1 /*
2 * SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6 #ifdef ESP_PLATFORM
7 #include "esp_system.h"
8 #endif
9
10 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "crypto.h"
13 #include "random.h"
14 #include "sha256.h"
15
16 #include "mbedtls/ecp.h"
17 #include "mbedtls/entropy.h"
18 #include "mbedtls/ctr_drbg.h"
19 #include "mbedtls/md.h"
20 #include "mbedtls/aes.h"
21 #include "mbedtls/bignum.h"
22 #include "mbedtls/pkcs5.h"
23 #include "mbedtls/cmac.h"
24 #include "mbedtls/nist_kw.h"
25 #include "mbedtls/des.h"
26 #include "mbedtls/ccm.h"
27
28 #include "common.h"
29 #include "utils/wpabuf.h"
30 #include "dh_group5.h"
31 #include "md5.h"
32 #include "sha1.h"
33 #include "sha256.h"
34 #include "sha384.h"
35 #include "aes_wrap.h"
36 #include "crypto.h"
37 #ifdef ESPRESSIF_USE
38 #include "mbedtls/esp_config.h"
39 #else
40 #if defined(CONFIG_MBEDTLS)
41 #if !defined(CONFIG_MBEDTLS_CFG_FILE)
42 #include "mbedtls/config.h"
43 #else
44 #include CONFIG_MBEDTLS_CFG_FILE
45 #endif /* CONFIG_MBEDTLS_CFG_FILE */
46 #endif
47 #endif
48
49 #ifdef CONFIG_FAST_PBKDF2
50 #include "fastpbkdf2.h"
51 #endif
52
digest_vector(mbedtls_md_type_t md_type,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)53 static int digest_vector(mbedtls_md_type_t md_type, size_t num_elem,
54 const u8 *addr[], const size_t *len, u8 *mac)
55 {
56 size_t i;
57 const mbedtls_md_info_t *md_info;
58 mbedtls_md_context_t md_ctx;
59 int ret;
60
61 mbedtls_md_init(&md_ctx);
62
63 md_info = mbedtls_md_info_from_type(md_type);
64 if (!md_info) {
65 wpa_printf(MSG_ERROR, "mbedtls_md_info_from_type() failed");
66 return -1;
67 }
68
69 ret = mbedtls_md_setup(&md_ctx, md_info, 0);
70 if (ret != 0) {
71 wpa_printf(MSG_ERROR, "mbedtls_md_setup() returned error");
72 goto cleanup;
73 }
74
75 ret = mbedtls_md_starts(&md_ctx);
76 if (ret != 0) {
77 wpa_printf(MSG_ERROR, "mbedtls_md_starts returned error");
78 goto cleanup;
79 }
80
81 for (i = 0; i < num_elem; i++) {
82 ret = mbedtls_md_update(&md_ctx, addr[i], len[i]);
83 if (ret != 0) {
84 wpa_printf(MSG_ERROR, "mbedtls_md_update ret=%d", ret);
85 goto cleanup;
86 }
87 }
88
89 ret = mbedtls_md_finish(&md_ctx, mac);
90 cleanup:
91 mbedtls_md_free(&md_ctx);
92
93 return ret;
94
95 }
96
sha256_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)97 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
98 u8 *mac)
99 {
100 return digest_vector(MBEDTLS_MD_SHA256, num_elem, addr, len, mac);
101 }
102
sha384_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)103 int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
104 u8 *mac)
105 {
106 return digest_vector(MBEDTLS_MD_SHA384, num_elem, addr, len, mac);
107 }
108
sha512_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)109 int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
110 u8 *mac)
111 {
112 return digest_vector(MBEDTLS_MD_SHA512, num_elem, addr, len, mac);
113 }
114
sha1_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)115 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
116 {
117 return digest_vector(MBEDTLS_MD_SHA1, num_elem, addr, len, mac);
118 }
119
md5_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)120 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
121 {
122 return digest_vector(MBEDTLS_MD_MD5, num_elem, addr, len, mac);
123 }
124
125 #ifdef MBEDTLS_MD4_C
md4_vector(size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)126 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
