src/crypto/crypto_openssl.c

/*
 * Wrapper functions for OpenSSL libcrypto
 * Copyright (c) 2004-2024, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"
#include <openssl/opensslv.h>
#include <openssl/err.h>
#include <openssl/des.h>
#include <openssl/aes.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/dh.h>
#include <openssl/hmac.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>
#ifdef CONFIG_ECC
#include <openssl/ec.h>
#include <openssl/x509.h>
#endif /* CONFIG_ECC */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/provider.h>
#include <openssl/core_names.h>
#include <openssl/param_build.h>
#include <openssl/encoder.h>
#include <openssl/decoder.h>
#else /* OpenSSL version >= 3.0 */
#include <openssl/cmac.h>
#endif /* OpenSSL version >= 3.0 */
#ifdef CONFIG_DPP3
#if OPENSSL_VERSION_NUMBER >= 0x30200000L
#include <openssl/hpke.h>
#endif
#endif /* CONFIG_DPP3 */

#include "common.h"
#include "utils/const_time.h"
#include "wpabuf.h"
#include "dh_group5.h"
#include "sha1.h"
#include "sha256.h"
#include "sha384.h"
#include "sha512.h"
#include "md5.h"
#include "aes_wrap.h"
#include "crypto.h"

#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* Compatibility wrappers for older versions. */

static HMAC_CTX * HMAC_CTX_new(void)
{
	HMAC_CTX *ctx;

	ctx = os_zalloc(sizeof(*ctx));
	if (ctx)
		HMAC_CTX_init(ctx);
	return ctx;
}


static void HMAC_CTX_free(HMAC_CTX *ctx)
{
	if (!ctx)
		return;
	HMAC_CTX_cleanup(ctx);
	bin_clear_free(ctx, sizeof(*ctx));
}


static EVP_MD_CTX * EVP_MD_CTX_new(void)
{
	EVP_MD_CTX *ctx;

	ctx = os_zalloc(sizeof(*ctx));
	if (ctx)
		EVP_MD_CTX_init(ctx);
	return ctx;
}


static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
{
	if (!ctx)
		return;
	EVP_MD_CTX_cleanup(ctx);
	bin_clear_free(ctx, sizeof(*ctx));
}


#ifdef CONFIG_ECC

static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
{
	if (pkey->type != EVP_PKEY_EC)
		return NULL;
	return pkey->pkey.ec;
}


static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
{
	sig->r = r;
	sig->s = s;
	return 1;
}


static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,
			   const BIGNUM **ps)
{
	if (pr)
		*pr = sig->r;
	if (ps)
		*ps = sig->s;
}

#endif /* CONFIG_ECC */

static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
{
	return ASN1_STRING_data((ASN1_STRING *) x);
}


static const ASN1_TIME * X509_get0_notBefore(const X509 *x)
{
	return X509_get_notBefore(x);
}


static const ASN1_TIME * X509_get0_notAfter(const X509 *x)
{
	return X509_get_notAfter(x);
}

#endif /* OpenSSL version < 1.1.0 */


#if OPENSSL_VERSION_NUMBER < 0x10101000L || \
	(defined(LIBRESSL_VERSION_NUMBER) && \
	 LIBRESSL_VERSION_NUMBER < 0x30400000L)

static int EC_POINT_get_affine_coordinates(const EC_GROUP *group,
					   const EC_POINT *point, BIGNUM *x,
					   BIGNUM *y, BN_CTX *ctx)
{
	return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
}


static int EC_POINT_set_affine_coordinates(const EC_GROUP *group,
					   EC_POINT *point, const BIGNUM *x,
					   const BIGNUM *y, BN_CTX *ctx)
{
	return EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx);
}

#endif /* OpenSSL version < 1.1.1 */


#if OPENSSL_VERSION_NUMBER < 0x10101000L || \
	defined(OPENSSL_IS_BORINGSSL) || \
	(defined(LIBRESSL_VERSION_NUMBER) && \
	 LIBRESSL_VERSION_NUMBER < 0x30400000L)

static int EC_POINT_set_compressed_coordinates(const EC_GROUP *group,
					       EC_POINT *point, const BIGNUM *x,
					       int y_bit, BN_CTX *ctx)
{
	return EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit,
						       ctx);
}


static int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
			      BIGNUM *b, BN_CTX *ctx)
{
	return EC_GROUP_get_curve_GFp(group, p, a, b, ctx);
}

#endif /* OpenSSL version < 1.1.1 */


#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static OSSL_PROVIDER *openssl_legacy_provider = NULL;
#endif /* OpenSSL version >= 3.0 */

void openssl_load_legacy_provider(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	if (openssl_legacy_provider)
		return;

	openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1);
#endif /* OpenSSL version >= 3.0 */
}


static void openssl_unload_legacy_provider(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	if (openssl_legacy_provider) {
		OSSL_PROVIDER_unload(openssl_legacy_provider);
		openssl_legacy_provider = NULL;
	}
#endif /* OpenSSL version >= 3.0 */
}


#if OPENSSL_VERSION_NUMBER < 0x30000000L

static BIGNUM * get_group5_prime(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
	return BN_get_rfc3526_prime_1536(NULL);
#elif !defined(OPENSSL_IS_BORINGSSL)
	return get_rfc3526_prime_1536(NULL);
#else
	static const unsigned char RFC3526_PRIME_1536[] = {
		0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
		0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
		0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
		0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
		0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
		0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
		0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
		0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
		0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
		0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
		0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
		0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
		0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
		0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
		0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
		0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
	};
        return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), NULL);
#endif
}


static BIGNUM * get_group5_order(void)
{
	static const unsigned char RFC3526_ORDER_1536[] = {
		0x7F,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xE4,0x87,0xED,0x51,
		0x10,0xB4,0x61,0x1A,0x62,0x63,0x31,0x45,0xC0,0x6E,0x0E,0x68,
		0x94,0x81,0x27,0x04,0x45,0x33,0xE6,0x3A,0x01,0x05,0xDF,0x53,
		0x1D,0x89,0xCD,0x91,0x28,0xA5,0x04,0x3C,0xC7,0x1A,0x02,0x6E,
		0xF7,0xCA,0x8C,0xD9,0xE6,0x9D,0x21,0x8D,0x98,0x15,0x85,0x36,
		0xF9,0x2F,0x8A,0x1B,0xA7,0xF0,0x9A,0xB6,0xB6,0xA8,0xE1,0x22,
		0xF2,0x42,0xDA,0xBB,0x31,0x2F,0x3F,0x63,0x7A,0x26,0x21,0x74,
		0xD3,0x1B,0xF6,0xB5,0x85,0xFF,0xAE,0x5B,0x7A,0x03,0x5B,0xF6,
		0xF7,0x1C,0x35,0xFD,0xAD,0x44,0xCF,0xD2,0xD7,0x4F,0x92,0x08,
		0xBE,0x25,0x8F,0xF3,0x24,0x94,0x33,0x28,0xF6,0x72,0x2D,0x9E,
		0xE1,0x00,0x3E,0x5C,0x50,0xB1,0xDF,0x82,0xCC,0x6D,0x24,0x1B,
		0x0E,0x2A,0xE9,0xCD,0x34,0x8B,0x1F,0xD4,0x7E,0x92,0x67,0xAF,
		0xC1,0xB2,0xAE,0x91,0xEE,0x51,0xD6,0xCB,0x0E,0x31,0x79,0xAB,
		0x10,0x42,0xA9,0x5D,0xCF,0x6A,0x94,0x83,0xB8,0x4B,0x4B,0x36,
		0xB3,0x86,0x1A,0xA7,0x25,0x5E,0x4C,0x02,0x78,0xBA,0x36,0x04,
		0x65,0x11,0xB9,0x93,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
	};
	return BN_bin2bn(RFC3526_ORDER_1536, sizeof(RFC3526_ORDER_1536), NULL);
}

#endif /* OpenSSL version < 3.0 */


#ifdef OPENSSL_NO_SHA256
#define NO_SHA256_WRAPPER
#endif
#ifdef OPENSSL_NO_SHA512
#define NO_SHA384_WRAPPER
#endif

static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
				 const u8 *addr[], const size_t *len, u8 *mac)
{
	EVP_MD_CTX *ctx;
	size_t i;
	unsigned int mac_len;

	if (TEST_FAIL())
		return -1;

	ctx = EVP_MD_CTX_new();
	if (!ctx)
		return -1;
	if (!EVP_DigestInit_ex(ctx, type, NULL)) {
		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		EVP_MD_CTX_free(ctx);
		return -1;
	}
	for (i = 0; i < num_elem; i++) {
		if (!EVP_DigestUpdate(ctx, addr[i], len[i])) {
			wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestUpdate "
				   "failed: %s",
				   ERR_error_string(ERR_get_error(), NULL));
			EVP_MD_CTX_free(ctx);
			return -1;
		}
	}
	if (!EVP_DigestFinal(ctx, mac, &mac_len)) {
		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestFinal failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		EVP_MD_CTX_free(ctx);
		return -1;
	}
	EVP_MD_CTX_free(ctx);

	return 0;
}


#ifndef CONFIG_FIPS

int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
	openssl_load_legacy_provider();
	return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
}


int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
{
	u8 pkey[8], next, tmp;
	int i, plen, ret = -1;
	EVP_CIPHER_CTX *ctx;

	openssl_load_legacy_provider();

	/* Add parity bits to the key */
	next = 0;
	for (i = 0; i < 7; i++) {
		tmp = key[i];
		pkey[i] = (tmp >> i) | next | 1;
		next = tmp << (7 - i);
	}
	pkey[i] = next | 1;

	ctx = EVP_CIPHER_CTX_new();
	if (ctx &&
	    EVP_EncryptInit_ex(ctx, EVP_des_ecb(), NULL, pkey, NULL) == 1 &&
	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
	    EVP_EncryptUpdate(ctx, cypher, &plen, clear, 8) == 1 &&
	    EVP_EncryptFinal_ex(ctx, &cypher[plen], &plen) == 1)
		ret = 0;
	else
		wpa_printf(MSG_ERROR, "OpenSSL: DES encrypt failed");

	if (ctx)
		EVP_CIPHER_CTX_free(ctx);
	return ret;
}


#ifndef CONFIG_NO_RC4
int rc4_skip(const u8 *key, size_t keylen, size_t skip,
	     u8 *data, size_t data_len)
{
#ifdef OPENSSL_NO_RC4
	return -1;
#else /* OPENSSL_NO_RC4 */
	EVP_CIPHER_CTX *ctx;
	int outl;
	int res = -1;
	unsigned char skip_buf[16];

	openssl_load_legacy_provider();

	ctx = EVP_CIPHER_CTX_new();
	if (!ctx ||
	    !EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
	    !EVP_CIPHER_CTX_set_padding(ctx, 0) ||
	    !EVP_CIPHER_CTX_set_key_length(ctx, keylen) ||
	    !EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, 1))
		goto out;

	while (skip >= sizeof(skip_buf)) {
		size_t len = skip;
		if (len > sizeof(skip_buf))
			len = sizeof(skip_buf);
		if (!EVP_CipherUpdate(ctx, skip_buf, &outl, skip_buf, len))
			goto out;
		skip -= len;
	}

	if (EVP_CipherUpdate(ctx, data, &outl, data, data_len))
		res = 0;

out:
	if (ctx)
		EVP_CIPHER_CTX_free(ctx);
	return res;
#endif /* OPENSSL_NO_RC4 */
}
#endif /* CONFIG_NO_RC4 */


int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac);
}

#endif /* CONFIG_FIPS */


int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac);
}


#ifndef NO_SHA256_WRAPPER
int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len,
		  u8 *mac)
{
	return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac);
}
#endif /* NO_SHA256_WRAPPER */


#ifndef NO_SHA384_WRAPPER
int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len,
		  u8 *mac)
{
	return openssl_digest_vector(EVP_sha384(), num_elem, addr, len, mac);
}
#endif /* NO_SHA384_WRAPPER */


#ifndef NO_SHA512_WRAPPER
int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len,
		  u8 *mac)
{
	return openssl_digest_vector(EVP_sha512(), num_elem, addr, len, mac);
}
#endif /* NO_SHA512_WRAPPER */


static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen)
{
	switch (keylen) {
	case 16:
		return EVP_aes_128_ecb();
	case 24:
		return EVP_aes_192_ecb();
	case 32:
		return EVP_aes_256_ecb();
	default:
		return NULL;
	}
}


void * aes_encrypt_init(const u8 *key, size_t len)
{
	EVP_CIPHER_CTX *ctx;
	const EVP_CIPHER *type;

	if (TEST_FAIL())
		return NULL;

	type = aes_get_evp_cipher(len);
	if (!type) {
		wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
			   __func__, (unsigned int) len);
		return NULL;
	}

	ctx = EVP_CIPHER_CTX_new();
	if (ctx == NULL)
		return NULL;
	if (EVP_EncryptInit_ex(ctx, type, NULL, key, NULL) != 1 ||
	    EVP_CIPHER_CTX_set_padding(ctx, 0) != 1) {
		EVP_CIPHER_CTX_free(ctx);
		return NULL;
	}
	return ctx;
}


int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
{
	EVP_CIPHER_CTX *c = ctx;
	int clen = 16;
	if (EVP_EncryptUpdate(c, crypt, &clen, plain, 16) != 1) {
		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptUpdate failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		return -1;
	}
	return 0;
}


void aes_encrypt_deinit(void *ctx)
{
	EVP_CIPHER_CTX *c = ctx;
	u8 buf[16];
	int len = sizeof(buf);
	if (EVP_EncryptFinal_ex(c, buf, &len) != 1) {
		wpa_printf(MSG_ERROR, "OpenSSL: EVP_EncryptFinal_ex failed: "
			   "%s", ERR_error_string(ERR_get_error(), NULL));
	}
	if (len != 0) {
		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
			   "in AES encrypt", len);
	}
	EVP_CIPHER_CTX_free(c);
}


void * aes_decrypt_init(const u8 *key, size_t len)
{
	EVP_CIPHER_CTX *ctx;
	const EVP_CIPHER *type;

	if (TEST_FAIL())
		return NULL;

	type = aes_get_evp_cipher(len);
	if (!type) {
		wpa_printf(MSG_INFO, "%s: Unsupported len=%u",
			   __func__, (unsigned int) len);
		return NULL;
	}

	ctx = EVP_CIPHER_CTX_new();
	if (ctx == NULL)
		return NULL;
	if (EVP_DecryptInit_ex(ctx, type, NULL, key, NULL) != 1 ||
	    EVP_CIPHER_CTX_set_padding(ctx, 0) != 1) {
		EVP_CIPHER_CTX_free(ctx);
		return NULL;
	}
	return ctx;
}


int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
{
	EVP_CIPHER_CTX *c = ctx;
	int plen = 16;
	if (EVP_DecryptUpdate(c, plain, &plen, crypt, 16) != 1) {
		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptUpdate failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		return -1;
	}
	return 0;
}


void aes_decrypt_deinit(void *ctx)
{
	EVP_CIPHER_CTX *c = ctx;
	u8 buf[16];
	int len = sizeof(buf);
	if (EVP_DecryptFinal_ex(c, buf, &len) != 1) {
		wpa_printf(MSG_ERROR, "OpenSSL: EVP_DecryptFinal_ex failed: "
			   "%s", ERR_error_string(ERR_get_error(), NULL));
	}
	if (len != 0) {
		wpa_printf(MSG_ERROR, "OpenSSL: Unexpected padding length %d "
			   "in AES decrypt", len);
	}
	EVP_CIPHER_CTX_free(c);
}


#ifndef CONFIG_FIPS
#ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static const EVP_CIPHER * aes_get_evp_wrap_cipher(size_t keylen)
{
	switch (keylen) {
	case 16:
		return EVP_aes_128_wrap();
	case 24:
		return EVP_aes_192_wrap();
	case 32:
		return EVP_aes_256_wrap();
	default:
		return NULL;
	}
}
#endif /* OpenSSL version >= 3.0 */


int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_CIPHER_CTX *ctx;
	const EVP_CIPHER *type;
	int ret = -1, len;
	u8 buf[16];

	if (TEST_FAIL())
		return -1;

	type = aes_get_evp_wrap_cipher(kek_len);
	if (!type)
		return -1;

	ctx = EVP_CIPHER_CTX_new();
	if (!ctx)
		return -1;

	if (EVP_EncryptInit_ex(ctx, type, NULL, kek, NULL) == 1 &&
	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
	    EVP_EncryptUpdate(ctx, cipher, &len, plain, n * 8) == 1 &&
	    len == (n + 1) * 8 &&
	    EVP_EncryptFinal_ex(ctx, buf, &len) == 1)
		ret = 0;

	EVP_CIPHER_CTX_free(ctx);
	return ret;
#else /* OpenSSL version >= 3.0 */
	AES_KEY actx;
	int res;

	if (TEST_FAIL())
		return -1;
	if (AES_set_encrypt_key(kek, kek_len << 3, &actx))
		return -1;
	res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);
	OPENSSL_cleanse(&actx, sizeof(actx));
	return res <= 0 ? -1 : 0;
#endif /* OpenSSL version >= 3.0 */
}


int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
	       u8 *plain)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_CIPHER_CTX *ctx;
	const EVP_CIPHER *type;
	int ret = -1, len;
	u8 buf[16];

	if (TEST_FAIL())
		return -1;

	type = aes_get_evp_wrap_cipher(kek_len);
	if (!type)
		return -1;

	ctx = EVP_CIPHER_CTX_new();
	if (!ctx)
		return -1;

	if (EVP_DecryptInit_ex(ctx, type, NULL, kek, NULL) == 1 &&
	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
	    EVP_DecryptUpdate(ctx, plain, &len, cipher, (n + 1) * 8) == 1 &&
	    len == n * 8 &&
	    EVP_DecryptFinal_ex(ctx, buf, &len) == 1)
		ret = 0;

	EVP_CIPHER_CTX_free(ctx);
	return ret;
#else /* OpenSSL version >= 3.0 */
	AES_KEY actx;
	int res;

	if (TEST_FAIL())
		return -1;
	if (AES_set_decrypt_key(kek, kek_len << 3, &actx))
		return -1;
	res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);
	OPENSSL_cleanse(&actx, sizeof(actx));
	return res <= 0 ? -1 : 0;
#endif /* OpenSSL version >= 3.0 */
}

#endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
#endif /* CONFIG_FIPS */


int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
{
	EVP_CIPHER_CTX *ctx;
	int clen, len;
	u8 buf[16];
	int res = -1;

	if (TEST_FAIL())
		return -1;

	ctx = EVP_CIPHER_CTX_new();
	if (!ctx)
		return -1;
	clen = data_len;
	len = sizeof(buf);
	if (EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
	    EVP_EncryptUpdate(ctx, data, &clen, data, data_len) == 1 &&
	    clen == (int) data_len &&
	    EVP_EncryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
		res = 0;
	EVP_CIPHER_CTX_free(ctx);

	return res;
}


int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
{
	EVP_CIPHER_CTX *ctx;
	int plen, len;
	u8 buf[16];
	int res = -1;

	if (TEST_FAIL())
		return -1;

	ctx = EVP_CIPHER_CTX_new();
	if (!ctx)
		return -1;
	plen = data_len;
	len = sizeof(buf);
	if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1 &&
	    EVP_CIPHER_CTX_set_padding(ctx, 0) == 1 &&
	    EVP_DecryptUpdate(ctx, data, &plen, data, data_len) == 1 &&
	    plen == (int) data_len &&
	    EVP_DecryptFinal_ex(ctx, buf, &len) == 1 && len == 0)
		res = 0;
	EVP_CIPHER_CTX_free(ctx);

	return res;

