1 /* 2 * Simultaneous authentication of equals 3 * Copyright (c) 2012-2016, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "common/defs.h" 13 #include "common/wpa_common.h" 14 #include "utils/const_time.h" 15 #include "crypto/crypto.h" 16 #include "crypto/sha256.h" 17 #include "crypto/sha384.h" 18 #include "crypto/sha512.h" 19 #include "crypto/random.h" 20 #include "crypto/dh_groups.h" 21 #include "ieee802_11_defs.h" 22 #include "dragonfly.h" 23 #include "sae.h" 24 25 26 int sae_set_group(struct sae_data *sae, int group) 27 { 28 struct sae_temporary_data *tmp; 29 30 #ifdef CONFIG_TESTING_OPTIONS 31 /* Allow all groups for testing purposes in non-production builds. */ 32 #else /* CONFIG_TESTING_OPTIONS */ 33 if (!dragonfly_suitable_group(group, 0)) { 34 wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group); 35 return -1; 36 } 37 #endif /* CONFIG_TESTING_OPTIONS */ 38 39 sae_clear_data(sae); 40 tmp = sae->tmp = os_zalloc(sizeof(*tmp)); 41 if (tmp == NULL) 42 return -1; 43 44 /* First, check if this is an ECC group */ 45 tmp->ec = crypto_ec_init(group); 46 if (tmp->ec) { 47 wpa_printf(MSG_DEBUG, "SAE: Selecting supported ECC group %d", 48 group); 49 sae->group = group; 50 tmp->prime_len = crypto_ec_prime_len(tmp->ec); 51 tmp->prime = crypto_ec_get_prime(tmp->ec); 52 tmp->order_len = crypto_ec_order_len(tmp->ec); 53 tmp->order = crypto_ec_get_order(tmp->ec); 54 return 0; 55 } 56 57 /* Not an ECC group, check FFC */ 58 tmp->dh = dh_groups_get(group); 59 if (tmp->dh) { 60 wpa_printf(MSG_DEBUG, "SAE: Selecting supported FFC group %d", 61 group); 62 sae->group = group; 63 tmp->prime_len = tmp->dh->prime_len; 64 if (tmp->prime_len > SAE_MAX_PRIME_LEN) { 65 sae_clear_data(sae); 66 return -1; 67 } 68 69 tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime, 70 tmp->prime_len); 71 if (tmp->prime_buf == NULL) { 72 sae_clear_data(sae); 73 return -1; 74 } 75 tmp->prime = tmp->prime_buf; 76 77 tmp->order_len = tmp->dh->order_len; 78 tmp->order_buf = crypto_bignum_init_set(tmp->dh->order, 79 tmp->dh->order_len); 80 if (tmp->order_buf == NULL) { 81 sae_clear_data(sae); 82 return -1; 83 } 84 tmp->order = tmp->order_buf; 85 86 return 0; 87 } 88 89 /* Unsupported group */ 90 wpa_printf(MSG_DEBUG, 91 "SAE: Group %d not supported by the crypto library", group); 92 return -1; 93 } 94 95 96 void sae_clear_temp_data(struct sae_data *sae) 97 { 98 struct sae_temporary_data *tmp; 99 if (sae == NULL || sae->tmp == NULL) 100 return; 101 tmp = sae->tmp; 102 crypto_ec_deinit(tmp->ec); 103 crypto_bignum_deinit(tmp->prime_buf, 0); 104 crypto_bignum_deinit(tmp->order_buf, 0); 105 crypto_bignum_deinit(tmp->sae_rand, 1); 106 crypto_bignum_deinit(tmp->pwe_ffc, 1); 107 crypto_bignum_deinit(tmp->own_commit_scalar, 0); 108 crypto_bignum_deinit(tmp->own_commit_element_ffc, 0); 109 crypto_bignum_deinit(tmp->peer_commit_element_ffc, 0); 110 crypto_ec_point_deinit(tmp->pwe_ecc, 1); 111 crypto_ec_point_deinit(tmp->own_commit_element_ecc, 0); 112 crypto_ec_point_deinit(tmp->peer_commit_element_ecc, 0); 113 wpabuf_free(tmp->anti_clogging_token); 114 wpabuf_free(tmp->own_rejected_groups); 115 wpabuf_free(tmp->peer_rejected_groups); 116 os_free(tmp->pw_id); 117 bin_clear_free(tmp, sizeof(*tmp)); 118 sae->tmp = NULL; 119 } 120 121 122 void sae_clear_data(struct sae_data *sae) 123 { 124 if (sae == NULL) 125 return; 126 sae_clear_temp_data(sae); 127 crypto_bignum_deinit(sae->peer_commit_scalar, 0); 128 crypto_bignum_deinit(sae->peer_commit_scalar_accepted, 0); 129 os_memset(sae, 0, sizeof(*sae)); 130 } 131 132 133 static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key) 134 { 135 wpa_printf(MSG_DEBUG, "SAE: PWE derivation - addr1=" MACSTR 136 " addr2=" MACSTR, MAC2STR(addr1), MAC2STR(addr2)); 137 if (os_memcmp(addr1, addr2, ETH_ALEN) > 0) { 138 os_memcpy(key, addr1, ETH_ALEN); 139 os_memcpy(key + ETH_ALEN, addr2, ETH_ALEN); 140 } else { 141 os_memcpy(key, addr2, ETH_ALEN); 142 os_memcpy(key + ETH_ALEN, addr1, ETH_ALEN); 143 } 144 } 145 146 147 static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, 148 const u8 *prime, const u8 *qr, const u8 *qnr, 149 u8 *pwd_value) 150 { 151 struct crypto_bignum *y_sqr, *x_cand; 152 int res; 153 size_t bits; 154 int cmp_prime; 155 unsigned int in_range; 156 157 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN); 158 159 /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */ 160 bits = crypto_ec_prime_len_bits(sae->tmp->ec); 161 if (sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking", 162 prime, sae->tmp->prime_len, pwd_value, bits) < 0) 163 return -1; 164 if (bits % 8) 165 buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8); 166 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", 167 pwd_value, sae->tmp->prime_len); 168 169 cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len); 170 /* Create a const_time mask for selection based on prf result 171 * being smaller than prime. */ 172 in_range = const_time_fill_msb((unsigned int) cmp_prime); 173 /* The algorithm description would skip the next steps if 174 * cmp_prime >= 0 (return 0 here), but go through them regardless to 175 * minimize externally observable differences in behavior. */ 176 177 x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); 178 if (!x_cand) 179 return -1; 180 y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand); 181 crypto_bignum_deinit(x_cand, 1); 182 if (!y_sqr) 183 return -1; 184 185 res = dragonfly_is_quadratic_residue_blind(sae->tmp->ec, qr, qnr, 186 y_sqr); 187 crypto_bignum_deinit(y_sqr, 1); 188 if (res < 0) 189 return res; 190 return const_time_select_int(in_range, res, 0); 191 } 192 193 194 /* Returns -1 on fatal failure, 0 if PWE cannot be derived from the provided 195 * pwd-seed, or 1 if a valid PWE was derived from pwd-seed. */ 196 static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed, 197 struct crypto_bignum *pwe) 198 { 199 u8 pwd_value[SAE_MAX_PRIME_LEN]; 200 size_t bits = sae->tmp->prime_len * 8; 201 u8 exp[1]; 202 struct crypto_bignum *a, *b = NULL; 203 int res, is_val; 204 u8 pwd_value_valid; 205 206 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN); 207 208 /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */ 209 if (sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking", 210 sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value, 211 bits) < 0) 212 return -1; 213 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value, 214 sae->tmp->prime_len); 215 216 /* Check whether pwd-value < p */ 217 res = const_time_memcmp(pwd_value, sae->tmp->dh->prime, 218 sae->tmp->prime_len); 219 /* pwd-value >= p is invalid, so res is < 0 for the valid cases and 220 * the negative sign can be used to fill the mask for constant time 221 * selection */ 222 pwd_value_valid = const_time_fill_msb(res); 223 224 /* If pwd-value >= p, force pwd-value to be < p and perform the 225 * calculations anyway to hide timing difference. The derived PWE will 226 * be ignored in that case. */ 227 pwd_value[0] = const_time_select_u8(pwd_value_valid, pwd_value[0], 0); 228 229 /* PWE = pwd-value^((p-1)/r) modulo p */ 230 231 res = -1; 232 a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); 233 if (!a) 234 goto fail; 235 236 /* This is an optimization based on the used group that does not depend 237 * on the password in any way, so it is fine to use separate branches 238 * for this step without constant time operations. */ 239 if (sae->tmp->dh->safe_prime) { 240 /* 241 * r = (p-1)/2 for the group used here, so this becomes: 242 * PWE = pwd-value^2 modulo p 243 */ 244 exp[0] = 2; 245 b = crypto_bignum_init_set(exp, sizeof(exp)); 246 } else { 247 /* Calculate exponent: (p-1)/r */ 248 exp[0] = 1; 249 b = crypto_bignum_init_set(exp, sizeof(exp)); 250 if (b == NULL || 251 crypto_bignum_sub(sae->tmp->prime, b, b) < 0 || 252 crypto_bignum_div(b, sae->tmp->order, b) < 0) 253 goto fail; 254 } 255 256 if (!b) 257 goto fail; 258 259 res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe); 260 if (res < 0) 261 goto fail; 262 263 /* There were no fatal errors in calculations, so determine the return 264 * value using constant time operations. We get here for number of 265 * invalid cases which are cleared here after having performed all the 266 * computation. PWE is valid if pwd-value was less than prime and 267 * PWE > 1. Start with pwd-value check first and then use constant time 268 * operations to clear res to 0 if PWE is 0 or 1. 