1/*
2 * Simultaneous authentication of equals
3 * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/crypto.h"
13#include "crypto/sha256.h"
14#include "crypto/random.h"
15#include "crypto/dh_groups.h"
16#include "ieee802_11_defs.h"
17#include "sae.h"
18
19
20int sae_set_group(struct sae_data *sae, int group)
21{
22	struct sae_temporary_data *tmp;
23
24	sae_clear_data(sae);
25	tmp = sae->tmp = os_zalloc(sizeof(*tmp));
26	if (tmp == NULL)
27		return -1;
28
29	/* First, check if this is an ECC group */
30	tmp->ec = crypto_ec_init(group);
31	if (tmp->ec) {
32		sae->group = group;
33		tmp->prime_len = crypto_ec_prime_len(tmp->ec);
34		tmp->prime = crypto_ec_get_prime(tmp->ec);
35		tmp->order = crypto_ec_get_order(tmp->ec);
36		return 0;
37	}
38
39	/* Not an ECC group, check FFC */
40	tmp->dh = dh_groups_get(group);
41	if (tmp->dh) {
42		sae->group = group;
43		tmp->prime_len = tmp->dh->prime_len;
44		if (tmp->prime_len > SAE_MAX_PRIME_LEN) {
45			sae_clear_data(sae);
46			return -1;
47		}
48
49		tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime,
50							tmp->prime_len);
51		if (tmp->prime_buf == NULL) {
52			sae_clear_data(sae);
53			return -1;
54		}
55		tmp->prime = tmp->prime_buf;
56
57		tmp->order_buf = crypto_bignum_init_set(tmp->dh->order,
58							tmp->dh->order_len);
59		if (tmp->order_buf == NULL) {
60			sae_clear_data(sae);
61			return -1;
62		}
63		tmp->order = tmp->order_buf;
64
65		return 0;
66	}
67
68	/* Unsupported group */
69	return -1;
70}
71
72
73void sae_clear_temp_data(struct sae_data *sae)
74{
75	struct sae_temporary_data *tmp;
76	if (sae == NULL || sae->tmp == NULL)
77		return;
78	tmp = sae->tmp;
79	crypto_ec_deinit(tmp->ec);
80	crypto_bignum_deinit(tmp->prime_buf, 0);
81	crypto_bignum_deinit(tmp->order_buf, 0);
82	crypto_bignum_deinit(tmp->sae_rand, 1);
83	crypto_bignum_deinit(tmp->pwe_ffc, 1);
84	crypto_bignum_deinit(tmp->own_commit_scalar, 0);
85	crypto_bignum_deinit(tmp->own_commit_element_ffc, 0);
86	crypto_bignum_deinit(tmp->peer_commit_element_ffc, 0);
87	crypto_ec_point_deinit(tmp->pwe_ecc, 1);
88	crypto_ec_point_deinit(tmp->own_commit_element_ecc, 0);
89	crypto_ec_point_deinit(tmp->peer_commit_element_ecc, 0);
90	os_free(sae->tmp);
91	sae->tmp = NULL;
92}
93
94
95void sae_clear_data(struct sae_data *sae)
96{
97	if (sae == NULL)
98		return;
99	sae_clear_temp_data(sae);
100	crypto_bignum_deinit(sae->peer_commit_scalar, 0);
101	os_memset(sae, 0, sizeof(*sae));
102}
103
104
105static void buf_shift_right(u8 *buf, size_t len, size_t bits)
106{
107	size_t i;
108	for (i = len - 1; i > 0; i--)
109		buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits);
110	buf[0] >>= bits;
111}
112
113
114static struct crypto_bignum * sae_get_rand(struct sae_data *sae)
115{
116	u8 val[SAE_MAX_PRIME_LEN];
117	int iter = 0;
118	struct crypto_bignum *bn = NULL;
119	int order_len_bits = crypto_bignum_bits(sae->tmp->order);
120	size_t order_len = (order_len_bits + 7) / 8;
121
122	if (order_len > sizeof(val))
123		return NULL;
124
125	for (;;) {
126		if (iter++ > 100)
127			return NULL;
128		if (random_get_bytes(val, order_len) < 0)
129			return NULL;
130		if (order_len_bits % 8)
131			buf_shift_right(val, order_len, 8 - order_len_bits % 8);
132		bn = crypto_bignum_init_set(val, order_len);
133		if (bn == NULL)
134			return NULL;
135		if (crypto_bignum_is_zero(bn) ||
136		    crypto_bignum_is_one(bn) ||
137		    crypto_bignum_cmp(bn, sae->tmp->order) >= 0)
138			continue;
139		break;
140	}
141
142	os_memset(val, 0, order_len);
143	return bn;
144}
145
146
147static struct crypto_bignum * sae_get_rand_and_mask(struct sae_data *sae)
148{
149	crypto_bignum_deinit(sae->tmp->sae_rand, 1);
150	sae->tmp->sae_rand = sae_get_rand(sae);
151	if (sae->tmp->sae_rand == NULL)
152		return NULL;
153	return sae_get_rand(sae);
154}
155
156
157static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
