SAE: Store the group order in EC context data

This makes the SAE implementation a bit simpler by not having to build
the bignum for group order during execution.

Signed-hostap: Jouni Malinen <j@w1.fi>

diff --git a/src/common/sae.c b/src/common/sae.c
index c83d48e0f0821835f6cda0678723cde5b1d3c0a3..19f9bd3d96a3f9540c1b6ecf2ddf21287b4f2e75 100644 (file)
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -227,7 +227,7 @@ static int sae_derive_pwe(struct sae_data *sae, const u8 *addr1,
 
 static int sae_derive_commit(struct sae_data *sae, struct crypto_ec_point *pwe)
 {
-       struct crypto_bignum *x, *bn_rand, *bn_mask, *order;
+       struct crypto_bignum *x, *bn_rand, *bn_mask;
        struct crypto_ec_point *elem;
        u8 mask[SAE_MAX_PRIME_LEN];
        int ret = -1;
@@ -241,15 +241,13 @@ static int sae_derive_commit(struct sae_data *sae, struct crypto_ec_point *pwe)
        x = crypto_bignum_init();
        bn_rand = crypto_bignum_init_set(sae->sae_rand, sae->prime_len);
        bn_mask = crypto_bignum_init_set(mask, sizeof(mask));
-       order = crypto_bignum_init_set(group19_order, sizeof(group19_order));
        elem = crypto_ec_point_init(sae->ec);
-       if (x == NULL || bn_rand == NULL || bn_mask == NULL || order == NULL ||
-           elem == NULL)
+       if (x == NULL || bn_rand == NULL || bn_mask == NULL || elem == NULL)
                goto fail;
 
        /* commit-scalar = (rand + mask) modulo r */
        crypto_bignum_add(bn_rand, bn_mask, x);
-       crypto_bignum_mod(x, order, x);
+       crypto_bignum_mod(x, crypto_ec_get_order(sae->ec), x);
        crypto_bignum_to_bin(x, sae->own_commit_scalar,
                             sizeof(sae->own_commit_scalar), sae->prime_len);
        wpa_hexdump(MSG_DEBUG, "SAE: commit-scalar",
@@ -271,7 +269,6 @@ static int sae_derive_commit(struct sae_data *sae, struct crypto_ec_point *pwe)
        ret = 0;
 fail:
        crypto_ec_point_deinit(elem, 0);
-       crypto_bignum_deinit(order, 0);
        crypto_bignum_deinit(bn_mask, 1);
        os_memset(mask, 0, sizeof(mask));
        crypto_bignum_deinit(bn_rand, 1);
@@ -378,17 +375,15 @@ static int sae_derive_keys(struct sae_data *sae, const u8 *k)
        u8 null_key[SAE_KEYSEED_KEY_LEN], val[SAE_MAX_PRIME_LEN];
        u8 keyseed[SHA256_MAC_LEN];
        u8 keys[SAE_KCK_LEN + SAE_PMK_LEN];
-       struct crypto_bignum *order, *own_scalar, *peer_scalar, *tmp;
+       struct crypto_bignum *own_scalar, *peer_scalar, *tmp;
        int ret = -1;
 
-       order = crypto_bignum_init_set(group19_order, sizeof(group19_order));
        own_scalar = crypto_bignum_init_set(sae->own_commit_scalar,
                                            sae->prime_len);
        peer_scalar = crypto_bignum_init_set(sae->peer_commit_scalar,
                                             sae->prime_len);
        tmp = crypto_bignum_init();
-       if (order == NULL || own_scalar == NULL || peer_scalar == NULL ||
-           tmp == NULL)
+       if (own_scalar == NULL || peer_scalar == NULL || tmp == NULL)
                goto fail;
 
        /* keyseed = H(<0>32, k)
@@ -402,7 +397,7 @@ static int sae_derive_keys(struct sae_data *sae, const u8 *k)
        wpa_hexdump_key(MSG_DEBUG, "SAE: keyseed", keyseed, sizeof(keyseed));
 
        crypto_bignum_add(own_scalar, peer_scalar, tmp);
-       crypto_bignum_mod(tmp, order, tmp);
+       crypto_bignum_mod(tmp, crypto_ec_get_order(sae->ec), tmp);
        crypto_bignum_to_bin(tmp, val, sizeof(val), sae->prime_len);
        wpa_hexdump(MSG_DEBUG, "SAE: PMKID", val, SAE_PMKID_LEN);
        sha256_prf(keyseed, sizeof(keyseed), "SAE KCK and PMK",
@@ -417,7 +412,6 @@ fail:
        crypto_bignum_deinit(tmp, 0);
        crypto_bignum_deinit(peer_scalar, 0);
        crypto_bignum_deinit(own_scalar, 0);
-       crypto_bignum_deinit(order, 0);
        return ret;
 }
 

diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h
index da1dfc7f3bf02ec0172ffe05b631f52a603d8900..63c2fa1389a985f28783f6f7a907fbb88cc69bfc 100644 (file)
--- a/src/crypto/crypto.h
+++ b/src/crypto/crypto.h
@@ -549,6 +549,13 @@ void crypto_ec_deinit(struct crypto_ec *e);
  */
 size_t crypto_ec_prime_len(struct crypto_ec *e);
 
+/**
+ * crypto_ec_get_order - Get order of an EC group
+ * @e: EC context from crypto_ec_init()
+ * Returns: Order (bignum) of the group
+ */
+const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
+
 /**
  * struct crypto_ec_point - Elliptic curve point
  *

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index 386987aa41697d2f762e7bfab45008839542671e..c6b5d933afcb7786b0c7653c637e7760edc2cb8a 100644 (file)
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -901,6 +901,7 @@ struct crypto_ec {
        EC_GROUP *group;
        BN_CTX *bnctx;
        size_t prime_len;
+       BIGNUM *order;
 };
 
 struct crypto_ec * crypto_ec_init(int group)
@@ -917,7 +918,9 @@ struct crypto_ec * crypto_ec_init(int group)
        e->prime_len = 32;
        e->bnctx = BN_CTX_new();
        e->group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
-       if (e->group == NULL || e->bnctx == NULL) {
+       e->order = BN_new();
+       if (e->group == NULL || e->bnctx == NULL || e->order == NULL ||
+           !EC_GROUP_get_order(e->group, e->order, e->bnctx)) {
                crypto_ec_deinit(e);
                e = NULL;
        }
@@ -930,6 +933,7 @@ void crypto_ec_deinit(struct crypto_ec *e)
 {
        if (e == NULL)
                return;
+       BN_free(e->order);
        EC_GROUP_free(e->group);
        BN_CTX_free(e->bnctx);
        os_free(e);
@@ -950,6 +954,12 @@ size_t crypto_ec_prime_len(struct crypto_ec *e)
 }
 
 
+const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e)
+{
+       return (const struct crypto_bignum *) e->order;
+}
+
+
 void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear)
 {
        if (clear)