2 * Simultaneous authentication of equals
3 * Copyright (c) 2012-2016, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "utils/const_time.h"
13 #include "crypto/crypto.h"
14 #include "crypto/sha256.h"
15 #include "crypto/random.h"
16 #include "crypto/dh_groups.h"
17 #include "ieee802_11_defs.h"
21 static int sae_suitable_group(int group)
23 #ifdef CONFIG_TESTING_OPTIONS
24 /* Allow all groups for testing purposes in non-production builds. */
26 #else /* CONFIG_TESTING_OPTIONS */
27 /* Enforce REVmd rules on which SAE groups are suitable for production
28 * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
29 * defined over a prime field whose prime is >= 256 bits. Furthermore,
30 * ECC groups defined over a characteristic 2 finite field and ECC
31 * groups with a co-factor greater than 1 are not suitable. */
32 return group == 19 || group == 20 || group == 21 ||
33 group == 28 || group == 29 || group == 30 ||
34 group == 15 || group == 16 || group == 17 || group == 18;
35 #endif /* CONFIG_TESTING_OPTIONS */
39 int sae_set_group(struct sae_data *sae, int group)
41 struct sae_temporary_data *tmp;
43 if (!sae_suitable_group(group)) {
44 wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group);
49 tmp = sae->tmp = os_zalloc(sizeof(*tmp));
53 /* First, check if this is an ECC group */
54 tmp->ec = crypto_ec_init(group);
56 wpa_printf(MSG_DEBUG, "SAE: Selecting supported ECC group %d",
59 tmp->prime_len = crypto_ec_prime_len(tmp->ec);
60 tmp->prime = crypto_ec_get_prime(tmp->ec);
61 tmp->order = crypto_ec_get_order(tmp->ec);
65 /* Not an ECC group, check FFC */
66 tmp->dh = dh_groups_get(group);
68 wpa_printf(MSG_DEBUG, "SAE: Selecting supported FFC group %d",
71 tmp->prime_len = tmp->dh->prime_len;
72 if (tmp->prime_len > SAE_MAX_PRIME_LEN) {
77 tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime,
79 if (tmp->prime_buf == NULL) {
83 tmp->prime = tmp->prime_buf;
85 tmp->order_buf = crypto_bignum_init_set(tmp->dh->order,
87 if (tmp->order_buf == NULL) {
91 tmp->order = tmp->order_buf;
96 /* Unsupported group */
98 "SAE: Group %d not supported by the crypto library", group);
103 void sae_clear_temp_data(struct sae_data *sae)
105 struct sae_temporary_data *tmp;
106 if (sae == NULL || sae->tmp == NULL)
109 crypto_ec_deinit(tmp->ec);
110 crypto_bignum_deinit(tmp->prime_buf, 0);
111 crypto_bignum_deinit(tmp->order_buf, 0);
112 crypto_bignum_deinit(tmp->sae_rand, 1);
113 crypto_bignum_deinit(tmp->pwe_ffc, 1);
114 crypto_bignum_deinit(tmp->own_commit_scalar, 0);
115 crypto_bignum_deinit(tmp->own_commit_element_ffc, 0);
116 crypto_bignum_deinit(tmp->peer_commit_element_ffc, 0);
117 crypto_ec_point_deinit(tmp->pwe_ecc, 1);
118 crypto_ec_point_deinit(tmp->own_commit_element_ecc, 0);
119 crypto_ec_point_deinit(tmp->peer_commit_element_ecc, 0);
120 wpabuf_free(tmp->anti_clogging_token);
122 bin_clear_free(tmp, sizeof(*tmp));
127 void sae_clear_data(struct sae_data *sae)
131 sae_clear_temp_data(sae);
132 crypto_bignum_deinit(sae->peer_commit_scalar, 0);
133 os_memset(sae, 0, sizeof(*sae));
137 static void buf_shift_right(u8 *buf, size_t len, size_t bits)
140 for (i = len - 1; i > 0; i--)
141 buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits);
146 static struct crypto_bignum * sae_get_rand(struct sae_data *sae)
148 u8 val[SAE_MAX_PRIME_LEN];
150 struct crypto_bignum *bn = NULL;
151 int order_len_bits = crypto_bignum_bits(sae->tmp->order);
152 size_t order_len = (order_len_bits + 7) / 8;
154 if (order_len > sizeof(val))
158 if (iter++ > 100 || random_get_bytes(val, order_len) < 0)
160 if (order_len_bits % 8)
161 buf_shift_right(val, order_len, 8 - order_len_bits % 8);
162 bn = crypto_bignum_init_set(val, order_len);
165 if (crypto_bignum_is_zero(bn) ||
166 crypto_bignum_is_one(bn) ||
167 crypto_bignum_cmp(bn, sae->tmp->order) >= 0) {
168 crypto_bignum_deinit(bn, 0);
174 os_memset(val, 0, order_len);
179 static struct crypto_bignum * sae_get_rand_and_mask(struct sae_data *sae)
181 crypto_bignum_deinit(sae->tmp->sae_rand, 1);
182 sae->tmp->sae_rand = sae_get_rand(sae);
183 if (sae->tmp->sae_rand == NULL)
185 return sae_get_rand(sae);
189 static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
191 wpa_printf(MSG_DEBUG, "SAE: PWE derivation - addr1=" MACSTR
192 " addr2=" MACSTR, MAC2STR(addr1), MAC2STR(addr2));
193 if (os_memcmp(addr1, addr2, ETH_ALEN) > 0) {
194 os_memcpy(key, addr1, ETH_ALEN);
195 os_memcpy(key + ETH_ALEN, addr2, ETH_ALEN);
197 os_memcpy(key, addr2, ETH_ALEN);
198 os_memcpy(key + ETH_ALEN, addr1, ETH_ALEN);
203 static struct crypto_bignum *
204 get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
208 struct crypto_bignum *r;
209 u8 tmp[SAE_MAX_ECC_PRIME_LEN];
211 if (random_get_bytes(tmp, prime_len) < 0)
214 buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
215 if (os_memcmp(tmp, prime, prime_len) >= 0)
217 r = crypto_bignum_init_set(tmp, prime_len);
220 if (crypto_bignum_is_zero(r)) {
221 crypto_bignum_deinit(r, 0);
225 *r_odd = tmp[prime_len - 1] & 0x01;
233 static int is_quadratic_residue_blind(struct sae_data *sae,
234 const u8 *prime, size_t bits,
235 const u8 *qr, const u8 *qnr,
236 const struct crypto_bignum *y_sqr)
238 struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
239 int r_odd, check, res = -1;
240 u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
241 size_t prime_len = sae->tmp->prime_len;
245 * Use the blinding technique to mask y_sqr while determining
246 * whether it is a quadratic residue modulo p to avoid leaking
247 * timing information while determining the Legendre symbol.
