Share common SAE and EAP-pwd functionality: random 1..p-1 creation
Use a shared helper function to create a random value in 1..p-1 range for is_quadratic_residue(). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
6c9543fcb7
commit
a9615b1b88
4 changed files with 33 additions and 46 deletions
|
@ -58,3 +58,25 @@ int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
|
|||
*qr = *qnr = NULL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
struct crypto_bignum *
|
||||
dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime)
|
||||
{
|
||||
struct crypto_bignum *tmp, *pm1, *one;
|
||||
|
||||
tmp = crypto_bignum_init();
|
||||
pm1 = crypto_bignum_init();
|
||||
one = crypto_bignum_init_set((const u8 *) "\x01", 1);
|
||||
if (!tmp || !pm1 || !one ||
|
||||
crypto_bignum_sub(prime, one, pm1) < 0 ||
|
||||
crypto_bignum_rand(tmp, pm1) < 0 ||
|
||||
crypto_bignum_add(tmp, one, tmp) < 0) {
|
||||
crypto_bignum_deinit(tmp, 0);
|
||||
tmp = NULL;
|
||||
}
|
||||
|
||||
crypto_bignum_deinit(pm1, 0);
|
||||
crypto_bignum_deinit(one, 0);
|
||||
return tmp;
|
||||
}
|
||||
|
|
|
@ -16,5 +16,7 @@ int dragonfly_suitable_group(int group, int ecc_only);
|
|||
int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
|
||||
struct crypto_bignum **qr,
|
||||
struct crypto_bignum **qnr);
|
||||
struct crypto_bignum *
|
||||
dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime);
|
||||
|
||||
#endif /* DRAGONFLY_H */
|
||||
|
|
|
@ -178,43 +178,12 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
|
|||
}
|
||||
|
||||
|
||||
static struct crypto_bignum *
|
||||
get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
|
||||
int *r_odd)
|
||||
{
|
||||
for (;;) {
|
||||
struct crypto_bignum *r;
|
||||
u8 tmp[SAE_MAX_ECC_PRIME_LEN];
|
||||
|
||||
if (random_get_bytes(tmp, prime_len) < 0)
|
||||
break;
|
||||
if (prime_bits % 8)
|
||||
buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
|
||||
if (os_memcmp(tmp, prime, prime_len) >= 0)
|
||||
continue;
|
||||
r = crypto_bignum_init_set(tmp, prime_len);
|
||||
if (!r)
|
||||
break;
|
||||
if (crypto_bignum_is_zero(r)) {
|
||||
crypto_bignum_deinit(r, 0);
|
||||
continue;
|
||||
}
|
||||
|
||||
*r_odd = tmp[prime_len - 1] & 0x01;
|
||||
return r;
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
static int is_quadratic_residue_blind(struct sae_data *sae,
|
||||
const u8 *prime, size_t bits,
|
||||
const u8 *qr, const u8 *qnr,
|
||||
const struct crypto_bignum *y_sqr)
|
||||
{
|
||||
struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
|
||||
int r_odd, check, res = -1;
|
||||
int check, res = -1;
|
||||
u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
|
||||
size_t prime_len = sae->tmp->prime_len;
|
||||
unsigned int mask;
|
||||
|
@ -228,7 +197,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
|
|||
* r = a random number between 1 and p-1, inclusive
|
||||
* num = (v * r * r) modulo p
|
||||
*/
|
||||
r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
|
||||
r = dragonfly_get_rand_1_to_p_1(sae->tmp->prime);
|
||||
if (!r)
|
||||
return -1;
|
||||
|
||||
|
@ -249,7 +218,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
|
|||
* num = (num * qnr) module p
|
||||
* LGR(num, p) = -1 ==> quadratic residue
|
||||
*/
|
||||
mask = const_time_is_zero(r_odd);
|
||||
mask = const_time_is_zero(crypto_bignum_is_odd(r));
|
||||
const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
|
||||
qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
|
||||
if (!qr_or_qnr ||
|
||||
|
@ -306,7 +275,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
|
|||
if (!y_sqr)
|
||||
return -1;
|
||||
|
||||
res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
|
||||
res = is_quadratic_residue_blind(sae, qr, qnr, y_sqr);
|
||||
crypto_bignum_deinit(y_sqr, 1);
|
||||
return res;
|
||||
}
|
||||
|
|
|
@ -121,14 +121,14 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
const u8 *id_peer, size_t id_peer_len,
|
||||
const u8 *token)
|
||||
{
|
||||
struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL;
|
||||
struct crypto_bignum *qr = NULL, *qnr = NULL;
|
||||
struct crypto_bignum *qr_or_qnr = NULL;
|
||||
u8 qr_bin[MAX_ECC_PRIME_LEN];
|
||||
u8 qnr_bin[MAX_ECC_PRIME_LEN];
|
||||
u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
|
||||
u8 x_bin[MAX_ECC_PRIME_LEN];
|
||||
u8 prime_bin[MAX_ECC_PRIME_LEN];
|
||||
struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
|
||||
struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL;
|
||||
struct crypto_hash *hash;
|
||||
unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
|
||||
int ret = 0, check, res;
|
||||
|
@ -151,10 +151,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
primebytelen) < 0)
|
||||
return -1;
|
||||
grp->pwe = crypto_ec_point_init(grp->group);
|
||||
tmp1 = crypto_bignum_init();
|
||||
pm1 = crypto_bignum_init();
|
||||
one = crypto_bignum_init_set((const u8 *) "\x01", 1);
|
||||
if (!grp->pwe || !tmp1 || !pm1 || !one) {
|
||||
if (!grp->pwe) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
|
||||
goto fail;
|
||||
}
|
||||
|
@ -164,8 +161,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
"buffer");
|
||||
goto fail;
|
||||
}
|
||||
if (crypto_bignum_sub(prime, one, pm1) < 0)
|
||||
goto fail;
|
||||
|
||||
/* get a random quadratic residue and nonresidue */
|
||||
if (dragonfly_get_random_qr_qnr(prime, &qr, &qnr) < 0 ||
|
||||
|
@ -242,7 +237,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
*
|
||||
* tmp1 is a random number between 1 and p-1
|
||||
*/
|
||||
if (crypto_bignum_rand(tmp1, pm1) < 0 ||
|
||||
tmp1 = dragonfly_get_rand_1_to_p_1(prime);
|
||||
if (!tmp1 ||
|
||||
crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0 ||
|
||||
crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0)
|
||||
goto fail;
|
||||
|
@ -317,13 +313,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
}
|
||||
/* cleanliness and order.... */
|
||||
crypto_bignum_deinit(x_candidate, 1);
|
||||
crypto_bignum_deinit(pm1, 0);
|
||||
crypto_bignum_deinit(tmp1, 1);
|
||||
crypto_bignum_deinit(tmp2, 1);
|
||||
crypto_bignum_deinit(qr, 1);
|
||||
crypto_bignum_deinit(qnr, 1);
|
||||
crypto_bignum_deinit(qr_or_qnr, 1);
|
||||
crypto_bignum_deinit(one, 0);
|
||||
bin_clear_free(prfbuf, primebytelen);
|
||||
os_memset(qr_bin, 0, sizeof(qr_bin));
|
||||
os_memset(qnr_bin, 0, sizeof(qnr_bin));
|
||||
|
|
Loading…
Reference in a new issue