127 {
128 return digest_vector(MBEDTLS_MD_MD4, num_elem, addr, len, mac);
129 }
130 #endif
131
crypto_hash_init(enum crypto_hash_alg alg,const u8 * key,size_t key_len)132 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
133 size_t key_len)
134 {
135 mbedtls_md_context_t *ctx = NULL;
136 mbedtls_md_type_t md_type;
137 const mbedtls_md_info_t *md_info;
138 int ret;
139 int is_hmac = 0;
140
141 switch (alg) {
142 case CRYPTO_HASH_ALG_MD5:
143 case CRYPTO_HASH_ALG_HMAC_MD5:
144 md_type = MBEDTLS_MD_MD5;
145 break;
146 case CRYPTO_HASH_ALG_SHA1:
147 case CRYPTO_HASH_ALG_HMAC_SHA1:
148 md_type = MBEDTLS_MD_SHA1;
149 break;
150 case CRYPTO_HASH_ALG_SHA256:
151 case CRYPTO_HASH_ALG_HMAC_SHA256:
152 md_type = MBEDTLS_MD_SHA256;
153 break;
154 case CRYPTO_HASH_ALG_SHA384:
155 md_type = MBEDTLS_MD_SHA384;
156 break;
157 case CRYPTO_HASH_ALG_SHA512:
158 md_type = MBEDTLS_MD_SHA512;
159 break;
160 default:
161 return NULL;
162 }
163
164 switch (alg) {
165 case CRYPTO_HASH_ALG_HMAC_MD5:
166 case CRYPTO_HASH_ALG_HMAC_SHA1:
167 case CRYPTO_HASH_ALG_HMAC_SHA256:
168 is_hmac = 1;
169 break;
170 default:
171 break;
172 }
173 ctx = os_zalloc(sizeof(*ctx));
174 if (ctx == NULL) {
175 return NULL;
176 }
177
178 mbedtls_md_init(ctx);
179 md_info = mbedtls_md_info_from_type(md_type);
180 if (!md_info) {
181 goto cleanup;
182 }
183 if (mbedtls_md_setup(ctx, md_info, is_hmac) != 0) {
184 goto cleanup;
185 }
186 if (is_hmac) {
187 ret = mbedtls_md_hmac_starts(ctx, key, key_len);
188 } else {
189 ret = mbedtls_md_starts(ctx);
190 }
191 if (ret < 0) {
192 goto cleanup;
193 }
194
195 return (struct crypto_hash *)ctx;
196 cleanup:
197 mbedtls_md_free(ctx);
198 os_free(ctx);
199 return NULL;
200 }
201
crypto_hash_update(struct crypto_hash * crypto_ctx,const u8 * data,size_t len)202 void crypto_hash_update(struct crypto_hash *crypto_ctx, const u8 *data, size_t len)
203 {
204 int ret;
205 mbedtls_md_context_t *ctx = (mbedtls_md_context_t *)crypto_ctx;
206
207 if (ctx == NULL) {
208 return;
209 }
210 if (ctx->MBEDTLS_PRIVATE(hmac_ctx)) {
211 ret = mbedtls_md_hmac_update(ctx, data, len);
212 } else {
213 ret = mbedtls_md_update(ctx, data, len);
214 }
215 if (ret != 0) {
216 wpa_printf(MSG_ERROR, "%s: mbedtls_md_hmac_update failed", __func__);
217 }
218 }
219
crypto_hash_finish(struct crypto_hash * crypto_ctx,u8 * mac,size_t * len)220 int crypto_hash_finish(struct crypto_hash *crypto_ctx, u8 *mac, size_t *len)
221 {
222 int ret = 0;
223 mbedtls_md_type_t md_type;
224 mbedtls_md_context_t *ctx = (mbedtls_md_context_t *)crypto_ctx;
225
226 if (ctx == NULL) {
227 return -2;
228 }
229
230 if (mac == NULL || len == NULL) {
231 goto err;
232 }
233
234 md_type = mbedtls_md_get_type(mbedtls_md_info_from_ctx(ctx));
235 switch(md_type) {
236 case MBEDTLS_MD_MD5:
237 if (*len < MD5_MAC_LEN) {
238 *len = MD5_MAC_LEN;
239 ret = -1;
240 goto err;
241 }
242 *len = MD5_MAC_LEN;
243 break;
244 case MBEDTLS_MD_SHA1:
245 if (*len < SHA1_MAC_LEN) {
246 *len = SHA1_MAC_LEN;
247 ret = -1;
248 goto err;
249 }
250 *len = SHA1_MAC_LEN;
251 break;
252 case MBEDTLS_MD_SHA256:
253 if (*len < SHA256_MAC_LEN) {
254 *len = SHA256_MAC_LEN;
255 ret = -1;
256 goto err;
257 }
258 *len = SHA256_MAC_LEN;
259 break;
260 case MBEDTLS_MD_SHA384:
261 if (*len < SHA384_MAC_LEN) {
262 *len = SHA384_MAC_LEN;
263 ret = -1;
264 goto err;
265 }
