Home Explore Help
Register Sign In
RD_Software
/
linux-arkmicro
2
0
Fork 1
Files Issues 0 Pull Requests 0 Wiki
Tree: bddf170c47
Branches Tags
linux-arkmicro
/
buildroot
/
dl
/
wpa_supplicant
/
0011-EAP-pwd-server-Verify-received-scalar-and-element.patch

0011-EAP-pwd-server-Verify-received-scalar-and-element.patch 2.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758 
  1. From 70ff850e89fbc8bc7da515321b4d15b5eef70581 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
    3. 

  3. Date: Sun, 31 Mar 2019 17:13:06 +0200
    4. 

  4. Subject: [PATCH 11/14] EAP-pwd server: Verify received scalar and element
    5. 

  5. 

  6. When processing an EAP-pwd Commit frame, the peer's scalar and element
    7. 

  7. (elliptic curve point) were not validated. This allowed an adversary to
    8. 

  8. bypass authentication, and impersonate any user if the crypto
    9. 

  9. implementation did not verify the validity of the EC point.
    10. 

  10. 

  11. Fix this vulnerability by assuring the received scalar lies within the
    12. 

  12. valid range, and by checking that the received element is not the point
    13. 

  13. at infinity and lies on the elliptic curve being used. (CVE-2019-9498)
    14. 

  14. 

  15. The vulnerability is only exploitable if OpenSSL version 1.0.2 or lower
    16. 

  16. is used, or if LibreSSL or wolfssl is used. Newer versions of OpenSSL
    17. 

  17. (and also BoringSSL) implicitly validate the elliptic curve point in
    18. 

  18. EC_POINT_set_affine_coordinates_GFp(), preventing the attack.
    19. 

  19. 

  20. Signed-off-by: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
    21. 

  21. ---
    22. 

  22.  src/eap_server/eap_server_pwd.c | 20 ++++++++++++++++++++
    23. 

  23.  1 file changed, 20 insertions(+)
    24. 

  24. 

  25. diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
    26. 

  26. index d0fa54a..74979da 100644
    27. 

  27. --- a/src/eap_server/eap_server_pwd.c
    28. 

  28. +++ b/src/eap_server/eap_server_pwd.c
    29. 

  29. @@ -718,6 +718,26 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
    30. 

  30.  		goto fin;
    31. 

  31.  	}
    32. 

  32.  
    33. 

  33. +	/* verify received scalar */
    34. 

  34. +	if (crypto_bignum_is_zero(data->peer_scalar) ||
    35. 

  35. +	    crypto_bignum_is_one(data->peer_scalar) ||
    36. 

  36. +	    crypto_bignum_cmp(data->peer_scalar,
    37. 

  37. +			      crypto_ec_get_order(data->grp->group)) >= 0) {
    38. 

  38. +		wpa_printf(MSG_INFO,
    39. 

  39. +			   "EAP-PWD (server): received scalar is invalid");
    40. 

  40. +		goto fin;
    41. 

  41. +	}
    42. 

  42. +
    43. 

  43. +	/* verify received element */
    44. 

  44. +	if (!crypto_ec_point_is_on_curve(data->grp->group,
    45. 

  45. +					 data->peer_element) ||
    46. 

  46. +	    crypto_ec_point_is_at_infinity(data->grp->group,
    47. 

  47. +					   data->peer_element)) {
    48. 

  48. +		wpa_printf(MSG_INFO,
    49. 

  49. +			   "EAP-PWD (server): received element is invalid");
    50. 

  50. +		goto fin;
    51. 

  51. +	}
    52. 

  52. +
    53. 

  53.  	/* check to ensure peer's element is not in a small sub-group */
    54. 

  54.  	if (!crypto_bignum_is_one(cofactor)) {
    55. 

  55.  		if (crypto_ec_point_mul(data->grp->group, data->peer_element,
    56. 

  56. -- 
    57. 

  57. 2.7.4
    58. 

  58.