Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-01-29 08:14:02 -05:00
Code Issues Projects Releases Wiki Activity

SAE: Rename and move ECC/FFC functions to be next to each other

Browse Source 
This makes it easier to see where there is separate implementation for
ECC and FFC groups.

Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2013-01-06 18:30:11 +02:00
parent 4ef34a9960
commit 3b0ffebcda
1 changed files with 168 additions and 184 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

352
src/common/sae.c
View File

@ -177,8 +177,8 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
} }
static int sae_test_pwd_seed(struct sae_data *sae, const u8 *pwd_seed, static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
struct crypto_ec_point *pwe) struct crypto_ec_point *pwe)
{ {
u8 pwd_value[SAE_MAX_ECC_PRIME_LEN], prime[SAE_MAX_ECC_PRIME_LEN]; u8 pwd_value[SAE_MAX_ECC_PRIME_LEN], prime[SAE_MAX_ECC_PRIME_LEN];
struct crypto_bignum *x; struct crypto_bignum *x;
@ -221,135 +221,8 @@ static int sae_test_pwd_seed(struct sae_data *sae, const u8 *pwd_seed,
} }
static int sae_derive_pwe(struct sae_data *sae, const u8 *addr1, static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
const u8 *addr2, const u8 *password, struct crypto_bignum *pwe)
size_t password_len)
{
u8 counter, k = 4;
u8 addrs[2 * ETH_ALEN];
const u8 *addr[2];
size_t len[2];
int found = 0;
struct crypto_ec_point *pwe_tmp;
if (sae->pwe_ecc == NULL) {
sae->pwe_ecc = crypto_ec_point_init(sae->ec);
if (sae->pwe_ecc == NULL)
return -1;
}
pwe_tmp = crypto_ec_point_init(sae->ec);
if (pwe_tmp == NULL)
return -1;
wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
password, password_len);
/*
* H(salt, ikm) = HMAC-SHA256(salt, ikm)
* pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
* password || counter)
*/
sae_pwd_seed_key(addr1, addr2, addrs);
addr[0] = password;
len[0] = password_len;
addr[1] = &counter;
len[1] = sizeof(counter);
/*
* Continue for at least k iterations to protect against side-channel
* attacks that attempt to determine the number of iterations required
* in the loop.
*/
for (counter = 1; counter < k || !found; counter++) {
u8 pwd_seed[SHA256_MAC_LEN];
int res;
if (counter > 200) {
/* This should not happen in practice */
wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
break;
}
wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
pwd_seed) < 0)
break;
res = sae_test_pwd_seed(sae, pwd_seed,
found ? pwe_tmp : sae->pwe_ecc);
if (res < 0)
break;
if (res == 0)
continue;
if (found) {
wpa_printf(MSG_DEBUG, "SAE: Ignore this PWE (one was "
"already selected)");
} else {
wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
found = 1;
}
}
crypto_ec_point_deinit(pwe_tmp, 1);
return found ? 0 : -1;
}
static int sae_derive_commit(struct sae_data *sae)
{
struct crypto_bignum *mask;
int ret = -1;
mask = sae_get_rand_and_mask(sae);
if (mask == NULL) {
wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask");
return -1;
}
/* commit-scalar = (rand + mask) modulo r */
if (!sae->own_commit_scalar) {
sae->own_commit_scalar = crypto_bignum_init();
if (!sae->own_commit_scalar)
goto fail;
}
crypto_bignum_add(sae->sae_rand, mask, sae->own_commit_scalar);
crypto_bignum_mod(sae->own_commit_scalar, sae->order,
sae->own_commit_scalar);
/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
if (!sae->own_commit_element_ecc) {
sae->own_commit_element_ecc = crypto_ec_point_init(sae->ec);
if (!sae->own_commit_element_ecc)
goto fail;
}
if (crypto_ec_point_mul(sae->ec, sae->pwe_ecc, mask,
sae->own_commit_element_ecc) < 0 ||
crypto_ec_point_invert(sae->ec, sae->own_commit_element_ecc) < 0) {
wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
goto fail;
}
ret = 0;
fail:
crypto_bignum_deinit(mask, 1);
return ret;
}
static int sae_prepare_commit_ec(const u8 *addr1, const u8 *addr2,
const u8 *password, size_t password_len,
struct sae_data *sae)
{
if (sae_derive_pwe(sae, addr1, addr2, password, password_len) < 0 ||
