Lines Matching refs:prime_len
39 tmp->prime_len = crypto_ec_prime_len(tmp->ec); in sae_set_group()
52 tmp->prime_len = tmp->dh->prime_len; in sae_set_group()
53 if (tmp->prime_len > SAE_MAX_PRIME_LEN) { in sae_set_group()
59 tmp->prime_len); in sae_set_group()
149 prime, sae->tmp->prime_len, pwd_value, bits) < 0) in sae_test_pwd_seed_ecc()
152 buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8); in sae_test_pwd_seed_ecc()
154 pwd_value, sae->tmp->prime_len); in sae_test_pwd_seed_ecc()
156 cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len); in sae_test_pwd_seed_ecc()
164 x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); in sae_test_pwd_seed_ecc()
189 size_t bits = sae->tmp->prime_len * 8; in sae_test_pwd_seed_ffc()
199 sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value, in sae_test_pwd_seed_ffc()
203 sae->tmp->prime_len); in sae_test_pwd_seed_ffc()
207 sae->tmp->prime_len); in sae_test_pwd_seed_ffc()
221 a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); in sae_test_pwd_seed_ffc()
285 size_t prime_len; in sae_derive_pwe_ecc() local
305 prime_len = sae->tmp->prime_len; in sae_derive_pwe_ecc()
307 prime_len) < 0) in sae_derive_pwe_ecc()
315 crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin), prime_len) < 0 || in sae_derive_pwe_ecc()
316 crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin), prime_len) < 0) in sae_derive_pwe_ecc()
360 const_time_select_bin(found, x_bin, x_cand_bin, prime_len, in sae_derive_pwe_ecc()
388 x = crypto_bignum_init_set(x_bin, prime_len); in sae_derive_pwe_ecc()
405 prime_len) < 0 || in sae_derive_pwe_ecc()
408 SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) { in sae_derive_pwe_ecc()
413 is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01); in sae_derive_pwe_ecc()
415 prime_len, x_y + prime_len); in sae_derive_pwe_ecc()
416 os_memcpy(x_y, x_bin, prime_len); in sae_derive_pwe_ecc()
417 wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len); in sae_derive_pwe_ecc()
451 size_t prime_len = sae->tmp->prime_len * 8; in sae_derive_pwe_ffc() local
458 pwe_buf = os_zalloc(prime_len * 2); in sae_derive_pwe_ffc()
502 if (crypto_bignum_to_bin(pwe, pwe_buf + prime_len, prime_len, in sae_derive_pwe_ffc()
503 prime_len) < 0) in sae_derive_pwe_ffc()
505 const_time_select_bin(found, pwe_buf, pwe_buf + prime_len, in sae_derive_pwe_ffc()
506 prime_len, pwe_buf); in sae_derive_pwe_ffc()
516 sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len); in sae_derive_pwe_ffc()
519 bin_clear_free(pwe_buf, prime_len * 2); in sae_derive_pwe_ffc()
561 size_t prime_len) in debug_print_bignum() argument
565 bin = os_malloc(prime_len); in debug_print_bignum()
566 if (bin && crypto_bignum_to_bin(a, bin, prime_len, prime_len) >= 0) in debug_print_bignum()
567 wpa_hexdump_key(MSG_DEBUG, title, bin, prime_len); in debug_print_bignum()
570 bin_clear_free(bin, prime_len); in debug_print_bignum()
583 size_t prime_len; in sswu() local
594 prime_len = crypto_ec_prime_len(ec); in sswu()
