22 	struct sae_temporary_data *tmp;
25 	tmp = sae->tmp = os_zalloc(sizeof(*tmp));
26 	if (tmp == NULL)
30 	tmp->ec = crypto_ec_init(group);
31 	if (tmp->ec) {
33 		tmp->prime_len = crypto_ec_prime_len(tmp->ec);
34 		tmp->prime = crypto_ec_get_prime(tmp->ec);
35 		tmp->order = crypto_ec_get_order(tmp->ec);
40 	tmp->dh = dh_groups_get(group);
41 	if (tmp->dh) {
43 		tmp->prime_len = tmp->dh->prime_len;
44 		if (tmp->prime_len > SAE_MAX_PRIME_LEN) {
49 		tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime,
50 							tmp->prime_len);
51 		if (tmp->prime_buf == NULL) {
55 		tmp->prime = tmp->prime_buf;
57 		tmp->order_buf = crypto_bignum_init_set(tmp->dh->order,
58 							tmp->dh->order_len);
59 		if (tmp->order_buf == NULL) {
63 		tmp->order = tmp->order_buf;
75 	struct sae_temporary_data *tmp;
76 	if (sae == NULL || sae->tmp == NULL)
78 	tmp = sae->tmp;
79 	crypto_ec_deinit(tmp->ec);
80 	crypto_bignum_deinit(tmp->prime_buf, 0);
81 	crypto_bignum_deinit(tmp->order_buf, 0);
82 	crypto_bignum_deinit(tmp->sae_rand, 1);
83 	crypto_bignum_deinit(tmp->pwe_ffc, 1);
84 	crypto_bignum_deinit(tmp->own_commit_scalar, 0);
85 	crypto_bignum_deinit(tmp->own_commit_element_ffc, 0);
86 	crypto_bignum_deinit(tmp->peer_commit_element_ffc, 0);
87 	crypto_ec_point_deinit(tmp->pwe_ecc, 1);
88 	crypto_ec_point_deinit(tmp->own_commit_element_ecc, 0);
89 	crypto_ec_point_deinit(tmp->peer_commit_element_ecc, 0);
90 	wpabuf_free(tmp->anti_clogging_token);
91 	bin_clear_free(tmp, sizeof(*tmp));
92 	sae->tmp = NULL;
120 	int order_len_bits = crypto_bignum_bits(sae->tmp->order);
136 		    crypto_bignum_cmp(bn, sae->tmp->order) >= 0) {
150 	crypto_bignum_deinit(sae->tmp->sae_rand, 1);
151 	sae->tmp->sae_rand = sae_get_rand(sae);
152 	if (sae->tmp->sae_rand == NULL)
178 		u8 tmp[SAE_MAX_ECC_PRIME_LEN];
180 		if (random_get_bytes(tmp, prime_len) < 0)
183 			buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
184 		if (os_memcmp(tmp, prime, prime_len) >= 0)
186 		r = crypto_bignum_init_set(tmp, prime_len);
194 		*r_odd = tmp[prime_len - 1] & 0x01;
220 	r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd);
226 	    crypto_bignum_mulmod(y_sqr, r, sae->tmp->prime, num) < 0 ||
227 	    crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
235 		if (crypto_bignum_mulmod(num, qr, sae->tmp->prime, num) < 0)
243 		if (crypto_bignum_mulmod(num, qnr, sae->tmp->prime, num) < 0)
248 	res = crypto_bignum_legendre(num, sae->tmp->prime);
277 	bits = crypto_ec_prime_len_bits(sae->tmp->ec);
279 			prime, sae->tmp->prime_len, pwd_value, bits);
283 			pwd_value, sae->tmp->prime_len);
285 	if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
288 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
291 	y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand);
313 	size_t bits = sae->tmp->prime_len * 8;
322 			sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value,
327 			sae->tmp->prime_len);
329 	if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)
337 	a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
339 	if (sae->tmp->dh->safe_prime) {
351 		    crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||
352 		    crypto_bignum_div(b, sae->tmp->order, b) < 0) {
361 		res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);
391 		u8 tmp[SAE_MAX_ECC_PRIME_LEN];
395 		if (random_get_bytes(tmp, prime_len) < 0)
398 			buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
399 		if (os_memcmp(tmp, prime, prime_len) >= 0)
401 		q = crypto_bignum_init_set(tmp, prime_len);
441 	prime_len = sae->tmp->prime_len;
442 	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
445 	bits = crypto_ec_prime_len_bits(sae->tmp->ec);
451 	if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
520 	if (!sae->tmp->pwe_ecc)
521 		sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
522 	if (!sae->tmp->pwe_ecc)
525 		res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
526 						    sae->tmp->pwe_ecc, x,
555 	if (sae->tmp->pwe_ffc == NULL) {
556 		sae->tmp->pwe_ffc = crypto_bignum_init();
