xref: /freebsd/contrib/wpa/src/common/sae.c (revision f2b7bf8afcfd630e0fbd8417f1ce974de79feaf0)
1 /*
2  * Simultaneous authentication of equals
3  * Copyright (c) 2012-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/crypto.h"
13 #include "crypto/sha256.h"
14 #include "crypto/random.h"
15 #include "crypto/dh_groups.h"
16 #include "ieee802_11_defs.h"
17 #include "sae.h"
18 
19 
20 int sae_set_group(struct sae_data *sae, int group)
21 {
22 	struct sae_temporary_data *tmp;
23 
24 	sae_clear_data(sae);
25 	tmp = sae->tmp = os_zalloc(sizeof(*tmp));
26 	if (tmp == NULL)
27 		return -1;
28 
29 	/* First, check if this is an ECC group */
30 	tmp->ec = crypto_ec_init(group);
31 	if (tmp->ec) {
32 		sae->group = group;
33 		tmp->prime_len = crypto_ec_prime_len(tmp->ec);
34 		tmp->prime = crypto_ec_get_prime(tmp->ec);
35 		tmp->order = crypto_ec_get_order(tmp->ec);
36 		return 0;
37 	}
38 
39 	/* Not an ECC group, check FFC */
40 	tmp->dh = dh_groups_get(group);
41 	if (tmp->dh) {
42 		sae->group = group;
43 		tmp->prime_len = tmp->dh->prime_len;
44 		if (tmp->prime_len > SAE_MAX_PRIME_LEN) {
45 			sae_clear_data(sae);
46 			return -1;
47 		}
48 
49 		tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime,
50 							tmp->prime_len);
51 		if (tmp->prime_buf == NULL) {
52 			sae_clear_data(sae);
53 			return -1;
54 		}
55 		tmp->prime = tmp->prime_buf;
56 
57 		tmp->order_buf = crypto_bignum_init_set(tmp->dh->order,
58 							tmp->dh->order_len);
59 		if (tmp->order_buf == NULL) {
60 			sae_clear_data(sae);
61 			return -1;
62 		}
63 		tmp->order = tmp->order_buf;
64 
65 		return 0;
66 	}
67 
68 	/* Unsupported group */
69 	return -1;
70 }
71 
72 
73 void sae_clear_temp_data(struct sae_data *sae)
74 {
75 	struct sae_temporary_data *tmp;
76 	if (sae == NULL || sae->tmp == NULL)
77 		return;
78 	tmp = sae->tmp;
79 	crypto_ec_deinit(tmp->ec);
80 	crypto_bignum_deinit(tmp->prime_buf, 0);
81 	crypto_bignum_deinit(tmp->order_buf, 0);
82 	crypto_bignum_deinit(tmp->sae_rand, 1);
83 	crypto_bignum_deinit(tmp->pwe_ffc, 1);
84 	crypto_bignum_deinit(tmp->own_commit_scalar, 0);
85 	crypto_bignum_deinit(tmp->own_commit_element_ffc, 0);
86 	crypto_bignum_deinit(tmp->peer_commit_element_ffc, 0);
87 	crypto_ec_point_deinit(tmp->pwe_ecc, 1);
88 	crypto_ec_point_deinit(tmp->own_commit_element_ecc, 0);
89 	crypto_ec_point_deinit(tmp->peer_commit_element_ecc, 0);
90 	wpabuf_free(tmp->anti_clogging_token);
91 	bin_clear_free(tmp, sizeof(*tmp));
92 	sae->tmp = NULL;
93 }
94 
95 
96 void sae_clear_data(struct sae_data *sae)
97 {
98 	if (sae == NULL)
99 		return;
100 	sae_clear_temp_data(sae);
101 	crypto_bignum_deinit(sae->peer_commit_scalar, 0);
102 	os_memset(sae, 0, sizeof(*sae));
103 }
104 
105 
106 static void buf_shift_right(u8 *buf, size_t len, size_t bits)
107 {
108 	size_t i;
109 	for (i = len - 1; i > 0; i--)
110 		buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits);
111 	buf[0] >>= bits;
112 }
113 
114 
115 static struct crypto_bignum * sae_get_rand(struct sae_data *sae)
116 {
117 	u8 val[SAE_MAX_PRIME_LEN];
118 	int iter = 0;
119 	struct crypto_bignum *bn = NULL;
120 	int order_len_bits = crypto_bignum_bits(sae->tmp->order);
121 	size_t order_len = (order_len_bits + 7) / 8;
122 
123 	if (order_len > sizeof(val))
124 		return NULL;
125 
126 	for (;;) {
127 		if (iter++ > 100 || random_get_bytes(val, order_len) < 0)
128 			return NULL;
129 		if (order_len_bits % 8)
130 			buf_shift_right(val, order_len, 8 - order_len_bits % 8);
131 		bn = crypto_bignum_init_set(val, order_len);
132 		if (bn == NULL)
133 			return NULL;
134 		if (crypto_bignum_is_zero(bn) ||
135 		    crypto_bignum_is_one(bn) ||
136 		    crypto_bignum_cmp(bn, sae->tmp->order) >= 0) {
137 			crypto_bignum_deinit(bn, 0);
138 			continue;
139 		}
140 		break;
141 	}
142 
143 	os_memset(val, 0, order_len);
144 	return bn;
145 }
146 
147 
148 static struct crypto_bignum * sae_get_rand_and_mask(struct sae_data *sae)
149 {
150 	crypto_bignum_deinit(sae->tmp->sae_rand, 1);
151 	sae->tmp->sae_rand = sae_get_rand(sae);
152 	if (sae->tmp->sae_rand == NULL)
153 		return NULL;
154 	return sae_get_rand(sae);
155 }
156 
157 
158 static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
159 {
160 	wpa_printf(MSG_DEBUG, "SAE: PWE derivation - addr1=" MACSTR
161 		   " addr2=" MACSTR, MAC2STR(addr1), MAC2STR(addr2));
162 	if (os_memcmp(addr1, addr2, ETH_ALEN) > 0) {
163 		os_memcpy(key, addr1, ETH_ALEN);
164 		os_memcpy(key + ETH_ALEN, addr2, ETH_ALEN);
165 	} else {
166 		os_memcpy(key, addr2, ETH_ALEN);
167 		os_memcpy(key + ETH_ALEN, addr1, ETH_ALEN);
168 	}
169 }
170 
171 
172 static struct crypto_bignum *
173 get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
174 		  int *r_odd)
175 {
176 	for (;;) {
