xref: /freebsd/contrib/wpa/src/common/sae.c (revision 2284664ef9fcb0baaf59f1ef7df877c0b0f2b187)
1 /*
2  * Simultaneous authentication of equals
3  * Copyright (c) 2012-2016, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/crypto.h"
13 #include "crypto/sha256.h"
14 #include "crypto/random.h"
15 #include "crypto/dh_groups.h"
16 #include "ieee802_11_defs.h"
17 #include "sae.h"
18 
19 
20 int sae_set_group(struct sae_data *sae, int group)
21 {
22 	struct sae_temporary_data *tmp;
23 
24 	sae_clear_data(sae);
25 	tmp = sae->tmp = os_zalloc(sizeof(*tmp));
26 	if (tmp == NULL)
27 		return -1;
28 
29 	/* First, check if this is an ECC group */
30 	tmp->ec = crypto_ec_init(group);
31 	if (tmp->ec) {
32 		sae->group = group;
33 		tmp->prime_len = crypto_ec_prime_len(tmp->ec);
34 		tmp->prime = crypto_ec_get_prime(tmp->ec);
35 		tmp->order = crypto_ec_get_order(tmp->ec);
36 		return 0;
37 	}
38 
39 	/* Not an ECC group, check FFC */
40 	tmp->dh = dh_groups_get(group);
41 	if (tmp->dh) {
42 		sae->group = group;
43 		tmp->prime_len = tmp->dh->prime_len;
44 		if (tmp->prime_len > SAE_MAX_PRIME_LEN) {
45 			sae_clear_data(sae);
46 			return -1;
47 		}
48 
49 		tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime,
50 							tmp->prime_len);
51 		if (tmp->prime_buf == NULL) {
52 			sae_clear_data(sae);
53 			return -1;
54 		}
55 		tmp->prime = tmp->prime_buf;
56 
57 		tmp->order_buf = crypto_bignum_init_set(tmp->dh->order,
58 							tmp->dh->order_len);
59 		if (tmp->order_buf == NULL) {
60 			sae_clear_data(sae);
61 			return -1;
62 		}
63 		tmp->order = tmp->order_buf;
64 
65 		return 0;
66 	}
67 
68 	/* Unsupported group */
69 	return -1;
70 }
71 
72 
73 void sae_clear_temp_data(struct sae_data *sae)
74 {
75 	struct sae_temporary_data *tmp;
76 	if (sae == NULL || sae->tmp == NULL)
77 		return;
78 	tmp = sae->tmp;
79 	crypto_ec_deinit(tmp->ec);
80 	crypto_bignum_deinit(tmp->prime_buf, 0);
81 	crypto_bignum_deinit(tmp->order_buf, 0);
82 	crypto_bignum_deinit(tmp->sae_rand, 1);
83 	crypto_bignum_deinit(tmp->pwe_ffc, 1);
84 	crypto_bignum_deinit(tmp->own_commit_scalar, 0);
85 	crypto_bignum_deinit(tmp->own_commit_element_ffc, 0);
86 	crypto_bignum_deinit(tmp->peer_commit_element_ffc, 0);
87 	crypto_ec_point_deinit(tmp->pwe_ecc, 1);
88 	crypto_ec_point_deinit(tmp->own_commit_element_ecc, 0);
89 	crypto_ec_point_deinit(tmp->peer_commit_element_ecc, 0);
90 	wpabuf_free(tmp->anti_clogging_token);
91 	bin_clear_free(tmp, sizeof(*tmp));
92 	sae->tmp = NULL;
93 }
94 
95 
96 void sae_clear_data(struct sae_data *sae)
97 {
98 	if (sae == NULL)
99 		return;
100 	sae_clear_temp_data(sae);
101 	crypto_bignum_deinit(sae->peer_commit_scalar, 0);
102 	os_memset(sae, 0, sizeof(*sae));
103 }
104 
105 
106 static void buf_shift_right(u8 *buf, size_t len, size_t bits)
107 {
108 	size_t i;
109 	for (i = len - 1; i > 0; i--)
110 		buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits);
111 	buf[0] >>= bits;
112 }
113 
114 
115 static struct crypto_bignum * sae_get_rand(struct sae_data *sae)
116 {
117 	u8 val[SAE_MAX_PRIME_LEN];
118 	int iter = 0;
119 	struct crypto_bignum *bn = NULL;
120 	int order_len_bits = crypto_bignum_bits(sae->tmp->order);
121 	size_t order_len = (order_len_bits + 7) / 8;
122 
123 	if (order_len > sizeof(val))
124 		return NULL;
125 
126 	for (;;) {
127 		if (iter++ > 100 || random_get_bytes(val, order_len) < 0)
128 			return NULL;
129 		if (order_len_bits % 8)
130 			buf_shift_right(val, order_len, 8 - order_len_bits % 8);
131 		bn = crypto_bignum_init_set(val, order_len);
132 		if (bn == NULL)
133 			return NULL;
134 		if (crypto_bignum_is_zero(bn) ||
135 		    crypto_bignum_is_one(bn) ||
136 		    crypto_bignum_cmp(bn, sae->tmp->order) >= 0) {
137 			crypto_bignum_deinit(bn, 0);
138 			continue;
139 		}
140 		break;
141 	}
142 
143 	os_memset(val, 0, order_len);
144 	return bn;
145 }
146 
147 
148 static struct crypto_bignum * sae_get_rand_and_mask(struct sae_data *sae)
149 {
150 	crypto_bignum_deinit(sae->tmp->sae_rand, 1);
151 	sae->tmp->sae_rand = sae_get_rand(sae);
152 	if (sae->tmp->sae_rand == NULL)
153 		return NULL;
154 	return sae_get_rand(sae);
155 }
156 
157 
158 static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
159 {
160 	wpa_printf(MSG_DEBUG, "SAE: PWE derivation - addr1=" MACSTR
161 		   " addr2=" MACSTR, MAC2STR(addr1), MAC2STR(addr2));
162 	if (os_memcmp(addr1, addr2, ETH_ALEN) > 0) {
163 		os_memcpy(key, addr1, ETH_ALEN);
164 		os_memcpy(key + ETH_ALEN, addr2, ETH_ALEN);
165 	} else {
166 		os_memcpy(key, addr2, ETH_ALEN);
167 		os_memcpy(key + ETH_ALEN, addr1, ETH_ALEN);
168 	}
169 }
170 
171 
172 static struct crypto_bignum *
173 get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
174 		  int *r_odd)
175 {