557 		if (sae->tmp->pwe_ffc == NULL)
590 		res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc);
607 	if (!sae->tmp->own_commit_element_ecc) {
608 		sae->tmp->own_commit_element_ecc =
609 			crypto_ec_point_init(sae->tmp->ec);
610 		if (!sae->tmp->own_commit_element_ecc)
614 	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask,
615 				sae->tmp->own_commit_element_ecc) < 0 ||
616 	    crypto_ec_point_invert(sae->tmp->ec,
617 				   sae->tmp->own_commit_element_ecc) < 0) {
630 	if (!sae->tmp->own_commit_element_ffc) {
631 		sae->tmp->own_commit_element_ffc = crypto_bignum_init();
632 		if (!sae->tmp->own_commit_element_ffc)
636 	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime,
637 				  sae->tmp->own_commit_element_ffc) < 0 ||
638 	    crypto_bignum_inverse(sae->tmp->own_commit_element_ffc,
639 				  sae->tmp->prime,
640 				  sae->tmp->own_commit_element_ffc) < 0) {
674 		if (!sae->tmp->own_commit_scalar) {
675 			sae->tmp->own_commit_scalar = crypto_bignum_init();
676 			if (!sae->tmp->own_commit_scalar)
679 		crypto_bignum_add(sae->tmp->sae_rand, mask,
680 				  sae->tmp->own_commit_scalar);
681 		crypto_bignum_mod(sae->tmp->own_commit_scalar, sae->tmp->order,
682 				  sae->tmp->own_commit_scalar);
683 	} while (crypto_bignum_is_zero(sae->tmp->own_commit_scalar) ||
684 		 crypto_bignum_is_one(sae->tmp->own_commit_scalar));
686 	if ((sae->tmp->ec && sae_derive_commit_element_ecc(sae, mask) < 0) ||
687 	    (sae->tmp->dh && sae_derive_commit_element_ffc(sae, mask) < 0))
701 	if (sae->tmp == NULL ||
702 	    (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password,
704 	    (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password,
717 	K = crypto_ec_point_init(sae->tmp->ec);
728 	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc,
730 	    crypto_ec_point_add(sae->tmp->ec, K,
731 				sae->tmp->peer_commit_element_ecc, K) < 0 ||
732 	    crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 ||
733 	    crypto_ec_point_is_at_infinity(sae->tmp->ec, K) ||
734 	    crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) {
739 	wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
764 	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar,
765 				  sae->tmp->prime, K) < 0 ||
766 	    crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc,
767 				 sae->tmp->prime, K) < 0 ||
768 	    crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0
771 	    crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) <
777 	wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);
791 	struct crypto_bignum *tmp;
794 	tmp = crypto_bignum_init();
795 	if (tmp == NULL)
805 	hmac_sha256(null_key, sizeof(null_key), k, sae->tmp->prime_len,
809 	crypto_bignum_add(sae->tmp->own_commit_scalar, sae->peer_commit_scalar,
810 			  tmp);
811 	crypto_bignum_mod(tmp, sae->tmp->order, tmp);
812 	crypto_bignum_to_bin(tmp, val, sizeof(val), sae->tmp->prime_len);
815 		   val, sae->tmp->prime_len, keys, sizeof(keys));
817 	os_memcpy(sae->tmp->kck, keys, SAE_KCK_LEN);
820 	wpa_hexdump_key(MSG_DEBUG, "SAE: KCK", sae->tmp->kck, SAE_KCK_LEN);
825 	crypto_bignum_deinit(tmp, 0);
833 	if (sae->tmp == NULL ||
834 	    (sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) ||
835 	    (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) ||
847 	if (sae->tmp == NULL)
856 	pos = wpabuf_put(buf, sae->tmp->prime_len);
857 	crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos,
858 			     sae->tmp->prime_len, sae->tmp->prime_len);
860 		    pos, sae->tmp->prime_len);
861 	if (sae->tmp->ec) {
862 		pos = wpabuf_put(buf, 2 * sae->tmp->prime_len);
863 		crypto_ec_point_to_bin(sae->tmp->ec,
864 				       sae->tmp->own_commit_element_ecc,
865 				       pos, pos + sae->tmp->prime_len);
867 			    pos, sae->tmp->prime_len);
869 			    pos + sae->tmp->prime_len, sae->tmp->prime_len);
871 		pos = wpabuf_put(buf, sae->tmp->prime_len);
872 		crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos,
873 				     sae->tmp->prime_len, sae->tmp->prime_len);
