[PATCH 3/6] dpp_pkex: EC point mul w/ value < prime
Jouni Malinen
j at w1.fi
Sun Nov 20 10:15:41 PST 2022
On Tue, Nov 08, 2022 at 12:05:51AM -0500, Glenn Strauss wrote:
> crypto_ec_point_mul() with mbedtls requires point
> be multiplied by a multiplicand with value < prime
> diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c
> @@ -1567,7 +1567,9 @@ dpp_pkex_derive_Qr(const struct dpp_curve_params *curve, const u8 *mac_resp,
> hash_bn = crypto_bignum_init_set(hash, curve->hash_len);
> - if (!Pr || !Qr || !hash_bn || crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
> + if (!Pr || !Qr || !hash_bn ||
> + crypto_bignum_mod(hash_bn, crypto_ec_get_prime(ec), hash_bn) ||
> + crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
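Review bot: The modulus on the added crypto_bignum_mod() line is crypto_ec_get_prime(ec), the field prime, but hash_bn is then used as the scalar in crypto_ec_point_mul(), and scalars are only interchangeable modulo the order of the group. For a hash value at or above the prime, this generally produces a different Qr than a peer that multiplies by the unreduced value. Suggest reducing with crypto_ec_get_order(ec) instead, and rewording "value < prime" in the commit message to match.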
In addition to the previous comments, this reduction modulo prime does
not actually work. It might have passed the test cases if you had the same
change on both ends, but that's not the case if only one end is doing
this. That should be modulo order instead of prime.
Only one hwsim test case (dpp_pkex_bp384) ended up generating hash
values that are larger than the prime (or the order, for that matter)
and that is executed with the same binary on both ends, so the issue
with this change does not show up without a custom test case that
operates between modified and not modified versions.
--
Jouni Malinen PGP id EFC895FA
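
The order-versus-prime point in the message above, shown as an added example that is not part of the original message or of hostap. It assumes a textbook toy curve (y^2 = x^3 + 2x + 2 over F_17, base point (5,1), group order 19), and all names in it are hypothetical.

```c
#include <stdio.h>

/* Toy curve, constructed for this example: y^2 = x^3 + 2x + 2 over F_17.
 * G = (5,1) generates a group of prime order 19 (order != field prime). */
enum { P = 17, A = 2, N = 19 };
typedef struct { int x, y, inf; } pt;
static int md(int v) { return ((v % P) + P) % P; }

static int inv(int v) /* v^(P-2) mod P (Fermat's little theorem) */
{
	int r = 1, e;
	for (v = md(v), e = P - 2; e; e >>= 1, v = v * v % P)
		if (e & 1) r = r * v % P;
	return r;
}

static pt add(pt p, pt q)
{
	int l, x;
	if (p.inf || q.inf) return p.inf ? q : p;
	if (p.x == q.x && md(p.y + q.y) == 0) return (pt){ 0, 0, 1 }; /* P + (-P) */
	l = p.x == q.x ? md((3 * p.x * p.x + A) * inv(2 * p.y))  /* doubling */
		       : md((q.y - p.y) * inv(q.x - p.x));       /* addition */
	x = md(l * l - p.x - q.x);
	return (pt){ x, md(l * (p.x - x) - p.y), 0 };
}

static pt mul(unsigned k, pt g) /* double-and-add, accepts any scalar size */
{
	pt r = { 0, 0, 1 };
	for (; k; k >>= 1, g = add(g, g))
		if (k & 1) r = add(r, g);
	return r;
}

/* 1 if [k mod m]G equals [k]G, i.e. a reducing peer and a non-reducing
 * peer would derive the same point from scalar k */
static int reduced_matches(unsigned k, unsigned m)
{
	pt g = { 5, 1, 0 }, a = mul(k, g), b = mul(k % m, g);
	return a.inf == b.inf && (a.inf || (a.x == b.x && a.y == b.y));
}

int main(void)
{
	/* 20 is a constructed "hash" value above both the prime and the order */
	printf("mod order: %d, mod prime: %d\n", reduced_matches(20, N), reduced_matches(20, P));
	return 0;
}
```

Scalars below the prime give the same point either way, so the mismatch only appears for the rare values that actually get reduced.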