250 * r = a random number between 1 and p-1, inclusive
251 * num = (v * r * r) modulo p
253 r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
257 num = crypto_bignum_init();
259 crypto_bignum_mulmod(y_sqr, r, sae->tmp->prime, num) < 0 ||
260 crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
264 * Need to minimize differences in handling different cases, so try to
265 * avoid branches and timing differences.
268 * num = (num * qr) module p
269 * LGR(num, p) = 1 ==> quadratic residue
271 * num = (num * qnr) module p
272 * LGR(num, p) = -1 ==> quadratic residue
274 mask = const_time_is_zero(r_odd);
275 const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
276 qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
278 crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0)
280 /* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */
281 check = const_time_select_int(mask, -1, 1);
283 res = crypto_bignum_legendre(num, sae->tmp->prime);
288 /* branchless version of res = res == check
289 * (res is -1, 0, or 1; check is -1 or 1) */
290 mask = const_time_eq(res, check);
291 res = const_time_select_int(mask, 1, 0);
293 crypto_bignum_deinit(num, 1);
294 crypto_bignum_deinit(r, 1);
295 crypto_bignum_deinit(qr_or_qnr, 1);
300 static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
301 const u8 *prime, const u8 *qr, const u8 *qnr,
304 struct crypto_bignum *y_sqr, *x_cand;
308 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
310 /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
311 bits = crypto_ec_prime_len_bits(sae->tmp->ec);
312 if (sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
313 prime, sae->tmp->prime_len, pwd_value, bits) < 0)
316 buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8);
317 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
318 pwd_value, sae->tmp->prime_len);
320 if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
323 x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
326 y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand);
327 crypto_bignum_deinit(x_cand, 1);
331 res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
332 crypto_bignum_deinit(y_sqr, 1);
337 /* Returns -1 on fatal failure, 0 if PWE cannot be derived from the provided
338 * pwd-seed, or 1 if a valid PWE was derived from pwd-seed. */
339 static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
340 struct crypto_bignum *pwe)
342 u8 pwd_value[SAE_MAX_PRIME_LEN];
343 size_t bits = sae->tmp->prime_len * 8;
345 struct crypto_bignum *a, *b = NULL;
349 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
351 /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
352 if (sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
353 sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value,
356 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
357 sae->tmp->prime_len);
359 /* Check whether pwd-value < p */
360 res = const_time_memcmp(pwd_value, sae->tmp->dh->prime,
361 sae->tmp->prime_len);
362 /* pwd-value >= p is invalid, so res is < 0 for the valid cases and
363 * the negative sign can be used to fill the mask for constant time
365 pwd_value_valid = const_time_fill_msb(res);
367 /* If pwd-value >= p, force pwd-value to be < p and perform the
368 * calculations anyway to hide timing difference. The derived PWE will
369 * be ignored in that case. */
370 pwd_value[0] = const_time_select_u8(pwd_value_valid, pwd_value[0], 0);
372 /* PWE = pwd-value^((p-1)/r) modulo p */
375 a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
379 /* This is an optimization based on the used group that does not depend
380 * on the password in any way, so it is fine to use separate branches
381 * for this step without constant time operations. */
382 if (sae->tmp->dh->safe_prime) {
384 * r = (p-1)/2 for the group used here, so this becomes:
385 * PWE = pwd-value^2 modulo p
388 b = crypto_bignum_init_set(exp, sizeof(exp));
390 /* Calculate exponent: (p-1)/r */
392 b = crypto_bignum_init_set(exp, sizeof(exp));
394 crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
395 crypto_bignum_div(b, sae->tmp->order, b) < 0)
402 res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
406 /* There were no fatal errors in calculations, so determine the return
407 * value using constant time operations. We get here for number of
408 * invalid cases which are cleared here after having performed all the
409 * computation. PWE is valid if pwd-value was less than prime and
410 * PWE > 1. Start with pwd-value check first and then use constant time
411 * operations to clear res to 0 if PWE is 0 or 1.
