aboutsummaryrefslogtreecommitdiffstats
path: root/main/hostapd/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/hostapd/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch')
-rw-r--r--main/hostapd/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch257
1 files changed, 257 insertions, 0 deletions
diff --git a/main/hostapd/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch b/main/hostapd/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch
new file mode 100644
index 0000000000..9ffa00c1d0
--- /dev/null
+++ b/main/hostapd/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch
@@ -0,0 +1,257 @@
+From 8b093db2c3f489a74b67f687becf750d24fcf626 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Apr 2019 17:30:22 +0300
+Subject: [PATCH] EAP-pwd: Remove unused checks for cofactor > 1 cases
+
+None of the ECC groups supported in the implementation had a cofactor
+greater than 1, so these checks are unreachable and for all cases, the
+cofactor is known to be 1. Furthermore, RFC 5931 explicitly disallow use
+of ECC groups with cofactor larger than 1, so this checks cannot be
+needed for any curve that is compliant with the RFC.
+
+Remove the unneeded group cofactor checks to simplify the
+implementation.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 53 ++-------------------------------
+ src/eap_peer/eap_pwd.c | 23 ++------------
+ src/eap_server/eap_server_pwd.c | 23 ++------------
+ 3 files changed, 7 insertions(+), 92 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 00f85a390..884150e6c 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -151,7 +151,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+ * mask */
+ size_t primebytelen = 0, primebitlen;
+- struct crypto_bignum *x_candidate = NULL, *cofactor = NULL;
++ struct crypto_bignum *x_candidate = NULL;
+ const struct crypto_bignum *prime;
+ u8 mask, found_ctr = 0, is_odd = 0;
+
+@@ -161,21 +161,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ os_memset(x_bin, 0, sizeof(x_bin));
+
+ prime = crypto_ec_get_prime(grp->group);
+- cofactor = crypto_bignum_init();
+ grp->pwe = crypto_ec_point_init(grp->group);
+ tmp1 = crypto_bignum_init();
+ pm1 = crypto_bignum_init();
+ one = crypto_bignum_init_set((const u8 *) "\x01", 1);
+- if (!cofactor || !grp->pwe || !tmp1 || !pm1 || !one) {
++ if (!grp->pwe || !tmp1 || !pm1 || !one) {
+ wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
+ goto fail;
+ }
+
+- if (crypto_ec_cofactor(grp->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for "
+- "curve");
+- goto fail;
+- }
+ primebitlen = crypto_ec_prime_len_bits(grp->group);
+ primebytelen = crypto_ec_prime_len(grp->group);
+ if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+@@ -340,19 +334,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ goto fail;
+ }
+
+- if (!crypto_bignum_is_one(cofactor)) {
+- /* make sure the point is not in a small sub-group */
+- if (crypto_ec_point_mul(grp->group, grp->pwe, cofactor,
+- grp->pwe) != 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: cannot multiply generator by order");
+- goto fail;
+- }
+- if (crypto_ec_point_is_at_infinity(grp->group, grp->pwe)) {
+- wpa_printf(MSG_INFO, "EAP-pwd: point is at infinity");
+- goto fail;
+- }
+- }
+ wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
+
+ if (0) {
+@@ -362,7 +343,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ ret = 1;
+ }
+ /* cleanliness and order.... */
+- crypto_bignum_deinit(cofactor, 1);
+ crypto_bignum_deinit(x_candidate, 1);
+ crypto_bignum_deinit(pm1, 0);
+ crypto_bignum_deinit(tmp1, 1);
+@@ -464,7 +444,6 @@ struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
+ struct crypto_ec_point *element;
+ const struct crypto_bignum *prime;
+ size_t prime_len;
+- struct crypto_bignum *cofactor = NULL;
+
+ prime = crypto_ec_get_prime(group->group);
+ prime_len = crypto_ec_prime_len(group->group);
+@@ -489,35 +468,7 @@ struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
+ goto fail;
+ }
+
+- cofactor = crypto_bignum_init();
+- if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: Unable to get cofactor for curve");
+- goto fail;
+- }
+-
+- if (!crypto_bignum_is_one(cofactor)) {
+- struct crypto_ec_point *point;
+- int ok = 1;
+-
+- /* check to ensure peer's element is not in a small sub-group */
+- point = crypto_ec_point_init(group->group);
+- if (!point ||