176 	for (;;) {
177 		struct crypto_bignum *r;
178 		u8 tmp[SAE_MAX_ECC_PRIME_LEN];
179 
180 		if (random_get_bytes(tmp, prime_len) < 0)
181 			break;
182 		if (prime_bits % 8)
183 			buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
184 		if (os_memcmp(tmp, prime, prime_len) >= 0)
185 			continue;
186 		r = crypto_bignum_init_set(tmp, prime_len);
187 		if (!r)
188 			break;
189 		if (crypto_bignum_is_zero(r)) {
190 			crypto_bignum_deinit(r, 0);
191 			continue;
192 		}
193 
194 		*r_odd = tmp[prime_len - 1] & 0x01;
195 		return r;
196 	}
197 
198 	return NULL;
199 }
200 
201 
202 static int is_quadratic_residue_blind(struct sae_data *sae,
203 				      const u8 *prime, size_t bits,
204 				      const struct crypto_bignum *qr,
205 				      const struct crypto_bignum *qnr,
206 				      const struct crypto_bignum *y_sqr)
207 {
208 	struct crypto_bignum *r, *num;
209 	int r_odd, check, res = -1;
210 
211 	/*
212 	 * Use the blinding technique to mask y_sqr while determining
213 	 * whether it is a quadratic residue modulo p to avoid leaking
214 	 * timing information while determining the Legendre symbol.
215 	 *
216 	 * v = y_sqr
217 	 * r = a random number between 1 and p-1, inclusive
218 	 * num = (v * r * r) modulo p
219 	 */
220 	r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd);
221 	if (!r)
222 		return -1;
223 
224 	num = crypto_bignum_init();
225 	if (!num ||
226 	    crypto_bignum_mulmod(y_sqr, r, sae->tmp->prime, num) < 0 ||
227 	    crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
228 		goto fail;
229 
230 	if (r_odd) {
231 		/*
232 		 * num = (num * qr) module p
233 		 * LGR(num, p) = 1 ==> quadratic residue
234 		 */
235 		if (crypto_bignum_mulmod(num, qr, sae->tmp->prime, num) < 0)
236 			goto fail;
237 		check = 1;
238 	} else {
239 		/*
240 		 * num = (num * qnr) module p
241 		 * LGR(num, p) = -1 ==> quadratic residue
242 		 */
243 		if (crypto_bignum_mulmod(num, qnr, sae->tmp->prime, num) < 0)
244 			goto fail;
245 		check = -1;
246 	}
247 
248 	res = crypto_bignum_legendre(num, sae->tmp->prime);
249 	if (res == -2) {
250 		res = -1;
251 		goto fail;
252 	}
253 	res = res == check;
254 fail:
255 	crypto_bignum_deinit(num, 1);
256 	crypto_bignum_deinit(r, 1);
257 	return res;
258 }
259 
260 
261 static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
262 				 const u8 *prime,
263 				 const struct crypto_bignum *qr,
264 				 const struct crypto_bignum *qnr,
265 				 struct crypto_bignum **ret_x_cand)
266 {
267 	u8 pwd_value[SAE_MAX_ECC_PRIME_LEN];
268 	struct crypto_bignum *y_sqr, *x_cand;
269 	int res;
270 	size_t bits;
271 
272 	*ret_x_cand = NULL;
273 
274 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
275 
276 	/* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
277 	bits = crypto_ec_prime_len_bits(sae->tmp->ec);
278 	if (sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
279 			    prime, sae->tmp->prime_len, pwd_value, bits) < 0)
280 		return -1;
281 	if (bits % 8)
282 		buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8);
283 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
284 			pwd_value, sae->tmp->prime_len);
285 
286 	if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
287 		return 0;
288 
289 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
290 	if (!x_cand)
291 		return -1;
292 	y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand);
293 	if (!y_sqr) {
294 		crypto_bignum_deinit(x_cand, 1);
295 		return -1;
296 	}
297 
298 	res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
299 	crypto_bignum_deinit(y_sqr, 1);
300 	if (res <= 0) {
301 		crypto_bignum_deinit(x_cand, 1);
302 		return res;
303 	}
304 
305 	*ret_x_cand = x_cand;
306 	return 1;
307 }
308 
309 
310 static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
311 				 struct crypto_bignum *pwe)
312 {
313 	u8 pwd_value[SAE_MAX_PRIME_LEN];
314 	size_t bits = sae->tmp->prime_len * 8;
315 	u8 exp[1];
316 	struct crypto_bignum *a, *b;
317 	int res;
318 
319 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
320 
321 	/* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
322 	if (sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
323 			    sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value,
324 			    bits) < 0)
325 		return -1;
326 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
327 			sae->tmp->prime_len);
328 
329 	if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)
330 	{
331 		wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p");
332 		return 0;
333 	}
334 
335 	/* PWE = pwd-value^((p-1)/r) modulo p */
336 
337 	a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
338 
339 	if (sae->tmp->dh->safe_prime) {
340 		/*
341 		 * r = (p-1)/2 for the group used here, so this becomes:
342 		 * PWE = pwd-value^2 modulo p
343 		 */
344 		exp[0] = 2;
345 		b = crypto_bignum_init_set(exp, sizeof(exp));
346 	} else {
347 		/* Calculate exponent: (p-1)/r */
348 		exp[0] = 1;
349 		b = crypto_bignum_init_set(exp, sizeof(exp));
350 		if (b == NULL ||
351 		    crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
352 		    crypto_bignum_div(b, sae->tmp->order, b) < 0) {
353 			crypto_bignum_deinit(b, 0);
354 			b = NULL;
355 		}
356 	}
357 
358 	if (a == NULL || b == NULL)
359 		res = -1;
360 	else
361 		res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
362 
363 	crypto_bignum_deinit(a, 0);
364 	crypto_bignum_deinit(b, 0);
365 
366 	if (res < 0) {
367 		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE");
368 		return -1;
369 	}
370 
371 	/* if (PWE > 1) --> found */
372 	if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) {
373 		wpa_printf(MSG_DEBUG, "SAE: PWE <= 1");
374 		return 0;
375 	}
376 
377 	wpa_printf(MSG_DEBUG, "SAE: PWE found");
378 	return 1;
379 }
380 
381 
382 static int get_random_qr_qnr(const u8 *prime, size_t prime_len,
383 			     const struct crypto_bignum *prime_bn,
384 			     size_t prime_bits, struct crypto_bignum **qr,
385 			     struct crypto_bignum **qnr)
386 {
387 	*qr = NULL;
388 	*qnr = NULL;
389 
390 	while (!(*qr) || !(*qnr)) {
391 		u8 tmp[SAE_MAX_ECC_PRIME_LEN];
392 		struct crypto_bignum *q;
393 		int res;
394 
395 		if (random_get_bytes(tmp, prime_len) < 0)
396 			break;
397 		if (prime_bits % 8)
398 			buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
399 		if (os_memcmp(tmp, prime, prime_len) >= 0)
400 			continue;
401 		q = crypto_bignum_init_set(tmp, prime_len);
402 		if (!q)
403 			break;
404 		res = crypto_bignum_legendre(q, prime_bn);
405 
406 		if (res == 1 && !(*qr))
407 			*qr = q;
408 		else if (res == -1 && !(*qnr))
409 			*qnr = q;
410 		else
411 			crypto_bignum_deinit(q, 0);
412 	}
413 
414 	return (*qr && *qnr) ? 0 : -1;
415 }
416 
417 
418 static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
419 			      const u8 *addr2, const u8 *password,
420 			      size_t password_len)
421 {
422 	u8 counter, k = 40;
423 	u8 addrs[2 * ETH_ALEN];
424 	const u8 *addr[2];
425 	size_t len[2];
426 	u8 dummy_password[32];
427 	size_t dummy_password_len;
428 	int pwd_seed_odd = 0;
429 	u8 prime[SAE_MAX_ECC_PRIME_LEN];
430 	size_t prime_len;
431 	struct crypto_bignum *x = NULL, *qr, *qnr;
432 	size_t bits;
433 	int res;
434 
435 	dummy_password_len = password_len;
436 	if (dummy_password_len > sizeof(dummy_password))
437 		dummy_password_len = sizeof(dummy_password);
438 	if (random_get_bytes(dummy_password, dummy_password_len) < 0)
439 		return -1;
440 
441 	prime_len = sae->tmp->prime_len;
442 	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
443 				 prime_len) < 0)
444 		return -1;
445 	bits = crypto_ec_prime_len_bits(sae->tmp->ec);
446 
447 	/*
448 	 * Create a random quadratic residue (qr) and quadratic non-residue
449 	 * (qnr) modulo p for blinding purposes during the loop.
450 	 */
451 	if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
452 			      &qr, &qnr) < 0)
453 		return -1;
454 
455 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
456 			      password, password_len);
457 
458 	/*
459 	 * H(salt, ikm) = HMAC-SHA256(salt, ikm)
460 	 * base = password
461 	 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
462 	 *              base || counter)
463 	 */
464 	sae_pwd_seed_key(addr1, addr2, addrs);
465 
466 	addr[0] = password;
467 	len[0] = password_len;
468 	addr[1] = &counter;
469 	len[1] = sizeof(counter);
470 
471 	/*
472 	 * Continue for at least k iterations to protect against side-channel
473 	 * attacks that attempt to determine the number of iterations required
474 	 * in the loop.
475 	 */
476 	for (counter = 1; counter <= k || !x; counter++) {
477 		u8 pwd_seed[SHA256_MAC_LEN];
478 		struct crypto_bignum *x_cand;
479 
480 		if (counter > 200) {
481 			/* This should not happen in practice */
482 			wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
483 			break;
484 		}
485 
486 		wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
487 		if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
488 				       pwd_seed) < 0)
489 			break;
490 
491 		res = sae_test_pwd_seed_ecc(sae, pwd_seed,
492 					    prime, qr, qnr, &x_cand);
493 		if (res < 0)
494 			goto fail;
495 		if (res > 0 && !x) {
496 			wpa_printf(MSG_DEBUG,
497 				   "SAE: Selected pwd-seed with counter %u",
498 				   counter);
499 			x = x_cand;
500 			pwd_seed_odd = pwd_seed[SHA256_MAC_LEN - 1] & 0x01;
501 			os_memset(pwd_seed, 0, sizeof(pwd_seed));
502 
503 			/*
504 			 * Use a dummy password for the following rounds, if
505 			 * any.
