Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / 81f62d8b157eaf8f9ea3fd74d571b30e4aadd954 / . / src / common / sae.c
blob: 0da7145e2d183ccaf3aa4e47b3fcc15ce1506eb5 [file] [log] [blame]
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1/*
2 * Simultaneous authentication of equals
Dmitry Shmidte4663042016-04-04 10:07:49 -0700[diff] [blame]3 * Copyright (c) 2012-2016, Jouni Malinen <j@w1.fi>
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]12#include "utils/const_time.h"
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]13#include "crypto/crypto.h"
14#include "crypto/sha256.h"
15#include "crypto/random.h"
16#include "crypto/dh_groups.h"
17#include "ieee802_11_defs.h"
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]18#include "dragonfly.h"
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]19#include "sae.h"
20
21
22int sae_set_group(struct sae_data *sae, int group)
23{
24 struct sae_temporary_data *tmp;
25
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]26#ifdef CONFIG_TESTING_OPTIONS
27 /* Allow all groups for testing purposes in non-production builds. */
28#else /* CONFIG_TESTING_OPTIONS */
29 if (!dragonfly_suitable_group(group, 0)) {
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]30 wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group);
31 return -1;
32 }
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]33#endif /* CONFIG_TESTING_OPTIONS */
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]34
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]35 sae_clear_data(sae);
36 tmp = sae->tmp = os_zalloc(sizeof(*tmp));
37 if (tmp == NULL)
38 return -1;
39
40 /* First, check if this is an ECC group */
41 tmp->ec = crypto_ec_init(group);
42 if (tmp->ec) {
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]43 wpa_printf(MSG_DEBUG, "SAE: Selecting supported ECC group %d",
44 group);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]45 sae->group = group;
46 tmp->prime_len = crypto_ec_prime_len(tmp->ec);
47 tmp->prime = crypto_ec_get_prime(tmp->ec);
48 tmp->order = crypto_ec_get_order(tmp->ec);
49 return 0;
50 }
51
52 /* Not an ECC group, check FFC */
53 tmp->dh = dh_groups_get(group);
54 if (tmp->dh) {
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]55 wpa_printf(MSG_DEBUG, "SAE: Selecting supported FFC group %d",
56 group);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]57 sae->group = group;
58 tmp->prime_len = tmp->dh->prime_len;
59 if (tmp->prime_len > SAE_MAX_PRIME_LEN) {
60 sae_clear_data(sae);
61 return -1;
62 }
63
64 tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime,
65 tmp->prime_len);
66 if (tmp->prime_buf == NULL) {
67 sae_clear_data(sae);
68 return -1;
69 }
70 tmp->prime = tmp->prime_buf;
71
72 tmp->order_buf = crypto_bignum_init_set(tmp->dh->order,
73 tmp->dh->order_len);
74 if (tmp->order_buf == NULL) {
75 sae_clear_data(sae);
76 return -1;
77 }
78 tmp->order = tmp->order_buf;
79
80 return 0;
81 }
82
83 /* Unsupported group */
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]84 wpa_printf(MSG_DEBUG,
85 "SAE: Group %d not supported by the crypto library", group);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]86 return -1;
87}
88
89
90void sae_clear_temp_data(struct sae_data *sae)
91{
92 struct sae_temporary_data *tmp;
93 if (sae == NULL || sae->tmp == NULL)
94 return;
95 tmp = sae->tmp;
96 crypto_ec_deinit(tmp->ec);
97 crypto_bignum_deinit(tmp->prime_buf, 0);
98 crypto_bignum_deinit(tmp->order_buf, 0);
99 crypto_bignum_deinit(tmp->sae_rand, 1);
100 crypto_bignum_deinit(tmp->pwe_ffc, 1);
101 crypto_bignum_deinit(tmp->own_commit_scalar, 0);
102 crypto_bignum_deinit(tmp->own_commit_element_ffc, 0);
103 crypto_bignum_deinit(tmp->peer_commit_element_ffc, 0);
104 crypto_ec_point_deinit(tmp->pwe_ecc, 1);
105 crypto_ec_point_deinit(tmp->own_commit_element_ecc, 0);
106 crypto_ec_point_deinit(tmp->peer_commit_element_ecc, 0);
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]107 wpabuf_free(tmp->anti_clogging_token);
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]108 os_free(tmp->pw_id);
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]109 bin_clear_free(tmp, sizeof(*tmp));
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]110 sae->tmp = NULL;
111}
112
113
114void sae_clear_data(struct sae_data *sae)
115{
116 if (sae == NULL)
117 return;
118 sae_clear_temp_data(sae);
119 crypto_bignum_deinit(sae->peer_commit_scalar, 0);
120 os_memset(sae, 0, sizeof(*sae));
121}
122
123
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]124static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
125{
126 wpa_printf(MSG_DEBUG, "SAE: PWE derivation - addr1=" MACSTR
127 " addr2=" MACSTR, MAC2STR(addr1), MAC2STR(addr2));
128 if (os_memcmp(addr1, addr2, ETH_ALEN) > 0) {
129 os_memcpy(key, addr1, ETH_ALEN);
130 os_memcpy(key + ETH_ALEN, addr2, ETH_ALEN);
131 } else {
132 os_memcpy(key, addr2, ETH_ALEN);
133 os_memcpy(key + ETH_ALEN, addr1, ETH_ALEN);
134 }
135}
136
137
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]138static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]139 const u8 *prime, const u8 *qr, const u8 *qnr,
140 u8 *pwd_value)
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]141{
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]142 struct crypto_bignum *y_sqr, *x_cand;
143 int res;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]144 size_t bits;
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]145 int cmp_prime;
146 unsigned int in_range;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]147
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]148 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
149
150 /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
151 bits = crypto_ec_prime_len_bits(sae->tmp->ec);
Dmitry Shmidte4663042016-04-04 10:07:49 -0700[diff] [blame]152 if (sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
153 prime, sae->tmp->prime_len, pwd_value, bits) < 0)
154 return -1;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]155 if (bits % 8)
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]156 buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]157 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
158 pwd_value, sae->tmp->prime_len);
159
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]160 cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len);
161 /* Create a const_time mask for selection based on prf result
162 * being smaller than prime. */
163 in_range = const_time_fill_msb((unsigned int) cmp_prime);
164 /* The algorithm description would skip the next steps if
165 * cmp_prime >= 0 (reutnr 0 here), but go through them regardless to
166 * minimize externally observable differences in behavior. */
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]167
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]168 x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
169 if (!x_cand)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]170 return -1;
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]171 y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand);
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]172 crypto_bignum_deinit(x_cand, 1);
173 if (!y_sqr)
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]174 return -1;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]175
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]176 res = dragonfly_is_quadratic_residue_blind(sae->tmp->ec, qr, qnr,
177 y_sqr);
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]178 crypto_bignum_deinit(y_sqr, 1);
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]179 if (res < 0)
180 return res;
181 return const_time_select_int(in_range, res, 0);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]182}
183
184
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]185/* Returns -1 on fatal failure, 0 if PWE cannot be derived from the provided
186 * pwd-seed, or 1 if a valid PWE was derived from pwd-seed. */
