On Tue, Nov 08, 2022 at 12:05:51AM -0500, Glenn Strauss wrote:
> crypto_ec_point_mul() with mbedtls requires point
> be multiplied by a multiplicand with value < prime

> diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c > @@ -1567,7 +1567,9 @@ dpp_pkex_derive_Qr(const struct dpp_curve_params *curve, const u8 *mac_resp, > hash_bn = crypto_bignum_init_set(hash, curve->hash_len); > - if (!Pr || !Qr || !hash_bn || crypto_ec_point_mul(ec, Pr, hash_bn, Qr)) > + if (!Pr || !Qr || !hash_bn || > + crypto_bignum_mod(hash_bn, crypto_ec_get_prime(ec), hash_bn) || > + crypto_ec_point_mul(ec, Pr, hash_bn, Qr))

In addition to the previous comments, this reduction modulo prime does
not actually work. It might have passed the test cases if you had the same
change on both ends, but that's not the case if only one end is doing
this. That should be modulo order instead of prime.

Only one hwsim test case (dpp_pkex_bp384) ended up generating hash
values that are larger than the prime (or the order, for that matter)
and that is executed with the same binary on both ends, so the issue
with this change does not show up without a custom test case that
operates between modified and not modified versions.

-- 
Jouni Malinen                                            PGP id EFC895FA
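
Review bot: In the added `crypto_bignum_mod(hash_bn, crypto_ec_get_prime(ec), hash_bn)` line the scalar is reduced modulo the field prime, but scalars for `crypto_ec_point_mul()` are only equivalent modulo the group order, so for a hash value at or above the prime this yields a different Qr than a peer still running the removed `crypto_ec_point_mul(ec, Pr, hash_bn, Qr)` condition. Reduce modulo the order instead, and add a short comment above the condition stating why the reduction is there, since the reason currently appears only in the commit message. The call also overwrites `hash_bn` in place, so confirm nothing later in `dpp_pkex_derive_Qr()` expects the unreduced value.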
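
The point about reducing modulo the order rather than the prime can be checked on a toy curve where the two values differ. This is an added example, not part of the original message or of the hostap code; the curve, the `derive_q` helper and the hash value 40 are constructed for illustration.

```python
# Toy curve (constructed for illustration): y^2 = x^3 + 2x + 2 over GF(17).
# G = (5, 1) generates a group of prime order 19, so order != field prime.
P_FIELD, A, ORDER = 17, 2, 19
G = (5, 1)
INF = None  # point at infinity


def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF  # P + (-P), also covers doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def mul(k, point):
    """Double-and-add scalar multiplication; accepts any k >= 0."""
    result = INF
    while k:
        if k & 1:
            result = add(result, point)
        point = add(point, point)
        k >>= 1
    return result


def derive_q(hash_value, reduce_mod=None):
    """Stand-in for the Q = H * P step, with an optional scalar reduction."""
    scalar = hash_value if reduce_mod is None else hash_value % reduce_mod
    return mul(scalar, G)


HASH = 40  # constructed value larger than both the prime and the order
print("unmodified peer:", derive_q(HASH))
print("reduced mod order:", derive_q(HASH, ORDER), "(same point)")
print("reduced mod prime:", derive_q(HASH, P_FIELD), "(different point)")
```

A peer that reduces modulo the order derives the same point as an unmodified peer for every hash value, while one that reduces modulo the prime diverges as soon as the hash is at or above the prime.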