1 /*
2  * Simultaneous authentication of equals
3  * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef SAE_H
10 #define SAE_H
11 
12 #define SAE_KCK_LEN 32
13 #define SAE_PMK_LEN 32
14 #define SAE_PMKID_LEN 16
15 #define SAE_MAX_PRIME_LEN 512
16 #define SAE_MAX_ECC_PRIME_LEN 66
17 #define SAE_MAX_HASH_LEN 64
18 #define SAE_COMMIT_MAX_LEN (2 + 3 * SAE_MAX_PRIME_LEN + 255)
19 #ifdef CONFIG_SAE_PK
20 #define SAE_CONFIRM_MAX_LEN ((2 + SAE_MAX_HASH_LEN) + 1500)
21 #else /* CONFIG_SAE_PK */
22 #define SAE_CONFIRM_MAX_LEN (2 + SAE_MAX_HASH_LEN)
23 #endif /* CONFIG_SAE_PK */
24 #define SAE_PK_M_LEN 16
25 
26 /* Special value returned by sae_parse_commit() */
27 #define SAE_SILENTLY_DISCARD 65535
28 
29 struct sae_pk {
30 	struct wpabuf *m;
31 	struct crypto_ec_key *key;
32 	int group;
33 	struct wpabuf *pubkey; /* DER encoded subjectPublicKey */
34 #ifdef CONFIG_TESTING_OPTIONS
35 	struct crypto_ec_key *sign_key_override;
36 #endif /* CONFIG_TESTING_OPTIONS */
37 };
38 
39 
40 struct sae_temporary_data {
41 	u8 kck[SAE_MAX_HASH_LEN];
42 	size_t kck_len;
43 	struct crypto_bignum *own_commit_scalar;
44 	struct crypto_bignum *own_commit_element_ffc;
45 	struct crypto_ec_point *own_commit_element_ecc;
46 	struct crypto_bignum *peer_commit_element_ffc;
47 	struct crypto_ec_point *peer_commit_element_ecc;
48 	struct crypto_ec_point *pwe_ecc;
49 	struct crypto_bignum *pwe_ffc;
50 	struct crypto_bignum *sae_rand;
51 	struct crypto_ec *ec;
52 	int prime_len;
53 	int order_len;
54 	const struct dh_group *dh;
55 	const struct crypto_bignum *prime;
56 	const struct crypto_bignum *order;
57 	struct crypto_bignum *prime_buf;
58 	struct crypto_bignum *order_buf;
59 	struct wpabuf *anti_clogging_token;
60 	char *pw_id;
61 	int vlan_id;
62 	u8 bssid[ETH_ALEN];
63 	struct wpabuf *own_rejected_groups;
64 	struct wpabuf *peer_rejected_groups;
65 	unsigned int own_addr_higher:1;
66 
67 #ifdef CONFIG_SAE_PK
68 	u8 kek[SAE_MAX_HASH_LEN];
69 	size_t kek_len;
70 	const struct sae_pk *ap_pk;
71 	u8 own_addr[ETH_ALEN];
72 	u8 peer_addr[ETH_ALEN];
73 	u8 fingerprint[SAE_MAX_HASH_LEN];
74 	size_t fingerprint_bytes;
75 	size_t fingerprint_bits;
76 	size_t lambda;
77 	unsigned int sec;
78 	u8 ssid[32];
79 	size_t ssid_len;
80 #ifdef CONFIG_TESTING_OPTIONS
81 	bool omit_pk_elem;
82 #endif /* CONFIG_TESTING_OPTIONS */
83 #endif /* CONFIG_SAE_PK */
84 };
85 
86 struct sae_pt {
87 	struct sae_pt *next;
88 	int group;
89 	struct crypto_ec *ec;
90 	struct crypto_ec_point *ecc_pt;
91 
92 	const struct dh_group *dh;
93 	struct crypto_bignum *ffc_pt;
94 #ifdef CONFIG_SAE_PK
95 	u8 ssid[32];
96 	size_t ssid_len;
97 #endif /* CONFIG_SAE_PK */
98 };
99 
100 enum sae_state {
101 	SAE_NOTHING, SAE_COMMITTED, SAE_CONFIRMED, SAE_ACCEPTED
102 };
103 
104 struct sae_data {
105 	enum sae_state state;
106 	u16 send_confirm;
107 	u8 pmk[SAE_PMK_LEN];
108 	u8 pmkid[SAE_PMKID_LEN];
109 	struct crypto_bignum *peer_commit_scalar;