}


int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
		   u8 *pubkey)
{
	size_t pubkey_len, pad;

	if (os_get_random(privkey, prime_len) < 0)
		return -1;
	if (os_memcmp(privkey, prime, prime_len) > 0) {
		/* Make sure private value is smaller than prime */
		privkey[0] = 0;
	}

	pubkey_len = prime_len;
	if (crypto_mod_exp(&generator, 1, privkey, prime_len, prime, prime_len,
			   pubkey, &pubkey_len) < 0)
		return -1;
	if (pubkey_len < prime_len) {
		pad = prime_len - pubkey_len;
		os_memmove(pubkey + pad, pubkey, pubkey_len);
		os_memset(pubkey, 0, pad);
	}

	return 0;
}


int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len,
			    const u8 *order, size_t order_len,
			    const u8 *privkey, size_t privkey_len,
			    const u8 *pubkey, size_t pubkey_len,
			    u8 *secret, size_t *len)
{
	BIGNUM *pub, *p;
	int res = -1;

	pub = BN_bin2bn(pubkey, pubkey_len, NULL);
	p = BN_bin2bn(prime, prime_len, NULL);
	if (!pub || !p || BN_is_zero(pub) || BN_is_one(pub) ||
	    BN_cmp(pub, p) >= 0)
		goto fail;

	if (order) {
		BN_CTX *ctx;
		BIGNUM *q, *tmp;
		int failed;

		/* verify: pubkey^q == 1 mod p */
		q = BN_bin2bn(order, order_len, NULL);
		ctx = BN_CTX_new();
		tmp = BN_new();
		failed = !q || !ctx || !tmp ||
			!BN_mod_exp(tmp, pub, q, p, ctx) ||
			!BN_is_one(tmp);
		BN_clear_free(q);
		BN_clear_free(tmp);
		BN_CTX_free(ctx);
		if (failed)
			goto fail;
	}

	res = crypto_mod_exp(pubkey, pubkey_len, privkey, privkey_len,
			     prime, prime_len, secret, len);
fail:
	BN_clear_free(pub);
	BN_clear_free(p);
	return res;
}


int crypto_mod_exp(const u8 *base, size_t base_len,
		   const u8 *power, size_t power_len,
		   const u8 *modulus, size_t modulus_len,
		   u8 *result, size_t *result_len)
{
	BIGNUM *bn_base, *bn_exp, *bn_modulus, *bn_result;
	int ret = -1;
	BN_CTX *ctx;

	ctx = BN_CTX_new();
	if (ctx == NULL)
		return -1;

	bn_base = BN_bin2bn(base, base_len, NULL);
	bn_exp = BN_bin2bn(power, power_len, NULL);
	bn_modulus = BN_bin2bn(modulus, modulus_len, NULL);
	bn_result = BN_new();

	if (bn_base == NULL || bn_exp == NULL || bn_modulus == NULL ||
	    bn_result == NULL)
		goto error;

	if (BN_mod_exp_mont_consttime(bn_result, bn_base, bn_exp, bn_modulus,
				      ctx, NULL) != 1)
		goto error;

	*result_len = BN_bn2bin(bn_result, result);
	ret = 0;

error:
	BN_clear_free(bn_base);
	BN_clear_free(bn_exp);
	BN_clear_free(bn_modulus);
	BN_clear_free(bn_result);
	BN_CTX_free(ctx);
	return ret;
}


struct crypto_cipher {
	EVP_CIPHER_CTX *enc;
	EVP_CIPHER_CTX *dec;
};


struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
					  const u8 *iv, const u8 *key,
					  size_t key_len)
{
	struct crypto_cipher *ctx;
	const EVP_CIPHER *cipher;

	ctx = os_zalloc(sizeof(*ctx));
	if (ctx == NULL)
		return NULL;

	switch (alg) {
#ifndef CONFIG_NO_RC4
#ifndef OPENSSL_NO_RC4
	case CRYPTO_CIPHER_ALG_RC4:
		cipher = EVP_rc4();
		break;
#endif /* OPENSSL_NO_RC4 */
#endif /* CONFIG_NO_RC4 */
#ifndef OPENSSL_NO_AES
	case CRYPTO_CIPHER_ALG_AES:
		switch (key_len) {
		case 16:
			cipher = EVP_aes_128_cbc();
			break;
#ifndef OPENSSL_IS_BORINGSSL
		case 24:
			cipher = EVP_aes_192_cbc();
			break;
#endif /* OPENSSL_IS_BORINGSSL */
		case 32:
			cipher = EVP_aes_256_cbc();
			break;
		default:
			os_free(ctx);
			return NULL;
		}
		break;
#endif /* OPENSSL_NO_AES */
#ifndef OPENSSL_NO_DES
	case CRYPTO_CIPHER_ALG_3DES:
		cipher = EVP_des_ede3_cbc();
		break;
	case CRYPTO_CIPHER_ALG_DES:
		cipher = EVP_des_cbc();
		break;
#endif /* OPENSSL_NO_DES */
#ifndef OPENSSL_NO_RC2
	case CRYPTO_CIPHER_ALG_RC2:
		cipher = EVP_rc2_ecb();
		break;
#endif /* OPENSSL_NO_RC2 */
	default:
		os_free(ctx);
		return NULL;
	}

	if (!(ctx->enc = EVP_CIPHER_CTX_new()) ||
	    !EVP_EncryptInit_ex(ctx->enc, cipher, NULL, NULL, NULL) ||
	    !EVP_CIPHER_CTX_set_padding(ctx->enc, 0) ||
	    !EVP_CIPHER_CTX_set_key_length(ctx->enc, key_len) ||
	    !EVP_EncryptInit_ex(ctx->enc, NULL, NULL, key, iv)) {
		if (ctx->enc)
			EVP_CIPHER_CTX_free(ctx->enc);
		os_free(ctx);
		return NULL;
	}

	if (!(ctx->dec = EVP_CIPHER_CTX_new()) ||
	    !EVP_DecryptInit_ex(ctx->dec, cipher, NULL, NULL, NULL) ||
	    !EVP_CIPHER_CTX_set_padding(ctx->dec, 0) ||
	    !EVP_CIPHER_CTX_set_key_length(ctx->dec, key_len) ||
	    !EVP_DecryptInit_ex(ctx->dec, NULL, NULL, key, iv)) {
		EVP_CIPHER_CTX_free(ctx->enc);
		if (ctx->dec)
			EVP_CIPHER_CTX_free(ctx->dec);
		os_free(ctx);
		return NULL;
	}

	return ctx;
}


int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain,
			  u8 *crypt, size_t len)
{
	int outl;
	if (!EVP_EncryptUpdate(ctx->enc, crypt, &outl, plain, len))
		return -1;
	return 0;
}


int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt,
			  u8 *plain, size_t len)
{
	int outl;
	outl = len;
	if (!EVP_DecryptUpdate(ctx->dec, plain, &outl, crypt, len))
		return -1;
	return 0;
}


void crypto_cipher_deinit(struct crypto_cipher *ctx)
{
	EVP_CIPHER_CTX_free(ctx->enc);
	EVP_CIPHER_CTX_free(ctx->dec);
	os_free(ctx);
}


void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
	DH *dh;
	struct wpabuf *pubkey = NULL, *privkey = NULL;
	size_t publen, privlen;

	*priv = NULL;
	wpabuf_free(*publ);
	*publ = NULL;

	dh = DH_new();
	if (dh == NULL)
		return NULL;

	dh->g = BN_new();
	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
		goto err;

	dh->p = get_group5_prime();
	if (dh->p == NULL)
		goto err;

	dh->q = get_group5_order();
	if (!dh->q)
		goto err;

	if (DH_generate_key(dh) != 1)
		goto err;

	publen = BN_num_bytes(dh->pub_key);
	pubkey = wpabuf_alloc(publen);
	if (pubkey == NULL)
		goto err;
	privlen = BN_num_bytes(dh->priv_key);
	privkey = wpabuf_alloc(privlen);
	if (privkey == NULL)
		goto err;

	BN_bn2bin(dh->pub_key, wpabuf_put(pubkey, publen));
	BN_bn2bin(dh->priv_key, wpabuf_put(privkey, privlen));

	*priv = privkey;
	*publ = pubkey;
	return dh;

err:
	wpabuf_clear_free(pubkey);
	wpabuf_clear_free(privkey);
	DH_free(dh);
	return NULL;
#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_PKEY *pkey = NULL;
	OSSL_PARAM params[2];
	size_t pub_len = OSSL_PARAM_UNMODIFIED;
	size_t priv_len;
	struct wpabuf *pubkey = NULL, *privkey = NULL;
	BIGNUM *priv_bn = NULL;
	EVP_PKEY_CTX *gctx;

	*priv = NULL;
	wpabuf_free(*publ);
	*publ = NULL;

	params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
						     "modp_1536", 0);
	params[1] = OSSL_PARAM_construct_end();

	gctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
	if (!gctx ||
	    EVP_PKEY_keygen_init(gctx) != 1 ||
	    EVP_PKEY_CTX_set_params(gctx, params) != 1 ||
	    EVP_PKEY_generate(gctx, &pkey) != 1 ||
	    EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY,
				  &priv_bn) != 1 ||
	    EVP_PKEY_get_octet_string_param(pkey,
					    OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
					    NULL, 0, &pub_len) < 0 ||
	    pub_len == OSSL_PARAM_UNMODIFIED ||
	    (priv_len = BN_num_bytes(priv_bn)) == 0 ||
	    !(pubkey = wpabuf_alloc(pub_len)) ||
	    !(privkey = wpabuf_alloc(priv_len)) ||
	    EVP_PKEY_get_octet_string_param(pkey,
					    OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
					    wpabuf_put(pubkey, pub_len),
					    pub_len, NULL) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL: failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		wpabuf_free(pubkey);
		wpabuf_clear_free(privkey);
		EVP_PKEY_free(pkey);
		pkey = NULL;
	} else {
		BN_bn2bin(priv_bn, wpabuf_put(privkey, priv_len));

		*priv = privkey;
		*publ = pubkey;
	}

	BN_clear_free(priv_bn);
	EVP_PKEY_CTX_free(gctx);
	return pkey;
#else
	DH *dh;
	struct wpabuf *pubkey = NULL, *privkey = NULL;
	size_t publen, privlen;
	BIGNUM *p, *g, *q;
	const BIGNUM *priv_key = NULL, *pub_key = NULL;

	*priv = NULL;
	wpabuf_free(*publ);
	*publ = NULL;

	dh = DH_new();
	if (dh == NULL)
		return NULL;

	g = BN_new();
	p = get_group5_prime();
	q = get_group5_order();
	if (!g || BN_set_word(g, 2) != 1 || !p || !q ||
	    DH_set0_pqg(dh, p, q, g) != 1)
		goto err;
	p = NULL;
	q = NULL;
	g = NULL;

	if (DH_generate_key(dh) != 1)
		goto err;

	DH_get0_key(dh, &pub_key, &priv_key);
	publen = BN_num_bytes(pub_key);
	pubkey = wpabuf_alloc(publen);
	if (!pubkey)
		goto err;
	privlen = BN_num_bytes(priv_key);
	privkey = wpabuf_alloc(privlen);
	if (!privkey)
		goto err;

	BN_bn2bin(pub_key, wpabuf_put(pubkey, publen));
	BN_bn2bin(priv_key, wpabuf_put(privkey, privlen));

	*priv = privkey;
	*publ = pubkey;
	return dh;

err:
	BN_free(p);
	BN_free(q);
	BN_free(g);
	wpabuf_clear_free(pubkey);
	wpabuf_clear_free(privkey);
	DH_free(dh);
	return NULL;
#endif
}


void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
	DH *dh;

	dh = DH_new();
	if (dh == NULL)
		return NULL;

	dh->g = BN_new();
	if (dh->g == NULL || BN_set_word(dh->g, 2) != 1)
		goto err;

	dh->p = get_group5_prime();
	if (dh->p == NULL)
		goto err;

	dh->priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
	if (dh->priv_key == NULL)
		goto err;

	dh->pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
	if (dh->pub_key == NULL)
		goto err;

	if (DH_generate_key(dh) != 1)
		goto err;

	return dh;

err:
	DH_free(dh);
	return NULL;
#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_PKEY *pkey = NULL;
	OSSL_PARAM_BLD *bld;
	OSSL_PARAM *params = NULL;
	BIGNUM *priv_key, *pub_key;
	EVP_PKEY_CTX *fctx;

	fctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
	priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
	pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
	bld = OSSL_PARAM_BLD_new();
	if (!fctx || !priv_key || !pub_key || !bld ||
	    OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME,
					    "modp_1536", 0) != 1 ||
	    OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
				   priv_key) != 1 ||
	    OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
				   pub_key) != 1 ||
	    !(params = OSSL_PARAM_BLD_to_param(bld)) ||
	    EVP_PKEY_fromdata_init(fctx) != 1 ||
	    EVP_PKEY_fromdata(fctx, &pkey, EVP_PKEY_KEYPAIR, params) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_fromdata failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		EVP_PKEY_free(pkey);
		pkey = NULL;
	}

	BN_clear_free(priv_key);
	BN_free(pub_key);
	EVP_PKEY_CTX_free(fctx);
	OSSL_PARAM_BLD_free(bld);
	OSSL_PARAM_free(params);
	return pkey;
#else
	DH *dh;
	BIGNUM *p = NULL, *g, *priv_key = NULL, *pub_key = NULL;

	dh = DH_new();
	if (dh == NULL)
		return NULL;

	g = BN_new();
	p = get_group5_prime();
	if (!g || BN_set_word(g, 2) != 1 || !p ||
	    DH_set0_pqg(dh, p, NULL, g) != 1)
		goto err;
	p = NULL;
	g = NULL;

	priv_key = BN_bin2bn(wpabuf_head(priv), wpabuf_len(priv), NULL);
	pub_key = BN_bin2bn(wpabuf_head(publ), wpabuf_len(publ), NULL);
	if (!priv_key || !pub_key || DH_set0_key(dh, pub_key, priv_key) != 1)
		goto err;
	pub_key = NULL;
	priv_key = NULL;

	if (DH_generate_key(dh) != 1)
		goto err;

	return dh;

err:
	BN_free(p);
	BN_free(g);
	BN_free(pub_key);
	BN_clear_free(priv_key);
	DH_free(dh);
	return NULL;
#endif
}


struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public,
				  const struct wpabuf *own_private)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_PKEY *pkey = ctx;
	EVP_PKEY *peer_pub;
	size_t len;
	struct wpabuf *res = NULL;
	EVP_PKEY_CTX *dctx = NULL;

	peer_pub = EVP_PKEY_new();
	if (!pkey || !peer_pub ||
	    EVP_PKEY_copy_parameters(peer_pub, pkey) != 1 ||
	    EVP_PKEY_set1_encoded_public_key(peer_pub, wpabuf_head(peer_public),
					     wpabuf_len(peer_public)) != 1 ||
	    !(dctx = EVP_PKEY_CTX_new(pkey, NULL)) ||
	    EVP_PKEY_derive_init(dctx) != 1 ||
	    EVP_PKEY_derive_set_peer(dctx, peer_pub) != 1 ||
	    EVP_PKEY_derive(dctx, NULL, &len) != 1 ||
	    !(res = wpabuf_alloc(len)) ||
	    EVP_PKEY_derive(dctx, wpabuf_mhead(res), &len) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_derive failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		wpabuf_free(res);
		res = NULL;
	} else {
		wpabuf_put(res, len);
	}

	EVP_PKEY_free(peer_pub);
	EVP_PKEY_CTX_free(dctx);
	return res;
#else /* OpenSSL version >= 3.0 */
	BIGNUM *pub_key;
	struct wpabuf *res = NULL;
	size_t rlen;
	DH *dh = ctx;
	int keylen;

	if (ctx == NULL)
		return NULL;

	pub_key = BN_bin2bn(wpabuf_head(peer_public), wpabuf_len(peer_public),
			    NULL);
	if (pub_key == NULL)
		return NULL;

	rlen = DH_size(dh);
	res = wpabuf_alloc(rlen);
	if (res == NULL)
		goto err;

	keylen = DH_compute_key(wpabuf_mhead(res), pub_key, dh);
	if (keylen < 0)
		goto err;
	wpabuf_put(res, keylen);
	BN_clear_free(pub_key);

	return res;

err:
	BN_clear_free(pub_key);
	wpabuf_clear_free(res);
	return NULL;
#endif /* OpenSSL version >= 3.0 */
}


void dh5_free(void *ctx)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_PKEY *pkey = ctx;

	EVP_PKEY_free(pkey);
#else /* OpenSSL version >= 3.0 */
	DH *dh;
	if (ctx == NULL)
		return;
	dh = ctx;
	DH_free(dh);
#endif /* OpenSSL version >= 3.0 */
}


struct crypto_hash {
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_MAC_CTX *ctx;
#else /* OpenSSL version >= 3.0 */
	HMAC_CTX *ctx;
#endif /* OpenSSL version >= 3.0 */
	bool failed;
};


struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
				      size_t key_len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	struct crypto_hash *ctx;
	EVP_MAC *mac;
	OSSL_PARAM params[2];
	char *a = NULL;

	switch (alg) {
#ifndef OPENSSL_NO_MD5
	case CRYPTO_HASH_ALG_HMAC_MD5:
		a = "MD5";
		break;
#endif /* OPENSSL_NO_MD5 */
#ifndef OPENSSL_NO_SHA
	case CRYPTO_HASH_ALG_HMAC_SHA1:
		a = "SHA1";
		break;
#endif /* OPENSSL_NO_SHA */
#ifndef OPENSSL_NO_SHA256
#ifdef CONFIG_SHA256
	case CRYPTO_HASH_ALG_HMAC_SHA256:
		a = "SHA256";
		break;
#endif /* CONFIG_SHA256 */
#endif /* OPENSSL_NO_SHA256 */
	default:
		return NULL;
	}

	mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
	if (!mac)
		return NULL;

	params[0] = OSSL_PARAM_construct_utf8_string("digest", a, 0);
	params[1] = OSSL_PARAM_construct_end();

	ctx = os_zalloc(sizeof(*ctx));
	if (!ctx)
		goto fail;
	ctx->ctx = EVP_MAC_CTX_new(mac);
	if (!ctx->ctx) {
		os_free(ctx);
		ctx = NULL;
		goto fail;
	}

	if (EVP_MAC_init(ctx->ctx, key, key_len, params) != 1) {
		EVP_MAC_CTX_free(ctx->ctx);
		bin_clear_free(ctx, sizeof(*ctx));
		ctx = NULL;
		goto fail;
	}

fail:
	EVP_MAC_free(mac);
	return ctx;
#else /* OpenSSL version >= 3.0 */
	struct crypto_hash *ctx;
	const EVP_MD *md;

	switch (alg) {
#ifndef OPENSSL_NO_MD5
	case CRYPTO_HASH_ALG_HMAC_MD5:
		md = EVP_md5();
		break;
#endif /* OPENSSL_NO_MD5 */
#ifndef OPENSSL_NO_SHA
	case CRYPTO_HASH_ALG_HMAC_SHA1:
		md = EVP_sha1();
		break;
#endif /* OPENSSL_NO_SHA */
#ifndef OPENSSL_NO_SHA256
#ifdef CONFIG_SHA256
	case CRYPTO_HASH_ALG_HMAC_SHA256:
		md = EVP_sha256();
		break;
#endif /* CONFIG_SHA256 */
#endif /* OPENSSL_NO_SHA256 */
	default:
		return NULL;
	}

	ctx = os_zalloc(sizeof(*ctx));
	if (ctx == NULL)
		return NULL;
	ctx->ctx = HMAC_CTX_new();
	if (!ctx->ctx) {
		os_free(ctx);
		return NULL;
	}

	if (HMAC_Init_ex(ctx->ctx, key, key_len, md, NULL) != 1) {
		HMAC_CTX_free(ctx->ctx);
		bin_clear_free(ctx, sizeof(*ctx));
		return NULL;
	}

