Lines Matching refs:sae
24 int sae_set_group(struct sae_data *sae, int group) in sae_set_group() argument
28 sae_clear_data(sae); in sae_set_group()
29 tmp = sae->tmp = os_zalloc(sizeof(*tmp)); in sae_set_group()
38 sae->group = group; in sae_set_group()
51 sae->group = group; in sae_set_group()
54 sae_clear_data(sae); in sae_set_group()
61 sae_clear_data(sae); in sae_set_group()
70 sae_clear_data(sae); in sae_set_group()
85 void sae_clear_temp_data(struct sae_data *sae) in sae_clear_temp_data() argument
88 if (sae == NULL || sae->tmp == NULL) in sae_clear_temp_data()
90 tmp = sae->tmp; in sae_clear_temp_data()
107 sae->tmp = NULL; in sae_clear_temp_data()
110 void sae_clear_data(struct sae_data *sae) in sae_clear_data() argument
112 if (sae == NULL) in sae_clear_data()
114 sae_clear_temp_data(sae); in sae_clear_data()
115 crypto_bignum_deinit(sae->peer_commit_scalar, 0); in sae_clear_data()
116 crypto_bignum_deinit(sae->peer_commit_scalar_accepted, 0); in sae_clear_data()
117 os_memset(sae, 0, sizeof(*sae)); in sae_clear_data()
134 static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, in sae_test_pwd_seed_ecc() argument
147 bits = crypto_ec_prime_len_bits(sae->tmp->ec); in sae_test_pwd_seed_ecc()
149 prime, sae->tmp->prime_len, pwd_value, bits) < 0) in sae_test_pwd_seed_ecc()
152 buf_shift_right(pwd_value, sae->tmp->prime_len, 8 - bits % 8); in sae_test_pwd_seed_ecc()
154 pwd_value, sae->tmp->prime_len); in sae_test_pwd_seed_ecc()
156 cmp_prime = const_time_memcmp(pwd_value, prime, sae->tmp->prime_len); in sae_test_pwd_seed_ecc()
164 x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); in sae_test_pwd_seed_ecc()
167 y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand); in sae_test_pwd_seed_ecc()
172 res = dragonfly_is_quadratic_residue_blind(sae->tmp->ec, qr, qnr, in sae_test_pwd_seed_ecc()
185 static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed, in sae_test_pwd_seed_ffc() argument
189 size_t bits = sae->tmp->prime_len * 8; in sae_test_pwd_seed_ffc()
199 sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value, in sae_test_pwd_seed_ffc()
203 sae->tmp->prime_len); in sae_test_pwd_seed_ffc()
206 res = const_time_memcmp(pwd_value, sae->tmp->dh->prime, in sae_test_pwd_seed_ffc()
207 sae->tmp->prime_len); in sae_test_pwd_seed_ffc()
221 a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); in sae_test_pwd_seed_ffc()
229 if (sae->tmp->dh->safe_prime) { in sae_test_pwd_seed_ffc()
241 crypto_bignum_sub(sae->tmp->prime, b, b) < 0 || in sae_test_pwd_seed_ffc()
242 crypto_bignum_div(b, sae->tmp->order, b) < 0) in sae_test_pwd_seed_ffc()
250 res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe); in sae_test_pwd_seed_ffc()
274 static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, in sae_derive_pwe_ecc() argument
305 prime_len = sae->tmp->prime_len; in sae_derive_pwe_ecc()
306 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), in sae_derive_pwe_ecc()
314 if (dragonfly_get_random_qr_qnr(sae->tmp->prime, &qr, &qnr) < 0 || in sae_derive_pwe_ecc()
335 k = dragonfly_min_pwe_loop_iter(sae->group); in sae_derive_pwe_ecc()
358 res = sae_test_pwd_seed_ecc(sae, pwd_seed, in sae_derive_pwe_ecc()
401 y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x); in sae_derive_pwe_ecc()
403 dragonfly_sqrt(sae->tmp->ec, y, y) < 0 || in sae_derive_pwe_ecc()
406 crypto_bignum_sub(sae->tmp->prime, y, y) < 0 || in sae_derive_pwe_ecc()
418 crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1); in sae_derive_pwe_ecc()
419 sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y); in sae_derive_pwe_ecc()