413 res = const_time_select_u8(pwd_value_valid, 1, 0);
414 is_val = crypto_bignum_is_zero(pwe);
415 res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
416 is_val = crypto_bignum_is_one(pwe);
417 res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
420 crypto_bignum_deinit(a, 1);
421 crypto_bignum_deinit(b, 1);
426 static int get_random_qr_qnr(const u8 *prime, size_t prime_len,
427 const struct crypto_bignum *prime_bn,
428 size_t prime_bits, struct crypto_bignum **qr,
429 struct crypto_bignum **qnr)
434 while (!(*qr) || !(*qnr)) {
435 u8 tmp[SAE_MAX_ECC_PRIME_LEN];
436 struct crypto_bignum *q;
439 if (random_get_bytes(tmp, prime_len) < 0)
442 buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
443 if (os_memcmp(tmp, prime, prime_len) >= 0)
445 q = crypto_bignum_init_set(tmp, prime_len);
448 res = crypto_bignum_legendre(q, prime_bn);
450 if (res == 1 && !(*qr))
452 else if (res == -1 && !(*qnr))
455 crypto_bignum_deinit(q, 0);
458 return (*qr && *qnr) ? 0 : -1;
462 static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
463 const u8 *addr2, const u8 *password,
464 size_t password_len, const char *identifier)
467 u8 addrs[2 * ETH_ALEN];
471 u8 *dummy_password, *tmp_password;
472 int pwd_seed_odd = 0;
473 u8 prime[SAE_MAX_ECC_PRIME_LEN];
475 struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
476 u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
477 u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
478 u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
479 u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
482 u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
485 os_memset(x_bin, 0, sizeof(x_bin));
487 dummy_password = os_malloc(password_len);
488 tmp_password = os_malloc(password_len);
489 if (!dummy_password || !tmp_password ||
490 random_get_bytes(dummy_password, password_len) < 0)
493 prime_len = sae->tmp->prime_len;
494 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
497 bits = crypto_ec_prime_len_bits(sae->tmp->ec);
500 * Create a random quadratic residue (qr) and quadratic non-residue
501 * (qnr) modulo p for blinding purposes during the loop.
503 if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
505 crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 ||
506 crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0)
509 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
510 password, password_len);
512 wpa_printf(MSG_DEBUG, "SAE: password identifier: %s",
516 * H(salt, ikm) = HMAC-SHA256(salt, ikm)
517 * base = password [|| identifier]
518 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
521 sae_pwd_seed_key(addr1, addr2, addrs);
523 addr[0] = tmp_password;
524 len[0] = password_len;
527 addr[num_elem] = (const u8 *) identifier;
528 len[num_elem] = os_strlen(identifier);
531 addr[num_elem] = &counter;
532 len[num_elem] = sizeof(counter);
536 * Continue for at least k iterations to protect against side-channel
537 * attacks that attempt to determine the number of iterations required
540 for (counter = 1; counter <= k || !found; counter++) {
541 u8 pwd_seed[SHA256_MAC_LEN];
544 /* This should not happen in practice */
545 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
549 wpa_printf(MSG_DEBUG, "SAE: counter = %03u", counter);
550 const_time_select_bin(found, dummy_password, password,
551 password_len, tmp_password);
552 if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
553 addr, len, pwd_seed) < 0)
556 res = sae_test_pwd_seed_ecc(sae, pwd_seed,
557 prime, qr_bin, qnr_bin, x_cand_bin);
558 const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
560 pwd_seed_odd = const_time_select_u8(
562 pwd_seed[SHA256_MAC_LEN - 1] & 0x01);
563 os_memset(pwd_seed, 0, sizeof(pwd_seed));
566 /* Need to minimize differences in handling res == 0 and 1 here
567 * to avoid differences in timing and instruction cache access,
568 * so use const_time_select_*() to make local copies of the
569 * values based on whether this loop iteration was the one that
570 * found the pwd-seed/x. */
572 /* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
573 * (with res converted to 0/0xff) handles this in constant time.