177 		struct crypto_bignum *r;
178 		u8 tmp[SAE_MAX_ECC_PRIME_LEN];
179 
180 		if (random_get_bytes(tmp, prime_len) < 0)
181 			break;
182 		if (prime_bits % 8)
183 			buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
184 		if (os_memcmp(tmp, prime, prime_len) >= 0)
185 			continue;
186 		r = crypto_bignum_init_set(tmp, prime_len);
187 		if (!r)
188 			break;
189 		if (crypto_bignum_is_zero(r)) {
190 			crypto_bignum_deinit(r, 0);
191 			continue;
192 		}
193 
194 		*r_odd = tmp[prime_len - 1] & 0x01;
195 		return r;
196 	}
197 
198 	return NULL;
199 }
200 
201 
202 static int is_quadratic_residue_blind(struct sae_data *sae,
203 				      const u8 *prime, size_t bits,
204 				      const struct crypto_bignum *qr,
205 				      const struct crypto_bignum *qnr,
206 				      const struct crypto_bignum *y_sqr)
207 {
208 	struct crypto_bignum *r, *num;
209 	int r_odd, check, res = -1;
210 
211 	/*
212 	 * Use the blinding technique to mask y_sqr while determining
213 	 * whether it is a quadratic residue modulo p to avoid leaking
214 	 * timing information while determining the Legendre symbol.
215 	 *
216 	 * v = y_sqr
217 	 * r = a random number between 1 and p-1, inclusive
218 	 * num = (v * r * r) modulo p
219 	 */
220 	r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd);
221 	if (!r)
222 		return -1;
223 
224 	num = crypto_bignum_init();
225 	if (!num ||
226 	    crypto_bignum_mulmod(y_sqr, r, sae->tmp->prime, num) < 0 ||
227 	    crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
228 		goto fail;
229 
230 	if (r_odd) {
231 		/*
232 		 * num = (num * qr) module p
233 		 * LGR(num, p) = 1 ==> quadratic residue
234 		 */
235 		if (crypto_bignum_mulmod(num, qr, sae->tmp->prime, num) < 0)
236 			goto fail;
237 		check = 1;
238 	} else {
239 		/*
240 		 * num = (num * qnr) module p
241 		 * LGR(num, p) = -1 ==> quadratic residue
242 		 */
243 		if (crypto_bignum_mulmod(num, qnr, sae->tmp->prime, num) < 0)
244 			goto fail;
245 		check = -1;
246 	}
247 
248 	res = crypto_bignum_legendre(num, sae->tmp->prime);
249 	if (res == -2) {
250 		res = -1;
251 		goto fail;
252 	}
253 	res = res == check;
254 fail:
255 	crypto_bignum_deinit(num, 1);
256 	crypto_bignum_deinit(r, 1);
257 	return res;
258 }
259 
260 
261 static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
262 				 const u8 *prime,
263 				 const struct crypto_bignum *qr,
264 				 const struct crypto_bignum *qnr,
265 				 struct crypto_bignum **ret_x_cand)
266 {
267 	u8 pwd_value[SAE_MAX_ECC_PRIME_LEN];
268 	struct crypto_bignum *y_sqr, *x_cand;
269 	int res;
270 	size_t bits;
271 
272 	*ret_x_cand = NULL;
273 
274 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
275 
276 	/* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
277 	bits = crypto_ec_prime_len_bits(sae->tmp->ec);
278 	sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
279 			prime, sae->tmp->prime_len, pwd_value, bits);
280 	if (bits % 8)
281 		buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8);
282 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
283 			pwd_value, sae->tmp->prime_len);
284 
285 	if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
286 		return 0;
287 
288 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
289 	if (!x_cand)
290 		return -1;
291 	y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand);
292 	if (!y_sqr) {
293 		crypto_bignum_deinit(x_cand, 1);
294 		return -1;
295 	}
296 
297 	res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
298 	crypto_bignum_deinit(y_sqr, 1);
299 	if (res <= 0) {
300 		crypto_bignum_deinit(x_cand, 1);
301 		return res;
302 	}
303 
304 	*ret_x_cand = x_cand;
305 	return 1;
306 }
307 
308 
309 static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
310 				 struct crypto_bignum *pwe)
311 {
312 	u8 pwd_value[SAE_MAX_PRIME_LEN];
313 	size_t bits = sae->tmp->prime_len * 8;
314 	u8 exp[1];
315 	struct crypto_bignum *a, *b;
316 	int res;
317 
318 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN);
319 
320 	/* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */
321 	sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
322 			sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value,
323 			bits);
324 	if (bits % 8)
325 		buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8);
326 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
327 			sae->tmp->prime_len);
328 
329 	if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)
330 	{
331 		wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p");
332 		return 0;
333 	}
334 
335 	/* PWE = pwd-value^((p-1)/r) modulo p */
336 
337 	a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
338 
339 	if (sae->tmp->dh->safe_prime) {
340 		/*
341 		 * r = (p-1)/2 for the group used here, so this becomes:
