SAE: Store PWE as EC point or bignum instead of octet string

This avoids unnecessary EC point and bignum initialization steps during
the SAE exchange.

Signed-hostap: Jouni Malinen <j@w1.fi>

src/common/sae.c

@@ -73,6 +73,8 @@ void sae_clear_data(struct sae_data *sae)
 	crypto_bignum_deinit(sae->prime_buf, 0);
 	crypto_bignum_deinit(sae->order_buf, 0);
 	crypto_bignum_deinit(sae->sae_rand, 1);
+	crypto_bignum_deinit(sae->pwe_ffc, 1);
+	crypto_ec_point_deinit(sae->pwe_ecc, 1);
 	os_memset(sae, 0, sizeof(*sae));
 }
 
@@ -181,7 +183,7 @@ static void sae_pwd_seed_key(const u8 *addr1, const u8 *addr2, u8 *key)
 
 
 static int sae_test_pwd_seed(struct sae_data *sae, const u8 *pwd_seed,
-			     struct crypto_ec_point *pwe, u8 *pwe_bin)
+			     struct crypto_ec_point *pwe)
 {
 	u8 pwd_value[SAE_MAX_PRIME_LEN], prime[SAE_MAX_PRIME_LEN];
 	struct crypto_bignum *x;
@@ -220,21 +222,13 @@ static int sae_test_pwd_seed(struct sae_data *sae, const u8 *pwd_seed,
 
 	wpa_printf(MSG_DEBUG, "SAE: PWE found");
 
-	if (crypto_ec_point_to_bin(sae->ec, pwe, pwe_bin,
-				   pwe_bin + sae->prime_len) < 0)
-		return -1;
-
-	wpa_hexdump_key(MSG_DEBUG, "SAE: PWE x", pwe_bin, sae->prime_len);
-	wpa_hexdump_key(MSG_DEBUG, "SAE: PWE y",
-			pwe_bin + sae->prime_len, sae->prime_len);
 	return 1;
 }
 
 
 static int sae_derive_pwe(struct sae_data *sae, const u8 *addr1,
 			  const u8 *addr2, const u8 *password,
-			  size_t password_len, struct crypto_ec_point *pwe,
-			  u8 *pwe_bin)
+			  size_t password_len)
 {
 	u8 counter, k = 4;
 	u8 addrs[2 * ETH_ALEN];
@@ -242,8 +236,12 @@ static int sae_derive_pwe(struct sae_data *sae, const u8 *addr1,
 	size_t len[2];
 	int found = 0;
 	struct crypto_ec_point *pwe_tmp;
-	u8 pwe_bin_tmp[2 * SAE_MAX_PRIME_LEN];
 
+	if (sae->pwe_ecc == NULL) {
+		sae->pwe_ecc = crypto_ec_point_init(sae->ec);
+		if (sae->pwe_ecc == NULL)
+			return -1;
+	}
 	pwe_tmp = crypto_ec_point_init(sae->ec);
 	if (pwe_tmp == NULL)
 		return -1;
@@ -283,8 +281,7 @@ static int sae_derive_pwe(struct sae_data *sae, const u8 *addr1,
 				       pwd_seed) < 0)
 			break;
 		res = sae_test_pwd_seed(sae, pwd_seed,
-					found ? pwe_tmp : pwe,
-					found ? pwe_bin_tmp : pwe_bin);
+					found ? pwe_tmp : sae->pwe_ecc);
 		if (res < 0)
 			break;
 		if (res == 0)
@@ -304,7 +301,7 @@ static int sae_derive_pwe(struct sae_data *sae, const u8 *addr1,
 }
 
 
-static int sae_derive_commit(struct sae_data *sae, struct crypto_ec_point *pwe)
+static int sae_derive_commit(struct sae_data *sae)
 {
 	struct crypto_bignum *x, *mask;
 	struct crypto_ec_point *elem;
@@ -330,7 +327,7 @@ static int sae_derive_commit(struct sae_data *sae, struct crypto_ec_point *pwe)
 		    sae->own_commit_scalar, sae->prime_len);
 
 	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
-	if (crypto_ec_point_mul(sae->ec, pwe, mask, elem) < 0 ||
+	if (crypto_ec_point_mul(sae->ec, sae->pwe_ecc, mask, elem) < 0 ||
 	    crypto_ec_point_invert(sae->ec, elem) < 0 ||
 	    crypto_ec_point_to_bin(sae->ec, elem, sae->own_commit_element,
 				   sae->own_commit_element + sae->prime_len) <
@@ -357,26 +354,17 @@ static int sae_prepare_commit_ec(const u8 *addr1, const u8 *addr2,
 				 const u8 *password, size_t password_len,
 				 struct sae_data *sae)
 {
-	struct crypto_ec_point *pwe;
-	int ret = 0;
-
-	pwe = crypto_ec_point_init(sae->ec);
-	if (pwe == NULL ||
-	    sae_derive_pwe(sae, addr1, addr2, password, password_len, pwe,
-			   sae->pwe) < 0 ||
-	    sae_derive_commit(sae, pwe) < 0)
-		ret = -1;
-
-	crypto_ec_point_deinit(pwe, 1);
-
-	return ret;
+	if (sae_derive_pwe(sae, addr1, addr2, password, password_len) < 0 ||
+	    sae_derive_commit(sae) < 0)
+		return -1;
+	return 0;
 }
 