576 wpa_printf(MSG_DEBUG, "SAE: pwd-seed result %d found=0x%02x",
581 wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
586 x = crypto_bignum_init_set(x_bin, prime_len);
592 if (!sae->tmp->pwe_ecc)
593 sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
594 if (!sae->tmp->pwe_ecc)
597 res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
598 sae->tmp->pwe_ecc, x,
602 * This should not happen since we already checked that there
605 wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
609 crypto_bignum_deinit(qr, 0);
610 crypto_bignum_deinit(qnr, 0);
611 os_free(dummy_password);
612 bin_clear_free(tmp_password, password_len);
613 crypto_bignum_deinit(x, 1);
614 os_memset(x_bin, 0, sizeof(x_bin));
615 os_memset(x_cand_bin, 0, sizeof(x_cand_bin));
621 static int sae_modp_group_require_masking(int group)
623 /* Groups for which pwd-value is likely to be >= p frequently */
624 return group == 22 || group == 23 || group == 24;
628 static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
629 const u8 *addr2, const u8 *password,
630 size_t password_len, const char *identifier)
632 u8 counter, k, sel_counter = 0;
633 u8 addrs[2 * ETH_ALEN];
637 u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
640 struct crypto_bignum *pwe;
641 size_t prime_len = sae->tmp->prime_len * 8;
644 crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
645 sae->tmp->pwe_ffc = NULL;
647 /* Allocate a buffer to maintain selected and candidate PWE for constant
649 pwe_buf = os_zalloc(prime_len * 2);
650 pwe = crypto_bignum_init();
651 if (!pwe_buf || !pwe)
654 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
655 password, password_len);
658 * H(salt, ikm) = HMAC-SHA256(salt, ikm)
659 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
660 * password [|| identifier] || counter)
662 sae_pwd_seed_key(addr1, addr2, addrs);
665 len[0] = password_len;
668 addr[num_elem] = (const u8 *) identifier;
669 len[num_elem] = os_strlen(identifier);
672 addr[num_elem] = &counter;
673 len[num_elem] = sizeof(counter);
676 k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
678 for (counter = 1; counter <= k || !found; counter++) {
679 u8 pwd_seed[SHA256_MAC_LEN];
683 /* This should not happen in practice */
684 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
688 wpa_printf(MSG_DEBUG, "SAE: counter = %02u", counter);
689 if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
690 addr, len, pwd_seed) < 0)
692 res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
693 /* res is -1 for fatal failure, 0 if a valid PWE was not found,
694 * or 1 if a valid PWE was found. */
697 /* Store the candidate PWE into the second half of pwe_buf and
698 * the selected PWE in the beginning of pwe_buf using constant
700 if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len,
703 const_time_select_bin(found, pwe_buf, pwe_buf + prime_len,
705 sel_counter = const_time_select_u8(found, sel_counter, counter);
706 mask = const_time_eq_u8(res, 1);
707 found = const_time_select_u8(found, found, mask);
713 wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter);
714 sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len);
716 crypto_bignum_deinit(pwe, 1);
717 bin_clear_free(pwe_buf, prime_len * 2);
718 return sae->tmp->pwe_ffc ? 0 : -1;
722 static int sae_derive_commit_element_ecc(struct sae_data *sae,
723 struct crypto_bignum *mask)
725 /* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
726 if (!sae->tmp->own_commit_element_ecc) {
727 sae->tmp->own_commit_element_ecc =
728 crypto_ec_point_init(sae->tmp->ec);
729 if (!sae->tmp->own_commit_element_ecc)
733 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask,
734 sae->tmp->own_commit_element_ecc) < 0 ||
735 crypto_ec_point_invert(sae->tmp->ec,
736 sae->tmp->own_commit_element_ecc) < 0) {
737 wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
745 static int sae_derive_commit_element_ffc(struct sae_data *sae,
746 struct crypto_bignum *mask)
748 /* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
749 if (!sae->tmp->own_commit_element_ffc) {
750 sae->tmp->own_commit_element_ffc = crypto_bignum_init();
751 if (!sae->tmp->own_commit_element_ffc)
755 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime,
756 sae->tmp->own_commit_element_ffc) < 0 ||
757 crypto_bignum_inverse(sae->tmp->own_commit_element_ffc,
759 sae->tmp->own_commit_element_ffc) < 0) {
760 wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
768 static int sae_derive_commit(struct sae_data *sae)
770 struct crypto_bignum *mask;
772 unsigned int counter = 0;
778 * This cannot really happen in practice if the random
779 * number generator is working. Anyway, to avoid even a
780 * theoretical infinite loop, break out after 100
786 mask = sae_get_rand_and_mask(sae);
788 wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask");
792 /* commit-scalar = (rand + mask) modulo r */
793 if (!sae->tmp->own_commit_scalar) {
794 sae->tmp->own_commit_scalar = crypto_bignum_init();
795 if (!sae->tmp->own_commit_scalar)
798 crypto_bignum_add(sae->tmp->sae_rand, mask,
799 sae->tmp->own_commit_scalar);
800 crypto_bignum_mod(sae->tmp->own_commit_scalar, sae->tmp->order,
801 sae->tmp->own_commit_scalar);
802 } while (crypto_bignum_is_zero(sae->tmp->own_commit_scalar) ||
803 crypto_bignum_is_one(sae->tmp->own_commit_scalar));
805 if ((sae->tmp->ec && sae_derive_commit_element_ecc(sae, mask) < 0) ||
806 (sae->tmp->dh && sae_derive_commit_element_ffc(sae, mask) < 0))
811 crypto_bignum_deinit(mask, 1);
816 int sae_prepare_commit(const u8 *addr1, const u8 *addr2,
817 const u8 *password, size_t password_len,
818 const char *identifier, struct sae_data *sae)
820 if (sae->tmp == NULL ||
821 (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password,
824 (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password,
827 sae_derive_commit(sae) < 0)
833 static int sae_derive_k_ecc(struct sae_data *sae, u8 *k)
835 struct crypto_ec_point *K;
838 K = crypto_ec_point_init(sae->tmp->ec);
843 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
844 * PEER-COMMIT-ELEMENT)))
845 * If K is identity element (point-at-infinity), reject
846 * k = F(K) (= x coordinate)
849 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc,
850 sae->peer_commit_scalar, K) < 0 ||
851 crypto_ec_point_add(sae->tmp->ec, K,
852 sae->tmp->peer_commit_element_ecc, K) < 0 ||
853 crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 ||
854 crypto_ec_point_is_at_infinity(sae->tmp->ec, K) ||
855 crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) {
856 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k");
860 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
864 crypto_ec_point_deinit(K, 1);
869 static int sae_derive_k_ffc(struct sae_data *sae, u8 *k)
871 struct crypto_bignum *K;
874 K = crypto_bignum_init();
879 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
880 * PEER-COMMIT-ELEMENT)))
881 * If K is identity element (one), reject.