342 		 * PWE = pwd-value^2 modulo p
343 		 */
344 		exp[0] = 2;
345 		b = crypto_bignum_init_set(exp, sizeof(exp));
346 	} else {
347 		/* Calculate exponent: (p-1)/r */
348 		exp[0] = 1;
349 		b = crypto_bignum_init_set(exp, sizeof(exp));
350 		if (b == NULL ||
351 		    crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
352 		    crypto_bignum_div(b, sae->tmp->order, b) < 0) {
353 			crypto_bignum_deinit(b, 0);
354 			b = NULL;
355 		}
356 	}
357 
358 	if (a == NULL || b == NULL)
359 		res = -1;
360 	else
361 		res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
362 
363 	crypto_bignum_deinit(a, 0);
364 	crypto_bignum_deinit(b, 0);
365 
366 	if (res < 0) {
367 		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE");
368 		return -1;
369 	}
370 
371 	/* if (PWE > 1) --> found */
372 	if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) {
373 		wpa_printf(MSG_DEBUG, "SAE: PWE <= 1");
374 		return 0;
375 	}
376 
377 	wpa_printf(MSG_DEBUG, "SAE: PWE found");
378 	return 1;
379 }
380 
381 
382 static int get_random_qr_qnr(const u8 *prime, size_t prime_len,
383 			     const struct crypto_bignum *prime_bn,
384 			     size_t prime_bits, struct crypto_bignum **qr,
385 			     struct crypto_bignum **qnr)
386 {
387 	*qr = NULL;
388 	*qnr = NULL;
389 
390 	while (!(*qr) || !(*qnr)) {
391 		u8 tmp[SAE_MAX_ECC_PRIME_LEN];
392 		struct crypto_bignum *q;
393 		int res;
394 
395 		if (random_get_bytes(tmp, prime_len) < 0)
396 			break;
397 		if (prime_bits % 8)
398 			buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
399 		if (os_memcmp(tmp, prime, prime_len) >= 0)
400 			continue;
401 		q = crypto_bignum_init_set(tmp, prime_len);
402 		if (!q)
403 			break;
404 		res = crypto_bignum_legendre(q, prime_bn);
405 
406 		if (res == 1 && !(*qr))
407 			*qr = q;
408 		else if (res == -1 && !(*qnr))
409 			*qnr = q;
410 		else
411 			crypto_bignum_deinit(q, 0);
412 	}
413 
414 	return (*qr && *qnr) ? 0 : -1;
415 }
416 
417 
418 static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
419 			      const u8 *addr2, const u8 *password,
420 			      size_t password_len)
421 {
422 	u8 counter, k = 40;
423 	u8 addrs[2 * ETH_ALEN];
424 	const u8 *addr[2];
425 	size_t len[2];
426 	u8 dummy_password[32];
427 	size_t dummy_password_len;
428 	int pwd_seed_odd = 0;
429 	u8 prime[SAE_MAX_ECC_PRIME_LEN];
430 	size_t prime_len;
431 	struct crypto_bignum *x = NULL, *qr, *qnr;
432 	size_t bits;
433 	int res;
434 
435 	dummy_password_len = password_len;
436 	if (dummy_password_len > sizeof(dummy_password))
437 		dummy_password_len = sizeof(dummy_password);
438 	if (random_get_bytes(dummy_password, dummy_password_len) < 0)
439 		return -1;
440 
441 	prime_len = sae->tmp->prime_len;
442 	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
443 				 prime_len) < 0)
444 		return -1;
445 	bits = crypto_ec_prime_len_bits(sae->tmp->ec);
446 
447 	/*
448 	 * Create a random quadratic residue (qr) and quadratic non-residue
449 	 * (qnr) modulo p for blinding purposes during the loop.
450 	 */
451 	if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
452 			      &qr, &qnr) < 0)
453 		return -1;
454 
455 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
456 			      password, password_len);
457 
458 	/*
459 	 * H(salt, ikm) = HMAC-SHA256(salt, ikm)
460 	 * base = password
461 	 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
462 	 *              base || counter)
463 	 */
464 	sae_pwd_seed_key(addr1, addr2, addrs);
465 
466 	addr[0] = password;
467 	len[0] = password_len;
468 	addr[1] = &counter;
469 	len[1] = sizeof(counter);
470 
471 	/*
472 	 * Continue for at least k iterations to protect against side-channel
473 	 * attacks that attempt to determine the number of iterations required
474 	 * in the loop.
475 	 */
476 	for (counter = 1; counter <= k || !x; counter++) {
477 		u8 pwd_seed[SHA256_MAC_LEN];
478 		struct crypto_bignum *x_cand;
479 
480 		if (counter > 200) {
481 			/* This should not happen in practice */
482 			wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
483 			break;
484 		}
485 
486 		wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
487 		if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
488 				       pwd_seed) < 0)
489 			break;
490 
491 		res = sae_test_pwd_seed_ecc(sae, pwd_seed,
492 					    prime, qr, qnr, &x_cand);
493 		if (res < 0)
494 			goto fail;
495 		if (res > 0 && !x) {
496 			wpa_printf(MSG_DEBUG,
497 				   "SAE: Selected pwd-seed with counter %u",
498 				   counter);
499 			x = x_cand;
500 			pwd_seed_odd = pwd_seed[SHA256_MAC_LEN - 1] & 0x01;
501 			os_memset(pwd_seed, 0, sizeof(pwd_seed));
502 
503 			/*
504 			 * Use a dummy password for the following rounds, if
505 			 * any.
