dragonfly: Disable use of groups using Brainpool curves

Disable groups that use Brainpool curves for now since they leak more
timing information due to the prime not being close to a power of two.
This removes use of groups 28, 29, and 30 from SAE and EAP-pwd.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c
index 233ae68a75c10f91dd0cefd05fa34ad73279bdc4..547be66f1561fb14523b1e705ae85827d43d6319 100644 (file)
--- a/src/common/dragonfly.c
+++ b/src/common/dragonfly.c
@@ -21,9 +21,11 @@ int dragonfly_suitable_group(int group, int ecc_only)
         * purposes: FFC groups whose prime is >= 3072 bits and ECC groups
         * defined over a prime field whose prime is >= 256 bits. Furthermore,
         * ECC groups defined over a characteristic 2 finite field and ECC
-        * groups with a co-factor greater than 1 are not suitable. */
+        * groups with a co-factor greater than 1 are not suitable. Disable
+        * groups that use Brainpool curves as well for now since they leak more
+        * timing information due to the prime not being close to a power of
+        * two. */
        return group == 19 || group == 20 || group == 21 ||
-               group == 28 || group == 29 || group == 30 ||
                (!ecc_only &&
                 (group == 15 || group == 16 || group == 17 || group == 18));
 }