506 			 */
507 			addr[0] = dummy_password;
508 			len[0] = dummy_password_len;
509 		} else if (res > 0) {
510 			crypto_bignum_deinit(x_cand, 1);
511 		}
512 	}
513 
514 	if (!x) {
515 		wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
516 		res = -1;
517 		goto fail;
518 	}
519 
520 	if (!sae->tmp->pwe_ecc)
521 		sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
522 	if (!sae->tmp->pwe_ecc)
523 		res = -1;
524 	else
525 		res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
526 						    sae->tmp->pwe_ecc, x,
527 						    pwd_seed_odd);
528 	crypto_bignum_deinit(x, 1);
529 	if (res < 0) {
530 		/*
531 		 * This should not happen since we already checked that there
532 		 * is a result.
533 		 */
534 		wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
535 	}
536 
537 fail:
538 	crypto_bignum_deinit(qr, 0);
539 	crypto_bignum_deinit(qnr, 0);
540 
541 	return res;
542 }
543 
544 
545 static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
546 			      const u8 *addr2, const u8 *password,
547 			      size_t password_len)
548 {
549 	u8 counter;
550 	u8 addrs[2 * ETH_ALEN];
551 	const u8 *addr[2];
552 	size_t len[2];
553 	int found = 0;
554 
555 	if (sae->tmp->pwe_ffc == NULL) {
556 		sae->tmp->pwe_ffc = crypto_bignum_init();
557 		if (sae->tmp->pwe_ffc == NULL)
558 			return -1;
559 	}
560 
561 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
562 			      password, password_len);
563 
564 	/*
565 	 * H(salt, ikm) = HMAC-SHA256(salt, ikm)
566 	 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
567 	 *              password || counter)
568 	 */
569 	sae_pwd_seed_key(addr1, addr2, addrs);
570 
571 	addr[0] = password;
572 	len[0] = password_len;
573 	addr[1] = &counter;
574 	len[1] = sizeof(counter);
575 
576 	for (counter = 1; !found; counter++) {
577 		u8 pwd_seed[SHA256_MAC_LEN];
578 		int res;
579 
580 		if (counter > 200) {
581 			/* This should not happen in practice */
582 			wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
583 			break;
584 		}
585 
586 		wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
587 		if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
588 				       pwd_seed) < 0)
589 			break;
590 		res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc);
591 		if (res < 0)
592 			break;
593 		if (res > 0) {
594 			wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
595 			found = 1;
596 		}
597 	}
598 
599 	return found ? 0 : -1;
600 }
601 
602 
603 static int sae_derive_commit_element_ecc(struct sae_data *sae,
604 					 struct crypto_bignum *mask)
605 {
606 	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
607 	if (!sae->tmp->own_commit_element_ecc) {
608 		sae->tmp->own_commit_element_ecc =
609 			crypto_ec_point_init(sae->tmp->ec);
610 		if (!sae->tmp->own_commit_element_ecc)
611 			return -1;
612 	}
613 
614 	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask,
615 				sae->tmp->own_commit_element_ecc) < 0 ||
616 	    crypto_ec_point_invert(sae->tmp->ec,
617 				   sae->tmp->own_commit_element_ecc) < 0) {
618 		wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
619 		return -1;
620 	}
621 
622 	return 0;
623 }
624 
625 
626 static int sae_derive_commit_element_ffc(struct sae_data *sae,
627 					 struct crypto_bignum *mask)
628 {
629 	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
630 	if (!sae->tmp->own_commit_element_ffc) {
631 		sae->tmp->own_commit_element_ffc = crypto_bignum_init();
632 		if (!sae->tmp->own_commit_element_ffc)
633 			return -1;
634 	}
635 
636 	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime,
637 				  sae->tmp->own_commit_element_ffc) < 0 ||
638 	    crypto_bignum_inverse(sae->tmp->own_commit_element_ffc,
639 				  sae->tmp->prime,
640 				  sae->tmp->own_commit_element_ffc) < 0) {
641 		wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
642 		return -1;
643 	}
644 
645 	return 0;
646 }
647 
648 
649 static int sae_derive_commit(struct sae_data *sae)
650 {
651 	struct crypto_bignum *mask;
652 	int ret = -1;
653 	unsigned int counter = 0;
654 
655 	do {
656 		counter++;
657 		if (counter > 100) {
658 			/*
659 			 * This cannot really happen in practice if the random
660 			 * number generator is working. Anyway, to avoid even a
661 			 * theoretical infinite loop, break out after 100
662 			 * attemps.
