22 	struct sae_temporary_data *tmp;  in sae_set_group()  local
25 	tmp = sae->tmp = os_zalloc(sizeof(*tmp));  in sae_set_group()
26 	if (tmp == NULL)  in sae_set_group()
30 	tmp->ec = crypto_ec_init(group);  in sae_set_group()
31 	if (tmp->ec) {  in sae_set_group()
33 		tmp->prime_len = crypto_ec_prime_len(tmp->ec);  in sae_set_group()
34 		tmp->prime = crypto_ec_get_prime(tmp->ec);  in sae_set_group()
35 		tmp->order = crypto_ec_get_order(tmp->ec);  in sae_set_group()
40 	tmp->dh = dh_groups_get(group);  in sae_set_group()
41 	if (tmp->dh) {  in sae_set_group()
43 		tmp->prime_len = tmp->dh->prime_len;  in sae_set_group()
44 		if (tmp->prime_len > SAE_MAX_PRIME_LEN) {  in sae_set_group()
49 		tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime,  in sae_set_group()
50 							tmp->prime_len);  in sae_set_group()
51 		if (tmp->prime_buf == NULL) {  in sae_set_group()
55 		tmp->prime = tmp->prime_buf;  in sae_set_group()
57 		tmp->order_buf = crypto_bignum_init_set(tmp->dh->order,  in sae_set_group()
58 							tmp->dh->order_len);  in sae_set_group()
59 		if (tmp->order_buf == NULL) {  in sae_set_group()
63 		tmp->order = tmp->order_buf;  in sae_set_group()
75 	struct sae_temporary_data *tmp;  in sae_clear_temp_data()  local
76 	if (sae == NULL || sae->tmp == NULL)  in sae_clear_temp_data()
78 	tmp = sae->tmp;  in sae_clear_temp_data()
79 	crypto_ec_deinit(tmp->ec);  in sae_clear_temp_data()
80 	crypto_bignum_deinit(tmp->prime_buf, 0);  in sae_clear_temp_data()
81 	crypto_bignum_deinit(tmp->order_buf, 0);  in sae_clear_temp_data()
82 	crypto_bignum_deinit(tmp->sae_rand, 1);  in sae_clear_temp_data()
83 	crypto_bignum_deinit(tmp->pwe_ffc, 1);  in sae_clear_temp_data()
84 	crypto_bignum_deinit(tmp->own_commit_scalar, 0);  in sae_clear_temp_data()
85 	crypto_bignum_deinit(tmp->own_commit_element_ffc, 0);  in sae_clear_temp_data()
86 	crypto_bignum_deinit(tmp->peer_commit_element_ffc, 0);  in sae_clear_temp_data()
87 	crypto_ec_point_deinit(tmp->pwe_ecc, 1);  in sae_clear_temp_data()
88 	crypto_ec_point_deinit(tmp->own_commit_element_ecc, 0);  in sae_clear_temp_data()
89 	crypto_ec_point_deinit(tmp->peer_commit_element_ecc, 0);  in sae_clear_temp_data()
90 	os_free(sae->tmp);  in sae_clear_temp_data()
91 	sae->tmp = NULL;  in sae_clear_temp_data()
119 	int order_len_bits = crypto_bignum_bits(sae->tmp->order);  in sae_get_rand()
137 		    crypto_bignum_cmp(bn, sae->tmp->order) >= 0) {  in sae_get_rand()
151 	crypto_bignum_deinit(sae->tmp->sae_rand, 1);  in sae_get_rand_and_mask()
152 	sae->tmp->sae_rand = sae_get_rand(sae);  in sae_get_rand_and_mask()
153 	if (sae->tmp->sae_rand == NULL)  in sae_get_rand_and_mask()
181 	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),  in sae_test_pwd_seed_ecc()
182 				 sae->tmp->prime_len) < 0)  in sae_test_pwd_seed_ecc()
188 	bits = crypto_ec_prime_len_bits(sae->tmp->ec);  in sae_test_pwd_seed_ecc()
190 			prime, sae->tmp->prime_len, pwd_value, bits);  in sae_test_pwd_seed_ecc()
194 			pwd_value, sae->tmp->prime_len);  in sae_test_pwd_seed_ecc()
196 	if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)  in sae_test_pwd_seed_ecc()