420 if (!sae->tmp->pwe_ecc) { in sae_derive_pwe_ecc()
439 static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, in sae_derive_pwe_ffc() argument
451 size_t prime_len = sae->tmp->prime_len * 8; in sae_derive_pwe_ffc()
453 crypto_bignum_deinit(sae->tmp->pwe_ffc, 1); in sae_derive_pwe_ffc()
454 sae->tmp->pwe_ffc = NULL; in sae_derive_pwe_ffc()
478 k = dragonfly_min_pwe_loop_iter(sae->group); in sae_derive_pwe_ffc()
494 res = sae_test_pwd_seed_ffc(sae, pwd_seed, pwe); in sae_derive_pwe_ffc()
516 sae->tmp->pwe_ffc = crypto_bignum_init_set(pwe_buf, prime_len); in sae_derive_pwe_ffc()
520 return sae->tmp->pwe_ffc ? 0 : -1; in sae_derive_pwe_ffc()
1231 static int sae_derive_commit_element_ecc(struct sae_data *sae, in sae_derive_commit_element_ecc() argument
1235 if (!sae->tmp->own_commit_element_ecc) { in sae_derive_commit_element_ecc()
1236 sae->tmp->own_commit_element_ecc = in sae_derive_commit_element_ecc()
1237 crypto_ec_point_init(sae->tmp->ec); in sae_derive_commit_element_ecc()
1238 if (!sae->tmp->own_commit_element_ecc) in sae_derive_commit_element_ecc()
1242 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask, in sae_derive_commit_element_ecc()
1243 sae->tmp->own_commit_element_ecc) < 0 || in sae_derive_commit_element_ecc()
1244 crypto_ec_point_invert(sae->tmp->ec, in sae_derive_commit_element_ecc()
1245 sae->tmp->own_commit_element_ecc) < 0) { in sae_derive_commit_element_ecc()
1254 static int sae_derive_commit_element_ffc(struct sae_data *sae, in sae_derive_commit_element_ffc() argument
1258 if (!sae->tmp->own_commit_element_ffc) { in sae_derive_commit_element_ffc()
1259 sae->tmp->own_commit_element_ffc = crypto_bignum_init(); in sae_derive_commit_element_ffc()
1260 if (!sae->tmp->own_commit_element_ffc) in sae_derive_commit_element_ffc()
1264 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime, in sae_derive_commit_element_ffc()
1265 sae->tmp->own_commit_element_ffc) < 0 || in sae_derive_commit_element_ffc()
1266 crypto_bignum_inverse(sae->tmp->own_commit_element_ffc, in sae_derive_commit_element_ffc()
1267 sae->tmp->prime, in sae_derive_commit_element_ffc()
1268 sae->tmp->own_commit_element_ffc) < 0) { in sae_derive_commit_element_ffc()
1277 static int sae_derive_commit(struct sae_data *sae) in sae_derive_commit() argument
1283 if (!sae->tmp->sae_rand) in sae_derive_commit()
1284 sae->tmp->sae_rand = crypto_bignum_init(); in sae_derive_commit()
1285 if (!sae->tmp->own_commit_scalar) in sae_derive_commit()
1286 sae->tmp->own_commit_scalar = crypto_bignum_init(); in sae_derive_commit()
1287 ret = !mask || !sae->tmp->sae_rand || !sae->tmp->own_commit_scalar || in sae_derive_commit()
1288 dragonfly_generate_scalar(sae->tmp->order, sae->tmp->sae_rand, in sae_derive_commit()
1290 sae->tmp->own_commit_scalar) < 0 || in sae_derive_commit()
1291 (sae->tmp->ec && in sae_derive_commit()
1292 sae_derive_commit_element_ecc(sae, mask) < 0) || in sae_derive_commit()
1293 (sae->tmp->dh && in sae_derive_commit()
1294 sae_derive_commit_element_ffc(sae, mask) < 0); in sae_derive_commit()
1302 struct sae_data *sae) in sae_prepare_commit() argument
1304 if (sae->tmp == NULL || in sae_prepare_commit()
1305 (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password, in sae_prepare_commit()
1307 (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password, in sae_prepare_commit()
1311 sae->h2e = 0; in sae_prepare_commit()
1312 sae->pk = 0; in sae_prepare_commit()
1313 return sae_derive_commit(sae); in sae_prepare_commit()
1317 int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt, in sae_prepare_commit_pt() argument
