1 /* 2 * Simultaneous authentication of equals 3 * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/crypto.h" 13 #include "crypto/sha256.h" 14 #include "crypto/random.h" 15 #include "crypto/dh_groups.h" 16 #include "ieee802_11_defs.h" 17 #include "sae.h" 18 19 20 int sae_set_group(struct sae_data *sae, int group) 21 { 22 struct sae_temporary_data *tmp; 23 24 sae_clear_data(sae); 25 tmp = sae->tmp = os_zalloc(sizeof(*tmp)); 26 if (tmp == NULL) 27 return -1; 28 29 /* First, check if this is an ECC group */ 30 tmp->ec = crypto_ec_init(group); 31 if (tmp->ec) { 32 sae->group = group; 33 tmp->prime_len = crypto_ec_prime_len(tmp->ec); 34 tmp->prime = crypto_ec_get_prime(tmp->ec); 35 tmp->order = crypto_ec_get_order(tmp->ec); 36 return 0; 37 } 38 39 /* Not an ECC group, check FFC */ 40 tmp->dh = dh_groups_get(group); 41 if (tmp->dh) { 42 sae->group = group; 43 tmp->prime_len = tmp->dh->prime_len; 44 if (tmp->prime_len > SAE_MAX_PRIME_LEN) { 45 sae_clear_data(sae); 46 return -1; 47 } 48 49 tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime, 50 tmp->prime_len); 51 if (tmp->prime_buf == NULL) { 52 sae_clear_data(sae); 53 return -1; 54 } 55 tmp->prime = tmp->prime_buf; 56 57 tmp->order_buf = crypto_bignum_init_set(tmp->dh->order, 58 tmp->dh->order_len); 59 if (tmp->order_buf == NULL) { 60 sae_clear_data(sae); 61 return -1; 62 } 63 tmp->order = tmp->order_buf; 64 65 return 0; 66 } 67 68 /* Unsupported group */ 69 return -1; 70 } 71 72 73 void sae_clear_temp_data(struct sae_data *sae) 74 { 75 struct sae_temporary_data *tmp; 76 if (sae == NULL || sae->tmp == NULL) 77 return; 78 tmp = sae->tmp; 79 crypto_ec_deinit(tmp->ec); 80 crypto_bignum_deinit(tmp->prime_buf, 0); 81 crypto_bignum_deinit(tmp->order_buf, 0); 82 crypto_bignum_deinit(tmp->sae_rand, 1); 83 crypto_bignum_deinit(tmp->pwe_ffc, 1); 84 crypto_bignum_deinit(tmp->own_commit_scalar, 0); 85 crypto_bignum_deinit(tmp->own_commit_element_ffc, 0); 86 crypto_bignum_deinit(tmp->peer_commit_element_ffc, 0); 87 crypto_ec_point_deinit(tmp->pwe_ecc, 1); 88 crypto_ec_point_deinit(tmp->own_commit_element_ecc, 0); 89 crypto_ec_point_deinit(tmp->peer_commit_element_ecc, 0); 90 os_free(sae->tmp); 91 sae->tmp = NULL; 92 } 93 94 95 void sae_clear_data(struct sae_data *sae) 96 { 97 if (sae == NULL) 98 return; 99 sae_clear_temp_data(sae); 100 crypto_bignum_deinit(sae->peer_commit_scalar, 0); 101 os_memset(sae, 0, sizeof(*sae)); 102 } 103 104 105 static void buf_shift_right(u8 *buf, size_t len, size_t bits) 106 { 107 size_t i; 108 for (i = len - 1; i > 0; i--) 109 buf[i] = (buf[i - 1] << (8 - bits)) | (buf[i] >> bits); 110 buf[0] >>= bits; 111 } 112 113 114 static struct crypto_bignum * sae_get_rand(struct sae_data *sae) 115 { 116 u8 val[SAE_MAX_PRIME_LEN]; 117 int iter = 0; 118 struct crypto_bignum *bn = NULL; 119 int order_len_bits = crypto_bignum_bits(sae->tmp->order); 120 size_t order_len = (order_len_bits + 7) / 8; 121 122 if (order_len > sizeof(val)) 123 return NULL; 124 125 for (;;) { 126 if (iter++ > 100) 127 return NULL; 128 if (random_get_bytes(val, order_len) < 0) 129 return NULL; 130 if (order_len_bits % 8) 131 buf_shift_right(val, order_len, 8 - order_len_bits % 8); 132 bn = crypto_bignum_init_set(val, order_len); 133 if (bn == NULL) 134 return NULL; 135 if (crypto_bignum_is_zero(bn) || 136 crypto_bignum_is_one(bn) || 137 crypto_bignum_cmp(bn, sae->tmp->order) >= 0) 138 continue; 139 break; 140 } 141 142 os_memset(val, 0, order_len); 143 return bn; 144 } 145 146 147 static struct crypto_bignum * sae_get_rand_and_mask(struct sae_data *sae) 148 { 149 crypto_bignum_deinit(sae->tmp->sae_rand, 1); 150 sae->tmp->sae_rand = sae_get_rand(sae); 151 if (sae->tmp->sae_rand == NULL) 152 return NULL; 153 return sae_get_rand(sae); 154 } 155 156 157 static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key) 