	return ctx;
#endif /* OpenSSL version >= 3.0 */
}


void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
{
	if (ctx == NULL)
		return;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	if (!EVP_MAC_update(ctx->ctx, data, len))
		ctx->failed = true;
#else /* OpenSSL version >= 3.0 */
	if (!HMAC_Update(ctx->ctx, data, len))
		ctx->failed = true;
#endif /* OpenSSL version >= 3.0 */
}


int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	size_t mdlen;
	int res;
	bool failed;

	if (!ctx)
		return -2;

	if (!mac || !len) {
		EVP_MAC_CTX_free(ctx->ctx);
		bin_clear_free(ctx, sizeof(*ctx));
		return 0;
	}

	res = EVP_MAC_final(ctx->ctx, NULL, &mdlen, 0);
	if (res != 1) {
		EVP_MAC_CTX_free(ctx->ctx);
		bin_clear_free(ctx, sizeof(*ctx));
		return -1;
	}
	res = EVP_MAC_final(ctx->ctx, mac, &mdlen, mdlen);
	EVP_MAC_CTX_free(ctx->ctx);
	failed = ctx->failed;
	bin_clear_free(ctx, sizeof(*ctx));

	if (TEST_FAIL())
		return -1;

	if (failed)
		return -2;

	if (res == 1) {
		*len = mdlen;
		return 0;
	}

	return -1;
#else /* OpenSSL version >= 3.0 */
	unsigned int mdlen;
	int res;
	bool failed;

	if (ctx == NULL)
		return -2;

	if (mac == NULL || len == NULL) {
		HMAC_CTX_free(ctx->ctx);
		bin_clear_free(ctx, sizeof(*ctx));
		return 0;
	}

	mdlen = *len;
	res = HMAC_Final(ctx->ctx, mac, &mdlen);
	HMAC_CTX_free(ctx->ctx);
	failed = ctx->failed;
	bin_clear_free(ctx, sizeof(*ctx));

	if (TEST_FAIL())
		return -1;

	if (failed)
		return -2;

	if (res == 1) {
		*len = mdlen;
		return 0;
	}

	return -1;
#endif /* OpenSSL version >= 3.0 */
}


#if OPENSSL_VERSION_NUMBER >= 0x30000000L

static int openssl_hmac_vector(char *digest, const u8 *key,
			       size_t key_len, size_t num_elem,
			       const u8 *addr[], const size_t *len, u8 *mac,
			       unsigned int mdlen)
{
	EVP_MAC *hmac;
	OSSL_PARAM params[2];
	EVP_MAC_CTX *ctx;
	size_t i, mlen;
	int res;

	if (TEST_FAIL())
		return -1;

	hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
	if (!hmac)
		return -1;

	params[0] = OSSL_PARAM_construct_utf8_string("digest", digest, 0);
	params[1] = OSSL_PARAM_construct_end();

	ctx = EVP_MAC_CTX_new(hmac);
	EVP_MAC_free(hmac);
	if (!ctx)
		return -1;

	if (EVP_MAC_init(ctx, key, key_len, params) != 1)
		goto fail;

	for (i = 0; i < num_elem; i++) {
		if (EVP_MAC_update(ctx, addr[i], len[i]) != 1)
			goto fail;
	}

	res = EVP_MAC_final(ctx, mac, &mlen, mdlen);
	EVP_MAC_CTX_free(ctx);

	return res == 1 ? 0 : -1;
fail:
	EVP_MAC_CTX_free(ctx);
	return -1;
}


#ifndef CONFIG_FIPS

int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
		    const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_hmac_vector("MD5", key ,key_len, num_elem, addr, len,
				   mac, 16);
}


int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
	     u8 *mac)
{
	return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
}

#endif /* CONFIG_FIPS */


int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
		     const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_hmac_vector("SHA1", key, key_len, num_elem, addr,
				   len, mac, 20);
}


int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
	       u8 *mac)
{
	return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
}


#ifdef CONFIG_SHA256

int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
		       const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_hmac_vector("SHA256", key, key_len, num_elem, addr,
				   len, mac, 32);
}


int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
		size_t data_len, u8 *mac)
{
	return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
}

#endif /* CONFIG_SHA256 */


#ifdef CONFIG_SHA384

int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
		       const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_hmac_vector("SHA384", key, key_len, num_elem, addr,
				   len, mac, 48);
}


int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
		size_t data_len, u8 *mac)
{
	return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
}

#endif /* CONFIG_SHA384 */


#ifdef CONFIG_SHA512

int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
		       const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_hmac_vector("SHA512", key, key_len, num_elem, addr,
				   len, mac, 64);
}


int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
		size_t data_len, u8 *mac)
{
	return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
}

#endif /* CONFIG_SHA512 */

#else /* OpenSSL version >= 3.0 */

static int openssl_hmac_vector(const EVP_MD *type, const u8 *key,
			       size_t key_len, size_t num_elem,
			       const u8 *addr[], const size_t *len, u8 *mac,
			       unsigned int mdlen)
{
	HMAC_CTX *ctx;
	size_t i;
	int res;

	if (TEST_FAIL())
		return -1;

	ctx = HMAC_CTX_new();
	if (!ctx)
		return -1;
	res = HMAC_Init_ex(ctx, key, key_len, type, NULL);
	if (res != 1)
		goto done;

	for (i = 0; i < num_elem; i++)
		HMAC_Update(ctx, addr[i], len[i]);

	res = HMAC_Final(ctx, mac, &mdlen);
done:
	HMAC_CTX_free(ctx);

	return res == 1 ? 0 : -1;
}


#ifndef CONFIG_FIPS

int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem,
		    const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_hmac_vector(EVP_md5(), key ,key_len, num_elem, addr, len,
				   mac, 16);
}


int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
	     u8 *mac)
{
	return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac);
}

#endif /* CONFIG_FIPS */


int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem,
		     const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_hmac_vector(EVP_sha1(), key, key_len, num_elem, addr,
				   len, mac, 20);
}


int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len,
	       u8 *mac)
{
	return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac);
}


#ifdef CONFIG_SHA256

int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem,
		       const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_hmac_vector(EVP_sha256(), key, key_len, num_elem, addr,
				   len, mac, 32);
}


int hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
		size_t data_len, u8 *mac)
{
	return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac);
}

#endif /* CONFIG_SHA256 */


#ifdef CONFIG_SHA384

int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem,
		       const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_hmac_vector(EVP_sha384(), key, key_len, num_elem, addr,
				   len, mac, 48);
}


int hmac_sha384(const u8 *key, size_t key_len, const u8 *data,
		size_t data_len, u8 *mac)
{
	return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac);
}

#endif /* CONFIG_SHA384 */


#ifdef CONFIG_SHA512

int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
		       const u8 *addr[], const size_t *len, u8 *mac)
{
	return openssl_hmac_vector(EVP_sha512(), key, key_len, num_elem, addr,
				   len, mac, 64);
}


int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
		size_t data_len, u8 *mac)
{
	return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
}

#endif /* CONFIG_SHA512 */

#endif /* OpenSSL version >= 3.0 */


int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
		int iterations, u8 *buf, size_t buflen)
{
	if (PKCS5_PBKDF2_HMAC_SHA1(passphrase, os_strlen(passphrase), ssid,
				   ssid_len, iterations, buflen, buf) != 1)
		return -1;
	return 0;
}


int crypto_get_random(void *buf, size_t len)
{
	if (RAND_bytes(buf, len) != 1)
		return -1;
	return 0;
}


int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
		     const u8 *addr[], const size_t *len, u8 *mac)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_MAC_CTX *ctx = NULL;
	EVP_MAC *emac;
	int ret = -1;
	size_t outlen, i;
	OSSL_PARAM params[2];
	char *cipher = NULL;

	if (TEST_FAIL())
		return -1;

	emac = EVP_MAC_fetch(NULL, "CMAC", NULL);

	if (key_len == 32)
		cipher = "aes-256-cbc";
	else if (key_len == 24)
		cipher = "aes-192-cbc";
	else if (key_len == 16)
		cipher = "aes-128-cbc";

	params[0] = OSSL_PARAM_construct_utf8_string("cipher", cipher, 0);
	params[1] = OSSL_PARAM_construct_end();

	if (!emac || !cipher ||
	    !(ctx = EVP_MAC_CTX_new(emac)) ||
	    EVP_MAC_init(ctx, key, key_len, params) != 1)
		goto fail;

	for (i = 0; i < num_elem; i++) {
		if (!EVP_MAC_update(ctx, addr[i], len[i]))
			goto fail;
	}
	if (EVP_MAC_final(ctx, mac, &outlen, 16) != 1 || outlen != 16)
		goto fail;

	ret = 0;
fail:
	EVP_MAC_CTX_free(ctx);
	return ret;
#else /* OpenSSL version >= 3.0 */
	CMAC_CTX *ctx;
	int ret = -1;
	size_t outlen, i;

	if (TEST_FAIL())
		return -1;

	ctx = CMAC_CTX_new();
	if (ctx == NULL)
		return -1;

	if (key_len == 32) {
		if (!CMAC_Init(ctx, key, 32, EVP_aes_256_cbc(), NULL))
			goto fail;
	} else if (key_len == 24) {
		if (!CMAC_Init(ctx, key, 24, EVP_aes_192_cbc(), NULL))
			goto fail;
	} else if (key_len == 16) {
		if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
			goto fail;
	} else {
		goto fail;
	}
	for (i = 0; i < num_elem; i++) {
		if (!CMAC_Update(ctx, addr[i], len[i]))
			goto fail;
	}
	if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
		goto fail;

	ret = 0;
fail:
	CMAC_CTX_free(ctx);
	return ret;
#endif /* OpenSSL version >= 3.0 */
}


int omac1_aes_128_vector(const u8 *key, size_t num_elem,
			 const u8 *addr[], const size_t *len, u8 *mac)
{
	return omac1_aes_vector(key, 16, num_elem, addr, len, mac);
}


int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
{
	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
}


int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
{
	return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
}


struct crypto_bignum * crypto_bignum_init(void)
{
	if (TEST_FAIL())
		return NULL;
	return (struct crypto_bignum *) BN_new();
}


struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len)
{
	BIGNUM *bn;

	if (TEST_FAIL())
		return NULL;

	bn = BN_bin2bn(buf, len, NULL);
	return (struct crypto_bignum *) bn;
}


struct crypto_bignum * crypto_bignum_init_uint(unsigned int val)
{
	BIGNUM *bn;

	if (TEST_FAIL())
		return NULL;

	bn = BN_new();
	if (!bn)
		return NULL;
	if (BN_set_word(bn, val) != 1) {
		BN_free(bn);
		return NULL;
	}
	return (struct crypto_bignum *) bn;
}


void crypto_bignum_deinit(struct crypto_bignum *n, int clear)
{
	if (clear)
		BN_clear_free((BIGNUM *) n);
	else
		BN_free((BIGNUM *) n);
}


int crypto_bignum_to_bin(const struct crypto_bignum *a,
			 u8 *buf, size_t buflen, size_t padlen)
{
	int num_bytes, offset;

	if (TEST_FAIL())
		return -1;

	if (padlen > buflen)
		return -1;

	if (padlen) {
#ifdef OPENSSL_IS_BORINGSSL
		if (BN_bn2bin_padded(buf, padlen, (const BIGNUM *) a) == 0)
			return -1;
		return padlen;
#else /* OPENSSL_IS_BORINGSSL */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
		return BN_bn2binpad((const BIGNUM *) a, buf, padlen);
#endif
#endif
	}

	num_bytes = BN_num_bytes((const BIGNUM *) a);
	if ((size_t) num_bytes > buflen)
		return -1;
	if (padlen > (size_t) num_bytes)
		offset = padlen - num_bytes;
	else
		offset = 0;

	os_memset(buf, 0, offset);
	BN_bn2bin((const BIGNUM *) a, buf + offset);

	return num_bytes + offset;
}


int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
{
	if (TEST_FAIL())
		return -1;
	return BN_rand_range((BIGNUM *) r, (const BIGNUM *) m) == 1 ? 0 : -1;
}


int crypto_bignum_add(const struct crypto_bignum *a,
		      const struct crypto_bignum *b,
		      struct crypto_bignum *c)
{
	return BN_add((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
		0 : -1;
}


int crypto_bignum_mod(const struct crypto_bignum *a,
		      const struct crypto_bignum *b,
		      struct crypto_bignum *c)
{
	int res;
	BN_CTX *bnctx;

	bnctx = BN_CTX_new();
	if (bnctx == NULL)
		return -1;
	res = BN_mod((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
		     bnctx);
	BN_CTX_free(bnctx);

	return res ? 0 : -1;
}


int crypto_bignum_exptmod(const struct crypto_bignum *a,
			  const struct crypto_bignum *b,
			  const struct crypto_bignum *c,
			  struct crypto_bignum *d)
{
	int res;
	BN_CTX *bnctx;

	if (TEST_FAIL())
		return -1;

	bnctx = BN_CTX_new();
	if (bnctx == NULL)
		return -1;
	res = BN_mod_exp_mont_consttime((BIGNUM *) d, (const BIGNUM *) a,
					(const BIGNUM *) b, (const BIGNUM *) c,
					bnctx, NULL);
	BN_CTX_free(bnctx);

	return res ? 0 : -1;
}


int crypto_bignum_inverse(const struct crypto_bignum *a,
			  const struct crypto_bignum *b,
			  struct crypto_bignum *c)
{
	BIGNUM *res;
	BN_CTX *bnctx;

	if (TEST_FAIL())
		return -1;
	bnctx = BN_CTX_new();
	if (bnctx == NULL)
		return -1;
#ifdef OPENSSL_IS_BORINGSSL
	/* TODO: use BN_mod_inverse_blinded() ? */
#else /* OPENSSL_IS_BORINGSSL */
	BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
#endif /* OPENSSL_IS_BORINGSSL */
	res = BN_mod_inverse((BIGNUM *) c, (const BIGNUM *) a,
			     (const BIGNUM *) b, bnctx);
	BN_CTX_free(bnctx);

	return res ? 0 : -1;
}


int crypto_bignum_sub(const struct crypto_bignum *a,
		      const struct crypto_bignum *b,
		      struct crypto_bignum *c)
{
	if (TEST_FAIL())
		return -1;
	return BN_sub((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b) ?
		0 : -1;
}


int crypto_bignum_div(const struct crypto_bignum *a,
		      const struct crypto_bignum *b,
		      struct crypto_bignum *c)
{
	int res;

	BN_CTX *bnctx;

	if (TEST_FAIL())
		return -1;

	bnctx = BN_CTX_new();
	if (bnctx == NULL)
		return -1;
#ifndef OPENSSL_IS_BORINGSSL
	BN_set_flags((BIGNUM *) a, BN_FLG_CONSTTIME);
#endif /* OPENSSL_IS_BORINGSSL */
	res = BN_div((BIGNUM *) c, NULL, (const BIGNUM *) a,
		     (const BIGNUM *) b, bnctx);
	BN_CTX_free(bnctx);

	return res ? 0 : -1;
}


int crypto_bignum_addmod(const struct crypto_bignum *a,
			 const struct crypto_bignum *b,
			 const struct crypto_bignum *c,
			 struct crypto_bignum *d)
{
	int res;
	BN_CTX *bnctx;

	if (TEST_FAIL())
		return -1;

	bnctx = BN_CTX_new();
	if (!bnctx)
		return -1;
	res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
			 (const BIGNUM *) c, bnctx);
	BN_CTX_free(bnctx);

	return res ? 0 : -1;
}


int crypto_bignum_mulmod(const struct crypto_bignum *a,
			 const struct crypto_bignum *b,
			 const struct crypto_bignum *c,
			 struct crypto_bignum *d)
{
	int res;

	BN_CTX *bnctx;

	if (TEST_FAIL())
		return -1;

	bnctx = BN_CTX_new();
	if (bnctx == NULL)
		return -1;
	res = BN_mod_mul((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b,
			 (const BIGNUM *) c, bnctx);
	BN_CTX_free(bnctx);

	return res ? 0 : -1;
}


int crypto_bignum_sqrmod(const struct crypto_bignum *a,
			 const struct crypto_bignum *b,
			 struct crypto_bignum *c)
{
	int res;
	BN_CTX *bnctx;

	if (TEST_FAIL())
		return -1;

	bnctx = BN_CTX_new();
	if (!bnctx)
		return -1;
	res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b,
			 bnctx);
	BN_CTX_free(bnctx);

	return res ? 0 : -1;
}


int crypto_bignum_rshift(const struct crypto_bignum *a, int n,
			 struct crypto_bignum *r)
{
	return BN_rshift((BIGNUM *) r, (const BIGNUM *) a, n) == 1 ? 0 : -1;
}


int crypto_bignum_cmp(const struct crypto_bignum *a,
		      const struct crypto_bignum *b)
{
	return BN_cmp((const BIGNUM *) a, (const BIGNUM *) b);
}


int crypto_bignum_is_zero(const struct crypto_bignum *a)
{
	return BN_is_zero((const BIGNUM *) a);
}


int crypto_bignum_is_one(const struct crypto_bignum *a)
{
	return BN_is_one((const BIGNUM *) a);
}


int crypto_bignum_is_odd(const struct crypto_bignum *a)
{
	return BN_is_odd((const BIGNUM *) a);
}


int crypto_bignum_legendre(const struct crypto_bignum *a,
			   const struct crypto_bignum *p)
{
	BN_CTX *bnctx;
	BIGNUM *exp = NULL, *tmp = NULL;
	int res = -2;
	unsigned int mask;

	if (TEST_FAIL())
		return -2;

	bnctx = BN_CTX_new();
	if (bnctx == NULL)
		return -2;

	exp = BN_new();
	tmp = BN_new();
	if (!exp || !tmp ||
	    /* exp = (p-1) / 2 */
	    !BN_sub(exp, (const BIGNUM *) p, BN_value_one()) ||
	    !BN_rshift1(exp, exp) ||
	    !BN_mod_exp_mont_consttime(tmp, (const BIGNUM *) a, exp,
				       (const BIGNUM *) p, bnctx, NULL))
		goto fail;

	/* Return 1 if tmp == 1, 0 if tmp == 0, or -1 otherwise. Need to use
	 * constant time selection to avoid branches here. */
	res = -1;
	mask = const_time_eq(BN_is_word(tmp, 1), 1);
	res = const_time_select_int(mask, 1, res);
	mask = const_time_eq(BN_is_zero(tmp), 1);
	res = const_time_select_int(mask, 0, res);

fail:
	BN_clear_free(tmp);
	BN_clear_free(exp);
	BN_CTX_free(bnctx);
	return res;
}


#ifdef CONFIG_ECC

struct crypto_ec {
	EC_GROUP *group;
	int nid;
	int iana_group;
	BN_CTX *bnctx;
	BIGNUM *prime;
	BIGNUM *order;
	BIGNUM *a;
	BIGNUM *b;
};


static int crypto_ec_group_2_nid(int group)
{
	/* Map from IANA registry for IKE D-H groups to OpenSSL NID */
	switch (group) {
	case 19:
		return NID_X9_62_prime256v1;
	case 20:
		return NID_secp384r1;
	case 21:
		return NID_secp521r1;
	case 25:
		return NID_X9_62_prime192v1;
	case 26:
		return NID_secp224r1;
#ifdef NID_brainpoolP224r1
	case 27:
		return NID_brainpoolP224r1;
#endif /* NID_brainpoolP224r1 */
#ifdef NID_brainpoolP256r1
	case 28:
		return NID_brainpoolP256r1;
#endif /* NID_brainpoolP256r1 */
#ifdef NID_brainpoolP384r1
	case 29:
		return NID_brainpoolP384r1;
#endif /* NID_brainpoolP384r1 */
#ifdef NID_brainpoolP512r1
	case 30:
		return NID_brainpoolP512r1;
#endif /* NID_brainpoolP512r1 */
	default:
		return -1;
	}
}