+- crypto_ec_point_mul(group->group, element,
+- cofactor, point) != 0 ||
+- crypto_ec_point_is_at_infinity(group->group, point))
+- ok = 0;
+- crypto_ec_point_deinit(point, 0);
+-
+- if (!ok) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: Small sub-group check on peer element failed");
+- goto fail;
+- }
+- }
+-
+ out:
+- crypto_bignum_deinit(cofactor, 0);
+ return element;
+ fail:
+ crypto_ec_point_deinit(element, 0);
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 4be4fcf35..46894a52f 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -309,7 +309,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ const u8 *payload, size_t payload_len)
+ {
+ struct crypto_ec_point *K = NULL;
+- struct crypto_bignum *mask = NULL, *cofactor = NULL;
++ struct crypto_bignum *mask = NULL;
+ const u8 *ptr = payload;
+ u8 *scalar, *element;
+ size_t prime_len, order_len;
+@@ -527,21 +527,14 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ data->private_value = crypto_bignum_init();
+ data->my_element = crypto_ec_point_init(data->grp->group);
+- cofactor = crypto_bignum_init();
+ data->my_scalar = crypto_bignum_init();
+ mask = crypto_bignum_init();
+- if (!data->private_value || !data->my_element || !cofactor ||
++ if (!data->private_value || !data->my_element ||
+ !data->my_scalar || !mask) {
+ wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
+ goto fin;
+ }
+
+- if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
+- "for curve");
+- goto fin;
+- }
+-
+ if (eap_pwd_get_rand_mask(data->grp, data->private_value, mask,
+ data->my_scalar) < 0)
+ goto fin;
+@@ -595,17 +588,8 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ goto fin;
+ }
+
+- /* ensure that the shared key isn't in a small sub-group */
+- if (!crypto_bignum_is_one(cofactor)) {
+- if (crypto_ec_point_mul(data->grp->group, K, cofactor, K) < 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
+- "shared key point by order");
+- goto fin;
+- }
+- }
+-
+ /*
+- * This check is strictly speaking just for the case above where
++ * This check is strictly speaking just for the case where
+ * co-factor > 1 but it was suggested that even though this is probably
+ * never going to happen it is a simple and safe check "just to be
+ * sure" so let's be safe.
+@@ -644,7 +628,6 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ fin:
+ crypto_bignum_deinit(mask, 1);
+- crypto_bignum_deinit(cofactor, 1);
+ crypto_ec_point_deinit(K, 1);
+ if (data->outbuf == NULL)
+ eap_pwd_state(data, FAILURE);
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 9799c8197..81ecd773f 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -648,7 +648,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ const u8 *payload, size_t payload_len)
+ {
+ const u8 *ptr;
+- struct crypto_bignum *cofactor = NULL;
+ struct crypto_ec_point *K = NULL;
+ int res = 0;
+ size_t prime_len, order_len;
+@@ -667,20 +666,13 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ }
+
+ data->k = crypto_bignum_init();
+- cofactor = crypto_bignum_init();
+ K = crypto_ec_point_init(data->grp->group);
+- if (!data->k || !cofactor || !K) {
++ if (!data->k || !K) {
+ wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
+ "fail");
+ goto fin;
+ }
+
+- if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (server): unable to get "
+- "cofactor for curve");
+- goto fin;
+- }
+-
+ /* element, x then y, followed by scalar */
+ ptr = payload;
+ data->peer_element = eap_pwd_get_element(data->grp, ptr);
+@@ -718,18 +710,8 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ goto fin;
+ }
+
+- /* ensure that the shared key isn't in a small sub-group */
+- if (!crypto_bignum_is_one(cofactor)) {
+- if (crypto_ec_point_mul(data->grp->group, K, cofactor,
+- K) != 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
+- "multiply shared key point by order!\n");
+- goto fin;
+- }
+- }
+-
+ /*
+- * This check is strictly speaking just for the case above where
++ * This check is strictly speaking just for the case where
+ * co-factor > 1 but it was suggested that even though this is probably
+ * never going to happen it is a simple and safe check "just to be
+ * sure" so let's be safe.
+@@ -748,7 +730,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ fin:
+ crypto_ec_point_deinit(K, 1);
+- crypto_bignum_deinit(cofactor, 1);
+
+ if (res)
+ eap_pwd_state(data, PWD_Confirm_Req);
+--
+2.22.0
+