/*

 * Wrapper functions for OpenSSL libcrypto

 * Copyright (c) 2004-2024, Jouni Malinen <j@w1.fi>

 *

 * This software may be distributed under the terms of the BSD license.

 * See README for more details.

 */

#include "includes.h"

#include <openssl/opensslv.h>

#include <openssl/err.h>

#include <openssl/des.h>

#include <openssl/aes.h>

#include <openssl/bn.h>

#include <openssl/evp.h>

#include <openssl/dh.h>

#include <openssl/hmac.h>

#include <openssl/rand.h>

#include <openssl/rsa.h>

#include <openssl/pem.h>

#ifdef CONFIG_ECC

#include <openssl/ec.h>

#include <openssl/x509.h>

#endif /* CONFIG_ECC */

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

#include <openssl/provider.h>

#include <openssl/core_names.h>

#include <openssl/param_build.h>

#include <openssl/encoder.h>

#include <openssl/decoder.h>

#else /* OpenSSL version >= 3.0 */

#include <openssl/cmac.h>

#endif /* OpenSSL version >= 3.0 */

#ifdef CONFIG_DPP3

#if OPENSSL_VERSION_NUMBER >= 0x30200000L

#include <openssl/hpke.h>

#endif

#endif /* CONFIG_DPP3 */

#include "common.h"

#include "utils/const_time.h"

#include "wpabuf.h"

#include "dh_group5.h"

#include "sha1.h"

#include "sha256.h"

#include "sha384.h"

#include "sha512.h"

#include "md5.h"

#include "aes_wrap.h"

#include "crypto.h"

#if OPENSSL_VERSION_NUMBER < 0x10100000L

/* Compatibility wrappers for older versions. */

static HMAC_CTX * HMAC_CTX_new(void)

{

  HMAC_CTX *ctx;

  ctx = os_zalloc(sizeof(*ctx));

  if (ctx)

    HMAC_CTX_init(ctx);

  return ctx;

}

static void HMAC_CTX_free(HMAC_CTX *ctx)

{

  if (!ctx)

    return;

  HMAC_CTX_cleanup(ctx);

  bin_clear_free(ctx, sizeof(*ctx));

}

static EVP_MD_CTX * EVP_MD_CTX_new(void)

{

  EVP_MD_CTX *ctx;

  ctx = os_zalloc(sizeof(*ctx));

  if (ctx)

    EVP_MD_CTX_init(ctx);

  return ctx;

}

static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)

{

  if (!ctx)

    return;

  EVP_MD_CTX_cleanup(ctx);

  bin_clear_free(ctx, sizeof(*ctx));

}

#ifdef CONFIG_ECC

static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)

{

  if (pkey->type != EVP_PKEY_EC)

    return NULL;

  return pkey->pkey.ec;

}

static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)

{

  sig->r = r;

  sig->s = s;

  return 1;

}

static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,

         const BIGNUM **ps)

{

  if (pr)

    *pr = sig->r;

  if (ps)

    *ps = sig->s;

}

#endif /* CONFIG_ECC */

static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)

{

  return ASN1_STRING_data((ASN1_STRING *) x);

}

static const ASN1_TIME * X509_get0_notBefore(const X509 *x)

{

  return X509_get_notBefore(x);

}

static const ASN1_TIME * X509_get0_notAfter(const X509 *x)

{

  return X509_get_notAfter(x);

}

#endif /* OpenSSL version < 1.1.0 */

#if OPENSSL_VERSION_NUMBER < 0x10101000L || \

  (defined(LIBRESSL_VERSION_NUMBER) && \

   LIBRESSL_VERSION_NUMBER < 0x30400000L)

static int EC_POINT_get_affine_coordinates(const EC_GROUP *group,

             const EC_POINT *point, BIGNUM *x,

             BIGNUM *y, BN_CTX *ctx)

{

  return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);

}

static int EC_POINT_set_affine_coordinates(const EC_GROUP *group,

             EC_POINT *point, const BIGNUM *x,

             const BIGNUM *y, BN_CTX *ctx)

{

  return EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx);