#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static const char * crypto_ec_group_2_name(int group)
{
	/* Map from IANA registry for IKE D-H groups to OpenSSL group name */
	switch (group) {
	case 19:
		return "prime256v1";
	case 20:
		return "secp384r1";
	case 21:
		return "secp521r1";
	case 25:
		return "prime192v1";
	case 26:
		return "secp224r1";
#ifdef NID_brainpoolP224r1
	case 27:
		return "brainpoolP224r1";
#endif /* NID_brainpoolP224r1 */
#ifdef NID_brainpoolP256r1
	case 28:
		return "brainpoolP256r1";
#endif /* NID_brainpoolP256r1 */
#ifdef NID_brainpoolP384r1
	case 29:
		return "brainpoolP384r1";
#endif /* NID_brainpoolP384r1 */
#ifdef NID_brainpoolP512r1
	case 30:
		return "brainpoolP512r1";
#endif /* NID_brainpoolP512r1 */
	default:
		return NULL;
	}
}
#endif /* OpenSSL version >= 3.0 */


struct crypto_ec * crypto_ec_init(int group)
{
	struct crypto_ec *e;
	int nid;

	nid = crypto_ec_group_2_nid(group);
	if (nid < 0)
		return NULL;

	e = os_zalloc(sizeof(*e));
	if (e == NULL)
		return NULL;

	e->nid = nid;
	e->iana_group = group;
	e->bnctx = BN_CTX_new();
	e->group = EC_GROUP_new_by_curve_name(nid);
	e->prime = BN_new();
	e->order = BN_new();
	e->a = BN_new();
	e->b = BN_new();
	if (e->group == NULL || e->bnctx == NULL || e->prime == NULL ||
	    e->order == NULL || e->a == NULL || e->b == NULL ||
	    !EC_GROUP_get_curve(e->group, e->prime, e->a, e->b, e->bnctx) ||
	    !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
		crypto_ec_deinit(e);
		e = NULL;
	}

	return e;
}


void crypto_ec_deinit(struct crypto_ec *e)
{
	if (e == NULL)
		return;
	BN_clear_free(e->b);
	BN_clear_free(e->a);
	BN_clear_free(e->order);
	BN_clear_free(e->prime);
	EC_GROUP_free(e->group);
	BN_CTX_free(e->bnctx);
	os_free(e);
}


struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e)
{
	if (TEST_FAIL())
		return NULL;
	if (e == NULL)
		return NULL;
	return (struct crypto_ec_point *) EC_POINT_new(e->group);
}


size_t crypto_ec_prime_len(struct crypto_ec *e)
{
	return BN_num_bytes(e->prime);
}


size_t crypto_ec_prime_len_bits(struct crypto_ec *e)
{
	return BN_num_bits(e->prime);
}


size_t crypto_ec_order_len(struct crypto_ec *e)
{
	return BN_num_bytes(e->order);
}


const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e)
{
	return (const struct crypto_bignum *) e->prime;
}


const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
{
	return (const struct crypto_bignum *) e->order;
}


const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
{
	return (const struct crypto_bignum *) e->a;
}


const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
{
	return (const struct crypto_bignum *) e->b;
}


const struct crypto_ec_point * crypto_ec_get_generator(struct crypto_ec *e)
{
	return (const struct crypto_ec_point *)
		EC_GROUP_get0_generator(e->group);
}


void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
{
	if (clear)
		EC_POINT_clear_free((EC_POINT *) p);
	else
		EC_POINT_free((EC_POINT *) p);
}


int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p,
		      struct crypto_bignum *x)
{
	return EC_POINT_get_affine_coordinates(e->group,
					       (const EC_POINT *) p,
					       (BIGNUM *) x, NULL,
					       e->bnctx) == 1 ? 0 : -1;
}


int crypto_ec_point_to_bin(struct crypto_ec *e,
			   const struct crypto_ec_point *point, u8 *x, u8 *y)
{
	BIGNUM *x_bn, *y_bn;
	int ret = -1;
	int len = BN_num_bytes(e->prime);

	if (TEST_FAIL())
		return -1;

	x_bn = BN_new();
	y_bn = BN_new();

	if (x_bn && y_bn &&
	    EC_POINT_get_affine_coordinates(e->group, (EC_POINT *) point,
					    x_bn, y_bn, e->bnctx)) {
		if (x) {
			ret = crypto_bignum_to_bin(
				(struct crypto_bignum *) x_bn, x, len, len);
		}
		if (ret >= 0 && y) {
			ret = crypto_bignum_to_bin(
				(struct crypto_bignum *) y_bn, y, len, len);
		}

		if (ret > 0)
			ret = 0;
	}

	BN_clear_free(x_bn);
	BN_clear_free(y_bn);
	return ret;
}


struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
						  const u8 *val)
{
	BIGNUM *x, *y;
	EC_POINT *elem;
	int len = BN_num_bytes(e->prime);

	if (TEST_FAIL())
		return NULL;

	x = BN_bin2bn(val, len, NULL);
	y = BN_bin2bn(val + len, len, NULL);
	elem = EC_POINT_new(e->group);
	if (x == NULL || y == NULL || elem == NULL) {
		BN_clear_free(x);
		BN_clear_free(y);
		EC_POINT_clear_free(elem);
		return NULL;
	}

	if (!EC_POINT_set_affine_coordinates(e->group, elem, x, y, e->bnctx)) {
		EC_POINT_clear_free(elem);
		elem = NULL;
	}

	BN_clear_free(x);
	BN_clear_free(y);

	return (struct crypto_ec_point *) elem;
}


int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a,
			const struct crypto_ec_point *b,
			struct crypto_ec_point *c)
{
	if (TEST_FAIL())
		return -1;
	return EC_POINT_add(e->group, (EC_POINT *) c, (const EC_POINT *) a,
			    (const EC_POINT *) b, e->bnctx) ? 0 : -1;
}


int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
			const struct crypto_bignum *b,
			struct crypto_ec_point *res)
{
	if (TEST_FAIL())
		return -1;
	return EC_POINT_mul(e->group, (EC_POINT *) res, NULL,
			    (const EC_POINT *) p, (const BIGNUM *) b, e->bnctx)
		? 0 : -1;
}


int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
{
	if (TEST_FAIL())
		return -1;
	return EC_POINT_invert(e->group, (EC_POINT *) p, e->bnctx) ? 0 : -1;
}


struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
			      const struct crypto_bignum *x)
{
	BIGNUM *tmp;

	if (TEST_FAIL())
		return NULL;

	tmp = BN_new();

	/* y^2 = x^3 + ax + b = (x^2 + a)x + b */
	if (tmp &&
	    BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
	    BN_mod_add_quick(tmp, e->a, tmp, e->prime) &&
	    BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
	    BN_mod_add_quick(tmp, tmp, e->b, e->prime))
		return (struct crypto_bignum *) tmp;

	BN_clear_free(tmp);
	return NULL;
}


int crypto_ec_point_is_at_infinity(struct crypto_ec *e,
				   const struct crypto_ec_point *p)
{
	return EC_POINT_is_at_infinity(e->group, (const EC_POINT *) p);
}


int crypto_ec_point_is_on_curve(struct crypto_ec *e,
				const struct crypto_ec_point *p)
{
	return EC_POINT_is_on_curve(e->group, (const EC_POINT *) p,
				    e->bnctx) == 1;
}


int crypto_ec_point_cmp(const struct crypto_ec *e,
			const struct crypto_ec_point *a,
			const struct crypto_ec_point *b)
{
	return EC_POINT_cmp(e->group, (const EC_POINT *) a,
			    (const EC_POINT *) b, e->bnctx);
}


void crypto_ec_point_debug_print(const struct crypto_ec *e,
				 const struct crypto_ec_point *p,
				 const char *title)
{
	BIGNUM *x, *y;
	char *x_str = NULL, *y_str = NULL;

	x = BN_new();
	y = BN_new();
	if (!x || !y ||
	    EC_POINT_get_affine_coordinates(e->group, (const EC_POINT *) p,
					    x, y, e->bnctx) != 1)
		goto fail;

	x_str = BN_bn2hex(x);
	y_str = BN_bn2hex(y);
	if (!x_str || !y_str)
		goto fail;

	wpa_printf(MSG_DEBUG, "%s (%s,%s)", title, x_str, y_str);

fail:
	OPENSSL_free(x_str);
	OPENSSL_free(y_str);
	BN_free(x);
	BN_free(y);
}


struct crypto_ecdh {
	struct crypto_ec *ec;
	EVP_PKEY *pkey;
};

struct crypto_ecdh * crypto_ecdh_init(int group)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	struct crypto_ecdh *ecdh;
	const char *name;

	ecdh = os_zalloc(sizeof(*ecdh));
	if (!ecdh)
		goto fail;

	ecdh->ec = crypto_ec_init(group);
	if (!ecdh->ec)
		goto fail;

	name = OSSL_EC_curve_nid2name(ecdh->ec->nid);
	if (!name)
		goto fail;

	ecdh->pkey = EVP_EC_gen(name);
	if (!ecdh->pkey)
		goto fail;

done:
	return ecdh;
fail:
	crypto_ecdh_deinit(ecdh);
	ecdh = NULL;
	goto done;
#else /* OpenSSL version >= 3.0 */
	struct crypto_ecdh *ecdh;
	EVP_PKEY *params = NULL;
	EC_KEY *ec_params = NULL;
	EVP_PKEY_CTX *kctx = NULL;

	ecdh = os_zalloc(sizeof(*ecdh));
	if (!ecdh)
		goto fail;

	ecdh->ec = crypto_ec_init(group);
	if (!ecdh->ec)
		goto fail;

	ec_params = EC_KEY_new_by_curve_name(ecdh->ec->nid);
	if (!ec_params) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Failed to generate EC_KEY parameters");
		goto fail;
	}
	EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
	params = EVP_PKEY_new();
	if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Failed to generate EVP_PKEY parameters");
		goto fail;
	}

	kctx = EVP_PKEY_CTX_new(params, NULL);
	if (!kctx)
		goto fail;

	if (EVP_PKEY_keygen_init(kctx) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: EVP_PKEY_keygen_init failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	if (EVP_PKEY_keygen(kctx, &ecdh->pkey) != 1) {
		wpa_printf(MSG_ERROR, "OpenSSL: EVP_PKEY_keygen failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

done:
	EC_KEY_free(ec_params);
	EVP_PKEY_free(params);
	EVP_PKEY_CTX_free(kctx);

	return ecdh;
fail:
	crypto_ecdh_deinit(ecdh);
	ecdh = NULL;
	goto done;
#endif /* OpenSSL version >= 3.0 */
}


struct crypto_ecdh * crypto_ecdh_init2(int group, struct crypto_ec_key *own_key)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	struct crypto_ecdh *ecdh;

	ecdh = os_zalloc(sizeof(*ecdh));
	if (!ecdh)
		goto fail;

	ecdh->ec = crypto_ec_init(group);
	if (!ecdh->ec)
		goto fail;

	ecdh->pkey = EVP_PKEY_dup((EVP_PKEY *) own_key);
	if (!ecdh->pkey)
		goto fail;

	return ecdh;
fail:
	crypto_ecdh_deinit(ecdh);
	return NULL;
#else /* OpenSSL version >= 3.0 */
	struct crypto_ecdh *ecdh;

	ecdh = os_zalloc(sizeof(*ecdh));
	if (!ecdh)
		goto fail;

	ecdh->ec = crypto_ec_init(group);
	if (!ecdh->ec)
		goto fail;

	ecdh->pkey = EVP_PKEY_new();
	if (!ecdh->pkey ||
	    EVP_PKEY_assign_EC_KEY(ecdh->pkey,
				   EVP_PKEY_get1_EC_KEY((EVP_PKEY *) own_key))
	    != 1)
		goto fail;

	return ecdh;
fail:
	crypto_ecdh_deinit(ecdh);
	return NULL;
#endif /* OpenSSL version >= 3.0 */
}


struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int inc_y)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	struct wpabuf *buf = NULL;
	unsigned char *pub;
	size_t len, exp_len;

	len = EVP_PKEY_get1_encoded_public_key(ecdh->pkey, &pub);
	if (len == 0)
		return NULL;

	/* Encoded using SECG SEC 1, Sec. 2.3.4 format */
	exp_len = 1 + 2 * crypto_ec_prime_len(ecdh->ec);
	if (len != exp_len) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL:%s: Unexpected encoded public key length %zu (expected %zu)",
			   __func__, len, exp_len);
		goto fail;
	}
	buf = wpabuf_alloc_copy(pub + 1, inc_y ? len - 1 : len / 2);
fail:
	OPENSSL_free(pub);
	return buf;
#else /* OpenSSL version >= 3.0 */
	struct wpabuf *buf = NULL;
	EC_KEY *eckey;
	const EC_POINT *pubkey;
	BIGNUM *x, *y = NULL;
	int len = BN_num_bytes(ecdh->ec->prime);
	int res;

	eckey = EVP_PKEY_get1_EC_KEY(ecdh->pkey);
	if (!eckey)
		return NULL;

	pubkey = EC_KEY_get0_public_key(eckey);
	if (!pubkey)
		return NULL;

	x = BN_new();
	if (inc_y) {
		y = BN_new();
		if (!y)
			goto fail;
	}
	buf = wpabuf_alloc(inc_y ? 2 * len : len);
	if (!x || !buf)
		goto fail;

	if (EC_POINT_get_affine_coordinates(ecdh->ec->group, pubkey,
					    x, y, ecdh->ec->bnctx) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: EC_POINT_get_affine_coordinates failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	res = crypto_bignum_to_bin((struct crypto_bignum *) x,
				   wpabuf_put(buf, len), len, len);
	if (res < 0)
		goto fail;

	if (inc_y) {
		res = crypto_bignum_to_bin((struct crypto_bignum *) y,
					   wpabuf_put(buf, len), len, len);
		if (res < 0)
			goto fail;
	}

done:
	BN_clear_free(x);
	BN_clear_free(y);
	EC_KEY_free(eckey);

	return buf;
fail:
	wpabuf_free(buf);
	buf = NULL;
	goto done;
#endif /* OpenSSL version >= 3.0 */
}


struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
					const u8 *key, size_t len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_PKEY *peerkey = EVP_PKEY_new();
	EVP_PKEY_CTX *ctx;
	size_t res_len;
	struct wpabuf *res = NULL;
	u8 *peer;

	/* Encode using SECG SEC 1, Sec. 2.3.4 format */
	peer = os_malloc(1 + len);
	if (!peer) {
		EVP_PKEY_free(peerkey);
		return NULL;
	}
	peer[0] = inc_y ? 0x04 : 0x02;
	os_memcpy(peer + 1, key, len);

	if (!peerkey ||
	    EVP_PKEY_copy_parameters(peerkey, ecdh->pkey) != 1 ||
	    EVP_PKEY_set1_encoded_public_key(peerkey, peer, 1 + len) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_set1_encoded_public_key failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		EVP_PKEY_free(peerkey);
		os_free(peer);
		return NULL;
	}
	os_free(peer);

	ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
	if (!ctx ||
	    EVP_PKEY_derive_init(ctx) != 1 ||
	    EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
	    EVP_PKEY_derive(ctx, NULL, &res_len) != 1 ||
	    !(res = wpabuf_alloc(res_len)) ||
	    EVP_PKEY_derive(ctx, wpabuf_mhead(res), &res_len) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL: EVP_PKEY_derive failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		wpabuf_free(res);
		res = NULL;
	} else {
		wpabuf_put(res, res_len);
	}

	EVP_PKEY_free(peerkey);
	EVP_PKEY_CTX_free(ctx);
	return res;
#else /* OpenSSL version >= 3.0 */
	BIGNUM *x, *y = NULL;
	EVP_PKEY_CTX *ctx = NULL;
	EVP_PKEY *peerkey = NULL;
	struct wpabuf *secret = NULL;
	size_t secret_len;
	EC_POINT *pub;
	EC_KEY *eckey = NULL;

	x = BN_bin2bn(key, inc_y ? len / 2 : len, NULL);
	pub = EC_POINT_new(ecdh->ec->group);
	if (!x || !pub)
		goto fail;

	if (inc_y) {
		y = BN_bin2bn(key + len / 2, len / 2, NULL);
		if (!y)
			goto fail;
		if (!EC_POINT_set_affine_coordinates(ecdh->ec->group, pub,
						     x, y, ecdh->ec->bnctx)) {
			wpa_printf(MSG_ERROR,
				   "OpenSSL: EC_POINT_set_affine_coordinates failed: %s",
				   ERR_error_string(ERR_get_error(), NULL));
			goto fail;
		}
	} else if (!EC_POINT_set_compressed_coordinates(ecdh->ec->group,
							pub, x, 0,
							ecdh->ec->bnctx)) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: EC_POINT_set_compressed_coordinates failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	if (!EC_POINT_is_on_curve(ecdh->ec->group, pub, ecdh->ec->bnctx)) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: ECDH peer public key is not on curve");
		goto fail;
	}

	eckey = EC_KEY_new_by_curve_name(ecdh->ec->nid);
	if (!eckey || EC_KEY_set_public_key(eckey, pub) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: EC_KEY_set_public_key failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	peerkey = EVP_PKEY_new();
	if (!peerkey || EVP_PKEY_set1_EC_KEY(peerkey, eckey) != 1)
		goto fail;

	ctx = EVP_PKEY_CTX_new(ecdh->pkey, NULL);
	if (!ctx || EVP_PKEY_derive_init(ctx) != 1 ||
	    EVP_PKEY_derive_set_peer(ctx, peerkey) != 1 ||
	    EVP_PKEY_derive(ctx, NULL, &secret_len) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: EVP_PKEY_derive(1) failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	secret = wpabuf_alloc(secret_len);
	if (!secret)
		goto fail;
	if (EVP_PKEY_derive(ctx, wpabuf_put(secret, 0), &secret_len) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: EVP_PKEY_derive(2) failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	if (secret->size != secret_len)
		wpa_printf(MSG_DEBUG,
			   "OpenSSL: EVP_PKEY_derive(2) changed secret_len %d -> %d",
			   (int) secret->size, (int) secret_len);
	wpabuf_put(secret, secret_len);

done:
	BN_free(x);
	BN_free(y);
	EC_KEY_free(eckey);
	EC_POINT_free(pub);
	EVP_PKEY_CTX_free(ctx);
	EVP_PKEY_free(peerkey);
	return secret;
fail:
	wpabuf_free(secret);
	secret = NULL;
	goto done;
#endif /* OpenSSL version >= 3.0 */
}


void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
{
	if (ecdh) {
		crypto_ec_deinit(ecdh->ec);
		EVP_PKEY_free(ecdh->pkey);
		os_free(ecdh);
	}
}


size_t crypto_ecdh_prime_len(struct crypto_ecdh *ecdh)
{
	return crypto_ec_prime_len(ecdh->ec);
}


struct crypto_ec_key * crypto_ec_key_parse_priv(const u8 *der, size_t der_len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_PKEY *pkey = NULL;
	OSSL_DECODER_CTX *ctx;

	ctx = OSSL_DECODER_CTX_new_for_pkey(
		&pkey, "DER", NULL, "EC",
		OSSL_KEYMGMT_SELECT_KEYPAIR |
		OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
		NULL, NULL);
	if (!ctx ||
	    OSSL_DECODER_from_data(ctx, &der, &der_len) != 1) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: Decoding EC private key (DER) failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		if (ctx)
			OSSL_DECODER_CTX_free(ctx);
		goto fail;
	}

