Re: [PATCH 3/6] dpp_pkex: EC point mul w/ value < prime



On Tue, Nov 08, 2022 at 12:05:51AM -0500, Glenn Strauss wrote:
> crypto_ec_point_mul() with mbedtls requires point
> be multiplied by a multiplicand with value < prime

> diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c
> @@ -1567,7 +1567,9 @@ dpp_pkex_derive_Qr(const struct dpp_curve_params *curve, const u8 *mac_resp,
>  	hash_bn = crypto_bignum_init_set(hash, curve->hash_len);
> -	if (!Pr || !Qr || !hash_bn || crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
> +	if (!Pr || !Qr || !hash_bn ||
> +	    crypto_bignum_mod(hash_bn, crypto_ec_get_prime(ec), hash_bn) ||
> +	    crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
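Review bot: the reduction in dpp_pkex_derive_Qr uses the wrong modulus; `crypto_bignum_mod(hash_bn, crypto_ec_get_prime(ec), hash_bn)` reduces the hash modulo the field prime, but EC scalar multiplication is only invariant under reduction modulo the group order, so whenever the hash is larger than the prime this end computes Qr from (hash mod p) while an unmodified peer uses the full hash and gets a different Qr. Use the order (`crypto_ec_get_order(ec)` from the same crypto API) as the modulus; it keeps the scalar small enough for the mbedtls backend and yields the same point the unreduced scalar would.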

In addition to the previous comments, this reduction modulo prime does
not actually work. It might have passed the test cases if you had the same
change on both ends, but that's not the case if only one end is doing
this. That should be modulo order instead of prime.

Only one hwsim test case (dpp_pkex_bp384) ended up generating hash
values that are larger than the prime (or the order, for that matter)
and that is executed with the same binary on both ends, so the issue
with this change does not show up without a custom test case that
operates between modified and not modified versions.
Jouni Malinen                                            PGP id EFC895FA

Hostap mailing list

