sae.c revision a54fa5fb807eaeff45464139b5a7759f060cec68
1/* 2 * Simultaneous authentication of equals 3 * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/crypto.h" 13#include "crypto/sha256.h" 14#include "crypto/random.h" 15#include "crypto/dh_groups.h" 16#include "ieee802_11_defs.h" 17#include "sae.h" 18 19 20int sae_set_group(struct sae_data *sae, int group) 21{ 22 struct sae_temporary_data *tmp; 23 24 sae_clear_data(sae); 25 tmp = sae->tmp = os_zalloc(sizeof(*tmp)); 26 if (tmp == NULL) 27 return -1; 28 29 /* First, check if this is an ECC group */ 30 tmp->ec = crypto_ec_init(group); 31 if (tmp->ec) { 32 sae->group = group; 33 tmp->prime_len = crypto_ec_prime_len(tmp->ec); 34 tmp->prime = crypto_ec_get_prime(tmp->ec); 35 tmp->order = crypto_ec_get_order(tmp->ec); 36 return 0; 37 } 38 39 /* Not an ECC group, check FFC */ 40 tmp->dh = dh_groups_get(group); 41 if (tmp->dh) { 42 sae->group = group; 43 tmp->prime_len = tmp->dh->prime_len; 44 if (tmp->prime_len > SAE_MAX_PRIME_LEN) { 45 sae_clear_data(sae); 46 return -1; 47 } 48 49 tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime, 50 tmp->prime_len); 51 if (tmp->prime_buf == NULL) { 52 sae_clear_data(sae); 53 return -1; 54 } 55 tmp->prime = tmp->prime_buf; 56 57 tmp->order_buf = crypto_bignum_init_set(tmp->dh->order, 58 tmp->dh->order_len); 59 if (tmp->order_buf == NULL) { 60 sae_clear_data(sae); 61 return -1; 62 } 63 tmp->order = tmp->order_buf; 64 65 return 0; 66 } 67 68 /* Unsupported group */ 69 return -1; 70} 71 72 73void sae_clear_temp_data(struct sae_data *sae) 74{ 75 struct sae_temporary_data *tmp; 76 if (sae == NULL || sae->tmp == NULL) 77 return; 78 tmp = sae->tmp; 79 crypto_ec_deinit(tmp->ec); 80 crypto_bignum_deinit(tmp->prime_buf, 0); 81 crypto_bignum_deinit(tmp->order_buf, 0); 82 crypto_bignum_deinit(tmp->sae_rand, 1); 83 crypto_bignum_deinit(tmp->pwe_ffc, 1); 84 crypto_bignum_deinit(tmp->own_commit_scalar, 0); 85 crypto_bignum_deinit(tmp->own_commit_element_ffc, 0); 86 crypto_bignum_deinit(tmp->peer_commit_element_ffc, 0); 87 crypto_ec_point_deinit(tmp->pwe_ecc, 1); 88 crypto_ec_point_deinit(tmp->own_commit_element_ecc, 0); 89 crypto_ec_point_deinit(tmp->peer_commit_element_ecc, 0); 90 os_free(sae->tmp); 91 sae->tmp = NULL; 92} 93 94 95void sae_clear_data(struct sae_data *sae) 96{ 97 if (sae == NULL) 98 return; 99 sae_clear_temp_data(sae); 100 crypto_bignum_deinit(sae->peer_commit_scalar, 0); 101 os_memset(sae, 0, sizeof(*sae)); 102} 103 104 105static void buf_shift_right(u8 *buf, size_t len, size_t bits) 106{ 107 size_t i; 108 for (i = len - 1; i > 0; i--) 109 buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits); 110 buf[0] >>= bits; 111} 112 113 114static struct crypto_bignum * sae_get_rand(struct sae_data *sae) 115{ 116 u8 val[SAE_MAX_PRIME_LEN]; 117 int iter = 0; 118 struct crypto_bignum *bn = NULL; 119 int order_len_bits = crypto_bignum_bits(sae->tmp->order); 120 size_t order_len = (order_len_bits + 7) / 8; 121 122 if (order_len > sizeof(val)) 123 return NULL; 124 125 for (;;) { 126 if (iter++ > 100) 127 return NULL; 128 if (random_get_bytes(val, order_len) < 0) 129 return NULL; 130 if (order_len_bits % 8) 131 buf_shift_right(val, order_len, 8 - order_len_bits % 8); 132 bn = crypto_bignum_init_set(val, order_len); 133 if (bn == NULL) 134 return NULL; 135 if (crypto_bignum_is_zero(bn) || 136 crypto_bignum_is_one(bn) || 137 crypto_bignum_cmp(bn, sae->tmp->order) >= 0) 138 continue; 139 break; 140 } 141 142 os_memset(val, 0, order_len); 143 return bn; 144} 145 146 147static struct crypto_bignum * sae_get_rand_and_mask(struct sae_data *sae) 148{ 149 crypto_bignum_deinit(sae->tmp->sae_rand, 1); 150 sae->tmp->sae_rand = sae_get_rand(sae); 151 if (sae->tmp->sae_rand == NULL) 152 return NULL; 153 return sae_get_rand(sae); 154} 155 156 157static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key) 158{ 159 wpa_printf(MSG_DEBUG, "SAE: PWE derivation - addr1=" MACSTR 160 " addr2=" MACSTR, MAC2STR(addr1), MAC2STR(addr2)); 161 if (os_memcmp(addr1, addr2, ETH_ALEN) > 0) { 162 os_memcpy(key, addr1, ETH_ALEN); 163 os_memcpy(key + ETH_ALEN, addr2, ETH_ALEN); 164 } else { 165 os_memcpy(key, addr2, ETH_ALEN); 166 os_memcpy(key + ETH_ALEN, addr1, ETH_ALEN); 167 } 168} 169 170 171static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, 172 struct crypto_ec_point *pwe) 173{ 174 u8 pwd_value[SAE_MAX_ECC_PRIME_LEN], prime[SAE_MAX_ECC_PRIME_LEN]; 175 struct crypto_bignum *x; 176 int y_bit; 177 size_t bits; 178 179 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), 180 sae->tmp->prime_len) < 0) 181 return -1; 182 183 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN); 184 185 /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */ 186 bits = crypto_ec_prime_len_bits(sae->tmp->ec); 187 sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking", 188 prime, sae->tmp->prime_len, pwd_value, bits); 189 if (bits % 8) 190 buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8); 191 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", 192 pwd_value, sae->tmp->prime_len); 193 194 if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) 195 return 0; 196 197 y_bit = pwd_seed[SHA256_MAC_LEN - 1] & 0x01; 198 199 x = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); 200 if (x == NULL) 201 return -1; 202 if (crypto_ec_point_solve_y_coord(sae->tmp->ec, pwe, x, y_bit) < 0) { 203 crypto_bignum_deinit(x, 0); 204 wpa_printf(MSG_DEBUG, "SAE: No solution found"); 205 return 0; 206 } 207 crypto_bignum_deinit(x, 0); 208 209 wpa_printf(MSG_DEBUG, "SAE: PWE found"); 210 211 return 1; 212} 213 214 215static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed, 216 struct crypto_bignum *pwe) 217{ 218 u8 pwd_value[SAE_MAX_PRIME_LEN]; 219 size_t bits = sae->tmp->prime_len * 8; 220 u8 exp[1]; 221 struct crypto_bignum *a, *b; 222 int res; 223 224 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN); 225 226 /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */ 227 sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking", 228 sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value, 229 bits); 230 if (bits % 8) 231 buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8); 232 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value, 233 sae->tmp->prime_len); 234 235 if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0) 236 { 237 wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p"); 238 return 0; 239 } 240 241 /* PWE = pwd-value^((p-1)/r) modulo p */ 242 243 a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); 244 245 if (sae->tmp->dh->safe_prime) { 246 /* 247 * r = (p-1)/2 for the group used here, so this becomes: 248 * PWE = pwd-value^2 modulo p 249 */ 250 exp[0] = 2; 251 b = crypto_bignum_init_set(exp, sizeof(exp)); 252 } else { 253 /* Calculate exponent: (p-1)/r */ 254 exp[0] = 1; 255 b = crypto_bignum_init_set(exp, sizeof(exp)); 256 if (b == NULL || 257 crypto_bignum_sub(sae->tmp->prime, b, b) < 0 || 258 crypto_bignum_div(b, sae->tmp->order, b) < 0) { 259 crypto_bignum_deinit(b, 0); 260 b = NULL; 261 } 262 } 263 264 if (a == NULL || b == NULL) 265 res = -1; 266 else 267 res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe); 268 269 crypto_bignum_deinit(a, 0); 270 crypto_bignum_deinit(b, 0); 271 272 if (res < 0) { 273 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE"); 274 return -1; 275 } 276 277 /* if (PWE > 1) --> found */ 278 if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) { 