269 */ 270 res = const_time_select_u8(pwd_value_valid, 1, 0); 271 is_val = crypto_bignum_is_zero(pwe); 272 res = const_time_select_u8(const_time_is_zero(is_val), res, 0); 273 is_val = crypto_bignum_is_one(pwe); 274 res = const_time_select_u8(const_time_is_zero(is_val), res, 0); 275 276 fail: 277 crypto_bignum_deinit(a, 1); 278 crypto_bignum_deinit(b, 1); 279 return res; 280 } 281 282 283 static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, 284 const u8 *addr2, const u8 *password, 285 size_t password_len) 286 { 287 u8 counter, k; 288 u8 addrs[2 * ETH_ALEN]; 289 const u8 *addr[2]; 290 size_t len[2]; 291 u8 *stub_password, *tmp_password; 292 int pwd_seed_odd = 0; 293 u8 prime[SAE_MAX_ECC_PRIME_LEN]; 294 size_t prime_len; 295 struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL; 296 u8 x_bin[SAE_MAX_ECC_PRIME_LEN]; 297 u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN]; 298 u8 qr_bin[SAE_MAX_ECC_PRIME_LEN]; 299 u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN]; 300 u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN]; 301 int res = -1; 302 u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_* 303 * mask */ 304 unsigned int is_eq; 305 306 os_memset(x_bin, 0, sizeof(x_bin)); 307 308 stub_password = os_malloc(password_len); 309 tmp_password = os_malloc(password_len); 310 if (!stub_password || !tmp_password || 311 random_get_bytes(stub_password, password_len) < 0) 312 goto fail; 313 314 prime_len = sae->tmp->prime_len; 315 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), 316 prime_len) < 0) 317 goto fail; 318 319 /* 320 * Create a random quadratic residue (qr) and quadratic non-residue 321 * (qnr) modulo p for blinding purposes during the loop. 322 */ 323 if (dragonfly_get_random_qr_qnr(sae->tmp->prime, &qr, &qnr) < 0 || 324 crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 || 325 crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0) 326 goto fail; 327 328 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", 329 password, password_len); 330 331 /* 332 * H(salt, ikm) = HMAC-SHA256(salt, ikm) 333 * base = password 334 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC), 335 * base || counter) 336 */ 337 sae_pwd_seed_key(addr1, addr2, addrs); 338 339 addr[0] = tmp_password; 340 len[0] = password_len; 341 addr[1] = &counter; 342 len[1] = sizeof(counter); 343 344 /* 345 * Continue for at least k iterations to protect against side-channel 346 * attacks that attempt to determine the number of iterations required 347 * in the loop. 348 */ 349 k = dragonfly_min_pwe_loop_iter(sae->group); 350 351 for (counter = 1; counter <= k || !found; counter++) { 352 u8 pwd_seed[SHA256_MAC_LEN]; 353 354 if (counter > 200) { 355 /* This should not happen in practice */ 356 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE"); 357 break; 358 } 359 360 wpa_printf(MSG_DEBUG, "SAE: counter = %03u", counter); 361 const_time_select_bin(found, stub_password, password, 362 password_len, tmp_password); 363 if (hmac_sha256_vector(addrs, sizeof(addrs), 2, 364 addr, len, pwd_seed) < 0) 365 break; 366 367 res = sae_test_pwd_seed_ecc(sae, pwd_seed, 368 prime, qr_bin, qnr_bin, x_cand_bin); 369 const_time_select_bin(found, x_bin, x_cand_bin, prime_len, 370 x_bin); 371 pwd_seed_odd = const_time_select_u8( 372 found, pwd_seed_odd, 373 pwd_seed[SHA256_MAC_LEN - 1] & 0x01); 374 os_memset(pwd_seed, 0, sizeof(pwd_seed)); 375 if (res < 0) 376 goto fail; 377 /* Need to minimize differences in handling res == 0 and 1 here 378 * to avoid differences in timing and instruction cache access, 379 * so use const_time_select_*() to make local copies of the 380 * values based on whether this loop iteration was the one that 381 * found the pwd-seed/x. */ 382 383 /* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them 384 * (with res converted to 0/0xff) handles this in constant time. 385 */ 386 found |= res * 0xff; 387 wpa_printf(MSG_DEBUG, "SAE: pwd-seed result %d found=0x%02x", 388 res, found); 389 } 390 391 if (!found) { 392 wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE"); 393 res = -1; 394 goto fail; 395 } 396 397 x = crypto_bignum_init_set(x_bin, prime_len); 398 if (!x) { 399 res = -1; 400 goto fail; 401 } 402 403 /* y = sqrt(x^3 + ax + b) mod p 404 * if LSB(save) == LSB(y): PWE = (x, y) 405 * else: PWE = (x, p - y) 406 * 407 * Calculate y and the two possible values for PWE and after that, 408 * use constant time selection to copy the correct alternative. 409 */ 410 y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x); 411 if (!y || 412 dragonfly_sqrt(sae->tmp->ec, y, y) < 0 || 413 crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN, 414 prime_len) < 0 || 415 crypto_bignum_sub(sae->tmp->prime, y, y) < 0 || 416 crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN, 417 SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) { 418 wpa_printf(MSG_DEBUG, "SAE: Could not solve y"); 419 goto fail; 420 } 421 422 is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01); 423 const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN, 424 prime_len, x_y + prime_len); 425 os_memcpy(x_y, x_bin, prime_len); 426 wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len); 427 crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1); 428 sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y); 429 if (!sae->tmp->pwe_ecc) { 430 wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE"); 431 res = -1; 432 } 433 434 fail: 435 forced_memzero(x_y, sizeof(x_y)); 436 crypto_bignum_deinit(qr, 0); 437 crypto_bignum_deinit(qnr, 0); 438 crypto_bignum_deinit(y, 1); 439 os_free(stub_password); 440 bin_clear_free(tmp_password, password_len); 441 crypto_bignum_deinit(x, 1); 442 os_memset(x_bin, 0, sizeof(x_bin)); 443 os_memset(x_cand_bin, 0, sizeof(x_cand_bin)); 444 445 return res; 446 } 447 448 449 static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, 450 const u8 *addr2, const u8 *password, 451 size_t password_len) 452 { 453 u8 counter, k, sel_counter = 0; 454 u8 addrs[2 * ETH_ALEN]; 455 const u8 *addr[2]; 456 size_t len[2]; 457 u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_* 458 * mask */ 459 u8 mask; 460 struct crypto_bignum *pwe; 461 size_t prime_len = sae->tmp->prime_len; 462 u8 *pwe_buf; 463 464 crypto_bignum_deinit(sae->tmp->pwe_ffc, 1); 465 sae->tmp->pwe_ffc = NULL; 466 467 /* Allocate a buffer to maintain selected and candidate PWE for constant 468 * time selection. */ 469 pwe_buf = os_zalloc(prime_len * 2); 470 pwe = crypto_bignum_init(); 471 if (!pwe_buf || !pwe) 472 goto fail; 473 474 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", 475 password, password_len); 476 477 /* 478 * H(salt, ikm) = HMAC-SHA256(salt, ikm) 479 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC), 480 * password || counter) 481 */ 482 sae_pwd_seed_key(addr1, addr2, addrs); 483 484 addr[0] = password; 485 len[0] = password_len; 486 addr[1] = &counter; 487 len[1] = sizeof(counter); 488 489 k = dragonfly_min_pwe_loop_iter(sae->group); 490 491 for (counter = 1; counter <= k || !found; counter++) { 492 u8 pwd_seed[SHA256_MAC_LEN]; 493 int res; 494 495 if (counter > 200) { 496 /* This should not happen in practice */ 497 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE"); 498 break; 499 } 500 501 wpa_printf(MSG_DEBUG, "SAE: counter = %02u", counter); 502 if (hmac_sha256_vector(addrs, sizeof(addrs), 2, 503 addr, len, pwd_seed) < 0) 504 break; 505 res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe); 506 /* res is -1 for fatal failure, 0 if a valid PWE was not found, 507 * or 1 if a valid PWE was found. */ 508 if (res < 0) 509 break; 510 /* Store the candidate PWE into the second half of pwe_buf and 511 * the selected PWE in the beginning of pwe_buf using constant 512 * time selection. */ 513 if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len, 514 prime_len) < 0) 515 break; 516 const_time_select_bin(found, pwe_buf, pwe_buf + prime_len, 517 prime_len, pwe_buf); 518 sel_counter = const_time_select_u8(found, sel_counter, counter); 519 mask = const_time_eq_u8(res, 1); 520 found = const_time_select_u8(found, found, mask); 521 } 522 523 if (!found) 524 goto fail; 525 526 wpa_printf(MSG_DEBUG, "SAE: Use PWE from counter = %02u", sel_counter); 527 sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len); 528 fail: 529 crypto_bignum_deinit(pwe, 1); 530 bin_clear_free(pwe_buf, prime_len * 2); 531 return sae->tmp->pwe_ffc ? 0 : -1; 532 } 533 534 535 static int hkdf_extract(size_t hash_len, const u8 *salt, size_t salt_len, 536 size_t num_elem, const u8 *addr[], const size_t len[], 537 u8 *prk) 538 { 539 if (hash_len == 32) 540 return hmac_sha256_vector(salt, salt_len, num_elem, addr, len, 541 prk); 542 #ifdef CONFIG_SHA384 543 if (hash_len == 48) 544 return hmac_sha384_vector(salt, salt_len, num_elem, addr, len, 545 prk); 546 #endif /* CONFIG_SHA384 */ 547 #ifdef CONFIG_SHA512 548 if (hash_len == 64) 549 return hmac_sha512_vector(salt, salt_len, num_elem, addr, len, 550 prk); 551 #endif /* CONFIG_SHA512 */ 552 return -1; 553 } 554 555 556 static int hkdf_expand(size_t hash_len, const u8 *prk, size_t prk_len, 557 const char *info, u8 *okm, size_t okm_len) 558 { 559 size_t info_len = os_strlen(info); 560 561 if (hash_len == 32) 562 return hmac_sha256_kdf(prk, prk_len, NULL, 563 (const u8 *) info, info_len, 564 okm, okm_len); 565 #ifdef CONFIG_SHA384 566 if (hash_len == 48) 567 return hmac_sha384_kdf(prk, prk_len, NULL, 568 (const u8 *) info, info_len, 569 okm, okm_len); 570 #endif /* CONFIG_SHA384 */ 571 #ifdef CONFIG_SHA512 572 if (hash_len == 64) 573 return hmac_sha512_kdf(prk, prk_len, NULL, 574 (const u8 *) info, info_len, 575 okm, okm_len); 576 #endif /* CONFIG_SHA512 */ 577 return -1; 578 } 579 580 581 static int sswu_curve_param(int group, int *z) 582 { 583 switch (group) { 584 case 19: 585 *z = -10; 586 return 0; 587 case 20: 588 *z = -12; 589 return 0; 590 case 21: 591 *z = -4; 592 return 0; 593 case 25: 594 case 29: 595 *z = -5; 596 return 0; 597 case 26: 598 *z = 31; 599 return 0; 600 case 28: 601 *z = -2; 602 return 0; 603 case 30: 604 *z = 7; 605 return 0; 606 default: 607 return -1; 608 } 609 } 610 611 612 static void debug_print_bignum(const char *title, const struct crypto_bignum *a, 613 size_t prime_len) 614 { 615 u8 *bin; 616 617 bin = os_malloc(prime_len); 618 if (bin && crypto_bignum_to_bin(a, bin, prime_len, prime_len) >= 0) 619 wpa_hexdump_key(MSG_DEBUG, title, bin, prime_len); 620 else 621 wpa_printf(MSG_DEBUG, "Could not print bignum (%s)", title); 622 bin_clear_free(bin, prime_len); 623 } 624 625 626 static struct crypto_ec_point * sswu(struct crypto_ec *ec, int group, 627 const struct crypto_bignum *u) 628 { 629 int z_int; 630 const struct crypto_bignum *a, *b, *prime; 631 struct crypto_bignum *u2, *t1, *t2, *z, *t, *zero, *one, *two, *three, 632 *x1a, *x1b, *y = NULL; 633 struct crypto_bignum *x1 = NULL, *x2, *gx1, *gx2, *v = NULL; 634 unsigned int m_is_zero, is_qr, is_eq; 635 size_t prime_len; 636 u8 bin[SAE_MAX_ECC_PRIME_LEN]; 637 u8 