158 { 159 wpa_printf(MSG_DEBUG, "SAE: PWE derivation - addr1=" MACSTR 160 " addr2=" MACSTR, MAC2STR(addr1), MAC2STR(addr2)); 161 if (os_memcmp(addr1, addr2, ETH_ALEN) > 0) { 162 os_memcpy(key, addr1, ETH_ALEN); 163 os_memcpy(key + ETH_ALEN, addr2, ETH_ALEN); 164 } else { 165 os_memcpy(key, addr2, ETH_ALEN); 166 os_memcpy(key + ETH_ALEN, addr1, ETH_ALEN); 167 } 168 } 169 170 171 static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, 172 struct crypto_ec_point *pwe) 173 { 174 u8 pwd_value[SAE_MAX_ECC_PRIME_LEN], prime[SAE_MAX_ECC_PRIME_LEN]; 175 struct crypto_bignum *x; 176 int y_bit; 177 size_t bits; 178 179 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), 180 sae->tmp->prime_len) < 0) 181 return -1; 182 183 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN); 184 185 /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */ 186 bits = crypto_ec_prime_len_bits(sae->tmp->ec); 187 sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking", 188 prime, sae->tmp->prime_len, pwd_value, bits); 189 if (bits % 8) 190 buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8); 191 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", 192 pwd_value, sae->tmp->prime_len); 193 194 if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) 195 return 0; 196 197 y_bit = pwd_seed[SHA256_MAC_LEN - 1] & 0x01; 198 199 x = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); 200 if (x == NULL) 201 return -1; 202 if (crypto_ec_point_solve_y_coord(sae->tmp->ec, pwe, x, y_bit) < 0) { 203 crypto_bignum_deinit(x, 0); 204 wpa_printf(MSG_DEBUG, "SAE: No solution found"); 205 return 0; 206 } 207 crypto_bignum_deinit(x, 0); 208 209 wpa_printf(MSG_DEBUG, "SAE: PWE found"); 210 211 return 1; 212 } 213 214 215 static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed, 216 struct crypto_bignum *pwe) 217 { 218 u8 pwd_value[SAE_MAX_PRIME_LEN]; 219 size_t bits = sae->tmp->prime_len * 8; 220 u8 exp[1]; 221 struct crypto_bignum *a, *b; 222 int res; 223 224 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-seed", pwd_seed, SHA256_MAC_LEN); 225 226 /* pwd-value = KDF-z(pwd-seed, "SAE Hunting and Pecking", p) */ 227 sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking", 228 sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value, 229 bits); 230 if (bits % 8) 231 buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8); 232 wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value, 233 sae->tmp->prime_len); 234 235 if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0) 236 { 237 wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p"); 238 return 0; 239 } 240 241 /* PWE = pwd-value^((p-1)/r) modulo p */ 242 243 a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); 244 245 if (sae->tmp->dh->safe_prime) { 246 /* 247 * r = (p-1)/2 for the group used here, so this becomes: 248 * PWE = pwd-value^2 modulo p 249 */ 250 exp[0] = 2; 251 b = crypto_bignum_init_set(exp, sizeof(exp)); 252 } else { 253 /* Calculate exponent: (p-1)/r */ 254 exp[0] = 1; 255 b = crypto_bignum_init_set(exp, sizeof(exp)); 256 if (b == NULL || 257 crypto_bignum_sub(sae->tmp->prime, b, b) < 0 || 258 crypto_bignum_div(b, sae->tmp->order, b) < 0) { 259 crypto_bignum_deinit(b, 0); 260 b = NULL; 261 } 262 } 263 264 if (a == NULL || b == NULL) 265 res = -1; 266 else 267 res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe); 268 269 crypto_bignum_deinit(a, 0); 270 crypto_bignum_deinit(b, 0); 271 272 if (res < 0) { 273 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE"); 274 return -1; 275 } 276 277 /* if (PWE > 1) --> found */ 278 if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) { 279 wpa_printf(MSG_DEBUG, "SAE: PWE <= 1"); 280 return 0; 281 } 282 283 wpa_printf(MSG_DEBUG, "SAE: PWE found"); 284 return 1; 285 } 286 287 288 