506 			 */
507 			addr[0] = dummy_password;
508 			len[0] = dummy_password_len;
509 		} else if (res > 0) {
510 			crypto_bignum_deinit(x_cand, 1);
511 		}
512 	}
513 
514 	if (!x) {
515 		wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
516 		res = -1;
517 		goto fail;
518 	}
519 
520 	if (!sae->tmp->pwe_ecc)
521 		sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
522 	if (!sae->tmp->pwe_ecc)
523 		res = -1;
524 	else
525 		res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
526 						    sae->tmp->pwe_ecc, x,
527 						    pwd_seed_odd);
528 	crypto_bignum_deinit(x, 1);
529 	if (res < 0) {
530 		/*
531 		 * This should not happen since we already checked that there
532 		 * is a result.
533 		 */
534 		wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
535 	}
536 
537 fail:
538 	crypto_bignum_deinit(qr, 0);
539 	crypto_bignum_deinit(qnr, 0);
540 
541 	return res;
542 }
543 
544 
545 static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
546 			      const u8 *addr2, const u8 *password,
547 			      size_t password_len)
548 {
549 	u8 counter;
550 	u8 addrs[2 * ETH_ALEN];
551 	const u8 *addr[2];
552 	size_t len[2];
553 	int found = 0;
554 
555 	if (sae->tmp->pwe_ffc == NULL) {
556 		sae->tmp->pwe_ffc = crypto_bignum_init();
557 		if (sae->tmp->pwe_ffc == NULL)
558 			return -1;
559 	}
560 
561 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
562 			      password, password_len);
563 
564 	/*
565 	 * H(salt, ikm) = HMAC-SHA256(salt, ikm)
566 	 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
567 	 *              password || counter)
568 	 */
569 	sae_pwd_seed_key(addr1, addr2, addrs);
570 
571 	addr[0] = password;
572 	len[0] = password_len;
573 	addr[1] = &counter;
574 	len[1] = sizeof(counter);
575 
576 	for (counter = 1; !found; counter++) {
577 		u8 pwd_seed[SHA256_MAC_LEN];
578 		int res;
579 
580 		if (counter > 200) {
581 			/* This should not happen in practice */
582 			wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
583 			break;
584 		}
585 
586 		wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
587 		if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
588 				       pwd_seed) < 0)
589 			break;
590 		res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc);
591 		if (res < 0)
592 			break;
593 		if (res > 0) {
594 			wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
595 			found = 1;
596 		}
597 	}
598 
599 	return found ? 0 : -1;
600 }
601 
602 
603 static int sae_derive_commit_element_ecc(struct sae_data *sae,
604 					 struct crypto_bignum *mask)
605 {
606 	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
607 	if (!sae->tmp->own_commit_element_ecc) {
608 		sae->tmp->own_commit_element_ecc =
609 			crypto_ec_point_init(sae->tmp->ec);
610 		if (!sae->tmp->own_commit_element_ecc)
611 			return -1;
612 	}
613 
614 	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask,
615 				sae->tmp->own_commit_element_ecc) < 0 ||
616 	    crypto_ec_point_invert(sae->tmp->ec,
617 				   sae->tmp->own_commit_element_ecc) < 0) {
618 		wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
619 		return -1;
620 	}
621 
622 	return 0;
623 }
624 
625 
626 static int sae_derive_commit_element_ffc(struct sae_data *sae,
627 					 struct crypto_bignum *mask)
628 {
629 	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
630 	if (!sae->tmp->own_commit_element_ffc) {
631 		sae->tmp->own_commit_element_ffc = crypto_bignum_init();
632 		if (!sae->tmp->own_commit_element_ffc)
633 			return -1;
634 	}
635 
636 	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime,
637 				  sae->tmp->own_commit_element_ffc) < 0 ||
638 	    crypto_bignum_inverse(sae->tmp->own_commit_element_ffc,
639 				  sae->tmp->prime,
640 				  sae->tmp->own_commit_element_ffc) < 0) {
641 		wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
642 		return -1;
643 	}
644 
645 	return 0;
646 }
647 
648 
649 static int sae_derive_commit(struct sae_data *sae)
650 {
651 	struct crypto_bignum *mask;
652 	int ret = -1;
653 	unsigned int counter = 0;
654 
655 	do {
656 		counter++;
657 		if (counter > 100) {
658 			/*
659 			 * This cannot really happen in practice if the random
660 			 * number generator is working. Anyway, to avoid even a
661 			 * theoretical infinite loop, break out after 100
662 			 * attemps.