279 wpa_printf(MSG_DEBUG, "SAE: PWE <= 1"); 280 return 0; 281 } 282 283 wpa_printf(MSG_DEBUG, "SAE: PWE found"); 284 return 1; 285} 286 287 288static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, 289 const u8 *addr2, const u8 *password, 290 size_t password_len) 291{ 292 u8 counter, k = 4; 293 u8 addrs[2 * ETH_ALEN]; 294 const u8 *addr[2]; 295 size_t len[2]; 296 int found = 0; 297 struct crypto_ec_point *pwe_tmp; 298 299 if (sae->tmp->pwe_ecc == NULL) { 300 sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec); 301 if (sae->tmp->pwe_ecc == NULL) 302 return -1; 303 } 304 pwe_tmp = crypto_ec_point_init(sae->tmp->ec); 305 if (pwe_tmp == NULL) 306 return -1; 307 308 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", 309 password, password_len); 310 311 /* 312 * H(salt, ikm) = HMAC-SHA256(salt, ikm) 313 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC), 314 * password || counter) 315 */ 316 sae_pwd_seed_key(addr1, addr2, addrs); 317 318 addr[0] = password; 319 len[0] = password_len; 320 addr[1] = &counter; 321 len[1] = sizeof(counter); 322 323 /* 324 * Continue for at least k iterations to protect against side-channel 325 * attacks that attempt to determine the number of iterations required 326 * in the loop. 327 */ 328 for (counter = 1; counter < k || !found; counter++) { 329 u8 pwd_seed[SHA256_MAC_LEN]; 330 int res; 331 332 if (counter > 200) { 333 /* This should not happen in practice */ 334 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE"); 335 break; 336 } 337 338 wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter); 339 if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len, 340 pwd_seed) < 0) 341 break; 342 res = sae_test_pwd_seed_ecc(sae, pwd_seed, 343 found ? pwe_tmp : 344 sae->tmp->pwe_ecc); 345 if (res < 0) 346 break; 347 if (res == 0) 348 continue; 349 if (found) { 350 wpa_printf(MSG_DEBUG, "SAE: Ignore this PWE (one was " 351 "already selected)"); 352 } else { 353 wpa_printf(MSG_DEBUG, "SAE: Use this PWE"); 354 found = 1; 355 } 356 } 357 358 crypto_ec_point_deinit(pwe_tmp, 1); 359 360 return found ? 0 : -1; 361} 362 363 364static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, 365 const u8 *addr2, const u8 *password, 366 size_t password_len) 367{ 368 u8 counter; 369 u8 addrs[2 * ETH_ALEN]; 370 const u8 *addr[2]; 371 size_t len[2]; 372 int found = 0; 373 374 if (sae->tmp->pwe_ffc == NULL) { 375 sae->tmp->pwe_ffc = crypto_bignum_init(); 376 if (sae->tmp->pwe_ffc == NULL) 377 return -1; 378 } 379 380 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", 381 password, password_len); 382 383 /* 384 * H(salt, ikm) = HMAC-SHA256(salt, ikm) 385 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC), 386 * password || counter) 387 */ 388 sae_pwd_seed_key(addr1, addr2, addrs); 389 390 addr[0] = password; 391 len[0] = password_len; 392 addr[1] = &counter; 393 len[1] = sizeof(counter); 394 395 for (counter = 1; !found; counter++) { 396 u8 pwd_seed[SHA256_MAC_LEN]; 397 int res; 398 399 if (counter > 200) { 400 /* This should not happen in practice */ 401 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE"); 402 break; 403 } 404 405 wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter); 406 if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len, 407 pwd_seed) < 0) 408 break; 409 res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc); 410 if (res < 0) 411 break; 412 if (res > 0) { 413 wpa_printf(MSG_DEBUG, "SAE: Use this PWE"); 414 found = 1; 415 } 416 } 417 418 return found ? 