201 	x = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);  in sae_test_pwd_seed_ecc()
204 	if (crypto_ec_point_solve_y_coord(sae->tmp->ec, pwe, x, y_bit) < 0) {  in sae_test_pwd_seed_ecc()
221 	size_t bits = sae->tmp->prime_len * 8;  in sae_test_pwd_seed_ffc()
230 			sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value,  in sae_test_pwd_seed_ffc()
235 			sae->tmp->prime_len);  in sae_test_pwd_seed_ffc()
237 	if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)  in sae_test_pwd_seed_ffc()
245 	a = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);  in sae_test_pwd_seed_ffc()
247 	if (sae->tmp->dh->safe_prime) {  in sae_test_pwd_seed_ffc()
259 		    crypto_bignum_sub(sae->tmp->prime, b, b) < 0 ||  in sae_test_pwd_seed_ffc()
260 		    crypto_bignum_div(b, sae->tmp->order, b) < 0) {  in sae_test_pwd_seed_ffc()
269 		res = crypto_bignum_exptmod(a, b, sae->tmp->prime, pwe);  in sae_test_pwd_seed_ffc()
301 	if (sae->tmp->pwe_ecc == NULL) {  in sae_derive_pwe_ecc()
302 		sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);  in sae_derive_pwe_ecc()
303 		if (sae->tmp->pwe_ecc == NULL)  in sae_derive_pwe_ecc()
306 	pwe_tmp = crypto_ec_point_init(sae->tmp->ec);  in sae_derive_pwe_ecc()
346 					    sae->tmp->pwe_ecc);  in sae_derive_pwe_ecc()
376 	if (sae->tmp->pwe_ffc == NULL) {  in sae_derive_pwe_ffc()
377 		sae->tmp->pwe_ffc = crypto_bignum_init();  in sae_derive_pwe_ffc()
378 		if (sae->tmp->pwe_ffc == NULL)  in sae_derive_pwe_ffc()
411 		res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->tmp->pwe_ffc);  in sae_derive_pwe_ffc()
428 	if (!sae->tmp->own_commit_element_ecc) {  in sae_derive_commit_element_ecc()
429 		sae->tmp->own_commit_element_ecc =  in sae_derive_commit_element_ecc()
430 			crypto_ec_point_init(sae->tmp->ec);  in sae_derive_commit_element_ecc()
431 		if (!sae->tmp->own_commit_element_ecc)  in sae_derive_commit_element_ecc()
435 	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask,  in sae_derive_commit_element_ecc()
436 				sae->tmp->own_commit_element_ecc) < 0 ||  in sae_derive_commit_element_ecc()
437 	    crypto_ec_point_invert(sae->tmp->ec,  in sae_derive_commit_element_ecc()
438 				   sae->tmp->own_commit_element_ecc) < 0) {  in sae_derive_commit_element_ecc()
451 	if (!sae->tmp->own_commit_element_ffc) {  in sae_derive_commit_element_ffc()
452 		sae->tmp->own_commit_element_ffc = crypto_bignum_init();  in sae_derive_commit_element_ffc()
453 		if (!sae->tmp->own_commit_element_ffc)  in sae_derive_commit_element_ffc()
457 	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime,  in sae_derive_commit_element_ffc()
458 				  sae->tmp->own_commit_element_ffc) < 0 ||  in sae_derive_commit_element_ffc()
459 	    crypto_bignum_inverse(sae->tmp->own_commit_element_ffc,  in sae_derive_commit_element_ffc()
460 				  sae->tmp->prime,  in sae_derive_commit_element_ffc()
461 				  sae->tmp->own_commit_element_ffc) < 0) {  in sae_derive_commit_element_ffc()
482 	if (!sae->tmp->own_commit_scalar) {  in sae_derive_commit()
483 		sae->tmp->own_commit_scalar = crypto_bignum_init();  in sae_derive_commit()
484 		if (!sae->tmp->own_commit_scalar)  in sae_derive_commit()
