EAP-pwd: Enforce 1 < rand,mask < r and rand+mask mod r > 1

RFC 5931 has these conditions as MUST requirements, so better follow
them explicitly even if the rand,mask == 0 or rand+mask == 0 or 1 cases
are very unlikely to occur in practice while generating random values
locally.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

src/eap_common/eap_pwd_common.c

@@ -534,3 +534,31 @@ struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
 
 	return scalar;
 }
+
+
+int eap_pwd_get_rand_mask(EAP_PWD_group *group, struct crypto_bignum *_rand,
+			  struct crypto_bignum *_mask,
+			  struct crypto_bignum *scalar)
+{
+	const struct crypto_bignum *order;
+	int count;
+
+	order = crypto_ec_get_order(group->group);
+
+	/* Select two random values rand,mask such that 1 < rand,mask < r and
+	 * rand + mask mod r > 1. */
+	for (count = 0; count < 100; count++) {
+		if (crypto_bignum_rand(_rand, order) == 0 &&
+		    !crypto_bignum_is_zero(_rand) &&
+		    crypto_bignum_rand(_mask, order) == 0 &&
+		    !crypto_bignum_is_zero(_mask) &&
+		    crypto_bignum_add(_rand, _mask, scalar) == 0 &&
+		    crypto_bignum_mod(scalar, order, scalar) == 0 &&
+		    !crypto_bignum_is_zero(scalar) &&
+		    !crypto_bignum_is_one(scalar))
+			return 0;
+	}
+
+	wpa_printf(MSG_INFO, "EAP-pwd: unable to get randomness");
+	return -1;
+}

src/eap_common/eap_pwd_common.h

@@ -70,5 +70,8 @@ void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
 struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
 					     const u8 *buf);
 struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
+int eap_pwd_get_rand_mask(EAP_PWD_group *group, struct crypto_bignum *_rand,
+			  struct crypto_bignum *_mask,
+			  struct crypto_bignum *scalar);
 
 #endif  /* EAP_PWD_COMMON_H */