;
247 break;
248 case MBEDTLS_MD_SHA256:
249 if (*len < SHA256_MAC_LEN) {
250 *len = SHA256_MAC_LEN;
251 ret = -1;
252 goto err;
253 }
254 *len = SHA256_MAC_LEN;
255 break;
256 case MBEDTLS_MD_SHA384:
257 if (*len < SHA384_MAC_LEN) {
258 *len = SHA384_MAC_LEN;
259 ret = -1;
260 goto err;
261 }
262 *len = SHA384_MAC_LEN;
263 break;
264 case MBEDTLS_MD_SHA512:
265 if (*len < SHA512_MAC_LEN) {
266 *len = SHA512_MAC_LEN;
267 ret = -1;
268 goto err;
269 }
270 *len = SHA512_MAC_LEN;
271 break;
272 default:
273 *len = 0;
274 ret = -1;
275 goto err;
276 }
277 if (ctx->MBEDTLS_PRIVATE(hmac_ctx)) {
278 ret = mbedtls_md_hmac_finish(ctx, mac);
279 } else {
280 ret = mbedtls_md_finish(ctx, mac);
281 }
282
283 err:
284 mbedtls_md_free(ctx);
285 bin_clear_free(ctx, sizeof(*ctx));
286
287 return ret;
288 }
289
hmac_vector(mbedtls_md_type_t md_type,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)290 static int hmac_vector(mbedtls_md_type_t md_type,
291 const u8 *key, size_t key_len,
292 size_t num_elem, const u8 *addr[],
293 const size_t *len, u8 *mac)
294 {
295 size_t i;
296 const mbedtls_md_info_t *md_info;
297 mbedtls_md_context_t md_ctx;
298 int ret;
299
300 mbedtls_md_init(&md_ctx);
301
302 md_info = mbedtls_md_info_from_type(md_type);
303 if (!md_info) {
304 return -1;
305 }
306
307 ret = mbedtls_md_setup(&md_ctx, md_info, 1);
308 if (ret != 0) {
309 return(ret);
310 }
311
312 ret = mbedtls_md_hmac_starts(&md_ctx, key, key_len);
313 if (ret != 0) {
314 return(ret);
315 }
316
317 for (i = 0; i < num_elem; i++) {
318 ret = mbedtls_md_hmac_update(&md_ctx, addr[i], len[i]);
319 if (ret != 0) {
320 return(ret);
321 }
322
323 }
324
325 ret = mbedtls_md_hmac_finish(&md_ctx, mac);
326
327 mbedtls_md_free(&md_ctx);
328
329 return ret;
330 }
331
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)332 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
333 const u8 *addr[], const size_t *len, u8 *mac)
334 {
335 return hmac_vector(MBEDTLS_MD_SHA384, key, key_len, num_elem, addr,
336 len, mac);
337 }
338
339
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)340 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
341 size_t data_len, u8 *mac)
342 {
343 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
344 }
345
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)346 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
347 const u8 *addr[], const size_t *len, u8 *mac)
348 {
349 return hmac_vector(MBEDTLS_MD_SHA256, key, key_len, num_elem, addr,
350 len, mac);
351 }
352
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)353 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
354 size_t data_len, u8 *mac)
355 {
356 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
357 }
358
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)359 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
360 const u8 *addr[], const size_t *len, u8 *mac)
361 {
362 return hmac_vector(MBEDTLS_MD_MD5, key, key_len,
363 num_elem, addr, len, mac);
364 }
365
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)366 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
367 u8 *mac)
368 {
369 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
370 }
371
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)372 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
373 const u8 *addr[], const size_t *len, u8 *mac)