1321 if (!sae->tmp) in sae_prepare_commit_pt()
1325 if (pt->group == sae->group) in sae_prepare_commit_pt()
1331 sae->group); in sae_prepare_commit_pt()
1335 os_memcpy(sae->tmp->ssid, pt->ssid, pt->ssid_len); in sae_prepare_commit_pt()
1336 sae->tmp->ssid_len = pt->ssid_len; in sae_prepare_commit_pt()
1337 sae->tmp->ap_pk = pk; in sae_prepare_commit_pt()
1340 sae->tmp->own_addr_higher = os_memcmp(addr1, addr2, ETH_ALEN) > 0; in sae_prepare_commit_pt()
1341 wpabuf_free(sae->tmp->own_rejected_groups); in sae_prepare_commit_pt()
1342 sae->tmp->own_rejected_groups = NULL; in sae_prepare_commit_pt()
1353 sae->tmp->own_rejected_groups = groups; in sae_prepare_commit_pt()
1357 crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1); in sae_prepare_commit_pt()
1358 sae->tmp->pwe_ecc = sae_derive_pwe_from_pt_ecc(pt, addr1, in sae_prepare_commit_pt()
1360 if (!sae->tmp->pwe_ecc) in sae_prepare_commit_pt()
1365 crypto_bignum_deinit(sae->tmp->pwe_ffc, 1); in sae_prepare_commit_pt()
1366 sae->tmp->pwe_ffc = sae_derive_pwe_from_pt_ffc(pt, addr1, in sae_prepare_commit_pt()
1368 if (!sae->tmp->pwe_ffc) in sae_prepare_commit_pt()
1372 sae->h2e = 1; in sae_prepare_commit_pt()
1373 return sae_derive_commit(sae); in sae_prepare_commit_pt()
1377 static int sae_derive_k_ecc(struct sae_data *sae, u8 *k) in sae_derive_k_ecc() argument
1382 K = crypto_ec_point_init(sae->tmp->ec); in sae_derive_k_ecc()
1393 if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, in sae_derive_k_ecc()
1394 sae->peer_commit_scalar, K) < 0 || in sae_derive_k_ecc()
1395 crypto_ec_point_add(sae->tmp->ec, K, in sae_derive_k_ecc()
1396 sae->tmp->peer_commit_element_ecc, K) < 0 || in sae_derive_k_ecc()
1397 crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 || in sae_derive_k_ecc()
1398 crypto_ec_point_is_at_infinity(sae->tmp->ec, K) || in sae_derive_k_ecc()
1399 crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) { in sae_derive_k_ecc()
1404 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); in sae_derive_k_ecc()
1413 static int sae_derive_k_ffc(struct sae_data *sae, u8 *k) in sae_derive_k_ffc() argument
1429 if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar, in sae_derive_k_ffc()
1430 sae->tmp->prime, K) < 0 || in sae_derive_k_ffc()
1431 crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc, in sae_derive_k_ffc()
1432 sae->tmp->prime, K) < 0 || in sae_derive_k_ffc()
1433 crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0 in sae_derive_k_ffc()
1436 crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) < in sae_derive_k_ffc()
1442 wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len); in sae_derive_k_ffc()
1462 static int sae_derive_keys(struct sae_data *sae, const u8 *k) in sae_derive_keys() argument
1471 size_t hash_len, salt_len, prime_len = sae->tmp->prime_len; in sae_derive_keys()
1487 if (!sae->h2e) in sae_derive_keys()
1489 else if (sae->tmp->dh) in sae_derive_keys()
1494 if (sae->h2e && (sae->tmp->own_rejected_groups || in sae_derive_keys()
1495 sae->tmp->peer_rejected_groups)) { in sae_derive_keys()
1498 own = sae->tmp->own_rejected_groups; in sae_derive_keys()
1499 peer = sae->tmp->peer_rejected_groups; in sae_derive_keys()
1508 if (sae->tmp->own_addr_higher) { in sae_derive_keys()
1534 if (crypto_bignum_add(sae->tmp->own_commit_scalar, in sae_derive_keys()
1535 sae->peer_commit_scalar, tmp) < 0 || in sae_derive_keys()
1536 crypto_bignum_mod(tmp, sae->tmp->order, tmp) < 0) in sae_derive_keys()
1545 sae->tmp->order_len) < 0) { in sae_derive_keys()
1551 if (sae->pk) { in sae_derive_keys()
