dragonfly: SAE/EAP-pwd min PWE derivation iteration count to shared code

Use a shared function to determine the k parameter, i.e., the minimum number of iterations of the PWE derivation loop, for SAE and EAP-pwd. This makes it easier to fine-tune the parameter based on the negotiated group, if desired. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-07-23 21:21:30 +03:00 · 2019-07-23 21:21:30 +03:00 · bfb6a482f6
commit bfb6a482f6
parent 036fc6bdbd
3 changed files with 24 additions and 9 deletions
--- a/src/common/dragonfly.c
+++ b/src/common/dragonfly.c
@ -29,6 +29,25 @@ int dragonfly_suitable_group(int group, int ecc_only)
 }


+unsigned int dragonfly_min_pwe_loop_iter(int group)
+{
+	if (group == 22 || group == 23 || group == 24) {
+		/* FFC groups for which pwd-value is likely to be >= p
+		 * frequently */
+		return 40;
+	}
+
+	if (group == 1 || group == 2 || group == 5 || group == 14 ||
+	    group == 15 || group == 16 || group == 17 || group == 18) {
+		/* FFC groups that have prime that is close to a power of two */
+		return 1;
+	}
+
+	/* Default to 40 (this covers most ECC groups) */
+	return 40;
+}
+
+
 int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
 				struct crypto_bignum **qr,
 				struct crypto_bignum **qnr)
--- a/src/common/dragonfly.h
+++ b/src/common/dragonfly.h
@ -16,6 +16,7 @@ struct crypto_bignum;
 struct crypto_ec;

 int dragonfly_suitable_group(int group, int ecc_only);
+unsigned int dragonfly_min_pwe_loop_iter(int group);
 int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
 				struct crypto_bignum **qr,
 				struct crypto_bignum **qnr);
--- a/src/common/sae.c
+++ b/src/common/sae.c
@ -275,7 +275,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
 			      const u8 *addr2, const u8 *password,
 			      size_t password_len, const char *identifier)
 {
-	u8 counter, k = 40;
+	u8 counter, k;
 	u8 addrs[2 * ETH_ALEN];
 	const u8 *addr[3];
 	size_t len[3];
@ -346,6 +346,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
 	 * attacks that attempt to determine the number of iterations required
 	 * in the loop.
 	 */
+	k = dragonfly_min_pwe_loop_iter(sae->group);
+
 	for (counter = 1; counter <= k || !found; counter++) {
 		u8 pwd_seed[SHA256_MAC_LEN];

@ -427,13 +429,6 @@ fail:
 }


-static int sae_modp_group_require_masking(int group)
-{
-	/* Groups for which pwd-value is likely to be >= p frequently */
-	return group == 22 || group == 23 || group == 24;
-}
-
-
 static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
 			      const u8 *addr2, const u8 *password,
 			      size_t password_len, const char *identifier)
@ -482,7 +477,7 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
 	len[num_elem] = sizeof(counter);
 	num_elem++;

-	k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
+	k = dragonfly_min_pwe_loop_iter(sae->group);

 	for (counter = 1; counter <= k || !found; counter++) {
 		u8 pwd_seed[SHA256_MAC_LEN];