}

#endif /* OpenSSL version < 1.1.1 */

#if OPENSSL_VERSION_NUMBER < 0x10101000L || \

  defined(OPENSSL_IS_BORINGSSL) || \

  (defined(LIBRESSL_VERSION_NUMBER) && \

   LIBRESSL_VERSION_NUMBER < 0x30400000L)

static int EC_POINT_set_compressed_coordinates(const EC_GROUP *group,

                 EC_POINT *point, const BIGNUM *x,

                 int y_bit, BN_CTX *ctx)

{

  return EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit,

                   ctx);

}

static int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,

            BIGNUM *b, BN_CTX *ctx)

{

  return EC_GROUP_get_curve_GFp(group, p, a, b, ctx);

}

#endif /* OpenSSL version < 1.1.1 */

static void openssl_disable_fips(void)

{

#ifndef CONFIG_FIPS

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

  static bool done = false;

  if (done)

    return;

  done = true;

  if (!EVP_default_properties_is_fips_enabled(NULL))

    return; /* FIPS mode is not enabled */

  if (!EVP_default_properties_enable_fips(NULL, 0))

    wpa_printf(MSG_INFO,

         "OpenSSL: Failed to disable FIPS mode");

  else

    wpa_printf(MSG_DEBUG,

         "OpenSSL: Disabled FIPS mode to enable non-FIPS-compliant algorithms and parameters");

#endif /* OpenSSL version >= 3.0 */

#endif /* !CONFIG_FIPS */

}

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

static OSSL_PROVIDER *openssl_legacy_provider = NULL;

static OSSL_PROVIDER *openssl_default_provider = NULL;

#endif /* OpenSSL version >= 3.0 */

void openssl_load_legacy_provider(void)

{

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

  if (openssl_legacy_provider)

    return;

  openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1);

#endif /* OpenSSL version >= 3.0 */

}

static void openssl_unload_legacy_provider(void)

{

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

  if (openssl_legacy_provider) {

    OSSL_PROVIDER_unload(openssl_legacy_provider);

    openssl_legacy_provider = NULL;

  }

#endif /* OpenSSL version >= 3.0 */

}

static void openssl_load_default_provider_if_fips(void)

{

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

  if (openssl_default_provider)

    return;

  if (!OSSL_PROVIDER_available(NULL, "fips"))

    return;

  wpa_printf(MSG_DEBUG,

       "OpenSSL: Load default provider to replace fips provider when needed");

  openssl_default_provider = OSSL_PROVIDER_try_load(NULL, "default", 1);

  if (!openssl_default_provider)

    wpa_printf(MSG_DEBUG,

         "OpenSSL: Failed to load default provider");

#endif /* OpenSSL version >= 3.0 */

}

static void openssl_unload_default_provider(void)

{

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

  if (openssl_default_provider) {

    OSSL_PROVIDER_unload(openssl_default_provider);

    openssl_default_provider = NULL;

  }

#endif /* OpenSSL version >= 3.0 */

}

#if OPENSSL_VERSION_NUMBER < 0x30000000L

static BIGNUM * get_group5_prime(void)

{

#if OPENSSL_VERSION_NUMBER >= 0x10100000L

  return BN_get_rfc3526_prime_1536(NULL);

#elif !defined(OPENSSL_IS_BORINGSSL)

  return get_rfc3526_prime_1536(NULL);

#else

  static const unsigned char RFC3526_PRIME_1536[] = {

    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,

    0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,

    0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,

    0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,

    0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,

    0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,

    0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,

    0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,

    0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,

    0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,

    0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,

    0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,

    0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,

    0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,

    0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,

    0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,

  };

        return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);

#endif

}

static BIGNUM * get_group5_order(void)

