From: Jouni Malinen Date: Tue, 27 Jan 2015 11:57:59 +0000 (+0200) Subject: OpenSSL: Implement aes_wrap() and aes_unwrap() X-Git-Tag: hostap_2_4~299 X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;ds=sidebyside;h=f19c907822ad0dec3480b1435b615ae22c5533a1;p=mech_eap.git OpenSSL: Implement aes_wrap() and aes_unwrap() This replaces the implementation in aes-wrap.c and aes-unwrap.c with OpenSSL AES_wrap_key() and AES_unwrap_key() functions when building hostapd or wpa_supplicant with OpenSSL. Signed-off-by: Jouni Malinen --- diff --git a/hostapd/Android.mk b/hostapd/Android.mk index 17674f7..6fcefdd 100644 --- a/hostapd/Android.mk +++ b/hostapd/Android.mk @@ -675,7 +675,9 @@ ifdef CONFIG_INTERNAL_AES AESOBJS += src/crypto/aes-internal.c src/crypto/aes-internal-enc.c endif +ifneq ($(CONFIG_TLS), openssl) AESOBJS += src/crypto/aes-wrap.c +endif ifdef NEED_AES_EAX AESOBJS += src/crypto/aes-eax.c NEED_AES_CTR=y @@ -690,9 +692,11 @@ ifdef NEED_AES_OMAC1 AESOBJS += src/crypto/aes-omac1.c endif ifdef NEED_AES_UNWRAP +ifneq ($(CONFIG_TLS), openssl) NEED_AES_DEC=y AESOBJS += src/crypto/aes-unwrap.c endif +endif ifdef NEED_AES_CBC NEED_AES_DEC=y AESOBJS += src/crypto/aes-cbc.c diff --git a/hostapd/Makefile b/hostapd/Makefile index 513eb95..f30a35d 100644 --- a/hostapd/Makefile +++ b/hostapd/Makefile @@ -669,7 +669,9 @@ ifdef CONFIG_INTERNAL_AES AESOBJS += ../src/crypto/aes-internal.o ../src/crypto/aes-internal-enc.o endif +ifneq ($(CONFIG_TLS), openssl) AESOBJS += ../src/crypto/aes-wrap.o +endif ifdef NEED_AES_EAX AESOBJS += ../src/crypto/aes-eax.o NEED_AES_CTR=y @@ -684,9 +686,11 @@ ifdef NEED_AES_OMAC1 AESOBJS += ../src/crypto/aes-omac1.o endif ifdef NEED_AES_UNWRAP +ifneq ($(CONFIG_TLS), openssl) NEED_AES_DEC=y AESOBJS += ../src/crypto/aes-unwrap.o endif +endif ifdef NEED_AES_CBC NEED_AES_DEC=y AESOBJS += ../src/crypto/aes-cbc.o diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c index ca44386..f158ef4 100644 
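Review bot: The new guard is placed differently in the two trees. In the hostapd `ifdef NEED_AES_UNWRAP` hunks (Android.mk at -690, Makefile at -684) the added `ifneq ($(CONFIG_TLS), openssl)` also encloses `NEED_AES_DEC=y`, while the wpa_supplicant `ifdef NEED_AES_WRAP` hunks leave `NEED_AES_ENC=y` outside it. If the asymmetry is intentional, a one-line comment above the hostapd guard, such as `# OpenSSL build: aes_unwrap() comes from crypto_openssl.c, internal AES decrypt not pulled in here`, would keep the four build files from drifting apart; otherwise move `NEED_AES_DEC=y` above the `ifneq`. What later consumes `NEED_AES_DEC` lies outside these hunks, so the effect of skipping it cannot be confirmed from this page.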
--- a/src/crypto/crypto_openssl.c +++ b/src/crypto/crypto_openssl.c @@ -297,6 +297,33 @@ void aes_decrypt_deinit(void *ctx) } +int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) +{ + AES_KEY actx; + int res; + + if (AES_set_encrypt_key(kek, kek_len << 3, &actx)) + return -1; + res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8); + OPENSSL_cleanse(&actx, sizeof(actx)); + return res <= 0 ? -1 : 0; +} + + +int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, + u8 *plain) +{ + AES_KEY actx; + int res; + + if (AES_set_decrypt_key(kek, kek_len << 3, &actx)) + return -1; + res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8); + OPENSSL_cleanse(&actx, sizeof(actx)); + return res <= 0 ? -1 : 0; +} + + int crypto_mod_exp(const u8 *base, size_t base_len, const u8 *power, size_t power_len, const u8 *modulus, size_t modulus_len, diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk index 38041b6..579582b 100644 --- a/wpa_supplicant/Android.mk +++ b/wpa_supplicant/Android.mk @@ -1127,7 +1127,9 @@ ifdef CONFIG_INTERNAL_AES AESOBJS += src/crypto/aes-internal.c src/crypto/aes-internal-dec.c endif +ifneq ($(CONFIG_TLS), openssl) AESOBJS += src/crypto/aes-unwrap.c +endif ifdef NEED_AES_EAX AESOBJS += src/crypto/aes-eax.c NEED_AES_CTR=y @@ -1148,8 +1150,10 @@ endif endif ifdef NEED_AES_WRAP NEED_AES_ENC=y +ifneq ($(CONFIG_TLS), openssl) AESOBJS += src/crypto/aes-wrap.c endif +endif ifdef NEED_AES_CBC NEED_AES_ENC=y AESOBJS += src/crypto/aes-cbc.c diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index 2ffb00d..35e5d73 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -1142,7 +1142,9 @@ ifdef CONFIG_INTERNAL_AES AESOBJS += ../src/crypto/aes-internal.o ../src/crypto/aes-internal-dec.o endif +ifneq ($(CONFIG_TLS), openssl) AESOBJS += ../src/crypto/aes-unwrap.o +endif ifdef NEED_AES_EAX AESOBJS += ../src/crypto/aes-eax.o NEED_AES_CTR=y 
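Review bot: In the src/crypto/crypto_openssl.c hunk, aes_wrap() and aes_unwrap() multiply the signed `int n` straight into the length handed to OpenSSL (`n * 8` and `(n + 1) * 8`) without checking it first, so a zero or negative block count is converted to an unsigned length and a very large one overflows before the library sees it. Whether every caller already bounds `n` is not visible here; a guard at the top of both functions, `if (n < 1 || n > INT_MAX / 8 - 1) return -1;` (needs `<limits.h>` if the file does not already include it), keeps the wrapper safe on its own. Both functions would also benefit from a header comment stating that `n` counts 64-bit blocks, that `cipher` holds `(n + 1) * 8` bytes, and that `plain` must be discarded when aes_unwrap() returns -1, since that return value is how a failed integrity check is reported to the caller.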
@@ -1166,8 +1168,10 @@ AESOBJS += ../src/crypto/aes-siv.o
 endif
 ifdef NEED_AES_WRAP
 NEED_AES_ENC=y
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += ../src/crypto/aes-wrap.o
 endif
+endif
 ifdef NEED_AES_CBC
 NEED_AES_ENC=y
 AESOBJS += ../src/crypto/aes-cbc.o