sae_derive_commit(sae) < 0)
return -1;
return 0;
}
static int sae_test_pwd_seed_dh(struct sae_data *sae, const u8 *pwd_seed,
struct crypto_bignum *pwe)
{ {
u8 pwd_value[SAE_MAX_PRIME_LEN], pwe_bin[SAE_MAX_PRIME_LEN]; u8 pwd_value[SAE_MAX_PRIME_LEN], pwe_bin[SAE_MAX_PRIME_LEN];
size_t bits = sae->prime_len * 8; size_t bits = sae->prime_len * 8;
@ -428,9 +301,84 @@ static int sae_test_pwd_seed_dh(struct sae_data *sae, const u8 *pwd_seed,
} }
static int sae_derive_pwe_dh(struct sae_data *sae, const u8 *addr1, static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
const u8 *addr2, const u8 *password, const u8 *addr2, const u8 *password,
size_t password_len) size_t password_len)
{
u8 counter, k = 4;
u8 addrs[2 * ETH_ALEN];
const u8 *addr[2];
size_t len[2];
int found = 0;
struct crypto_ec_point *pwe_tmp;
if (sae->pwe_ecc == NULL) {
sae->pwe_ecc = crypto_ec_point_init(sae->ec);
if (sae->pwe_ecc == NULL)
return -1;
}
pwe_tmp = crypto_ec_point_init(sae->ec);
if (pwe_tmp == NULL)
return -1;
wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
password, password_len);
/*
* H(salt, ikm) = HMAC-SHA256(salt, ikm)
* pwd-seed = H(MAX(STA-A-MAC, STA-B-MAC) || MIN(STA-A-MAC, STA-B-MAC),
* password || counter)
*/
sae_pwd_seed_key(addr1, addr2, addrs);
addr[0] = password;
len[0] = password_len;
addr[1] = &counter;
len[1] = sizeof(counter);
/*
* Continue for at least k iterations to protect against side-channel
* attacks that attempt to determine the number of iterations required
* in the loop.
*/
for (counter = 1; counter < k || !found; counter++) {
u8 pwd_seed[SHA256_MAC_LEN];
int res;
if (counter > 200) {
/* This should not happen in practice */
wpa_printf(MSG_DEBUG, "SAE: Failed to derive PWE");
break;
}
wpa_printf(MSG_DEBUG, "SAE: counter = %u", counter);
if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
pwd_seed) < 0)
break;
res = sae_test_pwd_seed_ecc(sae, pwd_seed,
found ? pwe_tmp : sae->pwe_ecc);
if (res < 0)
break;
if (res == 0)
continue;
if (found) {
wpa_printf(MSG_DEBUG, "SAE: Ignore this PWE (one was "
"already selected)");
} else {
wpa_printf(MSG_DEBUG, "SAE: Use this PWE");
found = 1;
}
}
crypto_ec_point_deinit(pwe_tmp, 1);
return found ? 0 : -1;
}
static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
const u8 *addr2, const u8 *password,
size_t password_len)
{ {
u8 counter; u8 counter;
u8 addrs[2 * ETH_ALEN]; u8 addrs[2 * ETH_ALEN];
@ -473,7 +421,7 @@ static int sae_derive_pwe_dh(struct sae_data *sae, const u8 *addr1,
if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len, if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
pwd_seed) < 0) pwd_seed) < 0)
break; break;
res = sae_test_pwd_seed_dh(sae, pwd_seed, sae->pwe_ffc); res = sae_test_pwd_seed_ffc(sae, pwd_seed, sae->pwe_ffc);
if (res < 0) if (res < 0)
break; break;
if (res > 0) { if (res > 0) {
@ -486,7 +434,48 @@ static int sae_derive_pwe_dh(struct sae_data *sae, const u8 *addr1,
} }
static int sae_derive_commit_dh(struct sae_data *sae) static int sae_derive_commit_ecc(struct sae_data *sae)
{
struct crypto_bignum *mask;
int ret = -1;
mask = sae_get_rand_and_mask(sae);
if (mask == NULL) {
wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask");
return -1;
}
/* commit-scalar = (rand + mask) modulo r */
if (!sae->own_commit_scalar) {
sae->own_commit_scalar = crypto_bignum_init();
if (!sae->own_commit_scalar)
goto fail;
}
crypto_bignum_add(sae->sae_rand, mask, sae->own_commit_scalar);
crypto_bignum_mod(sae->own_commit_scalar, sae->order,
sae->own_commit_scalar);
/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
if (!sae->own_commit_element_ecc) {
sae->own_commit_element_ecc = crypto_ec_point_init(sae->ec);
if (!sae->own_commit_element_ecc)
goto fail;
}
if (crypto_ec_point_mul(sae->ec, sae->pwe_ecc, mask,
sae->own_commit_element_ecc) < 0 ||
crypto_ec_point_invert(sae->ec, sae->own_commit_element_ecc) < 0) {
wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
goto fail;
}
ret = 0;
fail:
crypto_bignum_deinit(mask, 1);
return ret;