static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, 289 const u8 *addr2, const u8 *password, 290 size_t password_len) 291 { 292 u8 counter, k = 4; 293 u8 addrs[2 * ETH_ALEN]; 294 const u8 *addr[2]; 295 size_t len[2]; 296 int found = 0; 297 struct crypto_ec_point *pwe_tmp; 298 299 if (sae->tmp->pwe_ecc == NULL) { 300 sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec); 301 if (sae->tmp->pwe_ecc == NULL) 302 return -1; 303 } 304 pwe_tmp = crypto_ec_point_init(sae->tmp->ec); 305 if (pwe_tmp == NULL) 306 return -1; 307 308 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", 309 password, password_len); 310 311 /* 312 * H(salt, ikm) = HMAC-SHA256(salt, ikm) 313 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC), 314 * password || counter) 315 */ 316 sae_pwd_seed_key(addr1, addr2, addrs); 317 318 addr[0] = password; 319 len[0] = password_len; 320 addr[1] = &counter; 321 len[1] = sizeof(counter); 322 323 /* 324 * Continue for at least k iterations to protect against side-channel 325 * attacks that attempt to determine the number of iterations required 326 * in the loop. 327 */ 328 for (counter = 1; counter < k || !found; counter++) { 329 u8 pwd_seed[SHA256_MAC_LEN]; 330 int res; 331 332 if (counter > 200) { 333 /* This should not happen in practice */ 334 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE"); 335 break; 336 } 337 338 wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter); 339 if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len, 340 pwd_seed) < 0) 341 break; 342 res = sae_test_pwd_seed_ecc(sae, pwd_seed, 343 found ? pwe_tmp : 344 sae->tmp->pwe_ecc); 345 if (res < 0) 346 break; 347 if (res == 0) 348 continue; 349 if (found) { 350 wpa_printf(MSG_DEBUG, "SAE: Ignore this PWE (one was " 351 "already selected)"); 352 } else { 353 wpa_printf(MSG_DEBUG, "SAE: Use this PWE"); 354 found = 1; 355 } 356 } 357 358 crypto_ec_point_deinit(pwe_tmp, 1); 359 360 return found ? 0 : -1; 361 } 362 363 364 static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, 365 const u8 *addr2, const u8 *password, 366 size_t password_len) 367 { 368 u8 counter; 369 u8 addrs[2 * ETH_ALEN]; 370 const u8 *addr[2]; 371 size_t len[2]; 372 int found = 0; 373 374 if (sae->tmp->pwe_ffc == NULL) { 375 sae->tmp->pwe_ffc = crypto_bignum_init(); 376 if (sae->tmp->pwe_ffc == NULL) 377 return -1; 378 } 379 380 wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password", 381 password, password_len); 382 383 /* 384 * H(salt, ikm) = HMAC-SHA256(salt, ikm) 385 * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC), 386 * password || counter) 387 */ 388 sae_pwd_seed_key(addr1, addr2, addrs); 389 390 addr[0] = password; 391 len[0] = password_len; 392 addr[1] = &counter; 393 len[1] = sizeof(counter); 394 395 for (counter = 1; !found; counter++) { 396 u8 pwd_seed[SHA256_MAC_LEN]; 397 int res; 398 399 if (counter > 200) { 400 /* This should not happen in practice */ 401 wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE"); 402 break; 403 } 404 405 wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter); 406 if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len, 407 pwd_seed) < 0) 408 break; 409 res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc); 410 if (res < 0) 411 break; 412 if (res > 0) { 413 wpa_printf(MSG_DEBUG, "SAE: Use this PWE"); 414 found = 1; 415 } 416 } 417 418 return found ? 