change(esp_wifi): Improve handling group parameter A in H2E

Signed-off-by: Chien Wong <m@xv97.com>
2025-03-22 17:58:47 +08:00
parent c5a53842d1
commit ba9387b511
3 changed files with 47 additions and 7 deletions
--- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -149,6 +149,42 @@ const struct crypto_bignum *crypto_ec_get_order(struct crypto_ec *e)
    return (const struct crypto_bignum *) & ((mbedtls_ecp_group *)e)->N;
 }

+struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
+{
+    int ret = -1;
+    struct crypto_bignum *a;
+    mbedtls_mpi *m_a;
+    mbedtls_ecp_group *grp = (mbedtls_ecp_group *)e;
+    if (mbedtls_ecp_get_type(grp) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+        return NULL;
+    }
+    a = crypto_bignum_init();
+    if (!a) {
+        return NULL;
+    }
+    m_a = (mbedtls_mpi *)a;
+    /* Handle Mbed TLS quirk.
+     *
+     * Mbed TLS default ECP implementation is using grp->A = NULL to represent A = -3 for
+     * Short Weierstrass curves(e.g. P-256) thus accessing A needs some tweaking.
+     *
+     * See mbedtls/ecp.h for details. */
+#ifdef MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED
+    if (mbedtls_ecp_group_a_is_minus_3(grp)) {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(m_a, &grp->P, 3));
+    } else {
+        MBEDTLS_MPI_CHK(mbedtls_mpi_copy(m_a, &grp->A));
+    }
+#else
+    goto cleanup;
+#endif
+    return a;
+
+cleanup:
+    crypto_bignum_deinit(a, 0);
+    return NULL;
+}
+
 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
 {
    return (const struct crypto_bignum *) & ((mbedtls_ecp_group *)e)->B;
--- a/components/wpa_supplicant/src/common/sae.c
+++ b/components/wpa_supplicant/src/common/sae.c
@@ -594,9 +594,7 @@ static struct crypto_ec_point * sswu(struct crypto_ec *ec, int group,

 	prime = crypto_ec_get_prime(ec);
 	prime_len = crypto_ec_prime_len(ec);
-	/* Value of 'a' defined for curve secp256r1 in 'y^2 = x^3 + ax + b' */
-	uint8_t buf[32] = {0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfc};
-	a = crypto_bignum_init_set(buf, 32);
+	a = crypto_ec_get_a(ec);
 	b = crypto_ec_get_b(ec);

 	u2 = crypto_bignum_init();
@@ -615,7 +613,7 @@ static struct crypto_ec_point * sswu(struct crypto_ec *ec, int group,
 	gx2 = crypto_bignum_init();
 	tmp = crypto_bignum_init();
 	if (!u2 || !t1 || !t2 || !z || !t || !zero || !one || !two || !three ||
-	    !x1a || !x1b || !x2 || !gx1 || !gx2 || !tmp)
+	    !x1a || !x1b || !x2 || !gx1 || !gx2 || !a || !tmp)
 		goto fail;

 	if (z_int < 0 && crypto_bignum_sub(prime, z, z) < 0)
--- a/components/wpa_supplicant/src/crypto/crypto.h
+++ b/components/wpa_supplicant/src/crypto/crypto.h
@@ -796,6 +796,14 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
 * Internal data structure for EC implementation to represent a point. The
 * contents is specific to the used crypto library.
 */
+struct crypto_ec_point;
+
+/**
+ * crypto_ec_get_a - Get 'a' coefficient of an EC group's curve
+ * @e: EC context from crypto_ec_init()
+ * Returns: 'a' coefficient (bignum) of the group
+ */
+struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e);

 /**
 * crypto_ec_get_b - Get 'b' coefficient of an EC group's curve
@@ -804,8 +812,6 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
 */
 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e);

-struct crypto_ec_point;
-
 /**
 * crypto_ec_point_init - Initialize data for an EC point
 * @e: EC context from crypto_ec_init()