1553 val, sae->tmp->order_len, in sae_derive_keys()
1558 val, sae->tmp->order_len, in sae_derive_keys()
1564 val, sae->tmp->order_len, in sae_derive_keys()
1570 os_memcpy(sae->tmp->kck, keys, hash_len); in sae_derive_keys()
1571 sae->tmp->kck_len = hash_len; in sae_derive_keys()
1572 os_memcpy(sae->pmk, keys + hash_len, SAE_PMK_LEN); in sae_derive_keys()
1573 sae->pmk_len = SAE_PMK_LEN; in sae_derive_keys()
1574 os_memcpy(sae->pmkid, val, SAE_PMKID_LEN); in sae_derive_keys()
1577 if (sae->pk) { in sae_derive_keys()
1578 os_memcpy(sae->tmp->kek, keys + hash_len + SAE_PMK_LEN, hash_len); in sae_derive_keys()
1579 sae->tmp->kek_len = hash_len; in sae_derive_keys()
1581 sae->tmp->kek, sae->tmp->kek_len); in sae_derive_keys()
1586 sae->tmp->kck, sae->tmp->kck_len); in sae_derive_keys()
1587 wpa_hexdump_key(MSG_DEBUG, "SAE: PMK", sae->pmk, SAE_PMK_LEN); in sae_derive_keys()
1597 int sae_process_commit(struct sae_data *sae) in sae_process_commit() argument
1600 if (sae->tmp == NULL || in sae_process_commit()
1601 (sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) || in sae_process_commit()
1602 (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) || in sae_process_commit()
1603 sae_derive_keys(sae, k) < 0) in sae_process_commit()
1609 int sae_write_commit(struct sae_data *sae, struct wpabuf *buf, in sae_write_commit() argument
1614 if (sae->tmp == NULL) in sae_write_commit()
1617 wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */ in sae_write_commit()
1618 if (!sae->h2e && token) { in sae_write_commit()
1623 pos = wpabuf_put(buf, sae->tmp->prime_len); in sae_write_commit()
1624 if (crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos, in sae_write_commit()
1625 sae->tmp->prime_len, sae->tmp->prime_len) < 0) { in sae_write_commit()
1630 pos, sae->tmp->prime_len); in sae_write_commit()
1631 if (sae->tmp->ec) { in sae_write_commit()
1632 pos = wpabuf_put(buf, 2 * sae->tmp->prime_len); in sae_write_commit()
1633 if (crypto_ec_point_to_bin(sae->tmp->ec, in sae_write_commit()
1634 sae->tmp->own_commit_element_ecc, in sae_write_commit()
1635 pos, pos + sae->tmp->prime_len) < 0) { in sae_write_commit()
1640 pos, sae->tmp->prime_len); in sae_write_commit()
1642 pos + sae->tmp->prime_len, sae->tmp->prime_len); in sae_write_commit()
1644 pos = wpabuf_put(buf, sae->tmp->prime_len); in sae_write_commit()
1645 if (crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos, in sae_write_commit()
1646 sae->tmp->prime_len, sae->tmp->prime_len) < 0) { in sae_write_commit()
1651 pos, sae->tmp->prime_len); in sae_write_commit()
1663 if (sae->h2e && sae->tmp->own_rejected_groups) { in sae_write_commit()
1665 sae->tmp->own_rejected_groups); in sae_write_commit()
1668 1 + wpabuf_len(sae->tmp->own_rejected_groups)); in sae_write_commit()
1670 wpabuf_put_buf(buf, sae->tmp->own_rejected_groups); in sae_write_commit()
1673 if (sae->h2e && token) { in sae_write_commit()
1686 u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, u16 group) in sae_group_allowed() argument
1702 if (sae->state == SAE_COMMITTED && group != sae->group) { in sae_group_allowed()
1707 if (group != sae->group && sae_set_group(sae, group) < 0) { in sae_group_allowed()
1713 if (sae->tmp == NULL) { in sae_group_allowed()
1718 if (sae->tmp->dh && !allowed_groups) { in sae_group_allowed()
1758 static void sae_parse_commit_token(struct sae_data *sae, const u8 **pos, in sae_parse_commit_token() argument
1772 scalar_elem_len = (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len; in sae_parse_commit_token()
