Share common SAE and EAP-pwd functionality: random 1..p-1 creation

Use a shared helper function to create a random value in 1..p-1 range for is_quadratic_residue(). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-25 20:43:41 +03:00 · 2019-04-25 20:43:41 +03:00 · a9615b1b88
parent 6c9543fcb7
commit a9615b1b88
4 changed files with 33 additions and 46 deletions
--- a/src/common/dragonfly.c
+++ b/src/common/dragonfly.c
@ -58,3 +58,25 @@ int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
 	*qr = *qnr = NULL;
 	return -1;
 }
+
+
+struct crypto_bignum *
+dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime)
+{
+	struct crypto_bignum *tmp, *pm1, *one;
+
+	tmp = crypto_bignum_init();
+	pm1 = crypto_bignum_init();
+	one = crypto_bignum_init_set((const u8 *) "\x01", 1);
+	if (!tmp || !pm1 || !one ||
+	    crypto_bignum_sub(prime, one, pm1) < 0 ||
+	    crypto_bignum_rand(tmp, pm1) < 0 ||
+	    crypto_bignum_add(tmp, one, tmp) < 0) {
+		crypto_bignum_deinit(tmp, 0);
+		tmp = NULL;
+	}
+
+	crypto_bignum_deinit(pm1, 0);
+	crypto_bignum_deinit(one, 0);
+	return tmp;
+}
--- a/src/common/dragonfly.h
+++ b/src/common/dragonfly.h
@ -16,5 +16,7 @@ int dragonfly_suitable_group(int group, int ecc_only);
 int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
 				struct crypto_bignum **qr,
 				struct crypto_bignum **qnr);
+struct crypto_bignum *
+dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime);

 #endif /* DRAGONFLY_H */
--- a/src/common/sae.c
+++ b/src/common/sae.c
@ -178,43 +178,12 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
 }


-static struct crypto_bignum *
-get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
-		  int *r_odd)
-{
-	for (;;) {
-		struct crypto_bignum *r;
-		u8 tmp[SAE_MAX_ECC_PRIME_LEN];
-
-		if (random_get_bytes(tmp, prime_len) < 0)
-			break;
-		if (prime_bits % 8)
-			buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
-		if (os_memcmp(tmp, prime, prime_len) >= 0)
-			continue;
-		r = crypto_bignum_init_set(tmp, prime_len);
-		if (!r)
-			break;
-		if (crypto_bignum_is_zero(r)) {
-			crypto_bignum_deinit(r, 0);
-			continue;
-		}
-
-		*r_odd = tmp[prime_len - 1] & 0x01;
-		return r;
-	}
-
-	return NULL;
-}
-
-
 static int is_quadratic_residue_blind(struct sae_data *sae,
-				      const u8 *prime, size_t bits,
 				      const u8 *qr, const u8 *qnr,
 				      const struct crypto_bignum *y_sqr)
 {
 	struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
-	int r_odd, check, res = -1;
+	int check, res = -1;
 	u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
 	size_t prime_len = sae->tmp->prime_len;
 	unsigned int mask;
@ -228,7 +197,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
 	 * r = a random number between 1 and p-1, inclusive
 	 * num = (v * r * r) modulo p
 	 */
-	r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
+	r = dragonfly_get_rand_1_to_p_1(sae->tmp->prime);
 	if (!r)
 		return -1;

@ -249,7 +218,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
 	 * num = (num * qnr) module p
 	 * LGR(num, p) = -1 ==> quadratic residue
 	 */
-	mask = const_time_is_zero(r_odd);
+	mask = const_time_is_zero(crypto_bignum_is_odd(r));
 	const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
 	qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
 	if (!qr_or_qnr ||
@ -306,7 +275,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
 	if (!y_sqr)
 		return -1;

-	res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
+	res = is_quadratic_residue_blind(sae, qr, qnr, y_sqr);
 	crypto_bignum_deinit(y_sqr, 1);
 	return res;
 }
--- a/src/eap_common/eap_pwd_common.c
+++ b/src/eap_common/eap_pwd_common.c
@ -121,14 +121,14 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 			     const u8 *id_peer, size_t id_peer_len,
 			     const u8 *token)
 {
-	struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL;
+	struct crypto_bignum *qr = NULL, *qnr = NULL;
 	struct crypto_bignum *qr_or_qnr = NULL;
 	u8 qr_bin[MAX_ECC_PRIME_LEN];
 	u8 qnr_bin[MAX_ECC_PRIME_LEN];
 	u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
 	u8 x_bin[MAX_ECC_PRIME_LEN];
 	u8 prime_bin[MAX_ECC_PRIME_LEN];
-	struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+	struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL;
 	struct crypto_hash *hash;
 	unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
 	int ret = 0, check, res;
@ -151,10 +151,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 				 primebytelen) < 0)
 		return -1;
 	grp->pwe = crypto_ec_point_init(grp->group);
-	tmp1 = crypto_bignum_init();
-	pm1 = crypto_bignum_init();
-	one = crypto_bignum_init_set((const u8 *) "\x01", 1);
-	if (!grp->pwe || !tmp1 || !pm1 || !one) {
+	if (!grp->pwe) {
 		wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
 		goto fail;
 	}
@ -164,8 +161,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 			   "buffer");
 		goto fail;
 	}
-	if (crypto_bignum_sub(prime, one, pm1) < 0)
-		goto fail;

 	/* get a random quadratic residue and nonresidue */
 	if (dragonfly_get_random_qr_qnr(prime, &qr, &qnr) < 0 ||
@ -242,7 +237,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 		 *
 		 * tmp1 is a random number between 1 and p-1
 		 */
-		if (crypto_bignum_rand(tmp1, pm1) < 0 ||
+		tmp1 = dragonfly_get_rand_1_to_p_1(prime);
+		if (!tmp1 ||
 		    crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0 ||
 		    crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0)
 			goto fail;
@ -317,13 +313,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 	}
 	/* cleanliness and order.... */
 	crypto_bignum_deinit(x_candidate, 1);
-	crypto_bignum_deinit(pm1, 0);
 	crypto_bignum_deinit(tmp1, 1);
 	crypto_bignum_deinit(tmp2, 1);
 	crypto_bignum_deinit(qr, 1);
 	crypto_bignum_deinit(qnr, 1);
 	crypto_bignum_deinit(qr_or_qnr, 1);
-	crypto_bignum_deinit(one, 0);
 	bin_clear_free(prfbuf, primebytelen);
 	os_memset(qr_bin, 0, sizeof(qr_bin));
 	os_memset(qnr_bin, 0, sizeof(qnr_bin));