0 : -1; 419 } 420 421 422 static int sae_derive_commit_element_ecc(struct sae_data *sae, 423 struct crypto_bignum *mask) 424 { 425 /* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */ 426 if (!sae->tmp->own_commit_element_ecc) { 427 sae->tmp->own_commit_element_ecc = 428 crypto_ec_point_init(sae->tmp->ec); 429 if (!sae->tmp->own_commit_element_ecc) 430 return -1; 431 } 432 433 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask, 434 sae->tmp->own_commit_element_ecc) < 0 || 435 crypto_ec_point_invert(sae->tmp->ec, 436 sae->tmp->own_commit_element_ecc) < 0) { 437 wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element"); 438 return -1; 439 } 440 441 return 0; 442 } 443 444 445 static int sae_derive_commit_element_ffc(struct sae_data *sae, 446 struct crypto_bignum *mask) 447 { 448 /* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */ 449 if (!sae->tmp->own_commit_element_ffc) { 450 sae->tmp->own_commit_element_ffc = crypto_bignum_init(); 451 if (!sae->tmp->own_commit_element_ffc) 452 return -1; 453 } 454 455 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime, 456 sae->tmp->own_commit_element_ffc) < 0 || 457 crypto_bignum_inverse(sae->tmp->own_commit_element_ffc, 458 sae->tmp->prime, 459 sae->tmp->own_commit_element_ffc) < 0) { 460 wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element"); 461 return -1; 462 } 463 464 return 0; 465 } 466 467 468 static int sae_derive_commit(struct sae_data *sae) 469 { 470 struct crypto_bignum *mask; 471 int ret = -1; 472 473 mask = sae_get_rand_and_mask(sae); 474 if (mask == NULL) { 475 wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask"); 476 return -1; 477 } 478 479 /* commit-scalar = (rand + mask) modulo r */ 480 if (!sae->tmp->own_commit_scalar) { 481 sae->tmp->own_commit_scalar = crypto_bignum_init(); 482 if (!sae->tmp->own_commit_scalar) 483 goto fail; 484 } 485 crypto_bignum_add(sae->tmp->sae_rand, mask, 486 sae->tmp->own_commit_scalar); 487 crypto_bignum_mod(sae->tmp->own_commit_scalar, sae->tmp->order, 488 sae->tmp->own_commit_scalar); 489 490 if (sae->tmp->ec && sae_derive_commit_element_ecc(sae, mask) < 0) 491 goto fail; 492 if (sae->tmp->dh && sae_derive_commit_element_ffc(sae, mask) < 0) 493 goto fail; 494 495 ret = 0; 496 fail: 497 crypto_bignum_deinit(mask, 1); 498 return ret; 499 } 500 501 502 int sae_prepare_commit(const u8 *addr1, const u8 *addr2, 503 const u8 *password, size_t password_len, 504 struct sae_data *sae) 505 { 506 if (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password, 507 password_len) < 0) 508 return -1; 509 if (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password, 510 password_len) < 0) 511 return -1; 512 if (sae_derive_commit(sae) < 0) 513 return -1; 514 return 0; 515 } 516 517 518 static int sae_derive_k_ecc(struct sae_data *sae, u8 *k) 519 { 520 struct crypto_ec_point *K; 521 int ret = -1; 522 523 K = crypto_ec_point_init(sae->tmp->ec); 524 if (K == NULL) 525 goto fail; 526 527 /* 528 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE), 529 * PEER-COMMIT-ELEMENT))) 530 * If K is identity element (point-at-infinity), reject 531 * k = F(K) (= x coordinate) 532 */ 533 534 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, 535 sae->peer_commit_scalar, K) < 0 || 536 crypto_ec_point_add(sae->tmp->ec, K, 537 sae->tmp->peer_commit_element_ecc, K) < 0 || 538 crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 || 539 crypto_ec_point_is_at_infinity(sae->tmp->ec, K) || 540 crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) { 541 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k"); 542 goto fail; 543 } 544 545 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); 546 547 ret = 0; 548 fail: 549 crypto_ec_point_deinit(K, 1); 550 return ret; 551 } 552 553 554 static int sae_derive_k_ffc(struct sae_data *sae, u8 *k) 555 { 556 struct crypto_bignum *K; 557 int ret = -1; 558 559 K = crypto_bignum_init(); 560 if (K == NULL) 561 goto fail; 562 563 /* 564 * K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE), 565 * PEER-COMMIT-ELEMENT))) 566 * If K is identity element (one), reject. 