SAE: Add forgotten commit element validation step for FFC groups

The peer commit element needs to be validated to pass one of the steps
listed in IEEE 802.11, 11.3.5.4:
scalar-op(r, ELEMENT) = 1 modulo p

Similar step was present for ECC groups, but was missing for FFC groups.
This is needed to avoid dictionary attacks.

Thanks to Michael Roßberg and Sascha Grau for reporting this.

Signed-hostap: Jouni Malinen <j@w1.fi>

diff --git a/src/common/sae.c b/src/common/sae.c
index 900702a59321c48a3804d33ff1b332d85e91765f..bce60a3774bd8c6af382bfffc130f4213e1738f6 100644 (file)
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -828,6 +828,8 @@ static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
 static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
                                        const u8 *end)
 {
+       struct crypto_bignum *res;
+
        if (pos + sae->tmp->prime_len > end) {
                wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
                           "commit-element");
@@ -849,6 +851,18 @@ static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
                return WLAN_STATUS_UNSPECIFIED_FAILURE;
        }
 
+       /* scalar-op(r, ELEMENT) = 1 modulo p */
+       res = crypto_bignum_init();
+       if (res == NULL ||
+           crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,
+                                 sae->tmp->order, sae->tmp->prime, res) < 0 ||
+           !crypto_bignum_is_one(res)) {
+               wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)");
+               crypto_bignum_deinit(res, 0);
+               return WLAN_STATUS_UNSPECIFIED_FAILURE;
+       }
+       crypto_bignum_deinit(res, 0);
+
        return WLAN_STATUS_SUCCESS;
 }