634 debug_print_bignum("SSWU: m", t1, prime_len); in sswu()
645 debug_print_bignum("SSWU: t", t, prime_len); in sswu()
652 debug_print_bignum("SSWU: x1a = b / (z * a)", x1a, prime_len); in sswu()
661 debug_print_bignum("SSWU: x1b = (-b/a) * (1 + t)", x1b, prime_len); in sswu()
664 if (crypto_bignum_to_bin(x1a, bin1, sizeof(bin1), prime_len) < 0 || in sswu()
665 crypto_bignum_to_bin(x1b, bin2, sizeof(bin2), prime_len) < 0) in sswu()
667 const_time_select_bin(m_is_zero, bin1, bin2, prime_len, bin); in sswu()
668 x1 = crypto_bignum_init_set(bin, prime_len); in sswu()
671 debug_print_bignum("SSWU: x1 = CSEL(l, x1a, x1b)", x1, prime_len); in sswu()
679 debug_print_bignum("SSWU: gx1 = x1^3 + a * x1 + b", gx1, prime_len); in sswu()
685 debug_print_bignum("SSWU: x2 = z * u^2 * x1", x2, prime_len); in sswu()
693 debug_print_bignum("SSWU: gx2 = x2^3 + a * x2 + b", gx2, prime_len); in sswu()
701 debug_print_bignum("SSWU: gx1^((p-1)/2) modulo p", t1, prime_len); in sswu()
706 if (crypto_bignum_to_bin(gx1, bin1, sizeof(bin1), prime_len) < 0 || in sswu()
707 crypto_bignum_to_bin(gx2, bin2, sizeof(bin2), prime_len) < 0) in sswu()
709 const_time_select_bin(is_qr, bin1, bin2, prime_len, bin); in sswu()
710 v = crypto_bignum_init_set(bin, prime_len); in sswu()
713 debug_print_bignum("SSWU: v = CSEL(l, gx1, gx2)", v, prime_len); in sswu()
716 if (crypto_bignum_to_bin(x1, bin1, sizeof(bin1), prime_len) < 0 || in sswu()
717 crypto_bignum_to_bin(x2, bin2, sizeof(bin2), prime_len) < 0) in sswu()
719 const_time_select_bin(is_qr, bin1, bin2, prime_len, x_y); in sswu()
720 wpa_hexdump_key(MSG_DEBUG, "SSWU: x = CSEL(l, x1, x2)", x_y, prime_len); in sswu()
726 debug_print_bignum("SSWU: y = sqrt(v)", y, prime_len); in sswu()
729 if (crypto_bignum_to_bin(u, bin1, sizeof(bin1), prime_len) < 0 || in sswu()
730 crypto_bignum_to_bin(y, bin2, sizeof(bin2), prime_len) < 0) in sswu()
732 is_eq = const_time_eq(bin1[prime_len - 1] & 0x01, in sswu()
733 bin2[prime_len - 1] & 0x01); in sswu()
738 debug_print_bignum("SSWU: p - y", t1, prime_len); in sswu()
739 if (crypto_bignum_to_bin(y, bin1, sizeof(bin1), prime_len) < 0 || in sswu()
740 crypto_bignum_to_bin(t1, bin2, sizeof(bin2), prime_len) < 0) in sswu()
742 const_time_select_bin(is_eq, bin1, bin2, prime_len, &x_y[prime_len]); in sswu()
745 wpa_hexdump_key(MSG_DEBUG, "SSWU: P.x", x_y, prime_len); in sswu()
746 wpa_hexdump_key(MSG_DEBUG, "SSWU: P.y", &x_y[prime_len], prime_len); in sswu()
807 size_t sae_ecc_prime_len_2_hash_len(size_t prime_len) in sae_ecc_prime_len_2_hash_len() argument
809 if (prime_len <= 256 / 8) in sae_ecc_prime_len_2_hash_len()
811 if (prime_len <= 384 / 8) in sae_ecc_prime_len_2_hash_len()
825 size_t pwd_value_len, hash_len, prime_len; in sae_derive_pt_ecc() local
831 prime_len = crypto_ec_prime_len(ec); in sae_derive_pt_ecc()
832 if (prime_len > SAE_MAX_ECC_PRIME_LEN) in sae_derive_pt_ecc()
834 hash_len = sae_ecc_prime_len_2_hash_len(prime_len); in sae_derive_pt_ecc()
