1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
From 4396f74a36e16e32a51238d84bf6225b89c8b25c Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Fri, 5 Apr 2019 12:37:21 +0300
Subject: [PATCH] EAP-pwd: Enforce 1 < rand,mask < r and rand+mask mod r > 1
RFC 5931 has these conditions as MUST requirements, so better follow
them explicitly even if the rand,mask == 0 or rand+mask == 0 or 1 cases
are very unlikely to occur in practice while generating random values
locally.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
src/eap_common/eap_pwd_common.c | 28 ++++++++++++++++++++++++++++
src/eap_common/eap_pwd_common.h | 3 +++
src/eap_peer/eap_pwd.c | 14 ++------------
src/eap_server/eap_server_pwd.c | 13 ++-----------
4 files changed, 35 insertions(+), 23 deletions(-)
diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c
index c28b56d62..4288b5299 100644
--- a/src/eap_common/eap_pwd_common.c
+++ b/src/eap_common/eap_pwd_common.c
@@ -534,3 +534,31 @@ struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
return scalar;
}
+
+
+int eap_pwd_get_rand_mask(EAP_PWD_group *group, struct crypto_bignum *_rand,
+ struct crypto_bignum *_mask,
+ struct crypto_bignum *scalar)
+{
+ const struct crypto_bignum *order;
+ int count;
+
+ order = crypto_ec_get_order(group->group);
+
+ /* Select two random values rand,mask such that 1 < rand,mask < r and
+ * rand + mask mod r > 1. */
+ for (count = 0; count < 100; count++) {
+ if (crypto_bignum_rand(_rand, order) == 0 &&
+ !crypto_bignum_is_zero(_rand) &&
+ crypto_bignum_rand(_mask, order) == 0 &&
+ !crypto_bignum_is_zero(_mask) &&
+ crypto_bignum_add(_rand, _mask, scalar) == 0 &&
+ crypto_bignum_mod(scalar, order, scalar) == 0 &&
+ !crypto_bignum_is_zero(scalar) &&
+ !crypto_bignum_is_one(scalar))
+ return 0;
+ }
+
+ wpa_printf(MSG_INFO, "EAP-pwd: unable to get randomness");
+ return -1;
+}
diff --git a/src/eap_common/eap_pwd_common.h b/src/eap_common/eap_pwd_common.h
index 2387e59a2..c48acee20 100644
--- a/src/eap_common/eap_pwd_common.h
+++ b/src/eap_common/eap_pwd_common.h
@@ -70,5 +70,8 @@ void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest);
struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
const u8 *buf);
struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf);
+int eap_pwd_get_rand_mask(EAP_PWD_group *group, struct crypto_bignum *_rand,
+ struct crypto_bignum *_mask,
+ struct crypto_bignum *scalar);
#endif /* EAP_PWD_COMMON_H */
diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
index f37b974eb..5f6c00218 100644
--- a/src/eap_peer/eap_pwd.c
+++ b/src/eap_peer/eap_pwd.c
@@ -542,19 +542,9 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
goto fin;
}
- if (crypto_bignum_rand(data->private_value,
- crypto_ec_get_order(data->grp->group)) < 0 ||
- crypto_bignum_rand(mask,
- crypto_ec_get_order(data->grp->group)) < 0 ||
- crypto_bignum_add(data->private_value, mask,
- data->my_scalar) < 0 ||
- crypto_bignum_mod(data->my_scalar,
- crypto_ec_get_order(data->grp->group),
- data->my_scalar) < 0) {
- wpa_printf(MSG_INFO,
- "EAP-pwd (peer): unable to get randomness");
+ if (eap_pwd_get_rand_mask(data->grp, data->private_value, mask,
+ data->my_scalar) < 0)
goto fin;
- }
if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask,
data->my_element) < 0) {
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index f6c75cf80..cf6affdaf 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -261,18 +261,9 @@ static void eap_pwd_build_commit_req(struct eap_sm *sm,
goto fin;
}
- if (crypto_bignum_rand(data->private_value,
- crypto_ec_get_order(data->grp->group)) < 0 ||
- crypto_bignum_rand(mask,
- crypto_ec_get_order(data->grp->group)) < 0 ||
- crypto_bignum_add(data->private_value, mask, data->my_scalar) < 0 ||
- crypto_bignum_mod(data->my_scalar,
- crypto_ec_get_order(data->grp->group),
- data->my_scalar) < 0) {
- wpa_printf(MSG_INFO,
- "EAP-pwd (server): unable to get randomness");
+ if (eap_pwd_get_rand_mask(data->grp, data->private_value, mask,
+ data->my_scalar) < 0)
goto fin;
- }
if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask,
data->my_element) < 0) {
--
2.22.0
|
