authorJouni Malinen <jouni@codeaurora.org>2020-06-16 10:16:39 (GMT)
committerJouni Malinen <j@w1.fi>2020-06-16 15:26:09 (GMT)
commitdbbb0d5b82e388f25480a76af538cfdd7d332231 (patch)
tree24db03d324c6dd766544957144f09486a8592fc1 /src/crypto
parent5abf8ad9b2bf2fcec31adec86dd4e8346f51406b (diff)
OpenSSL: Use EVP-based interface for ECDSA sign/verify
The low level ECDSA interface is not available in BoringSSL and has been deprecated in OpenSSL 3.0, so move to using a higher layer EVP-based interface for performing the ECDSA sign/verify operations. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/crypto_openssl.c39
1 files changed, 22 insertions, 17 deletions
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index 54bfcd2..72f93c1 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -2187,8 +2187,6 @@ size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
struct crypto_ec_key {
EVP_PKEY *pkey;
EC_KEY *eckey;
- BIGNUM *kinv;
- BIGNUM *rp;
};
@@ -2215,8 +2213,6 @@ struct crypto_ec_key * crypto_ec_key_parse_priv(const u8 *der, size_t der_len)
goto fail;
}
- if (ECDSA_sign_setup(key->eckey, NULL, &key->kinv, &key->rp) != 1)
- goto fail;
return key;
fail:
crypto_ec_key_deinit(key);
@@ -2253,8 +2249,6 @@ void crypto_ec_key_deinit(struct crypto_ec_key *key)
{
if (key) {
EVP_PKEY_free(key->pkey);
- BN_clear_free(key->kinv);
- BN_clear_free(key->rp);
os_free(key);
}
}
@@ -2282,22 +2276,27 @@ struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
size_t len)
{
+ EVP_PKEY_CTX *pkctx;
struct wpabuf *sig_der;
- int res;
- unsigned int sig_len;
+ size_t sig_len;
- sig_len = ECDSA_size(key->eckey);
+ sig_len = EVP_PKEY_size(key->pkey);
sig_der = wpabuf_alloc(sig_len);
if (!sig_der)
return NULL;
- res = ECDSA_sign_ex(0, data, len, wpabuf_put(sig_der, 0), &sig_len,
- key->kinv, key->rp, key->eckey);
- if (res != 1) {
+
+ pkctx = EVP_PKEY_CTX_new(key->pkey, NULL);
+ if (!pkctx ||
+ EVP_PKEY_sign_init(pkctx) <= 0 ||
+ EVP_PKEY_sign(pkctx, wpabuf_put(sig_der, 0), &sig_len,
+ data, len) <= 0) {
wpabuf_free(sig_der);
- return NULL;
+ sig_der = NULL;
+ } else {
+ wpabuf_put(sig_der, sig_len);
}
- wpabuf_put(sig_der, sig_len);
+ EVP_PKEY_CTX_free(pkctx);
return sig_der;
}
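Review bot: `sig_len = EVP_PKEY_size(key->pkey);` stores an `int` return value in a `size_t` without checking it, so a zero (or, depending on the library, negative) result for an unusable key is only caught indirectly when `wpabuf_alloc()` or `EVP_PKEY_sign()` fails. An explicit guard before the allocation would make that failure mode obvious, e.g. `int max_len = EVP_PKEY_size(key->pkey); if (max_len <= 0) return NULL;`. The combined failure branch also logs nothing, so a context-allocation failure and a signing failure look identical to whoever reads the logs; a `wpa_printf()` carrying `ERR_error_string(ERR_get_error(), NULL)` in that branch would help. A short comment noting that `data` is passed to `EVP_PKEY_sign()` as-is, which presumably means the caller supplies an already-computed digest, would also be worth adding.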
@@ -2305,15 +2304,21 @@ struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
int crypto_ec_key_verify_signature(struct crypto_ec_key *key, const u8 *data,
size_t len, const u8 *sig, size_t sig_len)
{
+ EVP_PKEY_CTX *pkctx;
int ret;
- ret = ECDSA_verify(0, data, len, sig, sig_len, key->eckey);
+ pkctx = EVP_PKEY_CTX_new(key->pkey, NULL);
+ if (!pkctx || EVP_PKEY_verify_init(pkctx) <= 0) {
+ EVP_PKEY_CTX_free(pkctx);
+ return -1;
+ }
+
+ ret = EVP_PKEY_verify(pkctx, sig, sig_len, data, len);
+ EVP_PKEY_CTX_free(pkctx);
if (ret == 1)
return 1; /* signature ok */
if (ret == 0)
return 0; /* incorrect signature */
- wpa_printf(MSG_INFO, "OpenSSL: ECDSA_verify() failed: %s",
- ERR_error_string(ERR_get_error(), NULL));
return -1;
}
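Review bot: The negative-return path of `EVP_PKEY_verify()` now falls through to `return -1;` with no log line, because the commit removes the old `wpa_printf()` rather than renaming it; the new early `return -1` on context setup failure is silent as well. The function's return values separate an incorrect signature (0) from an internal error (-1), and without the OpenSSL reason string a library failure is hard to tell apart from a malformed signature when reading logs, while the error queue entries are left unconsumed. Keeping `wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_verify() failed: %s", ERR_error_string(ERR_get_error(), NULL));` before the final `return -1;` would preserve that diagnostic.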