882 * k = F(K) (= x coordinate)
885 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar,
886 sae->tmp->prime, K) < 0 ||
887 crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc,
888 sae->tmp->prime, K) < 0 ||
889 crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0
891 crypto_bignum_is_one(K) ||
892 crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) <
894 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k");
898 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
902 crypto_bignum_deinit(K, 1);
907 static int sae_derive_keys(struct sae_data *sae, const u8 *k)
909 u8 null_key[SAE_KEYSEED_KEY_LEN], val[SAE_MAX_PRIME_LEN];
910 u8 keyseed[SHA256_MAC_LEN];
911 u8 keys[SAE_KCK_LEN + SAE_PMK_LEN];
912 struct crypto_bignum *tmp;
915 tmp = crypto_bignum_init();
919 /* keyseed = H(<0>32, k)
920 * KCK || PMK = KDF-512(keyseed, "SAE KCK and PMK",
921 * (commit-scalar + peer-commit-scalar) modulo r)
922 * PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
925 os_memset(null_key, 0, sizeof(null_key));
926 hmac_sha256(null_key, sizeof(null_key), k, sae->tmp->prime_len,
928 wpa_hexdump_key(MSG_DEBUG, "SAE: keyseed", keyseed, sizeof(keyseed));
930 crypto_bignum_add(sae->tmp->own_commit_scalar, sae->peer_commit_scalar,
932 crypto_bignum_mod(tmp, sae->tmp->order, tmp);
933 crypto_bignum_to_bin(tmp, val, sizeof(val), sae->tmp->prime_len);
934 wpa_hexdump(MSG_DEBUG, "SAE: PMKID", val, SAE_PMKID_LEN);
935 if (sha256_prf(keyseed, sizeof(keyseed), "SAE KCK and PMK",
936 val, sae->tmp->prime_len, keys, sizeof(keys)) < 0)
938 os_memset(keyseed, 0, sizeof(keyseed));
939 os_memcpy(sae->tmp->kck, keys, SAE_KCK_LEN);
940 os_memcpy(sae->pmk, keys + SAE_KCK_LEN, SAE_PMK_LEN);
941 os_memcpy(sae->pmkid, val, SAE_PMKID_LEN);
942 os_memset(keys, 0, sizeof(keys));
943 wpa_hexdump_key(MSG_DEBUG, "SAE: KCK", sae->tmp->kck, SAE_KCK_LEN);
944 wpa_hexdump_key(MSG_DEBUG, "SAE: PMK", sae->pmk, SAE_PMK_LEN);
948 crypto_bignum_deinit(tmp, 0);
953 int sae_process_commit(struct sae_data *sae)
955 u8 k[SAE_MAX_PRIME_LEN];
956 if (sae->tmp == NULL ||
957 (sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) ||
958 (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) ||
959 sae_derive_keys(sae, k) < 0)
965 void sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
966 const struct wpabuf *token, const char *identifier)
970 if (sae->tmp == NULL)
973 wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */
975 wpabuf_put_buf(buf, token);
976 wpa_hexdump(MSG_DEBUG, "SAE: Anti-clogging token",
977 wpabuf_head(token), wpabuf_len(token));
979 pos = wpabuf_put(buf, sae->tmp->prime_len);
980 crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos,
981 sae->tmp->prime_len, sae->tmp->prime_len);
982 wpa_hexdump(MSG_DEBUG, "SAE: own commit-scalar",
983 pos, sae->tmp->prime_len);
985 pos = wpabuf_put(buf, 2 * sae->tmp->prime_len);
986 crypto_ec_point_to_bin(sae->tmp->ec,
987 sae->tmp->own_commit_element_ecc,
988 pos, pos + sae->tmp->prime_len);
989 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(x)",
990 pos, sae->tmp->prime_len);
991 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(y)",
992 pos + sae->tmp->prime_len, sae->tmp->prime_len);
994 pos = wpabuf_put(buf, sae->tmp->prime_len);
995 crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos,
996 sae->tmp->prime_len, sae->tmp->prime_len);
997 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element",
998 pos, sae->tmp->prime_len);
1002 /* Password Identifier element */
1003 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
1004 wpabuf_put_u8(buf, 1 + os_strlen(identifier));
1005 wpabuf_put_u8(buf, WLAN_EID_EXT_PASSWORD_IDENTIFIER);
1006 wpabuf_put_str(buf, identifier);
1007 wpa_printf(MSG_DEBUG, "SAE: own Password Identifier: %s",
1013 u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, u16 group)
1015 if (allowed_groups) {
1017 for (i = 0; allowed_groups[i] > 0; i++) {
1018 if (allowed_groups[i] == group)
1021 if (allowed_groups[i] != group) {
1022 wpa_printf(MSG_DEBUG, "SAE: Proposed group %u not "
1023 "enabled in the current configuration",
1025 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1029 if (sae->state == SAE_COMMITTED && group != sae->group) {
1030 wpa_printf(MSG_DEBUG, "SAE: Do not allow group to be changed");
1031 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1034 if (group != sae->group && sae_set_group(sae, group) < 0) {
1035 wpa_printf(MSG_DEBUG, "SAE: Unsupported Finite Cyclic Group %u",
1037 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1040 if (sae->tmp == NULL) {
1041 wpa_printf(MSG_DEBUG, "SAE: Group information not yet initialized");
1042 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1045 if (sae->tmp->dh && !allowed_groups) {
1046 wpa_printf(MSG_DEBUG, "SAE: Do not allow FFC group %u without "
1047 "explicit configuration enabling it", group);
1048 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
1051 return WLAN_STATUS_SUCCESS;
1055 static int sae_is_password_id_elem(const u8 *pos, const u8 *end)