bin1[SAE_MAX_ECC_PRIME_LEN]; 638 u8 bin2[SAE_MAX_ECC_PRIME_LEN]; 639 u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN]; 640 struct crypto_ec_point *p = NULL; 641 642 if (sswu_curve_param(group, &z_int) < 0) 643 return NULL; 644 645 prime = crypto_ec_get_prime(ec); 646 prime_len = crypto_ec_prime_len(ec); 647 a = crypto_ec_get_a(ec); 648 b = crypto_ec_get_b(ec); 649 650 u2 = crypto_bignum_init(); 651 t1 = crypto_bignum_init(); 652 t2 = crypto_bignum_init(); 653 z = crypto_bignum_init_uint(abs(z_int)); 654 t = crypto_bignum_init(); 655 zero = crypto_bignum_init_uint(0); 656 one = crypto_bignum_init_uint(1); 657 two = crypto_bignum_init_uint(2); 658 three = crypto_bignum_init_uint(3); 659 x1a = crypto_bignum_init(); 660 x1b = crypto_bignum_init(); 661 x2 = crypto_bignum_init(); 662 gx1 = crypto_bignum_init(); 663 gx2 = crypto_bignum_init(); 664 if (!u2 || !t1 || !t2 || !z || !t || !zero || !one || !two || !three || 665 !x1a || !x1b || !x2 || !gx1 || !gx2) 666 goto fail; 667 668 if (z_int < 0 && crypto_bignum_sub(prime, z, z) < 0) 669 goto fail; 670 671 /* m = z^2 * u^4 + z * u^2 */ 672 /* --> tmp = z * u^2, m = tmp^2 + tmp */ 673 674 /* u2 = u^2 675 * t1 = z * u2 676 * t2 = t1^2 677 * m = t1 = t1 + t2 */ 678 if (crypto_bignum_sqrmod(u, prime, u2) < 0 || 679 crypto_bignum_mulmod(z, u2, prime, t1) < 0 || 680 crypto_bignum_sqrmod(t1, prime, t2) < 0 || 681 crypto_bignum_addmod(t1, t2, prime, t1) < 0) 682 goto fail; 683 debug_print_bignum("SSWU: m", t1, prime_len); 684 685 /* l = CEQ(m, 0) 686 * t = CSEL(l, 0, inverse(m); where inverse(x) is calculated as 687 * x^(p-2) modulo p which will handle m == 0 case correctly */ 688 /* TODO: Make sure crypto_bignum_is_zero() is constant time */ 689 m_is_zero = const_time_eq(crypto_bignum_is_zero(t1), 1); 690 /* t = m^(p-2) modulo p */ 691 if (crypto_bignum_sub(prime, two, t2) < 0 || 692 crypto_bignum_exptmod(t1, t2, prime, t) < 0) 693 goto fail; 694 debug_print_bignum("SSWU: t", t, prime_len); 695 696 /* b / (z * a) */ 697 if (crypto_bignum_mulmod(z, a, prime, t1) < 0 || 698 crypto_bignum_inverse(t1, prime, t1) < 0 || 699 crypto_bignum_mulmod(b, t1, prime, x1a) < 0) 700 goto fail; 701 debug_print_bignum("SSWU: x1a = b / (z * a)", x1a, prime_len); 702 703 /* (-b/a) * (1 + t) */ 704 if (crypto_bignum_sub(prime, b, t1) < 0 || 705 crypto_bignum_inverse(a, prime, t2) < 0 || 706 crypto_bignum_mulmod(t1, t2, prime, t1) < 0 || 707 crypto_bignum_addmod(one, t, prime, t2) < 0 || 708 crypto_bignum_mulmod(t1, t2, prime, x1b) < 0) 709 goto fail; 710 debug_print_bignum("SSWU: x1b = (-b/a) * (1 + t)", x1b, prime_len); 711 712 /* x1 = CSEL(CEQ(m, 0), x1a, x1b) */ 713 if (crypto_bignum_to_bin(x1a, bin1, sizeof(bin1), prime_len) < 0 || 714 crypto_bignum_to_bin(x1b, bin2, sizeof(bin2), prime_len) < 0) 715 goto fail; 716 const_time_select_bin(m_is_zero, bin1, bin2, prime_len, bin); 717 x1 = crypto_bignum_init_set(bin, prime_len); 718 if (!x1) 719 goto fail; 720 debug_print_bignum("SSWU: x1 = CSEL(l, x1a, x1b)", x1, prime_len); 721 722 /* gx1 = x1^3 + a * x1 + b */ 723 if (crypto_bignum_exptmod(x1, three, prime, t1) < 0 || 724 crypto_bignum_mulmod(a, x1, prime, t2) < 0 || 725 crypto_bignum_addmod(t1, t2, prime, t1) < 0 || 726 crypto_bignum_addmod(t1, b, prime, gx1) < 0) 727 goto fail; 728 debug_print_bignum("SSWU: gx1 = x1^3 + a * x1 + b", gx1, prime_len); 729 730 /* x2 = z * u^2 * x1 */ 731 if (crypto_bignum_mulmod(z, u2, prime, t1) < 0 || 732 crypto_bignum_mulmod(t1, x1, prime, x2) < 0) 733 goto fail; 734 debug_print_bignum("SSWU: x2 = z * u^2 * x1", x2, prime_len); 735 736 /* gx2 = x2^3 + a * x2 + b */ 737 if (crypto_bignum_exptmod(x2, three, prime, t1) < 0 || 738 crypto_bignum_mulmod(a, x2, prime, t2) < 0 || 739 crypto_bignum_addmod(t1, t2, prime, t1) < 0 || 740 crypto_bignum_addmod(t1, b, prime, gx2) < 0) 741 goto fail; 742 debug_print_bignum("SSWU: gx2 = x2^3 + a * x2 + b", gx2, prime_len); 743 744 /* l = gx1 is a quadratic residue modulo p 745 * --> gx1^((p-1)/2) modulo p is zero or one */ 746 if (crypto_bignum_sub(prime, one, t1) < 0 || 747 crypto_bignum_rshift(t1, 1, t1) < 0 || 748 crypto_bignum_exptmod(gx1, t1, prime, t1) < 0) 749 goto fail; 750 debug_print_bignum("SSWU: gx1^((p-1)/2) modulo p", t1, prime_len); 751 is_qr = const_time_eq(crypto_bignum_is_zero(t1) | 752 crypto_bignum_is_one(t1), 1); 753 754 /* v = CSEL(l, gx1, gx2) */ 755 if (crypto_bignum_to_bin(gx1, bin1, sizeof(bin1), prime_len) < 0 || 756 crypto_bignum_to_bin(gx2, bin2, sizeof(bin2), prime_len) < 0) 757 goto fail; 758 const_time_select_bin(is_qr, bin1, bin2, prime_len, bin); 759 v = crypto_bignum_init_set(bin, prime_len); 760 if (!v) 761 goto fail; 762 debug_print_bignum("SSWU: v = CSEL(l, gx1, gx2)", v, prime_len); 763 764 /* x = CSEL(l, x1, x2) */ 765 if (crypto_bignum_to_bin(x1, bin1, sizeof(bin1), prime_len) < 0 || 766 crypto_bignum_to_bin(x2, bin2, sizeof(bin2), prime_len) < 0) 767 goto fail; 768 const_time_select_bin(is_qr, bin1, bin2, prime_len, x_y); 769 wpa_hexdump_key(MSG_DEBUG, "SSWU: x = CSEL(l, x1, x2)", x_y, prime_len); 770 771 /* y = sqrt(v) */ 772 y = crypto_bignum_init(); 773 if (!y || dragonfly_sqrt(ec, v, y) < 0) 774 goto fail; 775 debug_print_bignum("SSWU: y = sqrt(v)", y, prime_len); 776 777 /* l = CEQ(LSB(u), LSB(y)) */ 778 if (crypto_bignum_to_bin(u, bin1, sizeof(bin1), prime_len) < 0 || 779 crypto_bignum_to_bin(y, bin2, sizeof(bin2), prime_len) < 0) 780 goto fail; 781 is_eq = const_time_eq(bin1[prime_len - 1] & 0x01, 782 bin2[prime_len - 1] & 0x01); 783 784 /* P = CSEL(l, (x,y), (x, p-y)) */ 785 if (crypto_bignum_sub(prime, y, t1) < 0) 786 goto fail; 787 debug_print_bignum("SSWU: p - y", t1, prime_len); 788 if (crypto_bignum_to_bin(y, bin1, sizeof(bin1), prime_len) < 0 || 789 crypto_bignum_to_bin(t1, bin2, sizeof(bin2), prime_len) < 0) 790 goto fail; 791 const_time_select_bin(is_eq, bin1, bin2, prime_len, &x_y[prime_len]); 792 793 /* output P */ 794 wpa_hexdump_key(MSG_DEBUG, "SSWU: P.x", x_y, prime_len); 795 wpa_hexdump_key(MSG_DEBUG, "SSWU: P.y", &x_y[prime_len], prime_len); 796 p = crypto_ec_point_from_bin(ec, x_y); 797 798 fail: 799 crypto_bignum_deinit(u2, 1); 800 crypto_bignum_deinit(t1, 1); 801 crypto_bignum_deinit(t2, 1); 802 crypto_bignum_deinit(z, 0); 803 crypto_bignum_deinit(t, 1); 804 crypto_bignum_deinit(x1a, 1); 805 crypto_bignum_deinit(x1b, 1); 806 crypto_bignum_deinit(x1, 1); 807 crypto_bignum_deinit(x2, 1); 808 crypto_bignum_deinit(gx1, 1); 809 crypto_bignum_deinit(gx2, 1); 810 crypto_bignum_deinit(y, 1); 811 crypto_bignum_deinit(v, 1); 812 crypto_bignum_deinit(zero, 0); 813 crypto_bignum_deinit(one, 0); 814 crypto_bignum_deinit(two, 0); 815 crypto_bignum_deinit(three, 0); 816 forced_memzero(bin, sizeof(bin)); 817 forced_memzero(bin1, sizeof(bin1)); 818 forced_memzero(bin2, sizeof(bin2)); 819 forced_memzero(x_y, sizeof(x_y)); 820 return p; 821 } 822 823 824 static int sae_pwd_seed(size_t hash_len, const u8 *ssid, size_t ssid_len, 825 const u8 *password, size_t password_len, 826 const char *identifier, u8 *pwd_seed) 827 { 828 const u8 *addr[2]; 829 size_t len[2]; 830 size_t num_elem; 831 832 /* pwd-seed = HKDF-Extract(ssid, password [ || identifier ]) */ 833 addr[0] = password; 834 len[0] = password_len; 835 num_elem = 1; 836 wpa_hexdump_ascii(MSG_DEBUG, "SAE: SSID", ssid, ssid_len); 837 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", 838 password, password_len); 839 if (identifier) { 840 wpa_printf(MSG_DEBUG, "SAE: password identifier: %s", 841 identifier); 842 addr[num_elem] = (const u8 *) identifier; 843 len[num_elem] = os_strlen(identifier); 844 num_elem++; 845 } 846 if (hkdf_extract(hash_len, ssid, ssid_len, num_elem, addr, len, 847 pwd_seed) < 0) 848 return -1; 849 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, hash_len); 850 return 0; 851 } 852 853 854 size_t sae_ecc_prime_len_2_hash_len(size_t prime_len) 855 { 856 if (prime_len <= 256 / 8) 857 return 32; 858 if (prime_len <= 384 / 8) 859 return 48; 860 return 64; 861 } 862 863 864 static struct crypto_ec_point * 865 sae_derive_pt_ecc(struct crypto_ec *ec, int group, 866 const u8 *ssid, size_t ssid_len, 867 const u8 *password, size_t password_len, 868 const char *identifier) 869 { 870 u8 pwd_seed[64]; 871 u8 pwd_value[SAE_MAX_ECC_PRIME_LEN * 2]; 872 size_t pwd_value_len, hash_len, prime_len; 873 const struct crypto_bignum *prime; 874 struct crypto_bignum *bn = NULL; 875 struct crypto_ec_point *p1 = NULL, *p2 = NULL, *pt = NULL; 876 877 prime = crypto_ec_get_prime(ec); 878 prime_len = crypto_ec_prime_len(ec); 879 if (prime_len > SAE_MAX_ECC_PRIME_LEN) 880 goto fail; 881 hash_len = sae_ecc_prime_len_2_hash_len(prime_len); 882 883 /* len = olen(p) + ceil(olen(p)/2) */ 884 pwd_value_len = prime_len + (prime_len + 1) / 2; 885 886 if (sae_pwd_seed(hash_len, ssid, ssid_len, password, password_len, 887 identifier, pwd_seed) < 0) 888 goto fail; 889 890 /* pwd-value = HKDF-Expand(pwd-seed, "SAE Hash to Element u1 P1", len) 891 */ 892 if (hkdf_expand(hash_len, pwd_seed, hash_len, 893 "SAE Hash to Element u1 P1", pwd_value, pwd_value_len) < 894 0) 895 goto fail; 896 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value (u1 P1)", 897 pwd_value, pwd_value_len); 898 899 /* u1 = pwd-value modulo p */ 900 bn = crypto_bignum_init_set(pwd_value, pwd_value_len); 901 if (!bn || crypto_bignum_mod(bn, prime, bn) < 0 || 902 crypto_bignum_to_bin(bn, pwd_value, sizeof(pwd_value), 903 prime_len) < 0) 904 goto fail; 905 wpa_hexdump_key(MSG_DEBUG, "SAE: u1", pwd_value, prime_len); 906 907 /* P1 = SSWU(u1) */ 908 p1 = sswu(ec, group, bn); 909 if (!p1) 910 goto fail; 911 912 /* pwd-value = HKDF-Expand(pwd-seed, "SAE Hash to Element u2 P2", len) 913 */ 914 if (hkdf_expand(hash_len, pwd_seed, hash_len, 915 "SAE Hash to Element u2 P2", pwd_value, 916 