0 : -1; 419} 420 421 422static int sae_derive_commit_element_ecc(struct sae_data *sae, 423 struct crypto_bignum *mask) 424{ 425 /* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */ 426 if (!sae->tmp->own_commit_element_ecc) { 427 sae->tmp->own_commit_element_ecc = 428 crypto_ec_point_init(sae->tmp->ec); 429 if (!sae->tmp->own_commit_element_ecc) 430 return -1; 431 } 432 433 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask, 434 sae->tmp->own_commit_element_ecc) < 0 || 435 crypto_ec_point_invert(sae->tmp->ec, 436 sae->tmp->own_commit_element_ecc) < 0) { 437 wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element"); 438 return -1; 439 } 440 441 return 0; 442} 443 444 445static int sae_derive_commit_element_ffc(struct sae_data *sae, 446 struct crypto_bignum *mask) 447{ 448 /* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */ 449 if (!sae->tmp->own_commit_element_ffc) { 450 sae->tmp->own_commit_element_ffc = crypto_bignum_init(); 451 if (!sae->tmp->own_commit_element_ffc) 452 return -1; 453 } 454 455 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime, 456 sae->tmp->own_commit_element_ffc) < 0 || 457 crypto_bignum_inverse(sae->tmp->own_commit_element_ffc, 458 sae->tmp->prime, 459 sae->tmp->own_commit_element_ffc) < 0) { 460 wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element"); 461 return -1; 462 } 463 464 return 0; 465} 466 467 468static int sae_derive_commit(struct sae_data *sae) 469{ 470 struct crypto_bignum *mask; 471 int ret = -1; 472 473 mask = sae_get_rand_and_mask(sae); 474 if (mask == NULL) { 475 wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask"); 476 return -1; 477 } 478 479 /* commit-scalar = (rand + mask) modulo r */ 480 if (!sae->tmp->own_commit_scalar) { 481 sae->tmp->own_commit_scalar = crypto_bignum_init(); 482 if (!sae->tmp->own_commit_scalar) 483 goto fail; 484 } 485 crypto_bignum_add(sae->tmp->sae_rand, mask, 486 sae->tmp->own_commit_scalar); 487 crypto_bignum_mod(sae->tmp->own_commit_scalar, sae->tmp->order, 488 sae->tmp->own_commit_scalar); 489 490 if (sae->tmp->ec && sae_derive_commit_element_ecc(sae, mask) < 0) 491 goto fail; 492 if (sae->tmp->dh && sae_derive_commit_element_ffc(sae, mask) < 0) 493 goto fail; 494 495 ret = 0; 496fail: 497 crypto_bignum_deinit(mask, 1); 498 return ret; 499} 500 501 502int sae_prepare_commit(const u8 *addr1, const u8 *addr2, 503 const u8 *password, size_t password_len, 504 struct sae_data *sae) 505{ 506 if (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password, 507 password_len) < 0) 508 return -1; 509 if (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password, 510 password_len) < 0) 511 return -1; 512 if (sae_derive_commit(sae) < 0) 513 return -1; 514 return 0; 515} 516 517 518static int sae_derive_k_ecc(struct sae_data *sae, u8 *k) 519{ 520 struct crypto_ec_point *K; 521 int ret = -1; 522 523 K = crypto_ec_point_init(sae->tmp->ec); 524 if (K == NULL) 525 goto fail; 526 527 if (!crypto_ec_point_is_on_curve(sae->tmp->ec, 528 sae->tmp->peer_commit_element_ecc)) { 529 wpa_printf(MSG_DEBUG, "SAE: Peer element is not on curve"); 530 goto fail; 531 } 532 533 /* 534 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE), 535 * PEER-COMMIT-ELEMENT))) 536 * If K is identity element (point-at-infinity), reject 537 * k = F(K) (= x coordinate) 538 */ 539 540 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, 541 sae->peer_commit_scalar, K) < 0 || 542 crypto_ec_point_add(sae->tmp->ec, K, 543 sae->tmp->peer_commit_element_ecc, K) < 0 || 544 crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 || 545 crypto_ec_point_is_at_infinity(sae->tmp->ec, K) || 546 crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) { 547 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k"); 548 goto fail; 549 } 550 551 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); 552 553 ret = 0; 554fail: 555 crypto_ec_point_deinit(K, 1); 556 return ret; 557} 558 559 560static int sae_derive_k_ffc(struct sae_data *sae, u8 *k) 561{ 562 struct crypto_bignum *K; 563 int ret = -1; 564 565 K = crypto_bignum_init(); 566 if (K == NULL) 567 goto fail; 568 569 /* 570 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE), 571 * PEER-COMMIT-ELEMENT))) 572 * If K is identity element (one), reject. 