Share common SAE and EAP-pwd functionality: is_quadratic_residue

Use a shared helper function for the blinded mechanism of determining
the Legendre symbol.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-04-25 22:35:14 +03:00 committed by Jouni Malinen
parent a9615b1b88
commit 17749e948a
4 changed files with 93 additions and 115 deletions

View File

@ -10,6 +10,7 @@
#include "utils/includes.h"
#include "utils/common.h"
#include "utils/const_time.h"
#include "crypto/crypto.h"
#include "dragonfly.h"
@ -60,7 +61,7 @@ int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
}
struct crypto_bignum *
static struct crypto_bignum *
dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime)
{
struct crypto_bignum *tmp, *pm1, *one;
@ -80,3 +81,76 @@ dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime)
crypto_bignum_deinit(one, 0);
return tmp;
}
int dragonfly_is_quadratic_residue_blind(struct crypto_ec *ec,
const u8 *qr, const u8 *qnr,
const struct crypto_bignum *val)
{
struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
int check, res = -1;
u8 qr_or_qnr_bin[DRAGONFLY_MAX_ECC_PRIME_LEN];
const struct crypto_bignum *prime;
size_t prime_len;
unsigned int mask;
prime = crypto_ec_get_prime(ec);
prime_len = crypto_ec_prime_len(ec);
/*
* Use a blinding technique to mask val while determining whether it is
* a quadratic residue modulo p to avoid leaking timing information
* while determining the Legendre symbol.
*
* v = val
* r = a random number between 1 and p-1, inclusive
* num = (v * r * r) modulo p
*/
r = dragonfly_get_rand_1_to_p_1(prime);
if (!r)
return -1;
num = crypto_bignum_init();
if (!num ||
crypto_bignum_mulmod(val, r, prime, num) < 0 ||
crypto_bignum_mulmod(num, r, prime, num) < 0)
goto fail;
/*
* Need to minimize differences in handling different cases, so try to
* avoid branches and timing differences.
*
* If r is odd:
* num = (num * qr) module p
* LGR(num, p) = 1 ==> quadratic residue
* else:
* num = (num * qnr) module p
* LGR(num, p) = -1 ==> quadratic residue
*
* mask is set to !odd(r)
*/
mask = const_time_is_zero(crypto_bignum_is_odd(r));
const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
if (!qr_or_qnr ||
crypto_bignum_mulmod(num, qr_or_qnr, prime, num) < 0)
goto fail;
/* branchless version of check = odd(r) ? 1 : -1, */
check = const_time_select_int(mask, -1, 1);
/* Determine the Legendre symbol on the masked value */
res = crypto_bignum_legendre(num, prime);
if (res == -2) {
res = -1;
goto fail;
}
/* branchless version of res = res == check
* (res is -1, 0, or 1; check is -1 or 1) */
mask = const_time_eq(res, check);
res = const_time_select_int(mask, 1, 0);
fail:
crypto_bignum_deinit(num, 1);
crypto_bignum_deinit(r, 1);
crypto_bignum_deinit(qr_or_qnr, 1);
return res;
}

View File

@ -10,13 +10,17 @@
#ifndef DRAGONFLY_H
#define DRAGONFLY_H
#define DRAGONFLY_MAX_ECC_PRIME_LEN 66
struct crypto_bignum;
struct crypto_ec;
int dragonfly_suitable_group(int group, int ecc_only);
int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
struct crypto_bignum **qr,
struct crypto_bignum **qnr);
struct crypto_bignum *
dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime);
int dragonfly_is_quadratic_residue_blind(struct crypto_ec *ec,
const u8 *qr, const u8 *qnr,
const struct crypto_bignum *val);
#endif /* DRAGONFLY_H */