pwd_value_len) < 0) 917 goto fail; 918 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value (u2 P2)", 919 pwd_value, pwd_value_len); 920 921 /* u2 = pwd-value modulo p */ 922 crypto_bignum_deinit(bn, 1); 923 bn = crypto_bignum_init_set(pwd_value, pwd_value_len); 924 if (!bn || crypto_bignum_mod(bn, prime, bn) < 0 || 925 crypto_bignum_to_bin(bn, pwd_value, sizeof(pwd_value), 926 prime_len) < 0) 927 goto fail; 928 wpa_hexdump_key(MSG_DEBUG, "SAE: u2", pwd_value, prime_len); 929 930 /* P2 = SSWU(u2) */ 931 p2 = sswu(ec, group, bn); 932 if (!p2) 933 goto fail; 934 935 /* PT = elem-op(P1, P2) */ 936 pt = crypto_ec_point_init(ec); 937 if (!pt) 938 goto fail; 939 if (crypto_ec_point_add(ec, p1, p2, pt) < 0) { 940 crypto_ec_point_deinit(pt, 1); 941 pt = NULL; 942 } 943 944 fail: 945 forced_memzero(pwd_seed, sizeof(pwd_seed)); 946 forced_memzero(pwd_value, sizeof(pwd_value)); 947 crypto_bignum_deinit(bn, 1); 948 crypto_ec_point_deinit(p1, 1); 949 crypto_ec_point_deinit(p2, 1); 950 return pt; 951 } 952 953 954 size_t sae_ffc_prime_len_2_hash_len(size_t prime_len) 955 { 956 if (prime_len <= 2048 / 8) 957 return 32; 958 if (prime_len <= 3072 / 8) 959 return 48; 960 return 64; 961 } 962 963 964 static struct crypto_bignum * 965 sae_derive_pt_ffc(const struct dh_group *dh, int group, 966 const u8 *ssid, size_t ssid_len, 967 const u8 *password, size_t password_len, 968 const char *identifier) 969 { 970 size_t hash_len, prime_len, pwd_value_len; 971 struct crypto_bignum *prime, *order; 972 struct crypto_bignum *one = NULL, *two = NULL, *bn = NULL, *tmp = NULL, 973 *pt = NULL; 974 u8 pwd_seed[64]; 975 u8 pwd_value[SAE_MAX_PRIME_LEN + SAE_MAX_PRIME_LEN / 2]; 976 977 prime = crypto_bignum_init_set(dh->prime, dh->prime_len); 978 order = crypto_bignum_init_set(dh->order, dh->order_len); 979 if (!prime || !order) 980 goto fail; 981 prime_len = dh->prime_len; 982 if (prime_len > SAE_MAX_PRIME_LEN) 983 goto fail; 984 hash_len = sae_ffc_prime_len_2_hash_len(prime_len); 985 986 /* len = olen(p) + ceil(olen(p)/2) */ 987 pwd_value_len = prime_len + (prime_len + 1) / 2; 988 if (pwd_value_len > sizeof(pwd_value)) 989 goto fail; 990 991 if (sae_pwd_seed(hash_len, ssid, ssid_len, password, password_len, 992 identifier, pwd_seed) < 0) 993 goto fail; 994 995 /* pwd-value = HKDF-Expand(pwd-seed, "SAE Hash to Element", len) */ 996 if (hkdf_expand(hash_len, pwd_seed, hash_len, 997 "SAE Hash to Element", pwd_value, pwd_value_len) < 0) 998 goto fail; 999 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", 1000 pwd_value, pwd_value_len); 1001 1002 /* pwd-value = (pwd-value modulo (p-2)) + 2 */ 1003 bn = crypto_bignum_init_set(pwd_value, pwd_value_len); 1004 one = crypto_bignum_init_uint(1); 1005 two = crypto_bignum_init_uint(2); 1006 tmp = crypto_bignum_init(); 1007 if (!bn || !one || !two || !tmp || 1008 crypto_bignum_sub(prime, two, tmp) < 0 || 1009 crypto_bignum_mod(bn, tmp, bn) < 0 || 1010 crypto_bignum_add(bn, two, bn) < 0 || 1011 crypto_bignum_to_bin(bn, pwd_value, sizeof(pwd_value), 1012 prime_len) < 0) 1013 goto fail; 1014 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value(reduced)", 1015 pwd_value, prime_len); 1016 1017 /* PT = pwd-value^((p-1)/q) modulo p */ 1018 pt = crypto_bignum_init(); 1019 if (!pt || 1020 crypto_bignum_sub(prime, one, tmp) < 0 || 1021 crypto_bignum_div(tmp, order, tmp) < 0 || 1022 crypto_bignum_exptmod(bn, tmp, prime, pt) < 0) { 1023 crypto_bignum_deinit(pt, 1); 1024 pt = NULL; 1025 goto fail; 1026 } 1027 debug_print_bignum("SAE: PT", pt, prime_len); 1028 1029 fail: 1030 forced_memzero(pwd_seed, sizeof(pwd_seed)); 1031 forced_memzero(pwd_value, sizeof(pwd_value)); 1032 crypto_bignum_deinit(bn, 1); 1033 crypto_bignum_deinit(tmp, 1); 1034 crypto_bignum_deinit(one, 0); 1035 crypto_bignum_deinit(two, 0); 1036 crypto_bignum_deinit(prime, 0); 1037 crypto_bignum_deinit(order, 0); 1038 return pt; 1039 } 1040 1041 1042 static struct sae_pt * 1043 sae_derive_pt_group(int group, const u8 *ssid, size_t ssid_len, 1044 const u8 *password, size_t password_len, 1045 const char *identifier) 1046 { 1047 struct sae_pt *pt; 1048 1049 wpa_printf(MSG_DEBUG, "SAE: Derive PT - group %d", group); 1050 1051 if (ssid_len > 32) 1052 return NULL; 1053 1054 pt = os_zalloc(sizeof(*pt)); 1055 if (!pt) 1056 return NULL; 1057 1058 #ifdef CONFIG_SAE_PK 1059 os_memcpy(pt->ssid, ssid, ssid_len); 1060 pt->ssid_len = ssid_len; 1061 #endif /* CONFIG_SAE_PK */ 1062 pt->group = group; 1063 pt->ec = crypto_ec_init(group); 1064 if (pt->ec) { 1065 pt->ecc_pt = sae_derive_pt_ecc(pt->ec, group, ssid, ssid_len, 1066 password, password_len, 1067 identifier); 1068 if (!pt->ecc_pt) { 1069 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PT"); 1070 goto fail; 1071 } 1072 1073 return pt; 1074 } 1075 1076 pt->dh = dh_groups_get(group); 1077 if (!pt->dh) { 1078 wpa_printf(MSG_DEBUG, "SAE: Unsupported group %d", group); 1079 goto fail; 1080 } 1081 1082 pt->ffc_pt = sae_derive_pt_ffc(pt->dh, group, ssid, ssid_len, 1083 password, password_len, identifier); 1084 if (!pt->ffc_pt) { 1085 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PT"); 1086 goto fail; 1087 } 1088 1089 return pt; 1090 fail: 1091 sae_deinit_pt(pt); 1092 return NULL; 1093 } 1094 1095 1096 struct sae_pt * sae_derive_pt(int *groups, const u8 *ssid, size_t ssid_len, 1097 const u8 *password, size_t password_len, 1098 const char *identifier) 1099 { 1100 struct sae_pt *pt = NULL, *last = NULL, *tmp; 1101 int default_groups[] = { 19, 0 }; 1102 int i; 1103 1104 if (!groups) 1105 groups = default_groups; 1106 for (i = 0; groups[i] > 0; i++) { 1107 tmp = sae_derive_pt_group(groups[i], ssid, ssid_len, password, 1108 password_len, identifier); 1109 if (!tmp) 1110 continue; 1111 1112 if (last) 1113 last->next = tmp; 1114 else 1115 pt = tmp; 1116 last = tmp; 1117 } 1118 1119 return pt; 1120 } 1121 1122 1123 static void sae_max_min_addr(const u8 *addr[], size_t len[], 1124 const u8 *addr1, const u8 *addr2) 1125 { 1126 len[0] = ETH_ALEN; 1127 len[1] = ETH_ALEN; 1128 if (os_memcmp(addr1, addr2, ETH_ALEN) > 0) { 1129 addr[0] = addr1; 1130 addr[1] = addr2; 1131 } else { 1132 addr[0] = addr2; 1133 addr[1] = addr1; 1134 } 1135 } 1136 1137 1138 struct crypto_ec_point * 1139 sae_derive_pwe_from_pt_ecc(const struct sae_pt *pt, 1140 const u8 *addr1, const u8 *addr2) 1141 { 1142 u8 bin[SAE_MAX_ECC_PRIME_LEN * 2]; 1143 size_t prime_len; 1144 const u8 *addr[2]; 1145 size_t len[2]; 1146 u8 salt[64], hash[64]; 1147 size_t hash_len; 1148 const struct crypto_bignum *order; 1149 struct crypto_bignum *tmp = NULL, *val = NULL, *one = NULL; 1150 struct crypto_ec_point *pwe = NULL; 1151 1152 wpa_printf(MSG_DEBUG, "SAE: Derive PWE from PT"); 1153 prime_len = crypto_ec_prime_len(pt->ec); 1154 if (crypto_ec_point_to_bin(pt->ec, pt->ecc_pt, 1155 bin, bin + prime_len) < 0) 1156 return NULL; 1157 wpa_hexdump_key(MSG_DEBUG, "SAE: PT.x", bin, prime_len); 1158 wpa_hexdump_key(MSG_DEBUG, "SAE: PT.y", bin + prime_len, prime_len); 1159 1160 sae_max_min_addr(addr, len, addr1, addr2); 1161 1162 /* val = H(0^n, 1163 * MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC)) */ 1164 wpa_printf(MSG_DEBUG, "SAE: val = H(0^n, MAX(addrs) || MIN(addrs))"); 1165 hash_len = sae_ecc_prime_len_2_hash_len(prime_len); 1166 os_memset(salt, 0, hash_len); 1167 if (hkdf_extract(hash_len, salt, hash_len, 2, addr, len, hash) < 0) 1168 goto fail; 1169 wpa_hexdump(MSG_DEBUG, "SAE: val", hash, hash_len); 1170 1171 /* val = val modulo (q - 1) + 1 */ 1172 order = crypto_ec_get_order(pt->ec); 1173 tmp = crypto_bignum_init(); 1174 val = crypto_bignum_init_set(hash, hash_len); 1175 one = crypto_bignum_init_uint(1); 1176 if (!tmp || !val || !one || 1177 crypto_bignum_sub(order, one, tmp) < 0 || 1178 crypto_bignum_mod(val, tmp, val) < 0 || 1179 crypto_bignum_add(val, one, val) < 0) 1180 goto fail; 1181 debug_print_bignum("SAE: val(reduced to 1..q-1)", val, prime_len); 1182 1183 /* PWE = scalar-op(val, PT) */ 1184 pwe = crypto_ec_point_init(pt->ec); 1185 if (!pwe || 1186 crypto_ec_point_mul(pt->ec, pt->ecc_pt, val, pwe) < 0 || 1187 crypto_ec_point_to_bin(pt->ec, pwe, bin, bin + prime_len) < 0) { 1188 crypto_ec_point_deinit(pwe, 1); 1189 pwe = NULL; 1190 goto fail; 1191 } 1192 wpa_hexdump_key(MSG_DEBUG, "SAE: PWE.x", bin, prime_len); 1193 wpa_hexdump_key(MSG_DEBUG, "SAE: PWE.y", bin + prime_len, prime_len); 1194 1195 fail: 1196 crypto_bignum_deinit(tmp, 1); 1197 crypto_bignum_deinit(val, 1); 1198 crypto_bignum_deinit(one, 0); 1199 return pwe; 1200 } 1201 1202 1203 struct crypto_bignum * 1204 sae_derive_pwe_from_pt_ffc(const struct sae_pt *pt, 1205 const u8 *addr1, const u8 *addr2) 1206 { 1207 size_t prime_len; 1208 const u8 *addr[2]; 1209 size_t len[2]; 1210 u8 salt[64], hash[64]; 1211 size_t hash_len; 1212 struct crypto_bignum *tmp = NULL, *val = NULL, *one = NULL; 1213 struct crypto_bignum *pwe = NULL, *order = NULL, *prime = NULL; 1214 1215 wpa_printf(MSG_DEBUG, "SAE: Derive PWE from PT"); 1216 prime = crypto_bignum_init_set(pt->dh->prime, pt->dh->prime_len); 1217 order = crypto_bignum_init_set(pt->dh->order, pt->dh->order_len); 1218 if (!prime || !order) 1219 goto fail; 1220 prime_len = pt->dh->prime_len; 1221 1222 sae_max_min_addr(addr, len, addr1, addr2); 1223 1224 /* val = H(0^n, 1225 * MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC)) */ 1226 wpa_printf(MSG_DEBUG, "SAE: val = H(0^n, MAX(addrs) || MIN(addrs))"); 1227 hash_len = sae_ffc_prime_len_2_hash_len(prime_len); 1228 os_memset(salt, 0, hash_len); 1229 if (hkdf_extract(hash_len, salt, hash_len, 2, addr, len, hash) < 0) 1230 goto fail; 1231 wpa_hexdump(MSG_DEBUG, "SAE: val", hash, hash_len); 1232 1233 /* val = val modulo (q - 1) + 1 */ 1234 tmp = crypto_bignum_init(); 1235 val = crypto_bignum_init_set(hash, hash_len); 