}
+unsigned int dragonfly_min_pwe_loop_iter(int group)
+{
+ if (group == 22 || group == 23 || group == 24) {
+ /* FFC groups for which pwd-value is likely to be >= p
+ * frequently */
+ return 40;
+ }
+
+ if (group == 1 || group == 2 || group == 5 || group == 14 ||
+ group == 15 || group == 16 || group == 17 || group == 18) {
+ /* FFC groups that have prime that is close to a power of two */
+ return 1;
+ }
+
+ /* Default to 40 (this covers most ECC groups) */
+ return 40;
+}
+
+
int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
struct crypto_bignum **qr,
struct crypto_bignum **qnr)
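Review bot: `dragonfly_min_pwe_loop_iter()` has no header comment, and the three return paths only make sense together with the side-channel rationale that currently lives in the sae.c caller ("attacks that attempt to determine the number of iterations required in the loop"). A Doxygen comment above the definition (or on the prototype added in the dragonfly.h hunk) should state that the function returns the minimum number of PWE derivation loop iterations to run for `group` regardless of when a usable pwd-value is found, that 40 is returned for FFC groups 22-24 where pwd-value is frequently >= p and for all other groups including ECC and unrecognised ones, and that 1 is returned for the FFC groups 1, 2, 5 and 14-18 whose primes are close to a power of two. Stating the "unrecognised group falls through to 40" behaviour explicitly matters, since the default branch is the only thing covering groups this function does not list.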
struct crypto_ec;
int dragonfly_suitable_group(int group, int ecc_only);
+unsigned int dragonfly_min_pwe_loop_iter(int group);
int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
struct crypto_bignum **qr,
struct crypto_bignum **qnr);
const u8 *addr2, const u8 *password,
size_t password_len, const char *identifier)
{
- u8 counter, k = 40;
+ u8 counter, k;
u8 addrs[2 * ETH_ALEN];
const u8 *addr[3];
size_t len[3];
* attacks that attempt to determine the number of iterations required
* in the loop.
*/
+ k = dragonfly_min_pwe_loop_iter(sae->group);
+
for (counter = 1; counter <= k || !found; counter++) {
u8 pwd_seed[SHA256_MAC_LEN];
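Review bot: The new `k = dragonfly_min_pwe_loop_iter(sae->group);` line narrows the function's `unsigned int` result into the `u8 k` declared on the changed declaration line, so a future return value above 255 would wrap silently and shrink the minimum iteration count that hides the loop length from timing observation. `counter` is hashed as a one-octet value, so `k` staying `u8` is reasonable, but the narrowing should be explicit and documented: `k = (u8) dragonfly_min_pwe_loop_iter(sae->group); /* 1 or 40; fits the one-octet counter */`. The same assignment appears in the sae_derive_pwe_ffc hunk below and should get the same treatment. sae_derive_pwe_ecc starts outside this hunk.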
}
-static int sae_modp_group_require_masking(int group)
-{
- /* Groups for which pwd-value is likely to be >= p frequently */
- return group == 22 || group == 23 || group == 24;
-}
-
-
static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
const u8 *addr2, const u8 *password,
size_t password_len, const char *identifier)
len[num_elem] = sizeof(counter);
num_elem++;
- k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
+ k = dragonfly_min_pwe_loop_iter(sae->group);
for (counter = 1; counter <= k || !found; counter++) {
u8 pwd_seed[SHA256_MAC_LEN];