Share common SAE and EAP-pwd functionality: is_quadratic_residue

Use a shared helper function for the blinded mechanism of determining the Legendre symbol. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-25 22:35:14 +03:00 · 2019-04-25 22:35:14 +03:00 · 17749e948a
commit 17749e948a
parent a9615b1b88
4 changed files with 93 additions and 115 deletions
--- a/src/common/dragonfly.c
+++ b/src/common/dragonfly.c
@ -10,6 +10,7 @@
 #include "utils/includes.h"

 #include "utils/common.h"
+#include "utils/const_time.h"
 #include "crypto/crypto.h"
 #include "dragonfly.h"

@ -60,7 +61,7 @@ int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
 }


-struct crypto_bignum *
+static struct crypto_bignum *
 dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime)
 {
 	struct crypto_bignum *tmp, *pm1, *one;
@ -80,3 +81,76 @@ dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime)
 	crypto_bignum_deinit(one, 0);
 	return tmp;
 }
+
+
+int dragonfly_is_quadratic_residue_blind(struct crypto_ec *ec,
+					 const u8 *qr, const u8 *qnr,
+					 const struct crypto_bignum *val)
+{
+	struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
+	int check, res = -1;
+	u8 qr_or_qnr_bin[DRAGONFLY_MAX_ECC_PRIME_LEN];
+	const struct crypto_bignum *prime;
+	size_t prime_len;
+	unsigned int mask;
+
+	prime = crypto_ec_get_prime(ec);
+	prime_len = crypto_ec_prime_len(ec);
+
+	/*
+	 * Use a blinding technique to mask val while determining whether it is
+	 * a quadratic residue modulo p to avoid leaking timing information
+	 * while determining the Legendre symbol.
+	 *
+	 * v = val
+	 * r = a random number between 1 and p-1, inclusive
+	 * num = (v * r * r) modulo p
+	 */
+	r = dragonfly_get_rand_1_to_p_1(prime);
+	if (!r)
+		return -1;
+
+	num = crypto_bignum_init();
+	if (!num ||
+	    crypto_bignum_mulmod(val, r, prime, num) < 0 ||
+	    crypto_bignum_mulmod(num, r, prime, num) < 0)
+		goto fail;
+
+	/*
+	 * Need to minimize differences in handling different cases, so try to
+	 * avoid branches and timing differences.
+	 *
+	 * If r is odd:
+	 * num = (num * qr) module p
+	 * LGR(num, p) = 1 ==> quadratic residue
+	 * else:
+	 * num = (num * qnr) module p
+	 * LGR(num, p) = -1 ==> quadratic residue
+	 *
+	 * mask is set to !odd(r)
+	 */
+	mask = const_time_is_zero(crypto_bignum_is_odd(r));
+	const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
+	qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
+	if (!qr_or_qnr ||
+	    crypto_bignum_mulmod(num, qr_or_qnr, prime, num) < 0)
+		goto fail;
+	/* branchless version of check = odd(r) ? 1 : -1, */
+	check = const_time_select_int(mask, -1, 1);
+
+	/* Determine the Legendre symbol on the masked value */
+	res = crypto_bignum_legendre(num, prime);
+	if (res == -2) {
+		res = -1;
+		goto fail;
+	}
+	/* branchless version of res = res == check
+	 * (res is -1, 0, or 1; check is -1 or 1) */
+	mask = const_time_eq(res, check);
+	res = const_time_select_int(mask, 1, 0);
+fail:
+	crypto_bignum_deinit(num, 1);
+	crypto_bignum_deinit(r, 1);
+	crypto_bignum_deinit(qr_or_qnr, 1);
+	return res;
+}
--- a/src/common/dragonfly.h
+++ b/src/common/dragonfly.h
@ -10,13 +10,17 @@
 #ifndef DRAGONFLY_H
 #define DRAGONFLY_H

