Share common SAE and EAP-pwd functionality: random 1..p-1 creation

Use a shared helper function to create a random value in 1..p-1 range
for is_quadratic_residue().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-04-25 20:43:41 +03:00 committed by Jouni Malinen
parent 6c9543fcb7
commit a9615b1b88
4 changed files with 33 additions and 46 deletions

View file

@ -58,3 +58,25 @@ int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
*qr = *qnr = NULL;
return -1;
}
struct crypto_bignum *
dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime)
{
struct crypto_bignum *tmp, *pm1, *one;
tmp = crypto_bignum_init();
pm1 = crypto_bignum_init();
one = crypto_bignum_init_set((const u8 *) "\x01", 1);
if (!tmp || !pm1 || !one ||
crypto_bignum_sub(prime, one, pm1) < 0 ||
crypto_bignum_rand(tmp, pm1) < 0 ||
crypto_bignum_add(tmp, one, tmp) < 0) {
crypto_bignum_deinit(tmp, 0);
tmp = NULL;
}
crypto_bignum_deinit(pm1, 0);
crypto_bignum_deinit(one, 0);
return tmp;
}

View file

@ -16,5 +16,7 @@ int dragonfly_suitable_group(int group, int ecc_only);
int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
struct crypto_bignum **qr,
struct crypto_bignum **qnr);
struct crypto_bignum *
dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime);
#endif /* DRAGONFLY_H */

View file

@ -178,43 +178,12 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
}
static struct crypto_bignum *
get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
int *r_odd)
{
for (;;) {
struct crypto_bignum *r;
u8 tmp[SAE_MAX_ECC_PRIME_LEN];
if (random_get_bytes(tmp, prime_len) < 0)
break;
if (prime_bits % 8)
buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
if (os_memcmp(tmp, prime, prime_len) >= 0)
continue;
r = crypto_bignum_init_set(tmp, prime_len);
if (!r)
break;
if (crypto_bignum_is_zero(r)) {
crypto_bignum_deinit(r, 0);
continue;
}
*r_odd = tmp[prime_len - 1] & 0x01;
return r;
}
return NULL;
}
static int is_quadratic_residue_blind(struct sae_data *sae,
const u8 *prime, size_t bits,
const u8 *qr, const u8 *qnr,
const struct crypto_bignum *y_sqr)
{
struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
int r_odd, check, res = -1;
int check, res = -1;
u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
size_t prime_len = sae->tmp->prime_len;
unsigned int mask;
@ -228,7 +197,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
* r = a random number between 1 and p-1, inclusive
* num = (v * r * r) modulo p
*/
r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
r = dragonfly_get_rand_1_to_p_1(sae->tmp->prime);
if (!r)
return -1;
@ -249,7 +218,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
* num = (num * qnr) module p
* LGR(num, p) = -1 ==> quadratic residue
*/
mask = const_time_is_zero(r_odd);
mask = const_time_is_zero(crypto_bignum_is_odd(r));
const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
if (!qr_or_qnr ||
@ -306,7 +275,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
if (!y_sqr)
return -1;
res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
res = is_quadratic_residue_blind(sae, qr, qnr, y_sqr);
crypto_bignum_deinit(y_sqr, 1);
return res;
}

View file

@ -121,14 +121,14 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
const u8 *id_peer, size_t id_peer_len,
const u8 *token)
{
struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL;
struct crypto_bignum *qr = NULL, *qnr = NULL;
struct crypto_bignum *qr_or_qnr = NULL;
u8 qr_bin[MAX_ECC_PRIME_LEN];
u8 qnr_bin[MAX_ECC_PRIME_LEN];
u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
u8 x_bin[MAX_ECC_PRIME_LEN];
u8 prime_bin[MAX_ECC_PRIME_LEN];
struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL;
struct crypto_hash *hash;
unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
int ret = 0, check, res;
@ -151,10 +151,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
primebytelen) < 0)
return -1;
grp->pwe = crypto_ec_point_init(grp->group);
tmp1 = crypto_bignum_init();
pm1 = crypto_bignum_init();
one = crypto_bignum_init_set((const u8 *) "\x01", 1);
if (!grp->pwe || !tmp1 || !pm1 || !one) {
if (!grp->pwe) {
wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
goto fail;
}
@ -164,8 +161,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
"buffer");
goto fail;
}
if (crypto_bignum_sub(prime, one, pm1) < 0)
goto fail;
/* get a random quadratic residue and nonresidue */
if (dragonfly_get_random_qr_qnr(prime, &qr, &qnr) < 0 ||
@ -242,7 +237,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
*
* tmp1 is a random number between 1 and p-1
*/
if (crypto_bignum_rand(tmp1, pm1) < 0 ||
tmp1 = dragonfly_get_rand_1_to_p_1(prime);
if (!tmp1 ||
crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0 ||
crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0)
goto fail;
@ -317,13 +313,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
}
/* cleanliness and order.... */
crypto_bignum_deinit(x_candidate, 1);
crypto_bignum_deinit(pm1, 0);
crypto_bignum_deinit(tmp1, 1);
crypto_bignum_deinit(tmp2, 1);
crypto_bignum_deinit(qr, 1);
crypto_bignum_deinit(qnr, 1);
crypto_bignum_deinit(qr_or_qnr, 1);
crypto_bignum_deinit(one, 0);
bin_clear_free(prfbuf, primebytelen);
os_memset(qr_bin, 0, sizeof(qr_bin));
os_memset(qnr_bin, 0, sizeof(qnr_bin));