EAP-pwd: Enforce 1 < rand,mask < r and rand+mask mod r > 1

RFC 5931 has these conditions as MUST requirements, so better follow them explicitly even if the rand,mask == 0 or rand+mask == 0 or 1 cases are very unlikely to occur in practice while generating random values locally. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-05 12:37:21 +03:00 · 2019-04-05 12:37:21 +03:00 · 4396f74a36
commit 4396f74a36
parent 2e3849bcf5
4 changed files with 35 additions and 23 deletions
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@ -542,19 +542,9 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 		goto fin;
 	}

-	if (crypto_bignum_rand(data->private_value,
-			       crypto_ec_get_order(data->grp->group)) < 0 ||
-	    crypto_bignum_rand(mask,
-			       crypto_ec_get_order(data->grp->group)) < 0 ||
-	    crypto_bignum_add(data->private_value, mask,
-			      data->my_scalar) < 0 ||
-	    crypto_bignum_mod(data->my_scalar,
-			      crypto_ec_get_order(data->grp->group),
-			      data->my_scalar) < 0) {
-		wpa_printf(MSG_INFO,
-			   "EAP-pwd (peer): unable to get randomness");
+	if (eap_pwd_get_rand_mask(data->grp, data->private_value, mask,
+				  data->my_scalar) < 0)
 		goto fin;
-	}

 	if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask,
 				data->my_element) < 0) {