266 *len = SHA384_MAC_LEN;
267 break;
268 case MBEDTLS_MD_SHA512:
269 if (*len < SHA512_MAC_LEN) {
270 *len = SHA512_MAC_LEN;
271 ret = -1;
272 goto err;
273 }
274 *len = SHA512_MAC_LEN;
275 break;
276 default:
277 *len = 0;
278 ret = -1;
279 goto err;
280 }
281 if (ctx->MBEDTLS_PRIVATE(hmac_ctx)) {
282 ret = mbedtls_md_hmac_finish(ctx, mac);
283 } else {
284 ret = mbedtls_md_finish(ctx, mac);
285 }
286
287 err:
288 mbedtls_md_free(ctx);
289 bin_clear_free(ctx, sizeof(*ctx));
290
291 return ret;
292 }
293
hmac_vector(mbedtls_md_type_t md_type,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)294 static int hmac_vector(mbedtls_md_type_t md_type,
295 const u8 *key, size_t key_len,
296 size_t num_elem, const u8 *addr[],
297 const size_t *len, u8 *mac)
298 {
299 size_t i;
300 const mbedtls_md_info_t *md_info;
301 mbedtls_md_context_t md_ctx;
302 int ret;
303
304 mbedtls_md_init(&md_ctx);
305
306 md_info = mbedtls_md_info_from_type(md_type);
307 if (!md_info) {
308 return -1;
309 }
310
311 ret = mbedtls_md_setup(&md_ctx, md_info, 1);
312 if (ret != 0) {
313 return(ret);
314 }
315
316 ret = mbedtls_md_hmac_starts(&md_ctx, key, key_len);
317 if (ret != 0) {
318 return(ret);
319 }
320
321 for (i = 0; i < num_elem; i++) {
322 ret = mbedtls_md_hmac_update(&md_ctx, addr[i], len[i]);
323 if (ret != 0) {
324 return(ret);
325 }
326
327 }
328
329 ret = mbedtls_md_hmac_finish(&md_ctx, mac);
330
331 mbedtls_md_free(&md_ctx);
332
333 return ret;
334 }
335
hmac_sha384_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)336 int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
337 const u8 *addr[], const size_t *len, u8 *mac)
338 {
339 return hmac_vector(MBEDTLS_MD_SHA384, key, key_len, num_elem, addr,
340 len, mac);
341 }
342
343
hmac_sha384(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)344 int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
345 size_t data_len, u8 *mac)
346 {
347 return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
348 }
349
hmac_sha256_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)350 int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
351 const u8 *addr[], const size_t *len, u8 *mac)
352 {
353 return hmac_vector(MBEDTLS_MD_SHA256, key, key_len, num_elem, addr,
354 len, mac);
355 }
356
hmac_sha256(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)357 int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
358 size_t data_len, u8 *mac)
359 {
360 return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
361 }
362
hmac_md5_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)363 int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
364 const u8 *addr[], const size_t *len, u8 *mac)
365 {
366 return hmac_vector(MBEDTLS_MD_MD5, key, key_len,
367 num_elem, addr, len, mac);
368 }
369
hmac_md5(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)370 int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
371 u8 *mac)
372 {
373 return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
374 }
375
hmac_sha1_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)376 int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
377 const u8 *addr[], const size_t *len, u8 *mac)
378 {
379 return hmac_vector(MBEDTLS_MD_SHA1, key, key_len, num_elem, addr,
380 len, mac);
381 }
382
hmac_sha1(const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * mac)383 int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
