
EAP-pwd: validate received scalar and element

When processing an EAP-pwd Commit frame, the peer's scalar and elliptic curve
point were not validated. This allowed an adversary to bypass authentication,
and impersonate any user.

Fix this vulnerability by assuring the received scalar lies within the valid
range, and by checking that the received element is not the point at infinity
and lies on the elliptic curve being used.
vanhoefm authored and alandekok committed Mar 30, 2019
1 parent 8fd2231 commit a99746c93b8b3ae3be367af0e46f0d6a9626f566
Showing with 22 additions and 0 deletions.
  1. +22 −0 src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -351,11 +351,26 @@ int process_peer_commit(pwd_session_t *session, uint8_t *in, size_t in_len, BN_C
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);

/* validate received scalar */
if (BN_is_zero(session->peer_scalar) ||
BN_is_one(session->peer_scalar) ||
BN_cmp(session->peer_scalar, session->order) >= 0) {
ERROR("Peer's scalar is not within the allowed range");
goto finish;
}

if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bn_ctx)) {
ERROR("Unable to get coordinates of peer's element");
goto finish;
}

/* validate received element */
if (!EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) ||
EC_POINT_is_at_infinity(session->group, session->peer_element)) {
ERROR("Peer's element is not a point on the elliptic curve");
goto finish;
}

/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
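Review bot: In the element validation, `!EC_POINT_is_on_curve(...)` treats OpenSSL's error return of -1 the same as 1 (point is on the curve), so an internal failure of the check lets the peer's element through. Compare against 1 instead, for example `EC_POINT_is_on_curve(session->group, session->peer_element, bn_ctx) != 1`. The scalar check above it rejects 0, 1 and anything >= order, which matches the commit message; a one-line comment stating the accepted range (1 < scalar < order) would make the intent explicit for later readers.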
@@ -369,6 +384,13 @@ int process_peer_commit(pwd_session_t *session, uint8_t *in, size_t in_len, BN_C
}
}

/* detect reflection attacks */
if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
EC_POINT_cmp(session->group, session->peer_element, session->my_element, bn_ctx) == 0) {
ERROR("Reflection attack detected");
goto finish;
}

/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bn_ctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bn_ctx)) ||
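Review bot: In the reflection check, `EC_POINT_cmp(...) == 0` only rejects the equal case; EC_POINT_cmp returns -1 on error, and this condition treats that as "different" and falls through to the shared key computation. Store the result and fail on anything other than 1 (not equal). The comparison also does not depend on the cofactor multiplication above it, so it could sit next to the scalar and element validation added earlier in the function, keeping all rejection of peer-supplied values in one place.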