158{
159	wpa_printf(MSG_DEBUG, "SAE: PWE derivation - addr1=" MACSTR
160		   " addr2=" MACSTR, MAC2STR(addr1), MAC2STR(addr2));
161	if (os_memcmp(addr1, addr2, ETH_ALEN) > 0) {
162		os_memcpy(key, addr1, ETH_ALEN);
163		os_memcpy(key + ETH_ALEN, addr2, ETH_ALEN);
164	} else {
165		os_memcpy(key, addr2, ETH_ALEN);
166		os_memcpy(key + ETH_ALEN, addr1, ETH_ALEN);
167	}
168}
169
170
171static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
172				 struct crypto_ec_point *pwe)
173{
174	u8 pwd_value[SAE_MAX_ECC_PRIME_LEN], prime[SAE_MAX_ECC_PRIME_LEN];
175	struct crypto_bignum *x;
176	int y_bit;
177	size_t bits;
178
179	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
180				 sae->tmp->prime_len) < 0)
181		return -1;
182
183	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
184
185	/* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
186	bits = crypto_ec_prime_len_bits(sae->tmp->ec);
187	sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
188			prime, sae->tmp->prime_len, pwd_value, bits);
189	if (bits % 8)
190		buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8);
191	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
192			pwd_value, sae->tmp->prime_len);
193
194	if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
195		return 0;
196
197	y_bit = pwd_seed[SHA256_MAC_LEN - 1] & 0x01;
198
199	x = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
200	if (x == NULL)
201		return -1;
202	if (crypto_ec_point_solve_y_coord(sae->tmp->ec, pwe, x, y_bit) < 0) {
203		crypto_bignum_deinit(x, 0);
204		wpa_printf(MSG_DEBUG, "SAE: No solution found");
205		return 0;
206	}
207	crypto_bignum_deinit(x, 0);
208
209	wpa_printf(MSG_DEBUG, "SAE: PWE found");
210
211	return 1;
212}
213
214
215static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
216				 struct crypto_bignum *pwe)
217{
218	u8 pwd_value[SAE_MAX_PRIME_LEN];
219	size_t bits = sae->tmp->prime_len * 8;
220	u8 exp[1];
221	struct crypto_bignum *a, *b;
222	int res;
223
224	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
225
226	/* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
227	sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
228			sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value,
229			bits);
230	if (bits % 8)
231		buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8);
232	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
233			sae->tmp->prime_len);
234
235	if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)
236	{
237		wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p");
238		return 0;
239	}
240
241	/* PWE = pwd-value^((p-1)/r) modulo p */
242
243	a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
244
245	if (sae->tmp->dh->safe_prime) {
246		/*
247		 * r = (p-1)/2 for the group used here, so this becomes:
248		 * PWE = pwd-value^2 modulo p
249		 */
250		exp[0] = 2;
251		b = crypto_bignum_init_set(exp, sizeof(exp));
252	} else {
253		/* Calculate exponent: (p-1)/r */
254		exp[0] = 1;
255		b = crypto_bignum_init_set(exp, sizeof(exp));
256		if (b == NULL ||
257		    crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
258		    crypto_bignum_div(b, sae->tmp->order, b) < 0) {
259			crypto_bignum_deinit(b, 0);
260			b = NULL;
261		}
262	}
263
264	if (a == NULL || b == NULL)
265		res = -1;
266	else
267		res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
268
269	crypto_bignum_deinit(a, 0);
270	crypto_bignum_deinit(b, 0);
271
272	if (res < 0) {
273		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE");
274		return -1;
275	}
276
277	/* if (PWE > 1) --> found */
278	if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) {
279		wpa_printf(MSG_DEBUG, "SAE: PWE <= 1");
280		return 0;
281	}
282
283	wpa_printf(MSG_DEBUG, "SAE: PWE found");
284	return 1;
285}
286
287
288static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