384 u8 *mac)
385 {
386 return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
387 }
388
aes_crypt_init(int mode,const u8 * key,size_t len)389 static void *aes_crypt_init(int mode, const u8 *key, size_t len)
390 {
391 int ret = -1;
392 mbedtls_aes_context *aes = os_malloc(sizeof(*aes));
393 if (!aes) {
394 return NULL;
395 }
396 mbedtls_aes_init(aes);
397
398 if (mode == MBEDTLS_AES_ENCRYPT) {
399 ret = mbedtls_aes_setkey_enc(aes, key, len * 8);
400 } else if (mode == MBEDTLS_AES_DECRYPT){
401 ret = mbedtls_aes_setkey_dec(aes, key, len * 8);
402 }
403 if (ret < 0) {
404 mbedtls_aes_free(aes);
405 os_free(aes);
406 wpa_printf(MSG_ERROR, "%s: mbedtls_aes_setkey_enc/mbedtls_aes_setkey_dec failed", __func__);
407 return NULL;
408 }
409
410 return (void *) aes;
411 }
412
aes_crypt(void * ctx,int mode,const u8 * in,u8 * out)413 static int aes_crypt(void *ctx, int mode, const u8 *in, u8 *out)
414 {
415 return mbedtls_aes_crypt_ecb((mbedtls_aes_context *)ctx,
416 mode, in, out);
417 }
418
aes_crypt_deinit(void * ctx)419 static void aes_crypt_deinit(void *ctx)
420 {
421 mbedtls_aes_free((mbedtls_aes_context *)ctx);
422 os_free(ctx);
423 }
424
aes_encrypt_init(const u8 * key,size_t len)425 void *aes_encrypt_init(const u8 *key, size_t len)
426 {
427 return aes_crypt_init(MBEDTLS_AES_ENCRYPT, key, len);
428 }
429
aes_encrypt(void * ctx,const u8 * plain,u8 * crypt)430 int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
431 {
432 return aes_crypt(ctx, MBEDTLS_AES_ENCRYPT, plain, crypt);
433 }
434
aes_encrypt_deinit(void * ctx)435 void aes_encrypt_deinit(void *ctx)
436 {
437 return aes_crypt_deinit(ctx);
438 }
439
aes_decrypt_init(const u8 * key,size_t len)440 void * aes_decrypt_init(const u8 *key, size_t len)
441 {
442 return aes_crypt_init(MBEDTLS_AES_DECRYPT, key, len);
443 }
444
aes_decrypt(void * ctx,const u8 * crypt,u8 * plain)445 int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
446 {
447 return aes_crypt(ctx, MBEDTLS_AES_DECRYPT, crypt, plain);
448 }
449
aes_decrypt_deinit(void * ctx)450 void aes_decrypt_deinit(void *ctx)
451 {
452 return aes_crypt_deinit(ctx);
453 }
454
aes_128_cbc_encrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)455 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
456 {
457 int ret = 0;
458 mbedtls_aes_context ctx;
459 u8 cbc[MBEDTLS_AES_BLOCK_SIZE];
460
461 mbedtls_aes_init(&ctx);
462
463 ret = mbedtls_aes_setkey_enc(&ctx, key, 128);
464 if (ret < 0) {
465 mbedtls_aes_free(&ctx);
466 return ret;
467 }
468
469 os_memcpy(cbc, iv, MBEDTLS_AES_BLOCK_SIZE);
470 ret = mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_ENCRYPT,
471 data_len, cbc, data, data);
472 mbedtls_aes_free(&ctx);
473
474 return ret;
475 }
476
aes_128_cbc_decrypt(const u8 * key,const u8 * iv,u8 * data,size_t data_len)477 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
478 {
479 int ret = 0;
480 mbedtls_aes_context ctx;
481 u8 cbc[MBEDTLS_AES_BLOCK_SIZE];
482
483 mbedtls_aes_init(&ctx);
484
485 ret = mbedtls_aes_setkey_dec(&ctx, key, 128);
486 if (ret < 0) {
487 mbedtls_aes_free(&ctx);
488 return ret;
489 }
490
491 os_memcpy(cbc, iv, MBEDTLS_AES_BLOCK_SIZE);
492 ret = mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_DECRYPT,
493 data_len, cbc, data, data);
494 mbedtls_aes_free(&ctx);
495
496 return ret;
497
498 }
499
500 #ifdef CONFIG_TLS_INTERNAL_CLIENT
501 struct crypto_cipher {
502 mbedtls_cipher_context_t ctx_enc;
