From 85497b5ff37ccb656895b826b88585898c209586 Mon Sep 17 00:00:00 2001 From: Mathy Vanhoef Date: Tue, 9 Apr 2019 15:17:19 -0400 Subject: [PATCH] When processing an EAP-pwd Commit frame, the peer's scalar and elliptic curve point were not validated. This allowed an adversary to bypass authentication, and impersonate any user. Fix this vulnerability by assuring the received scalar lies within the valid range, and by checking that the received element is not the point at infinity and lies on the elliptic curve being used. --- .../rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c index 7f91e4b230..848ca2055e 100644 --- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c +++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c @@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_ data_len = BN_num_bytes(session->order); BN_bin2bn(ptr, data_len, session->peer_scalar); + /* validate received scalar */ + if (BN_is_zero(session->peer_scalar) || + BN_is_one(session->peer_scalar) || + BN_cmp(session->peer_scalar, session->order) >= 0) { + ERROR("Peer's scalar is not within the allowed range"); + goto finish; + } + if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) { DEBUG2("pwd: unable to get coordinates of peer's element"); goto finish; } + /* validate received element */ + if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) || + EC_POINT_is_at_infinity(session->group, session->peer_element)) { + ERROR("Peer's element is not a point on the elliptic curve"); + goto finish; + } + /* check to ensure peer's element is not in a small sub-group */ if (BN_cmp(cofactor, BN_value_one())) { if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) { @@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_ } } + /* detect reflection attacks */ + if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 || + EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) { + ERROR("Reflection attack detected"); + goto finish; + } + /* compute the shared key, k */ if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) || (!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) || From ab4c767099f263a7cd4109bcdca80ee74210a769 Mon Sep 17 00:00:00 2001 From: Matthew Newton Date: Wed, 10 Apr 2019 10:11:23 +0100 Subject: [PATCH] fix incorrectly named variable --- src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c index 848ca2055e..c54f08c030 100644 --- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c +++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c @@ -387,7 +387,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_ } /* validate received element */ - if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) || + if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) || EC_POINT_is_at_infinity(session->group, session->peer_element)) { ERROR("Peer's element is not a point on the elliptic curve"); goto finish; @@ -408,7 +408,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_ /* detect reflection attacks */ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 || - EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) { + EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) { ERROR("Reflection attack detected"); goto finish; }