487 	crypto_bignum_add(sae->tmp->sae_rand, mask,  in sae_derive_commit()
488 			  sae->tmp->own_commit_scalar);  in sae_derive_commit()
489 	crypto_bignum_mod(sae->tmp->own_commit_scalar, sae->tmp->order,  in sae_derive_commit()
490 			  sae->tmp->own_commit_scalar);  in sae_derive_commit()
492 	if (sae->tmp->ec && sae_derive_commit_element_ecc(sae, mask) < 0)  in sae_derive_commit()
494 	if (sae->tmp->dh && sae_derive_commit_element_ffc(sae, mask) < 0)  in sae_derive_commit()
508 	if (sae->tmp == NULL)  in sae_prepare_commit()
510 	if (sae->tmp->ec && sae_derive_pwe_ecc(sae, addr1, addr2, password,  in sae_prepare_commit()
513 	if (sae->tmp->dh && sae_derive_pwe_ffc(sae, addr1, addr2, password,  in sae_prepare_commit()
527 	K = crypto_ec_point_init(sae->tmp->ec);  in sae_derive_k_ecc()
538 	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc,  in sae_derive_k_ecc()
540 	    crypto_ec_point_add(sae->tmp->ec, K,  in sae_derive_k_ecc()
541 				sae->tmp->peer_commit_element_ecc, K) < 0 ||  in sae_derive_k_ecc()
542 	    crypto_ec_point_mul(sae->tmp->ec, K, sae->tmp->sae_rand, K) < 0 ||  in sae_derive_k_ecc()
543 	    crypto_ec_point_is_at_infinity(sae->tmp->ec, K) ||  in sae_derive_k_ecc()
544 	    crypto_ec_point_to_bin(sae->tmp->ec, K, k, NULL) < 0) {  in sae_derive_k_ecc()
549 	wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);  in sae_derive_k_ecc()
574 	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, sae->peer_commit_scalar,  in sae_derive_k_ffc()
575 				  sae->tmp->prime, K) < 0 ||  in sae_derive_k_ffc()
576 	    crypto_bignum_mulmod(K, sae->tmp->peer_commit_element_ffc,  in sae_derive_k_ffc()
577 				 sae->tmp->prime, K) < 0 ||  in sae_derive_k_ffc()
578 	    crypto_bignum_exptmod(K, sae->tmp->sae_rand, sae->tmp->prime, K) < 0  in sae_derive_k_ffc()
581 	    crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->tmp->prime_len) <  in sae_derive_k_ffc()
587 	wpa_hexdump_key(MSG_DEBUG, "SAE: k", k, sae->tmp->prime_len);  in sae_derive_k_ffc()
601 	struct crypto_bignum *tmp;  in sae_derive_keys()  local
604 	tmp = crypto_bignum_init();  in sae_derive_keys()
605 	if (tmp == NULL)  in sae_derive_keys()
615 	hmac_sha256(null_key, sizeof(null_key), k, sae->tmp->prime_len,  in sae_derive_keys()
619 	crypto_bignum_add(sae->tmp->own_commit_scalar, sae->peer_commit_scalar,  in sae_derive_keys()
620 			  tmp);  in sae_derive_keys()
621 	crypto_bignum_mod(tmp, sae->tmp->order, tmp);  in sae_derive_keys()
622 	crypto_bignum_to_bin(tmp, val, sizeof(val), sae->tmp->prime_len);  in sae_derive_keys()
625 		   val, sae->tmp->prime_len, keys, sizeof(keys));  in sae_derive_keys()
626 	os_memcpy(sae->tmp->kck, keys, SAE_KCK_LEN);  in sae_derive_keys()
628 	wpa_hexdump_key(MSG_DEBUG, "SAE: KCK", sae->tmp->kck, SAE_KCK_LEN);  in sae_derive_keys()
633 	crypto_bignum_deinit(tmp, 0);  in sae_derive_keys()
641 	if (sae->tmp == NULL ||  in sae_process_commit()
642 	    (sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) ||  in sae_process_commit()
643 	    (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) ||  in sae_process_commit()
655 	if (sae->tmp == NULL)  in sae_write_commit()
661 	pos = wpabuf_put(buf, sae->tmp->prime_len);  in sae_write_commit()