1057 return end - pos >= 3 &&
1058 pos[0] == WLAN_EID_EXTENSION &&
1060 end - pos - 2 >= pos[1] &&
1061 pos[2] == WLAN_EID_EXT_PASSWORD_IDENTIFIER;
1065 static void sae_parse_commit_token(struct sae_data *sae, const u8 **pos,
1066 const u8 *end, const u8 **token,
1069 size_t scalar_elem_len, tlen;
1077 scalar_elem_len = (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len;
1078 if (scalar_elem_len >= (size_t) (end - *pos))
1079 return; /* No extra data beyond peer scalar and element */
1081 /* It is a bit difficult to parse this now that there is an
1082 * optional variable length Anti-Clogging Token field and
1083 * optional variable length Password Identifier element in the
1084 * frame. We are sending out fixed length Anti-Clogging Token
1085 * fields, so use that length as a requirement for the received
1086 * token and check for the presence of possible Password
1087 * Identifier element based on the element header information.
1089 tlen = end - (*pos + scalar_elem_len);
1091 if (tlen < SHA256_MAC_LEN) {
1092 wpa_printf(MSG_DEBUG,
1093 "SAE: Too short optional data (%u octets) to include our Anti-Clogging Token",
1094 (unsigned int) tlen);
1098 elem = *pos + scalar_elem_len;
1099 if (sae_is_password_id_elem(elem, end)) {
1100 /* Password Identifier element takes out all available
1101 * extra octets, so there can be no Anti-Clogging token in
1106 elem += SHA256_MAC_LEN;
1107 if (sae_is_password_id_elem(elem, end)) {
1108 /* Password Identifier element is included in the end, so
1109 * remove its length from the Anti-Clogging token field. */
1110 tlen -= 2 + elem[1];
1113 wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token", *pos, tlen);
1122 static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos,
1125 struct crypto_bignum *peer_scalar;
1127 if (sae->tmp->prime_len > end - *pos) {
1128 wpa_printf(MSG_DEBUG, "SAE: Not enough data for scalar");
1129 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1132 peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len);
1133 if (peer_scalar == NULL)
1134 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1137 * IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for
1138 * the peer and it is in Authenticated state, the new Commit Message
1139 * shall be dropped if the peer-scalar is identical to the one used in
1140 * the existing protocol instance.
1142 if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar &&
1143 crypto_bignum_cmp(sae->peer_commit_scalar, peer_scalar) == 0) {
1144 wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous "
1145 "peer-commit-scalar");
1146 crypto_bignum_deinit(peer_scalar, 0);
1147 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1150 /* 1 < scalar < r */
1151 if (crypto_bignum_is_zero(peer_scalar) ||
1152 crypto_bignum_is_one(peer_scalar) ||
1153 crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) {
1154 wpa_printf(MSG_DEBUG, "SAE: Invalid peer scalar");
1155 crypto_bignum_deinit(peer_scalar, 0);
1156 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1160 crypto_bignum_deinit(sae->peer_commit_scalar, 0);
1161 sae->peer_commit_scalar = peer_scalar;
1162 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-scalar",
1163 *pos, sae->tmp->prime_len);
1164 *pos += sae->tmp->prime_len;
1166 return WLAN_STATUS_SUCCESS;
1170 static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 **pos,
1173 u8 prime[SAE_MAX_ECC_PRIME_LEN];
1175 if (2 * sae->tmp->prime_len > end - *pos) {
1176 wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
1178 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1181 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
1182 sae->tmp->prime_len) < 0)
1183 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1185 /* element x and y coordinates < p */
1186 if (os_memcmp(*pos, prime, sae->tmp->prime_len) >= 0 ||
1187 os_memcmp(*pos + sae->tmp->prime_len, prime,
1188 sae->tmp->prime_len) >= 0) {
1189 wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer "
1191 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1194 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(x)",
1195 *pos, sae->tmp->prime_len);
1196 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(y)",
1197 *pos + sae->tmp->prime_len, sae->tmp->prime_len);
1199 crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0);
1200 sae->tmp->peer_commit_element_ecc =
1201 crypto_ec_point_from_bin(sae->tmp->ec, *pos);
1202 if (sae->tmp->peer_commit_element_ecc == NULL)
1203 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1205 if (!crypto_ec_point_is_on_curve(sae->tmp->ec,
1206 sae->tmp->peer_commit_element_ecc)) {
1207 wpa_printf(MSG_DEBUG, "SAE: Peer element is not on curve");
1208 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1211 *pos += 2 * sae->tmp->prime_len;
1213 return WLAN_STATUS_SUCCESS;
1217 static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 **pos,
1220 struct crypto_bignum *res, *one;
1221 const u8 one_bin[1] = { 0x01 };
1223 if (sae->tmp->prime_len > end - *pos) {
1224 wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