503 mbedtls_cipher_context_t ctx_dec;
504 };
505
crypto_init_cipher_ctx(mbedtls_cipher_context_t * ctx,const mbedtls_cipher_info_t * cipher_info,const u8 * iv,const u8 * key,size_t key_len,mbedtls_operation_t operation)506 static int crypto_init_cipher_ctx(mbedtls_cipher_context_t *ctx,
507 const mbedtls_cipher_info_t *cipher_info,
508 const u8 *iv, const u8 *key, size_t key_len,
509 mbedtls_operation_t operation)
510 {
511 mbedtls_cipher_init(ctx);
512 int ret;
513
514 ret = mbedtls_cipher_setup(ctx, cipher_info);
515 if (ret != 0) {
516 return -1;
517 }
518
519 ret = mbedtls_cipher_setkey(ctx, key, key_len * 8, operation);
520 if (ret != 0) {
521 wpa_printf(MSG_ERROR, "mbedtls_cipher_setkey returned error=%d", ret);
522 return -1;
523 }
524 ret = mbedtls_cipher_set_iv(ctx, iv, cipher_info->MBEDTLS_PRIVATE(iv_size) << MBEDTLS_IV_SIZE_SHIFT);
525 if (ret != 0) {
526 wpa_printf(MSG_ERROR, "mbedtls_cipher_set_iv returned error=%d", ret);
527 return -1;
528 }
529 ret = mbedtls_cipher_reset(ctx);
530 if (ret != 0) {
531 wpa_printf(MSG_ERROR, "mbedtls_cipher_reset() returned error=%d", ret);
532 return -1;
533 }
534
535 return 0;
536 }
537
alg_to_mbedtls_cipher(enum crypto_cipher_alg alg,size_t key_len)538 static mbedtls_cipher_type_t alg_to_mbedtls_cipher(enum crypto_cipher_alg alg,
539 size_t key_len)
540 {
541 switch (alg) {
542 case CRYPTO_CIPHER_ALG_AES:
543 if (key_len == 16) {
544 return MBEDTLS_CIPHER_AES_128_CBC;
545 }
546 if (key_len == 24) {
547 return MBEDTLS_CIPHER_AES_192_CBC;
548 }
549 if (key_len == 32) {
550 return MBEDTLS_CIPHER_AES_256_CBC;
551 }
552 break;
553 #ifdef MBEDTLS_DES_C
554 case CRYPTO_CIPHER_ALG_3DES:
555 return MBEDTLS_CIPHER_DES_EDE3_CBC;
556 case CRYPTO_CIPHER_ALG_DES:
557 return MBEDTLS_CIPHER_DES_CBC;
558 #endif
559 default:
560 break;
561 }
562
563 return MBEDTLS_CIPHER_NONE;
564 }
565
crypto_cipher_init(enum crypto_cipher_alg alg,const u8 * iv,const u8 * key,size_t key_len)566 struct crypto_cipher *crypto_cipher_init(enum crypto_cipher_alg alg,
567 const u8 *iv, const u8 *key,
568 size_t key_len)
569 {
570 struct crypto_cipher *ctx;
571 mbedtls_cipher_type_t cipher_type;
572 const mbedtls_cipher_info_t *cipher_info;
573
574 ctx = (struct crypto_cipher *)os_zalloc(sizeof(*ctx));
575 if (!ctx) {
576 return NULL;
577 }
578
579 cipher_type = alg_to_mbedtls_cipher(alg, key_len);
580 if (cipher_type == MBEDTLS_CIPHER_NONE) {
581 goto cleanup;
582 }
583
584 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
585 if (cipher_info == NULL) {
586 goto cleanup;
587 }
588
589 /* Init both ctx encryption/decryption */
590 if (crypto_init_cipher_ctx(&ctx->ctx_enc, cipher_info, iv, key,
591 key_len, MBEDTLS_ENCRYPT) < 0) {
592 goto cleanup;
593 }
594
595 if (crypto_init_cipher_ctx(&ctx->ctx_dec, cipher_info, iv, key,
596 key_len, MBEDTLS_DECRYPT) < 0) {
597 goto cleanup;
598 }
599
600 if (mbedtls_cipher_set_padding_mode(&ctx->ctx_enc, MBEDTLS_PADDING_NONE) < 0) {
601 goto cleanup;
602 }
603 if (mbedtls_cipher_set_padding_mode(&ctx->ctx_dec, MBEDTLS_PADDING_NONE) < 0) {
604 goto cleanup;
605 }
606 return ctx;
607
608 cleanup:
609 os_free(ctx);
610 return NULL;
611 }
612
crypto_cipher_encrypt(struct crypto_cipher * ctx,const u8 * plain,u8 * crypt,size_t len)613 int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
614 u8 *crypt, size_t len)
615 {
616 int ret;
617 size_t olen = 0;
618