289			      const u8 *addr2, const u8 *password,
290			      size_t password_len)
291{
292	u8 counter, k = 4;
293	u8 addrs[2 * ETH_ALEN];
294	const u8 *addr[2];
295	size_t len[2];
296	int found = 0;
297	struct crypto_ec_point *pwe_tmp;
298
299	if (sae->tmp->pwe_ecc == NULL) {
300		sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
301		if (sae->tmp->pwe_ecc == NULL)
302			return -1;
303	}
304	pwe_tmp = crypto_ec_point_init(sae->tmp->ec);
305	if (pwe_tmp == NULL)
306		return -1;
307
308	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
309			      password, password_len);
310
311	/*
312	 * H(salt, ikm) = HMAC-SHA256(salt, ikm)
313	 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
314	 *              password || counter)
315	 */
316	sae_pwd_seed_key(addr1, addr2, addrs);
317
318	addr[0] = password;
319	len[0] = password_len;
320	addr[1] = &counter;
321	len[1] = sizeof(counter);
322
323	/*
324	 * Continue for at least k iterations to protect against side-channel
325	 * attacks that attempt to determine the number of iterations required
326	 * in the loop.
327	 */
328	for (counter = 1; counter < k || !found; counter++) {
329		u8 pwd_seed[SHA256_MAC_LEN];
330		int res;
331
332		if (counter > 200) {
333			/* This should not happen in practice */
334			wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
335			break;
336		}
337
338		wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
339		if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
340				       pwd_seed) < 0)
341			break;
342		res = sae_test_pwd_seed_ecc(sae, pwd_seed,
343					    found ? pwe_tmp :
344					    sae->tmp->pwe_ecc);
345		if (res < 0)
346			break;
347		if (res == 0)
348			continue;
349		if (found) {
350			wpa_printf(MSG_DEBUG, "SAE: Ignore this PWE (one was "
351				   "already selected)");
352		} else {
353			wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
354			found = 1;
355		}
356	}
357
358	crypto_ec_point_deinit(pwe_tmp, 1);
359
360	return found ? 0 : -1;
361}
362
363
364static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
365			      const u8 *addr2, const u8 *password,
366			      size_t password_len)
367{
368	u8 counter;
369	u8 addrs[2 * ETH_ALEN];
370	const u8 *addr[2];
371	size_t len[2];
372	int found = 0;
373
374	if (sae->tmp->pwe_ffc == NULL) {
375		sae->tmp->pwe_ffc = crypto_bignum_init();
376		if (sae->tmp->pwe_ffc == NULL)
377			return -1;
378	}
379
380	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
381			      password, password_len);
382
383	/*
384	 * H(salt, ikm) = HMAC-SHA256(salt, ikm)
385	 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
386	 *              password || counter)
387	 */
388	sae_pwd_seed_key(addr1, addr2, addrs);
389
390	addr[0] = password;
391	len[0] = password_len;
392	addr[1] = &counter;
393	len[1] = sizeof(counter);
394
395	for (counter = 1; !found; counter++) {
396		u8 pwd_seed[SHA256_MAC_LEN];
397		int res;
398
399		if (counter > 200) {
400			/* This should not happen in practice */
401			wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
402			break;
403		}
404
405		wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
406		if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
407				       pwd_seed) < 0)
408			break;
409		res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc);
410		if (res < 0)
411			break;
412		if (res > 0) {
413			wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
414			found = 1;
415		}
416	}
417
418	return found ? 0 : -1;
419}
420
421
422static int sae_derive_commit_element_ecc(struct sae_data *sae,
423					 struct crypto_bignum *mask)
424{
425	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
426	if (!sae->tmp->own_commit_element_ecc) {
427		sae->tmp->own_commit_element_ecc =
428			crypto_ec_point_init(sae->tmp->ec);
429		if (!sae->tmp->own_commit_element_ecc)
430			return -1;
431	}
432
