diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c index 334f492d4..d4c3561b5 100644 --- a/src/common/dragonfly.c +++ b/src/common/dragonfly.c @@ -58,3 +58,25 @@ int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime, *qr = *qnr = NULL; return -1; } + + +struct crypto_bignum * +dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime) +{ + struct crypto_bignum *tmp, *pm1, *one; + + tmp = crypto_bignum_init(); + pm1 = crypto_bignum_init(); + one = crypto_bignum_init_set((const u8 *) "\x01", 1); + if (!tmp || !pm1 || !one || + crypto_bignum_sub(prime, one, pm1) < 0 || + crypto_bignum_rand(tmp, pm1) < 0 || + crypto_bignum_add(tmp, one, tmp) < 0) { + crypto_bignum_deinit(tmp, 0); + tmp = NULL; + } + + crypto_bignum_deinit(pm1, 0); + crypto_bignum_deinit(one, 0); + return tmp; +} diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h index 99a185159..d03fb7318 100644 --- a/src/common/dragonfly.h +++ b/src/common/dragonfly.h @@ -16,5 +16,7 @@ int dragonfly_suitable_group(int group, int ecc_only); int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime, struct crypto_bignum **qr, struct crypto_bignum **qnr); +struct crypto_bignum * +dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime); #endif /* DRAGONFLY_H */ diff --git a/src/common/sae.c b/src/common/sae.c index 67d83edd0..0d8ed1c5b 100644 --- a/src/common/sae.c +++ b/src/common/sae.c @@ -178,43 +178,12 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key) } -static struct crypto_bignum * -get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits, - int *r_odd) -{ - for (;;) { - struct crypto_bignum *r; - u8 tmp[SAE_MAX_ECC_PRIME_LEN]; - - if (random_get_bytes(tmp, prime_len) < 0) - break; - if (prime_bits % 8) - buf_shift_right(tmp, prime_len, 8 - prime_bits % 8); - if (os_memcmp(tmp, prime, prime_len) >= 0) - continue; - r = crypto_bignum_init_set(tmp, prime_len); - if (!r) - break; - if (crypto_bignum_is_zero(r)) { - crypto_bignum_deinit(r, 0); - continue; - } - - *r_odd = tmp[prime_len - 1] & 0x01; - return r; - } - - return NULL; -} - - static int is_quadratic_residue_blind(struct sae_data *sae, - const u8 *prime, size_t bits, const u8 *qr, const u8 *qnr, const struct crypto_bignum *y_sqr) { struct crypto_bignum *r, *num, *qr_or_qnr = NULL; - int r_odd, check, res = -1; + int check, res = -1; u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN]; size_t prime_len = sae->tmp->prime_len; unsigned int mask; @@ -228,7 +197,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae, * r = a random number between 1 and p-1, inclusive * num = (v * r * r) modulo p */ - r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd); + r = dragonfly_get_rand_1_to_p_1(sae->tmp->prime); if (!r) return -1; @@ -249,7 +218,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae, * num = (num * qnr) module p * LGR(num, p) = -1 ==> quadratic residue */ - mask = const_time_is_zero(r_odd); + mask = const_time_is_zero(crypto_bignum_is_odd(r)); const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin); qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len); if (!qr_or_qnr || @@ -306,7 +275,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, if (!y_sqr) return -1; - res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr); + res = is_quadratic_residue_blind(sae, qr, qnr, y_sqr); crypto_bignum_deinit(y_sqr, 1); return res; } diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c index 45ccff455..4c236364f 100644 --- a/src/eap_common/eap_pwd_common.c +++ b/src/eap_common/eap_pwd_common.c @@ -121,14 +121,14 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, const u8 *id_peer, size_t id_peer_len, const u8 *token) { - struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL; + struct crypto_bignum *qr = NULL, *qnr = NULL; struct crypto_bignum *qr_or_qnr = NULL; u8 qr_bin[MAX_ECC_PRIME_LEN]; u8 qnr_bin[MAX_ECC_PRIME_LEN]; u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; u8 x_bin[MAX_ECC_PRIME_LEN]; u8 prime_bin[MAX_ECC_PRIME_LEN]; - struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL; + struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL; struct crypto_hash *hash; unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; int ret = 0, check, res; @@ -151,10 +151,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, primebytelen) < 0) return -1; grp->pwe = crypto_ec_point_init(grp->group); - tmp1 = crypto_bignum_init(); - pm1 = crypto_bignum_init(); - one = crypto_bignum_init_set((const u8 *) "\x01", 1); - if (!grp->pwe || !tmp1 || !pm1 || !one) { + if (!grp->pwe) { wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums"); goto fail; } @@ -164,8 +161,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, "buffer"); goto fail; } - if (crypto_bignum_sub(prime, one, pm1) < 0) - goto fail; /* get a random quadratic residue and nonresidue */ if (dragonfly_get_random_qr_qnr(prime, &qr, &qnr) < 0 || @@ -242,7 +237,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, * * tmp1 is a random number between 1 and p-1 */ - if (crypto_bignum_rand(tmp1, pm1) < 0 || + tmp1 = dragonfly_get_rand_1_to_p_1(prime); + if (!tmp1 || crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0 || crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0) goto fail; @@ -317,13 +313,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, } /* cleanliness and order.... */ crypto_bignum_deinit(x_candidate, 1); - crypto_bignum_deinit(pm1, 0); crypto_bignum_deinit(tmp1, 1); crypto_bignum_deinit(tmp2, 1); crypto_bignum_deinit(qr, 1); crypto_bignum_deinit(qnr, 1); crypto_bignum_deinit(qr_or_qnr, 1); - crypto_bignum_deinit(one, 0); bin_clear_free(prfbuf, primebytelen); os_memset(qr_bin, 0, sizeof(qr_bin)); os_memset(qnr_bin, 0, sizeof(qnr_bin));