567 * k = F(K) (= x coordinate) 568 */ 569 570 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar, 571 sae->tmp->prime, K) < 0 || 572 crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc, 573 sae->tmp->prime, K) < 0 || 574 crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0 575 || 576 crypto_bignum_is_one(K) || 577 crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) < 578 0) { 579 wpa_printf(MSG_DEBUG, "SAE: Failed to calculate K and k"); 580 goto fail; 581 } 582 583 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); 584 585 ret = 0; 586 fail: 587 crypto_bignum_deinit(K, 1); 588 return ret; 589 } 590 591 592 static int sae_derive_keys(struct sae_data *sae, const u8 *k) 593 { 594 u8 null_key[SAE_KEYSEED_KEY_LEN], val[SAE_MAX_PRIME_LEN]; 595 u8 keyseed[SHA256_MAC_LEN]; 596 u8 keys[SAE_KCK_LEN + SAE_PMK_LEN]; 597 struct crypto_bignum *tmp; 598 int ret = -1; 599 600 tmp = crypto_bignum_init(); 601 if (tmp == NULL) 602 goto fail; 603 604 /* keyseed = H(<0>32, k) 605 * KCK || PMK = KDF-512(keyseed, "SAE KCK and PMK", 606 * (commit-scalar + peer-commit-scalar) modulo r) 607 * PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128) 608 */ 609 610 os_memset(null_key, 0, sizeof(null_key)); 611 hmac_sha256(null_key, sizeof(null_key), k, sae->tmp->prime_len, 612 keyseed); 613 wpa_hexdump_key(MSG_DEBUG, "SAE: keyseed", keyseed, sizeof(keyseed)); 614 615 crypto_bignum_add(sae->tmp->own_commit_scalar, sae->peer_commit_scalar, 616 tmp); 617 crypto_bignum_mod(tmp, sae->tmp->order, tmp); 618 crypto_bignum_to_bin(tmp, val, sizeof(val), sae->tmp->prime_len); 619 wpa_hexdump(MSG_DEBUG, "SAE: PMKID", val, SAE_PMKID_LEN); 620 sha256_prf(keyseed, sizeof(keyseed), "SAE KCK and PMK", 621 val, sae->tmp->prime_len, keys, sizeof(keys)); 622 os_memcpy(sae->tmp->kck, keys, SAE_KCK_LEN); 623 os_memcpy(sae->pmk, keys + SAE_KCK_LEN, SAE_PMK_LEN); 624 wpa_hexdump_key(MSG_DEBUG, "SAE: KCK", sae->tmp->kck, SAE_KCK_LEN); 625 wpa_hexdump_key(MSG_DEBUG, "SAE: PMK", sae->pmk, SAE_PMK_LEN); 626 627 ret = 0; 628 fail: 629 crypto_bignum_deinit(tmp, 0); 630 return ret; 631 } 632 633 634 int sae_process_commit(struct sae_data *sae) 635 { 636 u8 k[SAE_MAX_PRIME_LEN]; 637 if ((sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) || 638 (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) || 639 sae_derive_keys(sae, k) < 0) 640 return -1; 641 return 0; 642 } 643 644 645 void sae_write_commit(struct sae_data *sae, struct wpabuf *buf, 646 const struct wpabuf *token) 647 { 648 u8 *pos; 649 wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */ 650 if (token) 651 wpabuf_put_buf(buf, token); 652 pos = wpabuf_put(buf, sae->tmp->prime_len); 653 crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos, 654 sae->tmp->prime_len, sae->tmp->prime_len); 655 wpa_hexdump(MSG_DEBUG, "SAE: own commit-scalar", 656 pos, sae->tmp->prime_len); 657 if (sae->tmp->ec) { 658 pos = wpabuf_put(buf, 2 * sae->tmp->prime_len); 659 crypto_ec_point_to_bin(sae->tmp->ec, 660 sae->tmp->own_commit_element_ecc, 661 pos, pos + sae->tmp->prime_len); 662 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(x)", 663 pos, sae->tmp->prime_len); 664 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(y)", 665 pos + sae->tmp->prime_len, sae->tmp->prime_len); 666 } else { 667 pos = wpabuf_put(buf, sae->tmp->prime_len); 668 crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos, 669 sae->tmp->prime_len, sae->tmp->prime_len); 670 wpa_hexdump(MSG_DEBUG, "SAE: own commit-element", 671 pos, sae->tmp->prime_len); 672 } 673 } 674 675 676 static u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, 677 u16 group) 678 { 679 if (allowed_groups) { 680 int i; 681 for (i = 0; allowed_groups[i] > 0; i++) { 682 if (allowed_groups[i] == group) 683 break; 684 } 685 if (allowed_groups[i] != group) { 686 wpa_printf(MSG_DEBUG, "SAE: Proposed group %u not " 687 "enabled in the current configuration", 688 group); 689 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 