Share common SAE and EAP-pwd functionality: random 1..p-1 creation

Use a shared helper function to create a random value in 1..p-1 range
for is_quadratic_residue().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c
index 334f492d429773367767b05dbdbc74c92ee567ea..d4c3561b5824c19a6a9e5d8928c914bea27aae56 100644 (file)
--- a/src/common/dragonfly.c
+++ b/src/common/dragonfly.c
@@ -58,3 +58,25 @@ int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
        *qr = *qnr = NULL;
        return -1;
 }
+
+
+struct crypto_bignum *
+dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime)
+{
+       struct crypto_bignum *tmp, *pm1, *one;
+
+       tmp = crypto_bignum_init();
+       pm1 = crypto_bignum_init();
+       one = crypto_bignum_init_set((const u8 *) "\x01", 1);
+       if (!tmp || !pm1 || !one ||
+           crypto_bignum_sub(prime, one, pm1) < 0 ||
+           crypto_bignum_rand(tmp, pm1) < 0 ||
+           crypto_bignum_add(tmp, one, tmp) < 0) {
+               crypto_bignum_deinit(tmp, 0);
+               tmp = NULL;
+       }
+
+       crypto_bignum_deinit(pm1, 0);
+       crypto_bignum_deinit(one, 0);
+       return tmp;
+}

diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h
index 99a185159a9fb31309710cc1f16a64d3332d711b..d03fb73184e842bf2a33b97041fdaafdc266a4be 100644 (file)
--- a/src/common/dragonfly.h
+++ b/src/common/dragonfly.h
@@ -16,5 +16,7 @@ int dragonfly_suitable_group(int group, int ecc_only);
 int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
                                struct crypto_bignum **qr,
                                struct crypto_bignum **qnr);
+struct crypto_bignum *
+dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime);
 
 #endif /* DRAGONFLY_H */

diff --git a/src/common/sae.c b/src/common/sae.c
index 67d83edd077dc2819107a380aed34d8c0d89fb55..0d8ed1c5b154b9c1ecc19dfdf89bfccbd1e86f1c 100644 (file)
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -178,43 +178,12 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
 }
 
 
-static struct crypto_bignum *
-get_rand_1_to_p_1(const u8 *prime, size_t prime_len, size_t prime_bits,
-                 int *r_odd)
-{
-       for (;;) {
-               struct crypto_bignum *r;
-               u8 tmp[SAE_MAX_ECC_PRIME_LEN];
-
-               if (random_get_bytes(tmp, prime_len) < 0)
-                       break;
-               if (prime_bits % 8)
-                       buf_shift_right(tmp, prime_len, 8 - prime_bits % 8);
-               if (os_memcmp(tmp, prime, prime_len) >= 0)
-                       continue;
-               r = crypto_bignum_init_set(tmp, prime_len);
-               if (!r)
-                       break;
-               if (crypto_bignum_is_zero(r)) {
-                       crypto_bignum_deinit(r, 0);
-                       continue;
-               }
-
-               *r_odd = tmp[prime_len - 1] & 0x01;
-               return r;
-       }
-
-       return NULL;
-}
-
-
 static int is_quadratic_residue_blind(struct sae_data *sae,
-                                     const u8 *prime, size_t bits,
                                      const u8 *qr, const u8 *qnr,
                                      const struct crypto_bignum *y_sqr)
 {
        struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
-       int r_odd, check, res = -1;
+       int check, res = -1;
        u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
        size_t prime_len = sae->tmp->prime_len;
        unsigned int mask;
@@ -228,7 +197,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
         * r = a random number between 1 and p-1, inclusive
         * num = (v * r * r) modulo p
         */
-       r = get_rand_1_to_p_1(prime, prime_len, bits, &r_odd);
+       r = dragonfly_get_rand_1_to_p_1(sae->tmp->prime);
        if (!r)
                return -1;
 
@@ -249,7 +218,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
         * num = (num * qnr) module p
         * LGR(num, p) = -1 ==> quadratic residue
         */
-       mask = const_time_is_zero(r_odd);
+       mask = const_time_is_zero(crypto_bignum_is_odd(r));
        const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
        qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
        if (!qr_or_qnr ||
@@ -306,7 +275,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
        if (!y_sqr)
                return -1;
 
-       res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
+       res = is_quadratic_residue_blind(sae, qr, qnr, y_sqr);
        crypto_bignum_deinit(y_sqr, 1);
        return res;
 }

diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
index 45ccff4557c92fcfbf27a3269fad6425c7e21d6c..4c236364fad72a8ed8dccbdc6724c2281782809e 100644 (file)
--- a/src/eap_common/eap_pwd_common.c
+++ b/src/eap_common/eap_pwd_common.c
@@ -121,14 +121,14 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
                             const u8 *id_peer, size_t id_peer_len,
                             const u8 *token)
 {
-       struct crypto_bignum *qr = NULL, *qnr = NULL, *one = NULL;
+       struct crypto_bignum *qr = NULL, *qnr = NULL;
        struct crypto_bignum *qr_or_qnr = NULL;
        u8 qr_bin[MAX_ECC_PRIME_LEN];
        u8 qnr_bin[MAX_ECC_PRIME_LEN];
        u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
        u8 x_bin[MAX_ECC_PRIME_LEN];
        u8 prime_bin[MAX_ECC_PRIME_LEN];
-       struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL;
+       struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL;
        struct crypto_hash *hash;
        unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
        int ret = 0, check, res;
@@ -151,10 +151,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
                                 primebytelen) < 0)
                return -1;
        grp->pwe = crypto_ec_point_init(grp->group);
-       tmp1 = crypto_bignum_init();
-       pm1 = crypto_bignum_init();
-       one = crypto_bignum_init_set((const u8 *) "\x01", 1);
-       if (!grp->pwe || !tmp1 || !pm1 || !one) {
+       if (!grp->pwe) {
                wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
                goto fail;
        }
@@ -164,8 +161,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
                           "buffer");
                goto fail;
        }
-       if (crypto_bignum_sub(prime, one, pm1) < 0)
-               goto fail;
 
        /* get a random quadratic residue and nonresidue */
        if (dragonfly_get_random_qr_qnr(prime, &qr, &qnr) < 0 ||
@@ -242,7 +237,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
                 *
                 * tmp1 is a random number between 1 and p-1
                 */
-               if (crypto_bignum_rand(tmp1, pm1) < 0 ||
+               tmp1 = dragonfly_get_rand_1_to_p_1(prime);
+               if (!tmp1 ||
                    crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0 ||
                    crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0)
                        goto fail;
@@ -317,13 +313,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
        }
        /* cleanliness and order.... */
        crypto_bignum_deinit(x_candidate, 1);
-       crypto_bignum_deinit(pm1, 0);
        crypto_bignum_deinit(tmp1, 1);
        crypto_bignum_deinit(tmp2, 1);
        crypto_bignum_deinit(qr, 1);
        crypto_bignum_deinit(qnr, 1);
        crypto_bignum_deinit(qr_or_qnr, 1);
-       crypto_bignum_deinit(one, 0);
        bin_clear_free(prfbuf, primebytelen);
        os_memset(qr_bin, 0, sizeof(qr_bin));
        os_memset(qnr_bin, 0, sizeof(qnr_bin));