	OSSL_DECODER_CTX_free(ctx);
	return (struct crypto_ec_key *) pkey;
fail:
	crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
	return NULL;
#else /* OpenSSL version >= 3.0 */
	EVP_PKEY *pkey = NULL;
	EC_KEY *eckey;

	eckey = d2i_ECPrivateKey(NULL, &der, der_len);
	if (!eckey) {
		wpa_printf(MSG_INFO, "OpenSSL: d2i_ECPrivateKey() failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);

	pkey = EVP_PKEY_new();
	if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
		EC_KEY_free(eckey);
		goto fail;
	}

	return (struct crypto_ec_key *) pkey;
fail:
	crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
	return NULL;
#endif /* OpenSSL version >= 3.0 */
}


struct crypto_ec_key * crypto_ec_key_set_priv(int group,
					      const u8 *raw, size_t raw_len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	const char *group_name;
	OSSL_PARAM params[4];
	EVP_PKEY_CTX *ctx = NULL;
	EVP_PKEY *pkey = NULL;
	BIGNUM *priv;
	EC_POINT *pub = NULL;
	EC_GROUP *ec_group = NULL;
	size_t len;
	u8 *pub_bin = NULL;
	u8 *priv_bin = NULL;
	int priv_bin_len;

	group_name = crypto_ec_group_2_name(group);
	if (!group_name)
		return NULL;

	priv = BN_bin2bn(raw, raw_len, NULL);
	if (!priv)
		return NULL;
	priv_bin = os_malloc(raw_len);
	if (!priv_bin)
		goto fail;
	priv_bin_len = BN_bn2lebinpad(priv, priv_bin, raw_len);
	if (priv_bin_len < 0)
		goto fail;

	ec_group = EC_GROUP_new_by_curve_name(crypto_ec_group_2_nid(group));
	if (!ec_group)
		goto fail;
	pub = EC_POINT_new(ec_group);
	if (!pub ||
	    EC_POINT_mul(ec_group, pub, priv, NULL, NULL, NULL) != 1)
		goto fail;
	len = EC_POINT_point2oct(ec_group, pub, POINT_CONVERSION_UNCOMPRESSED,
				 NULL, 0, NULL);
	if (len == 0)
		goto fail;
	pub_bin = os_malloc(len);
	if (!pub_bin)
		goto fail;
	len = EC_POINT_point2oct(ec_group, pub, POINT_CONVERSION_UNCOMPRESSED,
				 pub_bin, len, NULL);
	if (len == 0)
		goto fail;

	params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
						     (char *) group_name, 0);
	params[1] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_PRIV_KEY,
					    priv_bin, priv_bin_len);
	params[2] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
						      pub_bin, len);
	params[3] = OSSL_PARAM_construct_end();

	ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
	if (!ctx ||
	    EVP_PKEY_fromdata_init(ctx) <= 0 ||
	    EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
		goto fail;

out:
	bin_clear_free(priv_bin, raw_len);
	os_free(pub_bin);
	BN_clear_free(priv);
	EVP_PKEY_CTX_free(ctx);
	EC_POINT_free(pub);
	EC_GROUP_free(ec_group);
	return (struct crypto_ec_key *) pkey;

fail:
	EVP_PKEY_free(pkey);
	pkey = NULL;
	goto out;
#else /* OpenSSL version >= 3.0 */
	EC_KEY *eckey = NULL;
	EVP_PKEY *pkey = NULL;
	BIGNUM *priv = NULL;
	int nid;
	const EC_GROUP *ec_group;
	EC_POINT *pub = NULL;

	nid = crypto_ec_group_2_nid(group);
	if (nid < 0) {
		wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
		return NULL;
	}

	eckey = EC_KEY_new_by_curve_name(nid);
	priv = BN_bin2bn(raw, raw_len, NULL);
	if (!eckey || !priv ||
	    EC_KEY_set_private_key(eckey, priv) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Failed to set EC_KEY: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	ec_group = EC_KEY_get0_group(eckey);
	if (!ec_group)
		goto fail;
	pub = EC_POINT_new(ec_group);
	if (!pub ||
	    EC_POINT_mul(ec_group, pub, priv, NULL, NULL, NULL) != 1 ||
	    EC_KEY_set_public_key(eckey, pub) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Failed to set EC_KEY(pub): %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);

	pkey = EVP_PKEY_new();
	if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
		wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
		goto fail;
	}

out:
	BN_clear_free(priv);
	EC_POINT_free(pub);
	return (struct crypto_ec_key *) pkey;

fail:
	EC_KEY_free(eckey);
	EVP_PKEY_free(pkey);
	pkey = NULL;
	goto out;
#endif /* OpenSSL version >= 3.0 */
}


struct crypto_ec_key * crypto_ec_key_parse_pub(const u8 *der, size_t der_len)
{
	EVP_PKEY *pkey;

	pkey = d2i_PUBKEY(NULL, &der, der_len);
	if (!pkey) {
		wpa_printf(MSG_INFO, "OpenSSL: d2i_PUBKEY() failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	/* Ensure this is an EC key */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	if (!EVP_PKEY_is_a(pkey, "EC"))
		goto fail;
#else /* OpenSSL version >= 3.0 */
	if (!EVP_PKEY_get0_EC_KEY(pkey))
		goto fail;
#endif /* OpenSSL version >= 3.0 */
	return (struct crypto_ec_key *) pkey;
fail:
	crypto_ec_key_deinit((struct crypto_ec_key *) pkey);
	return NULL;
}


struct crypto_ec_key * crypto_ec_key_set_pub(int group, const u8 *buf_x,
					     const u8 *buf_y, size_t len)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	const char *group_name;
	OSSL_PARAM params[3];
	u8 *pub;
	EVP_PKEY_CTX *ctx;
	EVP_PKEY *pkey = NULL;

	group_name = crypto_ec_group_2_name(group);
	if (!group_name)
		return NULL;

	pub = os_malloc(1 + len * 2);
	if (!pub)
		return NULL;
	pub[0] = 0x04; /* uncompressed */
	os_memcpy(pub + 1, buf_x, len);
	os_memcpy(pub + 1 + len, buf_y, len);

	params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
						     (char *) group_name, 0);
	params[1] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
						      pub, 1 + len * 2);
	params[2] = OSSL_PARAM_construct_end();

	ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
	if (!ctx) {
		os_free(pub);
		return NULL;
	}
	if (EVP_PKEY_fromdata_init(ctx) <= 0 ||
	    EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
		os_free(pub);
		EVP_PKEY_CTX_free(ctx);
		return NULL;
	}

	os_free(pub);
	EVP_PKEY_CTX_free(ctx);

	return (struct crypto_ec_key *) pkey;
#else /* OpenSSL version >= 3.0 */
	EC_KEY *eckey = NULL;
	EVP_PKEY *pkey = NULL;
	EC_GROUP *ec_group = NULL;
	BN_CTX *ctx;
	EC_POINT *point = NULL;
	BIGNUM *x = NULL, *y = NULL;
	int nid;

	if (!buf_x || !buf_y)
		return NULL;

	nid = crypto_ec_group_2_nid(group);
	if (nid < 0) {
		wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
		return NULL;
	}

	ctx = BN_CTX_new();
	if (!ctx)
		goto fail;

	ec_group = EC_GROUP_new_by_curve_name(nid);
	if (!ec_group)
		goto fail;

	x = BN_bin2bn(buf_x, len, NULL);
	y = BN_bin2bn(buf_y, len, NULL);
	point = EC_POINT_new(ec_group);
	if (!x || !y || !point)
		goto fail;

	if (!EC_POINT_set_affine_coordinates(ec_group, point, x, y, ctx)) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: EC_POINT_set_affine_coordinates failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	if (!EC_POINT_is_on_curve(ec_group, point, ctx) ||
	    EC_POINT_is_at_infinity(ec_group, point)) {
		wpa_printf(MSG_ERROR, "OpenSSL: Invalid point");
		goto fail;
	}

	eckey = EC_KEY_new();
	if (!eckey ||
	    EC_KEY_set_group(eckey, ec_group) != 1 ||
	    EC_KEY_set_public_key(eckey, point) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Failed to set EC_KEY: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);

	pkey = EVP_PKEY_new();
	if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
		wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
		goto fail;
	}

out:
	EC_GROUP_free(ec_group);
	BN_free(x);
	BN_free(y);
	EC_POINT_free(point);
	BN_CTX_free(ctx);
	return (struct crypto_ec_key *) pkey;

fail:
	EC_KEY_free(eckey);
	EVP_PKEY_free(pkey);
	pkey = NULL;
	goto out;
#endif /* OpenSSL version >= 3.0 */
}


struct crypto_ec_key *
crypto_ec_key_set_pub_point(struct crypto_ec *ec,
			    const struct crypto_ec_point *pub)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	int len = BN_num_bytes(ec->prime);
	struct crypto_ec_key *key;
	u8 *buf;

	buf = os_malloc(2 * len);
	if (!buf)
		return NULL;
	if (crypto_ec_point_to_bin(ec, pub, buf, buf + len) < 0) {
		os_free(buf);
		return NULL;
	}

	key = crypto_ec_key_set_pub(ec->iana_group, buf, buf + len, len);
	os_free(buf);

	return key;
#else /* OpenSSL version >= 3.0 */
	EC_KEY *eckey;
	EVP_PKEY *pkey = NULL;

	eckey = EC_KEY_new();
	if (!eckey ||
	    EC_KEY_set_group(eckey, ec->group) != 1 ||
	    EC_KEY_set_public_key(eckey, (const EC_POINT *) pub) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Failed to set EC_KEY: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
	EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE);

	pkey = EVP_PKEY_new();
	if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, eckey) != 1) {
		wpa_printf(MSG_ERROR, "OpenSSL: Could not create EVP_PKEY");
		goto fail;
	}

out:
	return (struct crypto_ec_key *) pkey;

fail:
	EVP_PKEY_free(pkey);
	EC_KEY_free(eckey);
	pkey = NULL;
	goto out;
#endif /* OpenSSL version >= 3.0 */
}


struct crypto_ec_key * crypto_ec_key_gen(int group)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_PKEY_CTX *ctx;
	OSSL_PARAM params[2];
	const char *group_name;
	EVP_PKEY *pkey = NULL;

	group_name = crypto_ec_group_2_name(group);
	if (!group_name)
		return NULL;

	params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
						     (char *) group_name, 0);
	params[1] = OSSL_PARAM_construct_end();

	ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
	if (!ctx ||
	    EVP_PKEY_keygen_init(ctx) != 1 ||
	    EVP_PKEY_CTX_set_params(ctx, params) != 1 ||
	    EVP_PKEY_generate(ctx, &pkey) != 1) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: failed to generate EC keypair: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		pkey = NULL;
	}

	EVP_PKEY_CTX_free(ctx);

	return (struct crypto_ec_key *) pkey;
#else /* OpenSSL version >= 3.0 */
	EVP_PKEY_CTX *kctx = NULL;
	EC_KEY *ec_params = NULL, *eckey;
	EVP_PKEY *params = NULL, *key = NULL;
	int nid;

	nid = crypto_ec_group_2_nid(group);
	if (nid < 0) {
		wpa_printf(MSG_ERROR, "OpenSSL: Unsupported group %d", group);
		return NULL;
	}

	ec_params = EC_KEY_new_by_curve_name(nid);
	if (!ec_params) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Failed to generate EC_KEY parameters");
		goto fail;
	}
	EC_KEY_set_asn1_flag(ec_params, OPENSSL_EC_NAMED_CURVE);
	params = EVP_PKEY_new();
	if (!params || EVP_PKEY_set1_EC_KEY(params, ec_params) != 1) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Failed to generate EVP_PKEY parameters");
		goto fail;
	}

	kctx = EVP_PKEY_CTX_new(params, NULL);
	if (!kctx ||
	    EVP_PKEY_keygen_init(kctx) != 1 ||
	    EVP_PKEY_keygen(kctx, &key) != 1) {
		wpa_printf(MSG_ERROR, "OpenSSL: Failed to generate EC key");
		key = NULL;
		goto fail;
	}

	eckey = EVP_PKEY_get1_EC_KEY(key);
	if (!eckey) {
		key = NULL;
		goto fail;
	}
	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
	EC_KEY_free(eckey);

fail:
	EC_KEY_free(ec_params);
	EVP_PKEY_free(params);
	EVP_PKEY_CTX_free(kctx);
	return (struct crypto_ec_key *) key;
#endif /* OpenSSL version >= 3.0 */
}


void crypto_ec_key_deinit(struct crypto_ec_key *key)
{
	EVP_PKEY_free((EVP_PKEY *) key);
}


#ifdef OPENSSL_IS_BORINGSSL

/* BoringSSL version of i2d_PUBKEY() always outputs public EC key using
 * uncompressed form so define a custom function to export EC pubkey using
 * the compressed format that is explicitly required for some protocols. */

#include <openssl/asn1.h>
#include <openssl/asn1t.h>

typedef struct {
	/* AlgorithmIdentifier ecPublicKey with optional parameters present
	 * as an OID identifying the curve */
	X509_ALGOR *alg;
	/* Compressed format public key per ANSI X9.63 */
	ASN1_BIT_STRING *pub_key;
} EC_COMP_PUBKEY;

ASN1_SEQUENCE(EC_COMP_PUBKEY) = {
	ASN1_SIMPLE(EC_COMP_PUBKEY, alg, X509_ALGOR),
	ASN1_SIMPLE(EC_COMP_PUBKEY, pub_key, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END(EC_COMP_PUBKEY);

IMPLEMENT_ASN1_FUNCTIONS(EC_COMP_PUBKEY);

#endif /* OPENSSL_IS_BORINGSSL */


struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
{
	EVP_PKEY *pkey = (EVP_PKEY *) key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	OSSL_ENCODER_CTX *ctx;
	int selection;
	unsigned char *pdata = NULL;
	size_t pdata_len = 0;
	EVP_PKEY *copy = NULL;
	struct wpabuf *buf = NULL;

	if (EVP_PKEY_get_ec_point_conv_form(pkey) !=
	    POINT_CONVERSION_COMPRESSED) {
		copy = EVP_PKEY_dup(pkey);
		if (!copy)
			return NULL;
		if (EVP_PKEY_set_utf8_string_param(
			    copy, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
			    OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED) !=
		    1) {
			wpa_printf(MSG_INFO,
				   "OpenSSL: Failed to set compressed format");
			EVP_PKEY_free(copy);
			return NULL;
		}
		pkey = copy;
	}

	selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS |
		OSSL_KEYMGMT_SELECT_PUBLIC_KEY;

	ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER",
					    "SubjectPublicKeyInfo",
					    NULL);
	if (!ctx || OSSL_ENCODER_to_data(ctx, &pdata, &pdata_len) != 1) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: Failed to encode SubjectPublicKeyInfo: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		pdata = NULL;
	}
	OSSL_ENCODER_CTX_free(ctx);
	if (pdata) {
		buf = wpabuf_alloc_copy(pdata, pdata_len);
		OPENSSL_free(pdata);
	}

	EVP_PKEY_free(copy);

	return buf;
#else /* OpenSSL version >= 3.0 */
#ifdef OPENSSL_IS_BORINGSSL
	unsigned char *der = NULL;
	int der_len;
	const EC_KEY *eckey;
	struct wpabuf *ret = NULL;
	size_t len;
	const EC_GROUP *group;
	const EC_POINT *point;
	BN_CTX *ctx;
	EC_COMP_PUBKEY *pubkey = NULL;
	int nid;

	ctx = BN_CTX_new();
	eckey = EVP_PKEY_get0_EC_KEY(pkey);
	if (!ctx || !eckey)
		goto fail;

	group = EC_KEY_get0_group(eckey);
	point = EC_KEY_get0_public_key(eckey);
	if (!group || !point)
		goto fail;
	nid = EC_GROUP_get_curve_name(group);

	pubkey = EC_COMP_PUBKEY_new();
	if (!pubkey ||
	    X509_ALGOR_set0(pubkey->alg, OBJ_nid2obj(EVP_PKEY_EC),
			    V_ASN1_OBJECT, (void *) OBJ_nid2obj(nid)) != 1)
		goto fail;

	len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
				 NULL, 0, ctx);
	if (len == 0)
		goto fail;

	der = OPENSSL_malloc(len);
	if (!der)
		goto fail;
	len = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED,
				 der, len, ctx);

	OPENSSL_free(pubkey->pub_key->data);
	pubkey->pub_key->data = der;
	der = NULL;
	pubkey->pub_key->length = len;
	/* No unused bits */
	pubkey->pub_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
	pubkey->pub_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;

	der_len = i2d_EC_COMP_PUBKEY(pubkey, &der);
	if (der_len <= 0) {
		wpa_printf(MSG_ERROR,
			   "BoringSSL: Failed to build DER encoded public key");
		goto fail;
	}

	ret = wpabuf_alloc_copy(der, der_len);
fail:
	EC_COMP_PUBKEY_free(pubkey);
	OPENSSL_free(der);
	BN_CTX_free(ctx);
	return ret;
#else /* OPENSSL_IS_BORINGSSL */
	unsigned char *der = NULL;
	int der_len;
	struct wpabuf *buf;
	EC_KEY *eckey;

	eckey = EVP_PKEY_get1_EC_KEY(pkey);
	if (!eckey)
		return NULL;

	/* For now, all users expect COMPRESSED form */
	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);

	der_len = i2d_PUBKEY((EVP_PKEY *) key, &der);
	EC_KEY_free(eckey);
	if (der_len <= 0) {
		wpa_printf(MSG_INFO, "OpenSSL: i2d_PUBKEY() failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		return NULL;
	}

	buf = wpabuf_alloc_copy(der, der_len);
	OPENSSL_free(der);
	return buf;
#endif /* OPENSSL_IS_BORINGSSL */
#endif /* OpenSSL version >= 3.0 */
}


struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key,
						bool include_pub)
{
	EVP_PKEY *pkey = (EVP_PKEY *) key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	OSSL_ENCODER_CTX *ctx;
	int selection;
	unsigned char *pdata = NULL;
	size_t pdata_len = 0;
	struct wpabuf *buf;
	EVP_PKEY *copy = NULL;

	selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS |
		OSSL_KEYMGMT_SELECT_PRIVATE_KEY;
	if (include_pub) {
		selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
	} else {
		/* Not including OSSL_KEYMGMT_SELECT_PUBLIC_KEY does not seem
		 * to really be sufficient, so clone the key and explicitly
		 * mark it not to include the public key. */
		copy = EVP_PKEY_dup(pkey);
		if (!copy)
			return NULL;
		EVP_PKEY_set_int_param(copy, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC,
				       0);
		pkey = copy;
	}

	ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER",
					    "type-specific", NULL);
	if (!ctx || OSSL_ENCODER_to_data(ctx, &pdata, &pdata_len) != 1) {
		OSSL_ENCODER_CTX_free(ctx);
		EVP_PKEY_free(copy);
		return NULL;
	}
	OSSL_ENCODER_CTX_free(ctx);
	buf = wpabuf_alloc_copy(pdata, pdata_len);
	OPENSSL_free(pdata);
	EVP_PKEY_free(copy);
	return buf;
#else /* OpenSSL version >= 3.0 */
	EC_KEY *eckey;
	unsigned char *der = NULL;
	int der_len;
	struct wpabuf *buf;
	unsigned int key_flags;

	eckey = EVP_PKEY_get1_EC_KEY(pkey);
	if (!eckey)
		return NULL;

	key_flags = EC_KEY_get_enc_flags(eckey);
	if (include_pub)
		key_flags &= ~EC_PKEY_NO_PUBKEY;
	else
		key_flags |= EC_PKEY_NO_PUBKEY;
	EC_KEY_set_enc_flags(eckey, key_flags);