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]187static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
188 struct crypto_bignum *pwe)
189{
190 u8 pwd_value[SAE_MAX_PRIME_LEN];
191 size_t bits = sae->tmp->prime_len * 8;
192 u8 exp[1];
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]193 struct crypto_bignum *a, *b = NULL;
194 int res, is_val;
195 u8 pwd_value_valid;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]196
197 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
198
199 /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
Dmitry Shmidte4663042016-04-04 10:07:49 -0700[diff] [blame]200 if (sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
201 sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value,
202 bits) < 0)
203 return -1;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]204 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
205 sae->tmp->prime_len);
206
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]207 /* Check whether pwd-value < p */
208 res = const_time_memcmp(pwd_value, sae->tmp->dh->prime,
209 sae->tmp->prime_len);
210 /* pwd-value >= p is invalid, so res is < 0 for the valid cases and
211 * the negative sign can be used to fill the mask for constant time
212 * selection */
213 pwd_value_valid = const_time_fill_msb(res);
214
215 /* If pwd-value >= p, force pwd-value to be < p and perform the
216 * calculations anyway to hide timing difference. The derived PWE will
217 * be ignored in that case. */
218 pwd_value[0] = const_time_select_u8(pwd_value_valid, pwd_value[0], 0);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]219
220 /* PWE = pwd-value^((p-1)/r) modulo p */
221
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]222 res = -1;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]223 a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]224 if (!a)
225 goto fail;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]226
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]227 /* This is an optimization based on the used group that does not depend
228 * on the password in any way, so it is fine to use separate branches
229 * for this step without constant time operations. */
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]230 if (sae->tmp->dh->safe_prime) {
231 /*
232 * r = (p-1)/2 for the group used here, so this becomes:
233 * PWE = pwd-value^2 modulo p
234 */
235 exp[0] = 2;
236 b = crypto_bignum_init_set(exp, sizeof(exp));
237 } else {
238 /* Calculate exponent: (p-1)/r */
239 exp[0] = 1;
240 b = crypto_bignum_init_set(exp, sizeof(exp));
241 if (b == NULL ||
242 crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]243 crypto_bignum_div(b, sae->tmp->order, b) < 0)
244 goto fail;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]245 }
246
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]247 if (!b)
248 goto fail;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]249
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]250 res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
251 if (res < 0)
252 goto fail;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]253
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]254 /* There were no fatal errors in calculations, so determine the return
255 * value using constant time operations. We get here for number of
256 * invalid cases which are cleared here after having performed all the
257 * computation. PWE is valid if pwd-value was less than prime and
258 * PWE > 1. Start with pwd-value check first and then use constant time
259 * operations to clear res to 0 if PWE is 0 or 1.
260 */
261 res = const_time_select_u8(pwd_value_valid, 1, 0);
262 is_val = crypto_bignum_is_zero(pwe);
263 res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
264 is_val = crypto_bignum_is_one(pwe);
265 res = const_time_select_u8(const_time_is_zero(is_val), res, 0);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]266
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]267fail:
268 crypto_bignum_deinit(a, 1);
269 crypto_bignum_deinit(b, 1);
270 return res;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]271}
272
273
274static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
275 const u8 *addr2, const u8 *password,
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]276 size_t password_len, const char *identifier)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]277{
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]278 u8 counter, k = 40;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]279 u8 addrs[2 * ETH_ALEN];
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]280 const u8 *addr[3];
281 size_t len[3];
282 size_t num_elem;
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]283 u8 *dummy_password, *tmp_password;
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]284 int pwd_seed_odd = 0;
285 u8 prime[SAE_MAX_ECC_PRIME_LEN];
286 size_t prime_len;
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]287 struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
288 u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
289 u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
290 u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
291 u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]292 int res = -1;
293 u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
294 * mask */
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]295
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]296 os_memset(x_bin, 0, sizeof(x_bin));
297
298 dummy_password = os_malloc(password_len);
299 tmp_password = os_malloc(password_len);
300 if (!dummy_password || !tmp_password ||
301 random_get_bytes(dummy_password, password_len) < 0)
302 goto fail;
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]303
304 prime_len = sae->tmp->prime_len;
305 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
306 prime_len) < 0)
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]307 goto fail;
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]308
309 /*
310 * Create a random quadratic residue (qr) and quadratic non-residue
311 * (qnr) modulo p for blinding purposes during the loop.
312 */
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]313 if (dragonfly_get_random_qr_qnr(sae->tmp->prime, &qr, &qnr) < 0 ||
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]314 crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 ||
315 crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0)
316 goto fail;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]317
318 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
319 password, password_len);
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]320 if (identifier)
321 wpa_printf(MSG_DEBUG, "SAE: password identifier: %s",
322 identifier);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]323
324 /*
325 * H(salt, ikm) = HMAC-SHA256(salt, ikm)
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]326 * base = password [|| identifier]
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]327 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]328 * base || counter)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]329 */
330 sae_pwd_seed_key(addr1, addr2, addrs);
331
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]332 addr[0] = tmp_password;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]333 len[0] = password_len;
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]334 num_elem = 1;
335 if (identifier) {
336 addr[num_elem] = (const u8 *) identifier;
337 len[num_elem] = os_strlen(identifier);
338 num_elem++;
339 }
340 addr[num_elem] = &counter;
341 len[num_elem] = sizeof(counter);
342 num_elem++;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]343
344 /*
345 * Continue for at least k iterations to protect against side-channel
346 * attacks that attempt to determine the number of iterations required
347 * in the loop.