374 {
375 return hmac_vector(MBEDTLS_MD_SHA1, key, key_len, num_elem, addr,
376 len, mac);
377 }
378
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)379 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
380 u8 *mac)
381 {
382 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
383 }
384
aes_crypt_init(int mode,const u8 * key,size_t len)385 static void *aes_crypt_init(int mode, const u8 *key, size_t len)
386 {
387 int ret = -1;
388 mbedtls_aes_context *aes = os_malloc(sizeof(*aes));
389 if (!aes) {
390 return NULL;
391 }
392 mbedtls_aes_init(aes);
393
394 if (mode == MBEDTLS_AES_ENCRYPT) {
395 ret = mbedtls_aes_setkey_enc(aes, key, len * 8);
396 } else if (mode == MBEDTLS_AES_DECRYPT){
397 ret = mbedtls_aes_setkey_dec(aes, key, len * 8);
398 }
399 if (ret < 0) {
400 mbedtls_aes_free(aes);
401 os_free(aes);
402 wpa_printf(MSG_ERROR, "%s: mbedtls_aes_setkey_enc/mbedtls_aes_setkey_dec failed", __func__);
403 return NULL;
404 }
405
406 return (void *) aes;
407 }
408
aes_crypt(void * ctx,int mode,const u8 * in,u8 * out)409 static int aes_crypt(void *ctx, int mode, const u8 *in, u8 *out)
410 {
411 return mbedtls_aes_crypt_ecb((mbedtls_aes_context *)ctx,
412 mode, in, out);
413 }
414
aes_crypt_deinit(void * ctx)415 static void aes_crypt_deinit(void *ctx)
416 {
417 mbedtls_aes_free((mbedtls_aes_context *)ctx);
418 os_free(ctx);
419 }
420
aes_encrypt_init(const u8 * key,size_t len)421 void *aes_encrypt_init(const u8 *key, size_t len)
422 {
423 return aes_crypt_init(MBEDTLS_AES_ENCRYPT, key, len);
424 }
425
aes_encrypt(void * ctx,const u8 * plain,u8 * crypt)426 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
427 {
428 return aes_crypt(ctx, MBEDTLS_AES_ENCRYPT, plain, crypt);
429 }
430
aes_encrypt_deinit(void * ctx)431 void aes_encrypt_deinit(void *ctx)
432 {
433 return aes_crypt_deinit(ctx);
434 }
435
aes_decrypt_init(const u8 * key,size_t len)436 void * aes_decrypt_init(const u8 *key, size_t len)
437 {
438 return aes_crypt_init(MBEDTLS_AES_DECRYPT, key, len);
439 }
440
aes_decrypt(void * ctx,const u8 * crypt,u8 * plain)441 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
442 {
443 return aes_crypt(ctx, MBEDTLS_AES_DECRYPT, crypt, plain);
444 }
445
aes_decrypt_deinit(void * ctx)446 void aes_decrypt_deinit(void *ctx)
447 {
448 return aes_crypt_deinit(ctx);
449 }
450
aes_128_cbc_encrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)451 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
452 {
453 int ret = 0;
454 mbedtls_aes_context ctx;
455 u8 cbc[MBEDTLS_AES_BLOCK_SIZE];
456
457 mbedtls_aes_init(&ctx);
458
459 ret = mbedtls_aes_setkey_enc(&ctx, key, 128);
460 if (ret < 0) {
461 mbedtls_aes_free(&ctx);
462 return ret;
463 }
464
465 os_memcpy(cbc, iv, MBEDTLS_AES_BLOCK_SIZE);
466 ret = mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_ENCRYPT,
467 data_len, cbc, data, data);
468 mbedtls_aes_free(&ctx);
469
470 return ret;
471 }
472
aes_128_cbc_decrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)473 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
474 {
475 int ret = 0;
476 mbedtls_aes_context ctx;
477 u8 cbc[MBEDTLS_AES_BLOCK_SIZE];
478
479 mbedtls_aes_init(&ctx);
480
481 ret = mbedtls_aes_setkey_dec(&ctx, key, 128);
482 if (ret < 0) {
483 mbedtls_aes_free(&ctx);
484 return ret;
485 }
486
487 os_memcpy(cbc, iv, MBEDTLS_AES_BLOCK_SIZE);
