From 85497b5ff37ccb656895b826b88585898c209586 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
Date: Tue, 9 Apr 2019 15:17:19 -0400
Subject: [PATCH] When processing an EAP-pwd Commit frame, the peer's scalar
and elliptic curve point were not validated. This allowed an adversary to
bypass authentication, and impersonate any user.
Fix this vulnerability by assuring the received scalar lies within the valid
range, and by checking that the received element is not the point at infinity
and lies on the elliptic curve being used.
---
.../rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
+ /* validate received scalar */
+ if (BN_is_zero(session->peer_scalar) ||
+ BN_is_one(session->peer_scalar) ||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
+ ERROR("Peer's scalar is not within the allowed range");
+ goto finish;
+ }
+
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto finish;
}
+ /* validate received element */
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ ERROR("Peer's element is not a point on the elliptic curve");
+ goto finish;
+ }
+
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
}
+ /* detect reflection attacks */
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
+ ERROR("Reflection attack detected");
+ goto finish;
+ }
+
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
From ab4c767099f263a7cd4109bcdca80ee74210a769 Mon Sep 17 00:00:00 2001
From: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Date: Wed, 10 Apr 2019 10:11:23 +0100
Subject: [PATCH] fix incorrectly named variable
---
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 848ca2055e..c54f08c030 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -387,7 +387,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
/* validate received element */
- if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
EC_POINT_is_at_infinity(session->group, session->peer_element)) {
ERROR("Peer's element is not a point on the elliptic curve");
goto finish;
@@ -408,7 +408,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
/* detect reflection attacks */
if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
- EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
ERROR("Reflection attack detected");
goto finish;
}
distrib
>
Mageia
>
6
>
armv7hl
>
media
>
core-updates-src
>
by-pkgid
>
8eacf99c77f3bda3614307f41e6afc48
>
files
>
2