348 */
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]349 for (counter = 1; counter <= k || !found; counter++) {
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]350 u8 pwd_seed[SHA256_MAC_LEN];
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]351
352 if (counter > 200) {
353 /* This should not happen in practice */
354 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
355 break;
356 }
357
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]358 wpa_printf(MSG_DEBUG, "SAE: counter = %03u", counter);
359 const_time_select_bin(found, dummy_password, password,
360 password_len, tmp_password);
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]361 if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
362 addr, len, pwd_seed) < 0)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]363 break;
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]364
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]365 res = sae_test_pwd_seed_ecc(sae, pwd_seed,
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]366 prime, qr_bin, qnr_bin, x_cand_bin);
367 const_time_select_bin(found, x_bin, x_cand_bin, prime_len,
368 x_bin);
369 pwd_seed_odd = const_time_select_u8(
370 found, pwd_seed_odd,
371 pwd_seed[SHA256_MAC_LEN - 1] & 0x01);
372 os_memset(pwd_seed, 0, sizeof(pwd_seed));
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]373 if (res < 0)
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]374 goto fail;
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]375 /* Need to minimize differences in handling res == 0 and 1 here
376 * to avoid differences in timing and instruction cache access,
377 * so use const_time_select_*() to make local copies of the
378 * values based on whether this loop iteration was the one that
379 * found the pwd-seed/x. */
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]380
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]381 /* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
382 * (with res converted to 0/0xff) handles this in constant time.
383 */
384 found |= res * 0xff;
385 wpa_printf(MSG_DEBUG, "SAE: pwd-seed result %d found=0x%02x",
386 res, found);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]387 }
388
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]389 if (!found) {
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]390 wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
391 res = -1;
392 goto fail;
393 }
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]394
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]395 x = crypto_bignum_init_set(x_bin, prime_len);
396 if (!x) {
397 res = -1;
398 goto fail;
399 }
400
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]401 if (!sae->tmp->pwe_ecc)
402 sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
403 if (!sae->tmp->pwe_ecc)
404 res = -1;
405 else
406 res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
407 sae->tmp->pwe_ecc, x,
408 pwd_seed_odd);
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]409 if (res < 0) {
410 /*
411 * This should not happen since we already checked that there
412 * is a result.
413 */
414 wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
415 }
416
417fail:
418 crypto_bignum_deinit(qr, 0);
419 crypto_bignum_deinit(qnr, 0);
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]420 os_free(dummy_password);
421 bin_clear_free(tmp_password, password_len);
422 crypto_bignum_deinit(x, 1);
423 os_memset(x_bin, 0, sizeof(x_bin));
424 os_memset(x_cand_bin, 0, sizeof(x_cand_bin));
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]425
426 return res;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]427}
428
429
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]430static int sae_modp_group_require_masking(int group)
431{
432 /* Groups for which pwd-value is likely to be >= p frequently */
433 return group == 22 || group == 23 || group == 24;
434}
435
436
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]437static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
438 const u8 *addr2, const u8 *password,
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]439 size_t password_len, const char *identifier)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]440{
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]441 u8 counter, k, sel_counter = 0;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]442 u8 addrs[2 * ETH_ALEN];
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]443 const u8 *addr[3];
444 size_t len[3];
445 size_t num_elem;
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]446 u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
447 * mask */
448 u8 mask;
449 struct crypto_bignum *pwe;
450 size_t prime_len = sae->tmp->prime_len * 8;
451 u8 *pwe_buf;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]452
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]453 crypto_bignum_deinit(sae->tmp->pwe_ffc, 1);
454 sae->tmp->pwe_ffc = NULL;
455
456 /* Allocate a buffer to maintain selected and candidate PWE for constant
457 * time selection. */
458 pwe_buf = os_zalloc(prime_len * 2);
459 pwe = crypto_bignum_init();
460 if (!pwe_buf || !pwe)
461 goto fail;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]462
463 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
464 password, password_len);
465
466 /*
467 * H(salt, ikm) = HMAC-SHA256(salt, ikm)
468 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]469 * password [|| identifier] || counter)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]470 */
471 sae_pwd_seed_key(addr1, addr2, addrs);
472
473 addr[0] = password;
474 len[0] = password_len;
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]475 num_elem = 1;
476 if (identifier) {
477 addr[num_elem] = (const u8 *) identifier;
478 len[num_elem] = os_strlen(identifier);
479 num_elem++;
480 }
481 addr[num_elem] = &counter;
482 len[num_elem] = sizeof(counter);
483 num_elem++;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]484
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]485 k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
486
487 for (counter = 1; counter <= k || !found; counter++) {
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]488 u8 pwd_seed[SHA256_MAC_LEN];
489 int res;
490
491 if (counter > 200) {
492 /* This should not happen in practice */
493 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