	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);

	der_len = i2d_ECPrivateKey(eckey, &der);
	EC_KEY_free(eckey);
	if (der_len <= 0)
		return NULL;
	buf = wpabuf_alloc_copy(der, der_len);
	OPENSSL_free(der);

	return buf;
#endif /* OpenSSL version >= 3.0 */
}


struct wpabuf * crypto_ec_key_get_pubkey_point(struct crypto_ec_key *key,
					       int prefix)
{
	EVP_PKEY *pkey = (EVP_PKEY *) key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	struct wpabuf *buf;
	unsigned char *pos;
	size_t pub_len = OSSL_PARAM_UNMODIFIED;

	buf = NULL;
	if (!EVP_PKEY_is_a(pkey, "EC") ||
	    EVP_PKEY_get_octet_string_param(pkey,
					    OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
					    NULL, 0, &pub_len) < 0 ||
	    pub_len == OSSL_PARAM_UNMODIFIED ||
	    !(buf = wpabuf_alloc(pub_len)) ||
	    EVP_PKEY_get_octet_string_param(pkey,
					    OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY,
					    wpabuf_put(buf, pub_len),
					    pub_len, NULL) != 1 ||
	    wpabuf_head_u8(buf)[0] != 0x04) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: Failed to get encoded public key: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		wpabuf_free(buf);
		return NULL;
	}

	if (!prefix) {
		/* Remove 0x04 prefix if requested */
		pos = wpabuf_mhead(buf);
		os_memmove(pos, pos + 1, pub_len - 1);
		buf->used--;
	}

	return buf;
#else /* OpenSSL version >= 3.0 */
	int len, res;
	EC_KEY *eckey;
	struct wpabuf *buf;
	unsigned char *pos;

	eckey = EVP_PKEY_get1_EC_KEY(pkey);
	if (!eckey)
		return NULL;
	EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
	len = i2o_ECPublicKey(eckey, NULL);
	if (len <= 0) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Failed to determine public key encoding length");
		EC_KEY_free(eckey);
		return NULL;
	}

	buf = wpabuf_alloc(len);
	if (!buf) {
		EC_KEY_free(eckey);
		return NULL;
	}

	pos = wpabuf_put(buf, len);
	res = i2o_ECPublicKey(eckey, &pos);
	EC_KEY_free(eckey);
	if (res != len) {
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Failed to encode public key (res=%d/%d)",
			   res, len);
		wpabuf_free(buf);
		return NULL;
	}

	if (!prefix) {
		/* Remove 0x04 prefix if requested */
		pos = wpabuf_mhead(buf);
		os_memmove(pos, pos + 1, len - 1);
		buf->used--;
	}

	return buf;
#endif /* OpenSSL version >= 3.0 */
}


struct crypto_ec_point *
crypto_ec_key_get_public_key(struct crypto_ec_key *key)
{
	EVP_PKEY *pkey = (EVP_PKEY *) key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	char group[64];
	unsigned char pub[256];
	size_t len;
	EC_POINT *point = NULL;
	EC_GROUP *grp;
	int res = 0;
	OSSL_PARAM params[2];

	if (!EVP_PKEY_is_a(pkey, "EC") ||
	    EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
					   group, sizeof(group), &len) != 1 ||
	    EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PUB_KEY,
					    pub, sizeof(pub), &len) != 1)
		return NULL;

	params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
						     group, 0);
	params[1] = OSSL_PARAM_construct_end();
	grp = EC_GROUP_new_from_params(params, NULL, NULL);
	if (!grp)
		goto fail;
	point = EC_POINT_new(grp);
	if (!point)
		goto fail;
	res = EC_POINT_oct2point(grp, point, pub, len, NULL);

fail:
	if (res != 1) {
		EC_POINT_free(point);
		point = NULL;
	}

	EC_GROUP_free(grp);

	return (struct crypto_ec_point *) point;
#else /* OpenSSL version >= 3.0 */
	const EC_KEY *eckey;
	const EC_POINT *point;
	const EC_GROUP *group;

	eckey = EVP_PKEY_get0_EC_KEY(pkey);
	if (!eckey)
		return NULL;
	group = EC_KEY_get0_group(eckey);
	if (!group)
		return NULL;
	point = EC_KEY_get0_public_key(eckey);
	if (!point)
		return NULL;
	return (struct crypto_ec_point *) EC_POINT_dup(point, group);
#endif /* OpenSSL version >= 3.0 */
}


struct crypto_bignum *
crypto_ec_key_get_private_key(struct crypto_ec_key *key)
{
	EVP_PKEY *pkey = (EVP_PKEY *) key;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	BIGNUM *bn = NULL;

	if (!EVP_PKEY_is_a(pkey, "EC") ||
	    EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &bn) != 1)
		return NULL;
	return (struct crypto_bignum *) bn;
#else /* OpenSSL version >= 3.0 */
	const EC_KEY *eckey;
	const BIGNUM *bn;

	eckey = EVP_PKEY_get0_EC_KEY(pkey);
	if (!eckey)
		return NULL;
	bn = EC_KEY_get0_private_key(eckey);
	if (!bn)
		return NULL;
	return (struct crypto_bignum *) BN_dup(bn);
#endif /* OpenSSL version >= 3.0 */
}


struct wpabuf * crypto_ec_key_sign(struct crypto_ec_key *key, const u8 *data,
				   size_t len)
{
	EVP_PKEY_CTX *pkctx;
	struct wpabuf *sig_der;
	size_t sig_len;

	sig_len = EVP_PKEY_size((EVP_PKEY *) key);
	sig_der = wpabuf_alloc(sig_len);
	if (!sig_der)
		return NULL;

	pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
	if (!pkctx ||
	    EVP_PKEY_sign_init(pkctx) <= 0 ||
	    EVP_PKEY_sign(pkctx, wpabuf_put(sig_der, 0), &sig_len,
			  data, len) <= 0) {
		wpabuf_free(sig_der);
		sig_der = NULL;
	} else {
		wpabuf_put(sig_der, sig_len);
	}

	EVP_PKEY_CTX_free(pkctx);
	return sig_der;
}


static int openssl_evp_pkey_ec_prime_len(struct crypto_ec_key *key)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	char gname[50];
	int nid;
	EC_GROUP *group;
	BIGNUM *prime = NULL;
	int prime_len = -1;

	if (EVP_PKEY_get_group_name((EVP_PKEY *) key, gname, sizeof(gname),
				    NULL) != 1)
		return -1;
	nid = OBJ_txt2nid(gname);
	group = EC_GROUP_new_by_curve_name(nid);
	prime = BN_new();
	if (!group || !prime)
		return -1;
	if (EC_GROUP_get_curve(group, prime, NULL, NULL, NULL) == 1)
		prime_len = BN_num_bytes(prime);
	EC_GROUP_free(group);
	BN_free(prime);
	return prime_len;
#else
	const EC_GROUP *group;
	const EC_KEY *eckey;
	BIGNUM *prime = NULL;
	int prime_len = -1;

	eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
	if (!eckey)
		goto fail;
	group = EC_KEY_get0_group(eckey);
	prime = BN_new();
	if (!prime || !group ||
	    !EC_GROUP_get_curve(group, prime, NULL, NULL, NULL))
		goto fail;
	prime_len = BN_num_bytes(prime);
fail:
	BN_free(prime);
	return prime_len;
#endif
}


struct wpabuf * crypto_ec_key_sign_r_s(struct crypto_ec_key *key,
				       const u8 *data, size_t len)
{
	ECDSA_SIG *sig = NULL;
	const BIGNUM *r, *s;
	u8 *r_buf, *s_buf;
	struct wpabuf *buf;
	const unsigned char *p;
	int prime_len;

	prime_len = openssl_evp_pkey_ec_prime_len(key);
	if (prime_len < 0)
		return NULL;

	buf = crypto_ec_key_sign(key, data, len);
	if (!buf)
		return NULL;

	/* Extract (r,s) from Ecdsa-Sig-Value */

	p = wpabuf_head(buf);
	sig = d2i_ECDSA_SIG(NULL, &p, wpabuf_len(buf));
	if (!sig)
		goto fail;
	ECDSA_SIG_get0(sig, &r, &s);

	/* Re-use wpabuf returned by crypto_ec_key_sign() */
	buf->used = 0;
	r_buf = wpabuf_put(buf, prime_len);
	s_buf = wpabuf_put(buf, prime_len);
	if (crypto_bignum_to_bin((const struct crypto_bignum *) r, r_buf,
				 prime_len, prime_len) < 0 ||
	    crypto_bignum_to_bin((const struct crypto_bignum *) s, s_buf,
				 prime_len, prime_len) < 0)
		goto fail;

out:
	ECDSA_SIG_free(sig);
	return buf;
fail:
	wpabuf_clear_free(buf);
	buf = NULL;
	goto out;
}


int crypto_ec_key_verify_signature(struct crypto_ec_key *key, const u8 *data,
				   size_t len, const u8 *sig, size_t sig_len)
{
	EVP_PKEY_CTX *pkctx;
	int ret;

	pkctx = EVP_PKEY_CTX_new((EVP_PKEY *) key, NULL);
	if (!pkctx || EVP_PKEY_verify_init(pkctx) <= 0) {
		EVP_PKEY_CTX_free(pkctx);
		return -1;
	}

	ret = EVP_PKEY_verify(pkctx, sig, sig_len, data, len);
	EVP_PKEY_CTX_free(pkctx);
	if (ret == 1)
		return 1; /* signature ok */
	if (ret == 0)
		return 0; /* incorrect signature */
	return -1;
}


int crypto_ec_key_verify_signature_r_s(struct crypto_ec_key *key,
				       const u8 *data, size_t len,
				       const u8 *r, size_t r_len,
				       const u8 *s, size_t s_len)
{
	ECDSA_SIG *sig;
	BIGNUM *r_bn, *s_bn;
	unsigned char *der = NULL;
	int der_len;
	int ret = -1;

	r_bn = BN_bin2bn(r, r_len, NULL);
	s_bn = BN_bin2bn(s, s_len, NULL);
	sig = ECDSA_SIG_new();
	if (!r_bn || !s_bn || !sig || ECDSA_SIG_set0(sig, r_bn, s_bn) != 1)
		goto fail;
	r_bn = NULL;
	s_bn = NULL;

	der_len = i2d_ECDSA_SIG(sig, &der);
	if (der_len <= 0) {
		wpa_printf(MSG_DEBUG,
			   "OpenSSL: Could not DER encode signature");
		goto fail;
	}

	ret = crypto_ec_key_verify_signature(key, data, len, der, der_len);

fail:
	OPENSSL_free(der);
	BN_free(r_bn);
	BN_free(s_bn);
	ECDSA_SIG_free(sig);
	return ret;
}


int crypto_ec_key_group(struct crypto_ec_key *key)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	char gname[50];
	int nid;

	if (EVP_PKEY_get_group_name((EVP_PKEY *) key, gname, sizeof(gname),
				    NULL) != 1)
		return -1;
	nid = OBJ_txt2nid(gname);
#else
	const EC_KEY *eckey;
	const EC_GROUP *group;
	int nid;

	eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
	if (!eckey)
		return -1;
	group = EC_KEY_get0_group(eckey);
	if (!group)
		return -1;
	nid = EC_GROUP_get_curve_name(group);
#endif
	switch (nid) {
	case NID_X9_62_prime256v1:
		return 19;
	case NID_secp384r1:
		return 20;
	case NID_secp521r1:
		return 21;
#ifdef NID_brainpoolP256r1
	case NID_brainpoolP256r1:
		return 28;
#endif /* NID_brainpoolP256r1 */
#ifdef NID_brainpoolP384r1
	case NID_brainpoolP384r1:
		return 29;
#endif /* NID_brainpoolP384r1 */
#ifdef NID_brainpoolP512r1
	case NID_brainpoolP512r1:
		return 30;
#endif /* NID_brainpoolP512r1 */
	default:
		wpa_printf(MSG_ERROR,
			   "OpenSSL: Unsupported curve (nid=%d) in EC key",
			   nid);
		return -1;
	}
}


int crypto_ec_key_cmp(struct crypto_ec_key *key1, struct crypto_ec_key *key2)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	if (EVP_PKEY_eq((EVP_PKEY *) key1, (EVP_PKEY *) key2) != 1)
		return -1;
#else
	if (EVP_PKEY_cmp((EVP_PKEY *) key1, (EVP_PKEY *) key2) != 1)
		return -1;
#endif
	return 0;
}


void crypto_ec_key_debug_print(const struct crypto_ec_key *key,
			       const char *title)
{
	BIO *out;
	size_t rlen;
	char *txt;
	int res;

	out = BIO_new(BIO_s_mem());
	if (!out)
		return;

	EVP_PKEY_print_private(out, (EVP_PKEY *) key, 0, NULL);
	rlen = BIO_ctrl_pending(out);
	txt = os_malloc(rlen + 1);
	if (txt) {
		res = BIO_read(out, txt, rlen);
		if (res > 0) {
			txt[res] = '\0';
			wpa_printf(MSG_DEBUG, "%s: %s", title, txt);
		}
		os_free(txt);
	}
	BIO_free(out);
}


struct wpabuf * crypto_pkcs7_get_certificates(const struct wpabuf *pkcs7)
{
#ifdef OPENSSL_IS_BORINGSSL
	CBS pkcs7_cbs;
#else /* OPENSSL_IS_BORINGSSL */
	PKCS7 *p7 = NULL;
	const unsigned char *p = wpabuf_head(pkcs7);
#endif /* OPENSSL_IS_BORINGSSL */
	STACK_OF(X509) *certs;
	int i, num;
	BIO *out = NULL;
	size_t rlen;
	struct wpabuf *pem = NULL;
	int res;

#ifdef OPENSSL_IS_BORINGSSL
	certs = sk_X509_new_null();
	if (!certs)
		goto fail;
	CBS_init(&pkcs7_cbs, wpabuf_head(pkcs7), wpabuf_len(pkcs7));
	if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: Could not parse PKCS#7 object: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}
#else /* OPENSSL_IS_BORINGSSL */
	p7 = d2i_PKCS7(NULL, &p, wpabuf_len(pkcs7));
	if (!p7) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: Could not parse PKCS#7 object: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	switch (OBJ_obj2nid(p7->type)) {
	case NID_pkcs7_signed:
		certs = p7->d.sign->cert;
		break;
	case NID_pkcs7_signedAndEnveloped:
		certs = p7->d.signed_and_enveloped->cert;
		break;
	default:
		certs = NULL;
		break;
	}
#endif /* OPENSSL_IS_BORINGSSL */

	if (!certs || ((num = sk_X509_num(certs)) == 0)) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: No certificates found in PKCS#7 object");
		goto fail;
	}

	out = BIO_new(BIO_s_mem());
	if (!out)
		goto fail;

	for (i = 0; i < num; i++) {
		X509 *cert = sk_X509_value(certs, i);

		PEM_write_bio_X509(out, cert);
	}

	rlen = BIO_ctrl_pending(out);
	pem = wpabuf_alloc(rlen);
	if (!pem)
		goto fail;
	res = BIO_read(out, wpabuf_put(pem, 0), rlen);
	if (res <= 0) {
		wpabuf_free(pem);
		pem = NULL;
		goto fail;
	}
	wpabuf_put(pem, res);

fail:
#ifdef OPENSSL_IS_BORINGSSL
	if (certs)
		sk_X509_pop_free(certs, X509_free);
#else /* OPENSSL_IS_BORINGSSL */
	PKCS7_free(p7);
#endif /* OPENSSL_IS_BORINGSSL */
	if (out)
		BIO_free_all(out);

	return pem;
}


struct crypto_csr * crypto_csr_init()
{
	return (struct crypto_csr *)X509_REQ_new();
}


struct crypto_csr * crypto_csr_verify(const struct wpabuf *req)
{
	X509_REQ *csr;
	EVP_PKEY *pkey = NULL;
	const u8 *der = wpabuf_head(req);

	csr = d2i_X509_REQ(NULL, &der, wpabuf_len(req));
	if (!csr)
		return NULL;

	pkey = X509_REQ_get_pubkey((X509_REQ *)csr);
	if (!pkey)
		goto fail;

	if (X509_REQ_verify((X509_REQ *)csr, pkey) != 1)
		goto fail;

	return (struct crypto_csr *)csr;
fail:
	X509_REQ_free(csr);
	return NULL;
}


void crypto_csr_deinit(struct crypto_csr *csr)
{
	X509_REQ_free((X509_REQ *)csr);
}


int crypto_csr_set_ec_public_key(struct crypto_csr *csr, struct crypto_ec_key *key)
{
	if (!X509_REQ_set_pubkey((X509_REQ *)csr, (EVP_PKEY *)key))
		return -1;

	return 0;
}


int crypto_csr_set_name(struct crypto_csr *csr, enum crypto_csr_name type,
			const char *name)
{
	X509_NAME *n;
	int nid;

	switch (type) {
	case CSR_NAME_CN:
		nid = NID_commonName;
		break;
	case CSR_NAME_SN:
		nid = NID_surname;
		break;
	case CSR_NAME_C:
		nid = NID_countryName;
		break;
	case CSR_NAME_O:
		nid = NID_organizationName;
		break;
	case CSR_NAME_OU:
		nid = NID_organizationalUnitName;
		break;
	default:
		return -1;
	}

	n = X509_REQ_get_subject_name((X509_REQ *) csr);
	if (!n)
		return -1;

#if OPENSSL_VERSION_NUMBER < 0x10100000L
	if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
					(unsigned char *) name,
					os_strlen(name), -1, 0))
		return -1;
#else
	if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_UTF8,
					(const unsigned char *) name,
					os_strlen(name), -1, 0))
		return -1;
#endif

	return 0;
}


int crypto_csr_set_attribute(struct crypto_csr *csr, enum crypto_csr_attr attr,
			     int attr_type, const u8 *value, size_t len)
{
	int nid;

	switch (attr) {
	case CSR_ATTR_CHALLENGE_PASSWORD:
		nid = NID_pkcs9_challengePassword;
		break;
	default:
		return -1;
	}

	if (!X509_REQ_add1_attr_by_NID((X509_REQ *) csr, nid, attr_type, value,
				       len))
		return -1;

	return 0;
}


const u8 * crypto_csr_get_attribute(struct crypto_csr *csr,
				    enum crypto_csr_attr attr,
				    size_t *len, int *type)
{
	X509_ATTRIBUTE *attrib;
	ASN1_TYPE *attrib_type;
	ASN1_STRING *data;
	int loc;
	int nid;

	switch (attr) {
	case CSR_ATTR_CHALLENGE_PASSWORD:
		nid = NID_pkcs9_challengePassword;
		break;
	default:
		return NULL;
	}

	loc = X509_REQ_get_attr_by_NID((X509_REQ *) csr, nid, -1);
	if (loc < 0)
		return NULL;

	attrib = X509_REQ_get_attr((X509_REQ *) csr, loc);
	if (!attrib)
		return NULL;

	attrib_type = X509_ATTRIBUTE_get0_type(attrib, 0);
	if (!attrib_type)
		return NULL;
	*type = ASN1_TYPE_get(attrib_type);
	data = X509_ATTRIBUTE_get0_data(attrib, 0, *type, NULL);
	if (!data)
		return NULL;
	*len = ASN1_STRING_length(data);
	return ASN1_STRING_get0_data(data);
}


struct wpabuf * crypto_csr_sign(struct crypto_csr *csr,
				struct crypto_ec_key *key,
				enum crypto_hash_alg algo)
{
	const EVP_MD *sign_md;
	struct wpabuf *buf;
	unsigned char *der = NULL;
	int der_len;

	switch (algo) {
	case CRYPTO_HASH_ALG_SHA256:
		sign_md = EVP_sha256();
		break;
	case CRYPTO_HASH_ALG_SHA384:
		sign_md = EVP_sha384();
		break;
	case CRYPTO_HASH_ALG_SHA512:
		sign_md = EVP_sha512();
		break;
	default:
		return NULL;
	}

	if (!X509_REQ_sign((X509_REQ *) csr, (EVP_PKEY *) key, sign_md))
		return NULL;

	der_len = i2d_X509_REQ((X509_REQ *) csr, &der);
	if (der_len < 0)
		return NULL;

	buf = wpabuf_alloc_copy(der, der_len);
	OPENSSL_free(der);

	return buf;
}

#endif /* CONFIG_ECC */


static EVP_PKEY * crypto_rsa_key_read_public(FILE *f)
{
	EVP_PKEY *pkey;
	X509 *x509;
	const ASN1_TIME *not_before, *not_after;
	int res_before, res_after;

	pkey = PEM_read_PUBKEY(f, NULL, NULL, NULL);
	if (pkey)
		return pkey;

	rewind(f);
	x509 = PEM_read_X509(f, NULL, NULL, NULL);
	if (!x509)
		return NULL;

	not_before = X509_get0_notBefore(x509);
	not_after = X509_get0_notAfter(x509);
	if (!not_before || !not_after)
		goto fail;
	res_before = X509_cmp_current_time(not_before);
	res_after = X509_cmp_current_time(not_after);
	if (!res_before || !res_after)
		goto fail;
	if (res_before > 0 || res_after < 0) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: Certificate for RSA public key is not valid at this time (%d %d)",
			   res_before, res_after);
		goto fail;
	}

	pkey = X509_get_pubkey(x509);
	X509_free(x509);

	if (!pkey)
		return NULL;
	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) {
		wpa_printf(MSG_INFO, "OpenSSL: No RSA public key found");
		EVP_PKEY_free(pkey);
		return NULL;
	}

	return pkey;
fail:
	X509_free(x509);
	return NULL;
}


struct crypto_rsa_key * crypto_rsa_key_read(const char *file, bool private_key)
{
	FILE *f;
	EVP_PKEY *pkey;

	f = fopen(file, "r");
	if (!f)
		return NULL;
	if (private_key)
		pkey = PEM_read_PrivateKey(f, NULL, NULL, NULL);
	else
		pkey = crypto_rsa_key_read_public(f);
	fclose(f);
	return (struct crypto_rsa_key *) pkey;
}