663 			 */
664 			return -1;
665 		}
666 
667 		mask = sae_get_rand_and_mask(sae);
668 		if (mask == NULL) {
669 			wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask");
670 			return -1;
671 		}
672 
673 		/* commit-scalar = (rand + mask) modulo r */
674 		if (!sae->tmp->own_commit_scalar) {
675 			sae->tmp->own_commit_scalar = crypto_bignum_init();
676 			if (!sae->tmp->own_commit_scalar)
677 				goto fail;
678 		}
679 		crypto_bignum_add(sae->tmp->sae_rand, mask,
680 				  sae->tmp->own_commit_scalar);
681 		crypto_bignum_mod(sae->tmp->own_commit_scalar, sae->tmp->order,
682 				  sae->tmp->own_commit_scalar);
683 	} while (crypto_bignum_is_zero(sae->tmp->own_commit_scalar) ||
684 		 crypto_bignum_is_one(sae->tmp->own_commit_scalar));
685 
686 	if ((sae->tmp->ec && sae_derive_commit_element_ecc(sae, mask) < 0) ||
687 	    (sae->tmp->dh && sae_derive_commit_element_ffc(sae, mask) < 0))
688 		goto fail;
689 
690 	ret = 0;
691 fail:
692 	crypto_bignum_deinit(mask, 1);
693 	return ret;
694 }
695 
696 
697 int sae_prepare_commit(const u8 *addr1, const u8 *addr2,
698 		       const u8 *password, size_t password_len,
699 		       struct sae_data *sae)
700 {
701 	if (sae->tmp == NULL ||
702 	    (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password,
703 						password_len) < 0) ||
704 	    (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password,
705 						password_len) < 0) ||
706 	    sae_derive_commit(sae) < 0)
707 		return -1;
708 	return 0;
709 }
710 
711 
712 static int sae_derive_k_ecc(struct sae_data *sae, u8 *k)
713 {
714 	struct crypto_ec_point *K;
715 	int ret = -1;
716 
717 	K = crypto_ec_point_init(sae->tmp->ec);
718 	if (K == NULL)
719 		goto fail;
720 
721 	/*
722 	 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
723 	 *                                        PEER-COMMIT-ELEMENT)))
724 	 * If K is identity element (point-at-infinity), reject
725 	 * k = F(K) (= x coordinate)
726 	 */
727 
728 	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc,
729 				sae->peer_commit_scalar, K) < 0 ||
730 	    crypto_ec_point_add(sae->tmp->ec, K,
731 				sae->tmp->peer_commit_element_ecc, K) < 0 ||
732 	    crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 ||
733 	    crypto_ec_point_is_at_infinity(sae->tmp->ec, K) ||
734 	    crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) {
735 		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k");
736 		goto fail;
737 	}
738 
739 	wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
740 
741 	ret = 0;
742 fail:
743 	crypto_ec_point_deinit(K, 1);
744 	return ret;
745 }
746 
747 
748 static int sae_derive_k_ffc(struct sae_data *sae, u8 *k)
749 {
750 	struct crypto_bignum *K;
751 	int ret = -1;
752 
753 	K = crypto_bignum_init();
754 	if (K == NULL)
755 		goto fail;
756 
757 	/*
758 	 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
759 	 *                                        PEER-COMMIT-ELEMENT)))
760 	 * If K is identity element (one), reject.
761 	 * k = F(K) (= x coordinate)
762 	 */
763 
764 	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar,
765 				  sae->tmp->prime, K) < 0 ||
766 	    crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc,
767 				 sae->tmp->prime, K) < 0 ||
768 	    crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0
769 	    ||
770 	    crypto_bignum_is_one(K) ||
771 	    crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) <
772 	    0) {
773 		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k");
774 		goto fail;
775 	}
776 
777 	wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
778 
779 	ret = 0;
780 fail:
781 	crypto_bignum_deinit(K, 1);
782 	return ret;
783 }
784 
785 
786 static int sae_derive_keys(struct sae_data *sae, const u8 *k)
787 {
788 	u8 null_key[SAE_KEYSEED_KEY_LEN], val[SAE_MAX_PRIME_LEN];
789 	u8 keyseed[SHA256_MAC_LEN];
790 	u8 keys[SAE_KCK_LEN + SAE_PMK_LEN];
791 	struct crypto_bignum *tmp;
792 	int ret = -1;
793 
794 	tmp = crypto_bignum_init();
795 	if (tmp == NULL)
796 		goto fail;
797 
798 	/* keyseed = H(<0>32, k)
799 	 * KCK || PMK = KDF-512(keyseed, "SAE KCK and PMK",
800 	 *                      (commit-scalar + peer-commit-scalar) modulo r)
801 	 * PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
802 	 */
803 
804 	os_memset(null_key, 0, sizeof(null_key));
805 	hmac_sha256(null_key, sizeof(null_key), k, sae->tmp->prime_len,
806 		    keyseed);
807 	wpa_hexdump_key(MSG_DEBUG, "SAE: keyseed", keyseed, sizeof(keyseed));
808 
809 	crypto_bignum_add(sae->tmp->own_commit_scalar, sae->peer_commit_scalar,
810 			  tmp);
811 	crypto_bignum_mod(tmp, sae->tmp->order, tmp);
812 	crypto_bignum_to_bin(tmp, val, sizeof(val), sae->tmp->prime_len);
813 	wpa_hexdump(MSG_DEBUG, "SAE: PMKID", val, SAE_PMKID_LEN);
814 	if (sha256_prf(keyseed, sizeof(keyseed), "SAE KCK and PMK",
815 		       val, sae->tmp->prime_len, keys, sizeof(keys)) < 0)
816 		goto fail;
817 	os_memset(keyseed, 0, sizeof(keyseed));
818 	os_memcpy(sae->tmp->kck, keys, SAE_KCK_LEN);
819 	os_memcpy(sae->pmk, keys + SAE_KCK_LEN, SAE_PMK_LEN);
820 	os_memcpy(sae->pmkid, val, SAE_PMKID_LEN);
821 	os_memset(keys, 0, sizeof(keys));
822 	wpa_hexdump_key(MSG_DEBUG, "SAE: KCK", sae->tmp->kck, SAE_KCK_LEN);
823 	wpa_hexdump_key(MSG_DEBUG, "SAE: PMK", sae->pmk, SAE_PMK_LEN);
824 
825 	ret = 0;
826 fail:
827 	crypto_bignum_deinit(tmp, 0);
828 	return ret;
829 }
830 
831 
832 int sae_process_commit(struct sae_data *sae)
833 {
834 	u8 k[SAE_MAX_PRIME_LEN];
835 	if (sae->tmp == NULL ||
836 	    (sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) ||
837 	    (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) ||
838 	    sae_derive_keys(sae, k) < 0)
839 		return -1;
840 	return 0;
841 }
842 
843 
844 void sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