875 			    pos, sae->tmp->prime_len);
907 	if (sae->tmp == NULL) {
912 	if (sae->tmp->dh && !allowed_groups) {
926 	if (*pos + (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len < end) {
927 		size_t tlen = end - (*pos + (sae->tmp->ec ? 3 : 2) *
928 				     sae->tmp->prime_len);
949 	if (*pos + sae->tmp->prime_len > end) {
954 	peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len);
975 	    crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) {
985 		    *pos, sae->tmp->prime_len);
986 	*pos += sae->tmp->prime_len;
997 	if (pos + 2 * sae->tmp->prime_len > end) {
1003 	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
1004 				 sae->tmp->prime_len) < 0)
1008 	if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 ||
1009 	    os_memcmp(pos + sae->tmp->prime_len, prime,
1010 		      sae->tmp->prime_len) >= 0) {
1017 		    pos, sae->tmp->prime_len);
1019 		    pos + sae->tmp->prime_len, sae->tmp->prime_len);
1021 	crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0);
1022 	sae->tmp->peer_commit_element_ecc =
1023 		crypto_ec_point_from_bin(sae->tmp->ec, pos);
1024 	if (sae->tmp->peer_commit_element_ecc == NULL)
1027 	if (!crypto_ec_point_is_on_curve(sae->tmp->ec,
1028 					 sae->tmp->peer_commit_element_ecc)) {
1043 	if (pos + sae->tmp->prime_len > end) {
1049 		    sae->tmp->prime_len);
1051 	crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0);
1052 	sae->tmp->peer_commit_element_ffc =
1053 		crypto_bignum_init_set(pos, sae->tmp->prime_len);
1054 	if (sae->tmp->peer_commit_element_ffc == NULL)
1060 	    crypto_bignum_sub(sae->tmp->prime, one, res) ||
1061 	    crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) ||
1062 	    crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) ||
1063 	    crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc, res) >= 0) {
1072 	if (crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,
1073 				  sae->tmp->order, sae->tmp->prime, res) < 0 ||
1088 	if (sae->tmp->dh)
1125 	if (!sae->tmp->own_commit_scalar ||
1126 	    crypto_bignum_cmp(sae->tmp->own_commit_scalar,
1128 	    (sae->tmp->dh &&
1129 	     (!sae->tmp->own_commit_element_ffc ||
1130 	      crypto_bignum_cmp(sae->tmp->own_commit_element_ffc,
1131 				sae->tmp->peer_commit_element_ffc) != 0)) ||
1132 	    (sae->tmp->ec &&
1133 	     (!sae->tmp->own_commit_element_ecc ||
1134 	      crypto_ec_point_cmp(sae->tmp->ec,
1135 				  sae->tmp->own_commit_element_ecc,
1136 				  sae->tmp->peer_commit_element_ecc) != 0)))
1170 			     sae->tmp->prime_len);
1172 	len[1] = sae->tmp->prime_len;
1176 			     sae->tmp->prime_len);
1178 	len[3] = sae->tmp->prime_len;
1181 	hmac_sha256_vector(sae->tmp->kck, sizeof(sae->tmp->kck), 5, addr, len,
1196 	crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1,
1197 			       element_b1 + sae->tmp->prime_len);
1198 	crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2,
1199 			       element_b2 + sae->tmp->prime_len);
1201 	sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len,
1202 		       scalar2, element_b2, 2 * sae->tmp->prime_len, confirm);
1217 			     sae->tmp->prime_len);
1219 			     sae->tmp->prime_len);
1221 	sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len,
1222 		       scalar2, element_b2, sae->tmp->prime_len, confirm);
1230 	if (sae->tmp == NULL)
1238 	if (sae->tmp->ec)
1239 		sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar,
1240 				   sae->tmp->own_commit_element_ecc,
1242 				   sae->tmp->peer_commit_element_ecc,
1245 		sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar,
1246 				   sae->tmp->own_commit_element_ffc,
1248 				   sae->tmp->peer_commit_element_ffc,
1264 	if (sae->tmp == NULL) {
1269 	if (sae->tmp->ec)
1271 				   sae->tmp->peer_commit_element_ecc,
1272 				   sae->tmp->own_commit_scalar,
1273 				   sae->tmp->own_commit_element_ecc,
1277 				   sae->tmp->peer_commit_element_ffc,
1278 				   sae->tmp->own_commit_scalar,
1279 				   sae->tmp->own_commit_element_ffc,

Indexes created Wed Sep 11 23:09:49 MDT 2024