837 pwd_value_len = prime_len + (prime_len + 1) / 2; in sae_derive_pt_ecc()
856 prime_len) < 0) in sae_derive_pt_ecc()
858 wpa_hexdump_key(MSG_DEBUG, "SAE: u1", pwd_value, prime_len); in sae_derive_pt_ecc()
879 prime_len) < 0) in sae_derive_pt_ecc()
881 wpa_hexdump_key(MSG_DEBUG, "SAE: u2", pwd_value, prime_len); in sae_derive_pt_ecc()
907 size_t sae_ffc_prime_len_2_hash_len(size_t prime_len) in sae_ffc_prime_len_2_hash_len() argument
909 if (prime_len <= 2048 / 8) in sae_ffc_prime_len_2_hash_len()
911 if (prime_len <= 3072 / 8) in sae_ffc_prime_len_2_hash_len()
923 size_t hash_len, prime_len, pwd_value_len; in sae_derive_pt_ffc() local
930 prime = crypto_bignum_init_set(dh->prime, dh->prime_len); in sae_derive_pt_ffc()
934 prime_len = dh->prime_len; in sae_derive_pt_ffc()
935 if (prime_len > SAE_MAX_PRIME_LEN) in sae_derive_pt_ffc()
937 hash_len = sae_ffc_prime_len_2_hash_len(prime_len); in sae_derive_pt_ffc()
940 pwd_value_len = prime_len + (prime_len + 1) / 2; in sae_derive_pt_ffc()
965 prime_len) < 0) in sae_derive_pt_ffc()
968 pwd_value, prime_len); in sae_derive_pt_ffc()
980 debug_print_bignum("SAE: PT", pt, prime_len); in sae_derive_pt_ffc()
1096 size_t prime_len; in sae_derive_pwe_from_pt_ecc() local
1106 prime_len = crypto_ec_prime_len(pt->ec); in sae_derive_pwe_from_pt_ecc()
1108 bin, bin + prime_len) < 0) in sae_derive_pwe_from_pt_ecc()
1110 wpa_hexdump_key(MSG_DEBUG, "SAE: PT.x", bin, prime_len); in sae_derive_pwe_from_pt_ecc()
1111 wpa_hexdump_key(MSG_DEBUG, "SAE: PT.y", bin + prime_len, prime_len); in sae_derive_pwe_from_pt_ecc()
1118 hash_len = sae_ecc_prime_len_2_hash_len(prime_len); in sae_derive_pwe_from_pt_ecc()
1134 debug_print_bignum("SAE: val(reduced to 1..q-1)", val, prime_len); in sae_derive_pwe_from_pt_ecc()
1140 crypto_ec_point_to_bin(pt->ec, pwe, bin, bin + prime_len) < 0) { in sae_derive_pwe_from_pt_ecc()
1145 wpa_hexdump_key(MSG_DEBUG, "SAE: PWE.x", bin, prime_len); in sae_derive_pwe_from_pt_ecc()
1146 wpa_hexdump_key(MSG_DEBUG, "SAE: PWE.y", bin + prime_len, prime_len); in sae_derive_pwe_from_pt_ecc()
1160 size_t prime_len; in sae_derive_pwe_from_pt_ffc() local
1169 prime = crypto_bignum_init_set(pt->dh->prime, pt->dh->prime_len); in sae_derive_pwe_from_pt_ffc()
1173 prime_len = pt->dh->prime_len; in sae_derive_pwe_from_pt_ffc()
1180 hash_len = sae_ffc_prime_len_2_hash_len(prime_len); in sae_derive_pwe_from_pt_ffc()
1195 debug_print_bignum("SAE: val(reduced to 1..q-1)", val, prime_len); in sae_derive_pwe_from_pt_ffc()
1204 debug_print_bignum("SAE: PWE", pwe, prime_len); in sae_derive_pwe_from_pt_ffc()
1404 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); in sae_derive_k_ecc()
1436 crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) < in sae_derive_k_ffc()
1442 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); in sae_derive_k_ffc()
1471 size_t hash_len, salt_len, prime_len = sae->tmp->prime_len; in sae_derive_keys() local
1490 hash_len = sae_ffc_prime_len_2_hash_len(prime_len); in sae_derive_keys()