1236 one = crypto_bignum_init_uint(1); 1237 if (!tmp || !val || !one || 1238 crypto_bignum_sub(order, one, tmp) < 0 || 1239 crypto_bignum_mod(val, tmp, val) < 0 || 1240 crypto_bignum_add(val, one, val) < 0) 1241 goto fail; 1242 debug_print_bignum("SAE: val(reduced to 1..q-1)", val, prime_len); 1243 1244 /* PWE = scalar-op(val, PT) */ 1245 pwe = crypto_bignum_init(); 1246 if (!pwe || crypto_bignum_exptmod(pt->ffc_pt, val, prime, pwe) < 0) { 1247 crypto_bignum_deinit(pwe, 1); 1248 pwe = NULL; 1249 goto fail; 1250 } 1251 debug_print_bignum("SAE: PWE", pwe, prime_len); 1252 1253 fail: 1254 crypto_bignum_deinit(tmp, 1); 1255 crypto_bignum_deinit(val, 1); 1256 crypto_bignum_deinit(one, 0); 1257 crypto_bignum_deinit(prime, 0); 1258 crypto_bignum_deinit(order, 0); 1259 return pwe; 1260 } 1261 1262 1263 void sae_deinit_pt(struct sae_pt *pt) 1264 { 1265 struct sae_pt *prev; 1266 1267 while (pt) { 1268 crypto_ec_point_deinit(pt->ecc_pt, 1); 1269 crypto_bignum_deinit(pt->ffc_pt, 1); 1270 crypto_ec_deinit(pt->ec); 1271 prev = pt; 1272 pt = pt->next; 1273 os_free(prev); 1274 } 1275 } 1276 1277 1278 static int sae_derive_commit_element_ecc(struct sae_data *sae, 1279 struct crypto_bignum *mask) 1280 { 1281 /* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */ 1282 if (!sae->tmp->own_commit_element_ecc) { 1283 sae->tmp->own_commit_element_ecc = 1284 crypto_ec_point_init(sae->tmp->ec); 1285 if (!sae->tmp->own_commit_element_ecc) 1286 return -1; 1287 } 1288 1289 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask, 1290 sae->tmp->own_commit_element_ecc) < 0 || 1291 crypto_ec_point_invert(sae->tmp->ec, 1292 sae->tmp->own_commit_element_ecc) < 0) { 1293 wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element"); 1294 return -1; 1295 } 1296 1297 return 0; 1298 } 1299 1300 1301 static int sae_derive_commit_element_ffc(struct sae_data *sae, 1302 struct crypto_bignum *mask) 1303 { 1304 /* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */ 1305 if (!sae->tmp->own_commit_element_ffc) { 1306 sae->tmp->own_commit_element_ffc = crypto_bignum_init(); 1307 if (!sae->tmp->own_commit_element_ffc) 1308 return -1; 1309 } 1310 1311 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime, 1312 sae->tmp->own_commit_element_ffc) < 0 || 1313 crypto_bignum_inverse(sae->tmp->own_commit_element_ffc, 1314 sae->tmp->prime, 1315 sae->tmp->own_commit_element_ffc) < 0) { 1316 wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element"); 1317 return -1; 1318 } 1319 1320 return 0; 1321 } 1322 1323 1324 static int sae_derive_commit(struct sae_data *sae) 1325 { 1326 struct crypto_bignum *mask; 1327 int ret; 1328 1329 mask = crypto_bignum_init(); 1330 if (!sae->tmp->sae_rand) 1331 sae->tmp->sae_rand = crypto_bignum_init(); 1332 if (!sae->tmp->own_commit_scalar) 1333 sae->tmp->own_commit_scalar = crypto_bignum_init(); 1334 ret = !mask || !sae->tmp->sae_rand || !sae->tmp->own_commit_scalar || 1335 dragonfly_generate_scalar(sae->tmp->order, sae->tmp->sae_rand, 1336 mask, 1337 sae->tmp->own_commit_scalar) < 0 || 1338 (sae->tmp->ec && 1339 sae_derive_commit_element_ecc(sae, mask) < 0) || 1340 (sae->tmp->dh && 1341 sae_derive_commit_element_ffc(sae, mask) < 0); 1342 crypto_bignum_deinit(mask, 1); 1343 return ret ? -1 : 0; 1344 } 1345 1346 1347 int sae_prepare_commit(const u8 *addr1, const u8 *addr2, 1348 const u8 *password, size_t password_len, 1349 struct sae_data *sae) 1350 { 1351 if (sae->tmp == NULL || 1352 (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password, 1353 password_len) < 0) || 1354 (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password, 1355 password_len) < 0)) 1356 return -1; 1357 1358 sae->h2e = 0; 1359 sae->pk = 0; 1360 return sae_derive_commit(sae); 1361 } 1362 1363 1364 int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt, 1365 const u8 *addr1, const u8 *addr2, 1366 int *rejected_groups, const struct sae_pk *pk) 1367 { 1368 if (!sae->tmp) 1369 return -1; 1370 1371 while (pt) { 1372 if (pt->group == sae->group) 1373 break; 1374 pt = pt->next; 1375 } 1376 if (!pt) { 1377 wpa_printf(MSG_INFO, "SAE: Could not find PT for group %u", 1378 sae->group); 1379 return -1; 1380 } 1381 1382 #ifdef CONFIG_SAE_PK 1383 os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len); 1384 sae->tmp->ssid_len = pt->ssid_len; 1385 sae->tmp->ap_pk = pk; 1386 #endif /* CONFIG_SAE_PK */ 1387 sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0; 1388 wpabuf_free(sae->tmp->own_rejected_groups); 1389 sae->tmp->own_rejected_groups = NULL; 1390 if (rejected_groups) { 1391 int count, i; 1392 struct wpabuf *groups; 1393 1394 count = int_array_len(rejected_groups); 1395 groups = wpabuf_alloc(count * 2); 1396 if (!groups) 1397 return -1; 1398 for (i = 0; i < count; i++) 1399 wpabuf_put_le16(groups, rejected_groups[i]); 1400 sae->tmp->own_rejected_groups = groups; 1401 } 1402 1403 if (pt->ec) { 1404 crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1); 1405 sae->tmp->pwe_ecc = sae_derive_pwe_from_pt_ecc(pt, addr1, 1406 addr2); 1407 if (!sae->tmp->pwe_ecc) 1408 return -1; 1409 } 1410 1411 if (pt->dh) { 1412 crypto_bignum_deinit(sae->tmp->pwe_ffc, 1); 1413 sae->tmp->pwe_ffc = sae_derive_pwe_from_pt_ffc(pt, addr1, 1414 addr2); 1415 if (!sae->tmp->pwe_ffc) 1416 return -1; 1417 } 1418 1419 sae->h2e = 1; 1420 return sae_derive_commit(sae); 1421 } 1422 1423 1424 static int sae_derive_k_ecc(struct sae_data *sae, u8 *k) 1425 { 1426 struct crypto_ec_point *K; 1427 int ret = -1; 1428 1429 K = crypto_ec_point_init(sae->tmp->ec); 1430 if (K == NULL) 1431 goto fail; 1432 1433 /* 1434 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE), 1435 * PEER-COMMIT-ELEMENT))) 1436 * If K is identity element (point-at-infinity), reject 1437 * k = F(K) (= x coordinate) 1438 */ 1439 1440 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, 1441 sae->peer_commit_scalar, K) < 0 || 1442 crypto_ec_point_add(sae->tmp->ec, K, 1443 sae->tmp->peer_commit_element_ecc, K) < 0 || 1444 crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 || 1445 crypto_ec_point_is_at_infinity(sae->tmp->ec, K) || 1446 crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) { 1447 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k"); 1448 goto fail; 1449 } 1450 1451 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); 1452 1453 ret = 0; 1454 fail: 1455 crypto_ec_point_deinit(K, 1); 1456 return ret; 1457 } 1458 1459 1460 static int sae_derive_k_ffc(struct sae_data *sae, u8 *k) 1461 { 1462 struct crypto_bignum *K; 1463 int ret = -1; 1464 1465 K = crypto_bignum_init(); 1466 if (K == NULL) 1467 goto fail; 1468 1469 /* 1470 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE), 1471 * PEER-COMMIT-ELEMENT))) 1472 * If K is identity element (one), reject. 1473 * k = F(K) (= x coordinate) 1474 */ 1475 1476 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar, 1477 sae->tmp->prime, K) < 0 || 1478 crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc, 1479 sae->tmp->prime, K) < 0 || 1480 crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0 1481 || 1482 crypto_bignum_is_one(K) || 1483 crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) < 1484 0) { 1485 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k"); 1486 goto fail; 1487 } 1488 1489 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); 1490 1491 ret = 0; 1492 fail: 1493 crypto_bignum_deinit(K, 1); 1494 return ret; 1495 } 1496 1497 1498 static int sae_kdf_hash(size_t hash_len, const u8 *k, const char *label, 1499 const u8 *context, size_t context_len, 1500 u8 *out, size_t out_len) 1501 { 1502 if (hash_len == 32) 1503 return sha256_prf(k, hash_len, label, 1504 context, context_len, out, out_len); 1505 #ifdef CONFIG_SHA384 1506 if (hash_len == 48) 1507 return sha384_prf(k, hash_len, label, 1508 context, context_len, out, out_len); 1509 #endif /* CONFIG_SHA384 */ 1510 #ifdef CONFIG_SHA512 1511 if (hash_len == 64) 1512 return sha512_prf(k, hash_len, label, 1513 context, context_len, out, out_len); 1514 #endif /* CONFIG_SHA512 */ 1515 return -1; 1516 } 1517 1518 1519 static int sae_derive_keys(struct sae_data *sae, const u8 *k) 1520 { 1521 u8 zero[SAE_MAX_HASH_LEN], val[SAE_MAX_PRIME_LEN]; 1522 const u8 *salt; 1523 struct wpabuf *rejected_groups = NULL; 1524 u8 keyseed[SAE_MAX_HASH_LEN]; 1525 u8 keys[2 * SAE_MAX_HASH_LEN + SAE_PMK_LEN_MAX]; 1526 struct crypto_bignum *tmp; 1527 int ret = -1; 1528 size_t hash_len, salt_len, prime_len = sae->tmp->prime_len; 1529 size_t pmk_len; 1530 const u8 *addr[1]; 1531 size_t len[1]; 1532 1533 tmp = crypto_bignum_init(); 1534 if (tmp == NULL) 1535 goto fail; 1536 1537 /* keyseed = H(salt, k) 1538 * KCK || PMK = KDF-Hash-Length(keyseed, "SAE KCK and PMK", 1539 * (commit-scalar + peer-commit-scalar) modulo r) 1540 * PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128) 1541 * 1542 * When SAE-PK is used, 1543 * KCK || PMK || KEK = KDF-Hash-Length(keyseed, "SAE-PK keys", context) 1544 */ 1545 if (!sae->h2e) 1546 hash_len = SHA256_MAC_LEN; 1547 else if (sae->tmp->dh) 1548 hash_len = sae_ffc_prime_len_2_hash_len(prime_len); 1549 else 1550 hash_len = sae_ecc_prime_len_2_hash_len(prime_len); 1551 if (wpa_key_mgmt_sae_ext_key(sae->akmp)) 1552 pmk_len = hash_len; 1553 else 1554 pmk_len = SAE_PMK_LEN; 1555 wpa_printf(MSG_DEBUG, "SAE: Derive keys - H2E=%d AKMP=0x%x = %08x (%s)", 1556 sae->h2e, sae->akmp, 1557 wpa_akm_to_suite(sae->akmp), 1558 wpa_key_mgmt_txt(sae->akmp, WPA_PROTO_RSN)); 1559 if (sae->h2e && (sae->tmp->own_rejected_groups || 1560 sae->tmp->peer_rejected_groups)) { 1561 struct wpabuf *own, *peer; 1562 1563 own = sae->tmp->own_rejected_groups; 1564 peer = sae->tmp->peer_rejected_groups; 1565 salt_len = 0; 1566 if (own) 1567 salt_len += wpabuf_len(own); 1568 if (peer) 1569 