Share common SAE and EAP-pwd functionality: suitable groups
Start sharing common SAE and EAP-pwd functionality by adding a new source code file that can be included into both. This first step is bringing in a shared function to check whether a group is suitable. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
ff229da309
commit
2b84ca4dd9
8 changed files with 74 additions and 29 deletions
|
|
@ -269,6 +269,7 @@ L_CFLAGS += -DCONFIG_SAE
|
|||
OBJS += src/common/sae.c
|
||||
NEED_ECC=y
|
||||
NEED_DH_GROUPS=y
|
||||
NEED_DRAGONFLY=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_OWE
|
||||
|
|
@ -462,6 +463,7 @@ L_CFLAGS += -DEAP_SERVER_PWD
|
|||
OBJS += src/eap_server/eap_server_pwd.c src/eap_common/eap_pwd_common.c
|
||||
NEED_SHA256=y
|
||||
NEED_ECC=y
|
||||
NEED_DRAGONFLY=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_EAP_EKE
|
||||
|
|
@ -595,6 +597,10 @@ ifdef CONFIG_PKCS12
|
|||
L_CFLAGS += -DPKCS12_FUNCS
|
||||
endif
|
||||
|
||||
ifdef NEED_DRAGONFLY
|
||||
OBJS += src/common/dragonfly.c
|
||||
endif
|
||||
|
||||
ifdef MS_FUNCS
|
||||
OBJS += src/crypto/ms_funcs.c
|
||||
NEED_DES=y
|
||||
|
|
|
|||
|
|
@ -313,6 +313,7 @@ OBJS += ../src/common/sae.o
|
|||
NEED_ECC=y
|
||||
NEED_DH_GROUPS=y
|
||||
NEED_AP_MLME=y
|
||||
NEED_DRAGONFLY=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_OWE
|
||||
|
|
@ -496,6 +497,7 @@ CFLAGS += -DEAP_SERVER_PWD
|
|||
OBJS += ../src/eap_server/eap_server_pwd.o ../src/eap_common/eap_pwd_common.o
|
||||
NEED_SHA256=y
|
||||
NEED_ECC=y
|
||||
NEED_DRAGONFLY=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_EAP_EKE
|
||||
|
|
@ -629,6 +631,10 @@ ifdef CONFIG_PKCS12
|
|||
CFLAGS += -DPKCS12_FUNCS
|
||||
endif
|
||||
|
||||
ifdef NEED_DRAGONFLY
|
||||
OBJS += ../src/common/dragonfly.o
|
||||
endif
|
||||
|
||||
ifdef MS_FUNCS
|
||||
OBJS += ../src/crypto/ms_funcs.o
|
||||
NEED_DES=y
|
||||
|
|
|
|||
27
src/common/dragonfly.c
Normal file
27
src/common/dragonfly.c
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
/*
|
||||
* Shared Dragonfly functionality
|
||||
* Copyright (c) 2012-2016, Jouni Malinen <j@w1.fi>
|
||||
* Copyright (c) 2019, The Linux Foundation
|
||||
*
|
||||
* This software may be distributed under the terms of the BSD license.
|
||||
* See README for more details.
|
||||
*/
|
||||
|
||||
#include "utils/includes.h"
|
||||
|
||||
#include "utils/common.h"
|
||||
#include "dragonfly.h"
|
||||
|
||||
|
||||
int dragonfly_suitable_group(int group, int ecc_only)
|
||||
{
|
||||
/* Enforce REVmd rules on which SAE groups are suitable for production
|
||||
* purposes: FFC groups whose prime is >= 3072 bits and ECC groups
|
||||
* defined over a prime field whose prime is >= 256 bits. Furthermore,
|
||||
* ECC groups defined over a characteristic 2 finite field and ECC
|
||||
* groups with a co-factor greater than 1 are not suitable. */
|
||||
return group == 19 || group == 20 || group == 21 ||
|
||||
group == 28 || group == 29 || group == 30 ||
|
||||
(!ecc_only &&
|
||||
(group == 15 || group == 16 || group == 17 || group == 18));
|
||||
}
|
||||
15
src/common/dragonfly.h
Normal file
15
src/common/dragonfly.h
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
/*
|
||||
* Shared Dragonfly functionality
|
||||
* Copyright (c) 2012-2016, Jouni Malinen <j@w1.fi>
|
||||
* Copyright (c) 2019, The Linux Foundation
|
||||
*
|
||||
* This software may be distributed under the terms of the BSD license.
|
||||
* See README for more details.
