|
0 |
From 85497b5ff37ccb656895b826b88585898c209586 Mon Sep 17 00:00:00 2001
|
|
1 |
From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
|
|
2 |
Date: Tue, 9 Apr 2019 15:17:19 -0400
|
|
3 |
Subject: [PATCH] When processing an EAP-pwd Commit frame, the peer's scalar
|
|
4 |
and elliptic curve point were not validated. This allowed an adversary to
|
|
5 |
bypass authentication, and impersonate any user.
|
|
6 |
|
|
7 |
Fix this vulnerability by assuring the received scalar lies within the valid
|
|
8 |
range, and by checking that the received element is not the point at infinity
|
|
9 |
and lies on the elliptic curve being used.
|
|
10 |
---
|
|
11 |
.../rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 22 +++++++++++++++++++
|
|
12 |
1 file changed, 22 insertions(+)
|
|
13 |
|
|
14 |
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
|
15 |
index 7f91e4b230..848ca2055e 100644
|
|
16 |
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
|
17 |
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
|
18 |
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
|
|
19 |
data_len = BN_num_bytes(session->order);
|
|
20 |
BN_bin2bn(ptr, data_len, session->peer_scalar);
|
|
21 |
|
|
22 |
+ /* validate received scalar */
|
|
23 |
+ if (BN_is_zero(session->peer_scalar) ||
|
|
24 |
+ BN_is_one(session->peer_scalar) ||
|
|
25 |
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
|
|
26 |
+ ERROR("Peer's scalar is not within the allowed range");
|
|
27 |
+ goto finish;
|
|
28 |
+ }
|
|
29 |
+
|
|
30 |
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
|
|
31 |
DEBUG2("pwd: unable to get coordinates of peer's element");
|
|
32 |
goto finish;
|
|
33 |
}
|
|
34 |
|
|
35 |
+ /* validate received element */
|
|
36 |
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
|
|
37 |
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
|
|
38 |
+ ERROR("Peer's element is not a point on the elliptic curve");
|
|
39 |
+ goto finish;
|
|
40 |
+ }
|
|
41 |
+
|
|
42 |
/* check to ensure peer's element is not in a small sub-group */
|
|
43 |
if (BN_cmp(cofactor, BN_value_one())) {
|
|
44 |
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
|
|
45 |
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
|
|
46 |
}
|
|
47 |
}
|
|
48 |
|
|
49 |
+ /* detect reflection attacks */
|
|
50 |
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
|
|
51 |
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
|
|
52 |
+ ERROR("Reflection attack detected");
|
|
53 |
+ goto finish;
|
|
54 |
+ }
|
|
55 |
+
|
|
56 |
/* compute the shared key, k */
|
|
57 |
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
|
|
58 |
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
|