salt_len += wpabuf_len(peer); 1570 rejected_groups = wpabuf_alloc(salt_len); 1571 if (!rejected_groups) 1572 goto fail; 1573 if (sae->tmp->own_addr_higher) { 1574 if (own) 1575 wpabuf_put_buf(rejected_groups, own); 1576 if (peer) 1577 wpabuf_put_buf(rejected_groups, peer); 1578 } else { 1579 if (peer) 1580 wpabuf_put_buf(rejected_groups, peer); 1581 if (own) 1582 wpabuf_put_buf(rejected_groups, own); 1583 } 1584 salt = wpabuf_head(rejected_groups); 1585 salt_len = wpabuf_len(rejected_groups); 1586 } else { 1587 os_memset(zero, 0, hash_len); 1588 salt = zero; 1589 salt_len = hash_len; 1590 } 1591 wpa_hexdump(MSG_DEBUG, "SAE: salt for keyseed derivation", 1592 salt, salt_len); 1593 addr[0] = k; 1594 len[0] = prime_len; 1595 if (hkdf_extract(hash_len, salt, salt_len, 1, addr, len, keyseed) < 0) 1596 goto fail; 1597 wpa_hexdump_key(MSG_DEBUG, "SAE: keyseed", keyseed, hash_len); 1598 1599 if (crypto_bignum_add(sae->tmp->own_commit_scalar, 1600 sae->peer_commit_scalar, tmp) < 0 || 1601 crypto_bignum_mod(tmp, sae->tmp->order, tmp) < 0) 1602 goto fail; 1603 /* IEEE Std 802.11-2016 is not exactly clear on the encoding of the bit 1604 * string that is needed for KCK, PMK, and PMKID derivation, but it 1605 * seems to make most sense to encode the 1606 * (commit-scalar + peer-commit-scalar) mod r part as a bit string by 1607 * zero padding it from left to the length of the order (in full 1608 * octets). */ 1609 if (crypto_bignum_to_bin(tmp, val, sizeof(val), 1610 sae->tmp->order_len) < 0) 1611 goto fail; 1612 wpa_hexdump(MSG_DEBUG, "SAE: PMKID", val, SAE_PMKID_LEN); 1613 1614 #ifdef CONFIG_SAE_PK 1615 if (sae->pk) { 1616 if (sae_kdf_hash(hash_len, keyseed, "SAE-PK keys", 1617 val, sae->tmp->order_len, 1618 keys, 2 * hash_len + pmk_len) < 0) 1619 goto fail; 1620 } else { 1621 if (sae_kdf_hash(hash_len, keyseed, "SAE KCK and PMK", 1622 val, sae->tmp->order_len, 1623 keys, hash_len + pmk_len) < 0) 1624 goto fail; 1625 } 1626 #else /* CONFIG_SAE_PK */ 1627 if (sae_kdf_hash(hash_len, keyseed, "SAE KCK and PMK", 1628 val, sae->tmp->order_len, 1629 keys, hash_len + pmk_len) < 0) 1630 goto fail; 1631 #endif /* !CONFIG_SAE_PK */ 1632 1633 forced_memzero(keyseed, sizeof(keyseed)); 1634 os_memcpy(sae->tmp->kck, keys, hash_len); 1635 sae->tmp->kck_len = hash_len; 1636 os_memcpy(sae->pmk, keys + hash_len, pmk_len); 1637 sae->pmk_len = pmk_len; 1638 os_memcpy(sae->pmkid, val, SAE_PMKID_LEN); 1639 #ifdef CONFIG_SAE_PK 1640 if (sae->pk) { 1641 os_memcpy(sae->tmp->kek, keys + hash_len + SAE_PMK_LEN, 1642 hash_len); 1643 sae->tmp->kek_len = hash_len; 1644 wpa_hexdump_key(MSG_DEBUG, "SAE: KEK for SAE-PK", 1645 sae->tmp->kek, sae->tmp->kek_len); 1646 } 1647 #endif /* CONFIG_SAE_PK */ 1648 forced_memzero(keys, sizeof(keys)); 1649 wpa_hexdump_key(MSG_DEBUG, "SAE: KCK", 1650 sae->tmp->kck, sae->tmp->kck_len); 1651 wpa_hexdump_key(MSG_DEBUG, "SAE: PMK", sae->pmk, sae->pmk_len); 1652 1653 ret = 0; 1654 fail: 1655 wpabuf_free(rejected_groups); 1656 crypto_bignum_deinit(tmp, 0); 1657 return ret; 1658 } 1659 1660 1661 int sae_process_commit(struct sae_data *sae) 1662 { 1663 u8 k[SAE_MAX_PRIME_LEN]; 1664 if (sae->tmp == NULL || 1665 (sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) || 1666 (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) || 1667 sae_derive_keys(sae, k) < 0) 1668 return -1; 1669 return 0; 1670 } 1671 1672 1673 int sae_write_commit(struct sae_data *sae, struct wpabuf *buf, 1674 const struct wpabuf *token, const char *identifier) 1675 { 1676 u8 *pos; 1677 1678 if (sae->tmp == NULL) 1679 return -1; 1680 1681 wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */ 1682 if (!sae->h2e && token) { 1683 wpabuf_put_buf(buf, token); 1684 wpa_hexdump(MSG_DEBUG, "SAE: Anti-clogging token", 1685 wpabuf_head(token), wpabuf_len(token)); 1686 } 1687 pos = wpabuf_put(buf, sae->tmp->prime_len); 1688 if (crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos, 1689 sae->tmp->prime_len, sae->tmp->prime_len) < 0) 1690 return -1; 1691 wpa_hexdump(MSG_DEBUG, "SAE: own commit-scalar", 1692 pos, sae->tmp->prime_len); 1693 if (sae->tmp->ec) { 1694 pos = wpabuf_put(buf, 2 * sae->tmp->prime_len); 1695 if (crypto_ec_point_to_bin(sae->tmp->ec, 1696 sae->tmp->own_commit_element_ecc, 1697 pos, pos + sae->tmp->prime_len) < 0) 1698 return -1; 1699 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(x)", 1700 pos, sae->tmp->prime_len); 1701 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(y)", 1702 pos + sae->tmp->prime_len, sae->tmp->prime_len); 1703 } else { 1704 pos = wpabuf_put(buf, sae->tmp->prime_len); 1705 if (crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos, 1706 sae->tmp->prime_len, 1707 sae->tmp->prime_len) < 0) 1708 return -1; 1709 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element", 1710 pos, sae->tmp->prime_len); 1711 } 1712 1713 if (identifier) { 1714 /* Password Identifier element */ 1715 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); 1716 wpabuf_put_u8(buf, 1 + os_strlen(identifier)); 1717 wpabuf_put_u8(buf, WLAN_EID_EXT_PASSWORD_IDENTIFIER); 1718 wpabuf_put_str(buf, identifier); 1719 wpa_printf(MSG_DEBUG, "SAE: own Password Identifier: %s", 1720 identifier); 1721 } 1722 1723 if (sae->h2e && sae->tmp->own_rejected_groups) { 1724 wpa_hexdump_buf(MSG_DEBUG, "SAE: own Rejected Groups", 1725 sae->tmp->own_rejected_groups); 1726 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); 1727 wpabuf_put_u8(buf, 1728 1 + wpabuf_len(sae->tmp->own_rejected_groups)); 1729 wpabuf_put_u8(buf, WLAN_EID_EXT_REJECTED_GROUPS); 1730 wpabuf_put_buf(buf, sae->tmp->own_rejected_groups); 1731 } 1732 1733 if (sae->h2e && token) { 1734 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); 1735 wpabuf_put_u8(buf, 1 + wpabuf_len(token)); 1736 wpabuf_put_u8(buf, WLAN_EID_EXT_ANTI_CLOGGING_TOKEN); 1737 wpabuf_put_buf(buf, token); 1738 wpa_hexdump_buf(MSG_DEBUG, 1739 "SAE: Anti-clogging token (in container)", 1740 token); 1741 } 1742 1743 if (wpa_key_mgmt_sae_ext_key(sae->akmp)) { 1744 u32 suite = wpa_akm_to_suite(sae->akmp); 1745 1746 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); 1747 wpabuf_put_u8(buf, 1 + RSN_SELECTOR_LEN); 1748 wpabuf_put_u8(buf, WLAN_EID_EXT_AKM_SUITE_SELECTOR); 1749 RSN_SELECTOR_PUT(wpabuf_put(buf, RSN_SELECTOR_LEN), suite); 1750 wpa_printf(MSG_DEBUG, "SAE: AKM Suite Selector: %08x", suite); 1751 sae->own_akm_suite_selector = suite; 1752 } 1753 1754 return 0; 1755 } 1756 1757 1758 u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, u16 group) 1759 { 1760 if (allowed_groups) { 1761 int i; 1762 for (i = 0; allowed_groups[i] > 0; i++) { 1763 if (allowed_groups[i] == group) 1764 break; 1765 } 1766 if (allowed_groups[i] != group) { 1767 wpa_printf(MSG_DEBUG, "SAE: Proposed group %u not " 1768 "enabled in the current configuration", 1769 group); 1770 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 1771 } 1772 } 1773 1774 if (sae->state == SAE_COMMITTED && group != sae->group) { 1775 wpa_printf(MSG_DEBUG, "SAE: Do not allow group to be changed"); 1776 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 1777 } 1778 1779 if (group != sae->group && sae_set_group(sae, group) < 0) { 1780 wpa_printf(MSG_DEBUG, "SAE: Unsupported Finite Cyclic Group %u", 1781 group); 1782 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 1783 } 1784 1785 if (sae->tmp == NULL) { 1786 wpa_printf(MSG_DEBUG, "SAE: Group information not yet initialized"); 1787 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1788 } 1789 1790 if (sae->tmp->dh && !allowed_groups) { 1791 wpa_printf(MSG_DEBUG, "SAE: Do not allow FFC group %u without " 1792 "explicit configuration enabling it", group); 1793 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 1794 } 1795 1796 return WLAN_STATUS_SUCCESS; 1797 } 1798 1799 1800 static int sae_is_password_id_elem(const u8 *pos, const u8 *end) 1801 { 1802 return end - pos >= 3 && 1803 pos[0] == WLAN_EID_EXTENSION && 1804 pos[1] >= 1 && 1805 end - pos - 2 >= pos[1] && 1806 pos[2] == WLAN_EID_EXT_PASSWORD_IDENTIFIER; 1807 } 1808 1809 1810 static int sae_is_rejected_groups_elem(const u8 *pos, const u8 *end) 1811 { 1812 return end - pos >= 3 && 1813 pos[0] == WLAN_EID_EXTENSION && 1814 pos[1] >= 2 && 1815 end - pos - 2 >= pos[1] && 1816 pos[2] == WLAN_EID_EXT_REJECTED_GROUPS; 1817 } 1818 1819 1820 static int sae_is_token_container_elem(const u8 *pos, const u8 *end) 1821 { 1822 return end - pos >= 3 && 1823 pos[0] == WLAN_EID_EXTENSION && 1824 pos[1] >= 1 && 1825 end - pos - 2 >= pos[1] && 1826 pos[2] == WLAN_EID_EXT_ANTI_CLOGGING_TOKEN; 1827 } 1828 1829 1830 static int sae_is_akm_suite_selector_elem(const u8 *pos, const u8 *end) 1831 { 1832 return end - pos >= 2 + 1 + RSN_SELECTOR_LEN && 1833 pos[0] == WLAN_EID_EXTENSION && 1834 pos[1] >= 1 + RSN_SELECTOR_LEN && 1835 end - pos - 2 >= pos[1] && 1836 pos[2] == WLAN_EID_EXT_AKM_SUITE_SELECTOR; 1837 } 1838 1839 1840 static void sae_parse_commit_token(struct sae_data *sae, const u8 **pos, 1841 const u8 *end, const u8 **token, 1842 size_t *token_len, int h2e) 1843 { 1844 size_t scalar_elem_len, tlen; 1845 1846 if (token) 1847 *token = NULL; 1848 if (token_len) 1849 *token_len = 0; 1850 1851 if (h2e) 1852 return; /* No Anti-Clogging Token field outside container IE */ 1853 1854 scalar_elem_len = (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len; 1855 if (scalar_elem_len >= (size_t) (end - *pos)) 1856 return; /* No extra data beyond peer scalar and element */ 1857 1858 tlen = end - (*pos + scalar_elem_len); 1859 1860 if (tlen < SHA256_MAC_LEN) { 1861 wpa_printf(MSG_DEBUG, 1862 "SAE: Too short optional data (%u octets) to include our Anti-Clogging Token", 1863 (unsigned int) tlen); 1864 return; 1865 } 1866 1867 wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token", *pos, tlen); 1868 if (token) 1869 *token = *pos; 1870 if (token_len) 1871 *token_len = tlen; 1872 *pos += tlen; 1873 } 1874 1875 1876 static void sae_parse_token_container(struct sae_data *sae, 1877 const u8 *pos, const u8 *end, 1878 const u8 **token, size_t *token_len) 1879 { 1880 wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame", 1881 pos, end - pos); 1882 if (!sae_is_token_container_elem(pos, end)) 1883 return; 1884 *token = pos + 3; 1885 *token_len = pos[1] - 1; 1886 wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token (in container)", 1887 *token, *token_len); 1888 } 1889 1890 1891 static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos, 1892 const u8 *end) 1893 { 1894 struct crypto_bignum *peer_scalar; 1895 1896 if (sae->tmp->prime_len > end - *pos) { 1897 wpa_printf(MSG_DEBUG, "SAE: Not enough data for scalar"); 1898 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1899 } 1900 1901 peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len); 1902 if (peer_scalar == NULL) 1903 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1904 1905 /* 1906 * IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for 1907 * the peer and it is in Authenticated state, the new Commit Message 1908 * shall be dropped if the peer-scalar is identical to the one used in 1909 * the existing protocol instance. 