662 	crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos,  in sae_write_commit()
663 			     sae->tmp->prime_len, sae->tmp->prime_len);  in sae_write_commit()
665 		    pos, sae->tmp->prime_len);  in sae_write_commit()
666 	if (sae->tmp->ec) {  in sae_write_commit()
667 		pos = wpabuf_put(buf, 2 * sae->tmp->prime_len);  in sae_write_commit()
668 		crypto_ec_point_to_bin(sae->tmp->ec,  in sae_write_commit()
669 				       sae->tmp->own_commit_element_ecc,  in sae_write_commit()
670 				       pos, pos + sae->tmp->prime_len);  in sae_write_commit()
672 			    pos, sae->tmp->prime_len);  in sae_write_commit()
674 			    pos + sae->tmp->prime_len, sae->tmp->prime_len);  in sae_write_commit()
676 		pos = wpabuf_put(buf, sae->tmp->prime_len);  in sae_write_commit()
677 		crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos,  in sae_write_commit()
678 				     sae->tmp->prime_len, sae->tmp->prime_len);  in sae_write_commit()
680 			    pos, sae->tmp->prime_len);  in sae_write_commit()
713 	if (sae->tmp == NULL) {  in sae_group_allowed()
718 	if (sae->tmp->dh && !allowed_groups) {  in sae_group_allowed()
732 	if (*pos + (sae->tmp->ec ? 3 : 2) * sae->tmp->prime_len < end) {  in sae_parse_commit_token()
733 		size_t tlen = end - (*pos + (sae->tmp->ec ? 3 : 2) *  in sae_parse_commit_token()
734 				     sae->tmp->prime_len);  in sae_parse_commit_token()
755 	if (*pos + sae->tmp->prime_len > end) {  in sae_parse_commit_scalar()
760 	peer_scalar = crypto_bignum_init_set(*pos, sae->tmp->prime_len);  in sae_parse_commit_scalar()
780 	    crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) {  in sae_parse_commit_scalar()
790 		    *pos, sae->tmp->prime_len);  in sae_parse_commit_scalar()
791 	*pos += sae->tmp->prime_len;  in sae_parse_commit_scalar()
802 	if (pos + 2 * sae->tmp->prime_len > end) {  in sae_parse_commit_element_ecc()
808 	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),  in sae_parse_commit_element_ecc()
809 				 sae->tmp->prime_len) < 0)  in sae_parse_commit_element_ecc()
813 	if (os_memcmp(pos, prime, sae->tmp->prime_len) >= 0 ||  in sae_parse_commit_element_ecc()
814 	    os_memcmp(pos + sae->tmp->prime_len, prime,  in sae_parse_commit_element_ecc()
815 		      sae->tmp->prime_len) >= 0) {  in sae_parse_commit_element_ecc()
822 		    pos, sae->tmp->prime_len);  in sae_parse_commit_element_ecc()
824 		    pos + sae->tmp->prime_len, sae->tmp->prime_len);  in sae_parse_commit_element_ecc()
826 	crypto_ec_point_deinit(sae->tmp->peer_commit_element_ecc, 0);  in sae_parse_commit_element_ecc()
827 	sae->tmp->peer_commit_element_ecc =  in sae_parse_commit_element_ecc()
828 		crypto_ec_point_from_bin(sae->tmp->ec, pos);  in sae_parse_commit_element_ecc()
829 	if (sae->tmp->peer_commit_element_ecc == NULL)  in sae_parse_commit_element_ecc()
832 	if (!crypto_ec_point_is_on_curve(sae->tmp->ec,  in sae_parse_commit_element_ecc()
833 					 sae->tmp->peer_commit_element_ecc)) {  in sae_parse_commit_element_ecc()
847 	if (pos + sae->tmp->prime_len > end) {  in sae_parse_commit_element_ffc()
853 		    sae->tmp->prime_len);  in sae_parse_commit_element_ffc()