433	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask,
434				sae->tmp->own_commit_element_ecc) < 0 ||
435	    crypto_ec_point_invert(sae->tmp->ec,
436				   sae->tmp->own_commit_element_ecc) < 0) {
437		wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
438		return -1;
439	}
440
441	return 0;
442}
443
444
445static int sae_derive_commit_element_ffc(struct sae_data *sae,
446					 struct crypto_bignum *mask)
447{
448	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
449	if (!sae->tmp->own_commit_element_ffc) {
450		sae->tmp->own_commit_element_ffc = crypto_bignum_init();
451		if (!sae->tmp->own_commit_element_ffc)
452			return -1;
453	}
454
455	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime,
456				  sae->tmp->own_commit_element_ffc) < 0 ||
457	    crypto_bignum_inverse(sae->tmp->own_commit_element_ffc,
458				  sae->tmp->prime,
459				  sae->tmp->own_commit_element_ffc) < 0) {
460		wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
461		return -1;
462	}
463
464	return 0;
465}
466
467
468static int sae_derive_commit(struct sae_data *sae)
469{
470	struct crypto_bignum *mask;
471	int ret = -1;
472
473	mask = sae_get_rand_and_mask(sae);
474	if (mask == NULL) {
475		wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask");
476		return -1;
477	}
478
479	/* commit-scalar = (rand + mask) modulo r */
480	if (!sae->tmp->own_commit_scalar) {
481		sae->tmp->own_commit_scalar = crypto_bignum_init();
482		if (!sae->tmp->own_commit_scalar)
483			goto fail;
484	}
485	crypto_bignum_add(sae->tmp->sae_rand, mask,
486			  sae->tmp->own_commit_scalar);
487	crypto_bignum_mod(sae->tmp->own_commit_scalar, sae->tmp->order,
488			  sae->tmp->own_commit_scalar);
489
490	if (sae->tmp->ec && sae_derive_commit_element_ecc(sae, mask) < 0)
491		goto fail;
492	if (sae->tmp->dh && sae_derive_commit_element_ffc(sae, mask) < 0)
493		goto fail;
494
495	ret = 0;
496fail:
497	crypto_bignum_deinit(mask, 1);
498	return ret;
499}
500
501
502int sae_prepare_commit(const u8 *addr1, const u8 *addr2,
503		       const u8 *password, size_t password_len,
504		       struct sae_data *sae)
505{
506	if (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password,
507					  password_len) < 0)
508		return -1;
509	if (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password,
510					  password_len) < 0)
511		return -1;
512	if (sae_derive_commit(sae) < 0)
513		return -1;
514	return 0;
515}
516
517
518static int sae_derive_k_ecc(struct sae_data *sae, u8 *k)
519{
520	struct crypto_ec_point *K;
521	int ret = -1;
522
523	K = crypto_ec_point_init(sae->tmp->ec);
524	if (K == NULL)
525		goto fail;
526
527	/*
528	 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
529	 *                                        PEER-COMMIT-ELEMENT)))
530	 * If K is identity element (point-at-infinity), reject
531	 * k = F(K) (= x coordinate)
532	 */
533
534	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc,
535				sae->peer_commit_scalar, K) < 0 ||
536	    crypto_ec_point_add(sae->tmp->ec, K,
537				sae->tmp->peer_commit_element_ecc, K) < 0 ||
538	    crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 ||
539	    crypto_ec_point_is_at_infinity(sae->tmp->ec, K) ||
540	    crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) {
541		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k");
542		goto fail;
543	}
544
545	wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
546
547	ret = 0;
548fail:
549	crypto_ec_point_deinit(K, 1);
550	return ret;
551}
552
553
554static int sae_derive_k_ffc(struct sae_data *sae, u8 *k)
555{
556	struct crypto_bignum *K;
557	int ret = -1;
558
559	K = crypto_bignum_init();
560	if (K == NULL)
561		goto fail;
562
563	/*
564	 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
565	 *                                        PEER-COMMIT-ELEMENT)))
566	 * If K is identity element (one), reject.
