File CVE-2019-11235.patch of Package freeradius-server.14500

commit 85497b5ff37ccb656895b826b88585898c209586
Author: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
Date:   Tue Apr 9 15:17:19 2019 -0400

    When processing an EAP-pwd Commit frame, the peer's scalar and elliptic curve
    point were not validated. This allowed an adversary to bypass authentication,
    and impersonate any user.
    
    Fix this vulnerability by assuring the received scalar lies within the valid
    range, and by checking that the received element is not the point at infinity
    and lies on the elliptic curve being used.

commit ab4c767099f263a7cd4109bcdca80ee74210a769
Author: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Date:   Wed Apr 10 10:11:23 2019 +0100

    fix incorrectly named variable

diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
 	data_len = BN_num_bytes(session->order);
 	BN_bin2bn(ptr, data_len, session->peer_scalar);
 
+	/* validate received scalar */
+	if (BN_is_zero(session->peer_scalar) ||
+	    BN_is_one(session->peer_scalar) ||
+	    BN_cmp(session->peer_scalar, session->order) >= 0) {
+		ERROR("Peer's scalar is not within the allowed range");
+		goto finish;
+	}
+
 	if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
 		DEBUG2("pwd: unable to get coordinates of peer's element");
 		goto finish;
 	}
 
+	/* validate received element */
+	if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
+	    EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+		ERROR("Peer's element is not a point on the elliptic curve");
+		goto finish;
+	}
+
 	/* check to ensure peer's element is not in a small sub-group */
 	if (BN_cmp(cofactor, BN_value_one())) {
 		if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
 		}
 	}
 
+	/* detect reflection attacks */
+	if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+	    EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
+		ERROR("Reflection attack detected");
+		goto finish;
+	}
+
 	/* compute the shared key, k */
 	if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
 	    (!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 848ca2055e..c54f08c030 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -387,7 +387,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
 	}
 
 	/* validate received element */
-	if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
+	if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
 	    EC_POINT_is_at_infinity(session->group, session->peer_element)) {
 		ERROR("Peer's element is not a point on the elliptic curve");
 		goto finish;
@@ -408,7 +408,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
 
 	/* detect reflection attacks */
 	if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
-	    EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
+	    EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
 		ERROR("Reflection attack detected");
 		goto finish;
 	}