1226 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1228 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", *pos,
1229 sae->tmp->prime_len);
1231 crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0);
1232 sae->tmp->peer_commit_element_ffc =
1233 crypto_bignum_init_set(*pos, sae->tmp->prime_len);
1234 if (sae->tmp->peer_commit_element_ffc == NULL)
1235 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1236 /* 1 < element < p - 1 */
1237 res = crypto_bignum_init();
1238 one = crypto_bignum_init_set(one_bin, sizeof(one_bin));
1240 crypto_bignum_sub(sae->tmp->prime, one, res) ||
1241 crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) ||
1242 crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) ||
1243 crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc, res) >= 0) {
1244 crypto_bignum_deinit(res, 0);
1245 crypto_bignum_deinit(one, 0);
1246 wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
1247 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1249 crypto_bignum_deinit(one, 0);
1251 /* scalar-op(r, ELEMENT) = 1 modulo p */
1252 if (crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,
1253 sae->tmp->order, sae->tmp->prime, res) < 0 ||
1254 !crypto_bignum_is_one(res)) {
1255 wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)");
1256 crypto_bignum_deinit(res, 0);
1257 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1259 crypto_bignum_deinit(res, 0);
1261 *pos += sae->tmp->prime_len;
1263 return WLAN_STATUS_SUCCESS;
1267 static u16 sae_parse_commit_element(struct sae_data *sae, const u8 **pos,
1271 return sae_parse_commit_element_ffc(sae, pos, end);
1272 return sae_parse_commit_element_ecc(sae, pos, end);
1276 static int sae_parse_password_identifier(struct sae_data *sae,
1277 const u8 *pos, const u8 *end)
1279 wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame",
1281 if (!sae_is_password_id_elem(pos, end)) {
1282 if (sae->tmp->pw_id) {
1283 wpa_printf(MSG_DEBUG,
1284 "SAE: No Password Identifier included, but expected one (%s)",
1286 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
1288 os_free(sae->tmp->pw_id);
1289 sae->tmp->pw_id = NULL;
1290 return WLAN_STATUS_SUCCESS; /* No Password Identifier */
1293 if (sae->tmp->pw_id &&
1294 (pos[1] - 1 != (int) os_strlen(sae->tmp->pw_id) ||
1295 os_memcmp(sae->tmp->pw_id, pos + 3, pos[1] - 1) != 0)) {
1296 wpa_printf(MSG_DEBUG,
1297 "SAE: The included Password Identifier does not match the expected one (%s)",
1299 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
1302 os_free(sae->tmp->pw_id);
1303 sae->tmp->pw_id = os_malloc(pos[1]);
1304 if (!sae->tmp->pw_id)
1305 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1306 os_memcpy(sae->tmp->pw_id, pos + 3, pos[1] - 1);
1307 sae->tmp->pw_id[pos[1] - 1] = '\0';
1308 wpa_hexdump_ascii(MSG_DEBUG, "SAE: Received Password Identifier",
1309 sae->tmp->pw_id, pos[1] - 1);
1310 return WLAN_STATUS_SUCCESS;
1314 u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
1315 const u8 **token, size_t *token_len, int *allowed_groups)
1317 const u8 *pos = data, *end = data + len;
1320 /* Check Finite Cyclic Group */
1322 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1323 res = sae_group_allowed(sae, allowed_groups, WPA_GET_LE16(pos));
1324 if (res != WLAN_STATUS_SUCCESS)
1328 /* Optional Anti-Clogging Token */
1329 sae_parse_commit_token(sae, &pos, end, token, token_len);
1332 res = sae_parse_commit_scalar(sae, &pos, end);
1333 if (res != WLAN_STATUS_SUCCESS)
1336 /* commit-element */
1337 res = sae_parse_commit_element(sae, &pos, end);
1338 if (res != WLAN_STATUS_SUCCESS)
1341 /* Optional Password Identifier element */
1342 res = sae_parse_password_identifier(sae, pos, end);
1343 if (res != WLAN_STATUS_SUCCESS)
1347 * Check whether peer-commit-scalar and PEER-COMMIT-ELEMENT are same as
1348 * the values we sent which would be evidence of a reflection attack.
1350 if (!sae->tmp->own_commit_scalar ||
1351 crypto_bignum_cmp(sae->tmp->own_commit_scalar,
1352 sae->peer_commit_scalar) != 0 ||
1354 (!sae->tmp->own_commit_element_ffc ||
1355 crypto_bignum_cmp(sae->tmp->own_commit_element_ffc,
1356 sae->tmp->peer_commit_element_ffc) != 0)) ||
1358 (!sae->tmp->own_commit_element_ecc ||
1359 crypto_ec_point_cmp(sae->tmp->ec,
1360 sae->tmp->own_commit_element_ecc,
1361 sae->tmp->peer_commit_element_ecc) != 0)))
1362 return WLAN_STATUS_SUCCESS; /* scalars/elements are different */
1365 * This is a reflection attack - return special value to trigger caller
1366 * to silently discard the frame instead of replying with a specific
1369 return SAE_SILENTLY_DISCARD;
1373 static void sae_cn_confirm(struct sae_data *sae, const u8 *sc,
1374 const struct crypto_bignum *scalar1,
1375 const u8 *element1, size_t element1_len,
1376 const struct crypto_bignum *scalar2,
1377 const u8 *element2, size_t element2_len,
1382 u8 scalar_b1[SAE_MAX_PRIME_LEN], scalar_b2[SAE_MAX_PRIME_LEN];
1385 * CN(key, X, Y, Z, ...) =
1386 * HMAC-SHA256(key, D2OS(X) || D2OS(Y) || D2OS(Z) | ...)