494 break;
495 }
496
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]497 wpa_printf(MSG_DEBUG, "SAE: counter = %02u", counter);
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]498 if (hmac_sha256_vector(addrs, sizeof(addrs), num_elem,
499 addr, len, pwd_seed) < 0)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]500 break;
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]501 res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe);
502 /* res is -1 for fatal failure, 0 if a valid PWE was not found,
503 * or 1 if a valid PWE was found. */
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]504 if (res < 0)
505 break;
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]506 /* Store the candidate PWE into the second half of pwe_buf and
507 * the selected PWE in the beginning of pwe_buf using constant
508 * time selection. */
509 if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len,
510 prime_len) < 0)
511 break;
512 const_time_select_bin(found, pwe_buf, pwe_buf + prime_len,
513 prime_len, pwe_buf);
514 sel_counter = const_time_select_u8(found, sel_counter, counter);
515 mask = const_time_eq_u8(res, 1);
516 found = const_time_select_u8(found, found, mask);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]517 }
518
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]519 if (!found)
520 goto fail;
521
522 wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter);
523 sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len);
524fail:
525 crypto_bignum_deinit(pwe, 1);
526 bin_clear_free(pwe_buf, prime_len * 2);
527 return sae->tmp->pwe_ffc ? 0 : -1;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]528}
529
530
531static int sae_derive_commit_element_ecc(struct sae_data *sae,
532 struct crypto_bignum *mask)
533{
534 /* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
535 if (!sae->tmp->own_commit_element_ecc) {
536 sae->tmp->own_commit_element_ecc =
537 crypto_ec_point_init(sae->tmp->ec);
538 if (!sae->tmp->own_commit_element_ecc)
539 return -1;
540 }
541
542 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask,
543 sae->tmp->own_commit_element_ecc) < 0 ||
544 crypto_ec_point_invert(sae->tmp->ec,
545 sae->tmp->own_commit_element_ecc) < 0) {
546 wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
547 return -1;
548 }
549
550 return 0;
551}
552
553
554static int sae_derive_commit_element_ffc(struct sae_data *sae,
555 struct crypto_bignum *mask)
556{
557 /* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
558 if (!sae->tmp->own_commit_element_ffc) {
559 sae->tmp->own_commit_element_ffc = crypto_bignum_init();
560 if (!sae->tmp->own_commit_element_ffc)
561 return -1;
562 }
563
564 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime,
565 sae->tmp->own_commit_element_ffc) < 0 ||
566 crypto_bignum_inverse(sae->tmp->own_commit_element_ffc,
567 sae->tmp->prime,
568 sae->tmp->own_commit_element_ffc) < 0) {
569 wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
570 return -1;
571 }
572
573 return 0;
574}
575
576
577static int sae_derive_commit(struct sae_data *sae)
578{
579 struct crypto_bignum *mask;
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]580 int ret;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]581
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]582 mask = crypto_bignum_init();
583 if (!sae->tmp->sae_rand)
584 sae->tmp->sae_rand = crypto_bignum_init();
585 if (!sae->tmp->own_commit_scalar)
586 sae->tmp->own_commit_scalar = crypto_bignum_init();
587 ret = !mask || !sae->tmp->sae_rand || !sae->tmp->own_commit_scalar ||
588 dragonfly_generate_scalar(sae->tmp->order, sae->tmp->sae_rand,
589 mask,
590 sae->tmp->own_commit_scalar) < 0 ||
591 (sae->tmp->ec &&
592 sae_derive_commit_element_ecc(sae, mask) < 0) ||
593 (sae->tmp->dh &&
594 sae_derive_commit_element_ffc(sae, mask) < 0);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]595 crypto_bignum_deinit(mask, 1);
Hai Shalom81f62d82019-07-22 12:10:00 -0700[diff] [blame^]596 return ret ? -1 : 0;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]597}
598
599
600int sae_prepare_commit(const u8 *addr1, const u8 *addr2,
601 const u8 *password, size_t password_len,
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]602 const char *identifier, struct sae_data *sae)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]603{
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]604 if (sae->tmp == NULL ||
605 (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password,
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]606 password_len,
607 identifier) < 0) ||
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]608 (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password,
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]609 password_len,
610 identifier) < 0) ||
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]611 sae_derive_commit(sae) < 0)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]612 return -1;
613 return 0;
614}
615
616
617static int sae_derive_k_ecc(struct sae_data *sae, u8 *k)
618{
619 struct crypto_ec_point *K;
620 int ret = -1;
621
622 K = crypto_ec_point_init(sae->tmp->ec);
623 if (K == NULL)
624 goto fail;
625
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]626 /*
627 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
628 * PEER-COMMIT-ELEMENT)))
629 * If K is identity element (point-at-infinity), reject
630 * k = F(K) (= x coordinate)
631 */
632
633 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc,
634 sae->peer_commit_scalar, K) < 0 ||
635 crypto_ec_point_add(sae->tmp->ec, K,
636 sae->tmp->peer_commit_element_ecc, K) < 0 ||
637 crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 ||
638 crypto_ec_point_is_at_infinity(sae->tmp->ec, K) ||
639 crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) {
640 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k");
641 goto fail;
642 }
643
644 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
645
646 ret = 0;
647fail:
648 crypto_ec_point_deinit(K, 1);
649 return ret;
650}
651
652
653static int sae_derive_k_ffc(struct sae_data *sae, u8 *k)
654{
655 struct crypto_bignum *K;
656 int ret = -1;
657
658 K = crypto_bignum_init();
659 if (K == NULL)
660 goto fail;
661
662 /*
663 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
664 * PEER-COMMIT-ELEMENT)))
665 * If K is identity element (one), reject.