619 ret = mbedtls_cipher_update(&ctx->ctx_enc, plain, len, crypt, &olen);
620 if (ret != 0) {
621 return -1;
622 }
623
624 ret = mbedtls_cipher_finish(&ctx->ctx_enc, crypt + olen, &olen);
625 if (ret != 0) {
626 return -1;
627 }
628
629 return 0;
630 }
631
crypto_cipher_decrypt(struct crypto_cipher * ctx,const u8 * crypt,u8 * plain,size_t len)632 int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
633 u8 *plain, size_t len)
634 {
635 int ret;
636 size_t olen = 0;
637
638 ret = mbedtls_cipher_update(&ctx->ctx_dec, crypt, len, plain, &olen);
639 if (ret != 0) {
640 return -1;
641 }
642
643 ret = mbedtls_cipher_finish(&ctx->ctx_dec, plain + olen, &olen);
644 if (ret != 0) {
645 return -1;
646 }
647
648 return 0;
649 }
650
crypto_cipher_deinit(struct crypto_cipher * ctx)651 void crypto_cipher_deinit(struct crypto_cipher *ctx)
652 {
653 mbedtls_cipher_free(&ctx->ctx_enc);
654 mbedtls_cipher_free(&ctx->ctx_dec);
655 os_free(ctx);
656 }
657 #endif
658
aes_ctr_encrypt(const u8 * key,size_t key_len,const u8 * nonce,u8 * data,size_t data_len)659 int aes_ctr_encrypt(const u8 *key, size_t key_len, const u8 *nonce,
660 u8 *data, size_t data_len)
661 {
662 int ret;
663 mbedtls_aes_context ctx;
664 uint8_t stream_block[MBEDTLS_AES_BLOCK_SIZE];
665 size_t offset = 0;
666
667 mbedtls_aes_init(&ctx);
668 ret = mbedtls_aes_setkey_enc(&ctx, key, key_len * 8);
669 if (ret < 0) {
670 goto cleanup;
671 }
672 ret = mbedtls_aes_crypt_ctr(&ctx, data_len, &offset, (u8 *)nonce,
673 stream_block, data, data);
674 cleanup:
675 mbedtls_aes_free(&ctx);
676 return ret;
677 }
678
aes_128_ctr_encrypt(const u8 * key,const u8 * nonce,u8 * data,size_t data_len)679 int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
680 u8 *data, size_t data_len)
681 {
682 return aes_ctr_encrypt(key, 16, nonce, data, data_len);
683 }
684
685
686 #ifdef MBEDTLS_NIST_KW_C
aes_wrap(const u8 * kek,size_t kek_len,int n,const u8 * plain,u8 * cipher)687 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
688 {
689 mbedtls_nist_kw_context ctx;
690 size_t olen;
691 int ret = 0;
692 mbedtls_nist_kw_init(&ctx);
693
694 ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
695 kek, kek_len * 8, 1);
696 if (ret != 0) {
697 return ret;
698 }
699
700 ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KW, plain,
701 n * 8, cipher, &olen, (n + 1) * 8);
702
703 mbedtls_nist_kw_free(&ctx);
704 return ret;
705 }
706
aes_unwrap(const u8 * kek,size_t kek_len,int n,const u8 * cipher,u8 * plain)707 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
708 u8 *plain)
709 {
710 mbedtls_nist_kw_context ctx;
711 size_t olen;
712 int ret = 0;
713 mbedtls_nist_kw_init(&ctx);
714
715 ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
716 kek, kek_len * 8, 0);
717 if (ret != 0) {
718 return ret;
719 }
720
721 ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KW, cipher,
722 (n + 1) * 8, plain, &olen, (n * 8));
723
724 mbedtls_nist_kw_free(&ctx);
725 return ret;
726 }
727 #endif
728
crypto_mod_exp(const uint8_t * base,size_t base_len,const uint8_t * power,size_t power_len,const uint8_t * modulus,size_t modulus_len,uint8_t * result,size_t * result_len)729 int crypto_mod_exp(const uint8_t *base, size_t base_len,
730 const uint8_t *power, size_t power_len,
731 const uint8_t *modulus, size_t modulus_len,
732 uint8_t *result, size_t *result_len)
733 {
734 mbedtls_mpi bn_base, bn_exp, bn_modulus, bn_result, bn_rinv;