488 ret = mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_DECRYPT,
489 data_len, cbc, data, data);
490 mbedtls_aes_free(&ctx);
491
492 return ret;
493
494 }
495
496 #ifdef CONFIG_TLS_INTERNAL_CLIENT
497 struct crypto_cipher {
498 mbedtls_cipher_context_t ctx_enc;
499 mbedtls_cipher_context_t ctx_dec;
500 };
501
crypto_init_cipher_ctx(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info,const u8 * iv,const u8 * key,size_t key_len,mbedtls_operation_t operation)502 static int crypto_init_cipher_ctx(mbedtls_cipher_context_t *ctx,
503 const mbedtls_cipher_info_t *cipher_info,
504 const u8 *iv, const u8 *key, size_t key_len,
505 mbedtls_operation_t operation)
506 {
507 mbedtls_cipher_init(ctx);
508 int ret;
509
510 ret = mbedtls_cipher_setup(ctx, cipher_info);
511 if (ret != 0) {
512 return -1;
513 }
514
515 if (mbedtls_cipher_setkey(ctx, key, key_len * 8, operation) != 0) {
516 wpa_printf(MSG_ERROR, "mbedtls_cipher_setkey returned error");
517 return -1;
518 }
519 if (mbedtls_cipher_set_iv(ctx, iv, cipher_info->MBEDTLS_PRIVATE(iv_size)) != 0) {
520 wpa_printf(MSG_ERROR, "mbedtls_cipher_set_iv returned error");
521 return -1;
522 }
523 if (mbedtls_cipher_reset(ctx) != 0) {
524 wpa_printf(MSG_ERROR, "mbedtls_cipher_reset() returned error");
525 return -1;
526 }
527
528 return 0;
529 }
530
alg_to_mbedtls_cipher(enum crypto_cipher_alg alg,size_t key_len)531 static mbedtls_cipher_type_t alg_to_mbedtls_cipher(enum crypto_cipher_alg alg,
532 size_t key_len)
533 {
534 switch (alg) {
535 case CRYPTO_CIPHER_ALG_AES:
536 if (key_len == 16) {
537 return MBEDTLS_CIPHER_AES_128_CBC;
538 }
539 if (key_len == 24) {
540 return MBEDTLS_CIPHER_AES_192_CBC;
541 }
542 if (key_len == 32) {
543 return MBEDTLS_CIPHER_AES_256_CBC;
544 }
545 break;
546 #ifdef MBEDTLS_DES_C
547 case CRYPTO_CIPHER_ALG_3DES:
548 return MBEDTLS_CIPHER_DES_EDE3_CBC;
549 case CRYPTO_CIPHER_ALG_DES:
550 return MBEDTLS_CIPHER_DES_CBC;
551 #endif
552 default:
553 break;
554 }
555
556 return MBEDTLS_CIPHER_NONE;
557 }
558
crypto_cipher_init(enum crypto_cipher_alg alg,const u8 * iv,const u8 * key,size_t key_len)559 struct crypto_cipher *crypto_cipher_init(enum crypto_cipher_alg alg,
560 const u8 *iv, const u8 *key,
561 size_t key_len)
562 {
563 struct crypto_cipher *ctx;
564 mbedtls_cipher_type_t cipher_type;
565 const mbedtls_cipher_info_t *cipher_info;
566
567 ctx = (struct crypto_cipher *)os_zalloc(sizeof(*ctx));
568 if (!ctx) {
569 return NULL;
570 }
571
572 cipher_type = alg_to_mbedtls_cipher(alg, key_len);
573 if (cipher_type == MBEDTLS_CIPHER_NONE) {
574 goto cleanup;
575 }
576
577 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
578 if (cipher_info == NULL) {
579 goto cleanup;
580 }
581
582 /* Init both ctx encryption/decryption */
583 if (crypto_init_cipher_ctx(&ctx->ctx_enc, cipher_info, iv, key,
584 key_len, MBEDTLS_ENCRYPT) < 0) {
585 goto cleanup;
586 }
587
588 if (crypto_init_cipher_ctx(&ctx->ctx_dec, cipher_info, iv, key,
589 key_len, MBEDTLS_DECRYPT) < 0) {
590 goto cleanup;
591 }
592
593 if (mbedtls_cipher_set_padding_mode(&ctx->ctx_enc, MBEDTLS_PADDING_NONE) < 0) {
594 goto cleanup;
595 }
596 if (mbedtls_cipher_set_padding_mode(&ctx->ctx_dec, MBEDTLS_PADDING_NONE) < 0) {
597 goto cleanup;
598 }
599 return ctx;
600
601 cleanup:
602 os_free(ctx);
603 return NULL;
604 }
605