 
 static int sae_test_pwd_seed_dh(struct sae_data *sae, const u8 *pwd_seed,
 				struct crypto_bignum *pwe)
 {
-	u8 pwd_value[SAE_MAX_PRIME_LEN];
+	u8 pwd_value[SAE_MAX_PRIME_LEN], pwe_bin[SAE_MAX_PRIME_LEN];
 	size_t bits = sae->prime_len * 8;
 	u8 exp[1];
 	struct crypto_bignum *a, *b;
@@ -434,16 +422,16 @@ static int sae_test_pwd_seed_dh(struct sae_data *sae, const u8 *pwd_seed,
 		return -1;
 	}
 
-	res = crypto_bignum_to_bin(pwe, sae->pwe, sizeof(sae->pwe),
+	res = crypto_bignum_to_bin(pwe, pwe_bin, sizeof(pwe_bin),
 				   sae->prime_len);
 	if (res < 0) {
 		wpa_printf(MSG_DEBUG, "SAE: Not room for PWE");
 		return -1;
 	}
-	wpa_hexdump_key(MSG_DEBUG, "SAE: PWE candidate", sae->pwe, res);
+	wpa_hexdump_key(MSG_DEBUG, "SAE: PWE candidate", pwe_bin, res);
 
 	/* if (PWE > 1) --> found */
-	if (val_zero_or_one(sae->pwe, sae->prime_len)) {
+	if (val_zero_or_one(pwe_bin, sae->prime_len)) {
 		wpa_printf(MSG_DEBUG, "SAE: PWE <= 1");
 		return 0;
 	}
@@ -455,7 +443,7 @@ static int sae_test_pwd_seed_dh(struct sae_data *sae, const u8 *pwd_seed,
 
 static int sae_derive_pwe_dh(struct sae_data *sae, const u8 *addr1,
 			     const u8 *addr2, const u8 *password,
-			     size_t password_len, struct crypto_bignum *pwe)
+			     size_t password_len)
 {
 	u8 counter;
 	u8 addrs[2 * ETH_ALEN];
@@ -463,6 +451,12 @@ static int sae_derive_pwe_dh(struct sae_data *sae, const u8 *addr1,
 	size_t len[2];
 	int found = 0;
 
+	if (sae->pwe_ffc == NULL) {
+		sae->pwe_ffc = crypto_bignum_init();
+		if (sae->pwe_ffc == NULL)
+			return -1;
+	}
+
 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
 			      password, password_len);
 
@@ -492,7 +486,7 @@ static int sae_derive_pwe_dh(struct sae_data *sae, const u8 *addr1,
 		if (hmac_sha256_vector(addrs, sizeof(addrs), 2, addr, len,
 				       pwd_seed) < 0)
 			break;
-		res = sae_test_pwd_seed_dh(sae, pwd_seed, pwe);
+		res = sae_test_pwd_seed_dh(sae, pwd_seed, sae->pwe_ffc);
 		if (res < 0)
 			break;
 		if (res > 0) {
@@ -505,7 +499,7 @@ static int sae_derive_pwe_dh(struct sae_data *sae, const u8 *addr1,
 }
 
 
-static int sae_derive_commit_dh(struct sae_data *sae, struct crypto_bignum *pwe)
+static int sae_derive_commit_dh(struct sae_data *sae)
 {
 	struct crypto_bignum *x, *mask, *elem;
 	int ret = -1;
@@ -530,7 +524,7 @@ static int sae_derive_commit_dh(struct sae_data *sae, struct crypto_bignum *pwe)
 		    sae->own_commit_scalar, sae->prime_len);
 
 	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
-	if (crypto_bignum_exptmod(pwe, mask, sae->prime, elem) < 0 ||
+	if (crypto_bignum_exptmod(sae->pwe_ffc, mask, sae->prime, elem) < 0 ||
 	    crypto_bignum_inverse(elem, sae->prime, elem) < 0 ||
 	    crypto_bignum_to_bin(elem, sae->own_commit_element,
 				 sizeof(sae->own_commit_element),
@@ -555,19 +549,10 @@ static int sae_prepare_commit_dh(const u8 *addr1, const u8 *addr2,
 				 const u8 *password, size_t password_len,
 				 struct sae_data *sae)
 {
-	struct crypto_bignum *pwe;
-	int ret = 0;
-
-	pwe = crypto_bignum_init();
-	if (pwe == NULL ||
-	    sae_derive_pwe_dh(sae, addr1, addr2, password, password_len, pwe) <
-	    0 ||
-	    sae_derive_commit_dh(sae, pwe) < 0)
-		ret = -1;
-
-	crypto_bignum_deinit(pwe, 1);
-
-	return ret;
+	if (sae_derive_pwe_dh(sae, addr1, addr2, password, password_len) < 0 ||
+	    sae_derive_commit_dh(sae) < 0)
+		return -1;
+	return 0;
 }
 