{

  static const unsigned char RFC3526_ORDER_1536[] = {

    0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE4,0x87,0xED,0x51,

    0x10,0xB4,0x61,0x1A,0x62,0x63,0x31,0x45,0xC0,0x6E,0x0E,0x68,

    0x94,0x81,0x27,0x04,0x45,0x33,0xE6,0x3A,0x01,0x05,0xDF,0x53,

    0x1D,0x89,0xCD,0x91,0x28,0xA5,0x04,0x3C,0xC7,0x1A,0x02,0x6E,

    0xF7,0xCA,0x8C,0xD9,0xE6,0x9D,0x21,0x8D,0x98,0x15,0x85,0x36,

    0xF9,0x2F,0x8A,0x1B,0xA7,0xF0,0x9A,0xB6,0xB6,0xA8,0xE1,0x22,

    0xF2,0x42,0xDA,0xBB,0x31,0x2F,0x3F,0x63,0x7A,0x26,0x21,0x74,

    0xD3,0x1B,0xF6,0xB5,0x85,0xFF,0xAE,0x5B,0x7A,0x03,0x5B,0xF6,

    0xF7,0x1C,0x35,0xFD,0xAD,0x44,0xCF,0xD2,0xD7,0x4F,0x92,0x08,

    0xBE,0x25,0x8F,0xF3,0x24,0x94,0x33,0x28,0xF6,0x72,0x2D,0x9E,

    0xE1,0x00,0x3E,0x5C,0x50,0xB1,0xDF,0x82,0xCC,0x6D,0x24,0x1B,

    0x0E,0x2A,0xE9,0xCD,0x34,0x8B,0x1F,0xD4,0x7E,0x92,0x67,0xAF,

    0xC1,0xB2,0xAE,0x91,0xEE,0x51,0xD6,0xCB,0x0E,0x31,0x79,0xAB,

    0x10,0x42,0xA9,0x5D,0xCF,0x6A,0x94,0x83,0xB8,0x4B,0x4B,0x36,

    0xB3,0x86,0x1A,0xA7,0x25,0x5E,0x4C,0x02,0x78,0xBA,0x36,0x04,

    0x65,0x11,0xB9,0x93,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF

  };

  return BN_bin2bn(RFC3526_ORDER_1536, sizeof(RFC3526_ORDER_1536), NULL);

}

#endif /* OpenSSL version < 3.0 */

#ifdef OPENSSL_NO_SHA256

#define NO_SHA256_WRAPPER

#endif

#ifdef OPENSSL_NO_SHA512

#define NO_SHA384_WRAPPER

#endif

static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,

         const u8 *addr[], const size_t *len, u8 *mac)

{

  EVP_MD_CTX *ctx;

  size_t i;

  unsigned int mac_len;

  if (TEST_FAIL())

    return -1;

  ctx = EVP_MD_CTX_new();

  if (!ctx)

    return -1;

  if (!EVP_DigestInit_ex(ctx, type, NULL)) {

    wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",

         ERR_error_string(ERR_get_error(), NULL));

    EVP_MD_CTX_free(ctx);

    return -1;

  }

  for (i = 0; i < num_elem; i++) {

    if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {

      wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "

           "failed: %s",

           ERR_error_string(ERR_get_error(), NULL));

      EVP_MD_CTX_free(ctx);

      return -1;

    }

  }

  if (!EVP_DigestFinal(ctx, mac, &mac_len)) {

    wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",

         ERR_error_string(ERR_get_error(), NULL));

    EVP_MD_CTX_free(ctx);

    return -1;

  }

  EVP_MD_CTX_free(ctx);

  return 0;

}

#ifndef CONFIG_FIPS

static void openssl_need_md5(void)

{

  openssl_disable_fips();

  openssl_load_default_provider_if_fips();

}

int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)

{

  openssl_disable_fips();

  openssl_load_legacy_provider();

  return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);

}

int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)

{

  u8 pkey[8], next, tmp;

  int i, plen, ret = -1;

  EVP_CIPHER_CTX *ctx;

  openssl_load_legacy_provider();

  /* Add parity bits to the key */

  next = 0;

  for (i = 0; i < 7; i++) {

    tmp = key[i];

    pkey[i] = (tmp >> i) | next | 1;

    next = tmp << (7 - i);

  }

  pkey[i] = next | 1;

  ctx = EVP_CIPHER_CTX_new();

  if (ctx &&

      EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, pkey, NULL) == 1 &&

      EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&

      EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 &&

      EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen) == 1)

    ret = 0;

  else

    wpa_printf(MSG_ERROR, "OpenSSL: DES encrypt failed");

  if (ctx)

    EVP_CIPHER_CTX_free(ctx);

  return ret;

}

#ifndef CONFIG_NO_RC4

int rc4_skip(const u8 *key, size_t keylen, size_t skip,

       u8 *data, size_t data_len)

{

#ifdef OPENSSL_NO_RC4

  return -1;