567	 * k = F(K) (= x coordinate)
568	 */
569
570	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar,
571				  sae->tmp->prime, K) < 0 ||
572	    crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc,
573				 sae->tmp->prime, K) < 0 ||
574	    crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0
575	    ||
576	    crypto_bignum_is_one(K) ||
577	    crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) <
578	    0) {
579		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k");
580		goto fail;
581	}
582
583	wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
584
585	ret = 0;
586fail:
587	crypto_bignum_deinit(K, 1);
588	return ret;
589}
590
591
592static int sae_derive_keys(struct sae_data *sae, const u8 *k)
593{
594	u8 null_key[SAE_KEYSEED_KEY_LEN], val[SAE_MAX_PRIME_LEN];
595	u8 keyseed[SHA256_MAC_LEN];
596	u8 keys[SAE_KCK_LEN + SAE_PMK_LEN];
597	struct crypto_bignum *tmp;
598	int ret = -1;
599
600	tmp = crypto_bignum_init();
601	if (tmp == NULL)
602		goto fail;
603
604	/* keyseed = H(<0>32, k)
605	 * KCK || PMK = KDF-512(keyseed, "SAE KCK and PMK",
606	 *                      (commit-scalar + peer-commit-scalar) modulo r)
607	 * PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
608	 */
609
610	os_memset(null_key, 0, sizeof(null_key));
611	hmac_sha256(null_key, sizeof(null_key), k, sae->tmp->prime_len,
612		    keyseed);
613	wpa_hexdump_key(MSG_DEBUG, "SAE: keyseed", keyseed, sizeof(keyseed));
614
615	crypto_bignum_add(sae->tmp->own_commit_scalar, sae->peer_commit_scalar,
616			  tmp);
617	crypto_bignum_mod(tmp, sae->tmp->order, tmp);
618	crypto_bignum_to_bin(tmp, val, sizeof(val), sae->tmp->prime_len);
619	wpa_hexdump(MSG_DEBUG, "SAE: PMKID", val, SAE_PMKID_LEN);
620	sha256_prf(keyseed, sizeof(keyseed), "SAE KCK and PMK",
621		   val, sae->tmp->prime_len, keys, sizeof(keys));
622	os_memcpy(sae->tmp->kck, keys, SAE_KCK_LEN);
623	os_memcpy(sae->pmk, keys + SAE_KCK_LEN, SAE_PMK_LEN);
624	wpa_hexdump_key(MSG_DEBUG, "SAE: KCK", sae->tmp->kck, SAE_KCK_LEN);
625	wpa_hexdump_key(MSG_DEBUG, "SAE: PMK", sae->pmk, SAE_PMK_LEN);
626
627	ret = 0;
628fail:
629	crypto_bignum_deinit(tmp, 0);
630	return ret;
631}
632
633
634int sae_process_commit(struct sae_data *sae)
635{
636	u8 k[SAE_MAX_PRIME_LEN];
637	if ((sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) ||
638	    (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) ||
639	    sae_derive_keys(sae, k) < 0)
640		return -1;
641	return 0;
642}
643
644
645void sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
646		      const struct wpabuf *token)
647{
648	u8 *pos;
649	wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */
650	if (token)
651		wpabuf_put_buf(buf, token);
652	pos = wpabuf_put(buf, sae->tmp->prime_len);
653	crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos,
654			     sae->tmp->prime_len, sae->tmp->prime_len);
655	wpa_hexdump(MSG_DEBUG, "SAE: own commit-scalar",
656		    pos, sae->tmp->prime_len);
657	if (sae->tmp->ec) {
658		pos = wpabuf_put(buf, 2 * sae->tmp->prime_len);
659		crypto_ec_point_to_bin(sae->tmp->ec,
660				       sae->tmp->own_commit_element_ecc,
661				       pos, pos + sae->tmp->prime_len);
662		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(x)",
663			    pos, sae->tmp->prime_len);
664		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(y)",
665			    pos + sae->tmp->prime_len, sae->tmp->prime_len);
666	} else {
667		pos = wpabuf_put(buf, sae->tmp->prime_len);
668		crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos,
669				     sae->tmp->prime_len, sae->tmp->prime_len);
670		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element",
671			    pos, sae->tmp->prime_len);
672	}
673}
674
675
676static u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups,
677			     u16 group)
678{
679	if (allowed_groups) {
680		int i;
681		for (i = 0; allowed_groups[i] >= 0; i++) {
682			if (allowed_groups[i] == group)
