From dfb76edda888e4caf494d79c83623a05b261d752 Mon Sep 17 00:00:00 2001
From: James Prestwood
Date: Tue, 10 Oct 2023 06:57:04 -0700
Subject: [PATCH] sae: fix usage of compressed points (after ELL is fixed)

SAE was also relying on the ELL bug which was incorrectly performing a subtraction on the Y coordinate based on the compressed point type. Correct this and make the point type more clear (rather than something like "is_odd + 2").
---
 src/sae.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/sae.c b/src/sae.c
index cfd4d650..336954b4 100644
--- a/src/sae.c
+++ b/src/sae.c
@@ -511,7 +511,29 @@ static struct l_ecc_point *sae_compute_pwe(const struct l_ecc_curve *curve,
 return NULL;
 }
- pwe = l_ecc_point_from_data(curve, !is_odd + 2, x, bytes);
+ /*
+ * The 802.11 spec requires the point be solved unambiguously (since
+ * solving for Y results in two solutions). The correct Y value
+ * is chosen based on the LSB of the pwd-seed:
+ *
+ * if (LSB(y) == LSB(pwd-seed))
+ * then
+ * PWE = (x, y)
+ * else
+ * PWE = (x, p-y)
+ *
+ * The ELL API (somewhat hidden from view here) automatically
+ * performs a subtraction (P - Y) when:
+ * - Y is even and BIT1
+ * - Y is odd and BIT0
+ *
+ * So we choose the point type which matches the parity of
+ * pwd-seed. This means a subtraction will be performed (P - Y)
+ * if the parity of pwd-seed and the computed Y do not match.
+ */
+ pwe = l_ecc_point_from_data(curve,
+ is_odd ? L_ECC_POINT_TYPE_COMPRESSED_BIT1 :
+ L_ECC_POINT_TYPE_COMPRESSED_BIT0, x, bytes);
 if (!pwe)
 l_error("computing y failed, was x quadratic residue?");
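Review bot: The point type now passed to `l_ecc_point_from_data` is only correct against an ELL that already carries the compressed-point fix, and nothing in this patch (one file, `src/sae.c`) enforces or tests that pairing. Built against an unfixed ELL the call would presumably select the other root, so the PWE would differ from the peer's and the only symptom would be SAE authentication failing at runtime. I would state the dependency in the new comment, for example `* NOTE: requires an ELL with the compressed-point parity fix; an older ELL returns the other Y.`, and back it with a known-answer test that pins the derived PWE for a fixed password and address pair. Separately, per the added comment `is_odd` reflects the LSB of pwd-seed, so the ternary is a selection on secret-derived data where the removed `!is_odd + 2` was plain arithmetic; if this derivation is meant to be constant-time, that intent deserves a line in the comment as well. The body of `sae_compute_pwe` starts and ends outside the hunk, so how `is_odd` is computed is not visible here.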