663 			 */
664 			return -1;
665 		}
666 
667 		mask = sae_get_rand_and_mask(sae);
668 		if (mask == NULL) {
669 			wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask");
670 			return -1;
671 		}
672 
673 		/* commit-scalar = (rand + mask) modulo r */
674 		if (!sae->tmp->own_commit_scalar) {
675 			sae->tmp->own_commit_scalar = crypto_bignum_init();
676 			if (!sae->tmp->own_commit_scalar)
677 				goto fail;
678 		}
679 		crypto_bignum_add(sae->tmp->sae_rand, mask,
680 				  sae->tmp->own_commit_scalar);
681 		crypto_bignum_mod(sae->tmp->own_commit_scalar, sae->tmp->order,
682 				  sae->tmp->own_commit_scalar);
683 	} while (crypto_bignum_is_zero(sae->tmp->own_commit_scalar) ||
684 		 crypto_bignum_is_one(sae->tmp->own_commit_scalar));
685 
686 	if ((sae->tmp->ec && sae_derive_commit_element_ecc(sae, mask) < 0) ||
687 	    (sae->tmp->dh && sae_derive_commit_element_ffc(sae, mask) < 0))
688 		goto fail;
689 
690 	ret = 0;
691 fail:
692 	crypto_bignum_deinit(mask, 1);
693 	return ret;
694 }
695 
696 
697 int sae_prepare_commit(const u8 *addr1, const u8 *addr2,
698 		       const u8 *password, size_t password_len,
699 		       struct sae_data *sae)
700 {
701 	if (sae->tmp == NULL ||
702 	    (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password,
703 						password_len) < 0) ||
704 	    (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password,
705 						password_len) < 0) ||
706 	    sae_derive_commit(sae) < 0)
707 		return -1;
708 	return 0;
709 }
710 
711 
712 static int sae_derive_k_ecc(struct sae_data *sae, u8 *k)
713 {
714 	struct crypto_ec_point *K;
715 	int ret = -1;
716 
717 	K = crypto_ec_point_init(sae->tmp->ec);
718 	if (K == NULL)
719 		goto fail;
720 
721 	/*
722 	 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
723 	 *                                        PEER-COMMIT-ELEMENT)))
724 	 * If K is identity element (point-at-infinity), reject
725 	 * k = F(K) (= x coordinate)
726 	 */
727 
728 	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc,
729 				sae->peer_commit_scalar, K) < 0 ||
730 	    crypto_ec_point_add(sae->tmp->ec, K,
731 				sae->tmp->peer_commit_element_ecc, K) < 0 ||
732 	    crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 ||
733 	    crypto_ec_point_is_at_infinity(sae->tmp->ec, K) ||
734 	    crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) {
735 		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k");
736 		goto fail;
737 	}
738 
739 	wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
740 
741 	ret = 0;
742 fail:
743 	crypto_ec_point_deinit(K, 1);
744 	return ret;
745 }
746 
747 
748 static int sae_derive_k_ffc(struct sae_data *sae, u8 *k)
749 {
750 	struct crypto_bignum *K;
751 	int ret = -1;
752 
753 	K = crypto_bignum_init();
754 	if (K == NULL)
755 		goto fail;
756 
757 	/*
758 	 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
759 	 *                                        PEER-COMMIT-ELEMENT)))
760 	 * If K is identity element (one), reject.
761 	 * k = F(K) (= x coordinate)
762 	 */
763 
764 	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar,
765 				  sae->tmp->prime, K) < 0 ||
766 	    crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc,
767 				 sae->tmp->prime, K) < 0 ||
768 	    crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0
769 	    ||
770 	    crypto_bignum_is_one(K) ||
771 	    crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) <
772 	    0) {
773 		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k");
774 		goto fail;
775 	}
776 
777 	wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
778 
779 	ret = 0;
780 fail:
781 	crypto_bignum_deinit(K, 1);
782 	return ret;
783 }
784 
785 
786 static int sae_derive_keys(struct sae_data *sae, const u8 *k)
787 {
788 	u8 null_key[SAE_KEYSEED_KEY_LEN], val[SAE_MAX_PRIME_LEN];
789 	u8 keyseed[SHA256_MAC_LEN];
790 	u8 keys[SAE_KCK_LEN + SAE_PMK_LEN];
791 	struct crypto_bignum *tmp;
792 	int ret = -1;
793 
794 	tmp = crypto_bignum_init();
795 	if (tmp == NULL)
796 		goto fail;
797 
798 	/* keyseed = H(<0>32, k)
799 	 * KCK || PMK = KDF-512(keyseed, "SAE KCK and PMK",
800 	 *                      (commit-scalar + peer-commit-scalar) modulo r)
801 	 * PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
802 	 */
803 
804 	os_memset(null_key, 0, sizeof(null_key));
805 	hmac_sha256(null_key, sizeof(null_key), k, sae->tmp->prime_len,
806 		    keyseed);
807 	wpa_hexdump_key(MSG_DEBUG, "SAE: keyseed", keyseed, sizeof(keyseed));
808 
809 	crypto_bignum_add(sae->tmp->own_commit_scalar, sae->peer_commit_scalar,
810 			  tmp);
811 	crypto_bignum_mod(tmp, sae->tmp->order, tmp);
812 	crypto_bignum_to_bin(tmp, val, sizeof(val), sae->tmp->prime_len);
813 	wpa_hexdump(MSG_DEBUG, "SAE: PMKID", val, SAE_PMKID_LEN);
814 	sha256_prf(keyseed, sizeof(keyseed), "SAE KCK and PMK",
815 		   val, sae->tmp->prime_len, keys, sizeof(keys));
816 	os_memset(keyseed, 0, sizeof(keyseed));
817 	os_memcpy(sae->tmp->kck, keys, SAE_KCK_LEN);
818 	os_memcpy(sae->pmk, keys + SAE_KCK_LEN, SAE_PMK_LEN);
819 	os_memset(keys, 0, sizeof(keys));
820 	wpa_hexdump_key(MSG_DEBUG, "SAE: KCK", sae->tmp->kck, SAE_KCK_LEN);
821 	wpa_hexdump_key(MSG_DEBUG, "SAE: PMK", sae->pmk, SAE_PMK_LEN);
822 
823 	ret = 0;
824 fail:
825 	crypto_bignum_deinit(tmp, 0);
826 	return ret;
827 }
828 
829 
830 int sae_process_commit(struct sae_data *sae)
831 {
832 	u8 k[SAE_MAX_PRIME_LEN];
833 	if (sae->tmp == NULL ||
834 	    (sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) ||
835 	    (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) ||
836 	    sae_derive_keys(sae, k) < 0)
837 		return -1;
838 	return 0;
839 }
840 
841 
842 void sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
843 		      const struct wpabuf *token)