683				break;
684		}
685		if (allowed_groups[i] != group) {
686			wpa_printf(MSG_DEBUG, "SAE: Proposed group %u not "
687				   "enabled in the current configuration",
688				   group);
689			return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
690		}
691	}
692
693	if (sae->state == SAE_COMMITTED && group != sae->group) {
694		wpa_printf(MSG_DEBUG, "SAE: Do not allow group to be changed");
695		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
696	}
697
698	if (group != sae->group && sae_set_group(sae, group) < 0) {
699		wpa_printf(MSG_DEBUG, "SAE: Unsupported Finite Cyclic Group %u",
700			   group);
701		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
702	}
703
704	if (sae->tmp->dh && !allowed_groups) {
705		wpa_printf(MSG_DEBUG, "SAE: Do not allow FFC group %u without "
706			   "explicit configuration enabling it", group);
707		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
708	}
709
710	return WLAN_STATUS_SUCCESS;
711}
712
713
714static void sae_parse_commit_token(struct sae_data *sae, const u8 **pos,
715				   const u8 *end, const u8 **token,
716				   size_t *token_len)
717{
718	if (*pos + (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len < end) {
719		size_t tlen = end - (*pos + (sae->tmp->ec ? 3 : 2) *
720				     sae->tmp->prime_len);
721		wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token", *pos, tlen);
722		if (token)
723			*token = *pos;
724		if (token_len)
725			*token_len = tlen;
726		*pos += tlen;
727	} else {
728		if (token)
729			*token = NULL;
730		if (token_len)
731			*token_len = 0;
732	}
733}
734
735
736static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos,
737				   const u8 *end)
738{
739	struct crypto_bignum *peer_scalar;
740
741	if (*pos + sae->tmp->prime_len > end) {
742		wpa_printf(MSG_DEBUG, "SAE: Not enough data for scalar");
743		return WLAN_STATUS_UNSPECIFIED_FAILURE;
744	}
745
746	peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len);
747	if (peer_scalar == NULL)
748		return WLAN_STATUS_UNSPECIFIED_FAILURE;
749
750	/*
751	 * IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for
752	 * the peer and it is in Authenticated state, the new Commit Message
753	 * shall be dropped if the peer-scalar is identical to the one used in
754	 * the existing protocol instance.
755	 */
756	if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar &&
757	    crypto_bignum_cmp(sae->peer_commit_scalar, peer_scalar) == 0) {
758		wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous "
759			   "peer-commit-scalar");
760		crypto_bignum_deinit(peer_scalar, 0);
761		return WLAN_STATUS_UNSPECIFIED_FAILURE;
762	}
763
764	/* 0 < scalar < r */
765	if (crypto_bignum_is_zero(peer_scalar) ||
766	    crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) {
767		wpa_printf(MSG_DEBUG, "SAE: Invalid peer scalar");
768		crypto_bignum_deinit(peer_scalar, 0);
769		return WLAN_STATUS_UNSPECIFIED_FAILURE;
770	}
771
772
773	crypto_bignum_deinit(sae->peer_commit_scalar, 0);
774	sae->peer_commit_scalar = peer_scalar;
775	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-scalar",
776		    *pos, sae->tmp->prime_len);
777	*pos += sae->tmp->prime_len;
778
779	return WLAN_STATUS_SUCCESS;
780}
781
782
783static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
784					const u8 *end)
785{
786	u8 prime[SAE_MAX_ECC_PRIME_LEN];
787
788	if (pos + 2 * sae->tmp->prime_len > end) {
789		wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
790			   "commit-element");
791		return WLAN_STATUS_UNSPECIFIED_FAILURE;
792	}
793
794	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
795				 sae->tmp->prime_len) < 0)
796		return WLAN_STATUS_UNSPECIFIED_FAILURE;
797
798	/* element x and y coordinates < p */
799	if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 ||
800	    os_memcmp(pos + sae->tmp->prime_len + sae->tmp->prime_len, prime,
801		      sae->tmp->prime_len) >= 0) {
