Skip to content
Browse files

When processing an EAP-pwd Commit frame, the peer's scalar and ellipt…

…ic curve

point were not validated. This allowed an adversary to bypass authentication,
and impersonate any user.

Fix this vulnerability by assuring the received scalar lies within the valid
range, and by checking that the received element is not the point at infinity
and lies on the elliptic curve being used.
  • Loading branch information...
vanhoefm authored and alandekok committed Apr 9, 2019
1 parent c8d8a49 commit 85497b5ff37ccb656895b826b88585898c209586
Showing with 22 additions and 0 deletions.
  1. +22 −0 src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);

/* validate received scalar */
if (BN_is_zero(session->peer_scalar) ||
BN_is_one(session->peer_scalar) ||
BN_cmp(session->peer_scalar, session->order) >= 0) {
ERROR("Peer's scalar is not within the allowed range");
goto finish;

if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto finish;

/* validate received element */
if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
EC_POINT_is_at_infinity(session->group, session->peer_element)) {
ERROR("Peer's element is not a point on the elliptic curve");
goto finish;

/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_

/* detect reflection attacks */
if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
ERROR("Reflection attack detected");
goto finish;

/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||

0 comments on commit 85497b5

Please sign in to comment.
You can’t perform that action at this time.