845 		      const struct wpabuf *token)
846 {
847 	u8 *pos;
848 
849 	if (sae->tmp == NULL)
850 		return;
851 
852 	wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */
853 	if (token) {
854 		wpabuf_put_buf(buf, token);
855 		wpa_hexdump(MSG_DEBUG, "SAE: Anti-clogging token",
856 			    wpabuf_head(token), wpabuf_len(token));
857 	}
858 	pos = wpabuf_put(buf, sae->tmp->prime_len);
859 	crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos,
860 			     sae->tmp->prime_len, sae->tmp->prime_len);
861 	wpa_hexdump(MSG_DEBUG, "SAE: own commit-scalar",
862 		    pos, sae->tmp->prime_len);
863 	if (sae->tmp->ec) {
864 		pos = wpabuf_put(buf, 2 * sae->tmp->prime_len);
865 		crypto_ec_point_to_bin(sae->tmp->ec,
866 				       sae->tmp->own_commit_element_ecc,
867 				       pos, pos + sae->tmp->prime_len);
868 		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(x)",
869 			    pos, sae->tmp->prime_len);
870 		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(y)",
871 			    pos + sae->tmp->prime_len, sae->tmp->prime_len);
872 	} else {
873 		pos = wpabuf_put(buf, sae->tmp->prime_len);
874 		crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos,
875 				     sae->tmp->prime_len, sae->tmp->prime_len);
876 		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element",
877 			    pos, sae->tmp->prime_len);
878 	}
879 }
880 
881 
882 u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, u16 group)
883 {
884 	if (allowed_groups) {
885 		int i;
886 		for (i = 0; allowed_groups[i] > 0; i++) {
887 			if (allowed_groups[i] == group)
888 				break;
889 		}
890 		if (allowed_groups[i] != group) {
891 			wpa_printf(MSG_DEBUG, "SAE: Proposed group %u not "
892 				   "enabled in the current configuration",
893 				   group);
894 			return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
895 		}
896 	}
897 
898 	if (sae->state == SAE_COMMITTED && group != sae->group) {
899 		wpa_printf(MSG_DEBUG, "SAE: Do not allow group to be changed");
900 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
901 	}
902 
903 	if (group != sae->group && sae_set_group(sae, group) < 0) {
904 		wpa_printf(MSG_DEBUG, "SAE: Unsupported Finite Cyclic Group %u",
905 			   group);
906 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
907 	}
908 
909 	if (sae->tmp == NULL) {
910 		wpa_printf(MSG_DEBUG, "SAE: Group information not yet initialized");
911 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
912 	}
913 
914 	if (sae->tmp->dh && !allowed_groups) {
915 		wpa_printf(MSG_DEBUG, "SAE: Do not allow FFC group %u without "
916 			   "explicit configuration enabling it", group);
917 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
918 	}
919 
920 	return WLAN_STATUS_SUCCESS;
921 }
922 
923 
924 static void sae_parse_commit_token(struct sae_data *sae, const u8 **pos,
925 				   const u8 *end, const u8 **token,
926 				   size_t *token_len)
927 {
928 	if ((sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len < end - *pos) {
929 		size_t tlen = end - (*pos + (sae->tmp->ec ? 3 : 2) *
930 				     sae->tmp->prime_len);
931 		wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token", *pos, tlen);
932 		if (token)
933 			*token = *pos;
934 		if (token_len)
935 			*token_len = tlen;
936 		*pos += tlen;
937 	} else {
938 		if (token)
939 			*token = NULL;
940 		if (token_len)
941 			*token_len = 0;
942 	}
943 }
944 
945 
946 static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos,
947 				   const u8 *end)
948 {
949 	struct crypto_bignum *peer_scalar;
950 
951 	if (sae->tmp->prime_len > end - *pos) {
952 		wpa_printf(MSG_DEBUG, "SAE: Not enough data for scalar");
953 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
954 	}
955 
956 	peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len);
957 	if (peer_scalar == NULL)
958 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
959 
960 	/*
961 	 * IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for
962 	 * the peer and it is in Authenticated state, the new Commit Message
963 	 * shall be dropped if the peer-scalar is identical to the one used in
964 	 * the existing protocol instance.
965 	 */
966 	if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar &&
967 	    crypto_bignum_cmp(sae->peer_commit_scalar, peer_scalar) == 0) {
968 		wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous "
969 			   "peer-commit-scalar");
970 		crypto_bignum_deinit(peer_scalar, 0);
971 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
972 	}
973 
974 	/* 1 < scalar < r */
975 	if (crypto_bignum_is_zero(peer_scalar) ||
976 	    crypto_bignum_is_one(peer_scalar) ||
977 	    crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) {
978 		wpa_printf(MSG_DEBUG, "SAE: Invalid peer scalar");
979 		crypto_bignum_deinit(peer_scalar, 0);
980 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
981 	}
982 
983 
984 	crypto_bignum_deinit(sae->peer_commit_scalar, 0);
985 	sae->peer_commit_scalar = peer_scalar;
986 	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-scalar",
987 		    *pos, sae->tmp->prime_len);
988 	*pos += sae->tmp->prime_len;
989 
990 	return WLAN_STATUS_SUCCESS;
991 }
992 
993 
994 static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
995 					const u8 *end)
996 {
997 	u8 prime[SAE_MAX_ECC_PRIME_LEN];
998 
999 	if (2 * sae->tmp->prime_len > end - pos) {
1000 		wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
1001 			   "commit-element");
1002 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1003 	}
1004 
1005 	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
1006 				 sae->tmp->prime_len) < 0)
1007 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1008 
1009 	/* element x and y coordinates < p */