666 * k = F(K) (= x coordinate)
667 */
668
669 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar,
670 sae->tmp->prime, K) < 0 ||
671 crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc,
672 sae->tmp->prime, K) < 0 ||
673 crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0
674 ||
675 crypto_bignum_is_one(K) ||
676 crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) <
677 0) {
678 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k");
679 goto fail;
680 }
681
682 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
683
684 ret = 0;
685fail:
686 crypto_bignum_deinit(K, 1);
687 return ret;
688}
689
690
691static int sae_derive_keys(struct sae_data *sae, const u8 *k)
692{
693 u8 null_key[SAE_KEYSEED_KEY_LEN], val[SAE_MAX_PRIME_LEN];
694 u8 keyseed[SHA256_MAC_LEN];
695 u8 keys[SAE_KCK_LEN + SAE_PMK_LEN];
696 struct crypto_bignum *tmp;
697 int ret = -1;
698
699 tmp = crypto_bignum_init();
700 if (tmp == NULL)
701 goto fail;
702
703 /* keyseed = H(<0>32, k)
704 * KCK || PMK = KDF-512(keyseed, "SAE KCK and PMK",
705 * (commit-scalar + peer-commit-scalar) modulo r)
706 * PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
707 */
708
709 os_memset(null_key, 0, sizeof(null_key));
710 hmac_sha256(null_key, sizeof(null_key), k, sae->tmp->prime_len,
711 keyseed);
712 wpa_hexdump_key(MSG_DEBUG, "SAE: keyseed", keyseed, sizeof(keyseed));
713
714 crypto_bignum_add(sae->tmp->own_commit_scalar, sae->peer_commit_scalar,
715 tmp);
716 crypto_bignum_mod(tmp, sae->tmp->order, tmp);
717 crypto_bignum_to_bin(tmp, val, sizeof(val), sae->tmp->prime_len);
718 wpa_hexdump(MSG_DEBUG, "SAE: PMKID", val, SAE_PMKID_LEN);
Dmitry Shmidte4663042016-04-04 10:07:49 -0700[diff] [blame]719 if (sha256_prf(keyseed, sizeof(keyseed), "SAE KCK and PMK",
720 val, sae->tmp->prime_len, keys, sizeof(keys)) < 0)
721 goto fail;
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]722 os_memset(keyseed, 0, sizeof(keyseed));
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]723 os_memcpy(sae->tmp->kck, keys, SAE_KCK_LEN);
724 os_memcpy(sae->pmk, keys + SAE_KCK_LEN, SAE_PMK_LEN);
Dmitry Shmidtd97138d2015-12-28 13:27:49 -0800[diff] [blame]725 os_memcpy(sae->pmkid, val, SAE_PMKID_LEN);
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]726 os_memset(keys, 0, sizeof(keys));
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]727 wpa_hexdump_key(MSG_DEBUG, "SAE: KCK", sae->tmp->kck, SAE_KCK_LEN);
728 wpa_hexdump_key(MSG_DEBUG, "SAE: PMK", sae->pmk, SAE_PMK_LEN);
729
730 ret = 0;
731fail:
732 crypto_bignum_deinit(tmp, 0);
733 return ret;
734}
735
736
737int sae_process_commit(struct sae_data *sae)
738{
739 u8 k[SAE_MAX_PRIME_LEN];
Dmitry Shmidt96be6222014-02-13 10:16:51 -0800[diff] [blame]740 if (sae->tmp == NULL ||
741 (sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) ||
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]742 (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) ||
743 sae_derive_keys(sae, k) < 0)
744 return -1;
745 return 0;
746}
747
748
749void sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]750 const struct wpabuf *token, const char *identifier)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]751{
752 u8 *pos;
Dmitry Shmidt96be6222014-02-13 10:16:51 -0800[diff] [blame]753
754 if (sae->tmp == NULL)
755 return;
756
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]757 wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]758 if (token) {
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]759 wpabuf_put_buf(buf, token);
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]760 wpa_hexdump(MSG_DEBUG, "SAE: Anti-clogging token",
761 wpabuf_head(token), wpabuf_len(token));
762 }
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]763 pos = wpabuf_put(buf, sae->tmp->prime_len);
764 crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos,
765 sae->tmp->prime_len, sae->tmp->prime_len);
766 wpa_hexdump(MSG_DEBUG, "SAE: own commit-scalar",
767 pos, sae->tmp->prime_len);
768 if (sae->tmp->ec) {
769 pos = wpabuf_put(buf, 2 * sae->tmp->prime_len);
770 crypto_ec_point_to_bin(sae->tmp->ec,
771 sae->tmp->own_commit_element_ecc,
772 pos, pos + sae->tmp->prime_len);
773 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(x)",
774 pos, sae->tmp->prime_len);
775 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(y)",
776 pos + sae->tmp->prime_len, sae->tmp->prime_len);
777 } else {
778 pos = wpabuf_put(buf, sae->tmp->prime_len);
779 crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos,
780 sae->tmp->prime_len, sae->tmp->prime_len);
781 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element",
782 pos, sae->tmp->prime_len);
783 }
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]784
785 if (identifier) {
786 /* Password Identifier element */
787 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
788 wpabuf_put_u8(buf, 1 + os_strlen(identifier));
789 wpabuf_put_u8(buf, WLAN_EID_EXT_PASSWORD_IDENTIFIER);
790 wpabuf_put_str(buf, identifier);
791 wpa_printf(MSG_DEBUG, "SAE: own Password Identifier: %s",
792 identifier);
793 }
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]794}
795
796
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]797u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, u16 group)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]798{
799 if (allowed_groups) {
800 int i;
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800[diff] [blame]801 for (i = 0; allowed_groups[i] > 0; i++) {
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]802 if (allowed_groups[i] == group)
803 break;
804 }
805 if (allowed_groups[i] != group) {
806 wpa_printf(MSG_DEBUG, "SAE: Proposed group %u not "
807 "enabled in the current configuration",
808 group);
809 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
810 }
811 }
812
813 if (sae->state == SAE_COMMITTED && group != sae->group) {
814 wpa_printf(MSG_DEBUG, "SAE: Do not allow group to be changed");
815 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
816 }
817
818 if (group != sae->group && sae_set_group(sae, group) < 0) {
819 wpa_printf(MSG_DEBUG, "SAE: Unsupported Finite Cyclic Group %u",
820 group);
821 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
822 }
823
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800[diff] [blame]824 if (sae->tmp == NULL) {
825 wpa_printf(MSG_DEBUG, "SAE: Group information not yet initialized");
826 return WLAN_STATUS_UNSPECIFIED_FAILURE;
827 }
828
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]829 if (sae->tmp->dh && !allowed_groups) {
830 wpa_printf(MSG_DEBUG, "SAE: Do not allow FFC group %u without "
831 "explicit configuration enabling it", group);
832 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
833 }
834
835 return WLAN_STATUS_SUCCESS;
836}
837
838
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]839static int sae_is_password_id_elem(const u8 *pos, const u8 *end)
840{
841 return end - pos >= 3 &&
842 pos[0] == WLAN_EID_EXTENSION &&
843 pos[1] >= 1 &&
844 end - pos - 2 >= pos[1] &&
845 pos[2] == WLAN_EID_EXT_PASSWORD_IDENTIFIER;
846}
847
848
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]849static void sae_parse_commit_token(struct sae_data *sae, const u8 **pos,
850 const u8 *end, const u8 **token,
851 size_t *token_len)
852{
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]853 size_t scalar_elem_len, tlen;
854 const u8 *elem;
855
856 if (token)
857 *token = NULL;
858 if (token_len)
859 *token_len = 0;
860
861 scalar_elem_len = (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len;
862 if (scalar_elem_len >= (size_t) (end - *pos))
863 return; /* No extra data beyond peer scalar and element */
864
865 /* It is a bit difficult to parse this now that there is an
866 * optional variable length Anti-Clogging Token field and
867 * optional variable length Password Identifier element in the
868 * frame. We are sending out fixed length Anti-Clogging Token
869 * fields, so use that length as a requirement for the received
870 * token and check for the presence of possible Password
871 * Identifier element based on the element header information.
