From 65a7b21f5ec22efe12d58cb3b760fb9e93ff8502 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 29 Mar 2015 20:30:58 +0300
Subject: [PATCH] OpenSSL: Implement AES-128 CBC using EVP API

This replaces the internal CBC mode implementation in aes_128_cbc_encrypt() and aes_128_cbc_decrypt() with the OpenSSL implementation for CONFIG_TLS=openssl builds.

Signed-off-by: Jouni Malinen
---
 hostapd/Android.mk | 2 ++
 hostapd/Makefile | 2 ++
 src/crypto/crypto_openssl.c | 50 +++++++++++++++++++++++++++++++++++++
 wpa_supplicant/Android.mk | 2 ++
 wpa_supplicant/Makefile | 2 ++
 5 files changed, 58 insertions(+)

diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index 54b139cae..78a150634 100644
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -688,8 +688,10 @@ endif
 endif
 ifdef NEED_AES_CBC
 NEED_AES_DEC=y
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += src/crypto/aes-cbc.c
 endif
+endif
 ifdef NEED_AES_DEC
 ifdef CONFIG_INTERNAL_AES
 AESOBJS += src/crypto/aes-internal-dec.c
diff --git a/hostapd/Makefile b/hostapd/Makefile
index d718c15ea..3ea131543 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -683,8 +683,10 @@ endif
 endif
 ifdef NEED_AES_CBC
 NEED_AES_DEC=y
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += ../src/crypto/aes-cbc.o
 endif
+endif
 ifdef NEED_AES_DEC
 ifdef CONFIG_INTERNAL_AES
 AESOBJS += ../src/crypto/aes-internal-dec.o
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index f158ef43a..9834b25c6 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -324,6 +324,56 @@ int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
 }
+int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
+{
+ EVP_CIPHER_CTX ctx;
+ int clen, len;
+ u8 buf[16];
+
+ EVP_CIPHER_CTX_init(&ctx);
+ if (EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv) != 1)
+ return -1;
+ EVP_CIPHER_CTX_set_padding(&ctx, 0);
+
+ clen = data_len;
+ if (EVP_EncryptUpdate(&ctx, data, &clen, data, data_len) != 1 ||
+ clen != (int) data_len)
+ return -1;
+
+ len = sizeof(buf);
+ if (EVP_EncryptFinal_ex(&ctx, buf, &len) != 1 || len != 0)
+ return -1;
+ EVP_CIPHER_CTX_cleanup(&ctx);
+
+ return 0;
+}
+
+
+int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
+{
+ EVP_CIPHER_CTX ctx;
+ int plen, len;
+ u8 buf[16];
+
+ EVP_CIPHER_CTX_init(&ctx);
+ if (EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv) != 1)
+ return -1;
+ EVP_CIPHER_CTX_set_padding(&ctx, 0);
+
+ plen = data_len;
+ if (EVP_DecryptUpdate(&ctx, data, &plen, data, data_len) != 1 ||
+ plen != (int) data_len)
+ return -1;
+
+ len = sizeof(buf);
+ if (EVP_DecryptFinal_ex(&ctx, buf, &len) != 1 || len != 0)
+ return -1;
+ EVP_CIPHER_CTX_cleanup(&ctx);
+
+ return 0;
+}
+
+
 int crypto_mod_exp(const u8 *base, size_t base_len, const u8 *power, size_t power_len, const u8 *modulus, size_t modulus_len,
diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index 75d8dd05a..657784b63 100644
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -1145,8 +1145,10 @@ endif
 endif
 ifdef NEED_AES_CBC
 NEED_AES_ENC=y
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += src/crypto/aes-cbc.c
 endif
+endif
 ifdef NEED_AES_ENC
 ifdef CONFIG_INTERNAL_AES
 AESOBJS += src/crypto/aes-internal-enc.c
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index d086eeb65..662e7f87b 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
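Review bot: In src/crypto/crypto_openssl.c, every `return -1` in aes_128_cbc_encrypt() after EVP_CIPHER_CTX_init() exits without calling EVP_CIPHER_CTX_cleanup(), so a failed Init, Update or Final leaves the cipher context, and whatever key-dependent state OpenSSL attached to it, neither released nor cleared. aes_128_cbc_decrypt() in the same hunk has the same three exits and needs the same change. Routing the failures through one label that runs the cleanup fixes both, as sketched below for the encrypt side. Separately, `clen = data_len` and `clen != (int) data_len` assume data_len fits in an int; whether callers guarantee that is not visible here, so a guard such as `if (data_len > INT_MAX) return -1;` before the init would make the assumption explicit.

```c
	/* ... unchanged: declarations, EVP_CIPHER_CTX_init() ... */
	if (EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv) != 1)
		goto fail;
	/* ... unchanged: set_padding, EncryptUpdate and EncryptFinal_ex checks,
	 * each now ending in "goto fail" instead of "return -1" ... */
	EVP_CIPHER_CTX_cleanup(&ctx);
	return 0;

fail:
	/* release the context and its key-dependent state on error paths too */
	EVP_CIPHER_CTX_cleanup(&ctx);
	return -1;
}
```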
@@ -1162,8 +1162,10 @@ endif
 endif
 ifdef NEED_AES_CBC
 NEED_AES_ENC=y
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += ../src/crypto/aes-cbc.o
 endif
+endif
 ifdef NEED_AES_ENC
 ifdef CONFIG_INTERNAL_AES
 AESOBJS += ../src/crypto/aes-internal-enc.o