dragonfly: SAE/EAP-pwd min PWE derivation iteration count to shared code
Use a shared function to determine the k parameter, i.e., the minimum number of iterations of the PWE derivation loop, for SAE and EAP-pwd. This makes it easier to fine-tune the parameter based on the negotiated group, if desired. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
036fc6bdbd
commit
bfb6a482f6
3 changed files with 24 additions and 9 deletions
|
|
@ -29,6 +29,25 @@ int dragonfly_suitable_group(int group, int ecc_only)
|
|||
}
|
||||
|
||||
|
||||
unsigned int dragonfly_min_pwe_loop_iter(int group)
|
||||
{
|
||||
if (group == 22 || group == 23 || group == 24) {
|
||||
/* FFC groups for which pwd-value is likely to be >= p
|
||||
* frequently */
|
||||
return 40;
|
||||
}
|
||||
|
||||
if (group == 1 || group == 2 || group == 5 || group == 14 ||
|
||||
group == 15 || group == 16 || group == 17 || group == 18) {
|
||||
/* FFC groups that have prime that is close to a power of two */
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Default to 40 (this covers most ECC groups) */
|
||||
return 40;
|
||||
}
|
||||
|
||||
|
||||
int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
|
||||
struct crypto_bignum **qr,
|
||||
struct crypto_bignum **qnr)
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ struct crypto_bignum;
|
|||
struct crypto_ec;
|
||||
|
||||
int dragonfly_suitable_group(int group, int ecc_only);
|
||||
unsigned int dragonfly_min_pwe_loop_iter(int group);
|
||||
int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
|
||||
struct crypto_bignum **qr,
|
||||
struct crypto_bignum **qnr);
|
||||
|
|
|
|||
|
|
@ -275,7 +275,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
|
|||
const u8 *addr2, const u8 *password,
|
||||
size_t password_len, const char *identifier)
|
||||
{
|
||||
u8 counter, k = 40;
|
||||
u8 counter, k;
|
||||
u8 addrs[2 * ETH_ALEN];
|
||||
const u8 *addr[3];
|
||||
size_t len[3];
|
||||
|
|
@ -346,6 +346,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
|
|||
* attacks that attempt to determine the number of iterations required
|
||||
* in the loop.
|
||||
*/
|
||||
k = dragonfly_min_pwe_loop_iter(sae->group);
|
||||
|
||||
for (counter = 1; counter <= k || !found; counter++) {
|
||||
u8 pwd_seed[SHA256_MAC_LEN];
|
||||
|
||||
|
|
@ -427,13 +429,6 @@ fail:
|
|||
}
|
||||
|
||||
|
||||
static int sae_modp_group_require_masking(int group)
|
||||
{
|
||||
/* Groups for which pwd-value is likely to be >= p frequently */
|
||||
return group == 22 || group == 23 || group == 24;
|
||||
}
|
||||
|
||||
|
||||
static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
|
||||
const u8 *addr2, const u8 *password,
|
||||
size_t password_len, const char *identifier)
|
||||
|
|
@ -482,7 +477,7 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
|
|||
len[num_elem] = sizeof(counter);
|
||||
num_elem++;
|
||||
|
||||
k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
|
||||
k = dragonfly_min_pwe_loop_iter(sae->group);
|
||||
|
||||
for (counter = 1; counter <= k || !found; counter++) {
|
||||
u8 pwd_seed[SHA256_MAC_LEN];
|
||||
|
|
|
|||
Loading…
Reference in a new issue