}
static int sae_derive_commit_ffc(struct sae_data *sae)
{ {
struct crypto_bignum *mask; struct crypto_bignum *mask;
int ret = -1; int ret = -1;
@ -528,36 +517,31 @@ fail:
} }
static int sae_prepare_commit_dh(const u8 *addr1, const u8 *addr2,
const u8 *password, size_t password_len,
struct sae_data *sae)
{
if (sae_derive_pwe_dh(sae, addr1, addr2, password, password_len) < 0 ||
sae_derive_commit_dh(sae) < 0)
return -1;
return 0;
}
int sae_prepare_commit(const u8 *addr1, const u8 *addr2, int sae_prepare_commit(const u8 *addr1, const u8 *addr2,
const u8 *password, size_t password_len, const u8 *password, size_t password_len,
struct sae_data *sae) struct sae_data *sae)
{ {
if (sae->ec) { if (sae->ec) {
return sae_prepare_commit_ec(addr1, addr2, password, if (sae_derive_pwe_ecc(sae, addr1, addr2, password,
password_len, sae); password_len) < 0 ||
sae_derive_commit_ecc(sae) < 0)
return -1;
return 0;
} }
if (sae->dh) { if (sae->dh) {
return sae_prepare_commit_dh(addr1, addr2, password, if (sae_derive_pwe_ffc(sae, addr1, addr2, password,
password_len, sae); password_len) < 0 ||
sae_derive_commit_ffc(sae) < 0)
return -1;
return 0;
} }
return -1; return -1;
} }
static int sae_derive_k_ec(struct sae_data *sae, u8 *k) static int sae_derive_k_ecc(struct sae_data *sae, u8 *k)
{ {
struct crypto_ec_point *K; struct crypto_ec_point *K;
int ret = -1; int ret = -1;
@ -599,7 +583,7 @@ fail:
} }
static int sae_derive_k_dh(struct sae_data *sae, u8 *k) static int sae_derive_k_ffc(struct sae_data *sae, u8 *k)
{ {
struct crypto_bignum *K; struct crypto_bignum *K;
int ret = -1; int ret = -1;
@ -638,8 +622,8 @@ fail:
static int sae_derive_k(struct sae_data *sae, u8 *k) static int sae_derive_k(struct sae_data *sae, u8 *k)
{ {
if (sae->ec) if (sae->ec)
return sae_derive_k_ec(sae, k); return sae_derive_k_ecc(sae, k);
return sae_derive_k_dh(sae, k); return sae_derive_k_ffc(sae, k);
} }
@ -826,35 +810,6 @@ static u16 sae_parse_commit_scalar(struct sae_data *sae, const u8 **pos,
} }
static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
const u8 *end)
{
if (pos + sae->prime_len > end) {
wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
"commit-element");
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", pos, sae->prime_len);
if (val_zero_or_one(pos, sae->prime_len)) {
wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
crypto_bignum_deinit(sae->peer_commit_element_ffc, 0);
sae->peer_commit_element_ffc = crypto_bignum_init_set(pos,
sae->prime_len);
if (sae->peer_commit_element_ffc == NULL)
return WLAN_STATUS_UNSPECIFIED_FAILURE;
if (crypto_bignum_cmp(sae->peer_commit_element_ffc, sae->prime) >= 0) {
wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
return WLAN_STATUS_SUCCESS;
}
static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos, static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
const u8 *end) const u8 *end)
{ {
@ -893,6 +848,35 @@ static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
} }
static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
const u8 *end)
{
if (pos + sae->prime_len > end) {
wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
"commit-element");
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
wpa_hexdump(MSG_DEBUG, "SAE: Peer commit-element", pos, sae->prime_len);
if (val_zero_or_one(pos, sae->prime_len)) {
wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
crypto_bignum_deinit(sae->peer_commit_element_ffc, 0);
sae->peer_commit_element_ffc = crypto_bignum_init_set(pos,
sae->prime_len);
if (sae->peer_commit_element_ffc == NULL)
return WLAN_STATUS_UNSPECIFIED_FAILURE;
if (crypto_bignum_cmp(sae->peer_commit_element_ffc, sae->prime) >= 0) {
wpa_printf(MSG_DEBUG, "SAE: Invalid peer element");
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
return WLAN_STATUS_SUCCESS;
}
static u16 sae_parse_commit_element(struct sae_data *sae, const u8 *pos, static u16 sae_parse_commit_element(struct sae_data *sae, const u8 *pos,
const u8 *end) const u8 *end)
{ {