EAP-pwd: validate received scalar and element
When processing an EAP-pwd Commit frame, the peer's scalar and elliptic curve
point were not validated. This allowed an adversary to bypass authentication,
and impersonate any user.

Fix this vulnerability by assuring the received scalar lies within the valid
range, and by checking that the received element is not the point at infinity
and lies on the elliptic curve being used.
vanhoefm authored and alandekok committed Apr 10, 2019
1 parent 8fd2231 commit a99746c
Showing 1 changed file with 22 additions and 0 deletions.
22 changes: 22 additions & 0 deletions src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
Expand Up @@ -351,11 +351,26 @@ int process_peer_commit(pwd_session_t *session, uint8_t *in, size_t in_len, BN_C
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);

/* validate received scalar */
if (BN_is_zero(session->peer_scalar) ||
BN_is_one(session->peer_scalar) ||
BN_cmp(session->peer_scalar, session->order) >= 0) {
ERROR("Peer's scalar is not within the allowed range");
goto finish;

if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bn_ctx)) {
ERROR("Unable to get coordinates of peer's element");
goto finish;

/* validate received element */
if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
EC_POINT_is_at_infinity(session->group, session->peer_element)) {
ERROR("Peer's element is not a point on the elliptic curve");
goto finish;

/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
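Review bot: The element validation tests `!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx)`, which only rejects a return value of 0. OpenSSL documents a return of -1 when the check itself fails, and -1 passes this test, so an internal error would be treated as "point is on the curve". Compare against 1 explicitly, for example `EC_POINT_is_on_curve(...) != 1`. Separately, the return value of `BN_bin2bn(ptr, data_len, session->peer_scalar)` just above the new scalar check is not tested; if the conversion fails, the range check runs on whatever `peer_scalar` held before. The shared error message also hides whether the element was off-curve or the point at infinity, which makes the log less useful when triaging rejected Commit frames.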
Expand All @@ -369,6 +384,13 @@ int process_peer_commit(pwd_session_t *session, uint8_t *in, size_t in_len, BN_C

/* detect reflection attacks */
if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
ERROR("Reflection attack detected");
goto finish;

/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bn_ctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bn_ctx)) ||
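Review bot: In the reflection check, `EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0` treats the error return of -1 the same as "points differ", so a failed comparison falls through to the shared key computation. Store the result and reject on any value other than 1. This check is also not mentioned in the commit message, which describes only the scalar range and element validation; a sentence explaining why a reflected scalar or element must be rejected would help future readers of the history.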