1010 	if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 ||
1011 	    os_memcmp(pos + sae->tmp->prime_len, prime,
1012 		      sae->tmp->prime_len) >= 0) {
1013 		wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer "
1014 			   "element");
1015 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1016 	}
1017 
1018 	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(x)",
1019 		    pos, sae->tmp->prime_len);
1020 	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(y)",
1021 		    pos + sae->tmp->prime_len, sae->tmp->prime_len);
1022 
1023 	crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0);
1024 	sae->tmp->peer_commit_element_ecc =
1025 		crypto_ec_point_from_bin(sae->tmp->ec, pos);
1026 	if (sae->tmp->peer_commit_element_ecc == NULL)
1027 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1028 
1029 	if (!crypto_ec_point_is_on_curve(sae->tmp->ec,
1030 					 sae->tmp->peer_commit_element_ecc)) {
1031 		wpa_printf(MSG_DEBUG, "SAE: Peer element is not on curve");
1032 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1033 	}
1034 
1035 	return WLAN_STATUS_SUCCESS;
1036 }
1037 
1038 
1039 static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
1040 					const u8 *end)
1041 {
1042 	struct crypto_bignum *res, *one;
1043 	const u8 one_bin[1] = { 0x01 };
1044 
1045 	if (sae->tmp->prime_len > end - pos) {
1046 		wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
1047 			   "commit-element");
1048 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1049 	}
1050 	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", pos,
1051 		    sae->tmp->prime_len);
1052 
1053 	crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0);
1054 	sae->tmp->peer_commit_element_ffc =
1055 		crypto_bignum_init_set(pos, sae->tmp->prime_len);
1056 	if (sae->tmp->peer_commit_element_ffc == NULL)
1057 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1058 	/* 1 < element < p - 1 */
1059 	res = crypto_bignum_init();
1060 	one = crypto_bignum_init_set(one_bin, sizeof(one_bin));
1061 	if (!res || !one ||
1062 	    crypto_bignum_sub(sae->tmp->prime, one, res) ||
1063 	    crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) ||
1064 	    crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) ||
1065 	    crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc, res) >= 0) {
1066 		crypto_bignum_deinit(res, 0);
1067 		crypto_bignum_deinit(one, 0);
1068 		wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
1069 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1070 	}
1071 	crypto_bignum_deinit(one, 0);
1072 
1073 	/* scalar-op(r, ELEMENT) = 1 modulo p */
1074 	if (crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,
1075 				  sae->tmp->order, sae->tmp->prime, res) < 0 ||
1076 	    !crypto_bignum_is_one(res)) {
1077 		wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)");
1078 		crypto_bignum_deinit(res, 0);
1079 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1080 	}
1081 	crypto_bignum_deinit(res, 0);
1082 
1083 	return WLAN_STATUS_SUCCESS;
1084 }
1085 
1086 
1087 static u16 sae_parse_commit_element(struct sae_data *sae, const u8 *pos,
1088 				    const u8 *end)
1089 {
1090 	if (sae->tmp->dh)
1091 		return sae_parse_commit_element_ffc(sae, pos, end);
1092 	return sae_parse_commit_element_ecc(sae, pos, end);
1093 }
1094 
1095 
1096 u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
1097 		     const u8 **token, size_t *token_len, int *allowed_groups)
1098 {
1099 	const u8 *pos = data, *end = data + len;
1100 	u16 res;
1101 
1102 	/* Check Finite Cyclic Group */
1103 	if (end - pos < 2)
1104 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1105 	res = sae_group_allowed(sae, allowed_groups, WPA_GET_LE16(pos));
1106 	if (res != WLAN_STATUS_SUCCESS)
1107 		return res;
1108 	pos += 2;
1109 
1110 	/* Optional Anti-Clogging Token */
1111 	sae_parse_commit_token(sae, &pos, end, token, token_len);
1112 
1113 	/* commit-scalar */
1114 	res = sae_parse_commit_scalar(sae, &pos, end);
1115 	if (res != WLAN_STATUS_SUCCESS)
1116 		return res;
1117 
1118 	/* commit-element */
1119 	res = sae_parse_commit_element(sae, pos, end);
1120 	if (res != WLAN_STATUS_SUCCESS)
1121 		return res;
1122 
1123 	/*
1124 	 * Check whether peer-commit-scalar and PEER-COMMIT-ELEMENT are same as
1125 	 * the values we sent which would be evidence of a reflection attack.
1126 	 */
1127 	if (!sae->tmp->own_commit_scalar ||
1128 	    crypto_bignum_cmp(sae->tmp->own_commit_scalar,
1129 			      sae->peer_commit_scalar) != 0 ||
1130 	    (sae->tmp->dh &&
1131 	     (!sae->tmp->own_commit_element_ffc ||
1132 	      crypto_bignum_cmp(sae->tmp->own_commit_element_ffc,
1133 				sae->tmp->peer_commit_element_ffc) != 0)) ||
1134 	    (sae->tmp->ec &&
1135 	     (!sae->tmp->own_commit_element_ecc ||
1136 	      crypto_ec_point_cmp(sae->tmp->ec,
1137 				  sae->tmp->own_commit_element_ecc,
1138 				  sae->tmp->peer_commit_element_ecc) != 0)))
1139 		return WLAN_STATUS_SUCCESS; /* scalars/elements are different */
1140 
1141 	/*
1142 	 * This is a reflection attack - return special value to trigger caller
1143 	 * to silently discard the frame instead of replying with a specific
1144 	 * status code.
1145 	 */
1146 	return SAE_SILENTLY_DISCARD;
1147 }
1148 
1149 
1150 static void sae_cn_confirm(struct sae_data *sae, const u8 *sc,
1151 			   const struct crypto_bignum *scalar1,
1152 			   const u8 *element1, size_t element1_len,
1153 			   const struct crypto_bignum *scalar2,
1154 			   const u8 *element2, size_t element2_len,
1155 			   u8 *confirm)
1156 {
1157 	const u8 *addr[5];
1158 	size_t len[5];
1159 	u8 scalar_b1[SAE_MAX_PRIME_LEN], scalar_b2[SAE_MAX_PRIME_LEN];
1160 
1161 	/* Confirm
1162 	 * CN(key, X, Y, Z, ...) =
1163 	 *    HMAC-SHA256(key, D2OS(X) || D2OS(Y) || D2OS(Z) | ...)