844 {
845 	u8 *pos;
846 
847 	if (sae->tmp == NULL)
848 		return;
849 
850 	wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */
851 	if (token) {
852 		wpabuf_put_buf(buf, token);
853 		wpa_hexdump(MSG_DEBUG, "SAE: Anti-clogging token",
854 			    wpabuf_head(token), wpabuf_len(token));
855 	}
856 	pos = wpabuf_put(buf, sae->tmp->prime_len);
857 	crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos,
858 			     sae->tmp->prime_len, sae->tmp->prime_len);
859 	wpa_hexdump(MSG_DEBUG, "SAE: own commit-scalar",
860 		    pos, sae->tmp->prime_len);
861 	if (sae->tmp->ec) {
862 		pos = wpabuf_put(buf, 2 * sae->tmp->prime_len);
863 		crypto_ec_point_to_bin(sae->tmp->ec,
864 				       sae->tmp->own_commit_element_ecc,
865 				       pos, pos + sae->tmp->prime_len);
866 		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(x)",
867 			    pos, sae->tmp->prime_len);
868 		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(y)",
869 			    pos + sae->tmp->prime_len, sae->tmp->prime_len);
870 	} else {
871 		pos = wpabuf_put(buf, sae->tmp->prime_len);
872 		crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos,
873 				     sae->tmp->prime_len, sae->tmp->prime_len);
874 		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element",
875 			    pos, sae->tmp->prime_len);
876 	}
877 }
878 
879 
880 u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, u16 group)
881 {
882 	if (allowed_groups) {
883 		int i;
884 		for (i = 0; allowed_groups[i] > 0; i++) {
885 			if (allowed_groups[i] == group)
886 				break;
887 		}
888 		if (allowed_groups[i] != group) {
889 			wpa_printf(MSG_DEBUG, "SAE: Proposed group %u not "
890 				   "enabled in the current configuration",
891 				   group);
892 			return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
893 		}
894 	}
895 
896 	if (sae->state == SAE_COMMITTED && group != sae->group) {
897 		wpa_printf(MSG_DEBUG, "SAE: Do not allow group to be changed");
898 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
899 	}
900 
901 	if (group != sae->group && sae_set_group(sae, group) < 0) {
902 		wpa_printf(MSG_DEBUG, "SAE: Unsupported Finite Cyclic Group %u",
903 			   group);
904 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
905 	}
906 
907 	if (sae->tmp == NULL) {
908 		wpa_printf(MSG_DEBUG, "SAE: Group information not yet initialized");
909 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
910 	}
911 
912 	if (sae->tmp->dh && !allowed_groups) {
913 		wpa_printf(MSG_DEBUG, "SAE: Do not allow FFC group %u without "
914 			   "explicit configuration enabling it", group);
915 		return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
916 	}
917 
918 	return WLAN_STATUS_SUCCESS;
919 }
920 
921 
922 static void sae_parse_commit_token(struct sae_data *sae, const u8 **pos,
923 				   const u8 *end, const u8 **token,
924 				   size_t *token_len)
925 {
926 	if (*pos + (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len < end) {
927 		size_t tlen = end - (*pos + (sae->tmp->ec ? 3 : 2) *
928 				     sae->tmp->prime_len);
929 		wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token", *pos, tlen);
930 		if (token)
931 			*token = *pos;
932 		if (token_len)
933 			*token_len = tlen;
934 		*pos += tlen;
935 	} else {
936 		if (token)
937 			*token = NULL;
938 		if (token_len)
939 			*token_len = 0;
940 	}
941 }
942 
943 
944 static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos,
945 				   const u8 *end)
946 {
947 	struct crypto_bignum *peer_scalar;
948 
949 	if (*pos + sae->tmp->prime_len > end) {
950 		wpa_printf(MSG_DEBUG, "SAE: Not enough data for scalar");
951 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
952 	}
953 
954 	peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len);
955 	if (peer_scalar == NULL)
956 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
957 
958 	/*
959 	 * IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for
960 	 * the peer and it is in Authenticated state, the new Commit Message
961 	 * shall be dropped if the peer-scalar is identical to the one used in
962 	 * the existing protocol instance.
963 	 */
964 	if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar &&
965 	    crypto_bignum_cmp(sae->peer_commit_scalar, peer_scalar) == 0) {
966 		wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous "
967 			   "peer-commit-scalar");
968 		crypto_bignum_deinit(peer_scalar, 0);
969 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
970 	}
971 
972 	/* 1 < scalar < r */
973 	if (crypto_bignum_is_zero(peer_scalar) ||
974 	    crypto_bignum_is_one(peer_scalar) ||
975 	    crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) {
976 		wpa_printf(MSG_DEBUG, "SAE: Invalid peer scalar");
977 		crypto_bignum_deinit(peer_scalar, 0);
978 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
979 	}
980 
981 
982 	crypto_bignum_deinit(sae->peer_commit_scalar, 0);
983 	sae->peer_commit_scalar = peer_scalar;
984 	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-scalar",
985 		    *pos, sae->tmp->prime_len);
986 	*pos += sae->tmp->prime_len;
987 
988 	return WLAN_STATUS_SUCCESS;
989 }
990 
991 
992 static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
993 					const u8 *end)
994 {
995 	u8 prime[SAE_MAX_ECC_PRIME_LEN];
996 
997 	if (pos + 2 * sae->tmp->prime_len > end) {
998 		wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
999 			   "commit-element");
1000 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1001 	}
1002 
1003 	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
1004 				 sae->tmp->prime_len) < 0)
1005 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1006 
1007 	/* element x and y coordinates < p */
1008 	if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 ||