690 } 691 } 692 693 if (sae->state == SAE_COMMITTED && group != sae->group) { 694 wpa_printf(MSG_DEBUG, "SAE: Do not allow group to be changed"); 695 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 696 } 697 698 if (group != sae->group && sae_set_group(sae, group) < 0) { 699 wpa_printf(MSG_DEBUG, "SAE: Unsupported Finite Cyclic Group %u", 700 group); 701 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 702 } 703 704 if (sae->tmp == NULL) { 705 wpa_printf(MSG_DEBUG, "SAE: Group information not yet initialized"); 706 return WLAN_STATUS_UNSPECIFIED_FAILURE; 707 } 708 709 if (sae->tmp->dh && !allowed_groups) { 710 wpa_printf(MSG_DEBUG, "SAE: Do not allow FFC group %u without " 711 "explicit configuration enabling it", group); 712 return WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 713 } 714 715 return WLAN_STATUS_SUCCESS; 716 } 717 718 719 static void sae_parse_commit_token(struct sae_data *sae, const u8 **pos, 720 const u8 *end, const u8 **token, 721 size_t *token_len) 722 { 723 if (*pos + (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len < end) { 724 size_t tlen = end - (*pos + (sae->tmp->ec ? 3 : 2) * 725 sae->tmp->prime_len); 726 wpa_hexdump(MSG_DEBUG, "SAE: Anti-Clogging Token", *pos, tlen); 727 if (token) 728 *token = *pos; 729 if (token_len) 730 *token_len = tlen; 731 *pos += tlen; 732 } else { 733 if (token) 734 *token = NULL; 735 if (token_len) 736 *token_len = 0; 737 } 738 } 739 740 741 static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos, 742 const u8 *end) 743 { 744 struct crypto_bignum *peer_scalar; 745 746 if (*pos + sae->tmp->prime_len > end) { 747 wpa_printf(MSG_DEBUG, "SAE: Not enough data for scalar"); 748 return WLAN_STATUS_UNSPECIFIED_FAILURE; 749 } 750 751 peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len); 752 if (peer_scalar == NULL) 753 return WLAN_STATUS_UNSPECIFIED_FAILURE; 754 755 /* 756 * IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for 757 * the peer and it is in Authenticated state, the new Commit Message 758 * shall be dropped if the peer-scalar is identical to the one used in 759 * the existing protocol instance. 760 */ 761 if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar && 762 crypto_bignum_cmp(sae->peer_commit_scalar, peer_scalar) == 0) { 763 wpa_printf(MSG_DEBUG, "SAE: Do not accept re-use of previous " 764 "peer-commit-scalar"); 765 crypto_bignum_deinit(peer_scalar, 0); 766 return WLAN_STATUS_UNSPECIFIED_FAILURE; 767 } 768 769 /* 0 < scalar < r */ 770 if (crypto_bignum_is_zero(peer_scalar) || 771 crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) { 772 wpa_printf(MSG_DEBUG, "SAE: Invalid peer scalar"); 773 crypto_bignum_deinit(peer_scalar, 0); 774 return WLAN_STATUS_UNSPECIFIED_FAILURE; 775 } 776 777 778 crypto_bignum_deinit(sae->peer_commit_scalar, 0); 779 sae->peer_commit_scalar = peer_scalar; 780 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-scalar", 781 *pos, sae->tmp->prime_len); 782 *pos += sae->tmp->prime_len; 783 784 return WLAN_STATUS_SUCCESS; 785 } 786 787 788 static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos, 789 const u8 *end) 790 { 791 u8 prime[SAE_MAX_ECC_PRIME_LEN]; 792 793 if (pos + 2 * sae->tmp->prime_len > end) { 794 wpa_printf(MSG_DEBUG, "SAE: Not enough data for " 795 "commit-element"); 796 return WLAN_STATUS_UNSPECIFIED_FAILURE; 797 } 798 799 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), 800 sae->tmp->prime_len) < 0) 801 return WLAN_STATUS_UNSPECIFIED_FAILURE; 802 803 /* element x and y coordinates < p */ 804 if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 || 805 os_memcmp(pos + sae->tmp->prime_len, prime, 806 sae->tmp->prime_len) >= 0) { 807 wpa_printf(MSG_DEBUG, "SAE: Invalid coordinates in peer " 808 "element"); 809 return WLAN_STATUS_UNSPECIFIED_FAILURE; 810 } 811 