1387 * confirm = CN(KCK, send-confirm, commit-scalar, COMMIT-ELEMENT,
1388 * peer-commit-scalar, PEER-COMMIT-ELEMENT)
1389 * verifier = CN(KCK, peer-send-confirm, peer-commit-scalar,
1390 * PEER-COMMIT-ELEMENT, commit-scalar, COMMIT-ELEMENT)
1394 crypto_bignum_to_bin(scalar1, scalar_b1, sizeof(scalar_b1),
1395 sae->tmp->prime_len);
1396 addr[1] = scalar_b1;
1397 len[1] = sae->tmp->prime_len;
1399 len[2] = element1_len;
1400 crypto_bignum_to_bin(scalar2, scalar_b2, sizeof(scalar_b2),
1401 sae->tmp->prime_len);
1402 addr[3] = scalar_b2;
1403 len[3] = sae->tmp->prime_len;
1405 len[4] = element2_len;
1406 hmac_sha256_vector(sae->tmp->kck, sizeof(sae->tmp->kck), 5, addr, len,
1411 static void sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc,
1412 const struct crypto_bignum *scalar1,
1413 const struct crypto_ec_point *element1,
1414 const struct crypto_bignum *scalar2,
1415 const struct crypto_ec_point *element2,
1418 u8 element_b1[2 * SAE_MAX_ECC_PRIME_LEN];
1419 u8 element_b2[2 * SAE_MAX_ECC_PRIME_LEN];
1421 crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1,
1422 element_b1 + sae->tmp->prime_len);
1423 crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2,
1424 element_b2 + sae->tmp->prime_len);
1426 sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len,
1427 scalar2, element_b2, 2 * sae->tmp->prime_len, confirm);
1431 static void sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc,
1432 const struct crypto_bignum *scalar1,
1433 const struct crypto_bignum *element1,
1434 const struct crypto_bignum *scalar2,
1435 const struct crypto_bignum *element2,
1438 u8 element_b1[SAE_MAX_PRIME_LEN];
1439 u8 element_b2[SAE_MAX_PRIME_LEN];
1441 crypto_bignum_to_bin(element1, element_b1, sizeof(element_b1),
1442 sae->tmp->prime_len);
1443 crypto_bignum_to_bin(element2, element_b2, sizeof(element_b2),
1444 sae->tmp->prime_len);
1446 sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len,
1447 scalar2, element_b2, sae->tmp->prime_len, confirm);
1451 void sae_write_confirm(struct sae_data *sae, struct wpabuf *buf)
1455 if (sae->tmp == NULL)
1459 sc = wpabuf_put(buf, 0);
1460 wpabuf_put_le16(buf, sae->send_confirm);
1461 if (sae->send_confirm < 0xffff)
1462 sae->send_confirm++;
1465 sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar,
1466 sae->tmp->own_commit_element_ecc,
1467 sae->peer_commit_scalar,
1468 sae->tmp->peer_commit_element_ecc,
1469 wpabuf_put(buf, SHA256_MAC_LEN));
1471 sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar,
1472 sae->tmp->own_commit_element_ffc,
1473 sae->peer_commit_scalar,
1474 sae->tmp->peer_commit_element_ffc,
1475 wpabuf_put(buf, SHA256_MAC_LEN));
1479 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
1481 u8 verifier[SHA256_MAC_LEN];
1483 if (len < 2 + SHA256_MAC_LEN) {
1484 wpa_printf(MSG_DEBUG, "SAE: Too short confirm message");
1488 wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
1490 if (!sae->tmp || !sae->peer_commit_scalar ||
1491 !sae->tmp->own_commit_scalar) {
1492 wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
1497 if (!sae->tmp->peer_commit_element_ecc ||
1498 !sae->tmp->own_commit_element_ecc)
1500 sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
1501 sae->tmp->peer_commit_element_ecc,
1502 sae->tmp->own_commit_scalar,
1503 sae->tmp->own_commit_element_ecc,
1506 if (!sae->tmp->peer_commit_element_ffc ||
1507 !sae->tmp->own_commit_element_ffc)
1509 sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
1510 sae->tmp->peer_commit_element_ffc,
1511 sae->tmp->own_commit_scalar,
1512 sae->tmp->own_commit_element_ffc,
1516 if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
1517 wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
1518 wpa_hexdump(MSG_DEBUG, "SAE: Received confirm",
1519 data + 2, SHA256_MAC_LEN);
1520 wpa_hexdump(MSG_DEBUG, "SAE: Calculated verifier",
1521 verifier, SHA256_MAC_LEN);
1529 const char * sae_state_txt(enum sae_state state)
projects / FreeBSD / FreeBSD.git / blob