crypto_cipher_encrypt(struct crypto_cipher * ctx,const u8 * plain,u8 * crypt,size_t len)606 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
607 u8 *crypt, size_t len)
608 {
609 int ret;
610 size_t olen = 0;
611
612 ret = mbedtls_cipher_update(&ctx->ctx_enc, plain, len, crypt, &olen);
613 if (ret != 0) {
614 return -1;
615 }
616
617 ret = mbedtls_cipher_finish(&ctx->ctx_enc, crypt + olen, &olen);
618 if (ret != 0) {
619 return -1;
620 }
621
622 return 0;
623 }
624
crypto_cipher_decrypt(struct crypto_cipher * ctx,const u8 * crypt,u8 * plain,size_t len)625 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
626 u8 *plain, size_t len)
627 {
628 int ret;
629 size_t olen = 0;
630
631 ret = mbedtls_cipher_update(&ctx->ctx_dec, crypt, len, plain, &olen);
632 if (ret != 0) {
633 return -1;
634 }
635
636 ret = mbedtls_cipher_finish(&ctx->ctx_dec, plain + olen, &olen);
637 if (ret != 0) {
638 return -1;
639 }
640
641 return 0;
642 }
643
crypto_cipher_deinit(struct crypto_cipher * ctx)644 void crypto_cipher_deinit(struct crypto_cipher *ctx)
645 {
646 mbedtls_cipher_free(&ctx->ctx_enc);
647 mbedtls_cipher_free(&ctx->ctx_dec);
648 os_free(ctx);
649 }
650 #endif
651
aes_ctr_encrypt(const u8 * key,size_t key_len,const u8 * nonce,u8 * data,size_t data_len)652 int aes_ctr_encrypt(const u8 *key, size_t key_len, const u8 *nonce,
653 u8 *data, size_t data_len)
654 {
655 int ret;
656 mbedtls_aes_context ctx;
657 uint8_t stream_block[MBEDTLS_AES_BLOCK_SIZE];
658 size_t offset = 0;
659
660 mbedtls_aes_init(&ctx);
661 ret = mbedtls_aes_setkey_enc(&ctx, key, key_len * 8);
662 if (ret < 0) {
663 goto cleanup;
664 }
665 ret = mbedtls_aes_crypt_ctr(&ctx, data_len, &offset, (u8 *)nonce,
666 stream_block, data, data);
667 cleanup:
668 mbedtls_aes_free(&ctx);
669 return ret;
670 }
671
aes_128_ctr_encrypt(const u8 * key,const u8 * nonce,u8 * data,size_t data_len)672 int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
673 u8 *data, size_t data_len)
674 {
675 return aes_ctr_encrypt(key, 16, nonce, data, data_len);
676 }
677
678
679 #ifdef MBEDTLS_NIST_KW_C
aes_wrap(const u8 * kek,size_t kek_len,int n,const u8 * plain,u8 * cipher)680 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
681 {
682 mbedtls_nist_kw_context ctx;
683 size_t olen;
684 int ret = 0;
685 mbedtls_nist_kw_init(&ctx);
686
687 ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
688 kek, kek_len * 8, 1);
689 if (ret != 0) {
690 return ret;
691 }
692
693 ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KW, plain,
694 n * 8, cipher, &olen, (n + 1) * 8);
695
696 mbedtls_nist_kw_free(&ctx);
697 return ret;
698 }
699
aes_unwrap(const u8 * kek,size_t kek_len,int n,const u8 * cipher,u8 * plain)700 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
701 u8 *plain)
702 {
703 mbedtls_nist_kw_context ctx;
704 size_t olen;
705 int ret = 0;
706 mbedtls_nist_kw_init(&ctx);
707
708 ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
709 kek, kek_len * 8, 0);
710 if (ret != 0) {
711 return ret;
712 }
713
714 ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KW, cipher,
715 (n + 1) * 8, plain, &olen, (n * 8));
716
717 mbedtls_nist_kw_free(&ctx);
718 return ret;
719 }
720 #endif
721
crypto_mod_exp(const uint8_t * base,size_t base_len,const uint8_t * power,size_t power_len,const uint8_t * modulus,size_t modulus_len,uint8_t * result,size_t * result_len)722 int crypto_mod_exp(const uint8_t *base, size_t base_len,