872 */
873 tlen = end - (*pos + scalar_elem_len);
874
875 if (tlen < SHA256_MAC_LEN) {
876 wpa_printf(MSG_DEBUG,
877 "SAE: Too short optional data (%u octets) to include our Anti-Clogging Token",
878 (unsigned int) tlen);
879 return;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]880 }
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]881
882 elem = *pos + scalar_elem_len;
883 if (sae_is_password_id_elem(elem, end)) {
884 /* Password Identifier element takes out all available
885 * extra octets, so there can be no Anti-Clogging token in
886 * this frame. */
887 return;
888 }
889
890 elem += SHA256_MAC_LEN;
891 if (sae_is_password_id_elem(elem, end)) {
892 /* Password Identifier element is included in the end, so
893 * remove its length from the Anti-Clogging token field. */
894 tlen -= 2 + elem[1];
895 }
896
897 wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token", *pos, tlen);
898 if (token)
899 *token = *pos;
900 if (token_len)
901 *token_len = tlen;
902 *pos += tlen;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]903}
904
905
906static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos,
907 const u8 *end)
908{
909 struct crypto_bignum *peer_scalar;
910
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800[diff] [blame]911 if (sae->tmp->prime_len > end - *pos) {
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]912 wpa_printf(MSG_DEBUG, "SAE: Not enough data for scalar");
913 return WLAN_STATUS_UNSPECIFIED_FAILURE;
914 }
915
916 peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len);
917 if (peer_scalar == NULL)
918 return WLAN_STATUS_UNSPECIFIED_FAILURE;
919
920 /*
921 * IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for
922 * the peer and it is in Authenticated state, the new Commit Message
923 * shall be dropped if the peer-scalar is identical to the one used in
924 * the existing protocol instance.
925 */
926 if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar &&
927 crypto_bignum_cmp(sae->peer_commit_scalar, peer_scalar) == 0) {
928 wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous "
929 "peer-commit-scalar");
930 crypto_bignum_deinit(peer_scalar, 0);
931 return WLAN_STATUS_UNSPECIFIED_FAILURE;
932 }
933
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]934 /* 1 < scalar < r */
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]935 if (crypto_bignum_is_zero(peer_scalar) ||
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]936 crypto_bignum_is_one(peer_scalar) ||
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]937 crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) {
938 wpa_printf(MSG_DEBUG, "SAE: Invalid peer scalar");
939 crypto_bignum_deinit(peer_scalar, 0);
940 return WLAN_STATUS_UNSPECIFIED_FAILURE;
941 }
942
943
944 crypto_bignum_deinit(sae->peer_commit_scalar, 0);
945 sae->peer_commit_scalar = peer_scalar;
946 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-scalar",
947 *pos, sae->tmp->prime_len);
948 *pos += sae->tmp->prime_len;
949
950 return WLAN_STATUS_SUCCESS;
951}
952
953
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]954static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 **pos,
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]955 const u8 *end)
956{
957 u8 prime[SAE_MAX_ECC_PRIME_LEN];
958
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]959 if (2 * sae->tmp->prime_len > end - *pos) {
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]960 wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
961 "commit-element");
962 return WLAN_STATUS_UNSPECIFIED_FAILURE;
963 }
964
965 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
966 sae->tmp->prime_len) < 0)
967 return WLAN_STATUS_UNSPECIFIED_FAILURE;
968
969 /* element x and y coordinates < p */
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]970 if (os_memcmp(*pos, prime, sae->tmp->prime_len) >= 0 ||
971 os_memcmp(*pos + sae->tmp->prime_len, prime,
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]972 sae->tmp->prime_len) >= 0) {
973 wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer "
974 "element");
975 return WLAN_STATUS_UNSPECIFIED_FAILURE;
976 }
977
978 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(x)",
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]979 *pos, sae->tmp->prime_len);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]980 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(y)",
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]981 *pos + sae->tmp->prime_len, sae->tmp->prime_len);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]982
983 crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0);
984 sae->tmp->peer_commit_element_ecc =
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]985 crypto_ec_point_from_bin(sae->tmp->ec, *pos);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]986 if (sae->tmp->peer_commit_element_ecc == NULL)
987 return WLAN_STATUS_UNSPECIFIED_FAILURE;
988
Dmitry Shmidt2f023192013-03-12 12:44:17 -0700[diff] [blame]989 if (!crypto_ec_point_is_on_curve(sae->tmp->ec,
990 sae->tmp->peer_commit_element_ecc)) {
991 wpa_printf(MSG_DEBUG, "SAE: Peer element is not on curve");
992 return WLAN_STATUS_UNSPECIFIED_FAILURE;
993 }
994
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]995 *pos += 2 * sae->tmp->prime_len;
996
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]997 return WLAN_STATUS_SUCCESS;
998}
999
1000
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]1001static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 **pos,
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1002 const u8 *end)
1003{
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]1004 struct crypto_bignum *res, *one;
1005 const u8 one_bin[1] = { 0x01 };
Dmitry Shmidt2f023192013-03-12 12:44:17 -0700[diff] [blame]1006
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]1007 if (sae->tmp->prime_len > end - *pos) {
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1008 wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
1009 "commit-element");
1010 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1011 }
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]1012 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", *pos,
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1013 sae->tmp->prime_len);
1014
1015 crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0);
1016 sae->tmp->peer_commit_element_ffc =