|
||||
*/
|
||||
|
||||
#ifndef DRAGONFLY_H
|
||||
#define DRAGONFLY_H
|
||||
|
||||
int dragonfly_suitable_group(int group, int ecc_only);
|
||||
|
||||
#endif /* DRAGONFLY_H */
|
||||
|
|
@ -15,35 +15,22 @@
|
|||
#include "crypto/random.h"
|
||||
#include "crypto/dh_groups.h"
|
||||
#include "ieee802_11_defs.h"
|
||||
#include "dragonfly.h"
|
||||
#include "sae.h"
|
||||
|
||||
|
||||
static int sae_suitable_group(int group)
|
||||
{
|
||||
#ifdef CONFIG_TESTING_OPTIONS
|
||||
/* Allow all groups for testing purposes in non-production builds. */
|
||||
return 1;
|
||||
#else /* CONFIG_TESTING_OPTIONS */
|
||||
/* Enforce REVmd rules on which SAE groups are suitable for production
|
||||
* purposes: FFC groups whose prime is >= 3072 bits and ECC groups
|
||||
* defined over a prime field whose prime is >= 256 bits. Furthermore,
|
||||
* ECC groups defined over a characteristic 2 finite field and ECC
|
||||
* groups with a co-factor greater than 1 are not suitable. */
|
||||
return group == 19 || group == 20 || group == 21 ||
|
||||
group == 28 || group == 29 || group == 30 ||
|
||||
group == 15 || group == 16 || group == 17 || group == 18;
|
||||
#endif /* CONFIG_TESTING_OPTIONS */
|
||||
}
|
||||
|
||||
|
||||
int sae_set_group(struct sae_data *sae, int group)
|
||||
{
|
||||
struct sae_temporary_data *tmp;
|
||||
|
||||
if (!sae_suitable_group(group)) {
|
||||
#ifdef CONFIG_TESTING_OPTIONS
|
||||
/* Allow all groups for testing purposes in non-production builds. */
|
||||
#else /* CONFIG_TESTING_OPTIONS */
|
||||
if (!dragonfly_suitable_group(group, 0)) {
|
||||
wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group);
|
||||
return -1;
|
||||
}
|
||||
#endif /* CONFIG_TESTING_OPTIONS */
|
||||
|
||||
sae_clear_data(sae);
|
||||
tmp = sae->tmp = os_zalloc(sizeof(*tmp));
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@
|
|||
#include "includes.h"
|
||||
#include "common.h"
|
||||
#include "utils/const_time.h"
|
||||
#include "common/dragonfly.h"
|
||||
#include "crypto/sha256.h"
|
||||
#include "crypto/crypto.h"
|
||||
#include "eap_defs.h"
|
||||
|
|
@ -85,20 +86,11 @@ static int eap_pwd_kdf(const u8 *key, size_t keylen, const u8 *label,
|
|||
}
|
||||
|
||||
|
||||
static int eap_pwd_suitable_group(u16 num)
|
||||
{
|
||||
/* Do not allow ECC groups with prime under 256 bits based on guidance
|
||||
* for the similar design in SAE. */
|
||||
return num == 19 || num == 20 || num == 21 ||
|
||||
num == 28 || num == 29 || num == 30;
|
||||
}
|
||||
|
||||
|
||||
EAP_PWD_group * get_eap_pwd_group(u16 num)
|
||||
{
|
||||
EAP_PWD_group *grp;
|
||||
|
||||
if (!eap_pwd_suitable_group(num)) {
|
||||
if (!dragonfly_suitable_group(num, 1)) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unsuitable group %u", num);
|
||||
return NULL;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -243,6 +243,7 @@ L_CFLAGS += -DCONFIG_SAE
|
|||
OBJS += src/common/sae.c
|
||||
NEED_ECC=y
|
||||
NEED_DH_GROUPS=y
|
||||
NEED_DRAGONFLY=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_DPP
|
||||
|
|
@ -690,6 +691,7 @@ OBJS += src/eap_peer/eap_pwd.c src/eap_common/eap_pwd_common.c
|
|||
CONFIG_IEEE8021X_EAPOL=y
|
||||
NEED_SHA256=y
|
||||
NEED_ECC=y
|
||||
NEED_DRAGONFLY=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_EAP_EKE
|
||||
|
|
@ -979,6 +981,10 @@ ifdef CONFIG_SMARTCARD
|
|||
L_CFLAGS += -DCONFIG_SMARTCARD
|
||||
endif
|
||||
|
||||
ifdef NEED_DRAGONFLY
|
||||
OBJS += src/common/dragonfly.c
|
||||
endif
|
||||
|
||||
ifdef MS_FUNCS
|
||||
OBJS += src/crypto/ms_funcs.c
|
||||
NEED_DES=y
|
||||
|
|
|
|||
|
|
@ -275,6 +275,7 @@ CFLAGS += -DCONFIG_SAE
|
|||
OBJS += ../src/common/sae.o
|
||||
NEED_ECC=y
|
||||
NEED_DH_GROUPS=y
|
||||
NEED_DRAGONFLY=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_DPP
|
||||
|
|
@ -720,6 +721,7 @@ OBJS += ../src/eap_peer/eap_pwd.o ../src/eap_common/eap_pwd_common.o
|
|||
CONFIG_IEEE8021X_EAPOL=y
|
||||
NEED_SHA256=y
|
||||
NEED_ECC=y
|
||||
NEED_DRAGONFLY=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_EAP_EKE
|
||||
|
|
@ -1023,6 +1025,10 @@ ifdef CONFIG_SMARTCARD
|
|||
CFLAGS += -DCONFIG_SMARTCARD
|
||||
endif
|
||||
|
||||
ifdef NEED_DRAGONFLY
|
||||
OBJS += ../src/common/dragonfly.o
|
||||
endif
|
||||
|
||||
ifdef MS_FUNCS
|
||||
OBJS += ../src/crypto/ms_funcs.o
|
||||
NEED_DES=y
|
||||
|
|
|
|||
Loading…
Reference in a new issue