1794 static void sae_parse_token_container(struct sae_data *sae, in sae_parse_token_container() argument
1809 static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos, in sae_parse_commit_scalar() argument
1814 if (sae->tmp->prime_len > end - *pos) { in sae_parse_commit_scalar()
1819 peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len); in sae_parse_commit_scalar()
1829 if (sae->state == SAE_ACCEPTED && sae->peer_commit_scalar_accepted && in sae_parse_commit_scalar()
1830 crypto_bignum_cmp(sae->peer_commit_scalar_accepted, in sae_parse_commit_scalar()
1841 crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) { in sae_parse_commit_scalar()
1847 crypto_bignum_deinit(sae->peer_commit_scalar, 0); in sae_parse_commit_scalar()
1848 sae->peer_commit_scalar = peer_scalar; in sae_parse_commit_scalar()
1850 *pos, sae->tmp->prime_len); in sae_parse_commit_scalar()
1851 *pos += sae->tmp->prime_len; in sae_parse_commit_scalar()
1857 static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 **pos, in sae_parse_commit_element_ecc() argument
1862 if (2 * sae->tmp->prime_len > end - *pos) { in sae_parse_commit_element_ecc()
1868 if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime), in sae_parse_commit_element_ecc()
1869 sae->tmp->prime_len) < 0) in sae_parse_commit_element_ecc()
1873 if (os_memcmp(*pos, prime, sae->tmp->prime_len) >= 0 || in sae_parse_commit_element_ecc()
1874 os_memcmp(*pos + sae->tmp->prime_len, prime, in sae_parse_commit_element_ecc()
1875 sae->tmp->prime_len) >= 0) { in sae_parse_commit_element_ecc()
1882 *pos, sae->tmp->prime_len); in sae_parse_commit_element_ecc()
1884 *pos + sae->tmp->prime_len, sae->tmp->prime_len); in sae_parse_commit_element_ecc()
1886 crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0); in sae_parse_commit_element_ecc()
1887 sae->tmp->peer_commit_element_ecc = in sae_parse_commit_element_ecc()
1888 crypto_ec_point_from_bin(sae->tmp->ec, *pos); in sae_parse_commit_element_ecc()
1889 if (!sae->tmp->peer_commit_element_ecc) { in sae_parse_commit_element_ecc()
1894 if (!crypto_ec_point_is_on_curve(sae->tmp->ec, in sae_parse_commit_element_ecc()
1895 sae->tmp->peer_commit_element_ecc)) { in sae_parse_commit_element_ecc()
1900 *pos += 2 * sae->tmp->prime_len; in sae_parse_commit_element_ecc()
1906 static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 **pos, in sae_parse_commit_element_ffc() argument
1912 if (sae->tmp->prime_len > end - *pos) { in sae_parse_commit_element_ffc()
1918 sae->tmp->prime_len); in sae_parse_commit_element_ffc()
1920 crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0); in sae_parse_commit_element_ffc()
1921 sae->tmp->peer_commit_element_ffc = in sae_parse_commit_element_ffc()
1922 crypto_bignum_init_set(*pos, sae->tmp->prime_len); in sae_parse_commit_element_ffc()
1923 if (sae->tmp->peer_commit_element_ffc == NULL) in sae_parse_commit_element_ffc()
1929 crypto_bignum_sub(sae->tmp->prime, one, res) || in sae_parse_commit_element_ffc()
1930 crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) || in sae_parse_commit_element_ffc()
1931 crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) || in sae_parse_commit_element_ffc()
1932 crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc, res) >= 0) { in sae_parse_commit_element_ffc()
1941 if (crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc, in sae_parse_commit_element_ffc()
1942 sae->tmp->order, sae->tmp->prime, res) < 0 || in sae_parse_commit_element_ffc()
1950 *pos += sae->tmp->prime_len; in sae_parse_commit_element_ffc()
1956 static u16 sae_parse_commit_element(struct sae_data *sae, const u8 **pos, in sae_parse_commit_element() argument
