diff options
Diffstat (limited to 'src/common/dpp.c')
-rw-r--r-- | src/common/dpp.c | 175 |
1 files changed, 66 insertions, 109 deletions
diff --git a/src/common/dpp.c b/src/common/dpp.c index 3c8c7682d514..1fd074f05627 100644 --- a/src/common/dpp.c +++ b/src/common/dpp.c @@ -8,8 +8,6 @@ */ #include "utils/includes.h" -#include <openssl/opensslv.h> -#include <openssl/err.h> #include "utils/common.h" #include "utils/base64.h" @@ -38,22 +36,6 @@ int dpp_version_override = 1; enum dpp_test_behavior dpp_test = DPP_TEST_DISABLED; #endif /* CONFIG_TESTING_OPTIONS */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ - (defined(LIBRESSL_VERSION_NUMBER) && \ - LIBRESSL_VERSION_NUMBER < 0x20700000L) -/* Compatibility wrappers for older versions. */ - -#ifdef CONFIG_DPP2 -static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) -{ - if (pkey->type != EVP_PKEY_EC) - return NULL; - return pkey->pkey.ec; -} -#endif /* CONFIG_DPP2 */ - -#endif - void dpp_auth_fail(struct dpp_authentication *auth, const char *txt) { @@ -180,7 +162,7 @@ void dpp_bootstrap_info_free(struct dpp_bootstrap_info *info) os_free(info->info); os_free(info->chan); os_free(info->pk); - EVP_PKEY_free(info->pubkey); + crypto_ec_key_deinit(info->pubkey); str_clear_free(info->configurator_params); os_free(info); } @@ -1268,9 +1250,9 @@ void dpp_auth_deinit(struct dpp_authentication *auth) dpp_configuration_free(auth->conf2_ap); dpp_configuration_free(auth->conf_sta); dpp_configuration_free(auth->conf2_sta); - EVP_PKEY_free(auth->own_protocol_key); - EVP_PKEY_free(auth->peer_protocol_key); - EVP_PKEY_free(auth->reconfig_old_protocol_key); + crypto_ec_key_deinit(auth->own_protocol_key); + crypto_ec_key_deinit(auth->peer_protocol_key); + crypto_ec_key_deinit(auth->reconfig_old_protocol_key); wpabuf_free(auth->req_msg); wpabuf_free(auth->resp_msg); wpabuf_free(auth->conf_req); @@ -1360,14 +1342,15 @@ dpp_build_conf_start(struct dpp_authentication *auth, } -int dpp_build_jwk(struct wpabuf *buf, const char *name, EVP_PKEY *key, - const char *kid, const struct dpp_curve_params *curve) +int dpp_build_jwk(struct wpabuf *buf, const char *name, + struct crypto_ec_key *key, const char *kid, + const struct dpp_curve_params *curve) { struct wpabuf *pub; const u8 *pos; int ret = -1; - pub = dpp_get_pubkey_point(key, 0); + pub = crypto_ec_key_get_pubkey_point(key, 0); if (!pub) goto fail; @@ -2160,14 +2143,13 @@ static int dpp_parse_cred_legacy(struct dpp_config_obj *conf, } -EVP_PKEY * dpp_parse_jwk(struct json_token *jwk, - const struct dpp_curve_params **key_curve) +struct crypto_ec_key * dpp_parse_jwk(struct json_token *jwk, + const struct dpp_curve_params **key_curve) { struct json_token *token; const struct dpp_curve_params *curve; struct wpabuf *x = NULL, *y = NULL; - EC_GROUP *group; - EVP_PKEY *pkey = NULL; + struct crypto_ec_key *key = NULL; token = json_get_member(jwk, "kty"); if (!token || token->type != JSON_STRING) { @@ -2220,22 +2202,18 @@ EVP_PKEY * dpp_parse_jwk(struct json_token *jwk, goto fail; } - group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name)); - if (!group) { - wpa_printf(MSG_DEBUG, "DPP: Could not prepare group for JWK"); + key = crypto_ec_key_set_pub(curve->ike_group, wpabuf_head(x), + wpabuf_head(y), wpabuf_len(x)); + if (!key) goto fail; - } - pkey = dpp_set_pubkey_point_group(group, wpabuf_head(x), wpabuf_head(y), - wpabuf_len(x)); - EC_GROUP_free(group); *key_curve = curve; fail: wpabuf_free(x); wpabuf_free(y); - return pkey; + return key; } @@ -2325,7 +2303,7 @@ static int dpp_parse_connector(struct dpp_authentication *auth, { struct json_token *root, *groups, *netkey, *token; int ret = -1; - EVP_PKEY *key = NULL; + struct crypto_ec_key *key = NULL; const struct dpp_curve_params *curve; unsigned int rules = 0; @@ -2392,7 +2370,7 @@ skip_groups: goto fail; dpp_debug_print_key("DPP: Received netAccessKey", key); - if (EVP_PKEY_cmp(key, auth->own_protocol_key) != 1) { + if (crypto_ec_key_cmp(key, auth->own_protocol_key)) { wpa_printf(MSG_DEBUG, "DPP: netAccessKey in connector does not match own protocol key"); #ifdef CONFIG_TESTING_OPTIONS @@ -2409,47 +2387,45 @@ skip_groups: ret = 0; fail: - EVP_PKEY_free(key); + crypto_ec_key_deinit(key); json_free(root); return ret; } -static void dpp_copy_csign(struct dpp_config_obj *conf, EVP_PKEY *csign) +static void dpp_copy_csign(struct dpp_config_obj *conf, + struct crypto_ec_key *csign) { - unsigned char *der = NULL; - int der_len; + struct wpabuf *c_sign_key; - der_len = i2d_PUBKEY(csign, &der); - if (der_len <= 0) + c_sign_key = crypto_ec_key_get_subject_public_key(csign); + if (!c_sign_key) return; + wpabuf_free(conf->c_sign_key); - conf->c_sign_key = wpabuf_alloc_copy(der, der_len); - OPENSSL_free(der); + conf->c_sign_key = c_sign_key; } -static void dpp_copy_ppkey(struct dpp_config_obj *conf, EVP_PKEY *ppkey) +static void dpp_copy_ppkey(struct dpp_config_obj *conf, + struct crypto_ec_key *ppkey) { - unsigned char *der = NULL; - int der_len; + struct wpabuf *pp_key; - der_len = i2d_PUBKEY(ppkey, &der); - if (der_len <= 0) + pp_key = crypto_ec_key_get_subject_public_key(ppkey); + if (!pp_key) return; + wpabuf_free(conf->pp_key); - conf->pp_key = wpabuf_alloc_copy(der, der_len); - OPENSSL_free(der); + conf->pp_key = pp_key; } static void dpp_copy_netaccesskey(struct dpp_authentication *auth, struct dpp_config_obj *conf) { - unsigned char *der = NULL; - int der_len; - EC_KEY *eckey; - EVP_PKEY *own_key; + struct wpabuf *net_access_key; + struct crypto_ec_key *own_key; own_key = auth->own_protocol_key; #ifdef CONFIG_DPP2 @@ -2457,19 +2433,13 @@ static void dpp_copy_netaccesskey(struct dpp_authentication *auth, auth->reconfig_old_protocol_key) own_key = auth->reconfig_old_protocol_key; #endif /* CONFIG_DPP2 */ - eckey = EVP_PKEY_get1_EC_KEY(own_key); - if (!eckey) - return; - der_len = i2d_ECPrivateKey(eckey, &der); - if (der_len <= 0) { - EC_KEY_free(eckey); + net_access_key = crypto_ec_key_get_ecprivate_key(own_key, true); + if (!net_access_key) return; - } + wpabuf_free(auth->net_access_key); - auth->net_access_key = wpabuf_alloc_copy(der, der_len); - OPENSSL_free(der); - EC_KEY_free(eckey); + auth->net_access_key = net_access_key; } @@ -2480,7 +2450,7 @@ static int dpp_parse_cred_dpp(struct dpp_authentication *auth, struct dpp_signed_connector_info info; struct json_token *token, *csign, *ppkey; int ret = -1; - EVP_PKEY *csign_pub = NULL, *pp_pub = NULL; + struct crypto_ec_key *csign_pub = NULL, *pp_pub = NULL; const struct dpp_curve_params *key_curve = NULL, *pp_curve = NULL; const char *signed_connector; @@ -2560,8 +2530,8 @@ static int dpp_parse_cred_dpp(struct dpp_authentication *auth, ret = 0; fail: - EVP_PKEY_free(csign_pub); - EVP_PKEY_free(pp_pub); + crypto_ec_key_deinit(csign_pub); + crypto_ec_key_deinit(pp_pub); os_free(info.payload); return ret; } @@ -2586,7 +2556,7 @@ static int dpp_parse_cred_dot1x(struct dpp_authentication *auth, return -1; } wpa_hexdump_buf(MSG_MSGDUMP, "DPP: Received certBag", conf->certbag); - conf->certs = dpp_pkcs7_certs(conf->certbag); + conf->certs = crypto_pkcs7_get_certificates(conf->certbag); if (!conf->certs) { dpp_auth_fail(auth, "No certificates in certBag"); return -1; @@ -3394,11 +3364,11 @@ void dpp_configurator_free(struct dpp_configurator *conf) { if (!conf) return; - EVP_PKEY_free(conf->csign); + crypto_ec_key_deinit(conf->csign); os_free(conf->kid); os_free(conf->connector); - EVP_PKEY_free(conf->connector_key); - EVP_PKEY_free(conf->pp_key); + crypto_ec_key_deinit(conf->connector_key); + crypto_ec_key_deinit(conf->pp_key); os_free(conf); } @@ -3406,23 +3376,19 @@ void dpp_configurator_free(struct dpp_configurator *conf) int dpp_configurator_get_key(const struct dpp_configurator *conf, char *buf, size_t buflen) { - EC_KEY *eckey; - int key_len, ret = -1; - unsigned char *key = NULL; + struct wpabuf *key; + int ret = -1; if (!conf->csign) return -1; - eckey = EVP_PKEY_get1_EC_KEY(conf->csign); - if (!eckey) + key = crypto_ec_key_get_ecprivate_key(conf->csign, true); + if (!key) return -1; - key_len = i2d_ECPrivateKey(eckey, &key); - if (key_len > 0) - ret = wpa_snprintf_hex(buf, buflen, key, key_len); + ret = wpa_snprintf_hex(buf, buflen, wpabuf_head(key), wpabuf_len(key)); - EC_KEY_free(eckey); - OPENSSL_free(key); + wpabuf_clear_free(key); return ret; } @@ -3434,7 +3400,7 @@ static int dpp_configurator_gen_kid(struct dpp_configurator *conf) size_t len[1]; int res; - csign_pub = dpp_get_pubkey_point(conf->csign, 1); + csign_pub = crypto_ec_key_get_pubkey_point(conf->csign, 1); if (!csign_pub) { wpa_printf(MSG_INFO, "DPP: Failed to extract C-sign-key"); return -1; @@ -3670,7 +3636,7 @@ dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector, struct json_token *root = NULL, *netkey, *token; struct json_token *own_root = NULL; enum dpp_status_error ret = 255, res; - EVP_PKEY *own_key = NULL, *peer_key = NULL; + struct crypto_ec_key *own_key = NULL, *peer_key = NULL; struct wpabuf *own_key_pub = NULL; const struct dpp_curve_params *curve, *own_curve; struct dpp_signed_connector_info info; @@ -3776,9 +3742,9 @@ fail: os_memset(intro, 0, sizeof(*intro)); os_memset(Nx, 0, sizeof(Nx)); os_free(info.payload); - EVP_PKEY_free(own_key); + crypto_ec_key_deinit(own_key); wpabuf_free(own_key_pub); - EVP_PKEY_free(peer_key); + crypto_ec_key_deinit(peer_key); json_free(root); json_free(own_root); return ret; @@ -4129,7 +4095,7 @@ static int dpp_nfc_update_bi_key(struct dpp_bootstrap_info *own_bi, wpa_printf(MSG_DEBUG, "DPP: Update own bootstrapping key to match peer curve from NFC handover"); - EVP_PKEY_free(own_bi->pubkey); + crypto_ec_key_deinit(own_bi->pubkey); own_bi->pubkey = NULL; if (dpp_keygen(own_bi, peer_bi->curve->name, NULL, 0) < 0 || @@ -4275,33 +4241,24 @@ int dpp_configurator_from_backup(struct dpp_global *dpp, struct dpp_asymmetric_key *key) { struct dpp_configurator *conf; - const EC_KEY *eckey, *eckey_pp; - const EC_GROUP *group, *group_pp; - int nid; - const struct dpp_curve_params *curve; + const struct dpp_curve_params *curve, *curve_pp; if (!key->csign || !key->pp_key) return -1; - eckey = EVP_PKEY_get0_EC_KEY(key->csign); - if (!eckey) - return -1; - group = EC_KEY_get0_group(eckey); - if (!group) - return -1; - nid = EC_GROUP_get_curve_name(group); - curve = dpp_get_curve_nid(nid); + + curve = dpp_get_curve_ike_group(crypto_ec_key_group(key->csign)); if (!curve) { wpa_printf(MSG_INFO, "DPP: Unsupported group in c-sign-key"); return -1; } - eckey_pp = EVP_PKEY_get0_EC_KEY(key->pp_key); - if (!eckey_pp) - return -1; - group_pp = EC_KEY_get0_group(eckey_pp); - if (!group_pp) + + curve_pp = dpp_get_curve_ike_group(crypto_ec_key_group(key->pp_key)); + if (!curve_pp) { + wpa_printf(MSG_INFO, "DPP: Unsupported group in ppKey"); return -1; - if (EC_GROUP_get_curve_name(group) != - EC_GROUP_get_curve_name(group_pp)) { + } + + if (curve != curve_pp) { wpa_printf(MSG_INFO, "DPP: Mismatch in c-sign-key and ppKey groups"); return -1; |