735 int ret = 0;
736
737 mbedtls_mpi_init(&bn_base);
738 mbedtls_mpi_init(&bn_exp);
739 mbedtls_mpi_init(&bn_modulus);
740 mbedtls_mpi_init(&bn_result);
741 mbedtls_mpi_init(&bn_rinv);
742
743 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&bn_base, base, base_len));
744 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&bn_exp, power, power_len));
745 MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&bn_modulus, modulus, modulus_len));
746
747 MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&bn_result, &bn_base, &bn_exp, &bn_modulus,
748 &bn_rinv));
749
750 ret = mbedtls_mpi_write_binary(&bn_result, result, *result_len);
751
752 cleanup:
753 mbedtls_mpi_free(&bn_base);
754 mbedtls_mpi_free(&bn_exp);
755 mbedtls_mpi_free(&bn_modulus);
756 mbedtls_mpi_free(&bn_result);
757 mbedtls_mpi_free(&bn_rinv);
758
759 return ret;
760 }
761
pbkdf2_sha1(const char * passphrase,const u8 * ssid,size_t ssid_len,int iterations,u8 * buf,size_t buflen)762 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
763 int iterations, u8 *buf, size_t buflen)
764 {
765 #ifdef CONFIG_FAST_PBKDF2
766 fastpbkdf2_hmac_sha1((const u8 *) passphrase, os_strlen(passphrase),
767 ssid, ssid_len, iterations, buf, buflen);
768 return 0;
769 #else
770 int ret = mbedtls_pkcs5_pbkdf2_hmac_ext(MBEDTLS_MD_SHA1, (const u8 *) passphrase,
771 os_strlen(passphrase) , ssid,
772 ssid_len, iterations, buflen, buf);
773 if (ret != 0) {
774 ret = -1;
775 goto cleanup;
776 }
777
778 cleanup:
779 return ret;
780 #endif
781 }
782
783 #ifdef MBEDTLS_DES_C
des_encrypt(const u8 * clear,const u8 * key,u8 * cypher)784 int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
785 {
786 int ret;
787 mbedtls_des_context des;
788 u8 pkey[8], next, tmp;
789 int i;
790
791 /* Add parity bits to the key */
792 next = 0;
793 for (i = 0; i < 7; i++) {
794 tmp = key[i];
795 pkey[i] = (tmp >> i) | next | 1;
796 next = tmp << (7 - i);
797 }
798 pkey[i] = next | 1;
799
800 mbedtls_des_init(&des);
801 ret = mbedtls_des_setkey_enc(&des, pkey);
802 if (ret < 0) {
803 return ret;
804 }
805 ret = mbedtls_des_crypt_ecb(&des, clear, cypher);
806 mbedtls_des_free(&des);
807
808 return ret;
809 }
810 #endif
811
812 /* Only enable this if all other ciphers are using MbedTLS implementation */
813 #if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_CMAC_C) && defined(MBEDTLS_NIST_KW_C)
aes_ccm_ae(const u8 * key,size_t key_len,const u8 * nonce,size_t M,const u8 * plain,size_t plain_len,const u8 * aad,size_t aad_len,u8 * crypt,u8 * auth)814 int aes_ccm_ae(const u8 *key, size_t key_len, const u8 *nonce,
815 size_t M, const u8 *plain, size_t plain_len,
816 const u8 *aad, size_t aad_len, u8 *crypt, u8 *auth)
817 {
818 int ret;
819 mbedtls_ccm_context ccm;
820
821 mbedtls_ccm_init(&ccm);
822
823 ret = mbedtls_ccm_setkey(&ccm, MBEDTLS_CIPHER_ID_AES,
824 key, key_len * 8);
825 if (ret < 0) {
826 wpa_printf(MSG_ERROR, "mbedtls_ccm_setkey failed");
827 goto cleanup;
828 }
829
830 ret = mbedtls_ccm_encrypt_and_tag(&ccm, plain_len, nonce, 13, aad,
831 aad_len, plain, crypt, auth, M);
832
833 cleanup:
834 mbedtls_ccm_free(&ccm);
835
836 return ret;
837 }
838
aes_ccm_ad(const u8 * key,size_t key_len,const u8 * nonce,size_t M,const u8 * crypt,size_t crypt_len,const u8 * aad,size_t aad_len,const u8 * auth,u8 * plain)839 int aes_ccm_ad(const u8 *key, size_t key_len, const u8 *nonce,