#else /* OPENSSL_NO_RC4 */

  EVP_CIPHER_CTX *ctx;

  int outl;

  int res = -1;

  unsigned char skip_buf[16] = { 0 };

  openssl_load_legacy_provider();

  ctx = EVP_CIPHER_CTX_new();

  if (!ctx ||

      !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||

      !EVP_CIPHER_CTX_set_padding(ctx, 0) ||

      !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||

      !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))

    goto out;

  while (skip >= sizeof(skip_buf)) {

    size_t len = skip;

    if (len > sizeof(skip_buf))

      len = sizeof(skip_buf);

    if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))

      goto out;

    skip -= len;

  }

  if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))

    res = 0;

out:

  if (ctx)

    EVP_CIPHER_CTX_free(ctx);

  return res;

#endif /* OPENSSL_NO_RC4 */

}

#endif /* CONFIG_NO_RC4 */

int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)

{

  openssl_need_md5();

  return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);

}

#endif /* CONFIG_FIPS */

int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)

{

  return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);

}

#ifndef NO_SHA256_WRAPPER

int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,

      u8 *mac)

{

  return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);

}

#endif /* NO_SHA256_WRAPPER */

#ifndef NO_SHA384_WRAPPER

int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,

      u8 *mac)

{

  return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);

}

#endif /* NO_SHA384_WRAPPER */

#ifndef NO_SHA512_WRAPPER

int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,

      u8 *mac)

{

  return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);

}

#endif /* NO_SHA512_WRAPPER */

static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)

{

  switch (keylen) {

  case 16:

    return EVP_aes_128_ecb();

  case 24:

    return EVP_aes_192_ecb();

  case 32:

    return EVP_aes_256_ecb();

  default:

    return NULL;

  }

}

void * aes_encrypt_init(const u8 *key, size_t len)

{

  EVP_CIPHER_CTX *ctx;

  const EVP_CIPHER *type;

  if (TEST_FAIL())

    return NULL;

  type = aes_get_evp_cipher(len);

  if (!type) {

    wpa_printf(MSG_INFO, "%s: Unsupported len=%u",

         __func__, (unsigned int) len);

    return NULL;

  }

  ctx = EVP_CIPHER_CTX_new();

  if (ctx == NULL)

    return NULL;

  if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1 ||

      EVP_CIPHER_CTX_set_padding(ctx, 0) != 1) {

    EVP_CIPHER_CTX_free(ctx);

    return NULL;

  }

  return ctx;

}

int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)

{

  EVP_CIPHER_CTX *c = ctx;

  int clen = 16;

  if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {

    wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",

         ERR_error_string(ERR_get_error(), NULL));

    return -1;

  }

  return 0;

}

void aes_encrypt_deinit(void *ctx)

{

  EVP_CIPHER_CTX *c = ctx;

  u8 buf[16];

  int len = sizeof(buf);

  if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {

    wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "

         "%s", ERR_error_string(ERR_get_error(), NULL));

  }

  if (len != 0) {

    wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "

         "in AES encrypt", len);

  }

  EVP_CIPHER_CTX_free(c);

}

void * aes_decrypt_init(const u8 *key, size_t len)

{

  EVP_CIPHER_CTX *ctx;

  const EVP_CIPHER *type;

  if (TEST_FAIL())

    return NULL;

  type = aes_get_evp_cipher(len);

  if (!type) {

    wpa_printf(MSG_INFO, "%s: Unsupported len=%u",

         __func__, (unsigned int) len);

    return NULL;

  }

  ctx = EVP_CIPHER_CTX_new();

  if (ctx == NULL)

    return NULL;

  if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1 ||

      EVP_CIPHER_CTX_set_padding(ctx, 0) != 1) {

    EVP_CIPHER_CTX_free(ctx);

    return NULL;

  }

  return ctx;

}

int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)

{

  EVP_CIPHER_CTX *c = ctx;

  int plen = 16;

  if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {

    wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",

         ERR_error_string(ERR_get_error(), NULL));

    return -1;

  }

  return 0;

}

void aes_decrypt_deinit(void *ctx)

{

  EVP_CIPHER_CTX *c = ctx;

  u8 buf[16];

  int len = sizeof(buf);

  if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {

    wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "

         "%s", ERR_error_string(ERR_get_error(), NULL));

  }

  if (len != 0) {

    wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "

         "in AES decrypt", len);