573 * k = F(K) (= x coordinate) 574 */ 575 576 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar, 577 sae->tmp->prime, K) < 0 || 578 crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc, 579 sae->tmp->prime, K) < 0 || 580 crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0 581 || 582 crypto_bignum_is_one(K) || 583 crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) < 584 0) { 585 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k"); 586 goto fail; 587 } 588 589 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); 590 591 ret = 0; 592fail: 593 crypto_bignum_deinit(K, 1); 594 return ret; 595} 596 597 598static int sae_derive_keys(struct sae_data *sae, const u8 *k) 599{ 600 u8 null_key[SAE_KEYSEED_KEY_LEN], val[SAE_MAX_PRIME_LEN]; 601 u8 keyseed[SHA256_MAC_LEN]; 602 u8 keys[SAE_KCK_LEN + SAE_PMK_LEN]; 603 struct crypto_bignum *tmp; 604 int ret = -1; 605 606 tmp = crypto_bignum_init(); 607 if (tmp == NULL) 608 goto fail; 609 610 /* keyseed = H(<0>32, k) 611 * KCK || PMK = KDF-512(keyseed, "SAE KCK and PMK", 612 * (commit-scalar + peer-commit-scalar) modulo r) 613 * PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128) 614 */ 615 616 os_memset(null_key, 0, sizeof(null_key)); 617 hmac_sha256(null_key, sizeof(null_key), k, sae->tmp->prime_len, 618 keyseed); 619 wpa_hexdump_key(MSG_DEBUG, "SAE: keyseed", keyseed, sizeof(keyseed)); 620 621 crypto_bignum_add(sae->tmp->own_commit_scalar, sae->peer_commit_scalar, 622 tmp); 623 crypto_bignum_mod(tmp, sae->tmp->order, tmp); 624 crypto_bignum_to_bin(tmp, val, sizeof(val), sae->tmp->prime_len); 625 wpa_hexdump(MSG_DEBUG, "SAE: PMKID", val, SAE_PMKID_LEN); 626 sha256_prf(keyseed, sizeof(keyseed), "SAE KCK and PMK", 627 val, sae->tmp->prime_len, keys, sizeof(keys)); 628 os_memcpy(sae->tmp->kck, keys, SAE_KCK_LEN); 629 os_memcpy(sae->pmk, keys + SAE_KCK_LEN, SAE_PMK_LEN); 630 wpa_hexdump_key(MSG_DEBUG, "SAE: KCK", sae->tmp->kck, SAE_KCK_LEN); 631 wpa_hexdump_key(MSG_DEBUG, "SAE: PMK", sae->pmk, SAE_PMK_LEN); 632 633 ret = 0; 634fail: 635 crypto_bignum_deinit(tmp, 0); 636 return ret; 637} 638 639 640int sae_process_commit(struct sae_data *sae) 641{ 642 u8 k[SAE_MAX_PRIME_LEN]; 643 if ((sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) || 644 (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) || 645 sae_derive_keys(sae, k) < 0) 646 return -1; 647 return 0; 648} 649 650 651void sae_write_commit(struct sae_data *sae, struct wpabuf *buf, 652 const struct wpabuf *token) 653{ 654 u8 *pos; 655 wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */ 656 if (token) 657 wpabuf_put_buf(buf, token); 658 pos = wpabuf_put(buf, sae->tmp->prime_len); 659 crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos, 660 sae->tmp->prime_len, sae->tmp->prime_len); 661 wpa_hexdump(MSG_DEBUG, "SAE: own commit-scalar", 662 pos, sae->tmp->prime_len); 663 if (sae->tmp->ec) { 664 pos = wpabuf_put(buf, 2 * sae->tmp->prime_len); 665 crypto_ec_point_to_bin(sae->tmp->ec, 666 sae->tmp->own_commit_element_ecc, 667 pos, pos + sae->tmp->prime_len); 668 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(x)", 669 pos, sae->tmp->prime_len); 670 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(y)", 671 pos + sae->tmp->prime_len, sae->tmp->prime_len); 672 } else { 673 pos = wpabuf_put(buf, sae->tmp->prime_len); 674 crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos, 