#ifndef OPENSSL_NO_SHA256

struct wpabuf * crypto_rsa_oaep_sha256_encrypt(struct crypto_rsa_key *key,
					       const struct wpabuf *in)
{
#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
	EVP_PKEY *pkey = (EVP_PKEY *) key;
	EVP_PKEY_CTX *pkctx;
	struct wpabuf *res = NULL;
	size_t outlen;

	pkctx = EVP_PKEY_CTX_new(pkey, NULL);
	if (!pkctx)
		goto fail;

	if (EVP_PKEY_encrypt_init(pkctx) != 1 ||
	    EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0 ||
	    EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, EVP_sha256()) <= 0 ||
	    EVP_PKEY_encrypt(pkctx, NULL, &outlen, wpabuf_head(in),
			     wpabuf_len(in)) != 1 ||
	    !(res = wpabuf_alloc(outlen)) ||
	    EVP_PKEY_encrypt(pkctx, wpabuf_put(res, 0), &outlen,
			     wpabuf_head(in), wpabuf_len(in)) != 1) {
		wpabuf_free(res);
		res = NULL;
		goto fail;
	}
	wpabuf_put(res, outlen);

fail:
	EVP_PKEY_CTX_free(pkctx);
	return res;
#else
	wpa_printf(MSG_ERROR, "%s() not supported", __func__);
	return NULL;
#endif
}


struct wpabuf * crypto_rsa_oaep_sha256_decrypt(struct crypto_rsa_key *key,
					       const struct wpabuf *in)
{
#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
	EVP_PKEY *pkey = (EVP_PKEY *) key;
	EVP_PKEY_CTX *pkctx;
	struct wpabuf *res = NULL;
	size_t outlen;

	pkctx = EVP_PKEY_CTX_new(pkey, NULL);
	if (!pkctx)
		goto fail;

	if (EVP_PKEY_decrypt_init(pkctx) != 1 ||
	    EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0 ||
	    EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, EVP_sha256()) <= 0 ||
	    EVP_PKEY_decrypt(pkctx, NULL, &outlen, wpabuf_head(in),
			     wpabuf_len(in)) != 1 ||
	    !(res = wpabuf_alloc(outlen)) ||
	    EVP_PKEY_decrypt(pkctx, wpabuf_put(res, 0), &outlen,
			     wpabuf_head(in), wpabuf_len(in)) != 1) {
		wpabuf_free(res);
		res = NULL;
		goto fail;
	}
	wpabuf_put(res, outlen);

fail:
	EVP_PKEY_CTX_free(pkctx);
	return res;
#else
	wpa_printf(MSG_ERROR, "%s() not supported", __func__);
	return NULL;
#endif
}

#endif /* OPENSSL_NO_SHA256 */


void crypto_rsa_key_free(struct crypto_rsa_key *key)
{
	EVP_PKEY_free((EVP_PKEY *) key);
}


#ifdef CONFIG_DPP3

#define HPKE_MAX_SHARED_SECRET_LEN 66
#define HPKE_MAX_HASH_LEN 64
#define HPKE_MAX_KEY_LEN 32
#define HPKE_MAX_NONCE_LEN 12
#define HPKE_MAX_PUB_LEN (1 + 2 * 66)

struct hpke_context {
	/* KEM */
	enum hpke_kem_id kem_id;
	int kem_nid;
	int iana_group;
	size_t n_pk;
	size_t n_secret;
	const EVP_MD *kem_h;
	size_t kem_n_h;

	/* KDF */
	enum hpke_kdf_id kdf_id;
	const EVP_MD *kdf_h;
	size_t n_h;

	/* AEAD */
	enum hpke_aead_id aead_id;
	const EVP_CIPHER *cipher;
	size_t n_k;
	size_t n_n;
	size_t n_t;
	u8 key[HPKE_MAX_KEY_LEN];
	u8 base_nonce[HPKE_MAX_NONCE_LEN];
};


static void hpke_free_context(struct hpke_context *ctx)
{
	bin_clear_free(ctx, sizeof(*ctx));
}


static struct hpke_context * hpke_get_context(enum hpke_kem_id kem_id,
					      enum hpke_kdf_id kdf_id,
					      enum hpke_aead_id aead_id,
					      struct crypto_ec_key *key)
{
	struct hpke_context *ctx;
	int group;

	ctx = os_zalloc(sizeof(*ctx));
	if (!ctx)
		return NULL;

	ctx->kem_id = kem_id;
	switch (kem_id) {
	case HPKE_DHKEM_P256_HKDF_SHA256:
		ctx->kem_nid = NID_X9_62_prime256v1;
		ctx->iana_group = 19;
		ctx->n_pk = 65;
		ctx->n_secret = 32;
		ctx->kem_h = EVP_sha256();
		ctx->kem_n_h = 32;
		break;
	case HPKE_DHKEM_P384_HKDF_SHA384:
		ctx->kem_nid = NID_secp384r1;
		ctx->iana_group = 20;
		ctx->n_pk = 97;
		ctx->n_secret = 48;
		ctx->kem_h = EVP_sha384();
		ctx->kem_n_h = 48;
		break;
	case HPKE_DHKEM_P521_HKDF_SHA512:
		ctx->kem_nid = NID_secp521r1;
		ctx->iana_group = 21;
		ctx->n_pk = 133;
		ctx->n_secret = 64;
		ctx->kem_h = EVP_sha512();
		ctx->kem_n_h = 64;
		break;
	default:
		goto fail;
	}

	ctx->kdf_id = kdf_id;
	switch (kdf_id) {
	case HPKE_KDF_HKDF_SHA256:
		ctx->kdf_h = EVP_sha256();
		ctx->n_h = 32;
		break;
	case HPKE_KDF_HKDF_SHA384:
		ctx->kdf_h = EVP_sha384();
		ctx->n_h = 48;
		break;
	case HPKE_KDF_HKDF_SHA512:
		ctx->kdf_h = EVP_sha512();
		ctx->n_h = 64;
		break;
	default:
		goto fail;
	}

	ctx->aead_id = aead_id;
	switch (aead_id) {
	case HPKE_AEAD_AES_128_GCM:
		ctx->cipher = EVP_aes_128_gcm();
		ctx->n_k = 16;
		ctx->n_n = 12;
		ctx->n_t = 16;
		break;
	case HPKE_AEAD_AES_256_GCM:
		ctx->cipher = EVP_aes_256_gcm();
		ctx->n_k = 32;
		ctx->n_n = 12;
		ctx->n_t = 16;
		break;
	default:
		goto fail;
	}

	/* Convert BP-256/384/512 to P-256/384/521 for DPP */
	group = crypto_ec_key_group(key);
	if (group == 28 && ctx->iana_group == 19) {
		ctx->iana_group = 28;
	} else if (group == 29 && ctx->iana_group == 20) {
		ctx->iana_group = 29;
	} else if (group == 30 && ctx->iana_group == 21) {
		ctx->iana_group = 30;
		ctx->n_pk = 129;
	}
	if (group != ctx->iana_group) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:group mismatch (%d != %d)",
			   __func__, group, ctx->iana_group);
		goto fail;
	}

	return ctx;
fail:
	hpke_free_context(ctx);
	return NULL;
}


static size_t hpke_suite_id(struct hpke_context *ctx, bool kem, u8 *suite_id)
{
	size_t suite_id_len;

	if (kem) {
		os_memcpy(suite_id, "KEM", 3);
		WPA_PUT_BE16(&suite_id[3], ctx->kem_id);
		suite_id_len = 5;
	} else {
		os_memcpy(suite_id, "HPKE", 4);
		WPA_PUT_BE16(&suite_id[4], ctx->kem_id);
		WPA_PUT_BE16(&suite_id[6], ctx->kdf_id);
		WPA_PUT_BE16(&suite_id[8], ctx->aead_id);
		suite_id_len = 10;
	}
	return suite_id_len;
}


static int hpke_labeled_extract(struct hpke_context *ctx, bool kem,
				const u8 *salt, size_t salt_len,
				const char *label,
				const u8 *ikm, size_t ikm_len, u8 *prk)
{
	u8 zero[HPKE_MAX_HASH_LEN];
	u8 suite_id[10];
	size_t suite_id_len;
	unsigned int mdlen = kem ? ctx->kem_n_h : ctx->n_h;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_MAC *hmac;
	OSSL_PARAM params[2];
	EVP_MAC_CTX *hctx;
	size_t mlen;
	int res;
#else /* OpenSSL version >= 3.0 */
	HMAC_CTX *hctx;
	int res;
#endif /* OpenSSL version >= 3.0 */

	if (!salt || !salt_len) {
		salt_len = mdlen;
		os_memset(zero, 0, salt_len);
		salt = zero;
	}

	suite_id_len = hpke_suite_id(ctx, kem, suite_id);

	/* labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
	 * return Extract(salt, labeled_ikm) */

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
	if (!hmac)
		return -1;

	params[0] = OSSL_PARAM_construct_utf8_string(
		"digest",
		(char *) EVP_MD_get0_name(kem ? ctx->kem_h : ctx->kdf_h), 0);
	params[1] = OSSL_PARAM_construct_end();

	hctx = EVP_MAC_CTX_new(hmac);
	EVP_MAC_free(hmac);
	if (!hctx)
		return -1;

	if (EVP_MAC_init(hctx, salt, salt_len, params) != 1)
		goto fail;

	if (EVP_MAC_update(hctx, (const unsigned char *) "HPKE-v1", 7) != 1 ||
	    EVP_MAC_update(hctx, suite_id, suite_id_len) != 1 ||
	    EVP_MAC_update(hctx, (const unsigned char *) label,
			   os_strlen(label)) != 1 ||
	    EVP_MAC_update(hctx, ikm, ikm_len) != 1)
		goto fail;

	res = EVP_MAC_final(hctx, prk, &mlen, mdlen);
	EVP_MAC_CTX_free(hctx);

	return res == 1 ? 0 : -1;
fail:
	EVP_MAC_CTX_free(hctx);
	return -1;
#else /* OpenSSL version >= 3.0 */
	hctx = HMAC_CTX_new();
	if (!hctx)
		return -1;
	res = HMAC_Init_ex(hctx, salt, salt_len, kem ? ctx->kem_h : ctx->kdf_h,
			   NULL);
	if (res != 1)
		goto done;

	HMAC_Update(hctx, (const unsigned char *) "HPKE-v1", 7);
	HMAC_Update(hctx, suite_id, suite_id_len);
	HMAC_Update(hctx, (const unsigned char *) label, os_strlen(label));
	HMAC_Update(hctx, ikm, ikm_len);

	res = HMAC_Final(hctx, prk, &mdlen);
done:
	HMAC_CTX_free(hctx);

	return res == 1 ? 0 : -1;
#endif /* OpenSSL version >= 3.0 */
}


static int
hpke_labeled_expand(struct hpke_context *ctx, bool kem, const u8 *prk,
		    const char *label, const u8 *info, size_t info_len,
		    u8 *out, size_t out_len)
{
	u8 suite_id[10];
	size_t suite_id_len;
	u8 hash[HPKE_MAX_HASH_LEN];
	u8 iter = 0;
	size_t label_len = os_strlen(label);
	u8 *pos;
	size_t left = out_len, clen;
	int res = -1;
	u8 *labeled_info;
	size_t labeled_info_len;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_MAC *hmac;
	OSSL_PARAM params[2];
	EVP_MAC_CTX *hctx = NULL;
	size_t mdlen;
#else /* OpenSSL version >= 3.0 */
	HMAC_CTX *hctx;
	unsigned int mdlen;
#endif /* OpenSSL version >= 3.0 */

	/* labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
	 *                       label, info)
	 * return Expand(prk, labeled_info, L) */
	suite_id_len = hpke_suite_id(ctx, kem, suite_id);
	labeled_info_len = 2 + 7 + suite_id_len + label_len + info_len;
	labeled_info = os_malloc(labeled_info_len);
	if (!labeled_info)
		return -1;
	pos = labeled_info;
	WPA_PUT_BE16(pos, out_len);
	pos += 2;
	os_memcpy(pos, "HPKE-v1", 7);
	pos += 7;
	os_memcpy(pos, suite_id, suite_id_len);
	pos += suite_id_len;
	os_memcpy(pos, label, label_len);
	pos += label_len;
	if (info && info_len)
		os_memcpy(pos, info, info_len);

	pos = out;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
	if (!hmac)
		return -1;

	params[0] = OSSL_PARAM_construct_utf8_string(
		"digest",
		(char *) EVP_MD_get0_name(kem ? ctx->kem_h : ctx->kdf_h), 0);
	params[1] = OSSL_PARAM_construct_end();
#else /* OpenSSL version >= 3.0 */
	hctx = HMAC_CTX_new();
	if (!hctx)
		return -1;
#endif /* OpenSSL version >= 3.0 */

	while (left > 0) {
		mdlen = kem ? ctx->kem_n_h : ctx->n_h;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
		EVP_MAC_CTX_free(hctx);
		hctx = EVP_MAC_CTX_new(hmac);
		if (!hctx)
			return -1;

		if (EVP_MAC_init(hctx, prk, mdlen, params) != 1)
			goto fail;

		if (iter > 0 && EVP_MAC_update(hctx, hash, mdlen) != 1)
			goto fail;
		if (iter == 255)
			goto fail;
		iter++;

		if (EVP_MAC_update(hctx, labeled_info, labeled_info_len) != 1 ||
		    EVP_MAC_update(hctx, &iter, sizeof(iter)) != 1)
			goto fail;

		if (EVP_MAC_final(hctx, hash, &mdlen, mdlen) != 1)
			goto fail;
#else /* OpenSSL version >= 3.0 */
		if (HMAC_Init_ex(hctx, prk, mdlen,
				 kem ? ctx->kem_h : ctx->kdf_h,
				 NULL) != 1)
			goto fail;

		if (iter > 0)
			HMAC_Update(hctx, hash, mdlen);
		if (iter == 255)
			goto fail;
		iter++;
		HMAC_Update(hctx, labeled_info, labeled_info_len);
		HMAC_Update(hctx, &iter, sizeof(iter));

		if (HMAC_Final(hctx, hash, &mdlen) != 1)
			goto fail;
		HMAC_CTX_reset(hctx);
#endif /* OpenSSL version >= 3.0 */

		clen = left > mdlen ? mdlen : left;
		os_memcpy(pos, hash, clen);
		pos += clen;
		left -= clen;
	}
	res = 0;
fail:
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
	EVP_MAC_free(hmac);
	EVP_MAC_CTX_free(hctx);
#else /* OpenSSL version >= 3.0 */
	HMAC_CTX_free(hctx);
#endif /* OpenSSL version >= 3.0 */
	os_free(labeled_info);

	return res;
}


static int hpke_extract_and_expand(struct hpke_context *ctx,
				   const u8 *dhss, size_t dhss_len,
				   const u8 *enc, size_t enc_len,
				   const u8 *pk_rm, size_t pk_rm_len,
				   u8 *shared_secret)
{
	u8 kem_context[2 * HPKE_MAX_PUB_LEN];
	u8 eae_prk[HPKE_MAX_HASH_LEN];

	/* eae_prk = LabeledExtract("", "eae_prk", dh) */
	if (hpke_labeled_extract(ctx, true, NULL, 0, "eae_prk", dhss, dhss_len,
				 eae_prk) < 0)
		return -1;

	if (enc_len > HPKE_MAX_PUB_LEN || pk_rm_len > HPKE_MAX_PUB_LEN)
		return -1;
	/* kem_context = concat(enc, pkRm) */
	os_memcpy(kem_context, enc, enc_len);
	os_memcpy(&kem_context[enc_len], pk_rm, pk_rm_len);

	/* shared_secret = LabeledExpand(eae_prk, "shared_secret",
	 *                               kem_context, Nsecret) */
	if (hpke_labeled_expand(ctx, true, eae_prk, "shared_secret",
				kem_context, enc_len + pk_rm_len,
				shared_secret, ctx->n_secret) < 0)
		return -1;

	forced_memzero(eae_prk, sizeof(eae_prk));
	return 0;
}


static int hpke_key_schedule(struct hpke_context *ctx, const u8 *shared_secret,
			     const u8 *info, size_t info_len)
{
	u8 key_schedule_context[1 + 2 * HPKE_MAX_HASH_LEN];
	u8 secret[HPKE_MAX_HASH_LEN];
	int res = -1;

	/* key_schedule_context = concat(mode, psk_id_hash, info_hash) */
	key_schedule_context[0] = HPKE_MODE_BASE;

	/* psk_id_hash = LabeledExtract("", "psk_id_hash", psk_id) */
	if (hpke_labeled_extract(ctx, false, NULL, 0, "psk_id_hash",
				 NULL, 0, &key_schedule_context[1]) < 0)
		goto fail;

	/* info_hash = LabeledExtract("", "info_hash", info) */
	if (hpke_labeled_extract(ctx, false, NULL, 0, "info_hash",
				 info, info_len,
				 &key_schedule_context[1 + ctx->n_h]) < 0)
		goto fail;

	/* secret = LabeledExtract(shared_secret, "secret", psk) */
	if (hpke_labeled_extract(ctx, false, shared_secret, ctx->n_secret,
				 "secret", NULL, 0, secret) < 0)
		goto fail;

	/* key = LabeledExpand(secret, "key", key_schedule_context, Nk) */
	if (hpke_labeled_expand(ctx, false, secret, "key",
				key_schedule_context, 1 + 2 * ctx->n_h,
				ctx->key, ctx->n_k) < 0)
		goto fail;

	/* base_nonce = LabeledExpand(secret, "base_nonce",
	 *                            key_schedule_context, Nn) */
	if (hpke_labeled_expand(ctx, false, secret, "base_nonce",
				key_schedule_context, 1 + 2 * ctx->n_h,
				ctx->base_nonce, ctx->n_n) < 0)
		goto fail;
	res = 0;
fail:
	forced_memzero(key_schedule_context, sizeof(key_schedule_context));
	forced_memzero(secret, sizeof(secret));
	return res;
}


static int hpke_encap(struct hpke_context *ctx, struct crypto_ec_key *pk_r,
		      u8 *shared_secret, u8 *enc)
{
	EVP_PKEY_CTX *pctx = NULL;
	struct crypto_ec_key *sk_e;
	int res = -1;
	u8 *dhss = NULL;
	size_t dhss_len = 0;
	struct wpabuf *enc_buf = NULL, *pk_rm = NULL;