1959 if (sae->tmp->dh) in sae_parse_commit_element()
1960 return sae_parse_commit_element_ffc(sae, pos, end); in sae_parse_commit_element()
1961 return sae_parse_commit_element_ecc(sae, pos, end); in sae_parse_commit_element()
1965 static int sae_parse_password_identifier(struct sae_data *sae, in sae_parse_password_identifier() argument
1974 if (sae->tmp->pw_id) { in sae_parse_password_identifier()
1977 sae->tmp->pw_id); in sae_parse_password_identifier()
1980 os_free(sae->tmp->pw_id); in sae_parse_password_identifier()
1981 sae->tmp->pw_id = NULL; in sae_parse_password_identifier()
1993 if (sae->tmp->pw_id && in sae_parse_password_identifier()
1994 (len != os_strlen(sae->tmp->pw_id) || in sae_parse_password_identifier()
1995 os_memcmp(sae->tmp->pw_id, epos, len) != 0)) { in sae_parse_password_identifier()
1998 sae->tmp->pw_id); in sae_parse_password_identifier()
2002 os_free(sae->tmp->pw_id); in sae_parse_password_identifier()
2003 sae->tmp->pw_id = os_malloc(len + 1); in sae_parse_password_identifier()
2004 if (!sae->tmp->pw_id) in sae_parse_password_identifier()
2006 os_memcpy(sae->tmp->pw_id, epos, len); in sae_parse_password_identifier()
2007 sae->tmp->pw_id[len] = '\0'; in sae_parse_password_identifier()
2013 static int sae_parse_rejected_groups(struct sae_data *sae, in sae_parse_rejected_groups() argument
2022 wpabuf_free(sae->tmp->peer_rejected_groups); in sae_parse_rejected_groups()
2023 sae->tmp->peer_rejected_groups = NULL; in sae_parse_rejected_groups()
2041 wpabuf_free(sae->tmp->peer_rejected_groups); in sae_parse_rejected_groups()
2042 sae->tmp->peer_rejected_groups = wpabuf_alloc(len); in sae_parse_rejected_groups()
2043 if (!sae->tmp->peer_rejected_groups) in sae_parse_rejected_groups()
2045 wpabuf_put_data(sae->tmp->peer_rejected_groups, epos, len); in sae_parse_rejected_groups()
2047 sae->tmp->peer_rejected_groups); in sae_parse_rejected_groups()
2053 u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len, in sae_parse_commit() argument
2063 res = sae_group_allowed(sae, allowed_groups, WPA_GET_LE16(pos)); in sae_parse_commit()
2069 sae_parse_commit_token(sae, &pos, end, token, token_len, h2e); in sae_parse_commit()
2072 res = sae_parse_commit_scalar(sae, &pos, end); in sae_parse_commit()
2077 res = sae_parse_commit_element(sae, &pos, end); in sae_parse_commit()
2082 res = sae_parse_password_identifier(sae, &pos, end); in sae_parse_commit()
2088 res = sae_parse_rejected_groups(sae, &pos, end); in sae_parse_commit()
2092 wpabuf_free(sae->tmp->peer_rejected_groups); in sae_parse_commit()
2093 sae->tmp->peer_rejected_groups = NULL; in sae_parse_commit()
2098 sae_parse_token_container(sae, pos, end, token, token_len); in sae_parse_commit()
2104 if (!sae->tmp->own_commit_scalar || in sae_parse_commit()
2105 crypto_bignum_cmp(sae->tmp->own_commit_scalar, in sae_parse_commit()
2106 sae->peer_commit_scalar) != 0 || in sae_parse_commit()
2107 (sae->tmp->dh && in sae_parse_commit()
2108 (!sae->tmp->own_commit_element_ffc || in sae_parse_commit()
2109 crypto_bignum_cmp(sae->tmp->own_commit_element_ffc, in sae_parse_commit()
2110 sae->tmp->peer_commit_element_ffc) != 0)) || in sae_parse_commit()
2111 (sae->tmp->ec && in sae_parse_commit()
2112 (!sae->tmp->own_commit_element_ecc || in sae_parse_commit()
2113 crypto_ec_point_cmp(sae->tmp->ec, in sae_parse_commit()
2114 sae->tmp->own_commit_element_ecc, in sae_parse_commit()
2115 sae->tmp->peer_commit_element_ecc) != 0))) in sae_parse_commit()
2127 static int sae_cn_confirm(struct sae_data *sae, const u8 *sc, in sae_cn_confirm() argument