675 sae->tmp->prime_len, sae->tmp->prime_len); 676 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element", 677 pos, sae->tmp->prime_len); 678 } 679} 680 681 682static u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, 683 u16 group) 684{ 685 if (allowed_groups) { 686 int i; 687 for (i = 0; allowed_groups[i] >= 0; i++) { 688 if (allowed_groups[i] == group) 689 break; 690 } 691 if (allowed_groups[i] != group) { 692 wpa_printf(MSG_DEBUG, "SAE: Proposed group %u not " 693 "enabled in the current configuration", 694 group); 695 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 696 } 697 } 698 699 if (sae->state == SAE_COMMITTED && group != sae->group) { 700 wpa_printf(MSG_DEBUG, "SAE: Do not allow group to be changed"); 701 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 702 } 703 704 if (group != sae->group && sae_set_group(sae, group) < 0) { 705 wpa_printf(MSG_DEBUG, "SAE: Unsupported Finite Cyclic Group %u", 706 group); 707 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 708 } 709 710 if (sae->tmp->dh && !allowed_groups) { 711 wpa_printf(MSG_DEBUG, "SAE: Do not allow FFC group %u without " 712 "explicit configuration enabling it", group); 713 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 714 } 715 716 return WLAN_STATUS_SUCCESS; 717} 718 719 720static void sae_parse_commit_token(struct sae_data *sae, const u8 **pos, 721 const u8 *end, const u8 **token, 722 size_t *token_len) 723{ 724 if (*pos + (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len < end) { 725 size_t tlen = end - (*pos + (sae->tmp->ec ? 3 : 2) * 726 sae->tmp->prime_len); 727 wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token", *pos, tlen); 728 if (token) 729 *token = *pos; 730 if (token_len) 731 *token_len = tlen; 732 *pos += tlen; 733 } else { 734 if (token) 735 *token = NULL; 736 if (token_len) 737 *token_len = 0; 738 } 739} 740 741 742static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos, 743 const u8 *end) 744{ 745 struct crypto_bignum *peer_scalar; 746 747 if (*pos + sae->tmp->prime_len > end) { 748 wpa_printf(MSG_DEBUG, "SAE: Not enough data for scalar"); 749 return WLAN_STATUS_UNSPECIFIED_FAILURE; 750 } 751 752 peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len); 753 if (peer_scalar == NULL) 754 return WLAN_STATUS_UNSPECIFIED_FAILURE; 755 756 /* 757 * IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for 758 * the peer and it is in Authenticated state, the new Commit Message 759 * shall be dropped if the peer-scalar is identical to the one used in 760 * the existing protocol instance. 761 */ 762 if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar && 763 crypto_bignum_cmp(sae->peer_commit_scalar, peer_scalar) == 0) { 764 wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous " 765 "peer-commit-scalar"); 766 crypto_bignum_deinit(peer_scalar, 0); 767 return WLAN_STATUS_UNSPECIFIED_FAILURE; 768 } 769 770 /* 0 < scalar < r */ 771 if (crypto_bignum_is_zero(peer_scalar) || 772 crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) { 773 wpa_printf(MSG_DEBUG, "SAE: Invalid peer scalar"); 774 crypto_bignum_deinit(peer_scalar, 0); 775 return WLAN_STATUS_UNSPECIFIED_FAILURE; 776 } 777 778 779 crypto_bignum_deinit(sae->peer_commit_scalar, 0); 780 sae->peer_commit_scalar = peer_scalar; 781 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-scalar", 782 *pos, sae->tmp->prime_len); 783 *pos += sae->tmp->prime_len; 784 785 return WLAN_STATUS_SUCCESS; 786} 787 788 789static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos, 790 const u8 *end) 791{ 792 u8 prime[SAE_MAX_ECC_PRIME_LEN]; 793 794 if (pos + 2 * sae->tmp->prime_len > end) { 795 wpa_printf(MSG_DEBUG, "SAE: Not enough data for " 796 "commit-element"); 