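Lines matching refs:sae (each entry: source line number, the matching line, then the enclosing function; "argument" marks the line where sae is declared as a parameter)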
26 int sae_set_group(struct sae_data *sae, int group) in sae_set_group() argument
39 sae_clear_data(sae); in sae_set_group()
40 tmp = sae->tmp = os_zalloc(sizeof(*tmp)); in sae_set_group()
49 sae->group = group; in sae_set_group()
62 sae->group = group; in sae_set_group()
65 sae_clear_data(sae); in sae_set_group()
72 sae_clear_data(sae); in sae_set_group()
81 sae_clear_data(sae); in sae_set_group()
96 void sae_clear_temp_data(struct sae_data *sae) in sae_clear_temp_data() argument
99 if (sae == NULL || sae->tmp == NULL) in sae_clear_temp_data()
101 tmp = sae->tmp; in sae_clear_temp_data()
118 sae->tmp = NULL; in sae_clear_temp_data()
122 void sae_clear_data(struct sae_data *sae) in sae_clear_data() argument
124 if (sae == NULL) in sae_clear_data()
126 sae_clear_temp_data(sae); in sae_clear_data()
127 crypto_bignum_deinit(sae->peer_commit_scalar, 0); in sae_clear_data()
128 crypto_bignum_deinit(sae->peer_commit_scalar_accepted, 0); in sae_clear_data()
129 os_memset(sae, 0, sizeof(*sae)); in sae_clear_data()
147 static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, in sae_test_pwd_seed_ecc() argument
160 bits = crypto_ec_prime_len_bits(sae->tmp->ec); in sae_test_pwd_seed_ecc()
162 prime, sae->tmp->prime_len, pwd_value, bits) < 0) in sae_test_pwd_seed_ecc()
165 buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8); in sae_test_pwd_seed_ecc()
167 pwd_value, sae->tmp->prime_len); in sae_test_pwd_seed_ecc()
169 cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len); in sae_test_pwd_seed_ecc()
177 x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); in sae_test_pwd_seed_ecc()
180 y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand); in sae_test_pwd_seed_ecc()
185 res = dragonfly_is_quadratic_residue_blind(sae->tmp->ec, qr, qnr, in sae_test_pwd_seed_ecc()
196 static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed, in sae_test_pwd_seed_ffc() argument
200 size_t bits = sae->tmp->prime_len * 8; in sae_test_pwd_seed_ffc()
210 sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value, in sae_test_pwd_seed_ffc()
214 sae->tmp->prime_len); in sae_test_pwd_seed_ffc()
217 res = const_time_memcmp(pwd_value, sae->tmp->dh->prime, in sae_test_pwd_seed_ffc()
218 sae->tmp->prime_len); in sae_test_pwd_seed_ffc()
232 a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); in sae_test_pwd_seed_ffc()
239 if (sae->tmp->dh->safe_prime) { in sae_test_pwd_seed_ffc()
251 crypto_bignum_sub(sae->tmp->prime, b, b) < 0 || in sae_test_pwd_seed_ffc()
252 crypto_bignum_div(b, sae->tmp->order, b) < 0) in sae_test_pwd_seed_ffc()
259 res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe); in sae_test_pwd_seed_ffc()
283 static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, in sae_derive_pwe_ecc() argument
314 prime_len = sae->tmp->prime_len; in sae_derive_pwe_ecc()
315 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), in sae_derive_pwe_ecc()
323 if (dragonfly_get_random_qr_qnr(sae->tmp->prime, &qr, &qnr) < 0 || in sae_derive_pwe_ecc()
349 k = dragonfly_min_pwe_loop_iter(sae->group); in sae_derive_pwe_ecc()
367 res = sae_test_pwd_seed_ecc(sae, pwd_seed, in sae_derive_pwe_ecc()
410 y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x); in sae_derive_pwe_ecc()
412 dragonfly_sqrt(sae->tmp->ec, y, y) < 0 || in sae_derive_pwe_ecc()
415 crypto_bignum_sub(sae->tmp->prime, y, y) < 0 || in sae_derive_pwe_ecc()
427 crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1); in sae_derive_pwe_ecc()
428 sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y); in sae_derive_pwe_ecc()
429 if (!sae->tmp->pwe_ecc) { in sae_derive_pwe_ecc()
449 static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, in sae_derive_pwe_ffc() argument
461 size_t prime_len = sae->tmp->prime_len; in sae_derive_pwe_ffc()
464 crypto_bignum_deinit(sae->tmp->pwe_ffc, 1); in sae_derive_pwe_ffc()
465 sae->tmp->pwe_ffc = NULL; in sae_derive_pwe_ffc()
489 k = dragonfly_min_pwe_loop_iter(sae->group); in sae_derive_pwe_ffc()
505 res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe); in sae_derive_pwe_ffc()
527 sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len); in sae_derive_pwe_ffc()
531 return sae->tmp->pwe_ffc ? 0 : -1; in sae_derive_pwe_ffc()
1278 static int sae_derive_commit_element_ecc(struct sae_data *sae, in sae_derive_commit_element_ecc() argument
1282 if (!sae->tmp->own_commit_element_ecc) { in sae_derive_commit_element_ecc()
1283 sae->tmp->own_commit_element_ecc = in sae_derive_commit_element_ecc()
1284 crypto_ec_point_init(sae->tmp->ec); in sae_derive_commit_element_ecc()
1285 if (!sae->tmp->own_commit_element_ecc) in sae_derive_commit_element_ecc()
1289 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask, in sae_derive_commit_element_ecc()
1290 sae->tmp->own_commit_element_ecc) < 0 || in sae_derive_commit_element_ecc()
1291 crypto_ec_point_invert(sae->tmp->ec, in sae_derive_commit_element_ecc()
1292 sae->tmp->own_commit_element_ecc) < 0) { in sae_derive_commit_element_ecc()
1301 static int sae_derive_commit_element_ffc(struct sae_data *sae, in sae_derive_commit_element_ffc() argument
1305 if (!sae->tmp->own_commit_element_ffc) { in sae_derive_commit_element_ffc()
1306 sae->tmp->own_commit_element_ffc = crypto_bignum_init(); in sae_derive_commit_element_ffc()
1307 if (!sae->tmp->own_commit_element_ffc) in sae_derive_commit_element_ffc()
1311 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime, in sae_derive_commit_element_ffc()
1312 sae->tmp->own_commit_element_ffc) < 0 || in sae_derive_commit_element_ffc()
1313 crypto_bignum_inverse(sae->tmp->own_commit_element_ffc, in sae_derive_commit_element_ffc()
1314 sae->tmp->prime, in sae_derive_commit_element_ffc()
1315 sae->tmp->own_commit_element_ffc) < 0) { in sae_derive_commit_element_ffc()
1324 static int sae_derive_commit(struct sae_data *sae) in sae_derive_commit() argument
1330 if (!sae->tmp->sae_rand) in sae_derive_commit()
1331 sae->tmp->sae_rand = crypto_bignum_init(); in sae_derive_commit()
1332 if (!sae->tmp->own_commit_scalar) in sae_derive_commit()
1333 sae->tmp->own_commit_scalar = crypto_bignum_init(); in sae_derive_commit()
1334 ret = !mask || !sae->tmp->sae_rand || !sae->tmp->own_commit_scalar || in sae_derive_commit()
1335 dragonfly_generate_scalar(sae->tmp->order, sae->tmp->sae_rand, in sae_derive_commit()
1337 sae->tmp->own_commit_scalar) < 0 || in sae_derive_commit()
1338 (sae->tmp->ec && in sae_derive_commit()
1339 sae_derive_commit_element_ecc(sae, mask) < 0) || in sae_derive_commit()
1340 (sae->tmp->dh && in sae_derive_commit()
1341 sae_derive_commit_element_ffc(sae, mask) < 0); in sae_derive_commit()
1349 struct sae_data *sae) in sae_prepare_commit() argument
1351 if (sae->tmp == NULL || in sae_prepare_commit()
1352 (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password, in sae_prepare_commit()
1354 (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password, in sae_prepare_commit()
1358 sae->h2e = 0; in sae_prepare_commit()
1359 sae->pk = 0; in sae_prepare_commit()
1360 return sae_derive_commit(sae); in sae_prepare_commit()
1364 int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt, in sae_prepare_commit_pt() argument
1368 if (!sae->tmp) in sae_prepare_commit_pt()
1372 if (pt->group == sae->group) in sae_prepare_commit_pt()
1378 sae->group); in sae_prepare_commit_pt()
1383 os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len); in sae_prepare_commit_pt()
1384 sae->tmp->ssid_len = pt->ssid_len; in sae_prepare_commit_pt()
1385 sae->tmp->ap_pk = pk; in sae_prepare_commit_pt()
1387 sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0; in sae_prepare_commit_pt()
1388 wpabuf_free(sae->tmp->own_rejected_groups); in sae_prepare_commit_pt()
1389 sae->tmp->own_rejected_groups = NULL; in sae_prepare_commit_pt()
1400 sae->tmp->own_rejected_groups = groups; in sae_prepare_commit_pt()
1404 crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1); in sae_prepare_commit_pt()
1405 sae->tmp->pwe_ecc = sae_derive_pwe_from_pt_ecc(pt, addr1, in sae_prepare_commit_pt()
1407 if (!sae->tmp->pwe_ecc) in sae_prepare_commit_pt()
1412 crypto_bignum_deinit(sae->tmp->pwe_ffc, 1); in sae_prepare_commit_pt()
1413 sae->tmp->pwe_ffc = sae_derive_pwe_from_pt_ffc(pt, addr1, in sae_prepare_commit_pt()
1415 if (!sae->tmp->pwe_ffc) in sae_prepare_commit_pt()
1419 sae->h2e = 1; in sae_prepare_commit_pt()
1420 return sae_derive_commit(sae); in sae_prepare_commit_pt()
1424 static int sae_derive_k_ecc(struct sae_data *sae, u8 *k) in sae_derive_k_ecc() argument
1429 K = crypto_ec_point_init(sae->tmp->ec); in sae_derive_k_ecc()
1440 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, in sae_derive_k_ecc()
1441 sae->peer_commit_scalar, K) < 0 || in sae_derive_k_ecc()
1442 crypto_ec_point_add(sae->tmp->ec, K, in sae_derive_k_ecc()
1443 sae->tmp->peer_commit_element_ecc, K) < 0 || in sae_derive_k_ecc()
1444 crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 || in sae_derive_k_ecc()
1445 crypto_ec_point_is_at_infinity(sae->tmp->ec, K) || in sae_derive_k_ecc()
1446 crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) { in sae_derive_k_ecc()
1451 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); in sae_derive_k_ecc()
1460 static int sae_derive_k_ffc(struct sae_data *sae, u8 *k) in sae_derive_k_ffc() argument
1476 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar, in sae_derive_k_ffc()
1477 sae->tmp->prime, K) < 0 || in sae_derive_k_ffc()
1478 crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc, in sae_derive_k_ffc()
1479 sae->tmp->prime, K) < 0 || in sae_derive_k_ffc()
1480 crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0 in sae_derive_k_ffc()
1483 crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) < in sae_derive_k_ffc()
1489 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); in sae_derive_k_ffc()
1519 static int sae_derive_keys(struct sae_data *sae, const u8 *k) in sae_derive_keys() argument
1528 size_t hash_len, salt_len, prime_len = sae->tmp->prime_len; in sae_derive_keys()
1545 if (!sae->h2e) in sae_derive_keys()
1547 else if (sae->tmp->dh) in sae_derive_keys()
1551 if (wpa_key_mgmt_sae_ext_key(sae->akmp)) in sae_derive_keys()
1556 sae->h2e, sae->akmp, in sae_derive_keys()
1557 wpa_akm_to_suite(sae->akmp), in sae_derive_keys()
1558 wpa_key_mgmt_txt(sae->akmp, WPA_PROTO_RSN)); in sae_derive_keys()
1559 if (sae->h2e && (sae->tmp->own_rejected_groups || in sae_derive_keys()
1560 sae->tmp->peer_rejected_groups)) { in sae_derive_keys()
1563 own = sae->tmp->own_rejected_groups; in sae_derive_keys()
1564 peer = sae->tmp->peer_rejected_groups; in sae_derive_keys()
1573 if (sae->tmp->own_addr_higher) { in sae_derive_keys()
1599 if (crypto_bignum_add(sae->tmp->own_commit_scalar, in sae_derive_keys()
1600 sae->peer_commit_scalar, tmp) < 0 || in sae_derive_keys()
1601 crypto_bignum_mod(tmp, sae->tmp->order, tmp) < 0) in sae_derive_keys()
1610 sae->tmp->order_len) < 0) in sae_derive_keys()
1615 if (sae->pk) { in sae_derive_keys()
1617 val, sae->tmp->order_len, in sae_derive_keys()
1622 val, sae->tmp->order_len, in sae_derive_keys()
1628 val, sae->tmp->order_len, in sae_derive_keys()
1634 os_memcpy(sae->tmp->kck, keys, hash_len); in sae_derive_keys()
1635 sae->tmp->kck_len = hash_len; in sae_derive_keys()
1636 os_memcpy(sae->pmk, keys + hash_len, pmk_len); in sae_derive_keys()
1637 sae->pmk_len = pmk_len; in sae_derive_keys()
1638 os_memcpy(sae->pmkid, val, SAE_PMKID_LEN); in sae_derive_keys()
1640 if (sae->pk) { in sae_derive_keys()
1641 os_memcpy(sae->tmp->kek, keys + hash_len + SAE_PMK_LEN, in sae_derive_keys()
1643 sae->tmp->kek_len = hash_len; in sae_derive_keys()
1645 sae->tmp->kek, sae->tmp->kek_len); in sae_derive_keys()
1650 sae->tmp->kck, sae->tmp->kck_len); in sae_derive_keys()
1651 wpa_hexdump_key(MSG_DEBUG, "SAE: PMK", sae->pmk, sae->pmk_len); in sae_derive_keys()
1661 int sae_process_commit(struct sae_data *sae) in sae_process_commit() argument
1664 if (sae->tmp == NULL || in sae_process_commit()
1665 (sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) || in sae_process_commit()
1666 (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) || in sae_process_commit()
1667 sae_derive_keys(sae, k) < 0) in sae_process_commit()
1673 int sae_write_commit(struct sae_data *sae, struct wpabuf *buf, in sae_write_commit() argument
1678 if (sae->tmp == NULL) in sae_write_commit()
1681 wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */ in sae_write_commit()
1682 if (!sae->h2e && token) { in sae_write_commit()
1687 pos = wpabuf_put(buf, sae->tmp->prime_len); in sae_write_commit()
1688 if (crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos, in sae_write_commit()
1689 sae->tmp->prime_len, sae->tmp->prime_len) < 0) in sae_write_commit()
1692 pos, sae->tmp->prime_len); in sae_write_commit()
1693 if (sae->tmp->ec) { in sae_write_commit()
1694 pos = wpabuf_put(buf, 2 * sae->tmp->prime_len); in sae_write_commit()
1695 if (crypto_ec_point_to_bin(sae->tmp->ec, in sae_write_commit()
1696 sae->tmp->own_commit_element_ecc, in sae_write_commit()
1697 pos, pos + sae->tmp->prime_len) < 0) in sae_write_commit()
1700 pos, sae->tmp->prime_len); in sae_write_commit()
1702 pos + sae->tmp->prime_len, sae->tmp->prime_len); in sae_write_commit()
1704 pos = wpabuf_put(buf, sae->tmp->prime_len); in sae_write_commit()
1705 if (crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos, in sae_write_commit()
1706 sae->tmp->prime_len, in sae_write_commit()
1707 sae->tmp->prime_len) < 0) in sae_write_commit()
1710 pos, sae->tmp->prime_len); in sae_write_commit()
1723 if (sae->h2e && sae->tmp->own_rejected_groups) { in sae_write_commit()
1725 sae->tmp->own_rejected_groups); in sae_write_commit()
1728 1 + wpabuf_len(sae->tmp->own_rejected_groups)); in sae_write_commit()
1730 wpabuf_put_buf(buf, sae->tmp->own_rejected_groups); in sae_write_commit()
1733 if (sae->h2e && token) { in sae_write_commit()
1743 if (wpa_key_mgmt_sae_ext_key(sae->akmp)) { in sae_write_commit()
1744 u32 suite = wpa_akm_to_suite(sae->akmp); in sae_write_commit()
1751 sae->own_akm_suite_selector = suite; in sae_write_commit()
1758 u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, u16 group) in sae_group_allowed() argument
1774 if (sae->state == SAE_COMMITTED && group != sae->group) { in sae_group_allowed()
1779 if (group != sae->group && sae_set_group(sae, group) < 0) { in sae_group_allowed()
1785 if (sae->tmp == NULL) { in sae_group_allowed()
1790 if (sae->tmp->dh && !allowed_groups) { in sae_group_allowed()
1840 static void sae_parse_commit_token(struct sae_data *sae, const u8 **pos, in sae_parse_commit_token() argument
1854 scalar_elem_len = (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len; in sae_parse_commit_token()
1876 static void sae_parse_token_container(struct sae_data *sae, in sae_parse_token_container() argument
1891 static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos, in sae_parse_commit_scalar() argument
1896 if (sae->tmp->prime_len > end - *pos) { in sae_parse_commit_scalar()
1901 peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len); in sae_parse_commit_scalar()
1911 if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar_accepted && in sae_parse_commit_scalar()
1912 crypto_bignum_cmp(sae->peer_commit_scalar_accepted, in sae_parse_commit_scalar()
1923 crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) { in sae_parse_commit_scalar()
1930 crypto_bignum_deinit(sae->peer_commit_scalar, 0); in sae_parse_commit_scalar()
1931 sae->peer_commit_scalar = peer_scalar; in sae_parse_commit_scalar()
1933 *pos, sae->tmp->prime_len); in sae_parse_commit_scalar()
1934 *pos += sae->tmp->prime_len; in sae_parse_commit_scalar()
1940 static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 **pos, in sae_parse_commit_element_ecc() argument
1945 if (2 * sae->tmp->prime_len > end - *pos) { in sae_parse_commit_element_ecc()
1951 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), in sae_parse_commit_element_ecc()
1952 sae->tmp->prime_len) < 0) in sae_parse_commit_element_ecc()
1956 if (os_memcmp(*pos, prime, sae->tmp->prime_len) >= 0 || in sae_parse_commit_element_ecc()
1957 os_memcmp(*pos + sae->tmp->prime_len, prime, in sae_parse_commit_element_ecc()
1958 sae->tmp->prime_len) >= 0) { in sae_parse_commit_element_ecc()
1965 *pos, sae->tmp->prime_len); in sae_parse_commit_element_ecc()
1967 *pos + sae->tmp->prime_len, sae->tmp->prime_len); in sae_parse_commit_element_ecc()
1969 crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0); in sae_parse_commit_element_ecc()
1970 sae->tmp->peer_commit_element_ecc = in sae_parse_commit_element_ecc()
1971 crypto_ec_point_from_bin(sae->tmp->ec, *pos); in sae_parse_commit_element_ecc()
1972 if (!sae->tmp->peer_commit_element_ecc) { in sae_parse_commit_element_ecc()
1977 if (!crypto_ec_point_is_on_curve(sae->tmp->ec, in sae_parse_commit_element_ecc()
1978 sae->tmp->peer_commit_element_ecc)) { in sae_parse_commit_element_ecc()
1983 *pos += 2 * sae->tmp->prime_len; in sae_parse_commit_element_ecc()
1989 static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 **pos, in sae_parse_commit_element_ffc() argument
1995 if (sae->tmp->prime_len > end - *pos) { in sae_parse_commit_element_ffc()
2001 sae->tmp->prime_len); in sae_parse_commit_element_ffc()
2003 crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0); in sae_parse_commit_element_ffc()
2004 sae->tmp->peer_commit_element_ffc = in sae_parse_commit_element_ffc()
2005 crypto_bignum_init_set(*pos, sae->tmp->prime_len); in sae_parse_commit_element_ffc()
2006 if (sae->tmp->peer_commit_element_ffc == NULL) in sae_parse_commit_element_ffc()
2012 crypto_bignum_sub(sae->tmp->prime, one, res) || in sae_parse_commit_element_ffc()
2013 crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) || in sae_parse_commit_element_ffc()
2014 crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) || in sae_parse_commit_element_ffc()
2015 crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc, res) >= 0) { in sae_parse_commit_element_ffc()
2024 if (crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc, in sae_parse_commit_element_ffc()
2025 sae->tmp->order, sae->tmp->prime, res) < 0 || in sae_parse_commit_element_ffc()
2033 *pos += sae->tmp->prime_len; in sae_parse_commit_element_ffc()
2039 static u16 sae_parse_commit_element(struct sae_data *sae, const u8 **pos, in sae_parse_commit_element() argument
2042 if (sae->tmp->dh) in sae_parse_commit_element()
2043 return sae_parse_commit_element_ffc(sae, pos, end); in sae_parse_commit_element()
2044 return sae_parse_commit_element_ecc(sae, pos, end); in sae_parse_commit_element()
2048 static int sae_parse_password_identifier(struct sae_data *sae, in sae_parse_password_identifier() argument
2057 if (sae->tmp->pw_id) { in sae_parse_password_identifier()
2060 sae->tmp->pw_id); in sae_parse_password_identifier()
2063 os_free(sae->tmp->pw_id); in sae_parse_password_identifier()
2064 sae->tmp->pw_id = NULL; in sae_parse_password_identifier()
2076 if (sae->tmp->pw_id && in sae_parse_password_identifier()
2077 (len != os_strlen(sae->tmp->pw_id) || in sae_parse_password_identifier()
2078 os_memcmp(sae->tmp->pw_id, epos, len) != 0)) { in sae_parse_password_identifier()
2081 sae->tmp->pw_id); in sae_parse_password_identifier()
2085 os_free(sae->tmp->pw_id); in sae_parse_password_identifier()
2086 sae->tmp->pw_id = os_malloc(len + 1); in sae_parse_password_identifier()
2087 if (!sae->tmp->pw_id) in sae_parse_password_identifier()
2089 os_memcpy(sae->tmp->pw_id, epos, len); in sae_parse_password_identifier()
2090 sae->tmp->pw_id[len] = '\0'; in sae_parse_password_identifier()
2092 sae->tmp->pw_id, len); in sae_parse_password_identifier()
2098 static int sae_parse_rejected_groups(struct sae_data *sae, in sae_parse_rejected_groups() argument
2107 wpabuf_free(sae->tmp->peer_rejected_groups); in sae_parse_rejected_groups()
2108 sae->tmp->peer_rejected_groups = NULL; in sae_parse_rejected_groups()
2126 wpabuf_free(sae->tmp->peer_rejected_groups); in sae_parse_rejected_groups()
2127 sae->tmp->peer_rejected_groups = wpabuf_alloc(len); in sae_parse_rejected_groups()
2128 if (!sae->tmp->peer_rejected_groups) in sae_parse_rejected_groups()
2130 wpabuf_put_data(sae->tmp->peer_rejected_groups, epos, len); in sae_parse_rejected_groups()
2132 sae->tmp->peer_rejected_groups); in sae_parse_rejected_groups()
2138 static int sae_parse_akm_suite_selector(struct sae_data *sae, in sae_parse_akm_suite_selector() argument
2159 sae->peer_akm_suite_selector = RSN_SELECTOR_GET(epos); in sae_parse_akm_suite_selector()
2161 sae->peer_akm_suite_selector); in sae_parse_akm_suite_selector()
2167 u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len, in sae_parse_commit() argument
2177 res = sae_group_allowed(sae, allowed_groups, WPA_GET_LE16(pos)); in sae_parse_commit()
2183 sae_parse_commit_token(sae, &pos, end, token, token_len, h2e); in sae_parse_commit()
2186 res = sae_parse_commit_scalar(sae, &pos, end); in sae_parse_commit()
2191 res = sae_parse_commit_element(sae, &pos, end); in sae_parse_commit()
2199 res = sae_parse_password_identifier(sae, &pos, end); in sae_parse_commit()
2205 res = sae_parse_rejected_groups(sae, &pos, end); in sae_parse_commit()
2209 wpabuf_free(sae->tmp->peer_rejected_groups); in sae_parse_commit()
2210 sae->tmp->peer_rejected_groups = NULL; in sae_parse_commit()
2215 sae_parse_token_container(sae, pos, end, token, token_len); in sae_parse_commit()
2219 res = sae_parse_akm_suite_selector(sae, &pos, end); in sae_parse_commit()
2224 if (sae->own_akm_suite_selector && in sae_parse_commit()
2225 sae->own_akm_suite_selector != sae->peer_akm_suite_selector) { in sae_parse_commit()
2228 sae->own_akm_suite_selector, in sae_parse_commit()
2229 sae->peer_akm_suite_selector); in sae_parse_commit()
2233 if (!sae->akmp) { in sae_parse_commit()
2234 if (sae->peer_akm_suite_selector == in sae_parse_commit()
2236 sae->akmp = WPA_KEY_MGMT_SAE_EXT_KEY; in sae_parse_commit()
2237 else if (sae->peer_akm_suite_selector == in sae_parse_commit()
2239 sae->akmp = WPA_KEY_MGMT_FT_SAE_EXT_KEY; in sae_parse_commit()
2246 if (!sae->tmp->own_commit_scalar || in sae_parse_commit()
2247 crypto_bignum_cmp(sae->tmp->own_commit_scalar, in sae_parse_commit()
2248 sae->peer_commit_scalar) != 0 || in sae_parse_commit()
2249 (sae->tmp->dh && in sae_parse_commit()
2250 (!sae->tmp->own_commit_element_ffc || in sae_parse_commit()
2251 crypto_bignum_cmp(sae->tmp->own_commit_element_ffc, in sae_parse_commit()
2252 sae->tmp->peer_commit_element_ffc) != 0)) || in sae_parse_commit()
2253 (sae->tmp->ec && in sae_parse_commit()
2254 (!sae->tmp->own_commit_element_ecc || in sae_parse_commit()
2255 crypto_ec_point_cmp(sae->tmp->ec, in sae_parse_commit()
2256 sae->tmp->own_commit_element_ecc, in sae_parse_commit()
2257 sae->tmp->peer_commit_element_ecc) != 0))) in sae_parse_commit()
2269 static int sae_cn_confirm(struct sae_data *sae, const u8 *sc, in sae_cn_confirm() argument
2289 sae->tmp->prime_len) < 0 || in sae_cn_confirm()
2291 sae->tmp->prime_len) < 0) in sae_cn_confirm()
2296 len[1] = sae->tmp->prime_len; in sae_cn_confirm()
2300 len[3] = sae->tmp->prime_len; in sae_cn_confirm()
2303 return hkdf_extract(sae->tmp->kck_len, sae->tmp->kck, sae->tmp->kck_len, in sae_cn_confirm()
2308 static int sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc, in sae_cn_confirm_ecc() argument
2318 if (crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1, in sae_cn_confirm_ecc()
2319 element_b1 + sae->tmp->prime_len) < 0 || in sae_cn_confirm_ecc()
2320 crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2, in sae_cn_confirm_ecc()
2321 element_b2 + sae->tmp->prime_len) < 0 || in sae_cn_confirm_ecc()
2322 sae_cn_confirm(sae, sc, scalar1, element_b1, in sae_cn_confirm_ecc()
2323 2 * sae->tmp->prime_len, in sae_cn_confirm_ecc()
2324 scalar2, element_b2, 2 * sae->tmp->prime_len, in sae_cn_confirm_ecc()
2331 static int sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc, in sae_cn_confirm_ffc() argument
2342 sae->tmp->prime_len) < 0 || in sae_cn_confirm_ffc()
2344 sae->tmp->prime_len) < 0 || in sae_cn_confirm_ffc()
2345 sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len, in sae_cn_confirm_ffc()
2346 scalar2, element_b2, sae->tmp->prime_len, in sae_cn_confirm_ffc()
2353 int sae_write_confirm(struct sae_data *sae, struct wpabuf *buf) in sae_write_confirm() argument
2359 if (sae->tmp == NULL) in sae_write_confirm()
2362 hash_len = sae->tmp->kck_len; in sae_write_confirm()
2365 if (sae->send_confirm < 0xffff) in sae_write_confirm()
2366 sae->send_confirm++; in sae_write_confirm()
2368 wpabuf_put_le16(buf, sae->send_confirm); in sae_write_confirm()
2370 if (sae->tmp->ec) in sae_write_confirm()
2371 res = sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar, in sae_write_confirm()
2372 sae->tmp->own_commit_element_ecc, in sae_write_confirm()
2373 sae->peer_commit_scalar, in sae_write_confirm()
2374 sae->tmp->peer_commit_element_ecc, in sae_write_confirm()
2377 res = sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar, in sae_write_confirm()
2378 sae->tmp->own_commit_element_ffc, in sae_write_confirm()
2379 sae->peer_commit_scalar, in sae_write_confirm()
2380 sae->tmp->peer_commit_element_ffc, in sae_write_confirm()
2386 if (sae_write_confirm_pk(sae, buf) < 0) in sae_write_confirm()
2394 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len, in sae_check_confirm() argument
2400 if (!sae->tmp) in sae_check_confirm()
2403 hash_len = sae->tmp->kck_len; in sae_check_confirm()
2411 if (!sae->peer_commit_scalar || !sae->tmp->own_commit_scalar) { in sae_check_confirm()
2416 if (sae->tmp->ec) { in sae_check_confirm()
2417 if (!sae->tmp->peer_commit_element_ecc || in sae_check_confirm()
2418 !sae->tmp->own_commit_element_ecc || in sae_check_confirm()
2419 sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar, in sae_check_confirm()
2420 sae->tmp->peer_commit_element_ecc, in sae_check_confirm()
2421 sae->tmp->own_commit_scalar, in sae_check_confirm()
2422 sae->tmp->own_commit_element_ecc, in sae_check_confirm()
2426 if (!sae->tmp->peer_commit_element_ffc || in sae_check_confirm()
2427 !sae->tmp->own_commit_element_ffc || in sae_check_confirm()
2428 sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar, in sae_check_confirm()
2429 sae->tmp->peer_commit_element_ffc, in sae_check_confirm()
2430 sae->tmp->own_commit_scalar, in sae_check_confirm()
2431 sae->tmp->own_commit_element_ffc, in sae_check_confirm()
2446 if (sae_check_confirm_pk(sae, data + 2 + hash_len, in sae_check_confirm()