  }

  EVP_CIPHER_CTX_free(c);

}

#ifndef CONFIG_FIPS

#ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

static const EVP_CIPHER * aes_get_evp_wrap_cipher(size_t keylen)

{

  switch (keylen) {

  case 16:

    return EVP_aes_128_wrap();

  case 24:

    return EVP_aes_192_wrap();

  case 32:

    return EVP_aes_256_wrap();

  default:

    return NULL;

  }

}

#endif /* OpenSSL version >= 3.0 */

int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)

{

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

  EVP_CIPHER_CTX *ctx;

  const EVP_CIPHER *type;

  int ret = -1, len;

  u8 buf[16];

  if (TEST_FAIL())

    return -1;

  type = aes_get_evp_wrap_cipher(kek_len);

  if (!type)

    return -1;

  ctx = EVP_CIPHER_CTX_new();

  if (!ctx)

    return -1;

  if (EVP_EncryptInit_ex(ctx, type, NULL, kek, NULL) == 1 &&

      EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&

      EVP_EncryptUpdate(ctx, cipher, &len, plain, n * 8) == 1 &&

      len == (n + 1) * 8 &&

      EVP_EncryptFinal_ex(ctx, buf, &len) == 1)

    ret = 0;

  EVP_CIPHER_CTX_free(ctx);

  return ret;

#else /* OpenSSL version >= 3.0 */

  AES_KEY actx;

  int res;

  if (TEST_FAIL())

    return -1;

  if (AES_set_encrypt_key(kek, kek_len << 3, &actx))

    return -1;

  res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);

  OPENSSL_cleanse(&actx, sizeof(actx));

  return res <= 0 ? -1 : 0;

#endif /* OpenSSL version >= 3.0 */

}

int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,

         u8 *plain)

{

#if OPENSSL_VERSION_NUMBER >= 0x30000000L

  EVP_CIPHER_CTX *ctx;

  const EVP_CIPHER *type;

  int ret = -1, len;

  u8 buf[16];

  if (TEST_FAIL())

    return -1;

  type = aes_get_evp_wrap_cipher(kek_len);

  if (!type)

    return -1;

  ctx = EVP_CIPHER_CTX_new();

  if (!ctx)

    return -1;

  if (EVP_DecryptInit_ex(ctx, type, NULL, kek, NULL) == 1 &&

      EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&

      EVP_DecryptUpdate(ctx, plain, &len, cipher, (n + 1) * 8) == 1 &&

      len == n * 8 &&

      EVP_DecryptFinal_ex(ctx, buf, &len) == 1)

    ret = 0;

  EVP_CIPHER_CTX_free(ctx);

  return ret;

#else /* OpenSSL version >= 3.0 */

  AES_KEY actx;

  int res;

  if (TEST_FAIL())

    return -1;

  if (AES_set_decrypt_key(kek, kek_len << 3, &actx))

    return -1;

  res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);

  OPENSSL_cleanse(&actx, sizeof(actx));

  return res <= 0 ? -1 : 0;

#endif /* OpenSSL version >= 3.0 */

}

#endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */

#endif /* CONFIG_FIPS */

int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)

{

  EVP_CIPHER_CTX *ctx;

  int clen, len;

  u8 buf[16];

  int res = -1;

  if (TEST_FAIL())

    return -1;

  ctx = EVP_CIPHER_CTX_new();

  if (!ctx)

    return -1;

  clen = data_len;

  len = sizeof(buf);

  if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&

      EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&

      EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&

      clen == (int) data_len &&

      EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)

    res = 0;

  EVP_CIPHER_CTX_free(ctx);

  return res;

}

int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)

{

  EVP_CIPHER_CTX *ctx;

  int plen, len;

  u8 buf[16];

  int res = -1;

  if (TEST_FAIL())

    return -1;

  ctx = EVP_CIPHER_CTX_new();

  if (!ctx)

    return -1;

  plen = data_len;

  len = sizeof(buf);

  if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&

      EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&

      EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&

      plen == (int) data_len &&

      EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)

    res = 0;

  EVP_CIPHER_CTX_free(ctx);

  return res;

}

int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,

       u8 *pubkey)

{

  size_t pubkey_len, pad;

  if (os_get_random(privkey, prime_len) < 0)

    return -1;

  if (os_memcmp(privkey, prime, prime_len) > 0) {

    /* Make sure private value is smaller than prime */

    privkey[0] = 0;

