SAE: Reject commit-scalar value 1
IEEE Std 802.11-2012 description of SAE does not require this, i.e., it describes the requirement as 0 < scalar < r for processing the Commit message. However, this is not correct and will be changes to 1 < scalar < r to match the Dragonfly description so that a trivial secret case will be avoided explicitly. This is not much of an issue for the locally generated commit-scalar since it would be very unlikely to get the value of 1. For Commit message processing, a peer with knowledge of the password could potentially force the exchange to expose key material without this check. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
a3704b2aae
commit
0c2b3f6541
1 changed files with 32 additions and 16 deletions
|
@ -650,6 +650,19 @@ static int sae_derive_commit(struct sae_data *sae)
|
|||
{
|
||||
struct crypto_bignum *mask;
|
||||
int ret = -1;
|
||||
unsigned int counter = 0;
|
||||
|
||||
do {
|
||||
counter++;
|
||||
if (counter > 100) {
|
||||
/*
|
||||
* This cannot really happen in practice if the random
|
||||
* number generator is working. Anyway, to avoid even a
|
||||
* theoretical infinite loop, break out after 100
|
||||
* attemps.
|
||||
*/
|
||||
return -1;
|
||||
}
|
||||
|
||||
mask = sae_get_rand_and_mask(sae);
|
||||
if (mask == NULL) {
|
||||
|
@ -667,6 +680,8 @@ static int sae_derive_commit(struct sae_data *sae)
|
|||
sae->tmp->own_commit_scalar);
|
||||
crypto_bignum_mod(sae->tmp->own_commit_scalar, sae->tmp->order,
|
||||
sae->tmp->own_commit_scalar);
|
||||
} while (crypto_bignum_is_zero(sae->tmp->own_commit_scalar) ||
|
||||
crypto_bignum_is_one(sae->tmp->own_commit_scalar));
|
||||
|
||||
if ((sae->tmp->ec && sae_derive_commit_element_ecc(sae, mask) < 0) ||
|
||||
(sae->tmp->dh && sae_derive_commit_element_ffc(sae, mask) < 0))
|
||||
|
@ -954,8 +969,9 @@ static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos,
|
|||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||
}
|
||||
|
||||
/* 0 < scalar < r */
|
||||
/* 1 < scalar < r */
|
||||
if (crypto_bignum_is_zero(peer_scalar) ||
|
||||
crypto_bignum_is_one(peer_scalar) ||
|
||||
crypto_bignum_cmp(peer_scalar, sae->tmp->order) >= 0) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Invalid peer scalar");
|
||||
crypto_bignum_deinit(peer_scalar, 0);
|
||||
|
|
Loading…
Reference in a new issue