1 /*
2  * SAE-PK password/modifier generator
3  * Copyright (c) 2020, The Linux Foundation
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/base64.h"
13 #include "crypto/crypto.h"
14 #include "common/sae.h"
15 
16 
main(int argc,char * argv[])17 int main(int argc, char *argv[])
18 {
19           char *der = NULL;
20           size_t der_len;
21           struct crypto_ec_key *key = NULL;
22           struct wpabuf *pub = NULL;
23           u8 *data = NULL, *m;
24           size_t data_len;
25           char *b64 = NULL, *pw = NULL, *pos, *src;
26           int sec, j;
27           int ret = -1;
28           u8 hash[SAE_MAX_HASH_LEN];
29           char hash_hex[2 * SAE_MAX_HASH_LEN + 1];
30           u8 pw_base_bin[SAE_MAX_HASH_LEN];
31           u8 *dst;
32           int group;
33           size_t hash_len;
34           unsigned long long i, expected;
35           char m_hex[2 * SAE_PK_M_LEN + 1];
36           u32 sec_1b, val20;
37 
38           wpa_debug_level = MSG_INFO;
39           if (os_program_init() < 0)
40                     goto fail;
41 
42           if (argc != 4) {
43                     fprintf(stderr,
44                               "usage: sae_pk_gen <DER ECPrivateKey file> <Sec:3|5> <SSID>\n");
45                     goto fail;
46           }
47 
48           sec = atoi(argv[2]);
49           if (sec != 3 && sec != 5) {
50                     fprintf(stderr,
51                               "Invalid Sec value (allowed values: 3 and 5)\n");
52                     goto fail;
53           }
54           sec_1b = sec == 3;
55           expected = 1;
56           for (j = 0; j < sec; j++)
57                     expected *= 256;
58 
59           der = os_readfile(argv[1], &der_len);
60           if (!der) {
61                     fprintf(stderr, "Could not read %s: %s\n",
62                               argv[1], strerror(errno));
63                     goto fail;
64           }
65 
66           key = crypto_ec_key_parse_priv((u8 *) der, der_len);
67           if (!key) {
68                     fprintf(stderr, "Could not parse ECPrivateKey\n");
69                     goto fail;
70           }
71 
72           pub = crypto_ec_key_get_subject_public_key(key);
73           if (!pub) {
74                     fprintf(stderr, "Failed to build SubjectPublicKey\n");
75                     goto fail;
76           }
77 
78           group = crypto_ec_key_group(key);
79           switch (group) {
80           case 19:
81                     hash_len = 32;
82                     break;
83           case 20:
84                     hash_len = 48;
85                     break;
86           case 21:
87                     hash_len = 64;
88                     break;
89           default:
90                     fprintf(stderr, "Unsupported private key group\n");
91                     goto fail;
92           }
93 
94           data_len = os_strlen(argv[3]) + SAE_PK_M_LEN + wpabuf_len(pub);
95           data = os_malloc(data_len);
96           if (!data) {
97                     fprintf(stderr, "No memory for data buffer\n");
98                     goto fail;
99           }
100           os_memcpy(data, argv[3], os_strlen(argv[3]));
101           m = data + os_strlen(argv[3]);
102           if (os_get_random(m, SAE_PK_M_LEN) < 0) {
103                     fprintf(stderr, "Could not generate random Modifier M\n");
104                     goto fail;
105           }
106           os_memcpy(m + SAE_PK_M_LEN, wpabuf_head(pub), wpabuf_len(pub));
107 
108           fprintf(stderr, "Searching for a suitable Modifier M value\n");
109           for (i = 0;; i++) {
110                     if (sae_hash(hash_len, data, data_len, hash) < 0) {
111                               fprintf(stderr, "Hash failed\n");
112                               goto fail;
113                     }
114                     if (hash[0] == 0 && hash[1] == 0) {
115                               if ((hash[2] & 0xf0) == 0)
116                                         fprintf(stderr, "\r%3.2f%%",
117                                                   100.0 * (double) i / (double) expected);
118                               for (j = 2; j < sec; j++) {
119                                         if (hash[j])
120                                                   break;
121                               }
122                               if (j == sec)
123                                         break;
124                     }
125                     inc_byte_array(m, SAE_PK_M_LEN);
126           }
127 
128           if (wpa_snprintf_hex(m_hex, sizeof(m_hex), m, SAE_PK_M_LEN) < 0 ||
129               wpa_snprintf_hex(hash_hex, sizeof(hash_hex), hash, hash_len) < 0)
130                     goto fail;
131           fprintf(stderr, "\nFound a valid hash in %llu iterations: %s\n",
132                     i + 1, hash_hex);
133 
134           b64 = base64_encode(der, der_len, NULL);
135           if (!b64)
136                     goto fail;
137           src = pos = b64;
138           while (*src) {
139                     if (*src != '\n')
140                               *pos++ = *src;
141                     src++;
142           }
143           *pos = '\0';
144 
145           /* Skip 8*Sec bits and add Sec_1b as the every 20th bit starting with
146            * one. */
147           os_memset(pw_base_bin, 0, sizeof(pw_base_bin));
148           dst = pw_base_bin;
149           for (j = 0; j < 8 * (int) hash_len / 20; j++) {
150                     val20 = sae_pk_get_be19(hash + sec);
151                     val20 |= sec_1b << 19;
152                     sae_pk_buf_shift_left_19(hash + sec, hash_len - sec);
153 
154                     if (j & 1) {
155                               *dst |= (val20 >> 16) & 0x0f;
156                               dst++;
157                               *dst++ = (val20 >> 8) & 0xff;
158                               *dst++ = val20 & 0xff;
159                     } else {
160                               *dst++ = (val20 >> 12) & 0xff;
161                               *dst++ = (val20 >> 4) & 0xff;
162                               *dst = (val20 << 4) & 0xf0;
163                     }
164           }
165           if (wpa_snprintf_hex(hash_hex, sizeof(hash_hex),
166                                    pw_base_bin, hash_len - sec) >= 0)
167                     fprintf(stderr, "PasswordBase binary data for base32: %s",
168                               hash_hex);
169 
170           pw = sae_pk_base32_encode(pw_base_bin, 20 * 3 - 5);
171           if (!pw)
172                     goto fail;
173 
174           printf("# SAE-PK password/M/private key for Sec=%d.\n", sec);
175           printf("sae_password=%s|pk=%s:%s\n", pw, m_hex, b64);
176           printf("# Longer passwords can be used for improved security at the cost of usability:\n");
177           for (j = 4; j <= ((int) hash_len * 8 + 5 - 8 * sec) / 19; j++) {
178                     os_free(pw);
179                     pw = sae_pk_base32_encode(pw_base_bin, 20 * j - 5);
180                     if (pw)
181                               printf("# %s\n", pw);
182           }
183 
184           ret = 0;
185 fail:
186           os_free(der);
187           wpabuf_free(pub);
188           crypto_ec_key_deinit(key);
189           os_free(data);
190           os_free(b64);
191           os_free(pw);
192 
193           os_program_deinit();
194 
195           return ret;
196 }
197