SAE: Add forgotten commit element validation step for FFC groups

The peer commit element needs to be validated to pass one of the steps listed in IEEE 802.11, 11.3.5.4: scalar-op(r, ELEMENT) = 1 modulo p Similar step was present for ECC groups, but was missing for FFC groups. This is needed to avoid dictionary attacks. Thanks to Michael Roßberg and Sascha Grau for reporting this. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-10 11:45:55 +02:00 · 2013-03-10 11:45:55 +02:00 · bb0122f3e8
commit bb0122f3e8
parent 0bb229a6e8
1 changed files with 14 additions and 0 deletions
--- a/src/common/sae.c
+++ b/src/common/sae.c
@ -828,6 +828,8 @@ static u16 sae_parse_commit_element_ecc(struct sae_data *sae, const u8 *pos,
 static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
 					const u8 *end)
 {
+	struct crypto_bignum *res;
+
 	if (pos + sae->tmp->prime_len > end) {
 		wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
 			   "commit-element");
@ -849,6 +851,18 @@ static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
 	}

+	/* scalar-op(r, ELEMENT) = 1 modulo p */
+	res = crypto_bignum_init();
+	if (res == NULL ||
+	    crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,
+				  sae->tmp->order, sae->tmp->prime, res) < 0 ||
+	    !crypto_bignum_is_one(res)) {
+		wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)");
+		crypto_bignum_deinit(res, 0);
+		return WLAN_STATUS_UNSPECIFIED_FAILURE;
+	}
+	crypto_bignum_deinit(res, 0);
+
 	return WLAN_STATUS_SUCCESS;
 }