723 const uint8_t *power, size_t power_len,
724 const uint8_t *modulus, size_t modulus_len,
725 uint8_t *result, size_t *result_len)
726 {
727 mbedtls_mpi bn_base, bn_exp, bn_modulus, bn_result, bn_rinv;
728 int ret = 0;
729
730 mbedtls_mpi_init(&bn_base);
731 mbedtls_mpi_init(&bn_exp);
732 mbedtls_mpi_init(&bn_modulus);
733 mbedtls_mpi_init(&bn_result);
734 mbedtls_mpi_init(&bn_rinv);
735
736 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&bn_base, base, base_len));
737 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&bn_exp, power, power_len));
738 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&bn_modulus, modulus, modulus_len));
739
740 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&bn_result, &bn_base, &bn_exp, &bn_modulus,
741 &bn_rinv));
742
743 ret = mbedtls_mpi_write_binary(&bn_result, result, *result_len);
744
745 cleanup:
746 mbedtls_mpi_free(&bn_base);
747 mbedtls_mpi_free(&bn_exp);
748 mbedtls_mpi_free(&bn_modulus);
749 mbedtls_mpi_free(&bn_result);
750 mbedtls_mpi_free(&bn_rinv);
751
752 return ret;
753 }
754
pbkdf2_sha1(const char * passphrase,const u8 * ssid,size_t ssid_len,int iterations,u8 * buf,size_t buflen)755 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
756 int iterations, u8 *buf, size_t buflen)
757 {
758 int ret = mbedtls_pkcs5_pbkdf2_hmac_ext(MBEDTLS_MD_SHA1, (const u8 *) passphrase,
759 os_strlen(passphrase) , ssid,
760 ssid_len, iterations, 32, buf);
761 if (ret != 0) {
762 ret = -1;
763 goto cleanup;
764 }
765
766 cleanup:
767 return ret;
768 }
769
770 #ifdef MBEDTLS_DES_C
des_encrypt(const u8 * clear,const u8 * key,u8 * cypher)771 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
772 {
773 int ret;
774 mbedtls_des_context des;
775 u8 pkey[8], next, tmp;
776 int i;
777
778 /* Add parity bits to the key */
779 next = 0;
780 for (i = 0; i < 7; i++) {
781 tmp = key[i];
782 pkey[i] = (tmp >> i) | next | 1;
783 next = tmp << (7 - i);
784 }
785 pkey[i] = next | 1;
786
787 mbedtls_des_init(&des);
788 ret = mbedtls_des_setkey_enc(&des, pkey);
789 if (ret < 0) {
790 return ret;
791 }
792 ret = mbedtls_des_crypt_ecb(&des, clear, cypher);
793 mbedtls_des_free(&des);
794
795 return ret;
796 }
797 #endif
798
799 /* Only enable this if all other ciphers are using MbedTLS implementation */
800 #if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_CMAC_C) && defined(MBEDTLS_NIST_KW_C)
aes_ccm_ae(const u8 * key,size_t key_len,const u8 * nonce,size_t M,const u8 * plain,size_t plain_len,const u8 * aad,size_t aad_len,u8 * crypt,u8 * auth)801 int aes_ccm_ae(const u8 *key, size_t key_len, const u8 *nonce,
802 size_t M, const u8 *plain, size_t plain_len,
803 const u8 *aad, size_t aad_len, u8 *crypt, u8 *auth)
804 {
805 int ret;
806 mbedtls_ccm_context ccm;
807
808 mbedtls_ccm_init(&ccm);
809
810 ret = mbedtls_ccm_setkey(&ccm, MBEDTLS_CIPHER_ID_AES,
811 key, key_len * 8);
812 if (ret < 0) {
813 wpa_printf(MSG_ERROR, "mbedtls_ccm_setkey failed");
814 goto cleanup;
815 }
816
817 ret = mbedtls_ccm_encrypt_and_tag(&ccm, plain_len, nonce, 13, aad,
818 aad_len, plain, crypt, auth, M);
819
820 cleanup:
821 mbedtls_ccm_free(&ccm);
822
823 return ret;
824 }
825
aes_ccm_ad(const u8 * key,size_t key_len,const u8 * nonce,size_t M,const u8 * crypt,size_t crypt_len,const u8 * aad,size_t aad_len,const u8 * auth,u8 * plain)826 int aes_ccm_ad(const u8 *key, size_t key_len, const u8 *nonce,