840 size_t M, const u8 *crypt, size_t crypt_len,
841 const u8 *aad, size_t aad_len, const u8 *auth,
842 u8 *plain)
843 {
844 int ret;
845 mbedtls_ccm_context ccm;
846
847 mbedtls_ccm_init(&ccm);
848
849 ret = mbedtls_ccm_setkey(&ccm, MBEDTLS_CIPHER_ID_AES,
850 key, key_len * 8);
851 if (ret < 0) {
852 goto cleanup;;
853 }
854
855 ret = mbedtls_ccm_star_auth_decrypt(&ccm, crypt_len,
856 nonce, 13, aad, aad_len,
857 crypt, plain, auth, M);
858
859 cleanup:
860 mbedtls_ccm_free(&ccm);
861
862 return ret;
863 }
864 #endif
865
866 #ifdef MBEDTLS_CMAC_C
omac1_aes_vector(const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)867 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
868 const u8 *addr[], const size_t *len, u8 *mac)
869 {
870 const mbedtls_cipher_info_t *cipher_info;
871 int i, ret = 0;
872 mbedtls_cipher_type_t cipher_type;
873 mbedtls_cipher_context_t ctx;
874
875 switch (key_len) {
876 case 16:
877 cipher_type = MBEDTLS_CIPHER_AES_128_ECB;
878 break;
879 case 24:
880 cipher_type = MBEDTLS_CIPHER_AES_192_ECB;
881 break;
882 case 32:
883 cipher_type = MBEDTLS_CIPHER_AES_256_ECB;
884 break;
885 default:
886 cipher_type = MBEDTLS_CIPHER_NONE;
887 break;
888 }
889 cipher_info = mbedtls_cipher_info_from_type(cipher_type);
890 if (cipher_info == NULL) {
891 /* Failing at this point must be due to a build issue */
892 ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
893 goto cleanup;
894 }
895
896 if (key == NULL || mac == NULL) {
897 return -1;
898 }
899
900 mbedtls_cipher_init(&ctx);
901
902 ret = mbedtls_cipher_setup(&ctx, cipher_info);
903 if (ret != 0) {
904 goto cleanup;
905 }
906
907 ret = mbedtls_cipher_cmac_starts(&ctx, key, key_len * 8);
908 if (ret != 0) {
909 goto cleanup;
910 }
911
912 for (i = 0 ; i < num_elem; i++) {
913 ret = mbedtls_cipher_cmac_update(&ctx, addr[i], len[i]);
914 if (ret != 0) {
915 goto cleanup;
916 }
917 }
918
919 ret = mbedtls_cipher_cmac_finish(&ctx, mac);
920 cleanup:
921 mbedtls_cipher_free(&ctx);
922 return(ret);
923 }
924
omac1_aes_128_vector(const u8 * key,size_t num_elem,const u8 * addr[],const size_t * len,u8 * mac)925 int omac1_aes_128_vector(const u8 *key, size_t num_elem,
926 const u8 *addr[], const size_t *len, u8 *mac)
927 {
928 return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
929 }
930
omac1_aes_128(const u8 * key,const u8 * data,size_t data_len,u8 * mac)931 int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
932 {
933 return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
934 }
935 #endif
936
crypto_dh_init(u8 generator,const u8 * prime,size_t prime_len,u8 * privkey,u8 * pubkey)937 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
938 u8 *pubkey)
939 {
940 size_t pubkey_len, pad;
941
942 if (os_get_random(privkey, prime_len) < 0) {
943 return -1;
944 }
945 if (os_memcmp(privkey, prime, prime_len) > 0) {
946 /* Make sure private value is smaller than prime */
947 privkey[0] = 0;
948 }
949
950 pubkey_len = prime_len;
951 if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
952 pubkey, &pubkey_len) < 0) {
953 return -1;
954 }
955 if (pubkey_len < prime_len) {
956 pad = prime_len - pubkey_len;
957 os_memmove(pubkey + pad, pubkey, pubkey_len);
958 os_memset(pubkey, 0, pad);
959 }
960
961 return 0;
962 }
963
crypto_global_init(void)964 int crypto_global_init(void)
965 {
966 return 0;
967 }
968
crypto_global_deinit(void)969 void crypto_global_deinit(void)
970 {
971 }
972
