From patchwork Tue Oct 10 13:57:01 2023
X-Patchwork-Submitter: James Prestwood
X-Patchwork-Id: 13415631
From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 1/4] unit: add to test-dpp to expose ASN1 point conversion bug
Date: Tue, 10 Oct 2023 06:57:01 -0700
Message-Id: <20231010135704.198723-1-prestwoj@gmail.com>

Add a test to show the incorrect ASN1 conversion to and from points. This was due to the check if Y is odd/even being inverted which incorrectly prefixes the X coordinate with the wrong byte. The test itself was not fully correct because it was using compliant points rather than full points, and the spec contains the entire Y coordinate so the full point should be used. This patch also adds ASN1 conversions to validate that dpp_point_from_asn1 and dpp_point_to_asn1 work properly.
---
 unit/test-dpp.c | 44 +++++++++++++++++++++++++++++++-------------
 1 file changed, 31 insertions(+), 13 deletions(-)

diff --git a/unit/test-dpp.c b/unit/test-dpp.c index 96175759..c782efba 100644
--- a/unit/test-dpp.c +++ b/unit/test-dpp.c @@ -162,11 +162,14 @@ static void test_bad_channels(const void *data) * B.2 Test Vectors for DPP Authentication Using P-256 for * Responder-only Authentication */ -const char *i_proto_public_bytes = "50a532ae2a07207276418d2fa630295d45569be425aa634f02014d00a7d1f61a"; -const char *r_boot_public_bytes = "09c585a91b4df9fd25a045201885c39cc5cfae397ddaeda957dec57fa0e3503f"; +const char *i_proto_public_bytes = "50a532ae2a07207276418d2fa630295d45569be425aa634f02014d00a7d1f61a" + "e14f35a5a858bccad90d126c46594c49ef82655e78888e15a32d916ac2172491"; +const char *r_boot_public_bytes = "09c585a91b4df9fd25a045201885c39cc5cfae397ddaeda957dec57fa0e3503f" + "52bf05968198a2f92883e96a386d767579883302dbf292105c90a43694c2fd5c"; const char *r_boot_private_bytes = "54ce181a98525f217216f59b245f60e9df30ac7f6b26c939418cfc3c42d1afa0"; const char *r_proto_private_bytes = "f798ed2e19286f6a6efe210b1863badb99af2a14b497634dbfd2a97394fb5aa5"; -const char *r_proto_public_bytes = "5e3fb3576884887f17c3203d8a3a6c2fac722ef0e2201b61ac73bc655c709a90"; +const char *r_proto_public_bytes = "5e3fb3576884887f17c3203d8a3a6c2fac722ef0e2201b61ac73bc655c709a90" + "2d4b030669fb9eff8b0a79fa7c1a172ac2a92c626256963f9274dc90682c81e5"; const char *k1_bytes = "3d832a02ed6d7fc1dc96d2eceab738cf01c0028eb256be33d5a21a720bfcf949"; const char *k2_bytes = "ca08bdeeef838ddf897a5f01f20bb93dc5a895cb86788ca8c00a7664899bc310"; const char *ke_bytes = "c8882a8ab30c878467822534138c704ede0ab1e873fe03b601a7908463fec87a"; 
@@ -176,6 +179,8 @@ const char *i_nonce_bytes = "13f4602a16daeb69712263b9c46cba31"; const char *r_nonce_bytes = "3d0cfb011ca916d796f7029ff0b43393"; const char *i_auth_bytes = "787d1189b526448d2901e7f6c22775ce514fce52fc886c1e924f2fbb8d97b210"; const char *r_auth_bytes = "43509ef7137d8c2fbe66d802ae09dedd94d41b8cbfafb4954782014ff4a3f91c"; +const char *r_asn1 = "3039301306072a8648ce3d020106082a8648ce3d0301070322000209c585a91b" + "4df9fd25a045201885c39cc5cfae397ddaeda957dec57fa0e3503f"; #define HEX2BUF(s, buf, _len) { \ unsigned char *_tmp = l_util_from_hexstring(s, NULL); \ @@ -192,7 +197,7 @@ const char *r_auth_bytes = "43509ef7137d8c2fbe66d802ae09dedd94d41b8cbfafb4954782 static void test_key_derivation(const void *data) { - uint64_t tmp[L_ECC_MAX_DIGITS]; + uint64_t tmp[L_ECC_MAX_DIGITS * 2]; const struct l_ecc_curve *curve = l_ecc_curve_from_ike_group(19); _auto_(l_ecc_point_free) struct l_ecc_point *i_proto_public = NULL; _auto_(l_ecc_point_free) struct l_ecc_point *r_boot_public = NULL; @@ -201,6 +206,7 @@ static void test_key_derivation(const void *data) _auto_(l_ecc_point_free) struct l_ecc_point *r_proto_public = NULL; _auto_(l_ecc_scalar_free) struct l_ecc_scalar *m = NULL; _auto_(l_ecc_scalar_free) struct l_ecc_scalar *n = NULL; + _auto_(l_ecc_point_free) struct l_ecc_point *from_asn1 = NULL; uint64_t k1[L_ECC_MAX_DIGITS]; uint64_t k2[L_ECC_MAX_DIGITS]; uint64_t ke[L_ECC_MAX_DIGITS]; 
@@ -208,23 +214,35 @@ static void test_key_derivation(const void *data) uint8_t r_nonce[16]; uint64_t r_auth[L_ECC_MAX_DIGITS]; uint64_t i_auth[L_ECC_MAX_DIGITS]; + _auto_(l_free) uint8_t *asn1 = NULL; + size_t asn1_len; - HEX2BUF(i_proto_public_bytes, tmp, 32); + HEX2BUF(i_proto_public_bytes, tmp, 64); i_proto_public = l_ecc_point_from_data(curve, - L_ECC_POINT_TYPE_COMPLIANT, - tmp, 32); + L_ECC_POINT_TYPE_FULL, + tmp, 64); assert(i_proto_public); - HEX2BUF(r_boot_public_bytes, tmp, 32); + HEX2BUF(r_boot_public_bytes, tmp, 64); r_boot_public = l_ecc_point_from_data(curve, - L_ECC_POINT_TYPE_COMPLIANT, - tmp, 32); + L_ECC_POINT_TYPE_FULL, + tmp, 64); assert(r_boot_public); - HEX2BUF(r_proto_public_bytes, tmp, 32); + HEX2BUF(r_asn1, tmp, sizeof(tmp)); + asn1 = dpp_point_to_asn1(r_boot_public, &asn1_len); + + from_asn1 = dpp_point_from_asn1(asn1, asn1_len); + + assert(l_ecc_points_are_equal(from_asn1, r_boot_public)); + + assert(asn1_len == 59); + assert(memcmp(tmp, asn1, asn1_len) == 0); + + HEX2BUF(r_proto_public_bytes, tmp, 64); r_proto_public = l_ecc_point_from_data(curve, - L_ECC_POINT_TYPE_COMPLIANT, - tmp, 32); + L_ECC_POINT_TYPE_FULL, + tmp, 64); assert(r_proto_public); HEX2BUF(r_boot_private_bytes, tmp, 32);
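Review bot: The new `r_asn1` vector in the `@@ -176,6` hunk only covers the even-Y case: it carries the `02` prefix and the Y of `r_boot_public_bytes` ends in `5c`. Since the bug being exposed is a parity inversion, add an odd-Y case too, for example a `dpp_point_to_asn1` / `dpp_point_from_asn1` round trip of `i_proto_public` (its Y ends in `91`) with a check that the encoded prefix byte is `03`. A round trip alone passes when both directions are inverted the same way, so the comparison against a fixed encoding is the part that matters.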
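Review bot: In the last hunk of `test_key_derivation`, `HEX2BUF(r_asn1, tmp, sizeof(tmp));` passes the size of the whole scratch buffer as the length, while `r_asn1` decodes to 59 bytes (the same hunk asserts `asn1_len == 59`). The macro body is not visible in this patch, but if it copies `_len` bytes out of the buffer returned by `l_util_from_hexstring`, this reads past the end of that allocation; pass 59 (or the decoded length) instead. In the same block, `asn1` and `from_asn1` are used without a check, unlike the other points in this test which are each followed by `assert(...)`. Adding `assert(asn1);` and `assert(from_asn1);` makes an encoder or decoder failure show up as a failed assertion rather than a NULL being passed on.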

From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 2/4] dpp-util: fix incorrect ASN1 compressed public key encoding
Date: Tue, 10 Oct 2023 06:57:02 -0700
Message-Id: <20231010135704.198723-2-prestwoj@gmail.com>
In-Reply-To: <20231010135704.198723-1-prestwoj@gmail.com>
References: <20231010135704.198723-1-prestwoj@gmail.com>
X-Patchwork-Id: 13415632

The prefix to the X coordinate was incorrect when using compressed points. This has been modified to match the ANSI X9.62 spec.
---
 src/dpp-util.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/dpp-util.c b/src/dpp-util.c index a2640076..0406a4dc 100644 --- a/src/dpp-util.c +++ b/src/dpp-util.c
@@ -767,11 +767,11 @@ uint8_t *dpp_point_to_asn1(const struct l_ecc_point *p, size_t *len_out) /* * Set the type to whatever avoids doing p - y when reading in the - * key. Working backwards from l_ecc_point_from_data if Y is odd and - * the type is BIT0 there is no subtraction. Similarly if Y is even + * key. Working backwards from l_ecc_point_from_data if Y is even and + * the type is BIT0 there is no subtraction. Similarly if Y is odd * and the type is BIT1. */ - if (l_ecc_point_y_isodd(p)) + if (!l_ecc_point_y_isodd(p)) point_type = L_ECC_POINT_TYPE_COMPRESSED_BIT0; else point_type = L_ECC_POINT_TYPE_COMPRESSED_BIT1;
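Review bot: The rewritten comment in `dpp_point_to_asn1` still justifies the choice by what `l_ecc_point_from_data` does internally ("whatever avoids doing p - y"), which is the kind of indirect reasoning that let the inversion go unnoticed. State the encoding rule the commit message cites instead: in the ANSI X9.62 compressed form the prefix is 0x02 for even Y and 0x03 for odd Y, and the point type is chosen so that the emitted prefix matches. Patches 3/4 are titled "(after ELL is fixed)", so this hunk presumably depends on the same ELL change; the commit message should say which ELL version is required, because a round trip through `dpp_point_from_asn1` is only correct when ELL's handling of the compressed types agrees with this encoder.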

From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 3/4] eap-pwd: fix usage of compressed points (after ELL is fixed)
Date: Tue, 10 Oct 2023 06:57:03 -0700
Message-Id: <20231010135704.198723-3-prestwoj@gmail.com>
In-Reply-To: <20231010135704.198723-1-prestwoj@gmail.com>
References: <20231010135704.198723-1-prestwoj@gmail.com>
X-Patchwork-Id: 13415634

EAP-PWD was incorrectly computing the PWE but due to the also incorrect logic in ELL the point converted correctly. This is being fixed, so both places need the reverse logic. Also added a big comment explaining why this is, and how l_ecc_point_from_data behaves since it's somewhat confusing since EAP-PWD expects the pwd-seed to be compared to the actual Y coordinate (which is handled automatically by ELL).
---
 src/eap-pwd.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/eap-pwd.c b/src/eap-pwd.c index cd6684e7..5aa51668 100644 --- a/src/eap-pwd.c +++ b/src/eap-pwd.c
@@ -320,7 +320,27 @@ static void eap_pwd_handle_id(struct eap_state *eap, strlen("EAP-pwd Hunting And Pecking"), pwd_value, nbytes); - if (!(pwd_seed[31] & 1)) + /* + * The RFC requires the point be solved unambiguously (since + * solving for Y results in two solutions). The correct Y value + * is chosen based on the LSB of the pwd-seed: + * + * if (LSB(y) == LSB(pwd-seed)) + * then + * PWE = (x, y) + * else + * PWE = (x, p-y) + * + * The ELL API (somewhat hidden from view here) automatically + * performs a subtraction (P - Y) when: + * - Y is even and BIT1 + * - Y is odd and BIT0 + * + * So we choose the point type which matches the parity of + * pwd-seed. This means a subtraction will be performed (P - Y) + * if the parity of pwd-seed and the computed Y do not match. + */ + if (pwd_seed[31] & 1) pwe = l_ecc_point_from_data(pwd->curve, L_ECC_POINT_TYPE_COMPRESSED_BIT1, pwd_value, nbytes);
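Review bot: The flipped test `if (pwd_seed[31] & 1)` in `eap_pwd_handle_id` is only correct against an ELL that carries the matching fix (the subject says "after ELL is fixed"), and nothing in this patch enforces that. Built against an ELL with the old behaviour, this selects the Y of the opposite parity, the PWE no longer matches the peer's, and authentication fails. Raise the minimum ELL version in the same series, and consider a unit test with a known PWE vector so the parity choice is checked independently of ELL. The index 31 is also hardcoded while the call itself uses `nbytes`; a short note that pwd-seed is always 32 bytes here, or indexing its last byte by length, would remove the question.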

From: James Prestwood
To: iwd@lists.linux.dev
Cc: James Prestwood
Subject: [PATCH 4/4] sae: fix usage of compressed points (after ELL is fixed)
Date: Tue, 10 Oct 2023 06:57:04 -0700
Message-Id: <20231010135704.198723-4-prestwoj@gmail.com>
In-Reply-To: <20231010135704.198723-1-prestwoj@gmail.com>
References: <20231010135704.198723-1-prestwoj@gmail.com>
X-Patchwork-Id: 13415633

SAE was also relying on the ELL bug which was incorrectly performing a subtraction on the Y coordinate based on the compressed point type. Correct this and make the point type more clear (rather than something like "is_odd + 2").
---
 src/sae.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/sae.c b/src/sae.c index cfd4d650..336954b4 100644 --- a/src/sae.c +++ b/src/sae.c @@ -511,7 +511,29 @@ static struct l_ecc_point *sae_compute_pwe(const struct l_ecc_curve *curve, return NULL; } - pwe = l_ecc_point_from_data(curve, !is_odd + 2, x, bytes); + /* + * The 802.11 spec requires the point be solved unambiguously (since + * solving for Y results in two solutions). The correct Y value + * is chosen based on the LSB of the pwd-seed: + * + * if (LSB(y) == LSB(pwd-seed)) + * then + * PWE = (x, y) + * else + * PWE = (x, p-y) + * + * The ELL API (somewhat hidden from view here) automatically + * performs a subtraction (P - Y) when: + * - Y is even and BIT1 + * - Y is odd and BIT0 + * + * So we choose the point type which matches the parity of + * pwd-seed. This means a subtraction will be performed (P - Y) + * if the parity of pwd-seed and the computed Y do not match. + */ + pwe = l_ecc_point_from_data(curve, + is_odd ? L_ECC_POINT_TYPE_COMPRESSED_BIT1 : + L_ECC_POINT_TYPE_COMPRESSED_BIT0, x, bytes); if (!pwe) l_error("computing y failed, was x quadratic residue?");
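Review bot: The comment added in `sae_compute_pwe` is copied from eap-pwd.c and speaks of "the LSB of the pwd-seed", but the code selects on `is_odd`, and the hunk does not show where that value comes from. Reword the comment in terms of `is_odd`, or name the variable after what it holds, so the explanation and the condition cannot drift apart. With the same explanation now living in two files, a small shared helper that maps a parity bit to `L_ECC_POINT_TYPE_COMPRESSED_BIT1` or `L_ECC_POINT_TYPE_COMPRESSED_BIT0` would keep the rule in one place. As with 3/4, this is only right against the fixed ELL, so the minimum ELL version needs to move in the same series.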