+#define DRAGONFLY_MAX_ECC_PRIME_LEN 66
+
 struct crypto_bignum;
+struct crypto_ec;

 int dragonfly_suitable_group(int group, int ecc_only);
 int dragonfly_get_random_qr_qnr(const struct crypto_bignum *prime,
 				struct crypto_bignum **qr,
 				struct crypto_bignum **qnr);
-struct crypto_bignum *
-dragonfly_get_rand_1_to_p_1(const struct crypto_bignum *prime);
+int dragonfly_is_quadratic_residue_blind(struct crypto_ec *ec,
+					 const u8 *qr, const u8 *qnr,
+					 const struct crypto_bignum *val);

 #endif /* DRAGONFLY_H */
--- a/src/common/sae.c
+++ b/src/common/sae.c
@ -178,72 +178,6 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
 }


-static int is_quadratic_residue_blind(struct sae_data *sae,
-				      const u8 *qr, const u8 *qnr,
-				      const struct crypto_bignum *y_sqr)
-{
-	struct crypto_bignum *r, *num, *qr_or_qnr = NULL;
-	int check, res = -1;
-	u8 qr_or_qnr_bin[SAE_MAX_ECC_PRIME_LEN];
-	size_t prime_len = sae->tmp->prime_len;
-	unsigned int mask;
-
-	/*
-	 * Use the blinding technique to mask y_sqr while determining
-	 * whether it is a quadratic residue modulo p to avoid leaking
-	 * timing information while determining the Legendre symbol.
-	 *
-	 * v = y_sqr
-	 * r = a random number between 1 and p-1, inclusive
-	 * num = (v * r * r) modulo p
-	 */
-	r = dragonfly_get_rand_1_to_p_1(sae->tmp->prime);
-	if (!r)
-		return -1;
-
-	num = crypto_bignum_init();
-	if (!num ||
-	    crypto_bignum_mulmod(y_sqr, r, sae->tmp->prime, num) < 0 ||
-	    crypto_bignum_mulmod(num, r, sae->tmp->prime, num) < 0)
-		goto fail;
-
-	/*
-	 * Need to minimize differences in handling different cases, so try to
-	 * avoid branches and timing differences.
-	 *
-	 * If r_odd:
-	 * num = (num * qr) module p
-	 * LGR(num, p) = 1 ==> quadratic residue
-	 * else:
-	 * num = (num * qnr) module p
-	 * LGR(num, p) = -1 ==> quadratic residue
-	 */
-	mask = const_time_is_zero(crypto_bignum_is_odd(r));
-	const_time_select_bin(mask, qnr, qr, prime_len, qr_or_qnr_bin);
-	qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, prime_len);
-	if (!qr_or_qnr ||
-	    crypto_bignum_mulmod(num, qr_or_qnr, sae->tmp->prime, num) < 0)
-		goto fail;
-	/* r_odd is 0 or 1; branchless version of check = r_odd ? 1 : -1, */
-	check = const_time_select_int(mask, -1, 1);
-
-	res = crypto_bignum_legendre(num, sae->tmp->prime);
-	if (res == -2) {
-		res = -1;
-		goto fail;
-	}
-	/* branchless version of res = res == check
-	 * (res is -1, 0, or 1; check is -1 or 1) */
-	mask = const_time_eq(res, check);
-	res = const_time_select_int(mask, 1, 0);
-fail:
-	crypto_bignum_deinit(num, 1);
-	crypto_bignum_deinit(r, 1);
-	crypto_bignum_deinit(qr_or_qnr, 1);
-	return res;
-}
-
-
 static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
 				 const u8 *prime, const u8 *qr, const u8 *qnr,
 				 u8 *pwd_value)
@ -275,7 +209,8 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
 	if (!y_sqr)
 		return -1;

