SAE: Use random "password" in extra hunting-and-pecking loops
authorJouni Malinen <j@w1.fi>
Fri, 26 Jun 2015 08:44:22 +0000 (11:44 +0300)
committerJouni Malinen <j@w1.fi>
Fri, 26 Jun 2015 19:41:51 +0000 (22:41 +0300)
If PWE is discovered before the minimum number of loops (k) is reached,
the extra iterations use a random "password" to further obfuscate the
cost of discovering PWE.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/common/sae.c

index e30246647faa8ae123ee7e18923f43122d22a6fc..eb5157bc19339517ddf9c7af85ada66911f2a564 100644 (file)
@@ -423,6 +423,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
        u8 addrs[2 * ETH_ALEN];
        const u8 *addr[2];
        size_t len[2];
+       u8 dummy_password[32];
+       size_t dummy_password_len;
        int pwd_seed_odd = 0;
        u8 prime[SAE_MAX_ECC_PRIME_LEN];
        size_t prime_len;
@@ -430,6 +432,12 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
        size_t bits;
        int res;
 
+       dummy_password_len = password_len;
+       if (dummy_password_len > sizeof(dummy_password))
+               dummy_password_len = sizeof(dummy_password);
+       if (random_get_bytes(dummy_password, dummy_password_len) < 0)
+               return -1;
+
        prime_len = sae->tmp->prime_len;
        if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
                                 prime_len) < 0)
@@ -449,8 +457,9 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
 
        /*
         * H(salt, ikm) = HMAC-SHA256(salt, ikm)
+        * base = password
         * pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
-        *              password || counter)
+        *              base || counter)
         */
        sae_pwd_seed_key(addr1, addr2, addrs);
 
@@ -490,6 +499,13 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
                        x = x_cand;
                        pwd_seed_odd = pwd_seed[SHA256_MAC_LEN - 1] & 0x01;
                        os_memset(pwd_seed, 0, sizeof(pwd_seed));
+
+                       /*
+                        * Use a dummy password for the following rounds, if
+                        * any.
+                        */
+                       addr[0] = dummy_password;
+                       len[0] = dummy_password_len;
                } else if (res > 0) {
                        crypto_bignum_deinit(x_cand, 1);
                }
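Review bot: The dummy password is capped at 32 bytes by `if (dummy_password_len > sizeof(dummy_password))` in the second hunk, so when the real password is longer than 32 bytes the extra rounds after PWE is found feed a shorter `base || counter` into HMAC-SHA256 than the genuine rounds did, which is exactly the cost difference the commit message says the extra rounds are meant to hide. Whether the length mismatch is observable depends on SHA-256 block boundaries and the HMAC implementation, but a comment at the cap should at least record the limitation, e.g. `/* Dummy password is truncated to 32 bytes; a longer real password makes the extra rounds hash a shorter input than the real ones. */`, or the buffer could be sized to the longest password the caller accepts so the lengths always match. sae_derive_pwe_ecc starts before the first hunk and ends after the last one.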