jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

dragonfly: SAE/EAP-pwd min PWE derivation iteration count to shared code

Browse source 
Use a shared function to determine the k parameter, i.e., the minimum
number of iterations of the PWE derivation loop, for SAE and EAP-pwd.
This makes it easier to fine-tune the parameter based on the negotiated
group, if desired.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-07-23 21:21:30 +03:00 committed by Jouni Malinen
parent 036fc6bdbd
commit bfb6a482f6
3 changed files with 24 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
src/common/dragonfly.c
View file

@ -29,6 +29,25 @@ int dragonfly_suitable_group(int group, int ecc_only)
} }
unsigned int dragonfly_min_pwe_loop_iter(int group)
{
if (group == 22 || group == 23 || group == 24) {
/* FFC groups for which pwd-value is likely to be >= p
* frequently */
return 40;
}
if (group == 1 || group == 2 || group == 5 || group == 14 ||
group == 15 || group == 16 || group == 17 || group == 18) {
/* FFC groups that have prime that is close to a power of two */
return 1;
}
/* Default to 40 (this covers most ECC groups) */
return 40;
}
int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime, int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
struct crypto_bignum **qr, struct crypto_bignum **qr,
struct crypto_bignum **qnr) struct crypto_bignum **qnr)

1
src/common/dragonfly.h
View file

@ -16,6 +16,7 @@ struct crypto_bignum;
struct crypto_ec; struct crypto_ec;
int dragonfly_suitable_group(int group, int ecc_only); int dragonfly_suitable_group(int group, int ecc_only);
unsigned int dragonfly_min_pwe_loop_iter(int group);
int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime, int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
struct crypto_bignum **qr, struct crypto_bignum **qr,
struct crypto_bignum **qnr); struct crypto_bignum **qnr);

13
src/common/sae.c
View file

@ -275,7 +275,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
const u8 *addr2, const u8 *password, const u8 *addr2, const u8 *password,
size_t password_len, const char *identifier) size_t password_len, const char *identifier)
{ {
u8 counter, k = 40; u8 counter, k;
u8 addrs[2 * ETH_ALEN]; u8 addrs[2 * ETH_ALEN];
const u8 *addr[3]; const u8 *addr[3];
size_t len[3]; size_t len[3];
@ -346,6 +346,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
* attacks that attempt to determine the number of iterations required * attacks that attempt to determine the number of iterations required
* in the loop. * in the loop.
*/ */
k = dragonfly_min_pwe_loop_iter(sae->group);
for (counter = 1; counter <= k || !found; counter++) { for (counter = 1; counter <= k || !found; counter++) {
u8 pwd_seed[SHA256_MAC_LEN]; u8 pwd_seed[SHA256_MAC_LEN];
@ -427,13 +429,6 @@ fail:
} }
static int sae_modp_group_require_masking(int group)
{
/* Groups for which pwd-value is likely to be >= p frequently */
return group == 22 || group == 23 || group == 24;
}
static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1, static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
const u8 *addr2, const u8 *password, const u8 *addr2, const u8 *password,
size_t password_len, const char *identifier) size_t password_len, const char *identifier)
@ -482,7 +477,7 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
len[num_elem] = sizeof(counter); len[num_elem] = sizeof(counter);
num_elem++; num_elem++;
k = sae_modp_group_require_masking(sae->group) ? 40 : 1; k = dragonfly_min_pwe_loop_iter(sae->group);
for (counter = 1; counter <= k || !found; counter++) { for (counter = 1; counter <= k || !found; counter++) {
u8 pwd_seed[SHA256_MAC_LEN]; u8 pwd_seed[SHA256_MAC_LEN];