1009 	    os_memcmp(pos + sae->tmp->prime_len, prime,
1010 		      sae->tmp->prime_len) >= 0) {
1011 		wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer "
1012 			   "element");
1013 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1014 	}
1015 
1016 	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(x)",
1017 		    pos, sae->tmp->prime_len);
1018 	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(y)",
1019 		    pos + sae->tmp->prime_len, sae->tmp->prime_len);
1020 
1021 	crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0);
1022 	sae->tmp->peer_commit_element_ecc =
1023 		crypto_ec_point_from_bin(sae->tmp->ec, pos);
1024 	if (sae->tmp->peer_commit_element_ecc == NULL)
1025 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1026 
1027 	if (!crypto_ec_point_is_on_curve(sae->tmp->ec,
1028 					 sae->tmp->peer_commit_element_ecc)) {
1029 		wpa_printf(MSG_DEBUG, "SAE: Peer element is not on curve");
1030 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1031 	}
1032 
1033 	return WLAN_STATUS_SUCCESS;
1034 }
1035 
1036 
1037 static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
1038 					const u8 *end)
1039 {
1040 	struct crypto_bignum *res, *one;
1041 	const u8 one_bin[1] = { 0x01 };
1042 
1043 	if (pos + sae->tmp->prime_len > end) {
1044 		wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
1045 			   "commit-element");
1046 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1047 	}
1048 	wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", pos,
1049 		    sae->tmp->prime_len);
1050 
1051 	crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0);
1052 	sae->tmp->peer_commit_element_ffc =
1053 		crypto_bignum_init_set(pos, sae->tmp->prime_len);
1054 	if (sae->tmp->peer_commit_element_ffc == NULL)
1055 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1056 	/* 1 < element < p - 1 */
1057 	res = crypto_bignum_init();
1058 	one = crypto_bignum_init_set(one_bin, sizeof(one_bin));
1059 	if (!res || !one ||
1060 	    crypto_bignum_sub(sae->tmp->prime, one, res) ||
1061 	    crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) ||
1062 	    crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) ||
1063 	    crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc, res) >= 0) {
1064 		crypto_bignum_deinit(res, 0);
1065 		crypto_bignum_deinit(one, 0);
1066 		wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
1067 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1068 	}
1069 	crypto_bignum_deinit(one, 0);
1070 
1071 	/* scalar-op(r, ELEMENT) = 1 modulo p */
1072 	if (crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,
1073 				  sae->tmp->order, sae->tmp->prime, res) < 0 ||
1074 	    !crypto_bignum_is_one(res)) {
1075 		wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)");
1076 		crypto_bignum_deinit(res, 0);
1077 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1078 	}
1079 	crypto_bignum_deinit(res, 0);
1080 
1081 	return WLAN_STATUS_SUCCESS;
1082 }
1083 
1084 
1085 static u16 sae_parse_commit_element(struct sae_data *sae, const u8 *pos,
1086 				    const u8 *end)
1087 {
1088 	if (sae->tmp->dh)
1089 		return sae_parse_commit_element_ffc(sae, pos, end);
1090 	return sae_parse_commit_element_ecc(sae, pos, end);
1091 }
1092 
1093 
1094 u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
1095 		     const u8 **token, size_t *token_len, int *allowed_groups)
1096 {
1097 	const u8 *pos = data, *end = data + len;
1098 	u16 res;
1099 
1100 	/* Check Finite Cyclic Group */
1101 	if (pos + 2 > end)
1102 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
1103 	res = sae_group_allowed(sae, allowed_groups, WPA_GET_LE16(pos));
1104 	if (res != WLAN_STATUS_SUCCESS)
1105 		return res;
1106 	pos += 2;
1107 
1108 	/* Optional Anti-Clogging Token */
1109 	sae_parse_commit_token(sae, &pos, end, token, token_len);
1110 
1111 	/* commit-scalar */
1112 	res = sae_parse_commit_scalar(sae, &pos, end);
1113 	if (res != WLAN_STATUS_SUCCESS)
1114 		return res;
1115 
1116 	/* commit-element */
1117 	res = sae_parse_commit_element(sae, pos, end);
1118 	if (res != WLAN_STATUS_SUCCESS)
1119 		return res;
1120 
1121 	/*
1122 	 * Check whether peer-commit-scalar and PEER-COMMIT-ELEMENT are same as
1123 	 * the values we sent which would be evidence of a reflection attack.
1124 	 */
1125 	if (!sae->tmp->own_commit_scalar ||
1126 	    crypto_bignum_cmp(sae->tmp->own_commit_scalar,
1127 			      sae->peer_commit_scalar) != 0 ||
1128 	    (sae->tmp->dh &&
1129 	     (!sae->tmp->own_commit_element_ffc ||
1130 	      crypto_bignum_cmp(sae->tmp->own_commit_element_ffc,
1131 				sae->tmp->peer_commit_element_ffc) != 0)) ||
1132 	    (sae->tmp->ec &&
1133 	     (!sae->tmp->own_commit_element_ecc ||
1134 	      crypto_ec_point_cmp(sae->tmp->ec,
1135 				  sae->tmp->own_commit_element_ecc,
1136 				  sae->tmp->peer_commit_element_ecc) != 0)))
1137 		return WLAN_STATUS_SUCCESS; /* scalars/elements are different */
1138 
1139 	/*
1140 	 * This is a reflection attack - return special value to trigger caller
1141 	 * to silently discard the frame instead of replying with a specific
1142 	 * status code.
1143 	 */
1144 	return SAE_SILENTLY_DISCARD;
1145 }
1146 
1147 
1148 static void sae_cn_confirm(struct sae_data *sae, const u8 *sc,
1149 			   const struct crypto_bignum *scalar1,
1150 			   const u8 *element1, size_t element1_len,
1151 			   const struct crypto_bignum *scalar2,
1152 			   const u8 *element2, size_t element2_len,
1153 			   u8 *confirm)
1154 {
1155 	const u8 *addr[5];
1156 	size_t len[5];
1157 	u8 scalar_b1[SAE_MAX_PRIME_LEN], scalar_b2[SAE_MAX_PRIME_LEN];
1158 
1159 	/* Confirm
1160 	 * CN(key, X, Y, Z, ...) =
1161 	 *    HMAC-SHA256(key, D2OS(X) || D2OS(Y) || D2OS(Z) | ...)