827 size_t M, const u8 *crypt, size_t crypt_len,
828 const u8 *aad, size_t aad_len, const u8 *auth,
829 u8 *plain)
830 {
831 int ret;
832 mbedtls_ccm_context ccm;
833
834 mbedtls_ccm_init(&ccm);
835
836 ret = mbedtls_ccm_setkey(&ccm, MBEDTLS_CIPHER_ID_AES,
837 key, key_len * 8);
838 if (ret < 0) {
839 goto cleanup;;
840 }
841
842 ret = mbedtls_ccm_star_auth_decrypt(&ccm, crypt_len,
843 nonce, 13, aad, aad_len,
844 crypt, plain, auth, M);
845
846 cleanup:
847 mbedtls_ccm_free(&ccm);
848
849 return ret;
850 }
851 #endif
852
853 #ifdef MBEDTLS_CMAC_C
omac1_aes_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)854 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
855 const u8 *addr[], const size_t *len, u8 *mac)
856 {
857 const mbedtls_cipher_info_t *cipher_info;
858 int i, ret = 0;
859 mbedtls_cipher_type_t cipher_type;
860 mbedtls_cipher_context_t ctx;
861
862 switch (key_len) {
863 case 16:
864 cipher_type = MBEDTLS_CIPHER_AES_128_ECB;
865 break;
866 case 24:
867 cipher_type = MBEDTLS_CIPHER_AES_192_ECB;
868 break;
869 case 32:
870 cipher_type = MBEDTLS_CIPHER_AES_256_ECB;
871 break;
872 default:
873 cipher_type = MBEDTLS_CIPHER_NONE;
874 break;
875 }
876 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
877 if (cipher_info == NULL) {
878 /* Failing at this point must be due to a build issue */
879 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
880 goto cleanup;
881 }
882
883 if (key == NULL || mac == NULL) {
884 return -1;
885 }
886
887 mbedtls_cipher_init(&ctx);
888
889 ret = mbedtls_cipher_setup(&ctx, cipher_info);
890 if (ret != 0) {
891 goto cleanup;
892 }
893
894 ret = mbedtls_cipher_cmac_starts(&ctx, key, key_len * 8);
895 if (ret != 0) {
896 goto cleanup;
897 }
898
899 for (i = 0 ; i < num_elem; i++) {
900 ret = mbedtls_cipher_cmac_update(&ctx, addr[i], len[i]);
901 if (ret != 0) {
902 goto cleanup;
903 }
904 }
905
906 ret = mbedtls_cipher_cmac_finish(&ctx, mac);
907 cleanup:
908 mbedtls_cipher_free(&ctx);
909 return(ret);
910 }
911
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)912 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
913 const u8 *addr[], const size_t *len, u8 *mac)
914 {
915 return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
916 }
917
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)918 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
919 {
920 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
921 }
922 #endif
923
crypto_dh_init(u8 generator,const u8 * prime,size_t prime_len,u8 * privkey,u8 * pubkey)924 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
925 u8 *pubkey)
926 {
927 size_t pubkey_len, pad;
928
929 if (os_get_random(privkey, prime_len) < 0) {
930 return -1;
931 }
932 if (os_memcmp(privkey, prime, prime_len) > 0) {
933 /* Make sure private value is smaller than prime */
934 privkey[0] = 0;
935 }
936
937 pubkey_len = prime_len;
938 if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
939 pubkey, &pubkey_len) < 0) {
940 return -1;
941 }
942 if (pubkey_len < prime_len) {
943 pad = prime_len - pubkey_len;
944 os_memmove(pubkey + pad, pubkey, pubkey_len);
945 os_memset(pubkey, 0, pad);
946 }
947
948 return 0;
949 }
950
crypto_global_init(void)951 int crypto_global_init(void)
952 {
953 return 0;
954 }
955
crypto_global_deinit(void)956 void crypto_global_deinit(void)
957 {
958 }
959
