From bb0122f3e8ef1f0e82ebb7121e997dc107e5449e Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 10 Mar 2013 11:45:55 +0200
Subject: [PATCH] SAE: Add forgotten commit element validation step for FFC
 groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The peer commit element needs to be validated to pass one of the steps
listed in IEEE 802.11, 11.3.5.4:
scalar-op(r, ELEMENT) = 1 modulo p

Similar step was present for ECC groups, but was missing for FFC groups.
This is needed to avoid dictionary attacks.

Thanks to Michael Roßberg and Sascha Grau for reporting this.

Signed-hostap: Jouni Malinen <j@w1.fi>
---
 src/common/sae.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/common/sae.c b/src/common/sae.c
index 900702a59..bce60a377 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -828,6 +828,8 @@ static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
 static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
 					const u8 *end)
 {
+	struct crypto_bignum *res;
+
 	if (pos + sae->tmp->prime_len > end) {
 		wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
 			   "commit-element");
@@ -849,6 +851,18 @@ static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
 	}
 
+	/* scalar-op(r, ELEMENT) = 1 modulo p */
+	res = crypto_bignum_init();
+	if (res == NULL ||
+	    crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,
+				  sae->tmp->order, sae->tmp->prime, res) < 0 ||
+	    !crypto_bignum_is_one(res)) {
+		wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)");
+		crypto_bignum_deinit(res, 0);
+		return WLAN_STATUS_UNSPECIFIED_FAILURE;
+	}
+	crypto_bignum_deinit(res, 0);
+
 	return WLAN_STATUS_SUCCESS;
 }