812 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(x)", 813 pos, sae->tmp->prime_len); 814 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element(y)", 815 pos + sae->tmp->prime_len, sae->tmp->prime_len); 816 817 crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0); 818 sae->tmp->peer_commit_element_ecc = 819 crypto_ec_point_from_bin(sae->tmp->ec, pos); 820 if (sae->tmp->peer_commit_element_ecc == NULL) 821 return WLAN_STATUS_UNSPECIFIED_FAILURE; 822 823 if (!crypto_ec_point_is_on_curve(sae->tmp->ec, 824 sae->tmp->peer_commit_element_ecc)) { 825 wpa_printf(MSG_DEBUG, "SAE: Peer element is not on curve"); 826 return WLAN_STATUS_UNSPECIFIED_FAILURE; 827 } 828 829 return WLAN_STATUS_SUCCESS; 830 } 831 832 833 static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos, 834 const u8 *end) 835 { 836 struct crypto_bignum *res; 837 838 if (pos + sae->tmp->prime_len > end) { 839 wpa_printf(MSG_DEBUG, "SAE: Not enough data for " 840 "commit-element"); 841 return WLAN_STATUS_UNSPECIFIED_FAILURE; 842 } 843 wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", pos, 844 sae->tmp->prime_len); 845 846 crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0); 847 sae->tmp->peer_commit_element_ffc = 848 crypto_bignum_init_set(pos, sae->tmp->prime_len); 849 if (sae->tmp->peer_commit_element_ffc == NULL) 850 return WLAN_STATUS_UNSPECIFIED_FAILURE; 851 if (crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) || 852 crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) || 853 crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc, 854 sae->tmp->prime) >= 0) { 855 wpa_printf(MSG_DEBUG, "SAE: Invalid peer element"); 856 return WLAN_STATUS_UNSPECIFIED_FAILURE; 857 } 858 859 /* scalar-op(r, ELEMENT) = 1 modulo p */ 860 res = crypto_bignum_init(); 861 if (res == NULL || 862 crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc, 863 sae->tmp->order, sae->tmp->prime, res) < 0 || 864 !crypto_bignum_is_one(res)) { 865 wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)"); 866 crypto_bignum_deinit(res, 0); 867 return WLAN_STATUS_UNSPECIFIED_FAILURE; 868 } 869 crypto_bignum_deinit(res, 0); 870 871 return WLAN_STATUS_SUCCESS; 872 } 873 874 875 static u16 sae_parse_commit_element(struct sae_data *sae, const u8 *pos, 876 const u8 *end) 877 { 878 if (sae->tmp->dh) 879 return sae_parse_commit_element_ffc(sae, pos, end); 880 return sae_parse_commit_element_ecc(sae, pos, end); 881 } 882 883 884 u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len, 885 const u8 **token, size_t *token_len, int *allowed_groups) 886 { 887 const u8 *pos = data, *end = data + len; 888 u16 res; 889 890 /* Check Finite Cyclic Group */ 891 if (pos + 2 > end) 892 return WLAN_STATUS_UNSPECIFIED_FAILURE; 893 res = sae_group_allowed(sae, allowed_groups, WPA_GET_LE16(pos)); 894 if (res != WLAN_STATUS_SUCCESS) 895 return res; 896 pos += 2; 897 898 /* Optional Anti-Clogging Token */ 899 sae_parse_commit_token(sae, &pos, end, token, token_len); 900 901 /* commit-scalar */ 902 res = sae_parse_commit_scalar(sae, &pos, end); 903 if (res != WLAN_STATUS_SUCCESS) 904 return res; 905 906 /* commit-element */ 907 return sae_parse_commit_element(sae, pos, end); 908 } 909 910 911 static void sae_cn_confirm(struct sae_data *sae, const u8 *sc, 912 const struct crypto_bignum *scalar1, 913 const u8 *element1, size_t element1_len, 914 const struct crypto_bignum *scalar2, 915 const u8 *element2, size_t element2_len, 916 u8 *confirm) 917 { 918 const u8 *addr[5]; 919 size_t len[5]; 920 u8 scalar_b1[SAE_MAX_PRIME_LEN], scalar_b2[SAE_MAX_PRIME_LEN]; 921 922 /* Confirm 923 * CN(key, X, Y, Z, ...) = 924 * HMAC-SHA256(key, D2OS(X) || D2OS(Y) || D2OS(Z) | ...) 