From: Jouni Malinen
Date: Tue, 23 Jul 2019 18:21:30 +0000 (+0300)
Subject: dragonfly: SAE/EAP-pwd min PWE derivation iteration count to shared code
X-Git-Tag: hostap_2_9~64
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bfb6a482f6ed805f01bfafe201a5a7226c55ee9b;p=thirdparty%2Fhostap.git

dragonfly: SAE/EAP-pwd min PWE derivation iteration count to shared code

Use a shared function to determine the k parameter, i.e., the minimum number of iterations of the PWE derivation loop, for SAE and EAP-pwd. This makes it easier to fine-tune the parameter based on the negotiated group, if desired.

Signed-off-by: Jouni Malinen
---
diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c
index e98bce682..233ae68a7 100644
--- a/src/common/dragonfly.c
+++ b/src/common/dragonfly.c
@@ -29,6 +29,25 @@ int dragonfly_suitable_group(int group, int ecc_only)
 }
 
 
+unsigned int dragonfly_min_pwe_loop_iter(int group)
+{
+	if (group == 22 || group == 23 || group == 24) {
+		/* FFC groups for which pwd-value is likely to be >= p
+		 * frequently */
+		return 40;
+	}
+
+	if (group == 1 || group == 2 || group == 5 || group == 14 ||
+	    group == 15 || group == 16 || group == 17 || group == 18) {
+		/* FFC groups that have prime that is close to a power of two */
+		return 1;
+	}
+
+	/* Default to 40 (this covers most ECC groups) */
+	return 40;
+}
+
+
 int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
 				struct crypto_bignum **qr,
 				struct crypto_bignum **qnr)
diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h
index e7627ef06..ec3dd593e 100644
--- a/src/common/dragonfly.h
+++ b/src/common/dragonfly.h
@@ -16,6 +16,7 @@ struct crypto_bignum;
 struct crypto_ec;
 
 int dragonfly_suitable_group(int group, int ecc_only);
+unsigned int dragonfly_min_pwe_loop_iter(int group);
 int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
 				struct crypto_bignum **qr,
 				struct crypto_bignum **qnr);
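Review bot: `dragonfly_min_pwe_loop_iter()` is a timing-side-channel parameter, yet neither its definition in dragonfly.c nor the new prototype in dragonfly.h documents it; the only explanation of what k does is the comment in the sae.c caller. Suggest a Doxygen block on the prototype stating that the return value is the minimum number of PWE derivation loop iterations executed regardless of when a valid element is found, that it is chosen per negotiated group, and that the existing callers store it in a `u8`, so values must stay below 256. In the body, the first branch (groups 22, 23, 24) returns the same 40 as the fall-through default, so it exists only to carry its comment and a reader may take it for a distinct case; make that explicit, e.g. `/* Same value as the default; listed separately to document why masking is needed here */`, so a later change to the default cannot silently alter these groups without review. The function is complete within the hunk.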
diff --git a/src/common/sae.c b/src/common/sae.c
index 0da7145e2..2d520939a 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -275,7 +275,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
 			      const u8 *addr2, const u8 *password,
 			      size_t password_len, const char *identifier)
 {
-	u8 counter, k = 40;
+	u8 counter, k;
 	u8 addrs[2 * ETH_ALEN];
 	const u8 *addr[3];
 	size_t len[3];
@@ -346,6 +346,8 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
 	 * attacks that attempt to determine the number of iterations required
 	 * in the loop. */
 
+	k = dragonfly_min_pwe_loop_iter(sae->group);
+
 	for (counter = 1; counter <= k || !found; counter++) {
 		u8 pwd_seed[SHA256_MAC_LEN];
 
@@ -427,13 +429,6 @@ fail:
 }
 
 
-static int sae_modp_group_require_masking(int group)
-{
-	/* Groups for which pwd-value is likely to be >= p frequently */
-	return group == 22 || group == 23 || group == 24;
-}
-
-
 static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
 			      const u8 *addr2, const u8 *password,
 			      size_t password_len, const char *identifier)
@@ -482,7 +477,7 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
 	len[num_elem] = sizeof(counter);
 	num_elem++;
 
-	k = sae_modp_group_require_masking(sae->group) ? 40 : 1;
+	k = dragonfly_min_pwe_loop_iter(sae->group);
 
 	for (counter = 1; counter <= k || !found; counter++) {
 		u8 pwd_seed[SHA256_MAC_LEN];
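Review bot: The `unsigned int` returned by `dragonfly_min_pwe_loop_iter()` is narrowed into `u8 k` at the new assignment in `sae_derive_pwe_ecc` (second hunk; the declaration `u8 counter, k;` is in the first hunk) and presumably likewise in `sae_derive_pwe_ffc` (fourth hunk), whose declaration of k lies outside the hunk; the values 1 and 40 fit today, but the commit's stated purpose is per-group tuning, and a value of 256 or more would be silently truncated and weaken the iteration masking the preceding comment describes. `counter` should stay `u8` because `len[num_elem] = sizeof(counter)` feeds it into the derivation input as one octet, so the bound belongs on k: either widen `k` to `unsigned int` in both functions, or keep `u8 k` and add at each assignment `/* k must stay < 256: counter is a single octet in the PWE derivation input */`. Both enclosing functions begin and end outside the hunks shown.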