File CVE-2019-11235.patch of Package freeradius-server.14500
commit 85497b5ff37ccb656895b826b88585898c209586
Author: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
Date: Tue Apr 9 15:17:19 2019 -0400
When processing an EAP-pwd Commit frame, the peer's scalar and elliptic curve
point were not validated. This allowed an adversary to bypass authentication,
and impersonate any user.
Fix this vulnerability by assuring the received scalar lies within the valid
range, and by checking that the received element is not the point at infinity
and lies on the elliptic curve being used.
commit ab4c767099f263a7cd4109bcdca80ee74210a769
Author: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Date: Wed Apr 10 10:11:23 2019 +0100
fix incorrectly named variable
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
+ /* validate received scalar */
+ if (BN_is_zero(session->peer_scalar) ||
+ BN_is_one(session->peer_scalar) ||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
+ ERROR("Peer's scalar is not within the allowed range");
+ goto finish;
+ }
+
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto finish;
}
+ /* validate received element */
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ ERROR("Peer's element is not a point on the elliptic curve");
+ goto finish;
+ }
+
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
}
+ /* detect reflection attacks */
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
+ ERROR("Reflection attack detected");
+ goto finish;
+ }
+
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 848ca2055e..c54f08c030 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -387,7 +387,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
/* validate received element */
- if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
EC_POINT_is_at_infinity(session->group, session->peer_element)) {
ERROR("Peer's element is not a point on the elliptic curve");
goto finish;
@@ -408,7 +408,7 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
/* detect reflection attacks */
if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
- EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
ERROR("Reflection attack detected");
goto finish;
}
