mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-28 18:28:23 -05:00
Share common SAE and EAP-pwd functionality: is_quadratic_residue
Use a shared helper function for the blinded mechanism of determining the Legendre symbol. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
a9615b1b88
commit
17749e948a
@ -10,6 +10,7 @@
|
||||
#include "utils/includes.h"
|
||||
|
||||
#include "utils/common.h"
|
||||
#include "utils/const_time.h"
|
||||
#include "crypto/crypto.h"
|
||||
#include "dragonfly.h"
|
||||
|
||||
@ -60,7 +61,7 @@ int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
|
||||
}
|
||||
|
||||
|
||||
struct crypto_bignum *
|
||||
static struct crypto_bignum *
|
||||
dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime)
|
||||
{
|
||||
struct crypto_bignum *tmp, *pm1, *one;
|
||||
@ -80,3 +81,76 @@ dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime)
|
||||
crypto_bignum_deinit(one, 0);
|
||||
return tmp;
|
||||
}
|
||||
|
||||
|
||||
int dragonfly_is_quadratic_residue_blind(struct crypto_ec *ec,
|
||||
const u8 *qr, const u8 *qnr,
|
||||
const struct crypto_bignum *val)
|
||||
{
|
||||
struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
|
||||
int check, res = -1;
|
||||
u8 qr_or_qnr_bin[DRAGONFLY_MAX_ECC_PRIME_LEN];
|
||||
const struct crypto_bignum *prime;
|
||||
size_t prime_len;
|
||||
unsigned int mask;
|
||||
|
||||
prime = crypto_ec_get_prime(ec);
|
||||
prime_len = crypto_ec_prime_len(ec);
|
||||
|
||||
/*
|
||||
* Use a blinding technique to mask val while determining whether it is
|
||||
* a quadratic residue modulo p to avoid leaking timing information
|
||||
* while determining the Legendre symbol.
|
||||
*
|
||||
* v = val
|
||||
* r = a random number between 1 and p-1, inclusive
|
||||
* num = (v * r * r) modulo p
|
||||
*/
|
||||
r = dragonfly_get_rand_1_to_p_1(prime);
|
||||
if (!r)
|
||||
return -1;
|
||||
|
||||
num = crypto_bignum_init();
|
||||
if (!num ||
|
||||
crypto_bignum_mulmod(val, r, prime, num) < 0 ||
|
||||
crypto_bignum_mulmod(num, r, prime, num) < 0)
|
||||
goto fail;
|
||||
|
||||
/*
|
||||
* Need to minimize differences in handling different cases, so try to
|
||||
* avoid branches and timing differences.
|
||||
*
|
||||
* If r is odd:
|
||||
* num = (num * qr) module p
|
||||
* LGR(num, p) = 1 ==> quadratic residue
|
||||
* else:
|
||||
* num = (num * qnr) module p
|
||||
* LGR(num, p) = -1 ==> quadratic residue
|
||||
*
|
||||
* mask is set to !odd(r)
|
||||
*/
|
||||
mask = const_time_is_zero(crypto_bignum_is_odd(r));
|
||||
const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
|
||||
qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
|
||||
if (!qr_or_qnr ||
|
||||
crypto_bignum_mulmod(num, qr_or_qnr, prime, num) < 0)
|
||||
goto fail;
|
||||
/* branchless version of check = odd(r) ? 1 : -1, */
|
||||
check = const_time_select_int(mask, -1, 1);
|
||||
|
||||
/* Determine the Legendre symbol on the masked value */
|
||||
res = crypto_bignum_legendre(num, prime);
|
||||
if (res == -2) {
|
||||
res = -1;
|
||||
goto fail;
|
||||
}
|
||||
/* branchless version of res = res == check
|
||||
* (res is -1, 0, or 1; check is -1 or 1) */
|
||||
mask = const_time_eq(res, check);
|
||||
res = const_time_select_int(mask, 1, 0);
|
||||
fail:
|
||||
crypto_bignum_deinit(num, 1);
|
||||
crypto_bignum_deinit(r, 1);
|
||||
crypto_bignum_deinit(qr_or_qnr, 1);
|
||||
return res;
|
||||
}
|
||||
|
@ -10,13 +10,17 @@
|
||||
#ifndef DRAGONFLY_H
|
||||
#define DRAGONFLY_H
|
||||
|
||||
#define DRAGONFLY_MAX_ECC_PRIME_LEN 66
|
||||
|