110 	struct crypto_bignum *peer_commit_scalar_accepted;
111 	int group;
112 	unsigned int sync; /* protocol instance variable: Sync */
113 	u16 rc; /* protocol instance variable: Rc (received send-confirm) */
114 	unsigned int h2e:1;
115 	unsigned int pk:1;
116 	struct sae_temporary_data *tmp;
117 };
118 
119 int sae_set_group(struct sae_data *sae, int group);
120 void sae_clear_temp_data(struct sae_data *sae);
121 void sae_clear_data(struct sae_data *sae);
122 
123 int sae_prepare_commit(const u8 *addr1, const u8 *addr2,
124 		       const u8 *password, size_t password_len,
125 		       struct sae_data *sae);
126 int sae_prepare_commit_pt(struct sae_data *sae, const struct sae_pt *pt,
127 			  const u8 *addr1, const u8 *addr2,
128 			  int *rejected_groups, const struct sae_pk *pk);
129 int sae_process_commit(struct sae_data *sae);
130 int sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
131 		     const struct wpabuf *token, const char *identifier);
132 u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
133 		     const u8 **token, size_t *token_len, int *allowed_groups,
134 		     int h2e);
135 int sae_write_confirm(struct sae_data *sae, struct wpabuf *buf);
136 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len);
137 u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, u16 group);
138 const char * sae_state_txt(enum sae_state state);
139 size_t sae_ecc_prime_len_2_hash_len(size_t prime_len);
140 size_t sae_ffc_prime_len_2_hash_len(size_t prime_len);
141 struct sae_pt * sae_derive_pt(int *groups, const u8 *ssid, size_t ssid_len,
142 			      const u8 *password, size_t password_len,
143 			      const char *identifier);
144 struct crypto_ec_point *
145 sae_derive_pwe_from_pt_ecc(const struct sae_pt *pt,
146 			   const u8 *addr1, const u8 *addr2);
147 struct crypto_bignum *
148 sae_derive_pwe_from_pt_ffc(const struct sae_pt *pt,
149 			   const u8 *addr1, const u8 *addr2);
150 void sae_deinit_pt(struct sae_pt *pt);
151 
152 /* sae_pk.c */
153 #ifdef CONFIG_SAE_PK
154 bool sae_pk_valid_password(const char *pw);
155 #else /* CONFIG_SAE_PK */
sae_pk_valid_password(const char * pw)156 static inline bool sae_pk_valid_password(const char *pw)
157 {
158 	return false;
159 }
160 #endif /* CONFIG_SAE_PK */
161 char * sae_pk_base32_encode(const u8 *src, size_t len_bits);
162 u8 * sae_pk_base32_decode(const char *src, size_t len, size_t *out_len);
163 int sae_pk_set_password(struct sae_data *sae, const char *password);
164 void sae_deinit_pk(struct sae_pk *pk);
165 struct sae_pk * sae_parse_pk(const char *val);
166 int sae_write_confirm_pk(struct sae_data *sae, struct wpabuf *buf);
167 int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len);
168 int sae_hash(size_t hash_len, const u8 *data, size_t len, u8 *hash);
169 u32 sae_pk_get_be19(const u8 *buf);
170 void sae_pk_buf_shift_left_19(u8 *buf, size_t len);
171 
172 #endif /* SAE_H */
173