802		wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer "
803			   "element");
804		return WLAN_STATUS_UNSPECIFIED_FAILURE;
805	}
806
807	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(x)",
808		    pos, sae->tmp->prime_len);
809	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(y)",
810		    pos + sae->tmp->prime_len, sae->tmp->prime_len);
811
812	crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0);
813	sae->tmp->peer_commit_element_ecc =
814		crypto_ec_point_from_bin(sae->tmp->ec, pos);
815	if (sae->tmp->peer_commit_element_ecc == NULL)
816		return WLAN_STATUS_UNSPECIFIED_FAILURE;
817
818	if (!crypto_ec_point_is_on_curve(sae->tmp->ec,
819					 sae->tmp->peer_commit_element_ecc)) {
820		wpa_printf(MSG_DEBUG, "SAE: Peer element is not on curve");
821		return WLAN_STATUS_UNSPECIFIED_FAILURE;
822	}
823
824	return WLAN_STATUS_SUCCESS;
825}
826
827
828static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
829					const u8 *end)
830{
831	struct crypto_bignum *res;
832
833	if (pos + sae->tmp->prime_len > end) {
834		wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
835			   "commit-element");
836		return WLAN_STATUS_UNSPECIFIED_FAILURE;
837	}
838	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", pos,
839		    sae->tmp->prime_len);
840
841	crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0);
842	sae->tmp->peer_commit_element_ffc =
843		crypto_bignum_init_set(pos, sae->tmp->prime_len);
844	if (sae->tmp->peer_commit_element_ffc == NULL)
845		return WLAN_STATUS_UNSPECIFIED_FAILURE;
846	if (crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) ||
847	    crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) ||
848	    crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc,
849			      sae->tmp->prime) >= 0) {
850		wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
851		return WLAN_STATUS_UNSPECIFIED_FAILURE;
852	}
853
854	/* scalar-op(r, ELEMENT) = 1 modulo p */
855	res = crypto_bignum_init();
856	if (res == NULL ||
857	    crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,
858				  sae->tmp->order, sae->tmp->prime, res) < 0 ||
859	    !crypto_bignum_is_one(res)) {
860		wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)");
861		crypto_bignum_deinit(res, 0);
862		return WLAN_STATUS_UNSPECIFIED_FAILURE;
863	}
864	crypto_bignum_deinit(res, 0);
865
866	return WLAN_STATUS_SUCCESS;
867}
868
869
870static u16 sae_parse_commit_element(struct sae_data *sae, const u8 *pos,
871				    const u8 *end)
872{
873	if (sae->tmp->dh)
874		return sae_parse_commit_element_ffc(sae, pos, end);
875	return sae_parse_commit_element_ecc(sae, pos, end);
876}
877
878
879u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
880		     const u8 **token, size_t *token_len, int *allowed_groups)
881{
882	const u8 *pos = data, *end = data + len;
883	u16 res;
884
885	/* Check Finite Cyclic Group */
886	if (pos + 2 > end)
887		return WLAN_STATUS_UNSPECIFIED_FAILURE;
888	res = sae_group_allowed(sae, allowed_groups, WPA_GET_LE16(pos));
889	if (res != WLAN_STATUS_SUCCESS)
890		return res;
891	pos += 2;
892
893	/* Optional Anti-Clogging Token */
894	sae_parse_commit_token(sae, &pos, end, token, token_len);
895
896	/* commit-scalar */
897	res = sae_parse_commit_scalar(sae, &pos, end);
898	if (res != WLAN_STATUS_SUCCESS)
899		return res;
900
901	/* commit-element */
902	return sae_parse_commit_element(sae, pos, end);
903}
904
905
906static void sae_cn_confirm(struct sae_data *sae, const u8 *sc,
907			   const struct crypto_bignum *scalar1,
908			   const u8 *element1, size_t element1_len,
909			   const struct crypto_bignum *scalar2,
910			   const u8 *element2, size_t element2_len,
911			   u8 *confirm)
912{
913	const u8 *addr[5];
914	size_t len[5];
915	u8 scalar_b1[SAE_MAX_PRIME_LEN], scalar_b2[SAE_MAX_PRIME_LEN];
916
917	/* Confirm
918	 * CN(key, X, Y, Z, ...) =
919	 *    HMAC-SHA256(key, D2OS(X) || D2OS(Y) || D2OS(Z) | ...)
