Accumulative patch from commit f46fc73a3f8d0eeb1b43d17769464884f467ac47
P2P: Add a peer entry based on Association Request frame
P2P: Clear p2p_in_provisioning flag on group removal
Allow SME SA Query to be used by all drivers
Android: Sync makefile changes for HT/VHT overrides
wpa_supplicant: Support VHT capability overrides
wpa_supplicant: Parse int values in different bases and reject invalid
wpa_supplicant: Reschedule sched scan after network change
Remove unnecessary local variable
wpa_supplicant: Handle enabling of one or all networks equally
wpa_supplicant: Save prev_sched_ssid only if needed
wpa_supplicant: Do not allow too short sched scan
nl80211: Use helper function for phy_info_freqs()
nl80211: Split phy_info_band() into smaller helper functions
nl80211: Use helper function for phy_info_handler()
nl80211: Split wiphy_info_handler() into smaller helper functions
nl80211: Support splitting wiphy information in dumps
Synchronize with wireless-testing.git include/uapi/linux/nl80211.h
SAE: Add forgotten commit element validation step for FFC groups
SAE: Move commit element validation steps into single location
Change-Id: I369b6493f03714f6cfb4ed4a8c10ee6e6e71c1f8
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
diff --git a/src/common/sae.c b/src/common/sae.c
index 44ffcd0..bce60a3 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -524,12 +524,6 @@
if (K == NULL)
goto fail;
- if (!crypto_ec_point_is_on_curve(sae->tmp->ec,
- sae->tmp->peer_commit_element_ecc)) {
- wpa_printf(MSG_DEBUG, "SAE: Peer element is not on curve");
- goto fail;
- }
-
/*
* K = scalar-op(rand, (elem-op(scalar-op(peer-commit-scalar, PWE),
* PEER-COMMIT-ELEMENT)))
@@ -821,6 +815,12 @@
if (sae->tmp->peer_commit_element_ecc == NULL)
return WLAN_STATUS_UNSPECIFIED_FAILURE;
+ if (!crypto_ec_point_is_on_curve(sae->tmp->ec,
+ sae->tmp->peer_commit_element_ecc)) {
+ wpa_printf(MSG_DEBUG, "SAE: Peer element is not on curve");
+ return WLAN_STATUS_UNSPECIFIED_FAILURE;
+ }
+
return WLAN_STATUS_SUCCESS;
}
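Review bot: The new on-curve check at the end of this hunk has no comment, while its FFC counterpart in sae_parse_commit_element_ffc is labelled with the protocol step it implements (`scalar-op(r, ELEMENT) = 1 modulo p`); a one-line comment such as `/* Reject a peer element that is not on the curve at parse time, before sae_derive_k_ecc() uses it */` would make the reason for moving this validation out of the key-derivation path visible to the next reader. The enclosing function starts outside the hunk, so I cannot see whether the element coordinates are range-checked against the prime before this point; if they are not, the on-curve test is the only guard against a malformed peer element here.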
@@ -828,6 +828,8 @@
static u16 sae_parse_commit_element_ffc(struct sae_data *sae, const u8 *pos,
const u8 *end)
{
+ struct crypto_bignum *res;
+
if (pos + sae->tmp->prime_len > end) {
wpa_printf(MSG_DEBUG, "SAE: Not enough data for "
"commit-element");
@@ -849,6 +851,18 @@
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
+ /* scalar-op(r, ELEMENT) = 1 modulo p */
+ res = crypto_bignum_init();
+ if (res == NULL ||
+ crypto_bignum_exptmod(sae->tmp->peer_commit_element_ffc,
+ sae->tmp->order, sae->tmp->prime, res) < 0 ||
+ !crypto_bignum_is_one(res)) {
+ wpa_printf(MSG_DEBUG, "SAE: Invalid peer element (scalar-op)");
+ crypto_bignum_deinit(res, 0);
+ return WLAN_STATUS_UNSPECIFIED_FAILURE;
+ }
+ crypto_bignum_deinit(res, 0);
+
return WLAN_STATUS_SUCCESS;
}
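Review bot: The `scalar-op(r, ELEMENT) = 1 modulo p` test added here is passed trivially by ELEMENT == 1 (and, for the p-1 case, by any even order), so it only establishes that the peer element is in the prime-order subgroup if a range check `1 < element < p - 1` is applied first; the lines preceding this hunk (cut off above) may already do that, but if not, one should be added before the exponentiation so that a small-subgroup element cannot pass. The early-exit branch calls `crypto_bignum_deinit(res, 0)` when `res` may still be NULL after a failed `crypto_bignum_init()`, which is fine only as long as every crypto backend's deinit tolerates NULL; guarding it as `if (res) crypto_bignum_deinit(res, 0);` removes that dependency. `res` holds a value derived purely from the peer's public element, so the non-clearing deinit is appropriate.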