diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c
index 52cec2e4d2..d9a4801271 100644
--- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -149,6 +149,42 @@ const struct crypto_bignum *crypto_ec_get_order(struct crypto_ec *e)
 return (const struct crypto_bignum *) & ((mbedtls_ecp_group *)e)->N;
 }
 
+struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e)
+{
+ int ret = -1;
+ struct crypto_bignum *a;
+ mbedtls_mpi *m_a;
+ mbedtls_ecp_group *grp = (mbedtls_ecp_group *)e;
+ if (mbedtls_ecp_get_type(grp) != MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
+ return NULL;
+ }
+ a = crypto_bignum_init();
+ if (!a) {
+ return NULL;
+ }
+ m_a = (mbedtls_mpi *)a;
+ /* Handle Mbed TLS quirk.
+ *
+ * Mbed TLS default ECP implementation is using grp->A = NULL to represent A = -3 for
+ * Short Weierstrass curves(e.g. P-256) thus accessing A needs some tweaking.
+ *
+ * See mbedtls/ecp.h for details. */
+#ifdef MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED
+ if (mbedtls_ecp_group_a_is_minus_3(grp)) {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(m_a, &grp->P, 3));
+ } else {
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(m_a, &grp->A));
+ }
+#else
+ goto cleanup;
+#endif
+ return a;
+
+cleanup:
+ crypto_bignum_deinit(a, 0);
+ return NULL;
+}
+
 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e)
 {
 return (const struct crypto_bignum *) & ((mbedtls_ecp_group *)e)->B;
diff --git a/components/wpa_supplicant/src/common/sae.c b/components/wpa_supplicant/src/common/sae.c
index f5b61bad62..1d11ecfd65 100644
--- a/components/wpa_supplicant/src/common/sae.c
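Review bot: crypto_ec_get_a() in crypto_mbedtls-ec.c returns a bignum it allocates with crypto_bignum_init(), so the caller owns it, while the neighbouring crypto_ec_get_order() and crypto_ec_get_b() return const pointers into the group, and neither the definition nor the new doc comment in crypto.h states the difference. A caller that follows the sibling pattern would leak the copy on each call. The function also returns NULL for a group that is not Short Weierstrass, on allocation failure, and on the `cleanup` path. I would extend the crypto.h comment to `Returns: Newly allocated copy of the 'a' coefficient, or NULL on failure or for curves that are not Short Weierstrass; the caller frees it with crypto_bignum_deinit()`.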
+++ b/components/wpa_supplicant/src/common/sae.c
@@ -594,9 +594,7 @@ static struct crypto_ec_point * sswu(struct crypto_ec *ec, int group,
 prime = crypto_ec_get_prime(ec);
 prime_len = crypto_ec_prime_len(ec);
- /* Value of 'a' defined for curve secp256r1 in 'y^2 = x^3 + ax + b' */
- uint8_t buf[32] = {0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfc};
- a = crypto_bignum_init_set(buf, 32);
+ a = crypto_ec_get_a(ec);
 b = crypto_ec_get_b(ec);
 
 u2 = crypto_bignum_init();
@@ -615,7 +613,7 @@ static struct crypto_ec_point * sswu(struct crypto_ec *ec, int group,
 gx2 = crypto_bignum_init();
 tmp = crypto_bignum_init();
 if (!u2 || !t1 || !t2 || !z || !t || !zero || !one || !two || !three ||
- !x1a || !x1b || !x2 || !gx1 || !gx2 || !tmp)
+ !x1a || !x1b || !x2 || !gx1 || !gx2 || !a || !tmp)
 goto fail;
 
 if (z_int < 0 && crypto_bignum_sub(prime, z, z) < 0)
diff --git a/components/wpa_supplicant/src/crypto/crypto.h b/components/wpa_supplicant/src/crypto/crypto.h
index 183cbf590f..7946e6be16 100644
--- a/components/wpa_supplicant/src/crypto/crypto.h
+++ b/components/wpa_supplicant/src/crypto/crypto.h
@@ -796,6 +796,14 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
 * Internal data structure for EC implementation to represent a point. The
 * contents is specific to the used crypto library.
 */
+struct crypto_ec_point;
+
+/**
+ * crypto_ec_get_a - Get 'a' coefficient of an EC group's curve
+ * @e: EC context from crypto_ec_init()
+ * Returns: 'a' coefficient (bignum) of the group
+ */
+struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e);
 
 /**
 * crypto_ec_get_b - Get 'b' coefficient of an EC group's curve
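Review bot: In sswu() in sae.c, `a` is now assigned between `prime` and `b`, which are borrowed from the group, but unlike them it is a heap copy that has to be released on every exit from the function. The `!a` test added in the second sae.c hunk jumps to `fail`, and both that label and the declaration of `a` lie outside the hunks, so it is worth confirming that the exit path calls `crypto_bignum_deinit(a, 0)`. Once that is confirmed, a short comment on the assignment such as `/* owned copy, unlike prime and b; released at fail */` would keep the difference visible to the next reader.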
@@ -804,8 +812,6 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e);
 */
 const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e);
 
-struct crypto_ec_point;
-
 /**
 * crypto_ec_point_init - Initialize data for an EC point
 * @e: EC context from crypto_ec_init()