||||
struct crypto_bignum;
|
||||
struct crypto_ec;
|
||||
|
||||
int dragonfly_suitable_group(int group, int ecc_only);
|
||||
int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
|
||||
struct crypto_bignum **qr,
|
||||
struct crypto_bignum **qnr);
|
||||
struct crypto_bignum *
|
||||
dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime);
|
||||
int dragonfly_is_quadratic_residue_blind(struct crypto_ec *ec,
|
||||
const u8 *qr, const u8 *qnr,
|
||||
const struct crypto_bignum *val);
|
||||
|
||||
#endif /* DRAGONFLY_H */
|
||||
|
@ -178,72 +178,6 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
|
||||
}
|
||||
|
||||
|
||||
static int is_quadratic_residue_blind(struct sae_data *sae,
|
||||
const u8 *qr, const u8 *qnr,
|
||||
const struct crypto_bignum *y_sqr)
|
||||
{
|
||||
struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
|
||||
int check, res = -1;
|
||||
u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
|
||||
size_t prime_len = sae->tmp->prime_len;
|
||||
unsigned int mask;
|
||||
|
||||
/*
|
||||
* Use the blinding technique to mask y_sqr while determining
|
||||
* whether it is a quadratic residue modulo p to avoid leaking
|
||||
* timing information while determining the Legendre symbol.
|
||||
*
|
||||
* v = y_sqr
|
||||
* r = a random number between 1 and p-1, inclusive
|
||||
* num = (v * r * r) modulo p
|
||||
*/
|
||||
r = dragonfly_get_rand_1_to_p_1(sae->tmp->prime);
|
||||
if (!r)
|
||||
return -1;
|
||||
|
||||
num = crypto_bignum_init();
|
||||
if (!num ||
|
||||
crypto_bignum_mulmod(y_sqr, r, sae->tmp->prime, num) < 0 ||
|
||||
crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
|
||||
goto fail;
|
||||
|
||||
/*
|
||||
* Need to minimize differences in handling different cases, so try to
|
||||
* avoid branches and timing differences.
|
||||
*
|
||||
* If r_odd:
|
||||
* num = (num * qr) module p
|
||||
* LGR(num, p) = 1 ==> quadratic residue
|
||||
* else:
|
||||
* num = (num * qnr) module p
|
||||
* LGR(num, p) = -1 ==> quadratic residue
|
||||
*/
|
||||
mask = const_time_is_zero(crypto_bignum_is_odd(r));
|
||||
const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
|
||||
qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
|
||||
if (!qr_or_qnr ||
|
||||
crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0)
|
||||
goto fail;
|
||||
/* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */
|
||||
check = const_time_select_int(mask, -1, 1);
|
||||
|
||||
res = crypto_bignum_legendre(num, sae->tmp->prime);
|
||||
if (res == -2) {
|
||||
res = -1;
|
||||
goto fail;
|
||||
}
|
||||
/* branchless version of res = res == check
|
||||
* (res is -1, 0, or 1; check is -1 or 1) */
|
||||
mask = const_time_eq(res, check);
|
||||
res = const_time_select_int(mask, 1, 0);
|
||||
fail:
|
||||
crypto_bignum_deinit(num, 1);
|
||||
crypto_bignum_deinit(r, 1);
|
||||
crypto_bignum_deinit(qr_or_qnr, 1);
|
||||
return res;
|
||||
}
|
||||
|
||||
|
||||
static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
|
||||
const u8 *prime, const u8 *qr, const u8 *qnr,
|
||||
u8 *pwd_value)
|
||||
@ -275,7 +209,8 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
|
||||
if (!y_sqr)
|
||||
return -1;
|
||||
|
||||
res = is_quadratic_residue_blind(sae, qr, qnr, y_sqr);
|
||||
res = dragonfly_is_quadratic_residue_blind(sae->tmp->ec, qr, qnr,
|
||||
y_sqr);
|
||||
crypto_bignum_deinit(y_sqr, 1);
|
||||
return res;
|
||||
}
|
||||
|
@ -122,22 +122,21 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
||||
const u8 *token)
|
||||
{
|
||||