920	 * confirm = CN(KCK, send-confirm, commit-scalar, COMMIT-ELEMENT,
921	 *              peer-commit-scalar, PEER-COMMIT-ELEMENT)
922	 * verifier = CN(KCK, peer-send-confirm, peer-commit-scalar,
923	 *               PEER-COMMIT-ELEMENT, commit-scalar, COMMIT-ELEMENT)
924	 */
925	addr[0] = sc;
926	len[0] = 2;
927	crypto_bignum_to_bin(scalar1, scalar_b1, sizeof(scalar_b1),
928			     sae->tmp->prime_len);
929	addr[1] = scalar_b1;
930	len[1] = sae->tmp->prime_len;
931	addr[2] = element1;
932	len[2] = element1_len;
933	crypto_bignum_to_bin(scalar2, scalar_b2, sizeof(scalar_b2),
934			     sae->tmp->prime_len);
935	addr[3] = scalar_b2;
936	len[3] = sae->tmp->prime_len;
937	addr[4] = element2;
938	len[4] = element2_len;
939	hmac_sha256_vector(sae->tmp->kck, sizeof(sae->tmp->kck), 5, addr, len,
940			   confirm);
941}
942
943
944static void sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc,
945			       const struct crypto_bignum *scalar1,
946			       const struct crypto_ec_point *element1,
947			       const struct crypto_bignum *scalar2,
948			       const struct crypto_ec_point *element2,
949			       u8 *confirm)
950{
951	u8 element_b1[2 * SAE_MAX_ECC_PRIME_LEN];
952	u8 element_b2[2 * SAE_MAX_ECC_PRIME_LEN];
953
954	crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1,
955			       element_b1 + sae->tmp->prime_len);
956	crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2,
957			       element_b2 + sae->tmp->prime_len);
958
959	sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len,
960		       scalar2, element_b2, 2 * sae->tmp->prime_len, confirm);
961}
962
963
964static void sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc,
965			       const struct crypto_bignum *scalar1,
966			       const struct crypto_bignum *element1,
967			       const struct crypto_bignum *scalar2,
968			       const struct crypto_bignum *element2,
969			       u8 *confirm)
970{
971	u8 element_b1[SAE_MAX_PRIME_LEN];
972	u8 element_b2[SAE_MAX_PRIME_LEN];
973
974	crypto_bignum_to_bin(element1, element_b1, sizeof(element_b1),
975			     sae->tmp->prime_len);
976	crypto_bignum_to_bin(element2, element_b2, sizeof(element_b2),
977			     sae->tmp->prime_len);
978
979	sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len,
980		       scalar2, element_b2, sae->tmp->prime_len, confirm);
981}
982
983
984void sae_write_confirm(struct sae_data *sae, struct wpabuf *buf)
985{
986	const u8 *sc;
987
988	/* Send-Confirm */
989	sc = wpabuf_put(buf, 0);
990	wpabuf_put_le16(buf, sae->send_confirm);
991	sae->send_confirm++;
992
993	if (sae->tmp->ec)
994		sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar,
995				   sae->tmp->own_commit_element_ecc,
996				   sae->peer_commit_scalar,
997				   sae->tmp->peer_commit_element_ecc,
998				   wpabuf_put(buf, SHA256_MAC_LEN));
999	else
1000		sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar,
1001				   sae->tmp->own_commit_element_ffc,
1002				   sae->peer_commit_scalar,
1003				   sae->tmp->peer_commit_element_ffc,
1004				   wpabuf_put(buf, SHA256_MAC_LEN));
1005}
1006
1007
1008int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
1009{
1010	u8 verifier[SHA256_MAC_LEN];
1011
1012	if (len < 2 + SHA256_MAC_LEN) {
1013		wpa_printf(MSG_DEBUG, "SAE: Too short confirm message");
1014		return -1;
1015	}
1016
1017	wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
1018
1019	if (sae->tmp->ec)
1020		sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
1021				   sae->tmp->peer_commit_element_ecc,
1022				   sae->tmp->own_commit_scalar,
1023				   sae->tmp->own_commit_element_ecc,
1024				   verifier);
1025	else
1026		sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
1027				   sae->tmp->peer_commit_element_ffc,
1028				   sae->tmp->own_commit_scalar,
1029				   sae->tmp->own_commit_element_ffc,
1030				   verifier);
1031
1032	if (os_memcmp(verifier, data + 2, SHA256_MAC_LEN) != 0) {
1033		wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
1034		wpa_hexdump(MSG_DEBUG, "SAE: Received confirm",
1035			    data + 2, SHA256_MAC_LEN);
1036		wpa_hexdump(MSG_DEBUG, "SAE: Calculated verifier",
1037			    verifier, SHA256_MAC_LEN);
1038		return -1;
1039	}
1040
1041	return 0;
1042}
1043