2147 sae->tmp->prime_len) < 0 || in sae_cn_confirm()
2149 sae->tmp->prime_len) < 0) in sae_cn_confirm()
2154 len[1] = sae->tmp->prime_len; in sae_cn_confirm()
2158 len[3] = sae->tmp->prime_len; in sae_cn_confirm()
2161 return hkdf_extract(SAE_KCK_LEN, sae->tmp->kck, sae->tmp->kck_len, in sae_cn_confirm()
2166 static int sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc, in sae_cn_confirm_ecc() argument
2176 if (crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1, in sae_cn_confirm_ecc()
2177 element_b1 + sae->tmp->prime_len) < 0) { in sae_cn_confirm_ecc()
2181 if (crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2, in sae_cn_confirm_ecc()
2182 element_b2 + sae->tmp->prime_len) < 0) { in sae_cn_confirm_ecc()
2187 sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len, in sae_cn_confirm_ecc()
2188 scalar2, element_b2, 2 * sae->tmp->prime_len, confirm); in sae_cn_confirm_ecc()
2193 static int sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc, in sae_cn_confirm_ffc() argument
2204 sae->tmp->prime_len) < 0) { in sae_cn_confirm_ffc()
2209 sae->tmp->prime_len) < 0) { in sae_cn_confirm_ffc()
2214 if (sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len, in sae_cn_confirm_ffc()
2215 scalar2, element_b2, sae->tmp->prime_len, confirm) < 0) in sae_cn_confirm_ffc()
2221 int sae_write_confirm(struct sae_data *sae, struct wpabuf *buf) in sae_write_confirm() argument
2226 if (sae->tmp == NULL) in sae_write_confirm()
2229 hash_len = sae->tmp->kck_len; in sae_write_confirm()
2232 wpabuf_put_le16(buf, sae->send_confirm); in sae_write_confirm()
2233 if (sae->send_confirm < 0xffff) in sae_write_confirm()
2234 sae->send_confirm++; in sae_write_confirm()
2236 if (sae->tmp->ec) { in sae_write_confirm()
2237 if (sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar, in sae_write_confirm()
2238 sae->tmp->own_commit_element_ecc, in sae_write_confirm()
2239 sae->peer_commit_scalar, in sae_write_confirm()
2240 sae->tmp->peer_commit_element_ecc, in sae_write_confirm()
2246 if (sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar, in sae_write_confirm()
2247 sae->tmp->own_commit_element_ffc, in sae_write_confirm()
2248 sae->peer_commit_scalar, in sae_write_confirm()
2249 sae->tmp->peer_commit_element_ffc, in sae_write_confirm()
2259 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len) in sae_check_confirm() argument
2264 if (!sae->tmp) { in sae_check_confirm()
2267 hash_len = sae->tmp->kck_len; in sae_check_confirm()
2275 if (sae->tmp == NULL || !sae->peer_commit_scalar || in sae_check_confirm()
2276 !sae->tmp->own_commit_scalar) { in sae_check_confirm()
2281 if (sae->tmp->ec) { in sae_check_confirm()
2282 if (!sae->tmp->peer_commit_element_ecc || in sae_check_confirm()
2283 !sae->tmp->own_commit_element_ecc) in sae_check_confirm()
2285 if (sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar, in sae_check_confirm()
2286 sae->tmp->peer_commit_element_ecc, in sae_check_confirm()
2287 sae->tmp->own_commit_scalar, in sae_check_confirm()
2288 sae->tmp->own_commit_element_ecc, in sae_check_confirm()
2294 if (!sae->tmp->peer_commit_element_ffc || in sae_check_confirm()
2295 !sae->tmp->own_commit_element_ffc) in sae_check_confirm()
2297 if (sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar, in sae_check_confirm()
2298 sae->tmp->peer_commit_element_ffc, in sae_check_confirm()
2299 sae->tmp->own_commit_scalar, in sae_check_confirm()
2300 sae->tmp->own_commit_element_ffc, in sae_check_confirm()
2317 if (sae_check_confirm_pk(sae, data + 2 + hash_len, in sae_check_confirm()