	/* skE, pkE = GenerateKeyPair() */
	sk_e = crypto_ec_key_gen(ctx->iana_group);
	if (!sk_e) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:Could not generate key pair",
			   __func__);
		goto fail;
	}

	/* dh = DH(skE, pkR) */
	dhss_len = sizeof(dhss);
	pctx = EVP_PKEY_CTX_new((EVP_PKEY *) sk_e, NULL);
	if (!pctx ||
	    EVP_PKEY_derive_init(pctx) != 1 ||
	    EVP_PKEY_derive_set_peer(pctx, (EVP_PKEY *) pk_r) != 1 ||
	    EVP_PKEY_derive(pctx, NULL, &dhss_len) != 1 ||
	    !(dhss = os_malloc(dhss_len)) ||
	    EVP_PKEY_derive(pctx, dhss, &dhss_len) != 1 ||
	    dhss_len > HPKE_MAX_SHARED_SECRET_LEN) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: hpke_encap: EVP_PKEY_derive failed (dhss_len=%zu): %s",
			   dhss_len, ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	/* enc = SerializePublicKey(pkE) */
	enc_buf = crypto_ec_key_get_pubkey_point(sk_e, 1);
	if (!enc_buf)
		goto fail;
	os_memcpy(enc, wpabuf_head(enc_buf), wpabuf_len(enc_buf));

	/* pkRm = SerializePublicKey(pkR) */
	pk_rm = crypto_ec_key_get_pubkey_point(pk_r, 1);
	if (!pk_rm)
		goto fail;

	/* kem_context = concat(enc, pkRm) */
	/* shared_secret = ExtractAndExpand(dh, kem_context) */
	/* return shared_secret, enc */
	res = hpke_extract_and_expand(ctx, dhss, dhss_len, enc, ctx->n_pk,
				      wpabuf_head(pk_rm),
				      wpabuf_len(pk_rm), shared_secret);
fail:
	bin_clear_free(dhss, dhss_len);
	crypto_ec_key_deinit(sk_e);
	EVP_PKEY_CTX_free(pctx);
	wpabuf_free(enc_buf);
	wpabuf_free(pk_rm);
	return res;
}


static struct wpabuf *
hpke_aead_seal(struct hpke_context *ctx, const u8 *aad, size_t aad_len,
	       const u8 *pt, size_t pt_len)
{
	EVP_CIPHER_CTX *cctx;
	int len = 0;
	struct wpabuf *ct = NULL;

	/* No need to xor in sequence number since we support only the
	 * single-shot API, i.e., base_nonce can be used as-is. */

	cctx = EVP_CIPHER_CTX_new();
	if (!cctx ||
	    EVP_EncryptInit_ex(cctx, ctx->cipher, NULL, ctx->key,
			       ctx->base_nonce) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptInit_ex failed",
			   __func__);
		goto fail;
	}
	if (aad && aad_len &&
	    EVP_EncryptUpdate(cctx, NULL, &len, aad, aad_len) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_EncryptUpdate(AAD) failed",
			   __func__);
		goto fail;
	}
	ct = wpabuf_alloc(pt_len + AES_BLOCK_SIZE + ctx->n_t);
	if (!ct)
		goto fail;
	if (EVP_EncryptUpdate(cctx, wpabuf_put(ct, 0), &len, pt, pt_len) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_EncryptUpdate failed",
			   __func__);
		goto fail;
	}
	wpabuf_put(ct, len);

	if (EVP_EncryptFinal(cctx, wpabuf_put(ct, 0), &len) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptFinal failed",
			   __func__);
		wpabuf_free(ct);
		ct = NULL;
		goto fail;
	}

	if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_GET_TAG, ctx->n_t,
				wpabuf_put(ct, ctx->n_t)) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:Could not get tag",
			   __func__);
		wpabuf_free(ct);
		ct = NULL;
		goto fail;
	}
fail:
	EVP_CIPHER_CTX_free(cctx);
	return ct;
}


static struct wpabuf * hpke_base_seal_int(enum hpke_kem_id kem_id,
					  enum hpke_kdf_id kdf_id,
					  enum hpke_aead_id aead_id,
					  struct crypto_ec_key *peer_pub,
					  const u8 *info, size_t info_len,
					  const u8 *aad, size_t aad_len,
					  const u8 *pt, size_t pt_len)
{
	struct hpke_context *ctx;
	u8 shared_secret[HPKE_MAX_SHARED_SECRET_LEN];
	u8 enc[1 + 2 * HPKE_MAX_PUB_LEN];
	struct wpabuf *ct = NULL, *enc_ct = NULL;

	ctx = hpke_get_context(kem_id, kdf_id, aead_id, peer_pub);
	if (!ctx)
		return NULL;

	/* shared_secret, enc = Encap(pkR) */
	if (hpke_encap(ctx, peer_pub, shared_secret, enc) < 0)
		goto fail;

	/* KeyScheduleS(mode_base, shared_secret, info,
	 *              default_psk, default_psk_id) */
	if (hpke_key_schedule(ctx, shared_secret, info, info_len) < 0)
		goto fail;

	/* ct = ctx.Seal(aad, pt) */
	ct = hpke_aead_seal(ctx, aad, aad_len, pt, pt_len);
	if (!ct)
		goto fail;

	/* return enc, ct */
	enc_ct = wpabuf_alloc(ctx->n_pk + wpabuf_len(ct));
	if (!enc_ct)
		goto fail;
	wpabuf_put_data(enc_ct, enc, ctx->n_pk);
	wpabuf_put_buf(enc_ct, ct);

fail:
	forced_memzero(shared_secret, sizeof(shared_secret));
	hpke_free_context(ctx);
	wpabuf_free(ct);
	return enc_ct;
}


static int hpke_decap(struct hpke_context *ctx, const u8 *enc,
		      size_t enc_ct_len, struct crypto_ec_key *sk_r,
		      u8 *shared_secret)
{
	EVP_PKEY_CTX *pctx = NULL;
	struct wpabuf *pk_rm = NULL;
	size_t len;
	int res = -1;
	struct crypto_ec_key *pk_e = NULL;
	u8 *dhss = NULL;
	size_t dhss_len = 0;

	/* pkE = DeserializePublicKey(enc) */
	if (enc_ct_len < ctx->n_pk)
		return -1; /* not enough room for enc */
	if (enc[0] != 0x04)
		return -1; /* not in uncompressed form */
	len = (ctx->n_pk - 1) / 2;
	pk_e = crypto_ec_key_set_pub(ctx->iana_group, &enc[1],
				     &enc[1 + len], len);
	if (!pk_e)
		return -1; /* invalid public key point */
	/* dh = DH(skR, pkE) */
	pctx = EVP_PKEY_CTX_new((EVP_PKEY *) sk_r, NULL);
	if (!pctx ||
	    EVP_PKEY_derive_init(pctx) != 1 ||
	    EVP_PKEY_derive_set_peer(pctx, (EVP_PKEY *) pk_e) != 1 ||
	    EVP_PKEY_derive(pctx, NULL, &dhss_len) != 1 ||
	    !(dhss = os_malloc(dhss_len)) ||
	    EVP_PKEY_derive(pctx, dhss, &dhss_len) != 1 ||
	    dhss_len > HPKE_MAX_SHARED_SECRET_LEN) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: hpke_decap: EVP_PKEY_derive failed (dhss_len=%zu): %s",
			   dhss_len, ERR_error_string(ERR_get_error(), NULL));
		goto fail;
	}

	/* pkRm = SerializePublicKey(pk(skR)) */
	pk_rm = crypto_ec_key_get_pubkey_point(sk_r, 1);
	if (!pk_rm)
		goto fail;

	/* kem_context = concat(enc, pkRm) */
	/* shared_secret = ExtractAndExpand(dh, kem_context) */
	res = hpke_extract_and_expand(ctx, dhss, dhss_len, enc, ctx->n_pk,
				      wpabuf_head(pk_rm),
				      wpabuf_len(pk_rm), shared_secret);
fail:
	bin_clear_free(dhss, dhss_len);
	crypto_ec_key_deinit(pk_e);
	EVP_PKEY_CTX_free(pctx);
	wpabuf_free(pk_rm);
	return res;
}


static struct wpabuf *
hpke_aead_open(struct hpke_context *ctx, const u8 *aad, size_t aad_len,
	       const u8 *ct, size_t ct_len)
{
	EVP_CIPHER_CTX *cctx;
	int len = 0;
	const u8 *tag;
	struct wpabuf *pt = NULL;

	if (ct_len < ctx->n_t)
		return NULL;
	tag = ct + ct_len - ctx->n_t;
	ct_len -= ctx->n_t;

	/* No need to xor in sequence number since we support only the
	 * single-shot API, i.e., base_nonce can be used as-is. */

	cctx = EVP_CIPHER_CTX_new();
	if (!cctx ||
	    EVP_DecryptInit_ex(cctx, ctx->cipher, NULL, ctx->key,
			       ctx->base_nonce) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptInit_ex failed",
			   __func__);
		goto fail;
	}
	if (aad && aad_len &&
	    EVP_DecryptUpdate(cctx, NULL, &len, aad, aad_len) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptUpdate(AAD) failed",
			   __func__);
		goto fail;
	}
	pt = wpabuf_alloc(ct_len + AES_BLOCK_SIZE);
	if (!pt)
		goto fail;
	if (EVP_DecryptUpdate(cctx, wpabuf_put(pt, 0), &len, ct, ct_len) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptUpdate failed",
			   __func__);
		goto fail;
	}
	wpabuf_put(pt, len);

	if (EVP_CIPHER_CTX_ctrl(cctx, EVP_CTRL_AEAD_SET_TAG, ctx->n_t,
				(void *) tag) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:Could not set tag",
			   __func__);
		wpabuf_free(pt);
		pt = NULL;
		goto fail;
	}

	if (EVP_DecryptFinal(cctx, wpabuf_put(pt, 0), &len) != 1) {
		wpa_printf(MSG_INFO, "OpenSSL:%s:EVP_DecryptFinal failed",
			   __func__);
		wpabuf_free(pt);
		pt = NULL;
	}
fail:
	EVP_CIPHER_CTX_free(cctx);
	return pt;
}


static struct wpabuf * hpke_base_open_int(enum hpke_kem_id kem_id,
					  enum hpke_kdf_id kdf_id,
					  enum hpke_aead_id aead_id,
					  struct crypto_ec_key *own_priv,
					  const u8 *info, size_t info_len,
					  const u8 *aad, size_t aad_len,
					  const u8 *enc_ct, size_t enc_ct_len)
{
	struct hpke_context *ctx;
	u8 shared_secret[HPKE_MAX_SHARED_SECRET_LEN];
	struct wpabuf *pt = NULL;

	ctx = hpke_get_context(kem_id, kdf_id, aead_id, own_priv);
	if (!ctx)
		return NULL;

	/* shared_secret = Decap(enc, skR) */
	if (hpke_decap(ctx, enc_ct, enc_ct_len, own_priv, shared_secret) < 0)
		goto fail;

	/* KeyScheduleR(mode_base, shared_secret, info,
	 *              default_psk, default_psk_id) */
	if (hpke_key_schedule(ctx, shared_secret, info, info_len) < 0)
		goto fail;

	/* return ctx.Open(aad, ct) */
	pt = hpke_aead_open(ctx, aad, aad_len,
			    &enc_ct[ctx->n_pk], enc_ct_len - ctx->n_pk);

fail:
	forced_memzero(shared_secret, sizeof(shared_secret));
	hpke_free_context(ctx);
	return pt;
}


#if OPENSSL_VERSION_NUMBER >= 0x30200000L

static bool hpke_set_suite(OSSL_HPKE_SUITE *suite,
			   enum hpke_kem_id kem_id,
			   enum hpke_kdf_id kdf_id,
			   enum hpke_aead_id aead_id)
{
	os_memset(suite, 0, sizeof(*suite));

	switch (kem_id) {
	case HPKE_DHKEM_P256_HKDF_SHA256:
		suite->kem_id = OSSL_HPKE_KEM_ID_P256;
		break;
	case HPKE_DHKEM_P384_HKDF_SHA384:
		suite->kem_id = OSSL_HPKE_KEM_ID_P384;
		break;
	case HPKE_DHKEM_P521_HKDF_SHA512:
		suite->kem_id = OSSL_HPKE_KEM_ID_P521;
		break;
	default:
		return false;
	}

	switch (kdf_id) {
	case HPKE_KDF_HKDF_SHA256:
		suite->kdf_id = OSSL_HPKE_KDF_ID_HKDF_SHA256;
		break;
	case HPKE_KDF_HKDF_SHA384:
		suite->kdf_id = OSSL_HPKE_KDF_ID_HKDF_SHA384;
		break;
	case HPKE_KDF_HKDF_SHA512:
		suite->kdf_id = OSSL_HPKE_KDF_ID_HKDF_SHA512;
		break;
	default:
		return false;
	}

	switch (aead_id) {
	case HPKE_AEAD_AES_128_GCM:
		suite->aead_id = OSSL_HPKE_AEAD_ID_AES_GCM_128;
		break;
	case HPKE_AEAD_AES_256_GCM:
		suite->aead_id = OSSL_HPKE_AEAD_ID_AES_GCM_256;
		break;
	default:
		return false;
	}

	if (!OSSL_HPKE_suite_check(*suite)) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: HPKE suite kem_id=%d kdf_id=%d aead_id=%d not supported",
			   kem_id, kdf_id, aead_id);
		return false;
	}

	return true;
}


struct wpabuf * hpke_base_seal(enum hpke_kem_id kem_id,
			       enum hpke_kdf_id kdf_id,
			       enum hpke_aead_id aead_id,
			       struct crypto_ec_key *peer_pub,
			       const u8 *info, size_t info_len,
			       const u8 *aad, size_t aad_len,
			       const u8 *pt, size_t pt_len)
{
	OSSL_HPKE_SUITE suite;
	OSSL_HPKE_CTX *ctx = NULL;
	struct wpabuf *res = NULL, *buf, *pub = NULL;
	size_t enc_len, ct_len;
	int group;

	group = crypto_ec_key_group(peer_pub);
	if (group == 28 || group == 29 || group == 30) {
		/* Use the internal routines for the special DPP use case with
		 * brainpool curves, */
		return hpke_base_seal_int(kem_id, kdf_id, aead_id, peer_pub,
					  info, info_len, aad, aad_len,
					  pt, pt_len);
	}


	if (!hpke_set_suite(&suite, kem_id, kdf_id, aead_id))
		return NULL;

	enc_len = OSSL_HPKE_get_public_encap_size(suite);
	ct_len = OSSL_HPKE_get_ciphertext_size(suite, pt_len);
	buf = wpabuf_alloc(enc_len + ct_len);
	if (!buf)
		goto out;

	pub = crypto_ec_key_get_pubkey_point(peer_pub, 1);
	if (!pub)
		goto out;

	ctx = OSSL_HPKE_CTX_new(OSSL_HPKE_MODE_BASE, suite,
				OSSL_HPKE_ROLE_SENDER, NULL, NULL);
	if (!ctx)
		goto out;

	if (OSSL_HPKE_encap(ctx, wpabuf_put(buf, 0), &enc_len,
			    wpabuf_head(pub), wpabuf_len(pub),
			    info, info_len) != 1) {
		wpa_printf(MSG_DEBUG, "OpenSSL: OSSL_HPKE_encap failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto out;
	}
	wpabuf_put(buf, enc_len);

	if (OSSL_HPKE_seal(ctx, wpabuf_put(buf, 0), &ct_len, aad, aad_len,
			   pt, pt_len) != 1) {
		wpa_printf(MSG_DEBUG, "OpenSSL: OSSL_HPKE_seal failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto out;
	}
	wpabuf_put(buf, ct_len);
	res = buf;
	buf = NULL;

out:
	OSSL_HPKE_CTX_free(ctx);
	wpabuf_free(buf);
	wpabuf_free(pub);
	return res;
}


struct wpabuf * hpke_base_open(enum hpke_kem_id kem_id,
			       enum hpke_kdf_id kdf_id,
			       enum hpke_aead_id aead_id,
			       struct crypto_ec_key *own_priv,
			       const u8 *info, size_t info_len,
			       const u8 *aad, size_t aad_len,
			       const u8 *enc_ct, size_t enc_ct_len)
{
	OSSL_HPKE_SUITE suite;
	OSSL_HPKE_CTX *ctx;
	struct wpabuf *buf = NULL, *res = NULL;
	size_t len, enc_len;
	int group;

	group = crypto_ec_key_group(own_priv);
	if (group == 28 || group == 29 || group == 30) {
		/* Use the internal routines for the special DPP use case with
		 * brainpool curves, */
		return hpke_base_open_int(kem_id, kdf_id, aead_id, own_priv,
					  info, info_len, aad, aad_len,
					  enc_ct, enc_ct_len);
	}

	if (!hpke_set_suite(&suite, kem_id, kdf_id, aead_id))
		return NULL;

	enc_len = OSSL_HPKE_get_public_encap_size(suite);
	if (enc_ct_len < enc_len) {
		wpa_printf(MSG_DEBUG, "OpenSSL: Too short HPKE enc_ct data");
		return NULL;
	}

	ctx = OSSL_HPKE_CTX_new(OSSL_HPKE_MODE_BASE, suite,
				OSSL_HPKE_ROLE_RECEIVER, NULL, NULL);
	if (!ctx)
		goto out;

	if (OSSL_HPKE_decap(ctx, enc_ct, enc_len, (EVP_PKEY *) own_priv,
			    info, info_len) != 1) {
		wpa_printf(MSG_DEBUG, "OpenSSL: OSSL_HPKE_decap failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto out;
	}

	len = enc_ct_len;
	buf = wpabuf_alloc(len);
	if (!buf)
		goto out;

	if (OSSL_HPKE_open(ctx, wpabuf_put(buf, 0), &len, aad, aad_len,
			   enc_ct + enc_len, enc_ct_len - enc_len) != 1) {
		wpa_printf(MSG_DEBUG, "OpenSSL: OSSL_HPKE_open failed: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		goto out;
	}

	wpabuf_put(buf, len);
	res = buf;
	buf = NULL;

out:
	OSSL_HPKE_CTX_free(ctx);
	wpabuf_free(buf);
	return res;
}

#else /* OpenSSL < 3.2 */

struct wpabuf * hpke_base_seal(enum hpke_kem_id kem_id,
			       enum hpke_kdf_id kdf_id,
			       enum hpke_aead_id aead_id,
			       struct crypto_ec_key *peer_pub,
			       const u8 *info, size_t info_len,
			       const u8 *aad, size_t aad_len,
			       const u8 *pt, size_t pt_len)
{
	return hpke_base_seal_int(kem_id, kdf_id, aead_id, peer_pub,
				  info, info_len, aad, aad_len, pt, pt_len);
}


struct wpabuf * hpke_base_open(enum hpke_kem_id kem_id,
			       enum hpke_kdf_id kdf_id,
			       enum hpke_aead_id aead_id,
			       struct crypto_ec_key *own_priv,
			       const u8 *info, size_t info_len,
			       const u8 *aad, size_t aad_len,
			       const u8 *enc_ct, size_t enc_ct_len)
{
	return hpke_base_open_int(kem_id, kdf_id, aead_id, own_priv,
				  info, info_len, aad, aad_len,
				  enc_ct, enc_ct_len);
}

#endif /* OpenSSL < 3.2 */

#endif /* CONFIG_DPP3 */


void crypto_unload(void)
{
	openssl_unload_legacy_provider();
}