[PATCH 18/21] dpp: remove direct call to OpenSSL in dpp_test_gen_invalid_key

Mon Jun 28 09:25:35 PDT 2021

Instead of generating EC point with random coordinates, generate a
valid EC point and then corrupt the coordinates after exporting them
in binary format.

Signed-off-by: Cedric Izoard <cedric.izoard at ceva-dsp.com>
---
 src/common/dpp_crypto.c | 88 +++++++++++++----------------------------
 src/common/dpp_i.h      |  1 -
 2 files changed, 28 insertions(+), 61 deletions(-)

diff --git a/src/common/dpp_crypto.c b/src/common/dpp_crypto.c
index 597b12ef2..e1510e72f 100644
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@@ -296,20 +296,6 @@ int dpp_pbkdf2(size_t hash_len, const u8 *password, size_t password_len,
 #endif /* CONFIG_DPP2 */
 
 
-int dpp_bn2bin_pad(const BIGNUM *bn, u8 *pos, size_t len)
-{
-	int num_bytes, offset;
-
-	num_bytes = BN_num_bytes(bn);
-	if ((size_t) num_bytes > len)
-		return -1;
-	offset = len - num_bytes;
-	os_memset(pos, 0, offset);
-	BN_bn2bin(bn, pos + offset);
-	return 0;
-}
-
-
 struct crypto_ec_key * dpp_set_pubkey_point(struct crypto_ec_key *group_key,
 					    const u8 *buf, size_t len)
 {
@@ -2578,64 +2564,46 @@ fail:
 int dpp_test_gen_invalid_key(struct wpabuf *msg,
 			     const struct dpp_curve_params *curve)
 {
-	BN_CTX *ctx;
-	BIGNUM *x, *y;
+	struct crypto_ec *ec = NULL;
+	struct crypto_ec_key *key = NULL;
+	const struct crypto_ec_point *pub_key;
+	struct crypto_ec_point *p = NULL;
+	u8 *x, *y;
 	int ret = -1;
-	EC_GROUP *group;
-	EC_POINT *point;
-
-	group = EC_GROUP_new_by_curve_name(OBJ_txt2nid(curve->name));
-	if (!group)
-		return -1;
 
-	ctx = BN_CTX_new();
-	point = EC_POINT_new(group);
-	x = BN_new();
-	y = BN_new();
-	if (!ctx || !point || !x || !y)
+	ec = crypto_ec_init(curve->ike_group);
+	x = wpabuf_put(msg, curve->prime_len);
+	y = wpabuf_put(msg, curve->prime_len);
+	if (!ec || !x || !y)
 		goto fail;
 
-	if (BN_rand(x, curve->prime_len * 8, 0, 0) != 1)
+retry:
+	// Generate valid key pair
+	key = crypto_ec_key_gen(curve->ike_group);
+	if (!key)
 		goto fail;
 
-	/* Generate a random y coordinate that results in a point that is not
-	 * on the curve. */
-	for (;;) {
-		if (BN_rand(y, curve->prime_len * 8, 0, 0) != 1)
-			goto fail;
+	// Retrieve Pub key coordinates
+	pub_key = crypto_ec_key_get_public_key(key);
+	if (!pub_key)
+		goto fail;
 
-		if (EC_POINT_set_affine_coordinates_GFp(group, point, x, y,
-							ctx) != 1) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
-		/* Unlike older OpenSSL versions, OpenSSL 1.1.1 and BoringSSL
-		 * return an error from EC_POINT_set_affine_coordinates_GFp()
-		 * when the point is not on the curve. */
-			break;
-#else /* >=1.1.0 or OPENSSL_IS_BORINGSSL */
-			goto fail;
-#endif /* >= 1.1.0 or OPENSSL_IS_BORINGSSL */
-		}
+	crypto_ec_point_to_bin(ec, pub_key, x, y);
 
-		if (!EC_POINT_is_on_curve(group, point, ctx))
-			break;
+	// and corrupt them
+	y[curve->prime_len - 1] ^= 0x01;
+	p = crypto_ec_point_from_bin(ec, x);
+	if (p && crypto_ec_point_is_on_curve(ec, p)) {
+		crypto_ec_point_deinit(p, 0);
+		p = NULL;
+		goto retry;
 	}
 
-	if (dpp_bn2bin_pad(x, wpabuf_put(msg, curve->prime_len),
-			   curve->prime_len) < 0 ||
-	    dpp_bn2bin_pad(y, wpabuf_put(msg, curve->prime_len),
-			   curve->prime_len) < 0)
-		goto fail;
-
 	ret = 0;
 fail:
-	if (ret < 0)
-		wpa_printf(MSG_INFO, "DPP: Failed to generate invalid key");
-	BN_free(x);
-	BN_free(y);
-	EC_POINT_free(point);
-	BN_CTX_free(ctx);
-	EC_GROUP_free(group);
-
+	crypto_ec_point_deinit(p, 0);
+	crypto_ec_key_deinit(key);
+	crypto_ec_deinit(ec);
 	return ret;
 }
 
diff --git a/src/common/dpp_i.h b/src/common/dpp_i.h
index e1b3e16e6..26bcad0b9 100644
--- a/src/common/dpp_i.h
+++ b/src/common/dpp_i.h
@@ -77,7 +77,6 @@ int dpp_bi_pubkey_hash(struct dpp_bootstrap_info *bi,
 		       const u8 *data, size_t data_len);
 struct crypto_ec_key * dpp_set_pubkey_point(struct crypto_ec_key *group_key,
 					    const u8 *buf, size_t len);
-int dpp_bn2bin_pad(const BIGNUM *bn, u8 *pos, size_t len);
 int dpp_hkdf_expand(size_t hash_len, const u8 *secret, size_t secret_len,
 		    const char *label, u8 *out, size_t outlen);
 int dpp_hmac_vector(size_t hash_len, const u8 *key, size_t key_len,
-- 
2.17.0