1910 */ 1911 if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar_accepted && 1912 crypto_bignum_cmp(sae->peer_commit_scalar_accepted, 1913 peer_scalar) == 0) { 1914 wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous " 1915 "peer-commit-scalar"); 1916 crypto_bignum_deinit(peer_scalar, 0); 1917 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1918 } 1919 1920 /* 1 < scalar < r */ 1921 if (crypto_bignum_is_zero(peer_scalar) || 1922 crypto_bignum_is_one(peer_scalar) || 1923 crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) { 1924 wpa_printf(MSG_DEBUG, "SAE: Invalid peer scalar"); 1925 crypto_bignum_deinit(peer_scalar, 0); 1926 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1927 } 1928 1929 1930 crypto_bignum_deinit(sae->peer_commit_scalar, 0); 1931 sae->peer_commit_scalar = peer_scalar; 1932 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-scalar", 1933 *pos, sae->tmp->prime_len); 1934 *pos += sae->tmp->prime_len; 1935 1936 return WLAN_STATUS_SUCCESS; 1937 } 1938 1939 1940 static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 **pos, 1941 const u8 *end) 1942 { 1943 u8 prime[SAE_MAX_ECC_PRIME_LEN]; 1944 1945 if (2 * sae->tmp->prime_len > end - *pos) { 1946 wpa_printf(MSG_DEBUG, "SAE: Not enough data for " 1947 "commit-element"); 1948 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1949 } 1950 1951 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), 1952 sae->tmp->prime_len) < 0) 1953 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1954 1955 /* element x and y coordinates < p */ 1956 if (os_memcmp(*pos, prime, sae->tmp->prime_len) >= 0 || 1957 os_memcmp(*pos + sae->tmp->prime_len, prime, 1958 sae->tmp->prime_len) >= 0) { 1959 wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer " 1960 "element"); 1961 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1962 } 1963 1964 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(x)", 1965 *pos, sae->tmp->prime_len); 1966 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(y)", 1967 *pos + sae->tmp->prime_len, sae->tmp->prime_len); 1968 1969 crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0); 1970 sae->tmp->peer_commit_element_ecc = 1971 crypto_ec_point_from_bin(sae->tmp->ec, *pos); 1972 if (!sae->tmp->peer_commit_element_ecc) { 1973 wpa_printf(MSG_DEBUG, "SAE: Peer element is not a valid point"); 1974 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1975 } 1976 1977 if (!crypto_ec_point_is_on_curve(sae->tmp->ec, 1978 sae->tmp->peer_commit_element_ecc)) { 1979 wpa_printf(MSG_DEBUG, "SAE: Peer element is not on curve"); 1980 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1981 } 1982 1983 *pos += 2 * sae->tmp->prime_len; 1984 1985 return WLAN_STATUS_SUCCESS; 1986 } 1987 1988 1989 static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 **pos, 1990 const u8 *end) 1991 { 1992 struct crypto_bignum *res, *one; 1993 const u8 one_bin[1] = { 0x01 }; 1994 1995 if (sae->tmp->prime_len > end - *pos) { 1996 wpa_printf(MSG_DEBUG, "SAE: Not enough data for " 1997 "commit-element"); 1998 return WLAN_STATUS_UNSPECIFIED_FAILURE; 1999 } 2000 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", *pos, 2001 sae->tmp->prime_len); 2002 2003 crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0); 2004 sae->tmp->peer_commit_element_ffc = 2005 crypto_bignum_init_set(*pos, sae->tmp->prime_len); 2006 if (sae->tmp->peer_commit_element_ffc == NULL) 2007 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2008 /* 1 < element < p - 1 */ 2009 res = crypto_bignum_init(); 2010 one = crypto_bignum_init_set(one_bin, sizeof(one_bin)); 2011 if (!res || !one || 2012 crypto_bignum_sub(sae->tmp->prime, one, res) || 2013 crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) || 2014 crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) || 2015 crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc, res) >= 0) { 2016 crypto_bignum_deinit(res, 0); 2017 crypto_bignum_deinit(one, 0); 2018 wpa_printf(MSG_DEBUG, "SAE: Invalid peer element"); 2019 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2020 } 2021 crypto_bignum_deinit(one, 0); 2022 2023 /* scalar-op(r, ELEMENT) = 1 modulo p */ 2024 if (crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc, 2025 sae->tmp->order, sae->tmp->prime, res) < 0 || 2026 !crypto_bignum_is_one(res)) { 2027 wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)"); 2028 crypto_bignum_deinit(res, 0); 2029 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2030 } 2031 crypto_bignum_deinit(res, 0); 2032 2033 *pos += sae->tmp->prime_len; 2034 2035 return WLAN_STATUS_SUCCESS; 2036 } 2037 2038 2039 static u16 sae_parse_commit_element(struct sae_data *sae, const u8 **pos, 2040 const u8 *end) 2041 { 2042 if (sae->tmp->dh) 2043 return sae_parse_commit_element_ffc(sae, pos, end); 2044 return sae_parse_commit_element_ecc(sae, pos, end); 2045 } 2046 2047 2048 static int sae_parse_password_identifier(struct sae_data *sae, 2049 const u8 **pos, const u8 *end) 2050 { 2051 const u8 *epos; 2052 u8 len; 2053 2054 wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame", 2055 *pos, end - *pos); 2056 if (!sae_is_password_id_elem(*pos, end)) { 2057 if (sae->tmp->pw_id) { 2058 wpa_printf(MSG_DEBUG, 2059 "SAE: No Password Identifier included, but expected one (%s)", 2060 sae->tmp->pw_id); 2061 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER; 2062 } 2063 os_free(sae->tmp->pw_id); 2064 sae->tmp->pw_id = NULL; 2065 return WLAN_STATUS_SUCCESS; /* No Password Identifier */ 2066 } 2067 2068 epos = *pos; 2069 epos++; /* skip IE type */ 2070 len = *epos++; /* IE length */ 2071 if (len > end - epos || len < 1) 2072 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2073 epos++; /* skip ext ID */ 2074 len--; 2075 2076 if (sae->tmp->pw_id && 2077 (len != os_strlen(sae->tmp->pw_id) || 2078 os_memcmp(sae->tmp->pw_id, epos, len) != 0)) { 2079 wpa_printf(MSG_DEBUG, 2080 "SAE: The included Password Identifier does not match the expected one (%s)", 2081 sae->tmp->pw_id); 2082 return WLAN_STATUS_UNKNOWN_PASSWORD_IDENTIFIER; 2083 } 2084 2085 os_free(sae->tmp->pw_id); 2086 sae->tmp->pw_id = os_malloc(len + 1); 2087 if (!sae->tmp->pw_id) 2088 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2089 os_memcpy(sae->tmp->pw_id, epos, len); 2090 sae->tmp->pw_id[len] = '\0'; 2091 wpa_hexdump_ascii(MSG_DEBUG, "SAE: Received Password Identifier", 2092 sae->tmp->pw_id, len); 2093 *pos = epos + len; 2094 return WLAN_STATUS_SUCCESS; 2095 } 2096 2097 2098 static int sae_parse_rejected_groups(struct sae_data *sae, 2099 const u8 **pos, const u8 *end) 2100 { 2101 const u8 *epos; 2102 u8 len; 2103 2104 wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame", 2105 *pos, end - *pos); 2106 if (!sae_is_rejected_groups_elem(*pos, end)) { 2107 wpabuf_free(sae->tmp->peer_rejected_groups); 2108 sae->tmp->peer_rejected_groups = NULL; 2109 return WLAN_STATUS_SUCCESS; 2110 } 2111 2112 epos = *pos; 2113 epos++; /* skip IE type */ 2114 len = *epos++; /* IE length */ 2115 if (len > end - epos || len < 1) 2116 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2117 epos++; /* skip ext ID */ 2118 len--; 2119 if (len & 1) { 2120 wpa_printf(MSG_DEBUG, 2121 "SAE: Invalid length of the Rejected Groups element payload: %u", 2122 len); 2123 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2124 } 2125 2126 wpabuf_free(sae->tmp->peer_rejected_groups); 2127 sae->tmp->peer_rejected_groups = wpabuf_alloc(len); 2128 if (!sae->tmp->peer_rejected_groups) 2129 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2130 wpabuf_put_data(sae->tmp->peer_rejected_groups, epos, len); 2131 wpa_hexdump_buf(MSG_DEBUG, "SAE: Received Rejected Groups list", 2132 sae->tmp->peer_rejected_groups); 2133 *pos = epos + len; 2134 return WLAN_STATUS_SUCCESS; 2135 } 2136 2137 2138 static int sae_parse_akm_suite_selector(struct sae_data *sae, 2139 const u8 **pos, const u8 *end) 2140 { 2141 const u8 *epos; 2142 u8 len; 2143 2144 wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame", 2145 *pos, end - *pos); 2146 if (!sae_is_akm_suite_selector_elem(*pos, end)) 2147 return WLAN_STATUS_SUCCESS; 2148 2149 epos = *pos; 2150 epos++; /* skip IE type */ 2151 len = *epos++; /* IE length */ 2152 if (len > end - epos || len < 1) 2153 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2154 epos++; /* skip ext ID */ 2155 len--; 2156 2157 if (len < RSN_SELECTOR_LEN) 