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]1017 crypto_bignum_init_set(*pos, sae->tmp->prime_len);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1018 if (sae->tmp->peer_commit_element_ffc == NULL)
1019 return WLAN_STATUS_UNSPECIFIED_FAILURE;
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]1020 /* 1 < element < p - 1 */
1021 res = crypto_bignum_init();
1022 one = crypto_bignum_init_set(one_bin, sizeof(one_bin));
1023 if (!res || !one ||
1024 crypto_bignum_sub(sae->tmp->prime, one, res) ||
1025 crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) ||
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1026 crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) ||
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]1027 crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc, res) >= 0) {
1028 crypto_bignum_deinit(res, 0);
1029 crypto_bignum_deinit(one, 0);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1030 wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
1031 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1032 }
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]1033 crypto_bignum_deinit(one, 0);
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1034
Dmitry Shmidt2f023192013-03-12 12:44:17 -0700[diff] [blame]1035 /* scalar-op(r, ELEMENT) = 1 modulo p */
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]1036 if (crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,
Dmitry Shmidt2f023192013-03-12 12:44:17 -0700[diff] [blame]1037 sae->tmp->order, sae->tmp->prime, res) < 0 ||
1038 !crypto_bignum_is_one(res)) {
1039 wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)");
1040 crypto_bignum_deinit(res, 0);
1041 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1042 }
1043 crypto_bignum_deinit(res, 0);
1044
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]1045 *pos += sae->tmp->prime_len;
1046
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1047 return WLAN_STATUS_SUCCESS;
1048}
1049
1050
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]1051static u16 sae_parse_commit_element(struct sae_data *sae, const u8 **pos,
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1052 const u8 *end)
1053{
1054 if (sae->tmp->dh)
1055 return sae_parse_commit_element_ffc(sae, pos, end);
1056 return sae_parse_commit_element_ecc(sae, pos, end);
1057}
1058
1059
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]1060static int sae_parse_password_identifier(struct sae_data *sae,
1061 const u8 *pos, const u8 *end)
1062{
1063 wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame",
1064 pos, end - pos);
1065 if (!sae_is_password_id_elem(pos, end)) {
1066 if (sae->tmp->pw_id) {
1067 wpa_printf(MSG_DEBUG,
1068 "SAE: No Password Identifier included, but expected one (%s)",
1069 sae->tmp->pw_id);
1070 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
1071 }
1072 os_free(sae->tmp->pw_id);
1073 sae->tmp->pw_id = NULL;
1074 return WLAN_STATUS_SUCCESS; /* No Password Identifier */
1075 }
1076
1077 if (sae->tmp->pw_id &&
1078 (pos[1] - 1 != (int) os_strlen(sae->tmp->pw_id) ||
1079 os_memcmp(sae->tmp->pw_id, pos + 3, pos[1] - 1) != 0)) {
1080 wpa_printf(MSG_DEBUG,
1081 "SAE: The included Password Identifier does not match the expected one (%s)",
1082 sae->tmp->pw_id);
1083 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER;
1084 }
1085
1086 os_free(sae->tmp->pw_id);
1087 sae->tmp->pw_id = os_malloc(pos[1]);
1088 if (!sae->tmp->pw_id)
1089 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1090 os_memcpy(sae->tmp->pw_id, pos + 3, pos[1] - 1);
1091 sae->tmp->pw_id[pos[1] - 1] = '\0';
1092 wpa_hexdump_ascii(MSG_DEBUG, "SAE: Received Password Identifier",
1093 sae->tmp->pw_id, pos[1] - 1);
1094 return WLAN_STATUS_SUCCESS;
1095}
1096
1097
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1098u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
1099 const u8 **token, size_t *token_len, int *allowed_groups)
1100{
1101 const u8 *pos = data, *end = data + len;
1102 u16 res;
1103
1104 /* Check Finite Cyclic Group */
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800[diff] [blame]1105 if (end - pos < 2)
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1106 return WLAN_STATUS_UNSPECIFIED_FAILURE;
1107 res = sae_group_allowed(sae, allowed_groups, WPA_GET_LE16(pos));
1108 if (res != WLAN_STATUS_SUCCESS)
1109 return res;
1110 pos += 2;
1111
1112 /* Optional Anti-Clogging Token */
1113 sae_parse_commit_token(sae, &pos, end, token, token_len);
1114
1115 /* commit-scalar */
1116 res = sae_parse_commit_scalar(sae, &pos, end);
1117 if (res != WLAN_STATUS_SUCCESS)
1118 return res;
1119
1120 /* commit-element */
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]1121 res = sae_parse_commit_element(sae, &pos, end);
1122 if (res != WLAN_STATUS_SUCCESS)
1123 return res;
1124
1125 /* Optional Password Identifier element */
1126 res = sae_parse_password_identifier(sae, pos, end);
Dmitry Shmidt41712582015-06-29 11:02:15 -0700[diff] [blame]1127 if (res != WLAN_STATUS_SUCCESS)
1128 return res;
1129
1130 /*
1131 * Check whether peer-commit-scalar and PEER-COMMIT-ELEMENT are same as
1132 * the values we sent which would be evidence of a reflection attack.
1133 */
1134 if (!sae->tmp->own_commit_scalar ||
1135 crypto_bignum_cmp(sae->tmp->own_commit_scalar,
1136 sae->peer_commit_scalar) != 0 ||
1137 (sae->tmp->dh &&
1138 (!sae->tmp->own_commit_element_ffc ||
1139 crypto_bignum_cmp(sae->tmp->own_commit_element_ffc,
1140 sae->tmp->peer_commit_element_ffc) != 0)) ||
1141 (sae->tmp->ec &&
1142 (!sae->tmp->own_commit_element_ecc ||
1143 crypto_ec_point_cmp(sae->tmp->ec,
1144 sae->tmp->own_commit_element_ecc,
1145 sae->tmp->peer_commit_element_ecc) != 0)))
1146 return WLAN_STATUS_SUCCESS; /* scalars/elements are different */
1147
1148 /*
1149 * This is a reflection attack - return special value to trigger caller
1150 * to silently discard the frame instead of replying with a specific
1151 * status code.
1152 */
1153 return SAE_SILENTLY_DISCARD;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1154}
1155
1156
1157static void sae_cn_confirm(struct sae_data *sae, const u8 *sc,
1158 const struct crypto_bignum *scalar1,
1159 const u8 *element1, size_t element1_len,
1160 const struct crypto_bignum *scalar2,
1161 const u8 *element2, size_t element2_len,
1162 u8 *confirm)
1163{
1164 const u8 *addr[5];
1165 size_t len[5];
1166 u8 scalar_b1[SAE_MAX_PRIME_LEN], scalar_b2[SAE_MAX_PRIME_LEN];
1167
1168 /* Confirm
1169 * CN(key, X, Y, Z, ...) =
1170 * HMAC-SHA256(key, D2OS(X) || D2OS(Y) || D2OS(Z) | ...)