797 return WLAN_STATUS_UNSPECIFIED_FAILURE; 798 } 799 800 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), 801 sae->tmp->prime_len) < 0) 802 return WLAN_STATUS_UNSPECIFIED_FAILURE; 803 804 /* element x and y coordinates < p */ 805 if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 || 806 os_memcmp(pos + sae->tmp->prime_len + sae->tmp->prime_len, prime, 807 sae->tmp->prime_len) >= 0) { 808 wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer " 809 "element"); 810 return WLAN_STATUS_UNSPECIFIED_FAILURE; 811 } 812 813 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(x)", 814 pos, sae->tmp->prime_len); 815 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(y)", 816 pos + sae->tmp->prime_len, sae->tmp->prime_len); 817 818 crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0); 819 sae->tmp->peer_commit_element_ecc = 820 crypto_ec_point_from_bin(sae->tmp->ec, pos); 821 if (sae->tmp->peer_commit_element_ecc == NULL) 822 return WLAN_STATUS_UNSPECIFIED_FAILURE; 823 824 return WLAN_STATUS_SUCCESS; 825} 826 827 828static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos, 829 const u8 *end) 830{ 831 if (pos + sae->tmp->prime_len > end) { 832 wpa_printf(MSG_DEBUG, "SAE: Not enough data for " 833 "commit-element"); 834 return WLAN_STATUS_UNSPECIFIED_FAILURE; 835 } 836 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", pos, 837 sae->tmp->prime_len); 838 839 crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0); 840 sae->tmp->peer_commit_element_ffc = 841 crypto_bignum_init_set(pos, sae->tmp->prime_len); 842 if (sae->tmp->peer_commit_element_ffc == NULL) 843 return WLAN_STATUS_UNSPECIFIED_FAILURE; 844 if (crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) || 845 crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) || 846 crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc, 847 sae->tmp->prime) >= 0) { 848 wpa_printf(MSG_DEBUG, "SAE: Invalid peer element"); 849 return WLAN_STATUS_UNSPECIFIED_FAILURE; 850 } 851 852 return WLAN_STATUS_SUCCESS; 853} 854 855 856static u16 sae_parse_commit_element(struct sae_data *sae, const u8 *pos, 857 const u8 *end) 858{ 859 if (sae->tmp->dh) 860 return sae_parse_commit_element_ffc(sae, pos, end); 861 return sae_parse_commit_element_ecc(sae, pos, end); 862} 863 864 865u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len, 866 const u8 **token, size_t *token_len, int *allowed_groups) 867{ 868 const u8 *pos = data, *end = data + len; 869 u16 res; 870 871 /* Check Finite Cyclic Group */ 872 if (pos + 2 > end) 873 return WLAN_STATUS_UNSPECIFIED_FAILURE; 874 res = sae_group_allowed(sae, allowed_groups, WPA_GET_LE16(pos)); 875 if (res != WLAN_STATUS_SUCCESS) 876 return res; 877 pos += 2; 878 879 /* Optional Anti-Clogging Token */ 880 sae_parse_commit_token(sae, &pos, end, token, token_len); 881 882 /* commit-scalar */ 883 res = sae_parse_commit_scalar(sae, &pos, end); 884 if (res != WLAN_STATUS_SUCCESS) 885 return res; 886 887 /* commit-element */ 888 return sae_parse_commit_element(sae, pos, end); 889} 890 891 892static void sae_cn_confirm(struct sae_data *sae, const u8 *sc, 893 const struct crypto_bignum *scalar1, 894 const u8 *element1, size_t element1_len, 895 const struct crypto_bignum *scalar2, 896 const u8 *element2, size_t element2_len, 897 u8 *confirm) 898{ 899 const u8 *addr[5]; 900 size_t len[5]; 901 u8 scalar_b1[SAE_MAX_PRIME_LEN], scalar_b2[SAE_MAX_PRIME_LEN]; 902 903 /* Confirm 904 * CN(key, X, Y, Z, ...) = 905 * HMAC-SHA256(key, D2OS(X) || D2OS(Y) || D2OS(Z) | ...) 