925 * confirm = CN(KCK, send-confirm, commit-scalar, COMMIT-ELEMENT, 926 * peer-commit-scalar, PEER-COMMIT-ELEMENT) 927 * verifier = CN(KCK, peer-send-confirm, peer-commit-scalar, 928 * PEER-COMMIT-ELEMENT, commit-scalar, COMMIT-ELEMENT) 929 */ 930 addr[0] = sc; 931 len[0] = 2; 932 crypto_bignum_to_bin(scalar1, scalar_b1, sizeof(scalar_b1), 933 sae->tmp->prime_len); 934 addr[1] = scalar_b1; 935 len[1] = sae->tmp->prime_len; 936 addr[2] = element1; 937 len[2] = element1_len; 938 crypto_bignum_to_bin(scalar2, scalar_b2, sizeof(scalar_b2), 939 sae->tmp->prime_len); 940 addr[3] = scalar_b2; 941 len[3] = sae->tmp->prime_len; 942 addr[4] = element2; 943 len[4] = element2_len; 944 hmac_sha256_vector(sae->tmp->kck, sizeof(sae->tmp->kck), 5, addr, len, 945 confirm); 946 } 947 948 949 static void sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc, 950 const struct crypto_bignum *scalar1, 951 const struct crypto_ec_point *element1, 952 const struct crypto_bignum *scalar2, 953 const struct crypto_ec_point *element2, 954 u8 *confirm) 955 { 956 u8 element_b1[2 * SAE_MAX_ECC_PRIME_LEN]; 957 u8 element_b2[2 * SAE_MAX_ECC_PRIME_LEN]; 958 959 crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1, 960 element_b1 + sae->tmp->prime_len); 961 crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2, 962 element_b2 + sae->tmp->prime_len); 963 964 sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len, 965 scalar2, element_b2, 2 * sae->tmp->prime_len, confirm); 966 } 967 968 969 static void sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc, 970 const struct crypto_bignum *scalar1, 971 const struct crypto_bignum *element1, 972 const struct crypto_bignum *scalar2, 973 const struct crypto_bignum *element2, 974 u8 *confirm) 975 { 976 u8 element_b1[SAE_MAX_PRIME_LEN]; 977 u8 element_b2[SAE_MAX_PRIME_LEN]; 978 979 crypto_bignum_to_bin(element1, element_b1, sizeof(element_b1), 980 sae->tmp->prime_len); 981 crypto_bignum_to_bin(element2, element_b2, sizeof(element_b2), 982 sae->tmp->prime_len); 983 984 sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len, 985 scalar2, element_b2, sae->tmp->prime_len, confirm); 986 } 987 988 989 void sae_write_confirm(struct sae_data *sae, struct wpabuf *buf) 990 { 991 const u8 *sc; 992 993 /* Send-Confirm */ 994 sc = wpabuf_put(buf, 0); 995 wpabuf_put_le16(buf, sae->send_confirm); 996 sae->send_confirm++; 997 998 if (sae->tmp->ec) 999 sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar, 1000 sae->tmp->own_commit_element_ecc, 1001 sae->peer_commit_scalar, 1002 sae->tmp->peer_commit_element_ecc, 1003 wpabuf_put(buf, SHA256_MAC_LEN)); 1004 else 1005 sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar, 1006 sae->tmp->own_commit_element_ffc, 1007 sae->peer_commit_scalar, 1008 sae->tmp->peer_commit_element_ffc, 1009 wpabuf_put(buf, SHA256_MAC_LEN)); 1010 } 1011 1012 1013 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len) 1014 { 1015 u8 verifier[SHA256_MAC_LEN]; 1016 1017 if (len < 2 + SHA256_MAC_LEN) { 1018 wpa_printf(MSG_DEBUG, "SAE: Too short confirm message"); 1019 return -1; 1020 } 1021 1022 wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data)); 1023 1024 if (sae->tmp->ec) 1025 sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar, 1026 sae->tmp->peer_commit_element_ecc, 1027 sae->tmp->own_commit_scalar, 1028 sae->tmp->own_commit_element_ecc, 1029 verifier); 1030 else 1031 sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar, 1032 sae->tmp->peer_commit_element_ffc, 1033 sae->tmp->own_commit_scalar, 1034 sae->tmp->own_commit_element_ffc, 1035 verifier); 1036 1037 if (os_memcmp(verifier, data + 2, SHA256_MAC_LEN) != 0) { 1038 wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch"); 1039 wpa_hexdump(MSG_DEBUG, "SAE: Received confirm", 1040 data + 2, SHA256_MAC_LEN); 1041 wpa_hexdump(MSG_DEBUG, "SAE: Calculated verifier", 1042 verifier, SHA256_MAC_LEN); 1043 return -1; 1044 } 1045 1046 return 0; 1047 } 1048