  }

  pubkey_len = prime_len;

  if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,

         pubkey, &pubkey_len) < 0)

    return -1;

  if (pubkey_len < prime_len) {

    pad = prime_len - pubkey_len;

    os_memmove(pubkey + pad, pubkey, pubkey_len);

    os_memset(pubkey, 0, pad);

  }

  return 0;

}

int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,

          const u8 *order, size_t order_len,

          const u8 *privkey, size_t privkey_len,

          const u8 *pubkey, size_t pubkey_len,

          u8 *secret, size_t *len)

{

  BIGNUM *pub, *p;

  int res = -1;

  pub = BN_bin2bn(pubkey, pubkey_len, NULL);

  p = BN_bin2bn(prime, prime_len, NULL);

  if (!pub || !p || BN_is_zero(pub) || BN_is_one(pub) ||

      BN_cmp(pub, p) >= 0)

    goto fail;

  if (order) {

    BN_CTX *ctx;

    BIGNUM *q, *tmp;

    int failed;

    /* verify: pubkey^q == 1 mod p */

    q = BN_bin2bn(order, order_len, NULL);

    ctx = BN_CTX_new();

    tmp = BN_new();

    failed = !q || !ctx || !tmp ||

      !BN_mod_exp(tmp, pub, q, p, ctx) ||

      !BN_is_one(tmp);

    BN_clear_free(q);

    BN_clear_free(tmp);

    BN_CTX_free(ctx);

    if (failed)

      goto fail;

  }

  res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,

           prime, prime_len, secret, len);

fail:

  BN_clear_free(pub);

  BN_clear_free(p);

  return res;

}

int crypto_mod_exp(const u8 *base, size_t base_len,

       const u8 *power, size_t power_len,

       const u8 *modulus, size_t modulus_len,

       u8 *result, size_t *result_len)

{

  BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;

  int ret = -1;

  BN_CTX *ctx;

  ctx = BN_CTX_new();

  if (ctx == NULL)

    return -1;

  bn_base = BN_bin2bn(base, base_len, NULL);

  bn_exp = BN_bin2bn(power, power_len, NULL);

  bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);

  bn_result = BN_new();

  if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||

      bn_result == NULL)

    goto error;

  if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,

              ctx, NULL) != 1)

    goto error;

  *result_len = BN_bn2bin(bn_result, result);

  ret = 0;

error:

  BN_clear_free(bn_base);

  BN_clear_free(bn_exp);

  BN_clear_free(bn_modulus);

  BN_clear_free(bn_result);

  BN_CTX_free(ctx);

  return ret;

}

struct crypto_cipher {

  EVP_CIPHER_CTX *enc;

  EVP_CIPHER_CTX *dec;

};

struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,

            const u8 *iv, const u8 *key,

            size_t key_len)

{

  struct crypto_cipher *ctx;

  const EVP_CIPHER *cipher;

  ctx = os_zalloc(sizeof(*ctx));

  if (ctx == NULL)

    return NULL;

  switch (alg) {

#ifndef CONFIG_NO_RC4

#ifndef OPENSSL_NO_RC4

  case CRYPTO_CIPHER_ALG_RC4:

    cipher = EVP_rc4();

    break;

#endif /* OPENSSL_NO_RC4 */

#endif /* CONFIG_NO_RC4 */

#ifndef OPENSSL_NO_AES

  case CRYPTO_CIPHER_ALG_AES:

    switch (key_len) {

    case 16:

      cipher = EVP_aes_128_cbc();

      break;

#ifndef OPENSSL_IS_BORINGSSL

    case 24:

      cipher = EVP_aes_192_cbc();

      break;

#endif /* OPENSSL_IS_BORINGSSL */

    case 32:

      cipher = EVP_aes_256_cbc();

      break;

    default:

      os_free(ctx);

      return NULL;

    }

    break;

#endif /* OPENSSL_NO_AES */

#ifndef OPENSSL_NO_DES

  case CRYPTO_CIPHER_ALG_3DES:

    cipher = EVP_des_ede3_cbc();

    break;

  case CRYPTO_CIPHER_ALG_DES:

    cipher = EVP_des_cbc();