1171 * confirm = CN(KCK, send-confirm, commit-scalar, COMMIT-ELEMENT,
1172 * peer-commit-scalar, PEER-COMMIT-ELEMENT)
1173 * verifier = CN(KCK, peer-send-confirm, peer-commit-scalar,
1174 * PEER-COMMIT-ELEMENT, commit-scalar, COMMIT-ELEMENT)
1175 */
1176 addr[0] = sc;
1177 len[0] = 2;
1178 crypto_bignum_to_bin(scalar1, scalar_b1, sizeof(scalar_b1),
1179 sae->tmp->prime_len);
1180 addr[1] = scalar_b1;
1181 len[1] = sae->tmp->prime_len;
1182 addr[2] = element1;
1183 len[2] = element1_len;
1184 crypto_bignum_to_bin(scalar2, scalar_b2, sizeof(scalar_b2),
1185 sae->tmp->prime_len);
1186 addr[3] = scalar_b2;
1187 len[3] = sae->tmp->prime_len;
1188 addr[4] = element2;
1189 len[4] = element2_len;
1190 hmac_sha256_vector(sae->tmp->kck, sizeof(sae->tmp->kck), 5, addr, len,
1191 confirm);
1192}
1193
1194
1195static void sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc,
1196 const struct crypto_bignum *scalar1,
1197 const struct crypto_ec_point *element1,
1198 const struct crypto_bignum *scalar2,
1199 const struct crypto_ec_point *element2,
1200 u8 *confirm)
1201{
1202 u8 element_b1[2 * SAE_MAX_ECC_PRIME_LEN];
1203 u8 element_b2[2 * SAE_MAX_ECC_PRIME_LEN];
1204
1205 crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1,
1206 element_b1 + sae->tmp->prime_len);
1207 crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2,
1208 element_b2 + sae->tmp->prime_len);
1209
1210 sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len,
1211 scalar2, element_b2, 2 * sae->tmp->prime_len, confirm);
1212}
1213
1214
1215static void sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc,
1216 const struct crypto_bignum *scalar1,
1217 const struct crypto_bignum *element1,
1218 const struct crypto_bignum *scalar2,
1219 const struct crypto_bignum *element2,
1220 u8 *confirm)
1221{
1222 u8 element_b1[SAE_MAX_PRIME_LEN];
1223 u8 element_b2[SAE_MAX_PRIME_LEN];
1224
1225 crypto_bignum_to_bin(element1, element_b1, sizeof(element_b1),
1226 sae->tmp->prime_len);
1227 crypto_bignum_to_bin(element2, element_b2, sizeof(element_b2),
1228 sae->tmp->prime_len);
1229
1230 sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len,
1231 scalar2, element_b2, sae->tmp->prime_len, confirm);
1232}
1233
1234
1235void sae_write_confirm(struct sae_data *sae, struct wpabuf *buf)
1236{
1237 const u8 *sc;
1238
Dmitry Shmidt96be6222014-02-13 10:16:51 -0800[diff] [blame]1239 if (sae->tmp == NULL)
1240 return;
1241
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1242 /* Send-Confirm */
1243 sc = wpabuf_put(buf, 0);
1244 wpabuf_put_le16(buf, sae->send_confirm);
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]1245 if (sae->send_confirm < 0xffff)
1246 sae->send_confirm++;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1247
1248 if (sae->tmp->ec)
1249 sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar,
1250 sae->tmp->own_commit_element_ecc,
1251 sae->peer_commit_scalar,
1252 sae->tmp->peer_commit_element_ecc,
1253 wpabuf_put(buf, SHA256_MAC_LEN));
1254 else
1255 sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar,
1256 sae->tmp->own_commit_element_ffc,
1257 sae->peer_commit_scalar,
1258 sae->tmp->peer_commit_element_ffc,
1259 wpabuf_put(buf, SHA256_MAC_LEN));
1260}
1261
1262
1263int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
1264{
1265 u8 verifier[SHA256_MAC_LEN];
1266
1267 if (len < 2 + SHA256_MAC_LEN) {
1268 wpa_printf(MSG_DEBUG, "SAE: Too short confirm message");
1269 return -1;
1270 }
1271
1272 wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
1273
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]1274 if (!sae->tmp || !sae->peer_commit_scalar ||
1275 !sae->tmp->own_commit_scalar) {
Dmitry Shmidt96be6222014-02-13 10:16:51 -0800[diff] [blame]1276 wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
1277 return -1;
1278 }
1279
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]1280 if (sae->tmp->ec) {
1281 if (!sae->tmp->peer_commit_element_ecc ||
1282 !sae->tmp->own_commit_element_ecc)
1283 return -1;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1284 sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
1285 sae->tmp->peer_commit_element_ecc,
1286 sae->tmp->own_commit_scalar,
1287 sae->tmp->own_commit_element_ecc,
1288 verifier);
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]1289 } else {
1290 if (!sae->tmp->peer_commit_element_ffc ||
1291 !sae->tmp->own_commit_element_ffc)
1292 return -1;
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1293 sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
1294 sae->tmp->peer_commit_element_ffc,
1295 sae->tmp->own_commit_scalar,
1296 sae->tmp->own_commit_element_ffc,
1297 verifier);
Hai Shalom021b0b52019-04-10 11:17:58 -0700[diff] [blame]1298 }
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1299
Dmitry Shmidtc2817022014-07-02 10:32:10 -0700[diff] [blame]1300 if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800[diff] [blame]1301 wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
1302 wpa_hexdump(MSG_DEBUG, "SAE: Received confirm",
1303 data + 2, SHA256_MAC_LEN);
1304 wpa_hexdump(MSG_DEBUG, "SAE: Calculated verifier",
1305 verifier, SHA256_MAC_LEN);
1306 return -1;
1307 }
1308
1309 return 0;
1310}
Roshan Pius3a1667e2018-07-03 15:17:14 -0700[diff] [blame]1311
1312
1313const char * sae_state_txt(enum sae_state state)
1314{
1315 switch (state) {
1316 case SAE_NOTHING:
1317 return "Nothing";
1318 case SAE_COMMITTED:
1319 return "Committed";
1320 case SAE_CONFIRMED:
1321 return "Confirmed";
1322 case SAE_ACCEPTED:
1323 return "Accepted";
1324 }
1325 return "?";
1326}