-	res = is_quadratic_residue_blind(sae, qr, qnr, y_sqr);
+	res = dragonfly_is_quadratic_residue_blind(sae->tmp->ec, qr, qnr,
+						   y_sqr);
 	crypto_bignum_deinit(y_sqr, 1);
 	return res;
 }
--- a/src/eap_common/eap_pwd_common.c
+++ b/src/eap_common/eap_pwd_common.c
@ -122,22 +122,21 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 			     const u8 *token)
 {
 	struct crypto_bignum *qr = NULL, *qnr = NULL;
-	struct crypto_bignum *qr_or_qnr = NULL;
 	u8 qr_bin[MAX_ECC_PRIME_LEN];
 	u8 qnr_bin[MAX_ECC_PRIME_LEN];
 	u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
 	u8 x_bin[MAX_ECC_PRIME_LEN];
 	u8 prime_bin[MAX_ECC_PRIME_LEN];
-	struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL;
+	struct crypto_bignum *tmp2 = NULL;
 	struct crypto_hash *hash;
 	unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
-	int ret = 0, check, res;
+	int ret = 0, res;
 	u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
 		       * mask */
 	size_t primebytelen = 0, primebitlen;
 	struct crypto_bignum *x_candidate = NULL;
 	const struct crypto_bignum *prime;
-	u8 mask, found_ctr = 0, is_odd = 0;
+	u8 found_ctr = 0, is_odd = 0;

 	if (grp->pwe)
 		return -1;
@ -232,47 +231,15 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 		if (!tmp2)
 			goto fail;

-		/*
-		 * mask tmp2 so doing legendre won't leak timing info
-		 *
-		 * tmp1 is a random number between 1 and p-1
-		 */
-		tmp1 = dragonfly_get_rand_1_to_p_1(prime);
-		if (!tmp1 ||
-		    crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0 ||
-		    crypto_bignum_mulmod(tmp2, tmp1, prime, tmp2) < 0)
+		res = dragonfly_is_quadratic_residue_blind(grp->group, qr_bin,
+							   qnr_bin, tmp2);
+		if (res < 0)
 			goto fail;
-
-		/*
-		 * Now tmp2 (y^2) is masked, all values between 1 and p-1
-		 * are equally probable. Multiplying by r^2 does not change
-		 * whether or not tmp2 is a quadratic residue, just masks it.
-		 *
-		 * Flip a coin, multiply by the random quadratic residue or the
-		 * random quadratic nonresidue and record heads or tails.
-		 */
-		mask = const_time_eq_u8(crypto_bignum_is_odd(tmp1), 1);
-		check = const_time_select_s8(mask, 1, -1);
-		const_time_select_bin(mask, qr_bin, qnr_bin, primebytelen,
-				      qr_or_qnr_bin);
-		crypto_bignum_deinit(qr_or_qnr, 1);
-		qr_or_qnr = crypto_bignum_init_set(qr_or_qnr_bin, primebytelen);
-		if (!qr_or_qnr ||
-		    crypto_bignum_mulmod(tmp2, qr_or_qnr, prime, tmp2) < 0)
-			goto fail;
-
-		/*
-		 * Now it's safe to do legendre, if check is 1 then it's
-		 * a straightforward test (multiplying by qr does not
-		 * change result), if check is -1 then it's the opposite test
-		 * (multiplying a qr by qnr would make a qnr).
-		 */
-		res = crypto_bignum_legendre(tmp2, prime);
-		if (res == -2)
-			goto fail;
-		mask = const_time_eq(res, check);
 		found_ctr = const_time_select_u8(found, found_ctr, ctr);
-		found |= mask;
+		/* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
+		 * (with res converted to 0/0xff) handles this in constant time.
+		 */
+		found |= res * 0xff;
 	}
 	if (found == 0) {
 		wpa_printf(MSG_INFO,
@ -313,11 +280,9 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
 	}
 	/* cleanliness and order.... */
 	crypto_bignum_deinit(x_candidate, 1);
-	crypto_bignum_deinit(tmp1, 1);
 	crypto_bignum_deinit(tmp2, 1);
 	crypto_bignum_deinit(qr, 1);
 	crypto_bignum_deinit(qnr, 1);
-	crypto_bignum_deinit(qr_or_qnr, 1);
 	bin_clear_free(prfbuf, primebytelen);
 	os_memset(qr_bin, 0, sizeof(qr_bin));
 	os_memset(qnr_bin, 0, sizeof(qnr_bin));