2158 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2159 sae->peer_akm_suite_selector = RSN_SELECTOR_GET(epos); 2160 wpa_printf(MSG_DEBUG, "SAE: Received AKM Suite Selector: %08x", 2161 sae->peer_akm_suite_selector); 2162 *pos = epos + len; 2163 return WLAN_STATUS_SUCCESS; 2164 } 2165 2166 2167 u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len, 2168 const u8 **token, size_t *token_len, int *allowed_groups, 2169 int h2e, int *ie_offset) 2170 { 2171 const u8 *pos = data, *end = data + len; 2172 u16 res; 2173 2174 /* Check Finite Cyclic Group */ 2175 if (end - pos < 2) 2176 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2177 res = sae_group_allowed(sae, allowed_groups, WPA_GET_LE16(pos)); 2178 if (res != WLAN_STATUS_SUCCESS) 2179 return res; 2180 pos += 2; 2181 2182 /* Optional Anti-Clogging Token */ 2183 sae_parse_commit_token(sae, &pos, end, token, token_len, h2e); 2184 2185 /* commit-scalar */ 2186 res = sae_parse_commit_scalar(sae, &pos, end); 2187 if (res != WLAN_STATUS_SUCCESS) 2188 return res; 2189 2190 /* commit-element */ 2191 res = sae_parse_commit_element(sae, &pos, end); 2192 if (res != WLAN_STATUS_SUCCESS) 2193 return res; 2194 2195 if (ie_offset) 2196 *ie_offset = pos - data; 2197 2198 /* Optional Password Identifier element */ 2199 res = sae_parse_password_identifier(sae, &pos, end); 2200 if (res != WLAN_STATUS_SUCCESS) 2201 return res; 2202 2203 /* Conditional Rejected Groups element */ 2204 if (h2e) { 2205 res = sae_parse_rejected_groups(sae, &pos, end); 2206 if (res != WLAN_STATUS_SUCCESS) 2207 return res; 2208 } else { 2209 wpabuf_free(sae->tmp->peer_rejected_groups); 2210 sae->tmp->peer_rejected_groups = NULL; 2211 } 2212 2213 /* Optional Anti-Clogging Token Container element */ 2214 if (h2e) 2215 sae_parse_token_container(sae, pos, end, token, token_len); 2216 2217 /* Conditional AKM Suite Selector element */ 2218 if (h2e) { 2219 res = sae_parse_akm_suite_selector(sae, &pos, end); 2220 if (res != WLAN_STATUS_SUCCESS) 2221 return res; 2222 } 2223 2224 if (sae->own_akm_suite_selector && 2225 sae->own_akm_suite_selector != sae->peer_akm_suite_selector) { 2226 wpa_printf(MSG_DEBUG, 2227 "SAE: AKM suite selector mismatch: own=%08x peer=%08x", 2228 sae->own_akm_suite_selector, 2229 sae->peer_akm_suite_selector); 2230 return WLAN_STATUS_UNSPECIFIED_FAILURE; 2231 } 2232 2233 if (!sae->akmp) { 2234 if (sae->peer_akm_suite_selector == 2235 RSN_AUTH_KEY_MGMT_SAE_EXT_KEY) 2236 sae->akmp = WPA_KEY_MGMT_SAE_EXT_KEY; 2237 else if (sae->peer_akm_suite_selector == 2238 RSN_AUTH_KEY_MGMT_FT_SAE_EXT_KEY) 2239 sae->akmp = WPA_KEY_MGMT_FT_SAE_EXT_KEY; 2240 } 2241 2242 /* 2243 * Check whether peer-commit-scalar and PEER-COMMIT-ELEMENT are same as 2244 * the values we sent which would be evidence of a reflection attack. 2245 */ 2246 if (!sae->tmp->own_commit_scalar || 2247 crypto_bignum_cmp(sae->tmp->own_commit_scalar, 2248 sae->peer_commit_scalar) != 0 || 2249 (sae->tmp->dh && 2250 (!sae->tmp->own_commit_element_ffc || 2251 crypto_bignum_cmp(sae->tmp->own_commit_element_ffc, 2252 sae->tmp->peer_commit_element_ffc) != 0)) || 2253 (sae->tmp->ec && 2254 (!sae->tmp->own_commit_element_ecc || 2255 crypto_ec_point_cmp(sae->tmp->ec, 2256 sae->tmp->own_commit_element_ecc, 2257 sae->tmp->peer_commit_element_ecc) != 0))) 2258 return WLAN_STATUS_SUCCESS; /* scalars/elements are different */ 2259 2260 /* 2261 * This is a reflection attack - return special value to trigger caller 2262 * to silently discard the frame instead of replying with a specific 2263 * status code. 2264 */ 2265 return SAE_SILENTLY_DISCARD; 2266 } 2267 2268 2269 static int sae_cn_confirm(struct sae_data *sae, const u8 *sc, 2270 const struct crypto_bignum *scalar1, 2271 const u8 *element1, size_t element1_len, 2272 const struct crypto_bignum *scalar2, 2273 const u8 *element2, size_t element2_len, 2274 u8 *confirm) 2275 { 2276 const u8 *addr[5]; 2277 size_t len[5]; 2278 u8 scalar_b1[SAE_MAX_PRIME_LEN], scalar_b2[SAE_MAX_PRIME_LEN]; 2279 2280 /* Confirm 2281 * CN(key, X, Y, Z, ...) = 2282 * HMAC-SHA256(key, D2OS(X) || D2OS(Y) || D2OS(Z) | ...) 2283 * confirm = CN(KCK, send-confirm, commit-scalar, COMMIT-ELEMENT, 2284 * peer-commit-scalar, PEER-COMMIT-ELEMENT) 2285 * verifier = CN(KCK, peer-send-confirm, peer-commit-scalar, 2286 * PEER-COMMIT-ELEMENT, commit-scalar, COMMIT-ELEMENT) 2287 */ 2288 if (crypto_bignum_to_bin(scalar1, scalar_b1, sizeof(scalar_b1), 2289 sae->tmp->prime_len) < 0 || 2290 crypto_bignum_to_bin(scalar2, scalar_b2, sizeof(scalar_b2), 2291 sae->tmp->prime_len) < 0) 2292 return -1; 2293 addr[0] = sc; 2294 len[0] = 2; 2295 addr[1] = scalar_b1; 2296 len[1] = sae->tmp->prime_len; 2297 addr[2] = element1; 2298 len[2] = element1_len; 2299 addr[3] = scalar_b2; 2300 len[3] = sae->tmp->prime_len; 2301 addr[4] = element2; 2302 len[4] = element2_len; 2303 return hkdf_extract(sae->tmp->kck_len, sae->tmp->kck, sae->tmp->kck_len, 2304 5, addr, len, confirm); 2305 } 2306 2307 2308 static int sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc, 2309 const struct crypto_bignum *scalar1, 2310 const struct crypto_ec_point *element1, 2311 const struct crypto_bignum *scalar2, 2312 const struct crypto_ec_point *element2, 2313 u8 *confirm) 2314 { 2315 u8 element_b1[2 * SAE_MAX_ECC_PRIME_LEN]; 2316 u8 element_b2[2 * SAE_MAX_ECC_PRIME_LEN]; 2317 2318 if (crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1, 2319 element_b1 + sae->tmp->prime_len) < 0 || 2320 crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2, 2321 element_b2 + sae->tmp->prime_len) < 0 || 2322 sae_cn_confirm(sae, sc, scalar1, element_b1, 2323 2 * sae->tmp->prime_len, 2324 scalar2, element_b2, 2 * sae->tmp->prime_len, 2325 confirm) < 0) 2326 return -1; 2327 return 0; 2328 } 2329 2330 2331 static int sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc, 2332 const struct crypto_bignum *scalar1, 2333 const struct crypto_bignum *element1, 2334 const struct crypto_bignum *scalar2, 2335 const struct crypto_bignum *element2, 2336 u8 *confirm) 2337 { 2338 u8 element_b1[SAE_MAX_PRIME_LEN]; 2339 u8 element_b2[SAE_MAX_PRIME_LEN]; 2340 2341 if (crypto_bignum_to_bin(element1, element_b1, sizeof(element_b1), 2342 sae->tmp->prime_len) < 0 || 2343 crypto_bignum_to_bin(element2, element_b2, sizeof(element_b2), 2344 sae->tmp->prime_len) < 0 || 2345 sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len, 2346 scalar2, element_b2, sae->tmp->prime_len, 2347 confirm) < 0) 2348 return -1; 2349 return 0; 2350 } 2351 2352 2353 int sae_write_confirm(struct sae_data *sae, struct wpabuf *buf) 2354 { 2355 const u8 *sc; 2356 size_t hash_len; 2357 int res; 2358 2359 if (sae->tmp == NULL) 2360 return -1; 2361 2362 hash_len = sae->tmp->kck_len; 2363 2364 /* Send-Confirm */ 2365 if (sae->send_confirm < 0xffff) 2366 sae->send_confirm++; 2367 sc = wpabuf_put(buf, 0); 2368 wpabuf_put_le16(buf, sae->send_confirm); 2369 2370 if (sae->tmp->ec) 2371 res = sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar, 2372 sae->tmp->own_commit_element_ecc, 2373 sae->peer_commit_scalar, 2374 sae->tmp->peer_commit_element_ecc, 2375 wpabuf_put(buf, hash_len)); 2376 else 2377 res = sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar, 2378 sae->tmp->own_commit_element_ffc, 2379 sae->peer_commit_scalar, 2380 sae->tmp->peer_commit_element_ffc, 2381 wpabuf_put(buf, hash_len)); 2382 if (res) 2383 return res; 2384 2385 #ifdef CONFIG_SAE_PK 2386 if (sae_write_confirm_pk(sae, buf) < 0) 2387 return -1; 2388 #endif /* CONFIG_SAE_PK */ 2389 2390 return 0; 2391 } 2392 2393 2394 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len, 2395 int *ie_offset) 2396 { 2397 u8 verifier[SAE_MAX_HASH_LEN]; 2398 size_t hash_len; 2399 2400 if (!sae->tmp) 2401 return -1; 2402 2403 hash_len = sae->tmp->kck_len; 2404 if (len < 2 + hash_len) { 2405 wpa_printf(MSG_DEBUG, "SAE: Too short confirm message"); 2406 return -1; 2407 } 2408 2409 wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data)); 2410 2411 if (!sae->peer_commit_scalar || !sae->tmp->own_commit_scalar) { 2412 wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available"); 2413 return -1; 2414 } 2415 2416 if (sae->tmp->ec) { 2417 if (!sae->tmp->peer_commit_element_ecc || 2418 !sae->tmp->own_commit_element_ecc || 2419 sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar, 2420 sae->tmp->peer_commit_element_ecc, 2421 sae->tmp->own_commit_scalar, 2422 sae->tmp->own_commit_element_ecc, 2423 verifier) < 0) 2424 return -1; 2425 } else { 2426 if (!sae->tmp->peer_commit_element_ffc || 2427 !sae->tmp->own_commit_element_ffc || 2428 sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar, 2429 sae->tmp->peer_commit_element_ffc, 2430 sae->tmp->own_commit_scalar, 2431 sae->tmp->own_commit_element_ffc, 2432 verifier) < 0) 2433 return -1; 2434 } 2435 2436 if (os_memcmp_const(verifier, data + 2, hash_len) != 0) { 2437 wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch"); 2438 wpa_hexdump(MSG_DEBUG, "SAE: Received confirm", 2439 data + 2, hash_len); 2440 wpa_hexdump(MSG_DEBUG, "SAE: Calculated verifier", 2441 verifier, hash_len); 2442 return -1; 2443 } 2444 2445 #ifdef CONFIG_SAE_PK 2446 if (sae_check_confirm_pk(sae, data + 2 + hash_len, 2447 len - 2 - hash_len) < 0) 2448 return -1; 2449 #endif /* CONFIG_SAE_PK */ 2450 2451 /* 2 bytes are for send-confirm, then the hash, followed by IEs */ 2452 if (ie_offset) 2453 *ie_offset = 2 + hash_len; 2454 2455 return 0; 2456 } 2457 2458 2459 const char * sae_state_txt(enum sae_state state) 2460 { 2461 switch (state) { 2462 case SAE_NOTHING: 2463 return "Nothing"; 2464 case SAE_COMMITTED: 2465 return "Committed"; 2466 case SAE_CONFIRMED: 2467 return "Confirmed"; 2468 case SAE_ACCEPTED: 2469 return "Accepted"; 2470 } 2471 return "?"; 2472 } 2473