OpenSSL: Implement AES-128 CBC using EVP API

This replaces the internal CBC mode implementation in
aes_128_cbc_encrypt() and aes_128_cbc_decrypt() with the OpenSSL
implementation for CONFIG_TLS=openssl builds.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index 54b139c..78a1506 100644 (file)
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -688,8 +688,10 @@ endif
 endif
 ifdef NEED_AES_CBC
 NEED_AES_DEC=y
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += src/crypto/aes-cbc.c
 endif
+endif
 ifdef NEED_AES_DEC
 ifdef CONFIG_INTERNAL_AES
 AESOBJS += src/crypto/aes-internal-dec.c

diff --git a/hostapd/Makefile b/hostapd/Makefile
index d718c15..3ea1315 100644 (file)
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -683,8 +683,10 @@ endif
 endif
 ifdef NEED_AES_CBC
 NEED_AES_DEC=y
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += ../src/crypto/aes-cbc.o
 endif
+endif
 ifdef NEED_AES_DEC
 ifdef CONFIG_INTERNAL_AES
 AESOBJS += ../src/crypto/aes-internal-dec.o

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index f158ef4..9834b25 100644 (file)
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -324,6 +324,56 @@ int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
 }
 
 
+int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
+{
+       EVP_CIPHER_CTX ctx;
+       int clen, len;
+       u8 buf[16];
+
+       EVP_CIPHER_CTX_init(&ctx);
+       if (EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv) != 1)
+               return -1;
+       EVP_CIPHER_CTX_set_padding(&ctx, 0);
+
+       clen = data_len;
+       if (EVP_EncryptUpdate(&ctx, data, &clen, data, data_len) != 1 ||
+           clen != (int) data_len)
+               return -1;
+
+       len = sizeof(buf);
+       if (EVP_EncryptFinal_ex(&ctx, buf, &len) != 1 || len != 0)
+               return -1;
+       EVP_CIPHER_CTX_cleanup(&ctx);
+
+       return 0;
+}
+
+
+int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
+{
+       EVP_CIPHER_CTX ctx;
+       int plen, len;
+       u8 buf[16];
+
+       EVP_CIPHER_CTX_init(&ctx);
+       if (EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv) != 1)
+               return -1;
+       EVP_CIPHER_CTX_set_padding(&ctx, 0);
+
+       plen = data_len;
+       if (EVP_DecryptUpdate(&ctx, data, &plen, data, data_len) != 1 ||
+           plen != (int) data_len)
+               return -1;
+
+       len = sizeof(buf);
+       if (EVP_DecryptFinal_ex(&ctx, buf, &len) != 1 || len != 0)
+               return -1;
+       EVP_CIPHER_CTX_cleanup(&ctx);
+
+       return 0;
+}
+
+
 int crypto_mod_exp(const u8 *base, size_t base_len,
                   const u8 *power, size_t power_len,
                   const u8 *modulus, size_t modulus_len,

diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index 75d8dd0..657784b 100644 (file)
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -1145,8 +1145,10 @@ endif
 endif
 ifdef NEED_AES_CBC
 NEED_AES_ENC=y
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += src/crypto/aes-cbc.c
 endif
+endif
 ifdef NEED_AES_ENC
 ifdef CONFIG_INTERNAL_AES
 AESOBJS += src/crypto/aes-internal-enc.c

diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index d086eeb..662e7f8 100644 (file)
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1162,8 +1162,10 @@ endif
 endif
 ifdef NEED_AES_CBC
 NEED_AES_ENC=y
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += ../src/crypto/aes-cbc.o
 endif
+endif
 ifdef NEED_AES_ENC
 ifdef CONFIG_INTERNAL_AES
 AESOBJS += ../src/crypto/aes-internal-enc.o