1164 	 * confirm = CN(KCK, send-confirm, commit-scalar, COMMIT-ELEMENT,
1165 	 *              peer-commit-scalar, PEER-COMMIT-ELEMENT)
1166 	 * verifier = CN(KCK, peer-send-confirm, peer-commit-scalar,
1167 	 *               PEER-COMMIT-ELEMENT, commit-scalar, COMMIT-ELEMENT)
1168 	 */
1169 	addr[0] = sc;
1170 	len[0] = 2;
1171 	crypto_bignum_to_bin(scalar1, scalar_b1, sizeof(scalar_b1),
1172 			     sae->tmp->prime_len);
1173 	addr[1] = scalar_b1;
1174 	len[1] = sae->tmp->prime_len;
1175 	addr[2] = element1;
1176 	len[2] = element1_len;
1177 	crypto_bignum_to_bin(scalar2, scalar_b2, sizeof(scalar_b2),
1178 			     sae->tmp->prime_len);
1179 	addr[3] = scalar_b2;
1180 	len[3] = sae->tmp->prime_len;
1181 	addr[4] = element2;
1182 	len[4] = element2_len;
1183 	hmac_sha256_vector(sae->tmp->kck, sizeof(sae->tmp->kck), 5, addr, len,
1184 			   confirm);
1185 }
1186 
1187 
1188 static void sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc,
1189 			       const struct crypto_bignum *scalar1,
1190 			       const struct crypto_ec_point *element1,
1191 			       const struct crypto_bignum *scalar2,
1192 			       const struct crypto_ec_point *element2,
1193 			       u8 *confirm)
1194 {
1195 	u8 element_b1[2 * SAE_MAX_ECC_PRIME_LEN];
1196 	u8 element_b2[2 * SAE_MAX_ECC_PRIME_LEN];
1197 
1198 	crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1,
1199 			       element_b1 + sae->tmp->prime_len);
1200 	crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2,
1201 			       element_b2 + sae->tmp->prime_len);
1202 
1203 	sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len,
1204 		       scalar2, element_b2, 2 * sae->tmp->prime_len, confirm);
1205 }
1206 
1207 
1208 static void sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc,
1209 			       const struct crypto_bignum *scalar1,
1210 			       const struct crypto_bignum *element1,
1211 			       const struct crypto_bignum *scalar2,
1212 			       const struct crypto_bignum *element2,
1213 			       u8 *confirm)
1214 {
1215 	u8 element_b1[SAE_MAX_PRIME_LEN];
1216 	u8 element_b2[SAE_MAX_PRIME_LEN];
1217 
1218 	crypto_bignum_to_bin(element1, element_b1, sizeof(element_b1),
1219 			     sae->tmp->prime_len);
1220 	crypto_bignum_to_bin(element2, element_b2, sizeof(element_b2),
1221 			     sae->tmp->prime_len);
1222 
1223 	sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len,
1224 		       scalar2, element_b2, sae->tmp->prime_len, confirm);
1225 }
1226 
1227 
1228 void sae_write_confirm(struct sae_data *sae, struct wpabuf *buf)
1229 {
1230 	const u8 *sc;
1231 
1232 	if (sae->tmp == NULL)
1233 		return;
1234 
1235 	/* Send-Confirm */
1236 	sc = wpabuf_put(buf, 0);
1237 	wpabuf_put_le16(buf, sae->send_confirm);
1238 	sae->send_confirm++;
1239 
1240 	if (sae->tmp->ec)
1241 		sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar,
1242 				   sae->tmp->own_commit_element_ecc,
1243 				   sae->peer_commit_scalar,
1244 				   sae->tmp->peer_commit_element_ecc,
1245 				   wpabuf_put(buf, SHA256_MAC_LEN));
1246 	else
1247 		sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar,
1248 				   sae->tmp->own_commit_element_ffc,
1249 				   sae->peer_commit_scalar,
1250 				   sae->tmp->peer_commit_element_ffc,
1251 				   wpabuf_put(buf, SHA256_MAC_LEN));
1252 }
1253 
1254 
1255 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
1256 {
1257 	u8 verifier[SHA256_MAC_LEN];
1258 
1259 	if (len < 2 + SHA256_MAC_LEN) {
1260 		wpa_printf(MSG_DEBUG, "SAE: Too short confirm message");
1261 		return -1;
1262 	}
1263 
1264 	wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
1265 
1266 	if (sae->tmp == NULL) {
1267 		wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
1268 		return -1;
1269 	}
1270 
1271 	if (sae->tmp->ec)
1272 		sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
1273 				   sae->tmp->peer_commit_element_ecc,
1274 				   sae->tmp->own_commit_scalar,
1275 				   sae->tmp->own_commit_element_ecc,
1276 				   verifier);
1277 	else
1278 		sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
1279 				   sae->tmp->peer_commit_element_ffc,
1280 				   sae->tmp->own_commit_scalar,
1281 				   sae->tmp->own_commit_element_ffc,
1282 				   verifier);
1283 
1284 	if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
1285 		wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
1286 		wpa_hexdump(MSG_DEBUG, "SAE: Received confirm",
1287 			    data + 2, SHA256_MAC_LEN);
1288 		wpa_hexdump(MSG_DEBUG, "SAE: Calculated verifier",
1289 			    verifier, SHA256_MAC_LEN);
1290 		return -1;
1291 	}
1292 
1293 	return 0;
1294 }
1295