struct crypto_bignum *qr = NULL, *qnr = NULL;
|
||||
struct crypto_bignum *qr_or_qnr = NULL;
|
||||
u8 qr_bin[MAX_ECC_PRIME_LEN];
|
||||
u8 qnr_bin[MAX_ECC_PRIME_LEN];
|
||||
u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
|
||||
u8 x_bin[MAX_ECC_PRIME_LEN];
|
||||
u8 prime_bin[MAX_ECC_PRIME_LEN];
|
||||
struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL;
|
||||
struct crypto_bignum *tmp2 = NULL;
|
||||
struct crypto_hash *hash;
|
||||
unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
|
||||
int ret = 0, check, res;
|
||||
int ret = 0, res;
|
||||
u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
|
||||
* mask */
|
||||
size_t primebytelen = 0, primebitlen;
|
||||
struct crypto_bignum *x_candidate = NULL;
|
||||
const struct crypto_bignum *prime;
|
||||
u8 mask, found_ctr = 0, is_odd = 0;
|
||||
u8 found_ctr = 0, is_odd = 0;
|
||||
|
||||
if (grp->pwe)
|
||||
return -1;
|
||||
@ -232,47 +231,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
||||
if (!tmp2)
|
||||
goto fail;
|
||||
|
||||
/*
|
||||
* mask tmp2 so doing legendre won't leak timing info
|
||||
*
|
||||
* tmp1 is a random number between 1 and p-1
|
||||
*/
|
||||
tmp1 = dragonfly_get_rand_1_to_p_1(prime);
|
||||
if (!tmp1 ||
|
||||
crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0 ||
|
||||
crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0)
|
||||
res = dragonfly_is_quadratic_residue_blind(grp->group, qr_bin,
|
||||
qnr_bin, tmp2);
|
||||
if (res < 0)
|
||||
goto fail;
|
||||
|
||||
/*
|
||||
* Now tmp2 (y^2) is masked, all values between 1 and p-1
|
||||
* are equally probable. Multiplying by r^2 does not change
|
||||
* whether or not tmp2 is a quadratic residue, just masks it.
|
||||
*
|
||||
* Flip a coin, multiply by the random quadratic residue or the
|
||||
* random quadratic nonresidue and record heads or tails.
|
||||
*/
|
||||
mask = const_time_eq_u8(crypto_bignum_is_odd(tmp1), 1);
|
||||
check = const_time_select_s8(mask, 1, -1);
|
||||
const_time_select_bin(mask, qr_bin, qnr_bin, primebytelen,
|
||||
qr_or_qnr_bin);
|
||||
crypto_bignum_deinit(qr_or_qnr, 1);
|
||||
qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, primebytelen);
|
||||
if (!qr_or_qnr ||
|
||||
crypto_bignum_mulmod(tmp2, qr_or_qnr, prime, tmp2) < 0)
|
||||
goto fail;
|
||||
|
||||
/*
|
||||
* Now it's safe to do legendre, if check is 1 then it's
|
||||
* a straightforward test (multiplying by qr does not
|
||||
* change result), if check is -1 then it's the opposite test
|
||||
* (multiplying a qr by qnr would make a qnr).
|
||||
*/
|
||||
res = crypto_bignum_legendre(tmp2, prime);
|
||||
if (res == -2)
|
||||
goto fail;
|
||||
mask = const_time_eq(res, check);
|
||||
found_ctr = const_time_select_u8(found, found_ctr, ctr);
|
||||
found |= mask;
|
||||
/* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
|
||||
* (with res converted to 0/0xff) handles this in constant time.
|
||||
*/
|
||||
found |= res * 0xff;
|
||||
}
|
||||
if (found == 0) {
|
||||
wpa_printf(MSG_INFO,
|
||||
@ -313,11 +280,9 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
||||
}
|
||||
/* cleanliness and order.... */
|
||||
crypto_bignum_deinit(x_candidate, 1);
|
||||
crypto_bignum_deinit(tmp1, 1);
|
||||
crypto_bignum_deinit(tmp2, 1);
|
||||
crypto_bignum_deinit(qr, 1);
|
||||
crypto_bignum_deinit(qnr, 1);
|
||||
crypto_bignum_deinit(qr_or_qnr, 1);
|
||||
bin_clear_free(prfbuf, primebytelen);
|
||||
os_memset(qr_bin, 0, sizeof(qr_bin));
|
||||
os_memset(qnr_bin, 0, sizeof(qnr_bin));
|
||||
|
Loading…
Reference in New Issue
Block a user