855 	crypto_bignum_deinit(sae->tmp->peer_commit_element_ffc, 0);  in sae_parse_commit_element_ffc()
856 	sae->tmp->peer_commit_element_ffc =  in sae_parse_commit_element_ffc()
857 		crypto_bignum_init_set(pos, sae->tmp->prime_len);  in sae_parse_commit_element_ffc()
858 	if (sae->tmp->peer_commit_element_ffc == NULL)  in sae_parse_commit_element_ffc()
860 	if (crypto_bignum_is_zero(sae->tmp->peer_commit_element_ffc) ||  in sae_parse_commit_element_ffc()
861 	    crypto_bignum_is_one(sae->tmp->peer_commit_element_ffc) ||  in sae_parse_commit_element_ffc()
862 	    crypto_bignum_cmp(sae->tmp->peer_commit_element_ffc,  in sae_parse_commit_element_ffc()
863 			      sae->tmp->prime) >= 0) {  in sae_parse_commit_element_ffc()
871 	    crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,  in sae_parse_commit_element_ffc()
872 				  sae->tmp->order, sae->tmp->prime, res) < 0 ||  in sae_parse_commit_element_ffc()
887 	if (sae->tmp->dh)  in sae_parse_commit_element()
942 			     sae->tmp->prime_len);  in sae_cn_confirm()
944 	len[1] = sae->tmp->prime_len;  in sae_cn_confirm()
948 			     sae->tmp->prime_len);  in sae_cn_confirm()
950 	len[3] = sae->tmp->prime_len;  in sae_cn_confirm()
953 	hmac_sha256_vector(sae->tmp->kck, sizeof(sae->tmp->kck), 5, addr, len,  in sae_cn_confirm()
968 	crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1,  in sae_cn_confirm_ecc()
969 			       element_b1 + sae->tmp->prime_len);  in sae_cn_confirm_ecc()
970 	crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2,  in sae_cn_confirm_ecc()
971 			       element_b2 + sae->tmp->prime_len);  in sae_cn_confirm_ecc()
973 	sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len,  in sae_cn_confirm_ecc()
974 		       scalar2, element_b2, 2 * sae->tmp->prime_len, confirm);  in sae_cn_confirm_ecc()
989 			     sae->tmp->prime_len);  in sae_cn_confirm_ffc()
991 			     sae->tmp->prime_len);  in sae_cn_confirm_ffc()
993 	sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len,  in sae_cn_confirm_ffc()
994 		       scalar2, element_b2, sae->tmp->prime_len, confirm);  in sae_cn_confirm_ffc()
1002 	if (sae->tmp == NULL)  in sae_write_confirm()
1010 	if (sae->tmp->ec)  in sae_write_confirm()
1011 		sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar,  in sae_write_confirm()
1012 				   sae->tmp->own_commit_element_ecc,  in sae_write_confirm()
1014 				   sae->tmp->peer_commit_element_ecc,  in sae_write_confirm()
1017 		sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar,  in sae_write_confirm()
1018 				   sae->tmp->own_commit_element_ffc,  in sae_write_confirm()
1020 				   sae->tmp->peer_commit_element_ffc,  in sae_write_confirm()
1036 	if (sae->tmp == NULL) {  in sae_check_confirm()
1041 	if (sae->tmp->ec)  in sae_check_confirm()
1043 				   sae->tmp->peer_commit_element_ecc,  in sae_check_confirm()
1044 				   sae->tmp->own_commit_scalar,  in sae_check_confirm()
1045 				   sae->tmp->own_commit_element_ecc,  in sae_check_confirm()
1049 				   sae->tmp->peer_commit_element_ffc,  in sae_check_confirm()
1050 				   sae->tmp->own_commit_scalar,  in sae_check_confirm()
1051 				   sae->tmp->own_commit_element_ffc,  in sae_check_confirm()