1492 hash_len = sae_ecc_prime_len_2_hash_len(prime_len); in sae_derive_keys()
1529 len[0] = prime_len; in sae_derive_keys()
1623 pos = wpabuf_put(buf, sae->tmp->prime_len); in sae_write_commit()
1625 sae->tmp->prime_len, sae->tmp->prime_len) < 0) { in sae_write_commit()
1630 pos, sae->tmp->prime_len); in sae_write_commit()
1632 pos = wpabuf_put(buf, 2 * sae->tmp->prime_len); in sae_write_commit()
1635 pos, pos + sae->tmp->prime_len) < 0) { in sae_write_commit()
1640 pos, sae->tmp->prime_len); in sae_write_commit()
1642 pos + sae->tmp->prime_len, sae->tmp->prime_len); in sae_write_commit()
1644 pos = wpabuf_put(buf, sae->tmp->prime_len); in sae_write_commit()
1646 sae->tmp->prime_len, sae->tmp->prime_len) < 0) { in sae_write_commit()
1651 pos, sae->tmp->prime_len); in sae_write_commit()
1772 scalar_elem_len = (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len; in sae_parse_commit_token()
1814 if (sae->tmp->prime_len > end - *pos) { in sae_parse_commit_scalar()
1819 peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len); in sae_parse_commit_scalar()
1850 *pos, sae->tmp->prime_len); in sae_parse_commit_scalar()
1851 *pos += sae->tmp->prime_len; in sae_parse_commit_scalar()
1862 if (2 * sae->tmp->prime_len > end - *pos) { in sae_parse_commit_element_ecc()
1869 sae->tmp->prime_len) < 0) in sae_parse_commit_element_ecc()
1873 if (os_memcmp(*pos, prime, sae->tmp->prime_len) >= 0 || in sae_parse_commit_element_ecc()
1874 os_memcmp(*pos + sae->tmp->prime_len, prime, in sae_parse_commit_element_ecc()
1875 sae->tmp->prime_len) >= 0) { in sae_parse_commit_element_ecc()
1882 *pos, sae->tmp->prime_len); in sae_parse_commit_element_ecc()
1884 *pos + sae->tmp->prime_len, sae->tmp->prime_len); in sae_parse_commit_element_ecc()
1900 *pos += 2 * sae->tmp->prime_len; in sae_parse_commit_element_ecc()
1912 if (sae->tmp->prime_len > end - *pos) { in sae_parse_commit_element_ffc()
1918 sae->tmp->prime_len); in sae_parse_commit_element_ffc()
1922 crypto_bignum_init_set(*pos, sae->tmp->prime_len); in sae_parse_commit_element_ffc()
1950 *pos += sae->tmp->prime_len; in sae_parse_commit_element_ffc()
2147 sae->tmp->prime_len) < 0 || in sae_cn_confirm()
2149 sae->tmp->prime_len) < 0) in sae_cn_confirm()
2154 len[1] = sae->tmp->prime_len; in sae_cn_confirm()
2158 len[3] = sae->tmp->prime_len; in sae_cn_confirm()
2177 element_b1 + sae->tmp->prime_len) < 0) { in sae_cn_confirm_ecc()
2182 element_b2 + sae->tmp->prime_len) < 0) { in sae_cn_confirm_ecc()
2187 sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len, in sae_cn_confirm_ecc()
2188 scalar2, element_b2, 2 * sae->tmp->prime_len, confirm); in sae_cn_confirm_ecc()
2204 sae->tmp->prime_len) < 0) { in sae_cn_confirm_ffc()
2209 sae->tmp->prime_len) < 0) { in sae_cn_confirm_ffc()
2214 if (sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len, in sae_cn_confirm_ffc()
2215 scalar2, element_b2, sae->tmp->prime_len, confirm) < 0) in sae_cn_confirm_ffc()