View File

@ -178,72 +178,6 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
}
static int is_quadratic_residue_blind(struct sae_data *sae,
const u8 *qr, const u8 *qnr,
const struct crypto_bignum *y_sqr)
{
struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
int check, res = -1;
u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
size_t prime_len = sae->tmp->prime_len;
unsigned int mask;
/*
* Use the blinding technique to mask y_sqr while determining
* whether it is a quadratic residue modulo p to avoid leaking
* timing information while determining the Legendre symbol.
*
* v = y_sqr
* r = a random number between 1 and p-1, inclusive
* num = (v * r * r) modulo p
*/
r = dragonfly_get_rand_1_to_p_1(sae->tmp->prime);
if (!r)
return -1;
num = crypto_bignum_init();
if (!num ||
crypto_bignum_mulmod(y_sqr, r, sae->tmp->prime, num) < 0 ||
crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
goto fail;
/*
* Need to minimize differences in handling different cases, so try to
* avoid branches and timing differences.
*
* If r_odd:
* num = (num * qr) module p
* LGR(num, p) = 1 ==> quadratic residue
* else:
* num = (num * qnr) module p
* LGR(num, p) = -1 ==> quadratic residue
*/
mask = const_time_is_zero(crypto_bignum_is_odd(r));
const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
if (!qr_or_qnr ||
crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0)
goto fail;
/* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */
check = const_time_select_int(mask, -1, 1);
res = crypto_bignum_legendre(num, sae->tmp->prime);
if (res == -2) {
res = -1;
goto fail;
}
/* branchless version of res = res == check
* (res is -1, 0, or 1; check is -1 or 1) */
mask = const_time_eq(res, check);
res = const_time_select_int(mask, 1, 0);
fail:
crypto_bignum_deinit(num, 1);
crypto_bignum_deinit(r, 1);
crypto_bignum_deinit(qr_or_qnr, 1);
return res;
}
static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
const u8 *prime, const u8 *qr, const u8 *qnr,
u8 *pwd_value)
@ -275,7 +209,8 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
if (!y_sqr)
return -1;
res = is_quadratic_residue_blind(sae, qr, qnr, y_sqr);
res = dragonfly_is_quadratic_residue_blind(sae->tmp->ec, qr, qnr,
y_sqr);
crypto_bignum_deinit(y_sqr, 1);
return res;
}

View File

@ -122,22 +122,21 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
const u8 *token)
{
struct crypto_bignum *qr = NULL, *qnr = NULL;
struct crypto_bignum *qr_or_qnr = NULL;
u8 qr_bin[MAX_ECC_PRIME_LEN];
u8 qnr_bin[MAX_ECC_PRIME_LEN];
u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
u8 x_bin[MAX_ECC_PRIME_LEN];
u8 prime_bin[MAX_ECC_PRIME_LEN];
struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL;
struct crypto_bignum *tmp2 = NULL;
struct crypto_hash *hash;
unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
int ret = 0, check, res;
int ret = 0, res;
u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
* mask */
size_t primebytelen = 0, primebitlen;
struct crypto_bignum *x_candidate = NULL;
const struct crypto_bignum *prime;
u8 mask, found_ctr = 0, is_odd = 0;
u8 found_ctr = 0, is_odd = 0;
if (grp->pwe)
return -1;
@ -232,47 +231,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
if (!tmp2)
goto fail;
/*
* mask tmp2 so doing legendre won't leak timing info
*
* tmp1 is a random number between 1 and p-1
*/
tmp1 = dragonfly_get_rand_1_to_p_1(prime);
if (!tmp1 ||
crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0 ||
crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0)
res = dragonfly_is_quadratic_residue_blind(grp->group, qr_bin,
qnr_bin, tmp2);
if (res < 0)
goto fail;
/*
* Now tmp2 (y^2) is masked, all values between 1 and p-1
* are equally probable. Multiplying by r^2 does not change
* whether or not tmp2 is a quadratic residue, just masks it.
*
* Flip a coin, multiply by the random quadratic residue or the
* random quadratic nonresidue and record heads or tails.
*/
mask = const_time_eq_u8(crypto_bignum_is_odd(tmp1), 1);
check = const_time_select_s8(mask, 1, -1);
const_time_select_bin(mask, qr_bin, qnr_bin, primebytelen,
qr_or_qnr_bin);
crypto_bignum_deinit(qr_or_qnr, 1);
qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, primebytelen);
if (!qr_or_qnr ||
crypto_bignum_mulmod(tmp2, qr_or_qnr, prime, tmp2) < 0)
goto fail;
/*
* Now it's safe to do legendre, if check is 1 then it's
* a straightforward test (multiplying by qr does not
* change result), if check is -1 then it's the opposite test
* (multiplying a qr by qnr would make a qnr).
*/
res = crypto_bignum_legendre(tmp2, prime);
if (res == -2)
goto fail;
mask = const_time_eq(res, check);
found_ctr = const_time_select_u8(found, found_ctr, ctr);
found |= mask;
/* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
* (with res converted to 0/0xff) handles this in constant time.
*/
found |= res * 0xff;
}
if (found == 0) {
wpa_printf(MSG_INFO,
@ -313,11 +280,9 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
}
/* cleanliness and order.... */
crypto_bignum_deinit(x_candidate, 1);
crypto_bignum_deinit(tmp1, 1);
crypto_bignum_deinit(tmp2, 1);
crypto_bignum_deinit(qr, 1);
crypto_bignum_deinit(qnr, 1);
crypto_bignum_deinit(qr_or_qnr, 1);
bin_clear_free(prfbuf, primebytelen);
os_memset(qr_bin, 0, sizeof(qr_bin));
os_memset(qnr_bin, 0, sizeof(qnr_bin));