 
@@ -631,17 +616,15 @@ static int sae_check_peer_commit(struct sae_data *sae)
 
 static int sae_derive_k_ec(struct sae_data *sae, u8 *k)
 {
-	struct crypto_ec_point *pwe, *peer_elem, *K;
+	struct crypto_ec_point *peer_elem, *K;
 	struct crypto_bignum *peer_scalar;
 	int ret = -1;
 
-	pwe = crypto_ec_point_from_bin(sae->ec, sae->pwe);
 	peer_scalar = crypto_bignum_init_set(sae->peer_commit_scalar,
 					     sae->prime_len);
 	peer_elem = crypto_ec_point_from_bin(sae->ec, sae->peer_commit_element);
 	K = crypto_ec_point_init(sae->ec);
-	if (pwe == NULL || peer_elem == NULL || peer_scalar == NULL ||
-	    K == NULL)
+	if (peer_elem == NULL || peer_scalar == NULL || K == NULL)
 		goto fail;
 
 	if (!crypto_ec_point_is_on_curve(sae->ec, peer_elem)) {
@@ -656,7 +639,7 @@ static int sae_derive_k_ec(struct sae_data *sae, u8 *k)
 	 * k = F(K) (= x coordinate)
 	 */
 
-	if (crypto_ec_point_mul(sae->ec, pwe, peer_scalar, K) < 0 ||
+	if (crypto_ec_point_mul(sae->ec, sae->pwe_ecc, peer_scalar, K) < 0 ||
 	    crypto_ec_point_add(sae->ec, K, peer_elem, K) < 0 ||
 	    crypto_ec_point_mul(sae->ec, K, sae->sae_rand, K) < 0 ||
 	    crypto_ec_point_is_at_infinity(sae->ec, K) ||
@@ -669,7 +652,6 @@ static int sae_derive_k_ec(struct sae_data *sae, u8 *k)
 
 	ret = 0;
 fail:
-	crypto_ec_point_deinit(pwe, 1);
 	crypto_ec_point_deinit(peer_elem, 0);
 	crypto_ec_point_deinit(K, 1);
 	return ret;
@@ -678,17 +660,15 @@ fail:
 
 static int sae_derive_k_dh(struct sae_data *sae, u8 *k)
 {
-	struct crypto_bignum *pwe, *peer_elem, *K, *peer_scalar;
+	struct crypto_bignum *peer_elem, *K, *peer_scalar;
 	int ret = -1;
 
-	pwe = crypto_bignum_init_set(sae->pwe, sae->prime_len);
 	peer_scalar = crypto_bignum_init_set(sae->peer_commit_scalar,
 					     sae->prime_len);
 	peer_elem = crypto_bignum_init_set(sae->peer_commit_element,
 					   sae->prime_len);
 	K = crypto_bignum_init();
-	if (pwe == NULL || peer_elem == NULL || peer_scalar == NULL ||
-	    K == NULL)
+	if (peer_elem == NULL || peer_scalar == NULL || K == NULL)
 		goto fail;
 
 	/*
@@ -698,7 +678,8 @@ static int sae_derive_k_dh(struct sae_data *sae, u8 *k)
 	 * k = F(K) (= x coordinate)
 	 */
 
-	if (crypto_bignum_exptmod(pwe, peer_scalar, sae->prime, K) < 0 ||
+	if (crypto_bignum_exptmod(sae->pwe_ffc, peer_scalar, sae->prime, K) < 0
+	    ||
 	    crypto_bignum_mulmod(K, peer_elem, sae->prime, K) < 0 ||
 	    crypto_bignum_exptmod(K, sae->sae_rand, sae->prime, K) < 0 ||
 	    crypto_bignum_to_bin(K, k, SAE_MAX_PRIME_LEN, sae->prime_len) < 0 ||
@@ -711,7 +692,6 @@ static int sae_derive_k_dh(struct sae_data *sae, u8 *k)
 
 	ret = 0;
 fail:
-	crypto_bignum_deinit(pwe, 1);
 	crypto_bignum_deinit(peer_elem, 0);
 	crypto_bignum_deinit(K, 1);
 	return ret;

src/common/sae.h

@@ -26,7 +26,8 @@ struct sae_data {
 	u8 own_commit_element[2 * SAE_MAX_PRIME_LEN];
 	u8 peer_commit_scalar[SAE_MAX_PRIME_LEN];
 	u8 peer_commit_element[2 * SAE_MAX_PRIME_LEN];
-	u8 pwe[2 * SAE_MAX_PRIME_LEN];
+	struct crypto_ec_point *pwe_ecc;
+	struct crypto_bignum *pwe_ffc;
 	struct crypto_bignum *sae_rand;
 	int group;
 	struct crypto_ec *ec;