1162 	 * confirm = CN(KCK, send-confirm, commit-scalar, COMMIT-ELEMENT,
1163 	 *              peer-commit-scalar, PEER-COMMIT-ELEMENT)
1164 	 * verifier = CN(KCK, peer-send-confirm, peer-commit-scalar,
1165 	 *               PEER-COMMIT-ELEMENT, commit-scalar, COMMIT-ELEMENT)
1166 	 */
1167 	addr[0] = sc;
1168 	len[0] = 2;
1169 	crypto_bignum_to_bin(scalar1, scalar_b1, sizeof(scalar_b1),
1170 			     sae->tmp->prime_len);
1171 	addr[1] = scalar_b1;
1172 	len[1] = sae->tmp->prime_len;
1173 	addr[2] = element1;
1174 	len[2] = element1_len;
1175 	crypto_bignum_to_bin(scalar2, scalar_b2, sizeof(scalar_b2),
1176 			     sae->tmp->prime_len);
1177 	addr[3] = scalar_b2;
1178 	len[3] = sae->tmp->prime_len;
1179 	addr[4] = element2;
1180 	len[4] = element2_len;
1181 	hmac_sha256_vector(sae->tmp->kck, sizeof(sae->tmp->kck), 5, addr, len,
1182 			   confirm);
1183 }
1184 
1185 
1186 static void sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc,
1187 			       const struct crypto_bignum *scalar1,
1188 			       const struct crypto_ec_point *element1,
1189 			       const struct crypto_bignum *scalar2,
1190 			       const struct crypto_ec_point *element2,
1191 			       u8 *confirm)
1192 {
1193 	u8 element_b1[2 * SAE_MAX_ECC_PRIME_LEN];
1194 	u8 element_b2[2 * SAE_MAX_ECC_PRIME_LEN];
1195 
1196 	crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1,
1197 			       element_b1 + sae->tmp->prime_len);
1198 	crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2,
1199 			       element_b2 + sae->tmp->prime_len);
1200 
1201 	sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len,
1202 		       scalar2, element_b2, 2 * sae->tmp->prime_len, confirm);
1203 }
1204 
1205 
1206 static void sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc,
1207 			       const struct crypto_bignum *scalar1,
1208 			       const struct crypto_bignum *element1,
1209 			       const struct crypto_bignum *scalar2,
1210 			       const struct crypto_bignum *element2,
1211 			       u8 *confirm)
1212 {
1213 	u8 element_b1[SAE_MAX_PRIME_LEN];
1214 	u8 element_b2[SAE_MAX_PRIME_LEN];
1215 
1216 	crypto_bignum_to_bin(element1, element_b1, sizeof(element_b1),
1217 			     sae->tmp->prime_len);
1218 	crypto_bignum_to_bin(element2, element_b2, sizeof(element_b2),
1219 			     sae->tmp->prime_len);
1220 
1221 	sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len,
1222 		       scalar2, element_b2, sae->tmp->prime_len, confirm);
1223 }
1224 
1225 
1226 void sae_write_confirm(struct sae_data *sae, struct wpabuf *buf)
1227 {
1228 	const u8 *sc;
1229 
1230 	if (sae->tmp == NULL)
1231 		return;
1232 
1233 	/* Send-Confirm */
1234 	sc = wpabuf_put(buf, 0);
1235 	wpabuf_put_le16(buf, sae->send_confirm);
1236 	sae->send_confirm++;
1237 
1238 	if (sae->tmp->ec)
1239 		sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar,
1240 				   sae->tmp->own_commit_element_ecc,
1241 				   sae->peer_commit_scalar,
1242 				   sae->tmp->peer_commit_element_ecc,
1243 				   wpabuf_put(buf, SHA256_MAC_LEN));
1244 	else
1245 		sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar,
1246 				   sae->tmp->own_commit_element_ffc,
1247 				   sae->peer_commit_scalar,
1248 				   sae->tmp->peer_commit_element_ffc,
1249 				   wpabuf_put(buf, SHA256_MAC_LEN));
1250 }
1251 
1252 
1253 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
1254 {
1255 	u8 verifier[SHA256_MAC_LEN];
1256 
1257 	if (len < 2 + SHA256_MAC_LEN) {
1258 		wpa_printf(MSG_DEBUG, "SAE: Too short confirm message");
1259 		return -1;
1260 	}
1261 
1262 	wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
1263 
1264 	if (sae->tmp == NULL) {
1265 		wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
1266 		return -1;
1267 	}
1268 
1269 	if (sae->tmp->ec)
1270 		sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
1271 				   sae->tmp->peer_commit_element_ecc,
1272 				   sae->tmp->own_commit_scalar,
1273 				   sae->tmp->own_commit_element_ecc,
1274 				   verifier);
1275 	else
1276 		sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
1277 				   sae->tmp->peer_commit_element_ffc,
1278 				   sae->tmp->own_commit_scalar,
1279 				   sae->tmp->own_commit_element_ffc,
1280 				   verifier);
1281 
1282 	if (os_memcmp_const(verifier, data + 2, SHA256_MAC_LEN) != 0) {
1283 		wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
1284 		wpa_hexdump(MSG_DEBUG, "SAE: Received confirm",
1285 			    data + 2, SHA256_MAC_LEN);
1286 		wpa_hexdump(MSG_DEBUG, "SAE: Calculated verifier",
1287 			    verifier, SHA256_MAC_LEN);
1288 		return -1;
1289 	}
1290 
1291 	return 0;
1292 }
1293