Diffstat (limited to 'main/wpa_supplicant/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch')
-rw-r--r-- | main/wpa_supplicant/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch | 257 |
1 files changed, 257 insertions, 0 deletions
diff --git a/main/wpa_supplicant/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch b/main/wpa_supplicant/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch
new file mode 100644
index 00000000000..9ffa00c1d0c
--- /dev/null
+++ b/main/wpa_supplicant/0018-EAP-pwd-Remove-unused-checks-for-cofactor-1-cases.patch
@@ -0,0 +1,257 @@
+From 8b093db2c3f489a74b67f687becf750d24fcf626 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Apr 2019 17:30:22 +0300
+Subject: [PATCH] EAP-pwd: Remove unused checks for cofactor > 1 cases
+
+None of the ECC groups supported in the implementation had a cofactor
+greater than 1, so these checks are unreachable and for all cases, the
+cofactor is known to be 1. Furthermore, RFC 5931 explicitly disallow use
+of ECC groups with cofactor larger than 1, so this checks cannot be
+needed for any curve that is compliant with the RFC.
+
+Remove the unneeded group cofactor checks to simplify the
+implementation.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_common/eap_pwd_common.c | 53 ++-------------------------------
+ src/eap_peer/eap_pwd.c | 23 ++------------
+ src/eap_server/eap_server_pwd.c | 23 ++------------
+ 3 files changed, 7 insertions(+), 92 deletions(-)
+
+diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
+index 00f85a390..884150e6c 100644
+--- a/src/eap_common/eap_pwd_common.c
++++ b/src/eap_common/eap_pwd_common.c
+@@ -151,7 +151,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
+ * mask */
+ size_t primebytelen = 0, primebitlen;
+- struct crypto_bignum *x_candidate = NULL, *cofactor = NULL;
++ struct crypto_bignum *x_candidate = NULL;
+ const struct crypto_bignum *prime;
+ u8 mask, found_ctr = 0, is_odd = 0;
+
+@@ -161,21 +161,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ os_memset(x_bin, 0, sizeof(x_bin));
+
+ prime = crypto_ec_get_prime(grp->group);
+- cofactor = crypto_bignum_init();
+ grp->pwe = crypto_ec_point_init(grp->group);
+ tmp1 = crypto_bignum_init();
+ pm1 = crypto_bignum_init();
+ one = crypto_bignum_init_set((const u8 *) "\x01", 1);
+- if (!cofactor || !grp->pwe || !tmp1 || !pm1 || !one) {
++ if (!grp->pwe || !tmp1 || !pm1 || !one) {
+ wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
+ goto fail;
+ }
+
+- if (crypto_ec_cofactor(grp->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for "
+- "curve");
+- goto fail;
+- }
+ primebitlen = crypto_ec_prime_len_bits(grp->group);
+ primebytelen = crypto_ec_prime_len(grp->group);
+ if ((prfbuf = os_malloc(primebytelen)) == NULL) {
+@@ -340,19 +334,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ goto fail;
+ }
+
+- if (!crypto_bignum_is_one(cofactor)) {
+- /* make sure the point is not in a small sub-group */
+- if (crypto_ec_point_mul(grp->group, grp->pwe, cofactor,
+- grp->pwe) != 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: cannot multiply generator by order");
+- goto fail;
+- }
+- if (crypto_ec_point_is_at_infinity(grp->group, grp->pwe)) {
+- wpa_printf(MSG_INFO, "EAP-pwd: point is at infinity");
+- goto fail;
+- }
+- }
+ wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
+
+ if (0) {
+@@ -362,7 +343,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
+ ret = 1;
+ }
+ /* cleanliness and order.... */
+- crypto_bignum_deinit(cofactor, 1);
+ crypto_bignum_deinit(x_candidate, 1);
+ crypto_bignum_deinit(pm1, 0);
+ crypto_bignum_deinit(tmp1, 1);
+@@ -464,7 +444,6 @@ struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
+ struct crypto_ec_point *element;
+ const struct crypto_bignum *prime;
+ size_t prime_len;
+- struct crypto_bignum *cofactor = NULL;
+
+ prime = crypto_ec_get_prime(group->group);
+ prime_len = crypto_ec_prime_len(group->group);
+@@ -489,35 +468,7 @@ struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
+ goto fail;
+ }
+
+- cofactor = crypto_bignum_init();
+- if (!cofactor || crypto_ec_cofactor(group->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: Unable to get cofactor for curve");
+- goto fail;
+- }
+-
+- if (!crypto_bignum_is_one(cofactor)) {
+- struct crypto_ec_point *point;
+- int ok = 1;
+-
+- /* check to ensure peer's element is not in a small sub-group */
+- point = crypto_ec_point_init(group->group);
+- if (!point ||
+- crypto_ec_point_mul(group->group, element,
+- cofactor, point) != 0 ||
+- crypto_ec_point_is_at_infinity(group->group, point))
+- ok = 0;
+- crypto_ec_point_deinit(point, 0);
+-
+- if (!ok) {
+- wpa_printf(MSG_INFO,
+- "EAP-pwd: Small sub-group check on peer element failed");
+- goto fail;
+- }
+- }
+-
+ out:
+- crypto_bignum_deinit(cofactor, 0);
+ return element;
+ fail:
+ crypto_ec_point_deinit(element, 0);
+diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
+index 4be4fcf35..46894a52f 100644
+--- a/src/eap_peer/eap_pwd.c
++++ b/src/eap_peer/eap_pwd.c
+@@ -309,7 +309,7 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ const u8 *payload, size_t payload_len)
+ {
+ struct crypto_ec_point *K = NULL;
+- struct crypto_bignum *mask = NULL, *cofactor = NULL;
++ struct crypto_bignum *mask = NULL;
+ const u8 *ptr = payload;
+ u8 *scalar, *element;
+ size_t prime_len, order_len;
+@@ -527,21 +527,14 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ data->private_value = crypto_bignum_init();
+ data->my_element = crypto_ec_point_init(data->grp->group);
+- cofactor = crypto_bignum_init();
+ data->my_scalar = crypto_bignum_init();
+ mask = crypto_bignum_init();
+- if (!data->private_value || !data->my_element || !cofactor ||
++ if (!data->private_value || !data->my_element ||
+ !data->my_scalar || !mask) {
+ wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
+ goto fin;
+ }
+
+- if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
+- "for curve");
+- goto fin;
+- }
+-
+ if (eap_pwd_get_rand_mask(data->grp, data->private_value, mask,
+ data->my_scalar) < 0)
+ goto fin;
+@@ -595,17 +588,8 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+ goto fin;
+ }
+
+- /* ensure that the shared key isn't in a small sub-group */
+- if (!crypto_bignum_is_one(cofactor)) {
+- if (crypto_ec_point_mul(data->grp->group, K, cofactor, K) < 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
+- "shared key point by order");
+- goto fin;
+- }
+- }
+-
+ /*
+- * This check is strictly speaking just for the case above where
++ * This check is strictly speaking just for the case where
+ * co-factor > 1 but it was suggested that even though this is probably
+ * never going to happen it is a simple and safe check "just to be
+ * sure" so let's be safe.
+@@ -644,7 +628,6 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ fin:
+ crypto_bignum_deinit(mask, 1);
+- crypto_bignum_deinit(cofactor, 1);
+ crypto_ec_point_deinit(K, 1);
+ if (data->outbuf == NULL)
+ eap_pwd_state(data, FAILURE);
+diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
+index 9799c8197..81ecd773f 100644
+--- a/src/eap_server/eap_server_pwd.c
++++ b/src/eap_server/eap_server_pwd.c
+@@ -648,7 +648,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ const u8 *payload, size_t payload_len)
+ {
+ const u8 *ptr;
+- struct crypto_bignum *cofactor = NULL;
+ struct crypto_ec_point *K = NULL;
+ int res = 0;
+ size_t prime_len, order_len;
+@@ -667,20 +666,13 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ }
+
+ data->k = crypto_bignum_init();
+- cofactor = crypto_bignum_init();
+ K = crypto_ec_point_init(data->grp->group);
+- if (!data->k || !cofactor || !K) {
++ if (!data->k || !K) {
+ wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
+ "fail");
+ goto fin;
+ }
+
+- if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (server): unable to get "
+- "cofactor for curve");
+- goto fin;
+- }
+-
+ /* element, x then y, followed by scalar */
+ ptr = payload;
+ data->peer_element = eap_pwd_get_element(data->grp, ptr);
+@@ -718,18 +710,8 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+ goto fin;
+ }
+
+- /* ensure that the shared key isn't in a small sub-group */
+- if (!crypto_bignum_is_one(cofactor)) {
+- if (crypto_ec_point_mul(data->grp->group, K, cofactor,
+- K) != 0) {
+- wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
+- "multiply shared key point by order!\n");
+- goto fin;
+- }
+- }
+-
+ /*
+- * This check is strictly speaking just for the case above where
++ * This check is strictly speaking just for the case where
+ * co-factor > 1 but it was suggested that even though this is probably
+ * never going to happen it is a simple and safe check "just to be
+ * sure" so let's be safe.
+@@ -748,7 +730,6 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
+
+ fin:
+ crypto_ec_point_deinit(K, 1);
+- crypto_bignum_deinit(cofactor, 1);
+
+ if (res)
+ eap_pwd_state(data, PWD_Confirm_Req);
+--
+2.22.0
+
|
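Review bot: After this patch the safety of a peer-supplied element in `eap_pwd_get_element()` rests on every accepted group having cofactor 1, yet that invariant is stated only in the commit message and is neither recorded nor enforced in the new code visible here. I would add a comment above `out:` such as `/* No small sub-group check: all supported groups have cofactor 1 (RFC 5931) */`, and confirm that group setup, which is outside these hunks, rejects any curve for which that does not hold. The retained "just to be sure" comments in `eap_pwd_perform_commit_exchange()` and `eap_pwd_process_commit_resp()` still describe a co-factor > 1 case that the code no longer handles, so they would benefit from the same wording. All three functions begin and end outside the hunks shown.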