906 * confirm = CN(KCK, send-confirm, commit-scalar, COMMIT-ELEMENT, 907 * peer-commit-scalar, PEER-COMMIT-ELEMENT) 908 * verifier = CN(KCK, peer-send-confirm, peer-commit-scalar, 909 * PEER-COMMIT-ELEMENT, commit-scalar, COMMIT-ELEMENT) 910 */ 911 addr[0] = sc; 912 len[0] = 2; 913 crypto_bignum_to_bin(scalar1, scalar_b1, sizeof(scalar_b1), 914 sae->tmp->prime_len); 915 addr[1] = scalar_b1; 916 len[1] = sae->tmp->prime_len; 917 addr[2] = element1; 918 len[2] = element1_len; 919 crypto_bignum_to_bin(scalar2, scalar_b2, sizeof(scalar_b2), 920 sae->tmp->prime_len); 921 addr[3] = scalar_b2; 922 len[3] = sae->tmp->prime_len; 923 addr[4] = element2; 924 len[4] = element2_len; 925 hmac_sha256_vector(sae->tmp->kck, sizeof(sae->tmp->kck), 5, addr, len, 926 confirm); 927} 928 929 930static void sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc, 931 const struct crypto_bignum *scalar1, 932 const struct crypto_ec_point *element1, 933 const struct crypto_bignum *scalar2, 934 const struct crypto_ec_point *element2, 935 u8 *confirm) 936{ 937 u8 element_b1[2 * SAE_MAX_ECC_PRIME_LEN]; 938 u8 element_b2[2 * SAE_MAX_ECC_PRIME_LEN]; 939 940 crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1, 941 element_b1 + sae->tmp->prime_len); 942 crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2, 943 element_b2 + sae->tmp->prime_len); 944 945 sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len, 946 scalar2, element_b2, 2 * sae->tmp->prime_len, confirm); 947} 948 949 950static void sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc, 951 const struct crypto_bignum *scalar1, 952 const struct crypto_bignum *element1, 953 const struct crypto_bignum *scalar2, 954 const struct crypto_bignum *element2, 955 u8 *confirm) 956{ 957 u8 element_b1[SAE_MAX_PRIME_LEN]; 958 u8 element_b2[SAE_MAX_PRIME_LEN]; 959 960 crypto_bignum_to_bin(element1, element_b1, sizeof(element_b1), 961 sae->tmp->prime_len); 962 crypto_bignum_to_bin(element2, element_b2, sizeof(element_b2), 963 sae->tmp->prime_len); 964 965 sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len, 966 scalar2, element_b2, sae->tmp->prime_len, confirm); 967} 968 969 970void sae_write_confirm(struct sae_data *sae, struct wpabuf *buf) 971{ 972 const u8 *sc; 973 974 /* Send-Confirm */ 975 sc = wpabuf_put(buf, 0); 976 wpabuf_put_le16(buf, sae->send_confirm); 977 sae->send_confirm++; 978 979 if (sae->tmp->ec) 980 sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar, 981 sae->tmp->own_commit_element_ecc, 982 sae->peer_commit_scalar, 983 sae->tmp->peer_commit_element_ecc, 984 wpabuf_put(buf, SHA256_MAC_LEN)); 985 else 986 sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar, 987 sae->tmp->own_commit_element_ffc, 988 sae->peer_commit_scalar, 989 sae->tmp->peer_commit_element_ffc, 990 wpabuf_put(buf, SHA256_MAC_LEN)); 991} 992 993 994int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len) 995{ 996 u8 verifier[SHA256_MAC_LEN]; 997 998 if (len < 2 + SHA256_MAC_LEN) { 999 wpa_printf(MSG_DEBUG, "SAE: Too short confirm message"); 1000 return -1; 1001 } 1002 1003 wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data)); 1004 1005 if (sae->tmp->ec) 1006 sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar, 1007 sae->tmp->peer_commit_element_ecc, 1008 sae->tmp->own_commit_scalar, 1009 sae->tmp->own_commit_element_ecc, 1010 verifier); 1011 else 1012 sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar, 1013 sae->tmp->peer_commit_element_ffc, 1014 sae->tmp->own_commit_scalar, 1015 sae->tmp->own_commit_element_ffc, 1016 verifier); 1017 1018 if (os_memcmp(verifier, data + 2, SHA256_MAC_LEN) != 0) { 1019 wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch"); 1020 wpa_hexdump(MSG_DEBUG, "SAE: Received confirm", 1021 data + 2, SHA256_MAC_LEN); 1022 wpa_hexdump(MSG_DEBUG, "SAE: Calculated verifier", 1023 verifier, SHA256_MAC_LEN); 1024 return -1; 1025 } 1026 1027 return 0; 1028} 1029